39 files changed, 479 insertions, 300 deletions
diff --git a/security/nss/cmd/lib/pppolicy.c b/security/nss/cmd/lib/pppolicy.c index 2d489f41a..c0094083c 100644 --- a/security/nss/cmd/lib/pppolicy.c +++ b/security/nss/cmd/lib/pppolicy.c @@ -91,7 +91,7 @@ static const SEC_ASN1Template secu_CertificatePoliciesTemplate[] = { static CERTCertificatePolicies * -secu_DecodeCertificatePoliciesExtension(const SECItem *extnValue) +secu_DecodeCertificatePoliciesExtension(SECItem *extnValue) { PRArenaPool *arena = NULL; SECStatus rv; @@ -241,7 +241,7 @@ secu_PrintPolicyInfo(FILE *out,CERTPolicyInfo *policyInfo,char *msg,int level) } void -SECU_PrintPolicy(FILE *out, const SECItem *value, const char *msg, int level) +SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level) { CERTCertificatePolicies *policies = NULL; CERTPolicyInfo **policyInfos; @@ -268,8 +268,8 @@ SECU_PrintPolicy(FILE *out, const SECItem *value, const char *msg, int level) void -SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, const SECItem *value, - const char *msg, int level) +SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level) { CERTPrivKeyUsagePeriod * prd; PLArenaPool * arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); diff --git a/security/nss/cmd/lib/secutil.c b/security/nss/cmd/lib/secutil.c index 4f194e3be..0c52a647c 100644 --- a/security/nss/cmd/lib/secutil.c +++ b/security/nss/cmd/lib/secutil.c @@ -330,7 +330,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg) return NULL; } -static char * +char * secu_InitSlotPassword(PK11SlotInfo *slot, PRBool retry, void *arg) { char *p0 = NULL; @@ -779,7 +779,7 @@ static void secu_Newline(FILE *out) } void -SECU_PrintAsHex(FILE *out, const SECItem *data, const char *m, int level) +SECU_PrintAsHex(FILE *out, SECItem *data, const char *m, int level) { unsigned i; int column; 
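Review bot: Dropping `const` from `extnValue` in `secu_DecodeCertificatePoliciesExtension`, and from the `SECItem *` and `char *msg` parameters of `SECU_PrintPolicy` and `SECU_PrintPrivKeyUsagePeriodExtension`, removes the compiler's check that these print-only routines leave the parsed DER input untouched. The same removal repeats through nearly every later hunk of secutil.c and secutil.h. It is also applied unevenly: `SECU_PrintAsHex` keeps `const char *m` while `SECU_PrintInteger` takes `char *m`. If the older signatures are needed for compatibility, a comment on each prototype such as `/* value is read-only; const omitted to match existing callers */` would keep the contract visible. The function bodies continue outside the hunks, so I cannot confirm from here that nothing writes through these pointers.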
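Review bot: `secu_InitSlotPassword` loses `static` in the hunk at -330 and so gains external linkage, but no prototype for it appears in the secutil.h hunks shown. The same applies to `secu_PrintRSAPSSParams`, `secu_PrintKDF2Params`, `secu_PrintPKCS5V2Params` and `secu_PrintPBEParams` (hunks at -1509 through -1630), and to the renamed `SECU_PrintCertAttribute` and `SECU_PrintCertAttributes` (hunks at -2572 and -2587). Unless another translation unit needs them, I would keep `static char *` and `static void`. Otherwise declare them in secutil.h so callers are checked against a prototype. The secutil.h section runs past the end of the visible diff, so a declaration may exist further down.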
@@ -937,7 +937,7 @@ SECU_StripTagAndLength(SECItem *i) ** call SECU_PrintEncodedInteger(); */ void -SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, int level) +SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level) { int iv; @@ -975,7 +975,7 @@ SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, int level) } static void -secu_PrintRawString(FILE *out, const SECItem *si, const char *m, int level) +secu_PrintRawString(FILE *out, SECItem *si, const char *m, int level) { int column; unsigned int i; @@ -1007,7 +1007,7 @@ secu_PrintRawString(FILE *out, const SECItem *si, const char *m, int level) } void -SECU_PrintString(FILE *out, const SECItem *si, const char *m, int level) +SECU_PrintString(FILE *out, SECItem *si, char *m, int level) { SECItem my = *si; @@ -1018,7 +1018,7 @@ SECU_PrintString(FILE *out, const SECItem *si, const char *m, int level) /* print an unencoded boolean */ static void -secu_PrintBoolean(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintBoolean(FILE *out, SECItem *i, const char *m, int level) { int val = 0; @@ -1039,7 +1039,7 @@ secu_PrintBoolean(FILE *out, const SECItem *i, const char *m, int level) * otherwise just print the formatted time string only. */ static void -secu_PrintTime(FILE *out, int64 time, const char *m, int level) +secu_PrintTime(FILE *out, int64 time, char *m, int level) { PRExplodedTime printableTime; char *timeString; @@ -1072,7 +1072,7 @@ secu_PrintTime(FILE *out, int64 time, const char *m, int level) * otherwise just print the formatted time string only. */ void -SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m, int level) +SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level) { int64 time; SECStatus rv; 
@@ -1090,7 +1090,7 @@ SECU_PrintUTCTime(FILE *out, const SECItem *t, const char *m, int level) * afterward; otherwise just print the formatted time string only. */ void -SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, const char *m, int level) +SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level) { int64 time; SECStatus rv; @@ -1109,7 +1109,7 @@ SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, const char *m, int level) * afterward; otherwise just print the formatted time string only. */ void -SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m, int level) +SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level) { switch (t->type) { case siUTCTime: @@ -1129,7 +1129,7 @@ SECU_PrintTimeChoice(FILE *out, const SECItem *t, const char *m, int level) /* This prints a SET or SEQUENCE */ void -SECU_PrintSet(FILE *out, const SECItem *t, const char *m, int level) +SECU_PrintSet(FILE *out, SECItem *t, char *m, int level) { int type = t->data[0] & SEC_ASN1_TAGNUM_MASK; int constructed = t->data[0] & SEC_ASN1_CONSTRUCTED; @@ -1183,7 +1183,7 @@ SECU_PrintSet(FILE *out, const SECItem *t, const char *m, int level) } static void -secu_PrintContextSpecific(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintContextSpecific(FILE *out, SECItem *i, char *m, int level) { int type = i->data[0] & SEC_ASN1_TAGNUM_MASK; int constructed = i->data[0] & SEC_ASN1_CONSTRUCTED; @@ -1214,7 +1214,7 @@ secu_PrintContextSpecific(FILE *out, const SECItem *i, const char *m, int level) } static void -secu_PrintOctetString(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintOctetString(FILE *out, SECItem *i, char *m, int level) { SECItem tmp = *i; if (SECSuccess == SECU_StripTagAndLength(&tmp)) 
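Review bot: `SECU_PrintSet` reads `t->data[0]` in its first two initialisers before any check that `t`, `t->data` or `t->len` is usable, and it is an exported function that callers can hand DER to directly. The static helpers `secu_PrintContextSpecific` (hunk at -1183) and `secu_PrintUniversal` (hunk at -1356) start the same way and presumably rely on the `if ( i && i->len && i->data )` guard shown in `SECU_PrintAny`. I would move the two reads in `SECU_PrintSet` below a guard such as `if (!t || !t->data || t->len == 0) return;`. The body continues outside the hunk, so any later bounds checks on the contents are not visible here.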
@@ -1222,7 +1222,7 @@ secu_PrintOctetString(FILE *out, const SECItem *i, const char *m, int level) } static void -secu_PrintBitString(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintBitString(FILE *out, SECItem *i, char *m, int level) { int unused_bits; SECItem tmp = *i; @@ -1242,7 +1242,7 @@ secu_PrintBitString(FILE *out, const SECItem *i, const char *m, int level) /* in a decoded bit string, the len member is a bit length. */ static void -secu_PrintDecodedBitString(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintDecodedBitString(FILE *out, SECItem *i, char *m, int level) { int unused_bits; SECItem tmp = *i; @@ -1261,7 +1261,7 @@ secu_PrintDecodedBitString(FILE *out, const SECItem *i, const char *m, int level /* Print a DER encoded Boolean */ void -SECU_PrintEncodedBoolean(FILE *out, const SECItem *i, const char *m, int level) +SECU_PrintEncodedBoolean(FILE *out, SECItem *i, char *m, int level) { SECItem my = *i; if (SECSuccess == SECU_StripTagAndLength(&my)) @@ -1270,7 +1270,7 @@ SECU_PrintEncodedBoolean(FILE *out, const SECItem *i, const char *m, int level) /* Print a DER encoded integer */ void -SECU_PrintEncodedInteger(FILE *out, const SECItem *i, const char *m, int level) +SECU_PrintEncodedInteger(FILE *out, SECItem *i, char *m, int level) { SECItem my = *i; if (SECSuccess == SECU_StripTagAndLength(&my)) @@ -1279,7 +1279,7 @@ SECU_PrintEncodedInteger(FILE *out, const SECItem *i, const char *m, int level) /* Print a DER encoded OID */ void -SECU_PrintEncodedObjectID(FILE *out, const SECItem *i, const char *m, int level) +SECU_PrintEncodedObjectID(FILE *out, SECItem *i, char *m, int level) { SECItem my = *i; if (SECSuccess == SECU_StripTagAndLength(&my)) 
@@ -1287,7 +1287,7 @@ SECU_PrintEncodedObjectID(FILE *out, const SECItem *i, const char *m, int level) } static void -secu_PrintBMPString(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintBMPString(FILE *out, SECItem *i, char *m, int level) { unsigned char * s; unsigned char * d; @@ -1321,7 +1321,7 @@ loser: } static void -secu_PrintUniversalString(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintUniversalString(FILE *out, SECItem *i, char *m, int level) { unsigned char * s; unsigned char * d; @@ -1356,7 +1356,7 @@ loser: } static void -secu_PrintUniversal(FILE *out, const SECItem *i, const char *m, int level) +secu_PrintUniversal(FILE *out, SECItem *i, char *m, int level) { switch (i->data[0] & SEC_ASN1_TAGNUM_MASK) { case SEC_ASN1_ENUMERATED: @@ -1412,7 +1412,7 @@ secu_PrintUniversal(FILE *out, const SECItem *i, const char *m, int level) } void -SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level) +SECU_PrintAny(FILE *out, SECItem *i, char *m, int level) { if ( i && i->len && i->data ) { switch (i->data[0] & SEC_ASN1_CLASS_MASK) { @@ -1430,7 +1430,7 @@ SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level) } static int -secu_PrintValidity(FILE *out, const CERTValidity *v, const char *m, int level) +secu_PrintValidity(FILE *out, CERTValidity *v, char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); SECU_PrintTimeChoice(out, &v->notBefore, "Not Before", level+1); @@ -1440,7 +1440,7 @@ secu_PrintValidity(FILE *out, const CERTValidity *v, const char *m, int level) /* This function does NOT expect a DER type and length. */ SECOidTag -SECU_PrintObjectID(FILE *out, const SECItem *oid, const char *m, int level) +SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level) { SECOidData *oiddata; char * oidString = NULL; 
@@ -1509,8 +1509,8 @@ const SEC_ASN1Template secuPBEV2Params[] = { 0 } }; -static void -secu_PrintRSAPSSParams(FILE *out, const SECItem *value, const char *m, int level) +void +secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) { PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECStatus rv; @@ -1573,8 +1573,8 @@ secu_PrintRSAPSSParams(FILE *out, const SECItem *value, const char *m, int level PORT_FreeArena(pool, PR_FALSE); } -static void -secu_PrintKDF2Params(FILE *out, const SECItem *value, const char *m, int level) +void +secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) { PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECStatus rv; @@ -1603,8 +1603,8 @@ secu_PrintKDF2Params(FILE *out, const SECItem *value, const char *m, int level) PORT_FreeArena(pool, PR_FALSE); } -static void -secu_PrintPKCS5V2Params(FILE *out, const SECItem *value, const char *m, int level) +void +secu_PrintPKCS5V2Params(FILE *out, SECItem *value, char *m, int level) { PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECStatus rv; @@ -1630,8 +1630,8 @@ secu_PrintPKCS5V2Params(FILE *out, const SECItem *value, const char *m, int leve PORT_FreeArena(pool, PR_FALSE); } -static void -secu_PrintPBEParams(FILE *out, const SECItem *value, const char *m, int level) +void +secu_PrintPBEParams(FILE *out, SECItem *value, char *m, int level) { PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECStatus rv; @@ -1660,7 +1660,7 @@ secu_PrintPBEParams(FILE *out, const SECItem *value, const char *m, int level) /* This function does NOT expect a DER type and length. */ void -SECU_PrintAlgorithmID(FILE *out, const SECAlgorithmID *a, const char *m, int level) +SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, int level) { SECOidTag algtag; SECU_PrintObjectID(out, &a->algorithm, m, level); 
@@ -1700,8 +1700,7 @@ SECU_PrintAlgorithmID(FILE *out, const SECAlgorithmID *a, const char *m, int lev } static void -secu_PrintAttribute(FILE *out, const SEC_PKCS7Attribute *attr, - const char *m, int level) +secu_PrintAttribute(FILE *out, SEC_PKCS7Attribute *attr, char *m, int level) { SECItem *value; int i; @@ -1740,8 +1739,7 @@ secu_PrintAttribute(FILE *out, const SEC_PKCS7Attribute *attr, } static void -secu_PrintRSAPublicKey(FILE *out, const SECKEYPublicKey *pk, - const char *m, int level) +secu_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); @@ -1754,8 +1752,7 @@ secu_PrintRSAPublicKey(FILE *out, const SECKEYPublicKey *pk, } static void -secu_PrintDSAPublicKey(FILE *out, const SECKEYPublicKey *pk, - const char *m, int level) +secu_PrintDSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); SECU_PrintInteger(out, &pk->u.dsa.params.prime, "Prime", level+1); @@ -1766,8 +1763,7 @@ secu_PrintDSAPublicKey(FILE *out, const SECKEYPublicKey *pk, #ifdef NSS_ENABLE_ECC static void -secu_PrintECPublicKey(FILE *out, const SECKEYPublicKey *pk, - const char *m, int level) +secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level) { SECItem curveOID = { siBuffer, NULL, 0}; @@ -1787,8 +1783,7 @@ secu_PrintECPublicKey(FILE *out, const SECKEYPublicKey *pk, static void secu_PrintSubjectPublicKeyInfo(FILE *out, PRArenaPool *arena, - const CERTSubjectPublicKeyInfo *i, - const char *msg, int level) + CERTSubjectPublicKeyInfo *i, char *msg, int level) { SECKEYPublicKey *pk; @@ -1834,8 +1829,7 @@ loser: } static SECStatus -secu_PrintX509InvalidDate(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintX509InvalidDate(FILE *out, SECItem *value, char *msg, int level) { SECItem decodedValue; SECStatus rv; 
@@ -1861,7 +1855,7 @@ secu_PrintX509InvalidDate(FILE *out, const SECItem *value, } static SECStatus -PrintExtKeyUsageExtension (FILE *out, const SECItem *value, const char *msg, int level) +PrintExtKeyUsageExtension (FILE *out, SECItem *value, char *msg, int level) { CERTOidSequence *os; SECItem **op; @@ -1879,8 +1873,7 @@ PrintExtKeyUsageExtension (FILE *out, const SECItem *value, const char *msg, in } static SECStatus -secu_PrintBasicConstraints(FILE *out, const SECItem *value, - const char *msg, int level) { +secu_PrintBasicConstraints(FILE *out, SECItem *value, char *msg, int level) { CERTBasicConstraints constraints; SECStatus rv; @@ -1915,7 +1908,7 @@ static const char * const nsTypeBits[] = { /* NSCertType is merely a bit string whose bits are displayed symbolically */ static SECStatus -secu_PrintNSCertType(FILE *out, const SECItem *value, const char *msg, int level) +secu_PrintNSCertType(FILE *out, SECItem *value, char *msg, int level) { int unused; int NS_Type; @@ -1964,8 +1957,7 @@ static const char * const usageBits[] = { /* X509KeyUsage is merely a bit string whose bits are displayed symbolically */ static void -secu_PrintX509KeyUsage(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintX509KeyUsage(FILE *out, SECItem *value, char *msg, int level) { int unused; int usage; @@ -2000,7 +1992,7 @@ secu_PrintX509KeyUsage(FILE *out, const SECItem *value, } static void -secu_PrintIPAddress(FILE *out, const SECItem *value, const char *msg, int level) +secu_PrintIPAddress(FILE *out, SECItem *value, char *msg, int level) { PRStatus st; PRNetAddr addr; @@ -2035,8 +2027,7 @@ loser: static void -secu_PrintGeneralName(FILE *out, const CERTGeneralName *gname, - const char *msg, int level) +secu_PrintGeneralName(FILE *out, CERTGeneralName *gname, char *msg, int level) { char label[40]; if (msg && msg[0]) { 
@@ -2080,20 +2071,18 @@ secu_PrintGeneralName(FILE *out, const CERTGeneralName *gname, } static void -secu_PrintGeneralNames(FILE *out, const CERTGeneralName *gname, - const char *msg, int level) +secu_PrintGeneralNames(FILE *out, CERTGeneralName *gname, char *msg, int level) { - const CERTGeneralName *name = gname; + CERTGeneralName *name = gname; do { secu_PrintGeneralName(out, name, msg, level); - name = CERT_GetNextGeneralName((CERTGeneralName *) name); + name = CERT_GetNextGeneralName(name); } while (name && name != gname); } static void -secu_PrintAuthKeyIDExtension(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintAuthKeyIDExtension(FILE *out, SECItem *value, char *msg, int level) { CERTAuthKeyID *kid = NULL; PLArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -2125,8 +2114,7 @@ secu_PrintAuthKeyIDExtension(FILE *out, const SECItem *value, static void -secu_PrintAltNameExtension(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintAltNameExtension(FILE *out, SECItem *value, char *msg, int level) { CERTGeneralName * nameList; CERTGeneralName * current; @@ -2154,10 +2142,9 @@ secu_PrintAltNameExtension(FILE *out, const SECItem *value, } static void -secu_PrintCRLDistPtsExtension(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintCRLDistPtsExtension(FILE *out, SECItem *value, char *msg, int level) { - const CERTCrlDistributionPoints * dPoints; + CERTCrlDistributionPoints * dPoints; PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); if (!pool) { 
@@ -2199,10 +2186,10 @@ secu_PrintCRLDistPtsExtension(FILE *out, const SECItem *value, static void -secu_PrintNameConstraintSubtree(FILE *out, const CERTNameConstraint *value, - const char *msg, int level) +secu_PrintNameConstraintSubtree(FILE *out, CERTNameConstraint *value, + char *msg, int level) { - const CERTNameConstraint *head = value; + CERTNameConstraint *head = value; SECU_Indent(out, level); fprintf(out, "%s Subtree:\n", msg); level++; do { @@ -2211,13 +2198,12 @@ secu_PrintNameConstraintSubtree(FILE *out, const CERTNameConstraint *value, SECU_PrintInteger(out, &value->min, "Minimum", level+1); if (value->max.data) SECU_PrintInteger(out, &value->max, "Maximum", level+1); - value = CERT_GetNextNameConstraint((CERTNameConstraint *) value); + value = CERT_GetNextNameConstraint(value); } while (value != head); } static void -secu_PrintNameConstraintsExtension(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintNameConstraintsExtension(FILE *out, SECItem *value, char *msg, int level) { CERTNameConstraints * cnstrnts; PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -2243,8 +2229,7 @@ secu_PrintNameConstraintsExtension(FILE *out, const SECItem *value, static void -secu_PrintAuthorityInfoAcess(FILE *out, const SECItem *value, - const char *msg, int level) +secu_PrintAuthorityInfoAcess(FILE *out, SECItem *value, char *msg, int level) { CERTAuthInfoAccess **infos = NULL; PLArenaPool * pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -2278,8 +2263,8 @@ secu_PrintAuthorityInfoAcess(FILE *out, const SECItem *value, void -SECU_PrintExtensions(FILE *out, CERTCertExtension const * const *extensions, - const char *msg, int level) +SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level) { SECOidTag oidTag; 
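Review bot: The loop in `secu_PrintNameConstraintSubtree` ends with `while (value != head);` and dereferences `value` at the top of the next pass, so a NULL return from `CERT_GetNextNameConstraint` would be dereferenced. `secu_PrintGeneralNames` (hunk at -2080) walks the same kind of list with `while (name && name != gname);`. For consistency I would write `} while (value && value != head);`. Whether the accessor can actually return NULL is not visible in this diff.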
@@ -2289,7 +2274,7 @@ SECU_PrintExtensions(FILE *out, CERTCertExtension const * const *extensions, } while ( *extensions ) { - const SECItem *tmpitem; + SECItem *tmpitem; tmpitem = &(*extensions)->id; SECU_PrintObjectID(out, tmpitem, "Name", level); @@ -2411,23 +2396,23 @@ SECU_PrintExtensions(FILE *out, CERTCertExtension const * const *extensions, * print those, so make a directory name out of the RDN, and print it. */ void -SECU_PrintRDN(FILE *out, const CERTRDN *rdn, const char *msg, int level) +SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level) { CERTName name; CERTRDN *rdns[2]; name.arena = NULL; name.rdns = rdns; - rdns[0] = (CERTRDN *) rdn; + rdns[0] = rdn; rdns[1] = NULL; SECU_PrintName(out, &name, msg, level); } void -SECU_PrintName(FILE *out, const CERTName *name, const char *msg, int level) +SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level) { char *nameStr = NULL; - const char *str; + char *str; SECItem my; if (!name) { @@ -2572,9 +2557,8 @@ SECU_PrintSetOfAny(FILE *out, SECItem **any, char *m, int level) return rv; } -static int -secu_PrintCertAttribute(FILE *out, const CERTAttribute *attr, - const char *m, int level) +int +SECU_PrintCertAttribute(FILE *out, CERTAttribute *attr, char *m, int level) { int rv = 0; SECOidTag tag; 
@@ -2587,21 +2571,19 @@ secu_PrintCertAttribute(FILE *out, const CERTAttribute *attr, return rv; } -static int -secu_PrintCertAttributes(FILE *out, CERTAttribute const * const *attrs, - const char *m, int level) +int +SECU_PrintCertAttributes(FILE *out, CERTAttribute **attrs, char *m, int level) { int rv = 0; while (attrs[0]) { - rv |= secu_PrintCertAttribute(out, attrs[0], m, level+1); + rv |= SECU_PrintCertAttribute(out, attrs[0], m, level+1); attrs++; } return rv; } int /* sometimes a PRErrorCode, other times a SECStatus. Sigh. */ -SECU_PrintCertificateRequest(FILE *out, const SECItem *der, - const char *m, int level) +SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCertificateRequest *cr; @@ -2627,7 +2609,7 @@ SECU_PrintCertificateRequest(FILE *out, const SECItem *der, secu_PrintSubjectPublicKeyInfo(out, arena, &cr->subjectPublicKeyInfo, "Subject Public Key Info", level+1); if (cr->attributes) - secu_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); + SECU_PrintCertAttributes(out, cr->attributes, "Attributes", level+1); rv = 0; loser: PORT_FreeArena(arena, PR_FALSE); @@ -2635,7 +2617,7 @@ loser: } int -SECU_PrintCertificate(FILE *out, const SECItem *der, const char *m, int level) +SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCertificate *c; @@ -2681,7 +2663,7 @@ loser: } int -SECU_PrintRSAPublicKey(FILE *out, const SECItem *der, const char *m, int level) +SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECKEYPublicKey key; 
@@ -2703,8 +2685,7 @@ SECU_PrintRSAPublicKey(FILE *out, const SECItem *der, const char *m, int level) } int -SECU_PrintSubjectPublicKeyInfo(FILE *out, const SECItem *der, - const char *m, int level) +SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); int rv = SEC_ERROR_NO_MEMORY; @@ -2731,7 +2712,7 @@ SECU_PrintSubjectPublicKeyInfo(FILE *out, const SECItem *der, #ifdef HAVE_EPV_TEMPLATE int -SECU_PrintPrivateKey(FILE *out, const SECItem *der, const char *m, int level) +SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); SECKEYEncryptedPrivateKeyInfo key; @@ -2758,7 +2739,7 @@ loser: #endif int -SECU_PrintFingerprints(FILE *out, const SECItem *derCert, const char *m, int level) +SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, int level) { unsigned char fingerprint[20]; char *fpStr = NULL; 
@@ -2804,27 +2785,25 @@ SECU_PrintFingerprints(FILE *out, const SECItem *derCert, const char *m, int lev /* forward declaration */ static int -secu_PrintPKCS7ContentInfo(FILE *, const SEC_PKCS7ContentInfo *, - const char *, int); +secu_PrintPKCS7ContentInfo(FILE *, SEC_PKCS7ContentInfo *, char *, int); /* ** secu_PrintPKCS7EncContent ** Prints a SEC_PKCS7EncryptedContentInfo (without decrypting it) */ static void -secu_PrintPKCS7EncContent(FILE *out, const SEC_PKCS7EncryptedContentInfo *src, - const char *m, int level) +secu_PrintPKCS7EncContent(FILE *out, SEC_PKCS7EncryptedContentInfo *src, + char *m, int level) { - SECOidData * contentTypeTag = src->contentTypeTag != NULL - ? src->contentTypeTag - : SECOID_FindOID(&(src->contentType)); + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); SECU_Indent(out, level); fprintf(out, "%s:\n", m); SECU_Indent(out, level + 1); fprintf(out, "Content Type: %s\n", - (contentTypeTag != NULL) ? contentTypeTag->desc - : "Unknown"); + (src->contentTypeTag != NULL) ? src->contentTypeTag->desc + : "Unknown"); SECU_PrintAlgorithmID(out, &(src->contentEncAlg), "Content Encryption Algorithm", level+1); SECU_PrintAsHex(out, &(src->encContent), @@ -2858,8 +2837,7 @@ secu_PrintRecipientInfo(FILE *out, SEC_PKCS7RecipientInfo *info, char *m, ** Prints a PKCS7SingerInfo type */ static void -secu_PrintSignerInfo(FILE *out, const SEC_PKCS7SignerInfo *info, - const char *m, int level) +secu_PrintSignerInfo(FILE *out, SEC_PKCS7SignerInfo *info, char *m, int level) { SEC_PKCS7Attribute *attr; int iv; @@ -2908,7 +2886,7 @@ secu_PrintSignerInfo(FILE *out, const SEC_PKCS7SignerInfo *info, some */ void -SECU_PrintCRLInfo(FILE *out, const CERTCrl *crl, const char *m, int level) +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level) { CERTCrlEntry *entry; int iv; 
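Review bot: `secu_PrintPKCS7EncContent` now stores the `SECOID_FindOID` result into `src->contentTypeTag`, so a pretty-printer writes to the structure it was asked to display. `secu_PrintPKCS7ContentInfo` (hunk at -3204) does the same. A caller that inspects or re-encodes the decoded PKCS#7 object afterwards will see state it did not set, and the side effect is why `src` can no longer be `const`. I would keep the lookup in a local, `SECOidData *tag = src->contentTypeTag ? src->contentTypeTag : SECOID_FindOID(&(src->contentType));`, and print from `tag`. If the caching is intentional, say so with a comment such as `/* caches the OID lookup in src->contentTypeTag */`.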
@@ -2947,7 +2925,7 @@ SECU_PrintCRLInfo(FILE *out, const CERTCrl *crl, const char *m, int level) ** Pretty print a PKCS7 signed data type (up to version 1). */ static int -secu_PrintPKCS7Signed(FILE *out, const SEC_PKCS7SignedData *src, +secu_PrintPKCS7Signed(FILE *out, SEC_PKCS7SignedData *src, const char *m, int level) { SECAlgorithmID *digAlg; /* digest algorithms */ @@ -3026,7 +3004,7 @@ secu_PrintPKCS7Signed(FILE *out, const SEC_PKCS7SignedData *src, ** Pretty print a PKCS7 enveloped data type (up to version 1). */ static void -secu_PrintPKCS7Enveloped(FILE *out, const SEC_PKCS7EnvelopedData *src, +secu_PrintPKCS7Enveloped(FILE *out, SEC_PKCS7EnvelopedData *src, const char *m, int level) { SEC_PKCS7RecipientInfo *recInfo; /* pointer for signer information */ @@ -3057,7 +3035,7 @@ secu_PrintPKCS7Enveloped(FILE *out, const SEC_PKCS7EnvelopedData *src, */ static int secu_PrintPKCS7SignedAndEnveloped(FILE *out, - const SEC_PKCS7SignedAndEnvelopedData *src, + SEC_PKCS7SignedAndEnvelopedData *src, const char *m, int level) { SECAlgorithmID *digAlg; /* pointer for digest algorithms */ @@ -3141,7 +3119,7 @@ secu_PrintPKCS7SignedAndEnveloped(FILE *out, } int -SECU_PrintCrl (FILE *out, const SECItem *der, const char *m, int level) +SECU_PrintCrl (FILE *out, SECItem *der, char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTCrl *c = NULL; @@ -3170,7 +3148,7 @@ SECU_PrintCrl (FILE *out, const SECItem *der, const char *m, int level) ** Pretty print a PKCS7 encrypted data type (up to version 1). */ static void -secu_PrintPKCS7Encrypted(FILE *out, const SEC_PKCS7EncryptedData *src, +secu_PrintPKCS7Encrypted(FILE *out, SEC_PKCS7EncryptedData *src, const char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); 
@@ -3185,7 +3163,7 @@ secu_PrintPKCS7Encrypted(FILE *out, const SEC_PKCS7EncryptedData *src, ** Pretty print a PKCS7 digested data type (up to version 1). */ static void -secu_PrintPKCS7Digested(FILE *out, const SEC_PKCS7DigestedData *src, +secu_PrintPKCS7Digested(FILE *out, SEC_PKCS7DigestedData *src, const char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); @@ -3204,27 +3182,25 @@ secu_PrintPKCS7Digested(FILE *out, const SEC_PKCS7DigestedData *src, ** appropriate function */ static int -secu_PrintPKCS7ContentInfo(FILE *out, const SEC_PKCS7ContentInfo *src, - const char *m, int level) +secu_PrintPKCS7ContentInfo(FILE *out, SEC_PKCS7ContentInfo *src, + char *m, int level) { const char *desc; SECOidTag kind; int rv; - const SECOidData * contentTypeTag; SECU_Indent(out, level); fprintf(out, "%s:\n", m); level++; - contentTypeTag = src->contentTypeTag != NULL - ? src->contentTypeTag - : SECOID_FindOID(&(src->contentType)); + if (src->contentTypeTag == NULL) + src->contentTypeTag = SECOID_FindOID(&(src->contentType)); - if (contentTypeTag == NULL) { + if (src->contentTypeTag == NULL) { desc = "Unknown"; kind = SEC_OID_PKCS7_DATA; } else { - desc = contentTypeTag->desc; - kind = contentTypeTag->offset; + desc = src->contentTypeTag->desc; + kind = src->contentTypeTag->offset; } if (src->content.data == NULL) { @@ -3271,8 +3247,7 @@ secu_PrintPKCS7ContentInfo(FILE *out, const SEC_PKCS7ContentInfo *src, ** Decode and print any major PKCS7 data type (up to version 1). */ int -SECU_PrintPKCS7ContentInfo(FILE *out, const SECItem *der, - const char *m, int level) +SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, int level) { SEC_PKCS7ContentInfo *cinfo; int rv; 
@@ -3326,8 +3301,7 @@ printFlags(FILE *out, unsigned int flags, int level) } void -SECU_PrintTrustFlags(FILE *out, const CERTCertTrust *trust, - const char *m, int level) +SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, int level) { SECU_Indent(out, level); fprintf(out, "%s:\n", m); SECU_Indent(out, level+1); fprintf(out, "SSL Flags:\n"); @@ -3338,7 +3312,7 @@ SECU_PrintTrustFlags(FILE *out, const CERTCertTrust *trust, printFlags(out, trust->objectSigningFlags, level+2); } -int SECU_PrintDERName(FILE *out, const SECItem *der, const char *m, int level) +int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); CERTName *name; @@ -3361,7 +3335,7 @@ loser: return rv; } -int SECU_PrintSignedData(FILE *out, const SECItem *der, const char *m, +int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, int level, SECU_PPFunc inner) { PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); @@ -3395,9 +3369,9 @@ loser: } SECStatus -SEC_PrintCertificateAndTrust(const CERTCertificate *cert, +SEC_PrintCertificateAndTrust(CERTCertificate *cert, const char *label, - const CERTCertTrust *trust) + CERTCertTrust *trust) { SECStatus rv; SECItem data; diff --git a/security/nss/cmd/lib/secutil.h b/security/nss/cmd/lib/secutil.h index c0ef218cc..b611028e4 100644 --- a/security/nss/cmd/lib/secutil.h +++ b/security/nss/cmd/lib/secutil.h 
@@ -205,20 +205,17 @@ SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii); extern void SECU_Indent(FILE *out, int level); /* Print integer value and hex */ -extern void SECU_PrintInteger(FILE *out, const SECItem *i, const char *m, - int level); +extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level); /* Print ObjectIdentifier symbolically */ -extern SECOidTag SECU_PrintObjectID(FILE *out, const SECItem *oid, - const char *m, int level); +extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level); /* Print AlgorithmIdentifier symbolically */ -extern void SECU_PrintAlgorithmID(FILE *out, const SECAlgorithmID *a, - const char *m, int level); +extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m, + int level); /* Print SECItem as hex */ -extern void SECU_PrintAsHex(FILE *out, const SECItem *i, const char *m, - int level); +extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level); /* dump a buffer in hex and ASCII */ extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); 
@@ -228,24 +225,22 @@ extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len); * do indent formatting based on "level" and add a newline afterward; * otherwise just print the formatted time string only. */ -extern void SECU_PrintUTCTime(FILE *out, const SECItem *t, - const char *m, int level); +extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level); /* * Format and print the Generalized Time "t". If the tag message "m" * is not NULL, * do indent formatting based on "level" and add a newline * afterward; otherwise just print the formatted time string only. */ -extern void SECU_PrintGeneralizedTime(FILE *out, const SECItem *t, - const char *m, int level); +extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, + int level); /* * Format and print the UTC or Generalized Time "t". If the tag message * "m" is not NULL, do indent formatting based on "level" and add a newline * afterward; otherwise just print the formatted time string only. */ -extern void SECU_PrintTimeChoice(FILE *out, const SECItem *t, - const char *m, int level); +extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level); /* callback for listing certs through pkcs11 */ extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data); 
@@ -259,76 +254,68 @@ SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out, int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname); /* Dump contents of cert req */ -extern int SECU_PrintCertificateRequest(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m, + int level); /* Dump contents of certificate */ -extern int SECU_PrintCertificate(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level); /* Dump contents of a DER certificate name (issuer or subject) */ -extern int SECU_PrintDERName(FILE *out, const SECItem *der, const char *m, - int level); +extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level); /* print trust flags on a cert */ -extern void SECU_PrintTrustFlags(FILE *out, const CERTCertTrust *trust, - const char *m, int level); +extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m, + int level); /* Dump contents of an RSA public key */ -extern int SECU_PrintRSAPublicKey(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level); -extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintSubjectPublicKeyInfo(FILE *out, SECItem *der, char *m, + int level); #ifdef HAVE_EPV_TEMPLATE /* Dump contents of private key */ -extern int SECU_PrintPrivateKey(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintPrivateKey(FILE *out, SECItem *der, char *m, int level); #endif /* Print the MD5 and SHA1 fingerprints of a cert */ -extern int SECU_PrintFingerprints(FILE *out, const SECItem *derCert, - const char *m, int level); +extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m, + int level); /* Pretty-print any PKCS7 thing */ -extern int 
SECU_PrintPKCS7ContentInfo(FILE *out, const SECItem *der, - const char *m, int level); +extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m, + int level); /* Init PKCS11 stuff */ extern SECStatus SECU_PKCS11Init(PRBool readOnly); /* Dump contents of signed data */ -extern int SECU_PrintSignedData(FILE *out, const SECItem *der, const char *m, +extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m, int level, SECU_PPFunc inner); /* Print cert data and its trust flags */ -extern SECStatus SEC_PrintCertificateAndTrust(const CERTCertificate *cert, +extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert, const char *label, - const CERTCertTrust *trust); + CERTCertTrust *trust); -extern int SECU_PrintCrl(FILE *out, const SECItem *der, const char *m, - int level); +extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level); extern void -SECU_PrintCRLInfo(FILE *out, const CERTCrl *crl, const char *m, int level); +SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level); -extern void SECU_PrintString(FILE *out, const SECItem *si, - const char *m, int level); -extern void SECU_PrintAny(FILE *out, const SECItem *i, const char *m, int level); +extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level); +extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level); -extern void SECU_PrintPolicy(FILE *out, const SECItem *value, - const char *msg, int level); -extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, const SECItem *value, - const char *msg, int level); +extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level); +extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value, + char *msg, int level); -extern void SECU_PrintExtensions(FILE *out, - CERTCertExtension const * const *extensions, - const char *msg, int level); +extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions, + char *msg, int level); -extern void 
SECU_PrintName(FILE *out, const CERTName *name, const char *msg, +extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg, int level); -extern void SECU_PrintRDN(FILE *out, const CERTRDN *rdn, const char *msg, int level); +extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level); #ifdef SECU_GetPassword /* Convert a High public Key to a Low public Key */ diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index 699f1feaf..d78881de2 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -455,7 +455,7 @@ mySSLSNISocketConfig(PRFileDesc *fd, const SECItem *sniNameArr, PRInt32 i = 0; const SECItem *current = sniNameArr; const char **nameArr = (const char**)arg; - secuPWData *pwdata; + const secuPWData *pwdata; CERTCertificate * cert = NULL; SECKEYPrivateKey * privKey = NULL; diff --git a/security/nss/cmd/signtool/verify.c b/security/nss/cmd/signtool/verify.c index 65c045f0f..a3f698bb6 100644 --- a/security/nss/cmd/signtool/verify.c +++ b/security/nss/cmd/signtool/verify.c @@ -79,7 +79,7 @@ VerifyJar(char *filename) "\nNOTE -- \"%s\" archive DID NOT PASS crypto verification.\n", filename); if (status < 0) { - const char *errtext; + char *errtext; if (status >= JAR_BASE && status <= JAR_BASE_END) { errtext = JAR_get_error (status); @@ -310,7 +310,7 @@ JarWho(char *filename) filename); retval = -1; if (jar->valid < 0 || status != -1) { - const char *errtext; + char *errtext; if (status >= JAR_BASE && status <= JAR_BASE_END) { errtext = JAR_get_error (status); diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index aa54a6e3e..80f343273 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c 
@@ -1096,7 +1096,7 @@ AppendAVA(stringBuf *bufp, CERTAVA *ava, CertStrictnessLevel strict) #undef vt char * -CERT_NameToAsciiInvertible(const CERTName *name, CertStrictnessLevel strict) +CERT_NameToAsciiInvertible(CERTName *name, CertStrictnessLevel strict) { CERTRDN** rdns; CERTRDN** lastRdn; @@ -1151,7 +1151,7 @@ loser: } char * -CERT_NameToAscii(const CERTName *name) +CERT_NameToAscii(CERTName *name) { return CERT_NameToAsciiInvertible(name, CERT_N2A_READABLE); } diff --git a/security/nss/lib/certdb/cert.h b/security/nss/lib/certdb/cert.h index 50ee8247c..e4fc67439 100644 --- a/security/nss/lib/certdb/cert.h +++ b/security/nss/lib/certdb/cert.h @@ -74,14 +74,14 @@ extern CERTName *CERT_AsciiToName(char *string); ** This version produces a string for maximum human readability, ** not for strict RFC compliance. */ -extern char *CERT_NameToAscii(const CERTName *name); +extern char *CERT_NameToAscii(CERTName *name); /* ** Convert an CERTName into its RFC1485 encoded equivalent. ** Returns a string that must be freed with PORT_Free(). ** Caller chooses encoding rules. */ -extern char *CERT_NameToAsciiInvertible(const CERTName *name, +extern char *CERT_NameToAsciiInvertible(CERTName *name, CertStrictnessLevel strict); extern CERTAVA *CERT_CopyAVA(PLArenaPool *arena, CERTAVA *src); @@ -525,7 +525,7 @@ extern CERTCertificate *CERT_FindCertByKey(CERTCertDBHandle *handle, SECItem *ke ** "name" is the distinguished name to look up */ extern CERTCertificate * -CERT_FindCertByName (CERTCertDBHandle *handle, const SECItem *name); +CERT_FindCertByName (CERTCertDBHandle *handle, SECItem *name); /* ** Find a certificate in the database by name 
@@ -920,7 +920,7 @@ extern SECStatus CERT_EncodeCRLDistributionPoints ** encodedValue - value to decoded */ extern SECStatus CERT_DecodeBasicConstraintValue - (CERTBasicConstraints *value, const SECItem *encodedValue); + (CERTBasicConstraints *value, SECItem *encodedValue); /* Decodes a DER encoded authorityKeyIdentifier extension value into a ** readable format. @@ -929,7 +929,7 @@ extern SECStatus CERT_DecodeBasicConstraintValue ** Returns a CERTAuthKeyID structure which contains the decoded value */ extern CERTAuthKeyID *CERT_DecodeAuthKeyID - (PLArenaPool *arena, const SECItem *encodedValue); + (PLArenaPool *arena, SECItem *encodedValue); /* Decodes a DER encoded crlDistributionPoints extension value into a @@ -940,7 +940,7 @@ extern CERTAuthKeyID *CERT_DecodeAuthKeyID ** decoded value */ extern CERTCrlDistributionPoints * CERT_DecodeCRLDistributionPoints - (PLArenaPool *arena, const SECItem *der); + (PLArenaPool *arena, SECItem *der); /* Extract certain name type from a generalName */ extern void *CERT_GetGeneralNameByType @@ -948,7 +948,7 @@ extern void *CERT_GetGeneralNameByType extern CERTOidSequence * -CERT_DecodeOidSequence(const SECItem *seqItem); +CERT_DecodeOidSequence(SECItem *seqItem); @@ -960,7 +960,7 @@ CERT_DecodeOidSequence(const SECItem *seqItem); ***************************************************************************/ extern SECStatus CERT_FindCertExtension - (const CERTCertificate *cert, int tag, SECItem *value); + (CERTCertificate *cert, int tag, SECItem *value); extern SECStatus CERT_FindNSCertTypeExtension (CERTCertificate *cert, SECItem *value); 
@@ -1061,11 +1061,10 @@ extern SECStatus CERT_FindCRLEntryReasonExten (CERTCrlEntry *crlEntry, extern void CERT_FreeNicknames(CERTCertNicknames *nicknames); -extern PRBool CERT_CompareCerts(const CERTCertificate *c1, - const CERTCertificate *c2); +extern PRBool CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2); extern PRBool CERT_CompareCertsForRedirection(CERTCertificate *c1, - CERTCertificate *c2); + CERTCertificate *c2); /* ** Generate an array of the Distinguished Names that the given cert database @@ -1186,30 +1185,28 @@ CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings); SECStatus CERT_DecodePolicyConstraintsExtension( - CERTCertificatePolicyConstraints *decodedValue, const SECItem *encodedValue); + CERTCertificatePolicyConstraints *decodedValue, SECItem *encodedValue); SECStatus CERT_DecodeInhibitAnyExtension - (CERTCertificateInhibitAny *decodedValue, const SECItem *extnValue); + (CERTCertificateInhibitAny *decodedValue, SECItem *extnValue); CERTUserNotice * -CERT_DecodeUserNotice(const SECItem *noticeItem); +CERT_DecodeUserNotice(SECItem *noticeItem); extern CERTGeneralName * -CERT_DecodeAltNameExtension(PLArenaPool *reqArena, - const SECItem *EncodedAltName); +CERT_DecodeAltNameExtension(PLArenaPool *reqArena, SECItem *EncodedAltName); extern CERTNameConstraints * CERT_DecodeNameConstraintsExtension(PLArenaPool *arena, - const SECItem *encodedConstraints); + SECItem *encodedConstraints); /* returns addr of a NULL termainated array of pointers to CERTAuthInfoAccess */ extern CERTAuthInfoAccess ** CERT_DecodeAuthInfoAccessExtension(PLArenaPool *reqArena, - const SECItem *encodedExtension); + SECItem *encodedExtension); extern CERTPrivKeyUsagePeriod * -CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, - const SECItem *extnValue); +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue); extern CERTGeneralName * CERT_GetNextGeneralName(CERTGeneralName *current); 
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 41b9506d5..85814960f 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -596,6 +596,17 @@ cert_ComputeCertType(CERTCertificate *cert) nsCertType |= NS_CERT_TYPE_SSL_SERVER; } } + /* Treat certs with step-up OID as also having SSL server type. */ + if (findOIDinOIDSeqByTagNum(extKeyUsage, + SEC_OID_NS_KEY_USAGE_GOVT_APPROVED) == + SECSuccess){ + if (basicConstraintPresent == PR_TRUE && + (basicConstraint.isCA)) { + nsCertType |= NS_CERT_TYPE_SSL_CA; + } else { + nsCertType |= NS_CERT_TYPE_SSL_SERVER; + } + } if (findOIDinOIDSeqByTagNum(extKeyUsage, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH) == SECSuccess){ @@ -1825,7 +1836,7 @@ CERT_VerifyCertName(CERTCertificate *cert, const char *hn) } PRBool -CERT_CompareCerts(const CERTCertificate *c1, const CERTCertificate *c2) +CERT_CompareCerts(CERTCertificate *c1, CERTCertificate *c2) { SECComparison comp; diff --git a/security/nss/lib/certdb/certv3.c b/security/nss/lib/certdb/certv3.c index 8385016f8..616926b21 100644 --- a/security/nss/lib/certdb/certv3.c +++ b/security/nss/lib/certdb/certv3.c @@ -57,7 +57,7 @@ CERT_FindCertExtensionByOID(CERTCertificate *cert, SECItem *oid, SECStatus -CERT_FindCertExtension(const CERTCertificate *cert, int tag, SECItem *value) +CERT_FindCertExtension(CERTCertificate *cert, int tag, SECItem *value) { return (cert_FindExtension (cert->extensions, tag, value)); } diff --git a/security/nss/lib/certdb/certxutl.c b/security/nss/lib/certdb/certxutl.c index 360faf54a..c28ef211d 100644 --- a/security/nss/lib/certdb/certxutl.c +++ b/security/nss/lib/certdb/certxutl.c 
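Review bot: The block added in the `cert_ComputeCertType` hunk assigns `NS_CERT_TYPE_SSL_SERVER` (or `NS_CERT_TYPE_SSL_CA`) on the strength of `SEC_OID_NS_KEY_USAGE_GOVT_APPROVED` alone. A certificate whose extended key usage lists the step-up OID but not server auth is therefore typed as an SSL server cert. The one-line comment does not say that this is intended, and the branch body is a copy of the server-auth branch just above it. I would state the intent explicitly, for example `/* Step-up OID alone is sufficient: such certs are typed as SSL server (or SSL CA when isCA) even without the serverAuth EKU. */`, and consider folding the two tests into one condition so the CA/server split lives in one place. The function body starts and ends outside the hunk.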
@@ -52,11 +52,11 @@ * require knowledge of data structures of callers */ #endif -static const CERTCertExtension * -GetExtension (CERTCertExtension const * const *extensions, const SECItem *oid) +static CERTCertExtension * +GetExtension (CERTCertExtension **extensions, SECItem *oid) { - CERTCertExtension const * const *exts; - const CERTCertExtension *ext = NULL; + CERTCertExtension **exts; + CERTCertExtension *ext = NULL; SECComparison comp; exts = extensions; @@ -76,10 +76,9 @@ GetExtension (CERTCertExtension const * const *extensions, const SECItem *oid) } SECStatus -cert_FindExtensionByOID (CERTCertExtension const * const *extensions, const SECItem *oid, - SECItem *value) +cert_FindExtensionByOID (CERTCertExtension **extensions, SECItem *oid, SECItem *value) { - const CERTCertExtension *ext; + CERTCertExtension *ext; SECStatus rv = SECSuccess; ext = GetExtension (extensions, oid); @@ -96,7 +95,7 @@ cert_FindExtensionByOID (CERTCertExtension const * const *extensions, const SECI SECStatus CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCritical) { - const CERTCertExtension *ext; + CERTCertExtension *ext; SECOidData *oid; if (!isCritical) @@ -123,8 +122,7 @@ CERT_GetExtenCriticality (CERTCertExtension **extensions, int tag, PRBool *isCri } SECStatus -cert_FindExtension(CERTCertExtension const * const *extensions, int tag, - SECItem *value) +cert_FindExtension(CERTCertExtension **extensions, int tag, SECItem *value) { SECOidData *oid; diff --git a/security/nss/lib/certdb/certxutl.h b/security/nss/lib/certdb/certxutl.h index cc38bbdee..9f8a1596d 100644 --- a/security/nss/lib/certdb/certxutl.h +++ b/security/nss/lib/certdb/certxutl.h 
@@ -66,12 +66,11 @@ cert_StartExtensions (void *owner, PLArenaPool *arena, void (*setExts)(void *object, CERTCertExtension **exts)); extern SECStatus -cert_FindExtension (CERTCertExtension const * const *extensions, int tag, - SECItem *value); +cert_FindExtension (CERTCertExtension **extensions, int tag, SECItem *value); extern SECStatus -cert_FindExtensionByOID (CERTCertExtension const * const *extensions, - const SECItem *oid, SECItem *value); +cert_FindExtensionByOID (CERTCertExtension **extensions, + SECItem *oid, SECItem *value); extern SECStatus cert_GetExtenCriticality (CERTCertExtension **extensions, diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index 0d539d531..0c2e1c6da 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -718,7 +718,7 @@ loser: CERTNameConstraints * cert_DecodeNameConstraints(PRArenaPool *reqArena, - const SECItem *encodedConstraints) + SECItem *encodedConstraints) { CERTNameConstraints *constraints; SECStatus rv; diff --git a/security/nss/lib/certdb/genname.h b/security/nss/lib/certdb/genname.h index 4ff6661fe..d7ab0f108 100644 --- a/security/nss/lib/certdb/genname.h +++ b/security/nss/lib/certdb/genname.h @@ -63,7 +63,7 @@ cert_EncodeNameConstraints(CERTNameConstraints *constraints, PRArenaPool *arena, SECItem *dest); extern CERTNameConstraints * -cert_DecodeNameConstraints(PRArenaPool *arena, const SECItem *encodedConstraints); +cert_DecodeNameConstraints(PRArenaPool *arena, SECItem *encodedConstraints); extern CERTGeneralName * cert_CombineNamesLists(CERTGeneralName *list1, CERTGeneralName *list2); diff --git a/security/nss/lib/certdb/polcyxtn.c b/security/nss/lib/certdb/polcyxtn.c index 7a4ad1c5d..a8aed3e8f 100644 --- a/security/nss/lib/certdb/polcyxtn.c +++ b/security/nss/lib/certdb/polcyxtn.c 
@@ -313,7 +313,7 @@ CERT_DestroyPolicyMappingsExtension(CERTCertificatePolicyMappings *mappings) SECStatus CERT_DecodePolicyConstraintsExtension (CERTCertificatePolicyConstraints *decodedValue, - const SECItem *encodedValue) + SECItem *encodedValue) { CERTCertificatePolicyConstraints decodeContext; PRArenaPool *arena = NULL; @@ -369,7 +369,7 @@ CERT_DecodePolicyConstraintsExtension } SECStatus CERT_DecodeInhibitAnyExtension - (CERTCertificateInhibitAny *decodedValue, const SECItem *encodedValue) + (CERTCertificateInhibitAny *decodedValue, SECItem *encodedValue) { CERTCertificateInhibitAny decodeContext; PRArenaPool *arena = NULL; @@ -402,7 +402,7 @@ SECStatus CERT_DecodeInhibitAnyExtension } CERTUserNotice * -CERT_DecodeUserNotice(const SECItem *noticeItem) +CERT_DecodeUserNotice(SECItem *noticeItem) { PRArenaPool *arena = NULL; SECStatus rv; @@ -636,7 +636,7 @@ const SEC_ASN1Template CERT_OidSeqTemplate[] = { }; CERTOidSequence * -CERT_DecodeOidSequence(const SECItem *seqItem) +CERT_DecodeOidSequence(SECItem *seqItem) { PRArenaPool *arena = NULL; SECStatus rv; diff --git a/security/nss/lib/certdb/stanpcertdb.c b/security/nss/lib/certdb/stanpcertdb.c index 62a1c004c..56587ea8c 100644 --- a/security/nss/lib/certdb/stanpcertdb.c +++ b/security/nss/lib/certdb/stanpcertdb.c @@ -535,7 +535,7 @@ get_best_temp_or_perm(NSSCertificate *ct, NSSCertificate *cp) } CERTCertificate * -CERT_FindCertByName(CERTCertDBHandle *handle, const SECItem *name) +CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name) { NSSCertificate *cp, *ct, *c; NSSDER subject; @@ -631,7 +631,7 @@ CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert) static CERTCertificate * common_FindCertByNicknameOrEmailAddrForUsage(CERTCertDBHandle *handle, - const char *name, + char *name, PRBool anyUsage, SECCertUsage lookingForUsage) { diff --git a/security/nss/lib/certdb/xauthkid.c b/security/nss/lib/certdb/xauthkid.c index 81e71d258..7d507980e 100644 --- a/security/nss/lib/certdb/xauthkid.c 
+++ b/security/nss/lib/certdb/xauthkid.c @@ -110,7 +110,7 @@ SECStatus CERT_EncodeAuthKeyID (PRArenaPool *arena, CERTAuthKeyID *value, SECIte } CERTAuthKeyID * -CERT_DecodeAuthKeyID (PRArenaPool *arena, const SECItem *encodedValue) +CERT_DecodeAuthKeyID (PRArenaPool *arena, SECItem *encodedValue) { CERTAuthKeyID * value = NULL; SECStatus rv = SECFailure; diff --git a/security/nss/lib/certdb/xbsconst.c b/security/nss/lib/certdb/xbsconst.c index f000fcd49..221a5686e 100644 --- a/security/nss/lib/certdb/xbsconst.c +++ b/security/nss/lib/certdb/xbsconst.c @@ -120,7 +120,7 @@ SECStatus CERT_EncodeBasicConstraintValue } SECStatus CERT_DecodeBasicConstraintValue - (CERTBasicConstraints *value, const SECItem *encodedValue) + (CERTBasicConstraints *value, SECItem *encodedValue) { EncodedContext decodeContext; PRArenaPool *our_pool; diff --git a/security/nss/lib/certdb/xconst.c b/security/nss/lib/certdb/xconst.c index 58c0ad187..7d23b4092 100644 --- a/security/nss/lib/certdb/xconst.c +++ b/security/nss/lib/certdb/xconst.c @@ -131,8 +131,7 @@ CERT_EncodePrivateKeyUsagePeriod(PRArenaPool *arena, } CERTPrivKeyUsagePeriod * -CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, - const SECItem *extnValue) +CERT_DecodePrivKeyUsagePeriodExtension(PLArenaPool *arena, SECItem *extnValue) { SECStatus rv; CERTPrivKeyUsagePeriod *pPeriod; @@ -203,8 +202,7 @@ CERT_EncodeAltNameExtension(PRArenaPool *arena, CERTGeneralName *value, SECIte } CERTGeneralName * -CERT_DecodeAltNameExtension(PRArenaPool *reqArena, - const SECItem *EncodedAltName) +CERT_DecodeAltNameExtension(PRArenaPool *reqArena, SECItem *EncodedAltName) { SECStatus rv = SECSuccess; CERTAltNameEncodedContext encodedContext; @@ -252,7 +250,7 @@ CERT_EncodeNameConstraintsExtension(PRArenaPool *arena, CERTNameConstraints * CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, - const SECItem *encodedConstraints) + SECItem *encodedConstraints) { return cert_DecodeNameConstraints(arena, encodedConstraints); } 
@@ -260,7 +258,7 @@ CERT_DecodeNameConstraintsExtension(PRArenaPool *arena, CERTAuthInfoAccess ** CERT_DecodeAuthInfoAccessExtension(PRArenaPool *reqArena, - const SECItem *encodedExtension) + SECItem *encodedExtension) { CERTAuthInfoAccess **info = NULL; SECStatus rv; diff --git a/security/nss/lib/certhigh/certvfypkix.c b/security/nss/lib/certhigh/certvfypkix.c index fdd670a58..282d69b4e 100644 --- a/security/nss/lib/certhigh/certvfypkix.c +++ b/security/nss/lib/certhigh/certvfypkix.c @@ -225,6 +225,9 @@ typedef struct { const SECCertUsageToEku certUsageEkuStringMap[] = { {certUsageSSLClient, ekuIndexSSLClient}, {certUsageSSLServer, ekuIndexSSLServer}, + {certUsageSSLServerWithStepUp, ekuIndexSSLServer}, /* need to add oids to + * the list of eku. + * see 390381*/ {certUsageSSLCA, ekuIndexSSLServer}, {certUsageEmailSigner, ekuIndexEmail}, {certUsageEmailRecipient, ekuIndexEmail}, @@ -236,6 +239,8 @@ const SECCertUsageToEku certUsageEkuStringMap[] = { {certUsageAnyCA, ekuIndexUnknown}, }; +#define CERT_USAGE_EKU_STRING_MAPS_TOTAL 12 + /* * FUNCTION: cert_NssCertificateUsageToPkixKUAndEKU * DESCRIPTION: @@ -287,7 +292,7 @@ cert_NssCertificateUsageToPkixKUAndEKU( PKIX_List_Create(&ekuOidsList, plContext), PKIX_LISTCREATEFAILED); - for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) { + for (;i < CERT_USAGE_EKU_STRING_MAPS_TOTAL;i++) { const SECCertUsageToEku *usageToEkuElem = &certUsageEkuStringMap[i]; if (usageToEkuElem->certUsage == requiredCertUsage) { diff --git a/security/nss/lib/certhigh/xcrldist.c b/security/nss/lib/certhigh/xcrldist.c index 1f3ec1427..d4d098ae4 100644 --- a/security/nss/lib/certhigh/xcrldist.c +++ b/security/nss/lib/certhigh/xcrldist.c 
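Review bot: The loop bound in `cert_NssCertificateUsageToPkixKUAndEKU` is now the literal `CERT_USAGE_EKU_STRING_MAPS_TOTAL 12`, although the first certvfypkix.c hunk adds a `certUsageSSLServerWithStepUp` row to `certUsageEkuStringMap`. The full table is not visible here, so the 12 cannot be confirmed. If the count is ever higher than the table, the loop reads past the end of the array; if lower, the trailing usages are silently never matched. Deriving the bound from the array removes that risk: `for (;i < PR_ARRAY_SIZE(certUsageEkuStringMap);i++) {`. If the macro has to stay, a compile-time check that it equals the array length would catch drift.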
@@ -171,8 +171,7 @@ CERT_EncodeCRLDistributionPoints (PLArenaPool *arena, } CERTCrlDistributionPoints * -CERT_DecodeCRLDistributionPoints (PLArenaPool *arena, - const SECItem *encodedValue) +CERT_DecodeCRLDistributionPoints (PLArenaPool *arena, SECItem *encodedValue) { CERTCrlDistributionPoints *value = NULL; CRLDistributionPoint **pointList, *point; diff --git a/security/nss/lib/cryptohi/keyhi.h b/security/nss/lib/cryptohi/keyhi.h index 4a7e66d03..892e273c1 100644 --- a/security/nss/lib/cryptohi/keyhi.h +++ b/security/nss/lib/cryptohi/keyhi.h @@ -171,7 +171,7 @@ SECKEY_ConvertAndDecodeSubjectPublicKeyInfo(char *spkistr); * (used by JSS). */ extern SECKEYPublicKey * -SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *); +SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *); /* ** Destroy a private key object. diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index bcf32e07e..ffd27ad6d 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -469,10 +469,8 @@ SECKEY_UpdateCertPQG(CERTCertificate * subjectCert) * the normal standard format. Store the decoded parameters in * a V3 certificate data structure. */ -static SECStatus -seckey_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, - const SECItem *params) -{ +SECStatus +SECKEY_DSADecodePQG(PRArenaPool *arena, SECKEYPublicKey *pubk, SECItem *params) { SECStatus rv; SECItem newparams; @@ -572,7 +570,7 @@ CERT_GetCertKeyType (CERTSubjectPublicKeyInfo *spki) } static SECKEYPublicKey * -seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) +seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki) { SECKEYPublicKey *pubk; SECItem os, newOs, newParms; 
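Review bot: In the seckey.c hunk `seckey_DSADecodePQG` loses `static` and becomes the externally visible `SECKEY_DSADecodePQG`, but the keyhi.h hunk on this page adds no prototype for it. Unless a declaration exists in a header outside these hunks, the symbol is exported with no checked signature, and a caller in another file would compile against an implicit or hand-written declaration. Either keep it file-local (`static SECStatus`) or declare it in the header that seckey.c includes, with a comment on who owns `params`. The function body continues outside the hunk.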
@@ -621,7 +619,7 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) rv = SEC_QuickDERDecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &newOs); if (rv != SECSuccess) break; - rv = seckey_DSADecodePQG(arena, pubk, + rv = SECKEY_DSADecodePQG(arena, pubk, &spki->algorithm.parameters); if (rv == SECSuccess) return pubk; @@ -671,7 +669,7 @@ seckey_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) /* required for JSS */ SECKEYPublicKey * -SECKEY_ExtractPublicKey(const CERTSubjectPublicKeyInfo *spki) +SECKEY_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki) { return seckey_ExtractPublicKey(spki); } diff --git a/security/nss/lib/nss/utilwrap.c b/security/nss/lib/nss/utilwrap.c index 7afb2699e..900ab325a 100644 --- a/security/nss/lib/nss/utilwrap.c +++ b/security/nss/lib/nss/utilwrap.c @@ -330,7 +330,7 @@ SECStatus SECOID_CopyAlgorithmID(PRArenaPool *arena, SECAlgorithmID *dest, return SECOID_CopyAlgorithmID_Util(arena, dest, src); } -SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *aid) +SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid) { return SECOID_GetAlgorithmTag_Util(aid); } @@ -434,7 +434,7 @@ SECStatus DER_Lengths(SECItem *item, int *header_len_p, return DER_Lengths_Util(item, header_len_p, contents_len_p); } -long DER_GetInteger(const SECItem *src) +long DER_GetInteger(SECItem *src) { return DER_GetInteger_Util(src); } diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c index a7034ed0f..f68cddff8 100644 --- a/security/nss/lib/pkcs7/p7decode.c +++ b/security/nss/lib/pkcs7/p7decode.c @@ -1114,7 +1114,7 @@ SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx) SEC_PKCS7ContentInfo * -SEC_PKCS7DecodeItem(const SECItem *p7item, +SEC_PKCS7DecodeItem(SECItem *p7item, SEC_PKCS7DecoderContentCallback cb, void *cb_arg, SECKEYGetPasswordKey pwfn, void *pwfn_arg, SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, 
diff --git a/security/nss/lib/pkcs7/secpkcs7.h b/security/nss/lib/pkcs7/secpkcs7.h index b10e58256..645eb77d4 100644 --- a/security/nss/lib/pkcs7/secpkcs7.h +++ b/security/nss/lib/pkcs7/secpkcs7.h @@ -106,7 +106,7 @@ SEC_PKCS7DecoderFinish(SEC_PKCS7DecoderContext *p7dcx); void SEC_PKCS7DecoderAbort(SEC_PKCS7DecoderContext *p7dcx, int error); extern SEC_PKCS7ContentInfo * -SEC_PKCS7DecodeItem(const SECItem *p7item, +SEC_PKCS7DecodeItem(SECItem *p7item, SEC_PKCS7DecoderContentCallback cb, void *cb_arg, SECKEYGetPasswordKey pwfn, void *pwfn_arg, SEC_PKCS7GetDecryptKeyCallback decrypt_key_cb, diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c index ed9eec72b..a35f4f838 100644 --- a/security/nss/lib/pki/pki3hack.c +++ b/security/nss/lib/pki/pki3hack.c @@ -592,6 +592,10 @@ cert_trust_from_stan_trust(NSSTrust *t, PRArenaPool *arena) rvTrust->sslFlags |= client; rvTrust->emailFlags = get_nss3trust_from_nss4trust(t->emailProtection); rvTrust->objectSigningFlags = get_nss3trust_from_nss4trust(t->codeSigning); + /* The cert is a valid step-up cert (in addition to/lieu of trust above */ + if (t->stepUpApproved) { + rvTrust->sslFlags |= CERTDB_GOVT_APPROVED_CA; + } return rvTrust; } diff --git a/security/nss/lib/softoken/pkcs11i.h b/security/nss/lib/softoken/pkcs11i.h index c51c54aba..e19c7d153 100644 --- a/security/nss/lib/softoken/pkcs11i.h +++ b/security/nss/lib/softoken/pkcs11i.h @@ -636,7 +636,7 @@ extern void sftk_nullAttribute(SFTKObject *object,CK_ATTRIBUTE_TYPE type); extern CK_RV sftk_GetULongAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, CK_ULONG *longData); extern CK_RV sftk_forceAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, - const void *value, unsigned int len); + void *value, unsigned int len); extern CK_RV sftk_defaultAttribute(SFTKObject *object, CK_ATTRIBUTE_TYPE type, void *value, unsigned int len); extern unsigned int sftk_MapTrust(CK_TRUST trust, PRBool clientAuth); 
diff --git a/security/nss/lib/ssl/SSLerrs.h b/security/nss/lib/ssl/SSLerrs.h index 141f290e7..44b967e30 100644 --- a/security/nss/lib/ssl/SSLerrs.h +++ b/security/nss/lib/ssl/SSLerrs.h @@ -408,6 +408,3 @@ ER3(SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY, (SSL_ERROR_BASE + 115), ER3(SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID, (SSL_ERROR_BASE + 116), "SSL received invalid NPN extension data.") - -ER3(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2, (SSL_ERROR_BASE + 117), -"SSL feature not supported for SSL 2.0 connections.") diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 0e05ad33d..ea79c8ffb 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -238,6 +238,9 @@ static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { #define EXPORT_RSA_KEY_LENGTH 64 /* bytes */ +/* This is a hack to make sure we don't do double handshakes for US policy */ +PRBool ssl3_global_policy_some_restricted = PR_FALSE; + /* This global item is used only in servers. It is is initialized by ** SSL_ConfigSecureServer(), and is used in ssl3_SendCertificateRequest(). */ @@ -3757,6 +3760,7 @@ done: **************************************************************************/ /* Called from ssl3_HandleHelloRequest(), + * ssl3_HandleFinished() (for step-up) * ssl3_RedoHandshake() * ssl2_BeginClientHandshake (when resuming ssl3 session) */ @@ -5580,7 +5584,7 @@ ssl3_HandleCertificateRequest(sslSocket *ss, SSL3Opaque *b, PRUint32 length) } switch (rv) { case SECWouldBlock: /* getClientAuthData has put up a dialog box. */ - ssl3_SetAlwaysBlock(ss); + ssl_SetAlwaysBlock(ss); break; /* not an error */ case SECSuccess: @@ -7816,6 +7820,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ssl3CertNode * lastCert = NULL; ssl3CertNode * certs = NULL; PRArenaPool * arena = NULL; + CERTCertificate *cert; PRInt32 remaining = 0; PRInt32 size; SECStatus rv; 
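Review bot: `ssl3_global_policy_some_restricted` is introduced as a writable global with external linkage and only the comment "This is a hack" to describe it. The `ssl3_SetPolicy` hunk further down sets it to `PR_TRUE` and nothing visible ever clears it, so once any suite has been marked `SSL_RESTRICTED` every later client handshake in the process takes the step-up checks. It is also read on handshake paths with no visible lock. If no other file references it, `static PRBool ssl3_global_policy_some_restricted = PR_FALSE;` would limit the exposure. The comment should say that the flag is set-once and process-wide, and what callers may assume about concurrent `ssl3_SetPolicy` calls.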
@@ -7972,7 +7977,7 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) SSL_GETPID(), ss->fd)); ss->ssl3.peerCertChain = certs; certs = NULL; - ssl3_SetAlwaysBlock(ss); + ssl_SetAlwaysBlock(ss); goto cert_block; } /* cert is bad */ @@ -7981,11 +7986,23 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) /* cert is good */ } + /* start SSL Step Up, if appropriate */ + cert = ss->sec.peerCert; + if (!isServer && + ssl3_global_policy_some_restricted && + ss->ssl3.policy == SSL_ALLOWED && + anyRestrictedEnabled(ss) && + SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert, + PR_FALSE, /* checkSig */ + certUsageSSLServerWithStepUp, +/*XXX*/ ss->authCertificateArg) ) { + ss->ssl3.policy = SSL_RESTRICTED; + ss->ssl3.hs.rehandshake = PR_TRUE; + } + ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); if (!ss->sec.isServer) { - CERTCertificate *cert = ss->sec.peerCert; - /* set the server authentication and key exchange types and sizes ** from the value in the cert. If the key exchange key is different, ** it will get fixed when we handle the server key exchange message. @@ -8125,7 +8142,8 @@ loser: int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) { - int rv = SECSuccess; + CERTCertificate * cert; + int rv = SECSuccess; if (MSB(ss->version) != MSB(SSL_LIBRARY_VERSION_3_0)) { SET_ERROR_CODE 
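Review bot: The step-up block added to `ssl3_HandleCertificate` switches `ss->ssl3.policy` to `SSL_RESTRICTED` and requests a rehandshake based only on a `CERT_VerifyCertNow` call made with `checkSig` set to `PR_FALSE`. The same block appears in the `ssl3_RestartHandshakeAfterServerCert` hunk that follows, where the comment says the user "decided to accept the cert". On that path an earlier successful verification cannot be assumed, so the step-up decision may rest on a chain whose signatures were never checked in this call. Unless a caller outside these hunks guarantees a prior signature check, I would pass `PR_TRUE, /* checkSig */` in both places, or document next to the call why skipping it is safe. The `/*XXX*/` on `ss->authCertificateArg` should be replaced by a sentence saying what is unresolved.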
@@ -8136,6 +8154,21 @@ ssl3_RestartHandshakeAfterServerCert(sslSocket *ss) return SECFailure; } + cert = ss->sec.peerCert; + + /* Permit step up if user decided to accept the cert */ + if (!ss->sec.isServer && + ssl3_global_policy_some_restricted && + ss->ssl3.policy == SSL_ALLOWED && + anyRestrictedEnabled(ss) && + (SECSuccess == CERT_VerifyCertNow(cert->dbhandle, cert, + PR_FALSE, /* checksig */ + certUsageSSLServerWithStepUp, +/*XXX*/ ss->authCertificateArg) )) { + ss->ssl3.policy = SSL_RESTRICTED; + ss->ssl3.hs.rehandshake = PR_TRUE; + } + if (ss->handshake != NULL) { ss->handshake = ssl_GatherRecord1stHandshake; ss->sec.ci.sid->peerCert = CERT_DupCertificate(ss->sec.peerCert); @@ -8392,6 +8425,7 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, SECStatus rv = SECSuccess; PRBool isServer = ss->sec.isServer; PRBool isTLS; + PRBool doStepUp; SSL3KEAType effectiveExchKeyType; PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) ); @@ -8447,6 +8481,8 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, } } + doStepUp = (PRBool)(!isServer && ss->ssl3.hs.rehandshake); + ssl_GetXmitBufLock(ss); /*************************************/ if ((isServer && !ss->ssl3.hs.isResuming) || @@ -8472,11 +8508,12 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, goto xmit_loser; /* err is set. */ } /* If this thread is in SSL_SecureSend (trying to write some data) + ** or if it is going to step up, ** then set the ssl_SEND_FLAG_FORCE_INTO_BUFFER flag, so that the ** last two handshake messages (change cipher spec and finished) ** will be sent in the same send/write call as the application data. */ - if (ss->writerThread == PR_GetCurrentThread()) { + if (doStepUp || ss->writerThread == PR_GetCurrentThread()) { flags = ssl_SEND_FLAG_FORCE_INTO_BUFFER; } 
@@ -8493,12 +8530,19 @@ ssl3_HandleFinished(sslSocket *ss, SSL3Opaque *b, PRUint32 length, } } + /* Optimization: don't cache this connection if we're going to step up. */ + if (doStepUp) { + ssl_FreeSID(sid); + ss->sec.ci.sid = sid = NULL; + ss->ssl3.hs.rehandshake = PR_FALSE; + rv = ssl3_SendClientHello(ss); xmit_loser: - ssl_ReleaseXmitBufLock(ss); /*************************************/ - if (rv != SECSuccess) { - return rv; + ssl_ReleaseXmitBufLock(ss); + return rv; /* err code is set if appropriate. */ } + ssl_ReleaseXmitBufLock(ss); /*************************************/ + /* The first handshake is now completed. */ ss->handshake = NULL; ss->firstHsDone = PR_TRUE; @@ -9213,6 +9257,7 @@ ssl3_InitState(sslSocket *ss) ssl_GetSpecWriteLock(ss); ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0]; ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1]; + ss->ssl3.hs.rehandshake = PR_FALSE; ss->ssl3.hs.sendingSCSV = PR_FALSE; ssl3_InitCipherSpec(ss, ss->ssl3.crSpec); ssl3_InitCipherSpec(ss, ss->ssl3.prSpec); @@ -9321,6 +9366,10 @@ ssl3_SetPolicy(ssl3CipherSuite which, int policy) } suite->policy = policy; + if (policy == SSL_RESTRICTED) { + ssl3_global_policy_some_restricted = PR_TRUE; + } + return SECSuccess; } diff --git a/security/nss/lib/ssl/sslcon.c b/security/nss/lib/ssl/sslcon.c index b84327e11..4676659e1 100644 --- a/security/nss/lib/ssl/sslcon.c +++ b/security/nss/lib/ssl/sslcon.c @@ -518,6 +518,7 @@ ssl2_GetSendBuffer(sslSocket *ss, unsigned int len) * ssl2_HandleMessage() <- ssl_Do1stHandshake() * ssl2_HandleServerHelloMessage() <- ssl_Do1stHandshake() after ssl2_BeginClientHandshake() + * ssl2_RestartHandshakeAfterCertReq() <- Called from certdlgs.c in nav. * ssl2_HandleClientHelloMessage() <- ssl_Do1stHandshake() after ssl2_BeginServerHandshake() * 
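Review bot: The `xmit_loser:` label now sits inside the body of `if (doStepUp)`, so every earlier `goto xmit_loser` jumps into a conditional block and leaves through the step-up path's `return rv`. That is legal C but easy to break on the next edit, and the `/* Optimization: ... */` comment does not mention that the block doubles as the error exit. Keeping the label after the block, e.g. `xmit_loser: ssl_ReleaseXmitBufLock(ss); if (rv != SECSuccess || doStepUp) return rv;`, keeps a single unlock and makes both exits explicit. This assumes every `goto xmit_loser` is taken with `rv` already set to a failure, which the part of ssl3_HandleFinished outside the hunk would need to confirm.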
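Review bot: Within the visible part of the diff, `ssl3_global_policy_some_restricted` is only ever set to `PR_TRUE` by the lines added to ssl3_SetPolicy; setting a suite back to another policy later does not clear it, so the flag that gates the step-up test stays on for the life of the process. If that is intended, say so next to the assignment, for example `/* sticky: never cleared, even if no suite remains SSL_RESTRICTED */`. The write is also unsynchronised as far as the hunk shows, which deserves a word in the same comment if ssl3_SetPolicy can run while handshakes are in progress.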
@@ -764,6 +765,7 @@ done: } /* Called from ssl2_HandleRequestCertificate() <- ssl2_HandleMessage() + * ssl2_RestartHandshakeAfterCertReq() <- (application) * Acquires and releases the socket's xmitBufLock. */ static int @@ -1175,6 +1177,7 @@ loser: /* ** Called from: ssl2_HandleServerHelloMessage, ** ssl2_HandleClientSessionKeyMessage, +** ssl2_RestartHandshakeAfterServerCert, ** ssl2_HandleClientHelloMessage, ** */ @@ -1234,7 +1237,9 @@ ssl2_UseClearSendFunc(sslSocket *ss) * ssl2_HandleServerHelloMessage * ssl2_BeginClientHandshake * ssl2_HandleClientSessionKeyMessage + * ssl2_RestartHandshakeAfterCertReq * ssl3_RestartHandshakeAfterCertReq + * ssl2_RestartHandshakeAfterServerCert * ssl3_RestartHandshakeAfterServerCert * ssl2_HandleClientHelloMessage * ssl2_BeginServerHandshake @@ -2227,6 +2232,8 @@ ssl2_TriggerNextMessage(sslSocket *ss) ** ssl2_HandleVerifyMessage ** ssl2_HandleServerHelloMessage ** ssl2_HandleClientSessionKeyMessage +** ssl2_RestartHandshakeAfterCertReq +** ssl2_RestartHandshakeAfterServerCert */ static SECStatus ssl2_TryToFinish(sslSocket *ss) @@ -2260,6 +2267,7 @@ ssl2_TryToFinish(sslSocket *ss) /* ** Called from ssl2_HandleRequestCertificate +** ssl2_RestartHandshakeAfterCertReq */ static SECStatus ssl2_SignResponse(sslSocket *ss, @@ -2346,9 +2354,8 @@ ssl2_HandleRequestCertificate(sslSocket *ss) ret = (*ss->getClientAuthData)(ss->getClientAuthDataArg, ss->fd, NULL, &cert, &key); if ( ret == SECWouldBlock ) { - PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); - ret = -1; - goto loser; + ssl_SetAlwaysBlock(ss); + goto done; } if (ret) { @@ -2708,7 +2715,8 @@ ssl2_HandleMessage(sslSocket *ss) /************************************************************************/ -/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage. +/* Called from ssl_Do1stHandshake, after ssl2_HandleServerHelloMessage or +** ssl2_RestartHandshakeAfterServerCert. */ static SECStatus ssl2_HandleVerifyMessage(sslSocket *ss) 
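Review bot: The new `SECWouldBlock` branch in ssl2_HandleRequestCertificate (hunk at -2346) carries no comment on how the parked handshake is resumed, while the matching branch added to ssl2_HandleServerHelloMessage does get one. A line such as `/* resumed by ssl2_RestartHandshakeAfterCertReq() once the application has chosen a cert */` above `ssl_SetAlwaysBlock(ss);` would tie the two ends together. Whether `ret` is still `SECWouldBlock` when the code at `done:` returns cannot be seen here, since the label lies outside the hunk.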
@@ -2928,16 +2936,19 @@ ssl2_HandleServerHelloMessage(sslSocket *ss) rv = (*ss->handleBadCert)(ss->badCertArg, ss->fd); if ( rv ) { if ( rv == SECWouldBlock ) { - SSL_DBG(("%d: SSL[%d]: SSL2 bad cert handler returned " - "SECWouldBlock", SSL_GETPID(), ss->fd)); - PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); - rv = SECFailure; - } else { - /* cert is bad */ - SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d", - SSL_GETPID(), ss->fd, PORT_GetError())); + /* someone will handle this connection asynchronously*/ + + SSL_DBG(("%d: SSL[%d]: go to async cert handler", + SSL_GETPID(), ss->fd)); + ssl_ReleaseRecvBufLock(ss); + ssl_SetAlwaysBlock(ss); + return SECWouldBlock; } + /* cert is bad */ + SSL_DBG(("%d: SSL[%d]: server certificate is no good: error=%d", + SSL_GETPID(), ss->fd, PORT_GetError())); goto loser; + } /* cert is good */ } else { 
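Review bot: The `SECWouldBlock` branch in ssl2_HandleServerHelloMessage returns directly instead of leaving through `loser`, and repeats by hand only `ssl_ReleaseRecvBufLock(ss)`; if the common exit releases or resets anything else, this path skips it, which cannot be checked from the hunk because the exit code lies outside it. A comment on the early return, e.g. `/* recvBufLock is the only thing held here; the handshake stays parked until ssl2_RestartHandshakeAfterServerCert() */`, would record that assumption once it has been confirmed. The comment `/* someone will handle this connection asynchronously*/` is also missing the space before `*/`.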
@@ -3320,6 +3331,133 @@ loser: } /* + * attempt to restart the handshake after asynchronously handling + * a request for the client's certificate. + * + * inputs: + * cert Client cert chosen by application. + * key Private key associated with cert. + * + * XXX: need to make ssl2 and ssl3 versions of this function agree on whether + * they take the reference, or bump the ref count! + * + * Return value: XXX + * + * Caller holds 1stHandshakeLock. + */ +int +ssl2_RestartHandshakeAfterCertReq(sslSocket * ss, + CERTCertificate * cert, + SECKEYPrivateKey * key) +{ + int ret; + SECStatus rv = SECSuccess; + SECItem response; + + if (ss->version >= SSL_LIBRARY_VERSION_3_0) + return SECFailure; + + response.data = NULL; + + /* generate error if no cert or key */ + if ( ( cert == NULL ) || ( key == NULL ) ) { + goto no_cert; + } + + /* generate signed response to the challenge */ + rv = ssl2_SignResponse(ss, key, &response); + if ( rv != SECSuccess ) { + goto no_cert; + } + + /* Send response message */ + ret = ssl2_SendCertificateResponseMessage(ss, &cert->derCert, &response); + if (ret) { + goto no_cert; + } + + /* try to finish the handshake */ + ret = ssl2_TryToFinish(ss); + if (ret) { + goto loser; + } + + /* done with handshake */ + if (ss->handshake == 0) { + ret = SECSuccess; + goto done; + } + + /* continue handshake */ + ssl_GetRecvBufLock(ss); + ss->gs.recordLen = 0; + ssl_ReleaseRecvBufLock(ss); + + ss->handshake = ssl_GatherRecord1stHandshake; + ss->nextHandshake = ssl2_HandleMessage; + ret = ssl2_TriggerNextMessage(ss); + goto done; + +no_cert: + /* no cert - send error */ + ret = ssl2_SendErrorMessage(ss, SSL_PE_NO_CERTIFICATE); + goto done; + +loser: + ret = SECFailure; +done: + /* free allocated data */ + if ( response.data ) { + PORT_Free(response.data); + } + + return ret; +} + + +/* restart an SSL connection that we stopped to run certificate dialogs +** XXX Need to document here how an application marks a cert to show that +** the application has accepted 
it (overridden CERT_VerifyCert). + * + * Return value: XXX + * + * Caller holds 1stHandshakeLock. +*/ +int +ssl2_RestartHandshakeAfterServerCert(sslSocket *ss) +{ + int rv = SECSuccess; + + if (ss->version >= SSL_LIBRARY_VERSION_3_0) + return SECFailure; + + /* SSL 2 + ** At this point we have a completed session key and our session + ** cipher is setup and ready to go. Switch to encrypted write routine + ** as all future message data is to be encrypted. + */ + ssl2_UseEncryptedSendFunc(ss); + + rv = ssl2_TryToFinish(ss); + if (rv == SECSuccess && ss->handshake != NULL) { + /* handshake is not yet finished. */ + + SSL_TRC(5, ("%d: SSL[%d]: got server-hello, required=0x%d got=0x%x", + SSL_GETPID(), ss->fd, ss->sec.ci.requiredElements, + ss->sec.ci.elements)); + + ssl_GetRecvBufLock(ss); + ss->gs.recordLen = 0; /* mark it all used up. */ + ssl_ReleaseRecvBufLock(ss); + + ss->handshake = ssl_GatherRecord1stHandshake; + ss->nextHandshake = ssl2_HandleVerifyMessage; + } + + return rv; +} + +/* ** Handle the initial hello message from the client ** ** not static because ssl2_GatherData() tests ss->nextHandshake for this value. diff --git a/security/nss/lib/ssl/sslerr.h b/security/nss/lib/ssl/sslerr.h index 94e0afc1d..76d976267 100644 --- a/security/nss/lib/ssl/sslerr.h +++ b/security/nss/lib/ssl/sslerr.h @@ -207,8 +207,6 @@ SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY = (SSL_ERROR_BASE + 115), SSL_ERROR_NEXT_PROTOCOL_DATA_INVALID = (SSL_ERROR_BASE + 116), -SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2 = (SSL_ERROR_BASE + 117), - SSL_ERROR_END_OF_LIST /* let the c compiler determine the value of this. */ } SSLErrorCodes; #endif /* NO_SECURITY_ERROR_ENUM */ diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 87a399ad0..4a88008d4 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h 
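Review bot: ssl2_RestartHandshakeAfterServerCert checks only the protocol version before it calls `ssl2_UseEncryptedSendFunc(ss)` and `ssl2_TryToFinish(ss)`; nothing in the function confirms that the handshake was suspended by the bad-cert path or that the application accepted the server certificate, a gap the header comment itself marks with XXX. The precondition should at least be written down, e.g. `/* Precondition: ssl2_HandleServerHelloMessage() returned SECWouldBlock for this socket and the application accepted ss->sec.peerCert */`, and both `Return value: XXX` placeholders in this hunk replaced with the actual contract. In ssl2_RestartHandshakeAfterCertReq the `no_cert` path returns the result of `ssl2_SendErrorMessage`, so a failed `ssl2_SignResponse` can surface to the caller as success; the return-value text should say whether that is intended. The `SSL_TRC` format `required=0x%d` prints a decimal value behind a hex prefix, where `0x%x` would match the second field.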
@@ -775,6 +775,8 @@ const ssl3CipherSuiteDef *suite_def; unsigned long msg_len; SECItem ca_list; /* used only by client */ PRBool isResuming; /* are we resuming a session */ + PRBool rehandshake; /* immediately start another handshake + * when this one finishes */ PRBool usedStepDownKey; /* we did a server key exchange. */ PRBool sendingSCSV; /* instead of empty RI */ sslBuffer msgState; /* current state for handshake messages*/ @@ -1148,6 +1150,7 @@ extern FILE * ssl_keylog_iob; extern CERTDistNames * ssl3_server_ca_list; extern PRUint32 ssl_sid_timeout; extern PRUint32 ssl3_sid_timeout; +extern PRBool ssl3_global_policy_some_restricted; extern const char * const ssl_cipherName[]; extern const char * const ssl3_cipherName[]; @@ -1261,7 +1264,7 @@ extern PRBool ssl_FdIsBlocking(PRFileDesc *fd); extern PRBool ssl_SocketIsBlocking(sslSocket *ss); -extern void ssl3_SetAlwaysBlock(sslSocket *ss); +extern void ssl_SetAlwaysBlock(sslSocket *ss); extern SECStatus ssl_EnableNagleDelay(sslSocket *ss, PRBool enabled); @@ -1350,11 +1353,16 @@ extern void ssl_FreeSocket(struct sslSocketStr *ssl); extern SECStatus SSL3_SendAlert(sslSocket *ss, SSL3AlertLevel level, SSL3AlertDescription desc); +extern int ssl2_RestartHandshakeAfterCertReq(sslSocket * ss, + CERTCertificate * cert, + SECKEYPrivateKey * key); + extern SECStatus ssl3_RestartHandshakeAfterCertReq(sslSocket * ss, CERTCertificate * cert, SECKEYPrivateKey * key, CERTCertificateList *certChain); +extern int ssl2_RestartHandshakeAfterServerCert(sslSocket *ss); extern int ssl3_RestartHandshakeAfterServerCert(sslSocket *ss); /* diff --git a/security/nss/lib/ssl/sslsecur.c b/security/nss/lib/ssl/sslsecur.c index 88c6f5790..e7bd09efb 100644 --- a/security/nss/lib/ssl/sslsecur.c +++ b/security/nss/lib/ssl/sslsecur.c 
@@ -173,7 +173,7 @@ ssl_Do1stHandshake(sslSocket *ss) * retry on a connection on the next read/write. */ static SECStatus -ssl3_AlwaysBlock(sslSocket *ss) +AlwaysBlock(sslSocket *ss) { PORT_SetError(PR_WOULD_BLOCK_ERROR); /* perhaps redundant. */ return SECWouldBlock; @@ -183,10 +183,10 @@ ssl3_AlwaysBlock(sslSocket *ss) * set the initial handshake state machine to block */ void -ssl3_SetAlwaysBlock(sslSocket *ss) +ssl_SetAlwaysBlock(sslSocket *ss) { if (!ss->firstHsDone) { - ss->handshake = ssl3_AlwaysBlock; + ss->handshake = AlwaysBlock; ss->nextHandshake = 0; } } @@ -1500,8 +1500,7 @@ SSL_RestartHandshakeAfterCertReq(sslSocket * ss, if (ss->version >= SSL_LIBRARY_VERSION_3_0) { ret = ssl3_RestartHandshakeAfterCertReq(ss, cert, key, certChain); } else { - PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); - ret = SECFailure; + ret = ssl2_RestartHandshakeAfterCertReq(ss, cert, key); } ssl_Release1stHandshakeLock(ss); /************************************/ @@ -1528,8 +1527,7 @@ SSL_RestartHandshakeAfterServerCert(sslSocket *ss) if (ss->version >= SSL_LIBRARY_VERSION_3_0) { rv = ssl3_RestartHandshakeAfterServerCert(ss); } else { - PORT_SetError(SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_SSL2); - rv = SECFailure; + rv = ssl2_RestartHandshakeAfterServerCert(ss); } ssl_Release1stHandshakeLock(ss); diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 8e0e59666..c557782b1 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -1214,6 +1214,7 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt32 which, PRBool *enabled) SECStatus NSS_SetDomesticPolicy(void) { +#ifndef EXPORT_VERSION SECStatus status = SECSuccess; cipherPolicy * policy; 
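Review bot: On the SSL2 branch of SSL_RestartHandshakeAfterCertReq (hunk at -1500), `certChain` is no longer consumed by anything: `ssl2_RestartHandshakeAfterCertReq(ss, cert, key)` does not take it, and no release is visible in the hunk. If the caller hands over ownership of the chain, this path would leak it; the XXX in the ssl2 function's header says the ownership question is still open. A comment on the `else` branch, e.g. `/* SSL2 sends only cert->derCert; certChain is not used here and stays owned by <caller or callee, to be decided> */`, would settle it for the reader. The function begins and ends outside the hunk.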
@@ -1223,18 +1224,37 @@ NSS_SetDomesticPolicy(void) break; } return status; +#else + return NSS_SetExportPolicy(); +#endif } SECStatus NSS_SetExportPolicy(void) { - return NSS_SetDomesticPolicy(); + SECStatus status = SECSuccess; + cipherPolicy * policy; + + for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { + status = SSL_SetPolicy(policy->cipher, policy->export); + if (status != SECSuccess) + break; + } + return status; } SECStatus NSS_SetFrancePolicy(void) { - return NSS_SetDomesticPolicy(); + SECStatus status = SECSuccess; + cipherPolicy * policy; + + for (policy = ssl_ciphers; policy->cipher != 0; ++policy) { + status = SSL_SetPolicy(policy->cipher, policy->france); + if (status != SECSuccess) + break; + } + return status; } diff --git a/security/nss/lib/util/dersubr.c b/security/nss/lib/util/dersubr.c index b99eb1f63..3aa0db8f1 100644 --- a/security/nss/lib/util/dersubr.c +++ b/security/nss/lib/util/dersubr.c @@ -208,7 +208,7 @@ DER_SetUInteger(PRArenaPool *arena, SECItem *it, PRUint32 ui) ** If an underflow/overflow occurs, sets error code and returns min/max. */ long -DER_GetInteger(const SECItem *it) +DER_GetInteger(SECItem *it) { long ival = 0; unsigned len = it->len; @@ -240,7 +240,7 @@ DER_GetInteger(const SECItem *it) ** If an underflow/overflow occurs, sets error code and returns min/max. */ unsigned long -DER_GetUInteger(const SECItem *it) +DER_GetUInteger(SECItem *it) { unsigned long ival = 0; unsigned len = it->len; diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h index 8ddd4d973..80f9283f3 100644 --- a/security/nss/lib/util/pkcs11n.h +++ b/security/nss/lib/util/pkcs11n.h @@ -162,6 +162,7 @@ static const char CKT_CVS_ID[] = "@(#) $RCSfile$ $Revision$ $Date$"; #define CKA_CERT_MD5_HASH (CKA_TRUST + 101) /* NSS trust stuff */ +/* XXX fgmr new ones here-- step-up, etc. */ /* HISTORICAL: define used to pass in the database key for DSA private keys */ #define CKA_NETSCAPE_DB 0xD5A0DB00L 
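Review bot: The loops added to NSS_SetExportPolicy and NSS_SetFrancePolicy stop at the first `SSL_SetPolicy` failure and return, leaving the suites before the failing entry on the new policy and the rest on the old one. Callers get only the failure status, so a comment like `/* on failure the table is left partially applied */` on each function would document the state they inherit. The two bodies differ from each other only in the column read (`policy->export` vs `policy->france`), so a single static helper selecting the column would remove the duplication.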
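Review bot: Dropping `const` from `DER_GetInteger(SECItem *it)` (dersubr.c, hunk at -208) is not required by anything visible in the body, which only reads `it->len`, and it means callers holding a `const SECItem *` now need a cast. The same applies to DER_GetUInteger in this file, to SECOID_GetAlgorithmTag in secalgid.c, and to the matching prototypes in secder.h and secoid.h. Unless a caller requires the non-const form, keep `long DER_GetInteger(const SECItem *it)` and its siblings as they were. Both function bodies in dersubr.c continue outside their hunks.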
diff --git a/security/nss/lib/util/secalgid.c b/security/nss/lib/util/secalgid.c index 701736bc1..316c9f5aa 100644 --- a/security/nss/lib/util/secalgid.c +++ b/security/nss/lib/util/secalgid.c @@ -41,7 +41,7 @@ #include "secerr.h" SECOidTag -SECOID_GetAlgorithmTag(const SECAlgorithmID *id) +SECOID_GetAlgorithmTag(SECAlgorithmID *id) { if (id == NULL || id->algorithm.data == NULL) return SEC_OID_UNKNOWN; diff --git a/security/nss/lib/util/secder.h b/security/nss/lib/util/secder.h index 55e03ab91..b227227b9 100644 --- a/security/nss/lib/util/secder.h +++ b/security/nss/lib/util/secder.h @@ -108,14 +108,14 @@ extern SECStatus DER_SetUInteger(PLArenaPool *arena, SECItem *dst, PRUint32 src) ** If "-1" is returned, then the caller should check the error in ** XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER). */ -extern long DER_GetInteger(const SECItem *src); +extern long DER_GetInteger(SECItem *src); /* ** Decode a der encoded *unsigned* integer that is stored in "src". ** If the ULONG_MAX is returned, then the caller should check the error ** in XP_GetError() to see if an overflow occurred (SEC_ERROR_BAD_DER). */ -extern unsigned long DER_GetUInteger(const SECItem *src); +extern unsigned long DER_GetUInteger(SECItem *src); /* ** Convert an NSPR time value to a der encoded time value. diff --git a/security/nss/lib/util/secoid.h b/security/nss/lib/util/secoid.h index c9653ab1d..e758f9614 100644 --- a/security/nss/lib/util/secoid.h +++ b/security/nss/lib/util/secoid.h @@ -93,7 +93,7 @@ extern SECStatus SECOID_CopyAlgorithmID(PLArenaPool *arena, SECAlgorithmID *dest /* ** Get the tag number for the given algorithm-id object. */ -extern SECOidTag SECOID_GetAlgorithmTag(const SECAlgorithmID *aid); +extern SECOidTag SECOID_GetAlgorithmTag(SECAlgorithmID *aid); /* ** Destroy an algorithm-id object. |