diff options
68 files changed, 3125 insertions, 775 deletions
diff --git a/security/nss/Makefile b/security/nss/Makefile index 21a54fbe5..89992328e 100644 --- a/security/nss/Makefile +++ b/security/nss/Makefile @@ -110,10 +110,6 @@ endif nss_RelEng_bld: build_coreconf import all -ifeq ($(OS_ARCH),SunOS) -solarispkg: - @echo Making Solaris packages. - rm -rf pkg/$(OBJDIR) - cp -r pkg/solaris pkg/$(OBJDIR) - $(MAKE) -C pkg/$(OBJDIR) publish -endif +package: + $(MAKE) -C pkg publish + diff --git a/security/nss/cmd/platlibs.mk b/security/nss/cmd/platlibs.mk index 4f486e938..920f82120 100644 --- a/security/nss/cmd/platlibs.mk +++ b/security/nss/cmd/platlibs.mk @@ -110,6 +110,10 @@ EXTRA_LIBS += \ $(DIST)/lib/libdbm.$(LIB_SUFFIX) \ $(NULL) +ifeq ($(OS_ARCH), SunOS) +EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib' -R '$$ORIGIN/..' +endif + ifeq ($(OS_ARCH), AIX) EXTRA_SHARED_LIBS += -brtl endif diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index b10e94a7d..aba39f3b0 100644 --- a/security/nss/cmd/selfserv/selfserv.c +++ b/security/nss/cmd/selfserv/selfserv.c @@ -118,6 +118,17 @@ const int ssl3CipherSuites[] = { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ 0 }; @@ -200,6 +211,8 @@ Usage(const char *progName) "l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n" "m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n" "n SSL3 RSA WITH RC4 128 SHA\n" +"v TLS_RSA_WITH_AES_128_CBC_SHA\n" +"y TLS_RSA_WITH_AES_256_CBC_SHA\n" ,progName); } diff --git a/security/nss/cmd/signtool/util.c b/security/nss/cmd/signtool/util.c index 8f8717864..cdc289915 100644 --- a/security/nss/cmd/signtool/util.c +++ b/security/nss/cmd/signtool/util.c @@ -284,10 +284,17 @@ void VerifyCertDir(char *dir, char *keyName) { char fn [FNSIZE]; + PRStatus hasDB; - sprintf (fn, "%s/cert7.db", dir); + sprintf (fn, "%s/cert8.db", dir); + hasDB = PR_Access (fn, PR_ACCESS_EXISTS); - if (PR_Access (fn, PR_ACCESS_EXISTS)) + if (hasDB == PR_FAILURE) { + sprintf (fn, "%s/cert7.db", dir); + hasDB = PR_Access (fn, PR_ACCESS_EXISTS); + } + + if (hasDB == PR_FAILURE) { PR_fprintf(errorFD, "%s: No certificate database in \"%s\"\n", PROGRAM_NAME, dir); diff --git a/security/nss/cmd/strsclnt/strsclnt.c b/security/nss/cmd/strsclnt/strsclnt.c index 157fff1e2..78c5d4c8a 100644 --- a/security/nss/cmd/strsclnt/strsclnt.c +++ b/security/nss/cmd/strsclnt/strsclnt.c @@ -99,6 +99,17 @@ int ssl3CipherSuites[] = { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ 0 }; diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 5817c39ef..a511e03e0 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -92,6 +92,17 @@ int ssl3CipherSuites[] = { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, /* l */ TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, /* m */ SSL_RSA_WITH_RC4_128_SHA, /* n */ + TLS_DHE_DSS_WITH_RC4_128_SHA, /* o */ + SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, /* p */ + SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, /* q */ + SSL_DHE_RSA_WITH_DES_CBC_SHA, /* r */ + SSL_DHE_DSS_WITH_DES_CBC_SHA, /* s */ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, /* t */ + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, /* u */ + TLS_RSA_WITH_AES_128_CBC_SHA, /* v */ + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, /* w */ + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, /* x */ + TLS_RSA_WITH_AES_256_CBC_SHA, /* y */ 0 }; @@ -190,6 +201,17 @@ static void Usage(const char *progName) "l SSL3 RSA EXPORT WITH DES CBC SHA\t(new)\n" "m SSL3 RSA EXPORT WITH RC4 56 SHA\t(new)\n" "n SSL3 RSA WITH RC4 128 SHA\n" +"o TLS DHE DSS WITH RC4 128 SHA\n" +"p SSL3 DHE RSA WITH 3DES EDE CBC SHA\n" +"q SSL3 DHE DSS WITH 3DES EDE CBC SHA\n" +"r SSL3 DHE RSA WITH DES CBC SHA\n" +"s SSL3 DHE DSS WITH DES CBC SHA\n" +"t TLS_DHE_DSS_WITH_AES_128_CBC_SHA\n" +"u TLS_DHE_RSA_WITH_AES_128_CBC_SHA\n" +"v TLS_RSA_WITH_AES_128_CBC_SHA\n" +"w TLS_DHE_DSS_WITH_AES_256_CBC_SHA\n" +"x TLS_DHE_RSA_WITH_AES_256_CBC_SHA\n" +"y TLS_RSA_WITH_AES_256_CBC_SHA\n" ); exit(1); } diff --git a/security/nss/lib/certdb/alg1485.c b/security/nss/lib/certdb/alg1485.c index 139e422eb..409b17a69 100644 --- a/security/nss/lib/certdb/alg1485.c +++ b/security/nss/lib/certdb/alg1485.c @@ -438,7 +438,8 @@ CERT_ParseRFC1485AVA(PRArenaPool *arena, char **pbp, char *endptr, } else if (Is7Bit((unsigned char *)valBuf, valLen)) { vt = SEC_ASN1_T61_STRING; } else { - vt = SEC_ASN1_UNIVERSAL_STRING; + /* according to RFC3280, UTF8String is preferred encoding */ + vt = SEC_ASN1_UTF8_STRING; } } a = CERT_CreateAVA(arena, n2k->kind, vt, (char *) valBuf); @@ -623,6 +624,11 @@ get_oid_string /* end points to one past the legitimate data */ end = &d[ oid->len ]; + if (oid->len > 1024) { + PORT_SetError(SEC_ERROR_NO_MEMORY); + return (char *)NULL; + } + /* * Check for our pseudo-encoded single-digit OIDs */ @@ -774,6 +780,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) default: /* handle unknown attribute types per RFC 2253 */ tagName = unknownTag = get_oid_string(&ava->type); + if (!tagName) return SECFailure; maxLen = 256; break; } @@ -791,6 +798,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) /* Check value length */ if (avaValue->len > maxLen) { if (unknownTag) PR_smprintf_free(unknownTag); + SECITEM_FreeItem(avaValue, PR_TRUE); PORT_SetError(SEC_ERROR_INVALID_AVA); return SECFailure; } @@ -798,6 +806,7 @@ AppendAVA(char **bufp, unsigned *buflenp, CERTAVA *ava) len = PORT_Strlen(tagName); if (len+1 > sizeof(tmpBuf)) { if (unknownTag) PR_smprintf_free(unknownTag); + SECITEM_FreeItem(avaValue, PR_TRUE); PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; } diff --git a/security/nss/lib/certdb/cdbhdl.h b/security/nss/lib/certdb/cdbhdl.h index c195eb308..6a9f11409 100644 --- a/security/nss/lib/certdb/cdbhdl.h +++ b/security/nss/lib/certdb/cdbhdl.h @@ -54,4 +54,8 @@ struct CERTCertDBHandleStr { PZMonitor *dbMon; }; +DB * +dbsopen(const char *dbname, int flags, int mode, DBTYPE type, + const void *userData); + #endif diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c index 5eb141378..4701e1e45 100644 --- a/security/nss/lib/certdb/certdb.c +++ b/security/nss/lib/certdb/certdb.c @@ -1128,6 +1128,7 @@ CERT_CheckKeyUsage(CERTCertificate *cert, unsigned int requiredUsage) */ if ( requiredUsage & KU_KEY_AGREEMENT_OR_ENCIPHERMENT ) { key = CERT_ExtractPublicKey(cert); + if (!key) return SECFailure; if ( ( key->keyType == keaKey ) || ( key->keyType == fortezzaKey ) || ( key->keyType == dhKey ) ) { requiredUsage |= KU_KEY_AGREEMENT; diff --git a/security/nss/lib/certdb/dbmshim.c b/security/nss/lib/certdb/dbmshim.c new file mode 100644 index 000000000..b469a80f4 --- /dev/null +++ b/security/nss/lib/certdb/dbmshim.c @@ -0,0 +1,671 @@ +/* + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + */ + +/* + * Berkeley DB 1.85 Shim code to handle blobs. + * + * $Id$ + */ + +#include "prerror.h" +#include "prprf.h" +#include "cert.h" +#include "mcom_db.h" +#include "certdb.h" +#include "secitem.h" +#include "secder.h" + +/* Call to PK11_FreeSlot below */ + +#include "secasn1.h" +#include "secerr.h" +#include "nssb64.h" +#include "blapi.h" +#include "sechash.h" + +#ifdef macintosh +#define PATH_SEPARATOR ":" +#else +#define PATH_SEPARATOR "/" +#endif + +#define NO_RDONLY O_RDONLY +#define NO_RDWR O_RDWR +#define NO_CREATE (O_RDWR | O_CREAT | O_TRUNC) + +/* + * Blob block: + * Byte 0 CERTDB Version -+ -+ + * Byte 1 certDBEntryTypeBlob | BLOB_HEAD_LEN | + * Byte 2 flags (always '0'); | | + * Byte 3 reserved (always '0'); -+ | + * Byte 4 LSB length | <--BLOB_LENGTH_START | BLOB_BUF_LEN + * Byte 5 . | | + * Byte 6 . | BLOB_LENGTH_LEN | + * Byte 7 MSB length | | + * Byte 8 blob_filename -+ -+ <-- BLOB_NAME_START | + * Byte 9 . | BLOB_NAME_LEN | + * . . | | + * Byte 37 . -+ -+ + */ +#define DBS_BLOCK_SIZE (16*1024) /* 16 k */ +#define DBS_MAX_ENTRY_SIZE (DBS_BLOCK_SIZE - (2048)) /* 14 k */ +#define DBS_CACHE_SIZE DBS_BLOCK_SIZE*8 +#define ROUNDDIV(x,y) (x+(y-1))/y +#define BLOB_HEAD_LEN 4 +#define BLOB_LENGTH_START BLOB_HEAD_LEN +#define BLOB_LENGTH_LEN 4 +#define BLOB_NAME_START BLOB_LENGTH_START+BLOB_LENGTH_LEN +#define BLOB_NAME_LEN 1+ROUNDDIV(SHA1_LENGTH,3)*4+1 +#define BLOB_BUF_LEN BLOB_HEAD_LEN+BLOB_LENGTH_LEN+BLOB_NAME_LEN + +/* a Shim data structure. This data structure has a db built into it. */ +typedef struct DBSStr DBS; + +struct DBSStr { + DB db; + char *blobdir; + int mode; + PRBool readOnly; + PRFileMap *dbs_mapfile; + unsigned char *dbs_addr; + PRUint32 dbs_len; + char staticBlobArea[BLOB_BUF_LEN]; +}; + + + +/* + * return true if the Datablock contains a blobtype + */ +static PRBool +dbs_IsBlob(DBT *blobData) +{ + unsigned char *addr = (unsigned char *)blobData->data; + if (blobData->size < BLOB_BUF_LEN) { + return PR_FALSE; + } + return addr && ((certDBEntryType) addr[1] == certDBEntryTypeBlob); +} + +/* + * extract the filename in the blob of the real data set. + * This value is not malloced (does not need to be freed by the caller. + */ +static const char * +dbs_getBlobFileName(DBT *blobData) +{ + char *addr = (char *)blobData->data; + + return &addr[BLOB_NAME_START]; +} + +/* + * extract the size of the actual blob from the blob record + */ +static PRUint32 +dbs_getBlobSize(DBT *blobData) +{ + unsigned char *addr = (unsigned char *)blobData->data; + + return (PRUint32)(addr[BLOB_LENGTH_START+3] << 24) | + (addr[BLOB_LENGTH_START+2] << 16) | + (addr[BLOB_LENGTH_START+1] << 8) | + addr[BLOB_LENGTH_START]; +} + + +/* We are using base64 data for the filename, but base64 data can include a + * '/' which is interpreted as a path separator on many platforms. Replace it + * with an inocuous '-'. We don't need to convert back because we never actual + * decode the filename. + */ + +static void +dbs_replaceSlash(char *cp, int len) +{ + while (len--) { + if (*cp == '/') *cp = '-'; + cp++; + } +} + +/* + * create a blob record from a key, data and return it in blobData. + * NOTE: The data element is static data (keeping with the dbm model). + */ +static void +dbs_mkBlob(DBS *dbsp,const DBT *key, const DBT *data, DBT *blobData) +{ + unsigned char sha1_data[SHA1_LENGTH]; + char *b = dbsp->staticBlobArea; + PRUint32 length = data->size; + SECItem sha1Item; + + b[0] = CERT_DB_FILE_VERSION; /* certdb version number */ + b[1] = (char) certDBEntryTypeBlob; /* type */ + b[2] = 0; /* flags */ + b[3] = 0; /* reserved */ + b[BLOB_LENGTH_START] = length & 0xff; + b[BLOB_LENGTH_START+1] = (length >> 8) & 0xff; + b[BLOB_LENGTH_START+2] = (length >> 16) & 0xff; + b[BLOB_LENGTH_START+3] = (length >> 24) & 0xff; + sha1Item.data = sha1_data; + sha1Item.len = SHA1_LENGTH; + SHA1_HashBuf(sha1_data,key->data,key->size); + b[BLOB_NAME_START]='b'; /* Make sure we start with a alpha */ + NSSBase64_EncodeItem(NULL,&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1,&sha1Item); + b[BLOB_BUF_LEN-1] = 0; + dbs_replaceSlash(&b[BLOB_NAME_START+1],BLOB_NAME_LEN-1); + blobData->data = b; + blobData->size = BLOB_BUF_LEN; + return; +} + + +/* + * construct a path to the actual blob. The string returned must be + * freed by the caller with PR_smprintf_free. + * + * Note: this file does lots of consistancy checks on the DBT. The + * routines that call this depend on these checks, so they don't worry + * about them (success of this routine implies a good blobdata record). + */ +static char * +dbs_getBlobFilePath(char *blobdir,DBT *blobData) +{ + const char *name; + + if (blobdir == NULL) { + PR_SetError(SEC_ERROR_BAD_DATABASE,0); + return NULL; + } + if (!dbs_IsBlob(blobData)) { + PR_SetError(SEC_ERROR_BAD_DATABASE,0); + return NULL; + } + name = dbs_getBlobFileName(blobData); + if (!name || *name == 0) { + PR_SetError(SEC_ERROR_BAD_DATABASE,0); + return NULL; + } + return PR_smprintf("%s" PATH_SEPARATOR "%s", blobdir, name); +} + +/* + * Delete a blob file pointed to by the blob record. + */ +static void +dbs_removeBlob(DBS *dbsp, DBT *blobData) +{ + char *file; + + file = dbs_getBlobFilePath(dbsp->blobdir, blobData); + if (!file) { + return; + } + PR_Delete(file); + PR_smprintf_free(file); +} + +/* + * Directory modes are slightly different, the 'x' bit needs to be on to + * access them. Copy all the read bits to 'x' bits + */ +static int +dbs_DirMode(int mode) +{ + int x_bits = (mode >> 2) & 0111; + return mode | x_bits; +} + +/* + * write a data blob to it's file. blobdData is the blob record that will be + * stored in the database. data is the actual data to go out on disk. + */ +static int +dbs_writeBlob(DBS *dbsp, int mode, DBT *blobData, const DBT *data) +{ + char *file = NULL; + PRFileDesc *filed; + PRStatus status; + int len; + int error = 0; + + file = dbs_getBlobFilePath(dbsp->blobdir, blobData); + if (!file) { + goto loser; + } + if (PR_Access(dbsp->blobdir, PR_ACCESS_EXISTS) != PR_SUCCESS) { + status = PR_MkDir(dbsp->blobdir,dbs_DirMode(mode)); + if (status != PR_SUCCESS) { + goto loser; + } + } + filed = PR_OpenFile(file,PR_CREATE_FILE|PR_TRUNCATE|PR_WRONLY, mode); + if (filed == NULL) { + error = PR_GetError(); + goto loser; + } + len = PR_Write(filed,data->data,data->size); + error = PR_GetError(); + PR_Close(filed); + if (len < (int)data->size) { + goto loser; + } + PR_smprintf_free(file); + return 0; + +loser: + if (file) { + PR_Delete(file); + PR_smprintf_free(file); + } + /* don't let close or delete reset the error */ + PR_SetError(error,0); + return -1; +} + + +/* + * we need to keep a address map in memory between calls to DBM. + * remember what we have mapped can close it when we get another dbm + * call. + * + * NOTE: Not all platforms support mapped files. This code is designed to + * detect this at runtime. If map files aren't supported the OS will indicate + * this by failing the PR_Memmap call. In this case we emulate mapped files + * by just reading in the file into regular memory. We signal this state by + * making dbs_mapfile NULL and dbs_addr non-NULL. + */ + +static void +dbs_freemap(DBS *dbsp) +{ + if (dbsp->dbs_mapfile) { + PR_MemUnmap(dbsp->dbs_addr,dbsp->dbs_len); + PR_CloseFileMap(dbsp->dbs_mapfile); + dbsp->dbs_mapfile = NULL; + dbsp->dbs_addr = NULL; + dbsp->dbs_len = 0; + } else if (dbsp->dbs_addr) { + PORT_Free(dbsp->dbs_addr); + dbsp->dbs_addr = NULL; + dbsp->dbs_len = 0; + } + return; +} + +static void +dbs_setmap(DBS *dbsp, PRFileMap *mapfile, unsigned char *addr, PRUint32 len) +{ + dbsp->dbs_mapfile = mapfile; + dbsp->dbs_addr = addr; + dbsp->dbs_len = len; +} + +/* + * platforms that cannot map the file need to read it into a temp buffer. + */ +static unsigned char * +dbs_EmulateMap(PRFileDesc *filed, int len) +{ + unsigned char *addr; + PRInt32 dataRead; + + addr = PORT_Alloc(len); + if (addr == NULL) { + return NULL; + } + + dataRead = PR_Read(filed,addr,len); + if (dataRead != len) { + PORT_Free(addr); + if (dataRead > 0) { + /* PR_Read didn't set an error, we need to */ + PR_SetError(SEC_ERROR_BAD_DATABASE,0); + } + return NULL; + } + + return addr; +} + + +/* + * pull a database record off the disk + * data points to the blob record on input and the real record (if we could + * read it) on output. if there is an error data is not modified. + */ +static int +dbs_readBlob(DBS *dbsp, DBT *data) +{ + char *file = NULL; + PRFileDesc *filed = NULL; + PRFileMap *mapfile = NULL; + unsigned char *addr = NULL; + int error; + int len = -1; + + file = dbs_getBlobFilePath(dbsp->blobdir, data); + if (!file) { + goto loser; + } + filed = PR_OpenFile(file,PR_RDONLY,0); + PR_smprintf_free(file); file = NULL; + if (filed == NULL) { + goto loser; + } + + len = dbs_getBlobSize(data); + mapfile = PR_CreateFileMap(filed, len, PR_PROT_READONLY); + if (mapfile == NULL) { + /* USE PR_GetError instead of PORT_GetError here + * because we are getting the error from PR_xxx + * function */ + if (PR_GetError() != PR_NOT_IMPLEMENTED_ERROR) { + goto loser; + } + addr = dbs_EmulateMap(filed, len); + } else { + addr = PR_MemMap(mapfile, 0, len); + } + if (addr == NULL) { + goto loser; + } + PR_Close(filed); + dbs_setmap(dbsp,mapfile,addr,len); + + data->data = addr; + data->size = len; + return 0; + +loser: + /* preserve the error code */ + error = PR_GetError(); + if (addr) { + if (mapfile) { + PORT_Assert(len != -1); + PR_MemUnmap(addr,len); + } else { + PORT_Free(addr); + } + } + if (mapfile) { + PR_CloseFileMap(mapfile); + } + if (filed) { + PR_Close(filed); + } + PR_SetError(error,0); + return -1; +} + +/* + * actual DBM shims + */ +static int +dbs_get(const DB *dbs, const DBT *key, DBT *data, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + + dbs_freemap(dbsp); + + ret = (* db->get)(db, key, data, flags); + if ((ret == 0) && dbs_IsBlob(data)) { + ret = dbs_readBlob(dbsp,data); + } + + return(ret); +} + +static int +dbs_put(const DB *dbs, DBT *key, const DBT *data, unsigned int flags) +{ + DBT blob; + int ret = 0; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + dbs_freemap(dbsp); + + /* If the db is readonly, just pass the data down to rdb and let it fail */ + if (!dbsp->readOnly) { + DBT oldData; + int ret1; + + /* make sure the current record is deleted if it's a blob */ + ret1 = (*db->get)(db,key,&oldData,0); + if ((ret1 == 0) && flags == R_NOOVERWRITE) { + /* let DBM return the error to maintain consistancy */ + return (* db->put)(db, key, data, flags); + } + if ((ret1 == 0) && dbs_IsBlob(&oldData)) { + dbs_removeBlob(dbsp, &oldData); + } + + if (data->size > DBS_MAX_ENTRY_SIZE) { + dbs_mkBlob(dbsp,key,data,&blob); + ret = dbs_writeBlob(dbsp, dbsp->mode, &blob, data); + data = &blob; + } + } + + if (ret == 0) { + ret = (* db->put)(db, key, data, flags); + } + return(ret); +} + +static int +dbs_sync(const DB *dbs, unsigned int flags) +{ + DB *db = (DB *)dbs->internal; + DBS *dbsp = (DBS *)dbs; + + dbs_freemap(dbsp); + + return (* db->sync)(db, flags); +} + +static int +dbs_del(const DB *dbs, const DBT *key, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + dbs_freemap(dbsp); + + if (!dbsp->readOnly) { + DBT oldData; + ret = (*db->get)(db,key,&oldData,0); + if ((ret == 0) && dbs_IsBlob(&oldData)) { + dbs_removeBlob(dbsp,&oldData); + } + } + + return (* db->del)(db, key, flags); +} + +static int +dbs_seq(const DB *dbs, DBT *key, DBT *data, unsigned int flags) +{ + int ret; + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + + dbs_freemap(dbsp); + + ret = (* db->seq)(db, key, data, flags); + if ((ret == 0) && dbs_IsBlob(data)) { + /* don't return a blob read as an error so traversals keep going */ + (void) dbs_readBlob(dbsp,data); + } + + return(ret); +} + +static int +dbs_close(DB *dbs) +{ + DBS *dbsp = (DBS *)dbs; + DB *db = (DB *)dbs->internal; + int ret; + + dbs_freemap(dbsp); + ret = (* db->close)(db); + PORT_Free(dbsp->blobdir); + PORT_Free(dbsp); + return ret; +} + +static int +dbs_fd(const DB *dbs) +{ + DB *db = (DB *)dbs->internal; + + return (* db->fd)(db); +} + +/* + * the naming convention we use is + * change the .xxx into .dir. (for nss it's always .db); + * if no .extension exists or is equal to .dir, add a .dir + * the returned data must be freed. + */ +#define DIRSUFFIX ".dir" +static char * +dbs_mkBlobDirName(const char *dbname) +{ + int dbname_len = PORT_Strlen(dbname); + int dbname_end = dbname_len; + const char *cp; + char *blobDir = NULL; + + /* scan back from the end looking for either a directory separator, a '.', + * or the end of the string. NOTE: Windows should check for both separators + * here. For now this is safe because we know NSS always uses a '.' + */ + for (cp = &dbname[dbname_len]; + (cp > dbname) && (*cp != '.') && (*cp != *PATH_SEPARATOR) ; + cp--) + /* Empty */ ; + if (*cp == '.') { + dbname_end = cp - dbname; + if (PORT_Strcmp(cp,DIRSUFFIX) == 0) { + dbname_end = dbname_len; + } + } + blobDir = PORT_ZAlloc(dbname_end+sizeof(DIRSUFFIX)); + if (blobDir == NULL) { + return NULL; + } + PORT_Memcpy(blobDir,dbname,dbname_end); + PORT_Memcpy(&blobDir[dbname_end],DIRSUFFIX,sizeof(DIRSUFFIX)); + return blobDir; +} + +#define DBM_DEFAULT 0 +static const HASHINFO dbs_hashInfo = { + DBS_BLOCK_SIZE, /* bucket size, must be greater than = to + * or maximum entry size (+ header) + * we allow before blobing */ + DBM_DEFAULT, /* Fill Factor */ + DBM_DEFAULT, /* number of elements */ + DBS_CACHE_SIZE, /* cache size */ + DBM_DEFAULT, /* hash function */ + DBM_DEFAULT, /* byte order */ +}; + +/* + * the open function. NOTE: this is the only exposed function in this file. + * everything else is called through the function table pointer. + */ +DB * +dbsopen(const char *dbname, int flags, int mode, DBTYPE type, + const void *userData) +{ + DB *db = NULL,*dbs = NULL; + DBS *dbsp = NULL; + + /* NOTE: we are overriding userData with dbs_hashInfo. since all known + * callers pass 0, this is ok, otherwise we should merge the two */ + + dbsp = (DBS *)PORT_ZAlloc(sizeof(DBS)); + if (!dbsp) { + return NULL; + } + dbs = &dbsp->db; + + dbsp->blobdir=dbs_mkBlobDirName(dbname); + if (dbsp->blobdir == NULL) { + goto loser; + } + dbsp->mode = mode; + dbsp->readOnly = (PRBool)(flags == NO_RDONLY); + dbsp->dbs_mapfile = NULL; + dbsp->dbs_addr = NULL; + dbsp->dbs_len = 0; + + /* the real dbm call */ + db = dbopen(dbname, flags, mode, type, &dbs_hashInfo); + if (db == NULL) { + goto loser; + } + dbs->internal = (void *) db; + dbs->type = type; + dbs->close = dbs_close; + dbs->get = dbs_get; + dbs->del = dbs_del; + dbs->put = dbs_put; + dbs->seq = dbs_seq; + dbs->sync = dbs_sync; + dbs->fd = dbs_fd; + + return dbs; +loser: + if (db) { + (*db->close)(db); + } + if (dbsp && dbsp->blobdir) { + PORT_Free(dbsp->blobdir); + } + if (dbsp) { + PORT_Free(dbsp); + } + return NULL; +} diff --git a/security/nss/lib/certdb/genname.c b/security/nss/lib/certdb/genname.c index 9fe969e3a..9ee7126a3 100644 --- a/security/nss/lib/certdb/genname.c +++ b/security/nss/lib/certdb/genname.c @@ -193,17 +193,27 @@ CERT_CreateGeneralNameList(CERTGeneralName *name) { } list = (CERTGeneralNameList *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralNameList)); + if (!list) + goto loser; if (name != NULL) { list->name = (CERTGeneralName *) PORT_ArenaZAlloc(arena, sizeof(CERTGeneralName)); + if (!list->name) + goto loser; list->name->l.next = list->name->l.prev = &list->name->l; CERT_CopyGeneralName(arena, list->name, name); } list->lock = PZ_NewLock(nssILockList); + if (!list->lock) + goto loser; list->arena = arena; list->refCount = 1; done: return list; + +loser: + PORT_FreeArena(arena, PR_FALSE); + return NULL; } CERTGeneralName * @@ -244,7 +254,6 @@ SECItem * cert_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *arena) { - PORT_Assert(arena); if (arena == NULL) { goto loser; @@ -290,9 +299,12 @@ cert_EncodeGeneralName(CERTGeneralName *genName, SECItem *dest, PRArenaPool *are case certDirectoryName: if (genName->derDirectoryName.data == NULL) { /* The field hasn't been encoded yet. */ + SECItem * pre_dest = SEC_ASN1EncodeItem (arena, &(genName->derDirectoryName), &(genName->name.directoryName), CERT_NameTemplate); + if (!pre_dest) + goto loser; } if (genName->derDirectoryName.data == NULL) { goto loser; @@ -433,12 +445,12 @@ cert_DecodeGeneralNames (PRArenaPool *arena, } currentName->l.next = head; currentName->l.prev = tail; - tail = &(currentName->l); - (cert_get_prev_general_name(currentName))->l.next = tail; + tail = head->prev = tail->next = &(currentName->l); encodedGenName++; } - (cert_get_next_general_name(currentName))->l.prev = tail; - return cert_get_next_general_name(currentName); + if (currentName) { + return cert_get_next_general_name(currentName); + } loser: return NULL; } @@ -570,10 +582,10 @@ cert_DecodeNameConstraint(PRArenaPool *arena, SECStatus rv = SECSuccess; CERTGeneralName *temp; - - PORT_Assert(arena); constraint = (CERTNameConstraint *) PORT_ArenaZAlloc(arena, sizeof(CERTNameConstraint)); + if (!constraint) + goto loser; rv = SEC_ASN1DecodeItem(arena, constraint, CERTNameConstraintTemplate, encodedConstraint); if (rv != SECSuccess) { goto loser; @@ -605,6 +617,7 @@ cert_DecodeNameConstraintSubTree(PRArenaPool *arena, CERTNameConstraint *next = NULL; int i = 0; + PORT_Assert(arena); while (subTree[i] != NULL) { current = cert_DecodeNameConstraint(arena, subTree[i]); if (current == NULL) { @@ -621,14 +634,6 @@ cert_DecodeNameConstraintSubTree(PRArenaPool *arena, first->l.prev = &(current->l); return first; loser: - if (first) { - current = first; - do { - next = cert_get_next_name_constraint(current); - PORT_Free(current); - current = next; - }while (current != first); - } return NULL; } @@ -707,6 +712,8 @@ CERT_CopyGeneralName(PRArenaPool *arena, rv = SECITEM_CopyItem(arena, &dest->name.other, &src->name.other); } } + if (rv != SECSuccess) + return rv; src = cert_get_next_general_name(src); /* if there is only one general name, we shouldn't do this */ if (src != srcHead) { @@ -718,6 +725,8 @@ CERT_CopyGeneralName(PRArenaPool *arena, temp = (CERTGeneralName *) PORT_ZAlloc(sizeof(CERTGeneralName)); } + if (!temp) + return SECFailure; temp->l.next = &destHead->l; temp->l.prev = &dest->l; destHead->l.prev = &temp->l; @@ -842,7 +851,7 @@ CERT_AddNameConstraint(CERTNameConstraint *list, SECStatus -CERT_GetNameConstriantByType (CERTNameConstraint *constraints, +CERT_GetNameConstraintByType (CERTNameConstraint *constraints, CERTGeneralNameType type, CERTNameConstraint **returnList, PRArenaPool *arena) @@ -968,41 +977,72 @@ loser: return NULL; } +/* This function does very basic regular expression matching. +** The only wildcard character is "*", which matches any substring. +** constraint is the regular expression. name is to be tested against it. +** return SECSuccess on match, SECFailure otherwise. Does not set error. +*/ static SECStatus -compareNameToConstraint(char *name, char *constraint, PRBool substring) +compareNameToConstraint(const char *name, const char *constraint, int level) { + PRBool substring = PR_FALSE; SECStatus rv; - if (*constraint == '\0' && *name == '\0') { - return SECSuccess; + while (*name == *constraint && *constraint != '\0' && *constraint != '*') { + ++name; + ++constraint; } - if (*constraint == '*') { - return compareNameToConstraint(name, constraint + 1, PR_TRUE); + if (*constraint == '\0' && *name == '\0') + return SECSuccess; + + while (*constraint == '*') { + ++constraint; + substring = PR_TRUE; } - if (substring) { - if (*constraint == '\0') { - return SECSuccess; - } - while (*name != *constraint) { - if (*name == '\0') { - return SECFailure; - } - name++; - } - rv = compareNameToConstraint(name + 1, constraint + 1, PR_FALSE); - if (rv == SECSuccess) { - return rv; - } - name++; - } else { - if (*name == *constraint) { + + if (!substring) + return SECFailure; + + if (*constraint == '\0') + return SECSuccess; + + if (++level > 20) + return SECFailure; /* prevent stack overflow */ + + do { + while (*name != *constraint && *name != '\0') name++; - constraint++; - } else { + if (*name == '\0') return SECFailure; - } - } - return compareNameToConstraint(name, constraint, substring); + + /* recurse */ + rv = compareNameToConstraint(name + 1, constraint + 1, level); + + ++name; + } while (rv != SECSuccess); + return rv; +} + +#define compareN2C(n,c) compareNameToConstraint((n),(c),0) + +/* This isn't right for items containing UCS2 or UCS4. +** Those should be converted to UTF8 rather than merely strncpy'ed. +** But it's not clear that we can tell what the encoding is here. +*/ +static char * +secItem2String(PLArenaPool *arena, SECItem *item) +{ + char * cPtr; + if (arena) + cPtr = PORT_ArenaAlloc(arena, item->len + 1); + else + cPtr = PORT_Alloc(item->len + 1); + if (cPtr) { + if (item->len) + PORT_Strncpy(cPtr, (char *)item->data, item->len); + cPtr[item->len] = '\0'; + } + return cPtr; } SECStatus @@ -1011,234 +1051,247 @@ cert_CompareNameWithConstraints(CERTGeneralName *name, PRBool excluded) { SECStatus rv = SECSuccess; - char *nameString = NULL; - char *constraintString = NULL; + char *nString = NULL; + char *cString = NULL; int start; int end; - int tag; - CERTRDN **nameRDNS, *nameRDN; - CERTRDN **constraintRDNS, *constraintRDN; - CERTAVA **nameAVAS, *nameAVA; - CERTAVA **constraintAVAS, *constraintAVA; + CERTRDN **nRDNs, *nRDN; + CERTAVA **nAVAs, *nAVA; CERTNameConstraint *current; - SECItem *avaValue; - CERTName constraintName; CERTName certName; SECComparison status = SECEqual; - PRArenaPool *certNameArena; - PRArenaPool *constraintNameArena; + PRArenaPool *nArena; + + if (!constraints) + return SECSuccess; + + nArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!nArena) + return SECFailure; certName.arena = NULL; - certName.rdns = NULL; - constraintName.arena = NULL; - constraintName.rdns = NULL; - if (constraints != NULL) { - current = constraints; - if (name->type == certDirectoryName) { - certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERT_CopyName(certNameArena, &certName, &name->name.directoryName); - nameRDNS = certName.rdns; - for (;;) { - nameRDN = *nameRDNS++; - nameAVAS = nameRDN->avas; - for(;;) { - nameAVA = *nameAVAS++; - tag = CERT_GetAVATag(nameAVA); - if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS || - tag == SEC_OID_RFC1274_MAIL) { - avaValue = CERT_DecodeAVAValue(&nameAVA->value); - nameString = (char*)PORT_ZAlloc(avaValue->len + 1); - nameString = PORT_Strncpy(nameString, (char *) avaValue->data, avaValue->len); - start = 0; - while(nameString[start] != '@' && nameString[start + 1] != '\0') { - start++; - } + certName.rdns = NULL; + + /* Phase 1. If the name is a Directory Name, look through all the + ** AVAs in all the RDNs for any that are email addresses. + ** Subject all email addresses to all RFC822 email address constraints. + */ + if (name->type == certDirectoryName) { + rv = CERT_CopyName(nArena, &certName, &name->name.directoryName); + if (rv != SECSuccess) + goto loser; + nRDNs = certName.rdns; + while (nRDNs && *nRDNs) { /* loop over RDNs */ + nRDN = *nRDNs++; + nAVAs = nRDN->avas; + while (nAVAs && *nAVAs) { /* loop over AVAs */ + int tag; + nAVA = *nAVAs++; + tag = CERT_GetAVATag(nAVA); + if ( tag == SEC_OID_PKCS9_EMAIL_ADDRESS || + tag == SEC_OID_RFC1274_MAIL) { /* email AVA */ + SECItem *avaValue; + avaValue = CERT_DecodeAVAValue(&nAVA->value); + if (!avaValue) + goto loser; + nString = secItem2String(nArena, avaValue); + SECITEM_FreeItem(avaValue, PR_TRUE); + if (!nString) + goto loser; + start = 0; + while (nString[start] != '@' && nString[start] != '\0') { + start++; + } + if (nString[start]) start++; - do{ - if (current->name.type == certRFC822Name) { - constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1); - constraintString = PORT_Strncpy(constraintString, - (char *) current->name.name.other.data, - current->name.name.other.len); - rv = compareNameToConstraint(nameString + start, constraintString, - PR_FALSE); - - if (constraintString != NULL) { - PORT_Free(constraintString); - constraintString = NULL; - } - if (nameString != NULL) { - PORT_Free(nameString); - nameString = NULL; - } - if (rv == SECSuccess && excluded == PR_TRUE) { + current = constraints; + do { /* loop over constraints */ + if (current->name.type == certRFC822Name) { + cString = + secItem2String(nArena, ¤t->name.name.other); + if (!cString) + goto loser; + rv = compareN2C(nString + start, cString); + if (rv == SECSuccess) { + if (excluded) goto found; - } - if (rv == SECSuccess && excluded == PR_FALSE) { - break; - } + break; /* out of loop over constraints. */ } - current = cert_get_next_name_constraint(current); - } while (current != constraints); - } - if (rv != SECSuccess && excluded == PR_FALSE) { - goto loser; - } - if (*nameAVAS == NULL) { - break; - } - } - if (*nameRDNS == NULL) { - break; + } /* email address constraint */ + current = cert_get_next_name_constraint(current); + } while (current != constraints); /*loop over constraints*/ + } /* handle one email AVA */ + if (rv != SECSuccess && excluded == PR_FALSE) { + goto no_match; } } - } - current = constraints; - do { - switch (name->type) { - case certDNSName: - nameString = (char*)PORT_ZAlloc(name->name.other.len + 1); - nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, - name->name.other.len); - constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1); - constraintString = PORT_Strncpy(constraintString, - (char *) current->name.name.other.data, - current->name.name.other.len); - rv = compareNameToConstraint(nameString, constraintString, PR_FALSE); - if (nameString != NULL) { - PORT_Free(nameString); - } - if (constraintString != NULL) { - PORT_Free(constraintString); - } - break; - case certRFC822Name: - nameString = (char*)PORT_ZAlloc(name->name.other.len + 1); - nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, - name->name.other.len); - start = 0; - while(nameString[start] != '@' && nameString[start + 1] != '\0') { - start++; - } + } /* loop over RDNs */ + } /* name->type == certDirectoryName */ + + /* Phase 2. loop over all constratints for this name. */ + current = constraints; + do { + switch (name->type) { + + case certDNSName: + PORT_Assert(name->type == current->name.type); + nString = secItem2String(nArena, &name->name.other); + if (!nString) + goto loser; + cString = secItem2String(nArena, ¤t->name.name.other); + if (!cString) + goto loser; + rv = compareN2C(nString, cString); + break; + + case certRFC822Name: + PORT_Assert(name->type == current->name.type); + nString = secItem2String(nArena, &name->name.other); + if (!nString) + goto loser; + start = 0; + while (nString[start] != '@' && + nString[start] != '\0') { start++; - constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1); - constraintString = PORT_Strncpy(constraintString, - (char *) current->name.name.other.data, - current->name.name.other.len); - rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE); - if (nameString != NULL) { - PORT_Free(nameString); - } - if (constraintString != NULL) { - PORT_Free(constraintString); - } - break; - case certURI: - nameString = (char*)PORT_ZAlloc(name->name.other.len + 1); - nameString = PORT_Strncpy(nameString, (char *) name->name.other.data, - name->name.other.len); - start = 0; - while(PORT_Strncmp(nameString + start, "://", 3) != 0 && - nameString[start + 3] != '\0') { - start++; - } + } + if (nString[start]) + start++; + cString = secItem2String(nArena, ¤t->name.name.other); + if (!cString) + goto loser; + rv = compareN2C(nString + start, cString); + break; + + case certURI: + PORT_Assert(name->type == current->name.type); + nString = secItem2String(nArena, &name->name.other); + if (!nString) + goto loser; + /* XXX This URI hostname parsing is wrong because it doesn't + ** handle user name and password strings that can come + ** before the host name. + */ + start = 0; + while(nString[start] != 0 && + PORT_Strncmp(nString + start, "://", 3) != 0 ) { + start++; + } + if (nString[start]) start +=3; - end = 0; - while(nameString[start + end] != '/' && - nameString[start + end] != '\0') { - end++; - } - nameString[start + end] = '\0'; - constraintString = (char*)PORT_ZAlloc(current->name.name.other.len + 1); - constraintString = PORT_Strncpy(constraintString, - (char *) current->name.name.other.data, - current->name.name.other.len); - rv = compareNameToConstraint(nameString + start, constraintString, PR_FALSE); - if (nameString != NULL) { - PORT_Free(nameString); - } - if (constraintString != NULL) { - PORT_Free(constraintString); + end = 0; + while(nString[start + end] != '/' && + nString[start + end] != ':' && + nString[start + end] != '\0') { + end++; + } + nString[start + end] = '\0'; + cString = secItem2String(nArena, ¤t->name.name.other); + if (!cString) + goto loser; + rv = compareN2C(nString + start, cString); + break; + + case certDirectoryName: + PORT_Assert(current->name.type == certDirectoryName || \ + current->name.type == certRFC822Name); + if (current->name.type == certRFC822Name) + goto next_constraint; /* already handled in phase 1. */ + if (current->name.type == certDirectoryName) { + PRArenaPool *cArena; + CERTRDN **cRDNs, *cRDN; + CERTAVA **cAVAs, *cAVA; + CERTName constraintName; + + constraintName.arena = NULL; + constraintName.rdns = NULL; + + cArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); + if (!cArena) + goto loser; + rv = CERT_CopyName(cArena, &constraintName, + ¤t->name.name.directoryName); + if (rv != SECSuccess) { + PORT_FreeArena(cArena, PR_FALSE); + goto loser; } - break; - case certDirectoryName: - if (current->name.type == certDirectoryName) { - constraintNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERT_CopyName(constraintNameArena, &constraintName, ¤t->name.name.directoryName); - constraintRDNS = constraintName.rdns; - for (;;) { - constraintRDN = *constraintRDNS++; - constraintAVAS = constraintRDN->avas; - for(;;) { - constraintAVA = *constraintAVAS++; - certNameArena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); - CERT_CopyName(certNameArena, &certName, &name->name.directoryName); - nameRDNS = certName.rdns; - for (;;) { - nameRDN = *nameRDNS++; - nameAVAS = nameRDN->avas++; - for(;;) { - nameAVA = *nameAVAS++; - status = CERT_CompareAVA(constraintAVA, nameAVA); - if (status == SECEqual || *nameAVAS == NULL) { - break; - } - } - if (status == SECEqual || *nameRDNS == NULL) { + cRDNs = constraintName.rdns; + while (cRDNs && *cRDNs) { /* loop over constraint RDNs */ + cRDN = *cRDNs++; + cAVAs = cRDN->avas; + while (cAVAs && *cAVAs) { /* loop over constraint AVAs */ + cAVA = *cAVAs++; + + /* certName was initialized in Phase 1. */ + PORT_Assert(certName.arena != NULL); + + nRDNs = certName.rdns; + while (nRDNs && *nRDNs) { /* loop over name RDNs */ + nRDN = *nRDNs++; + nAVAs = nRDN->avas; + while (nAVAs && *nAVAs) { /* loop over name AVAs */ + nAVA = *nAVAs++; + status = CERT_CompareAVA(cAVA, nAVA); + if (status == SECEqual) break; - } - } - if (status != SECEqual || *constraintAVAS == NULL) { + } /* loop over name AVAs */ + if (status == SECEqual) break; - } - } - if (status != SECEqual || *constraintRDNS == NULL) { + } /* loop over name RDNs */ + if (status != SECEqual) break; - } - } - if (status == SECEqual) { - if (excluded == PR_FALSE) { - goto found; - } else { - goto loser; - } - } - break; - } else if (current->name.type == certRFC822Name) { - current = cert_get_next_name_constraint(current); - continue; - } - default: - /* other types are not supported */ - if (excluded) { - goto found; - } else { - goto loser; + } /* loop over AVAs in constraint */ + if (status != SECEqual) + break; + } /* loop over RDNs in constraint */ + PORT_FreeArena(cArena, PR_FALSE); + if (status == SECEqual) { + if (!excluded) + goto found; + goto no_match; } + break; } - if (rv == SECSuccess && status == SECEqual) { - goto found; - } - current = cert_get_next_name_constraint(current); - } while (current !=constraints); - } else { - goto found; - } -loser: - if (certName.arena) { - CERT_DestroyName(&certName); - } - if (constraintName.arena) { - CERT_DestroyName(&constraintName); - } + goto loser; +#ifdef NOTYET + case certOtherName: /* type 1 */ + case certX400Address: /* type 4 */ + case certEDIPartyName: /* type 6 */ + case certIPAddress: /* type 8 */ + case certRegisterID: /* type 9 */ + PORT_Assert(name->type == current->name.type); + if (name->type == current->name.type && + name->name.other.len == current->name.name.other.len && + !memcmp(name->name.other.data, current->name.name.other.data, + name->name.other.len)) + rv = SECSuccess; + else + rv = SECFailure; + break; +#endif + default: + /* non-standard types are not supported */ + goto loser; + } + if (rv == SECSuccess && status == SECEqual) { + goto found; + } +next_constraint: + current = cert_get_next_name_constraint(current); + } while (current !=constraints); + +no_match: + if (nArena) + PORT_FreeArena(nArena, PR_FALSE); return SECFailure; + +loser: + if (nArena) + PORT_FreeArena(nArena, PR_FALSE); + return excluded ? SECSuccess : SECFailure; + found: - if (certName.arena) { - CERT_DestroyName(&certName); - } - if (constraintName.arena) { - CERT_DestroyName(&constraintName); - } + if (nArena) + PORT_FreeArena(nArena, PR_FALSE); return SECSuccess; } @@ -1269,7 +1322,7 @@ CERT_CompareNameSpace(CERTCertificate *cert, } do { if (constraints->excluded != NULL) { - rv = CERT_GetNameConstriantByType(constraints->excluded, currentName->type, + rv = CERT_GetNameConstraintByType(constraints->excluded, currentName->type, &matchingConstraints, arena); if (rv != SECSuccess) { goto loser; @@ -1283,7 +1336,7 @@ CERT_CompareNameSpace(CERTCertificate *cert, } } if (constraints->permited != NULL) { - rv = CERT_GetNameConstriantByType(constraints->permited, currentName->type, + rv = CERT_GetNameConstraintByType(constraints->permited, currentName->type, &matchingConstraints, arena); if (rv != SECSuccess) { goto loser; diff --git a/security/nss/lib/certdb/manifest.mn b/security/nss/lib/certdb/manifest.mn index 1cb6ff4b7..b0adf2313 100644 --- a/security/nss/lib/certdb/manifest.mn +++ b/security/nss/lib/certdb/manifest.mn @@ -60,6 +60,7 @@ CSRCS = \ pcertdb.c \ polcyxtn.c \ secname.c \ + syserr.c \ xauthkid.c \ xbsconst.c \ xconst.c \ diff --git a/security/nss/lib/certdb/pcertdb.c b/security/nss/lib/certdb/pcertdb.c index f6601d4cb..152615535 100644 --- a/security/nss/lib/certdb/pcertdb.c +++ b/security/nss/lib/certdb/pcertdb.c @@ -61,6 +61,23 @@ CERTCertificate * CERT_FindCertByDERCertNoLocking(CERTCertDBHandle *handle, SECItem *derCert); +extern void nss_MD_map_system_error(); + +static void map_dbm_error(int dbmrv) +{ + /* a return > 0 indicates the database operation succeeded, but + * 1) a record that should have been in the db wasn't (read) + * 2) a record that should not have been in the db was (write) + * this is a corruption of the db, and hence a SEC_ERROR + */ + if (dbmrv > 0) { + PORT_SetError(SEC_ERROR_BAD_DATABASE); + } else { + /* otherwise, a system error occurred during a dbm operation */ + nss_MD_map_system_error(); + } +} + /* * the following functions are wrappers for the db library that implement * a global lock to make the database thread safe. @@ -195,13 +212,13 @@ DeleteDBEntry(CERTCertDBHandle *handle, certDBEntryType type, SECItem *dbkey) /* delete entry from database */ ret = certdb_Del(handle->permCertDB, &key, 0 ); if ( ret != 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } ret = certdb_Sync(handle->permCertDB, 0); if ( ret ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } @@ -228,13 +245,13 @@ ReadDBEntry(CERTCertDBHandle *handle, certDBEntryCommon *entry, /* read entry from database */ ret = certdb_Get(handle->permCertDB, &key, &data, 0 ); if ( ret != 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } /* validate the entry */ if ( data.size < SEC_DB_ENTRY_HEADER_LEN ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } buf = (unsigned char *)data.data; @@ -2904,12 +2921,12 @@ FindSubjectList(CERTCertDBHandle *handle, SECItem *subject, PRBool create) /* error accessing the database */ if ( ret < 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } if ( ret == 0 ) { /* found in temp database */ - if ( tmpdata.size != sizeof(CERTCertificate *) ) { + if ( tmpdata.size != sizeof(CERTSubjectList *) ) { PORT_SetError(SEC_ERROR_BAD_DATABASE); goto loser; } @@ -2929,6 +2946,7 @@ FindSubjectList(CERTCertDBHandle *handle, SECItem *subject, PRBool create) ret = certdb_Put(handle->tempCertDB, &namekey, &tmpdata, R_NOOVERWRITE); if ( ret ) { + map_dbm_error(ret); goto loser; } } @@ -4855,7 +4873,7 @@ CERT_OpenCertDB(CERTCertDBHandle *handle, PRBool readOnly, DBM_DEFAULT, /* bucket size */ DBM_DEFAULT, /* fill factor */ DBM_DEFAULT, /* number of elements */ - 256 * 1024, /* bytes to cache */ + 1024 * 1024, /* bytes to cache */ DBM_DEFAULT, /* hash function */ DBM_DEFAULT /* byte order */ }; @@ -4964,7 +4982,7 @@ SEC_AddTempNickname(CERTCertDBHandle *handle, char *nickname, ret = certdb_Put(handle->tempCertDB, &namekey, &keydata, R_NOOVERWRITE); if ( ret ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } @@ -5085,6 +5103,7 @@ NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, char *nickname, /* enter into the subject index */ rv = AddTempCertToSubjectList(cert); if ( rv != SECSuccess ) { + promoteError = PR_FALSE; goto loser; } /* @@ -5111,6 +5130,8 @@ NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, char *nickname, /* enter into main db */ status = certdb_Put(handle->tempCertDB, &key, &data, R_NOOVERWRITE); if ( status ) { + map_dbm_error(status); + promoteError = PR_FALSE; goto loser; } @@ -5310,7 +5331,7 @@ FindCertByKey(CERTCertDBHandle *handle, SECItem *certKey, PRBool lockdb) /* error accessing the database */ if ( ret < 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } @@ -5493,7 +5514,7 @@ CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname) /* error accessing the database */ if ( ret < 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } @@ -6296,6 +6317,7 @@ SEC_AddPermCrlToTemp(CERTCertDBHandle *handle, certDBEntryRevocation *entry) /* enter into main db */ status = certdb_Put(handle->tempCertDB, &key, &data, R_NOOVERWRITE); if ( status ) { + map_dbm_error(status); goto loser; } @@ -6319,7 +6341,6 @@ loser: PORT_FreeArena(arena, PR_FALSE); } - PORT_SetError(SEC_ERROR_BAD_DATABASE); return(0); } @@ -6408,7 +6429,7 @@ SEC_FindCrlByKey(CERTCertDBHandle *handle, SECItem *crlKey, int type) /* error accessing the database */ if ( ret < 0 ) { - PORT_SetError(SEC_ERROR_BAD_DATABASE); + map_dbm_error(ret); goto loser; } diff --git a/security/nss/lib/certdb/secname.c b/security/nss/lib/certdb/secname.c index 4df4cd204..597f9ae32 100644 --- a/security/nss/lib/certdb/secname.c +++ b/security/nss/lib/certdb/secname.c @@ -67,8 +67,8 @@ CountArray(void **array) return count; } -static void -**AddToArray(PRArenaPool *arena, void **array, void *element) +static void ** +AddToArray(PRArenaPool *arena, void **array, void *element) { unsigned count; void **ap; @@ -96,35 +96,6 @@ static void return array; } -#if 0 -static void -**RemoveFromArray(void **array, void *element) -{ - unsigned count; - void **ap; - int slot; - - /* Look for element */ - ap = array; - if (ap) { - count = 1; /* count the null at the end */ - slot = -1; - for (; *ap; ap++, count++) { - if (*ap == element) { - /* Found it */ - slot = ap - array; - } - } - if (slot >= 0) { - /* Found it. Squish array down */ - PORT_Memmove((void*) (array + slot), (void*) (array + slot + 1), - (count - slot - 1) * sizeof(void*)); - /* Don't bother reallocing the memory */ - } - } - return array; -} -#endif /* 0 */ SECOidTag CERT_GetAVATag(CERTAVA *ava) @@ -217,6 +188,7 @@ SetupAVAValue(PRArenaPool *arena, int valueType, char *value, SECItem *it, case SEC_ASN1_PRINTABLE_STRING: case SEC_ASN1_IA5_STRING: case SEC_ASN1_T61_STRING: + case SEC_ASN1_UTF8_STRING: /* no conversion required */ valueLen = PORT_Strlen(value); break; case SEC_ASN1_UNIVERSAL_STRING: @@ -352,17 +324,27 @@ SECStatus CERT_CopyRDN(PRArenaPool *arena, CERTRDN *to, CERTRDN *from) { CERTAVA **avas, *fava, *tava; - SECStatus rv; + SECStatus rv = SECSuccess; /* Copy each ava from from */ avas = from->avas; - while ((fava = *avas++) != 0) { - tava = CERT_CopyAVA(arena, fava); - if (!tava) return SECFailure; - rv = CERT_AddAVA(arena, to, tava); - if (rv) return rv; + if (avas) { + if (avas[0] == NULL) { + rv = CERT_AddAVA(arena, to, NULL); + return rv; + } + while ((fava = *avas++) != 0) { + tava = CERT_CopyAVA(arena, fava); + if (!tava) { + rv = SECFailure; + break; + } + rv = CERT_AddAVA(arena, to, tava); + if (rv != SECSuccess) + break; + } } - return SECSuccess; + return rv; } /************************************************************************/ @@ -453,24 +435,38 @@ SECStatus CERT_CopyName(PRArenaPool *arena, CERTName *to, CERTName *from) { CERTRDN **rdns, *frdn, *trdn; - SECStatus rv; + SECStatus rv = SECSuccess; + + if (!to || !from) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } CERT_DestroyName(to); to->arena = arena; /* Copy each rdn from from */ rdns = from->rdns; - while ((frdn = *rdns++) != 0) { - trdn = CERT_CreateRDN(arena, 0); - if ( trdn == NULL ) { - return(SECFailure); + if (rdns) { + if (rdns[0] == NULL) { + rv = CERT_AddRDN(to, NULL); + return rv; + } + while ((frdn = *rdns++) != NULL) { + trdn = CERT_CreateRDN(arena, 0); + if (!trdn) { + rv = SECFailure; + break; + } + rv = CERT_CopyRDN(arena, trdn, frdn); + if (rv != SECSuccess) + break; + rv = CERT_AddRDN(to, trdn); + if (rv != SECSuccess) + break; } - rv = CERT_CopyRDN(arena, trdn, frdn); - if (rv) return rv; - rv = CERT_AddRDN(to, trdn); - if (rv) return rv; } - return SECSuccess; + return rv; } /************************************************************************/ diff --git a/security/nss/lib/certdb/syserr.c b/security/nss/lib/certdb/syserr.c new file mode 100644 index 000000000..d7b27fd2c --- /dev/null +++ b/security/nss/lib/certdb/syserr.c @@ -0,0 +1,226 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* + * This file essentially replicates NSPR's source for the functions that + * map system-specific error codes to NSPR error codes. We would use + * NSPR's functions, instead of duplicating them, but they're private. + * As long as SSL's server session cache code must do platform native I/O + * to accomplish its job, and NSPR's error mapping functions remain private, + * this code will continue to need to be replicated. + * + * The contents of this file are subject to the Mozilla Public + * License Version 1.1 (the "License"); you may not use this file + * except in compliance with the License. You may obtain a copy of + * the License at http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS + * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or + * implied. See the License for the specific language governing + * rights and limitations under the License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is Netscape + * Communications Corporation. Portions created by Netscape are + * Copyright (C) 1994-2000 Netscape Communications Corporation. All + * Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the + * terms of the GNU General Public License Version 2 or later (the + * "GPL"), in which case the provisions of the GPL are applicable + * instead of those above. If you wish to allow use of your + * version of this file only under the terms of the GPL and not to + * allow others to use your version of this file under the MPL, + * indicate your decision by deleting the provisions above and + * replace them with the notice and other provisions required by + * the GPL. If you do not delete the provisions above, a recipient + * may use your version of this file under either the MPL or the + * GPL. + * + * $Id$ + */ + +#include "prerror.h" +#include "prlog.h" +#include <errno.h> + +/* mapping of system -> NSPR error codes, taken from libssl. + * used when dbm return value < 0, indicating system error. + */ + +#if defined(WIN32) + +#include <windows.h> + +void nss_MD_map_system_error() +{ + PRErrorCode prError; + PRInt32 err = GetLastError(); + + switch (err) { + case EACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case ENOENT: prError = PR_FILE_NOT_FOUND_ERROR; break; + case ERROR_ACCESS_DENIED: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case ERROR_ALREADY_EXISTS: prError = PR_FILE_EXISTS_ERROR; break; + case ERROR_DISK_CORRUPT: prError = PR_IO_ERROR; break; + case ERROR_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break; + case ERROR_DISK_OPERATION_FAILED: prError = PR_IO_ERROR; break; + case ERROR_DRIVE_LOCKED: prError = PR_FILE_IS_LOCKED_ERROR; break; + case ERROR_FILENAME_EXCED_RANGE: prError = PR_NAME_TOO_LONG_ERROR; break; + case ERROR_FILE_CORRUPT: prError = PR_IO_ERROR; break; + case ERROR_FILE_EXISTS: prError = PR_FILE_EXISTS_ERROR; break; + case ERROR_FILE_INVALID: prError = PR_BAD_DESCRIPTOR_ERROR; break; +#if ERROR_FILE_NOT_FOUND != ENOENT + case ERROR_FILE_NOT_FOUND: prError = PR_FILE_NOT_FOUND_ERROR; break; +#endif + case ERROR_HANDLE_DISK_FULL: prError = PR_NO_DEVICE_SPACE_ERROR; break; + case ERROR_INVALID_ADDRESS: prError = PR_ACCESS_FAULT_ERROR; break; + case ERROR_INVALID_HANDLE: prError = PR_BAD_DESCRIPTOR_ERROR; break; + case ERROR_INVALID_NAME: prError = PR_INVALID_ARGUMENT_ERROR; break; + case ERROR_INVALID_PARAMETER: prError = PR_INVALID_ARGUMENT_ERROR; break; + case ERROR_INVALID_USER_BUFFER: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; + case ERROR_LOCKED: prError = PR_FILE_IS_LOCKED_ERROR; break; + case ERROR_NETNAME_DELETED: prError = PR_CONNECT_RESET_ERROR; break; + case ERROR_NOACCESS: prError = PR_ACCESS_FAULT_ERROR; break; + case ERROR_NOT_ENOUGH_MEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; + case ERROR_NOT_ENOUGH_QUOTA: prError = PR_OUT_OF_MEMORY_ERROR; break; + case ERROR_NOT_READY: prError = PR_IO_ERROR; break; + case ERROR_NO_MORE_FILES: prError = PR_NO_MORE_FILES_ERROR; break; + case ERROR_OPEN_FAILED: prError = PR_IO_ERROR; break; + case ERROR_OPEN_FILES: prError = PR_IO_ERROR; break; + case ERROR_OUTOFMEMORY: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; + case ERROR_PATH_BUSY: prError = PR_IO_ERROR; break; + case ERROR_PATH_NOT_FOUND: prError = PR_FILE_NOT_FOUND_ERROR; break; + case ERROR_SEEK_ON_DEVICE: prError = PR_IO_ERROR; break; + case ERROR_SHARING_VIOLATION: prError = PR_FILE_IS_BUSY_ERROR; break; + case ERROR_STACK_OVERFLOW: prError = PR_ACCESS_FAULT_ERROR; break; + case ERROR_TOO_MANY_OPEN_FILES: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break; + case ERROR_WRITE_PROTECT: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case WSAEACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case WSAEADDRINUSE: prError = PR_ADDRESS_IN_USE_ERROR; break; + case WSAEADDRNOTAVAIL: prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break; + case WSAEAFNOSUPPORT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break; + case WSAEALREADY: prError = PR_ALREADY_INITIATED_ERROR; break; + case WSAEBADF: prError = PR_BAD_DESCRIPTOR_ERROR; break; + case WSAECONNABORTED: prError = PR_CONNECT_ABORTED_ERROR; break; + case WSAECONNREFUSED: prError = PR_CONNECT_REFUSED_ERROR; break; + case WSAECONNRESET: prError = PR_CONNECT_RESET_ERROR; break; + case WSAEDESTADDRREQ: prError = PR_INVALID_ARGUMENT_ERROR; break; + case WSAEFAULT: prError = PR_ACCESS_FAULT_ERROR; break; + case WSAEHOSTUNREACH: prError = PR_HOST_UNREACHABLE_ERROR; break; + case WSAEINVAL: prError = PR_INVALID_ARGUMENT_ERROR; break; + case WSAEISCONN: prError = PR_IS_CONNECTED_ERROR; break; + case WSAEMFILE: prError = PR_PROC_DESC_TABLE_FULL_ERROR; break; + case WSAEMSGSIZE: prError = PR_BUFFER_OVERFLOW_ERROR; break; + case WSAENETDOWN: prError = PR_NETWORK_DOWN_ERROR; break; + case WSAENETRESET: prError = PR_CONNECT_ABORTED_ERROR; break; + case WSAENETUNREACH: prError = PR_NETWORK_UNREACHABLE_ERROR; break; + case WSAENOBUFS: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; + case WSAENOPROTOOPT: prError = PR_INVALID_ARGUMENT_ERROR; break; + case WSAENOTCONN: prError = PR_NOT_CONNECTED_ERROR; break; + case WSAENOTSOCK: prError = PR_NOT_SOCKET_ERROR; break; + case WSAEOPNOTSUPP: prError = PR_OPERATION_NOT_SUPPORTED_ERROR; break; + case WSAEPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break; + case WSAEPROTOTYPE: prError = PR_INVALID_ARGUMENT_ERROR; break; + case WSAESHUTDOWN: prError = PR_SOCKET_SHUTDOWN_ERROR; break; + case WSAESOCKTNOSUPPORT: prError = PR_INVALID_ARGUMENT_ERROR; break; + case WSAETIMEDOUT: prError = PR_CONNECT_ABORTED_ERROR; break; + case WSAEWOULDBLOCK: prError = PR_WOULD_BLOCK_ERROR; break; + default: prError = PR_UNKNOWN_ERROR; break; + } + PR_SetError(prError, err); +} + +#elif defined(XP_UNIX) + +void nss_MD_map_system_error() +{ + PRErrorCode prError; + int err = errno; + + switch (err ) { + case EACCES: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case EADDRINUSE: prError = PR_ADDRESS_IN_USE_ERROR; break; + case EADDRNOTAVAIL: prError = PR_ADDRESS_NOT_AVAILABLE_ERROR; break; + case EAFNOSUPPORT: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break; + case EAGAIN: prError = PR_WOULD_BLOCK_ERROR; break; + case EALREADY: prError = PR_ALREADY_INITIATED_ERROR; break; + case EBADF: prError = PR_BAD_DESCRIPTOR_ERROR; break; +#ifdef EBADMSG + case EBADMSG: prError = PR_IO_ERROR; break; +#endif + case EBUSY: prError = PR_FILESYSTEM_MOUNTED_ERROR; break; + case ECONNREFUSED: prError = PR_CONNECT_REFUSED_ERROR; break; + case ECONNRESET: prError = PR_CONNECT_RESET_ERROR; break; + case EDEADLK: prError = PR_DEADLOCK_ERROR; break; +#ifdef EDIRCORRUPTED + case EDIRCORRUPTED: prError = PR_DIRECTORY_CORRUPTED_ERROR; break; +#endif +#ifdef EDQUOT + case EDQUOT: prError = PR_NO_DEVICE_SPACE_ERROR; break; +#endif + case EEXIST: prError = PR_FILE_EXISTS_ERROR; break; + case EFAULT: prError = PR_ACCESS_FAULT_ERROR; break; + case EFBIG: prError = PR_FILE_TOO_BIG_ERROR; break; + case EINPROGRESS: prError = PR_IN_PROGRESS_ERROR; break; + case EINTR: prError = PR_PENDING_INTERRUPT_ERROR; break; + case EINVAL: prError = PR_INVALID_ARGUMENT_ERROR; break; + case EIO: prError = PR_IO_ERROR; break; + case EISCONN: prError = PR_IS_CONNECTED_ERROR; break; + case EISDIR: prError = PR_IS_DIRECTORY_ERROR; break; + case ELOOP: prError = PR_LOOP_ERROR; break; + case EMFILE: prError = PR_PROC_DESC_TABLE_FULL_ERROR; break; + case EMLINK: prError = PR_MAX_DIRECTORY_ENTRIES_ERROR; break; + case EMSGSIZE: prError = PR_INVALID_ARGUMENT_ERROR; break; +#ifdef EMULTIHOP + case EMULTIHOP: prError = PR_REMOTE_FILE_ERROR; break; +#endif + case ENAMETOOLONG: prError = PR_NAME_TOO_LONG_ERROR; break; + case ENETUNREACH: prError = PR_NETWORK_UNREACHABLE_ERROR; break; + case ENFILE: prError = PR_SYS_DESC_TABLE_FULL_ERROR; break; +#if !defined(SCO) + case ENOBUFS: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; +#endif + case ENODEV: prError = PR_FILE_NOT_FOUND_ERROR; break; + case ENOENT: prError = PR_FILE_NOT_FOUND_ERROR; break; + case ENOLCK: prError = PR_FILE_IS_LOCKED_ERROR; break; +#ifdef ENOLINK + case ENOLINK: prError = PR_REMOTE_FILE_ERROR; break; +#endif + case ENOMEM: prError = PR_OUT_OF_MEMORY_ERROR; break; + case ENOPROTOOPT: prError = PR_INVALID_ARGUMENT_ERROR; break; + case ENOSPC: prError = PR_NO_DEVICE_SPACE_ERROR; break; +#ifdef ENOSR + case ENOSR: prError = PR_INSUFFICIENT_RESOURCES_ERROR; break; +#endif + case ENOTCONN: prError = PR_NOT_CONNECTED_ERROR; break; + case ENOTDIR: prError = PR_NOT_DIRECTORY_ERROR; break; + case ENOTSOCK: prError = PR_NOT_SOCKET_ERROR; break; + case ENXIO: prError = PR_FILE_NOT_FOUND_ERROR; break; + case EOPNOTSUPP: prError = PR_NOT_TCP_SOCKET_ERROR; break; +#ifdef EOVERFLOW + case EOVERFLOW: prError = PR_BUFFER_OVERFLOW_ERROR; break; +#endif + case EPERM: prError = PR_NO_ACCESS_RIGHTS_ERROR; break; + case EPIPE: prError = PR_CONNECT_RESET_ERROR; break; +#ifdef EPROTO + case EPROTO: prError = PR_IO_ERROR; break; +#endif + case EPROTONOSUPPORT: prError = PR_PROTOCOL_NOT_SUPPORTED_ERROR; break; + case EPROTOTYPE: prError = PR_ADDRESS_NOT_SUPPORTED_ERROR; break; + case ERANGE: prError = PR_INVALID_METHOD_ERROR; break; + case EROFS: prError = PR_READ_ONLY_FILESYSTEM_ERROR; break; + case ESPIPE: prError = PR_INVALID_METHOD_ERROR; break; + case ETIMEDOUT: prError = PR_IO_TIMEOUT_ERROR; break; +#if EWOULDBLOCK != EAGAIN + case EWOULDBLOCK: prError = PR_WOULD_BLOCK_ERROR; break; +#endif + case EXDEV: prError = PR_NOT_SAME_DEVICE_ERROR; break; + + default: prError = PR_UNKNOWN_ERROR; break; + } + PR_SetError(prError, err); +} + +#endif diff --git a/security/nss/lib/cryptohi/seckey.c b/security/nss/lib/cryptohi/seckey.c index 38473cf71..5a9955f7a 100644 --- a/security/nss/lib/cryptohi/seckey.c +++ b/security/nss/lib/cryptohi/seckey.c @@ -377,7 +377,8 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) (tag != SEC_OID_MISSI_DSS) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ) { + (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_SDN702_DSA_SIGNATURE) ) { return SECSuccess; } @@ -423,7 +424,8 @@ seckey_UpdateCertPQGChain(CERTCertificate * subjectCert, int count) (tag != SEC_OID_MISSI_DSS) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE) && (tag != SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) && - (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) ) { + (tag != SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST) && + (tag != SEC_OID_SDN702_DSA_SIGNATURE) ) { return SECFailure; } @@ -865,6 +867,7 @@ seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki) return pubk; break; case SEC_OID_ANSIX9_DSA_SIGNATURE: + case SEC_OID_SDN702_DSA_SIGNATURE: pubk->keyType = dsaKey; rv = SEC_ASN1DecodeItem(arena, pubk, SECKEY_DSAPublicKeyTemplate, &os); if (rv != SECSuccess) break; @@ -909,7 +912,7 @@ seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki) if (rv == SECSuccess) return pubk; - break; + break; case SEC_OID_MISSI_ALT_KEA: pubk->keyType = keaKey; @@ -923,7 +926,7 @@ seckey_ExtractPublicKey(CERTSubjectPublicKeyInfo *spki) if (rv == SECSuccess) return pubk; - break; + break; default: diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile index c5b5a1299..f33134d5d 100644 --- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -140,16 +140,7 @@ ifdef USE_HYBRID OS_CFLAGS += -xchip=ultra2 endif endif -ifeq ($(OS_RELEASE),5.5.1) - SYSV_SPARC = 1 -endif -ifeq ($(OS_RELEASE),5.6) - SYSV_SPARC = 1 -endif -ifeq ($(OS_RELEASE),5.7) - SYSV_SPARC = 1 -endif -ifeq ($(OS_RELEASE),5.8) +ifeq (5.5.1,$(firstword $(sort 5.5.1 $(OS_RELEASE)))) SYSV_SPARC = 1 endif ifeq ($(SYSV_SPARC),1) diff --git a/security/nss/lib/freebl/rijndael.c b/security/nss/lib/freebl/rijndael.c index f59cd6c99..1a5857c48 100644 --- a/security/nss/lib/freebl/rijndael.c +++ b/security/nss/lib/freebl/rijndael.c @@ -282,16 +282,17 @@ rijndael_invkey_expansion(AESContext *cx, unsigned char *key, unsigned int Nk) #define BYTE3WORD(w) ((w) & 0x000000ff) #endif -#define COLUMN_0(array) *((PRUint32 *)(array )) -#define COLUMN_1(array) *((PRUint32 *)(array + 4)) -#define COLUMN_2(array) *((PRUint32 *)(array + 8)) -#define COLUMN_3(array) *((PRUint32 *)(array + 12)) -#define COLUMN_4(array) *((PRUint32 *)(array + 16)) -#define COLUMN_5(array) *((PRUint32 *)(array + 20)) -#define COLUMN_6(array) *((PRUint32 *)(array + 24)) -#define COLUMN_7(array) *((PRUint32 *)(array + 28)) +typedef union { + PRUint32 w[4]; + PRUint8 b[16]; +} rijndael_state; -#define STATE_BYTE(i) clone[i] +#define COLUMN_0(state) state.w[0] +#define COLUMN_1(state) state.w[1] +#define COLUMN_2(state) state.w[2] +#define COLUMN_3(state) state.w[3] + +#define STATE_BYTE(i) state.b[i] static SECStatus rijndael_encryptBlock128(AESContext *cx, @@ -300,61 +301,92 @@ rijndael_encryptBlock128(AESContext *cx, { unsigned int r; PRUint32 *roundkeyw; - PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE]; + rijndael_state state; + PRUint32 C0, C1, C2, C3; +#if defined(_X86_) +#define pIn input +#define pOut output +#else + unsigned char *pIn, *pOut; + PRUint32 inBuf[4], outBuf[4]; + if ((ptrdiff_t)input & 0x3) { + memcpy(inBuf, input, sizeof inBuf); + pIn = (unsigned char *)inBuf; + } else { + pIn = (unsigned char *)input; + } + if ((ptrdiff_t)output & 0x3) { + pOut = (unsigned char *)outBuf; + } else { + pOut = (unsigned char *)output; + } +#endif roundkeyw = cx->expandedKey; /* Step 1: Add Round Key 0 to initial state */ - COLUMN_0(clone) = COLUMN_0(input) ^ *roundkeyw++; - COLUMN_1(clone) = COLUMN_1(input) ^ *roundkeyw++; - COLUMN_2(clone) = COLUMN_2(input) ^ *roundkeyw++; - COLUMN_3(clone) = COLUMN_3(input) ^ *roundkeyw++; + COLUMN_0(state) = *((PRUint32 *)(pIn )) ^ *roundkeyw++; + COLUMN_1(state) = *((PRUint32 *)(pIn + 4 )) ^ *roundkeyw++; + COLUMN_2(state) = *((PRUint32 *)(pIn + 8 )) ^ *roundkeyw++; + COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw++; /* Step 2: Loop over rounds [1..NR-1] */ for (r=1; r<cx->Nr; ++r) { /* Do ShiftRow, ByteSub, and MixColumn all at once */ - COLUMN_0(output) = T0(STATE_BYTE(0)) ^ - T1(STATE_BYTE(5)) ^ - T2(STATE_BYTE(10)) ^ - T3(STATE_BYTE(15)); - COLUMN_1(output) = T0(STATE_BYTE(4)) ^ - T1(STATE_BYTE(9)) ^ - T2(STATE_BYTE(14)) ^ - T3(STATE_BYTE(3)); - COLUMN_2(output) = T0(STATE_BYTE(8)) ^ - T1(STATE_BYTE(13)) ^ - T2(STATE_BYTE(2)) ^ - T3(STATE_BYTE(7)); - COLUMN_3(output) = T0(STATE_BYTE(12)) ^ - T1(STATE_BYTE(1)) ^ - T2(STATE_BYTE(6)) ^ - T3(STATE_BYTE(11)); + C0 = T0(STATE_BYTE(0)) ^ + T1(STATE_BYTE(5)) ^ + T2(STATE_BYTE(10)) ^ + T3(STATE_BYTE(15)); + C1 = T0(STATE_BYTE(4)) ^ + T1(STATE_BYTE(9)) ^ + T2(STATE_BYTE(14)) ^ + T3(STATE_BYTE(3)); + C2 = T0(STATE_BYTE(8)) ^ + T1(STATE_BYTE(13)) ^ + T2(STATE_BYTE(2)) ^ + T3(STATE_BYTE(7)); + C3 = T0(STATE_BYTE(12)) ^ + T1(STATE_BYTE(1)) ^ + T2(STATE_BYTE(6)) ^ + T3(STATE_BYTE(11)); /* Round key addition */ - COLUMN_0(clone) = COLUMN_0(output) ^ *roundkeyw++; - COLUMN_1(clone) = COLUMN_1(output) ^ *roundkeyw++; - COLUMN_2(clone) = COLUMN_2(output) ^ *roundkeyw++; - COLUMN_3(clone) = COLUMN_3(output) ^ *roundkeyw++; + COLUMN_0(state) = C0 ^ *roundkeyw++; + COLUMN_1(state) = C1 ^ *roundkeyw++; + COLUMN_2(state) = C2 ^ *roundkeyw++; + COLUMN_3(state) = C3 ^ *roundkeyw++; } /* Step 3: Do the last round */ /* Final round does not employ MixColumn */ - COLUMN_0(output) = ((BYTE0WORD(T2(STATE_BYTE(0)))) | - (BYTE1WORD(T3(STATE_BYTE(5)))) | - (BYTE2WORD(T0(STATE_BYTE(10)))) | - (BYTE3WORD(T1(STATE_BYTE(15))))) ^ - *roundkeyw++; - COLUMN_1(output) = ((BYTE0WORD(T2(STATE_BYTE(4)))) | - (BYTE1WORD(T3(STATE_BYTE(9)))) | - (BYTE2WORD(T0(STATE_BYTE(14)))) | - (BYTE3WORD(T1(STATE_BYTE(3))))) ^ - *roundkeyw++; - COLUMN_2(output) = ((BYTE0WORD(T2(STATE_BYTE(8)))) | - (BYTE1WORD(T3(STATE_BYTE(13)))) | - (BYTE2WORD(T0(STATE_BYTE(2)))) | - (BYTE3WORD(T1(STATE_BYTE(7))))) ^ - *roundkeyw++; - COLUMN_3(output) = ((BYTE0WORD(T2(STATE_BYTE(12)))) | - (BYTE1WORD(T3(STATE_BYTE(1)))) | - (BYTE2WORD(T0(STATE_BYTE(6)))) | - (BYTE3WORD(T1(STATE_BYTE(11))))) ^ - *roundkeyw++; + C0 = ((BYTE0WORD(T2(STATE_BYTE(0)))) | + (BYTE1WORD(T3(STATE_BYTE(5)))) | + (BYTE2WORD(T0(STATE_BYTE(10)))) | + (BYTE3WORD(T1(STATE_BYTE(15))))) ^ + *roundkeyw++; + C1 = ((BYTE0WORD(T2(STATE_BYTE(4)))) | + (BYTE1WORD(T3(STATE_BYTE(9)))) | + (BYTE2WORD(T0(STATE_BYTE(14)))) | + (BYTE3WORD(T1(STATE_BYTE(3))))) ^ + *roundkeyw++; + C2 = ((BYTE0WORD(T2(STATE_BYTE(8)))) | + (BYTE1WORD(T3(STATE_BYTE(13)))) | + (BYTE2WORD(T0(STATE_BYTE(2)))) | + (BYTE3WORD(T1(STATE_BYTE(7))))) ^ + *roundkeyw++; + C3 = ((BYTE0WORD(T2(STATE_BYTE(12)))) | + (BYTE1WORD(T3(STATE_BYTE(1)))) | + (BYTE2WORD(T0(STATE_BYTE(6)))) | + (BYTE3WORD(T1(STATE_BYTE(11))))) ^ + *roundkeyw++; + *((PRUint32 *) pOut ) = C0; + *((PRUint32 *)(pOut + 4)) = C1; + *((PRUint32 *)(pOut + 8)) = C2; + *((PRUint32 *)(pOut + 12)) = C3; +#if defined(_X86_) +#undef pIn +#undef pOut +#else + if ((ptrdiff_t)output & 0x3) { + memcpy(output, outBuf, sizeof outBuf); + } +#endif return SECSuccess; } @@ -365,61 +397,88 @@ rijndael_decryptBlock128(AESContext *cx, { int r; PRUint32 *roundkeyw; - PRUint8 clone[RIJNDAEL_MAX_STATE_SIZE]; + rijndael_state state; + PRUint32 C0, C1, C2, C3; +#if defined(_X86_) +#define pIn input +#define pOut output +#else + unsigned char *pIn, *pOut; + PRUint32 inBuf[4], outBuf[4]; + if ((ptrdiff_t)input & 0x3) { + memcpy(inBuf, input, sizeof inBuf); + pIn = (unsigned char *)inBuf; + } else { + pIn = (unsigned char *)input; + } + if ((ptrdiff_t)output & 0x3) { + pOut = (unsigned char *)outBuf; + } else { + pOut = (unsigned char *)output; + } +#endif roundkeyw = cx->expandedKey + cx->Nb * cx->Nr + 3; /* reverse the final key addition */ - COLUMN_3(clone) = COLUMN_3(input) ^ *roundkeyw--; - COLUMN_2(clone) = COLUMN_2(input) ^ *roundkeyw--; - COLUMN_1(clone) = COLUMN_1(input) ^ *roundkeyw--; - COLUMN_0(clone) = COLUMN_0(input) ^ *roundkeyw--; + COLUMN_3(state) = *((PRUint32 *)(pIn + 12)) ^ *roundkeyw--; + COLUMN_2(state) = *((PRUint32 *)(pIn + 8)) ^ *roundkeyw--; + COLUMN_1(state) = *((PRUint32 *)(pIn + 4)) ^ *roundkeyw--; + COLUMN_0(state) = *((PRUint32 *)(pIn )) ^ *roundkeyw--; /* Loop over rounds in reverse [NR..1] */ for (r=cx->Nr; r>1; --r) { /* Invert the (InvByteSub*InvMixColumn)(InvShiftRow(state)) */ - COLUMN_0(output) = TInv0(STATE_BYTE(0)) ^ - TInv1(STATE_BYTE(13)) ^ - TInv2(STATE_BYTE(10)) ^ - TInv3(STATE_BYTE(7)); - COLUMN_1(output) = TInv0(STATE_BYTE(4)) ^ - TInv1(STATE_BYTE(1)) ^ - TInv2(STATE_BYTE(14)) ^ - TInv3(STATE_BYTE(11)); - COLUMN_2(output) = TInv0(STATE_BYTE(8)) ^ - TInv1(STATE_BYTE(5)) ^ - TInv2(STATE_BYTE(2)) ^ - TInv3(STATE_BYTE(15)); - COLUMN_3(output) = TInv0(STATE_BYTE(12)) ^ - TInv1(STATE_BYTE(9)) ^ - TInv2(STATE_BYTE(6)) ^ - TInv3(STATE_BYTE(3)); + C0 = TInv0(STATE_BYTE(0)) ^ + TInv1(STATE_BYTE(13)) ^ + TInv2(STATE_BYTE(10)) ^ + TInv3(STATE_BYTE(7)); + C1 = TInv0(STATE_BYTE(4)) ^ + TInv1(STATE_BYTE(1)) ^ + TInv2(STATE_BYTE(14)) ^ + TInv3(STATE_BYTE(11)); + C2 = TInv0(STATE_BYTE(8)) ^ + TInv1(STATE_BYTE(5)) ^ + TInv2(STATE_BYTE(2)) ^ + TInv3(STATE_BYTE(15)); + C3 = TInv0(STATE_BYTE(12)) ^ + TInv1(STATE_BYTE(9)) ^ + TInv2(STATE_BYTE(6)) ^ + TInv3(STATE_BYTE(3)); /* Invert the key addition step */ - COLUMN_3(clone) = COLUMN_3(output) ^ *roundkeyw--; - COLUMN_2(clone) = COLUMN_2(output) ^ *roundkeyw--; - COLUMN_1(clone) = COLUMN_1(output) ^ *roundkeyw--; - COLUMN_0(clone) = COLUMN_0(output) ^ *roundkeyw--; + COLUMN_3(state) = C3 ^ *roundkeyw--; + COLUMN_2(state) = C2 ^ *roundkeyw--; + COLUMN_1(state) = C1 ^ *roundkeyw--; + COLUMN_0(state) = C0 ^ *roundkeyw--; } /* inverse sub */ - output[ 0] = SBOXINV(clone[ 0]); - output[ 1] = SBOXINV(clone[13]); - output[ 2] = SBOXINV(clone[10]); - output[ 3] = SBOXINV(clone[ 7]); - output[ 4] = SBOXINV(clone[ 4]); - output[ 5] = SBOXINV(clone[ 1]); - output[ 6] = SBOXINV(clone[14]); - output[ 7] = SBOXINV(clone[11]); - output[ 8] = SBOXINV(clone[ 8]); - output[ 9] = SBOXINV(clone[ 5]); - output[10] = SBOXINV(clone[ 2]); - output[11] = SBOXINV(clone[15]); - output[12] = SBOXINV(clone[12]); - output[13] = SBOXINV(clone[ 9]); - output[14] = SBOXINV(clone[ 6]); - output[15] = SBOXINV(clone[ 3]); + pOut[ 0] = SBOXINV(STATE_BYTE( 0)); + pOut[ 1] = SBOXINV(STATE_BYTE(13)); + pOut[ 2] = SBOXINV(STATE_BYTE(10)); + pOut[ 3] = SBOXINV(STATE_BYTE( 7)); + pOut[ 4] = SBOXINV(STATE_BYTE( 4)); + pOut[ 5] = SBOXINV(STATE_BYTE( 1)); + pOut[ 6] = SBOXINV(STATE_BYTE(14)); + pOut[ 7] = SBOXINV(STATE_BYTE(11)); + pOut[ 8] = SBOXINV(STATE_BYTE( 8)); + pOut[ 9] = SBOXINV(STATE_BYTE( 5)); + pOut[10] = SBOXINV(STATE_BYTE( 2)); + pOut[11] = SBOXINV(STATE_BYTE(15)); + pOut[12] = SBOXINV(STATE_BYTE(12)); + pOut[13] = SBOXINV(STATE_BYTE( 9)); + pOut[14] = SBOXINV(STATE_BYTE( 6)); + pOut[15] = SBOXINV(STATE_BYTE( 3)); /* final key addition */ - COLUMN_3(output) ^= *roundkeyw--; - COLUMN_2(output) ^= *roundkeyw--; - COLUMN_1(output) ^= *roundkeyw--; - COLUMN_0(output) ^= *roundkeyw--; + *((PRUint32 *)(pOut + 12)) ^= *roundkeyw--; + *((PRUint32 *)(pOut + 8)) ^= *roundkeyw--; + *((PRUint32 *)(pOut + 4)) ^= *roundkeyw--; + *((PRUint32 *) pOut ) ^= *roundkeyw--; +#if defined(_X86_) +#undef pIn +#undef pOut +#else + if ((ptrdiff_t)output & 0x3) { + memcpy(output, outBuf, sizeof outBuf); + } +#endif return SECSuccess; } @@ -441,6 +500,8 @@ rijndael_encryptBlock(AESContext *cx, unsigned char *output, const unsigned char *input) { + return SECFailure; +#ifdef rijndael_large_blocks_fixed unsigned int j, r, Nb; unsigned int c2, c3; PRUint32 *roundkeyw; @@ -473,6 +534,7 @@ rijndael_encryptBlock(AESContext *cx, *roundkeyw++; } return SECSuccess; +#endif } SECStatus @@ -480,6 +542,8 @@ rijndael_decryptBlock(AESContext *cx, unsigned char *output, const unsigned char *input) { + return SECFailure; +#ifdef rijndael_large_blocks_fixed int j, r, Nb; int c2, c3; PRUint32 *roundkeyw; @@ -513,6 +577,7 @@ rijndael_decryptBlock(AESContext *cx, COLUMN(output, j) ^= *roundkeyw--; } return SECSuccess; +#endif } /************************************************************************** diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c index 40903b34d..588cfa6ec 100644 --- a/security/nss/lib/freebl/rsa.c +++ b/security/nss/lib/freebl/rsa.c @@ -226,7 +226,9 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) RSAPrivateKey *key = NULL; PRArenaPool *arena = NULL; /* Require key size to be a multiple of 16 bits. */ - if (!publicExponent || keySizeInBits % 16 != 0) { + if (!publicExponent || keySizeInBits % 16 != 0 || + keySizeInBits == 0 || publicExponent->len == 0 || + (publicExponent->len == 1 && publicExponent->data[0] == 1)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } @@ -759,11 +761,13 @@ swap_in_key_value(PRArenaPool *arena, mp_int *mpval, SECItem *buffer) if ((unsigned int)len <= buffer->len) { /* The new value is no longer than the old buffer, so use it */ err = mp_to_unsigned_octets(mpval, buffer->data, len); + if (err >= 0) err = MP_OKAY; buffer->len = len; } else if (arena) { /* The new value is longer, but working within an arena */ (void)SECITEM_AllocItem(arena, buffer, len); err = mp_to_unsigned_octets(mpval, buffer->data, len); + if (err >= 0) err = MP_OKAY; } else { /* The new value is longer, no arena, can't handle this key */ return SECFailure; @@ -810,6 +814,7 @@ RSA_PrivateKeyCheck(RSAPrivateKey *key) /* mind the p's and q's (and d_p's and d_q's) */ SECItem tmp; mp_exch(&p, &q); + mp_exch(&d_p,&d_q); tmp = key->prime1; key->prime1 = key->prime2; key->prime2 = tmp; diff --git a/security/nss/lib/freebl/sparcfix.c b/security/nss/lib/freebl/sparcfix.c deleted file mode 100644 index 6ebc41cf0..000000000 --- a/security/nss/lib/freebl/sparcfix.c +++ /dev/null @@ -1,95 +0,0 @@ -/* - * The contents of this file are subject to the Mozilla Public - * License Version 1.1 (the "License"); you may not use this file - * except in compliance with the License. You may obtain a copy of - * the License at http://www.mozilla.org/MPL/ - * - * Software distributed under the License is distributed on an "AS - * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - * implied. See the License for the specific language governing - * rights and limitations under the License. - * - * The Original Code is a program to modify v8+vis objects for linking. - * - * The Initial Developer of the Original Code is Sun Microsystems Inc. - * Portions created by Sun Microsystems Inc. are - * Copyright (C) 1999-2000 Sun Microsystems Inc. All Rights Reserved. - * - * Contributor(s): - * Netscape Communications Corporation - * - * Alternatively, the contents of this file may be used under the - * terms of the GNU General Public License Version 2 or later (the - * "GPL"), in which case the provisions of the GPL are applicable - * instead of those above. If you wish to allow use of your - * version of this file only under the terms of the GPL and not to - * allow others to use your version of this file under the MPL, - * indicate your decision by deleting the provisions above and - * replace them with the notice and other provisions required by - * the GPL. If you do not delete the provisions above, a recipient - * may use your version of this file under either the MPL or the - * GPL. - * $Id$ - */ -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> -#if defined(SOLARIS2_6) || defined(SOLARIS2_7) || defined(SOLARIS2_8) -#define NEW_SYSV_SPARC 1 -#include <gelf.h> -#endif -#include <libelf.h> -#include <sys/elf_SPARC.h> - -int -main(int argc, char *argv[]) -{ - Elf * elf; - off_t size; - int fd; - int count; -#if defined(NEW_SYSV_SPARC) - GElf_Ehdr hdr; - GElf_Ehdr *ehdr = &hdr; -#else - Elf32_Ehdr *ehdr; -#endif - - - elf_version(EV_CURRENT); - fd = open(argv[1], O_RDWR); - if (fd < 0) - goto loser; - elf = elf_begin(fd, ELF_C_RDWR, (Elf *)0); - if (!elf) - goto loser; - -#if defined(NEW_SYSV_SPARC) - gelf_getehdr(elf, ehdr); -#else - ehdr = elf32_getehdr(elf); - if (!ehdr) - goto loser; -#endif - - if (ehdr->e_machine == EM_SPARC32PLUS) { - ehdr->e_machine = EM_SPARC; - ehdr->e_flags &= ~(EF_SPARC_32PLUS | EF_SPARC_SUN_US1); -#if defined(NEW_SYSV_SPARC) - count = gelf_update_ehdr(elf, ehdr); - if (count < 0) - goto loser; -#endif - size = elf_update(elf, ELF_C_WRITE); - if (size < 0) - goto loser; - } - - do { - count = elf_end(elf); - } while (count > 0); - return count; - -loser: - return 1; -} diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index abd86d6a6..f11dcc19f 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -49,11 +49,11 @@ SEC_BEGIN_PROTOS * The format of the version string should be * "<major version>.<minor version>[.<patch level>] [<Beta>]" */ -#define NSS_VERSION "3.3.5 Beta" +#define NSS_VERSION "3.3.4.4" #define NSS_VMAJOR 3 #define NSS_VMINOR 3 -#define NSS_VPATCH 5 -#define NSS_BETA PR_TRUE +#define NSS_VPATCH 4 +#define NSS_BETA PR_FALSE /* diff --git a/security/nss/lib/nss/nssinit.c b/security/nss/lib/nss/nssinit.c index b1322668c..8ee45528d 100644 --- a/security/nss/lib/nss/nssinit.c +++ b/security/nss/lib/nss/nssinit.c @@ -155,8 +155,10 @@ nss_OpenKeyDB(const char * configdir, const char *prefix, PRBool readOnly) if (name == NULL) return SECFailure; keydb = SECKEY_OpenKeyDB(readOnly, nss_keydb_name_cb, (void *)name); - if (keydb == NULL) + if (keydb == NULL) { + PORT_Free(name); return SECFailure; + } SECKEY_SetDefaultKeyDB(keydb); PORT_Free(name); return SECSuccess; @@ -361,6 +363,10 @@ NSS_NoDB_Init(const char * configdir) return rv; } RNG_SystemInfoForRNG(); + + if (secoid_Init() != SECSuccess) { + return rv; + } rv = nss_OpenVolatileCertDB(); if (rv != SECSuccess) { diff --git a/security/nss/lib/pk11wrap/pk11skey.c b/security/nss/lib/pk11wrap/pk11skey.c index 5ea1f561c..65cae261b 100644 --- a/security/nss/lib/pk11wrap/pk11skey.c +++ b/security/nss/lib/pk11wrap/pk11skey.c @@ -305,6 +305,17 @@ PK11_SymKeyFromHandle(PK11SlotInfo *slot, PK11SymKey *parent, PK11Origin origin, symKey->origin = origin; symKey->owner = owner; + /* adopt the parent's session */ + /* This is only used by SSL. What we really want here is a session + * structure with a ref count so the session goes away only after all the + * keys do. */ + if (owner && parent) { + pk11_CloseSession(symKey->slot, symKey->session,symKey->sessionOwner); + symKey->sessionOwner = parent->sessionOwner; + symKey->session = parent->session; + parent->sessionOwner = PR_FALSE; + } + return symKey; } @@ -3147,20 +3158,7 @@ PK11_ExitContextMonitor(PK11Context *cx) { void PK11_DestroyContext(PK11Context *context, PRBool freeit) { - SECStatus rv = SECFailure; - if (context->ownSession && context->key && /* context owns session & key */ - context->key->session == context->session && /* sharing session */ - !context->key->sessionOwner) /* sanity check */ - { - /* session still valid, let the key free it as necessary */ - rv = PK11_Finalize(context); /* end any ongoing activity */ - if (rv == SECSuccess) { - context->key->sessionOwner = PR_TRUE; - } /* else couldn't finalize the session, close it */ - } - if (rv == SECFailure) { pk11_CloseSession(context->slot,context->session,context->ownSession); - } /* initialize the critical fields of the context */ if (context->savedData != NULL ) PORT_Free(context->savedData); if (context->key) PK11_FreeSymKey(context->key); @@ -3345,14 +3343,7 @@ static PK11Context *pk11_CreateNewContextInSlot(CK_MECHANISM_TYPE type, context->operation = operation; context->key = symKey ? PK11_ReferenceSymKey(symKey) : NULL; context->slot = PK11_ReferenceSlot(slot); - if (symKey && symKey->sessionOwner) { - /* The symkey owns a session. Adopt that session. */ - context->session = symKey->session; - context->ownSession = symKey->sessionOwner; - symKey->sessionOwner = PR_FALSE; - } else { - context->session = pk11_GetNewSession(slot, &context->ownSession); - } + context->session = pk11_GetNewSession(slot,&context->ownSession); context->cx = symKey ? symKey->cx : NULL; /* get our session */ context->savedData = NULL; @@ -3884,6 +3875,11 @@ PK11_DigestKey(PK11Context *context, PK11SymKey *key) SECStatus rv = SECSuccess; PK11SymKey *newKey = NULL; + if (!context || !key) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + /* if we ran out of session, we need to restore our previously stored * state. */ diff --git a/security/nss/lib/pk11wrap/pk11slot.c b/security/nss/lib/pk11wrap/pk11slot.c index b32f83211..c613c01cb 100644 --- a/security/nss/lib/pk11wrap/pk11slot.c +++ b/security/nss/lib/pk11wrap/pk11slot.c @@ -463,6 +463,10 @@ PK11_DestroySlot(PK11SlotInfo *slot) /* free up the cached keys and sessions */ PK11_CleanKeyList(slot); + if (slot->mechanismList) { + PORT_Free(slot->mechanismList); + } + /* finally Tell our parent module that we've gone away so it can unload */ if (slot->module) { SECMOD_SlotDestroyModule(slot->module,PR_TRUE); diff --git a/security/nss/lib/pkcs7/p7decode.c b/security/nss/lib/pkcs7/p7decode.c index ced36fb2d..a6d10b85a 100644 --- a/security/nss/lib/pkcs7/p7decode.c +++ b/security/nss/lib/pkcs7/p7decode.c @@ -280,11 +280,8 @@ sec_pkcs7_decoder_start_digests (SEC_PKCS7DecoderContext *p7dcx, int depth, /* * No algorithms means no work to do. - * This is not expected, so cause an assert. - * But if it does happen, just act as if there were - * no algorithms specified. + * Just act as if there were no algorithms specified. */ - PORT_Assert (digcnt != 0); if (digcnt == 0) return SECSuccess; diff --git a/security/nss/lib/softoken/pkcs11.c b/security/nss/lib/softoken/pkcs11.c index 992feda19..9c123bd0b 100644 --- a/security/nss/lib/softoken/pkcs11.c +++ b/security/nss/lib/softoken/pkcs11.c @@ -1956,9 +1956,13 @@ SECKEYLowPublicKey *pk11_GetPubKey(PK11Object *object,CK_KEY_TYPE key_type) pubKey->keyType = rsaKey; crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.modulus, object,CKA_MODULUS); + if (pubKey->u.rsa.modulus.len == 0) + crv = CKR_ARGUMENTS_BAD; if (crv != CKR_OK) break; crv = pk11_Attribute2SSecItem(arena,&pubKey->u.rsa.publicExponent, object,CKA_PUBLIC_EXPONENT); + if (pubKey->u.rsa.publicExponent.len == 0) + crv = CKR_ARGUMENTS_BAD; break; case CKK_DSA: pubKey->keyType = dsaKey; diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 84bb4e5ba..b8cb1cfa3 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c @@ -1162,7 +1162,7 @@ finish_des: (unsigned char*)att->attrib.pValue, (unsigned char*)pMechanism->pParameter, pMechanism->mechanism == CKM_AES_ECB ? NSS_AES : NSS_AES_CBC, - PR_TRUE, att->attrib.ulValueLen,16); + PR_FALSE, att->attrib.ulValueLen,16); pk11_FreeAttribute(att); if (context->cipherInfo == NULL) { crv = CKR_HOST_MEMORY; @@ -4486,8 +4486,17 @@ loser: /* * SSL Key generation given pre master secret */ -static char *mixers[] = { "A", "BB", "CCC", "DDDD", "EEEEE", "FFFFFF", "GGGGGGG"}; -#define NUM_MIXERS 7 +#define NUM_MIXERS 9 +static const char * const mixers[NUM_MIXERS] = { + "A", + "BB", + "CCC", + "DDDD", + "EEEEE", + "FFFFFF", + "GGGGGGG", + "HHHHHHHH", + "IIIIIIIII" }; #define SSL3_PMS_LENGTH 48 #define SSL3_MASTER_SECRET_LENGTH 48 @@ -4913,6 +4922,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE hSession, &key_block[i], IVSize); i += IVSize; } + PORT_Assert(i <= sizeof key_block); } else if (!isTLS) { diff --git a/security/nss/lib/softoken/rsawrapr.c b/security/nss/lib/softoken/rsawrapr.c index 5b1b8d894..bb6e454af 100644 --- a/security/nss/lib/softoken/rsawrapr.c +++ b/security/nss/lib/softoken/rsawrapr.c @@ -240,6 +240,10 @@ RSA_FormatOneBlock(unsigned modulusLen, RSA_BlockType blockType, */ padLen = modulusLen - data->len - 3; PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); + if (padLen < RSA_BLOCK_MIN_PAD_LEN) { + PORT_Free(block); + return NULL; + } for (i = 0; i < padLen; i++) { /* Pad with non-zero random data. */ do { @@ -776,6 +780,8 @@ RSA_EncryptBlock(SECKEYLowPublicKey *key, SECItem unformatted; formatted.data = NULL; + if (modulus_len == 0) + goto failure; if (max_output_len < modulus_len) goto failure; PORT_Assert(key->keyType == rsaKey); diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 792ef5372..8ed3e0e8d 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c @@ -93,11 +93,17 @@ static SECStatus Null_Cipher(void *ctx, unsigned char *output, int *outputLen, */ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { /* cipher_suite policy enabled is_present*/ - { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, + { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, + { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { SSL_RSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { SSL_RSA_WITH_RC4_128_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, @@ -168,6 +174,8 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, {cipher_fortezza, calg_fortezza, 10, 10, type_block, 24, 8, kg_null}, + {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, + {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, }; @@ -262,6 +270,22 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = { cipher_fortezza, mac_sha, kea_fortezza}, {SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_fortezza}, +/* New TLS cipher suites */ + {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, + {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_dss}, + {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dhe_rsa}, + {TLS_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_rsa}, + {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_dss}, + {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dhe_rsa}, +#if 0 + {TLS_DH_DSS_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_dss}, + {TLS_DH_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_rsa}, + {TLS_DH_ANON_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_dh_anon}, + {TLS_DH_DSS_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_dss}, + {TLS_DH_RSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_rsa}, + {TLS_DH_ANON_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_dh_anon}, +#endif + {TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, cipher_des, mac_sha,kea_rsa_export_1024}, {TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, @@ -285,6 +309,8 @@ const char * const ssl3_cipherName[] = { "DES-CBC-40", "IDEA-CBC", "FORTEZZA", + "AES-128", + "AES-256", "missing" }; @@ -1845,7 +1871,7 @@ ssl3_HandleChangeCipherSpecs(sslSocket *ss, sslBuffer *buf) SSL_TRC(3, ("%d: SSL3[%d]: handle change_cipher_spec record", SSL_GETPID(), ss->fd)); - if (ws != wait_change_cipher && ws != wait_cert_verify) { + if (ws != wait_change_cipher) { (void)SSL3_SendAlert(ss, alert_fatal, unexpected_message); PORT_SetError(SSL_ERROR_RX_UNEXPECTED_CHANGE_CIPHER); return SECFailure; @@ -2366,6 +2392,10 @@ ssl3_ComputeHandshakeHashes(sslSocket * ss, PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); isTLS = (PRBool)(spec->version > SSL_LIBRARY_VERSION_3_0); + if (!spec->master_secret) { + PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HANDSHAKE); + return SECFailure; + } md5 = PK11_CloneContext(ssl3->hs.md5); if (md5 == NULL) { @@ -7080,7 +7110,7 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) *buf = *origBuf; } while (buf->len > 0) { - while (ssl3->hs.header_bytes < 4) { + if (ssl3->hs.header_bytes < 4) { uint8 t; t = *(buf->buf++); buf->len--; @@ -7088,21 +7118,22 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) ssl3->hs.msg_type = (SSL3HandshakeType)t; else ssl3->hs.msg_len = (ssl3->hs.msg_len << 8) + t; + if (ssl3->hs.header_bytes < 4) + continue; #define MAX_HANDSHAKE_MSG_LEN 0x1ffff /* 128k - 1 */ - - if (ssl3->hs.header_bytes == 4) { - if (ssl3->hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { - (void)ssl3_DecodeError(ss); - PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); - return SECFailure; - } + if (ssl3->hs.msg_len > MAX_HANDSHAKE_MSG_LEN) { + (void)ssl3_DecodeError(ss); + PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); + return SECFailure; } #undef MAX_HANDSHAKE_MSG_LEN - if (buf->len == 0 && ssl3->hs.msg_len > 0) { - buf->buf = NULL; - return SECSuccess; - } + + /* If msg_len is zero, be sure we fall through, + ** even if bug->len is zero. + */ + if (ssl3->hs.msg_len > 0) + continue; } /* @@ -7131,23 +7162,22 @@ ssl3_HandleHandshake(sslSocket *ss, sslBuffer *origBuf) /* must be copied to msg_body and dealt with from there */ unsigned int bytes; - bytes = PR_MIN(buf->len, ssl3->hs.msg_len); + PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len); + bytes = PR_MIN(buf->len, ssl3->hs.msg_len - ssl3->hs.msg_body.len); /* Grow the buffer if needed */ - if (bytes > ssl3->hs.msg_body.space - ssl3->hs.msg_body.len) { - rv = sslBuffer_Grow(&ssl3->hs.msg_body, - ssl3->hs.msg_body.len + bytes); - if (rv != SECSuccess) { - /* sslBuffer_Grow has set a memory error code. */ - return SECFailure; - } + rv = sslBuffer_Grow(&ssl3->hs.msg_body, ssl3->hs.msg_len); + if (rv != SECSuccess) { + /* sslBuffer_Grow has set a memory error code. */ + return SECFailure; } + PORT_Memcpy(ssl3->hs.msg_body.buf + ssl3->hs.msg_body.len, - buf->buf, buf->len); + buf->buf, bytes); + ssl3->hs.msg_body.len += bytes; buf->buf += bytes; buf->len -= bytes; - /* should not be more than one message in msg_body */ PORT_Assert(ssl3->hs.msg_body.len <= ssl3->hs.msg_len); /* if we have a whole message, do it */ diff --git a/security/nss/lib/ssl/sslenum.c b/security/nss/lib/ssl/sslenum.c index fe32b8f14..c83038203 100644 --- a/security/nss/lib/ssl/sslenum.c +++ b/security/nss/lib/ssl/sslenum.c @@ -76,6 +76,14 @@ const PRUint16 SSL_ImplementedCiphers[] = { SSL_DHE_DSS_WITH_DES_CBC_SHA, TLS_DHE_DSS_WITH_RC4_128_SHA, + /* AES ciphersuites */ + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + 0 }; diff --git a/security/nss/lib/ssl/sslgathr.c b/security/nss/lib/ssl/sslgathr.c index 1d316db84..060e68b2e 100644 --- a/security/nss/lib/ssl/sslgathr.c +++ b/security/nss/lib/ssl/sslgathr.c @@ -197,6 +197,11 @@ ssl2_GatherData(sslSocket *ss, sslGather *gs, int flags) gs->recordPadding = gs->hdr[2]; } + if (!gs->count) { + PORT_SetError(SSL_ERROR_RX_RECORD_TOO_LONG); + goto cleanup; + } + if (gs->count > gs->buf.space) { err = sslBuffer_Grow(&gs->buf, gs->count); if (err) { diff --git a/security/nss/lib/ssl/sslimpl.h b/security/nss/lib/ssl/sslimpl.h index 98beb5097..0b043dddd 100644 --- a/security/nss/lib/ssl/sslimpl.h +++ b/security/nss/lib/ssl/sslimpl.h @@ -221,7 +221,7 @@ typedef struct { #endif } ssl3CipherSuiteCfg; -#define ssl_V3_SUITES_IMPLEMENTED 19 +#define ssl_V3_SUITES_IMPLEMENTED 25 typedef struct sslOptionsStr { unsigned int useSecurity : 1; /* 1 */ @@ -599,6 +599,8 @@ typedef enum { cipher_des40, cipher_idea, cipher_fortezza, + cipher_aes_128, + cipher_aes_256, cipher_missing /* reserved for no such supported cipher */ } SSL3BulkCipher; @@ -612,6 +614,7 @@ typedef enum { calg_3des = CKM_DES3_CBC, calg_idea = CKM_IDEA_CBC, calg_fortezza = CKM_SKIPJACK_CBC64, + calg_aes = CKM_AES_CBC, calg_init = (int) 0x7fffffffL } CipherAlgorithm; diff --git a/security/nss/lib/ssl/sslproto.h b/security/nss/lib/ssl/sslproto.h index 51b780ca2..13850020c 100644 --- a/security/nss/lib/ssl/sslproto.h +++ b/security/nss/lib/ssl/sslproto.h @@ -139,7 +139,21 @@ #define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d #define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e -/* New TLS cipher suites backported to SSL3. */ +/* New TLS cipher suites */ +#define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F +#define TLS_DH_DSS_WITH_AES_128_CBC_SHA 0x0030 +#define TLS_DH_RSA_WITH_AES_128_CBC_SHA 0x0031 +#define TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x0032 +#define TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x0033 +#define TLS_DH_ANON_WITH_AES_128_CBC_SHA 0x0034 + +#define TLS_RSA_WITH_AES_256_CBC_SHA 0x0035 +#define TLS_DH_DSS_WITH_AES_256_CBC_SHA 0x0036 +#define TLS_DH_RSA_WITH_AES_256_CBC_SHA 0x0037 +#define TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x0038 +#define TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x0039 +#define TLS_DH_ANON_WITH_AES_256_CBC_SHA 0x003A + #define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA 0x0062 #define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA 0x0064 diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 25ee5667b..d294a1421 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -80,6 +80,12 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */ { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED, SSL_ALLOWED }, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, + { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, + { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_ALLOWED, SSL_NOT_ALLOWED }, { 0, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED } diff --git a/security/nss/lib/util/dertime.c b/security/nss/lib/util/dertime.c index 5fbdca656..8bac47edb 100644 --- a/security/nss/lib/util/dertime.c +++ b/security/nss/lib/util/dertime.c @@ -119,6 +119,11 @@ DER_AsciiToTime(int64 *dst, char *string) { long year, month, mday, hour, minute, second, hourOff, minOff, days; int64 result, tmp1, tmp2; + + PORT_Assert(string != NULL); + if (string == NULL) { + goto loser; + } /* Verify time is formatted properly and capture information */ second = 0; @@ -209,6 +214,9 @@ DER_AsciiToTime(int64 *dst, char *string) SECStatus DER_UTCTimeToTime(int64 *dst, SECItem *time) { + if (!dst || !time) { + return SECFailure; + } return DER_AsciiToTime(dst, (char*) time->data); } diff --git a/security/nss/lib/util/secasn1d.c b/security/nss/lib/util/secasn1d.c index 58c52c1f6..483925df4 100644 --- a/security/nss/lib/util/secasn1d.c +++ b/security/nss/lib/util/secasn1d.c @@ -38,6 +38,13 @@ * $Id$ */ +/* #define DEBUG_ASN1D_STATES 1 */ + +#ifdef DEBUG_ASN1D_STATES +#include <stdio.h> +#define PR_Assert sec_asn1d_Assert +#endif + #include "secasn1.h" #include "secerr.h" @@ -72,7 +79,7 @@ typedef enum { } sec_asn1d_parse_place; #ifdef DEBUG_ASN1D_STATES -static const char *place_names[] = { +static const char * const place_names[] = { "beforeIdentifier", "duringIdentifier", "afterIdentifier", @@ -101,6 +108,114 @@ static const char *place_names[] = { "afterChoice", "notInUse" }; + +static const char * const class_names[] = { + "UNIVERSAL", + "APPLICATION", + "CONTEXT_SPECIFIC", + "PRIVATE" +}; + +static const char * const method_names[] = { "PRIMITIVE", "CONSTRUCTED" }; + +static const char * const type_names[] = { + "END_OF_CONTENTS", + "BOOLEAN", + "INTEGER", + "BIT_STRING", + "OCTET_STRING", + "NULL", + "OBJECT_ID", + "OBJECT_DESCRIPTOR", + "(type 08)", + "REAL", + "ENUMERATED", + "EMBEDDED", + "UTF8_STRING", + "(type 0d)", + "(type 0e)", + "(type 0f)", + "SEQUENCE", + "SET", + "NUMERIC_STRING", + "PRINTABLE_STRING", + "T61_STRING", + "VIDEOTEXT_STRING", + "IA5_STRING", + "UTC_TIME", + "GENERALIZED_TIME", + "GRAPHIC_STRING", + "VISIBLE_STRING", + "GENERAL_STRING", + "UNIVERSAL_STRING", + "(type 1d)", + "BMP_STRING", + "HIGH_TAG_VALUE" +}; + +static const char * const flag_names[] = { /* flags, right to left */ + "OPTIONAL", + "EXPLICIT", + "ANY", + "INLINE", + "POINTER", + "GROUP", + "DYNAMIC", + "SKIP", + "INNER", + "SAVE", + "", /* decoder ignores "MAY_STREAM", */ + "SKIP_REST", + "CHOICE", + "NO_STREAM", + "DEBUG_BREAK", + "unknown 08", + "unknown 10", + "unknown 20", + "unknown 40", + "unknown 80" +}; + +static int /* bool */ +formatKind(unsigned long kind, char * buf) +{ + int i; + unsigned long k = kind & SEC_ASN1_TAGNUM_MASK; + unsigned long notag = kind & (SEC_ASN1_CHOICE | SEC_ASN1_POINTER | + SEC_ASN1_INLINE | SEC_ASN1_ANY | SEC_ASN1_SAVE); + + buf[0] = 0; + if ((kind & SEC_ASN1_CLASS_MASK) != SEC_ASN1_UNIVERSAL) { + sprintf(buf, " %s", class_names[(kind & SEC_ASN1_CLASS_MASK) >> 6] ); + buf += strlen(buf); + } + if (kind & SEC_ASN1_METHOD_MASK) { + sprintf(buf, " %s", method_names[1]); + buf += strlen(buf); + } + if ((kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL) { + if (k || !notag) { + sprintf(buf, " %s", type_names[k] ); + if ((k == SEC_ASN1_SET || k == SEC_ASN1_SEQUENCE) && + (kind & SEC_ASN1_GROUP)) { + buf += strlen(buf); + sprintf(buf, "_OF"); + } + } + } else { + sprintf(buf, " [%d]", k); + } + buf += strlen(buf); + + for (k = kind >> 8, i = 0; k; k >>= 1, ++i) { + if (k & 1) { + sprintf(buf, " %s", flag_names[i]); + buf += strlen(buf); + } + } + return notag != 0; +} + #endif /* DEBUG_ASN1D_STATES */ typedef enum { @@ -274,12 +389,7 @@ sec_asn1d_push_state (SEC_ASN1DecoderContext *cx, new_state = (sec_asn1d_state*)sec_asn1d_zalloc (cx->our_pool, sizeof(*new_state)); if (new_state == NULL) { - cx->status = decodeError; - if (state != NULL) { - PORT_ArenaRelease(cx->our_pool, state->our_mark); - state->our_mark = NULL; - } - return NULL; + goto loser; } new_state->top = cx; @@ -291,13 +401,24 @@ sec_asn1d_push_state (SEC_ASN1DecoderContext *cx, if (state != NULL) { new_state->depth = state->depth; - if (new_depth) - new_state->depth++; + if (new_depth) { + if (++new_state->depth > SEC_ASN1D_MAX_DEPTH) { + goto loser; + } + } state->child = new_state; } cx->current = new_state; return new_state; + +loser: + cx->status = decodeError; + if (state != NULL) { + PORT_ArenaRelease(cx->our_pool, state->our_mark); + state->our_mark = NULL; + } + return NULL; } @@ -412,10 +533,10 @@ sec_asn1d_init_state_based_on_template (sec_asn1d_state *state) encode_kind &= ~SEC_ASN1_DYNAMIC; encode_kind &= ~SEC_ASN1_MAY_STREAM; - if( encode_kind & SEC_ASN1_CHOICE ) { + if (encode_kind & SEC_ASN1_CHOICE) { #if 0 /* XXX remove? */ sec_asn1d_state *child = sec_asn1d_push_state(state->top, state->theTemplate, state->dest, PR_FALSE); - if( (sec_asn1d_state *)NULL == child ) { + if ((sec_asn1d_state *)NULL == child) { return (sec_asn1d_state *)NULL; } @@ -536,7 +657,7 @@ sec_asn1d_init_state_based_on_template (sec_asn1d_state *state) /* XXX is this the right set of bits to test here? */ PORT_Assert ((under_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL - | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM + | SEC_ASN1_MAY_STREAM | SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0); if (encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) { @@ -551,7 +672,7 @@ sec_asn1d_init_state_based_on_template (sec_asn1d_state *state) expect_tag_number = 0; } else { check_tag_mask = SEC_ASN1_TAG_MASK; - expect_tag_modifiers = encode_kind & SEC_ASN1_TAG_MASK + expect_tag_modifiers = (unsigned char)encode_kind & SEC_ASN1_TAG_MASK & ~SEC_ASN1_TAGNUM_MASK; /* * XXX This assumes only single-octet identifiers. To handle @@ -600,6 +721,43 @@ sec_asn1d_init_state_based_on_template (sec_asn1d_state *state) return state; } +static sec_asn1d_state * +sec_asn1d_get_enclosing_construct(sec_asn1d_state *state) +{ + for (state = state->parent; state; state = state->parent) { + sec_asn1d_parse_place place = state->place; + if (place != afterImplicit && + place != afterPointer && + place != afterInline && + place != afterSaveEncoding && + place != duringSaveEncoding && + place != duringChoice) { + + /* we've walked up the stack to a state that represents + ** the enclosing construct. + */ + break; + } + } + return state; +} + +static PRBool +sec_asn1d_parent_allows_EOC(sec_asn1d_state *state) +{ + /* get state of enclosing construct. */ + state = sec_asn1d_get_enclosing_construct(state); + if (state) { + sec_asn1d_parse_place place = state->place; + /* Is it one of the types that permits an unexpected EOC? */ + int eoc_permitted = + (place == duringGroup || + place == duringConstructedString || + state->child->optional); + return (state->indefinite && eoc_permitted) ? PR_TRUE : PR_FALSE; + } + return PR_FALSE; +} static unsigned long sec_asn1d_parse_identifier (sec_asn1d_state *state, @@ -616,6 +774,13 @@ sec_asn1d_parse_identifier (sec_asn1d_state *state, } byte = (unsigned char) *buf; +#ifdef DEBUG_ASN1D_STATES + { + char kindBuf[256]; + formatKind(byte, kindBuf); + printf("Found tag %02x %s\n", byte, kindBuf); + } +#endif tag_number = byte & SEC_ASN1_TAGNUM_MASK; if (IS_HIGH_TAG_NUMBER (tag_number)) { @@ -628,15 +793,7 @@ sec_asn1d_parse_identifier (sec_asn1d_state *state, */ state->pending = 1; } else { - if (byte == 0 && state->parent != NULL && - (state->parent->indefinite || - ( - (state->parent->place == afterImplicit || - state->parent->place == afterPointer) - && state->parent->parent != NULL && state->parent->parent->indefinite - ) - ) - ) { + if (byte == 0 && sec_asn1d_parent_allows_EOC(state)) { /* * Our parent has indefinite-length encoding, and the * entire tag found is 0, so it seems that we have hit the @@ -769,6 +926,17 @@ sec_asn1d_parse_length (sec_asn1d_state *state, } } + /* If we're parsing an ANY, SKIP, or SAVE template, and + ** the object being saved is definite length encoded and constructed, + ** there's no point in decoding that construct's members. + ** So, just forget it's constructed and treat it as primitive. + ** (SAVE appears as an ANY at this point) + */ + if (!state->indefinite && + (state->underlying_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP))) { + state->found_tag_modifiers &= ~SEC_ASN1_CONSTRUCTED; + } + return 1; } @@ -821,6 +989,12 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state) PRArenaPool *poolp; unsigned long alloc_len; +#ifdef DEBUG_ASN1D_STATES + { + printf("Found Length %d %s\n", state->contents_length, + state->indefinite ? "indefinite" : ""); + } +#endif /* * XXX I cannot decide if this allocation should exclude the case @@ -863,6 +1037,20 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state) */ state->pending = state->contents_length; + /* If this item has definite length encoding, and + ** is enclosed by a definite length constructed type, + ** make sure it isn't longer than the remaining space in that + ** constructed type. + */ + if (state->contents_length > 0) { + sec_asn1d_state *parent = sec_asn1d_get_enclosing_construct(state); + if (parent && !parent->indefinite && + state->consumed + state->contents_length > parent->pending) { + state->top->status = decodeError; + return; + } + } + /* * An EXPLICIT is nothing but an outer header, which we have * already parsed and accepted. Now we need to do the inner @@ -893,7 +1081,10 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state) * below under cases SET_OF and SEQUENCE_OF; it will be cleaner. */ PORT_Assert (state->underlying_kind == SEC_ASN1_SET_OF - || state->underlying_kind == SEC_ASN1_SEQUENCE_OF); + || state->underlying_kind == SEC_ASN1_SEQUENCE_OF + || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC) + || state->underlying_kind == (SEC_ASN1_SEQUENCE_OF|SEC_ASN1_DYNAMIC) + ); if (state->contents_length != 0 || state->indefinite) { const SEC_ASN1Template *subt; @@ -913,10 +1104,9 @@ sec_asn1d_prepare_for_contents (sec_asn1d_state *state) } else { /* * A group of zero; we are done. - * XXX Should we store a NULL here? Or set state to - * afterGroup and let that code do it? + * Set state to afterGroup and let that code plant the NULL. */ - state->place = afterEndOfContents; + state->place = afterGroup; } return; } @@ -1213,8 +1403,12 @@ sec_asn1d_free_child (sec_asn1d_state *state, PRBool error) if (error && state->top->their_pool == NULL) { /* * XXX We need to free anything allocated. + * At this point, we failed in the middle of decoding. But we + * can't free the data we previously allocated with PR_Malloc + * unless we keep track of every pointer. So instead we have a + * memory leak when decoding fails half-way, unless an arena is + * used. See bug 95311 . */ - PORT_Assert (0); } state->child = NULL; state->our_mark = NULL; @@ -1231,7 +1425,17 @@ sec_asn1d_free_child (sec_asn1d_state *state, PRBool error) state->place = beforeEndOfContents; } - +/* We have just saved an entire encoded ASN.1 object (type) for a SAVE +** template, and now in the next template, we are going to decode that +** saved data by calling SEC_ASN1DecoderUpdate recursively. +** If that recursive call fails with needBytes, it is a fatal error, +** because the encoded object should have been complete. +** If that recursive call fails with decodeError, it will have already +** cleaned up the state stack, so we must bail out quickly. +** +** These checks of the status returned by the recursive call are now +** done in the caller of this function, immediately after it returns. +*/ static void sec_asn1d_reuse_encoding (sec_asn1d_state *state) { @@ -1297,6 +1501,9 @@ sec_asn1d_reuse_encoding (sec_asn1d_state *state) if (SEC_ASN1DecoderUpdate (state->top, (char *) item->data, item->len) != SECSuccess) return; + if (state->top->status == needBytes) { + return; + } PORT_Assert (state->top->current == state); PORT_Assert (state->child == child); @@ -1349,9 +1556,19 @@ sec_asn1d_parse_bit_string (sec_asn1d_state *state, { unsigned char byte; - PORT_Assert (state->pending > 0); + /*PORT_Assert (state->pending > 0); */ PORT_Assert (state->place == beforeBitString); + if (state->pending == 0) { + if (state->dest != NULL) { + SECItem *item = (SECItem *)(state->dest); + item->data = NULL; + item->len = 0; + state->place = beforeEndOfContents; + return 0; + } + } + if (len == 0) { state->top->status = needBytes; return 0; @@ -1376,8 +1593,18 @@ static unsigned long sec_asn1d_parse_more_bit_string (sec_asn1d_state *state, const char *buf, unsigned long len) { - PORT_Assert (state->pending > 0); PORT_Assert (state->place == duringBitString); + if (state->pending == 0) { + /* An empty bit string with some unused bits is invalid. */ + if (state->bit_string_unused_bits) { + PORT_SetError (SEC_ERROR_BAD_DER); + state->top->status = decodeError; + } else { + /* An empty bit string with no unused bits is OK. */ + state->place = beforeEndOfContents; + } + return 0; + } len = sec_asn1d_parse_leaf (state, buf, len); if (state->place == beforeEndOfContents && state->dest != NULL) { @@ -1487,7 +1714,7 @@ sec_asn1d_next_substring (sec_asn1d_state *state) if (state->pending) { PORT_Assert (!state->indefinite); - if( child_consumed > state->pending ) { + if (child_consumed > state->pending) { PORT_SetError (SEC_ERROR_BAD_DER); state->top->status = decodeError; return; @@ -1606,7 +1833,7 @@ sec_asn1d_next_in_group (sec_asn1d_state *state) */ if (state->pending) { PORT_Assert (!state->indefinite); - if( child_consumed > state->pending ) { + if (child_consumed > state->pending) { PORT_SetError (SEC_ERROR_BAD_DER); state->top->status = decodeError; return; @@ -1676,7 +1903,7 @@ sec_asn1d_next_in_sequence (sec_asn1d_state *state) sec_asn1d_free_child (child, PR_FALSE); if (state->pending) { PORT_Assert (!state->indefinite); - if( child_consumed > state->pending ) { + if (child_consumed > state->pending) { PORT_SetError (SEC_ERROR_BAD_DER); state->top->status = decodeError; return; @@ -1725,7 +1952,7 @@ sec_asn1d_next_in_sequence (sec_asn1d_state *state) */ if (state->indefinite && child->endofcontents) { PORT_Assert (child_consumed == 2); - if( child_consumed != 2 ) { + if (child_consumed != 2) { PORT_SetError (SEC_ERROR_BAD_DER); state->top->status = decodeError; } else { @@ -1788,7 +2015,7 @@ sec_asn1d_next_in_sequence (sec_asn1d_state *state) * sake it should probably be made to work at some point. */ PORT_Assert (child_found_tag_number < SEC_ASN1_HIGH_TAG_NUMBER); - identifier = child_found_tag_modifiers | child_found_tag_number; + identifier = (unsigned char)(child_found_tag_modifiers | child_found_tag_number); sec_asn1d_record_any_header (child, (char *) &identifier, 1); } } @@ -1888,7 +2115,8 @@ sec_asn1d_concat_group (sec_asn1d_state *state) PORT_Assert (state->place == afterGroup); placep = (const void***)state->dest; - if (state->subitems_head != NULL) { + PORT_Assert(state->subitems_head == NULL || placep != NULL); + if (placep != NULL) { struct subitem *item; const void **group; int count; @@ -1908,7 +2136,6 @@ sec_asn1d_concat_group (sec_asn1d_state *state) return; } - PORT_Assert (placep != NULL); *placep = group; item = state->subitems_head; @@ -1924,8 +2151,6 @@ sec_asn1d_concat_group (sec_asn1d_state *state) * a memory leak (it is just temporarily left dangling). */ state->subitems_head = state->subitems_tail = NULL; - } else if (placep != NULL) { - *placep = NULL; } state->place = afterEndOfContents; @@ -2035,7 +2260,7 @@ static unsigned long sec_asn1d_parse_end_of_contents (sec_asn1d_state *state, const char *buf, unsigned long len) { - int i; + unsigned int i; PORT_Assert (state->pending <= 2); PORT_Assert (state->place == duringEndOfContents); @@ -2081,7 +2306,7 @@ sec_asn1d_pop_state (sec_asn1d_state *state) state->consumed += state->child->consumed; if (state->pending) { PORT_Assert (!state->indefinite); - if( state->child->consumed > state->pending ) { + if (state->child->consumed > state->pending) { PORT_SetError (SEC_ERROR_BAD_DER); state->top->status = decodeError; } else { @@ -2105,134 +2330,146 @@ sec_asn1d_pop_state (sec_asn1d_state *state) } static sec_asn1d_state * -sec_asn1d_before_choice -( - sec_asn1d_state *state -) +sec_asn1d_before_choice (sec_asn1d_state *state) { - sec_asn1d_state *child; + sec_asn1d_state *child; - if( state->allocate ) { - void *dest; + if (state->allocate) { + void *dest; - dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size); - if( (void *)NULL == dest ) { - state->top->status = decodeError; - return (sec_asn1d_state *)NULL; - } + dest = sec_asn1d_zalloc(state->top->their_pool, state->theTemplate->size); + if ((void *)NULL == dest) { + state->top->status = decodeError; + return (sec_asn1d_state *)NULL; + } - state->dest = (char *)dest + state->theTemplate->offset; - } + state->dest = (char *)dest + state->theTemplate->offset; + } - child = sec_asn1d_push_state(state->top, state->theTemplate + 1, - state->dest, PR_FALSE); - if( (sec_asn1d_state *)NULL == child ) { - return (sec_asn1d_state *)NULL; - } + child = sec_asn1d_push_state(state->top, state->theTemplate + 1, + (char *)state->dest - state->theTemplate->offset, + PR_FALSE); + if ((sec_asn1d_state *)NULL == child) { + return (sec_asn1d_state *)NULL; + } - sec_asn1d_scrub_state(child); - child = sec_asn1d_init_state_based_on_template(child); - if( (sec_asn1d_state *)NULL == child ) { - return (sec_asn1d_state *)NULL; - } + sec_asn1d_scrub_state(child); + child = sec_asn1d_init_state_based_on_template(child); + if ((sec_asn1d_state *)NULL == child) { + return (sec_asn1d_state *)NULL; + } - child->optional = PR_TRUE; + child->optional = PR_TRUE; - state->place = duringChoice; + state->place = duringChoice; - return child; + return child; } static sec_asn1d_state * -sec_asn1d_during_choice -( - sec_asn1d_state *state -) +sec_asn1d_during_choice (sec_asn1d_state *state) { - sec_asn1d_state *child = state->child; - - PORT_Assert((sec_asn1d_state *)NULL != child); - - if( child->missing ) { - unsigned char child_found_tag_modifiers = 0; - unsigned long child_found_tag_number = 0; + sec_asn1d_state *child = state->child; + + PORT_Assert((sec_asn1d_state *)NULL != child); - child->theTemplate++; + if (child->missing) { + unsigned char child_found_tag_modifiers = 0; + unsigned long child_found_tag_number = 0; + void * dest; + + state->consumed += child->consumed; + + if (child->endofcontents) { + /* This choice is probably the first item in a GROUP + ** (e.g. SET_OF) that was indefinite-length encoded. + ** We're actually at the end of that GROUP. + ** We look up the stack to be sure that we find + ** a state with indefinite length encoding before we + ** find a state (like a SEQUENCE) that is definite. + */ + child->place = notInUse; + state->place = afterChoice; + state->endofcontents = PR_TRUE; /* propagate this up */ + if (sec_asn1d_parent_allows_EOC(state)) + return state; + PORT_SetError(SEC_ERROR_BAD_DER); + state->top->status = decodeError; + return NULL; + } - if( 0 == child->theTemplate->kind ) { - /* Ran out of choices */ - PORT_SetError(SEC_ERROR_BAD_DER); - state->top->status = decodeError; - return (sec_asn1d_state *)NULL; - } + dest = (char *)child->dest - child->theTemplate->offset; + child->theTemplate++; - state->consumed += child->consumed; + if (0 == child->theTemplate->kind) { + /* Ran out of choices */ + PORT_SetError(SEC_ERROR_BAD_DER); + state->top->status = decodeError; + return (sec_asn1d_state *)NULL; + } + child->dest = (char *)dest + child->theTemplate->offset; - /* cargo'd from next_in_sequence innards */ - if( state->pending ) { - PORT_Assert(!state->indefinite); - if( child->consumed > state->pending ) { - PORT_SetError (SEC_ERROR_BAD_DER); - state->top->status = decodeError; - return NULL; - } - state->pending -= child->consumed; - if( 0 == state->pending ) { - /* XXX uh.. not sure if I should have stopped this - * from happening before. */ - PORT_Assert(0); - PORT_SetError(SEC_ERROR_BAD_DER); - state->top->status = decodeError; - return (sec_asn1d_state *)NULL; - } - } + /* cargo'd from next_in_sequence innards */ + if (state->pending) { + PORT_Assert(!state->indefinite); + if (child->consumed > state->pending) { + PORT_SetError (SEC_ERROR_BAD_DER); + state->top->status = decodeError; + return NULL; + } + state->pending -= child->consumed; + if (0 == state->pending) { + /* XXX uh.. not sure if I should have stopped this + * from happening before. */ + PORT_Assert(0); + PORT_SetError(SEC_ERROR_BAD_DER); + state->top->status = decodeError; + return (sec_asn1d_state *)NULL; + } + } - child->consumed = 0; - sec_asn1d_scrub_state(child); + child->consumed = 0; + sec_asn1d_scrub_state(child); - /* move it on top again */ - state->top->current = child; + /* move it on top again */ + state->top->current = child; - child_found_tag_modifiers = child->found_tag_modifiers; - child_found_tag_number = child->found_tag_number; + child_found_tag_modifiers = child->found_tag_modifiers; + child_found_tag_number = child->found_tag_number; - child = sec_asn1d_init_state_based_on_template(child); - if( (sec_asn1d_state *)NULL == child ) { - return (sec_asn1d_state *)NULL; - } + child = sec_asn1d_init_state_based_on_template(child); + if ((sec_asn1d_state *)NULL == child) { + return (sec_asn1d_state *)NULL; + } - /* copy our findings to the new top */ - child->found_tag_modifiers = child_found_tag_modifiers; - child->found_tag_number = child_found_tag_number; + /* copy our findings to the new top */ + child->found_tag_modifiers = child_found_tag_modifiers; + child->found_tag_number = child_found_tag_number; - child->optional = PR_TRUE; - child->place = afterIdentifier; + child->optional = PR_TRUE; + child->place = afterIdentifier; - return child; - } else { - if( (void *)NULL != state->dest ) { - /* Store the enum */ - int *which = (int *)((char *)state->dest + state->theTemplate->offset); - *which = (int)child->theTemplate->size; + return child; + } + if ((void *)NULL != state->dest) { + /* Store the enum */ + int *which = (int *)state->dest; + *which = (int)child->theTemplate->size; } child->place = notInUse; state->place = afterChoice; return state; - } } static void -sec_asn1d_after_choice -( - sec_asn1d_state *state -) +sec_asn1d_after_choice (sec_asn1d_state *state) { - state->consumed += state->child->consumed; - state->child->consumed = 0; - state->place = afterEndOfContents; - sec_asn1d_pop_state(state); + state->consumed += state->child->consumed; + state->child->consumed = 0; + state->place = afterEndOfContents; + sec_asn1d_pop_state(state); } unsigned long @@ -2257,7 +2494,7 @@ SECStatus SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value) { unsigned long v; - int i; + unsigned int i; if (src == NULL) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -2290,29 +2527,42 @@ SEC_ASN1DecodeInteger(SECItem *src, unsigned long *value) #ifdef DEBUG_ASN1D_STATES static void -dump_states -( - SEC_ASN1DecoderContext *cx -) +dump_states(SEC_ASN1DecoderContext *cx) { - sec_asn1d_state *state; - - for( state = cx->current; state->parent; state = state->parent ) { - ; - } - - for( ; state; state = state->child ) { - int i; - for( i = 0; i < state->depth; i++ ) { - printf(" "); - } - - printf("%s: template[0]->kind = 0x%02x, expect tag number = 0x%02x\n", - (state == cx->current) ? "STATE" : "State", - state->theTemplate->kind, state->expect_tag_number); - } - - return; + sec_asn1d_state *state; + char kindBuf[256]; + + for (state = cx->current; state->parent; state = state->parent) { + ; + } + + for (; state; state = state->child) { + int i; + for (i = 0; i < state->depth; i++) { + printf(" "); + } + + i = formatKind(state->theTemplate->kind, kindBuf); + printf("%s: tmpl %08x, kind%s", + (state == cx->current) ? "STATE" : "State", + state->theTemplate, + kindBuf); + printf(" %s", (state->place >= 0 && state->place <= notInUse) + ? place_names[ state->place ] + : "(undefined)"); + if (!i) + printf(", expect 0x%02x", + state->expect_tag_number | state->expect_tag_modifiers); + + printf("%s%s%s %d\n", + state->indefinite ? ", indef" : "", + state->missing ? ", miss" : "", + state->endofcontents ? ", EOC" : "", + state->pending + ); + } + + return; } #endif /* DEBUG_ASN1D_STATES */ @@ -2323,7 +2573,7 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, sec_asn1d_state *state = NULL; unsigned long consumed; SEC_ASN1EncodingPart what; - + sec_asn1d_state *stateEnd = cx->current; if (cx->status == needBytes) cx->status = keepGoing; @@ -2333,10 +2583,11 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, what = SEC_ASN1_Contents; consumed = 0; #ifdef DEBUG_ASN1D_STATES - printf("\nPLACE = %s, next byte = 0x%02x\n", + printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n", (state->place >= 0 && state->place <= notInUse) ? place_names[ state->place ] : "(undefined)", - (unsigned int)((unsigned char *)buf)[ consumed ]); + (unsigned int)((unsigned char *)buf)[ consumed ], + buf, consumed); dump_states(cx); #endif /* DEBUG_ASN1D_STATES */ switch (state->place) { @@ -2379,6 +2630,16 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, break; case duringSaveEncoding: sec_asn1d_reuse_encoding (state); + if (cx->status == decodeError) { + /* recursive call has already popped all states from stack. + ** Bail out quickly. + */ + return SECFailure; + } + if (cx->status == needBytes) { + /* recursive call wanted more data. Fatal. Clean up below. */ + cx->status = decodeError; + } break; case duringSequence: sec_asn1d_next_in_sequence (state); @@ -2396,7 +2657,10 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, sec_asn1d_concat_group (state); break; case afterSaveEncoding: - /* XXX comment! */ + /* SEC_ASN1DecoderUpdate has called itself recursively to + ** decode SAVEd encoded data, and now is done decoding that. + ** Return to the calling copy of SEC_ASN1DecoderUpdate. + */ return SECSuccess; case beforeEndOfContents: sec_asn1d_prepare_for_end_of_contents (state); @@ -2431,7 +2695,7 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, /* We should not consume more than we have. */ PORT_Assert (consumed <= len); - if( consumed > len ) { + if (consumed > len) { PORT_SetError (SEC_ERROR_BAD_DER); cx->status = decodeError; break; @@ -2501,7 +2765,7 @@ SEC_ASN1DecoderUpdate (SEC_ASN1DecoderContext *cx, } if (cx->status == decodeError) { - while (state != NULL) { + while (state != NULL && stateEnd->parent!=state) { sec_asn1d_free_child (state, PR_TRUE); state = state->parent; } @@ -2678,6 +2942,13 @@ SEC_ASN1DecodeItem (PRArenaPool *poolp, void *dest, (char *) item->data, item->len); } +#ifdef DEBUG_ASN1D_STATES +void sec_asn1d_Assert(const char *s, const char *file, PRIntn ln) +{ + printf("Assertion failed, \"%s\", file %s, line %d\n", s, file, ln); + fflush(stdout); +} +#endif /* * Generic templates for individual/simple items and pointers to diff --git a/security/nss/lib/util/secasn1t.h b/security/nss/lib/util/secasn1t.h index cb56a0bd7..d74820a8e 100644 --- a/security/nss/lib/util/secasn1t.h +++ b/security/nss/lib/util/secasn1t.h @@ -191,6 +191,8 @@ typedef struct sec_ASN1Template_struct { #define SEC_ASN1_SET_OF (SEC_ASN1_GROUP | SEC_ASN1_SET) #define SEC_ASN1_ANY_CONTENTS (SEC_ASN1_ANY | SEC_ASN1_INNER) +/* Maximum depth of nested SEQUENCEs and SETs */ +#define SEC_ASN1D_MAX_DEPTH 32 /* ** Function used for SEC_ASN1_DYNAMIC. diff --git a/security/nss/lib/util/secitem.c b/security/nss/lib/util/secitem.c index f185d60b9..a60755881 100644 --- a/security/nss/lib/util/secitem.c +++ b/security/nss/lib/util/secitem.c @@ -141,6 +141,11 @@ SECITEM_CompareItem(const SECItem *a, const SECItem *b) unsigned m; SECComparison rv; + if (!a || !a->len || !a->data) + return (!b || !b->len || !b->data) ? SECEqual : SECLessThan; + if (!b || !b->len || !b->data) + return SECGreaterThan; + m = ( ( a->len < b->len ) ? a->len : b->len ); rv = (SECComparison) PORT_Memcmp(a->data, b->data, m); @@ -159,10 +164,15 @@ SECITEM_CompareItem(const SECItem *a, const SECItem *b) PRBool SECITEM_ItemsAreEqual(const SECItem *a, const SECItem *b) { - if (SECITEM_CompareItem(a, b) == SECEqual) - return PR_TRUE; - - return PR_FALSE; + if (a->len != b->len) + return PR_FALSE; + if (!a->len) + return PR_TRUE; + if (!a->data || !b->data) { + /* avoid null pointer crash. */ + return (PRBool)(a->data == b->data); + } + return (PRBool)!PORT_Memcmp(a->data, b->data, a->len); } SECItem * diff --git a/security/nss/lib/util/secoid.c b/security/nss/lib/util/secoid.c index f58158190..cef09291a 100644 --- a/security/nss/lib/util/secoid.c +++ b/security/nss/lib/util/secoid.c @@ -39,7 +39,8 @@ #include "secerr.h" /* MISSI Mosaic Object ID space */ -#define MISSI 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01 +#define USGOV 0x60, 0x86, 0x48, 0x01, 0x65 +#define MISSI USGOV, 0x02, 0x01, 0x01 #define MISSI_OLD_KEA_DSS MISSI, 0x0c #define MISSI_OLD_DSS MISSI, 0x02 #define MISSI_KEA_DSS MISSI, 0x14 @@ -47,6 +48,9 @@ #define MISSI_KEA MISSI, 0x0a #define MISSI_ALT_KEA MISSI, 0x16 +#define NISTALGS USGOV, 3, 4 +#define AES NISTALGS, 1 + /** ** The Netscape OID space is allocated by Terry Hayes. If you need ** a piece of the space, contact him at thayes@netscape.com. @@ -307,8 +311,8 @@ static unsigned char pkcs12RSASignatureWithSHA1Digest[] = static unsigned char ansix9DSASignature[] = { ANSI_X9_ALGORITHM, 0x01 }; static unsigned char ansix9DSASignaturewithSHA1Digest[] = { ANSI_X9_ALGORITHM, 0x03 }; -static unsigned char bogusDSASignaturewithSHA1Digest[] = - { ALGORITHM, 0x1b }; +static unsigned char bogusDSASignaturewithSHA1Digest[] = { ALGORITHM, 0x1b }; +static unsigned char sdn702DSASignature[] = { ALGORITHM, 0x0c }; /* verisign OIDs */ static unsigned char verisignUserNotices[] = { VERISIGN, 1, 7, 1, 1 }; @@ -395,6 +399,21 @@ static unsigned char cmsRC2wrap[] = { PKCS9_SMIME_ALGS, 7 }; /* RFC2633 SMIME message attributes */ static unsigned char smimeEncryptionKeyPreference[] = { PKCS9_SMIME_ATTRS, 11 }; +static unsigned char aes128_ECB[] = { AES, 1 }; +static unsigned char aes128_CBC[] = { AES, 2 }; +static unsigned char aes128_OFB[] = { AES, 3 }; +static unsigned char aes128_CFB[] = { AES, 4 }; + +static unsigned char aes192_ECB[] = { AES, 21 }; +static unsigned char aes192_CBC[] = { AES, 22 }; +static unsigned char aes192_OFB[] = { AES, 23 }; +static unsigned char aes192_CFB[] = { AES, 24 }; + +static unsigned char aes256_ECB[] = { AES, 41 }; +static unsigned char aes256_CBC[] = { AES, 42 }; +static unsigned char aes256_OFB[] = { AES, 43 }; +static unsigned char aes256_CFB[] = { AES, 44 }; + /* * NOTE: the order of these entries must mach the SECOidTag enum in secoidt.h! */ @@ -1215,6 +1234,30 @@ static SECOidData oids[] = { "S/MIME Encryption Key Preference", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION }, + /* AES algorithm OIDs */ + { { siDEROID, aes128_ECB, sizeof(aes128_ECB) }, + SEC_OID_AES_128_ECB, + "AES-128-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION }, + { { siDEROID, aes128_CBC, sizeof(aes128_CBC) }, + SEC_OID_AES_128_CBC, + "AES-128-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION }, + { { siDEROID, aes192_ECB, sizeof(aes192_ECB) }, + SEC_OID_AES_192_ECB, + "AES-192-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION }, + { { siDEROID, aes192_CBC, sizeof(aes192_CBC) }, + SEC_OID_AES_192_CBC, + "AES-192-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION }, + { { siDEROID, aes256_ECB, sizeof(aes256_ECB) }, + SEC_OID_AES_256_ECB, + "AES-256-ECB", CKM_AES_ECB, INVALID_CERT_EXTENSION }, + { { siDEROID, aes256_CBC, sizeof(aes256_CBC) }, + SEC_OID_AES_256_CBC, + "AES-256-CBC", CKM_AES_CBC, INVALID_CERT_EXTENSION }, + + /* More bogus DSA OIDs */ + { { siDEROID, sdn702DSASignature, sizeof(sdn702DSASignature) }, + SEC_OID_SDN702_DSA_SIGNATURE, + "SDN.702 DSA Signature", CKM_DSA_SHA1, INVALID_CERT_EXTENSION }, }; /* diff --git a/security/nss/lib/util/secoidt.h b/security/nss/lib/util/secoidt.h index 0594610ec..f854bad3d 100644 --- a/security/nss/lib/util/secoidt.h +++ b/security/nss/lib/util/secoidt.h @@ -284,6 +284,16 @@ typedef enum { /* SMIME attributes */ SEC_OID_SMIME_ENCRYPTION_KEY_PREFERENCE = 182, + /* AES OIDs */ + SEC_OID_AES_128_ECB = 183, + SEC_OID_AES_128_CBC = 184, + SEC_OID_AES_192_ECB = 185, + SEC_OID_AES_192_CBC = 186, + SEC_OID_AES_256_ECB = 187, + SEC_OID_AES_256_CBC = 188, + + SEC_OID_SDN702_DSA_SIGNATURE = 189, + SEC_OID_TOTAL } SECOidTag; @@ -301,9 +311,10 @@ struct SECOidDataStr { SECOidTag offset; char *desc; unsigned long mechanism; - SECSupportExtenTag supportedExtension; /* only used for x.509 v3 extensions, so - that we can print the names of those - extensions that we don't even support */ + SECSupportExtenTag supportedExtension; + /* only used for x.509 v3 extensions, so + that we can print the names of those + extensions that we don't even support */ }; #endif /* _SECOIDT_H_ */ diff --git a/security/nss/manifest.mn b/security/nss/manifest.mn index d04abdeca..cdd8e2435 100644 --- a/security/nss/manifest.mn +++ b/security/nss/manifest.mn @@ -33,7 +33,7 @@ CORE_DEPTH = .. DEPTH = .. -IMPORTS = nspr20/v4.1.4 \ +IMPORTS = nspr20/v4.1.6 \ dbm/DBM_1_55_RTM \ $(NULL) diff --git a/security/nss/pkg/Makefile b/security/nss/pkg/Makefile new file mode 100644 index 000000000..20eab6bbf --- /dev/null +++ b/security/nss/pkg/Makefile @@ -0,0 +1,55 @@ +#! gmake +# +# The contents of this file are subject to the Mozilla Public +# License Version 1.1 (the "License"); you may not use this file +# except in compliance with the License. You may obtain a copy of +# the License at http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS +# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or +# implied. See the License for the specific language governing +# rights and limitations under the License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is Netscape +# Communications Corporation. Portions created by Netscape are +# Copyright (C) 1994-2000 Netscape Communications Corporation. All +# Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the +# terms of the GNU General Public License Version 2 or later (the +# "GPL"), in which case the provisions of the GPL are applicable +# instead of those above. If you wish to allow use of your +# version of this file only under the terms of the GPL and not to +# allow others to use your version of this file under the MPL, +# indicate your decision by deleting the provisions above and +# replace them with the notice and other provisions required by +# the GPL. If you do not delete the provisions above, a recipient +# may use your version of this file under either the MPL or the +# GPL. +# + +CORE_DEPTH = ../.. +DEPTH = ../.. + +include $(CORE_DEPTH)/coreconf/config.mk + +publish: +ifeq ($(OS_TARGET),Linux) + rm -rf $(OBJDIR) + cp -r linux $(OBJDIR) + $(MAKE) -C $(OBJDIR) publish +endif +ifeq ($(OS_TARGET),SunOS) + rm -rf $(OBJDIR) + cp -r solaris $(OBJDIR) + $(MAKE) -C $(OBJDIR) publish +endif + +clean:: + rm -rf $(OBJDIR) + +include $(CORE_DEPTH)/coreconf/rules.mk diff --git a/security/nss/pkg/linux/Makefile b/security/nss/pkg/linux/Makefile new file mode 100644 index 000000000..842444ae1 --- /dev/null +++ b/security/nss/pkg/linux/Makefile @@ -0,0 +1,57 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +CORE_DEPTH = ../../.. + +NAME = sun-nss +RELEASE = 1 +VERSION = `grep NSS_VERSION $(CORE_DEPTH)/../dist/public/security/nss.h \ + | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//'` +PWD = `pwd` +BUILDROOT = $(PWD)\/$(NAME)-root + +include $(CORE_DEPTH)/coreconf/config.mk + +publish: + $(MAKE) clean + mkdir -p SOURCES SRPMS RPMS BUILD + mkdir -p usr/lib/mps + find $(CORE_DEPTH)/../dist/$(OBJDIR)/lib -type l \ + \( -name "*.so" -o -name "*.chk" \) \ + -exec cp {} usr/lib/mps \; + (cd $(CORE_DEPTH)/../dist/public && tar cphf - .) \ + | (mkdir -p usr/include/mps && cd usr/include/mps && tar xvfBp -) + tar czvf $(NAME)-$(VERSION).tar.gz usr + echo "%define _topdir `pwd`" >temp.spec + sed -e "s/NAME_REPLACE/$(NAME)/" \ + -e "s/VERSION_REPLACE/$(VERSION)/" \ + -e "s/RELEASE_REPLACE/$(RELEASE)/" \ + <$(NAME).spec >>temp.spec + echo "" >>temp.spec + echo "%files" >>temp.spec + echo "%defattr(-,root,root)" >>temp.spec + echo "%dir /usr" >>temp.spec + echo "%dir /usr/lib" >>temp.spec + echo "%dir /usr/lib/mps" >>temp.spec + find usr \( -name "*.so" -o -name "*.chk" \) \ + | sed -e "s-^-/-" >>temp.spec + echo "" >>temp.spec + echo "%files devel" >>temp.spec + echo "%defattr(-,root,root)" >>temp.spec + find usr -type d | sed -e "s-^-%dir /-" >>temp.spec + find usr -type f ! \( -name "*.so" -o -name "*.chk" \) \ + | sed -e "s-^-/-" >>temp.spec + cp $(NAME)-$(VERSION).tar.gz SOURCES + rpm -ba temp.spec + +clean:: + rm -rf SOURCES SRPMS RPMS BUILD + rm -rf usr + rm -f temp.spec + rm -f $(NAME)-$(VERSION).tar.gz + +include $(CORE_DEPTH)/coreconf/rules.mk diff --git a/security/nss/pkg/linux/sun-nss.spec b/security/nss/pkg/linux/sun-nss.spec new file mode 100644 index 000000000..94457b87a --- /dev/null +++ b/security/nss/pkg/linux/sun-nss.spec @@ -0,0 +1,42 @@ +Summary: Network Security Services +Name: NAME_REPLACE +Vendor: Sun Microsystems +Version: VERSION_REPLACE +Release: RELEASE_REPLACE +Copyright: MPL/GPL +Group: System Environment/Base +Source: %{name}-%{version}.tar.gz +ExclusiveOS: Linux +BuildRoot: %_topdir/%{name}-root + +Requires: sun-nspr >= 4.1.2 + +%description +Network Security Services (NSS) is a set of libraries designed +to support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, +X.509 v3 certificates, and other security standards. See: +http://www.mozilla.org/projects/security/pki/nss/overview.html + +%package devel +Summary: Development Libraries for Network Security Services +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +Header files for doing development with Network Security Services. + +%prep +%setup -c + +%build + +%install +rm -rf $RPM_BUILD_ROOT +mkdir $RPM_BUILD_ROOT +cd $RPM_BUILD_ROOT +tar xvzf $RPM_SOURCE_DIR/%{name}-%{version}.tar.gz + +%clean +rm -rf $RPM_BUILD_ROOT diff --git a/security/nss/pkg/solaris/Makefile b/security/nss/pkg/solaris/Makefile index 2d2ff6ff4..2ba36e4fb 100644 --- a/security/nss/pkg/solaris/Makefile +++ b/security/nss/pkg/solaris/Makefile @@ -12,23 +12,35 @@ CORE_DEPTH = ../../.. cp $< $@ chmod +x $@ +HEADER_DIR_BEFORE_3_6 = public/security +HEADER_DIR_SINCE_3_6 = public/nss ifeq ($(USE_64), 1) DIRS = \ - SUNWtlsx + SUNWtlsx \ + SUNWtlsux \ + SUNWtlsdx else DIRS = \ - SUNWtls + SUNWtls \ + SUNWtlsu \ + SUNWtlsd endif PROTO = \ $(ROOT) \ $(ROOT)/usr \ $(ROOT)/usr/lib \ - $(ROOT)/usr/lib/mps + $(ROOT)/usr/lib/mps \ + $(ROOT)/usr/include \ + $(ROOT)/usr/include/mps \ + $(ROOT)/usr/sfw \ + $(ROOT)/usr/sfw/bin ifdef USE_64 -PROTO += $(ROOT)/usr/lib/mps/sparcv9 +PROTO += $(ROOT)/usr/lib/mps/sparcv9 \ + $(ROOT)/usr/include/mps/sparcv9 \ + $(ROOT)/usr/sfw/bin/sparcv9 endif include Makefile.com @@ -36,7 +48,7 @@ include Makefile.com awk_pkginfo: bld_awk_pkginfo ./bld_awk_pkginfo -m $(MACH) -p "$(PRODUCT_VERSION)" -o $@ -v $(PRODUCT_VERSION) -all:: awk_pkginfo $(PROTO) +all:: awk_pkginfo $(PROTO) # $(HEADER_DIR) publish: awk_pkginfo $(PROTO) +$(LOOP_OVER_DIRS) @@ -48,9 +60,25 @@ $(ROOT) $(ROOT)/%: mkdir -p $@ ifdef USE_64 -$(ROOT)/usr/lib/mps/sparcv9: $(ROOT)/usr/lib +$(ROOT)/usr/lib/mps/sparcv9: $(ROOT)/usr/lib/mps $(LN) -sf ../../../../$(DIST)/lib $@ +$(ROOT)/usr/sfw/bin/sparcv9: $(ROOT)/usr/sfw/bin + $(LN) -sf ../../../../$(DIST)/bin $@ +$(ROOT)/usr/include/mps/sparcv9: $(ROOT)/usr/include + @if [ -d ../../../$(SOURCE_PREFIX)/$(HEADER_DIR_SINCE_3_6) ] ; then \ + $(LN) -sf ../../../../$(SOURCE_PREFIX)/$(HEADER_DIR_SINCE_3_6) $@ ; \ + else \ + $(LN) -sf ../../../../$(SOURCE_PREFIX)/$(HEADER_DIR_BEFORE_3_6) $@ ; \ + fi else $(ROOT)/usr/lib/mps: $(ROOT)/usr/lib $(LN) -sf ../../../$(DIST)/lib $@ +$(ROOT)/usr/sfw/bin: $(ROOT)/usr/sfw + $(LN) -sf ../../../$(DIST)/bin $@ +$(ROOT)/usr/include/mps: $(ROOT)/usr/include + @if [ -d ../../../$(SOURCE_PREFIX)/$(HEADER_DIR_SINCE_3_6) ] ; then \ + $(LN) -sf ../../../$(SOURCE_PREFIX)/$(HEADER_DIR_SINCE_3_6) $@ ; \ + else \ + $(LN) -sf ../../../$(SOURCE_PREFIX)/$(HEADER_DIR_BEFORE_3_6) $@ ; \ + fi endif diff --git a/security/nss/pkg/solaris/Makefile-devl.com b/security/nss/pkg/solaris/Makefile-devl.com new file mode 100755 index 000000000..8e1c52ad4 --- /dev/null +++ b/security/nss/pkg/solaris/Makefile-devl.com @@ -0,0 +1,33 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +MACH = $(shell mach) + +PUBLISH_ROOT = $(DIST) +ifeq ($(CORE_DEPTH),../../..) +ROOT = ROOT +else +ROOT = $(subst ../../../,,$(CORE_DEPTH))/ROOT +endif + +PKGARCHIVE = $(PUBLISH_ROOT)/pkgarchive +DATAFILES = copyright +FILES = $(DATAFILES) pkginfo + + +PACKAGE = $(shell basename `pwd`) + +PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/nss/lib/nss/nss.h | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//') + +LN = /usr/bin/ln + +CLOBBERFILES = $(FILES) + +include $(CORE_DEPTH)/coreconf/config.mk +include $(CORE_DEPTH)/coreconf/rules.mk + +# vim: ft=make diff --git a/security/nss/pkg/solaris/Makefile-devl.targ b/security/nss/pkg/solaris/Makefile-devl.targ new file mode 100755 index 000000000..bbf9411bb --- /dev/null +++ b/security/nss/pkg/solaris/Makefile-devl.targ @@ -0,0 +1,26 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +pkginfo: pkginfo.tmpl ../awk_pkginfo + $(RM) $@; nawk -f ../awk_pkginfo $@.tmpl > $@ + +pkg: $(PKGARCHIVE) prototype + pkgmk -f prototype -d $(PKGARCHIVE) -r $(ROOT) -o $(PACKAGE) + +$(PKGARCHIVE): + [ -d $(PKGARCHIVE) ] || mkdir -p $(PKGARCHIVE) + +$(DATAFILES):: %: ../common_files/% + $(RM) $@; cp ../common_files/$@ $@ + +$(MACHDATAFILES): %: ../common_files/%_$(MACH) + $(RM) $@; cp ../common_files/$@_$(MACH) $@ + +clobber clean:: + -$(RM) $(CLOBBERFILES) $(CLEANFILES) + +.PHONY: pkg diff --git a/security/nss/pkg/solaris/Makefile-tlsu.com b/security/nss/pkg/solaris/Makefile-tlsu.com new file mode 100755 index 000000000..8e1c52ad4 --- /dev/null +++ b/security/nss/pkg/solaris/Makefile-tlsu.com @@ -0,0 +1,33 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +MACH = $(shell mach) + +PUBLISH_ROOT = $(DIST) +ifeq ($(CORE_DEPTH),../../..) +ROOT = ROOT +else +ROOT = $(subst ../../../,,$(CORE_DEPTH))/ROOT +endif + +PKGARCHIVE = $(PUBLISH_ROOT)/pkgarchive +DATAFILES = copyright +FILES = $(DATAFILES) pkginfo + + +PACKAGE = $(shell basename `pwd`) + +PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/nss/lib/nss/nss.h | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//') + +LN = /usr/bin/ln + +CLOBBERFILES = $(FILES) + +include $(CORE_DEPTH)/coreconf/config.mk +include $(CORE_DEPTH)/coreconf/rules.mk + +# vim: ft=make diff --git a/security/nss/pkg/solaris/Makefile-tlsu.targ b/security/nss/pkg/solaris/Makefile-tlsu.targ new file mode 100755 index 000000000..bbf9411bb --- /dev/null +++ b/security/nss/pkg/solaris/Makefile-tlsu.targ @@ -0,0 +1,26 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +pkginfo: pkginfo.tmpl ../awk_pkginfo + $(RM) $@; nawk -f ../awk_pkginfo $@.tmpl > $@ + +pkg: $(PKGARCHIVE) prototype + pkgmk -f prototype -d $(PKGARCHIVE) -r $(ROOT) -o $(PACKAGE) + +$(PKGARCHIVE): + [ -d $(PKGARCHIVE) ] || mkdir -p $(PKGARCHIVE) + +$(DATAFILES):: %: ../common_files/% + $(RM) $@; cp ../common_files/$@ $@ + +$(MACHDATAFILES): %: ../common_files/%_$(MACH) + $(RM) $@; cp ../common_files/$@_$(MACH) $@ + +clobber clean:: + -$(RM) $(CLOBBERFILES) $(CLEANFILES) + +.PHONY: pkg diff --git a/security/nss/pkg/solaris/Makefile.com b/security/nss/pkg/solaris/Makefile.com index ac4790230..d3580a3a5 100644 --- a/security/nss/pkg/solaris/Makefile.com +++ b/security/nss/pkg/solaris/Makefile.com @@ -21,8 +21,7 @@ FILES = $(DATAFILES) pkginfo prototype PACKAGE = $(shell basename `pwd`) -PRODUCT_VERSION = "3.3.4" -PRODUCT_NAME = NSS_3_3_4_RTM +PRODUCT_VERSION = $(shell grep NSS_VERSION $(CORE_DEPTH)/nss/lib/nss/nss.h | sed -e 's/"$$//' -e 's/.*"//' -e 's/ .*//') LN = /usr/bin/ln diff --git a/security/nss/pkg/solaris/SUNWtlsd/Makefile b/security/nss/pkg/solaris/SUNWtlsd/Makefile new file mode 100755 index 000000000..3a1bd83b3 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsd/Makefile @@ -0,0 +1,16 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +CORE_DEPTH = ../../../.. +include ../Makefile-devl.com + +DATAFILES += + +all:: $(FILES) +publish:: all pkg + +include ../Makefile-devl.targ diff --git a/security/nss/pkg/solaris/SUNWtlsd/pkgdepend b/security/nss/pkg/solaris/SUNWtlsd/pkgdepend new file mode 100755 index 000000000..fe0695db7 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsd/pkgdepend @@ -0,0 +1,23 @@ +# Copyright 2002 Microsystems, Inc. All Rights Reserved. +# Use is subject to license terms. +# +# $Id$ +# +# This package information file defines software dependencies associated +# with the pkg. You can define three types of pkg dependencies with this file: +# P indicates a prerequisite for installation +# I indicates an incompatible package +# R indicates a reverse dependency +# <pkg.abbr> see pkginfo(4), PKG parameter +# <name> see pkginfo(4), NAME parameter +# <version> see pkginfo(4), VERSION parameter +# <arch> see pkginfo(4), ARCH parameter +# <type> <pkg.abbr> <name> +# (<arch>)<version> +# (<arch>)<version> +# ... +# <type> <pkg.abbr> <name> +# ... + +P SUNWprd Netscape Portable Runtime Development +P SUNWtls Netscape Security Services diff --git a/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl new file mode 100755 index 000000000..c47b89069 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsd/pkginfo.tmpl @@ -0,0 +1,34 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# +# This required package information file describes characteristics of the +# package, such as package abbreviation, full package name, package version, +# and package architecture. +# +PKG="SUNWtlsd" +NAME="Network Security Services Development" +ARCH="ISA" +VERSION="NSSVERS,REV=0.0.0" +SUNW_PRODNAME="Network Security Services Development" +SUNW_PRODVERS="RELEASE/VERSION" +SUNW_PKGTYPE="usr" +MAXINST="1000" +CATEGORY="system" +DESC="Network Security Services Files for Development" +VENDOR="Sun Microsystems, Inc." +HOTLINE="Please contact your local service provider" +EMAIL="" +CLASSES="none" +BASEDIR=/ +SUNW_PKGVERS="1.0" +#VSTOCK="<reserved by Release Engineering for package part #>" +#ISTATES="<developer defined>" +#RSTATES='<developer defined>' +#ULIMIT="<developer defined>" +#ORDER="<developer defined>" +#PSTAMP="<developer defined>" +#INTONLY="<developer defined>" diff --git a/security/nss/pkg/solaris/SUNWtlsd/prototype b/security/nss/pkg/solaris/SUNWtlsd/prototype new file mode 100755 index 000000000..52b1e8911 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsd/prototype @@ -0,0 +1,121 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# This required package information file contains a list of package contents. +# The 'pkgmk' command uses this file to identify the contents of a package +# and their location on the development machine when building the package. +# Can be created via a text editor or through use of the 'pkgproto' command. + +#!search <pathname pathname ...> # where to find pkg objects +#!include <filename> # include another 'prototype' file +#!default <mode> <owner> <group> # default used if not specified on entry +#!<param>=<value> # puts parameter in pkg environment + +# packaging files +i copyright +i pkginfo +i depend=pkgdepend +# +# source locations relative to the prototype file +# +# SUNWtlsd +# +d none usr 0755 root sys +d none usr/include 0755 root bin +d none usr/include/mps 0755 root bin +f none usr/include/mps/base64.h 0644 root bin +f none usr/include/mps/blapi.h 0644 root bin +f none usr/include/mps/blapit.h 0644 root bin +f none usr/include/mps/cert.h 0644 root bin +f none usr/include/mps/certdb.h 0644 root bin +f none usr/include/mps/certt.h 0644 root bin +f none usr/include/mps/ciferfam.h 0644 root bin +f none usr/include/mps/cmmf.h 0644 root bin +f none usr/include/mps/cmmft.h 0644 root bin +f none usr/include/mps/cms.h 0644 root bin +f none usr/include/mps/cmsreclist.h 0644 root bin +f none usr/include/mps/cmst.h 0644 root bin +f none usr/include/mps/crmf.h 0644 root bin +f none usr/include/mps/crmft.h 0644 root bin +f none usr/include/mps/cryptohi.h 0644 root bin +f none usr/include/mps/cryptoht.h 0644 root bin +f none usr/include/mps/hasht.h 0644 root bin +f none usr/include/mps/jar-ds.h 0644 root bin +f none usr/include/mps/jar.h 0644 root bin +f none usr/include/mps/jarfile.h 0644 root bin +f none usr/include/mps/key.h 0644 root bin +f none usr/include/mps/keydbt.h 0644 root bin +f none usr/include/mps/keyhi.h 0644 root bin +f none usr/include/mps/keylow.h 0644 root bin +f none usr/include/mps/keyt.h 0644 root bin +f none usr/include/mps/keytboth.h 0644 root bin +f none usr/include/mps/keythi.h 0644 root bin +f none usr/include/mps/keytlow.h 0644 root bin +f none usr/include/mps/nss.h 0644 root bin +f none usr/include/mps/nssb64.h 0644 root bin +f none usr/include/mps/nssb64t.h 0644 root bin +f none usr/include/mps/nssbase.h 0644 root bin +f none usr/include/mps/nssbaset.h 0644 root bin +f none usr/include/mps/nssckepv.h 0644 root bin +f none usr/include/mps/nssckft.h 0644 root bin +f none usr/include/mps/nssckfw.h 0644 root bin +f none usr/include/mps/nssckfwc.h 0644 root bin +f none usr/include/mps/nssckfwt.h 0644 root bin +f none usr/include/mps/nssckg.h 0644 root bin +f none usr/include/mps/nssckmdt.h 0644 root bin +f none usr/include/mps/nssckp.h 0644 root bin +f none usr/include/mps/nssckt.h 0644 root bin +f none usr/include/mps/nsscku.h 0644 root bin +f none usr/include/mps/nssilock.h 0644 root bin +f none usr/include/mps/nsslocks.h 0644 root bin +f none usr/include/mps/nssrwlk.h 0644 root bin +f none usr/include/mps/nssrwlkt.h 0644 root bin +f none usr/include/mps/ocsp.h 0644 root bin +f none usr/include/mps/ocspt.h 0644 root bin +f none usr/include/mps/p12.h 0644 root bin +f none usr/include/mps/p12plcy.h 0644 root bin +f none usr/include/mps/p12t.h 0644 root bin +f none usr/include/mps/pk11func.h 0644 root bin +f none usr/include/mps/pk11pqg.h 0644 root bin +f none usr/include/mps/pk11sdr.h 0644 root bin +f none usr/include/mps/pkcs11.h 0644 root bin +f none usr/include/mps/pkcs11f.h 0644 root bin +f none usr/include/mps/pkcs11p.h 0644 root bin +f none usr/include/mps/pkcs11t.h 0644 root bin +f none usr/include/mps/pkcs11u.h 0644 root bin +f none usr/include/mps/pkcs12.h 0644 root bin +f none usr/include/mps/pkcs12t.h 0644 root bin +f none usr/include/mps/pkcs7t.h 0644 root bin +f none usr/include/mps/portreg.h 0644 root bin +f none usr/include/mps/pqgutil.h 0644 root bin +f none usr/include/mps/preenc.h 0644 root bin +f none usr/include/mps/secasn1.h 0644 root bin +f none usr/include/mps/secasn1t.h 0644 root bin +f none usr/include/mps/seccomon.h 0644 root bin +f none usr/include/mps/secder.h 0644 root bin +f none usr/include/mps/secdert.h 0644 root bin +f none usr/include/mps/secdig.h 0644 root bin +f none usr/include/mps/secdigt.h 0644 root bin +f none usr/include/mps/secerr.h 0644 root bin +f none usr/include/mps/sechash.h 0644 root bin +f none usr/include/mps/secitem.h 0644 root bin +f none usr/include/mps/secmime.h 0644 root bin +f none usr/include/mps/secmod.h 0644 root bin +f none usr/include/mps/secmodt.h 0644 root bin +f none usr/include/mps/secoid.h 0644 root bin +f none usr/include/mps/secoidt.h 0644 root bin +f none usr/include/mps/secpkcs5.h 0644 root bin +f none usr/include/mps/secpkcs7.h 0644 root bin +f none usr/include/mps/secport.h 0644 root bin +f none usr/include/mps/secrng.h 0644 root bin +f none usr/include/mps/secrngt.h 0644 root bin +f none usr/include/mps/smime.h 0644 root bin +f none usr/include/mps/ssl.h 0644 root bin +f none usr/include/mps/sslerr.h 0644 root bin +f none usr/include/mps/sslproto.h 0644 root bin +f none usr/include/mps/swfort.h 0644 root bin +f none usr/include/mps/swfortt.h 0644 root bin +f none usr/include/mps/watcomfx.h 0644 root bin diff --git a/security/nss/pkg/solaris/SUNWtlsdx/Makefile b/security/nss/pkg/solaris/SUNWtlsdx/Makefile new file mode 100755 index 000000000..3a1bd83b3 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsdx/Makefile @@ -0,0 +1,16 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +CORE_DEPTH = ../../../.. +include ../Makefile-devl.com + +DATAFILES += + +all:: $(FILES) +publish:: all pkg + +include ../Makefile-devl.targ diff --git a/security/nss/pkg/solaris/SUNWtlsdx/pkgdepend b/security/nss/pkg/solaris/SUNWtlsdx/pkgdepend new file mode 100755 index 000000000..831c2b37c --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsdx/pkgdepend @@ -0,0 +1,23 @@ +# Copyright 2002 Microsystems, Inc. All Rights Reserved. +# Use is subject to license terms. +# +# $Id$ +# +# This package information file defines software dependencies associated +# with the pkg. You can define three types of pkg dependencies with this file: +# P indicates a prerequisite for installation +# I indicates an incompatible package +# R indicates a reverse dependency +# <pkg.abbr> see pkginfo(4), PKG parameter +# <name> see pkginfo(4), NAME parameter +# <version> see pkginfo(4), VERSION parameter +# <arch> see pkginfo(4), ARCH parameter +# <type> <pkg.abbr> <name> +# (<arch>)<version> +# (<arch>)<version> +# ... +# <type> <pkg.abbr> <name> +# ... + +P SUNWprdx Netscape Portable Runtime Development (64-bit) +P SUNWtlsx Netscape Security Services (64-bit) diff --git a/security/nss/pkg/solaris/SUNWtlsdx/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsdx/pkginfo.tmpl new file mode 100755 index 000000000..cadd53c8c --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsdx/pkginfo.tmpl @@ -0,0 +1,35 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# +# This required package information file describes characteristics of the +# package, such as package abbreviation, full package name, package version, +# and package architecture. +# +PKG="SUNWtlsdx" +NAME="Network Security Services Development (64-bit)" +ARCH="ISA" +SUNW_ISA="sparcv9" +VERSION="NSSVERS,REV=0.0.0" +SUNW_PRODNAME="Network Security Services Development (64-bit)" +SUNW_PRODVERS="RELEASE/VERSION" +SUNW_PKGTYPE="usr" +MAXINST="1000" +CATEGORY="system" +DESC="Network Security Services Files for Development (64-bit)" +VENDOR="Sun Microsystems, Inc." +HOTLINE="Please contact your local service provider" +EMAIL="" +CLASSES="none" +BASEDIR=/ +SUNW_PKGVERS="1.0" +#VSTOCK="<reserved by Release Engineering for package part #>" +#ISTATES="<developer defined>" +#RSTATES='<developer defined>' +#ULIMIT="<developer defined>" +#ORDER="<developer defined>" +#PSTAMP="<developer defined>" +#INTONLY="<developer defined>" diff --git a/security/nss/pkg/solaris/SUNWtlsdx/prototype b/security/nss/pkg/solaris/SUNWtlsdx/prototype new file mode 100755 index 000000000..fe52f14db --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsdx/prototype @@ -0,0 +1,122 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# This required package information file contains a list of package contents. +# The 'pkgmk' command uses this file to identify the contents of a package +# and their location on the development machine when building the package. +# Can be created via a text editor or through use of the 'pkgproto' command. + +#!search <pathname pathname ...> # where to find pkg objects +#!include <filename> # include another 'prototype' file +#!default <mode> <owner> <group> # default used if not specified on entry +#!<param>=<value> # puts parameter in pkg environment + +# packaging files +i copyright +i pkginfo +i depend=pkgdepend +# +# source locations relative to the prototype file +# +# SUNWtlsdx +# +d none usr 0755 root sys +d none usr/include 0755 root bin +s none usr/include/mps/64=sparcv9 +d none usr/include/mps/sparcv9 0755 root bin +f none usr/include/mps/sparcv9/base64.h 0644 root bin +f none usr/include/mps/sparcv9/blapi.h 0644 root bin +f none usr/include/mps/sparcv9/blapit.h 0644 root bin +f none usr/include/mps/sparcv9/cert.h 0644 root bin +f none usr/include/mps/sparcv9/certdb.h 0644 root bin +f none usr/include/mps/sparcv9/certt.h 0644 root bin +f none usr/include/mps/sparcv9/ciferfam.h 0644 root bin +f none usr/include/mps/sparcv9/cmmf.h 0644 root bin +f none usr/include/mps/sparcv9/cmmft.h 0644 root bin +f none usr/include/mps/sparcv9/cms.h 0644 root bin +f none usr/include/mps/sparcv9/cmsreclist.h 0644 root bin +f none usr/include/mps/sparcv9/cmst.h 0644 root bin +f none usr/include/mps/sparcv9/crmf.h 0644 root bin +f none usr/include/mps/sparcv9/crmft.h 0644 root bin +f none usr/include/mps/sparcv9/cryptohi.h 0644 root bin +f none usr/include/mps/sparcv9/cryptoht.h 0644 root bin +f none usr/include/mps/sparcv9/hasht.h 0644 root bin +f none usr/include/mps/sparcv9/jar-ds.h 0644 root bin +f none usr/include/mps/sparcv9/jar.h 0644 root bin +f none usr/include/mps/sparcv9/jarfile.h 0644 root bin +f none usr/include/mps/sparcv9/key.h 0644 root bin +f none usr/include/mps/sparcv9/keydbt.h 0644 root bin +f none usr/include/mps/sparcv9/keyhi.h 0644 root bin +f none usr/include/mps/sparcv9/keylow.h 0644 root bin +f none usr/include/mps/sparcv9/keyt.h 0644 root bin +f none usr/include/mps/sparcv9/keytboth.h 0644 root bin +f none usr/include/mps/sparcv9/keythi.h 0644 root bin +f none usr/include/mps/sparcv9/keytlow.h 0644 root bin +f none usr/include/mps/sparcv9/nss.h 0644 root bin +f none usr/include/mps/sparcv9/nssb64.h 0644 root bin +f none usr/include/mps/sparcv9/nssb64t.h 0644 root bin +f none usr/include/mps/sparcv9/nssbase.h 0644 root bin +f none usr/include/mps/sparcv9/nssbaset.h 0644 root bin +f none usr/include/mps/sparcv9/nssckepv.h 0644 root bin +f none usr/include/mps/sparcv9/nssckft.h 0644 root bin +f none usr/include/mps/sparcv9/nssckfw.h 0644 root bin +f none usr/include/mps/sparcv9/nssckfwc.h 0644 root bin +f none usr/include/mps/sparcv9/nssckfwt.h 0644 root bin +f none usr/include/mps/sparcv9/nssckg.h 0644 root bin +f none usr/include/mps/sparcv9/nssckmdt.h 0644 root bin +f none usr/include/mps/sparcv9/nssckp.h 0644 root bin +f none usr/include/mps/sparcv9/nssckt.h 0644 root bin +f none usr/include/mps/sparcv9/nsscku.h 0644 root bin +f none usr/include/mps/sparcv9/nssilock.h 0644 root bin +f none usr/include/mps/sparcv9/nsslocks.h 0644 root bin +f none usr/include/mps/sparcv9/nssrwlk.h 0644 root bin +f none usr/include/mps/sparcv9/nssrwlkt.h 0644 root bin +f none usr/include/mps/sparcv9/ocsp.h 0644 root bin +f none usr/include/mps/sparcv9/ocspt.h 0644 root bin +f none usr/include/mps/sparcv9/p12.h 0644 root bin +f none usr/include/mps/sparcv9/p12plcy.h 0644 root bin +f none usr/include/mps/sparcv9/p12t.h 0644 root bin +f none usr/include/mps/sparcv9/pk11func.h 0644 root bin +f none usr/include/mps/sparcv9/pk11pqg.h 0644 root bin +f none usr/include/mps/sparcv9/pk11sdr.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs11.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs11f.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs11p.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs11t.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs11u.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs12.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs12t.h 0644 root bin +f none usr/include/mps/sparcv9/pkcs7t.h 0644 root bin +f none usr/include/mps/sparcv9/portreg.h 0644 root bin +f none usr/include/mps/sparcv9/pqgutil.h 0644 root bin +f none usr/include/mps/sparcv9/preenc.h 0644 root bin +f none usr/include/mps/sparcv9/secasn1.h 0644 root bin +f none usr/include/mps/sparcv9/secasn1t.h 0644 root bin +f none usr/include/mps/sparcv9/seccomon.h 0644 root bin +f none usr/include/mps/sparcv9/secder.h 0644 root bin +f none usr/include/mps/sparcv9/secdert.h 0644 root bin +f none usr/include/mps/sparcv9/secdig.h 0644 root bin +f none usr/include/mps/sparcv9/secdigt.h 0644 root bin +f none usr/include/mps/sparcv9/secerr.h 0644 root bin +f none usr/include/mps/sparcv9/sechash.h 0644 root bin +f none usr/include/mps/sparcv9/secitem.h 0644 root bin +f none usr/include/mps/sparcv9/secmime.h 0644 root bin +f none usr/include/mps/sparcv9/secmod.h 0644 root bin +f none usr/include/mps/sparcv9/secmodt.h 0644 root bin +f none usr/include/mps/sparcv9/secoid.h 0644 root bin +f none usr/include/mps/sparcv9/secoidt.h 0644 root bin +f none usr/include/mps/sparcv9/secpkcs5.h 0644 root bin +f none usr/include/mps/sparcv9/secpkcs7.h 0644 root bin +f none usr/include/mps/sparcv9/secport.h 0644 root bin +f none usr/include/mps/sparcv9/secrng.h 0644 root bin +f none usr/include/mps/sparcv9/secrngt.h 0644 root bin +f none usr/include/mps/sparcv9/smime.h 0644 root bin +f none usr/include/mps/sparcv9/ssl.h 0644 root bin +f none usr/include/mps/sparcv9/sslerr.h 0644 root bin +f none usr/include/mps/sparcv9/sslproto.h 0644 root bin +f none usr/include/mps/sparcv9/swfort.h 0644 root bin +f none usr/include/mps/sparcv9/swfortt.h 0644 root bin +f none usr/include/mps/sparcv9/watcomfx.h 0644 root bin diff --git a/security/nss/pkg/solaris/SUNWtlsu/Makefile b/security/nss/pkg/solaris/SUNWtlsu/Makefile new file mode 100755 index 000000000..a8aefbac1 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsu/Makefile @@ -0,0 +1,16 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +CORE_DEPTH = ../../../.. +include ../Makefile-tlsu.com + +DATAFILES += + +all:: $(FILES) +publish:: all pkg + +include ../Makefile-tlsu.targ diff --git a/security/nss/pkg/solaris/SUNWtlsu/pkgdepend b/security/nss/pkg/solaris/SUNWtlsu/pkgdepend new file mode 100755 index 000000000..8b348ba47 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsu/pkgdepend @@ -0,0 +1,22 @@ +# Copyright 2002 Microsystems, Inc. All Rights Reserved. +# Use is subject to license terms. +# +# $Id$ +# +# This package information file defines software dependencies associated +# with the pkg. You can define three types of pkg dependencies with this file: +# P indicates a prerequisite for installation +# I indicates an incompatible package +# R indicates a reverse dependency +# <pkg.abbr> see pkginfo(4), PKG parameter +# <name> see pkginfo(4), NAME parameter +# <version> see pkginfo(4), VERSION parameter +# <arch> see pkginfo(4), ARCH parameter +# <type> <pkg.abbr> <name> +# (<arch>)<version> +# (<arch>)<version> +# ... +# <type> <pkg.abbr> <name> +# ... + +P SUNWtls Netscape Security Services diff --git a/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl new file mode 100755 index 000000000..e5648316d --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsu/pkginfo.tmpl @@ -0,0 +1,34 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# +# This required package information file describes characteristics of the +# package, such as package abbreviation, full package name, package version, +# and package architecture. +# +PKG="SUNWtlsu" +NAME="Network Security Services Utilities" +ARCH="ISA" +VERSION="NSSVERS,REV=0.0.0" +SUNW_PRODNAME="Network Security Services Utilities" +SUNW_PRODVERS="RELEASE/VERSION" +SUNW_PKGTYPE="usr" +MAXINST="1000" +CATEGORY="system" +DESC="Network Security Services Utilities Programs" +VENDOR="Sun Microsystems, Inc." +HOTLINE="Please contact your local service provider" +EMAIL="" +CLASSES="none" +BASEDIR=/ +SUNW_PKGVERS="1.0" +#VSTOCK="<reserved by Release Engineering for package part #>" +#ISTATES="<developer defined>" +#RSTATES='<developer defined>' +#ULIMIT="<developer defined>" +#ORDER="<developer defined>" +#PSTAMP="<developer defined>" +#INTONLY="<developer defined>" diff --git a/security/nss/pkg/solaris/SUNWtlsu/prototype b/security/nss/pkg/solaris/SUNWtlsu/prototype new file mode 100755 index 000000000..2f57c370c --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsu/prototype @@ -0,0 +1,35 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# This required package information file contains a list of package contents. +# The 'pkgmk' command uses this file to identify the contents of a package +# and their location on the development machine when building the package. +# Can be created via a text editor or through use of the 'pkgproto' command. + +#!search <pathname pathname ...> # where to find pkg objects +#!include <filename> # include another 'prototype' file +#!default <mode> <owner> <group> # default used if not specified on entry +#!<param>=<value> # puts parameter in pkg environment + +# packaging files +i copyright +i pkginfo +i depend=pkgdepend +# +# source locations relative to the prototype file +# +# SUNWtlsu +# +d none usr 0755 root sys +d none usr/sfw 0755 root bin +d none usr/sfw/bin 0755 root bin +f none usr/sfw/bin/certutil 0755 root bin +f none usr/sfw/bin/cmsutil 0755 root bin +f none usr/sfw/bin/modutil 0755 root bin +f none usr/sfw/bin/pk12util 0755 root bin +f none usr/sfw/bin/signtool 0755 root bin +f none usr/sfw/bin/signver 0755 root bin +f none usr/sfw/bin/ssltap 0755 root bin diff --git a/security/nss/pkg/solaris/SUNWtlsux/Makefile b/security/nss/pkg/solaris/SUNWtlsux/Makefile new file mode 100755 index 000000000..a8aefbac1 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsux/Makefile @@ -0,0 +1,16 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# + +CORE_DEPTH = ../../../.. +include ../Makefile-tlsu.com + +DATAFILES += + +all:: $(FILES) +publish:: all pkg + +include ../Makefile-tlsu.targ diff --git a/security/nss/pkg/solaris/SUNWtlsux/pkgdepend b/security/nss/pkg/solaris/SUNWtlsux/pkgdepend new file mode 100755 index 000000000..ae1bf71a6 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsux/pkgdepend @@ -0,0 +1,22 @@ +# Copyright 2002 Microsystems, Inc. All Rights Reserved. +# Use is subject to license terms. +# +# $Id$ +# +# This package information file defines software dependencies associated +# with the pkg. You can define three types of pkg dependencies with this file: +# P indicates a prerequisite for installation +# I indicates an incompatible package +# R indicates a reverse dependency +# <pkg.abbr> see pkginfo(4), PKG parameter +# <name> see pkginfo(4), NAME parameter +# <version> see pkginfo(4), VERSION parameter +# <arch> see pkginfo(4), ARCH parameter +# <type> <pkg.abbr> <name> +# (<arch>)<version> +# (<arch>)<version> +# ... +# <type> <pkg.abbr> <name> +# ... + +P SUNWtlsx Netscape Security Services (64-bit) diff --git a/security/nss/pkg/solaris/SUNWtlsux/pkginfo.tmpl b/security/nss/pkg/solaris/SUNWtlsux/pkginfo.tmpl new file mode 100755 index 000000000..cc7972dc4 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsux/pkginfo.tmpl @@ -0,0 +1,34 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# +# This required package information file describes characteristics of the +# package, such as package abbreviation, full package name, package version, +# and package architecture. +# +PKG="SUNWtlsux" +NAME="Network Security Services Utilities (64-bit)" +ARCH="ISA" +VERSION="NSSVERS,REV=0.0.0" +SUNW_PRODNAME="Network Security Services Utilities (64-bit)" +SUNW_PRODVERS="RELEASE/VERSION" +SUNW_PKGTYPE="usr" +MAXINST="1000" +CATEGORY="system" +DESC="Network Security Services Utilities Programs (64-bit)" +VENDOR="Sun Microsystems, Inc." +HOTLINE="Please contact your local service provider" +EMAIL="" +CLASSES="none" +BASEDIR=/ +SUNW_PKGVERS="1.0" +#VSTOCK="<reserved by Release Engineering for package part #>" +#ISTATES="<developer defined>" +#RSTATES='<developer defined>' +#ULIMIT="<developer defined>" +#ORDER="<developer defined>" +#PSTAMP="<developer defined>" +#INTONLY="<developer defined>" diff --git a/security/nss/pkg/solaris/SUNWtlsux/prototype b/security/nss/pkg/solaris/SUNWtlsux/prototype new file mode 100755 index 000000000..4b0b33b25 --- /dev/null +++ b/security/nss/pkg/solaris/SUNWtlsux/prototype @@ -0,0 +1,37 @@ +# +# Copyright 2002 Sun Microsystems, Inc. All rights reserved. +# Use is subject to license terms. +# +#ident "$Id$" +# +# This required package information file contains a list of package contents. +# The 'pkgmk' command uses this file to identify the contents of a package +# and their location on the development machine when building the package. +# Can be created via a text editor or through use of the 'pkgproto' command. + +#!search <pathname pathname ...> # where to find pkg objects +#!include <filename> # include another 'prototype' file +#!default <mode> <owner> <group> # default used if not specified on entry +#!<param>=<value> # puts parameter in pkg environment + +# packaging files +i copyright +i pkginfo +i depend=pkgdepend +# +# source locations relative to the prototype file +# +# SUNWtlsux +# +d none usr 0755 root sys +d none usr/sfw 0755 root bin +d none usr/sfw/bin 0755 root bin +s none usr/sfw/bin/64=sparcv9 +d none usr/sfw/bin/sparcv9 0755 root bin +f none usr/sfw/bin/sparcv9/certutil 0755 root bin +f none usr/sfw/bin/sparcv9/cmsutil 0755 root bin +f none usr/sfw/bin/sparcv9/modutil 0755 root bin +f none usr/sfw/bin/sparcv9/pk12util 0755 root bin +f none usr/sfw/bin/sparcv9/signtool 0755 root bin +f none usr/sfw/bin/sparcv9/signver 0755 root bin +f none usr/sfw/bin/sparcv9/ssltap 0755 root bin diff --git a/security/nss/tests/ssl/ssl.sh b/security/nss/tests/ssl/ssl.sh index 78c0c6444..a82c88429 100755 --- a/security/nss/tests/ssl/ssl.sh +++ b/security/nss/tests/ssl/ssl.sh @@ -127,7 +127,7 @@ wait_for_selfserv() html_failed "<TR><TD> Wait for Server " echo "RETRY: tstclnt -p ${PORT} -h ${HOST} -q -d . < ${REQUEST_FILE}" tstclnt -p ${PORT} -h ${HOST} -q -d . < ${REQUEST_FILE} - elif [ sparam = "-c ABCDEFabcdefghijklm" ] ; then # "$1" = "cov" ] ; then + elif [ sparam = "-c ABCDEFabcdefghijklmnvy" ] ; then # "$1" = "cov" ] ; then html_passed "<TR><TD> Wait for Server" fi is_selfserv_alive @@ -180,7 +180,7 @@ ssl_cov() html_head "SSL Cipher Coverage" testname="" - sparam="-c ABCDEFabcdefghijklm" + sparam="-c ABCDEFabcdefghijklmnvy" start_selfserv # Launch the server cat ${SSLCOV} | while read tls param testname diff --git a/security/nss/tests/ssl/sslcov.txt b/security/nss/tests/ssl/sslcov.txt index 8df8f4f2c..e60e06d28 100644 --- a/security/nss/tests/ssl/sslcov.txt +++ b/security/nss/tests/ssl/sslcov.txt @@ -35,3 +35,10 @@ # (NULL is not enabled by default) TLS i TLS RSA WITH NULL MD5 noTLS i SSL3 RSA WITH NULL MD5 +# added on nelson's request + TLS n TLS RSA WITH RC4 128 SHA + noTLS n SSL3 RSA WITH RC4 128 SHA + TLS v TLS RSA WITH AES 128 CBC SHA + noTLS v SSL3 RSA WITH AES 128 CBC SHA + TLS y TLS RSA WITH AES 256 CBC SHA + noTLS y SSL3 RSA WITH AES 256 CBC SHA |