diff options
Diffstat (limited to 'security/nss/cmd')
48 files changed, 9105 insertions, 1112 deletions
diff --git a/security/nss/cmd/cmdlib/Makefile b/security/nss/cmd/cmdlib/Makefile new file mode 100644 index 000000000..c4f18fb5d --- /dev/null +++ b/security/nss/cmd/cmdlib/Makefile @@ -0,0 +1,79 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include config.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + diff --git a/security/nss/cmd/cmdlib/cmdline.c b/security/nss/cmd/cmdlib/cmdline.c new file mode 100644 index 000000000..164b03835 --- /dev/null +++ b/security/nss/cmd/cmdlib/cmdline.c @@ -0,0 +1,477 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include <string.h> +#include <ctype.h> + +#include "cmdutil.h" + +static int s_indent_size = 4; + +void +CMD_SetIndentSize(int size) +{ + s_indent_size = size; +} + +#if 0 +static void +indent(PRFileDesc *out, int level) +{ + int i, j; + for (i=0; i<level; i++) + for (j=0; j<s_indent_size; j++) + PR_fprintf(out, " "); +} +#endif + +struct cmdPrintStateStr { + PRFileDesc *file; + int width; + int indent; + int linepos; +}; + +static void +init_print_ps(cmdPrintState *ps, PRFileDesc *outfile, int width, int indent) +{ + ps->file = (outfile) ? outfile : PR_STDOUT; + ps->width = (width > 0) ? width : 80; + ps->indent = (indent > 0) ? indent : 0; + ps->linepos = 0; +} + +static void +print_ps_indent(cmdPrintState *ps) +{ + int j; + if (ps->linepos != 0) { + PR_fprintf(ps->file, "\n"); + ps->linepos = 0; + } + for (j=0; j<=ps->indent; j++) PR_fprintf(ps->file, " "); + ps->linepos = ps->indent; +} + +static void +print_ps_to_indent(cmdPrintState *ps) +{ + if (ps->linepos > ps->indent) + PR_fprintf(ps->file, "\n"); + while (ps->linepos <= ps->indent) { + PR_fprintf(ps->file, " "); + ps->linepos++; + } +} + +static void +nprintbuf(cmdPrintState *ps, char *buf, int start, int len) +{ + int j; + for (j=start; j<start + len; j++) { + if (buf[j] == '\n') { + PR_fprintf(ps->file, "\n"); + ps->linepos = 0; + print_ps_indent(ps); + } else { + PR_fprintf(ps->file, "%c", buf[j]); + ps->linepos++; + } + } +} + +static void +nprintf(cmdPrintState *ps, char *msg, ...) +{ + char buf[256]; + int i, len, grouplen; + PRBool openquote, openbracket, openparen, openangle, itsaword; + va_list args; + va_start(args, msg); + vsprintf(buf, msg, args); + len = strlen(buf); + /* print_ps_indent(ps); */ + if (len < ps->width - ps->linepos) { + nprintbuf(ps, buf, 0, len + 1); + return; + } + /* group in this order: " [ ( < word > ) ] " */ + i=0; + openquote=openbracket=openparen=openangle=itsaword=PR_FALSE; + while (i<len) { + grouplen = 0; + if (buf[i] == '\"') { openquote = PR_TRUE; grouplen = 1; } + else if (buf[i] == '[') { openbracket = PR_TRUE; grouplen = 1; } + else if (buf[i] == '(') { openparen = PR_TRUE; grouplen = 1; } + else if (buf[i] == '<') { openangle = PR_TRUE; grouplen = 1; } + else itsaword = PR_TRUE; + while (grouplen < len && buf[i+grouplen] != '\0' && + ((openquote && buf[i+grouplen] != '\"') || + (openbracket && buf[i+grouplen] != ']') || + (openparen && buf[i+grouplen] != ')') || + (openangle && buf[i+grouplen] != '>') || + (itsaword && !isspace(buf[i+grouplen])))) + grouplen++; + grouplen++; /* grab the terminator (whitespace for word) */ + if (!itsaword && isspace(buf[i+grouplen])) grouplen++; + if (grouplen < ps->width - ps->linepos) { + nprintbuf(ps, buf, i, grouplen); + } else if (grouplen < ps->width - ps->indent) { + print_ps_indent(ps); + nprintbuf(ps, buf, i, grouplen); + } else { + /* it's just too darn long. what to do? */ + } + i += grouplen; + openquote=openbracket=openparen=openangle=itsaword=PR_FALSE; + } + va_end(args); +} + +void +CMD_PrintUsageString(cmdPrintState *ps, char *str) +{ + nprintf(ps, "%s", str); +} + +/* void because it exits with Usage() if failure */ +static void +command_line_okay(cmdCommand *cmd, char *progName) +{ + int i, c = -1; + /* user asked for help. hope somebody gives it to them. */ + if (cmd->opt[0].on) return; + /* check that the command got all of its needed options */ + for (i=0; i<cmd->ncmd; i++) { + if (cmd->cmd[i].on) { + if (c > 0) { + fprintf(stderr, + "%s: only one command can be given at a time.\n", + progName); + CMD_Usage(progName, cmd); + } else { + c = i; + } + } + } + if (cmd->cmd[c].argUse == CMDArgReq && cmd->cmd[c].arg == NULL) { + /* where's the arg when you need it... */ + fprintf(stderr, "%s: command --%s requires an argument.\n", + progName, cmd->cmd[c].s); + fprintf(stderr, "type \"%s --%s --help\" for help.\n", + progName, cmd->cmd[c].s); + CMD_Usage(progName, cmd); + } + for (i=0; i<cmd->nopt; i++) { + if (cmd->cmd[c].req & CMDBIT(i)) { + /* command requires this option */ + if (!cmd->opt[i].on) { + /* but it ain't there */ + fprintf(stderr, "%s: command --%s requires option --%s.\n", + progName, cmd->cmd[c].s, cmd->opt[i].s); + } else { + /* okay, its there, but does it have an arg? */ + if (cmd->opt[i].argUse == CMDArgReq && !cmd->opt[i].arg) { + fprintf(stderr, "%s: option --%s requires an argument.\n", + progName, cmd->opt[i].s); + } + } + } else if (cmd->cmd[c].opt & CMDBIT(i)) { + /* this option is optional */ + if (cmd->opt[i].on) { + /* okay, its there, but does it have an arg? */ + if (cmd->opt[i].argUse == CMDArgReq && !cmd->opt[i].arg) { + fprintf(stderr, "%s: option --%s requires an argument.\n", + progName, cmd->opt[i].s); + } + } + } else { + /* command knows nothing about it */ + if (cmd->opt[i].on) { + /* so why the h--- is it on? */ + fprintf(stderr, "%s: option --%s not used with command --%s.\n", + progName, cmd->opt[i].s, cmd->cmd[c].s); + } + } + } +} + +static char * +get_arg(char *curopt, char **nextopt, int argc, int *index) +{ + char *str; + if (curopt) { + str = curopt; + } else { + if (*index + 1 >= argc) return NULL; + /* not really an argument but another flag */ + if (nextopt[*index+1][0] == '-') return NULL; + str = nextopt[++(*index)]; + } + /* parse the option */ + return strdup(str); +} + +int +CMD_ParseCommandLine(int argc, char **argv, char *progName, cmdCommand *cmd) +{ + int i, j, k; + int cmdToRun = -1; + char *flag; + i=1; + if (argc <= 1) return -2; /* gross hack for cmdless things like atob */ + do { + flag = argv[i]; + if (strlen(flag) < 2) /* huh? */ + return -1; + if (flag[0] != '-') + return -1; + /* ignore everything after lone "--" (app-specific weirdness there) */ + if (strcmp(flag, "--") == 0) + return cmdToRun; + /* single hyphen means short alias (single-char) */ + if (flag[1] != '-') { + j=1; + /* collect a set of opts, ex. -abc */ + while (flag[j] != '\0') { + PRBool found = PR_FALSE; + /* walk the command set looking for match */ + for (k=0; k<cmd->ncmd; k++) { + if (flag[j] == cmd->cmd[k].c) { + /* done - only take one command at a time */ + if (j > 1) return -1; + cmd->cmd[k].on = found = PR_TRUE; + cmdToRun = k; + if (cmd->cmd[k].argUse != CMDNoArg) + cmd->cmd[k].arg = get_arg(NULL, argv, argc, &i); + goto next_flag; + } + } + /* wasn't found in commands, try options */ + for (k=0; k<cmd->nopt; k++) { + if (flag[j] == cmd->opt[k].c) { + /* collect this option and keep going */ + cmd->opt[k].on = found = PR_TRUE; + if (flag[j+1] == '\0') { + if (cmd->opt[k].argUse != CMDNoArg) + cmd->opt[k].arg = get_arg(NULL, argv, argc, &i); + goto next_flag; + } + } + } + j++; + if (!found) return -1; + } + } else { /* long alias, ex. --list */ + char *fl = NULL, *arg = NULL; + PRBool hyphened = PR_FALSE; + fl = &flag[2]; + arg = strchr(fl, '='); + if (arg) { + *arg++ = '\0'; + } else { + arg = strchr(fl, '-'); + if (arg) { + hyphened = PR_TRUE; /* watch this, see below */ + *arg++ = '\0'; + } + } + for (k=0; k<cmd->ncmd; k++) { + if (strcmp(fl, cmd->cmd[k].s) == 0) { + cmd->cmd[k].on = PR_TRUE; + cmdToRun = k; + if (cmd->cmd[k].argUse != CMDNoArg || hyphened) { + cmd->cmd[k].arg = get_arg(arg, argv, argc, &i); + } + if (arg) arg[-1] = '='; + goto next_flag; + } + } + for (k=0; k<cmd->nopt; k++) { + if (strcmp(fl, cmd->opt[k].s) == 0) { + cmd->opt[k].on = PR_TRUE; + if (cmd->opt[k].argUse != CMDNoArg || hyphened) { + cmd->opt[k].arg = get_arg(arg, argv, argc, &i); + } + if (arg) arg[-1] = '='; + goto next_flag; + } + } + return -1; + } +next_flag: + i++; + } while (i < argc); + command_line_okay(cmd, progName); + return cmdToRun; +} + +void +CMD_LongUsage(char *progName, cmdCommand *cmd, cmdUsageCallback usage) +{ + int i, j; + PRBool oneCommand = PR_FALSE; + cmdPrintState ps; + init_print_ps(&ps, PR_STDERR, 80, 0); + nprintf(&ps, "\n%s: ", progName); + /* prints app-specific header */ + ps.indent = strlen(progName) + 4; + usage(&ps, 0, PR_FALSE, PR_TRUE, PR_FALSE); + for (i=0; i<cmd->ncmd; i++) if (cmd->cmd[i].on) oneCommand = PR_TRUE; + for (i=0; i<cmd->ncmd; i++) { + if ((oneCommand && cmd->cmd[i].on) || !oneCommand) { + ps.indent = 0; + print_ps_indent(&ps); + if (cmd->cmd[i].c != 0) { + nprintf(&ps, "-%c, ", cmd->cmd[i].c); + nprintf(&ps, "--%-16s ", cmd->cmd[i].s); + } else { + nprintf(&ps, "--%-20s ", cmd->cmd[i].s); + } + ps.indent += 20; + usage(&ps, i, PR_TRUE, PR_FALSE, PR_FALSE); + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].req & CMDBIT(j)) { + ps.indent = 0; + print_ps_indent(&ps); + nprintf(&ps, "%3s* ", ""); + if (cmd->opt[j].c != 0) { + nprintf(&ps, "-%c, ", cmd->opt[j].c); + nprintf(&ps, "--%-16s ", cmd->opt[j].s); + } else { + nprintf(&ps, "--%-20s ", cmd->opt[j].s); + } + ps.indent += 29; + usage(&ps, j, PR_FALSE, PR_FALSE, PR_FALSE); + } + } + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].opt & CMDBIT(j)) { + ps.indent = 0; + print_ps_indent(&ps); + nprintf(&ps, "%5s", ""); + if (cmd->opt[j].c != 0) { + nprintf(&ps, "-%c, ", cmd->opt[j].c); + nprintf(&ps, "--%-16s ", cmd->opt[j].s); + } else { + nprintf(&ps, "--%-20s ", cmd->opt[j].s); + } + ps.indent += 29; + usage(&ps, j, PR_FALSE, PR_FALSE, PR_FALSE); + } + } + } + nprintf(&ps, "\n"); + } + ps.indent = 0; + nprintf(&ps, "\n* - required flag for command\n\n"); + /* prints app-specific footer */ + usage(&ps, 0, PR_FALSE, PR_FALSE, PR_TRUE); + /*nprintf(&ps, "\n\n");*/ + exit(1); +} + +void +CMD_Usage(char *progName, cmdCommand *cmd) +{ + int i, j, inc; + PRBool first; + cmdPrintState ps; + init_print_ps(&ps, PR_STDERR, 80, 0); + nprintf(&ps, "%s", progName); + ps.indent = strlen(progName) + 1; + print_ps_to_indent(&ps); + for (i=0; i<cmd->ncmd; i++) { + if (cmd->cmd[i].c != 0) { + nprintf(&ps, "-%c", cmd->cmd[i].c); + inc = 4; + } else { + nprintf(&ps, "--%s", cmd->cmd[i].s); + inc = 4 + strlen(cmd->cmd[i].s); + } + first = PR_TRUE; + ps.indent += inc; + print_ps_to_indent(&ps); + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].req & CMDBIT(j)) { + if (cmd->opt[j].c != 0 && cmd->opt[j].argUse == CMDNoArg) { + if (first) { + nprintf(&ps, "-"); + first = !first; + } + nprintf(&ps, "%c", cmd->opt[j].c); + } + } + } + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].req & CMDBIT(j)) { + if (cmd->opt[j].c != 0) + nprintf(&ps, "-%c ", cmd->opt[j].c); + else + nprintf(&ps, "--%s ", cmd->opt[j].s); + if (cmd->opt[j].argUse != CMDNoArg) + nprintf(&ps, "%s ", cmd->opt[j].s); + } + } + first = PR_TRUE; + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].opt & CMDBIT(j)) { + if (cmd->opt[j].c != 0 && cmd->opt[j].argUse == CMDNoArg) { + if (first) { + nprintf(&ps, "[-"); + first = !first; + } + nprintf(&ps, "%c", cmd->opt[j].c); + } + } + } + if (!first) nprintf(&ps, "] "); + for (j=0; j<cmd->nopt; j++) { + if (cmd->cmd[i].opt & CMDBIT(j) && + cmd->opt[j].argUse != CMDNoArg) { + if (cmd->opt[j].c != 0) + nprintf(&ps, "[-%c %s] ", cmd->opt[j].c, cmd->opt[j].s); + else + nprintf(&ps, "[--%s %s] ", cmd->opt[j].s, cmd->opt[j].s); + } + } + ps.indent -= inc; + print_ps_indent(&ps); + } + ps.indent = 0; + nprintf(&ps, "\n"); + exit(1); +} diff --git a/security/nss/cmd/cmdlib/cmdutil.h b/security/nss/cmd/cmdlib/cmdutil.h new file mode 100644 index 000000000..a51583f1c --- /dev/null +++ b/security/nss/cmd/cmdlib/cmdutil.h @@ -0,0 +1,118 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifndef _CMDUTIL_H_ +#define _CMDUTIL_H_ + +#include <stdio.h> +#include "nspr.h" +#include "nssbase.h" + +typedef int +(* CMD_PPFunc)(PRFileDesc *out, NSSItem *item, char *msg, int level); + + +/* + * Command Line Parsing routines + * + * The attempt here is to provide common functionality for command line + * parsing across an array of tools. The tools should obey the historical + * rules of: + * + * (1) one command per line, + * (2) the command should be uppercase, + * (3) options should be lowercase, + * (4) a short usage statement is presented in case of error, + * (5) a long usage statement is given by -? or --help + */ + +/* To aid in formatting usage output. XXX Uh, why exposed? */ +typedef struct cmdPrintStateStr cmdPrintState; + +typedef enum { + CMDArgReq = 0, + CMDArgOpt, + CMDNoArg +} CMDArg; + +struct cmdCommandLineArgStr { + char c; /* one-character alias for flag */ + char *s; /* string alias for flag */ + CMDArg argUse; /* flag takes an argument */ + char *arg; /* argument given for flag */ + PRBool on; /* flag was issued at command-line */ + int req; /* required arguments for commands */ + int opt; /* optional arguments for commands */ +}; + +struct cmdCommandLineOptStr { + char c; /* one-character alias for flag */ + char *s; /* string alias for flag */ + CMDArg argUse; /* flag takes an argument */ + char *arg; /* argument given for flag */ + PRBool on; /* flag was issued at command-line */ +}; + +typedef struct cmdCommandLineArgStr cmdCommandLineArg; +typedef struct cmdCommandLineOptStr cmdCommandLineOpt; + +struct cmdCommandStr { + int ncmd; + int nopt; + cmdCommandLineArg *cmd; + cmdCommandLineOpt *opt; +}; + +typedef struct cmdCommandStr cmdCommand; + +int +CMD_ParseCommandLine(int argc, char **argv, char *progName, cmdCommand *cmd); + +typedef void +(* cmdUsageCallback)(cmdPrintState *, int, PRBool, PRBool, PRBool); + +#define CMDBIT(n) (1<<n) + +void +CMD_Usage(char *progName, cmdCommand *cmd); + +void +CMD_LongUsage(char *progName, cmdCommand *cmd, cmdUsageCallback use); + +void +CMD_PrintUsageString(cmdPrintState *ps, char *str); + +#endif /* _CMDUTIL_H_ */ diff --git a/security/nss/cmd/cmdlib/config.mk b/security/nss/cmd/cmdlib/config.mk new file mode 100644 index 000000000..665828c63 --- /dev/null +++ b/security/nss/cmd/cmdlib/config.mk @@ -0,0 +1,47 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +# +# Override TARGETS variable so that only static libraries +# are specifed as dependencies within rules.mk. +# + +TARGETS = $(LIBRARY) +SHARED_LIBRARY = +IMPORT_LIBRARY = +PROGRAM = + diff --git a/security/nss/cmd/cmdlib/manifest.mn b/security/nss/cmd/cmdlib/manifest.mn new file mode 100644 index 000000000..1456a6a38 --- /dev/null +++ b/security/nss/cmd/cmdlib/manifest.mn @@ -0,0 +1,53 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../.. + +LIBRARY_NAME = cmdutil + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = seccmd + +DEFINES = -DNSPR20 + +EXPORTS = cmdutil.h \ + $(NULL) + +CSRCS = cmdline.c \ + $(NULL) + +REQUIRES = nss nspr dbm + diff --git a/security/nss/cmd/dbck/dbrecover.c b/security/nss/cmd/dbck/dbrecover.c new file mode 100644 index 000000000..db65d0e5c --- /dev/null +++ b/security/nss/cmd/dbck/dbrecover.c @@ -0,0 +1,702 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +enum { + dbInvalidCert = 0, + dbNoSMimeProfile, + dbOlderCert, + dbBadCertificate, + dbCertNotWrittenToDB +}; + +typedef struct dbRestoreInfoStr +{ + NSSLOWCERTCertDBHandle *handle; + PRBool verbose; + PRFileDesc *out; + int nCerts; + int nOldCerts; + int dbErrors[5]; + PRBool removeType[3]; + PRBool promptUser[3]; +} dbRestoreInfo; + +char * +IsEmailCert(CERTCertificate *cert) +{ + char *email, *tmp1, *tmp2; + PRBool isCA; + int len; + + if (!cert->subjectName) { + return NULL; + } + + tmp1 = PORT_Strstr(cert->subjectName, "E="); + tmp2 = PORT_Strstr(cert->subjectName, "MAIL="); + /* XXX Nelson has cert for KTrilli which does not have either + * of above but is email cert (has cert->emailAddr). + */ + if (!tmp1 && !tmp2 && !(cert->emailAddr && cert->emailAddr[0])) { + return NULL; + } + + /* Server or CA cert, not personal email. */ + isCA = CERT_IsCACert(cert, NULL); + if (isCA) + return NULL; + + /* XXX CERT_IsCACert advertises checking the key usage ext., + but doesn't appear to. */ + /* Check the key usage extension. */ + if (cert->keyUsagePresent) { + /* Must at least be able to sign or encrypt (not neccesarily + * both if it is one of a dual cert). + */ + if (!((cert->rawKeyUsage & KU_DIGITAL_SIGNATURE) || + (cert->rawKeyUsage & KU_KEY_ENCIPHERMENT))) + return NULL; + + /* CA cert, not personal email. */ + if (cert->rawKeyUsage & (KU_KEY_CERT_SIGN | KU_CRL_SIGN)) + return NULL; + } + + if (cert->emailAddr && cert->emailAddr[0]) { + email = PORT_Strdup(cert->emailAddr); + } else { + if (tmp1) + tmp1 += 2; /* "E=" */ + else + tmp1 = tmp2 + 5; /* "MAIL=" */ + len = strcspn(tmp1, ", "); + email = (char*)PORT_Alloc(len+1); + PORT_Strncpy(email, tmp1, len); + email[len] = '\0'; + } + + return email; +} + +SECStatus +deleteit(CERTCertificate *cert, void *arg) +{ + return SEC_DeletePermCertificate(cert); +} + +/* Different than DeleteCertificate - has the added bonus of removing + * all certs with the same DN. + */ +SECStatus +deleteAllEntriesForCert(NSSLOWCERTCertDBHandle *handle, CERTCertificate *cert, + PRFileDesc *outfile) +{ +#if 0 + certDBEntrySubject *subjectEntry; + certDBEntryNickname *nicknameEntry; + certDBEntrySMime *smimeEntry; + int i; +#endif + + if (outfile) { + PR_fprintf(outfile, "$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$\n\n"); + PR_fprintf(outfile, "Deleting redundant certificate:\n"); + dumpCertificate(cert, -1, outfile); + } + + CERT_TraverseCertsForSubject(handle, cert->subjectList, deleteit, NULL); +#if 0 + CERT_LockDB(handle); + subjectEntry = ReadDBSubjectEntry(handle, &cert->derSubject); + /* It had better be there, or created a bad db. */ + PORT_Assert(subjectEntry); + for (i=0; i<subjectEntry->ncerts; i++) { + DeleteDBCertEntry(handle, &subjectEntry->certKeys[i]); + } + DeleteDBSubjectEntry(handle, &cert->derSubject); + if (subjectEntry->emailAddr && subjectEntry->emailAddr[0]) { + smimeEntry = ReadDBSMimeEntry(handle, subjectEntry->emailAddr); + if (smimeEntry) { + if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject, + &smimeEntry->subjectName)) + /* Only delete it if it's for this subject! */ + DeleteDBSMimeEntry(handle, subjectEntry->emailAddr); + SEC_DestroyDBEntry((certDBEntry*)smimeEntry); + } + } + if (subjectEntry->nickname) { + nicknameEntry = ReadDBNicknameEntry(handle, subjectEntry->nickname); + if (nicknameEntry) { + if (SECITEM_ItemsAreEqual(&subjectEntry->derSubject, + &nicknameEntry->subjectName)) + /* Only delete it if it's for this subject! */ + DeleteDBNicknameEntry(handle, subjectEntry->nickname); + SEC_DestroyDBEntry((certDBEntry*)nicknameEntry); + } + } + SEC_DestroyDBEntry((certDBEntry*)subjectEntry); + CERT_UnlockDB(handle); +#endif + return SECSuccess; +} + +void +getCertsToDelete(char *numlist, int len, int *certNums, int nCerts) +{ + int j, num; + char *numstr, *numend, *end; + + numstr = numlist; + end = numstr + len - 1; + while (numstr != end) { + numend = strpbrk(numstr, ", \n"); + *numend = '\0'; + if (PORT_Strlen(numstr) == 0) + return; + num = PORT_Atoi(numstr); + if (numstr == numlist) + certNums[0] = num; + for (j=1; j<nCerts+1; j++) { + if (num == certNums[j]) { + certNums[j] = -1; + break; + } + } + if (numend == end) + break; + numstr = strpbrk(numend+1, "0123456789"); + } +} + +PRBool +userSaysDeleteCert(CERTCertificate **certs, int nCerts, + int errtype, dbRestoreInfo *info, int *certNums) +{ + char response[32]; + int32 nb; + int i; + /* User wants to remove cert without prompting. */ + if (info->promptUser[errtype] == PR_FALSE) + return (info->removeType[errtype]); + switch (errtype) { + case dbInvalidCert: + PR_fprintf(PR_STDOUT, "******** Expired ********\n"); + PR_fprintf(PR_STDOUT, "Cert has expired.\n\n"); + dumpCertificate(certs[0], -1, PR_STDOUT); + PR_fprintf(PR_STDOUT, + "Keep it? (y/n - this one, Y/N - all expired certs) [n] "); + break; + case dbNoSMimeProfile: + PR_fprintf(PR_STDOUT, "******** No Profile ********\n"); + PR_fprintf(PR_STDOUT, "S/MIME cert has no profile.\n\n"); + dumpCertificate(certs[0], -1, PR_STDOUT); + PR_fprintf(PR_STDOUT, + "Keep it? (y/n - this one, Y/N - all S/MIME w/o profile) [n] "); + break; + case dbOlderCert: + PR_fprintf(PR_STDOUT, "******* Redundant nickname/email *******\n\n"); + PR_fprintf(PR_STDOUT, "These certs have the same nickname/email:\n"); + for (i=0; i<nCerts; i++) + dumpCertificate(certs[i], i, PR_STDOUT); + PR_fprintf(PR_STDOUT, + "Enter the certs you would like to keep from those listed above.\n"); + PR_fprintf(PR_STDOUT, + "Use a comma-separated list of the cert numbers (ex. 0, 8, 12).\n"); + PR_fprintf(PR_STDOUT, + "The first cert in the list will be the primary cert\n"); + PR_fprintf(PR_STDOUT, + " accessed by the nickname/email handle.\n"); + PR_fprintf(PR_STDOUT, + "List cert numbers to keep here, or hit enter\n"); + PR_fprintf(PR_STDOUT, + " to always keep only the newest cert: "); + break; + default: + } + nb = PR_Read(PR_STDIN, response, sizeof(response)); + PR_fprintf(PR_STDOUT, "\n\n"); + if (errtype == dbOlderCert) { + if (!isdigit(response[0])) { + info->promptUser[errtype] = PR_FALSE; + info->removeType[errtype] = PR_TRUE; + return PR_TRUE; + } + getCertsToDelete(response, nb, certNums, nCerts); + return PR_TRUE; + } + /* User doesn't want to be prompted for this type anymore. */ + if (response[0] == 'Y') { + info->promptUser[errtype] = PR_FALSE; + info->removeType[errtype] = PR_FALSE; + return PR_FALSE; + } else if (response[0] == 'N') { + info->promptUser[errtype] = PR_FALSE; + info->removeType[errtype] = PR_TRUE; + return PR_TRUE; + } + return (response[0] != 'y') ? PR_TRUE : PR_FALSE; +} + +SECStatus +addCertToDB(certDBEntryCert *certEntry, dbRestoreInfo *info, + NSSLOWCERTCertDBHandle *oldhandle) +{ + SECStatus rv = SECSuccess; + PRBool allowOverride; + PRBool userCert; + SECCertTimeValidity validity; + CERTCertificate *oldCert = NULL; + CERTCertificate *dbCert = NULL; + CERTCertificate *newCert = NULL; + CERTCertTrust *trust; + certDBEntrySMime *smimeEntry = NULL; + char *email = NULL; + char *nickname = NULL; + int nCertsForSubject = 1; + + oldCert = CERT_DecodeDERCertificate(&certEntry->derCert, PR_FALSE, + certEntry->nickname); + if (!oldCert) { + info->dbErrors[dbBadCertificate]++; + SEC_DestroyDBEntry((certDBEntry*)certEntry); + return SECSuccess; + } + + oldCert->dbEntry = certEntry; + oldCert->trust = &certEntry->trust; + oldCert->dbhandle = oldhandle; + + trust = oldCert->trust; + + info->nOldCerts++; + + if (info->verbose) + PR_fprintf(info->out, "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n\n"); + + if (oldCert->nickname) + nickname = PORT_Strdup(oldCert->nickname); + + /* Always keep user certs. Skip ahead. */ + /* XXX if someone sends themselves a signed message, it is possible + for their cert to be imported as an "other" cert, not a user cert. + this mucks with smime entries... */ + userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) || + (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) || + (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER); + if (userCert) + goto createcert; + + /* If user chooses so, ignore expired certificates. */ + allowOverride = (PRBool)((oldCert->keyUsage == certUsageSSLServer) || + (oldCert->keyUsage == certUsageSSLServerWithStepUp)); + validity = CERT_CheckCertValidTimes(oldCert, PR_Now(), allowOverride); + /* If cert expired and user wants to delete it, ignore it. */ + if ((validity != secCertTimeValid) && + userSaysDeleteCert(&oldCert, 1, dbInvalidCert, info, 0)) { + info->dbErrors[dbInvalidCert]++; + if (info->verbose) { + PR_fprintf(info->out, "Deleting expired certificate:\n"); + dumpCertificate(oldCert, -1, info->out); + } + goto cleanup; + } + + /* New database will already have default certs, don't attempt + to overwrite them. */ + dbCert = CERT_FindCertByDERCert(info->handle, &oldCert->derCert); + if (dbCert) { + info->nCerts++; + if (info->verbose) { + PR_fprintf(info->out, "Added certificate to database:\n"); + dumpCertificate(oldCert, -1, info->out); + } + goto cleanup; + } + + /* Determine if cert is S/MIME and get its email if so. */ + email = IsEmailCert(oldCert); + + /* + XXX Just create empty profiles? + if (email) { + SECItem *profile = CERT_FindSMimeProfile(oldCert); + if (!profile && + userSaysDeleteCert(&oldCert, 1, dbNoSMimeProfile, info, 0)) { + info->dbErrors[dbNoSMimeProfile]++; + if (info->verbose) { + PR_fprintf(info->out, + "Deleted cert missing S/MIME profile.\n"); + dumpCertificate(oldCert, -1, info->out); + } + goto cleanup; + } else { + SECITEM_FreeItem(profile); + } + } + */ + +createcert: + + /* Sometimes happens... */ + if (!nickname && userCert) + nickname = PORT_Strdup(oldCert->subjectName); + + /* Create a new certificate, copy of the old one. */ + newCert = CERT_NewTempCertificate(info->handle, &oldCert->derCert, + nickname, PR_FALSE, PR_TRUE); + if (!newCert) { + PR_fprintf(PR_STDERR, "Unable to create new certificate.\n"); + dumpCertificate(oldCert, -1, PR_STDERR); + info->dbErrors[dbBadCertificate]++; + goto cleanup; + } + + /* Add the cert to the new database. */ + rv = CERT_AddTempCertToPerm(newCert, nickname, oldCert->trust); + if (rv) { + PR_fprintf(PR_STDERR, "Failed to write temp cert to perm database.\n"); + dumpCertificate(oldCert, -1, PR_STDERR); + info->dbErrors[dbCertNotWrittenToDB]++; + goto cleanup; + } + + if (info->verbose) { + PR_fprintf(info->out, "Added certificate to database:\n"); + dumpCertificate(oldCert, -1, info->out); + } + + /* If the cert is an S/MIME cert, and the first with it's subject, + * modify the subject entry to include the email address, + * CERT_AddTempCertToPerm does not do email addresses and S/MIME entries. + */ + if (smimeEntry) { /*&& !userCert && nCertsForSubject == 1) { */ +#if 0 + UpdateSubjectWithEmailAddr(newCert, email); +#endif + SECItem emailProfile, profileTime; + rv = CERT_FindFullSMimeProfile(oldCert, &emailProfile, &profileTime); + /* calls UpdateSubjectWithEmailAddr */ + if (rv == SECSuccess) + rv = CERT_SaveSMimeProfile(newCert, &emailProfile, &profileTime); + } + + info->nCerts++; + +cleanup: + + if (nickname) + PORT_Free(nickname); + if (email) + PORT_Free(email); + if (oldCert) + CERT_DestroyCertificate(oldCert); + if (dbCert) + CERT_DestroyCertificate(dbCert); + if (newCert) + CERT_DestroyCertificate(newCert); + if (smimeEntry) + SEC_DestroyDBEntry((certDBEntry*)smimeEntry); + return SECSuccess; +} + +#if 0 +SECStatus +copyDBEntry(SECItem *data, SECItem *key, certDBEntryType type, void *pdata) +{ + SECStatus rv; + NSSLOWCERTCertDBHandle *newdb = (NSSLOWCERTCertDBHandle *)pdata; + certDBEntryCommon common; + SECItem dbkey; + + common.type = type; + common.version = CERT_DB_FILE_VERSION; + common.flags = data->data[2]; + common.arena = NULL; + + dbkey.len = key->len + SEC_DB_KEY_HEADER_LEN; + dbkey.data = (unsigned char *)PORT_Alloc(dbkey.len*sizeof(unsigned char)); + PORT_Memcpy(&dbkey.data[SEC_DB_KEY_HEADER_LEN], key->data, key->len); + dbkey.data[0] = type; + + rv = WriteDBEntry(newdb, &common, &dbkey, data); + + PORT_Free(dbkey.data); + return rv; +} +#endif + +int +certIsOlder(CERTCertificate **cert1, CERTCertificate** cert2) +{ + return !CERT_IsNewer(*cert1, *cert2); +} + +int +findNewestSubjectForEmail(NSSLOWCERTCertDBHandle *handle, int subjectNum, + certDBArray *dbArray, dbRestoreInfo *info, + int *subjectWithSMime, int *smimeForSubject) +{ + int newestSubject; + int subjectsForEmail[50]; + int i, j, ns, sNum; + certDBEntryListNode *subjects = &dbArray->subjects; + certDBEntryListNode *smime = &dbArray->smime; + certDBEntrySubject *subjectEntry1, *subjectEntry2; + certDBEntrySMime *smimeEntry; + CERTCertificate **certs; + CERTCertificate *cert; + CERTCertTrust *trust; + PRBool userCert; + int *certNums; + + ns = 0; + subjectEntry1 = (certDBEntrySubject*)&subjects.entries[subjectNum]; + subjectsForEmail[ns++] = subjectNum; + + *subjectWithSMime = -1; + *smimeForSubject = -1; + newestSubject = subjectNum; + + cert = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]); + if (cert) { + trust = cert->trust; + userCert = (SEC_GET_TRUST_FLAGS(trust, trustSSL) & CERTDB_USER) || + (SEC_GET_TRUST_FLAGS(trust, trustEmail) & CERTDB_USER) || + (SEC_GET_TRUST_FLAGS(trust, trustObjectSigning) & CERTDB_USER); + CERT_DestroyCertificate(cert); + } + + /* + * XXX Should we make sure that subjectEntry1->emailAddr is not + * a null pointer or an empty string before going into the next + * two for loops, which pass it to PORT_Strcmp? + */ + + /* Loop over the remaining subjects. */ + for (i=subjectNum+1; i<subjects.numEntries; i++) { + subjectEntry2 = (certDBEntrySubject*)&subjects.entries[i]; + if (!subjectEntry2) + continue; + if (subjectEntry2->emailAddr && subjectEntry2->emailAddr[0] && + PORT_Strcmp(subjectEntry1->emailAddr, + subjectEntry2->emailAddr) == 0) { + /* Found a subject using the same email address. */ + subjectsForEmail[ns++] = i; + } + } + + /* Find the S/MIME entry for this email address. */ + for (i=0; i<smime.numEntries; i++) { + smimeEntry = (certDBEntrySMime*)&smime.entries[i]; + if (smimeEntry->common.arena == NULL) + continue; + if (smimeEntry->emailAddr && smimeEntry->emailAddr[0] && + PORT_Strcmp(subjectEntry1->emailAddr, smimeEntry->emailAddr) == 0) { + /* Find which of the subjects uses this S/MIME entry. */ + for (j=0; j<ns && *subjectWithSMime < 0; j++) { + sNum = subjectsForEmail[j]; + subjectEntry2 = (certDBEntrySubject*)&subjects.entries[sNum]; + if (SECITEM_ItemsAreEqual(&smimeEntry->subjectName, + &subjectEntry2->derSubject)) { + /* Found the subject corresponding to the S/MIME entry. */ + *subjectWithSMime = sNum; + *smimeForSubject = i; + } + } + SEC_DestroyDBEntry((certDBEntry*)smimeEntry); + PORT_Memset(smimeEntry, 0, sizeof(certDBEntry)); + break; + } + } + + if (ns <= 1) + return subjectNum; + + if (userCert) + return *subjectWithSMime; + + /* Now find which of the subjects has the newest cert. */ + certs = (CERTCertificate**)PORT_Alloc(ns*sizeof(CERTCertificate*)); + certNums = (int*)PORT_Alloc((ns+1)*sizeof(int)); + certNums[0] = 0; + for (i=0; i<ns; i++) { + sNum = subjectsForEmail[i]; + subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum]; + certs[i] = CERT_FindCertByKey(handle, &subjectEntry1->certKeys[0]); + certNums[i+1] = i; + } + /* Sort the array by validity. */ + qsort(certs, ns, sizeof(CERTCertificate*), + (int (*)(const void *, const void *))certIsOlder); + newestSubject = -1; + for (i=0; i<ns; i++) { + sNum = subjectsForEmail[i]; + subjectEntry1 = (certDBEntrySubject*)&subjects.entries[sNum]; + if (SECITEM_ItemsAreEqual(&subjectEntry1->derSubject, + &certs[0]->derSubject)) + newestSubject = sNum; + else + SEC_DestroyDBEntry((certDBEntry*)subjectEntry1); + } + if (info && userSaysDeleteCert(certs, ns, dbOlderCert, info, certNums)) { + for (i=1; i<ns+1; i++) { + if (certNums[i] >= 0 && certNums[i] != certNums[0]) { + deleteAllEntriesForCert(handle, certs[certNums[i]], info->out); + info->dbErrors[dbOlderCert]++; + } + } + } + CERT_DestroyCertArray(certs, ns); + return newestSubject; +} + +NSSLOWCERTCertDBHandle * +DBCK_ReconstructDBFromCerts(NSSLOWCERTCertDBHandle *oldhandle, char *newdbname, + PRFileDesc *outfile, PRBool removeExpired, + PRBool requireProfile, PRBool singleEntry, + PRBool promptUser) +{ + SECStatus rv; + dbRestoreInfo info; + certDBEntryContentVersion *oldContentVersion; + certDBArray dbArray; + int i; + + PORT_Memset(&dbArray, 0, sizeof(dbArray)); + PORT_Memset(&info, 0, sizeof(info)); + info.verbose = (outfile) ? PR_TRUE : PR_FALSE; + info.out = (outfile) ? outfile : PR_STDOUT; + info.removeType[dbInvalidCert] = removeExpired; + info.removeType[dbNoSMimeProfile] = requireProfile; + info.removeType[dbOlderCert] = singleEntry; + info.promptUser[dbInvalidCert] = promptUser; + info.promptUser[dbNoSMimeProfile] = promptUser; + info.promptUser[dbOlderCert] = promptUser; + + /* Allocate a handle to fill with CERT_OpenCertDB below. */ + info.handle = PORT_ZNew(NSSLOWCERTCertDBHandle); + if (!info.handle) { + fprintf(stderr, "unable to get database handle"); + return NULL; + } + + /* Create a certdb with the most recent set of roots. */ + rv = CERT_OpenCertDBFilename(info.handle, newdbname, PR_FALSE); + + if (rv) { + fprintf(stderr, "could not open certificate database"); + goto loser; + } + + /* Create certificate, subject, nickname, and email records. + * mcom_db seems to have a sequential access bug. Though reads and writes + * should be allowed during traversal, they seem to screw up the sequence. + * So, stuff all the cert entries into an array, and loop over the array + * doing read/writes in the db. + */ + fillDBEntryArray(oldhandle, certDBEntryTypeCert, &dbArray.certs); + for (elem = PR_LIST_HEAD(&dbArray->certs.link); + elem != &dbArray->certs.link; elem = PR_NEXT_LINK(elem)) { + node = LISTNODE_CAST(elem); + addCertToDB((certDBEntryCert*)&node->entry, &info, oldhandle); + /* entries get destroyed in addCertToDB */ + } +#if 0 + rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeSMimeProfile, + copyDBEntry, info.handle); +#endif + + /* Fix up the pointers between (nickname|S/MIME) --> (subject). + * Create S/MIME entries for S/MIME certs. + * Have the S/MIME entry point to the last-expiring cert using + * an email address. + */ +#if 0 + CERT_RedoHandlesForSubjects(info.handle, singleEntry, &info); +#endif + + freeDBEntryList(&dbArray.certs.link); + + /* Copy over the version record. */ + /* XXX Already exists - and _must_ be correct... */ + /* + versionEntry = ReadDBVersionEntry(oldhandle); + rv = WriteDBVersionEntry(info.handle, versionEntry); + */ + + /* Copy over the content version record. */ + /* XXX Can probably get useful info from old content version? + * Was this db created before/after this tool? etc. + */ +#if 0 + oldContentVersion = ReadDBContentVersionEntry(oldhandle); + CERT_SetDBContentVersion(oldContentVersion->contentVersion, info.handle); +#endif + +#if 0 + /* Copy over the CRL & KRL records. */ + rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeRevocation, + copyDBEntry, info.handle); + /* XXX Only one KRL, just do db->get? */ + rv = nsslowcert_TraverseDBEntries(oldhandle, certDBEntryTypeKeyRevocation, + copyDBEntry, info.handle); +#endif + + PR_fprintf(info.out, "Database had %d certificates.\n", info.nOldCerts); + + PR_fprintf(info.out, "Reconstructed %d certificates.\n", info.nCerts); + PR_fprintf(info.out, "(ax) Rejected %d expired certificates.\n", + info.dbErrors[dbInvalidCert]); + PR_fprintf(info.out, "(as) Rejected %d S/MIME certificates missing a profile.\n", + info.dbErrors[dbNoSMimeProfile]); + PR_fprintf(info.out, "(ar) Rejected %d certificates for which a newer certificate was found.\n", + info.dbErrors[dbOlderCert]); + PR_fprintf(info.out, " Rejected %d corrupt certificates.\n", + info.dbErrors[dbBadCertificate]); + PR_fprintf(info.out, " Rejected %d certificates which did not write to the DB.\n", + info.dbErrors[dbCertNotWrittenToDB]); + + if (rv) + goto loser; + + return info.handle; + +loser: + if (info.handle) + PORT_Free(info.handle); + return NULL; +} + diff --git a/security/nss/cmd/fipstest/Makefile b/security/nss/cmd/fipstest/Makefile index 60f791f6c..3b8ea808a 100755 --- a/security/nss/cmd/fipstest/Makefile +++ b/security/nss/cmd/fipstest/Makefile @@ -62,10 +62,9 @@ include $(CORE_DEPTH)/coreconf/config.mk include ../platlibs.mk -#EXTRA_SHARED_LIBS += \ -# -L/usr/lib \ -# -lposix4 \ -# $(NULL) +ifdef NSS_ENABLE_ECC +DEFINES += -DNSS_ENABLE_ECC +endif ####################################################################### # (5) Execute "global" rules. (OPTIONAL) # diff --git a/security/nss/cmd/fipstest/dsa.sh b/security/nss/cmd/fipstest/dsa.sh new file mode 100755 index 000000000..50dd20d4a --- /dev/null +++ b/security/nss/cmd/fipstest/dsa.sh @@ -0,0 +1,34 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST DSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +request=KeyPair.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa keypair $request > $response + +request=PQGGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa pqggen $request > $response + +request=PQGVer.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa pqgver $request > $response + +request=SigGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa siggen $request > $response + +request=SigVer.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest dsa sigver $request > $response diff --git a/security/nss/cmd/fipstest/ecdsa.sh b/security/nss/cmd/fipstest/ecdsa.sh new file mode 100644 index 000000000..306c8650f --- /dev/null +++ b/security/nss/cmd/fipstest/ecdsa.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST ECDSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +request=KeyPair.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa keypair $request > $response + +request=PKV.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa pkv $request > $response + +request=SigGen.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa siggen $request > $response + +request=SigVer.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest ecdsa sigver $request > $response diff --git a/security/nss/cmd/fipstest/fipstest.c b/security/nss/cmd/fipstest/fipstest.c index bea7f2e72..c602cbc2d 100644 --- a/security/nss/cmd/fipstest/fipstest.c +++ b/security/nss/cmd/fipstest/fipstest.c @@ -41,298 +41,25 @@ #include "secitem.h" #include "blapi.h" #include "nss.h" +#include "secerr.h" +#include "secoidt.h" +#include "keythi.h" +#include "ec.h" #if 0 #include "../../lib/freebl/mpi/mpi.h" #endif -static const unsigned char -table3[32][8] = { - { 0x10, 0x46, 0x91, 0x34, 0x89, 0x98, 0x01, 0x31 }, - { 0x10, 0x07, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 }, - { 0x10, 0x07, 0x10, 0x34, 0xc8, 0x98, 0x01, 0x20 }, - { 0x10, 0x46, 0x10, 0x34, 0x89, 0x98, 0x80, 0x20 }, - { 0x10, 0x86, 0x91, 0x15, 0x19, 0x19, 0x01, 0x01 }, - { 0x10, 0x86, 0x91, 0x15, 0x19, 0x58, 0x01, 0x01 }, - { 0x51, 0x07, 0xb0, 0x15, 0x19, 0x58, 0x01, 0x01 }, - { 0x10, 0x07, 0xb0, 0x15, 0x19, 0x19, 0x01, 0x01 }, - { 0x31, 0x07, 0x91, 0x54, 0x98, 0x08, 0x01, 0x01 }, - { 0x31, 0x07, 0x91, 0x94, 0x98, 0x08, 0x01, 0x01 }, - { 0x10, 0x07, 0x91, 0x15, 0xb9, 0x08, 0x01, 0x40 }, - { 0x31, 0x07, 0x91, 0x15, 0x98, 0x08, 0x01, 0x40 }, - { 0x10, 0x07, 0xd0, 0x15, 0x89, 0x98, 0x01, 0x01 }, - { 0x91, 0x07, 0x91, 0x15, 0x89, 0x98, 0x01, 0x01 }, - { 0x91, 0x07, 0xd0, 0x15, 0x89, 0x19, 0x01, 0x01 }, - { 0x10, 0x07, 0xd0, 0x15, 0x98, 0x98, 0x01, 0x20 }, - { 0x10, 0x07, 0x94, 0x04, 0x98, 0x19, 0x01, 0x01 }, - { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x04, 0x01 }, - { 0x01, 0x07, 0x91, 0x04, 0x91, 0x19, 0x01, 0x01 }, - { 0x01, 0x07, 0x94, 0x04, 0x91, 0x19, 0x04, 0x01 }, - { 0x19, 0x07, 0x92, 0x10, 0x98, 0x1a, 0x01, 0x01 }, - { 0x10, 0x07, 0x91, 0x19, 0x98, 0x19, 0x08, 0x01 }, - { 0x10, 0x07, 0x91, 0x19, 0x98, 0x1a, 0x08, 0x01 }, - { 0x10, 0x07, 0x92, 0x10, 0x98, 0x19, 0x01, 0x01 }, - { 0x10, 0x07, 0x91, 0x15, 0x98, 0x19, 0x01, 0x0b }, - { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x01 }, - { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x02 }, - { 0x10, 0x04, 0x80, 0x15, 0x98, 0x19, 0x01, 0x08 }, - { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x01, 0x04 }, - { 0x10, 0x02, 0x91, 0x15, 0x98, 0x19, 0x01, 0x04 }, - { 0x10, 0x02, 0x91, 0x15, 0x98, 0x10, 0x02, 0x01 }, - { 0x10, 0x02, 0x91, 0x16, 0x98, 0x10, 0x01, 0x01 } -}; - -static const unsigned char -table4_key[19][8] = { - { 0x7c, 0xa1, 0x10, 0x45, 0x4a, 0x1a, 0x6e, 0x57 }, - { 0x01, 0x31, 0xd9, 0x61, 0x9d, 0xc1, 0x37, 0x6e }, - { 0x07, 0xa1, 0x13, 0x3e, 0x4a, 0x0b, 0x26, 0x86 }, - { 0x38, 0x49, 0x67, 0x4c, 0x26, 0x02, 0x31, 0x9e }, - { 0x04, 0xb9, 0x15, 0xba, 0x43, 0xfe, 0xb5, 0xb6 }, - { 0x01, 0x13, 0xb9, 0x70, 0xfd, 0x34, 0xf2, 0xce }, - { 0x01, 0x70, 0xf1, 0x75, 0x46, 0x8f, 0xb5, 0xe6 }, - { 0x43, 0x29, 0x7f, 0xad, 0x38, 0xe3, 0x73, 0xfe }, - { 0x07, 0xa7, 0x13, 0x70, 0x45, 0xda, 0x2a, 0x16 }, - { 0x04, 0x68, 0x91, 0x04, 0xc2, 0xfd, 0x3b, 0x2f }, - { 0x37, 0xd0, 0x6b, 0xb5, 0x16, 0xcb, 0x75, 0x46 }, - { 0x1f, 0x08, 0x26, 0x0d, 0x1a, 0xc2, 0x46, 0x5e }, - { 0x58, 0x40, 0x23, 0x64, 0x1a, 0xba, 0x61, 0x76 }, - { 0x02, 0x58, 0x16, 0x16, 0x46, 0x29, 0xb0, 0x07 }, - { 0x49, 0x79, 0x3e, 0xbc, 0x79, 0xb3, 0x25, 0x8f }, - { 0x4f, 0xb0, 0x5e, 0x15, 0x15, 0xab, 0x73, 0xa7 }, - { 0x49, 0xe9, 0x5d, 0x6d, 0x4c, 0xa2, 0x29, 0xbf }, - { 0x01, 0x83, 0x10, 0xdc, 0x40, 0x9b, 0x26, 0xd6 }, - { 0x1c, 0x58, 0x7f, 0x1c, 0x13, 0x92, 0x4f, 0xef } -}; - -static const unsigned char -table4_inp[19][8] = { - { 0x01, 0xa1, 0xd6, 0xd0, 0x39, 0x77, 0x67, 0x42 }, - { 0x5c, 0xd5, 0x4c, 0xa8, 0x3d, 0xef, 0x57, 0xda }, - { 0x02, 0x48, 0xd4, 0x38, 0x06, 0xf6, 0x71, 0x72 }, - { 0x51, 0x45, 0x4b, 0x58, 0x2d, 0xdf, 0x44, 0x0a }, - { 0x42, 0xfd, 0x44, 0x30, 0x59, 0x57, 0x7f, 0xa2 }, - { 0x05, 0x9b, 0x5e, 0x08, 0x51, 0xcf, 0x14, 0x3a }, - { 0x07, 0x56, 0xd8, 0xe0, 0x77, 0x47, 0x61, 0xd2 }, - { 0x76, 0x25, 0x14, 0xb8, 0x29, 0xbf, 0x48, 0x6a }, - { 0x3b, 0xdd, 0x11, 0x90, 0x49, 0x37, 0x28, 0x02 }, - { 0x26, 0x95, 0x5f, 0x68, 0x35, 0xaf, 0x60, 0x9a }, - { 0x16, 0x4d, 0x5e, 0x40, 0x4f, 0x27, 0x52, 0x32 }, - { 0x6b, 0x05, 0x6e, 0x18, 0x75, 0x9f, 0x5c, 0xca }, - { 0x00, 0x4b, 0xd6, 0xef, 0x09, 0x17, 0x60, 0x62 }, - { 0x48, 0x0d, 0x39, 0x00, 0x6e, 0xe7, 0x62, 0xf2 }, - { 0x43, 0x75, 0x40, 0xc8, 0x69, 0x8f, 0x3c, 0xfa }, - { 0x07, 0x2d, 0x43, 0xa0, 0x77, 0x07, 0x52, 0x92 }, - { 0x02, 0xfe, 0x55, 0x77, 0x81, 0x17, 0xf1, 0x2a }, - { 0x1d, 0x9d, 0x5c, 0x50, 0x18, 0xf7, 0x28, 0xc2 }, - { 0x30, 0x55, 0x32, 0x28, 0x6d, 0x6f, 0x29, 0x5a } -}; +#ifdef NSS_ENABLE_ECC +extern SECStatus +EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); +#endif -static const unsigned char -des_ecb_enc_sample_key[8] = { 0x97, 0xae, 0x43, 0x08, 0xb6, 0xa8, 0x7a, 0x08 }; -static const unsigned char -des_ecb_enc_sample_inp[8] = { 0xcf, 0xcd, 0x91, 0xf1, 0xb3, 0x40, 0xc9, 0x91 }; - -static const unsigned char -des_ecb_dec_sample_key[8] = { 0x0b, 0x8c, 0x38, 0xef, 0x52, 0x01, 0xda, 0x13 }; -static const unsigned char -des_ecb_dec_sample_inp[8] = { 0x58, 0x0b, 0x39, 0x57, 0x3d, 0x9b, 0x8d, 0xdf }; - -static const unsigned char -des_cbc_enc_sample_key[8] = { 0x58, 0x62, 0xd3, 0xf8, 0x04, 0xe9, 0xb3, 0x98 }; -static const unsigned char -des_cbc_enc_sample_iv[8] = { 0xac, 0xcf, 0x45, 0x4c, 0x1a, 0x28, 0x68, 0xcf }; -static const unsigned char -des_cbc_enc_sample_inp[8] = { 0xf1, 0x55, 0x47, 0x63, 0x76, 0x0e, 0x43, 0xa9 }; - -static const unsigned char -des_cbc_dec_sample_key[8] = { 0x64, 0x6d, 0x02, 0x75, 0xe9, 0x34, 0xe6, 0x7a }; -static const unsigned char -des_cbc_dec_sample_iv[8] = { 0xb4, 0x32, 0xa3, 0x8c, 0xd5, 0xe3, 0x20, 0x1a }; -static const unsigned char -des_cbc_dec_sample_inp[8] = { 0x5a, 0xfe, 0xe8, 0xf2, 0xf6, 0x63, 0x4f, 0xb6 }; - -static const unsigned char -tdea_ecb_enc_sample_key[24] = { - 0x0b, 0x62, 0x7f, 0x67, 0xea, 0xda, 0x0b, 0x34, - 0x08, 0x07, 0x3b, 0xc8, 0x8c, 0x23, 0x1a, 0xb6, - 0x75, 0x0b, 0x9e, 0x57, 0x83, 0xf4, 0xe6, 0xa4 }; -static const unsigned char -tdea_ecb_enc_sample_inp[8] = { 0x44, 0x15, 0x7a, 0xb0, 0x0a, 0x78, 0x6d, 0xbf }; - -static const unsigned char -tdea_ecb_dec_sample_key[24] = { - 0x91, 0xe5, 0x07, 0xba, 0x01, 0x01, 0xb6, 0xdc, - 0x0e, 0x51, 0xf1, 0xd0, 0x25, 0xc2, 0xc2, 0x1c, - 0x1f, 0x54, 0x2f, 0xa1, 0xf8, 0xce, 0xda, 0x89 }; -static const unsigned char -tdea_ecb_dec_sample_inp[8] = { 0x66, 0xe8, 0x72, 0x0d, 0x42, 0x85, 0x4b, 0xba }; - -static const unsigned char -tdea_cbc_enc_sample_key[24] = { - 0xd5, 0xe5, 0x61, 0x61, 0xb0, 0xc4, 0xa4, 0x25, - 0x45, 0x1a, 0x15, 0x67, 0xa4, 0x89, 0x6b, 0xc4, - 0x3b, 0x54, 0x1a, 0x4c, 0x1a, 0xb5, 0x49, 0x0d }; -static const unsigned char -tdea_cbc_enc_sample_iv[8] = { 0x5a, 0xb2, 0xa7, 0x3e, 0xc4, 0x3c, 0xe7, 0x1e }; -static const unsigned char -tdea_cbc_enc_sample_inp[8] = { 0x9e, 0x76, 0x87, 0x7c, 0x54, 0x14, 0xab, 0x50 }; - -static const unsigned char -tdea_cbc_dec_sample_key[24] = { - 0xf8, 0x25, 0xcd, 0x02, 0xc7, 0x76, 0xe6, 0xce, - 0x9e, 0x16, 0xe6, 0x40, 0x7f, 0xcd, 0x01, 0x80, - 0x5b, 0x38, 0xc4, 0xe0, 0xb5, 0x6e, 0x94, 0x61 }; -static const unsigned char -tdea_cbc_dec_sample_iv[8] = { 0x74, 0x3e, 0xdc, 0xc2, 0xc6, 0xc4, 0x18, 0xe3 }; -static const unsigned char -tdea_cbc_dec_sample_inp[8] = { 0xbe, 0x47, 0xd1, 0x77, 0xa5, 0xe8, 0x29, 0xfb }; - - -static const unsigned char -des_ecb_enc_key[8] = { 0x49, 0x45, 0xd9, 0x3d, 0x83, 0xcd, 0x61, 0x9b }; -static const unsigned char -des_ecb_enc_inp[8] = { 0x81, 0xf2, 0x12, 0x0d, 0x99, 0x04, 0x5d, 0x16 }; - -static const unsigned char -des_ecb_dec_key[8] = { 0x7a, 0x6b, 0x61, 0x76, 0xc8, 0x85, 0x43, 0x31 }; -static const unsigned char -des_ecb_dec_inp[8] = { 0xef, 0xe4, 0x6e, 0x4f, 0x4f, 0xc3, 0x28, 0xcc }; - -static const unsigned char -des_cbc_enc_key[8] = { 0xc8, 0x5e, 0xfd, 0xa7, 0xa7, 0xc2, 0xc4, 0x0d }; -static const unsigned char -des_cbc_enc_iv[8] = { 0x4c, 0xb9, 0xcf, 0x46, 0xff, 0x7a, 0x3d, 0xff }; -static const unsigned char -des_cbc_enc_inp[8] = { 0x80, 0x1b, 0x24, 0x9b, 0x24, 0x0e, 0xa5, 0x96 }; - -static const unsigned char -des_cbc_dec_key[8] = { 0x2c, 0x3d, 0xa1, 0x67, 0x4c, 0xfb, 0x85, 0x23 }; -static const unsigned char -des_cbc_dec_iv[8] = { 0x7a, 0x0a, 0xc2, 0x15, 0x1d, 0x22, 0x98, 0x3a }; -static const unsigned char -des_cbc_dec_inp[8] = { 0x2d, 0x5d, 0x02, 0x04, 0x98, 0x5d, 0x5e, 0x28 }; - -static const unsigned char -tdea1_ecb_enc_key[24] = { - 0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4, - 0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4, - 0x89, 0xcd, 0xd3, 0xf1, 0x01, 0xc1, 0x1a, 0xf4 }; - -static const unsigned char -tdea1_ecb_enc_inp[8] = { 0xe5, 0x8c, 0x48, 0xf0, 0x91, 0x4e, 0xeb, 0x87 }; - -static const unsigned char -tdea1_ecb_dec_key[24] = { - 0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37, - 0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37, - 0xbf, 0x86, 0x94, 0xe0, 0x83, 0x46, 0x70, 0x37 }; - -static const unsigned char -tdea1_ecb_dec_inp[8] = { 0x35, 0x7a, 0x6c, 0x05, 0xe0, 0x8c, 0x3d, 0xb7 }; - -static const unsigned char -tdea1_cbc_enc_key[24] = { - 0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94, - 0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94, - 0x46, 0xf1, 0x6d, 0xbf, 0xe3, 0xd5, 0xd3, 0x94 }; - - -static const unsigned char -tdea1_cbc_enc_iv[8] = { 0xf7, 0x3e, 0x14, 0x05, 0x88, 0xeb, 0x2e, 0x96 }; -static const unsigned char -tdea1_cbc_enc_inp[8] = { 0x18, 0x1b, 0xdf, 0x18, 0x10, 0xb2, 0xe0, 0x05 }; - -static const unsigned char -tdea1_cbc_dec_key[24] = { - 0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c, - 0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c, - 0x83, 0xd0, 0x54, 0xa2, 0x92, 0xe9, 0x6e, 0x7c }; - - -static const unsigned char -tdea1_cbc_dec_iv[8] = { 0xb9, 0x65, 0x4a, 0x94, 0xba, 0x6a, 0x66, 0xf9 }; -static const unsigned char -tdea1_cbc_dec_inp[8] = { 0xce, 0xb8, 0x30, 0x95, 0xac, 0x82, 0xdf, 0x9b }; - -static const unsigned char -tdea2_ecb_enc_key[24] = { - 0x79, 0x98, 0x4a, 0xe9, 0x23, 0xad, 0x10, 0xda, - 0x16, 0x3e, 0xb5, 0xfe, 0xcd, 0x52, 0x20, 0x01, - 0x79, 0x98, 0x4a, 0xe9, 0x23, 0xad, 0x10, 0xda }; -static const unsigned char -tdea2_ecb_enc_inp[8] = { 0x99, 0xd2, 0xca, 0xe8, 0xa7, 0x90, 0x13, 0xc2 }; - -static const unsigned char -tdea2_ecb_dec_key[24] = { - 0x98, 0xcd, 0x29, 0x52, 0x85, 0x91, 0x75, 0xe3, - 0xab, 0x29, 0xe3, 0x10, 0xa2, 0x10, 0x04, 0x58, - 0x98, 0xcd, 0x29, 0x52, 0x85, 0x91, 0x75, 0xe3 }; - -static const unsigned char -tdea2_ecb_dec_inp[8] = { 0xc0, 0x35, 0x24, 0x1f, 0xc9, 0x29, 0x5c, 0x7a }; - -static const unsigned char -tdea2_cbc_enc_key[24] = { - 0xba, 0x5d, 0x70, 0xf8, 0x08, 0x13, 0xb0, 0x4c, - 0xf8, 0x46, 0xa8, 0xce, 0xe6, 0xb3, 0x08, 0x02, - 0xba, 0x5d, 0x70, 0xf8, 0x08, 0x13, 0xb0, 0x4c }; - - -static const unsigned char -tdea2_cbc_enc_iv[8] = { 0xe8, 0x39, 0xd7, 0x3a, 0x8d, 0x8c, 0x59, 0x8a }; -static const unsigned char -tdea2_cbc_enc_inp[8] = { 0x6e, 0x85, 0x0a, 0x4c, 0x86, 0x86, 0x70, 0x23 }; - -static const unsigned char -tdea2_cbc_dec_key[24] = { - 0x25, 0xf8, 0x9e, 0x7a, 0xef, 0x26, 0xb5, 0x9e, - 0x46, 0x32, 0x19, 0x9b, 0xea, 0x1c, 0x19, 0xad, - 0x25, 0xf8, 0x9e, 0x7a, 0xef, 0x26, 0xb5, 0x9e }; - - -static const unsigned char -tdea2_cbc_dec_iv[8] = { 0x48, 0x07, 0x6f, 0xf9, 0x05, 0x14, 0xc1, 0xdc }; -static const unsigned char -tdea2_cbc_dec_inp[8] = { 0x9e, 0xf4, 0x10, 0x55, 0xe8, 0x7e, 0x7e, 0x25 }; - -static const unsigned char -tdea3_ecb_enc_key[24] = { - 0x6d, 0x37, 0x16, 0x31, 0x6e, 0x02, 0x83, 0xb6, - 0xf7, 0x16, 0xa2, 0x64, 0x57, 0x8c, 0xae, 0x34, - 0xd0, 0xce, 0x38, 0xb6, 0x31, 0x5e, 0xae, 0x1a }; -static const unsigned char -tdea3_ecb_enc_inp[8] = { 0x28, 0x8a, 0x45, 0x22, 0x53, 0x95, 0xba, 0x3c }; - -static const unsigned char -tdea3_ecb_dec_key[24] = { - 0xb0, 0x75, 0x92, 0x2c, 0xfd, 0x67, 0x8a, 0x26, - 0xc8, 0xba, 0xad, 0x68, 0xb6, 0xba, 0x92, 0x49, - 0xe3, 0x2c, 0xec, 0x83, 0x34, 0xe6, 0xda, 0x98 }; -static const unsigned char -tdea3_ecb_dec_inp[8] = { 0x03, 0xcc, 0xe6, 0x65, 0xf6, 0xc5, 0xc3, 0xba }; - -static const unsigned char -tdea3_cbc_enc_key[24] = { - 0x01, 0x32, 0x73, 0xe9, 0xcb, 0x8a, 0x89, 0x80, - 0x02, 0x7a, 0xc1, 0x5d, 0xf4, 0xd5, 0x6b, 0x76, - 0x2f, 0xef, 0xfd, 0x58, 0x57, 0x1a, 0xce, 0x29 }; -static const unsigned char -tdea3_cbc_enc_iv[8] = { 0x93, 0x98, 0x7c, 0x66, 0x98, 0x21, 0x5b, 0x9e }; -static const unsigned char -tdea3_cbc_enc_inp[8] = { 0x16, 0x54, 0x09, 0xd2, 0x2c, 0xad, 0x6d, 0x99 }; - -static const unsigned char -tdea3_cbc_dec_key[24] = { - 0x57, 0x70, 0x3b, 0x4f, 0xae, 0xe6, 0x9d, 0x0e, - 0x4c, 0x3b, 0x23, 0xcd, 0x54, 0x20, 0xbc, 0x58, - 0x3b, 0x8a, 0x4a, 0xf1, 0x73, 0xf8, 0xf8, 0x38 }; -static const unsigned char -tdea3_cbc_dec_iv[8] = { 0x5f, 0x62, 0xe4, 0xea, 0xa7, 0xb2, 0xb5, 0x70 }; -static const unsigned char -tdea3_cbc_dec_inp[8] = { 0x44, 0xb3, 0xe6, 0x3b, 0x1f, 0xbb, 0x43, 0x02 }; +#define ENCRYPT 1 +#define DECRYPT 0 +#define BYTE unsigned char SECStatus -hex_from_2char(unsigned char *c2, unsigned char *byteval) +hex_from_2char(const unsigned char *c2, unsigned char *byteval) { int i; unsigned char offset; @@ -381,463 +108,778 @@ to_hex_str(char *str, const unsigned char *buf, unsigned int len) } void -to_hex_str_cap(char *str, unsigned char *buf, unsigned int len) +to_hex_str_cap(char *str, const unsigned char *buf, unsigned int len) { unsigned int i; for (i=0; i<len; i++) { char2_from_hex(buf[i], &str[2*i], 'A'); } + str[2*len] = '\0'; } -void -des_var_pt_kat(int mode, PRBool encrypt, unsigned int len, - unsigned char *key, unsigned char *iv, - unsigned char *inp) +/* + * Convert a string of hex digits (str) to an array (buf) of len bytes. + * Return PR_TRUE if the hex string can fit in the byte array. Return + * PR_FALSE if the hex string is empty or is too long. + */ +PRBool +from_hex_str(unsigned char *buf, unsigned int len, const char *str) { - int i; - unsigned int olen, mbnum = 0; - unsigned char mod_byte = 0x80; - unsigned char in[8]; - unsigned char out[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL, *cx2 = NULL; - memset(in, 0, sizeof in); - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - in[mbnum] = mod_byte; - for (i=1; i<=64; i++) { - cx1 = DES_CreateContext(key, iv, mode, PR_TRUE); - if (!encrypt) { - cx2 = DES_CreateContext(key, iv, mode, PR_FALSE); - } - if (len > 8) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, key, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, key+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, key+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, key, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, iv, 8); - printf("IV=%s%c", ivstr, tchar); - } - DES_Encrypt(cx1, out, &olen, 8, in, 8); - if (encrypt) { - to_hex_str(instr, in, 8); - to_hex_str(outstr, out, 8); - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - unsigned char inv[8]; - DES_Decrypt(cx2, inv, &olen, 8, out, 8); - to_hex_str(instr, out, 8); - to_hex_str(outstr, inv, 8); - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); + unsigned int nxdigit; /* number of hex digits in str */ + unsigned int i; /* index into buf */ + unsigned int j; /* index into str */ + + /* count the hex digits */ + nxdigit = 0; + for (nxdigit = 0; isxdigit(str[nxdigit]); nxdigit++) { + /* empty body */ + } + if (nxdigit == 0) { + return PR_FALSE; + } + if (nxdigit > 2*len) { + /* + * The input hex string is too long, but we allow it if the + * extra digits are leading 0's. + */ + for (j = 0; j < nxdigit-2*len; j++) { + if (str[j] != '0') { + return PR_FALSE; + } } - if (mod_byte > 0x01) { - mod_byte >>= 1; + /* skip leading 0's */ + str += nxdigit-2*len; + nxdigit = 2*len; + } + for (i=0, j=0; i< len; i++) { + if (2*i < 2*len-nxdigit) { + /* Handle a short input as if we padded it with leading 0's. */ + if (2*i+1 < 2*len-nxdigit) { + buf[i] = 0; + } else { + char tmp[2]; + tmp[0] = '0'; + tmp[1] = str[j]; + hex_from_2char(tmp, &buf[i]); + j++; + } } else { - in[mbnum] = 0x00; - mod_byte = 0x80; - mbnum++; - } - in[mbnum] = mod_byte; - DES_DestroyContext(cx1, PR_TRUE); - if (cx2) { - DES_DestroyContext(cx2, PR_TRUE); + hex_from_2char(&str[j], &buf[i]); + j += 2; } } + return PR_TRUE; } -void -des_inv_perm_kat(int mode, PRBool encrypt, unsigned int len, - unsigned char *key, unsigned char *iv, - unsigned char *inp) +SECStatus +tdea_encrypt_buf( + int mode, + const unsigned char *key, + const unsigned char *iv, + unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen, + const unsigned char *input, unsigned int inputlen) { - int i; - unsigned int olen, mbnum = 0; - unsigned char mod_byte = 0x80; - unsigned char in[8]; - unsigned char out[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL, *cx2 = NULL; - memset(in, 0, sizeof in); - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - in[mbnum] = mod_byte; - for (i=1; i<=64; i++) { - if (encrypt) { - cx1 = DES_CreateContext(key, iv, mode, PR_TRUE); - cx2 = DES_CreateContext(key, iv, mode, PR_TRUE); - } else { - cx1 = DES_CreateContext(key, iv, mode, PR_FALSE); - } - if (len > 8) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, key, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, key+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, key+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, key, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, iv, 8); - printf("IV=%s%c", ivstr, tchar); - } - if (encrypt) { - unsigned char inv[8]; - DES_Encrypt(cx1, out, &olen, 8, in, 8); - DES_Encrypt(cx2, inv, &olen, 8, out, 8); - to_hex_str(instr, out, 8); - to_hex_str(outstr, inv, 8); - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - DES_Decrypt(cx1, out, &olen, 8, in, 8); - to_hex_str(instr, in, 8); - to_hex_str(outstr, out, 8); - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); - } - if (mod_byte > 0x01) { - mod_byte >>= 1; - } else { - in[mbnum] = 0x00; - mod_byte = 0x80; - mbnum++; - } - in[mbnum] = mod_byte; - DES_DestroyContext(cx1, PR_TRUE); - if (cx2) { - DES_DestroyContext(cx2, PR_TRUE); - } + SECStatus rv = SECFailure; + DESContext *cx; + unsigned char doublecheck[8*20]; /* 1 to 20 blocks */ + unsigned int doublechecklen = 0; + + cx = DES_CreateContext(key, iv, mode, PR_TRUE); + if (cx == NULL) { + goto loser; + } + rv = DES_Encrypt(cx, output, outputlen, maxoutputlen, input, inputlen); + if (rv != SECSuccess) { + goto loser; + } + if (*outputlen != inputlen) { + goto loser; + } + DES_DestroyContext(cx, PR_TRUE); + cx = NULL; + + /* + * Doublecheck our result by decrypting the ciphertext and + * compare the output with the input plaintext. + */ + cx = DES_CreateContext(key, iv, mode, PR_FALSE); + if (cx == NULL) { + goto loser; + } + rv = DES_Decrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck, + output, *outputlen); + if (rv != SECSuccess) { + goto loser; + } + if (doublechecklen != *outputlen) { + goto loser; + } + DES_DestroyContext(cx, PR_TRUE); + cx = NULL; + if (memcmp(doublecheck, input, inputlen) != 0) { + goto loser; + } + rv = SECSuccess; + +loser: + if (cx != NULL) { + DES_DestroyContext(cx, PR_TRUE); } + return rv; } -void -des_var_key_kat(int mode, PRBool encrypt, unsigned int len, - unsigned char *key, unsigned char *iv, - unsigned char *inp) +SECStatus +tdea_decrypt_buf( + int mode, + const unsigned char *key, + const unsigned char *iv, + unsigned char *output, unsigned int *outputlen, unsigned int maxoutputlen, + const unsigned char *input, unsigned int inputlen) { - int i; - unsigned int olen, mbnum = 0; - unsigned char mod_byte = 0x80; - unsigned char keyin[24]; - unsigned char out[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL, *cx2 = NULL; - memset(keyin, 1, sizeof keyin); - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - keyin[mbnum] = mod_byte; - keyin[mbnum+8] = mod_byte; - keyin[mbnum+16] = mod_byte; - for (i=1; i<=56; i++) { - cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE); - if (!encrypt) { - cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE); - } - if (len > 8) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, keyin, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, keyin+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, keyin+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, keyin, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, iv, 8); - printf("IV=%s%c", ivstr, tchar); - } - DES_Encrypt(cx1, out, &olen, 8, inp, 8); - if (encrypt) { - to_hex_str(instr, inp, 8); - to_hex_str(outstr, out, 8); - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - unsigned char inv[8]; - DES_Decrypt(cx2, inv, &olen, 8, out, 8); - to_hex_str(instr, out, 8); - to_hex_str(outstr, inv, 8); - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); - } - if (mod_byte > 0x02) { - mod_byte >>= 1; - } else { - keyin[mbnum] = 0x01; - keyin[mbnum+8] = 0x01; - keyin[mbnum+16] = 0x01; - mod_byte = 0x80; - mbnum++; - } - keyin[mbnum] = mod_byte; - keyin[mbnum+8] = mod_byte; - keyin[mbnum+16] = mod_byte; - DES_DestroyContext(cx1, PR_TRUE); - if (cx2) { - DES_DestroyContext(cx2, PR_TRUE); - } + SECStatus rv = SECFailure; + DESContext *cx; + unsigned char doublecheck[8*20]; /* 1 to 20 blocks */ + unsigned int doublechecklen = 0; + + cx = DES_CreateContext(key, iv, mode, PR_FALSE); + if (cx == NULL) { + goto loser; + } + rv = DES_Decrypt(cx, output, outputlen, maxoutputlen, + input, inputlen); + if (rv != SECSuccess) { + goto loser; + } + if (*outputlen != inputlen) { + goto loser; + } + DES_DestroyContext(cx, PR_TRUE); + cx = NULL; + + /* + * Doublecheck our result by encrypting the plaintext and + * compare the output with the input ciphertext. + */ + cx = DES_CreateContext(key, iv, mode, PR_TRUE); + if (cx == NULL) { + goto loser; } + rv = DES_Encrypt(cx, doublecheck, &doublechecklen, sizeof doublecheck, + output, *outputlen); + if (rv != SECSuccess) { + goto loser; + } + if (doublechecklen != *outputlen) { + goto loser; + } + DES_DestroyContext(cx, PR_TRUE); + cx = NULL; + if (memcmp(doublecheck, input, inputlen) != 0) { + goto loser; + } + rv = SECSuccess; + +loser: + if (cx != NULL) { + DES_DestroyContext(cx, PR_TRUE); + } + return rv; } +/* + * Perform the TDEA Known Answer Test (KAT) or Multi-block Message + * Test (MMT) in ECB or CBC mode. The KAT (there are five types) + * and MMT have the same structure: given the key and IV (CBC mode + * only), encrypt the given plaintext or decrypt the given ciphertext. + * So we can handle them the same way. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ void -des_perm_op_kat(int mode, PRBool encrypt, unsigned int len, - unsigned char *key, unsigned char *iv, - unsigned char *inp) +tdea_kat_mmt(char *reqfn) { - int i; - unsigned int olen; - unsigned char keyin[24]; - unsigned char out[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL, *cx2 = NULL; - memset(keyin, 0, sizeof keyin); - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - for (i=0; i<32; i++) { - memcpy(keyin, table3[i], 8); - memcpy(keyin+8, table3[i], 8); - memcpy(keyin+16, table3[i], 8); - cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE); - if (!encrypt) { - cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE); - } - if (len > 8) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, keyin, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, keyin+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, keyin+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, keyin, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, iv, 8); - printf("IV=%s%c", ivstr, tchar); - } - DES_Encrypt(cx1, out, &olen, 8, inp, 8); - if (encrypt) { - to_hex_str(instr, inp, 8); - to_hex_str(outstr, out, 8); - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - unsigned char inv[8]; - DES_Decrypt(cx2, inv, &olen, 8, out, 8); - to_hex_str(instr, out, 8); - to_hex_str(outstr, inv, 8); - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); - } - DES_DestroyContext(cx1, PR_TRUE); - if (cx2) { - DES_DestroyContext(cx2, PR_TRUE); - } + char buf[180]; /* holds one line from the input REQUEST file. + * needs to be large enough to hold the longest + * line "CIPHERTEXT = <180 hex digits>\n". + */ + FILE *req; /* input stream from the REQUEST file */ + FILE *resp; /* output stream to the RESPONSE file */ + int i, j; + int mode; /* NSS_DES_EDE3 (ECB) or NSS_DES_EDE3_CBC */ + int crypt = DECRYPT; /* 1 means encrypt, 0 means decrypt */ + unsigned char key[24]; /* TDEA 3 key bundle */ + unsigned int numKeys = 0; + unsigned char iv[8]; /* for all modes except ECB */ + unsigned char plaintext[8*20]; /* 1 to 20 blocks */ + unsigned int plaintextlen; + unsigned char ciphertext[8*20]; /* 1 to 20 blocks */ + unsigned int ciphertextlen; + SECStatus rv; + + req = fopen(reqfn, "r"); + resp = stdout; + while (fgets(buf, sizeof buf, req) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, resp); + continue; + } + /* [ENCRYPT] or [DECRYPT] */ + if (buf[0] == '[') { + if (strncmp(&buf[1], "ENCRYPT", 7) == 0) { + crypt = ENCRYPT; + } else { + crypt = DECRYPT; + } + fputs(buf, resp); + continue; + } + /* NumKeys */ + if (strncmp(&buf[0], "NumKeys", 7) == 0) { + i = 7; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + numKeys = buf[i]; + fputs(buf, resp); + continue; + } + /* "COUNT = x" begins a new data set */ + if (strncmp(buf, "COUNT", 5) == 0) { + /* mode defaults to ECB, if dataset has IV mode will be set CBC */ + mode = NSS_DES_EDE3; + /* zeroize the variables for the test with this data set */ + memset(key, 0, sizeof key); + memset(iv, 0, sizeof iv); + memset(plaintext, 0, sizeof plaintext); + plaintextlen = 0; + memset(ciphertext, 0, sizeof ciphertext); + ciphertextlen = 0; + fputs(buf, resp); + continue; + } + if (numKeys == 0) { + if (strncmp(buf, "KEYs", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + key[j+8] = key[j]; + key[j+16] = key[j]; + } + fputs(buf, resp); + continue; + } + } else { + /* KEY1 = ... */ + if (strncmp(buf, "KEY1", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + fputs(buf, resp); + continue; + } + /* KEY2 = ... */ + if (strncmp(buf, "KEY2", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=8; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + fputs(buf, resp); + continue; + } + /* KEY3 = ... */ + if (strncmp(buf, "KEY3", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=16; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + fputs(buf, resp); + continue; + } + } + + /* IV = ... */ + if (strncmp(buf, "IV", 2) == 0) { + mode = NSS_DES_EDE3_CBC; + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j<sizeof iv; i+=2,j++) { + hex_from_2char(&buf[i], &iv[j]); + } + fputs(buf, resp); + continue; + } + + /* PLAINTEXT = ... */ + if (strncmp(buf, "PLAINTEXT", 9) == 0) { + /* sanity check */ + if (crypt != ENCRYPT) { + goto loser; + } + i = 9; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &plaintext[j]); + } + plaintextlen = j; + rv = tdea_encrypt_buf(mode, key, + (mode == NSS_DES_EDE3) ? NULL : iv, + ciphertext, &ciphertextlen, sizeof ciphertext, + plaintext, plaintextlen); + if (rv != SECSuccess) { + goto loser; + } + + fputs(buf, resp); + fputs("CIPHERTEXT = ", resp); + to_hex_str(buf, ciphertext, ciphertextlen); + fputs(buf, resp); + fputc('\n', resp); + continue; + } + /* CIPHERTEXT = ... */ + if (strncmp(buf, "CIPHERTEXT", 10) == 0) { + /* sanity check */ + if (crypt != DECRYPT) { + goto loser; + } + + i = 10; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &ciphertext[j]); + } + ciphertextlen = j; + + rv = tdea_decrypt_buf(mode, key, + (mode == NSS_DES_EDE3) ? NULL : iv, + plaintext, &plaintextlen, sizeof plaintext, + ciphertext, ciphertextlen); + if (rv != SECSuccess) { + goto loser; + } + + fputs(buf, resp); + fputs("PLAINTEXT = ", resp); + to_hex_str(buf, plaintext, plaintextlen); + fputs(buf, resp); + fputc('\n', resp); + continue; + } } + +loser: + fclose(req); } -void -des_sub_tbl_kat(int mode, PRBool encrypt, unsigned int len, - unsigned char *key, unsigned char *iv, - unsigned char *inp) +/* +* Set the parity bit for the given byte +*/ +BYTE odd_parity( BYTE in) { - int i; - unsigned int olen; - unsigned char keyin[24]; - unsigned char out[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL, *cx2 = NULL; - memset(keyin, 0, sizeof keyin); - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - for (i=0; i<19; i++) { - memcpy(keyin, table4_key[i], 8); - memcpy(keyin+8, table4_key[i], 8); - memcpy(keyin+16, table4_key[i], 8); - cx1 = DES_CreateContext(keyin, iv, mode, PR_TRUE); - if (!encrypt) { - cx2 = DES_CreateContext(keyin, iv, mode, PR_FALSE); - } - if (len > 8) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, keyin, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, keyin+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, keyin+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, keyin, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, iv, 8); - printf("IV=%s%c", ivstr, tchar); - } - DES_Encrypt(cx1, out, &olen, 8, table4_inp[i], 8); - if (encrypt) { - to_hex_str(instr, table4_inp[i], 8); - to_hex_str(outstr, out, 8); - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - unsigned char inv[8]; - DES_Decrypt(cx2, inv, &olen, 8, out, 8); - to_hex_str(instr, out, 8); - to_hex_str(outstr, inv, 8); - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); - } - DES_DestroyContext(cx1, PR_TRUE); - if (cx2) { - DES_DestroyContext(cx2, PR_TRUE); - } - } + BYTE out = in; + in ^= in >> 4; + in ^= in >> 2; + in ^= in >> 1; + return (BYTE)(out ^ !(in & 1)); } -unsigned char make_odd_parity(unsigned char b) +/* + * Generate Keys [i+1] from Key[i], PT/CT[j-2], PT/CT[j-1], and PT/CT[j] + * for TDEA Monte Carlo Test (MCT) in ECB and CBC modes. + */ +void +tdea_mct_next_keys(unsigned char *key, + const unsigned char *text_2, const unsigned char *text_1, + const unsigned char *text, unsigned int numKeys) { - int i; - int sum = 0; - for (i=1; i<8; i++) { - sum += (b & (1 << i)) ? 1 : 0; + int k; + + /* key1[i+1] = key1[i] xor PT/CT[j] */ + for (k=0; k<8; k++) { + key[k] ^= text[k]; + } + /* key2 */ + if (numKeys == 2 || numKeys == 3) { + /* key2 independent */ + for (k=8; k<16; k++) { + /* key2[i+1] = KEY2[i] xor PT/CT[j-1] */ + key[k] ^= text_1[k-8]; + } + } else { + /* key2 == key 1 */ + for (k=8; k<16; k++) { + /* key2[i+1] = KEY2[i] xor PT/CT[j] */ + key[k] = key[k-8]; + } } - if (sum & 0x01) { - return (b & 0xfe); + /* key3 */ + if (numKeys == 1 || numKeys == 2) { + /* key3 == key 1 */ + for (k=16; k<24; k++) { + /* key3[i+1] = KEY3[i] xor PT/CT[j] */ + key[k] = key[k-16]; + } } else { - return (b | 0x01); + /* key3 independent */ + for (k=16; k<24; k++) { + /* key3[i+1] = KEY3[i] xor PT/CT[j-2] */ + key[k] ^= text_2[k-16]; + } + } + /* set the parity bits */ + for (k=0; k<24; k++) { + key[k] = odd_parity(key[k]); + } +} + +/* + * Perform the Monte Carlo Test + * + * mode = NSS_DES_EDE3 or NSS_DES_EDE3_CBC + * crypt = ENCRYPT || DECRYPT + * inputtext = plaintext or Cyphertext depending on the value of crypt + * inputlength is expected to be size 8 bytes + * iv = needs to be set for NSS_DES_EDE3_CBC mode + * resp = is the output response file. + */ + void +tdea_mct_test(int mode, unsigned char* key, unsigned int numKeys, + unsigned int crypt, unsigned char* inputtext, + unsigned int inputlength, unsigned char* iv, FILE *resp) { + + int i, j; + unsigned char outputtext_1[8]; /* PT/CT[j-1] */ + unsigned char outputtext_2[8]; /* PT/CT[j-2] */ + char buf[80]; /* holds one line from the input REQUEST file. */ + unsigned int outputlen; + unsigned char outputtext[8]; + + + SECStatus rv; + + if (mode == NSS_DES_EDE3 && iv != NULL) { + printf("IV must be NULL for NSS_DES_EDE3 mode"); + goto loser; + } else if (mode == NSS_DES_EDE3_CBC && iv == NULL) { + printf("IV must not be NULL for NSS_DES_EDE3_CBC mode"); + goto loser; } + + /* loop 400 times */ + for (i=0; i<400; i++) { + /* if i == 0 CV[0] = IV not necessary */ + /* record the count and key values and plainText */ + sprintf(buf, "COUNT = %d\n", i); + fputs(buf, resp); + /* Output KEY1[i] */ + fputs("KEY1 = ", resp); + to_hex_str(buf, key, 8); + fputs(buf, resp); + fputc('\n', resp); + /* Output KEY2[i] */ + fputs("KEY2 = ", resp); + to_hex_str(buf, &key[8], 8); + fputs(buf, resp); + fputc('\n', resp); + /* Output KEY3[i] */ + fputs("KEY3 = ", resp); + to_hex_str(buf, &key[16], 8); + fputs(buf, resp); + fputc('\n', resp); + if (mode == NSS_DES_EDE3_CBC) { + /* Output CV[i] */ + fputs("IV = ", resp); + to_hex_str(buf, iv, 8); + fputs(buf, resp); + fputc('\n', resp); + } + if (crypt == ENCRYPT) { + /* Output PT[0] */ + fputs("PLAINTEXT = ", resp); + } else { + /* Output CT[0] */ + fputs("CIPHERTEXT = ", resp); + } + + to_hex_str(buf, inputtext, inputlength); + fputs(buf, resp); + fputc('\n', resp); + + /* loop 10,000 times */ + for (j=0; j<10000; j++) { + + outputlen = 0; + if (crypt == ENCRYPT) { + /* inputtext == ciphertext outputtext == plaintext*/ + rv = tdea_encrypt_buf(mode, key, + (mode == NSS_DES_EDE3) ? NULL : iv, + outputtext, &outputlen, 8, + inputtext, 8); + } else { + /* inputtext == plaintext outputtext == ciphertext */ + rv = tdea_decrypt_buf(mode, key, + (mode == NSS_DES_EDE3) ? NULL : iv, + outputtext, &outputlen, 8, + inputtext, 8); + } + + if (rv != SECSuccess) { + goto loser; + } + if (outputlen != inputlength) { + goto loser; + } + + if (mode == NSS_DES_EDE3_CBC) { + if (crypt == ENCRYPT) { + if (j == 0) { + /*P[j+1] = CV[0] */ + memcpy(inputtext, iv, 8); + } else { + /* p[j+1] = C[j-1] */ + memcpy(inputtext, outputtext_1, 8); + } + /* CV[j+1] = C[j] */ + memcpy(iv, outputtext, 8); + if (j != 9999) { + /* save C[j-1] */ + memcpy(outputtext_1, outputtext, 8); + } + } else { /* DECRYPT */ + /* CV[j+1] = C[j] */ + memcpy(iv, inputtext, 8); + /* C[j+1] = P[j] */ + memcpy(inputtext, outputtext, 8); + } + } else { + /* ECB mode PT/CT[j+1] = CT/PT[j] */ + memcpy(inputtext, outputtext, 8); + } + + /* Save PT/CT[j-2] and PT/CT[j-1] */ + if (j==9997) memcpy(outputtext_2, outputtext, 8); + if (j==9998) memcpy(outputtext_1, outputtext, 8); + /* done at the end of the for(j) loop */ + } + + + if (crypt == ENCRYPT) { + /* Output CT[j] */ + fputs("CIPHERTEXT = ", resp); + } else { + /* Output PT[j] */ + fputs("PLAINTEXT = ", resp); + } + to_hex_str(buf, outputtext, 8); + fputs(buf, resp); + fputc('\n', resp); + + /* Key[i+1] = Key[i] xor ... outputtext_2 == PT/CT[j-2] + * outputtext_1 == PT/CT[j-1] outputtext == PT/CT[j] + */ + tdea_mct_next_keys(key, outputtext_2, + outputtext_1, outputtext, numKeys); + + if (mode == NSS_DES_EDE3_CBC) { + /* taken care of in the j=9999 iteration */ + if (crypt == ENCRYPT) { + /* P[i] = C[j-1] */ + /* CV[i] = C[j] */ + } else { + /* taken care of in the j=9999 iteration */ + /* CV[i] = C[j] */ + /* C[i] = P[j] */ + } + } else { + /* ECB PT/CT[i] = PT/CT[j] */ + memcpy(inputtext, outputtext, 8); + } + /* done at the end of the for(i) loop */ + fputc('\n', resp); + } + +loser: + return; } +/* + * Perform the TDEA Monte Carlo Test (MCT) in ECB/CBC modes. + * by gathering the input from the request file, and then + * calling tdea_mct_test. + * + * reqfn is the pathname of the input REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ void -des_modes(int mode, PRBool encrypt, unsigned int len, - const unsigned char *key, const unsigned char *iv, - const unsigned char *inp, int keymode) +tdea_mct(int mode, char *reqfn) { int i, j; - unsigned int olen; - unsigned char keyin[24]; - unsigned char in[8]; - unsigned char cv[8]; - unsigned char cv0[8]; - unsigned char in0[8]; - unsigned char out[8]; - unsigned char cj9998[8], cj9997[8]; - char keystr[17], ivstr[17], instr[17], outstr[17]; - char *ptty = (len == 8) ? "PT" : "PLAINTEXT"; - char *ctty = (len == 8) ? "CT" : "CIPHERTEXT"; - char tchar = (len == 8) ? '\t' : '\n'; - DESContext *cx1 = NULL; - memset(keystr, 0, sizeof keystr); - memset(ivstr, 0, sizeof ivstr); - memset(instr, 0, sizeof instr); - memset(outstr, 0, sizeof outstr); - memcpy(in, inp, 8); - if (iv) memcpy(cv, iv, 8); - memcpy(keyin, key, len); - for (i=0; i<400; i++) { - if (iv) memcpy(cv0, cv, 8); - memcpy(in0, in, 8); - for (j=0; j<10000; j++) { - if (encrypt) { - cx1 = DES_CreateContext(keyin, cv, mode, PR_TRUE); - DES_Encrypt(cx1, out, &olen, 8, in, 8); - } else { - cx1 = DES_CreateContext(keyin, cv, mode, PR_FALSE); - DES_Decrypt(cx1, out, &olen, 8, in, 8); - } - if (j==9997) memcpy(cj9997, out, 8); - if (j==9998) memcpy(cj9998, out, 8); - if (iv) { - if (encrypt) { - memcpy(in, cv, 8); - memcpy(cv, out, 8); - } else { - memcpy(cv, in, 8); - memcpy(in, out, 8); - } - } else { - memcpy(in, out, 8); - } - DES_DestroyContext(cx1, PR_TRUE); - } - if (keymode > 0) { - printf("COUNT = %d\n", i); - to_hex_str(keystr, keyin, 8); - printf("KEY1=%s\n", keystr); - to_hex_str(keystr, keyin+8, 8); - printf("KEY2=%s\n", keystr); - to_hex_str(keystr, keyin+16, 8); - printf("KEY3=%s\n", keystr); - } else { - to_hex_str(keystr, keyin, 8); - printf("%ld\tKEY=%s\t", i, keystr); - } - if (iv) { - to_hex_str(ivstr, cv0, 8); - printf("CV=%s%c", ivstr, tchar); - } - to_hex_str(instr, in0, 8); - to_hex_str(outstr, out, 8); - if (encrypt) { - printf("%s=%s%c%s=%s\n\n", ptty, instr, tchar, ctty, outstr); - } else { - printf("%s=%s%c%s=%s\n\n", ctty, instr, tchar, ptty, outstr); - } - for (j=0; j<8; j++) { - keyin[j] ^= out[j]; - keyin[j] = make_odd_parity(keyin[j]); - if (keymode == 0) continue; - if (keymode > 1) { - keyin[j+8] ^= cj9998[j]; - keyin[j+8] = make_odd_parity(keyin[j+8]); - } else { - keyin[j+8] = keyin[j]; - } - if (keymode > 2) { - keyin[j+16] ^= cj9997[j]; - keyin[j+16] = make_odd_parity(keyin[j+16]); - } else { - keyin[j+16] = keyin[j]; - } - } + char buf[80]; /* holds one line from the input REQUEST file. */ + FILE *req; /* input stream from the REQUEST file */ + FILE *resp; /* output stream to the RESPONSE file */ + unsigned int crypt = 0; /* 1 means encrypt, 0 means decrypt */ + unsigned char key[24]; /* TDEA 3 key bundle */ + unsigned int numKeys = 0; + unsigned char plaintext[8]; /* PT[j] */ + unsigned char ciphertext[8]; /* CT[j] */ + unsigned char iv[8]; + + /* zeroize the variables for the test with this data set */ + memset(key, 0, sizeof key); + memset(plaintext, 0, sizeof plaintext); + memset(ciphertext, 0, sizeof ciphertext); + memset(iv, 0, sizeof iv); + + req = fopen(reqfn, "r"); + resp = stdout; + while (fgets(buf, sizeof buf, req) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, resp); + continue; + } + /* [ENCRYPT] or [DECRYPT] */ + if (buf[0] == '[') { + if (strncmp(&buf[1], "ENCRYPT", 7) == 0) { + crypt = ENCRYPT; + } else { + crypt = DECRYPT; + } + fputs(buf, resp); + continue; + } + /* NumKeys */ + if (strncmp(&buf[0], "NumKeys", 7) == 0) { + i = 7; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + numKeys = atoi(&buf[i]); + continue; + } + /* KEY1 = ... */ + if (strncmp(buf, "KEY1", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + continue; + } + /* KEY2 = ... */ + if (strncmp(buf, "KEY2", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=8; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + continue; + } + /* KEY3 = ... */ + if (strncmp(buf, "KEY3", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=16; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + continue; + } + + /* IV = ... */ + if (strncmp(buf, "IV", 2) == 0) { + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j<sizeof iv; i+=2,j++) { + hex_from_2char(&buf[i], &iv[j]); + } + continue; + } + + /* PLAINTEXT = ... */ + if (strncmp(buf, "PLAINTEXT", 9) == 0) { + + /* sanity check */ + if (crypt != ENCRYPT) { + goto loser; + } + /* PT[0] = PT */ + i = 9; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j<sizeof plaintext; i+=2,j++) { + hex_from_2char(&buf[i], &plaintext[j]); + } + + /* do the Monte Carlo test */ + if (mode==NSS_DES_EDE3) { + tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, plaintext, sizeof plaintext, NULL, resp); + } else { + tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, plaintext, sizeof plaintext, iv, resp); + } + continue; + } + /* CIPHERTEXT = ... */ + if (strncmp(buf, "CIPHERTEXT", 10) == 0) { + /* sanity check */ + if (crypt != DECRYPT) { + goto loser; + } + /* CT[0] = CT */ + i = 10; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &ciphertext[j]); + } + + /* do the Monte Carlo test */ + if (mode==NSS_DES_EDE3) { + tdea_mct_test(NSS_DES_EDE3, key, numKeys, crypt, ciphertext, sizeof ciphertext, NULL, resp); + } else { + tdea_mct_test(NSS_DES_EDE3_CBC, key, numKeys, crypt, ciphertext, sizeof ciphertext, iv, resp); + } + continue; + } } + +loser: + fclose(req); } + SECStatus aes_encrypt_buf( int mode, @@ -1797,152 +1839,6 @@ void write_compact_string(FILE *out, unsigned char *hash, unsigned int len) fseek(out, 0, SEEK_END); } -void do_shs_type3(FILE *out, unsigned char *M, unsigned int len) -{ - int i, j, a; - unsigned char zero[30]; - unsigned char iword[4]; - unsigned int l = len; - char hashstr[41]; - SHA1Context *cx; - memset(zero, 0, sizeof zero); - for (j=0; j<100; j++) { - cx = SHA1_NewContext(); - for (i=1; i<=50000; i++) { - SHA1_Begin(cx); - SHA1_Update(cx, M, l); - a = j/4 + 3; - SHA1_Update(cx, zero, a); - iword[3] = (char)i; - iword[2] = (char)(i >> 8); - iword[1] = (char)(i >> 16); - iword[0] = (char)(i >> 24); - SHA1_Update(cx, iword, 4); - SHA1_End(cx, M, &l, 20); - } - SHA1_DestroyContext(cx, PR_TRUE); - to_hex_str_cap(hashstr, M, l); - hashstr[40] = '\0'; - fprintf(out, "%s ^", hashstr); - if (j<99) fprintf(out, "\n"); - } -} - -void -shs_test(char *reqfn) -{ - char buf[80]; - FILE *shareq, *sharesp; - char readbuf[64]; - int i, nr; - int newline, skip, r_z, r_b, r_n, r, b, z, n, reading; - unsigned char hash[20]; - char hashstr[41]; - unsigned char input[13000]; - int next_bit = 0; - int shs_type = 0; - shareq = fopen(reqfn, "r"); - sharesp = stdout; - newline = 1; - reading = skip = r_z = r_b = r_n = z = r = n = 0; - while ((nr = fread(buf, 1, sizeof buf, shareq)) > 0) { - for (i=0; i<nr; i++) { - if (newline) { - if (buf[i] == '#' || buf[i] == 'D' || buf[i] == '<') { - skip = 1; - } else if (buf[i] == 'H') { - skip = 0; - shs_type++; - fprintf(sharesp, "H>SHS Type %d Hashes<H", shs_type); - } else if (isdigit(buf[i])) { - r_z = 1; - readbuf[r++] = buf[i]; - } - newline = (buf[i] == '\n') ? 1 : 0; - } else { - if (buf[i] == '\n' && !r_n) { - skip = r_z = r_n = 0; - newline = 1; - } else if (r_z) { - if (buf[i] == ' ') { - r_z = 0; - readbuf[r] = '\0'; - z = atoi(readbuf); - r_b = 1; - r = 0; - } else if (isdigit(buf[i])) { - readbuf[r++] = buf[i]; - } - } else if (r_b) { - if (buf[i] == ' ') { - r_b = 0; - readbuf[r] = '\0'; - b = atoi(readbuf); - r_n = 1; - r = 0; - } else if (isdigit(buf[i])) { - readbuf[r++] = buf[i]; - } - } else if (r_n) { - if (buf[i] == ' ') { - readbuf[r++] = '\0'; - n = atoi(readbuf); - if (b == 0) { - next_bit += n; - b = 1; - } else { - int next_byte = next_bit / 8; - int shift = next_bit % 8; - unsigned char m = 0xff; - if (n < 8 - shift) { - m <<= (8 - n); - m >>= shift; - input[next_byte] |= m; - next_bit += n; - } else { - m >>= shift; - input[next_byte++] |= m; - next_bit += 8 - shift; - n -= (8 - shift); - while (n > 8) { - m = 0xff; - input[next_byte++] |= m; - next_bit += 8; - n -= 8; - } - if (n > 0) { - m = 0xff << (8 - n); - input[next_byte] |= m; - next_bit += n; - } - } - b = 0; - } - r = 0; - } else if (buf[i] == '^') { - r_n = 0; - if (shs_type < 3) { - SHA1_HashBuf(hash, input, next_bit/8); - to_hex_str_cap(hashstr, hash, sizeof hash); - hashstr[40] = '\0'; - fprintf(sharesp, "%s ^", hashstr); - memset(input, 0, sizeof input); - next_bit = 0; - } else { - do_shs_type3(sharesp, input, next_bit/8); - } - } else if (isdigit(buf[i])) { - readbuf[r++] = buf[i]; - } - } - } - if (skip || newline) { - fprintf(sharesp, "%c", buf[i]); - } - } - } -} - int get_next_line(FILE *req, char *key, char *val, FILE *rsp) { int ignore = 0; @@ -2331,6 +2227,686 @@ do_sigver: fclose(rsp); } +#ifdef NSS_ENABLE_ECC +typedef struct curveNameTagPairStr { + char *curveName; + SECOidTag curveOidTag; +} CurveNameTagPair; + +#define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1 +/* #define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP160R1 */ + +static CurveNameTagPair nameTagPair[] = +{ + { "sect163k1", SEC_OID_SECG_EC_SECT163K1}, + { "nistk163", SEC_OID_SECG_EC_SECT163K1}, + { "sect163r1", SEC_OID_SECG_EC_SECT163R1}, + { "sect163r2", SEC_OID_SECG_EC_SECT163R2}, + { "nistb163", SEC_OID_SECG_EC_SECT163R2}, + { "sect193r1", SEC_OID_SECG_EC_SECT193R1}, + { "sect193r2", SEC_OID_SECG_EC_SECT193R2}, + { "sect233k1", SEC_OID_SECG_EC_SECT233K1}, + { "nistk233", SEC_OID_SECG_EC_SECT233K1}, + { "sect233r1", SEC_OID_SECG_EC_SECT233R1}, + { "nistb233", SEC_OID_SECG_EC_SECT233R1}, + { "sect239k1", SEC_OID_SECG_EC_SECT239K1}, + { "sect283k1", SEC_OID_SECG_EC_SECT283K1}, + { "nistk283", SEC_OID_SECG_EC_SECT283K1}, + { "sect283r1", SEC_OID_SECG_EC_SECT283R1}, + { "nistb283", SEC_OID_SECG_EC_SECT283R1}, + { "sect409k1", SEC_OID_SECG_EC_SECT409K1}, + { "nistk409", SEC_OID_SECG_EC_SECT409K1}, + { "sect409r1", SEC_OID_SECG_EC_SECT409R1}, + { "nistb409", SEC_OID_SECG_EC_SECT409R1}, + { "sect571k1", SEC_OID_SECG_EC_SECT571K1}, + { "nistk571", SEC_OID_SECG_EC_SECT571K1}, + { "sect571r1", SEC_OID_SECG_EC_SECT571R1}, + { "nistb571", SEC_OID_SECG_EC_SECT571R1}, + { "secp160k1", SEC_OID_SECG_EC_SECP160K1}, + { "secp160r1", SEC_OID_SECG_EC_SECP160R1}, + { "secp160r2", SEC_OID_SECG_EC_SECP160R2}, + { "secp192k1", SEC_OID_SECG_EC_SECP192K1}, + { "secp192r1", SEC_OID_SECG_EC_SECP192R1}, + { "nistp192", SEC_OID_SECG_EC_SECP192R1}, + { "secp224k1", SEC_OID_SECG_EC_SECP224K1}, + { "secp224r1", SEC_OID_SECG_EC_SECP224R1}, + { "nistp224", SEC_OID_SECG_EC_SECP224R1}, + { "secp256k1", SEC_OID_SECG_EC_SECP256K1}, + { "secp256r1", SEC_OID_SECG_EC_SECP256R1}, + { "nistp256", SEC_OID_SECG_EC_SECP256R1}, + { "secp384r1", SEC_OID_SECG_EC_SECP384R1}, + { "nistp384", SEC_OID_SECG_EC_SECP384R1}, + { "secp521r1", SEC_OID_SECG_EC_SECP521R1}, + { "nistp521", SEC_OID_SECG_EC_SECP521R1}, + + { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 }, + { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 }, + { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 }, + { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 }, + { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 }, + { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 }, + + { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 }, + { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 }, + { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 }, + { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 }, + { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 }, + { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 }, + { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 }, + { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 }, + { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 }, + { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 }, + { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 }, + { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 }, + { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 }, + { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 }, + { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 }, + { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 }, + { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 }, + { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 }, + { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 }, + { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 }, + + { "secp112r1", SEC_OID_SECG_EC_SECP112R1}, + { "secp112r2", SEC_OID_SECG_EC_SECP112R2}, + { "secp128r1", SEC_OID_SECG_EC_SECP128R1}, + { "secp128r2", SEC_OID_SECG_EC_SECP128R2}, + + { "sect113r1", SEC_OID_SECG_EC_SECT113R1}, + { "sect113r2", SEC_OID_SECG_EC_SECT113R2}, + { "sect131r1", SEC_OID_SECG_EC_SECT131R1}, + { "sect131r2", SEC_OID_SECG_EC_SECT131R2}, +}; + +static SECKEYECParams * +getECParams(const char *curve) +{ + SECKEYECParams *ecparams; + SECOidData *oidData = NULL; + SECOidTag curveOidTag = SEC_OID_UNKNOWN; /* default */ + int i, numCurves; + + if (curve != NULL) { + numCurves = sizeof(nameTagPair)/sizeof(CurveNameTagPair); + for (i = 0; ((i < numCurves) && (curveOidTag == SEC_OID_UNKNOWN)); + i++) { + if (PL_strcmp(curve, nameTagPair[i].curveName) == 0) + curveOidTag = nameTagPair[i].curveOidTag; + } + } + + /* Return NULL if curve name is not recognized */ + if ((curveOidTag == SEC_OID_UNKNOWN) || + (oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) { + fprintf(stderr, "Unrecognized elliptic curve %s\n", curve); + return NULL; + } + + ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len)); + + /* + * ecparams->data needs to contain the ASN encoding of an object ID (OID) + * representing the named curve. The actual OID is in + * oidData->oid.data so we simply prepend 0x06 and OID length + */ + ecparams->data[0] = SEC_ASN1_OBJECT_ID; + ecparams->data[1] = oidData->oid.len; + memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len); + + return ecparams; +} + +/* + * Perform the ECDSA Key Pair Generation Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void +ecdsa_keypair_test(char *reqfn) +{ + char buf[256]; /* holds one line from the input REQUEST file + * or to the output RESPONSE file. + * needs to be large enough to hold the longest + * line "Qx = <144 hex digits>\n". + */ + FILE *ecdsareq; /* input stream from the REQUEST file */ + FILE *ecdsaresp; /* output stream to the RESPONSE file */ + char curve[16]; /* "nistxddd" */ + ECParams *ecparams; + int N; + int i; + unsigned int len; + + ecdsareq = fopen(reqfn, "r"); + ecdsaresp = stdout; + strcpy(curve, "nist"); + while (fgets(buf, sizeof buf, ecdsareq) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, ecdsaresp); + continue; + } + /* [X-ddd] */ + if (buf[0] == '[') { + const char *src; + char *dst; + SECKEYECParams *encodedparams; + + src = &buf[1]; + dst = &curve[4]; + *dst++ = tolower(*src); + src += 2; /* skip the hyphen */ + *dst++ = *src++; + *dst++ = *src++; + *dst++ = *src++; + *dst = '\0'; + encodedparams = getECParams(curve); + if (encodedparams == NULL) { + goto loser; + } + if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) { + goto loser; + } + SECITEM_FreeItem(encodedparams, PR_TRUE); + fputs(buf, ecdsaresp); + continue; + } + /* N = x */ + if (buf[0] == 'N') { + if (sscanf(buf, "N = %d", &N) != 1) { + goto loser; + } + for (i = 0; i < N; i++) { + ECPrivateKey *ecpriv; + + if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) { + goto loser; + } + fputs("d = ", ecdsaresp); + to_hex_str(buf, ecpriv->privateValue.data, + ecpriv->privateValue.len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue) + != SECSuccess) { + goto loser; + } + len = ecpriv->publicValue.len; + if (len%2 == 0) { + goto loser; + } + len = (len-1)/2; + if (ecpriv->publicValue.data[0] + != EC_POINT_FORM_UNCOMPRESSED) { + goto loser; + } + fputs("Qx = ", ecdsaresp); + to_hex_str(buf, &ecpriv->publicValue.data[1], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + fputs("Qy = ", ecdsaresp); + to_hex_str(buf, &ecpriv->publicValue.data[1+len], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + fputc('\n', ecdsaresp); + PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE); + } + PORT_FreeArena(ecparams->arena, PR_TRUE); + continue; + } + } +loser: + fclose(ecdsareq); +} + +/* + * Perform the ECDSA Public Key Validation Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void +ecdsa_pkv_test(char *reqfn) +{ + char buf[256]; /* holds one line from the input REQUEST file. + * needs to be large enough to hold the longest + * line "Qx = <144 hex digits>\n". + */ + FILE *ecdsareq; /* input stream from the REQUEST file */ + FILE *ecdsaresp; /* output stream to the RESPONSE file */ + char curve[16]; /* "nistxddd" */ + ECParams *ecparams = NULL; + SECItem pubkey; + unsigned int i; + unsigned int len; + PRBool keyvalid = PR_TRUE; + + ecdsareq = fopen(reqfn, "r"); + ecdsaresp = stdout; + strcpy(curve, "nist"); + pubkey.data = NULL; + while (fgets(buf, sizeof buf, ecdsareq) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, ecdsaresp); + continue; + } + /* [X-ddd] */ + if (buf[0] == '[') { + const char *src; + char *dst; + SECKEYECParams *encodedparams; + + src = &buf[1]; + dst = &curve[4]; + *dst++ = tolower(*src); + src += 2; /* skip the hyphen */ + *dst++ = *src++; + *dst++ = *src++; + *dst++ = *src++; + *dst = '\0'; + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + ecparams = NULL; + } + encodedparams = getECParams(curve); + if (encodedparams == NULL) { + goto loser; + } + if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) { + goto loser; + } + SECITEM_FreeItem(encodedparams, PR_TRUE); + len = (ecparams->fieldID.size + 7) >> 3; + if (pubkey.data != NULL) { + PORT_Free(pubkey.data); + pubkey.data = NULL; + } + SECITEM_AllocItem(NULL, &pubkey, 2*len+1); + if (pubkey.data == NULL) { + goto loser; + } + pubkey.data[0] = EC_POINT_FORM_UNCOMPRESSED; + fputs(buf, ecdsaresp); + continue; + } + /* Qx = ... */ + if (strncmp(buf, "Qx", 2) == 0) { + fputs(buf, ecdsaresp); + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + keyvalid = from_hex_str(&pubkey.data[1], len, &buf[i]); + continue; + } + /* Qy = ... */ + if (strncmp(buf, "Qy", 2) == 0) { + fputs(buf, ecdsaresp); + if (!keyvalid) { + fputs("Result = F\n", ecdsaresp); + continue; + } + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + keyvalid = from_hex_str(&pubkey.data[1+len], len, &buf[i]); + if (!keyvalid) { + fputs("Result = F\n", ecdsaresp); + continue; + } + if (EC_ValidatePublicKey(ecparams, &pubkey) == SECSuccess) { + fputs("Result = P\n", ecdsaresp); + } else if (PORT_GetError() == SEC_ERROR_BAD_KEY) { + fputs("Result = F\n", ecdsaresp); + } else { + goto loser; + } + continue; + } + } +loser: + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + } + if (pubkey.data != NULL) { + PORT_Free(pubkey.data); + } + fclose(ecdsareq); +} + +/* + * Perform the ECDSA Signature Generation Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void +ecdsa_siggen_test(char *reqfn) +{ + char buf[1024]; /* holds one line from the input REQUEST file + * or to the output RESPONSE file. + * needs to be large enough to hold the longest + * line "Msg = <256 hex digits>\n". + */ + FILE *ecdsareq; /* input stream from the REQUEST file */ + FILE *ecdsaresp; /* output stream to the RESPONSE file */ + char curve[16]; /* "nistxddd" */ + ECParams *ecparams = NULL; + int i, j; + unsigned int len; + unsigned char msg[512]; /* message to be signed (<= 128 bytes) */ + unsigned int msglen; + unsigned char sha1[20]; /* SHA-1 hash (160 bits) */ + unsigned char sig[2*MAX_ECKEY_LEN]; + SECItem signature, digest; + + ecdsareq = fopen(reqfn, "r"); + ecdsaresp = stdout; + strcpy(curve, "nist"); + while (fgets(buf, sizeof buf, ecdsareq) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, ecdsaresp); + continue; + } + /* [X-ddd] */ + if (buf[0] == '[') { + const char *src; + char *dst; + SECKEYECParams *encodedparams; + + src = &buf[1]; + dst = &curve[4]; + *dst++ = tolower(*src); + src += 2; /* skip the hyphen */ + *dst++ = *src++; + *dst++ = *src++; + *dst++ = *src++; + *dst = '\0'; + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + ecparams = NULL; + } + encodedparams = getECParams(curve); + if (encodedparams == NULL) { + goto loser; + } + if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) { + goto loser; + } + SECITEM_FreeItem(encodedparams, PR_TRUE); + fputs(buf, ecdsaresp); + continue; + } + /* Msg = ... */ + if (strncmp(buf, "Msg", 3) == 0) { + ECPrivateKey *ecpriv; + + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &msg[j]); + } + msglen = j; + if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) { + goto loser; + } + fputs(buf, ecdsaresp); + + if (EC_NewKey(ecparams, &ecpriv) != SECSuccess) { + goto loser; + } + if (EC_ValidatePublicKey(ecparams, &ecpriv->publicValue) + != SECSuccess) { + goto loser; + } + len = ecpriv->publicValue.len; + if (len%2 == 0) { + goto loser; + } + len = (len-1)/2; + if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { + goto loser; + } + fputs("Qx = ", ecdsaresp); + to_hex_str(buf, &ecpriv->publicValue.data[1], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + fputs("Qy = ", ecdsaresp); + to_hex_str(buf, &ecpriv->publicValue.data[1+len], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + + digest.type = siBuffer; + digest.data = sha1; + digest.len = sizeof sha1; + signature.type = siBuffer; + signature.data = sig; + signature.len = sizeof sig; + if (ECDSA_SignDigest(ecpriv, &signature, &digest) != SECSuccess) { + goto loser; + } + len = signature.len; + if (len%2 != 0) { + goto loser; + } + len = len/2; + fputs("R = ", ecdsaresp); + to_hex_str(buf, &signature.data[0], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + fputs("S = ", ecdsaresp); + to_hex_str(buf, &signature.data[len], len); + fputs(buf, ecdsaresp); + fputc('\n', ecdsaresp); + + PORT_FreeArena(ecpriv->ecParams.arena, PR_TRUE); + continue; + } + } +loser: + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + } + fclose(ecdsareq); +} + +/* + * Perform the ECDSA Signature Verification Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void +ecdsa_sigver_test(char *reqfn) +{ + char buf[1024]; /* holds one line from the input REQUEST file. + * needs to be large enough to hold the longest + * line "Msg = <256 hex digits>\n". + */ + FILE *ecdsareq; /* input stream from the REQUEST file */ + FILE *ecdsaresp; /* output stream to the RESPONSE file */ + char curve[16]; /* "nistxddd" */ + ECParams *ecparams = NULL; + ECPublicKey ecpub; + unsigned int i, j; + unsigned int flen; /* length in bytes of the field size */ + unsigned int olen; /* length in bytes of the base point order */ + unsigned char msg[512]; /* message that was signed (<= 128 bytes) */ + unsigned int msglen; + unsigned char sha1[20]; /* SHA-1 hash (160 bits) */ + unsigned char sig[2*MAX_ECKEY_LEN]; + SECItem signature, digest; + PRBool keyvalid = PR_TRUE; + PRBool sigvalid = PR_TRUE; + + ecdsareq = fopen(reqfn, "r"); + ecdsaresp = stdout; + ecpub.publicValue.type = siBuffer; + ecpub.publicValue.data = NULL; + ecpub.publicValue.len = 0; + strcpy(curve, "nist"); + while (fgets(buf, sizeof buf, ecdsareq) != NULL) { + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, ecdsaresp); + continue; + } + /* [X-ddd] */ + if (buf[0] == '[') { + const char *src; + char *dst; + SECKEYECParams *encodedparams; + + src = &buf[1]; + dst = &curve[4]; + *dst++ = tolower(*src); + src += 2; /* skip the hyphen */ + *dst++ = *src++; + *dst++ = *src++; + *dst++ = *src++; + *dst = '\0'; + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + ecparams = NULL; + } + encodedparams = getECParams(curve); + if (encodedparams == NULL) { + goto loser; + } + if (EC_DecodeParams(encodedparams, &ecparams) != SECSuccess) { + goto loser; + } + SECITEM_FreeItem(encodedparams, PR_TRUE); + ecpub.ecParams = *ecparams; + flen = (ecparams->fieldID.size + 7) >> 3; + olen = ecparams->order.len; + if (2*olen > sizeof sig) { + goto loser; + } + if (ecpub.publicValue.data != NULL) { + SECITEM_FreeItem(&ecpub.publicValue, PR_FALSE); + } + SECITEM_AllocItem(NULL, &ecpub.publicValue, 2*flen+1); + if (ecpub.publicValue.data == NULL) { + goto loser; + } + ecpub.publicValue.data[0] = EC_POINT_FORM_UNCOMPRESSED; + fputs(buf, ecdsaresp); + continue; + } + /* Msg = ... */ + if (strncmp(buf, "Msg", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; isxdigit(buf[i]); i+=2,j++) { + hex_from_2char(&buf[i], &msg[j]); + } + msglen = j; + if (SHA1_HashBuf(sha1, msg, msglen) != SECSuccess) { + goto loser; + } + fputs(buf, ecdsaresp); + + digest.type = siBuffer; + digest.data = sha1; + digest.len = sizeof sha1; + + continue; + } + /* Qx = ... */ + if (strncmp(buf, "Qx", 2) == 0) { + fputs(buf, ecdsaresp); + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + keyvalid = from_hex_str(&ecpub.publicValue.data[1], flen, + &buf[i]); + continue; + } + /* Qy = ... */ + if (strncmp(buf, "Qy", 2) == 0) { + fputs(buf, ecdsaresp); + if (!keyvalid) { + continue; + } + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + keyvalid = from_hex_str(&ecpub.publicValue.data[1+flen], flen, + &buf[i]); + if (!keyvalid) { + continue; + } + if (EC_ValidatePublicKey(ecparams, &ecpub.publicValue) + != SECSuccess) { + if (PORT_GetError() == SEC_ERROR_BAD_KEY) { + keyvalid = PR_FALSE; + } else { + goto loser; + } + } + continue; + } + /* R = ... */ + if (buf[0] == 'R') { + fputs(buf, ecdsaresp); + i = 1; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + sigvalid = from_hex_str(sig, olen, &buf[i]); + continue; + } + /* S = ... */ + if (buf[0] == 'S') { + fputs(buf, ecdsaresp); + i = 1; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + if (sigvalid) { + sigvalid = from_hex_str(&sig[olen], olen, &buf[i]); + } + signature.type = siBuffer; + signature.data = sig; + signature.len = 2*olen; + + if (!keyvalid || !sigvalid) { + fputs("Result = F\n", ecdsaresp); + } else if (ECDSA_VerifyDigest(&ecpub, &signature, &digest) + == SECSuccess) { + fputs("Result = P\n", ecdsaresp); + } else { + fputs("Result = F\n", ecdsaresp); + } + continue; + } + } +loser: + if (ecparams != NULL) { + PORT_FreeArena(ecparams->arena, PR_TRUE); + } + if (ecpub.publicValue.data != NULL) { + SECITEM_FreeItem(&ecpub.publicValue, PR_FALSE); + } + fclose(ecdsareq); +} +#endif /* NSS_ENABLE_ECC */ + void do_random() { int i, j, k = 0; @@ -2344,272 +2920,427 @@ void do_random() } } +/* + * Calculate the SHA Message Digest + * + * MD = Message digest + * MDLen = length of Message Digest and SHA_Type + * msg = message to digest + * msgLen = length of message to digest + */ +SECStatus sha_calcMD(unsigned char *MD, unsigned int MDLen, unsigned char *msg, unsigned int msgLen) +{ + SECStatus sha_status = SECFailure; + + if (MDLen == SHA1_LENGTH) { + sha_status = SHA1_HashBuf(MD, msg, msgLen); + } else if (MDLen == SHA256_LENGTH) { + sha_status = SHA256_HashBuf(MD, msg, msgLen); + } else if (MDLen == SHA384_LENGTH) { + sha_status = SHA384_HashBuf(MD, msg, msgLen); + } else if (MDLen == SHA512_LENGTH) { + sha_status = SHA512_HashBuf(MD, msg, msgLen); + } + + return sha_status; +} + +/* + * Perform the SHA Monte Carlo Test + * + * MDLen = length of Message Digest and SHA_Type + * seed = input seed value + * resp = is the output response file. + */ +SECStatus sha_mct_test(unsigned int MDLen, unsigned char *seed, FILE *resp) +{ + int i, j; + unsigned int msgLen = MDLen*3; + unsigned char MD_i3[HASH_LENGTH_MAX]; /* MD[i-3] */ + unsigned char MD_i2[HASH_LENGTH_MAX]; /* MD[i-2] */ + unsigned char MD_i1[HASH_LENGTH_MAX]; /* MD[i-1] */ + unsigned char MD_i[HASH_LENGTH_MAX]; /* MD[i] */ + unsigned char msg[HASH_LENGTH_MAX*3]; + char buf[HASH_LENGTH_MAX*2 + 1]; /* MAX buf MD_i as a hex string */ + + for (j=0; j<100; j++) { + /* MD_0 = MD_1 = MD_2 = seed */ + memcpy(MD_i3, seed, MDLen); + memcpy(MD_i2, seed, MDLen); + memcpy(MD_i1, seed, MDLen); + + for (i=3; i < 1003; i++) { + /* Mi = MD[i-3] || MD [i-2] || MD [i-1] */ + memcpy(msg, MD_i3, MDLen); + memcpy(&msg[MDLen], MD_i2, MDLen); + memcpy(&msg[MDLen*2], MD_i1,MDLen); + + /* MDi = SHA(Msg) */ + if (sha_calcMD(MD_i, MDLen, + msg, msgLen) != SECSuccess) { + return SECFailure; + } + + /* save MD[i-3] MD[i-2] MD[i-1] */ + memcpy(MD_i3, MD_i2, MDLen); + memcpy(MD_i2, MD_i1, MDLen); + memcpy(MD_i1, MD_i, MDLen); + + } + + /* seed = MD_i */ + memcpy(seed, MD_i, MDLen); + + sprintf(buf, "COUNT = %d\n", j); + fputs(buf, resp); + + /* output MD_i */ + fputs("MD = ", resp); + to_hex_str(buf, MD_i, MDLen); + fputs(buf, resp); + fputc('\n', resp); + } + + return SECSuccess; +} + +/* + * Perform the SHA Tests. + * + * reqfn is the pathname of the input REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void sha_test(char *reqfn) +{ + int i, j; + unsigned int MDlen; /* the length of the Message Digest in Bytes */ + unsigned int msgLen; /* the length of the input Message in Bytes */ + char *msg = NULL; /* holds the message to digest.*/ + size_t bufSize = 25608; /*MAX buffer size */ + char *buf = NULL; /* holds one line from the input REQUEST file.*/ + unsigned char seed[HASH_LENGTH_MAX]; /* max size of seed 64 bytes */ + unsigned char MD[HASH_LENGTH_MAX]; /* message digest */ + + FILE *req; /* input stream from the REQUEST file */ + FILE *resp; /* output stream to the RESPONSE file */ + + buf = PORT_ZAlloc(bufSize); + if (buf == NULL) { + goto loser; + } + + /* zeroize the variables for the test with this data set */ + memset(seed, 0, sizeof seed); + + req = fopen(reqfn, "r"); + resp = stdout; + while (fgets(buf, bufSize, req) != NULL) { + + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, resp); + continue; + } + /* [L = Length of the Message Digest and sha_type */ + if (buf[0] == '[') { + if (strncmp(&buf[1], "L ", 1) == 0) { + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + MDlen = atoi(&buf[i]); + fputs(buf, resp); + continue; + } + } + /* Len = Length of the Input Message Length ... */ + if (strncmp(buf, "Len", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + if (msg) { + PORT_ZFree(msg,msgLen); + msg = NULL; + } + msgLen = atoi(&buf[i]); /* in bits */ + msgLen = msgLen/8; /* convert to bytes */ + fputs(buf, resp); + msg = PORT_ZAlloc(msgLen); + if (msg == NULL && msgLen != 0) { + goto loser; + } + continue; + } + /* MSG = ... */ + if (strncmp(buf, "Msg", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j< msgLen; i+=2,j++) { + hex_from_2char(&buf[i], &msg[j]); + } + fputs(buf, resp); + /* calculate the Message Digest */ + memset(MD, 0, sizeof MD); + if (sha_calcMD(MD, MDlen, + msg, msgLen) != SECSuccess) { + goto loser; + } + + fputs("MD = ", resp); + to_hex_str(buf, MD, MDlen); + fputs(buf, resp); + fputc('\n', resp); + + continue; + } + /* Seed = ... */ + if (strncmp(buf, "Seed", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j<sizeof seed; i+=2,j++) { + hex_from_2char(&buf[i], &seed[j]); + } + + fputs(buf, resp); + fputc('\n', resp); + + /* do the Monte Carlo test */ + if (sha_mct_test(MDlen, seed, resp) != SECSuccess) { + goto loser; + } + + continue; + } + } +loser: + fclose(req); + if (buf) { + PORT_ZFree(buf, bufSize); + } + if (msg) { + PORT_ZFree(msg, msgLen); + } +} + +/****************************************************/ +/* HMAC SHA-X calc */ +/* hmac_computed - the computed HMAC */ +/* hmac_length - the length of the computed HMAC */ +/* secret_key - secret key to HMAC */ +/* secret_key_length - length of secret key, */ +/* message - message to HMAC */ +/* message_length - length ofthe message */ +/****************************************************/ +static SECStatus +hmac_calc(unsigned char *hmac_computed, + const unsigned int hmac_length, + const char *secret_key, + const unsigned int secret_key_length, + const char *message, + const unsigned int message_length, + const HASH_HashType hashAlg ) +{ + SECStatus hmac_status = SECFailure; + HMACContext *cx = NULL; + SECHashObject *hashObj = NULL; + unsigned int bytes_hashed = 0; + + hashObj = (SECHashObject *) HASH_GetRawHashObject(hashAlg); + + if (!hashObj) + return( SECFailure ); + + cx = HMAC_Create(hashObj, secret_key, + secret_key_length, + PR_TRUE); /* PR_TRUE for in FIPS mode */ + + if (cx == NULL) + return( SECFailure ); + + HMAC_Begin(cx); + HMAC_Update(cx, message, message_length); + hmac_status = HMAC_Finish(cx, hmac_computed, &bytes_hashed, + hmac_length); + + HMAC_Destroy(cx, PR_TRUE); + + return( hmac_status ); +} + +/* + * Perform the HMAC Tests. + * + * reqfn is the pathname of the input REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ +void hmac_test(char *reqfn) +{ + int i, j; + size_t bufSize = 288; /* MAX buffer size */ + char *buf = NULL; /* holds one line from the input REQUEST file.*/ + unsigned int keyLen; /* Key Length */ + char key[140]; /* key MAX size = 140 */ + unsigned int msgLen = 128; /* the length of the input */ + /* Message is always 128 Bytes */ + char *msg = NULL; /* holds the message to digest.*/ + unsigned int HMACLen; /* the length of the HMAC Bytes */ + unsigned char HMAC[HASH_LENGTH_MAX]; /* computed HMAC */ + HASH_HashType hash_alg; /* HMAC type */ + + FILE *req; /* input stream from the REQUEST file */ + FILE *resp; /* output stream to the RESPONSE file */ + + buf = PORT_ZAlloc(bufSize); + if (buf == NULL) { + goto loser; + } + msg = PORT_ZAlloc(msgLen); + memset(msg, 0, msgLen); + if (msg == NULL) { + goto loser; + } + + req = fopen(reqfn, "r"); + resp = stdout; + while (fgets(buf, bufSize, req) != NULL) { + + /* a comment or blank line */ + if (buf[0] == '#' || buf[0] == '\n') { + fputs(buf, resp); + continue; + } + /* [L = Length of the MAC and HASH_type */ + if (buf[0] == '[') { + if (strncmp(&buf[1], "L ", 1) == 0) { + i = 2; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + /* HMACLen will get reused for Tlen */ + HMACLen = atoi(&buf[i]); + /* set the HASH algorithm for HMAC */ + if (HMACLen == SHA1_LENGTH) { + hash_alg = HASH_AlgSHA1; + } else if (HMACLen == SHA256_LENGTH) { + hash_alg = HASH_AlgSHA256; + } else if (HMACLen == SHA384_LENGTH) { + hash_alg = HASH_AlgSHA384; + } else if (HMACLen == SHA512_LENGTH) { + hash_alg = HASH_AlgSHA512; + } else { + goto loser; + } + fputs(buf, resp); + continue; + } + } + /* Count = test iteration number*/ + if (strncmp(buf, "Count ", 5) == 0) { + /* count can just be put into resp file */ + fputs(buf, resp); + /* zeroize the variables for the test with this data set */ + keyLen = 0; + HMACLen = 0; + memset(key, 0, sizeof key); + memset(msg, 0, sizeof msg); + memset(HMAC, 0, sizeof HMAC); + continue; + } + /* KLen = Length of the Input Secret Key ... */ + if (strncmp(buf, "Klen", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + keyLen = atoi(&buf[i]); /* in bytes */ + fputs(buf, resp); + continue; + } + /* key = the secret key for the key to MAC */ + if (strncmp(buf, "Key", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j< keyLen; i+=2,j++) { + hex_from_2char(&buf[i], &key[j]); + } + fputs(buf, resp); + } + /* TLen = Length of the calculated HMAC */ + if (strncmp(buf, "Tlen", 4) == 0) { + i = 4; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + HMACLen = atoi(&buf[i]); /* in bytes */ + fputs(buf, resp); + continue; + } + /* MSG = to HMAC always 128 bytes for these tests */ + if (strncmp(buf, "Msg", 3) == 0) { + i = 3; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + for (j=0; j< msgLen; i+=2,j++) { + hex_from_2char(&buf[i], &msg[j]); + } + fputs(buf, resp); + /* calculate the HMAC and output */ + if (hmac_calc(HMAC, HMACLen, key, keyLen, + msg, msgLen, hash_alg) != SECSuccess) { + goto loser; + } + fputs("MAC = ", resp); + to_hex_str(buf, HMAC, HMACLen); + fputs(buf, resp); + fputc('\n', resp); + continue; + } + } +loser: + fclose(req); + if (buf) { + PORT_ZFree(buf, bufSize); + } + if (msg) { + PORT_ZFree(msg, msgLen); + } +} + int main(int argc, char **argv) { - unsigned char key[24]; - unsigned char inp[24]; - unsigned char iv[8]; if (argc < 2) exit (-1); NSS_NoDB_Init(NULL); - memset(inp, 0, sizeof inp); - /*************/ - /* DES */ - /*************/ - /**** ECB ****/ - /* encrypt */ - if ( strcmp(argv[1], "des_5_1_1_1") == 0) { - printf("Variable Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_var_pt_kat(NSS_DES, PR_TRUE, 8, key, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_1_2") == 0) { - printf("Inverse Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_inv_perm_kat(NSS_DES, PR_TRUE, 8, key, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_1_3") == 0) { - printf("Variable Key Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_var_key_kat(NSS_DES, PR_TRUE, 8, key, NULL, inp); - } else if (strcmp(argv[1], "des_5_1_1_4") == 0) { - printf("Permutation Operation Known Answer Test - Encryption\n\n"); - des_perm_op_kat(NSS_DES, PR_TRUE, 8, NULL, NULL, inp); - } else if (strcmp(argv[1], "des_5_1_1_5") == 0) { - printf("Substitution Table Known Answer Test - Encryption\n\n"); - des_sub_tbl_kat(NSS_DES, PR_TRUE, 8, NULL, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_1_6") == 0) { - printf("Modes Test for the Encryption Process\n\n"); - des_modes(NSS_DES, PR_TRUE, 8, des_ecb_enc_key, - NULL, des_ecb_enc_inp, 0); - /* decrypt */ - } else if (strcmp(argv[1], "des_5_1_2_1") == 0) { - printf("Variable Ciphertext Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_var_pt_kat(NSS_DES, PR_FALSE, 8, key, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_2_2") == 0) { - printf("Inverse Permutation Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_inv_perm_kat(NSS_DES, PR_FALSE, 8, key, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_2_3") == 0) { - printf("Variable Key Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_var_key_kat(NSS_DES, PR_FALSE, 8, key, NULL, inp); - } else if (strcmp(argv[1], "des_5_1_2_4") == 0) { - printf("Permutation Operation Known Answer Test - Decryption\n\n"); - des_perm_op_kat(NSS_DES, PR_FALSE, 8, NULL, NULL, inp); - } else if (strcmp(argv[1], "des_5_1_2_5") == 0) { - printf("Substitution Table Known Answer Test - Decryption\n\n"); - des_sub_tbl_kat(NSS_DES, PR_FALSE, 8, NULL, NULL, NULL); - } else if (strcmp(argv[1], "des_5_1_2_6") == 0) { - printf("Modes Test for the Decryption Process\n\n"); - des_modes(NSS_DES, PR_FALSE, 8, des_ecb_dec_key, - NULL, des_ecb_dec_inp, 0); - /**** CBC ****/ - /* encrypt */ - } else if (strcmp(argv[1], "des_5_2_1_1") == 0) { - printf("Variable Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_pt_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_1_2") == 0) { - printf("Inverse Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_inv_perm_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_1_3") == 0) { - printf("Variable Key Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_key_kat(NSS_DES_CBC, PR_TRUE, 8, key, iv, inp); - } else if (strcmp(argv[1], "des_5_2_1_4") == 0) { - printf("Permutation Operation Known Answer Test - Encryption\n\n"); - memset(iv, 0, sizeof iv); - des_perm_op_kat(NSS_DES_CBC, PR_TRUE, 8, NULL, iv, inp); - } else if (strcmp(argv[1], "des_5_2_1_5") == 0) { - printf("Substitution Table Known Answer Test - Encryption\n\n"); - memset(iv, 0, sizeof iv); - des_sub_tbl_kat(NSS_DES_CBC, PR_TRUE, 8, NULL, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_1_6") == 0) { - printf("Modes Test for the Encryption Process\n\n"); - des_modes(NSS_DES_CBC, PR_TRUE, 8, des_cbc_enc_key, - des_cbc_enc_iv, des_cbc_enc_inp, 0); - /* decrypt */ - } else if (strcmp(argv[1], "des_5_2_2_1") == 0) { - printf("Variable Ciphertext Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_pt_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_2_2") == 0) { - printf("Inverse Permutation Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_inv_perm_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_2_3") == 0) { - printf("Variable Key Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_key_kat(NSS_DES_CBC, PR_FALSE, 8, key, iv, inp); - } else if (strcmp(argv[1], "des_5_2_2_4") == 0) { - printf("Permutation Operation Known Answer Test - Decryption\n\n"); - memset(iv, 0, sizeof iv); - des_perm_op_kat(NSS_DES_CBC, PR_FALSE, 8, NULL, iv, inp); - } else if (strcmp(argv[1], "des_5_2_2_5") == 0) { - printf("Substitution Table Known Answer Test - Decryption\n\n"); - memset(iv, 0, sizeof iv); - des_sub_tbl_kat(NSS_DES_CBC, PR_FALSE, 8, NULL, iv, NULL); - } else if (strcmp(argv[1], "des_5_2_2_6") == 0) { - printf("Modes Test for the Decryption Process\n\n"); - des_modes(NSS_DES_CBC, PR_FALSE, 8, des_cbc_dec_key, - des_cbc_dec_iv, des_cbc_dec_inp, 0); /*************/ /* TDEA */ /*************/ - /**** ECB ****/ - /* encrypt */ - } else if (strcmp(argv[1], "tdea_5_1_1_1") == 0) { - printf("Variable Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_var_pt_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_1_2") == 0) { - printf("Inverse Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_inv_perm_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_1_3") == 0) { - printf("Variable Key Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - des_var_key_kat(NSS_DES_EDE3, PR_TRUE, 24, key, NULL, inp); - } else if (strcmp(argv[1], "tdea_5_1_1_4") == 0) { - printf("Permutation Operation Known Answer Test - Encryption\n\n"); - des_perm_op_kat(NSS_DES_EDE3, PR_TRUE, 24, NULL, NULL, inp); - } else if (strcmp(argv[1], "tdea_5_1_1_5") == 0) { - printf("Substitution Table Known Answer Test - Encryption\n\n"); - des_sub_tbl_kat(NSS_DES_EDE3, PR_TRUE, 24, NULL, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_1_6_3") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datecbmontee1\n\n"); - des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea1_ecb_enc_key, - NULL, tdea1_ecb_enc_inp, 1); - } else if (strcmp(argv[1], "tdea_5_1_1_6_2") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datecbmontee2\n\n"); - des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea2_ecb_enc_key, - NULL, tdea2_ecb_enc_inp, 2); - } else if (strcmp(argv[1], "tdea_5_1_1_6_1") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datecbmontee3\n\n"); - des_modes(NSS_DES_EDE3, PR_TRUE, 24, tdea3_ecb_enc_key, - NULL, tdea3_ecb_enc_inp, 3); - /* decrypt */ - } else if (strcmp(argv[1], "tdea_5_1_2_1") == 0) { - printf("Variable Ciphertext Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_var_pt_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_2_2") == 0) { - printf("Inverse Permutation Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_inv_perm_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_2_3") == 0) { - printf("Variable Key Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - des_var_key_kat(NSS_DES_EDE3, PR_FALSE, 24, key, NULL, inp); - } else if (strcmp(argv[1], "tdea_5_1_2_4") == 0) { - printf("Permutation Operation Known Answer Test - Decryption\n\n"); - des_perm_op_kat(NSS_DES_EDE3, PR_FALSE, 24, NULL, NULL, inp); - } else if (strcmp(argv[1], "tdea_5_1_2_5") == 0) { - printf("Substitution Table Known Answer Test - Decryption\n\n"); - des_sub_tbl_kat(NSS_DES_EDE3, PR_FALSE, 24, NULL, NULL, NULL); - } else if (strcmp(argv[1], "tdea_5_1_2_6_3") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datecbmonted1\n\n"); - des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea1_ecb_dec_key, - NULL, tdea1_ecb_dec_inp, 1); - } else if (strcmp(argv[1], "tdea_5_1_2_6_2") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datecbmonted2\n\n"); - des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea2_ecb_dec_key, - NULL, tdea2_ecb_dec_inp, 2); - } else if (strcmp(argv[1], "tdea_5_1_2_6_1") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datecbmonted3\n\n"); - des_modes(NSS_DES_EDE3, PR_FALSE, 24, tdea3_ecb_dec_key, - NULL, tdea3_ecb_dec_inp, 3); - /**** CBC ****/ - /* encrypt */ - } else if (strcmp(argv[1], "tdea_5_2_1_1") == 0) { - printf("Variable Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_pt_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_1_2") == 0) { - printf("Inverse Plaintext Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_inv_perm_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_1_3") == 0) { - printf("Variable Key Known Answer Test - Encryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_key_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, key, iv, inp); - } else if (strcmp(argv[1], "tdea_5_2_1_4") == 0) { - printf("Permutation Operation Known Answer Test - Encryption\n\n"); - memset(iv, 0, sizeof iv); - des_perm_op_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, NULL, iv, inp); - } else if (strcmp(argv[1], "tdea_5_2_1_5") == 0) { - memset(iv, 0, sizeof iv); - printf("Substitution Table Known Answer Test - Encryption\n\n"); - des_sub_tbl_kat(NSS_DES_EDE3_CBC, PR_TRUE, 24, NULL, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_1_6_3") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmontee1\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea1_cbc_enc_key, - tdea1_cbc_enc_iv, tdea1_cbc_enc_inp, 1); - } else if (strcmp(argv[1], "tdea_5_2_1_6_2") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmontee2\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea2_cbc_enc_key, - tdea2_cbc_enc_iv, tdea2_cbc_enc_inp, 2); - } else if (strcmp(argv[1], "tdea_5_2_1_6_1") == 0) { - printf("Modes Test for the Encryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmontee3\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_TRUE, 24, tdea3_cbc_enc_key, - tdea3_cbc_enc_iv, tdea3_cbc_enc_inp, 3); - /* decrypt */ - } else if (strcmp(argv[1], "tdea_5_2_2_1") == 0) { - printf("Variable Ciphertext Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_pt_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_2_2") == 0) { - printf("Inverse Permutation Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_inv_perm_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_2_3") == 0) { - printf("Variable Key Known Answer Test - Decryption\n\n"); - memset(key, 1, sizeof key); - memset(iv, 0, sizeof iv); - des_var_key_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, key, iv, inp); - } else if (strcmp(argv[1], "tdea_5_2_2_4") == 0) { - printf("Permutation Operation Known Answer Test - Decryption\n\n"); - memset(iv, 0, sizeof iv); - des_perm_op_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, NULL, iv, inp); - } else if (strcmp(argv[1], "tdea_5_2_2_5") == 0) { - printf("Substitution Table Known Answer Test - Decryption\n\n"); - memset(iv, 0, sizeof iv); - des_sub_tbl_kat(NSS_DES_EDE3_CBC, PR_FALSE, 24, NULL, iv, NULL); - } else if (strcmp(argv[1], "tdea_5_2_2_6_3") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmonted1\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea1_cbc_dec_key, - tdea1_cbc_dec_iv, tdea1_cbc_dec_inp, 1); - } else if (strcmp(argv[1], "tdea_5_2_2_6_2") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmonted2\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea2_cbc_dec_key, - tdea2_cbc_dec_iv, tdea2_cbc_dec_inp, 2); - } else if (strcmp(argv[1], "tdea_5_2_2_6_1") == 0) { - printf("Modes Test for the Decryption Process\n"); - printf("DATA FILE UTILIZED: datcbcmonted3\n\n"); - des_modes(NSS_DES_EDE3_CBC, PR_FALSE, 24, tdea3_cbc_dec_key, - tdea3_cbc_dec_iv, tdea3_cbc_dec_inp, 3); + if (strcmp(argv[1], "tdea") == 0) { + /* argv[2]=kat|mmt|mct argv[3]=ecb|cbc argv[4]=<test name>.req */ + if (strcmp(argv[2], "kat") == 0) { + /* Known Answer Test (KAT) */ + tdea_kat_mmt(argv[4]); + } else if (strcmp(argv[2], "mmt") == 0) { + /* Multi-block Message Test (MMT) */ + tdea_kat_mmt(argv[4]); + } else if (strcmp(argv[2], "mct") == 0) { + /* Monte Carlo Test (MCT) */ + if (strcmp(argv[3], "ecb") == 0) { + /* ECB mode */ + tdea_mct(NSS_DES_EDE3, argv[4]); + } else if (strcmp(argv[3], "cbc") == 0) { + /* CBC mode */ + tdea_mct(NSS_DES_EDE3_CBC, argv[4]); + } + } /*************/ /* AES */ /*************/ @@ -2632,15 +3363,40 @@ int main(int argc, char **argv) } } /*************/ - /* SHS */ + /* SHA */ /*************/ - } else if (strcmp(argv[1], "shs") == 0) { - shs_test(argv[2]); + } else if (strcmp(argv[1], "sha") == 0) { + sha_test(argv[2]); + /*************/ + /* HMAC */ + /*************/ + } else if (strcmp(argv[1], "hmac") == 0) { + hmac_test(argv[2]); /*************/ /* DSS */ /*************/ } else if (strcmp(argv[1], "dss") == 0) { dss_test(argv[2], argv[3]); +#ifdef NSS_ENABLE_ECC + /*************/ + /* ECDSA */ + /*************/ + } else if (strcmp(argv[1], "ecdsa") == 0) { + /* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */ + if ( strcmp(argv[2], "keypair") == 0) { + /* Key Pair Generation Test */ + ecdsa_keypair_test(argv[3]); + } else if (strcmp(argv[2], "pkv") == 0) { + /* Public Key Validation Test */ + ecdsa_pkv_test(argv[3]); + } else if (strcmp(argv[2], "siggen") == 0) { + /* Signature Generation Test */ + ecdsa_siggen_test(argv[3]); + } else if (strcmp(argv[2], "sigver") == 0) { + /* Signature Verification Test */ + ecdsa_sigver_test(argv[3]); + } +#endif /* NSS_ENABLE_ECC */ /*************/ /* RNG */ /*************/ diff --git a/security/nss/cmd/fipstest/hmac.sh b/security/nss/cmd/fipstest/hmac.sh new file mode 100755 index 000000000..ace988c7f --- /dev/null +++ b/security/nss/cmd/fipstest/hmac.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +hmac_requests=" +HMAC.req +" + +for request in $hmac_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest hmac $request > $response +done + diff --git a/security/nss/cmd/fipstest/rng.sh b/security/nss/cmd/fipstest/rng.sh new file mode 100644 index 000000000..4b62a998d --- /dev/null +++ b/security/nss/cmd/fipstest/rng.sh @@ -0,0 +1,29 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST RNG Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +vst_requests=" +FIPS186_VST.req +FIPS186_VSTGEN.req +" +mct_requests=" +FIPS186_MCT.req +FIPS186_MCTGEN.req +" + +for request in $vst_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest rng vst $request > $response +done +for request in $mct_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest rng mct $request > $response +done diff --git a/security/nss/cmd/fipstest/rsa.sh b/security/nss/cmd/fipstest/rsa.sh new file mode 100644 index 000000000..4b68a58bc --- /dev/null +++ b/security/nss/cmd/fipstest/rsa.sh @@ -0,0 +1,20 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST RSA Validation System +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + + +request=SigGen15.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest rsa siggen $request > $response + +request=SigVer15.req +response=`echo $request | sed -e "s/req/rsp/"` +echo $request $response +fipstest rsa sigver $request > $response diff --git a/security/nss/cmd/fipstest/sha.sh b/security/nss/cmd/fipstest/sha.sh new file mode 100644 index 000000000..685a41b00 --- /dev/null +++ b/security/nss/cmd/fipstest/sha.sh @@ -0,0 +1,46 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST SHA Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +sha_ShortMsg_requests=" +SHA1ShortMsg.req +SHA256ShortMsg.req +SHA384ShortMsg.req +SHA512ShortMsg.req +" + +sha_LongMsg_requests=" +SHA1LongMsg.req +SHA256LongMsg.req +SHA384LongMsg.req +SHA512LongMsg.req +" + +sha_Monte_requests=" +SHA1Monte.req +SHA256Monte.req +SHA384Monte.req +SHA512Monte.req +" +for request in $sha_ShortMsg_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha $request > $response +done +for request in $sha_LongMsg_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha $request > $response +done +for request in $sha_Monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest sha $request > $response +done + diff --git a/security/nss/cmd/fipstest/tdea.sh b/security/nss/cmd/fipstest/tdea.sh new file mode 100644 index 000000000..505478039 --- /dev/null +++ b/security/nss/cmd/fipstest/tdea.sh @@ -0,0 +1,87 @@ +#!/bin/sh +# +# A Bourne shell script for running the NIST tdea Algorithm Validation Suite +# +# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +# variables appropriately so that the fipstest command and the NSPR and NSS +# shared libraries/DLLs are on the search path. Then run this script in the +# directory where the REQUEST (.req) files reside. The script generates the +# RESPONSE (.rsp) files in the same directory. + +#CBC_Known_Answer_tests +#Initial Permutation KAT +#Permutation Operation KAT +#Subsitution Table KAT +#Variable Key KAT +#Variable PlainText KAT +cbc_kat_requests=" +TCBCinvperm.req +TCBCpermop.req +TCBCsubtab.req +TCBCvarkey.req +TCBCvartext.req +" + +#CBC Monte Carlo KATs +cbc_monte_requests=" +TCBCMonte1.req +TCBCMonte2.req +TCBCMonte3.req +" +#Multi-block Message KATs +cbc_mmt_requests=" +TCBCMMT1.req +TCBCMMT2.req +TCBCMMT3.req +" + +ecb_kat_requests=" +TECBinvperm.req +TECBpermop.req +TECBsubtab.req +TECBvarkey.req +TECBvartext.req +" + +ecb_monte_requests=" +TECBMonte1.req +TECBMonte2.req +TECBMonte3.req +" + +ecb_mmt_requests=" +TECBMMT1.req +TECBMMT2.req +TECBMMT3.req +" + +for request in $ecb_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mmt ecb $request > $response +done +for request in $ecb_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea kat ecb $request > $response +done +for request in $ecb_monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mct ecb $request > $response +done +for request in $cbc_mmt_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mmt cbc $request > $response +done +for request in $cbc_kat_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea kat cbc $request > $response +done +for request in $cbc_monte_requests; do + response=`echo $request | sed -e "s/req/rsp/"` + echo $request $response + fipstest tdea mct cbc $request > $response +done diff --git a/security/nss/cmd/ilock/Makefile b/security/nss/cmd/ilock/Makefile new file mode 100644 index 000000000..9ee2a8f00 --- /dev/null +++ b/security/nss/cmd/ilock/Makefile @@ -0,0 +1,79 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/security/nss/cmd/ilock/ilock.c b/security/nss/cmd/ilock/ilock.c new file mode 100644 index 000000000..a62f9aacb --- /dev/null +++ b/security/nss/cmd/ilock/ilock.c @@ -0,0 +1,202 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape Portable Runtime (NSPR). + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1998-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +/* +** File: ilock.c +** Description: ilock.c is a unit test for nssilock. ilock.c +** tests the basic operation of nssilock. It should not be +** considered a complete test suite. +** +** To check that logging works, before running this test, +** define the following environment variables: +** +** +** +** +** +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <plgetopt.h> +#include <nspr.h> +#include <nssilock.h> + + +/* +** Test harness infrastructure +*/ +PRLogModuleInfo *lm; +PRLogModuleLevel msgLevel = PR_LOG_NONE; +PRIntn debug = 0; +PRUint32 failed_already = 0; +/* end Test harness infrastructure */ + +PRIntn optIterations = 1; /* default iterations */ + +PRIntn main(PRIntn argc, char *argv[]) +{ + PRIntn i; + { + /* + ** Get command line options + */ + PLOptStatus os; + PLOptState *opt = PL_CreateOptState(argc, argv, "hdvi:"); + + while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) + { + if (PL_OPT_BAD == os) continue; + switch (opt->option) + { + case 'd': /* debug */ + debug = 1; + msgLevel = PR_LOG_ERROR; + break; + case 'v': /* verbose mode */ + msgLevel = PR_LOG_DEBUG; + break; + case 'i': /* number of iterations */ + optIterations = atol( opt->value ); + if ( 0 == optIterations ) optIterations = 1; /* coerce default on zero */ + break; + default: + break; + } + } + PL_DestroyOptState(opt); + } + + for ( i = 0 ; i < optIterations ; i++ ) { + /* First, test Lock */ + { + PZLock *pl; + PZMonitor *pm; + PZCondVar *cv; + PRStatus rc; + + pl = PZ_NewLock( nssILockOther ); + if ( NULL == pl ) { + failed_already = PR_TRUE; + goto Finished; + } + PZ_Lock( pl ); + + rc = PZ_Unlock( pl ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + PZ_DestroyLock( pl ); + + /* now, test CVar */ + /* re-create the lock we just destroyed */ + pl = PZ_NewLock( nssILockOther ); + if ( NULL == pl ) { + failed_already = PR_TRUE; + goto Finished; + } + + cv = PZ_NewCondVar( pl ); + if ( NULL == cv ) { + failed_already = PR_TRUE; + goto Finished; + } + + PZ_Lock( pl ); + rc = PZ_NotifyCondVar( cv ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + + rc = PZ_NotifyAllCondVar( cv ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + + rc = PZ_WaitCondVar( cv, PR_SecondsToInterval(1)); + if ( PR_FAILURE == rc ) { + if ( PR_UNKNOWN_ERROR != PR_GetError()) { + failed_already = PR_TRUE; + goto Finished; + } + } + PZ_Unlock( pl ); + PZ_DestroyCondVar( cv ); + + /* Now, test Monitor */ + pm = PZ_NewMonitor( nssILockOther ); + if ( NULL == pm ) { + failed_already = PR_TRUE; + goto Finished; + } + + PZ_EnterMonitor( pm ); + + rc = PZ_Notify( pm ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + rc = PZ_NotifyAll( pm ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + rc = PZ_Wait( pm, PR_INTERVAL_NO_WAIT ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + rc = PZ_ExitMonitor( pm ); + if ( PR_FAILURE == rc ) { + failed_already = PR_TRUE; + goto Finished; + } + PZ_DestroyMonitor( pm ); + } + } /* --- end for() --- */ + + +Finished: + if (debug) printf("%s\n", (failed_already)? "FAIL" : "PASS"); + return( (failed_already == PR_TRUE )? 1 : 0 ); +} /* main() */ +/* end ilock.c */ + diff --git a/security/nss/cmd/ilock/manifest.mn b/security/nss/cmd/ilock/manifest.mn new file mode 100644 index 000000000..055b0a05b --- /dev/null +++ b/security/nss/cmd/ilock/manifest.mn @@ -0,0 +1,48 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../.. + +DEFINES += -DNSPR20 + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = ilock.c + +PROGRAM = ilock +# PROGRAM = ./$(OBJDIR)/ilock.exe + diff --git a/security/nss/cmd/include/secnew.h b/security/nss/cmd/include/secnew.h new file mode 100644 index 000000000..b8310596b --- /dev/null +++ b/security/nss/cmd/include/secnew.h @@ -0,0 +1,166 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#ifndef __secnew_h_ +#define __secnew_h_ + +#include <stdio.h> + +typedef struct BERTemplateStr BERTemplate; +typedef struct BERParseStr BERParse; +typedef struct SECArbStr SECArb; + +/* + * An array of these structures define an encoding for an object using + * DER. The array is terminated with an entry where kind == 0. + */ +struct BERTemplateStr { + /* Kind of item to decode/encode */ + unsigned long kind; + + /* + * Offset from base of structure to SECItem that will hold + * decoded/encoded value. + */ + unsigned short offset; + + /* + * Used with DER_SET or DER_SEQUENCE. If not zero then points to a + * sub-template. The sub-template is filled in and completed before + * continuing on. + */ + BERTemplate *sub; + + /* + * Argument value, dependent on kind. Size of structure to allocate + * when kind==DER_POINTER For Context-Specific Implicit types its the + * underlying type to use. + */ + unsigned long arg; +}; + +/* + * an arbitrary object + */ +struct SECArbStr { + unsigned long tag; /* NOTE: does not support high tag form */ + unsigned long length; /* as reported in stream */ + union { + SECItem item; + struct { + int numSubs; + SECArb **subs; + } cons; + } body; +}; + +/* + * Decode a piece of der encoded data. + * "dest" points to a structure that will be filled in with the + * decoding results. + * "t" is a template structure which defines the shape of the + * expected data. + * "src" is the ber encoded data. + */ + +extern SECStatus BER_Decode(PRArenaPool * arena, void *dest, BERTemplate *t, + SECArb *arb); + + +/* + * Encode a data structure into DER. + * "dest" will be filled in (and memory allocated) to hold the der + * encoded structure in "src" + * "t" is a template structure which defines the shape of the + * stored data + * "src" is a pointer to the structure that will be encoded + */ + +extern SECStatus BER_Encode(PRArenaPool *arena, SECItem *dest, BERTemplate *t, + void *src); + +/* + * Client provided function that will get called with all the bytes + * passing through the parser + */ +typedef void (*BERFilterProc)(void *instance, unsigned char *buf, int length); + +/* + * Client provided function that can will be called after the tag and + * length information has been collected. It can be set up to be called + * either before or after the data has been colleced. + */ +typedef void (*BERNotifyProc)( + void *instance, SECArb *arb, int depth, PRBool before); + +extern BERParse *BER_ParseInit(PRArenaPool *arena, PRBool forceDER); +extern SECArb *BER_ParseFini(BERParse *h); +extern SECStatus BER_ParseSome(BERParse *h, unsigned char *buf, int len); + +extern void BER_SetFilter(BERParse *h, BERFilterProc proc, void *instance); +extern void BER_SetLeafStorage(BERParse *h, PRBool keep); +extern void BER_SetNotifyProc(BERParse *h, BERNotifyProc proc, void *instance, + PRBool beforeData); + +/* + * A BERUnparseProc is used as a callback to put the encoded SECArb tree + * tree to some stream. It returns PR_TRUE if the unparsing is to be + * aborted. + */ +typedef SECStatus (*BERUnparseProc)( + void *instance, unsigned char *data, int length, SECArb* arb); + +/* + * BER_Unparse walks the SECArb tree calling the BERUnparseProc with + * various pieces. It returns SECFailure if there was an error during that + * tree walk. + */ +extern SECStatus BER_Unparse(SECArb *arb, BERUnparseProc proc, void *instance); + +/* + * BER_ResolveLengths does a recursive walk through the tree generating + * non-zero entries for the length field of each node. It will fail if it + * discoveres a non-constructed node with a unknown length data field. + * Leaves are supposed to be of known length. + */ +extern SECStatus BER_ResolveLengths(SECArb *arb); + +/* + * BER_PRettyPrintArb will write an ASCII version of the tree to the FILE + * out. + */ +extern SECStatus BER_PrettyPrintArb(FILE *out, SECArb* a); + +#endif /* __secnew_h_ */ diff --git a/security/nss/cmd/keyutil/Makefile b/security/nss/cmd/keyutil/Makefile new file mode 100644 index 000000000..eab21f369 --- /dev/null +++ b/security/nss/cmd/keyutil/Makefile @@ -0,0 +1,77 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include ../platrules.mk diff --git a/security/nss/cmd/keyutil/keyutil.c b/security/nss/cmd/keyutil/keyutil.c new file mode 100644 index 000000000..4da43a1bd --- /dev/null +++ b/security/nss/cmd/keyutil/keyutil.c @@ -0,0 +1,344 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include <stdio.h> +#include <string.h> +#include "secutil.h" + +#if defined(XP_UNIX) +#include <unistd.h> +#include <sys/time.h> +#include <termios.h> +#endif + +#include "secopt.h" + +#if defined(XP_WIN) +#include <time.h> +#include <conio.h> +#endif + +#if defined(__sun) && !defined(SVR4) +extern int fclose(FILE*); +extern int fprintf(FILE *, char *, ...); +extern int getopt(int, char**, char*); +extern int isatty(int); +extern char *optarg; +extern char *sys_errlist[]; +#define strerror(errno) sys_errlist[errno] +#endif + +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" + +static char *progName; + +static SECStatus +ListKeys(SECKEYKeyDBHandle *handle, FILE *out) +{ + int rt; + + rt = SECU_PrintKeyNames(handle, out); + if (rt) { + SECU_PrintError(progName, "unable to list nicknames"); + return SECFailure; + } + return SECSuccess; +} + +static SECStatus +DumpPublicKey(SECKEYKeyDBHandle *handle, char *nickname, FILE *out) +{ + SECKEYLowPrivateKey *privKey; + SECKEYLowPublicKey *publicKey; + + /* check if key actually exists */ + if (SECU_CheckKeyNameExists(handle, nickname) == PR_FALSE) { + SECU_PrintError(progName, "the key \"%s\" does not exist", nickname); + return SECFailure; + } + + /* Read in key */ + privKey = SECU_GetPrivateKey(handle, nickname); + if (!privKey) { + return SECFailure; + } + + publicKey = SECKEY_LowConvertToPublicKey(privKey); + + /* Output public key (in the clear) */ + switch(publicKey->keyType) { + case rsaKey: + fprintf(out, "RSA Public-Key:\n"); + SECU_PrintInteger(out, &publicKey->u.rsa.modulus, "modulus", 1); + SECU_PrintInteger(out, &publicKey->u.rsa.publicExponent, + "publicExponent", 1); + break; + case dsaKey: + fprintf(out, "DSA Public-Key:\n"); + SECU_PrintInteger(out, &publicKey->u.dsa.params.prime, "prime", 1); + SECU_PrintInteger(out, &publicKey->u.dsa.params.subPrime, + "subPrime", 1); + SECU_PrintInteger(out, &publicKey->u.dsa.params.base, "base", 1); + SECU_PrintInteger(out, &publicKey->u.dsa.publicValue, "publicValue", 1); + break; + default: + fprintf(out, "unknown key type\n"); + break; + } + return SECSuccess; +} + +static SECStatus +DumpPrivateKey(SECKEYKeyDBHandle *handle, char *nickname, FILE *out) +{ + SECKEYLowPrivateKey *key; + + /* check if key actually exists */ + if (SECU_CheckKeyNameExists(handle, nickname) == PR_FALSE) { + SECU_PrintError(progName, "the key \"%s\" does not exist", nickname); + return SECFailure; + } + + /* Read in key */ + key = SECU_GetPrivateKey(handle, nickname); + if (!key) { + SECU_PrintError(progName, "error retrieving key"); + return SECFailure; + } + + switch(key->keyType) { + case rsaKey: + fprintf(out, "RSA Private-Key:\n"); + SECU_PrintInteger(out, &key->u.rsa.modulus, "modulus", 1); + SECU_PrintInteger(out, &key->u.rsa.publicExponent, "publicExponent", 1); + SECU_PrintInteger(out, &key->u.rsa.privateExponent, + "privateExponent", 1); + SECU_PrintInteger(out, &key->u.rsa.prime1, "prime1", 1); + SECU_PrintInteger(out, &key->u.rsa.prime2, "prime2", 1); + SECU_PrintInteger(out, &key->u.rsa.exponent1, "exponent1", 1); + SECU_PrintInteger(out, &key->u.rsa.exponent2, "exponent2", 1); + SECU_PrintInteger(out, &key->u.rsa.coefficient, "coefficient", 1); + break; + case dsaKey: + fprintf(out, "DSA Private-Key:\n"); + SECU_PrintInteger(out, &key->u.dsa.params.prime, "prime", 1); + SECU_PrintInteger(out, &key->u.dsa.params.subPrime, "subPrime", 1); + SECU_PrintInteger(out, &key->u.dsa.params.base, "base", 1); + SECU_PrintInteger(out, &key->u.dsa.publicValue, "publicValue", 1); + SECU_PrintInteger(out, &key->u.dsa.privateValue, "privateValue", 1); + break; + default: + fprintf(out, "unknown key type\n"); + break; + } + return SECSuccess; +} + +static SECStatus +ChangePassword(SECKEYKeyDBHandle *handle) +{ + SECStatus rv; + + /* Write out database with a new password */ + rv = SECU_ChangeKeyDBPassword(handle, NULL); + if (rv) { + SECU_PrintError(progName, "unable to change key password"); + } + return rv; +} + +static SECStatus +DeletePrivateKey (SECKEYKeyDBHandle *keyHandle, char *nickName) +{ + SECStatus rv; + + rv = SECU_DeleteKeyByName (keyHandle, nickName); + if (rv != SECSuccess) + fprintf(stderr, "%s: problem deleting private key (%s)\n", + progName, SECU_Strerror(PR_GetError())); + return (rv); + +} + + +static void +Usage(const char *progName) +{ + fprintf(stderr, + "Usage: %s -p name [-d keydir]\n", progName); + fprintf(stderr, + " %s -P name [-d keydir]\n", progName); + fprintf(stderr, + " %s -D name [-d keydir]\n", progName); + fprintf(stderr, + " %s -l [-d keydir]\n", progName); + fprintf(stderr, + " %s -c [-d keydir]\n", progName); + + fprintf(stderr, "%-20s Pretty print public key info for named key\n", + "-p nickname"); + fprintf(stderr, "%-20s Pretty print private key info for named key\n", + "-P nickname"); + fprintf(stderr, "%-20s Delete named private key from the key database\n", + "-D nickname"); + fprintf(stderr, "%-20s List the nicknames for the keys in a database\n", + "-l"); + fprintf(stderr, "%-20s Change the key database password\n", + "-c"); + fprintf(stderr, "\n"); + fprintf(stderr, "%-20s Key database directory (default is ~/.netscape)\n", + "-d keydir"); + + exit(-1); +} + +int main(int argc, char **argv) +{ + int o, changePassword, deleteKey, dumpPublicKey, dumpPrivateKey, list; + char *nickname; + SECStatus rv; + SECKEYKeyDBHandle *keyHandle; + + progName = strrchr(argv[0], '/'); + progName = progName ? progName+1 : argv[0]; + + /* Parse command line arguments */ + changePassword = deleteKey = dumpPublicKey = dumpPrivateKey = list = 0; + nickname = NULL; + + while ((o = getopt(argc, argv, "ADP:cd:glp:")) != -1) { + switch (o) { + case '?': + Usage(progName); + break; + + case 'A': + fprintf(stderr, "%s: Can no longer add a key.", progName); + fprintf(stderr, " Use pkcs12 to import a key.\n\n"); + Usage(progName); + break; + + case 'D': + deleteKey = 1; + nickname = optarg; + break; + + case 'P': + dumpPrivateKey = 1; + nickname = optarg; + break; + + case 'c': + changePassword = 1; + break; + + case 'd': + SECU_ConfigDirectory(optarg); + break; + + case 'g': + fprintf(stderr, "%s: Can no longer generate a key.", progName); + fprintf(stderr, " Use certutil to generate a cert request.\n\n"); + Usage(progName); + break; + + case 'l': + list = 1; + break; + + case 'p': + dumpPublicKey = 1; + nickname = optarg; + break; + } + } + + if (dumpPublicKey+changePassword+dumpPrivateKey+list+deleteKey != 1) + Usage(progName); + + if ((list || changePassword) && nickname) + Usage(progName); + + if ((dumpPublicKey || dumpPrivateKey || deleteKey) && !nickname) + Usage(progName); + + + /* Call the libsec initialization routines */ + PR_Init( PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + SEC_Init(); + + /* + * XXX Note that the following opens the key database writable. + * If dumpPublicKey or dumpPrivateKey or list, though, we only want + * to open it read-only. There needs to be a better interface + * to the initialization routines so that we can specify which way + * to open it. + */ + rv = SECU_PKCS11Init(); + if (rv != SECSuccess) { + SECU_PrintError(progName, "SECU_PKCS11Init failed"); + return -1; + } + + keyHandle = SECKEY_GetDefaultKeyDB(); + if (keyHandle == NULL) { + SECU_PrintError(progName, "could not open key database"); + return -1; + } + + SECU_RegisterDynamicOids(); + if (dumpPublicKey) { + rv = DumpPublicKey(keyHandle, nickname, stdout); + } else + if (changePassword) { + rv = ChangePassword(keyHandle); + } else + if (dumpPrivateKey) { + rv = DumpPrivateKey(keyHandle, nickname, stdout); + } else + if (list) { + rv = ListKeys(keyHandle, stdout); + } else + if (deleteKey) { + rv = DeletePrivateKey(keyHandle, nickname); + } + + + return rv ? -1 : 0; +} diff --git a/security/nss/cmd/keyutil/manifest.mn b/security/nss/cmd/keyutil/manifest.mn new file mode 100644 index 000000000..ec2d043c8 --- /dev/null +++ b/security/nss/cmd/keyutil/manifest.mn @@ -0,0 +1,54 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +CORE_DEPTH = ../../.. + +DEFINES += -DNSPR20 + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = \ + keyutil.c \ + $(NULL) + +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. +REQUIRES = seccmd dbm + + +PROGRAM = keyutil diff --git a/security/nss/cmd/pkiutil/Makefile b/security/nss/cmd/pkiutil/Makefile new file mode 100644 index 000000000..865888882 --- /dev/null +++ b/security/nss/cmd/pkiutil/Makefile @@ -0,0 +1,80 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include platlibs.mk + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/security/nss/cmd/pkiutil/manifest.mn b/security/nss/cmd/pkiutil/manifest.mn new file mode 100644 index 000000000..e82483ca1 --- /dev/null +++ b/security/nss/cmd/pkiutil/manifest.mn @@ -0,0 +1,51 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +CORE_DEPTH = ../../.. + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = \ + pkiutil.c \ + $(NULL) + +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. +REQUIRES = dbm seccmd + +PROGRAM = pkiutil diff --git a/security/nss/cmd/pkiutil/pkiutil.c b/security/nss/cmd/pkiutil/pkiutil.c new file mode 100644 index 000000000..b059baa87 --- /dev/null +++ b/security/nss/cmd/pkiutil/pkiutil.c @@ -0,0 +1,376 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#include "nspr.h" +#include "prtypes.h" +#include "prtime.h" +#include "prlong.h" +#include "nss.h" +#include "cmdutil.h" +#include "nsspki.h" +/* hmmm...*/ +#include "pki.h" + +#define PKIUTIL_VERSION_STRING "pkiutil version 0.1" + +char *progName = NULL; + +typedef struct { + PRBool raw; + PRBool ascii; + char *name; + PRFileDesc *file; +} objOutputMode; + +typedef enum { + PKIUnknown = -1, + PKICertificate, + PKIPublicKey, + PKIPrivateKey, + PKIAny +} PKIObjectType; + +static PKIObjectType +get_object_class(char *type) +{ + if (strcmp(type, "certificate") == 0 || strcmp(type, "cert") == 0 || + strcmp(type, "Certificate") == 0 || strcmp(type, "Cert") == 0) { + return PKICertificate; + } else if (strcmp(type, "public_key") == 0 || + strcmp(type, "PublicKey") == 0) { + return PKIPublicKey; + } else if (strcmp(type, "private_key") == 0 || + strcmp(type, "PrivateKey") == 0) { + return PKIPrivateKey; + } else if (strcmp(type, "all") == 0 || strcmp(type, "any") == 0) { + return PKIAny; + } + fprintf(stderr, "%s: \"%s\" is not a valid PKCS#11 object type.\n", + progName, type); + return PKIUnknown; +} + +static PRStatus +print_cert_callback(NSSCertificate *c, void *arg) +{ + int i; + NSSUTF8 *label; + NSSItem *id; + label = NSSCertificate_GetLabel(c); + printf("%s\n", label); + nss_ZFreeIf((void*)label); +#if 0 + id = NSSCertificate_GetID(c); + for (i=0; i<id->size; i++) { + printf("%c", ((char *)id->data)[i]); + } + printf("\n"); +#endif + return PR_SUCCESS; +} + +/* pkiutil commands */ +enum { + cmd_Add = 0, + cmd_Dump, + cmd_List, + cmd_Version, + pkiutil_num_commands +}; + +/* pkiutil options */ +enum { + opt_Help = 0, + opt_Ascii, + opt_ProfileDir, + opt_TokenName, + opt_InputFile, + opt_Nickname, + opt_OutputFile, + opt_Binary, + opt_Trust, + opt_Type, + pkiutil_num_options +}; + +static cmdCommandLineArg pkiutil_commands[] = +{ + { /* cmd_Add */ 'A', "add", CMDNoArg, 0, PR_FALSE, + CMDBIT(opt_Nickname) | CMDBIT(opt_Trust), + CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) + | CMDBIT(opt_TokenName) | CMDBIT(opt_InputFile) + | CMDBIT(opt_Binary) | CMDBIT(opt_Type) }, + { /* cmd_Dump */ 0 , "dump", CMDNoArg, 0, PR_FALSE, + CMDBIT(opt_Nickname), + CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) + | CMDBIT(opt_TokenName) | CMDBIT(opt_Binary) + | CMDBIT(opt_Type) }, + { /* cmd_List */ 'L', "list", CMDNoArg, 0, PR_FALSE, 0, + CMDBIT(opt_Ascii) | CMDBIT(opt_ProfileDir) + | CMDBIT(opt_TokenName) | CMDBIT(opt_Binary) + | CMDBIT(opt_Nickname) | CMDBIT(opt_Type) }, + { /* cmd_Version */ 'Y', "version", CMDNoArg, 0, PR_FALSE, 0, 0 } +}; + +static cmdCommandLineOpt pkiutil_options[] = +{ + { /* opt_Help */ '?', "help", CMDNoArg, 0, PR_FALSE }, + { /* opt_Ascii */ 'a', "ascii", CMDNoArg, 0, PR_FALSE }, + { /* opt_ProfileDir */ 'd', "dbdir", CMDArgReq, 0, PR_FALSE }, + { /* opt_TokenName */ 'h', "token", CMDArgReq, 0, PR_FALSE }, + { /* opt_InputFile */ 'i', "infile", CMDArgReq, 0, PR_FALSE }, + { /* opt_Nickname */ 'n', "nickname", CMDArgReq, 0, PR_FALSE }, + { /* opt_OutputFile */ 'o', "outfile", CMDArgReq, 0, PR_FALSE }, + { /* opt_Binary */ 'r', "raw", CMDNoArg, 0, PR_FALSE }, + { /* opt_Trust */ 't', "trust", CMDArgReq, 0, PR_FALSE }, + { /* opt_Type */ 0 , "type", CMDArgReq, 0, PR_FALSE } +}; + +void pkiutil_usage(cmdPrintState *ps, + int num, PRBool cmd, PRBool header, PRBool footer) +{ +#define pusg CMD_PrintUsageString + if (header) { + pusg(ps, "utility for managing PKCS#11 objects (certs and keys)\n"); + } else if (footer) { + /* + printf("certificate trust can be:\n"); + printf(" p - valid peer, P - trusted peer (implies p)\n"); + printf(" c - valid CA\n"); + printf(" T - trusted CA to issue client certs (implies c)\n"); + printf(" C - trusted CA to issue server certs (implies c)\n"); + printf(" u - user cert\n"); + printf(" w - send warning\n"); + */ + } else if (cmd) { + switch(num) { + case cmd_Add: + pusg(ps, "Add an object to the token"); break; + case cmd_Dump: + pusg(ps, "Dump a single object"); break; + case cmd_List: + pusg(ps, "List objects on the token (-n for single object)"); break; + case cmd_Version: + pusg(ps, "Report version"); break; + default: + pusg(ps, "Unrecognized command"); break; + } + } else { + switch(num) { + case opt_Ascii: + pusg(ps, "Use ascii (base-64 encoded) mode for I/O"); break; + case opt_ProfileDir: + pusg(ps, "Directory containing security databases (def: \".\")"); + break; + case opt_TokenName: + pusg(ps, "Name of PKCS#11 token to use (def: internal)"); break; + case opt_InputFile: + pusg(ps, "File for input (def: stdin)"); break; + case opt_Nickname: + pusg(ps, "Nickname of object"); break; + case opt_OutputFile: + pusg(ps, "File for output (def: stdout)"); break; + case opt_Binary: + pusg(ps, "Use raw (binary der-encoded) mode for I/O"); break; + case opt_Trust: + pusg(ps, "Trust level for certificate"); break; + case opt_Help: break; + default: + pusg(ps, "Unrecognized option"); + } + } +} + +int +main(int argc, char **argv) +{ + PRFileDesc *infile = NULL; + PRFileDesc *outfile = NULL; + char *profiledir = "./"; +#if 0 + secuPWData pwdata = { PW_NONE, 0 }; +#endif + int objclass = 3; /* ANY */ + NSSTrustDomain *root_cert_td = NULL; + char *rootpath = NULL; + char builtin_name[]= "libnssckbi.so"; /* temporary hardcode */ + PRStatus rv = PR_SUCCESS; + + int cmdToRun; + cmdCommand pkiutil; + pkiutil.ncmd = pkiutil_num_commands; + pkiutil.nopt = pkiutil_num_options; + pkiutil.cmd = pkiutil_commands; + pkiutil.opt = pkiutil_options; + + progName = strrchr(argv[0], '/'); + progName = progName ? progName+1 : argv[0]; + + cmdToRun = CMD_ParseCommandLine(argc, argv, progName, &pkiutil); + +#if 0 + { int i, nc; + for (i=0; i<pkiutil.ncmd; i++) + printf("%s: %s <%s>\n", pkiutil.cmd[i].s, + (pkiutil.cmd[i].on) ? "on" : "off", + pkiutil.cmd[i].arg); + for (i=0; i<pkiutil.nopt; i++) + printf("%s: %s <%s>\n", pkiutil.opt[i].s, + (pkiutil.opt[i].on) ? "on" : "off", + pkiutil.opt[i].arg); + } +#endif + + if (pkiutil.opt[opt_Help].on) + CMD_LongUsage(progName, &pkiutil, pkiutil_usage); + + if (cmdToRun < 0) + CMD_Usage(progName, &pkiutil); + + /* -d */ + if (pkiutil.opt[opt_ProfileDir].on) { + profiledir = strdup(pkiutil.opt[opt_ProfileDir].arg); + } + + /* -i */ + if (pkiutil.opt[opt_InputFile].on) { + char *fn = pkiutil.opt[opt_InputFile].arg; + infile = PR_Open(fn, PR_RDONLY, 0660); + } else { + infile = PR_STDIN; + } + + /* -o */ + if (pkiutil.opt[opt_OutputFile].on) { + char *fn = pkiutil.opt[opt_OutputFile].arg; + outfile = PR_Open(fn, PR_WRONLY | PR_CREATE_FILE, 0660); + } else { + outfile = PR_STDOUT; + } + + /* --type can be found on many options */ + if (pkiutil.opt[opt_Type].on) + objclass = get_object_class(pkiutil.opt[opt_Type].arg); + else if (cmdToRun == cmd_Dump && pkiutil.cmd[cmd_Dump].arg) + objclass = get_object_class(pkiutil.cmd[cmd_Dump].arg); + else if (cmdToRun == cmd_List && pkiutil.cmd[cmd_List].arg) + objclass = get_object_class(pkiutil.cmd[cmd_List].arg); + else if (cmdToRun == cmd_Add && pkiutil.cmd[cmd_Add].arg) + objclass = get_object_class(pkiutil.cmd[cmd_Add].arg); + if (objclass < 0) + goto done; + + /* --print is an alias for --list --nickname */ + if (cmdToRun == cmd_Dump) cmdToRun = cmd_List; + + /* if list has raw | ascii must have -n. can't have both raw and ascii */ + if (pkiutil.opt[opt_Binary].on || pkiutil.opt[opt_Ascii].on) { + if (cmdToRun == cmd_List && !pkiutil.opt[opt_Nickname].on) { + fprintf(stderr, "%s: specify a object to output with -n\n", + progName); + CMD_LongUsage(progName, &pkiutil, pkiutil_usage); + } + } + + /* initialize */ + PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1); + /* NSS_InitReadWrite(profiledir); */ + NSS_NoDB_Init(NULL); + + /* Display version info and exit */ + if (cmdToRun == cmd_Version) { + printf("%s\nNSS Version %s\n", PKIUTIL_VERSION_STRING, NSS_VERSION); + goto done; + } + + /* XXX okay - bootstrap stan by loading the root cert module for testing */ + root_cert_td = NSSTrustDomain_Create(NULL, NULL, NULL, NULL); + { + int rootpathlen = strlen(profiledir) + strlen(builtin_name) + 1; + rootpath = (char *)malloc(rootpathlen); + memcpy(rootpath, profiledir, strlen(profiledir)); + memcpy(rootpath + strlen(profiledir), + builtin_name, strlen(builtin_name)); + rootpath[rootpathlen - 1] = '\0'; + } + NSSTrustDomain_LoadModule(root_cert_td, "Builtin Root Module", rootpath, + NULL, NULL); + + printf("\n"); + if (pkiutil.opt[opt_Nickname].on) { + int i; + NSSCertificate **certs; + NSSCertificate *cert; + certs = NSSTrustDomain_FindCertificatesByNickname(root_cert_td, + pkiutil.opt[opt_Nickname].arg, NULL, 0, NULL); + i = 0; + while ((cert = certs[i++]) != NULL) { + printf("Found cert:\n"); + print_cert_callback(cert, NULL); + } + } else { + NSSTrustDomain_TraverseCertificates(root_cert_td, print_cert_callback, 0); + } + + NSSTrustDomain_Destroy(root_cert_td); + + /* List token objects */ + if (cmdToRun == cmd_List) { +#if 0 + rv = list_token_objects(slot, objclass, + pkiutil.opt[opt_Nickname].arg, + pkiutil.opt[opt_Binary].on, + pkiutil.opt[opt_Ascii].on, + outfile, &pwdata); +#endif + goto done; + } + +#if 0 + /* Import an object into the token. */ + if (cmdToRun == cmd_Add) { + rv = add_object_to_token(slot, object); + goto done; + } +#endif + +done: + if (NSS_Shutdown() != SECSuccess) { + exit(1); + } + + return rv; +} diff --git a/security/nss/cmd/pkiutil/platlibs.mk b/security/nss/cmd/pkiutil/platlibs.mk new file mode 100644 index 000000000..d0cd7ee58 --- /dev/null +++ b/security/nss/cmd/pkiutil/platlibs.mk @@ -0,0 +1,57 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS) +EXTRA_LIBS += \ + $(DIST)/lib/libcmdutil.$(LIB_SUFFIX) \ + $(NULL) + +ifeq ($(OS_ARCH), AIX) +EXTRA_SHARED_LIBS += -brtl +endif + +# $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS) +# $(EXTRA_SHARED_LIBS) come before $(OS_LIBS), except on AIX. +EXTRA_SHARED_LIBS += \ + -L$(DIST)/lib/ \ + -lnsspki3 \ + -lnss3 \ + -lplc4 \ + -lplds4 \ + -lnspr4 \ + $(NULL) + diff --git a/security/nss/cmd/shlibsign/sign.sh b/security/nss/cmd/shlibsign/sign.sh index 97c582a79..764012d7b 100644 --- a/security/nss/cmd/shlibsign/sign.sh +++ b/security/nss/cmd/shlibsign/sign.sh @@ -50,6 +50,8 @@ OpenVMS) export DYLD_LIBRARY_PATH LIBRARY_PATH=${1}/lib:${4}:$LIBRARY_PATH export LIBRARY_PATH + ADDON_PATH=${1}/lib:${4}:$ADDON_PATH + export ADDON_PATH echo ${2}/shlibsign -v -i ${5} ${2}/shlibsign -v -i ${5} ;; diff --git a/security/nss/cmd/sslstrength/Makefile b/security/nss/cmd/sslstrength/Makefile new file mode 100644 index 000000000..7cfeaac2a --- /dev/null +++ b/security/nss/cmd/sslstrength/Makefile @@ -0,0 +1,86 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../platlibs.mk + +ifeq (,$(filter-out WINNT WIN95 WIN16,$(OS_TARGET))) # omits WINCE +ifndef BUILD_OPT +LDFLAGS += /subsystem:console /profile /debug /machine:I386 /incremental:no +OS_CFLAGS += -D_CONSOLE +endif +endif + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + +#include ../platlibs.mk + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include ../platrules.mk + diff --git a/security/nss/cmd/sslstrength/manifest.mn b/security/nss/cmd/sslstrength/manifest.mn new file mode 100644 index 000000000..ceb49dd59 --- /dev/null +++ b/security/nss/cmd/sslstrength/manifest.mn @@ -0,0 +1,54 @@ +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +CORE_DEPTH = ../../.. + +MODULE = nss + +EXPORTS = + +CSRCS = sslstrength.c \ + $(NULL) + +PROGRAM = sslstrength + +REQUIRES = dbm seccmd + +DEFINES += -DDLL_PREFIX=\"$(DLL_PREFIX)\" -DDLL_SUFFIX=\"$(DLL_SUFFIX)\" + +PACKAGE_FILES = sslstrength + +ARCHIVE_NAME = sslstrength diff --git a/security/nss/cmd/sslstrength/sslstr.cgi b/security/nss/cmd/sslstrength/sslstr.cgi new file mode 100644 index 000000000..dc632eebf --- /dev/null +++ b/security/nss/cmd/sslstrength/sslstr.cgi @@ -0,0 +1,300 @@ +#!/usr/bin/perl +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + + +use CGI qw(:standard); + + + +# Replace this will the full path to the sslstrength executable. +$sslstrength = "./sslstrength"; + + +# Replace this with the name of this CGI. + +$sslcgi = "sslstr.cgi"; + + +$query = new CGI; + +print header; + +print "<HTML><HEAD> +<SCRIPT language='javascript'> + +function doexport(form) { + form.ssl2ciphers.options[0].selected=0; + form.ssl2ciphers.options[1].selected=0; + form.ssl2ciphers.options[2].selected=0; + form.ssl2ciphers.options[3].selected=0; + form.ssl2ciphers.options[4].selected=1; + form.ssl2ciphers.options[5].selected=1; + + form.ssl3ciphers.options[0].selected=1; + form.ssl3ciphers.options[1].selected=1; + form.ssl3ciphers.options[2].selected=0; + form.ssl3ciphers.options[3].selected=1; + form.ssl3ciphers.options[4].selected=1; + form.ssl3ciphers.options[5].selected=1; + form.ssl3ciphers.options[6].selected=0; + form.ssl3ciphers.options[7].selected=0; + + +} + +function dodomestic(form) { + form.ssl2ciphers.options[0].selected=1; + form.ssl2ciphers.options[1].selected=1; + form.ssl2ciphers.options[2].selected=1; + form.ssl2ciphers.options[3].selected=1; + form.ssl2ciphers.options[4].selected=1; + form.ssl2ciphers.options[5].selected=1; + + form.ssl3ciphers.options[0].selected=1; + form.ssl3ciphers.options[1].selected=1; + form.ssl3ciphers.options[2].selected=1; + form.ssl3ciphers.options[3].selected=1; + form.ssl3ciphers.options[4].selected=1; + form.ssl3ciphers.options[5].selected=1; + form.ssl3ciphers.options[6].selected=1; + form.ssl3ciphers.options[7].selected=1; + +} + +function doclearssl2(form) { + form.ssl2ciphers.options[0].selected=0; + form.ssl2ciphers.options[1].selected=0; + form.ssl2ciphers.options[2].selected=0; + form.ssl2ciphers.options[3].selected=0; + form.ssl2ciphers.options[4].selected=0; + form.ssl2ciphers.options[5].selected=0; +} + + +function doclearssl3(form) { + form.ssl3ciphers.options[0].selected=0; + form.ssl3ciphers.options[1].selected=0; + form.ssl3ciphers.options[2].selected=0; + form.ssl3ciphers.options[3].selected=0; + form.ssl3ciphers.options[4].selected=0; + form.ssl3ciphers.options[5].selected=0; + form.ssl3ciphers.options[6].selected=0; + form.ssl3ciphers.options[7].selected=0; + +} + +function dohost(form,hostname) { + form.host.value=hostname; + } + + + +</SCRIPT> +<TITLE>\n"; +print "SSLStrength\n"; +print "</TITLE></HEAD>\n"; + +print "<h1>SSLStrength</h1>\n"; + +if ($query->param('dotest')) { + print "Output from sslstrength: \n"; + print "<pre>\n"; + + $cs = ""; + + @ssl2ciphers = $query->param('ssl2ciphers'); + for $cipher (@ssl2ciphers) { + if ($cipher eq "SSL_EN_RC2_128_WITH_MD5") { $cs .= "a"; } + if ($cipher eq "SSL_EN_RC2_128_CBC_WITH_MD5") { $cs .= "b"; } + if ($cipher eq "SSL_EN_DES_192_EDE3_CBC_WITH_MD5") { $cs .= "c"; } + if ($cipher eq "SSL_EN_DES_64_CBC_WITH_MD5") { $cs .= "d"; } + if ($cipher eq "SSL_EN_RC4_128_EXPORT40_WITH_MD5") { $cs .= "e"; } + if ($cipher eq "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5") { $cs .= "f"; } + } + + @ssl3ciphers = $query->param('ssl3ciphers'); + for $cipher (@ssl3ciphers) { + if ($cipher eq "SSL_RSA_WITH_RC4_128_MD5") { $cs .= "i"; } + if ($cipher eq "SSL_RSA_WITH_3DES_EDE_CBC_SHA") { $cs .= "j"; } + if ($cipher eq "SSL_RSA_WITH_DES_CBC_SHA") { $cs .= "k"; } + if ($cipher eq "SSL_RSA_EXPORT_WITH_RC4_40_MD5") { $cs .= "l"; } + if ($cipher eq "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5") { $cs .= "m"; } + if ($cipher eq "SSL_RSA_WITH_NULL_MD5") { $cs .= "o"; } + if ($cipher eq "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA") { $cs .= "p"; } + if ($cipher eq "SSL_RSA_FIPS_WITH_DES_CBC_SHA") { $cs .= "q"; } + } + + $hs = $query->param('host'); + if ($hs eq "") { + print "</pre>You must specify a host to connect to.<br><br>\n"; + exit(0); + } + + $ps = $query->param('policy'); + + $cmdstring = "$sslstrength $hs policy=$ps ciphers=$cs"; + + print "running sslstrength:\n"; + print "$cmdstring\n"; + + $r = open(SSLS, "$cmdstring |"); + if ($r == 0) { + print "<pre>There was a problem starting $cmdstring<br><br>\n"; + exit(0); + } + while (<SSLS>) { + print "$_"; + } + close(SSLS); + + + print "</pre>\n"; + +} + +else { +print "<FORM method=post action=$sslcgi>\n"; +print "<hr> +<h2>Host Name</h2> +<TABLE BORDER=0 CELLPADDING=20> +<TR> +<TD> +Type hostname here:<br> +<input type=text name=host size=30> <br><br> +<TD> + <b>Or click these buttons to test some well-known servers</b><br> + <TABLE BORDER=0> + <TR> + <TD> + Export servers: + <TD> + <input type=button value='F-Tech' onclick=dohost(this.form,'strongbox.ftech.net')> + </TR> + <TR> + <TD> + Domestic servers: + <TD> + <input type=button value='Wells Fargo' onclick=dohost(this.form,'banking.wellsfargo.com')> + </TR> + <TR> + <TD> + Step-Up Servers + <TD> + <input type=button value='Barclaycard' onclick=dohost(this.form,'enigma.barclaycard.co.uk')> + <input type=button value='BBVnet' onclick=dohost(this.form,'www.bbvnet.com')> + <input type=button value='BHIF' onclick=dohost(this.form,'empresas.bhif.cl')> + </TR> + </TABLE> +</TR> +</TABLE> +<br> +<hr> +<br> +<h2>Encryption policy</h2> +<input type=radio name=policy VALUE=export onclick=doexport(this.form)> +Export<br> +<input type=radio name=policy VALUE=domestic CHECKED onclick=dodomestic(this.form)> +Domestic<br> +<br> +<hr> +<br> +<h2>Cipher Selection</h2> +(use ctrl to multi-select)<br> +<table> +<tr> +<td>SSL 2 Ciphers +<td> +<SELECT NAME=ssl2ciphers SIZE=6 MULTIPLE align=bottom> +<OPTION SELECTED>SSL_EN_RC4_128_WITH_MD5 +<OPTION SELECTED>SSL_EN_RC2_128_CBC_WITH_MD5 +<OPTION SELECTED>SSL_EN_DES_192_EDE3_CBC_WITH_MD5 +<OPTION SELECTED>SSL_EN_DES_64_CBC_WITH_MD5 +<OPTION SELECTED>SSL_EN_RC4_128_EXPORT40_WITH_MD5 +<OPTION SELECTED>SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 +</SELECT> +<input type=button Value='Clear all' onclick = 'doclearssl2(this.form)'> +</tr> +<tr> +<td>SSL3 Ciphers +<td> +<SELECT NAME=ssl3ciphers SIZE=8 MULTIPLE> +<OPTION SELECTED>SSL_RSA_WITH_RC4_128_MD5 +<OPTION SELECTED>SSL_RSA_WITH_3DES_EDE_CBC_SHA +<OPTION SELECTED>SSL_RSA_WITH_DES_CBC_SHA +<OPTION SELECTED>SSL_RSA_EXPORT_WITH_RC4_40_MD5 +<OPTION SELECTED>SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 +<OPTION SELECTED>SSL_RSA_WITH_NULL_MD5 +<OPTION SELECTED>SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA +<OPTION SELECTED>SSL_RSA_FIPS_WITH_DES_CBC_SHA +</SELECT> +<input type=button value='Clear all' onclick = 'doclearssl3(this.form)'> + +<TD> +<input type=submit name=dotest value='Run SSLStrength'> +</tr> +</table> +<input type=hidden name=dotest> +<br> +<br> +</form> +\n"; + +} + + +exit(0); + + +__END__ + + id CipherName Domestic Export + a SSL_EN_RC4_128_WITH_MD5 (ssl2) Yes No + b SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2) Yes No + c SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2) Yes No + d SSL_EN_DES_64_CBC_WITH_MD5 (ssl2) Yes No + e SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2) Yes Yes + f SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2) Yes Yes + i SSL_RSA_WITH_RC4_128_MD5 (ssl3) Yes Step-up only + j SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3) Yes Step-up only + k SSL_RSA_WITH_DES_CBC_SHA (ssl3) Yes No + l SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3) Yes Yes + m SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3) Yes Yes + o SSL_RSA_WITH_NULL_MD5 (ssl3) Yes Yes + + + diff --git a/security/nss/cmd/sslstrength/sslstrength.c b/security/nss/cmd/sslstrength/sslstrength.c new file mode 100644 index 000000000..ee4c0a692 --- /dev/null +++ b/security/nss/cmd/sslstrength/sslstrength.c @@ -0,0 +1,625 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +#ifdef SSLTELNET +#include <termios.h> +#endif + +/* Portable layer header files */ +#include "prinit.h" +#include "prprf.h" +#include "prsystem.h" +#include "prmem.h" +#include "plstr.h" +#include "prnetdb.h" +#include "prinrval.h" + +#include "secutil.h" + +/* Security library files */ +#include "cert.h" +#include "ssl.h" +#include "sslproto.h" +#include "secmod.h" +#include "nss.h" + +/* define this if you want telnet capability! */ + +/* #define SSLTELNET 1 */ + +PRInt32 debug; + +#ifdef DEBUG_stevep +#define dbmsg(x) if (verbose) PR_fprintf(PR_STDOUT,x); +#else +#define dbmsg(x) ; +#endif + + +/* Set SSL Policy to Domestic (strong=1) or Export (strong=0) */ + +#define ALLOW(x) SSL_CipherPolicySet(x,SSL_ALLOWED); SSL_CipherPrefSetDefault(x,1); +#define DISALLOW(x) SSL_CipherPolicySet(x,SSL_NOT_ALLOWED); SSL_CipherPrefSetDefault(x,0); +#define MAYBEALLOW(x) SSL_CipherPolicySet(x,SSL_RESTRICTED); SSL_CipherPrefSetDefault(x,1); + +struct CipherPolicy { + char number; + long id; + char *name; + PRInt32 pref; + PRInt32 domestic; + PRInt32 export; +}; + +struct CipherPolicy ciphers[] = { + { 'a',SSL_EN_RC4_128_WITH_MD5, "SSL_EN_RC4_128_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'b',SSL_EN_RC2_128_CBC_WITH_MD5, "SSL_EN_RC2_128_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'c',SSL_EN_DES_192_EDE3_CBC_WITH_MD5, "SSL_EN_DES_192_EDE3_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'd',SSL_EN_DES_64_CBC_WITH_MD5, "SSL_EN_DES_64_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'e',SSL_EN_RC4_128_EXPORT40_WITH_MD5, "SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, + { 'f',SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, +#ifdef FORTEZZA + { 'g',SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",1,SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'h',SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, +#endif + { 'i',SSL_RSA_WITH_RC4_128_MD5, "SSL_RSA_WITH_RC4_128_MD5 (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, + { 'j',SSL_RSA_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, + { 'k',SSL_RSA_WITH_DES_CBC_SHA, "SSL_RSA_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'l',SSL_RSA_EXPORT_WITH_RC4_40_MD5, "SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, + { 'm',SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, +#ifdef FORTEZZA + { 'n',SSL_FORTEZZA_DMS_WITH_NULL_SHA, "SSL_FORTEZZA_DMS_WITH_NULL_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, +#endif + { 'o',SSL_RSA_WITH_NULL_MD5, "SSL_RSA_WITH_NULL_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, + { 'p',SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, + { 'q',SSL_RSA_FIPS_WITH_DES_CBC_SHA, "SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED } + +}; + +void PrintErrString(char *progName,char *msg) { + + PRErrorCode e = PORT_GetError(); + char *s=NULL; + + + if ((e >= PR_NSPR_ERROR_BASE) && (e < PR_MAX_ERROR)) { + + if (e == PR_DIRECTORY_LOOKUP_ERROR) + s = PL_strdup("Hostname Lookup Failed"); + else if (e == PR_NETWORK_UNREACHABLE_ERROR) + s = PL_strdup("Network Unreachable"); + else if (e == PR_CONNECT_TIMEOUT_ERROR) + s = PL_strdup("Connection Timed Out"); + else s = PR_smprintf("%d",e); + + if (!s) return; + } + else { + s = PL_strdup(SECU_ErrorString(e)); + } + + PR_fprintf(PR_STDOUT,"%s: ",progName); + if (s) { + if (*s) + PR_fprintf(PR_STDOUT, "%s\n", s); + else + PR_fprintf(PR_STDOUT, "\n"); + + PR_Free(s); + } + +} + +void PrintCiphers(int onlyenabled) { + int ciphercount,i; + + if (onlyenabled) { + PR_fprintf(PR_STDOUT,"Your Cipher preference:\n"); + } + + ciphercount = sizeof(ciphers)/sizeof(struct CipherPolicy); + PR_fprintf(PR_STDOUT, + " %s %-45s %-12s %-12s\n","id","CipherName","Domestic","Export"); + + for (i=0;i<ciphercount;i++) { + if ( (onlyenabled ==0) || ((onlyenabled==1)&&(ciphers[i].pref))) { + PR_fprintf(PR_STDOUT, + " %c %-45s %-12s %-12s\n",ciphers[i].number,ciphers[i].name, + (ciphers[i].domestic==SSL_ALLOWED)?"Yes": + ( (ciphers[i].domestic==SSL_NOT_ALLOWED)?"No":"Step-up only"), + (ciphers[i].export==SSL_ALLOWED)?"Yes": + ( (ciphers[i].export==SSL_NOT_ALLOWED)?"No":"Step-up only")); + } + } +} + + +void SetPolicy(char *c,int policy) { /* policy==1 : domestic, policy==0, export */ + int i,j,cpolicy; + /* first, enable all relevant ciphers according to policy */ + for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) { + SSL_CipherPolicySet(ciphers[j].id,policy?ciphers[j].domestic:ciphers[j].export); + SSL_CipherPrefSetDefault(ciphers[j].id, PR_FALSE); + ciphers[j].pref =0; + } + + + for (i=0;i<(int)PL_strlen(c);i++) { + for (j=0;j<(sizeof(ciphers)/sizeof(struct CipherPolicy));j++) { + if (ciphers[j].number == c[i]) { + cpolicy = policy?ciphers[j].domestic:ciphers[j].export; + if (cpolicy == SSL_NOT_ALLOWED) { + PR_fprintf(PR_STDOUT, "You're trying to enable a cipher (%c:%s) outside of your policy. ignored\n", + c[i],ciphers[j].name); + } + else { + ciphers[j].pref=1; + SSL_CipherPrefSetDefault(ciphers[j].id, PR_TRUE); + } + } + } + } +} + + +int MyAuthCertificateHook(void *arg, PRFileDesc *fd, PRBool checksig, PRBool isserver) { + return SECSuccess; +} + + +void Usage() { +#ifdef SSLTELNET + PR_fprintf(PR_STDOUT,"SSLTelnet "); +#else + PR_fprintf(PR_STDOUT,"SSLStrength (No telnet functionality) "); +#endif + PR_fprintf(PR_STDOUT,"Version 1.5\n"); + + PR_fprintf(PR_STDOUT,"Usage:\n sslstrength hostname[:port] [ciphers=xyz] [certdir=x] [debug] [verbose] " +#ifdef SSLTELNET +"[telnet]|[servertype]|[querystring=<string>] " +#endif +"[policy=export|domestic]\n sslstrength ciphers\n"); +} + + +PRInt32 debug = 0; +PRInt32 verbose = 0; + +PRInt32 main(PRInt32 argc,char **argv, char **envp) +{ + + + /* defaults for command line arguments */ + char *hostnamearg=NULL; + char *portnumarg=NULL; + char *sslversionarg=NULL; + char *keylenarg=NULL; + char *certdir=NULL; + char *hostname; + char *nickname=NULL; + char *progname=NULL; + /* struct sockaddr_in addr; */ + PRNetAddr addr; + + int ss_on; + char *ss_cipher; + int ss_keysize; + int ss_secretsize; + char *ss_issuer; + char *ss_subject; + int policy=1; + char *set_ssl_policy=NULL; + int print_ciphers=0; + + char buf[10]; + char netdbbuf[PR_NETDB_BUF_SIZE]; + PRHostEnt hp; + PRStatus r; + PRNetAddr na; + SECStatus rv; + int portnum=443; /* default https: port */ + PRFileDesc *s,*fd; + + CERTCertDBHandle *handle; + CERTCertificate *c; + PRInt32 i; +#ifdef SSLTELNET + struct termios tmp_tc; + char cb; + int prev_lflag,prev_oflag,prev_iflag; + int t_fin,t_fout; + int servertype=0, telnet=0; + char *querystring=NULL; +#endif + + debug = 0; + + progname = (char *)PL_strrchr(argv[0], '/'); + progname = progname ? progname+1 : argv[0]; + + /* Read in command line args */ + if (argc == 1) { + Usage(); + return(0); + } + + if (! PL_strcmp("ciphers",argv[1])) { + PrintCiphers(0); + exit(0); + } + + hostname = argv[1]; + + if (!PL_strcmp(hostname , "usage") || !PL_strcmp(hostname, "-help") ) { + Usage(); + exit(0); + } + + if ((portnumarg = PL_strchr(hostname,':'))) { + *portnumarg = 0; + portnumarg = &portnumarg[1]; + } + + if (portnumarg) { + if (*portnumarg == 0) { + PR_fprintf(PR_STDOUT,"malformed port number supplied\n"); + return(1); + } + portnum = atoi(portnumarg); + } + + for (i = 2 ; i < argc; i++) + { + if (!PL_strncmp(argv[i] , "sslversion=",11) ) + sslversionarg=&(argv[i][11]); + else if (!PL_strncmp(argv[i], "certdir=",8) ) + certdir = &(argv[i][8]); + else if (!PL_strncmp(argv[i], "ciphers=",8) ) + { + set_ssl_policy=&(argv[i][8]); + } + else if (!PL_strncmp(argv[i], "policy=",7) ) { + if (!PL_strcmp(&(argv[i][7]),"domestic")) policy=1; + else if (!PL_strcmp(&(argv[i][7]),"export")) policy=0; + else { + PR_fprintf(PR_STDOUT,"sslstrength: invalid argument. policy must be one of (domestic,export)\n"); + } + } + else if (!PL_strcmp(argv[i] , "debug") ) + debug = 1; +#ifdef SSLTELNET + else if (!PL_strcmp(argv[i] , "telnet") ) + telnet = 1; + else if (!PL_strcmp(argv[i] , "servertype") ) + servertype = 1; + else if (!PL_strncmp(argv[i] , "querystring=",11) ) + querystring = &argv[i][12]; +#endif + else if (!PL_strcmp(argv[i] , "verbose") ) + verbose = 1; + } + +#ifdef SSLTELNET + if (telnet && (servertype || querystring)) { + PR_fprintf(PR_STDOUT,"You can't use telnet and (server or querystring) options at the same time\n"); + exit(1); + } +#endif + + PR_fprintf(PR_STDOUT,"Using %s policy\n",policy?"domestic":"export"); + + /* allow you to set env var SSLDIR to set the cert directory */ + if (! certdir) certdir = SECU_DefaultSSLDir(); + + /* if we don't have one still, initialize with no databases */ + if (!certdir) { + rv = NSS_NoDB_Init(NULL); + + (void) SECMOD_AddNewModule("Builtins", DLL_PREFIX"nssckbi."DLL_SUFFIX,0,0); + } else { + rv = NSS_Init(certdir); + SECU_ConfigDirectory(certdir); + } + + /* Lookup host */ + r = PR_GetHostByName(hostname,netdbbuf,PR_NETDB_BUF_SIZE,&hp); + + if (r) { + PrintErrString(progname,"Host Name lookup failed"); + return(1); + } + + /* should the third field really be 0? */ + + PR_EnumerateHostEnt(0,&hp,0,&na); + PR_InitializeNetAddr(PR_IpAddrNull,portnum,&na); + + PR_fprintf(PR_STDOUT,"Connecting to %s:%d\n",hostname, portnum); + + /* Create socket */ + + fd = PR_NewTCPSocket(); + if (fd == NULL) { + PrintErrString(progname, "error creating socket"); + return -1; + } + + s = SSL_ImportFD(NULL,fd); + if (s == NULL) { + PrintErrString(progname, "error creating socket"); + return -1; + } + + dbmsg("10: About to enable security\n"); + + rv = SSL_OptionSet(s, SSL_SECURITY, PR_TRUE); + if (rv < 0) { + PrintErrString(progname, "error enabling socket"); + return -1; + } + + if (set_ssl_policy) { + SetPolicy(set_ssl_policy,policy); + } + else { + PR_fprintf(PR_STDOUT,"Using all ciphersuites usually found in client\n"); + if (policy) { + SetPolicy("abcdefghijklmnopqrst",policy); + } + else { + SetPolicy("efghijlmo",policy); + } + } + + PrintCiphers(1); + + rv = SSL_OptionSet(s, SSL_HANDSHAKE_AS_CLIENT, PR_TRUE); + if (rv < 0) { + PrintErrString(progname, "error enabling client handshake"); + return -1; + } + + dbmsg("30: About to set AuthCertificateHook\n"); + + + SSL_AuthCertificateHook(s, MyAuthCertificateHook, (void *)handle); + /* SSL_AuthCertificateHook(s, SSL_AuthCertificate, (void *)handle); */ + /* SSL_GetClientAuthDataHook(s, GetClientAuthDataHook, (void *)nickname);*/ + + + dbmsg("40: About to SSLConnect\n"); + + /* Try to connect to the server */ + /* now SSL_Connect takes new arguments. */ + + + r = PR_Connect(s, &na, PR_TicksPerSecond()*5); + if (r < 0) { + PrintErrString(progname, "unable to connect"); + return -1; + } + + rv = SSL_ForceHandshake(s); + + if (rv) { + PrintErrString(progname,"SSL Handshake failed. "); + exit(1); + } + + rv = SSL_SecurityStatus(s, &ss_on, &ss_cipher, + &ss_keysize, &ss_secretsize, + &ss_issuer, &ss_subject); + + + dbmsg("60: done with security status, about to print\n"); + + c = SSL_PeerCertificate(s); + if (!c) PR_fprintf(PR_STDOUT,"Couldn't retrieve peers Certificate\n"); + PR_fprintf(PR_STDOUT,"SSL Connection Status\n",rv); + + PR_fprintf(PR_STDOUT," Cipher: %s\n",ss_cipher); + PR_fprintf(PR_STDOUT," Key Size: %d\n",ss_keysize); + PR_fprintf(PR_STDOUT," Secret Key Size: %d\n",ss_secretsize); + PR_fprintf(PR_STDOUT," Issuer: %s\n",ss_issuer); + PR_fprintf(PR_STDOUT," Subject: %s\n",ss_subject); + + PR_fprintf(PR_STDOUT," Valid: from %s to %s\n", + c==NULL?"???":DER_TimeChoiceDayToAscii(&c->validity.notBefore), + c==NULL?"???":DER_TimeChoiceDayToAscii(&c->validity.notAfter)); + +#ifdef SSLTELNET + + + + + if (servertype || querystring) { + char buffer[1024]; + char ch; + char qs[] = "HEAD / HTTP/1.0"; + + + + + if (!querystring) querystring = qs; + PR_fprintf(PR_STDOUT,"\nServer query mode\n>>Sending:\n%s\n",querystring); + + PR_fprintf(PR_STDOUT,"\n*** Server said:\n"); + ch = querystring[PL_strlen(querystring)-1]; + if (ch == '"' || ch == '\'') { + PR_fprintf(PR_STDOUT,"Warning: I'm not smart enough to cope with quotes mid-string like that\n"); + } + + rv = PR_Write(s,querystring,PL_strlen(querystring)); + if ((rv < 1) ) { + PR_fprintf(PR_STDOUT,"Oh dear - couldn't send servertype query\n"); + goto closedown; + } + + rv = PR_Write(s,"\r\n\r\n",4); + rv = PR_Read(s,buffer,1024); + if ((rv < 1) ) { + PR_fprintf(PR_STDOUT,"Oh dear - couldn't read server repsonse\n"); + goto closedown; + } + PR_Write(PR_STDOUT,buffer,rv); + } + + + if (telnet) { + + PR_fprintf(PR_STDOUT,"---------------------------\n" + "telnet mode. CTRL-C to exit\n" + "---------------------------\n"); + + + + /* fudge terminal attributes */ + t_fin = PR_FileDesc2NativeHandle(PR_STDIN); + t_fout = PR_FileDesc2NativeHandle(PR_STDOUT); + + tcgetattr(t_fin,&tmp_tc); + prev_lflag = tmp_tc.c_lflag; + prev_oflag = tmp_tc.c_oflag; + prev_iflag = tmp_tc.c_iflag; + tmp_tc.c_lflag &= ~ECHO; + /* tmp_tc.c_oflag &= ~ONLCR; */ + tmp_tc.c_lflag &= ~ICANON; + tmp_tc.c_iflag &= ~ICRNL; + tmp_tc.c_cflag |= CS8; + tmp_tc.c_cc[VMIN] = 1; + tmp_tc.c_cc[VTIME] = 0; + + tcsetattr(t_fin, TCSANOW, &tmp_tc); + /* ioctl(tin, FIONBIO, (char *)&onoff); + ioctl(tout, FIONBIO, (char *)&onoff);*/ + + + { + PRPollDesc pds[2]; + char buffer[1024]; + int amt,amtwritten; + char *x; + + /* STDIN */ + pds[0].fd = PR_STDIN; + pds[0].in_flags = PR_POLL_READ; + pds[1].fd = s; + pds[1].in_flags = PR_POLL_READ | PR_POLL_EXCEPT; + + while (1) { + int nfds; + + nfds = PR_Poll(pds,2,PR_SecondsToInterval(2)); + if (nfds == 0) continue; + + /** read input from keyboard*/ + /* note: this is very inefficient if reading from a file */ + + if (pds[0].out_flags & PR_POLL_READ) { + amt = PR_Read(PR_STDIN,&buffer,1); + /* PR_fprintf(PR_STDOUT,"fd[0]:%d=%d\r\n",amt,buffer[0]); */ + if (amt == 0) { + PR_fprintf(PR_STDOUT,"\n"); + goto loser; + } + + if (buffer[0] == '\r') { + buffer[0] = '\r'; + buffer[1] = '\n'; + amt = 2; + } + rv = PR_Write(PR_STDOUT,buffer,amt); + + + rv = PR_Write(s,buffer,amt); + if (rv == -1) { + PR_fprintf(PR_STDOUT,"Error writing to socket: %d\n",PR_GetError()); + } + } + + /***/ + + + /***/ + if (pds[1].out_flags & PR_POLL_EXCEPT) { + PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n"); + goto loser; + } + if (pds[1].out_flags & PR_POLL_READ) { + amt = PR_Read(s,&buffer,1024); + + if (amt == 0) { + PR_fprintf(PR_STDOUT,"\r\nServer closed connection\r\n"); + goto loser; + } + rv = PR_Write(PR_STDOUT,buffer,amt); + } + /***/ + + } + } + loser: + + /* set terminal back to normal */ + tcgetattr(t_fin,&tmp_tc); + + tmp_tc.c_lflag = prev_lflag; + tmp_tc.c_oflag = prev_oflag; + tmp_tc.c_iflag = prev_iflag; + tcsetattr(t_fin, TCSANOW, &tmp_tc); + + /* ioctl(tin, FIONBIO, (char *)&onoff); + ioctl(tout, FIONBIO, (char *)&onoff); */ + } + +#endif + /* SSLTELNET */ + + closedown: + + PR_Close(s); + + if (NSS_Shutdown() != SECSuccess) { + exit(1); + } + + return(0); + +} /* main */ + +/*EOF*/ + diff --git a/security/nss/cmd/sslstrength/sslwrap b/security/nss/cmd/sslstrength/sslwrap new file mode 100755 index 000000000..892fd349e --- /dev/null +++ b/security/nss/cmd/sslstrength/sslwrap @@ -0,0 +1,185 @@ +#!/usr/bin/perl +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + + +@profiles = ( +# "host:port" "policy" "ciphers" "exp-cipher" "expkeysize" + + [ "cfu:443", "export", "efijlmo", "RC4-40", "40" ], + [ "hbombsgi:448", "export", "efijlmo", "RC4-40", "40" ], + [ "hbombsgi:448", "domestic", "abcdefijklmo", "RC4", "128" ], + [ "gandalf:5666", "domestic", "abcdefijklmo", "RC4", "128" ], + [ "gandalf:5666", "export", "efijlmo", "RC4", "128" ], + [ "gandalf:5666", "domestic", "j", "3DES-EDE-CBC", "168" ], + [ "gandalf:5666", "domestic", "k", "DES-CBC", "56" ], + [ "gandalf:5666", "export", "l", "RC4-40", "40" ], + [ "gandalf:5666", "export", "efijlmo", "RC4", "128" ], + [ "hbombcfu:443", "export", "efijlmo", "RC4", "128" ], + + ); + +$file = &filename; + +open(HTML, ">$file.htm") || die"Cannot open html output file\n"; + +$mutversion = ""; +$platform = $ARGV[0]; + + +print HTML +"<HTML><HEAD> +<TITLE>ssl/sslstrength: Version: $mutversion Platform: $platform Run date mm/dd/yy</TITLE></HEAD><BODY>\n"; + +print HTML +"<TABLE BORDER=1><TR> +<TD><B>Test Case Number</B></TD> +<TD><B>Program</B></TD> +<TD><B>Description of Test Case</B></TD> +<TD><B>Start date/time<B></TD> +<TD><B>End date/time<B></TD> +<TD><B>PASS/FAIL</B></TD> +</TR>\n"; + +$countpass =0; +$countfail =0; + + +$testnum =0; +for $profile (@profiles) { + $testnum ++; + ($host, $policy, $ciphers, $expcipher, $expkeysize) = @$profile; + + $cmd = "./sslstrength $host policy=$policy ciphers=$ciphers"; + + $starttime = &datestring." ".×tring; + print STDERR "$cmd\n"; + open(PIPE, "$cmd|") || die "Cannot start sslstrength\n"; + + $cipher = ""; + $keysize = ""; + while (<PIPE>) { + chop; + if (/^ Cipher: *(.*)/) { + $cipher = $1; + } + if (/^ Secret Key Size: (.*)/) { + $keysize = $1; + } + } + close(PIPE); + $endtime = &datestring." ".×tring; + + if (( $? != 0) || ($cipher ne $expcipher) || ($keysize ne $expkeysize)) { + $countfail ++; + $passed =0; + } + else { + $countpass ++; + $passed =1; + } + +print HTML +"<TR> +<TD><B>$testnum</B></TD> +<TD></TD> +<TD>$cmd</TD> +<TD>$starttime</TD> +<TD>$endtime</TD> +<TD><B>".($passed ? "PASS" : "<FONT COLOR=red>FAIL: return code = +c=$cipher, ec=$expcipher, s=$keysize, es=$expkeysize.</FONT>")." +</B></TD> +</TR>\n"; + +} + +print HTML "</table>\n"; + +close(HTML); + +open (SUM, ">$file.sum") ||die "couldn't open summary file for writing\n"; + +print SUM <<EOM; +[Status] +mut=SSL +mutversion=1.0 +platform=$platform +pass=$countpass +fail=$countfail +knownFail=0 +malformed=0 +EOM + + close(SUM); + + + +sub timestring +{ + + my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time); + my $string; + + $string = sprintf "%2d:%02d:%02d",$hour, $min, $sec; + return $string; +} + +sub datestring +{ + + my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time); + my $string; + + $string = sprintf "%d/%d/%2d",$mon+1, $mday+1, $year; + return $string; +} + +sub filename +{ + + my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = localtime(time); + my $string; + + $string = sprintf "%04d%02d%02d",$year+1900, $mon+1, $mday; + return $string; +} + + + + + + diff --git a/security/nss/cmd/swfort/Makefile b/security/nss/cmd/swfort/Makefile new file mode 100644 index 000000000..ec86309c0 --- /dev/null +++ b/security/nss/cmd/swfort/Makefile @@ -0,0 +1,113 @@ +#! gmake +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +CORE_DEPTH = ../../.. + +include manifest.mn +include $(CORE_DEPTH)/coreconf/config.mk + +# $(NULL) + + +INCLUDES += \ + -I$(DIST)/../public/security \ + -I$(DIST)/../private/security \ + -I$(DEPTH)/security/lib/cert \ + -I$(DEPTH)/security/lib/key \ + -I$(DEPTH)/security/lib/util \ + -I./include \ + $(NULL) + + +# For the time being, sec stuff is export only +# US_FLAGS = -DEXPORT_VERSION -DUS_VERSION + +US_FLAGS = -DEXPORT_VERSION +EXPORT_FLAGS = -DEXPORT_VERSION + +BASE_LIBS = \ + $(DIST)/lib/libdbm.$(LIB_SUFFIX) \ + $(DIST)/lib/libxp.$(LIB_SUFFIX) \ + $(DIST)/lib/libnspr.$(LIB_SUFFIX) \ + $(NULL) + +# $(DIST)/lib/libpurenspr.$(LIB_SUFFIX) \ + +#There are a circular dependancies in security/lib, and we deal with it by +# double linking some libraries +SEC_LIBS = \ + $(DIST)/lib/libsecnav.$(LIB_SUFFIX) \ + $(DIST)/lib/libssl.$(LIB_SUFFIX) \ + $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \ + $(DIST)/lib/libcert.$(LIB_SUFFIX) \ + $(DIST)/lib/libkey.$(LIB_SUFFIX) \ + $(DIST)/lib/libsecmod.$(LIB_SUFFIX) \ + $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \ + $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \ + $(DIST)/lib/libssl.$(LIB_SUFFIX) \ + $(DIST)/lib/libpkcs7.$(LIB_SUFFIX) \ + $(DIST)/lib/libcert.$(LIB_SUFFIX) \ + $(DIST)/lib/libkey.$(LIB_SUFFIX) \ + $(DIST)/lib/libsecmod.$(LIB_SUFFIX) \ + $(DIST)/lib/libcrypto.$(LIB_SUFFIX) \ + $(DIST)/lib/libsecutil.$(LIB_SUFFIX) \ + $(DIST)/lib/libhash.$(LIB_SUFFIX) \ + $(NULL) + +MYLIB = lib/$(OBJDIR)/libsectool.$(LIB_SUFFIX) + +US_LIBS = $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS) +EX_LIBS = $(MYLIB) $(SEC_LIBS) $(BASE_LIBS) $(MYLIB) $(BASE_LIBS) + +REQUIRES = libxp nspr security + +CSRCS = $(EXEC_SRCS) $(BI_SRCS) + +OBJS = $(CSRCS:.c=.o) $(BI_SRCS:.c=-us.o) $(BI_SRCS:.c=-ex.o) + +PROGS = $(addprefix $(OBJDIR)/, $(EXEC_SRCS:.c=$(BIN_SUFFIX))) +US_PROGS = $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-us$(BIN_SUFFIX))) +EX_PROGS = $(addprefix $(OBJDIR)/, $(BI_SRCS:.c=-ex$(BIN_SUFFIX))) + + +NON_DIRS = $(PROGS) $(US_PROGS) $(EX_PROGS) +TARGETS = $(NON_DIRS) + +include $(CORE_DEPTH)/coreconf/rules.mk + +symbols:: + @echo "TARGETS = $(TARGETS)" diff --git a/security/nss/cmd/swfort/instinit/Makefile b/security/nss/cmd/swfort/instinit/Makefile new file mode 100644 index 000000000..a2e75fc7b --- /dev/null +++ b/security/nss/cmd/swfort/instinit/Makefile @@ -0,0 +1,79 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +include ../../platlibs.mk + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../../platrules.mk diff --git a/security/nss/cmd/swfort/instinit/instinit.c b/security/nss/cmd/swfort/instinit/instinit.c new file mode 100644 index 000000000..2e65b1aac --- /dev/null +++ b/security/nss/cmd/swfort/instinit/instinit.c @@ -0,0 +1,424 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#include <stdio.h> + +#include "prio.h" +#include "seccomon.h" +#include "swforti.h" +#include "cert.h" +#include "pk11func.h" +#include "nss.h" +#include "secutil.h" + +#define CERTDB_VALID_CA (1<<3) +#define CERTDB_TRUSTED_CA (1<<4) /* trusted for issuing server certs */ + +void secmod_GetInternalModule(SECMODModule *module); +void sec_SetCheckKRLState(int i); + +#define STEP 16 +void +printItem(SECItem *key) { + int i; + unsigned char *block; + int len; + for (block=key->data,len=key->len; len > 0; len -= STEP,block += STEP) { + for(i=0; i < STEP && i < len; i++) printf(" %02x ",block[i]); + printf("\n"); + } + printf("\n"); +} + +void +dump(unsigned char *block, int len) { + int i; + for (; len > 0; len -= STEP,block += STEP) { + for(i=0; i < STEP && i < len; i++) printf(" %02x ",block[i]); + printf("\n"); + } + printf("\n"); +} + + +/* + * We need to move this to security/cmd .. so we can use the password + * prompting infrastructure. + */ +char *GetUserInput(char * prompt) +{ + char phrase[200]; + + fprintf(stderr, "%s", prompt); + fflush (stderr); + + fgets ((char*) phrase, sizeof(phrase), stdin); + + /* stomp on newline */ + phrase[PORT_Strlen((char*)phrase)-1] = 0; + + /* Validate password */ + return (char*) PORT_Strdup((char*)phrase); +} + +void ClearPass(char *pass) { + PORT_Memset(pass,0,strlen(pass)); + PORT_Free(pass); +} + +char * +formatDERIssuer(FORTSWFile *file,SECItem *derIssuer) +{ + CERTName name; + SECStatus rv; + + PORT_Memset(&name,0,sizeof(name));; + rv = SEC_ASN1DecodeItem(file->arena,&name,CERT_NameTemplate,derIssuer); + if (rv != SECSuccess) { + return NULL; + } + return CERT_NameToAscii(&name); +} + +#define NETSCAPE_INIT_FILE "nsswft.swf" + +char *getDefaultTarget(void) +{ + char *fname = NULL; + char *home = NULL; + static char unix_home[512]; + + /* first try to get it from the environment */ + fname = getenv("SW_FORTEZZA_FILE"); + if (fname != NULL) { + return PORT_Strdup(fname); + } + +#ifdef XP_UNIX + home = getenv("HOME"); + if (home) { + strncpy(unix_home,home, sizeof(unix_home)-sizeof("/.netscape/"NETSCAPE_INIT_FILE)); + strcat(unix_home,"/.netscape/"NETSCAPE_INIT_FILE); + return unix_home; + } +#endif +#ifdef XP_WIN + home = getenv("windir"); + if (home) { + strncpy(unix_home,home, sizeof(unix_home)-sizeof("\\"NETSCAPE_INIT_FILE)); + strcat(unix_home,"\\"NETSCAPE_INIT_FILE); + return unix_home; + } +#endif + return (NETSCAPE_INIT_FILE); +} + +void +usage(char *prog) { + fprintf(stderr,"usage: %s [-v][-f][-t transport_pass][-u user_pass][-o output_file] source_file\n",prog); + exit(1); +} + +int main(int argc, char ** argv) +{ + + FORTSignedSWFile * swfile; + int size; + SECItem file; + char *progname = *argv++; + char *filename = NULL; + char *outname = NULL; + char *cp; + int verbose = 0; + int force = 0; + CERTCertDBHandle *certhandle = NULL; + CERTCertificate *cert; + CERTCertTrust *trust; + char * pass; + SECStatus rv; + int i; + int64 now; /* XXXX */ + char *issuer; + char *transport_pass = NULL; + char *user_pass = NULL; + SECItem *outItem = NULL; + PRFileDesc *fd; + PRFileInfo info; + PRStatus prv; + + + + + /* put better argument parsing here */ + while ((cp = *argv++) != NULL) { + if (*cp == '-') { + while (*++cp) { + switch (*cp) { + /* verbose mode */ + case 'v': + verbose++; + break; + /* explicitly set the target */ + case 'o': + outname = *argv++; + break; + case 'f': + /* skip errors in signatures without prompts */ + force++; + break; + case 't': + /* provide password on command line */ + transport_pass = *argv++; + break; + case 'u': + /* provide user password on command line */ + user_pass = *argv++; + break; + default: + usage(progname); + break; + } + } + } else if (filename) { + usage(progname); + } else { + filename = cp; + } + } + + if (filename == NULL) usage(progname); + if (outname == NULL) outname = getDefaultTarget(); + + + now = PR_Now(); + /* read the file in */ + fd = PR_Open(filename,PR_RDONLY,0); + if (fd == NULL) { + fprintf(stderr,"%s: couldn't open file \"%s\".\n",progname,filename); + exit(1); + } + + prv = PR_GetOpenFileInfo(fd,&info); + if (prv != PR_SUCCESS) { + fprintf(stderr,"%s: couldn't get info on file \"%s\".\n", + progname,filename); + exit(1); + } + + size = info.size; + + file.data = malloc(size); + file.len = size; + + file.len = PR_Read(fd,file.data,file.len); + if (file.len < 0) { + fprintf(stderr,"%s: couldn't read file \"%s\".\n",progname, filename); + exit(1); + } + + PR_Close(fd); + + /* Parse the file */ + swfile = FORT_GetSWFile(&file); + if (swfile == NULL) { + fprintf(stderr, + "%s: File \"%s\" not a valid FORTEZZA initialization file.\n", + progname,filename); + exit(1); + } + + issuer = formatDERIssuer(&swfile->file,&swfile->file.derIssuer); + if (issuer == NULL) { + issuer = "<Invalid Issuer DER>"; + } + + if (verbose) { + printf("Processing file %s ....\n",filename); + printf(" Version %ld\n",DER_GetInteger(&swfile->file.version)); + printf(" Issuer: %s\n",issuer); + printf(" Serial Number: "); + for (i=0; i < (int)swfile->file.serialID.len; i++) { + printf(" %02x",swfile->file.serialID.data[i]); + } + printf("\n"); + } + + + /* Check the Initalization phrase and save Kinit */ + if (!transport_pass) { + pass = SECU_GetPasswordString(NULL,"Enter the Initialization Memphrase:"); + transport_pass = pass; + } + rv = FORT_CheckInitPhrase(swfile,transport_pass); + if (rv != SECSuccess) { + fprintf(stderr, + "%s: Invalid Initialization Memphrase for file \"%s\".\n", + progname,filename); + exit(1); + } + + /* Check the user or init phrase and save Ks, use Kinit to unwrap the + * remaining data. */ + if (!user_pass) { + pass = SECU_GetPasswordString(NULL,"Enter the User Memphrase or the User PIN:"); + user_pass = pass; + } + rv = FORT_CheckUserPhrase(swfile,user_pass); + if (rv != SECSuccess) { + fprintf(stderr,"%s: Invalid User Memphrase or PIN for file \"%s\".\n", + progname,filename); + exit(1); + } + + NSS_NoDB_Init(NULL); + sec_SetCheckKRLState(1); + certhandle = CERT_GetDefaultCertDB(); + + /* now dump the certs into the temparary data base */ + for (i=0; swfile->file.slotEntries[i]; i++) { + int trusted = 0; + SECItem *derCert = FORT_GetDERCert(swfile, + swfile->file.slotEntries[i]->certIndex); + + if (derCert == NULL) { + if (verbose) { + printf(" Cert %02d: %s \"%s\" \n", + swfile->file.slotEntries[i]->certIndex, + "untrusted", "Couldn't decrypt Cert"); + } + continue; + } + cert = CERT_NewTempCertificate(certhandle, derCert, NULL, + PR_FALSE, PR_TRUE); + if (cert == NULL) { + if (verbose) { + printf(" Cert %02d: %s \"%s\" \n", + swfile->file.slotEntries[i]->certIndex, + "untrusted", "Couldn't decode Cert"); + } + continue; + } + if (swfile->file.slotEntries[i]->trusted.data[0]) { + /* Add TRUST */ + trust = PORT_ArenaAlloc(cert->arena,sizeof(CERTCertTrust)); + if (trust != NULL) { + trust->sslFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA; + trust->emailFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA; + trust->objectSigningFlags = CERTDB_VALID_CA|CERTDB_TRUSTED_CA; + cert->trust = trust; + trusted++; + } + } + if (verbose) { + printf(" Cert %02d: %s \"%s\" \n", + swfile->file.slotEntries[i]->certIndex, + trusted?" trusted ":"untrusted", + CERT_NameToAscii(&cert->subject)); + } + } + + fflush(stdout); + + + cert = CERT_FindCertByName(certhandle,&swfile->file.derIssuer); + if (cert == NULL) { + fprintf(stderr,"%s: Couldn't find signer certificate \"%s\".\n", + progname,issuer); + rv = SECFailure; + goto noverify; + } + rv = CERT_VerifySignedData(&swfile->signatureWrap,cert, now, NULL); + if (rv != SECSuccess) { + fprintf(stderr, + "%s: Couldn't verify the signature on file \"%s\" with certificate \"%s\".\n", + progname,filename,issuer); + goto noverify; + } + rv = CERT_VerifyCert(certhandle, cert, PR_TRUE, certUsageSSLServer, + now ,NULL,NULL); + /* not an normal cert, see if it's a CA? */ + if (rv != SECSuccess) { + rv = CERT_VerifyCert(certhandle, cert, PR_TRUE, certUsageAnyCA, + now ,NULL,NULL); + } + if (rv != SECSuccess) { + fprintf(stderr,"%s: Couldn't verify the signer certificate \"%s\".\n", + progname,issuer); + goto noverify; + } + +noverify: + if (rv != SECSuccess) { + if (!force) { + pass = GetUserInput( + "Signature verify failed, continue without verification? "); + if (!(pass && ((*pass == 'Y') || (*pass == 'y')))) { + exit(1); + } + } + } + + + /* now write out the modified init file for future use */ + outItem = FORT_PutSWFile(swfile); + if (outItem == NULL) { + fprintf(stderr,"%s: Couldn't format target init file.\n", + progname); + goto noverify; + } + + if (verbose) { + printf("writing modified file out to \"%s\".\n",outname); + } + + /* now write it out */ + fd = PR_Open(outname,PR_WRONLY|PR_CREATE_FILE|PR_TRUNCATE,0700); + if (fd == NULL) { + fprintf(stderr,"%s: couldn't open file \"%s\".\n",progname,outname); + exit(1); + } + + file.len = PR_Write(fd,outItem->data,outItem->len); + if (file.len < 0) { + fprintf(stderr,"%s: couldn't read file \"%s\".\n",progname, filename); + exit(1); + } + + PR_Close(fd); + + exit(0); + return (0); +} + diff --git a/security/nss/cmd/swfort/instinit/manifest.mn b/security/nss/cmd/swfort/instinit/manifest.mn new file mode 100644 index 000000000..8fbfd4d9e --- /dev/null +++ b/security/nss/cmd/swfort/instinit/manifest.mn @@ -0,0 +1,50 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../../.. + +DEFINES += -DNSPR20 + +MODULE = nss + +CSRCS = instinit.c + +REQUIRES = nspr dbm seccmd + +PROGRAM = instinit +# PROGRAM = ./$(OBJDIR)/selfserv.exe + +USE_STATIC_LIBS = 1 diff --git a/security/nss/cmd/swfort/manifest.mn b/security/nss/cmd/swfort/manifest.mn new file mode 100644 index 000000000..92bc6ea2f --- /dev/null +++ b/security/nss/cmd/swfort/manifest.mn @@ -0,0 +1,42 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../.. + +REQUIRES = nss seccmd dbm + + +DIRS = instinit newuser diff --git a/security/nss/cmd/swfort/newuser/Makefile b/security/nss/cmd/swfort/newuser/Makefile new file mode 100644 index 000000000..cb295c50f --- /dev/null +++ b/security/nss/cmd/swfort/newuser/Makefile @@ -0,0 +1,87 @@ +#! gmake +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### + +ctmp := $(shell $(MAKE) -C ../../../lib/fortcrypt --no-print-directory cilib_name) +ifeq ($(ctmp), $(patsubst /%,/,$(ctmp))) + CILIB := ../../../lib/fortcrypt/$(ctmp) +else + CILIB := $(ctmp) +endif + +EXTRA_LIBS += $(CILIB) + +include ../../platlibs.mk + + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + +include ../../platrules.mk + diff --git a/security/nss/cmd/swfort/newuser/manifest.mn b/security/nss/cmd/swfort/newuser/manifest.mn new file mode 100644 index 000000000..6b8b4d5ba --- /dev/null +++ b/security/nss/cmd/swfort/newuser/manifest.mn @@ -0,0 +1,49 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** +CORE_DEPTH = ../../../.. + +DEFINES += -DNSPR20 + +MODULE = nss + +CSRCS = newuser.c mktst.c + +REQUIRES = nspr dbm seccmd + +PROGRAM = newuser + +USE_STATIC_LIBS = 1 diff --git a/security/nss/cmd/swfort/newuser/mktst.c b/security/nss/cmd/swfort/newuser/mktst.c new file mode 100644 index 000000000..cca8704d1 --- /dev/null +++ b/security/nss/cmd/swfort/newuser/mktst.c @@ -0,0 +1,257 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#include <stdio.h> + +#include "prio.h" +#include "swforti.h" +#include "maci.h" +#include "secder.h" +#include "blapi.h" + +void +printkey(char *s, unsigned char *block) { + int i; + printf("%s \n 0x",s); + for(i=0; i < 10; i++) printf("%02x",block[i]); + printf("\n"); +} + +void +printblock(char *s, unsigned char *block) { + int i; + printf("%s \n 0x",s); + for(i=0; i < 8; i++) printf("%02x",block[i]); + printf("\n 0x"); + for(i=8; i < 16; i++) printf("%02x",block[i]); + printf("\n"); +} + + +static char *leafbits="THIS IS NOT LEAF"; + +static void +encryptCertEntry(fortProtectedData *pdata,FORTSkipjackKeyPtr Ks, + unsigned char *data,int len) +{ + unsigned char *dataout; + int enc_len; + /* XXX Make length */ + pdata->dataIV.data = PORT_ZAlloc(24); + pdata->dataIV.len = 24; + PORT_Memcpy(pdata->dataIV.data,leafbits,SKIPJACK_LEAF_SIZE); + fort_GenerateRandom(&pdata->dataIV.data[SKIPJACK_LEAF_SIZE], + SKIPJACK_BLOCK_SIZE); + enc_len = (len + (SKIPJACK_BLOCK_SIZE-1)) & ~(SKIPJACK_BLOCK_SIZE-1); + dataout = pdata->dataEncryptedWithKs.data = PORT_ZAlloc(enc_len); + pdata->dataEncryptedWithKs.len = enc_len; + fort_skipjackEncrypt(Ks,&pdata->dataIV.data[SKIPJACK_LEAF_SIZE], + enc_len, data,dataout); + if (len > 255) { + pdata->length.data = PORT_ZAlloc(2); + pdata->length.data[0] = (len >> 8) & 0xff; + pdata->length.data[1] = len & 0xff; + pdata->length.len = 2; + } else { + pdata->length.data = PORT_ZAlloc(1); + pdata->length.data[0] = len & 0xff; + pdata->length.len = 1; + } + +} + +unsigned char issuer[30] = { 0 }; + +void +makeCertSlot(fortSlotEntry *entry,int index,char *label,SECItem *cert, + FORTSkipjackKeyPtr Ks, unsigned char *xKEA, unsigned char *xDSA, + unsigned char *pubKey, int pubKeyLen, unsigned char *p, unsigned char *q, + unsigned char *g) +{ + unsigned char *key; /* private key */ + + entry->trusted.data = PORT_Alloc(1); + *entry->trusted.data = index == 0 ? 1 : 0; + entry->trusted.len = 1; + entry->certificateIndex.data = PORT_Alloc(1); + *entry->certificateIndex.data = index; + entry->certificateIndex.len = 1; + entry->certIndex = index; + encryptCertEntry(&entry->certificateLabel,Ks, + (unsigned char *)label, strlen(label)); + encryptCertEntry(&entry->certificateData,Ks, cert->data, cert->len); + if (xKEA) { + entry->exchangeKeyInformation = PORT_ZNew(fortKeyInformation); + entry->exchangeKeyInformation->keyFlags.data = PORT_ZAlloc(1); + entry->exchangeKeyInformation->keyFlags.data[0] = 1; + entry->exchangeKeyInformation->keyFlags.len = 1; + key = PORT_Alloc(24); + fort_skipjackWrap(Ks,24,xKEA,key); + entry->exchangeKeyInformation->privateKeyWrappedWithKs.data = key; + entry->exchangeKeyInformation->privateKeyWrappedWithKs.len = 24; + entry->exchangeKeyInformation->derPublicKey.data = pubKey; + entry->exchangeKeyInformation->derPublicKey.len = pubKeyLen; + entry->exchangeKeyInformation->p.data = p; + entry->exchangeKeyInformation->p.len = 128; + entry->exchangeKeyInformation->q.data = q; + entry->exchangeKeyInformation->q.len = 20; + entry->exchangeKeyInformation->g.data = g; + entry->exchangeKeyInformation->g.len = 128; + + entry->signatureKeyInformation = PORT_ZNew(fortKeyInformation); + entry->signatureKeyInformation->keyFlags.data = PORT_ZAlloc(1); + entry->signatureKeyInformation->keyFlags.data[0] = 1; + entry->signatureKeyInformation->keyFlags.len = 1; + key = PORT_Alloc(24); + fort_skipjackWrap(Ks,24,xDSA,key); + entry->signatureKeyInformation->privateKeyWrappedWithKs.data = key; + entry->signatureKeyInformation->privateKeyWrappedWithKs.len = 24; + entry->signatureKeyInformation->derPublicKey.data = pubKey; + entry->signatureKeyInformation->derPublicKey.len = pubKeyLen; + entry->signatureKeyInformation->p.data = p; + entry->signatureKeyInformation->p.len = 128; + entry->signatureKeyInformation->q.data = q; + entry->signatureKeyInformation->q.len = 20; + entry->signatureKeyInformation->g.data = g; + entry->signatureKeyInformation->g.len = 128; + } else { + entry->exchangeKeyInformation = NULL; + entry->signatureKeyInformation = NULL; + } + + return; +} + + +void +makeProtectedPhrase(FORTSWFile *file, fortProtectedPhrase *prot_phrase, + FORTSkipjackKeyPtr Ks, FORTSkipjackKeyPtr Kinit, char *phrase) +{ + SHA1Context *sha; + unsigned char hashout[SHA1_LENGTH]; + FORTSkipjackKey Kfek; + unsigned int len; + unsigned char cw[4]; + unsigned char enc_version[2]; + unsigned char *data = NULL; + int keySize; + int i,version; + char tmp_data[13]; + + if (strlen(phrase) < 12) { + PORT_Memset(tmp_data, ' ', sizeof(tmp_data)); + PORT_Memcpy(tmp_data,phrase,strlen(phrase)); + tmp_data[12] = 0; + phrase = tmp_data; + } + + /* now calculate the PBE key for fortezza */ + sha = SHA1_NewContext(); + SHA1_Begin(sha); + version = DER_GetUInteger(&file->version); + enc_version[0] = (version >> 8) & 0xff; + enc_version[1] = version & 0xff; + SHA1_Update(sha,enc_version,sizeof(enc_version)); + SHA1_Update(sha,file->derIssuer.data, file->derIssuer.len); + SHA1_Update(sha,file->serialID.data, file->serialID.len); + SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase)); + SHA1_End(sha,hashout,&len,SHA1_LENGTH); + PORT_Memcpy(Kfek,hashout,sizeof(FORTSkipjackKey)); + + keySize = sizeof(CI_KEY); + if (Kinit) keySize = SKIPJACK_BLOCK_SIZE*2; + data = PORT_ZAlloc(keySize); + prot_phrase->wrappedKValue.data = data; + prot_phrase->wrappedKValue.len = keySize; + fort_skipjackWrap(Kfek,sizeof(CI_KEY),Ks,data); + + /* first, decrypt the hashed/Encrypted Memphrase */ + data = (unsigned char *) PORT_ZAlloc(SHA1_LENGTH+sizeof(cw)); + + /* now build the hash for comparisons */ + SHA1_Begin(sha); + SHA1_Update(sha,(unsigned char *)phrase,strlen(phrase)); + SHA1_End(sha,hashout,&len,SHA1_LENGTH); + SHA1_DestroyContext(sha,PR_TRUE); + + + /* now calcuate the checkword and compare it */ + cw[0] = cw[1] = cw[2] = cw[3] = 0; + for (i=0; i <5 ; i++) { + cw[0] = cw[0] ^ hashout[i*4]; + cw[1] = cw[1] ^ hashout[i*4+1]; + cw[2] = cw[2] ^ hashout[i*4+2]; + cw[3] = cw[3] ^ hashout[i*4+3]; + } + + PORT_Memcpy(data,hashout,len); + PORT_Memcpy(data+len,cw,sizeof(cw)); + + prot_phrase->memPhraseIV.data = PORT_ZAlloc(24); + prot_phrase->memPhraseIV.len = 24; + PORT_Memcpy(prot_phrase->memPhraseIV.data,leafbits,SKIPJACK_LEAF_SIZE); + fort_GenerateRandom(&prot_phrase->memPhraseIV.data[SKIPJACK_LEAF_SIZE], + SKIPJACK_BLOCK_SIZE); + prot_phrase->kValueIV.data = PORT_ZAlloc(24); + prot_phrase->kValueIV.len = 24; + PORT_Memcpy(prot_phrase->kValueIV.data,leafbits,SKIPJACK_LEAF_SIZE); + fort_GenerateRandom(&prot_phrase->kValueIV.data[SKIPJACK_LEAF_SIZE], + SKIPJACK_BLOCK_SIZE); + fort_skipjackEncrypt(Ks,&prot_phrase->memPhraseIV.data[SKIPJACK_LEAF_SIZE], + len+sizeof(cw), data,data); + + prot_phrase->hashedEncryptedMemPhrase.data = data; + prot_phrase->hashedEncryptedMemPhrase.len = len+sizeof(cw); + + if (Kinit) { + fort_skipjackEncrypt(Kinit, + &prot_phrase->kValueIV.data[SKIPJACK_LEAF_SIZE], + prot_phrase->wrappedKValue.len, + prot_phrase->wrappedKValue.data, + prot_phrase->wrappedKValue.data ); + } + + return; +} + + +void +fill_in(SECItem *item,unsigned char *data, int len) +{ + item->data = PORT_Alloc(len); + PORT_Memcpy(item->data,data,len); + item->len = len; +} + diff --git a/security/nss/cmd/swfort/newuser/newuser.c b/security/nss/cmd/swfort/newuser/newuser.c new file mode 100644 index 000000000..e0db69509 --- /dev/null +++ b/security/nss/cmd/swfort/newuser/newuser.c @@ -0,0 +1,1134 @@ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape security libraries. + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1994-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +#include <stdio.h> +#include <fcntl.h> +#include <sys/types.h> +#ifdef XP_UNIX +#include <unistd.h> +#endif +#include "cryptint.h" +#include "blapi.h" /* program calls low level functions directly!*/ +#include "pk11func.h" +#include "secmod.h" +/*#include "secmodi.h"*/ +#include "cert.h" +#include "key.h" +#include "nss.h" +#include "swforti.h" +#include "secutil.h" + +#ifndef O_BINARY +#define O_BINARY 0 +#endif + +#define MAX_PERSONALITIES 50 +typedef struct { + int index; + CI_CERT_STR label; + CERTCertificate *cert; +} certlist; + +typedef struct { + int card; + int index; + CI_CERT_STR label; + certlist valid[MAX_PERSONALITIES]; + int count; +} Cert; + + +#define EMAIL_OID_LEN 9 +#define EMAIL_OID 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01 +unsigned char emailAVA[127] = { + 0x31, 6+EMAIL_OID_LEN, /* Set */ + 0x30, 4+EMAIL_OID_LEN, /* Sequence */ + 0x06, EMAIL_OID_LEN, EMAIL_OID, + 0x13, 0, /* printable String */ +}; +#define EMAIL_DATA_START 8+EMAIL_OID_LEN + +int emailOffset[] = { 1, 3, EMAIL_DATA_START-1 }; +int offsetCount = sizeof(emailOffset)/sizeof(emailOffset[0]); + +unsigned char hash[20] = { 'H', 'a', 's', 'h', ' ', 'F', 'a', 'i', 'l', 'e', + 'd', ' ', '*', '*', '*', '*', '*', '*', '*', '*' }; +unsigned char sig[40] = { 'H', 'a', 's', 'h', ' ', 'F', 'a', 'i', 'l', 'e', + 'd', ' ', '*', '*', '*', '*', '*', '*', '*', '*', + '>', '>', '>', ' ', 'N', 'o', 't', ' ', 'S', 'i', + 'g', 'n', 'd', ' ', '<', '<', '<', ' ', ' ', ' ' }; + + +/*void *malloc(int); */ + +unsigned char *data_start(unsigned char *buf, int length, int *data_length) +{ + unsigned char tag; + int used_length= 0; + + tag = buf[used_length++]; + + /* blow out when we come to the end */ + if (tag == 0) { + return NULL; + } + + *data_length = buf[used_length++]; + + if (*data_length&0x80) { + int len_count = *data_length & 0x7f; + + *data_length = 0; + + while (len_count-- > 0) { + *data_length = (*data_length << 8) | buf[used_length++]; + } + } + + if (*data_length > (length-used_length) ) { + *data_length = length-used_length; + return NULL; + } + + return (buf + used_length); +} + +unsigned char * +GetAbove(unsigned char *cert,int cert_length,int *above_len) +{ + unsigned char *buf = cert; + int buf_length = cert_length; + unsigned char *tmp; + int len; + + *above_len = 0; + + /* optional serial number */ + if ((buf[0] & 0xa0) == 0xa0) { + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + } + /* serial number */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* skip the OID */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* issuer */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* skip the date */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + + *above_len = buf - cert; + return cert; +} + +unsigned char * +GetSubject(unsigned char *cert,int cert_length,int *subj_len) { + unsigned char *buf = cert; + int buf_length = cert_length; + unsigned char *tmp; + int len; + + *subj_len = 0; + + /* optional serial number */ + if ((buf[0] & 0xa0) == 0xa0) { + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + } + /* serial number */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* skip the OID */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* issuer */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* skip the date */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + + return data_start(buf,buf_length,subj_len); +} + +unsigned char * +GetBelow(unsigned char *cert,int cert_length,int *below_len) { + unsigned char *subj; + int subj_len; + unsigned char *below; + + *below_len = 0; + + subj = GetSubject(cert,cert_length,&subj_len); + + below = subj + subj_len; + *below_len = cert_length - (below - cert); + return below; +} + +unsigned char * +GetSignature(unsigned char *sig,int sig_length,int *subj_len) { + unsigned char *buf = sig; + int buf_length = sig_length; + unsigned char *tmp; + int len; + + *subj_len = 0; + + /* signature oid */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + buf_length -= (tmp-buf) + len; + buf = tmp + len; + /* signature data */ + tmp = data_start(buf,buf_length,&len); + if (tmp == NULL) return NULL; + + *subj_len = len -1; + return tmp+1; +} + +int DER_Sequence(unsigned char *buf, int length) { + int next = 0; + + buf[next++] = 0x30; + if (length < 0x80) { + buf[next++] = length; + } else { + buf[next++] = 0x82; + buf[next++] = (length >> 8) & 0xff; + buf[next++] = length & 0xff; + } + return next; +} + +static +int Cert_length(unsigned char *buf, int length) { + unsigned char tag; + int used_length= 0; + int data_length; + + tag = buf[used_length++]; + + /* blow out when we come to the end */ + if (tag == 0) { + return 0; + } + + data_length = buf[used_length++]; + + if (data_length&0x80) { + int len_count = data_length & 0x7f; + + data_length = 0; + + while (len_count-- > 0) { + data_length = (data_length << 8) | buf[used_length++]; + } + } + + if (data_length > (length-used_length) ) { + return length; + } + + return (data_length + used_length); +} + +int +InitCard(int card, char *inpass) { + int cirv; + char buf[50]; + char *pass; + + cirv = CI_Open( 0 /* flags */, card); + if (cirv != CI_OK) return cirv; + + if (inpass == NULL) { + sprintf(buf,"Enter PIN for card in socket %d: ",card); + pass = SECU_GetPasswordString(NULL, buf); + + if (pass == NULL) { + CI_Close(CI_POWER_DOWN_FLAG,card); + return CI_FAIL; + } + } else pass=inpass; + + cirv = CI_CheckPIN(CI_USER_PIN,(unsigned char *)pass); + if (cirv != CI_OK) { + CI_Close(CI_POWER_DOWN_FLAG,card); + } + return cirv; +} + +int +isUser(CI_PERSON *person) { + return 1; +} + +int +isCA(CI_PERSON *person) { + return 0; +} + +int FoundCert(int card, char *name, Cert *cert) { + CI_PERSON personalities[MAX_PERSONALITIES]; + CI_PERSON *person; + int cirv; + int i; + int user_len = strlen(name); + + PORT_Memset(personalities, 0, sizeof(CI_PERSON)*MAX_PERSONALITIES); + + cirv = CI_GetPersonalityList(MAX_PERSONALITIES,personalities); + if (cirv != CI_OK) return 0; + + + cert->count = 1; + cert->valid[0].index = 0; + memcpy(cert->valid[0].label,"RRXX0000Root PAA Certificate ", + sizeof(cert->valid[0].label)); + cert->valid[0].cert = NULL; + for (i=0; i < MAX_PERSONALITIES; i++) { + person = &personalities[i]; + if ( (PORT_Memcmp(person->CertLabel,"RRXX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"RTXX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"LAXX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"INKS",4) == 0) || + (PORT_Memcmp(person->CertLabel,"INKX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"ONKS",4) == 0) || + (PORT_Memcmp(person->CertLabel,"ONKX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"KEAK",4) == 0) || + (PORT_Memcmp(person->CertLabel,"3IKX",4) == 0) || + (PORT_Memcmp(person->CertLabel,"DSA1",4) == 0) || + (PORT_Memcmp(person->CertLabel,"DSAI",4) == 0) || + (PORT_Memcmp(person->CertLabel,"DSAO",4) == 0) || + (PORT_Memcmp(person->CertLabel,"3IXS",4) == 0) || + (PORT_Memcmp(person->CertLabel,"3OXS",4) == 0) ){ + int index; + + cert->valid[cert->count].cert = NULL; + memcpy(cert->valid[cert->count].label, + person->CertLabel,sizeof(person->CertLabel)); + for (index = sizeof(person->CertLabel)-1; + cert->valid[cert->count].label[index] == ' '; index--) { + cert->valid[cert->count].label[index] = 0; + } + cert->valid[cert->count++].index = person->CertificateIndex; + } + } + for (i=0; i < MAX_PERSONALITIES; i++) { + person = &personalities[i]; + if (strncmp((char *)&person->CertLabel[8],name,user_len) == 0) { + cert->card = card; + cert->index = person->CertificateIndex; + memcpy(&cert->label,person->CertLabel,sizeof(person->CertLabel)); + return 1; + } + } + return 0; +} + +void +Terminate(char *mess, int cirv, int card1, int card2) +{ + fprintf(stderr,"FAIL: %s error %d\n",mess,cirv); + if (card1 != -1) CI_Close(CI_POWER_DOWN_FLAG,card1); + if (card2 != -1) CI_Close(CI_POWER_DOWN_FLAG,card2); + CI_Terminate(); + exit(1); +} + +void +usage(char *prog) +{ + fprintf(stderr,"usage: %s [-e email][-t transport][-u userpin][-U userpass][-s ssopin][-S ssopass][-o outfile] common_name ca_label\n",prog); + exit(1); +} + +#define CERT_SIZE 2048 + + +/* version and oid */ +unsigned char header[] = { + /* Cert OID */ + 0x02, 0x10, + 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, + 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01, 0x13 }; + +#define KEY_START 21 +#define KMID_OFFSET 4 +#define KEA_OFFSET 15 +#define DSA_OFFSET 148 +unsigned char key[] = { + /* Sequence(Constructed): 293 bytes (0x125) */ + 0x30, 0x82, 0x01, 0x25, + /*Sequence(Constructed): 11 bytes (0xb) */ + 0x30, 0x0b, + /* ObjectId(Universal): 9 bytes (0x9) */ + 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01, 0x14, + /* BitString(Universal): 276 bytes (0x114) */ + 0x03, 0x82, 0x01, 0x14, + 0x00, 0x00, 0x01, 0xef, 0x04, 0x01, 0x00, 0x01, + 0x00, 0x00, 0x69, 0x60, 0x70, 0x00, 0x80, 0x02, + 0x2e, 0x46, 0xb9, 0xcb, 0x22, 0x72, 0x0b, 0x1c, + 0xe6, 0x25, 0x20, 0x16, 0x86, 0x05, 0x8e, 0x2b, + 0x98, 0xd1, 0x46, 0x3d, 0x00, 0xb8, 0x69, 0xe1, + 0x1a, 0x42, 0x7d, 0x7d, 0xb5, 0xbf, 0x9f, 0x26, + 0xd3, 0x2c, 0xb1, 0x73, 0x01, 0xb6, 0xb2, 0x6f, + 0x7b, 0xa5, 0x54, 0x85, 0x60, 0x77, 0x81, 0x8a, + 0x87, 0x86, 0xe0, 0x2d, 0xbf, 0xdb, 0x28, 0xe8, + 0xfa, 0x20, 0x35, 0xb4, 0xc0, 0x94, 0x10, 0x8e, + 0x1c, 0x58, 0xaa, 0x02, 0x60, 0x97, 0xf5, 0xb3, + 0x2f, 0xf8, 0x99, 0x29, 0x28, 0x73, 0x47, 0x36, + 0xdd, 0x1d, 0x78, 0x95, 0xeb, 0xb8, 0xec, 0x45, + 0x96, 0x69, 0x6f, 0x54, 0xc8, 0x1f, 0x2d, 0x3a, + 0xd9, 0x0e, 0x8e, 0xaa, 0x59, 0x11, 0x8c, 0x3b, + 0x8d, 0xa4, 0xed, 0xf2, 0x7d, 0xdc, 0x42, 0xaa, + 0xa4, 0xd2, 0x1c, 0xb9, 0x87, 0xd0, 0xd9, 0x3d, + 0x8e, 0x89, 0xbb, 0x06, 0x54, 0xcf, 0x32, 0x00, + 0x02, 0x00, 0x00, 0x80, 0x0b, 0x80, 0x6c, 0x0f, + 0x71, 0xd1, 0xa1, 0xa9, 0x26, 0xb4, 0xf1, 0xcd, + 0x6a, 0x7a, 0x09, 0xaa, 0x58, 0x28, 0xd7, 0x35, + 0x74, 0x8e, 0x7c, 0x83, 0xcb, 0xfe, 0x00, 0x3b, + 0x62, 0x00, 0xfb, 0x90, 0x37, 0xcd, 0x93, 0xcf, + 0xf3, 0xe4, 0x6d, 0x8d, 0xdd, 0xb8, 0x53, 0xe0, + 0x5c, 0xda, 0x1a, 0x7e, 0x56, 0x03, 0x95, 0x03, + 0x2f, 0x74, 0x86, 0xb1, 0xa0, 0xbb, 0x05, 0x91, + 0xe4, 0x76, 0x83, 0xe6, 0x62, 0xf9, 0x12, 0x64, + 0x5a, 0x62, 0xd8, 0x94, 0x04, 0x1f, 0x83, 0x02, + 0x2e, 0xc5, 0xa7, 0x17, 0x46, 0x46, 0x21, 0x96, + 0xc3, 0xa9, 0x8e, 0x92, 0x18, 0xd1, 0x52, 0x08, + 0x1d, 0xff, 0x8e, 0x24, 0xdb, 0x6c, 0xd8, 0xfe, + 0x80, 0x93, 0xe1, 0xa5, 0x4a, 0x0a, 0x37, 0x24, + 0x18, 0x07, 0xbe, 0x0f, 0xaf, 0x73, 0xea, 0x50, + 0x64, 0xa1, 0xb3, 0x77, 0xe5, 0x41, 0x02, 0x82, + 0x39, 0xb9, 0xe3, 0x94 +}; + +unsigned char valitity[] = { + 0x30, 0x1e, + 0x17, 0x0d, + '2','0','0','0','0','1','0','1','0','0','0','0','Z', + 0x17, 0x0d, + '2','0','0','5','1','2','0','1','0','0','0','0','Z' +}; + + +unsigned char cnam_oid[] = { 0x06, 0x03, 0x55, 0x04, 0x03 }; + +unsigned char signature[] = { + /* the OID */ + 0x30, 0x0b, 0x06, 0x09, + 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01, 0x13, + /* signature wrap */ + 0x03, 0x29, 0x00, + /* 40 byte dsa signature */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff +}; + +unsigned char fortezza_oid [] = { + 0x60, 0x86, 0x48, 0x01, 0x65, 0x02, 0x01, 0x01, 0x13 +}; + +unsigned char software_ou[] = { + 0x31, 26, 0x30, 24, + 0x06, 0x03, 0x55, 0x04, 0x0b, + 0x13, 17, + 'S','o','f','t','w', + 'a','r','e',' ','F', + 'O','R','T','E','Z','Z','A' +}; + + +char letterarray[] = { + 'a','b','c','d','e','f','g','h','i','j','k','l','m','n', + 'o','p','q','r','s','t','u','v','w','x','y','z' }; + +char constarray[] = { + 'b','c','d','f','g','h','j','k','l','m','n', + 'p','q','r','s','t','v','w','x','y','z' }; + +char vowelarray[] = { + 'a','e','i','o','u','y' }; + +char digitarray[] = { + '0','1','2','3','4','5','6','7','8','9' }; + +unsigned long +getRandom(unsigned long max) { + unsigned short data; + unsigned long result; + + fort_GenerateRandom((unsigned char *)&data,sizeof(data)); + + result = (unsigned long)data * max; + result = result >> 16; + return result; +} + + +char getLetter(void) +{ + return letterarray[getRandom(sizeof(letterarray))]; +} +char getVowel(void) +{ + return vowelarray[getRandom(sizeof(vowelarray))]; +} +char getDigit(void) +{ + return digitarray[getRandom(sizeof(digitarray))]; +} + +char getConst(void) +{ + return constarray[getRandom(sizeof(constarray))]; +} + +char *getPinPhrase(void) +{ + char * pass = PORT_ZAlloc(5); + + pass[0] = getDigit(); + pass[1] = getDigit(); + pass[2] = getDigit(); + pass[3] = getDigit(); + + return pass; +} + +char *getPassPhrase(void) +{ + char * pass = PORT_ZAlloc(13); + + pass[0] = getConst()+'A'-'a'; + pass[1] = getVowel(); + pass[2] = getConst(); + pass[3] = getVowel(); + pass[4] = getConst(); + pass[5] = getVowel(); + pass[6] = getConst(); + pass[7] = getDigit(); + pass[8] = getDigit(); + pass[9] = getDigit(); + pass[10] = getDigit(); + pass[11] = getLetter()+'A'-'a'; + + return pass; +} + +extern void +makeCertSlot(fortSlotEntry * entry, + int index, + char * label, + SECItem * cert, + FORTSkipjackKeyPtr Ks, + unsigned char *xKEA, + unsigned char *xDSA, + unsigned char *pubKey, + int pubKeyLen, + unsigned char *p, + unsigned char *q, + unsigned char *g); + +extern void +makeProtectedPhrase(FORTSWFile * file, + fortProtectedPhrase *prot_phrase, + FORTSkipjackKeyPtr Ks, + FORTSkipjackKeyPtr Kinit, + char * phrase); + +extern void +fill_in(SECItem *item, unsigned char *data, int len); + +char *userLabel = "INKS0002 "; +int main(int argc, char **argv) +{ + char *progname = *argv++; + char *commonName = NULL; + char *caname = NULL; + char *email = NULL; + char *outname = NULL; + char *cp; + int arg_count = 0; + Cert caCert; + SECItem userCert; + int cirv,i; + int cards, start; + unsigned char *subject; + int subject_len; + int signature_len = sizeof(signature); + int newSubject_len, newCertBody_len, len; + int cname1_len, cname_len, pstring_len; + int valitity_len = sizeof(valitity); + unsigned char origCert[CERT_SIZE]; + unsigned char newSubject[CERT_SIZE]; + unsigned char newCertBody[CERT_SIZE]; + unsigned char newCert[CERT_SIZE]; + unsigned char pstring[CERT_SIZE]; + unsigned char cname1[CERT_SIZE]; + unsigned char cname[CERT_SIZE]; + CERTCertificate *myCACert = NULL; + CERTCertificate *cert; + CERTCertDBHandle *certhandle; + SECStatus rv; + unsigned char serial[16]; + SECKEYPublicKey *pubKey; + DSAPrivateKey *keaPrivKey; + DSAPrivateKey *dsaPrivKey; + CI_RANDOM randomVal; + PQGParams *params; + int pca_index = -1; + unsigned char *p,*q,*g; + FORTSkipjackKey Ks; + FORTSkipjackKey Kinit; + FORTSWFile *file; + FORTSignedSWFile *signed_file; + FORTSignedSWFile *signed_file2; + unsigned char random[20]; + unsigned char vers; + unsigned char *data; + char *transportPin=NULL; + char *ssoMemPhrase=NULL; + char *userMemPhrase=NULL; + char *ssoPin=NULL; + char *userPin=NULL; + char *pass=NULL; + SECItem *outItem; + int email_len = 0; + int emailAVA_len = 0; + + + /* put better argument parsing here */ + while ((cp = *argv++) != NULL) { + if (*cp == '-') { + while (*++cp) { + switch (*cp) { + /* verbose mode */ + case 'e': + email = *argv++; + break; + /* explicitly set the target */ + case 'o': + outname = *argv++; + break; + case 't': + /* provide password on command line */ + transportPin = *argv++; + break; + case 'u': + /* provide user password on command line */ + userPin = *argv++; + break; + case 'U': + /* provide user password on command line */ + userMemPhrase = *argv++; + break; + case 's': + /* provide user password on command line */ + ssoPin = *argv++; + break; + case 'S': + /* provide user password on command line */ + ssoMemPhrase = *argv++; + break; + case 'p': + /* provide card password on command line */ + pass = *argv++; + break; + case 'd': + transportPin="test1234567890"; + ssoMemPhrase="sso1234567890"; + userMemPhrase="user1234567890"; + ssoPin="9999"; + userPin="0000"; + break; + default: + usage(progname); + break; + } + } + } else switch (arg_count++) { + case 0: + commonName = cp; + break; + case 1: + caname = cp; + break; + default: + usage(progname); + } + } + + if (outname == NULL) outname = "swfort.sfi"; + if (caname == NULL) usage(progname); + + + + caCert.card = -1; + memset(newCert,0,CERT_SIZE); + + if (commonName == NULL) usage(progname); + + + cirv = CI_Initialize(&cards); + + start = 0; + for (i=0; i < cards; i++) { + cirv = InitCard(i+1,pass); + if (cirv == CI_OK) { + if (FoundCert(i+1,caname,&caCert)) { + break; + } + } + } + + if (caCert.card == -1) { + fprintf(stderr, + "WARNING: Couldn't find Signing CA...new cert will not be signed\n"); + } + + + /* + * initialize enough security to deal with certificates. + */ + NSS_NoDB_Init(NULL); + certhandle = CERT_GetDefaultCertDB(); + if (certhandle == NULL) { + Terminate("Couldn't build temparary Cert Database", + 1, -1, caCert.card); + exit(1); + } + + CI_GenerateRandom(random); + RNG_RandomUpdate(random,sizeof(random)); + CI_GenerateRandom(random); + RNG_RandomUpdate(random,sizeof(random)); + + + if (transportPin == NULL) transportPin = getPassPhrase(); + if (ssoMemPhrase == NULL) ssoMemPhrase = getPassPhrase(); + if (userMemPhrase == NULL) userMemPhrase = getPassPhrase(); + if (ssoPin == NULL) ssoPin = getPinPhrase(); + if (userPin == NULL) userPin = getPinPhrase(); + + + + /* now dump the certs into the temparary data base */ + for (i=0; i < caCert.count; i++) { + SECItem derCert; + + cirv = CI_Select(caCert.card); + if (cirv != CI_OK) { + Terminate("Couldn't select on CA card",cirv, + -1, caCert.card); + } + cirv = CI_GetCertificate(caCert.valid[i].index,origCert); + if (cirv != CI_OK) { + continue; + } + derCert.data = origCert; + derCert.len = Cert_length(origCert, sizeof(origCert)); + cert = + (CERTCertificate *)CERT_NewTempCertificate(certhandle,&derCert, NULL, + PR_FALSE, PR_TRUE); + caCert.valid[i].cert = cert; + if (cert == NULL) continue; + if (caCert.valid[i].index == caCert.index) myCACert=cert; + if (caCert.valid[i].index == atoi((char *)&caCert.label[4])) + pca_index = i; + } + + if (myCACert == NULL) { + Terminate("Couldn't find CA's Certificate", 1, -1, caCert.card); + exit(1); + } + + + /* + * OK now build the user cert. + */ + /* first get the serial number and KMID */ + cirv = CI_GenerateRandom(randomVal); + memcpy(&header[2],randomVal,sizeof(serial)); + memcpy(serial,randomVal,sizeof(serial)); + memcpy(&key[KEY_START+KMID_OFFSET],randomVal+sizeof(serial),7); + /* KMID */ + + /* now generate the keys */ + pubKey = CERT_ExtractPublicKey(myCACert); + if (pubKey == NULL) { + Terminate("Couldn't extract CA's public key", + 1, -1, caCert.card); + exit(1); + } + + + switch (pubKey->keyType) { + case fortezzaKey: + params = (PQGParams *)&pubKey->u.fortezza.params; + break; + case dsaKey: + params = (PQGParams *)&pubKey->u.dsa.params; + break; + default: + Terminate("Certificate is not a fortezza or DSA Cert", + 1, -1, caCert.card); + exit(1); + } + + rv = DSA_NewKey(params,&keaPrivKey); + if (rv != SECSuccess) { + Terminate("Couldn't Generate KEA key", + PORT_GetError(), -1, caCert.card); + exit(1); + } + rv = DSA_NewKey(params,&dsaPrivKey); + if (rv != SECSuccess) { + Terminate("Couldn't Generate DSA key", + PORT_GetError(), -1, caCert.card); + exit(1); + } + + if (keaPrivKey->publicValue.len == 129) + keaPrivKey->publicValue.data++; + if (dsaPrivKey->publicValue.len == 129) + dsaPrivKey->publicValue.data++; + if (keaPrivKey->privateValue.len == 21) + keaPrivKey->privateValue.data++; + if (dsaPrivKey->privateValue.len == 21) + dsaPrivKey->privateValue.data++; + + /* save the parameters */ + p = params->prime.data; + if (params->prime.len == 129) p++; + q = params->subPrime.data; + if (params->subPrime.len == 21) q++; + g = params->base.data; + if (params->base.len == 129) g++; + + memcpy(&key[KEY_START+KEA_OFFSET], + keaPrivKey->publicValue.data, + keaPrivKey->publicValue.len); + memcpy(&key[KEY_START+DSA_OFFSET], + dsaPrivKey->publicValue.data, + dsaPrivKey->publicValue.len); + + /* build the der subject */ + subject = data_start(myCACert->derSubject.data,myCACert->derSubject.len, + &subject_len); + + /* build the new Common name AVA */ + len = DER_Sequence(pstring,strlen(commonName)); + memcpy(pstring+len,commonName,strlen(commonName)); + len += strlen(commonName); + pstring_len = len; + pstring[0] = 0x13; + + len = DER_Sequence(cname1,sizeof(cnam_oid)+pstring_len); + memcpy(cname1+len,cnam_oid,sizeof(cnam_oid)); len += sizeof(cnam_oid); + memcpy(cname1+len,pstring,pstring_len); len += pstring_len; + cname1_len = len; + + len = DER_Sequence(cname, cname1_len); + memcpy(cname+len,cname1,cname1_len); len += cname1_len; + cname_len = len; + cname[0] = 0x31; /* make it a set rather than a sequence */ + + if (email) { + email_len = strlen(email); + emailAVA_len = EMAIL_DATA_START + email_len; + } + + /* now assemble it */ + len = DER_Sequence(newSubject,subject_len + sizeof(software_ou) + + cname_len + emailAVA_len); + memcpy(newSubject+len,subject,subject_len); + + for (i=0; i < subject_len; i++) { + if (memcmp(newSubject+len+i,cnam_oid,sizeof(cnam_oid)) == 0) { + newSubject[i+len+4] = 0x0b; /* change CN to OU */ + break; + } + } + len += subject_len; + memcpy(newSubject+len,software_ou,sizeof(software_ou)); + len += sizeof(software_ou); + memcpy(newSubject+len,cname,cname_len); len += cname_len; + newSubject_len = len; + + /* + * build the email AVA + */ + if (email) { + memcpy(&emailAVA[EMAIL_DATA_START],email,email_len); + for (i=0; i < offsetCount; i++) { + emailAVA[emailOffset[i]] += email_len; + } + memcpy(newSubject+len,emailAVA,emailAVA_len); + newSubject_len += emailAVA_len; + } + + + /* + * Assemble the Cert + */ + + len = DER_Sequence(newCertBody,sizeof(header)+newSubject_len+ + valitity_len+myCACert->derSubject.len+sizeof(key)); + memcpy(newCertBody+len,header,sizeof(header));len += sizeof(header); + memcpy(newCertBody+len,myCACert->derSubject.data, + myCACert->derSubject.len);len += myCACert->derSubject.len; + memcpy(newCertBody+len,valitity,valitity_len);len += valitity_len; + memcpy(newCertBody+len,newSubject,newSubject_len); + len += newSubject_len; + memcpy(newCertBody+len,key,sizeof(key));len += sizeof(key); + newCertBody_len = len; + + + /* + * generate the hash + */ + cirv = CI_InitializeHash(); + if (cirv == CI_OK) { + int hash_left = newCertBody_len & 63; + int hash_len = newCertBody_len - hash_left; + cirv = CI_Hash(hash_len,newCertBody); + if (cirv == CI_OK) { + cirv = CI_GetHash(hash_left,newCertBody+hash_len,hash); + } + } + + /* + * now sign the hash + */ + if ((cirv == CI_OK) && (caCert.card != -1)) { + cirv = CI_Select(caCert.card); + if (cirv == CI_OK) { + cirv = CI_SetPersonality(caCert.index); + if (cirv == CI_OK) { + cirv = CI_Sign(hash,sig); + } + } + } else cirv = -1; + + if (cirv != CI_OK) { + memcpy(sig,hash,sizeof(hash)); + } + + /* + * load in new signature + */ + { + int sig_len; + unsigned char *sig_start = + GetSignature(signature,signature_len,&sig_len); + memcpy(sig_start,sig,sizeof(sig)); + } + + /* + * now do the final wrap + */ + len = DER_Sequence(newCert,newCertBody_len+signature_len); + memcpy(newCert+len,newCertBody,newCertBody_len); len += newCertBody_len; + memcpy(newCert+len, signature, signature_len); len +=signature_len; + userCert.data = newCert; + userCert.len = len; + + + /* OK, we now have our cert, let's go build our software file */ + signed_file = PORT_ZNew(FORTSignedSWFile); + file = &signed_file->file; + + signed_file->signatureWrap.signature.data = PORT_ZAlloc(40); + signed_file->signatureWrap.signature.len = 40; + signed_file->signatureWrap.signatureAlgorithm.algorithm.data = + fortezza_oid; + signed_file->signatureWrap.signatureAlgorithm.algorithm.len = + sizeof(fortezza_oid); + + vers = 1; + fill_in(&file->version,&vers,1); + file->derIssuer.data = myCACert->derSubject.data; + file->derIssuer.len = myCACert->derSubject.len; + file->serialID.data = serial; + file->serialID.len =sizeof(serial); + /* generate out Ks value */ + fort_GenerateRandom(Ks,sizeof(Ks)); + makeProtectedPhrase(file,&file->initMemPhrase,Kinit,NULL,transportPin); + makeProtectedPhrase(file,&file->ssoMemPhrase,Ks,Kinit,ssoMemPhrase); + makeProtectedPhrase(file,&file->ssoPinPhrase,Ks,Kinit,ssoPin); + makeProtectedPhrase(file,&file->userMemPhrase,Ks,Kinit,userMemPhrase); + makeProtectedPhrase(file,&file->userPinPhrase,Ks,Kinit,userPin); + file->wrappedRandomSeed.data = PORT_ZAlloc(12); + file->wrappedRandomSeed.len = 12; + cirv = fort_GenerateRandom(file->wrappedRandomSeed.data,10); + if (cirv != CI_OK) { + Terminate("Couldn't get Random Seed", + cirv, -1, caCert.card); + } + fort_skipjackWrap(Ks,12,file->wrappedRandomSeed.data, + file->wrappedRandomSeed.data); + file->slotEntries = PORT_ZAlloc(sizeof(fortSlotEntry *)*5); + /* paa */ + file->slotEntries[0] = PORT_ZNew(fortSlotEntry); + makeCertSlot(file->slotEntries[0],0, + (char *)caCert.valid[0].label, + &caCert.valid[0].cert->derCert, + Ks,NULL,NULL,NULL,0,p,q,g); + /* pca */ + file->slotEntries[1] = PORT_ZNew(fortSlotEntry); + makeCertSlot(file->slotEntries[1],1, + (char *)caCert.valid[pca_index].label, + &caCert.valid[pca_index].cert->derCert, + Ks,NULL,NULL,NULL,0,p,q,g); + /* ca */ + file->slotEntries[2] = PORT_ZNew(fortSlotEntry); + /* make sure the caCert lable points to our new pca slot location */ + caCert.label[4] = '0'; + caCert.label[5] = '0'; + caCert.label[6] = '0'; + caCert.label[7] = '1'; + makeCertSlot(file->slotEntries[2],2,(char *)caCert.label, + &myCACert->derCert,Ks,NULL,NULL,NULL,0,p,q,g); + /* user */ + file->slotEntries[3] = PORT_ZNew(fortSlotEntry); + strncpy(&userLabel[8],commonName,sizeof(CI_PERSON)-8); + makeCertSlot(file->slotEntries[3],3,userLabel,&userCert,Ks, + keaPrivKey->privateValue.data, + dsaPrivKey->privateValue.data, + key, sizeof(key), p, q, g); + file->slotEntries[4] = 0; + + /* encode the file so we can sign it */ + outItem = FORT_PutSWFile(signed_file); + + /* get the der encoded data to sign */ + signed_file2 = FORT_GetSWFile(outItem); + + /* now sign it */ + len = signed_file2->signatureWrap.data.len; + data = signed_file2->signatureWrap.data.data; + /* + * generate the hash + */ + cirv = CI_InitializeHash(); + if (cirv == CI_OK) { + int hash_left = len & 63; + int hash_len = len - hash_left; + cirv = CI_Hash(hash_len,data); + if (cirv == CI_OK) { + cirv = CI_GetHash(hash_left,data+hash_len,hash); + } + } + + /* + * now sign the hash + */ + if ((cirv == CI_OK) && (caCert.card != -1)) { + cirv = CI_Select(caCert.card); + if (cirv == CI_OK) { + cirv = CI_SetPersonality(caCert.index); + if (cirv == CI_OK) { + cirv = CI_Sign(hash,sig); + } + } + } else cirv = -1; + + if (cirv != CI_OK) { + memcpy(sig,hash,sizeof(hash)); + } + memcpy( signed_file->signatureWrap.signature.data,sig,sizeof(sig)); + signed_file->signatureWrap.signature.len = sizeof(sig)*8; + + + /* encode it for the last time */ + outItem = FORT_PutSWFile(signed_file); + + + /* + * write it out to the .sfi file + */ + { + int fd = open(outname,O_WRONLY|O_CREAT|O_BINARY,0777); + + write(fd,outItem->data,outItem->len); + close(fd); + } + CI_Close(CI_POWER_DOWN_FLAG,caCert.card); + CI_Terminate(); + + printf("Wrote %s to file %s.\n",commonName,outname); + printf("Initialization Memphrase: %s\n",transportPin); + printf("SSO Memphrase: %s\n",ssoMemPhrase); + printf("User Memphrase: %s\n",userMemPhrase); + printf("SSO pin: %s\n",ssoPin); + printf("User pin: %s\n",userPin); + + return 0; +} + diff --git a/security/nss/cmd/ttformat/Makefile b/security/nss/cmd/ttformat/Makefile new file mode 100644 index 000000000..4de295a9c --- /dev/null +++ b/security/nss/cmd/ttformat/Makefile @@ -0,0 +1,78 @@ +#! gmake +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +####################################################################### +# (1) Include initial platform-independent assignments (MANDATORY). # +####################################################################### + +include manifest.mn + +####################################################################### +# (2) Include "global" configuration information. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/config.mk + +####################################################################### +# (3) Include "component" configuration information. (OPTIONAL) # +####################################################################### + +####################################################################### +# (4) Include "local" platform-dependent assignments (OPTIONAL). # +####################################################################### +include ../platlibs.mk + +####################################################################### +# (5) Execute "global" rules. (OPTIONAL) # +####################################################################### + +include $(CORE_DEPTH)/coreconf/rules.mk + +####################################################################### +# (6) Execute "component" rules. (OPTIONAL) # +####################################################################### + + + +####################################################################### +# (7) Execute "local" rules. (OPTIONAL). # +####################################################################### + + +include ../platrules.mk + diff --git a/security/nss/cmd/ttformat/manifest.mn b/security/nss/cmd/ttformat/manifest.mn new file mode 100644 index 000000000..39667ee88 --- /dev/null +++ b/security/nss/cmd/ttformat/manifest.mn @@ -0,0 +1,52 @@ +# +# ***** BEGIN LICENSE BLOCK ***** +# Version: MPL 1.1/GPL 2.0/LGPL 2.1 +# +# The contents of this file are subject to the Mozilla Public License Version +# 1.1 (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# http://www.mozilla.org/MPL/ +# +# Software distributed under the License is distributed on an "AS IS" basis, +# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License +# for the specific language governing rights and limitations under the +# License. +# +# The Original Code is the Netscape security libraries. +# +# The Initial Developer of the Original Code is +# Netscape Communications Corporation. +# Portions created by the Initial Developer are Copyright (C) 1994-2000 +# the Initial Developer. All Rights Reserved. +# +# Contributor(s): +# +# Alternatively, the contents of this file may be used under the terms of +# either the GNU General Public License Version 2 or later (the "GPL"), or +# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), +# in which case the provisions of the GPL or the LGPL are applicable instead +# of those above. If you wish to allow use of your version of this file only +# under the terms of either the GPL or the LGPL, and not to allow others to +# use your version of this file under the terms of the MPL, indicate your +# decision by deleting the provisions above and replace them with the notice +# and other provisions required by the GPL or the LGPL. If you do not delete +# the provisions above, a recipient may use your version of this file under +# the terms of any one of the MPL, the GPL or the LGPL. +# +# ***** END LICENSE BLOCK ***** + +CORE_DEPTH = ../../.. + +DEFINES += -DNSPR20 + +# MODULE public and private header directories are implicitly REQUIRED. +MODULE = nss + +CSRCS = ttformat.c + +# The MODULE is always implicitly required. +# Listing it here in REQUIRES makes it appear twice in the cc command line. +REQUIRES = seccmd dbm + +PROGRAM = ttformat + diff --git a/security/nss/cmd/ttformat/nClient b/security/nss/cmd/ttformat/nClient new file mode 100755 index 000000000..aab8402bd --- /dev/null +++ b/security/nss/cmd/ttformat/nClient @@ -0,0 +1,49 @@ +# /bin/ksh +# +# nClient -- run the nss test strsclnt for performance testing +# +# syntax: nClient [options] +# +# where: options are: +# any valid command line option for strsclnt +# Note that some options are set by this script! +# +# Description: +# nClient runs the nss test program "strsclnt" for purposes of +# gathering performance data. +# +# some shell variables are set at the top of the script +# you may have to change these, depending on the host you +# are running on and other "stuff". caveat emptor. +# +# You will have to tinker with this script to get it to +# run for you. +# +# See also: nServ +# +# --- begin nClient ------------------------------------------------------- +baseDir=/home/lorenzo/nss-raw/mozilla +# +# shell variables for running strsclnt +# +export HOST=`hostname -s` +export DOMSUF=red.iplanet.com +serverHost=dbldog +nssDB=${baseDir}/tests_results/security/${HOST}.1/client +nssHost=${HOST}.red.iplanet.com +pushd ${baseDir}/security/nss/tests/common +objDir=`gmake objdir_name` +popd +# +# +nssOptions="-p 12944 ${serverHost}.red.iplanet.com" +export LD_LIBRARY_PATH=${baseDir}/dist/${objDir}/lib +clientProg=${baseDir}/security/nss/cmd/strsclnt/${objDir}/strsclnt +# +# do the test +# +nssCommand="${clientProg} -d ${nssDB} ${nssOptions}" +echo $nssCommand $* +${nssCommand} $* & +# +# --- end nClient -------------------------------------------------------- diff --git a/security/nss/cmd/ttformat/nServ b/security/nss/cmd/ttformat/nServ new file mode 100755 index 000000000..ddf51b0e8 --- /dev/null +++ b/security/nss/cmd/ttformat/nServ @@ -0,0 +1,49 @@ +# /bin/ksh +# +# nServ -- run the nss test selfserv for performance testing +# +# syntax: nServ [options] +# +# where: options are: +# Valid arguments to the selfserv program +# Note that this script sets some options +# +# Description: +# nServ runs the nss test program "selfserv" for purposes of +# gathering performance data. +# +# some shell variables are set at the top of the script +# you may have to change these, depending on the host you +# are running on and other "stuff". caveat emptor. +# +# See also: nClinet +# +# --- begin nServ ------------------------------------------------------- +# +baseDir=/home/lorenzo/nss-server/mozilla +# +# shell variables for running selfserv +# +export HOST=`hostname -s` +export DOMSUF=red.iplanet.com +nssDB=${baseDir}/tests_results/security/${HOST}.1/server +nssHost=${HOST}.red.iplanet.com +nssOptions="-p 12944 -w nss" +pushd ${baseDir}/security/nss/tests/common +objDir=`gmake objdir_name` +popd +export LD_LIBRARY_PATH=${baseDir}/dist/${objDir}/lib +# +# shell variables for capturing instrumentation data +# +export NSPR_LOG_MODULES=TestCase:6 +export NSPR_LOG_FILE=xxxLogfile +# +# do the test +# +nssCommand="${baseDir}/dist/${objDir}/bin/selfserv -d ${nssDB} -n ${nssHost} ${nssOptions}" +echo $nssCommand +${nssCommand} $* & +# xxgdb ${baseDir}/dist/${objDir}/bin/selfserv +# +# --- end nServ ------------------------------------------------------- diff --git a/security/nss/cmd/ttformat/redux.pl b/security/nss/cmd/ttformat/redux.pl new file mode 100755 index 000000000..ccc13c24a --- /dev/null +++ b/security/nss/cmd/ttformat/redux.pl @@ -0,0 +1,77 @@ +# +# redux.pl -- general nss trace data extraction +# +# syntax: redux.pl +# +# redux.pl reads a file of formatted trace table records from stdin +# The trace records are formatted by nssilock.c +# redux.pl parses the lines and accumulates data in a hash +# When finished with stdin, redux.pl traverses the hash and emits +# the accumulated data. +# +# Operation: +# read stdin, accumulate in a hash by file, line, type. +# traverse the hash, reporting data. +# +# raw data format: +# thredid op ltype callTime heldTime lock line file +# +# Notes: +# After running redux.pl, sort the report on column 4 in decending sequence +# to see where the lock contention is. +# +# +# ----------------------------------------------------------------------- +use Getopt::Std; + +getopts("h") || die "redux.pl: unrecognized command option"; + + +# ----------------------------------------------------------------------- +# read stdin to exhaustion +while ( <STDIN> ) { + $recordCount++; +# next if ($recordCount < 36000 ); # skip initialization records + chomp; + ($thredid, $op, $ltype, $callTime, $heldTime, $lock, $line, $file) = split; + +# select out un-interesting lines +# next if (( $callTime < $opt_c ) && ( $heldTime < $opt_h )); +# print $_, "\n"; + +# count general stats + $interesting++; + +# format the key + $hashKey = $file ." ". $line ." ". $ltype; + +# Update the data in the hash entry + $theData = $theHash{$hashKey}; # read it if it already exists + ( $hCount, $hcallTime, $hheldTime, $hcallMax, $hheldMax ) = split(/\s+/, $theData ); + $hCount++; + $hcallTime += $callTime; + $hheldTime += $heldTime; + $hcallMax = ( $hcallMax > $callTime )? $hcallMax : $callTime; + $hheldMax = ( $hheldMax > $heldTime )? $hheldMax : $heldTime; + +# Write theData back to the hash + $theData = $hCount." ".$hcallTime." ".$hheldTime." ".$hcallMax." ".$hheldMax; + $theHash{$hashKey} = $theData; +} # end while() + +# ----------------------------------------------------------------------- +# traverse theHash + printf("%-16s %6s %-16s %8s %8s %8s %8s %8s\n", + "File","line","ltype","hits","calltim","heldtim","callmax","heldmax" ); +while (($hashKey,$theData) = each(%theHash)) { + $hashElements++; + ($file, $line, $ltype) = split(/\s+/, $hashKey ); + ( $hCount, $hcallTime, $hheldTime, $hcallMax, $hheldMax ) = split(/\s+/, $theData ); + printf("%-16s %6d %-16s %8d %8d %8d %8d %8d\n", + $file, $line, $ltype, $hCount, $hcallTime, $hheldTime, $hcallMax, $hheldMax ); +} # end while() + +# ----------------------------------------------------------------------- +# dump global statistics +printf ("Record count: %d\n", $recordCount ); +printf("Interesting: %d, HashElements: %d\n", $interesting, $hashElements); diff --git a/security/nss/cmd/ttformat/reduxhwm.pl b/security/nss/cmd/ttformat/reduxhwm.pl new file mode 100644 index 000000000..f442ff4e4 --- /dev/null +++ b/security/nss/cmd/ttformat/reduxhwm.pl @@ -0,0 +1,33 @@ +# +# reduxhwm.pl -- analyze highwatermark data in xxxLogfile +# +# example interesting line in xxxLogfile +# 1026[8154da0]: selfserv: Launched thread in slot 37, highWaterMark: 63 +# +# +# +while ( <STDIN> ) { + chomp; + ($proc, $who, $launched, $thread, $in, $slotx, $slot, $hwm, $highwatermark) = split; + if ( $launched == "Launched" ) { + next if ( $slot == 0 ); + $notInteresting++; + if ( $hwmMax < $highwatermark ){ + $hwmMax = $highwatermark; + } + $hwmArray[$slot] += 1; + $interesting++; + } +} # end while() + +printf ("Interesteing: %d\n", $interesting ); +printf ("Not Interesting: %d\n", $notInteresting - $interesting ); + +foreach $element (@hwmArray) { + $percent = 100*($element / $interesting); + $percentTotal += $percent; + printf("Slot %2d: %d hits, %2.2f percent, %2.2f total percent\n", $i, $element, $percent, $percentTotal ); + $i++; +} +printf("Sum of percentages: %3.2f\n", $percentTotal ); +# --- end --- diff --git a/security/nss/cmd/ttformat/ttformat.c b/security/nss/cmd/ttformat/ttformat.c new file mode 100644 index 000000000..26c9bbbce --- /dev/null +++ b/security/nss/cmd/ttformat/ttformat.c @@ -0,0 +1,138 @@ +/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is the Netscape Portable Runtime (NSPR). + * + * The Initial Developer of the Original Code is + * Netscape Communications Corporation. + * Portions created by the Initial Developer are Copyright (C) 1998-2000 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ + +/* +** File: ttformat.c +** Description: ttformat.c reads the file "xxxTTLog". xxxTTLog +** contains fixed length binary data written by nssilock. +** ttformat formats the data to a human readable form (printf) +** usable for visual scanning and for processing via a perl script. +** Output is written to stdout +** +*/ + +#include <stdio.h> +#include <stdlib.h> +#include <nssilock.h> + +/* +** struct maps enum nssILockType to character representation +*/ +struct { + nssILockType ltype; + char *name; +} ltypeNameT[] = { + { nssILockArena, "Arena" }, + { nssILockSession, "Session" }, + { nssILockObject, "Object" }, + { nssILockRefLock, "RefLock" }, + { nssILockCert, "Cert", }, + { nssILockCertDB, "CertDB" }, + { nssILockDBM, "DBM" }, + { nssILockCache, "Cache" }, + { nssILockSSL, "SSL" }, + { nssILockList, "List" }, + { nssILockSlot, "Slot" }, + { nssILockFreelist, "Freelist" }, + { nssILockOID, "OID" }, + { nssILockAttribute, "Attribute" }, + { nssILockPK11cxt, "PK11Context" }, + { nssILockRWLock, "RWLock" }, + { nssILockOther, "Other" }, + { nssILockSelfServ, "SelfServ" } +}; /* end ltypeNameT */ + +/* +** struct maps enum nssILockOp to character representation +*/ +struct { + nssILockOp op; + char *name; +} opNameT[] = { + { FlushTT, "FlushTT" }, + { NewLock, "NewLock" }, + { Lock, "Lock" }, + { Unlock, "Unlock" }, + { DestroyLock, "DestroyLock" }, + { NewCondVar, "NewCondVar" }, + { WaitCondVar, "WaitCondVar" }, + { NotifyCondVar, "NotifyCondVar" }, + { NotifyAllCondVar, "NotifyAllCondVar" }, + { DestroyCondVar, "DestroyCondVar" }, + { NewMonitor, "NewMonitor" }, + { EnterMonitor, "EnterMonitor" }, + { ExitMonitor, "ExitMonitor" }, + { Notify, "Notify" }, + { NotifyAll, "NotifyAll" }, + { Wait, "Wait" }, + { DestroyMonitor, "DestroyMonitor" } +}; /* end opNameT */ + + +int main(int argc, char *argv[]) +{ + FILE *filea; + struct pzTrace_s inBuf; + char *opName; + char *ltypeName; + int rCount = 0; + int oCount = 0; + + filea = fopen( "xxxTTLog", "r" ); + if ( NULL == filea ) { + fprintf( stderr, "ttformat: Oh drat! Can't open 'xxxTTLog'\n" ); + exit(1); + } + + while(1 == (fread( &inBuf, sizeof(inBuf), 1 , filea ))) { + ++rCount; + if ( inBuf.op > DestroyMonitor ) continue; + if ( inBuf.op < FlushTT ) continue; + + opName = opNameT[inBuf.op].name; + ltypeName = ltypeNameT[inBuf.ltype].name; + + ++oCount; + printf("%8d %18s %18s %6d %6d %12p %6d %20s\n", + inBuf.threadID, opName, ltypeName, inBuf.callTime, inBuf.heldTime, + inBuf.lock, inBuf.line, inBuf.file ); + } /* end while() */ + + fprintf( stderr, "Read: %d, Wrote: %d\n", rCount, oCount ); + return 0; +} /* main() */ +/* end ttformat.c */ |