Backed out changeset f5abeef3c07e (bug 1957519) for causing bc failures on browser_clientAuthRememberService.js. UPGRADE_NSS_RELEASE CLOSED TREE

Iulian Moraru
2025-04-22 15:14:14 +03:00
parent d425e97e55
commit 0d7a5cb946
23 changed files with 212 additions and 420 deletions


@@ -0,0 +1,21 @@
3 Added functions:
'function const char* SECMOD_FlagsToPolicyString(PRUint32, PRBool)' {SECMOD_FlagsToPolicyString@@NSS_3.110}
'function SECOidTag SECMOD_PolicyStringToOid(const char*, const char*)' {SECMOD_PolicyStringToOid@@NSS_3.110}
'function PRUint32 SECMOD_PolicyStringToOpt(const char*)' {SECMOD_PolicyStringToOpt@@NSS_3.110}
1 function with some indirect sub-type change:
[C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes:
parameter 2 of type 'typedef SECOidTag' has sub-type changes:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
1 enumerator insertion:
'__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1


@@ -0,0 +1,15 @@
1 function with some indirect sub-type change:
[C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:149:1 has some indirect sub-type changes:
return type changed:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
1 enumerator insertion:
'__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1


@@ -0,0 +1,45 @@
1 function with some indirect sub-type change:
[C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes:
parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes:
in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1:
underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed:
type size hasn't changed
1 data member changes (2 filtered):
type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed:
underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed:
type size hasn't changed
1 data member changes (3 filtered):
type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed:
in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1:
underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:470:1 changed:
type size hasn't changed
1 data member changes (1 filtered):
type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed:
in pointed to type 'NSSCMSAttribute*':
in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1:
underlying type 'struct NSSCMSAttributeStr' at cmst.h:489:1 changed:
type size hasn't changed
1 data member change:
type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed:
in pointed to type 'typedef SECOidData' at secoidt.h:16:1:
underlying type 'struct SECOidDataStr' at secoidt.h:553:1 changed:
type size hasn't changed
1 data member change:
type of 'SECOidTag SECOidDataStr::offset' changed:
underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed:
type size hasn't changed
1 enumerator insertion:
'__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390'
1 enumerator change:
'__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1


@@ -1 +1 @@
NSS_3_110_BRANCH
NSS_3_109_BRANCH


@@ -29,7 +29,7 @@ popd
# Run Cryptofuzz.
# Decrease the default ASAN quarantine size of 256 MB as we tend to run
# out of memory on 32-bit.
ASAN_OPTIONS="quarantine_size_mb=64" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@"
ASAN_OPTIONS="quarantine_size_mb=128" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@"
# Alert if version is older than half a year.
cryptofuzz_timestamp=$(git -C cryptofuzz show -s --format=%ct $CRYPTOFUZZ_VERSION)


@@ -309,7 +309,7 @@ makeNSSVendorName(CK_ATTRIBUTE_TYPE attribute, const char *nameType)
static char nss_name[256];
const char *name = NULL;
if ((attribute >= CKA_NSS) && (attribute < 0xffffffffUL)) {
snprintf(nss_name, sizeof(nss_name), "%s+%d", nameType, (int)(attribute - CKA_NSS));
sprintf(nss_name, "%s+%d", nameType, (int)(attribute - CKA_NSS));
name = nss_name;
}
return name;
@@ -546,7 +546,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey,
if (!force && !isAuthenticatedAttribute(attribute)) {
return;
}
snprintf(id, sizeof(id), META_SIG_TEMPLATE,
sprintf(id, META_SIG_TEMPLATE,
isKey ? "key" : "cert",
(unsigned int)objectID, (unsigned int)attribute);
printf(" Signature %s:", id);
@@ -555,7 +555,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey,
crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL);
if ((crv != CKR_OK) && isKey) {
snprintf(id, sizeof(id), META_SIG_TEMPLATE,
sprintf(id, META_SIG_TEMPLATE,
isKey ? "key" : "cert", (unsigned int)(objectID | SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE),
(unsigned int)attribute);
crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL);
@@ -730,11 +730,11 @@ secu_ConfigDirectory(const char *base)
home = "";
if (*home && home[strlen(home) - 1] == '/')
snprintf(buf, sizeof(buf), "%.900s%s", home, dir);
sprintf(buf, "%.900s%s", home, dir);
else
snprintf(buf, sizeof(buf), "%.900s/%s", home, dir);
sprintf(buf, "%.900s/%s", home, dir);
} else {
snprintf(buf, sizeof(buf), "%.900s", base);
sprintf(buf, "%.900s", base);
if (buf[strlen(buf) - 1] == '/')
buf[strlen(buf) - 1] = 0;
}
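Review bot: The four formatting sites in this section (makeNSSVendorName, both `META_SIG_TEMPLATE` writes in dumpSignature, and the three branches of secu_ConfigDirectory) end up on unbounded `sprintf` again, assuming the second line of each printed pair is the post-backout side, as the version-macro pairs elsewhere on the page indicate. In makeNSSVendorName `nameType` is written into the 256-byte `nss_name` with no length limit, and in secu_ConfigDirectory `dir` is appended after up to 900 bytes of `home` with nothing tying the total to the size of `buf`, which is declared outside the hunk. The bounded form does not depend on the change being backed out and could be kept, e.g. `snprintf(nss_name, sizeof(nss_name), "%s+%d", nameType, (int)(attribute - CKA_NSS));`. Separately, `buf[strlen(buf) - 1]` on the context line indexes before the buffer when `base` is an empty string; `if (buf[0] && buf[strlen(buf) - 1] == '/')` avoids that.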


@@ -24,7 +24,6 @@ include $(CORE_DEPTH)/coreconf/config.mk
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
include ../platlibs.mk
include $(CORE_DEPTH)/coreconf/zlib.mk
#######################################################################
# (5) Execute "global" rules. (OPTIONAL) #


@@ -43,7 +43,6 @@
#include "certt.h"
#include "ocsp.h"
#include "nssb64.h"
#include "zlib.h"
#ifndef PORT_Strstr
#define PORT_Strstr strstr
@@ -168,7 +167,7 @@ PrintUsageHeader(const char *progName)
" [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
" [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n"
" [-I groups] [-J signatureschemes] [-e ec_nickname]\n"
" -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk] -q\n"
" -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk]\n"
"\n",
progName);
}
@@ -254,8 +253,7 @@ PrintParameterUsage()
" \"publicname:\". For example, \"publicname:example.com\". In this mode,\n"
" an ephemeral ECH keypair is generated and ECHConfigs are printed to stdout.\n"
" 2. As a Base64 tuple of <ECHRawPrivateKey> || <ECHConfigs>. In this mode, the\n"
" raw private key is used to bootstrap the HPKE context.\n"
"-q Enable zlib certificate compression\n",
" raw private key is used to bootstrap the HPKE context.\n",
stderr);
}
@@ -823,7 +821,6 @@ PRBool NoReuse = PR_FALSE;
PRBool hasSidCache = PR_FALSE;
PRBool disableLocking = PR_FALSE;
PRBool enableSessionTickets = PR_FALSE;
PRBool enableZlibCertificateCompression = PR_FALSE;
PRBool failedToNegotiateName = PR_FALSE;
PRBool enableExtendedMasterSecret = PR_FALSE;
PRBool zeroRTT = PR_FALSE;
@@ -2070,57 +2067,6 @@ configureEch(PRFileDesc *model_sock)
return configureEchWithData(model_sock);
}
static SECStatus
zlibCertificateDecode(const SECItem *input,
unsigned char *output, size_t outputLen,
size_t *usedLen)
{
if (!input || !input->data || input->len == 0 || !output || outputLen == 0) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
*usedLen = outputLen;
int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len);
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_BAD_DATA, 0);
return SECFailure;
}
return SECSuccess;
}
static SECStatus
zlibCertificateEncode(const SECItem *input, SECItem *output)
{
if (!input || !input->data || input->len == 0 || !output) {
PR_SetError(SEC_ERROR_INVALID_ARGS, 0);
return SECFailure;
}
unsigned long maxCompressedLen = compressBound(input->len);
SECITEM_AllocItem(NULL, output, maxCompressedLen);
int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len);
if (ret != Z_OK) {
PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);
return SECFailure;
}
return SECSuccess;
}
static SECStatus
configureZlibCompression(PRFileDesc *model_sock)
{
SSLCertificateCompressionAlgorithm zlibAlg = { 1, "zlib",
zlibCertificateEncode,
zlibCertificateDecode };
return SSL_SetCertificateCompressionAlgorithm(model_sock, zlibAlg);
}
void
server_main(
PRFileDesc *listen_sock,
@@ -2177,13 +2123,6 @@ server_main(
}
}
if (enableZlibCertificateCompression) {
rv = configureZlibCompression(model_sock);
if (rv != SECSuccess) {
errExit("error enabling Zlib Certificate Compression");
}
}
if (virtServerNameIndex > 1) {
rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig,
(void *)&virtServerNameArray);
@@ -2594,7 +2533,7 @@ main(int argc, char **argv)
** XXX: 'B', and 'q' were used in the past but removed
** in 3.28, please leave some time before resuing those. */
optstate = PL_CreateOptState(argc, argv,
"2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:x:yz:");
"2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:yz:");
while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) {
++optionsFound;
switch (optstate->option) {
@@ -2779,10 +2718,6 @@ main(int argc, char **argv)
port = PORT_Atoi(optstate->value);
break;
case 'q':
enableZlibCertificateCompression = PR_TRUE;
break;
case 'r':
++requestCert;
break;


@@ -15,8 +15,7 @@
],
'dependencies': [
'<(DEPTH)/exports.gyp:dbm_exports',
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib'
'<(DEPTH)/exports.gyp:nss_exports'
]
}
],
@@ -28,4 +27,4 @@
'variables': {
'module': 'nss'
}
}
}


@@ -259,22 +259,3 @@ DEFINES += -DNO_NSPR_10_SUPPORT
# Hide old, deprecated, TLS cipher suite names when building NSS
DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
# By default the PKCS5_PBKD2_PARAMS(structure) version is determined based on the
# cryptokiVersion of the token, PKCS5_PBKD2_PARAMS2 structure is used for version
# 2.40 or later, PKCS5_PBKD2_PARAMS structure is used otherwise.
# This define allows to force the use of PKCS5_PBKD2_PARAMS2 structure only.
ifeq ($(SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY),1)
DEFINES += -DSOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
endif
# By default the PKCS5_PBKD2_PARAMS(structure) version is auto-detected based on
# the difference between the two structures, in this case the password length is
# limited to 8192 bytes.
# Using this define, only PKCS5_PBKD2_PARAMS2 structure is expected, this can cause
# segmentation fault if PKCS5_PBKD2_PARAMS structure is provided!).
# Additional the password length is not limited with this option.
ifeq ($(NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY),1)
DEFINES += -DNSS_USE_PKCS5_PBKD2_PARAMS2_ONLY
endif


@@ -324,26 +324,6 @@ TEST_P(TlsConnectClientAuth, ClientAuth) {
client_->CheckClientAuthCompleted();
}
TEST_F(TlsConnectStreamTls13, ClientAuthWithMultipleTickets) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH);
auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len,
void* arg) -> SECStatus { return SECSuccess; };
EXPECT_EQ(SECSuccess,
SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, nullptr));
Connect();
SendReceive(50);
CheckKeys();
// An automatic ticket has already been sent. This sends another one.
EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0));
SendReceive(100);
}
// All stream only tests; PostHandshakeAuth isn't supported for DTLS.
TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuth) {


@@ -200,7 +200,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\013\004\000\000\000\000\001\025\113\132\303\224
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -366,7 +366,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\004\070\143\336\370
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -500,7 +500,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\004\002\000\000\271
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -946,7 +946,7 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -1452,7 +1452,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217
\240\255
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -1598,8 +1598,8 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
@@ -1745,8 +1745,8 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
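Review bot: Backing out the whole NSS update also puts `CKA_TRUST_SERVER_AUTH` back to `CKT_NSS_TRUSTED_DELEGATOR` for the seven root entries in this section (and `CKA_TRUST_EMAIL_PROTECTION` for the last two), if the second line of each printed pair is the restored side, as the 2.76 to 2.74 builtins version pair elsewhere on the page suggests. The stated reason for the backout is a test failure in browser_clientAuthRememberService.js, which does not obviously involve these trust records, so the trust reduction appears to be lost as a side effect. Consider keeping `CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST` for these entries, or recording in the backout message that the root-store change has to re-land, so these roots do not stay trusted for TLS server authentication longer than intended.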


@@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 76
#define NSS_BUILTINS_LIBRARY_VERSION "2.76"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74
#define NSS_BUILTINS_LIBRARY_VERSION "2.74"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1


@@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.111" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.110" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 111
#define NSS_VMINOR 110
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED


@@ -940,15 +940,15 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech)
* based on the algorithm. */
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
SECOidTag prfAlgTag;
CK_PKCS5_PBKD2_PARAMS2 *pbeV2_params =
(CK_PKCS5_PBKD2_PARAMS2 *)PORT_ZAlloc(
PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS)) + salt->len);
CK_PKCS5_PBKD2_PARAMS *pbeV2_params =
(CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc(
sizeof(CK_PKCS5_PBKD2_PARAMS) + salt->len);
if (pbeV2_params == NULL) {
goto loser;
}
paramData = (unsigned char *)pbeV2_params;
paramLen = PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS));
paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS);
/* set the prf */
prfAlgTag = SEC_OID_HMAC_SHA1;
@@ -981,7 +981,7 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech)
pbeV2_params->pPrfData = NULL;
pbeV2_params->ulPrfDataLen = 0;
pbeV2_params->saltSource = CKZ_SALT_SPECIFIED;
pSalt = ((CK_CHAR_PTR)pbeV2_params) + PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS));
pSalt = ((CK_CHAR_PTR)pbeV2_params) + sizeof(CK_PKCS5_PBKD2_PARAMS);
if (salt->data) {
PORT_Memcpy(pSalt, salt->data, salt->len);
}
@@ -1420,12 +1420,7 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *params, CK_KEY_TYPE keyType, int keyLen,
SECItem *pwitem, void *wincx)
{
#ifndef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
SECItem _params = { 0, NULL, 0 };
CK_PKCS5_PBKD2_PARAMS pbev2_1_params;
CK_ULONG pwLen;
#endif
/* do some sanity checks */
if ((params == NULL) || (params->data == NULL)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1439,39 +1434,15 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
/* set the password pointer in the parameters... */
if (type == CKM_PKCS5_PBKD2) {
CK_PKCS5_PBKD2_PARAMS2 *pbev2_params;
if ((params->len < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS))) ||
pwitem->len > CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN) {
CK_PKCS5_PBKD2_PARAMS *pbev2_params;
if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return NULL;
}
pbev2_params = (CK_PKCS5_PBKD2_PARAMS2 *)params->data;
pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data;
pbev2_params->pPassword = pwitem->data;
#ifdef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY
pbev2_params->ulPasswordLen = pwitem->len;
#else
CK_VERSION cryptokiVersion = slot->module->cryptokiVersion;
if (cryptokiVersion.major < 2 ||
(cryptokiVersion.major == 2 && cryptokiVersion.minor < 40)) {
/* CK_PKCS5_PBKD2_PARAMS */
_params.type = params->type;
_params.data = (CK_CHAR_PTR)&pbev2_1_params;
_params.len = sizeof(CK_PKCS5_PBKD2_PARAMS);
params = &_params;
memcpy(&pbev2_1_params, pbev2_params,
PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2),
sizeof(CK_PKCS5_PBKD2_PARAMS)));
pwLen = pwitem->len;
pbev2_1_params.ulPasswordLen = &pwLen;
} else {
/* CK_PKCS5_PBKD2_PARAMS2 */
pbev2_params->ulPasswordLen = pwitem->len;
}
#endif
pwLen = pwitem->len;
pbev2_params->ulPasswordLen = &pwLen;
} else {
CK_PBE_PARAMS *pbe_params;
if (params->len < sizeof(CK_PBE_PARAMS)) {
@@ -1484,7 +1455,8 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
}
/* generate the key (and sometimes the IV as a side effect...) */
return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, keyLen, NULL,
return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType,
keyLen, NULL,
CKF_SIGN | CKF_ENCRYPT | CKF_DECRYPT | CKF_UNWRAP | CKF_WRAP,
0, wincx);
}
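Review bot: In pk11_RawPBEKeyGenWithKeyType the restored `pbev2_params->ulPasswordLen = &pwLen;` stores the address of a stack local inside `params->data`, which belongs to the caller, so that buffer still holds a pointer into a dead frame (and the password pointer) after the function returns. The pointer is valid for the `pk11_TokenKeyGenWithFlagsAndKeyType` call itself; whether any caller reads or reuses the parameter block afterwards is not visible here. Holding the key-gen result in a local and resetting `pPassword` and `ulPasswordLen` to NULL before returning would remove the stale pointers from the caller's buffer. At minimum a comment at the assignment, `/* pwLen only lives for the key-gen call below; params->data is stale afterwards */`, would document the lifetime. The function body spans several hunks and is not fully shown.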


@@ -4220,47 +4220,20 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism,
{
SECItem *pbe_key = NULL, iv, pwitem;
CK_PBE_PARAMS *pbe_params = NULL;
CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL;
CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
*key_length = 0;
iv.data = NULL;
iv.len = 0;
if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter;
if (!pMechanism->pParameter) {
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
return CKR_MECHANISM_PARAM_INVALID;
}
#ifdef NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY
if (pMechanism->ulParameterLen < sizeof(CK_PKCS5_PBKD2_PARAMS2)) {
return CKR_MECHANISM_PARAM_INVALID;
}
pwitem.len = pbkd2_params->ulPasswordLen;
#else
int v2;
if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS),
sizeof(CK_PKCS5_PBKD2_PARAMS2))) {
return CKR_MECHANISM_PARAM_INVALID;
}
if (sizeof(CK_PKCS5_PBKD2_PARAMS2) != sizeof(CK_PKCS5_PBKD2_PARAMS)) {
if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS)) {
v2 = 0;
} else if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS2)) {
v2 = 1;
} else {
return CKR_MECHANISM_PARAM_INVALID;
}
} else {
/* it's unlikely that the password will be longer than 2048 bytes, if so it is
* most likely a pointer => CK_PKCS5_PBKD2_PARAMS */
v2 = pbkd2_params->ulPasswordLen <= CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN;
}
pwitem.len = v2 ? pbkd2_params->ulPasswordLen : *((CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter)->ulPasswordLen;
#endif
pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
pwitem.data = (unsigned char *)pbkd2_params->pPassword;
/* was this a typo in the PKCS #11 spec? */
pwitem.len = *pbkd2_params->ulPasswordLen;
} else {
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) {
return CKR_MECHANISM_PARAM_INVALID;
@@ -4649,7 +4622,7 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
CK_PBE_PARAMS *pbe_params = NULL;
NSSPKCS5PBEParameter *params = NULL;
HASH_HashType hashType = HASH_AlgSHA1;
CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL;
CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL;
SECItem salt;
CK_ULONG iteration = 0;
@@ -4661,11 +4634,10 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
}
if (pMechanism->mechanism == CKM_PKCS5_PBKD2) {
if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2),
sizeof(CK_PKCS5_PBKD2_PARAMS))) {
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) {
return CKR_MECHANISM_PARAM_INVALID;
}
pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter;
pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter;
switch (pbkd2_params->prf) {
case CKP_PKCS5_PBKD2_HMAC_SHA1:
hashType = HASH_AlgSHA1;
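Review bot: In nsc_pbe_key_gen the restored `pwitem.len = *pbkd2_params->ulPasswordLen;` dereferences a pointer taken from the caller's mechanism parameter without a NULL check. `BAD_PARAM_CAST` is not defined on this page; judging by its arguments it presumably validates only `pParameter` and `ulParameterLen`, not pointers stored inside the structure. A guard before the dereference, `if (!pbkd2_params->ulPasswordLen) return CKR_MECHANISM_PARAM_INVALID;`, turns a malformed parameter block into an error return instead of a crash. Both functions in this section continue outside the shown hunks.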


@@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.111" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.110" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 111
#define SOFTOKEN_VMINOR 110
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */


@@ -12492,9 +12492,6 @@ ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, PK11SymKey *secret)
sid->sigScheme = ss->sec.signatureScheme;
sid->lastAccessTime = sid->creationTime = ssl_Time(ss);
sid->expirationTime = sid->creationTime + (ssl_ticket_lifetime * PR_USEC_PER_SEC);
if (sid->localCert) {
CERT_DestroyCertificate(sid->localCert);
}
sid->localCert = CERT_DupCertificate(ss->sec.localCert);
if (ss->sec.isServer) {
sid->namedCurve = ss->sec.serverCert->namedCurve;


@@ -313,13 +313,6 @@ ssl_DupSocket(sslSocket *os)
ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled;
PORT_Memcpy(ss->ssl3.supportedCertCompressionAlgorithms,
os->ssl3.supportedCertCompressionAlgorithms,
sizeof(ss->ssl3.supportedCertCompressionAlgorithms[0]) *
os->ssl3.supportedCertCompressionAlgorithmsCount);
ss->ssl3.supportedCertCompressionAlgorithmsCount =
os->ssl3.supportedCertCompressionAlgorithmsCount;
if (ss->opt.useSecurity) {
PRCList *cursor;


@@ -2369,7 +2369,6 @@ tls13_HandleClientHelloPart2(sslSocket *ss,
}
tls13_RestoreCipherInfo(ss, sid);
PORT_Assert(!ss->sec.localCert);
ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert);
if (sid->peerCert != NULL) {
ss->sec.peerCert = CERT_DupCertificate(sid->peerCert);


@@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.111 Beta"
#define NSSUTIL_VERSION "3.110"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 111
#define NSSUTIL_VMINOR 110
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS


@@ -411,31 +411,90 @@ typedef struct CK_NSS_HKDFParams {
/*
* CK_NSS_IKE_PRF_PLUS_PARAMS is a structure that provides the parameters to
* the CKM_NSS_IKE_PRF_PLUS_DERIVE mechanism.
* It is now standardized, so The struct is just an alias for the standard
* struct in pkcs11t.h.
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bHasSeedKey hSeed key is present.
* hSeedKey optional seed from key
* pSeedData optional seed from data.
* ulSeedDataLen length of optional seed data.
* If no seed data is present this value is NULL.
*/
typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS;
typedef struct CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasSeedKey;
CK_OBJECT_HANDLE hSeedKey;
CK_BYTE_PTR pSeedData;
CK_ULONG ulSeedDataLen;
} CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS;
/* CK_NSS_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to
* the CKM_NSS_IKE_PRF_DERIVE mechanism.
* It is now standardized, so The struct is just an alias for the standard
* struct in pkcs11t.h.
* the CKM_NSS_IKE_PRF_DERIVE mechanism.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bRekey hNewKey is present.
* pNi Ni value
* ulNiLen length of Ni
* pNr Nr value
* ulNrLen length of Nr
* hNewKey New key value to drive the rekey.
*/
typedef struct CK_IKE_PRF_DERIVE_PARAMS CK_NSS_IKE_PRF_DERIVE_PARAMS;
typedef struct CK_NSS_IKE_PRF_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bDataAsKey;
CK_BBOOL bRekey;
CK_BYTE_PTR pNi;
CK_ULONG ulNiLen;
CK_BYTE_PTR pNr;
CK_ULONG ulNrLen;
CK_OBJECT_HANDLE hNewKey;
} CK_NSS_IKE_PRF_DERIVE_PARAMS;
/* CK_NSS_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters
* to the CKM_NSS_IKE_PRF_DERIVE mechanism.
* It is now standardized, so The struct is just an alias for the standard
* struct in pkcs11t.h.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bRekey hNewKey is present.
* pCKYi CKYi value
* ulCKYiLen length of CKYi
* pCKYr CKYr value
* ulCKYrLen length of CKYr
* hNewKey New key value to drive the rekey.
*/
typedef struct CK_IKE1_PRF_DERIVE_PARAMS CK_NSS_IKE1_PRF_DERIVE_PARAMS;
typedef struct CK_NSS_IKE1_PRF_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasPrevKey;
CK_OBJECT_HANDLE hKeygxy;
CK_OBJECT_HANDLE hPrevKey;
CK_BYTE_PTR pCKYi;
CK_ULONG ulCKYiLen;
CK_BYTE_PTR pCKYr;
CK_ULONG ulCKYrLen;
CK_BYTE keyNumber;
} CK_NSS_IKE1_PRF_DERIVE_PARAMS;
/* CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS is a structure that provides the
* parameters to the CKM_NSS_IKE_APP_B_PRF_DERIVE mechanism.
* It is now standardized, so The struct is just an alias for the standard
* struct in pkcs11t.h.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bHasKeygxy hKeygxy exists
* hKeygxy optional key to hash in the prf
* pExtraData optional extra data to hash in the prf
* ulExtraData length of the optional extra data.
*
* CK_NSS_IKE_APP_B_PRF_DERIVE can take wither CK_NSS_IKE1_APP_B_PRF_DRIVE_PARAMS
* or a single CK_MECHANISM_TYPE. In the latter cases bHashKeygx is assumed to
* be false and ulExtraDataLen is assumed to be '0'.
*/
typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS;
typedef struct CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasKeygxy;
CK_OBJECT_HANDLE hKeygxy;
CK_BYTE_PTR pExtraData;
CK_ULONG ulExtraDataLen;
} CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS;
/*
* Parameter for the TLS extended master secret key derivation mechanisms:
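Review bot: The field lists in the restored comments of this section do not match the struct definitions that follow them. The CK_NSS_IKE1_PRF_DERIVE_PARAMS comment documents `bRekey` and `hNewKey`, which that struct does not have, and omits `bHasPrevKey`, `hKeygxy`, `hPrevKey` and `keyNumber`; the CK_NSS_IKE_PRF_DERIVE_PARAMS comment omits `bDataAsKey`. The CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS comment names `ulExtraData` and `bHashKeygx` where the struct has `ulExtraDataLen` and `bHasKeygxy`. In the CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS comment, `ulSeedDataLen` is a CK_ULONG, so "this value is NULL" presumably means `If no seed data is present this value is 0.` Since callers fill these structs by hand, the comments should list exactly the members declared.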


@@ -35,7 +35,7 @@
#endif
#define CRYPTOKI_VERSION_MAJOR 3
#define CRYPTOKI_VERSION_MINOR 1
#define CRYPTOKI_VERSION_MINOR 0
#define CRYPTOKI_VERSION_AMENDMENT 0
/* an unsigned 8-bit value */
@@ -93,6 +93,7 @@ typedef struct CK_INFO {
CK_VERSION cryptokiVersion; /* PKCS #11 interface ver */
CK_UTF8CHAR manufacturerID[32]; /* blank padded */
CK_FLAGS flags; /* must be zero */
/* libraryDescription and libraryVersion are new for v2.0 */
CK_UTF8CHAR libraryDescription[32]; /* blank padded */
CK_VERSION libraryVersion; /* version of library */
@@ -106,7 +107,6 @@ typedef CK_INFO CK_PTR CK_INFO_PTR;
* for v2.0 */
typedef CK_ULONG CK_NOTIFICATION;
#define CKN_SURRENDER 0
#define CKN_OTP_CHANGED 1
typedef CK_ULONG CK_SLOT_ID;
@@ -330,7 +330,6 @@ typedef CK_ULONG CK_OBJECT_CLASS;
#define CKO_HW_FEATURE 0x00000005UL
#define CKO_DOMAIN_PARAMETERS 0x00000006UL
#define CKO_MECHANISM 0x00000007UL
#define CKO_OTP_KEY 0x00000008UL
#define CKO_PROFILE 0x00000009UL
#define CKO_VENDOR_DEFINED 0x80000000UL
@@ -339,7 +338,6 @@ typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
/* CK_PROFILE_ID is new for v3.00. CK_PROFILE_ID is a value that
* identifies the profile that the token supports. */
typedef CK_ULONG CK_PROFILE_ID;
typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR;
/* Profile ID's */
#define CKP_INVALID_ID 0x00000000UL
@@ -347,9 +345,6 @@ typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR;
#define CKP_EXTENDED_PROVIDER 0x00000002UL
#define CKP_AUTHENTICATION_TOKEN 0x00000003UL
#define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL
#define CKP_COMPLETE_PROVIDER 0x00000005UL
#define CKP_HKDF_TLS_TOKEN 0x00000006UL
#define CKP_VENDOR_DEFINED 0x80000000UL
/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
@@ -405,11 +400,6 @@ typedef CK_ULONG CK_KEY_TYPE;
#define CKK_BLOWFISH 0x00000020UL
#define CKK_TWOFISH 0x00000021UL
/* New for v3.1 */
#define CKK_SECURID 0x00000022UL
#define CKK_ACTI 0x00000024UL
#define CKK_HOTP 0x00000023UL
/* Camellia is proposed for v2.20 Amendment 3 */
#define CKK_CAMELLIA 0x00000025UL
@@ -452,9 +442,6 @@ typedef CK_ULONG CK_KEY_TYPE;
#define CKK_SHA512_256_HMAC 0x00000044UL
#define CKK_SHA512_T_HMAC 0x00000045UL
/* New for v3.1 */
#define CKK_HSS 0x00000046UL
#define CKK_VENDOR_DEFINED 0x80000000UL
/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
@@ -679,16 +666,6 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
#define CKA_X2RATCHET_PNS 0x00000611UL
#define CKA_X2RATCHET_RK 0x00000612UL
/* new for v3.1 */
#define CKA_HSS_KEYS_REMAINING 0x0000061cUL
#define CKA_HSS_LEVELS 0x00000617UL
#define CKA_HSS_LMOTS_TYPE 0x00000619UL
#define CKA_HSS_LMOTS_TYPES 0x0000061bUL
#define CKA_HSS_LMS_TYPE 0x00000618UL
#define CKA_HSS_LMS_TYPES 0x0000061aUL
#define CKA_NAME_HASH_ALGORITHM 0x0000008cUL
#define CKA_UNIQUE_ID 0x00000004UL
#define CKA_VENDOR_DEFINED 0x80000000UL
/* CK_ATTRIBUTE is a structure that includes the type, length
@@ -696,6 +673,7 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN;
typedef struct CK_ATTRIBUTE {
CK_ATTRIBUTE_TYPE type;
CK_VOID_PTR pValue;
/* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
CK_ULONG ulValueLen; /* in bytes */
} CK_ATTRIBUTE;
@@ -1140,7 +1118,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_CAMELLIA_CBC_PAD 0x00000555UL
#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL
#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL
#define CKM_CAMELLIA_CTR 0x00000558UL
/* new for v2.40 */
#define CKM_ARIA_KEY_GEN 0x00000560UL
@@ -1161,9 +1138,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL
#define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL
/* new for v3.1 */
#define CKM_KEA_DERIVE 0x00001012UL
/* new for v2.40 */
#define CKM_ECDSA_SHA3_224 0x00001047UL
#define CKM_ECDSA_SHA3_256 0x00001048UL
@@ -1173,11 +1147,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_EC_MONTGOMERY_KEY_PAIR_GEN 0x00001056UL
#define CKM_EDDSA 0x00001057UL
/* new for v3.1 */
#define CKM_AES_XTS 0x00001071UL
#define CKM_AES_XTS_KEY_GEN 0x00001072UL
#define CKM_AES_GMAC 0x0000108eUL
/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL
#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL
@@ -1205,50 +1174,24 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_POLY1305_KEY_GEN 0x00001227UL
#define CKM_POLY1305 0x00001228UL
/* new for v3.1 */
#define CKM_DES3_CMAC 0x00000138UL
#define CKM_DES3_CMAC_GENERAL 0x00000137UL
#define CKM_DSA_PARAMETER_GEN 0x00002000UL
#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL
#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL
/* new for v2.40 */
#define CKM_DSA_PROBABILISTIC_PARAMETER_GEN 0x00002003UL
#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL
#define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL
#define CKM_DSA_FIPS_G_GEN 0x00002005UL
/* new for v3.1 */
#define CKM_AES_OFB 0x00002104UL
#define CKM_AES_CFB64 0x00002105UL
#define CKM_AES_CFB8 0x00002106UL
#define CKM_AES_CFB128 0x00002107UL
#define CKM_AES_KEY_WRAP_PKCS7 0x0000210cUL
/* new for v2.40 */
#define CKM_AES_CFB1 0x00002108UL
#define CKM_AES_KEY_WRAP 0x00002109UL
#define CKM_AES_KEY_WRAP_PAD 0x0000210AUL
#define CKM_AES_KEY_WRAP_KWP 0x0000210BUL
/* new for v3.1 */
#define CKM_SHA3_256_KEY_DERIVE 0x00000397UL
#define CKM_SHA3_224_KEY_DERIVE 0x00000398UL
#define CKM_SHA3_384_KEY_DERIVE 0x00000399UL
#define CKM_SHA3_512_KEY_DERIVE 0x0000039aUL
#define CKM_SHAKE_128_KEY_DERIVE 0x0000039bUL
#define CKM_SHAKE_256_KEY_DERIVE 0x0000039cUL
/* CKM_SP800_108_xxx_KDF are new for v3.0 */
#define CKM_SP800_108_COUNTER_KDF 0x000003acUL
#define CKM_SP800_108_FEEDBACK_KDF 0x000003adUL
#define CKM_SP800_108_DOUBLE_PIPELINE_KDF 0x000003aeUL
/* new for v3.1 */
#define CKM_TLS10_MAC_SERVER 0x000003d6UL
#define CKM_TLS10_MAC_CLIENT 0x000003d7UL
/* new for v2.4 */
#define CKM_RSA_PKCS_TPM_1_1 0x00004001UL
#define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL
@@ -1298,14 +1241,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE;
#define CKM_HKDF_KEY_GEN 0x0000402cUL
#define CKM_SALSA20_KEY_GEN 0x0000402dUL
/* new for v3.1 */
#define CKM_HSS 0x00004033UL
#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL
#define CKM_IKE1_EXTENDED_DERIVE 0x00004031UL
#define CKM_IKE1_PRF_DERIVE 0x00004030UL
#define CKM_IKE2_PRF_PLUS_DERIVE 0x0000402eUL
#define CKM_IKE_PRF_DERIVE 0x0000402fUL
#define CKM_VENDOR_DEFINED 0x80000000UL
typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
@@ -1374,7 +1309,6 @@ typedef struct CK_MECHANISM_INFO {
#define CKF_EC_NAMEDCURVE CKF_EC_OID /* renamed in v3.0 */
#define CKF_EC_UNCOMPRESS 0x01000000UL
#define CKF_EC_COMPRESS 0x02000000UL
#define CKF_EC_CURVENAME 0x04000000UL
#define CKF_EXTENSION 0x80000000UL /* FALSE for this version */
@@ -1418,7 +1352,6 @@ typedef CK_ULONG CK_RV;
#define CKR_DEVICE_REMOVED 0x00000032UL
#define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL
#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL
#define CKR_AEAD_DECRYPT_FAILED 0x00000042UL
#define CKR_FUNCTION_CANCELED 0x00000050UL
#define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL
@@ -1487,8 +1420,6 @@ typedef CK_ULONG CK_RV;
#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL
#define CKR_USER_TYPE_INVALID 0x00000103UL
#define CKR_KEY_EXHAUSTED 0x00000203UL
/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
* are new to v2.01 */
#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL
@@ -1696,7 +1627,6 @@ typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
/* CK_EC_KDF_TYPE is new for v2.11. */
typedef CK_ULONG CK_EC_KDF_TYPE;
typedef CK_EC_KDF_TYPE CK_PTR CK_EC_KDF_TYPE_PTR;
/* The following EC Key Derivation Functions are defined */
#define CKD_NULL 0x00000001UL
@@ -2003,7 +1933,7 @@ typedef struct CK_GCM_MESSAGE_PARAMS {
CK_ULONG ulTagBits;
} CK_GCM_MESSAGE_PARAMS;
typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR;
typedef CK_GCM_MESSAGE_PARAMS CK_GCM_MESSAGE_PARAMS_PTR;
typedef struct CK_CCM_MESSAGE_PARAMS {
CK_ULONG ulDataLen; /*plaintext or ciphertext*/
@@ -2015,7 +1945,7 @@ typedef struct CK_CCM_MESSAGE_PARAMS {
CK_ULONG ulMACLen;
} CK_CCM_MESSAGE_PARAMS;
typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR;
typedef CK_CCM_MESSAGE_PARAMS CK_CCM_MESSAGE_PARAMS_PTR;
/* SALSA20/CHACHA20 doe not define IV generators */
typedef struct CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS {
@@ -2045,7 +1975,7 @@ typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR
CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;
CK_SKIPJACK_PRIVATE_WRAP_PTR;
/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
* CKM_SKIPJACK_RELAYX mechanism */
@@ -2225,8 +2155,6 @@ typedef struct CK_TLS_KDF_PARAMS {
CK_ULONG ulContextDataLength;
} CK_TLS_KDF_PARAMS;
typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR;
typedef struct CK_TLS_MAC_PARAMS {
CK_MECHANISM_TYPE prfHashMechanism;
CK_ULONG ulMacLength;
@@ -2253,101 +2181,6 @@ typedef CK_HKDF_PARAMS CK_PTR CK_HKDF_PARAMS_PTR;
#define CKF_HKDF_SALT_DATA 0x00000002UL
#define CKF_HKDF_SALT_KEY 0x00000004UL
/* IKE is new for v3.1 */
/*
* CK_IKE2_PRF_PLUS_PARAMS is a structure that provides the parameters to
* the CKM_IKE2_PRF_PLUS_DERIVE mechanism.
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bHasSeedKey hSeed key is present.
* hSeedKey optional seed from key
* pSeedData optional seed from data.
* ulSeedDataLen length of optional seed data.
* If no seed data is present this value is NULL.
*/
typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasSeedKey;
CK_OBJECT_HANDLE hSeedKey;
CK_BYTE_PTR pSeedData;
CK_ULONG ulSeedDataLen;
} CK_IKE2_PRF_PLUS_DERIVE_PARAMS;
typedef CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_PTR CK_IKE2_PRF_PLUS_DERIVE_PARAMS_PTR;
/* CK_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to
* the CKM_IKE_PRF_DERIVE mechanism.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bRekey hNewKey is present.
* pNi Ni value
* ulNiLen length of Ni
* pNr Nr value
* ulNrLen length of Nr
* hNewKey New key value to drive the rekey.
*/
typedef struct CK_IKE_PRF_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bDataAsKey;
CK_BBOOL bRekey;
CK_BYTE_PTR pNi;
CK_ULONG ulNiLen;
CK_BYTE_PTR pNr;
CK_ULONG ulNrLen;
CK_OBJECT_HANDLE hNewKey;
} CK_IKE_PRF_DERIVE_PARAMS;
typedef CK_IKE_PRF_DERIVE_PARAMS CK_PTR CK_IKE_PRF_DERIVE_PARAMS_PTR;
/* CK_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters
* to the CKM_IKE1_PRF_DERIVE mechanism.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bHasPrevKey there is a previous key to use
* hKeygxy key to hash in the prf (usually a dhkey of sorts)
* hPrevKey the previous ike1 key
* pCKYi CKYi value
* ulCKYiLen length of CKYi
* pCKYr CKYr value
* ulCKYrLen length of CKYr
* hNewKey New key value to drive the rekey.
*/
typedef struct CK_IKE1_PRF_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasPrevKey;
CK_OBJECT_HANDLE hKeygxy;
CK_OBJECT_HANDLE hPrevKey;
CK_BYTE_PTR pCKYi;
CK_ULONG ulCKYiLen;
CK_BYTE_PTR pCKYr;
CK_ULONG ulCKYrLen;
CK_BYTE keyNumber;
} CK_IKE1_PRF_DERIVE_PARAMS;
typedef CK_IKE1_PRF_DERIVE_PARAMS CK_PTR CK_IKE1_PRF_DERIVE_PARAMS_PTR;
/* CK_IKE1_EXTENDED_DERIVE_PARAMS is a structure that provides the
* parameters to the CKM_IKE1_EXTENDED_DERIVE mechanism.
*
* The fields of the structure have the following meanings:
* prfMechanism underlying MAC mechanism used to generate the prf.
* bHasKeygxy hKeygxy exists
* hKeygxy optional key to hash in the prf
* pExtraData optional extra data to hash in the prf
* ulExtraData length of the optional extra data.
*/
typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS {
CK_MECHANISM_TYPE prfMechanism;
CK_BBOOL bHasKeygxy;
CK_OBJECT_HANDLE hKeygxy;
CK_BYTE_PTR pExtraData;
CK_ULONG ulExtraDataLen;
} CK_IKE1_EXTENDED_DERIVE_PARAMS;
typedef CK_IKE1_EXTENDED_DERIVE_PARAMS CK_PTR CK_IKE1_EXTENDED_DERIVE_PARAMS_PTR;
/* WTLS is new for version 2.20 */
typedef struct CK_WTLS_RANDOM_DATA {
CK_BYTE_PTR pClientRandom;
@@ -2580,13 +2413,6 @@ typedef struct CK_PKCS5_PBKD2_PARAMS2 {
typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR;
/* The following value is used to determines if a parameter is of type PARAMS or PARAMS2
* based on the value of ulPasswordLen. If ulPasswordLen is greater that the value below,
* it is most likely a memory address i.e. a pointer (PARAMS). Otherwise, it is considered
* a length value (PARAMS2). This is ignored if NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY is defined.
*/
#define CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN 8192
/* OTP is new in v2.40 */
typedef CK_ULONG CK_OTP_PARAM_TYPE;
#define CK_OTP_VALUE 0UL
@@ -2692,7 +2518,6 @@ typedef struct CK_EDDSA_PARAMS {
CK_BYTE_PTR pContextData;
} CK_EDDSA_PARAMS;
typedef CK_ULONG CK_XEDDSA_HASH_TYPE;
typedef CK_EDDSA_PARAMS CK_PTR CK_EDDSA_PARAMS_PTR;
typedef CK_XEDDSA_HASH_TYPE CK_PTR CK_XEDDSA_HASH_TYPE_PTR;
typedef struct CK_XEDDSA_PARAMS {