diff --git a/security/nss/automation/abi-check/expected-report-libnss3.so.txt b/security/nss/automation/abi-check/expected-report-libnss3.so.txt index e69de29bb2d1..97b1735cca0e 100644 --- a/security/nss/automation/abi-check/expected-report-libnss3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnss3.so.txt @@ -0,0 +1,21 @@ + +3 Added functions: + + 'function const char* SECMOD_FlagsToPolicyString(PRUint32, PRBool)' {SECMOD_FlagsToPolicyString@@NSS_3.110} + 'function SECOidTag SECMOD_PolicyStringToOid(const char*, const char*)' {SECMOD_PolicyStringToOid@@NSS_3.110} + 'function PRUint32 SECMOD_PolicyStringToOpt(const char*)' {SECMOD_PolicyStringToOpt@@NSS_3.110} + +1 function with some indirect sub-type change: + + [C]'function SECStatus CERT_AddOCSPAcceptableResponses(CERTOCSPRequest*, SECOidTag, ...)' at ocsp.c:2202:1 has some indirect sub-type changes: + parameter 2 of type 'typedef SECOidTag' has sub-type changes: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 1 enumerator insertion: + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 + + + diff --git a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt index e69de29bb2d1..71a04c6da41c 100644 --- a/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libnssutil3.so.txt 
@@ -0,0 +1,15 @@ + +1 function with some indirect sub-type change: + + [C]'function SECOidTag HASH_GetHMACOidTagByHashOidTag_Util(SECOidTag)' at nsshash.c:149:1 has some indirect sub-type changes: + return type changed: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 1 enumerator insertion: + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 + + + diff --git a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt index e69de29bb2d1..037524482d5a 100644 --- a/security/nss/automation/abi-check/expected-report-libsmime3.so.txt +++ b/security/nss/automation/abi-check/expected-report-libsmime3.so.txt 
@@ -0,0 +1,45 @@ + +1 function with some indirect sub-type change: + + [C]'function PK11SymKey* NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo*)' at cmscinfo.c:426:1 has some indirect sub-type changes: + parameter 1 of type 'NSSCMSContentInfo*' has sub-type changes: + in pointed to type 'typedef NSSCMSContentInfo' at cmst.h:54:1: + underlying type 'struct NSSCMSContentInfoStr' at cmst.h:126:1 changed: + type size hasn't changed + 1 data member changes (2 filtered): + type of 'NSSCMSContent NSSCMSContentInfoStr::content' changed: + underlying type 'union NSSCMSContentUnion' at cmst.h:113:1 changed: + type size hasn't changed + 1 data member changes (3 filtered): + type of 'NSSCMSEncryptedData* NSSCMSContentUnion::encryptedData' changed: + in pointed to type 'typedef NSSCMSEncryptedData' at cmst.h:65:1: + underlying type 'struct NSSCMSEncryptedDataStr' at cmst.h:470:1 changed: + type size hasn't changed + 1 data member changes (1 filtered): + type of 'NSSCMSAttribute** NSSCMSEncryptedDataStr::unprotectedAttr' changed: + in pointed to type 'NSSCMSAttribute*': + in pointed to type 'typedef NSSCMSAttribute' at cmst.h:69:1: + underlying type 'struct NSSCMSAttributeStr' at cmst.h:489:1 changed: + type size hasn't changed + 1 data member change: + type of 'SECOidData* NSSCMSAttributeStr::typeTag' changed: + in pointed to type 'typedef SECOidData' at secoidt.h:16:1: + underlying type 'struct SECOidDataStr' at secoidt.h:553:1 changed: + type size hasn't changed + 1 data member change: + type of 'SECOidTag SECOidDataStr::offset' changed: + underlying type 'enum __anonymous_enum__' at secoidt.h:34:1 changed: + type size hasn't changed + 1 enumerator insertion: + '__anonymous_enum__::SEC_OID_TLS_REQUIRE_EMS' value '390' + + 1 enumerator change: + '__anonymous_enum__::SEC_OID_TOTAL' from value '390' to '391' at secoidt.h:34:1 + + + + + + + + 
diff --git a/security/nss/automation/abi-check/previous-nss-release b/security/nss/automation/abi-check/previous-nss-release index 9829a3d1aefa..c2e70582a20a 100644 --- a/security/nss/automation/abi-check/previous-nss-release +++ b/security/nss/automation/abi-check/previous-nss-release @@ -1 +1 @@ -NSS_3_110_BRANCH +NSS_3_109_BRANCH diff --git a/security/nss/automation/taskcluster/scripts/cryptofuzz.sh b/security/nss/automation/taskcluster/scripts/cryptofuzz.sh index 92c8fefe0f1b..e6f9c9d068e5 100755 --- a/security/nss/automation/taskcluster/scripts/cryptofuzz.sh +++ b/security/nss/automation/taskcluster/scripts/cryptofuzz.sh @@ -29,7 +29,7 @@ popd # Run Cryptofuzz. # Decrease the default ASAN quarantine size of 256 MB as we tend to run # out of memory on 32-bit. -ASAN_OPTIONS="quarantine_size_mb=64" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@" +ASAN_OPTIONS="quarantine_size_mb=128" ./cryptofuzz/cryptofuzz -dict="cryptofuzz-dict.txt" --force-module=nss "nss/fuzz/corpus/cryptofuzz" "$@" # Alert if version is older than half a year. cryptofuzz_timestamp=$(git -C cryptofuzz show -s --format=%ct $CRYPTOFUZZ_VERSION) diff --git a/security/nss/cmd/dbtool/dbtool.c b/security/nss/cmd/dbtool/dbtool.c index 0abb0452df09..cf09665c0673 100644 --- a/security/nss/cmd/dbtool/dbtool.c +++ b/security/nss/cmd/dbtool/dbtool.c @@ -309,7 +309,7 @@ makeNSSVendorName(CK_ATTRIBUTE_TYPE attribute, const char *nameType) static char nss_name[256]; const char *name = NULL; if ((attribute >= CKA_NSS) && (attribute < 0xffffffffUL)) { - snprintf(nss_name, sizeof(nss_name), "%s+%d", nameType, (int)(attribute - CKA_NSS)); + sprintf(nss_name, "%s+%d", nameType, (int)(attribute - CKA_NSS)); name = nss_name; } return name; 
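Review bot: The new side of the `makeNSSVendorName` hunk writes into the 256-byte static `nss_name` with `sprintf`, so the only thing keeping the write in bounds is the length of `nameType`, which this function does not check. Keeping the bounded call, `snprintf(nss_name, sizeof(nss_name), "%s+%d", nameType, (int)(attribute - CKA_NSS));`, costs nothing. The same replacement appears in the two `dumpSignature` hunks (`sprintf(id, META_SIG_TEMPLATE, ...)`) and in the `secu_ConfigDirectory` hunk, where `%.900s` caps `home` but `dir` is appended with a plain `%s` and the size of `buf` is not visible here. If the unbounded calls have to stay, a comment next to each one stating the largest possible argument length against the buffer size would let a reader check them. The enclosing functions start or end outside these hunks.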
@@ -546,7 +546,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey, if (!force && !isAuthenticatedAttribute(attribute)) { return; } - snprintf(id, sizeof(id), META_SIG_TEMPLATE, + sprintf(id, META_SIG_TEMPLATE, isKey ? "key" : "cert", (unsigned int)objectID, (unsigned int)attribute); printf(" Signature %s:", id); @@ -555,7 +555,7 @@ dumpSignature(CK_ATTRIBUTE_TYPE attribute, SDB *keydb, PRBool isKey, crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); if ((crv != CKR_OK) && isKey) { - snprintf(id, sizeof(id), META_SIG_TEMPLATE, + sprintf(id, META_SIG_TEMPLATE, isKey ? "key" : "cert", (unsigned int)(objectID | SFTK_KEYDB_TYPE | SFTK_TOKEN_TYPE), (unsigned int)attribute); crv = (*keydb->sdb_GetMetaData)(keydb, id, &signText, NULL); @@ -730,11 +730,11 @@ secu_ConfigDirectory(const char *base) home = ""; if (*home && home[strlen(home) - 1] == '/') - snprintf(buf, sizeof(buf), "%.900s%s", home, dir); + sprintf(buf, "%.900s%s", home, dir); else - snprintf(buf, sizeof(buf), "%.900s/%s", home, dir); + sprintf(buf, "%.900s/%s", home, dir); } else { - snprintf(buf, sizeof(buf), "%.900s", base); + sprintf(buf, "%.900s", base); if (buf[strlen(buf) - 1] == '/') buf[strlen(buf) - 1] = 0; } diff --git a/security/nss/cmd/selfserv/Makefile b/security/nss/cmd/selfserv/Makefile index b7d72ca671c4..7b74b369c706 100644 --- a/security/nss/cmd/selfserv/Makefile +++ b/security/nss/cmd/selfserv/Makefile @@ -24,7 +24,6 @@ include $(CORE_DEPTH)/coreconf/config.mk # (4) Include "local" platform-dependent assignments (OPTIONAL). # ####################################################################### include ../platlibs.mk -include $(CORE_DEPTH)/coreconf/zlib.mk ####################################################################### # (5) Execute "global" rules. (OPTIONAL) # diff --git a/security/nss/cmd/selfserv/selfserv.c b/security/nss/cmd/selfserv/selfserv.c index a938040998c4..ee1c4da2f9fd 100644 --- a/security/nss/cmd/selfserv/selfserv.c 
+++ b/security/nss/cmd/selfserv/selfserv.c @@ -43,7 +43,6 @@ #include "certt.h" #include "ocsp.h" #include "nssb64.h" -#include "zlib.h" #ifndef PORT_Strstr #define PORT_Strstr strstr @@ -168,7 +167,7 @@ PrintUsageHeader(const char *progName) " [ T ] [-A ca]\n" " [-C SSLCacheEntries] [-S dsa_nickname] [-Q]\n" " [-I groups] [-J signatureschemes] [-e ec_nickname]\n" - " -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk] -q\n" + " -U [0|1] -H [0|1|2] -W [0|1] [-z externalPsk]\n" "\n", progName); } @@ -254,8 +253,7 @@ PrintParameterUsage() " \"publicname:\". For example, \"publicname:example.com\". In this mode,\n" " an ephemeral ECH keypair is generated and ECHConfigs are printed to stdout.\n" " 2. As a Base64 tuple of || . In this mode, the\n" - " raw private key is used to bootstrap the HPKE context.\n" - "-q Enable zlib certificate compression\n", + " raw private key is used to bootstrap the HPKE context.\n", stderr); } @@ -823,7 +821,6 @@ PRBool NoReuse = PR_FALSE; PRBool hasSidCache = PR_FALSE; PRBool disableLocking = PR_FALSE; PRBool enableSessionTickets = PR_FALSE; -PRBool enableZlibCertificateCompression = PR_FALSE; PRBool failedToNegotiateName = PR_FALSE; PRBool enableExtendedMasterSecret = PR_FALSE; PRBool zeroRTT = PR_FALSE; 
@@ -2070,57 +2067,6 @@ configureEch(PRFileDesc *model_sock) return configureEchWithData(model_sock); } -static SECStatus -zlibCertificateDecode(const SECItem *input, - unsigned char *output, size_t outputLen, - size_t *usedLen) -{ - if (!input || !input->data || input->len == 0 || !output || outputLen == 0) { - PR_SetError(SEC_ERROR_INVALID_ARGS, 0); - return SECFailure; - } - - *usedLen = outputLen; - - int ret = uncompress(output, (unsigned long *)usedLen, input->data, input->len); - if (ret != Z_OK) { - PR_SetError(SEC_ERROR_BAD_DATA, 0); - return SECFailure; - } - - return SECSuccess; -} - -static SECStatus -zlibCertificateEncode(const SECItem *input, SECItem *output) -{ - if (!input || !input->data || input->len == 0 || !output) { - PR_SetError(SEC_ERROR_INVALID_ARGS, 0); - return SECFailure; - } - - unsigned long maxCompressedLen = compressBound(input->len); - SECITEM_AllocItem(NULL, output, maxCompressedLen); - - int ret = compress(output->data, (unsigned long *)&output->len, input->data, input->len); - if (ret != Z_OK) { - PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); - return SECFailure; - } - - return SECSuccess; -} - -static SECStatus -configureZlibCompression(PRFileDesc *model_sock) -{ - SSLCertificateCompressionAlgorithm zlibAlg = { 1, "zlib", - zlibCertificateEncode, - zlibCertificateDecode }; - - return SSL_SetCertificateCompressionAlgorithm(model_sock, zlibAlg); -} - void server_main( PRFileDesc *listen_sock, @@ -2177,13 +2123,6 @@ server_main( } } - if (enableZlibCertificateCompression) { - rv = configureZlibCompression(model_sock); - if (rv != SECSuccess) { - errExit("error enabling Zlib Certificate Compression"); - } - } - if (virtServerNameIndex > 1) { rv = SSL_SNISocketConfigHook(model_sock, mySSLSNISocketConfig, (void *)&virtServerNameArray); 
@@ -2594,7 +2533,7 @@ main(int argc, char **argv) ** XXX: 'B', and 'q' were used in the past but removed ** in 3.28, please leave some time before resuing those. */ optstate = PL_CreateOptState(argc, argv, - "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:qrst:uvw:x:yz:"); + "2:A:C:DEGH:I:J:L:M:NP:QRS:T:U:V:W:X:YZa:bc:d:e:f:g:hi:jk:lmn:op:rst:uvw:x:yz:"); while ((status = PL_GetNextOpt(optstate)) == PL_OPT_OK) { ++optionsFound; switch (optstate->option) { @@ -2779,10 +2718,6 @@ main(int argc, char **argv) port = PORT_Atoi(optstate->value); break; - case 'q': - enableZlibCertificateCompression = PR_TRUE; - break; - case 'r': ++requestCert; break; diff --git a/security/nss/cmd/selfserv/selfserv.gyp b/security/nss/cmd/selfserv/selfserv.gyp index 47e8f90c68a6..783be845ef8d 100644 --- a/security/nss/cmd/selfserv/selfserv.gyp +++ b/security/nss/cmd/selfserv/selfserv.gyp @@ -15,8 +15,7 @@ ], 'dependencies': [ '<(DEPTH)/exports.gyp:dbm_exports', - '<(DEPTH)/exports.gyp:nss_exports', - '<(DEPTH)/lib/zlib/zlib.gyp:nss_zlib' + '<(DEPTH)/exports.gyp:nss_exports' ] } ], @@ -28,4 +27,4 @@ 'variables': { 'module': 'nss' } -} +} \ No newline at end of file diff --git a/security/nss/coreconf/config.mk b/security/nss/coreconf/config.mk index 9c641e88aba9..4d57462459de 100644 --- a/security/nss/coreconf/config.mk +++ b/security/nss/coreconf/config.mk 
@@ -259,22 +259,3 @@ DEFINES += -DNO_NSPR_10_SUPPORT # Hide old, deprecated, TLS cipher suite names when building NSS DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES - - -# By default the PKCS5_PBKD2_PARAMS(structure) version is determined based on the -# cryptokiVersion of the token, PKCS5_PBKD2_PARAMS2 structure is used for version -# 2.40 or later, PKCS5_PBKD2_PARAMS structure is used otherwise. -# This define allows to force the use of PKCS5_PBKD2_PARAMS2 structure only. -ifeq ($(SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY),1) - DEFINES += -DSOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY -endif - -# By default the PKCS5_PBKD2_PARAMS(structure) version is auto-detected based on -# the difference between the two structures, in this case the password length is -# limited to 8192 bytes. -# Using this define, only PKCS5_PBKD2_PARAMS2 structure is expected, this can cause -# segmentation fault if PKCS5_PBKD2_PARAMS structure is provided!). -# Additional the password length is not limited with this option. -ifeq ($(NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY),1) - DEFINES += -DNSS_USE_PKCS5_PBKD2_PARAMS2_ONLY -endif diff --git a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc index 22f5ce190be6..660bd7568c40 100644 --- a/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc +++ b/security/nss/gtests/ssl_gtest/ssl_auth_unittest.cc 
@@ -324,26 +324,6 @@ TEST_P(TlsConnectClientAuth, ClientAuth) { client_->CheckClientAuthCompleted(); } -TEST_F(TlsConnectStreamTls13, ClientAuthWithMultipleTickets) { - client_->SetupClientAuth(); - server_->RequestClientAuth(true); - - ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3); - ConfigureSessionCache(RESUME_BOTH, RESUME_BOTH); - - auto cb = [](PRFileDesc* fd, const PRUint8* ticket, unsigned int ticket_len, - void* arg) -> SECStatus { return SECSuccess; }; - EXPECT_EQ(SECSuccess, - SSL_SetResumptionTokenCallback(client_->ssl_fd(), cb, nullptr)); - - Connect(); - SendReceive(50); - CheckKeys(); - // An automatic ticket has already been sent. This sends another one. - EXPECT_EQ(SECSuccess, SSL_SendSessionTicket(server_->ssl_fd(), nullptr, 0)); - SendReceive(100); -} - // All stream only tests; PostHandshakeAuth isn't supported for DTLS. TEST_P(TlsConnectClientAuthStream13, PostHandshakeAuth) { diff --git a/security/nss/lib/ckfw/builtins/certdata.txt b/security/nss/lib/ckfw/builtins/certdata.txt index 82fca6c76180..1ed5a248b57a 100644 --- a/security/nss/lib/ckfw/builtins/certdata.txt +++ b/security/nss/lib/ckfw/builtins/certdata.txt @@ -200,7 +200,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\013\004\000\000\000\000\001\025\113\132\303\224 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -366,7 +366,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\070\143\336\370 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE 
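Review bot: The certdata.txt hunk at -200 changes `CKA_TRUST_SERVER_AUTH` from `CKT_NSS_MUST_VERIFY_TRUST` to `CKT_NSS_TRUSTED_DELEGATOR`, which makes that root a trust anchor for TLS server certificates again, and the hunk identifies the root only by its octal serial number. The hunks at -366, -500, -946 and -1452 make the same change, and the hunks at -1598 and -1745 also restore `CKA_TRUST_EMAIL_PROTECTION`. Nothing visible on this page says these trust bits are meant to come back, so each entry should be confirmed against the root-store decision that removed the trust before this lands. A `#` comment above each changed trust object naming the root and the reason for the change would make the intent checkable from the file itself.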
@@ -500,7 +500,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\004\002\000\000\271 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -946,7 +946,7 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\001 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -1452,7 +1452,7 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\020\120\224\154\354\030\352\325\234\115\325\227\357\165\217 \240\255 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -1598,8 +1598,8 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE @@ -1745,8 +1745,8 @@ END CKA_SERIAL_NUMBER MULTILINE_OCTAL \002\001\000 END -CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST -CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE 
diff --git a/security/nss/lib/ckfw/builtins/nssckbi.h b/security/nss/lib/ckfw/builtins/nssckbi.h index fdaf066a02c8..876c54811ea2 100644 --- a/security/nss/lib/ckfw/builtins/nssckbi.h +++ b/security/nss/lib/ckfw/builtins/nssckbi.h @@ -46,8 +46,8 @@ * It's recommend to switch back to 0 after having reached version 98/99. */ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2 -#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 76 -#define NSS_BUILTINS_LIBRARY_VERSION "2.76" +#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 74 +#define NSS_BUILTINS_LIBRARY_VERSION "2.74" /* These version numbers detail the semantic changes to the ckfw engine. */ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1 diff --git a/security/nss/lib/nss/nss.h b/security/nss/lib/nss/nss.h index 74dfd660cd4a..b3bccd46dea1 100644 --- a/security/nss/lib/nss/nss.h +++ b/security/nss/lib/nss/nss.h @@ -22,12 +22,12 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.111" _NSS_CUSTOMIZED " Beta" +#define NSS_VERSION "3.110" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 -#define NSS_VMINOR 111 +#define NSS_VMINOR 110 #define NSS_VPATCH 0 #define NSS_VBUILD 0 -#define NSS_BETA PR_TRUE +#define NSS_BETA PR_FALSE #ifndef RC_INVOKED diff --git a/security/nss/lib/pk11wrap/pk11pbe.c b/security/nss/lib/pk11wrap/pk11pbe.c index 0884546b1929..eb8538148118 100644 --- a/security/nss/lib/pk11wrap/pk11pbe.c +++ b/security/nss/lib/pk11wrap/pk11pbe.c 
@@ -940,15 +940,15 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech) * based on the algorithm. */ if (algorithm == SEC_OID_PKCS5_PBKDF2) { SECOidTag prfAlgTag; - CK_PKCS5_PBKD2_PARAMS2 *pbeV2_params = - (CK_PKCS5_PBKD2_PARAMS2 *)PORT_ZAlloc( - PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS)) + salt->len); + CK_PKCS5_PBKD2_PARAMS *pbeV2_params = + (CK_PKCS5_PBKD2_PARAMS *)PORT_ZAlloc( + sizeof(CK_PKCS5_PBKD2_PARAMS) + salt->len); if (pbeV2_params == NULL) { goto loser; } paramData = (unsigned char *)pbeV2_params; - paramLen = PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS)); + paramLen = sizeof(CK_PKCS5_PBKD2_PARAMS); /* set the prf */ prfAlgTag = SEC_OID_HMAC_SHA1; @@ -981,7 +981,7 @@ pbe_PK11AlgidToParam(SECAlgorithmID *algid, SECItem *mech) pbeV2_params->pPrfData = NULL; pbeV2_params->ulPrfDataLen = 0; pbeV2_params->saltSource = CKZ_SALT_SPECIFIED; - pSalt = ((CK_CHAR_PTR)pbeV2_params) + PR_MAX(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS)); + pSalt = ((CK_CHAR_PTR)pbeV2_params) + sizeof(CK_PKCS5_PBKD2_PARAMS); if (salt->data) { PORT_Memcpy(pSalt, salt->data, salt->len); } @@ -1420,12 +1420,7 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, SECItem *params, CK_KEY_TYPE keyType, int keyLen, SECItem *pwitem, void *wincx) { -#ifndef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY - SECItem _params = { 0, NULL, 0 }; - CK_PKCS5_PBKD2_PARAMS pbev2_1_params; CK_ULONG pwLen; -#endif - /* do some sanity checks */ if ((params == NULL) || (params->data == NULL)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); 
@@ -1439,39 +1434,15 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, /* set the password pointer in the parameters... */ if (type == CKM_PKCS5_PBKD2) { - CK_PKCS5_PBKD2_PARAMS2 *pbev2_params; - - if ((params->len < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2), sizeof(CK_PKCS5_PBKD2_PARAMS))) || - pwitem->len > CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN) { + CK_PKCS5_PBKD2_PARAMS *pbev2_params; + if (params->len < sizeof(CK_PKCS5_PBKD2_PARAMS)) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } - pbev2_params = (CK_PKCS5_PBKD2_PARAMS2 *)params->data; + pbev2_params = (CK_PKCS5_PBKD2_PARAMS *)params->data; pbev2_params->pPassword = pwitem->data; - -#ifdef SOFTOKEN_USE_PKCS5_PBKD2_PARAMS2_ONLY - pbev2_params->ulPasswordLen = pwitem->len; -#else - CK_VERSION cryptokiVersion = slot->module->cryptokiVersion; - if (cryptokiVersion.major < 2 || - (cryptokiVersion.major == 2 && cryptokiVersion.minor < 40)) { - /* CK_PKCS5_PBKD2_PARAMS */ - _params.type = params->type; - _params.data = (CK_CHAR_PTR)&pbev2_1_params; - _params.len = sizeof(CK_PKCS5_PBKD2_PARAMS); - params = &_params; - memcpy(&pbev2_1_params, pbev2_params, - PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2), - sizeof(CK_PKCS5_PBKD2_PARAMS))); - - pwLen = pwitem->len; - pbev2_1_params.ulPasswordLen = &pwLen; - } else { - /* CK_PKCS5_PBKD2_PARAMS2 */ - pbev2_params->ulPasswordLen = pwitem->len; - } -#endif - + pwLen = pwitem->len; + pbev2_params->ulPasswordLen = &pwLen; } else { CK_PBE_PARAMS *pbe_params; if (params->len < sizeof(CK_PBE_PARAMS)) { @@ -1484,7 +1455,8 @@ pk11_RawPBEKeyGenWithKeyType(PK11SlotInfo *slot, CK_MECHANISM_TYPE type, } /* generate the key (and sometimes the IV as a side effect...) */ - return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, keyLen, NULL, + return pk11_TokenKeyGenWithFlagsAndKeyType(slot, type, params, keyType, + keyLen, NULL, CKF_SIGN | CKF_ENCRYPT | CKF_DECRYPT | CKF_UNWRAP | CKF_WRAP, 0, wincx); } 
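Review bot: `pbev2_params->ulPasswordLen = &pwLen;` stores the address of a local variable in the caller's `params->data`, so once `pk11_RawPBEKeyGenWithKeyType` returns, the caller's parameter block still holds a pointer into a dead stack frame, next to `pPassword`. The pointer is valid for the `pk11_TokenKeyGenWithFlagsAndKeyType` call at the end of this function, but any later read of `ulPasswordLen` through the same `params` would be undefined. The smallest fix is a comment at the assignment, `/* ulPasswordLen points at a local; valid only for the key-gen call below */`; a stronger one is to keep the key-gen result in a variable and reset both `pPassword` and `ulPasswordLen` to NULL before returning. The new side also drops the upper bound on `pwitem->len` that the old check applied. `pwLen` is declared in the previous hunk and the function's return statement is in the next one.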
diff --git a/security/nss/lib/softoken/pkcs11c.c b/security/nss/lib/softoken/pkcs11c.c index 2b45ca5ff74e..7bcfe54515fe 100644 --- a/security/nss/lib/softoken/pkcs11c.c +++ b/security/nss/lib/softoken/pkcs11c.c 
@@ -4220,47 +4220,20 @@ nsc_pbe_key_gen(NSSPKCS5PBEParameter *pkcs5_pbe, CK_MECHANISM_PTR pMechanism, { SECItem *pbe_key = NULL, iv, pwitem; CK_PBE_PARAMS *pbe_params = NULL; - CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL; + CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL; *key_length = 0; iv.data = NULL; iv.len = 0; if (pMechanism->mechanism == CKM_PKCS5_PBKD2) { - pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter; - if (!pMechanism->pParameter) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) { return CKR_MECHANISM_PARAM_INVALID; } - -#ifdef NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY - if (pMechanism->ulParameterLen < sizeof(CK_PKCS5_PBKD2_PARAMS2)) { - return CKR_MECHANISM_PARAM_INVALID; - } - pwitem.len = pbkd2_params->ulPasswordLen; -#else - int v2; - if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS), - sizeof(CK_PKCS5_PBKD2_PARAMS2))) { - return CKR_MECHANISM_PARAM_INVALID; - } - - if (sizeof(CK_PKCS5_PBKD2_PARAMS2) != sizeof(CK_PKCS5_PBKD2_PARAMS)) { - if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS)) { - v2 = 0; - } else if (pMechanism->ulParameterLen == sizeof(CK_PKCS5_PBKD2_PARAMS2)) { - v2 = 1; - } else { - return CKR_MECHANISM_PARAM_INVALID; - } - } else { - /* it's unlikely that the password will be longer than 2048 bytes, if so it is - * most likely a pointer => CK_PKCS5_PBKD2_PARAMS */ - v2 = pbkd2_params->ulPasswordLen <= CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN; - } - pwitem.len = v2 ? pbkd2_params->ulPasswordLen : *((CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter)->ulPasswordLen; -#endif - + pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; pwitem.data = (unsigned char *)pbkd2_params->pPassword; + /* was this a typo in the PKCS #11 spec? */ + pwitem.len = *pbkd2_params->ulPasswordLen; } else { if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PBE_PARAMS))) { return CKR_MECHANISM_PARAM_INVALID; 
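Review bot: `pwitem.len = *pbkd2_params->ulPasswordLen;` dereferences a pointer taken from the caller's mechanism parameter without checking it, and `BAD_PARAM_CAST` (defined outside this hunk) is given only the mechanism and a size, so it presumably cannot vouch for a pointer stored inside the structure. A PKCS #11 caller that leaves `ulPasswordLen` NULL would crash the token at this line; `if (pbkd2_params->ulPasswordLen == NULL) return CKR_MECHANISM_PARAM_INVALID;` before the dereference avoids that. The existing comment `/* was this a typo in the PKCS #11 spec? */` would be more useful if it said that `ulPasswordLen` is a pointer to `CK_ULONG` in `CK_PKCS5_PBKD2_PARAMS`, which is why it is dereferenced. The body of `nsc_pbe_key_gen` continues outside the hunk.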
@@ -4649,7 +4622,7 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe, CK_PBE_PARAMS *pbe_params = NULL; NSSPKCS5PBEParameter *params = NULL; HASH_HashType hashType = HASH_AlgSHA1; - CK_PKCS5_PBKD2_PARAMS2 *pbkd2_params = NULL; + CK_PKCS5_PBKD2_PARAMS *pbkd2_params = NULL; SECItem salt; CK_ULONG iteration = 0; @@ -4661,11 +4634,10 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe, } if (pMechanism->mechanism == CKM_PKCS5_PBKD2) { - if (pMechanism->ulParameterLen < PR_MIN(sizeof(CK_PKCS5_PBKD2_PARAMS2), - sizeof(CK_PKCS5_PBKD2_PARAMS))) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_PKCS5_PBKD2_PARAMS))) { return CKR_MECHANISM_PARAM_INVALID; } - pbkd2_params = (CK_PKCS5_PBKD2_PARAMS2 *)pMechanism->pParameter; + pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *)pMechanism->pParameter; switch (pbkd2_params->prf) { case CKP_PKCS5_PBKD2_HMAC_SHA1: hashType = HASH_AlgSHA1; diff --git a/security/nss/lib/softoken/softkver.h b/security/nss/lib/softoken/softkver.h index d0f9678fa673..aaf522fa7685 100644 --- a/security/nss/lib/softoken/softkver.h +++ b/security/nss/lib/softoken/softkver.h @@ -17,11 +17,11 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.111" SOFTOKEN_ECC_STRING " Beta" +#define SOFTOKEN_VERSION "3.110" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 -#define SOFTOKEN_VMINOR 111 +#define SOFTOKEN_VMINOR 110 #define SOFTOKEN_VPATCH 0 #define SOFTOKEN_VBUILD 0 -#define SOFTOKEN_BETA PR_TRUE +#define SOFTOKEN_BETA PR_FALSE #endif /* _SOFTKVER_H_ */ diff --git a/security/nss/lib/ssl/ssl3con.c b/security/nss/lib/ssl/ssl3con.c index 4a86a20b2a91..a7c8bb4c7f60 100644 --- a/security/nss/lib/ssl/ssl3con.c +++ b/security/nss/lib/ssl/ssl3con.c 
@@ -12492,9 +12492,6 @@ ssl3_FillInCachedSID(sslSocket *ss, sslSessionID *sid, PK11SymKey *secret) sid->sigScheme = ss->sec.signatureScheme; sid->lastAccessTime = sid->creationTime = ssl_Time(ss); sid->expirationTime = sid->creationTime + (ssl_ticket_lifetime * PR_USEC_PER_SEC); - if (sid->localCert) { - CERT_DestroyCertificate(sid->localCert); - } sid->localCert = CERT_DupCertificate(ss->sec.localCert); if (ss->sec.isServer) { sid->namedCurve = ss->sec.serverCert->namedCurve; diff --git a/security/nss/lib/ssl/sslsock.c b/security/nss/lib/ssl/sslsock.c index 85e9d4ccabe8..1fffe69f00aa 100644 --- a/security/nss/lib/ssl/sslsock.c +++ b/security/nss/lib/ssl/sslsock.c @@ -313,13 +313,6 @@ ssl_DupSocket(sslSocket *os) ss->ssl3.dheWeakGroupEnabled = os->ssl3.dheWeakGroupEnabled; - PORT_Memcpy(ss->ssl3.supportedCertCompressionAlgorithms, - os->ssl3.supportedCertCompressionAlgorithms, - sizeof(ss->ssl3.supportedCertCompressionAlgorithms[0]) * - os->ssl3.supportedCertCompressionAlgorithmsCount); - ss->ssl3.supportedCertCompressionAlgorithmsCount = - os->ssl3.supportedCertCompressionAlgorithmsCount; - if (ss->opt.useSecurity) { PRCList *cursor; diff --git a/security/nss/lib/ssl/tls13con.c b/security/nss/lib/ssl/tls13con.c index c489b2b10842..98f2f2b7a0bd 100644 --- a/security/nss/lib/ssl/tls13con.c +++ b/security/nss/lib/ssl/tls13con.c @@ -2369,7 +2369,6 @@ tls13_HandleClientHelloPart2(sslSocket *ss, } tls13_RestoreCipherInfo(ss, sid); - PORT_Assert(!ss->sec.localCert); ss->sec.localCert = CERT_DupCertificate(ss->sec.serverCert->serverCert); if (sid->peerCert != NULL) { ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h index 7bb3f30ac2c5..62812c3972da 100644 --- a/security/nss/lib/util/nssutil.h +++ b/security/nss/lib/util/nssutil.h 
@@ -19,12 +19,12 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.111 Beta" +#define NSSUTIL_VERSION "3.110" #define NSSUTIL_VMAJOR 3 -#define NSSUTIL_VMINOR 111 +#define NSSUTIL_VMINOR 110 #define NSSUTIL_VPATCH 0 #define NSSUTIL_VBUILD 0 -#define NSSUTIL_BETA PR_TRUE +#define NSSUTIL_BETA PR_FALSE SEC_BEGIN_PROTOS diff --git a/security/nss/lib/util/pkcs11n.h b/security/nss/lib/util/pkcs11n.h index c6a92bf3b153..5e190f9e710b 100644 --- a/security/nss/lib/util/pkcs11n.h +++ b/security/nss/lib/util/pkcs11n.h 
@@ -411,31 +411,90 @@ typedef struct CK_NSS_HKDFParams { /* * CK_NSS_IKE_PRF_PLUS_PARAMS is a structure that provides the parameters to * the CKM_NSS_IKE_PRF_PLUS_DERIVE mechanism. - * It is now standardized, so The struct is just an alias for the standard - * struct in pkcs11t.h. + * The fields of the structure have the following meanings: + * prfMechanism underlying MAC mechanism used to generate the prf. + * bHasSeedKey hSeed key is present. + * hSeedKey optional seed from key + * pSeedData optional seed from data. + * ulSeedDataLen length of optional seed data. + * If no seed data is present this value is NULL. */ -typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS; +typedef struct CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasSeedKey; + CK_OBJECT_HANDLE hSeedKey; + CK_BYTE_PTR pSeedData; + CK_ULONG ulSeedDataLen; +} CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS; /* CK_NSS_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to - * the CKM_NSS_IKE_PRF_DERIVE mechanism. - * It is now standardized, so The struct is just an alias for the standard - * struct in pkcs11t.h. + * the CKM_NSS_IKE_PRF_DERIVE mechanism. + * + * The fields of the structure have the following meanings: + * prfMechanism underlying MAC mechanism used to generate the prf. + * bRekey hNewKey is present. + * pNi Ni value + * ulNiLen length of Ni + * pNr Nr value + * ulNrLen length of Nr + * hNewKey New key value to drive the rekey. */ -typedef struct CK_IKE_PRF_DERIVE_PARAMS CK_NSS_IKE_PRF_DERIVE_PARAMS; +typedef struct CK_NSS_IKE_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bDataAsKey; + CK_BBOOL bRekey; + CK_BYTE_PTR pNi; + CK_ULONG ulNiLen; + CK_BYTE_PTR pNr; + CK_ULONG ulNrLen; + CK_OBJECT_HANDLE hNewKey; +} CK_NSS_IKE_PRF_DERIVE_PARAMS; /* CK_NSS_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters * to the CKM_NSS_IKE_PRF_DERIVE mechanism. 
- * It is now standardized, so The struct is just an alias for the standard - * struct in pkcs11t.h. + * + * The fields of the structure have the following meanings: + * prfMechanism underlying MAC mechanism used to generate the prf. + * bRekey hNewKey is present. + * pCKYi CKYi value + * ulCKYiLen length of CKYi + * pCKYr CKYr value + * ulCKYrLen length of CKYr + * hNewKey New key value to drive the rekey. */ -typedef struct CK_IKE1_PRF_DERIVE_PARAMS CK_NSS_IKE1_PRF_DERIVE_PARAMS; +typedef struct CK_NSS_IKE1_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasPrevKey; + CK_OBJECT_HANDLE hKeygxy; + CK_OBJECT_HANDLE hPrevKey; + CK_BYTE_PTR pCKYi; + CK_ULONG ulCKYiLen; + CK_BYTE_PTR pCKYr; + CK_ULONG ulCKYrLen; + CK_BYTE keyNumber; +} CK_NSS_IKE1_PRF_DERIVE_PARAMS; /* CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS is a structure that provides the * parameters to the CKM_NSS_IKE_APP_B_PRF_DERIVE mechanism. - * It is now standardized, so The struct is just an alias for the standard - * struct in pkcs11t.h. + * + * The fields of the structure have the following meanings: + * prfMechanism underlying MAC mechanism used to generate the prf. + * bHasKeygxy hKeygxy exists + * hKeygxy optional key to hash in the prf + * pExtraData optional extra data to hash in the prf + * ulExtraData length of the optional extra data. + * + * CK_NSS_IKE_APP_B_PRF_DERIVE can take wither CK_NSS_IKE1_APP_B_PRF_DRIVE_PARAMS + * or a single CK_MECHANISM_TYPE. In the latter cases bHashKeygx is assumed to + * be false and ulExtraDataLen is assumed to be '0'. */ -typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS; +typedef struct CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS { + CK_MECHANISM_TYPE prfMechanism; + CK_BBOOL bHasKeygxy; + CK_OBJECT_HANDLE hKeygxy; + CK_BYTE_PTR pExtraData; + CK_ULONG ulExtraDataLen; +} CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS; /* * Parameter for the TLS extended master secret key derivation mechanisms: 
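Review bot: The field lists in the restored comments do not match the structs they document. `CK_NSS_IKE_PRF_DERIVE_PARAMS` has a `bDataAsKey` member with no description; the comment on `CK_NSS_IKE1_PRF_DERIVE_PARAMS` describes `bRekey` and `hNewKey`, which are not members, and says nothing about `bHasPrevKey`, `hKeygxy`, `hPrevKey` or `keyNumber`; in the PRF_PLUS comment the sentence `If no seed data is present this value is NULL` sits under `ulSeedDataLen` although it reads as a statement about `pSeedData`. The last comment also has `wither` for `either`, `bHashKeygx` for `bHasKeygxy`, `ulExtraData` for `ulExtraDataLen` and `CK_NSS_IKE1_APP_B_PRF_DRIVE_PARAMS` for the struct name. Callers fill these parameter blocks by hand, so each comment should list exactly the members of its struct, in declaration order.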
diff --git a/security/nss/lib/util/pkcs11t.h b/security/nss/lib/util/pkcs11t.h index b8c70ea9f1bd..7659a2a2f923 100644 --- a/security/nss/lib/util/pkcs11t.h +++ b/security/nss/lib/util/pkcs11t.h @@ -35,7 +35,7 @@ #endif #define CRYPTOKI_VERSION_MAJOR 3 -#define CRYPTOKI_VERSION_MINOR 1 +#define CRYPTOKI_VERSION_MINOR 0 #define CRYPTOKI_VERSION_AMENDMENT 0 /* an unsigned 8-bit value */ @@ -93,6 +93,7 @@ typedef struct CK_INFO { CK_VERSION cryptokiVersion; /* PKCS #11 interface ver */ CK_UTF8CHAR manufacturerID[32]; /* blank padded */ CK_FLAGS flags; /* must be zero */ + /* libraryDescription and libraryVersion are new for v2.0 */ CK_UTF8CHAR libraryDescription[32]; /* blank padded */ CK_VERSION libraryVersion; /* version of library */ @@ -106,7 +107,6 @@ typedef CK_INFO CK_PTR CK_INFO_PTR; * for v2.0 */ typedef CK_ULONG CK_NOTIFICATION; #define CKN_SURRENDER 0 -#define CKN_OTP_CHANGED 1 typedef CK_ULONG CK_SLOT_ID; @@ -330,7 +330,6 @@ typedef CK_ULONG CK_OBJECT_CLASS; #define CKO_HW_FEATURE 0x00000005UL #define CKO_DOMAIN_PARAMETERS 0x00000006UL #define CKO_MECHANISM 0x00000007UL -#define CKO_OTP_KEY 0x00000008UL #define CKO_PROFILE 0x00000009UL #define CKO_VENDOR_DEFINED 0x80000000UL @@ -339,7 +338,6 @@ typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR; /* CK_PROFILE_ID is new for v3.00. CK_PROFILE_ID is a value that * identifies the profile that the token supports. */ typedef CK_ULONG CK_PROFILE_ID; -typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR; /* Profile ID's */ #define CKP_INVALID_ID 0x00000000UL @@ -347,9 +345,6 @@ typedef CK_PROFILE_ID CK_PTR CK_PROFILE_ID_PTR; #define CKP_EXTENDED_PROVIDER 0x00000002UL #define CKP_AUTHENTICATION_TOKEN 0x00000003UL #define CKP_PUBLIC_CERTIFICATES_TOKEN 0x00000004UL -#define CKP_COMPLETE_PROVIDER 0x00000005UL -#define CKP_HKDF_TLS_TOKEN 0x00000006UL - #define CKP_VENDOR_DEFINED 0x80000000UL /* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a 
@@ -405,11 +400,6 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_BLOWFISH 0x00000020UL #define CKK_TWOFISH 0x00000021UL -/* New for v3.1 */ -#define CKK_SECURID 0x00000022UL -#define CKK_ACTI 0x00000024UL -#define CKK_HOTP 0x00000023UL - /* Camellia is proposed for v2.20 Amendment 3 */ #define CKK_CAMELLIA 0x00000025UL @@ -452,9 +442,6 @@ typedef CK_ULONG CK_KEY_TYPE; #define CKK_SHA512_256_HMAC 0x00000044UL #define CKK_SHA512_T_HMAC 0x00000045UL -/* New for v3.1 */ -#define CKK_HSS 0x00000046UL - #define CKK_VENDOR_DEFINED 0x80000000UL /* CK_CERTIFICATE_TYPE is a value that identifies a certificate @@ -679,16 +666,6 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN; #define CKA_X2RATCHET_PNS 0x00000611UL #define CKA_X2RATCHET_RK 0x00000612UL -/* new for v3.1 */ -#define CKA_HSS_KEYS_REMAINING 0x0000061cUL -#define CKA_HSS_LEVELS 0x00000617UL -#define CKA_HSS_LMOTS_TYPE 0x00000619UL -#define CKA_HSS_LMOTS_TYPES 0x0000061bUL -#define CKA_HSS_LMS_TYPE 0x00000618UL -#define CKA_HSS_LMS_TYPES 0x0000061aUL -#define CKA_NAME_HASH_ALGORITHM 0x0000008cUL -#define CKA_UNIQUE_ID 0x00000004UL - #define CKA_VENDOR_DEFINED 0x80000000UL /* CK_ATTRIBUTE is a structure that includes the type, length @@ -696,6 +673,7 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_DOMAIN; typedef struct CK_ATTRIBUTE { CK_ATTRIBUTE_TYPE type; CK_VOID_PTR pValue; + /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */ CK_ULONG ulValueLen; /* in bytes */ } CK_ATTRIBUTE; @@ -1140,7 +1118,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_CAMELLIA_CBC_PAD 0x00000555UL #define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556UL #define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557UL -#define CKM_CAMELLIA_CTR 0x00000558UL /* new for v2.40 */ #define CKM_ARIA_KEY_GEN 0x00000560UL 
@@ -1161,9 +1138,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_SEED_ECB_ENCRYPT_DATA 0x00000656UL #define CKM_SEED_CBC_ENCRYPT_DATA 0x00000657UL -/* new for v3.1 */ -#define CKM_KEA_DERIVE 0x00001012UL - /* new for v2.40 */ #define CKM_ECDSA_SHA3_224 0x00001047UL #define CKM_ECDSA_SHA3_256 0x00001048UL @@ -1173,11 +1147,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_EC_MONTGOMERY_KEY_PAIR_GEN 0x00001056UL #define CKM_EDDSA 0x00001057UL -/* new for v3.1 */ -#define CKM_AES_XTS 0x00001071UL -#define CKM_AES_XTS_KEY_GEN 0x00001072UL -#define CKM_AES_GMAC 0x0000108eUL - /* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */ #define CKM_DES_ECB_ENCRYPT_DATA 0x00001100UL #define CKM_DES_CBC_ENCRYPT_DATA 0x00001101UL 
@@ -1205,50 +1174,24 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_POLY1305_KEY_GEN 0x00001227UL #define CKM_POLY1305 0x00001228UL -/* new for v3.1 */ -#define CKM_DES3_CMAC 0x00000138UL -#define CKM_DES3_CMAC_GENERAL 0x00000137UL - #define CKM_DSA_PARAMETER_GEN 0x00002000UL #define CKM_DH_PKCS_PARAMETER_GEN 0x00002001UL #define CKM_X9_42_DH_PARAMETER_GEN 0x00002002UL /* new for v2.40 */ #define CKM_DSA_PROBABILISTIC_PARAMETER_GEN 0x00002003UL -#define CKM_DSA_PROBABLISTIC_PARAMETER_GEN 0x00002003UL #define CKM_DSA_SHAWE_TAYLOR_PARAMETER_GEN 0x00002004UL #define CKM_DSA_FIPS_G_GEN 0x00002005UL - -/* new for v3.1 */ -#define CKM_AES_OFB 0x00002104UL -#define CKM_AES_CFB64 0x00002105UL -#define CKM_AES_CFB8 0x00002106UL -#define CKM_AES_CFB128 0x00002107UL -#define CKM_AES_KEY_WRAP_PKCS7 0x0000210cUL - -/* new for v2.40 */ #define CKM_AES_CFB1 0x00002108UL #define CKM_AES_KEY_WRAP 0x00002109UL #define CKM_AES_KEY_WRAP_PAD 0x0000210AUL #define CKM_AES_KEY_WRAP_KWP 0x0000210BUL -/* new for v3.1 */ -#define CKM_SHA3_256_KEY_DERIVE 0x00000397UL -#define CKM_SHA3_224_KEY_DERIVE 0x00000398UL -#define CKM_SHA3_384_KEY_DERIVE 0x00000399UL -#define CKM_SHA3_512_KEY_DERIVE 0x0000039aUL -#define CKM_SHAKE_128_KEY_DERIVE 0x0000039bUL -#define CKM_SHAKE_256_KEY_DERIVE 0x0000039cUL - /* CKM_SP800_108_xxx_KDF are new for v3.0 */ #define CKM_SP800_108_COUNTER_KDF 0x000003acUL #define CKM_SP800_108_FEEDBACK_KDF 0x000003adUL #define CKM_SP800_108_DOUBLE_PIPELINE_KDF 0x000003aeUL -/* new for v3.1 */ -#define CKM_TLS10_MAC_SERVER 0x000003d6UL -#define CKM_TLS10_MAC_CLIENT 0x000003d7UL - /* new for v2.4 */ #define CKM_RSA_PKCS_TPM_1_1 0x00004001UL #define CKM_RSA_PKCS_OAEP_TPM_1_1 0x00004002UL 
@@ -1298,14 +1241,6 @@ typedef CK_ULONG CK_MECHANISM_TYPE; #define CKM_HKDF_KEY_GEN 0x0000402cUL #define CKM_SALSA20_KEY_GEN 0x0000402dUL -/* new for v3.1 */ -#define CKM_HSS 0x00004033UL -#define CKM_HSS_KEY_PAIR_GEN 0x00004032UL -#define CKM_IKE1_EXTENDED_DERIVE 0x00004031UL -#define CKM_IKE1_PRF_DERIVE 0x00004030UL -#define CKM_IKE2_PRF_PLUS_DERIVE 0x0000402eUL -#define CKM_IKE_PRF_DERIVE 0x0000402fUL - #define CKM_VENDOR_DEFINED 0x80000000UL typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR; @@ -1374,7 +1309,6 @@ typedef struct CK_MECHANISM_INFO { #define CKF_EC_NAMEDCURVE CKF_EC_OID /* renamed in v3.0 */ #define CKF_EC_UNCOMPRESS 0x01000000UL #define CKF_EC_COMPRESS 0x02000000UL -#define CKF_EC_CURVENAME 0x04000000UL #define CKF_EXTENSION 0x80000000UL /* FALSE for this version */ @@ -1418,7 +1352,6 @@ typedef CK_ULONG CK_RV; #define CKR_DEVICE_REMOVED 0x00000032UL #define CKR_ENCRYPTED_DATA_INVALID 0x00000040UL #define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041UL -#define CKR_AEAD_DECRYPT_FAILED 0x00000042UL #define CKR_FUNCTION_CANCELED 0x00000050UL #define CKR_FUNCTION_NOT_PARALLEL 0x00000051UL @@ -1487,8 +1420,6 @@ typedef CK_ULONG CK_RV; #define CKR_USER_PIN_NOT_INITIALIZED 0x00000102UL #define CKR_USER_TYPE_INVALID 0x00000103UL -#define CKR_KEY_EXHAUSTED 0x00000203UL - /* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES * are new to v2.01 */ #define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104UL @@ -1696,7 +1627,6 @@ typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR; /* CK_EC_KDF_TYPE is new for v2.11. */ typedef CK_ULONG CK_EC_KDF_TYPE; -typedef CK_EC_KDF_TYPE CK_PTR CK_EC_KDF_TYPE_PTR; /* The following EC Key Derivation Functions are defined */ #define CKD_NULL 0x00000001UL 
@@ -2003,7 +1933,7 @@ typedef struct CK_GCM_MESSAGE_PARAMS { CK_ULONG ulTagBits; } CK_GCM_MESSAGE_PARAMS; -typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR; +typedef CK_GCM_MESSAGE_PARAMS CK_GCM_MESSAGE_PARAMS_PTR; typedef struct CK_CCM_MESSAGE_PARAMS { CK_ULONG ulDataLen; /*plaintext or ciphertext*/ @@ -2015,7 +1945,7 @@ typedef struct CK_CCM_MESSAGE_PARAMS { CK_ULONG ulMACLen; } CK_CCM_MESSAGE_PARAMS; -typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR; +typedef CK_CCM_MESSAGE_PARAMS CK_CCM_MESSAGE_PARAMS_PTR; /* SALSA20/CHACHA20 doe not define IV generators */ typedef struct CK_SALSA20_CHACHA20_POLY1305_MSG_PARAMS { @@ -2045,7 +1975,7 @@ typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS { } CK_SKIPJACK_PRIVATE_WRAP_PARAMS; typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR - CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR; + CK_SKIPJACK_PRIVATE_WRAP_PTR; /* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the * CKM_SKIPJACK_RELAYX mechanism */ @@ -2225,8 +2155,6 @@ typedef struct CK_TLS_KDF_PARAMS { CK_ULONG ulContextDataLength; } CK_TLS_KDF_PARAMS; -typedef CK_TLS_KDF_PARAMS CK_PTR CK_TLS_KDF_PARAMS_PTR; - typedef struct CK_TLS_MAC_PARAMS { CK_MECHANISM_TYPE prfHashMechanism; CK_ULONG ulMacLength; 
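Review bot: The new line `typedef CK_GCM_MESSAGE_PARAMS CK_GCM_MESSAGE_PARAMS_PTR;` drops `CK_PTR`, so the `_PTR` name now aliases the struct itself instead of a pointer to it. The next hunk does the same to `CK_CCM_MESSAGE_PARAMS_PTR`. Code that declares a variable of either type and assigns a mechanism parameter pointer to it will no longer compile, and any `sizeof` taken on the `_PTR` type silently yields the struct size rather than the pointer size. The other pointer typedefs visible in this diff (for example `CK_HKDF_PARAMS_PTR`) keep `CK_PTR`, so this looks unintended. I would keep `typedef CK_GCM_MESSAGE_PARAMS CK_PTR CK_GCM_MESSAGE_PARAMS_PTR;` and `typedef CK_CCM_MESSAGE_PARAMS CK_PTR CK_CCM_MESSAGE_PARAMS_PTR;` regardless of which header version the rest of the change targets.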
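Review bot: In the `@@ -2045,7 +1975,7 @@` hunk the pointer typedef becomes `CK_SKIPJACK_PRIVATE_WRAP_PTR`, which no longer matches its struct `CK_SKIPJACK_PRIVATE_WRAP_PARAMS` or the `<struct name>_PTR` pattern the neighbouring typedefs follow. Callers written against `CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR` lose the name with no alias left behind. If the short spelling is needed for older consumers, I would keep both, adding `typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR CK_SKIPJACK_PRIVATE_WRAP_PARAMS_PTR;` next to it with a one-line comment such as `/* historical misspelling kept for source compatibility */` on the short one.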
@@ -2253,101 +2181,6 @@ typedef CK_HKDF_PARAMS CK_PTR CK_HKDF_PARAMS_PTR; #define CKF_HKDF_SALT_DATA 0x00000002UL #define CKF_HKDF_SALT_KEY 0x00000004UL -/* IKE is new for v3.1 */ -/* - * CK_IKE2_PRF_PLUS_PARAMS is a structure that provides the parameters to - * the CKM_IKE2_PRF_PLUS_DERIVE mechanism. - * The fields of the structure have the following meanings: - * prfMechanism underlying MAC mechanism used to generate the prf. - * bHasSeedKey hSeed key is present. - * hSeedKey optional seed from key - * pSeedData optional seed from data. - * ulSeedDataLen length of optional seed data. - * If no seed data is present this value is NULL. - */ -typedef struct CK_IKE2_PRF_PLUS_DERIVE_PARAMS { - CK_MECHANISM_TYPE prfMechanism; - CK_BBOOL bHasSeedKey; - CK_OBJECT_HANDLE hSeedKey; - CK_BYTE_PTR pSeedData; - CK_ULONG ulSeedDataLen; -} CK_IKE2_PRF_PLUS_DERIVE_PARAMS; - -typedef CK_IKE2_PRF_PLUS_DERIVE_PARAMS CK_PTR CK_IKE2_PRF_PLUS_DERIVE_PARAMS_PTR; - -/* CK_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to - * the CKM_IKE_PRF_DERIVE mechanism. - * - * The fields of the structure have the following meanings: - * prfMechanism underlying MAC mechanism used to generate the prf. - * bRekey hNewKey is present. - * pNi Ni value - * ulNiLen length of Ni - * pNr Nr value - * ulNrLen length of Nr - * hNewKey New key value to drive the rekey. - */ -typedef struct CK_IKE_PRF_DERIVE_PARAMS { - CK_MECHANISM_TYPE prfMechanism; - CK_BBOOL bDataAsKey; - CK_BBOOL bRekey; - CK_BYTE_PTR pNi; - CK_ULONG ulNiLen; - CK_BYTE_PTR pNr; - CK_ULONG ulNrLen; - CK_OBJECT_HANDLE hNewKey; -} CK_IKE_PRF_DERIVE_PARAMS; - -typedef CK_IKE_PRF_DERIVE_PARAMS CK_PTR CK_IKE_PRF_DERIVE_PARAMS_PTR; - -/* CK_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters - * to the CKM_IKE1_PRF_DERIVE mechanism. - * - * The fields of the structure have the following meanings: - * prfMechanism underlying MAC mechanism used to generate the prf. 
- * bHasPrevKey there is a previous key to use - * hKeygxy key to hash in the prf (usually a dhkey of sorts) - * hPrevKey the previous ike1 key - * pCKYi CKYi value - * ulCKYiLen length of CKYi - * pCKYr CKYr value - * ulCKYrLen length of CKYr - * hNewKey New key value to drive the rekey. - */ -typedef struct CK_IKE1_PRF_DERIVE_PARAMS { - CK_MECHANISM_TYPE prfMechanism; - CK_BBOOL bHasPrevKey; - CK_OBJECT_HANDLE hKeygxy; - CK_OBJECT_HANDLE hPrevKey; - CK_BYTE_PTR pCKYi; - CK_ULONG ulCKYiLen; - CK_BYTE_PTR pCKYr; - CK_ULONG ulCKYrLen; - CK_BYTE keyNumber; -} CK_IKE1_PRF_DERIVE_PARAMS; - -typedef CK_IKE1_PRF_DERIVE_PARAMS CK_PTR CK_IKE1_PRF_DERIVE_PARAMS_PTR; - -/* CK_IKE1_EXTENDED_DERIVE_PARAMS is a structure that provides the - * parameters to the CKM_IKE1_EXTENDED_DERIVE mechanism. - * - * The fields of the structure have the following meanings: - * prfMechanism underlying MAC mechanism used to generate the prf. - * bHasKeygxy hKeygxy exists - * hKeygxy optional key to hash in the prf - * pExtraData optional extra data to hash in the prf - * ulExtraData length of the optional extra data. - */ -typedef struct CK_IKE1_EXTENDED_DERIVE_PARAMS { - CK_MECHANISM_TYPE prfMechanism; - CK_BBOOL bHasKeygxy; - CK_OBJECT_HANDLE hKeygxy; - CK_BYTE_PTR pExtraData; - CK_ULONG ulExtraDataLen; -} CK_IKE1_EXTENDED_DERIVE_PARAMS; - -typedef CK_IKE1_EXTENDED_DERIVE_PARAMS CK_PTR CK_IKE1_EXTENDED_DERIVE_PARAMS_PTR; - /* WTLS is new for version 2.20 */ typedef struct CK_WTLS_RANDOM_DATA { CK_BYTE_PTR pClientRandom; 
@@ -2580,13 +2413,6 @@ typedef struct CK_PKCS5_PBKD2_PARAMS2 { typedef CK_PKCS5_PBKD2_PARAMS2 CK_PTR CK_PKCS5_PBKD2_PARAMS2_PTR; -/* The following value is used to determines if a parameter is of type PARAMS or PARAMS2 - * based on the value of ulPasswordLen. If ulPasswordLen is greater that the value below, - * it is most likely a memory address i.e. a pointer (PARAMS). Otherwise, it is considered - * a length value (PARAMS2). This is ignored if NSS_USE_PKCS5_PBKD2_PARAMS2_ONLY is defined. - */ -#define CK_PKCS5_PBKD2_PARAMS_MAX_PWD_LEN 8192 - /* OTP is new in v2.40 */ typedef CK_ULONG CK_OTP_PARAM_TYPE; #define CK_OTP_VALUE 0UL @@ -2692,7 +2518,6 @@ typedef struct CK_EDDSA_PARAMS { CK_BYTE_PTR pContextData; } CK_EDDSA_PARAMS; typedef CK_ULONG CK_XEDDSA_HASH_TYPE; -typedef CK_EDDSA_PARAMS CK_PTR CK_EDDSA_PARAMS_PTR; typedef CK_XEDDSA_HASH_TYPE CK_PTR CK_XEDDSA_HASH_TYPE_PTR; typedef struct CK_XEDDSA_PARAMS {