Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(274)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: nss/lib/pk11wrap/pk11pars.c

Issue 1843333003: Update NSPR to 4.12 and NSS to 3.23 on iOS (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/nss.git@master
Patch Set: Created 4 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « nss/lib/pk11wrap/pk11obj.c ('k') | nss/lib/pk11wrap/pk11pbe.c » ('j') | nss/lib/util/secoid.c » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* This Source Code Form is subject to the terms of the Mozilla Public 1 /* This Source Code Form is subject to the terms of the Mozilla Public
2 * License, v. 2.0. If a copy of the MPL was not distributed with this 2 * License, v. 2.0. If a copy of the MPL was not distributed with this
3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 3 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4 /* 4 /*
5 * The following handles the loading, unloading and management of 5 * The following handles the loading, unloading and management of
6 * various PCKS #11 modules 6 * various PCKS #11 modules
7 */ 7 */
8 8
9 #include <ctype.h> 9 #include <ctype.h>
10 #include <assert.h>
10 #include "pkcs11.h" 11 #include "pkcs11.h"
11 #include "seccomon.h" 12 #include "seccomon.h"
12 #include "secmod.h" 13 #include "secmod.h"
13 #include "secmodi.h" 14 #include "secmodi.h"
14 #include "secmodti.h" 15 #include "secmodti.h"
15 #include "pki3hack.h" 16 #include "pki3hack.h"
16 #include "secerr.h" 17 #include "secerr.h"
17 18 #include "nss.h"
18 #include "utilpars.h" 19 #include "utilpars.h"
19 20
20 /* create a new module */ 21 /* create a new module */
21 static SECMODModule * 22 static SECMODModule *
22 secmod_NewModule(void) 23 secmod_NewModule(void)
23 { 24 {
24 SECMODModule *newMod; 25 SECMODModule *newMod;
25 PLArenaPool *arena; 26 PLArenaPool *arena;
26 27
27 28
28 /* create an arena in which dllName and commonName can be 29 /* create an arena in which dllName and commonName can be
(...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after
131 * for 3.4 we continue to use the old SECMODModule structure 132 * for 3.4 we continue to use the old SECMODModule structure
132 */ 133 */
133 SECMODModule * 134 SECMODModule *
134 SECMOD_CreateModule(const char *library, const char *moduleName, 135 SECMOD_CreateModule(const char *library, const char *moduleName,
135 const char *parameters, const char *nss) 136 const char *parameters, const char *nss)
136 { 137 {
137 return SECMOD_CreateModuleEx(library, moduleName, parameters, nss, NULL); 138 return SECMOD_CreateModuleEx(library, moduleName, parameters, nss, NULL);
138 } 139 }
139 140
140 /* 141 /*
142 * NSS config options format:
143 *
144 * The specified ciphers will be allowed by policy, but an application
145 * may allow more by policy explicitly:
146 * config="allow=curve1:curve2:hash1:hash2:rsa-1024..."
147 *
148 * Only the specified hashes and curves will be allowed:
149 * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1"
150 *
151 * Only the specified hashes and curves will be allowed, and
152 * RSA keys of 2048 or more will be accepted, and DH key exchange
153 * with 1024-bit primes or more:
154 * config="disallow=all allow=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-d h=1024"
155 *
156 * A policy that enables the AES ciphersuites and the SECP256/384 curves:
157 * config="allow=aes128-cbc:aes128-gcm:TLS1.0:TLS1.2:TLS1.1:HMAC-SHA1:SHA1:SHA25 6:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1"
158 *
159 * Disallow values are parsed first, then allow values, independent of the
160 * order they appear.
161 *
162 * Future key words (not yet implemented):
163 * enable: turn on ciphersuites by default.
164 * disable: turn off ciphersuites by default without disallowing them by policy.
165 * flags: turn on the following flags:
166 * ssl-lock: turn off the ability for applications to change policy with
167 * the SSL_SetCipherPolicy (or SSL_SetPolicy).
168 * policy-lock: turn off the ability for applications to change policy with
169 * the call NSS_SetAlgorithmPolicy.
170 * ssl-default-lock: turn off the ability for applications to change cipher
171 * suite states with SSL_EnableCipher, SSL_DisableCipher.
172 *
173 */
174
175 typedef struct {
176 const char *name;
177 unsigned name_size;
178 SECOidTag oid;
179 PRUint32 val;
180 } oidValDef;
181
182 typedef struct {
183 const char *name;
184 unsigned name_size;
185 PRInt32 option;
186 } optionFreeDef;
187
188 typedef struct {
189 const char *name;
190 unsigned name_size;
191 PRUint32 flag;
192 } policyFlagDef;
193
194 /*
195 * This table should be merged with the SECOID table.
196 */
197 #define CIPHER_NAME(x) x,(sizeof(x)-1)
198 static const oidValDef algOptList[] = {
199 /* Curves */
200 {CIPHER_NAME("PRIME192V1"),SEC_OID_ANSIX962_EC_PRIME192V1,
201 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
202 {CIPHER_NAME("PRIME192V2"), SEC_OID_ANSIX962_EC_PRIME192V2,
203 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
204 {CIPHER_NAME("PRIME192V3"), SEC_OID_ANSIX962_EC_PRIME192V3,
205 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
206 {CIPHER_NAME("PRIME239V1"), SEC_OID_ANSIX962_EC_PRIME239V1,
207 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
208 {CIPHER_NAME("PRIME239V2"), SEC_OID_ANSIX962_EC_PRIME239V2,
209 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
210 {CIPHER_NAME("PRIME239V3"), SEC_OID_ANSIX962_EC_PRIME239V3,
211 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
212 {CIPHER_NAME("PRIME256V1"), SEC_OID_ANSIX962_EC_PRIME256V1,
213 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
214 {CIPHER_NAME("SECP112R1"), SEC_OID_SECG_EC_SECP112R1,
215 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
216 {CIPHER_NAME("SECP112R2"), SEC_OID_SECG_EC_SECP112R2,
217 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
218 {CIPHER_NAME("SECP128R1"), SEC_OID_SECG_EC_SECP128R1,
219 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
220 {CIPHER_NAME("SECP128R2"), SEC_OID_SECG_EC_SECP128R2,
221 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
222 {CIPHER_NAME("SECP160K1"), SEC_OID_SECG_EC_SECP160K1,
223 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
224 {CIPHER_NAME("SECP160R1"), SEC_OID_SECG_EC_SECP160R1,
225 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
226 {CIPHER_NAME("SECP160R2"), SEC_OID_SECG_EC_SECP160R2,
227 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
228 {CIPHER_NAME("SECP192K1"), SEC_OID_SECG_EC_SECP192K1,
229 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
230 {CIPHER_NAME("SECP192R1"), SEC_OID_ANSIX962_EC_PRIME192V1,
231 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
232 {CIPHER_NAME("SECP224K1"), SEC_OID_SECG_EC_SECP224K1,
233 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
234 {CIPHER_NAME("SECP256K1"), SEC_OID_SECG_EC_SECP256K1,
235 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
236 {CIPHER_NAME("SECP256R1"), SEC_OID_ANSIX962_EC_PRIME256V1,
237 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
238 {CIPHER_NAME("SECP384R1"), SEC_OID_SECG_EC_SECP384R1,
239 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
240 {CIPHER_NAME("SECP521R1"), SEC_OID_SECG_EC_SECP521R1,
241 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
242 /* ANSI X9.62 named elliptic curves (characteristic two field) */
243 {CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
244 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
245 {CIPHER_NAME("C2PNB163V2"), SEC_OID_ANSIX962_EC_C2PNB163V2,
246 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
247 {CIPHER_NAME("C2PNB163V3"), SEC_OID_ANSIX962_EC_C2PNB163V3,
248 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
249 {CIPHER_NAME("C2PNB176V1"), SEC_OID_ANSIX962_EC_C2PNB176V1,
250 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
251 {CIPHER_NAME("C2TNB191V1"), SEC_OID_ANSIX962_EC_C2TNB191V1,
252 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
253 {CIPHER_NAME("C2TNB191V2"), SEC_OID_ANSIX962_EC_C2TNB191V2,
254 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
255 {CIPHER_NAME("C2TNB191V3"), SEC_OID_ANSIX962_EC_C2TNB191V3,
256 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
257 {CIPHER_NAME("C2ONB191V4"), SEC_OID_ANSIX962_EC_C2ONB191V4,
258 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
259 {CIPHER_NAME("C2ONB191V5"), SEC_OID_ANSIX962_EC_C2ONB191V5,
260 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
261 {CIPHER_NAME("C2PNB208W1"), SEC_OID_ANSIX962_EC_C2PNB208W1,
262 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
263 {CIPHER_NAME("C2TNB239V1"), SEC_OID_ANSIX962_EC_C2TNB239V1,
264 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
265 {CIPHER_NAME("C2TNB239V2"), SEC_OID_ANSIX962_EC_C2TNB239V2,
266 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
267 {CIPHER_NAME("C2TNB239V3"), SEC_OID_ANSIX962_EC_C2TNB239V3,
268 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
269 {CIPHER_NAME("C2ONB239V4"), SEC_OID_ANSIX962_EC_C2ONB239V4,
270 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
271 {CIPHER_NAME("C2ONB239V5"), SEC_OID_ANSIX962_EC_C2ONB239V5,
272 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
273 {CIPHER_NAME("C2PNB272W1"), SEC_OID_ANSIX962_EC_C2PNB272W1,
274 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
275 {CIPHER_NAME("C2PNB304W1"), SEC_OID_ANSIX962_EC_C2PNB304W1,
276 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
277 {CIPHER_NAME("C2TNB359V1"), SEC_OID_ANSIX962_EC_C2TNB359V1,
278 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
279 {CIPHER_NAME("C2PNB368W1"), SEC_OID_ANSIX962_EC_C2PNB368W1,
280 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
281 {CIPHER_NAME("C2TNB431R1"), SEC_OID_ANSIX962_EC_C2TNB431R1,
282 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
283 /* SECG named elliptic curves (characteristic two field) */
284 {CIPHER_NAME("SECT113R1"), SEC_OID_SECG_EC_SECT113R1,
285 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
286 {CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT113R2,
287 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
288 {CIPHER_NAME("SECT131R1"), SEC_OID_SECG_EC_SECT131R1,
289 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
290 {CIPHER_NAME("SECT131R2"), SEC_OID_SECG_EC_SECT131R2,
291 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
292 {CIPHER_NAME("SECT163K1"), SEC_OID_SECG_EC_SECT163K1,
293 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
294 {CIPHER_NAME("SECT163R1"), SEC_OID_SECG_EC_SECT163R1,
295 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
296 {CIPHER_NAME("SECT163R2"), SEC_OID_SECG_EC_SECT163R2,
297 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
298 {CIPHER_NAME("SECT193R1"), SEC_OID_SECG_EC_SECT193R1,
299 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
300 {CIPHER_NAME("SECT193R2"), SEC_OID_SECG_EC_SECT193R2,
301 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
302 {CIPHER_NAME("SECT233K1"), SEC_OID_SECG_EC_SECT233K1,
303 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
304 {CIPHER_NAME("SECT233R1"), SEC_OID_SECG_EC_SECT233R1,
305 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
306 {CIPHER_NAME("SECT239K1"), SEC_OID_SECG_EC_SECT239K1,
307 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
308 {CIPHER_NAME("SECT283K1"), SEC_OID_SECG_EC_SECT283K1,
309 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
310 {CIPHER_NAME("SECT283R1"), SEC_OID_SECG_EC_SECT283R1,
311 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
312 {CIPHER_NAME("SECT409K1"), SEC_OID_SECG_EC_SECT409K1,
313 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
314 {CIPHER_NAME("SECT409R1"), SEC_OID_SECG_EC_SECT409R1,
315 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
316 {CIPHER_NAME("SECT571K1"), SEC_OID_SECG_EC_SECT571K1,
317 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
318 {CIPHER_NAME("SECT571R1"), SEC_OID_SECG_EC_SECT571R1,
319 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
320
321 /* Hashes */
322 {CIPHER_NAME("MD2"), SEC_OID_MD2,
323 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
324 {CIPHER_NAME("MD4"), SEC_OID_MD4,
325 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
326 {CIPHER_NAME("MD5"), SEC_OID_MD5,
327 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
328 {CIPHER_NAME("SHA1"), SEC_OID_SHA1,
329 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
330 {CIPHER_NAME("SHA224"), SEC_OID_SHA224,
331 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
332 {CIPHER_NAME("SHA256"), SEC_OID_SHA256,
333 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
334 {CIPHER_NAME("SHA384"), SEC_OID_SHA384,
335 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
336 {CIPHER_NAME("SHA512"), SEC_OID_SHA512,
337 NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
338
339 /* MACs */
340 {CIPHER_NAME("HMAC-SHA1"), SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL},
341 {CIPHER_NAME("HMAC-SHA224"), SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL},
342 {CIPHER_NAME("HMAC-SHA256"), SEC_OID_HMAC_SHA256, NSS_USE_ALG_IN_SSL},
343 {CIPHER_NAME("HMAC-SHA384"), SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL},
344 {CIPHER_NAME("HMAC-SHA512"), SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL},
345 {CIPHER_NAME("HMAC-MD5"), SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL},
346
347 /* Ciphers */
348 {CIPHER_NAME("AES128-CBC"), SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL},
349 {CIPHER_NAME("AES192-CBC"), SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL},
350 {CIPHER_NAME("AES256-CBC"), SEC_OID_AES_256_CBC, NSS_USE_ALG_IN_SSL},
351 {CIPHER_NAME("AES128-GCM"), SEC_OID_AES_128_GCM, NSS_USE_ALG_IN_SSL},
352 {CIPHER_NAME("AES192-GCM"), SEC_OID_AES_192_GCM, NSS_USE_ALG_IN_SSL},
353 {CIPHER_NAME("AES256-GCM"), SEC_OID_AES_256_GCM, NSS_USE_ALG_IN_SSL},
354 {CIPHER_NAME("CAMELLIA128-CBC"), SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SS L},
355 {CIPHER_NAME("CAMELLIA192-CBC"), SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SS L},
356 {CIPHER_NAME("CAMELLIA256-CBC"), SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SS L},
357 {CIPHER_NAME("CHACHA20-POLY1305"), SEC_OID_CHACHA20_POLY1305, NSS_USE_ALG_IN _SSL},
358 {CIPHER_NAME("SEED-CBC"), SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL},
359 {CIPHER_NAME("DES-EDE3-CBC"), SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL},
360 {CIPHER_NAME("DES-40-CBC"), SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL},
361 {CIPHER_NAME("DES-CBC"), SEC_OID_DES_CBC, NSS_USE_ALG_IN_SSL},
362 {CIPHER_NAME("NULL-CIPHER"), SEC_OID_NULL_CIPHER, NSS_USE_ALG_IN_SSL},
363 {CIPHER_NAME("RC2"), SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL},
364 {CIPHER_NAME("RC4"), SEC_OID_RC4, NSS_USE_ALG_IN_SSL},
365 {CIPHER_NAME("IDEA"), SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL},
366
367 /* Key exchange */
368 {CIPHER_NAME("RSA"), SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX},
369 {CIPHER_NAME("RSA-EXPORT"), SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX},
370 {CIPHER_NAME("DHE-RSA"), SEC_OID_TLS_DHE_RSA, NSS_USE_ALG_IN_SSL_KX},
371 {CIPHER_NAME("DHE-DSS"), SEC_OID_TLS_DHE_DSS, NSS_USE_ALG_IN_SSL_KX},
372 {CIPHER_NAME("DH-RSA"), SEC_OID_TLS_DH_RSA, NSS_USE_ALG_IN_SSL_KX},
373 {CIPHER_NAME("DH-DSS"), SEC_OID_TLS_DH_DSS, NSS_USE_ALG_IN_SSL_KX},
374 {CIPHER_NAME("ECDHE-ECDSA"), SEC_OID_TLS_ECDHE_ECDSA, NSS_USE_ALG_IN_SSL_KX} ,
375 {CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX},
376 {CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX},
377 {CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX},
378 };
379
380 static const optionFreeDef sslOptList[] = {
381 /* Versions */
382 {CIPHER_NAME("SSL2.0"), 0x002},
383 {CIPHER_NAME("SSL3.0"), 0x300},
384 {CIPHER_NAME("SSL3.1"), 0x301},
385 {CIPHER_NAME("TLS1.0"), 0x301},
386 {CIPHER_NAME("TLS1.1"), 0x302},
387 {CIPHER_NAME("TLS1.2"), 0x303},
388 {CIPHER_NAME("TLS1.3"), 0x304},
389 {CIPHER_NAME("DTLS1.0"),0x302},
390 {CIPHER_NAME("DTLS1.1"),0x302},
391 {CIPHER_NAME("DTLS1.2"),0x303},
392 {CIPHER_NAME("DTLS1.3"),0x304},
393 };
394
395 static const optionFreeDef freeOptList[] = {
396
397 /* Restrictions for asymetric keys */
398 {CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE},
399 {CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE},
400 {CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE},
401 /* constraints on SSL Protocols */
402 {CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY},
403 {CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY},
404 /* constraints on DTLS Protocols */
405 {CIPHER_NAME("DTLS-VERSION-MIN"), NSS_DTLS_VERSION_MIN_POLICY},
406 {CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY}
407 };
408
409 static const policyFlagDef policyFlagList[] = {
410 {CIPHER_NAME("SSL"), NSS_USE_ALG_IN_SSL},
411 {CIPHER_NAME("SSL-KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX},
412 /* add other key exhanges in the future */
413 {CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX},
414 {CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE},
415 /* add other signatures in the future */
416 {CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE},
417 /* enable everything */
418 {CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL|NSS_USE_ALG_IN_SSL_KX|
419 NSS_USE_ALG_IN_CERT_SIGNATURE},
420 {CIPHER_NAME("NONE"), 0}
421 };
422
423 /*
424 * Get the next cipher on the list. point to the next one in 'next'.
425 * return the length;
426 */
427 static const char *
428 secmod_ArgGetSubValue(const char *cipher, char sep1, char sep2,
429 int *len, const char **next)
430 {
431 const char *start = cipher;
432
433 if (start == NULL) {
434 *len = 0;
435 *next = NULL;
436 return start;
437 }
438
439 for (; *cipher && *cipher != sep2; cipher++) {
440 if (*cipher == sep1) {
441 *next = cipher+1;
442 *len = cipher - start;
443 return start;
444 }
445 }
446 *next = NULL;
447 *len = cipher-start;
448 return start;
449 }
450
451 static PRUint32
452 secmod_parsePolicyValue(const char *policyFlags, int policyLength)
453 {
454 const char *flag, *currentString;
455 PRUint32 flags = 0;
456 int i;
457
458 for (currentString = policyFlags; currentString
459 && currentString < policyFlags + policyLength; ) {
460 int length;
461 flag = secmod_ArgGetSubValue(currentString, ',', ':', &length,
462 &currentString);
463 if (length == 0) {
464 continue;
465 }
466 for (i = 0; i < PR_ARRAY_SIZE(policyFlagList); i++) {
467 const policyFlagDef *policy = &policyFlagList[i];
468 unsigned name_size = policy->name_size;
469 if ((policy->name_size == length) &&
470 PORT_Strncasecmp(policy->name, flag, name_size) == 0) {
471 flags |= policy->flag;
472 break;
473 }
474 }
475 }
476 return flags;
477 }
478
479
480 /* allow symbolic names for values. The only ones currently defines or
481 * SSL protocol versions. */
482 static PRInt32
483 secmod_getPolicyOptValue(const char *policyValue, int policyValueLength)
484 {
485 PRInt32 val = atoi(policyValue);
486 int i;
487
488
489 if ((val != 0) || (*policyValue == '0')) {
490 return val;
491 }
492 for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
493 if (policyValueLength == sslOptList[i].name_size &&
494 PORT_Strncasecmp(sslOptList[i].name, policyValue,
495 sslOptList[i].name_size) == 0 ) {
496 val = sslOptList[i].option;
497 break;
498 }
499 }
500 return val;
501 }
502
503 static SECStatus secmod_applyCryptoPolicy(const char *policyString,
504 PRBool allow)
505 {
506 const char *cipher, *currentString;
507 unsigned i;
508 SECStatus rv = SECSuccess;
509 PRBool unknown;
510
511
512 if (policyString == NULL || policyString[0] == 0) {
513 return SECSuccess; /* do nothing */
514 }
515
516 /* if we change any of these, make sure it gets applied in ssl as well */
517 NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
518
519 for (currentString = policyString; currentString; ) {
520 int length;
521 PRBool newValue = PR_FALSE;
522
523 cipher = secmod_ArgGetSubValue(currentString, ':', 0, &length,
524 &currentString);
525 unknown = PR_TRUE;
526 if (length >= 3 && cipher[3] == '/') {
527 newValue = PR_TRUE;
528 }
529 if ((newValue || (length == 3))
530 && PORT_Strncasecmp(cipher, "all", 3) == 0) {
531 /* disable or enable all options by default */
532 PRUint32 value = 0;
533 if (newValue) {
534 value = secmod_parsePolicyValue(&cipher[3]+1, length-3-1);
535 }
536 for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
537 PRUint32 enable, disable;
538 if (!newValue) {
539 value = algOptList[i].val;
540 }
541 if (allow) {
542 enable = value;
543 disable = 0;
544 } else {
545 enable = 0;
546 disable = value;
547 }
548 NSS_SetAlgorithmPolicy(algOptList[i].oid, enable, disable);
549 }
550 continue;
551 }
552
553 for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
554 const oidValDef *algOpt = &algOptList[i];
555 unsigned name_size = algOpt->name_size;
556 PRBool newValue = PR_FALSE;
557
558 if ((length >= name_size) && (cipher[name_size] == '/')) {
559 newValue = PR_TRUE;
560 }
561 if ( (newValue || algOpt->name_size == length) &&
562 PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
563 PRUint32 value = algOpt->val;
564 PRUint32 enable, disable;
565 if (newValue) {
566 value = secmod_parsePolicyValue(&cipher[name_size]+1,
567 length-name_size-1);
568 }
569 if (allow) {
570 enable = value;
571 disable = 0;
572 } else {
573 enable = 0;
574 disable = value;
575 }
576 rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
577 if (rv != SECSuccess) {
578 /* could not enable option */
579 /* NSS_SetAlgorithPolicy should have set the error code */
580 return SECFailure;
581 }
582 unknown = PR_FALSE;
583 break;
584 }
585 }
586 if (!unknown) {
587 continue;
588 }
589
590 for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) {
591 const optionFreeDef *freeOpt = &freeOptList[i];
592 unsigned name_size = freeOpt->name_size;
593
594 if ((length > name_size) && cipher[name_size] == '=' &&
595 PORT_Strncasecmp(freeOpt->name, cipher, name_size) == 0 ) {
596 PRInt32 val = secmod_getPolicyOptValue( &cipher[name_size+1],
597 length-name_size-1);
598
599 rv = NSS_OptionSet(freeOpt->option, val);
600 if (rv != SECSuccess) {
601 /* could not enable option */
602 /* NSS_OptionSet should have set the error code */
603 return SECFailure;
604 }
605 /* to allow the policy to expand in the future. ignore ciphers
606 * we don't understand */
607 unknown = PR_FALSE;
608 break;
609 }
610 }
611 }
612 return rv;
613 }
614
615 static SECStatus
616 secmod_parseCryptoPolicy(const char *policyConfig)
617 {
618 char *disallow, *allow;
619 SECStatus rv;
620
621 if (policyConfig == NULL) {
622 return SECSuccess; /* no policy given */
623 }
624 /* make sure we initialize the oid table and set all the default policy
625 * values first so we can override them here */
626 rv = SECOID_Init();
627 if (rv != SECSuccess) {
628 return rv;
629 }
630 disallow = NSSUTIL_ArgGetParamValue("disallow",policyConfig);
631 rv = secmod_applyCryptoPolicy(disallow, PR_FALSE);
632 if (disallow) PORT_Free(disallow);
633 if (rv != SECSuccess) {
634 return rv;
635 }
636 allow = NSSUTIL_ArgGetParamValue("allow",policyConfig);
637 rv = secmod_applyCryptoPolicy(allow, PR_TRUE);
638 if (allow) PORT_Free(allow);
639 return rv;
640 }
641
642 /*
141 * for 3.4 we continue to use the old SECMODModule structure 643 * for 3.4 we continue to use the old SECMODModule structure
142 */ 644 */
143 SECMODModule * 645 SECMODModule *
144 SECMOD_CreateModuleEx(const char *library, const char *moduleName, 646 SECMOD_CreateModuleEx(const char *library, const char *moduleName,
145 const char *parameters, const char *nss, 647 const char *parameters, const char *nss,
146 const char *config) 648 const char *config)
147 { 649 {
148 SECMODModule *mod = secmod_NewModule(); 650 SECMODModule *mod;
651 SECStatus rv;
149 char *slotParams,*ciphers; 652 char *slotParams,*ciphers;
150 /* pk11pars.h still does not have const char * interfaces */ 653 /* pk11pars.h still does not have const char * interfaces */
151 char *nssc = (char *)nss; 654 char *nssc = (char *)nss;
655
656 rv = secmod_parseCryptoPolicy(config);
657
658 /* do not load the module if policy parsing fails */
659 if (rv != SECSuccess) {
660 return NULL;
661 }
662
663 mod = secmod_NewModule();
152 if (mod == NULL) return NULL; 664 if (mod == NULL) return NULL;
153 665
154 mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : ""); 666 mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName : "");
155 if (library) { 667 if (library) {
156 mod->dllName = PORT_ArenaStrdup(mod->arena,library); 668 mod->dllName = PORT_ArenaStrdup(mod->arena,library);
157 } 669 }
158 /* new field */ 670 /* new field */
159 if (parameters) { 671 if (parameters) {
160 mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters); 672 mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
161 } 673 }
162 if (config) { 674
163 » /* XXX: Apply configuration */
164 }
165 mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc); 675 mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
166 mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc); 676 mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
167 mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc); 677 mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
168 slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc); 678 slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc);
169 mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams, 679 mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams,
170 &mod->slotInfoCount); 680 &mod->slotInfoCount);
171 if (slotParams) PORT_Free(slotParams); 681 if (slotParams) PORT_Free(slotParams);
172 /* new field */ 682 /* new field */
173 mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder",nssc, 683 mod->trustOrder = NSSUTIL_ArgReadLong("trustOrder",nssc,
174 NSSUTIL_DEFAULT_TRUST_ORDER,NULL); 684 NSSUTIL_DEFAULT_TRUST_ORDER,NULL);
(...skipping 134 matching lines...) Expand 10 before | Expand all | Expand 10 after
309 /* 819 /*
310 * Find any tokens= values in the module spec. 820 * Find any tokens= values in the module spec.
311 * Always return a new spec which does not have any tokens= arguments. 821 * Always return a new spec which does not have any tokens= arguments.
312 * If tokens= arguments are found, Split the the various tokens defined into 822 * If tokens= arguments are found, Split the the various tokens defined into
313 * an array of child specs to return. 823 * an array of child specs to return.
314 * 824 *
315 * Caller is responsible for freeing the child spec and the new token 825 * Caller is responsible for freeing the child spec and the new token
316 * spec. 826 * spec.
317 */ 827 */
318 char * 828 char *
319 secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS, 829 secmod_ParseModuleSpecForTokens(PRBool convert, PRBool isFIPS,
320 » » » » char *moduleSpec, char ***children, 830 » » » » const char *moduleSpec, char ***children,
321 CK_SLOT_ID **ids) 831 CK_SLOT_ID **ids)
322 { 832 {
323 int newSpecLen = PORT_Strlen(moduleSpec)+2; 833 int newSpecLen = PORT_Strlen(moduleSpec)+2;
324 char *newSpec = PORT_Alloc(newSpecLen); 834 char *newSpec = PORT_Alloc(newSpecLen);
325 char *newSpecPtr = newSpec; 835 char *newSpecPtr = newSpec;
326 char *modulePrev = moduleSpec; 836 const char *modulePrev = moduleSpec;
327 char *target = NULL; 837 char *target = NULL;
328 char *tmp = NULL; 838 char *tmp = NULL;
329 char **childArray = NULL; 839 char **childArray = NULL;
330 char *tokenIndex; 840 const char *tokenIndex;
331 CK_SLOT_ID *idArray = NULL; 841 CK_SLOT_ID *idArray = NULL;
332 int tokenCount = 0; 842 int tokenCount = 0;
333 int i; 843 int i;
334 844
335 if (newSpec == NULL) { 845 if (newSpec == NULL) {
336 return NULL; 846 return NULL;
337 } 847 }
338 848
339 *children = NULL; 849 *children = NULL;
340 if (ids) { 850 if (ids) {
(...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after
480 /* return it */ 990 /* return it */
481 *children = childArray; 991 *children = childArray;
482 if (ids) { 992 if (ids) {
483 *ids = idArray; 993 *ids = idArray;
484 } 994 }
485 return newSpec; 995 return newSpec;
486 } 996 }
487 997
488 /* get the database and flags from the spec */ 998 /* get the database and flags from the spec */
489 static char * 999 static char *
490 secmod_getConfigDir(char *spec, char **certPrefix, char **keyPrefix, 1000 secmod_getConfigDir(const char *spec, char **certPrefix, char **keyPrefix,
491 PRBool *readOnly) 1001 PRBool *readOnly)
492 { 1002 {
493 char * config = NULL; 1003 char * config = NULL;
494 1004
495 *certPrefix = NULL; 1005 *certPrefix = NULL;
496 *keyPrefix = NULL; 1006 *keyPrefix = NULL;
497 *readOnly = NSSUTIL_ArgHasFlag("flags","readOnly",spec); 1007 *readOnly = NSSUTIL_ArgHasFlag("flags","readOnly",spec);
498 1008
499 spec = NSSUTIL_ArgStrip(spec); 1009 spec = NSSUTIL_ArgStrip(spec);
500 while (*spec) { 1010 while (*spec) {
(...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after
570 /* explicit dbm open */ 1080 /* explicit dbm open */
571 if (strncmp(configDir, "dbm:", 4) == 0) { 1081 if (strncmp(configDir, "dbm:", 4) == 0) {
572 return PR_TRUE; 1082 return PR_TRUE;
573 } 1083 }
574 /* explicit open of a non-dbm database */ 1084 /* explicit open of a non-dbm database */
575 if ((strncmp(configDir, "sql:",4) == 0) 1085 if ((strncmp(configDir, "sql:",4) == 0)
576 || (strncmp(configDir, "rdb:", 4) == 0) 1086 || (strncmp(configDir, "rdb:", 4) == 0)
577 || (strncmp(configDir, "extern:", 7) == 0)) { 1087 || (strncmp(configDir, "extern:", 7) == 0)) {
578 return PR_FALSE; 1088 return PR_FALSE;
579 } 1089 }
580 env = PR_GetEnv("NSS_DEFAULT_DB_TYPE"); 1090 env = PR_GetEnvSecure("NSS_DEFAULT_DB_TYPE");
581 /* implicit dbm open */ 1091 /* implicit dbm open */
582 if ((env == NULL) || (strcmp(env,"dbm") == 0)) { 1092 if ((env == NULL) || (strcmp(env,"dbm") == 0)) {
583 return PR_TRUE; 1093 return PR_TRUE;
584 } 1094 }
585 /* implicit non-dbm open */ 1095 /* implicit non-dbm open */
586 return PR_FALSE; 1096 return PR_FALSE;
587 } 1097 }
588 1098
589 /* 1099 /*
590 * match two prefixes. prefix may be NULL. NULL patches '\0' 1100 * match two prefixes. prefix may be NULL. NULL patches '\0'
(...skipping 551 matching lines...) Expand 10 before | Expand all | Expand 10 after
1142 1652
1143 SECMOD_GetReadLock(moduleLock); 1653 SECMOD_GetReadLock(moduleLock);
1144 rv = STAN_RemoveModuleFromDefaultTrustDomain(mod); 1654 rv = STAN_RemoveModuleFromDefaultTrustDomain(mod);
1145 SECMOD_ReleaseReadLock(moduleLock); 1655 SECMOD_ReleaseReadLock(moduleLock);
1146 if (SECSuccess != rv) { 1656 if (SECSuccess != rv) {
1147 return SECFailure; 1657 return SECFailure;
1148 } 1658 }
1149 return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE); 1659 return SECMOD_DeleteModuleEx(NULL, mod, &atype, PR_FALSE);
1150 } 1660 }
1151 1661
OLDNEW
« no previous file with comments | « nss/lib/pk11wrap/pk11obj.c ('k') | nss/lib/pk11wrap/pk11pbe.c » ('j') | nss/lib/util/secoid.c » ('J')

Powered by Google App Engine
This is Rietveld 408576698