This commit introduces various 'dummy' OIDs to pass parameters
from the NSS to the SSL module.
---
lib/nss/nssinit.c | 1 +
lib/pk11wrap/pk11pars.c | 327 +++++++++++++++++++++++++++++++++++++++++++++++-
lib/ssl/ssl3con.c | 198 +++++++++++++++++++++--------
lib/ssl/sslimpl.h | 5 +
lib/ssl/sslinit.c | 3 +-
lib/util/secoid.c | 82 +++++++++++-
lib/util/secoidt.h | 40 ++++++
7 files changed, 596 insertions(+), 60 deletions(-)
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
index 6218a7e..76f4e67 100644
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -633,6 +633,7 @@ nss_Init(const char *configdir, const char *certPrefix,
const char *keyPrefix,
passwordRequired = pk11_password_required;
}
+
/* Skip the module init if we are already initted and we are trying
* to init with noCertDB and noModDB */
if (!(isReallyInitted && noCertDB && noModDB)) {
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
index 40ac790..438996c 100644
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -7,6 +7,7 @@
*/
#include <ctype.h>
+#include <assert.h>
#include "pkcs11.h"
#include "seccomon.h"
#include "secmod.h"
@@ -14,6 +15,7 @@
#include "secmodti.h"
#include "pki3hack.h"
#include "secerr.h"
+#include "nss.h"
#include "utilpars.h"
@@ -137,6 +139,310 @@ SECMOD_CreateModule(const char *library, const char
*moduleName,
return SECMOD_CreateModuleEx(library, moduleName, parameters, nss, NULL);
}
+/* NSS config options format:
+ *
+ * The specified ciphersuites will be enabled, but an application
+ * may enable more:
+ * config=curve1:curve2:hash1:hash2:rsa-1024...
+ *
+ * Only the specified hashes and curves will be enabled:
+ * config=sha1:sha256:secp256r1:secp384r1
+ *
+ * Only the specified hashes and curves will be enabled, and
+ * RSA keys of 2048 or more will be accepted, and DH key exchange
+ * with 1024-bit primes or more:
+ * config=sha1:sha256:secp256r1:secp384r1:min-rsa=2048:min-dh=1024
+ *
+ * A policy that enables the AES ciphersuites and the SECP256/384 curves:
+ *
config=aes128-cbc:aes128-gcm:TLS1.0:TLS1.2:TLS1.1:HMAC-SHA1:SHA1:SHA256:SHA384:RSA:ECDHE-RSA:SECP256R1:SECP384R1
+ *
+ */
+
+typedef struct {
+ const char *name;
+ SECOidTag oid;
+ PRUint32 val;
+} oidValDef;
+
+typedef struct {
+ const char *name;
+ unsigned name_size;
+ PRInt32 option;
+} optionFreeDef;
+
+#define STR(x) x,(sizeof(x)-1)
+static const oidValDef algOptList[] = {
+ /* Curves */
+ {"PRIME192V1", SEC_OID_ANSIX962_EC_PRIME192V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME192V2", SEC_OID_ANSIX962_EC_PRIME192V2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME192V3", SEC_OID_ANSIX962_EC_PRIME192V3,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME239V1", SEC_OID_ANSIX962_EC_PRIME239V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME239V2", SEC_OID_ANSIX962_EC_PRIME239V2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME239V3", SEC_OID_ANSIX962_EC_PRIME239V3,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"PRIME256V1", SEC_OID_ANSIX962_EC_PRIME256V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP112R1", SEC_OID_SECG_EC_SECP112R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP112R2", SEC_OID_SECG_EC_SECP112R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP128R1", SEC_OID_SECG_EC_SECP128R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP128R2", SEC_OID_SECG_EC_SECP128R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP160K1", SEC_OID_SECG_EC_SECP160K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP160R1", SEC_OID_SECG_EC_SECP160R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP160R2", SEC_OID_SECG_EC_SECP160R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP192K1", SEC_OID_SECG_EC_SECP192K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP192R1", SEC_OID_ANSIX962_EC_PRIME192V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP224K1", SEC_OID_SECG_EC_SECP224K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP256K1", SEC_OID_SECG_EC_SECP256K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP256R1", SEC_OID_ANSIX962_EC_PRIME256V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP384R1", SEC_OID_SECG_EC_SECP384R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECP521R1", SEC_OID_SECG_EC_SECP521R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ /* ANSI X9.62 named elliptic curves (characteristic two field) */
+ {"C2PNB163V1", SEC_OID_ANSIX962_EC_C2PNB163V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB163V2", SEC_OID_ANSIX962_EC_C2PNB163V2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB163V3", SEC_OID_ANSIX962_EC_C2PNB163V3,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB176V1", SEC_OID_ANSIX962_EC_C2PNB176V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB191V1", SEC_OID_ANSIX962_EC_C2TNB191V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB191V2", SEC_OID_ANSIX962_EC_C2TNB191V2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB191V3", SEC_OID_ANSIX962_EC_C2TNB191V3,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2ONB191V4", SEC_OID_ANSIX962_EC_C2ONB191V4,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2ONB191V5", SEC_OID_ANSIX962_EC_C2ONB191V5,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB208W1", SEC_OID_ANSIX962_EC_C2PNB208W1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB239V1", SEC_OID_ANSIX962_EC_C2TNB239V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB239V2", SEC_OID_ANSIX962_EC_C2TNB239V2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB239V3", SEC_OID_ANSIX962_EC_C2TNB239V3,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2ONB239V4", SEC_OID_ANSIX962_EC_C2ONB239V4,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2ONB239V5", SEC_OID_ANSIX962_EC_C2ONB239V5,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB272W1", SEC_OID_ANSIX962_EC_C2PNB272W1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB304W1", SEC_OID_ANSIX962_EC_C2PNB304W1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB359V1", SEC_OID_ANSIX962_EC_C2TNB359V1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2PNB368W1", SEC_OID_ANSIX962_EC_C2PNB368W1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"C2TNB431R1", SEC_OID_ANSIX962_EC_C2TNB431R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ /* SECG named elliptic curves (characteristic two field) */
+ {"SECT113R1", SEC_OID_SECG_EC_SECT113R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT131R1", SEC_OID_SECG_EC_SECT113R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT131R1", SEC_OID_SECG_EC_SECT131R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT131R2", SEC_OID_SECG_EC_SECT131R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT163K1", SEC_OID_SECG_EC_SECT163K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT163R1", SEC_OID_SECG_EC_SECT163R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT163R2", SEC_OID_SECG_EC_SECT163R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT193R1", SEC_OID_SECG_EC_SECT193R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT193R2", SEC_OID_SECG_EC_SECT193R2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT233K1", SEC_OID_SECG_EC_SECT233K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT233R1", SEC_OID_SECG_EC_SECT233R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT239K1", SEC_OID_SECG_EC_SECT239K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT283K1", SEC_OID_SECG_EC_SECT283K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT283R1", SEC_OID_SECG_EC_SECT283R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT409K1", SEC_OID_SECG_EC_SECT409K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT409R1", SEC_OID_SECG_EC_SECT409R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT571K1", SEC_OID_SECG_EC_SECT571K1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SECT571R1", SEC_OID_SECG_EC_SECT571R1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+
+ /* Hashes */
+ {"MD2", SEC_OID_MD2,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"MD4", SEC_OID_MD4,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"MD5", SEC_OID_MD5,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SHA1", SEC_OID_SHA1,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SHA224", SEC_OID_SHA224,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SHA256", SEC_OID_SHA256,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SHA384", SEC_OID_SHA384,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+ {"SHA512", SEC_OID_SHA512,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE},
+
+ /* MACs */
+ {"HMAC-SHA1", SEC_OID_HMAC_SHA1, NSS_USE_ALG_IN_SSL},
+ {"HMAC-SHA224", SEC_OID_HMAC_SHA224, NSS_USE_ALG_IN_SSL},
+ {"HMAC-SHA256", SEC_OID_HMAC_SHA256, NSS_USE_ALG_IN_SSL},
+ {"HMAC-SHA384", SEC_OID_HMAC_SHA384, NSS_USE_ALG_IN_SSL},
+ {"HMAC-SHA512", SEC_OID_HMAC_SHA512, NSS_USE_ALG_IN_SSL},
+ {"HMAC-MD5", SEC_OID_HMAC_MD5, NSS_USE_ALG_IN_SSL},
+
+ /* Ciphers */
+ {"AES128-CBC", SEC_OID_AES_128_CBC, NSS_USE_ALG_IN_SSL},
+ {"AES192-CBC", SEC_OID_AES_192_CBC, NSS_USE_ALG_IN_SSL},
+ {"AES256-CBC", SEC_OID_AES_256_CBC, NSS_USE_ALG_IN_SSL},
+ {"AES128-GCM", SEC_OID_AES_128_GCM, NSS_USE_ALG_IN_SSL},
+ {"AES192-GCM", SEC_OID_AES_192_GCM, NSS_USE_ALG_IN_SSL},
+ {"AES256-GCM", SEC_OID_AES_256_GCM, NSS_USE_ALG_IN_SSL},
+ {"CAMELLIA128-CBC", SEC_OID_CAMELLIA_128_CBC, NSS_USE_ALG_IN_SSL},
+ {"CAMELLIA192-CBC", SEC_OID_CAMELLIA_192_CBC, NSS_USE_ALG_IN_SSL},
+ {"CAMELLIA256-CBC", SEC_OID_CAMELLIA_256_CBC, NSS_USE_ALG_IN_SSL},
+ {"SEED-CBC", SEC_OID_SEED_CBC, NSS_USE_ALG_IN_SSL},
+ {"DES-EDE3-CBC", SEC_OID_DES_EDE3_CBC, NSS_USE_ALG_IN_SSL},
+ {"DES-40-CBC", SEC_OID_DES_40_CBC, NSS_USE_ALG_IN_SSL},
+ {"DES-CBC", SEC_OID_DES_CBC, NSS_USE_ALG_IN_SSL},
+ {"NULL-CIPHER", SEC_OID_NULL_CIPHER, NSS_USE_ALG_IN_SSL},
+ {"RC2", SEC_OID_RC2_CBC, NSS_USE_ALG_IN_SSL},
+ {"RC4", SEC_OID_RC4, NSS_USE_ALG_IN_SSL},
+ {"IDEA", SEC_OID_IDEA_CBC, NSS_USE_ALG_IN_SSL},
+
+ /* Key exchange */
+ {"RSA", SEC_OID_TLS_RSA, NSS_USE_ALG_IN_SSL_KX},
+ {"RSA-EXPORT", SEC_OID_TLS_RSA_EXPORT, NSS_USE_ALG_IN_SSL_KX},
+ {"DHE-RSA", SEC_OID_TLS_DHE_RSA, NSS_USE_ALG_IN_SSL_KX},
+ {"DHE-DSS", SEC_OID_TLS_DHE_DSS, NSS_USE_ALG_IN_SSL_KX},
+ {"DH-RSA", SEC_OID_TLS_DH_RSA, NSS_USE_ALG_IN_SSL_KX},
+ {"DH-DSS", SEC_OID_TLS_DH_DSS, NSS_USE_ALG_IN_SSL_KX},
+ {"ECDHE-ECDSA", SEC_OID_TLS_ECDHE_ECDSA, NSS_USE_ALG_IN_SSL_KX},
+ {"ECDHE-RSA", SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX},
+ {"ECDH-ECDSA", SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX},
+ {"ECDH-RSA", SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX},
+
+ /* Versions */
+ {"SSL2.0", SEC_OID_SSL_V2_0, NSS_USE_ALG_IN_SSL_KX},
+ {"SSL3.0", SEC_OID_SSL_V3_0, NSS_USE_ALG_IN_SSL_KX},
+ {"TLS1.0", SEC_OID_TLS_V1_0, NSS_USE_ALG_IN_SSL_KX},
+ {"TLS1.1", SEC_OID_TLS_V1_1, NSS_USE_ALG_IN_SSL_KX},
+ {"TLS1.2", SEC_OID_TLS_V1_2, NSS_USE_ALG_IN_SSL_KX},
+ {"DTLS1.0", SEC_OID_DTLS_V1_0, NSS_USE_ALG_IN_SSL_KX},
+ {"DTLS1.2", SEC_OID_DTLS_V1_2, NSS_USE_ALG_IN_SSL_KX},
+};
+
+static const optionFreeDef freeOptList[] = {
+
+ /* Restrictions for RSA keys */
+ {STR("MIN-RSA"), NSS_RSA_MIN_KEY_SIZE},
+ {STR("MIN-DH"), NSS_DH_MIN_KEY_SIZE},
+ {STR("MIN-DSA"), NSS_DSA_MIN_KEY_SIZE},
+};
+
+static SECStatus applyCryptoPolicy(char *policy)
+{
+ char *s, *sp, *p;
+ unsigned i;
+ SECStatus rv;
+ unsigned unknown;
+
+ if (policy == NULL) {
+ return SECSuccess; /* do nothing */
+ }
+
+ p = policy;
+
+ /* disable all options by default */
+ for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
+ NSS_SetAlgorithmPolicy(algOptList[i].oid, 0, algOptList[i].val);
+ }
+
+ NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL, 0);
+
+ do {
+ s = strtok_r(p, ":", &sp);
+ p = NULL;
+
+ if (s != NULL) {
+ unknown = 1;
+
+ for (i = 0; i < PR_ARRAY_SIZE(algOptList); i++) {
+ if (strcasecmp(algOptList[i].name, s) == 0) {
+ rv = NSS_SetAlgorithmPolicy(algOptList[i].oid,
+ algOptList[i].val, 0);
+ if (rv != SECSuccess) {
+ /* could not enable option */
+ rv = SECFailure;
+ goto cleanup;
+ }
+ unknown = 0;
+ break;
+ }
+ }
+
+ if (unknown != 0) {
+ for (i = 0; i < PR_ARRAY_SIZE(freeOptList); i++) {
+ if (strncasecmp(freeOptList[i].name, s,
freeOptList[i].name_size) == 0 &&
+ s[freeOptList[i].name_size] == '=') {
+ PRInt32 val = atoi(&s[freeOptList[i].name_size+1]);
+ assert(val != 0);
+
+ rv = NSS_OptionSet(freeOptList[i].option, val);
+ if (rv != SECSuccess) {
+ /* could not enable option */
+ rv = SECFailure;
+ goto cleanup;
+ }
+ unknown = 0;
+ break;
+ }
+ }
+ }
+
+ if (unknown != 0) {
+ fprintf(stderr, "error in term '%s'\n", s);
+ rv = SECFailure;
+ goto cleanup;
+ }
+ }
+ } while (s != NULL);
+
+ cleanup:
+ /*NSS cannot recover*/
+ rv = SECSuccess;
+ return rv;
+}
+
/*
* for 3.4 we continue to use the old SECMODModule structure
*/
@@ -145,10 +451,25 @@ SECMOD_CreateModuleEx(const char *library, const char
*moduleName,
const char *parameters, const char *nss,
const char *config)
{
- SECMODModule *mod = secmod_NewModule();
+ SECMODModule *mod;
+ SECStatus rv;
char *slotParams,*ciphers;
/* pk11pars.h still does not have const char * interfaces */
char *nssc = (char *)nss;
+ char *configc = NULL;
+
+ if (config) {
+ configc = PORT_Strdup(config); /* no const */
+ }
+ rv = applyCryptoPolicy(configc);
+ if (configc) PORT_Free(configc);
+
+ /* do not load the module if policy parsing fails */
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+
+ mod = secmod_NewModule();
if (mod == NULL) return NULL;
mod->commonName = PORT_ArenaStrdup(mod->arena,moduleName ? moduleName :
"");
@@ -159,9 +480,7 @@ SECMOD_CreateModuleEx(const char *library, const char
*moduleName,
if (parameters) {
mod->libraryParams = PORT_ArenaStrdup(mod->arena,parameters);
}
- if (config) {
- /* XXX: Apply configuration */
- }
+
mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc);
mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc);
mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc);
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index 5d9265c..918a037 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -256,56 +256,56 @@ static SSL3Statistics ssl3stats;
/* indexed by SSL3BulkCipher */
static const ssl3BulkCipherDef bulk_cipher_defs[] = {
- /* |--------- Lengths --------| */
- /* cipher calg k s type i b t n */
- /* e e v l a o */
- /* y c | o g n */
- /* | r | c | c */
- /* | e | k | e */
- /* | t | | | | */
- {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
- {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0},
- {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0},
- {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0},
- {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0},
- {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0},
- {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0},
- {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0},
- {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0},
- {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0},
- {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0},
- {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0},
- {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0},
- {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0},
- {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0},
- {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8},
- {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0},
+ /* |--------- Lengths --------| */
+ /* cipher calg k s type i b t n
*/
+ /* e e v l a o o
*/
+ /* y c | o g n i
*/
+ /* | r | c | c d
*/
+ /* | e | k | e |
*/
+ /* | t | | | | |
*/
+ {cipher_null, calg_null, 0, 0, type_stream, 0, 0, 0, 0,
SEC_OID_NULL_CIPHER},
+ {cipher_rc4, calg_rc4, 16,16, type_stream, 0, 0, 0, 0,
SEC_OID_RC4},
+ {cipher_rc4_40, calg_rc4, 16, 5, type_stream, 0, 0, 0, 0,
SEC_OID_RC4_40},
+ {cipher_rc4_56, calg_rc4, 16, 7, type_stream, 0, 0, 0, 0,
SEC_OID_RC4_56},
+ {cipher_rc2, calg_rc2, 16,16, type_block, 8, 8, 0, 0,
SEC_OID_RC2_CBC},
+ {cipher_rc2_40, calg_rc2, 16, 5, type_block, 8, 8, 0, 0,
SEC_OID_RC2_40_CBC},
+ {cipher_des, calg_des, 8, 8, type_block, 8, 8, 0, 0,
SEC_OID_DES_CBC},
+ {cipher_3des, calg_3des, 24,24, type_block, 8, 8, 0, 0,
SEC_OID_DES_EDE3_CBC},
+ {cipher_des40, calg_des, 8, 5, type_block, 8, 8, 0, 0,
SEC_OID_DES_40_CBC},
+ {cipher_idea, calg_idea, 16,16, type_block, 8, 8, 0, 0,
SEC_OID_IDEA_CBC},
+ {cipher_aes_128, calg_aes, 16,16, type_block, 16,16, 0, 0,
SEC_OID_AES_128_CBC},
+ {cipher_aes_256, calg_aes, 32,32, type_block, 16,16, 0, 0,
SEC_OID_AES_256_CBC},
+ {cipher_camellia_128, calg_camellia, 16,16, type_block, 16,16, 0, 0,
SEC_OID_CAMELLIA_128_CBC},
+ {cipher_camellia_256, calg_camellia, 32,32, type_block, 16,16, 0, 0,
SEC_OID_CAMELLIA_256_CBC},
+ {cipher_seed, calg_seed, 16,16, type_block, 16,16, 0, 0,
SEC_OID_SEED_CBC},
+ {cipher_aes_128_gcm, calg_aes_gcm, 16,16, type_aead, 4, 0,16, 8,
SEC_OID_AES_128_GCM},
+ {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, 0, 0, 0},
};
static const ssl3KEADef kea_defs[] =
{ /* indexed by SSL3KeyExchangeAlgorithm */
- /* kea exchKeyType signKeyType is_limited limit tls_keygen */
- {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE},
- {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE},
- {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
- {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
- {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE},
- {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE},
- {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE},
- {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE},
- {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE},
- {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE },
+ /* kea exchKeyType signKeyType is_limited limit tls_keygen
oid*/
+ {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE, 0},
+ {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_RSA},
+ {kea_rsa_export, kt_rsa, sign_rsa, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_RSA_EXPORT},
+ {kea_rsa_export_1024,kt_rsa, sign_rsa, PR_TRUE, 1024, PR_FALSE,
SEC_OID_TLS_RSA_EXPORT},
+ {kea_dh_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_DH_DSS},
+ {kea_dh_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_DH_DSS},
+ {kea_dh_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_DH_RSA},
+ {kea_dh_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_DH_RSA},
+ {kea_dhe_dss, kt_dh, sign_dsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_DHE_DSS},
+ {kea_dhe_dss_export, kt_dh, sign_dsa, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_DHE_DSS},
+ {kea_dhe_rsa, kt_dh, sign_rsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_DHE_RSA},
+ {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_DHE_RSA},
+ {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_DH_ANON},
+ {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE,
SEC_OID_TLS_DH_ANON},
+ {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE,
SEC_OID_TLS_RSA},
#ifndef NSS_DISABLE_ECC
- {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
- {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE},
- {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE},
- {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE},
+ {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_ECDH_ECDSA},
+ {kea_ecdhe_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_ECDHE_ECDSA},
+ {kea_ecdh_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_ECDH_RSA},
+ {kea_ecdhe_rsa, kt_ecdh, sign_rsa, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_ECDHE_RSA},
+ {kea_ecdh_anon, kt_ecdh, sign_null, PR_FALSE, 0, PR_FALSE,
SEC_OID_TLS_ECDH_ANON},
#endif /* NSS_DISABLE_ECC */
};
@@ -483,13 +483,13 @@ static const SSLCipher2Mech alg2Mech[] = {
static const ssl3MACDef mac_defs[] = { /* indexed by SSL3MACAlgorithm */
/* pad_size is only used for SSL 3.0 MAC. See RFC 6101 Sec. 5.2.3.1. */
/* mac mmech pad_size mac_size */
- { mac_null, mmech_invalid, 0, 0 },
- { mac_md5, mmech_md5, 48, MD5_LENGTH },
- { mac_sha, mmech_sha, 40, SHA1_LENGTH},
- {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH },
- {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH},
- {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH},
- { mac_aead, mmech_invalid, 0, 0 },
+ { mac_null, mmech_invalid, 0, 0 , 0},
+ { mac_md5, mmech_md5, 48, MD5_LENGTH, SEC_OID_HMAC_MD5 },
+ { mac_sha, mmech_sha, 40, SHA1_LENGTH, SEC_OID_HMAC_SHA1},
+ {hmac_md5, mmech_md5_hmac, 0, MD5_LENGTH, SEC_OID_HMAC_MD5},
+ {hmac_sha, mmech_sha_hmac, 0, SHA1_LENGTH, SEC_OID_HMAC_SHA1},
+ {hmac_sha256, mmech_sha256_hmac, 0, SHA256_LENGTH, SEC_OID_HMAC_SHA256},
+ { mac_aead, mmech_invalid, 0, 0, 0 },
};
/* indexed by SSL3BulkCipher */
@@ -12089,4 +12089,98 @@ ssl3_DestroySSL3Info(sslSocket *ss)
SECITEM_FreeItem(&ss->ssl3.nextProto, PR_FALSE);
}
+typedef struct {
+ SSL3ProtocolVersion num;
+ SSLProtocolVariant variant;
+} rangeDef;
+
+static const rangeDef rangeList[] = {
+ {SSL_LIBRARY_VERSION_2, ssl_variant_stream},
+ {SSL_LIBRARY_VERSION_3_0, ssl_variant_stream},
+ {SSL_LIBRARY_VERSION_TLS_1_0, ssl_variant_stream},
+ {SSL_LIBRARY_VERSION_TLS_1_1, ssl_variant_stream},
+ {SSL_LIBRARY_VERSION_TLS_1_2, ssl_variant_stream},
+ {SSL_LIBRARY_VERSION_TLS_1_1, ssl_variant_datagram},
+ {SSL_LIBRARY_VERSION_TLS_1_2, ssl_variant_datagram},
+};
+
+SECStatus SSL_applyNSSPolicy(void)
+ {
+ unsigned i;
+ SECStatus rv;
+ PRUint32 policy = 0;
+ SSLVersionRange range;
+ SSLProtocolVariant variant;
+ const ssl3CipherSuiteDef *suite;
+
+ NSS_GetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, &policy);
+ if (!(policy & NSS_USE_POLICY_IN_SSL)) {
+ return SECSuccess; /* do nothing */
+ }
+
+ /* disable every ciphersuite */
+ for (i = 0; i < PR_ARRAY_SIZE(cipher_suite_defs); ++i) {
+ SSL_CipherPrefSetDefault(cipher_suite_defs[i].cipher_suite, PR_FALSE);
+
+ suite = &cipher_suite_defs[i];
+
+ rv = NSS_GetAlgorithmPolicy(kea_defs[suite->key_exchange_alg].oid,
&policy);
+ if (rv != SECSuccess || !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ SSL_CipherPolicySet(cipher_suite_defs[i].cipher_suite,
SSL_NOT_ALLOWED);
+ continue;
+ }
+
+ rv =
NSS_GetAlgorithmPolicy(bulk_cipher_defs[suite->bulk_cipher_alg].oid, &policy);
+ if (rv != SECSuccess || !(policy & NSS_USE_ALG_IN_SSL)) {
+ SSL_CipherPolicySet(cipher_suite_defs[i].cipher_suite,
SSL_NOT_ALLOWED);
+ continue;
+ }
+
+ if (bulk_cipher_defs[suite->bulk_cipher_alg].type != type_aead) {
+ rv = NSS_GetAlgorithmPolicy(mac_defs[suite->mac_alg].oid,
&policy);
+ if (rv != SECSuccess || !(policy & NSS_USE_ALG_IN_SSL)) {
+ SSL_CipherPolicySet(cipher_suite_defs[i].cipher_suite,
SSL_NOT_ALLOWED);
+ continue;
+ }
+ }
+
+ /*fprintf(stderr, "enabling: %.4x\n",
cipher_suite_defs[i].cipher_suite);*/
+ rv = SSL_CipherPrefSetDefault(cipher_suite_defs[i].cipher_suite,
PR_TRUE);
+ if (rv != SECSuccess) {
+ /* could not apply ciphersuite! */
+ }
+ }
+
+ for (variant = ssl_variant_stream; variant <= ssl_variant_datagram;
variant++) {
+ range.min = 0;
+ for (i = 0; i < PR_ARRAY_SIZE(rangeList); i++) {
+ if (rangeList[i].variant != variant)
+ continue;
+ rv = NSS_GetAlgorithmPolicy(rangeList[i].num, &policy);
+ if (rv == SECSuccess && (policy & NSS_USE_ALG_IN_SSL_KX)) {
+ range.min = rangeList[i].num;
+ variant = rangeList[i].variant;
+ break;
+ }
+ }
+
+ if (range.min != 0) {
+ range.max = range.min;
+ for (i = PR_ARRAY_SIZE(rangeList)-1; i>=0; i--) {
+ if (rangeList[i].variant != variant)
+ continue;
+
+ rv = NSS_GetAlgorithmPolicy(rangeList[i].num, &policy);
+ if (rv == SECSuccess && (policy & NSS_USE_ALG_IN_SSL_KX)) {
+ range.max = rangeList[i].num;
+ break;
+ }
+ }
+ SSL_VersionRangeSetDefault(variant, &range);
+ }
+ }
+
+ return SECSuccess;
+}
+
/* End of ssl3con.c */
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
index af3c191..ae69f04 100644
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -726,6 +726,7 @@ typedef struct {
PRBool is_limited;
int key_size_limit;
PRBool tls_keygen;
+ SECOidTag oid;
} ssl3KEADef;
/*
@@ -741,6 +742,7 @@ struct ssl3BulkCipherDefStr {
int block_size;
int tag_size; /* authentication tag size for AEAD ciphers. */
int explicit_nonce_size; /* for AEAD ciphers. */
+ SECOidTag oid;
};
/*
@@ -751,6 +753,7 @@ struct ssl3MACDefStr {
CK_MECHANISM_TYPE mmech;
int pad_size;
int mac_size;
+ SECOidTag oid;
};
typedef enum {
@@ -1900,6 +1903,8 @@ SECStatus SSL_DisableDefaultExportCipherSuites(void);
SECStatus SSL_DisableExportCipherSuites(PRFileDesc * fd);
PRBool SSL_IsExportCipherSuite(PRUint16 cipherSuite);
+SECStatus SSL_applyNSSPolicy(void);
+
extern SECStatus
ssl3_TLSPRFWithMasterSecret(ssl3CipherSpec *spec,
const char *label, unsigned int labelLen,
diff --git a/lib/ssl/sslinit.c b/lib/ssl/sslinit.c
index bb9df25..4a9b70e 100644
--- a/lib/ssl/sslinit.c
+++ b/lib/ssl/sslinit.c
@@ -11,6 +11,7 @@
#include "secerr.h"
#include "ssl.h"
#include "sslimpl.h"
+#include "sslproto.h"
static int ssl_inited = 0;
@@ -26,8 +27,8 @@ ssl_Init(void)
#ifdef DEBUG
ssl3_CheckCipherSuiteOrderConsistency();
#endif
-
ssl_inited = 1;
+ SSL_applyNSSPolicy();
}
return SECSuccess;
}
diff --git a/lib/util/secoid.c b/lib/util/secoid.c
index 9f121be..4f76803 100644
--- a/lib/util/secoid.c
+++ b/lib/util/secoid.c
@@ -169,6 +169,11 @@ const char __nss_util_sccsid[] = "@(#)NSS "
NSSUTIL_VERSION _DEBUG_STRING
#define CAMELLIA_ENCRYPT_OID MITSUBISHI_ALG,1
#define CAMELLIA_WRAP_OID MITSUBISHI_ALG,3
+/* For IDEA: 1.3.6.1.4.1.188.7.1.1
+ */
+#define ASCOM_OID 0x2b,0x6,0x1,0x4,0x1,0xbc
+#define ASCOM_IDEA_ALG ASCOM_OID,0x7,0x1,0x1
+
/* for SEED : iso(1) member-body(2) korea(410)
* kisa(200004) algorithm(1)
*/
@@ -465,6 +470,10 @@ CONST_OID netscapeSMimeKEA[] = {
NETSCAPE_ALGS, 0x01 };
CONST_OID skipjackCBC[] = { MISSI, 0x04 };
CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
+CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 };
+CONST_OID aes128_GCM[] = { AES, 0x6 };
+CONST_OID aes192_GCM[] = { AES, 0x1a };
+CONST_OID aes256_GCM[] = { AES, 0x23 };
CONST_OID aes128_ECB[] = { AES, 1 };
CONST_OID aes128_CBC[] = { AES, 2 };
#ifdef DEFINE_ALL_AES_CIPHERS
@@ -588,8 +597,10 @@ CONST_OID evIncorporationCountry[] = {
EV_NAME_ATTRIBUTE, 3 };
#define OI(x) { siDEROID, (unsigned char *)x, sizeof x }
#ifndef SECOID_NO_STRINGS
#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, desc, mech, ext }
+#define ODE(tag,desc,mech,ext) { { siDEROID, NULL, 0 }, tag, desc, mech, ext }
#else
#define OD(oid,tag,desc,mech,ext) { OI(oid), tag, 0, mech, ext }
+#define ODE(tag,desc,mech,ext) { { siDEROID, NULL, 0 }, tag, 0, mech, ext }
#endif
#if defined(NSS_ALLOW_UNSUPPORTED_CRITICAL)
@@ -1648,7 +1659,71 @@ const static SECOidData oids[SEC_OID_TOTAL] = {
"Microsoft Trust List Signing",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
OD( x520Name, SEC_OID_AVA_NAME,
- "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION )
+ "X520 Name", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+
+ OD( aes128_GCM, SEC_OID_AES_128_GCM,
+ "AES-128-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
+ OD( aes192_GCM, SEC_OID_AES_192_GCM,
+ "AES-192-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
+ OD( aes256_GCM, SEC_OID_AES_256_GCM,
+ "AES-256-GCM", CKM_AES_GCM, INVALID_CERT_EXTENSION ),
+ OD( idea_CBC, SEC_OID_IDEA_CBC,
+ "IDEA_CBC", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+
+ ODE( SEC_OID_RC2_40_CBC,
+ "RC2-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_DES_40_CBC,
+ "DES-40-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_RC4_40,
+ "RC4-40", CKM_RC4, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_RC4_56,
+ "RC4-56", CKM_RC4, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_NULL_CIPHER,
+ "NULL cipher", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_HMAC_MD5,
+ "HMAC-MD5", CKM_MD5_HMAC, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_RSA,
+ "TLS RSA key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_DHE_RSA,
+ "TLS DHE-RSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_DHE_DSS,
+ "TLS DHE-DSS key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_DH_RSA,
+ "TLS DH-RSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_DH_DSS,
+ "TLS DH-DSS key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_DH_ANON,
+ "TLS DH-ANON key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_ECDHE_ECDSA,
+ "TLS ECDHE-ECDSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_ECDHE_RSA,
+ "TLS ECDHE-RSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_ECDH_ECDSA,
+ "TLS ECDH-ECDSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_ECDH_RSA,
+ "TLS ECDH-RSA key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_ECDH_ANON,
+ "TLS ECDH-ANON key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_RSA_EXPORT,
+ "TLS RSA-EXPORT key exchange", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_SSL_V2_0,
+ "SSL 2.0 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_SSL_V3_0,
+ "SSL 3.0 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_V1_0,
+ "TLS 1.0 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_V1_1,
+ "TLS 1.1 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_TLS_V1_2,
+ "TLS 1.2 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_DTLS_V1_0,
+ "DTLS 1.0 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_DTLS_V1_2,
+ "DTLS 1.2 protocol", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION ),
+ ODE( SEC_OID_APPLY_SSL_POLICY,
+ "Apply SSL policy (pseudo-OID)", CKM_INVALID_MECHANISM,
INVALID_CERT_EXTENSION ),
+
};
/* PRIVATE EXTENDED SECOID Table
@@ -1881,6 +1956,7 @@ secoid_HashNumber(const void *key)
return (PLHashNumber) key;
}
+#define DEF_FLAGS
(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SSL_KX)
static void
handleHashAlgSupport(char * envVal)
{
@@ -1896,14 +1972,14 @@ handleHashAlgSupport(char * envVal)
*nextArg++ = '\0';
}
}
- notEnable = (*arg == '-') ?
(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX) : 0;
+ notEnable = (*arg == '-') ? (DEF_FLAGS) : 0;
if ((*arg == '+' || *arg == '-') && *++arg) {
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
- (xOids[i].notPolicyFlags &
~(NSS_USE_ALG_IN_CERT_SIGNATURE|NSS_USE_ALG_IN_SSL_KX));
+ (xOids[i].notPolicyFlags & ~(DEF_FLAGS));
}
}
}
diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
index 747450e..3772643 100644
--- a/lib/util/secoidt.h
+++ b/lib/util/secoidt.h
@@ -443,6 +443,44 @@ typedef enum {
/* The 'name' attribute type in X.520 */
SEC_OID_AVA_NAME = 317,
+
+ SEC_OID_AES_128_GCM = 318,
+ SEC_OID_AES_192_GCM = 319,
+ SEC_OID_AES_256_GCM = 320,
+ SEC_OID_IDEA_CBC = 321,
+
+ /* pseudo - OIDs */
+
+ SEC_OID_RC2_40_CBC = 322,
+ SEC_OID_DES_40_CBC = 323,
+ SEC_OID_RC4_40 = 324,
+ SEC_OID_RC4_56 = 325,
+ SEC_OID_NULL_CIPHER = 326,
+
+ SEC_OID_HMAC_MD5 = 327,
+
+ SEC_OID_TLS_RSA = 328,
+ SEC_OID_TLS_DHE_RSA = 329,
+ SEC_OID_TLS_DHE_DSS = 330,
+ SEC_OID_TLS_DH_RSA = 331,
+ SEC_OID_TLS_DH_DSS = 332,
+ SEC_OID_TLS_DH_ANON = 333,
+ SEC_OID_TLS_ECDHE_ECDSA = 334,
+ SEC_OID_TLS_ECDHE_RSA = 335,
+ SEC_OID_TLS_ECDH_ECDSA = 336,
+ SEC_OID_TLS_ECDH_RSA = 337,
+ SEC_OID_TLS_ECDH_ANON = 338,
+ SEC_OID_TLS_RSA_EXPORT = 339,
+
+ SEC_OID_SSL_V2_0 = 340,
+ SEC_OID_SSL_V3_0 = 341,
+ SEC_OID_TLS_V1_0 = 342,
+ SEC_OID_TLS_V1_1 = 343,
+ SEC_OID_TLS_V1_2 = 344,
+ SEC_OID_DTLS_V1_0 = 345,
+ SEC_OID_DTLS_V1_2 = 346,
+ SEC_OID_APPLY_SSL_POLICY = 347,
+
SEC_OID_TOTAL
} SECOidTag;
@@ -477,6 +515,8 @@ struct SECOidDataStr {
#define NSS_USE_ALG_IN_CERT_SIGNATURE 0x00000001 /* CRLs and OCSP, too */
#define NSS_USE_ALG_IN_CMS_SIGNATURE 0x00000002 /* used in S/MIME */
#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange
*/
+#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record
protocol */
+#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL
protocol */
#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
--
1.9.0
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
