[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 16-Feb-2015 22:38:59 Branch: rpm-5_4 Handle: 2015021621385900 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c Log: - add suggested pure annotation (gcc 4.9.2). Summary: RevisionChanges Path 1.40.2.18 +1 -0 rpm/rpmio/rpmnss.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.17 -r1.40.2.18 rpmnss.c --- rpm/rpmio/rpmnss.c24 Sep 2014 13:03:04 - 1.40.2.17 +++ rpm/rpmio/rpmnss.c16 Feb 2015 21:38:59 - 1.40.2.18 @@ -102,6 +102,7 @@ return (((keyVN_t *)a)->V - ((keyVN_t *)b)->V); } +RPM_GNUC_PURE static const char * keyVN(keyVN_t * keys, size_t nkeys, /*@null@*/ int V) { @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 16-Aug-2013 21:32:42 Branch: rpm-5_4 Handle: 2013081619324200 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c Log: - nss: stub-in available {hash,pubkey} detection. Summary: RevisionChanges Path 1.40.2.7+7 -12 rpm/rpmio/rpmnss.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.6 -r1.40.2.7 rpmnss.c --- rpm/rpmio/rpmnss.c4 Aug 2013 06:59:50 - 1.40.2.6 +++ rpm/rpmio/rpmnss.c16 Aug 2013 19:32:42 - 1.40.2.7 @@ -618,8 +618,10 @@ nss->encAlg = getEncAlg(pubp->pubkey_algo); nss->hashAlg = getHashAlg(sigp->hash_algo); -if (nss->hashAlg == SEC_OID_UNKNOWN) +if (nss->hashAlg == SEC_OID_UNKNOWN) { +fprintf(stderr, "*** %s/%s hashAlg %d\n", dig->pubkey_algoN, dig->hash_algoN, (unsigned)nss->hashAlg); goto exit; +} /* Compare leading 16 bits of digest for quick check. */ rc = memcmp(nss->digest, sigp->signhash16, sizeof(sigp->signhash16)); @@ -1039,29 +1041,22 @@ static int rpmnssAvailableCipher(pgpDig dig, int algo) { int rc = 0; /* assume available */ -#ifdef NOTYET -rc = rpmgnssvailable(dig->impl, algo, - (gcry_md_test_algo(algo) || algo == PGPHASHALGO_MD5)); -#endif return rc; } static int rpmnssAvailableDigest(pgpDig dig, int algo) { int rc = 0; /* assume available */ -#ifdef NOTYET -rc = rpmgnssvailable(dig->impl, algo, - (gcry_md_test_algo(algo) || algo == PGPHASHALGO_MD5)); -#endif +SECOidTag hashAlgo = getHashAlg(algo); +rc = (hashAlgo == SEC_OID_UNKNOWN); /* XXX C, not boolean, return */ return rc; } static int rpmnssAvailablePubkey(pgpDig dig, int algo) { int rc = 0; /* assume available */ -#ifdef NOTYET -rc = rpmnssAvailable(dig->impl, algo, gcry_pk_test_algo(algo)); -#endif +SECOidTag encAlgo = getEncAlg(algo); +rc = (encAlgo == SEC_OID_UNKNOWN); /* XXX C, not boolean, return */ return rc; } @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 04-Aug-2013 08:59:50 Branch: rpm-5_4 Handle: 2013080406595000 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c Log: - nss: keygen: permit FIPS-180-3 and DSA2 parameter selection. todo++. Summary: RevisionChanges Path 1.40.2.6+106 -13rpm/rpmio/rpmnss.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.5 -r1.40.2.6 rpmnss.c --- rpm/rpmio/rpmnss.c4 Aug 2013 04:33:45 - 1.40.2.5 +++ rpm/rpmio/rpmnss.c4 Aug 2013 06:59:50 - 1.40.2.6 @@ -572,11 +572,11 @@ if (nss->nbits == 0) nss->nbits = 1024; /* XXX FIXME */ assert(nss->nbits); -{CK_MECHANISM_TYPE _type = CKM_RSA_PKCS_KEY_PAIR_GEN; - PK11SlotInfo * _slot = PK11_GetBestSlot(_type, NULL); +{void * _cx = NULL; + CK_MECHANISM_TYPE _type = CKM_RSA_PKCS_KEY_PAIR_GEN; + PK11SlotInfo * _slot = PK11_GetBestSlot(_type, _cx); int _isPerm = PR_FALSE; int _isSensitive = PR_TRUE; - void * _cx = NULL; if (_slot) { static unsigned _pe = 0x10001; /* XXX FIXME: pass in e */ @@ -683,7 +683,6 @@ rc = (rc == SECSuccess); -exit: SPEW(!rc, rc, dig); return rc; } @@ -692,24 +691,88 @@ { rpmnss nss = (rpmnss) dig->impl; int rc = 0; /* assume failure */ +unsigned _L = 8; +unsigned _N = 0; +unsigned _seedBytes = 0; +int xx; if (nss->nbits == 0) nss->nbits = 1024; /* XXX FIXME */ assert(nss->nbits); +if (nss->qbits == 0) nss->qbits = 160; /* XXX FIXME */ +assert(nss->qbits); + +/* + * Generate PQGParams and PQGVerify structs. + * Length of P specified by L. + * if L is greater than 1024 then the resulting verify parameters will be + * DSA2. + * Length of Q specified by N. If zero, The PKCS #11 module will + * pick an appropriately sized Q for P. If N is specified and L = 1024, then + * the resulting verify parameters will be DSA2, Otherwise DSA1 parameters + * will be returned. + * Length of SEED in bytes specified in seedBytes. + * + * The underlying PKCS #11 module will check the values for L, N, + * and seedBytes. The rules for softoken are: + * + * If L <= 1024, then L must be between 512 and 1024 in increments of 64 bits. + * If L <= 1024, then N must be 0 or 160. + * If L >= 1024, then L and N must match the following table: + * L=1024 N=0 or 160 + * L=2048 N=0 or 224 + * L=2048 N=256 + * L=3072 N=0 or 256 + * if L <= 1024 + * seedBbytes must be in the range [20..256]. + * if L >= 1024 + * seedBbytes must be in the range [20..L/16]. + */ + +xx = PQG_PBITS_TO_INDEX(nss->nbits); +if (xx >= 0 && xx <= 8) {/* FIPS-186-1 */ + _L = nss->nbits; + _N = 0; /* XXX DSA1 */ + _seedBytes = 0; /* XXX DSA1 */ +} else { /* FIPS-186-3 */ + switch (nss->nbits) { + default:/* XXX sanity */ + case 1024: + _L = 1024; + _N = 160; /* XXX DSA2 */ + _seedBytes = 20; + break; + case 2048: + _L = 2048; + _N = (nss->qbits == 256) ? 256 : 0; /* 256 or 224 */ + _seedBytes = 20;/* XXX FIXME */ + break; + case 3072: + _L = 3072; + _N = (nss->qbits == 256) ? 256 : 0; /* always 256 */ + _seedBytes = 20;/* XXX FIXME */ + break; + } +} -{CK_MECHANISM_TYPE _type = CKM_DSA_KEY_PAIR_GEN; - PK11SlotInfo * _slot = PK11_GetBestSlot(_type, NULL); +{void * _cx = NULL; + CK_MECHANISM_TYPE _type = CKM_DSA_KEY_PAIR_GEN; + PK11SlotInfo * _slot = PK11_GetBestSlot(_type, _cx); int _isPerm = PR_FALSE; int _isSensitive = PR_TRUE; - void * _cx = NULL; if (_slot) { PQGParams *pqgParams = NULL; PQGVerify *pqgVfy = NULL; void * params = NULL; -int xx; +#ifndef NOTYET + xx = rpmnssErr(nss, "PK11_PQG_ParamGenV2", + PK11_PQG_ParamGenV2(_L, _N, _seedBytes, + &pqgParams, &pqgVfy)); +#else xx = rpmnssErr(nss, "PK11_PQG_ParamGen", - PK11_PQG_ParamGen(nss->nbits, &pqgParams, &pqgVfy)); + PK11_PQG_ParamGen(0, &pqgPar
[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 04-Aug-2013 06:33:45 Branch: rpm-5_4 Handle: 2013080404334500 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c Log: - nss: don't prevent DSA2 verify, permit keygen with nbits != 1024. Summary: RevisionChanges Path 1.40.2.5+1 -7 rpm/rpmio/rpmnss.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.4 -r1.40.2.5 rpmnss.c --- rpm/rpmio/rpmnss.c4 Aug 2013 03:11:56 - 1.40.2.4 +++ rpm/rpmio/rpmnss.c4 Aug 2013 04:33:45 - 1.40.2.5 @@ -660,12 +660,6 @@ SECItem sig = { siBuffer, NULL, 0 }; assert(nss->hashAlg != SEC_OID_UNKNOWN); -switch (nss->hashAlg) { -default: - goto exit; -case SEC_OID_SHA1: /* XXX DSA2? */ - break; -} nss->item.type = siBuffer; nss->item.data = (unsigned char *) nss->digest; @@ -715,7 +709,7 @@ int xx; xx = rpmnssErr(nss, "PK11_PQG_ParamGen", - PK11_PQG_ParamGen(0, &pqgParams, &pqgVfy)); + PK11_PQG_ParamGen(nss->nbits, &pqgParams, &pqgVfy)); if (xx != SECSuccess) goto exit; params = pqgParams; @@ . __ RPM Package Managerhttp://rpm5.org CVS Sources Repositoryrpm-cvs@rpm5.org
[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c rpmnss.h rpm/tests/ tecdsa.c t...
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 04-Aug-2013 05:11:56 Branch: rpm-5_4 Handle: 2013080403115600 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c rpmnss.h rpm/tests tecdsa.c tpgp.c Log: - nss: refactor/rescusitate, including ECDSA, using NSS 3.15.1. Summary: RevisionChanges Path 1.40.2.4+217 -233 rpm/rpmio/rpmnss.c 1.12.2.1+4 -1 rpm/rpmio/rpmnss.h 1.23.2.2+174 -63rpm/tests/tecdsa.c 1.8.2.2 +4 -0 rpm/tests/tpgp.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.3 -r1.40.2.4 rpmnss.c --- rpm/rpmio/rpmnss.c29 Jul 2013 05:22:32 - 1.40.2.3 +++ rpm/rpmio/rpmnss.c4 Aug 2013 03:11:56 - 1.40.2.4 @@ -362,6 +362,7 @@ _ENTRY(OUT_OF_SEARCH_LIMITS), _ENTRY(INVALID_POLICY_MAPPING), _ENTRY(POLICY_VALIDATION_FAILED), +/* No longer used. Unknown AIA location types are now silently ignored. */ _ENTRY(UNKNOWN_AIA_LOCATION_TYPE), _ENTRY(BAD_HTTP_RESPONSE), _ENTRY(BAD_LDAP_RESPONSE), @@ -377,6 +378,27 @@ #if defined(SEC_ERROR_CRL_IMPORT_FAILED) _ENTRY(CRL_IMPORT_FAILED), #endif +#if defined(SEC_ERROR_EXPIRED_PASSWORD) +_ENTRY(EXPIRED_PASSWORD), +#endif +#if defined(SEC_ERROR_LOCKED_PASSWORD) +_ENTRY(LOCKED_PASSWORD), +#endif +#if defined(SEC_ERROR_UNKNOWN_PKCS11_ERROR) +_ENTRY(UNKNOWN_PKCS11_ERROR), +#endif +#if defined(SEC_ERROR_BAD_CRL_DP_URL) +_ENTRY(BAD_CRL_DP_URL), +#endif +#if defined(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) +_ENTRY(CERT_SIGNATURE_ALGORITHM_DISABLED), +#endif +#if defined(SEC_ERROR_LEGACY_DATABASE) +_ENTRY(LEGACY_DATABASE), +#endif +#if defined(SEC_ERROR_APPLICATION_CALLBACK_ERROR) +_ENTRY(APPLICATION_CALLBACK_ERROR), +#endif }; static size_t nrpmnssERRS = sizeof(rpmnssERRS) / sizeof(rpmnssERRS[0]); #undef _ENTRY @@ -423,6 +445,44 @@ } /*==*/ +static SECOidTag getEncAlg(unsigned pubkey_algo) +{ +SECOidTag encAlg = SEC_OID_UNKNOWN; + +switch (pubkey_algo) { +case PGPPUBKEYALGO_RSA: encAlg = SEC_OID_PKCS1_RSA_ENCRYPTION; break; +case PGPPUBKEYALGO_DSA: encAlg = SEC_OID_ANSIX9_DSA_SIGNATURE; break; +case PGPPUBKEYALGO_ECDSA:encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;break; +case PGPPUBKEYALGO_ELGAMAL: /*@fallthrough@*/ +default: + break; +} +return encAlg; +} + +static SECOidTag getHashAlg(unsigned hash_algo) +{ +SECOidTag hashAlg = SEC_OID_UNKNOWN; + +switch (hash_algo) { +case PGPHASHALGO_MD2:hashAlg = SEC_OID_MD2; break; +case PGPHASHALGO_MD4:hashAlg = SEC_OID_MD4; break; +case PGPHASHALGO_MD5:hashAlg = SEC_OID_MD5; break; +case PGPHASHALGO_SHA1: hashAlg = SEC_OID_SHA1; break; +case PGPHASHALGO_SHA224: hashAlg = SEC_OID_SHA224; break; +case PGPHASHALGO_SHA256: hashAlg = SEC_OID_SHA256; break; +case PGPHASHALGO_SHA384: hashAlg = SEC_OID_SHA384; break; +case PGPHASHALGO_SHA512: hashAlg = SEC_OID_SHA512; break; +case PGPHASHALGO_RIPEMD160: /*@fallthrough@*/ +case PGPHASHALGO_TIGER192: /*@fallthrough@*/ +case PGPHASHALGO_HAVAL_5_160:/*@fallthrough@*/ +default: + break; +} +return hashAlg; +} + +/*==*/ static int rpmnssSetRSA(/*@only@*/ DIGEST_CTX ctx, pgpDig dig, pgpDigParams sigp) @@ -436,57 +496,21 @@ dig->hash_algoN = _pgpHashAlgo2Name(sigp->hash_algo); assert(sigp->hash_algo == rpmDigestAlgo(ctx)); -nss->sigalg = SEC_OID_UNKNOWN; -switch (sigp->hash_algo) { -case PGPHASHALGO_MD5: - nss->sigalg = SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION; - break; -case PGPHASHALGO_SHA1: - nss->sigalg = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION; - break; -case PGPHASHALGO_RIPEMD160: - break; -case PGPHASHALGO_MD2: - nss->sigalg = SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION; - break; -case PGPHASHALGO_MD4: - nss->sigalg = SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION; - break; -case PGPHASHALGO_TIGER192: - break; -case PGPHASHALGO_HAVAL_5_160: - break; -case PGPHASHALGO_SHA256: - nss->sigalg
[CVS] RPM: rpm-5_4: rpm/rpmio/ rpmnss.c
RPM Package Manager, CVS Repository http://rpm5.org/cvs/ Server: rpm5.org Name: Jeff Johnson Root: /v/rpm/cvs Email: j...@rpm5.org Module: rpm Date: 29-Jul-2013 07:22:32 Branch: rpm-5_4 Handle: 2013072905223200 Modified files: (Branch: rpm-5_4) rpm/rpmio rpmnss.c Log: - nss: sanity before attempting ECDSA through NSS. Summary: RevisionChanges Path 1.40.2.3+113 -23rpm/rpmio/rpmnss.c patch -p0 <<'@@ .' Index: rpm/rpmio/rpmnss.c $ cvs diff -u -r1.40.2.2 -r1.40.2.3 rpmnss.c --- rpm/rpmio/rpmnss.c16 Apr 2012 03:21:22 - 1.40.2.2 +++ rpm/rpmio/rpmnss.c29 Jul 2013 05:22:32 - 1.40.2.3 @@ -42,34 +42,32 @@ /*==*/ -#ifdef NOTYET -typedef struct key_s { +typedef struct keyNV_s { /*@observer@*/ -const char * name; /* key name */ -uint32_t value; -} KEY; +const char * N; /* key name */ +uint32_t V; +} keyNV_t; static int -keyCmp(const void * a, const void * b) +keyNVCmp(const void * a, const void * b) { -return strcmp(((KEY *)a)->name, ((KEY *)b)->name); +return strcmp(((keyNV_t *)a)->N, ((keyNV_t *)b)->N); } static uint32_t -keyValue(KEY * keys, size_t nkeys, /*@null@*/ const char *name) +keyNV(keyNV_t * keys, size_t nkeys, /*@null@*/ const char *N) { -uint32_t keyval = 0; +uint32_t V = 0; -if (name && *name) { - /* XXX bsearch is overkill */ - KEY needle = { .name = name, .value = 0 }; - KEY *k = (KEY *)bsearch(&needle, keys, nkeys, sizeof(*keys), keyCmp); +if (N && *N) { + keyNV_t needle = { .N = N, .V = 0 }; + keyNV_t *k = (keyNV_t *) + bsearch(&needle, keys, nkeys, sizeof(*keys), keyNVCmp); if (k) - keyval = k->value; + V = k->V; } -return keyval; +return V; } -#endif typedef struct keyVN_s { int V; @@ -115,6 +113,87 @@ /*==*/ +extern SECStatus +EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); + +static keyNV_t rpmnssOIDS[] = { + { "c2onb191v4", SEC_OID_ANSIX962_EC_C2ONB191V4 }, + { "c2onb191v5", SEC_OID_ANSIX962_EC_C2ONB191V5 }, + { "c2onb239v4", SEC_OID_ANSIX962_EC_C2ONB239V4 }, + { "c2onb239v5", SEC_OID_ANSIX962_EC_C2ONB239V5 }, + { "c2pnb163v1", SEC_OID_ANSIX962_EC_C2PNB163V1 }, + { "c2pnb163v2", SEC_OID_ANSIX962_EC_C2PNB163V2 }, + { "c2pnb163v3", SEC_OID_ANSIX962_EC_C2PNB163V3 }, + { "c2pnb176v1", SEC_OID_ANSIX962_EC_C2PNB176V1 }, + { "c2pnb208w1", SEC_OID_ANSIX962_EC_C2PNB208W1 }, + { "c2pnb272w1", SEC_OID_ANSIX962_EC_C2PNB272W1 }, + { "c2pnb304w1", SEC_OID_ANSIX962_EC_C2PNB304W1 }, + { "c2pnb368w1", SEC_OID_ANSIX962_EC_C2PNB368W1 }, + { "c2tnb191v1", SEC_OID_ANSIX962_EC_C2TNB191V1 }, + { "c2tnb191v2", SEC_OID_ANSIX962_EC_C2TNB191V2 }, + { "c2tnb191v3", SEC_OID_ANSIX962_EC_C2TNB191V3 }, + { "c2tnb239v1", SEC_OID_ANSIX962_EC_C2TNB239V1 }, + { "c2tnb239v2", SEC_OID_ANSIX962_EC_C2TNB239V2 }, + { "c2tnb239v3", SEC_OID_ANSIX962_EC_C2TNB239V3 }, + { "c2tnb359v1", SEC_OID_ANSIX962_EC_C2TNB359V1 }, + { "c2tnb431r1", SEC_OID_ANSIX962_EC_C2TNB431R1 }, + { "nistb163", SEC_OID_SECG_EC_SECT163R2}, + { "nistb233", SEC_OID_SECG_EC_SECT233R1}, + { "nistb283", SEC_OID_SECG_EC_SECT283R1}, + { "nistb409", SEC_OID_SECG_EC_SECT409R1}, + { "nistb571", SEC_OID_SECG_EC_SECT571R1}, + { "nistk163", SEC_OID_SECG_EC_SECT163K1}, + { "nistk233", SEC_OID_SECG_EC_SECT233K1}, + { "nistk283", SEC_OID_SECG_EC_SECT283K1}, + { "nistk409", SEC_OID_SECG_EC_SECT409K1}, + { "nistk571", SEC_OID_SECG_EC_SECT571K1}, + { "nistp192", SEC_OID_SECG_EC_SECP192R1}, + { "nistp224", SEC_OID_SECG_EC_SECP224R1}, + { "nistp256", SEC_OID_SECG_EC_SECP256R1}, + { "nistp384", SEC_OID_SECG_EC_SECP384R1}, + { "nistp521", SEC_OID_SECG_EC_SECP521R1}, + { "prime192v1", SEC_OID_ANSIX962_EC_PRIME192V1 }, + { "prime192v2", SEC_OID_ANSIX962_EC_PRIME192V2 }, + { "prime192v3", SEC_OID_ANSIX962_EC_PRIME192V3 }, + { "prime239v1", SEC_OID_ANSIX962_EC_PRIME239V1 }, + { "prime239v2", SEC_OID_ANSIX962_EC_PRIME239V2 }, + { "prime239v3", SEC_OID_ANSIX962_EC_PRIME239V3 }, + { "secp112r1", SEC_OID_SECG_EC_SECP112R1}, + { "secp112r2", SEC_OID_SECG_EC_SECP112R2}, + { "secp128r1", SEC_OID_SECG_EC_SECP128R1}, + { "secp128r2", SEC_OID_SECG_EC_SECP128R2}, + { "secp160k1", SEC_OID_SECG_EC_S