Accepting request 1226642 from mozilla:Factory
- Remove upstreamed bmo-1400603.patch - Added nss-bmo1930797.patch to fix failing tests in testsuite - update to NSS 3.106 * bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36. * bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File. * bmo#1899402 - Correctly destroy bulkkey in error scenario. * bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers. * bmo#1923002 - Extract certificates with handshake collection script. * bmo#1923006 - Specify len_control for fuzz targets. * bmo#1923280 - Fix memory leak in dumpCertificatePEM. * bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and SECU_PrintCertificateBasicInfo. * bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use. * bmo#1921768 - allow null phKey in NSC_DeriveKey. * bmo#1921801 - Only create seed corpus zip from existing corpus. * bmo#1826035 - Use explicit allowlist for for KDF PRFS. * bmo#1920138 - Increase optimization level for fuzz builds. * bmo#1920470 - Remove incorrect assert. * bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI. * bmo#1920945 - Polish corpus collection for automation. * bmo#1917572 - Detect new and unfuzzed SSL options. * bmo#1804646 - PKCS12 fuzzing target. - requires NSPR 4.36 OBS-URL: https://build.opensuse.org/request/show/1226642 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=224
This commit is contained in:
commit
6ac2ba3813
@ -1,5 +1,5 @@
|
||||
mozilla-nss
|
||||
requires "mozilla-nspr-<targettype> >= 4.35"
|
||||
requires "mozilla-nspr-<targettype> >= 4.36"
|
||||
requires "libfreebl3-<targettype>"
|
||||
requires "libsoftokn3-<targettype>"
|
||||
requires "libnssckbi.so"
|
||||
@ -10,7 +10,7 @@ libsoftokn3
|
||||
+/usr/lib/libsoftokn3.chk
|
||||
+/usr/lib/libnssdbm3.chk
|
||||
libfreebl3
|
||||
provides "libfreebl3-hmac-<targettype> = <version>-%release"
|
||||
provides "libfreebl3-hmac-<targettype> = <version>-%release"
|
||||
obsoletes "libfreebl3-hmac-<targettype> < <version>-%release"
|
||||
+/lib/libfreebl3.chk
|
||||
+/lib/libfreeblpriv3.chk
|
||||
|
@ -1,337 +0,0 @@
|
||||
From b2f3a6407d2d6ec89522410d7ac4c56d310c92b1 Mon Sep 17 00:00:00 2001
|
||||
From: Daiki Ueno <dueno@redhat.com>
|
||||
Date: Mon, 18 Sep 2017 11:24:00 +0200
|
||||
Subject: [PATCH] freebl: Reorganize AES-GCM source code based on hw/sw
|
||||
implementation
|
||||
|
||||
diff --git a/lib/freebl/gcm-hw.c b/lib/freebl/gcm-hw.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/lib/freebl/gcm-hw.c
|
||||
@@ -0,0 +1,151 @@
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#ifdef FREEBL_NO_DEPEND
|
||||
+#include "stubs.h"
|
||||
+#endif
|
||||
+#include "gcm.h"
|
||||
+#include "secerr.h"
|
||||
+
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+#include <wmmintrin.h> /* clmul */
|
||||
+#endif
|
||||
+
|
||||
+#define WRITE64(x, bytes) \
|
||||
+ (bytes)[0] = (x) >> 56; \
|
||||
+ (bytes)[1] = (x) >> 48; \
|
||||
+ (bytes)[2] = (x) >> 40; \
|
||||
+ (bytes)[3] = (x) >> 32; \
|
||||
+ (bytes)[4] = (x) >> 24; \
|
||||
+ (bytes)[5] = (x) >> 16; \
|
||||
+ (bytes)[6] = (x) >> 8; \
|
||||
+ (bytes)[7] = (x);
|
||||
+
|
||||
+SECStatus
|
||||
+gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf,
|
||||
+ unsigned int maxout)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ uint64_t tmp_out[2];
|
||||
+ _mm_storeu_si128((__m128i *)tmp_out, ghash->x);
|
||||
+ PORT_Assert(maxout >= 16);
|
||||
+ WRITE64(tmp_out[0], outbuf + 8);
|
||||
+ WRITE64(tmp_out[1], outbuf);
|
||||
+ return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf,
|
||||
+ unsigned int count)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ size_t i;
|
||||
+ pre_align __m128i z_high post_align;
|
||||
+ pre_align __m128i z_low post_align;
|
||||
+ pre_align __m128i C post_align;
|
||||
+ pre_align __m128i D post_align;
|
||||
+ pre_align __m128i E post_align;
|
||||
+ pre_align __m128i F post_align;
|
||||
+ pre_align __m128i bin post_align;
|
||||
+ pre_align __m128i Ci post_align;
|
||||
+ pre_align __m128i tmp post_align;
|
||||
+
|
||||
+ for (i = 0; i < count; i++, buf += 16) {
|
||||
+ bin = _mm_set_epi16(((uint16_t)buf[0] << 8) | buf[1],
|
||||
+ ((uint16_t)buf[2] << 8) | buf[3],
|
||||
+ ((uint16_t)buf[4] << 8) | buf[5],
|
||||
+ ((uint16_t)buf[6] << 8) | buf[7],
|
||||
+ ((uint16_t)buf[8] << 8) | buf[9],
|
||||
+ ((uint16_t)buf[10] << 8) | buf[11],
|
||||
+ ((uint16_t)buf[12] << 8) | buf[13],
|
||||
+ ((uint16_t)buf[14] << 8) | buf[15]);
|
||||
+ Ci = _mm_xor_si128(bin, ghash->x);
|
||||
+
|
||||
+ /* Do binary mult ghash->X = Ci * ghash->H. */
|
||||
+ C = _mm_clmulepi64_si128(Ci, ghash->h, 0x00);
|
||||
+ D = _mm_clmulepi64_si128(Ci, ghash->h, 0x11);
|
||||
+ E = _mm_clmulepi64_si128(Ci, ghash->h, 0x01);
|
||||
+ F = _mm_clmulepi64_si128(Ci, ghash->h, 0x10);
|
||||
+ tmp = _mm_xor_si128(E, F);
|
||||
+ z_high = _mm_xor_si128(tmp, _mm_slli_si128(D, 8));
|
||||
+ z_high = _mm_unpackhi_epi64(z_high, D);
|
||||
+ z_low = _mm_xor_si128(_mm_slli_si128(tmp, 8), C);
|
||||
+ z_low = _mm_unpackhi_epi64(_mm_slli_si128(C, 8), z_low);
|
||||
+
|
||||
+ /* Shift one to the left (multiply by x) as gcm spec is stupid. */
|
||||
+ C = _mm_slli_si128(z_low, 8);
|
||||
+ E = _mm_srli_epi64(C, 63);
|
||||
+ D = _mm_slli_si128(z_high, 8);
|
||||
+ F = _mm_srli_epi64(D, 63);
|
||||
+ /* Carry over */
|
||||
+ C = _mm_srli_si128(z_low, 8);
|
||||
+ D = _mm_srli_epi64(C, 63);
|
||||
+ z_low = _mm_or_si128(_mm_slli_epi64(z_low, 1), E);
|
||||
+ z_high = _mm_or_si128(_mm_or_si128(_mm_slli_epi64(z_high, 1), F), D);
|
||||
+
|
||||
+ /* Reduce */
|
||||
+ C = _mm_slli_si128(z_low, 8);
|
||||
+ /* D = z_low << 127 */
|
||||
+ D = _mm_slli_epi64(C, 63);
|
||||
+ /* E = z_low << 126 */
|
||||
+ E = _mm_slli_epi64(C, 62);
|
||||
+ /* F = z_low << 121 */
|
||||
+ F = _mm_slli_epi64(C, 57);
|
||||
+ /* z_low ^= (z_low << 127) ^ (z_low << 126) ^ (z_low << 121); */
|
||||
+ z_low = _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(z_low, D), E), F);
|
||||
+ C = _mm_srli_si128(z_low, 8);
|
||||
+ /* D = z_low >> 1 */
|
||||
+ D = _mm_slli_epi64(C, 63);
|
||||
+ D = _mm_or_si128(_mm_srli_epi64(z_low, 1), D);
|
||||
+ /* E = z_low >> 2 */
|
||||
+ E = _mm_slli_epi64(C, 62);
|
||||
+ E = _mm_or_si128(_mm_srli_epi64(z_low, 2), E);
|
||||
+ /* F = z_low >> 7 */
|
||||
+ F = _mm_slli_epi64(C, 57);
|
||||
+ F = _mm_or_si128(_mm_srli_epi64(z_low, 7), F);
|
||||
+ /* ghash->x ^= z_low ^ (z_low >> 1) ^ (z_low >> 2) ^ (z_low >> 7); */
|
||||
+ ghash->x = _mm_xor_si128(_mm_xor_si128(
|
||||
+ _mm_xor_si128(_mm_xor_si128(z_high, z_low), D), E),
|
||||
+ F);
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+gcm_HashInit_hw(gcmHashContext *ghash)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ ghash->ghash_mul = gcm_HashMult_hw;
|
||||
+ ghash->x = _mm_setzero_si128();
|
||||
+ /* MSVC requires __m64 to load epi64. */
|
||||
+ ghash->h = _mm_set_epi32(ghash->h_high >> 32, (uint32_t)ghash->h_high,
|
||||
+ ghash->h_low >> 32, (uint32_t)ghash->h_low);
|
||||
+ ghash->hw = PR_TRUE;
|
||||
+ return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+gcm_HashZeroX_hw(gcmHashContext *ghash)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ ghash->x = _mm_setzero_si128();
|
||||
+ return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
||||
+
|
||||
diff --git a/lib/freebl/rijndael-hw.c b/lib/freebl/rijndael-hw.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/lib/freebl/rijndael-hw.c
|
||||
@@ -0,0 +1,170 @@
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#ifdef FREEBL_NO_DEPEND
|
||||
+#include "stubs.h"
|
||||
+#endif
|
||||
+#include "rijndael.h"
|
||||
+#include "secerr.h"
|
||||
+
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+#include <wmmintrin.h> /* aes-ni */
|
||||
+#endif
|
||||
+
|
||||
+#if defined(NSS_X86_OR_X64)
|
||||
+#define EXPAND_KEY128(k, rcon, res) \
|
||||
+ tmp_key = _mm_aeskeygenassist_si128(k, rcon); \
|
||||
+ tmp_key = _mm_shuffle_epi32(tmp_key, 0xFF); \
|
||||
+ tmp = _mm_xor_si128(k, _mm_slli_si128(k, 4)); \
|
||||
+ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
|
||||
+ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \
|
||||
+ res = _mm_xor_si128(tmp, tmp_key)
|
||||
+
|
||||
+static void
|
||||
+native_key_expansion128(AESContext *cx, const unsigned char *key)
|
||||
+{
|
||||
+ __m128i *keySchedule = cx->keySchedule;
|
||||
+ pre_align __m128i tmp_key post_align;
|
||||
+ pre_align __m128i tmp post_align;
|
||||
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
|
||||
+ EXPAND_KEY128(keySchedule[0], 0x01, keySchedule[1]);
|
||||
+ EXPAND_KEY128(keySchedule[1], 0x02, keySchedule[2]);
|
||||
+ EXPAND_KEY128(keySchedule[2], 0x04, keySchedule[3]);
|
||||
+ EXPAND_KEY128(keySchedule[3], 0x08, keySchedule[4]);
|
||||
+ EXPAND_KEY128(keySchedule[4], 0x10, keySchedule[5]);
|
||||
+ EXPAND_KEY128(keySchedule[5], 0x20, keySchedule[6]);
|
||||
+ EXPAND_KEY128(keySchedule[6], 0x40, keySchedule[7]);
|
||||
+ EXPAND_KEY128(keySchedule[7], 0x80, keySchedule[8]);
|
||||
+ EXPAND_KEY128(keySchedule[8], 0x1B, keySchedule[9]);
|
||||
+ EXPAND_KEY128(keySchedule[9], 0x36, keySchedule[10]);
|
||||
+}
|
||||
+
|
||||
+#define EXPAND_KEY192_PART1(res, k0, kt, rcon) \
|
||||
+ tmp2 = _mm_slli_si128(k0, 4); \
|
||||
+ tmp1 = _mm_xor_si128(k0, tmp2); \
|
||||
+ tmp2 = _mm_slli_si128(tmp2, 4); \
|
||||
+ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
|
||||
+ tmp2 = _mm_aeskeygenassist_si128(kt, rcon); \
|
||||
+ res = _mm_xor_si128(tmp1, _mm_shuffle_epi32(tmp2, 0x55))
|
||||
+
|
||||
+#define EXPAND_KEY192_PART2(res, k1, k2) \
|
||||
+ tmp2 = _mm_xor_si128(k1, _mm_slli_si128(k1, 4)); \
|
||||
+ res = _mm_xor_si128(tmp2, _mm_shuffle_epi32(k2, 0xFF))
|
||||
+
|
||||
+#define EXPAND_KEY192(k0, res1, res2, res3, carry, rcon1, rcon2) \
|
||||
+ EXPAND_KEY192_PART1(tmp3, k0, res1, rcon1); \
|
||||
+ EXPAND_KEY192_PART2(carry, res1, tmp3); \
|
||||
+ res1 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(res1), \
|
||||
+ _mm_castsi128_pd(tmp3), 0)); \
|
||||
+ res2 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(tmp3), \
|
||||
+ _mm_castsi128_pd(carry), 1)); \
|
||||
+ EXPAND_KEY192_PART1(res3, tmp3, carry, rcon2)
|
||||
+
|
||||
+static void
|
||||
+native_key_expansion192(AESContext *cx, const unsigned char *key)
|
||||
+{
|
||||
+ __m128i *keySchedule = cx->keySchedule;
|
||||
+ pre_align __m128i tmp1 post_align;
|
||||
+ pre_align __m128i tmp2 post_align;
|
||||
+ pre_align __m128i tmp3 post_align;
|
||||
+ pre_align __m128i carry post_align;
|
||||
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
|
||||
+ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
|
||||
+ EXPAND_KEY192(keySchedule[0], keySchedule[1], keySchedule[2],
|
||||
+ keySchedule[3], carry, 0x1, 0x2);
|
||||
+ EXPAND_KEY192_PART2(keySchedule[4], carry, keySchedule[3]);
|
||||
+ EXPAND_KEY192(keySchedule[3], keySchedule[4], keySchedule[5],
|
||||
+ keySchedule[6], carry, 0x4, 0x8);
|
||||
+ EXPAND_KEY192_PART2(keySchedule[7], carry, keySchedule[6]);
|
||||
+ EXPAND_KEY192(keySchedule[6], keySchedule[7], keySchedule[8],
|
||||
+ keySchedule[9], carry, 0x10, 0x20);
|
||||
+ EXPAND_KEY192_PART2(keySchedule[10], carry, keySchedule[9]);
|
||||
+ EXPAND_KEY192(keySchedule[9], keySchedule[10], keySchedule[11],
|
||||
+ keySchedule[12], carry, 0x40, 0x80);
|
||||
+}
|
||||
+
|
||||
+#define EXPAND_KEY256_PART(res, rconx, k1x, k2x, X) \
|
||||
+ tmp_key = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(k2x, rconx), X); \
|
||||
+ tmp2 = _mm_slli_si128(k1x, 4); \
|
||||
+ tmp1 = _mm_xor_si128(k1x, tmp2); \
|
||||
+ tmp2 = _mm_slli_si128(tmp2, 4); \
|
||||
+ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \
|
||||
+ res = _mm_xor_si128(tmp1, tmp_key);
|
||||
+
|
||||
+#define EXPAND_KEY256(res1, res2, k1, k2, rcon) \
|
||||
+ EXPAND_KEY256_PART(res1, rcon, k1, k2, 0xFF); \
|
||||
+ EXPAND_KEY256_PART(res2, 0x00, k2, res1, 0xAA)
|
||||
+
|
||||
+static void
|
||||
+native_key_expansion256(AESContext *cx, const unsigned char *key)
|
||||
+{
|
||||
+ __m128i *keySchedule = cx->keySchedule;
|
||||
+ pre_align __m128i tmp_key post_align;
|
||||
+ pre_align __m128i tmp1 post_align;
|
||||
+ pre_align __m128i tmp2 post_align;
|
||||
+ keySchedule[0] = _mm_loadu_si128((__m128i *)key);
|
||||
+ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16));
|
||||
+ EXPAND_KEY256(keySchedule[2], keySchedule[3], keySchedule[0],
|
||||
+ keySchedule[1], 0x01);
|
||||
+ EXPAND_KEY256(keySchedule[4], keySchedule[5], keySchedule[2],
|
||||
+ keySchedule[3], 0x02);
|
||||
+ EXPAND_KEY256(keySchedule[6], keySchedule[7], keySchedule[4],
|
||||
+ keySchedule[5], 0x04);
|
||||
+ EXPAND_KEY256(keySchedule[8], keySchedule[9], keySchedule[6],
|
||||
+ keySchedule[7], 0x08);
|
||||
+ EXPAND_KEY256(keySchedule[10], keySchedule[11], keySchedule[8],
|
||||
+ keySchedule[9], 0x10);
|
||||
+ EXPAND_KEY256(keySchedule[12], keySchedule[13], keySchedule[10],
|
||||
+ keySchedule[11], 0x20);
|
||||
+ EXPAND_KEY256_PART(keySchedule[14], 0x40, keySchedule[12],
|
||||
+ keySchedule[13], 0xFF);
|
||||
+}
|
||||
+
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+
|
||||
+/*
|
||||
+ * AES key expansion using aes-ni instructions.
|
||||
+ */
|
||||
+void
|
||||
+rijndael_native_key_expansion(AESContext *cx, const unsigned char *key,
|
||||
+ unsigned int Nk)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ switch (Nk) {
|
||||
+ case 4:
|
||||
+ native_key_expansion128(cx, key);
|
||||
+ return;
|
||||
+ case 6:
|
||||
+ native_key_expansion192(cx, key);
|
||||
+ return;
|
||||
+ case 8:
|
||||
+ native_key_expansion256(cx, key);
|
||||
+ return;
|
||||
+ default:
|
||||
+ /* This shouldn't happen. */
|
||||
+ PORT_Assert(0);
|
||||
+ }
|
||||
+#else
|
||||
+ PORT_Assert(0);
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+rijndael_native_encryptBlock(AESContext *cx,
|
||||
+ unsigned char *output,
|
||||
+ const unsigned char *input)
|
||||
+{
|
||||
+#ifdef NSS_X86_OR_X64
|
||||
+ int i;
|
||||
+ pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input);
|
||||
+ m = _mm_xor_si128(m, cx->keySchedule[0]);
|
||||
+ for (i = 1; i < cx->Nr; ++i) {
|
||||
+ m = _mm_aesenc_si128(m, cx->keySchedule[i]);
|
||||
+ }
|
||||
+ m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]);
|
||||
+ _mm_storeu_si128((__m128i *)output, m);
|
||||
+#else
|
||||
+ PORT_Assert(0);
|
||||
+#endif /* NSS_X86_OR_X64 */
|
||||
+}
|
@ -1,3 +1,34 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Nov 26 15:07:49 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||||
|
||||
- Remove upstreamed bmo-1400603.patch
|
||||
- Added nss-bmo1930797.patch to fix failing tests in testsuite
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 21 14:11:56 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
|
||||
|
||||
- update to NSS 3.106
|
||||
* bmo#1925975 - NSS 3.106 should be distributed with NSPR 4.36.
|
||||
* bmo#1923767 - pk12util: improve error handling in p12U_ReadPKCS12File.
|
||||
* bmo#1899402 - Correctly destroy bulkkey in error scenario.
|
||||
* bmo#1919997 - PKCS7 fuzz target, r=djackson,nss-reviewers.
|
||||
* bmo#1923002 - Extract certificates with handshake collection script.
|
||||
* bmo#1923006 - Specify len_control for fuzz targets.
|
||||
* bmo#1923280 - Fix memory leak in dumpCertificatePEM.
|
||||
* bmo#1102981 - Fix UBSan errors for SECU_PrintCertificate and
|
||||
SECU_PrintCertificateBasicInfo.
|
||||
* bmo#1921528 - add new error codes to mozilla::pkix for Firefox to use.
|
||||
* bmo#1921768 - allow null phKey in NSC_DeriveKey.
|
||||
* bmo#1921801 - Only create seed corpus zip from existing corpus.
|
||||
* bmo#1826035 - Use explicit allowlist for for KDF PRFS.
|
||||
* bmo#1920138 - Increase optimization level for fuzz builds.
|
||||
* bmo#1920470 - Remove incorrect assert.
|
||||
* bmo#1914870 - Use libFuzzer options from fuzz/options/\*.options in CI.
|
||||
* bmo#1920945 - Polish corpus collection for automation.
|
||||
* bmo#1917572 - Detect new and unfuzzed SSL options.
|
||||
* bmo#1804646 - PKCS12 fuzzing target.
|
||||
- requires NSPR 4.36
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Oct 26 08:07:03 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
|
||||
|
||||
|
@ -17,15 +17,15 @@
|
||||
#
|
||||
|
||||
|
||||
%global nss_softokn_fips_version 3.105
|
||||
%define NSPR_min_version 4.35
|
||||
%global nss_softokn_fips_version 3.106
|
||||
%define NSPR_min_version 4.36
|
||||
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
|
||||
%define nssdbdir %{_sysconfdir}/pki/nssdb
|
||||
%global crypto_policies_version 20210218
|
||||
Name: mozilla-nss
|
||||
Version: 3.105
|
||||
Version: 3.106
|
||||
Release: 0
|
||||
%define underscore_version 3_105
|
||||
%define underscore_version 3_106
|
||||
Summary: Network Security Services
|
||||
License: MPL-2.0
|
||||
Group: System/Libraries
|
||||
@ -50,8 +50,8 @@ Patch2: system-nspr.patch
|
||||
Patch3: nss-no-rpath.patch
|
||||
Patch4: add-relro-linker-option.patch
|
||||
Patch5: malloc.patch
|
||||
Patch6: bmo-1400603.patch
|
||||
Patch7: nss-sqlitename.patch
|
||||
Patch8: nss-bmo1930797.patch
|
||||
Patch9: nss-fips-use-getrandom.patch
|
||||
Patch10: nss-fips-dsa-kat.patch
|
||||
Patch11: nss-fips-pairwise-consistency-check.patch
|
||||
@ -210,8 +210,8 @@ cd nss
|
||||
%if 0%{?suse_version} > 1110
|
||||
%patch -P 5 -p1
|
||||
%endif
|
||||
%patch -P 6 -p1
|
||||
%patch -P 7 -p1
|
||||
%patch -P 8 -p1
|
||||
# FIPS patches
|
||||
%patch -P 9 -p1
|
||||
%patch -P 10 -p1
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:8e8e4c8c88ca5c828b207cfaf66c6188e7f96c97cc18946d3db7da4c0d395619
|
||||
size 76620664
|
3
nss-3.106.tar.gz
Normal file
3
nss-3.106.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:026b744e1e0784b890c3846ac9506472a92138c1f4d41dec581949574c585c38
|
||||
size 76621626
|
341
nss-bmo1930797.patch
Normal file
341
nss-bmo1930797.patch
Normal file
@ -0,0 +1,341 @@
|
||||
# HG changeset patch
|
||||
# User Robert Relyea <rrelyea@redhat.com>
|
||||
# Date 1731716524 28800
|
||||
# Node ID 03e207e378dd37a87e172febb58012472611a78f
|
||||
# Parent fe06bec77d445965548ee6f9d803bf8d035863c7
|
||||
Bug 1930797 pkcs12 fixes from RHEL need to be picked up.
|
||||
|
||||
1. add ignore integrity option to pk12util
|
||||
2. update pk12util manpage
|
||||
a. with new ignore integrity option.
|
||||
b. with the correct current defaults for pk12util.
|
||||
3. don't include a fake iv in the param portion of the pbmac1.
|
||||
4. restore the ability to decode md5 mac'ed pkcs12 files.
|
||||
5. restore tests for bad pkcs12 encodings
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D229394
|
||||
|
||||
Index: nss/cmd/pk12util/pk12util.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/pk12util/pk12util.c
|
||||
+++ nss/cmd/pk12util/pk12util.c
|
||||
@@ -32,12 +32,12 @@ static void
|
||||
Usage()
|
||||
{
|
||||
#define FPS PR_fprintf(PR_STDERR,
|
||||
- FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
|
||||
+ FPS "Usage: %s -i importfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n",
|
||||
progName);
|
||||
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
|
||||
FPS "\t\t [-v]\n");
|
||||
|
||||
- FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
|
||||
+ FPS "Usage: %s -l listfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n",
|
||||
progName);
|
||||
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
|
||||
FPS "\t\t [-v]\n");
|
||||
@@ -351,7 +351,8 @@ P12U_InitSlot(PK11SlotInfo *slot, secuPW
|
||||
*/
|
||||
SEC_PKCS12DecoderContext *
|
||||
p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
|
||||
- secuPWData *slotPw, secuPWData *p12FilePw)
|
||||
+ secuPWData *slotPw, secuPWData *p12FilePw,
|
||||
+ PRBool ignoreIntegrity)
|
||||
{
|
||||
SEC_PKCS12DecoderContext *p12dcx = NULL;
|
||||
p12uContext *p12cxt = NULL;
|
||||
@@ -458,7 +459,10 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
|
||||
/* rv has been set at this point */
|
||||
|
||||
done:
|
||||
- if (rv != SECSuccess) {
|
||||
+ /* if we are ignoring Integrity and we failed because we couldn't
|
||||
+ * verify the integrity code, go ahead and succeed */
|
||||
+ if (rv != SECSuccess && !(ignoreIntegrity &&
|
||||
+ (pk12uErrno == PK12UERR_DECODEVERIFY))) {
|
||||
if (p12dcx != NULL) {
|
||||
SEC_PKCS12DecoderFinish(p12dcx);
|
||||
p12dcx = NULL;
|
||||
@@ -490,7 +494,8 @@ done:
|
||||
*/
|
||||
PRIntn
|
||||
P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
|
||||
- secuPWData *slotPw, secuPWData *p12FilePw)
|
||||
+ secuPWData *slotPw, secuPWData *p12FilePw,
|
||||
+ PRBool ignoreIntegrity)
|
||||
{
|
||||
SEC_PKCS12DecoderContext *p12dcx = NULL;
|
||||
SECItem uniPwitem = { 0 };
|
||||
@@ -509,7 +514,8 @@ P12U_ImportPKCS12Object(char *in_file, P
|
||||
do {
|
||||
trypw = PR_FALSE; /* normally we do this once */
|
||||
rv = SECFailure;
|
||||
- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
|
||||
+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw,
|
||||
+ p12FilePw, ignoreIntegrity);
|
||||
|
||||
if (p12dcx == NULL) {
|
||||
goto loser;
|
||||
@@ -777,14 +783,16 @@ loser:
|
||||
|
||||
PRIntn
|
||||
P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
|
||||
- secuPWData *slotPw, secuPWData *p12FilePw)
|
||||
+ secuPWData *slotPw, secuPWData *p12FilePw,
|
||||
+ PRBool ignoreIntegrity)
|
||||
{
|
||||
SEC_PKCS12DecoderContext *p12dcx = NULL;
|
||||
SECItem uniPwitem = { 0 };
|
||||
SECStatus rv = SECFailure;
|
||||
const SEC_PKCS12DecoderItem *dip;
|
||||
|
||||
- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
|
||||
+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw,
|
||||
+ ignoreIntegrity);
|
||||
/* did the blob authenticate properly? */
|
||||
if (p12dcx == NULL) {
|
||||
SECU_PrintError(progName, "PKCS12 decode not verified");
|
||||
@@ -997,7 +1005,8 @@ enum {
|
||||
opt_CertCipher,
|
||||
opt_KeyLength,
|
||||
opt_CertKeyLength,
|
||||
- opt_Mac
|
||||
+ opt_Mac,
|
||||
+ opt_IgnoreIntegrity
|
||||
};
|
||||
|
||||
static secuCommandFlag pk12util_options[] = {
|
||||
@@ -1018,7 +1027,8 @@ static secuCommandFlag pk12util_options[
|
||||
{ /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE },
|
||||
{ /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" },
|
||||
{ /* opt_CertKeyLength */ 0, PR_TRUE, 0, PR_FALSE, "cert_key_len" },
|
||||
- { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE, PR_FALSE }
|
||||
+ { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE },
|
||||
+ { /* opt_IgnoreIntegrity */ 'I', PR_FALSE, 0, PR_FALSE }
|
||||
};
|
||||
|
||||
int
|
||||
@@ -1039,6 +1049,7 @@ main(int argc, char **argv)
|
||||
int certKeyLen = 0;
|
||||
secuCommand pk12util;
|
||||
PRInt32 forceUnicode;
|
||||
+ PRBool ignoreIntegrity = PR_FALSE;
|
||||
|
||||
#ifdef _CRTDBG_MAP_ALLOC
|
||||
_CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
|
||||
@@ -1113,6 +1124,9 @@ main(int argc, char **argv)
|
||||
if (pk12util.options[opt_Raw].activated) {
|
||||
dumpRawFile = PR_TRUE;
|
||||
}
|
||||
+ if (pk12util.options[opt_IgnoreIntegrity].activated) {
|
||||
+ ignoreIntegrity = PR_TRUE;
|
||||
+ }
|
||||
if (pk12util.options[opt_KeyLength].activated) {
|
||||
keyLen = atoi(pk12util.options[opt_KeyLength].arg);
|
||||
}
|
||||
@@ -1183,7 +1197,8 @@ main(int argc, char **argv)
|
||||
}
|
||||
|
||||
if (pk12util.options[opt_Import].activated) {
|
||||
- P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw);
|
||||
+ P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw,
|
||||
+ ignoreIntegrity);
|
||||
|
||||
} else if (pk12util.options[opt_Export].activated) {
|
||||
P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
|
||||
@@ -1191,7 +1206,8 @@ main(int argc, char **argv)
|
||||
hash, &slotPw, &p12FilePw);
|
||||
|
||||
} else if (pk12util.options[opt_List].activated) {
|
||||
- P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
|
||||
+ P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw,
|
||||
+ ignoreIntegrity);
|
||||
|
||||
} else {
|
||||
Usage();
|
||||
Index: nss/doc/pk12util.xml
|
||||
===================================================================
|
||||
--- nss.orig/doc/pk12util.xml
|
||||
+++ nss/doc/pk12util.xml
|
||||
@@ -38,6 +38,7 @@
|
||||
<arg>-P dbprefix</arg>
|
||||
<arg>-r</arg>
|
||||
<arg>-v</arg>
|
||||
+ <arg>-I</arg>
|
||||
<arg>--cert-key-len certKeyLength</arg>
|
||||
<arg>-k slotPasswordFile|-K slotPassword</arg>
|
||||
<arg>-w p12filePasswordFile|-W p12filePassword</arg>
|
||||
@@ -147,6 +148,11 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>-I </term>
|
||||
+ <listitem><para>Ignore integrity check results on importing and listing.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-w p12filePasswordFile</term>
|
||||
<listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
|
||||
</varlistentry>
|
||||
@@ -317,7 +323,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
|
||||
<refsection id="encryption">
|
||||
<title>Password Encryption</title>
|
||||
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
<para>The private key is always protected with strong encryption by default.</para>
|
||||
<para>Several types of ciphers are supported.</para>
|
||||
<variablelist>
|
||||
@@ -327,6 +333,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
<listitem>
|
||||
<itemizedlist>
|
||||
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
|
||||
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
Index: nss/lib/pk11wrap/pk11mech.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/pk11wrap/pk11mech.c
|
||||
+++ nss/lib/pk11wrap/pk11mech.c
|
||||
@@ -1719,10 +1719,19 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
|
||||
case CKM_JUNIPER_CBC128:
|
||||
case CKM_JUNIPER_COUNTER:
|
||||
case CKM_JUNIPER_SHUFFLE:
|
||||
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
- SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
- if (newParams == NULL)
|
||||
- break;
|
||||
+ if (param && param->len > 0) {
|
||||
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
+ if (newParams == NULL)
|
||||
+ break;
|
||||
+ } else {
|
||||
+ /* if no parameters have been supplied, then use NULL params
|
||||
+ * The SECOID_SetAlgorithmID encoder will encode that as no
|
||||
+ * params (since params are optional) or with an explicit NULL
|
||||
+ * (for some historical cases where explicit NULL is expected).
|
||||
+ */
|
||||
+ newParams = NULL;
|
||||
+ }
|
||||
rv = SECSuccess;
|
||||
break;
|
||||
}
|
||||
Index: nss/lib/pk11wrap/pk11pbe.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/pk11wrap/pk11pbe.c
|
||||
+++ nss/lib/pk11wrap/pk11pbe.c
|
||||
@@ -770,9 +770,10 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
||||
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
|
||||
}
|
||||
|
||||
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
+
|
||||
/* set the PKCS5v2 specific parameters */
|
||||
if (keyLength == 0) {
|
||||
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
if (hashAlg != SEC_OID_UNKNOWN) {
|
||||
keyLength = HASH_ResultLenByOidTag(hashAlg);
|
||||
} else {
|
||||
@@ -787,18 +788,25 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
||||
prfAlg = SEC_OID_HMAC_SHA1;
|
||||
}
|
||||
|
||||
- /* build the PKCS5v2 cipher algorithm id */
|
||||
- cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
- if (!cipherParams) {
|
||||
- goto loser;
|
||||
+ /* build the PKCS5v2 cipher algorithm id, if cipher
|
||||
+ * is an HMAC, the cipherParams should be NULL */
|
||||
+ if (hashAlg == SEC_OID_UNKNOWN) {
|
||||
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
+ if (!cipherParams) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ } else {
|
||||
+ cipherParams = NULL;
|
||||
}
|
||||
|
||||
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
|
||||
|
||||
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
|
||||
poolp, &pbeV2_param.cipherAlgId);
|
||||
- SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ if (cipherParams) {
|
||||
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ }
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
Index: nss/lib/pkcs12/p12local.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/pkcs12/p12local.c
|
||||
+++ nss/lib/pkcs12/p12local.c
|
||||
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
|
||||
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
|
||||
/* pkcs12v2 hmac uses UTF8 rather than unicode */
|
||||
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
|
||||
- PR_TRUE, PR_FALSE, PR_FALSE)) {
|
||||
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
|
||||
return NULL;
|
||||
}
|
||||
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
|
||||
Index: nss/lib/util/nsshash.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/util/nsshash.c
|
||||
+++ nss/lib/util/nsshash.c
|
||||
@@ -107,6 +107,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
|
||||
switch (hmacOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_HMAC_MD5:
|
||||
+ hashOid = SEC_OID_MD5;
|
||||
+ break;
|
||||
case SEC_OID_HMAC_SHA1:
|
||||
hashOid = SEC_OID_SHA1;
|
||||
break;
|
||||
@@ -150,6 +153,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag
|
||||
switch (hashOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_MD5:
|
||||
+ hmacOid = SEC_OID_HMAC_MD5;
|
||||
+ break;
|
||||
case SEC_OID_SHA1:
|
||||
hmacOid = SEC_OID_HMAC_SHA1;
|
||||
break;
|
||||
Index: nss/tests/tools/tools.sh
|
||||
===================================================================
|
||||
--- nss.orig/tests/tools/tools.sh
|
||||
+++ nss/tests/tools/tools.sh
|
||||
@@ -541,21 +541,21 @@ tools_p12_import_pbmac1_samples()
|
||||
html_msg $ret 0 "Importing private key pbmac1 hmac-sha-512 from PKCS#12 file"
|
||||
check_tmpfile
|
||||
|
||||
- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
|
||||
- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
|
||||
+ echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I"
|
||||
+ ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-iter.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
|
||||
ret=$?
|
||||
html_msg $ret 19 "Fail to list private key with bad iterator"
|
||||
check_tmpfile
|
||||
|
||||
- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
|
||||
- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
|
||||
+ echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I"
|
||||
+ ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-bad-salt.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
|
||||
ret=$?
|
||||
echo "Fail to list private key with bad salt val=$ret"
|
||||
html_msg $ret 19 "Fail to import private key with bad salt"
|
||||
check_tmpfile
|
||||
|
||||
- echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234'"
|
||||
- ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' 2>&1
|
||||
+ echo "${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I"
|
||||
+ ${BINDIR}/pk12util -l ${TOOLSDIR}/data/pbmac1-invalid-no-length.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -W '1234' -I 2>&1
|
||||
ret=$?
|
||||
echo "Fail to import private key with no length val=$ret"
|
||||
html_msg $ret 19 "Fail to import private key with no length"
|
Loading…
x
Reference in New Issue
Block a user