From b62572db42a0bb17372a4ecdcc2f67e31abfa724 Mon Sep 17 00:00:00 2001 From: "nelsonb%netscape.com" Date: Wed, 6 Apr 2005 19:43:19 +0000 Subject: [PATCH] Remove fortezza support from libSSL and related commands. Bug 239960. ON PERFORMANCE_HACKS_BRANCH. r=rrelyea. git-svn-id: svn://10.0.0.236/trunk@171820 18797224-902f-48f8-a5cc-f745e15eee43 --- mozilla/security/nss/cmd/SSLsample/server.c | 3 - .../security/nss/cmd/SSLsample/sslsample.c | 6 +- mozilla/security/nss/cmd/manifest.mn | 3 +- mozilla/security/nss/cmd/modutil/modutil.c | 5 +- mozilla/security/nss/cmd/platlibs.mk | 2 - mozilla/security/nss/cmd/selfserv/selfserv.c | 11 +- .../nss/cmd/sslstrength/sslstrength.c | 7 - mozilla/security/nss/cmd/strsclnt/strsclnt.c | 8 +- mozilla/security/nss/cmd/tstclnt/tstclnt.c | 11 +- mozilla/security/nss/cmd/vfyserv/vfyserv.c | 2 +- mozilla/security/nss/cmd/vfyserv/vfyutil.c | 6 +- mozilla/security/nss/lib/manifest.mn | 4 +- mozilla/security/nss/lib/ssl/nsskea.c | 8 +- mozilla/security/nss/lib/ssl/preenc.h | 96 +- mozilla/security/nss/lib/ssl/prelib.c | 199 +--- mozilla/security/nss/lib/ssl/ssl.h | 4 +- mozilla/security/nss/lib/ssl/ssl3con.c | 1007 +---------------- mozilla/security/nss/lib/ssl/ssl3prot.h | 19 +- mozilla/security/nss/lib/ssl/sslauth.c | 5 +- mozilla/security/nss/lib/ssl/sslcon.c | 4 +- mozilla/security/nss/lib/ssl/sslenum.c | 7 +- mozilla/security/nss/lib/ssl/sslimpl.h | 18 +- mozilla/security/nss/lib/ssl/sslinfo.c | 7 +- mozilla/security/nss/lib/ssl/sslproto.h | 8 +- mozilla/security/nss/lib/ssl/sslsecur.c | 9 +- mozilla/security/nss/lib/ssl/sslsnce.c | 8 +- mozilla/security/nss/lib/ssl/sslsock.c | 5 +- mozilla/security/nss/lib/ssl/sslt.h | 8 +- .../nss/pkg/solaris/SUNWtlsd/prototype | 4 +- 29 files changed, 118 insertions(+), 1366 deletions(-) diff --git a/mozilla/security/nss/cmd/SSLsample/server.c b/mozilla/security/nss/cmd/SSLsample/server.c index ced32d287e2..5965d4723fc 100644 --- a/mozilla/security/nss/cmd/SSLsample/server.c +++ b/mozilla/security/nss/cmd/SSLsample/server.c @@ -102,14 +102,11 @@ Usage(const char *progName) "E SSL2 DES 64 CBC WITH MD5\n" "F SSL2 DES 192 EDE3 CBC WITH MD5\n" "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" diff --git a/mozilla/security/nss/cmd/SSLsample/sslsample.c b/mozilla/security/nss/cmd/SSLsample/sslsample.c index 85f5d523b62..422d453de59 100644 --- a/mozilla/security/nss/cmd/SSLsample/sslsample.c +++ b/mozilla/security/nss/cmd/SSLsample/sslsample.c @@ -50,14 +50,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ diff --git a/mozilla/security/nss/cmd/manifest.mn b/mozilla/security/nss/cmd/manifest.mn index de58f84c1b0..7066fa03ebc 100644 --- a/mozilla/security/nss/cmd/manifest.mn +++ b/mozilla/security/nss/cmd/manifest.mn @@ -72,7 +72,6 @@ DIRS = lib \ SSLsample \ ssltap \ strsclnt \ - swfort \ symkeyutil \ tstclnt \ vfychain \ @@ -81,6 +80,7 @@ DIRS = lib \ $(NULL) TEMPORARILY_DONT_BUILD = \ + sha1test \ $(NULL) # rsaperf \ @@ -92,5 +92,6 @@ TEMPORARILY_DONT_BUILD = \ # to build (requires allxpstr.h) # DONT_BULD = jar \ + swfort \ perror \ $(NULL) diff --git a/mozilla/security/nss/cmd/modutil/modutil.c b/mozilla/security/nss/cmd/modutil/modutil.c index 77c91a31ee6..d277fea05fa 100644 --- a/mozilla/security/nss/cmd/modutil/modutil.c +++ b/mozilla/security/nss/cmd/modutil/modutil.c @@ -749,11 +749,10 @@ usage() "---------------------------------------------------------------------------\n" "\n" "Mechanism lists are colon-separated. The following mechanisms are recognized:\n" -"RSA, DSA, RC2, RC4, RC5, DES, DH, FORTEZZA, SHA1, MD5, MD2, SSL, TLS, RANDOM,\n" -" FRIENDLY\n" +"RSA, DSA, RC2, RC4, RC5, DES, DH, SHA1, MD5, MD2, SSL, TLS, RANDOM, FRIENDLY\n" "\n" "Cipher lists are colon-separated. The following ciphers are recognized:\n" -"FORTEZZA\n" +"\n" "\nQuestions or bug reports should be sent to modutil-support@netscape.com.\n" ); diff --git a/mozilla/security/nss/cmd/platlibs.mk b/mozilla/security/nss/cmd/platlibs.mk index 92269a250b7..b586c787ea8 100644 --- a/mozilla/security/nss/cmd/platlibs.mk +++ b/mozilla/security/nss/cmd/platlibs.mk @@ -66,7 +66,6 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ - $(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ @@ -116,7 +115,6 @@ EXTRA_LIBS += \ $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssdev.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)swfci.$(LIB_SUFFIX) \ $(CRYPTOLIB) \ $(DIST)/lib/$(LIB_PREFIX)secutil.$(LIB_SUFFIX) \ $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) \ diff --git a/mozilla/security/nss/cmd/selfserv/selfserv.c b/mozilla/security/nss/cmd/selfserv/selfserv.c index d5469ebc141..c936e71c828 100644 --- a/mozilla/security/nss/cmd/selfserv/selfserv.c +++ b/mozilla/security/nss/cmd/selfserv/selfserv.c @@ -133,14 +133,14 @@ const int ssl2CipherSuites[] = { }; const int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -253,14 +253,11 @@ Usage(const char *progName) "T TLS ECDHE RSA WITH AES 128 CBC SHA\n" #endif /* NSS_ENABLE_ECC */ "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" @@ -1895,7 +1892,7 @@ main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus status; status = SSL_CipherPrefSetDefault(cipher, SSL_ALLOWED); if (status != SECSuccess) diff --git a/mozilla/security/nss/cmd/sslstrength/sslstrength.c b/mozilla/security/nss/cmd/sslstrength/sslstrength.c index ee4c0a692bd..34ac5c0dfa0 100644 --- a/mozilla/security/nss/cmd/sslstrength/sslstrength.c +++ b/mozilla/security/nss/cmd/sslstrength/sslstrength.c @@ -91,18 +91,11 @@ struct CipherPolicy ciphers[] = { { 'd',SSL_EN_DES_64_CBC_WITH_MD5, "SSL_EN_DES_64_CBC_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'e',SSL_EN_RC4_128_EXPORT40_WITH_MD5, "SSL_EN_RC4_128_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'f',SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, "SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5 (ssl2)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'g',SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",1,SSL_ALLOWED,SSL_NOT_ALLOWED }, - { 'h',SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, "SSL_FORTEZZA_DMS_WITH_RC4_128_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif { 'i',SSL_RSA_WITH_RC4_128_MD5, "SSL_RSA_WITH_RC4_128_MD5 (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, { 'j',SSL_RSA_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_RESTRICTED }, { 'k',SSL_RSA_WITH_DES_CBC_SHA, "SSL_RSA_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'l',SSL_RSA_EXPORT_WITH_RC4_40_MD5, "SSL_RSA_EXPORT_WITH_RC4_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'm',SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, -#ifdef FORTEZZA - { 'n',SSL_FORTEZZA_DMS_WITH_NULL_SHA, "SSL_FORTEZZA_DMS_WITH_NULL_SHA",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, -#endif { 'o',SSL_RSA_WITH_NULL_MD5, "SSL_RSA_WITH_NULL_MD5 (ssl3)",1, SSL_ALLOWED,SSL_ALLOWED }, { 'p',SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED }, { 'q',SSL_RSA_FIPS_WITH_DES_CBC_SHA, "SSL_RSA_FIPS_WITH_DES_CBC_SHA (ssl3)",1, SSL_ALLOWED,SSL_NOT_ALLOWED } diff --git a/mozilla/security/nss/cmd/strsclnt/strsclnt.c b/mozilla/security/nss/cmd/strsclnt/strsclnt.c index 2e1a930ddd9..e6111b4ad07 100644 --- a/mozilla/security/nss/cmd/strsclnt/strsclnt.c +++ b/mozilla/security/nss/cmd/strsclnt/strsclnt.c @@ -111,14 +111,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -1053,7 +1053,7 @@ client_main( cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus rv; rv = SSL_CipherPrefSetDefault(cipher, PR_TRUE); if (rv != SECSuccess) { diff --git a/mozilla/security/nss/cmd/tstclnt/tstclnt.c b/mozilla/security/nss/cmd/tstclnt/tstclnt.c index fb658604d4b..b0980a6d026 100644 --- a/mozilla/security/nss/cmd/tstclnt/tstclnt.c +++ b/mozilla/security/nss/cmd/tstclnt/tstclnt.c @@ -108,14 +108,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ @@ -257,14 +257,11 @@ static void Usage(const char *progName) "T TLS ECDHE RSA WITH AES 128 CBC SHA\n" #endif /* NSS_ENABLE_ECC */ "\n" -"a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA\n" -"b SSL3 FORTEZZA DMS WITH RC4 128 SHA\n" "c SSL3 RSA WITH RC4 128 MD5\n" "d SSL3 RSA WITH 3DES EDE CBC SHA\n" "e SSL3 RSA WITH DES CBC SHA\n" "f SSL3 RSA EXPORT WITH RC4 40 MD5\n" "g SSL3 RSA EXPORT WITH RC2 CBC 40 MD5\n" -"h SSL3 FORTEZZA DMS WITH NULL SHA\n" "i SSL3 RSA WITH NULL MD5\n" "j SSL3 RSA FIPS WITH 3DES EDE CBC SHA\n" "k SSL3 RSA FIPS WITH DES CBC SHA\n" @@ -670,7 +667,7 @@ int main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SECStatus status; status = SSL_CipherPrefSet(s, cipher, SSL_ALLOWED); if (status != SECSuccess) diff --git a/mozilla/security/nss/cmd/vfyserv/vfyserv.c b/mozilla/security/nss/cmd/vfyserv/vfyserv.c index f1fd2382536..4c31e4c70b9 100644 --- a/mozilla/security/nss/cmd/vfyserv/vfyserv.c +++ b/mozilla/security/nss/cmd/vfyserv/vfyserv.c @@ -444,7 +444,7 @@ main(int argc, char **argv) cptr = islower(ndx) ? ssl3CipherSuites : ssl2CipherSuites; for (ndx &= 0x1f; (cipher = *cptr++) != 0 && --ndx > 0; ) /* do nothing */; - if (cipher) { + if (cipher > 0) { SSL_CipherPrefSetDefault(cipher, PR_TRUE); } } diff --git a/mozilla/security/nss/cmd/vfyserv/vfyutil.c b/mozilla/security/nss/cmd/vfyserv/vfyutil.c index b1d282f6424..4741a22ad1d 100644 --- a/mozilla/security/nss/cmd/vfyserv/vfyutil.c +++ b/mozilla/security/nss/cmd/vfyserv/vfyutil.c @@ -53,14 +53,14 @@ int ssl2CipherSuites[] = { }; int ssl3CipherSuites[] = { - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* a */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, /* b */ + -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */ + -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, * b */ SSL_RSA_WITH_RC4_128_MD5, /* c */ SSL_RSA_WITH_3DES_EDE_CBC_SHA, /* d */ SSL_RSA_WITH_DES_CBC_SHA, /* e */ SSL_RSA_EXPORT_WITH_RC4_40_MD5, /* f */ SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* g */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, /* h */ + -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA, * h */ SSL_RSA_WITH_NULL_MD5, /* i */ SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, /* j */ SSL_RSA_FIPS_WITH_DES_CBC_SHA, /* k */ diff --git a/mozilla/security/nss/lib/manifest.mn b/mozilla/security/nss/lib/manifest.mn index 108f188f0eb..268ff04962a 100644 --- a/mozilla/security/nss/lib/manifest.mn +++ b/mozilla/security/nss/lib/manifest.mn @@ -47,7 +47,6 @@ DEPTH = ../.. # smime # ckfw (builtins module) # crmf jar (not dll's) -# fortcrypt DIRS = util freebl softoken \ base asn1 dev pki pki1 \ certdb certhigh pk11wrap cryptohi nss \ @@ -55,9 +54,10 @@ DIRS = util freebl softoken \ pkcs12 pkcs7 smime \ crmf jar \ ckfw \ - fortcrypt \ $(NULL) +# fortcrypt is no longer built + # NSS 4.0 build - pure stan libraries ifdef PURE_STAN_BUILD DIRS = base asn1 dev pki pki1 diff --git a/mozilla/security/nss/lib/ssl/nsskea.c b/mozilla/security/nss/lib/ssl/nsskea.c index a6da09ab224..9054198442d 100644 --- a/mozilla/security/nss/lib/ssl/nsskea.c +++ b/mozilla/security/nss/lib/ssl/nsskea.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: nsskea.c,v 1.4 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: nsskea.c,v 1.5 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "cert.h" #include "ssl.h" /* for SSLKEAType */ @@ -58,12 +58,6 @@ NSS_FindCertKEAType(CERTCertificate * cert) case SEC_OID_PKCS1_RSA_ENCRYPTION: keaType = kt_rsa; break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keaType = kt_fortezza; - break; case SEC_OID_X942_DIFFIE_HELMAN_KEY: keaType = kt_dh; break; diff --git a/mozilla/security/nss/lib/ssl/preenc.h b/mozilla/security/nss/lib/ssl/preenc.h index 57620a13359..d3064fc0ef4 100644 --- a/mozilla/security/nss/lib/ssl/preenc.h +++ b/mozilla/security/nss/lib/ssl/preenc.h @@ -1,8 +1,7 @@ /* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil -*- */ /* - * Functions and types used by https servers to send (download) pre-encrypted - * files over SSL connections that use Fortezza ciphersuites. + * Fortezza support is removed. * * ***** BEGIN LICENSE BLOCK ***** * Version: MPL 1.1/GPL 2.0/LGPL 2.1 @@ -39,7 +38,12 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: preenc.h,v 1.3 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: preenc.h,v 1.4 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ + +/* Fortezza support is removed. + * This file remains so that old programs will continue to compile, + * But this functionality is no longer supported or implemented. + */ #include "seccomon.h" #include "prio.h" @@ -48,53 +52,44 @@ typedef struct PEHeaderStr PEHeader; #define PE_MIME_TYPE "application/pre-encrypted" - -/* - * unencrypted header. The 'top' half of this header is generic. The union - * is type specific, and may include bulk cipher type information - * (Fortezza supports only Fortezza Bulk encryption). Only fortezza - * pre-encrypted is defined. - */ typedef struct PEFortezzaHeaderStr PEFortezzaHeader; typedef struct PEFortezzaGeneratedHeaderStr PEFortezzaGeneratedHeader; typedef struct PEFixedKeyHeaderStr PEFixedKeyHeader; typedef struct PERSAKeyHeaderStr PERSAKeyHeader; struct PEFortezzaHeaderStr { - unsigned char key[12]; /* Ks wrapped MEK */ - unsigned char iv[24]; /* iv for this MEK */ - unsigned char hash[20]; /* SHA hash of file */ - unsigned char serial[8]; /* serial number of the card that owns - * Ks */ + unsigned char key[12]; + unsigned char iv[24]; + unsigned char hash[20]; + unsigned char serial[8]; }; struct PEFortezzaGeneratedHeaderStr { - unsigned char key[12]; /* TEK wrapped MEK */ - unsigned char iv[24]; /* iv for this MEK */ - unsigned char hash[20]; /* SHA hash of file */ - unsigned char Ra[128]; /* RA to generate TEK */ - unsigned char Y[128]; /* Y to generate TEK */ + unsigned char key[12]; + unsigned char iv[24]; + unsigned char hash[20]; + unsigned char Ra[128]; + unsigned char Y[128]; }; struct PEFixedKeyHeaderStr { - unsigned char pkcs11Mech[4]; /* Symetric key operation */ - unsigned char labelLen[2]; /* length of the token label */ - unsigned char keyIDLen[2]; /* length of the token Key ID */ - unsigned char ivLen[2]; /* length of IV */ - unsigned char keyLen[2]; /* length of key (DES3_ECB encrypted) */ - unsigned char data[1]; /* start of data */ + unsigned char pkcs11Mech[4]; + unsigned char labelLen[2]; + unsigned char keyIDLen[2]; + unsigned char ivLen[2]; + unsigned char keyLen[2]; + unsigned char data[1]; }; struct PERSAKeyHeaderStr { - unsigned char pkcs11Mech[4]; /* Symetric key operation */ - unsigned char issuerLen[2]; /* length of cert issuer */ - unsigned char serialLen[2]; /* length of the cert serial */ - unsigned char ivLen[2]; /* length of IV */ - unsigned char keyLen[2]; /* length of key (RSA encrypted) */ - unsigned char data[1]; /* start of data */ + unsigned char pkcs11Mech[4]; + unsigned char issuerLen[2]; + unsigned char serialLen[2]; + unsigned char ivLen[2]; + unsigned char keyLen[2]; + unsigned char data[1]; }; -/* macros to get at the variable length data fields */ #define PEFIXED_Label(header) (header->data) #define PEFIXED_KeyID(header) (&header->data[GetInt2(header->labelLen)]) #define PEFIXED_IV(header) (&header->data[GetInt2(header->labelLen)\ @@ -108,10 +103,10 @@ struct PERSAKeyHeaderStr { #define PERSA_Key(header) (&header->data[GetInt2(header->issuerLen)\ +GetInt2(header->serialLen)+GetInt2(header->keyLen)]) struct PEHeaderStr { - unsigned char magic [2]; /* always 0xC0DE */ - unsigned char len [2]; /* length of PEHeader */ - unsigned char type [2]; /* FORTEZZA, DIFFIE-HELMAN, RSA */ - unsigned char version[2]; /* version number: 1.0 */ + unsigned char magic [2]; + unsigned char len [2]; + unsigned char type [2]; + unsigned char version[2]; union { PEFortezzaHeader fortezza; PEFortezzaGeneratedHeader g_fortezza; @@ -124,12 +119,9 @@ struct PEHeaderStr { #define PE_INTRO_LEN 4 #define PE_BASE_HEADER_LEN 8 -#define PRE_BLOCK_SIZE 8 /* for decryption blocks */ +#define PRE_BLOCK_SIZE 8 -/* - * Platform neutral encode/decode macros. - */ #define GetInt2(c) ((c[0] << 8) | c[1]) #define GetInt4(c) (((unsigned long)c[0] << 24)|((unsigned long)c[1] << 16)\ |((unsigned long)c[2] << 8)| ((unsigned long)c[3])) @@ -137,28 +129,18 @@ struct PEHeaderStr { #define PutInt4(c,i) ((c[0]=((i) >> 24) & 0xff),(c[1]=((i) >> 16) & 0xff),\ (c[2] = ((i) >> 8) & 0xff), (c[3] = (i) & 0xff)) -/* - * magic numbers. - */ #define PRE_MAGIC 0xc0de #define PRE_VERSION 0x1010 -#define PRE_FORTEZZA_FILE 0x00ff /* pre-encrypted file on disk */ -#define PRE_FORTEZZA_STREAM 0x00f5 /* pre-encrypted file in stream */ -#define PRE_FORTEZZA_GEN_STREAM 0x00f6 /* Generated pre-encrypted file */ -#define PRE_FIXED_FILE 0x000f /* fixed key on disk */ -#define PRE_RSA_FILE 0x001f /* RSA in file */ -#define PRE_FIXED_STREAM 0x0005 /* fixed key in stream */ +#define PRE_FORTEZZA_FILE 0x00ff +#define PRE_FORTEZZA_STREAM 0x00f5 +#define PRE_FORTEZZA_GEN_STREAM 0x00f6 +#define PRE_FIXED_FILE 0x000f +#define PRE_RSA_FILE 0x001f +#define PRE_FIXED_STREAM 0x0005 -/* - * internal implementation info - */ - - -/* convert an existing stream header to a version with local parameters */ PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *, int *headerSize); -/* convert an existing file header to one suitable for streaming out */ PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *, int *headerSize); diff --git a/mozilla/security/nss/lib/ssl/prelib.c b/mozilla/security/nss/lib/ssl/prelib.c index c07378d8fe9..0feb8e32045 100644 --- a/mozilla/security/nss/lib/ssl/prelib.c +++ b/mozilla/security/nss/lib/ssl/prelib.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: prelib.c,v 1.4 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: prelib.c,v 1.5 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "cert.h" #include "ssl.h" @@ -50,205 +50,18 @@ #include "preenc.h" #include "pk11func.h" -static unsigned char fromHex(char x) { - if ((x >= '0') && (x <= '9')) return x-'0'; - if ((x >= 'a') && (x <= 'f')) return x-'a'+10; - return x-'A'+10; -} - PEHeader *SSL_PreencryptedStreamToFile(PRFileDesc *fd, PEHeader *inHeader, - int *headerSize) + int *headerSize) { - PK11SymKey *key, *tek, *Ks; - sslSocket *ss; - PK11SlotInfo *slot; - CK_TOKEN_INFO info; - int oldHeaderSize; - PEHeader *header; - SECStatus rv; - SECItem item; - int i; - - if (fd == NULL) { - /* XXX set an error */ - return NULL; - } - - ss = ssl_FindSocket(fd); - if (ss == NULL) { - return NULL; - } - - PORT_Assert(ss->ssl3 != NULL); - if (ss->ssl3 == NULL) { - return NULL; - } - - if (GetInt2(inHeader->magic) != PRE_MAGIC) { - return NULL; - } - - oldHeaderSize = GetInt2(inHeader->len); - header = (PEHeader *) PORT_ZAlloc(oldHeaderSize); - if (header == NULL) { - return NULL; - } - - switch (GetInt2(inHeader->type)) { - case PRE_FORTEZZA_FILE: - case PRE_FORTEZZA_GEN_STREAM: - case PRE_FIXED_FILE: - case PRE_RSA_FILE: - default: - *headerSize = oldHeaderSize; - PORT_Memcpy(header,inHeader,oldHeaderSize); - return header; - - case PRE_FORTEZZA_STREAM: - *headerSize = PE_BASE_HEADER_LEN + sizeof(PEFortezzaHeader); - PutInt2(header->magic,PRE_MAGIC); - PutInt2(header->len,*headerSize); - PutInt2(header->type, PRE_FORTEZZA_FILE); - PORT_Memcpy(header->version,inHeader->version,sizeof(header->version)); - PORT_Memcpy(header->u.fortezza.hash,inHeader->u.fortezza.hash, - sizeof(header->u.fortezza.hash)); - PORT_Memcpy(header->u.fortezza.iv,inHeader->u.fortezza.iv, - sizeof(header->u.fortezza.iv)); - - /* get the kea context from the session */ - tek = ss->ssl3->fortezza.tek; - if (tek == NULL) { - PORT_Free(header); - return NULL; - } - - - /* get the slot and the serial number */ - slot = PK11_GetSlotFromKey(tek); - if (slot == NULL) { - PORT_Free(header); - return NULL; - } - rv = PK11_GetTokenInfo(slot,&info); - if (rv != SECSuccess) { - PORT_Free(header); - PK11_FreeSlot(slot); - return NULL; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - PORT_Free(header); - return NULL; - } - - /* unwrap the key with the TEK */ - item.data = inHeader->u.fortezza.key; - item.len = sizeof(inHeader->u.fortezza.key); - key = PK11_UnwrapSymKey(tek,CKM_SKIPJACK_WRAP, - NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (key == NULL) { - PORT_Free(header); - PK11_FreeSymKey(Ks); - return NULL; - } - - /* rewrap with the local Ks */ - item.data = header->u.fortezza.key; - item.len = sizeof(header->u.fortezza.key); - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, key, &item); - PK11_FreeSymKey(Ks); - PK11_FreeSymKey(key); - if (rv != SECSuccess) { - PORT_Free(header); - return NULL; - } - - /* copy our local serial number into header */ - for (i=0; i < sizeof(header->u.fortezza.serial); i++) { - header->u.fortezza.serial[i] = - (fromHex(info.serialNumber[i*2]) << 4) | - fromHex(info.serialNumber[i*2 + 1]); - } - break; - case PRE_FIXED_STREAM: - /* not implemented yet */ - PORT_Free(header); - return NULL; - } - - return(header); + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return NULL; } -/* - * this one needs to allocate space and work for RSA & FIXED key files as well - */ PEHeader *SSL_PreencryptedFileToStream(PRFileDesc *fd, PEHeader *header, int *headerSize) { - PK11SymKey *key, *tek, *Ks; - sslSocket *ss; - PK11SlotInfo *slot; - SECStatus rv; - SECItem item; - - *headerSize = 0; /* hack */ - - if (fd == NULL) { - /* XXX set an error */ - return NULL; - } - - ss = ssl_FindSocket(fd); - if (ss == NULL) { - return NULL; - } - - PORT_Assert(ss->ssl3 != NULL); - if (ss->ssl3 == NULL) { - return NULL; - } - - /* get the kea context from the session */ - tek = ss->ssl3->fortezza.tek; - if (tek == NULL) { - return NULL; - } - - slot = PK11_GetSlotFromKey(tek); - if (slot == NULL) return NULL; - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, PK11_GetWindow(tek)); - PK11_FreeSlot(slot); - if (Ks == NULL) return NULL; - - - /* unwrap with the local Ks */ - item.data = header->u.fortezza.key; - item.len = sizeof(header->u.fortezza.key); - /* rewrap the key with the TEK */ - key = PK11_UnwrapSymKey(Ks,CKM_SKIPJACK_WRAP, - NULL, &item, CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (key == NULL) { - PK11_FreeSymKey(Ks); - return NULL; - } - - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, key, &item); - PK11_FreeSymKey(Ks); - PK11_FreeSymKey(key); - if (rv != SECSuccess) { - return NULL; - } - - /* copy over our local serial number */ - PORT_Memset(header->u.fortezza.serial,0,sizeof(header->u.fortezza.serial)); - - /* change type to stream */ - PutInt2(header->type, PRE_FORTEZZA_STREAM); - - return(header); + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return NULL; } diff --git a/mozilla/security/nss/lib/ssl/ssl.h b/mozilla/security/nss/lib/ssl/ssl.h index 175f280ed27..ad44172122e 100644 --- a/mozilla/security/nss/lib/ssl/ssl.h +++ b/mozilla/security/nss/lib/ssl/ssl.h @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl.h,v 1.19 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: ssl.h,v 1.20 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #ifndef __ssl_h_ #define __ssl_h_ @@ -190,7 +190,7 @@ SSL_IMPORT SECStatus SSL_SecurityStatus(PRFileDesc *fd, int *on, char **cipher, #define SSL_SECURITY_STATUS_OFF 0 #define SSL_SECURITY_STATUS_ON_HIGH 1 #define SSL_SECURITY_STATUS_ON_LOW 2 -#define SSL_SECURITY_STATUS_FORTEZZA 3 +#define SSL_SECURITY_STATUS_FORTEZZA 3 /* NO LONGER SUPPORTED */ /* ** Return the certificate for our SSL peer. If the client calls this diff --git a/mozilla/security/nss/lib/ssl/ssl3con.c b/mozilla/security/nss/lib/ssl/ssl3con.c index eb76786c4d0..896946bc9dc 100644 --- a/mozilla/security/nss/lib/ssl/ssl3con.c +++ b/mozilla/security/nss/lib/ssl/ssl3con.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3con.c,v 1.69 2005-03-09 05:20:44 nelsonb%netscape.com Exp $ */ +/* $Id: ssl3con.c,v 1.70 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -109,7 +109,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { #endif /* NSS_ENABLE_ECC */ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, @@ -136,7 +135,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE}, @@ -152,7 +150,6 @@ static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, - { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_TRUE, PR_FALSE}, #ifdef NSS_ENABLE_ECC { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDH_ECDSA_WITH_NULL_SHA, SSL_NOT_ALLOWED, PR_FALSE, PR_FALSE}, @@ -177,9 +174,6 @@ static const /*SSL3ClientCertificateType */ uint8 certificate_types [] = { #endif /* NSS_ENABLE_ECC */ }; -static const /*SSL3ClientCertificateType */ uint8 fortezza_certificate_types [] = { - ct_Fortezza, -}; /* * make sure there is room in the write buffer for padding and @@ -217,13 +211,13 @@ static const ssl3BulkCipherDef bulk_cipher_defs[] = { {cipher_3des, calg_3des, 24, 24, type_block, 8, 8, kg_strong}, {cipher_des40, calg_des, 8, 5, type_block, 8, 8, kg_export}, {cipher_idea, calg_idea, 16, 16, type_block, 8, 8, kg_strong}, - {cipher_fortezza, calg_fortezza, 10, 10, type_block, 24, 8, kg_null}, {cipher_aes_128, calg_aes, 16, 16, type_block, 16,16, kg_strong}, {cipher_aes_256, calg_aes, 32, 32, type_block, 16,16, kg_strong}, {cipher_missing, calg_null, 0, 0, type_stream, 0, 0, kg_null}, }; -static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ +static const ssl3KEADef kea_defs[] = +{ /* indexed by SSL3KeyExchangeAlgorithm */ /* kea exchKeyType signKeyType is_limited limit tls_keygen */ {kea_null, kt_null, sign_null, PR_FALSE, 0, PR_FALSE}, {kea_rsa, kt_rsa, sign_rsa, PR_FALSE, 0, PR_FALSE}, @@ -239,7 +233,6 @@ static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ {kea_dhe_rsa_export, kt_dh, sign_rsa, PR_TRUE, 512, PR_FALSE}, {kea_dh_anon, kt_dh, sign_null, PR_FALSE, 0, PR_FALSE}, {kea_dh_anon_export, kt_dh, sign_null, PR_TRUE, 512, PR_FALSE}, - {kea_fortezza, kt_fortezza, sign_dsa, PR_FALSE, 0, PR_FALSE}, {kea_rsa_fips, kt_rsa, sign_rsa, PR_FALSE, 0, PR_TRUE }, #ifdef NSS_ENABLE_ECC {kea_ecdh_ecdsa, kt_ecdh, sign_ecdsa, PR_FALSE, 0, PR_FALSE}, @@ -250,7 +243,8 @@ static const ssl3KEADef kea_defs[] = { /* indexed by SSL3KeyExchangeAlgorithm */ }; /* must use ssl_LookupCipherSuiteDef to access */ -static const ssl3CipherSuiteDef cipher_suite_defs[] = { +static const ssl3CipherSuiteDef cipher_suite_defs[] = +{ /* cipher_suite bulk_cipher_alg mac_alg key_exchange_alg */ {SSL_NULL_WITH_NULL_NULL, cipher_null, mac_null, kea_null}, @@ -298,10 +292,6 @@ static const ssl3CipherSuiteDef cipher_suite_defs[] = { {SSL_DH_ANON_3DES_CBC_SHA, cipher_3des, mac_sha, kea_dh_anon}, #endif - {SSL_FORTEZZA_DMS_WITH_NULL_SHA, cipher_null, mac_sha, kea_fortezza}, - {SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, - cipher_fortezza, mac_sha, kea_fortezza}, - {SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, cipher_rc4, mac_sha, kea_fortezza}, /* New TLS cipher suites */ {TLS_RSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_rsa}, @@ -362,14 +352,16 @@ typedef struct SSLCipher2MechStr { CK_MECHANISM_TYPE cmech; } SSLCipher2Mech; +/* indexed by type SSLCipherAlgorithm */ static const SSLCipher2Mech alg2Mech[] = { + /* calg, cmech */ { calg_null , (CK_MECHANISM_TYPE)0x80000000L }, { calg_rc4 , CKM_RC4 }, { calg_rc2 , CKM_RC2_CBC }, { calg_des , CKM_DES_CBC }, { calg_3des , CKM_DES3_CBC }, { calg_idea , CKM_IDEA_CBC }, - { calg_fortezza , CKM_SKIPJACK_CBC64 }, + { calg_fortezza , CKM_SKIPJACK_CBC64 }, { calg_aes , CKM_AES_CBC }, /* { calg_init , (CK_MECHANISM_TYPE)0x7fffffffL } */ }; @@ -401,7 +393,6 @@ const char * const ssl3_cipherName[] = { "3DES-EDE-CBC", "DES-CBC-40", "IDEA-CBC", - "FORTEZZA", "AES-128", "AES-256", "missing" @@ -838,7 +829,6 @@ ssl3_SignHashes(SSL3Hashes *hash, SECKEYPrivateKey *key, SECItem *buf, hashItem.len = sizeof(SSL3Hashes); break; case dsaKey: - case fortezzaKey: doDerEncode = isTLS; hashItem.data = hash->sha; hashItem.len = sizeof(hash->sha); @@ -911,7 +901,6 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash, CERTCertificate *cert, hashItem.len = sizeof(SSL3Hashes); break; case dsaKey: - case fortezzaKey: hashItem.data = hash->sha; hashItem.len = sizeof(hash->sha); if (isTLS) { @@ -1212,30 +1201,6 @@ done: } #endif /* NSS_ENABLE_ECC */ -/* Caller must set hiLevel error code. */ -static SECStatus -ssl3_ComputeFortezzaPublicKeyHash(SECItem publicValue, unsigned char * hash) -{ - PK11Context *sha = NULL; - SECStatus rv = SECFailure; - unsigned int outLen; - - sha = PK11_CreateDigestContext(SEC_OID_SHA1); - if (sha == NULL) { - return rv; /* Caller must set hiLevel error code. */ - } - - rv = PK11_DigestBegin(sha); - rv |= PK11_DigestOp(sha, (unsigned char *)publicValue.data, publicValue.len); - rv |= PK11_DigestFinal(sha, hash, &outLen, SHA1_LENGTH); - PORT_Assert(rv != SECSuccess || outLen == SHA1_LENGTH); - if (rv != SECSuccess) - rv = SECFailure; - PK11_DestroyContext(sha, PR_TRUE); - - return rv; -} - static void ssl3_BumpSequenceNumber(SSL3SequenceNumber *num) @@ -1713,10 +1678,9 @@ ssl3_SendRecord( sslSocket * ss, } } - /* This variable records - * the actual size of the buffer we allocated above. Some - * algorithms (FORTEZZA) will expand the number of bytes it needs to - * send data. If we only supply the output buffer with the same number + /* This variable records the actual size of the buffer allocated above. + * Some algorithms may expand the number of bytes needed to send data. + * If we only supply the output buffer with the same number * of bytes as the input buffer, we will fail. */ bufSize = contentLen + SSL3_BUFFER_FUDGE; @@ -1994,7 +1958,6 @@ ssl3_HandleNoCertificate(sslSocket *ss) ** ssl3_HandleClientHello <- ** ssl3_HandleV2ClientHello <- ** ssl3_HandleCertificateVerify <- -** ssl3_HandleFortezzaClientKeyExchange <- ** ssl3_HandleClientKeyExchange <- ** ssl3_HandleCertificate <- ** ssl3_HandleFinished <- @@ -2309,9 +2272,7 @@ ssl3_GenerateSessionKeys(sslSocket *ss, const PK11SymKey *pms) void * pwArg = ss->pkcs11PinArg; PRBool isTLS = (PRBool)(kea_def->tls_keygen || (pwSpec->version > SSL_LIBRARY_VERSION_3_0)); - PRBool skipKeysAndIVs = (PRBool) - ((cipher_def->calg == calg_fortezza) || - (cipher_def->calg == calg_null)); + PRBool skipKeysAndIVs = (PRBool)(cipher_def->calg == calg_null); /* * Whenever isDH is true, we need to use CKM_TLS_MASTER_KEY_DERIVE_DH * which, unlike CKM_TLS_MASTER_KEY_DERIVE, converts arbitrary size @@ -2999,8 +2960,7 @@ ssl3_SendClientHello(sslSocket *ss) * make sure the token that holds the master secret still exists ... * If we previously did client-auth, make sure that the token that holds * the private key still exists, is logged in, hasn't been removed, etc. - * Also for fortezza, make sure that the card that holds the session keys - * exist as well... */ + */ if (sid) { PK11SlotInfo *slot; PRBool sidOK = PR_TRUE; @@ -3022,12 +2982,6 @@ ssl3_SendClientHello(sslSocket *ss) PK11_FreeSlot(slot); slot = NULL; } - /* do sid-has-FORTEZZA-slot check */ - if (sid->u.ssl3.hasFortezza) { - /* do has fortezza check */ - if (!PK11_VerifyKeyOK(sid->u.ssl3.tek)) - sidOK = PR_FALSE; - } /* If we previously did client-auth, make sure that the token that ** holds the private key still exists, is logged in, hasn't been @@ -3279,35 +3233,6 @@ ssl_UnwrapSymWrappingKey( PORT_Assert(wrappedKey.len <= sizeof pWswk->wrappedSymmetricWrappingkey); switch (exchKeyType) { - PK11SymKey * Ks; - PK11SlotInfo * slot; - SECItem param; - - case kt_fortezza: - /* get the slot that the fortezza server private key is in. */ - slot = PK11_GetSlotFromPrivateKey(svrPrivKey); - if (slot == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_CBC64, NULL, pwArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* unwrap client write key with the local Ks and IV */ - param.type = siBuffer; - param.data = pWswk->wrapIV; - param.len = pWswk->wrapIVLen; - unwrappedWrappingKey = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_CBC64, ¶m, &wrappedKey, - masterWrapMech, CKA_UNWRAP, 0); - PK11_FreeSymKey(Ks); - break; case kt_rsa: unwrappedWrappingKey = @@ -3466,36 +3391,6 @@ getWrappingKey( sslSocket * ss, /* wrap symmetric wrapping key in server's public key. */ switch (exchKeyType) { - PK11SymKey * Ks; - PK11SlotInfo * fSlot; - SECItem param; - - case kt_fortezza: - /* get the slot that the fortezza server private key is in. */ - fSlot = PK11_GetSlotFromPrivateKey(svrPrivKey); - if (fSlot == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(fSlot, CKM_SKIPJACK_CBC64, NULL, pwArg); - PK11_FreeSlot(fSlot); - if (Ks == NULL) { - SET_ERROR_CODE - goto loser; - } - - /* wrap symmetricWrapping key with the local Ks */ - param.type = siBuffer; - param.data = wswk.wrapIV; - param.len = sizeof wswk.wrapIV; - rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, ¶m, Ks, - unwrappedWrappingKey, &wrappedKey); - wswk.wrapIVLen = param.len; - PK11_FreeSymKey(Ks); - asymWrapMechanism = CKM_SKIPJACK_CBC64; - break; case kt_rsa: asymWrapMechanism = CKM_RSA_PKCS; @@ -3554,20 +3449,6 @@ done: } -static SECStatus -ssl3_FortezzaAppendHandshake(sslSocket *ss, unsigned char * data, int len) -{ - SSL3FortezzaKeys *fortezza_CKE = NULL; - SECStatus rv = SECFailure; - - rv = ssl3_AppendHandshakeHeader(ss, client_key_exchange, - (sizeof(*fortezza_CKE)-sizeof(fortezza_CKE->y_c)) + 1 + len); - if (rv == SECSuccess) { - rv = ssl3_AppendHandshakeVariable(ss, data, len, 1); - } - return rv; /* err set by ssl3_AppendHandshake* */ -} - /* Called from ssl3_SendClientKeyExchange(). */ static SECStatus sendRSAClientKeyExchange(sslSocket * ss, SECKEYPublicKey * svrPubKey) @@ -3814,433 +3695,8 @@ loser: } #endif /* NSS_ENABLE_ECC */ -/* fortezza client-auth portion of ClientKeyExchange message - * This function appends the KEA public key from the client's V3 cert - * (empty for a V1 cert) to the outgoing ClientKeyExchange message. - * For a V3 cert, it also computes the Fortezza public key hash of that key - * and signs that hash with the client's signing private key. - * It also finds and returns the client's KEA private key. - * - * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange() - */ -static SECKEYPrivateKey * -sendFortezzaCKXClientAuth(sslSocket *ss, SSL3FortezzaKeys * fortezza_CKE) -{ - SECKEYPublicKey * pubKey = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - CERTCertificate * peerCert = ss->sec.peerCert; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - SECItem sigItem; - SECItem hashItem; - - /* extract our own local public key. */ - pubKey = CERT_ExtractPublicKey(ss->ssl3->clientCertificate); - if (!pubKey) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto loser; - } - - if (pubKey->keyType == fortezzaKey) { - /* fortezza clientauth with fortezza V1 certificate */ - rv = ssl3_FortezzaAppendHandshake(ss, NULL, 0); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ss->ssl3->clientCertificate, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - - } else { - /* fortezza clientauth w/ V3 certificate or non fortezza cert*/ - CERTCertificate * ccert = NULL; - SECKEYPublicKey * foundPubKey = NULL; - unsigned char hash[SHA1_LENGTH]; - - ccert = PK11_FindBestKEAMatch(peerCert, pwArg); - if (ccert == NULL) { - PORT_SetError(SSL_ERROR_FORTEZZA_PQG); - goto v3_loser; - } - - foundPubKey = CERT_ExtractPublicKey(ccert); - if (foundPubKey == NULL) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto v3_loser; - } - - if (foundPubKey->keyType == keaKey) { - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.kea.publicValue.data, - foundPubKey->u.kea.publicValue.len); - if (rv != SECSuccess) { - goto v3_loser; /* err was set by AppendHandshake. */ - } - - rv = ssl3_ComputeFortezzaPublicKeyHash( - foundPubKey->u.kea.publicValue, hash); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - } else { - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.fortezza.KEAKey.data, - foundPubKey->u.fortezza.KEAKey.len); - if (rv != SECSuccess) { - goto v3_loser; /* err was set by AppendHandshake. */ - } - - rv = ssl3_ComputeFortezzaPublicKeyHash( - foundPubKey->u.fortezza.KEAKey, hash); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - } - - hashItem.data = (unsigned char *) hash; - hashItem.len = SHA1_LENGTH; - - sigItem.data = fortezza_CKE->y_signature; - sigItem.len = sizeof fortezza_CKE->y_signature; - - rv = PK11_Sign(ss->ssl3->clientPrivateKey, &sigItem, &hashItem); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto v3_loser; - } - - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - -v3_loser: - if (foundPubKey) - SECKEY_DestroyPublicKey(foundPubKey); - if (ccert) - CERT_DestroyCertificate(ccert); - } /* fortezza clientauth w/ V3 certificate or non fortezza cert*/ - -loser: - - if (pubKey) - SECKEY_DestroyPublicKey(pubKey); - return privKeaKey; -} /* End of fortezza client-auth. */ -/* fortezza without client-auth */ -/* fortezza client-auth portion of ClientKeyExchange message - * This function appends the public KEA key from the client's cert - * to the outgoing ClientKeyExchange message. - * It also finds and returns the client's KEA private key. - * - * Called from sendFortezzaClientKeyExchange <- ssl3_SendClientKeyExchange() - */ -static SECKEYPrivateKey * -sendFortezzaCKXNoClientAuth(sslSocket *ss) -{ - SECKEYPublicKey * foundPubKey = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - CERTCertificate * ccert = NULL; - CERTCertificate * peerCert = ss->sec.peerCert; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - - ccert = PK11_FindBestKEAMatch(peerCert, pwArg); - if (ccert == NULL) { - PORT_SetError(SSL_ERROR_FORTEZZA_PQG); - goto loser; - } - - foundPubKey = CERT_ExtractPublicKey(ccert); - if (foundPubKey == NULL) { - ssl_MapLowLevelError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - goto loser; - } - - if (foundPubKey->keyType == fortezzaKey) { - /* fortezza V1 cert */ - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.fortezza.KEAKey.data, - foundPubKey->u.fortezza.KEAKey.len); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - } else { - /* fortezza V3 cert */ - rv = ssl3_FortezzaAppendHandshake(ss, - foundPubKey->u.kea.publicValue.data, - foundPubKey->u.kea.publicValue.len); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - privKeaKey = PK11_FindKeyByAnyCert(ccert, pwArg); - if (!privKeaKey) { - ssl_MapLowLevelError(SEC_ERROR_NO_KEY); - } - } - -loser: - if (foundPubKey) - SECKEY_DestroyPublicKey(foundPubKey); - if (ccert) - CERT_DestroyCertificate(ccert); - return privKeaKey; -} - -/* Called from ssl3_SendClientKeyExchange(). */ -static SECStatus -sendFortezzaClientKeyExchange(sslSocket * ss, SECKEYPublicKey * serverKey) -{ - ssl3CipherSpec * pwSpec = NULL; - sslSessionID * sid = ss->sec.ci.sid; - PK11SlotInfo * slot = NULL; - PK11SymKey * pms = NULL; - PK11SymKey * tek = NULL; - PK11SymKey * client_write_key = NULL; - PK11SymKey * server_write_key = NULL; - SECKEYPrivateKey * privKeaKey = NULL; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv = SECFailure; - CK_VERSION version; - SECItem param; - SECItem raItem; - SECItem rbItem; - SECItem enc_pms; - SECItem item; - SSL3FortezzaKeys fortezza_CKE; - PRBool releaseSpecWriteLock = PR_FALSE; - - PORT_Assert( ssl_HaveXmitBufLock(ss)); - PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); - - /* first get an appropriate slot for doing MACing. - * Note: This slot will NOT be a Fortezza slot because Fortezza - * cannot generate an SSL3 pre-master-secret. - */ - slot = PK11_GetBestSlot(CKM_SSL3_PRE_MASTER_KEY_GEN, pwArg); - if (slot == NULL) { - PORT_SetError(SSL_ERROR_TOKEN_SLOT_NOT_FOUND); - goto loser; - } - - /* create a pre-Master secret */ - version.major = MSB(ss->version); - version.minor = LSB(ss->version); - - param.data = (unsigned char *)&version; - param.len = sizeof version; - - pms = PK11_KeyGen(slot, CKM_SSL3_PRE_MASTER_KEY_GEN, - ¶m, 0, pwArg); - PK11_FreeSlot(slot); - slot = NULL; - if (pms == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* If we don't have a certificate, we need to read out your public key. - * This changes a bit when we need to deal with the PQG stuff - */ - PORT_Memset(fortezza_CKE.y_signature, 0, sizeof fortezza_CKE.y_signature); - - /* Send the KEA public key and get the KEA private key. */ - if (ss->ssl3->clientCertificate != NULL) { - /* with client-auth */ - privKeaKey = sendFortezzaCKXClientAuth(ss, &fortezza_CKE); - } else { - /* without client-auth */ - privKeaKey = sendFortezzaCKXNoClientAuth(ss); - } - if (privKeaKey == NULL) { - rv = SECFailure; - goto loser; /* error was already set. */ - } - - /* Now we derive the TEK, and generate r_c the client's "random" public key. - * r_c is generated and filled in by the PubDerive call below. - */ - raItem.data = fortezza_CKE.r_c; - raItem.len = sizeof fortezza_CKE.r_c; - - /* R_s == server's "random" public key, sent in the Server Key Exchange */ - rbItem.data = ss->ssl3->fortezza.R_s; - rbItem.len = sizeof ss->ssl3->fortezza.R_s; - - tek = PK11_PubDerive(privKeaKey, serverKey, PR_TRUE, /* generate r_c */ - &raItem, &rbItem, CKM_KEA_KEY_DERIVE, - CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg); - SECKEY_DestroyPrivateKey(privKeaKey); - privKeaKey = NULL; - if (tek == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); /* can't fail. */ - - /* encrypt the pms with the TEK. - * NB: PK11_WrapSymKey will generate and output the encrypted PMS - * AND the IV for decrypting the PMS. - */ - param.data = fortezza_CKE.master_secret_iv; - param.len = sizeof fortezza_CKE.master_secret_iv; - - enc_pms.data = fortezza_CKE.encrypted_preMasterSecret; - enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret; - - rv = PK11_WrapSymKey(CKM_SKIPJACK_CBC64, ¶m, tek, pms, &enc_pms); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - rv = SECFailure; /* not there yet. */ - - slot = PK11_GetSlotFromKey(tek); - - ssl_GetSpecWriteLock(ss); releaseSpecWriteLock = PR_TRUE; - - pwSpec = ss->ssl3->pwSpec; - pwSpec->client.write_key = client_write_key = - PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, 0, pwArg); - if (client_write_key == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - /* the -1 is a hack. It's supposed to be key size, but we use it - * to tell the wrapper that we're doing a weird PKCS #11 key gen. - * Usually the result of key gen is an encrypt key. This is not - * the case with SSL, where this key is a decrypt key. - */ - pwSpec->server.write_key = server_write_key = - PK11_KeyGen(slot, CKM_SKIPJACK_CBC64, NULL, -1, pwArg); - if (server_write_key == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - rv = ssl3_InitPendingCipherSpec(ss, pms); - PK11_FreeSymKey(pms); pms = NULL; - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* copy the keys and IVs out now */ - item.data = fortezza_CKE.wrapped_client_write_key; - item.len = sizeof fortezza_CKE.wrapped_client_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, client_write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - item.data = fortezza_CKE.wrapped_server_write_key; - item.len = sizeof fortezza_CKE.wrapped_server_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, tek, server_write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* we only get the generated IV's if we're doing skipjack. */ - if (pwSpec->cipher_def->calg == calg_fortezza) { - PORT_Memcpy(fortezza_CKE.client_write_iv, pwSpec->client.write_iv, - sizeof fortezza_CKE.client_write_iv); - PORT_Memcpy(fortezza_CKE.server_write_iv, pwSpec->server.write_iv, - sizeof fortezza_CKE.server_write_iv); - } else { - /* generate IVs to make old servers happy */ - rv = PK11_GenerateFortezzaIV(client_write_key, - fortezza_CKE.client_write_iv, - sizeof fortezza_CKE.client_write_iv); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - rv = PK11_GenerateFortezzaIV(server_write_key, - fortezza_CKE.server_write_iv, - sizeof fortezza_CKE.server_write_iv); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - } - - /* NOTE: This technique of writing out the struct, rather than writing - * out the individual members works only because all the rest of the - * values are fixed-length strings of well-defined byte order. - * Add one SECItem or one Number and we will need to break the elements out. - */ - rv = ssl3_AppendHandshake(ss, &fortezza_CKE.r_c, - (sizeof fortezza_CKE - sizeof fortezza_CKE.y_c)); - if (rv != SECSuccess) { - goto loser; /* err was set by AppendHandshake. */ - } - - /* now we initialize our contexts */ - sid->u.ssl3.hasFortezza = PR_TRUE; - sid->u.ssl3.tek = tek; tek = NULL; /* adopt.. */ - - if (pwSpec->cipher_def->calg == calg_fortezza) { - sid->u.ssl3.clientWriteKey = - PK11_ReferenceSymKey(pwSpec->client.write_key); - sid->u.ssl3.serverWriteKey= - PK11_ReferenceSymKey(pwSpec->server.write_key); - - PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, - pwSpec->client.write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, - pwSpec->server.write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - rv = PK11_SaveContext((PK11Context *)pwSpec->encodeContext, - sid->u.ssl3.clientWriteSave, - &sid->u.ssl3.clientWriteSaveLen, - sizeof sid->u.ssl3.clientWriteSave); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - } else { - PK11_FreeSymKey(client_write_key); - pwSpec->client.write_key = client_write_key = NULL; - - PK11_FreeSymKey(server_write_key); - pwSpec->server.write_key = server_write_key = NULL; - - rv = SECSuccess; - } - /* FALL THROUGH */ - -loser: - if (tek) PK11_FreeSymKey(tek); - if (slot) PK11_FreeSlot(slot); - if (pms) PK11_FreeSymKey(pms); - if (rv != SECSuccess) { - if (client_write_key) { - PK11_FreeSymKey(client_write_key); - pwSpec->client.write_key = client_write_key = NULL; - } - if (server_write_key) { - PK11_FreeSymKey(server_write_key); - pwSpec->server.write_key = server_write_key = NULL; - } - } - if (releaseSpecWriteLock) - ssl_GetSpecWriteLock(ss); - return rv; -} /* Called from ssl3_HandleServerHelloDone(). */ static SECStatus @@ -4290,10 +3746,6 @@ ssl3_SendClientKeyExchange(sslSocket *ss) rv = sendRSAClientKeyExchange(ss, serverKey); break; - case kt_fortezza: - rv = sendFortezzaClientKeyExchange(ss, serverKey); - break; - case kt_dh: rv = sendDHClientKeyExchange(ss, serverKey); break; @@ -4361,7 +3813,7 @@ ssl3_SendCertificateVerify(sslSocket *ss) PK11_FreeSlot(slot); } /* If we're doing RSA key exchange, we're all done with the private key - * here. Diffie-Hellman & Fortezza key exchanges need the client's + * here. Diffie-Hellman key exchanges need the client's * private key for the key exchange. */ if (ssl3->hs.kea_def->exchKeyType == kt_rsa) { @@ -4586,39 +4038,11 @@ ssl3_HandleServerHello(sslSocket *ss, SSL3Opaque *b, PRUint32 length) ss->sec.peerCert = CERT_DupCertificate(sid->peerCert); } - /* reload the FORTEZZA key material. These keys aren't generated - * by the master secret, but by the key exchange. We restart by - * reusing these keys. */ - if (sid->u.ssl3.hasFortezza) { - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(sid->u.ssl3.tek); - } - if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - ss->ssl3->pwSpec->client.write_key = - PK11_ReferenceSymKey(sid->u.ssl3.clientWriteKey); - ss->ssl3->pwSpec->server.write_key = - PK11_ReferenceSymKey(sid->u.ssl3.serverWriteKey); - /* add the tek later for pre-encrypted files */ - PORT_Memcpy(ss->ssl3->pwSpec->client.write_iv, - sid->u.ssl3.keys.client_write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(ss->ssl3->pwSpec->server.write_iv, - sid->u.ssl3.keys.server_write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - } /* NULL value for PMS signifies re-use of the old MS */ rv = ssl3_InitPendingCipherSpec(ss, NULL); if (rv != SECSuccess) { - goto alert_loser; /* err code was set by ssl3_InitPendingCipherSpec */ - } - if (ss->ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - rv = PK11_RestoreContext( - (PK11Context *)ss->ssl3->pwSpec->encodeContext, - sid->u.ssl3.clientWriteSave, - sid->u.ssl3.clientWriteSaveLen); - if (rv != SECSuccess) { - goto alert_loser; /* err is set. */ - } + goto alert_loser; /* err code was set */ } SECITEM_ZfreeItem(&sidBytes, PR_FALSE); return SECSuccess; @@ -4974,26 +4398,6 @@ ssl3_HandleServerKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length) return SECSuccess; #endif /* NSS_ENABLE_ECC */ - case kt_fortezza: - - /* Fortezza needs *BOTH* a server cert message - * and a server key exchange message. - */ - if (ss->ssl3->hs.ws == wait_server_cert) { - errCode = SSL_ERROR_RX_UNEXPECTED_SERVER_KEY_EXCH; - desc = unexpected_message; - goto alert_loser; - } - /* Get the server's "random" public key. */ - rv = ssl3_ConsumeHandshake(ss, ss->ssl3->fortezza.R_s, - sizeof ss->ssl3->fortezza.R_s, &b, &length); - if (rv != SECSuccess) { - goto loser; /* malformed */ - } - - ss->ssl3->hs.ws = wait_cert_request; - return SECSuccess; - default: desc = handshake_failure; errCode = SEC_ERROR_UNSUPPORTED_KEYALG; @@ -5407,7 +4811,6 @@ ssl3_NewSessionID(sslSocket *ss, PRBool is_server) sid->u.ssl3.resumable = PR_TRUE; sid->u.ssl3.policy = SSL_ALLOWED; - sid->u.ssl3.hasFortezza = PR_FALSE; sid->u.ssl3.clientWriteKey = NULL; sid->u.ssl3.serverWriteKey = NULL; sid->u.ssl3.tek = NULL; @@ -5456,12 +4859,8 @@ ssl3_SendServerHelloSequence(sslSocket *ss) */ kea_def = ss->ssl3->hs.kea_def; ss->ssl3->hs.usedStepDownKey = PR_FALSE; - if (kea_def->kea == kea_fortezza) { - rv = ssl3_SendServerKeyExchange(ss); - if (rv != SECSuccess) { - return rv; /* err code was set. */ - } - } else if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { + + if (kea_def->is_limited && kea_def->exchKeyType == kt_rsa) { /* see if we can legally use the key in the cert. */ int keyLen; /* bytes */ @@ -5717,7 +5116,6 @@ compression_found: * as if the client had sent us no sid to begin with, and make a new one. */ if (sid != NULL) do { - PK11SlotInfo * slot; PK11SymKey * wrapKey; /* wrapping key */ SECItem wrappedKey; /* wrapped key */ ssl3CipherSpec *pwSpec; @@ -5798,74 +5196,6 @@ compression_found: goto loser; } - /* reload the FORTEZZA key material. - * On Fortezza, the following keys & IVs are generated by the KEA, - * not from the PMS. Since we're not going to redo the KEA, we - * have to save & restore them for Fortezza. - * use kea because we haven't call InitCipher Specs yet...? - */ - if (ssl3->hs.suite_def->bulk_cipher_alg == cipher_fortezza) { - PK11SymKey * Ks; - SECItem item; - - PORT_Memcpy(pwSpec->client.write_iv, - sid->u.ssl3.keys.client_write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(pwSpec->server.write_iv, - sid->u.ssl3.keys.server_write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - /* Now, unwrap the client and server write keys with Ks */ - - /* get the slot that the fortezza server private key is in. */ - slot = PK11_GetSlotFromPrivateKey( - ss->serverCerts[kt_fortezza].serverKey); - if (slot == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, - ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto loser; - } - - /* unwrap client write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_client_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key; - - pwSpec->client.write_key = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (pwSpec->client.write_key == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto loser; - } - - /* unwrap server write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_server_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key; - - pwSpec->server.write_key = - PK11_UnwrapSymKey(Ks, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0); - if (pwSpec->server.write_key == NULL) { - PK11_FreeSymKey(pwSpec->client.write_key); - pwSpec->client.write_key = NULL; - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto loser; - } - /* Set flag that says "generate 8 byte random prefix plaintext." */ - PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */ - - } - if (haveSpecWriteLock) { ssl_ReleaseSpecWriteLock(ss); haveSpecWriteLock = PR_FALSE; @@ -6276,27 +5606,6 @@ const ssl3KEADef * kea_def = ss->ssl3->hs.kea_def; PORT_Free(signed_hash.data); return SECSuccess; - case kt_fortezza: - - /* Set server's "random" public key R_s to the email value == 1 */ - PORT_Memset(ss->ssl3->fortezza.R_s, 0, sizeof(ss->ssl3->fortezza.R_s)); - ss->ssl3->fortezza.R_s[127] = 1; - - /* don't waste time signing the random number */ - length = sizeof (ss->ssl3->fortezza.R_s) /*+ 2 + signed_hash.len*/; - - rv = ssl3_AppendHandshakeHeader(ss, server_key_exchange, length); - if (rv != SECSuccess) { - goto loser; /* err set by AppendHandshake. */ - } - - rv = ssl3_AppendHandshake( ss, &ss->ssl3->fortezza.R_s, - sizeof(ss->ssl3->fortezza.R_s)); - if (rv != SECSuccess) { - goto loser; /* err set by AppendHandshake. */ - } - return SECSuccess; - #ifdef NSS_ENABLE_ECC case kt_ecdh: /* Generate ephemeral ECDH key pair and send the public key */ @@ -6441,13 +5750,8 @@ const uint8 * certTypes; calen += 2 + name->len; } - if (ss->ssl3->hs.kea_def->exchKeyType == kt_fortezza) { - certTypes = fortezza_certificate_types; - certTypesLength = sizeof fortezza_certificate_types; - } else { - certTypes = certificate_types; - certTypesLength = sizeof certificate_types; - } + certTypes = certificate_types; + certTypesLength = sizeof certificate_types; length = 1 + certTypesLength + 2 + calen; @@ -6554,256 +5858,6 @@ loser: return SECFailure; } -/* -** Called from ssl3_HandleClientKeyExchange() -*/ -static SECStatus -ssl3_HandleFortezzaClientKeyExchange(sslSocket *ss, SSL3Opaque *b, - PRUint32 length, - SECKEYPrivateKey *serverKey) -{ - SECKEYPublicKey * pubKey = NULL; - PK11SymKey * tek = NULL; - PK11SymKey * pms; - PK11SymKey * Ks = NULL; - sslSessionID * sid = ss->sec.ci.sid; - ssl3CipherSpec * pwSpec = ss->ssl3->pwSpec; - void * pwArg = ss->pkcs11PinArg; - SECStatus rv; - SECItem raItem; - SECItem rbItem; - SECItem param; - SECItem item; - SECItem enc_pms; - SSL3FortezzaKeys fortezza_CKE; - - PORT_Assert( ssl_HaveRecvBufLock(ss) ); - PORT_Assert( ssl_HaveSSL3HandshakeLock(ss) ); - - fortezza_CKE.y_c.data = NULL; - rv = ssl3_ConsumeHandshakeVariable(ss, &fortezza_CKE.y_c, 1, &b, &length); - if (rv != SECSuccess) { - PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH); - goto fortezza_loser; - } - rv = ssl3_ConsumeHandshake(ss, &fortezza_CKE.r_c, - sizeof fortezza_CKE - sizeof fortezza_CKE.y_c, - &b, &length); - if (rv != SECSuccess) { - PORT_SetError(SSL_ERROR_RX_MALFORMED_CLIENT_KEY_EXCH); - goto fortezza_loser; - } - - /* Build a Token Encryption key (tek). TEK's can never be unloaded - * from the card, but given these parameters, and *OUR* fortezza - * card, we can always regenerate the same one on the fly. - */ - if (ss->sec.peerCert != NULL) { - /* client-auth case */ - - pubKey = CERT_ExtractPublicKey(ss->sec.peerCert); - if (pubKey == NULL) { - SEND_ALERT - PORT_SetError(SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE); - rv = SECFailure; - goto fortezza_loser; - } - - if (pubKey->keyType != fortezzaKey) { - /* handle V3 client-auth case */ - SECItem sigItem; - SECItem hashItem; - unsigned char hash[SHA1_LENGTH]; - - rv = ssl3_ComputeFortezzaPublicKeyHash(fortezza_CKE.y_c, hash); - if (rv != SECSuccess) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - sigItem.data = fortezza_CKE.y_signature; - sigItem.len = sizeof fortezza_CKE.y_signature; - - hashItem.data = hash; - hashItem.len = sizeof hash; - - rv = PK11_Verify(pubKey, &sigItem, &hashItem, pwArg); - if (rv != SECSuccess) { - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - SECKEY_DestroyPublicKey(pubKey); pubKey = NULL; - } - } - rv = SECFailure; - - /* Make the public key if necessary */ - if (fortezza_CKE.y_c.len != 0) { - if (pubKey != NULL) { - /* The client is not allowed to send the public key - * if it can be extracted from the certificate. */ - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - pubKey = PK11_MakeKEAPubKey(fortezza_CKE.y_c.data, - fortezza_CKE.y_c.len); - } - if (pubKey == NULL) { - /* no public Key in either the cert or the protocol message*/ - SSL3_SendAlert(ss, alert_fatal, illegal_parameter); - PORT_SetError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* Now we derive the TEK. r_c is the client's "random" public key. */ - raItem.data = fortezza_CKE.r_c; - raItem.len = sizeof(fortezza_CKE.r_c); - - /* R_s == server's "random" public key, sent in the Server Key Exchange */ - rbItem.data = ss->ssl3->fortezza.R_s; - rbItem.len = sizeof ss->ssl3->fortezza.R_s; - - tek = PK11_PubDerive(serverKey, pubKey, PR_FALSE, /* don't gen r_c */ - &raItem, &rbItem, CKM_KEA_KEY_DERIVE, - CKM_SKIPJACK_WRAP, CKA_WRAP, 0, pwArg); - SECKEY_DestroyPublicKey(pubKey); pubKey = NULL; - if (tek == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - ss->ssl3->fortezza.tek = PK11_ReferenceSymKey(tek); - - if (pwSpec->cipher_def->calg == calg_fortezza) { - item.data = fortezza_CKE.wrapped_client_write_key; - item.len = sizeof fortezza_CKE.wrapped_client_write_key; - - pwSpec->client.write_key = - PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_DECRYPT, 0); - if (pwSpec->client.write_key == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - - item.data = fortezza_CKE.wrapped_server_write_key; - item.len = sizeof fortezza_CKE.wrapped_server_write_key; - - pwSpec->server.write_key = - PK11_UnwrapSymKey(tek, CKM_SKIPJACK_WRAP, NULL, &item, - CKM_SKIPJACK_CBC64, CKA_ENCRYPT, 0); - if (pwSpec->server.write_key == NULL) { - PK11_FreeSymKey(pwSpec->client.write_key); - pwSpec->client.write_key = NULL; - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - /* Set a flag that says "generate 8 byte random prefix plaintext." */ - PK11_SetFortezzaHack(pwSpec->server.write_key); /* can't fail */ - - PORT_Memcpy(pwSpec->client.write_iv, fortezza_CKE.client_write_iv, - sizeof fortezza_CKE.client_write_iv); - PORT_Memcpy(pwSpec->server.write_iv, fortezza_CKE.server_write_iv, - sizeof fortezza_CKE.server_write_iv); - - } - - /* decrypt the pms with the TEK */ - enc_pms.data = fortezza_CKE.encrypted_preMasterSecret; - enc_pms.len = sizeof fortezza_CKE.encrypted_preMasterSecret; - - param.data = fortezza_CKE.master_secret_iv; - param.len = sizeof fortezza_CKE.master_secret_iv; - - pms = PK11_UnwrapSymKey(tek, CKM_SKIPJACK_CBC64, ¶m, &enc_pms, - CKM_SSL3_MASTER_KEY_DERIVE, CKA_DERIVE, 0); - if (pms == NULL) { - SEND_ALERT - ssl_MapLowLevelError(SSL_ERROR_SYM_KEY_UNWRAP_FAILURE); - goto fortezza_loser; - } - - rv = ssl3_InitPendingCipherSpec(ss, pms); - PK11_FreeSymKey(pms); - if (rv != SECSuccess) { - SEND_ALERT - goto fortezza_loser; /* err code is set. */ - } - - if (pwSpec->cipher_def->calg == calg_fortezza) { - PK11SlotInfo * slot; - - sid->u.ssl3.clientWriteKey = - PK11_ReferenceSymKey(pwSpec->client.write_key); - sid->u.ssl3.serverWriteKey = - PK11_ReferenceSymKey(pwSpec->server.write_key); - - PORT_Memcpy(sid->u.ssl3.keys.client_write_iv, pwSpec->client.write_iv, - sizeof sid->u.ssl3.keys.client_write_iv); - PORT_Memcpy(sid->u.ssl3.keys.server_write_iv, pwSpec->server.write_iv, - sizeof sid->u.ssl3.keys.server_write_iv); - - /* Now, wrap the client and server write keys in Ks for storage - * in the on-disk sid. - */ - - slot = PK11_GetSlotFromKey(tek); /* get ref to the slot */ - if (slot == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* Look up the Token Fixed Key */ - Ks = PK11_FindFixedKey(slot, CKM_SKIPJACK_WRAP, NULL, ss->pkcs11PinArg); - PK11_FreeSlot(slot); - if (Ks == NULL) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* rewrap server write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_server_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_server_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, - pwSpec->server.write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* rewrap client write key with the local Ks */ - item.data = sid->u.ssl3.keys.wrapped_client_write_key; - item.len = sizeof sid->u.ssl3.keys.wrapped_client_write_key; - rv = PK11_WrapSymKey(CKM_SKIPJACK_WRAP, NULL, Ks, - pwSpec->client.write_key, &item); - if (rv != SECSuccess) { - ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE); - goto fortezza_loser; - } - - /* wrap the master secret later, when we handle the client's - * finished message. - */ - } - - sid->u.ssl3.hasFortezza = PR_TRUE; - sid->u.ssl3.tek = tek; tek = NULL; - - rv = SECSuccess; - -fortezza_loser: - if (Ks) PK11_FreeSymKey(Ks); - if (tek) PK11_FreeSymKey(tek); - if (pubKey) SECKEY_DestroyPublicKey(pubKey); - if (fortezza_CKE.y_c.data != NULL) - SECITEM_FreeItem(&fortezza_CKE.y_c, PR_FALSE); - return rv; -} /* find a slot that is able to generate a PMS and wrap it with RSA. * Then generate and return the PMS. @@ -7109,12 +6163,6 @@ const ssl3KEADef * kea_def; } break; - case kt_fortezza: - rv = ssl3_HandleFortezzaClientKeyExchange(ss, b, length, serverKey); - if (rv != SECSuccess) { - return SECFailure; /* error code set */ - } - break; #ifdef NSS_ENABLE_ECC case kt_ecdh: @@ -7493,18 +6541,8 @@ ssl3_HandleCertificate(sslSocket *ss, SSL3Opaque *b, PRUint32 length) SECKEY_UpdateCertPQG(ss->sec.peerCert); /* - * We're making a fortezza connection, and the card hasn't unloaded it's - * certs, try to unload those certs now. + * Ask caller-supplied callback function to validate cert chain. */ - if (!trusted) { - CERTCertificate *ccert; - - ccert = PK11_FindBestKEAMatch(ss->sec.peerCert, ss->pkcs11PinArg); - if (ccert) - CERT_DestroyCertificate(ccert); - } - - rv = (SECStatus)(*ss->authCertificate)(ss->authCertificateArg, ss->fd, PR_TRUE, isServer); if (rv) { @@ -7597,7 +6635,6 @@ cert_block: ssl3->hs.ws = wait_cert_request; /* disallow server_key_exchange */ if (ssl3->hs.kea_def->is_limited || /* XXX OR server cert is signing only. */ - ssl3->hs.kea_def->kea == kea_fortezza || #ifdef NSS_ENABLE_ECC ssl3->hs.kea_def->kea == kea_ecdhe_ecdsa || ssl3->hs.kea_def->kea == kea_ecdhe_rsa || @@ -8625,7 +7662,6 @@ ssl3_InitState(sslSocket *ss) ssl3->hs.rehandshake = PR_FALSE; ssl3_InitCipherSpec(ss, ssl3->crSpec); ssl3_InitCipherSpec(ss, ssl3->prSpec); - ssl3->fortezza.tek = NULL; ssl3->hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello; ssl_ReleaseSpecWriteLock(ss); @@ -8994,9 +8030,6 @@ ssl3_DestroySSL3Info(ssl3State *ssl3) PK11_DestroyContext(ssl3->hs.sha,PR_TRUE); } - if (ssl3->fortezza.tek != NULL) { - PK11_FreeSymKey(ssl3->fortezza.tek); - } /* free the SSL3Buffer (msg_body) */ PORT_Free(ssl3->hs.msg_body.buf); diff --git a/mozilla/security/nss/lib/ssl/ssl3prot.h b/mozilla/security/nss/lib/ssl/ssl3prot.h index f68c12e27e2..3416b66f396 100644 --- a/mozilla/security/nss/lib/ssl/ssl3prot.h +++ b/mozilla/security/nss/lib/ssl/ssl3prot.h @@ -1,4 +1,4 @@ -/* +/* Private header file of libSSL. * Various and sundry protocol constants. DON'T CHANGE THESE. These * values are defined by the SSL 3.0 protocol specification. * @@ -38,7 +38,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: ssl3prot.h,v 1.6 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: ssl3prot.h,v 1.7 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #ifndef __ssl3proto_h_ #define __ssl3proto_h_ @@ -206,7 +206,6 @@ typedef enum { kea_dhe_rsa_export, kea_dh_anon, kea_dh_anon_export, - kea_fortezza, kea_rsa_fips, kea_ecdh_ecdsa, kea_ecdhe_ecdsa, @@ -259,7 +258,6 @@ typedef enum { ct_RSA_fixed_ECDH = 8, ct_ECDSA_fixed_ECDH = 9, - ct_Fortezza = 20 } SSL3ClientCertificateType; typedef SECItem *SSL3DistinquishedName; @@ -271,18 +269,6 @@ typedef struct { typedef SECItem SSL3EncryptedPreMasterSecret; -/* Following struct is the format of a Fortezza ClientKeyExchange message. */ -typedef struct { - SECItem y_c; - SSL3Opaque r_c [128]; - SSL3Opaque y_signature [40]; - SSL3Opaque wrapped_client_write_key [12]; - SSL3Opaque wrapped_server_write_key [12]; - SSL3Opaque client_write_iv [24]; - SSL3Opaque server_write_iv [24]; - SSL3Opaque master_secret_iv [24]; - SSL3Opaque encrypted_preMasterSecret[48]; -} SSL3FortezzaKeys; typedef SSL3Opaque SSL3MasterSecret[48]; @@ -299,7 +285,6 @@ typedef struct { union { SSL3EncryptedPreMasterSecret rsa; SSL3ClientDiffieHellmanPublic diffie_helman; - SSL3FortezzaKeys fortezza; } exchange_keys; } SSL3ClientKeyExchange; diff --git a/mozilla/security/nss/lib/ssl/sslauth.c b/mozilla/security/nss/lib/ssl/sslauth.c index 802e1780a83..6051024fa05 100644 --- a/mozilla/security/nss/lib/ssl/sslauth.c +++ b/mozilla/security/nss/lib/ssl/sslauth.c @@ -33,7 +33,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslauth.c,v 1.11 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: sslauth.c,v 1.12 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "cert.h" #include "secitem.h" #include "ssl.h" @@ -117,8 +117,7 @@ SSL_SecurityStatus(PRFileDesc *fd, int *op, char **cp, int *kp0, int *kp1, cipherName = ssl3_cipherName[ss->sec.cipherType]; } if (cipherName && PORT_Strstr(cipherName, "DES")) isDes = PR_TRUE; - /* do same key stuff for fortezza */ - + if (cp) { *cp = PORT_Strdup(cipherName); } diff --git a/mozilla/security/nss/lib/ssl/sslcon.c b/mozilla/security/nss/lib/ssl/sslcon.c index 55e96deda5e..fbc9a2ff199 100644 --- a/mozilla/security/nss/lib/ssl/sslcon.c +++ b/mozilla/security/nss/lib/ssl/sslcon.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslcon.c,v 1.24 2004-06-24 02:02:39 nelsonb%netscape.com Exp $ */ +/* $Id: sslcon.c,v 1.25 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "nssrenam.h" #include "cert.h" @@ -145,7 +145,7 @@ const char * const ssl_cipherName[] = { "DES-CBC", "DES-EDE3-CBC", "unknown", - "Fortezza", + "unknown", /* was fortezza, NO LONGER USED */ }; diff --git a/mozilla/security/nss/lib/ssl/sslenum.c b/mozilla/security/nss/lib/ssl/sslenum.c index 92ca7004ffd..93abdfd7ad9 100644 --- a/mozilla/security/nss/lib/ssl/sslenum.c +++ b/mozilla/security/nss/lib/ssl/sslenum.c @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslenum.c,v 1.9 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: sslenum.c,v 1.10 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "ssl.h" #include "sslproto.h" @@ -56,7 +56,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { TLS_RSA_WITH_AES_256_CBC_SHA, /* 128-bit */ - SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, #ifdef NSS_ENABLE_ECC TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, @@ -84,9 +83,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, - /* 80 bit skipjack */ - SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, /* KEA + SkipJack */ - /* 56-bit DES "domestic" cipher suites */ SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, @@ -106,7 +102,6 @@ const PRUint16 SSL_ImplementedCiphers[] = { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, /* ciphersuites with no encryption */ - SSL_FORTEZZA_DMS_WITH_NULL_SHA, #ifdef NSS_ENABLE_ECC TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, diff --git a/mozilla/security/nss/lib/ssl/sslimpl.h b/mozilla/security/nss/lib/ssl/sslimpl.h index 0d6c5a0e127..4909b2fcc2c 100644 --- a/mozilla/security/nss/lib/ssl/sslimpl.h +++ b/mozilla/security/nss/lib/ssl/sslimpl.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslimpl.h,v 1.36 2005-04-05 03:48:20 nelsonb%netscape.com Exp $ */ +/* $Id: sslimpl.h,v 1.37 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #ifndef __sslimpl_h_ #define __sslimpl_h_ @@ -84,7 +84,7 @@ typedef SSLSignType SSL3SignType; #define calg_des ssl_calg_des #define calg_3des ssl_calg_3des #define calg_idea ssl_calg_idea -#define calg_fortezza ssl_calg_fortezza +#define calg_fortezza ssl_calg_fortezza /* deprecated, must preserve */ #define calg_aes ssl_calg_aes #define mac_null ssl_mac_null @@ -414,7 +414,6 @@ typedef enum { cipher_3des, cipher_des40, cipher_idea, - cipher_fortezza, cipher_aes_128, cipher_aes_256, cipher_missing /* reserved for no such supported cipher */ @@ -522,7 +521,6 @@ struct sslSessionIDStr { SSL3CompressionMethod compression; PRBool resumable; int policy; - PRBool hasFortezza; ssl3SidKeys keys; CK_MECHANISM_TYPE masterWrapMech; /* mechanism used to wrap master secret */ @@ -560,11 +558,6 @@ struct sslSessionIDStr { char masterValid; char clAuthValid; - /* the following values are used only in the client, and only - * with fortezza. - */ - SSL3Opaque clientWriteSave[80]; - int clientWriteSaveLen; } ssl3; } u; }; @@ -660,12 +653,7 @@ const ssl3CipherSuiteDef *suite_def; /* protected by recvBufLock */ } SSL3HandshakeState; -struct SSL3FortezzaKEAParamsStr { - unsigned char R_s[128]; /* server's "random" public key */ - PK11SymKey * tek; -}; -typedef struct SSL3FortezzaKEAParamsStr SSL3FortezzaKEAParams; /* ** This is the "ssl3" struct, as in "ss->ssl3". @@ -704,7 +692,7 @@ struct ssl3StateStr { /* chain while we are trying to validate it. */ CERTDistNames * ca_list; /* used by server. trusted CAs for this socket. */ - SSL3FortezzaKEAParams fortezza; + }; typedef struct { diff --git a/mozilla/security/nss/lib/ssl/sslinfo.c b/mozilla/security/nss/lib/ssl/sslinfo.c index 99b59137042..3a5dc08e0b3 100644 --- a/mozilla/security/nss/lib/ssl/sslinfo.c +++ b/mozilla/security/nss/lib/ssl/sslinfo.c @@ -34,7 +34,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslinfo.c,v 1.9 2005-04-05 03:48:20 nelsonb%netscape.com Exp $ */ +/* $Id: sslinfo.c,v 1.10 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "ssl.h" #include "sslimpl.h" #include "sslproto.h" @@ -100,8 +100,6 @@ SSL_GetChannelInfo(PRFileDesc *fd, SSLChannelInfo *info, PRUintn len) return SECSuccess; } -#define kt_kea kt_fortezza -#define calg_sj calg_fortezza #define CS(x) x, #x #define CK(x) x | 0xff00, #x @@ -143,7 +141,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_DHE_DSS_WITH_AES_256_CBC_SHA), S_DSA, K_DHE, C_AES, B_256, M_SHA, 0, 0, 0, }, {0,CS(TLS_RSA_WITH_AES_256_CBC_SHA), S_RSA, K_RSA, C_AES, B_256, M_SHA, 0, 0, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_RC4_128_SHA), S_KEA, K_KEA, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA), S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA), S_RSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, }, {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA), S_DSA, K_DHE, C_AES, B_128, M_SHA, 0, 0, 0, }, @@ -156,7 +153,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, }, {0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA), S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA),S_KEA, K_KEA, C_SJ, B_SJ, M_SHA, 1, 0, 0, }, {0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA), S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA), S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, }, {0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 0, 1, }, @@ -166,7 +162,6 @@ static const SSLCipherSuiteInfo suiteInfo[] = { {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA), S_RSA, K_RSA, C_DES, B_DES, M_SHA, 1, 1, 0, }, {0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5), S_RSA, K_RSA, C_RC4, B_40, M_MD5, 0, 1, 0, }, {0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5), S_RSA, K_RSA, C_RC2, B_40, M_MD5, 0, 1, 0, }, -{0,CS(SSL_FORTEZZA_DMS_WITH_NULL_SHA), S_KEA, K_KEA, C_NULL,B_0, M_SHA, 0, 1, 0, }, {0,CS(SSL_RSA_WITH_NULL_SHA), S_RSA, K_RSA, C_NULL,B_0, M_SHA, 0, 1, 0, }, {0,CS(SSL_RSA_WITH_NULL_MD5), S_RSA, K_RSA, C_NULL,B_0, M_MD5, 0, 1, 0, }, diff --git a/mozilla/security/nss/lib/ssl/sslproto.h b/mozilla/security/nss/lib/ssl/sslproto.h index 52e66c6e4b3..508bed293db 100644 --- a/mozilla/security/nss/lib/ssl/sslproto.h +++ b/mozilla/security/nss/lib/ssl/sslproto.h @@ -39,7 +39,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslproto.h,v 1.6 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: sslproto.h,v 1.7 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #ifndef __sslproto_h_ #define __sslproto_h_ @@ -139,9 +139,9 @@ #define SSL_DH_ANON_WITH_DES_CBC_SHA 0x001a #define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA 0x001b -#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c -#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d -#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e +#define SSL_FORTEZZA_DMS_WITH_NULL_SHA 0x001c /* deprecated */ +#define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA 0x001d /* deprecated */ +#define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA 0x001e /* deprecated */ /* New TLS cipher suites */ #define TLS_RSA_WITH_AES_128_CBC_SHA 0x002F diff --git a/mozilla/security/nss/lib/ssl/sslsecur.c b/mozilla/security/nss/lib/ssl/sslsecur.c index 2ca54d7c189..fb6f82bd524 100644 --- a/mozilla/security/nss/lib/ssl/sslsecur.c +++ b/mozilla/security/nss/lib/ssl/sslsecur.c @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsecur.c,v 1.27 2005-04-05 03:48:20 nelsonb%netscape.com Exp $ */ +/* $Id: sslsecur.c,v 1.28 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "cert.h" #include "secitem.h" #include "keyhi.h" @@ -574,12 +574,7 @@ ssl_FindCertKEAType(CERTCertificate * cert) case SEC_OID_PKCS1_RSA_ENCRYPTION: keaType = kt_rsa; break; - case SEC_OID_MISSI_KEA_DSS_OLD: - case SEC_OID_MISSI_KEA_DSS: - case SEC_OID_MISSI_DSS_OLD: - case SEC_OID_MISSI_DSS: - keaType = kt_fortezza; - break; + case SEC_OID_X942_DIFFIE_HELMAN_KEY: keaType = kt_dh; break; diff --git a/mozilla/security/nss/lib/ssl/sslsnce.c b/mozilla/security/nss/lib/ssl/sslsnce.c index 34e9f635e7e..c242a87b3b9 100644 --- a/mozilla/security/nss/lib/ssl/sslsnce.c +++ b/mozilla/security/nss/lib/ssl/sslsnce.c @@ -36,7 +36,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsnce.c,v 1.31 2005-03-09 05:20:44 nelsonb%netscape.com Exp $ */ +/* $Id: sslsnce.c,v 1.32 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ /* Note: ssl_FreeSID() in sslnonce.c gets used for both client and server * cache sids! @@ -147,7 +147,7 @@ struct sidCacheEntryStr { /* 2 */ PRUint16 compression; /* SSL3CompressionMethod */ /*122 */ ssl3SidKeys keys; /* keys and ivs, wrapped as needed. */ -/* 1 */ PRUint8 hasFortezza; +/* 1 */ PRUint8 unused; /* was hasFortezza; */ /* 1 */ PRUint8 resumable; /* 4 */ PRUint32 masterWrapMech; @@ -442,7 +442,6 @@ ConvertFromSID(sidCacheEntry *to, sslSessionID *from) to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; to->u.ssl3.compression = (uint16)from->u.ssl3.compression; to->u.ssl3.resumable = from->u.ssl3.resumable; - to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza; to->u.ssl3.keys = from->u.ssl3.keys; to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; @@ -518,7 +517,6 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, to->u.ssl3.cipherSuite = from->u.ssl3.cipherSuite; to->u.ssl3.compression = (SSL3CompressionMethod)from->u.ssl3.compression; to->u.ssl3.resumable = from->u.ssl3.resumable; - to->u.ssl3.hasFortezza = from->u.ssl3.hasFortezza; to->u.ssl3.keys = from->u.ssl3.keys; to->u.ssl3.masterWrapMech = from->u.ssl3.masterWrapMech; to->u.ssl3.exchKeyType = from->u.ssl3.exchKeyType; @@ -544,8 +542,6 @@ ConvertToSID(sidCacheEntry *from, certCacheEntry *pcce, to->u.ssl3.clAuthSeries = 0; to->u.ssl3.clAuthValid = PR_FALSE; - to->u.ssl3.clientWriteSaveLen = 0; - if (from->u.ssl3.certIndex != -1 && pcce) { SECItem derCert; diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c index a24647ca9f3..e81871e2e9f 100644 --- a/mozilla/security/nss/lib/ssl/sslsock.c +++ b/mozilla/security/nss/lib/ssl/sslsock.c @@ -40,7 +40,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslsock.c,v 1.35 2005-04-05 03:48:20 nelsonb%netscape.com Exp $ */ +/* $Id: sslsock.c,v 1.36 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #include "seccomon.h" #include "cert.h" #include "keyhi.h" @@ -71,8 +71,6 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */ { SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL_ALLOWED, SSL_ALLOWED }, { SSL_EN_DES_64_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_RSA_WITH_RC4_128_MD5, SSL_RESTRICTED, SSL_NOT_ALLOWED }, { SSL_RSA_WITH_RC4_128_SHA, SSL_RESTRICTED, SSL_NOT_ALLOWED }, { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, @@ -81,7 +79,6 @@ static cipherPolicy ssl_ciphers[] = { /* Export France */ { SSL_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_ALLOWED, SSL_ALLOWED }, - { SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_NOT_ALLOWED, SSL_NOT_ALLOWED }, diff --git a/mozilla/security/nss/lib/ssl/sslt.h b/mozilla/security/nss/lib/ssl/sslt.h index e45327ccc75..0594fccc19a 100644 --- a/mozilla/security/nss/lib/ssl/sslt.h +++ b/mozilla/security/nss/lib/ssl/sslt.h @@ -37,7 +37,7 @@ * the terms of any one of the MPL, the GPL or the LGPL. * * ***** END LICENSE BLOCK ***** */ -/* $Id: sslt.h,v 1.6 2004-04-27 23:04:39 gerv%gerv.net Exp $ */ +/* $Id: sslt.h,v 1.7 2005-04-06 19:43:17 nelsonb%netscape.com Exp $ */ #ifndef __sslt_h_ #define __sslt_h_ @@ -66,7 +66,7 @@ typedef enum { ssl_kea_null = 0, ssl_kea_rsa = 1, ssl_kea_dh = 2, - ssl_kea_fortezza = 3, + ssl_kea_fortezza = 3, /* deprecated, now unused */ ssl_kea_ecdh = 4, ssl_kea_size /* number of ssl_kea_ algorithms */ } SSLKEAType; @@ -79,7 +79,7 @@ typedef enum { #define kt_null ssl_kea_null #define kt_rsa ssl_kea_rsa #define kt_dh ssl_kea_dh -#define kt_fortezza ssl_kea_fortezza +#define kt_fortezza ssl_kea_fortezza /* deprecated, now unused */ #define kt_ecdh ssl_kea_ecdh #define kt_kea_size ssl_kea_size @@ -105,7 +105,7 @@ typedef enum { ssl_calg_des = 3, ssl_calg_3des = 4, ssl_calg_idea = 5, - ssl_calg_fortezza = 6, /* skipjack */ + ssl_calg_fortezza = 6, /* deprecated, now unused */ ssl_calg_aes = 7 /* coming soon */ } SSLCipherAlgorithm; diff --git a/mozilla/security/nss/pkg/solaris/SUNWtlsd/prototype b/mozilla/security/nss/pkg/solaris/SUNWtlsd/prototype index aeff94f13a1..fd54289b313 100755 --- a/mozilla/security/nss/pkg/solaris/SUNWtlsd/prototype +++ b/mozilla/security/nss/pkg/solaris/SUNWtlsd/prototype @@ -38,7 +38,7 @@ # # ***** END LICENSE BLOCK ***** # -#ident "$Id: prototype,v 1.4 2005-02-28 17:45:19 christophe.ravel.bugs%sun.com Exp $" +#ident "$Id: prototype,v 1.5 2005-04-06 19:43:19 nelsonb%netscape.com Exp $" # # This required package information file contains a list of package contents. # The 'pkgmk' command uses this file to identify the contents of a package @@ -160,6 +160,4 @@ f none usr/include/mps/ssl.h 0644 root bin f none usr/include/mps/sslerr.h 0644 root bin f none usr/include/mps/sslproto.h 0644 root bin f none usr/include/mps/sslt.h 0644 root bin -f none usr/include/mps/swfort.h 0644 root bin -f none usr/include/mps/swfortt.h 0644 root bin f none usr/include/mps/watcomfx.h 0644 root bin