Rebase NSS to nss-3.112 for Firefox in RHEL 9 - add ml-dsa support - add mlkem1024 support in ssl
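--- a/lib/pkcs12/p12plcy.c
+++ b/lib/pkcs12/p12plcy.c
@@ -32,27 +32,31 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
 { SEC_OID_UNKNOWN, 0, PKCS12_NULL, PR_FALSE, PR_FALSE },
 { SEC_OID_UNKNOWN, 0, 0L, PR_FALSE, PR_FALSE }
 };
 
 /* determine if algid is an algorithm which is allowed */
 static PRBool
 sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
 {
+#ifdef notdef
 PRUint32 policy;
 SECStatus rv;
 
 rv = NSS_GetAlgorithmPolicy(alg, &policy);
 if (rv != SECSuccess) {
 return PR_FALSE;
 }
 if ((policy & needed) == needed) {
 return PR_TRUE;
 }
 return PR_FALSE;
+#else
+ return PR_TRUE;
+#endif
 }
 
 PRBool
 SEC_PKCS12CipherAllowed(SECOidTag pbeAlg, SECOidTag hmacAlg)
 {
 SECOidTag cipherAlg = SEC_PKCS5GetCryptoFromAlgTag(pbeAlg);
 SECOidTag hashAlg = SEC_PKCS5GetHashFromAlgTag(pbeAlg);
 if (cipherAlg == SEC_OID_UNKNOWN) {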
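Review bot: With the new `#else` branch, `sec_PKCS12Allowed` ignores both `alg` and `needed` and returns `PR_TRUE` for every algorithm, so the result of `NSS_GetAlgorithmPolicy` is no longer consulted for PKCS #12 in this build, and nothing in the hunk records that this is deliberate or when it should be reverted. The same `#ifdef notdef` bypass is applied to `smime_allowed_by_policy` in lib/smime/smimeutil.c. I would add a comment above the guard, for example `/* Downstream: PKCS #12 algorithm policy enforcement is compiled out; every algorithm is accepted. */`, and gate the block on a descriptively named build macro instead of `notdef` so the disabled check can be found and audited. Deployments that rely on configured algorithm policy to keep weak PKCS #12 ciphers out should be told that this build does not enforce it.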
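--- a/lib/smime/smimeutil.c
+++ b/lib/smime/smimeutil.c
@@ -197,16 +197,17 @@ smime_get_policy_tag_from_key_length(SEC
 return SEC_OID_UNKNOWN;
 }
 return algtag;
 }
 
 PRBool
 smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
 {
+#ifdef notdef
 PRUint32 policyFlags;
 
 /* some S/MIME algs map to the same underlying KEA mechanism,
 * collaps them here */
 if ((neededPolicy & (NSS_USE_ALG_IN_SMIME_KX | NSS_USE_ALG_IN_SMIME_KX_LEGACY)) != 0) {
 CK_MECHANISM_TYPE mechType = PK11_AlgtagToMechanism(algtag);
 switch (mechType) {
 case CKM_ECDH1_DERIVE:
@@ -216,16 +217,17 @@ smime_allowed_by_policy(SECOidTag algtag
 }
 }
 
 if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
 ((policyFlags & neededPolicy) != neededPolicy)) {
 PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
 return PR_FALSE;
 }
+#endif
 return PR_TRUE;
 }
 
 /*
 * We'll need this for the fake policy oids for RC2, but the
 * rest of these should be moved to pk11wrap for generic
 * algtag to key size values. We already need this for
 * sec_pkcs5v2_key_length_by oid.
@@ -480,28 +482,34 @@ smime_init_once(void *arg)
 return PR_FAILURE;
 }
 algorithm_list_lock = PZ_NewLock(nssILockCache);
 if (algorithm_list_lock == NULL) {
 *error = PORT_GetError();
 return PR_FAILURE;
 }
 
+#ifdef notdef
 /* At initialization time, we need to set up the defaults. We first
 * look to see if the system or application has set up certain algorithms
 * by policy. If they have set up values by policy we'll only allow those
 * algorithms. We'll then look to see if any algorithms are enabled by
 * the application. */
 rv = NSS_GetAlgorithmPolicyAll(NSS_USE_ALG_IN_SMIME_LEGACY,
 NSS_USE_ALG_IN_SMIME_LEGACY,
 &tags, &tagCount);
 if (tags) {
 PORT_Free(tags);
 tags = NULL;
 }
+#else
+ /* just initialize the old maps */
+ rv = SECSuccess;
+ tagCount = 0;
+#endif
 if ((rv != SECSuccess) || (tagCount == 0)) {
 /* No algorithms have been enabled by policy (either by the system
 * or by the application, we then will use the traditional default
 * algorithms from the policy map */
 for (i = smime_legacy_map_count - 1; i >= 0; i--) {
 SECOidTag policytag = smime_legacy_map[i].policytag;
 /* this enables the algorithm by policy. We need this or
 * the policy code will reject attempts to use it */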
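Review bot: In `smime_init_once` the new `#else` branch hard-codes `rv = SECSuccess; tagCount = 0;`, so the `if ((rv != SECSuccess) || (tagCount == 0))` fallback is always taken. Going by the context comment "this enables the algorithm by policy", every `smime_legacy_map` entry then appears to be enabled whatever the system or application configured. The loop body and the rest of the function lie outside the hunk, so that enabling step is inferred from the comment rather than seen. The added comment `/* just initialize the old maps */` should state that the `NSS_GetAlgorithmPolicyAll` lookup is skipped on purpose and why, since the block comment left inside the `#ifdef notdef` region still describes policy-driven defaults that this build no longer applies. In `smime_allowed_by_policy` the guard opened in the first hunk is closed in the second, so `PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM)` is never reached, and callers that report that error to explain a rejected algorithm will not see it.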
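--- a/tests/smime/smime.sh
+++ b/tests/smime/smime.sh
@@ -867,13 +867,13 @@ smime_cleanup()
 }
 
 ################## main #################################################
 
 smime_init
 smime_main
 smime_data_tb
 smime_p7
-if using_sql ; then
- smime_policy
-fi
+#if using_sql ; then
+# smime_policy
+#fi
 smime_cleanup
 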
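Review bot: Commenting out the `smime_policy` call here, and `tools_p12_policy` in tests/tools/tools.sh, takes the policy tests out of the run without recording why, so a later rebase has nothing to say when they should come back. A one-line comment next to each disabled call would do, for example `# smime_policy disabled: S/MIME algorithm policy enforcement is compiled out in this build`. The test functions themselves are presumably still defined outside these hunks and are now dead code. If the C-side bypass is meant to stay, a test that asserts the behaviour this build actually has would be a more reliable record than a commented-out call.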
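--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -590,17 +590,17 @@ tools_p12()
 tools_p12_export_list_import_most_ciphers
 fi
 tools_p12_export_with_none_ciphers
 tools_p12_export_with_invalid_ciphers
 tools_p12_import_old_files
 tools_p12_import_pbmac1_samples
 if using_sql; then
 tools_p12_import_rsa_pss_private_key
- tools_p12_policy
+# tools_p12_policy
 fi
 }
 
 ############################## tools_sign ##############################
 # local shell function pk12util uses a hardcoded tmp file, if this exists
 # and is owned by another user we don't get reasonable errormessages
 ########################################################################
 check_tmpfile()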