NSSLOWInitContext * NSSLOW_Init(void) { #ifdef FREEBL_NO_DEPEND (void)FREEBL_InitStubs(); #endif /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ if (nsslow_GetFIPSEnabled()) { if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); post_failed = PR_TRUE; return NULL; } } post_failed = PR_FALSE; return &dummyContext; }
static PRBool blapi_SHVerifyFile(const char *shName, PRBool self) { char *checkName = NULL; PRFileDesc *checkFD = NULL; PRFileDesc *shFD = NULL; void *hashcx = NULL; const SECHashObject *hashObj = NULL; SECItem signature = { 0, NULL, 0 }; SECItem hash; int bytesRead, offset; SECStatus rv; DSAPublicKey key; int count; #ifdef FREEBL_USE_PRELINK int pid = 0; #endif PRBool result = PR_FALSE; /* if anything goes wrong, * the signature does not verify */ unsigned char buf[4096]; unsigned char hashBuf[HASH_LENGTH_MAX]; PORT_Memset(&key,0,sizeof(key)); hash.data = hashBuf; hash.len = sizeof(hashBuf); /* If our integrity check was never ran or failed, fail any other * integrity checks to prevent any token going into FIPS mode. */ if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) { return PR_FALSE; } if (!shName) { goto loser; } /* figure out the name of our check file */ checkName = mkCheckFileName(shName); if (!checkName) { goto loser; } /* open the check File */ checkFD = PR_Open(checkName, PR_RDONLY, 0); if (checkFD == NULL) { #ifdef DEBUG_SHVERIFY fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", checkName, (int)PR_GetError(), (int)PR_GetOSError()); #endif /* DEBUG_SHVERIFY */ goto loser; } /* read and Verify the headerthe header */ bytesRead = PR_Read(checkFD, buf, 12); if (bytesRead != 12) { goto loser; } if ((buf[0] != NSS_SIGN_CHK_MAGIC1) || (buf[1] != NSS_SIGN_CHK_MAGIC2)) { goto loser; } if ((buf[2] != NSS_SIGN_CHK_MAJOR_VERSION) || (buf[3] < NSS_SIGN_CHK_MINOR_VERSION)) { goto loser; } #ifdef notdef if (decodeInt(&buf[8]) != CKK_DSA) { goto loser; } #endif /* seek past any future header extensions */ offset = decodeInt(&buf[4]); if (PR_Seek(checkFD, offset, PR_SEEK_SET) < 0) { goto loser; } /* read the key */ rv = readItem(checkFD,&key.params.prime); if (rv != SECSuccess) { goto loser; } rv = readItem(checkFD,&key.params.subPrime); if (rv != SECSuccess) { goto loser; } rv = readItem(checkFD,&key.params.base); if (rv != SECSuccess) { goto loser; } rv = readItem(checkFD,&key.publicValue); if (rv != SECSuccess) { goto loser; } /* read the siganture */ rv = readItem(checkFD,&signature); if (rv != SECSuccess) { goto loser; } /* done with the check file */ PR_Close(checkFD); checkFD = NULL; hashObj = HASH_GetRawHashObject(PQG_GetHashType(&key.params)); if (hashObj == NULL) { goto loser; } /* open our library file */ #ifdef FREEBL_USE_PRELINK shFD = bl_OpenUnPrelink(shName,&pid); #else shFD = PR_Open(shName, PR_RDONLY, 0); #endif if (shFD == NULL) { #ifdef DEBUG_SHVERIFY fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", shName, (int)PR_GetError(), (int)PR_GetOSError()); #endif /* DEBUG_SHVERIFY */ goto loser; } /* hash our library file with SHA1 */ hashcx = hashObj->create(); if (hashcx == NULL) { goto loser; } hashObj->begin(hashcx); count = 0; while ((bytesRead = PR_Read(shFD, buf, sizeof(buf))) > 0) { hashObj->update(hashcx, buf, bytesRead); count += bytesRead; } #ifdef FREEBL_USE_PRELINK bl_CloseUnPrelink(shFD, pid); #else PR_Close(shFD); #endif shFD = NULL; hashObj->end(hashcx, hash.data, &hash.len, hash.len); /* verify the hash against the check file */ if (DSA_VerifyDigest(&key, &signature, &hash) == SECSuccess) { result = PR_TRUE; } #ifdef DEBUG_SHVERIFY { int i,j; fprintf(stderr,"File %s: %d bytes\n",shName, count); fprintf(stderr," hash: %d bytes\n", hash.len); #define STEP 10 for (i=0; i < hash.len; i += STEP) { fprintf(stderr," "); for (j=0; j < STEP && (i+j) < hash.len; j++) { fprintf(stderr," %02x", hash.data[i+j]); } fprintf(stderr,"\n"); } fprintf(stderr," signature: %d bytes\n", signature.len); for (i=0; i < signature.len; i += STEP) { fprintf(stderr," "); for (j=0; j < STEP && (i+j) < signature.len; j++) { fprintf(stderr," %02x", signature.data[i+j]); } fprintf(stderr,"\n"); } fprintf(stderr,"Verified : %s\n",result?"TRUE": "FALSE"); } #endif /* DEBUG_SHVERIFY */ loser: if (checkName != NULL) { PORT_Free(checkName); } if (checkFD != NULL) { PR_Close(checkFD); } if (shFD != NULL) { PR_Close(shFD); } if (hashcx != NULL) { if (hashObj) { hashObj->destroy(hashcx,PR_TRUE); } } if (signature.data != NULL) { PORT_Free(signature.data); } if (key.params.prime.data != NULL) { PORT_Free(key.params.prime.data); } if (key.params.subPrime.data != NULL) { PORT_Free(key.params.subPrime.data); } if (key.params.base.data != NULL) { PORT_Free(key.params.base.data); } if (key.publicValue.data != NULL) { PORT_Free(key.publicValue.data); } return result; }