import UBI nss-3.90.0-4.el8_9
This commit is contained in:
parent
69f2c418a9
commit
0df7624fca
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,3 +1,4 @@
|
||||
SOURCES/NameConstraints_Certs.tar
|
||||
SOURCES/blank-cert8.db
|
||||
SOURCES/blank-cert9.db
|
||||
SOURCES/blank-key3.db
|
||||
|
@ -1,3 +1,4 @@
|
||||
39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
|
||||
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
|
||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
|
||||
|
949
SOURCES/blinding_ct.patch
Normal file
949
SOURCES/blinding_ct.patch
Normal file
@ -0,0 +1,949 @@
|
||||
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
|
||||
--- a/lib/freebl/mpi/mpi-priv.h
|
||||
+++ b/lib/freebl/mpi/mpi-priv.h
|
||||
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
|
||||
mp_digit b, mp_digit *c);
|
||||
|
||||
#endif
|
||||
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
|
||||
mp_size a_len, mp_digit b,
|
||||
mp_digit *c);
|
||||
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
|
||||
+ mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len);
|
||||
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
|
||||
mp_size a_len,
|
||||
mp_digit *sqrs);
|
||||
|
||||
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
|
||||
mp_digit divisor, mp_digit *quot, mp_digit *rem);
|
||||
|
||||
/* c += a * b * (MP_RADIX ** offset); */
|
||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
||||
--- a/lib/freebl/mpi/mpi.c
|
||||
+++ b/lib/freebl/mpi/mpi.c
|
||||
@@ -5,16 +5,18 @@
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "mpi-priv.h"
|
||||
#include "mplogic.h"
|
||||
|
||||
+#include <assert.h>
|
||||
+
|
||||
#if defined(__arm__) && \
|
||||
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
|
||||
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
|
||||
#undef MP_ASSEMBLY_MULTIPLY
|
||||
#undef MP_ASSEMBLY_SQUARE
|
||||
#endif
|
||||
|
||||
#if MP_LOGTAB
|
||||
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
|
||||
} /* end mp_sub() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
-/* {{{ mp_mul(a, b, c) */
|
||||
+/* {{{ s_mp_mulg(a, b, c) */
|
||||
|
||||
/*
|
||||
- mp_mul(a, b, c)
|
||||
-
|
||||
- Compute c = a * b. All parameters may be identical.
|
||||
+ s_mp_mulg(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
|
||||
+ then the operations are done in constant time. The original is mostly
|
||||
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
|
||||
+ of the x86 assembler, as well as the current c code.
|
||||
*/
|
||||
mp_err
|
||||
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
|
||||
{
|
||||
mp_digit *pb;
|
||||
mp_int tmp;
|
||||
mp_err res;
|
||||
mp_size ib;
|
||||
mp_size useda, usedb;
|
||||
|
||||
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
|
||||
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
}
|
||||
|
||||
MP_USED(c) = 1;
|
||||
MP_DIGIT(c, 0) = 0;
|
||||
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
|
||||
goto CLEANUP;
|
||||
|
||||
#ifdef NSS_USE_COMBA
|
||||
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
+ /* comba isn't constant time because it clamps! If we cared
|
||||
+ * (we needed a constant time version of multiply that was 'faster'
|
||||
+ * we could easily pass constantTime down to the comba code and
|
||||
+ * get it to skip the clamp... but here are assembler versions
|
||||
+ * which add comba to platforms that can't compile the normal
|
||||
+ * comba's imbedded assembler which would also need to change, so
|
||||
+ * for now we just skip comba when we are running constant time. */
|
||||
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
if (MP_USED(a) == 4) {
|
||||
s_mp_mul_comba_4(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
if (MP_USED(a) == 8) {
|
||||
s_mp_mul_comba_8(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
|
||||
/* Outer loop: Digits of b */
|
||||
useda = MP_USED(a);
|
||||
usedb = MP_USED(b);
|
||||
for (ib = 1; ib < usedb; ib++) {
|
||||
mp_digit b_i = *pb++;
|
||||
|
||||
/* Inner product: Digits of a */
|
||||
- if (b_i)
|
||||
+ if (constantTime || b_i)
|
||||
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
|
||||
else
|
||||
MP_DIGIT(c, ib + useda) = b_i;
|
||||
}
|
||||
|
||||
- s_mp_clamp(c);
|
||||
+ if (!constantTime) {
|
||||
+ s_mp_clamp(c);
|
||||
+ }
|
||||
|
||||
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
|
||||
SIGN(c) = ZPOS;
|
||||
else
|
||||
SIGN(c) = NEG;
|
||||
|
||||
CLEANUP:
|
||||
mp_clear(&tmp);
|
||||
return res;
|
||||
+} /* end smp_mulg() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_mul(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mul(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+{
|
||||
+ return s_mp_mulg(a, b, c, 0);
|
||||
} /* end mp_mul() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulCT(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulCT(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. In constant time. Parameters may not be identical.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ /* make the multiply values fixed length so multiply
|
||||
+ * doesn't leak the length. at this point all the
|
||||
+ * values are blinded, but once we finish we want the
|
||||
+ * output size to be hidden (so no clamping the out put) */
|
||||
+ MP_CHECKOK(s_mp_pad(a, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(b, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
|
||||
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_mulCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqr(a, sqr) */
|
||||
|
||||
#if MP_SQUARE
|
||||
/*
|
||||
Computes the square of a. This can be done more
|
||||
efficiently than a general multiplication, because many of the
|
||||
computation steps are redundant when squaring. The inner product
|
||||
step is a bit more complicated, but we save a fair number of
|
||||
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
|
||||
}
|
||||
|
||||
return MP_OKAY;
|
||||
|
||||
} /* end mp_mod() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
|
||||
+
|
||||
+/*
|
||||
+ s_mp_subCT_d(a, b, borrow, c)
|
||||
+
|
||||
+ Compute c = (a -b) - subtract in constant time. returns borrow
|
||||
+ */
|
||||
+mp_digit
|
||||
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
|
||||
+ mp_digit borrow1, borrow2, t;
|
||||
+#ifdef MP_COMPILER_USES_CARRY
|
||||
+ /* while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction */
|
||||
+ t = a - borrow;
|
||||
+ if (t > a) {
|
||||
+ borrow1 = 1;
|
||||
+ } else {
|
||||
+ borrow1 = 0;
|
||||
+ }
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t) {
|
||||
+ borrow2 = 1;
|
||||
+ } else {
|
||||
+ borrow2 = 0;
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit bitr, bitb, nbitt;
|
||||
+ /* this is constant time independent of compilier */
|
||||
+ t = a - borrow;
|
||||
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
|
||||
+ *ret = t - b;
|
||||
+ bitb = b >> (MP_DIGIT_BIT-1);
|
||||
+ bitr = *ret >> (MP_DIGIT_BIT-1);
|
||||
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
|
||||
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
|
||||
+#endif
|
||||
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
|
||||
+ * the overall borrow is 1, so use | here */
|
||||
+ return borrow1 | borrow2;
|
||||
+} /* s_mp_subCT_d() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_subCT(a, b, ret, borrow) */
|
||||
+
|
||||
+/* return ret= a - b and borrow in borrow. done in constant time.
|
||||
+ * b could be modified.
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_size i;
|
||||
+ mp_err res;
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(b, used_a));
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ *borrow = 0;
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
|
||||
+ &MP_DIGIT(ret,i));
|
||||
+ }
|
||||
+
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_subCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_selectCT(cond, a, b, ret) */
|
||||
+
|
||||
+/*
|
||||
+ * return ret= cond ? a : b; cond should be either 0 or 1
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_err res;
|
||||
+ mp_size i;
|
||||
+
|
||||
+ cond *= MP_DIGIT_MAX;
|
||||
+
|
||||
+ /* we currently require these to be equal on input,
|
||||
+ * we could use pad to extend one of them, but that might
|
||||
+ * leak data as it wouldn't be constant time */
|
||||
+ assert(used_a == MP_USED(b));
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
|
||||
+ }
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_selectCT() */
|
||||
+
|
||||
+
|
||||
+/* {{{ mp_reduceCT(a, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_reduceCT(a, m, c)
|
||||
+
|
||||
+ Compute c = aR^-1 (mod m) in constant time.
|
||||
+ input should be in montgomery form. If input is the
|
||||
+ result of a montgomery multiply then out put will be
|
||||
+ in mongomery form.
|
||||
+ Result will be reduced to MP_USED(m), but not be
|
||||
+ clamped.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
|
||||
+{
|
||||
+ mp_size used_m = MP_USED(m);
|
||||
+ mp_size used_c = used_m*2+1;
|
||||
+ mp_digit *m_digits, *c_digits;
|
||||
+ mp_size i;
|
||||
+ mp_digit borrow, carry;
|
||||
+ mp_err res;
|
||||
+ mp_int sub;
|
||||
+
|
||||
+ MP_DIGITS(&sub) = 0;
|
||||
+ MP_CHECKOK(mp_init_size(&sub,used_m));
|
||||
+
|
||||
+ if (a != c) {
|
||||
+ MP_CHECKOK(mp_copy(a, c));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_pad(c, used_c));
|
||||
+ m_digits = MP_DIGITS(m);
|
||||
+ c_digits = MP_DIGITS(c);
|
||||
+ for (i=0; i < used_m; i++) {
|
||||
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
|
||||
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
|
||||
+ }
|
||||
+ s_mp_rshd(c, used_m);
|
||||
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
|
||||
+ * from the previous multiply, save that carry and drop the high
|
||||
+ * word for the substraction below */
|
||||
+ carry = MP_DIGIT(c,used_m);
|
||||
+ MP_DIGIT(c,used_m) = 0;
|
||||
+ MP_USED(c) = used_m;
|
||||
+ /* mp_subCT wants c and m to be the same size, we've already
|
||||
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
|
||||
+ * modify m, so it's safe to recast */
|
||||
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
|
||||
+
|
||||
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
|
||||
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ mp_clear(&sub);
|
||||
+ return res;
|
||||
+} /* end mp_reduceCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_mod_d(a, d, c) */
|
||||
|
||||
/*
|
||||
mp_mod_d(a, d, c)
|
||||
|
||||
Compute c = a (mod d). Result will always be 0 <= c < d
|
||||
*/
|
||||
mp_err
|
||||
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
|
||||
if ((res = mp_mod(c, m, c)) != MP_OKAY)
|
||||
return res;
|
||||
|
||||
return MP_OKAY;
|
||||
}
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulmontmodCT(a, b, m, c)
|
||||
+
|
||||
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
|
||||
+ should be in montgomery form and the output is native. If both a and b
|
||||
+ are in montgomery form, then the output will also be in montgomery form
|
||||
+ and can be recovered with an mp_reduceCT call.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
|
||||
+ mp_int *c)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
|
||||
+
|
||||
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ return MP_OKAY;
|
||||
+}
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqrmod(a, m, c) */
|
||||
|
||||
#if MP_SQUARE
|
||||
mp_err
|
||||
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
|
||||
{ \
|
||||
mp_digit a0b1, a1b0; \
|
||||
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
|
||||
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
|
||||
a1b0 += a0b1; \
|
||||
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
|
||||
- if (a1b0 < a0b1) \
|
||||
- Phi += MP_HALF_RADIX; \
|
||||
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
|
||||
a1b0 <<= MP_HALF_DIGIT_BIT; \
|
||||
Plo += a1b0; \
|
||||
- if (Plo < a1b0) \
|
||||
- ++Phi; \
|
||||
+ Phi += MP_CT_LTU(Plo, a1b0); \
|
||||
}
|
||||
#endif
|
||||
|
||||
+/* Constant time version of s_mpv_mul_d_add_prop.
|
||||
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
|
||||
+/* c += a * b */
|
||||
+void
|
||||
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len)
|
||||
+{
|
||||
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
+ mp_digit d = 0;
|
||||
+
|
||||
+ c_len -= a_len;
|
||||
+ /* Inner product: Digits of a */
|
||||
+ while (a_len--) {
|
||||
+ mp_word w = ((mp_word)b * *a++) + *c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_word w = (mp_word)*c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit carry = 0;
|
||||
+ c_len -= a_len;
|
||||
+ while (a_len--) {
|
||||
+ mp_digit a_i = *a++;
|
||||
+ mp_digit a0b0, a1b1;
|
||||
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
+
|
||||
+ a0b0 += carry;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, carry);
|
||||
+ a0b0 += a_i = *c;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, a_i);
|
||||
+
|
||||
+ *c++ = a0b0;
|
||||
+ carry = a1b1;
|
||||
+ }
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_digit c_i = *c;
|
||||
+ carry += c_i;
|
||||
+ *c++ = carry;
|
||||
+ carry = MP_CT_LTU(carry, c_i);
|
||||
+ }
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#if !defined(MP_ASSEMBLY_MULTIPLY)
|
||||
/* c = a * b */
|
||||
void
|
||||
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
||||
{
|
||||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
mp_digit d = 0;
|
||||
|
||||
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += a0b0 < carry;
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* c += a * b */
|
||||
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < carry);
|
||||
a0b0 += a_i = *c;
|
||||
- if (a0b0 < a_i)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < a_i);
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Presently, this is only used by the Montgomery arithmetic code. */
|
||||
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
|
||||
--- a/lib/freebl/mpi/mpi.h
|
||||
+++ b/lib/freebl/mpi/mpi.h
|
||||
@@ -145,16 +145,54 @@ typedef int mp_sword;
|
||||
#define MP_USED(MP) ((MP)->used)
|
||||
#define MP_ALLOC(MP) ((MP)->alloc)
|
||||
#define MP_DIGITS(MP) ((MP)->dp)
|
||||
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
|
||||
|
||||
/* This defines the maximum I/O base (minimum is 2) */
|
||||
#define MP_MAX_RADIX 64
|
||||
|
||||
+/* Constant Time Macros on mp_digits */
|
||||
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
|
||||
+
|
||||
+/* basic zero and non zero tests */
|
||||
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+
|
||||
+
|
||||
+/* basic constant-time helper macro for equalities and inequalities.
|
||||
+ * The inequalities will produce incorrect results if
|
||||
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
|
||||
+ * within the range 0-MP_DIGIT_MAX/2. */
|
||||
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
|
||||
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
|
||||
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
|
||||
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
|
||||
+#define MP_CT_TRUE ((mp_digit)1)
|
||||
+#define MP_CT_FALSE ((mp_digit)0)
|
||||
+
|
||||
+/* use constant time result to select a boolean value */
|
||||
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
|
||||
+
|
||||
+/* full inequalities that work with full mp_digit values */
|
||||
+#define MP_CT_OVERFLOW(a,b,c,d) \
|
||||
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
|
||||
+ (MP_CT_HIGH_TO_LOW(d)),c)
|
||||
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
|
||||
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
|
||||
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
|
||||
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
|
||||
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
|
||||
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
|
||||
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
|
||||
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
|
||||
+
|
||||
+
|
||||
typedef struct {
|
||||
mp_sign sign; /* sign of this quantity */
|
||||
mp_size alloc; /* how many digits allocated */
|
||||
mp_size used; /* how many digits used */
|
||||
mp_digit *dp; /* the digits themselves */
|
||||
} mp_int;
|
||||
|
||||
/* Default precision */
|
||||
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
|
||||
|
||||
/* Sign manipulations */
|
||||
mp_err mp_abs(const mp_int *a, mp_int *b);
|
||||
mp_err mp_neg(const mp_int *a, mp_int *b);
|
||||
|
||||
/* Full arithmetic */
|
||||
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
|
||||
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
|
||||
#if MP_SQUARE
|
||||
mp_err mp_sqr(const mp_int *a, mp_int *b);
|
||||
#else
|
||||
#define mp_sqr(a, b) mp_mul(a, a, b)
|
||||
#endif
|
||||
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
|
||||
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
|
||||
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
|
||||
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
|
||||
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
#else
|
||||
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
|
||||
#endif
|
||||
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
|
||||
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
|
||||
#endif /* MP_MODARITH */
|
||||
|
||||
+/* montgomery math */
|
||||
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
|
||||
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
|
||||
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
|
||||
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
|
||||
+
|
||||
/* Comparisons */
|
||||
int mp_cmp_z(const mp_int *a);
|
||||
int mp_cmp_d(const mp_int *a, mp_digit d);
|
||||
int mp_cmp(const mp_int *a, const mp_int *b);
|
||||
int mp_cmp_mag(const mp_int *a, const mp_int *b);
|
||||
int mp_isodd(const mp_int *a);
|
||||
int mp_iseven(const mp_int *a);
|
||||
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
|
||||
|
||||
/* Number theoretic */
|
||||
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
|
||||
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
|
||||
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
|
||||
--- a/lib/freebl/mpi/mpmontg.c
|
||||
+++ b/lib/freebl/mpi/mpmontg.c
|
||||
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
|
||||
}
|
||||
res = MP_OKAY;
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
#endif
|
||||
|
||||
-STATIC
|
||||
mp_err
|
||||
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
||||
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
/* xMont = x * R mod N where N is modulus */
|
||||
- MP_CHECKOK(mp_copy(x, xMont));
|
||||
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
|
||||
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
|
||||
+ if (x != xMont) {
|
||||
+ MP_CHECKOK(mp_copy(x, xMont));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
|
||||
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
|
||||
+mp_digit
|
||||
+mp_calculate_mont_n0i(const mp_int *N)
|
||||
+{
|
||||
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
|
||||
+}
|
||||
+
|
||||
#ifdef MP_USING_MONT_MULF
|
||||
|
||||
/* the floating point multiply is already cache safe,
|
||||
* don't turn on cache safe unless we specifically
|
||||
* force it */
|
||||
#ifndef MP_FORCE_CACHE_SAFE
|
||||
#undef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
#endif
|
||||
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
|
||||
MP_DIGITS(&accum1) = 0;
|
||||
|
||||
for (i = 0; i < MAX_ODD_INTS; ++i)
|
||||
oddPowers[i] = 0;
|
||||
|
||||
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
|
||||
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
MP_CHECKOK(s_mp_pad(&accum1, nLen));
|
||||
|
||||
oddPowSize = 2 * nLen + 1;
|
||||
dTmpSize = 2 * oddPowSize;
|
||||
dSize = sizeof(double) * (nLen * 4 + 1 +
|
||||
((odd_ints + 1) * oddPowSize) + dTmpSize);
|
||||
dBuf = malloc(dSize);
|
||||
if (!dBuf) {
|
||||
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
|
||||
for (i = 1; i < odd_ints; ++i) {
|
||||
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
|
||||
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
|
||||
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
|
||||
}
|
||||
|
||||
/* set accumulator to montgomery residue of 1 */
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
pa1 = &accum1;
|
||||
pa2 = &accum2;
|
||||
|
||||
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
|
||||
mp_size smallExp;
|
||||
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
|
||||
smallExp = (mp_size)res;
|
||||
|
||||
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
/* build the first WEAVE_WORD powers inline */
|
||||
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
|
||||
if (num_powers > 2) {
|
||||
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
|
||||
mp_set(&accum[0], 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
|
||||
MP_CHECKOK(mp_copy(montBase, &accum[1]));
|
||||
SQR(montBase, &accum[2]);
|
||||
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
|
||||
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
|
||||
if (!powersArray) {
|
||||
res = MP_MEM;
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
|
||||
if (first_window < 4) {
|
||||
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
|
||||
first_window = num_powers;
|
||||
}
|
||||
} else {
|
||||
if (first_window == 0) {
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
} else {
|
||||
/* assert first_window == 1? */
|
||||
MP_CHECKOK(mp_copy(montBase, &accum1));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* calculate all the powers in the powers array.
|
||||
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
|
||||
nLen = MP_USED(modulus);
|
||||
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
|
||||
|
||||
mmm.N = *modulus; /* a copy of the mp_int struct */
|
||||
|
||||
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
||||
** where n0 = least significant mp_digit of N, the modulus.
|
||||
*/
|
||||
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
|
||||
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
|
||||
|
||||
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
|
||||
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
|
||||
|
||||
bits_in_exponent = mpl_significant_bits(exponent);
|
||||
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
if (mp_using_cache_safe_exp) {
|
||||
if (bits_in_exponent > 780)
|
||||
window_bits = 6;
|
||||
else if (bits_in_exponent > 256)
|
||||
window_bits = 5;
|
||||
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
|
||||
--- a/lib/freebl/rsa.c
|
||||
+++ b/lib/freebl/rsa.c
|
||||
@@ -65,16 +65,18 @@ struct blindingParamsStr {
|
||||
** the Handbook of Applied Cryptography, 11.118-11.119.
|
||||
*/
|
||||
struct RSABlindingParamsStr {
|
||||
/* Blinding-specific parameters */
|
||||
PRCList link; /* link to list of structs */
|
||||
SECItem modulus; /* list element "key" */
|
||||
blindingParams *free, *bp; /* Blinding parameters queue */
|
||||
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
|
||||
+ /* precalculate montegomery reduction value */
|
||||
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
|
||||
};
|
||||
typedef struct RSABlindingParamsStr RSABlindingParams;
|
||||
|
||||
/*
|
||||
** RSABlindingParamsListStr
|
||||
**
|
||||
** List of key-specific blinding params. The arena holds the volatile pool
|
||||
** of memory for each entry and the list itself. The lock is for list
|
||||
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
|
||||
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
|
||||
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
|
||||
/* k < n */
|
||||
CHECK_MPI_OK(mp_mod(&k, n, &k));
|
||||
/* f = k**e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
|
||||
/* g = k**-1 mod n */
|
||||
CHECK_MPI_OK(mp_invmod(&k, n, g));
|
||||
+ /* g in montgomery form.. */
|
||||
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
|
||||
cleanup:
|
||||
if (kb)
|
||||
PORT_ZFree(kb, modLen);
|
||||
mp_clear(&k);
|
||||
mp_clear(&e);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
|
||||
* of rsabp->array pointer and must be set to NULL
|
||||
*/
|
||||
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
|
||||
|
||||
bp = rsabp->array;
|
||||
rsabp->bp = NULL;
|
||||
rsabp->free = bp;
|
||||
|
||||
+ /* precalculate montgomery reduction parameter */
|
||||
+ rsabp->n0i = mp_calculate_mont_n0i(n);
|
||||
+
|
||||
/* List elements are keyed using the modulus */
|
||||
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
||||
- mp_int *f, mp_int *g)
|
||||
+ mp_int *f, mp_int *g, mp_digit *n0i)
|
||||
{
|
||||
RSABlindingParams *rsabp = NULL;
|
||||
blindingParams *bpUnlinked = NULL;
|
||||
blindingParams *bp;
|
||||
PRCList *el;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err = MP_OKAY;
|
||||
int cmp = -1;
|
||||
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
|
||||
** head (since el would have looped back to the head).
|
||||
*/
|
||||
PR_INSERT_BEFORE(&rsabp->link, el);
|
||||
}
|
||||
|
||||
/* We've found (or created) the RSAblindingParams struct for this key.
|
||||
* Now, search its list of ready blinding params for a usable one.
|
||||
*/
|
||||
+ *n0i = rsabp->n0i;
|
||||
while (0 != (bp = rsabp->bp)) {
|
||||
#ifdef UNSAFE_FUZZER_MODE
|
||||
/* Found a match and there are still remaining uses left */
|
||||
/* Return the parameters */
|
||||
CHECK_MPI_OK(mp_copy(&bp->f, f));
|
||||
CHECK_MPI_OK(mp_copy(&bp->g, g));
|
||||
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
@@ -1426,16 +1434,17 @@ cleanup:
|
||||
rsabp->free = bp;
|
||||
}
|
||||
if (holdingLock) {
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
}
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
}
|
||||
+ *n0i = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
** Perform a raw private-key operation
|
||||
** Length of input and output buffers are equal to key's modulus len.
|
||||
*/
|
||||
static SECStatus
|
||||
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
PRBool check)
|
||||
{
|
||||
unsigned int modLen;
|
||||
unsigned int offset;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err;
|
||||
mp_int n, c, m;
|
||||
mp_int f, g;
|
||||
+ mp_digit n0i;
|
||||
if (!key || !output || !input) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
/* check input out of range (needs to be in range [0..n-1]) */
|
||||
modLen = rsa_modulusLen(&key->modulus);
|
||||
if (modLen == 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
CHECK_MPI_OK(mp_init(&f));
|
||||
CHECK_MPI_OK(mp_init(&g));
|
||||
SECITEM_TO_MPINT(key->modulus, &n);
|
||||
OCTETS_TO_MPINT(input, &c, modLen);
|
||||
/* If blinding, compute pre-image of ciphertext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
|
||||
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
|
||||
/* c' = c*f mod n */
|
||||
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
|
||||
}
|
||||
/* Do the private key operation m = c**d mod n */
|
||||
if (key->prime1.len == 0 ||
|
||||
key->prime2.len == 0 ||
|
||||
key->exponent1.len == 0 ||
|
||||
key->exponent2.len == 0 ||
|
||||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
} else {
|
||||
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
|
||||
}
|
||||
/* If blinding, compute post-image of plaintext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
/* m = m'*g mod n */
|
||||
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
|
||||
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
|
||||
}
|
||||
err = mp_to_fixlen_octets(&m, output, modLen);
|
||||
if (err >= 0)
|
||||
err = MP_OKAY;
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
mp_clear(&c);
|
||||
mp_clear(&m);
|
@ -15,11 +15,12 @@ typedef enum {
|
||||
SFTKFIPSECC, /* not just keys but specific curves */
|
||||
SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
|
||||
SFTKFIPSRSAPSS, /* make sure salt isn't too big */
|
||||
SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */
|
||||
SFTKFIPSPBKDF2, /* handle pbkdf2 FIPS restrictions */
|
||||
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
/* set according to your security policy */
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8
|
||||
|
||||
typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
|
||||
struct SFTKFIPSAlgorithmListStr {
|
||||
@ -27,6 +28,7 @@ struct SFTKFIPSAlgorithmListStr {
|
||||
CK_MECHANISM_INFO info;
|
||||
CK_ULONG step;
|
||||
SFTKFIPSSpecialClass special;
|
||||
size_t offset;
|
||||
};
|
||||
|
||||
SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
@ -50,7 +52,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
#define CKF_KPG CKF_GENERATE_KEY_PAIR
|
||||
#define CKF_GEN CKF_GENERATE
|
||||
#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
|
||||
#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT )
|
||||
#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_WRP (CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEA CKF_DERIVE
|
||||
#define CKF_KDF CKF_DERIVE
|
||||
@ -101,6 +105,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
/* -------------------- Elliptic Curve Operations --------------------- */
|
||||
{ CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
@ -115,10 +120,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
|
||||
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD },
|
||||
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
/* ------------------------- Hashing Operations ----------------------- */
|
||||
{ CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
@ -136,36 +141,41 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
/* ---------------------- SSL/TLS operations ------------------------- */
|
||||
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
|
||||
|
||||
/* ------------------------- HKDF Operations -------------------------- */
|
||||
{ CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
|
||||
{ CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
|
||||
{ CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
|
||||
/* ------------------ NIST 800-108 Key Derivations ------------------- */
|
||||
{ CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
/* --------------------IPSEC ----------------------- */
|
||||
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) },
|
||||
{ CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) },
|
||||
/* ------------------ PBE Key Derivations ------------------- */
|
||||
{ CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
|
||||
};
|
||||
|
42
SOURCES/nss-3.90-aes-gmc-indicator.patch
Normal file
42
SOURCES/nss-3.90-aes-gmc-indicator.patch
Normal file
@ -0,0 +1,42 @@
|
||||
diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
|
||||
--- a/lib/softoken/sftkmessage.c
|
||||
+++ b/lib/softoken/sftkmessage.c
|
||||
@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
|
||||
|
||||
CHECK_FORK();
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
+ if (context->isFIPS && (contextType == CKA_ENCRYPT)) {
|
||||
+ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ } else {
|
||||
+ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
|
||||
+ switch (p->ivGenerator) {
|
||||
+ case CKG_NO_GENERATE:
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ break;
|
||||
+ case CKG_GENERATE_RANDOM:
|
||||
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!pOuttext) {
|
||||
*pulOuttextLen = ulIntextLen;
|
||||
return CKR_OK;
|
||||
}
|
||||
rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
|
||||
maxout, pIntext, ulIntextLen,
|
||||
pParameter, ulParameterLen,
|
||||
pAssociatedData, ulAssociatedDataLen);
|
12
SOURCES/nss-3.90-extend-db-dump-time.patch
Normal file
12
SOURCES/nss-3.90-extend-db-dump-time.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
|
||||
--- ./tests/dbtests/dbtests.sh.extend 2023-11-15 13:17:50.651020458 -0800
|
||||
+++ ./tests/dbtests/dbtests.sh 2023-11-15 13:18:57.091608850 -0800
|
||||
@@ -366,7 +366,7 @@ dbtest_main()
|
||||
RARRAY=($dtime)
|
||||
TIMEARRAY=(${RARRAY[1]//./ })
|
||||
echo "${TIMEARRAY[0]} seconds"
|
||||
- test ${TIMEARRAY[0]} -lt 2
|
||||
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
|
||||
ret=$?
|
||||
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
|
||||
fi
|
190
SOURCES/nss-3.90-fips-indicators.patch
Normal file
190
SOURCES/nss-3.90-fips-indicators.patch
Normal file
@ -0,0 +1,190 @@
|
||||
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
|
||||
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
context->blockSize = 0;
|
||||
context->maxLen = 0;
|
||||
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
||||
- operation, key);
|
||||
+ operation, key, 0);
|
||||
*contextPtr = context;
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
crv = sftk_handleObject(key, session);
|
||||
/* we need to do this check at the end, so we can check the generated
|
||||
* key length against fips requirements */
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
|
||||
session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
return crv;
|
||||
}
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0);
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
session->lastOpWasFIPS = privateKey->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
}
|
||||
|
||||
+ if (!params->bExpand) {
|
||||
+ keySize = hashLen;
|
||||
+ }
|
||||
+
|
||||
/* sourceKey is NULL if we are called from the POST, skip the
|
||||
* sensitiveCheck */
|
||||
if (sourceKey != NULL) {
|
||||
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
mech.pParameter = params;
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
- CKA_DERIVE, saltKey);
|
||||
+ CKA_DERIVE, saltKey,
|
||||
+ keySize);
|
||||
}
|
||||
saltKeySource = saltKey->source;
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
/* HKDF-Expand */
|
||||
if (!params->bExpand) {
|
||||
okm = prk;
|
||||
- keySize = genLen = hashLen;
|
||||
+ genLen = hashLen;
|
||||
} else {
|
||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
return CKR_KEY_HANDLE_INVALID;
|
||||
}
|
||||
}
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
|
||||
+ keySize);
|
||||
|
||||
switch (mechanism) {
|
||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
|
||||
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
|
||||
/* check the FIPS table to determine if this current operation is allowed by
|
||||
* FIPS security policy */
|
||||
PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
|
||||
- CK_ATTRIBUTE_TYPE op, SFTKObject *source);
|
||||
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source,
|
||||
+ CK_ULONG targetKeySize);
|
||||
/* add validation objects to the slot */
|
||||
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
|
||||
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
|
||||
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
static CK_ULONG
|
||||
sftk_getKeyLength(SFTKObject *source)
|
||||
{
|
||||
- CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
|
||||
+ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE;
|
||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||
CK_ULONG keyLength = 0;
|
||||
SFTKAttribute *attribute;
|
||||
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
return keyLength;
|
||||
}
|
||||
|
||||
+PRBool
|
||||
+sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
|
||||
+{
|
||||
+ switch (hash) {
|
||||
+ case CKM_SHA256:
|
||||
+ case CKG_MGF1_SHA256:
|
||||
+ case CKM_SHA384:
|
||||
+ case CKG_MGF1_SHA384:
|
||||
+ case CKM_SHA512:
|
||||
+ case CKG_MGF1_SHA512:
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ return PR_FALSE;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* handle specialized FIPS semantics that are too complicated to
|
||||
* handle with just a table. NOTE: this means any additional semantics
|
||||
* would have to be coded here before they can be added to the table */
|
||||
static PRBool
|
||||
sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
|
||||
- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
|
||||
+ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
|
||||
+ CK_ULONG keyLength, CK_ULONG targetKeyLength)
|
||||
{
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
if (hashObj == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
+ /* cap the salt for legacy keys */
|
||||
+ if ((keyLength <= 1024) && (pss->sLen > 63)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ /* cap the salt for based on the hash */
|
||||
if (pss->sLen > hashObj->length) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- return PR_TRUE;
|
||||
+ return sftk_CheckFIPSHash(pss->hashAlg);
|
||||
}
|
||||
case SFTKFIPSPBKDF2: {
|
||||
/* PBKDF2 must have the following addition restrictions
|
||||
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
+ /* check the hash mechanisms to make sure they themselves are FIPS */
|
||||
+ case SFTKFIPSChkHash:
|
||||
+ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
|
||||
+ + mechInfo->offset));
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
|
||||
PRBool
|
||||
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
||||
- SFTKObject *source)
|
||||
+ SFTKObject *source, CK_ULONG targetKeyLength)
|
||||
{
|
||||
#ifndef NSS_HAS_FIPS_INDICATORS
|
||||
return PR_FALSE;
|
||||
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
||||
/* if we match the number of records exactly, then we are an
|
||||
* approved algorithm in the approved mode with an approved key */
|
||||
- if (((mech->mechanism == mechs->type) &&
|
||||
- (opFlags == (mechs->info.flags & opFlags)) &&
|
||||
- (keyLength <= mechs->info.ulMaxKeySize) &&
|
||||
- (keyLength >= mechs->info.ulMinKeySize) &&
|
||||
- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
|
||||
+ if ((mech->mechanism == mechs->type) &&
|
||||
+ (opFlags == (mechs->info.flags & opFlags)) &&
|
||||
+ (keyLength <= mechs->info.ulMaxKeySize) &&
|
||||
+ (keyLength >= mechs->info.ulMinKeySize) &&
|
||||
+ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
|
||||
+ ((targetKeyLength == 0) ||
|
||||
+ ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
|
||||
+ (targetKeyLength >= mechs->info.ulMinKeySize) &&
|
||||
+ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
|
||||
((mechs->special == SFTKFIPSNone) ||
|
||||
- sftk_handleSpecial(slot, mech, mechs, source))) {
|
||||
+ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
}
|
83
SOURCES/nss-3.90-fips-pkcs11-long-hash.patch
Normal file
83
SOURCES/nss-3.90-fips-pkcs11-long-hash.patch
Normal file
@ -0,0 +1,83 @@
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -15,10 +15,13 @@
|
||||
* keys and their associated Certificates are saved on the token.
|
||||
*
|
||||
* In this implementation, session objects are only visible to the session
|
||||
* that created or generated them.
|
||||
*/
|
||||
+
|
||||
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
|
||||
+
|
||||
#include "seccomon.h"
|
||||
#include "secitem.h"
|
||||
#include "secport.h"
|
||||
#include "blapi.h"
|
||||
#include "pkcs11.h"
|
||||
@@ -1954,12 +1957,21 @@
|
||||
if (pDigest == NULL) {
|
||||
*pulDigestLen = context->maxLen;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
- /* do it: */
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_Digest takes an unsigned long. */
|
||||
+ while (ulDataLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
|
||||
+ pData += UINT_MAX;
|
||||
+ ulDataLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
|
||||
+
|
||||
/* NOTE: this assumes buf size is bigenough for the algorithm */
|
||||
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
|
||||
*pulDigestLen = digestLen;
|
||||
|
||||
sftk_TerminateOp(session, SFTK_HASH, context);
|
||||
@@ -1980,12 +1992,22 @@
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
- /* do it: */
|
||||
+
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
|
||||
CK_RV
|
||||
@@ -3166,10 +3188,17 @@
|
||||
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
if (context->hashInfo) {
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
|
||||
} else {
|
||||
/* must be block cipher MACing */
|
||||
|
||||
unsigned int blkSize = context->blockSize;
|
||||
|
506
SOURCES/nss-3.90-fips-safe-memset.patch
Normal file
506
SOURCES/nss-3.90-fips-safe-memset.patch
Normal file
@ -0,0 +1,506 @@
|
||||
diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c
|
||||
--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
|
||||
PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
|
||||
rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
|
||||
outLen);
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
|
||||
PORT_ZFree(newBuf, paddedInputLen);
|
||||
/* a little overkill, we only need to clear out the length, but this
|
||||
* is easier to verify we got it all */
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
|
||||
loser:
|
||||
/* if we failed, make sure we don't return any data to the user */
|
||||
if ((rv != SECSuccess) && (output == newBuf)) {
|
||||
- PORT_Memset(newBuf, 0, paddedLen);
|
||||
+ PORT_SafeZero(newBuf, paddedLen);
|
||||
}
|
||||
/* clear out CSP sensitive data from the heap and stack */
|
||||
if (allocBuf) {
|
||||
PORT_ZFree(allocBuf, paddedLen);
|
||||
}
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h
|
||||
--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -101,10 +101,10 @@ PRBool ppc_crypto_support();
|
||||
#ifdef NSS_FIPS_DISABLED
|
||||
#define BLAPI_CLEAR_STACK(stack_size)
|
||||
#else
|
||||
-#define BLAPI_CLEAR_STACK(stack_size) \
|
||||
- { \
|
||||
- volatile char _stkclr[stack_size]; \
|
||||
- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
|
||||
+#define BLAPI_CLEAR_STACK(stack_size) \
|
||||
+ { \
|
||||
+ volatile char _stkclr[stack_size]; \
|
||||
+ PORT_SafeZero((void *)&_stkclr[0], stack_size); \
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c
|
||||
--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -197,7 +197,7 @@ prng_initEntropy(void)
|
||||
SHA256_Update(&ctx, block, sizeof(block));
|
||||
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
|
||||
sizeof(globalrng->previousEntropyHash));
|
||||
- PORT_Memset(block, 0, sizeof(block));
|
||||
+ PORT_SafeZero(block, sizeof(block));
|
||||
SHA256_DestroyContext(&ctx, PR_FALSE);
|
||||
return PR_SUCCESS;
|
||||
}
|
||||
@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
|
||||
}
|
||||
|
||||
out:
|
||||
- PORT_Memset(hash, 0, sizeof hash);
|
||||
- PORT_Memset(block, 0, sizeof block);
|
||||
+ PORT_SafeZero(hash, sizeof hash);
|
||||
+ PORT_SafeZero(block, sizeof block);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
|
||||
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
|
||||
SHA256_DestroyContext(&ctx, PR_FALSE);
|
||||
}
|
||||
- PORT_Memset(data, 0, sizeof data);
|
||||
- PORT_Memset(thisHash, 0, sizeof thisHash);
|
||||
+ PORT_SafeZero(data, sizeof data);
|
||||
+ PORT_SafeZero(thisHash, sizeof thisHash);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng,
|
||||
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
|
||||
|
||||
/* if the prng failed, don't return any output, signal softoken */
|
||||
- PORT_Memset(H, 0, sizeof H);
|
||||
+ PORT_SafeZero(H, sizeof H);
|
||||
if (!rng->isValid) {
|
||||
PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c
|
||||
--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
|
||||
err = MP_OKAY;
|
||||
signature->len = dsa_signature_len;
|
||||
cleanup:
|
||||
- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
|
||||
+ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
|
||||
mp_clear(&p);
|
||||
mp_clear(&q);
|
||||
mp_clear(&g);
|
||||
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
|
||||
rv = dsa_SignDigest(key, signature, digest, kSeed);
|
||||
} while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
|
||||
--retries > 0);
|
||||
- PORT_Memset(kSeed, 0, sizeof kSeed);
|
||||
+ PORT_SafeZero(kSeed, sizeof kSeed);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
|
||||
verified = SECSuccess; /* Signature verified. */
|
||||
}
|
||||
cleanup:
|
||||
- PORT_Memset(localDigestData, 0, sizeof localDigestData);
|
||||
+ PORT_SafeZero(localDigestData, sizeof localDigestData);
|
||||
mp_clear(&p);
|
||||
mp_clear(&q);
|
||||
mp_clear(&g);
|
||||
diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c
|
||||
--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
|
||||
rv = SECSuccess;
|
||||
|
||||
cleanup:
|
||||
- PORT_Memset(T, 0, sizeof(T));
|
||||
+ PORT_SafeZero(T, sizeof(T));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
|
||||
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
|
||||
gcm->ctr_context_init = PR_TRUE;
|
||||
return gcm;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
|
||||
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
|
||||
if (ghash && ghash->mem) {
|
||||
void *mem = ghash->mem;
|
||||
- PORT_Memset(ghash, 0, sizeof(gcmHashContext));
|
||||
+ PORT_SafeZero(ghash, sizeof(gcmHashContext));
|
||||
PORT_Free(mem);
|
||||
}
|
||||
if (gcm) {
|
||||
@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u
|
||||
goto loser;
|
||||
}
|
||||
|
||||
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
|
||||
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
|
||||
return SECSuccess;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
|
||||
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
|
||||
if (freeCtr) {
|
||||
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
||||
}
|
||||
@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
return SECFailure;
|
||||
}
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
/* finish the decryption */
|
||||
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
||||
inbuf, inlen, AES_BLOCK_SIZE);
|
||||
@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
|
||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
return SECFailure;
|
||||
}
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
/* finish the decryption */
|
||||
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
||||
inbuf, inlen, AES_BLOCK_SIZE);
|
||||
diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c
|
||||
--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
|
||||
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
|
||||
hashObj->destroy(mdState, PR_TRUE);
|
||||
|
||||
- PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
|
||||
- PORT_Memset(hmacPad, 0, sizeof hmacPad);
|
||||
- PORT_Memset(firstBlock, 0, sizeof firstBlock);
|
||||
- PORT_Memset(macOut, 0, sizeof macOut);
|
||||
+ PORT_SafeZero(lengthBytes, sizeof lengthBytes);
|
||||
+ PORT_SafeZero(hmacPad, sizeof hmacPad);
|
||||
+ PORT_SafeZero(firstBlock, sizeof firstBlock);
|
||||
+ PORT_SafeZero(macOut, sizeof macOut);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c
|
||||
--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
|
||||
void
|
||||
intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
|
||||
{
|
||||
- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
|
||||
+ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
|
||||
if (freeit) {
|
||||
PORT_Free(gcm);
|
||||
}
|
||||
diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c
|
||||
--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
|
||||
void
|
||||
ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
|
||||
{
|
||||
- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
|
||||
+ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
|
||||
if (freeit) {
|
||||
PORT_Free(gcm);
|
||||
}
|
||||
diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c
|
||||
--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -703,7 +703,7 @@ cleanup:
|
||||
mp_clear(&a);
|
||||
mp_clear(&z);
|
||||
mp_clear(&two_length_minus_1);
|
||||
- PORT_Memset(x, 0, sizeof(x));
|
||||
+ PORT_SafeZero(x, sizeof(x));
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -859,7 +859,7 @@ cleanup:
|
||||
mp_clear(&c);
|
||||
mp_clear(&c0);
|
||||
mp_clear(&one);
|
||||
- PORT_Memset(x, 0, sizeof(x));
|
||||
+ PORT_SafeZero(x, sizeof(x));
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
|
||||
CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */
|
||||
CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */
|
||||
cleanup:
|
||||
- PORT_Memset(V_j, 0, sizeof V_j);
|
||||
+ PORT_SafeZero(V_j, sizeof V_j);
|
||||
mp_clear(&W);
|
||||
mp_clear(&X);
|
||||
mp_clear(&c);
|
||||
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
|
||||
/* step 11.
|
||||
* return valid G */
|
||||
cleanup:
|
||||
- PORT_Memset(data, 0, sizeof(data));
|
||||
+ PORT_SafeZero(data, sizeof(data));
|
||||
if (hashcx) {
|
||||
hashobj->destroy(hashcx, PR_TRUE);
|
||||
}
|
||||
diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c
|
||||
--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
|
||||
cx->worker_cx = NULL;
|
||||
cx->destroy = NULL;
|
||||
}
|
||||
- PORT_Memset(cx, 0, sizeof(AESContext));
|
||||
+ PORT_SafeZero(cx, sizeof(AESContext));
|
||||
if (freeit) {
|
||||
PORT_Free(mem);
|
||||
} else {
|
||||
diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c
|
||||
--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800
|
||||
+++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c
|
||||
/* 2. Compute phi = (p-1)*(q-1) */
|
||||
CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
|
||||
CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
|
||||
+ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
|
||||
if (needPublicExponent || needPrivateExponent) {
|
||||
- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
|
||||
/* 3. Compute d = e**-1 mod(phi) */
|
||||
/* or e = d**-1 mod(phi) as necessary */
|
||||
if (needPublicExponent) {
|
||||
@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ /* make sure we weren't passed in a d or e = 1 mod phi */
|
||||
+ /* just need to check d, because if one is = 1 mod phi, they both are */
|
||||
+ CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
|
||||
+ if (mp_cmp_d(&tmp, 2) <= 0) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ rv = SECFailure;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
/* 4. Compute exponent1 = d mod (p-1) */
|
||||
CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
|
||||
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
|
||||
@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
|
||||
/* Perform a public key operation v = m ** e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
|
||||
if (mp_cmp(&v, c) != 0) {
|
||||
+ /* this error triggers a fips fatal error lock */
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
rv = SECFailure;
|
||||
}
|
||||
cleanup:
|
||||
diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c
|
||||
--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject *
|
||||
/* now create the hmac key */
|
||||
hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
|
||||
if (hmac == NULL) {
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
return NULL;
|
||||
}
|
||||
HMAC_Begin(hmac);
|
||||
HMAC_Update(hmac, input, inputLen);
|
||||
rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
|
||||
if (rv != SECSuccess) {
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
return NULL;
|
||||
}
|
||||
@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject *
|
||||
* reuse the original context allocated above so we don't
|
||||
* need to allocate and free another one */
|
||||
rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
if (rv != SECSuccess) {
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
return NULL;
|
||||
@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
|
||||
return rv;
|
||||
}
|
||||
PORT_Memcpy(output, hmacLast, left);
|
||||
- PORT_Memset(hmacLast, 0, sizeof(hmacLast));
|
||||
+ PORT_SafeZero(hmacLast, sizeof(hmacLast));
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
|
||||
outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
|
||||
candidate, outLength);
|
||||
}
|
||||
- PORT_Memset(out, 0, sizeof(out));
|
||||
+ PORT_SafeZero(out, sizeof(out));
|
||||
return outLength;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c
|
||||
--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
|
||||
|
||||
/* verify the hash against the check file */
|
||||
rv = DSA_VerifyDigest(key, signature, &hash);
|
||||
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
|
||||
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
|
||||
return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
#endif
|
||||
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||
if (rv == SECSuccess) {
|
||||
result = SECITEM_ItemsAreEqual(signature, &hash);
|
||||
}
|
||||
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
|
||||
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
|
||||
return result;
|
||||
}
|
||||
|
||||
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
#ifndef NSS_STRICT_INTEGRITY
|
||||
DSAPublicKey key;
|
||||
|
||||
- PORT_Memset(&key, 0, sizeof(key));
|
||||
+ PORT_SafeZero(&key, sizeof(key));
|
||||
#endif
|
||||
|
||||
/* If our integrity check was never ran or failed, fail any other
|
||||
@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
shFD = NULL;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(&header, 0, sizeof header);
|
||||
+ PORT_SafeZero(&header, sizeof header);
|
||||
if (checkName != NULL) {
|
||||
PORT_Free(checkName);
|
||||
}
|
||||
diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c
|
||||
--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -82,8 +82,8 @@ loser:
|
||||
/* clear out state so it's not left on the stack */
|
||||
if (cx)
|
||||
HMAC_Destroy(cx, PR_TRUE);
|
||||
- PORT_Memset(state, 0, sizeof(state));
|
||||
- PORT_Memset(outbuf, 0, sizeof(outbuf));
|
||||
+ PORT_SafeZero(state, sizeof(state));
|
||||
+ PORT_SafeZero(outbuf, sizeof(outbuf));
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c
|
||||
--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800
|
||||
+++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800
|
||||
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
|
||||
return;
|
||||
}
|
||||
RNG_RandomUpdate(bytes, numBytes);
|
||||
- PORT_Memset(bytes, 0, sizeof bytes);
|
||||
+ PORT_SafeZero(bytes, sizeof bytes);
|
||||
}
|
||||
|
||||
#ifdef NSS_FIPS_140_3
|
||||
diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800
|
||||
@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
if ((signature_length >= pairwise_digest_length) &&
|
||||
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
|
||||
PORT_Free(signature);
|
||||
- return CKR_DEVICE_ERROR;
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
}
|
||||
|
||||
/* Verify the known hash using the public key. */
|
||||
diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h
|
||||
--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800
|
||||
@@ -36,6 +36,9 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <ctype.h>
|
||||
+/* ask for Annex K for memset_s. will set the appropriate #define
|
||||
+ * if Annex K is supported */
|
||||
+#define __STDC_WANT_LIB_EXT1__ 1
|
||||
#include <string.h>
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
@@ -182,6 +185,39 @@ SEC_END_PROTOS
|
||||
#endif /*SUNOS4*/
|
||||
#define PORT_Memset memset
|
||||
|
||||
+/* there are cases where the compiler optimizes away our attempt to clear
|
||||
+ * out our stack variables. There are multiple solutions for this problem,
|
||||
+ * but they aren't universally accepted on all platforms. This attempts
|
||||
+ * to select the best solution available given our os, compilier, and libc */
|
||||
+#ifdef __STDC_LIB_EXT1__
|
||||
+/* if the os implements C11 annex K, use memset_s */
|
||||
+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
|
||||
+#else
|
||||
+#ifdef XP_WIN
|
||||
+/* windows has a secure zero funtion */
|
||||
+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
|
||||
+#else
|
||||
+/* _DEFAULT_SORUCE == BSD source in GCC based environments
|
||||
+ * if other environmens support explicit_bzero, their defines
|
||||
+ * should be added here */
|
||||
+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
|
||||
+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
|
||||
+#else
|
||||
+/* if the os doesn't support one of the above, but does support
|
||||
+ * memset_explicit, you can add the definition for memset with the
|
||||
+ * appropriate define check here */
|
||||
+/* define an explicitly implementated Safe zero if the OS
|
||||
+ * doesn't provide one */
|
||||
+#define PORT_SafeZero(p, n) \
|
||||
+ if (p != NULL) { \
|
||||
+ volatile unsigned char *__vl = (unsigned char *)p; \
|
||||
+ size_t __nl = n; \
|
||||
+ while (__nl--) *__vl++ = 0; \
|
||||
+ }
|
||||
+#endif /* no explicit_bzero */
|
||||
+#endif /* no windows SecureZeroMemory */
|
||||
+#endif /* no memset_s */
|
||||
+
|
||||
#define PORT_Strcasecmp PL_strcasecmp
|
||||
#define PORT_Strcat strcat
|
||||
#define PORT_Strchr strchr
|
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
@ -113,6 +113,8 @@ Source28: nss-p11-kit.config
|
||||
# will have their own validation
|
||||
Source30: fips_algorithms.h
|
||||
|
||||
Source50: NameConstraints_Certs.tar
|
||||
|
||||
# To inject hardening flags for DSO
|
||||
Patch1: nss-dso-ldflags.patch
|
||||
# This patch uses the GCC -iquote option documented at
|
||||
@ -132,7 +134,7 @@ Patch4: iquote.patch
|
||||
Patch9: nss-sysinit-userdb.patch
|
||||
# Disable nss-sysinit test which is solely to test the above change
|
||||
Patch10: nss-skip-sysinit-gtests.patch
|
||||
|
||||
Patch15: nss-3.90-extend-db-dump-time.patch
|
||||
# For compatibility reasons, we stick with the old PKCS #11 2.40
|
||||
# definition of CK_GCM_PARAMS:
|
||||
%if 0%{?fedora} < 34
|
||||
@ -174,6 +176,12 @@ Patch64: nss-3.90-pbkdf2-indicator.patch
|
||||
#ems policy. needs to upstream
|
||||
Patch70: nss-3.90-add-ems-policy.patch
|
||||
|
||||
Patch80: blinding_ct.patch
|
||||
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
|
||||
Patch82: nss-3.90-fips-safe-memset.patch
|
||||
Patch83: nss-3.90-fips-indicators.patch
|
||||
Patch84: nss-3.90-aes-gmc-indicator.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
support cross-platform development of security-enabled client and
|
||||
@ -310,6 +318,11 @@ popd
|
||||
# each vendors claim in their own FIPS certification
|
||||
cp %{SOURCE30} nss/lib/softoken/
|
||||
|
||||
#update expired test certs
|
||||
pushd nss
|
||||
tar xvf %{SOURCE50}
|
||||
popd
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
||||
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
||||
|
||||
@ -509,6 +522,10 @@ export USE_64=1
|
||||
# disabled by the system policy.
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
%ifarch i686 ppcle64
|
||||
export NSS_DB_DUMP_TIME=10
|
||||
%endif
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
@ -955,6 +972,16 @@ update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Dec 6 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
|
||||
- FIPS review changes
|
||||
- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
|
||||
- update the indicators for this release
|
||||
- allow hashing of longer than int32 values in a single PKCS #11 call.
|
||||
|
||||
* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.1
|
||||
- Fix expired certs in tests
|
||||
- Fix CVE-2023-5388
|
||||
|
||||
* Thu Aug 3 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
|
||||
- add indicators for pbkdf2
|
||||
- add camellia to pkcs12 doc files
|
||||
|
Loading…
Reference in New Issue
Block a user