From 0df7624fcaf4ee424b012803dfee684a15bc6c20 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Wed, 10 Jan 2024 13:22:49 +0000 Subject: [PATCH] import UBI nss-3.90.0-4.el8_9 --- .gitignore | 1 + .nss.metadata | 1 + SOURCES/blinding_ct.patch | 949 +++++++++++++++++++ SOURCES/fips_algorithms.h | 66 +- SOURCES/nss-3.90-aes-gmc-indicator.patch | 42 + SOURCES/nss-3.90-extend-db-dump-time.patch | 12 + SOURCES/nss-3.90-fips-indicators.patch | 190 ++++ SOURCES/nss-3.90-fips-pkcs11-long-hash.patch | 83 ++ SOURCES/nss-3.90-fips-safe-memset.patch | 506 ++++++++++ SPECS/nss.spec | 31 +- 10 files changed, 1851 insertions(+), 30 deletions(-) create mode 100644 SOURCES/blinding_ct.patch create mode 100644 SOURCES/nss-3.90-aes-gmc-indicator.patch create mode 100644 SOURCES/nss-3.90-extend-db-dump-time.patch create mode 100644 SOURCES/nss-3.90-fips-indicators.patch create mode 100644 SOURCES/nss-3.90-fips-pkcs11-long-hash.patch create mode 100644 SOURCES/nss-3.90-fips-safe-memset.patch diff --git a/.gitignore b/.gitignore index eda990c..e26f3a5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ +SOURCES/NameConstraints_Certs.tar SOURCES/blank-cert8.db SOURCES/blank-cert9.db SOURCES/blank-key3.db diff --git a/.nss.metadata b/.nss.metadata index f78c944..9b1febf 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -1,3 +1,4 @@ +39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db diff --git a/SOURCES/blinding_ct.patch b/SOURCES/blinding_ct.patch new file mode 100644 index 0000000..8d338a1 --- /dev/null +++ b/SOURCES/blinding_ct.patch @@ -0,0 +1,949 @@ +diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h +--- a/lib/freebl/mpi/mpi-priv.h ++++ b/lib/freebl/mpi/mpi-priv.h +@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d + void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len, + mp_digit b, mp_digit *c); + + #endif + + void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a, + mp_size a_len, mp_digit b, + mp_digit *c); ++void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a, ++ mp_size a_len, mp_digit b, ++ mp_digit *c, mp_size c_len); + void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a, + mp_size a_len, + mp_digit *sqrs); + + mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo, + mp_digit divisor, mp_digit *quot, mp_digit *rem); + + /* c += a * b * (MP_RADIX ** offset); */ +diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c +--- a/lib/freebl/mpi/mpi.c ++++ b/lib/freebl/mpi/mpi.c +@@ -5,16 +5,18 @@ + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "mpi-priv.h" + #include "mplogic.h" + ++#include ++ + #if defined(__arm__) && \ + ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__)) + /* 16-bit thumb or ARM v3 doesn't work inlined assember version */ + #undef MP_ASSEMBLY_MULTIPLY + #undef MP_ASSEMBLY_SQUARE + #endif + + #if MP_LOGTAB +@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b, + + CLEANUP: + return res; + + } /* end mp_sub() */ + + /* }}} */ + +-/* {{{ mp_mul(a, b, c) */ ++/* {{{ s_mp_mulg(a, b, c) */ + + /* +- mp_mul(a, b, c) +- +- Compute c = a * b. All parameters may be identical. ++ s_mp_mulg(a, b, c) ++ ++ Compute c = a * b. All parameters may be identical. if constantTime is set, ++ then the operations are done in constant time. The original is mostly ++ constant time as long as s_mpv_mul_d_add() is constant time. This is true ++ of the x86 assembler, as well as the current c code. + */ + mp_err +-mp_mul(const mp_int *a, const mp_int *b, mp_int *c) ++s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime) + { + mp_digit *pb; + mp_int tmp; + mp_err res; + mp_size ib; + mp_size useda, usedb; + + ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG); +@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b, + } + + MP_USED(c) = 1; + MP_DIGIT(c, 0) = 0; + if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY) + goto CLEANUP; + + #ifdef NSS_USE_COMBA +- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { ++ /* comba isn't constant time because it clamps! If we cared ++ * (we needed a constant time version of multiply that was 'faster' ++ * we could easily pass constantTime down to the comba code and ++ * get it to skip the clamp... but here are assembler versions ++ * which add comba to platforms that can't compile the normal ++ * comba's imbedded assembler which would also need to change, so ++ * for now we just skip comba when we are running constant time. */ ++ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) { + if (MP_USED(a) == 4) { + s_mp_mul_comba_4(a, b, c); + goto CLEANUP; + } + if (MP_USED(a) == 8) { + s_mp_mul_comba_8(a, b, c); + goto CLEANUP; + } +@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b, + + /* Outer loop: Digits of b */ + useda = MP_USED(a); + usedb = MP_USED(b); + for (ib = 1; ib < usedb; ib++) { + mp_digit b_i = *pb++; + + /* Inner product: Digits of a */ +- if (b_i) ++ if (constantTime || b_i) + s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib); + else + MP_DIGIT(c, ib + useda) = b_i; + } + +- s_mp_clamp(c); ++ if (!constantTime) { ++ s_mp_clamp(c); ++ } + + if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ) + SIGN(c) = ZPOS; + else + SIGN(c) = NEG; + + CLEANUP: + mp_clear(&tmp); + return res; ++} /* end smp_mulg() */ ++ ++/* }}} */ ++ ++/* {{{ mp_mul(a, b, c) */ ++ ++/* ++ mp_mul(a, b, c) ++ ++ Compute c = a * b. All parameters may be identical. ++ */ ++ ++mp_err ++mp_mul(const mp_int *a, const mp_int *b, mp_int *c) ++{ ++ return s_mp_mulg(a, b, c, 0); + } /* end mp_mul() */ + + /* }}} */ + ++/* {{{ mp_mulCT(a, b, c) */ ++ ++/* ++ mp_mulCT(a, b, c) ++ ++ Compute c = a * b. In constant time. Parameters may not be identical. ++ NOTE: a and b may be modified. ++ */ ++ ++mp_err ++mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize) ++{ ++ mp_err res; ++ ++ /* make the multiply values fixed length so multiply ++ * doesn't leak the length. at this point all the ++ * values are blinded, but once we finish we want the ++ * output size to be hidden (so no clamping the out put) */ ++ MP_CHECKOK(s_mp_pad(a, setSize)); ++ MP_CHECKOK(s_mp_pad(b, setSize)); ++ MP_CHECKOK(s_mp_pad(c, 2*setSize)); ++ MP_CHECKOK(s_mp_mulg(a, b, c, 1)); ++CLEANUP: ++ return res; ++} /* end mp_mulCT() */ ++ ++/* }}} */ ++ + /* {{{ mp_sqr(a, sqr) */ + + #if MP_SQUARE + /* + Computes the square of a. This can be done more + efficiently than a general multiplication, because many of the + computation steps are redundant when squaring. The inner product + step is a bit more complicated, but we save a fair number of +@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m, + } + + return MP_OKAY; + + } /* end mp_mod() */ + + /* }}} */ + ++/* {{{ s_mp_subCT_d(a, b, borrow, c) */ ++ ++/* ++ s_mp_subCT_d(a, b, borrow, c) ++ ++ Compute c = (a -b) - subtract in constant time. returns borrow ++ */ ++mp_digit ++s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) { ++ mp_digit borrow1, borrow2, t; ++#ifdef MP_COMPILER_USES_CARRY ++ /* while it doesn't look constant-time, this is idiomatic code ++ * to tell compilers to use the carry bit from subtraction */ ++ t = a - borrow; ++ if (t > a) { ++ borrow1 = 1; ++ } else { ++ borrow1 = 0; ++ } ++ *ret = t - b; ++ if (*ret > t) { ++ borrow2 = 1; ++ } else { ++ borrow2 = 0; ++ } ++#else ++ mp_digit bitr, bitb, nbitt; ++ /* this is constant time independent of compilier */ ++ t = a - borrow; ++ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1)); ++ *ret = t - b; ++ bitb = b >> (MP_DIGIT_BIT-1); ++ bitr = *ret >> (MP_DIGIT_BIT-1); ++ nbitt = (~t) >> (MP_DIGIT_BIT-1); ++ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr); ++#endif ++ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee ++ * the overall borrow is 1, so use | here */ ++ return borrow1 | borrow2; ++} /* s_mp_subCT_d() */ ++ ++/* }}} */ ++ ++/* {{{ mp_subCT(a, b, ret, borrow) */ ++ ++/* return ret= a - b and borrow in borrow. done in constant time. ++ * b could be modified. ++ */ ++mp_err ++mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow) ++{ ++ mp_size used_a = MP_USED(a); ++ mp_size i; ++ mp_err res; ++ ++ MP_CHECKOK(s_mp_pad(b, used_a)); ++ MP_CHECKOK(s_mp_pad(ret, used_a)); ++ *borrow = 0; ++ for (i=0; i < used_a; i++) { ++ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow, ++ &MP_DIGIT(ret,i)); ++ } ++ ++ res = MP_OKAY; ++CLEANUP: ++ return res; ++} /* end mp_subCT() */ ++ ++/* }}} */ ++ ++/* {{{ mp_selectCT(cond, a, b, ret) */ ++ ++/* ++ * return ret= cond ? a : b; cond should be either 0 or 1 ++ */ ++mp_err ++mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret) ++{ ++ mp_size used_a = MP_USED(a); ++ mp_err res; ++ mp_size i; ++ ++ cond *= MP_DIGIT_MAX; ++ ++ /* we currently require these to be equal on input, ++ * we could use pad to extend one of them, but that might ++ * leak data as it wouldn't be constant time */ ++ assert(used_a == MP_USED(b)); ++ ++ MP_CHECKOK(s_mp_pad(ret, used_a)); ++ for (i=0; i < used_a; i++) { ++ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond); ++ } ++ res = MP_OKAY; ++CLEANUP: ++ return res; ++} /* end mp_selectCT() */ ++ ++ ++/* {{{ mp_reduceCT(a, m, c) */ ++ ++/* ++ mp_reduceCT(a, m, c) ++ ++ Compute c = aR^-1 (mod m) in constant time. ++ input should be in montgomery form. If input is the ++ result of a montgomery multiply then out put will be ++ in mongomery form. ++ Result will be reduced to MP_USED(m), but not be ++ clamped. ++ */ ++ ++mp_err ++mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c) ++{ ++ mp_size used_m = MP_USED(m); ++ mp_size used_c = used_m*2+1; ++ mp_digit *m_digits, *c_digits; ++ mp_size i; ++ mp_digit borrow, carry; ++ mp_err res; ++ mp_int sub; ++ ++ MP_DIGITS(&sub) = 0; ++ MP_CHECKOK(mp_init_size(&sub,used_m)); ++ ++ if (a != c) { ++ MP_CHECKOK(mp_copy(a, c)); ++ } ++ MP_CHECKOK(s_mp_pad(c, used_c)); ++ m_digits = MP_DIGITS(m); ++ c_digits = MP_DIGITS(c); ++ for (i=0; i < used_m; i++) { ++ mp_digit m_i = MP_DIGIT(c,i)*n0i; ++ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--); ++ } ++ s_mp_rshd(c, used_m); ++ /* MP_USED(c) should be used_m+1 with the high word being any carry ++ * from the previous multiply, save that carry and drop the high ++ * word for the substraction below */ ++ carry = MP_DIGIT(c,used_m); ++ MP_DIGIT(c,used_m) = 0; ++ MP_USED(c) = used_m; ++ /* mp_subCT wants c and m to be the same size, we've already ++ * guarrenteed that in the previous statement, so mp_subCT won't actually ++ * modify m, so it's safe to recast */ ++ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow)); ++ ++ /* we return c-m if c >= m no borrow or there was a borrow and a carry */ ++ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c)); ++ res = MP_OKAY; ++CLEANUP: ++ mp_clear(&sub); ++ return res; ++} /* end mp_reduceCT() */ ++ ++/* }}} */ ++ + /* {{{ mp_mod_d(a, d, c) */ + + /* + mp_mod_d(a, d, c) + + Compute c = a (mod d). Result will always be 0 <= c < d + */ + mp_err +@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int + if ((res = mp_mod(c, m, c)) != MP_OKAY) + return res; + + return MP_OKAY; + } + + /* }}} */ + ++/* {{{ mp_mulmontmodCT(a, b, m, c) */ ++ ++/* ++ mp_mulmontmodCT(a, b, m, c) ++ ++ Compute c = (a * b) mod m in constant time wrt a and b. either a or b ++ should be in montgomery form and the output is native. If both a and b ++ are in montgomery form, then the output will also be in montgomery form ++ and can be recovered with an mp_reduceCT call. ++ NOTE: a and b may be modified. ++ */ ++ ++mp_err ++mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, ++ mp_int *c) ++{ ++ mp_err res; ++ ++ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG); ++ ++ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY) ++ return res; ++ ++ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY) ++ return res; ++ ++ return MP_OKAY; ++} ++ ++/* }}} */ ++ + /* {{{ mp_sqrmod(a, m, c) */ + + #if MP_SQUARE + mp_err + mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c) + { + mp_err res; + +@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b) + { \ + mp_digit a0b1, a1b0; \ + Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \ + Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \ + a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \ + a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \ + a1b0 += a0b1; \ + Phi += a1b0 >> MP_HALF_DIGIT_BIT; \ +- if (a1b0 < a0b1) \ +- Phi += MP_HALF_RADIX; \ ++ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \ + a1b0 <<= MP_HALF_DIGIT_BIT; \ + Plo += a1b0; \ +- if (Plo < a1b0) \ +- ++Phi; \ ++ Phi += MP_CT_LTU(Plo, a1b0); \ + } + #endif + ++/* Constant time version of s_mpv_mul_d_add_prop. ++ * Presently, this is only used by the Constant time Montgomery arithmetic code. */ ++/* c += a * b */ ++void ++s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b, ++ mp_digit *c, mp_size c_len) ++{ ++#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD) ++ mp_digit d = 0; ++ ++ c_len -= a_len; ++ /* Inner product: Digits of a */ ++ while (a_len--) { ++ mp_word w = ((mp_word)b * *a++) + *c + d; ++ *c++ = ACCUM(w); ++ d = CARRYOUT(w); ++ } ++ ++ /* propagate the carry to the end, even if carry is zero */ ++ while (c_len--) { ++ mp_word w = (mp_word)*c + d; ++ *c++ = ACCUM(w); ++ d = CARRYOUT(w); ++ } ++#else ++ mp_digit carry = 0; ++ c_len -= a_len; ++ while (a_len--) { ++ mp_digit a_i = *a++; ++ mp_digit a0b0, a1b1; ++ MP_MUL_DxD(a_i, b, a1b1, a0b0); ++ ++ a0b0 += carry; ++ a1b1 += MP_CT_LTU(a0b0, carry); ++ a0b0 += a_i = *c; ++ a1b1 += MP_CT_LTU(a0b0, a_i); ++ ++ *c++ = a0b0; ++ carry = a1b1; ++ } ++ /* propagate the carry to the end, even if carry is zero */ ++ while (c_len--) { ++ mp_digit c_i = *c; ++ carry += c_i; ++ *c++ = carry; ++ carry = MP_CT_LTU(carry, c_i); ++ } ++#endif ++} ++ + #if !defined(MP_ASSEMBLY_MULTIPLY) + /* c = a * b */ + void + s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c) + { + #if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD) + mp_digit d = 0; + +@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a + mp_digit carry = 0; + while (a_len--) { + mp_digit a_i = *a++; + mp_digit a0b0, a1b1; + + MP_MUL_DxD(a_i, b, a1b1, a0b0); + + a0b0 += carry; +- if (a0b0 < carry) +- ++a1b1; ++ a1b1 += a0b0 < carry; + *c++ = a0b0; + carry = a1b1; + } + *c = carry; + #endif + } + + /* c += a * b */ +@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si + mp_digit carry = 0; + while (a_len--) { + mp_digit a_i = *a++; + mp_digit a0b0, a1b1; + + MP_MUL_DxD(a_i, b, a1b1, a0b0); + + a0b0 += carry; +- if (a0b0 < carry) +- ++a1b1; ++ a1b1 += (a0b0 < carry); + a0b0 += a_i = *c; +- if (a0b0 < a_i) +- ++a1b1; ++ a1b1 += (a0b0 < a_i); + *c++ = a0b0; + carry = a1b1; + } + *c = carry; + #endif + } + + /* Presently, this is only used by the Montgomery arithmetic code. */ +diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h +--- a/lib/freebl/mpi/mpi.h ++++ b/lib/freebl/mpi/mpi.h +@@ -145,16 +145,54 @@ typedef int mp_sword; + #define MP_USED(MP) ((MP)->used) + #define MP_ALLOC(MP) ((MP)->alloc) + #define MP_DIGITS(MP) ((MP)->dp) + #define MP_DIGIT(MP, N) (MP)->dp[(N)] + + /* This defines the maximum I/O base (minimum is 2) */ + #define MP_MAX_RADIX 64 + ++/* Constant Time Macros on mp_digits */ ++#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1))) ++ ++/* basic zero and non zero tests */ ++#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) ++#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x))))) ++ ++ ++/* basic constant-time helper macro for equalities and inequalities. ++ * The inequalities will produce incorrect results if ++ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay ++ * within the range 0-MP_DIGIT_MAX/2. */ ++#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b))) ++#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b))) ++#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a)) ++#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b)) ++#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b)) ++#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b)) ++#define MP_CT_TRUE ((mp_digit)1) ++#define MP_CT_FALSE ((mp_digit)0) ++ ++/* use constant time result to select a boolean value */ ++#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r))) ++ ++/* full inequalities that work with full mp_digit values */ ++#define MP_CT_OVERFLOW(a,b,c,d) \ ++ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \ ++ (MP_CT_HIGH_TO_LOW(d)),c) ++#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a) ++#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b) ++#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a) ++#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b) ++#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b) ++#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a) ++#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b) ++#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a) ++ ++ + typedef struct { + mp_sign sign; /* sign of this quantity */ + mp_size alloc; /* how many digits allocated */ + mp_size used; /* how many digits used */ + mp_digit *dp; /* the digits themselves */ + } mp_int; + + /* Default precision */ +@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig + + /* Sign manipulations */ + mp_err mp_abs(const mp_int *a, mp_int *b); + mp_err mp_neg(const mp_int *a, mp_int *b); + + /* Full arithmetic */ + mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c); + mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c); ++mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow); + mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c); ++mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize); + #if MP_SQUARE + mp_err mp_sqr(const mp_int *a, mp_int *b); + #else + #define mp_sqr(a, b) mp_mul(a, a, b) + #endif + mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r); + mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r); + mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c); +@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const + mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c); + #else + #define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c) + #endif + mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c); + mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c); + #endif /* MP_MODARITH */ + ++/* montgomery math */ ++mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont); ++mp_digit mp_calculate_mont_n0i(const mp_int *N); ++mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct); ++mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c); ++ + /* Comparisons */ + int mp_cmp_z(const mp_int *a); + int mp_cmp_d(const mp_int *a, mp_digit d); + int mp_cmp(const mp_int *a, const mp_int *b); + int mp_cmp_mag(const mp_int *a, const mp_int *b); + int mp_isodd(const mp_int *a); + int mp_iseven(const mp_int *a); ++mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret); + + /* Number theoretic */ + mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c); + mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c); + mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y); + mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c); + mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c); + +diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c +--- a/lib/freebl/mpi/mpmontg.c ++++ b/lib/freebl/mpi/mpmontg.c +@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_ + } + res = MP_OKAY; + + CLEANUP: + return res; + } + #endif + +-STATIC + mp_err +-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont) ++mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont) + { + mp_err res; + + /* xMont = x * R mod N where N is modulus */ +- MP_CHECKOK(mp_copy(x, xMont)); +- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */ +- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */ ++ if (x != xMont) { ++ MP_CHECKOK(mp_copy(x, xMont)); ++ } ++ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */ ++ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */ + CLEANUP: + return res; + } + ++mp_digit ++mp_calculate_mont_n0i(const mp_int *N) ++{ ++ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0)); ++} ++ + #ifdef MP_USING_MONT_MULF + + /* the floating point multiply is already cache safe, + * don't turn on cache safe unless we specifically + * force it */ + #ifndef MP_FORCE_CACHE_SAFE + #undef MP_USING_CACHE_SAFE_MOD_EXP + #endif +@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase, + MP_DIGITS(&accum1) = 0; + + for (i = 0; i < MAX_ODD_INTS; ++i) + oddPowers[i] = 0; + + MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2)); + + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + MP_CHECKOK(s_mp_pad(&accum1, nLen)); + + oddPowSize = 2 * nLen + 1; + dTmpSize = 2 * oddPowSize; + dSize = sizeof(double) * (nLen * 4 + 1 + + ((odd_ints + 1) * oddPowSize) + dTmpSize); + dBuf = malloc(dSize); + if (!dBuf) { +@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase, + for (i = 1; i < odd_ints; ++i) { + MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2)); + MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i)); + MP_CHECKOK(s_mp_redc(oddPowers + i, mmm)); + } + + /* set accumulator to montgomery residue of 1 */ + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + pa1 = &accum1; + pa2 = &accum2; + + for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) { + mp_size smallExp; + MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits)); + smallExp = (mp_size)res; + +@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase + /* build the first WEAVE_WORD powers inline */ + /* if WEAVE_WORD_SIZE is not 4, this code will have to change */ + if (num_powers > 2) { + MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2)); + MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2)); + MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2)); + MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2)); + mp_set(&accum[0], 1); +- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0])); ++ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0])); + MP_CHECKOK(mp_copy(montBase, &accum[1])); + SQR(montBase, &accum[2]); + MUL_NOWEAVE(montBase, &accum[2], &accum[3]); + powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1)); + if (!powersArray) { + res = MP_MEM; + goto CLEANUP; + } +@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase + MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers)); + if (first_window < 4) { + MP_CHECKOK(mp_copy(&accum[first_window], &accum1)); + first_window = num_powers; + } + } else { + if (first_window == 0) { + mp_set(&accum1, 1); +- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1)); ++ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1)); + } else { + /* assert first_window == 1? */ + MP_CHECKOK(mp_copy(montBase, &accum1)); + } + } + + /* + * calculate all the powers in the powers array. +@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m + nLen = MP_USED(modulus); + MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2)); + + mmm.N = *modulus; /* a copy of the mp_int struct */ + + /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX + ** where n0 = least significant mp_digit of N, the modulus. + */ +- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0)); ++ mmm.n0prime = mp_calculate_mont_n0i(modulus); + +- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase)); ++ MP_CHECKOK(mp_to_mont(base, modulus, &montBase)); + + bits_in_exponent = mpl_significant_bits(exponent); + #ifdef MP_USING_CACHE_SAFE_MOD_EXP + if (mp_using_cache_safe_exp) { + if (bits_in_exponent > 780) + window_bits = 6; + else if (bits_in_exponent > 256) + window_bits = 5; +diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c +--- a/lib/freebl/rsa.c ++++ b/lib/freebl/rsa.c +@@ -65,16 +65,18 @@ struct blindingParamsStr { + ** the Handbook of Applied Cryptography, 11.118-11.119. + */ + struct RSABlindingParamsStr { + /* Blinding-specific parameters */ + PRCList link; /* link to list of structs */ + SECItem modulus; /* list element "key" */ + blindingParams *free, *bp; /* Blinding parameters queue */ + blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE]; ++ /* precalculate montegomery reduction value */ ++ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */ + }; + typedef struct RSABlindingParamsStr RSABlindingParams; + + /* + ** RSABlindingParamsListStr + ** + ** List of key-specific blinding params. The arena holds the volatile pool + ** of memory for each entry and the list itself. The lock is for list +@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey * + CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen)); + CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen)); + /* k < n */ + CHECK_MPI_OK(mp_mod(&k, n, &k)); + /* f = k**e mod n */ + CHECK_MPI_OK(mp_exptmod(&k, &e, n, f)); + /* g = k**-1 mod n */ + CHECK_MPI_OK(mp_invmod(&k, n, g)); ++ /* g in montgomery form.. */ ++ CHECK_MPI_OK(mp_to_mont(g, n, g)); + cleanup: + if (kb) + PORT_ZFree(kb, modLen); + mp_clear(&k); + mp_clear(&e); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams * + * of rsabp->array pointer and must be set to NULL + */ + rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL; + + bp = rsabp->array; + rsabp->bp = NULL; + rsabp->free = bp; + ++ /* precalculate montgomery reduction parameter */ ++ rsabp->n0i = mp_calculate_mont_n0i(n); ++ + /* List elements are keyed using the modulus */ + return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus); + } + + static SECStatus + get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen, +- mp_int *f, mp_int *g) ++ mp_int *f, mp_int *g, mp_digit *n0i) + { + RSABlindingParams *rsabp = NULL; + blindingParams *bpUnlinked = NULL; + blindingParams *bp; + PRCList *el; + SECStatus rv = SECSuccess; + mp_err err = MP_OKAY; + int cmp = -1; +@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key, + ** head (since el would have looped back to the head). + */ + PR_INSERT_BEFORE(&rsabp->link, el); + } + + /* We've found (or created) the RSAblindingParams struct for this key. + * Now, search its list of ready blinding params for a usable one. + */ ++ *n0i = rsabp->n0i; + while (0 != (bp = rsabp->bp)) { + #ifdef UNSAFE_FUZZER_MODE + /* Found a match and there are still remaining uses left */ + /* Return the parameters */ + CHECK_MPI_OK(mp_copy(&bp->f, f)); + CHECK_MPI_OK(mp_copy(&bp->g, g)); + + PZ_Unlock(blindingParamsList.lock); +@@ -1426,16 +1434,17 @@ cleanup: + rsabp->free = bp; + } + if (holdingLock) { + PZ_Unlock(blindingParamsList.lock); + } + if (err) { + MP_TO_SEC_ERROR(err); + } ++ *n0i = 0; + return SECFailure; + } + + /* + ** Perform a raw private-key operation + ** Length of input and output buffers are equal to key's modulus len. + */ + static SECStatus +@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + PRBool check) + { + unsigned int modLen; + unsigned int offset; + SECStatus rv = SECSuccess; + mp_err err; + mp_int n, c, m; + mp_int f, g; ++ mp_digit n0i; + if (!key || !output || !input) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + /* check input out of range (needs to be in range [0..n-1]) */ + modLen = rsa_modulusLen(&key->modulus); + if (modLen == 0) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + CHECK_MPI_OK(mp_init(&f)); + CHECK_MPI_OK(mp_init(&g)); + SECITEM_TO_MPINT(key->modulus, &n); + OCTETS_TO_MPINT(input, &c, modLen); + /* If blinding, compute pre-image of ciphertext by multiplying by + ** blinding factor + */ + if (nssRSAUseBlinding) { +- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g)); ++ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i)); + /* c' = c*f mod n */ + CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c)); + } + /* Do the private key operation m = c**d mod n */ + if (key->prime1.len == 0 || + key->prime2.len == 0 || + key->exponent1.len == 0 || + key->exponent2.len == 0 || +@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key, + } else { + CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c)); + } + /* If blinding, compute post-image of plaintext by multiplying by + ** blinding factor + */ + if (nssRSAUseBlinding) { + /* m = m'*g mod n */ +- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m)); ++ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m)); + } + err = mp_to_fixlen_octets(&m, output, modLen); + if (err >= 0) + err = MP_OKAY; + cleanup: + mp_clear(&n); + mp_clear(&c); + mp_clear(&m); diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h index 80d7dcd..d634e0d 100644 --- a/SOURCES/fips_algorithms.h +++ b/SOURCES/fips_algorithms.h @@ -15,11 +15,12 @@ typedef enum { SFTKFIPSECC, /* not just keys but specific curves */ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */ SFTKFIPSRSAPSS, /* make sure salt isn't too big */ - SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSPBKDF2, /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ } SFTKFIPSSpecialClass; /* set according to your security policy */ -#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7 +#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8 typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList; struct SFTKFIPSAlgorithmListStr { @@ -27,6 +28,7 @@ struct SFTKFIPSAlgorithmListStr { CK_MECHANISM_INFO info; CK_ULONG step; SFTKFIPSSpecialClass special; + size_t offset; }; SFTKFIPSAlgorithmList sftk_fips_mechs[] = { @@ -50,7 +52,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define CKF_KPG CKF_GENERATE_KEY_PAIR #define CKF_GEN CKF_GENERATE #define CKF_SGN (CKF_SIGN | CKF_VERIFY) -#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT ) +#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_WRP (CKF_WRAP | CKF_UNWRAP) #define CKF_KEK (CKF_WRAP | CKF_UNWRAP) #define CKF_KEA CKF_DERIVE #define CKF_KDF CKF_DERIVE @@ -101,6 +105,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { /* -------------------- Elliptic Curve Operations --------------------- */ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, @@ -115,10 +120,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD }, - { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD }, + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, /* ------------------------- Hashing Operations ----------------------- */ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, @@ -136,36 +141,41 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, /* ---------------------- SSL/TLS operations ------------------------- */ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHash, + offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, /* ------------------------- HKDF Operations -------------------------- */ - { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, + { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, /* ------------------ NIST 800-108 Key Derivations ------------------- */ - { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, /* --------------------IPSEC ----------------------- */ - { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) }, + { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) }, /* ------------------ PBE Key Derivations ------------------- */ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 }, }; diff --git a/SOURCES/nss-3.90-aes-gmc-indicator.patch b/SOURCES/nss-3.90-aes-gmc-indicator.patch new file mode 100644 index 0000000..612bb9a --- /dev/null +++ b/SOURCES/nss-3.90-aes-gmc-indicator.patch @@ -0,0 +1,42 @@ +diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c +--- a/lib/softoken/sftkmessage.c ++++ b/lib/softoken/sftkmessage.c +@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + ++ if (context->isFIPS && (contextType == CKA_ENCRYPT)) { ++ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) { ++ context->isFIPS = PR_FALSE; ++ } else { ++ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter; ++ switch (p->ivGenerator) { ++ case CKG_NO_GENERATE: ++ context->isFIPS = PR_FALSE; ++ break; ++ case CKG_GENERATE_RANDOM: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) { ++ context->isFIPS = PR_FALSE; ++ } ++ break; ++ default: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) { ++ context->isFIPS = PR_FALSE; ++ } ++ } ++ } ++ } ++ + if (!pOuttext) { + *pulOuttextLen = ulIntextLen; + return CKR_OK; + } + rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen, + maxout, pIntext, ulIntextLen, + pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen); diff --git a/SOURCES/nss-3.90-extend-db-dump-time.patch b/SOURCES/nss-3.90-extend-db-dump-time.patch new file mode 100644 index 0000000..9d26770 --- /dev/null +++ b/SOURCES/nss-3.90-extend-db-dump-time.patch @@ -0,0 +1,12 @@ +diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh +--- ./tests/dbtests/dbtests.sh.extend 2023-11-15 13:17:50.651020458 -0800 ++++ ./tests/dbtests/dbtests.sh 2023-11-15 13:18:57.091608850 -0800 +@@ -366,7 +366,7 @@ dbtest_main() + RARRAY=($dtime) + TIMEARRAY=(${RARRAY[1]//./ }) + echo "${TIMEARRAY[0]} seconds" +- test ${TIMEARRAY[0]} -lt 2 ++ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3} + ret=$? + html_msg ${ret} 0 "certutil dump keys with explicit default trust flags" + fi diff --git a/SOURCES/nss-3.90-fips-indicators.patch b/SOURCES/nss-3.90-fips-indicators.patch new file mode 100644 index 0000000..961d64b --- /dev/null +++ b/SOURCES/nss-3.90-fips-indicators.patch @@ -0,0 +1,190 @@ +diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800 +@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C + context->blockSize = 0; + context->maxLen = 0; + context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism, +- operation, key); ++ operation, key, 0); + *contextPtr = context; + return CKR_OK; + } +@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + crv = sftk_handleObject(key, session); + /* we need to do this check at the end, so we can check the generated + * key length against fips requirements */ +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0); + session->lastOpWasFIPS = key->isFIPS; + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { +@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + return crv; + } + /* we need to do this check at the end to make sure the generated key meets the key length requirements */ +- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0); + publicKey->isFIPS = privateKey->isFIPS; + session->lastOpWasFIPS = privateKey->isFIPS; + sftk_FreeSession(session); +@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + return CKR_TEMPLATE_INCONSISTENT; + } + ++ if (!params->bExpand) { ++ keySize = hashLen; ++ } ++ + /* sourceKey is NULL if we are called from the POST, skip the + * sensitiveCheck */ + if (sourceKey != NULL) { +@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + mech.pParameter = params; + mech.ulParameterLen = sizeof(*params); + key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech, +- CKA_DERIVE, saltKey); ++ CKA_DERIVE, saltKey, ++ keySize); + } + saltKeySource = saltKey->source; + saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE); +@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + /* HKDF-Expand */ + if (!params->bExpand) { + okm = prk; +- keySize = genLen = hashLen; ++ genLen = hashLen; + } else { + /* T(1) = HMAC-Hash(prk, "" | info | 0x01) + * T(n) = HMAC-Hash(prk, T(n-1) | info | n +@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + return CKR_KEY_HANDLE_INVALID; + } + } +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey, ++ keySize); + + switch (mechanism) { + /* get a public key from a private key. nsslowkey_ConvertToPublickey() +diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h +--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800 ++++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800 +@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB + /* check the FIPS table to determine if this current operation is allowed by + * FIPS security policy */ + PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, +- CK_ATTRIBUTE_TYPE op, SFTKObject *source); ++ CK_ATTRIBUTE_TYPE op, SFTKObject *source, ++ CK_ULONG targetKeySize); + /* add validation objects to the slot */ + CK_RV sftk_CreateValidationObjects(SFTKSlot *slot); + +diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800 ++++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800 +@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou + static CK_ULONG + sftk_getKeyLength(SFTKObject *source) + { +- CK_KEY_TYPE keyType = CK_INVALID_HANDLE; ++ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE; + CK_ATTRIBUTE_TYPE keyAttribute; + CK_ULONG keyLength = 0; + SFTKAttribute *attribute; +@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source) + return keyLength; + } + ++PRBool ++sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash) ++{ ++ switch (hash) { ++ case CKM_SHA256: ++ case CKG_MGF1_SHA256: ++ case CKM_SHA384: ++ case CKG_MGF1_SHA384: ++ case CKM_SHA512: ++ case CKG_MGF1_SHA512: ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ + /* + * handle specialized FIPS semantics that are too complicated to + * handle with just a table. NOTE: this means any additional semantics + * would have to be coded here before they can be added to the table */ + static PRBool + sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech, +- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source) ++ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source, ++ CK_ULONG keyLength, CK_ULONG targetKeyLength) + { + switch (mechInfo->special) { + case SFTKFIPSDH: { +@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + if (hashObj == NULL) { + return PR_FALSE; + } ++ /* cap the salt for legacy keys */ ++ if ((keyLength <= 1024) && (pss->sLen > 63)) { ++ return PR_FALSE; ++ } ++ /* cap the salt for based on the hash */ + if (pss->sLen > hashObj->length) { + return PR_FALSE; + } +- return PR_TRUE; ++ return sftk_CheckFIPSHash(pss->hashAlg); + } + case SFTKFIPSPBKDF2: { + /* PBKDF2 must have the following addition restrictions +@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + } + return PR_TRUE; + } ++ /* check the hash mechanisms to make sure they themselves are FIPS */ ++ case SFTKFIPSChkHash: ++ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) { ++ return PR_FALSE; ++ } ++ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter) ++ + mechInfo->offset)); + default: + break; + } +@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + + PRBool + sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op, +- SFTKObject *source) ++ SFTKObject *source, CK_ULONG targetKeyLength) + { + #ifndef NSS_HAS_FIPS_INDICATORS + return PR_FALSE; +@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ + SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i]; + /* if we match the number of records exactly, then we are an + * approved algorithm in the approved mode with an approved key */ +- if (((mech->mechanism == mechs->type) && +- (opFlags == (mechs->info.flags & opFlags)) && +- (keyLength <= mechs->info.ulMaxKeySize) && +- (keyLength >= mechs->info.ulMinKeySize) && +- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ if ((mech->mechanism == mechs->type) && ++ (opFlags == (mechs->info.flags & opFlags)) && ++ (keyLength <= mechs->info.ulMaxKeySize) && ++ (keyLength >= mechs->info.ulMinKeySize) && ++ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ ((targetKeyLength == 0) || ++ ((targetKeyLength <= mechs->info.ulMaxKeySize) && ++ (targetKeyLength >= mechs->info.ulMinKeySize) && ++ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) && + ((mechs->special == SFTKFIPSNone) || +- sftk_handleSpecial(slot, mech, mechs, source))) { ++ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) { + return PR_TRUE; + } + } diff --git a/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch b/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch new file mode 100644 index 0000000..7728732 --- /dev/null +++ b/SOURCES/nss-3.90-fips-pkcs11-long-hash.patch @@ -0,0 +1,83 @@ +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -15,10 +15,13 @@ + * keys and their associated Certificates are saved on the token. + * + * In this implementation, session objects are only visible to the session + * that created or generated them. + */ ++ ++#include /* for UINT_MAX and ULONG_MAX */ ++ + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" + #include "blapi.h" + #include "pkcs11.h" +@@ -1954,12 +1957,21 @@ + if (pDigest == NULL) { + *pulDigestLen = context->maxLen; + goto finish; + } + +- /* do it: */ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_Digest takes an unsigned long. */ ++ while (ulDataLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX); ++ pData += UINT_MAX; ++ ulDataLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen); ++ + /* NOTE: this assumes buf size is bigenough for the algorithm */ + (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); + *pulDigestLen = digestLen; + + sftk_TerminateOp(session, SFTK_HASH, context); +@@ -1980,12 +1992,22 @@ + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; +- /* do it: */ ++ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_DigestUpdate takes an unsigned long. */ ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen); ++ + return CKR_OK; + } + + /* NSC_DigestFinal finishes a multiple-part message-digesting operation. */ + CK_RV +@@ -3166,10 +3188,17 @@ + crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + if (context->hashInfo) { ++#if (ULONG_MAX > UINT_MAX) ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen); + } else { + /* must be block cipher MACing */ + + unsigned int blkSize = context->blockSize; + diff --git a/SOURCES/nss-3.90-fips-safe-memset.patch b/SOURCES/nss-3.90-fips-safe-memset.patch new file mode 100644 index 0000000..1503bd9 --- /dev/null +++ b/SOURCES/nss-3.90-fips-safe-memset.patch @@ -0,0 +1,506 @@ +diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c +--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen); + rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv, + outLen); +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_ZFree(newBuf, paddedInputLen); + /* a little overkill, we only need to clear out the length, but this + * is easier to verify we got it all */ +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext + loser: + /* if we failed, make sure we don't return any data to the user */ + if ((rv != SECSuccess) && (output == newBuf)) { +- PORT_Memset(newBuf, 0, paddedLen); ++ PORT_SafeZero(newBuf, paddedLen); + } + /* clear out CSP sensitive data from the heap and stack */ + if (allocBuf) { + PORT_ZFree(allocBuf, paddedLen); + } +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } +diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h +--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800 +@@ -101,10 +101,10 @@ PRBool ppc_crypto_support(); + #ifdef NSS_FIPS_DISABLED + #define BLAPI_CLEAR_STACK(stack_size) + #else +-#define BLAPI_CLEAR_STACK(stack_size) \ +- { \ +- volatile char _stkclr[stack_size]; \ +- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \ ++#define BLAPI_CLEAR_STACK(stack_size) \ ++ { \ ++ volatile char _stkclr[stack_size]; \ ++ PORT_SafeZero((void *)&_stkclr[0], stack_size); \ + } + #endif + +diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c +--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -197,7 +197,7 @@ prng_initEntropy(void) + SHA256_Update(&ctx, block, sizeof(block)); + SHA256_End(&ctx, globalrng->previousEntropyHash, NULL, + sizeof(globalrng->previousEntropyHash)); +- PORT_Memset(block, 0, sizeof(block)); ++ PORT_SafeZero(block, sizeof(block)); + SHA256_DestroyContext(&ctx, PR_FALSE); + return PR_SUCCESS; + } +@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t + } + + out: +- PORT_Memset(hash, 0, sizeof hash); +- PORT_Memset(block, 0, sizeof block); ++ PORT_SafeZero(hash, sizeof hash); ++ PORT_SafeZero(block, sizeof block); + return rv; + } + +@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r + PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry); + SHA256_DestroyContext(&ctx, PR_FALSE); + } +- PORT_Memset(data, 0, sizeof data); +- PORT_Memset(thisHash, 0, sizeof thisHash); ++ PORT_SafeZero(data, sizeof data); ++ PORT_SafeZero(thisHash, sizeof thisHash); + } + + /* +@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng, + PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry); + + /* if the prng failed, don't return any output, signal softoken */ +- PORT_Memset(H, 0, sizeof H); ++ PORT_SafeZero(H, sizeof H); + if (!rng->isValid) { + PORT_Memset(returned_bytes, 0, no_of_returned_bytes); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); +diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c +--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800 +@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt + err = MP_OKAY; + signature->len = dsa_signature_len; + cleanup: +- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN); ++ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt + rv = dsa_SignDigest(key, signature, digest, kSeed); + } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM && + --retries > 0); +- PORT_Memset(kSeed, 0, sizeof kSeed); ++ PORT_SafeZero(kSeed, sizeof kSeed); + return rv; + } + +@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons + verified = SECSuccess; /* Signature verified. */ + } + cleanup: +- PORT_Memset(localDigestData, 0, sizeof localDigestData); ++ PORT_SafeZero(localDigestData, sizeof localDigestData); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c +--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800 +@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns + rv = SECSuccess; + + cleanup: +- PORT_Memset(T, 0, sizeof(T)); ++ PORT_SafeZero(T, sizeof(T)); + return rv; + } + +@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC + if (rv != SECSuccess) { + goto loser; + } +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + gcm->ctr_context_init = PR_TRUE; + return gcm; + + loser: +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + if (ghash && ghash->mem) { + void *mem = ghash->mem; +- PORT_Memset(ghash, 0, sizeof(gcmHashContext)); ++ PORT_SafeZero(ghash, sizeof(gcmHashContext)); + PORT_Free(mem); + } + if (gcm) { +@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u + goto loser; + } + +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + return SECSuccess; + + loser: +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + if (freeCtr) { + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + } +@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig + if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c +--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800 +@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut, + hashObj->end(mdState, mdOut, mdOutLen, mdOutMax); + hashObj->destroy(mdState, PR_TRUE); + +- PORT_Memset(lengthBytes, 0, sizeof lengthBytes); +- PORT_Memset(hmacPad, 0, sizeof hmacPad); +- PORT_Memset(firstBlock, 0, sizeof firstBlock); +- PORT_Memset(macOut, 0, sizeof macOut); ++ PORT_SafeZero(lengthBytes, sizeof lengthBytes); ++ PORT_SafeZero(hmacPad, sizeof hmacPad); ++ PORT_SafeZero(firstBlock, sizeof firstBlock); ++ PORT_SafeZero(macOut, sizeof macOut); + + return SECSuccess; + } +diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c +--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo + void + intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c +--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex + void + ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c +--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -703,7 +703,7 @@ cleanup: + mp_clear(&a); + mp_clear(&z); + mp_clear(&two_length_minus_1); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -859,7 +859,7 @@ cleanup: + mp_clear(&c); + mp_clear(&c0); + mp_clear(&one); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -1072,7 +1072,7 @@ makePfromQandSeed( + CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */ + CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */ + cleanup: +- PORT_Memset(V_j, 0, sizeof V_j); ++ PORT_SafeZero(V_j, sizeof V_j); + mp_clear(&W); + mp_clear(&X); + mp_clear(&c); +@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype, + /* step 11. + * return valid G */ + cleanup: +- PORT_Memset(data, 0, sizeof(data)); ++ PORT_SafeZero(data, sizeof(data)); + if (hashcx) { + hashobj->destroy(hashcx, PR_TRUE); + } +diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c +--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800 +@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo + cx->worker_cx = NULL; + cx->destroy = NULL; + } +- PORT_Memset(cx, 0, sizeof(AESContext)); ++ PORT_SafeZero(cx, sizeof(AESContext)); + if (freeit) { + PORT_Free(mem); + } else { +diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c +--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800 ++++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800 +@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c + /* 2. Compute phi = (p-1)*(q-1) */ + CHECK_MPI_OK(mp_sub_d(p, 1, &psub1)); + CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1)); ++ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + if (needPublicExponent || needPrivateExponent) { +- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + /* 3. Compute d = e**-1 mod(phi) */ + /* or e = d**-1 mod(phi) as necessary */ + if (needPublicExponent) { +@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c + goto cleanup; + } + ++ /* make sure we weren't passed in a d or e = 1 mod phi */ ++ /* just need to check d, because if one is = 1 mod phi, they both are */ ++ CHECK_MPI_OK(mp_mod(d, &phi, &tmp)); ++ if (mp_cmp_d(&tmp, 2) <= 0) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ rv = SECFailure; ++ goto cleanup; ++ } ++ + /* 4. Compute exponent1 = d mod (p-1) */ + CHECK_MPI_OK(mp_mod(d, &psub1, &tmp)); + MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); +@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv + /* Perform a public key operation v = m ** e mod n */ + CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v)); + if (mp_cmp(&v, c) != 0) { ++ /* this error triggers a fips fatal error lock */ ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + rv = SECFailure; + } + cleanup: +diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c +--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800 +@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject * + /* now create the hmac key */ + hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE); + if (hmac == NULL) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + return NULL; + } + HMAC_Begin(hmac); + HMAC_Update(hmac, input, inputLen); + rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash)); + if (rv != SECSuccess) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + HMAC_Destroy(hmac, PR_TRUE); + return NULL; + } +@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject * + * reuse the original context allocated above so we don't + * need to allocate and free another one */ + rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE); +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + if (rv != SECSuccess) { + HMAC_Destroy(hmac, PR_TRUE); + return NULL; +@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha + return rv; + } + PORT_Memcpy(output, hmacLast, left); +- PORT_Memset(hmacLast, 0, sizeof(hmacLast)); ++ PORT_SafeZero(hmacLast, sizeof(hmacLast)); + } + return rv; + } +@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in + outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen), + candidate, outLength); + } +- PORT_Memset(out, 0, sizeof(out)); ++ PORT_SafeZero(out, sizeof(out)); + return outLength; + } + +diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c +--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800 +@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD, + + /* verify the hash against the check file */ + rv = DSA_VerifyDigest(key, signature, &hash); +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return (rv == SECSuccess) ? PR_TRUE : PR_FALSE; + } + #endif +@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + if (rv == SECSuccess) { + result = SECITEM_ItemsAreEqual(signature, &hash); + } +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return result; + } + +@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P + #ifndef NSS_STRICT_INTEGRITY + DSAPublicKey key; + +- PORT_Memset(&key, 0, sizeof(key)); ++ PORT_SafeZero(&key, sizeof(key)); + #endif + + /* If our integrity check was never ran or failed, fail any other +@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P + shFD = NULL; + + loser: +- PORT_Memset(&header, 0, sizeof header); ++ PORT_SafeZero(&header, sizeof header); + if (checkName != NULL) { + PORT_Free(checkName); + } +diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c +--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800 +@@ -82,8 +82,8 @@ loser: + /* clear out state so it's not left on the stack */ + if (cx) + HMAC_Destroy(cx, PR_TRUE); +- PORT_Memset(state, 0, sizeof(state)); +- PORT_Memset(outbuf, 0, sizeof(outbuf)); ++ PORT_SafeZero(state, sizeof(state)); ++ PORT_SafeZero(outbuf, sizeof(outbuf)); + return rv; + } + +diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c +--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800 ++++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800 +@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void) + return; + } + RNG_RandomUpdate(bytes, numBytes); +- PORT_Memset(bytes, 0, sizeof bytes); ++ PORT_SafeZero(bytes, sizeof bytes); + } + + #ifdef NSS_FIPS_140_3 +diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800 +@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + if ((signature_length >= pairwise_digest_length) && + (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { + PORT_Free(signature); +- return CKR_DEVICE_ERROR; ++ return CKR_GENERAL_ERROR; + } + + /* Verify the known hash using the public key. */ +diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h +--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800 +@@ -36,6 +36,9 @@ + #include + + #include ++/* ask for Annex K for memset_s. will set the appropriate #define ++ * if Annex K is supported */ ++#define __STDC_WANT_LIB_EXT1__ 1 + #include + #include + #include +@@ -182,6 +185,39 @@ SEC_END_PROTOS + #endif /*SUNOS4*/ + #define PORT_Memset memset + ++/* there are cases where the compiler optimizes away our attempt to clear ++ * out our stack variables. There are multiple solutions for this problem, ++ * but they aren't universally accepted on all platforms. This attempts ++ * to select the best solution available given our os, compilier, and libc */ ++#ifdef __STDC_LIB_EXT1__ ++/* if the os implements C11 annex K, use memset_s */ ++#define PORT_SafeZero(p, n) memset_s(p, n, 0, n) ++#else ++#ifdef XP_WIN ++/* windows has a secure zero funtion */ ++#define PORT_SafeZero(p, n) SecureZeroMemory(p, n) ++#else ++/* _DEFAULT_SORUCE == BSD source in GCC based environments ++ * if other environmens support explicit_bzero, their defines ++ * should be added here */ ++#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE) ++#define PORT_SafeZero(p, n) explicit_bzero(p, n) ++#else ++/* if the os doesn't support one of the above, but does support ++ * memset_explicit, you can add the definition for memset with the ++ * appropriate define check here */ ++/* define an explicitly implementated Safe zero if the OS ++ * doesn't provide one */ ++#define PORT_SafeZero(p, n) \ ++ if (p != NULL) { \ ++ volatile unsigned char *__vl = (unsigned char *)p; \ ++ size_t __nl = n; \ ++ while (__nl--) *__vl++ = 0; \ ++ } ++#endif /* no explicit_bzero */ ++#endif /* no windows SecureZeroMemory */ ++#endif /* no memset_s */ ++ + #define PORT_Strcasecmp PL_strcasecmp + #define PORT_Strcat strcat + #define PORT_Strchr strchr diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 1f73285..a03ae03 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 3%{?dist} +Release: 4%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -113,6 +113,8 @@ Source28: nss-p11-kit.config # will have their own validation Source30: fips_algorithms.h +Source50: NameConstraints_Certs.tar + # To inject hardening flags for DSO Patch1: nss-dso-ldflags.patch # This patch uses the GCC -iquote option documented at @@ -132,7 +134,7 @@ Patch4: iquote.patch Patch9: nss-sysinit-userdb.patch # Disable nss-sysinit test which is solely to test the above change Patch10: nss-skip-sysinit-gtests.patch - +Patch15: nss-3.90-extend-db-dump-time.patch # For compatibility reasons, we stick with the old PKCS #11 2.40 # definition of CK_GCM_PARAMS: %if 0%{?fedora} < 34 @@ -174,6 +176,12 @@ Patch64: nss-3.90-pbkdf2-indicator.patch #ems policy. needs to upstream Patch70: nss-3.90-add-ems-policy.patch +Patch80: blinding_ct.patch +Patch81: nss-3.90-fips-pkcs11-long-hash.patch +Patch82: nss-3.90-fips-safe-memset.patch +Patch83: nss-3.90-fips-indicators.patch +Patch84: nss-3.90-aes-gmc-indicator.patch + %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -310,6 +318,11 @@ popd # each vendors claim in their own FIPS certification cp %{SOURCE30} nss/lib/softoken/ +#update expired test certs +pushd nss +tar xvf %{SOURCE50} +popd + # https://bugzilla.redhat.com/show_bug.cgi?id=1247353 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; @@ -509,6 +522,10 @@ export USE_64=1 # disabled by the system policy. export NSS_IGNORE_SYSTEM_POLICY=1 +%ifarch i686 ppcle64 +export NSS_DB_DUMP_TIME=10 +%endif + # enable the following line to force a test failure # find ./nss -name \*.chk | xargs rm -f @@ -955,6 +972,16 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Wed Dec 6 2023 Bob Relyea - 3.90.0-4 +- FIPS review changes +- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory. +- update the indicators for this release +- allow hashing of longer than int32 values in a single PKCS #11 call. + +* Tue Nov 21 2023 Bob Relyea - 3.90.0-3.1 +- Fix expired certs in tests +- Fix CVE-2023-5388 + * Thu Aug 3 2023 Bob Relyea - 3.90.0-3 - add indicators for pbkdf2 - add camellia to pkcs12 doc files