import nss-3.44.0-14.el8

This commit is contained in:
CentOS Sources 2020-01-21 11:07:03 -05:00 committed by Stepan Oksanichenko
parent 5efd4a9568
commit 2f9926f1ba
32 changed files with 83948 additions and 1299 deletions

3
.gitignore vendored
View File

@ -7,7 +7,8 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
SOURCES/nss-3.41.tar.gz
SOURCES/nss-3.44.tar.gz
SOURCES/nss-config.xml
SOURCES/nss-softokn-cavs-1.0.tar.gz
SOURCES/secmod.db.xml
SOURCES/setup-nsssysinit.xml

View File

@ -7,7 +7,8 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
ea6705e15999bdc6365f05b3d66f9c1d49677f84 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
69c60e8d3190573dbcbc01f50e68e3ceb7d92522 SOURCES/nss-3.41.tar.gz
44a83b1bf4efd27605177ecdbf217e579ae8c8ae SOURCES/nss-3.44.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml

View File

@ -1,79 +0,0 @@
diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100
@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar
mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc);
mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc);
+ /* if the system FIPS mode is enabled, force FIPS to be on */
+ if (SECMOD_GetSystemFIPSEnabled()) {
+ mod->isFIPS = PR_TRUE;
+ }
mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc);
slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc);
mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams,
diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c
--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100
@@ -95,6 +95,26 @@ SECMOD_Shutdown()
return SECSuccess;
}
+int SECMOD_GetSystemFIPSEnabled(void) {
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
+ if (size != 1)
+ return 0;
+ if (d == '1')
+ return 1;
+#endif
+ return 0;
+}
+
/*
* retrieve the internal module
*/
@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char *
SECMODModuleList **mlpp;
SECStatus rv = SECFailure;
- if (pendingModule) {
+ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) {
PORT_SetError(SEC_ERROR_MODULE_STUCK);
return rv;
}
@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void)
#ifdef NSS_FIPS_DISABLED
return PR_FALSE;
#else
- return (PRBool)(pendingModule == NULL);
+ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled());
#endif
}
diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h
--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100
+++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100
@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd
CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid,
SECItem **param, SECItem *pwd, PRBool faulty3DES);
+/* Get the state of the system FIPS mode */
+/* NSS uses this to force FIPS mode if the system bit is on. Applications which
+ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or
+ * from FIPS mode will automatically be told that they can't swith out of FIPS
+ * mode */
+int SECMOD_GetSystemFIPSEnabled();
+
extern void pk11sdr_Init(void);
extern void pk11sdr_Shutdown(void);

View File

@ -1,804 +0,0 @@
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1544226862 28800
# Fri Dec 07 15:54:22 2018 -0800
# Node ID 521a5b2f10cc197b9349df033f9d3cca0b5226c5
# Parent 5ac4d4904afae59149bb1fab49c3b21244a51a22
try: -b do -u all - p all -t all
diff --git a/cmd/manifest.mn b/cmd/manifest.mn
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -51,16 +51,17 @@ NSS_SRCDIRS = \
ocspclnt \
ocspresp \
oidcalc \
p7content \
p7env \
p7sign \
p7verify \
pk12util \
+ pk11import \
pk11ectest \
pk11gcmtest \
pk11mode \
pk1sign \
pp \
pwdecrypt \
rsaperf \
rsapoptst \
diff --git a/cmd/pk11import/Makefile b/cmd/pk11import/Makefile
new file mode 100644
--- /dev/null
+++ b/cmd/pk11import/Makefile
@@ -0,0 +1,43 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include ../platlibs.mk
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+include ../platrules.mk
diff --git a/cmd/pk11import/manifest.mn b/cmd/pk11import/manifest.mn
new file mode 100644
--- /dev/null
+++ b/cmd/pk11import/manifest.mn
@@ -0,0 +1,15 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+MODULE = nss
+
+CSRCS = pk11import.c \
+ $(NULL)
+
+REQUIRES = seccmd
+
+PROGRAM = pk11import
+
diff --git a/cmd/pk11import/pk11import.c b/cmd/pk11import/pk11import.c
new file mode 100644
--- /dev/null
+++ b/cmd/pk11import/pk11import.c
@@ -0,0 +1,410 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "secutil.h"
+#include "secmod.h"
+#include "cert.h"
+#include "secoid.h"
+#include "nss.h"
+#include "pk11pub.h"
+#include "pk11pqg.h"
+
+/* NSPR 2.0 header files */
+#include "prinit.h"
+#include "prprf.h"
+#include "prsystem.h"
+#include "prmem.h"
+/* Portable layer header files */
+#include "plstr.h"
+
+SECOidData *
+getCurveFromString(char *curve_name)
+{
+ SECOidTag tag = SEC_OID_SECG_EC_SECP256R1;
+
+ if (PORT_Strcasecmp(curve_name, "NISTP256") == 0) {
+ } else if (PORT_Strcasecmp(curve_name, "NISTP384") == 0) {
+ tag = SEC_OID_SECG_EC_SECP384R1;
+ } else if (PORT_Strcasecmp(curve_name, "NISTP521") == 0) {
+ tag = SEC_OID_SECG_EC_SECP521R1;
+ } else if (PORT_Strcasecmp(curve_name, "Curve25519") == 0) {
+ tag = SEC_OID_CURVE25519;
+ }
+ return SECOID_FindOIDByTag(tag);
+}
+
+void
+dumpItem(const char *label, const SECItem *item)
+{
+ int i;
+ printf("%s = [%d bytes] {", label, item->len);
+ for (i = 0; i < item->len; i++) {
+ if ((i & 0xf) == 0)
+ printf("\n ");
+ else
+ printf(", ");
+ printf("%02x", item->data[i]);
+ }
+ printf("};\n");
+}
+
+SECStatus
+handleEncryptedPrivateImportTest(char *progName, PK11SlotInfo *slot,
+ char *testname, CK_MECHANISM_TYPE genMech, void *params, void *pwArgs)
+{
+ SECStatus rv = SECSuccess;
+ SECItem privID = { 0 };
+ SECItem pubID = { 0 };
+ SECItem pubValue = { 0 };
+ SECItem pbePwItem = { 0 };
+ SECItem nickname = { 0 };
+ SECItem token = { 0 };
+ SECKEYPublicKey *pubKey = NULL;
+ SECKEYPrivateKey *privKey = NULL;
+ PK11GenericObject *objs = NULL;
+ PK11GenericObject *obj = NULL;
+ SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+ PRBool keyFound = 0;
+ KeyType keyType;
+
+ fprintf(stderr, "Testing %s PrivateKeyImport ***********************\n",
+ testname);
+
+ /* generate a temp key */
+ privKey = PK11_GenerateKeyPair(slot, genMech, params, &pubKey,
+ PR_FALSE, PR_TRUE, pwArgs);
+ if (privKey == NULL) {
+ SECU_PrintError(progName, "PK11_GenerateKeyPair Failed");
+ goto cleanup;
+ }
+
+ /* wrap the temp key */
+ pbePwItem.data = (unsigned char *)"pw";
+ pbePwItem.len = 2;
+ epki = PK11_ExportEncryptedPrivKeyInfo(slot, SEC_OID_AES_256_CBC,
+ &pbePwItem, privKey, 1, NULL);
+ if (epki == NULL) {
+ SECU_PrintError(progName, "PK11_ExportEncryptedPrivKeyInfo Failed");
+ goto cleanup;
+ }
+
+ /* Save the public value, which we will need on import */
+ keyType = pubKey->keyType;
+ switch (keyType) {
+ case rsaKey:
+ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.rsa.modulus);
+ break;
+ case dhKey:
+ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dh.publicValue);
+ break;
+ case dsaKey:
+ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.dsa.publicValue);
+ break;
+ case ecKey:
+ SECITEM_CopyItem(NULL, &pubValue, &pubKey->u.ec.publicValue);
+ break;
+ default:
+ fprintf(stderr, "Unknown keytype = %d\n", keyType);
+ goto cleanup;
+ }
+ dumpItem("pubValue", &pubValue);
+
+ /* when Asymetric keys represent session keys, those session keys are
+ * destroyed when we destroy the Asymetric key representations */
+ SECKEY_DestroyPublicKey(pubKey);
+ pubKey = NULL;
+ SECKEY_DestroyPrivateKey(privKey);
+ privKey = NULL;
+
+ /* unwrap the temp key as a perm */
+ nickname.data = (unsigned char *)"testKey";
+ nickname.len = sizeof("testKey");
+ rv = PK11_ImportEncryptedPrivateKeyInfoAndReturnKey(slot, epki, &pbePwItem,
+ &nickname, &pubValue, PR_TRUE, PR_TRUE, keyType, 0, &privKey, NULL);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "PK11_ImportEncryptedPrivateKeyInfo Failed");
+ goto cleanup;
+ }
+
+ /* verify the public key exists */
+ rv = PK11_ReadRawAttribute(PK11_TypePrivKey, privKey, CKA_ID, &privID);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName,
+ "Couldn't read CKA_ID from pub key, checking next key");
+ goto cleanup;
+ }
+ dumpItem("privKey CKA_ID", &privID);
+ objs = PK11_FindGenericObjects(slot, CKO_PUBLIC_KEY);
+ for (obj = objs; obj; obj = PK11_GetNextGenericObject(obj)) {
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_ID, &pubID);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName,
+ "Couldn't read CKA_ID from pub key, checking next key");
+ continue;
+ }
+ dumpItem("pubKey CKA_ID", &pubID);
+ if (!SECITEM_ItemsAreEqual(&privID, &pubID)) {
+ fprintf(stderr,
+ "CKA_ID does not match priv key, checking next key\n");
+ SECITEM_FreeItem(&pubID, PR_FALSE);
+ continue;
+ }
+ SECITEM_FreeItem(&pubID, PR_FALSE);
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, CKA_TOKEN, &token);
+ if (rv == SECSuccess) {
+ if (token.len == 1) {
+ keyFound = token.data[0];
+ }
+ SECITEM_FreeItem(&token, PR_FALSE);
+ }
+ if (keyFound) {
+ printf("matching public key found\n");
+ break;
+ }
+ printf("Matching key was not a token key, checking next key\n");
+ }
+cleanup:
+ if (objs) {
+ PK11_DestroyGenericObjects(objs);
+ }
+ if (pubValue.data) {
+ SECITEM_FreeItem(&pubValue, PR_FALSE);
+ }
+ if (privID.data) {
+ SECITEM_FreeItem(&privID, PR_FALSE);
+ }
+ if (epki) {
+ PORT_FreeArena(epki->arena, PR_TRUE);
+ }
+ if (pubKey) {
+ SECKEY_DestroyPublicKey(pubKey);
+ }
+ if (privKey) {
+ SECKEY_DestroyPrivateKey(privKey);
+ }
+ fprintf(stderr, "%s PrivateKeyImport %s ***********************\n",
+ testname, keyFound ? "PASSED" : "FAILED");
+ return keyFound ? SECSuccess : SECFailure;
+}
+
+static const char *const usageInfo[] = {
+ "pk11import - test PK11_PrivateKeyImport()"
+ "Options:",
+ " -d certdir directory containing cert database",
+ " -k keysize size of the rsa, dh, and dsa key to test (default 1024)",
+ " -C ecc_curve ecc curve (default )",
+ " -f pwFile file to fetch the password from",
+ " -p pwString password",
+ " -r skip rsa test",
+ " -D skip dsa test",
+ " -h skip dh test",
+ " -e skip ec test",
+};
+static int nUsageInfo = sizeof(usageInfo) / sizeof(char *);
+
+static void
+Usage(char *progName, FILE *outFile)
+{
+ int i;
+ fprintf(outFile, "Usage: %s [ commands ] options\n", progName);
+ for (i = 0; i < nUsageInfo; i++)
+ fprintf(outFile, "%s\n", usageInfo[i]);
+ exit(-1);
+}
+
+enum {
+ opt_CertDir,
+ opt_KeySize,
+ opt_ECCurve,
+ opt_PWFile,
+ opt_PWString,
+ opt_NoRSA,
+ opt_NoDSA,
+ opt_NoDH,
+ opt_NoEC
+};
+
+static secuCommandFlag options[] =
+ {
+ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
+ { /* opt_KeySize */ 'k', PR_TRUE, 0, PR_FALSE },
+ { /* opt_ECCurve */ 'C', PR_TRUE, 0, PR_FALSE },
+ { /* opt_PWFile */ 'f', PR_TRUE, 0, PR_FALSE },
+ { /* opt_PWString */ 'p', PR_TRUE, 0, PR_FALSE },
+ { /* opt_NORSA */ 'r', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoDSA */ 'D', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoDH */ 'h', PR_FALSE, 0, PR_FALSE },
+ { /* opt_NoEC */ 'e', PR_FALSE, 0, PR_FALSE },
+ };
+
+int
+main(int argc, char **argv)
+{
+ char *progName;
+ SECStatus rv;
+ secuCommand args;
+ PK11SlotInfo *slot = NULL;
+ PRBool failed = PR_FALSE;
+ secuPWData pwArgs = { PW_NONE, 0 };
+ PRBool doRSA = PR_TRUE;
+ PRBool doDSA = PR_TRUE;
+ PRBool doDH = PR_FALSE; /* NSS currently can't export wrapped DH keys */
+ PRBool doEC = PR_TRUE;
+ PQGParams *pqgParams = NULL;
+ int keySize;
+
+ args.numCommands = 0;
+ args.numOptions = sizeof(options) / sizeof(secuCommandFlag);
+ args.commands = NULL;
+ args.options = options;
+
+#ifdef XP_PC
+ progName = strrchr(argv[0], '\\');
+#else
+ progName = strrchr(argv[0], '/');
+#endif
+ progName = progName ? progName + 1 : argv[0];
+
+ rv = SECU_ParseCommandLine(argc, argv, progName, &args);
+ if (SECSuccess != rv) {
+ Usage(progName, stderr);
+ }
+
+ /* Set the certdb directory (default is ~/.netscape) */
+ rv = NSS_InitReadWrite(SECU_ConfigDirectory(args.options[opt_CertDir].arg));
+ if (rv != SECSuccess) {
+ SECU_PrintPRandOSError(progName);
+ return 255;
+ }
+ PK11_SetPasswordFunc(SECU_GetModulePassword);
+
+ /* below here, goto cleanup */
+ SECU_RegisterDynamicOids();
+
+ /* handle the arguments */
+ if (args.options[opt_PWFile].arg) {
+ pwArgs.source = PW_FROMFILE;
+ pwArgs.data = args.options[opt_PWFile].arg;
+ }
+ if (args.options[opt_PWString].arg) {
+ pwArgs.source = PW_PLAINTEXT;
+ pwArgs.data = args.options[opt_PWString].arg;
+ }
+ if (args.options[opt_NoRSA].activated) {
+ doRSA = PR_FALSE;
+ }
+ if (args.options[opt_NoDSA].activated) {
+ doDSA = PR_FALSE;
+ }
+ if (args.options[opt_NoDH].activated) {
+ doDH = PR_FALSE;
+ }
+ if (args.options[opt_NoEC].activated) {
+ doEC = PR_FALSE;
+ }
+
+ slot = PK11_GetInternalKeySlot();
+ if (slot == NULL) {
+ SECU_PrintError(progName, "Couldn't find the internal key slot\n");
+ return 255;
+ }
+ rv = PK11_Authenticate(slot, PR_TRUE, &pwArgs);
+ if (rv != SECSuccess) {
+ SECU_PrintError(progName, "Failed to log into slot");
+ PK11_FreeSlot(slot);
+ return 255;
+ }
+
+ keySize = 1024;
+ if (args.options[opt_KeySize].activated &&
+ args.options[opt_KeySize].arg) {
+ keySize = atoi(args.options[opt_KeySize].arg);
+ }
+
+ if (doDSA || doDH) {
+ PQGVerify *pqgVfy;
+ rv = PK11_PQG_ParamGenV2(keySize, 0, keySize / 16, &pqgParams, &pqgVfy);
+ if (rv == SECSuccess) {
+ PK11_PQG_DestroyVerify(pqgVfy);
+ } else {
+ SECU_PrintError(progName,
+ "PK11_PQG_ParamGenV2 failed, can't test DH or DSA");
+ doDSA = doDH = PR_FALSE;
+ failed = PR_TRUE;
+ }
+ }
+
+ if (doRSA) {
+ PK11RSAGenParams rsaParams;
+ rsaParams.keySizeInBits = keySize;
+ rsaParams.pe = 0x010001;
+ rv = handleEncryptedPrivateImportTest(progName, slot, "RSA",
+ CKM_RSA_PKCS_KEY_PAIR_GEN, &rsaParams, &pwArgs);
+ if (rv != SECSuccess) {
+ fprintf(stderr, "RSA Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+ if (doDSA) {
+ rv = handleEncryptedPrivateImportTest(progName, slot, "DSA",
+ CKM_DSA_KEY_PAIR_GEN, pqgParams, &pwArgs);
+ if (rv != SECSuccess) {
+ fprintf(stderr, "DSA Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+ if (doDH) {
+ SECKEYDHParams dhParams;
+ dhParams.prime = pqgParams->prime;
+ dhParams.base = pqgParams->base;
+ rv = handleEncryptedPrivateImportTest(progName, slot, "DH",
+ CKM_DH_PKCS_KEY_PAIR_GEN, &dhParams, &pwArgs);
+ if (rv != SECSuccess) {
+ fprintf(stderr, "DH Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+ if (doEC) {
+ SECKEYECParams ecParams;
+ SECOidData *curve = SECOID_FindOIDByTag(SEC_OID_SECG_EC_SECP256R1);
+ if (args.options[opt_ECCurve].activated &&
+ args.options[opt_ECCurve].arg) {
+ curve = getCurveFromString(args.options[opt_ECCurve].arg);
+ }
+ ecParams.data = PORT_Alloc(curve->oid.len + 2);
+ if (ecParams.data == NULL) {
+ rv = SECFailure;
+ goto ec_failed;
+ }
+ ecParams.data[0] = SEC_ASN1_OBJECT_ID;
+ ecParams.data[1] = (unsigned char)curve->oid.len;
+ PORT_Memcpy(&ecParams.data[2], curve->oid.data, curve->oid.len);
+ ecParams.len = curve->oid.len + 2;
+ rv = handleEncryptedPrivateImportTest(progName, slot, "ECC",
+ CKM_EC_KEY_PAIR_GEN, &ecParams, &pwArgs);
+ PORT_Free(ecParams.data);
+ ec_failed:
+ if (rv != SECSuccess) {
+ fprintf(stderr, "ECC Import Failed!\n");
+ failed = PR_TRUE;
+ }
+ }
+
+ if (pqgParams) {
+ PK11_PQG_DestroyParams(pqgParams);
+ }
+
+ if (slot) {
+ PK11_FreeSlot(slot);
+ }
+
+ rv = NSS_Shutdown();
+ if (rv != SECSuccess) {
+ fprintf(stderr, "Shutdown failed\n");
+ SECU_PrintPRandOSError(progName);
+ return 255;
+ }
+
+ return failed ? 1 : 0;
+}
diff --git a/cmd/pk11import/pk11import.gyp b/cmd/pk11import/pk11import.gyp
new file mode 100644
--- /dev/null
+++ b/cmd/pk11import/pk11import.gyp
@@ -0,0 +1,25 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi',
+ '../../cmd/platlibs.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'pk11import',
+ 'type': 'executable',
+ 'sources': [
+ 'pk11import.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:dbm_exports',
+ '<(DEPTH)/exports.gyp:nss_exports'
+ ]
+ }
+ ],
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
--- a/lib/pk11wrap/pk11akey.c
+++ b/lib/pk11wrap/pk11akey.c
@@ -1672,16 +1672,96 @@ PK11_MakeKEAPubKey(unsigned char *keyDat
rv = SECITEM_CopyItem(arena, &pubk->u.fortezza.KEAKey, &pkData);
if (rv != SECSuccess) {
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
return pubk;
}
+SECStatus
+SECKEY_SetPublicValue(SECKEYPrivateKey *privKey, SECItem *publicValue)
+{
+ SECStatus rv;
+ SECKEYPublicKey pubKey;
+ PLArenaPool *arena;
+ PK11SlotInfo *slot = privKey->pkcs11Slot;
+ CK_OBJECT_HANDLE privKeyID = privKey->pkcs11ID;
+
+ pubKey.arena = NULL;
+ pubKey.keyType = privKey->keyType;
+ pubKey.pkcs11Slot = NULL;
+ pubKey.pkcs11ID = CK_INVALID_HANDLE;
+ /* can't use PORT_InitCheapArena here becase SECKEY_DestroyPublic is used
+ * to free it, and it uses PORT_FreeArena which not only frees the
+ * underlying arena, it also frees the allocated arena struct. */
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ pubKey.arena = arena;
+ if (arena == NULL) {
+ return SECFailure;
+ }
+ rv = SECFailure;
+ switch (privKey->keyType) {
+ default:
+ /* error code already set to SECFailure */
+ break;
+ case rsaKey:
+ pubKey.u.rsa.modulus = *publicValue;
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PUBLIC_EXPONENT,
+ arena, &pubKey.u.rsa.publicExponent);
+ break;
+ case dsaKey:
+ pubKey.u.dsa.publicValue = *publicValue;
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME,
+ arena, &pubKey.u.dsa.params.prime);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_SUBPRIME,
+ arena, &pubKey.u.dsa.params.subPrime);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE,
+ arena, &pubKey.u.dsa.params.base);
+ break;
+ case dhKey:
+ pubKey.u.dh.publicValue = *publicValue;
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_PRIME,
+ arena, &pubKey.u.dh.prime);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_BASE,
+ arena, &pubKey.u.dh.base);
+ break;
+ case ecKey:
+ pubKey.u.ec.publicValue = *publicValue;
+ pubKey.u.ec.encoding = ECPoint_Undefined;
+ pubKey.u.ec.size = 0;
+ rv = PK11_ReadAttribute(slot, privKeyID, CKA_EC_PARAMS,
+ arena, &pubKey.u.ec.DEREncodedParams);
+ break;
+ }
+ if (rv == SECSuccess) {
+ rv = PK11_ImportPublicKey(slot, &pubKey, PR_TRUE);
+ }
+ /* Even though pubKey is stored on the stack, we've allocated
+ * some of it's data from the arena. SECKEY_DestroyPublicKey
+ * destroys keys by freeing the arena, so this will clean up all
+ * the data we allocated specifically for the key above. It will
+ * also free any slot references which we may have picked up in
+ * PK11_ImportPublicKey. It won't delete the underlying key if
+ * its a Token/Permanent key (which it will be if
+ * PK11_ImportPublicKey succeeds). */
+ SECKEY_DestroyPublicKey(&pubKey);
+
+ return rv;
+}
+
/*
* NOTE: This function doesn't return a SECKEYPrivateKey struct to represent
* the new private key object. If it were to create a session object that
* could later be looked up by its nickname, it would leak a SECKEYPrivateKey.
* So isPerm must be true.
*/
SECStatus
PK11_ImportEncryptedPrivateKeyInfo(PK11SlotInfo *slot,
@@ -1797,22 +1877,16 @@ try_faulty_3des:
PORT_Assert(usage != NULL);
PORT_Assert(usageCount != 0);
privKey = PK11_UnwrapPrivKey(slot, key, cryptoMechType,
crypto_param, &epki->encryptedData,
nickname, publicValue, isPerm, isPrivate,
key_type, usage, usageCount, wincx);
if (privKey) {
- if (privk) {
- *privk = privKey;
- } else {
- SECKEY_DestroyPrivateKey(privKey);
- }
- privKey = NULL;
rv = SECSuccess;
goto done;
}
/* if we are unable to import the key and the pbeMechType is
* CKM_NETSCAPE_PBE_SHA1_TRIPLE_DES_CBC, then it is possible that
* the encrypted blob was created with a buggy key generation method
* which is described in the PKCS 12 implementation notes. So we
@@ -1832,16 +1906,35 @@ try_faulty_3des:
faulty3DES = PR_TRUE;
goto try_faulty_3des;
}
/* key import really did fail */
rv = SECFailure;
done:
+ if ((rv == SECSuccess) && isPerm) {
+ /* If we are importing a token object,
+ * create the corresponding public key.
+ * If this fails, just continue as the target
+ * token simply might not support persistant
+ * public keys. Such tokens are usable, but
+ * need to be authenticated before searching
+ * for user certs. */
+ (void)SECKEY_SetPublicValue(privKey, publicValue);
+ }
+
+ if (privKey) {
+ if (privk) {
+ *privk = privKey;
+ } else {
+ SECKEY_DestroyPrivateKey(privKey);
+ }
+ privKey = NULL;
+ }
if (crypto_param != NULL) {
SECITEM_ZfreeItem(crypto_param, PR_TRUE);
}
if (key != NULL) {
PK11_FreeSymKey(key);
}
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -1810,29 +1810,36 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
* Some curves are always pressumed to be non-DER.
*/
if (pubKey->u.ec.publicValue.len == keyLen &&
(pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
break; /* key was not DER encoded, no need to unwrap */
}
- PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519);
+ /* The PKCS #11 spec says that the Params should be DER encoded. Even though the params from the
+ * Certificate aren't according the the ECCurve 25519 spec. We should accept this encoding.
+ PORT_Assert(pubKey->u.ec.ecParams.name != ECCurve25519); */
/* handle the encoded case */
if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&
pubKey->u.ec.publicValue.len > keyLen) {
SECItem publicValue;
SECStatus rv;
rv = SEC_QuickDERDecodeItem(arena, &publicValue,
SEC_ASN1_GET(SEC_OctetStringTemplate),
&pubKey->u.ec.publicValue);
/* nope, didn't decode correctly */
- if ((rv != SECSuccess) || (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) || (publicValue.len != keyLen)) {
+ if ((rv != SECSuccess) || (publicValue.len != keyLen)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ break;
+ }
+ /* we don't handle compressed points except in the case of ECCurve25519 */
+ if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
/* replace our previous with the decoded key */
pubKey->u.ec.publicValue = publicValue;
break;
}
crv = CKR_ATTRIBUTE_VALUE_INVALID;
diff --git a/nss.gyp b/nss.gyp
--- a/nss.gyp
+++ b/nss.gyp
@@ -159,16 +159,17 @@
'cmd/oidcalc/oidcalc.gyp:oidcalc',
'cmd/p7content/p7content.gyp:p7content',
'cmd/p7env/p7env.gyp:p7env',
'cmd/p7sign/p7sign.gyp:p7sign',
'cmd/p7verify/p7verify.gyp:p7verify',
'cmd/pk11ectest/pk11ectest.gyp:pk11ectest',
'cmd/pk11gcmtest/pk11gcmtest.gyp:pk11gcmtest',
'cmd/pk11mode/pk11mode.gyp:pk11mode',
+ 'cmd/pk11import/pk11import.gyp:pk11import',
'cmd/pk1sign/pk1sign.gyp:pk1sign',
'cmd/pp/pp.gyp:pp',
'cmd/rsaperf/rsaperf.gyp:rsaperf',
'cmd/rsapoptst/rsapoptst.gyp:rsapoptst',
'cmd/sdrtest/sdrtest.gyp:sdrtest',
'cmd/selfserv/selfserv.gyp:selfserv',
'cmd/shlibsign/mangle/mangle.gyp:mangle',
'cmd/strsclnt/strsclnt.gyp:strsclnt',
diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh
--- a/tests/dbtests/dbtests.sh
+++ b/tests/dbtests/dbtests.sh
@@ -247,16 +247,35 @@ dbtest_main()
# the old one should still be there...
${BINDIR}/certutil -L -n bob -d ${CONFLICT_DIR}
ret=$?
if [ $ret -ne 0 ]; then
html_failed "Nicknane conflict test-setting nickname conflict incorrectly worked"
else
html_passed "Nicknane conflict test-setting nickname conflict was correctly rejected"
fi
-
+ # import a token private key and make sure the corresponding public key is
+ # created
+ ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ echo ${BINDIR}/pk11import -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Importing Token Private Key does not create the corrresponding Public Key"
+ else
+ html_passed "Importing Token Private Key correctly creates the corrresponding Public Key"
+ fi
+ # import a token private key and make sure the corresponding public key is
+ # created
+ ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ echo ${BINDIR}/pk11import -r -D -h -C Curve25519 -d ${CONFLICT_DIR} -f ${R_PWFILE}
+ ret=$?
+ if [ $ret -ne 0 ]; then
+ html_failed "Importing ECC Curve 25519 Token Private Key does not create the corrresponding Public Key"
+ else
+ html_passed "Importing ECC Curve 25519 Token Private Key correctly creates the corrresponding Public Key"
+ fi
}
################## main #################################################
dbtest_init
dbtest_main 2>&1
dbtest_cleanup

1114
SOURCES/nss-3.44-cmac.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,21 @@
# HG changeset patch
# User Craig Disselkoen <cdisselk@cs.ucsd.edu>
# Date 1574189697 25200
# Tue Nov 19 11:54:57 2019 -0700
# Branch NSS_3_44_BRANCH
# Node ID 60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec
# Parent 64e55c9f658e2a75f0835d00a8a1cdc2f25c74d6
Bug 1586176 - EncryptUpdate should use maxout not block size. r=franziskus
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -1321,7 +1321,7 @@ NSC_EncryptUpdate(CK_SESSION_HANDLE hSes
}
/* encrypt the current padded data */
rv = (*context->update)(context->cipherInfo, pEncryptedPart,
- &padoutlen, context->blockSize, context->padBuf,
+ &padoutlen, maxout, context->padBuf,
context->blockSize);
if (rv != SECSuccess) {
return sftk_MapCryptError(PORT_GetError());

View File

@ -0,0 +1,39 @@
diff -up ./lib/softoken/kbkdf.c.coverity ./lib/softoken/kbkdf.c
--- ./lib/softoken/kbkdf.c.coverity 2019-12-03 15:33:43.047732312 -0800
+++ ./lib/softoken/kbkdf.c 2019-12-03 15:39:40.982578357 -0800
@@ -534,6 +534,10 @@ CK_RV kbkdf_CreateKey(CK_SESSION_HANDLE
PR_ASSERT(derived_key != NULL);
PR_ASSERT(derived_key->phKey != NULL);
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
/* Create the new key object for this additional derived key. */
key = sftk_NewObject(slot);
if (key == NULL) {
@@ -589,7 +593,9 @@ done:
sftk_FreeObject(key);
/* Doesn't do anything. */
- sftk_FreeSession(session);
+ if (session) {
+ sftk_FreeSession(session);
+ }
return ret;
}
diff -up ./lib/softoken/sftkhmac.c.coverity ./lib/softoken/sftkhmac.c
--- ./lib/softoken/sftkhmac.c.coverity 2019-12-03 15:40:06.108848341 -0800
+++ ./lib/softoken/sftkhmac.c 2019-12-03 15:41:04.919480267 -0800
@@ -232,7 +232,9 @@ sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHA
keyval->attrib.ulValueLen, isFIPS);
done:
- sftk_FreeAttribute(keyval);
+ if (keyval) {
+ sftk_FreeAttribute(keyval);
+ }
return ret;
}

View File

@ -0,0 +1,62 @@
diff -up ./lib/softoken/kbkdf.c.kdf_update ./lib/softoken/kbkdf.c
--- ./lib/softoken/kbkdf.c.kdf_update 2019-11-27 16:48:01.864135431 -0800
+++ ./lib/softoken/kbkdf.c 2019-11-27 16:48:51.779661708 -0800
@@ -160,6 +160,9 @@ static CK_RV kbkdf_ValidateParameter(CK_
/* There is no additional data to validate for byte arrays; we can
* only assume the context is of the correct size. */
break;
+ default:
+ /* don't allow unknown types */
+ return CKR_MECHANISM_PARAM_INVALID;
}
return CKR_OK;
@@ -250,14 +253,16 @@ static CK_RV kbkdf_ValidateParameters(CK
return CKR_MECHANISM_PARAM_INVALID;
}
- /* Count that we have a parameter of this type. */
- param_type_count[params->pDataParams[offset].type] += 1;
-
/* Validate this parameter has acceptable values. */
ret = kbkdf_ValidateParameter(mech, params->pDataParams + offset);
if (ret != CKR_OK) {
- return CKR_MECHANISM_PARAM_INVALID;
+ return ret;
}
+ /* Count that we have a parameter of this type. */
+ /* Do this after we've validated the param to make sure we don't
+ * overflow our array */
+ PORT_Assert(params->pDataParams[offset].type < sizeof(param_type_count)/sizeof(param_type_count[0]));
+ param_type_count[params->pDataParams[offset].type] += 1;
}
if (mech == CKM_SP800_108_COUNTER_KDF || mech == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA) {
@@ -306,18 +311,20 @@ static CK_RV kbkdf_ValidateParameters(CK
/* [ section: parameter helpers ] */
static void kbkdf_EncodeInteger(uint64_t integer, CK_ULONG num_bits, CK_BBOOL littleEndian, CK_BYTE_PTR output, CK_ULONG_PTR output_len) {
- uint64_t reordered;
+ CK_ULONG num_bytes = num_bits/8;
+ CK_ULONG i;
if (output_len) {
- *output_len = (num_bits / 8);
+ *output_len = num_bytes;
}
if (littleEndian == CK_TRUE) {
- reordered = htole64(integer);
- memcpy(output, &reordered, num_bits/8);
+ for (i=0; i < num_bytes; i++) {
+ output[i] = (integer >> i*8) & 0xff;
+ }
} else {
- reordered = htobe64(integer);
- reordered = reordered >> (64 - num_bits);
- memcpy(output, &reordered, (num_bits/8));
+ for (i=num_bytes; i > 0; i--) {
+ output[num_bytes-i] = (integer >> (i-1)*8) & 0xff;
+ }
}
}

74471
SOURCES/nss-3.44-kbkdf.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,560 @@
diff -up ./gtests/pk11_gtest/manifest.mn.missing_kdf ./gtests/pk11_gtest/manifest.mn
--- ./gtests/pk11_gtest/manifest.mn.missing_kdf 2019-08-08 10:22:53.072100034 -0700
+++ ./gtests/pk11_gtest/manifest.mn 2019-08-08 10:23:33.424061237 -0700
@@ -14,6 +14,7 @@ CPPSRCS = \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \
pk11_import_unittest.cc \
+ pk11_kdf_unittest.cc \
pk11_pbkdf2_unittest.cc \
pk11_prf_unittest.cc \
pk11_prng_unittest.cc \
diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf ./gtests/pk11_gtest/pk11_gtest.gyp
--- ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf 2019-08-08 10:23:13.298080588 -0700
+++ ./gtests/pk11_gtest/pk11_gtest.gyp 2019-08-08 10:23:49.728045561 -0700
@@ -19,6 +19,7 @@
'pk11_ecdsa_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_import_unittest.cc',
+ 'pk11_kdf_unittest.cc',
'pk11_pbkdf2_unittest.cc',
'pk11_prf_unittest.cc',
'pk11_prng_unittest.cc',
diff -up ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf ./gtests/pk11_gtest/pk11_kdf_unittest.cc
--- ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf 2019-08-07 14:23:28.657960569 -0700
+++ ./gtests/pk11_gtest/pk11_kdf_unittest.cc 2019-08-08 10:22:38.015114511 -0700
@@ -0,0 +1,509 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "nss.h"
+#include "pk11pub.h"
+
+#include "cpputil.h"
+
+#include "gtest/gtest.h"
+
+namespace nss_test {
+
+const size_t kGxySize = 256;
+const size_t kSeedSize = 8;
+const size_t kKeySize = 64;
+const size_t kLongKeySize = 1056;
+const size_t kAesXcbcLen = 16;
+const size_t kSha1Len = 20;
+const size_t kSha224Len = 28;
+const size_t kSha256Len = 32;
+const size_t kSha384Len = 48;
+const size_t kSha512Len = 64;
+
+// This is not the right size for anything
+const size_t kIncorrectSize = 17;
+
+const uint8_t kGxyData[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+ 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+ 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53,
+ 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x21, 0x22, 0x23,
+ 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
+ 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+ 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
+ 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
+ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
+ 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
+ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
+ 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+ 0xfc, 0xfd, 0xfe, 0xff};
+
+const uint8_t kKeyData[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
+ 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
+ 0x3c, 0x3d, 0x3e, 0x3f};
+
+const uint8_t kSeed[] = {
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
+ 0xfc, 0xfd, 0xfe, 0xff, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
+ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xd0, 0xd1, 0xd2, 0xd3};
+
+const uint8_t kExpectedOutputIkeSha256[] = {
+ 0xd3, 0x9d, 0xb2, 0x77, 0x4b, 0x7f, 0xea, 0x81, 0xfc, 0xe5, 0x22, 0xb7,
+ 0xdf, 0xa5, 0x65, 0x15, 0xc9, 0x8f, 0x89, 0x45, 0xda, 0xd9, 0x5d, 0x12,
+ 0xbb, 0x52, 0xb6, 0x3b, 0xf4, 0x4d, 0xaf, 0x16};
+
+const uint8_t kExpectedOutputIke1Sha256[] = {
+ 0x25, 0x45, 0x68, 0xd2, 0x98, 0x96, 0xa3, 0xda, 0x89, 0x76, 0x06, 0x01,
+ 0xd0, 0xce, 0xf8, 0x05, 0x26, 0x3f, 0xaf, 0x95, 0x92, 0x48, 0x02, 0x0e,
+ 0x39, 0x75, 0x94, 0x00, 0x22, 0xd8, 0x5a, 0x50};
+
+const uint8_t kExpectedOutputIkePlusSha256[] = {
+ 0x03, 0x1e, 0xe7, 0x13, 0x6e, 0x58, 0x11, 0xc4, 0x81, 0x56, 0x42, 0x3c,
+ 0x3c, 0xaa, 0xdb, 0xad, 0x8a, 0x84, 0xdc, 0xa3, 0x0f, 0xe7, 0x67, 0x55,
+ 0x9c, 0x9f, 0xb8, 0x57, 0xa9, 0x5b, 0x41, 0x53, 0x86, 0xe0, 0xb3, 0x21,
+ 0x08, 0x1b, 0x38, 0x24, 0xce, 0xef, 0x7c, 0x89, 0x0d, 0xa7, 0xae, 0x14,
+ 0x58, 0xbd, 0x79, 0x9c, 0x32, 0x25, 0x7f, 0x3e, 0xbd, 0xe1, 0xfb, 0x3a,
+ 0x38, 0x51, 0x05, 0xaa, 0xc8, 0x37, 0x3e, 0x4e, 0x9b, 0x70, 0xb8, 0xe2,
+ 0x21, 0xe7, 0x12, 0xb3, 0xf7, 0x64, 0x21, 0x9d, 0x52, 0x38, 0x41, 0xfb,
+ 0x54, 0xaf, 0x59, 0xc3, 0xab, 0xf3, 0x7f, 0x64, 0xee, 0x17, 0xf5, 0xa8,
+ 0x2b, 0xdf, 0x2d, 0xd3, 0x29, 0x0e, 0x4f, 0x31, 0x54, 0x25, 0x4e, 0x65,
+ 0x52, 0xdf, 0x66, 0xfd, 0x49, 0x85, 0x1f, 0x87, 0x71, 0xa1, 0x5c, 0xfa,
+ 0x99, 0xf5, 0x21, 0x9a, 0xbc, 0x55, 0x5b, 0x1c, 0x19, 0xd9, 0x4b, 0x42,
+ 0xc5, 0xa0, 0xed, 0x1a, 0x1e, 0xf0, 0x04, 0x52, 0xb3, 0xd0, 0x0f, 0x48,
+ 0x45, 0x00, 0xdc, 0x94, 0xae, 0xd8, 0x70, 0x2e, 0xdd, 0x12, 0xe1, 0x66,
+ 0x72, 0xc2, 0x39, 0xd2, 0xc6, 0xfa, 0xdd, 0x8c, 0x11, 0x9c, 0x9d, 0x60,
+ 0xd1, 0x08, 0x79, 0x62, 0xbb, 0x97, 0x45, 0x38, 0x2d, 0x83, 0x9c, 0x2e,
+ 0x8f, 0x88, 0xa3, 0xad, 0x5b, 0x8e, 0x4e, 0x0e, 0xdb, 0xee, 0xaf, 0x1d,
+ 0xf6, 0xe7, 0x7e, 0x28, 0xc5, 0xcf, 0x0c, 0xd9, 0xee, 0xde, 0xc8, 0x87,
+ 0x00, 0xfe, 0x02, 0xd8, 0x30, 0xa6, 0x68, 0xec, 0x51, 0x22, 0xac, 0x4c,
+ 0x38, 0x0f, 0xbb, 0x5c, 0xcb, 0xd5, 0x93, 0xda, 0xea, 0xd0, 0x1b, 0x41,
+ 0x85, 0x8d, 0x12, 0x56, 0xbb, 0x90, 0x62, 0xc9, 0x91, 0x62, 0xf8, 0x29,
+ 0x9a, 0x4f, 0xd8, 0x5e, 0x7d, 0x1f, 0x69, 0xe8, 0x23, 0x53, 0x26, 0x98,
+ 0x98, 0x88, 0xfa, 0x14, 0xdc, 0xa3, 0x0f, 0xc7, 0x58, 0xb2, 0x6d, 0xa5,
+ 0x34, 0x53, 0xb5, 0xc3, 0xcc, 0xbb, 0xd7, 0xd4, 0x80, 0xf3, 0x8c, 0x79,
+ 0xd2, 0xac, 0x12, 0xa5, 0xf9, 0x99, 0xe7, 0x1b, 0x46, 0x16, 0x02, 0x6a,
+ 0xa3, 0xc5, 0x20, 0xb5, 0x5a, 0x55, 0xbd, 0xac, 0x70, 0xf1, 0x5b, 0xe4,
+ 0x45, 0x12, 0x7e, 0xcf, 0x12, 0xbf, 0x53, 0x7e, 0x3d, 0xbe, 0x53, 0x77,
+ 0xc4, 0x2c, 0x17, 0x5f, 0xe5, 0xb9, 0x73, 0x01, 0x5d, 0x9b, 0x34, 0x3c,
+ 0x45, 0xf0, 0xa4, 0x91, 0xaf, 0x34, 0xa2, 0xd6, 0x0a, 0x14, 0x98, 0x2c,
+ 0x91, 0xd5, 0x8f, 0x12, 0xde, 0x7c, 0x61, 0xd8, 0x42, 0x07, 0x42, 0x1a,
+ 0x01, 0x2b, 0xf6, 0x54, 0xd1, 0xde, 0x6d, 0x9c, 0x8b, 0x51, 0x81, 0x3e,
+ 0x01, 0xd1, 0xfb, 0x5a, 0xcd, 0xf0, 0xeb, 0xcc, 0x03, 0xe2, 0xc1, 0x31,
+ 0x92, 0x11, 0x88, 0x1f, 0xec, 0x81, 0x07, 0x78, 0x89, 0x89, 0x29, 0x19,
+ 0x3f, 0x75, 0x01, 0x0e, 0x73, 0xbc, 0x1e, 0x76, 0x23, 0x80, 0x36, 0xaa,
+ 0x2a, 0xd0, 0x77, 0x57, 0x6a, 0xea, 0xe2, 0xdb, 0xed, 0x17, 0x79, 0x3d,
+ 0x8b, 0x8a, 0xbe, 0x32, 0x90, 0x2e, 0x1c, 0x00, 0xc2, 0x27, 0xb5, 0x64,
+ 0x7c, 0xc3, 0xca, 0xb8, 0xaf, 0xcb, 0x17, 0x29, 0xec, 0x00, 0x5b, 0x83,
+ 0x9f, 0xfe, 0x8b, 0xb6, 0x6f, 0x01, 0x23, 0x6b, 0xb3, 0xaa, 0x34, 0x3f,
+ 0x5c, 0x66, 0x7c, 0xec, 0x15, 0x5a, 0xa9, 0x3c, 0xe2, 0xef, 0xcb, 0xe5,
+ 0x79, 0xfa, 0xf2, 0x7c, 0x4e, 0x0f, 0x70, 0x41, 0xa4, 0x09, 0x07, 0x30,
+ 0xbd, 0x28, 0x3f, 0x30, 0xd3, 0xc2, 0xbd, 0x06, 0x5e, 0x21, 0xbd, 0x20,
+ 0xae, 0xa4, 0xa9, 0x7d, 0x91, 0xe8, 0x9d, 0x0a, 0x81, 0x02, 0xf7, 0xd6,
+ 0x7c, 0x1f, 0xb6, 0xa5, 0x40, 0xb6, 0x25, 0xac, 0xce, 0x77, 0x20, 0xfa,
+ 0x71, 0x79, 0x21, 0x94, 0xcd, 0x63, 0xcf, 0x62, 0xd4, 0xda, 0xc6, 0xe8,
+ 0x3c, 0xdb, 0x86, 0x1e, 0x8d, 0x2d, 0x12, 0xf6, 0xea, 0xb0, 0xed, 0xf8,
+ 0xfa, 0xc6, 0x37, 0xee, 0xca, 0x11, 0x1a, 0xac, 0x95, 0xf6, 0xe3, 0x02,
+ 0x97, 0xba, 0xb2, 0xb2, 0x02, 0x82, 0xbe, 0x32, 0xa3, 0xe8, 0xf4, 0xae,
+ 0x4e, 0xaf, 0x47, 0xb9, 0xe7, 0x91, 0x18, 0x90, 0xd8, 0xcb, 0x59, 0xed,
+ 0xc2, 0x47, 0x6d, 0xe1, 0x9d, 0x74, 0xe6, 0xc7, 0xc0, 0xdc, 0x82, 0x5b,
+ 0x6a, 0x7d, 0x1c, 0x58, 0xc8, 0x3d, 0x7d, 0xed, 0xdd, 0x60, 0x91, 0x9e,
+ 0x68, 0x6e, 0x56, 0x33, 0x8b, 0xca, 0x35, 0xf8, 0x96, 0x67, 0x22, 0x3a,
+ 0xb9, 0x02, 0xe9, 0x7c, 0xb1, 0xca, 0x25, 0xc2, 0xc8, 0xc7, 0xd8, 0x71,
+ 0xfa, 0xfa, 0x76, 0xeb, 0x1d, 0x52, 0x75, 0xc6, 0x56, 0xf3, 0x1a, 0xd3,
+ 0xda, 0xe4, 0x49, 0x7b, 0xd0, 0x77, 0x72, 0x06, 0xe7, 0xb9, 0xd9, 0x06,
+ 0x87, 0x43, 0x6a, 0x52, 0xee, 0x3a, 0x71, 0x6e, 0x51, 0x8d, 0x55, 0x7a,
+ 0xb1, 0x62, 0x75, 0xac, 0xa9, 0x89, 0x77, 0x93, 0x40, 0xef, 0x66, 0x44,
+ 0x08, 0x49, 0xbb, 0xdb, 0x85, 0x0b, 0xd3, 0xfa, 0x37, 0x27, 0x41, 0xd1,
+ 0x57, 0xc3, 0x95, 0xaa, 0x85, 0x5a, 0x43, 0x74, 0x39, 0x72, 0x08, 0xdf,
+ 0x58, 0xe1, 0xf7, 0x95, 0x6c, 0xc1, 0xb1, 0x9b, 0x21, 0x53, 0xc1, 0xf9,
+ 0xcc, 0x74, 0xf9, 0x62, 0xa4, 0xa0, 0x34, 0x22, 0xaa, 0x84, 0x78, 0x49,
+ 0x50, 0xa9, 0x8e, 0x7b, 0xfa, 0xaa, 0xc2, 0xe8, 0xae, 0x34, 0x3d, 0xa7,
+ 0xe1, 0x5a, 0x14, 0xa6, 0xd7, 0x6c, 0x67, 0xc7, 0x5e, 0xda, 0x79, 0x36,
+ 0x57, 0x85, 0x5e, 0x09, 0xa2, 0x1f, 0x96, 0x5a, 0x71, 0xc2, 0xfe, 0x57,
+ 0x5c, 0x4c, 0xe8, 0xbf, 0x9b, 0x5c, 0xd7, 0x06, 0x09, 0xb5, 0x63, 0x93,
+ 0x7e, 0xee, 0x65, 0xef, 0x88, 0xe1, 0x60, 0x3e, 0x50, 0x84, 0x39, 0xb9,
+ 0xae, 0xab, 0xad, 0xee, 0x31, 0x04, 0x7f, 0xed, 0x78, 0x35, 0xc0, 0x14,
+ 0xa6, 0xc3, 0xeb, 0x3c, 0xd7, 0xc3, 0xb3, 0x6b, 0x58, 0x63, 0x7e, 0xa8,
+ 0xc9, 0xb9, 0x23, 0xd3, 0xe5, 0xe7, 0xcc, 0x84, 0x63, 0xc8, 0xbd, 0x31,
+ 0x9f, 0x02, 0x4e, 0x74, 0x98, 0xba, 0x8a, 0x0c, 0x80, 0xab, 0x10, 0xc4,
+ 0xb2, 0x61, 0xad, 0x3d, 0x93, 0x9d, 0xdc, 0x76, 0xe5, 0x0e, 0x2e, 0x4b,
+ 0x81, 0x3b, 0x1f, 0xd3, 0x54, 0xc0, 0x2a, 0xde, 0x0e, 0x1d, 0x59, 0x31,
+ 0x5c, 0x28, 0xf8, 0x75, 0xfc, 0x71, 0x2e, 0xc1, 0x85, 0x90, 0x23, 0xfd,
+ 0x2e, 0x8b, 0xb9, 0x52, 0x1a, 0xdf, 0x61, 0x54, 0x9b, 0x43, 0xa6, 0x8d,
+ 0x5f, 0xd0, 0x52, 0x0b, 0x66, 0xbc, 0xf5, 0x1a, 0xce, 0x58, 0xef, 0xb3,
+ 0x1d, 0x8d, 0x4b, 0x1b, 0xf3, 0x8e, 0xe6, 0x68, 0xc3, 0xd5, 0x95, 0x42,
+ 0xf5, 0xb0, 0x73, 0x2c, 0x31, 0x71, 0x20, 0xf5, 0xdc, 0xbf, 0x56, 0x72,
+ 0x53, 0xf9, 0xfe, 0xfa, 0x19, 0xdc, 0x46, 0xd1, 0x2b, 0xe3, 0xdb, 0x50,
+ 0xec, 0x14, 0xee, 0x70, 0xcc, 0xe6, 0x11, 0x75, 0xb4, 0x63, 0xfc, 0xd1,
+ 0x8f, 0x54, 0xfa, 0xcc, 0x99, 0xcc, 0xb8, 0x61, 0xa7, 0x33, 0x18, 0xa2,
+ 0x17, 0xee, 0xb1, 0x82, 0x3d, 0x6a, 0x8d, 0x63, 0xe0, 0x15, 0x1b, 0x5c,
+ 0x20, 0x53, 0x33, 0xa7, 0x85, 0x17, 0x81, 0xba, 0x18, 0x2a, 0x73, 0x00,
+ 0x1e, 0x3e, 0x2c, 0xb5, 0x5f, 0x4e, 0x82, 0xa8, 0x09, 0xa0, 0x22, 0xdc,
+ 0xc4, 0x76, 0x7c, 0x66, 0xf4, 0x78, 0xa1, 0x0a, 0xf7, 0x39, 0x06, 0x0a,
+ 0xd7, 0x43, 0x72, 0x12, 0x3b, 0x8e, 0x7e, 0x62, 0x4f, 0x5a, 0x03, 0xe5,
+ 0x22, 0x97, 0xdc, 0xbb, 0xaa, 0xa2, 0xc0, 0x03, 0x8e, 0x60, 0xd1, 0x61,
+ 0xc7, 0xef, 0x0f, 0x54, 0x43, 0x4e, 0x38, 0xda, 0xb6, 0xe2, 0x5b, 0x0e,
+ 0x45, 0xae, 0x39, 0x86, 0x85, 0x25, 0x30, 0xb1, 0x9d, 0xda, 0xdb, 0x70,
+ 0xa7, 0xe5, 0x77, 0xb8, 0x47, 0xaa, 0xe7, 0x3e, 0xe8, 0x5a, 0x96, 0xc6,
+ 0x0a, 0x0b, 0x07, 0x8d, 0x6d, 0xeb, 0x80, 0x0c, 0xd9, 0x80, 0x2d, 0x4d};
+
+const uint8_t kExpectedOutputIkeAppBSha256[] = {
+ 0xe7, 0x11, 0x54, 0x6e, 0x3f, 0xaa, 0xd4, 0xc7, 0xc4, 0xaa, 0x75, 0x6b,
+ 0xc2, 0x6c, 0xad, 0x6a, 0xbe, 0xa8, 0x24, 0x19, 0x84, 0xa0, 0xf6, 0xb0,
+ 0x83, 0x9c, 0x70, 0xca, 0x61, 0xc4, 0xef, 0x88, 0xd7, 0xd5, 0xb7, 0x2e,
+ 0x45, 0x32, 0xe1, 0x1d, 0x12, 0x38, 0xfb, 0xcb, 0x08, 0x54, 0xc7, 0xdb,
+ 0xc4, 0x80, 0x2d, 0xd4, 0xf3, 0xbf, 0x51, 0x80, 0xf3, 0xa6, 0xdf, 0x77,
+ 0x51, 0x61, 0xd8, 0xdb, 0x98, 0x2c, 0xc2, 0xe6, 0x72, 0x36, 0x90, 0xf9,
+ 0xd2, 0x2a, 0x6d, 0x6c, 0xeb, 0x10, 0x3f, 0xa0, 0xa3, 0xff, 0xe4, 0x8b,
+ 0x5a, 0x4a, 0x1b, 0xec, 0xb0, 0x48, 0xb0, 0xed, 0x16, 0x8a, 0x89, 0x31,
+ 0x96, 0x5e, 0xa9, 0x11, 0x1f, 0x28, 0x68, 0x07, 0xf1, 0xa3, 0x2b, 0x01,
+ 0x4f, 0x0b, 0x73, 0x78, 0x3b, 0xca, 0x4f, 0x8f, 0x34, 0xc0, 0x21, 0x14,
+ 0xe3, 0xdf, 0xa1, 0xf7, 0x05, 0x63, 0xcb, 0x74, 0x7a, 0x90, 0x59, 0x19,
+ 0xc9, 0xa9, 0x47, 0xcf, 0xe7, 0xbe, 0x04, 0xa7, 0x0c, 0x32, 0xdd, 0x34,
+ 0x07, 0x8f, 0x4f, 0xb5, 0x75, 0xfb, 0xb9, 0x06, 0xd2, 0x55, 0x08, 0xce,
+ 0x0a, 0x47, 0xc2, 0x64, 0x5f, 0xd5, 0xab, 0x55, 0x2a, 0x1a, 0x7e, 0xbd,
+ 0xd5, 0x6d, 0x43, 0x89, 0x3c, 0x53, 0xde, 0x01, 0xfe, 0x19, 0x19, 0xc3,
+ 0xaf, 0xa0, 0x64, 0x2d, 0x7e, 0xe1, 0x7e, 0x31, 0x61, 0xf9, 0xe6, 0x4f,
+ 0x56, 0xc3, 0xc9, 0x7e, 0x92, 0xd7, 0x88, 0x58, 0x1a, 0x7f, 0x3c, 0x3e,
+ 0xae, 0x3f, 0x86, 0xec, 0xb2, 0xaa, 0x8b, 0xaf, 0x22, 0x49, 0xa5, 0x3d,
+ 0xc2, 0xb1, 0x94, 0x0f, 0x5b, 0x08, 0x49, 0xac, 0x23, 0xa4, 0x79, 0x33,
+ 0xde, 0xfb, 0x8b, 0xd3, 0xe6, 0x6c, 0x83, 0xce, 0x01, 0xc7, 0xb4, 0x23,
+ 0x5c, 0x6d, 0x81, 0xda, 0x70, 0x71, 0x43, 0x9c, 0x94, 0x6a, 0x9e, 0x03,
+ 0x6d, 0xc3, 0x71, 0x69, 0x53, 0x83, 0x89, 0x08, 0x1b, 0x2b, 0x4b, 0xa8,
+ 0x4a, 0x2a, 0xdf, 0x26, 0xaf, 0xc3, 0x8e, 0x59, 0x15, 0xa7, 0x24, 0x8f,
+ 0x3c, 0xad, 0x08, 0xf2, 0x12, 0xe1, 0x42, 0x41, 0x0c, 0xcb, 0x3e, 0xf4,
+ 0x71, 0xab, 0xb1, 0x16, 0x2c, 0xb7, 0xe1, 0x3f, 0x94, 0x03, 0x01, 0x78,
+ 0xd7, 0x84, 0x1d, 0x63, 0x03, 0xfe, 0x4b, 0x3f, 0x40, 0xce, 0x30, 0x75,
+ 0x10, 0xd1, 0xa4, 0xd3, 0x3c, 0x68, 0x9b, 0xc0, 0x6b, 0xdc, 0xe1, 0xda,
+ 0x06, 0x41, 0x71, 0x20, 0x88, 0x82, 0x60, 0x2e, 0x48, 0x93, 0x78, 0x30,
+ 0xb4, 0xb9, 0xe3, 0x88, 0x79, 0xf7, 0x0d, 0x0b, 0xa4, 0xae, 0x2e, 0x7b,
+ 0x00, 0x82, 0x49, 0xbf, 0xe8, 0x07, 0xb4, 0x51, 0xd9, 0xa0, 0xf7, 0x8f,
+ 0xe6, 0x24, 0x17, 0xd0, 0xa5, 0x58, 0xcc, 0x37, 0xf2, 0x86, 0x6e, 0xc2,
+ 0xf0, 0xf0, 0x87, 0x64, 0xfa, 0x6e, 0x94, 0x99, 0x1a, 0xbc, 0xd9, 0xea,
+ 0x48, 0x07, 0x38, 0x2e, 0x79, 0x61, 0x82, 0x69, 0x09, 0x6f, 0xbc, 0x8e,
+ 0x44, 0x38, 0x0e, 0xc9, 0x6f, 0xcd, 0xb7, 0x39, 0x92, 0x02, 0x27, 0x23,
+ 0x35, 0xcf, 0x4f, 0xf7, 0x52, 0x7b, 0x33, 0x93, 0xbd, 0x6c, 0x7c, 0xef,
+ 0x39, 0x4b, 0x1a, 0x9f, 0xdf, 0x8f, 0x5c, 0x5b, 0x7b, 0xdb, 0x6b, 0xfd,
+ 0x72, 0xe0, 0xb0, 0xc5, 0x97, 0x5b, 0x08, 0x6b, 0x17, 0x2f, 0x38, 0xd7,
+ 0xbe, 0xf8, 0xd7, 0x20, 0xf5, 0x33, 0x68, 0x69, 0x16, 0xe5, 0x08, 0x05,
+ 0x6c, 0x1b, 0xfa, 0xa8, 0x63, 0x55, 0xb4, 0x03, 0xb9, 0x89, 0xd7, 0x61,
+ 0xf3, 0x9a, 0xf6, 0x45, 0xb4, 0xb2, 0x16, 0x5d, 0xf3, 0x09, 0x7b, 0x09,
+ 0x09, 0x75, 0x0a, 0xbd, 0xdf, 0x7d, 0xe6, 0x1e, 0x07, 0xec, 0x7c, 0x14,
+ 0xac, 0x4b, 0x68, 0xa8, 0x44, 0x5f, 0x77, 0x36, 0xb8, 0x1d, 0x7c, 0x73,
+ 0x82, 0x80, 0xc2, 0x52, 0x55, 0x2c, 0x5d, 0xba, 0x53, 0x79, 0x45, 0xad,
+ 0x51, 0x98, 0xbb, 0x8a, 0xea, 0x4f, 0x19, 0x22, 0x22, 0x69, 0xd3, 0x3a,
+ 0x72, 0xd8, 0xe3, 0x37, 0xf4, 0x3b, 0xf3, 0xf1, 0x52, 0x48, 0x4d, 0xbf,
+ 0xa5, 0x7a, 0xef, 0x44, 0x53, 0x7b, 0x6e, 0x6c, 0xb7, 0x1a, 0xa8, 0x75,
+ 0xaf, 0xdb, 0x15, 0x05, 0x53, 0xc8, 0xb9, 0x9c, 0xea, 0x1a, 0xf7, 0x9d,
+ 0x9b, 0xb6, 0xa6, 0x5e, 0x0f, 0xf7, 0x49, 0x7e, 0xc9, 0x12, 0x38, 0x3d,
+ 0x78, 0xaf, 0x80, 0x3d, 0x76, 0x6d, 0x96, 0x4f, 0x06, 0xff, 0xdf, 0xc5,
+ 0x9c, 0x47, 0xbe, 0x3e, 0x3d, 0xc2, 0x2a, 0x41, 0x15, 0x7e, 0xbd, 0xab,
+ 0x12, 0x02, 0xfe, 0xa5, 0x4f, 0xb4, 0x1a, 0xf5, 0x6a, 0xed, 0xff, 0x50,
+ 0x5a, 0x56, 0x7b, 0x2f, 0xff, 0xff, 0x29, 0xb5, 0x77, 0xf4, 0x38, 0xb3,
+ 0x40, 0xd9, 0x17, 0x89, 0x43, 0x3f, 0x86, 0x29, 0x50, 0xce, 0x72, 0xde,
+ 0x55, 0x63, 0x06, 0x14, 0x50, 0xae, 0xc1, 0x49, 0x10, 0x55, 0x21, 0xeb,
+ 0x68, 0xe7, 0xfc, 0xc7, 0xf5, 0x92, 0xc5, 0xf2, 0xe2, 0xc9, 0xdb, 0x42,
+ 0x59, 0x44, 0x0e, 0xda, 0x23, 0x50, 0x62, 0xef, 0x6e, 0xae, 0x1c, 0x0e,
+ 0x93, 0x74, 0xa6, 0xdb, 0x4c, 0xc7, 0x4b, 0xa6, 0xe2, 0x3a, 0xe3, 0x03,
+ 0x22, 0xd1, 0xe4, 0x21, 0x13, 0x98, 0x6a, 0xeb, 0x43, 0xbf, 0xe6, 0x8a,
+ 0xfb, 0x28, 0x15, 0x47, 0x7e, 0xaa, 0x12, 0x60, 0x08, 0x23, 0xc6, 0x59,
+ 0xeb, 0xc1, 0x71, 0x18, 0x03, 0x16, 0x7f, 0x75, 0x5f, 0x65, 0x8a, 0x7f,
+ 0x1d, 0xae, 0x98, 0x94, 0xa4, 0xb1, 0xf5, 0xcc, 0x0a, 0x6f, 0x62, 0x79,
+ 0x27, 0x38, 0x32, 0x73, 0x90, 0xc8, 0x3f, 0x70, 0xf7, 0x44, 0xcf, 0xfd,
+ 0xc8, 0xfa, 0xcb, 0x3e, 0x73, 0x5f, 0x1d, 0xde, 0xb5, 0x73, 0x4d, 0x00,
+ 0x2a, 0xce, 0x77, 0x92, 0x17, 0x0f, 0xcf, 0xbf, 0x87, 0x78, 0xdc, 0xbc,
+ 0x83, 0xb3, 0x86, 0xd5, 0x32, 0xf5, 0x17, 0x73, 0xba, 0x90, 0xae, 0xc4,
+ 0x40, 0x25, 0x26, 0xde, 0x8c, 0x5e, 0xbb, 0x83, 0x0e, 0x27, 0xd5, 0x0a,
+ 0x4d, 0x89, 0xf0, 0xf3, 0x0f, 0xb5, 0x7d, 0xe3, 0x04, 0x6b, 0x5a, 0x59,
+ 0xf4, 0x0a, 0x23, 0xc9, 0xe9, 0xe5, 0x1c, 0x20, 0x43, 0xac, 0xe2, 0x61,
+ 0x10, 0x8d, 0x20, 0x83, 0xe7, 0x60, 0x28, 0x32, 0xd0, 0x15, 0x67, 0xf1,
+ 0xaf, 0xd4, 0xcb, 0x2a, 0xec, 0xc5, 0xe2, 0xe7, 0xa2, 0x57, 0x18, 0x3d,
+ 0x5e, 0xdd, 0x14, 0x88, 0x39, 0x59, 0x10, 0x9c, 0xa9, 0xf9, 0xd9, 0xb9,
+ 0xdd, 0x09, 0xb0, 0x2f, 0x5a, 0x30, 0x0f, 0xbf, 0x34, 0x8a, 0xf1, 0x62,
+ 0x40, 0x15, 0x4e, 0xe9, 0x69, 0x2f, 0x94, 0x87, 0x07, 0xf0, 0x01, 0xa2,
+ 0x8f, 0x11, 0xb9, 0x31, 0x4c, 0x2b, 0x7d, 0x7f, 0x6c, 0x04, 0xd6, 0x91,
+ 0x4d, 0x71, 0x6b, 0x8c, 0xa7, 0x47, 0xb1, 0x34, 0x34, 0x08, 0xda, 0x5b,
+ 0xcb, 0x82, 0xbb, 0x5b, 0x14, 0x27, 0x2a, 0x20, 0x25, 0xda, 0xbe, 0x1d,
+ 0x21, 0xa8, 0x68, 0x77, 0xf4, 0x17, 0xaf, 0x7f, 0x22, 0xda, 0xd4, 0xc6,
+ 0x38, 0x0c, 0xbe, 0xf1, 0xa5, 0x0b, 0x17, 0x83, 0x22, 0xb3, 0x5b, 0x12,
+ 0x1f, 0x0a, 0x18, 0x14, 0x46, 0xbf, 0x9b, 0xc0, 0x53, 0x7a, 0x83, 0x40,
+ 0xde, 0x1a, 0x9d, 0xf0, 0x3b, 0x66, 0x74, 0x01, 0xa1, 0xfc, 0x29, 0xde,
+ 0x08, 0x66, 0x85, 0x56, 0x2c, 0xc8, 0x30, 0xb7, 0x42, 0x1f, 0xa2, 0x32,
+ 0x28, 0xc4, 0xc5, 0xfe, 0xea, 0xb0, 0x4e, 0x81, 0x59, 0x74, 0x90, 0x93,
+ 0xb1, 0x1c, 0x5c, 0x4f, 0x54, 0x5e, 0xcc, 0xd7, 0x1d, 0x75, 0xd2, 0x3d,
+ 0x77, 0xff, 0x72, 0xa8, 0x74, 0x31, 0xec, 0x74, 0xe8, 0xcc, 0x69, 0xce,
+ 0xde, 0xe5, 0x05, 0x1e, 0xc2, 0x99, 0x90, 0x22, 0xe5, 0x10, 0xd4, 0xaf,
+ 0x52, 0xe3, 0x47, 0xf4, 0x38, 0xeb, 0xa3, 0xd2, 0x72, 0x64, 0xb2, 0xd3,
+ 0x0c, 0x0c, 0xaa, 0xae, 0x29, 0xb5, 0x38, 0xd4, 0x52, 0xfa, 0x96, 0x17,
+ 0x7a, 0x18, 0xe8, 0x89, 0xd2, 0xd5, 0xd9, 0xae, 0x5a, 0x0e, 0x25, 0x8d};
+
+class IkeKdfTest : public ::testing::Test {
+ public:
+ IkeKdfTest()
+ : params_({siBuffer, nullptr, 0}),
+ gxy_item_({siBuffer, toUcharPtr(kGxyData), kGxySize}),
+ skey_item_({siBuffer, toUcharPtr(kKeyData), kKeySize}),
+ key_mech_(0),
+ slot_(nullptr),
+ gxy_(nullptr),
+ skey_(nullptr),
+ okey_(nullptr) {}
+
+ ~IkeKdfTest() {
+ if (slot_) {
+ PK11_FreeSlot(slot_);
+ }
+ if (gxy_) {
+ PK11_FreeSymKey(gxy_);
+ }
+ ClearTempVars();
+ }
+
+ void ClearTempVars() {
+ if (skey_) {
+ PK11_FreeSymKey(skey_);
+ skey_ = nullptr;
+ }
+ if (okey_) {
+ PK11_FreeSymKey(okey_);
+ okey_ = nullptr;
+ }
+ }
+
+ void Init() {
+ params_.type = siBuffer;
+
+ gxy_item_.type = siBuffer;
+ gxy_item_.data =
+ const_cast<unsigned char*>(static_cast<const unsigned char*>(kGxyData));
+ gxy_item_.len = sizeof(kGxyData);
+ skey_item_.type = siBuffer;
+ skey_item_.data =
+ const_cast<unsigned char*>(static_cast<const unsigned char*>(kKeyData));
+
+ slot_ = PK11_GetInternalSlot();
+ ASSERT_NE(nullptr, slot_);
+ gxy_ = PK11_ImportSymKey(slot_, CKM_NSS_IKE_PRF_DERIVE, PK11_OriginUnwrap,
+ CKA_DERIVE, &gxy_item_, NULL);
+ ASSERT_NE(nullptr, gxy_);
+ }
+
+ void ComputeAndVerifyKey(CK_MECHANISM_TYPE derive_mech,
+ CK_MECHANISM_TYPE hash_mech, const uint8_t* expected) {
+ // Infer prf length from mechanism
+ int prf_len = 0;
+ std::string mac = "unknown";
+
+ switch (hash_mech) {
+ case CKM_AES_XCBC_MAC:
+ prf_len = kAesXcbcLen;
+ mac = "CKM_AES_XCBC_MAC";
+ break;
+ case CKM_SHA_1_HMAC:
+ prf_len = kSha1Len;
+ mac = "CKM_SHA_1_HMAC";
+ break;
+ case CKM_SHA224_HMAC:
+ prf_len = kSha224Len;
+ mac = "CKM_SHA224_HMAC";
+ break;
+ case CKM_SHA256_HMAC:
+ prf_len = kSha256Len;
+ mac = "CKM_SHA256_HMAC";
+ break;
+ case CKM_SHA384_HMAC:
+ prf_len = kSha384Len;
+ mac = "CKM_SHA384_HMAC";
+ break;
+ case CKM_SHA512_HMAC:
+ prf_len = kSha512Len;
+ mac = "CKM_SHA512_HMAC";
+ break;
+ default:
+ ASSERT_TRUE(false) << "Invalid PRF Mechanism";
+ }
+
+ Inner(derive_mech, hash_mech, mac, prf_len, expected);
+ }
+
+ // Set output == nullptr to test when errors occur
+ void Inner(CK_MECHANISM_TYPE derive_mech, CK_MECHANISM_TYPE hash_mech,
+ std::string mac, size_t prf_len, const uint8_t* expected) {
+ PRBool use_skey = PR_FALSE;
+ size_t output_len = 0;
+ PK11SymKey *derive_key = nullptr;
+ std::stringstream s;
+ s << "Derive:";
+ std::string msg;
+
+ ClearTempVars();
+
+ // Import the params
+ CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf;
+ CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf;
+ CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ikep_prf;
+ CK_MECHANISM_TYPE ike1_app_b;
+
+ switch (derive_mech) {
+ case CKM_NSS_IKE_PRF_DERIVE:
+ ike_prf.prfMechanism = hash_mech;
+ ike_prf.bDataAsKey = PR_TRUE;
+ ike_prf.bRekey = PR_FALSE;
+ ike_prf.pNi = toUcharPtr(kSeed);
+ ike_prf.ulNiLen = kSeedSize;
+ ike_prf.pNr = toUcharPtr(kSeed);
+ ike_prf.ulNrLen = kSeedSize;
+ ike_prf.hNewKey = CK_INVALID_HANDLE;
+ output_len = 0;
+ use_skey = PR_FALSE;
+ params_.data = reinterpret_cast<unsigned char*>(&ike_prf);
+ params_.len = sizeof(ike_prf);
+ s << "CKM_NSS_IKE_PRF_DERIVE";
+ break;
+ case CKM_NSS_IKE_PRF_PLUS_DERIVE:
+ ikep_prf.prfMechanism = hash_mech;
+ ikep_prf.bHasSeedKey = PR_FALSE;
+ ikep_prf.pSeedData= toUcharPtr(kSeed);
+ ikep_prf.ulSeedDataLen = kSeedSize*4;
+ output_len = kLongKeySize;
+ use_skey = PR_TRUE;
+ params_.data = reinterpret_cast<unsigned char*>(&ikep_prf);
+ params_.len = sizeof(ikep_prf);
+ s << "CKM_NSS_IKE_PRF_PLUS_DERIVE";
+ break;
+ case CKM_NSS_IKE1_PRF_DERIVE:
+ ike1_prf.prfMechanism = hash_mech;
+ ike1_prf.bHasPrevKey = PR_FALSE;
+ ike1_prf.hKeygxy = PK11_GetSymKeyHandle(gxy_);
+ ike1_prf.hPrevKey = CK_INVALID_HANDLE;
+ ike1_prf.pCKYi = toUcharPtr(kSeed);
+ ike1_prf.ulCKYiLen = kSeedSize;
+ ike1_prf.pCKYr = toUcharPtr(kSeed);
+ ike1_prf.ulCKYrLen = kSeedSize;
+ ike1_prf.keyNumber = 0;
+ output_len = prf_len;
+ use_skey = PR_TRUE;
+ params_.data = reinterpret_cast<unsigned char*>(&ike1_prf);
+ params_.len = sizeof(ike1_prf);
+ s << "CKM_NSS_IKE1_PRF_DERIVE";
+ break;
+ case CKM_NSS_IKE1_APP_B_PRF_DERIVE:
+ ike1_app_b = hash_mech;
+ output_len = kLongKeySize;
+ use_skey = PR_TRUE;
+ params_.data = reinterpret_cast<unsigned char*>(&ike1_app_b);
+ params_.len = sizeof(ike1_app_b);
+ s << "CKM_NSS_IKE1_APP_B_DERIVE";
+ break;
+ default:
+ ASSERT_TRUE(false) << "Invalid IKE DERIVE mechanism";
+ }
+
+ s << " Mac/Prf:" << mac;
+ msg = s.str();
+
+
+ // Import the PMS
+ derive_key = gxy_;
+ if (use_skey) {
+ skey_item_.len = prf_len;
+ skey_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
+ CKA_DERIVE, &skey_item_, NULL);
+ ASSERT_NE(nullptr, skey_) << msg;
+ derive_key = skey_;
+ }
+
+ // Compute the result key
+ okey_ = PK11_DeriveWithFlags(derive_key, derive_mech, &params_, key_mech_,
+ CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
+
+ // Verify the result has the expected value (null or otherwise)
+ int error = PORT_GetError();
+ s << " Error=" << error;
+ msg = s.str();
+ if (!expected) {
+ EXPECT_EQ(nullptr, okey_) << msg;
+ } else {
+ ASSERT_NE(nullptr, okey_) << msg;
+
+ SECStatus rv = PK11_ExtractKeyValue(okey_);
+ ASSERT_EQ(SECSuccess, rv) << "PK11_ExtractKeyValue";
+
+ SECItem* oData = PK11_GetKeyData(okey_);
+ ASSERT_NE(nullptr, oData) << "PK11_GetKeyData";
+
+ if (output_len == 0) {
+ output_len = prf_len;
+ }
+ s << "\n" << "output_len=" << output_len << " oData->len=" << oData->len << ".\n";
+ for (unsigned int i=0; i < oData->len; i++) {
+ if (i % 12 == 0) s << "\n ";
+ s << " 0x" << std::setfill('0')
+ << std::setw(2) << std::hex << (int) oData->data[i] << ",";
+ }
+ s << "};\n";
+ msg = s.str();
+ ASSERT_EQ(output_len, oData->len) << msg ;
+
+ EXPECT_EQ(0, memcmp(oData->data, expected, output_len)) << msg;
+ }
+ }
+
+ protected:
+ SECItem params_;
+ SECItem gxy_item_;
+ SECItem skey_item_;
+ CK_MECHANISM_TYPE key_mech_;
+ PK11SlotInfo* slot_;
+ PK11SymKey* gxy_;
+ PK11SymKey* skey_;
+ PK11SymKey* okey_;
+};
+
+//
+// The full range is tested with the FIPS vectors in the cavs tests.
+// just make sure the NSS Derive iterfaces are working for everything.
+//
+TEST_F(IkeKdfTest, IkePrfSha256) {
+ Init();
+ ComputeAndVerifyKey(CKM_NSS_IKE_PRF_DERIVE, CKM_SHA256_HMAC,
+ kExpectedOutputIkeSha256);
+}
+
+TEST_F(IkeKdfTest, Ike1PrfSha256) {
+ Init();
+ ComputeAndVerifyKey(CKM_NSS_IKE1_PRF_DERIVE, CKM_SHA256_HMAC,
+ kExpectedOutputIke1Sha256);
+}
+
+TEST_F(IkeKdfTest, IkePlusPrfSha256) {
+ Init();
+ ComputeAndVerifyKey(CKM_NSS_IKE_PRF_PLUS_DERIVE, CKM_SHA256_HMAC,
+ kExpectedOutputIkePlusSha256);
+}
+
+TEST_F(IkeKdfTest, Ike1AppBPrfSha256) {
+ Init();
+ ComputeAndVerifyKey(CKM_NSS_IKE1_APP_B_PRF_DERIVE, CKM_SHA256_HMAC,
+ kExpectedOutputIkeAppBSha256);
+}
+
+} // namespace nss_test
diff -up ./lib/softoken/pkcs11.c.missing_kdf ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.missing_kdf 2019-08-07 14:18:55.039435109 -0700
+++ ./lib/softoken/pkcs11.c 2019-08-08 10:28:12.449792962 -0700
@@ -516,7 +516,8 @@ static const struct mechanismList mechan
/* --------------------IPSEC ----------------------- */
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
};
static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
diff -up ./lib/softoken/sftkike.c.missing_kdf ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.missing_kdf 2019-08-08 10:24:27.872008887 -0700
+++ ./lib/softoken/sftkike.c 2019-08-08 10:27:34.416829530 -0700
@@ -744,7 +744,7 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
* key is inKey
*/
thisKey = outKeyData;
- for (genKeySize = 0; genKeySize <= keySize; genKeySize += macSize) {
+ for (genKeySize = 0; genKeySize < keySize; genKeySize += macSize) {
crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen);
if (crv != CKR_OK) {
goto fail;

View File

@ -0,0 +1,248 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1573203603 -3600
# Fri Nov 08 10:00:03 2019 +0100
# Node ID c08947c6af5789510641ad17373e2612361e4ec6
# Parent e766899c72a517976f5f4abfec2a56712841e411
Bug 1566131, check policy against hash algorithms used for ServerKeyExchange, r=mt
Summary: This adds necessary policy checks in `ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note that it currently doesn't check MD5 as it still needs to be allowed in TLS 1.1 or earlier and many tests fail if we change that.
Reviewers: mt
Reviewed By: mt
Bug #: 1566131
Differential Revision: https://phabricator.services.mozilla.com/D45867
diff --git a/gtests/ssl_gtest/ssl_dhe_unittest.cc b/gtests/ssl_gtest/ssl_dhe_unittest.cc
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -682,4 +682,100 @@ TEST_P(TlsConnectTls12, ConnectInconsist
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
}
+static void CheckSkeSigScheme(
+ std::shared_ptr<TlsHandshakeRecorder>& capture_ske,
+ uint16_t expected_scheme) {
+ TlsParser parser(capture_ske->buffer());
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_p";
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_q";
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_Ys";
+
+ uint32_t tmp;
+ EXPECT_TRUE(parser.Read(&tmp, 2)) << " read sig_scheme";
+ EXPECT_EQ(expected_scheme, static_cast<uint16_t>(tmp));
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgEnabledByPolicyDhe) {
+ EnableOnlyDheCiphers();
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ EnsureTlsSetup();
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Enable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SSL_KX, 0);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha1);
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgDisabledByPolicyDhe) {
+ EnableOnlyDheCiphers();
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ EnsureTlsSetup();
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy after sending ClientHello so that CH
+ // includes SHA-1 signature scheme.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha384);
+}
+
+TEST_P(TlsConnectPre12, ConnectSigAlgDisabledByPolicyDhePre12) {
+ EnableOnlyDheCiphers();
+
+ EnsureTlsSetup();
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy. This will cause the connection fail as
+ // TLS 1.1 or earlier uses combined SHA-1 + MD5 signature.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ server_->ExpectSendAlert(kTlsAlertHandshakeFailure);
+ client_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
+
+ // Remainder of handshake
+ Handshake();
+
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+}
+
} // namespace nss_test
diff --git a/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -666,6 +666,80 @@ TEST_P(TlsConnectTls12, ConnectIncorrect
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
+static void CheckSkeSigScheme(
+ std::shared_ptr<TlsHandshakeRecorder> &capture_ske,
+ uint16_t expected_scheme) {
+ TlsParser parser(capture_ske->buffer());
+ uint32_t tmp = 0;
+ EXPECT_TRUE(parser.Read(&tmp, 1)) << " read curve_type";
+ EXPECT_EQ(3U, tmp) << "curve type has to be 3";
+ EXPECT_TRUE(parser.Skip(2)) << " read namedcurve";
+ EXPECT_TRUE(parser.SkipVariable(1)) << " read public";
+
+ EXPECT_TRUE(parser.Read(&tmp, 2)) << " read sig_scheme";
+ EXPECT_EQ(expected_scheme, static_cast<uint16_t>(tmp));
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgEnabledByPolicy) {
+ EnsureTlsSetup();
+ client_->DisableAllCiphers();
+ client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Enable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SSL_KX, 0);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha1);
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgDisabledByPolicy) {
+ EnsureTlsSetup();
+ client_->DisableAllCiphers();
+ client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha384);
+}
+
INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV11Plus));
diff --git a/gtests/ssl_gtest/tls_connect.h b/gtests/ssl_gtest/tls_connect.h
--- a/gtests/ssl_gtest/tls_connect.h
+++ b/gtests/ssl_gtest/tls_connect.h
@@ -164,7 +164,7 @@ class TlsConnectTestBase : public ::test
// ssl_extension_unittest.cc.
const std::vector<SECOidTag> algorithms_ = {SEC_OID_APPLY_SSL_POLICY,
SEC_OID_ANSIX9_DSA_SIGNATURE,
- SEC_OID_CURVE25519};
+ SEC_OID_CURVE25519, SEC_OID_SHA1};
std::vector<std::tuple<SECOidTag, uint32_t>> saved_policies_;
private:
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -1454,8 +1454,14 @@ ssl3_ComputeCommonKeyHash(SSLHashType ha
{
SECStatus rv;
SECOidTag hashOID;
+ PRUint32 policy;
if (hashAlg == ssl_hash_none) {
+ if ((NSS_GetAlgorithmPolicy(SEC_OID_SHA1, &policy) == SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+ return SECFailure;
+ }
rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
@@ -1469,6 +1475,11 @@ ssl3_ComputeCommonKeyHash(SSLHashType ha
hashes->len = MD5_LENGTH + SHA1_LENGTH;
} else {
hashOID = ssl3_HashTypeToOID(hashAlg);
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+ return SECFailure;
+ }
hashes->len = HASH_ResultLenByOidTag(hashOID);
if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);

View File

@ -0,0 +1,13 @@
diff -up ./doc/certutil.xml.ipsec_doc ./doc/certutil.xml
--- ./doc/certutil.xml.ipsec_doc 2019-05-10 14:14:18.000000000 -0700
+++ ./doc/certutil.xml 2019-06-05 16:49:44.229301383 -0700
@@ -428,6 +428,9 @@ of the attribute codes:
<listitem>
<para><command>J</command> (as an object signer)</para>
</listitem>
+ <listitem>
+<para><command>I</command> (as an IPSEC user)</para>
+ </listitem>
</itemizedlist></listitem>
</varlistentry>

View File

@ -0,0 +1,571 @@
diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech ./gtests/pk11_gtest/pk11_import_unittest.cc
--- ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2019-06-05 16:43:42.276498676 -0700
@@ -78,17 +78,40 @@ class Pk11KeyImportTestBase : public ::t
CK_MECHANISM_TYPE mech_;
private:
+ SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+ SECItem null = { siBuffer, NULL, 0};
+ switch(SECKEY_GetPublicKeyType(pub_key.get())) {
+ case rsaKey:
+ case rsaPssKey:
+ case rsaOaepKey:
+ return pub_key->u.rsa.modulus;
+ case keaKey:
+ return pub_key->u.kea.publicValue;
+ case dsaKey:
+ return pub_key->u.dsa.publicValue;
+ case dhKey:
+ return pub_key->u.dh.publicValue;
+ case ecKey:
+ return pub_key->u.ec.publicValue;
+ case fortezzaKey: /* depricated */
+ case nullKey:
+ /* didn't use default here so we can catch new key types at compile time */
+ break;
+ }
+ return null;
+ }
void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
const SECItem* expected_public) {
// Verify the public key exists.
StackSECItem priv_id;
+ KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
CKA_ID, &priv_id);
ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
<< PORT_ErrorToName(PORT_GetError());
CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
- switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
+ switch (type) {
case rsaKey:
value_type = CKA_MODULUS;
break;
@@ -106,6 +129,8 @@ class Pk11KeyImportTestBase : public ::t
FAIL() << "unknown key type";
}
+ // Scan public key objects until we find one with the same CKA_ID as
+ // priv_key
std::unique_ptr<PK11GenericObject, PK11GenericObjectsDeleter> objs(
PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
ASSERT_NE(nullptr, objs);
@@ -128,20 +153,46 @@ class Pk11KeyImportTestBase : public ::t
ASSERT_EQ(1U, token.len);
ASSERT_NE(0, token.data[0]);
- StackSECItem value;
- rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
+ StackSECItem raw_value;
+ SECItem decoded_value;
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
ASSERT_EQ(SECSuccess, rv);
+ SECItem value = raw_value;
+ // Decode the EC_POINT and check the output against expected.
// CKA_EC_POINT isn't stable, see Bug 1520649.
+ ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ ASSERT_TRUE(arena);
if (value_type == CKA_EC_POINT) {
- continue;
- }
+ // If this fails due to the noted inconsistency, we may need to
+ // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
+ rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &raw_value);
+ ASSERT_EQ(SECSuccess, rv);
+ value = decoded_value;
+ }
ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
<< "expected: "
<< DataBuffer(expected_public->data, expected_public->len)
<< std::endl
<< "actual: " << DataBuffer(value.data, value.len) << std::endl;
+
+ // Finally, convert the private to public and ensure it matches.
+ ScopedSECKEYPublicKey pub_key(
+ SECKEY_ConvertToPublicKey(priv_key.get()));
+ ASSERT_TRUE(pub_key);
+ SECItem converted_public = GetPublicComponent(pub_key);
+ ASSERT_TRUE(converted_public.len != 0);
+
+ ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
+ << "expected: "
+ << DataBuffer(expected_public->data, expected_public->len)
+ << std::endl
+ << "actual: "
+ << DataBuffer(converted_public.data, converted_public.len)
+ << std::endl;
}
}
diff -up ./lib/cryptohi/seckey.c.pub-priv-mech ./lib/cryptohi/seckey.c
--- ./lib/cryptohi/seckey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/cryptohi/seckey.c 2019-06-05 16:43:42.277498676 -0700
@@ -1206,6 +1206,37 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
return NULL;
}
+/*
+ * Use the private key to find a public key handle. The handle will be on
+ * the same slot as the private key.
+ */
+static CK_OBJECT_HANDLE
+seckey_FindPublicKeyHandle(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk)
+{
+ CK_OBJECT_HANDLE keyID;
+
+ /* this helper function is only used below. If we want to make this more
+ * general, we would need to free up any already cached handles if the
+ * slot doesn't match up with the private key slot */
+ PORT_Assert(pubk->pkcs11ID == CK_INVALID_HANDLE);
+
+ /* first look for a matching public key */
+ keyID = PK11_MatchItem(privk->pkcs11Slot, privk->pkcs11ID, CKO_PUBLIC_KEY);
+ if (keyID != CK_INVALID_HANDLE) {
+ return keyID;
+ }
+
+ /* none found, create a temp one, make the pubk the owner */
+ pubk->pkcs11ID = PK11_DerivePubKeyFromPrivKey(privk);
+ if (pubk->pkcs11ID == CK_INVALID_HANDLE) {
+ /* end of the road. Token doesn't have matching public key, nor can
+ * token regenerate a new public key from and existing private key. */
+ return CK_INVALID_HANDLE;
+ }
+ pubk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
+ return pubk->pkcs11ID;
+}
+
SECKEYPublicKey *
SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
{
@@ -1213,6 +1244,8 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
PLArenaPool *arena;
CERTCertificate *cert;
SECStatus rv;
+ CK_OBJECT_HANDLE pubKeyHandle;
+ SECItem decodedPoint;
/*
* First try to look up the cert.
@@ -1243,11 +1276,47 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
switch (privk->keyType) {
case nullKey:
- case dhKey:
- case dsaKey:
/* Nothing to query, if the cert isn't there, we're done -- no way
* to get the public key */
break;
+ case dsaKey:
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_BASE, arena, &pubk->u.dsa.params.base);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_PRIME, arena, &pubk->u.dsa.params.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_SUBPRIME, arena, &pubk->u.dsa.params.subPrime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_VALUE, arena, &pubk->u.dsa.publicValue);
+ if (rv != SECSuccess)
+ break;
+ return pubk;
+ case dhKey:
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_BASE, arena, &pubk->u.dh.base);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_PRIME, arena, &pubk->u.dh.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_VALUE, arena, &pubk->u.dh.publicValue);
+ if (rv != SECSuccess)
+ break;
+ return pubk;
case rsaKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_MODULUS, arena, &pubk->u.rsa.modulus);
@@ -1258,7 +1327,6 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
if (rv != SECSuccess)
break;
return pubk;
- break;
case ecKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
@@ -1268,7 +1336,23 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
- break;
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+ if (rv != SECSuccess)
+ break;
+ }
+ /* ec.publicValue should be decoded, PKCS #11 defines CKA_EC_POINT
+ * as encoded, but it's not always. try do decoded it and if it
+ * succeeds store the decoded value */
+ rv = SEC_QuickDERDecodeItem(arena, &decodedPoint,
+ SEC_ASN1_GET(SEC_OctetStringTemplate), &pubk->u.ec.publicValue);
+ if (rv == SECSuccess) {
+ /* both values are in the public key arena, so it's safe to
+ * overwrite the old value */
+ pubk->u.ec.publicValue = decodedPoint;
}
pubk->u.ec.encoding = ECPoint_Undefined;
return pubk;
@@ -1276,7 +1360,9 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
break;
}
- PORT_FreeArena(arena, PR_FALSE);
+ /* must use Destroy public key here, because some paths create temporary
+ * PKCS #11 objects which need to be freed */
+ SECKEY_DestroyPublicKey(pubk);
return NULL;
}
diff -up ./lib/pk11wrap/pk11priv.h.pub-priv-mech ./lib/pk11wrap/pk11priv.h
--- ./lib/pk11wrap/pk11priv.h.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/pk11wrap/pk11priv.h 2019-06-05 16:43:42.277498676 -0700
@@ -111,6 +111,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
+CK_OBJECT_HANDLE PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey);
/**********************************************************************
* Certs
diff -up ./lib/pk11wrap/pk11skey.c.pub-priv-mech ./lib/pk11wrap/pk11skey.c
--- ./lib/pk11wrap/pk11skey.c.pub-priv-mech 2019-06-05 16:37:38.726685789 -0700
+++ ./lib/pk11wrap/pk11skey.c 2019-06-05 16:43:42.278498675 -0700
@@ -1841,6 +1841,35 @@ loser:
}
/*
+ * This regenerate a public key from a private key. This function is currently
+ * NSS private. If we want to make it public, we need to add and optional
+ * template or at least flags (a.la. PK11_DeriveWithFlags).
+ */
+CK_OBJECT_HANDLE
+PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
+{
+ PK11SlotInfo *slot = privKey->pkcs11Slot;
+ CK_MECHANISM mechanism;
+ CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
+ CK_RV crv;
+
+ mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
+ mechanism.pParameter = NULL;
+ mechanism.ulParameterLen = 0;
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
+ privKey->pkcs11ID, NULL, 0,
+ &objectID);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return CK_INVALID_HANDLE;
+ }
+ return objectID;
+}
+
+/*
* This Generates a wrapping key based on a privateKey, publicKey, and two
* random numbers. For Mail usage RandomB should be NULL. In the Sender's
* case RandomA is generate, outherwize it is passed.
diff -up ./lib/softoken/lowkey.c.pub-priv-mech ./lib/softoken/lowkey.c
--- ./lib/softoken/lowkey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/softoken/lowkey.c 2019-06-05 16:44:20.469479019 -0700
@@ -261,6 +261,7 @@ NSSLOWKEYPublicKey *
nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
{
NSSLOWKEYPublicKey *pubk;
+ SECItem publicValue;
PLArenaPool *arena;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
@@ -301,6 +302,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
pubk->arena = arena;
pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dsa.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
+ &privk->u.dsa.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
&privk->u.dsa.publicValue);
if (rv != SECSuccess)
@@ -327,6 +341,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
pubk->arena = arena;
pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dh.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
+ &privk->u.dh.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
&privk->u.dh.publicValue);
if (rv != SECSuccess)
diff -up ./lib/softoken/pkcs11c.c.pub-priv-mech ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.pub-priv-mech 2019-06-05 16:37:38.743685780 -0700
+++ ./lib/softoken/pkcs11c.c 2019-06-05 16:44:20.472479017 -0700
@@ -6569,6 +6569,10 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
extractValue = PR_FALSE;
classType = CKO_PRIVATE_KEY;
break;
+ case CKM_NSS_PUB_FROM_PRIV:
+ extractValue = PR_FALSE;
+ classType = CKO_PUBLIC_KEY;
+ break;
case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */
case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
@@ -6610,6 +6614,35 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
switch (mechanism) {
+ /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+ * will generate the public portion if it doesn't already exist. */
+ case CKM_NSS_PUB_FROM_PRIV: {
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYPublicKey *pubKey;
+ int error;
+
+ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ /* privKey is stored in sourceKey and will be destroyed when
+ * the sourceKey is freed. */
+ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ pubKey = nsslowkey_ConvertToPublicKey(privKey);
+ if (pubKey == NULL) {
+ error = PORT_GetError();
+ crv = sftk_MapCryptError(error);
+ break;
+ }
+ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey);
+ nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+
case CKM_NSS_IKE_PRF_DERIVE:
if (pMechanism->ulParameterLen !=
sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) {
diff -up ./lib/softoken/pkcs11.c.pub-priv-mech ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.pub-priv-mech 2019-06-05 16:37:38.728685788 -0700
+++ ./lib/softoken/pkcs11.c 2019-06-05 16:44:20.473479017 -0700
@@ -2206,6 +2206,123 @@ sftk_GetPrivKey(SFTKObject *object, CK_K
return priv;
}
+/* populate a public key object from a lowpublic keys structure */
+CK_RV
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
+{
+ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+ switch (keyType) {
+ case CKK_RSA:
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
+ /* format the keys */
+ /* fill in the RSA dependent paramenters in the public key */
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+ sftk_item_expand(&pubKey->u.rsa.modulus));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&pubKey->u.rsa.publicExponent));
+ break;
+ case CKK_DSA:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.subPrime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dsa.params.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dsa.publicValue));
+ break;
+
+ case CKK_DH:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dh.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dh.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dh.publicValue));
+ break;
+
+ case CKK_EC:
+ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
+
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
+ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&pubKey->u.ec.publicValue));
+ break;
+
+ default:
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK)
+ return crv;
+ /* now handle the operator attributes */
+ if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
+ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_DERIVE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ return crv;
+}
+
/*
**************************** Symetric Key utils ************************
*/
diff -up ./lib/softoken/pkcs11i.h.pub-priv-mech ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.pub-priv-mech 2019-06-05 16:37:38.730685787 -0700
+++ ./lib/softoken/pkcs11i.h 2019-06-05 16:44:20.473479017 -0700
@@ -695,6 +695,9 @@ extern NSSLOWKEYPublicKey *sftk_GetPubKe
CK_KEY_TYPE key_type, CK_RV *crvp);
extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
CK_KEY_TYPE key_type, CK_RV *crvp);
+extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey,
+ CK_KEY_TYPE keyType,
+ NSSLOWKEYPublicKey *pubKey);
extern void sftk_FormatDESKey(unsigned char *key, int length);
extern PRBool sftk_CheckDESKey(unsigned char *key);
extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type);
diff -up ./lib/util/pkcs11n.h.pub-priv-mech ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.pub-priv-mech 2019-06-05 16:37:38.733685785 -0700
+++ ./lib/util/pkcs11n.h 2019-06-05 16:44:54.389461561 -0700
@@ -152,11 +152,6 @@
#define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
#define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
-/* IKE mechanism (to be proposed to PKCS #11 */
-#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7)
-#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8)
-#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9)
-#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10)
/* J-PAKE round 1 key generation mechanisms.
*
@@ -238,6 +233,15 @@
#define CKM_NSS_CHACHA20_CTR (CKM_NSS + 33)
+/* IKE mechanism (to be proposed to PKCS #11 */
+#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 34)
+#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 35)
+#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 36)
+#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 37)
+
+/* Derive a public key from a bare private key */
+#define CKM_NSS_PUB_FROM_PRIV (CKM_NSS + 40)
+
/*
* HISTORICAL:
* Do not attempt to use these. They are only used by NETSCAPE's internal

View File

@ -0,0 +1,202 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1559031046 -7200
# Tue May 28 10:10:46 2019 +0200
# Node ID 0a4e8b72a92e144663c2f35d3836f7828cfc97f2
# Parent 370a9e85f216f5f4ff277995a997c5c9b23a819f
Bug 1552208, prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3, r=mt
Reviewers: mt
Reviewed By: mt
Subscribers: mt, jcj, ueno, rrelyea, HubertKario, KevinJacobs
Tags: #secure-revision, #bmo-crypto-core-security
Bug #: 1552208
Differential Revision: https://phabricator.services.mozilla.com/D32454
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -701,6 +701,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
}
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
+ static const SSLSignatureScheme kSignatureScheme[] = {
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+ Reset(TlsAgent::kServerRsa, "rsa");
+ client_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ server_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ client_->SetupClientAuth();
+ server_->RequestClientAuth(true);
+
+ auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
+ client_, kTlsHandshakeCertificateVerify);
+ capture_cert_verify->EnableDecryption();
+
+ Connect();
+ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
+ 1024);
+}
+
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
+ static const SSLSignatureScheme kSignatureScheme[] = {
+ ssl_sig_rsa_pkcs1_sha256};
+
+ Reset(TlsAgent::kServerRsa, "rsa");
+ client_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ server_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ client_->SetupClientAuth();
+ server_->RequestClientAuth(true);
+
+ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
public:
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
@@ -933,7 +971,7 @@ TEST_P(TlsConnectTls13, InconsistentSign
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
server_->RequestClientAuth(false);
@@ -1395,12 +1433,21 @@ TEST_P(TlsSignatureSchemeConfiguration,
INSTANTIATE_TEST_CASE_P(
SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
::testing::Combine(
- TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
+ TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
::testing::Values(TlsAgent::kServerRsaSign),
::testing::Values(ssl_auth_rsa_sign),
::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
ssl_sig_rsa_pss_rsae_sha384)));
+// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
+INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerRsaSign),
+ ::testing::Values(ssl_auth_rsa_sign),
+ ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
+ ssl_sig_rsa_pss_rsae_sha384)));
// PSS with SHA-512 needs a bigger key to work.
INSTANTIATE_TEST_CASE_P(
SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
diff --git a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -68,12 +68,6 @@ class TlsCipherSuiteTestBase : public Tl
virtual void SetupCertificate() {
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
switch (sig_scheme_) {
- case ssl_sig_rsa_pkcs1_sha256:
- case ssl_sig_rsa_pkcs1_sha384:
- case ssl_sig_rsa_pkcs1_sha512:
- Reset(TlsAgent::kServerRsaSign);
- auth_type_ = ssl_auth_rsa_sign;
- break;
case ssl_sig_rsa_pss_rsae_sha256:
case ssl_sig_rsa_pss_rsae_sha384:
Reset(TlsAgent::kServerRsaSign);
@@ -330,6 +324,12 @@ static SSLSignatureScheme kSignatureSche
ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384,
ssl_sig_rsa_pss_pss_sha512};
+static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
+ ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384,
+ ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256,
+ ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512};
+
INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
kDummySignatureSchemesParams,
TLS_RSA_WITH_RC4_128_SHA,
@@ -394,7 +394,7 @@ INSTANTIATE_CIPHER_TEST_P(
#ifndef NSS_DISABLE_TLS_1_3
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
::testing::ValuesIn(kFasterDHEGroups),
- ::testing::ValuesIn(kSignatureSchemesParamsArr),
+ ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_256_GCM_SHA384);
INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -436,14 +436,14 @@ TEST_P(TlsExtensionTest12Plus, Signature
}
TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
- // 31 unknown signature algorithms followed by sha-256, rsa
+ // 31 unknown signature algorithms followed by sha-256, rsa-pss
const uint8_t val[] = {
0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
DataBuffer extension(val, sizeof(val));
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
extension);
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
+PRBool ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme);
PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
const PRUint8 ssl_hello_retry_random[] = {
@@ -4101,6 +4102,9 @@ ssl_SignatureSchemeValid(SSLSignatureSch
if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
return PR_FALSE;
}
+ if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
+ return PR_FALSE;
+ }
/* With TLS 1.3, EC keys should have been selected based on calling
* ssl_SignatureSchemeFromSpki(), reject them otherwise. */
return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
@@ -4351,6 +4355,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
}
PRBool
+ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme)
+{
+ switch (scheme) {
+ case ssl_sig_rsa_pkcs1_sha256:
+ case ssl_sig_rsa_pkcs1_sha384:
+ case ssl_sig_rsa_pkcs1_sha512:
+ case ssl_sig_rsa_pkcs1_sha1:
+ return PR_TRUE;
+
+ default:
+ return PR_FALSE;
+ }
+ return PR_FALSE;
+}
+
+PRBool
ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
{
switch (scheme) {

View File

@ -0,0 +1,169 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1561465415 -7200
# Tue Jun 25 14:23:35 2019 +0200
# Node ID a0114e3d8b22d4c6ee77504c483a0fe0037f4c71
# Parent 313dfef345bd93bc67982249bffa2cfdd5a9d1b5
Bug 1560329, drbg: perform continuous test on entropy source
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test to check that consecutive entropy blocks from the system are different. As neither getentropy() nor /dev/urandom provides that check on the output, this adds the self test at caller side.
Reviewers: rrelyea
Bug #: 1560329
Differential Revision: https://phabricator.services.mozilla.com/D35636
diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -30,6 +30,7 @@
#define PRNG_ADDITONAL_DATA_CACHE_SIZE (8 * 1024) /* must be less than \
* PRNG_MAX_ADDITIONAL_BYTES \
*/
+#define PRNG_ENTROPY_BLOCK_SIZE SHA256_LENGTH
/* RESEED_COUNT is how many calls to the prng before we need to reseed
* under normal NIST rules, you must return an error. In the NSS case, we
@@ -96,6 +97,8 @@ struct RNGContextStr {
PRUint32 additionalAvail;
PRBool isValid; /* false if RNG reaches an invalid state */
PRBool isKatTest; /* true if running NIST PRNG KAT tests */
+ /* for continuous entropy check */
+ PRUint8 previousEntropyHash[SHA256_LENGTH];
};
typedef struct RNGContextStr RNGContext;
@@ -169,6 +172,82 @@ prng_instantiate(RNGContext *rng, const
return SECSuccess;
}
+static PRCallOnceType coRNGInitEntropy;
+
+static PRStatus
+prng_initEntropy(void)
+{
+ size_t length;
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+ SHA256Context ctx;
+
+ /* For FIPS 140-2 4.9.2 continuous random number generator test,
+ * fetch the initial entropy from the system RNG and keep it for
+ * later comparison. */
+ length = RNG_SystemRNG(block, sizeof(block));
+ if (length == 0) {
+ return PR_FAILURE; /* error is already set */
+ }
+ PORT_Assert(length == sizeof(block));
+
+ /* Store the hash of the entropy block rather than the block
+ * itself for backward secrecy. */
+ SHA256_Begin(&ctx);
+ SHA256_Update(&ctx, block, sizeof(block));
+ SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
+ sizeof(globalrng->previousEntropyHash));
+ PORT_Memset(block, 0, sizeof(block));
+ return PR_SUCCESS;
+}
+
+static SECStatus
+prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+{
+ size_t total = 0;
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+ PRUint8 hash[SHA256_LENGTH];
+ SHA256Context ctx;
+ SECStatus rv = SECSuccess;
+
+ if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* For FIPS 140-2 4.9.2 continuous random generator test,
+ * iteratively fetch fixed sized blocks from the system and
+ * compare consecutive blocks. */
+ while (total < requestLength) {
+ size_t length = RNG_SystemRNG(block, sizeof(block));
+ if (length == 0) {
+ rv = SECFailure; /* error is already set */
+ goto out;
+ }
+ PORT_Assert(length == sizeof(block));
+
+ /* Store the hash of the entropy block rather than the block
+ * itself for backward secrecy. */
+ SHA256_Begin(&ctx);
+ SHA256_Update(&ctx, block, sizeof(block));
+ SHA256_End(&ctx, hash, NULL, sizeof(hash));
+
+ if (PORT_Memcmp(globalrng->previousEntropyHash, hash, sizeof(hash)) == 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ rv = SECFailure;
+ goto out;
+ }
+ PORT_Memcpy(globalrng->previousEntropyHash, hash, sizeof(hash));
+ length = PR_MIN(requestLength - total, sizeof(block));
+ PORT_Memcpy(buffer, block, length);
+ total += length;
+ buffer += length;
+ }
+
+ out:
+ PORT_Memset(block, 0, sizeof block);
+ return rv;
+}
+
/*
* Update the global random number generator with more seeding
* material. Use the Hash_DRBG reseed algorithm from NIST SP-800-90
@@ -182,11 +261,15 @@ prng_reseed(RNGContext *rng, const PRUin
{
PRUint8 noiseData[(sizeof rng->V_Data) + PRNG_SEEDLEN];
PRUint8 *noise = &noiseData[0];
+ SECStatus rv;
/* if entropy wasn't supplied, fetch it. (normal operation case) */
if (entropy == NULL) {
- entropy_len = (unsigned int)RNG_SystemRNG(
- &noiseData[sizeof rng->V_Data], PRNG_SEEDLEN);
+ entropy_len = PRNG_SEEDLEN;
+ rv = prng_getEntropy(&noiseData[sizeof rng->V_Data], entropy_len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* error is already set */
+ }
} else {
/* NOTE: this code is only available for testing, not to applications */
/* if entropy was too big for the stack variable, get it from malloc */
@@ -384,7 +467,6 @@ static PRStatus
rng_init(void)
{
PRUint8 bytes[PRNG_SEEDLEN * 2]; /* entropy + nonce */
- unsigned int numBytes;
SECStatus rv = SECSuccess;
if (globalrng == NULL) {
@@ -403,18 +485,17 @@ rng_init(void)
}
/* Try to get some seed data for the RNG */
- numBytes = (unsigned int)RNG_SystemRNG(bytes, sizeof bytes);
- PORT_Assert(numBytes == 0 || numBytes == sizeof bytes);
- if (numBytes != 0) {
+ rv = prng_getEntropy(bytes, sizeof bytes);
+ if (rv == SECSuccess) {
/* if this is our first call, instantiate, otherwise reseed
* prng_instantiate gets a new clean state, we want to mix
* any previous entropy we may have collected */
if (V(globalrng)[0] == 0) {
- rv = prng_instantiate(globalrng, bytes, numBytes);
+ rv = prng_instantiate(globalrng, bytes, sizeof bytes);
} else {
- rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
+ rv = prng_reseed_test(globalrng, bytes, sizeof bytes, NULL, 0);
}
- memset(bytes, 0, numBytes);
+ memset(bytes, 0, sizeof bytes);
} else {
PZ_DestroyLock(globalrng->lock);
globalrng->lock = NULL;

View File

@ -1,170 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1542120846 -3600
# Tue Nov 13 15:54:06 2018 +0100
# Node ID 5046749fa8a56a99c251bc1cdd1b3302f43947d2
# Parent 0d97145d524ab35b8bc2a4a8aea60a83bd244f14
Bug 1493936, add a new "DSA" policy keyword
Summary:
This adds a new policy keyword "DSA" to explicitly disable DSA in TLS 1.2 or earlier.
We could make this a bit more generic, e.g., by adding "ECDSA", "RSA-PSS" etc. However, considering the current use of policy in [fedora-crypto-policies](https://gitlab.com/redhat-crypto/fedora-crypto-policies), I realized that adding new keywords may cause compatibility problems; because the Fedora configuration has `disallow=ALL`, all new keywords would be disabled by default. I think it's okay for DSA, though.
Reviewers: kaie
Reviewed By: kaie
Bug #: 1493936
Differential Revision: https://phabricator.services.mozilla.com/D6777
diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c
--- a/lib/certhigh/certvfy.c
+++ b/lib/certhigh/certvfy.c
@@ -37,7 +37,7 @@ CERT_CertTimesValid(CERTCertificate *c)
return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
}
-SECStatus
+static SECStatus
checkKeyParams(const SECAlgorithmID *sigAlgorithm, const SECKEYPublicKey *key)
{
SECStatus rv;
@@ -47,6 +47,12 @@ checkKeyParams(const SECAlgorithmID *sig
PRInt32 minLen, len;
sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);
+ rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);
+ if (rv == SECSuccess &&
+ !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);
+ return SECFailure;
+ }
switch (sigAlg) {
case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:
diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c
+++ b/lib/pk11wrap/pk11pars.c
@@ -384,18 +384,26 @@ static const oidValDef kxOptList[] = {
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
};
+static const oidValDef signOptList[] = {
+ /* Signatures */
+ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+};
+
typedef struct {
const oidValDef *list;
PRUint32 entries;
const char *description;
+ PRBool allowEmpty;
} algListsDef;
static const algListsDef algOptLists[] = {
- { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC" },
- { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH" },
- { macOptList, PR_ARRAY_SIZE(macOptList), "MAC" },
- { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER" },
- { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX" },
+ { curveOptList, PR_ARRAY_SIZE(curveOptList), "ECC", PR_FALSE },
+ { hashOptList, PR_ARRAY_SIZE(hashOptList), "HASH", PR_FALSE },
+ { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
+ { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
+ { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
};
static const optionFreeDef sslOptList[] = {
@@ -718,7 +726,7 @@ secmod_sanityCheckCryptoPolicy(void)
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
fprintf(stderr, "NSS-POLICY-%s: NUMBER-OF-%s: %u\n", enabledCount[i] ? sInfo : sWarn, algOptList->description, enabledCount[i]);
- if (!enabledCount[i]) {
+ if (!enabledCount[i] && !algOptList->allowEmpty) {
haveWarning = PR_TRUE;
}
}
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
+PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
const PRUint8 ssl_hello_retry_random[] = {
0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
@@ -4309,6 +4310,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
return PR_FALSE;
}
+PRBool
+ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
+{
+ switch (scheme) {
+ case ssl_sig_dsa_sha256:
+ case ssl_sig_dsa_sha384:
+ case ssl_sig_dsa_sha512:
+ case ssl_sig_dsa_sha1:
+ return PR_TRUE;
+
+ default:
+ return PR_FALSE;
+ }
+ return PR_FALSE;
+}
+
SSLAuthType
ssl_SignatureSchemeToAuthType(SSLSignatureScheme scheme)
{
@@ -6017,6 +6034,13 @@ ssl_CanUseSignatureScheme(SSLSignatureSc
return PR_FALSE;
}
+ if (ssl_IsDsaSignatureScheme(scheme) &&
+ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) ==
+ SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ return PR_FALSE;
+ }
+
hashType = ssl_SignatureSchemeToHashType(scheme);
if (requireSha1 && (hashType != ssl_hash_sha1)) {
return PR_FALSE;
@@ -9490,6 +9514,14 @@ ssl3_EncodeSigAlgs(const sslSocket *ss,
continue;
}
+ /* Skip DSA scheme if it is disabled by policy. */
+ if (ssl_IsDsaSignatureScheme(ss->ssl3.signatureSchemes[i]) &&
+ (NSS_GetAlgorithmPolicy(SEC_OID_ANSIX9_DSA_SIGNATURE, &policy) ==
+ SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ continue;
+ }
+
if ((NSS_GetAlgorithmPolicy(hashOID, &policy) != SECSuccess) ||
(policy & NSS_USE_ALG_IN_SSL_KX)) {
rv = sslBuffer_AppendNumber(buf, ss->ssl3.signatureSchemes[i], 2);
diff --git a/tests/ssl/sslpolicy.txt b/tests/ssl/sslpolicy.txt
--- a/tests/ssl/sslpolicy.txt
+++ b/tests/ssl/sslpolicy.txt
@@ -74,6 +74,8 @@
# SECT409R1
# SECT571K1
# SECT571R1
+# Signatures:
+# DSA
# Hashes:
# MD2
# MD4
@@ -172,3 +174,4 @@
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly.

View File

@ -1,12 +1,8 @@
diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
--- a/coreconf/Linux.mk
+++ b/coreconf/Linux.mk
@@ -135,17 +135,17 @@ ifeq ($(KERNEL),Linux)
endif
OS_LIBS = $(OS_PTHREAD) -ldl -lc
ifdef USE_PTHREADS
DEFINES += -D_REENTRANT
Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
endif
DSO_CFLAGS = -fPIC
@ -15,8 +11,3 @@ diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.
# Also, -z defs conflicts with Address Sanitizer, which emits relocations
# against the libsanitizer runtime built into the main executable.
ZDEFS_FLAG = -Wl,-z,defs
DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG))
LDFLAGS += $(ARCHFLAG) -z noexecstack

View File

@ -0,0 +1,30 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -2382,16 +2382,26 @@ ssl3_CreateOverlapWithPolicy(SSLProtocol
rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
&effectivePolicyBoundary);
if (rv == SECFailure) {
/* SECFailure means internal failure or invalid configuration. */
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
return SECFailure;
}
+ /* TODO: TLSv1.3 doesn't work yet under FIPS mode */
+ if (PK11_IsFIPS()) {
+ if (effectivePolicyBoundary.min >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ effectivePolicyBoundary.min = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+ if (effectivePolicyBoundary.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ effectivePolicyBoundary.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+ }
+
vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
if (vrange.max < vrange.min) {
/* there was no overlap, turn off range altogether */
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
return SECFailure;
}

View File

@ -0,0 +1,81 @@
# HG changeset patch
# User Tomas Mraz <tmraz@fedoraproject.org>
# Date 1560861770 -7200
# Tue Jun 18 14:42:50 2019 +0200
# Node ID 6ef49fe67d6227a1d290da5537ec0dade379a15a
# Parent ebc93d6daeaa9001d31fd18b5199779da99ae9aa
Bug 1559906, fipstest: use CKM_TLS12_MASTER_KEY_DERIVE in TLS test, r=rrelyea
This also lets us CAVS tests more than just SHA256.
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -6669,12 +6669,13 @@ tls(char *reqfn)
CK_MECHANISM master_mech = { CKM_TLS_MASTER_KEY_DERIVE, NULL, 0 };
CK_MECHANISM key_block_mech = { CKM_TLS_KEY_AND_MAC_DERIVE, NULL, 0 };
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
- CK_SSL3_KEY_MAT_PARAMS key_block_params;
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+ CK_TLS12_KEY_MAT_PARAMS key_block_params;
CK_SSL3_KEY_MAT_OUT key_material;
CK_RV crv;
/* set up PKCS #11 parameters */
+ master_params.prfHashMechanism = CKM_SHA256;
master_params.pVersion = NULL;
master_params.RandomInfo.pClientRandom = clientHello_random;
master_params.RandomInfo.ulClientRandomLen = sizeof(clientHello_random);
@@ -6682,6 +6683,7 @@ tls(char *reqfn)
master_params.RandomInfo.ulServerRandomLen = sizeof(serverHello_random);
master_mech.pParameter = (void *)&master_params;
master_mech.ulParameterLen = sizeof(master_params);
+ key_block_params.prfHashMechanism = CKM_SHA256;
key_block_params.ulMacSizeInBits = 0;
key_block_params.ulKeySizeInBits = 0;
key_block_params.ulIVSizeInBits = 0;
@@ -6724,13 +6726,39 @@ tls(char *reqfn)
if (buf[0] == '[') {
if (strncmp(buf, "[TLS", 4) == 0) {
if (buf[7] == '0') {
+ /* CK_SSL3_MASTER_KEY_DERIVE_PARAMS is a subset of
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS and
+ * CK_SSL3_KEY_MAT_PARAMS is a subset of
+ * CK_TLS12_KEY_MAT_PARAMS. The latter params have
+ * an extra prfHashMechanism field at the end. */
master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;
key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;
+ master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
+ key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS);
} else if (buf[7] == '2') {
- master_mech.mechanism =
- CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
- key_block_mech.mechanism =
- CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+ if (strncmp(&buf[10], "SHA-1", 5) == 0) {
+ master_params.prfHashMechanism = CKM_SHA_1;
+ key_block_params.prfHashMechanism = CKM_SHA_1;
+ } else if (strncmp(&buf[10], "SHA-224", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA224;
+ key_block_params.prfHashMechanism = CKM_SHA224;
+ } else if (strncmp(&buf[10], "SHA-256", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA256;
+ key_block_params.prfHashMechanism = CKM_SHA256;
+ } else if (strncmp(&buf[10], "SHA-384", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA384;
+ key_block_params.prfHashMechanism = CKM_SHA384;
+ } else if (strncmp(&buf[10], "SHA-512", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA512;
+ key_block_params.prfHashMechanism = CKM_SHA512;
+ } else {
+ fprintf(tlsresp, "ERROR: Unable to find prf Hash type");
+ goto loser;
+ }
+ master_mech.mechanism = CKM_TLS12_MASTER_KEY_DERIVE;
+ key_block_mech.mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
+ master_mech.ulParameterLen = sizeof(master_params);
+ key_block_mech.ulParameterLen = sizeof(key_block_params);
} else {
fprintf(stderr, "Unknown TLS type %x\n",
(unsigned int)buf[0]);

4513
SOURCES/nss-ike-patch.patch Normal file

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,127 @@
# HG changeset patch
# User Martin Thomson <mt@lowentropy.net>
# Date 1560498951 0
# Fri Jun 14 07:55:51 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
# Parent 876bca2723a1f969422edc93e7504420d8331d3c
Bug 1515342 - More thorough input checking, r=jcj
All part of applying better discipline throughout.
Differential Revision: https://phabricator.services.mozilla.com/D33736
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -639,6 +639,11 @@ seckey_ExtractPublicKey(const CERTSubjec
return pubk;
break;
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ /* A basic sanity check on inputs. */
+ if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ break;
+ }
pubk->keyType = ecKey;
pubk->u.ec.size = 0;
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -210,7 +210,8 @@ DH_Derive(SECItem *publicValue,
unsigned int len = 0;
unsigned int nb;
unsigned char *secret = NULL;
- if (!publicValue || !prime || !privateValue || !derivedSecret) {
+ if (!publicValue || !publicValue->len || !prime || !prime->len ||
+ !privateValue || !privateValue->len || !derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
--- a/lib/freebl/ec.c
+++ b/lib/freebl/ec.c
@@ -202,8 +202,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateK
#endif
MP_DIGITS(&k) = 0;
- if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0) ||
- !ecParams->name) {
+ if (!ecParams || ecParams->name == ECCurve_noName ||
+ !privKey || !privKeyBytes || privKeyLen <= 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -391,7 +391,7 @@ EC_NewKey(ECParams *ecParams, ECPrivateK
int len;
unsigned char *privKeyBytes = NULL;
- if (!ecParams) {
+ if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -430,7 +430,8 @@ EC_ValidatePublicKey(ECParams *ecParams,
mp_err err = MP_OKAY;
int len;
- if (!ecParams || !publicValue || !ecParams->name) {
+ if (!ecParams || ecParams->name == ECCurve_noName ||
+ !publicValue || !publicValue->len) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -536,8 +537,9 @@ ECDH_Derive(SECItem *publicValue,
int i;
#endif
- if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
- !ecParams->name) {
+ if (!publicValue || !publicValue->len ||
+ !ecParams || ecParams->name == ECCurve_noName ||
+ !privateValue || !privateValue->len || !derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/lib/util/quickder.c b/lib/util/quickder.c
--- a/lib/util/quickder.c
+++ b/lib/util/quickder.c
@@ -757,6 +757,13 @@ DecodeItem(void* dest,
}
case SEC_ASN1_BIT_STRING: {
+ /* Can't be 8 or more spare bits, or any spare bits
+ * if there are no octets. */
+ if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ break;
+ }
/* change the length in the SECItem to be the number
of bits */
temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);
# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1561145635 0
# Fri Jun 21 19:33:55 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID 416a8f7cf8986103b4d74694aac1198edbb08b3e
# Parent fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
Bug 1515342 - Ignore spki decode failures on negative (expect_fail) tests. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D35565
diff --git a/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
--- a/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -40,6 +40,9 @@ class Pkcs11Curve25519Test
ScopedCERTSubjectPublicKeyInfo certSpki(
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+ if (!expect_success && !certSpki) {
+ return;
+ }
ASSERT_TRUE(certSpki);
ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));

View File

@ -0,0 +1,143 @@
# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1560499074 0
# Fri Jun 14 07:57:54 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID 876bca2723a1f969422edc93e7504420d8331d3c
# Parent 20671f860c2619dc27208d64a84a759fdffc5ed1
Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import. r=jcj,mt
Differential Revision: https://phabricator.services.mozilla.com/D31671
diff --git a/lib/freebl/ecl/ecp_25519.c b/lib/freebl/ecl/ecp_25519.c
--- a/lib/freebl/ecl/ecp_25519.c
+++ b/lib/freebl/ecl/ecp_25519.c
@@ -114,6 +114,9 @@ ec_Curve25519_pt_mul(SECItem *X, SECItem
}
px = P->data;
}
+ if (k->len != 32) {
+ return SECFailure;
+ }
SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
--- a/lib/pk11wrap/pk11akey.c
+++ b/lib/pk11wrap/pk11akey.c
@@ -190,7 +190,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
attrs++;
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
attrs++;
- signedattr = attrs;
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
pubKey->u.ec.DEREncodedParams.data,
pubKey->u.ec.DEREncodedParams.len);
@@ -222,12 +221,14 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
PORT_SetError(SEC_ERROR_BAD_KEY);
return CK_INVALID_HANDLE;
}
-
templateCount = attrs - theTemplate;
- signedcount = attrs - signedattr;
PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
- for (attrs = signedattr; signedcount; attrs++, signedcount--) {
- pk11_SignedToUnsigned(attrs);
+ if (pubKey->keyType != ecKey) {
+ PORT_Assert(signedattr);
+ signedcount = attrs - signedattr;
+ for (attrs = signedattr; signedcount; attrs++, signedcount--) {
+ pk11_SignedToUnsigned(attrs);
+ }
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
templateCount, isToken, &objectID);
@@ -1074,9 +1075,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *
&cktrue, &ckfalse);
/* Not everyone can handle zero padded key values, give
- * them the raw data as unsigned */
- for (ap = attrs; extra_count; ap++, extra_count--) {
- pk11_SignedToUnsigned(ap);
+ * them the raw data as unsigned. The exception is EC,
+ * where the values are encoded or zero-preserving
+ * per-RFC5915 */
+ if (privKey->keyType != ecKey) {
+ for (ap = attrs; extra_count; ap++, extra_count--) {
+ pk11_SignedToUnsigned(ap);
+ }
}
/* now Store the puppies */
diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
--- a/lib/pk11wrap/pk11cert.c
+++ b/lib/pk11wrap/pk11cert.c
@@ -184,7 +184,9 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERT
SECKEY_DestroyPublicKey(pubKey);
return PR_FALSE;
}
- pk11_SignedToUnsigned(&theTemplate);
+ if (pubKey->keyType != ecKey) {
+ pk11_SignedToUnsigned(&theTemplate);
+ }
if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
SECKEY_DestroyPublicKey(pubKey);
return PR_TRUE;
diff --git a/lib/pk11wrap/pk11pk12.c b/lib/pk11wrap/pk11pk12.c
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -505,7 +505,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len);
attrs++;
- signedattr = attrs;
+ /* No signed attrs for EC */
/* curveOID always is a copy of AlgorithmID.parameters. */
PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
lpk->u.ec.curveOID.len);
@@ -523,11 +523,12 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
- PORT_Assert(signedattr != NULL);
- signedcount = attrs - signedattr;
-
- for (ap = signedattr; signedcount; ap++, signedcount--) {
- pk11_SignedToUnsigned(ap);
+ if (lpk->keyType != ecKey) {
+ PORT_Assert(signedattr);
+ signedcount = attrs - signedattr;
+ for (ap = signedattr; signedcount; ap++, signedcount--) {
+ pk11_SignedToUnsigned(ap);
+ }
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
diff --git a/lib/softoken/legacydb/lgattr.c b/lib/softoken/legacydb/lgattr.c
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -950,9 +950,9 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
case CKA_UNWRAP:
return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
case CKA_VALUE:
- return lg_CopyPrivAttrSigned(attribute, type,
- key->u.ec.privateValue.data,
- key->u.ec.privateValue.len, sdbpw);
+ return lg_CopyPrivAttribute(attribute, type,
+ key->u.ec.privateValue.data,
+ key->u.ec.privateValue.len, sdbpw);
case CKA_EC_PARAMS:
return lg_CopyAttributeSigned(attribute, type,
key->u.ec.ecParams.DEREncoding.data,
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -7747,7 +7747,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
withCofactor, &tmp);
- PORT_Free(ecScalar.data);
+ PORT_ZFree(ecScalar.data, ecScalar.len);
ecScalar.data = NULL;
if (privKey != sourceKey->objectInfo) {
nsslowkey_DestroyPrivateKey(privKey);

View File

@ -1,170 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1544699159 -3600
# Thu Dec 13 12:05:59 2018 +0100
# Node ID 0124a811bdf7abfe4bcf135ccc8c719b14db0580
# Parent 5b2efc615899a283c1ab2e26ddb41684aeae60f0
Add manual for nss-policy-check
diff --git a/doc/Makefile b/doc/Makefile
--- a/doc/Makefile
+++ b/doc/Makefile
@@ -21,7 +21,7 @@ all: prepare all-man all-html
prepare: date-and-version
mkdir -p html
mkdir -p nroff
-
+
clean:
rm -f date.xml version.xml *.tar.bz2
rm -f html/*.proc
@@ -45,11 +45,11 @@ version.xml:
nroff/%.1 : %.xml
$(COMPILE.1) $<
-
+
MANPAGES = \
nroff/certutil.1 nroff/cmsutil.1 nroff/crlutil.1 nroff/pk12util.1 \
nroff/modutil.1 nroff/ssltap.1 nroff/derdump.1 nroff/signtool.1 nroff/signver.1 \
-nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1
+nroff/pp.1 nroff/vfychain.1 nroff/vfyserv.1 nroff/nss-policy-check.1
all-man: prepare $(MANPAGES)
@@ -64,6 +64,6 @@ html/%.html : %.xml
HTMLPAGES = \
html/certutil.html html/cmsutil.html html/crlutil.html html/pk12util.html html/modutil.html \
html/ssltap.html html/derdump.html html/signtool.html html/signver.html html/pp.html \
-html/vfychain.html html/vfyserv.html
+html/vfychain.html html/vfyserv.html html/nss-policy-check.html
all-html: prepare $(HTMLPAGES)
diff --git a/doc/certutil.xml b/doc/certutil.xml
--- a/doc/certutil.xml
+++ b/doc/certutil.xml
@@ -180,6 +180,10 @@ For certificate requests, ASCII output d
</varlistentry>
<varlistentry>
+ <term>--simple-self-signed</term>
+ <listitem><para>When printing the certificate chain, don't search for a chain if issuer name equals to subject name.</para></listitem>
+ </varlistentry>
+ <varlistentry>
<term>-b validity-time</term>
<listitem><para>Specify a time at which a certificate is required to be valid. Use when checking certificate validity with the <option>-V</option> option. The format of the <emphasis>validity-time</emphasis> argument is <emphasis>YYMMDDHHMMSS[+HHMM|-HHMM|Z]</emphasis>, which allows offsets to be set relative to the validity end time. Specifying seconds (<emphasis>SS</emphasis>) is optional. When specifying an explicit time, use a Z at the end of the term, <emphasis>YYMMDDHHMMSSZ</emphasis>, to close it. When specifying an offset time, use <emphasis>YYMMDDHHMMSS+HHMM</emphasis> or <emphasis>YYMMDDHHMMSS-HHMM</emphasis> for adding or subtracting time, respectively.
</para>
diff --git a/doc/nss-policy-check.xml b/doc/nss-policy-check.xml
new file mode 100644
--- /dev/null
+++ b/doc/nss-policy-check.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
+<!ENTITY date SYSTEM "date.xml">
+<!ENTITY version SYSTEM "version.xml">
+]>
+
+<refentry id="nss-policy-check">
+
+ <refentryinfo>
+ <date>&date;</date>
+ <title>NSS Security Tools</title>
+ <productname>nss-tools</productname>
+ <productnumber>&version;</productnumber>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>NSS-POLICY-CHECK</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-policy-check</refname>
+ <refpurpose>nss-policy-check policy-file</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nss-policy-check</command>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsection id="description">
+ <title>Description</title>
+ <para><command>nss-policy-check</command> verifies crypto-policy configuration that controls certain crypto algorithms are allowed/disallowed to use in the NSS library.</para>
+
+ <para>The crypto-policy configuration can be stored in either a system-wide configuration file, specified with the POLICY_PATH and POLICY_FILE build options, or in the pkcs11.txt in NSS database.</para>
+ </refsection>
+
+ <refsection id="basic-usage">
+ <title>Usage and Examples</title>
+ <para>To check the global crypto-policy configuration in <filename>/etc/crypto-policies/back-ends/nss.config</filename>:
+ </para>
+ <programlisting>$ nss-policy-check /etc/crypto-policies/back-ends/nss.config
+NSS-POLICY-INFO: LOADED-SUCCESSFULLY
+NSS-POLICY-INFO: PRIME256V1 is enabled for KX
+NSS-POLICY-INFO: PRIME256V1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP256R1 is enabled for KX
+NSS-POLICY-INFO: SECP256R1 is enabled for CERT-SIGNATURE
+NSS-POLICY-INFO: SECP384R1 is enabled for KX
+NSS-POLICY-INFO: SECP384R1 is enabled for CERT-SIGNATURE
+...
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG-KX: 13
+NSS-POLICY-INFO: NUMBER-OF-SSL-ALG: 9
+NSS-POLICY-INFO: NUMBER-OF-CERT-SIG: 9
+...
+NSS-POLICY-INFO: ciphersuite TLS_AES_128_GCM_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_CHACHA20_POLY1305_SHA256 is enabled
+NSS-POLICY-INFO: ciphersuite TLS_AES_256_GCM_SHA384 is enabled
+...
+NSS-POLICY-INFO: NUMBER-OF-CIPHERSUITES: 24
+NSS-POLICY-INFO: NUMBER-OF-TLS-VERSIONS: 3
+NSS-POLICY-INFO: NUMBER-OF-DTLS-VERSIONS: 2
+ </programlisting>
+ <para>If there is a failure or warning, it will be prefixed with
+ NSS-POLICY-FAIL or NSS-POLICY_WARN.
+ </para>
+ <para><command>nss-policy-check</command> exits with 2 if any
+ failure is found, 1 if any warning is found, or 0 if no errors are
+ found.</para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="resources">
+ <title>Additional Resources</title>
+ <para>For information about NSS and other tools related to NSS (like JSS), check out the NSS project wiki at <ulink url="http://www.mozilla.org/projects/security/pki/nss/">http://www.mozilla.org/projects/security/pki/nss/</ulink>. The NSS site relates directly to NSS code changes and releases.</para>
+ <para>Mailing lists: https://lists.mozilla.org/listinfo/dev-tech-crypto</para>
+ <para>IRC: Freenode at #dogtag-pki</para>
+ </refsection>
+
+<!-- fill in your name first; keep the other names for reference -->
+ <refsection id="authors">
+ <title>Authors</title>
+ <para>The NSS tools were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
+ <para>
+ Authors: Elio Maldonado &lt;emaldona@redhat.com>, Deon Lackey &lt;dlackey@redhat.com>.
+ </para>
+ </refsection>
+
+<!-- don't change -->
+ <refsection id="license">
+ <title>LICENSE</title>
+ <para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ </para>
+ </refsection>
+
+</refentry>
diff --git a/doc/pk12util.xml b/doc/pk12util.xml
--- a/doc/pk12util.xml
+++ b/doc/pk12util.xml
@@ -108,7 +108,7 @@
</varlistentry>
<varlistentry>
- <term>-n | --cert-key-len certKeyLength</term>
+ <term>--cert-key-len certKeyLength</term>
<listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
</varlistentry>

View File

@ -0,0 +1,35 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1557150127 -7200
# Mon May 06 15:42:07 2019 +0200
# Node ID 438ac983bda9ec7944990d22a37877e9111caa90
# Parent b018f3e84d87cce99a1fd81feeecb31123058687
pk11slot: reference module from slot for finalization
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
--- a/lib/pk11wrap/pk11slot.c
+++ b/lib/pk11wrap/pk11slot.c
@@ -1439,6 +1439,11 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
slot->slotID = slotID;
slot->isThreadSafe = mod->isThreadSafe;
slot->hasRSAInfo = PR_FALSE;
+ slot->module = mod; /* NOTE: we don't make a reference here because
+ * modules have references to their slots. This
+ * works because modules keep implicit references
+ * from their slots, and won't unload and disappear
+ * until all their slots have been freed */
if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) {
slot->disabled = PR_TRUE;
@@ -1448,11 +1453,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
/* test to make sure claimed mechanism work */
slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
- slot->module = mod; /* NOTE: we don't make a reference here because
- * modules have references to their slots. This
- * works because modules keep implicit references
- * from their slots, and won't unload and disappear
- * until all their slots have been freed */
(void)PK11_MakeString(NULL, slot->slot_name,
(char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);

View File

@ -0,0 +1,24 @@
# HG changeset patch
# User Greg Rubin <rubin@amazon.com>
# Date 1558464083 25200
# Tue May 21 11:41:23 2019 -0700
# Branch NSS_3_44_BRANCH
# Node ID 1eac9016c021055018389a5cb117678ecc61782a
# Parent 416a8f7cf8986103b4d74694aac1198edbb08b3e
Bug 1554336 - Optimize away unneeded loop in mpi.c r=kevinjacobs,jcj
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -2063,7 +2063,10 @@ s_mp_almost_inverse(const mp_int *a, con
}
}
if (res >= 0) {
- while (MP_SIGN(c) != MP_ZPOS) {
+ if (mp_cmp_mag(c, p) >= 0) {
+ MP_CHECKOK(mp_div(c, p, NULL, c));
+ }
+ if (MP_SIGN(c) != MP_ZPOS) {
MP_CHECKOK(mp_add(c, p, c));
}
res = k;

View File

@ -0,0 +1,96 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1559121620 -7200
# Wed May 29 11:20:20 2019 +0200
# Node ID 29a48b604602a523defd6f9322a5adeca7e284a5
# Parent 43a7fb4f994a31222c308113b0fccdd5480d5b8e
Bug 1553443, send session ticket only after handshake is marked as finished
Reviewers: mt
Reviewed By: mt
Bug #: 1553443
Differential Revision: https://phabricator.services.mozilla.com/D32128
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -537,6 +537,40 @@ TEST_F(TlsConnectStreamTls13, PostHandsh
capture_cert_req->buffer().len()));
}
+// Check if post-handshake auth still works when session tickets are enabled:
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
+TEST_F(TlsConnectStreamTls13, PostHandshakeAuthWithSessionTicketsEnabled) {
+ EnsureTlsSetup();
+ client_->SetupClientAuth();
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
+ SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE));
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
+ size_t called = 0;
+ server_->SetAuthCertificateCallback(
+ [&called](TlsAgent*, PRBool, PRBool) -> SECStatus {
+ called++;
+ return SECSuccess;
+ });
+ Connect();
+ EXPECT_EQ(0U, called);
+ // Send CertificateRequest.
+ EXPECT_EQ(SECSuccess, SSL_GetClientAuthDataHook(
+ client_->ssl_fd(), GetClientAuthDataHook, nullptr));
+ EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd()))
+ << "Unexpected error: " << PORT_ErrorToName(PORT_GetError());
+ server_->SendData(50);
+ client_->ReadBytes(50);
+ client_->SendData(50);
+ server_->ReadBytes(50);
+ EXPECT_EQ(1U, called);
+ ScopedCERTCertificate cert1(SSL_PeerCertificate(server_->ssl_fd()));
+ ScopedCERTCertificate cert2(SSL_LocalCertificate(client_->ssl_fd()));
+ EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
// In TLS 1.3, the client sends its cert rejection on the
// second flight, and since it has already received the
// server's Finished, it transitions to complete and
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -4561,6 +4561,11 @@ tls13_ServerHandleFinished(sslSocket *ss
return SECFailure;
}
+ rv = tls13_FinishHandshake(ss);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
ssl_GetXmitBufLock(ss);
if (ss->opt.enableSessionTickets) {
rv = tls13_SendNewSessionTicket(ss, NULL, 0);
@@ -4573,8 +4578,7 @@ tls13_ServerHandleFinished(sslSocket *ss
}
}
ssl_ReleaseXmitBufLock(ss);
-
- return tls13_FinishHandshake(ss);
+ return SECSuccess;
loser:
ssl_ReleaseXmitBufLock(ss);
diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
--- a/tests/ssl/sslauth.txt
+++ b/tests/ssl/sslauth.txt
@@ -42,6 +42,7 @@
noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
+ noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth)
#
# Use EC cert for client authentication
#

View File

@ -0,0 +1,11 @@
diff -up nss/gtests/manifest.mn.skip-sysinit-gtests nss/gtests/manifest.mn
--- nss/gtests/manifest.mn.skip-sysinit-gtests 2019-04-26 12:55:05.979302035 +0200
+++ nss/gtests/manifest.mn 2019-04-26 12:55:09.507228984 +0200
@@ -27,7 +27,6 @@ NSS_SRCDIRS = \
smime_gtest \
softoken_gtest \
ssl_gtest \
- $(SYSINIT_GTEST) \
nss_bogo_shim \
$(NULL)
endif

View File

@ -0,0 +1,27 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1558341826 -7200
# Mon May 20 10:43:46 2019 +0200
# Node ID b447f0046807b718d2928d0e33313620d38a287a
# Parent 02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
tests: skip TLS 1.3 tests under FIPS mode
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -393,6 +393,15 @@ ssl_auth()
echo "${testname}" | grep "TLS 1.3" > /dev/null
TLS13=$?
+ # Currently TLS 1.3 tests are known to fail under FIPS mode,
+ # because HKDF is implemented using the PKCS #11 functions
+ # prohibited under FIPS mode.
+ if [ "${TLS13}" -eq 0 ] && \
+ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ continue
+ fi
+
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then

File diff suppressed because it is too large Load Diff

View File

@ -1,6 +0,0 @@
-b /lib{,64}/libfreeblpriv3.so
-b /lib{,64}/libsoftokn3.so
-b /lib{,64}/libnssdbm3.so
-b /usr/lib{,64}/libfreeblpriv3.so
-b /usr/lib{,64}/libsoftokn3.so
-b /usr/lib{,64}/libnssdbm3.so

View File

@ -0,0 +1,106 @@
Index: nss/lib/sysinit/nsssysinit.c
===================================================================
--- nss.orig/lib/sysinit/nsssysinit.c
+++ nss/lib/sysinit/nsssysinit.c
@@ -36,41 +36,9 @@ testdir(char *dir)
return S_ISDIR(buf.st_mode);
}
-/**
- * Append given @dir to @path and creates the directory with mode @mode.
- * Returns 0 if successful, -1 otherwise.
- * Assumes that the allocation for @path has sufficient space for @dir
- * to be added.
- */
-static int
-appendDirAndCreate(char *path, char *dir, mode_t mode)
-{
- PORT_Strcat(path, dir);
- if (!testdir(path)) {
- if (mkdir(path, mode)) {
- return -1;
- }
- }
- return 0;
-}
-
-#define XDG_NSS_USER_PATH1 "/.local"
-#define XDG_NSS_USER_PATH2 "/share"
-#define XDG_NSS_USER_PATH3 "/pki"
-
#define NSS_USER_PATH1 "/.pki"
#define NSS_USER_PATH2 "/nssdb"
-
-/**
- * Return the path to user's NSS database.
- * We search in the following dirs in order:
- * (1) $HOME/.pki/nssdb;
- * (2) $XDG_DATA_HOME/pki/nssdb if XDG_DATA_HOME is set;
- * (3) $HOME/.local/share/pki/nssdb (default XDG_DATA_HOME value).
- * If (1) does not exist, then the returned dir will be set to either
- * (2) or (3), depending if XDG_DATA_HOME is set.
- */
-char *
+static char *
getUserDB(void)
{
char *userdir = PR_GetEnvSecure("HOME");
@@ -81,47 +49,22 @@ getUserDB(void)
}
nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2));
+ if (nssdir == NULL) {
+ return NULL;
+ }
PORT_Strcpy(nssdir, userdir);
- PORT_Strcat(nssdir, NSS_USER_PATH1 NSS_USER_PATH2);
- if (testdir(nssdir)) {
- /* $HOME/.pki/nssdb exists */
- return nssdir;
- } else {
- /* either $HOME/.pki or $HOME/.pki/nssdb does not exist */
+ /* verify it exists */
+ if (!testdir(nssdir)) {
PORT_Free(nssdir);
- }
- int size = 0;
- char *xdguserdatadir = PR_GetEnvSecure("XDG_DATA_HOME");
- if (xdguserdatadir) {
- size = strlen(xdguserdatadir);
- } else {
- size = strlen(userdir) + sizeof(XDG_NSS_USER_PATH1) + sizeof(XDG_NSS_USER_PATH2);
- }
- size += sizeof(XDG_NSS_USER_PATH3) + sizeof(NSS_USER_PATH2);
-
- nssdir = PORT_Alloc(size);
- if (nssdir == NULL) {
return NULL;
}
-
- if (xdguserdatadir) {
- PORT_Strcpy(nssdir, xdguserdatadir);
- if (!testdir(nssdir)) {
- PORT_Free(nssdir);
- return NULL;
- }
-
- } else {
- PORT_Strcpy(nssdir, userdir);
- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH1, 0755) ||
- appendDirAndCreate(nssdir, XDG_NSS_USER_PATH2, 0755)) {
- PORT_Free(nssdir);
- return NULL;
- }
+ PORT_Strcat(nssdir, NSS_USER_PATH1);
+ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
+ PORT_Free(nssdir);
+ return NULL;
}
- /* ${XDG_DATA_HOME:-$HOME/.local/share}/pki/nssdb */
- if (appendDirAndCreate(nssdir, XDG_NSS_USER_PATH3, 0760) ||
- appendDirAndCreate(nssdir, NSS_USER_PATH2, 0760)) {
+ PORT_Strcat(nssdir, NSS_USER_PATH2);
+ if (!testdir(nssdir) && mkdir(nssdir, 0760)) {
PORT_Free(nssdir);
return NULL;
}

View File

@ -1,12 +1,14 @@
%global nspr_version 4.20.0
%global nss_version 3.41.0
%global nspr_version 4.21.0
%global nss_version 3.44.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
%global dracutlibdir %{_prefix}/lib/dracut
%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
# The timestamp of our downstream manual pages, e.g., nss-config.1
%global manual_date "Nov 13 2013"
%bcond_without tests
# Produce .chk files for the final stripped binaries
@ -44,7 +46,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 5%{?dist}
Release: 14%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
@ -70,7 +72,6 @@ Source1: nss-util.pc.in
Source2: nss-util-config.in
Source3: nss-softokn.pc.in
Source4: nss-softokn-config.in
Source5: nss-softokn-prelink.conf
Source6: nss-softokn-dracut-module-setup.sh
Source7: nss-softokn-dracut.conf
Source8: nss.pc.in
@ -91,11 +92,14 @@ Source25: key3.db.xml
Source26: key4.db.xml
Source27: secmod.db.xml
Source28: nss-p11-kit.config
Source29: nss-softokn-cavs-1.0.tar.gz
# To inject hardening flags for DSO
Patch1: nss-dso-ldflags.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch2: nss-539183.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1549382
Patch3: nss-module-leak.patch
# This patch uses the GCC -iquote option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to give the in-tree headers a higher priority over the system headers,
@ -108,17 +112,49 @@ Patch2: nss-539183.patch
# Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it.
Patch4: iquote.patch
# Local patch for enabling FIPS when the system is in FIPS mode:
# https://bugzilla.redhat.com/show_bug.cgi?id=852023
Patch55: enable-fips-when-system-is-in-fips-mode.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
Patch5: nss-skip-tls13-fips.patch
# TLS 1.3 currently doesn't work under FIPS mode:
# https://bugzilla.redhat.com/show_bug.cgi?id=1710372
Patch6: nss-fips-disable-tls13.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552208
Patch7: nss-disable-pkcs1-sigalgs-tls13.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
Patch8: nss-post-handshake-auth-with-tickets.patch
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
Patch9: nss-sysinit-userdb.patch
# Disable nss-sysinit test which is sorely to test the above change
Patch10: nss-skip-sysinit-gtests.patch
# Upstream patch didn't make 3.44
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229
Patch200: nss-ike-patch.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546477
Patch201: nss-softokn-fips-update.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1493936
Patch129: nss-dsa.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1496124
Patch150: nss-3.39-create-public-key-on-private-import.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1513909
Patch151: nss-manpage-fixes.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
Patch202: nss-8-fix-public-key-from-priv.patch
Patch204: nss-8-add-ipsec-usage-to-manpage.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1560329
Patch205: nss-drbg-continuous.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1559906
Patch206: nss-fipstest-tls12-prf.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1554336
Patch210: nss-mpi-loop.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1540541
Patch211: nss-leading-zero.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1515342
Patch212: nss-input-check.patch
Patch213: nss-3.44-missing-softokn-kdf.patch
Patch214: nss-3.44-cmac.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1566131
Patch215: nss-3.44-ske-policy.patch
Patch216: nss-3.44-kbkdf.patch
Patch217: nss-3.44-kbkdf-update.patch
Patch218: nss-3.44-encrypt-update.patch
Patch219: nss-3.44-kbkdf-coverity.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -213,7 +249,6 @@ Requires: nspr >= 4.12
# For NSS_SecureMemcmpZero() from nss-util >= 3.33
Requires: nss-util >= 3.33
Conflicts: nss < 3.12.2.99.3-5
Conflicts: prelink < 0.4.3
Conflicts: filesystem < 3
%description softokn-freebl
@ -247,11 +282,15 @@ Header and library files for doing development with Network Security Services.
%prep
%setup -q -n %{name}-%{nss_archive_version}
#autosetup -N -S quilt -n %{name}-%{nss_archive_version}
%autosetup -N -n %{name}-%{nss_archive_version} -a 29
pushd nss
%autopatch -p1
popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
%build
@ -292,6 +331,8 @@ export NSS_USE_SYSTEM_SQLITE=1
export NSS_ALLOW_SSLKEYLOGFILE=1
export NSS_SEED_ONLY_DEV_URANDOM=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
export USE_64=1
@ -311,8 +352,12 @@ export POLICY_PATH="/etc/crypto-policies/back-ends"
make -C ./nss
# build the man pages clean
pushd ./nss
make clean_docs build_docs
pushd ./nss/doc
rm -rf ./nroff
make clean
echo -n %{manual_date} > date.xml
echo -n %{version} > version.xml
make
popd
# and copy them to the dist directory for %%install to find them
@ -493,35 +538,6 @@ pushd nss/tests
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
popd
# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
# Grep exits with status greater than 1 if an error ocurred.
# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
echo "okay: test suite detected no failures"
else
if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
# while a situation in which grep return status is 0 and it doesn't output
# anything shouldn't happen, set the default to something that is
# obviously wrong (-1)
echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
exit 1
else
if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
echo "error: grep has not found log file"
exit 1
else
echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
exit 1
fi
fi
fi
echo "test suite completed"
%endif
%install
@ -535,7 +551,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}
mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
mkdir -p $RPM_BUILD_ROOT/%{prelink_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
@ -546,7 +561,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
%endif
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{prelink_conf_dir}
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
@ -595,7 +609,7 @@ do
done
# Copy some freebl include files we also want
for file in blapi.h alghmac.h
for file in blapi.h alghmac.h cmac.h
do
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
@ -657,10 +671,10 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
/usr/bin/setup-nsssysinit.sh on
%post
update-crypto-policies --no-reload
update-crypto-policies --no-reload &> /dev/null || :
%postun
update-crypto-policies --no-reload
update-crypto-policies --no-reload &> /dev/null || :
%files
@ -880,8 +894,6 @@ update-crypto-policies --no-reload
%{_libdir}/libfreeblpriv3.so
%{_libdir}/libfreeblpriv3.chk
#shared
%dir %{prelink_conf_dir}
%{prelink_conf_dir}/nss-softokn-prelink.conf
%dir %{dracut_modules_dir}
%{dracut_modules_dir}/module-setup.sh
%{dracut_conf_dir}/50-nss-softokn.conf
@ -891,6 +903,7 @@ update-crypto-policies --no-reload
%{_includedir}/nss3/blapi.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/alghmac.h
%{_includedir}/nss3/cmac.h
%{_includedir}/nss3/lowkeyi.h
%{_includedir}/nss3/lowkeyti.h
@ -915,6 +928,67 @@ update-crypto-policies --no-reload
%changelog
* Tue Dec 3 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-14
- Fix coverify scan issue
* Mon Dec 2 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-13
- Fix endian problem in SP-800 108 code.
* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-12
- Install cmac.h required by blapi.h (#1764513)
- Fix out-of-bounds write in NSC_EncryptUpdate (#1775913)
* Wed Nov 27 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-11
- Add SP-800 108 Generalized kdf
* Mon Nov 11 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-10
- Check policy against hash algorithms used for ServerKeyExchange (#1730039)
* Wed Nov 6 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-9
- Add CMAC
* Thu Aug 8 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-8
- CKM_NSS_IKE1_APP_B_PRF_DERIVE was missing from the mechanism list, preventing
PK11_Derive*() from using it. Add gtests for the PK11_Derive interface for
all the CKM_NSS_IKE*_DERIVE mechanism.
* Wed Jul 3 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-7
- Backport fixes from 3.44.1
* Wed Jun 26 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-6
- Add continuous RNG test required by FIPS
- fipstest: use CKM_TLS12_MASTER_KEY_DERIVE instead of vendor specific mechanism
* Mon Jun 10 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-5
- Rebuild with the correct build target
*Fri Jun 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4.1
- rebuild to try to retrigger CI tests
*Wed Jun 5 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-4
- Fix certutil man page
- Fix extracting a public key from a private key for dh, ec, and dsa
* Thu May 30 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-3
- Disable TLS 1.3 under FIPS mode
- Disable RSASSA-PKCS1-v1_5 in TLS 1.3
- Fix post-handshake auth transcript calculation if
SSL_ENABLE_SESSION_TICKETS is set
- Revert the change to use XDG basedirs (mozilla#818686)
* Fri May 24 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-2
- Add ike mechanisms in softokn
- Add FIPS checks in softoken
* Fri May 24 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-1
- Update to NSS 3.44
- Define NSS_SEED_ONLY_DEV_URANDOM=1 to exclusively use getentropy
- Use %%autosetup
- Clean up manual pages generation
- Clean up %%check
- Remove prelink dependency, which is not available in RHEL-8
- Remove upstreamed patches
* Mon Dec 17 2018 Daiki Ueno <dueno@redhat.com> - 3.41.0-5
- Update manual pages to reflect recent changes in commands