rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-46839

Browse Source 
Rebase nss to 3.101 for Firefox 128
This commit is contained in:
Robert Relyea 2024-07-11 08:39:43 -07:00
parent 93b285fd32
commit 5fabc5f7a8
33 changed files with 4454 additions and 3753 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -89,3 +89,4 @@ TestUser51.cert
/nss-3.96-with-nspr-4.35.tar.gz
/nss-3.96.1-with-nspr-4.35.tar.gz
/nss-3.97-with-nspr-4.35.tar.gz
/nss-3.101-with-nspr-4.35.tar.gz

68
STAGE2-nss
View File

@ -1,68 +0,0 @@
#requires nspr
#requires perl
#requires nss-util
#requires nss-softokn
mcd $BUILDDIR/nss
export BUILD_OPT=1
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSPR_LIB_DIR=/usr/lib${SUFFIX}
export NSS_USE_SYSTEM_SQLITE=1
export NSS_BUILD_WITHOUT_SOFTOKEN=1
export USE_SYSTEM_SOFTOKEN=1
export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_NSSUTIL=1
export FREEBL_INCLUDE_DIR=/usr/include/nss3
export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_FREEBL=1
export NSS_USE_SYSTEM_FREEBL=1
export FREEBL_NO_DEPEND=1
export IN_TREE_FREEBL_HEADERS_FIRST=1
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_NO_SSL2_NO_EXPORT=1
export NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_NO_PKCS11_BYPASS=1
#export NSDISTMODE="copy"
if [ "$SUFFIX" = "64" ]; then
USE_64=1
export USE_64
fi
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
make -C $SRC/nss-3.*/nss/coreconf
make -C $SRC/nss-3.*/nss/lib/dbm
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/verref.h which is exported privately, move it to where it can be found.
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
make -C $SRC/nss-3.*/nss
cd $SRC/nss-3.*/nss/coreconf
make install
cd $SRC/nss-3.*/nss/lib/dbm
make install
cd $SRC/nss-3.*/nss
make install
# Copy the binary libraries we want
NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
# BOZO: temporarily disable FIPS140 support
#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
NSSLIBCHKS=""
# END BOZO
cd $SRC/nss-3.*
for file in $NSSLIBS $NSSLIBCHKS
do
install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
done
# Copy the include files we want
for file in $SRC/nss-*/dist/public/nss/*.h
do
install -p -m 644 $file /usr/include/nss3/
done

59
cert8.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert8.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert8.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert8.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
key3.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key3.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key3.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key3.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

51
nspr-4.34-fix-coverity-loop-issue.patch Normal file
View File

@ -0,0 +1,51 @@
diff --git a/pr/src/misc/prnetdb.c b/pr/src/misc/prnetdb.c
--- a/pr/src/misc/prnetdb.c
+++ b/pr/src/misc/prnetdb.c
@@ -2209,28 +2209,38 @@ PR_GetPrefLoopbackAddrInfo(PRNetAddr *re
PRBool result_still_empty = PR_TRUE;
PRADDRINFO *ai = res;
do {
PRNetAddr aNetAddr;
while (ai && ai->ai_addrlen > sizeof(PRNetAddr))
ai = ai->ai_next;
- if (ai) {
- /* copy sockaddr to PRNetAddr */
- memcpy(&aNetAddr, ai->ai_addr, ai->ai_addrlen);
- aNetAddr.raw.family = ai->ai_addr->sa_family;
+ if (!ai) {
+ break;
+ }
+
+ /* copy sockaddr to PRNetAddr */
+ memcpy(&aNetAddr, ai->ai_addr, ai->ai_addrlen);
+ aNetAddr.raw.family = ai->ai_addr->sa_family;
#ifdef _PR_INET6
- if (AF_INET6 == aNetAddr.raw.family)
- aNetAddr.raw.family = PR_AF_INET6;
+ if (AF_INET6 == aNetAddr.raw.family)
+ aNetAddr.raw.family = PR_AF_INET6;
#endif
- if (ai->ai_addrlen < sizeof(PRNetAddr))
- memset(((char*)result)+ai->ai_addrlen, 0,
- sizeof(PRNetAddr) - ai->ai_addrlen);
+ if (ai->ai_addrlen < sizeof(PRNetAddr))
+ memset(((char*)&aNetAddr)+ai->ai_addrlen, 0,
+ sizeof(PRNetAddr) - ai->ai_addrlen);
+
+ if (result->raw.family == PR_AF_INET) {
+ aNetAddr.inet.port = htons(port);
}
+ else {
+ aNetAddr.ipv6.port = htons(port);
+ }
+
/* If we obtain more than one result, prefer IPv6. */
if (result_still_empty || aNetAddr.raw.family == PR_AF_INET6) {
memcpy(result, &aNetAddr, sizeof(PRNetAddr));
}
result_still_empty = PR_FALSE;
ai = ai->ai_next;
}

12
nspr-4.34-server-passive.patch Normal file
View File

@ -0,0 +1,12 @@
diff -r c75b4e36b7e8 pr/src/misc/prnetdb.c
--- a/pr/src/misc/prnetdb.c Wed May 25 23:39:48 2022 +0200
+++ b/pr/src/misc/prnetdb.c Tue Jun 14 18:48:03 2022 -0400
@@ -2204,6 +2204,7 @@
memset(&hints, 0, sizeof(hints));
+ hints.ai_flags = AI_PASSIVE;
rv = GETADDRINFO(NULL, tmpBuf, &hints, &res);
if (rv == 0) {
PRBool result_still_empty = PR_TRUE;

107
nss-3.101-add-ems-policy.patch Normal file
View File

@ -0,0 +1,107 @@
diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700
@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
+
};
static const oidValDef smimeKxOptList[] = {
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+/* this oid value could change values if it's added after other new
+ * upstream oids. We protect applications by hiding the define in a private
+ * header file that only NSS sees. Currently it's only available through
+ * the policy code */
+#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
+
#endif /* _SECMODTI_H_ */
diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/ssl/ssl3con.c 2023-06-12 17:18:35.130938525 -0700
@@ -36,6 +36,7 @@
#include "pk11func.h"
#include "secmod.h"
#include "blapi.h"
+#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
#include <stdio.h>
@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
unsigned int master_params_len;
+ /* if we are using TLS and we aren't using the extended master secret,
+ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
+ * send and alert (eventually). In the RSA Server case, the alert
+ * won't happen until Finish time because the upper level code
+ * can't tell a difference between this failure and an RSA decrypt
+ * failure, so it will proceed with a faux key */
+ if (isTLS) {
+ PRUint32 policy;
+ SECStatus rv;
+
+ /* first fetch the policy for this algorithm */
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
+ /* we only look at the policy if we can fetch it. */
+ if (rv == SECSuccess) {
+ if (policy & NSS_USE_ALG_IN_SSL_KX) {
+ /* just set the error, we don't want to map any errors
+ * set by NSS_GetAlgorithmPolicy here */
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+ return SECFailure;
+ }
+ }
+ }
+
if (isTLS12) {
if (isDH)
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700
+++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700
@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
+
+ /* this will change upstream. for now apps shouldn't use it */
+ /* we need it for the policy code. */
+ ODE(SEC_OID_PRIVATE_1,
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
};
/* PRIVATE EXTENDED SECOID Table
@@ -2198,6 +2204,10 @@ SECOID_Init(void)
/* turn off NSS_USE_POLICY_IN_SSL by default */
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
+ /* turn off TLS REQUIRE EMS by default */
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+
+
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
if (envVal)
diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700
+++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700
@@ -530,6 +530,9 @@ typedef enum {
SEC_OID_RC2_64_CBC = 385,
SEC_OID_RC2_128_CBC = 386,
SEC_OID_ECDH_KEA = 387,
+ /* this will change upstream. for now apps shouldn't use it */
+ /* give it an obscure name here */
+ SEC_OID_PRIVATE_1 = 388,
SEC_OID_TOTAL
} SECOidTag;

81
nss-3.101-disable-ech.patch Normal file
View File

@ -0,0 +1,81 @@
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700
+++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700
@@ -59,7 +59,6 @@ CPPSRCS = \
tls_protect.cc \
tls_psk_unittest.cc \
tls_subcerts_unittest.cc \
- tls_ech_unittest.cc \
tls_xyber_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)
diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700
@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
SECStatus
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.enableTls13GreaseEch = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss || size == 0) {
return SECFailure;
@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
ssl_Release1stHandshakeLock(ss);
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.enableTls13BackendEch = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.callExtensionWriterOnEchInner = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus

81
nss-3.101-disable-md5.patch Normal file
View File

@ -0,0 +1,81 @@
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
NSS_USE_ALG_IN_PKCS12 },
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
@@ -91,21 +91,21 @@
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
# integrity policy check the various has based controls.
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
# encryption side. These tests purposefully tests that the default fails to encrypt
# but succeeds when decrypting.
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256

1347
nss-3.101-disable_dsa.patch Normal file
View File

File diff suppressed because it is too large Load Diff

13
nss-3.101-enable-kyber-policy.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
+ NSS_USE_ALG_IN_SSL_KX },
/* ANSI X9.62 named elliptic curves (characteristic two field) */
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },

63
nss-3.101-enable-sdb-tests.patch Normal file
View File

@ -0,0 +1,63 @@
diff -up ./tests/cert/cert.sh.no_dbm_tests ./tests/cert/cert.sh
--- ./tests/cert/cert.sh.no_dbm_tests 2024-06-20 17:08:03.146169243 -0700
+++ ./tests/cert/cert.sh 2024-06-20 17:08:23.282404259 -0700
@@ -2662,9 +2662,7 @@ cert_test_password
cert_test_distrust
cert_test_ocspresp
cert_test_rsapss
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- cert_test_rsapss_policy
-fi
+cert_test_rsapss_policy
cert_test_token_uri
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
diff -up ./tests/smime/smime.sh.no_dbm_tests ./tests/smime/smime.sh
--- ./tests/smime/smime.sh.no_dbm_tests 2024-06-20 17:08:45.147659448 -0700
+++ ./tests/smime/smime.sh 2024-06-20 17:09:05.313894814 -0700
@@ -872,8 +872,6 @@ smime_init
smime_main
smime_data_tb
smime_p7
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- smime_policy
-fi
+smime_policy
smime_cleanup
diff -up ./tests/ssl/ssl.sh.no_dbm_tests ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.no_dbm_tests 2024-06-20 17:09:28.588166454 -0700
+++ ./tests/ssl/ssl.sh 2024-06-20 17:09:54.351467232 -0700
@@ -1600,12 +1600,10 @@ ssl_run_tests()
do
case "${SSL_TEST}" in
"policy")
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- ssl_policy_listsuites
- ssl_policy_selfserv
- ssl_policy_pkix_ocsp
- ssl_policy
- fi
+ ssl_policy_listsuites
+ ssl_policy_selfserv
+ ssl_policy_pkix_ocsp
+ ssl_policy
;;
"crl")
ssl_crl_ssl
diff -up ./tests/tools/tools.sh.no_dbm_tests ./tests/tools/tools.sh
--- ./tests/tools/tools.sh.no_dbm_tests 2024-06-20 17:10:13.828694981 -0700
+++ ./tests/tools/tools.sh 2024-06-20 17:10:31.051896368 -0700
@@ -584,10 +584,8 @@ tools_p12()
tools_p12_export_with_invalid_ciphers
tools_p12_import_old_files
tools_p12_import_pbmac1_samples
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- tools_p12_import_rsa_pss_private_key
- tools_p12_policy
- fi
+ tools_p12_import_rsa_pss_private_key
+ tools_p12_policy
}
############################## tools_sign ##############################

12
nss-3.101-extend-db-dump-time.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
--- ./tests/dbtests/dbtests.sh.extend 2023-11-15 13:17:50.651020458 -0800
+++ ./tests/dbtests/dbtests.sh 2023-11-15 13:18:57.091608850 -0800
@@ -366,7 +366,7 @@ dbtest_main()
RARRAY=($dtime)
TIMEARRAY=(${RARRAY[1]//./ })
echo "${TIMEARRAY[0]} seconds"
- test ${TIMEARRAY[0]} -lt 5
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
ret=$?
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
fi

190
nss-3.101-fips-indicators.patch Normal file
View File

@ -0,0 +1,190 @@
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700
@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
context->blockSize = 0;
context->maxLen = 0;
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
- operation, key);
+ operation, key, 0);
*contextPtr = context;
return CKR_OK;
}
@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
crv = sftk_handleObject(key, session);
/* we need to do this check at the end, so we can check the generated
* key length against fips requirements */
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
session->lastOpWasFIPS = key->isFIPS;
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
return crv;
}
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0);
publicKey->isFIPS = privateKey->isFIPS;
session->lastOpWasFIPS = privateKey->isFIPS;
sftk_FreeSession(session);
@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
return CKR_TEMPLATE_INCONSISTENT;
}
+ if (!params->bExpand) {
+ keySize = hashLen;
+ }
+
/* sourceKey is NULL if we are called from the POST, skip the
* sensitiveCheck */
if (sourceKey != NULL) {
@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
- CKA_DERIVE, saltKey);
+ CKA_DERIVE, saltKey,
+ keySize);
}
saltKeySource = saltKey->source;
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* HKDF-Expand */
if (!params->bExpand) {
okm = prk;
- keySize = genLen = hashLen;
+ genLen = hashLen;
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
+ keySize);
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
/* check the FIPS table to determine if this current operation is allowed by
* FIPS security policy */
PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
- CK_ATTRIBUTE_TYPE op, SFTKObject *source);
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source,
+ CK_ULONG targetKeySize);
/* add validation objects to the slot */
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700
@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
static CK_ULONG
sftk_getKeyLength(SFTKObject *source)
{
- CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
+ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE;
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
return keyLength;
}
+PRBool
+sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
+{
+ switch (hash) {
+ case CKM_SHA256:
+ case CKG_MGF1_SHA256:
+ case CKM_SHA384:
+ case CKG_MGF1_SHA384:
+ case CKM_SHA512:
+ case CKG_MGF1_SHA512:
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
/*
* handle specialized FIPS semantics that are too complicated to
* handle with just a table. NOTE: this means any additional semantics
* would have to be coded here before they can be added to the table */
static PRBool
sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
+ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
+ CK_ULONG keyLength, CK_ULONG targetKeyLength)
{
switch (mechInfo->special) {
case SFTKFIPSDH: {
@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (hashObj == NULL) {
return PR_FALSE;
}
+ /* cap the salt for legacy keys */
+ if ((keyLength <= 1024) && (pss->sLen > 63)) {
+ return PR_FALSE;
+ }
+ /* cap the salt for based on the hash */
if (pss->sLen > hashObj->length) {
return PR_FALSE;
}
- return PR_TRUE;
+ return sftk_CheckFIPSHash(pss->hashAlg);
}
case SFTKFIPSPBKDF2: {
/* PBKDF2 must have the following addition restrictions
@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
return PR_TRUE;
}
+ /* check the hash mechanisms to make sure they themselves are FIPS */
+ case SFTKFIPSChkHash:
+ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
+ return PR_FALSE;
+ }
+ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+ + mechInfo->offset));
default:
break;
}
@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
PRBool
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
- SFTKObject *source)
+ SFTKObject *source, CK_ULONG targetKeyLength)
{
#ifndef NSS_HAS_FIPS_INDICATORS
return PR_FALSE;
@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
/* if we match the number of records exactly, then we are an
* approved algorithm in the approved mode with an approved key */
- if (((mech->mechanism == mechs->type) &&
- (opFlags == (mechs->info.flags & opFlags)) &&
- (keyLength <= mechs->info.ulMaxKeySize) &&
- (keyLength >= mechs->info.ulMinKeySize) &&
- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+ if ((mech->mechanism == mechs->type) &&
+ (opFlags == (mechs->info.flags & opFlags)) &&
+ (keyLength <= mechs->info.ulMaxKeySize) &&
+ (keyLength >= mechs->info.ulMinKeySize) &&
+ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
+ ((targetKeyLength == 0) ||
+ ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
+ (targetKeyLength >= mechs->info.ulMinKeySize) &&
+ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
((mechs->special == SFTKFIPSNone) ||
- sftk_handleSpecial(slot, mech, mechs, source))) {
+ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
return PR_TRUE;
}
}

490
nss-3.101-fips-review.patches Normal file
View File

@ -0,0 +1,490 @@
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700
@@ -445,7 +445,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{
- mp_int p, q, y, r;
+ mp_int p, q, y, r, psub1;
mp_err err;
int cmp = 1; /* default is false */
if (!Y || !prime || !subPrime) {
@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
MP_DIGITS(&q) = 0;
MP_DIGITS(&y) = 0;
MP_DIGITS(&r) = 0;
+ MP_DIGITS(&psub1) = 0;
CHECK_MPI_OK(mp_init(&p));
CHECK_MPI_OK(mp_init(&q));
CHECK_MPI_OK(mp_init(&y));
CHECK_MPI_OK(mp_init(&r));
+ CHECK_MPI_OK(mp_init(&psub1));
SECITEM_TO_MPINT(*prime, &p);
SECITEM_TO_MPINT(*subPrime, &q);
SECITEM_TO_MPINT(*Y, &y);
+ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
+ /*
+ * We check that the public value isn't zero (which isn't in the
+ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
+ * also check that the public value is less than p, to avoid being fooled
+ * by values like p+1 or 2*p-1.
+ * This check is required by SP-800-56Ar3. It's also done in derive,
+ * but this is only called in various FIPS cases, so put it here to help
+ * reviewers find it.
+ */
+ if (mp_cmp_d(&y, 1) <= 0 ||
+ mp_cmp(&y, &psub1) >= 0) {
+ err = MP_BADARG;
+ goto cleanup;
+ }
/* compute r = y**q mod p */
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
/* compare to 1 */
@@ -472,6 +489,7 @@ cleanup:
mp_clear(&q);
mp_clear(&y);
mp_clear(&r);
+ mp_clear(&psub1);
if (err) {
MP_TO_SEC_ERROR(err);
return PR_FALSE;
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700
@@ -43,6 +43,7 @@
#include "prprf.h"
#include "prenv.h"
+#include "prerror.h"
#define __PASTE(x, y) x##y
#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
* handle the base object stuff
*/
crv = sftk_handleObject(key, session);
+ /* we need to do this check at the end, so we can check the generated
+ * key length against fips requirements */
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
+ session->lastOpWasFIPS = key->isFIPS;
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
}
- /* we need to do this check at the end, so we can check the generated key length against
- * fips requirements */
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
if (crv == CKR_OK) {
*phKey = key->handle;
}
@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
if (isDerivable) {
SFTKAttribute *pubAttribute = NULL;
- CK_OBJECT_HANDLE newKey;
PRBool isFIPS = sftk_isFIPS(slot->slotID);
- CK_RV crv2;
- CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
- CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
- CK_ULONG keyLen = 128;
- CK_BBOOL ckTrue = CK_TRUE;
- CK_ATTRIBUTE template[] = {
- { CKA_CLASS, &secret, sizeof(secret) },
- { CKA_KEY_TYPE, &generic, sizeof(generic) },
- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
- };
- CK_ULONG templateCount = PR_ARRAY_SIZE(template);
- CK_ECDH1_DERIVE_PARAMS ecParams;
+ NSSLOWKEYPrivateKey *lowPrivKey = NULL;
+ ECPrivateKey *ecPriv;
+ SECItem *lowPubValue = NULL;
+ SECItem item;
+ SECStatus rv;
crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
- /* FIPS 140-2 requires we verify that the resulting key is a valid key.
- * The easiest way to do this is to do a derive operation, which checks
- * the validity of the key */
-
+ /* FIPS 140-3 requires we verify that the resulting key is a valid key
+ * by recalculating the public can an compare it to our own public
+ * key. */
+ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv);
+ if (lowPrivKey == NULL) {
+ return sftk_MapCryptError(PORT_GetError());
+ }
+ /* recalculate the public key from the private key */
switch (keyType) {
- case CKK_DH:
- mech.mechanism = CKM_DH_PKCS_DERIVE;
- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
- if (pubAttribute == NULL) {
- return CKR_DEVICE_ERROR;
- }
- mech.pParameter = pubAttribute->attrib.pValue;
- mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
- break;
- case CKK_EC:
- mech.mechanism = CKM_ECDH1_DERIVE;
- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
- if (pubAttribute == NULL) {
- return CKR_DEVICE_ERROR;
- }
- ecParams.kdf = CKD_NULL;
- ecParams.ulSharedDataLen = 0;
- ecParams.pSharedData = NULL;
- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
- ecParams.pPublicData = pubAttribute->attrib.pValue;
- mech.pParameter = &ecParams;
- mech.ulParameterLen = sizeof(ecParams);
- break;
- default:
- return CKR_DEVICE_ERROR;
+ case CKK_DH:
+ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime,
+ &lowPrivKey->u.dh.privateValue, &item, 0);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ lowPubValue = SECITEM_DupItem(&item);
+ SECITEM_ZfreeItem(&item, PR_FALSE);
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
+ break;
+ case CKK_EC:
+ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv,
+ lowPrivKey->u.ec.privateValue.data,
+ lowPrivKey->u.ec.privateValue.len);
+ if (rv != SECSuccess) {
+ return CKR_GENERAL_ERROR;
+ }
+ /* make sure it has the same encoding */
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
+ } else {
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));;
+ }
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
+ /* clear out our generated private key */
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
+ break;
+ default:
+ return CKR_DEVICE_ERROR;
}
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
- if (crv != CKR_OK) {
- sftk_FreeAttribute(pubAttribute);
- return crv;
+ /* now compare new public key with our already generated key */
+ if ((pubAttribute == NULL) || (lowPubValue == NULL) ||
+ (pubAttribute->attrib.ulValueLen != lowPubValue->len) ||
+ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data,
+ lowPubValue->len) != 0)) {
+ if (pubAttribute) sftk_FreeAttribute(pubAttribute);
+ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return CKR_GENERAL_ERROR;
}
+ SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
+
/* FIPS requires full validation, but in fipx mode NSC_Derive
* only does partial validation with approved primes, now handle
* full validation */
@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
SECItem pubKey;
SECItem prime;
SECItem subPrime;
+ SECItem base;
+ SECItem generator;
const SECItem *subPrimePtr = &subPrime;
pubKey.data = pubAttribute->attrib.pValue;
pubKey.len = pubAttribute->attrib.ulValueLen;
- prime.data = subPrime.data = NULL;
- prime.len = subPrime.len = 0;
+ base.data = prime.data = subPrime.data = NULL;
+ base.len = prime.len = subPrime.len = 0;
crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
if (crv != CKR_OK) {
goto done;
}
- crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
+ crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE);
+ if (crv != CKR_OK) {
+ goto done;
+ }
/* we ignore the return code an only look at the length */
- if (subPrime.len == 0) {
- /* subprime not supplied, In this case look it up.
- * This only works with approved primes, but in FIPS mode
- * that's the only kine of prime that will get here */
- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
- if (subPrimePtr == NULL) {
- crv = CKR_GENERAL_ERROR;
+ /* do we have a known prime ? */
+ subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS);
+ if (subPrimePtr == NULL) {
+ if (subPrime.len == 0) {
+ /* if not a known prime, subprime must be supplied */
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ } else {
+ /* not a known prime, check for primality of prime
+ * and subPrime */
+ if (!KEA_PrimeCheck(&prime)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ if (!KEA_PrimeCheck(&subPrime)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ /* if we aren't using a defined group, make sure base is in the
+ * subgroup. If it's not, then our key could fail or succeed sometimes.
+ * This makes the failure reliable */
+ if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ }
+ }
+ subPrimePtr = &subPrime;
+ } else {
+ /* we're using a known group, make sure we are using the known generator for that group */
+ if (SECITEM_CompareItem(&generator, &base) != 0) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
goto done;
}
+ if (subPrime.len != 0) {
+ /* we have a known prime and a supplied subPrime,
+ * make sure the subPrime matches the subPrime for
+ * the known Prime */
+ if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) {
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
+ goto done;
+ }
+ }
}
if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
- crv = CKR_GENERAL_ERROR;
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
}
done:
+ SECITEM_ZfreeItem(&base, PR_FALSE);
SECITEM_ZfreeItem(&subPrime, PR_FALSE);
SECITEM_ZfreeItem(&prime, PR_FALSE);
}
/* clean up before we return */
sftk_FreeAttribute(pubAttribute);
- crv2 = NSC_DestroyObject(hSession, newKey);
if (crv != CKR_OK) {
return crv;
}
- if (crv2 != CKR_OK) {
- return crv2;
- }
}
return CKR_OK;
@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
- sftk_FreeSession(session);
if (crv != CKR_OK) {
+ sftk_FreeSession(session);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (crv != CKR_OK) {
+ sftk_FreeSession(session);
NSC_DestroyObject(hSession, publicKey->handle);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
publicKey->isFIPS = privateKey->isFIPS;
+ session->lastOpWasFIPS = privateKey->isFIPS;
+ sftk_FreeSession(session);
*phPrivateKey = privateKey->handle;
*phPublicKey = publicKey->handle;
@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
- subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
+ subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS);
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
secretlen = tmp.len;
} else {
secretlen = keySize;
+ key->isFIPS = PR_FALSE;
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
&tmp, mechParams->pSharedData,
mechParams->ulSharedDataLen, mechParams->kdf);
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
* it's subprime value */
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS);
/* check if dhSubPrime claims dhPrime is a safe prime. */
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
/* map an operation Attribute to a Mechanism flag */
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700
@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
+ SECItem dhBase;
+ SECItem dhGenerator;
+ PRBool val = PR_FALSE;
const SECItem *dhSubPrime;
CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
source, CKA_PRIME);
if (crv != CKR_OK) {
return PR_FALSE;
}
- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
+ crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE);
+ if (crv != CKR_OK) {
+ return PR_FALSE;
+ }
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE);
+ val = (dhSubPrime) ? PR_TRUE : PR_FALSE;
+ if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) {
+ val = PR_FALSE;
+ }
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
- return (dhSubPrime) ? PR_TRUE : PR_FALSE;
+ SECITEM_ZfreeItem(&dhBase, PR_FALSE);
+ return val;
}
case SFTKFIPSNone:
return PR_FALSE;
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
(unsigned char *)subprime_tls_8192_data,
sizeof(subprime_tls_8192_data) };
+/* generator for all the groups is 2 */
+static const unsigned char generator_2_data[] = { 2 };
+
+
+static const SECItem generator_2 =
+ { siBuffer,
+ (unsigned char *)generator_2_data,
+ sizeof(generator_2_data) };
+
/*
* verify that dhPrime matches one of our known primes
*/
const SECItem *
-sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
+sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS)
{
/* use the length to decide which primes to check */
switch (dhPrime->len) {
@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
}
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
sizeof(prime_ike_1536)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_1536;
}
break;
case 2048 / PR_BITS_PER_BYTE:
if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
sizeof(prime_tls_2048)) == 0) {
+ if (g) *g = generator_2;
return &subprime_tls_2048;
}
if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
sizeof(prime_ike_2048)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_2048;
}
break;
case 3072 / PR_BITS_PER_BYTE:
if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
sizeof(prime_tls_3072)) == 0) {
+ if (g) *g = generator_2;
return &subprime_tls_3072;
}
if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
sizeof(prime_ike_3072)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_3072;
}
break;
case 4096 / PR_BITS_PER_BYTE:
if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
sizeof(prime_tls_4096)) == 0) {
+ if (g) *g = generator_2;
return &subprime_tls_4096;
}
if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
sizeof(prime_ike_4096)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_4096;
}
break;
case 6144 / PR_BITS_PER_BYTE:
if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
sizeof(prime_tls_6144)) == 0) {
+ if (g) *g = generator_2;
return &subprime_tls_6144;
}
if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
sizeof(prime_ike_6144)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_6144;
}
break;
case 8192 / PR_BITS_PER_BYTE:
if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
sizeof(prime_tls_8192)) == 0) {
+ if (g) *g = generator_2;
return &subprime_tls_8192;
}
if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
sizeof(prime_ike_8192)) == 0) {
+ if (g) *g = generator_2;
return &subprime_ike_8192;
}
break;
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
goto fail;
}
} else {
+ /* ikev1 isn't validated, if we use this function in ikev1 mode,
+ * mark the resulting key as not FIPS */
+ if (!params->bRekey) {
+ outKey->isFIPS = PR_FALSE;
+ }
crv = prf_init(&context, inKey->attrib.pValue,
inKey->attrib.ulValueLen);
if (crv != CKR_OK) {

12
nss-3.101-fix-rsa-policy-test.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./tests/ssl/sslpolicy.txt.fix_rsa_policy ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.fix_rsa_policy 2024-06-21 11:08:01.765937907 -0700
+++ ./tests/ssl/sslpolicy.txt 2024-06-21 11:08:55.598540079 -0700
@@ -195,7 +195,7 @@
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
# test default settings

22
nss-3.101-skip-ocsp-if-not-connected.patch Normal file
View File

@ -0,0 +1,22 @@
diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.disable_ocsp_policy 2024-07-05 14:18:03.985453657 -0700
+++ ./tests/ssl/ssl.sh 2024-07-05 14:21:59.308250122 -0700
@@ -968,6 +968,18 @@ ssl_policy_pkix_ocsp()
#verbose="-v"
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
+ # if we are running on a build machine that can't tolerate external
+ # references don't run.
+ vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
+ RET=$? ; cat ${P_R_SERVERDIR}/vfy2.out"
+ # 5961 reset by peer
+ grep 5961 ${P_R_SERVERDIR}/vfy2.out
+ GRET=$? ; echo "OCSP: RET=$RET GRET=$GRET"
+ if [ $RET -ne 0 -o $GRET -eq 0 ]; then
+ echo "$SCRIPTNAME: skipping Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE - can't reach external servers"
+ return 0
+ fi
+
PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
unset NSS_DISABLE_LIBPKIX_VERIFY

20
nss-3.71-camellia-pkcs12-doc.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
<refsection id="encryption">
<title>Password Encryption</title>
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
<para>The private key is always protected with strong encryption by default.</para>
<para>Several types of ciphers are supported.</para>
<variablelist>
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
<listitem>
<itemizedlist>
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>

26
nss-3.71-fix-lto-gtests.patch Normal file
View File

@ -0,0 +1,26 @@
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
@@ -15,13 +15,22 @@
#include "gtest_utils.h"
#include "tls_agent.h"
#include "tls_connect.h"
+#define LTO
namespace nss_test {
+#ifndef LTO
+// sigh this construction breaks LTO
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
const std::string kDCId = TlsAgent::kServerEcdsa256;
+#else
+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
+#define kDCId TlsAgent::kServerEcdsa256
+#endif
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;

3411
nss-3.79-dbtool.patch
View File

File diff suppressed because it is too large Load Diff

375
nss-3.79-distrusted-certs.patch Normal file
View File

@ -0,0 +1,375 @@
# HG changeset patch
# User John M. Schanck <jschanck@mozilla.com>
# Date 1648094761 0
# Thu Mar 24 04:06:01 2022 +0000
# Node ID b722e523d66297fe4bc1fac0ebb06203138eccbb
# Parent 853b64626b19a46f41f4ba9c684490dc15923c94
Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson
Differential Revision: https://phabricator.services.mozilla.com/D141919
diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt
--- a/lib/ckfw/builtins/certdata.txt
+++ b/lib/ckfw/builtins/certdata.txt
@@ -7663,197 +7663,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL
\377\377
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
-# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
-#
-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
-# Serial Number: 268435455 (0xfffffff)
-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
-# Not Valid Before: Wed May 12 08:51:39 2010
-# Not Valid After : Mon Mar 23 09:50:05 2020
-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
-CKA_SUBJECT MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
-\156\151\163\141\164\151\145\040\055\040\107\062
-END
-CKA_ID UTF8 "0"
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
-\156\151\163\141\164\151\145\040\055\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\017\377\377\377
-END
-CKA_VALUE MULTILINE_OCTAL
-\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
-\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
-\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
-\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
-\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
-\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
-\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
-\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
-\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
-\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
-\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
-\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
-\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
-\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
-\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
-\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
-\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
-\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
-\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
-\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
-\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
-\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
-\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
-\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
-\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
-\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
-\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
-\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
-\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
-\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
-\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
-\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
-\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
-\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
-\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
-\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
-\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
-\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
-\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
-\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
-\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
-\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
-\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
-\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
-\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
-\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
-\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
-\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
-\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
-\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
-\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
-\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
-\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
-\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
-\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
-\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
-\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
-\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
-\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
-\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
-\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
-\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
-\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
-\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
-\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
-\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
-\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
-\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
-\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
-\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
-\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
-\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
-\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
-\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
-\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
-\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
-\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
-\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
-\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
-\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
-\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
-\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
-\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
-\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
-\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
-\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
-\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
-\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
-\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
-\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
-\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
-\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
-\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
-\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
-\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
-\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
-\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
-\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
-\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
-\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
-\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
-\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
-\244\363\116\272\067\230\173\202\271
-END
-
-# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
-# Serial Number: 268435455 (0xfffffff)
-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
-# Not Valid Before: Wed May 12 08:51:39 2010
-# Not Valid After : Mon Mar 23 09:50:05 2020
-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
-CKA_CERT_SHA1_HASH MULTILINE_OCTAL
-\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
-\222\341\102\102
-END
-CKA_CERT_MD5_HASH MULTILINE_OCTAL
-\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
-END
-CKA_ISSUER MULTILINE_OCTAL
-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
-\156\151\163\141\164\151\145\040\055\040\107\062
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\017\377\377\377
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-#
# Certificate "Security Communication RootCA2"
#
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
# Serial Number: 0 (0x0)
# Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
# Not Valid Before: Fri May 29 05:00:39 2009
# Not Valid After : Tue May 29 05:00:39 2029
# Fingerprint (SHA-256): 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6
@@ -8337,78 +8156,16 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\000
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
-# Serial Number: 1800000005 (0x6b49d205)
-# Not Before: Apr 7 15:37:15 2011 GMT
-# Not After : Apr 4 15:37:15 2021 GMT
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\153\111\322\005
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
-# Serial Number: 1800000006 (0x6b49d206)
-# Not Before: Apr 18 21:09:30 2011 GMT
-# Not After : Apr 15 21:09:30 2021 GMT
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
-\100\164\162\165\163\164\167\141\166\145\056\143\157\155
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\004\153\111\322\006
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
#
# Certificate "Actalis Authentication Root CA"
#
# Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
# Serial Number:57:0a:11:97:42:c4:e3:cc
# Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT
# Not Valid Before: Thu Sep 22 11:22:02 2011
# Not Valid After : Sun Sep 22 11:22:02 2030
@@ -9042,84 +8799,16 @@ END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
-# Serial Number: 2087 (0x827)
-# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
-# Not Valid Before: Mon Aug 08 07:07:51 2011
-# Not Valid After : Tue Jul 06 07:07:51 2021
-# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
-# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\010\047
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
-# Serial Number: 2148 (0x864)
-# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
-# Not Valid Before: Mon Aug 08 07:07:51 2011
-# Not Valid After : Thu Aug 05 07:07:51 2021
-# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
-# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
-CKA_TOKEN CK_BBOOL CK_TRUE
-CKA_PRIVATE CK_BBOOL CK_FALSE
-CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
-CKA_ISSUER MULTILINE_OCTAL
-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
-END
-CKA_SERIAL_NUMBER MULTILINE_OCTAL
-\002\002\010\144
-END
-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-
#
# Certificate "D-TRUST Root Class 3 CA 2 2009"
#
# Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
# Serial Number: 623603 (0x983f3)
# Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE
# Not Valid Before: Thu Nov 05 08:35:58 2009
# Not Valid After : Mon Nov 05 08:35:58 2029

578
nss-3.79-fips.patch Normal file
View File

@ -0,0 +1,578 @@
diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
--- a/lib/freebl/config.mk
+++ b/lib/freebl/config.mk
@@ -85,9 +85,13 @@ EXTRA_SHARED_LIBS += \
$(NULL)
endif
endif
ifeq ($(OS_ARCH), Darwin)
EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
endif
+ifdef NSS_FIPS_140_3
+DEFINES += -DNSS_FIPS_140_3
endif
+
+endif
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
--- a/lib/freebl/unix_urandom.c
+++ b/lib/freebl/unix_urandom.c
@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
if (!numBytes) {
/* error is set */
return;
}
RNG_RandomUpdate(bytes, numBytes);
PORT_Memset(bytes, 0, sizeof bytes);
}
+#ifdef NSS_FIPS_140_3
+#include <sys/random.h>
+#include "prinit.h"
+
+static int rng_grndFlags= 0;
+static PRCallOnceType rng_KernelFips;
+
+static PRStatus
+rng_getKernelFips()
+{
+#ifdef LINUX
+ FILE *f;
+ char d;
+ size_t size;
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+ return PR_FAILURE;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
+ if (size != 1)
+ return PR_SUCCESS;
+ if (d != '1')
+ return PR_SUCCESS;
+ /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
+ rng_grndFlags = GRND_RANDOM;
+#endif /* LINUX */
+ return PR_SUCCESS;
+}
+#endif
+
size_t
RNG_SystemRNG(void *dest, size_t maxLen)
{
+ size_t fileBytes = 0;
+ unsigned char *buffer = dest;
+#ifndef NSS_FIPS_140_3
int fd;
int bytes;
- size_t fileBytes = 0;
- unsigned char *buffer = dest;
+#else
+ PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
+#endif
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
int result;
-
while (fileBytes < maxLen) {
size_t getBytes = maxLen - fileBytes;
if (getBytes > GETENTROPY_MAX_BYTES) {
getBytes = GETENTROPY_MAX_BYTES;
}
+#ifdef NSS_FIPS_140_3
+ /* FIP 140-3 requires full kernel reseeding for chained entropy sources
+ * so we need to use getrandom with GRND_RANDOM.
+ * getrandom returns -1 on failure, otherwise returns
+ * the number of bytes, which can be less than getBytes */
+ result = getrandom(buffer, getBytes, rng_grndFlags);
+ if (result < 0) {
+ break;
+ }
+ fileBytes += result;
+ buffer += result;
+#else
+ /* get entropy returns 0 on success and always return
+ * getBytes on success */
result = getentropy(buffer, getBytes);
if (result == 0) { /* success */
fileBytes += getBytes;
buffer += getBytes;
} else {
break;
}
+#endif
}
if (fileBytes == maxLen) { /* success */
return maxLen;
}
+#ifdef NSS_FIPS_140_3
+ /* in FIPS 104-3 we don't fallback, just fail */
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return 0;
+#else
/* If we failed with an error other than ENOSYS, it means the destination
* buffer is not writeable. We don't need to try writing to it again. */
if (errno != ENOSYS) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
return 0;
}
+#endif /*!NSS_FIPS_140_3 */
+#endif /* platorm has getentropy */
+#ifndef NSS_FIPS_140_3
/* ENOSYS means the kernel doesn't support getentropy()/getrandom().
* Reset the number of bytes to get and fall back to /dev/urandom. */
fileBytes = 0;
-#endif
fd = open("/dev/urandom", O_RDONLY);
if (fd < 0) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
return 0;
}
while (fileBytes < maxLen) {
bytes = read(fd, buffer, maxLen - fileBytes);
if (bytes <= 0) {
@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
buffer += bytes;
}
(void)close(fd);
if (fileBytes != maxLen) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
return 0;
}
return fileBytes;
+#endif
}
diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
--- a/lib/softoken/config.mk
+++ b/lib/softoken/config.mk
@@ -58,8 +58,12 @@ endif
ifdef NSS_ENABLE_FIPS_INDICATORS
DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
endif
ifdef NSS_FIPS_MODULE_ID
DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
endif
+ifdef NSS_FIPS_140_3
+DEFINES += -DNSS_FIPS_140_3
+endif
+
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char iteration_count = 5;
unsigned char keyLen = 64;
char *inKeyData = TEST_KEY;
- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+ static const unsigned char saltData[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ };
+
static const unsigned char pbkdf_known_answer[] = {
- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
+ 0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,
+ 0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,
+ 0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,
+ 0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,
+ 0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,
+ 0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,
+ 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
+ 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
};
sftk_PBELockInit();
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -4609,16 +4609,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
goto loser;
}
/* make sure we don't have any class, key_type, or value fields */
sftk_DeleteAttributeType(key, CKA_CLASS);
sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
sftk_DeleteAttributeType(key, CKA_VALUE);
+
/* Now Set up the parameters to generate the key (based on mechanism) */
key_gen_type = nsc_bulk; /* bulk key by default */
switch (pMechanism->mechanism) {
case CKM_CDMF_KEY_GEN:
case CKM_DES_KEY_GEN:
case CKM_DES2_KEY_GEN:
case CKM_DES3_KEY_GEN:
checkWeak = PR_TRUE;
@@ -4812,16 +4813,19 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
crv = sftk_handleObject(key, session);
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
}
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
}
+ /* we need to do this check at the end, so we can check the generated key length against
+ * fips requirements */
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
if (crv == CKR_OK) {
*phKey = key->handle;
}
loser:
PORT_Memset(buf, 0, sizeof buf);
sftk_FreeObject(key);
return crv;
}
@@ -5780,16 +5784,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
if (crv != CKR_OK) {
NSC_DestroyObject(hSession, publicKey->handle);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
return crv;
}
+ /* we need to do this check at the end to make sure the generated key meets the key length requirements */
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
+ publicKey->isFIPS = privateKey->isFIPS;
*phPrivateKey = privateKey->handle;
*phPublicKey = publicKey->handle;
sftk_FreeObject(publicKey);
sftk_FreeObject(privateKey);
return CKR_OK;
}
@@ -6990,16 +6997,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
}
/* HKDF-Extract(salt, base key value) */
if (params->bExtract) {
CK_BYTE *salt;
CK_ULONG saltLen;
HMACContext *hmac;
unsigned int bufLen;
+ SFTKSource saltKeySource = SFTK_SOURCE_DEFAULT;
switch (params->ulSaltType) {
case CKF_HKDF_SALT_NULL:
saltLen = hashLen;
salt = hashbuf;
memset(salt, 0, saltLen);
break;
case CKF_HKDF_SALT_DATA:
@@ -7026,29 +7034,54 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {
CK_MECHANISM mech;
mech.mechanism = CKM_HKDF_DERIVE;
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
CKA_DERIVE, saltKey);
}
+ saltKeySource = saltKey->source;
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
if (saltKey_att == NULL) {
sftk_FreeObject(saltKey);
return CKR_KEY_HANDLE_INVALID;
}
/* save the resulting salt */
salt = saltKey_att->attrib.pValue;
saltLen = saltKey_att->attrib.ulValueLen;
break;
default:
return CKR_MECHANISM_PARAM_INVALID;
break;
}
+ /* only TLS style usage is FIPS approved,
+ * turn off the FIPS indicator for other usages */
+ if (isFIPS && key && sourceKey) {
+ PRBool fipsOK = PR_FALSE;
+ /* case one: mix the kea with a previous or default
+ * salt */
+ if ((sourceKey->source == SFTK_SOURCE_KEA) &&
+ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
+ (saltLen == rawHash->length)) {
+ fipsOK = PR_TRUE;
+ }
+ /* case two: restart, remix the previous secret as a salt */
+ if ((sourceKey->objclass == CKO_DATA) &&
+ (NSS_SecureMemcmpZero(sourceKeyBytes, sourceKeyLen) == 0) &&
+ (sourceKeyLen == rawHash->length) &&
+ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
+ (saltLen == rawHash->length)) {
+ fipsOK = PR_TRUE;
+ }
+ if (!fipsOK) {
+ key->isFIPS = PR_FALSE;
+ }
+ }
+ if (key) key->source = SFTK_SOURCE_HKDF_EXTRACT;
hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
if (saltKey_att) {
sftk_FreeAttribute(saltKey_att);
}
if (saltKey) {
sftk_FreeObject(saltKey);
}
@@ -7076,16 +7109,40 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
* key material = T(1) | ... | T(n)
*/
HMACContext *hmac;
CK_BYTE bi;
unsigned iterations;
+ /* only TLS style usage is FIPS approved,
+ * turn off the FIPS indicator for other usages */
+ if (isFIPS && key && key->isFIPS && sourceKey) {
+ unsigned char *info=&params->pInfo[3];
+ /* only one case,
+ * 1) Expand only
+ * 2) with a key whose source was
+ * SFTK_SOURCE_HKDF_EXPAND or SFTK_SOURCE_HKDF_EXTRACT
+ * 3) source key length == rawHash->length
+ * 4) Info has tls or dtls
+ * If any of those conditions aren't met, then we turn
+ * off the fips indicator */
+ if (params->bExtract ||
+ ((sourceKey->source != SFTK_SOURCE_HKDF_EXTRACT) &&
+ (sourceKey->source != SFTK_SOURCE_HKDF_EXPAND)) ||
+ (sourceKeyLen != rawHash->length) ||
+ (params->ulInfoLen < 7) ||
+ ((PORT_Memcmp(info,"tls",3) != 0) &&
+ (PORT_Memcmp(info,"dtls",4) != 0))) {
+ key->isFIPS = PR_FALSE;
+ }
+ }
+ if (key) key->source = SFTK_SOURCE_HKDF_EXPAND;
+
genLen = PR_ROUNDUP(keySize, hashLen);
iterations = genLen / hashLen;
if (genLen > sizeof(keyBlock)) {
keyBlockAlloc = PORT_Alloc(genLen);
if (keyBlockAlloc == NULL) {
return CKR_HOST_MEMORY;
}
@@ -8434,16 +8491,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* calculate private value - oct */
rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
SECITEM_ZfreeItem(&dhValue, PR_FALSE);
if (rv == SECSuccess) {
+ key->source = SFTK_SOURCE_KEA;
sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
SECITEM_ZfreeItem(&derived, PR_FALSE);
crv = CKR_OK;
} else
crv = CKR_HOST_MEMORY;
break;
}
@@ -8564,16 +8622,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);
secret = keyData;
} else {
secret += (secretlen - keySize);
}
secretlen = keySize;
}
+ key->source = SFTK_SOURCE_KEA;
sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
PORT_ZFree(tmp.data, tmp.len);
if (keyData) {
PORT_ZFree(keyData, keySize);
}
break;
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -147,16 +147,26 @@ typedef enum {
*/
typedef enum {
SFTK_DestroyFailure,
SFTK_Destroyed,
SFTK_Busy
} SFTKFreeStatus;
/*
+ * Source of various objects
+ */
+typedef enum {
+ SFTK_SOURCE_DEFAULT=0,
+ SFTK_SOURCE_KEA,
+ SFTK_SOURCE_HKDF_EXPAND,
+ SFTK_SOURCE_HKDF_EXTRACT
+} SFTKSource;
+
+/*
* attribute values of an object.
*/
struct SFTKAttributeStr {
SFTKAttribute *next;
SFTKAttribute *prev;
PRBool freeAttr;
PRBool freeData;
/*must be called handle to make sftkqueue_find work */
@@ -189,16 +199,17 @@ struct SFTKObjectStr {
CK_OBJECT_CLASS objclass;
CK_OBJECT_HANDLE handle;
int refCount;
PZLock *refLock;
SFTKSlot *slot;
void *objectInfo;
SFTKFree infoFree;
PRBool isFIPS;
+ SFTKSource source;
};
struct SFTKTokenObjectStr {
SFTKObject obj;
SECItem dbKey;
};
struct SFTKSessionObjectStr {
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1090,16 +1090,17 @@ sftk_NewObject(SFTKSlot *slot)
sessObject->attrList[i].freeData = PR_FALSE;
}
sessObject->optimizeSpace = slot->optimizeSpace;
object->handle = 0;
object->next = object->prev = NULL;
object->slot = slot;
object->isFIPS = sftk_isFIPS(slot->slotID);
+ object->source = SFTK_SOURCE_DEFAULT;
object->refCount = 1;
sessObject->sessionList.next = NULL;
sessObject->sessionList.prev = NULL;
sessObject->sessionList.parent = object;
sessObject->session = NULL;
sessObject->wasDerived = PR_FALSE;
if (!hasLocks)
@@ -1674,16 +1675,17 @@ fail:
CK_RV
sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject)
{
SFTKAttribute *attribute;
SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
unsigned int i;
destObject->isFIPS = srcObject->isFIPS;
+ destObject->source = srcObject->source;
if (src_so == NULL) {
return sftk_CopyTokenObject(destObject, srcObject);
}
PZ_Lock(src_so->attributeLock);
for (i = 0; i < src_so->hashSize; i++) {
attribute = src_so->head[i];
do {
@@ -2059,16 +2061,17 @@ sftk_NewTokenObject(SFTKSlot *slot, SECI
/* every object must have a class, if we can't get it, the object
* doesn't exist */
crv = handleToClass(slot, handle, &object->objclass);
if (crv != CKR_OK) {
goto loser;
}
object->slot = slot;
object->isFIPS = sftk_isFIPS(slot->slotID);
+ object->source = SFTK_SOURCE_DEFAULT;
object->objectInfo = NULL;
object->infoFree = NULL;
if (!hasLocks) {
object->refLock = PZ_NewLock(nssILockRefLock);
}
if (object->refLock == NULL) {
goto loser;
}
@@ -2225,16 +2228,25 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
break;
case CKA_DERIVE:
flags = CKF_DERIVE;
break;
/* fake attribute to select digesting */
case CKA_DIGEST:
flags = CKF_DIGEST;
break;
+ /* fake attribute to select key gen */
+ case CKA_NSS_GENERATE:
+ flags = CKF_GENERATE;
+ break;
+ /* fake attribute to select key pair gen */
+ case CKA_NSS_GENERATE_KEY_PAIR:
+ flags = CKF_GENERATE_KEY_PAIR;
+ break;
+ /* fake attributes to to handle MESSAGE* flags */
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
flags = CKF_MESSAGE_ENCRYPT;
break;
case CKA_NSS_MESSAGE | CKA_DECRYPT:
flags = CKF_MESSAGE_DECRYPT;
break;
case CKA_NSS_MESSAGE | CKA_SIGN:
flags = CKF_MESSAGE_SIGN;
@@ -2278,17 +2290,17 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
}
/* This function currently only returns valid lengths for
* FIPS approved ECC curves. If we want to make this generic
* in the future, that Curve determination can be done in
* the sftk_handleSpecial. Since it's currently only used
* in FIPS indicators, it's currently only compiled with
* the FIPS indicator code */
-static int
+static CK_ULONG
sftk_getKeyLength(SFTKObject *source)
{
CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
CK_RV crv;
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
--- a/lib/util/pkcs11n.h
+++ b/lib/util/pkcs11n.h
@@ -58,16 +58,18 @@
/*
* NSS-defined certificate types
*
*/
#define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
/* FAKE PKCS #11 defines */
#define CKA_DIGEST 0x81000000L
+#define CKA_NSS_GENERATE 0x81000001L
+#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L
#define CKA_NSS_MESSAGE 0x82000000L
#define CKA_NSS_MESSAGE_MASK 0xff000000L
#define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
/*
* NSS-defined object attributes
*
*/

78
nss-3.89-dangling.patch
View File

@ -1,78 +0,0 @@
diff --git a/cmd/ecperf/ecperf.c b/cmd/ecperf/ecperf.c
--- a/cmd/ecperf/ecperf.c
+++ b/cmd/ecperf/ecperf.c
@@ -51,10 +51,11 @@
int iters = threadData->iters;
unsigned char sigData[256];
SECItem sig;
CK_SESSION_HANDLE session;
CK_RV crv;
+ void *tmp = NULL;
threadData->status = SECSuccess;
threadData->count = 0;
/* get our thread's session */
@@ -66,10 +67,11 @@
}
if (threadData->isSign) {
sig.data = sigData;
sig.len = sizeof(sigData);
+ tmp = threadData->p2;
threadData->p2 = (void *)&sig;
}
while (iters--) {
threadData->status = (*op)(session, threadData->p1,
@@ -77,27 +79,33 @@
if (threadData->status != SECSuccess) {
break;
}
threadData->count++;
}
+
+ if (threadData->isSign) {
+ threadData->p2 = tmp;
+ }
return;
}
void
genericThread(void *data)
{
ThreadData *threadData = (ThreadData *)data;
int iters = threadData->iters;
unsigned char sigData[256];
SECItem sig;
+ void *tmp = NULL;
threadData->status = SECSuccess;
threadData->count = 0;
if (threadData->isSign) {
sig.data = sigData;
sig.len = sizeof(sigData);
+ tmp = threadData->p2;
threadData->p2 = (void *)&sig;
}
while (iters--) {
threadData->status = (*threadData->op)(threadData->p1,
@@ -105,10 +113,14 @@
if (threadData->status != SECSuccess) {
break;
}
threadData->count++;
}
+
+ if (threadData->isSign) {
+ threadData->p2 = tmp;
+ }
return;
}
/* Time iter repetitions of operation op. */
SECStatus

42
nss-3.90-aes-gmc-indicator.patch Normal file
View File

@ -0,0 +1,42 @@
diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
--- a/lib/softoken/sftkmessage.c
+++ b/lib/softoken/sftkmessage.c
@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
CHECK_FORK();
/* make sure we're legal */
crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
if (crv != CKR_OK)
return crv;
+ if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
+ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
+ context->isFIPS = PR_FALSE;
+ } else {
+ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
+ switch (p->ivGenerator) {
+ case CKG_NO_GENERATE:
+ context->isFIPS = PR_FALSE;
+ break;
+ case CKG_GENERATE_RANDOM:
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
+ context->isFIPS = PR_FALSE;
+ }
+ break;
+ default:
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
+ context->isFIPS = PR_FALSE;
+ }
+ }
+ }
+ }
+
if (!pOuttext) {
*pulOuttextLen = ulIntextLen;
return CKR_OK;
}
rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
maxout, pIntext, ulIntextLen,
pParameter, ulParameterLen,
pAssociatedData, ulAssociatedDataLen);

90
nss-3.90-dh-test-update.patch Normal file
View File

@ -0,0 +1,90 @@
diff -up ./lib/freebl/fipsfreebl.c.dh_test ./lib/freebl/fipsfreebl.c
--- ./lib/freebl/fipsfreebl.c.dh_test 2024-01-18 08:34:45.936944401 -0800
+++ ./lib/freebl/fipsfreebl.c 2024-01-18 09:20:57.555980326 -0800
@@ -1816,38 +1816,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
{
/* DH Known P (2048-bits) */
static const PRUint8 dh_known_P[] = {
- 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
- 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
- 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
- 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
- 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
- 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
- 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
- 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
- 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
- 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
- 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
- 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
- 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
- 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
- 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
- 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
- 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
- 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
- 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
- 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
- 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
- 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
- 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
- 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
- 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
- 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
- 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
- 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
- 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
- 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
- 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
- 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+
};
static const PRUint8 dh_known_Y_1[] = {
@@ -1893,10 +1894,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
};
static const PRUint8 dh_known_hash_result[] = {
- 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
- 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
- 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
- 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
+ 0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
+ 0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
+ 0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
+ 0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
};
/* DH variables. */

176
nss-3.90-fips-indicators2.patch Normal file
View File

@ -0,0 +1,176 @@
diff -up ./lib/softoken/pkcs11c.c.fips_2 ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips_2 2024-01-19 09:21:19.632889660 -0800
+++ ./lib/softoken/pkcs11c.c 2024-01-19 09:22:18.541471306 -0800
@@ -7090,7 +7090,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
CKA_DERIVE, saltKey,
- keySize);
+ keySize*PR_BITS_PER_BYTE);
}
saltKeySource = saltKey->source;
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
@@ -7404,7 +7404,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
}
key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
- keySize);
+ keySize*PR_BITS_PER_BYTE);
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
diff -up ./lib/softoken/pkcs11u.c.fips_2 ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_2 2024-01-19 09:21:19.633889670 -0800
+++ ./lib/softoken/pkcs11u.c 2024-01-19 09:28:00.082843565 -0800
@@ -2393,20 +2393,43 @@ sftk_getKeyLength(SFTKObject *source)
}
PRBool
-sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
+sftk_checkFIPSHash(CK_MECHANISM_TYPE hash, PRBool allowSmall, PRBool allowCMAC)
{
switch (hash) {
+ case CKM_AES_CMAC:
+ return allowCMAC;
+ case CKM_SHA_1:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA224:
+ case CKM_SHA224_HMAC:
+ return allowSmall;
case CKM_SHA256:
- case CKG_MGF1_SHA256:
+ case CKM_SHA256_HMAC:
case CKM_SHA384:
- case CKG_MGF1_SHA384:
+ case CKM_SHA384_HMAC:
case CKM_SHA512:
- case CKG_MGF1_SHA512:
+ case CKM_SHA512_HMAC:
return PR_TRUE;
}
return PR_FALSE;
}
+PRBool
+sftk_checkKeyLength(CK_ULONG keyLength, CK_ULONG min,
+ CK_ULONG max, CK_ULONG step)
+{
+ if (keyLength > max) {
+ return PR_FALSE;
+ }
+ if (keyLength < min ) {
+ return PR_FALSE;
+ }
+ if (((keyLength - min) % step) != 0) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+}
+
/*
* handle specialized FIPS semantics that are too complicated to
* handle with just a table. NOTE: this means any additional semantics
@@ -2416,6 +2439,8 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
CK_ULONG keyLength, CK_ULONG targetKeyLength)
{
+ PRBool allowSmall = PR_FALSE;
+ PRBool allowCMAC = PR_FALSE;
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@@ -2482,7 +2507,11 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (pss->sLen > hashObj->length) {
return PR_FALSE;
}
- return sftk_CheckFIPSHash(pss->hashAlg);
+ /* Our code makes sure pss->hashAlg matches the explicit
+ * hash in the mechanism, and only mechanisms with approved
+ * hashes are included, so no need to check pss->hashAlg
+ * here */
+ return PR_TRUE;
}
case SFTKFIPSPBKDF2: {
/* PBKDF2 must have the following addition restrictions
@@ -2508,12 +2537,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
return PR_TRUE;
}
/* check the hash mechanisms to make sure they themselves are FIPS */
+ case SFTKFIPSChkHashSp800:
+ allowCMAC = PR_TRUE;
case SFTKFIPSChkHash:
+ allowSmall = PR_TRUE;
+ case SFTKFIPSChkHashTls:
if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
return PR_FALSE;
}
- return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
- + mechInfo->offset));
+ return sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+ + mechInfo->offset), allowSmall, allowCMAC);
+ case SFTKFIPSTlsKeyCheck:
+ if (mech->mechanism != CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
+ /* unless the mechnism has a built-in hash, check the hash */
+ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
+ return PR_FALSE;
+ }
+ if (!sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
+ + mechInfo->offset), PR_FALSE, PR_FALSE)) {
+ return PR_FALSE;
+ }
+ }
+ return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
default:
break;
}
@@ -2558,13 +2603,11 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
* approved algorithm in the approved mode with an approved key */
if ((mech->mechanism == mechs->type) &&
(opFlags == (mechs->info.flags & opFlags)) &&
- (keyLength <= mechs->info.ulMaxKeySize) &&
- (keyLength >= mechs->info.ulMinKeySize) &&
- (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
- ((targetKeyLength == 0) ||
- ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
- (targetKeyLength >= mechs->info.ulMinKeySize) &&
- ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
+ sftk_checkKeyLength(keyLength, mechs->info.ulMinKeySize,
+ mechs->info.ulMaxKeySize, mechs->step) &&
+ ((targetKeyLength == 0) || (mechs->special == SFTKFIPSTlsKeyCheck)
+ || sftk_checkKeyLength(targetKeyLength, mechs->info.ulMinKeySize,
+ mechs->info.ulMaxKeySize, mechs->step)) &&
((mechs->special == SFTKFIPSNone) ||
sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
return PR_TRUE;
diff -up ./lib/softoken/sftkmessage.c.fips_2 ./lib/softoken/sftkmessage.c
--- ./lib/softoken/sftkmessage.c.fips_2 2024-01-19 09:21:19.634889680 -0800
+++ ./lib/softoken/sftkmessage.c 2024-01-19 09:22:18.541471306 -0800
@@ -157,16 +157,25 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
} else {
CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
switch (p->ivGenerator) {
+ default:
case CKG_NO_GENERATE:
context->isFIPS = PR_FALSE;
break;
case CKG_GENERATE_RANDOM:
- if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
+ if ((p->ulIvLen < 96/PR_BITS_PER_BYTE) ||
+ (p->ulIvFixedBits != 0)) {
context->isFIPS = PR_FALSE;
}
break;
- default:
- if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
+ case CKG_GENERATE_COUNTER_XOR:
+ if ((p->ulIvLen != 96/PR_BITS_PER_BYTE) ||
+ (p->ulIvFixedBits != 32)) {
+ context->isFIPS = PR_FALSE;
+ }
+ break;
+ case CKG_GENERATE_COUNTER:
+ if ((p->ulIvFixedBits < 32) ||
+ ((p->ulIvLen*PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
context->isFIPS = PR_FALSE;
}
}

506
nss-3.90-fips-safe-memset.patch Normal file
View File

@ -0,0 +1,506 @@
diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c
--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800
@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
outLen);
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_ZFree(newBuf, paddedInputLen);
/* a little overkill, we only need to clear out the length, but this
* is easier to verify we got it all */
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
loser:
/* if we failed, make sure we don't return any data to the user */
if ((rv != SECSuccess) && (output == newBuf)) {
- PORT_Memset(newBuf, 0, paddedLen);
+ PORT_SafeZero(newBuf, paddedLen);
}
/* clear out CSP sensitive data from the heap and stack */
if (allocBuf) {
PORT_ZFree(allocBuf, paddedLen);
}
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h
--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800
@@ -101,10 +101,10 @@ PRBool ppc_crypto_support();
#ifdef NSS_FIPS_DISABLED
#define BLAPI_CLEAR_STACK(stack_size)
#else
-#define BLAPI_CLEAR_STACK(stack_size) \
- { \
- volatile char _stkclr[stack_size]; \
- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
+#define BLAPI_CLEAR_STACK(stack_size) \
+ { \
+ volatile char _stkclr[stack_size]; \
+ PORT_SafeZero((void *)&_stkclr[0], stack_size); \
}
#endif
diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c
--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800
@@ -197,7 +197,7 @@ prng_initEntropy(void)
SHA256_Update(&ctx, block, sizeof(block));
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
sizeof(globalrng->previousEntropyHash));
- PORT_Memset(block, 0, sizeof(block));
+ PORT_SafeZero(block, sizeof(block));
SHA256_DestroyContext(&ctx, PR_FALSE);
return PR_SUCCESS;
}
@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
}
out:
- PORT_Memset(hash, 0, sizeof hash);
- PORT_Memset(block, 0, sizeof block);
+ PORT_SafeZero(hash, sizeof hash);
+ PORT_SafeZero(block, sizeof block);
return rv;
}
@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
SHA256_DestroyContext(&ctx, PR_FALSE);
}
- PORT_Memset(data, 0, sizeof data);
- PORT_Memset(thisHash, 0, sizeof thisHash);
+ PORT_SafeZero(data, sizeof data);
+ PORT_SafeZero(thisHash, sizeof thisHash);
}
/*
@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng,
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
/* if the prng failed, don't return any output, signal softoken */
- PORT_Memset(H, 0, sizeof H);
+ PORT_SafeZero(H, sizeof H);
if (!rng->isValid) {
PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c
--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
err = MP_OKAY;
signature->len = dsa_signature_len;
cleanup:
- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
+ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
rv = dsa_SignDigest(key, signature, digest, kSeed);
} while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
--retries > 0);
- PORT_Memset(kSeed, 0, sizeof kSeed);
+ PORT_SafeZero(kSeed, sizeof kSeed);
return rv;
}
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
verified = SECSuccess; /* Signature verified. */
}
cleanup:
- PORT_Memset(localDigestData, 0, sizeof localDigestData);
+ PORT_SafeZero(localDigestData, sizeof localDigestData);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c
--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800
@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
rv = SECSuccess;
cleanup:
- PORT_Memset(T, 0, sizeof(T));
+ PORT_SafeZero(T, sizeof(T));
return rv;
}
@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC
if (rv != SECSuccess) {
goto loser;
}
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
gcm->ctr_context_init = PR_TRUE;
return gcm;
loser:
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
if (ghash && ghash->mem) {
void *mem = ghash->mem;
- PORT_Memset(ghash, 0, sizeof(gcmHashContext));
+ PORT_SafeZero(ghash, sizeof(gcmHashContext));
PORT_Free(mem);
}
if (gcm) {
@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
return SECSuccess;
loser:
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
if (freeCtr) {
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
}
@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
return SECFailure;
}
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
/* finish the decryption */
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
inbuf, inlen, AES_BLOCK_SIZE);
@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
return SECFailure;
}
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
/* finish the decryption */
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
inbuf, inlen, AES_BLOCK_SIZE);
diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c
--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
hashObj->destroy(mdState, PR_TRUE);
- PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
- PORT_Memset(hmacPad, 0, sizeof hmacPad);
- PORT_Memset(firstBlock, 0, sizeof firstBlock);
- PORT_Memset(macOut, 0, sizeof macOut);
+ PORT_SafeZero(lengthBytes, sizeof lengthBytes);
+ PORT_SafeZero(hmacPad, sizeof hmacPad);
+ PORT_SafeZero(firstBlock, sizeof firstBlock);
+ PORT_SafeZero(macOut, sizeof macOut);
return SECSuccess;
}
diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c
--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
void
intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c
--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
void
ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c
--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800
@@ -703,7 +703,7 @@ cleanup:
mp_clear(&a);
mp_clear(&z);
mp_clear(&two_length_minus_1);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -859,7 +859,7 @@ cleanup:
mp_clear(&c);
mp_clear(&c0);
mp_clear(&one);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */
CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */
cleanup:
- PORT_Memset(V_j, 0, sizeof V_j);
+ PORT_SafeZero(V_j, sizeof V_j);
mp_clear(&W);
mp_clear(&X);
mp_clear(&c);
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
/* step 11.
* return valid G */
cleanup:
- PORT_Memset(data, 0, sizeof(data));
+ PORT_SafeZero(data, sizeof(data));
if (hashcx) {
hashobj->destroy(hashcx, PR_TRUE);
}
diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c
--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
cx->worker_cx = NULL;
cx->destroy = NULL;
}
- PORT_Memset(cx, 0, sizeof(AESContext));
+ PORT_SafeZero(cx, sizeof(AESContext));
if (freeit) {
PORT_Free(mem);
} else {
diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c
--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800
+++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800
@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c
/* 2. Compute phi = (p-1)*(q-1) */
CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
+ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
if (needPublicExponent || needPrivateExponent) {
- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
/* 3. Compute d = e**-1 mod(phi) */
/* or e = d**-1 mod(phi) as necessary */
if (needPublicExponent) {
@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c
goto cleanup;
}
+ /* make sure we weren't passed in a d or e = 1 mod phi */
+ /* just need to check d, because if one is = 1 mod phi, they both are */
+ CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
+ if (mp_cmp_d(&tmp, 2) <= 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ goto cleanup;
+ }
+
/* 4. Compute exponent1 = d mod (p-1) */
CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
/* Perform a public key operation v = m ** e mod n */
CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
if (mp_cmp(&v, c) != 0) {
+ /* this error triggers a fips fatal error lock */
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
}
cleanup:
diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c
--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800
@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject *
/* now create the hmac key */
hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
if (hmac == NULL) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
return NULL;
}
HMAC_Begin(hmac);
HMAC_Update(hmac, input, inputLen);
rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
if (rv != SECSuccess) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
}
@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject *
* reuse the original context allocated above so we don't
* need to allocate and free another one */
rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
if (rv != SECSuccess) {
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
return rv;
}
PORT_Memcpy(output, hmacLast, left);
- PORT_Memset(hmacLast, 0, sizeof(hmacLast));
+ PORT_SafeZero(hmacLast, sizeof(hmacLast));
}
return rv;
}
@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
candidate, outLength);
}
- PORT_Memset(out, 0, sizeof(out));
+ PORT_SafeZero(out, sizeof(out));
return outLength;
}
diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c
--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
/* verify the hash against the check file */
rv = DSA_VerifyDigest(key, signature, &hash);
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
}
#endif
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
if (rv == SECSuccess) {
result = SECITEM_ItemsAreEqual(signature, &hash);
}
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return result;
}
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
#ifndef NSS_STRICT_INTEGRITY
DSAPublicKey key;
- PORT_Memset(&key, 0, sizeof(key));
+ PORT_SafeZero(&key, sizeof(key));
#endif
/* If our integrity check was never ran or failed, fail any other
@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P
shFD = NULL;
loser:
- PORT_Memset(&header, 0, sizeof header);
+ PORT_SafeZero(&header, sizeof header);
if (checkName != NULL) {
PORT_Free(checkName);
}
diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c
--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800
@@ -82,8 +82,8 @@ loser:
/* clear out state so it's not left on the stack */
if (cx)
HMAC_Destroy(cx, PR_TRUE);
- PORT_Memset(state, 0, sizeof(state));
- PORT_Memset(outbuf, 0, sizeof(outbuf));
+ PORT_SafeZero(state, sizeof(state));
+ PORT_SafeZero(outbuf, sizeof(outbuf));
return rv;
}
diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c
--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800
+++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
return;
}
RNG_RandomUpdate(bytes, numBytes);
- PORT_Memset(bytes, 0, sizeof bytes);
+ PORT_SafeZero(bytes, sizeof bytes);
}
#ifdef NSS_FIPS_140_3
diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800
+++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800
@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
if ((signature_length >= pairwise_digest_length) &&
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
PORT_Free(signature);
- return CKR_DEVICE_ERROR;
+ return CKR_GENERAL_ERROR;
}
/* Verify the known hash using the public key. */
diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h
--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800
@@ -36,6 +36,9 @@
#include <sys/types.h>
#include <ctype.h>
+/* ask for Annex K for memset_s. will set the appropriate #define
+ * if Annex K is supported */
+#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
@@ -182,6 +185,39 @@ SEC_END_PROTOS
#endif /*SUNOS4*/
#define PORT_Memset memset
+/* there are cases where the compiler optimizes away our attempt to clear
+ * out our stack variables. There are multiple solutions for this problem,
+ * but they aren't universally accepted on all platforms. This attempts
+ * to select the best solution available given our os, compilier, and libc */
+#ifdef __STDC_LIB_EXT1__
+/* if the os implements C11 annex K, use memset_s */
+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
+#else
+#ifdef XP_WIN
+/* windows has a secure zero funtion */
+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
+#else
+/* _DEFAULT_SORUCE == BSD source in GCC based environments
+ * if other environmens support explicit_bzero, their defines
+ * should be added here */
+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
+#else
+/* if the os doesn't support one of the above, but does support
+ * memset_explicit, you can add the definition for memset with the
+ * appropriate define check here */
+/* define an explicitly implementated Safe zero if the OS
+ * doesn't provide one */
+#define PORT_SafeZero(p, n) \
+ if (p != NULL) { \
+ volatile unsigned char *__vl = (unsigned char *)p; \
+ size_t __nl = n; \
+ while (__nl--) *__vl++ = 0; \
+ }
+#endif /* no explicit_bzero */
+#endif /* no windows SecureZeroMemory */
+#endif /* no memset_s */
+
#define PORT_Strcasecmp PL_strcasecmp
#define PORT_Strcat strcat
#define PORT_Strchr strchr

42
nss-3.90-pbkdf2-indicator.patch Normal file
View File

@ -0,0 +1,42 @@
diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700
+++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700
@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
return PR_FALSE;
case SFTKFIPSECC:
/* we've already handled the curve selection in the 'getlength'
- * function */
+ * function */
return PR_TRUE;
case SFTKFIPSAEAD: {
if (mech->ulParameterLen == 0) {
@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
return PR_TRUE;
}
+ case SFTKFIPSPBKDF2: {
+ /* PBKDF2 must have the following addition restrictions
+ * (independent of keysize).
+ * 1. iteration count must be at least 1000.
+ * 2. salt must be at least 128 bits (16 bytes).
+ * 3. password must match the length specified in the SP
+ */
+ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
+ mech->pParameter;
+ if (mech->ulParameterLen != sizeof(*pbkdf2)) {
+ return PR_FALSE;
+ }
+ if (pbkdf2->iterations < 1000) {
+ return PR_FALSE;
+ }
+ if (pbkdf2->ulSaltSourceDataLen < 16) {
+ return PR_FALSE;
+ }
+ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+ }
default:
break;
}

36
nss-3.90-ppc_no_init.patch Normal file
View File

@ -0,0 +1,36 @@
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
@@ -303,7 +303,7 @@ endif
ifeq ($(CPU_ARCH),ppc)
EXTRA_SRCS += gcm-ppc.c
ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
+# DEFINES += -DNSS_NO_INIT_SUPPORT
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
ifeq ($(PPC_ABI),2)
ASFILES += sha512-p8.s
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
ifdef NSS_NO_INIT_SUPPORT
DEFINES += -DNSS_NO_INIT_SUPPORT
endif
-ifeq ($(OS_TARGET),Linux)
-ifeq ($(CPU_ARCH),ppc)
-ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
-endif # USE_64
-endif # ppc
-endif # Linux
+#ifeq ($(OS_TARGET),Linux)
+#ifeq ($(CPU_ARCH),ppc)
+#ifdef USE_64
+# DEFINES += -DNSS_NO_INIT_SUPPORT
+#endif # USE_64
+#endif # ppc
+#endif # Linux
#######################################################################

13
nss-dso-ldflags.patch Normal file
View File

@ -0,0 +1,13 @@
Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -144,7 +144,7 @@ ifdef USE_PTHREADS
endif
DSO_CFLAGS = -fPIC
-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections
+DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS)
# The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8)
# incorrectly reports undefined references in the libraries we link with, so
# we don't use -z defs there.

80
nss.spec
View File

@ -1,13 +1,13 @@
%global nss_version 3.101.0
%global nspr_version 4.35.0
%global nss_version 3.97.0
# NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 2
%global baserelease 1
%global nss_release %baserelease
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different.
%global nspr_release %[%baserelease+19]
%global nspr_release %[%baserelease+21]
# only need to update this as we added new
# algorithms under nss policy control
%global crypto_policies_version 20210118
@ -129,11 +129,53 @@ Source101: nspr-config.xml
# but it doesn't hurt to keep it.
Patch4: iquote.patch
Patch12: nss-signtool-format.patch
# fedora disabled dbm by default
Patch40: nss-no-dbm-man-page.patch
Patch20: nss-3.101-extend-db-dump-time.patch
Patch21: nss-3.101-enable-sdb-tests.patch
# connect our shared library to the build root loader flags (needed for -relro)
Patch31: nss-dso-ldflags.patch
Patch32: nss-3.101-disable-md5.patch
# rhel10 disabled dbm by default
Patch33: nss-no-dbm-man-page.patch
# not upstreamable patch...
Patch34: nss-3.71-fix-lto-gtests.patch
# camellia pkcs12 docs.
Patch35: nss-3.71-camellia-pkcs12-doc.patch
# disable ech
Patch36: nss-3.101-disable-ech.patch
# patches that expect to be upstreamed
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
Patch50: nss-3.79-fips.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
Patch51: nss-3.101-fips-review.patches
Patch52: nss-3.90-pbkdf2-indicator.patch
Patch53: nss-3.101-skip-ocsp-if-not-connected.patch
# ems policy. needs to upstream
Patch60: nss-3.101-add-ems-policy.patch
Patch70: nss-3.90-fips-safe-memset.patch
Patch71: nss-3.101-fips-indicators.patch
Patch72: nss-3.90-aes-gmc-indicator.patch
Patch73: nss-3.90-fips-indicators2.patch
Patch74: nss-3.90-dh-test-update.patch
Patch75: nss-3.90-ppc_no_init.patch
Patch76: nss-3.101-enable-kyber-policy.patch
Patch77: nss-3.101-fix-rsa-policy-test.patch
# RHEL-10 specific
Patch90: nss-3.101-disable_dsa.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1769293
Patch110: nspr-4.34-fix-coverity-loop-issue.patch
Patch120: nspr-4.34-server-passive.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -289,13 +331,15 @@ Header files for doing development with the Netscape Portable Runtime.
%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
%patch 100 -p0 -b .flags
%patch -P 100 -p0 -b .flags
pushd nspr
%patch 101 -p1 -b .gcc-atomics
%autopatch -p 1 -m 101 -M 299
popd
pushd nss
%autopatch -p1 -M 99
# sigh it would be nice if autopatch supported -R
%patch -P 300 -R -p 1
popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
@ -360,6 +404,8 @@ popd
export IN_TREE_FREEBL_HEADERS_FIRST=1
export NSS_FORCE_FIPS=1
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
# Enable compiler optimizations and disable debugging code
export BUILD_OPT=1
@ -548,6 +594,8 @@ export FREEBL_NO_DEPEND=1
export BUILD_OPT=1
export NSS_DISABLE_PPC_GHASH=1
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
@ -907,7 +955,6 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/crmft.h
%{_includedir}/nss3/cryptohi.h
%{_includedir}/nss3/cryptoht.h
%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/jar-ds.h
%{_includedir}/nss3/jar.h
%{_includedir}/nss3/jarfile.h
@ -932,6 +979,7 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/pkcs12t.h
%{_includedir}/nss3/pkcs7t.h
%{_includedir}/nss3/preenc.h
%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/secmime.h
%{_includedir}/nss3/secmod.h
%{_includedir}/nss3/secmodt.h
@ -975,16 +1023,17 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nsshash.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/pkcs11.h
%{_includedir}/nss3/pkcs11f.h
%{_includedir}/nss3/pkcs11n.h
@ -992,6 +1041,7 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/pkcs11t.h
%{_includedir}/nss3/pkcs11u.h
%{_includedir}/nss3/pkcs11uri.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/portreg.h
%{_includedir}/nss3/secasn1.h
%{_includedir}/nss3/secasn1t.h
@ -1009,7 +1059,6 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/utilpars.h
%{_includedir}/nss3/utilparst.h
%{_includedir}/nss3/utilrename.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/templates/templates.c
%files softokn
@ -1044,9 +1093,9 @@ update-crypto-policies &> /dev/null || :
%files softokn-freebl-devel
%{_libdir}/libfreebl.a
%{_includedir}/nss3/alghmac.h
%{_includedir}/nss3/blapi.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/alghmac.h
%{_includedir}/nss3/cmac.h
%{_includedir}/nss3/lowkeyi.h
%{_includedir}/nss3/lowkeyti.h
@ -1085,10 +1134,15 @@ update-crypto-policies &> /dev/null || :
%changelog
* Tue Jun 25 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Update NSS to 3.101.0
- Pick up RHEL FIPS and other patches
- Turn off SEED and DSA
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.97.0-2
- Bump release for June 2024 mass rebuild
* Sun Jan 27 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1
* Sun Jan 28 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1
- Update NSS to 3.97.0
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-3

63
secmod.db.xml
View File

@ -1,63 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="secmod.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>secmod.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmod.db</refname>
<refpurpose>Legacy NSS security modules database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
</para>
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
</para>
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

3
sources
View File

@ -1,4 +1,3 @@
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (nss-3.96.1-with-nspr-4.35.tar.gz) = 7831835936748adb7fdb050f06caea09ddcbf48e9c401bba9df1e405b05658204e1cea7800c565aae742551779ff0d4c9834b686b484055ee569ed3f4546f428
SHA512 (nss-3.97-with-nspr-4.35.tar.gz) = 5153eb99ca3a372dfa89671d2c589675d99755c04760d65280ce694ff5761b2a0502416cb9f0950bb5156c71a5c68491582dcb7a970e65ea0b1082fff0ba0153
SHA512 (nss-3.101-with-nspr-4.35.tar.gz) = 95c8ef1c12e1de7da4d918cebd1d5464b0ff4932083f6d395733345bd9f8598069028793fd1c08f974efcb31129cd84718487fd5326e45a878fba0d8c309bd39