From 6e0d39adc8a45f580f9b3086f51f957e80e0dd10 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 21 Mar 2023 09:24:15 +0000 Subject: [PATCH] import nss-3.79.0-17.el9_1 --- SOURCES/cve-2023-0767.patch | 92 ++++++ SOURCES/fips_algorithms.h | 43 ++- SOURCES/nss-3.79-fips-review.patches | 320 ++++++++++++++++++ SOURCES/nss-3.79-rsa-pss-salt-fips.patch | 397 +++++++++++++++++++++++ SPECS/nss.spec | 20 +- 5 files changed, 847 insertions(+), 25 deletions(-) create mode 100644 SOURCES/cve-2023-0767.patch create mode 100644 SOURCES/nss-3.79-fips-review.patches create mode 100644 SOURCES/nss-3.79-rsa-pss-salt-fips.patch diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch new file mode 100644 index 0000000..fc5d4fa --- /dev/null +++ b/SOURCES/cve-2023-0767.patch @@ -0,0 +1,92 @@ +diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c +--- a/lib/pkcs12/p12d.c ++++ b/lib/pkcs12/p12d.c +@@ -335,35 +335,42 @@ + sec_PKCS12SafeContentsContext *safeContentsCtx = + (sec_PKCS12SafeContentsContext *)arg; + SEC_PKCS12DecoderContext *p12dcx; + SECStatus rv; + +- /* make sure that we are not skipping the current safeBag, +- * and that there are no errors. If so, just return rather +- * than continuing to process. +- */ +- if (!safeContentsCtx || !safeContentsCtx->p12dcx || +- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { + return; + } + p12dcx = safeContentsCtx->p12dcx; + ++ /* make sure that there are no errors and we are not skipping the current safeBag */ ++ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { ++ goto loser; ++ } ++ + rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); + if (rv != SECSuccess) { + p12dcx->errorValue = PORT_GetError(); ++ p12dcx->error = PR_TRUE; ++ goto loser; ++ } ++ ++ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we ++ * may not get another opportunity to clean up the decoder context. ++ */ ++ if (safeContentsCtx->skipCurrentSafeBag) { + goto loser; + } + + return; + + loser: +- /* set the error, and finish the decoder context. because there ++ /* Finish the decoder context. Because there + * is not a way of returning an error message, it may be worth + * while to do a check higher up and finish any decoding contexts + * that are still open. + */ +- p12dcx->error = PR_TRUE; + SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); + safeContentsCtx->currentSafeBagA1Dcx = NULL; + return; + } + +diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h +--- a/lib/pkcs12/p12t.h ++++ b/lib/pkcs12/p12t.h +@@ -71,10 +71,11 @@ + SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; + sec_PKCS12CertBag *certBag; + sec_PKCS12CRLBag *crlBag; + sec_PKCS12SecretBag *secretBag; + sec_PKCS12SafeContents *safeContents; ++ SECItem *unknownBag; + } safeBagContent; + + sec_PKCS12Attribute **attribs; + + /* used locally */ +diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c +--- a/lib/pkcs12/p12tmpl.c ++++ b/lib/pkcs12/p12tmpl.c +@@ -28,16 +28,16 @@ + + safeBag = (sec_PKCS12SafeBag *)src_or_dest; + + oiddata = SECOID_FindOID(&safeBag->safeBagType); + if (oiddata == NULL) { +- return SEC_ASN1_GET(SEC_AnyTemplate); ++ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); + } + + switch (oiddata->offset) { + default: +- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); ++ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); + break; + case SEC_OID_PKCS12_V1_KEY_BAG_ID: + theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); + break; + case SEC_OID_PKCS12_V1_CERT_BAG_ID: + diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h index 5f6dbe3..6526ec7 100644 --- a/SOURCES/fips_algorithms.h +++ b/SOURCES/fips_algorithms.h @@ -13,7 +13,8 @@ typedef enum { SFTKFIPSNone = 0, SFTKFIPSDH, /* allow only specific primes */ SFTKFIPSECC, /* not just keys but specific curves */ - SFTKFIPSAEAD /* single shot AEAD functions not allowed in FIPS mode */ + SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */ + SFTKFIPSRSAPSS } SFTKFIPSSpecialClass; typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList; @@ -77,21 +78,20 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, /* ------------------------- DSA Operations --------------------------- */ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, /* -------------------- Diffie Hellman Operations --------------------- */ - /* no diffie hellman yet */ { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH }, { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH }, /* -------------------- Elliptic Curve Operations --------------------- */ @@ -131,18 +131,19 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { /* --------------------- Secret Key Operations ------------------------ */ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, /* ---------------------- SSL/TLS operations ------------------------- */ - { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - /* sigh, is this algorithm really tested. ssl doesn't seem to have a - * way of turning the extension off */ { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, @@ -159,15 +160,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, /* --------------------IPSEC ----------------------- */ - { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, /* ------------------ PBE Key Derivations ------------------- */ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone } }; const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs); diff --git a/SOURCES/nss-3.79-fips-review.patches b/SOURCES/nss-3.79-fips-review.patches new file mode 100644 index 0000000..9b8e875 --- /dev/null +++ b/SOURCES/nss-3.79-fips-review.patches @@ -0,0 +1,320 @@ +diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c +--- ./lib/freebl/dh.c.fips-review 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/freebl/dh.c 2023-03-16 11:54:37.839935303 -0700 +@@ -445,7 +445,7 @@ cleanup: + PRBool + KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) + { +- mp_int p, q, y, r; ++ mp_int p, q, y, r, psub1; + mp_err err; + int cmp = 1; /* default is false */ + if (!Y || !prime || !subPrime) { +@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S + MP_DIGITS(&q) = 0; + MP_DIGITS(&y) = 0; + MP_DIGITS(&r) = 0; ++ MP_DIGITS(&psub1) = 0; + CHECK_MPI_OK(mp_init(&p)); + CHECK_MPI_OK(mp_init(&q)); + CHECK_MPI_OK(mp_init(&y)); + CHECK_MPI_OK(mp_init(&r)); ++ CHECK_MPI_OK(mp_init(&psub1)); + SECITEM_TO_MPINT(*prime, &p); + SECITEM_TO_MPINT(*subPrime, &q); + SECITEM_TO_MPINT(*Y, &y); ++ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); ++ /* ++ * We check that the public value isn't zero (which isn't in the ++ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We ++ * also check that the public value is less than p, to avoid being fooled ++ * by values like p+1 or 2*p-1. ++ * This check is required by SP-800-56Ar3. It's also done in derive, ++ * but this is only called in various FIPS cases, so put it here to help ++ * reviewers find it. ++ */ ++ if (mp_cmp_d(&y, 1) <= 0 || ++ mp_cmp(&y, &psub1) >= 0) { ++ err = MP_BADARG; ++ goto cleanup; ++ } + /* compute r = y**q mod p */ + CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); + /* compare to 1 */ +@@ -472,6 +489,7 @@ cleanup: + mp_clear(&q); + mp_clear(&y); + mp_clear(&r); ++ mp_clear(&psub1); + if (err) { + MP_TO_SEC_ERROR(err); + return PR_FALSE; +diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.fips-review 2023-03-16 11:53:04.703068972 -0700 ++++ ./lib/softoken/pkcs11c.c 2023-03-16 11:55:23.498360007 -0700 +@@ -4780,6 +4780,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + * handle the base object stuff + */ + crv = sftk_handleObject(key, session); ++ /* we need to do this check at the end, so we can check the generated ++ * key length against fips requirements */ ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); ++ session->lastOpWasFIPS = key->isFIPS; + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL)); +@@ -4787,9 +4791,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) { + crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL)); + } +- /* we need to do this check at the end, so we can check the generated key length against +- * fips requirements */ +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); + if (crv == CKR_OK) { + *phKey = key->handle; + } +@@ -5093,60 +5094,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + + if (isDerivable) { + SFTKAttribute *pubAttribute = NULL; +- CK_OBJECT_HANDLE newKey; + PRBool isFIPS = sftk_isFIPS(slot->slotID); +- CK_RV crv2; +- CK_OBJECT_CLASS secret = CKO_SECRET_KEY; +- CK_KEY_TYPE generic = CKK_GENERIC_SECRET; +- CK_ULONG keyLen = 128; +- CK_BBOOL ckTrue = CK_TRUE; +- CK_ATTRIBUTE template[] = { +- { CKA_CLASS, &secret, sizeof(secret) }, +- { CKA_KEY_TYPE, &generic, sizeof(generic) }, +- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, +- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) } +- }; +- CK_ULONG templateCount = PR_ARRAY_SIZE(template); +- CK_ECDH1_DERIVE_PARAMS ecParams; ++ NSSLOWKEYPrivateKey *lowPrivKey = NULL; ++ ECPrivateKey *ecPriv; ++ SECItem *lowPubValue = NULL; ++ SECItem item; ++ SECStatus rv; + + crv = CKR_OK; /*paranoia, already get's set before we drop to the end */ +- /* FIPS 140-2 requires we verify that the resulting key is a valid key. +- * The easiest way to do this is to do a derive operation, which checks +- * the validity of the key */ +- ++ /* FIPS 140-3 requires we verify that the resulting key is a valid key ++ * by recalculating the public can an compare it to our own public ++ * key. */ ++ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv); ++ if (lowPrivKey == NULL) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ /* recalculate the public key from the private key */ + switch (keyType) { +- case CKK_DH: +- mech.mechanism = CKM_DH_PKCS_DERIVE; +- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); +- if (pubAttribute == NULL) { +- return CKR_DEVICE_ERROR; +- } +- mech.pParameter = pubAttribute->attrib.pValue; +- mech.ulParameterLen = pubAttribute->attrib.ulValueLen; +- break; +- case CKK_EC: +- mech.mechanism = CKM_ECDH1_DERIVE; +- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); +- if (pubAttribute == NULL) { +- return CKR_DEVICE_ERROR; +- } +- ecParams.kdf = CKD_NULL; +- ecParams.ulSharedDataLen = 0; +- ecParams.pSharedData = NULL; +- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen; +- ecParams.pPublicData = pubAttribute->attrib.pValue; +- mech.pParameter = &ecParams; +- mech.ulParameterLen = sizeof(ecParams); +- break; +- default: +- return CKR_DEVICE_ERROR; ++ case CKK_DH: ++ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime, ++ &lowPrivKey->u.dh.privateValue, &item, 0); ++ if (rv != SECSuccess) { ++ return CKR_GENERAL_ERROR; ++ } ++ lowPubValue = SECITEM_DupItem(&item); ++ SECITEM_ZfreeItem(&item, PR_FALSE); ++ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); ++ break; ++ case CKK_EC: ++ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv, ++ lowPrivKey->u.ec.privateValue.data, ++ lowPrivKey->u.ec.privateValue.len); ++ if (rv != SECSuccess) { ++ return CKR_GENERAL_ERROR; ++ } ++ /* make sure it has the same encoding */ ++ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || ++ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) { ++ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue); ++ } else { ++ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue, ++ SEC_ASN1_GET(SEC_OctetStringTemplate));; ++ } ++ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); ++ /* clear out our generated private key */ ++ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE); ++ break; ++ default: ++ return CKR_DEVICE_ERROR; + } +- +- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey); +- if (crv != CKR_OK) { +- sftk_FreeAttribute(pubAttribute); +- return crv; ++ /* now compare new public key with our already generated key */ ++ if ((pubAttribute == NULL) || (lowPubValue == NULL) || ++ (pubAttribute->attrib.ulValueLen != lowPubValue->len) || ++ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data, ++ lowPubValue->len) != 0)) { ++ if (pubAttribute) sftk_FreeAttribute(pubAttribute); ++ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE); ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ return CKR_GENERAL_ERROR; + } ++ SECITEM_ZfreeItem(lowPubValue, PR_TRUE); ++ + /* FIPS requires full validation, but in fipx mode NSC_Derive + * only does partial validation with approved primes, now handle + * full validation */ +@@ -5166,18 +5174,41 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + } + crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME); + /* we ignore the return code an only look at the length */ +- if (subPrime.len == 0) { +- /* subprime not supplied, In this case look it up. +- * This only works with approved primes, but in FIPS mode +- * that's the only kine of prime that will get here */ +- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS); +- if (subPrimePtr == NULL) { +- crv = CKR_GENERAL_ERROR; ++ /* do we have a known prime ? */ ++ subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS); ++ if (subPrimePtr == NULL) { ++ if (subPrime.len == 0) { ++ /* if not a known prime, subprime must be supplied */ ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; ++ } else { ++ /* not a known prime, check for primality of prime ++ * and subPrime */ ++ if (!KEA_PrimeCheck(&prime)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ if (!KEA_PrimeCheck(&subPrime)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } + } ++ subPrimePtr = &subPrime; ++ } else { ++ if (subPrime.len != 0) { ++ /* we have a known prime and a supplied subPrime, ++ * make sure the subPrime matches the subPrime for ++ * the known Prime */ ++ if ((subPrimePtr->len != subPrimeLen) || ++ (PORT_Memcmp(subPrimePtr->data, subPrime.data, ++ subPrime.len) != 0)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ } + } + if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) { +- crv = CKR_GENERAL_ERROR; ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; + } + done: + SECITEM_ZfreeItem(&subPrime, PR_FALSE); +@@ -5185,13 +5216,9 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + } + /* clean up before we return */ + sftk_FreeAttribute(pubAttribute); +- crv2 = NSC_DestroyObject(hSession, newKey); + if (crv != CKR_OK) { + return crv; + } +- if (crv2 != CKR_OK) { +- return crv2; +- } + } + + return CKR_OK; +@@ -5709,8 +5736,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + * created and linked. + */ + crv = sftk_handleObject(publicKey, session); +- sftk_FreeSession(session); + if (crv != CKR_OK) { ++ sftk_FreeSession(session); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); +@@ -5752,6 +5779,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + } + + if (crv != CKR_OK) { ++ sftk_FreeSession(session); + NSC_DestroyObject(hSession, publicKey->handle); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); +@@ -5761,6 +5789,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + /* we need to do this check at the end to make sure the generated key meets the key length requirements */ + privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); + publicKey->isFIPS = privateKey->isFIPS; ++ session->lastOpWasFIPS = privateKey->isFIPS; ++ sftk_FreeSession(session); + + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; +@@ -8563,6 +8593,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + secretlen = tmp.len; + } else { + secretlen = keySize; ++ key->isFIPS = PR_FALSE; + crv = sftk_ANSI_X9_63_kdf(&secret, keySize, + &tmp, mechParams->pSharedData, + mechParams->ulSharedDataLen, mechParams->kdf); +diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c +--- ./lib/softoken/pkcs11.c.fips-review 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/softoken/pkcs11.c 2023-03-16 11:54:37.840935312 -0700 +@@ -4599,7 +4599,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess + if (object == NULL) { + return CKR_HOST_MEMORY; + } +- object->isFIPS = PR_FALSE; /* if we created the object on the fly, ++ /* object types that we aren't allowed to create in FIPS mode are ++ * already rejected explicitly. If we get here, then the object is ++ * FIPS OK (most notably public key objects )*/ ++ /* object->isFIPS = PR_FALSE; if we created the object on the fly, + * it's not a FIPS object */ + + /* +diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c +--- ./lib/softoken/sftkike.c.fips-review 2022-05-26 02:54:33.000000000 -0700 ++++ ./lib/softoken/sftkike.c 2023-03-16 11:54:37.840935312 -0700 +@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession, + goto fail; + } + } else { ++ /* ikev1 isn't validated, if we use this function in ikev1 mode, ++ * mark the resulting key as not FIPS */ ++ if (!params->bRekey) { ++ outKey->isFIPS = PR_FALSE; ++ } + crv = prf_init(&context, inKey->attrib.pValue, + inKey->attrib.ulValueLen); + if (crv != CKR_OK) { diff --git a/SOURCES/nss-3.79-rsa-pss-salt-fips.patch b/SOURCES/nss-3.79-rsa-pss-salt-fips.patch new file mode 100644 index 0000000..660ecbc --- /dev/null +++ b/SOURCES/nss-3.79-rsa-pss-salt-fips.patch @@ -0,0 +1,397 @@ +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -232,57 +232,26 @@ NSC_DestroyObject(CK_SESSION_HANDLE hSes + * be in the data base. + */ + status = sftk_FreeObject(object); + + return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR; + } + + /* +- ************** Crypto Functions: Utilities ************************ +- */ +-/* +- * Utility function for converting PSS/OAEP parameter types into +- * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447. +- */ +-static HASH_HashType +-GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech) +-{ +- switch (mech) { +- case CKM_SHA_1: +- case CKG_MGF1_SHA1: +- return HASH_AlgSHA1; +- case CKM_SHA224: +- case CKG_MGF1_SHA224: +- return HASH_AlgSHA224; +- case CKM_SHA256: +- case CKG_MGF1_SHA256: +- return HASH_AlgSHA256; +- case CKM_SHA384: +- case CKG_MGF1_SHA384: +- return HASH_AlgSHA384; +- case CKM_SHA512: +- case CKG_MGF1_SHA512: +- return HASH_AlgSHA512; +- default: +- return HASH_AlgNULL; +- } +-} +- +-/* + * Returns true if "params" contains a valid set of PSS parameters + */ + static PRBool + sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params) + { + if (!params) { + return PR_FALSE; + } +- if (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL || +- GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) { ++ if (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL || ++ sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) { + return PR_FALSE; + } + return PR_TRUE; + } + + /* + * Returns true if "params" contains a valid set of OAEP parameters + */ +@@ -293,18 +262,18 @@ sftk_ValidateOaepParams(const CK_RSA_PKC + return PR_FALSE; + } + /* The requirements of ulSourceLen/pSourceData come from PKCS #11, which + * state: + * If the parameter is empty, pSourceData must be NULL and + * ulSourceDataLen must be zero. + */ + if (params->source != CKZ_DATA_SPECIFIED || +- (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) || +- (GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) || ++ (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) || ++ (sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) || + (params->ulSourceDataLen == 0 && params->pSourceData != NULL) || + (params->ulSourceDataLen != 0 && params->pSourceData == NULL)) { + return PR_FALSE; + } + return PR_TRUE; + } + + /* +@@ -606,18 +575,18 @@ sftk_RSAEncryptOAEP(SFTKOAEPInfo *info, + HASH_HashType maskHashAlg; + + PORT_Assert(info->key.pub->keyType == NSSLOWKEYRSAKey); + if (info->key.pub->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + +- hashAlg = GetHashTypeFromMechanism(info->params.hashAlg); +- maskHashAlg = GetHashTypeFromMechanism(info->params.mgf); ++ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg); ++ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf); + + return RSA_EncryptOAEP(&info->key.pub->u.rsa, hashAlg, maskHashAlg, + (const unsigned char *)info->params.pSourceData, + info->params.ulSourceDataLen, NULL, 0, + output, outputLen, maxLen, input, inputLen); + } + + static SECStatus +@@ -630,18 +599,18 @@ sftk_RSADecryptOAEP(SFTKOAEPInfo *info, + HASH_HashType maskHashAlg; + + PORT_Assert(info->key.priv->keyType == NSSLOWKEYRSAKey); + if (info->key.priv->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + +- hashAlg = GetHashTypeFromMechanism(info->params.hashAlg); +- maskHashAlg = GetHashTypeFromMechanism(info->params.mgf); ++ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg); ++ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf); + + rv = RSA_DecryptOAEP(&info->key.priv->u.rsa, hashAlg, maskHashAlg, + (const unsigned char *)info->params.pSourceData, + info->params.ulSourceDataLen, + output, outputLen, maxLen, input, inputLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } +@@ -2646,18 +2615,18 @@ sftk_RSASignPSS(SFTKPSSSignInfo *info, u + CK_RSA_PKCS_PSS_PARAMS *params = &info->params; + + PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey); + if (info->key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + +- hashAlg = GetHashTypeFromMechanism(params->hashAlg); +- maskHashAlg = GetHashTypeFromMechanism(params->mgf); ++ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg); ++ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf); + + rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL, + params->sLen, sig, sigLen, maxLen, hash, hashLen); + if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { + sftk_fatalError = PR_TRUE; + } + return rv; + } +@@ -3021,17 +2990,17 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, + tlsPrfHash = HASH_AlgNULL; + if (tls12_mac_params->ulMacLength != 12) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } else { + /* The hash function for the TLS 1.2 PRF */ + tlsPrfHash = +- GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism); ++ sftk_GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL || + tls12_mac_params->ulMacLength < 12) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } + if (tls12_mac_params->ulServerOrClient == 1) { + label = "server finished"; +@@ -3539,18 +3508,18 @@ sftk_RSACheckSignPSS(SFTKPSSVerifyInfo * + CK_RSA_PKCS_PSS_PARAMS *params = &info->params; + + PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey); + if (info->key->keyType != NSSLOWKEYRSAKey) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + +- hashAlg = GetHashTypeFromMechanism(params->hashAlg); +- maskHashAlg = GetHashTypeFromMechanism(params->mgf); ++ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg); ++ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf); + + return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, + params->sLen, sig, sigLen, digest, digestLen); + } + + /* NSC_VerifyInit initializes a verification operation, + * where the signature is an appendix to the data, + * and plaintext cannot be recovered from the signature (e.g. DSA) */ +@@ -6951,17 +6920,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + unsigned genLen = 0; + unsigned char hashbuf[HASH_LENGTH_MAX]; + unsigned char keyBlock[9 * SFTK_MAX_MAC_LENGTH]; + unsigned char *keyBlockAlloc = NULL; /* allocated keyBlock */ + unsigned char *keyBlockData = keyBlock; /* pointer to current keyBlock */ + const unsigned char *prk; /* psuedo-random key */ + CK_ULONG prkLen; + const unsigned char *okm; /* output keying material */ +- HASH_HashType hashType = GetHashTypeFromMechanism(params->prfHashMechanism); ++ HASH_HashType hashType = sftk_GetHashTypeFromMechanism(params->prfHashMechanism); + SFTKObject *saltKey = NULL; + CK_RV crv = CKR_OK; + + /* Spec says it should be the base hash, but also accept the HMAC */ + if (hashType == HASH_AlgNULL) { + hashType = sftk_HMACMechanismToHash(params->prfHashMechanism); + } + rawHash = HASH_GetRawHashObject(hashType); +@@ -7389,17 +7358,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) || + (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master = + (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)pMechanism->pParameter; +- tlsPrfHash = GetHashTypeFromMechanism(tls12_master->prfHashMechanism); ++ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_master->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) || + (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) { + tlsPrfHash = HASH_AlgSHA256; + } +@@ -7607,17 +7576,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + break; + } + + status = TLS_PRF(&pms, "extended master secret", + &seed, &master, isFIPS); + } else { + const SECHashObject *hashObj; + +- tlsPrfHash = GetHashTypeFromMechanism(ems_params->prfHashMechanism); ++ tlsPrfHash = sftk_GetHashTypeFromMechanism(ems_params->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + + hashObj = HASH_GetRawHashObject(tlsPrfHash); + if (seed.len != hashObj->length) { + crv = CKR_TEMPLATE_INCONSISTENT; +@@ -7665,17 +7634,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + + if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) { + if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_KEY_MAT_PARAMS))) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + CK_TLS12_KEY_MAT_PARAMS *tls12_keys = + (CK_TLS12_KEY_MAT_PARAMS *)pMechanism->pParameter; +- tlsPrfHash = GetHashTypeFromMechanism(tls12_keys->prfHashMechanism); ++ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_keys->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } + } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) { + tlsPrfHash = HASH_AlgSHA256; + } + +diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h +--- a/lib/softoken/pkcs11i.h ++++ b/lib/softoken/pkcs11i.h +@@ -908,16 +908,19 @@ sftk_MACConstantTimeCtx *sftk_HMACConsta + sftk_MACConstantTimeCtx *sftk_SSLv3MACConstantTime_New( + CK_MECHANISM_PTR mech, SFTKObject *key); + void sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len); + void sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len); + void sftk_MACConstantTime_EndHash( + void *pctx, void *out, unsigned int *outLength, unsigned int maxLength); + void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool); + ++/* Crypto Utilities */ ++HASH_HashType sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech); ++ + /**************************************** + * implement TLS Pseudo Random Function (PRF) + */ + + extern CK_RV + sftk_TLSPRFInit(SFTKSessionContext *context, + SFTKObject *key, + CK_KEY_TYPE key_type, +diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c +--- a/lib/softoken/pkcs11u.c ++++ b/lib/softoken/pkcs11u.c +@@ -95,16 +95,17 @@ CK_RV + sftk_MapVerifyError(int error) + { + CK_RV crv = sftk_MapCryptError(error); + if (crv == CKR_DEVICE_ERROR) + crv = CKR_SIGNATURE_INVALID; + return crv; + } + ++ + /* + * ******************** Attribute Utilities ******************************* + */ + + /* + * create a new attribute with type, value, and length. Space is allocated + * to hold value. + */ +@@ -2243,17 +2244,49 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE + flags = CKF_MESSAGE_VERIFY; + break; + default: + break; + } + return flags; + } + ++/* ++ * ******************** Hash Utilities ************************** ++ */ ++/* ++ * Utility function for converting PSS/OAEP parameter types into ++ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447. ++ */ ++HASH_HashType ++sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech) ++{ ++ switch (mech) { ++ case CKM_SHA_1: ++ case CKG_MGF1_SHA1: ++ return HASH_AlgSHA1; ++ case CKM_SHA224: ++ case CKG_MGF1_SHA224: ++ return HASH_AlgSHA224; ++ case CKM_SHA256: ++ case CKG_MGF1_SHA256: ++ return HASH_AlgSHA256; ++ case CKM_SHA384: ++ case CKG_MGF1_SHA384: ++ return HASH_AlgSHA384; ++ case CKM_SHA512: ++ case CKG_MGF1_SHA512: ++ return HASH_AlgSHA512; ++ default: ++ return HASH_AlgNULL; ++ } ++} ++ + #ifdef NSS_HAS_FIPS_INDICATORS ++/**************** FIPS Indicator Utilities *************************/ + /* sigh, we probably need a version of this in secutil so that both + * softoken and NSS can use it */ + static SECOidTag + sftk_quickGetECCCurveOid(SFTKObject *source) + { + SFTKAttribute *attribute = sftk_FindAttribute(source, CKA_EC_PARAMS); + unsigned char *encoded; + int len; +@@ -2379,16 +2412,39 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + if (mech->ulParameterLen == 0) { + /* AEAD ciphers are only in FIPS mode if we are using the + * MESSAGE interface. This takes an empty parameter + * in the init function */ + return PR_TRUE; + } + return PR_FALSE; + } ++ case SFTKFIPSRSAPSS: { ++ /* PSS salt must not be greater than the length of the ++ * underlying hash. We verify that the underlying hash of the ++ * parameters matches Hash of the combined hash mechanisms, so ++ * we don't need to look at the specific PSS mechanism */ ++ CK_RSA_PKCS_PSS_PARAMS *pss = (CK_RSA_PKCS_PSS_PARAMS *) ++ mech->pParameter; ++ const SECHashObject *hashObj = NULL; ++ if (mech->ulParameterLen != sizeof(*pss)) { ++ return PR_FALSE; ++ } ++ /* we use the existing hash utilities to find the length of ++ * the hash */ ++ hashObj = HASH_GetRawHashObject(sftk_GetHashTypeFromMechanism( ++ pss->hashAlg)); ++ if (hashObj == NULL) { ++ return PR_FALSE; ++ } ++ if (pss->sLen > hashObj->length) { ++ return PR_FALSE; ++ } ++ return PR_TRUE; ++ } + default: + break; + } + /* if we didn't understand the special processing, mark it non-fips */ + return PR_FALSE; + } + #endif + diff --git a/SPECS/nss.spec b/SPECS/nss.spec index fad31af..8dd0c18 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,6 +1,6 @@ %global nss_version 3.79.0 %global nspr_version 4.34.0 -%global baserelease 14 +%global baserelease 17 %global nss_release %baserelease # NOTE: To avoid NVR clashes of nspr* packages: # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when @@ -175,6 +175,12 @@ Patch55: nss-3.79-enable-POST-rerun.patch Patch56: nss-3.79-increase-pbe-cache.patch Patch57: nss-3.79-pkcs12-fix-null-password.patch Patch58: nss-3.79-fips.patch +Patch60: nss-3.79-rsa-pss-salt-fips.patch +Patch61: nss-3.79-fips-review.patches + +# cve 2023-0767, remove on rebase to nss 3.88.1 or later +# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640 +Patch70: cve-2023-0767.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1165,6 +1171,18 @@ update-crypto-policies &> /dev/null || : %changelog +* Thu Mar 16 2023 Bob Relyea - 3.79.0-17 +- fix consistency return errors. We shouldn't lock the FIPS + token if the application asked for invalid DH parameters on + on keygen. + +* Mon Mar 13 2023 Bob Relyea - 3.79.0-16 +- Add check for RSA PSS Salt required by FIPS +- Update fips_algorithms.sh according to the review. + +* Thu Mar 2 2023 Bob Relyea - 3.79.0-15 +- Fix CVE-2023-0767 + * Wed Aug 24 2022 Bob Relyea - 3.79.0-14 - Update fips_algorithms.h to match the final FIPS requirements - Disable delegated credentials