diff --git a/.gitignore b/.gitignore index ff74e46..8a0887e 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,4 @@ TestUser51.cert /nspr-4.34.tar.gz /nspr-4.35.tar.gz /nss-3.90.tar.gz +/NameConstraints_Certs.tar diff --git a/NameConstraints_Certs.tar b/NameConstraints_Certs.tar deleted file mode 100644 index 377a746..0000000 Binary files a/NameConstraints_Certs.tar and /dev/null differ diff --git a/fips_algorithms.h b/fips_algorithms.h index 80d7dcd..d634e0d 100644 --- a/fips_algorithms.h +++ b/fips_algorithms.h @@ -15,11 +15,12 @@ typedef enum { SFTKFIPSECC, /* not just keys but specific curves */ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */ SFTKFIPSRSAPSS, /* make sure salt isn't too big */ - SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSPBKDF2, /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ } SFTKFIPSSpecialClass; /* set according to your security policy */ -#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7 +#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8 typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList; struct SFTKFIPSAlgorithmListStr { @@ -27,6 +28,7 @@ struct SFTKFIPSAlgorithmListStr { CK_MECHANISM_INFO info; CK_ULONG step; SFTKFIPSSpecialClass special; + size_t offset; }; SFTKFIPSAlgorithmList sftk_fips_mechs[] = { @@ -50,7 +52,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define CKF_KPG CKF_GENERATE_KEY_PAIR #define CKF_GEN CKF_GENERATE #define CKF_SGN (CKF_SIGN | CKF_VERIFY) -#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT ) +#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_WRP (CKF_WRAP | CKF_UNWRAP) #define CKF_KEK (CKF_WRAP | CKF_UNWRAP) #define CKF_KEA CKF_DERIVE #define CKF_KDF CKF_DERIVE @@ -101,6 +105,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { /* -------------------- Elliptic Curve Operations --------------------- */ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, @@ -115,10 +120,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD }, - { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD }, + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, /* ------------------------- Hashing Operations ----------------------- */ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, @@ -136,36 +141,41 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, /* ---------------------- SSL/TLS operations ------------------------- */ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHash, + offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, /* ------------------------- HKDF Operations -------------------------- */ - { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, + { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, /* ------------------ NIST 800-108 Key Derivations ------------------- */ - { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, /* --------------------IPSEC ----------------------- */ - { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) }, + { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) }, /* ------------------ PBE Key Derivations ------------------- */ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 }, }; diff --git a/nss-3.90-aes-gmc-indicator.patch b/nss-3.90-aes-gmc-indicator.patch new file mode 100644 index 0000000..612bb9a --- /dev/null +++ b/nss-3.90-aes-gmc-indicator.patch @@ -0,0 +1,42 @@ +diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c +--- a/lib/softoken/sftkmessage.c ++++ b/lib/softoken/sftkmessage.c +@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + ++ if (context->isFIPS && (contextType == CKA_ENCRYPT)) { ++ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) { ++ context->isFIPS = PR_FALSE; ++ } else { ++ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter; ++ switch (p->ivGenerator) { ++ case CKG_NO_GENERATE: ++ context->isFIPS = PR_FALSE; ++ break; ++ case CKG_GENERATE_RANDOM: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) { ++ context->isFIPS = PR_FALSE; ++ } ++ break; ++ default: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) { ++ context->isFIPS = PR_FALSE; ++ } ++ } ++ } ++ } ++ + if (!pOuttext) { + *pulOuttextLen = ulIntextLen; + return CKR_OK; + } + rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen, + maxout, pIntext, ulIntextLen, + pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen); diff --git a/nss-3.90-fips-indicators.patch b/nss-3.90-fips-indicators.patch new file mode 100644 index 0000000..961d64b --- /dev/null +++ b/nss-3.90-fips-indicators.patch @@ -0,0 +1,190 @@ +diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800 +@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C + context->blockSize = 0; + context->maxLen = 0; + context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism, +- operation, key); ++ operation, key, 0); + *contextPtr = context; + return CKR_OK; + } +@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + crv = sftk_handleObject(key, session); + /* we need to do this check at the end, so we can check the generated + * key length against fips requirements */ +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0); + session->lastOpWasFIPS = key->isFIPS; + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { +@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + return crv; + } + /* we need to do this check at the end to make sure the generated key meets the key length requirements */ +- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0); + publicKey->isFIPS = privateKey->isFIPS; + session->lastOpWasFIPS = privateKey->isFIPS; + sftk_FreeSession(session); +@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + return CKR_TEMPLATE_INCONSISTENT; + } + ++ if (!params->bExpand) { ++ keySize = hashLen; ++ } ++ + /* sourceKey is NULL if we are called from the POST, skip the + * sensitiveCheck */ + if (sourceKey != NULL) { +@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + mech.pParameter = params; + mech.ulParameterLen = sizeof(*params); + key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech, +- CKA_DERIVE, saltKey); ++ CKA_DERIVE, saltKey, ++ keySize); + } + saltKeySource = saltKey->source; + saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE); +@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + /* HKDF-Expand */ + if (!params->bExpand) { + okm = prk; +- keySize = genLen = hashLen; ++ genLen = hashLen; + } else { + /* T(1) = HMAC-Hash(prk, "" | info | 0x01) + * T(n) = HMAC-Hash(prk, T(n-1) | info | n +@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + return CKR_KEY_HANDLE_INVALID; + } + } +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey, ++ keySize); + + switch (mechanism) { + /* get a public key from a private key. nsslowkey_ConvertToPublickey() +diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h +--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800 ++++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800 +@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB + /* check the FIPS table to determine if this current operation is allowed by + * FIPS security policy */ + PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, +- CK_ATTRIBUTE_TYPE op, SFTKObject *source); ++ CK_ATTRIBUTE_TYPE op, SFTKObject *source, ++ CK_ULONG targetKeySize); + /* add validation objects to the slot */ + CK_RV sftk_CreateValidationObjects(SFTKSlot *slot); + +diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800 ++++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800 +@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou + static CK_ULONG + sftk_getKeyLength(SFTKObject *source) + { +- CK_KEY_TYPE keyType = CK_INVALID_HANDLE; ++ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE; + CK_ATTRIBUTE_TYPE keyAttribute; + CK_ULONG keyLength = 0; + SFTKAttribute *attribute; +@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source) + return keyLength; + } + ++PRBool ++sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash) ++{ ++ switch (hash) { ++ case CKM_SHA256: ++ case CKG_MGF1_SHA256: ++ case CKM_SHA384: ++ case CKG_MGF1_SHA384: ++ case CKM_SHA512: ++ case CKG_MGF1_SHA512: ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ + /* + * handle specialized FIPS semantics that are too complicated to + * handle with just a table. NOTE: this means any additional semantics + * would have to be coded here before they can be added to the table */ + static PRBool + sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech, +- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source) ++ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source, ++ CK_ULONG keyLength, CK_ULONG targetKeyLength) + { + switch (mechInfo->special) { + case SFTKFIPSDH: { +@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + if (hashObj == NULL) { + return PR_FALSE; + } ++ /* cap the salt for legacy keys */ ++ if ((keyLength <= 1024) && (pss->sLen > 63)) { ++ return PR_FALSE; ++ } ++ /* cap the salt for based on the hash */ + if (pss->sLen > hashObj->length) { + return PR_FALSE; + } +- return PR_TRUE; ++ return sftk_CheckFIPSHash(pss->hashAlg); + } + case SFTKFIPSPBKDF2: { + /* PBKDF2 must have the following addition restrictions +@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + } + return PR_TRUE; + } ++ /* check the hash mechanisms to make sure they themselves are FIPS */ ++ case SFTKFIPSChkHash: ++ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) { ++ return PR_FALSE; ++ } ++ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter) ++ + mechInfo->offset)); + default: + break; + } +@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + + PRBool + sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op, +- SFTKObject *source) ++ SFTKObject *source, CK_ULONG targetKeyLength) + { + #ifndef NSS_HAS_FIPS_INDICATORS + return PR_FALSE; +@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ + SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i]; + /* if we match the number of records exactly, then we are an + * approved algorithm in the approved mode with an approved key */ +- if (((mech->mechanism == mechs->type) && +- (opFlags == (mechs->info.flags & opFlags)) && +- (keyLength <= mechs->info.ulMaxKeySize) && +- (keyLength >= mechs->info.ulMinKeySize) && +- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ if ((mech->mechanism == mechs->type) && ++ (opFlags == (mechs->info.flags & opFlags)) && ++ (keyLength <= mechs->info.ulMaxKeySize) && ++ (keyLength >= mechs->info.ulMinKeySize) && ++ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ ((targetKeyLength == 0) || ++ ((targetKeyLength <= mechs->info.ulMaxKeySize) && ++ (targetKeyLength >= mechs->info.ulMinKeySize) && ++ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) && + ((mechs->special == SFTKFIPSNone) || +- sftk_handleSpecial(slot, mech, mechs, source))) { ++ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) { + return PR_TRUE; + } + } diff --git a/nss-3.90-fips-pkcs11-long-hash.patch b/nss-3.90-fips-pkcs11-long-hash.patch new file mode 100644 index 0000000..7728732 --- /dev/null +++ b/nss-3.90-fips-pkcs11-long-hash.patch @@ -0,0 +1,83 @@ +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -15,10 +15,13 @@ + * keys and their associated Certificates are saved on the token. + * + * In this implementation, session objects are only visible to the session + * that created or generated them. + */ ++ ++#include /* for UINT_MAX and ULONG_MAX */ ++ + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" + #include "blapi.h" + #include "pkcs11.h" +@@ -1954,12 +1957,21 @@ + if (pDigest == NULL) { + *pulDigestLen = context->maxLen; + goto finish; + } + +- /* do it: */ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_Digest takes an unsigned long. */ ++ while (ulDataLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX); ++ pData += UINT_MAX; ++ ulDataLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen); ++ + /* NOTE: this assumes buf size is bigenough for the algorithm */ + (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); + *pulDigestLen = digestLen; + + sftk_TerminateOp(session, SFTK_HASH, context); +@@ -1980,12 +1992,22 @@ + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; +- /* do it: */ ++ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_DigestUpdate takes an unsigned long. */ ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen); ++ + return CKR_OK; + } + + /* NSC_DigestFinal finishes a multiple-part message-digesting operation. */ + CK_RV +@@ -3166,10 +3188,17 @@ + crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + if (context->hashInfo) { ++#if (ULONG_MAX > UINT_MAX) ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen); + } else { + /* must be block cipher MACing */ + + unsigned int blkSize = context->blockSize; + diff --git a/nss-3.90-fips-safe-memset.patch b/nss-3.90-fips-safe-memset.patch new file mode 100644 index 0000000..1503bd9 --- /dev/null +++ b/nss-3.90-fips-safe-memset.patch @@ -0,0 +1,506 @@ +diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c +--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen); + rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv, + outLen); +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_ZFree(newBuf, paddedInputLen); + /* a little overkill, we only need to clear out the length, but this + * is easier to verify we got it all */ +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext + loser: + /* if we failed, make sure we don't return any data to the user */ + if ((rv != SECSuccess) && (output == newBuf)) { +- PORT_Memset(newBuf, 0, paddedLen); ++ PORT_SafeZero(newBuf, paddedLen); + } + /* clear out CSP sensitive data from the heap and stack */ + if (allocBuf) { + PORT_ZFree(allocBuf, paddedLen); + } +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } +diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h +--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800 +@@ -101,10 +101,10 @@ PRBool ppc_crypto_support(); + #ifdef NSS_FIPS_DISABLED + #define BLAPI_CLEAR_STACK(stack_size) + #else +-#define BLAPI_CLEAR_STACK(stack_size) \ +- { \ +- volatile char _stkclr[stack_size]; \ +- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \ ++#define BLAPI_CLEAR_STACK(stack_size) \ ++ { \ ++ volatile char _stkclr[stack_size]; \ ++ PORT_SafeZero((void *)&_stkclr[0], stack_size); \ + } + #endif + +diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c +--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -197,7 +197,7 @@ prng_initEntropy(void) + SHA256_Update(&ctx, block, sizeof(block)); + SHA256_End(&ctx, globalrng->previousEntropyHash, NULL, + sizeof(globalrng->previousEntropyHash)); +- PORT_Memset(block, 0, sizeof(block)); ++ PORT_SafeZero(block, sizeof(block)); + SHA256_DestroyContext(&ctx, PR_FALSE); + return PR_SUCCESS; + } +@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t + } + + out: +- PORT_Memset(hash, 0, sizeof hash); +- PORT_Memset(block, 0, sizeof block); ++ PORT_SafeZero(hash, sizeof hash); ++ PORT_SafeZero(block, sizeof block); + return rv; + } + +@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r + PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry); + SHA256_DestroyContext(&ctx, PR_FALSE); + } +- PORT_Memset(data, 0, sizeof data); +- PORT_Memset(thisHash, 0, sizeof thisHash); ++ PORT_SafeZero(data, sizeof data); ++ PORT_SafeZero(thisHash, sizeof thisHash); + } + + /* +@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng, + PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry); + + /* if the prng failed, don't return any output, signal softoken */ +- PORT_Memset(H, 0, sizeof H); ++ PORT_SafeZero(H, sizeof H); + if (!rng->isValid) { + PORT_Memset(returned_bytes, 0, no_of_returned_bytes); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); +diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c +--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800 +@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt + err = MP_OKAY; + signature->len = dsa_signature_len; + cleanup: +- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN); ++ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt + rv = dsa_SignDigest(key, signature, digest, kSeed); + } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM && + --retries > 0); +- PORT_Memset(kSeed, 0, sizeof kSeed); ++ PORT_SafeZero(kSeed, sizeof kSeed); + return rv; + } + +@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons + verified = SECSuccess; /* Signature verified. */ + } + cleanup: +- PORT_Memset(localDigestData, 0, sizeof localDigestData); ++ PORT_SafeZero(localDigestData, sizeof localDigestData); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c +--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800 +@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns + rv = SECSuccess; + + cleanup: +- PORT_Memset(T, 0, sizeof(T)); ++ PORT_SafeZero(T, sizeof(T)); + return rv; + } + +@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC + if (rv != SECSuccess) { + goto loser; + } +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + gcm->ctr_context_init = PR_TRUE; + return gcm; + + loser: +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + if (ghash && ghash->mem) { + void *mem = ghash->mem; +- PORT_Memset(ghash, 0, sizeof(gcmHashContext)); ++ PORT_SafeZero(ghash, sizeof(gcmHashContext)); + PORT_Free(mem); + } + if (gcm) { +@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u + goto loser; + } + +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + return SECSuccess; + + loser: +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + if (freeCtr) { + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + } +@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig + if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c +--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800 +@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut, + hashObj->end(mdState, mdOut, mdOutLen, mdOutMax); + hashObj->destroy(mdState, PR_TRUE); + +- PORT_Memset(lengthBytes, 0, sizeof lengthBytes); +- PORT_Memset(hmacPad, 0, sizeof hmacPad); +- PORT_Memset(firstBlock, 0, sizeof firstBlock); +- PORT_Memset(macOut, 0, sizeof macOut); ++ PORT_SafeZero(lengthBytes, sizeof lengthBytes); ++ PORT_SafeZero(hmacPad, sizeof hmacPad); ++ PORT_SafeZero(firstBlock, sizeof firstBlock); ++ PORT_SafeZero(macOut, sizeof macOut); + + return SECSuccess; + } +diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c +--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo + void + intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c +--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex + void + ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c +--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -703,7 +703,7 @@ cleanup: + mp_clear(&a); + mp_clear(&z); + mp_clear(&two_length_minus_1); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -859,7 +859,7 @@ cleanup: + mp_clear(&c); + mp_clear(&c0); + mp_clear(&one); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -1072,7 +1072,7 @@ makePfromQandSeed( + CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */ + CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */ + cleanup: +- PORT_Memset(V_j, 0, sizeof V_j); ++ PORT_SafeZero(V_j, sizeof V_j); + mp_clear(&W); + mp_clear(&X); + mp_clear(&c); +@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype, + /* step 11. + * return valid G */ + cleanup: +- PORT_Memset(data, 0, sizeof(data)); ++ PORT_SafeZero(data, sizeof(data)); + if (hashcx) { + hashobj->destroy(hashcx, PR_TRUE); + } +diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c +--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800 +@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo + cx->worker_cx = NULL; + cx->destroy = NULL; + } +- PORT_Memset(cx, 0, sizeof(AESContext)); ++ PORT_SafeZero(cx, sizeof(AESContext)); + if (freeit) { + PORT_Free(mem); + } else { +diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c +--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800 ++++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800 +@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c + /* 2. Compute phi = (p-1)*(q-1) */ + CHECK_MPI_OK(mp_sub_d(p, 1, &psub1)); + CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1)); ++ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + if (needPublicExponent || needPrivateExponent) { +- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + /* 3. Compute d = e**-1 mod(phi) */ + /* or e = d**-1 mod(phi) as necessary */ + if (needPublicExponent) { +@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c + goto cleanup; + } + ++ /* make sure we weren't passed in a d or e = 1 mod phi */ ++ /* just need to check d, because if one is = 1 mod phi, they both are */ ++ CHECK_MPI_OK(mp_mod(d, &phi, &tmp)); ++ if (mp_cmp_d(&tmp, 2) <= 0) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ rv = SECFailure; ++ goto cleanup; ++ } ++ + /* 4. Compute exponent1 = d mod (p-1) */ + CHECK_MPI_OK(mp_mod(d, &psub1, &tmp)); + MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); +@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv + /* Perform a public key operation v = m ** e mod n */ + CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v)); + if (mp_cmp(&v, c) != 0) { ++ /* this error triggers a fips fatal error lock */ ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + rv = SECFailure; + } + cleanup: +diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c +--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800 +@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject * + /* now create the hmac key */ + hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE); + if (hmac == NULL) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + return NULL; + } + HMAC_Begin(hmac); + HMAC_Update(hmac, input, inputLen); + rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash)); + if (rv != SECSuccess) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + HMAC_Destroy(hmac, PR_TRUE); + return NULL; + } +@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject * + * reuse the original context allocated above so we don't + * need to allocate and free another one */ + rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE); +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + if (rv != SECSuccess) { + HMAC_Destroy(hmac, PR_TRUE); + return NULL; +@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha + return rv; + } + PORT_Memcpy(output, hmacLast, left); +- PORT_Memset(hmacLast, 0, sizeof(hmacLast)); ++ PORT_SafeZero(hmacLast, sizeof(hmacLast)); + } + return rv; + } +@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in + outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen), + candidate, outLength); + } +- PORT_Memset(out, 0, sizeof(out)); ++ PORT_SafeZero(out, sizeof(out)); + return outLength; + } + +diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c +--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800 +@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD, + + /* verify the hash against the check file */ + rv = DSA_VerifyDigest(key, signature, &hash); +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return (rv == SECSuccess) ? PR_TRUE : PR_FALSE; + } + #endif +@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + if (rv == SECSuccess) { + result = SECITEM_ItemsAreEqual(signature, &hash); + } +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return result; + } + +@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P + #ifndef NSS_STRICT_INTEGRITY + DSAPublicKey key; + +- PORT_Memset(&key, 0, sizeof(key)); ++ PORT_SafeZero(&key, sizeof(key)); + #endif + + /* If our integrity check was never ran or failed, fail any other +@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P + shFD = NULL; + + loser: +- PORT_Memset(&header, 0, sizeof header); ++ PORT_SafeZero(&header, sizeof header); + if (checkName != NULL) { + PORT_Free(checkName); + } +diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c +--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800 +@@ -82,8 +82,8 @@ loser: + /* clear out state so it's not left on the stack */ + if (cx) + HMAC_Destroy(cx, PR_TRUE); +- PORT_Memset(state, 0, sizeof(state)); +- PORT_Memset(outbuf, 0, sizeof(outbuf)); ++ PORT_SafeZero(state, sizeof(state)); ++ PORT_SafeZero(outbuf, sizeof(outbuf)); + return rv; + } + +diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c +--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800 ++++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800 +@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void) + return; + } + RNG_RandomUpdate(bytes, numBytes); +- PORT_Memset(bytes, 0, sizeof bytes); ++ PORT_SafeZero(bytes, sizeof bytes); + } + + #ifdef NSS_FIPS_140_3 +diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800 +@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + if ((signature_length >= pairwise_digest_length) && + (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { + PORT_Free(signature); +- return CKR_DEVICE_ERROR; ++ return CKR_GENERAL_ERROR; + } + + /* Verify the known hash using the public key. */ +diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h +--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800 +@@ -36,6 +36,9 @@ + #include + + #include ++/* ask for Annex K for memset_s. will set the appropriate #define ++ * if Annex K is supported */ ++#define __STDC_WANT_LIB_EXT1__ 1 + #include + #include + #include +@@ -182,6 +185,39 @@ SEC_END_PROTOS + #endif /*SUNOS4*/ + #define PORT_Memset memset + ++/* there are cases where the compiler optimizes away our attempt to clear ++ * out our stack variables. There are multiple solutions for this problem, ++ * but they aren't universally accepted on all platforms. This attempts ++ * to select the best solution available given our os, compilier, and libc */ ++#ifdef __STDC_LIB_EXT1__ ++/* if the os implements C11 annex K, use memset_s */ ++#define PORT_SafeZero(p, n) memset_s(p, n, 0, n) ++#else ++#ifdef XP_WIN ++/* windows has a secure zero funtion */ ++#define PORT_SafeZero(p, n) SecureZeroMemory(p, n) ++#else ++/* _DEFAULT_SORUCE == BSD source in GCC based environments ++ * if other environmens support explicit_bzero, their defines ++ * should be added here */ ++#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE) ++#define PORT_SafeZero(p, n) explicit_bzero(p, n) ++#else ++/* if the os doesn't support one of the above, but does support ++ * memset_explicit, you can add the definition for memset with the ++ * appropriate define check here */ ++/* define an explicitly implementated Safe zero if the OS ++ * doesn't provide one */ ++#define PORT_SafeZero(p, n) \ ++ if (p != NULL) { \ ++ volatile unsigned char *__vl = (unsigned char *)p; \ ++ size_t __nl = n; \ ++ while (__nl--) *__vl++ = 0; \ ++ } ++#endif /* no explicit_bzero */ ++#endif /* no windows SecureZeroMemory */ ++#endif /* no memset_s */ ++ + #define PORT_Strcasecmp PL_strcasecmp + #define PORT_Strcat strcat + #define PORT_Strchr strchr diff --git a/nss.spec b/nss.spec index b8c826d..68a1e96 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,6 @@ %global nss_version 3.90.0 %global nspr_version 4.35.0 -%global baserelease 3.3 +%global baserelease 4 %global nss_release %baserelease # NOTE: To avoid NVR clashes of nspr* packages: # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when @@ -183,6 +183,10 @@ Patch63: nss-3.90-pbkdf2-indicator.patch Patch70: nss-3.90-add-ems-policy.patch Patch80: blinding_ct.patch +Patch81: nss-3.90-fips-pkcs11-long-hash.patch +Patch82: nss-3.90-fips-safe-memset.patch +Patch83: nss-3.90-fips-indicators.patch +Patch84: nss-3.90-aes-gmc-indicator.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -190,6 +194,7 @@ Patch101: nspr-gcc-atomics.patch Patch110: nspr-4.34-fix-coverity-loop-issue.patch Patch120: nspr-4.34-server-passive.patch + # NSS reverse patches Patch300: nss-3.79-distrusted-certs.patch @@ -1181,6 +1186,16 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Nov 22 2023 Bob Relyea - 3.90.0-3.3 +- FIPS review changes +- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory. +- update the indicators for this release +- allow hashing of longer than int32 values in a single PKCS #11 call. + +* Tue Nov 21 2023 Bob Relyea - 3.90.0-3.3 +- Fix expired certs in tests +- Fix CVE-2023-5388 + * Fri Aug 4 2023 Bob Relyea - 3.90.0-3 - add indicator for pbkdf - fix ems policy bug diff --git a/sources b/sources index 293e348..9c44342 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ +SHA512 (NameConstraints_Certs.tar) = c732fd5e047bb360bafc75d6ea68649b334b7d1eb1ebc1489a4101a446941a5786f819b8ca1442749acbcf020a63b73c9722c9dd5757b00348b77c3fe8203a4d SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f