From 78737bcfaab756c75387d6bfdaaf72dedda4f971 Mon Sep 17 00:00:00 2001 From: Robert Relyea Date: Tue, 5 Dec 2023 09:25:50 -0800 Subject: [PATCH] Resolves: RHEL-17216 Incorporate Lab FIPS review requests. --- .gitignore | 1 + NameConstraints_Certs.tar | Bin 51200 -> 0 bytes fips_algorithms.h | 66 ++-- nss-3.90-aes-gmc-indicator.patch | 42 +++ nss-3.90-fips-indicators.patch | 190 ++++++++++ nss-3.90-fips-pkcs11-long-hash.patch | 83 +++++ nss-3.90-fips-safe-memset.patch | 506 +++++++++++++++++++++++++++ nss.spec | 17 +- sources | 1 + 9 files changed, 877 insertions(+), 29 deletions(-) delete mode 100644 NameConstraints_Certs.tar create mode 100644 nss-3.90-aes-gmc-indicator.patch create mode 100644 nss-3.90-fips-indicators.patch create mode 100644 nss-3.90-fips-pkcs11-long-hash.patch create mode 100644 nss-3.90-fips-safe-memset.patch diff --git a/.gitignore b/.gitignore index ff74e46..8a0887e 100644 --- a/.gitignore +++ b/.gitignore @@ -69,3 +69,4 @@ TestUser51.cert /nspr-4.34.tar.gz /nspr-4.35.tar.gz /nss-3.90.tar.gz +/NameConstraints_Certs.tar diff --git a/NameConstraints_Certs.tar b/NameConstraints_Certs.tar deleted file mode 100644 index 377a746411fe7dcca94b78dab46ba78d6e9ca48d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 51200 zcmeI51yohp_xS1VE+wVo(cRrC-S7ydq(teE4hca(LXhr|5S8w*2@wPY0ZA1JCH{{A zzoX0y0-`g&^?$6zg7a>jx6i(xz3<-poa+p9a&}^|u{L$MXzj*g26P0qluT@a;`Vk< z&W1sbyNQ*Riw%O6gOimNz{bYT2HMWX z%ErzLK?XSK1&?!_i<7g7BN-Wlqa)Df3ee;q5B<^he?0KNy#e3{We4zs97uTxo-yRYc0@^nM0^l106FD7HB#}1=10WzsvR3qwkG=qYMgn-Nh0GL4ofM^^j0~xq31_=oR0}TZM4?qEl z^b9r(EC3o3atDCC+d|*n1PS-;7Xl3@H0YZ|Q1z$Q`oa}pX(q(sKM+@Qn~)THIrtF& zJ_nO=L%UVI#d=74rb?!u``U(6`knT1#VC?@F0$}1F52p7YrhP88o|YO??Qe#`=ye0 zTQ1^ii9nIJ7O)=1GG?zQVCjpRUcq$YaXT+Hb=^!@vg9o53dSsM8sQL+$Me0{%!P?6 zhw|UPAO3&qo%0d+Z*FGoX7#T05~~0MK@K zK*EMsQDjkO z!Is(5-o=&K!g1e5@a)?No;@4!XA>a$O*cW7YTs-jU_*(EvZ4Tx_PPWuWpB@l55V1R zL1Uv?*xNG$-Ars9Y=FC$@PnlI_S^4T06$1{2+-$9P=1h*5Dj8!S1u^1U<5J0(Q8W( zmL^CDpkD7uOXpu`snyK4>%7o8nVEM%wk(5rhl+;&Cd

6?ogCn5sa9i*godezf&b z@v>4Rg7Q9OqTRvxTL`fZNHVe^qGL{%BGP7cvw{Q&r$#+i!lm30FL&%f$dhdK$6(Y2 zC?GOyv?5Kl$>(*}S+7RN7Te(%FOz1z>FyO~LQB={O)&~@AR5$uQ+zYA>|D9?$ab}-ld^v^~Ju3_H@fea7~6v&19 z(+EM=d@IvkBeW|@hi9(M#VfuWcV58QeTkM@_OS2Kt>%Q$WBg*?@z4S_bK;}_YD>Cw z&n;8wJC9}gFJkeyM97*GnG1}q@p38XFsZfQoTMtOdca?BCp-ELUd_7vD)jJdO`>Sc zQWjgg9MkAaUVjxEW)p36jK>!tc7(eJYi*XbEOj9RE{0pLYQeXz>S z0wOk;xZoC{Ff-tie#gCilxrNB|E4zfW*2`I|5^XSe*im}|3?|WpWO$>L{{~7*^eMSD>lgc6dCjj8>@gMzL{+rp`{?GvA3)ZXJ3Gpju;;iw6vTv(Q4zO!F zOg1iTQKI3KRVYwZZr5284-#BA#~cdm9=WBirPBXFv7wueXQl$a3#aDuSnIlLKleiX z1w=icJYij=ZQ(6r1s%l=(svKz%4y-w_;EhUqN|y|g6<(uz1jp!MzAAobB$sxykg+f zuZhlH$w!?7Dc8`~)mX2Csz$+|qDZlERo<&o9bur3c}@a=otg$gU*Gf{7`RN0Q9MHL;3Yof_1N`0Nz15Ho5+f z7|%hA%JM15&+JGs*`!x>T~%gm(;q2zuXH!|M5E;V7_Mv0))E%;p6SA+Spz~{=0|kX zeToE}Voy8jJ|hL(g?JN6rDoMcd!F4o;XY+yn7u3oN}fLa*l?~PUzR|a5nASTuW5CB zAshQ#JHbVVX52zXgv?3gdTZn@i%cuil4gI6{vQACS_2pYSzSQgn}zP`fTd-ug%>VQ zRMMG<%?Nb@c@vj9)Q#1LgFQ!Z@8OpUQIPpw;zLgZ;(slO|F{3g|BwG|{(p@T?fd_KHvcnr>PHU|W%1`z z2De|E8ecY-s1N0?82+4>;!$4GSd_Qo0_>y{DiPyCfK!yV$lqy*HF8zRY+u2vB*c??U|7=5! z70KFti140dLO@OmCoaNZ2xL?xjMkA4Uzu3TkZ5DkA%DClmo*ug|1M1)+1B~Def@5q`aDXZ|dcf`oX=!Nvo zjZdu_Jmd9_qAk(LsBto-Mu+oCP!%s)1MfTLwpYRx-a9x@^Y3Qg92pt z;^jXIw0sP6mK|Dg`j-}Vr% z`Z#g_a{$UcpPOVi?!TL1BKu#83208HW^eyZB7l28$iuxCJ?-xdhiZESYd_Q7f{D|D(3aAa$iY+QW9&H=ngKs0z~%v0NL8Yii}u zQzeBqGxA}dz7X~0G12PtQP(l7<@I>x^OL#_KK#cL*yH~X62PD=FwoH!Xl`xd3}ie0 zL%c0l$U z#UeXG9@y@bdvg{*vez5jzv&Gb8{jbh56c$fYIA4>6JjL1<^s?U7$rOiRxJ(@m3zS) zdx?33dL5tc0c0M!%7#Tn)XE|%saox*D&419xRLr!;dgD@UGdi8Ff-~+@p=BUcQ%aqF5rqi`vwlhz^zA=C2V1@bNH*n4q~iNE+hz8TFL> zXi!F&`Kqh*)7K&>wIY1^*O9I9F7N>X0K}vYhevMSR^gwXB6A9BtF=03F-@Q3{01I z1vVC{vph;Uo9Fj@eZia4>iHaun%Fs@q;x~d2%ZVYfY0OEi?wH%Ovd9)r}gXe`tE(! zchy6Ol?`%4iyJn3BB#gyadVtyQY>T-`&R*Of9Lkg?797-0O52&0IDDIH~9?!;~jbc z?Kk$*#p!DUlp{AY`94Q}yypZO+64>cfDrRaFBngt{tLMD0-S-_adA3Se1ta9S2iKh z$wFM@r5|E2nRsZ)N}l`88@epUs>eNY)T*|gsT3&+RaMy3Y~exGSL;@Tx7Vr~=Po6R z4i%S6yzJ=AZ4JLD476-Tm5U~hSo~5{Ji_o;gY)u>^%Vs-jX_U*>Y!r#|KAMLFZ&n7em#)?-?Gnt5H+&n4^351MQCu3bc2}i1YqKX$h6=?4GX9YPtc|8+L(L2#C zgX_<{p&XvFuDX2B*4?^lSRg(xT#; z(PloXofQX?!;-;g8ljyLj_HA5z8}#~r&!ss;}po&tOsRLLCrrpY(Nw-QdMPzbTi(_ z(-abxH^QLSHan9tCP`0S6({1Io6Y5f&LnJ&1wJvE^UL_#=cZ>`M9VUa2b4T7#|A>t zN|q_yewxW3Q}NE`MpGmbU18KO(_8R~Pe%gB=0E2z;6G??!1wk4Apf5O%>UCF;ls}Y z;=eJ7|DF5%7y6I$U-1zBV*=23oq8l}1Z8I{prf**CF{=^f$A#a_i3Eds5{s7#YPBu zc6Nwo-rLwze!z8@A5kqola*2)Kq9Ydz-=6iggiLx;53BWtgJG;u!X=S{^lcuxY!T(tGXj!wWuFQAwjuMslnB@glZX$@LqfF@`R4XbA$Hl{RB2-h8sA|L zy_2NZUrdZ<8Cu(h8${NDgRclqmckWm4fZjp*AErJwONvol z)EK={)UDjisNc3a2I(8C*JGjBn9LVRPhUXO>XT`NK}|_CdD+13a18`+{Wm3WZ2oio z3jVW$`Ts8|0f_%bApUpk^I!M}{Qs`1@|Wd*zdHQ;`QJaA0EOf6|Ij!O*P(HqcZNe; z`116h=he>&NYkJM-;jO&4k}2&#s}SbIe@c}gdnMPd0cvy*k<8QD!aZ_ombAQv`a3J zcsG}Q3%B6ph8=fAOTSp*WL-1qQ!gdkR6&k5#SYQW!5d~!LDPT7^Qd2#{+?!gl2I0l zj{ZZxh)0^KGOUr94bN6rIqoxYx4k|+{2M-jemw_$Q=2-~Gdg@27GH|XQ#x8?Wo5F& z0ROEEM~6ym2crGB1(OS5L(_oE`GCiCC7%?AnIYCm@R6sY`;w#qhac(Jp1#GlCT$%X2OI)3wi zNwdM1J&FX5&Hv-$|A+OTpjp2M`Ogk22?fvpJ<0(7-f?Su(tG#-qu#h}gQ#u2?Viz+q2?LaO(;D@iT&o(#| z)x5NNtDRAxb6vXT`j})@FRb~7?LGDxfHiK8-dzelWNI0jp?LN^v+zr+eqfrf3aCY# ze~&Qh-eF(b<ngA>rv73jzcI05?q=*o}ke?Sxe z5AYwf`~w@9|Hm1}lkN-RKO>0$H}?6@c#!|67jWMT?SGxHyC2$T-!JV1h4zIGaqYjK zzx(GJ5~e1O|Ep{~jM`-qp^vdJ8Rr1fQ1!7B4W=^>X(;D!srLka>TCI;-lnfg>$2ir z{2q4)`{AV^Sl_Z*{5;#2J|3z!haR69SG*D-92s##@ROKV=Vgy!)zwIkRB zzM)`k*tWg_6!J4Et|&>~9engNFGjy0jy4hLp%x zmMM!@E=C{erV^iLjh)j?o8j-!!J_iB%I`0eT8;4TLkTFwsg@&GU3h7{mMjF5kGkN$ zZL6(op*)*1MC1~~>UY+W)b8yXL5HYTL1IJ;Cz@o*j?s-OgZ4@;)-;P(&|M0ZiF)M5 zL{)7iUX00u_5n&53jUlm9+_x39+wACs%PNi{+kjw2LD-q75`aT56=Gu@gD%@|L@Qk z5dS4X{4d_;KhwX*f8itZ9~XeVSG|McWbF(*k^vZLopQh$cFFqUQeEy%>oa=R_v2O6 zYUxs&dk)!5WjKp4Nn=&q`si3YZuZ=m0#~WlEv@G+3pbKce2fkpFL#oy-O<`?eeCaW z*6UfGBp}HjQZRB!vo=;z!$vR4Y`8g0b}HsNWs~9RleUi!`p$|jBtxLNH5J1Ygb8vG zulXqH?HK?WfYcvTkI!JjfL77?zC7pPvOdQ(4EkemCJecrKv%3-kN$R?$Wfe-cN_E0 z2vxoa&vNQ-`>S>}MEl+H)-s72$|Sf>!;hAX7og%K9MVk48Alf?k~q+$S80a#WynD3 zuC!5fx0=!>YTr9cRtajlSAE19P(r0Ep9rAL?bBK}LzRos5)wGlNyh~G2$YLnILX2V zNbvj)Wd&d3)Fp5X{-2=of3Leg_WuvA{|4eexc>jt$NKM12;x68i2n)u{Ad36_%Cu~ z{_p1)*yq!Y&SH0z ziZw&Gq1miqLt77So2?+;-MmxraS&D^1DmT; zqWU`-h5Y!RtuBQZW7v=1?JOG+#9u14w5t&?)W?$4=s>+I^r^ypr7t$TH3ZUKVB=ao zl)D06hjyX6#HUCO>=2<$!I?}sivlw9+P~8x@Mr&5C2$P>pP=%8Pbxp;KR4H3;y-NQ z`k&vTQXu~Gf%u=f&wsju{6FP_o9}}_`}y6kK_G5jfb=0o;BV@C{#?n&)Wn(j+iLg2 zqCvIFRH!GUKxI^>wMlGtddu%e_@;g|}?u7NLkg!|AH`Dut z1h7}d?uZLYCKX8KZzI%EJF}G;T!5qlAmWJbATy8BWL$uC4tN!&lCml`amM}gAU>ny zxqF|m$CEqoMD+|EUFU?=iZ;iG+;re#dO3oaPR|z5Q@PD;=X|*NsS!7S_+j`O+cR~R z=jnCNMS9{?KnpgMBTd4|Oj9O@lFsugXcR!PL}3jY3}O?!3$iW}Lo62!x>O`)E6P7n z7HhXnJ9sNkg3J0XZrkwlD>!dB%@*B^-SMuYNYQ9SF0JdjzMnDj^Oq*N8a*L>^Xw9d zVNl+OY^C3#qTq}CLJ1s$|0k&Y-|P5^_z%wi{=!lJ^VHw-9}4o_zia@c4lw}VX9514 zNo-R$DxrMOhWr!MHJa6eC88FyO79rK(YqA_ zZ&ucymZ@jW+#$2x?4c-MzlU^Kp zkPTN-WcRft5fKlKRw-~UYs9E1NSsQllP$&dKY%Kg{)52z#vT>tYMR0_m@SCIez zdf)#SIf(z$Ex7!V`)~C<{eOD4*`Ln`yL!I+d|++o3VLzD;jyA@FJ0+(cxg{y#qyw1 z$dm7)zd=O2qGBMeNe>j!#8x&-#FjGE9<6_4HM#QEXf4DA*`rW$&e3^G0h^g86O6X9s^gJDwJ-p!XP^CEWxWUy#>WClV$4~YA)BH#=UOanXz&g7>ICeYWU1O zkm>cCmQ6krQ)rmGK`{DaA&?7y+J_dIeL@Oag;9z^ zK*2P$e@HF^&?Ir*OJ1vbz!&_Ka2hx2FFMCD_|N^z>VLTY8vkbp*Z=&Y5&!an$jVjdAzQ*Bn9oKgL8*cYn`lF~-e)sC z&W?4bR?3XsShz8P{IW5!9`-2)X(}|fk+yBMhAX{VhrX;{SCJ|2OvePkWI6zjx-<_wk|qd0=1D!=QO! zz*Dvle^!$2-Uml|ENHLFf0J4JZn+eZ&eT8)b{Q~)lz|7#A)b6u6H5Fs&0R!cBum6* zGXJJ#M|U(}sH$J#J#F9hi6`f?B6VXK&k!)Qay!?cXAxe_WhOB;lo%1u;4-;dCcWwP zfSD9dx1`2639lX=^5tu)I~S}?7O)#rzr2JUf0US0x6L$A^6)+Ko_W}v0QSck&zQSw zJo}-1*ZrTh4&)SV!izKh{QVzeblQj?uhOVkwY->KUASRluySJ+I;tBhbAd+u+(gzH z7h}yXl9gAb`f8oaQEl=@XW7OcG;L`5XRY^GNUvn#n9dDrmJ)YcM*B2~G2e#dMQ3}% z=vs|#ZUjrAP{{&&{fSA)yNS!Zw@Rhzq7|IpT_aR{XqZ3$TNEFBkv}AGbpD^X{PV~B z2fgg;`}Kcz-vbPe|NjmZ1@Ye-#Q&Lps{i?K@&8w?Mu&p)ZG7lRcHrUNj5LOd+NuB` z>5NF9+4VwkS|cyQXOw&;cJ~y{-)ijZO;Fv5A5YhPkHSP&Kj54e$DTbOb91HpT>tYA zTTO81)-M@Y&z12-fjI1a49$$zmwSR}2gRk)q z5;!{lPh9@_WB!ARJ^#XgaQ**3jM(XZe8B&w|Nq+m-+vYGp%V$xHcBbfH3{pe+YKKY z(Jf)C49>#>*zI-SF(iAm#e`94=T7Ofjn8GuncKP8joVcDpbO_>{S#7=oKpLCa>FbeXdh=J&_X8MR$oBGZQ9T?|TdE z->k}LSBq0+iqI>*c!>Z1wfjHo|K9*4M_=n(%o7mu$q|0it`^ZGFy{IMZnoI;xqRow z2}HYkJd3E?$@{Bib={?Rmc%!eKrhG>nOPIpXOqfJB(1Ul9Fwulfb(p5Q7ri zh%vTWAMJku-lGJFrU3P!A&kD>^@Bv`xk(l>#cNiqDiBDW*z{|ia|v`(++O^rtKs0Y z9VUUJ^Z&%y)GugsA?gZEM;))0cYN5hyPgl$QvjKVXTo#?>X>^N4GK$=e8lj(-f zQImRSrghjesks*@bQ_^ONIu_zP`(_7K1P1~#cjvKOu*Ojrk^zd*RX=DFVZx6TJky0 zcv%nj=3Yux&<~n)za$yiQga<1#ZP6a|6@Qopfck=pqR2{?t&v+(SxX%kLQ+A3P!J9 zY@tR=YQj@C$hTqRB{!hyiiKywB=)>f+`DY|m}zv=xBDJ%BzIeWmzMRf5+CRFs%RzVU&dqHgkw(l=;?uyB^)QZ!x{P zU%l}A0vsvKt|J^8!e&T_;&xaQDiidkEsapPx)_8-%$M}}K}fGwGnY$>t8(=Ut1*%y z7ArSoPi8!RWbNn-?86ZTgRUTQb9bYmj#>1ShM+MFe$uilyp+rGw@)twBr2YS_b}rF z-p*z}*<{<9=}V(VY74X}??|pL>jo=AUDr(>&bdx~-=*KM%BQK-eI_>}*1`*^2bd(L z#Csm&azEySRyTt=)4psSO)?tk?rUL=#IBihv08JprX5>PXu@VLKg=~{)=Z^lOmyfn z56ITIOIf@vfh*MbFg1)Fb6n??lo@=QV@u%Z{6BH|=a2c%_BZ}NIRAU>u{_BE2mF7I z|2qGFwg3M$hH}{a;nF}ypUYBdO@2Jni^Mk*xNFu?*Cr=1jP4te&BKV9Rf}STKYOF8 z|8h8$pI5{$u$P(wH;^Etb=yNS&!NTit+Tq=?d{N=8Dq@~m8{g>KpAer zQi#Xus5^@zB#9GOlo)TlZ{%uWF&|cHA`oG&y=AwPst(6Hp*ZpzLO>}+S$A_rY{RJ9 z=A|=}Qkq~UXl`Xnd3?mTC)SI~d}XI5l0NUNw@nv4sEHQat01sO2>qC1>k=#Ab2M*$ zE4-!tz1n9=FfI=?QN^@x_**+)y){c}K&&4u;q+;WNL)#_JRR$Chm)i>g-Zr8j-aA& zNkHuj_$mIpsI`YfULyp!CsAeaF(;6~(fNPk^3NagpB3C4z_Ye^O zg+Ts)&OhaUf8Y9_D&N=keD|h-?`Qt*w~(=+LF<3A{yE3%IBP)U&l0$FlW?w(L#GM0 zW<9nQOUlQxdy(-#>_wr|ij6MI8f)f9^?NPc`}U~XU5 z;BH|6lUIzmNZ7N9O;@h~HCN7b}5oO663O za&DMw?E@O^{hcQhkFKVhexT@T!EUaA3(cc`-H_ji@MSyV%M9btoWIJQY>4?NS>+B+ zI7;-pbyd*R_kwA@T)UW2JmTcB5$Lg_PC;nz<3kgKohPG@cv08irqbITfTzaVNdd1= z=;xNv*aF0{Q;X`vQdAx|J>tj4i;)fxPMjMk6^|0Rf^{Er`|R_Q7RLS}z5C8>5OQZB zVpDFzdYqdEzU5OKye(x?8w%9*b7LE?l@P;JcIY32q3JEZy>)I72TRTEq2}~3ozktD z5WVmm4xgvo<~=zz&#Ju$qMx=9aKwF1;@KX%yBw11N*($rG_b(5GOMR!;I}9y_#(eW z0!QaR@2}%O$KS+%xWWGa?@#~`|0zNI58vlM!@>B^@8dt`_x%6f{)V_~@TVd`3v&Hx(MXi+A zy+?V*D%;C|M0i=|vrJ#Q92_>e-4pt96g2sQZ%YVfQ(u{))4L|r@Zs|64o!SV=JZ(8Hwn((l zY~fxag!*anmh7mPI5j6c>PbIR%gOLpg(#dAxlfKvA1+s1OCIoYWSTVTNqocaP(|=H zz!CsU04xEp1i%siO8_hZumr#o080QY0k8zX5&%m8ECH|tz!CsU04xEp1i%siO8_hZ cumr#o080QY0k8zX5&%m8ECH|tP9TB*2MuDE?EnA( diff --git a/fips_algorithms.h b/fips_algorithms.h index 80d7dcd..d634e0d 100644 --- a/fips_algorithms.h +++ b/fips_algorithms.h @@ -15,11 +15,12 @@ typedef enum { SFTKFIPSECC, /* not just keys but specific curves */ SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */ SFTKFIPSRSAPSS, /* make sure salt isn't too big */ - SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSPBKDF2, /* handle pbkdf2 FIPS restrictions */ + SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ } SFTKFIPSSpecialClass; /* set according to your security policy */ -#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7 +#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8 typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList; struct SFTKFIPSAlgorithmListStr { @@ -27,6 +28,7 @@ struct SFTKFIPSAlgorithmListStr { CK_MECHANISM_INFO info; CK_ULONG step; SFTKFIPSSpecialClass special; + size_t offset; }; SFTKFIPSAlgorithmList sftk_fips_mechs[] = { @@ -50,7 +52,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define CKF_KPG CKF_GENERATE_KEY_PAIR #define CKF_GEN CKF_GENERATE #define CKF_SGN (CKF_SIGN | CKF_VERIFY) -#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT ) +#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_WRP (CKF_WRAP | CKF_UNWRAP) #define CKF_KEK (CKF_WRAP | CKF_UNWRAP) #define CKF_KEA CKF_DERIVE #define CKF_KDF CKF_DERIVE @@ -101,6 +105,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { /* -------------------- Elliptic Curve Operations --------------------- */ { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, @@ -115,10 +120,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD }, - { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD }, + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone }, /* ------------------------- Hashing Operations ----------------------- */ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, @@ -136,36 +141,41 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, /* ---------------------- SSL/TLS operations ------------------------- */ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHash, + offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) }, /* ------------------------- HKDF Operations -------------------------- */ - { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, + { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_HKDF_PARAMS, prfHashMechanism) }, { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, /* ------------------ NIST 800-108 Key Derivations ------------------- */ - { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, + { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_SP800_108_KDF_PARAMS, prfType) }, /* --------------------IPSEC ----------------------- */ - { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) }, + { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash, + offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) }, /* ------------------ PBE Key Derivations ------------------- */ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 }, }; diff --git a/nss-3.90-aes-gmc-indicator.patch b/nss-3.90-aes-gmc-indicator.patch new file mode 100644 index 0000000..612bb9a --- /dev/null +++ b/nss-3.90-aes-gmc-indicator.patch @@ -0,0 +1,42 @@ +diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c +--- a/lib/softoken/sftkmessage.c ++++ b/lib/softoken/sftkmessage.c +@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes + + CHECK_FORK(); + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; + ++ if (context->isFIPS && (contextType == CKA_ENCRYPT)) { ++ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) { ++ context->isFIPS = PR_FALSE; ++ } else { ++ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter; ++ switch (p->ivGenerator) { ++ case CKG_NO_GENERATE: ++ context->isFIPS = PR_FALSE; ++ break; ++ case CKG_GENERATE_RANDOM: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) { ++ context->isFIPS = PR_FALSE; ++ } ++ break; ++ default: ++ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) { ++ context->isFIPS = PR_FALSE; ++ } ++ } ++ } ++ } ++ + if (!pOuttext) { + *pulOuttextLen = ulIntextLen; + return CKR_OK; + } + rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen, + maxout, pIntext, ulIntextLen, + pParameter, ulParameterLen, + pAssociatedData, ulAssociatedDataLen); diff --git a/nss-3.90-fips-indicators.patch b/nss-3.90-fips-indicators.patch new file mode 100644 index 0000000..961d64b --- /dev/null +++ b/nss-3.90-fips-indicators.patch @@ -0,0 +1,190 @@ +diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800 +@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C + context->blockSize = 0; + context->maxLen = 0; + context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism, +- operation, key); ++ operation, key, 0); + *contextPtr = context; + return CKR_OK; + } +@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + crv = sftk_handleObject(key, session); + /* we need to do this check at the end, so we can check the generated + * key length against fips requirements */ +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0); + session->lastOpWasFIPS = key->isFIPS; + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { +@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + return crv; + } + /* we need to do this check at the end to make sure the generated key meets the key length requirements */ +- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0); + publicKey->isFIPS = privateKey->isFIPS; + session->lastOpWasFIPS = privateKey->isFIPS; + sftk_FreeSession(session); +@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + return CKR_TEMPLATE_INCONSISTENT; + } + ++ if (!params->bExpand) { ++ keySize = hashLen; ++ } ++ + /* sourceKey is NULL if we are called from the POST, skip the + * sensitiveCheck */ + if (sourceKey != NULL) { +@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + mech.pParameter = params; + mech.ulParameterLen = sizeof(*params); + key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech, +- CKA_DERIVE, saltKey); ++ CKA_DERIVE, saltKey, ++ keySize); + } + saltKeySource = saltKey->source; + saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE); +@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_ + /* HKDF-Expand */ + if (!params->bExpand) { + okm = prk; +- keySize = genLen = hashLen; ++ genLen = hashLen; + } else { + /* T(1) = HMAC-Hash(prk, "" | info | 0x01) + * T(n) = HMAC-Hash(prk, T(n-1) | info | n +@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + return CKR_KEY_HANDLE_INVALID; + } + } +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey); ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey, ++ keySize); + + switch (mechanism) { + /* get a public key from a private key. nsslowkey_ConvertToPublickey() +diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h +--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800 ++++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800 +@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB + /* check the FIPS table to determine if this current operation is allowed by + * FIPS security policy */ + PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, +- CK_ATTRIBUTE_TYPE op, SFTKObject *source); ++ CK_ATTRIBUTE_TYPE op, SFTKObject *source, ++ CK_ULONG targetKeySize); + /* add validation objects to the slot */ + CK_RV sftk_CreateValidationObjects(SFTKSlot *slot); + +diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800 ++++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800 +@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou + static CK_ULONG + sftk_getKeyLength(SFTKObject *source) + { +- CK_KEY_TYPE keyType = CK_INVALID_HANDLE; ++ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE; + CK_ATTRIBUTE_TYPE keyAttribute; + CK_ULONG keyLength = 0; + SFTKAttribute *attribute; +@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source) + return keyLength; + } + ++PRBool ++sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash) ++{ ++ switch (hash) { ++ case CKM_SHA256: ++ case CKG_MGF1_SHA256: ++ case CKM_SHA384: ++ case CKG_MGF1_SHA384: ++ case CKM_SHA512: ++ case CKG_MGF1_SHA512: ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ + /* + * handle specialized FIPS semantics that are too complicated to + * handle with just a table. NOTE: this means any additional semantics + * would have to be coded here before they can be added to the table */ + static PRBool + sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech, +- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source) ++ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source, ++ CK_ULONG keyLength, CK_ULONG targetKeyLength) + { + switch (mechInfo->special) { + case SFTKFIPSDH: { +@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + if (hashObj == NULL) { + return PR_FALSE; + } ++ /* cap the salt for legacy keys */ ++ if ((keyLength <= 1024) && (pss->sLen > 63)) { ++ return PR_FALSE; ++ } ++ /* cap the salt for based on the hash */ + if (pss->sLen > hashObj->length) { + return PR_FALSE; + } +- return PR_TRUE; ++ return sftk_CheckFIPSHash(pss->hashAlg); + } + case SFTKFIPSPBKDF2: { + /* PBKDF2 must have the following addition restrictions +@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + } + return PR_TRUE; + } ++ /* check the hash mechanisms to make sure they themselves are FIPS */ ++ case SFTKFIPSChkHash: ++ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) { ++ return PR_FALSE; ++ } ++ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter) ++ + mechInfo->offset)); + default: + break; + } +@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + + PRBool + sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op, +- SFTKObject *source) ++ SFTKObject *source, CK_ULONG targetKeyLength) + { + #ifndef NSS_HAS_FIPS_INDICATORS + return PR_FALSE; +@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ + SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i]; + /* if we match the number of records exactly, then we are an + * approved algorithm in the approved mode with an approved key */ +- if (((mech->mechanism == mechs->type) && +- (opFlags == (mechs->info.flags & opFlags)) && +- (keyLength <= mechs->info.ulMaxKeySize) && +- (keyLength >= mechs->info.ulMinKeySize) && +- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ if ((mech->mechanism == mechs->type) && ++ (opFlags == (mechs->info.flags & opFlags)) && ++ (keyLength <= mechs->info.ulMaxKeySize) && ++ (keyLength >= mechs->info.ulMinKeySize) && ++ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) && ++ ((targetKeyLength == 0) || ++ ((targetKeyLength <= mechs->info.ulMaxKeySize) && ++ (targetKeyLength >= mechs->info.ulMinKeySize) && ++ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) && + ((mechs->special == SFTKFIPSNone) || +- sftk_handleSpecial(slot, mech, mechs, source))) { ++ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) { + return PR_TRUE; + } + } diff --git a/nss-3.90-fips-pkcs11-long-hash.patch b/nss-3.90-fips-pkcs11-long-hash.patch new file mode 100644 index 0000000..7728732 --- /dev/null +++ b/nss-3.90-fips-pkcs11-long-hash.patch @@ -0,0 +1,83 @@ +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -15,10 +15,13 @@ + * keys and their associated Certificates are saved on the token. + * + * In this implementation, session objects are only visible to the session + * that created or generated them. + */ ++ ++#include /* for UINT_MAX and ULONG_MAX */ ++ + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" + #include "blapi.h" + #include "pkcs11.h" +@@ -1954,12 +1957,21 @@ + if (pDigest == NULL) { + *pulDigestLen = context->maxLen; + goto finish; + } + +- /* do it: */ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_Digest takes an unsigned long. */ ++ while (ulDataLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX); ++ pData += UINT_MAX; ++ ulDataLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pData, ulDataLen); ++ + /* NOTE: this assumes buf size is bigenough for the algorithm */ + (*context->end)(context->cipherInfo, pDigest, &digestLen, maxout); + *pulDigestLen = digestLen; + + sftk_TerminateOp(session, SFTK_HASH, context); +@@ -1980,12 +1992,22 @@ + + /* make sure we're legal */ + crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL); + if (crv != CKR_OK) + return crv; +- /* do it: */ ++ ++#if (ULONG_MAX > UINT_MAX) ++ /* The context->hashUpdate function takes an unsigned int for its data ++ * length argument, but NSC_DigestUpdate takes an unsigned long. */ ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen); ++ + return CKR_OK; + } + + /* NSC_DigestFinal finishes a multiple-part message-digesting operation. */ + CK_RV +@@ -3166,10 +3188,17 @@ + crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session); + if (crv != CKR_OK) + return crv; + + if (context->hashInfo) { ++#if (ULONG_MAX > UINT_MAX) ++ while (ulPartLen > UINT_MAX) { ++ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX); ++ pPart += UINT_MAX; ++ ulPartLen -= UINT_MAX; ++ } ++#endif + (*context->hashUpdate)(context->hashInfo, pPart, ulPartLen); + } else { + /* must be block cipher MACing */ + + unsigned int blkSize = context->blockSize; + diff --git a/nss-3.90-fips-safe-memset.patch b/nss-3.90-fips-safe-memset.patch new file mode 100644 index 0000000..1503bd9 --- /dev/null +++ b/nss-3.90-fips-safe-memset.patch @@ -0,0 +1,506 @@ +diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c +--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen); + rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv, + outLen); +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext + PORT_ZFree(newBuf, paddedInputLen); + /* a little overkill, we only need to clear out the length, but this + * is easier to verify we got it all */ +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } + +@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext + loser: + /* if we failed, make sure we don't return any data to the user */ + if ((rv != SECSuccess) && (output == newBuf)) { +- PORT_Memset(newBuf, 0, paddedLen); ++ PORT_SafeZero(newBuf, paddedLen); + } + /* clear out CSP sensitive data from the heap and stack */ + if (allocBuf) { + PORT_ZFree(allocBuf, paddedLen); + } +- PORT_Memset(iv, 0, sizeof(iv)); ++ PORT_SafeZero(iv, sizeof(iv)); + return rv; + } +diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h +--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800 +@@ -101,10 +101,10 @@ PRBool ppc_crypto_support(); + #ifdef NSS_FIPS_DISABLED + #define BLAPI_CLEAR_STACK(stack_size) + #else +-#define BLAPI_CLEAR_STACK(stack_size) \ +- { \ +- volatile char _stkclr[stack_size]; \ +- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \ ++#define BLAPI_CLEAR_STACK(stack_size) \ ++ { \ ++ volatile char _stkclr[stack_size]; \ ++ PORT_SafeZero((void *)&_stkclr[0], stack_size); \ + } + #endif + +diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c +--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -197,7 +197,7 @@ prng_initEntropy(void) + SHA256_Update(&ctx, block, sizeof(block)); + SHA256_End(&ctx, globalrng->previousEntropyHash, NULL, + sizeof(globalrng->previousEntropyHash)); +- PORT_Memset(block, 0, sizeof(block)); ++ PORT_SafeZero(block, sizeof(block)); + SHA256_DestroyContext(&ctx, PR_FALSE); + return PR_SUCCESS; + } +@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t + } + + out: +- PORT_Memset(hash, 0, sizeof hash); +- PORT_Memset(block, 0, sizeof block); ++ PORT_SafeZero(hash, sizeof hash); ++ PORT_SafeZero(block, sizeof block); + return rv; + } + +@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r + PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry); + SHA256_DestroyContext(&ctx, PR_FALSE); + } +- PORT_Memset(data, 0, sizeof data); +- PORT_Memset(thisHash, 0, sizeof thisHash); ++ PORT_SafeZero(data, sizeof data); ++ PORT_SafeZero(thisHash, sizeof thisHash); + } + + /* +@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng, + PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry); + + /* if the prng failed, don't return any output, signal softoken */ +- PORT_Memset(H, 0, sizeof H); ++ PORT_SafeZero(H, sizeof H); + if (!rng->isValid) { + PORT_Memset(returned_bytes, 0, no_of_returned_bytes); + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); +diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c +--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800 +@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt + err = MP_OKAY; + signature->len = dsa_signature_len; + cleanup: +- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN); ++ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt + rv = dsa_SignDigest(key, signature, digest, kSeed); + } while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM && + --retries > 0); +- PORT_Memset(kSeed, 0, sizeof kSeed); ++ PORT_SafeZero(kSeed, sizeof kSeed); + return rv; + } + +@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons + verified = SECSuccess; /* Signature verified. */ + } + cleanup: +- PORT_Memset(localDigestData, 0, sizeof localDigestData); ++ PORT_SafeZero(localDigestData, sizeof localDigestData); + mp_clear(&p); + mp_clear(&q); + mp_clear(&g); +diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c +--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800 +@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns + rv = SECSuccess; + + cleanup: +- PORT_Memset(T, 0, sizeof(T)); ++ PORT_SafeZero(T, sizeof(T)); + return rv; + } + +@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC + if (rv != SECSuccess) { + goto loser; + } +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + gcm->ctr_context_init = PR_TRUE; + return gcm; + + loser: +- PORT_Memset(H, 0, AES_BLOCK_SIZE); ++ PORT_SafeZero(H, AES_BLOCK_SIZE); + if (ghash && ghash->mem) { + void *mem = ghash->mem; +- PORT_Memset(ghash, 0, sizeof(gcmHashContext)); ++ PORT_SafeZero(ghash, sizeof(gcmHashContext)); + PORT_Free(mem); + } + if (gcm) { +@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u + goto loser; + } + +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + return SECSuccess; + + loser: +- PORT_Memset(&ctrParams, 0, sizeof ctrParams); ++ PORT_SafeZero(&ctrParams, sizeof ctrParams); + if (freeCtr) { + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + } +@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig + if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + CTR_DestroyContext(&gcm->ctr_context, PR_FALSE); + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + return SECFailure; + } +- PORT_Memset(tag, 0, sizeof(tag)); ++ PORT_SafeZero(tag, sizeof(tag)); + /* finish the decryption */ + rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); +diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c +--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800 +@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut, + hashObj->end(mdState, mdOut, mdOutLen, mdOutMax); + hashObj->destroy(mdState, PR_TRUE); + +- PORT_Memset(lengthBytes, 0, sizeof lengthBytes); +- PORT_Memset(hmacPad, 0, sizeof hmacPad); +- PORT_Memset(firstBlock, 0, sizeof firstBlock); +- PORT_Memset(macOut, 0, sizeof macOut); ++ PORT_SafeZero(lengthBytes, sizeof lengthBytes); ++ PORT_SafeZero(hmacPad, sizeof hmacPad); ++ PORT_SafeZero(firstBlock, sizeof firstBlock); ++ PORT_SafeZero(macOut, sizeof macOut); + + return SECSuccess; + } +diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c +--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo + void + intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c +--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800 +@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex + void + ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit) + { +- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext)); ++ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } +diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c +--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800 +@@ -703,7 +703,7 @@ cleanup: + mp_clear(&a); + mp_clear(&z); + mp_clear(&two_length_minus_1); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -859,7 +859,7 @@ cleanup: + mp_clear(&c); + mp_clear(&c0); + mp_clear(&one); +- PORT_Memset(x, 0, sizeof(x)); ++ PORT_SafeZero(x, sizeof(x)); + if (err) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; +@@ -1072,7 +1072,7 @@ makePfromQandSeed( + CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */ + CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */ + cleanup: +- PORT_Memset(V_j, 0, sizeof V_j); ++ PORT_SafeZero(V_j, sizeof V_j); + mp_clear(&W); + mp_clear(&X); + mp_clear(&c); +@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype, + /* step 11. + * return valid G */ + cleanup: +- PORT_Memset(data, 0, sizeof(data)); ++ PORT_SafeZero(data, sizeof(data)); + if (hashcx) { + hashobj->destroy(hashcx, PR_TRUE); + } +diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c +--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800 +@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo + cx->worker_cx = NULL; + cx->destroy = NULL; + } +- PORT_Memset(cx, 0, sizeof(AESContext)); ++ PORT_SafeZero(cx, sizeof(AESContext)); + if (freeit) { + PORT_Free(mem); + } else { +diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c +--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800 ++++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800 +@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c + /* 2. Compute phi = (p-1)*(q-1) */ + CHECK_MPI_OK(mp_sub_d(p, 1, &psub1)); + CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1)); ++ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + if (needPublicExponent || needPrivateExponent) { +- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi)); + /* 3. Compute d = e**-1 mod(phi) */ + /* or e = d**-1 mod(phi) as necessary */ + if (needPublicExponent) { +@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c + goto cleanup; + } + ++ /* make sure we weren't passed in a d or e = 1 mod phi */ ++ /* just need to check d, because if one is = 1 mod phi, they both are */ ++ CHECK_MPI_OK(mp_mod(d, &phi, &tmp)); ++ if (mp_cmp_d(&tmp, 2) <= 0) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ rv = SECFailure; ++ goto cleanup; ++ } ++ + /* 4. Compute exponent1 = d mod (p-1) */ + CHECK_MPI_OK(mp_mod(d, &psub1, &tmp)); + MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena); +@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv + /* Perform a public key operation v = m ** e mod n */ + CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v)); + if (mp_cmp(&v, c) != 0) { ++ /* this error triggers a fips fatal error lock */ ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + rv = SECFailure; + } + cleanup: +diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c +--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800 +@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject * + /* now create the hmac key */ + hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE); + if (hmac == NULL) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + return NULL; + } + HMAC_Begin(hmac); + HMAC_Update(hmac, input, inputLen); + rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash)); + if (rv != SECSuccess) { +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + HMAC_Destroy(hmac, PR_TRUE); + return NULL; + } +@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject * + * reuse the original context allocated above so we don't + * need to allocate and free another one */ + rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE); +- PORT_Memset(keyHash, 0, sizeof(keyHash)); ++ PORT_SafeZero(keyHash, sizeof(keyHash)); + if (rv != SECSuccess) { + HMAC_Destroy(hmac, PR_TRUE); + return NULL; +@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha + return rv; + } + PORT_Memcpy(output, hmacLast, left); +- PORT_Memset(hmacLast, 0, sizeof(hmacLast)); ++ PORT_SafeZero(hmacLast, sizeof(hmacLast)); + } + return rv; + } +@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in + outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen), + candidate, outLength); + } +- PORT_Memset(out, 0, sizeof(out)); ++ PORT_SafeZero(out, sizeof(out)); + return outLength; + } + +diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c +--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800 +@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD, + + /* verify the hash against the check file */ + rv = DSA_VerifyDigest(key, signature, &hash); +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return (rv == SECSuccess) ? PR_TRUE : PR_FALSE; + } + #endif +@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + if (rv == SECSuccess) { + result = SECITEM_ItemsAreEqual(signature, &hash); + } +- PORT_Memset(hashBuf, 0, sizeof hashBuf); ++ PORT_SafeZero(hashBuf, sizeof hashBuf); + return result; + } + +@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P + #ifndef NSS_STRICT_INTEGRITY + DSAPublicKey key; + +- PORT_Memset(&key, 0, sizeof(key)); ++ PORT_SafeZero(&key, sizeof(key)); + #endif + + /* If our integrity check was never ran or failed, fail any other +@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P + shFD = NULL; + + loser: +- PORT_Memset(&header, 0, sizeof header); ++ PORT_SafeZero(&header, sizeof header); + if (checkName != NULL) { + PORT_Free(checkName); + } +diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c +--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800 +@@ -82,8 +82,8 @@ loser: + /* clear out state so it's not left on the stack */ + if (cx) + HMAC_Destroy(cx, PR_TRUE); +- PORT_Memset(state, 0, sizeof(state)); +- PORT_Memset(outbuf, 0, sizeof(outbuf)); ++ PORT_SafeZero(state, sizeof(state)); ++ PORT_SafeZero(outbuf, sizeof(outbuf)); + return rv; + } + +diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c +--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800 ++++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800 +@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void) + return; + } + RNG_RandomUpdate(bytes, numBytes); +- PORT_Memset(bytes, 0, sizeof bytes); ++ PORT_SafeZero(bytes, sizeof bytes); + } + + #ifdef NSS_FIPS_140_3 +diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800 ++++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800 +@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + if ((signature_length >= pairwise_digest_length) && + (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { + PORT_Free(signature); +- return CKR_DEVICE_ERROR; ++ return CKR_GENERAL_ERROR; + } + + /* Verify the known hash using the public key. */ +diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h +--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800 +@@ -36,6 +36,9 @@ + #include + + #include ++/* ask for Annex K for memset_s. will set the appropriate #define ++ * if Annex K is supported */ ++#define __STDC_WANT_LIB_EXT1__ 1 + #include + #include + #include +@@ -182,6 +185,39 @@ SEC_END_PROTOS + #endif /*SUNOS4*/ + #define PORT_Memset memset + ++/* there are cases where the compiler optimizes away our attempt to clear ++ * out our stack variables. There are multiple solutions for this problem, ++ * but they aren't universally accepted on all platforms. This attempts ++ * to select the best solution available given our os, compilier, and libc */ ++#ifdef __STDC_LIB_EXT1__ ++/* if the os implements C11 annex K, use memset_s */ ++#define PORT_SafeZero(p, n) memset_s(p, n, 0, n) ++#else ++#ifdef XP_WIN ++/* windows has a secure zero funtion */ ++#define PORT_SafeZero(p, n) SecureZeroMemory(p, n) ++#else ++/* _DEFAULT_SORUCE == BSD source in GCC based environments ++ * if other environmens support explicit_bzero, their defines ++ * should be added here */ ++#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE) ++#define PORT_SafeZero(p, n) explicit_bzero(p, n) ++#else ++/* if the os doesn't support one of the above, but does support ++ * memset_explicit, you can add the definition for memset with the ++ * appropriate define check here */ ++/* define an explicitly implementated Safe zero if the OS ++ * doesn't provide one */ ++#define PORT_SafeZero(p, n) \ ++ if (p != NULL) { \ ++ volatile unsigned char *__vl = (unsigned char *)p; \ ++ size_t __nl = n; \ ++ while (__nl--) *__vl++ = 0; \ ++ } ++#endif /* no explicit_bzero */ ++#endif /* no windows SecureZeroMemory */ ++#endif /* no memset_s */ ++ + #define PORT_Strcasecmp PL_strcasecmp + #define PORT_Strcat strcat + #define PORT_Strchr strchr diff --git a/nss.spec b/nss.spec index b8c826d..68a1e96 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,6 @@ %global nss_version 3.90.0 %global nspr_version 4.35.0 -%global baserelease 3.3 +%global baserelease 4 %global nss_release %baserelease # NOTE: To avoid NVR clashes of nspr* packages: # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when @@ -183,6 +183,10 @@ Patch63: nss-3.90-pbkdf2-indicator.patch Patch70: nss-3.90-add-ems-policy.patch Patch80: blinding_ct.patch +Patch81: nss-3.90-fips-pkcs11-long-hash.patch +Patch82: nss-3.90-fips-safe-memset.patch +Patch83: nss-3.90-fips-indicators.patch +Patch84: nss-3.90-aes-gmc-indicator.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -190,6 +194,7 @@ Patch101: nspr-gcc-atomics.patch Patch110: nspr-4.34-fix-coverity-loop-issue.patch Patch120: nspr-4.34-server-passive.patch + # NSS reverse patches Patch300: nss-3.79-distrusted-certs.patch @@ -1181,6 +1186,16 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Nov 22 2023 Bob Relyea - 3.90.0-3.3 +- FIPS review changes +- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory. +- update the indicators for this release +- allow hashing of longer than int32 values in a single PKCS #11 call. + +* Tue Nov 21 2023 Bob Relyea - 3.90.0-3.3 +- Fix expired certs in tests +- Fix CVE-2023-5388 + * Fri Aug 4 2023 Bob Relyea - 3.90.0-3 - add indicator for pbkdf - fix ems policy bug diff --git a/sources b/sources index 293e348..9c44342 100644 --- a/sources +++ b/sources @@ -1,3 +1,4 @@ +SHA512 (NameConstraints_Certs.tar) = c732fd5e047bb360bafc75d6ea68649b334b7d1eb1ebc1489a4101a446941a5786f819b8ca1442749acbcf020a63b73c9722c9dd5757b00348b77c3fe8203a4d SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f