import UBI nss-3.101.0-7.el8_8
This commit is contained in:
parent
0602db546c
commit
8818c178b0
3
.gitignore
vendored
3
.gitignore
vendored
@ -1,7 +1,6 @@
|
||||
SOURCES/NameConstraints_Certs.tar
|
||||
SOURCES/blank-cert8.db
|
||||
SOURCES/blank-cert9.db
|
||||
SOURCES/blank-key3.db
|
||||
SOURCES/blank-key4.db
|
||||
SOURCES/blank-secmod.db
|
||||
SOURCES/nss-3.90.tar.gz
|
||||
SOURCES/nss-3.101.tar.gz
|
||||
|
@ -1,7 +1,6 @@
|
||||
39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
|
||||
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
|
||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
|
||||
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
||||
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
|
||||
1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
|
||||
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
|
||||
|
@ -1,949 +0,0 @@
|
||||
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
|
||||
--- a/lib/freebl/mpi/mpi-priv.h
|
||||
+++ b/lib/freebl/mpi/mpi-priv.h
|
||||
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
|
||||
mp_digit b, mp_digit *c);
|
||||
|
||||
#endif
|
||||
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
|
||||
mp_size a_len, mp_digit b,
|
||||
mp_digit *c);
|
||||
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
|
||||
+ mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len);
|
||||
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
|
||||
mp_size a_len,
|
||||
mp_digit *sqrs);
|
||||
|
||||
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
|
||||
mp_digit divisor, mp_digit *quot, mp_digit *rem);
|
||||
|
||||
/* c += a * b * (MP_RADIX ** offset); */
|
||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
||||
--- a/lib/freebl/mpi/mpi.c
|
||||
+++ b/lib/freebl/mpi/mpi.c
|
||||
@@ -5,16 +5,18 @@
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "mpi-priv.h"
|
||||
#include "mplogic.h"
|
||||
|
||||
+#include <assert.h>
|
||||
+
|
||||
#if defined(__arm__) && \
|
||||
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
|
||||
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
|
||||
#undef MP_ASSEMBLY_MULTIPLY
|
||||
#undef MP_ASSEMBLY_SQUARE
|
||||
#endif
|
||||
|
||||
#if MP_LOGTAB
|
||||
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
|
||||
} /* end mp_sub() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
-/* {{{ mp_mul(a, b, c) */
|
||||
+/* {{{ s_mp_mulg(a, b, c) */
|
||||
|
||||
/*
|
||||
- mp_mul(a, b, c)
|
||||
-
|
||||
- Compute c = a * b. All parameters may be identical.
|
||||
+ s_mp_mulg(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
|
||||
+ then the operations are done in constant time. The original is mostly
|
||||
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
|
||||
+ of the x86 assembler, as well as the current c code.
|
||||
*/
|
||||
mp_err
|
||||
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
|
||||
{
|
||||
mp_digit *pb;
|
||||
mp_int tmp;
|
||||
mp_err res;
|
||||
mp_size ib;
|
||||
mp_size useda, usedb;
|
||||
|
||||
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
|
||||
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
}
|
||||
|
||||
MP_USED(c) = 1;
|
||||
MP_DIGIT(c, 0) = 0;
|
||||
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
|
||||
goto CLEANUP;
|
||||
|
||||
#ifdef NSS_USE_COMBA
|
||||
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
+ /* comba isn't constant time because it clamps! If we cared
|
||||
+ * (we needed a constant time version of multiply that was 'faster'
|
||||
+ * we could easily pass constantTime down to the comba code and
|
||||
+ * get it to skip the clamp... but here are assembler versions
|
||||
+ * which add comba to platforms that can't compile the normal
|
||||
+ * comba's imbedded assembler which would also need to change, so
|
||||
+ * for now we just skip comba when we are running constant time. */
|
||||
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
if (MP_USED(a) == 4) {
|
||||
s_mp_mul_comba_4(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
if (MP_USED(a) == 8) {
|
||||
s_mp_mul_comba_8(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
|
||||
/* Outer loop: Digits of b */
|
||||
useda = MP_USED(a);
|
||||
usedb = MP_USED(b);
|
||||
for (ib = 1; ib < usedb; ib++) {
|
||||
mp_digit b_i = *pb++;
|
||||
|
||||
/* Inner product: Digits of a */
|
||||
- if (b_i)
|
||||
+ if (constantTime || b_i)
|
||||
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
|
||||
else
|
||||
MP_DIGIT(c, ib + useda) = b_i;
|
||||
}
|
||||
|
||||
- s_mp_clamp(c);
|
||||
+ if (!constantTime) {
|
||||
+ s_mp_clamp(c);
|
||||
+ }
|
||||
|
||||
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
|
||||
SIGN(c) = ZPOS;
|
||||
else
|
||||
SIGN(c) = NEG;
|
||||
|
||||
CLEANUP:
|
||||
mp_clear(&tmp);
|
||||
return res;
|
||||
+} /* end smp_mulg() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_mul(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mul(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+{
|
||||
+ return s_mp_mulg(a, b, c, 0);
|
||||
} /* end mp_mul() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulCT(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulCT(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. In constant time. Parameters may not be identical.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ /* make the multiply values fixed length so multiply
|
||||
+ * doesn't leak the length. at this point all the
|
||||
+ * values are blinded, but once we finish we want the
|
||||
+ * output size to be hidden (so no clamping the out put) */
|
||||
+ MP_CHECKOK(s_mp_pad(a, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(b, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
|
||||
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_mulCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqr(a, sqr) */
|
||||
|
||||
#if MP_SQUARE
|
||||
/*
|
||||
Computes the square of a. This can be done more
|
||||
efficiently than a general multiplication, because many of the
|
||||
computation steps are redundant when squaring. The inner product
|
||||
step is a bit more complicated, but we save a fair number of
|
||||
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
|
||||
}
|
||||
|
||||
return MP_OKAY;
|
||||
|
||||
} /* end mp_mod() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
|
||||
+
|
||||
+/*
|
||||
+ s_mp_subCT_d(a, b, borrow, c)
|
||||
+
|
||||
+ Compute c = (a -b) - subtract in constant time. returns borrow
|
||||
+ */
|
||||
+mp_digit
|
||||
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
|
||||
+ mp_digit borrow1, borrow2, t;
|
||||
+#ifdef MP_COMPILER_USES_CARRY
|
||||
+ /* while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction */
|
||||
+ t = a - borrow;
|
||||
+ if (t > a) {
|
||||
+ borrow1 = 1;
|
||||
+ } else {
|
||||
+ borrow1 = 0;
|
||||
+ }
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t) {
|
||||
+ borrow2 = 1;
|
||||
+ } else {
|
||||
+ borrow2 = 0;
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit bitr, bitb, nbitt;
|
||||
+ /* this is constant time independent of compilier */
|
||||
+ t = a - borrow;
|
||||
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
|
||||
+ *ret = t - b;
|
||||
+ bitb = b >> (MP_DIGIT_BIT-1);
|
||||
+ bitr = *ret >> (MP_DIGIT_BIT-1);
|
||||
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
|
||||
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
|
||||
+#endif
|
||||
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
|
||||
+ * the overall borrow is 1, so use | here */
|
||||
+ return borrow1 | borrow2;
|
||||
+} /* s_mp_subCT_d() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_subCT(a, b, ret, borrow) */
|
||||
+
|
||||
+/* return ret= a - b and borrow in borrow. done in constant time.
|
||||
+ * b could be modified.
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_size i;
|
||||
+ mp_err res;
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(b, used_a));
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ *borrow = 0;
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
|
||||
+ &MP_DIGIT(ret,i));
|
||||
+ }
|
||||
+
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_subCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_selectCT(cond, a, b, ret) */
|
||||
+
|
||||
+/*
|
||||
+ * return ret= cond ? a : b; cond should be either 0 or 1
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_err res;
|
||||
+ mp_size i;
|
||||
+
|
||||
+ cond *= MP_DIGIT_MAX;
|
||||
+
|
||||
+ /* we currently require these to be equal on input,
|
||||
+ * we could use pad to extend one of them, but that might
|
||||
+ * leak data as it wouldn't be constant time */
|
||||
+ assert(used_a == MP_USED(b));
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
|
||||
+ }
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_selectCT() */
|
||||
+
|
||||
+
|
||||
+/* {{{ mp_reduceCT(a, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_reduceCT(a, m, c)
|
||||
+
|
||||
+ Compute c = aR^-1 (mod m) in constant time.
|
||||
+ input should be in montgomery form. If input is the
|
||||
+ result of a montgomery multiply then out put will be
|
||||
+ in mongomery form.
|
||||
+ Result will be reduced to MP_USED(m), but not be
|
||||
+ clamped.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
|
||||
+{
|
||||
+ mp_size used_m = MP_USED(m);
|
||||
+ mp_size used_c = used_m*2+1;
|
||||
+ mp_digit *m_digits, *c_digits;
|
||||
+ mp_size i;
|
||||
+ mp_digit borrow, carry;
|
||||
+ mp_err res;
|
||||
+ mp_int sub;
|
||||
+
|
||||
+ MP_DIGITS(&sub) = 0;
|
||||
+ MP_CHECKOK(mp_init_size(&sub,used_m));
|
||||
+
|
||||
+ if (a != c) {
|
||||
+ MP_CHECKOK(mp_copy(a, c));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_pad(c, used_c));
|
||||
+ m_digits = MP_DIGITS(m);
|
||||
+ c_digits = MP_DIGITS(c);
|
||||
+ for (i=0; i < used_m; i++) {
|
||||
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
|
||||
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
|
||||
+ }
|
||||
+ s_mp_rshd(c, used_m);
|
||||
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
|
||||
+ * from the previous multiply, save that carry and drop the high
|
||||
+ * word for the substraction below */
|
||||
+ carry = MP_DIGIT(c,used_m);
|
||||
+ MP_DIGIT(c,used_m) = 0;
|
||||
+ MP_USED(c) = used_m;
|
||||
+ /* mp_subCT wants c and m to be the same size, we've already
|
||||
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
|
||||
+ * modify m, so it's safe to recast */
|
||||
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
|
||||
+
|
||||
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
|
||||
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ mp_clear(&sub);
|
||||
+ return res;
|
||||
+} /* end mp_reduceCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_mod_d(a, d, c) */
|
||||
|
||||
/*
|
||||
mp_mod_d(a, d, c)
|
||||
|
||||
Compute c = a (mod d). Result will always be 0 <= c < d
|
||||
*/
|
||||
mp_err
|
||||
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
|
||||
if ((res = mp_mod(c, m, c)) != MP_OKAY)
|
||||
return res;
|
||||
|
||||
return MP_OKAY;
|
||||
}
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulmontmodCT(a, b, m, c)
|
||||
+
|
||||
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
|
||||
+ should be in montgomery form and the output is native. If both a and b
|
||||
+ are in montgomery form, then the output will also be in montgomery form
|
||||
+ and can be recovered with an mp_reduceCT call.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
|
||||
+ mp_int *c)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
|
||||
+
|
||||
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ return MP_OKAY;
|
||||
+}
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqrmod(a, m, c) */
|
||||
|
||||
#if MP_SQUARE
|
||||
mp_err
|
||||
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
|
||||
{ \
|
||||
mp_digit a0b1, a1b0; \
|
||||
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
|
||||
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
|
||||
a1b0 += a0b1; \
|
||||
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
|
||||
- if (a1b0 < a0b1) \
|
||||
- Phi += MP_HALF_RADIX; \
|
||||
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
|
||||
a1b0 <<= MP_HALF_DIGIT_BIT; \
|
||||
Plo += a1b0; \
|
||||
- if (Plo < a1b0) \
|
||||
- ++Phi; \
|
||||
+ Phi += MP_CT_LTU(Plo, a1b0); \
|
||||
}
|
||||
#endif
|
||||
|
||||
+/* Constant time version of s_mpv_mul_d_add_prop.
|
||||
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
|
||||
+/* c += a * b */
|
||||
+void
|
||||
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len)
|
||||
+{
|
||||
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
+ mp_digit d = 0;
|
||||
+
|
||||
+ c_len -= a_len;
|
||||
+ /* Inner product: Digits of a */
|
||||
+ while (a_len--) {
|
||||
+ mp_word w = ((mp_word)b * *a++) + *c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_word w = (mp_word)*c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit carry = 0;
|
||||
+ c_len -= a_len;
|
||||
+ while (a_len--) {
|
||||
+ mp_digit a_i = *a++;
|
||||
+ mp_digit a0b0, a1b1;
|
||||
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
+
|
||||
+ a0b0 += carry;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, carry);
|
||||
+ a0b0 += a_i = *c;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, a_i);
|
||||
+
|
||||
+ *c++ = a0b0;
|
||||
+ carry = a1b1;
|
||||
+ }
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_digit c_i = *c;
|
||||
+ carry += c_i;
|
||||
+ *c++ = carry;
|
||||
+ carry = MP_CT_LTU(carry, c_i);
|
||||
+ }
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#if !defined(MP_ASSEMBLY_MULTIPLY)
|
||||
/* c = a * b */
|
||||
void
|
||||
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
||||
{
|
||||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
mp_digit d = 0;
|
||||
|
||||
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += a0b0 < carry;
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* c += a * b */
|
||||
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < carry);
|
||||
a0b0 += a_i = *c;
|
||||
- if (a0b0 < a_i)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < a_i);
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Presently, this is only used by the Montgomery arithmetic code. */
|
||||
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
|
||||
--- a/lib/freebl/mpi/mpi.h
|
||||
+++ b/lib/freebl/mpi/mpi.h
|
||||
@@ -145,16 +145,54 @@ typedef int mp_sword;
|
||||
#define MP_USED(MP) ((MP)->used)
|
||||
#define MP_ALLOC(MP) ((MP)->alloc)
|
||||
#define MP_DIGITS(MP) ((MP)->dp)
|
||||
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
|
||||
|
||||
/* This defines the maximum I/O base (minimum is 2) */
|
||||
#define MP_MAX_RADIX 64
|
||||
|
||||
+/* Constant Time Macros on mp_digits */
|
||||
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
|
||||
+
|
||||
+/* basic zero and non zero tests */
|
||||
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+
|
||||
+
|
||||
+/* basic constant-time helper macro for equalities and inequalities.
|
||||
+ * The inequalities will produce incorrect results if
|
||||
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
|
||||
+ * within the range 0-MP_DIGIT_MAX/2. */
|
||||
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
|
||||
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
|
||||
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
|
||||
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
|
||||
+#define MP_CT_TRUE ((mp_digit)1)
|
||||
+#define MP_CT_FALSE ((mp_digit)0)
|
||||
+
|
||||
+/* use constant time result to select a boolean value */
|
||||
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
|
||||
+
|
||||
+/* full inequalities that work with full mp_digit values */
|
||||
+#define MP_CT_OVERFLOW(a,b,c,d) \
|
||||
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
|
||||
+ (MP_CT_HIGH_TO_LOW(d)),c)
|
||||
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
|
||||
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
|
||||
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
|
||||
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
|
||||
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
|
||||
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
|
||||
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
|
||||
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
|
||||
+
|
||||
+
|
||||
typedef struct {
|
||||
mp_sign sign; /* sign of this quantity */
|
||||
mp_size alloc; /* how many digits allocated */
|
||||
mp_size used; /* how many digits used */
|
||||
mp_digit *dp; /* the digits themselves */
|
||||
} mp_int;
|
||||
|
||||
/* Default precision */
|
||||
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
|
||||
|
||||
/* Sign manipulations */
|
||||
mp_err mp_abs(const mp_int *a, mp_int *b);
|
||||
mp_err mp_neg(const mp_int *a, mp_int *b);
|
||||
|
||||
/* Full arithmetic */
|
||||
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
|
||||
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
|
||||
#if MP_SQUARE
|
||||
mp_err mp_sqr(const mp_int *a, mp_int *b);
|
||||
#else
|
||||
#define mp_sqr(a, b) mp_mul(a, a, b)
|
||||
#endif
|
||||
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
|
||||
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
|
||||
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
|
||||
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
|
||||
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
#else
|
||||
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
|
||||
#endif
|
||||
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
|
||||
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
|
||||
#endif /* MP_MODARITH */
|
||||
|
||||
+/* montgomery math */
|
||||
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
|
||||
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
|
||||
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
|
||||
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
|
||||
+
|
||||
/* Comparisons */
|
||||
int mp_cmp_z(const mp_int *a);
|
||||
int mp_cmp_d(const mp_int *a, mp_digit d);
|
||||
int mp_cmp(const mp_int *a, const mp_int *b);
|
||||
int mp_cmp_mag(const mp_int *a, const mp_int *b);
|
||||
int mp_isodd(const mp_int *a);
|
||||
int mp_iseven(const mp_int *a);
|
||||
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
|
||||
|
||||
/* Number theoretic */
|
||||
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
|
||||
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
|
||||
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
|
||||
--- a/lib/freebl/mpi/mpmontg.c
|
||||
+++ b/lib/freebl/mpi/mpmontg.c
|
||||
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
|
||||
}
|
||||
res = MP_OKAY;
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
#endif
|
||||
|
||||
-STATIC
|
||||
mp_err
|
||||
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
||||
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
/* xMont = x * R mod N where N is modulus */
|
||||
- MP_CHECKOK(mp_copy(x, xMont));
|
||||
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
|
||||
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
|
||||
+ if (x != xMont) {
|
||||
+ MP_CHECKOK(mp_copy(x, xMont));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
|
||||
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
|
||||
+mp_digit
|
||||
+mp_calculate_mont_n0i(const mp_int *N)
|
||||
+{
|
||||
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
|
||||
+}
|
||||
+
|
||||
#ifdef MP_USING_MONT_MULF
|
||||
|
||||
/* the floating point multiply is already cache safe,
|
||||
* don't turn on cache safe unless we specifically
|
||||
* force it */
|
||||
#ifndef MP_FORCE_CACHE_SAFE
|
||||
#undef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
#endif
|
||||
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
|
||||
MP_DIGITS(&accum1) = 0;
|
||||
|
||||
for (i = 0; i < MAX_ODD_INTS; ++i)
|
||||
oddPowers[i] = 0;
|
||||
|
||||
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
|
||||
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
MP_CHECKOK(s_mp_pad(&accum1, nLen));
|
||||
|
||||
oddPowSize = 2 * nLen + 1;
|
||||
dTmpSize = 2 * oddPowSize;
|
||||
dSize = sizeof(double) * (nLen * 4 + 1 +
|
||||
((odd_ints + 1) * oddPowSize) + dTmpSize);
|
||||
dBuf = malloc(dSize);
|
||||
if (!dBuf) {
|
||||
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
|
||||
for (i = 1; i < odd_ints; ++i) {
|
||||
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
|
||||
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
|
||||
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
|
||||
}
|
||||
|
||||
/* set accumulator to montgomery residue of 1 */
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
pa1 = &accum1;
|
||||
pa2 = &accum2;
|
||||
|
||||
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
|
||||
mp_size smallExp;
|
||||
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
|
||||
smallExp = (mp_size)res;
|
||||
|
||||
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
/* build the first WEAVE_WORD powers inline */
|
||||
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
|
||||
if (num_powers > 2) {
|
||||
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
|
||||
mp_set(&accum[0], 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
|
||||
MP_CHECKOK(mp_copy(montBase, &accum[1]));
|
||||
SQR(montBase, &accum[2]);
|
||||
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
|
||||
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
|
||||
if (!powersArray) {
|
||||
res = MP_MEM;
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
|
||||
if (first_window < 4) {
|
||||
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
|
||||
first_window = num_powers;
|
||||
}
|
||||
} else {
|
||||
if (first_window == 0) {
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
} else {
|
||||
/* assert first_window == 1? */
|
||||
MP_CHECKOK(mp_copy(montBase, &accum1));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* calculate all the powers in the powers array.
|
||||
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
|
||||
nLen = MP_USED(modulus);
|
||||
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
|
||||
|
||||
mmm.N = *modulus; /* a copy of the mp_int struct */
|
||||
|
||||
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
||||
** where n0 = least significant mp_digit of N, the modulus.
|
||||
*/
|
||||
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
|
||||
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
|
||||
|
||||
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
|
||||
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
|
||||
|
||||
bits_in_exponent = mpl_significant_bits(exponent);
|
||||
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
if (mp_using_cache_safe_exp) {
|
||||
if (bits_in_exponent > 780)
|
||||
window_bits = 6;
|
||||
else if (bits_in_exponent > 256)
|
||||
window_bits = 5;
|
||||
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
|
||||
--- a/lib/freebl/rsa.c
|
||||
+++ b/lib/freebl/rsa.c
|
||||
@@ -65,16 +65,18 @@ struct blindingParamsStr {
|
||||
** the Handbook of Applied Cryptography, 11.118-11.119.
|
||||
*/
|
||||
struct RSABlindingParamsStr {
|
||||
/* Blinding-specific parameters */
|
||||
PRCList link; /* link to list of structs */
|
||||
SECItem modulus; /* list element "key" */
|
||||
blindingParams *free, *bp; /* Blinding parameters queue */
|
||||
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
|
||||
+ /* precalculate montegomery reduction value */
|
||||
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
|
||||
};
|
||||
typedef struct RSABlindingParamsStr RSABlindingParams;
|
||||
|
||||
/*
|
||||
** RSABlindingParamsListStr
|
||||
**
|
||||
** List of key-specific blinding params. The arena holds the volatile pool
|
||||
** of memory for each entry and the list itself. The lock is for list
|
||||
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
|
||||
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
|
||||
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
|
||||
/* k < n */
|
||||
CHECK_MPI_OK(mp_mod(&k, n, &k));
|
||||
/* f = k**e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
|
||||
/* g = k**-1 mod n */
|
||||
CHECK_MPI_OK(mp_invmod(&k, n, g));
|
||||
+ /* g in montgomery form.. */
|
||||
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
|
||||
cleanup:
|
||||
if (kb)
|
||||
PORT_ZFree(kb, modLen);
|
||||
mp_clear(&k);
|
||||
mp_clear(&e);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
|
||||
* of rsabp->array pointer and must be set to NULL
|
||||
*/
|
||||
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
|
||||
|
||||
bp = rsabp->array;
|
||||
rsabp->bp = NULL;
|
||||
rsabp->free = bp;
|
||||
|
||||
+ /* precalculate montgomery reduction parameter */
|
||||
+ rsabp->n0i = mp_calculate_mont_n0i(n);
|
||||
+
|
||||
/* List elements are keyed using the modulus */
|
||||
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
||||
- mp_int *f, mp_int *g)
|
||||
+ mp_int *f, mp_int *g, mp_digit *n0i)
|
||||
{
|
||||
RSABlindingParams *rsabp = NULL;
|
||||
blindingParams *bpUnlinked = NULL;
|
||||
blindingParams *bp;
|
||||
PRCList *el;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err = MP_OKAY;
|
||||
int cmp = -1;
|
||||
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
|
||||
** head (since el would have looped back to the head).
|
||||
*/
|
||||
PR_INSERT_BEFORE(&rsabp->link, el);
|
||||
}
|
||||
|
||||
/* We've found (or created) the RSAblindingParams struct for this key.
|
||||
* Now, search its list of ready blinding params for a usable one.
|
||||
*/
|
||||
+ *n0i = rsabp->n0i;
|
||||
while (0 != (bp = rsabp->bp)) {
|
||||
#ifdef UNSAFE_FUZZER_MODE
|
||||
/* Found a match and there are still remaining uses left */
|
||||
/* Return the parameters */
|
||||
CHECK_MPI_OK(mp_copy(&bp->f, f));
|
||||
CHECK_MPI_OK(mp_copy(&bp->g, g));
|
||||
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
@@ -1426,16 +1434,17 @@ cleanup:
|
||||
rsabp->free = bp;
|
||||
}
|
||||
if (holdingLock) {
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
}
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
}
|
||||
+ *n0i = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
** Perform a raw private-key operation
|
||||
** Length of input and output buffers are equal to key's modulus len.
|
||||
*/
|
||||
static SECStatus
|
||||
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
PRBool check)
|
||||
{
|
||||
unsigned int modLen;
|
||||
unsigned int offset;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err;
|
||||
mp_int n, c, m;
|
||||
mp_int f, g;
|
||||
+ mp_digit n0i;
|
||||
if (!key || !output || !input) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
/* check input out of range (needs to be in range [0..n-1]) */
|
||||
modLen = rsa_modulusLen(&key->modulus);
|
||||
if (modLen == 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
CHECK_MPI_OK(mp_init(&f));
|
||||
CHECK_MPI_OK(mp_init(&g));
|
||||
SECITEM_TO_MPINT(key->modulus, &n);
|
||||
OCTETS_TO_MPINT(input, &c, modLen);
|
||||
/* If blinding, compute pre-image of ciphertext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
|
||||
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
|
||||
/* c' = c*f mod n */
|
||||
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
|
||||
}
|
||||
/* Do the private key operation m = c**d mod n */
|
||||
if (key->prime1.len == 0 ||
|
||||
key->prime2.len == 0 ||
|
||||
key->exponent1.len == 0 ||
|
||||
key->exponent2.len == 0 ||
|
||||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
} else {
|
||||
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
|
||||
}
|
||||
/* If blinding, compute post-image of plaintext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
/* m = m'*g mod n */
|
||||
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
|
||||
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
|
||||
}
|
||||
err = mp_to_fixlen_octets(&m, output, modLen);
|
||||
if (err >= 0)
|
||||
err = MP_OKAY;
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
mp_clear(&c);
|
||||
mp_clear(&m);
|
1383
SOURCES/nss-3.101-add-certificate-compression-test.patch
Normal file
1383
SOURCES/nss-3.101-add-certificate-compression-test.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,15 +1,15 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
|
||||
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700
|
||||
@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
|
||||
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
+ /* not really a key exchange, but it's the closest fit */
|
||||
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
|
||||
+
|
||||
};
|
||||
|
||||
static const oidValDef signOptList[] = {
|
||||
static const oidValDef smimeKxOptList[] = {
|
||||
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
|
||||
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
|
||||
@ -65,40 +65,43 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
|
||||
if (isTLS12) {
|
||||
if (isDH)
|
||||
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
|
||||
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
|
||||
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
|
||||
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
|
||||
"IPsec User",
|
||||
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
|
||||
--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700
|
||||
+++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700
|
||||
@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
|
||||
ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
|
||||
ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
|
||||
ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
|
||||
+
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* we need it for the policy code. */
|
||||
+ ODE(SEC_OID_PRIVATE_1,
|
||||
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
+
|
||||
};
|
||||
|
||||
|
||||
/* PRIVATE EXTENDED SECOID Table
|
||||
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
|
||||
|
||||
@@ -2198,6 +2204,10 @@ SECOID_Init(void)
|
||||
|
||||
/* turn off NSS_USE_POLICY_IN_SSL by default */
|
||||
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
|
||||
+ /* turn off TLS REQUIRE EMS by default */
|
||||
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
|
||||
|
||||
+
|
||||
+
|
||||
|
||||
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
|
||||
if (envVal)
|
||||
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
|
||||
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
|
||||
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
|
||||
@@ -501,6 +501,9 @@ typedef enum {
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
|
||||
diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
|
||||
--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700
|
||||
+++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700
|
||||
@@ -530,6 +530,9 @@ typedef enum {
|
||||
SEC_OID_RC2_64_CBC = 385,
|
||||
SEC_OID_RC2_128_CBC = 386,
|
||||
SEC_OID_ECDH_KEA = 387,
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* give it an obscure name here */
|
||||
+ SEC_OID_PRIVATE_1 = 372,
|
||||
+ SEC_OID_PRIVATE_1 = 388,
|
||||
|
||||
SEC_OID_TOTAL
|
||||
} SECOidTag;
|
59
SOURCES/nss-3.101-chacha-timing-fix.patch
Normal file
59
SOURCES/nss-3.101-chacha-timing-fix.patch
Normal file
@ -0,0 +1,59 @@
|
||||
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
|
||||
--- a/lib/freebl/chacha20poly1305.c
|
||||
+++ b/lib/freebl/chacha20poly1305.c
|
||||
@@ -213,27 +213,31 @@
|
||||
{
|
||||
#ifdef NSS_X64
|
||||
#ifndef NSS_DISABLE_AVX2
|
||||
if (avx2_support()) {
|
||||
Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef NSS_DISABLE_SSE3
|
||||
if (ssse3_support() && sse4_1_support() && avx_support()) {
|
||||
Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||
if (ppc_crypto_support()) {
|
||||
chacha20vsx(len, output, block, k, nonce, ctr);
|
||||
- } else
|
||||
+ return;
|
||||
+ }
|
||||
#endif
|
||||
{
|
||||
Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
}
|
||||
#endif /* NSS_DISABLE_CHACHAPOLY */
|
||||
|
||||
SECStatus
|
||||
@@ -449,20 +453,18 @@
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
goto finish;
|
||||
}
|
||||
#endif
|
||||
-
|
||||
- else
|
||||
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||
if (ppc_crypto_support()) {
|
||||
Chacha20Poly1305_vsx_aead_encrypt(
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
goto finish;
|
||||
- } else
|
||||
+ }
|
||||
#endif
|
||||
{
|
||||
Hacl_Chacha20Poly1305_32_aead_encrypt(
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
|
133
SOURCES/nss-3.101-default-libpkix.patch
Normal file
133
SOURCES/nss-3.101-default-libpkix.patch
Normal file
@ -0,0 +1,133 @@
|
||||
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
|
||||
--- a/lib/certhigh/certvfypkix.c
|
||||
+++ b/lib/certhigh/certvfypkix.c
|
||||
@@ -37,11 +37,11 @@
|
||||
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
|
||||
|
||||
PRInt32 parallelFnInvocationCount;
|
||||
#endif /* PKIX_OBJECT_LEAK_TEST */
|
||||
|
||||
-static PRBool usePKIXValidationEngine = PR_FALSE;
|
||||
+static PRBool usePKIXValidationEngine = PR_TRUE;
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
|
||||
/*
|
||||
* FUNCTION: CERT_SetUsePKIXForValidation
|
||||
* DESCRIPTION:
|
||||
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||
--- a/lib/nss/nssinit.c
|
||||
+++ b/lib/nss/nssinit.c
|
||||
@@ -762,13 +762,13 @@
|
||||
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||
|
||||
if (pkixError != NULL) {
|
||||
goto loser;
|
||||
} else {
|
||||
- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
||||
+ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
|
||||
if (ev && ev[0]) {
|
||||
- CERT_SetUsePKIXForValidation(PR_TRUE);
|
||||
+ CERT_SetUsePKIXForValidation(PR_FALSE);
|
||||
}
|
||||
}
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
}
|
||||
|
||||
diff --git a/tests/all.sh b/tests/all.sh
|
||||
--- a/tests/all.sh
|
||||
+++ b/tests/all.sh
|
||||
@@ -141,17 +141,22 @@
|
||||
########################################################################
|
||||
run_cycle_standard()
|
||||
{
|
||||
TEST_MODE=STANDARD
|
||||
|
||||
+ NSS_DISABLE_LIBPKIX_VERIFY="1"
|
||||
+ export NSS_DISABLE_LIBPKIX_VERIFY
|
||||
+
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="libpkix pkits"
|
||||
|
||||
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
|
||||
export NSS_DEFAULT_DB_TYPE
|
||||
|
||||
run_tests
|
||||
+
|
||||
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
}
|
||||
|
||||
############################ run_cycle_pkix ############################
|
||||
# run test suites with PKIX enabled
|
||||
########################################################################
|
||||
@@ -165,13 +170,10 @@
|
||||
|
||||
HOSTDIR="${HOSTDIR}/pkix"
|
||||
mkdir -p "${HOSTDIR}"
|
||||
init_directories
|
||||
|
||||
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
-
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
|
||||
|
||||
export -n NSS_SSL_RUN
|
||||
|
||||
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||
--- a/tests/common/init.sh
|
||||
+++ b/tests/common/init.sh
|
||||
@@ -138,12 +138,12 @@
|
||||
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
|
||||
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
|
||||
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
|
||||
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
|
||||
echo "export NSS_DEFAULT_DB_TYPE"
|
||||
- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
|
||||
- echo "export NSS_ENABLE_PKIX_VERIFY"
|
||||
+ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
|
||||
+ echo "export NSS_DISABLE_PKIX_VERIFY"
|
||||
echo "init_directories"
|
||||
}
|
||||
|
||||
# Exit shellfunction to clean up at exit (error, regular or signal)
|
||||
Exit()
|
||||
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||
--- a/tests/ssl/ssl.sh
|
||||
+++ b/tests/ssl/ssl.sh
|
||||
@@ -960,13 +960,12 @@
|
||||
ssl_policy_pkix_ocsp()
|
||||
{
|
||||
#verbose="-v"
|
||||
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
|
||||
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
+ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
|
||||
testname=""
|
||||
|
||||
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
|
||||
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
|
||||
@@ -987,16 +986,14 @@
|
||||
grep 12276 ${P_R_SERVERDIR}/vfy.out
|
||||
RET=$?
|
||||
html_msg $RET $RET_EXP "${testname}" \
|
||||
"produced a returncode of $RET, expected is $RET_EXP"
|
||||
|
||||
- if [ "${PKIX_SAVE}" = "unset" ]; then
|
||||
- unset NSS_ENABLE_PKIX_VERIFY
|
||||
- else
|
||||
- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
|
||||
- export NSS_ENABLE_PKIX_VERIFY
|
||||
+ if [ "{PKIX_SAVE}" != "unset" ]; then
|
||||
+ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
|
||||
fi
|
||||
+
|
||||
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
||||
|
||||
html "</TABLE><BR>"
|
||||
|
||||
}
|
||||
|
@ -1,12 +1,18 @@
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
||||
}
|
||||
PORT_Free(cursor);
|
||||
}
|
||||
}
|
||||
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700
|
||||
@@ -59,7 +59,6 @@ CPPSRCS = \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
tls_subcerts_unittest.cc \
|
||||
- tls_ech_unittest.cc \
|
||||
tls_xyber_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
||||
diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
|
||||
--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700
|
||||
@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
||||
SECStatus
|
||||
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
@ -30,13 +36,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss || size == 0) {
|
||||
return SECFailure;
|
||||
}
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
ss->ssl3.hs.greaseEchSize = size;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
@ -79,18 +79,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
81
SOURCES/nss-3.101-disable-md5.patch
Normal file
81
SOURCES/nss-3.101-disable-md5.patch
Normal file
@ -0,0 +1,81 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
|
||||
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
NSS_USE_ALG_IN_PKCS12 },
|
||||
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
|
||||
diff -r 699541a7793b lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||
@@ -2042,6 +2042,19 @@
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
+ switch (i) {
|
||||
+ case SEC_OID_MD2:
|
||||
+ case SEC_OID_MD4:
|
||||
+ case SEC_OID_MD5:
|
||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
||||
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
|
||||
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
|
||||
@@ -91,21 +91,21 @@
|
||||
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
|
||||
# integrity policy check the various has based controls.
|
||||
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
|
||||
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
|
||||
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
|
||||
# encryption side. These tests purposefully tests that the default fails to encrypt
|
||||
# but succeeds when decrypting.
|
||||
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
|
||||
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
|
||||
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256
|
@ -14,6 +14,8 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
||||
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
|
||||
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
|
||||
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
|
||||
{ CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
|
||||
NSS_USE_ALG_IN_SIGNATURE },
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
@ -21,6 +23,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
||||
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
|
||||
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
|
||||
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
|
||||
{ smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
|
||||
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
|
||||
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
|
||||
};
|
24
SOURCES/nss-3.101-ec-dbm-test.patch
Normal file
24
SOURCES/nss-3.101-ec-dbm-test.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
|
||||
--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700
|
||||
+++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700
|
||||
@@ -45,12 +45,20 @@ ectest_genkeydb_test()
|
||||
if [ $? -ne 0 ]; then
|
||||
return $?
|
||||
fi
|
||||
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
curves=( \
|
||||
"curve25519" \
|
||||
"secp256r1" \
|
||||
"secp384r1" \
|
||||
"secp521r1" \
|
||||
)
|
||||
+ else
|
||||
+ curves=( \
|
||||
+ "secp256r1" \
|
||||
+ "secp384r1" \
|
||||
+ "secp521r1" \
|
||||
+ )
|
||||
+ fi
|
||||
for curve in "${curves[@]}"; do
|
||||
echo "Test $curve key generation using certutil ..."
|
||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
12
SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch
Normal file
12
SOURCES/nss-3.101-el8-fix-rsa-policy-test.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700
|
||||
@@ -197,7 +197,7 @@
|
||||
# compatibility reasons
|
||||
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||
# test default settings
|
89
SOURCES/nss-3.101-el8-no-p12-smime-policy.patch
Normal file
89
SOURCES/nss-3.101-el8-no-p12-smime-policy.patch
Normal file
@ -0,0 +1,89 @@
|
||||
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
|
||||
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
|
||||
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
|
||||
static PRBool
|
||||
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policy;
|
||||
SECStatus rv;
|
||||
|
||||
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
|
||||
return PR_TRUE;
|
||||
}
|
||||
return PR_FALSE;
|
||||
+#else
|
||||
+ return PR_TRUE;
|
||||
+#endif
|
||||
}
|
||||
|
||||
PRBool
|
||||
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
|
||||
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
|
||||
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
|
||||
PRBool
|
||||
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policyFlags;
|
||||
|
||||
/* some S/MIME algs map to the same underlying KEA mechanism,
|
||||
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
|
||||
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
|
||||
return PR_FALSE;
|
||||
}
|
||||
+#endif
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
|
||||
return PR_FAILURE;
|
||||
}
|
||||
|
||||
+#ifdef notdef
|
||||
/* At initialization time, we need to set up the defaults. We first
|
||||
* look to see if the system or application has set up certain algorithms
|
||||
* by policy. If they have set up values by policy we'll only allow those
|
||||
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
|
||||
PORT_Free(tags);
|
||||
tags = NULL;
|
||||
}
|
||||
+#else
|
||||
+ /* just initialize the old maps */
|
||||
+ rv = SECSuccess;
|
||||
+ tagCount = 0;
|
||||
+#endif
|
||||
if ((rv != SECSuccess) || (tagCount == 0)) {
|
||||
/* No algorithms have been enabled by policy (either by the system
|
||||
* or by the application, we then will use the traditional default
|
||||
diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
|
||||
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||
700
|
||||
+++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700
|
||||
@@ -872,8 +872,8 @@ smime_init
|
||||
smime_main
|
||||
smime_data_tb
|
||||
smime_p7
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- smime_policy
|
||||
-fi
|
||||
+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
+# smime_policy
|
||||
+#fi
|
||||
smime_cleanup
|
||||
|
||||
diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||
700
|
||||
+++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700
|
||||
@@ -586,7 +586,7 @@ tools_p12()
|
||||
tools_p12_import_pbmac1_samples
|
||||
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
tools_p12_import_rsa_pss_private_key
|
||||
- tools_p12_policy
|
||||
+#tools_p12_policy
|
||||
fi
|
||||
}
|
||||
|
@ -26,6 +26,20 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
|
||||
if (pk12util.options[opt_CertCipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||
|
||||
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732
|
||||
48450 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
|
||||
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
|
||||
- if (PK11_IsFIPS()) {
|
||||
- hash = SEC_OID_HMAC_SHA256;
|
||||
- }
|
||||
if (pk12util.options[opt_Mac].activated) {
|
||||
char *hashString = pk12util.options[opt_Mac].arg;
|
||||
|
||||
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
|
||||
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
|
13
SOURCES/nss-3.101-enable-kyber-policy.patch
Normal file
13
SOURCES/nss-3.101-enable-kyber-policy.patch
Normal file
@ -0,0 +1,13 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
|
||||
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
|
||||
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
|
||||
+ NSS_USE_ALG_IN_SSL_KX },
|
||||
/* ANSI X9.62 named elliptic curves (characteristic two field) */
|
||||
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
@ -5,8 +5,8 @@ diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
|
||||
RARRAY=($dtime)
|
||||
TIMEARRAY=(${RARRAY[1]//./ })
|
||||
echo "${TIMEARRAY[0]} seconds"
|
||||
- test ${TIMEARRAY[0]} -lt 2
|
||||
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
|
||||
- test ${TIMEARRAY[0]} -lt 5
|
||||
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
|
||||
ret=$?
|
||||
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
|
||||
fi
|
@ -1,7 +1,7 @@
|
||||
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
|
||||
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700
|
||||
@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
context->blockSize = 0;
|
||||
context->maxLen = 0;
|
||||
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
||||
@ -10,16 +10,16 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
*contextPtr = context;
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
crv = sftk_handleObject(key, session);
|
||||
/* we need to do this check at the end, so we can check the generated
|
||||
/* we need to do this check at the end, so we can check the generated
|
||||
* key length against fips requirements */
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
|
||||
session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
return crv;
|
||||
}
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
@ -28,7 +28,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
session->lastOpWasFIPS = privateKey->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
}
|
||||
|
||||
@ -39,7 +39,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
/* sourceKey is NULL if we are called from the POST, skip the
|
||||
* sensitiveCheck */
|
||||
if (sourceKey != NULL) {
|
||||
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
mech.pParameter = params;
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
@ -49,7 +49,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
}
|
||||
saltKeySource = saltKey->source;
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
/* HKDF-Expand */
|
||||
if (!params->bExpand) {
|
||||
okm = prk;
|
||||
@ -58,7 +58,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
} else {
|
||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
return CKR_KEY_HANDLE_INVALID;
|
||||
}
|
||||
}
|
||||
@ -69,8 +69,8 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
switch (mechanism) {
|
||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
|
||||
--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700
|
||||
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
|
||||
/* check the FIPS table to determine if this current operation is allowed by
|
||||
* FIPS security policy */
|
||||
@ -82,9 +82,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
||||
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
|
||||
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
|
||||
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700
|
||||
@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
static CK_ULONG
|
||||
sftk_getKeyLength(SFTKObject *source)
|
||||
{
|
||||
@ -93,7 +93,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||
CK_ULONG keyLength = 0;
|
||||
SFTKAttribute *attribute;
|
||||
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
return keyLength;
|
||||
}
|
||||
|
||||
@ -124,7 +124,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
{
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
if (hashObj == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
@ -141,7 +141,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
}
|
||||
case SFTKFIPSPBKDF2: {
|
||||
/* PBKDF2 must have the following addition restrictions
|
||||
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
@ -155,7 +155,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
|
||||
PRBool
|
||||
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
||||
@ -164,7 +164,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
{
|
||||
#ifndef NSS_HAS_FIPS_INDICATORS
|
||||
return PR_FALSE;
|
||||
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
||||
/* if we match the number of records exactly, then we are an
|
||||
* approved algorithm in the approved mode with an approved key */
|
@ -1,6 +1,6 @@
|
||||
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
||||
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
|
||||
--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700
|
||||
@@ -445,7 +445,7 @@ cleanup:
|
||||
PRBool
|
||||
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
||||
@ -50,20 +50,28 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
||||
MP_TO_SEC_ERROR(err);
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700
|
||||
@@ -43,6 +43,7 @@
|
||||
|
||||
#include "prprf.h"
|
||||
#include "prenv.h"
|
||||
+#include "prerror.h"
|
||||
|
||||
#define __PASTE(x, y) x##y
|
||||
#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
|
||||
@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
* handle the base object stuff
|
||||
*/
|
||||
crv = sftk_handleObject(key, session);
|
||||
+ /* we need to do this check at the end, so we can check the generated
|
||||
+ /* we need to do this check at the end, so we can check the generated
|
||||
+ * key length against fips requirements */
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
||||
}
|
||||
@ -73,7 +81,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
if (crv == CKR_OK) {
|
||||
*phKey = key->handle;
|
||||
}
|
||||
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
|
||||
if (isDerivable) {
|
||||
SFTKAttribute *pubAttribute = NULL;
|
||||
@ -156,7 +164,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
+ }
|
||||
+ /* make sure it has the same encoding */
|
||||
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
||||
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
+ } else {
|
||||
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
@ -169,7 +177,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
+ default:
|
||||
+ return CKR_DEVICE_ERROR;
|
||||
}
|
||||
-
|
||||
|
||||
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
|
||||
- if (crv != CKR_OK) {
|
||||
- sftk_FreeAttribute(pubAttribute);
|
||||
@ -189,7 +197,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
/* FIPS requires full validation, but in fipx mode NSC_Derive
|
||||
* only does partial validation with approved primes, now handle
|
||||
* full validation */
|
||||
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
SECItem pubKey;
|
||||
SECItem prime;
|
||||
SECItem subPrime;
|
||||
@ -283,7 +291,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
* created and linked.
|
||||
*/
|
||||
crv = sftk_handleObject(publicKey, session);
|
||||
@ -293,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
sftk_FreeObject(privateKey);
|
||||
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (crv != CKR_OK) {
|
||||
@ -301,7 +309,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
NSC_DestroyObject(hSession, publicKey->handle);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
@ -310,7 +318,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
|
||||
*phPrivateKey = privateKey->handle;
|
||||
*phPublicKey = publicKey->handle;
|
||||
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
|
||||
/* if the prime is an approved prime, we can skip all the other
|
||||
* checks. */
|
||||
@ -319,7 +327,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
if (subPrime == NULL) {
|
||||
SECItem dhSubPrime;
|
||||
/* If the caller set the subprime value, it means that
|
||||
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
secretlen = tmp.len;
|
||||
} else {
|
||||
secretlen = keySize;
|
||||
@ -327,24 +335,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
|
||||
&tmp, mechParams->pSharedData,
|
||||
mechParams->ulSharedDataLen, mechParams->kdf);
|
||||
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
|
||||
if (object == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
|
||||
+ /* object types that we aren't allowed to create in FIPS mode are
|
||||
+ * already rejected explicitly. If we get here, then the object is
|
||||
+ * FIPS OK (most notably public key objects )*/
|
||||
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
|
||||
* it's not a FIPS object */
|
||||
|
||||
/*
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
|
||||
--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700
|
||||
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
||||
/* dh verify functions */
|
||||
/* verify that dhPrime matches one of our known primes, and if so return
|
||||
@ -355,9 +348,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
||||
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
||||
/* map an operation Attribute to a Mechanism flag */
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700
|
||||
@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
SECItem dhPrime;
|
||||
@ -388,8 +381,8 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
||||
case SFTKFIPSNone:
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
||||
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
|
||||
--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700
|
||||
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
|
||||
(unsigned char *)subprime_tls_8192_data,
|
||||
sizeof(subprime_tls_8192_data) };
|
||||
@ -481,8 +474,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
||||
}
|
||||
break;
|
||||
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
|
||||
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
|
||||
--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700
|
||||
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
|
||||
goto fail;
|
||||
}
|
115
SOURCES/nss-3.101-fix-cms-abi-break.patch
Normal file
115
SOURCES/nss-3.101-fix-cms-abi-break.patch
Normal file
@ -0,0 +1,115 @@
|
||||
diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
|
||||
--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
|
||||
@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
|
||||
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
|
||||
offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
|
||||
- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
|
||||
+ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
|
||||
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
|
||||
offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
|
||||
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
|
||||
diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
|
||||
--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
|
||||
|
||||
extern SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
|
||||
- SECItem *encKey, PRBool genUkm, SECItem *ukm,
|
||||
+ SECItem *encKey, PRBool genUkm, SECItem **ukm,
|
||||
SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
|
||||
|
||||
PK11SymKey *
|
||||
diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
|
||||
--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
|
||||
unsigned char suppPubInfo[4] = { 0 };
|
||||
|
||||
SI.keyInfo = keyInfo;
|
||||
- SI.entityUInfo.type = ukm->type;
|
||||
- SI.entityUInfo.data = ukm->data;
|
||||
- SI.entityUInfo.len = ukm->len;
|
||||
+ if (ukm) {
|
||||
+ SI.entityUInfo.type = ukm->type;
|
||||
+ SI.entityUInfo.data = ukm->data;
|
||||
+ SI.entityUInfo.len = ukm->len;
|
||||
+ } else {
|
||||
+ SI.entityUInfo.type = siBuffer;
|
||||
+ SI.entityUInfo.data = NULL;
|
||||
+ SI.entityUInfo.len = 0;
|
||||
+ }
|
||||
|
||||
SI.suppPubInfo.type = siBuffer;
|
||||
SI.suppPubInfo.data = suppPubInfo;
|
||||
@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
|
||||
SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
|
||||
PK11SymKey *bulkkey, SECItem *encKey,
|
||||
- PRBool genUkm, SECItem *ukm,
|
||||
+ PRBool genUkm, SECItem **ukmp,
|
||||
SECAlgorithmID *keyEncAlg, SECItem *pubKey,
|
||||
void *wincx)
|
||||
{
|
||||
@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
|
||||
SECAlgorithmID keyWrapAlg;
|
||||
SECOidTag keyEncAlgtag;
|
||||
SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
|
||||
+ SECItem *ukm = *ukmp;
|
||||
CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
|
||||
CK_ULONG kdf;
|
||||
|
||||
- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
|
||||
+ if (genUkm && (ukm != NULL)) {
|
||||
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
|
||||
* contain 512 bits for Diffie-Hellman key agreement. */
|
||||
|
||||
if (genUkm) {
|
||||
- ukm->type = siBuffer;
|
||||
- ukm->len = 64;
|
||||
- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
|
||||
-
|
||||
- if (ukm->data == NULL) {
|
||||
+ ukm = SECITEM_AllocItem(poolp, NULL, 64);
|
||||
+ if (ukm == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
+ ukm->type = siBuffer;
|
||||
+
|
||||
rv = PK11_GenerateRandom(ukm->data, ukm->len);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
+ *ukmp = ukm; /* return it */
|
||||
}
|
||||
|
||||
SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
|
||||
diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
|
||||
--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
|
||||
parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
|
||||
enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
|
||||
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
|
||||
- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
|
||||
+ ukm = ri->ri.keyAgreeRecipientInfo.ukm;
|
||||
break;
|
||||
case NSSCMSRecipientInfoID_KEK:
|
||||
algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
|
||||
diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
|
||||
--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
|
||||
struct NSSCMSKeyAgreeRecipientInfoStr {
|
||||
SECItem version;
|
||||
NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
|
||||
- SECItem ukm; /* optional */
|
||||
+ SECItem *ukm; /* optional */
|
||||
SECAlgorithmID keyEncAlg;
|
||||
NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
|
||||
};
|
126
SOURCES/nss-3.101-fix-missing-size-checks.patch
Normal file
126
SOURCES/nss-3.101-fix-missing-size-checks.patch
Normal file
@ -0,0 +1,126 @@
|
||||
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
|
||||
// Fail to connect with a weak RSA key.
|
||||
TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
Reset(kPssDelegatorId);
|
||||
EnsureTlsSetup();
|
||||
static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
|
||||
ssl_sig_rsa_pss_pss_sha256};
|
||||
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
+ PRInt32 keySizeFlags;
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
|
||||
+ // turn off the signing key sizes so we actually test the ssl tests
|
||||
+ ASSERT_EQ(SECSuccess,
|
||||
+ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
|
||||
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
// save the MIN POLICY length.
|
||||
PRInt32 minRsa;
|
||||
|
||||
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
||||
#if RSA_MIN_MODULUS_BITS >= 2048
|
||||
ASSERT_EQ(SECSuccess,
|
||||
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
||||
@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
client_->EnableDelegatedCredentials();
|
||||
|
||||
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_delegated_credentials_xtn);
|
||||
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
||||
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
||||
#endif
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
|
||||
}
|
||||
|
||||
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
||||
public:
|
||||
ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
|
||||
: TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
|
||||
|
||||
protected:
|
||||
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
|
||||
--- a/lib/cryptohi/seckey.c
|
||||
+++ b/lib/cryptohi/seckey.c
|
||||
@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* interpret modulus length as key strength */
|
||||
switch (privk->keyType) {
|
||||
case rsaKey:
|
||||
case rsaPssKey:
|
||||
case rsaOaepKey:
|
||||
- /* some tokens don't export CKA_MODULUS on the private key,
|
||||
- * PK11_SignatureLen works around this if necessary */
|
||||
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||
- if (bitSize == -1) {
|
||||
- bitSize = 0;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
+ CKA_MODULUS, NULL, ¶ms);
|
||||
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
+ /* some tokens don't export CKA_MODULUS on the private key,
|
||||
+ * PK11_SignatureLen works around this if necessary. This
|
||||
+ * method is less percise because it returns bytes instead
|
||||
+ * bits, so we only do it if we can't get the modulus */
|
||||
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||
+ if (bitSize == -1) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return bitSize;
|
||||
}
|
||||
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
||||
+ PORT_Free(params.data);
|
||||
return bitSize;
|
||||
case dsaKey:
|
||||
case fortezzaKey:
|
||||
case dhKey:
|
||||
case keaKey:
|
||||
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
CKA_PRIME, NULL, ¶ms);
|
||||
if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
goto done;
|
||||
}
|
||||
PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
|
||||
|
||||
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
|
||||
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
|
||||
int signatureLen = PK11_SignatureLen(key);
|
||||
+ PRInt32 optval;
|
||||
|
||||
SECItem *params = NULL;
|
||||
CK_RSA_PKCS_PSS_PARAMS pssParams;
|
||||
SECItem pssParamsItem = { siBuffer,
|
||||
(unsigned char *)&pssParams,
|
||||
sizeof(pssParams) };
|
||||
|
||||
if (signatureLen <= 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
goto done;
|
||||
}
|
||||
+ /* since we are calling PK11_SignWithMechanism directly, we need to check the
|
||||
+ * key policy ourselves (which is already checked in SGN_Digest */
|
||||
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||
+ if ((rv == SECSuccess) &&
|
||||
+ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
|
||||
+ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
|
||||
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ goto done; /* error code already set */
|
||||
+ }
|
||||
+ }
|
||||
|
||||
buf->len = (unsigned)signatureLen;
|
||||
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
|
||||
if (!buf->data)
|
||||
goto done; /* error code was set. */
|
||||
|
||||
if (useRsaPss) {
|
||||
pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);
|
43
SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch
Normal file
43
SOURCES/nss-3.101-fix-pkcs12-md5-decode.patch
Normal file
@ -0,0 +1,43 @@
|
||||
diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
|
||||
--- a/lib/util/nsshash.c
|
||||
+++ b/lib/util/nsshash.c
|
||||
@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
|
||||
SECOidTag
|
||||
HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
|
||||
{
|
||||
SECOidTag hashOid = SEC_OID_UNKNOWN;
|
||||
|
||||
switch (hmacOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_HMAC_MD5:
|
||||
+ hashOid = SEC_OID_MD5;
|
||||
+ break;
|
||||
case SEC_OID_HMAC_SHA1:
|
||||
hashOid = SEC_OID_SHA1;
|
||||
break;
|
||||
case SEC_OID_HMAC_SHA224:
|
||||
hashOid = SEC_OID_SHA224;
|
||||
break;
|
||||
case SEC_OID_HMAC_SHA256:
|
||||
hashOid = SEC_OID_SHA256;
|
||||
@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
|
||||
SECOidTag
|
||||
HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
|
||||
{
|
||||
SECOidTag hmacOid = SEC_OID_UNKNOWN;
|
||||
|
||||
switch (hashOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_MD5:
|
||||
+ hmacOid = SEC_OID_HMAC_MD5;
|
||||
+ break;
|
||||
case SEC_OID_SHA1:
|
||||
hmacOid = SEC_OID_HMAC_SHA1;
|
||||
break;
|
||||
case SEC_OID_SHA224:
|
||||
hmacOid = SEC_OID_HMAC_SHA224;
|
||||
break;
|
||||
case SEC_OID_SHA256:
|
||||
hmacOid = SEC_OID_HMAC_SHA256;
|
121
SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
Normal file
121
SOURCES/nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
Normal file
@ -0,0 +1,121 @@
|
||||
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
|
||||
--- a/lib/pk11wrap/pk11mech.c
|
||||
+++ b/lib/pk11wrap/pk11mech.c
|
||||
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
|
||||
case CKM_BATON_ECB96:
|
||||
case CKM_BATON_CBC128:
|
||||
case CKM_BATON_COUNTER:
|
||||
case CKM_BATON_SHUFFLE:
|
||||
case CKM_JUNIPER_ECB128:
|
||||
case CKM_JUNIPER_CBC128:
|
||||
case CKM_JUNIPER_COUNTER:
|
||||
case CKM_JUNIPER_SHUFFLE:
|
||||
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
- SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
- if (newParams == NULL)
|
||||
- break;
|
||||
+ /* if no parameters have been supplied, then encode a NULL params
|
||||
+ */
|
||||
+ if (param && param->len > 0) {
|
||||
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
+ if (newParams == NULL)
|
||||
+ break;
|
||||
+ } else {
|
||||
+ newParams = NULL;
|
||||
+ }
|
||||
rv = SECSuccess;
|
||||
break;
|
||||
}
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
if (newParams)
|
||||
SECITEM_FreeItem(newParams, PR_TRUE);
|
||||
return rv;
|
||||
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
|
||||
--- a/lib/pk11wrap/pk11pbe.c
|
||||
+++ b/lib/pk11wrap/pk11pbe.c
|
||||
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
||||
* algorithm is). We use choose this algorithm oid based on the
|
||||
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
|
||||
*/
|
||||
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
|
||||
/* choose mac or pbes */
|
||||
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
|
||||
}
|
||||
|
||||
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
+
|
||||
/* set the PKCS5v2 specific parameters */
|
||||
if (keyLength == 0) {
|
||||
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
if (hashAlg != SEC_OID_UNKNOWN) {
|
||||
keyLength = HASH_ResultLenByOidTag(hashAlg);
|
||||
} else {
|
||||
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
|
||||
}
|
||||
if (keyLength <= 0) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
/* currently SEC_OID_HMAC_SHA1 is the default */
|
||||
if (prfAlg == SEC_OID_UNKNOWN) {
|
||||
prfAlg = SEC_OID_HMAC_SHA1;
|
||||
}
|
||||
|
||||
- /* build the PKCS5v2 cipher algorithm id */
|
||||
- cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
- if (!cipherParams) {
|
||||
- goto loser;
|
||||
+ /* build the PKCS5v2 cipher algorithm id, if cipher
|
||||
+ * is an HMAC, the cipherParams should be NULL */
|
||||
+ if (hashAlg == SEC_OID_UNKNOWN) {
|
||||
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
+ if (!cipherParams) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ } else {
|
||||
+ cipherParams = NULL;
|
||||
}
|
||||
|
||||
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
|
||||
|
||||
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
|
||||
poolp, &pbeV2_param.cipherAlgId);
|
||||
- SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ if (cipherParams) {
|
||||
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ }
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
|
||||
/* generate the parameter */
|
||||
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
|
||||
keyLength, prfAlg);
|
||||
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
|
||||
--- a/lib/util/secalgid.c
|
||||
+++ b/lib/util/secalgid.c
|
||||
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
|
||||
return SECFailure;
|
||||
|
||||
if ((secoid_IsRSAPKCS1(which)) ||
|
||||
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
|
||||
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
|
||||
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
|
||||
add_null_param = PR_TRUE;
|
||||
} else {
|
||||
add_null_param = PR_FALSE;
|
||||
}
|
||||
|
||||
if (params) {
|
||||
/*
|
||||
* I am specifically *not* enforcing the following assertion
|
12
SOURCES/nss-3.101-long-pwd-fix.patch
Normal file
12
SOURCES/nss-3.101-long-pwd-fix.patch
Normal file
@ -0,0 +1,12 @@
|
||||
diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
|
||||
--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
|
||||
+++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
|
||||
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
|
||||
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
|
||||
/* pkcs12v2 hmac uses UTF8 rather than unicode */
|
||||
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
|
||||
- PR_TRUE, PR_FALSE, PR_FALSE)) {
|
||||
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
|
||||
return NULL;
|
||||
}
|
||||
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
|
File diff suppressed because it is too large
Load Diff
@ -1,57 +0,0 @@
|
||||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
||||
index 74e8e65..8995752 100644
|
||||
--- a/lib/freebl/Makefile
|
||||
+++ b/lib/freebl/Makefile
|
||||
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
else ifeq (1,$(CC_IS_GCC))
|
||||
- SUPPORTS_VALE_CURVE25519 = 1
|
||||
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
||||
index 65f9a80..23940ef 100644
|
||||
--- a/lib/freebl/freebl.gyp
|
||||
+++ b/lib/freebl/freebl.gyp
|
||||
@@ -866,12 +866,6 @@
|
||||
}],
|
||||
],
|
||||
}],
|
||||
- [ 'supports_vale_curve25519==1', {
|
||||
- 'defines': [
|
||||
- # The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
- 'HACL_CAN_COMPILE_INLINE_ASM',
|
||||
- ],
|
||||
- }],
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
@@ -934,11 +928,6 @@
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'conditions': [
|
||||
- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
||||
- 'supports_vale_curve25519%': 1,
|
||||
- }, {
|
||||
- 'supports_vale_curve25519%': 0,
|
||||
- }],
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'have_int128_support%': 1,
|
||||
}, {
|
||||
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
|
||||
index d198c44..34b6b3c 100644
|
||||
--- a/lib/freebl/freebl_base.gypi
|
||||
+++ b/lib/freebl/freebl_base.gypi
|
||||
@@ -151,11 +151,6 @@
|
||||
'ecl/curve25519_32.c',
|
||||
],
|
||||
}],
|
||||
- ['supports_vale_curve25519==1', {
|
||||
- 'sources': [
|
||||
- 'verified/Hacl_Curve25519_64.c',
|
||||
- ],
|
||||
- }],
|
||||
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
||||
'sources': [
|
||||
# Gyp does not support per-file cflags, so working around like this.
|
@ -1,194 +0,0 @@
|
||||
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
|
||||
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -10,6 +10,32 @@
|
||||
#include "pk11pub.h"
|
||||
#include <stdio.h>
|
||||
|
||||
+typedef struct KeyLengthEntryStr {
|
||||
+ SECOidTag tag;
|
||||
+ unsigned int len;
|
||||
+ PRBool encoded;
|
||||
+} KeyLengthEntry;
|
||||
+
|
||||
+const KeyLengthEntry keyLengthTable[] = {
|
||||
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
|
||||
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
|
||||
+};
|
||||
+
|
||||
+const KeyLengthEntry *
|
||||
+getKeyLengthEntry(SECOidTag tag)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
|
||||
+ if (keyLengthTable[i].tag == tag) {
|
||||
+ return &keyLengthTable[i];
|
||||
+ }
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
void
|
||||
printBuf(const SECItem *item)
|
||||
{
|
||||
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
PK11SymKey *symKey = NULL;
|
||||
SECStatus rv = SECFailure;
|
||||
+ const KeyLengthEntry *keyLengthEntry;
|
||||
+ SECItem point = { siBuffer, NULL, 0 };
|
||||
+ SECItem value = { siBuffer, NULL, 0 };
|
||||
+ PLArenaPool *arena = NULL;
|
||||
|
||||
oidData = SECOID_FindOIDByTag(oid);
|
||||
if (oidData == NULL) {
|
||||
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
goto cleanup;
|
||||
}
|
||||
PrintKey(symKey);
|
||||
- rv = SECSuccess;
|
||||
|
||||
+ keyLengthEntry = getKeyLengthEntry(oid);
|
||||
+ /* this shouldn't happen unless new curves are added without adding them
|
||||
+ * to the keyLengthTable */
|
||||
+ PR_ASSERT(keyLengthEntry);
|
||||
+
|
||||
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
|
||||
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
|
||||
+ * our test will detect incorrect behavior */
|
||||
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
|
||||
+ if (rv == SECFailure) {
|
||||
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (keyLengthEntry->encoded) {
|
||||
+ if (point.len == keyLengthEntry->len) {
|
||||
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
+ if (arena == NULL) {
|
||||
+ printf(" >>> arena alloc failed.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
+ &point);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (value.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ value.len, keyLengthEntry->len);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
|
||||
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (point.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ point.len, keyLengthEntry->len);
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ rv = SECSuccess;
|
||||
cleanup:
|
||||
if (privKey) {
|
||||
SECKEY_DestroyPrivateKey(privKey);
|
||||
@@ -91,7 +176,11 @@ cleanup:
|
||||
if (symKey) {
|
||||
PK11_FreeSymKey(symKey);
|
||||
}
|
||||
+ if (arena) {
|
||||
+ PORT_FreeArena(arena, PR_TRUE);
|
||||
+ }
|
||||
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
|
||||
+ SECITEM_FreeItem(&point, PR_FALSE);
|
||||
|
||||
return rv;
|
||||
}
|
||||
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
|
||||
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
|
||||
*/
|
||||
|
||||
typedef enum { ec_params_explicit,
|
||||
- ec_params_named
|
||||
+ ec_params_named,
|
||||
+ ec_params_edwards_named,
|
||||
+ ec_params_montgomery_named,
|
||||
} ECParamsType;
|
||||
|
||||
typedef enum { ec_field_GFp = 1,
|
||||
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
|
||||
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
|
||||
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
|
||||
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
|
||||
|
||||
case SEC_OID_CURVE25519:
|
||||
/* Populate params for Curve25519 */
|
||||
+ params->type = ec_params_montgomery_named;
|
||||
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
|
||||
ec_field_plain,
|
||||
params));
|
||||
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
|
||||
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
/* make sure it has the same encoding */
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
||||
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
} else {
|
||||
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- ecParams->fieldID.type == ec_field_plain) {
|
||||
+ ecParams->type != ec_params_named) {
|
||||
PORT_FreeArena(ecParams->arena, PR_TRUE);
|
||||
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
|
||||
sftk_item_expand(&ecPriv->publicValue));
|
||||
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
|
||||
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
|
||||
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
/* Handle the non-DER encoded case.
|
||||
* Some curves are always pressumed to be non-DER.
|
||||
*/
|
||||
- if (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
|
||||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
|
||||
+ (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
break; /* key was not DER encoded, no need to unwrap */
|
||||
}
|
||||
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
break;
|
||||
}
|
||||
/* we don't handle compressed points except in the case of ECCurve25519 */
|
||||
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
|
||||
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
break;
|
||||
}
|
@ -1,335 +0,0 @@
|
||||
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
|
||||
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
|
||||
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
|
||||
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
|
||||
|
||||
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
|
||||
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
|
||||
+const uint8_t kP521SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
||||
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
|
||||
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
|
||||
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
|
||||
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
|
||||
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
|
||||
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
|
||||
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
|
||||
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
|
||||
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
|
||||
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
|
||||
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
|
||||
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
|
||||
+ 0xe2, 0x9f};
|
||||
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
|
||||
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
|
||||
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
|
||||
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
|
||||
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
|
||||
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
|
||||
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
|
||||
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
|
||||
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
|
||||
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
|
||||
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
|
||||
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
|
||||
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
|
||||
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
|
||||
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
|
||||
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
|
||||
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
|
||||
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
|
||||
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
|
||||
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
|
||||
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
|
||||
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
|
||||
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
|
||||
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
|
||||
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
|
||||
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
|
||||
+const uint8_t kP384SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
|
||||
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
|
||||
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
|
||||
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
|
||||
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
|
||||
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
|
||||
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
|
||||
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
|
||||
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
|
||||
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
|
||||
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
|
||||
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
|
||||
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
|
||||
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
|
||||
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
|
||||
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
|
||||
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
|
||||
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
|
||||
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
|
||||
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
|
||||
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
|
||||
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
|
||||
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
|
||||
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
|
||||
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
|
||||
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
|
||||
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
|
||||
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
|
||||
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
|
||||
+const uint8_t kP256SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
||||
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
|
||||
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
|
||||
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
|
||||
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
|
||||
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
|
||||
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
|
||||
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
|
||||
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
|
||||
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
|
||||
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
|
||||
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
|
||||
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
|
||||
+ 0xcf, 0x61, 0x91, 0x5f};
|
||||
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
|
||||
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
|
||||
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
|
||||
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
|
||||
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
|
||||
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
|
||||
+ 0x78, 0xc4};
|
||||
} // namespace nss_test
|
||||
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
|
||||
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
|
||||
SEC_OID_SECG_EC_SECP521R1,
|
||||
SEC_OID_CURVE25519));
|
||||
|
||||
+class Pkcs11EcdsaUnpaddedSignatureTest
|
||||
+ : public Pkcs11EcdsaTestBase,
|
||||
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
|
||||
+ public:
|
||||
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
|
||||
+};
|
||||
+
|
||||
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
|
||||
+};
|
||||
+
|
||||
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
|
||||
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
|
||||
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
|
||||
} // namespace nss_test
|
||||
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
|
||||
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[64] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 65 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 64) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 65) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 64) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 32 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 32;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 32;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
uint8_t hash[32] = { 0 };
|
||||
if (digest->len < 32) {
|
||||
memcpy(hash + 32 - digest->len, digest->data, digest->len);
|
||||
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P256_ecdsa_verif_without_hash(
|
||||
32, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 32);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
|
||||
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[96] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 97 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 96) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 97) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 96) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 48 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 48;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 48;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[48] = { 0 };
|
||||
if (digest->len < 48) {
|
||||
memcpy(hash + 48 - digest->len, digest->data, digest->len);
|
||||
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P384_ecdsa_verif_without_hash(
|
||||
48, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 48);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
|
||||
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[132] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 133 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 132) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 133) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 132) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 66 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 66;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 66;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[66] = { 0 };
|
||||
if (digest->len < 66) {
|
||||
memcpy(hash + 66 - digest->len, digest->data, digest->len);
|
||||
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P521_ecdsa_verif_without_hash(
|
||||
66, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 66);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
@ -1,83 +0,0 @@
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -15,10 +15,13 @@
|
||||
* keys and their associated Certificates are saved on the token.
|
||||
*
|
||||
* In this implementation, session objects are only visible to the session
|
||||
* that created or generated them.
|
||||
*/
|
||||
+
|
||||
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
|
||||
+
|
||||
#include "seccomon.h"
|
||||
#include "secitem.h"
|
||||
#include "secport.h"
|
||||
#include "blapi.h"
|
||||
#include "pkcs11.h"
|
||||
@@ -1954,12 +1957,21 @@
|
||||
if (pDigest == NULL) {
|
||||
*pulDigestLen = context->maxLen;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
- /* do it: */
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_Digest takes an unsigned long. */
|
||||
+ while (ulDataLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
|
||||
+ pData += UINT_MAX;
|
||||
+ ulDataLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
|
||||
+
|
||||
/* NOTE: this assumes buf size is bigenough for the algorithm */
|
||||
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
|
||||
*pulDigestLen = digestLen;
|
||||
|
||||
sftk_TerminateOp(session, SFTK_HASH, context);
|
||||
@@ -1980,12 +1992,22 @@
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
- /* do it: */
|
||||
+
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
|
||||
CK_RV
|
||||
@@ -3166,10 +3188,17 @@
|
||||
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
if (context->hashInfo) {
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
|
||||
} else {
|
||||
/* must be block cipher MACing */
|
||||
|
||||
unsigned int blkSize = context->blockSize;
|
||||
|
@ -1,18 +0,0 @@
|
||||
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
|
||||
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
|
||||
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
|
||||
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
|
||||
return $?
|
||||
fi
|
||||
curves=( \
|
||||
- "curve25519" \
|
||||
"secp256r1" \
|
||||
"secp384r1" \
|
||||
"secp521r1" \
|
||||
)
|
||||
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
|
||||
+ curves=( "curve25519" "${curves[@]}" )
|
||||
+ fi
|
||||
for curve in "${curves[@]}"; do
|
||||
echo "Test $curve key generation using certutil ..."
|
||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
36
SOURCES/nss-3.90-ppc_no_init.patch
Normal file
36
SOURCES/nss-3.90-ppc_no_init.patch
Normal file
@ -0,0 +1,36 @@
|
||||
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
|
||||
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
|
||||
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
|
||||
@@ -303,7 +303,7 @@ endif
|
||||
ifeq ($(CPU_ARCH),ppc)
|
||||
EXTRA_SRCS += gcm-ppc.c
|
||||
ifdef USE_64
|
||||
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
|
||||
ifeq ($(PPC_ABI),2)
|
||||
ASFILES += sha512-p8.s
|
||||
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
|
||||
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
|
||||
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
|
||||
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
|
||||
ifdef NSS_NO_INIT_SUPPORT
|
||||
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
endif
|
||||
-ifeq ($(OS_TARGET),Linux)
|
||||
-ifeq ($(CPU_ARCH),ppc)
|
||||
-ifdef USE_64
|
||||
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
-endif # USE_64
|
||||
-endif # ppc
|
||||
-endif # Linux
|
||||
+#ifeq ($(OS_TARGET),Linux)
|
||||
+#ifeq ($(CPU_ARCH),ppc)
|
||||
+#ifdef USE_64
|
||||
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
+#endif # USE_64
|
||||
+#endif # ppc
|
||||
+#endif # Linux
|
||||
|
||||
|
||||
#######################################################################
|
@ -1,32 +0,0 @@
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_subcerts_unittest.cc \
|
||||
tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
||||
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
|
||||
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
|
||||
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ss->opt.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
||||
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ssl_defaults.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
@ -1,41 +0,0 @@
|
||||
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
|
||||
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
|
||||
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
|
||||
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
|
||||
diff -r 699541a7793b lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||
@@ -2042,6 +2042,19 @@
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
+ switch (i) {
|
||||
+ case SEC_OID_MD2:
|
||||
+ case SEC_OID_MD4:
|
||||
+ case SEC_OID_MD5:
|
||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,644 +0,0 @@
|
||||
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
|
||||
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
|
||||
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
|
||||
for f in "${files[@]}"; do
|
||||
file_name=$(basename "$f")
|
||||
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
|
||||
+ # TODO(Bug 1854438): Remove P384 exception.
|
||||
+ # TODO(Bug 1854439): Remove P521 exception.
|
||||
+ if [ $file_name == "Hacl_P384.c" \
|
||||
+ -o $file_name == "Hacl_P384.h" \
|
||||
+ -o $file_name == "Hacl_P521.c" \
|
||||
+ -o $file_name == "Hacl_P521.h" ]
|
||||
+ then
|
||||
+ continue;
|
||||
+ fi
|
||||
diff $hacl_file $f
|
||||
done
|
||||
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
|
||||
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -15,15 +15,62 @@
|
||||
#include "mplogic.h"
|
||||
#include "ec.h"
|
||||
#include "ecl.h"
|
||||
+#include "verified/Hacl_P384.h"
|
||||
+#include "verified/Hacl_P521.h"
|
||||
|
||||
#define EC_DOUBLECHECK PR_FALSE
|
||||
|
||||
+SECStatus
|
||||
+ec_secp384r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 48) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P384_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+ec_secp521r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 66) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P521_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
static const ECMethod kMethods[] = {
|
||||
{ ECCurve25519,
|
||||
ec_Curve25519_pt_mul,
|
||||
ec_Curve25519_pt_validate,
|
||||
ec_Curve25519_scalar_validate,
|
||||
- NULL, NULL },
|
||||
+ NULL,
|
||||
+ NULL },
|
||||
{
|
||||
ECCurve_NIST_P256,
|
||||
ec_secp256r1_pt_mul,
|
||||
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
|
||||
SECStatus
|
||||
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
|
||||
{
|
||||
- SECStatus rv = SECSuccess;
|
||||
- mp_err err;
|
||||
+ SECStatus rv = SECFailure;
|
||||
|
||||
unsigned int len = EC_GetScalarSize(ecParams);
|
||||
|
||||
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- /* For known curves, use rejection sampling A.4.2 */
|
||||
- if (ecParams->fieldID.type == ec_field_plain) {
|
||||
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
- rv = SECFailure;
|
||||
- if (method == NULL || method->scalar_validate == NULL) {
|
||||
- /* unknown curve */
|
||||
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
- goto done;
|
||||
- }
|
||||
- int count = 100;
|
||||
- while (rv != SECSuccess && count >= 0) {
|
||||
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
- goto done;
|
||||
- }
|
||||
- rv = method->scalar_validate(privKey);
|
||||
- count--;
|
||||
- }
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
- }
|
||||
- goto done;
|
||||
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
+ if (method == NULL || method->scalar_validate == NULL) {
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- /* For unknown curves, use algotithm A.4.1 */
|
||||
-
|
||||
- unsigned char *order = ecParams->order.data;
|
||||
- mp_int privKeyVal, order_1, one;
|
||||
- unsigned char *privKeyBytes = NULL;
|
||||
-
|
||||
- MP_DIGITS(&privKeyVal) = 0;
|
||||
- MP_DIGITS(&order_1) = 0;
|
||||
- MP_DIGITS(&one) = 0;
|
||||
- CHECK_MPI_OK(mp_init(&privKeyVal));
|
||||
- CHECK_MPI_OK(mp_init(&order_1));
|
||||
- CHECK_MPI_OK(mp_init(&one));
|
||||
-
|
||||
- /* Generates 2*len random bytes using the global random bit generator
|
||||
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
|
||||
- * reduces modulo the group order.
|
||||
- */
|
||||
-
|
||||
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
|
||||
- PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
- rv = SECFailure;
|
||||
- goto cleanup;
|
||||
+ uint8_t leading_coeff_mask;
|
||||
+ switch (ecParams->name) {
|
||||
+ case ECCurve25519:
|
||||
+ case ECCurve_NIST_P256:
|
||||
+ case ECCurve_NIST_P384:
|
||||
+ leading_coeff_mask = 0xff;
|
||||
+ break;
|
||||
+ case ECCurve_NIST_P521:
|
||||
+ leading_coeff_mask = 0x01;
|
||||
+ break;
|
||||
+ default:
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
|
||||
- CHECK_MPI_OK(mp_set_int(&one, 1));
|
||||
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
|
||||
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
|
||||
- memcpy(privKey->data, privKeyBytes, len);
|
||||
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
|
||||
+ int count = 100;
|
||||
+ do {
|
||||
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ privKey->data[0] &= leading_coeff_mask;
|
||||
+ rv = method->scalar_validate(privKey);
|
||||
+ } while (rv != SECSuccess && --count > 0);
|
||||
|
||||
-cleanup:
|
||||
- mp_clear(&privKeyVal);
|
||||
- mp_clear(&order_1);
|
||||
- mp_clear(&one);
|
||||
- if (privKeyBytes) {
|
||||
- PORT_ZFree(privKeyBytes, 2 * len);
|
||||
- }
|
||||
- if (err < MP_OKAY) {
|
||||
- MP_TO_SEC_ERROR(err);
|
||||
- rv = SECFailure;
|
||||
+ if (rv != SECSuccess) { // implies count == 0
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
}
|
||||
|
||||
-done:
|
||||
- if (rv != SECSuccess && privKey->data) {
|
||||
- SECITEM_ZfreeItem(privKey, PR_FALSE);
|
||||
- return rv;
|
||||
- }
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
|
||||
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
|
||||
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
|
||||
const SECItem *digest);
|
||||
|
||||
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
#endif /* __ecl_h_ */
|
||||
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
|
||||
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -38,6 +38,8 @@
|
||||
'ecl/ecp_secp384r1.c',
|
||||
'ecl/ecp_secp521r1.c',
|
||||
'verified/Hacl_P256.c',
|
||||
+ 'verified/Hacl_P384.c',
|
||||
+ 'verified/Hacl_P521.c',
|
||||
'fipsfreebl.c',
|
||||
'blinit.c',
|
||||
'freeblver.c',
|
||||
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
|
||||
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
|
||||
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
|
||||
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
||||
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
|
||||
endif # NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
-VERIFIED_SRCS += Hacl_P256.c
|
||||
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
|
||||
|
||||
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
|
||||
# All 64-bit architectures get the 64 bit version.
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
|
||||
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,126 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P384.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ {
|
||||
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
|
||||
+ }
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)4U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[i];
|
||||
+ uint64_t t2 = c[i];
|
||||
+ uint64_t *res_i = a + i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p384_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xecec196accc52973U;
|
||||
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
|
||||
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
|
||||
+ n[3U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[4U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P384_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[6U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[6U] = { 0U };
|
||||
+ p384_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[6U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
|
||||
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,68 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P384_H
|
||||
+#define __Hacl_P384_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/*******************************************************************************
|
||||
+
|
||||
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
|
||||
+
|
||||
+ This module implements signing and verification, key validation, conversions
|
||||
+ between various point representations, and ECDH key agreement.
|
||||
+
|
||||
+*******************************************************************************/
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P384_H_DEFINED
|
||||
+#endif
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
|
||||
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,131 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P521.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)2U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[(uint32_t)4U * i];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * i];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
|
||||
+ {
|
||||
+ uint64_t t1 = b[8U];
|
||||
+ uint64_t t2 = c[8U];
|
||||
+ uint64_t *res_i = a + (uint32_t)8U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
|
||||
+ }
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ uint8_t tmp[72U] = { 0U };
|
||||
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p521_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
|
||||
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
|
||||
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
|
||||
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
|
||||
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[6U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[7U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[8U] = (uint64_t)0x1ffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P521_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[9U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[9U] = { 0U };
|
||||
+ p521_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[9U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
|
||||
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P521_H
|
||||
+#define __Hacl_P521_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P521_H_DEFINED
|
||||
+#endif
|
File diff suppressed because it is too large
Load Diff
132
SPECS/nss.spec
132
SPECS/nss.spec
@ -1,7 +1,7 @@
|
||||
%global nspr_build_version 4.35.0-1
|
||||
%global nspr_release -1
|
||||
%global nspr_version 4.35.0
|
||||
%global nss_version 3.90.0
|
||||
%global nss_version 3.101.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global saved_files_dir %{_libdir}/nss/saved
|
||||
%global dracutlibdir %{_prefix}/lib/dracut
|
||||
@ -113,7 +113,7 @@ Source28: nss-p11-kit.config
|
||||
# will have their own validation
|
||||
Source30: fips_algorithms.h
|
||||
|
||||
Source50: NameConstraints_Certs.tar
|
||||
#Source50: NameConstraints_Certs.tar
|
||||
|
||||
# To inject hardening flags for DSO
|
||||
Patch1: nss-dso-ldflags.patch
|
||||
@ -129,67 +129,82 @@ Patch1: nss-dso-ldflags.patch
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||
# but it doesn't hurt to keep it.
|
||||
Patch4: iquote.patch
|
||||
|
||||
#
|
||||
# RHEL-8 specific patches not in RHEL-9
|
||||
#
|
||||
# To revert the change in:
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
|
||||
Patch9: nss-sysinit-userdb.patch
|
||||
Patch10: nss-sysinit-userdb.patch
|
||||
# Disable nss-sysinit test which is solely to test the above change
|
||||
Patch10: nss-skip-sysinit-gtests.patch
|
||||
Patch15: nss-3.90-extend-db-dump-time.patch
|
||||
Patch11: nss-skip-sysinit-gtests.patch
|
||||
# For compatibility reasons, we stick with the old PKCS #11 2.40
|
||||
# definition of CK_GCM_PARAMS:
|
||||
%if 0%{?fedora} < 34
|
||||
%if 0%{?rhel} < 9
|
||||
Patch20: nss-gcm-param-default-pkcs11v2.patch
|
||||
Patch12: nss-gcm-param-default-pkcs11v2.patch
|
||||
%endif
|
||||
%endif
|
||||
# Local patch: disable MD5 (also MD2 and MD4) completely
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
|
||||
Patch25: nss-disable-md5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
Patch34: nss-3.71-fix-lto-gtests.patch
|
||||
# Local patch: disable Delegated Credentials
|
||||
Patch35: nss-disable-dc.patch
|
||||
Patch13: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
|
||||
# is updated.
|
||||
Patch40: nss-3.66-disable-signature-policies.patch
|
||||
Patch14: nss-3.101-disable-signature-policies.patch
|
||||
Patch15: nss-3.101-el8-fix-rsa-policy-test.patch
|
||||
# Local patch: disable tests that require external reference so brew completes
|
||||
Patch45: nss-3.66-disable-external-host-test.patch
|
||||
Patch16: nss-3.66-disable-external-host-test.patch
|
||||
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
||||
Patch50: nss-3.66-restore-old-pkcs12-default.patch
|
||||
Patch17: nss-3.101-el8-restore-old-pkcs12-default.patch
|
||||
# Local Patch: restore expired distrusted certs for now
|
||||
Patch51: nss-3.79-revert-distrusted-certs.patch
|
||||
Patch18: nss-3.79-revert-distrusted-certs.patch
|
||||
# Local Patch: update fipsdefaults to AES
|
||||
Patch52: nss-3.79-pkcs12-fips-defaults.patch
|
||||
Patch53: nss-3.71-camellia-pkcs12-doc.patch
|
||||
Patch54: nss-3.90-disable-ech.patch
|
||||
Patch19: nss-3.79-pkcs12-fips-defaults.patch
|
||||
# Local Patch: curve25519 keys can't be stored in dbm databases,
|
||||
# only rhel-8 has dbm databases left, don't try to store
|
||||
# curve25519 keys in the dbm database.
|
||||
Patch20: nss-3.101-ec-dbm-test.patch
|
||||
# end of RHEL-8 specific patches
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
|
||||
Patch57: nss-3.79-dbtool.patch
|
||||
Patch58: nss-3.79-fips.patch
|
||||
# RHEL-specific shared with RHEL-9
|
||||
Patch30: nss-3.101-extend-db-dump-time.patch
|
||||
# Local patch: disable MD5 (also MD2 and MD4) completely
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
|
||||
Patch32: nss-3.101-disable-md5.patch
|
||||
Patch34: nss-3.71-fix-lto-gtests.patch
|
||||
Patch35: nss-3.71-camellia-pkcs12-doc.patch
|
||||
Patch36: nss-3.101-disable-ech.patch
|
||||
|
||||
# patches that expect to be upstreamed
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
|
||||
Patch50: nss-3.79-fips.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
|
||||
Patch60: nss-3.90-DisablingASM.patch
|
||||
Patch61: nss-3.79-fips-review.patches
|
||||
Patch62: nss-3.90-no-dbm-25519.patch
|
||||
Patch63: nss-3.90-pbkdf2-indicator.patch
|
||||
Patch51: nss-3.101-fips-review.patches
|
||||
Patch52: nss-3.90-pbkdf2-indicator.patch
|
||||
|
||||
#ems policy. needs to upstream
|
||||
Patch70: nss-3.90-add-ems-policy.patch
|
||||
# ems policy. needs to upstream
|
||||
Patch60: nss-3.101-add-ems-policy.patch
|
||||
Patch70: nss-3.90-fips-safe-memset.patch
|
||||
Patch71: nss-3.101-fips-indicators.patch
|
||||
Patch72: nss-3.90-aes-gmc-indicator.patch
|
||||
Patch73: nss-3.90-fips-indicators2.patch
|
||||
Patch74: nss-3.90-dh-test-update.patch
|
||||
Patch75: nss-3.90-ppc_no_init.patch
|
||||
Patch76: nss-3.101-enable-kyber-policy.patch
|
||||
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
|
||||
Patch80: nss-3.101-el8-no-p12-smime-policy.patch
|
||||
Patch81: nss-3.101-fix-missing-size-checks.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
|
||||
Patch82: nss-3.101-chacha-timing-fix.patch
|
||||
Patch83: nss-3.101-add-certificate-compression-test.patch
|
||||
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
|
||||
Patch85: nss-3.101-fix-cms-abi-break.patch
|
||||
Patch86: nss-3.101-long-pwd-fix.patch
|
||||
|
||||
#revert patches
|
||||
Patch300: nss-3.101-default-libpkix.patch
|
||||
|
||||
Patch80: blinding_ct.patch
|
||||
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
|
||||
Patch82: nss-3.90-fips-safe-memset.patch
|
||||
Patch83: nss-3.90-fips-indicators.patch
|
||||
Patch84: nss-3.90-aes-gmc-indicator.patch
|
||||
Patch85: nss-3.90-fips-indicators2.patch
|
||||
Patch86: nss-3.90-dh-test-update.patch
|
||||
Patch90: nss_p256_scalar_validated.patch
|
||||
Patch91: nss_p384_scalar_validated.patch
|
||||
Patch92: nss_p384_hacl.patch
|
||||
Patch93: nss_p521_hacl.patch
|
||||
Patch94: nss-3.90-ecc-wrap-fix.patch
|
||||
Patch95: nss-3.90-ecdsa-sign-padding-fix.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -319,7 +334,8 @@ Header and library files for doing development with Network Security Services.
|
||||
%prep
|
||||
%autosetup -N -n %{name}-%{nss_archive_version}
|
||||
pushd nss
|
||||
%autopatch -p1
|
||||
%autopatch -M 299 -p1
|
||||
%patch -P 300 -p1 -R
|
||||
popd
|
||||
|
||||
# copy the fips_algorithms.h for this release
|
||||
@ -328,9 +344,9 @@ popd
|
||||
cp %{SOURCE30} nss/lib/softoken/
|
||||
|
||||
#update expired test certs
|
||||
pushd nss
|
||||
tar xvf %{SOURCE50}
|
||||
popd
|
||||
#pushd nss
|
||||
#tar xvf %{SOURCE50}
|
||||
#popd
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
||||
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
||||
@ -888,11 +904,13 @@ update-crypto-policies --no-reload &> /dev/null || :
|
||||
%{_includedir}/nss3/ciferfam.h
|
||||
%{_includedir}/nss3/eccutil.h
|
||||
%{_includedir}/nss3/hasht.h
|
||||
%{_includedir}/nss3/kyber.h
|
||||
%{_includedir}/nss3/nssb64.h
|
||||
%{_includedir}/nss3/nssb64t.h
|
||||
%{_includedir}/nss3/nsslocks.h
|
||||
%{_includedir}/nss3/nsshash.h
|
||||
%{_includedir}/nss3/nssilock.h
|
||||
%{_includedir}/nss3/nssilckt.h
|
||||
%{_includedir}/nss3/nsslocks.h
|
||||
%{_includedir}/nss3/nssrwlk.h
|
||||
%{_includedir}/nss3/nssrwlkt.h
|
||||
%{_includedir}/nss3/nssutil.h
|
||||
@ -981,6 +999,26 @@ update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
|
||||
- fix cms abi breakage
|
||||
- fix long password issue on pbmac encodings
|
||||
|
||||
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
|
||||
- fix param encoding in pkcs12 pbamac encoding
|
||||
- add support for certificate compression in selfserv and tstclient
|
||||
|
||||
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
|
||||
- Fix missing and inaccurate key length checks
|
||||
- Fix chacha timing issue
|
||||
|
||||
* Wed Jul 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
|
||||
- Fix MD-5 decode issue in pkcs #12
|
||||
- turn off policy processing for pkcs12 and smime
|
||||
- update the restore defaults for pkcs12
|
||||
|
||||
* Tue Jun 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
|
||||
- Rebase to NSS 3.101
|
||||
|
||||
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
|
||||
- Allow for shorter ecdsa signatures by padding them to full length
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user