rpms/nss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: rhbz#2211937

Browse Source 
Rebase NSS to 3.90 for Firefox 115 ESR
Includes NSPR 4.35
This commit is contained in:
Robert Relyea 2023-06-22 08:21:33 +02:00
parent f2db67545b
commit 92cf70d178
34 changed files with 343 additions and 4410 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -67,3 +67,5 @@ TestUser51.cert
/nss-3.71.tar.gz
/nss-3.79.tar.gz
/nspr-4.34.tar.gz
/nspr-4.35.tar.gz
/nss-3.90.tar.gz

92
cve-2023-0767.patch
View File

@ -1,92 +0,0 @@
diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
--- a/lib/pkcs12/p12d.c
+++ b/lib/pkcs12/p12d.c
@@ -335,35 +335,42 @@
sec_PKCS12SafeContentsContext *safeContentsCtx =
(sec_PKCS12SafeContentsContext *)arg;
SEC_PKCS12DecoderContext *p12dcx;
SECStatus rv;
- /* make sure that we are not skipping the current safeBag,
- * and that there are no errors. If so, just return rather
- * than continuing to process.
- */
- if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
return;
}
p12dcx = safeContentsCtx->p12dcx;
+ /* make sure that there are no errors and we are not skipping the current safeBag */
+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
+ goto loser;
+ }
+
rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
if (rv != SECSuccess) {
p12dcx->errorValue = PORT_GetError();
+ p12dcx->error = PR_TRUE;
+ goto loser;
+ }
+
+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
+ * may not get another opportunity to clean up the decoder context.
+ */
+ if (safeContentsCtx->skipCurrentSafeBag) {
goto loser;
}
return;
loser:
- /* set the error, and finish the decoder context. because there
+ /* Finish the decoder context. Because there
* is not a way of returning an error message, it may be worth
* while to do a check higher up and finish any decoding contexts
* that are still open.
*/
- p12dcx->error = PR_TRUE;
SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
safeContentsCtx->currentSafeBagA1Dcx = NULL;
return;
}
diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
--- a/lib/pkcs12/p12t.h
+++ b/lib/pkcs12/p12t.h
@@ -71,10 +71,11 @@
SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
sec_PKCS12CertBag *certBag;
sec_PKCS12CRLBag *crlBag;
sec_PKCS12SecretBag *secretBag;
sec_PKCS12SafeContents *safeContents;
+ SECItem *unknownBag;
} safeBagContent;
sec_PKCS12Attribute **attribs;
/* used locally */
diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
--- a/lib/pkcs12/p12tmpl.c
+++ b/lib/pkcs12/p12tmpl.c
@@ -28,16 +28,16 @@
safeBag = (sec_PKCS12SafeBag *)src_or_dest;
oiddata = SECOID_FindOID(&safeBag->safeBagType);
if (oiddata == NULL) {
- return SEC_ASN1_GET(SEC_AnyTemplate);
+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
}
switch (oiddata->offset) {
default:
- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
break;
case SEC_OID_PKCS12_V1_KEY_BAG_ID:
theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
break;
case SEC_OID_PKCS12_V1_CERT_BAG_ID:

42
nspr-gcc-atomics.patch
View File

@ -1,12 +1,7 @@
diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
--- a/pr/include/md/_linux.h
+++ b/pr/include/md/_linux.h
@@ -82,53 +82,73 @@
#define NO_DLOPEN_NULL
#endif
#if defined(__FreeBSD_kernel__) || defined(__GNU__)
#define _PR_HAVE_SOCKADDR_LEN
diff -up ./pr/include/md/_linux.h.gcc-atomics ./pr/include/md/_linux.h
--- ./pr/include/md/_linux.h.gcc-atomics 2022-09-20 11:23:22.008942926 -0700
+++ ./pr/include/md/_linux.h 2022-09-20 11:34:45.536751340 -0700
@@ -105,6 +105,15 @@
#endif
#if defined(__i386__)
@ -22,11 +17,7 @@ diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_x86_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_x86_AtomicIncrement
extern PRInt32 _PR_x86_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_x86_AtomicDecrement
extern PRInt32 _PR_x86_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_x86_AtomicAdd
@@ -116,6 +125,7 @@ extern PRInt32 _PR_x86_AtomicAdd(PRInt32
extern PRInt32 _PR_x86_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_x86_AtomicSet
#endif
@ -34,15 +25,7 @@ diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
#if defined(__ia64__)
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_ia64_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_ia64_AtomicIncrement
extern PRInt32 _PR_ia64_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_ia64_AtomicDecrement
extern PRInt32 _PR_ia64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_ia64_AtomicAdd
extern PRInt32 _PR_ia64_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_ia64_AtomicSet
@@ -131,6 +141,15 @@ extern PRInt32 _PR_ia64_AtomicSet(PRInt3
#endif
#if defined(__x86_64__)
@ -58,20 +41,11 @@ diff --git a/pr/include/md/_linux.h b/pr/include/md/_linux.h
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
extern PRInt32 _PR_x86_64_AtomicIncrement(PRInt32 *val);
#define _MD_ATOMIC_INCREMENT _PR_x86_64_AtomicIncrement
extern PRInt32 _PR_x86_64_AtomicDecrement(PRInt32 *val);
#define _MD_ATOMIC_DECREMENT _PR_x86_64_AtomicDecrement
extern PRInt32 _PR_x86_64_AtomicAdd(PRInt32 *ptr, PRInt32 val);
#define _MD_ATOMIC_ADD _PR_x86_64_AtomicAdd
@@ -142,6 +161,7 @@ extern PRInt32 _PR_x86_64_AtomicAdd(PRIn
extern PRInt32 _PR_x86_64_AtomicSet(PRInt32 *val, PRInt32 newval);
#define _MD_ATOMIC_SET _PR_x86_64_AtomicSet
#endif
+#endif
#if defined(__or1k__)
#if defined(__loongarch__)
#if defined(__GNUC__)
/* Use GCC built-in functions */
#define _PR_HAVE_ATOMIC_OPS
#define _MD_INIT_ATOMIC()
#define _MD_ATOMIC_INCREMENT(ptr) __sync_add_and_fetch(ptr, 1)
#define _MD_ATOMIC_DECREMENT(ptr) __sync_sub_and_fetch(ptr, 1)

39
nss-3.44-kbkdf-coverity.patch
View File

@ -1,39 +0,0 @@
diff -up ./lib/softoken/kbkdf.c.coverity ./lib/softoken/kbkdf.c
--- ./lib/softoken/kbkdf.c.coverity 2019-12-03 15:33:43.047732312 -0800
+++ ./lib/softoken/kbkdf.c 2019-12-03 15:39:40.982578357 -0800
@@ -534,6 +534,10 @@ CK_RV kbkdf_CreateKey(CK_SESSION_HANDLE
PR_ASSERT(derived_key != NULL);
PR_ASSERT(derived_key->phKey != NULL);
+ if (slot == NULL) {
+ return CKR_SESSION_HANDLE_INVALID;
+ }
+
/* Create the new key object for this additional derived key. */
key = sftk_NewObject(slot);
if (key == NULL) {
@@ -589,7 +593,9 @@ done:
sftk_FreeObject(key);
/* Doesn't do anything. */
- sftk_FreeSession(session);
+ if (session) {
+ sftk_FreeSession(session);
+ }
return ret;
}
diff -up ./lib/softoken/sftkhmac.c.coverity ./lib/softoken/sftkhmac.c
--- ./lib/softoken/sftkhmac.c.coverity 2019-12-03 15:40:06.108848341 -0800
+++ ./lib/softoken/sftkhmac.c 2019-12-03 15:41:04.919480267 -0800
@@ -232,7 +232,9 @@ sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHA
keyval->attrib.ulValueLen, isFIPS);
done:
- sftk_FreeAttribute(keyval);
+ if (keyval) {
+ sftk_FreeAttribute(keyval);
+ }
return ret;
}

24
nss-3.53.1-measure-fix.patch
View File

@ -1,24 +0,0 @@
diff -up ./coreconf/config.gypi.orig ./coreconf/config.gypi
--- ./coreconf/config.gypi.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./coreconf/config.gypi 2020-10-15 16:05:37.542761192 -0700
@@ -363,7 +363,7 @@
'_DEFAULT_SOURCE', # for <endian.h> functions, strdup, realpath, and getentropy
'_BSD_SOURCE', # for the above in glibc <= 2.19
'_POSIX_SOURCE', # for <signal.h>
- 'SQL_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
+ 'SDB_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
],
}],
[ 'OS=="dragonfly" or OS=="freebsd"', {
diff -up ./coreconf/Linux.mk.orig ./coreconf/Linux.mk
--- ./coreconf/Linux.mk.orig 2020-10-15 16:05:04.794591674 -0700
+++ ./coreconf/Linux.mk 2020-10-15 16:05:37.543761197 -0700
@@ -21,7 +21,7 @@ ifeq ($(USE_PTHREADS),1)
endif
DEFAULT_COMPILER = gcc
-DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSQL_MEASURE_USE_TEMP_DIR
+DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR
ifeq ($(OS_TARGET),Android)
ifndef ANDROID_NDK

39
nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
View File

@ -1,39 +0,0 @@
diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.policy_revert 2020-11-04 10:26:59.085300799 -0800
+++ ./lib/pk11wrap/pk11pars.c 2020-11-04 10:29:52.774239468 -0800
@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = {
/* Signatures */
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] =
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
};
static const optionFreeDef sslOptList[] = {
diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800
+++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800
@@ -193,7 +193,9 @@
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
+# compatibility reasons
+# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
# test default settings
# NOTE: tstclient will attempt to overide the defaults, so we detect we
# were successful by locking in our settings

16
nss-3.66-fix-gtest-parsing.patch
View File

@ -1,16 +0,0 @@
diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
--- ./tests/common/parsegtestreport.sed.new_gtest 2021-06-17 16:26:49.361035662 -0700
+++ ./tests/common/parsegtestreport.sed 2021-06-17 16:49:08.512261136 -0700
@@ -1,8 +1,11 @@
/\<testcase/{
- s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\).*$/\3 '\4: \1 \2'/
t end
s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
t end
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
+ t end
+ s/^.* name="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
}
d
: end

86
nss-3.66-no-small-primes.patch
View File

@ -1,86 +0,0 @@
diff -up ./gtests/softoken_gtest/softoken_dh_vectors.h.orig ./gtests/softoken_gtest/softoken_dh_vectors.h
--- ./gtests/softoken_gtest/softoken_dh_vectors.h.orig 2021-06-02 16:57:50.557008790 -0700
+++ ./gtests/softoken_gtest/softoken_dh_vectors.h 2021-06-02 16:59:52.781735096 -0700
@@ -2872,7 +2872,7 @@ static const DhTestVector DH_TEST_VECTOR
{siBuffer, (unsigned char *)g2, sizeof(g2)},
{siBuffer, NULL, 0},
{siBuffer, NULL, 0},
- IKE_APPROVED,
+ SAFE_PRIME,
CLASS_1536},
{"IKE 2048",
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
@@ -2952,7 +2952,7 @@ static const DhTestVector DH_TEST_VECTOR
{siBuffer, (unsigned char *)sub2_prime_ike_1536,
sizeof(sub2_prime_ike_1536)},
{siBuffer, NULL, 0},
- IKE_APPROVED,
+ SAFE_PRIME,
CLASS_1536},
{"IKE 2048 with subprime",
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.orig 2021-05-28 02:50:43.000000000 -0700
+++ ./lib/softoken/pkcs11c.c 2021-06-02 16:52:01.196932757 -0700
@@ -5193,7 +5193,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* subprime not supplied, In this case look it up.
* This only works with approved primes, but in FIPS mode
* that's the only kine of prime that will get here */
- subPrimePtr = sftk_VerifyDH_Prime(&prime);
+ subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS);
if (subPrimePtr == NULL) {
crv = CKR_GENERAL_ERROR;
goto done;
@@ -8351,7 +8351,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
- subPrime = sftk_VerifyDH_Prime(&dhPrime);
+ subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS);
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.orig 2021-06-02 16:52:01.196932757 -0700
+++ ./lib/softoken/pkcs11i.h 2021-06-02 16:52:54.281248207 -0700
@@ -946,7 +946,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
* it's subprime value */
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime);
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
/* check if dhSubPrime claims dhPrime is a safe prime. */
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
/* map an operation Attribute to a Mechanism flag */
diff -up ./lib/softoken/pkcs11u.c.orig ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.orig 2021-06-02 16:54:23.387777705 -0700
+++ ./lib/softoken/pkcs11u.c 2021-06-02 16:54:51.012941866 -0700
@@ -2312,7 +2312,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (crv != CKR_OK) {
return PR_FALSE;
}
- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime);
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
return (dhSubPrime) ? PR_TRUE : PR_FALSE;
}
diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.orig 2021-05-28 02:50:43.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2021-06-02 16:52:01.196932757 -0700
@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192 =
* verify that dhPrime matches one of our known primes
*/
const SECItem *
-sftk_VerifyDH_Prime(SECItem *dhPrime)
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
{
/* use the length to decide which primes to check */
switch (dhPrime->len) {
case 1536 / PR_BITS_PER_BYTE:
+ /* don't accept 1536 bit primes in FIPS mode */
+ if (isFIPS) {
+ break;
+ }
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
sizeof(prime_ike_1536)) == 0) {
return &subprime_ike_1536;

325
nss-3.67-cve-2021-43527-test.patch
View File

@ -1,325 +0,0 @@
diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/Leaf-bogus-dsa.crt
@@ -0,0 +1,143 @@
+-----BEGIN CERTIFICATE-----
+MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
+RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
+WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
+dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
+u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
+zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
+ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
+7u7u7u7uAoIIAQD/////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+////////////////////////////////////////////////////////////////
+/////////////////////////////////////////////////////////w==
+-----END CERTIFICATE-----
diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
new file mode 100644
--- /dev/null
+++ b/tests/cert/Leaf-bogus-rsa-pss.crt
@@ -0,0 +1,126 @@
+-----BEGIN CERTIFICATE-----
+MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
+AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
+EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
+MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
+AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
+RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
+CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
+CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
+-----END CERTIFICATE-----
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -114,16 +114,28 @@ certu()
cert_log "ERROR: ${CU_ACTION} failed $RET"
else
html_passed "${CU_ACTION}"
fi
return $RET
}
+cert_test_vfy()
+{
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
+ echo " vfychain -a Leaf-bogus-dsa.crt"
+ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt
+ html_msg $? 1 "Verify large dsa signature"
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
+ echo " vfychain -a Leaf-bogus-rsa-pss.crt"
+ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
+ html_msg $? 1 "Verify large rsa pss signature"
+}
+
################################ crlu #################################
# local shell function to call crlutil, also: writes action and options to
# stdout, sets variable RET and writes results to the html file results
########################################################################
crlu()
{
echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
else
echo "$SCRIPTNAME: Skipping CRL Tests"
fi
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
cert_stresscerts
fi
+cert_test_vfy
+
cert_iopr_setup
cert_cleanup

279
nss-3.67-cve-2021-43527.patch
View File

@ -1,279 +0,0 @@
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -164,6 +164,37 @@
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
+static unsigned int
+checkedSignatureLen(const SECKEYPublicKey *pubk)
+{
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
+ if (sigLen == 0) {
+ /* Error set by SECKEY_SignatureLen */
+ return sigLen;
+ }
+ unsigned int maxSigLen;
+ switch (pubk->keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
+ break;
+ case dsaKey:
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
+ break;
+ case ecKey:
+ maxSigLen = 2 * MAX_ECKEY_LEN;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ return 0;
+ }
+ if (sigLen > maxSigLen) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ return sigLen;
+}
+
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
@@ -174,38 +205,38 @@
unsigned int len)
{
SECItem *dsasig = NULL; /* also used for ECDSA */
- SECStatus rv = SECSuccess;
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
- if (sig->len != len) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
+ if (len > DSA_MAX_SIGNATURE_LEN) {
+ goto loser;
}
-
- PORT_Memcpy(dsig, sig->data, sig->len);
- return SECSuccess;
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ if (len > MAX_ECKEY_LEN * 2) {
+ goto loser;
+ }
+ } else {
+ goto loser;
}
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
- if (len > MAX_ECKEY_LEN * 2) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
- }
+ /* Decode and pad to length */
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+ if (dsasig == NULL) {
+ goto loser;
}
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-
- if ((dsasig == NULL) || (dsasig->len != len)) {
- rv = SECFailure;
- } else {
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
+ if (dsasig->len != len) {
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+ goto loser;
}
- if (dsasig != NULL)
- SECITEM_FreeItem(dsasig, PR_TRUE);
- if (rv == SECFailure)
- PORT_SetError(SEC_ERROR_BAD_DER);
- return rv;
+ PORT_Memcpy(dsig, dsasig->data, len);
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+
+ return SECSuccess;
+
+loser:
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return SECFailure;
}
const SEC_ASN1Template hashParameterTemplate[] =
@@ -281,7 +312,7 @@
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
{
- int len;
+ unsigned int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
@@ -466,48 +497,52 @@
cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
- switch (type) {
- case rsaKey:
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
- &cx->pkcs1RSADigestInfo,
- &cx->pkcs1RSADigestInfoLen,
- cx->key,
- sig, wincx);
- break;
- case rsaPssKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
+ rv = SECFailure;
+ if (type == rsaKey) {
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, wincx);
+ } else {
+ sigLen = checkedSignatureLen(key);
+ /* Check signature length is within limits */
+ if (sigLen == 0) {
+ /* error set by checkedSignatureLen */
+ rv = SECFailure;
+ goto loser;
+ }
+ if (sigLen > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ switch (type) {
+ case rsaPssKey:
+ if (sig->len != sigLen) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+ rv = SECSuccess;
break;
- }
- if (sig->len != sigLen) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ case ecKey:
+ case dsaKey:
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
+ break;
+ default:
+ /* Unreachable */
rv = SECFailure;
- break;
- }
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
- break;
- case dsaKey:
- case ecKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
- break;
- }
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
- break;
- default:
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
+ goto loser;
+ }
+ }
+ if (rv != SECSuccess) {
+ goto loser;
}
}
- if (rv)
- goto loser;
-
/* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
@@ -650,11 +685,16 @@
switch (cx->key->keyType) {
case ecKey:
case dsaKey:
- dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
return SECFailure;
}
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ dsasig.data = cx->u.buffer;
+
if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len);
@@ -686,8 +726,13 @@
}
rsasig.data = cx->u.buffer;
- rsasig.len = SECKEY_SignatureLen(cx->key);
+ rsasig.len = checkedSignatureLen(cx->key);
if (rsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ return SECFailure;
+ }
+ if (rsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
if (sig) {
@@ -749,7 +794,6 @@
SECStatus rv;
VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */
-
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@@ -757,19 +801,25 @@
switch (key->keyType) {
case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest);
+ /* Error (if any) set by verifyPKCS1DigestInfo */
break;
- case dsaKey:
case ecKey:
+ case dsaKey:
dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ rv = SECFailure;
break;
}
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
- SECSuccess) {
+ if (dsasig.len > sizeof(cx->u)) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
+ rv = SECFailure;
+ break;
+ }
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
}
break;
default:

45
nss-3.67-fix-coverity-issues.patch
View File

@ -1,45 +0,0 @@
diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
--- ./lib/pk11wrap/pk11cxt.c.coverity 2021-06-18 09:36:19.499203028 -0700
+++ ./lib/pk11wrap/pk11cxt.c 2021-06-18 09:37:57.993765299 -0700
@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
* of the connection.*/
context->fortezzaHack = PR_FALSE;
if (type == CKM_SKIPJACK_CBC64) {
- if (symKey->origin == PK11_OriginFortezzaHack) {
+ if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
context->fortezzaHack = PR_TRUE;
}
}
diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
--- ./lib/pk11wrap/pk11hpke.c.coverity 2021-06-18 13:40:05.410644464 -0700
+++ ./lib/pk11wrap/pk11hpke.c 2021-06-18 13:42:40.627606469 -0700
@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
unsigned char tagBuf[HASH_LENGTH_MAX];
size_t tagLen;
unsigned int fixedBits;
- PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
- PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
/* aad may be NULL, PT may be zero-length but not NULL. */
if (!cx || !cx->aeadContext ||
@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
return SECFailure;
}
+ PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
+ PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
+
tagLen = cx->aeadParams->tagLen;
maxOut = pt->len + tagLen;
fixedBits = (cx->baseNonce->len - 8) * 8;
diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.coverity 2021-06-18 09:33:59.633405513 -0700
+++ ./lib/softoken/sftkike.c 2021-06-18 09:34:20.305523382 -0700
@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
(outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
(PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
sizeof(ike_known_sha256_prf_plus)) != 0)) {
- PORT_ZFree(outKeyData, outKeySize);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}

81
nss-3.67-fix-private-key-mac.patch
View File

@ -1,81 +0,0 @@
diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
--- ./lib/softoken/sftkpwd.c.orig 2021-06-10 05:33:12.000000000 -0700
+++ ./lib/softoken/sftkpwd.c 2021-07-01 14:04:34.068596942 -0700
@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
}
/* If we are using aes 256, we need to check authentication as well.*/
- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
+ if ((type != CKT_INVALID_TYPE) &&
+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
SECItem signature;
unsigned char signData[SDB_MAX_META_DATA_LEN];
+ CK_RV crv;
/* if we get here from the old legacy db, there is clearly an
* error, don't return the plaintext */
@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
signature.data = signData;
signature.len = sizeof(signData);
- rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ rv = SECFailure;
+ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
&signature);
- if (rv != SECSuccess) {
- goto loser;
+ if (crv == CKR_OK) {
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+ type, *plain, &signature);
}
- rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
- *plain, &signature);
if (rv != SECSuccess) {
- goto loser;
+ /* handle a bug where old versions of NSS misfiled the signature
+ * attribute on password update */
+ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
+ signature.len = sizeof(signData);
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ &signature);
+ if (crv != CKR_OK) {
+ rv = SECFailure;
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ goto loser;
+ }
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+ type, *plain, &signature);
}
}
@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
unsigned int i;
for (i = 0; i < privAttrCount; i++) {
// Read the old attribute in the clear.
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
if (crv != CKR_OK) {
@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
plainText.data = privAttr.pValue;
plainText.len = privAttr.ulValueLen;
if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
- iterationCount, id, privAttr.type,
+ iterationCount, sdbId, privAttr.type,
&plainText, &result) != SECSuccess) {
return CKR_GENERAL_ERROR;
}
@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
PORT_Memset(plainText.data, 0, plainText.len);
// Write the newly encrypted attributes out directly.
- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
keydb->newKey = newKey;
keydb->newDefaultIterationCount = iterationCount;
- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
keydb->newKey = NULL;
if (crv != CKR_OK) {
return crv;

122
nss-3.67-fix-ssl-alerts.patch
View File

@ -1,122 +0,0 @@
diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.alert-fix 2021-06-10 05:33:12.000000000 -0700
+++ ./lib/ssl/ssl3con.c 2021-07-06 17:08:25.894018521 -0700
@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch
if (!ssl_IsSupportedSignatureScheme(scheme)) {
return PR_FALSE;
}
- if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
+ /* if we are purposefully passed SEC_OID_UNKOWN, it means
+ * we not checking the scheme against a potential key, so skip
+ * the call */
+ if ((spkiOid != SEC_OID_UNKNOWN) &&
+ !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
return PR_FALSE;
}
if (isTls13) {
@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS
}
/* Verify that the signature scheme matches the signing key. */
- if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
+ if ((spkiOid == SEC_OID_UNKNOWN) ||
+ !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
return SECFailure;
}
@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS
PRBool
ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
{
+ PRBool isSupported = PR_FALSE;
switch (scheme) {
case ssl_sig_rsa_pkcs1_sha1:
case ssl_sig_rsa_pkcs1_sha256:
@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat
case ssl_sig_dsa_sha384:
case ssl_sig_dsa_sha512:
case ssl_sig_ecdsa_sha1:
- return PR_TRUE;
+ isSupported = PR_TRUE;
+ break;
case ssl_sig_rsa_pkcs1_sha1md5:
case ssl_sig_none:
@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat
case ssl_sig_ed448:
return PR_FALSE;
}
- return PR_FALSE;
+ if (isSupported) {
+ SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme));
+ PRUint32 policy;
+ const PRUint32 sigSchemePolicy=
+ NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE;
+ /* check hash policy */
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+ ((policy & sigSchemePolicy) != sigSchemePolicy)) {
+ return PR_FALSE;
+ }
+ /* check algorithm policy */
+ }
+ return isSupported;
}
PRBool
@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss,
}
spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
+ if (spkiOid == SEC_OID_UNKNOWN) {
+ goto loser;
+ }
/* Now we have to search based on the key type. Go through our preferred
* schemes in order and find the first that can be used. */
@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss,
}
}
+loser:
PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
return SECFailure;
}
@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
- if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
+ if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN,
+ (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {;
schemes[numSupported++] = (SSLSignatureScheme)tmp;
}
}
@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket *
PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record);
rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
if (rv != SECSuccess) {
- goto loser; /* malformed or unsupported. */
+ errCode = PORT_GetError();
+ /* unsupported == illegal_parameter, others == handshake_failure. */
+ if (errCode == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) {
+ desc = illegal_parameter;
+ }
+ goto alert_loser;
}
rv = ssl_CheckSignatureSchemeConsistency(
ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo);
diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc
--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix 2021-07-07 11:32:11.634376932 -0700
+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2021-07-07 11:33:30.595841110 -0700
@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature
}
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
- const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa
+ // make sure the test uses an algorithm that is legal for
+ // tls 1.3 (or tls 1.3 will through and illegalParameter
+ // instead of a decode error)
+ const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00}; // sha-256, rsa-pss-pss
DataBuffer extension(val, sizeof(val));
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
client_, ssl_signature_algorithms_xtn, extension));

825
nss-3.71-fips-module-name.patch
View File

@ -1,825 +0,0 @@
diff --git a/cmd/manifest.mn b/cmd/manifest.mn
--- a/cmd/manifest.mn
+++ b/cmd/manifest.mn
@@ -76,6 +76,7 @@
symkeyutil \
tests \
tstclnt \
+ validation \
vfychain \
vfyserv \
modutil \
diff --git a/cmd/validation/Makefile b/cmd/validation/Makefile
new file mode 100644
--- /dev/null
+++ b/cmd/validation/Makefile
@@ -0,0 +1,48 @@
+#! gmake
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#######################################################################
+# (1) Include initial platform-independent assignments (MANDATORY). #
+#######################################################################
+
+include manifest.mn
+
+#######################################################################
+# (2) Include "global" configuration information. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/config.mk
+
+#######################################################################
+# (3) Include "component" configuration information. (OPTIONAL) #
+#######################################################################
+
+#######################################################################
+# (4) Include "local" platform-dependent assignments (OPTIONAL). #
+#######################################################################
+
+include ../platlibs.mk
+
+
+#######################################################################
+# (5) Execute "global" rules. (OPTIONAL) #
+#######################################################################
+
+include $(CORE_DEPTH)/coreconf/rules.mk
+
+#######################################################################
+# (6) Execute "component" rules. (OPTIONAL) #
+#######################################################################
+
+
+
+#######################################################################
+# (7) Execute "local" rules. (OPTIONAL). #
+#######################################################################
+
+
+include ../platrules.mk
+
diff --git a/cmd/validation/manifest.mn b/cmd/validation/manifest.mn
new file mode 100644
--- /dev/null
+++ b/cmd/validation/manifest.mn
@@ -0,0 +1,23 @@
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+CORE_DEPTH = ../..
+
+DEFINES += -DNSPR20
+
+# MODULE public and private header directories are implicitly REQUIRED.
+MODULE = nss
+
+CSRCS = \
+ validation.c \
+ $(NULL)
+
+# The MODULE is always implicitly required.
+# Listing it here in REQUIRES makes it appear twice in the cc command line.
+REQUIRES = dbm seccmd
+
+PROGRAM = validation
+
+# USE_STATIC_LIBS = 1
diff --git a/cmd/validation/validation.c b/cmd/validation/validation.c
new file mode 100644
--- /dev/null
+++ b/cmd/validation/validation.c
@@ -0,0 +1,249 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifdef _CRTDBG_MAP_ALLOC
+#include <stdlib.h>
+#include <crtdbg.h>
+#endif
+
+#include "nspr.h"
+#include "secutil.h"
+#include "pk11func.h"
+#include "nss.h"
+#include "secport.h"
+#include "secpkcs5.h"
+#include "sechash.h"
+#include "certdb.h"
+#include "secmod.h"
+
+#define PKCS12_IN_BUFFER_SIZE 200
+
+static char *progName;
+PRBool debug = PR_FALSE;
+
+#define ERR_USAGE 2
+#define ERR_PK11GETSLOT 13
+
+static void
+Usage()
+{
+#define FPS PR_fprintf(PR_STDERR,
+ FPS "Usage: %s [-d certdir] [-P dbprefix] [-h tokenname]\n",
+ progName);
+ FPS "\t\t [-k slotpwfile | -K slotpw] [-v]\n");
+
+ exit(ERR_USAGE);
+}
+
+typedef enum {
+ tagULong,
+ tagVersion,
+ tagUtf8
+} tagType;
+
+typedef struct {
+ const char *attributeName;
+ tagType attributeStorageType;
+} attributeTag;
+
+enum {
+ opt_CertDir = 0,
+ opt_TokenName,
+ opt_SlotPWFile,
+ opt_SlotPW,
+ opt_DBPrefix,
+ opt_Debug
+};
+
+static secuCommandFlag validation_options[] =
+ {
+ { /* opt_CertDir */ 'd', PR_TRUE, 0, PR_FALSE },
+ { /* opt_TokenName */ 'h', PR_TRUE, 0, PR_FALSE },
+ { /* opt_SlotPWFile */ 'k', PR_TRUE, 0, PR_FALSE },
+ { /* opt_SlotPW */ 'K', PR_TRUE, 0, PR_FALSE },
+ { /* opt_DBPrefix */ 'P', PR_TRUE, 0, PR_FALSE },
+ { /* opt_Debug */ 'v', PR_FALSE, 0, PR_FALSE }
+ };
+
+void
+dump_Raw(char *label, CK_ATTRIBUTE *attr)
+{
+ int i;
+ unsigned char *value = (unsigned char *)attr->pValue;
+ printf("0x");
+ for (i = 0; i < attr->ulValueLen; i++) {
+ printf("%02x", value[i]);
+ }
+ printf("<%s>\n", label);
+}
+
+SECStatus
+dump_validations(CK_OBJECT_CLASS objc, CK_ATTRIBUTE *template, int count,
+ attributeTag *tags, PK11SlotInfo *slot)
+{
+ PK11GenericObject *objs, *obj;
+
+ objs = PK11_FindGenericObjects(slot, objc);
+
+ for (obj = objs; obj != NULL; obj = PK11_GetNextGenericObject(obj)) {
+ int i;
+ printf("Validation Object:\n");
+ PK11_ReadRawAttributes(NULL, PK11_TypeGeneric, obj, template, count);
+ for (i = 0; i < count; i++) {
+ CK_ULONG ulong;
+ CK_VERSION version;
+ int len = template[i].ulValueLen;
+ printf(" %s: ", tags[i].attributeName);
+ if (len < 0) {
+ printf("<failed>\n");
+ } else if (len == 0) {
+ printf("<empty>\n");
+ } else
+ switch (tags[i].attributeStorageType) {
+ case tagULong:
+ if (len != sizeof(CK_ULONG)) {
+ dump_Raw("bad ulong", &template[i]);
+ break;
+ }
+ ulong = *(CK_ULONG *)template[i].pValue;
+ printf("%ld\n", ulong);
+ break;
+ case tagVersion:
+ if (len != sizeof(CK_VERSION)) {
+ dump_Raw("bad version", &template[i]);
+ break;
+ }
+ version = *(CK_VERSION *)template[i].pValue;
+ printf("%d.%d\n", version.major, version.minor);
+ break;
+ case tagUtf8:
+ printf("%.*s\n", len, (char *)template[i].pValue);
+ break;
+ default:
+ dump_Raw("unknown tag", &template[i]);
+ break;
+ }
+ PORT_Free(template[i].pValue);
+ template[i].pValue = NULL;
+ template[i].ulValueLen = 0;
+ }
+ }
+ PK11_DestroyGenericObjects(objs);
+ return SECSuccess;
+}
+
+int
+main(int argc, char **argv)
+{
+ secuPWData slotPw = { PW_NONE, NULL };
+ secuPWData p12FilePw = { PW_NONE, NULL };
+ PK11SlotInfo *slot;
+ char *slotname = NULL;
+ char *dbprefix = "";
+ char *nssdir = NULL;
+ SECStatus rv;
+ secuCommand validation;
+ int local_errno = 0;
+
+ CK_ATTRIBUTE validation_template[] = {
+ { CKA_NSS_VALIDATION_TYPE, NULL, 0 },
+ { CKA_NSS_VALIDATION_VERSION, NULL, 0 },
+ { CKA_NSS_VALIDATION_LEVEL, NULL, 0 },
+ { CKA_NSS_VALIDATION_MODULE_ID, NULL, 0 }
+ };
+ attributeTag validation_tags[] = {
+ { "Validation Type", tagULong },
+ { "Validation Version", tagVersion },
+ { "Validation Level", tagULong },
+ { "Validation Module ID", tagUtf8 },
+ };
+
+#ifdef _CRTDBG_MAP_ALLOC
+ _CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
+#endif
+
+ validation.numCommands = 0;
+ validation.commands = 0;
+ validation.numOptions = PR_ARRAY_SIZE(validation_options);
+ validation.options = validation_options;
+
+ progName = strrchr(argv[0], '/');
+ progName = progName ? progName + 1 : argv[0];
+
+ rv = SECU_ParseCommandLine(argc, argv, progName, &validation);
+
+ if (rv != SECSuccess)
+ Usage();
+
+ debug = validation.options[opt_Debug].activated;
+
+ slotname = SECU_GetOptionArg(&validation, opt_TokenName);
+
+ if (validation.options[opt_SlotPWFile].activated) {
+ slotPw.source = PW_FROMFILE;
+ slotPw.data = PORT_Strdup(validation.options[opt_SlotPWFile].arg);
+ }
+
+ if (validation.options[opt_SlotPW].activated) {
+ slotPw.source = PW_PLAINTEXT;
+ slotPw.data = PORT_Strdup(validation.options[opt_SlotPW].arg);
+ }
+
+ if (validation.options[opt_CertDir].activated) {
+ nssdir = validation.options[opt_CertDir].arg;
+ }
+ if (validation.options[opt_DBPrefix].activated) {
+ dbprefix = validation.options[opt_DBPrefix].arg;
+ }
+
+ PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
+ if (nssdir == NULL && NSS_NoDB_Init("") == SECSuccess) {
+ rv = SECSuccess;
+ /* if the system isn't already in FIPS mode, we need
+ * to switch to FIPS mode */
+ if (!PK11_IsFIPS()) {
+ /* flip to FIPS mode */
+ SECMODModule *module = SECMOD_GetInternalModule();
+ rv = SECMOD_DeleteInternalModule(module->commonName);
+ }
+ } else {
+ rv = NSS_Initialize(nssdir, dbprefix, dbprefix,
+ "secmod.db", 0);
+ }
+ if (rv != SECSuccess) {
+ SECU_PrintPRandOSError(progName);
+ exit(-1);
+ }
+
+ if (!slotname || PL_strcmp(slotname, "internal") == 0)
+ slot = PK11_GetInternalKeySlot();
+ else
+ slot = PK11_FindSlotByName(slotname);
+
+ if (!slot) {
+ SECU_PrintError(progName, "Invalid slot \"%s\"", slotname);
+ local_errno = ERR_PK11GETSLOT;
+ goto done;
+ }
+
+ rv = dump_validations(CKO_NSS_VALIDATION,
+ validation_template,
+ PR_ARRAY_SIZE(validation_template),
+ validation_tags,
+ slot);
+
+done:
+ if (slotPw.data != NULL)
+ PORT_ZFree(slotPw.data, PL_strlen(slotPw.data));
+ if (p12FilePw.data != NULL)
+ PORT_ZFree(p12FilePw.data, PL_strlen(p12FilePw.data));
+ if (slot)
+ PK11_FreeSlot(slot);
+ if (NSS_Shutdown() != SECSuccess) {
+ local_errno = 1;
+ }
+ PL_ArenaFinish();
+ PR_Cleanup();
+ return local_errno;
+}
diff --git a/cmd/validation/validation.gyp b/cmd/validation/validation.gyp
new file mode 100644
--- /dev/null
+++ b/cmd/validation/validation.gyp
@@ -0,0 +1,30 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+{
+ 'includes': [
+ '../../coreconf/config.gypi',
+ '../../cmd/platlibs.gypi'
+ ],
+ 'targets': [
+ {
+ 'target_name': 'validation',
+ 'type': 'executable',
+ 'sources': [
+ 'validation.c'
+ ],
+ 'dependencies': [
+ '<(DEPTH)/exports.gyp:dbm_exports',
+ '<(DEPTH)/exports.gyp:nss_exports'
+ ]
+ }
+ ],
+ 'target_defaults': {
+ 'defines': [
+ 'NSPR20'
+ ]
+ },
+ 'variables': {
+ 'module': 'nss'
+ }
+}
diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
--- a/lib/softoken/config.mk
+++ b/lib/softoken/config.mk
@@ -59,3 +59,7 @@
DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
endif
+ifdef NSS_FIPS_MODULE_ID
+DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
+endif
+
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -75,7 +75,6 @@
* failure so that there are at most 60 login attempts per minute.
*/
static PRIntervalTime loginWaitTime;
-static PRUint32 minSessionObjectHandle = 1U;
#define __PASTE(x, y) x##y
@@ -1672,8 +1671,6 @@
{
SFTKSlot *slot = session->slot;
SFTKAttribute *attribute;
- SFTKObject *duplicateObject = NULL;
- CK_OBJECT_HANDLE handle;
CK_BBOOL ckfalse = CK_FALSE;
CK_BBOOL cktrue = CK_TRUE;
CK_RV crv;
@@ -1711,30 +1708,13 @@
* token objects and will have a token object handle assigned to
* them by a call to sftk_mkHandle in the handler for each object
* class, invoked below.
- *
+ *
* It may be helpful to note/remember that
* sftk_narrowToXxxObject uses sftk_isToken,
* sftk_isToken examines the sign bit of the object's handle, but
* sftk_isTrue(...,CKA_TOKEN) examines the CKA_TOKEN attribute.
*/
- do {
- PRUint32 wrappedAround;
-
- duplicateObject = NULL;
- PZ_Lock(slot->objectLock);
- wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
- handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
- if (!handle) /* don't allow zero handle */
- handle = minSessionObjectHandle;
- slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
- /* Is there already a session object with this handle? */
- if (wrappedAround) {
- sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
- slot->sessObjHashSize);
- }
- PZ_Unlock(slot->objectLock);
- } while (duplicateObject != NULL);
- object->handle = handle;
+ object->handle = sftk_getNextHandle(slot);
/* get the object class */
attribute = sftk_FindAttribute(object, CKA_CLASS);
@@ -2875,10 +2855,15 @@
goto mem_loser;
slot->sessionIDCount = 0;
- slot->sessionObjectHandleCount = minSessionObjectHandle;
+ slot->sessionObjectHandleCount = NSC_MIN_SESSION_OBJECT_HANDLE;
slot->slotID = slotID;
sftk_setStringName(params->slotdes ? params->slotdes : sftk_getDefSlotName(slotID), slot->slotDescription,
sizeof(slot->slotDescription), PR_TRUE);
+ crv = sftk_InitSession(&slot->moduleObjects, slot, slotID, NULL, NULL,
+ CKF_SERIAL_SESSION);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
/* call the reinit code to set everything that changes between token
* init calls */
@@ -2887,6 +2872,12 @@
if (crv != CKR_OK) {
goto loser;
}
+ if (sftk_isFIPS(slotID)) {
+ crv = sftk_CreateValidationObjects(slot);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ }
crv = sftk_RegisterSlot(slot, moduleIndex);
if (crv != CKR_OK) {
goto loser;
@@ -3032,6 +3023,8 @@
SFTK_ShutdownSlot(slot);
+ sftk_ClearSession(&slot->moduleObjects);
+
if (slot->tokObjHashTable) {
PL_HashTableDestroy(slot->tokObjHashTable);
slot->tokObjHashTable = NULL;
@@ -3262,6 +3255,7 @@
CK_RV crv = CKR_OK;
SECStatus rv;
CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+ PRBool destroy_freelist_on_error = PR_TRUE;
int i;
unsigned int moduleIndex = isFIPS ? NSC_FIPS_MODULE : NSC_NON_FIPS_MODULE;
@@ -3341,7 +3335,14 @@
"disabled FIPS mode");
}
}
+ /* if we have a peer open, we don't want to destroy the freelist
+ * from under the peer if we fail, the free list will be
+ * destroyed in that case when the C_Finalize is called for
+ * the peer */
+ destroy_freelist_on_error = PR_FALSE;
}
+ /* allow us to create objects in SFTK_SlotInit */
+ sftk_InitFreeLists();
for (i = 0; i < paramStrings.token_count; i++) {
crv = SFTK_SlotInit(paramStrings.configdir,
@@ -3355,8 +3356,9 @@
loser:
sftk_freeParams(&paramStrings);
}
- if (CKR_OK == crv) {
- sftk_InitFreeLists();
+ if (destroy_freelist_on_error && (CKR_OK != crv)) {
+ /* idempotent. If the list are already freed, this is a noop */
+ sftk_CleanupFreeLists();
}
#ifndef NO_FORK_CHECK
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -49,6 +49,8 @@
#define NSC_SEARCH_BLOCK_SIZE 5
#define NSC_SLOT_LIST_BLOCK_SIZE 10
+#define NSC_MIN_SESSION_OBJECT_HANDLE 1U
+
#define NSC_FIPS_MODULE 1
#define NSC_NON_FIPS_MODULE 0
@@ -375,6 +377,9 @@
char tokDescription[33]; /* per load */
char updateTokDescription[33]; /* per load */
char slotDescription[65]; /* invariant */
+ SFTKSession moduleObjects; /* global session to hang module specific
+ * objects like profile objects or
+ * validation objects */
};
/*
@@ -766,6 +771,7 @@
extern void sftk_ReferenceObject(SFTKObject *object);
extern SFTKObject *sftk_ObjectFromHandle(CK_OBJECT_HANDLE handle,
SFTKSession *session);
+extern CK_OBJECT_HANDLE sftk_getNextHandle(SFTKSlot *slot);
extern void sftk_AddSlotObject(SFTKSlot *slot, SFTKObject *object);
extern void sftk_AddObject(SFTKSession *session, SFTKObject *object);
/* clear out all the existing object ID to database key mappings.
@@ -787,7 +793,11 @@
extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle);
extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle);
extern void sftk_FreeSession(SFTKSession *session);
+extern void sftk_ClearSession(SFTKSession *session);
extern void sftk_DestroySession(SFTKSession *session);
+extern CK_RV sftk_InitSession(SFTKSession *session, SFTKSlot *slot,
+ CK_SLOT_ID slotID, CK_NOTIFY notify,
+ CK_VOID_PTR pApplication, CK_FLAGS flags);
extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify,
CK_VOID_PTR pApplication, CK_FLAGS flags);
extern void sftk_update_state(SFTKSlot *slot, SFTKSession *session);
@@ -955,6 +965,9 @@
* FIPS security policy */
PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
CK_ATTRIBUTE_TYPE op, SFTKObject *source);
+/* add validation objects to the slot */
+CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
+
SEC_END_PROTOS
#endif /* _PKCS11I_H_ */
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -14,6 +14,7 @@
#include "sftkdb.h"
#include "softoken.h"
#include "secoid.h"
+#include "softkver.h"
#if !defined(NSS_FIPS_DISABLED) && defined(NSS_ENABLE_FIPS_INDICATORS)
/* this file should be supplied by the vendor and include all the
@@ -1243,6 +1244,32 @@
return SFTK_Busy;
}
+/* find the next available object handle that isn't currently in use */
+CK_OBJECT_HANDLE
+sftk_getNextHandle(SFTKSlot *slot)
+{
+ CK_OBJECT_HANDLE handle;
+ SFTKObject *duplicateObject = NULL;
+ do {
+ PRUint32 wrappedAround;
+
+ duplicateObject = NULL;
+ PZ_Lock(slot->objectLock);
+ wrappedAround = slot->sessionObjectHandleCount & SFTK_TOKEN_MASK;
+ handle = slot->sessionObjectHandleCount & ~SFTK_TOKEN_MASK;
+ if (!handle) /* don't allow zero handle */
+ handle = NSC_MIN_SESSION_OBJECT_HANDLE;
+ slot->sessionObjectHandleCount = (handle + 1U) | wrappedAround;
+ /* Is there already a session object with this handle? */
+ if (wrappedAround) {
+ sftkqueue_find(duplicateObject, handle, slot->sessObjHashTable,
+ slot->sessObjHashSize);
+ }
+ PZ_Unlock(slot->objectLock);
+ } while (duplicateObject != NULL);
+ return handle;
+}
+
/*
* add an object to a slot and session queue. These two functions
* adopt the object.
@@ -1848,23 +1875,13 @@
}
/*
- * create a new nession. NOTE: The session handle is not set, and the
+ * Init a new session. NOTE: The session handle is not set, and the
* session is not added to the slot's session queue.
*/
-SFTKSession *
-sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
- CK_FLAGS flags)
+CK_RV
+sftk_InitSession(SFTKSession *session, SFTKSlot *slot, CK_SLOT_ID slotID,
+ CK_NOTIFY notify, CK_VOID_PTR pApplication, CK_FLAGS flags)
{
- SFTKSession *session;
- SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
-
- if (slot == NULL)
- return NULL;
-
- session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
- if (session == NULL)
- return NULL;
-
session->next = session->prev = NULL;
session->enc_context = NULL;
session->hash_context = NULL;
@@ -1873,8 +1890,7 @@
session->objectIDCount = 1;
session->objectLock = PZ_NewLock(nssILockObject);
if (session->objectLock == NULL) {
- PORT_Free(session);
- return NULL;
+ return CKR_HOST_MEMORY;
}
session->objects[0] = NULL;
@@ -1887,12 +1903,38 @@
sftk_update_state(slot, session);
/* no ops completed yet, so the last one couldn't be a FIPS op */
session->lastOpWasFIPS = PR_FALSE;
+ return CKR_OK;
+}
+
+/*
+ * Create a new session and init it.
+ */
+SFTKSession *
+sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, CK_VOID_PTR pApplication,
+ CK_FLAGS flags)
+{
+ SFTKSession *session;
+ SFTKSlot *slot = sftk_SlotFromID(slotID, PR_FALSE);
+ CK_RV crv;
+
+ if (slot == NULL)
+ return NULL;
+
+ session = (SFTKSession *)PORT_Alloc(sizeof(SFTKSession));
+ if (session == NULL)
+ return NULL;
+
+ crv = sftk_InitSession(session, slot, slotID, notify, pApplication, flags);
+ if (crv != CKR_OK) {
+ PORT_Free(session);
+ return NULL;
+ }
return session;
}
/* free all the data associated with a session. */
void
-sftk_DestroySession(SFTKSession *session)
+sftk_ClearSession(SFTKSession *session)
{
SFTKObjectList *op, *next;
@@ -1918,6 +1960,13 @@
if (session->search) {
sftk_FreeSearch(session->search);
}
+}
+
+/* free the data associated with the session, and the session */
+void
+sftk_DestroySession(SFTKSession *session)
+{
+ sftk_ClearSession(session);
PORT_Free(session);
}
@@ -2386,3 +2435,70 @@
return PR_FALSE;
#endif
}
+
+/*
+ * create the FIPS Validation objects. If the vendor
+ * doesn't supply an NSS_FIPS_MODULE_ID, at compile time,
+ * then we assumethis is an unvalidated module.
+ */
+CK_RV
+sftk_CreateValidationObjects(SFTKSlot *slot)
+{
+ const char *module_id;
+ int module_id_len;
+ CK_RV crv = CKR_OK;
+ /* we currently use vendor specific values until the validation
+ * objects are approved for PKCS #11 v3.2. */
+ CK_OBJECT_CLASS cko_validation = CKO_NSS_VALIDATION;
+ CK_NSS_VALIDATION_TYPE ckv_fips = CKV_NSS_FIPS_140;
+ CK_VERSION fips_version = { 3, 0 }; /* FIPS-140-3 */
+ CK_ULONG fips_level = 1; /* or 2 if you validated at level 2 */
+
+#ifndef NSS_FIPS_MODULE_ID
+#define NSS_FIPS_MODULE_ID "Generic NSS " SOFTOKEN_VERSION " Unvalidated"
+#endif
+ module_id = NSS_FIPS_MODULE_ID;
+ module_id_len = sizeof(NSS_FIPS_MODULE_ID) - 1;
+ SFTKObject *object;
+
+ object = sftk_NewObject(slot); /* fill in the handle later */
+ if (object == NULL) {
+ return CKR_HOST_MEMORY;
+ }
+ object->isFIPS = PR_FALSE;
+
+ crv = sftk_AddAttributeType(object, CKA_CLASS,
+ &cko_validation, sizeof(cko_validation));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_TYPE,
+ &ckv_fips, sizeof(ckv_fips));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_VERSION,
+ &fips_version, sizeof(fips_version));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_LEVEL,
+ &fips_level, sizeof(fips_level));
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+ crv = sftk_AddAttributeType(object, CKA_NSS_VALIDATION_MODULE_ID,
+ module_id, module_id_len);
+ if (crv != CKR_OK) {
+ goto loser;
+ }
+
+ /* future, fill in validation certificate information from a supplied
+ * pointer to a config file */
+ object->handle = sftk_getNextHandle(slot);
+ object->slot = slot;
+ sftk_AddObject(&slot->moduleObjects, object);
+loser:
+ sftk_FreeObject(object);
+ return crv;
+}
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
--- a/lib/util/pkcs11n.h
+++ b/lib/util/pkcs11n.h
@@ -38,6 +38,9 @@
#define CKO_NSS_BUILTIN_ROOT_LIST (CKO_NSS + 4)
#define CKO_NSS_NEWSLOT (CKO_NSS + 5)
#define CKO_NSS_DELSLOT (CKO_NSS + 6)
+#define CKO_NSS_VALIDATION (CKO_NSS + 7)
+
+#define CKV_NSS_FIPS_140 (CKO_NSS + 1)
/*
* NSS-defined key types
@@ -99,6 +102,11 @@
#define CKA_NSS_SERVER_DISTRUST_AFTER (CKA_NSS + 35)
#define CKA_NSS_EMAIL_DISTRUST_AFTER (CKA_NSS + 36)
+#define CKA_NSS_VALIDATION_TYPE (CKA_NSS + 36)
+#define CKA_NSS_VALIDATION_VERSION (CKA_NSS + 37)
+#define CKA_NSS_VALIDATION_LEVEL (CKA_NSS + 38)
+#define CKA_NSS_VALIDATION_MODULE_ID (CKA_NSS + 39)
+
/*
* Trust attributes:
*
@@ -344,6 +352,9 @@
#define CKR_NSS_CERTDB_FAILED (CKR_NSS + 1)
#define CKR_NSS_KEYDB_FAILED (CKR_NSS + 2)
+/* NSS specific types */
+typedef CK_ULONG CK_NSS_VALIDATION_TYPE;
+
/* Mandatory parameter for the CKM_NSS_HKDF_* key deriviation mechanisms.
See RFC 5869.
diff --git a/nss.gyp b/nss.gyp
--- a/nss.gyp
+++ b/nss.gyp
@@ -131,6 +131,7 @@
'cmd/smimetools/smimetools.gyp:cmsutil',
'cmd/ssltap/ssltap.gyp:ssltap',
'cmd/symkeyutil/symkeyutil.gyp:symkeyutil',
+ 'cmd/validation/validation.gyp:validation',
'nss-tool/nss_tool.gyp:nss',
'nss-tool/nss_tool.gyp:hw-support',
],

18
nss-3.71-fix-lto-gtests.patch
View File

@ -1,19 +1,14 @@
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
@@ -8,23 +8,32 @@
#include "prtime.h"
#include "secerr.h"
#include "ssl.h"
@@ -15,13 +15,22 @@
#include "gtest_utils.h"
#include "tls_agent.h"
#include "tls_connect.h"
+#define LTO
namespace nss_test {
+#ifndef LTO
+// sigh this construction breaks LTO
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
@ -28,9 +23,4 @@ diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_su
+#endif
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
static void CheckPreliminaryPeerDelegCred(
const std::shared_ptr<TlsAgent>& client, bool expected,
PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
EXPECT_EQ(expected, client->pre_info().peerDelegCred);

36
nss-3.71-ipv6-fix.patch
View File

@ -1,36 +0,0 @@
diff -up ./cmd/selfserv/selfserv.c.ipv6_fix ./cmd/selfserv/selfserv.c
--- ./cmd/selfserv/selfserv.c.ipv6_fix 2021-09-14 11:40:06.176408531 -0700
+++ ./cmd/selfserv/selfserv.c 2021-09-14 11:49:46.361907308 -0700
@@ -1717,14 +1717,28 @@ getBoundListenSocket(unsigned short port
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
errExit("PR_NewTCPSocket");
}
+ /* NSPR has a bug where set inheritable doesn't work unless it's a pure
+ * NSPR socket. If we have an IPV6 emulator on an IPV4 socket, it will fail.
+ * In that case just open an IPV4 socket instead */
+ if (PR_NSPR_IO_LAYER != PR_GetLayersIdentity(listen_sock)) {
+ PR_Close(listen_sock);
+ addr.inet.family = PR_AF_INET;
+ addr.inet.ip = PR_INADDR_ANY;
+ addr.inet.port = PR_htons(port);
+
+ listen_sock = PR_NewTCPSocket();
+ if (listen_sock == NULL) {
+ errExit("PR_NewTCPSocket");
+ }
+ }
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;

257
nss-3.75-fix-pkcs12-passwords.patch
View File

@ -1,257 +0,0 @@
diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c
--- a/cmd/pk12util/pk12util.c
+++ b/cmd/pk12util/pk12util.c
@@ -660,16 +660,27 @@ P12U_ExportPKCS12Object(char *nn, char *
}
/* Password to use for PKCS12 file. */
pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw);
if (!pwitem) {
goto loser;
}
+ /* we are passing UTF8, drop the NULL in the normal password value.
+ * UCS2 conversion will add it back if necessary. This only affects
+ * password > Blocksize of the Hash function and pkcs5v2 pbe (if password
+ * <=Blocksize then the password is zero padded anyway, so an extra NULL
+ * at the end has not effect). This is allows us to work with openssl and
+ * gnutls. Older versions of NSS already fail to decrypt long passwords
+ * in this case, so we aren't breaking anyone with this code */
+ if ((pwitem->len > 1) && (!pwitem->data[pwitem->len-1])) {
+ pwitem->len--;
+ }
+
p12cxt = p12u_InitContext(PR_FALSE, outfile);
if (!p12cxt) {
SECU_PrintError(progName, "Initialization failed: %s", outfile);
pk12uErrno = PK12UERR_INIT_FILE;
goto loser;
}
if (certlist) {
diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c
--- a/lib/pkcs12/p12local.c
+++ b/lib/pkcs12/p12local.c
@@ -903,31 +903,35 @@ sec_pkcs12_find_object(SEC_PKCS12SafeCon
i++;
}
}
PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME);
return NULL;
}
-/* this function converts a password to unicode and encures that the
- * required double 0 byte be placed at the end of the string
+/* this function converts a password to unicode and ensures that the
+ * required double 0 byte be placed at the end of the string (if zeroTerm
+ * is set), or the 0 bytes at the end are dropped (if zeroTerm is not set).
*/
PRBool
sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest,
SECItem *src, PRBool zeroTerm,
PRBool asciiConvert, PRBool toUnicode)
{
PRBool success = PR_FALSE;
+ int bufferSize;
+
if (!src || !dest) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return PR_FALSE;
}
- dest->len = src->len * 3 + 2;
+ bufferSize = src->len * 3 + 2;
+ dest->len = bufferSize;
if (arena) {
dest->data = (unsigned char *)PORT_ArenaZAlloc(arena, dest->len);
} else {
dest->data = (unsigned char *)PORT_ZAlloc(dest->len);
}
if (!dest->data) {
dest->len = 0;
@@ -951,34 +955,44 @@ sec_pkcs12_convert_item_to_unicode(PLAre
if (!arena) {
PORT_Free(dest->data);
dest->data = NULL;
dest->len = 0;
}
return PR_FALSE;
}
- if ((dest->len >= 2) &&
- (dest->data[dest->len - 1] || dest->data[dest->len - 2]) && zeroTerm) {
- if (dest->len + 2 > 3 * src->len) {
- if (arena) {
- dest->data = (unsigned char *)PORT_ArenaGrow(arena,
- dest->data, dest->len,
- dest->len + 2);
- } else {
- dest->data = (unsigned char *)PORT_Realloc(dest->data,
- dest->len + 2);
+ /* in some cases we need to add NULL terminations and in others
+ * we need to drop null terminations */
+ if (zeroTerm) {
+ /* unicode adds two nulls a the end */
+ if (toUnicode) {
+ if ((dest->len >= 2) &&
+ (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
+ /* we've already allocated space for these new NULLs */
+ PORT_Assert(dest->len + 2 <= bufferSize);
+ dest->len += 2;
+ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
}
-
- if (!dest->data) {
- return PR_FALSE;
+ /* ascii/utf-8 adds just 1 */
+ } else if ((dest->len >= 1) && dest->data[dest->len-1]) {
+ PORT_Assert(dest->len + 1 <= bufferSize);
+ dest->len ++;
+ dest->data[dest->len-1] = 0;
+ }
+ } else {
+ /* handle the drop case, no need to do any allocations here. */
+ if (toUnicode) {
+ while ((dest->len >=2) && !dest->data[dest->len - 1] &&
+ !dest->data[dest->len - 2]) {
+ dest->len -= 2;
}
+ } else while (dest->len && !dest->data[dest->len-1]) {
+ dest->len--;
}
- dest->len += 2;
- dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
}
return PR_TRUE;
}
PRBool
sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm)
{
@@ -1006,27 +1020,28 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi
}
}
/* this function decodes a password from Unicode if necessary,
* according to the PBE algorithm.
*
* we assume that the pwitem is already encoded in Unicode by the
* caller. if the encryption scheme is not the one defined in PKCS
- * #12, decode the pwitem back into UTF-8. */
+ * #12, decode the pwitem back into UTF-8. NOTE: UTF-8 strings are
+ * used in the PRF without the trailing NULL */
PRBool
sec_pkcs12_decode_password(PLArenaPool *arena,
SECItem *result,
SECOidTag algorithm,
const SECItem *pwitem)
{
if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm))
return sec_pkcs12_convert_item_to_unicode(arena, result,
(SECItem *)pwitem,
- PR_TRUE, PR_FALSE, PR_FALSE);
+ PR_FALSE, PR_FALSE, PR_FALSE);
return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess;
}
/* this function encodes a password into Unicode if necessary,
* according to the PBE algorithm.
*
* we assume that the pwitem holds a raw password. if the encryption
diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
+++ b/tests/common/init.sh
@@ -78,25 +78,27 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions
STAPLINGDIR=${HOSTDIR}/stapling
NOLOGINDIR=${HOSTDIR}/nologin
SSLGTESTDIR=${HOSTDIR}/ssl_gtests
GTESTDIR=${HOSTDIR}/gtests
PWFILE=${HOSTDIR}/tests.pw
+ LONGPWFILE=${HOSTDIR}/tests.longpw
EMPTY_FILE=${HOSTDIR}/tests_empty
NOISE_FILE=${HOSTDIR}/tests_noise
CORELIST_FILE=${HOSTDIR}/clist
FIPSPWFILE=${HOSTDIR}/tests.fipspw
FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw
FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw
echo nss > ${PWFILE}
+ echo "nss123456789012345678901234567890123456789012345678901234567890_" > ${LONGPWFILE}
echo > ${EMPTY_FILE}
echo "fIps140" > ${FIPSPWFILE}
echo "fips104" > ${FIPSBADPWFILE}
echo "pKcs12fips140" > ${FIPSP12PWFILE}
noise
P_SERVER_CADIR=${SERVER_CADIR}
@@ -656,16 +658,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}"
P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}"
P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}"
P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}"
P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}"
fi
R_PWFILE=../tests.pw
+ R_LONGPWFILE=../tests.longpw
R_EMPTY_FILE=../tests_empty
R_NOISE_FILE=../tests_noise
R_FIPSPWFILE=../tests.fipspw
R_FIPSBADPWFILE=../tests.fipsbadpw
R_FIPSP12PWFILE=../tests.fipsp12pw
trap "Exit $0 Signal_caught" 2 3
diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -382,16 +382,40 @@ tools_p12_export_list_import_with_defaul
check_tmpfile
echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
ret=$?
html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
check_tmpfile
+
+ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------"
+ echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+ echo " -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+ -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)"
+ check_tmpfile
+ verify_p12 Alice-ec-long.p12 "default" "default" "default"
+
+ echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----"
+ echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)"
+ check_tmpfile
+
+ echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------"
+ echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}"
+ ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1
+ ret=$?
+ html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)"
+ check_tmpfile
}
tools_p12_import_old_files()
{
echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------"
echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
ret=$?

170
nss-3.79-dont-verify-default.patch
View File

@ -1,170 +0,0 @@
diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c
--- a/lib/softoken/legacydb/pcertdb.c
+++ b/lib/softoken/legacydb/pcertdb.c
@@ -4272,16 +4272,17 @@ CreateTrust(void)
{
NSSLOWCERTTrust *trust = NULL;
nsslowcert_LockFreeList();
trust = trustListHead;
if (trust) {
trustListCount--;
trustListHead = trust->next;
+ trust->next = NULL;
}
PORT_Assert(trustListCount >= 0);
nsslowcert_UnlockFreeList();
if (trust) {
return trust;
}
return PORT_ZNew(NSSLOWCERTTrust);
@@ -5155,19 +5156,21 @@ done:
}
PRBool
nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
{
if (trust == NULL) {
return PR_FALSE;
}
- return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
- (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
- (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
+ * we don't have a trust record. */
+ return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
+ ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0));
}
/*
* This function has the logic that decides if another person's cert and
* email profile from an S/MIME message should be saved. It can deal with
* the case when there is no profile.
*/
static SECStatus
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
--- a/lib/softoken/sftkdb.c
+++ b/lib/softoken/sftkdb.c
@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI
case CKA_TRUST_STEP_UP_APPROVED:
case CKA_NSS_OVERRIDE_EXTENSIONS:
return PR_TRUE;
default:
break;
}
return PR_FALSE;
}
-
/*
* convert a native ULONG to a database ulong. Database ulong's
* are all 4 byte big endian values.
*/
void
sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
{
int i;
for (i = 0; i < SDB_ULONG_SIZE; i++) {
data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;
}
}
/*
* convert a database ulong back to a native ULONG. (reverse of the above
- * function.
+ * function).
*/
static CK_ULONG
sftk_SDBULong2ULong(unsigned char *data)
{
int i;
CK_ULONG value = 0;
for (i = 0; i < SDB_ULONG_SIZE; i++) {
value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);
}
return value;
}
+/* certain trust records are default values, which are the values
+ * returned if the signature check fails anyway.
+ * In those cases, we can skip the signature check. */
+PRBool
+sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
+{
+ switch (template->type) {
+ case CKA_TRUST_SERVER_AUTH:
+ case CKA_TRUST_CLIENT_AUTH:
+ case CKA_TRUST_EMAIL_PROTECTION:
+ case CKA_TRUST_CODE_SIGNING:
+ if (template->ulValueLen != SDB_ULONG_SIZE) {
+ break;
+ }
+ if (sftk_SDBULong2ULong(template->pValue) ==
+ CKT_NSS_TRUST_UNKNOWN) {
+ return PR_TRUE;
+ }
+ break;
+ case CKA_TRUST_STEP_UP_APPROVED:
+ if (template->ulValueLen != 1) {
+ break;
+ }
+ if (*((unsigned char *)(template->pValue)) == 0) {
+ return PR_TRUE;
+ }
+ break;
+ default:
+ break;
+ }
+ return PR_FALSE;
+}
+
/*
* fix up the input templates. Our fixed up ints are stored in data and must
* be freed by the caller. The new template must also be freed. If there are no
* CK_ULONG attributes, the orignal template is passed in as is.
*/
static CK_ATTRIBUTE *
sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,
unsigned char **dataOut, int *dataOutSize)
@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te
}
/* copy the plain text back into the template */
PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
template[i].ulValueLen = plainText->len;
SECITEM_ZfreeItem(plainText, PR_TRUE);
}
/* make sure signed attributes are valid */
- if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
+ if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)
+ && !sftkdb_isNullTrust(&ntemplate[i])) {
SECStatus rv;
CK_RV local_crv;
SECItem signText;
SECItem plainText;
unsigned char signData[SDB_MAX_META_DATA_LEN];
signText.data = signData;
signText.len = sizeof(signData);
@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle,
crv = (*source->sdb_GetAttributeValue)(source, id,
ptemplate, max_attributes);
if (crv != CKR_OK) {
goto loser;
}
objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
max_attributes);
+/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id,
+ handle->updateID?handle->updateID: "<NULL>");*/
/*
* Update Object updates the object template if necessary then returns
* whether or not we need to actually write the object out to our target
* database.
*/
if (!handle->updateID) {
crv = sftkdb_CreateObject(arena, handle, target, &newID,

522
nss-3.79-enable-POST-rerun.patch
View File

@ -1,522 +0,0 @@
diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c
--- a/cmd/bltest/blapitest.c
+++ b/cmd/bltest/blapitest.c
@@ -3870,17 +3870,17 @@ main(int argc, char **argv)
rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
encrypt, decrypt);
PORT_Free(cipherInfo);
return rv == SECSuccess ? 0 : 1;
}
/* Do FIPS self-test */
if (bltest.commands[cmd_FIPS].activated) {
- CK_RV ckrv = sftk_FIPSEntryOK();
+ CK_RV ckrv = sftk_FIPSEntryOK(PR_FALSE);
fprintf(stdout, "CK_RV: %ld.\n", ckrv);
PORT_Free(cipherInfo);
if (ckrv == CKR_OK)
return SECSuccess;
return SECFailure;
}
/*
diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c
--- a/cmd/pk11mode/pk11mode.c
+++ b/cmd/pk11mode/pk11mode.c
@@ -318,23 +318,25 @@ static PRBool verbose = PR_FALSE;
int
main(int argc, char **argv)
{
CK_C_GetFunctionList pC_GetFunctionList;
CK_FUNCTION_LIST_PTR pFunctionList;
CK_RV crv = CKR_OK;
CK_C_INITIALIZE_ARGS_NSS initArgs;
+ CK_C_INITIALIZE_ARGS_NSS initArgsRerun; /* rerun selftests */
CK_SLOT_ID *pSlotList = NULL;
CK_TOKEN_INFO tokenInfo;
CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
CK_UTF8CHAR *pwd = NULL;
CK_ULONG pwdLen = 0;
char *moduleSpec = NULL;
+ char *moduleSpecRerun = NULL;
char *configDir = NULL;
char *dbPrefix = NULL;
char *disableUnload = NULL;
PRBool doForkTests = PR_TRUE;
PLOptStatus os;
PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:");
while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) {
@@ -458,18 +460,23 @@ main(int argc, char **argv)
initArgs.CreateMutex = NULL;
initArgs.DestroyMutex = NULL;
initArgs.LockMutex = NULL;
initArgs.UnlockMutex = NULL;
initArgs.flags = CKF_OS_LOCKING_OK;
moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
"keyPrefix='%s' secmod='secmod.db' flags= ",
configDir, dbPrefix, dbPrefix);
+ moduleSpecRerun = PR_smprintf("configdir='%s' certPrefix='%s' "
+ "keyPrefix='%s' secmod='secmod.db' flags=forcePOST ",
+ configDir, dbPrefix, dbPrefix);
initArgs.LibraryParameters = (CK_CHAR_PTR *)moduleSpec;
initArgs.pReserved = NULL;
+ initArgsRerun = initArgs;
+ initArgsRerun.LibraryParameters = (CK_CHAR_PTR *)moduleSpecRerun;
/*DebugBreak();*/
/* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
/* NSS cryptographic module library initialization for the FIPS */
/* Approved mode when FC_Initialize is envoked will perfom */
/* software integrity test, and power-up self-tests before */
/* FC_Initialize returns */
crv = pFunctionList->C_Initialize(&initArgs);
@@ -705,17 +712,17 @@ main(int argc, char **argv)
PKM_Error("PKM_HybridMode failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
goto cleanup;
}
if (doForkTests) {
/* testing one more C_Initialize / C_Finalize to exercise getpid()
* fork check code */
- crv = pFunctionList->C_Initialize(&initArgs);
+ crv = pFunctionList->C_Initialize(&initArgsRerun);
if (crv == CKR_OK) {
PKM_LogIt("C_Initialize succeeded\n");
} else {
PKM_Error("C_Initialize failed with 0x%08X, %-26s\n", crv,
PKM_CK_RVtoStr(crv));
goto cleanup;
}
crv = pFunctionList->C_Finalize(NULL);
@@ -741,16 +748,19 @@ cleanup:
free(configDir);
}
if (dbPrefix) {
free(dbPrefix);
}
if (moduleSpec) {
PR_smprintf_free(moduleSpec);
}
+ if (moduleSpecRerun) {
+ PR_smprintf_free(moduleSpecRerun);
+ }
#ifdef _WIN32
FreeLibrary(hModule);
#else
disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
if (!disableUnload) {
PR_UnloadLibrary(lib);
}
diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h
--- a/lib/freebl/blapii.h
+++ b/lib/freebl/blapii.h
@@ -24,17 +24,17 @@ typedef SECStatus (*freeblAeadFunc)(void
void *params, unsigned int paramsLen,
const unsigned char *aad, unsigned int aadLen,
unsigned int blocksize);
typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
SEC_BEGIN_PROTOS
#ifndef NSS_FIPS_DISABLED
-SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
+SECStatus BL_FIPSEntryOK(PRBool freeblOnly, PRBool rerun);
PRBool BL_POSTRan(PRBool freeblOnly);
#endif
#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
extern PRBool bl_parentForkedAfterC_Initialize;
#define SKIP_AFTER_FORK(x) \
diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
--- a/lib/freebl/blapit.h
+++ b/lib/freebl/blapit.h
@@ -223,16 +223,21 @@ typedef int __BLAPI_DEPRECATED __attribu
*
* If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
* we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
* GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
* the variable IV size for TLS is 64 bits, which explains why it's not safe
* to use a random value for the nonce in TLS. */
#define GCMIV_RANDOM_BIRTHDAY_BITS 64
+/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
+#define BLAPI_FIPS_RERUN_FLAG '\377' /* 0xff, 255 invalide code for UFT8/ASCII */
+#define BLAPI_FIPS_RERUN_FLAG_STRING "\377" /* The above as a C string */
+
+
/***************************************************************************
** Opaque objects
*/
struct DESContextStr;
struct RC2ContextStr;
struct RC4ContextStr;
struct RC5ContextStr;
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -2211,29 +2211,37 @@ bl_startup_tests(void)
}
/*
* this is called from the freebl init entry points that controll access to
* all other freebl functions. This prevents freebl from operating if our
* power on selftest failed.
*/
SECStatus
-BL_FIPSEntryOK(PRBool freebl_only)
+BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun)
{
#ifdef NSS_NO_INIT_SUPPORT
/* this should only be set on platforms that can't handle one of the INIT
* schemes. This code allows those platforms to continue to function,
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
* is not set, and init support has not been properly enabled, freebl
* will always fail because of the test below
*/
if (!self_tests_freebl_ran) {
bl_startup_tests();
}
#endif
+ if (rerun) {
+ /* reset the flags */
+ self_tests_freebl_ran = PR_FALSE;
+ self_tests_success = PR_FALSE;
+ self_tests_success = PR_FALSE;
+ self_tests_freebl_success = PR_FALSE;
+ bl_startup_tests();
+ }
/* if the general self tests succeeded, we're done */
if (self_tests_success) {
return SECSuccess;
}
/* standalone freebl can initialize */
if (freebl_only && self_tests_freebl_success) {
return SECSuccess;
}
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
--- a/lib/freebl/nsslowhash.c
+++ b/lib/freebl/nsslowhash.c
@@ -55,17 +55,17 @@ NSSLOW_Init(void)
#ifdef FREEBL_NO_DEPEND
(void)FREEBL_InitStubs();
#endif
#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
if (nsslow_GetFIPSEnabled()) {
- if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
+ if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
post_failed = PR_TRUE;
return NULL;
}
}
#endif
post_failed = PR_FALSE;
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
--- a/lib/freebl/shvfy.c
+++ b/lib/freebl/shvfy.c
@@ -282,52 +282,62 @@ readItem(PRFileDesc *fd, SECItem *item)
PORT_Free(item->data);
item->data = NULL;
item->len = 0;
return SECFailure;
}
return SECSuccess;
}
-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self);
+static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun);
static PRBool
-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self)
+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun)
{
PRBool result = PR_FALSE; /* if anything goes wrong,
* the signature does not verify */
/* find our shared library name */
char *shName = PR_GetLibraryFilePathname(name, addr);
if (!shName) {
goto loser;
}
- result = blapi_SHVerifyFile(shName, self);
+ result = blapi_SHVerifyFile(shName, self, rerun);
loser:
if (shName != NULL) {
PR_Free(shName);
}
return result;
}
PRBool
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
{
- return blapi_SHVerify(name, addr, PR_FALSE);
+ PRBool rerun = PR_FALSE;
+ if (name && *name == BLAPI_FIPS_RERUN_FLAG) {
+ name++;
+ rerun = PR_TRUE;
+ }
+ return blapi_SHVerify(name, addr, PR_FALSE, rerun);
}
PRBool
BLAPI_SHVerifyFile(const char *shName)
{
- return blapi_SHVerifyFile(shName, PR_FALSE);
+ PRBool rerun = PR_FALSE;
+ if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) {
+ shName++;
+ rerun = PR_TRUE;
+ }
+ return blapi_SHVerifyFile(shName, PR_FALSE, rerun);
}
static PRBool
-blapi_SHVerifyFile(const char *shName, PRBool self)
+blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun)
{
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
PRFileDesc *shFD = NULL;
void *hashcx = NULL;
const SECHashObject *hashObj = NULL;
SECItem signature = { 0, NULL, 0 };
SECItem hash;
@@ -346,17 +356,17 @@ blapi_SHVerifyFile(const char *shName, P
unsigned char hashBuf[HASH_LENGTH_MAX];
PORT_Memset(&key, 0, sizeof(key));
hash.data = hashBuf;
hash.len = sizeof(hashBuf);
/* If our integrity check was never ran or failed, fail any other
* integrity checks to prevent any token going into FIPS mode. */
- if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) {
+ if (!self && (BL_FIPSEntryOK(PR_FALSE, rerun) != SECSuccess)) {
return PR_FALSE;
}
if (!shName) {
goto loser;
}
/* figure out the name of our check file */
@@ -536,17 +546,17 @@ BLAPI_VerifySelf(const char *name)
{
if (name == NULL) {
/*
* If name is NULL, freebl is statically linked into softoken.
* softoken will call BLAPI_SHVerify next to verify itself.
*/
return PR_TRUE;
}
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
}
#else /* NSS_FIPS_DISABLED */
PRBool
BLAPI_SHVerifyFile(const char *shName)
{
return PR_FALSE;
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
--- a/lib/softoken/fipstest.c
+++ b/lib/softoken/fipstest.c
@@ -684,22 +684,25 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
static PRBool sftk_self_tests_ran = PR_FALSE;
static PRBool sftk_self_tests_success = PR_FALSE;
/*
* This function is called at dll load time, the code tha makes this
* happen is platform specific on defined above.
*/
-static void
-sftk_startup_tests(void)
+void sftk_startup_tests_with_rerun(PRBool rerun)
{
SECStatus rv;
- const char *libraryName = SOFTOKEN_LIB_NAME;
-
+ /*const char *nlibraryName = SOFTOKEN_LIB_NAME;
+ const char *rlibraryName = BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME; */
+ const char *libraryName = rerun ?
+ BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME :
+ SOFTOKEN_LIB_NAME;
+
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
sftk_self_tests_ran = PR_TRUE;
sftk_self_tests_success = PR_FALSE; /* just in case */
/* need to initiallize the oid library before the RSA tests */
rv = SECOID_Init();
if (rv != SECSuccess) {
@@ -746,35 +749,46 @@ sftk_startup_tests(void)
rv = sftk_fips_pbkdf_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
}
sftk_self_tests_success = PR_TRUE;
}
+static void
+sftk_startup_tests(void)
+{
+ sftk_startup_tests_with_rerun(PR_FALSE);
+}
+
/*
* this is called from nsc_Common_Initizialize entry points that gates access
* to * all other pkcs11 functions. This prevents softoken operation if our
* power on selftest failed.
*/
CK_RV
-sftk_FIPSEntryOK()
+sftk_FIPSEntryOK(PRBool rerun)
{
#ifdef NSS_NO_INIT_SUPPORT
/* this should only be set on platforms that can't handle one of the INIT
* schemes. This code allows those platforms to continue to function,
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
* is not set, and init support has not been properly enabled, softken
* will always fail because of the test below
*/
if (!sftk_self_tests_ran) {
sftk_startup_tests();
}
#endif
+ if (rerun) {
+ sftk_self_tests_ran = PR_FALSE;
+ sftk_self_tests_success = PR_FALSE;
+ sftk_startup_tests_with_rerun(PR_TRUE);
+ }
if (!sftk_self_tests_success) {
return CKR_DEVICE_ERROR;
}
return CKR_OK;
}
#else
#include "pkcs11t.h"
CK_RV
diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
--- a/lib/softoken/fipstokn.c
+++ b/lib/softoken/fipstokn.c
@@ -524,25 +524,32 @@ fc_log_init_error(CK_RV crv)
}
/* FC_Initialize initializes the PKCS #11 library. */
CK_RV
FC_Initialize(CK_VOID_PTR pReserved)
{
const char *envp;
CK_RV crv;
+ PRBool rerun;
if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
sftk_audit_enabled = (atoi(envp) == 1);
}
+ /* if we have the forcePOST flag on, rerun the integrity checks */
+ /* we need to know this before we fully parse the arguments in
+ * nsc_CommonInitialize, so read it now */
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
+
/* At this point we should have already done post and integrity checks.
* if we haven't, it probably means the FIPS product has not been installed
- * or the tests failed. Don't let an application try to enter FIPS mode */
- crv = sftk_FIPSEntryOK();
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
+ * also forces the tests to be rerun if forcePOST is set. */
+ crv = sftk_FIPSEntryOK(rerun);
if (crv != CKR_OK) {
sftk_fatalError = PR_TRUE;
fc_log_init_error(crv);
return crv;
}
sftk_ForkReset(pReserved, &crv);
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -869,16 +869,17 @@ extern CK_RV sftk_MechAllowsOperation(CK
* acquiring a reference to the keydb from the slot */
NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
/*
* parameter parsing functions
*/
CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
void sftk_freeParams(sftk_parameters *params);
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
/*
* narrow objects
*/
SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *);
SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *);
/*
diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
--- a/lib/softoken/sftkpars.c
+++ b/lib/softoken/sftkpars.c
@@ -244,8 +244,21 @@ sftk_freeParams(sftk_parameters *params)
FREE_CLEAR(params->configdir);
FREE_CLEAR(params->secmodName);
FREE_CLEAR(params->man);
FREE_CLEAR(params->libdes);
FREE_CLEAR(params->tokens);
FREE_CLEAR(params->updatedir);
FREE_CLEAR(params->updateID);
}
+
+PRBool
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
+{
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
+
+ /* if we don't have any params, the flag isn't set */
+ if ((!init_args || !init_args->LibraryParameters)) {
+ return PR_FALSE;
+ }
+
+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
+}
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
--- a/lib/softoken/softoken.h
+++ b/lib/softoken/softoken.h
@@ -52,17 +52,17 @@ extern unsigned char *CBC_PadBuffer(PLAr
unsigned int inlen, unsigned int *outlen,
int blockSize);
/****************************************/
/*
** Power-Up selftests are required for FIPS.
*/
/* make sure Power-up selftests have been run. */
-extern CK_RV sftk_FIPSEntryOK(void);
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
/*
** make known fixed PKCS #11 key types to their sizes in bytes
*/
unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
/*
** FIPS 140-2 auditing

58
nss-3.79-fips-review.patches
View File

@ -1,6 +1,6 @@
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
--- ./lib/freebl/dh.c.fips-review 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/freebl/dh.c 2023-03-17 10:53:23.552658592 -0700
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
@@ -445,7 +445,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
@ -50,9 +50,9 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
MP_TO_SEC_ERROR(err);
return PR_FALSE;
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips-review 2023-03-17 10:53:13.569590567 -0700
+++ ./lib/softoken/pkcs11c.c 2023-03-17 10:53:23.552658592 -0700
@@ -4780,6 +4780,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
* handle the base object stuff
*/
crv = sftk_handleObject(key, session);
@ -63,7 +63,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
@@ -4787,9 +4791,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
}
@ -73,7 +73,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (crv == CKR_OK) {
*phKey = key->handle;
}
@@ -5093,60 +5094,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
if (isDerivable) {
SFTKAttribute *pubAttribute = NULL;
@ -189,7 +189,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
/* FIPS requires full validation, but in fipx mode NSC_Derive
* only does partial validation with approved primes, now handle
* full validation */
@@ -5154,44 +5162,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
SECItem pubKey;
SECItem prime;
SECItem subPrime;
@ -283,7 +283,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
}
return CKR_OK;
@@ -5709,8 +5751,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -293,7 +293,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@@ -5752,6 +5794,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (crv != CKR_OK) {
@ -301,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
NSC_DestroyObject(hSession, publicKey->handle);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
@@ -5761,6 +5804,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
publicKey->isFIPS = privateKey->isFIPS;
@ -310,7 +310,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
*phPrivateKey = privateKey->handle;
*phPublicKey = publicKey->handle;
@@ -8381,7 +8426,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
@ -319,7 +319,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
@@ -8563,6 +8608,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
secretlen = tmp.len;
} else {
secretlen = keySize;
@ -328,9 +328,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
&tmp, mechParams->pSharedData,
mechParams->ulSharedDataLen, mechParams->kdf);
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.fips-review 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/softoken/pkcs11.c 2023-03-17 10:53:23.553658599 -0700
@@ -4599,7 +4599,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
if (object == NULL) {
return CKR_HOST_MEMORY;
}
@ -343,8 +343,8 @@ diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
/*
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips-review 2023-03-17 10:53:13.569590567 -0700
+++ ./lib/softoken/pkcs11i.h 2023-03-17 10:53:23.553658599 -0700
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
@ -355,9 +355,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
/* map an operation Attribute to a Mechanism flag */
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips-review 2023-03-17 10:53:13.570590574 -0700
+++ ./lib/softoken/pkcs11u.c 2023-03-17 10:54:53.009268164 -0700
@@ -2404,15 +2404,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@ -388,11 +388,11 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
case SFTKFIPSNone:
return PR_FALSE;
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.fips-review 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2023-03-17 10:53:23.553658599 -0700
@@ -1167,11 +1167,20 @@ static const SECItem subprime_tls_8192 =
(unsigned char *)subprime_tls_8192_data,
sizeof(subprime_tls_8192_data) };
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
(unsigned char *)subprime_tls_8192_data,
sizeof(subprime_tls_8192_data) };
+/* generator for all the groups is 2 */
+static const unsigned char generator_2_data[] = { 2 };
@ -412,7 +412,7 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
{
/* use the length to decide which primes to check */
switch (dhPrime->len) {
@@ -1182,56 +1191,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
}
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
sizeof(prime_ike_1536)) == 0) {
@ -481,8 +481,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
}
break;
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.fips-review 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/softoken/sftkike.c 2023-03-17 10:53:23.553658599 -0700
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
goto fail;
}

172
nss-3.79-fips.patch
View File

@ -160,178 +160,19 @@ diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
+DEFINES += -DNSS_FIPS_140_3
+endif
+
diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h
--- a/lib/softoken/fips_algorithms.h
+++ b/lib/softoken/fips_algorithms.h
@@ -49,33 +49,45 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
#define CKF_KEA CKF_DERIVE
#define CKF_KDF CKF_DERIVE
#define CKF_HSH CKF_DIGEST
#define CK_MAX 0xffffffffUL
/* mechanisms using the same key types share the same key type
* limits */
#define RSA_FB_KEY 2048, 4096 /* min, max */
-#define RSA_FB_STEP 1024
+#define RSA_FB_STEP 1
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
+#define RSA_LEGACY_FB_STEP 256
+
#define DSA_FB_KEY 2048, 4096 /* min, max */
#define DSA_FB_STEP 1024
#define DH_FB_KEY 2048, 4096 /* min, max */
#define DH_FB_STEP 1024
#define EC_FB_KEY 256, 521 /* min, max */
#define EC_FB_STEP 1 /* key limits handled by special operation */
#define AES_FB_KEY 128, 256
#define AES_FB_STEP 64
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
- { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+
/* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
/* ------------------------- DSA Operations --------------------------- */
{ CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
{ CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
{ CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
@@ -95,76 +107,73 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
{ CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
/* ------------------------- RC2 Operations --------------------------- */
/* ------------------------- AES Operations --------------------------- */
{ CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
- { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
- { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
- { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
- { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
/* ------------------------- Hashing Operations ----------------------- */
{ CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
{ CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
{ CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
{ CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
- { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
- { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
{ CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
- { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
- { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
{ CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
- { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
- { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
/* --------------------- Secret Key Operations ------------------------ */
- { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
/* ---------------------- SSL/TLS operations ------------------------- */
{ CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
- { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
+ { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
/* sigh, is this algorithm really tested. ssl doesn't seem to have a
* way of turning the extension off */
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
/* ------------------------- HKDF Operations -------------------------- */
- { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
{ CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
/* ------------------ NIST 800-108 Key Derivations ------------------- */
- { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
/* --------------------IPSEC ----------------------- */
- { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone },
- { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone },
/* ------------------ PBE Key Derivations ------------------- */
- { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone },
+ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
{ CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone }
};
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -1765,27 +1765,29 @@ SECStatus
sftk_fips_pbkdf_PowerUpSelfTests(void)
{
SECItem *result;
SECItem inKey;
NSSPKCS5PBEParameter pbe_params;
@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char iteration_count = 5;
unsigned char keyLen = 64;
char *inKeyData = TEST_KEY;
- static const unsigned char saltData[] =
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+ static const unsigned char saltData[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ };
+
static const unsigned char pbkdf_known_answer[] = {
- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
@ -350,13 +191,8 @@ diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
+ 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
+ 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
};
sftk_PBELockInit();
inKey.data = (unsigned char *)inKeyData;
inKey.len = sizeof(TEST_KEY) - 1;
pbe_params.salt.data = (unsigned char *)saltData;
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c

23
nss-3.79-fix-client-cert-crash.patch
View File

@ -1,23 +0,0 @@
diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
--- a/lib/ssl/authcert.c
+++ b/lib/ssl/authcert.c
@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
/* otherwise look through the cache based on usage
* if chosenNickname is set, we ignore the expiration date */
if (certList == NULL) {
certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
certUsageSSLClient,
PR_FALSE, chosenNickName == NULL,
pw_arg);
+ if (certList == NULL) {
+ return SECFailure;
+ }
/* filter only the certs that meet the nickname requirements */
if (chosenNickName) {
rv = CERT_FilterCertListByNickname(certList, chosenNickName,
pw_arg);
} else {
int nnames = 0;
char **names = ssl_DistNamesToStrings(caNames, &nnames);
rv = CERT_FilterCertListByCANames(certList, nnames, names,

22
nss-3.79-increase-pbe-cache.patch
View File

@ -1,22 +0,0 @@
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
--- a/lib/softoken/lowpbe.c
+++ b/lib/softoken/lowpbe.c
@@ -565,17 +565,17 @@ struct KDFCacheItemStr {
int iterations;
int keyLen;
};
typedef struct KDFCacheItemStr KDFCacheItem;
/* Bug 1606992 - Cache the hash result for the common case that we're
* asked to repeatedly compute the key for the same password item,
* hash, iterations and salt. */
-#define KDF2_CACHE_COUNT 3
+#define KDF2_CACHE_COUNT 150
static struct {
PZLock *lock;
struct {
KDFCacheItem common;
int ivLen;
PRBool faulty3DES;
} cacheKDF1;
struct {

21
nss-3.79-pkcs12-fix-null-password.patch
View File

@ -1,21 +0,0 @@
diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
--- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700
+++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700
@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
if (zeroTerm) {
/* unicode adds two nulls at the end */
if (toUnicode) {
- if ((dest->len >= 2) &&
- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
+ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
/* we've already allocated space for these new NULLs */
PORT_Assert(dest->len + 2 <= bufferSize);
dest->len += 2;
dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
}
/* ascii/utf-8 adds just 1 */
- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
+ } else if (!dest->len || dest->data[dest->len - 1]) {
PORT_Assert(dest->len + 1 <= bufferSize);
dest->len++;
dest->data[dest->len - 1] = 0;

672
nss-3.79-rhel-9-fips-signature-policy.patch
View File

@ -1,672 +0,0 @@
diff -up ./cmd/crmftest/testcrmf.c.signature-policy ./cmd/crmftest/testcrmf.c
--- ./cmd/crmftest/testcrmf.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./cmd/crmftest/testcrmf.c 2022-06-21 09:16:23.916905015 -0700
@@ -85,7 +85,7 @@
#include "sechash.h"
#endif
-#define MAX_KEY_LEN 512
+#define MAX_KEY_LEN 1024
#define PATH_LEN 150
#define BUFF_SIZE 150
#define UID_BITS 800
diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.signature-policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-21 09:16:23.916905015 -0700
@@ -16,6 +16,7 @@
#include "secerr.h"
#include "sechash.h"
#include "pk11_signature_test.h"
+#include "blapit.h"
#include "testvectors/rsa_signature_2048_sha224-vectors.h"
#include "testvectors/rsa_signature_2048_sha256-vectors.h"
@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
* Use 6 as the invalid value since modLen % 16 must be zero.
*/
TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
- const size_t kRsaShortKeyBits = 736;
+#define RSA_SHORT_KEY_LENGTH 736
+/* if our minimum supported key length is big enough to handle
+ * our largest Hash function, we can't test a short length */
+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
+ const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
const size_t kRsaKeyBits = 752;
static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
static const std::vector<uint8_t> kSha512DigestInfo{
@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
nullptr);
EXPECT_EQ(SECSuccess, rv);
+#else
+ GTEST_SKIP();
+#endif
}
TEST(RsaPkcs1Test, RequireNullParameter) {
diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.signature-policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.signature-policy 2022-06-21 09:16:23.901904919 -0700
+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-21 09:19:12.482981408 -0700
@@ -9,6 +9,8 @@
#include "prtime.h"
#include "secerr.h"
#include "ssl.h"
+#include "nss.h"
+#include "blapit.h"
#include "gtest_utils.h"
#include "tls_agent.h"
@@ -357,9 +359,14 @@ static void GenerateWeakRsaKey(ScopedSEC
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
PK11RSAGenParams rsaparams;
- // The absolute minimum size of RSA key that we can use with SHA-256 is
- // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
+// The absolute minimum size of RSA key that we can use with SHA-256 is
+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
+#define RSA_WEAK_KEY 528
+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
rsaparams.keySizeInBits = 528;
+#else
+ rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
+#endif
rsaparams.pe = 65537;
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
@@ -399,6 +406,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
ssl_sig_rsa_pss_pss_sha256};
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
+ // save the MIN POLICY length.
+ PRInt32 minRsa;
+
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
+#if RSA_MIN_MODULUS_BITS >= 2048
+ ASSERT_EQ(SECSuccess,
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
+#else
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
+#endif
+#endif
ScopedSECKEYPrivateKey dc_priv;
ScopedSECKEYPublicKey dc_pub;
@@ -421,6 +440,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_delegated_credentials_xtn);
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
+#endif
}
class ReplaceDCSigScheme : public TlsHandshakeFilter {
diff -up ./lib/cryptohi/keyhi.h.signature-policy ./lib/cryptohi/keyhi.h
--- ./lib/cryptohi/keyhi.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/cryptohi/keyhi.h 2022-06-21 09:16:23.917905021 -0700
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
/*
+** Return the strength of the private key in bits
+*/
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
+
+/*
** Return the length of the signature in bytes
*/
extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
diff -up ./lib/cryptohi/keyi.h.signature-policy ./lib/cryptohi/keyi.h
--- ./lib/cryptohi/keyi.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/cryptohi/keyi.h 2022-06-21 09:16:23.917905021 -0700
@@ -4,6 +4,7 @@
#ifndef _KEYI_H_
#define _KEYI_H_
+#include "secerr.h"
SEC_BEGIN_PROTOS
/* NSS private functions */
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
const SECItem *params,
CK_RSA_PKCS_PSS_PARAMS *mech);
+/* make sure the key length matches the policy for keyType */
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
+ SECErrorCodes error);
SEC_END_PROTOS
#endif /* _KEYHI_H_ */
diff -up ./lib/cryptohi/seckey.c.signature-policy ./lib/cryptohi/seckey.c
--- ./lib/cryptohi/seckey.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/cryptohi/seckey.c 2022-06-21 09:16:23.917905021 -0700
@@ -14,6 +14,7 @@
#include "secdig.h"
#include "prtime.h"
#include "keyi.h"
+#include "nss.h"
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
return bitSize;
}
+unsigned
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
+{
+ unsigned bitSize = 0;
+ CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
+ SECItem params;
+ SECStatus rv;
+
+ if (!privk) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+
+ /* interpret modulus length as key strength */
+ switch (privk->keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ case rsaOaepKey:
+ /* some tokens don't export CKA_MODULUS on the private key,
+ * PK11_SignatureLen works around this if necessary */
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
+ if (bitSize == -1) {
+ bitSize = 0;
+ }
+ return bitSize;
+ case dsaKey:
+ case fortezzaKey:
+ case dhKey:
+ case keaKey:
+ attribute = CKA_PRIME;
+ break;
+ case ecKey:
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_EC_PARAMS, NULL, &params);
+ if ((rv != SECSuccess) || (params.data == NULL)) {
+ return 0;
+ }
+ bitSize = SECKEY_ECParamsToKeySize(&params);
+ PORT_Free(params.data);
+ return bitSize;
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ PORT_Assert(attribute != CKT_INVALID_TYPE);
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ attribute, NULL, &params);
+ if ((rv != SECSuccess) || (params.data == NULL)) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ bitSize = SECKEY_BigIntegerBitLength(&params);
+ PORT_Free(params.data);
+ return bitSize;
+}
+
/* returns signature length in bytes (not bits) */
unsigned
SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
}
/*
+ * Check that a given key meets the policy limits for the given key
+ * size.
+ */
+SECStatus
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
+{
+ PRInt32 opt = -1;
+ PRInt32 optVal;
+ SECStatus rv;
+
+ switch (keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ case rsaOaepKey:
+ opt = NSS_RSA_MIN_KEY_SIZE;
+ break;
+ case dsaKey:
+ case fortezzaKey:
+ opt = NSS_DSA_MIN_KEY_SIZE;
+ break;
+ case dhKey:
+ case keaKey:
+ opt = NSS_DH_MIN_KEY_SIZE;
+ break;
+ case ecKey:
+ opt = NSS_ECC_MIN_KEY_SIZE;
+ break;
+ case nullKey:
+ default:
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return SECFailure;
+ }
+ PORT_Assert(opt != -1);
+ rv = NSS_OptionGet(opt, &optVal);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ if (optVal < keyLength) {
+ PORT_SetError(error);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+/*
* Use the private key to find a public key handle. The handle will be on
* the same slot as the private key.
*/
diff -up ./lib/cryptohi/secsign.c.signature-policy ./lib/cryptohi/secsign.c
--- ./lib/cryptohi/secsign.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/cryptohi/secsign.c 2022-06-21 09:16:23.917905021 -0700
@@ -15,6 +15,7 @@
#include "pk11func.h"
#include "secerr.h"
#include "keyi.h"
+#include "nss.h"
struct SGNContextStr {
SECOidTag signalg;
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
SECOidTag hashalg, signalg;
KeyType keyType;
PRUint32 policyFlags;
+ PRInt32 optFlags;
SECStatus rv;
/* OK, map a PKCS #7 hash and encrypt algorithm into
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return NULL;
}
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
+ rv = seckey_EnforceKeySize(key->keyType,
+ SECKEY_PrivateKeyStrengthInBits(key),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+ }
+ }
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
SGNDigestInfo *di = 0;
SECOidTag enctag;
PRUint32 policyFlags;
+ PRInt32 optFlags;
result->data = 0;
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
+ rv = seckey_EnforceKeySize(privKey->keyType,
+ SECKEY_PrivateKeyStrengthInBits(privKey),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+ }
+ }
/* check the policy on the hash algorithm */
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
diff -up ./lib/cryptohi/secvfy.c.signature-policy ./lib/cryptohi/secvfy.c
--- ./lib/cryptohi/secvfy.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/cryptohi/secvfy.c 2022-06-21 09:16:23.918905028 -0700
@@ -16,6 +16,7 @@
#include "secdig.h"
#include "secerr.h"
#include "keyi.h"
+#include "nss.h"
/*
** Recover the DigestInfo from an RSA PKCS#1 signature.
@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
unsigned int sigLen;
KeyType type;
PRUint32 policyFlags;
+ PRInt32 optFlags;
/* make sure the encryption algorithm matches the key type */
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
return NULL;
}
-
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+ if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
+ rv = seckey_EnforceKeySize(key->keyType,
+ SECKEY_PublicKeyStrengthInBits(key),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ if (rv != SECSuccess) {
+ return NULL;
+ }
+ }
+ }
/* check the policy on the encryption algorithm */
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
diff -up ./lib/freebl/blapit.h.signature-policy ./lib/freebl/blapit.h
--- ./lib/freebl/blapit.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/freebl/blapit.h 2022-06-21 09:16:23.918905028 -0700
@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
* These values come from the initial key size limits from the PKCS #11
* module. They may be arbitrarily adjusted to any value freebl supports.
*/
-#define RSA_MIN_MODULUS_BITS 128
+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
#define RSA_MAX_MODULUS_BITS 16384
#define RSA_MAX_EXPONENT_BITS 64
#define DH_MIN_P_BITS 128
diff -up ./lib/nss/nss.h.signature-policy ./lib/nss/nss.h
--- ./lib/nss/nss.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/nss/nss.h 2022-06-21 09:16:23.918905028 -0700
@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
+ * the NSS_XXX_MIN_KEY_SIZE values.
+ * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
+ * value
+ * On get it returns all the flags
+ * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
+ * does not affect the other flags
+ * On get it returns all the flags
+ * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
+ * value and does not affect the other flags
+ * On get it returns all the compliment of all the flags
+ * (cleared flags == 1) */
+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
+/* currently defined flags */
+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
+
+#define NSS_ECC_MIN_KEY_SIZE 0x011
+
/*
* Set and get global options for the NSS library.
*/
diff -up ./lib/nss/nssoptions.c.signature-policy ./lib/nss/nssoptions.c
--- ./lib/nss/nssoptions.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/nss/nssoptions.c 2022-06-21 09:16:23.918905028 -0700
@@ -26,6 +26,8 @@ struct nssOps {
PRInt32 dtlsVersionMaxPolicy;
PRInt32 pkcs12DecodeForceUnicode;
PRInt32 defaultLocks;
+ PRInt32 keySizePolicyFlags;
+ PRInt32 eccMinKeySize;
};
static struct nssOps nss_ops = {
@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
1,
0xffff,
PR_FALSE,
- 0
+ 0,
+ NSS_KEY_SIZE_POLICY_SSL_FLAG,
+ SSL_ECC_MIN_CURVE_BITS
};
SECStatus
@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
case NSS_DEFAULT_LOCKS:
nss_ops.defaultLocks = value;
break;
+ case NSS_KEY_SIZE_POLICY_FLAGS:
+ nss_ops.keySizePolicyFlags = value;
+ break;
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
+ nss_ops.keySizePolicyFlags |= value;
+ break;
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
+ nss_ops.keySizePolicyFlags &= ~value;
+ break;
+ case NSS_ECC_MIN_KEY_SIZE:
+ nss_ops.eccMinKeySize = value;
+ break;
default:
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
case NSS_DEFAULT_LOCKS:
*value = nss_ops.defaultLocks;
break;
+ case NSS_KEY_SIZE_POLICY_FLAGS:
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
+ *value = nss_ops.keySizePolicyFlags;
+ break;
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
+ *value = ~nss_ops.keySizePolicyFlags;
+ break;
+ case NSS_ECC_MIN_KEY_SIZE:
+ *value = nss_ops.eccMinKeySize;
+ break;
default:
rv = SECFailure;
}
diff -up ./lib/nss/nssoptions.h.signature-policy ./lib/nss/nssoptions.h
--- ./lib/nss/nssoptions.h.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/nss/nssoptions.h 2022-06-21 09:16:23.918905028 -0700
@@ -18,3 +18,5 @@
* happens because NSS used to count bit lengths incorrectly. */
#define SSL_DH_MIN_P_BITS 1023
#define SSL_DSA_MIN_P_BITS 1023
+/* not really used by SSL, but define it here for consistency */
+#define SSL_ECC_MIN_CURVE_BITS 256
diff -up ./lib/pk11wrap/pk11kea.c.signature-policy ./lib/pk11wrap/pk11kea.c
--- ./lib/pk11wrap/pk11kea.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/pk11wrap/pk11kea.c 2022-06-21 09:16:23.918905028 -0700
@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
if (privKeyHandle == CK_INVALID_HANDLE) {
PK11RSAGenParams rsaParams;
- if (symKeyLength > 53) /* bytes */ {
- /* we'd have to generate an RSA key pair > 512 bits long,
+ if (symKeyLength > 120) /* bytes */ {
+ /* we'd have to generate an RSA key pair > 1024 bits long,
** and that's too costly. Don't even try.
*/
PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
goto rsa_failed;
}
- rsaParams.keySizeInBits =
- (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
+ rsaParams.keySizeInBits = 1024;
rsaParams.pe = 0x10001;
privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
diff -up ./lib/pk11wrap/pk11pars.c.signature-policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.signature-policy 2022-06-21 09:16:23.898904900 -0700
+++ ./lib/pk11wrap/pk11pars.c 2022-06-21 09:16:23.918905028 -0700
@@ -430,12 +430,21 @@ static const optionFreeDef sslOptList[]
{ CIPHER_NAME("DTLS1.3"), 0x304 },
};
+static const optionFreeDef keySizeFlagsList[] = {
+ { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
+ { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
+ { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
+};
+
static const optionFreeDef freeOptList[] = {
/* Restrictions for asymetric keys */
{ CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
{ CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
{ CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
+ { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
+ /* what operations doe the key size apply to */
+ { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
/* constraints on SSL Protocols */
{ CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
{ CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
@@ -543,6 +552,7 @@ secmod_getPolicyOptValue(const char *pol
*result = val;
return SECSuccess;
}
+ /* handle any ssl strings */
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
if (policyValueLength == sslOptList[i].name_size &&
PORT_Strncasecmp(sslOptList[i].name, policyValue,
@@ -551,7 +561,29 @@ secmod_getPolicyOptValue(const char *pol
return SECSuccess;
}
}
- return SECFailure;
+ /* handle key_size flags. Each flag represents a bit, which
+ * gets or'd together. They can be separated by , | or + */
+ val = 0;
+ while (*policyValue) {
+ PRBool found = PR_FALSE;
+ for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
+ if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
+ keySizeFlagsList[i].name_size) == 0) {
+ val |= keySizeFlagsList[i].option;
+ found = PR_TRUE;
+ policyValue += keySizeFlagsList[i].name_size;
+ break;
+ }
+ }
+ if (!found) {
+ return SECFailure;
+ }
+ if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
+ policyValue++;
+ }
+ }
+ *result = val;
+ return SECSuccess;
}
/* Policy operations:
diff -up ./lib/ssl/ssl3con.c.signature-policy ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./lib/ssl/ssl3con.c 2022-06-21 09:16:23.920905040 -0700
@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
unsigned dh_p_bits;
unsigned dh_g_bits;
PRInt32 minDH;
+ PRInt32 optval;
+ PRBool usePolicyLength = PR_FALSE;
SSL3Hashes hashes;
SECItem signature = { siBuffer, NULL, 0 };
@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
if (rv != SECSuccess) {
goto loser; /* malformed. */
}
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
+ if (rv == SECSuccess) {
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
+ }
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
+ : SECFailure;
if (rv != SECSuccess || minDH <= 0) {
minDH = SSL_DH_MIN_P_BITS;
}
@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
SECStatus rv;
PRUint32 minKey;
PRInt32 optval;
+ PRBool usePolicyLength = PR_TRUE;
+
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
+ if (rv == SECSuccess) {
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
+ }
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
switch (SECKEY_GetPublicKeyType(pubKey)) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
- rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
+ rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
+ : SECFailure;
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
break;
case dsaKey:
- rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
+ : SECFailure;
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
break;
case dhKey:
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
+ : SECFailure;
if (rv == SECSuccess && optval > 0) {
minKey = (PRUint32)optval;
} else {
@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
break;
case ecKey:
- /* Don't check EC strength here on the understanding that we only
- * support curves we like. */
- minKey = ss->sec.authKeyBits;
+ rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
+ : SECFailure;
+ if (rv == SECSuccess && optval > 0) {
+ minKey = (PRUint32)optval;
+ } else {
+ /* Don't check EC strength here on the understanding that we
+ * only support curves we like. */
+ minKey = ss->sec.authKeyBits;
+ }
break;
default:
diff -up ./tests/policy/crypto-policy.txt.signature-policy ./tests/policy/crypto-policy.txt
--- ./tests/policy/crypto-policy.txt.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./tests/policy/crypto-policy.txt 2022-06-21 09:16:23.920905040 -0700
@@ -6,6 +6,8 @@
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
diff -up ./tests/ssl/sslpolicy.txt.signature-policy ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.signature-policy 2022-05-26 02:54:33.000000000 -0700
+++ ./tests/ssl/sslpolicy.txt 2022-06-21 09:16:23.920905040 -0700
@@ -194,6 +194,10 @@
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
# test default settings
# NOTE: tstclient will attempt to overide the defaults, so we detect we
# were successful by locking in our settings

397
nss-3.79-rsa-pss-salt-fips.patch
View File

@ -1,397 +0,0 @@
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -232,57 +232,26 @@ NSC_DestroyObject(CK_SESSION_HANDLE hSes
* be in the data base.
*/
status = sftk_FreeObject(object);
return (status != SFTK_DestroyFailure) ? CKR_OK : CKR_DEVICE_ERROR;
}
/*
- ************** Crypto Functions: Utilities ************************
- */
-/*
- * Utility function for converting PSS/OAEP parameter types into
- * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
- */
-static HASH_HashType
-GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
-{
- switch (mech) {
- case CKM_SHA_1:
- case CKG_MGF1_SHA1:
- return HASH_AlgSHA1;
- case CKM_SHA224:
- case CKG_MGF1_SHA224:
- return HASH_AlgSHA224;
- case CKM_SHA256:
- case CKG_MGF1_SHA256:
- return HASH_AlgSHA256;
- case CKM_SHA384:
- case CKG_MGF1_SHA384:
- return HASH_AlgSHA384;
- case CKM_SHA512:
- case CKG_MGF1_SHA512:
- return HASH_AlgSHA512;
- default:
- return HASH_AlgNULL;
- }
-}
-
-/*
* Returns true if "params" contains a valid set of PSS parameters
*/
static PRBool
sftk_ValidatePssParams(const CK_RSA_PKCS_PSS_PARAMS *params)
{
if (!params) {
return PR_FALSE;
}
- if (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
- GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
+ if (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL ||
+ sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) {
return PR_FALSE;
}
return PR_TRUE;
}
/*
* Returns true if "params" contains a valid set of OAEP parameters
*/
@@ -293,18 +262,18 @@ sftk_ValidateOaepParams(const CK_RSA_PKC
return PR_FALSE;
}
/* The requirements of ulSourceLen/pSourceData come from PKCS #11, which
* state:
* If the parameter is empty, pSourceData must be NULL and
* ulSourceDataLen must be zero.
*/
if (params->source != CKZ_DATA_SPECIFIED ||
- (GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
- (GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
+ (sftk_GetHashTypeFromMechanism(params->hashAlg) == HASH_AlgNULL) ||
+ (sftk_GetHashTypeFromMechanism(params->mgf) == HASH_AlgNULL) ||
(params->ulSourceDataLen == 0 && params->pSourceData != NULL) ||
(params->ulSourceDataLen != 0 && params->pSourceData == NULL)) {
return PR_FALSE;
}
return PR_TRUE;
}
/*
@@ -606,18 +575,18 @@ sftk_RSAEncryptOAEP(SFTKOAEPInfo *info,
HASH_HashType maskHashAlg;
PORT_Assert(info->key.pub->keyType == NSSLOWKEYRSAKey);
if (info->key.pub->keyType != NSSLOWKEYRSAKey) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return SECFailure;
}
- hashAlg = GetHashTypeFromMechanism(info->params.hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(info->params.mgf);
+ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);
return RSA_EncryptOAEP(&info->key.pub->u.rsa, hashAlg, maskHashAlg,
(const unsigned char *)info->params.pSourceData,
info->params.ulSourceDataLen, NULL, 0,
output, outputLen, maxLen, input, inputLen);
}
static SECStatus
@@ -630,18 +599,18 @@ sftk_RSADecryptOAEP(SFTKOAEPInfo *info,
HASH_HashType maskHashAlg;
PORT_Assert(info->key.priv->keyType == NSSLOWKEYRSAKey);
if (info->key.priv->keyType != NSSLOWKEYRSAKey) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return SECFailure;
}
- hashAlg = GetHashTypeFromMechanism(info->params.hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(info->params.mgf);
+ hashAlg = sftk_GetHashTypeFromMechanism(info->params.hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(info->params.mgf);
rv = RSA_DecryptOAEP(&info->key.priv->u.rsa, hashAlg, maskHashAlg,
(const unsigned char *)info->params.pSourceData,
info->params.ulSourceDataLen,
output, outputLen, maxLen, input, inputLen);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
@@ -2646,18 +2615,18 @@ sftk_RSASignPSS(SFTKPSSSignInfo *info, u
CK_RSA_PKCS_PSS_PARAMS *params = &info->params;
PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
if (info->key->keyType != NSSLOWKEYRSAKey) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return SECFailure;
}
- hashAlg = GetHashTypeFromMechanism(params->hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(params->mgf);
+ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf);
rv = RSA_SignPSS(&info->key->u.rsa, hashAlg, maskHashAlg, NULL,
params->sLen, sig, sigLen, maxLen, hash, hashLen);
if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
sftk_fatalError = PR_TRUE;
}
return rv;
}
@@ -3021,17 +2990,17 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
tlsPrfHash = HASH_AlgNULL;
if (tls12_mac_params->ulMacLength != 12) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
} else {
/* The hash function for the TLS 1.2 PRF */
tlsPrfHash =
- GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism);
+ sftk_GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism);
if (tlsPrfHash == HASH_AlgNULL ||
tls12_mac_params->ulMacLength < 12) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
}
if (tls12_mac_params->ulServerOrClient == 1) {
label = "server finished";
@@ -3539,18 +3508,18 @@ sftk_RSACheckSignPSS(SFTKPSSVerifyInfo *
CK_RSA_PKCS_PSS_PARAMS *params = &info->params;
PORT_Assert(info->key->keyType == NSSLOWKEYRSAKey);
if (info->key->keyType != NSSLOWKEYRSAKey) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
return SECFailure;
}
- hashAlg = GetHashTypeFromMechanism(params->hashAlg);
- maskHashAlg = GetHashTypeFromMechanism(params->mgf);
+ hashAlg = sftk_GetHashTypeFromMechanism(params->hashAlg);
+ maskHashAlg = sftk_GetHashTypeFromMechanism(params->mgf);
return RSA_CheckSignPSS(&info->key->u.rsa, hashAlg, maskHashAlg,
params->sLen, sig, sigLen, digest, digestLen);
}
/* NSC_VerifyInit initializes a verification operation,
* where the signature is an appendix to the data,
* and plaintext cannot be recovered from the signature (e.g. DSA) */
@@ -6951,17 +6920,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
unsigned genLen = 0;
unsigned char hashbuf[HASH_LENGTH_MAX];
unsigned char keyBlock[9 * SFTK_MAX_MAC_LENGTH];
unsigned char *keyBlockAlloc = NULL; /* allocated keyBlock */
unsigned char *keyBlockData = keyBlock; /* pointer to current keyBlock */
const unsigned char *prk; /* psuedo-random key */
CK_ULONG prkLen;
const unsigned char *okm; /* output keying material */
- HASH_HashType hashType = GetHashTypeFromMechanism(params->prfHashMechanism);
+ HASH_HashType hashType = sftk_GetHashTypeFromMechanism(params->prfHashMechanism);
SFTKObject *saltKey = NULL;
CK_RV crv = CKR_OK;
/* Spec says it should be the base hash, but also accept the HMAC */
if (hashType == HASH_AlgNULL) {
hashType = sftk_HMACMechanismToHash(params->prfHashMechanism);
}
rawHash = HASH_GetRawHashObject(hashType);
@@ -7389,17 +7358,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) ||
(mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) {
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_MASTER_KEY_DERIVE_PARAMS))) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master =
(CK_TLS12_MASTER_KEY_DERIVE_PARAMS *)pMechanism->pParameter;
- tlsPrfHash = GetHashTypeFromMechanism(tls12_master->prfHashMechanism);
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_master->prfHashMechanism);
if (tlsPrfHash == HASH_AlgNULL) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
} else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) ||
(mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) {
tlsPrfHash = HASH_AlgSHA256;
}
@@ -7607,17 +7576,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
break;
}
status = TLS_PRF(&pms, "extended master secret",
&seed, &master, isFIPS);
} else {
const SECHashObject *hashObj;
- tlsPrfHash = GetHashTypeFromMechanism(ems_params->prfHashMechanism);
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(ems_params->prfHashMechanism);
if (tlsPrfHash == HASH_AlgNULL) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
hashObj = HASH_GetRawHashObject(tlsPrfHash);
if (seed.len != hashObj->length) {
crv = CKR_TEMPLATE_INCONSISTENT;
@@ -7665,17 +7634,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) {
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_TLS12_KEY_MAT_PARAMS))) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
CK_TLS12_KEY_MAT_PARAMS *tls12_keys =
(CK_TLS12_KEY_MAT_PARAMS *)pMechanism->pParameter;
- tlsPrfHash = GetHashTypeFromMechanism(tls12_keys->prfHashMechanism);
+ tlsPrfHash = sftk_GetHashTypeFromMechanism(tls12_keys->prfHashMechanism);
if (tlsPrfHash == HASH_AlgNULL) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;
}
} else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
tlsPrfHash = HASH_AlgSHA256;
}
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
--- a/lib/softoken/pkcs11i.h
+++ b/lib/softoken/pkcs11i.h
@@ -908,16 +908,19 @@ sftk_MACConstantTimeCtx *sftk_HMACConsta
sftk_MACConstantTimeCtx *sftk_SSLv3MACConstantTime_New(
CK_MECHANISM_PTR mech, SFTKObject *key);
void sftk_HMACConstantTime_Update(void *pctx, const void *data, unsigned int len);
void sftk_SSLv3MACConstantTime_Update(void *pctx, const void *data, unsigned int len);
void sftk_MACConstantTime_EndHash(
void *pctx, void *out, unsigned int *outLength, unsigned int maxLength);
void sftk_MACConstantTime_DestroyContext(void *pctx, PRBool);
+/* Crypto Utilities */
+HASH_HashType sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech);
+
/****************************************
* implement TLS Pseudo Random Function (PRF)
*/
extern CK_RV
sftk_TLSPRFInit(SFTKSessionContext *context,
SFTKObject *key,
CK_KEY_TYPE key_type,
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -95,16 +95,17 @@ CK_RV
sftk_MapVerifyError(int error)
{
CK_RV crv = sftk_MapCryptError(error);
if (crv == CKR_DEVICE_ERROR)
crv = CKR_SIGNATURE_INVALID;
return crv;
}
+
/*
* ******************** Attribute Utilities *******************************
*/
/*
* create a new attribute with type, value, and length. Space is allocated
* to hold value.
*/
@@ -2243,17 +2244,49 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
flags = CKF_MESSAGE_VERIFY;
break;
default:
break;
}
return flags;
}
+/*
+ * ******************** Hash Utilities **************************
+ */
+/*
+ * Utility function for converting PSS/OAEP parameter types into
+ * HASH_HashTypes. Note: Only SHA family functions are defined in RFC 3447.
+ */
+HASH_HashType
+sftk_GetHashTypeFromMechanism(CK_MECHANISM_TYPE mech)
+{
+ switch (mech) {
+ case CKM_SHA_1:
+ case CKG_MGF1_SHA1:
+ return HASH_AlgSHA1;
+ case CKM_SHA224:
+ case CKG_MGF1_SHA224:
+ return HASH_AlgSHA224;
+ case CKM_SHA256:
+ case CKG_MGF1_SHA256:
+ return HASH_AlgSHA256;
+ case CKM_SHA384:
+ case CKG_MGF1_SHA384:
+ return HASH_AlgSHA384;
+ case CKM_SHA512:
+ case CKG_MGF1_SHA512:
+ return HASH_AlgSHA512;
+ default:
+ return HASH_AlgNULL;
+ }
+}
+
#ifdef NSS_HAS_FIPS_INDICATORS
+/**************** FIPS Indicator Utilities *************************/
/* sigh, we probably need a version of this in secutil so that both
* softoken and NSS can use it */
static SECOidTag
sftk_quickGetECCCurveOid(SFTKObject *source)
{
SFTKAttribute *attribute = sftk_FindAttribute(source, CKA_EC_PARAMS);
unsigned char *encoded;
int len;
@@ -2379,16 +2412,39 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (mech->ulParameterLen == 0) {
/* AEAD ciphers are only in FIPS mode if we are using the
* MESSAGE interface. This takes an empty parameter
* in the init function */
return PR_TRUE;
}
return PR_FALSE;
}
+ case SFTKFIPSRSAPSS: {
+ /* PSS salt must not be greater than the length of the
+ * underlying hash. We verify that the underlying hash of the
+ * parameters matches Hash of the combined hash mechanisms, so
+ * we don't need to look at the specific PSS mechanism */
+ CK_RSA_PKCS_PSS_PARAMS *pss = (CK_RSA_PKCS_PSS_PARAMS *)
+ mech->pParameter;
+ const SECHashObject *hashObj = NULL;
+ if (mech->ulParameterLen != sizeof(*pss)) {
+ return PR_FALSE;
+ }
+ /* we use the existing hash utilities to find the length of
+ * the hash */
+ hashObj = HASH_GetRawHashObject(sftk_GetHashTypeFromMechanism(
+ pss->hashAlg));
+ if (hashObj == NULL) {
+ return PR_FALSE;
+ }
+ if (pss->sLen > hashObj->length) {
+ return PR_FALSE;
+ }
+ return PR_TRUE;
+ }
default:
break;
}
/* if we didn't understand the special processing, mark it non-fips */
return PR_FALSE;
}
#endif

57
nss-3.90-DisablingASM.patch Normal file
View File

@ -0,0 +1,57 @@
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
index 74e8e65..8995752 100644
--- a/lib/freebl/Makefile
+++ b/lib/freebl/Makefile
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
else ifeq (1,$(CC_IS_GCC))
- SUPPORTS_VALE_CURVE25519 = 1
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
index 65f9a80..23940ef 100644
--- a/lib/freebl/freebl.gyp
+++ b/lib/freebl/freebl.gyp
@@ -866,12 +866,6 @@
}],
],
}],
- [ 'supports_vale_curve25519==1', {
- 'defines': [
- # The Makefile does version-tests on GCC, but we're not doing that here.
- 'HACL_CAN_COMPILE_INLINE_ASM',
- ],
- }],
[ 'OS=="linux" or OS=="android"', {
'conditions': [
[ 'target_arch=="x64"', {
@@ -934,11 +928,6 @@
'variables': {
'module': 'nss',
'conditions': [
- [ 'target_arch=="x64" and cc_is_gcc==1', {
- 'supports_vale_curve25519%': 1,
- }, {
- 'supports_vale_curve25519%': 0,
- }],
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'have_int128_support%': 1,
}, {
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
index d198c44..34b6b3c 100644
--- a/lib/freebl/freebl_base.gypi
+++ b/lib/freebl/freebl_base.gypi
@@ -151,11 +151,6 @@
'ecl/curve25519_32.c',
],
}],
- ['supports_vale_curve25519==1', {
- 'sources': [
- 'verified/Hacl_Curve25519_64.c',
- ],
- }],
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
'sources': [
# Gyp does not support per-file cflags, so working around like this.

104
nss-3.90-add-ems-policy.patch Normal file
View File

@ -0,0 +1,104 @@
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
+ /* not really a key exchange, but it's the closest fit */
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
};
static const oidValDef signOptList[] = {
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+/* this oid value could change values if it's added after other new
+ * upstream oids. We protect applications by hiding the define in a private
+ * header file that only NSS sees. Currently it's only available through
+ * the policy code */
+#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
+
#endif /* _SECMODTI_H_ */
diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/ssl/ssl3con.c 2023-06-12 17:18:35.130938525 -0700
@@ -36,6 +36,7 @@
#include "pk11func.h"
#include "secmod.h"
#include "blapi.h"
+#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
#include <stdio.h>
@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
unsigned int master_params_len;
+ /* if we are using TLS and we aren't using the extended master secret,
+ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
+ * send and alert (eventually). In the RSA Server case, the alert
+ * won't happen until Finish time because the upper level code
+ * can't tell a difference between this failure and an RSA decrypt
+ * failure, so it will proceed with a faux key */
+ if (isTLS) {
+ PRUint32 policy;
+ SECStatus rv;
+
+ /* first fetch the policy for this algorithm */
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
+ /* we only look at the policy if we can fetch it. */
+ if (rv == SECSuccess) {
+ if (policy & NSS_USE_POLICY_IN_SSL) {
+ /* just set the error, we don't want to map any errors
+ * set by NSS_GetAlgorithmPolicy here */
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
+ return SECFailure;
+ }
+ }
+ }
+
if (isTLS12) {
if (isDH)
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
"IPsec User",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
+ /* this will change upstream. for now apps shouldn't use it */
+ /* we need it for the policy code. */
+ ODE(SEC_OID_PRIVATE_1,
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
};
/* PRIVATE EXTENDED SECOID Table
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
/* turn off NSS_USE_POLICY_IN_SSL by default */
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
+ /* turn off TLS REQUIRE EMS by default */
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
if (envVal)
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
@@ -501,6 +501,9 @@ typedef enum {
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
+ /* this will change upstream. for now apps shouldn't use it */
+ /* give it an obscure name here */
+ SEC_OID_PRIVATE_1 = 372,
SEC_OID_TOTAL
} SECOidTag;

96
nss-3.90-disable-ech.patch Normal file
View File

@ -0,0 +1,96 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
}
PORT_Free(cursor);
}
}
SECStatus
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.enableTls13GreaseEch = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss || size == 0) {
return SECFailure;
}
ssl_Get1stHandshakeLock(ss);
ssl_GetSSL3HandshakeLock(ss);
ss->ssl3.hs.greaseEchSize = size;
ssl_ReleaseSSL3HandshakeLock(ss);
ssl_Release1stHandshakeLock(ss);
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.enableTls13BackendEch = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
{
+#ifdef notdef
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
}
ss->opt.callExtensionWriterOnEchInner = enabled;
return SECSuccess;
+#else
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
+ return SECFailure;
+#endif
}
SECStatus
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
@@ -57,7 +57,6 @@ CPPSRCS = \
tls_filter.cc \
tls_protect.cc \
tls_psk_unittest.cc \
- tls_ech_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)

18
nss-fedora-btrf-sql-hack.patch
View File

@ -1,18 +0,0 @@
diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
--- ./lib/softoken/sdb.c.orig 2020-12-11 22:49:26.961726193 -0500
+++ ./lib/softoken/sdb.c 2020-12-11 23:01:30.739122494 -0500
@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
openFlags = SQLITE_OPEN_READONLY;
} else {
openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+ /* btrfs and sqlite seem to incorrectly open readwrite.
+ * when the file is readonly explicitly reject that issue here */
+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
+ return SQLITE_READONLY;
+ }
}
+
/* Requires SQLite 3.5.0 or newer. */
sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
if (sqlerr != SQLITE_OK) {

4
nss-signtool-format.patch
View File

@ -10,7 +10,7 @@ diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
- snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
@ -29,7 +29,7 @@ diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
@@ -138,6 +138,12 @@ rm_dash_r(char *path)
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
sprintf(filename, "%s/%s", path, entry->name);
snprintf(filename, sizeof(filename), "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name
+) >= sizeof(filename)) {
+ errorCount++;

19
nss-turn-off-expired-ocsp-cert.patch
View File

@ -1,19 +0,0 @@
diff --git a/tests/chains/scenarios/nameconstraints.cfg b/tests/chains/scenarios/nameconstraints.cfg
--- a/tests/chains/scenarios/nameconstraints.cfg
+++ b/tests/chains/scenarios/nameconstraints.cfg
@@ -159,12 +159,12 @@ verify NameConstraints.dcissblocked:x
verify NameConstraints.dcissallowed:x
result pass
# Subject: "O = IPA.LOCAL 201901211552, CN = OCSP Subsystem"
#
# This tests that a non server certificate (i.e. id-kp-serverAuth
# not present in EKU) does *NOT* have CN treated as dnsName for
# purposes of Name Constraints validation
-verify NameConstraints.ocsp1:x
- usage 10
- result pass
+#verify NameConstraints.ocsp1:x
+# usage 10
+# result pass

66
nss.spec
View File

@ -1,6 +1,6 @@
%global nss_version 3.79.0
%global nspr_version 4.34.0
%global baserelease 18
%global nss_version 3.90.0
%global nspr_version 4.35.0
%global baserelease 1
%global nss_release %baserelease
# NOTE: To avoid NVR clashes of nspr* packages:
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@ -156,31 +156,24 @@ Patch32: nss-disable-md5.patch
Patch33: nss-no-dbm-man-page.patch
%endif
# not upstreamable patch...
# WARNING: Need to make this patch work before checking!!! $$$$@@@
Patch34: nss-3.71-fix-lto-gtests.patch
# camellia pkcs12 docs.
Patch35: nss-3.71-camellia-pkcs12-doc.patch
# disable delegated credentials
Patch36: nss-disable-dc.patch
# disable ech
Patch37: nss-3.90-disable-ech.patch
# patches that expect to be upstreamed
# https://bugzilla.mozilla.org/show_bug.cgi?id=1774659
Patch51: nss-3.79-dbtool.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1774657
Patch52: nss-3.79-dont-verify-default.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1774654
Patch53: nss-3.79-fix-client-cert-crash.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
Patch54: nss-3.79-rhel-9-fips-signature-policy.patch
Patch55: nss-3.79-enable-POST-rerun.patch
Patch56: nss-3.79-increase-pbe-cache.patch
Patch57: nss-3.79-pkcs12-fix-null-password.patch
Patch58: nss-3.79-fips.patch
Patch60: nss-3.79-rsa-pss-salt-fips.patch
Patch61: nss-3.79-fips-review.patches
# cve 2023-0767, remove on rebase to nss 3.88.1 or later
# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640
Patch70: cve-2023-0767.patch
# ems policy. needs to upstream
Patch70: nss-3.90-add-ems-policy.patch
Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch
@ -188,6 +181,12 @@ Patch101: nspr-gcc-atomics.patch
Patch110: nspr-4.34-fix-coverity-loop-issue.patch
Patch120: nspr-4.34-server-passive.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
Patch60: nss-3.90-DisablingASM.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
@ -202,7 +201,7 @@ v3 certificates, and other security standards.
%package tools
Summary: Tools for the Network Security Services
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: %{name}%{?_isa} = %{nss_version}-%{nss_release}
%description tools
Network Security Services (NSS) is a set of libraries designed to
@ -219,7 +218,7 @@ Summary: System NSS Initialization
# providing nss-system-init without version so that it can
# be replaced by a better one, e.g. supplied by the os vendor
Provides: nss-system-init
Requires: nss%{?_isa} = %{version}-%{release}
Requires: nss%{?_isa} = %{nss_version}-%{nss_release}
Requires(post): coreutils, sed
%description sysinit
@ -230,8 +229,8 @@ any system or user configured modules.
%package devel
Summary: Development libraries for Network Security Services
Provides: nss-static = %{version}-%{release}
Requires: nss%{?_isa} = %{version}-%{release}
Provides: nss-static = %{nss_version}-%{nss_release}
Requires: nss%{?_isa} = %{nss_version}-%{nss_release}
Requires: nss-util-devel
Requires: nss-softokn-devel
Requires: nspr-devel >= %{nspr_version}
@ -244,9 +243,9 @@ Header and Library files for doing development with Network Security Services.
%package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Provides: nss-pkcs11-devel-static = %{version}-%{release}
Requires: nss-devel = %{version}-%{release}
Requires: nss-softokn-freebl-devel = %{version}-%{release}
Provides: nss-pkcs11-devel-static = %{nss_version}-%{nss_release}
Requires: nss-devel = %{nss_version}-%{nss_release}
Requires: nss-softokn-freebl-devel = %{nss_version}-%{nss_release}
%description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS
@ -262,7 +261,7 @@ Utilities for Network Security Services and the Softoken module
%package util-devel
Summary: Development libraries for Network Security Services Utilities
Requires: nss-util%{?_isa} = %{version}-%{release}
Requires: nss-util%{?_isa} = %{nss_version}-%{nss_release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig
@ -273,8 +272,8 @@ Header and library files for doing development with Network Security Services.
%package softokn
Summary: Network Security Services Softoken Module
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{version}-%{release}
Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
Requires: nss-util >= %{nss_version}-%{nss_release}
Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{nss_release}
%description softokn
Network Security Services Softoken Cryptographic Module
@ -295,8 +294,8 @@ Install the nss-softokn-freebl package if you need the freebl library.
%package softokn-freebl-devel
Summary: Header and Library files for doing development with the Freebl library for NSS
Provides: nss-softokn-freebl-static = %{version}-%{release}
Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release}
Provides: nss-softokn-freebl-static = %{nss_version}-%{nss_release}
Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{nss_release}
%description softokn-freebl-devel
NSS Softoken Cryptographic Module Freebl Library Development Tools
@ -307,10 +306,10 @@ Developers should rely only on the officially supported NSS public API.
%package softokn-devel
Summary: Development libraries for Network Security Services
Requires: nss-softokn%{?_isa} = %{version}-%{release}
Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
Requires: nss-softokn%{?_isa} = %{nss_version}-%{nss_release}
Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{nss_release}
Requires: nspr-devel >= %{nspr_version}
Requires: nss-util-devel >= %{version}-%{release}
Requires: nss-util-devel >= %{nss_version}-%{nss_release}
Requires: pkgconfig
%description softokn-devel
@ -434,7 +433,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
# FIPS related defines
export NSS_FORCE_FIPS=1
export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
export NSS_FIPS_VERSION="%{name}\ %{nss_version}-%{srpmhash}"
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
@ -1171,6 +1170,11 @@ update-crypto-policies &> /dev/null || :
%changelog
* Mon Jun 12 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
- Rebase to NSS-3.90
- Rebase to NSPR-3.35
- fix incorrect version values in the NSS spec file for FIPS
* Fri Mar 17 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-18
- fix memory leak, add generator test in FIPS mode.

4
sources
View File

@ -1,4 +1,4 @@
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (nspr-4.34.tar.gz) = 4cfac886c14cf7df4c4b79fa1c3bc92e1b14260c9c3018fa2562060d62fecb4e66c0b4e8f7edf4f4823def784a919d99dde88a89674f0cd8a644310b0569ead4
SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d
SHA512 (nspr-4.35.tar.gz) = 502815833116e25f79ddf71d1526484908aa92fbc55f8a892729cb404a4daafcc0470a89854cd080d2d20299fdb7d9662507c5362c7ae661cbacf308ac56ef7f
SHA512 (nss-3.90.tar.gz) = e41f4de73f4971c8f35dffe3926b6845ef12a1ce7e8f3fe682e643ddb791a009d079c1706f66d065333af884726840dbc96d4e44762f9c3e48b8d919c09ae625