Auto sync2gitlab import of nss-3.79.0-7.el8_6.src.rpm
This commit is contained in:
CentOS Sources
parent
f0b7c76169
commit
a3663077aa
@ -1,39 +0,0 @@
|
|||||||
diff -up ./lib/softoken/kbkdf.c.coverity ./lib/softoken/kbkdf.c
|
|
||||||
--- ./lib/softoken/kbkdf.c.coverity 2019-12-03 15:33:43.047732312 -0800
|
|
||||||
+++ ./lib/softoken/kbkdf.c 2019-12-03 15:39:40.982578357 -0800
|
|
||||||
@@ -534,6 +534,10 @@ CK_RV kbkdf_CreateKey(CK_SESSION_HANDLE
|
|
||||||
PR_ASSERT(derived_key != NULL);
|
|
||||||
PR_ASSERT(derived_key->phKey != NULL);
|
|
||||||
|
|
||||||
+ if (slot == NULL) {
|
|
||||||
+ return CKR_SESSION_HANDLE_INVALID;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Create the new key object for this additional derived key. */
|
|
||||||
key = sftk_NewObject(slot);
|
|
||||||
if (key == NULL) {
|
|
||||||
@@ -589,7 +593,9 @@ done:
|
|
||||||
sftk_FreeObject(key);
|
|
||||||
|
|
||||||
/* Doesn't do anything. */
|
|
||||||
- sftk_FreeSession(session);
|
|
||||||
+ if (session) {
|
|
||||||
+ sftk_FreeSession(session);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
diff -up ./lib/softoken/sftkhmac.c.coverity ./lib/softoken/sftkhmac.c
|
|
||||||
--- ./lib/softoken/sftkhmac.c.coverity 2019-12-03 15:40:06.108848341 -0800
|
|
||||||
+++ ./lib/softoken/sftkhmac.c 2019-12-03 15:41:04.919480267 -0800
|
|
||||||
@@ -232,7 +232,9 @@ sftk_MAC_Init(sftk_MACCtx *ctx, CK_MECHA
|
|
||||||
keyval->attrib.ulValueLen, isFIPS);
|
|
||||||
|
|
||||||
done:
|
|
||||||
- sftk_FreeAttribute(keyval);
|
|
||||||
+ if (keyval) {
|
|
||||||
+ sftk_FreeAttribute(keyval);
|
|
||||||
+ }
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
@ -1,24 +0,0 @@
|
|||||||
diff -up ./coreconf/config.gypi.orig ./coreconf/config.gypi
|
|
||||||
--- ./coreconf/config.gypi.orig 2020-06-16 15:50:59.000000000 -0700
|
|
||||||
+++ ./coreconf/config.gypi 2020-10-15 16:05:37.542761192 -0700
|
|
||||||
@@ -363,7 +363,7 @@
|
|
||||||
'_DEFAULT_SOURCE', # for <endian.h> functions, strdup, realpath, and getentropy
|
|
||||||
'_BSD_SOURCE', # for the above in glibc <= 2.19
|
|
||||||
'_POSIX_SOURCE', # for <signal.h>
|
|
||||||
- 'SQL_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
|
|
||||||
+ 'SDB_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
|
|
||||||
],
|
|
||||||
}],
|
|
||||||
[ 'OS=="dragonfly" or OS=="freebsd"', {
|
|
||||||
diff -up ./coreconf/Linux.mk.orig ./coreconf/Linux.mk
|
|
||||||
--- ./coreconf/Linux.mk.orig 2020-10-15 16:05:04.794591674 -0700
|
|
||||||
+++ ./coreconf/Linux.mk 2020-10-15 16:05:37.543761197 -0700
|
|
||||||
@@ -21,7 +21,7 @@ ifeq ($(USE_PTHREADS),1)
|
|
||||||
endif
|
|
||||||
|
|
||||||
DEFAULT_COMPILER = gcc
|
|
||||||
-DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSQL_MEASURE_USE_TEMP_DIR
|
|
||||||
+DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR
|
|
||||||
|
|
||||||
ifeq ($(OS_TARGET),Android)
|
|
||||||
ifndef ANDROID_NDK
|
|
||||||
@ -1,16 +0,0 @@
|
|||||||
diff -up ./tests/common/parsegtestreport.sed.new_gtest ./tests/common/parsegtestreport.sed
|
|
||||||
--- ./tests/common/parsegtestreport.sed.new_gtest 2021-06-17 16:26:49.361035662 -0700
|
|
||||||
+++ ./tests/common/parsegtestreport.sed 2021-06-17 16:49:08.512261136 -0700
|
|
||||||
@@ -1,8 +1,11 @@
|
|
||||||
/\<testcase/{
|
|
||||||
- s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
|
|
||||||
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\).*$/\3 '\4: \1 \2'/
|
|
||||||
t end
|
|
||||||
s/^.* name="\([^"]*\)" status="\([^"]*\)" time="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
|
|
||||||
t end
|
|
||||||
+ s/^.* name="\([^"]*\)" value_param="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\3 '\4: \1 \2'/
|
|
||||||
+ t end
|
|
||||||
+ s/^.* name="\([^"]*\)" status="\([^"]*\)" result="[^"]*" time="[^"]*" timestamp="[^"]*" classname="\([^"]*\)".*$/\2 '\3: \1'/
|
|
||||||
}
|
|
||||||
d
|
|
||||||
: end
|
|
||||||
@ -1,86 +0,0 @@
|
|||||||
diff -up ./gtests/softoken_gtest/softoken_dh_vectors.h.orig ./gtests/softoken_gtest/softoken_dh_vectors.h
|
|
||||||
--- ./gtests/softoken_gtest/softoken_dh_vectors.h.orig 2021-06-02 16:57:50.557008790 -0700
|
|
||||||
+++ ./gtests/softoken_gtest/softoken_dh_vectors.h 2021-06-02 16:59:52.781735096 -0700
|
|
||||||
@@ -2872,7 +2872,7 @@ static const DhTestVector DH_TEST_VECTOR
|
|
||||||
{siBuffer, (unsigned char *)g2, sizeof(g2)},
|
|
||||||
{siBuffer, NULL, 0},
|
|
||||||
{siBuffer, NULL, 0},
|
|
||||||
- IKE_APPROVED,
|
|
||||||
+ SAFE_PRIME,
|
|
||||||
CLASS_1536},
|
|
||||||
{"IKE 2048",
|
|
||||||
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
|
|
||||||
@@ -2952,7 +2952,7 @@ static const DhTestVector DH_TEST_VECTOR
|
|
||||||
{siBuffer, (unsigned char *)sub2_prime_ike_1536,
|
|
||||||
sizeof(sub2_prime_ike_1536)},
|
|
||||||
{siBuffer, NULL, 0},
|
|
||||||
- IKE_APPROVED,
|
|
||||||
+ SAFE_PRIME,
|
|
||||||
CLASS_1536},
|
|
||||||
{"IKE 2048 with subprime",
|
|
||||||
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
|
|
||||||
diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c
|
|
||||||
--- ./lib/softoken/pkcs11c.c.orig 2021-05-28 02:50:43.000000000 -0700
|
|
||||||
+++ ./lib/softoken/pkcs11c.c 2021-06-02 16:52:01.196932757 -0700
|
|
||||||
@@ -5193,7 +5193,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
|
||||||
/* subprime not supplied, In this case look it up.
|
|
||||||
* This only works with approved primes, but in FIPS mode
|
|
||||||
* that's the only kine of prime that will get here */
|
|
||||||
- subPrimePtr = sftk_VerifyDH_Prime(&prime);
|
|
||||||
+ subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS);
|
|
||||||
if (subPrimePtr == NULL) {
|
|
||||||
crv = CKR_GENERAL_ERROR;
|
|
||||||
goto done;
|
|
||||||
@@ -8351,7 +8351,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
|
||||||
|
|
||||||
/* if the prime is an approved prime, we can skip all the other
|
|
||||||
* checks. */
|
|
||||||
- subPrime = sftk_VerifyDH_Prime(&dhPrime);
|
|
||||||
+ subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS);
|
|
||||||
if (subPrime == NULL) {
|
|
||||||
SECItem dhSubPrime;
|
|
||||||
/* If the caller set the subprime value, it means that
|
|
||||||
diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h
|
|
||||||
--- ./lib/softoken/pkcs11i.h.orig 2021-06-02 16:52:01.196932757 -0700
|
|
||||||
+++ ./lib/softoken/pkcs11i.h 2021-06-02 16:52:54.281248207 -0700
|
|
||||||
@@ -946,7 +946,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
|
||||||
/* dh verify functions */
|
|
||||||
/* verify that dhPrime matches one of our known primes, and if so return
|
|
||||||
* it's subprime value */
|
|
||||||
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime);
|
|
||||||
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
|
|
||||||
/* check if dhSubPrime claims dhPrime is a safe prime. */
|
|
||||||
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
|
||||||
/* map an operation Attribute to a Mechanism flag */
|
|
||||||
diff -up ./lib/softoken/pkcs11u.c.orig ./lib/softoken/pkcs11u.c
|
|
||||||
--- ./lib/softoken/pkcs11u.c.orig 2021-06-02 16:54:23.387777705 -0700
|
|
||||||
+++ ./lib/softoken/pkcs11u.c 2021-06-02 16:54:51.012941866 -0700
|
|
||||||
@@ -2312,7 +2312,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
return PR_FALSE;
|
|
||||||
}
|
|
||||||
- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime);
|
|
||||||
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
|
|
||||||
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
|
|
||||||
return (dhSubPrime) ? PR_TRUE : PR_FALSE;
|
|
||||||
}
|
|
||||||
diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c
|
|
||||||
--- ./lib/softoken/sftkdhverify.c.orig 2021-05-28 02:50:43.000000000 -0700
|
|
||||||
+++ ./lib/softoken/sftkdhverify.c 2021-06-02 16:52:01.196932757 -0700
|
|
||||||
@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192 =
|
|
||||||
* verify that dhPrime matches one of our known primes
|
|
||||||
*/
|
|
||||||
const SECItem *
|
|
||||||
-sftk_VerifyDH_Prime(SECItem *dhPrime)
|
|
||||||
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
|
|
||||||
{
|
|
||||||
/* use the length to decide which primes to check */
|
|
||||||
switch (dhPrime->len) {
|
|
||||||
case 1536 / PR_BITS_PER_BYTE:
|
|
||||||
+ /* don't accept 1536 bit primes in FIPS mode */
|
|
||||||
+ if (isFIPS) {
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
|
|
||||||
sizeof(prime_ike_1536)) == 0) {
|
|
||||||
return &subprime_ike_1536;
|
|
||||||
@ -1,325 +0,0 @@
|
|||||||
diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/cert/Leaf-bogus-dsa.crt
|
|
||||||
@@ -0,0 +1,143 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl
|
|
||||||
+RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw
|
|
||||||
+WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0
|
|
||||||
+dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq
|
|
||||||
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
|
|
||||||
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
|
|
||||||
+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
|
|
||||||
+u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
|
|
||||||
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
|
|
||||||
+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM
|
|
||||||
+zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
|
|
||||||
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d
|
|
||||||
+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG
|
|
||||||
+ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u
|
|
||||||
+7u7u7u7uAoIIAQD/////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+////////////////////////////////////////////////////////////////
|
|
||||||
+/////////////////////////////////////////////////////////w==
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt
|
|
||||||
new file mode 100644
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/tests/cert/Leaf-bogus-rsa-pss.crt
|
|
||||||
@@ -0,0 +1,126 @@
|
|
||||||
+-----BEGIN CERTIFICATE-----
|
|
||||||
+MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI
|
|
||||||
+AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x
|
|
||||||
+EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw
|
|
||||||
+MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE
|
|
||||||
+AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE
|
|
||||||
+RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G
|
|
||||||
+CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL
|
|
||||||
+CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
|
|
||||||
+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU=
|
|
||||||
+-----END CERTIFICATE-----
|
|
||||||
diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh
|
|
||||||
--- a/tests/cert/cert.sh
|
|
||||||
+++ b/tests/cert/cert.sh
|
|
||||||
@@ -114,16 +114,28 @@ certu()
|
|
||||||
cert_log "ERROR: ${CU_ACTION} failed $RET"
|
|
||||||
else
|
|
||||||
html_passed "${CU_ACTION}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
return $RET
|
|
||||||
}
|
|
||||||
|
|
||||||
+cert_test_vfy()
|
|
||||||
+{
|
|
||||||
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
|
|
||||||
+ echo " vfychain -a Leaf-bogus-dsa.crt"
|
|
||||||
+ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt
|
|
||||||
+ html_msg $? 1 "Verify large dsa signature"
|
|
||||||
+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------"
|
|
||||||
+ echo " vfychain -a Leaf-bogus-rsa-pss.crt"
|
|
||||||
+ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt
|
|
||||||
+ html_msg $? 1 "Verify large rsa pss signature"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
################################ crlu #################################
|
|
||||||
# local shell function to call crlutil, also: writes action and options to
|
|
||||||
# stdout, sets variable RET and writes results to the html file results
|
|
||||||
########################################################################
|
|
||||||
crlu()
|
|
||||||
{
|
|
||||||
echo "$SCRIPTNAME: ${CU_ACTION} --------------------------"
|
|
||||||
|
|
||||||
@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
|
|
||||||
else
|
|
||||||
echo "$SCRIPTNAME: Skipping CRL Tests"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then
|
|
||||||
cert_stresscerts
|
|
||||||
fi
|
|
||||||
|
|
||||||
+cert_test_vfy
|
|
||||||
+
|
|
||||||
cert_iopr_setup
|
|
||||||
|
|
||||||
cert_cleanup
|
|
||||||
@ -1,279 +0,0 @@
|
|||||||
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
|
|
||||||
--- a/lib/cryptohi/secvfy.c
|
|
||||||
+++ b/lib/cryptohi/secvfy.c
|
|
||||||
@@ -164,6 +164,37 @@
|
|
||||||
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
|
|
||||||
}
|
|
||||||
|
|
||||||
+static unsigned int
|
|
||||||
+checkedSignatureLen(const SECKEYPublicKey *pubk)
|
|
||||||
+{
|
|
||||||
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
|
|
||||||
+ if (sigLen == 0) {
|
|
||||||
+ /* Error set by SECKEY_SignatureLen */
|
|
||||||
+ return sigLen;
|
|
||||||
+ }
|
|
||||||
+ unsigned int maxSigLen;
|
|
||||||
+ switch (pubk->keyType) {
|
|
||||||
+ case rsaKey:
|
|
||||||
+ case rsaPssKey:
|
|
||||||
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
|
|
||||||
+ break;
|
|
||||||
+ case dsaKey:
|
|
||||||
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
|
|
||||||
+ break;
|
|
||||||
+ case ecKey:
|
|
||||||
+ maxSigLen = 2 * MAX_ECKEY_LEN;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ if (sigLen > maxSigLen) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
|
||||||
+ return 0;
|
|
||||||
+ }
|
|
||||||
+ return sigLen;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
* decode the ECDSA or DSA signature from it's DER wrapping.
|
|
||||||
* The unwrapped/raw signature is placed in the buffer pointed
|
|
||||||
@@ -174,38 +205,38 @@
|
|
||||||
unsigned int len)
|
|
||||||
{
|
|
||||||
SECItem *dsasig = NULL; /* also used for ECDSA */
|
|
||||||
- SECStatus rv = SECSuccess;
|
|
||||||
|
|
||||||
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
|
|
||||||
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
|
|
||||||
- if (sig->len != len) {
|
|
||||||
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
- return SECFailure;
|
|
||||||
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
|
|
||||||
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
|
|
||||||
+ if (len > DSA_MAX_SIGNATURE_LEN) {
|
|
||||||
+ goto loser;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- PORT_Memcpy(dsig, sig->data, sig->len);
|
|
||||||
- return SECSuccess;
|
|
||||||
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
|
||||||
+ if (len > MAX_ECKEY_LEN * 2) {
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ goto loser;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
|
|
||||||
- if (len > MAX_ECKEY_LEN * 2) {
|
|
||||||
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
- return SECFailure;
|
|
||||||
- }
|
|
||||||
+ /* Decode and pad to length */
|
|
||||||
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
|
||||||
+ if (dsasig == NULL) {
|
|
||||||
+ goto loser;
|
|
||||||
}
|
|
||||||
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
|
|
||||||
-
|
|
||||||
- if ((dsasig == NULL) || (dsasig->len != len)) {
|
|
||||||
- rv = SECFailure;
|
|
||||||
- } else {
|
|
||||||
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
|
|
||||||
+ if (dsasig->len != len) {
|
|
||||||
+ SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
||||||
+ goto loser;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (dsasig != NULL)
|
|
||||||
- SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
||||||
- if (rv == SECFailure)
|
|
||||||
- PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
- return rv;
|
|
||||||
+ PORT_Memcpy(dsig, dsasig->data, len);
|
|
||||||
+ SECITEM_FreeItem(dsasig, PR_TRUE);
|
|
||||||
+
|
|
||||||
+ return SECSuccess;
|
|
||||||
+
|
|
||||||
+loser:
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_DER);
|
|
||||||
+ return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
const SEC_ASN1Template hashParameterTemplate[] =
|
|
||||||
@@ -281,7 +312,7 @@
|
|
||||||
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
|
|
||||||
const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg)
|
|
||||||
{
|
|
||||||
- int len;
|
|
||||||
+ unsigned int len;
|
|
||||||
PLArenaPool *arena;
|
|
||||||
SECStatus rv;
|
|
||||||
SECItem oid;
|
|
||||||
@@ -466,48 +497,52 @@
|
|
||||||
cx->pkcs1RSADigestInfo = NULL;
|
|
||||||
rv = SECSuccess;
|
|
||||||
if (sig) {
|
|
||||||
- switch (type) {
|
|
||||||
- case rsaKey:
|
|
||||||
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
|
||||||
- &cx->pkcs1RSADigestInfo,
|
|
||||||
- &cx->pkcs1RSADigestInfoLen,
|
|
||||||
- cx->key,
|
|
||||||
- sig, wincx);
|
|
||||||
- break;
|
|
||||||
- case rsaPssKey:
|
|
||||||
- sigLen = SECKEY_SignatureLen(key);
|
|
||||||
- if (sigLen == 0) {
|
|
||||||
- /* error set by SECKEY_SignatureLen */
|
|
||||||
- rv = SECFailure;
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ if (type == rsaKey) {
|
|
||||||
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
|
|
||||||
+ &cx->pkcs1RSADigestInfo,
|
|
||||||
+ &cx->pkcs1RSADigestInfoLen,
|
|
||||||
+ cx->key,
|
|
||||||
+ sig, wincx);
|
|
||||||
+ } else {
|
|
||||||
+ sigLen = checkedSignatureLen(key);
|
|
||||||
+ /* Check signature length is within limits */
|
|
||||||
+ if (sigLen == 0) {
|
|
||||||
+ /* error set by checkedSignatureLen */
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ if (sigLen > sizeof(cx->u)) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ switch (type) {
|
|
||||||
+ case rsaPssKey:
|
|
||||||
+ if (sig->len != sigLen) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
|
||||||
+ rv = SECSuccess;
|
|
||||||
break;
|
|
||||||
- }
|
|
||||||
- if (sig->len != sigLen) {
|
|
||||||
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
+ case ecKey:
|
|
||||||
+ case dsaKey:
|
|
||||||
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
|
|
||||||
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ /* Unreachable */
|
|
||||||
rv = SECFailure;
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
|
|
||||||
- break;
|
|
||||||
- case dsaKey:
|
|
||||||
- case ecKey:
|
|
||||||
- sigLen = SECKEY_SignatureLen(key);
|
|
||||||
- if (sigLen == 0) {
|
|
||||||
- /* error set by SECKEY_SignatureLen */
|
|
||||||
- rv = SECFailure;
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
|
|
||||||
- break;
|
|
||||||
- default:
|
|
||||||
- rv = SECFailure;
|
|
||||||
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
|
|
||||||
- break;
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ if (rv != SECSuccess) {
|
|
||||||
+ goto loser;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (rv)
|
|
||||||
- goto loser;
|
|
||||||
-
|
|
||||||
/* check hash alg again, RSA may have changed it.*/
|
|
||||||
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
|
|
||||||
/* error set by HASH_GetHashTypeByOidTag */
|
|
||||||
@@ -650,11 +685,16 @@
|
|
||||||
switch (cx->key->keyType) {
|
|
||||||
case ecKey:
|
|
||||||
case dsaKey:
|
|
||||||
- dsasig.data = cx->u.buffer;
|
|
||||||
- dsasig.len = SECKEY_SignatureLen(cx->key);
|
|
||||||
+ dsasig.len = checkedSignatureLen(cx->key);
|
|
||||||
if (dsasig.len == 0) {
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
+ if (dsasig.len > sizeof(cx->u)) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+ dsasig.data = cx->u.buffer;
|
|
||||||
+
|
|
||||||
if (sig) {
|
|
||||||
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
|
|
||||||
dsasig.len);
|
|
||||||
@@ -686,8 +726,13 @@
|
|
||||||
}
|
|
||||||
|
|
||||||
rsasig.data = cx->u.buffer;
|
|
||||||
- rsasig.len = SECKEY_SignatureLen(cx->key);
|
|
||||||
+ rsasig.len = checkedSignatureLen(cx->key);
|
|
||||||
if (rsasig.len == 0) {
|
|
||||||
+ /* Error set by checkedSignatureLen */
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+ if (rsasig.len > sizeof(cx->u)) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
if (sig) {
|
|
||||||
@@ -749,7 +794,6 @@
|
|
||||||
SECStatus rv;
|
|
||||||
VFYContext *cx;
|
|
||||||
SECItem dsasig; /* also used for ECDSA */
|
|
||||||
-
|
|
||||||
rv = SECFailure;
|
|
||||||
|
|
||||||
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
|
|
||||||
@@ -757,19 +801,25 @@
|
|
||||||
switch (key->keyType) {
|
|
||||||
case rsaKey:
|
|
||||||
rv = verifyPKCS1DigestInfo(cx, digest);
|
|
||||||
+ /* Error (if any) set by verifyPKCS1DigestInfo */
|
|
||||||
break;
|
|
||||||
- case dsaKey:
|
|
||||||
case ecKey:
|
|
||||||
+ case dsaKey:
|
|
||||||
dsasig.data = cx->u.buffer;
|
|
||||||
- dsasig.len = SECKEY_SignatureLen(cx->key);
|
|
||||||
+ dsasig.len = checkedSignatureLen(cx->key);
|
|
||||||
if (dsasig.len == 0) {
|
|
||||||
+ /* Error set by checkedSignatureLen */
|
|
||||||
+ rv = SECFailure;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
|
|
||||||
- SECSuccess) {
|
|
||||||
+ if (dsasig.len > sizeof(cx->u)) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
- } else {
|
|
||||||
- rv = SECSuccess;
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
|
|
||||||
+ if (rv != SECSuccess) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
|
|
||||||
@ -1,45 +0,0 @@
|
|||||||
diff -up ./lib/pk11wrap/pk11cxt.c.coverity ./lib/pk11wrap/pk11cxt.c
|
|
||||||
--- ./lib/pk11wrap/pk11cxt.c.coverity 2021-06-18 09:36:19.499203028 -0700
|
|
||||||
+++ ./lib/pk11wrap/pk11cxt.c 2021-06-18 09:37:57.993765299 -0700
|
|
||||||
@@ -382,7 +382,7 @@ pk11_CreateNewContextInSlot(CK_MECHANISM
|
|
||||||
* of the connection.*/
|
|
||||||
context->fortezzaHack = PR_FALSE;
|
|
||||||
if (type == CKM_SKIPJACK_CBC64) {
|
|
||||||
- if (symKey->origin == PK11_OriginFortezzaHack) {
|
|
||||||
+ if (symKey && (symKey->origin == PK11_OriginFortezzaHack)) {
|
|
||||||
context->fortezzaHack = PR_TRUE;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
diff -up ./lib/pk11wrap/pk11hpke.c.coverity ./lib/pk11wrap/pk11hpke.c
|
|
||||||
--- ./lib/pk11wrap/pk11hpke.c.coverity 2021-06-18 13:40:05.410644464 -0700
|
|
||||||
+++ ./lib/pk11wrap/pk11hpke.c 2021-06-18 13:42:40.627606469 -0700
|
|
||||||
@@ -1164,8 +1164,6 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
|
|
||||||
unsigned char tagBuf[HASH_LENGTH_MAX];
|
|
||||||
size_t tagLen;
|
|
||||||
unsigned int fixedBits;
|
|
||||||
- PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
|
|
||||||
- PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
|
|
||||||
|
|
||||||
/* aad may be NULL, PT may be zero-length but not NULL. */
|
|
||||||
if (!cx || !cx->aeadContext ||
|
|
||||||
@@ -1176,6 +1174,9 @@ PK11_HPKE_Seal(HpkeContext *cx, const SE
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ PORT_Assert(cx->baseNonce->len == sizeof(ivOut));
|
|
||||||
+ PORT_Memcpy(ivOut, cx->baseNonce->data, cx->baseNonce->len);
|
|
||||||
+
|
|
||||||
tagLen = cx->aeadParams->tagLen;
|
|
||||||
maxOut = pt->len + tagLen;
|
|
||||||
fixedBits = (cx->baseNonce->len - 8) * 8;
|
|
||||||
diff -up ./lib/softoken/sftkike.c.coverity ./lib/softoken/sftkike.c
|
|
||||||
--- ./lib/softoken/sftkike.c.coverity 2021-06-18 09:33:59.633405513 -0700
|
|
||||||
+++ ./lib/softoken/sftkike.c 2021-06-18 09:34:20.305523382 -0700
|
|
||||||
@@ -1411,7 +1411,6 @@ sftk_fips_IKE_PowerUpSelfTests(void)
|
|
||||||
(outKeySize != sizeof(ike_known_sha256_prf_plus)) ||
|
|
||||||
(PORT_Memcmp(outKeyData, ike_known_sha256_prf_plus,
|
|
||||||
sizeof(ike_known_sha256_prf_plus)) != 0)) {
|
|
||||||
- PORT_ZFree(outKeyData, outKeySize);
|
|
||||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
@ -1,81 +0,0 @@
|
|||||||
diff -up ./lib/softoken/sftkpwd.c.orig ./lib/softoken/sftkpwd.c
|
|
||||||
--- ./lib/softoken/sftkpwd.c.orig 2021-06-10 05:33:12.000000000 -0700
|
|
||||||
+++ ./lib/softoken/sftkpwd.c 2021-07-01 14:04:34.068596942 -0700
|
|
||||||
@@ -287,9 +287,12 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
|
|
||||||
}
|
|
||||||
|
|
||||||
/* If we are using aes 256, we need to check authentication as well.*/
|
|
||||||
- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
|
|
||||||
+ if ((type != CKT_INVALID_TYPE) &&
|
|
||||||
+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
|
|
||||||
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
|
|
||||||
SECItem signature;
|
|
||||||
unsigned char signData[SDB_MAX_META_DATA_LEN];
|
|
||||||
+ CK_RV crv;
|
|
||||||
|
|
||||||
/* if we get here from the old legacy db, there is clearly an
|
|
||||||
* error, don't return the plaintext */
|
|
||||||
@@ -301,15 +304,28 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
|
|
||||||
|
|
||||||
signature.data = signData;
|
|
||||||
signature.len = sizeof(signData);
|
|
||||||
- rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ /* sign sftkdb_GetAttriibuteSignature returns a crv, not an rv */
|
|
||||||
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
||||||
&signature);
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- goto loser;
|
|
||||||
+ if (crv == CKR_OK) {
|
|
||||||
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
|
|
||||||
+ type, *plain, &signature);
|
|
||||||
}
|
|
||||||
- rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
|
|
||||||
- *plain, &signature);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
- goto loser;
|
|
||||||
+ /* handle a bug where old versions of NSS misfiled the signature
|
|
||||||
+ * attribute on password update */
|
|
||||||
+ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
|
|
||||||
+ signature.len = sizeof(signData);
|
|
||||||
+ crv = sftkdb_GetAttributeSignature(handle, handle, id, type,
|
|
||||||
+ &signature);
|
|
||||||
+ if (crv != CKR_OK) {
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
|
|
||||||
+ type, *plain, &signature);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -1198,6 +1214,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
||||||
unsigned int i;
|
|
||||||
for (i = 0; i < privAttrCount; i++) {
|
|
||||||
// Read the old attribute in the clear.
|
|
||||||
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
|
|
||||||
CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
|
|
||||||
CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
@@ -1222,7 +1239,7 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
||||||
plainText.data = privAttr.pValue;
|
|
||||||
plainText.len = privAttr.ulValueLen;
|
|
||||||
if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
|
|
||||||
- iterationCount, id, privAttr.type,
|
|
||||||
+ iterationCount, sdbId, privAttr.type,
|
|
||||||
&plainText, &result) != SECSuccess) {
|
|
||||||
return CKR_GENERAL_ERROR;
|
|
||||||
}
|
|
||||||
@@ -1232,10 +1249,9 @@ sftk_updateEncrypted(PLArenaPool *arena,
|
|
||||||
PORT_Memset(plainText.data, 0, plainText.len);
|
|
||||||
|
|
||||||
// Write the newly encrypted attributes out directly.
|
|
||||||
- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
|
|
||||||
keydb->newKey = newKey;
|
|
||||||
keydb->newDefaultIterationCount = iterationCount;
|
|
||||||
- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
|
|
||||||
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
|
|
||||||
keydb->newKey = NULL;
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
return crv;
|
|
||||||
@ -1,63 +0,0 @@
|
|||||||
diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c
|
|
||||||
--- a/lib/softoken/sdb.c
|
|
||||||
+++ b/lib/softoken/sdb.c
|
|
||||||
@@ -1519,16 +1519,18 @@ sdb_Begin(SDB *sdb)
|
|
||||||
|
|
||||||
sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL);
|
|
||||||
|
|
||||||
do {
|
|
||||||
sqlerr = sqlite3_step(stmt);
|
|
||||||
if (sqlerr == SQLITE_BUSY) {
|
|
||||||
PR_Sleep(SDB_BUSY_RETRY_TIME);
|
|
||||||
}
|
|
||||||
+ /* don't retry BEGIN transaction*/
|
|
||||||
+ retry = 0;
|
|
||||||
} while (!sdb_done(sqlerr, &retry));
|
|
||||||
|
|
||||||
if (stmt) {
|
|
||||||
sqlite3_reset(stmt);
|
|
||||||
sqlite3_finalize(stmt);
|
|
||||||
}
|
|
||||||
|
|
||||||
loser:
|
|
||||||
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
|
|
||||||
--- a/lib/softoken/sftkdb.c
|
|
||||||
+++ b/lib/softoken/sftkdb.c
|
|
||||||
@@ -1521,17 +1521,17 @@ sftkdb_DestroyObject(SFTKDBHandle *handl
|
|
||||||
if (handle == NULL) {
|
|
||||||
return CKR_TOKEN_WRITE_PROTECTED;
|
|
||||||
}
|
|
||||||
db = SFTK_GET_SDB(handle);
|
|
||||||
objectID &= SFTK_OBJ_ID_MASK;
|
|
||||||
|
|
||||||
crv = (*db->sdb_Begin)(db);
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
- goto loser;
|
|
||||||
+ return crv;
|
|
||||||
}
|
|
||||||
crv = (*db->sdb_DestroyObject)(db, objectID);
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
/* if the database supports meta data, delete any old signatures
|
|
||||||
* that we may have added */
|
|
||||||
if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) {
|
|
||||||
@@ -2456,17 +2456,17 @@ sftkdb_Update(SFTKDBHandle *handle, SECI
|
|
||||||
return CKR_OK;
|
|
||||||
}
|
|
||||||
/*
|
|
||||||
* put the whole update under a transaction. This allows us to handle
|
|
||||||
* any possible race conditions between with the updateID check.
|
|
||||||
*/
|
|
||||||
crv = (*handle->db->sdb_Begin)(handle->db);
|
|
||||||
if (crv != CKR_OK) {
|
|
||||||
- goto loser;
|
|
||||||
+ return crv;
|
|
||||||
}
|
|
||||||
inTransaction = PR_TRUE;
|
|
||||||
|
|
||||||
/* some one else has already updated this db */
|
|
||||||
if (sftkdb_hasUpdate(sftkdb_TypeString(handle),
|
|
||||||
handle->db, handle->updateID)) {
|
|
||||||
crv = CKR_OK;
|
|
||||||
goto done;
|
|
||||||
@ -1,122 +0,0 @@
|
|||||||
diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c
|
|
||||||
--- ./lib/ssl/ssl3con.c.alert-fix 2021-06-10 05:33:12.000000000 -0700
|
|
||||||
+++ ./lib/ssl/ssl3con.c 2021-07-06 17:08:25.894018521 -0700
|
|
||||||
@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch
|
|
||||||
if (!ssl_IsSupportedSignatureScheme(scheme)) {
|
|
||||||
return PR_FALSE;
|
|
||||||
}
|
|
||||||
- if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
|
|
||||||
+ /* if we are purposefully passed SEC_OID_UNKOWN, it means
|
|
||||||
+ * we not checking the scheme against a potential key, so skip
|
|
||||||
+ * the call */
|
|
||||||
+ if ((spkiOid != SEC_OID_UNKNOWN) &&
|
|
||||||
+ !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) {
|
|
||||||
return PR_FALSE;
|
|
||||||
}
|
|
||||||
if (isTls13) {
|
|
||||||
@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Verify that the signature scheme matches the signing key. */
|
|
||||||
- if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
|
|
||||||
+ if ((spkiOid == SEC_OID_UNKNOWN) ||
|
|
||||||
+ !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) {
|
|
||||||
PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS
|
|
||||||
PRBool
|
|
||||||
ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme)
|
|
||||||
{
|
|
||||||
+ PRBool isSupported = PR_FALSE;
|
|
||||||
switch (scheme) {
|
|
||||||
case ssl_sig_rsa_pkcs1_sha1:
|
|
||||||
case ssl_sig_rsa_pkcs1_sha256:
|
|
||||||
@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat
|
|
||||||
case ssl_sig_dsa_sha384:
|
|
||||||
case ssl_sig_dsa_sha512:
|
|
||||||
case ssl_sig_ecdsa_sha1:
|
|
||||||
- return PR_TRUE;
|
|
||||||
+ isSupported = PR_TRUE;
|
|
||||||
+ break;
|
|
||||||
|
|
||||||
case ssl_sig_rsa_pkcs1_sha1md5:
|
|
||||||
case ssl_sig_none:
|
|
||||||
@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat
|
|
||||||
case ssl_sig_ed448:
|
|
||||||
return PR_FALSE;
|
|
||||||
}
|
|
||||||
- return PR_FALSE;
|
|
||||||
+ if (isSupported) {
|
|
||||||
+ SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme));
|
|
||||||
+ PRUint32 policy;
|
|
||||||
+ const PRUint32 sigSchemePolicy=
|
|
||||||
+ NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE;
|
|
||||||
+ /* check hash policy */
|
|
||||||
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
|
|
||||||
+ ((policy & sigSchemePolicy) != sigSchemePolicy)) {
|
|
||||||
+ return PR_FALSE;
|
|
||||||
+ }
|
|
||||||
+ /* check algorithm policy */
|
|
||||||
+ }
|
|
||||||
+ return isSupported;
|
|
||||||
}
|
|
||||||
|
|
||||||
PRBool
|
|
||||||
@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss,
|
|
||||||
}
|
|
||||||
|
|
||||||
spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
|
|
||||||
+ if (spkiOid == SEC_OID_UNKNOWN) {
|
|
||||||
+ goto loser;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Now we have to search based on the key type. Go through our preferred
|
|
||||||
* schemes in order and find the first that can be used. */
|
|
||||||
@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+loser:
|
|
||||||
PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke
|
|
||||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
- if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) {
|
|
||||||
+ if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN,
|
|
||||||
+ (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {;
|
|
||||||
schemes[numSupported++] = (SSLSignatureScheme)tmp;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket *
|
|
||||||
PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record);
|
|
||||||
rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
- goto loser; /* malformed or unsupported. */
|
|
||||||
+ errCode = PORT_GetError();
|
|
||||||
+ /* unsupported == illegal_parameter, others == handshake_failure. */
|
|
||||||
+ if (errCode == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) {
|
|
||||||
+ desc = illegal_parameter;
|
|
||||||
+ }
|
|
||||||
+ goto alert_loser;
|
|
||||||
}
|
|
||||||
rv = ssl_CheckSignatureSchemeConsistency(
|
|
||||||
ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo);
|
|
||||||
diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc
|
|
||||||
--- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix 2021-07-07 11:32:11.634376932 -0700
|
|
||||||
+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2021-07-07 11:33:30.595841110 -0700
|
|
||||||
@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature
|
|
||||||
}
|
|
||||||
|
|
||||||
TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) {
|
|
||||||
- const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa
|
|
||||||
+ // make sure the test uses an algorithm that is legal for
|
|
||||||
+ // tls 1.3 (or tls 1.3 will through and illegalParameter
|
|
||||||
+ // instead of a decode error)
|
|
||||||
+ const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00}; // sha-256, rsa-pss-pss
|
|
||||||
DataBuffer extension(val, sizeof(val));
|
|
||||||
ClientHelloErrorTest(std::make_shared<TlsExtensionReplacer>(
|
|
||||||
client_, ssl_signature_algorithms_xtn, extension));
|
|
||||||
3411
nss-3.79-dbtool.patch
Normal file
3411
nss-3.79-dbtool.patch
Normal file
File diff suppressed because it is too large
Load Diff
170
nss-3.79-dont-verify-default.patch
Normal file
170
nss-3.79-dont-verify-default.patch
Normal file
@ -0,0 +1,170 @@
|
|||||||
|
diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c
|
||||||
|
--- a/lib/softoken/legacydb/pcertdb.c
|
||||||
|
+++ b/lib/softoken/legacydb/pcertdb.c
|
||||||
|
@@ -4272,16 +4272,17 @@ CreateTrust(void)
|
||||||
|
{
|
||||||
|
NSSLOWCERTTrust *trust = NULL;
|
||||||
|
|
||||||
|
nsslowcert_LockFreeList();
|
||||||
|
trust = trustListHead;
|
||||||
|
if (trust) {
|
||||||
|
trustListCount--;
|
||||||
|
trustListHead = trust->next;
|
||||||
|
+ trust->next = NULL;
|
||||||
|
}
|
||||||
|
PORT_Assert(trustListCount >= 0);
|
||||||
|
nsslowcert_UnlockFreeList();
|
||||||
|
if (trust) {
|
||||||
|
return trust;
|
||||||
|
}
|
||||||
|
|
||||||
|
return PORT_ZNew(NSSLOWCERTTrust);
|
||||||
|
@@ -5155,19 +5156,21 @@ done:
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
|
||||||
|
{
|
||||||
|
if (trust == NULL) {
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
- return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
|
||||||
|
- (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
|
||||||
|
- (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
|
||||||
|
+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
|
||||||
|
+ * we don't have a trust record. */
|
||||||
|
+ return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
|
||||||
|
+ ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
|
||||||
|
+ ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0));
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This function has the logic that decides if another person's cert and
|
||||||
|
* email profile from an S/MIME message should be saved. It can deal with
|
||||||
|
* the case when there is no profile.
|
||||||
|
*/
|
||||||
|
static SECStatus
|
||||||
|
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
|
||||||
|
--- a/lib/softoken/sftkdb.c
|
||||||
|
+++ b/lib/softoken/sftkdb.c
|
||||||
|
@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI
|
||||||
|
case CKA_TRUST_STEP_UP_APPROVED:
|
||||||
|
case CKA_NSS_OVERRIDE_EXTENSIONS:
|
||||||
|
return PR_TRUE;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
/*
|
||||||
|
* convert a native ULONG to a database ulong. Database ulong's
|
||||||
|
* are all 4 byte big endian values.
|
||||||
|
*/
|
||||||
|
void
|
||||||
|
sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
|
||||||
|
for (i = 0; i < SDB_ULONG_SIZE; i++) {
|
||||||
|
data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* convert a database ulong back to a native ULONG. (reverse of the above
|
||||||
|
- * function.
|
||||||
|
+ * function).
|
||||||
|
*/
|
||||||
|
static CK_ULONG
|
||||||
|
sftk_SDBULong2ULong(unsigned char *data)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
CK_ULONG value = 0;
|
||||||
|
|
||||||
|
for (i = 0; i < SDB_ULONG_SIZE; i++) {
|
||||||
|
value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);
|
||||||
|
}
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* certain trust records are default values, which are the values
|
||||||
|
+ * returned if the signature check fails anyway.
|
||||||
|
+ * In those cases, we can skip the signature check. */
|
||||||
|
+PRBool
|
||||||
|
+sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
|
||||||
|
+{
|
||||||
|
+ switch (template->type) {
|
||||||
|
+ case CKA_TRUST_SERVER_AUTH:
|
||||||
|
+ case CKA_TRUST_CLIENT_AUTH:
|
||||||
|
+ case CKA_TRUST_EMAIL_PROTECTION:
|
||||||
|
+ case CKA_TRUST_CODE_SIGNING:
|
||||||
|
+ if (template->ulValueLen != SDB_ULONG_SIZE) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (sftk_SDBULong2ULong(template->pValue) ==
|
||||||
|
+ CKT_NSS_TRUST_UNKNOWN) {
|
||||||
|
+ return PR_TRUE;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ case CKA_TRUST_STEP_UP_APPROVED:
|
||||||
|
+ if (template->ulValueLen != 1) {
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ if (*((unsigned char *)(template->pValue)) == 0) {
|
||||||
|
+ return PR_TRUE;
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ return PR_FALSE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* fix up the input templates. Our fixed up ints are stored in data and must
|
||||||
|
* be freed by the caller. The new template must also be freed. If there are no
|
||||||
|
* CK_ULONG attributes, the orignal template is passed in as is.
|
||||||
|
*/
|
||||||
|
static CK_ATTRIBUTE *
|
||||||
|
sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,
|
||||||
|
unsigned char **dataOut, int *dataOutSize)
|
||||||
|
@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te
|
||||||
|
}
|
||||||
|
|
||||||
|
/* copy the plain text back into the template */
|
||||||
|
PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
|
||||||
|
template[i].ulValueLen = plainText->len;
|
||||||
|
SECITEM_ZfreeItem(plainText, PR_TRUE);
|
||||||
|
}
|
||||||
|
/* make sure signed attributes are valid */
|
||||||
|
- if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
|
||||||
|
+ if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)
|
||||||
|
+ && !sftkdb_isNullTrust(&ntemplate[i])) {
|
||||||
|
SECStatus rv;
|
||||||
|
CK_RV local_crv;
|
||||||
|
SECItem signText;
|
||||||
|
SECItem plainText;
|
||||||
|
unsigned char signData[SDB_MAX_META_DATA_LEN];
|
||||||
|
|
||||||
|
signText.data = signData;
|
||||||
|
signText.len = sizeof(signData);
|
||||||
|
@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle,
|
||||||
|
crv = (*source->sdb_GetAttributeValue)(source, id,
|
||||||
|
ptemplate, max_attributes);
|
||||||
|
if (crv != CKR_OK) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
|
||||||
|
objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
|
||||||
|
max_attributes);
|
||||||
|
+/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id,
|
||||||
|
+ handle->updateID?handle->updateID: "<NULL>");*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Update Object updates the object template if necessary then returns
|
||||||
|
* whether or not we need to actually write the object out to our target
|
||||||
|
* database.
|
||||||
|
*/
|
||||||
|
if (!handle->updateID) {
|
||||||
|
crv = sftkdb_CreateObject(arena, handle, target, &newID,
|
||||||
522
nss-3.79-enable-POST-rerun.patch
Normal file
522
nss-3.79-enable-POST-rerun.patch
Normal file
@ -0,0 +1,522 @@
|
|||||||
|
diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c
|
||||||
|
--- a/cmd/bltest/blapitest.c
|
||||||
|
+++ b/cmd/bltest/blapitest.c
|
||||||
|
@@ -3870,17 +3870,17 @@ main(int argc, char **argv)
|
||||||
|
rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
|
||||||
|
encrypt, decrypt);
|
||||||
|
PORT_Free(cipherInfo);
|
||||||
|
return rv == SECSuccess ? 0 : 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Do FIPS self-test */
|
||||||
|
if (bltest.commands[cmd_FIPS].activated) {
|
||||||
|
- CK_RV ckrv = sftk_FIPSEntryOK();
|
||||||
|
+ CK_RV ckrv = sftk_FIPSEntryOK(PR_FALSE);
|
||||||
|
fprintf(stdout, "CK_RV: %ld.\n", ckrv);
|
||||||
|
PORT_Free(cipherInfo);
|
||||||
|
if (ckrv == CKR_OK)
|
||||||
|
return SECSuccess;
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c
|
||||||
|
--- a/cmd/pk11mode/pk11mode.c
|
||||||
|
+++ b/cmd/pk11mode/pk11mode.c
|
||||||
|
@@ -318,23 +318,25 @@ static PRBool verbose = PR_FALSE;
|
||||||
|
|
||||||
|
int
|
||||||
|
main(int argc, char **argv)
|
||||||
|
{
|
||||||
|
CK_C_GetFunctionList pC_GetFunctionList;
|
||||||
|
CK_FUNCTION_LIST_PTR pFunctionList;
|
||||||
|
CK_RV crv = CKR_OK;
|
||||||
|
CK_C_INITIALIZE_ARGS_NSS initArgs;
|
||||||
|
+ CK_C_INITIALIZE_ARGS_NSS initArgsRerun; /* rerun selftests */
|
||||||
|
CK_SLOT_ID *pSlotList = NULL;
|
||||||
|
CK_TOKEN_INFO tokenInfo;
|
||||||
|
CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
|
||||||
|
|
||||||
|
CK_UTF8CHAR *pwd = NULL;
|
||||||
|
CK_ULONG pwdLen = 0;
|
||||||
|
char *moduleSpec = NULL;
|
||||||
|
+ char *moduleSpecRerun = NULL;
|
||||||
|
char *configDir = NULL;
|
||||||
|
char *dbPrefix = NULL;
|
||||||
|
char *disableUnload = NULL;
|
||||||
|
PRBool doForkTests = PR_TRUE;
|
||||||
|
|
||||||
|
PLOptStatus os;
|
||||||
|
PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:");
|
||||||
|
while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) {
|
||||||
|
@@ -458,18 +460,23 @@ main(int argc, char **argv)
|
||||||
|
initArgs.CreateMutex = NULL;
|
||||||
|
initArgs.DestroyMutex = NULL;
|
||||||
|
initArgs.LockMutex = NULL;
|
||||||
|
initArgs.UnlockMutex = NULL;
|
||||||
|
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||||
|
moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
|
||||||
|
"keyPrefix='%s' secmod='secmod.db' flags= ",
|
||||||
|
configDir, dbPrefix, dbPrefix);
|
||||||
|
+ moduleSpecRerun = PR_smprintf("configdir='%s' certPrefix='%s' "
|
||||||
|
+ "keyPrefix='%s' secmod='secmod.db' flags=forcePOST ",
|
||||||
|
+ configDir, dbPrefix, dbPrefix);
|
||||||
|
initArgs.LibraryParameters = (CK_CHAR_PTR *)moduleSpec;
|
||||||
|
initArgs.pReserved = NULL;
|
||||||
|
+ initArgsRerun = initArgs;
|
||||||
|
+ initArgsRerun.LibraryParameters = (CK_CHAR_PTR *)moduleSpecRerun;
|
||||||
|
|
||||||
|
/*DebugBreak();*/
|
||||||
|
/* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
|
||||||
|
/* NSS cryptographic module library initialization for the FIPS */
|
||||||
|
/* Approved mode when FC_Initialize is envoked will perfom */
|
||||||
|
/* software integrity test, and power-up self-tests before */
|
||||||
|
/* FC_Initialize returns */
|
||||||
|
crv = pFunctionList->C_Initialize(&initArgs);
|
||||||
|
@@ -705,17 +712,17 @@ main(int argc, char **argv)
|
||||||
|
PKM_Error("PKM_HybridMode failed with 0x%08X, %-26s\n", crv,
|
||||||
|
PKM_CK_RVtoStr(crv));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (doForkTests) {
|
||||||
|
/* testing one more C_Initialize / C_Finalize to exercise getpid()
|
||||||
|
* fork check code */
|
||||||
|
- crv = pFunctionList->C_Initialize(&initArgs);
|
||||||
|
+ crv = pFunctionList->C_Initialize(&initArgsRerun);
|
||||||
|
if (crv == CKR_OK) {
|
||||||
|
PKM_LogIt("C_Initialize succeeded\n");
|
||||||
|
} else {
|
||||||
|
PKM_Error("C_Initialize failed with 0x%08X, %-26s\n", crv,
|
||||||
|
PKM_CK_RVtoStr(crv));
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
crv = pFunctionList->C_Finalize(NULL);
|
||||||
|
@@ -741,16 +748,19 @@ cleanup:
|
||||||
|
free(configDir);
|
||||||
|
}
|
||||||
|
if (dbPrefix) {
|
||||||
|
free(dbPrefix);
|
||||||
|
}
|
||||||
|
if (moduleSpec) {
|
||||||
|
PR_smprintf_free(moduleSpec);
|
||||||
|
}
|
||||||
|
+ if (moduleSpecRerun) {
|
||||||
|
+ PR_smprintf_free(moduleSpecRerun);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
#ifdef _WIN32
|
||||||
|
FreeLibrary(hModule);
|
||||||
|
#else
|
||||||
|
disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
|
||||||
|
if (!disableUnload) {
|
||||||
|
PR_UnloadLibrary(lib);
|
||||||
|
}
|
||||||
|
diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h
|
||||||
|
--- a/lib/freebl/blapii.h
|
||||||
|
+++ b/lib/freebl/blapii.h
|
||||||
|
@@ -24,17 +24,17 @@ typedef SECStatus (*freeblAeadFunc)(void
|
||||||
|
void *params, unsigned int paramsLen,
|
||||||
|
const unsigned char *aad, unsigned int aadLen,
|
||||||
|
unsigned int blocksize);
|
||||||
|
typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
|
||||||
|
|
||||||
|
SEC_BEGIN_PROTOS
|
||||||
|
|
||||||
|
#ifndef NSS_FIPS_DISABLED
|
||||||
|
-SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
|
||||||
|
+SECStatus BL_FIPSEntryOK(PRBool freeblOnly, PRBool rerun);
|
||||||
|
PRBool BL_POSTRan(PRBool freeblOnly);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
|
||||||
|
|
||||||
|
extern PRBool bl_parentForkedAfterC_Initialize;
|
||||||
|
|
||||||
|
#define SKIP_AFTER_FORK(x) \
|
||||||
|
diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
|
||||||
|
--- a/lib/freebl/blapit.h
|
||||||
|
+++ b/lib/freebl/blapit.h
|
||||||
|
@@ -223,16 +223,21 @@ typedef int __BLAPI_DEPRECATED __attribu
|
||||||
|
*
|
||||||
|
* If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
|
||||||
|
* we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
|
||||||
|
* GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
|
||||||
|
* the variable IV size for TLS is 64 bits, which explains why it's not safe
|
||||||
|
* to use a random value for the nonce in TLS. */
|
||||||
|
#define GCMIV_RANDOM_BIRTHDAY_BITS 64
|
||||||
|
|
||||||
|
+/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
|
||||||
|
+#define BLAPI_FIPS_RERUN_FLAG '\377' /* 0xff, 255 invalide code for UFT8/ASCII */
|
||||||
|
+#define BLAPI_FIPS_RERUN_FLAG_STRING "\377" /* The above as a C string */
|
||||||
|
+
|
||||||
|
+
|
||||||
|
/***************************************************************************
|
||||||
|
** Opaque objects
|
||||||
|
*/
|
||||||
|
|
||||||
|
struct DESContextStr;
|
||||||
|
struct RC2ContextStr;
|
||||||
|
struct RC4ContextStr;
|
||||||
|
struct RC5ContextStr;
|
||||||
|
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||||
|
--- a/lib/freebl/fipsfreebl.c
|
||||||
|
+++ b/lib/freebl/fipsfreebl.c
|
||||||
|
@@ -2211,29 +2211,37 @@ bl_startup_tests(void)
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* this is called from the freebl init entry points that controll access to
|
||||||
|
* all other freebl functions. This prevents freebl from operating if our
|
||||||
|
* power on selftest failed.
|
||||||
|
*/
|
||||||
|
SECStatus
|
||||||
|
-BL_FIPSEntryOK(PRBool freebl_only)
|
||||||
|
+BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun)
|
||||||
|
{
|
||||||
|
#ifdef NSS_NO_INIT_SUPPORT
|
||||||
|
/* this should only be set on platforms that can't handle one of the INIT
|
||||||
|
* schemes. This code allows those platforms to continue to function,
|
||||||
|
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
|
||||||
|
* is not set, and init support has not been properly enabled, freebl
|
||||||
|
* will always fail because of the test below
|
||||||
|
*/
|
||||||
|
if (!self_tests_freebl_ran) {
|
||||||
|
bl_startup_tests();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+ if (rerun) {
|
||||||
|
+ /* reset the flags */
|
||||||
|
+ self_tests_freebl_ran = PR_FALSE;
|
||||||
|
+ self_tests_success = PR_FALSE;
|
||||||
|
+ self_tests_success = PR_FALSE;
|
||||||
|
+ self_tests_freebl_success = PR_FALSE;
|
||||||
|
+ bl_startup_tests();
|
||||||
|
+ }
|
||||||
|
/* if the general self tests succeeded, we're done */
|
||||||
|
if (self_tests_success) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
/* standalone freebl can initialize */
|
||||||
|
if (freebl_only && self_tests_freebl_success) {
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
||||||
|
--- a/lib/freebl/nsslowhash.c
|
||||||
|
+++ b/lib/freebl/nsslowhash.c
|
||||||
|
@@ -55,17 +55,17 @@ NSSLOW_Init(void)
|
||||||
|
#ifdef FREEBL_NO_DEPEND
|
||||||
|
(void)FREEBL_InitStubs();
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef NSS_FIPS_DISABLED
|
||||||
|
/* make sure the FIPS product is installed if we are trying to
|
||||||
|
* go into FIPS mode */
|
||||||
|
if (nsslow_GetFIPSEnabled()) {
|
||||||
|
- if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
|
||||||
|
+ if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
|
||||||
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||||
|
post_failed = PR_TRUE;
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
post_failed = PR_FALSE;
|
||||||
|
|
||||||
|
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||||
|
--- a/lib/freebl/shvfy.c
|
||||||
|
+++ b/lib/freebl/shvfy.c
|
||||||
|
@@ -282,52 +282,62 @@ readItem(PRFileDesc *fd, SECItem *item)
|
||||||
|
PORT_Free(item->data);
|
||||||
|
item->data = NULL;
|
||||||
|
item->len = 0;
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self);
|
||||||
|
+static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun);
|
||||||
|
|
||||||
|
static PRBool
|
||||||
|
-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self)
|
||||||
|
+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun)
|
||||||
|
{
|
||||||
|
PRBool result = PR_FALSE; /* if anything goes wrong,
|
||||||
|
* the signature does not verify */
|
||||||
|
/* find our shared library name */
|
||||||
|
char *shName = PR_GetLibraryFilePathname(name, addr);
|
||||||
|
if (!shName) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
- result = blapi_SHVerifyFile(shName, self);
|
||||||
|
+ result = blapi_SHVerifyFile(shName, self, rerun);
|
||||||
|
|
||||||
|
loser:
|
||||||
|
if (shName != NULL) {
|
||||||
|
PR_Free(shName);
|
||||||
|
}
|
||||||
|
|
||||||
|
return result;
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
|
||||||
|
{
|
||||||
|
- return blapi_SHVerify(name, addr, PR_FALSE);
|
||||||
|
+ PRBool rerun = PR_FALSE;
|
||||||
|
+ if (name && *name == BLAPI_FIPS_RERUN_FLAG) {
|
||||||
|
+ name++;
|
||||||
|
+ rerun = PR_TRUE;
|
||||||
|
+ }
|
||||||
|
+ return blapi_SHVerify(name, addr, PR_FALSE, rerun);
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
BLAPI_SHVerifyFile(const char *shName)
|
||||||
|
{
|
||||||
|
- return blapi_SHVerifyFile(shName, PR_FALSE);
|
||||||
|
+ PRBool rerun = PR_FALSE;
|
||||||
|
+ if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) {
|
||||||
|
+ shName++;
|
||||||
|
+ rerun = PR_TRUE;
|
||||||
|
+ }
|
||||||
|
+ return blapi_SHVerifyFile(shName, PR_FALSE, rerun);
|
||||||
|
}
|
||||||
|
|
||||||
|
static PRBool
|
||||||
|
-blapi_SHVerifyFile(const char *shName, PRBool self)
|
||||||
|
+blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun)
|
||||||
|
{
|
||||||
|
char *checkName = NULL;
|
||||||
|
PRFileDesc *checkFD = NULL;
|
||||||
|
PRFileDesc *shFD = NULL;
|
||||||
|
void *hashcx = NULL;
|
||||||
|
const SECHashObject *hashObj = NULL;
|
||||||
|
SECItem signature = { 0, NULL, 0 };
|
||||||
|
SECItem hash;
|
||||||
|
@@ -346,17 +356,17 @@ blapi_SHVerifyFile(const char *shName, P
|
||||||
|
unsigned char hashBuf[HASH_LENGTH_MAX];
|
||||||
|
|
||||||
|
PORT_Memset(&key, 0, sizeof(key));
|
||||||
|
hash.data = hashBuf;
|
||||||
|
hash.len = sizeof(hashBuf);
|
||||||
|
|
||||||
|
/* If our integrity check was never ran or failed, fail any other
|
||||||
|
* integrity checks to prevent any token going into FIPS mode. */
|
||||||
|
- if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) {
|
||||||
|
+ if (!self && (BL_FIPSEntryOK(PR_FALSE, rerun) != SECSuccess)) {
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!shName) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* figure out the name of our check file */
|
||||||
|
@@ -536,17 +546,17 @@ BLAPI_VerifySelf(const char *name)
|
||||||
|
{
|
||||||
|
if (name == NULL) {
|
||||||
|
/*
|
||||||
|
* If name is NULL, freebl is statically linked into softoken.
|
||||||
|
* softoken will call BLAPI_SHVerify next to verify itself.
|
||||||
|
*/
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
|
||||||
|
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
|
||||||
|
}
|
||||||
|
|
||||||
|
#else /* NSS_FIPS_DISABLED */
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
BLAPI_SHVerifyFile(const char *shName)
|
||||||
|
{
|
||||||
|
return PR_FALSE;
|
||||||
|
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||||
|
--- a/lib/softoken/fipstest.c
|
||||||
|
+++ b/lib/softoken/fipstest.c
|
||||||
|
@@ -684,22 +684,25 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
||||||
|
|
||||||
|
static PRBool sftk_self_tests_ran = PR_FALSE;
|
||||||
|
static PRBool sftk_self_tests_success = PR_FALSE;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This function is called at dll load time, the code tha makes this
|
||||||
|
* happen is platform specific on defined above.
|
||||||
|
*/
|
||||||
|
-static void
|
||||||
|
-sftk_startup_tests(void)
|
||||||
|
+void sftk_startup_tests_with_rerun(PRBool rerun)
|
||||||
|
{
|
||||||
|
SECStatus rv;
|
||||||
|
- const char *libraryName = SOFTOKEN_LIB_NAME;
|
||||||
|
-
|
||||||
|
+ /*const char *nlibraryName = SOFTOKEN_LIB_NAME;
|
||||||
|
+ const char *rlibraryName = BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME; */
|
||||||
|
+ const char *libraryName = rerun ?
|
||||||
|
+ BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME :
|
||||||
|
+ SOFTOKEN_LIB_NAME;
|
||||||
|
+
|
||||||
|
PORT_Assert(!sftk_self_tests_ran);
|
||||||
|
PORT_Assert(!sftk_self_tests_success);
|
||||||
|
sftk_self_tests_ran = PR_TRUE;
|
||||||
|
sftk_self_tests_success = PR_FALSE; /* just in case */
|
||||||
|
|
||||||
|
/* need to initiallize the oid library before the RSA tests */
|
||||||
|
rv = SECOID_Init();
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
@@ -746,35 +749,46 @@ sftk_startup_tests(void)
|
||||||
|
rv = sftk_fips_pbkdf_PowerUpSelfTests();
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
sftk_self_tests_success = PR_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+sftk_startup_tests(void)
|
||||||
|
+{
|
||||||
|
+ sftk_startup_tests_with_rerun(PR_FALSE);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* this is called from nsc_Common_Initizialize entry points that gates access
|
||||||
|
* to * all other pkcs11 functions. This prevents softoken operation if our
|
||||||
|
* power on selftest failed.
|
||||||
|
*/
|
||||||
|
CK_RV
|
||||||
|
-sftk_FIPSEntryOK()
|
||||||
|
+sftk_FIPSEntryOK(PRBool rerun)
|
||||||
|
{
|
||||||
|
#ifdef NSS_NO_INIT_SUPPORT
|
||||||
|
/* this should only be set on platforms that can't handle one of the INIT
|
||||||
|
* schemes. This code allows those platforms to continue to function,
|
||||||
|
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
|
||||||
|
* is not set, and init support has not been properly enabled, softken
|
||||||
|
* will always fail because of the test below
|
||||||
|
*/
|
||||||
|
if (!sftk_self_tests_ran) {
|
||||||
|
sftk_startup_tests();
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
+ if (rerun) {
|
||||||
|
+ sftk_self_tests_ran = PR_FALSE;
|
||||||
|
+ sftk_self_tests_success = PR_FALSE;
|
||||||
|
+ sftk_startup_tests_with_rerun(PR_TRUE);
|
||||||
|
+ }
|
||||||
|
if (!sftk_self_tests_success) {
|
||||||
|
return CKR_DEVICE_ERROR;
|
||||||
|
}
|
||||||
|
return CKR_OK;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
#include "pkcs11t.h"
|
||||||
|
CK_RV
|
||||||
|
diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
|
||||||
|
--- a/lib/softoken/fipstokn.c
|
||||||
|
+++ b/lib/softoken/fipstokn.c
|
||||||
|
@@ -524,25 +524,32 @@ fc_log_init_error(CK_RV crv)
|
||||||
|
}
|
||||||
|
|
||||||
|
/* FC_Initialize initializes the PKCS #11 library. */
|
||||||
|
CK_RV
|
||||||
|
FC_Initialize(CK_VOID_PTR pReserved)
|
||||||
|
{
|
||||||
|
const char *envp;
|
||||||
|
CK_RV crv;
|
||||||
|
+ PRBool rerun;
|
||||||
|
|
||||||
|
if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
|
||||||
|
sftk_audit_enabled = (atoi(envp) == 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* if we have the forcePOST flag on, rerun the integrity checks */
|
||||||
|
+ /* we need to know this before we fully parse the arguments in
|
||||||
|
+ * nsc_CommonInitialize, so read it now */
|
||||||
|
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
|
||||||
|
+
|
||||||
|
/* At this point we should have already done post and integrity checks.
|
||||||
|
* if we haven't, it probably means the FIPS product has not been installed
|
||||||
|
- * or the tests failed. Don't let an application try to enter FIPS mode */
|
||||||
|
- crv = sftk_FIPSEntryOK();
|
||||||
|
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
|
||||||
|
+ * also forces the tests to be rerun if forcePOST is set. */
|
||||||
|
+ crv = sftk_FIPSEntryOK(rerun);
|
||||||
|
if (crv != CKR_OK) {
|
||||||
|
sftk_fatalError = PR_TRUE;
|
||||||
|
fc_log_init_error(crv);
|
||||||
|
return crv;
|
||||||
|
}
|
||||||
|
|
||||||
|
sftk_ForkReset(pReserved, &crv);
|
||||||
|
|
||||||
|
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
|
||||||
|
--- a/lib/softoken/pkcs11i.h
|
||||||
|
+++ b/lib/softoken/pkcs11i.h
|
||||||
|
@@ -869,16 +869,17 @@ extern CK_RV sftk_MechAllowsOperation(CK
|
||||||
|
* acquiring a reference to the keydb from the slot */
|
||||||
|
NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* parameter parsing functions
|
||||||
|
*/
|
||||||
|
CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
|
||||||
|
void sftk_freeParams(sftk_parameters *params);
|
||||||
|
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
|
||||||
|
|
||||||
|
/*
|
||||||
|
* narrow objects
|
||||||
|
*/
|
||||||
|
SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *);
|
||||||
|
SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *);
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
|
||||||
|
--- a/lib/softoken/sftkpars.c
|
||||||
|
+++ b/lib/softoken/sftkpars.c
|
||||||
|
@@ -244,8 +244,21 @@ sftk_freeParams(sftk_parameters *params)
|
||||||
|
FREE_CLEAR(params->configdir);
|
||||||
|
FREE_CLEAR(params->secmodName);
|
||||||
|
FREE_CLEAR(params->man);
|
||||||
|
FREE_CLEAR(params->libdes);
|
||||||
|
FREE_CLEAR(params->tokens);
|
||||||
|
FREE_CLEAR(params->updatedir);
|
||||||
|
FREE_CLEAR(params->updateID);
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+PRBool
|
||||||
|
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
|
||||||
|
+{
|
||||||
|
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
|
||||||
|
+
|
||||||
|
+ /* if we don't have any params, the flag isn't set */
|
||||||
|
+ if ((!init_args || !init_args->LibraryParameters)) {
|
||||||
|
+ return PR_FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
|
||||||
|
+}
|
||||||
|
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
|
||||||
|
--- a/lib/softoken/softoken.h
|
||||||
|
+++ b/lib/softoken/softoken.h
|
||||||
|
@@ -52,17 +52,17 @@ extern unsigned char *CBC_PadBuffer(PLAr
|
||||||
|
unsigned int inlen, unsigned int *outlen,
|
||||||
|
int blockSize);
|
||||||
|
|
||||||
|
/****************************************/
|
||||||
|
/*
|
||||||
|
** Power-Up selftests are required for FIPS.
|
||||||
|
*/
|
||||||
|
/* make sure Power-up selftests have been run. */
|
||||||
|
-extern CK_RV sftk_FIPSEntryOK(void);
|
||||||
|
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
|
||||||
|
|
||||||
|
/*
|
||||||
|
** make known fixed PKCS #11 key types to their sizes in bytes
|
||||||
|
*/
|
||||||
|
unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
|
||||||
|
|
||||||
|
/*
|
||||||
|
** FIPS 140-2 auditing
|
||||||
23
nss-3.79-fix-client-cert-crash.patch
Normal file
23
nss-3.79-fix-client-cert-crash.patch
Normal file
@ -0,0 +1,23 @@
|
|||||||
|
diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
|
||||||
|
--- a/lib/ssl/authcert.c
|
||||||
|
+++ b/lib/ssl/authcert.c
|
||||||
|
@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
|
||||||
|
|
||||||
|
/* otherwise look through the cache based on usage
|
||||||
|
* if chosenNickname is set, we ignore the expiration date */
|
||||||
|
if (certList == NULL) {
|
||||||
|
certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
|
||||||
|
certUsageSSLClient,
|
||||||
|
PR_FALSE, chosenNickName == NULL,
|
||||||
|
pw_arg);
|
||||||
|
+ if (certList == NULL) {
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
/* filter only the certs that meet the nickname requirements */
|
||||||
|
if (chosenNickName) {
|
||||||
|
rv = CERT_FilterCertListByNickname(certList, chosenNickName,
|
||||||
|
pw_arg);
|
||||||
|
} else {
|
||||||
|
int nnames = 0;
|
||||||
|
char **names = ssl_DistNamesToStrings(caNames, &nnames);
|
||||||
|
rv = CERT_FilterCertListByCANames(certList, nnames, names,
|
||||||
22
nss-3.79-increase-pbe-cache.patch
Normal file
22
nss-3.79-increase-pbe-cache.patch
Normal file
@ -0,0 +1,22 @@
|
|||||||
|
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
|
||||||
|
--- a/lib/softoken/lowpbe.c
|
||||||
|
+++ b/lib/softoken/lowpbe.c
|
||||||
|
@@ -565,17 +565,17 @@ struct KDFCacheItemStr {
|
||||||
|
int iterations;
|
||||||
|
int keyLen;
|
||||||
|
};
|
||||||
|
typedef struct KDFCacheItemStr KDFCacheItem;
|
||||||
|
|
||||||
|
/* Bug 1606992 - Cache the hash result for the common case that we're
|
||||||
|
* asked to repeatedly compute the key for the same password item,
|
||||||
|
* hash, iterations and salt. */
|
||||||
|
-#define KDF2_CACHE_COUNT 3
|
||||||
|
+#define KDF2_CACHE_COUNT 150
|
||||||
|
static struct {
|
||||||
|
PZLock *lock;
|
||||||
|
struct {
|
||||||
|
KDFCacheItem common;
|
||||||
|
int ivLen;
|
||||||
|
PRBool faulty3DES;
|
||||||
|
} cacheKDF1;
|
||||||
|
struct {
|
||||||
335
nss-3.79-revert-distrusted-certs.patch
Normal file
335
nss-3.79-revert-distrusted-certs.patch
Normal file
@ -0,0 +1,335 @@
|
|||||||
|
diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt
|
||||||
|
--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700
|
||||||
|
@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
|
||||||
|
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
|
||||||
|
#
|
||||||
|
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||||
|
+#
|
||||||
|
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||||
|
+# Serial Number: 268435455 (0xfffffff)
|
||||||
|
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||||
|
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||||
|
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||||
|
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||||
|
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||||
|
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
|
||||||
|
+CKA_SUBJECT MULTILINE_OCTAL
|
||||||
|
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||||
|
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||||
|
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||||
|
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||||
|
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||||
|
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||||
|
+END
|
||||||
|
+CKA_ID UTF8 "0"
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||||
|
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||||
|
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||||
|
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||||
|
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||||
|
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\004\017\377\377\377
|
||||||
|
+END
|
||||||
|
+CKA_VALUE MULTILINE_OCTAL
|
||||||
|
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
|
||||||
|
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
|
||||||
|
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
|
||||||
|
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
|
||||||
|
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
|
||||||
|
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
|
||||||
|
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
|
||||||
|
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
|
||||||
|
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
|
||||||
|
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
|
||||||
|
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
|
||||||
|
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
|
||||||
|
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
|
||||||
|
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
|
||||||
|
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
|
||||||
|
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
|
||||||
|
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
|
||||||
|
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
|
||||||
|
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
|
||||||
|
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
|
||||||
|
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
|
||||||
|
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
|
||||||
|
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
|
||||||
|
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
|
||||||
|
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
|
||||||
|
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
|
||||||
|
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
|
||||||
|
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
|
||||||
|
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
|
||||||
|
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
|
||||||
|
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
|
||||||
|
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
|
||||||
|
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
|
||||||
|
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
|
||||||
|
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
|
||||||
|
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
|
||||||
|
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
|
||||||
|
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
|
||||||
|
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
|
||||||
|
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
|
||||||
|
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
|
||||||
|
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
|
||||||
|
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
|
||||||
|
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
|
||||||
|
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
|
||||||
|
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
|
||||||
|
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
|
||||||
|
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
|
||||||
|
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
|
||||||
|
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
|
||||||
|
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
|
||||||
|
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
|
||||||
|
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
|
||||||
|
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
|
||||||
|
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
|
||||||
|
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
|
||||||
|
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
|
||||||
|
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
|
||||||
|
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
|
||||||
|
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
|
||||||
|
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
|
||||||
|
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||||
|
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
|
||||||
|
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||||
|
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
|
||||||
|
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
|
||||||
|
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
|
||||||
|
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
|
||||||
|
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
|
||||||
|
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
|
||||||
|
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
|
||||||
|
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
|
||||||
|
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
|
||||||
|
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
|
||||||
|
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
|
||||||
|
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
|
||||||
|
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
|
||||||
|
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
|
||||||
|
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
|
||||||
|
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
|
||||||
|
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
|
||||||
|
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
|
||||||
|
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
|
||||||
|
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
|
||||||
|
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
|
||||||
|
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
|
||||||
|
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
|
||||||
|
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
|
||||||
|
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
|
||||||
|
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
|
||||||
|
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
|
||||||
|
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
|
||||||
|
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
|
||||||
|
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
|
||||||
|
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
|
||||||
|
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
|
||||||
|
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
|
||||||
|
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
|
||||||
|
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
|
||||||
|
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
|
||||||
|
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
|
||||||
|
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
|
||||||
|
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
|
||||||
|
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
|
||||||
|
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
|
||||||
|
+\244\363\116\272\067\230\173\202\271
|
||||||
|
+END
|
||||||
|
+
|
||||||
|
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||||
|
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||||
|
+# Serial Number: 268435455 (0xfffffff)
|
||||||
|
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||||
|
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||||
|
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||||
|
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||||
|
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||||
|
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
|
||||||
|
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
|
||||||
|
+\222\341\102\102
|
||||||
|
+END
|
||||||
|
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
|
||||||
|
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
|
||||||
|
+END
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||||
|
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||||
|
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||||
|
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||||
|
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||||
|
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\004\017\377\377\377
|
||||||
|
+END
|
||||||
|
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
# Certificate "Security Communication RootCA2"
|
||||||
|
#
|
||||||
|
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||||
|
@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||||
|
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||||
|
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
|
||||||
|
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
|
||||||
|
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||||
|
+# Serial Number: 1800000005 (0x6b49d205)
|
||||||
|
+# Not Before: Apr 7 15:37:15 2011 GMT
|
||||||
|
+# Not After : Apr 4 15:37:15 2021 GMT
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||||
|
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||||
|
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||||
|
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||||
|
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||||
|
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||||
|
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||||
|
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||||
|
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||||
|
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||||
|
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\004\153\111\322\005
|
||||||
|
+END
|
||||||
|
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
+
|
||||||
|
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
|
||||||
|
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||||
|
+# Serial Number: 1800000006 (0x6b49d206)
|
||||||
|
+# Not Before: Apr 18 21:09:30 2011 GMT
|
||||||
|
+# Not After : Apr 15 21:09:30 2021 GMT
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||||
|
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||||
|
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||||
|
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||||
|
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||||
|
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||||
|
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||||
|
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||||
|
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||||
|
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||||
|
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\004\153\111\322\006
|
||||||
|
+END
|
||||||
|
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Certificate "Actalis Authentication Root CA"
|
||||||
|
#
|
||||||
|
@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||||
|
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||||
|
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
|
||||||
|
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
|
||||||
|
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||||
|
+# Serial Number: 2087 (0x827)
|
||||||
|
+# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
|
||||||
|
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||||
|
+# Not Valid After : Tue Jul 06 07:07:51 2021
|
||||||
|
+# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
|
||||||
|
+# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||||
|
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||||
|
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||||
|
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||||
|
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||||
|
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||||
|
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||||
|
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||||
|
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||||
|
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||||
|
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\002\010\047
|
||||||
|
+END
|
||||||
|
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
+
|
||||||
|
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
|
||||||
|
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||||
|
+# Serial Number: 2148 (0x864)
|
||||||
|
+# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
|
||||||
|
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||||
|
+# Not Valid After : Thu Aug 05 07:07:51 2021
|
||||||
|
+# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
|
||||||
|
+# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
|
||||||
|
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||||
|
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||||
|
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||||
|
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
|
||||||
|
+CKA_ISSUER MULTILINE_OCTAL
|
||||||
|
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||||
|
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||||
|
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||||
|
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||||
|
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||||
|
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||||
|
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||||
|
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||||
|
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||||
|
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||||
|
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||||
|
+END
|
||||||
|
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||||
|
+\002\002\010\144
|
||||||
|
+END
|
||||||
|
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||||
|
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||||
|
+
|
||||||
|
#
|
||||||
|
# Certificate "D-TRUST Root Class 3 CA 2 2009"
|
||||||
|
#
|
||||||
722
nss-3.79-rhel-8-fips-signature-policy.patch
Normal file
722
nss-3.79-rhel-8-fips-signature-policy.patch
Normal file
@ -0,0 +1,722 @@
|
|||||||
|
diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c
|
||||||
|
--- ./cmd/crmftest/testcrmf.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./cmd/crmftest/testcrmf.c 2022-06-20 16:47:35.023785628 -0700
|
||||||
|
@@ -85,7 +85,7 @@
|
||||||
|
#include "sechash.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#define MAX_KEY_LEN 512
|
||||||
|
+#define MAX_KEY_LEN 1024
|
||||||
|
#define PATH_LEN 150
|
||||||
|
#define BUFF_SIZE 150
|
||||||
|
#define UID_BITS 800
|
||||||
|
diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
|
||||||
|
--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-20 16:47:35.024785635 -0700
|
||||||
|
@@ -16,6 +16,7 @@
|
||||||
|
#include "secerr.h"
|
||||||
|
#include "sechash.h"
|
||||||
|
#include "pk11_signature_test.h"
|
||||||
|
+#include "blapit.h"
|
||||||
|
|
||||||
|
#include "testvectors/rsa_signature_2048_sha224-vectors.h"
|
||||||
|
#include "testvectors/rsa_signature_2048_sha256-vectors.h"
|
||||||
|
@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
|
||||||
|
* Use 6 as the invalid value since modLen % 16 must be zero.
|
||||||
|
*/
|
||||||
|
TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
|
||||||
|
- const size_t kRsaShortKeyBits = 736;
|
||||||
|
+#define RSA_SHORT_KEY_LENGTH 736
|
||||||
|
+/* if our minimum supported key length is big enough to handle
|
||||||
|
+ * our largest Hash function, we can't test a short length */
|
||||||
|
+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
|
||||||
|
+ const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
|
||||||
|
const size_t kRsaKeyBits = 752;
|
||||||
|
static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
|
||||||
|
static const std::vector<uint8_t> kSha512DigestInfo{
|
||||||
|
@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
|
||||||
|
SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
|
||||||
|
nullptr);
|
||||||
|
EXPECT_EQ(SECSuccess, rv);
|
||||||
|
+#else
|
||||||
|
+ GTEST_SKIP();
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
TEST(RsaPkcs1Test, RequireNullParameter) {
|
||||||
|
diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-20 16:47:35.024785635 -0700
|
||||||
|
@@ -9,6 +9,8 @@
|
||||||
|
#include "prtime.h"
|
||||||
|
#include "secerr.h"
|
||||||
|
#include "ssl.h"
|
||||||
|
+#include "nss.h"
|
||||||
|
+#include "blapit.h"
|
||||||
|
|
||||||
|
#include "gtest_utils.h"
|
||||||
|
#include "tls_agent.h"
|
||||||
|
@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC
|
||||||
|
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
||||||
|
ASSERT_TRUE(slot);
|
||||||
|
PK11RSAGenParams rsaparams;
|
||||||
|
- // The absolute minimum size of RSA key that we can use with SHA-256 is
|
||||||
|
- // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
||||||
|
+// The absolute minimum size of RSA key that we can use with SHA-256 is
|
||||||
|
+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
||||||
|
+#define RSA_WEAK_KEY 528
|
||||||
|
+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
|
||||||
|
rsaparams.keySizeInBits = 528;
|
||||||
|
+#else
|
||||||
|
+ rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
|
||||||
|
+#endif
|
||||||
|
rsaparams.pe = 65537;
|
||||||
|
|
||||||
|
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
|
||||||
|
@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||||
|
ssl_sig_rsa_pss_pss_sha256};
|
||||||
|
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||||
|
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||||
|
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||||
|
+ // save the MIN POLICY length.
|
||||||
|
+ PRInt32 minRsa;
|
||||||
|
+
|
||||||
|
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
||||||
|
+#if RSA_MIN_MODULUS_BITS >= 2048
|
||||||
|
+ ASSERT_EQ(SECSuccess,
|
||||||
|
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
||||||
|
+#else
|
||||||
|
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
|
||||||
|
+#endif
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
ScopedSECKEYPrivateKey dc_priv;
|
||||||
|
ScopedSECKEYPublicKey dc_pub;
|
||||||
|
@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||||
|
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
||||||
|
client_, ssl_delegated_credentials_xtn);
|
||||||
|
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
||||||
|
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||||
|
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
||||||
|
diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h
|
||||||
|
--- ./lib/cryptohi/keyhi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/cryptohi/keyhi.h 2022-06-20 16:47:35.024785635 -0700
|
||||||
|
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
|
||||||
|
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
|
||||||
|
|
||||||
|
/*
|
||||||
|
+** Return the strength of the private key in bits
|
||||||
|
+*/
|
||||||
|
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
** Return the length of the signature in bytes
|
||||||
|
*/
|
||||||
|
extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
|
||||||
|
diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h
|
||||||
|
--- ./lib/cryptohi/keyi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/cryptohi/keyi.h 2022-06-20 16:47:35.024785635 -0700
|
||||||
|
@@ -4,6 +4,7 @@
|
||||||
|
|
||||||
|
#ifndef _KEYI_H_
|
||||||
|
#define _KEYI_H_
|
||||||
|
+#include "secerr.h"
|
||||||
|
|
||||||
|
SEC_BEGIN_PROTOS
|
||||||
|
/* NSS private functions */
|
||||||
|
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
|
||||||
|
const SECItem *params,
|
||||||
|
CK_RSA_PKCS_PSS_PARAMS *mech);
|
||||||
|
|
||||||
|
+/* make sure the key length matches the policy for keyType */
|
||||||
|
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
|
||||||
|
+ SECErrorCodes error);
|
||||||
|
SEC_END_PROTOS
|
||||||
|
|
||||||
|
#endif /* _KEYHI_H_ */
|
||||||
|
diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c
|
||||||
|
--- ./lib/cryptohi/seckey.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/cryptohi/seckey.c 2022-06-20 16:47:35.025785641 -0700
|
||||||
|
@@ -14,6 +14,7 @@
|
||||||
|
#include "secdig.h"
|
||||||
|
#include "prtime.h"
|
||||||
|
#include "keyi.h"
|
||||||
|
+#include "nss.h"
|
||||||
|
|
||||||
|
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
|
||||||
|
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
|
||||||
|
@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
|
||||||
|
return bitSize;
|
||||||
|
}
|
||||||
|
|
||||||
|
+unsigned
|
||||||
|
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
|
||||||
|
+{
|
||||||
|
+ unsigned bitSize = 0;
|
||||||
|
+ CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
|
||||||
|
+ SECItem params;
|
||||||
|
+ SECStatus rv;
|
||||||
|
+
|
||||||
|
+ if (!privk) {
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* interpret modulus length as key strength */
|
||||||
|
+ switch (privk->keyType) {
|
||||||
|
+ case rsaKey:
|
||||||
|
+ case rsaPssKey:
|
||||||
|
+ case rsaOaepKey:
|
||||||
|
+ /* some tokens don't export CKA_MODULUS on the private key,
|
||||||
|
+ * PK11_SignatureLen works around this if necessary */
|
||||||
|
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||||
|
+ if (bitSize == -1) {
|
||||||
|
+ bitSize = 0;
|
||||||
|
+ }
|
||||||
|
+ return bitSize;
|
||||||
|
+ case dsaKey:
|
||||||
|
+ case fortezzaKey:
|
||||||
|
+ case dhKey:
|
||||||
|
+ case keaKey:
|
||||||
|
+ attribute = CKA_PRIME;
|
||||||
|
+ break;
|
||||||
|
+ case ecKey:
|
||||||
|
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||||
|
+ CKA_EC_PARAMS, NULL, ¶ms);
|
||||||
|
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ bitSize = SECKEY_ECParamsToKeySize(¶ms);
|
||||||
|
+ PORT_Free(params.data);
|
||||||
|
+ return bitSize;
|
||||||
|
+ default:
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ PORT_Assert(attribute != CKT_INVALID_TYPE);
|
||||||
|
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||||
|
+ attribute, NULL, ¶ms);
|
||||||
|
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
||||||
|
+ PORT_Free(params.data);
|
||||||
|
+ return bitSize;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
/* returns signature length in bytes (not bits) */
|
||||||
|
unsigned
|
||||||
|
SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
|
||||||
|
@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Check that a given key meets the policy limits for the given key
|
||||||
|
+ * size.
|
||||||
|
+ */
|
||||||
|
+SECStatus
|
||||||
|
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
|
||||||
|
+{
|
||||||
|
+ PRInt32 opt = -1;
|
||||||
|
+ PRInt32 optVal;
|
||||||
|
+ SECStatus rv;
|
||||||
|
+
|
||||||
|
+ switch (keyType) {
|
||||||
|
+ case rsaKey:
|
||||||
|
+ case rsaPssKey:
|
||||||
|
+ case rsaOaepKey:
|
||||||
|
+ opt = NSS_RSA_MIN_KEY_SIZE;
|
||||||
|
+ break;
|
||||||
|
+ case dsaKey:
|
||||||
|
+ case fortezzaKey:
|
||||||
|
+ opt = NSS_DSA_MIN_KEY_SIZE;
|
||||||
|
+ break;
|
||||||
|
+ case dhKey:
|
||||||
|
+ case keaKey:
|
||||||
|
+ opt = NSS_DH_MIN_KEY_SIZE;
|
||||||
|
+ break;
|
||||||
|
+ case ecKey:
|
||||||
|
+ opt = NSS_ECC_MIN_KEY_SIZE;
|
||||||
|
+ break;
|
||||||
|
+ case nullKey:
|
||||||
|
+ default:
|
||||||
|
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ PORT_Assert(opt != -1);
|
||||||
|
+ rv = NSS_OptionGet(opt, &optVal);
|
||||||
|
+ if (rv != SECSuccess) {
|
||||||
|
+ return rv;
|
||||||
|
+ }
|
||||||
|
+ if (optVal < keyLength) {
|
||||||
|
+ PORT_SetError(error);
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ return SECSuccess;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Use the private key to find a public key handle. The handle will be on
|
||||||
|
* the same slot as the private key.
|
||||||
|
*/
|
||||||
|
diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c
|
||||||
|
--- ./lib/cryptohi/secsign.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/cryptohi/secsign.c 2022-06-20 16:47:35.025785641 -0700
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include "pk11func.h"
|
||||||
|
#include "secerr.h"
|
||||||
|
#include "keyi.h"
|
||||||
|
+#include "nss.h"
|
||||||
|
|
||||||
|
struct SGNContextStr {
|
||||||
|
SECOidTag signalg;
|
||||||
|
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
||||||
|
SECOidTag hashalg, signalg;
|
||||||
|
KeyType keyType;
|
||||||
|
PRUint32 policyFlags;
|
||||||
|
+ PRInt32 optFlags;
|
||||||
|
SECStatus rv;
|
||||||
|
|
||||||
|
/* OK, map a PKCS #7 hash and encrypt algorithm into
|
||||||
|
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||||
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
||||||
|
+ rv = seckey_EnforceKeySize(key->keyType,
|
||||||
|
+ SECKEY_PrivateKeyStrengthInBits(key),
|
||||||
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||||
|
+ if (rv != SECSuccess) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
/* check the policy on the hash algorithm */
|
||||||
|
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
|
||||||
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||||
|
@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
|
||||||
|
SGNDigestInfo *di = 0;
|
||||||
|
SECOidTag enctag;
|
||||||
|
PRUint32 policyFlags;
|
||||||
|
+ PRInt32 optFlags;
|
||||||
|
|
||||||
|
result->data = 0;
|
||||||
|
|
||||||
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||||
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
||||||
|
+ rv = seckey_EnforceKeySize(privKey->keyType,
|
||||||
|
+ SECKEY_PrivateKeyStrengthInBits(privKey),
|
||||||
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||||
|
+ if (rv != SECSuccess) {
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
/* check the policy on the hash algorithm */
|
||||||
|
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
|
||||||
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||||
|
diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c
|
||||||
|
--- ./lib/cryptohi/secvfy.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/cryptohi/secvfy.c 2022-06-20 16:47:35.025785641 -0700
|
||||||
|
@@ -16,6 +16,7 @@
|
||||||
|
#include "secdig.h"
|
||||||
|
#include "secerr.h"
|
||||||
|
#include "keyi.h"
|
||||||
|
+#include "nss.h"
|
||||||
|
|
||||||
|
/*
|
||||||
|
** Recover the DigestInfo from an RSA PKCS#1 signature.
|
||||||
|
@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
|
||||||
|
unsigned int sigLen;
|
||||||
|
KeyType type;
|
||||||
|
PRUint32 policyFlags;
|
||||||
|
+ PRInt32 optFlags;
|
||||||
|
|
||||||
|
/* make sure the encryption algorithm matches the key type */
|
||||||
|
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
|
||||||
|
@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
|
||||||
|
PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||||
|
+ if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
|
||||||
|
+ rv = seckey_EnforceKeySize(key->keyType,
|
||||||
|
+ SECKEY_PublicKeyStrengthInBits(key),
|
||||||
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||||
|
+ if (rv != SECSuccess) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
/* check the policy on the encryption algorithm */
|
||||||
|
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
|
||||||
|
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||||
|
diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h
|
||||||
|
--- ./lib/freebl/blapit.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/freebl/blapit.h 2022-06-20 16:47:35.025785641 -0700
|
||||||
|
@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
|
||||||
|
* These values come from the initial key size limits from the PKCS #11
|
||||||
|
* module. They may be arbitrarily adjusted to any value freebl supports.
|
||||||
|
*/
|
||||||
|
-#define RSA_MIN_MODULUS_BITS 128
|
||||||
|
+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
|
||||||
|
#define RSA_MAX_MODULUS_BITS 16384
|
||||||
|
#define RSA_MAX_EXPONENT_BITS 64
|
||||||
|
#define DH_MIN_P_BITS 128
|
||||||
|
diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h
|
||||||
|
--- ./lib/nss/nss.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/nss/nss.h 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
|
||||||
|
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
|
||||||
|
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
|
||||||
|
|
||||||
|
+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
|
||||||
|
+ * the NSS_XXX_MIN_KEY_SIZE values.
|
||||||
|
+ * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
|
||||||
|
+ * value
|
||||||
|
+ * On get it returns all the flags
|
||||||
|
+ * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
|
||||||
|
+ * does not affect the other flags
|
||||||
|
+ * On get it returns all the flags
|
||||||
|
+ * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
|
||||||
|
+ * value and does not affect the other flags
|
||||||
|
+ * On get it returns all the compliment of all the flags
|
||||||
|
+ * (cleared flags == 1) */
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
|
||||||
|
+/* currently defined flags */
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
|
||||||
|
+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
|
||||||
|
+
|
||||||
|
+#define NSS_ECC_MIN_KEY_SIZE 0x011
|
||||||
|
+
|
||||||
|
/*
|
||||||
|
* Set and get global options for the NSS library.
|
||||||
|
*/
|
||||||
|
diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c
|
||||||
|
--- ./lib/nss/nssoptions.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/nss/nssoptions.c 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -26,6 +26,8 @@ struct nssOps {
|
||||||
|
PRInt32 dtlsVersionMaxPolicy;
|
||||||
|
PRInt32 pkcs12DecodeForceUnicode;
|
||||||
|
PRInt32 defaultLocks;
|
||||||
|
+ PRInt32 keySizePolicyFlags;
|
||||||
|
+ PRInt32 eccMinKeySize;
|
||||||
|
};
|
||||||
|
|
||||||
|
static struct nssOps nss_ops = {
|
||||||
|
@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
|
||||||
|
1,
|
||||||
|
0xffff,
|
||||||
|
PR_FALSE,
|
||||||
|
- 0
|
||||||
|
+ 0,
|
||||||
|
+ NSS_KEY_SIZE_POLICY_SSL_FLAG,
|
||||||
|
+ SSL_ECC_MIN_CURVE_BITS
|
||||||
|
};
|
||||||
|
|
||||||
|
SECStatus
|
||||||
|
@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
|
||||||
|
case NSS_DEFAULT_LOCKS:
|
||||||
|
nss_ops.defaultLocks = value;
|
||||||
|
break;
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
||||||
|
+ nss_ops.keySizePolicyFlags = value;
|
||||||
|
+ break;
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
||||||
|
+ nss_ops.keySizePolicyFlags |= value;
|
||||||
|
+ break;
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
||||||
|
+ nss_ops.keySizePolicyFlags &= ~value;
|
||||||
|
+ break;
|
||||||
|
+ case NSS_ECC_MIN_KEY_SIZE:
|
||||||
|
+ nss_ops.eccMinKeySize = value;
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||||
|
rv = SECFailure;
|
||||||
|
@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
|
||||||
|
case NSS_DEFAULT_LOCKS:
|
||||||
|
*value = nss_ops.defaultLocks;
|
||||||
|
break;
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
||||||
|
+ *value = nss_ops.keySizePolicyFlags;
|
||||||
|
+ break;
|
||||||
|
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
||||||
|
+ *value = ~nss_ops.keySizePolicyFlags;
|
||||||
|
+ break;
|
||||||
|
+ case NSS_ECC_MIN_KEY_SIZE:
|
||||||
|
+ *value = nss_ops.eccMinKeySize;
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
rv = SECFailure;
|
||||||
|
}
|
||||||
|
diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h
|
||||||
|
--- ./lib/nss/nssoptions.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/nss/nssoptions.h 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -18,3 +18,5 @@
|
||||||
|
* happens because NSS used to count bit lengths incorrectly. */
|
||||||
|
#define SSL_DH_MIN_P_BITS 1023
|
||||||
|
#define SSL_DSA_MIN_P_BITS 1023
|
||||||
|
+/* not really used by SSL, but define it here for consistency */
|
||||||
|
+#define SSL_ECC_MIN_CURVE_BITS 256
|
||||||
|
diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c
|
||||||
|
--- ./lib/pk11wrap/pk11kea.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/pk11wrap/pk11kea.c 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
|
||||||
|
if (privKeyHandle == CK_INVALID_HANDLE) {
|
||||||
|
PK11RSAGenParams rsaParams;
|
||||||
|
|
||||||
|
- if (symKeyLength > 53) /* bytes */ {
|
||||||
|
- /* we'd have to generate an RSA key pair > 512 bits long,
|
||||||
|
+ if (symKeyLength > 120) /* bytes */ {
|
||||||
|
+ /* we'd have to generate an RSA key pair > 1024 bits long,
|
||||||
|
** and that's too costly. Don't even try.
|
||||||
|
*/
|
||||||
|
PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
|
||||||
|
goto rsa_failed;
|
||||||
|
}
|
||||||
|
- rsaParams.keySizeInBits =
|
||||||
|
- (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
|
||||||
|
+ rsaParams.keySizeInBits = 1024;
|
||||||
|
rsaParams.pe = 0x10001;
|
||||||
|
privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||||||
|
&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
|
||||||
|
diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c
|
||||||
|
--- ./lib/pk11wrap/pk11pars.c.sign_policy 2022-06-20 16:47:35.004785510 -0700
|
||||||
|
+++ ./lib/pk11wrap/pk11pars.c 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[]
|
||||||
|
{ CIPHER_NAME("DTLS1.3"), 0x304 },
|
||||||
|
};
|
||||||
|
|
||||||
|
+static const optionFreeDef keySizeFlagsList[] = {
|
||||||
|
+ { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
|
||||||
|
+ { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
|
||||||
|
+ { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
static const optionFreeDef freeOptList[] = {
|
||||||
|
|
||||||
|
/* Restrictions for asymetric keys */
|
||||||
|
{ CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
|
||||||
|
{ CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
|
||||||
|
{ CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
|
||||||
|
+ { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
|
||||||
|
+ /* what operations doe the key size apply to */
|
||||||
|
+ { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
|
||||||
|
/* constraints on SSL Protocols */
|
||||||
|
{ CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
|
||||||
|
{ CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
|
||||||
|
@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol
|
||||||
|
*result = val;
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
+ /* handle any ssl strings */
|
||||||
|
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
|
||||||
|
if (policyValueLength == sslOptList[i].name_size &&
|
||||||
|
PORT_Strncasecmp(sslOptList[i].name, policyValue,
|
||||||
|
@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol
|
||||||
|
return SECSuccess;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- return SECFailure;
|
||||||
|
+ /* handle key_size flags. Each flag represents a bit, which
|
||||||
|
+ * gets or'd together. They can be separated by , | or + */
|
||||||
|
+ val = 0;
|
||||||
|
+ while (*policyValue) {
|
||||||
|
+ PRBool found = PR_FALSE;
|
||||||
|
+ for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
|
||||||
|
+ if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
|
||||||
|
+ keySizeFlagsList[i].name_size) == 0) {
|
||||||
|
+ val |= keySizeFlagsList[i].option;
|
||||||
|
+ found = PR_TRUE;
|
||||||
|
+ policyValue += keySizeFlagsList[i].name_size;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if (!found) {
|
||||||
|
+ return SECFailure;
|
||||||
|
+ }
|
||||||
|
+ if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
|
||||||
|
+ policyValue++;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ *result = val;
|
||||||
|
+ return SECSuccess;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Policy operations:
|
||||||
|
diff -up ./lib/softoken/fips_algorithms.h.sign_policy ./lib/softoken/fips_algorithms.h
|
||||||
|
--- ./lib/softoken/fips_algorithms.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./lib/softoken/fips_algorithms.h 2022-06-20 16:47:35.026785647 -0700
|
||||||
|
@@ -54,7 +54,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
||||||
|
/* mechanisms using the same key types share the same key type
|
||||||
|
* limits */
|
||||||
|
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
||||||
|
-#define RSA_FB_STEP 1024
|
||||||
|
+#define RSA_FB_STEP 1
|
||||||
|
+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
|
||||||
|
+#define RSA_LEGACY_FB_STEP 256
|
||||||
|
#define DSA_FB_KEY 2048, 4096 /* min, max */
|
||||||
|
#define DSA_FB_STEP 1024
|
||||||
|
#define DH_FB_KEY 2048, 4096 /* min, max */
|
||||||
|
@@ -66,6 +68,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
||||||
|
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
/* -------------- RSA Multipart Signing Operations -------------------- */
|
||||||
|
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
@@ -75,6 +78,14 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
|
||||||
|
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||||
|
/* ------------------------- DSA Operations --------------------------- */
|
||||||
|
{ CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
{ CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone },
|
||||||
|
diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c
|
||||||
|
--- ./lib/ssl/ssl3con.c.sign_policy 2022-06-20 16:47:34.998785473 -0700
|
||||||
|
+++ ./lib/ssl/ssl3con.c 2022-06-20 16:47:35.028785660 -0700
|
||||||
|
@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
||||||
|
unsigned dh_p_bits;
|
||||||
|
unsigned dh_g_bits;
|
||||||
|
PRInt32 minDH;
|
||||||
|
+ PRInt32 optval;
|
||||||
|
+ PRBool usePolicyLength = PR_FALSE;
|
||||||
|
|
||||||
|
SSL3Hashes hashes;
|
||||||
|
SECItem signature = { siBuffer, NULL, 0 };
|
||||||
|
@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
goto loser; /* malformed. */
|
||||||
|
}
|
||||||
|
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||||
|
+ if (rv == SECSuccess) {
|
||||||
|
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
|
||||||
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
|
||||||
|
+ : SECFailure;
|
||||||
|
if (rv != SECSuccess || minDH <= 0) {
|
||||||
|
minDH = SSL_DH_MIN_P_BITS;
|
||||||
|
}
|
||||||
|
@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||||
|
SECStatus rv;
|
||||||
|
PRUint32 minKey;
|
||||||
|
PRInt32 optval;
|
||||||
|
+ PRBool usePolicyLength = PR_TRUE;
|
||||||
|
+
|
||||||
|
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||||
|
+ if (rv == SECSuccess) {
|
||||||
|
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
|
||||||
|
switch (SECKEY_GetPublicKeyType(pubKey)) {
|
||||||
|
case rsaKey:
|
||||||
|
case rsaPssKey:
|
||||||
|
case rsaOaepKey:
|
||||||
|
- rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
|
||||||
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
|
||||||
|
+ : SECFailure;
|
||||||
|
if (rv == SECSuccess && optval > 0) {
|
||||||
|
minKey = (PRUint32)optval;
|
||||||
|
} else {
|
||||||
|
@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||||
|
break;
|
||||||
|
|
||||||
|
case dsaKey:
|
||||||
|
- rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
|
||||||
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
|
||||||
|
+ : SECFailure;
|
||||||
|
if (rv == SECSuccess && optval > 0) {
|
||||||
|
minKey = (PRUint32)optval;
|
||||||
|
} else {
|
||||||
|
@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||||
|
break;
|
||||||
|
|
||||||
|
case dhKey:
|
||||||
|
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
|
||||||
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
|
||||||
|
+ : SECFailure;
|
||||||
|
if (rv == SECSuccess && optval > 0) {
|
||||||
|
minKey = (PRUint32)optval;
|
||||||
|
} else {
|
||||||
|
@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||||
|
break;
|
||||||
|
|
||||||
|
case ecKey:
|
||||||
|
- /* Don't check EC strength here on the understanding that we only
|
||||||
|
- * support curves we like. */
|
||||||
|
- minKey = ss->sec.authKeyBits;
|
||||||
|
+ rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
|
||||||
|
+ : SECFailure;
|
||||||
|
+ if (rv == SECSuccess && optval > 0) {
|
||||||
|
+ minKey = (PRUint32)optval;
|
||||||
|
+ } else {
|
||||||
|
+ /* Don't check EC strength here on the understanding that we
|
||||||
|
+ * only support curves we like. */
|
||||||
|
+ minKey = ss->sec.authKeyBits;
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
|
||||||
|
default:
|
||||||
|
diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt
|
||||||
|
--- ./tests/policy/crypto-policy.txt.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||||
|
+++ ./tests/policy/crypto-policy.txt 2022-06-20 16:47:35.028785660 -0700
|
||||||
|
@@ -6,6 +6,8 @@
|
||||||
|
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
|
||||||
|
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
|
||||||
|
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
|
||||||
|
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
|
||||||
|
+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
|
||||||
|
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
|
||||||
|
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
|
||||||
|
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
|
||||||
|
diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
|
||||||
|
--- ./tests/ssl/sslpolicy.txt.sign_policy 2022-06-20 16:47:35.028785660 -0700
|
||||||
|
+++ ./tests/ssl/sslpolicy.txt 2022-06-20 16:50:08.958742135 -0700
|
||||||
|
@@ -196,6 +196,11 @@
|
||||||
|
# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||||
|
# compatibility reasons
|
||||||
|
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||||
|
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||||
|
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||||
|
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||||
|
++ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||||
|
+
|
||||||
|
# test default settings
|
||||||
|
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
||||||
|
# were successful by locking in our settings
|
||||||
|
diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh
|
||||||
|
--- ./tests/dbupgrade/dbupgrade.sh.sign_policy 2022-06-22 08:43:55.905407738 -0700
|
||||||
|
+++ ./tests/dbupgrade/dbupgrade.sh 2022-06-22 08:43:58.837426779 -0700
|
||||||
|
@@ -69,7 +69,7 @@ dbupgrade_main()
|
||||||
|
echo $i
|
||||||
|
if [ -d $i ]; then
|
||||||
|
echo "upgrading db $i"
|
||||||
|
- ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
|
||||||
|
+ ${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
|
||||||
|
html_msg $? 0 "Upgrading $i"
|
||||||
|
else
|
||||||
|
echo "skipping db $i"
|
||||||
@ -1,62 +0,0 @@
|
|||||||
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
|
||||||
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
|
||||||
@@ -953,23 +953,23 @@
|
|
||||||
getBoundListenSocket(unsigned short port)
|
|
||||||
{
|
|
||||||
PRFileDesc *listen_sock;
|
|
||||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
|
||||||
PRStatus prStatus;
|
|
||||||
PRNetAddr addr;
|
|
||||||
PRSocketOptionData opt;
|
|
||||||
|
|
||||||
- addr.inet.family = PR_AF_INET;
|
|
||||||
- addr.inet.ip = PR_INADDR_ANY;
|
|
||||||
- addr.inet.port = PR_htons(port);
|
|
||||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
|
||||||
+ errExit("PR_SetNetAddr");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- listen_sock = PR_NewTCPSocket();
|
|
||||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
|
||||||
if (listen_sock == NULL) {
|
|
||||||
- errExit("PR_NewTCPSocket");
|
|
||||||
+ errExit("PR_OpenTCPSockett");
|
|
||||||
}
|
|
||||||
|
|
||||||
opt.option = PR_SockOpt_Nonblocking;
|
|
||||||
opt.value.non_blocking = PR_FALSE;
|
|
||||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
|
||||||
if (prStatus < 0) {
|
|
||||||
PR_Close(listen_sock);
|
|
||||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
|
||||||
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
|
||||||
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
|
||||||
@@ -1711,23 +1711,23 @@
|
|
||||||
getBoundListenSocket(unsigned short port)
|
|
||||||
{
|
|
||||||
PRFileDesc *listen_sock;
|
|
||||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
|
||||||
PRStatus prStatus;
|
|
||||||
PRNetAddr addr;
|
|
||||||
PRSocketOptionData opt;
|
|
||||||
|
|
||||||
- addr.inet.family = PR_AF_INET;
|
|
||||||
- addr.inet.ip = PR_INADDR_ANY;
|
|
||||||
- addr.inet.port = PR_htons(port);
|
|
||||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
|
||||||
+ errExit("PR_SetNetAddr");
|
|
||||||
+ }
|
|
||||||
|
|
||||||
- listen_sock = PR_NewTCPSocket();
|
|
||||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
|
||||||
if (listen_sock == NULL) {
|
|
||||||
- errExit("PR_NewTCPSocket");
|
|
||||||
+ errExit("PR_OpenTCPSocket error");
|
|
||||||
}
|
|
||||||
|
|
||||||
opt.option = PR_SockOpt_Nonblocking;
|
|
||||||
opt.value.non_blocking = PR_FALSE;
|
|
||||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
|
||||||
if (prStatus < 0) {
|
|
||||||
PR_Close(listen_sock);
|
|
||||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
|
||||||
109
nss.spec
109
nss.spec
@ -1,6 +1,7 @@
|
|||||||
%global nspr_build_version 4.25.0
|
%global nspr_build_version 4.34.0-3
|
||||||
%global nspr_version 4.25.0
|
%global nspr_release -3
|
||||||
%global nss_version 3.67.0
|
%global nspr_version 4.34.0
|
||||||
|
%global nss_version 3.79.0
|
||||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||||
%global saved_files_dir %{_libdir}/nss/saved
|
%global saved_files_dir %{_libdir}/nss/saved
|
||||||
%global dracutlibdir %{_prefix}/lib/dracut
|
%global dracutlibdir %{_prefix}/lib/dracut
|
||||||
@ -44,13 +45,28 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
|||||||
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
|
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# This is taken from gnutls.spec
|
||||||
|
%define srpmhash() %{lua:
|
||||||
|
local files = rpm.expand("%_specdir/nss.spec")
|
||||||
|
for i, p in ipairs(patches) do
|
||||||
|
files = files.." "..p
|
||||||
|
end
|
||||||
|
for i, p in ipairs(sources) do
|
||||||
|
files = files.." "..p
|
||||||
|
end
|
||||||
|
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
|
||||||
|
local hash = sha256sum:read("*a")
|
||||||
|
sha256sum:close()
|
||||||
|
print(string.sub(hash, 0, 16))
|
||||||
|
}
|
||||||
|
|
||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 7%{?dist}
|
Release: 7%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||||
Requires: nss-util >= %{nss_version}
|
Requires: nss-util >= %{nss_version}
|
||||||
# TODO: revert to same version as nss once we are done with the merge
|
# TODO: revert to same version as nss once we are done with the merge
|
||||||
Requires: nss-softokn%{_isa} >= %{nss_version}
|
Requires: nss-softokn%{_isa} >= %{nss_version}
|
||||||
@ -93,12 +109,9 @@ Source25: key3.db.xml
|
|||||||
Source26: key4.db.xml
|
Source26: key4.db.xml
|
||||||
Source27: secmod.db.xml
|
Source27: secmod.db.xml
|
||||||
Source28: nss-p11-kit.config
|
Source28: nss-p11-kit.config
|
||||||
Source30: PayPalEE.cert
|
|
||||||
|
|
||||||
# To inject hardening flags for DSO
|
# To inject hardening flags for DSO
|
||||||
Patch1: nss-dso-ldflags.patch
|
Patch1: nss-dso-ldflags.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
|
||||||
Patch2: nss-539183.patch
|
|
||||||
# This patch uses the GCC -iquote option documented at
|
# This patch uses the GCC -iquote option documented at
|
||||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||||
# to give the in-tree headers a higher priority over the system headers,
|
# to give the in-tree headers a higher priority over the system headers,
|
||||||
@ -138,27 +151,18 @@ Patch40: nss-3.66-disable-signature-policies.patch
|
|||||||
Patch45: nss-3.66-disable-external-host-test.patch
|
Patch45: nss-3.66-disable-external-host-test.patch
|
||||||
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
||||||
Patch50: nss-3.66-restore-old-pkcs12-default.patch
|
Patch50: nss-3.66-restore-old-pkcs12-default.patch
|
||||||
|
# Local Patch: restore expired distrusted certs for now
|
||||||
|
Patch51: nss-3.79-revert-distrusted-certs.patch
|
||||||
|
|
||||||
# Patches that should be upstreamed, and (hopefully) will disappear next
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
|
||||||
# rebase
|
Patch60: nss-3.79-dbtool.patch
|
||||||
# Need upstream bug
|
Patch61: nss-3.79-dont-verify-default.patch
|
||||||
Patch219: nss-3.44-kbkdf-coverity.patch
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1774654
|
||||||
# no upsteam bug yet
|
Patch63: nss-3.79-fix-client-cert-crash.patch
|
||||||
Patch225: nss-3.67-fix-private-key-mac.patch
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1767883
|
||||||
# no upstream bug yet
|
Patch64: nss-3.79-rhel-8-fips-signature-policy.patch
|
||||||
Patch229: nss-3.53.1-measure-fix.patch
|
Patch65: nss-3.79-enable-POST-rerun.patch
|
||||||
# no upstream bug yet
|
Patch66: nss-3.79-increase-pbe-cache.patch
|
||||||
Patch230: nss-3.66-no-small-primes.patch
|
|
||||||
# no upstream bug yet
|
|
||||||
Patch232: nss-3.66-fix-gtest-parsing.patch
|
|
||||||
# no upstream bug yet
|
|
||||||
Patch233: nss-3.67-fix-coverity-issues.patch
|
|
||||||
# no upstream bug yet
|
|
||||||
Patch234: nss-3.67-fix-sdb-timeout.patch
|
|
||||||
# no upstream bug yet
|
|
||||||
Patch235: nss-3.67-fix-ssl-alerts.patch
|
|
||||||
Patch300: nss-3.67-cve-2021-43527.patch
|
|
||||||
Patch301: nss-3.67-cve-2021-43527-test.patch
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -203,7 +207,7 @@ Provides: nss-static = %{version}-%{release}
|
|||||||
Requires: nss%{?_isa} = %{version}-%{release}
|
Requires: nss%{?_isa} = %{version}-%{release}
|
||||||
Requires: nss-util-devel
|
Requires: nss-util-devel
|
||||||
Requires: nss-softokn-devel
|
Requires: nss-softokn-devel
|
||||||
Requires: nspr-devel >= %{nspr_version}
|
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||||
Requires: pkgconfig
|
Requires: pkgconfig
|
||||||
BuildRequires: xmlto
|
BuildRequires: xmlto
|
||||||
|
|
||||||
@ -224,7 +228,7 @@ low level services.
|
|||||||
|
|
||||||
%package util
|
%package util
|
||||||
Summary: Network Security Services Utilities Library
|
Summary: Network Security Services Utilities Library
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||||
|
|
||||||
%description util
|
%description util
|
||||||
Utilities for Network Security Services and the Softoken module
|
Utilities for Network Security Services and the Softoken module
|
||||||
@ -232,7 +236,7 @@ Utilities for Network Security Services and the Softoken module
|
|||||||
%package util-devel
|
%package util-devel
|
||||||
Summary: Development libraries for Network Security Services Utilities
|
Summary: Development libraries for Network Security Services Utilities
|
||||||
Requires: nss-util%{?_isa} = %{version}-%{release}
|
Requires: nss-util%{?_isa} = %{version}-%{release}
|
||||||
Requires: nspr-devel >= %{nspr_version}
|
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||||
Requires: pkgconfig
|
Requires: pkgconfig
|
||||||
|
|
||||||
%description util-devel
|
%description util-devel
|
||||||
@ -241,7 +245,7 @@ Header and library files for doing development with Network Security Services.
|
|||||||
|
|
||||||
%package softokn
|
%package softokn
|
||||||
Summary: Network Security Services Softoken Module
|
Summary: Network Security Services Softoken Module
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||||
Requires: nss-util >= %{version}-%{release}
|
Requires: nss-util >= %{version}-%{release}
|
||||||
Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
|
Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
|
||||||
|
|
||||||
@ -278,7 +282,7 @@ Developers should rely only on the officially supported NSS public API.
|
|||||||
Summary: Development libraries for Network Security Services
|
Summary: Development libraries for Network Security Services
|
||||||
Requires: nss-softokn%{?_isa} = %{version}-%{release}
|
Requires: nss-softokn%{?_isa} = %{version}-%{release}
|
||||||
Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
|
Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
|
||||||
Requires: nspr-devel >= %{nspr_version}
|
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||||
Requires: nss-util-devel >= %{version}-%{release}
|
Requires: nss-util-devel >= %{version}-%{release}
|
||||||
Requires: pkgconfig
|
Requires: pkgconfig
|
||||||
BuildRequires: nspr-devel >= %{nspr_build_version}
|
BuildRequires: nspr-devel >= %{nspr_build_version}
|
||||||
@ -296,9 +300,6 @@ popd
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
||||||
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
||||||
|
|
||||||
#update paypal cert (git binary patches don't work with autopatch)
|
|
||||||
cp %{SOURCE30} nss/tests/libpkix/certs/
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
export FREEBL_NO_DEPEND=1
|
export FREEBL_NO_DEPEND=1
|
||||||
@ -312,7 +313,13 @@ export FREEBL_LOWHASH=1
|
|||||||
# uncomment if the iquote patch is activated
|
# uncomment if the iquote patch is activated
|
||||||
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
||||||
|
|
||||||
|
# FIPS related defines
|
||||||
export NSS_FORCE_FIPS=1
|
export NSS_FORCE_FIPS=1
|
||||||
|
export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
|
||||||
|
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
|
||||||
|
export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
|
||||||
|
export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
|
||||||
|
|
||||||
|
|
||||||
# Enable compiler optimizations and disable debugging code
|
# Enable compiler optimizations and disable debugging code
|
||||||
export BUILD_OPT=1
|
export BUILD_OPT=1
|
||||||
@ -603,7 +610,7 @@ do
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Copy the binaries we ship as unsupported
|
# Copy the binaries we ship as unsupported
|
||||||
for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
|
for file in bltest dbtool ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain
|
||||||
do
|
do
|
||||||
install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
|
install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
|
||||||
done
|
done
|
||||||
@ -728,6 +735,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
%{unsupported_tools_directory}/strsclnt
|
%{unsupported_tools_directory}/strsclnt
|
||||||
%{unsupported_tools_directory}/symkeyutil
|
%{unsupported_tools_directory}/symkeyutil
|
||||||
%{unsupported_tools_directory}/tstclnt
|
%{unsupported_tools_directory}/tstclnt
|
||||||
|
%{unsupported_tools_directory}/validation
|
||||||
%{unsupported_tools_directory}/vfyserv
|
%{unsupported_tools_directory}/vfyserv
|
||||||
%{unsupported_tools_directory}/vfychain
|
%{unsupported_tools_directory}/vfychain
|
||||||
# instead of %%{_mandir}/man*/* let's list them explicitly
|
# instead of %%{_mandir}/man*/* let's list them explicitly
|
||||||
@ -885,6 +893,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
%dir %{saved_files_dir}
|
%dir %{saved_files_dir}
|
||||||
%dir %{unsupported_tools_directory}
|
%dir %{unsupported_tools_directory}
|
||||||
%{unsupported_tools_directory}/bltest
|
%{unsupported_tools_directory}/bltest
|
||||||
|
%{unsupported_tools_directory}/dbtool
|
||||||
%{unsupported_tools_directory}/ecperf
|
%{unsupported_tools_directory}/ecperf
|
||||||
%{unsupported_tools_directory}/fbectest
|
%{unsupported_tools_directory}/fbectest
|
||||||
%{unsupported_tools_directory}/fipstest
|
%{unsupported_tools_directory}/fipstest
|
||||||
@ -932,6 +941,34 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jul 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
|
||||||
|
- Better fix for test regressions
|
||||||
|
|
||||||
|
* Mon Jun 27 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
|
||||||
|
- fix nss.spec so it works in a rhel-8.1.0 buildroot
|
||||||
|
|
||||||
|
* Mon Jun 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
|
||||||
|
- FIPS 140-3 changes
|
||||||
|
- Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject
|
||||||
|
signature keys by policy
|
||||||
|
- Allow applications to retrigger selftests on demand.
|
||||||
|
|
||||||
|
* Fri Jun 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
|
||||||
|
- Fix pkgconfig output
|
||||||
|
|
||||||
|
* Wed Jun 15 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
|
||||||
|
- NSR Coverity fix changed selfserv from passive to active, change it back
|
||||||
|
|
||||||
|
* Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
|
||||||
|
- Fix regressions found in test suites.
|
||||||
|
|
||||||
|
* Thu Jun 2 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
|
||||||
|
- Rebase to NSS 3.79
|
||||||
|
- Set FIPS Module ID
|
||||||
|
- skip attribute verification on attributes with default values
|
||||||
|
- don't export trust objects if they are default trust objects from dbm
|
||||||
|
- add dbtool to nss-tools
|
||||||
|
|
||||||
* Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
|
* Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
|
||||||
- Fix CVE 2021 43527
|
- Fix CVE 2021 43527
|
||||||
|
|
||||||
3
sources
3
sources
@ -1,7 +1,6 @@
|
|||||||
SHA512 (PayPalEE.cert) = 6b9dc010c6c4af510ace4357c16dc27a290673a2488299d4a577ee416f192e39c07d3c407585eb1ebd1c400ef7f44466626d8cb16692d93b2925d402ca23e9f0
|
|
||||||
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
|
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
|
||||||
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
|
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
|
||||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||||
SHA512 (nss-3.67.tar.gz) = 1d3fa3fafbf3e54c9c3b54b0b3c291aebb48542380a1b704fa07359d3cefab93f166b31928c9db190ed58118e289e67ce8aa1619e4219d69b2c098484a22bc9d
|
SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d
|
||||||
Loading…
Reference in New Issue
Block a user