Resloves: RHEL-46841
Rebase NSS to nss-3.101
This commit is contained in:
parent
7d5fbbbfb8
commit
b427a91a63
1
.gitignore
vendored
1
.gitignore
vendored
@ -11,3 +11,4 @@ SOURCES/nss-3.79.tar.gz
|
|||||||
/blank-secmod.db
|
/blank-secmod.db
|
||||||
/nss-3.79.tar.gz
|
/nss-3.79.tar.gz
|
||||||
/nss-3.90.tar.gz
|
/nss-3.90.tar.gz
|
||||||
|
/nss-3.101.tar.gz
|
||||||
|
Binary file not shown.
@ -1,949 +0,0 @@
|
|||||||
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
|
|
||||||
--- a/lib/freebl/mpi/mpi-priv.h
|
|
||||||
+++ b/lib/freebl/mpi/mpi-priv.h
|
|
||||||
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
|
|
||||||
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
|
|
||||||
mp_digit b, mp_digit *c);
|
|
||||||
|
|
||||||
#endif
|
|
||||||
|
|
||||||
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
|
|
||||||
mp_size a_len, mp_digit b,
|
|
||||||
mp_digit *c);
|
|
||||||
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
|
|
||||||
+ mp_size a_len, mp_digit b,
|
|
||||||
+ mp_digit *c, mp_size c_len);
|
|
||||||
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
|
|
||||||
mp_size a_len,
|
|
||||||
mp_digit *sqrs);
|
|
||||||
|
|
||||||
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
|
|
||||||
mp_digit divisor, mp_digit *quot, mp_digit *rem);
|
|
||||||
|
|
||||||
/* c += a * b * (MP_RADIX ** offset); */
|
|
||||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
|
||||||
--- a/lib/freebl/mpi/mpi.c
|
|
||||||
+++ b/lib/freebl/mpi/mpi.c
|
|
||||||
@@ -5,16 +5,18 @@
|
|
||||||
*
|
|
||||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
||||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
||||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
||||||
|
|
||||||
#include "mpi-priv.h"
|
|
||||||
#include "mplogic.h"
|
|
||||||
|
|
||||||
+#include <assert.h>
|
|
||||||
+
|
|
||||||
#if defined(__arm__) && \
|
|
||||||
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
|
|
||||||
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
|
|
||||||
#undef MP_ASSEMBLY_MULTIPLY
|
|
||||||
#undef MP_ASSEMBLY_SQUARE
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if MP_LOGTAB
|
|
||||||
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
|
|
||||||
|
|
||||||
CLEANUP:
|
|
||||||
return res;
|
|
||||||
|
|
||||||
} /* end mp_sub() */
|
|
||||||
|
|
||||||
/* }}} */
|
|
||||||
|
|
||||||
-/* {{{ mp_mul(a, b, c) */
|
|
||||||
+/* {{{ s_mp_mulg(a, b, c) */
|
|
||||||
|
|
||||||
/*
|
|
||||||
- mp_mul(a, b, c)
|
|
||||||
-
|
|
||||||
- Compute c = a * b. All parameters may be identical.
|
|
||||||
+ s_mp_mulg(a, b, c)
|
|
||||||
+
|
|
||||||
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
|
|
||||||
+ then the operations are done in constant time. The original is mostly
|
|
||||||
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
|
|
||||||
+ of the x86 assembler, as well as the current c code.
|
|
||||||
*/
|
|
||||||
mp_err
|
|
||||||
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
|
||||||
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
|
|
||||||
{
|
|
||||||
mp_digit *pb;
|
|
||||||
mp_int tmp;
|
|
||||||
mp_err res;
|
|
||||||
mp_size ib;
|
|
||||||
mp_size useda, usedb;
|
|
||||||
|
|
||||||
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
|
|
||||||
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
|
|
||||||
}
|
|
||||||
|
|
||||||
MP_USED(c) = 1;
|
|
||||||
MP_DIGIT(c, 0) = 0;
|
|
||||||
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
|
|
||||||
goto CLEANUP;
|
|
||||||
|
|
||||||
#ifdef NSS_USE_COMBA
|
|
||||||
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
|
||||||
+ /* comba isn't constant time because it clamps! If we cared
|
|
||||||
+ * (we needed a constant time version of multiply that was 'faster'
|
|
||||||
+ * we could easily pass constantTime down to the comba code and
|
|
||||||
+ * get it to skip the clamp... but here are assembler versions
|
|
||||||
+ * which add comba to platforms that can't compile the normal
|
|
||||||
+ * comba's imbedded assembler which would also need to change, so
|
|
||||||
+ * for now we just skip comba when we are running constant time. */
|
|
||||||
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
|
||||||
if (MP_USED(a) == 4) {
|
|
||||||
s_mp_mul_comba_4(a, b, c);
|
|
||||||
goto CLEANUP;
|
|
||||||
}
|
|
||||||
if (MP_USED(a) == 8) {
|
|
||||||
s_mp_mul_comba_8(a, b, c);
|
|
||||||
goto CLEANUP;
|
|
||||||
}
|
|
||||||
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
|
|
||||||
|
|
||||||
/* Outer loop: Digits of b */
|
|
||||||
useda = MP_USED(a);
|
|
||||||
usedb = MP_USED(b);
|
|
||||||
for (ib = 1; ib < usedb; ib++) {
|
|
||||||
mp_digit b_i = *pb++;
|
|
||||||
|
|
||||||
/* Inner product: Digits of a */
|
|
||||||
- if (b_i)
|
|
||||||
+ if (constantTime || b_i)
|
|
||||||
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
|
|
||||||
else
|
|
||||||
MP_DIGIT(c, ib + useda) = b_i;
|
|
||||||
}
|
|
||||||
|
|
||||||
- s_mp_clamp(c);
|
|
||||||
+ if (!constantTime) {
|
|
||||||
+ s_mp_clamp(c);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
|
|
||||||
SIGN(c) = ZPOS;
|
|
||||||
else
|
|
||||||
SIGN(c) = NEG;
|
|
||||||
|
|
||||||
CLEANUP:
|
|
||||||
mp_clear(&tmp);
|
|
||||||
return res;
|
|
||||||
+} /* end smp_mulg() */
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
+/* {{{ mp_mul(a, b, c) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ mp_mul(a, b, c)
|
|
||||||
+
|
|
||||||
+ Compute c = a * b. All parameters may be identical.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+mp_err
|
|
||||||
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
|
||||||
+{
|
|
||||||
+ return s_mp_mulg(a, b, c, 0);
|
|
||||||
} /* end mp_mul() */
|
|
||||||
|
|
||||||
/* }}} */
|
|
||||||
|
|
||||||
+/* {{{ mp_mulCT(a, b, c) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ mp_mulCT(a, b, c)
|
|
||||||
+
|
|
||||||
+ Compute c = a * b. In constant time. Parameters may not be identical.
|
|
||||||
+ NOTE: a and b may be modified.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+mp_err
|
|
||||||
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
|
|
||||||
+{
|
|
||||||
+ mp_err res;
|
|
||||||
+
|
|
||||||
+ /* make the multiply values fixed length so multiply
|
|
||||||
+ * doesn't leak the length. at this point all the
|
|
||||||
+ * values are blinded, but once we finish we want the
|
|
||||||
+ * output size to be hidden (so no clamping the out put) */
|
|
||||||
+ MP_CHECKOK(s_mp_pad(a, setSize));
|
|
||||||
+ MP_CHECKOK(s_mp_pad(b, setSize));
|
|
||||||
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
|
|
||||||
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
|
|
||||||
+CLEANUP:
|
|
||||||
+ return res;
|
|
||||||
+} /* end mp_mulCT() */
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
/* {{{ mp_sqr(a, sqr) */
|
|
||||||
|
|
||||||
#if MP_SQUARE
|
|
||||||
/*
|
|
||||||
Computes the square of a. This can be done more
|
|
||||||
efficiently than a general multiplication, because many of the
|
|
||||||
computation steps are redundant when squaring. The inner product
|
|
||||||
step is a bit more complicated, but we save a fair number of
|
|
||||||
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
|
|
||||||
}
|
|
||||||
|
|
||||||
return MP_OKAY;
|
|
||||||
|
|
||||||
} /* end mp_mod() */
|
|
||||||
|
|
||||||
/* }}} */
|
|
||||||
|
|
||||||
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ s_mp_subCT_d(a, b, borrow, c)
|
|
||||||
+
|
|
||||||
+ Compute c = (a -b) - subtract in constant time. returns borrow
|
|
||||||
+ */
|
|
||||||
+mp_digit
|
|
||||||
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
|
|
||||||
+ mp_digit borrow1, borrow2, t;
|
|
||||||
+#ifdef MP_COMPILER_USES_CARRY
|
|
||||||
+ /* while it doesn't look constant-time, this is idiomatic code
|
|
||||||
+ * to tell compilers to use the carry bit from subtraction */
|
|
||||||
+ t = a - borrow;
|
|
||||||
+ if (t > a) {
|
|
||||||
+ borrow1 = 1;
|
|
||||||
+ } else {
|
|
||||||
+ borrow1 = 0;
|
|
||||||
+ }
|
|
||||||
+ *ret = t - b;
|
|
||||||
+ if (*ret > t) {
|
|
||||||
+ borrow2 = 1;
|
|
||||||
+ } else {
|
|
||||||
+ borrow2 = 0;
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
+ mp_digit bitr, bitb, nbitt;
|
|
||||||
+ /* this is constant time independent of compilier */
|
|
||||||
+ t = a - borrow;
|
|
||||||
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
|
|
||||||
+ *ret = t - b;
|
|
||||||
+ bitb = b >> (MP_DIGIT_BIT-1);
|
|
||||||
+ bitr = *ret >> (MP_DIGIT_BIT-1);
|
|
||||||
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
|
|
||||||
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
|
|
||||||
+#endif
|
|
||||||
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
|
|
||||||
+ * the overall borrow is 1, so use | here */
|
|
||||||
+ return borrow1 | borrow2;
|
|
||||||
+} /* s_mp_subCT_d() */
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
+/* {{{ mp_subCT(a, b, ret, borrow) */
|
|
||||||
+
|
|
||||||
+/* return ret= a - b and borrow in borrow. done in constant time.
|
|
||||||
+ * b could be modified.
|
|
||||||
+ */
|
|
||||||
+mp_err
|
|
||||||
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
|
|
||||||
+{
|
|
||||||
+ mp_size used_a = MP_USED(a);
|
|
||||||
+ mp_size i;
|
|
||||||
+ mp_err res;
|
|
||||||
+
|
|
||||||
+ MP_CHECKOK(s_mp_pad(b, used_a));
|
|
||||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
|
||||||
+ *borrow = 0;
|
|
||||||
+ for (i=0; i < used_a; i++) {
|
|
||||||
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
|
|
||||||
+ &MP_DIGIT(ret,i));
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ res = MP_OKAY;
|
|
||||||
+CLEANUP:
|
|
||||||
+ return res;
|
|
||||||
+} /* end mp_subCT() */
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
+/* {{{ mp_selectCT(cond, a, b, ret) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * return ret= cond ? a : b; cond should be either 0 or 1
|
|
||||||
+ */
|
|
||||||
+mp_err
|
|
||||||
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
|
|
||||||
+{
|
|
||||||
+ mp_size used_a = MP_USED(a);
|
|
||||||
+ mp_err res;
|
|
||||||
+ mp_size i;
|
|
||||||
+
|
|
||||||
+ cond *= MP_DIGIT_MAX;
|
|
||||||
+
|
|
||||||
+ /* we currently require these to be equal on input,
|
|
||||||
+ * we could use pad to extend one of them, but that might
|
|
||||||
+ * leak data as it wouldn't be constant time */
|
|
||||||
+ assert(used_a == MP_USED(b));
|
|
||||||
+
|
|
||||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
|
||||||
+ for (i=0; i < used_a; i++) {
|
|
||||||
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
|
|
||||||
+ }
|
|
||||||
+ res = MP_OKAY;
|
|
||||||
+CLEANUP:
|
|
||||||
+ return res;
|
|
||||||
+} /* end mp_selectCT() */
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+/* {{{ mp_reduceCT(a, m, c) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ mp_reduceCT(a, m, c)
|
|
||||||
+
|
|
||||||
+ Compute c = aR^-1 (mod m) in constant time.
|
|
||||||
+ input should be in montgomery form. If input is the
|
|
||||||
+ result of a montgomery multiply then out put will be
|
|
||||||
+ in mongomery form.
|
|
||||||
+ Result will be reduced to MP_USED(m), but not be
|
|
||||||
+ clamped.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+mp_err
|
|
||||||
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
|
|
||||||
+{
|
|
||||||
+ mp_size used_m = MP_USED(m);
|
|
||||||
+ mp_size used_c = used_m*2+1;
|
|
||||||
+ mp_digit *m_digits, *c_digits;
|
|
||||||
+ mp_size i;
|
|
||||||
+ mp_digit borrow, carry;
|
|
||||||
+ mp_err res;
|
|
||||||
+ mp_int sub;
|
|
||||||
+
|
|
||||||
+ MP_DIGITS(&sub) = 0;
|
|
||||||
+ MP_CHECKOK(mp_init_size(&sub,used_m));
|
|
||||||
+
|
|
||||||
+ if (a != c) {
|
|
||||||
+ MP_CHECKOK(mp_copy(a, c));
|
|
||||||
+ }
|
|
||||||
+ MP_CHECKOK(s_mp_pad(c, used_c));
|
|
||||||
+ m_digits = MP_DIGITS(m);
|
|
||||||
+ c_digits = MP_DIGITS(c);
|
|
||||||
+ for (i=0; i < used_m; i++) {
|
|
||||||
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
|
|
||||||
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
|
|
||||||
+ }
|
|
||||||
+ s_mp_rshd(c, used_m);
|
|
||||||
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
|
|
||||||
+ * from the previous multiply, save that carry and drop the high
|
|
||||||
+ * word for the substraction below */
|
|
||||||
+ carry = MP_DIGIT(c,used_m);
|
|
||||||
+ MP_DIGIT(c,used_m) = 0;
|
|
||||||
+ MP_USED(c) = used_m;
|
|
||||||
+ /* mp_subCT wants c and m to be the same size, we've already
|
|
||||||
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
|
|
||||||
+ * modify m, so it's safe to recast */
|
|
||||||
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
|
|
||||||
+
|
|
||||||
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
|
|
||||||
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
|
|
||||||
+ res = MP_OKAY;
|
|
||||||
+CLEANUP:
|
|
||||||
+ mp_clear(&sub);
|
|
||||||
+ return res;
|
|
||||||
+} /* end mp_reduceCT() */
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
/* {{{ mp_mod_d(a, d, c) */
|
|
||||||
|
|
||||||
/*
|
|
||||||
mp_mod_d(a, d, c)
|
|
||||||
|
|
||||||
Compute c = a (mod d). Result will always be 0 <= c < d
|
|
||||||
*/
|
|
||||||
mp_err
|
|
||||||
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
|
|
||||||
if ((res = mp_mod(c, m, c)) != MP_OKAY)
|
|
||||||
return res;
|
|
||||||
|
|
||||||
return MP_OKAY;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* }}} */
|
|
||||||
|
|
||||||
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ mp_mulmontmodCT(a, b, m, c)
|
|
||||||
+
|
|
||||||
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
|
|
||||||
+ should be in montgomery form and the output is native. If both a and b
|
|
||||||
+ are in montgomery form, then the output will also be in montgomery form
|
|
||||||
+ and can be recovered with an mp_reduceCT call.
|
|
||||||
+ NOTE: a and b may be modified.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+mp_err
|
|
||||||
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
|
|
||||||
+ mp_int *c)
|
|
||||||
+{
|
|
||||||
+ mp_err res;
|
|
||||||
+
|
|
||||||
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
|
|
||||||
+
|
|
||||||
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
|
|
||||||
+ return res;
|
|
||||||
+
|
|
||||||
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
|
|
||||||
+ return res;
|
|
||||||
+
|
|
||||||
+ return MP_OKAY;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/* }}} */
|
|
||||||
+
|
|
||||||
/* {{{ mp_sqrmod(a, m, c) */
|
|
||||||
|
|
||||||
#if MP_SQUARE
|
|
||||||
mp_err
|
|
||||||
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
|
|
||||||
{
|
|
||||||
mp_err res;
|
|
||||||
|
|
||||||
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
|
|
||||||
{ \
|
|
||||||
mp_digit a0b1, a1b0; \
|
|
||||||
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
|
|
||||||
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
|
|
||||||
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
|
|
||||||
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
|
|
||||||
a1b0 += a0b1; \
|
|
||||||
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
|
|
||||||
- if (a1b0 < a0b1) \
|
|
||||||
- Phi += MP_HALF_RADIX; \
|
|
||||||
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
|
|
||||||
a1b0 <<= MP_HALF_DIGIT_BIT; \
|
|
||||||
Plo += a1b0; \
|
|
||||||
- if (Plo < a1b0) \
|
|
||||||
- ++Phi; \
|
|
||||||
+ Phi += MP_CT_LTU(Plo, a1b0); \
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+/* Constant time version of s_mpv_mul_d_add_prop.
|
|
||||||
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
|
|
||||||
+/* c += a * b */
|
|
||||||
+void
|
|
||||||
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
|
|
||||||
+ mp_digit *c, mp_size c_len)
|
|
||||||
+{
|
|
||||||
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
|
||||||
+ mp_digit d = 0;
|
|
||||||
+
|
|
||||||
+ c_len -= a_len;
|
|
||||||
+ /* Inner product: Digits of a */
|
|
||||||
+ while (a_len--) {
|
|
||||||
+ mp_word w = ((mp_word)b * *a++) + *c + d;
|
|
||||||
+ *c++ = ACCUM(w);
|
|
||||||
+ d = CARRYOUT(w);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* propagate the carry to the end, even if carry is zero */
|
|
||||||
+ while (c_len--) {
|
|
||||||
+ mp_word w = (mp_word)*c + d;
|
|
||||||
+ *c++ = ACCUM(w);
|
|
||||||
+ d = CARRYOUT(w);
|
|
||||||
+ }
|
|
||||||
+#else
|
|
||||||
+ mp_digit carry = 0;
|
|
||||||
+ c_len -= a_len;
|
|
||||||
+ while (a_len--) {
|
|
||||||
+ mp_digit a_i = *a++;
|
|
||||||
+ mp_digit a0b0, a1b1;
|
|
||||||
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
|
||||||
+
|
|
||||||
+ a0b0 += carry;
|
|
||||||
+ a1b1 += MP_CT_LTU(a0b0, carry);
|
|
||||||
+ a0b0 += a_i = *c;
|
|
||||||
+ a1b1 += MP_CT_LTU(a0b0, a_i);
|
|
||||||
+
|
|
||||||
+ *c++ = a0b0;
|
|
||||||
+ carry = a1b1;
|
|
||||||
+ }
|
|
||||||
+ /* propagate the carry to the end, even if carry is zero */
|
|
||||||
+ while (c_len--) {
|
|
||||||
+ mp_digit c_i = *c;
|
|
||||||
+ carry += c_i;
|
|
||||||
+ *c++ = carry;
|
|
||||||
+ carry = MP_CT_LTU(carry, c_i);
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#if !defined(MP_ASSEMBLY_MULTIPLY)
|
|
||||||
/* c = a * b */
|
|
||||||
void
|
|
||||||
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
|
||||||
{
|
|
||||||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
|
||||||
mp_digit d = 0;
|
|
||||||
|
|
||||||
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
|
|
||||||
mp_digit carry = 0;
|
|
||||||
while (a_len--) {
|
|
||||||
mp_digit a_i = *a++;
|
|
||||||
mp_digit a0b0, a1b1;
|
|
||||||
|
|
||||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
|
||||||
|
|
||||||
a0b0 += carry;
|
|
||||||
- if (a0b0 < carry)
|
|
||||||
- ++a1b1;
|
|
||||||
+ a1b1 += a0b0 < carry;
|
|
||||||
*c++ = a0b0;
|
|
||||||
carry = a1b1;
|
|
||||||
}
|
|
||||||
*c = carry;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* c += a * b */
|
|
||||||
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
|
|
||||||
mp_digit carry = 0;
|
|
||||||
while (a_len--) {
|
|
||||||
mp_digit a_i = *a++;
|
|
||||||
mp_digit a0b0, a1b1;
|
|
||||||
|
|
||||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
|
||||||
|
|
||||||
a0b0 += carry;
|
|
||||||
- if (a0b0 < carry)
|
|
||||||
- ++a1b1;
|
|
||||||
+ a1b1 += (a0b0 < carry);
|
|
||||||
a0b0 += a_i = *c;
|
|
||||||
- if (a0b0 < a_i)
|
|
||||||
- ++a1b1;
|
|
||||||
+ a1b1 += (a0b0 < a_i);
|
|
||||||
*c++ = a0b0;
|
|
||||||
carry = a1b1;
|
|
||||||
}
|
|
||||||
*c = carry;
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Presently, this is only used by the Montgomery arithmetic code. */
|
|
||||||
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
|
|
||||||
--- a/lib/freebl/mpi/mpi.h
|
|
||||||
+++ b/lib/freebl/mpi/mpi.h
|
|
||||||
@@ -145,16 +145,54 @@ typedef int mp_sword;
|
|
||||||
#define MP_USED(MP) ((MP)->used)
|
|
||||||
#define MP_ALLOC(MP) ((MP)->alloc)
|
|
||||||
#define MP_DIGITS(MP) ((MP)->dp)
|
|
||||||
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
|
|
||||||
|
|
||||||
/* This defines the maximum I/O base (minimum is 2) */
|
|
||||||
#define MP_MAX_RADIX 64
|
|
||||||
|
|
||||||
+/* Constant Time Macros on mp_digits */
|
|
||||||
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
|
|
||||||
+
|
|
||||||
+/* basic zero and non zero tests */
|
|
||||||
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
|
||||||
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+/* basic constant-time helper macro for equalities and inequalities.
|
|
||||||
+ * The inequalities will produce incorrect results if
|
|
||||||
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
|
|
||||||
+ * within the range 0-MP_DIGIT_MAX/2. */
|
|
||||||
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
|
|
||||||
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
|
|
||||||
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
|
|
||||||
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
|
|
||||||
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
|
|
||||||
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
|
|
||||||
+#define MP_CT_TRUE ((mp_digit)1)
|
|
||||||
+#define MP_CT_FALSE ((mp_digit)0)
|
|
||||||
+
|
|
||||||
+/* use constant time result to select a boolean value */
|
|
||||||
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
|
|
||||||
+
|
|
||||||
+/* full inequalities that work with full mp_digit values */
|
|
||||||
+#define MP_CT_OVERFLOW(a,b,c,d) \
|
|
||||||
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
|
|
||||||
+ (MP_CT_HIGH_TO_LOW(d)),c)
|
|
||||||
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
|
|
||||||
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
|
|
||||||
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
|
|
||||||
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
|
|
||||||
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
|
|
||||||
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
|
|
||||||
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
|
|
||||||
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
typedef struct {
|
|
||||||
mp_sign sign; /* sign of this quantity */
|
|
||||||
mp_size alloc; /* how many digits allocated */
|
|
||||||
mp_size used; /* how many digits used */
|
|
||||||
mp_digit *dp; /* the digits themselves */
|
|
||||||
} mp_int;
|
|
||||||
|
|
||||||
/* Default precision */
|
|
||||||
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
|
|
||||||
|
|
||||||
/* Sign manipulations */
|
|
||||||
mp_err mp_abs(const mp_int *a, mp_int *b);
|
|
||||||
mp_err mp_neg(const mp_int *a, mp_int *b);
|
|
||||||
|
|
||||||
/* Full arithmetic */
|
|
||||||
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
|
|
||||||
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
|
|
||||||
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
|
|
||||||
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
|
|
||||||
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
|
|
||||||
#if MP_SQUARE
|
|
||||||
mp_err mp_sqr(const mp_int *a, mp_int *b);
|
|
||||||
#else
|
|
||||||
#define mp_sqr(a, b) mp_mul(a, a, b)
|
|
||||||
#endif
|
|
||||||
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
|
|
||||||
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
|
|
||||||
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
|
|
||||||
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
|
|
||||||
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
|
|
||||||
#else
|
|
||||||
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
|
|
||||||
#endif
|
|
||||||
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
|
|
||||||
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
|
|
||||||
#endif /* MP_MODARITH */
|
|
||||||
|
|
||||||
+/* montgomery math */
|
|
||||||
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
|
|
||||||
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
|
|
||||||
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
|
|
||||||
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
|
|
||||||
+
|
|
||||||
/* Comparisons */
|
|
||||||
int mp_cmp_z(const mp_int *a);
|
|
||||||
int mp_cmp_d(const mp_int *a, mp_digit d);
|
|
||||||
int mp_cmp(const mp_int *a, const mp_int *b);
|
|
||||||
int mp_cmp_mag(const mp_int *a, const mp_int *b);
|
|
||||||
int mp_isodd(const mp_int *a);
|
|
||||||
int mp_iseven(const mp_int *a);
|
|
||||||
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
|
|
||||||
|
|
||||||
/* Number theoretic */
|
|
||||||
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
|
|
||||||
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
|
|
||||||
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
|
|
||||||
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
|
|
||||||
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
|
|
||||||
|
|
||||||
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
|
|
||||||
--- a/lib/freebl/mpi/mpmontg.c
|
|
||||||
+++ b/lib/freebl/mpi/mpmontg.c
|
|
||||||
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
|
|
||||||
}
|
|
||||||
res = MP_OKAY;
|
|
||||||
|
|
||||||
CLEANUP:
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
-STATIC
|
|
||||||
mp_err
|
|
||||||
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
|
||||||
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
|
|
||||||
{
|
|
||||||
mp_err res;
|
|
||||||
|
|
||||||
/* xMont = x * R mod N where N is modulus */
|
|
||||||
- MP_CHECKOK(mp_copy(x, xMont));
|
|
||||||
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
|
|
||||||
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
|
|
||||||
+ if (x != xMont) {
|
|
||||||
+ MP_CHECKOK(mp_copy(x, xMont));
|
|
||||||
+ }
|
|
||||||
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
|
|
||||||
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
|
|
||||||
CLEANUP:
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
+mp_digit
|
|
||||||
+mp_calculate_mont_n0i(const mp_int *N)
|
|
||||||
+{
|
|
||||||
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#ifdef MP_USING_MONT_MULF
|
|
||||||
|
|
||||||
/* the floating point multiply is already cache safe,
|
|
||||||
* don't turn on cache safe unless we specifically
|
|
||||||
* force it */
|
|
||||||
#ifndef MP_FORCE_CACHE_SAFE
|
|
||||||
#undef MP_USING_CACHE_SAFE_MOD_EXP
|
|
||||||
#endif
|
|
||||||
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
|
|
||||||
MP_DIGITS(&accum1) = 0;
|
|
||||||
|
|
||||||
for (i = 0; i < MAX_ODD_INTS; ++i)
|
|
||||||
oddPowers[i] = 0;
|
|
||||||
|
|
||||||
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
|
|
||||||
|
|
||||||
mp_set(&accum1, 1);
|
|
||||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
|
||||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
|
||||||
MP_CHECKOK(s_mp_pad(&accum1, nLen));
|
|
||||||
|
|
||||||
oddPowSize = 2 * nLen + 1;
|
|
||||||
dTmpSize = 2 * oddPowSize;
|
|
||||||
dSize = sizeof(double) * (nLen * 4 + 1 +
|
|
||||||
((odd_ints + 1) * oddPowSize) + dTmpSize);
|
|
||||||
dBuf = malloc(dSize);
|
|
||||||
if (!dBuf) {
|
|
||||||
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
|
|
||||||
for (i = 1; i < odd_ints; ++i) {
|
|
||||||
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
|
|
||||||
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
|
|
||||||
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
|
|
||||||
}
|
|
||||||
|
|
||||||
/* set accumulator to montgomery residue of 1 */
|
|
||||||
mp_set(&accum1, 1);
|
|
||||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
|
||||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
|
||||||
pa1 = &accum1;
|
|
||||||
pa2 = &accum2;
|
|
||||||
|
|
||||||
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
|
|
||||||
mp_size smallExp;
|
|
||||||
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
|
|
||||||
smallExp = (mp_size)res;
|
|
||||||
|
|
||||||
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
|
||||||
/* build the first WEAVE_WORD powers inline */
|
|
||||||
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
|
|
||||||
if (num_powers > 2) {
|
|
||||||
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
|
|
||||||
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
|
|
||||||
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
|
|
||||||
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
|
|
||||||
mp_set(&accum[0], 1);
|
|
||||||
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
|
|
||||||
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
|
|
||||||
MP_CHECKOK(mp_copy(montBase, &accum[1]));
|
|
||||||
SQR(montBase, &accum[2]);
|
|
||||||
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
|
|
||||||
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
|
|
||||||
if (!powersArray) {
|
|
||||||
res = MP_MEM;
|
|
||||||
goto CLEANUP;
|
|
||||||
}
|
|
||||||
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
|
||||||
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
|
|
||||||
if (first_window < 4) {
|
|
||||||
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
|
|
||||||
first_window = num_powers;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
if (first_window == 0) {
|
|
||||||
mp_set(&accum1, 1);
|
|
||||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
|
||||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
|
||||||
} else {
|
|
||||||
/* assert first_window == 1? */
|
|
||||||
MP_CHECKOK(mp_copy(montBase, &accum1));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* calculate all the powers in the powers array.
|
|
||||||
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
|
|
||||||
nLen = MP_USED(modulus);
|
|
||||||
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
|
|
||||||
|
|
||||||
mmm.N = *modulus; /* a copy of the mp_int struct */
|
|
||||||
|
|
||||||
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
|
||||||
** where n0 = least significant mp_digit of N, the modulus.
|
|
||||||
*/
|
|
||||||
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
|
|
||||||
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
|
|
||||||
|
|
||||||
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
|
|
||||||
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
|
|
||||||
|
|
||||||
bits_in_exponent = mpl_significant_bits(exponent);
|
|
||||||
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
|
|
||||||
if (mp_using_cache_safe_exp) {
|
|
||||||
if (bits_in_exponent > 780)
|
|
||||||
window_bits = 6;
|
|
||||||
else if (bits_in_exponent > 256)
|
|
||||||
window_bits = 5;
|
|
||||||
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
|
|
||||||
--- a/lib/freebl/rsa.c
|
|
||||||
+++ b/lib/freebl/rsa.c
|
|
||||||
@@ -65,16 +65,18 @@ struct blindingParamsStr {
|
|
||||||
** the Handbook of Applied Cryptography, 11.118-11.119.
|
|
||||||
*/
|
|
||||||
struct RSABlindingParamsStr {
|
|
||||||
/* Blinding-specific parameters */
|
|
||||||
PRCList link; /* link to list of structs */
|
|
||||||
SECItem modulus; /* list element "key" */
|
|
||||||
blindingParams *free, *bp; /* Blinding parameters queue */
|
|
||||||
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
|
|
||||||
+ /* precalculate montegomery reduction value */
|
|
||||||
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
|
|
||||||
};
|
|
||||||
typedef struct RSABlindingParamsStr RSABlindingParams;
|
|
||||||
|
|
||||||
/*
|
|
||||||
** RSABlindingParamsListStr
|
|
||||||
**
|
|
||||||
** List of key-specific blinding params. The arena holds the volatile pool
|
|
||||||
** of memory for each entry and the list itself. The lock is for list
|
|
||||||
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
|
|
||||||
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
|
|
||||||
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
|
|
||||||
/* k < n */
|
|
||||||
CHECK_MPI_OK(mp_mod(&k, n, &k));
|
|
||||||
/* f = k**e mod n */
|
|
||||||
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
|
|
||||||
/* g = k**-1 mod n */
|
|
||||||
CHECK_MPI_OK(mp_invmod(&k, n, g));
|
|
||||||
+ /* g in montgomery form.. */
|
|
||||||
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
|
|
||||||
cleanup:
|
|
||||||
if (kb)
|
|
||||||
PORT_ZFree(kb, modLen);
|
|
||||||
mp_clear(&k);
|
|
||||||
mp_clear(&e);
|
|
||||||
if (err) {
|
|
||||||
MP_TO_SEC_ERROR(err);
|
|
||||||
rv = SECFailure;
|
|
||||||
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
|
|
||||||
* of rsabp->array pointer and must be set to NULL
|
|
||||||
*/
|
|
||||||
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
|
|
||||||
|
|
||||||
bp = rsabp->array;
|
|
||||||
rsabp->bp = NULL;
|
|
||||||
rsabp->free = bp;
|
|
||||||
|
|
||||||
+ /* precalculate montgomery reduction parameter */
|
|
||||||
+ rsabp->n0i = mp_calculate_mont_n0i(n);
|
|
||||||
+
|
|
||||||
/* List elements are keyed using the modulus */
|
|
||||||
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
|
|
||||||
}
|
|
||||||
|
|
||||||
static SECStatus
|
|
||||||
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
|
||||||
- mp_int *f, mp_int *g)
|
|
||||||
+ mp_int *f, mp_int *g, mp_digit *n0i)
|
|
||||||
{
|
|
||||||
RSABlindingParams *rsabp = NULL;
|
|
||||||
blindingParams *bpUnlinked = NULL;
|
|
||||||
blindingParams *bp;
|
|
||||||
PRCList *el;
|
|
||||||
SECStatus rv = SECSuccess;
|
|
||||||
mp_err err = MP_OKAY;
|
|
||||||
int cmp = -1;
|
|
||||||
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
|
|
||||||
** head (since el would have looped back to the head).
|
|
||||||
*/
|
|
||||||
PR_INSERT_BEFORE(&rsabp->link, el);
|
|
||||||
}
|
|
||||||
|
|
||||||
/* We've found (or created) the RSAblindingParams struct for this key.
|
|
||||||
* Now, search its list of ready blinding params for a usable one.
|
|
||||||
*/
|
|
||||||
+ *n0i = rsabp->n0i;
|
|
||||||
while (0 != (bp = rsabp->bp)) {
|
|
||||||
#ifdef UNSAFE_FUZZER_MODE
|
|
||||||
/* Found a match and there are still remaining uses left */
|
|
||||||
/* Return the parameters */
|
|
||||||
CHECK_MPI_OK(mp_copy(&bp->f, f));
|
|
||||||
CHECK_MPI_OK(mp_copy(&bp->g, g));
|
|
||||||
|
|
||||||
PZ_Unlock(blindingParamsList.lock);
|
|
||||||
@@ -1426,16 +1434,17 @@ cleanup:
|
|
||||||
rsabp->free = bp;
|
|
||||||
}
|
|
||||||
if (holdingLock) {
|
|
||||||
PZ_Unlock(blindingParamsList.lock);
|
|
||||||
}
|
|
||||||
if (err) {
|
|
||||||
MP_TO_SEC_ERROR(err);
|
|
||||||
}
|
|
||||||
+ *n0i = 0;
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
** Perform a raw private-key operation
|
|
||||||
** Length of input and output buffers are equal to key's modulus len.
|
|
||||||
*/
|
|
||||||
static SECStatus
|
|
||||||
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
|
||||||
PRBool check)
|
|
||||||
{
|
|
||||||
unsigned int modLen;
|
|
||||||
unsigned int offset;
|
|
||||||
SECStatus rv = SECSuccess;
|
|
||||||
mp_err err;
|
|
||||||
mp_int n, c, m;
|
|
||||||
mp_int f, g;
|
|
||||||
+ mp_digit n0i;
|
|
||||||
if (!key || !output || !input) {
|
|
||||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
/* check input out of range (needs to be in range [0..n-1]) */
|
|
||||||
modLen = rsa_modulusLen(&key->modulus);
|
|
||||||
if (modLen == 0) {
|
|
||||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
|
||||||
CHECK_MPI_OK(mp_init(&f));
|
|
||||||
CHECK_MPI_OK(mp_init(&g));
|
|
||||||
SECITEM_TO_MPINT(key->modulus, &n);
|
|
||||||
OCTETS_TO_MPINT(input, &c, modLen);
|
|
||||||
/* If blinding, compute pre-image of ciphertext by multiplying by
|
|
||||||
** blinding factor
|
|
||||||
*/
|
|
||||||
if (nssRSAUseBlinding) {
|
|
||||||
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
|
|
||||||
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
|
|
||||||
/* c' = c*f mod n */
|
|
||||||
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
|
|
||||||
}
|
|
||||||
/* Do the private key operation m = c**d mod n */
|
|
||||||
if (key->prime1.len == 0 ||
|
|
||||||
key->prime2.len == 0 ||
|
|
||||||
key->exponent1.len == 0 ||
|
|
||||||
key->exponent2.len == 0 ||
|
|
||||||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
|
||||||
} else {
|
|
||||||
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
|
|
||||||
}
|
|
||||||
/* If blinding, compute post-image of plaintext by multiplying by
|
|
||||||
** blinding factor
|
|
||||||
*/
|
|
||||||
if (nssRSAUseBlinding) {
|
|
||||||
/* m = m'*g mod n */
|
|
||||||
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
|
|
||||||
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
|
|
||||||
}
|
|
||||||
err = mp_to_fixlen_octets(&m, output, modLen);
|
|
||||||
if (err >= 0)
|
|
||||||
err = MP_OKAY;
|
|
||||||
cleanup:
|
|
||||||
mp_clear(&n);
|
|
||||||
mp_clear(&c);
|
|
||||||
mp_clear(&m);
|
|
1383
nss-3.101-add-certificate-compression-test.patch
Normal file
1383
nss-3.101-add-certificate-compression-test.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,15 +1,15 @@
|
|||||||
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
|
diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
|
||||||
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
|
--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700
|
||||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
|
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700
|
||||||
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
|
@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
|
||||||
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
|
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||||
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
|
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
|
||||||
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||||
+ /* not really a key exchange, but it's the closest fit */
|
|
||||||
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
|
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
|
||||||
|
+
|
||||||
};
|
};
|
||||||
|
|
||||||
static const oidValDef signOptList[] = {
|
static const oidValDef smimeKxOptList[] = {
|
||||||
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
|
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
|
||||||
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||||
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
|
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
|
||||||
@ -65,40 +65,43 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
|
|||||||
if (isTLS12) {
|
if (isTLS12) {
|
||||||
if (isDH)
|
if (isDH)
|
||||||
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||||
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
|
diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
|
||||||
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
|
--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700
|
||||||
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
|
+++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700
|
||||||
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
|
@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
|
||||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
|
ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
|
||||||
"IPsec User",
|
ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
|
||||||
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
|
||||||
+
|
+
|
||||||
+ /* this will change upstream. for now apps shouldn't use it */
|
+ /* this will change upstream. for now apps shouldn't use it */
|
||||||
+ /* we need it for the policy code. */
|
+ /* we need it for the policy code. */
|
||||||
+ ODE(SEC_OID_PRIVATE_1,
|
+ ODE(SEC_OID_PRIVATE_1,
|
||||||
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||||
|
+
|
||||||
};
|
};
|
||||||
|
|
||||||
/* PRIVATE EXTENDED SECOID Table
|
/* PRIVATE EXTENDED SECOID Table
|
||||||
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
|
@@ -2198,6 +2204,10 @@ SECOID_Init(void)
|
||||||
|
|
||||||
/* turn off NSS_USE_POLICY_IN_SSL by default */
|
/* turn off NSS_USE_POLICY_IN_SSL by default */
|
||||||
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
|
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
|
||||||
+ /* turn off TLS REQUIRE EMS by default */
|
+ /* turn off TLS REQUIRE EMS by default */
|
||||||
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
|
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
|
||||||
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
|
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
|
||||||
if (envVal)
|
if (envVal)
|
||||||
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
|
diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
|
||||||
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
|
--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700
|
||||||
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
|
+++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700
|
||||||
@@ -501,6 +501,9 @@ typedef enum {
|
@@ -530,6 +530,9 @@ typedef enum {
|
||||||
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
|
SEC_OID_RC2_64_CBC = 385,
|
||||||
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
|
SEC_OID_RC2_128_CBC = 386,
|
||||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
|
SEC_OID_ECDH_KEA = 387,
|
||||||
+ /* this will change upstream. for now apps shouldn't use it */
|
+ /* this will change upstream. for now apps shouldn't use it */
|
||||||
+ /* give it an obscure name here */
|
+ /* give it an obscure name here */
|
||||||
+ SEC_OID_PRIVATE_1 = 372,
|
+ SEC_OID_PRIVATE_1 = 388,
|
||||||
|
|
||||||
SEC_OID_TOTAL
|
SEC_OID_TOTAL
|
||||||
} SECOidTag;
|
} SECOidTag;
|
59
nss-3.101-chacha-timing-fix.patch
Normal file
59
nss-3.101-chacha-timing-fix.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
|
||||||
|
--- a/lib/freebl/chacha20poly1305.c
|
||||||
|
+++ b/lib/freebl/chacha20poly1305.c
|
||||||
|
@@ -213,27 +213,31 @@
|
||||||
|
{
|
||||||
|
#ifdef NSS_X64
|
||||||
|
#ifndef NSS_DISABLE_AVX2
|
||||||
|
if (avx2_support()) {
|
||||||
|
Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
|
||||||
|
+ return;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef NSS_DISABLE_SSE3
|
||||||
|
if (ssse3_support() && sse4_1_support() && avx_support()) {
|
||||||
|
Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
|
||||||
|
+ return;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||||
|
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||||
|
if (ppc_crypto_support()) {
|
||||||
|
chacha20vsx(len, output, block, k, nonce, ctr);
|
||||||
|
- } else
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
|
||||||
|
+ return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* NSS_DISABLE_CHACHAPOLY */
|
||||||
|
|
||||||
|
SECStatus
|
||||||
|
@@ -449,20 +453,18 @@
|
||||||
|
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||||
|
(uint8_t *)input, output, outTag);
|
||||||
|
goto finish;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
-
|
||||||
|
- else
|
||||||
|
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||||
|
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||||
|
if (ppc_crypto_support()) {
|
||||||
|
Chacha20Poly1305_vsx_aead_encrypt(
|
||||||
|
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||||
|
(uint8_t *)input, output, outTag);
|
||||||
|
goto finish;
|
||||||
|
- } else
|
||||||
|
+ }
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
Hacl_Chacha20Poly1305_32_aead_encrypt(
|
||||||
|
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||||
|
(uint8_t *)input, output, outTag);
|
||||||
|
|
133
nss-3.101-default-libpkix.patch
Normal file
133
nss-3.101-default-libpkix.patch
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
|
||||||
|
--- a/lib/certhigh/certvfypkix.c
|
||||||
|
+++ b/lib/certhigh/certvfypkix.c
|
||||||
|
@@ -37,11 +37,11 @@
|
||||||
|
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
|
||||||
|
|
||||||
|
PRInt32 parallelFnInvocationCount;
|
||||||
|
#endif /* PKIX_OBJECT_LEAK_TEST */
|
||||||
|
|
||||||
|
-static PRBool usePKIXValidationEngine = PR_FALSE;
|
||||||
|
+static PRBool usePKIXValidationEngine = PR_TRUE;
|
||||||
|
#endif /* NSS_DISABLE_LIBPKIX */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* FUNCTION: CERT_SetUsePKIXForValidation
|
||||||
|
* DESCRIPTION:
|
||||||
|
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
|
||||||
|
--- a/lib/nss/nssinit.c
|
||||||
|
+++ b/lib/nss/nssinit.c
|
||||||
|
@@ -762,13 +762,13 @@
|
||||||
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
||||||
|
|
||||||
|
if (pkixError != NULL) {
|
||||||
|
goto loser;
|
||||||
|
} else {
|
||||||
|
- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
||||||
|
+ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
|
||||||
|
if (ev && ev[0]) {
|
||||||
|
- CERT_SetUsePKIXForValidation(PR_TRUE);
|
||||||
|
+ CERT_SetUsePKIXForValidation(PR_FALSE);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* NSS_DISABLE_LIBPKIX */
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/tests/all.sh b/tests/all.sh
|
||||||
|
--- a/tests/all.sh
|
||||||
|
+++ b/tests/all.sh
|
||||||
|
@@ -141,17 +141,22 @@
|
||||||
|
########################################################################
|
||||||
|
run_cycle_standard()
|
||||||
|
{
|
||||||
|
TEST_MODE=STANDARD
|
||||||
|
|
||||||
|
+ NSS_DISABLE_LIBPKIX_VERIFY="1"
|
||||||
|
+ export NSS_DISABLE_LIBPKIX_VERIFY
|
||||||
|
+
|
||||||
|
TESTS="${ALL_TESTS}"
|
||||||
|
TESTS_SKIP="libpkix pkits"
|
||||||
|
|
||||||
|
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
|
||||||
|
export NSS_DEFAULT_DB_TYPE
|
||||||
|
|
||||||
|
run_tests
|
||||||
|
+
|
||||||
|
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||||
|
}
|
||||||
|
|
||||||
|
############################ run_cycle_pkix ############################
|
||||||
|
# run test suites with PKIX enabled
|
||||||
|
########################################################################
|
||||||
|
@@ -165,13 +170,10 @@
|
||||||
|
|
||||||
|
HOSTDIR="${HOSTDIR}/pkix"
|
||||||
|
mkdir -p "${HOSTDIR}"
|
||||||
|
init_directories
|
||||||
|
|
||||||
|
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||||
|
- export NSS_ENABLE_PKIX_VERIFY
|
||||||
|
-
|
||||||
|
TESTS="${ALL_TESTS}"
|
||||||
|
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
|
||||||
|
|
||||||
|
export -n NSS_SSL_RUN
|
||||||
|
|
||||||
|
diff --git a/tests/common/init.sh b/tests/common/init.sh
|
||||||
|
--- a/tests/common/init.sh
|
||||||
|
+++ b/tests/common/init.sh
|
||||||
|
@@ -138,12 +138,12 @@
|
||||||
|
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
|
||||||
|
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
|
||||||
|
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
|
||||||
|
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
|
||||||
|
echo "export NSS_DEFAULT_DB_TYPE"
|
||||||
|
- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
|
||||||
|
- echo "export NSS_ENABLE_PKIX_VERIFY"
|
||||||
|
+ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
|
||||||
|
+ echo "export NSS_DISABLE_PKIX_VERIFY"
|
||||||
|
echo "init_directories"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Exit shellfunction to clean up at exit (error, regular or signal)
|
||||||
|
Exit()
|
||||||
|
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||||
|
--- a/tests/ssl/ssl.sh
|
||||||
|
+++ b/tests/ssl/ssl.sh
|
||||||
|
@@ -960,13 +960,12 @@
|
||||||
|
ssl_policy_pkix_ocsp()
|
||||||
|
{
|
||||||
|
#verbose="-v"
|
||||||
|
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||||
|
|
||||||
|
- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
|
||||||
|
- NSS_ENABLE_PKIX_VERIFY="1"
|
||||||
|
- export NSS_ENABLE_PKIX_VERIFY
|
||||||
|
+ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||||
|
+ unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||||
|
|
||||||
|
testname=""
|
||||||
|
|
||||||
|
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
|
||||||
|
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
|
||||||
|
@@ -987,16 +986,14 @@
|
||||||
|
grep 12276 ${P_R_SERVERDIR}/vfy.out
|
||||||
|
RET=$?
|
||||||
|
html_msg $RET $RET_EXP "${testname}" \
|
||||||
|
"produced a returncode of $RET, expected is $RET_EXP"
|
||||||
|
|
||||||
|
- if [ "${PKIX_SAVE}" = "unset" ]; then
|
||||||
|
- unset NSS_ENABLE_PKIX_VERIFY
|
||||||
|
- else
|
||||||
|
- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
|
||||||
|
- export NSS_ENABLE_PKIX_VERIFY
|
||||||
|
+ if [ "{PKIX_SAVE}" != "unset" ]; then
|
||||||
|
+ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
|
||||||
|
fi
|
||||||
|
+
|
||||||
|
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
||||||
|
|
||||||
|
html "</TABLE><BR>"
|
||||||
|
|
||||||
|
}
|
||||||
|
|
@ -1,12 +1,18 @@
|
|||||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
||||||
--- a/lib/ssl/sslsock.c
|
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700
|
||||||
+++ b/lib/ssl/sslsock.c
|
+++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700
|
||||||
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
@@ -59,7 +59,6 @@ CPPSRCS = \
|
||||||
}
|
tls_protect.cc \
|
||||||
PORT_Free(cursor);
|
tls_psk_unittest.cc \
|
||||||
}
|
tls_subcerts_unittest.cc \
|
||||||
}
|
- tls_ech_unittest.cc \
|
||||||
|
tls_xyber_unittest.cc \
|
||||||
|
$(SSLKEYLOGFILE_FILES) \
|
||||||
|
$(NULL)
|
||||||
|
diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
|
||||||
|
--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700
|
||||||
|
+++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700
|
||||||
|
@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
||||||
SECStatus
|
SECStatus
|
||||||
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
|
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
|
||||||
{
|
{
|
||||||
@ -30,13 +36,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
|||||||
sslSocket *ss = ssl_FindSocket(fd);
|
sslSocket *ss = ssl_FindSocket(fd);
|
||||||
if (!ss || size == 0) {
|
if (!ss || size == 0) {
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
}
|
@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
|
||||||
ssl_Get1stHandshakeLock(ss);
|
|
||||||
ssl_GetSSL3HandshakeLock(ss);
|
|
||||||
|
|
||||||
ss->ssl3.hs.greaseEchSize = size;
|
|
||||||
|
|
||||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
|
||||||
ssl_Release1stHandshakeLock(ss);
|
ssl_Release1stHandshakeLock(ss);
|
||||||
|
|
||||||
return SECSuccess;
|
return SECSuccess;
|
||||||
@ -79,18 +79,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
SECStatus
|
SECStatus
|
||||||
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
|
|
||||||
{
|
|
||||||
sslSocket *ss = ssl_FindSocket(fd);
|
|
||||||
if (!ss) {
|
|
||||||
return SECFailure;
|
|
||||||
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
|
||||||
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
|
|
||||||
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
|
|
||||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
|
||||||
tls_filter.cc \
|
|
||||||
tls_protect.cc \
|
|
||||||
tls_psk_unittest.cc \
|
|
||||||
- tls_ech_unittest.cc \
|
|
||||||
$(SSLKEYLOGFILE_FILES) \
|
|
||||||
$(NULL)
|
|
81
nss-3.101-disable-md5.patch
Normal file
81
nss-3.101-disable-md5.patch
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
|
||||||
|
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
|
||||||
|
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
|
||||||
|
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
|
||||||
|
static const oidValDef hashOptList[] = {
|
||||||
|
/* Hashes */
|
||||||
|
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||||
|
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||||
|
- NSS_USE_ALG_IN_PKCS12 },
|
||||||
|
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||||
|
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||||
|
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||||
|
- NSS_USE_ALG_IN_PKCS12 },
|
||||||
|
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||||
|
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||||
|
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||||
|
- NSS_USE_ALG_IN_PKCS12 },
|
||||||
|
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||||
|
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||||
|
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||||
|
NSS_USE_ALG_IN_PKCS12 },
|
||||||
|
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
|
||||||
|
diff -r 699541a7793b lib/util/secoid.c
|
||||||
|
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||||
|
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||||
|
@@ -2042,6 +2042,19 @@
|
||||||
|
int i;
|
||||||
|
|
||||||
|
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||||
|
+ switch (i) {
|
||||||
|
+ case SEC_OID_MD2:
|
||||||
|
+ case SEC_OID_MD4:
|
||||||
|
+ case SEC_OID_MD5:
|
||||||
|
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||||
|
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||||
|
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||||
|
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||||
|
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||||
|
+ continue;
|
||||||
|
+ default:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||||
|
xOids[i].notPolicyFlags = notEnable |
|
||||||
|
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
||||||
|
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
|
||||||
|
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
|
||||||
|
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
|
||||||
|
@@ -91,21 +91,21 @@
|
||||||
|
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
|
||||||
|
# integrity policy check the various has based controls.
|
||||||
|
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
|
||||||
|
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
|
||||||
|
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
|
||||||
|
# encryption side. These tests purposefully tests that the default fails to encrypt
|
||||||
|
# but succeeds when decrypting.
|
||||||
|
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
|
||||||
|
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||||
|
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||||
|
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||||
|
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||||
|
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||||
|
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||||
|
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
|
||||||
|
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||||
|
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||||
|
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||||
|
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||||
|
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||||
|
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||||
|
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||||
|
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||||
|
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||||
|
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||||
|
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||||
|
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||||
|
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||||
|
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||||
|
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||||
|
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||||
|
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256
|
@ -14,6 +14,8 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
|||||||
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
|
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
|
||||||
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
|
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
|
||||||
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
|
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
|
||||||
|
{ CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
|
||||||
|
NSS_USE_ALG_IN_SIGNATURE },
|
||||||
};
|
};
|
||||||
|
|
||||||
typedef struct {
|
typedef struct {
|
||||||
@ -21,6 +23,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
|||||||
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
|
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
|
||||||
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
|
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
|
||||||
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
|
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
|
||||||
|
{ smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
|
||||||
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
|
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
|
||||||
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
|
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
|
||||||
};
|
};
|
24
nss-3.101-ec-dbm-test.patch
Normal file
24
nss-3.101-ec-dbm-test.patch
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
|
||||||
|
--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700
|
||||||
|
+++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700
|
||||||
|
@@ -45,12 +45,20 @@ ectest_genkeydb_test()
|
||||||
|
if [ $? -ne 0 ]; then
|
||||||
|
return $?
|
||||||
|
fi
|
||||||
|
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||||
|
curves=( \
|
||||||
|
"curve25519" \
|
||||||
|
"secp256r1" \
|
||||||
|
"secp384r1" \
|
||||||
|
"secp521r1" \
|
||||||
|
)
|
||||||
|
+ else
|
||||||
|
+ curves=( \
|
||||||
|
+ "secp256r1" \
|
||||||
|
+ "secp384r1" \
|
||||||
|
+ "secp521r1" \
|
||||||
|
+ )
|
||||||
|
+ fi
|
||||||
|
for curve in "${curves[@]}"; do
|
||||||
|
echo "Test $curve key generation using certutil ..."
|
||||||
|
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
12
nss-3.101-el8-fix-rsa-policy-test.patch
Normal file
12
nss-3.101-el8-fix-rsa-policy-test.patch
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
|
||||||
|
--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700
|
||||||
|
+++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700
|
||||||
|
@@ -197,7 +197,7 @@
|
||||||
|
# compatibility reasons
|
||||||
|
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||||
|
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||||
|
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||||
|
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||||
|
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||||
|
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||||
|
# test default settings
|
89
nss-3.101-el8-no-p12-smime-policy.patch
Normal file
89
nss-3.101-el8-no-p12-smime-policy.patch
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
|
||||||
|
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||||
|
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
|
||||||
|
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
|
||||||
|
static PRBool
|
||||||
|
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
|
||||||
|
{
|
||||||
|
+#ifdef notdef
|
||||||
|
PRUint32 policy;
|
||||||
|
SECStatus rv;
|
||||||
|
|
||||||
|
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
return PR_FALSE;
|
||||||
|
+#else
|
||||||
|
+ return PR_TRUE;
|
||||||
|
+#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
PRBool
|
||||||
|
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
|
||||||
|
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||||
|
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
|
||||||
|
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
|
||||||
|
PRBool
|
||||||
|
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
|
||||||
|
{
|
||||||
|
+#ifdef notdef
|
||||||
|
PRUint32 policyFlags;
|
||||||
|
|
||||||
|
/* some S/MIME algs map to the same underlying KEA mechanism,
|
||||||
|
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
|
||||||
|
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
|
||||||
|
return PR_FAILURE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef notdef
|
||||||
|
/* At initialization time, we need to set up the defaults. We first
|
||||||
|
* look to see if the system or application has set up certain algorithms
|
||||||
|
* by policy. If they have set up values by policy we'll only allow those
|
||||||
|
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
|
||||||
|
PORT_Free(tags);
|
||||||
|
tags = NULL;
|
||||||
|
}
|
||||||
|
+#else
|
||||||
|
+ /* just initialize the old maps */
|
||||||
|
+ rv = SECSuccess;
|
||||||
|
+ tagCount = 0;
|
||||||
|
+#endif
|
||||||
|
if ((rv != SECSuccess) || (tagCount == 0)) {
|
||||||
|
/* No algorithms have been enabled by policy (either by the system
|
||||||
|
* or by the application, we then will use the traditional default
|
||||||
|
diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
|
||||||
|
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||||
|
700
|
||||||
|
+++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700
|
||||||
|
@@ -872,8 +872,8 @@ smime_init
|
||||||
|
smime_main
|
||||||
|
smime_data_tb
|
||||||
|
smime_p7
|
||||||
|
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||||
|
- smime_policy
|
||||||
|
-fi
|
||||||
|
+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||||
|
+# smime_policy
|
||||||
|
+#fi
|
||||||
|
smime_cleanup
|
||||||
|
|
||||||
|
diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
|
||||||
|
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
|
||||||
|
700
|
||||||
|
+++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700
|
||||||
|
@@ -586,7 +586,7 @@ tools_p12()
|
||||||
|
tools_p12_import_pbmac1_samples
|
||||||
|
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||||
|
tools_p12_import_rsa_pss_private_key
|
||||||
|
- tools_p12_policy
|
||||||
|
+#tools_p12_policy
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
@ -26,6 +26,20 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
|
|||||||
if (pk12util.options[opt_CertCipher].activated) {
|
if (pk12util.options[opt_CertCipher].activated) {
|
||||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||||
|
|
||||||
|
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732
|
||||||
|
48450 -0700
|
||||||
|
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
|
||||||
|
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
|
||||||
|
- if (PK11_IsFIPS()) {
|
||||||
|
- hash = SEC_OID_HMAC_SHA256;
|
||||||
|
- }
|
||||||
|
if (pk12util.options[opt_Mac].activated) {
|
||||||
|
char *hashString = pk12util.options[opt_Mac].arg;
|
||||||
|
|
||||||
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
|
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
|
||||||
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
|
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
|
||||||
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
|
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
|
13
nss-3.101-enable-kyber-policy.patch
Normal file
13
nss-3.101-enable-kyber-policy.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
|
||||||
|
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
|
||||||
|
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
|
||||||
|
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
|
||||||
|
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||||
|
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
|
||||||
|
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||||
|
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
|
||||||
|
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
|
||||||
|
+ NSS_USE_ALG_IN_SSL_KX },
|
||||||
|
/* ANSI X9.62 named elliptic curves (characteristic two field) */
|
||||||
|
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
|
||||||
|
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
@ -5,8 +5,8 @@ diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
|
|||||||
RARRAY=($dtime)
|
RARRAY=($dtime)
|
||||||
TIMEARRAY=(${RARRAY[1]//./ })
|
TIMEARRAY=(${RARRAY[1]//./ })
|
||||||
echo "${TIMEARRAY[0]} seconds"
|
echo "${TIMEARRAY[0]} seconds"
|
||||||
- test ${TIMEARRAY[0]} -lt 2
|
- test ${TIMEARRAY[0]} -lt 5
|
||||||
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
|
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
|
||||||
ret=$?
|
ret=$?
|
||||||
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
|
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
|
||||||
fi
|
fi
|
@ -1,7 +1,7 @@
|
|||||||
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||||
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
|
--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700
|
||||||
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
|
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700
|
||||||
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||||
context->blockSize = 0;
|
context->blockSize = 0;
|
||||||
context->maxLen = 0;
|
context->maxLen = 0;
|
||||||
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
||||||
@ -10,7 +10,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
*contextPtr = context;
|
*contextPtr = context;
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
}
|
}
|
||||||
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||||
crv = sftk_handleObject(key, session);
|
crv = sftk_handleObject(key, session);
|
||||||
/* we need to do this check at the end, so we can check the generated
|
/* we need to do this check at the end, so we can check the generated
|
||||||
* key length against fips requirements */
|
* key length against fips requirements */
|
||||||
@ -19,7 +19,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
session->lastOpWasFIPS = key->isFIPS;
|
session->lastOpWasFIPS = key->isFIPS;
|
||||||
sftk_FreeSession(session);
|
sftk_FreeSession(session);
|
||||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||||
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||||
return crv;
|
return crv;
|
||||||
}
|
}
|
||||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||||
@ -28,7 +28,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
publicKey->isFIPS = privateKey->isFIPS;
|
publicKey->isFIPS = privateKey->isFIPS;
|
||||||
session->lastOpWasFIPS = privateKey->isFIPS;
|
session->lastOpWasFIPS = privateKey->isFIPS;
|
||||||
sftk_FreeSession(session);
|
sftk_FreeSession(session);
|
||||||
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||||
return CKR_TEMPLATE_INCONSISTENT;
|
return CKR_TEMPLATE_INCONSISTENT;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -39,7 +39,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
/* sourceKey is NULL if we are called from the POST, skip the
|
/* sourceKey is NULL if we are called from the POST, skip the
|
||||||
* sensitiveCheck */
|
* sensitiveCheck */
|
||||||
if (sourceKey != NULL) {
|
if (sourceKey != NULL) {
|
||||||
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||||
mech.pParameter = params;
|
mech.pParameter = params;
|
||||||
mech.ulParameterLen = sizeof(*params);
|
mech.ulParameterLen = sizeof(*params);
|
||||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||||
@ -49,7 +49,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
}
|
}
|
||||||
saltKeySource = saltKey->source;
|
saltKeySource = saltKey->source;
|
||||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||||
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||||
/* HKDF-Expand */
|
/* HKDF-Expand */
|
||||||
if (!params->bExpand) {
|
if (!params->bExpand) {
|
||||||
okm = prk;
|
okm = prk;
|
||||||
@ -58,7 +58,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
} else {
|
} else {
|
||||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||||
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
return CKR_KEY_HANDLE_INVALID;
|
return CKR_KEY_HANDLE_INVALID;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -69,8 +69,8 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
|||||||
switch (mechanism) {
|
switch (mechanism) {
|
||||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||||
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
||||||
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
|
--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700
|
||||||
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
|
+++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700
|
||||||
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
|
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
|
||||||
/* check the FIPS table to determine if this current operation is allowed by
|
/* check the FIPS table to determine if this current operation is allowed by
|
||||||
* FIPS security policy */
|
* FIPS security policy */
|
||||||
@ -82,9 +82,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
|||||||
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
|
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
|
||||||
|
|
||||||
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||||
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
|
--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700
|
||||||
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
|
+++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700
|
||||||
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||||
static CK_ULONG
|
static CK_ULONG
|
||||||
sftk_getKeyLength(SFTKObject *source)
|
sftk_getKeyLength(SFTKObject *source)
|
||||||
{
|
{
|
||||||
@ -93,7 +93,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
|||||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||||
CK_ULONG keyLength = 0;
|
CK_ULONG keyLength = 0;
|
||||||
SFTKAttribute *attribute;
|
SFTKAttribute *attribute;
|
||||||
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
|
@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
|
||||||
return keyLength;
|
return keyLength;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -124,7 +124,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
|||||||
{
|
{
|
||||||
switch (mechInfo->special) {
|
switch (mechInfo->special) {
|
||||||
case SFTKFIPSDH: {
|
case SFTKFIPSDH: {
|
||||||
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||||
if (hashObj == NULL) {
|
if (hashObj == NULL) {
|
||||||
return PR_FALSE;
|
return PR_FALSE;
|
||||||
}
|
}
|
||||||
@ -141,7 +141,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
|||||||
}
|
}
|
||||||
case SFTKFIPSPBKDF2: {
|
case SFTKFIPSPBKDF2: {
|
||||||
/* PBKDF2 must have the following addition restrictions
|
/* PBKDF2 must have the following addition restrictions
|
||||||
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||||
}
|
}
|
||||||
return PR_TRUE;
|
return PR_TRUE;
|
||||||
}
|
}
|
||||||
@ -155,7 +155,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
|||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||||
|
|
||||||
PRBool
|
PRBool
|
||||||
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
||||||
@ -164,7 +164,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
|||||||
{
|
{
|
||||||
#ifndef NSS_HAS_FIPS_INDICATORS
|
#ifndef NSS_HAS_FIPS_INDICATORS
|
||||||
return PR_FALSE;
|
return PR_FALSE;
|
||||||
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||||
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
||||||
/* if we match the number of records exactly, then we are an
|
/* if we match the number of records exactly, then we are an
|
||||||
* approved algorithm in the approved mode with an approved key */
|
* approved algorithm in the approved mode with an approved key */
|
@ -1,6 +1,6 @@
|
|||||||
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
||||||
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||||
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
|
+++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700
|
||||||
@@ -445,7 +445,7 @@ cleanup:
|
@@ -445,7 +445,7 @@ cleanup:
|
||||||
PRBool
|
PRBool
|
||||||
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
||||||
@ -50,9 +50,17 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
|||||||
MP_TO_SEC_ERROR(err);
|
MP_TO_SEC_ERROR(err);
|
||||||
return PR_FALSE;
|
return PR_FALSE;
|
||||||
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||||
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
|
--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||||
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
|
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700
|
||||||
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
@@ -43,6 +43,7 @@
|
||||||
|
|
||||||
|
#include "prprf.h"
|
||||||
|
#include "prenv.h"
|
||||||
|
+#include "prerror.h"
|
||||||
|
|
||||||
|
#define __PASTE(x, y) x##y
|
||||||
|
#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
|
||||||
|
@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||||
* handle the base object stuff
|
* handle the base object stuff
|
||||||
*/
|
*/
|
||||||
crv = sftk_handleObject(key, session);
|
crv = sftk_handleObject(key, session);
|
||||||
@ -63,7 +71,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
sftk_FreeSession(session);
|
sftk_FreeSession(session);
|
||||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||||
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
||||||
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||||
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
||||||
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
||||||
}
|
}
|
||||||
@ -73,7 +81,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
if (crv == CKR_OK) {
|
if (crv == CKR_OK) {
|
||||||
*phKey = key->handle;
|
*phKey = key->handle;
|
||||||
}
|
}
|
||||||
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||||
|
|
||||||
if (isDerivable) {
|
if (isDerivable) {
|
||||||
SFTKAttribute *pubAttribute = NULL;
|
SFTKAttribute *pubAttribute = NULL;
|
||||||
@ -156,7 +164,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
+ }
|
+ }
|
||||||
+ /* make sure it has the same encoding */
|
+ /* make sure it has the same encoding */
|
||||||
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
||||||
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||||
+ } else {
|
+ } else {
|
||||||
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||||
@ -169,7 +177,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
+ default:
|
+ default:
|
||||||
+ return CKR_DEVICE_ERROR;
|
+ return CKR_DEVICE_ERROR;
|
||||||
}
|
}
|
||||||
-
|
|
||||||
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
|
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
|
||||||
- if (crv != CKR_OK) {
|
- if (crv != CKR_OK) {
|
||||||
- sftk_FreeAttribute(pubAttribute);
|
- sftk_FreeAttribute(pubAttribute);
|
||||||
@ -189,7 +197,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
/* FIPS requires full validation, but in fipx mode NSC_Derive
|
/* FIPS requires full validation, but in fipx mode NSC_Derive
|
||||||
* only does partial validation with approved primes, now handle
|
* only does partial validation with approved primes, now handle
|
||||||
* full validation */
|
* full validation */
|
||||||
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||||
SECItem pubKey;
|
SECItem pubKey;
|
||||||
SECItem prime;
|
SECItem prime;
|
||||||
SECItem subPrime;
|
SECItem subPrime;
|
||||||
@ -283,7 +291,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
}
|
}
|
||||||
|
|
||||||
return CKR_OK;
|
return CKR_OK;
|
||||||
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||||
* created and linked.
|
* created and linked.
|
||||||
*/
|
*/
|
||||||
crv = sftk_handleObject(publicKey, session);
|
crv = sftk_handleObject(publicKey, session);
|
||||||
@ -293,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
sftk_FreeObject(publicKey);
|
sftk_FreeObject(publicKey);
|
||||||
NSC_DestroyObject(hSession, privateKey->handle);
|
NSC_DestroyObject(hSession, privateKey->handle);
|
||||||
sftk_FreeObject(privateKey);
|
sftk_FreeObject(privateKey);
|
||||||
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||||
}
|
}
|
||||||
|
|
||||||
if (crv != CKR_OK) {
|
if (crv != CKR_OK) {
|
||||||
@ -301,7 +309,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
NSC_DestroyObject(hSession, publicKey->handle);
|
NSC_DestroyObject(hSession, publicKey->handle);
|
||||||
sftk_FreeObject(publicKey);
|
sftk_FreeObject(publicKey);
|
||||||
NSC_DestroyObject(hSession, privateKey->handle);
|
NSC_DestroyObject(hSession, privateKey->handle);
|
||||||
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||||
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||||
publicKey->isFIPS = privateKey->isFIPS;
|
publicKey->isFIPS = privateKey->isFIPS;
|
||||||
@ -310,7 +318,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
|
|
||||||
*phPrivateKey = privateKey->handle;
|
*phPrivateKey = privateKey->handle;
|
||||||
*phPublicKey = publicKey->handle;
|
*phPublicKey = publicKey->handle;
|
||||||
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
|
|
||||||
/* if the prime is an approved prime, we can skip all the other
|
/* if the prime is an approved prime, we can skip all the other
|
||||||
* checks. */
|
* checks. */
|
||||||
@ -319,7 +327,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
if (subPrime == NULL) {
|
if (subPrime == NULL) {
|
||||||
SECItem dhSubPrime;
|
SECItem dhSubPrime;
|
||||||
/* If the caller set the subprime value, it means that
|
/* If the caller set the subprime value, it means that
|
||||||
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
secretlen = tmp.len;
|
secretlen = tmp.len;
|
||||||
} else {
|
} else {
|
||||||
secretlen = keySize;
|
secretlen = keySize;
|
||||||
@ -327,24 +335,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
|||||||
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
|
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
|
||||||
&tmp, mechParams->pSharedData,
|
&tmp, mechParams->pSharedData,
|
||||||
mechParams->ulSharedDataLen, mechParams->kdf);
|
mechParams->ulSharedDataLen, mechParams->kdf);
|
||||||
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
|
|
||||||
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
|
||||||
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
|
|
||||||
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
|
|
||||||
if (object == NULL) {
|
|
||||||
return CKR_HOST_MEMORY;
|
|
||||||
}
|
|
||||||
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
|
|
||||||
+ /* object types that we aren't allowed to create in FIPS mode are
|
|
||||||
+ * already rejected explicitly. If we get here, then the object is
|
|
||||||
+ * FIPS OK (most notably public key objects )*/
|
|
||||||
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
|
|
||||||
* it's not a FIPS object */
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
||||||
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
|
--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||||
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
|
+++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700
|
||||||
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
||||||
/* dh verify functions */
|
/* dh verify functions */
|
||||||
/* verify that dhPrime matches one of our known primes, and if so return
|
/* verify that dhPrime matches one of our known primes, and if so return
|
||||||
@ -355,9 +348,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
|||||||
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
||||||
/* map an operation Attribute to a Mechanism flag */
|
/* map an operation Attribute to a Mechanism flag */
|
||||||
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
||||||
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
|
--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700
|
||||||
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
|
+++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700
|
||||||
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||||
switch (mechInfo->special) {
|
switch (mechInfo->special) {
|
||||||
case SFTKFIPSDH: {
|
case SFTKFIPSDH: {
|
||||||
SECItem dhPrime;
|
SECItem dhPrime;
|
||||||
@ -388,8 +381,8 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
|||||||
case SFTKFIPSNone:
|
case SFTKFIPSNone:
|
||||||
return PR_FALSE;
|
return PR_FALSE;
|
||||||
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
||||||
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||||
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
|
+++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700
|
||||||
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
|
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
|
||||||
(unsigned char *)subprime_tls_8192_data,
|
(unsigned char *)subprime_tls_8192_data,
|
||||||
sizeof(subprime_tls_8192_data) };
|
sizeof(subprime_tls_8192_data) };
|
||||||
@ -481,8 +474,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
|
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
|
||||||
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700
|
||||||
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
|
+++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700
|
||||||
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
|
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
126
nss-3.101-fix-missing-size-checks.patch
Normal file
126
nss-3.101-fix-missing-size-checks.patch
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||||
|
@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
|
||||||
|
// Fail to connect with a weak RSA key.
|
||||||
|
TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||||
|
Reset(kPssDelegatorId);
|
||||||
|
EnsureTlsSetup();
|
||||||
|
static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
|
||||||
|
ssl_sig_rsa_pss_pss_sha256};
|
||||||
|
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||||
|
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||||
|
+ PRInt32 keySizeFlags;
|
||||||
|
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
|
||||||
|
+ // turn off the signing key sizes so we actually test the ssl tests
|
||||||
|
+ ASSERT_EQ(SECSuccess,
|
||||||
|
+ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
|
||||||
|
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||||
|
// save the MIN POLICY length.
|
||||||
|
PRInt32 minRsa;
|
||||||
|
|
||||||
|
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
||||||
|
#if RSA_MIN_MODULUS_BITS >= 2048
|
||||||
|
ASSERT_EQ(SECSuccess,
|
||||||
|
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
||||||
|
@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||||
|
client_->EnableDelegatedCredentials();
|
||||||
|
|
||||||
|
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
||||||
|
client_, ssl_delegated_credentials_xtn);
|
||||||
|
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
||||||
|
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||||
|
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
||||||
|
#endif
|
||||||
|
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
|
||||||
|
}
|
||||||
|
|
||||||
|
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
||||||
|
public:
|
||||||
|
ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
|
||||||
|
: TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
|
||||||
|
|
||||||
|
protected:
|
||||||
|
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
|
||||||
|
--- a/lib/cryptohi/seckey.c
|
||||||
|
+++ b/lib/cryptohi/seckey.c
|
||||||
|
@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* interpret modulus length as key strength */
|
||||||
|
switch (privk->keyType) {
|
||||||
|
case rsaKey:
|
||||||
|
case rsaPssKey:
|
||||||
|
case rsaOaepKey:
|
||||||
|
- /* some tokens don't export CKA_MODULUS on the private key,
|
||||||
|
- * PK11_SignatureLen works around this if necessary */
|
||||||
|
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||||
|
- if (bitSize == -1) {
|
||||||
|
- bitSize = 0;
|
||||||
|
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||||
|
+ CKA_MODULUS, NULL, ¶ms);
|
||||||
|
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||||
|
+ /* some tokens don't export CKA_MODULUS on the private key,
|
||||||
|
+ * PK11_SignatureLen works around this if necessary. This
|
||||||
|
+ * method is less percise because it returns bytes instead
|
||||||
|
+ * bits, so we only do it if we can't get the modulus */
|
||||||
|
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||||
|
+ if (bitSize == -1) {
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ return bitSize;
|
||||||
|
}
|
||||||
|
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
||||||
|
+ PORT_Free(params.data);
|
||||||
|
return bitSize;
|
||||||
|
case dsaKey:
|
||||||
|
case fortezzaKey:
|
||||||
|
case dhKey:
|
||||||
|
case keaKey:
|
||||||
|
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||||
|
CKA_PRIME, NULL, ¶ms);
|
||||||
|
if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||||
|
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||||
|
--- a/lib/ssl/ssl3con.c
|
||||||
|
+++ b/lib/ssl/ssl3con.c
|
||||||
|
@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
|
||||||
|
|
||||||
|
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
|
||||||
|
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
|
||||||
|
int signatureLen = PK11_SignatureLen(key);
|
||||||
|
+ PRInt32 optval;
|
||||||
|
|
||||||
|
SECItem *params = NULL;
|
||||||
|
CK_RSA_PKCS_PSS_PARAMS pssParams;
|
||||||
|
SECItem pssParamsItem = { siBuffer,
|
||||||
|
(unsigned char *)&pssParams,
|
||||||
|
sizeof(pssParams) };
|
||||||
|
|
||||||
|
if (signatureLen <= 0) {
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
+ /* since we are calling PK11_SignWithMechanism directly, we need to check the
|
||||||
|
+ * key policy ourselves (which is already checked in SGN_Digest */
|
||||||
|
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||||
|
+ if ((rv == SECSuccess) &&
|
||||||
|
+ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
|
||||||
|
+ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
|
||||||
|
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||||
|
+ if (rv != SECSuccess) {
|
||||||
|
+ goto done; /* error code already set */
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
|
||||||
|
buf->len = (unsigned)signatureLen;
|
||||||
|
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
|
||||||
|
if (!buf->data)
|
||||||
|
goto done; /* error code was set. */
|
||||||
|
|
||||||
|
if (useRsaPss) {
|
||||||
|
pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);
|
43
nss-3.101-fix-pkcs12-md5-decode.patch
Normal file
43
nss-3.101-fix-pkcs12-md5-decode.patch
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
|
||||||
|
--- a/lib/util/nsshash.c
|
||||||
|
+++ b/lib/util/nsshash.c
|
||||||
|
@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
|
||||||
|
SECOidTag
|
||||||
|
HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
|
||||||
|
{
|
||||||
|
SECOidTag hashOid = SEC_OID_UNKNOWN;
|
||||||
|
|
||||||
|
switch (hmacOid) {
|
||||||
|
/* no oid exists for HMAC_MD2 */
|
||||||
|
/* NSS does not define a oid for HMAC_MD4 */
|
||||||
|
+ case SEC_OID_HMAC_MD5:
|
||||||
|
+ hashOid = SEC_OID_MD5;
|
||||||
|
+ break;
|
||||||
|
case SEC_OID_HMAC_SHA1:
|
||||||
|
hashOid = SEC_OID_SHA1;
|
||||||
|
break;
|
||||||
|
case SEC_OID_HMAC_SHA224:
|
||||||
|
hashOid = SEC_OID_SHA224;
|
||||||
|
break;
|
||||||
|
case SEC_OID_HMAC_SHA256:
|
||||||
|
hashOid = SEC_OID_SHA256;
|
||||||
|
@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
|
||||||
|
SECOidTag
|
||||||
|
HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
|
||||||
|
{
|
||||||
|
SECOidTag hmacOid = SEC_OID_UNKNOWN;
|
||||||
|
|
||||||
|
switch (hashOid) {
|
||||||
|
/* no oid exists for HMAC_MD2 */
|
||||||
|
/* NSS does not define a oid for HMAC_MD4 */
|
||||||
|
+ case SEC_OID_MD5:
|
||||||
|
+ hmacOid = SEC_OID_HMAC_MD5;
|
||||||
|
+ break;
|
||||||
|
case SEC_OID_SHA1:
|
||||||
|
hmacOid = SEC_OID_HMAC_SHA1;
|
||||||
|
break;
|
||||||
|
case SEC_OID_SHA224:
|
||||||
|
hmacOid = SEC_OID_HMAC_SHA224;
|
||||||
|
break;
|
||||||
|
case SEC_OID_SHA256:
|
||||||
|
hmacOid = SEC_OID_HMAC_SHA256;
|
121
nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
Normal file
121
nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
Normal file
@ -0,0 +1,121 @@
|
|||||||
|
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
|
||||||
|
--- a/lib/pk11wrap/pk11mech.c
|
||||||
|
+++ b/lib/pk11wrap/pk11mech.c
|
||||||
|
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
|
||||||
|
case CKM_BATON_ECB96:
|
||||||
|
case CKM_BATON_CBC128:
|
||||||
|
case CKM_BATON_COUNTER:
|
||||||
|
case CKM_BATON_SHUFFLE:
|
||||||
|
case CKM_JUNIPER_ECB128:
|
||||||
|
case CKM_JUNIPER_CBC128:
|
||||||
|
case CKM_JUNIPER_COUNTER:
|
||||||
|
case CKM_JUNIPER_SHUFFLE:
|
||||||
|
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||||
|
- SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||||
|
- if (newParams == NULL)
|
||||||
|
- break;
|
||||||
|
+ /* if no parameters have been supplied, then encode a NULL params
|
||||||
|
+ */
|
||||||
|
+ if (param && param->len > 0) {
|
||||||
|
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||||
|
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||||
|
+ if (newParams == NULL)
|
||||||
|
+ break;
|
||||||
|
+ } else {
|
||||||
|
+ newParams = NULL;
|
||||||
|
+ }
|
||||||
|
rv = SECSuccess;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
if (newParams)
|
||||||
|
SECITEM_FreeItem(newParams, PR_TRUE);
|
||||||
|
return rv;
|
||||||
|
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
|
||||||
|
--- a/lib/pk11wrap/pk11pbe.c
|
||||||
|
+++ b/lib/pk11wrap/pk11pbe.c
|
||||||
|
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
||||||
|
* algorithm is). We use choose this algorithm oid based on the
|
||||||
|
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
|
||||||
|
*/
|
||||||
|
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
|
||||||
|
/* choose mac or pbes */
|
||||||
|
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||||
|
+
|
||||||
|
/* set the PKCS5v2 specific parameters */
|
||||||
|
if (keyLength == 0) {
|
||||||
|
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||||
|
if (hashAlg != SEC_OID_UNKNOWN) {
|
||||||
|
keyLength = HASH_ResultLenByOidTag(hashAlg);
|
||||||
|
} else {
|
||||||
|
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
|
||||||
|
}
|
||||||
|
if (keyLength <= 0) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
/* currently SEC_OID_HMAC_SHA1 is the default */
|
||||||
|
if (prfAlg == SEC_OID_UNKNOWN) {
|
||||||
|
prfAlg = SEC_OID_HMAC_SHA1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* build the PKCS5v2 cipher algorithm id */
|
||||||
|
- cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||||
|
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||||
|
- if (!cipherParams) {
|
||||||
|
- goto loser;
|
||||||
|
+ /* build the PKCS5v2 cipher algorithm id, if cipher
|
||||||
|
+ * is an HMAC, the cipherParams should be NULL */
|
||||||
|
+ if (hashAlg == SEC_OID_UNKNOWN) {
|
||||||
|
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||||
|
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||||
|
+ if (!cipherParams) {
|
||||||
|
+ goto loser;
|
||||||
|
+ }
|
||||||
|
+ } else {
|
||||||
|
+ cipherParams = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
|
||||||
|
|
||||||
|
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
|
||||||
|
poolp, &pbeV2_param.cipherAlgId);
|
||||||
|
- SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||||
|
+ if (cipherParams) {
|
||||||
|
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||||
|
+ }
|
||||||
|
if (rv != SECSuccess) {
|
||||||
|
goto loser;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* generate the parameter */
|
||||||
|
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
|
||||||
|
keyLength, prfAlg);
|
||||||
|
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
|
||||||
|
--- a/lib/util/secalgid.c
|
||||||
|
+++ b/lib/util/secalgid.c
|
||||||
|
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
|
||||||
|
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||||
|
return SECFailure;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
|
||||||
|
return SECFailure;
|
||||||
|
|
||||||
|
if ((secoid_IsRSAPKCS1(which)) ||
|
||||||
|
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
|
||||||
|
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
|
||||||
|
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
|
||||||
|
add_null_param = PR_TRUE;
|
||||||
|
} else {
|
||||||
|
add_null_param = PR_FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (params) {
|
||||||
|
/*
|
||||||
|
* I am specifically *not* enforcing the following assertion
|
File diff suppressed because it is too large
Load Diff
@ -1,57 +0,0 @@
|
|||||||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
|
||||||
index 74e8e65..8995752 100644
|
|
||||||
--- a/lib/freebl/Makefile
|
|
||||||
+++ b/lib/freebl/Makefile
|
|
||||||
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
|
||||||
HAVE_INT128_SUPPORT = 1
|
|
||||||
DEFINES += -DHAVE_INT128_SUPPORT
|
|
||||||
else ifeq (1,$(CC_IS_GCC))
|
|
||||||
- SUPPORTS_VALE_CURVE25519 = 1
|
|
||||||
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
|
||||||
HAVE_INT128_SUPPORT = 1
|
|
||||||
DEFINES += -DHAVE_INT128_SUPPORT
|
|
||||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
|
||||||
index 65f9a80..23940ef 100644
|
|
||||||
--- a/lib/freebl/freebl.gyp
|
|
||||||
+++ b/lib/freebl/freebl.gyp
|
|
||||||
@@ -866,12 +866,6 @@
|
|
||||||
}],
|
|
||||||
],
|
|
||||||
}],
|
|
||||||
- [ 'supports_vale_curve25519==1', {
|
|
||||||
- 'defines': [
|
|
||||||
- # The Makefile does version-tests on GCC, but we're not doing that here.
|
|
||||||
- 'HACL_CAN_COMPILE_INLINE_ASM',
|
|
||||||
- ],
|
|
||||||
- }],
|
|
||||||
[ 'OS=="linux" or OS=="android"', {
|
|
||||||
'conditions': [
|
|
||||||
[ 'target_arch=="x64"', {
|
|
||||||
@@ -934,11 +928,6 @@
|
|
||||||
'variables': {
|
|
||||||
'module': 'nss',
|
|
||||||
'conditions': [
|
|
||||||
- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
|
||||||
- 'supports_vale_curve25519%': 1,
|
|
||||||
- }, {
|
|
||||||
- 'supports_vale_curve25519%': 0,
|
|
||||||
- }],
|
|
||||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
|
||||||
'have_int128_support%': 1,
|
|
||||||
}, {
|
|
||||||
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
|
|
||||||
index d198c44..34b6b3c 100644
|
|
||||||
--- a/lib/freebl/freebl_base.gypi
|
|
||||||
+++ b/lib/freebl/freebl_base.gypi
|
|
||||||
@@ -151,11 +151,6 @@
|
|
||||||
'ecl/curve25519_32.c',
|
|
||||||
],
|
|
||||||
}],
|
|
||||||
- ['supports_vale_curve25519==1', {
|
|
||||||
- 'sources': [
|
|
||||||
- 'verified/Hacl_Curve25519_64.c',
|
|
||||||
- ],
|
|
||||||
- }],
|
|
||||||
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
|
||||||
'sources': [
|
|
||||||
# Gyp does not support per-file cflags, so working around like this.
|
|
@ -1,194 +0,0 @@
|
|||||||
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
|
|
||||||
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
|
||||||
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
|
|
||||||
@@ -10,6 +10,32 @@
|
|
||||||
#include "pk11pub.h"
|
|
||||||
#include <stdio.h>
|
|
||||||
|
|
||||||
+typedef struct KeyLengthEntryStr {
|
|
||||||
+ SECOidTag tag;
|
|
||||||
+ unsigned int len;
|
|
||||||
+ PRBool encoded;
|
|
||||||
+} KeyLengthEntry;
|
|
||||||
+
|
|
||||||
+const KeyLengthEntry keyLengthTable[] = {
|
|
||||||
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
|
|
||||||
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
|
|
||||||
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
|
|
||||||
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+const KeyLengthEntry *
|
|
||||||
+getKeyLengthEntry(SECOidTag tag)
|
|
||||||
+{
|
|
||||||
+ int i;
|
|
||||||
+
|
|
||||||
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
|
|
||||||
+ if (keyLengthTable[i].tag == tag) {
|
|
||||||
+ return &keyLengthTable[i];
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return NULL;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
void
|
|
||||||
printBuf(const SECItem *item)
|
|
||||||
{
|
|
||||||
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
|
|
||||||
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
|
||||||
PK11SymKey *symKey = NULL;
|
|
||||||
SECStatus rv = SECFailure;
|
|
||||||
+ const KeyLengthEntry *keyLengthEntry;
|
|
||||||
+ SECItem point = { siBuffer, NULL, 0 };
|
|
||||||
+ SECItem value = { siBuffer, NULL, 0 };
|
|
||||||
+ PLArenaPool *arena = NULL;
|
|
||||||
|
|
||||||
oidData = SECOID_FindOIDByTag(oid);
|
|
||||||
if (oidData == NULL) {
|
|
||||||
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
PrintKey(symKey);
|
|
||||||
- rv = SECSuccess;
|
|
||||||
|
|
||||||
+ keyLengthEntry = getKeyLengthEntry(oid);
|
|
||||||
+ /* this shouldn't happen unless new curves are added without adding them
|
|
||||||
+ * to the keyLengthTable */
|
|
||||||
+ PR_ASSERT(keyLengthEntry);
|
|
||||||
+
|
|
||||||
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
|
|
||||||
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
|
|
||||||
+ * our test will detect incorrect behavior */
|
|
||||||
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
|
|
||||||
+ if (rv == SECFailure) {
|
|
||||||
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ if (keyLengthEntry->encoded) {
|
|
||||||
+ if (point.len == keyLengthEntry->len) {
|
|
||||||
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
|
|
||||||
+ printBuf(&point);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
|
||||||
+ if (arena == NULL) {
|
|
||||||
+ printf(" >>> arena alloc failed.\n");
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
|
|
||||||
+ &point);
|
|
||||||
+ if (rv != SECSuccess) {
|
|
||||||
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
|
|
||||||
+ printBuf(&point);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ rv = SECFailure;
|
|
||||||
+ if (value.len != keyLengthEntry->len) {
|
|
||||||
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
|
|
||||||
+ value.len, keyLengthEntry->len);
|
|
||||||
+ printBuf(&value);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
|
||||||
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
|
|
||||||
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
|
|
||||||
+ printBuf(&value);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ } else {
|
|
||||||
+ if (point.len != keyLengthEntry->len) {
|
|
||||||
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
|
|
||||||
+ point.len, keyLengthEntry->len);
|
|
||||||
+ printBuf(&point);
|
|
||||||
+ goto cleanup;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rv = SECSuccess;
|
|
||||||
cleanup:
|
|
||||||
if (privKey) {
|
|
||||||
SECKEY_DestroyPrivateKey(privKey);
|
|
||||||
@@ -91,7 +176,11 @@ cleanup:
|
|
||||||
if (symKey) {
|
|
||||||
PK11_FreeSymKey(symKey);
|
|
||||||
}
|
|
||||||
+ if (arena) {
|
|
||||||
+ PORT_FreeArena(arena, PR_TRUE);
|
|
||||||
+ }
|
|
||||||
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
|
|
||||||
+ SECITEM_FreeItem(&point, PR_FALSE);
|
|
||||||
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
|
|
||||||
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
|
||||||
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
|
|
||||||
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
|
|
||||||
*/
|
|
||||||
|
|
||||||
typedef enum { ec_params_explicit,
|
|
||||||
- ec_params_named
|
|
||||||
+ ec_params_named,
|
|
||||||
+ ec_params_edwards_named,
|
|
||||||
+ ec_params_montgomery_named,
|
|
||||||
} ECParamsType;
|
|
||||||
|
|
||||||
typedef enum { ec_field_GFp = 1,
|
|
||||||
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
|
|
||||||
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
|
|
||||||
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
|
|
||||||
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
|
|
||||||
|
|
||||||
case SEC_OID_CURVE25519:
|
|
||||||
/* Populate params for Curve25519 */
|
|
||||||
+ params->type = ec_params_montgomery_named;
|
|
||||||
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
|
|
||||||
ec_field_plain,
|
|
||||||
params));
|
|
||||||
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
|
|
||||||
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
|
|
||||||
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
|
|
||||||
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
|
||||||
}
|
|
||||||
/* make sure it has the same encoding */
|
|
||||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
|
||||||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
|
||||||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
|
||||||
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
|
||||||
} else {
|
|
||||||
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
|
||||||
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
|
||||||
}
|
|
||||||
|
|
||||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
|
||||||
- ecParams->fieldID.type == ec_field_plain) {
|
|
||||||
+ ecParams->type != ec_params_named) {
|
|
||||||
PORT_FreeArena(ecParams->arena, PR_TRUE);
|
|
||||||
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
|
|
||||||
sftk_item_expand(&ecPriv->publicValue));
|
|
||||||
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
|
|
||||||
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
|
|
||||||
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
|
|
||||||
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
|
||||||
/* Handle the non-DER encoded case.
|
|
||||||
* Some curves are always pressumed to be non-DER.
|
|
||||||
*/
|
|
||||||
- if (pubKey->u.ec.publicValue.len == keyLen &&
|
|
||||||
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
|
|
||||||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
|
|
||||||
+ (pubKey->u.ec.publicValue.len == keyLen &&
|
|
||||||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
|
|
||||||
break; /* key was not DER encoded, no need to unwrap */
|
|
||||||
}
|
|
||||||
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
/* we don't handle compressed points except in the case of ECCurve25519 */
|
|
||||||
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
|
|
||||||
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
|
|
||||||
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
|
||||||
crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
|
||||||
break;
|
|
||||||
}
|
|
@ -1,335 +0,0 @@
|
|||||||
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
|
|
||||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
|
|
||||||
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
|
|
||||||
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
|
|
||||||
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
|
|
||||||
|
|
||||||
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
|
|
||||||
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
|
|
||||||
+const uint8_t kP521SpkiUnpaddedSig[] = {
|
|
||||||
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
|
||||||
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
|
|
||||||
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
|
|
||||||
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
|
|
||||||
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
|
|
||||||
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
|
|
||||||
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
|
|
||||||
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
|
|
||||||
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
|
|
||||||
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
|
|
||||||
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
|
|
||||||
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
|
|
||||||
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
|
|
||||||
+ 0xe2, 0x9f};
|
|
||||||
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
|
|
||||||
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
|
|
||||||
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
|
|
||||||
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
|
|
||||||
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
|
|
||||||
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
|
|
||||||
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
|
|
||||||
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
|
|
||||||
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
|
|
||||||
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
|
|
||||||
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
|
|
||||||
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
|
|
||||||
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
|
|
||||||
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
|
|
||||||
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
|
|
||||||
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
|
|
||||||
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
|
|
||||||
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
|
|
||||||
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
|
|
||||||
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
|
|
||||||
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
|
|
||||||
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
|
|
||||||
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
|
|
||||||
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
|
|
||||||
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
|
|
||||||
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
|
|
||||||
+const uint8_t kP384SpkiUnpaddedSig[] = {
|
|
||||||
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
|
||||||
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
|
|
||||||
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
|
|
||||||
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
|
|
||||||
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
|
|
||||||
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
|
|
||||||
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
|
|
||||||
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
|
|
||||||
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
|
|
||||||
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
|
|
||||||
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
|
|
||||||
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
|
|
||||||
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
|
|
||||||
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
|
|
||||||
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
|
|
||||||
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
|
|
||||||
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
|
|
||||||
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
|
|
||||||
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
|
|
||||||
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
|
|
||||||
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
|
|
||||||
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
|
|
||||||
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
|
|
||||||
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
|
|
||||||
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
|
|
||||||
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
|
|
||||||
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
|
|
||||||
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
|
|
||||||
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
|
|
||||||
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
|
|
||||||
+const uint8_t kP256SpkiUnpaddedSig[] = {
|
|
||||||
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
|
||||||
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
|
||||||
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
|
|
||||||
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
|
|
||||||
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
|
|
||||||
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
|
|
||||||
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
|
|
||||||
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
|
|
||||||
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
|
|
||||||
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
|
|
||||||
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
|
|
||||||
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
|
|
||||||
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
|
|
||||||
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
|
|
||||||
+ 0xcf, 0x61, 0x91, 0x5f};
|
|
||||||
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
|
|
||||||
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
|
|
||||||
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
|
|
||||||
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
|
|
||||||
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
|
|
||||||
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
|
|
||||||
+ 0x78, 0xc4};
|
|
||||||
} // namespace nss_test
|
|
||||||
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
|
|
||||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
|
|
||||||
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
|
|
||||||
SEC_OID_SECG_EC_SECP521R1,
|
|
||||||
SEC_OID_CURVE25519));
|
|
||||||
|
|
||||||
+class Pkcs11EcdsaUnpaddedSignatureTest
|
|
||||||
+ : public Pkcs11EcdsaTestBase,
|
|
||||||
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
|
|
||||||
+ public:
|
|
||||||
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
|
|
||||||
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
|
|
||||||
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
|
|
||||||
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
|
|
||||||
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
|
|
||||||
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
|
|
||||||
+ {SEC_OID_SHA512,
|
|
||||||
+ {DataBuffer(NULL, 0),
|
|
||||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
|
||||||
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
|
|
||||||
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
|
|
||||||
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
|
|
||||||
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
|
|
||||||
} // namespace nss_test
|
|
||||||
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
|
|
||||||
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
|
|
||||||
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
||||||
{
|
|
||||||
SECStatus res = SECSuccess;
|
|
||||||
|
|
||||||
+ unsigned char _padded_sig_data[64] = { 0 };
|
|
||||||
+ unsigned char *sig_r, *sig_s;
|
|
||||||
+
|
|
||||||
if (!key || !signature || !digest ||
|
|
||||||
!key->publicValue.data ||
|
|
||||||
!signature->data || !digest->data ||
|
|
||||||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (key->publicValue.len != 65 ||
|
|
||||||
- digest->len == 0 ||
|
|
||||||
- signature->len != 64) {
|
|
||||||
+ unsigned int olen = key->ecParams.order.len;
|
|
||||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
||||||
+ signature->len > 2 * olen ||
|
|
||||||
+ digest->len == 0 || key->publicValue.len != 65) {
|
|
||||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
||||||
res = SECFailure;
|
|
||||||
return res;
|
|
||||||
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
|
|
||||||
+ if (signature->len != 64) {
|
|
||||||
+ unsigned split = signature->len / 2;
|
|
||||||
+ unsigned pad = 32 - split;
|
|
||||||
+
|
|
||||||
+ unsigned char *o_sig = signature->data;
|
|
||||||
+ unsigned char *p_sig = _padded_sig_data;
|
|
||||||
+
|
|
||||||
+ memcpy(p_sig + pad, o_sig, split);
|
|
||||||
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
|
|
||||||
+
|
|
||||||
+ sig_r = p_sig;
|
|
||||||
+ sig_s = p_sig + 32;
|
|
||||||
+ } else {
|
|
||||||
+ sig_r = signature->data;
|
|
||||||
+ sig_s = signature->data + 32;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+
|
|
||||||
uint8_t hash[32] = { 0 };
|
|
||||||
if (digest->len < 32) {
|
|
||||||
memcpy(hash + 32 - digest->len, digest->data, digest->len);
|
|
||||||
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
|
||||||
bool b = Hacl_P256_ecdsa_verif_without_hash(
|
|
||||||
32, hash,
|
|
||||||
key->publicValue.data + 1,
|
|
||||||
- signature->data, signature->data + 32);
|
|
||||||
+ sig_r, sig_s);
|
|
||||||
if (!b) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
res = SECFailure;
|
|
||||||
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
|
|
||||||
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
|
|
||||||
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
||||||
{
|
|
||||||
SECStatus res = SECSuccess;
|
|
||||||
|
|
||||||
+ unsigned char _padded_sig_data[96] = { 0 };
|
|
||||||
+ unsigned char *sig_r, *sig_s;
|
|
||||||
+
|
|
||||||
if (!key || !signature || !digest ||
|
|
||||||
!key->publicValue.data ||
|
|
||||||
!signature->data || !digest->data ||
|
|
||||||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (key->publicValue.len != 97 ||
|
|
||||||
- digest->len == 0 ||
|
|
||||||
- signature->len != 96) {
|
|
||||||
+ unsigned int olen = key->ecParams.order.len;
|
|
||||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
||||||
+ signature->len > 2 * olen ||
|
|
||||||
+ digest->len == 0 || key->publicValue.len != 97) {
|
|
||||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
||||||
res = SECFailure;
|
|
||||||
return res;
|
|
||||||
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
|
|
||||||
+ if (signature->len != 96) {
|
|
||||||
+ unsigned split = signature->len / 2;
|
|
||||||
+ unsigned pad = 48 - split;
|
|
||||||
+
|
|
||||||
+ unsigned char *o_sig = signature->data;
|
|
||||||
+ unsigned char *p_sig = _padded_sig_data;
|
|
||||||
+
|
|
||||||
+ memcpy(p_sig + pad, o_sig, split);
|
|
||||||
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
|
|
||||||
+
|
|
||||||
+ sig_r = p_sig;
|
|
||||||
+ sig_s = p_sig + 48;
|
|
||||||
+ } else {
|
|
||||||
+ sig_r = signature->data;
|
|
||||||
+ sig_s = signature->data + 48;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
uint8_t hash[48] = { 0 };
|
|
||||||
if (digest->len < 48) {
|
|
||||||
memcpy(hash + 48 - digest->len, digest->data, digest->len);
|
|
||||||
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
|
||||||
bool b = Hacl_P384_ecdsa_verif_without_hash(
|
|
||||||
48, hash,
|
|
||||||
key->publicValue.data + 1,
|
|
||||||
- signature->data, signature->data + 48);
|
|
||||||
+ sig_r, sig_s);
|
|
||||||
if (!b) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
res = SECFailure;
|
|
||||||
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
|
|
||||||
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
|
|
||||||
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
||||||
{
|
|
||||||
SECStatus res = SECSuccess;
|
|
||||||
|
|
||||||
+ unsigned char _padded_sig_data[132] = { 0 };
|
|
||||||
+ unsigned char *sig_r, *sig_s;
|
|
||||||
+
|
|
||||||
if (!key || !signature || !digest ||
|
|
||||||
!key->publicValue.data ||
|
|
||||||
!signature->data || !digest->data ||
|
|
||||||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (key->publicValue.len != 133 ||
|
|
||||||
- digest->len == 0 ||
|
|
||||||
- signature->len != 132) {
|
|
||||||
+ unsigned int olen = key->ecParams.order.len;
|
|
||||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
|
||||||
+ signature->len > 2 * olen ||
|
|
||||||
+ digest->len == 0 || key->publicValue.len != 133) {
|
|
||||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
|
||||||
res = SECFailure;
|
|
||||||
return res;
|
|
||||||
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
||||||
return res;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
|
|
||||||
+ if (signature->len != 132) {
|
|
||||||
+ unsigned split = signature->len / 2;
|
|
||||||
+ unsigned pad = 66 - split;
|
|
||||||
+
|
|
||||||
+ unsigned char *o_sig = signature->data;
|
|
||||||
+ unsigned char *p_sig = _padded_sig_data;
|
|
||||||
+
|
|
||||||
+ memcpy(p_sig + pad, o_sig, split);
|
|
||||||
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
|
|
||||||
+
|
|
||||||
+ sig_r = p_sig;
|
|
||||||
+ sig_s = p_sig + 66;
|
|
||||||
+ } else {
|
|
||||||
+ sig_r = signature->data;
|
|
||||||
+ sig_s = signature->data + 66;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
uint8_t hash[66] = { 0 };
|
|
||||||
if (digest->len < 66) {
|
|
||||||
memcpy(hash + 66 - digest->len, digest->data, digest->len);
|
|
||||||
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
|
||||||
bool b = Hacl_P521_ecdsa_verif_without_hash(
|
|
||||||
66, hash,
|
|
||||||
key->publicValue.data + 1,
|
|
||||||
- signature->data, signature->data + 66);
|
|
||||||
+ sig_r, sig_s);
|
|
||||||
if (!b) {
|
|
||||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
|
||||||
res = SECFailure;
|
|
@ -1,83 +0,0 @@
|
|||||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
|
||||||
--- a/lib/softoken/pkcs11c.c
|
|
||||||
+++ b/lib/softoken/pkcs11c.c
|
|
||||||
@@ -15,10 +15,13 @@
|
|
||||||
* keys and their associated Certificates are saved on the token.
|
|
||||||
*
|
|
||||||
* In this implementation, session objects are only visible to the session
|
|
||||||
* that created or generated them.
|
|
||||||
*/
|
|
||||||
+
|
|
||||||
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
|
|
||||||
+
|
|
||||||
#include "seccomon.h"
|
|
||||||
#include "secitem.h"
|
|
||||||
#include "secport.h"
|
|
||||||
#include "blapi.h"
|
|
||||||
#include "pkcs11.h"
|
|
||||||
@@ -1954,12 +1957,21 @@
|
|
||||||
if (pDigest == NULL) {
|
|
||||||
*pulDigestLen = context->maxLen;
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* do it: */
|
|
||||||
+#if (ULONG_MAX > UINT_MAX)
|
|
||||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
|
||||||
+ * length argument, but NSC_Digest takes an unsigned long. */
|
|
||||||
+ while (ulDataLen > UINT_MAX) {
|
|
||||||
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
|
|
||||||
+ pData += UINT_MAX;
|
|
||||||
+ ulDataLen -= UINT_MAX;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
|
|
||||||
+
|
|
||||||
/* NOTE: this assumes buf size is bigenough for the algorithm */
|
|
||||||
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
|
|
||||||
*pulDigestLen = digestLen;
|
|
||||||
|
|
||||||
sftk_TerminateOp(session, SFTK_HASH, context);
|
|
||||||
@@ -1980,12 +1992,22 @@
|
|
||||||
|
|
||||||
/* make sure we're legal */
|
|
||||||
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
|
|
||||||
if (crv != CKR_OK)
|
|
||||||
return crv;
|
|
||||||
- /* do it: */
|
|
||||||
+
|
|
||||||
+#if (ULONG_MAX > UINT_MAX)
|
|
||||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
|
||||||
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
|
|
||||||
+ while (ulPartLen > UINT_MAX) {
|
|
||||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
|
||||||
+ pPart += UINT_MAX;
|
|
||||||
+ ulPartLen -= UINT_MAX;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
|
|
||||||
+
|
|
||||||
return CKR_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
|
|
||||||
CK_RV
|
|
||||||
@@ -3166,10 +3188,17 @@
|
|
||||||
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
|
|
||||||
if (crv != CKR_OK)
|
|
||||||
return crv;
|
|
||||||
|
|
||||||
if (context->hashInfo) {
|
|
||||||
+#if (ULONG_MAX > UINT_MAX)
|
|
||||||
+ while (ulPartLen > UINT_MAX) {
|
|
||||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
|
||||||
+ pPart += UINT_MAX;
|
|
||||||
+ ulPartLen -= UINT_MAX;
|
|
||||||
+ }
|
|
||||||
+#endif
|
|
||||||
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
|
|
||||||
} else {
|
|
||||||
/* must be block cipher MACing */
|
|
||||||
|
|
||||||
unsigned int blkSize = context->blockSize;
|
|
||||||
|
|
@ -1,18 +0,0 @@
|
|||||||
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
|
|
||||||
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
|
|
||||||
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
|
|
||||||
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
|
|
||||||
return $?
|
|
||||||
fi
|
|
||||||
curves=( \
|
|
||||||
- "curve25519" \
|
|
||||||
"secp256r1" \
|
|
||||||
"secp384r1" \
|
|
||||||
"secp521r1" \
|
|
||||||
)
|
|
||||||
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
|
|
||||||
+ curves=( "curve25519" "${curves[@]}" )
|
|
||||||
+ fi
|
|
||||||
for curve in "${curves[@]}"; do
|
|
||||||
echo "Test $curve key generation using certutil ..."
|
|
||||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
|
36
nss-3.90-ppc_no_init.patch
Normal file
36
nss-3.90-ppc_no_init.patch
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
|
||||||
|
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
|
||||||
|
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
|
||||||
|
@@ -303,7 +303,7 @@ endif
|
||||||
|
ifeq ($(CPU_ARCH),ppc)
|
||||||
|
EXTRA_SRCS += gcm-ppc.c
|
||||||
|
ifdef USE_64
|
||||||
|
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||||
|
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||||
|
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
|
||||||
|
ifeq ($(PPC_ABI),2)
|
||||||
|
ASFILES += sha512-p8.s
|
||||||
|
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
|
||||||
|
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
|
||||||
|
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
|
||||||
|
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
|
||||||
|
ifdef NSS_NO_INIT_SUPPORT
|
||||||
|
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||||
|
endif
|
||||||
|
-ifeq ($(OS_TARGET),Linux)
|
||||||
|
-ifeq ($(CPU_ARCH),ppc)
|
||||||
|
-ifdef USE_64
|
||||||
|
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||||
|
-endif # USE_64
|
||||||
|
-endif # ppc
|
||||||
|
-endif # Linux
|
||||||
|
+#ifeq ($(OS_TARGET),Linux)
|
||||||
|
+#ifeq ($(CPU_ARCH),ppc)
|
||||||
|
+#ifdef USE_64
|
||||||
|
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||||
|
+#endif # USE_64
|
||||||
|
+#endif # ppc
|
||||||
|
+#endif # Linux
|
||||||
|
|
||||||
|
|
||||||
|
#######################################################################
|
@ -1,32 +0,0 @@
|
|||||||
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
|
|
||||||
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
|
|
||||||
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
|
|
||||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
|
||||||
tls_filter.cc \
|
|
||||||
tls_protect.cc \
|
|
||||||
tls_psk_unittest.cc \
|
|
||||||
- tls_subcerts_unittest.cc \
|
|
||||||
tls_ech_unittest.cc \
|
|
||||||
$(SSLKEYLOGFILE_FILES) \
|
|
||||||
$(NULL)
|
|
||||||
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
|
|
||||||
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
|
|
||||||
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
|
|
||||||
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
|
||||||
- ss->opt.enableDelegatedCredentials = val;
|
|
||||||
+ /* disable it for now */
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSL_ENABLE_NPN:
|
|
||||||
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
|
||||||
- ssl_defaults.enableDelegatedCredentials = val;
|
|
||||||
+ /* disable it for now */
|
|
||||||
break;
|
|
||||||
|
|
||||||
case SSL_ENABLE_NPN:
|
|
@ -1,41 +0,0 @@
|
|||||||
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
|
|
||||||
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
|
|
||||||
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
|
|
||||||
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
|
|
||||||
static const oidValDef hashOptList[] = {
|
|
||||||
/* Hashes */
|
|
||||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
|
||||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
|
||||||
+ 0 },
|
|
||||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
|
||||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
|
||||||
+ 0 },
|
|
||||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
|
||||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
|
||||||
+ 0 },
|
|
||||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
|
||||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
|
||||||
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
|
|
||||||
diff -r 699541a7793b lib/util/secoid.c
|
|
||||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
|
||||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
|
||||||
@@ -2042,6 +2042,19 @@
|
|
||||||
int i;
|
|
||||||
|
|
||||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
|
||||||
+ switch (i) {
|
|
||||||
+ case SEC_OID_MD2:
|
|
||||||
+ case SEC_OID_MD4:
|
|
||||||
+ case SEC_OID_MD5:
|
|
||||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
|
||||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
|
||||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
|
||||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
|
||||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
|
||||||
+ continue;
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
|
||||||
xOids[i].notPolicyFlags = notEnable |
|
|
||||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
|
125
nss.spec
125
nss.spec
@ -1,7 +1,7 @@
|
|||||||
%global nspr_build_version 4.35.0-1
|
%global nspr_build_version 4.35.0-1
|
||||||
%global nspr_release -1
|
%global nspr_release -1
|
||||||
%global nspr_version 4.35.0
|
%global nspr_version 4.35.0
|
||||||
%global nss_version 3.90.0
|
%global nss_version 3.101.0
|
||||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||||
%global saved_files_dir %{_libdir}/nss/saved
|
%global saved_files_dir %{_libdir}/nss/saved
|
||||||
%global dracutlibdir %{_prefix}/lib/dracut
|
%global dracutlibdir %{_prefix}/lib/dracut
|
||||||
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 7%{?dist}
|
Release: 6%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||||
@ -113,7 +113,7 @@ Source28: nss-p11-kit.config
|
|||||||
# will have their own validation
|
# will have their own validation
|
||||||
Source30: fips_algorithms.h
|
Source30: fips_algorithms.h
|
||||||
|
|
||||||
Source50: NameConstraints_Certs.tar
|
#Source50: NameConstraints_Certs.tar
|
||||||
|
|
||||||
# To inject hardening flags for DSO
|
# To inject hardening flags for DSO
|
||||||
Patch1: nss-dso-ldflags.patch
|
Patch1: nss-dso-ldflags.patch
|
||||||
@ -129,67 +129,79 @@ Patch1: nss-dso-ldflags.patch
|
|||||||
# Once the buildroot aha been bootstrapped the patch may be removed
|
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||||
# but it doesn't hurt to keep it.
|
# but it doesn't hurt to keep it.
|
||||||
Patch4: iquote.patch
|
Patch4: iquote.patch
|
||||||
|
|
||||||
|
#
|
||||||
|
# RHEL-8 specific patches not in RHEL-9
|
||||||
|
#
|
||||||
# To revert the change in:
|
# To revert the change in:
|
||||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
|
||||||
Patch9: nss-sysinit-userdb.patch
|
Patch10: nss-sysinit-userdb.patch
|
||||||
# Disable nss-sysinit test which is solely to test the above change
|
# Disable nss-sysinit test which is solely to test the above change
|
||||||
Patch10: nss-skip-sysinit-gtests.patch
|
Patch11: nss-skip-sysinit-gtests.patch
|
||||||
Patch15: nss-3.90-extend-db-dump-time.patch
|
|
||||||
# For compatibility reasons, we stick with the old PKCS #11 2.40
|
# For compatibility reasons, we stick with the old PKCS #11 2.40
|
||||||
# definition of CK_GCM_PARAMS:
|
# definition of CK_GCM_PARAMS:
|
||||||
%if 0%{?fedora} < 34
|
%if 0%{?fedora} < 34
|
||||||
%if 0%{?rhel} < 9
|
%if 0%{?rhel} < 9
|
||||||
Patch20: nss-gcm-param-default-pkcs11v2.patch
|
Patch12: nss-gcm-param-default-pkcs11v2.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
# Local patch: disable MD5 (also MD2 and MD4) completely
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
|
|
||||||
Patch25: nss-disable-md5.patch
|
|
||||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||||
Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch13: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
Patch34: nss-3.71-fix-lto-gtests.patch
|
|
||||||
# Local patch: disable Delegated Credentials
|
|
||||||
Patch35: nss-disable-dc.patch
|
|
||||||
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
|
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
|
||||||
# is updated.
|
# is updated.
|
||||||
Patch40: nss-3.66-disable-signature-policies.patch
|
Patch14: nss-3.101-disable-signature-policies.patch
|
||||||
|
Patch15: nss-3.101-el8-fix-rsa-policy-test.patch
|
||||||
# Local patch: disable tests that require external reference so brew completes
|
# Local patch: disable tests that require external reference so brew completes
|
||||||
Patch45: nss-3.66-disable-external-host-test.patch
|
Patch16: nss-3.66-disable-external-host-test.patch
|
||||||
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
||||||
Patch50: nss-3.66-restore-old-pkcs12-default.patch
|
Patch17: nss-3.101-el8-restore-old-pkcs12-default.patch
|
||||||
# Local Patch: restore expired distrusted certs for now
|
# Local Patch: restore expired distrusted certs for now
|
||||||
Patch51: nss-3.79-revert-distrusted-certs.patch
|
Patch18: nss-3.79-revert-distrusted-certs.patch
|
||||||
# Local Patch: update fipsdefaults to AES
|
# Local Patch: update fipsdefaults to AES
|
||||||
Patch52: nss-3.79-pkcs12-fips-defaults.patch
|
Patch19: nss-3.79-pkcs12-fips-defaults.patch
|
||||||
Patch53: nss-3.71-camellia-pkcs12-doc.patch
|
# Local Patch: curve25519 keys can't be stored in dbm databases,
|
||||||
Patch54: nss-3.90-disable-ech.patch
|
# only rhel-8 has dbm databases left, don't try to store
|
||||||
|
# curve25519 keys in the dbm database.
|
||||||
|
Patch20: nss-3.101-ec-dbm-test.patch
|
||||||
|
# end of RHEL-8 specific patches
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
|
# RHEL-specific shared with RHEL-9
|
||||||
Patch57: nss-3.79-dbtool.patch
|
Patch30: nss-3.101-extend-db-dump-time.patch
|
||||||
Patch58: nss-3.79-fips.patch
|
# Local patch: disable MD5 (also MD2 and MD4) completely
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
|
||||||
|
Patch32: nss-3.101-disable-md5.patch
|
||||||
|
Patch34: nss-3.71-fix-lto-gtests.patch
|
||||||
|
Patch35: nss-3.71-camellia-pkcs12-doc.patch
|
||||||
|
Patch36: nss-3.101-disable-ech.patch
|
||||||
|
|
||||||
|
# patches that expect to be upstreamed
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
|
||||||
|
Patch50: nss-3.79-fips.patch
|
||||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
|
||||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
|
||||||
Patch60: nss-3.90-DisablingASM.patch
|
Patch51: nss-3.101-fips-review.patches
|
||||||
Patch61: nss-3.79-fips-review.patches
|
Patch52: nss-3.90-pbkdf2-indicator.patch
|
||||||
Patch62: nss-3.90-no-dbm-25519.patch
|
|
||||||
Patch63: nss-3.90-pbkdf2-indicator.patch
|
|
||||||
|
|
||||||
# ems policy. needs to upstream
|
# ems policy. needs to upstream
|
||||||
Patch70: nss-3.90-add-ems-policy.patch
|
Patch60: nss-3.101-add-ems-policy.patch
|
||||||
|
Patch70: nss-3.90-fips-safe-memset.patch
|
||||||
|
Patch71: nss-3.101-fips-indicators.patch
|
||||||
|
Patch72: nss-3.90-aes-gmc-indicator.patch
|
||||||
|
Patch73: nss-3.90-fips-indicators2.patch
|
||||||
|
Patch74: nss-3.90-dh-test-update.patch
|
||||||
|
Patch75: nss-3.90-ppc_no_init.patch
|
||||||
|
Patch76: nss-3.101-enable-kyber-policy.patch
|
||||||
|
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
|
||||||
|
Patch80: nss-3.101-el8-no-p12-smime-policy.patch
|
||||||
|
Patch81: nss-3.101-fix-missing-size-checks.patch
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
|
||||||
|
Patch82: nss-3.101-chacha-timing-fix.patch
|
||||||
|
Patch83: nss-3.101-add-certificate-compression-test.patch
|
||||||
|
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
|
||||||
|
|
||||||
|
#revert patches
|
||||||
|
Patch300: nss-3.101-default-libpkix.patch
|
||||||
|
|
||||||
Patch80: blinding_ct.patch
|
|
||||||
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
|
|
||||||
Patch82: nss-3.90-fips-safe-memset.patch
|
|
||||||
Patch83: nss-3.90-fips-indicators.patch
|
|
||||||
Patch84: nss-3.90-aes-gmc-indicator.patch
|
|
||||||
Patch85: nss-3.90-fips-indicators2.patch
|
|
||||||
Patch86: nss-3.90-dh-test-update.patch
|
|
||||||
Patch90: nss_p256_scalar_validated.patch
|
|
||||||
Patch91: nss_p384_scalar_validated.patch
|
|
||||||
Patch92: nss_p384_hacl.patch
|
|
||||||
Patch93: nss_p521_hacl.patch
|
|
||||||
Patch94: nss-3.90-ecc-wrap-fix.patch
|
|
||||||
Patch95: nss-3.90-ecdsa-sign-padding-fix.patch
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -319,7 +331,8 @@ Header and library files for doing development with Network Security Services.
|
|||||||
%prep
|
%prep
|
||||||
%autosetup -N -n %{name}-%{nss_archive_version}
|
%autosetup -N -n %{name}-%{nss_archive_version}
|
||||||
pushd nss
|
pushd nss
|
||||||
%autopatch -p1
|
%autopatch -M 299 -p1
|
||||||
|
%patch -P 300 -p1 -R
|
||||||
popd
|
popd
|
||||||
|
|
||||||
# copy the fips_algorithms.h for this release
|
# copy the fips_algorithms.h for this release
|
||||||
@ -328,9 +341,9 @@ popd
|
|||||||
cp %{SOURCE30} nss/lib/softoken/
|
cp %{SOURCE30} nss/lib/softoken/
|
||||||
|
|
||||||
#update expired test certs
|
#update expired test certs
|
||||||
pushd nss
|
#pushd nss
|
||||||
tar xvf %{SOURCE50}
|
#tar xvf %{SOURCE50}
|
||||||
popd
|
#popd
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
||||||
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
||||||
@ -888,11 +901,13 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
%{_includedir}/nss3/ciferfam.h
|
%{_includedir}/nss3/ciferfam.h
|
||||||
%{_includedir}/nss3/eccutil.h
|
%{_includedir}/nss3/eccutil.h
|
||||||
%{_includedir}/nss3/hasht.h
|
%{_includedir}/nss3/hasht.h
|
||||||
|
%{_includedir}/nss3/kyber.h
|
||||||
%{_includedir}/nss3/nssb64.h
|
%{_includedir}/nss3/nssb64.h
|
||||||
%{_includedir}/nss3/nssb64t.h
|
%{_includedir}/nss3/nssb64t.h
|
||||||
%{_includedir}/nss3/nsslocks.h
|
%{_includedir}/nss3/nsshash.h
|
||||||
%{_includedir}/nss3/nssilock.h
|
%{_includedir}/nss3/nssilock.h
|
||||||
%{_includedir}/nss3/nssilckt.h
|
%{_includedir}/nss3/nssilckt.h
|
||||||
|
%{_includedir}/nss3/nsslocks.h
|
||||||
%{_includedir}/nss3/nssrwlk.h
|
%{_includedir}/nss3/nssrwlk.h
|
||||||
%{_includedir}/nss3/nssrwlkt.h
|
%{_includedir}/nss3/nssrwlkt.h
|
||||||
%{_includedir}/nss3/nssutil.h
|
%{_includedir}/nss3/nssutil.h
|
||||||
@ -981,6 +996,22 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
|
||||||
|
- fix param encoding in pkcs12 pbamac encoding
|
||||||
|
- add support for certificate compression in selfserv and tstclient
|
||||||
|
|
||||||
|
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
|
||||||
|
- Fix missing and inaccurate key length checks
|
||||||
|
- Fix chacha timing issue
|
||||||
|
|
||||||
|
* Wed Jul 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
|
||||||
|
- Fix MD-5 decode issue in pkcs #12
|
||||||
|
- turn off policy processing for pkcs12 and smime
|
||||||
|
- update the restore defaults for pkcs12
|
||||||
|
|
||||||
|
* Tue Jun 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
|
||||||
|
- Rebase to NSS 3.101
|
||||||
|
|
||||||
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
|
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
|
||||||
- Allow for shorter ecdsa signatures by padding them to full length
|
- Allow for shorter ecdsa signatures by padding them to full length
|
||||||
|
|
||||||
|
File diff suppressed because it is too large
Load Diff
22992
nss_p384_hacl.patch
22992
nss_p384_hacl.patch
File diff suppressed because it is too large
Load Diff
@ -1,644 +0,0 @@
|
|||||||
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
|
|
||||||
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
|
|
||||||
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
|
|
||||||
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
|
|
||||||
for f in "${files[@]}"; do
|
|
||||||
file_name=$(basename "$f")
|
|
||||||
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
|
|
||||||
+ # TODO(Bug 1854438): Remove P384 exception.
|
|
||||||
+ # TODO(Bug 1854439): Remove P521 exception.
|
|
||||||
+ if [ $file_name == "Hacl_P384.c" \
|
|
||||||
+ -o $file_name == "Hacl_P384.h" \
|
|
||||||
+ -o $file_name == "Hacl_P521.c" \
|
|
||||||
+ -o $file_name == "Hacl_P521.h" ]
|
|
||||||
+ then
|
|
||||||
+ continue;
|
|
||||||
+ fi
|
|
||||||
diff $hacl_file $f
|
|
||||||
done
|
|
||||||
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
|
|
||||||
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
|
|
||||||
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -15,15 +15,62 @@
|
|
||||||
#include "mplogic.h"
|
|
||||||
#include "ec.h"
|
|
||||||
#include "ecl.h"
|
|
||||||
+#include "verified/Hacl_P384.h"
|
|
||||||
+#include "verified/Hacl_P521.h"
|
|
||||||
|
|
||||||
#define EC_DOUBLECHECK PR_FALSE
|
|
||||||
|
|
||||||
+SECStatus
|
|
||||||
+ec_secp384r1_scalar_validate(const SECItem *scalar)
|
|
||||||
+{
|
|
||||||
+ if (!scalar || !scalar->data) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (scalar->len != 48) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ bool b = Hacl_P384_validate_private_key(scalar->data);
|
|
||||||
+
|
|
||||||
+ if (!b) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+ return SECSuccess;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+SECStatus
|
|
||||||
+ec_secp521r1_scalar_validate(const SECItem *scalar)
|
|
||||||
+{
|
|
||||||
+ if (!scalar || !scalar->data) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (scalar->len != 66) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ bool b = Hacl_P521_validate_private_key(scalar->data);
|
|
||||||
+
|
|
||||||
+ if (!b) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+ return SECSuccess;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static const ECMethod kMethods[] = {
|
|
||||||
{ ECCurve25519,
|
|
||||||
ec_Curve25519_pt_mul,
|
|
||||||
ec_Curve25519_pt_validate,
|
|
||||||
ec_Curve25519_scalar_validate,
|
|
||||||
- NULL, NULL },
|
|
||||||
+ NULL,
|
|
||||||
+ NULL },
|
|
||||||
{
|
|
||||||
ECCurve_NIST_P256,
|
|
||||||
ec_secp256r1_pt_mul,
|
|
||||||
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
|
|
||||||
SECStatus
|
|
||||||
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
|
|
||||||
{
|
|
||||||
- SECStatus rv = SECSuccess;
|
|
||||||
- mp_err err;
|
|
||||||
+ SECStatus rv = SECFailure;
|
|
||||||
|
|
||||||
unsigned int len = EC_GetScalarSize(ecParams);
|
|
||||||
|
|
||||||
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
|
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* For known curves, use rejection sampling A.4.2 */
|
|
||||||
- if (ecParams->fieldID.type == ec_field_plain) {
|
|
||||||
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
|
||||||
- rv = SECFailure;
|
|
||||||
- if (method == NULL || method->scalar_validate == NULL) {
|
|
||||||
- /* unknown curve */
|
|
||||||
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- int count = 100;
|
|
||||||
- while (rv != SECSuccess && count >= 0) {
|
|
||||||
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- rv = method->scalar_validate(privKey);
|
|
||||||
- count--;
|
|
||||||
- }
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
- }
|
|
||||||
- goto done;
|
|
||||||
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
|
||||||
+ if (method == NULL || method->scalar_validate == NULL) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
|
||||||
+ return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
- /* For unknown curves, use algotithm A.4.1 */
|
|
||||||
-
|
|
||||||
- unsigned char *order = ecParams->order.data;
|
|
||||||
- mp_int privKeyVal, order_1, one;
|
|
||||||
- unsigned char *privKeyBytes = NULL;
|
|
||||||
-
|
|
||||||
- MP_DIGITS(&privKeyVal) = 0;
|
|
||||||
- MP_DIGITS(&order_1) = 0;
|
|
||||||
- MP_DIGITS(&one) = 0;
|
|
||||||
- CHECK_MPI_OK(mp_init(&privKeyVal));
|
|
||||||
- CHECK_MPI_OK(mp_init(&order_1));
|
|
||||||
- CHECK_MPI_OK(mp_init(&one));
|
|
||||||
-
|
|
||||||
- /* Generates 2*len random bytes using the global random bit generator
|
|
||||||
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
|
|
||||||
- * reduces modulo the group order.
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
|
|
||||||
- PORT_SetError(SEC_ERROR_NO_MEMORY);
|
|
||||||
- rv = SECFailure;
|
|
||||||
- goto cleanup;
|
|
||||||
+ uint8_t leading_coeff_mask;
|
|
||||||
+ switch (ecParams->name) {
|
|
||||||
+ case ECCurve25519:
|
|
||||||
+ case ECCurve_NIST_P256:
|
|
||||||
+ case ECCurve_NIST_P384:
|
|
||||||
+ leading_coeff_mask = 0xff;
|
|
||||||
+ break;
|
|
||||||
+ case ECCurve_NIST_P521:
|
|
||||||
+ leading_coeff_mask = 0x01;
|
|
||||||
+ break;
|
|
||||||
+ default:
|
|
||||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
|
||||||
+ return SECFailure;
|
|
||||||
}
|
|
||||||
|
|
||||||
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
|
|
||||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
|
|
||||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
|
|
||||||
- CHECK_MPI_OK(mp_set_int(&one, 1));
|
|
||||||
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
|
|
||||||
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
|
|
||||||
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
|
|
||||||
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
|
|
||||||
- memcpy(privKey->data, privKeyBytes, len);
|
|
||||||
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
|
|
||||||
+ int count = 100;
|
|
||||||
+ do {
|
|
||||||
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
|
||||||
+ if (rv != SECSuccess) {
|
|
||||||
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+ privKey->data[0] &= leading_coeff_mask;
|
|
||||||
+ rv = method->scalar_validate(privKey);
|
|
||||||
+ } while (rv != SECSuccess && --count > 0);
|
|
||||||
|
|
||||||
-cleanup:
|
|
||||||
- mp_clear(&privKeyVal);
|
|
||||||
- mp_clear(&order_1);
|
|
||||||
- mp_clear(&one);
|
|
||||||
- if (privKeyBytes) {
|
|
||||||
- PORT_ZFree(privKeyBytes, 2 * len);
|
|
||||||
- }
|
|
||||||
- if (err < MP_OKAY) {
|
|
||||||
- MP_TO_SEC_ERROR(err);
|
|
||||||
- rv = SECFailure;
|
|
||||||
+ if (rv != SECSuccess) { // implies count == 0
|
|
||||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
|
||||||
}
|
|
||||||
|
|
||||||
-done:
|
|
||||||
- if (rv != SECSuccess && privKey->data) {
|
|
||||||
- SECITEM_ZfreeItem(privKey, PR_FALSE);
|
|
||||||
- return rv;
|
|
||||||
- }
|
|
||||||
return rv;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
|
|
||||||
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
|
|
||||||
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
|
|
||||||
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
|
|
||||||
const SECItem *digest);
|
|
||||||
|
|
||||||
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
|
|
||||||
+
|
|
||||||
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
|
|
||||||
+
|
|
||||||
#endif /* __ecl_h_ */
|
|
||||||
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
|
|
||||||
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
|
|
||||||
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -38,6 +38,8 @@
|
|
||||||
'ecl/ecp_secp384r1.c',
|
|
||||||
'ecl/ecp_secp521r1.c',
|
|
||||||
'verified/Hacl_P256.c',
|
|
||||||
+ 'verified/Hacl_P384.c',
|
|
||||||
+ 'verified/Hacl_P521.c',
|
|
||||||
'fipsfreebl.c',
|
|
||||||
'blinit.c',
|
|
||||||
'freeblver.c',
|
|
||||||
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
|
|
||||||
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
|
|
||||||
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
|
|
||||||
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
|
||||||
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
|
|
||||||
endif # NSS_DISABLE_CHACHAPOLY
|
|
||||||
|
|
||||||
-VERIFIED_SRCS += Hacl_P256.c
|
|
||||||
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
|
|
||||||
|
|
||||||
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
|
|
||||||
# All 64-bit architectures get the 64 bit version.
|
|
||||||
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
|
|
||||||
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -0,0 +1,126 @@
|
|
||||||
+/* MIT License
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
|
||||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+ * of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+ * in the Software without restriction, including without limitation the rights
|
|
||||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+ * copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, subject to the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be included in all
|
|
||||||
+ * copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
+ * SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "Hacl_P384.h"
|
|
||||||
+
|
|
||||||
+#include "internal/Hacl_Krmllib.h"
|
|
||||||
+#include "internal/Hacl_Bignum_Base.h"
|
|
||||||
+
|
|
||||||
+static inline uint64_t
|
|
||||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
|
||||||
+{
|
|
||||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
|
||||||
+ KRML_MAYBE_FOR6(i,
|
|
||||||
+ (uint32_t)0U,
|
|
||||||
+ (uint32_t)6U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
|
||||||
+ mask = uu____0 & mask;);
|
|
||||||
+ uint64_t mask1 = mask;
|
|
||||||
+ return mask1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline uint64_t
|
|
||||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
|
||||||
+{
|
|
||||||
+ uint64_t c1 = (uint64_t)0U;
|
|
||||||
+ {
|
|
||||||
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
|
|
||||||
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
|
|
||||||
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
|
||||||
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
|
||||||
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
|
||||||
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
|
||||||
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
|
||||||
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
|
||||||
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
|
||||||
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
|
||||||
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
|
||||||
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
|
|
||||||
+ }
|
|
||||||
+ KRML_MAYBE_FOR2(i,
|
|
||||||
+ (uint32_t)4U,
|
|
||||||
+ (uint32_t)6U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t t1 = b[i];
|
|
||||||
+ uint64_t t2 = c[i];
|
|
||||||
+ uint64_t *res_i = a + i;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
|
|
||||||
+ uint64_t c10 = c1;
|
|
||||||
+ return c10;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline void
|
|
||||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
|
||||||
+{
|
|
||||||
+ KRML_MAYBE_FOR6(i,
|
|
||||||
+ (uint32_t)0U,
|
|
||||||
+ (uint32_t)6U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t *os = a;
|
|
||||||
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
|
|
||||||
+ uint64_t x = u;
|
|
||||||
+ os[i] = x;);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline void
|
|
||||||
+p384_make_order(uint64_t *n)
|
|
||||||
+{
|
|
||||||
+ n[0U] = (uint64_t)0xecec196accc52973U;
|
|
||||||
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
|
|
||||||
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
|
|
||||||
+ n[3U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+ n[4U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+Private key validation.
|
|
||||||
+
|
|
||||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
|
||||||
+
|
|
||||||
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
|
|
||||||
+
|
|
||||||
+ The private key is valid:
|
|
||||||
+ • 0 < `private_key` < the order of the curve
|
|
||||||
+*/
|
|
||||||
+bool
|
|
||||||
+Hacl_P384_validate_private_key(uint8_t *private_key)
|
|
||||||
+{
|
|
||||||
+ uint64_t bn_sk[6U] = { 0U };
|
|
||||||
+ bn_from_bytes_be(bn_sk, private_key);
|
|
||||||
+ uint64_t tmp[6U] = { 0U };
|
|
||||||
+ p384_make_order(tmp);
|
|
||||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
|
||||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
|
||||||
+ uint64_t bn_zero[6U] = { 0U };
|
|
||||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
|
||||||
+ uint64_t is_eq_zero = res;
|
|
||||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
|
||||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
|
||||||
+}
|
|
||||||
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
|
|
||||||
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -0,0 +1,68 @@
|
|
||||||
+/* MIT License
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
|
||||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+ * of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+ * in the Software without restriction, including without limitation the rights
|
|
||||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+ * copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, subject to the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be included in all
|
|
||||||
+ * copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
+ * SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef __Hacl_P384_H
|
|
||||||
+#define __Hacl_P384_H
|
|
||||||
+
|
|
||||||
+#if defined(__cplusplus)
|
|
||||||
+extern "C" {
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <string.h>
|
|
||||||
+#include "krml/internal/types.h"
|
|
||||||
+#include "krml/lowstar_endianness.h"
|
|
||||||
+
|
|
||||||
+#include "lib_intrinsics.h"
|
|
||||||
+
|
|
||||||
+/*******************************************************************************
|
|
||||||
+
|
|
||||||
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
|
|
||||||
+
|
|
||||||
+ This module implements signing and verification, key validation, conversions
|
|
||||||
+ between various point representations, and ECDH key agreement.
|
|
||||||
+
|
|
||||||
+*******************************************************************************/
|
|
||||||
+
|
|
||||||
+/******************/
|
|
||||||
+/* Key validation */
|
|
||||||
+/******************/
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+Private key validation.
|
|
||||||
+
|
|
||||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
|
||||||
+
|
|
||||||
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
|
|
||||||
+
|
|
||||||
+ The private key is valid:
|
|
||||||
+ • 0 < `private_key` < the order of the curve
|
|
||||||
+*/
|
|
||||||
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
|
|
||||||
+
|
|
||||||
+#if defined(__cplusplus)
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#define __Hacl_P384_H_DEFINED
|
|
||||||
+#endif
|
|
||||||
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
|
|
||||||
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -0,0 +1,131 @@
|
|
||||||
+/* MIT License
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
|
||||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+ * of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+ * in the Software without restriction, including without limitation the rights
|
|
||||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+ * copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, subject to the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be included in all
|
|
||||||
+ * copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
+ * SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#include "Hacl_P521.h"
|
|
||||||
+
|
|
||||||
+#include "internal/Hacl_Krmllib.h"
|
|
||||||
+#include "internal/Hacl_Bignum_Base.h"
|
|
||||||
+
|
|
||||||
+static inline uint64_t
|
|
||||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
|
||||||
+{
|
|
||||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
|
||||||
+ KRML_MAYBE_FOR9(i,
|
|
||||||
+ (uint32_t)0U,
|
|
||||||
+ (uint32_t)9U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
|
||||||
+ mask = uu____0 & mask;);
|
|
||||||
+ uint64_t mask1 = mask;
|
|
||||||
+ return mask1;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline uint64_t
|
|
||||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
|
||||||
+{
|
|
||||||
+ uint64_t c1 = (uint64_t)0U;
|
|
||||||
+ KRML_MAYBE_FOR2(i,
|
|
||||||
+ (uint32_t)0U,
|
|
||||||
+ (uint32_t)2U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t t1 = b[(uint32_t)4U * i];
|
|
||||||
+ uint64_t t20 = c[(uint32_t)4U * i];
|
|
||||||
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
|
||||||
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
|
|
||||||
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
|
|
||||||
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
|
||||||
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
|
|
||||||
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
|
|
||||||
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
|
||||||
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
|
|
||||||
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
|
|
||||||
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
|
|
||||||
+ {
|
|
||||||
+ uint64_t t1 = b[8U];
|
|
||||||
+ uint64_t t2 = c[8U];
|
|
||||||
+ uint64_t *res_i = a + (uint32_t)8U;
|
|
||||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
|
|
||||||
+ }
|
|
||||||
+ uint64_t c10 = c1;
|
|
||||||
+ return c10;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline void
|
|
||||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
|
||||||
+{
|
|
||||||
+ uint8_t tmp[72U] = { 0U };
|
|
||||||
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
|
|
||||||
+ KRML_MAYBE_FOR9(i,
|
|
||||||
+ (uint32_t)0U,
|
|
||||||
+ (uint32_t)9U,
|
|
||||||
+ (uint32_t)1U,
|
|
||||||
+ uint64_t *os = a;
|
|
||||||
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
|
|
||||||
+ uint64_t x = u;
|
|
||||||
+ os[i] = x;);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static inline void
|
|
||||||
+p521_make_order(uint64_t *n)
|
|
||||||
+{
|
|
||||||
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
|
|
||||||
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
|
|
||||||
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
|
|
||||||
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
|
|
||||||
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
|
|
||||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+ n[6U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+ n[7U] = (uint64_t)0xffffffffffffffffU;
|
|
||||||
+ n[8U] = (uint64_t)0x1ffU;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+Private key validation.
|
|
||||||
+
|
|
||||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
|
||||||
+
|
|
||||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
|
||||||
+
|
|
||||||
+ The private key is valid:
|
|
||||||
+ • 0 < `private_key` < the order of the curve
|
|
||||||
+*/
|
|
||||||
+bool
|
|
||||||
+Hacl_P521_validate_private_key(uint8_t *private_key)
|
|
||||||
+{
|
|
||||||
+ uint64_t bn_sk[9U] = { 0U };
|
|
||||||
+ bn_from_bytes_be(bn_sk, private_key);
|
|
||||||
+ uint64_t tmp[9U] = { 0U };
|
|
||||||
+ p521_make_order(tmp);
|
|
||||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
|
||||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
|
||||||
+ uint64_t bn_zero[9U] = { 0U };
|
|
||||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
|
||||||
+ uint64_t is_eq_zero = res;
|
|
||||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
|
||||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
|
||||||
+}
|
|
||||||
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
|
|
||||||
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
|
|
||||||
@@ -0,0 +1,59 @@
|
|
||||||
+/* MIT License
|
|
||||||
+ *
|
|
||||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
|
||||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
|
||||||
+ *
|
|
||||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
||||||
+ * of this software and associated documentation files (the "Software"), to deal
|
|
||||||
+ * in the Software without restriction, including without limitation the rights
|
|
||||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
||||||
+ * copies of the Software, and to permit persons to whom the Software is
|
|
||||||
+ * furnished to do so, subject to the following conditions:
|
|
||||||
+ *
|
|
||||||
+ * The above copyright notice and this permission notice shall be included in all
|
|
||||||
+ * copies or substantial portions of the Software.
|
|
||||||
+ *
|
|
||||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
||||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
||||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
||||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
||||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
||||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
||||||
+ * SOFTWARE.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+#ifndef __Hacl_P521_H
|
|
||||||
+#define __Hacl_P521_H
|
|
||||||
+
|
|
||||||
+#if defined(__cplusplus)
|
|
||||||
+extern "C" {
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#include <string.h>
|
|
||||||
+#include "krml/internal/types.h"
|
|
||||||
+#include "krml/lowstar_endianness.h"
|
|
||||||
+
|
|
||||||
+#include "lib_intrinsics.h"
|
|
||||||
+
|
|
||||||
+/******************/
|
|
||||||
+/* Key validation */
|
|
||||||
+/******************/
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+Private key validation.
|
|
||||||
+
|
|
||||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
|
||||||
+
|
|
||||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
|
||||||
+
|
|
||||||
+ The private key is valid:
|
|
||||||
+ • 0 < `private_key` < the order of the curve
|
|
||||||
+*/
|
|
||||||
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
|
|
||||||
+
|
|
||||||
+#if defined(__cplusplus)
|
|
||||||
+}
|
|
||||||
+#endif
|
|
||||||
+
|
|
||||||
+#define __Hacl_P521_H_DEFINED
|
|
||||||
+#endif
|
|
14365
nss_p521_hacl.patch
14365
nss_p521_hacl.patch
File diff suppressed because it is too large
Load Diff
2
sources
2
sources
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
|||||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||||
SHA512 (nss-3.90.tar.gz) = e41f4de73f4971c8f35dffe3926b6845ef12a1ce7e8f3fe682e643ddb791a009d079c1706f66d065333af884726840dbc96d4e44762f9c3e48b8d919c09ae625
|
SHA512 (nss-3.101.tar.gz) = b1596e7d74c654825eabbcc1f71b1410cf44d816c3044429576782bc800186073d43da9ad76de2fbd7de73c4460ebeb91aa244457da9d0d0cdc08a50a11a165f
|
||||||
|
Loading…
Reference in New Issue
Block a user