Resloves: RHEL-46841

Rebase NSS to nss-3.101
This commit is contained in:
Robert Relyea 2024-08-05 11:23:49 -07:00
parent 7d5fbbbfb8
commit b427a91a63
36 changed files with 2317 additions and 47498 deletions

1
.gitignore vendored
View File

@ -11,3 +11,4 @@ SOURCES/nss-3.79.tar.gz
/blank-secmod.db
/nss-3.79.tar.gz
/nss-3.90.tar.gz
/nss-3.101.tar.gz

Binary file not shown.

View File

@ -1,949 +0,0 @@
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
--- a/lib/freebl/mpi/mpi-priv.h
+++ b/lib/freebl/mpi/mpi-priv.h
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
mp_digit b, mp_digit *c);
#endif
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
mp_size a_len, mp_digit b,
mp_digit *c);
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
+ mp_size a_len, mp_digit b,
+ mp_digit *c, mp_size c_len);
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
mp_size a_len,
mp_digit *sqrs);
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
mp_digit divisor, mp_digit *quot, mp_digit *rem);
/* c += a * b * (MP_RADIX ** offset); */
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -5,16 +5,18 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mpi-priv.h"
#include "mplogic.h"
+#include <assert.h>
+
#if defined(__arm__) && \
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
#undef MP_ASSEMBLY_MULTIPLY
#undef MP_ASSEMBLY_SQUARE
#endif
#if MP_LOGTAB
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
CLEANUP:
return res;
} /* end mp_sub() */
/* }}} */
-/* {{{ mp_mul(a, b, c) */
+/* {{{ s_mp_mulg(a, b, c) */
/*
- mp_mul(a, b, c)
-
- Compute c = a * b. All parameters may be identical.
+ s_mp_mulg(a, b, c)
+
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
+ then the operations are done in constant time. The original is mostly
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
+ of the x86 assembler, as well as the current c code.
*/
mp_err
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
{
mp_digit *pb;
mp_int tmp;
mp_err res;
mp_size ib;
mp_size useda, usedb;
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
}
MP_USED(c) = 1;
MP_DIGIT(c, 0) = 0;
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
goto CLEANUP;
#ifdef NSS_USE_COMBA
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
+ /* comba isn't constant time because it clamps! If we cared
+ * (we needed a constant time version of multiply that was 'faster'
+ * we could easily pass constantTime down to the comba code and
+ * get it to skip the clamp... but here are assembler versions
+ * which add comba to platforms that can't compile the normal
+ * comba's imbedded assembler which would also need to change, so
+ * for now we just skip comba when we are running constant time. */
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
if (MP_USED(a) == 4) {
s_mp_mul_comba_4(a, b, c);
goto CLEANUP;
}
if (MP_USED(a) == 8) {
s_mp_mul_comba_8(a, b, c);
goto CLEANUP;
}
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
/* Outer loop: Digits of b */
useda = MP_USED(a);
usedb = MP_USED(b);
for (ib = 1; ib < usedb; ib++) {
mp_digit b_i = *pb++;
/* Inner product: Digits of a */
- if (b_i)
+ if (constantTime || b_i)
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
else
MP_DIGIT(c, ib + useda) = b_i;
}
- s_mp_clamp(c);
+ if (!constantTime) {
+ s_mp_clamp(c);
+ }
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
SIGN(c) = ZPOS;
else
SIGN(c) = NEG;
CLEANUP:
mp_clear(&tmp);
return res;
+} /* end smp_mulg() */
+
+/* }}} */
+
+/* {{{ mp_mul(a, b, c) */
+
+/*
+ mp_mul(a, b, c)
+
+ Compute c = a * b. All parameters may be identical.
+ */
+
+mp_err
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
+{
+ return s_mp_mulg(a, b, c, 0);
} /* end mp_mul() */
/* }}} */
+/* {{{ mp_mulCT(a, b, c) */
+
+/*
+ mp_mulCT(a, b, c)
+
+ Compute c = a * b. In constant time. Parameters may not be identical.
+ NOTE: a and b may be modified.
+ */
+
+mp_err
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
+{
+ mp_err res;
+
+ /* make the multiply values fixed length so multiply
+ * doesn't leak the length. at this point all the
+ * values are blinded, but once we finish we want the
+ * output size to be hidden (so no clamping the out put) */
+ MP_CHECKOK(s_mp_pad(a, setSize));
+ MP_CHECKOK(s_mp_pad(b, setSize));
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
+CLEANUP:
+ return res;
+} /* end mp_mulCT() */
+
+/* }}} */
+
/* {{{ mp_sqr(a, sqr) */
#if MP_SQUARE
/*
Computes the square of a. This can be done more
efficiently than a general multiplication, because many of the
computation steps are redundant when squaring. The inner product
step is a bit more complicated, but we save a fair number of
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
}
return MP_OKAY;
} /* end mp_mod() */
/* }}} */
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
+
+/*
+ s_mp_subCT_d(a, b, borrow, c)
+
+ Compute c = (a -b) - subtract in constant time. returns borrow
+ */
+mp_digit
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
+ mp_digit borrow1, borrow2, t;
+#ifdef MP_COMPILER_USES_CARRY
+ /* while it doesn't look constant-time, this is idiomatic code
+ * to tell compilers to use the carry bit from subtraction */
+ t = a - borrow;
+ if (t > a) {
+ borrow1 = 1;
+ } else {
+ borrow1 = 0;
+ }
+ *ret = t - b;
+ if (*ret > t) {
+ borrow2 = 1;
+ } else {
+ borrow2 = 0;
+ }
+#else
+ mp_digit bitr, bitb, nbitt;
+ /* this is constant time independent of compilier */
+ t = a - borrow;
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
+ *ret = t - b;
+ bitb = b >> (MP_DIGIT_BIT-1);
+ bitr = *ret >> (MP_DIGIT_BIT-1);
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
+#endif
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
+ * the overall borrow is 1, so use | here */
+ return borrow1 | borrow2;
+} /* s_mp_subCT_d() */
+
+/* }}} */
+
+/* {{{ mp_subCT(a, b, ret, borrow) */
+
+/* return ret= a - b and borrow in borrow. done in constant time.
+ * b could be modified.
+ */
+mp_err
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
+{
+ mp_size used_a = MP_USED(a);
+ mp_size i;
+ mp_err res;
+
+ MP_CHECKOK(s_mp_pad(b, used_a));
+ MP_CHECKOK(s_mp_pad(ret, used_a));
+ *borrow = 0;
+ for (i=0; i < used_a; i++) {
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
+ &MP_DIGIT(ret,i));
+ }
+
+ res = MP_OKAY;
+CLEANUP:
+ return res;
+} /* end mp_subCT() */
+
+/* }}} */
+
+/* {{{ mp_selectCT(cond, a, b, ret) */
+
+/*
+ * return ret= cond ? a : b; cond should be either 0 or 1
+ */
+mp_err
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
+{
+ mp_size used_a = MP_USED(a);
+ mp_err res;
+ mp_size i;
+
+ cond *= MP_DIGIT_MAX;
+
+ /* we currently require these to be equal on input,
+ * we could use pad to extend one of them, but that might
+ * leak data as it wouldn't be constant time */
+ assert(used_a == MP_USED(b));
+
+ MP_CHECKOK(s_mp_pad(ret, used_a));
+ for (i=0; i < used_a; i++) {
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
+ }
+ res = MP_OKAY;
+CLEANUP:
+ return res;
+} /* end mp_selectCT() */
+
+
+/* {{{ mp_reduceCT(a, m, c) */
+
+/*
+ mp_reduceCT(a, m, c)
+
+ Compute c = aR^-1 (mod m) in constant time.
+ input should be in montgomery form. If input is the
+ result of a montgomery multiply then out put will be
+ in mongomery form.
+ Result will be reduced to MP_USED(m), but not be
+ clamped.
+ */
+
+mp_err
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
+{
+ mp_size used_m = MP_USED(m);
+ mp_size used_c = used_m*2+1;
+ mp_digit *m_digits, *c_digits;
+ mp_size i;
+ mp_digit borrow, carry;
+ mp_err res;
+ mp_int sub;
+
+ MP_DIGITS(&sub) = 0;
+ MP_CHECKOK(mp_init_size(&sub,used_m));
+
+ if (a != c) {
+ MP_CHECKOK(mp_copy(a, c));
+ }
+ MP_CHECKOK(s_mp_pad(c, used_c));
+ m_digits = MP_DIGITS(m);
+ c_digits = MP_DIGITS(c);
+ for (i=0; i < used_m; i++) {
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
+ }
+ s_mp_rshd(c, used_m);
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
+ * from the previous multiply, save that carry and drop the high
+ * word for the substraction below */
+ carry = MP_DIGIT(c,used_m);
+ MP_DIGIT(c,used_m) = 0;
+ MP_USED(c) = used_m;
+ /* mp_subCT wants c and m to be the same size, we've already
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
+ * modify m, so it's safe to recast */
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
+
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
+ res = MP_OKAY;
+CLEANUP:
+ mp_clear(&sub);
+ return res;
+} /* end mp_reduceCT() */
+
+/* }}} */
+
/* {{{ mp_mod_d(a, d, c) */
/*
mp_mod_d(a, d, c)
Compute c = a (mod d). Result will always be 0 <= c < d
*/
mp_err
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
if ((res = mp_mod(c, m, c)) != MP_OKAY)
return res;
return MP_OKAY;
}
/* }}} */
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
+
+/*
+ mp_mulmontmodCT(a, b, m, c)
+
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
+ should be in montgomery form and the output is native. If both a and b
+ are in montgomery form, then the output will also be in montgomery form
+ and can be recovered with an mp_reduceCT call.
+ NOTE: a and b may be modified.
+ */
+
+mp_err
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
+ mp_int *c)
+{
+ mp_err res;
+
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
+ return res;
+
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
+ return res;
+
+ return MP_OKAY;
+}
+
+/* }}} */
+
/* {{{ mp_sqrmod(a, m, c) */
#if MP_SQUARE
mp_err
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
{
mp_err res;
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
{ \
mp_digit a0b1, a1b0; \
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
a1b0 += a0b1; \
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
- if (a1b0 < a0b1) \
- Phi += MP_HALF_RADIX; \
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
a1b0 <<= MP_HALF_DIGIT_BIT; \
Plo += a1b0; \
- if (Plo < a1b0) \
- ++Phi; \
+ Phi += MP_CT_LTU(Plo, a1b0); \
}
#endif
+/* Constant time version of s_mpv_mul_d_add_prop.
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
+/* c += a * b */
+void
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
+ mp_digit *c, mp_size c_len)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+ mp_digit d = 0;
+
+ c_len -= a_len;
+ /* Inner product: Digits of a */
+ while (a_len--) {
+ mp_word w = ((mp_word)b * *a++) + *c + d;
+ *c++ = ACCUM(w);
+ d = CARRYOUT(w);
+ }
+
+ /* propagate the carry to the end, even if carry is zero */
+ while (c_len--) {
+ mp_word w = (mp_word)*c + d;
+ *c++ = ACCUM(w);
+ d = CARRYOUT(w);
+ }
+#else
+ mp_digit carry = 0;
+ c_len -= a_len;
+ while (a_len--) {
+ mp_digit a_i = *a++;
+ mp_digit a0b0, a1b1;
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+ a0b0 += carry;
+ a1b1 += MP_CT_LTU(a0b0, carry);
+ a0b0 += a_i = *c;
+ a1b1 += MP_CT_LTU(a0b0, a_i);
+
+ *c++ = a0b0;
+ carry = a1b1;
+ }
+ /* propagate the carry to the end, even if carry is zero */
+ while (c_len--) {
+ mp_digit c_i = *c;
+ carry += c_i;
+ *c++ = carry;
+ carry = MP_CT_LTU(carry, c_i);
+ }
+#endif
+}
+
#if !defined(MP_ASSEMBLY_MULTIPLY)
/* c = a * b */
void
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
{
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
mp_digit d = 0;
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
mp_digit carry = 0;
while (a_len--) {
mp_digit a_i = *a++;
mp_digit a0b0, a1b1;
MP_MUL_DxD(a_i, b, a1b1, a0b0);
a0b0 += carry;
- if (a0b0 < carry)
- ++a1b1;
+ a1b1 += a0b0 < carry;
*c++ = a0b0;
carry = a1b1;
}
*c = carry;
#endif
}
/* c += a * b */
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
mp_digit carry = 0;
while (a_len--) {
mp_digit a_i = *a++;
mp_digit a0b0, a1b1;
MP_MUL_DxD(a_i, b, a1b1, a0b0);
a0b0 += carry;
- if (a0b0 < carry)
- ++a1b1;
+ a1b1 += (a0b0 < carry);
a0b0 += a_i = *c;
- if (a0b0 < a_i)
- ++a1b1;
+ a1b1 += (a0b0 < a_i);
*c++ = a0b0;
carry = a1b1;
}
*c = carry;
#endif
}
/* Presently, this is only used by the Montgomery arithmetic code. */
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
--- a/lib/freebl/mpi/mpi.h
+++ b/lib/freebl/mpi/mpi.h
@@ -145,16 +145,54 @@ typedef int mp_sword;
#define MP_USED(MP) ((MP)->used)
#define MP_ALLOC(MP) ((MP)->alloc)
#define MP_DIGITS(MP) ((MP)->dp)
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
/* This defines the maximum I/O base (minimum is 2) */
#define MP_MAX_RADIX 64
+/* Constant Time Macros on mp_digits */
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
+
+/* basic zero and non zero tests */
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
+
+
+/* basic constant-time helper macro for equalities and inequalities.
+ * The inequalities will produce incorrect results if
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
+ * within the range 0-MP_DIGIT_MAX/2. */
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
+#define MP_CT_TRUE ((mp_digit)1)
+#define MP_CT_FALSE ((mp_digit)0)
+
+/* use constant time result to select a boolean value */
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
+
+/* full inequalities that work with full mp_digit values */
+#define MP_CT_OVERFLOW(a,b,c,d) \
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
+ (MP_CT_HIGH_TO_LOW(d)),c)
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
+
+
typedef struct {
mp_sign sign; /* sign of this quantity */
mp_size alloc; /* how many digits allocated */
mp_size used; /* how many digits used */
mp_digit *dp; /* the digits themselves */
} mp_int;
/* Default precision */
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
/* Sign manipulations */
mp_err mp_abs(const mp_int *a, mp_int *b);
mp_err mp_neg(const mp_int *a, mp_int *b);
/* Full arithmetic */
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
#if MP_SQUARE
mp_err mp_sqr(const mp_int *a, mp_int *b);
#else
#define mp_sqr(a, b) mp_mul(a, a, b)
#endif
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
#else
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
#endif
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
#endif /* MP_MODARITH */
+/* montgomery math */
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
+
/* Comparisons */
int mp_cmp_z(const mp_int *a);
int mp_cmp_d(const mp_int *a, mp_digit d);
int mp_cmp(const mp_int *a, const mp_int *b);
int mp_cmp_mag(const mp_int *a, const mp_int *b);
int mp_isodd(const mp_int *a);
int mp_iseven(const mp_int *a);
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
/* Number theoretic */
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
--- a/lib/freebl/mpi/mpmontg.c
+++ b/lib/freebl/mpi/mpmontg.c
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
}
res = MP_OKAY;
CLEANUP:
return res;
}
#endif
-STATIC
mp_err
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
{
mp_err res;
/* xMont = x * R mod N where N is modulus */
- MP_CHECKOK(mp_copy(x, xMont));
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
+ if (x != xMont) {
+ MP_CHECKOK(mp_copy(x, xMont));
+ }
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
CLEANUP:
return res;
}
+mp_digit
+mp_calculate_mont_n0i(const mp_int *N)
+{
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
+}
+
#ifdef MP_USING_MONT_MULF
/* the floating point multiply is already cache safe,
* don't turn on cache safe unless we specifically
* force it */
#ifndef MP_FORCE_CACHE_SAFE
#undef MP_USING_CACHE_SAFE_MOD_EXP
#endif
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
MP_DIGITS(&accum1) = 0;
for (i = 0; i < MAX_ODD_INTS; ++i)
oddPowers[i] = 0;
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
MP_CHECKOK(s_mp_pad(&accum1, nLen));
oddPowSize = 2 * nLen + 1;
dTmpSize = 2 * oddPowSize;
dSize = sizeof(double) * (nLen * 4 + 1 +
((odd_ints + 1) * oddPowSize) + dTmpSize);
dBuf = malloc(dSize);
if (!dBuf) {
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
for (i = 1; i < odd_ints; ++i) {
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
}
/* set accumulator to montgomery residue of 1 */
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
pa1 = &accum1;
pa2 = &accum2;
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
mp_size smallExp;
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
smallExp = (mp_size)res;
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
/* build the first WEAVE_WORD powers inline */
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
if (num_powers > 2) {
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
mp_set(&accum[0], 1);
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
MP_CHECKOK(mp_copy(montBase, &accum[1]));
SQR(montBase, &accum[2]);
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
if (!powersArray) {
res = MP_MEM;
goto CLEANUP;
}
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
if (first_window < 4) {
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
first_window = num_powers;
}
} else {
if (first_window == 0) {
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
} else {
/* assert first_window == 1? */
MP_CHECKOK(mp_copy(montBase, &accum1));
}
}
/*
* calculate all the powers in the powers array.
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
nLen = MP_USED(modulus);
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
mmm.N = *modulus; /* a copy of the mp_int struct */
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
** where n0 = least significant mp_digit of N, the modulus.
*/
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
bits_in_exponent = mpl_significant_bits(exponent);
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
if (mp_using_cache_safe_exp) {
if (bits_in_exponent > 780)
window_bits = 6;
else if (bits_in_exponent > 256)
window_bits = 5;
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
--- a/lib/freebl/rsa.c
+++ b/lib/freebl/rsa.c
@@ -65,16 +65,18 @@ struct blindingParamsStr {
** the Handbook of Applied Cryptography, 11.118-11.119.
*/
struct RSABlindingParamsStr {
/* Blinding-specific parameters */
PRCList link; /* link to list of structs */
SECItem modulus; /* list element "key" */
blindingParams *free, *bp; /* Blinding parameters queue */
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
+ /* precalculate montegomery reduction value */
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
};
typedef struct RSABlindingParamsStr RSABlindingParams;
/*
** RSABlindingParamsListStr
**
** List of key-specific blinding params. The arena holds the volatile pool
** of memory for each entry and the list itself. The lock is for list
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
/* k < n */
CHECK_MPI_OK(mp_mod(&k, n, &k));
/* f = k**e mod n */
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
/* g = k**-1 mod n */
CHECK_MPI_OK(mp_invmod(&k, n, g));
+ /* g in montgomery form.. */
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
cleanup:
if (kb)
PORT_ZFree(kb, modLen);
mp_clear(&k);
mp_clear(&e);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
* of rsabp->array pointer and must be set to NULL
*/
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
bp = rsabp->array;
rsabp->bp = NULL;
rsabp->free = bp;
+ /* precalculate montgomery reduction parameter */
+ rsabp->n0i = mp_calculate_mont_n0i(n);
+
/* List elements are keyed using the modulus */
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
}
static SECStatus
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
- mp_int *f, mp_int *g)
+ mp_int *f, mp_int *g, mp_digit *n0i)
{
RSABlindingParams *rsabp = NULL;
blindingParams *bpUnlinked = NULL;
blindingParams *bp;
PRCList *el;
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
int cmp = -1;
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
** head (since el would have looped back to the head).
*/
PR_INSERT_BEFORE(&rsabp->link, el);
}
/* We've found (or created) the RSAblindingParams struct for this key.
* Now, search its list of ready blinding params for a usable one.
*/
+ *n0i = rsabp->n0i;
while (0 != (bp = rsabp->bp)) {
#ifdef UNSAFE_FUZZER_MODE
/* Found a match and there are still remaining uses left */
/* Return the parameters */
CHECK_MPI_OK(mp_copy(&bp->f, f));
CHECK_MPI_OK(mp_copy(&bp->g, g));
PZ_Unlock(blindingParamsList.lock);
@@ -1426,16 +1434,17 @@ cleanup:
rsabp->free = bp;
}
if (holdingLock) {
PZ_Unlock(blindingParamsList.lock);
}
if (err) {
MP_TO_SEC_ERROR(err);
}
+ *n0i = 0;
return SECFailure;
}
/*
** Perform a raw private-key operation
** Length of input and output buffers are equal to key's modulus len.
*/
static SECStatus
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
PRBool check)
{
unsigned int modLen;
unsigned int offset;
SECStatus rv = SECSuccess;
mp_err err;
mp_int n, c, m;
mp_int f, g;
+ mp_digit n0i;
if (!key || !output || !input) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* check input out of range (needs to be in range [0..n-1]) */
modLen = rsa_modulusLen(&key->modulus);
if (modLen == 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
CHECK_MPI_OK(mp_init(&f));
CHECK_MPI_OK(mp_init(&g));
SECITEM_TO_MPINT(key->modulus, &n);
OCTETS_TO_MPINT(input, &c, modLen);
/* If blinding, compute pre-image of ciphertext by multiplying by
** blinding factor
*/
if (nssRSAUseBlinding) {
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
/* c' = c*f mod n */
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
}
/* Do the private key operation m = c**d mod n */
if (key->prime1.len == 0 ||
key->prime2.len == 0 ||
key->exponent1.len == 0 ||
key->exponent2.len == 0 ||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
} else {
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
}
/* If blinding, compute post-image of plaintext by multiplying by
** blinding factor
*/
if (nssRSAUseBlinding) {
/* m = m'*g mod n */
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
}
err = mp_to_fixlen_octets(&m, output, modLen);
if (err >= 0)
err = MP_OKAY;
cleanup:
mp_clear(&n);
mp_clear(&c);
mp_clear(&m);

File diff suppressed because it is too large Load Diff

View File

@ -1,15 +1,15 @@
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700
@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
+ /* not really a key exchange, but it's the closest fit */
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
+
};
static const oidValDef signOptList[] = {
static const oidValDef smimeKxOptList[] = {
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
@ -65,40 +65,43 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
if (isTLS12) {
if (isDH)
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
"IPsec User",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700
+++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700
@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
+
+ /* this will change upstream. for now apps shouldn't use it */
+ /* we need it for the policy code. */
+ ODE(SEC_OID_PRIVATE_1,
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
};
/* PRIVATE EXTENDED SECOID Table
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
@@ -2198,6 +2204,10 @@ SECOID_Init(void)
/* turn off NSS_USE_POLICY_IN_SSL by default */
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
+ /* turn off TLS REQUIRE EMS by default */
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+
+
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
if (envVal)
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
@@ -501,6 +501,9 @@ typedef enum {
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700
+++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700
@@ -530,6 +530,9 @@ typedef enum {
SEC_OID_RC2_64_CBC = 385,
SEC_OID_RC2_128_CBC = 386,
SEC_OID_ECDH_KEA = 387,
+ /* this will change upstream. for now apps shouldn't use it */
+ /* give it an obscure name here */
+ SEC_OID_PRIVATE_1 = 372,
+ SEC_OID_PRIVATE_1 = 388,
SEC_OID_TOTAL
} SECOidTag;

View File

@ -0,0 +1,59 @@
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
--- a/lib/freebl/chacha20poly1305.c
+++ b/lib/freebl/chacha20poly1305.c
@@ -213,27 +213,31 @@
{
#ifdef NSS_X64
#ifndef NSS_DISABLE_AVX2
if (avx2_support()) {
Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
+ return;
}
#endif
#ifndef NSS_DISABLE_SSE3
if (ssse3_support() && sse4_1_support() && avx_support()) {
Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
+ return;
}
#endif
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
if (ppc_crypto_support()) {
chacha20vsx(len, output, block, k, nonce, ctr);
- } else
+ return;
+ }
#endif
{
Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
+ return;
}
}
#endif /* NSS_DISABLE_CHACHAPOLY */
SECStatus
@@ -449,20 +453,18 @@
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);
goto finish;
}
#endif
-
- else
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
if (ppc_crypto_support()) {
Chacha20Poly1305_vsx_aead_encrypt(
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);
goto finish;
- } else
+ }
#endif
{
Hacl_Chacha20Poly1305_32_aead_encrypt(
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);

View File

@ -0,0 +1,133 @@
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -37,11 +37,11 @@
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-static PRBool usePKIXValidationEngine = PR_FALSE;
+static PRBool usePKIXValidationEngine = PR_TRUE;
#endif /* NSS_DISABLE_LIBPKIX */
/*
* FUNCTION: CERT_SetUsePKIXForValidation
* DESCRIPTION:
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -762,13 +762,13 @@
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
if (pkixError != NULL) {
goto loser;
} else {
- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
+ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
if (ev && ev[0]) {
- CERT_SetUsePKIXForValidation(PR_TRUE);
+ CERT_SetUsePKIXForValidation(PR_FALSE);
}
}
#endif /* NSS_DISABLE_LIBPKIX */
}
diff --git a/tests/all.sh b/tests/all.sh
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -141,17 +141,22 @@
########################################################################
run_cycle_standard()
{
TEST_MODE=STANDARD
+ NSS_DISABLE_LIBPKIX_VERIFY="1"
+ export NSS_DISABLE_LIBPKIX_VERIFY
+
TESTS="${ALL_TESTS}"
TESTS_SKIP="libpkix pkits"
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
export NSS_DEFAULT_DB_TYPE
run_tests
+
+ unset NSS_DISABLE_LIBPKIX_VERIFY
}
############################ run_cycle_pkix ############################
# run test suites with PKIX enabled
########################################################################
@@ -165,13 +170,10 @@
HOSTDIR="${HOSTDIR}/pkix"
mkdir -p "${HOSTDIR}"
init_directories
- NSS_ENABLE_PKIX_VERIFY="1"
- export NSS_ENABLE_PKIX_VERIFY
-
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
export -n NSS_SSL_RUN
diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
+++ b/tests/common/init.sh
@@ -138,12 +138,12 @@
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
echo "export NSS_DEFAULT_DB_TYPE"
- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
- echo "export NSS_ENABLE_PKIX_VERIFY"
+ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
+ echo "export NSS_DISABLE_PKIX_VERIFY"
echo "init_directories"
}
# Exit shellfunction to clean up at exit (error, regular or signal)
Exit()
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -960,13 +960,12 @@
ssl_policy_pkix_ocsp()
{
#verbose="-v"
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
- NSS_ENABLE_PKIX_VERIFY="1"
- export NSS_ENABLE_PKIX_VERIFY
+ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
+ unset NSS_DISABLE_LIBPKIX_VERIFY
testname=""
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
@@ -987,16 +986,14 @@
grep 12276 ${P_R_SERVERDIR}/vfy.out
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
- if [ "${PKIX_SAVE}" = "unset" ]; then
- unset NSS_ENABLE_PKIX_VERIFY
- else
- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
- export NSS_ENABLE_PKIX_VERIFY
+ if [ "{PKIX_SAVE}" != "unset" ]; then
+ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
fi
+
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
html "</TABLE><BR>"
}

View File

@ -1,12 +1,18 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
}
PORT_Free(cursor);
}
}
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700
+++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700
@@ -59,7 +59,6 @@ CPPSRCS = \
tls_protect.cc \
tls_psk_unittest.cc \
tls_subcerts_unittest.cc \
- tls_ech_unittest.cc \
tls_xyber_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)
diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700
@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
SECStatus
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
{
@ -30,13 +36,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
sslSocket *ss = ssl_FindSocket(fd);
if (!ss || size == 0) {
return SECFailure;
}
ssl_Get1stHandshakeLock(ss);
ssl_GetSSL3HandshakeLock(ss);
ss->ssl3.hs.greaseEchSize = size;
ssl_ReleaseSSL3HandshakeLock(ss);
@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
ssl_Release1stHandshakeLock(ss);
return SECSuccess;
@ -79,18 +79,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
}
SECStatus
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
@@ -57,7 +57,6 @@ CPPSRCS = \
tls_filter.cc \
tls_protect.cc \
tls_psk_unittest.cc \
- tls_ech_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)

View File

@ -0,0 +1,81 @@
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
NSS_USE_ALG_IN_PKCS12 },
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
@@ -91,21 +91,21 @@
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
# integrity policy check the various has based controls.
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
# encryption side. These tests purposefully tests that the default fails to encrypt
# but succeeds when decrypting.
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256

View File

@ -14,6 +14,8 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
{ CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@ -21,6 +23,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
{ smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
};

View File

@ -0,0 +1,24 @@
diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700
+++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700
@@ -45,12 +45,20 @@ ectest_genkeydb_test()
if [ $? -ne 0 ]; then
return $?
fi
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
curves=( \
"curve25519" \
"secp256r1" \
"secp384r1" \
"secp521r1" \
)
+ else
+ curves=( \
+ "secp256r1" \
+ "secp384r1" \
+ "secp521r1" \
+ )
+ fi
for curve in "${curves[@]}"; do
echo "Test $curve key generation using certutil ..."
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}

View File

@ -0,0 +1,12 @@
diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700
+++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700
@@ -197,7 +197,7 @@
# compatibility reasons
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
# test default settings

View File

@ -0,0 +1,89 @@
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
static PRBool
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
{
+#ifdef notdef
PRUint32 policy;
SECStatus rv;
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
return PR_TRUE;
}
return PR_FALSE;
+#else
+ return PR_TRUE;
+#endif
}
PRBool
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
PRBool
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
{
+#ifdef notdef
PRUint32 policyFlags;
/* some S/MIME algs map to the same underlying KEA mechanism,
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
return PR_FALSE;
}
+#endif
return PR_TRUE;
}
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
return PR_FAILURE;
}
+#ifdef notdef
/* At initialization time, we need to set up the defaults. We first
* look to see if the system or application has set up certain algorithms
* by policy. If they have set up values by policy we'll only allow those
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
PORT_Free(tags);
tags = NULL;
}
+#else
+ /* just initialize the old maps */
+ rv = SECSuccess;
+ tagCount = 0;
+#endif
if ((rv != SECSuccess) || (tagCount == 0)) {
/* No algorithms have been enabled by policy (either by the system
* or by the application, we then will use the traditional default
diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
700
+++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700
@@ -872,8 +872,8 @@ smime_init
smime_main
smime_data_tb
smime_p7
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- smime_policy
-fi
+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+# smime_policy
+#fi
smime_cleanup
diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
700
+++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700
@@ -586,7 +586,7 @@ tools_p12()
tools_p12_import_pbmac1_samples
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
tools_p12_import_rsa_pss_private_key
- tools_p12_policy
+#tools_p12_policy
fi
}

View File

@ -26,6 +26,20 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
if (pk12util.options[opt_CertCipher].activated) {
char *cipherString = pk12util.options[opt_CertCipher].arg;
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732
48450 -0700
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
}
}
}
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
- if (PK11_IsFIPS()) {
- hash = SEC_OID_HMAC_SHA256;
- }
if (pk12util.options[opt_Mac].activated) {
char *hashString = pk12util.options[opt_Mac].arg;
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700

View File

@ -0,0 +1,13 @@
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
+ NSS_USE_ALG_IN_SSL_KX },
/* ANSI X9.62 named elliptic curves (characteristic two field) */
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },

View File

@ -5,8 +5,8 @@ diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
RARRAY=($dtime)
TIMEARRAY=(${RARRAY[1]//./ })
echo "${TIMEARRAY[0]} seconds"
- test ${TIMEARRAY[0]} -lt 2
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
- test ${TIMEARRAY[0]} -lt 5
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
ret=$?
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
fi

View File

@ -1,7 +1,7 @@
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700
@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
context->blockSize = 0;
context->maxLen = 0;
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
@ -10,7 +10,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
*contextPtr = context;
return CKR_OK;
}
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
crv = sftk_handleObject(key, session);
/* we need to do this check at the end, so we can check the generated
* key length against fips requirements */
@ -19,7 +19,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
session->lastOpWasFIPS = key->isFIPS;
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
return crv;
}
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
@ -28,7 +28,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
publicKey->isFIPS = privateKey->isFIPS;
session->lastOpWasFIPS = privateKey->isFIPS;
sftk_FreeSession(session);
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
return CKR_TEMPLATE_INCONSISTENT;
}
@ -39,7 +39,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
/* sourceKey is NULL if we are called from the POST, skip the
* sensitiveCheck */
if (sourceKey != NULL) {
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
@ -49,7 +49,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
}
saltKeySource = saltKey->source;
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* HKDF-Expand */
if (!params->bExpand) {
okm = prk;
@ -58,7 +58,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
@ -69,8 +69,8 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
/* check the FIPS table to determine if this current operation is allowed by
* FIPS security policy */
@ -82,9 +82,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700
@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
static CK_ULONG
sftk_getKeyLength(SFTKObject *source)
{
@ -93,7 +93,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
return keyLength;
}
@ -124,7 +124,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
{
switch (mechInfo->special) {
case SFTKFIPSDH: {
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (hashObj == NULL) {
return PR_FALSE;
}
@ -141,7 +141,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
}
case SFTKFIPSPBKDF2: {
/* PBKDF2 must have the following addition restrictions
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
return PR_TRUE;
}
@ -155,7 +155,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
default:
break;
}
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
PRBool
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
@ -164,7 +164,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
{
#ifndef NSS_HAS_FIPS_INDICATORS
return PR_FALSE;
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
/* if we match the number of records exactly, then we are an
* approved algorithm in the approved mode with an approved key */

View File

@ -1,6 +1,6 @@
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700
@@ -445,7 +445,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
@ -50,9 +50,17 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
MP_TO_SEC_ERROR(err);
return PR_FALSE;
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700
@@ -43,6 +43,7 @@
#include "prprf.h"
#include "prenv.h"
+#include "prerror.h"
#define __PASTE(x, y) x##y
#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
* handle the base object stuff
*/
crv = sftk_handleObject(key, session);
@ -63,7 +71,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
}
@ -73,7 +81,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (crv == CKR_OK) {
*phKey = key->handle;
}
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
if (isDerivable) {
SFTKAttribute *pubAttribute = NULL;
@ -156,7 +164,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
+ }
+ /* make sure it has the same encoding */
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
+ } else {
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
@ -169,7 +177,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
+ default:
+ return CKR_DEVICE_ERROR;
}
-
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
- if (crv != CKR_OK) {
- sftk_FreeAttribute(pubAttribute);
@ -189,7 +197,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
/* FIPS requires full validation, but in fipx mode NSC_Derive
* only does partial validation with approved primes, now handle
* full validation */
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
SECItem pubKey;
SECItem prime;
SECItem subPrime;
@ -283,7 +291,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
}
return CKR_OK;
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -293,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (crv != CKR_OK) {
@ -301,7 +309,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
NSC_DestroyObject(hSession, publicKey->handle);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
publicKey->isFIPS = privateKey->isFIPS;
@ -310,7 +318,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
*phPrivateKey = privateKey->handle;
*phPublicKey = publicKey->handle;
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
@ -319,7 +327,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
secretlen = tmp.len;
} else {
secretlen = keySize;
@ -327,24 +335,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
&tmp, mechParams->pSharedData,
mechParams->ulSharedDataLen, mechParams->kdf);
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
if (object == NULL) {
return CKR_HOST_MEMORY;
}
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
+ /* object types that we aren't allowed to create in FIPS mode are
+ * already rejected explicitly. If we get here, then the object is
+ * FIPS OK (most notably public key objects )*/
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
* it's not a FIPS object */
/*
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
@ -355,9 +348,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
/* map an operation Attribute to a Mechanism flag */
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700
@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@ -388,8 +381,8 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
case SFTKFIPSNone:
return PR_FALSE;
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
(unsigned char *)subprime_tls_8192_data,
sizeof(subprime_tls_8192_data) };
@ -481,8 +474,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
}
break;
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
goto fail;
}

View File

@ -0,0 +1,126 @@
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
// Fail to connect with a weak RSA key.
TEST_P(TlsConnectTls13, DCWeakKey) {
Reset(kPssDelegatorId);
EnsureTlsSetup();
static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
ssl_sig_rsa_pss_pss_sha256};
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+ PRInt32 keySizeFlags;
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
+ // turn off the signing key sizes so we actually test the ssl tests
+ ASSERT_EQ(SECSuccess,
+ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
// save the MIN POLICY length.
PRInt32 minRsa;
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
#if RSA_MIN_MODULUS_BITS >= 2048
ASSERT_EQ(SECSuccess,
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
client_->EnableDelegatedCredentials();
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_delegated_credentials_xtn);
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
#endif
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
}
class ReplaceDCSigScheme : public TlsHandshakeFilter {
public:
ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
protected:
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
return 0;
}
/* interpret modulus length as key strength */
switch (privk->keyType) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
- /* some tokens don't export CKA_MODULUS on the private key,
- * PK11_SignatureLen works around this if necessary */
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
- if (bitSize == -1) {
- bitSize = 0;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_MODULUS, NULL, &params);
+ if ((rv != SECSuccess) || (params.data == NULL)) {
+ /* some tokens don't export CKA_MODULUS on the private key,
+ * PK11_SignatureLen works around this if necessary. This
+ * method is less percise because it returns bytes instead
+ * bits, so we only do it if we can't get the modulus */
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
+ if (bitSize == -1) {
+ return 0;
+ }
+ return bitSize;
}
+ bitSize = SECKEY_BigIntegerBitLength(&params);
+ PORT_Free(params.data);
return bitSize;
case dsaKey:
case fortezzaKey:
case dhKey:
case keaKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_PRIME, NULL, &params);
if ((rv != SECSuccess) || (params.data == NULL)) {
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
PORT_SetError(SEC_ERROR_INVALID_KEY);
goto done;
}
PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
int signatureLen = PK11_SignatureLen(key);
+ PRInt32 optval;
SECItem *params = NULL;
CK_RSA_PKCS_PSS_PARAMS pssParams;
SECItem pssParamsItem = { siBuffer,
(unsigned char *)&pssParams,
sizeof(pssParams) };
if (signatureLen <= 0) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
goto done;
}
+ /* since we are calling PK11_SignWithMechanism directly, we need to check the
+ * key policy ourselves (which is already checked in SGN_Digest */
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
+ if ((rv == SECSuccess) &&
+ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
+ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ if (rv != SECSuccess) {
+ goto done; /* error code already set */
+ }
+ }
buf->len = (unsigned)signatureLen;
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
if (!buf->data)
goto done; /* error code was set. */
if (useRsaPss) {
pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);

View File

@ -0,0 +1,43 @@
diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
--- a/lib/util/nsshash.c
+++ b/lib/util/nsshash.c
@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
SECOidTag
HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
{
SECOidTag hashOid = SEC_OID_UNKNOWN;
switch (hmacOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_HMAC_MD5:
+ hashOid = SEC_OID_MD5;
+ break;
case SEC_OID_HMAC_SHA1:
hashOid = SEC_OID_SHA1;
break;
case SEC_OID_HMAC_SHA224:
hashOid = SEC_OID_SHA224;
break;
case SEC_OID_HMAC_SHA256:
hashOid = SEC_OID_SHA256;
@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
SECOidTag
HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
{
SECOidTag hmacOid = SEC_OID_UNKNOWN;
switch (hashOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_MD5:
+ hmacOid = SEC_OID_HMAC_MD5;
+ break;
case SEC_OID_SHA1:
hmacOid = SEC_OID_HMAC_SHA1;
break;
case SEC_OID_SHA224:
hmacOid = SEC_OID_HMAC_SHA224;
break;
case SEC_OID_SHA256:
hmacOid = SEC_OID_HMAC_SHA256;

View File

@ -0,0 +1,121 @@
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
--- a/lib/pk11wrap/pk11mech.c
+++ b/lib/pk11wrap/pk11mech.c
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
case CKM_BATON_ECB96:
case CKM_BATON_CBC128:
case CKM_BATON_COUNTER:
case CKM_BATON_SHUFFLE:
case CKM_JUNIPER_ECB128:
case CKM_JUNIPER_CBC128:
case CKM_JUNIPER_COUNTER:
case CKM_JUNIPER_SHUFFLE:
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
- SEC_ASN1_GET(SEC_OctetStringTemplate));
- if (newParams == NULL)
- break;
+ /* if no parameters have been supplied, then encode a NULL params
+ */
+ if (param && param->len > 0) {
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (newParams == NULL)
+ break;
+ } else {
+ newParams = NULL;
+ }
rv = SECSuccess;
break;
}
if (rv != SECSuccess) {
if (newParams)
SECITEM_FreeItem(newParams, PR_TRUE);
return rv;
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
--- a/lib/pk11wrap/pk11pbe.c
+++ b/lib/pk11wrap/pk11pbe.c
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
* algorithm is). We use choose this algorithm oid based on the
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
*/
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
/* choose mac or pbes */
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
}
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+
/* set the PKCS5v2 specific parameters */
if (keyLength == 0) {
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
if (hashAlg != SEC_OID_UNKNOWN) {
keyLength = HASH_ResultLenByOidTag(hashAlg);
} else {
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
}
if (keyLength <= 0) {
goto loser;
}
}
/* currently SEC_OID_HMAC_SHA1 is the default */
if (prfAlg == SEC_OID_UNKNOWN) {
prfAlg = SEC_OID_HMAC_SHA1;
}
- /* build the PKCS5v2 cipher algorithm id */
- cipherParams = pk11_GenerateNewParamWithKeyLen(
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
- if (!cipherParams) {
- goto loser;
+ /* build the PKCS5v2 cipher algorithm id, if cipher
+ * is an HMAC, the cipherParams should be NULL */
+ if (hashAlg == SEC_OID_UNKNOWN) {
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+ if (!cipherParams) {
+ goto loser;
+ }
+ } else {
+ cipherParams = NULL;
}
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
poolp, &pbeV2_param.cipherAlgId);
- SECITEM_FreeItem(cipherParams, PR_TRUE);
+ if (cipherParams) {
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
+ }
if (rv != SECSuccess) {
goto loser;
}
}
/* generate the parameter */
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
keyLength, prfAlg);
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
--- a/lib/util/secalgid.c
+++ b/lib/util/secalgid.c
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
return SECFailure;
if ((secoid_IsRSAPKCS1(which)) ||
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
add_null_param = PR_TRUE;
} else {
add_null_param = PR_FALSE;
}
if (params) {
/*
* I am specifically *not* enforcing the following assertion

File diff suppressed because it is too large Load Diff

View File

@ -1,57 +0,0 @@
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
index 74e8e65..8995752 100644
--- a/lib/freebl/Makefile
+++ b/lib/freebl/Makefile
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
else ifeq (1,$(CC_IS_GCC))
- SUPPORTS_VALE_CURVE25519 = 1
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
index 65f9a80..23940ef 100644
--- a/lib/freebl/freebl.gyp
+++ b/lib/freebl/freebl.gyp
@@ -866,12 +866,6 @@
}],
],
}],
- [ 'supports_vale_curve25519==1', {
- 'defines': [
- # The Makefile does version-tests on GCC, but we're not doing that here.
- 'HACL_CAN_COMPILE_INLINE_ASM',
- ],
- }],
[ 'OS=="linux" or OS=="android"', {
'conditions': [
[ 'target_arch=="x64"', {
@@ -934,11 +928,6 @@
'variables': {
'module': 'nss',
'conditions': [
- [ 'target_arch=="x64" and cc_is_gcc==1', {
- 'supports_vale_curve25519%': 1,
- }, {
- 'supports_vale_curve25519%': 0,
- }],
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'have_int128_support%': 1,
}, {
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
index d198c44..34b6b3c 100644
--- a/lib/freebl/freebl_base.gypi
+++ b/lib/freebl/freebl_base.gypi
@@ -151,11 +151,6 @@
'ecl/curve25519_32.c',
],
}],
- ['supports_vale_curve25519==1', {
- 'sources': [
- 'verified/Hacl_Curve25519_64.c',
- ],
- }],
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
'sources': [
# Gyp does not support per-file cflags, so working around like this.

View File

@ -1,194 +0,0 @@
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
@@ -10,6 +10,32 @@
#include "pk11pub.h"
#include <stdio.h>
+typedef struct KeyLengthEntryStr {
+ SECOidTag tag;
+ unsigned int len;
+ PRBool encoded;
+} KeyLengthEntry;
+
+const KeyLengthEntry keyLengthTable[] = {
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
+};
+
+const KeyLengthEntry *
+getKeyLengthEntry(SECOidTag tag)
+{
+ int i;
+
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
+ if (keyLengthTable[i].tag == tag) {
+ return &keyLengthTable[i];
+ }
+ }
+ return NULL;
+}
+
void
printBuf(const SECItem *item)
{
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
PK11SymKey *symKey = NULL;
SECStatus rv = SECFailure;
+ const KeyLengthEntry *keyLengthEntry;
+ SECItem point = { siBuffer, NULL, 0 };
+ SECItem value = { siBuffer, NULL, 0 };
+ PLArenaPool *arena = NULL;
oidData = SECOID_FindOIDByTag(oid);
if (oidData == NULL) {
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
goto cleanup;
}
PrintKey(symKey);
- rv = SECSuccess;
+ keyLengthEntry = getKeyLengthEntry(oid);
+ /* this shouldn't happen unless new curves are added without adding them
+ * to the keyLengthTable */
+ PR_ASSERT(keyLengthEntry);
+
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
+ * our test will detect incorrect behavior */
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
+ if (rv == SECFailure) {
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
+ goto cleanup;
+ }
+ rv = SECFailure;
+ if (keyLengthEntry->encoded) {
+ if (point.len == keyLengthEntry->len) {
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
+ printBuf(&point);
+ goto cleanup;
+ }
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ printf(" >>> arena alloc failed.\n");
+ goto cleanup;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &point);
+ if (rv != SECSuccess) {
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
+ printBuf(&point);
+ goto cleanup;
+ }
+ rv = SECFailure;
+ if (value.len != keyLengthEntry->len) {
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
+ value.len, keyLengthEntry->len);
+ printBuf(&value);
+ goto cleanup;
+ }
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
+ printBuf(&value);
+ goto cleanup;
+ }
+ } else {
+ if (point.len != keyLengthEntry->len) {
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
+ point.len, keyLengthEntry->len);
+ printBuf(&point);
+ goto cleanup;
+ }
+ }
+
+ rv = SECSuccess;
cleanup:
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
@@ -91,7 +176,11 @@ cleanup:
if (symKey) {
PK11_FreeSymKey(symKey);
}
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
+ SECITEM_FreeItem(&point, PR_FALSE);
return rv;
}
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
*/
typedef enum { ec_params_explicit,
- ec_params_named
+ ec_params_named,
+ ec_params_edwards_named,
+ ec_params_montgomery_named,
} ECParamsType;
typedef enum { ec_field_GFp = 1,
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
case SEC_OID_CURVE25519:
/* Populate params for Curve25519 */
+ params->type = ec_params_montgomery_named;
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
ec_field_plain,
params));
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
/* make sure it has the same encoding */
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
} else {
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
- ecParams->fieldID.type == ec_field_plain) {
+ ecParams->type != ec_params_named) {
PORT_FreeArena(ecParams->arena, PR_TRUE);
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
sftk_item_expand(&ecPriv->publicValue));
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
/* Handle the non-DER encoded case.
* Some curves are always pressumed to be non-DER.
*/
- if (pubKey->u.ec.publicValue.len == keyLen &&
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
+ (pubKey->u.ec.publicValue.len == keyLen &&
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
break; /* key was not DER encoded, no need to unwrap */
}
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
break;
}
/* we don't handle compressed points except in the case of ECCurve25519 */
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}

View File

@ -1,335 +0,0 @@
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
+const uint8_t kP521SpkiUnpaddedSig[] = {
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
+ 0xe2, 0x9f};
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
+const uint8_t kP384SpkiUnpaddedSig[] = {
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
+const uint8_t kP256SpkiUnpaddedSig[] = {
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
+ 0xcf, 0x61, 0x91, 0x5f};
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
+ 0x78, 0xc4};
} // namespace nss_test
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
SEC_OID_SECG_EC_SECP521R1,
SEC_OID_CURVE25519));
+class Pkcs11EcdsaUnpaddedSignatureTest
+ : public Pkcs11EcdsaTestBase,
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
+ public:
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
+};
+
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
+};
+
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
} // namespace nss_test
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[64] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 65 ||
- digest->len == 0 ||
- signature->len != 64) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 65) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 64) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 32 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 32;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 32;
+ }
+
+
uint8_t hash[32] = { 0 };
if (digest->len < 32) {
memcpy(hash + 32 - digest->len, digest->data, digest->len);
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
bool b = Hacl_P256_ecdsa_verif_without_hash(
32, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 32);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[96] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 97 ||
- digest->len == 0 ||
- signature->len != 96) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 97) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 96) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 48 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 48;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 48;
+ }
+
uint8_t hash[48] = { 0 };
if (digest->len < 48) {
memcpy(hash + 48 - digest->len, digest->data, digest->len);
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
bool b = Hacl_P384_ecdsa_verif_without_hash(
48, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 48);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[132] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 133 ||
- digest->len == 0 ||
- signature->len != 132) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 133) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 132) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 66 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 66;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 66;
+ }
+
uint8_t hash[66] = { 0 };
if (digest->len < 66) {
memcpy(hash + 66 - digest->len, digest->data, digest->len);
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
bool b = Hacl_P521_ecdsa_verif_without_hash(
66, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 66);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;

View File

@ -1,83 +0,0 @@
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -15,10 +15,13 @@
* keys and their associated Certificates are saved on the token.
*
* In this implementation, session objects are only visible to the session
* that created or generated them.
*/
+
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
+
#include "seccomon.h"
#include "secitem.h"
#include "secport.h"
#include "blapi.h"
#include "pkcs11.h"
@@ -1954,12 +1957,21 @@
if (pDigest == NULL) {
*pulDigestLen = context->maxLen;
goto finish;
}
- /* do it: */
+#if (ULONG_MAX > UINT_MAX)
+ /* The context->hashUpdate function takes an unsigned int for its data
+ * length argument, but NSC_Digest takes an unsigned long. */
+ while (ulDataLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
+ pData += UINT_MAX;
+ ulDataLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
+
/* NOTE: this assumes buf size is bigenough for the algorithm */
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
*pulDigestLen = digestLen;
sftk_TerminateOp(session, SFTK_HASH, context);
@@ -1980,12 +1992,22 @@
/* make sure we're legal */
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
if (crv != CKR_OK)
return crv;
- /* do it: */
+
+#if (ULONG_MAX > UINT_MAX)
+ /* The context->hashUpdate function takes an unsigned int for its data
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
+ while (ulPartLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
+ pPart += UINT_MAX;
+ ulPartLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
+
return CKR_OK;
}
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
CK_RV
@@ -3166,10 +3188,17 @@
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
if (crv != CKR_OK)
return crv;
if (context->hashInfo) {
+#if (ULONG_MAX > UINT_MAX)
+ while (ulPartLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
+ pPart += UINT_MAX;
+ ulPartLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
} else {
/* must be block cipher MACing */
unsigned int blkSize = context->blockSize;

View File

@ -1,18 +0,0 @@
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
return $?
fi
curves=( \
- "curve25519" \
"secp256r1" \
"secp384r1" \
"secp521r1" \
)
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
+ curves=( "curve25519" "${curves[@]}" )
+ fi
for curve in "${curves[@]}"; do
echo "Test $curve key generation using certutil ..."
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}

View File

@ -0,0 +1,36 @@
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
@@ -303,7 +303,7 @@ endif
ifeq ($(CPU_ARCH),ppc)
EXTRA_SRCS += gcm-ppc.c
ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
+# DEFINES += -DNSS_NO_INIT_SUPPORT
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
ifeq ($(PPC_ABI),2)
ASFILES += sha512-p8.s
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
ifdef NSS_NO_INIT_SUPPORT
DEFINES += -DNSS_NO_INIT_SUPPORT
endif
-ifeq ($(OS_TARGET),Linux)
-ifeq ($(CPU_ARCH),ppc)
-ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
-endif # USE_64
-endif # ppc
-endif # Linux
+#ifeq ($(OS_TARGET),Linux)
+#ifeq ($(CPU_ARCH),ppc)
+#ifdef USE_64
+# DEFINES += -DNSS_NO_INIT_SUPPORT
+#endif # USE_64
+#endif # ppc
+#endif # Linux
#######################################################################

View File

@ -1,32 +0,0 @@
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
@@ -57,7 +57,6 @@ CPPSRCS = \
tls_filter.cc \
tls_protect.cc \
tls_psk_unittest.cc \
- tls_subcerts_unittest.cc \
tls_ech_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ss->opt.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ssl_defaults.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:

View File

@ -1,41 +0,0 @@
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));

125
nss.spec
View File

@ -1,7 +1,7 @@
%global nspr_build_version 4.35.0-1
%global nspr_release -1
%global nspr_version 4.35.0
%global nss_version 3.90.0
%global nss_version 3.101.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 7%{?dist}
Release: 6%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}%{nspr_release}
@ -113,7 +113,7 @@ Source28: nss-p11-kit.config
# will have their own validation
Source30: fips_algorithms.h
Source50: NameConstraints_Certs.tar
#Source50: NameConstraints_Certs.tar
# To inject hardening flags for DSO
Patch1: nss-dso-ldflags.patch
@ -129,67 +129,79 @@ Patch1: nss-dso-ldflags.patch
# Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it.
Patch4: iquote.patch
#
# RHEL-8 specific patches not in RHEL-9
#
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
Patch9: nss-sysinit-userdb.patch
Patch10: nss-sysinit-userdb.patch
# Disable nss-sysinit test which is solely to test the above change
Patch10: nss-skip-sysinit-gtests.patch
Patch15: nss-3.90-extend-db-dump-time.patch
Patch11: nss-skip-sysinit-gtests.patch
# For compatibility reasons, we stick with the old PKCS #11 2.40
# definition of CK_GCM_PARAMS:
%if 0%{?fedora} < 34
%if 0%{?rhel} < 9
Patch20: nss-gcm-param-default-pkcs11v2.patch
Patch12: nss-gcm-param-default-pkcs11v2.patch
%endif
%endif
# Local patch: disable MD5 (also MD2 and MD4) completely
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
Patch25: nss-disable-md5.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
Patch34: nss-3.71-fix-lto-gtests.patch
# Local patch: disable Delegated Credentials
Patch35: nss-disable-dc.patch
Patch13: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
# is updated.
Patch40: nss-3.66-disable-signature-policies.patch
Patch14: nss-3.101-disable-signature-policies.patch
Patch15: nss-3.101-el8-fix-rsa-policy-test.patch
# Local patch: disable tests that require external reference so brew completes
Patch45: nss-3.66-disable-external-host-test.patch
Patch16: nss-3.66-disable-external-host-test.patch
# Local patch: restore old pkcs 12 defaults on old version of rhel
Patch50: nss-3.66-restore-old-pkcs12-default.patch
Patch17: nss-3.101-el8-restore-old-pkcs12-default.patch
# Local Patch: restore expired distrusted certs for now
Patch51: nss-3.79-revert-distrusted-certs.patch
Patch18: nss-3.79-revert-distrusted-certs.patch
# Local Patch: update fipsdefaults to AES
Patch52: nss-3.79-pkcs12-fips-defaults.patch
Patch53: nss-3.71-camellia-pkcs12-doc.patch
Patch54: nss-3.90-disable-ech.patch
Patch19: nss-3.79-pkcs12-fips-defaults.patch
# Local Patch: curve25519 keys can't be stored in dbm databases,
# only rhel-8 has dbm databases left, don't try to store
# curve25519 keys in the dbm database.
Patch20: nss-3.101-ec-dbm-test.patch
# end of RHEL-8 specific patches
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
Patch57: nss-3.79-dbtool.patch
Patch58: nss-3.79-fips.patch
# RHEL-specific shared with RHEL-9
Patch30: nss-3.101-extend-db-dump-time.patch
# Local patch: disable MD5 (also MD2 and MD4) completely
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
Patch32: nss-3.101-disable-md5.patch
Patch34: nss-3.71-fix-lto-gtests.patch
Patch35: nss-3.71-camellia-pkcs12-doc.patch
Patch36: nss-3.101-disable-ech.patch
# patches that expect to be upstreamed
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
Patch50: nss-3.79-fips.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
Patch60: nss-3.90-DisablingASM.patch
Patch61: nss-3.79-fips-review.patches
Patch62: nss-3.90-no-dbm-25519.patch
Patch63: nss-3.90-pbkdf2-indicator.patch
Patch51: nss-3.101-fips-review.patches
Patch52: nss-3.90-pbkdf2-indicator.patch
# ems policy. needs to upstream
Patch70: nss-3.90-add-ems-policy.patch
Patch60: nss-3.101-add-ems-policy.patch
Patch70: nss-3.90-fips-safe-memset.patch
Patch71: nss-3.101-fips-indicators.patch
Patch72: nss-3.90-aes-gmc-indicator.patch
Patch73: nss-3.90-fips-indicators2.patch
Patch74: nss-3.90-dh-test-update.patch
Patch75: nss-3.90-ppc_no_init.patch
Patch76: nss-3.101-enable-kyber-policy.patch
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
Patch80: nss-3.101-el8-no-p12-smime-policy.patch
Patch81: nss-3.101-fix-missing-size-checks.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Patch82: nss-3.101-chacha-timing-fix.patch
Patch83: nss-3.101-add-certificate-compression-test.patch
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
#revert patches
Patch300: nss-3.101-default-libpkix.patch
Patch80: blinding_ct.patch
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
Patch82: nss-3.90-fips-safe-memset.patch
Patch83: nss-3.90-fips-indicators.patch
Patch84: nss-3.90-aes-gmc-indicator.patch
Patch85: nss-3.90-fips-indicators2.patch
Patch86: nss-3.90-dh-test-update.patch
Patch90: nss_p256_scalar_validated.patch
Patch91: nss_p384_scalar_validated.patch
Patch92: nss_p384_hacl.patch
Patch93: nss_p521_hacl.patch
Patch94: nss-3.90-ecc-wrap-fix.patch
Patch95: nss-3.90-ecdsa-sign-padding-fix.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -319,7 +331,8 @@ Header and library files for doing development with Network Security Services.
%prep
%autosetup -N -n %{name}-%{nss_archive_version}
pushd nss
%autopatch -p1
%autopatch -M 299 -p1
%patch -P 300 -p1 -R
popd
# copy the fips_algorithms.h for this release
@ -328,9 +341,9 @@ popd
cp %{SOURCE30} nss/lib/softoken/
#update expired test certs
pushd nss
tar xvf %{SOURCE50}
popd
#pushd nss
#tar xvf %{SOURCE50}
#popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
@ -888,11 +901,13 @@ update-crypto-policies --no-reload &> /dev/null || :
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nsshash.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
@ -981,6 +996,22 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
- fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
- Fix missing and inaccurate key length checks
- Fix chacha timing issue
* Wed Jul 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
- Fix MD-5 decode issue in pkcs #12
- turn off policy processing for pkcs12 and smime
- update the restore defaults for pkcs12
* Tue Jun 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Rebase to NSS 3.101
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
- Allow for shorter ecdsa signatures by padding them to full length

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,644 +0,0 @@
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
+ # TODO(Bug 1854438): Remove P384 exception.
+ # TODO(Bug 1854439): Remove P521 exception.
+ if [ $file_name == "Hacl_P384.c" \
+ -o $file_name == "Hacl_P384.h" \
+ -o $file_name == "Hacl_P521.c" \
+ -o $file_name == "Hacl_P521.h" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
@@ -15,15 +15,62 @@
#include "mplogic.h"
#include "ec.h"
#include "ecl.h"
+#include "verified/Hacl_P384.h"
+#include "verified/Hacl_P521.h"
#define EC_DOUBLECHECK PR_FALSE
+SECStatus
+ec_secp384r1_scalar_validate(const SECItem *scalar)
+{
+ if (!scalar || !scalar->data) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (scalar->len != 48) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+
+ bool b = Hacl_P384_validate_private_key(scalar->data);
+
+ if (!b) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+SECStatus
+ec_secp521r1_scalar_validate(const SECItem *scalar)
+{
+ if (!scalar || !scalar->data) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (scalar->len != 66) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+
+ bool b = Hacl_P521_validate_private_key(scalar->data);
+
+ if (!b) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
static const ECMethod kMethods[] = {
{ ECCurve25519,
ec_Curve25519_pt_mul,
ec_Curve25519_pt_validate,
ec_Curve25519_scalar_validate,
- NULL, NULL },
+ NULL,
+ NULL },
{
ECCurve_NIST_P256,
ec_secp256r1_pt_mul,
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
SECStatus
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
{
- SECStatus rv = SECSuccess;
- mp_err err;
+ SECStatus rv = SECFailure;
unsigned int len = EC_GetScalarSize(ecParams);
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
return SECFailure;
}
- /* For known curves, use rejection sampling A.4.2 */
- if (ecParams->fieldID.type == ec_field_plain) {
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
- rv = SECFailure;
- if (method == NULL || method->scalar_validate == NULL) {
- /* unknown curve */
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto done;
- }
- int count = 100;
- while (rv != SECSuccess && count >= 0) {
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
- goto done;
- }
- rv = method->scalar_validate(privKey);
- count--;
- }
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_BAD_KEY);
- }
- goto done;
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
+ if (method == NULL || method->scalar_validate == NULL) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
}
- /* For unknown curves, use algotithm A.4.1 */
-
- unsigned char *order = ecParams->order.data;
- mp_int privKeyVal, order_1, one;
- unsigned char *privKeyBytes = NULL;
-
- MP_DIGITS(&privKeyVal) = 0;
- MP_DIGITS(&order_1) = 0;
- MP_DIGITS(&one) = 0;
- CHECK_MPI_OK(mp_init(&privKeyVal));
- CHECK_MPI_OK(mp_init(&order_1));
- CHECK_MPI_OK(mp_init(&one));
-
- /* Generates 2*len random bytes using the global random bit generator
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
- * reduces modulo the group order.
- */
-
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto cleanup;
+ uint8_t leading_coeff_mask;
+ switch (ecParams->name) {
+ case ECCurve25519:
+ case ECCurve_NIST_P256:
+ case ECCurve_NIST_P384:
+ leading_coeff_mask = 0xff;
+ break;
+ case ECCurve_NIST_P521:
+ leading_coeff_mask = 0x01;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
}
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
- CHECK_MPI_OK(mp_set_int(&one, 1));
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
- memcpy(privKey->data, privKeyBytes, len);
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
+ int count = 100;
+ do {
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return SECFailure;
+ }
+ privKey->data[0] &= leading_coeff_mask;
+ rv = method->scalar_validate(privKey);
+ } while (rv != SECSuccess && --count > 0);
-cleanup:
- mp_clear(&privKeyVal);
- mp_clear(&order_1);
- mp_clear(&one);
- if (privKeyBytes) {
- PORT_ZFree(privKeyBytes, 2 * len);
- }
- if (err < MP_OKAY) {
- MP_TO_SEC_ERROR(err);
- rv = SECFailure;
+ if (rv != SECSuccess) { // implies count == 0
+ PORT_SetError(SEC_ERROR_BAD_KEY);
}
-done:
- if (rv != SECSuccess && privKey->data) {
- SECITEM_ZfreeItem(privKey, PR_FALSE);
- return rv;
- }
return rv;
}
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
const SECItem *digest);
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
+
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
+
#endif /* __ecl_h_ */
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
@@ -38,6 +38,8 @@
'ecl/ecp_secp384r1.c',
'ecl/ecp_secp521r1.c',
'verified/Hacl_P256.c',
+ 'verified/Hacl_P384.c',
+ 'verified/Hacl_P521.c',
'fipsfreebl.c',
'blinit.c',
'freeblver.c',
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
endif # NSS_DISABLE_CHACHAPOLY
-VERIFIED_SRCS += Hacl_P256.c
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
# All 64-bit architectures get the 64 bit version.
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,126 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "Hacl_P384.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Bignum_Base.h"
+
+static inline uint64_t
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
+{
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
+ KRML_MAYBE_FOR6(i,
+ (uint32_t)0U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
+ mask = uu____0 & mask;);
+ uint64_t mask1 = mask;
+ return mask1;
+}
+
+static inline uint64_t
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
+{
+ uint64_t c1 = (uint64_t)0U;
+ {
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
+ }
+ KRML_MAYBE_FOR2(i,
+ (uint32_t)4U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t t1 = b[i];
+ uint64_t t2 = c[i];
+ uint64_t *res_i = a + i;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
+ uint64_t c10 = c1;
+ return c10;
+}
+
+static inline void
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
+{
+ KRML_MAYBE_FOR6(i,
+ (uint32_t)0U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t *os = a;
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
+ uint64_t x = u;
+ os[i] = x;);
+}
+
+static inline void
+p384_make_order(uint64_t *n)
+{
+ n[0U] = (uint64_t)0xecec196accc52973U;
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
+ n[3U] = (uint64_t)0xffffffffffffffffU;
+ n[4U] = (uint64_t)0xffffffffffffffffU;
+ n[5U] = (uint64_t)0xffffffffffffffffU;
+}
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool
+Hacl_P384_validate_private_key(uint8_t *private_key)
+{
+ uint64_t bn_sk[6U] = { 0U };
+ bn_from_bytes_be(bn_sk, private_key);
+ uint64_t tmp[6U] = { 0U };
+ p384_make_order(tmp);
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
+ uint64_t is_lt_order = (uint64_t)0U - c;
+ uint64_t bn_zero[6U] = { 0U };
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
+ uint64_t is_eq_zero = res;
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
+}
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __Hacl_P384_H
+#define __Hacl_P384_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+
+#include "lib_intrinsics.h"
+
+/*******************************************************************************
+
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
+
+ This module implements signing and verification, key validation, conversions
+ between various point representations, and ECDH key agreement.
+
+*******************************************************************************/
+
+/******************/
+/* Key validation */
+/******************/
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_P384_H_DEFINED
+#endif
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,131 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "Hacl_P521.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Bignum_Base.h"
+
+static inline uint64_t
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
+{
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
+ KRML_MAYBE_FOR9(i,
+ (uint32_t)0U,
+ (uint32_t)9U,
+ (uint32_t)1U,
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
+ mask = uu____0 & mask;);
+ uint64_t mask1 = mask;
+ return mask1;
+}
+
+static inline uint64_t
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
+{
+ uint64_t c1 = (uint64_t)0U;
+ KRML_MAYBE_FOR2(i,
+ (uint32_t)0U,
+ (uint32_t)2U,
+ (uint32_t)1U,
+ uint64_t t1 = b[(uint32_t)4U * i];
+ uint64_t t20 = c[(uint32_t)4U * i];
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
+ {
+ uint64_t t1 = b[8U];
+ uint64_t t2 = c[8U];
+ uint64_t *res_i = a + (uint32_t)8U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
+ }
+ uint64_t c10 = c1;
+ return c10;
+}
+
+static inline void
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
+{
+ uint8_t tmp[72U] = { 0U };
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
+ KRML_MAYBE_FOR9(i,
+ (uint32_t)0U,
+ (uint32_t)9U,
+ (uint32_t)1U,
+ uint64_t *os = a;
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
+ uint64_t x = u;
+ os[i] = x;);
+}
+
+static inline void
+p521_make_order(uint64_t *n)
+{
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
+ n[5U] = (uint64_t)0xffffffffffffffffU;
+ n[6U] = (uint64_t)0xffffffffffffffffU;
+ n[7U] = (uint64_t)0xffffffffffffffffU;
+ n[8U] = (uint64_t)0x1ffU;
+}
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool
+Hacl_P521_validate_private_key(uint8_t *private_key)
+{
+ uint64_t bn_sk[9U] = { 0U };
+ bn_from_bytes_be(bn_sk, private_key);
+ uint64_t tmp[9U] = { 0U };
+ p521_make_order(tmp);
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
+ uint64_t is_lt_order = (uint64_t)0U - c;
+ uint64_t bn_zero[9U] = { 0U };
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
+ uint64_t is_eq_zero = res;
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
+}
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,59 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __Hacl_P521_H
+#define __Hacl_P521_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+
+#include "lib_intrinsics.h"
+
+/******************/
+/* Key validation */
+/******************/
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_P521_H_DEFINED
+#endif

File diff suppressed because it is too large Load Diff

View File

@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.90.tar.gz) = e41f4de73f4971c8f35dffe3926b6845ef12a1ce7e8f3fe682e643ddb791a009d079c1706f66d065333af884726840dbc96d4e44762f9c3e48b8d919c09ae625
SHA512 (nss-3.101.tar.gz) = b1596e7d74c654825eabbcc1f71b1410cf44d816c3044429576782bc800186073d43da9ad76de2fbd7de73c4460ebeb91aa244457da9d0d0cdc08a50a11a165f