rpms
/
nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import nss-3.53.1-17.el8_3

This commit is contained in:
CentOS Sources 2021-03-30 13:54:40 -04:00 committed by Stepan Oksanichenko
parent fa8cce37ed
commit e1c4a2e0f8
47 changed files with 43675 additions and 83259 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,3 +1,4 @@
SOURCES/PayPalEE.cert
SOURCES/blank-cert8.db
SOURCES/blank-cert9.db
SOURCES/blank-key3.db
@ -7,7 +8,7 @@ SOURCES/cert8.db.xml
SOURCES/cert9.db.xml
SOURCES/key3.db.xml
SOURCES/key4.db.xml
SOURCES/nss-3.44.tar.gz
SOURCES/nss-3.53.1.tar.gz
SOURCES/nss-config.xml
SOURCES/nss-softokn-cavs-1.0.tar.gz
SOURCES/secmod.db.xml

3
.nss.metadata
View File

@ -1,3 +1,4 @@
bc5c03643bfa1a5ea8519b8e7e2d7d5e30abea30 SOURCES/PayPalEE.cert
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
@ -7,7 +8,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
ea6705e15999bdc6365f05b3d66f9c1d49677f84 SOURCES/cert9.db.xml
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
44a83b1bf4efd27605177ecdbf217e579ae8c8ae SOURCES/nss-3.44.tar.gz
ee522d99ff582b849fe5190c1461f0633ffe1721 SOURCES/nss-3.53.1.tar.gz
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml

1114
SOURCES/nss-3.44-cmac.patch
View File

File diff suppressed because it is too large Load Diff

21
SOURCES/nss-3.44-encrypt-update.patch
View File

@ -1,21 +0,0 @@
# HG changeset patch
# User Craig Disselkoen <cdisselk@cs.ucsd.edu>
# Date 1574189697 25200
# Tue Nov 19 11:54:57 2019 -0700
# Branch NSS_3_44_BRANCH
# Node ID 60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec
# Parent 64e55c9f658e2a75f0835d00a8a1cdc2f25c74d6
Bug 1586176 - EncryptUpdate should use maxout not block size. r=franziskus
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -1321,7 +1321,7 @@ NSC_EncryptUpdate(CK_SESSION_HANDLE hSes
}
/* encrypt the current padded data */
rv = (*context->update)(context->cipherInfo, pEncryptedPart,
- &padoutlen, context->blockSize, context->padBuf,
+ &padoutlen, maxout, context->padBuf,
context->blockSize);
if (rv != SECSuccess) {
return sftk_MapCryptError(PORT_GetError());

45
SOURCES/nss-3.44-fix-cmac-alignment-crash.patch
View File

@ -1,45 +0,0 @@
diff --git a/lib/freebl/cmac.c b/lib/freebl/cmac.c
--- a/lib/freebl/cmac.c
+++ b/lib/freebl/cmac.c
@@ -22,7 +22,7 @@
* add a new Context pointer to the cipher union with the correct type. */
CMACCipher cipherType;
union {
- AESContext aes;
+ AESContext *aes;
} cipher;
int blockSize;
@@ -62,7 +62,7 @@
{
if (ctx->cipherType == CMAC_AES) {
unsigned int tmpOutputLen;
- SECStatus rv = AES_Encrypt(&ctx->cipher.aes, output, &tmpOutputLen,
+ SECStatus rv = AES_Encrypt(ctx->cipher.aes, output, &tmpOutputLen,
ctx->blockSize, input, inputLen);
/* Assumption: AES_Encrypt (when in ECB mode) always returns an
@@ -156,8 +156,9 @@
ctx->blockSize = AES_BLOCK_SIZE;
ctx->cipherType = CMAC_AES;
- if (AES_InitContext(&ctx->cipher.aes, key, key_len, NULL, NSS_AES, 1,
- ctx->blockSize) != SECSuccess) {
+ ctx->cipher.aes = AES_CreateContext(key, NULL, NSS_AES, 1, key_len,
+ ctx->blockSize);
+ if (ctx->cipher.aes == NULL) {
return SECFailure;
}
@@ -308,8 +309,8 @@
return;
}
- if (ctx->cipherType == CMAC_AES) {
- AES_DestroyContext(&ctx->cipher.aes, PR_FALSE);
+ if (ctx->cipherType == CMAC_AES && ctx->cipher.aes != NULL) {
+ AES_DestroyContext(ctx->cipher.aes, PR_TRUE);
}
/* Destroy everything in the context. This includes sensitive data in

15
SOURCES/nss-3.44-fix-swapped-cmac.patch
View File

@ -1,15 +0,0 @@
diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h
--- a/lib/util/pkcs11t.h
+++ b/lib/util/pkcs11t.h
@@ -898,8 +898,8 @@
#define CKM_AES_CCM 0x00001088
#define CKM_AES_CTS 0x00001089
/* AES-CMAC values copied from v2.40 errata 1 header file */
-#define CKM_AES_CMAC_GENERAL 0x0000108A
-#define CKM_AES_CMAC 0x0000108B
+#define CKM_AES_CMAC 0x0000108A
+#define CKM_AES_CMAC_GENERAL 0x0000108B
#define CKM_AES_XCBC_MAC 0x0000108C
#define CKM_AES_XCBC_MAC_96 0x0000108D

62
SOURCES/nss-3.44-kbkdf-update.patch
View File

@ -1,62 +0,0 @@
diff -up ./lib/softoken/kbkdf.c.kdf_update ./lib/softoken/kbkdf.c
--- ./lib/softoken/kbkdf.c.kdf_update 2019-11-27 16:48:01.864135431 -0800
+++ ./lib/softoken/kbkdf.c 2019-11-27 16:48:51.779661708 -0800
@@ -160,6 +160,9 @@ static CK_RV kbkdf_ValidateParameter(CK_
/* There is no additional data to validate for byte arrays; we can
* only assume the context is of the correct size. */
break;
+ default:
+ /* don't allow unknown types */
+ return CKR_MECHANISM_PARAM_INVALID;
}
return CKR_OK;
@@ -250,14 +253,16 @@ static CK_RV kbkdf_ValidateParameters(CK
return CKR_MECHANISM_PARAM_INVALID;
}
- /* Count that we have a parameter of this type. */
- param_type_count[params->pDataParams[offset].type] += 1;
-
/* Validate this parameter has acceptable values. */
ret = kbkdf_ValidateParameter(mech, params->pDataParams + offset);
if (ret != CKR_OK) {
- return CKR_MECHANISM_PARAM_INVALID;
+ return ret;
}
+ /* Count that we have a parameter of this type. */
+ /* Do this after we've validated the param to make sure we don't
+ * overflow our array */
+ PORT_Assert(params->pDataParams[offset].type < sizeof(param_type_count)/sizeof(param_type_count[0]));
+ param_type_count[params->pDataParams[offset].type] += 1;
}
if (mech == CKM_SP800_108_COUNTER_KDF || mech == CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA) {
@@ -306,18 +311,20 @@ static CK_RV kbkdf_ValidateParameters(CK
/* [ section: parameter helpers ] */
static void kbkdf_EncodeInteger(uint64_t integer, CK_ULONG num_bits, CK_BBOOL littleEndian, CK_BYTE_PTR output, CK_ULONG_PTR output_len) {
- uint64_t reordered;
+ CK_ULONG num_bytes = num_bits/8;
+ CK_ULONG i;
if (output_len) {
- *output_len = (num_bits / 8);
+ *output_len = num_bytes;
}
if (littleEndian == CK_TRUE) {
- reordered = htole64(integer);
- memcpy(output, &reordered, num_bits/8);
+ for (i=0; i < num_bytes; i++) {
+ output[i] = (integer >> i*8) & 0xff;
+ }
} else {
- reordered = htobe64(integer);
- reordered = reordered >> (64 - num_bits);
- memcpy(output, &reordered, (num_bits/8));
+ for (i=num_bytes; i > 0; i--) {
+ output[num_bytes-i] = (integer >> (i-1)*8) & 0xff;
+ }
}
}

74471
SOURCES/nss-3.44-kbkdf.patch
View File

File diff suppressed because it is too large Load Diff

65
SOURCES/nss-3.44-missing-softokn-kdf.patch
View File

@ -1,28 +1,19 @@
diff -up ./gtests/pk11_gtest/manifest.mn.missing_kdf ./gtests/pk11_gtest/manifest.mn
--- ./gtests/pk11_gtest/manifest.mn.missing_kdf 2019-08-08 10:22:53.072100034 -0700
+++ ./gtests/pk11_gtest/manifest.mn 2019-08-08 10:23:33.424061237 -0700
@@ -14,6 +14,7 @@ CPPSRCS = \
pk11_encrypt_derive_unittest.cc \
pk11_export_unittest.cc \
Index: nss/gtests/pk11_gtest/manifest.mn
===================================================================
--- nss.orig/gtests/pk11_gtest/manifest.mn
+++ nss/gtests/pk11_gtest/manifest.mn
@@ -23,6 +23,7 @@ CPPSRCS = \
pk11_find_certs_unittest.cc \
pk11_hkdf_unittest.cc \
pk11_import_unittest.cc \
+ pk11_kdf_unittest.cc \
pk11_pbkdf2_unittest.cc \
pk11_prf_unittest.cc \
pk11_prng_unittest.cc \
diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf ./gtests/pk11_gtest/pk11_gtest.gyp
--- ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf 2019-08-08 10:23:13.298080588 -0700
+++ ./gtests/pk11_gtest/pk11_gtest.gyp 2019-08-08 10:23:49.728045561 -0700
@@ -19,6 +19,7 @@
'pk11_ecdsa_unittest.cc',
'pk11_encrypt_derive_unittest.cc',
'pk11_import_unittest.cc',
+ 'pk11_kdf_unittest.cc',
'pk11_pbkdf2_unittest.cc',
'pk11_prf_unittest.cc',
'pk11_prng_unittest.cc',
diff -up ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf ./gtests/pk11_gtest/pk11_kdf_unittest.cc
--- ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf 2019-08-07 14:23:28.657960569 -0700
+++ ./gtests/pk11_gtest/pk11_kdf_unittest.cc 2019-08-08 10:22:38.015114511 -0700
pk11_kbkdf.cc \
pk11_keygen.cc \
pk11_key_unittest.cc \
Index: nss/gtests/pk11_gtest/pk11_kdf_unittest.cc
===================================================================
--- /dev/null
+++ nss/gtests/pk11_gtest/pk11_kdf_unittest.cc
@@ -0,0 +1,509 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
@ -533,28 +524,16 @@ diff -up ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf ./gtests/pk11_gtes
+}
+
+} // namespace nss_test
diff -up ./lib/softoken/pkcs11.c.missing_kdf ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.missing_kdf 2019-08-07 14:18:55.039435109 -0700
+++ ./lib/softoken/pkcs11.c 2019-08-08 10:28:12.449792962 -0700
@@ -516,7 +516,8 @@ static const struct mechanismList mechan
/* --------------------IPSEC ----------------------- */
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
};
static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
diff -up ./lib/softoken/sftkike.c.missing_kdf ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.missing_kdf 2019-08-08 10:24:27.872008887 -0700
+++ ./lib/softoken/sftkike.c 2019-08-08 10:27:34.416829530 -0700
@@ -744,7 +744,7 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
* key is inKey
*/
Index: nss/lib/softoken/sftkike.c
===================================================================
--- nss.orig/lib/softoken/sftkike.c
+++ nss/lib/softoken/sftkike.c
@@ -774,7 +774,7 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
* key is inKey
*/
thisKey = outKeyData;
- for (genKeySize = 0; genKeySize <= keySize; genKeySize += macSize) {
+ for (genKeySize = 0; genKeySize < keySize; genKeySize += macSize) {
PRBool hashedData = PR_FALSE;
crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen);
if (crv != CKR_OK) {
goto fail;

248
SOURCES/nss-3.44-ske-policy.patch
View File

@ -1,248 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1573203603 -3600
# Fri Nov 08 10:00:03 2019 +0100
# Node ID c08947c6af5789510641ad17373e2612361e4ec6
# Parent e766899c72a517976f5f4abfec2a56712841e411
Bug 1566131, check policy against hash algorithms used for ServerKeyExchange, r=mt
Summary: This adds necessary policy checks in `ssl3_ComputeCommonKeyHash()`, right before calculating hashes. Note that it currently doesn't check MD5 as it still needs to be allowed in TLS 1.1 or earlier and many tests fail if we change that.
Reviewers: mt
Reviewed By: mt
Bug #: 1566131
Differential Revision: https://phabricator.services.mozilla.com/D45867
diff --git a/gtests/ssl_gtest/ssl_dhe_unittest.cc b/gtests/ssl_gtest/ssl_dhe_unittest.cc
--- a/gtests/ssl_gtest/ssl_dhe_unittest.cc
+++ b/gtests/ssl_gtest/ssl_dhe_unittest.cc
@@ -682,4 +682,100 @@ TEST_P(TlsConnectTls12, ConnectInconsist
ConnectExpectAlert(client_, kTlsAlertIllegalParameter);
}
+static void CheckSkeSigScheme(
+ std::shared_ptr<TlsHandshakeRecorder>& capture_ske,
+ uint16_t expected_scheme) {
+ TlsParser parser(capture_ske->buffer());
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_p";
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_q";
+ EXPECT_TRUE(parser.SkipVariable(2)) << " read dh_Ys";
+
+ uint32_t tmp;
+ EXPECT_TRUE(parser.Read(&tmp, 2)) << " read sig_scheme";
+ EXPECT_EQ(expected_scheme, static_cast<uint16_t>(tmp));
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgEnabledByPolicyDhe) {
+ EnableOnlyDheCiphers();
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ EnsureTlsSetup();
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Enable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SSL_KX, 0);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha1);
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgDisabledByPolicyDhe) {
+ EnableOnlyDheCiphers();
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ EnsureTlsSetup();
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy after sending ClientHello so that CH
+ // includes SHA-1 signature scheme.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha384);
+}
+
+TEST_P(TlsConnectPre12, ConnectSigAlgDisabledByPolicyDhePre12) {
+ EnableOnlyDheCiphers();
+
+ EnsureTlsSetup();
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy. This will cause the connection fail as
+ // TLS 1.1 or earlier uses combined SHA-1 + MD5 signature.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ server_->ExpectSendAlert(kTlsAlertHandshakeFailure);
+ client_->ExpectReceiveAlert(kTlsAlertHandshakeFailure);
+
+ // Remainder of handshake
+ Handshake();
+
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+}
+
} // namespace nss_test
diff --git a/gtests/ssl_gtest/ssl_ecdh_unittest.cc b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
--- a/gtests/ssl_gtest/ssl_ecdh_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ecdh_unittest.cc
@@ -666,6 +666,80 @@ TEST_P(TlsConnectTls12, ConnectIncorrect
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
+static void CheckSkeSigScheme(
+ std::shared_ptr<TlsHandshakeRecorder> &capture_ske,
+ uint16_t expected_scheme) {
+ TlsParser parser(capture_ske->buffer());
+ uint32_t tmp = 0;
+ EXPECT_TRUE(parser.Read(&tmp, 1)) << " read curve_type";
+ EXPECT_EQ(3U, tmp) << "curve type has to be 3";
+ EXPECT_TRUE(parser.Skip(2)) << " read namedcurve";
+ EXPECT_TRUE(parser.SkipVariable(1)) << " read public";
+
+ EXPECT_TRUE(parser.Read(&tmp, 2)) << " read sig_scheme";
+ EXPECT_EQ(expected_scheme, static_cast<uint16_t>(tmp));
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgEnabledByPolicy) {
+ EnsureTlsSetup();
+ client_->DisableAllCiphers();
+ client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Enable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_SSL_KX, 0);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha1);
+}
+
+TEST_P(TlsConnectTls12, ConnectSigAlgDisabledByPolicy) {
+ EnsureTlsSetup();
+ client_->DisableAllCiphers();
+ client_->EnableCiphersByKeyExchange(ssl_kea_ecdh);
+
+ const std::vector<SSLSignatureScheme> schemes = {ssl_sig_rsa_pkcs1_sha1,
+ ssl_sig_rsa_pkcs1_sha384};
+
+ client_->SetSignatureSchemes(schemes.data(), schemes.size());
+ server_->SetSignatureSchemes(schemes.data(), schemes.size());
+ auto capture_ske = MakeTlsFilter<TlsHandshakeRecorder>(
+ server_, kTlsHandshakeServerKeyExchange);
+
+ StartConnect();
+ client_->Handshake(); // Send ClientHello
+
+ // Disable SHA-1 by policy.
+ SECStatus rv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, 0, NSS_USE_ALG_IN_SSL_KX);
+ ASSERT_EQ(SECSuccess, rv);
+ rv = NSS_SetAlgorithmPolicy(SEC_OID_APPLY_SSL_POLICY, NSS_USE_POLICY_IN_SSL,
+ 0);
+ ASSERT_EQ(SECSuccess, rv);
+
+ Handshake(); // Remainder of handshake
+ // The server should now report that it is connected
+ EXPECT_EQ(TlsAgent::STATE_CONNECTED, server_->state());
+
+ CheckSkeSigScheme(capture_ske, ssl_sig_rsa_pkcs1_sha384);
+}
+
INSTANTIATE_TEST_CASE_P(KeyExchangeTest, TlsKeyExchangeTest,
::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
TlsConnectTestBase::kTlsV11Plus));
diff --git a/gtests/ssl_gtest/tls_connect.h b/gtests/ssl_gtest/tls_connect.h
--- a/gtests/ssl_gtest/tls_connect.h
+++ b/gtests/ssl_gtest/tls_connect.h
@@ -164,7 +164,7 @@ class TlsConnectTestBase : public ::test
// ssl_extension_unittest.cc.
const std::vector<SECOidTag> algorithms_ = {SEC_OID_APPLY_SSL_POLICY,
SEC_OID_ANSIX9_DSA_SIGNATURE,
- SEC_OID_CURVE25519};
+ SEC_OID_CURVE25519, SEC_OID_SHA1};
std::vector<std::tuple<SECOidTag, uint32_t>> saved_policies_;
private:
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -1454,8 +1454,14 @@ ssl3_ComputeCommonKeyHash(SSLHashType ha
{
SECStatus rv;
SECOidTag hashOID;
+ PRUint32 policy;
if (hashAlg == ssl_hash_none) {
+ if ((NSS_GetAlgorithmPolicy(SEC_OID_SHA1, &policy) == SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+ return SECFailure;
+ }
rv = PK11_HashBuf(SEC_OID_MD5, hashes->u.s.md5, hashBuf, bufLen);
if (rv != SECSuccess) {
ssl_MapLowLevelError(SSL_ERROR_MD5_DIGEST_FAILURE);
@@ -1469,6 +1475,11 @@ ssl3_ComputeCommonKeyHash(SSLHashType ha
hashes->len = MD5_LENGTH + SHA1_LENGTH;
} else {
hashOID = ssl3_HashTypeToOID(hashAlg);
+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) &&
+ !(policy & NSS_USE_ALG_IN_SSL_KX)) {
+ ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);
+ return SECFailure;
+ }
hashes->len = HASH_ResultLenByOidTag(hashOID);
if (hashes->len == 0 || hashes->len > sizeof(hashes->u.raw)) {
ssl_MapLowLevelError(SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM);

104
SOURCES/nss-3.53-fix-private_key_mac.patch Normal file
View File

@ -0,0 +1,104 @@
diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c
--- a/lib/softoken/sftkpwd.c
+++ b/lib/softoken/sftkpwd.c
@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
*plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value,
PR_FALSE, NULL);
if (*plain == NULL) {
rv = SECFailure;
goto loser;
}
/* If we are using aes 256, we need to check authentication as well.*/
- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) {
+ if ((type != CKT_INVALID_TYPE) &&
+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) &&
+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) {
SECItem signature;
unsigned char signData[SDB_MAX_META_DATA_LEN];
/* if we get here from the old legacy db, there is clearly an
* error, don't return the plaintext */
if (handle == NULL) {
rv = SECFailure;
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha
rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
&signature);
if (rv != SECSuccess) {
goto loser;
}
rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type,
*plain, &signature);
if (rv != SECSuccess) {
- goto loser;
+ /* handle a bug where old versions of NSS misfiled the signature
+ * attribute on password update */
+ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE;
+ signature.len = sizeof(signData);
+ rv = sftkdb_GetAttributeSignature(handle, handle, id, type,
+ &signature);
+ if (rv != SECSuccess) {
+ goto loser;
+ }
+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE,
+ type, *plain, &signature);
}
}
loser:
if (cipherValue.param) {
nsspkcs5_DestroyPBEParameter(cipherValue.param);
}
if (cipherValue.arena) {
@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena,
};
const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]);
// We don't know what attributes this object has, so we update them one at a
// time.
unsigned int i;
for (i = 0; i < privAttrCount; i++) {
// Read the old attribute in the clear.
+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK;
CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 };
CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1);
if (crv != CKR_OK) {
continue;
}
if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
continue;
}
@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena,
if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) {
return CKR_GENERAL_ERROR;
}
SECItem plainText;
SECItem *result;
plainText.data = privAttr.pValue;
plainText.len = privAttr.ulValueLen;
if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey,
- iterationCount, id, privAttr.type,
+ iterationCount, sdbId, privAttr.type,
&plainText, &result) != SECSuccess) {
return CKR_GENERAL_ERROR;
}
privAttr.pValue = result->data;
privAttr.ulValueLen = result->len;
// Clear sensitive data.
PORT_Memset(plainText.data, 0, plainText.len);
// Write the newly encrypted attributes out directly.
- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK;
keydb->newKey = newKey;
keydb->newDefaultIterationCount = iterationCount;
- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1);
+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1);
keydb->newKey = NULL;
if (crv != CKR_OK) {
return crv;
}
}
return CKR_OK;
}

12
SOURCES/nss-3.53-strict-proto-fix.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./lib/pk11wrap/pk11pub.h.strict_proto_fix ./lib/pk11wrap/pk11pub.h
--- ./lib/pk11wrap/pk11pub.h.strict_proto_fix 2020-06-04 16:48:54.721954514 -0700
+++ ./lib/pk11wrap/pk11pub.h 2020-06-04 16:49:17.074066050 -0700
@@ -948,7 +948,7 @@ PRBool SECMOD_HasRootCerts(void);
* the system state independent of the database state and can be called
* before NSS initializes.
*/
-int SECMOD_GetSystemFIPSEnabled();
+int SECMOD_GetSystemFIPSEnabled(void);
SEC_END_PROTOS

74
SOURCES/nss-3.53.1-chacha-len.patch Normal file
View File

@ -0,0 +1,74 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031218 0
# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
# Parent f282556e6cc7715f5754aeaadda6f902590e7e38
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D74801
diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
--- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -40,28 +40,35 @@ class Pkcs11ChaCha20Poly1305Test
aead_params.ulNonceLen = iv_len;
aead_params.pAAD = toUcharPtr(aad);
aead_params.ulAADLen = aad_len;
aead_params.ulTagLen = 16;
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
sizeof(aead_params)};
- // Encrypt with bad parameters.
+ // Encrypt with bad parameters (TagLen is too long).
unsigned int encrypted_len = 0;
std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
aead_params.ulTagLen = 158072;
SECStatus rv =
PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(0U, encrypted_len);
- aead_params.ulTagLen = 16;
+
+ // Encrypt with bad parameters (TagLen is too short).
+ aead_params.ulTagLen = 2;
+ rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+ &encrypted_len, encrypted.size(), data, data_len);
+ EXPECT_EQ(SECFailure, rv);
+ EXPECT_EQ(0U, encrypted_len);
// Encrypt.
+ aead_params.ulTagLen = 16;
rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
// Return if encryption failure was expected due to invalid IV.
// Without valid ciphertext, all further tests can be skipped.
if (invalid_iv) {
EXPECT_EQ(rv, SECFailure);
EXPECT_EQ(0U, encrypted_len)
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
--- a/lib/freebl/chacha20poly1305.c
+++ b/lib/freebl/chacha20poly1305.c
@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
{
#ifdef NSS_DISABLE_CHACHAPOLY
return SECFailure;
#else
if (keyLen != 32) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
- if (tagLen == 0 || tagLen > 16) {
+ if (tagLen != 16) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return SECFailure;
}
PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
ctx->tagLen = tagLen;
return SECSuccess;

96
SOURCES/nss-3.53.1-chacha-multi.patch Normal file
View File

@ -0,0 +1,96 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031194 0
# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
# Parent 89733253df83ef7fe8dd0d49f6370b857e93d325
Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
Depends on D74801
Differential Revision: https://phabricator.services.mozilla.com/D83994
diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
--- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
PK11_FreeSymKey(key);
PK11_FreeSlot(slot);
PK11_DestroyContext(ctx, PR_TRUE);
NSS_ShutdownContext(globalctx);
}
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
+ PK11SlotInfo* slot;
+ PK11SymKey* key;
+ PK11Context* ctx;
+
+ NSSInitContext* globalctx =
+ NSS_InitContext("", "", "", "", NULL,
+ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
+
+ slot = PK11_GetInternalSlot();
+ ASSERT_TRUE(slot);
+
+ // Use arbitrary bytes for the ChaCha20 key and IV
+ uint8_t key_bytes[32];
+ for (size_t i = 0; i < 32; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem keyItem = {siBuffer, key_bytes, 32};
+
+ uint8_t iv_bytes[16];
+ for (size_t i = 0; i < 16; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem ivItem = {siBuffer, iv_bytes, 16};
+
+ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
+
+ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+ &keyItem, NULL);
+ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
+ ASSERT_TRUE(key);
+ ASSERT_TRUE(ctx);
+
+ uint8_t outbuf[128];
+ // This is supposed to fail for Chacha20. This is because the underlying
+ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
+ // which multi-part is disabled for ChaCha20 in counter mode.
+ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
+
+ PK11_FreeSymKey(key);
+ PK11_FreeSlot(slot);
+ SECITEM_FreeItem(param, PR_TRUE);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ NSS_ShutdownContext(globalctx);
+}
+
} // namespace nss_test
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -1251,16 +1251,17 @@ sftk_CryptInit(CK_SESSION_HANDLE hSessio
case CKM_NSS_CHACHA20_CTR: /* old NSS private version */
case CKM_CHACHA20: /* PKCS #11 v3 version */
{
unsigned char *counter;
unsigned char *nonce;
unsigned long counter_len;
unsigned long nonce_len;
+ context->multi = PR_FALSE;
if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) {
if (key_type != CKK_NSS_CHACHA20) {
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 16) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;

1271
SOURCES/nss-3.53.1-cmac-kdf-selftests.patch Normal file
View File

File diff suppressed because it is too large Load Diff

19783
SOURCES/nss-3.53.1-constant-time-p384.patch Normal file
View File

File diff suppressed because it is too large Load Diff

11923
SOURCES/nss-3.53.1-constant-time-p521.patch Normal file
View File

File diff suppressed because it is too large Load Diff

5798
SOURCES/nss-3.53.1-diffie_hellman_checks.patch Normal file
View File

File diff suppressed because it is too large Load Diff

899
SOURCES/nss-3.53.1-enable-disable-policy.patch Normal file
View File

@ -0,0 +1,899 @@
diff -up ./lib/nss/nss.h.orig ./lib/nss/nss.h
--- ./lib/nss/nss.h.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./lib/nss/nss.h 2020-10-29 13:17:16.386664203 -0700
@@ -299,6 +299,8 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
* old NSS versions. This option might be removed in the future NSS
* releases; don't rely on it. */
#define __NSS_PKCS12_DECODE_FORCE_UNICODE 0x00c
+#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
+#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
/*
* Set and get global options for the NSS library.
diff -up ./lib/nss/nssoptions.c.orig ./lib/nss/nssoptions.c
--- ./lib/nss/nssoptions.c.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./lib/nss/nssoptions.c 2020-10-29 13:17:16.386664203 -0700
@@ -14,6 +14,7 @@
#include "secoid.h"
#include "nss.h"
#include "nssoptions.h"
+#include "secerr.h"
struct nssOps {
PRInt32 rsaMinKeySize;
@@ -24,6 +25,7 @@ struct nssOps {
PRInt32 dtlsVersionMinPolicy;
PRInt32 dtlsVersionMaxPolicy;
PRInt32 pkcs12DecodeForceUnicode;
+ PRInt32 defaultLocks;
};
static struct nssOps nss_ops = {
@@ -34,7 +36,8 @@ static struct nssOps nss_ops = {
0xffff, /* set TLS max to more than the largest legal SSL value */
1,
0xffff,
- PR_FALSE
+ PR_FALSE,
+ 0
};
SECStatus
@@ -42,6 +45,11 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
{
SECStatus rv = SECSuccess;
+ if (NSS_IsPolicyLocked()) {
+ PORT_SetError(SEC_ERROR_POLICY_LOCKED);
+ return SECFailure;
+ }
+
switch (which) {
case NSS_RSA_MIN_KEY_SIZE:
nss_ops.rsaMinKeySize = value;
@@ -67,7 +75,11 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
case __NSS_PKCS12_DECODE_FORCE_UNICODE:
nss_ops.pkcs12DecodeForceUnicode = value;
break;
+ case NSS_DEFAULT_LOCKS:
+ nss_ops.defaultLocks = value;
+ break;
default:
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
@@ -104,6 +116,9 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
case __NSS_PKCS12_DECODE_FORCE_UNICODE:
*value = nss_ops.pkcs12DecodeForceUnicode;
break;
+ case NSS_DEFAULT_LOCKS:
+ *value = nss_ops.defaultLocks;
+ break;
default:
rv = SECFailure;
}
diff -up ./lib/pk11wrap/pk11pars.c.orig ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.orig 2020-10-29 13:14:14.119727304 -0700
+++ ./lib/pk11wrap/pk11pars.c 2020-10-29 13:17:16.387664208 -0700
@@ -158,16 +158,17 @@ SECMOD_CreateModule(const char *library,
* Disallow values are parsed first, then allow values, independent of the
* order they appear.
*
- * Future key words (not yet implemented):
+ * flags: turn on the following flags:
+ * policy-lock: turn off the ability for applications to change policy with
+ * the call NSS_SetAlgorithmPolicy or the other system policy
+ * calls (SSL_SetPolicy, etc.)
+ * ssl-lock: turn off the ability to change the ssl defaults.
+ *
+ * The following only apply to ssl cipher suites (future smime)
+ *
* enable: turn on ciphersuites by default.
* disable: turn off ciphersuites by default without disallowing them by policy.
- * flags: turn on the following flags:
- * ssl-lock: turn off the ability for applications to change policy with
- * the SSL_SetCipherPolicy (or SSL_SetPolicy).
- * policy-lock: turn off the ability for applications to change policy with
- * the call NSS_SetAlgorithmPolicy.
- * ssl-default-lock: turn off the ability for applications to change cipher
- * suite states with SSL_EnableCipher, SSL_DisableCipher.
+ *
*
*/
@@ -389,7 +390,13 @@ static const oidValDef kxOptList[] = {
static const oidValDef signOptList[] = {
/* Signatures */
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
+ NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@@ -405,7 +412,7 @@ static const algListsDef algOptLists[] =
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
};
static const optionFreeDef sslOptList[] = {
@@ -443,10 +450,19 @@ static const policyFlagDef policyFlagLis
/* add other key exhanges in the future */
{ CIPHER_NAME("KEY-EXCHANGE"), NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("CERT-SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
- /* add other signatures in the future */
- { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_CERT_SIGNATURE },
- /* enable everything */
- { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ { CIPHER_NAME("CMS-SIGNATURE"), NSS_USE_ALG_IN_CMS_SIGNATURE },
+ { CIPHER_NAME("ALL-SIGNATURE"), NSS_USE_ALG_IN_SIGNATURE },
+ /* sign turns off all signatures, but doesn't change the
+ * allowance for specific sigantures... for example:
+ * disallow=sha256/all allow=sha256/signature doesn't allow
+ * cert-sigantures, where disallow=sha256/all allow=sha256/all-signature
+ * does.
+ * however, disallow=sha356/signature and disallow=sha256/all-siganture are
+ * equivalent in effect */
+ { CIPHER_NAME("SIGNATURE"), NSS_USE_ALG_IN_ANY_SIGNATURE },
+ /* enable/disable everything */
+ { CIPHER_NAME("ALL"), NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX |
+ NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("NONE"), 0 }
};
@@ -538,8 +554,82 @@ secmod_getPolicyOptValue(const char *pol
return SECFailure;
}
+/* Policy operations:
+ * Disallow: operation is disallowed by policy. Implies disabled.
+ * Allow: operation is allowed by policy (but could be disabled).
+ * Disable: operation is turned off by default (but could be allowed).
+ * Enable: operation is enabled by default. Implies allowed.
+ */
+typedef enum {
+ NSS_DISALLOW,
+ NSS_ALLOW,
+ NSS_DISABLE,
+ NSS_ENABLE
+} NSSPolicyOperation;
+
+/* apply the operator specific policy */
+SECStatus
+secmod_setPolicyOperation(SECOidTag oid, NSSPolicyOperation operation,
+ PRUint32 value)
+{
+ SECStatus rv = SECSuccess;
+ switch (operation) {
+ case NSS_DISALLOW:
+ /* clear the requested policy bits */
+ rv = NSS_SetAlgorithmPolicy(oid, 0, value);
+ break;
+ case NSS_ALLOW:
+ /* set the requested policy bits */
+ rv = NSS_SetAlgorithmPolicy(oid, value, 0);
+ break;
+ /* enable/disable only apply to SSL cipher suites (future S/MIME).
+ * Enable/disable is implemented by clearing the DEFAULT_NOT_VALID
+ * flag, then setting the NSS_USE_DEFAULT_SSL_ENABLE flag to the
+ * correct value. The ssl policy code will then sort out what to
+ * set based on ciphers and cipher suite values.*/
+ case NSS_DISABLE:
+ if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
+ /* clear not valid and enable */
+ rv = NSS_SetAlgorithmPolicy(oid, 0,
+ NSS_USE_DEFAULT_NOT_VALID |
+ NSS_USE_DEFAULT_SSL_ENABLE);
+ }
+ break;
+ case NSS_ENABLE:
+ if (value & (NSS_USE_ALG_IN_SSL | NSS_USE_ALG_IN_SSL_KX)) {
+ /* set enable, clear not valid. NOTE: enable implies allow! */
+ rv = NSS_SetAlgorithmPolicy(oid, value | NSS_USE_DEFAULT_SSL_ENABLE,
+ NSS_USE_DEFAULT_NOT_VALID);
+ }
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ rv = SECFailure;
+ break;
+ }
+ return rv;
+}
+
+const char *
+secmod_getOperationString(NSSPolicyOperation operation)
+{
+ switch (operation) {
+ case NSS_DISALLOW:
+ return "disallow";
+ case NSS_ALLOW:
+ return "allow";
+ case NSS_DISABLE:
+ return "disable";
+ case NSS_ENABLE:
+ return "enable";
+ default:
+ break;
+ }
+ return "invalid";
+}
+
static SECStatus
-secmod_applyCryptoPolicy(const char *policyString, PRBool allow,
+secmod_applyCryptoPolicy(const char *policyString, NSSPolicyOperation operation,
PRBool printPolicyFeedback)
{
const char *cipher, *currentString;
@@ -573,18 +663,10 @@ secmod_applyCryptoPolicy(const char *pol
for (i = 0; i < PR_ARRAY_SIZE(algOptLists); i++) {
const algListsDef *algOptList = &algOptLists[i];
for (j = 0; j < algOptList->entries; j++) {
- PRUint32 enable, disable;
if (!newValue) {
value = algOptList->list[j].val;
}
- if (allow) {
- enable = value;
- disable = 0;
- } else {
- enable = 0;
- disable = value;
- }
- NSS_SetAlgorithmPolicy(algOptList->list[j].oid, enable, disable);
+ secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
}
}
continue;
@@ -603,20 +685,12 @@ secmod_applyCryptoPolicy(const char *pol
if ((newOption || algOpt->name_size == length) &&
PORT_Strncasecmp(algOpt->name, cipher, name_size) == 0) {
PRUint32 value = algOpt->val;
- PRUint32 enable, disable;
if (newOption) {
value = secmod_parsePolicyValue(&cipher[name_size] + 1,
length - name_size - 1,
printPolicyFeedback);
}
- if (allow) {
- enable = value;
- disable = 0;
- } else {
- enable = 0;
- disable = value;
- }
- rv = NSS_SetAlgorithmPolicy(algOpt->oid, enable, disable);
+ rv = secmod_setPolicyOperation(algOptList->list[j].oid, operation, value);
if (rv != SECSuccess) {
/* could not enable option */
/* NSS_SetAlgorithPolicy should have set the error code */
@@ -666,7 +740,7 @@ secmod_applyCryptoPolicy(const char *pol
if (unknown && printPolicyFeedback) {
PR_SetEnv("NSS_POLICY_FAIL=1");
fprintf(stderr, "NSS-POLICY-FAIL %s: unknown identifier: %.*s\n",
- allow ? "allow" : "disallow", length, cipher);
+ secmod_getOperationString(operation), length, cipher);
}
}
return rv;
@@ -709,7 +783,8 @@ secmod_sanityCheckCryptoPolicy(void)
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for SSL\n", algOpt->name);
}
- if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) && (value & NSS_USE_ALG_IN_CERT_SIGNATURE)) {
+ if ((algOpt->val & NSS_USE_ALG_IN_CERT_SIGNATURE) &&
+ ((value & NSS_USE_CERT_SIGNATURE_OK) == NSS_USE_CERT_SIGNATURE_OK)) {
++num_sig_enabled;
anyEnabled = PR_TRUE;
fprintf(stderr, "NSS-POLICY-INFO: %s is enabled for CERT-SIGNATURE\n", algOpt->name);
@@ -740,7 +815,7 @@ secmod_sanityCheckCryptoPolicy(void)
static SECStatus
secmod_parseCryptoPolicy(const char *policyConfig, PRBool printPolicyFeedback)
{
- char *disallow, *allow;
+ char *args;
SECStatus rv;
if (policyConfig == NULL) {
@@ -752,20 +827,46 @@ secmod_parseCryptoPolicy(const char *pol
if (rv != SECSuccess) {
return rv;
}
- disallow = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
- rv = secmod_applyCryptoPolicy(disallow, PR_FALSE, printPolicyFeedback);
- if (disallow)
- PORT_Free(disallow);
+ args = NSSUTIL_ArgGetParamValue("disallow", policyConfig);
+ rv = secmod_applyCryptoPolicy(args, NSS_DISALLOW, printPolicyFeedback);
+ if (args)
+ PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
- allow = NSSUTIL_ArgGetParamValue("allow", policyConfig);
- rv = secmod_applyCryptoPolicy(allow, PR_TRUE, printPolicyFeedback);
- if (allow)
- PORT_Free(allow);
+ args = NSSUTIL_ArgGetParamValue("allow", policyConfig);
+ rv = secmod_applyCryptoPolicy(args, NSS_ALLOW, printPolicyFeedback);
+ if (args)
+ PORT_Free(args);
if (rv != SECSuccess) {
return rv;
}
+ args = NSSUTIL_ArgGetParamValue("disable", policyConfig);
+ rv = secmod_applyCryptoPolicy(args, NSS_DISABLE, printPolicyFeedback);
+ if (args)
+ PORT_Free(args);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ args = NSSUTIL_ArgGetParamValue("enable", policyConfig);
+ rv = secmod_applyCryptoPolicy(args, NSS_ENABLE, printPolicyFeedback);
+ if (args)
+ PORT_Free(args);
+ if (rv != SECSuccess) {
+ return rv;
+ }
+ /* this has to be last. Everything after this will be a noop */
+ if (NSSUTIL_ArgHasFlag("flags", "ssl-lock", policyConfig)) {
+ PRInt32 locks;
+ /* don't overwrite other (future) lock flags */
+ rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
+ if (rv == SECSuccess) {
+ NSS_OptionSet(NSS_DEFAULT_LOCKS, locks | NSS_DEFAULT_SSL_LOCK);
+ }
+ }
+ if (NSSUTIL_ArgHasFlag("flags", "policy-lock", policyConfig)) {
+ NSS_LockPolicy();
+ }
if (printPolicyFeedback) {
/* This helps to distinguish configurations that don't contain any
* policy config= statement. */
diff -up ./lib/ssl/ssl3con.c.orig ./lib/ssl/ssl3con.c
--- ./lib/ssl/ssl3con.c.orig 2020-10-29 13:14:14.122727319 -0700
+++ ./lib/ssl/ssl3con.c 2020-10-29 13:23:11.101487525 -0700
@@ -13534,6 +13534,61 @@ ssl3_DestroySSL3Info(sslSocket *ss)
tls13_DestroyEarlyData(&ss->ssl3.hs.bufferedEarlyData);
}
+/*
+ * parse the policy value for a single algorithm in a cipher_suite,
+ * return TRUE if we disallow by the cipher suite by policy
+ * (we don't have to parse any more algorithm policies on this cipher suite),
+ * otherwise return FALSE.
+ * 1. If we don't have the required policy, disable by default, disallow by
+ * policy and return TRUE (no more processing needed).
+ * 2. If we have the required policy, and we are disabled, return FALSE,
+ * (if we are disabled, we only need to parse policy, not default).
+ * 3. If we have the required policy, and we aren't adjusting the defaults
+ * return FALSE. (only parsing the policy, not default).
+ * 4. We have the required policy and we are adjusting the defaults.
+ * If we are setting default = FALSE, set isDisabled to true so that
+ * we don't try to re-enable the cipher suite based on a different
+ * algorithm.
+ */
+PRBool
+ssl_HandlePolicy(int cipher_suite, SECOidTag policyOid,
+ PRUint32 requiredPolicy, PRBool *isDisabled)
+{
+ PRUint32 policy;
+ SECStatus rv;
+
+ /* first fetch the policy for this algorithm */
+ rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
+ if (rv != SECSuccess) {
+ return PR_FALSE; /* no policy value, continue to the next algorithm */
+ }
+ /* first, are we allowed by policy, if not turn off allow and disable */
+ if (!(policy & requiredPolicy)) {
+ ssl_CipherPrefSetDefault(cipher_suite, PR_FALSE);
+ ssl_CipherPolicySet(cipher_suite, SSL_NOT_ALLOWED);
+ return PR_TRUE;
+ }
+ /* If we are already disabled, or the policy isn't setting a default
+ * we are done processing this algorithm */
+ if (*isDisabled || (policy & NSS_USE_DEFAULT_NOT_VALID)) {
+ return PR_FALSE;
+ }
+ /* set the default value for the cipher suite. If we disable the cipher
+ * suite, remember that so we don't process the next default. This has
+ * the effect of disabling the whole cipher suite if any of the
+ * algorithms it uses are disabled by default. We still have to
+ * process the upper level because the cipher suite is still allowed
+ * by policy, and we may still have to disallow it based on other
+ * algorithms in the cipher suite. */
+ if (policy & NSS_USE_DEFAULT_SSL_ENABLE) {
+ ssl_CipherPrefSetDefault(cipher_suite, PR_TRUE);
+ } else {
+ *isDisabled = PR_TRUE;
+ ssl_CipherPrefSetDefault(cipher_suite, PR_FALSE);
+ }
+ return PR_FALSE;
+}
+
#define MAP_NULL(x) (((x) != 0) ? (x) : SEC_OID_NULL_CIPHER)
SECStatus
@@ -13552,30 +13607,30 @@ ssl3_ApplyNSSPolicy(void)
for (i = 1; i < PR_ARRAY_SIZE(cipher_suite_defs); ++i) {
const ssl3CipherSuiteDef *suite = &cipher_suite_defs[i];
SECOidTag policyOid;
+ PRBool isDisabled = PR_FALSE;
+
+ /* if we haven't explicitly disabled it below enable by policy */
+ ssl_CipherPolicySet(suite->cipher_suite, SSL_ALLOWED);
+ /* now check the various key exchange, ciphers and macs and
+ * if we ever disallow by policy, we are done, go to the next cipher
+ */
policyOid = MAP_NULL(kea_defs[suite->key_exchange_alg].oid);
- rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
- if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL_KX)) {
- ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
- ssl_CipherPolicySet(suite->cipher_suite, SSL_NOT_ALLOWED);
+ if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
+ NSS_USE_ALG_IN_SSL_KX, &isDisabled)) {
continue;
}
policyOid = MAP_NULL(ssl_GetBulkCipherDef(suite)->oid);
- rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
- if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL)) {
- ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
- ssl_CipherPolicySet(suite->cipher_suite, SSL_NOT_ALLOWED);
+ if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
+ NSS_USE_ALG_IN_SSL, &isDisabled)) {
continue;
}
if (ssl_GetBulkCipherDef(suite)->type != type_aead) {
policyOid = MAP_NULL(ssl_GetMacDefByAlg(suite->mac_alg)->oid);
- rv = NSS_GetAlgorithmPolicy(policyOid, &policy);
- if (rv == SECSuccess && !(policy & NSS_USE_ALG_IN_SSL)) {
- ssl_CipherPrefSetDefault(suite->cipher_suite, PR_FALSE);
- ssl_CipherPolicySet(suite->cipher_suite,
- SSL_NOT_ALLOWED);
+ if (ssl_HandlePolicy(suite->cipher_suite, policyOid,
+ NSS_USE_ALG_IN_SSL, &isDisabled)) {
continue;
}
}
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.orig 2020-10-29 13:14:14.201727725 -0700
+++ ./lib/ssl/sslsock.c 2020-10-29 13:17:16.389664218 -0700
@@ -1447,6 +1447,10 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
if (rv != SECSuccess) {
return rv;
}
+ if (NSS_IsPolicyLocked()) {
+ PORT_SetError(SEC_ERROR_POLICY_LOCKED);
+ return SECFailure;
+ }
return ssl_CipherPolicySet(which, policy);
}
@@ -1493,10 +1497,15 @@ SECStatus
SSL_CipherPrefSetDefault(PRInt32 which, PRBool enabled)
{
SECStatus rv = ssl_Init();
+ PRInt32 locks;
if (rv != SECSuccess) {
return rv;
}
+ rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
+ if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) {
+ return SECSuccess;
+ }
return ssl_CipherPrefSetDefault(which, enabled);
}
@@ -1522,11 +1531,17 @@ SECStatus
SSL_CipherPrefSet(PRFileDesc *fd, PRInt32 which, PRBool enabled)
{
sslSocket *ss = ssl_FindSocket(fd);
+ PRInt32 locks;
+ SECStatus rv;
if (!ss) {
SSL_DBG(("%d: SSL[%d]: bad socket in CipherPrefSet", SSL_GETPID(), fd));
return SECFailure;
}
+ rv = NSS_OptionGet(NSS_DEFAULT_LOCKS, &locks);
+ if ((rv == SECSuccess) && (locks & NSS_DEFAULT_SSL_LOCK)) {
+ return SECSuccess;
+ }
if (ssl_IsRemovedCipherSuite(which))
return SECSuccess;
return ssl3_CipherPrefSet(ss, (ssl3CipherSuite)which, enabled);
diff -up ./lib/util/nssutil.def.orig ./lib/util/nssutil.def
--- ./lib/util/nssutil.def.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./lib/util/nssutil.def 2020-10-29 13:17:16.390664223 -0700
@@ -334,3 +334,10 @@ NSSUTIL_AddNSSFlagToModuleSpec;
;+ local:
;+ *;
;+};
+;+NSSUTIL_3.59 { # NSS Utilities 3.59 release
+;+ global:
+NSS_IsPolicyLocked;
+NSS_LockPolicy;
+;+ local:
+;+ *;
+;+};
diff -up ./lib/util/secerr.h.orig ./lib/util/secerr.h
--- ./lib/util/secerr.h.orig 2020-10-29 13:17:16.390664223 -0700
+++ ./lib/util/secerr.h 2020-10-29 13:28:22.701093270 -0700
@@ -210,6 +210,11 @@ typedef enum {
SEC_ERROR_APPLICATION_CALLBACK_ERROR = (SEC_ERROR_BASE + 178),
+ SEC_ERROR_INVALID_STATE = (SEC_ERROR_BASE + 179),
+
+ SEC_ERROR_POLICY_LOCKED = (SEC_ERROR_BASE + 180),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED = (SEC_ERROR_BASE + 181),
+
/* Add new error codes above here. */
SEC_ERROR_END_OF_LIST
} SECErrorCodes;
diff -up ./lib/util/SECerrs.h.orig ./lib/util/SECerrs.h
--- ./lib/util/SECerrs.h.orig 2020-10-29 13:17:16.389664218 -0700
+++ ./lib/util/SECerrs.h 2020-10-29 13:26:46.960599243 -0700
@@ -549,3 +549,12 @@ ER3(SEC_ERROR_LEGACY_DATABASE, (SEC_ERRO
ER3(SEC_ERROR_APPLICATION_CALLBACK_ERROR, (SEC_ERROR_BASE + 178),
"The certificate was rejected by extra checks in the application.")
+
+ER3(SEC_ERROR_INVALID_STATE, (SEC_ERROR_BASE + 179),
+ "The attempted operation is invalid for the current state.")
+
+ER3(SEC_ERROR_POLICY_LOCKED, (SEC_ERROR_BASE + 180),
+ "Could not change the policy because the policy is now locked.")
+
+ER3(SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED, (SEC_ERROR_BASE + 181),
+ "Could not create or verify a signature using a signature algorithm that is disabled because it is not secure.")
diff -up ./lib/util/secoid.c.orig ./lib/util/secoid.c
--- ./lib/util/secoid.c.orig 2020-10-29 13:14:14.119727304 -0700
+++ ./lib/util/secoid.c 2020-10-29 13:17:16.390664223 -0700
@@ -2257,6 +2257,8 @@ NSS_GetAlgorithmPolicy(SECOidTag tag, PR
return SECSuccess;
}
+static PRBool nss_policy_locked = PR_FALSE;
+
/* The Set function modifies the stored value according to the following
* algorithm:
* policy[tag] = (policy[tag] & ~clearBits) | setBits;
@@ -2268,6 +2270,11 @@ NSS_SetAlgorithmPolicy(SECOidTag tag, PR
PRUint32 policyFlags;
if (!pxo)
return SECFailure;
+
+ if (nss_policy_locked) {
+ PORT_SetError(SEC_ERROR_POLICY_LOCKED);
+ return SECFailure;
+ }
/* The stored policy flags are the ones complement of the flags as
* seen by the user. This is not atomic, but these changes should
* be done rarely, e.g. at initialization time.
@@ -2278,6 +2285,20 @@ NSS_SetAlgorithmPolicy(SECOidTag tag, PR
return SECSuccess;
}
+/* Get the state of nss_policy_locked */
+PRBool
+NSS_IsPolicyLocked(void)
+{
+ return nss_policy_locked;
+}
+
+/* Once the policy is locked, it can't be unlocked */
+void
+NSS_LockPolicy(void)
+{
+ nss_policy_locked = PR_TRUE;
+}
+
/* --------- END OF opaque extended OID table accessor functions ---------*/
/* for now, this is only used in a single place, so it can remain static */
@@ -2339,6 +2360,9 @@ SECOID_Shutdown(void)
dynOidEntriesAllocated = 0;
dynOidEntriesUsed = 0;
}
+ /* we are trashing the old policy state now, also reenable changing
+ * the policy as well */
+ nss_policy_locked = PR_FALSE;
memset(xOids, 0, sizeof xOids);
return SECSuccess;
}
diff -up ./lib/util/secoid.h.orig ./lib/util/secoid.h
--- ./lib/util/secoid.h.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./lib/util/secoid.h 2020-10-29 13:17:16.390664223 -0700
@@ -135,6 +135,15 @@ extern SECStatus NSS_GetAlgorithmPolicy(
extern SECStatus
NSS_SetAlgorithmPolicy(SECOidTag tag, PRUint32 setBits, PRUint32 clearBits);
+/* Lock the policy so NSS_SetAlgorithmPolicy (and other policy functions)
+ * No longer function */
+void
+NSS_LockPolicy(void);
+
+/* return true if policy changes are now locked out */
+PRBool
+NSS_IsPolicyLocked(void);
+
SEC_END_PROTOS
#endif /* _SECOID_H_ */
diff -up ./lib/util/secoidt.h.orig ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./lib/util/secoidt.h 2020-10-29 13:17:16.390664223 -0700
@@ -538,7 +538,24 @@ struct SECOidDataStr {
#define NSS_USE_ALG_IN_SSL_KX 0x00000004 /* used in SSL key exchange */
#define NSS_USE_ALG_IN_SSL 0x00000008 /* used in SSL record protocol */
#define NSS_USE_POLICY_IN_SSL 0x00000010 /* enable policy in SSL protocol */
-#define NSS_USE_ALG_RESERVED 0xfffffffc /* may be used in future */
+#define NSS_USE_ALG_IN_ANY_SIGNATURE 0x00000020 /* used in S/MIME */
+#define NSS_USE_DEFAULT_NOT_VALID 0x80000000 /* clear to make the default flag valid */
+#define NSS_USE_DEFAULT_SSL_ENABLE 0x40000000 /* default cipher suite setting 1=enable */
+
+/* Combo policy bites */
+#define NSS_USE_ALG_RESERVED 0x3fffffc0 /* may be used in future */
+/* Alias of all the signature values. */
+#define NSS_USE_ALG_IN_SIGNATURE (NSS_USE_ALG_IN_CERT_SIGNATURE | \
+ NSS_USE_ALG_IN_CMS_SIGNATURE | \
+ NSS_USE_ALG_IN_ANY_SIGNATURE)
+/* all the bits needed for a certificate signature
+ * and only the bits needed for a certificate signature */
+#define NSS_USE_CERT_SIGNATURE_OK (NSS_USE_ALG_IN_CERT_SIGNATURE | \
+ NSS_USE_ALG_IN_ANY_SIGNATURE)
+/* all the bits needed for an SMIME signature
+ * and only the bits needed for an SMIME signature */
+#define NSS_USE_CMS_SIGNATURE_OK (NSS_USE_ALG_IN_CMS_SIGNATURE | \
+ NSS_USE_ALG_IN_ANY_SIGNATURE)
/* Code MUST NOT SET or CLEAR reserved bits, and must NOT depend on them
* being all zeros or having any other known value. The reserved bits
diff -up ./tests/policy/crypto-policy.txt.orig ./tests/policy/crypto-policy.txt
--- ./tests/policy/crypto-policy.txt.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./tests/policy/crypto-policy.txt 2020-10-29 13:17:16.390664223 -0700
@@ -3,14 +3,15 @@
# col 3: an extended regular expression, expected to match the output
# col 4: description of the test
#
-0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
-0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
-0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
+0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
1 disallow=all NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all
-1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
+1 disallow=all/signature NSS-POLICY-WARN.*NUMBER-OF-CERT-SIG disallow all signatures
+1 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-WARN.*NUMBER-OF-HASH No Hashes
1 disallow=ALL_allow=tls-version-min=0:tls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS All TLS versions disabled
1 disallow=ALL_allow=dtls-version-min=0:dtls-version-max=0 NSS-POLICY-WARN.*NUMBER-OF-DTLS-VERSIONS All DTLS versions disabled
1 disallow=ALL_allow=tls-version-min=tls1.2:tls-version-max=tls1.1 NSS-POLICY-WARN.*NUMBER-OF-TLS-VERSIONS Invalid range of TLS versions
diff -up ./tests/policy/policy.sh.orig ./tests/policy/policy.sh
--- ./tests/policy/policy.sh.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./tests/policy/policy.sh 2020-10-29 13:17:16.391664228 -0700
@@ -12,6 +12,28 @@
#
########################################################################
+policy_init()
+{
+ SCRIPTNAME=policy.sh # sourced - $0 would point to all.sh
+
+ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for
+ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it
+ fi
+
+ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then
+ cd ../common
+ . ./init.sh
+ fi
+ SCRIPTNAME=policy.sh
+
+}
+
+policy_cleanup()
+{
+ cd ${QADIR}
+ . common/cleanup.sh
+}
+
ignore_blank_lines()
{
LC_ALL=C egrep -v '^[[:space:]]*(#|$)' "$1"
@@ -53,6 +75,9 @@ NSS=flags=policyOnly,moduleDB
html_msg $ret 0 "\"${testname}\" output is expected to match \"${match}\""
done
+ html "</TABLE><BR>"
}
+policy_init
policy_run_tests
+policy_cleanup
diff -up ./tests/ssl/sslpolicy.txt.orig ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./tests/ssl/sslpolicy.txt 2020-10-29 13:17:16.391664228 -0700
@@ -7,8 +7,14 @@
# The policy string is set to the config= line in the pkcs11.txt
# it currently has 2 keywords:
#
-# disallow= turn off the use of this algorithm by policy.
+# disallow= turn off the use of this algorithm by policy. (implies disable)
# allow= allow this algorithm to by used if selected by policy.
+# disable= turn off the use of this algorithm even if allowed by policy
+# (application can override)
+# enable= turn off this algorithm by default (implies allow)
+# flags= policy-lock: can't change policy with NSS_SetAlgorithmPolicy,
+# NSS_SetOption, or SSL_SetCipherPolicy
+# ssl-lock: can't change the cipher suite settings with the application.
#
# The syntax is disallow=algorithm{/uses}:algorithm{/uses}
# where {} signifies an optional element
@@ -76,6 +82,9 @@
# SECT571R1
# Signatures:
# DSA
+# RSA-PKCS
+# RSA-PSS
+# ECDSA
# Hashes:
# MD2
# MD4
@@ -137,7 +146,8 @@
# ssl-key-exchange
# key-exchange (includes ssl-key-exchange)
# cert-signature
-# signature (includes cert-signature)
+# all-signature (includes cert-signature)
+# signature (all signatures off, some signature allowed based on other option)
# all (includes all of the above)
#-----------------------------------------------
# In addition there are the following options:
@@ -147,31 +157,48 @@
# they have the following syntax:
# allow=min-rsa=512:min-dh=1024
#
+# in the following tests, we use the cipher suite 'd':
+# d SSL3 RSA WITH 3DES EDE CBC SHA (=:000a).
+# NOTE: the certificates used in validation are rsa-pkcs1/sha256 signed.
+#
# Exp Enable Enable Cipher Config Policy Test Name
# Ret EC TLS
# turn on single cipher
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
- 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/cert-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
- 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
- 1 noECC SSL3 d disallow=all Disallow All Explicitly.
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Narrow Policy
+ 0 noECC SSL3 d disallow=all_allow=hmac-sha1/ssl,ssl-key-exchange:sha256/all-signature:rsa-pkcs/all-signature:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Allowed by Strict Policy
+ 0 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:dsa/all:rsa-pss/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Allow All Explicitly
+ 1 noECC SSL3 d disallow=all Disallow All Explicitly
# turn off signature only
- 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Signatures Explicitly.
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly.
+ 0 noECC SSL3 d disallow=all/signature Disallow all signatures with Explicitly
+ 1 noECC SSL3 d disallow=sha256 Disallow SHA256 Explicitly
+ 1 noECC SSL3 d disallow=sha256/cert-signature Disallow SHA256 Certificate signature Explicitly
+ 0 noECC SSL3 d disallow=sha256/signature Disallow All SHA256 signatures Explicitly
+ 1 noECC SSL3 d disallow=sha256/all-signature Disallow Any SHA256 signature Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:rsa/ssl-key-exchange:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow SHA256 Signatures Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:dsa/all:ecdsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow SHA256 Signatures Implicitly
# turn off single cipher
1 noECC SSL3 d disallow=des-ede3-cbc Disallow Cipher Explicitly
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Cipher Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-verion-max=tls1.2 Disallow Cipher Implicitly
# turn off H-Mac
1 noECC SSL3 d disallow=hmac-sha1 Disallow HMAC Explicitly
- 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly.
+ 1 noECC SSL3 d disallow=all_allow=md5:sha256:rsa:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow HMAC Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow HMAC Signatures Implicitly
# turn off key exchange
- 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly.
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchnage Signatures Implicitly.
+ 1 noECC SSL3 d disallow=rsa/ssl-key-exchange Disallow Key Exchange Explicitly
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:dh-dss:des-ede3-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0 Disallow Key Exchange Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=ssl2.0:tls-version-max=tls1.2 Disallow Key Exchange Signatures Implicitly
# turn off version
1 noECC SSL3 d allow=tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Exlicitly
- 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow.
- 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly.
- 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly.
+ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
+ 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
+ 0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
+ 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+# test default settings
+# NOTE: tstclient will attempt to overide the defaults, so we detect we
+# were successful by locking in our settings
+ 0 noECC SSL3 d allow=all_disable=all Disable all by default, application override
+ 1 noECC SSL3 d allow=all_disable=all_flags=ssl-lock,policy-lock Disable all by default, prevent application from enabling
+ 0 noECC SSL3 d allow=all_disable=all_flags=policy-lock Disable all by default, lock policy (application can still change the ciphers)
+# explicitly enable :002f RSA_AES_128_CBC_SHA1 and lock it in
+ 0 noECC SSL3 d allow=all_disable=all_enable=hmac-sha1:sha256:rsa-pkcs:rsa:aes128-cbc:tls-version-min=ssl3.0:tls-version-max=ssl3.0_flags=ssl-lock Lock in a different ciphersuite that the one the application asks for
diff -up ./tests/ssl/ssl.sh.orig ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./tests/ssl/ssl.sh 2020-10-29 13:17:16.391664228 -0700
@@ -886,6 +886,7 @@ ssl_policy_listsuites()
cp ${P_R_CLIENTDIR}/pkcs11.txt ${P_R_CLIENTDIR}/pkcs11.txt.sav
# Disallow all explicitly
+ testname="listsuites with all cipher disallowed by policy"
setup_policy "disallow=all" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_'
@@ -894,6 +895,7 @@ ssl_policy_listsuites()
"produced a returncode of $RET, expected is $RET_EXP"
# Disallow RSA in key exchange explicitly
+ testname="listsuites with rsa cipher disallowed by policy"
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
RET_EXP=1
list_enabled_suites | grep '^TLS_RSA_'
@@ -901,6 +903,34 @@ ssl_policy_listsuites()
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
+ # allow by policy, but disable by default
+ testname="listsuites with all ciphers enabled by policy but disabled by default"
+ setup_policy "allow=all disable=all" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # allow by policy, but disable by default just rsa-kea
+ testname="listsuites with all ciphers enabled by policy but rsa disabled by default"
+ setup_policy "allow=all disable=rsa/ssl-key-exchange" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ list_enabled_suites | grep '^TLS_RSA_'
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
+ # list_enabled_suites tries to set a policy value explicitly, This will
+ # cause list_enabled_suites to fail if we lock the policy
+ testname="listsuites with policy locked"
+ setup_policy "allow=all flags=policy-lock" ${P_R_CLIENTDIR}
+ RET_EXP=1
+ SSL_DIR="${P_R_CLIENTDIR}" ${BINDIR}/listsuites
+ RET=$?
+ html_msg $RET $RET_EXP "${testname}" \
+ "produced a returncode of $RET, expected is $RET_EXP"
+
cp ${P_R_CLIENTDIR}/pkcs11.txt.sav ${P_R_CLIENTDIR}/pkcs11.txt
html "</TABLE><BR>"
@@ -925,6 +955,7 @@ ssl_policy_selfserv()
cp ${P_R_SERVERDIR}/pkcs11.txt ${P_R_SERVERDIR}/pkcs11.txt.sav
# Disallow RSA in key exchange explicitly
+ testname="Disallow RSA key exchange explicitly"
setup_policy "disallow=rsa/ssl-key-exchange" ${P_R_SERVERDIR}
SAVE_SERVER_OPTIONS=${SERVER_OPTIONS}

417
SOURCES/nss-3.53.1-ike-app-b-fix.patch Normal file
View File

@ -0,0 +1,417 @@
diff -up ./gtests/common/testvectors_base/test-structs.h.orig ./gtests/common/testvectors_base/test-structs.h
--- ./gtests/common/testvectors_base/test-structs.h.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./gtests/common/testvectors_base/test-structs.h 2020-12-05 10:54:36.648849921 -0800
@@ -66,6 +66,31 @@ typedef struct EcdhTestVectorStr {
bool valid;
} EcdhTestVector;
+enum class IkeTestType {
+ ikeGxy, /* CKM_NSS_IKE_PRF_DERIVE case 1 */
+ ikeV1Psk, /* CKM_NSS_IKE_PRF_DERIVE case 2 */
+ ikeV2Rekey, /* CKM_NSS_IKE_PRF_DERIVE case 3 */
+ ikeV1, /* CKM_NSS_IKE1_PRF_DERIVE */
+ ikeV1AppB, /* CKM_NSS_IKE1_PRF_APP_B_DERIVE base mode */
+ ikeV1AppBQuick, /* CKM_NSS_IKE1_PRF_APP_B_DERIVE quick mode */
+ ikePlus /* CKM_NSS_IKE_PRF_DERIVE */
+};
+
+typedef struct IkeTestVectorStr {
+ uint32_t id;
+ IkeTestType test_type;
+ std::string ikm;
+ std::string gxykm;
+ std::string prevkm;
+ std::string okm;
+ std::string Ni;
+ std::string Nr;
+ std::string seed_data;
+ uint8_t key_number;
+ uint32_t size;
+ bool valid;
+} IkeTestVector;
+
typedef struct RsaSignatureTestVectorStr {
SECOidTag hash_oid;
uint32_t id;
diff -up ./gtests/common/testvectors/ike-sha1-vectors.h.orig ./gtests/common/testvectors/ike-sha1-vectors.h
--- ./gtests/common/testvectors/ike-sha1-vectors.h.orig 2020-12-05 10:54:36.649849926 -0800
+++ ./gtests/common/testvectors/ike-sha1-vectors.h 2020-12-05 11:01:09.170017713 -0800
@@ -0,0 +1,114 @@
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* This file is generated from sources in nss/gtests/common/wycheproof
+ * automatically and should not be touched manually.
+ * Generation is trigged by calling python3 genTestVectors.py */
+
+#ifndef ike_sha1_vectors_h__
+#define ike_sha1_vectors_h__
+
+#include "testvectors_base/test-structs.h"
+
+const IkeTestVector kIkeSha1ProofVectors[] = {
+ // these vectors are from this NIST samples
+ {1, IkeTestType::ikeGxy,
+ "8ba4cbc73c0187301dc19a975823854dbd641c597f637f8d053a83b9514673eb",
+ "", "", "707197817fb2d90cf54d1842606bdea59b9f4823",
+ "69a62284195f1680", "80c94ba25c8abda5",
+ "", 0, 0, true },
+ {2, IkeTestType::ikeV1,
+ "707197817fb2d90cf54d1842606bdea59b9f4823",
+ "8ba4cbc73c0187301dc19a975823854dbd641c597f637f8d053a83b9514673eb",
+ "", "384be709a8a5e63c3ed160cfe3921c4b37d5b32d",
+ "8c3bcd3a69831d7f", "d2d9a7ff4fbe95a7",
+ "", 0, 0, true },
+ {3, IkeTestType::ikeV1,
+ "707197817fb2d90cf54d1842606bdea59b9f4823",
+ "8ba4cbc73c0187301dc19a975823854dbd641c597f637f8d053a83b9514673eb",
+ "384be709a8a5e63c3ed160cfe3921c4b37d5b32d",
+ "48b327575abe3adba0f279849e289022a13e2b47",
+ "8c3bcd3a69831d7f", "d2d9a7ff4fbe95a7",
+ "", 1, 0, true },
+ {4, IkeTestType::ikeV1,
+ "707197817fb2d90cf54d1842606bdea59b9f4823",
+ "8ba4cbc73c0187301dc19a975823854dbd641c597f637f8d053a83b9514673eb",
+ "48b327575abe3adba0f279849e289022a13e2b47",
+ "a4a415c8e0c38c0da847c356cc61c24df8025560",
+ "8c3bcd3a69831d7f", "d2d9a7ff4fbe95a7",
+ "", 2, 0, true },
+ {5, IkeTestType::ikeV1Psk, "c0", "", "",
+ "ab3be41bc62f2ef0c41a3076d58768be77fadd2e",
+ "03a6f25a83c8c2a3", "9d958a6618f77e7f",
+ "", 0, 0, true },
+ {6, IkeTestType::ikeGxy,
+ "4b2c1f971981a8ad8d0abeafabf38cf75fc8349c148142465ed9c8b516b8be52",
+ "", "", "a9a7b222b59f8f48645f28a1db5b5f5d7479cba7",
+ "32b50d5f4a3763f3", "9206a04b26564cb1",
+ "", 0, 0, true },
+ {7, IkeTestType::ikeV2Rekey,
+ "a14293677cc80ff8f9cc0eee30d895da9d8f4056",
+ "863f3c9d06efd39d2b907b97f8699e5dd5251ef64a2a176f36ee40c87d4f9330",
+ "", "63e81194946ebd05df7df5ebf5d8750056bf1f1d",
+ "32b50d5f4a3763f3", "9206a04b26564cb1",
+ "", 0, 0, true },
+ {8, IkeTestType::ikePlus,
+ "a9a7b222b59f8f48645f28a1db5b5f5d7479cba7", "", "",
+ "a14293677cc80ff8f9cc0eee30d895da9d8f405666e30ef0dfcb63c634a46002a2a63080e514a062768b76606f9fa5e992204fc5a670bde3f10d6b027113936a5c55b648a194ae587b0088d52204b702c979fa280870d2ed41efa9c549fd11198af1670b143d384bd275c5f594cf266b05ebadca855e4249520a441a81157435a7a56cc4", "", "",
+ // seed_data is Ni || Nr || SPIi || SPIr
+ // NOTE: there is no comma so the strings are concatenated together.
+ "32b50d5f4a3763f3" // Ni
+ "9206a04b26564cb1" // Nr
+ "34c9e7c188868785" // SPIi
+ "3ff77d760d2b2199", // SPIr
+ 0, 132, true },
+ {9, IkeTestType::ikePlus,
+ "a9a7b222b59f8f48645f28a1db5b5f5d7479cba7", "", "",
+ "a14293677cc80ff8f9cc0eee30d895da9d8f405666e30ef0dfcb63c634a46002a2a63080e514a062", "", "",
+ // seed_data is Ni || Nr || SPIi || SPIr
+ // NOTE: there is no comma so the strings are concatenated together.
+ "32b50d5f4a3763f3" // Ni
+ "9206a04b26564cb1" // Nr
+ "34c9e7c188868785" // SPIi
+ "3ff77d760d2b2199", // SPIr
+ 0, 40, true },
+ {10, IkeTestType::ikePlus,
+ "a9a7b222b59f8f48645f28a1db5b5f5d7479cba7", "", "",
+ "a14293677cc80ff8f9cc0eee30d895", "", "",
+ // seed_data is Ni || Nr || SPIi || SPIr
+ // NOTE: there is no comma so the strings are concatenated together.
+ "32b50d5f4a3763f3" // Ni
+ "9206a04b26564cb1" // Nr
+ "34c9e7c188868785" // SPIi
+ "3ff77d760d2b2199", // SPIr
+ 0, 15, true },
+ // these vectors are self-generated
+ {11, IkeTestType::ikeV1AppB,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "933347a07de5782247dd36d1562ffe0eecade1eb4134165257e3af1000af8ae3f165063828cbb60d910b7db38fa3c7f62c4afaaf3203da065c841729853edb23e9e7ac8286ae65c8cb6c667d79268c0bd6705abb9131698eb822b1c1f9dd142fc7be2c1010ee0152e10195add98999c6b6d42c8fe9c1b134d56ad5f2c6f20e815bd25c52",
+ "", "", "", 0, 132, true },
+ {12, IkeTestType::ikeV1AppB,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "933347a07de5782247dd36d1562ffe0eecade1eb4134165257e3af1000af8ae3f165063828cbb60d",
+ "", "", "", 0, 40, true },
+ {13, IkeTestType::ikeV1AppB,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "63e81194946ebd05df7df5ebf5d875",
+ "", "", "", 0, 15, true },
+ {14, IkeTestType::ikeV1AppBQuick,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "933347a07de5782247dd36d1562ffe0eecade1ebaeaa476a5f578c34a9b2b7101a621202f61db924c5ef9efa3bb2698095841603b7ac8a880329a927ecd4ad53a944b607a5ac2f3d154e2748c188d7370d76be83fc204fdacf0f66b99dd760ba619ffac65eda1420c8a936dac5a599afaf4043b29ef2b65dc042724355b550875316c6fd",
+ "", "", "0", 0, 132, true },
+ {15, IkeTestType::ikeV1AppBQuick,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "933347a07de5782247dd36d1562ffe0eecade1ebaeaa476a5f578c34a9b2b7101a621202f61db924",
+ "", "", "0", 0, 40, true },
+ {16, IkeTestType::ikeV1AppBQuick,
+ "63e81194946ebd05df7df5ebf5d8750056bf1f1d", "", "",
+ "933347a07de5782247dd36d1562ffe",
+ "", "", "0", 0, 15, true },
+ };
+
+#endif // ike_sha1_vectors_h__
diff -up ./gtests/pk11_gtest/manifest.mn.orig ./gtests/pk11_gtest/manifest.mn
--- ./gtests/pk11_gtest/manifest.mn.orig 2020-12-05 10:53:12.529385354 -0800
+++ ./gtests/pk11_gtest/manifest.mn 2020-12-05 10:54:36.649849926 -0800
@@ -22,6 +22,7 @@ CPPSRCS = \
pk11_export_unittest.cc \
pk11_find_certs_unittest.cc \
pk11_hkdf_unittest.cc \
+ pk11_ike_unittest.cc \
pk11_import_unittest.cc \
pk11_kdf_unittest.cc \
pk11_kbkdf.cc \
diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.orig ./gtests/pk11_gtest/pk11_gtest.gyp
--- ./gtests/pk11_gtest/pk11_gtest.gyp.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./gtests/pk11_gtest/pk11_gtest.gyp 2020-12-05 10:54:36.649849926 -0800
@@ -27,6 +27,7 @@
'pk11_encrypt_derive_unittest.cc',
'pk11_find_certs_unittest.cc',
'pk11_hkdf_unittest.cc',
+ 'pk11_ike_unittest.cc',
'pk11_import_unittest.cc',
'pk11_kbkdf.cc',
'pk11_keygen.cc',
diff -up ./gtests/pk11_gtest/pk11_ike_unittest.cc.orig ./gtests/pk11_gtest/pk11_ike_unittest.cc
--- ./gtests/pk11_gtest/pk11_ike_unittest.cc.orig 2020-12-05 10:54:36.649849926 -0800
+++ ./gtests/pk11_gtest/pk11_ike_unittest.cc 2020-12-05 10:54:36.649849926 -0800
@@ -0,0 +1,197 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <memory>
+#include "blapi.h"
+#include "gtest/gtest.h"
+#include "nss.h"
+#include "nss_scoped_ptrs.h"
+#include "pk11pub.h"
+#include "secerr.h"
+#include "sechash.h"
+#include "util.h"
+
+#include "testvectors/ike-sha1-vectors.h"
+#ifdef notdef
+#include "testvectors/ike-sha256-vectors.h"
+#include "testvectors/ike-aesxcbc-vectors.h"
+#endif
+
+namespace nss_test {
+
+class Pkcs11IkeTest
+ : public ::testing::TestWithParam<
+ std::tuple<IkeTestVector, CK_MECHANISM_TYPE>> {
+ protected:
+ void dump_item(const char *label, SECItem *item) {
+ printf("%s: %d bytes { \"",label, item->len);
+ unsigned int i;
+ for (i=0; i < item->len; i++) {
+ printf("%02x",item->data[i]);
+ }
+ printf("\"\n");
+ }
+
+ ScopedPK11SymKey ImportKey(SECItem &ikm_item) {
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ if (!slot) {
+ ADD_FAILURE() << "Can't get slot";
+ return nullptr;
+ }
+ ScopedPK11SymKey ikm(PK11_ImportSymKey(slot.get(),
+ CKM_GENERIC_SECRET_KEY_GEN,
+ PK11_OriginUnwrap, CKA_DERIVE, &ikm_item,
+ nullptr));
+ return ikm;
+ }
+
+ void RunVectorTest(const IkeTestVector &vec, CK_MECHANISM_TYPE prf_mech) {
+ std::string msg = "Test #" + std::to_string(vec.id) + " failed";
+ std::vector<uint8_t> vec_ikm = hex_string_to_bytes(vec.ikm);
+ std::vector<uint8_t> vec_okm = hex_string_to_bytes(vec.okm);
+ std::vector<uint8_t> vec_gxykm = hex_string_to_bytes(vec.gxykm);
+ std::vector<uint8_t> vec_prevkm = hex_string_to_bytes(vec.prevkm);
+ std::vector<uint8_t> vec_Ni = hex_string_to_bytes(vec.Ni);
+ std::vector<uint8_t> vec_Nr = hex_string_to_bytes(vec.Nr);
+ std::vector<uint8_t> vec_seed_data = hex_string_to_bytes(vec.seed_data);
+ SECItem ikm_item = {siBuffer, vec_ikm.data(),
+ static_cast<unsigned int>(vec_ikm.size())};
+ SECItem okm_item = {siBuffer, vec_okm.data(),
+ static_cast<unsigned int>(vec_okm.size())};
+ SECItem prevkm_item = {siBuffer, vec_prevkm.data(),
+ static_cast<unsigned int>(vec_prevkm.size())};
+ SECItem gxykm_item = {siBuffer, vec_gxykm.data(),
+ static_cast<unsigned int>(vec_gxykm.size())};
+ CK_MECHANISM_TYPE derive_mech = CKM_NSS_IKE_PRF_DERIVE;
+ ScopedPK11SymKey gxy_key= nullptr;
+ ScopedPK11SymKey prev_key= nullptr;
+ ScopedPK11SymKey ikm = ImportKey(ikm_item);
+
+ // IKE_PRF structure (used in cases 1, 2 and 3)
+ CK_NSS_IKE_PRF_DERIVE_PARAMS nss_ike_prf_params = {
+ prf_mech, false, false,
+ vec_Ni.data(), static_cast<CK_ULONG>(vec_Ni.size()),
+ vec_Nr.data(), static_cast<CK_ULONG>(vec_Nr.size()),
+ CK_INVALID_HANDLE
+ };
+
+ // IKE_V1_PRF, used to derive session keys.
+ CK_NSS_IKE1_PRF_DERIVE_PARAMS nss_ike_v1_prf_params = {
+ prf_mech, false, CK_INVALID_HANDLE, CK_INVALID_HANDLE,
+ vec_Ni.data(), static_cast<CK_ULONG>(vec_Ni.size()),
+ vec_Nr.data(), static_cast<CK_ULONG>(vec_Nr.size()),
+ vec.key_number
+ };
+
+ // IKE_V1_APP_B, do quick mode (all session keys in one call).
+ CK_NSS_IKE1_APP_B_PRF_DERIVE_PARAMS nss_ike_app_b_prf_params_quick = {
+ prf_mech, false, CK_INVALID_HANDLE,
+ vec_seed_data.data(), static_cast<CK_ULONG>(vec_seed_data.size())
+ };
+
+ // IKE_V1_APP_B, used for long session keys in ike_v1
+ CK_MECHANISM_TYPE nss_ike_app_b_prf_params = prf_mech;
+
+ // IKE_PRF_PLUS, used to generate session keys in ike v2
+ CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS nss_ike_prf_plus_params = {
+ prf_mech, false, CK_INVALID_HANDLE,
+ vec_seed_data.data(), static_cast<CK_ULONG>(vec_seed_data.size())
+ };
+
+
+ SECItem params_item = {siBuffer, (unsigned char *)&nss_ike_prf_params,
+ sizeof(nss_ike_prf_params)};
+
+ switch (vec.test_type) {
+ case IkeTestType::ikeGxy:
+ nss_ike_prf_params.bDataAsKey = true;
+ break;
+ case IkeTestType::ikeV1Psk:
+ break;
+ case IkeTestType::ikeV2Rekey:
+ nss_ike_prf_params.bRekey = true;
+ gxy_key = ImportKey(gxykm_item);
+ nss_ike_prf_params.hNewKey = PK11_GetSymKeyHandle(gxy_key.get());
+ break;
+ case IkeTestType::ikeV1:
+ derive_mech = CKM_NSS_IKE1_PRF_DERIVE;
+ params_item.data = (unsigned char *) &nss_ike_v1_prf_params;
+ params_item.len = sizeof(nss_ike_v1_prf_params);
+ gxy_key = ImportKey(gxykm_item);
+ nss_ike_v1_prf_params.hKeygxy = PK11_GetSymKeyHandle(gxy_key.get());
+ if (prevkm_item.len != 0) {
+ prev_key = ImportKey(prevkm_item);
+ nss_ike_v1_prf_params.bHasPrevKey = true;
+ nss_ike_v1_prf_params.hPrevKey = PK11_GetSymKeyHandle(prev_key.get());
+ }
+ break;
+ case IkeTestType::ikeV1AppB:
+ derive_mech = CKM_NSS_IKE1_APP_B_PRF_DERIVE;
+ params_item.data = (unsigned char *) &nss_ike_app_b_prf_params;
+ params_item.len = sizeof(nss_ike_app_b_prf_params);
+ break;
+ case IkeTestType::ikeV1AppBQuick:
+ derive_mech = CKM_NSS_IKE1_APP_B_PRF_DERIVE;
+ params_item.data = (unsigned char *) &nss_ike_app_b_prf_params_quick;
+ params_item.len = sizeof(nss_ike_app_b_prf_params_quick);
+ if (gxykm_item.len != 0) {
+ gxy_key = ImportKey(gxykm_item);
+ nss_ike_app_b_prf_params_quick.bHasKeygxy = true;
+ nss_ike_app_b_prf_params_quick.hKeygxy =
+ PK11_GetSymKeyHandle(gxy_key.get());
+ }
+ break;
+ case IkeTestType::ikePlus:
+ derive_mech = CKM_NSS_IKE_PRF_PLUS_DERIVE;
+ params_item.data = (unsigned char *) &nss_ike_prf_plus_params;
+ params_item.len = sizeof(nss_ike_prf_plus_params);
+ break;
+ default:
+ ADD_FAILURE() << msg;
+ return;
+ }
+ ASSERT_NE(nullptr, ikm) << msg;
+
+ ScopedPK11SymKey okm = ScopedPK11SymKey(
+ PK11_Derive(ikm.get(), derive_mech, &params_item,
+ CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.size));
+ if (vec.valid) {
+ ASSERT_NE(nullptr, okm.get()) << msg;
+ ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(okm.get())) << msg;
+ SECItem *outItem = PK11_GetKeyData(okm.get());
+ if (SECITEM_CompareItem(&okm_item, outItem) != 0) {
+ dump_item("expected key:", &okm_item);
+ dump_item("calculated key:", outItem);
+ }
+ ASSERT_EQ(0, SECITEM_CompareItem(&okm_item, PK11_GetKeyData(okm.get())))
+ << msg;
+ } else {
+ ASSERT_EQ(nullptr, okm.get()) << msg;
+ }
+ }
+};
+
+TEST_P(Pkcs11IkeTest, IkeproofVectors) {
+ RunVectorTest(std::get<0>(GetParam()), std::get<1>(GetParam()));
+}
+
+INSTANTIATE_TEST_CASE_P(
+ IkeSha1, Pkcs11IkeTest,
+ ::testing::Combine(::testing::ValuesIn(kIkeSha1ProofVectors),
+ ::testing::Values(CKM_SHA_1_HMAC)));
+#ifdef notdef
+INSTANTIATE_TEST_CASE_P(
+ IkeSha256, Pkcs11IkeTest,
+ ::testing::Combine(::testing::ValuesIn(kIkeSha256ProofVectors),
+ ::testing::Values(CKM_SHA256_HMAC)));
+
+INSTANTIATE_TEST_CASE_P(
+ IkeAESXCBC, Pkcs11IkeTest,
+ ::testing::Combine(::testing::ValuesIn(kIkeAesXcbcProofVectors),
+ ::testing::Values(CKM_AES_XCBC_MAC)));
+#endif
+
+} // namespace nss_test
diff -up ./lib/softoken/sftkike.c.orig ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.orig 2020-12-05 10:53:12.629385906 -0800
+++ ./lib/softoken/sftkike.c 2020-12-05 10:59:16.073393113 -0800
@@ -720,6 +720,7 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
unsigned int macSize;
unsigned int outKeySize;
unsigned int genKeySize;
+ PRBool quickMode = PR_FALSE;
CK_RV crv;
prfContext context;
@@ -748,6 +749,11 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
crv = CKR_KEY_HANDLE_INVALID;
goto fail;
}
+ quickMode = PR_TRUE;
+ }
+
+ if (params->ulExtraDataLen !=0) {
+ quickMode = PR_TRUE;
}
macSize = prf_length(&context);
@@ -756,10 +762,16 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
keySize = macSize;
}
- if (keySize <= inKey->attrib.ulValueLen) {
+ /* In appendix B, we are just expanding or contracting a single key.
+ * If the input key is less than equal the the key size we want, just
+ * subset the original key. In quick mode we are actually getting new
+ * keys (salted with our seed data and our gxy key), so we want to run
+ * through our algorithm */
+ if ((!quickMode) && (keySize <= inKey->attrib.ulValueLen)) {
return sftk_forceAttribute(outKey, CKA_VALUE,
inKey->attrib.pValue, keySize);
}
+
outKeySize = PR_ROUNDUP(keySize, macSize);
outKeyData = PORT_Alloc(outKeySize);
if (outKeyData == NULL) {

24
SOURCES/nss-3.53.1-measure-fix.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up ./coreconf/config.gypi.orig ./coreconf/config.gypi
--- ./coreconf/config.gypi.orig 2020-06-16 15:50:59.000000000 -0700
+++ ./coreconf/config.gypi 2020-10-15 16:05:37.542761192 -0700
@@ -363,7 +363,7 @@
'_DEFAULT_SOURCE', # for <endian.h> functions, strdup, realpath, and getentropy
'_BSD_SOURCE', # for the above in glibc <= 2.19
'_POSIX_SOURCE', # for <signal.h>
- 'SQL_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
+ 'SDB_MEASURE_USE_TEMP_DIR', # use tmpdir for the access calls
],
}],
[ 'OS=="dragonfly" or OS=="freebsd"', {
diff -up ./coreconf/Linux.mk.orig ./coreconf/Linux.mk
--- ./coreconf/Linux.mk.orig 2020-10-15 16:05:04.794591674 -0700
+++ ./coreconf/Linux.mk 2020-10-15 16:05:37.543761197 -0700
@@ -21,7 +21,7 @@ ifeq ($(USE_PTHREADS),1)
endif
DEFAULT_COMPILER = gcc
-DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSQL_MEASURE_USE_TEMP_DIR
+DEFINES += -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR
ifeq ($(OS_TARGET),Android)
ifndef ANDROID_NDK

21
SOURCES/nss-3.53.1-no-small-primes-tests.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up ./gtests/softoken_gtest/softoken_dh_vectors.h.no-small-primes ./gtests/softoken_gtest/softoken_dh_vectors.h
--- ./gtests/softoken_gtest/softoken_dh_vectors.h.no-small-primes 2020-10-04 00:52:25.008998541 +0300
+++ ./gtests/softoken_gtest/softoken_dh_vectors.h 2020-10-04 00:54:50.095503256 +0300
@@ -2869,7 +2869,7 @@ static const DhTestVector DH_TEST_VECTOR
{siBuffer, (unsigned char *)g2, sizeof(g2)},
{siBuffer, NULL, 0},
{siBuffer, NULL, 0},
- IKE_APPROVED,
+ SAFE_PRIME,
CLASS_1536},
{"IKE 2048",
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},
@@ -2949,7 +2949,7 @@ static const DhTestVector DH_TEST_VECTOR
{siBuffer, (unsigned char *)sub2_prime_ike_1536,
sizeof(sub2_prime_ike_1536)},
{siBuffer, NULL, 0},
- IKE_APPROVED,
+ SAFE_PRIME,
CLASS_1536},
{"IKE 2048 with subprime",
{siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)},

53
SOURCES/nss-3.53.1-no-small-primes.patch Normal file
View File

@ -0,0 +1,53 @@
diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.orig 2020-10-15 16:06:47.380122702 -0700
+++ ./lib/softoken/pkcs11c.c 2020-10-15 16:07:56.891482521 -0700
@@ -5101,7 +5101,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* subprime not supplied, In this case look it up.
* This only works with approved primes, but in FIPS mode
* that's the only kine of prime that will get here */
- subPrimePtr = sftk_VerifyDH_Prime(&prime);
+ subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS);
if (subPrimePtr == NULL) {
crv = CKR_GENERAL_ERROR;
goto done;
@@ -8293,7 +8293,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
- subPrime = sftk_VerifyDH_Prime(&dhPrime);
+ subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS);
if (subPrime == NULL) {
SECItem dhSubPrime;
/* In FIPS mode we only accept approved primes */
diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.orig 2020-10-15 16:06:47.380122702 -0700
+++ ./lib/softoken/pkcs11i.h 2020-10-15 16:07:56.892482526 -0700
@@ -926,7 +926,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
* it's subprime value */
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime);
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
/* check if dhSubPrime claims dhPrime is a safe prime. */
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.orig 2020-10-15 16:06:47.370122650 -0700
+++ ./lib/softoken/sftkdhverify.c 2020-10-15 16:07:56.893482531 -0700
@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192=
* verify that dhPrime matches one of our known primes
*/
const SECItem *
-sftk_VerifyDH_Prime(SECItem *dhPrime)
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
{
/* use the length to decide which primes to check */
switch (dhPrime->len) {
case 1536 / PR_BITS_PER_BYTE:
+ /* don't accept 1536 bit primes in FIPS mode */
+ if (isFIPS) {
+ break;
+ }
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
sizeof(prime_ike_1536)) == 0) {
return &subprime_ike_1536;

305
SOURCES/nss-3.53.1-oaep-api.patch Normal file
View File

@ -0,0 +1,305 @@
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1603492441 25200
# Node ID 33f920fcd1753d2b8f4a5e4f31e317c102d8cbfe
# Parent e3bd9c2f925932b301440fb07ea1228f2d4e39ac
Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism r=mt,rrelyea
Summary
This is useful for RSA-OAEP support.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for OAEP.
However, PK11_PubWrapSymKey lacks a way of providing this context and
historically silently converted CKM_RSA_PKCS_OAEP to CKM_RSA_PKCS when
a RSA key is provided. Introducing a new call will let us indicate
parameters and potentially support other mechanisms in the future.
This call mirrors the earlier calls introduced for RSA-PSS:
PK11_SignWithMechanism and PK11_VerifyWithMechanism.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for OAEP.
However, PK11_PubUnwrapSymKey lacks a way of providing this context,
and additionally lacked a way of indicating which mechanism type to use
for the unwrap operation (instead detecting it by key type). Introducing
a new call will let us indicate parameters and potentially support other
mechanisms in the future.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Differential Revision: https://phabricator.services.mozilla.com/D93424
diff --git a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
--- a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
+++ b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
@@ -111,9 +111,76 @@ INSTANTIATE_TEST_CASE_P(
INSTANTIATE_TEST_CASE_P(
WycheproofOaep2048Sha512Sha1Test, RsaOaepWycheproofTest,
::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha1WycheproofVectors));
INSTANTIATE_TEST_CASE_P(
WycheproofOaep2048Sha512Sha512Test, RsaOaepWycheproofTest,
::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors));
+
+TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) {
+ const size_t kRsaKeyBits = 2048;
+ const size_t kwrappedBufLen = 4096;
+
+ SECStatus rv = SECFailure;
+
+ ScopedSECKEYPrivateKey priv;
+ ScopedSECKEYPublicKey pub;
+ PK11RSAGenParams rsa_params;
+ rsa_params.keySizeInBits = kRsaKeyBits;
+ rsa_params.pe = 65537;
+
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ ASSERT_NE(slot, nullptr);
+
+ SECKEYPublicKey* p_pub_tmp = nullptr;
+ priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &rsa_params, &p_pub_tmp, false, false,
+ nullptr));
+ pub.reset(p_pub_tmp);
+
+ ASSERT_NE(priv.get(), nullptr);
+ ASSERT_NE(pub.get(), nullptr);
+
+ ScopedPK11SymKey to_wrap(
+ PK11_KeyGen(slot.get(), CKM_AES_CBC, nullptr, 16, nullptr));
+
+ CK_RSA_PKCS_OAEP_PARAMS oaep_params = {CKM_SHA256, CKG_MGF1_SHA256,
+ CKZ_DATA_SPECIFIED, NULL, 0};
+
+ SECItem param = {siBuffer, (unsigned char*)&oaep_params, sizeof(oaep_params)};
+
+ ScopedSECItem wrapped(SECITEM_AllocItem(nullptr, nullptr, kwrappedBufLen));
+ rv = PK11_PubWrapSymKeyWithMechanism(pub.get(), CKM_RSA_PKCS_OAEP, &param,
+ to_wrap.get(), wrapped.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ PK11SymKey* p_unwrapped_tmp = nullptr;
+
+ // This fails because this method is broken and assumes CKM_RSA_PKCS and
+ // doesn't understand OAEP.
+ p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC,
+ CKA_DECRYPT, 16);
+ ASSERT_EQ(p_unwrapped_tmp, nullptr);
+
+ ScopedPK11SymKey unwrapped;
+ p_unwrapped_tmp = PK11_PubUnwrapSymKeyWithMechanism(
+ priv.get(), CKM_RSA_PKCS_OAEP, &param, wrapped.get(), CKM_AES_CBC,
+ CKA_DECRYPT, 16);
+ ASSERT_NE(p_unwrapped_tmp, nullptr);
+
+ unwrapped.reset(p_unwrapped_tmp);
+
+ // Extract key's value in order to validate decryption worked.
+ rv = PK11_ExtractKeyValue(to_wrap.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ rv = PK11_ExtractKeyValue(unwrapped.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ // References owned by PKCS#11 layer; no need to scope and free.
+ SECItem* expectedItem = PK11_GetKeyData(to_wrap.get());
+ SECItem* actualItem = PK11_GetKeyData(unwrapped.get());
+
+ ASSERT_EQ(SECITEM_CompareItem(actualItem, expectedItem), 0);
+}
} // namespace nss_test
diff --git a/lib/nss/nss.def b/lib/nss/nss.def
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1181,3 +1181,10 @@ SECMOD_GetSystemFIPSEnabled;
;+ local:
;+ *;
;+};
+;+NSS_3.59 { # NSS 3.59 release
+;+ global:
+PK11_PubWrapSymKeyWithMechanism;
+PK11_PubUnwrapSymKeyWithMechanism;
+;+ local:
+;+ *;
+;+};
diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
--- a/lib/pk11wrap/pk11pub.h
+++ b/lib/pk11wrap/pk11pub.h
@@ -352,16 +352,21 @@ void PK11_SetSymKeyUserData(PK11SymKey *
* will return NULL. Returned data is still owned and managed by the SymKey,
* the caller should not free the data.
*
*/
void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
+SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
+ CK_MECHANISM_TYPE mechType,
+ SECItem *param,
+ PK11SymKey *symKey,
+ SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
* operation or the flags and making the key permanent at the same time.
* If the key is moved to the same slot, operation and flags values are
* currently ignored */
PK11SymKey *PK11_MoveSymKey(PK11SlotInfo *slot, CK_ATTRIBUTE_TYPE operation,
CK_FLAGS flags, PRBool perm, PK11SymKey *symKey);
@@ -446,16 +451,23 @@ PK11SymKey *PK11_UnwrapSymKeyWithFlagsPe
* PK11_PubUnwrap returns a key which can do exactly one operation, and is
* ephemeral (session key).
* PK11_PubUnwrapWithFlagsPerm is the same as PK11_PubUnwrap except you can
* use * CKF_ flags to enable more than one operation, and optionally make
* the key permanent (token key).
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *key,
+ CK_MECHANISM_TYPE mechType,
+ SECItem *param,
+ SECItem *wrapppedKey,
+ CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation,
+ int keySize);
PK11SymKey *PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
CK_FLAGS flags, PRBool isPerm);
PK11SymKey *PK11_FindFixedKey(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
SECItem *keyID, void *wincx);
SECStatus PK11_DeleteTokenPrivateKey(SECKEYPrivateKey *privKey, PRBool force);
SECStatus PK11_DeleteTokenPublicKey(SECKEYPublicKey *pubKey);
diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c
--- a/lib/pk11wrap/pk11skey.c
+++ b/lib/pk11wrap/pk11skey.c
@@ -1270,53 +1270,69 @@ PK11_ConvertSessionSymKeyToTokenSymKey(P
PORT_SetError(PK11_MapError(crv));
return NULL;
}
return PK11_SymKeyFromHandle(slot, NULL /*parent*/, symk->origin,
symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
}
-/*
- * This function does a straight public key wrap (which only RSA can do).
- * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
- * Diffie-Hellman Ciphers. */
+/* This function does a straight public key wrap with the CKM_RSA_PKCS
+ * mechanism. */
SECStatus
PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey)
{
+ CK_MECHANISM_TYPE inferred = pk11_mapWrapKeyType(pubKey->keyType);
+ return PK11_PubWrapSymKeyWithMechanism(pubKey, inferred, NULL, symKey,
+ wrappedKey);
+}
+
+/* This function wraps a symmetric key with a public key, such as with the
+ * CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP mechanisms. */
+SECStatus
+PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
+ CK_MECHANISM_TYPE mechType, SECItem *param,
+ PK11SymKey *symKey, SECItem *wrappedKey)
+{
PK11SlotInfo *slot;
CK_ULONG len = wrappedKey->len;
PK11SymKey *newKey = NULL;
CK_OBJECT_HANDLE id;
CK_MECHANISM mechanism;
PRBool owner = PR_TRUE;
CK_SESSION_HANDLE session;
CK_RV crv;
if (symKey == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* if this slot doesn't support the mechanism, go to a slot that does */
- newKey = pk11_ForceSlot(symKey, type, CKA_ENCRYPT);
+ newKey = pk11_ForceSlot(symKey, mechType, CKA_ENCRYPT);
if (newKey != NULL) {
symKey = newKey;
}
if (symKey->slot == NULL) {
PORT_SetError(SEC_ERROR_NO_MODULE);
return SECFailure;
}
slot = symKey->slot;
- mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
+
+ mechanism.mechanism = mechType;
+ if (param == NULL) {
+ mechanism.pParameter = NULL;
+ mechanism.ulParameterLen = 0;
+ } else {
+ mechanism.pParameter = param->data;
+ mechanism.ulParameterLen = param->len;
+ }
id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
if (id == CK_INVALID_HANDLE) {
if (newKey) {
PK11_FreeSymKey(newKey);
}
return SECFailure; /* Error code has been set. */
}
@@ -2878,30 +2894,43 @@ PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKe
templateCount = attrs - keyTemplate;
templateCount += pk11_OpFlagsToAttributes(flags, attrs, &cktrue);
return pk11_AnyUnwrapKey(wrappingKey->slot, wrappingKey->objectID,
wrapType, param, wrappedKey, target, operation, keySize,
wrappingKey->cx, keyTemplate, templateCount, isPerm);
}
-/* unwrap a symetric key with a private key. */
+/* unwrap a symmetric key with a private key. Only supports CKM_RSA_PKCS. */
PK11SymKey *
PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
{
CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+
+ return PK11_PubUnwrapSymKeyWithMechanism(wrappingKey, wrapType, NULL,
+ wrappedKey, target, operation,
+ keySize);
+}
+
+/* unwrap a symmetric key with a private key with the given parameters. */
+PK11SymKey *
+PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *wrappingKey,
+ CK_MECHANISM_TYPE mechType, SECItem *param,
+ SECItem *wrappedKey, CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation, int keySize)
+{
PK11SlotInfo *slot = wrappingKey->pkcs11Slot;
if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
}
- return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
- wrapType, NULL, wrappedKey, target, operation, keySize,
+ return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, mechType, param,
+ wrappedKey, target, operation, keySize,
wrappingKey->wincx, NULL, 0, PR_FALSE);
}
/* unwrap a symetric key with a private key. */
PK11SymKey *
PK11_PubUnwrapSymKeyWithFlags(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize, CK_FLAGS flags)

79
SOURCES/nss-3.53.1-remove-timing-tests.patch Normal file
View File

@ -0,0 +1,79 @@
diff -up ./gtests/softoken_gtest/softoken_gtest.cc.remove_timing_test ./gtests/softoken_gtest/softoken_gtest.cc
--- ./gtests/softoken_gtest/softoken_gtest.cc.remove_timing_test 2020-07-30 08:34:30.404750663 -0700
+++ ./gtests/softoken_gtest/softoken_gtest.cc 2020-07-30 08:43:39.640495618 -0700
@@ -605,11 +605,14 @@ SECStatus test_dh_value(const PQGParams
class SoftokenDhTest : public SoftokenTest {
protected:
SoftokenDhTest() : SoftokenTest("SoftokenDhTest.d-") {}
+#ifdef NSS_USE_REFERENCE_TIME
time_t reference_time[CLASS_LAST] = {0};
+#endif
virtual void SetUp() {
SoftokenTest::SetUp();
+#ifdef NSS_USE_REFERENCE_TIME
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
@@ -625,6 +628,7 @@ class SoftokenDhTest : public SoftokenTe
ASSERT_EQ(SECSuccess, test_dh_value(&params, nullptr, PR_FALSE, &time));
reference_time[i] = time + 2 * time;
}
+#endif
};
};
@@ -708,12 +712,16 @@ TEST_P(SoftokenDhValidate, DhVectors) {
case SAFE_PRIME:
case UNKNOWN_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
+#ifdef NSS_USE_REFERENCE_TIME
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
+#endif
break;
case KNOWN_SUBPRIME:
case SAFE_PRIME_WITH_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
+#ifdef NSS_USE_REFERENCE_TIME
EXPECT_GT(time, reference_time[dhTestValues.key_class]) << err;
+#endif
break;
case WRONG_SUBPRIME:
case BAD_PUB_KEY:
@@ -749,7 +757,9 @@ class SoftokenFipsTest : public Softoken
class SoftokenFipsDhTest : public SoftokenFipsTest {
protected:
SoftokenFipsDhTest() : SoftokenFipsTest("SoftokenFipsDhTest.d-") {}
+#ifdef NSS_USE_REFERENCE_TIME
time_t reference_time[CLASS_LAST] = {0};
+#endif
virtual void SetUp() {
SoftokenFipsTest::SetUp();
@@ -760,6 +770,7 @@ class SoftokenFipsDhTest : public Softok
ASSERT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, ""));
ASSERT_EQ(SECSuccess, PK11_Authenticate(slot.get(), PR_FALSE, nullptr));
+#ifdef NSS_USE_REFERENCE_TIME
time_t time;
for (int i = CLASS_FIRST; i < CLASS_LAST; i++) {
PQGParams params;
@@ -772,6 +783,7 @@ class SoftokenFipsDhTest : public Softok
ASSERT_EQ(SECSuccess, test_dh_value(&params, nullptr, PR_FALSE, &time));
reference_time[i] = time + 2 * time;
}
+#endif
};
};
@@ -883,7 +895,9 @@ TEST_P(SoftokenFipsDhValidate, DhVectors
case TLS_APPROVED:
case IKE_APPROVED:
EXPECT_EQ(SECSuccess, rv) << err;
+#ifdef NSS_USE_REFERENCE_TIME
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
+#endif
break;
case SAFE_PRIME:
case SAFE_PRIME_WITH_SUBPRIME:

39
SOURCES/nss-3.53.1-revert_rhel8_unsafe_policy_change.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up ./lib/pk11wrap/pk11pars.c.policy_revert ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.policy_revert 2020-11-04 10:26:59.085300799 -0800
+++ ./lib/pk11wrap/pk11pars.c 2020-11-04 10:29:52.774239468 -0800
@@ -391,12 +391,6 @@ static const oidValDef signOptList[] = {
/* Signatures */
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@@ -412,7 +406,7 @@ static const algListsDef algOptLists[] =
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
};
static const optionFreeDef sslOptList[] = {
diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800
+++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800
@@ -193,7 +193,9 @@
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
+# compatibility reasons
+# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
# test default settings
# NOTE: tstclient will attempt to overide the defaults, so we detect we
# were successful by locking in our settings

13
SOURCES/nss-8-add-ipsec-usage-to-manpage.patch
View File

@ -1,13 +0,0 @@
diff -up ./doc/certutil.xml.ipsec_doc ./doc/certutil.xml
--- ./doc/certutil.xml.ipsec_doc 2019-05-10 14:14:18.000000000 -0700
+++ ./doc/certutil.xml 2019-06-05 16:49:44.229301383 -0700
@@ -428,6 +428,9 @@ of the attribute codes:
<listitem>
<para><command>J</command> (as an object signer)</para>
</listitem>
+ <listitem>
+<para><command>I</command> (as an IPSEC user)</para>
+ </listitem>
</itemizedlist></listitem>
</varlistentry>

571
SOURCES/nss-8-fix-public-key-from-priv.patch
View File

@ -1,571 +0,0 @@
diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech ./gtests/pk11_gtest/pk11_import_unittest.cc
--- ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2019-06-05 16:43:42.276498676 -0700
@@ -78,17 +78,40 @@ class Pk11KeyImportTestBase : public ::t
CK_MECHANISM_TYPE mech_;
private:
+ SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
+ SECItem null = { siBuffer, NULL, 0};
+ switch(SECKEY_GetPublicKeyType(pub_key.get())) {
+ case rsaKey:
+ case rsaPssKey:
+ case rsaOaepKey:
+ return pub_key->u.rsa.modulus;
+ case keaKey:
+ return pub_key->u.kea.publicValue;
+ case dsaKey:
+ return pub_key->u.dsa.publicValue;
+ case dhKey:
+ return pub_key->u.dh.publicValue;
+ case ecKey:
+ return pub_key->u.ec.publicValue;
+ case fortezzaKey: /* depricated */
+ case nullKey:
+ /* didn't use default here so we can catch new key types at compile time */
+ break;
+ }
+ return null;
+ }
void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
const SECItem* expected_public) {
// Verify the public key exists.
StackSECItem priv_id;
+ KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
CKA_ID, &priv_id);
ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
<< PORT_ErrorToName(PORT_GetError());
CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
- switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
+ switch (type) {
case rsaKey:
value_type = CKA_MODULUS;
break;
@@ -106,6 +129,8 @@ class Pk11KeyImportTestBase : public ::t
FAIL() << "unknown key type";
}
+ // Scan public key objects until we find one with the same CKA_ID as
+ // priv_key
std::unique_ptr<PK11GenericObject, PK11GenericObjectsDeleter> objs(
PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
ASSERT_NE(nullptr, objs);
@@ -128,20 +153,46 @@ class Pk11KeyImportTestBase : public ::t
ASSERT_EQ(1U, token.len);
ASSERT_NE(0, token.data[0]);
- StackSECItem value;
- rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
+ StackSECItem raw_value;
+ SECItem decoded_value;
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
ASSERT_EQ(SECSuccess, rv);
+ SECItem value = raw_value;
+ // Decode the EC_POINT and check the output against expected.
// CKA_EC_POINT isn't stable, see Bug 1520649.
+ ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
+ ASSERT_TRUE(arena);
if (value_type == CKA_EC_POINT) {
- continue;
- }
+ // If this fails due to the noted inconsistency, we may need to
+ // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
+ rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &raw_value);
+ ASSERT_EQ(SECSuccess, rv);
+ value = decoded_value;
+ }
ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
<< "expected: "
<< DataBuffer(expected_public->data, expected_public->len)
<< std::endl
<< "actual: " << DataBuffer(value.data, value.len) << std::endl;
+
+ // Finally, convert the private to public and ensure it matches.
+ ScopedSECKEYPublicKey pub_key(
+ SECKEY_ConvertToPublicKey(priv_key.get()));
+ ASSERT_TRUE(pub_key);
+ SECItem converted_public = GetPublicComponent(pub_key);
+ ASSERT_TRUE(converted_public.len != 0);
+
+ ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
+ << "expected: "
+ << DataBuffer(expected_public->data, expected_public->len)
+ << std::endl
+ << "actual: "
+ << DataBuffer(converted_public.data, converted_public.len)
+ << std::endl;
}
}
diff -up ./lib/cryptohi/seckey.c.pub-priv-mech ./lib/cryptohi/seckey.c
--- ./lib/cryptohi/seckey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/cryptohi/seckey.c 2019-06-05 16:43:42.277498676 -0700
@@ -1206,6 +1206,37 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
return NULL;
}
+/*
+ * Use the private key to find a public key handle. The handle will be on
+ * the same slot as the private key.
+ */
+static CK_OBJECT_HANDLE
+seckey_FindPublicKeyHandle(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk)
+{
+ CK_OBJECT_HANDLE keyID;
+
+ /* this helper function is only used below. If we want to make this more
+ * general, we would need to free up any already cached handles if the
+ * slot doesn't match up with the private key slot */
+ PORT_Assert(pubk->pkcs11ID == CK_INVALID_HANDLE);
+
+ /* first look for a matching public key */
+ keyID = PK11_MatchItem(privk->pkcs11Slot, privk->pkcs11ID, CKO_PUBLIC_KEY);
+ if (keyID != CK_INVALID_HANDLE) {
+ return keyID;
+ }
+
+ /* none found, create a temp one, make the pubk the owner */
+ pubk->pkcs11ID = PK11_DerivePubKeyFromPrivKey(privk);
+ if (pubk->pkcs11ID == CK_INVALID_HANDLE) {
+ /* end of the road. Token doesn't have matching public key, nor can
+ * token regenerate a new public key from and existing private key. */
+ return CK_INVALID_HANDLE;
+ }
+ pubk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
+ return pubk->pkcs11ID;
+}
+
SECKEYPublicKey *
SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
{
@@ -1213,6 +1244,8 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
PLArenaPool *arena;
CERTCertificate *cert;
SECStatus rv;
+ CK_OBJECT_HANDLE pubKeyHandle;
+ SECItem decodedPoint;
/*
* First try to look up the cert.
@@ -1243,11 +1276,47 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
switch (privk->keyType) {
case nullKey:
- case dhKey:
- case dsaKey:
/* Nothing to query, if the cert isn't there, we're done -- no way
* to get the public key */
break;
+ case dsaKey:
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_BASE, arena, &pubk->u.dsa.params.base);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_PRIME, arena, &pubk->u.dsa.params.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_SUBPRIME, arena, &pubk->u.dsa.params.subPrime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_VALUE, arena, &pubk->u.dsa.publicValue);
+ if (rv != SECSuccess)
+ break;
+ return pubk;
+ case dhKey:
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_BASE, arena, &pubk->u.dh.base);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_PRIME, arena, &pubk->u.dh.prime);
+ if (rv != SECSuccess)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_VALUE, arena, &pubk->u.dh.publicValue);
+ if (rv != SECSuccess)
+ break;
+ return pubk;
case rsaKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_MODULUS, arena, &pubk->u.rsa.modulus);
@@ -1258,7 +1327,6 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
if (rv != SECSuccess)
break;
return pubk;
- break;
case ecKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
@@ -1268,7 +1336,23 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
- break;
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
+ if (pubKeyHandle == CK_INVALID_HANDLE)
+ break;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
+ if (rv != SECSuccess)
+ break;
+ }
+ /* ec.publicValue should be decoded, PKCS #11 defines CKA_EC_POINT
+ * as encoded, but it's not always. try do decoded it and if it
+ * succeeds store the decoded value */
+ rv = SEC_QuickDERDecodeItem(arena, &decodedPoint,
+ SEC_ASN1_GET(SEC_OctetStringTemplate), &pubk->u.ec.publicValue);
+ if (rv == SECSuccess) {
+ /* both values are in the public key arena, so it's safe to
+ * overwrite the old value */
+ pubk->u.ec.publicValue = decodedPoint;
}
pubk->u.ec.encoding = ECPoint_Undefined;
return pubk;
@@ -1276,7 +1360,9 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
break;
}
- PORT_FreeArena(arena, PR_FALSE);
+ /* must use Destroy public key here, because some paths create temporary
+ * PKCS #11 objects which need to be freed */
+ SECKEY_DestroyPublicKey(pubk);
return NULL;
}
diff -up ./lib/pk11wrap/pk11priv.h.pub-priv-mech ./lib/pk11wrap/pk11priv.h
--- ./lib/pk11wrap/pk11priv.h.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/pk11wrap/pk11priv.h 2019-06-05 16:43:42.277498676 -0700
@@ -111,6 +111,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
+CK_OBJECT_HANDLE PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey);
/**********************************************************************
* Certs
diff -up ./lib/pk11wrap/pk11skey.c.pub-priv-mech ./lib/pk11wrap/pk11skey.c
--- ./lib/pk11wrap/pk11skey.c.pub-priv-mech 2019-06-05 16:37:38.726685789 -0700
+++ ./lib/pk11wrap/pk11skey.c 2019-06-05 16:43:42.278498675 -0700
@@ -1841,6 +1841,35 @@ loser:
}
/*
+ * This regenerate a public key from a private key. This function is currently
+ * NSS private. If we want to make it public, we need to add and optional
+ * template or at least flags (a.la. PK11_DeriveWithFlags).
+ */
+CK_OBJECT_HANDLE
+PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
+{
+ PK11SlotInfo *slot = privKey->pkcs11Slot;
+ CK_MECHANISM mechanism;
+ CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
+ CK_RV crv;
+
+ mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
+ mechanism.pParameter = NULL;
+ mechanism.ulParameterLen = 0;
+
+ PK11_EnterSlotMonitor(slot);
+ crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
+ privKey->pkcs11ID, NULL, 0,
+ &objectID);
+ PK11_ExitSlotMonitor(slot);
+ if (crv != CKR_OK) {
+ PORT_SetError(PK11_MapError(crv));
+ return CK_INVALID_HANDLE;
+ }
+ return objectID;
+}
+
+/*
* This Generates a wrapping key based on a privateKey, publicKey, and two
* random numbers. For Mail usage RandomB should be NULL. In the Sender's
* case RandomA is generate, outherwize it is passed.
diff -up ./lib/softoken/lowkey.c.pub-priv-mech ./lib/softoken/lowkey.c
--- ./lib/softoken/lowkey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
+++ ./lib/softoken/lowkey.c 2019-06-05 16:44:20.469479019 -0700
@@ -261,6 +261,7 @@ NSSLOWKEYPublicKey *
nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
{
NSSLOWKEYPublicKey *pubk;
+ SECItem publicValue;
PLArenaPool *arena;
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
@@ -301,6 +302,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
pubk->arena = arena;
pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dsa.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
+ &privk->u.dsa.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
&privk->u.dsa.publicValue);
if (rv != SECSuccess)
@@ -327,6 +341,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
pubk->arena = arena;
pubk->keyType = privk->keyType;
+ /* if the public key value doesn't exist, calculate it */
+ if (privk->u.dh.publicValue.len == 0) {
+ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
+ &privk->u.dh.privateValue, &publicValue, 0);
+ if (rv != SECSuccess) {
+ break;
+ }
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
+ if (rv != SECSuccess) {
+ break;
+ }
+ }
rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
&privk->u.dh.publicValue);
if (rv != SECSuccess)
diff -up ./lib/softoken/pkcs11c.c.pub-priv-mech ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.pub-priv-mech 2019-06-05 16:37:38.743685780 -0700
+++ ./lib/softoken/pkcs11c.c 2019-06-05 16:44:20.472479017 -0700
@@ -6569,6 +6569,10 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
extractValue = PR_FALSE;
classType = CKO_PRIVATE_KEY;
break;
+ case CKM_NSS_PUB_FROM_PRIV:
+ extractValue = PR_FALSE;
+ classType = CKO_PUBLIC_KEY;
+ break;
case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */
case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
@@ -6610,6 +6614,35 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
switch (mechanism) {
+ /* get a public key from a private key. nsslowkey_ConvertToPublickey()
+ * will generate the public portion if it doesn't already exist. */
+ case CKM_NSS_PUB_FROM_PRIV: {
+ NSSLOWKEYPrivateKey *privKey;
+ NSSLOWKEYPublicKey *pubKey;
+ int error;
+
+ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType);
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ /* privKey is stored in sourceKey and will be destroyed when
+ * the sourceKey is freed. */
+ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv);
+ if (privKey == NULL) {
+ break;
+ }
+ pubKey = nsslowkey_ConvertToPublicKey(privKey);
+ if (pubKey == NULL) {
+ error = PORT_GetError();
+ crv = sftk_MapCryptError(error);
+ break;
+ }
+ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey);
+ nsslowkey_DestroyPublicKey(pubKey);
+ break;
+ }
+
case CKM_NSS_IKE_PRF_DERIVE:
if (pMechanism->ulParameterLen !=
sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) {
diff -up ./lib/softoken/pkcs11.c.pub-priv-mech ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.pub-priv-mech 2019-06-05 16:37:38.728685788 -0700
+++ ./lib/softoken/pkcs11.c 2019-06-05 16:44:20.473479017 -0700
@@ -2206,6 +2206,123 @@ sftk_GetPrivKey(SFTKObject *object, CK_K
return priv;
}
+/* populate a public key object from a lowpublic keys structure */
+CK_RV
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
+{
+ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
+ CK_BBOOL cktrue = CK_TRUE;
+ CK_RV crv = CKR_OK;
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
+
+ switch (keyType) {
+ case CKK_RSA:
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
+ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
+ /* format the keys */
+ /* fill in the RSA dependent paramenters in the public key */
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
+ sftk_item_expand(&pubKey->u.rsa.modulus));
+ if (crv != CKR_OK)
+ break;
+ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
+ sftk_item_expand(&pubKey->u.rsa.publicExponent));
+ break;
+ case CKK_DSA:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
+ sftk_item_expand(&pubKey->u.dsa.params.subPrime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dsa.params.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dsa.publicValue));
+ break;
+
+ case CKK_DH:
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
+ sftk_item_expand(&pubKey->u.dh.prime));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
+ sftk_item_expand(&pubKey->u.dh.base));
+ if (crv != CKR_OK) {
+ break;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
+ sftk_item_expand(&pubKey->u.dh.publicValue));
+ break;
+
+ case CKK_EC:
+ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
+ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
+
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
+ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
+ if (crv != CKR_OK) {
+ break;
+ }
+
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+ sftk_item_expand(&pubKey->u.ec.publicValue));
+ break;
+
+ default:
+ return CKR_KEY_TYPE_INCONSISTENT;
+ }
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
+ sizeof(CK_OBJECT_CLASS));
+ if (crv != CKR_OK)
+ return crv;
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
+ sizeof(CK_KEY_TYPE));
+ if (crv != CKR_OK)
+ return crv;
+ /* now handle the operator attributes */
+ if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
+ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ if (sftk_isTrue(privateKey, CKA_DERIVE)) {
+ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
+ if (crv != CKR_OK) {
+ return crv;
+ }
+ }
+ return crv;
+}
+
/*
**************************** Symetric Key utils ************************
*/
diff -up ./lib/softoken/pkcs11i.h.pub-priv-mech ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.pub-priv-mech 2019-06-05 16:37:38.730685787 -0700
+++ ./lib/softoken/pkcs11i.h 2019-06-05 16:44:20.473479017 -0700
@@ -695,6 +695,9 @@ extern NSSLOWKEYPublicKey *sftk_GetPubKe
CK_KEY_TYPE key_type, CK_RV *crvp);
extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
CK_KEY_TYPE key_type, CK_RV *crvp);
+extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey,
+ CK_KEY_TYPE keyType,
+ NSSLOWKEYPublicKey *pubKey);
extern void sftk_FormatDESKey(unsigned char *key, int length);
extern PRBool sftk_CheckDESKey(unsigned char *key);
extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type);
diff -up ./lib/util/pkcs11n.h.pub-priv-mech ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.pub-priv-mech 2019-06-05 16:37:38.733685785 -0700
+++ ./lib/util/pkcs11n.h 2019-06-05 16:44:54.389461561 -0700
@@ -152,11 +152,6 @@
#define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
#define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
-/* IKE mechanism (to be proposed to PKCS #11 */
-#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7)
-#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8)
-#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9)
-#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10)
/* J-PAKE round 1 key generation mechanisms.
*
@@ -238,6 +233,15 @@
#define CKM_NSS_CHACHA20_CTR (CKM_NSS + 33)
+/* IKE mechanism (to be proposed to PKCS #11 */
+#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 34)
+#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 35)
+#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 36)
+#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 37)
+
+/* Derive a public key from a bare private key */
+#define CKM_NSS_PUB_FROM_PRIV (CKM_NSS + 40)
+
/*
* HISTORICAL:
* Do not attempt to use these. They are only used by NETSCAPE's internal

32
SOURCES/nss-disable-dc.patch Normal file
View File

@ -0,0 +1,32 @@
diff -up nss/lib/ssl/sslsock.c.dc nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.dc 2020-07-29 14:05:10.413370267 +0200
+++ nss/lib/ssl/sslsock.c 2020-07-29 14:06:38.339805833 +0200
@@ -798,7 +798,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ss->opt.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:
@@ -1316,7 +1316,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ssl_defaults.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:
diff -up nss/gtests/ssl_gtest/manifest.mn.dc nss/gtests/ssl_gtest/manifest.mn
--- nss/gtests/ssl_gtest/manifest.mn.dc 2020-07-29 16:46:29.574134443 +0200
+++ nss/gtests/ssl_gtest/manifest.mn 2020-07-29 16:46:35.821094263 +0200
@@ -56,7 +56,6 @@ CPPSRCS = \
tls_hkdf_unittest.cc \
tls_filter.cc \
tls_protect.cc \
- tls_subcerts_unittest.cc \
tls_esni_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)

41
SOURCES/nss-disable-md5.patch Normal file
View File

@ -0,0 +1,41 @@
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/pk11wrap/pk11pars.c Thu Jun 25 14:33:09 2020 +0200
@@ -323,11 +323,11 @@
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
+ 0 },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));

202
SOURCES/nss-disable-pkcs1-sigalgs-tls13.patch
View File

@ -1,202 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1559031046 -7200
# Tue May 28 10:10:46 2019 +0200
# Node ID 0a4e8b72a92e144663c2f35d3836f7828cfc97f2
# Parent 370a9e85f216f5f4ff277995a997c5c9b23a819f
Bug 1552208, prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3, r=mt
Reviewers: mt
Reviewed By: mt
Subscribers: mt, jcj, ueno, rrelyea, HubertKario, KevinJacobs
Tags: #secure-revision, #bmo-crypto-core-security
Bug #: 1552208
Differential Revision: https://phabricator.services.mozilla.com/D32454
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -701,6 +701,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
}
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
+ static const SSLSignatureScheme kSignatureScheme[] = {
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
+
+ Reset(TlsAgent::kServerRsa, "rsa");
+ client_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ server_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ client_->SetupClientAuth();
+ server_->RequestClientAuth(true);
+
+ auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
+ client_, kTlsHandshakeCertificateVerify);
+ capture_cert_verify->EnableDecryption();
+
+ Connect();
+ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
+ 1024);
+}
+
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
+ static const SSLSignatureScheme kSignatureScheme[] = {
+ ssl_sig_rsa_pkcs1_sha256};
+
+ Reset(TlsAgent::kServerRsa, "rsa");
+ client_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ server_->SetSignatureSchemes(kSignatureScheme,
+ PR_ARRAY_SIZE(kSignatureScheme));
+ client_->SetupClientAuth();
+ server_->RequestClientAuth(true);
+
+ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
+ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
+}
+
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
public:
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
@@ -933,7 +971,7 @@ TEST_P(TlsConnectTls13, InconsistentSign
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
}
-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
server_->RequestClientAuth(false);
@@ -1395,12 +1433,21 @@ TEST_P(TlsSignatureSchemeConfiguration,
INSTANTIATE_TEST_CASE_P(
SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
::testing::Combine(
- TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
+ TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
::testing::Values(TlsAgent::kServerRsaSign),
::testing::Values(ssl_auth_rsa_sign),
::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
ssl_sig_rsa_pss_rsae_sha384)));
+// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
+INSTANTIATE_TEST_CASE_P(
+ SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
+ TlsConnectTestBase::kTlsV13,
+ ::testing::Values(TlsAgent::kServerRsaSign),
+ ::testing::Values(ssl_auth_rsa_sign),
+ ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
+ ssl_sig_rsa_pss_rsae_sha384)));
// PSS with SHA-512 needs a bigger key to work.
INSTANTIATE_TEST_CASE_P(
SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
diff --git a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
@@ -68,12 +68,6 @@ class TlsCipherSuiteTestBase : public Tl
virtual void SetupCertificate() {
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
switch (sig_scheme_) {
- case ssl_sig_rsa_pkcs1_sha256:
- case ssl_sig_rsa_pkcs1_sha384:
- case ssl_sig_rsa_pkcs1_sha512:
- Reset(TlsAgent::kServerRsaSign);
- auth_type_ = ssl_auth_rsa_sign;
- break;
case ssl_sig_rsa_pss_rsae_sha256:
case ssl_sig_rsa_pss_rsae_sha384:
Reset(TlsAgent::kServerRsaSign);
@@ -330,6 +324,12 @@ static SSLSignatureScheme kSignatureSche
ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384,
ssl_sig_rsa_pss_pss_sha512};
+static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
+ ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384,
+ ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256,
+ ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512};
+
INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
kDummySignatureSchemesParams,
TLS_RSA_WITH_RC4_128_SHA,
@@ -394,7 +394,7 @@ INSTANTIATE_CIPHER_TEST_P(
#ifndef NSS_DISABLE_TLS_1_3
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
::testing::ValuesIn(kFasterDHEGroups),
- ::testing::ValuesIn(kSignatureSchemesParamsArr),
+ ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
TLS_AES_256_GCM_SHA384);
INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
@@ -436,14 +436,14 @@ TEST_P(TlsExtensionTest12Plus, Signature
}
TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
- // 31 unknown signature algorithms followed by sha-256, rsa
+ // 31 unknown signature algorithms followed by sha-256, rsa-pss
const uint8_t val[] = {
0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
DataBuffer extension(val, sizeof(val));
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
extension);
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
+PRBool ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme);
PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
const PRUint8 ssl_hello_retry_random[] = {
@@ -4101,6 +4102,9 @@ ssl_SignatureSchemeValid(SSLSignatureSch
if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
return PR_FALSE;
}
+ if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
+ return PR_FALSE;
+ }
/* With TLS 1.3, EC keys should have been selected based on calling
* ssl_SignatureSchemeFromSpki(), reject them otherwise. */
return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
@@ -4351,6 +4355,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
}
PRBool
+ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme)
+{
+ switch (scheme) {
+ case ssl_sig_rsa_pkcs1_sha256:
+ case ssl_sig_rsa_pkcs1_sha384:
+ case ssl_sig_rsa_pkcs1_sha512:
+ case ssl_sig_rsa_pkcs1_sha1:
+ return PR_TRUE;
+
+ default:
+ return PR_FALSE;
+ }
+ return PR_FALSE;
+}
+
+PRBool
ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
{
switch (scheme) {

169
SOURCES/nss-drbg-continuous.patch
View File

@ -1,169 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1561465415 -7200
# Tue Jun 25 14:23:35 2019 +0200
# Node ID a0114e3d8b22d4c6ee77504c483a0fe0037f4c71
# Parent 313dfef345bd93bc67982249bffa2cfdd5a9d1b5
Bug 1560329, drbg: perform continuous test on entropy source
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test to check that consecutive entropy blocks from the system are different. As neither getentropy() nor /dev/urandom provides that check on the output, this adds the self test at caller side.
Reviewers: rrelyea
Bug #: 1560329
Differential Revision: https://phabricator.services.mozilla.com/D35636
diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
@@ -30,6 +30,7 @@
#define PRNG_ADDITONAL_DATA_CACHE_SIZE (8 * 1024) /* must be less than \
* PRNG_MAX_ADDITIONAL_BYTES \
*/
+#define PRNG_ENTROPY_BLOCK_SIZE SHA256_LENGTH
/* RESEED_COUNT is how many calls to the prng before we need to reseed
* under normal NIST rules, you must return an error. In the NSS case, we
@@ -96,6 +97,8 @@ struct RNGContextStr {
PRUint32 additionalAvail;
PRBool isValid; /* false if RNG reaches an invalid state */
PRBool isKatTest; /* true if running NIST PRNG KAT tests */
+ /* for continuous entropy check */
+ PRUint8 previousEntropyHash[SHA256_LENGTH];
};
typedef struct RNGContextStr RNGContext;
@@ -169,6 +172,82 @@ prng_instantiate(RNGContext *rng, const
return SECSuccess;
}
+static PRCallOnceType coRNGInitEntropy;
+
+static PRStatus
+prng_initEntropy(void)
+{
+ size_t length;
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+ SHA256Context ctx;
+
+ /* For FIPS 140-2 4.9.2 continuous random number generator test,
+ * fetch the initial entropy from the system RNG and keep it for
+ * later comparison. */
+ length = RNG_SystemRNG(block, sizeof(block));
+ if (length == 0) {
+ return PR_FAILURE; /* error is already set */
+ }
+ PORT_Assert(length == sizeof(block));
+
+ /* Store the hash of the entropy block rather than the block
+ * itself for backward secrecy. */
+ SHA256_Begin(&ctx);
+ SHA256_Update(&ctx, block, sizeof(block));
+ SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
+ sizeof(globalrng->previousEntropyHash));
+ PORT_Memset(block, 0, sizeof(block));
+ return PR_SUCCESS;
+}
+
+static SECStatus
+prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+{
+ size_t total = 0;
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+ PRUint8 hash[SHA256_LENGTH];
+ SHA256Context ctx;
+ SECStatus rv = SECSuccess;
+
+ if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
+
+ /* For FIPS 140-2 4.9.2 continuous random generator test,
+ * iteratively fetch fixed sized blocks from the system and
+ * compare consecutive blocks. */
+ while (total < requestLength) {
+ size_t length = RNG_SystemRNG(block, sizeof(block));
+ if (length == 0) {
+ rv = SECFailure; /* error is already set */
+ goto out;
+ }
+ PORT_Assert(length == sizeof(block));
+
+ /* Store the hash of the entropy block rather than the block
+ * itself for backward secrecy. */
+ SHA256_Begin(&ctx);
+ SHA256_Update(&ctx, block, sizeof(block));
+ SHA256_End(&ctx, hash, NULL, sizeof(hash));
+
+ if (PORT_Memcmp(globalrng->previousEntropyHash, hash, sizeof(hash)) == 0) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ rv = SECFailure;
+ goto out;
+ }
+ PORT_Memcpy(globalrng->previousEntropyHash, hash, sizeof(hash));
+ length = PR_MIN(requestLength - total, sizeof(block));
+ PORT_Memcpy(buffer, block, length);
+ total += length;
+ buffer += length;
+ }
+
+ out:
+ PORT_Memset(block, 0, sizeof block);
+ return rv;
+}
+
/*
* Update the global random number generator with more seeding
* material. Use the Hash_DRBG reseed algorithm from NIST SP-800-90
@@ -182,11 +261,15 @@ prng_reseed(RNGContext *rng, const PRUin
{
PRUint8 noiseData[(sizeof rng->V_Data) + PRNG_SEEDLEN];
PRUint8 *noise = &noiseData[0];
+ SECStatus rv;
/* if entropy wasn't supplied, fetch it. (normal operation case) */
if (entropy == NULL) {
- entropy_len = (unsigned int)RNG_SystemRNG(
- &noiseData[sizeof rng->V_Data], PRNG_SEEDLEN);
+ entropy_len = PRNG_SEEDLEN;
+ rv = prng_getEntropy(&noiseData[sizeof rng->V_Data], entropy_len);
+ if (rv != SECSuccess) {
+ return SECFailure; /* error is already set */
+ }
} else {
/* NOTE: this code is only available for testing, not to applications */
/* if entropy was too big for the stack variable, get it from malloc */
@@ -384,7 +467,6 @@ static PRStatus
rng_init(void)
{
PRUint8 bytes[PRNG_SEEDLEN * 2]; /* entropy + nonce */
- unsigned int numBytes;
SECStatus rv = SECSuccess;
if (globalrng == NULL) {
@@ -403,18 +485,17 @@ rng_init(void)
}
/* Try to get some seed data for the RNG */
- numBytes = (unsigned int)RNG_SystemRNG(bytes, sizeof bytes);
- PORT_Assert(numBytes == 0 || numBytes == sizeof bytes);
- if (numBytes != 0) {
+ rv = prng_getEntropy(bytes, sizeof bytes);
+ if (rv == SECSuccess) {
/* if this is our first call, instantiate, otherwise reseed
* prng_instantiate gets a new clean state, we want to mix
* any previous entropy we may have collected */
if (V(globalrng)[0] == 0) {
- rv = prng_instantiate(globalrng, bytes, numBytes);
+ rv = prng_instantiate(globalrng, bytes, sizeof bytes);
} else {
- rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
+ rv = prng_reseed_test(globalrng, bytes, sizeof bytes, NULL, 0);
}
- memset(bytes, 0, numBytes);
+ memset(bytes, 0, sizeof bytes);
} else {
PZ_DestroyLock(globalrng->lock);
globalrng->lock = NULL;

30
SOURCES/nss-fips-disable-tls13.patch
View File

@ -1,30 +0,0 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -2382,16 +2382,26 @@ ssl3_CreateOverlapWithPolicy(SSLProtocol
rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
&effectivePolicyBoundary);
if (rv == SECFailure) {
/* SECFailure means internal failure or invalid configuration. */
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
return SECFailure;
}
+ /* TODO: TLSv1.3 doesn't work yet under FIPS mode */
+ if (PK11_IsFIPS()) {
+ if (effectivePolicyBoundary.min >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ effectivePolicyBoundary.min = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+ if (effectivePolicyBoundary.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
+ effectivePolicyBoundary.max = SSL_LIBRARY_VERSION_TLS_1_2;
+ }
+ }
+
vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
if (vrange.max < vrange.min) {
/* there was no overlap, turn off range altogether */
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
return SECFailure;
}

81
SOURCES/nss-fipstest-tls12-prf.patch
View File

@ -1,81 +0,0 @@
# HG changeset patch
# User Tomas Mraz <tmraz@fedoraproject.org>
# Date 1560861770 -7200
# Tue Jun 18 14:42:50 2019 +0200
# Node ID 6ef49fe67d6227a1d290da5537ec0dade379a15a
# Parent ebc93d6daeaa9001d31fd18b5199779da99ae9aa
Bug 1559906, fipstest: use CKM_TLS12_MASTER_KEY_DERIVE in TLS test, r=rrelyea
This also lets us CAVS tests more than just SHA256.
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -6669,12 +6669,13 @@ tls(char *reqfn)
CK_MECHANISM master_mech = { CKM_TLS_MASTER_KEY_DERIVE, NULL, 0 };
CK_MECHANISM key_block_mech = { CKM_TLS_KEY_AND_MAC_DERIVE, NULL, 0 };
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
- CK_SSL3_KEY_MAT_PARAMS key_block_params;
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+ CK_TLS12_KEY_MAT_PARAMS key_block_params;
CK_SSL3_KEY_MAT_OUT key_material;
CK_RV crv;
/* set up PKCS #11 parameters */
+ master_params.prfHashMechanism = CKM_SHA256;
master_params.pVersion = NULL;
master_params.RandomInfo.pClientRandom = clientHello_random;
master_params.RandomInfo.ulClientRandomLen = sizeof(clientHello_random);
@@ -6682,6 +6683,7 @@ tls(char *reqfn)
master_params.RandomInfo.ulServerRandomLen = sizeof(serverHello_random);
master_mech.pParameter = (void *)&master_params;
master_mech.ulParameterLen = sizeof(master_params);
+ key_block_params.prfHashMechanism = CKM_SHA256;
key_block_params.ulMacSizeInBits = 0;
key_block_params.ulKeySizeInBits = 0;
key_block_params.ulIVSizeInBits = 0;
@@ -6724,13 +6726,39 @@ tls(char *reqfn)
if (buf[0] == '[') {
if (strncmp(buf, "[TLS", 4) == 0) {
if (buf[7] == '0') {
+ /* CK_SSL3_MASTER_KEY_DERIVE_PARAMS is a subset of
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS and
+ * CK_SSL3_KEY_MAT_PARAMS is a subset of
+ * CK_TLS12_KEY_MAT_PARAMS. The latter params have
+ * an extra prfHashMechanism field at the end. */
master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;
key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;
+ master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
+ key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS);
} else if (buf[7] == '2') {
- master_mech.mechanism =
- CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
- key_block_mech.mechanism =
- CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
+ if (strncmp(&buf[10], "SHA-1", 5) == 0) {
+ master_params.prfHashMechanism = CKM_SHA_1;
+ key_block_params.prfHashMechanism = CKM_SHA_1;
+ } else if (strncmp(&buf[10], "SHA-224", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA224;
+ key_block_params.prfHashMechanism = CKM_SHA224;
+ } else if (strncmp(&buf[10], "SHA-256", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA256;
+ key_block_params.prfHashMechanism = CKM_SHA256;
+ } else if (strncmp(&buf[10], "SHA-384", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA384;
+ key_block_params.prfHashMechanism = CKM_SHA384;
+ } else if (strncmp(&buf[10], "SHA-512", 7) == 0) {
+ master_params.prfHashMechanism = CKM_SHA512;
+ key_block_params.prfHashMechanism = CKM_SHA512;
+ } else {
+ fprintf(tlsresp, "ERROR: Unable to find prf Hash type");
+ goto loser;
+ }
+ master_mech.mechanism = CKM_TLS12_MASTER_KEY_DERIVE;
+ key_block_mech.mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
+ master_mech.ulParameterLen = sizeof(master_params);
+ key_block_mech.ulParameterLen = sizeof(key_block_params);
} else {
fprintf(stderr, "Unknown TLS type %x\n",
(unsigned int)buf[0]);

21
SOURCES/nss-gcm-param-default-pkcs11v2.patch Normal file
View File

@ -0,0 +1,21 @@
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
/* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
+#ifndef NSS_PKCS11_3_0_STRICT
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
#define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
#else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
#endif

4513
SOURCES/nss-ike-patch.patch
View File

File diff suppressed because it is too large Load Diff

127
SOURCES/nss-input-check.patch
View File

@ -1,127 +0,0 @@
# HG changeset patch
# User Martin Thomson <mt@lowentropy.net>
# Date 1560498951 0
# Fri Jun 14 07:55:51 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
# Parent 876bca2723a1f969422edc93e7504420d8331d3c
Bug 1515342 - More thorough input checking, r=jcj
All part of applying better discipline throughout.
Differential Revision: https://phabricator.services.mozilla.com/D33736
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -639,6 +639,11 @@ seckey_ExtractPublicKey(const CERTSubjec
return pubk;
break;
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
+ /* A basic sanity check on inputs. */
+ if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
+ break;
+ }
pubk->keyType = ecKey;
pubk->u.ec.size = 0;
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -210,7 +210,8 @@ DH_Derive(SECItem *publicValue,
unsigned int len = 0;
unsigned int nb;
unsigned char *secret = NULL;
- if (!publicValue || !prime || !privateValue || !derivedSecret) {
+ if (!publicValue || !publicValue->len || !prime || !prime->len ||
+ !privateValue || !privateValue->len || !derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
--- a/lib/freebl/ec.c
+++ b/lib/freebl/ec.c
@@ -202,8 +202,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateK
#endif
MP_DIGITS(&k) = 0;
- if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0) ||
- !ecParams->name) {
+ if (!ecParams || ecParams->name == ECCurve_noName ||
+ !privKey || !privKeyBytes || privKeyLen <= 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -391,7 +391,7 @@ EC_NewKey(ECParams *ecParams, ECPrivateK
int len;
unsigned char *privKeyBytes = NULL;
- if (!ecParams) {
+ if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -430,7 +430,8 @@ EC_ValidatePublicKey(ECParams *ecParams,
mp_err err = MP_OKAY;
int len;
- if (!ecParams || !publicValue || !ecParams->name) {
+ if (!ecParams || ecParams->name == ECCurve_noName ||
+ !publicValue || !publicValue->len) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
@@ -536,8 +537,9 @@ ECDH_Derive(SECItem *publicValue,
int i;
#endif
- if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
- !ecParams->name) {
+ if (!publicValue || !publicValue->len ||
+ !ecParams || ecParams->name == ECCurve_noName ||
+ !privateValue || !privateValue->len || !derivedSecret) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
diff --git a/lib/util/quickder.c b/lib/util/quickder.c
--- a/lib/util/quickder.c
+++ b/lib/util/quickder.c
@@ -757,6 +757,13 @@ DecodeItem(void* dest,
}
case SEC_ASN1_BIT_STRING: {
+ /* Can't be 8 or more spare bits, or any spare bits
+ * if there are no octets. */
+ if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ rv = SECFailure;
+ break;
+ }
/* change the length in the SECItem to be the number
of bits */
temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);
# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1561145635 0
# Fri Jun 21 19:33:55 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID 416a8f7cf8986103b4d74694aac1198edbb08b3e
# Parent fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
Bug 1515342 - Ignore spki decode failures on negative (expect_fail) tests. r=jcj
Differential Revision: https://phabricator.services.mozilla.com/D35565
diff --git a/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
--- a/gtests/pk11_gtest/pk11_curve25519_unittest.cc
+++ b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
@@ -40,6 +40,9 @@ class Pkcs11Curve25519Test
ScopedCERTSubjectPublicKeyInfo certSpki(
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
+ if (!expect_success && !certSpki) {
+ return;
+ }
ASSERT_TRUE(certSpki);
ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));

143
SOURCES/nss-leading-zero.patch
View File

@ -1,143 +0,0 @@
# HG changeset patch
# User Kevin Jacobs <kjacobs@mozilla.com>
# Date 1560499074 0
# Fri Jun 14 07:57:54 2019 +0000
# Branch NSS_3_44_BRANCH
# Node ID 876bca2723a1f969422edc93e7504420d8331d3c
# Parent 20671f860c2619dc27208d64a84a759fdffc5ed1
Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import. r=jcj,mt
Differential Revision: https://phabricator.services.mozilla.com/D31671
diff --git a/lib/freebl/ecl/ecp_25519.c b/lib/freebl/ecl/ecp_25519.c
--- a/lib/freebl/ecl/ecp_25519.c
+++ b/lib/freebl/ecl/ecp_25519.c
@@ -114,6 +114,9 @@ ec_Curve25519_pt_mul(SECItem *X, SECItem
}
px = P->data;
}
+ if (k->len != 32) {
+ return SECFailure;
+ }
SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
--- a/lib/pk11wrap/pk11akey.c
+++ b/lib/pk11wrap/pk11akey.c
@@ -190,7 +190,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
attrs++;
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
attrs++;
- signedattr = attrs;
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
pubKey->u.ec.DEREncodedParams.data,
pubKey->u.ec.DEREncodedParams.len);
@@ -222,12 +221,14 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
PORT_SetError(SEC_ERROR_BAD_KEY);
return CK_INVALID_HANDLE;
}
-
templateCount = attrs - theTemplate;
- signedcount = attrs - signedattr;
PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
- for (attrs = signedattr; signedcount; attrs++, signedcount--) {
- pk11_SignedToUnsigned(attrs);
+ if (pubKey->keyType != ecKey) {
+ PORT_Assert(signedattr);
+ signedcount = attrs - signedattr;
+ for (attrs = signedattr; signedcount; attrs++, signedcount--) {
+ pk11_SignedToUnsigned(attrs);
+ }
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
templateCount, isToken, &objectID);
@@ -1074,9 +1075,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *
&cktrue, &ckfalse);
/* Not everyone can handle zero padded key values, give
- * them the raw data as unsigned */
- for (ap = attrs; extra_count; ap++, extra_count--) {
- pk11_SignedToUnsigned(ap);
+ * them the raw data as unsigned. The exception is EC,
+ * where the values are encoded or zero-preserving
+ * per-RFC5915 */
+ if (privKey->keyType != ecKey) {
+ for (ap = attrs; extra_count; ap++, extra_count--) {
+ pk11_SignedToUnsigned(ap);
+ }
}
/* now Store the puppies */
diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
--- a/lib/pk11wrap/pk11cert.c
+++ b/lib/pk11wrap/pk11cert.c
@@ -184,7 +184,9 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERT
SECKEY_DestroyPublicKey(pubKey);
return PR_FALSE;
}
- pk11_SignedToUnsigned(&theTemplate);
+ if (pubKey->keyType != ecKey) {
+ pk11_SignedToUnsigned(&theTemplate);
+ }
if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
SECKEY_DestroyPublicKey(pubKey);
return PR_TRUE;
diff --git a/lib/pk11wrap/pk11pk12.c b/lib/pk11wrap/pk11pk12.c
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -505,7 +505,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
}
PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len);
attrs++;
- signedattr = attrs;
+ /* No signed attrs for EC */
/* curveOID always is a copy of AlgorithmID.parameters. */
PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
lpk->u.ec.curveOID.len);
@@ -523,11 +523,12 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
}
templateCount = attrs - theTemplate;
PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
- PORT_Assert(signedattr != NULL);
- signedcount = attrs - signedattr;
-
- for (ap = signedattr; signedcount; ap++, signedcount--) {
- pk11_SignedToUnsigned(ap);
+ if (lpk->keyType != ecKey) {
+ PORT_Assert(signedattr);
+ signedcount = attrs - signedattr;
+ for (ap = signedattr; signedcount; ap++, signedcount--) {
+ pk11_SignedToUnsigned(ap);
+ }
}
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
diff --git a/lib/softoken/legacydb/lgattr.c b/lib/softoken/legacydb/lgattr.c
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -950,9 +950,9 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
case CKA_UNWRAP:
return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
case CKA_VALUE:
- return lg_CopyPrivAttrSigned(attribute, type,
- key->u.ec.privateValue.data,
- key->u.ec.privateValue.len, sdbpw);
+ return lg_CopyPrivAttribute(attribute, type,
+ key->u.ec.privateValue.data,
+ key->u.ec.privateValue.len, sdbpw);
case CKA_EC_PARAMS:
return lg_CopyAttributeSigned(attribute, type,
key->u.ec.ecParams.DEREncoding.data,
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -7747,7 +7747,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
withCofactor, &tmp);
- PORT_Free(ecScalar.data);
+ PORT_ZFree(ecScalar.data, ecScalar.len);
ecScalar.data = NULL;
if (privKey != sourceKey->objectInfo) {
nsslowkey_DestroyPrivateKey(privKey);

35
SOURCES/nss-module-leak.patch
View File

@ -1,35 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1557150127 -7200
# Mon May 06 15:42:07 2019 +0200
# Node ID 438ac983bda9ec7944990d22a37877e9111caa90
# Parent b018f3e84d87cce99a1fd81feeecb31123058687
pk11slot: reference module from slot for finalization
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
--- a/lib/pk11wrap/pk11slot.c
+++ b/lib/pk11wrap/pk11slot.c
@@ -1439,6 +1439,11 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
slot->slotID = slotID;
slot->isThreadSafe = mod->isThreadSafe;
slot->hasRSAInfo = PR_FALSE;
+ slot->module = mod; /* NOTE: we don't make a reference here because
+ * modules have references to their slots. This
+ * works because modules keep implicit references
+ * from their slots, and won't unload and disappear
+ * until all their slots have been freed */
if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) {
slot->disabled = PR_TRUE;
@@ -1448,11 +1453,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
/* test to make sure claimed mechanism work */
slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
- slot->module = mod; /* NOTE: we don't make a reference here because
- * modules have references to their slots. This
- * works because modules keep implicit references
- * from their slots, and won't unload and disappear
- * until all their slots have been freed */
(void)PK11_MakeString(NULL, slot->slot_name,
(char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);

24
SOURCES/nss-mpi-loop.patch
View File

@ -1,24 +0,0 @@
# HG changeset patch
# User Greg Rubin <rubin@amazon.com>
# Date 1558464083 25200
# Tue May 21 11:41:23 2019 -0700
# Branch NSS_3_44_BRANCH
# Node ID 1eac9016c021055018389a5cb117678ecc61782a
# Parent 416a8f7cf8986103b4d74694aac1198edbb08b3e
Bug 1554336 - Optimize away unneeded loop in mpi.c r=kevinjacobs,jcj
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -2063,7 +2063,10 @@ s_mp_almost_inverse(const mp_int *a, con
}
}
if (res >= 0) {
- while (MP_SIGN(c) != MP_ZPOS) {
+ if (mp_cmp_mag(c, p) >= 0) {
+ MP_CHECKOK(mp_div(c, p, NULL, c));
+ }
+ if (MP_SIGN(c) != MP_ZPOS) {
MP_CHECKOK(mp_add(c, p, c));
}
res = k;

96
SOURCES/nss-post-handshake-auth-with-tickets.patch
View File

@ -1,96 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1559121620 -7200
# Wed May 29 11:20:20 2019 +0200
# Node ID 29a48b604602a523defd6f9322a5adeca7e284a5
# Parent 43a7fb4f994a31222c308113b0fccdd5480d5b8e
Bug 1553443, send session ticket only after handshake is marked as finished
Reviewers: mt
Reviewed By: mt
Bug #: 1553443
Differential Revision: https://phabricator.services.mozilla.com/D32128
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -537,6 +537,40 @@ TEST_F(TlsConnectStreamTls13, PostHandsh
capture_cert_req->buffer().len()));
}
+// Check if post-handshake auth still works when session tickets are enabled:
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
+TEST_F(TlsConnectStreamTls13, PostHandshakeAuthWithSessionTicketsEnabled) {
+ EnsureTlsSetup();
+ client_->SetupClientAuth();
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
+ SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE));
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
+ size_t called = 0;
+ server_->SetAuthCertificateCallback(
+ [&called](TlsAgent*, PRBool, PRBool) -> SECStatus {
+ called++;
+ return SECSuccess;
+ });
+ Connect();
+ EXPECT_EQ(0U, called);
+ // Send CertificateRequest.
+ EXPECT_EQ(SECSuccess, SSL_GetClientAuthDataHook(
+ client_->ssl_fd(), GetClientAuthDataHook, nullptr));
+ EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd()))
+ << "Unexpected error: " << PORT_ErrorToName(PORT_GetError());
+ server_->SendData(50);
+ client_->ReadBytes(50);
+ client_->SendData(50);
+ server_->ReadBytes(50);
+ EXPECT_EQ(1U, called);
+ ScopedCERTCertificate cert1(SSL_PeerCertificate(server_->ssl_fd()));
+ ScopedCERTCertificate cert2(SSL_LocalCertificate(client_->ssl_fd()));
+ EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
+}
+
// In TLS 1.3, the client sends its cert rejection on the
// second flight, and since it has already received the
// server's Finished, it transitions to complete and
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
--- a/lib/ssl/tls13con.c
+++ b/lib/ssl/tls13con.c
@@ -4561,6 +4561,11 @@ tls13_ServerHandleFinished(sslSocket *ss
return SECFailure;
}
+ rv = tls13_FinishHandshake(ss);
+ if (rv != SECSuccess) {
+ return SECFailure;
+ }
+
ssl_GetXmitBufLock(ss);
if (ss->opt.enableSessionTickets) {
rv = tls13_SendNewSessionTicket(ss, NULL, 0);
@@ -4573,8 +4578,7 @@ tls13_ServerHandleFinished(sslSocket *ss
}
}
ssl_ReleaseXmitBufLock(ss);
-
- return tls13_FinishHandshake(ss);
+ return SECSuccess;
loser:
ssl_ReleaseXmitBufLock(ss);
diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
--- a/tests/ssl/sslauth.txt
+++ b/tests/ssl/sslauth.txt
@@ -42,6 +42,7 @@
noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
+ noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth)
#
# Use EC cert for client authentication
#

247
SOURCES/nss-rsa-pkcs1-sigalgs.patch Normal file
View File

@ -0,0 +1,247 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1594360877 -7200
# Fri Jul 10 08:01:17 2020 +0200
# Node ID df1d2695e115ed9e6f7e8df6ad4d7be2c9bc77d8
# Parent de661583d46713c9b4873a904dda3a8ba4a61976
Bug 1646324, advertise rsa_pkcs1_* schemes in CH and CR for certs, r=mt
Summary:
In TLS 1.3, unless "signature_algorithms_cert" is advertised, the
"signature_algorithms" extension is used as an indication of supported
algorithms for signatures on certificates. While rsa_pkcs1_*
signatures schemes cannot be used for signing handshake messages, they
should be advertised if the peer wants to to support certificates
signed with RSA PKCS#1.
This adds a flag to ssl3_EncodeSigAlgs() and ssl3_FilterSigAlgs() to
preserve rsa_pkcs1_* schemes in the output.
Reviewers: mt
Reviewed By: mt
Bug #: 1646324
Differential Revision: https://phabricator.services.mozilla.com/D80881
diff -r de661583d467 -r df1d2695e115 gtests/ssl_gtest/ssl_auth_unittest.cc
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc Thu Jul 09 22:45:27 2020 +0000
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc Fri Jul 10 08:01:17 2020 +0200
@@ -1591,6 +1591,47 @@
capture->extension());
}
+TEST_P(TlsConnectTls13, Tls13RsaPkcs1IsAdvertisedClient) {
+ EnsureTlsSetup();
+ static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pkcs1_sha256,
+ ssl_sig_rsa_pss_rsae_sha256};
+ client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+ auto capture =
+ MakeTlsFilter<TlsExtensionCapture>(client_, ssl_signature_algorithms_xtn);
+ Connect();
+ // We should only have the one signature algorithm advertised.
+ static const uint8_t kExpectedExt[] = {0,
+ 4,
+ ssl_sig_rsa_pss_rsae_sha256 >> 8,
+ ssl_sig_rsa_pss_rsae_sha256 & 0xff,
+ ssl_sig_rsa_pkcs1_sha256 >> 8,
+ ssl_sig_rsa_pkcs1_sha256 & 0xff};
+ ASSERT_EQ(DataBuffer(kExpectedExt, sizeof(kExpectedExt)),
+ capture->extension());
+}
+
+TEST_P(TlsConnectTls13, Tls13RsaPkcs1IsAdvertisedServer) {
+ EnsureTlsSetup();
+ static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pkcs1_sha256,
+ ssl_sig_rsa_pss_rsae_sha256};
+ server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+ auto capture = MakeTlsFilter<TlsExtensionCapture>(
+ server_, ssl_signature_algorithms_xtn, true);
+ capture->SetHandshakeTypes({kTlsHandshakeCertificateRequest});
+ capture->EnableDecryption();
+ server_->RequestClientAuth(false); // So we get a CertificateRequest.
+ Connect();
+ // We should only have the one signature algorithm advertised.
+ static const uint8_t kExpectedExt[] = {0,
+ 4,
+ ssl_sig_rsa_pss_rsae_sha256 >> 8,
+ ssl_sig_rsa_pss_rsae_sha256 & 0xff,
+ ssl_sig_rsa_pkcs1_sha256 >> 8,
+ ssl_sig_rsa_pkcs1_sha256 & 0xff};
+ ASSERT_EQ(DataBuffer(kExpectedExt, sizeof(kExpectedExt)),
+ capture->extension());
+}
+
// variant, version, certificate, auth type, signature scheme
typedef std::tuple<SSLProtocolVariant, uint16_t, std::string, SSLAuthType,
SSLSignatureScheme>
diff -r de661583d467 -r df1d2695e115 lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c Thu Jul 09 22:45:27 2020 +0000
+++ b/lib/ssl/ssl3con.c Fri Jul 10 08:01:17 2020 +0200
@@ -784,15 +784,19 @@
* Both by policy and by having a token that supports it. */
static PRBool
ssl_SignatureSchemeAccepted(PRUint16 minVersion,
- SSLSignatureScheme scheme)
+ SSLSignatureScheme scheme,
+ PRBool forCert)
{
/* Disable RSA-PSS schemes if there are no tokens to verify them. */
if (ssl_IsRsaPssSignatureScheme(scheme)) {
if (!PK11_TokenExists(auth_alg_defs[ssl_auth_rsa_pss])) {
return PR_FALSE;
}
- } else if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
- /* Disable PKCS#1 signatures if we are limited to TLS 1.3. */
+ } else if (!forCert && ssl_IsRsaPkcs1SignatureScheme(scheme)) {
+ /* Disable PKCS#1 signatures if we are limited to TLS 1.3.
+ * We still need to advertise PKCS#1 signatures in CH and CR
+ * for certificate signatures.
+ */
if (minVersion >= SSL_LIBRARY_VERSION_TLS_1_3) {
return PR_FALSE;
}
@@ -851,7 +855,8 @@
/* Ensure that there is a signature scheme that can be accepted.*/
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
if (ssl_SignatureSchemeAccepted(ss->vrange.min,
- ss->ssl3.signatureSchemes[i])) {
+ ss->ssl3.signatureSchemes[i],
+ PR_FALSE /* forCert */)) {
return SECSuccess;
}
}
@@ -880,7 +885,7 @@
PRBool acceptable = authType == schemeAuthType ||
(schemeAuthType == ssl_auth_rsa_pss &&
authType == ssl_auth_rsa_sign);
- if (acceptable && ssl_SignatureSchemeAccepted(ss->version, scheme)) {
+ if (acceptable && ssl_SignatureSchemeAccepted(ss->version, scheme, PR_FALSE /* forCert */)) {
return PR_TRUE;
}
}
@@ -9803,12 +9808,13 @@
}
SECStatus
-ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, sslBuffer *buf)
+ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
+ sslBuffer *buf)
{
SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 };
unsigned int filteredCount = 0;
- SECStatus rv = ssl3_FilterSigAlgs(ss, minVersion, PR_FALSE,
+ SECStatus rv = ssl3_FilterSigAlgs(ss, minVersion, PR_FALSE, forCert,
PR_ARRAY_SIZE(filtered),
filtered, &filteredCount);
if (rv != SECSuccess) {
@@ -9843,8 +9849,21 @@
return sslBuffer_InsertLength(buf, lengthOffset, 2);
}
+/*
+ * In TLS 1.3 we are permitted to advertise support for PKCS#1
+ * schemes. This doesn't affect the signatures in TLS itself, just
+ * those on certificates. Not advertising PKCS#1 signatures creates a
+ * serious compatibility risk as it excludes many certificate chains
+ * that include PKCS#1. Hence, forCert is used to enable advertising
+ * PKCS#1 support. Note that we include these in signature_algorithms
+ * because we don't yet support signature_algorithms_cert. TLS 1.3
+ * requires that PKCS#1 schemes are placed last in the list if they
+ * are present. This sorting can be removed once we support
+ * signature_algorithms_cert.
+ */
SECStatus
ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae,
+ PRBool forCert,
unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
unsigned int *numFilteredSchemes)
{
@@ -9856,15 +9875,32 @@
}
*numFilteredSchemes = 0;
+ PRBool allowUnsortedPkcs1 = forCert && minVersion < SSL_LIBRARY_VERSION_TLS_1_3;
for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
if (disableRsae && ssl_IsRsaeSignatureScheme(ss->ssl3.signatureSchemes[i])) {
continue;
}
if (ssl_SignatureSchemeAccepted(minVersion,
- ss->ssl3.signatureSchemes[i])) {
+ ss->ssl3.signatureSchemes[i],
+ allowUnsortedPkcs1)) {
filteredSchemes[(*numFilteredSchemes)++] = ss->ssl3.signatureSchemes[i];
}
}
+ if (forCert && !allowUnsortedPkcs1) {
+ for (unsigned int i = 0; i < ss->ssl3.signatureSchemeCount; ++i) {
+ if (disableRsae && ssl_IsRsaeSignatureScheme(ss->ssl3.signatureSchemes[i])) {
+ continue;
+ }
+ if (!ssl_SignatureSchemeAccepted(minVersion,
+ ss->ssl3.signatureSchemes[i],
+ PR_FALSE) &&
+ ssl_SignatureSchemeAccepted(minVersion,
+ ss->ssl3.signatureSchemes[i],
+ PR_TRUE)) {
+ filteredSchemes[(*numFilteredSchemes)++] = ss->ssl3.signatureSchemes[i];
+ }
+ }
+ }
return SECSuccess;
}
@@ -9901,7 +9937,7 @@
length = 1 + certTypesLength + 2 + calen;
if (isTLS12) {
- rv = ssl3_EncodeSigAlgs(ss, ss->version, &sigAlgsBuf);
+ rv = ssl3_EncodeSigAlgs(ss, ss->version, PR_TRUE /* forCert */, &sigAlgsBuf);
if (rv != SECSuccess) {
return rv;
}
diff -r de661583d467 -r df1d2695e115 lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c Thu Jul 09 22:45:27 2020 +0000
+++ b/lib/ssl/ssl3exthandle.c Fri Jul 10 08:01:17 2020 +0200
@@ -1652,7 +1652,7 @@
minVersion = ss->vrange.min; /* ClientHello */
}
- SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, buf);
+ SECStatus rv = ssl3_EncodeSigAlgs(ss, minVersion, PR_TRUE /* forCert */, buf);
if (rv != SECSuccess) {
return SECFailure;
}
diff -r de661583d467 -r df1d2695e115 lib/ssl/sslimpl.h
--- a/lib/ssl/sslimpl.h Thu Jul 09 22:45:27 2020 +0000
+++ b/lib/ssl/sslimpl.h Fri Jul 10 08:01:17 2020 +0200
@@ -1688,12 +1688,12 @@
SECStatus ssl3_AuthCertificate(sslSocket *ss);
SECStatus ssl_ReadCertificateStatus(sslSocket *ss, PRUint8 *b,
PRUint32 length);
-SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion,
+SECStatus ssl3_EncodeSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool forCert,
sslBuffer *buf);
SECStatus ssl3_EncodeFilteredSigAlgs(const sslSocket *ss,
const SSLSignatureScheme *schemes,
PRUint32 numSchemes, sslBuffer *buf);
-SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae,
+SECStatus ssl3_FilterSigAlgs(const sslSocket *ss, PRUint16 minVersion, PRBool disableRsae, PRBool forCert,
unsigned int maxSchemes, SSLSignatureScheme *filteredSchemes,
unsigned int *numFilteredSchemes);
SECStatus ssl_GetCertificateRequestCAs(const sslSocket *ss,
diff -r de661583d467 -r df1d2695e115 lib/ssl/tls13exthandle.c
--- a/lib/ssl/tls13exthandle.c Thu Jul 09 22:45:27 2020 +0000
+++ b/lib/ssl/tls13exthandle.c Fri Jul 10 08:01:17 2020 +0200
@@ -1519,7 +1519,8 @@
SSLSignatureScheme filtered[MAX_SIGNATURE_SCHEMES] = { 0 };
unsigned int filteredCount = 0;
SECStatus rv = ssl3_FilterSigAlgs(ss, ss->vrange.max,
- PR_TRUE,
+ PR_TRUE /* disableRsae */,
+ PR_FALSE /* forCert */,
MAX_SIGNATURE_SCHEMES,
filtered,
&filteredCount);

2266
SOURCES/nss-sha2-ppc.patch Normal file
View File

File diff suppressed because it is too large Load Diff

11
SOURCES/nss-skip-sysinit-gtests.patch
View File

@ -1,11 +1,12 @@
diff -up nss/gtests/manifest.mn.skip-sysinit-gtests nss/gtests/manifest.mn
--- nss/gtests/manifest.mn.skip-sysinit-gtests 2019-04-26 12:55:05.979302035 +0200
+++ nss/gtests/manifest.mn 2019-04-26 12:55:09.507228984 +0200
@@ -27,7 +27,6 @@ NSS_SRCDIRS = \
Index: nss/gtests/manifest.mn
===================================================================
--- nss.orig/gtests/manifest.mn
+++ nss/gtests/manifest.mn
@@ -31,7 +31,6 @@ NSS_SRCDIRS = \
smime_gtest \
softoken_gtest \
ssl_gtest \
- $(SYSINIT_GTEST) \
nss_bogo_shim \
pkcs11testmodule \
$(NULL)
endif

27
SOURCES/nss-skip-tls13-fips.patch
View File

@ -1,27 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1558341826 -7200
# Mon May 20 10:43:46 2019 +0200
# Node ID b447f0046807b718d2928d0e33313620d38a287a
# Parent 02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
tests: skip TLS 1.3 tests under FIPS mode
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -393,6 +393,15 @@ ssl_auth()
echo "${testname}" | grep "TLS 1.3" > /dev/null
TLS13=$?
+ # Currently TLS 1.3 tests are known to fail under FIPS mode,
+ # because HKDF is implemented using the PKCS #11 functions
+ # prohibited under FIPS mode.
+ if [ "${TLS13}" -eq 0 ] && \
+ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
+ continue
+ fi
+
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then

1148
SOURCES/nss-softokn-fips-update.patch
View File

File diff suppressed because it is too large Load Diff

192
SPECS/nss.spec
View File

@ -1,5 +1,5 @@
%global nspr_version 4.21.0
%global nss_version 3.44.0
%global nspr_version 4.25.0
%global nss_version 3.53.1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut
@ -46,7 +46,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 15%{?dist}
Release: 17%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
@ -55,7 +55,7 @@ Requires: nss-util >= %{nss_version}
Requires: nss-softokn%{_isa} >= %{nss_version}
Requires: nss-system-init
Requires: p11-kit-trust
Requires: crypto-policies
Requires: /usr/bin/update-crypto-policies
BuildRequires: nspr-devel >= %{nspr_version}
# for shlibsign
BuildRequires: nss-softokn
@ -93,13 +93,12 @@ Source26: key4.db.xml
Source27: secmod.db.xml
Source28: nss-p11-kit.config
Source29: nss-softokn-cavs-1.0.tar.gz
Source30: PayPalEE.cert
# To inject hardening flags for DSO
Patch1: nss-dso-ldflags.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch2: nss-539183.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1549382
Patch3: nss-module-leak.patch
# This patch uses the GCC -iquote option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to give the in-tree headers a higher priority over the system headers,
@ -112,52 +111,71 @@ Patch3: nss-module-leak.patch
# Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it.
Patch4: iquote.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
Patch5: nss-skip-tls13-fips.patch
# TLS 1.3 currently doesn't work under FIPS mode:
# https://bugzilla.redhat.com/show_bug.cgi?id=1710372
Patch6: nss-fips-disable-tls13.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552208
Patch7: nss-disable-pkcs1-sigalgs-tls13.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
Patch8: nss-post-handshake-auth-with-tickets.patch
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
Patch9: nss-sysinit-userdb.patch
# Disable nss-sysinit test which is sorely to test the above change
Patch10: nss-skip-sysinit-gtests.patch
# Upstream patch didn't make 3.44
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229
Patch200: nss-ike-patch.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546477
Patch201: nss-softokn-fips-update.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
Patch202: nss-8-fix-public-key-from-priv.patch
Patch204: nss-8-add-ipsec-usage-to-manpage.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1560329
Patch205: nss-drbg-continuous.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1559906
Patch206: nss-fipstest-tls12-prf.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1554336
Patch210: nss-mpi-loop.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1540541
Patch211: nss-leading-zero.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1515342
Patch212: nss-input-check.patch
# This patch has a minor conflict with the upstream version:
# off-by-one in sftk_ike1_appendix_b_prf is not fixed, gtests are not
# upstreamed:
Patch213: nss-3.44-missing-softokn-kdf.patch
Patch214: nss-3.44-cmac.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1566131
Patch215: nss-3.44-ske-policy.patch
Patch216: nss-3.44-kbkdf.patch
Patch217: nss-3.44-kbkdf-update.patch
Patch218: nss-3.44-encrypt-update.patch
Patch219: nss-3.44-kbkdf-coverity.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1611209
Patch220: nss-3.44-fix-swapped-cmac.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1610687
Patch221: nss-3.44-fix-cmac-alignment-crash.patch
# To revert the upstream change that causes erroneous SHA-2
# calculation with older gcc:
# https://bugzilla.mozilla.org/show_bug.cgi?id=1613238
Patch220: nss-sha2-ppc.patch
# Local patch: disable MD5 (also MD2 and MD4) completely
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
Patch221: nss-disable-md5.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1646324
Patch222: nss-rsa-pkcs1-sigalgs.patch
# Local patch: https://bugzilla.redhat.com/show_bug.cgi?id=1843417
Patch223: nss-3.53-strict-proto-fix.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1648822
Patch224: nss-3.53.1-diffie_hellman_checks.patch
# no upsteam bug yet
Patch225: nss-3.53-fix-private_key_mac.patch
# Local patch: disable Delegated Credentials
Patch226: nss-disable-dc.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1648822
Patch227: nss-3.53.1-remove-timing-tests.patch
Patch228: nss-3.53.1-cmac-kdf-selftests.patch
Patch229: nss-3.53.1-measure-fix.patch
Patch230: nss-3.53.1-no-small-primes.patch
Patch231: nss-3.53.1-no-small-primes-tests.patch
#Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1666891
Patch232: nss-3.53.1-oaep-api.patch
#Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1670835
Patch233: nss-3.53.1-enable-disable-policy.patch
# not everything in that patch is appropriate for rhel8 since it requires
# changes to the policy generator to wind up with a working system
Patch234: nss-3.53.1-revert_rhel8_unsafe_policy_change.patch
#Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1636771
# CVE-2020-12403
Patch235: nss-3.53.1-chacha-len.patch
Patch236: nss-3.53.1-chacha-multi.patch
# CVE-2020-12400
# CVE-2020-6829
Patch237: nss-3.53.1-constant-time-p384.patch
Patch238: nss-3.53.1-constant-time-p521.patch
# IKE fix
Patch239: nss-3.53.1-ike-app-b-fix.patch
# For compatibility reasons, we stick with the old PKCS #11 2.40
# definition of CK_GCM_PARAMS:
%if 0%{?fedora} < 34
%if 0%{?rhel} < 9
Patch20: nss-gcm-param-default-pkcs11v2.patch
%endif
%endif
%description
@ -186,7 +204,7 @@ Summary: System NSS Initialization
# providing nss-system-init without version so that it can
# be replaced by a better one, e.g. supplied by the os vendor
Provides: nss-system-init
Requires: nss = %{version}-%{release}
Requires: nss%{?_isa} = %{version}-%{release}
Requires(post): coreutils, sed
%description sysinit
@ -295,6 +313,8 @@ popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
#update paypal cert (git binary patches don't work with autopatch)
cp %{SOURCE30} nss/tests/libpkix/certs/
%build
@ -343,17 +363,14 @@ export USE_64=1
%endif
%endif
##### phase 2: build the rest of nss
make -C ./nss/coreconf
make -C ./nss/lib/dbm
# Set the policy file location
# if set NSS will always check for the policy file and load if it exists
export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
make -C ./nss
%{__make} -C ./nss all
%{__make} -C ./nss latest
# build the man pages clean
pushd ./nss/doc
@ -527,7 +544,9 @@ pushd nss/tests
# all.sh is the test suite script
# don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb
export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 8, the default db is sql, but we want
# standard to test dbm, or upgradedb will fail
%define nss_cycles "standard pkix upgradedb sharedb"
# the full list from all.sh is:
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
@ -674,10 +693,7 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
# from previous versions of nss.spec
/usr/bin/setup-nsssysinit.sh on
%post
update-crypto-policies --no-reload &> /dev/null || :
%postun
%posttrans
update-crypto-policies --no-reload &> /dev/null || :
@ -932,6 +948,74 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog
* Thu Dec 3 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-17
- Fix various corner cases with ike v1 app b support.
* Thu Nov 19 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-16
- Fix the following CVE
- CVE-2020-12403 chacha-poly issues
- CVE-2020-12400 constant time ECC.
- CVE-2020-6829 constant time ECC.
* Wed Nov 4 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-15
- Revert some policy changes the generate ABI runtime issues.
* Thu Oct 29 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-14
- Add support for enable/disable in policy. Now if your policy
file has disallow=x enable=y it will act just like our other
libraries.
* Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-13
- Add OAEP interface so applications can wrap keys with RSA-OAEP
rather than RSA-PKCS-1.
* Mon Oct 19 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-12
- fips need to reject small primes even if they are approved
- code to autodetect whether or not to use the cache needs to do so
in a way that doesn't mess with filesystem negative file caching.
- add kdf selftests
* Thu Jul 30 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-11
- Fix issue with upgradedb where upgradedb expects standard to
generate dbm databases, not sql databases (default in RHEL8)
* Thu Jul 30 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-10
- Disable dh timing test because it's unreliable on s390
* Thu Jul 30 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-9
- Explicitly enable upgradedb/sharedb test cycles
* Wed Jul 29 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-8
- Disable Delegated Credentials for TLS
* Fri Jul 24 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-7
- Fix attribute decryption issue where the private key components
integrity check on private attributes where not being checked.
* Mon Jul 13 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-6
- Update nss-rsa-pkcs1-sigalgs.patch to the upstream version
* Sat Jul 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-5
- Include required checks for dh and ecdh key generation in FIPS mode.
* Wed Jul 8 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-4
- Add better checks for dh derive operations in FIPS mode.
* Thu Jun 25 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-3
- Disable NSS_HASH_ALG_SUPPORT as well for MD5 (#1849938)
- Adjust for update-crypto-policies packaging change (#1848649)
- Fix compilation with -Werror=strict-prototypes (#1843417)
* Wed Jun 24 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-2
- Fix regression in MD5 disablement (#1849938)
- Include rsa_pkcs1_* in signature_algorithms extension (#1847945)
* Mon Jun 22 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-1
- Update to NSS 3.53.1
* Sat Jun 6 2020 Daiki Ueno <dueno@redhat.com> - 3.53.0-1
- Update to NSS 3.53
* Fri Jan 31 2020 Bob Relyea <rrelyea@redhat.com> - 3.44.0-15
- Fix swapped CMAC PKCS #11 values.
- Fix data alignment crash in CMAC.