Compare commits
11 Commits
imports/c8
...
c8
Author | SHA1 | Date |
---|---|---|
eabdullin | 0602db546c | |
eabdullin | 66bc735e51 | |
eabdullin | 0df7624fca | |
eabdullin | 69f2c418a9 | |
CentOS Sources | 22aeef2bcc | |
CentOS Sources | 12155fa416 | |
CentOS Sources | adb9f30f72 | |
CentOS Sources | 09cc015c89 | |
CentOS Sources | 02c51bd6bb | |
CentOS Sources | 523619f371 | |
CentOS Sources | 5475051399 |
|
@ -1,14 +1,7 @@
|
|||
SOURCES/NameConstraints_Certs.tar
|
||||
SOURCES/blank-cert8.db
|
||||
SOURCES/blank-cert9.db
|
||||
SOURCES/blank-key3.db
|
||||
SOURCES/blank-key4.db
|
||||
SOURCES/blank-secmod.db
|
||||
SOURCES/cert8.db.xml
|
||||
SOURCES/cert9.db.xml
|
||||
SOURCES/key3.db.xml
|
||||
SOURCES/key4.db.xml
|
||||
SOURCES/nss-3.44.tar.gz
|
||||
SOURCES/nss-config.xml
|
||||
SOURCES/nss-softokn-cavs-1.0.tar.gz
|
||||
SOURCES/secmod.db.xml
|
||||
SOURCES/setup-nsssysinit.xml
|
||||
SOURCES/nss-3.90.tar.gz
|
||||
|
|
|
@ -1,14 +1,7 @@
|
|||
39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
|
||||
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
|
||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
|
||||
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
||||
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
|
||||
6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml
|
||||
ea6705e15999bdc6365f05b3d66f9c1d49677f84 SOURCES/cert9.db.xml
|
||||
24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
|
||||
af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
|
||||
44a83b1bf4efd27605177ecdbf217e579ae8c8ae SOURCES/nss-3.44.tar.gz
|
||||
2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
|
||||
d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz
|
||||
ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
|
||||
bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml
|
||||
1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
|
||||
|
|
|
@ -0,0 +1,949 @@
|
|||
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
|
||||
--- a/lib/freebl/mpi/mpi-priv.h
|
||||
+++ b/lib/freebl/mpi/mpi-priv.h
|
||||
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
|
||||
mp_digit b, mp_digit *c);
|
||||
|
||||
#endif
|
||||
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
|
||||
mp_size a_len, mp_digit b,
|
||||
mp_digit *c);
|
||||
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
|
||||
+ mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len);
|
||||
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
|
||||
mp_size a_len,
|
||||
mp_digit *sqrs);
|
||||
|
||||
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
|
||||
mp_digit divisor, mp_digit *quot, mp_digit *rem);
|
||||
|
||||
/* c += a * b * (MP_RADIX ** offset); */
|
||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
||||
--- a/lib/freebl/mpi/mpi.c
|
||||
+++ b/lib/freebl/mpi/mpi.c
|
||||
@@ -5,16 +5,18 @@
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "mpi-priv.h"
|
||||
#include "mplogic.h"
|
||||
|
||||
+#include <assert.h>
|
||||
+
|
||||
#if defined(__arm__) && \
|
||||
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
|
||||
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
|
||||
#undef MP_ASSEMBLY_MULTIPLY
|
||||
#undef MP_ASSEMBLY_SQUARE
|
||||
#endif
|
||||
|
||||
#if MP_LOGTAB
|
||||
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
|
||||
} /* end mp_sub() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
-/* {{{ mp_mul(a, b, c) */
|
||||
+/* {{{ s_mp_mulg(a, b, c) */
|
||||
|
||||
/*
|
||||
- mp_mul(a, b, c)
|
||||
-
|
||||
- Compute c = a * b. All parameters may be identical.
|
||||
+ s_mp_mulg(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
|
||||
+ then the operations are done in constant time. The original is mostly
|
||||
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
|
||||
+ of the x86 assembler, as well as the current c code.
|
||||
*/
|
||||
mp_err
|
||||
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
|
||||
{
|
||||
mp_digit *pb;
|
||||
mp_int tmp;
|
||||
mp_err res;
|
||||
mp_size ib;
|
||||
mp_size useda, usedb;
|
||||
|
||||
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
|
||||
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
}
|
||||
|
||||
MP_USED(c) = 1;
|
||||
MP_DIGIT(c, 0) = 0;
|
||||
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
|
||||
goto CLEANUP;
|
||||
|
||||
#ifdef NSS_USE_COMBA
|
||||
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
+ /* comba isn't constant time because it clamps! If we cared
|
||||
+ * (we needed a constant time version of multiply that was 'faster'
|
||||
+ * we could easily pass constantTime down to the comba code and
|
||||
+ * get it to skip the clamp... but here are assembler versions
|
||||
+ * which add comba to platforms that can't compile the normal
|
||||
+ * comba's imbedded assembler which would also need to change, so
|
||||
+ * for now we just skip comba when we are running constant time. */
|
||||
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
if (MP_USED(a) == 4) {
|
||||
s_mp_mul_comba_4(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
if (MP_USED(a) == 8) {
|
||||
s_mp_mul_comba_8(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
|
||||
/* Outer loop: Digits of b */
|
||||
useda = MP_USED(a);
|
||||
usedb = MP_USED(b);
|
||||
for (ib = 1; ib < usedb; ib++) {
|
||||
mp_digit b_i = *pb++;
|
||||
|
||||
/* Inner product: Digits of a */
|
||||
- if (b_i)
|
||||
+ if (constantTime || b_i)
|
||||
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
|
||||
else
|
||||
MP_DIGIT(c, ib + useda) = b_i;
|
||||
}
|
||||
|
||||
- s_mp_clamp(c);
|
||||
+ if (!constantTime) {
|
||||
+ s_mp_clamp(c);
|
||||
+ }
|
||||
|
||||
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
|
||||
SIGN(c) = ZPOS;
|
||||
else
|
||||
SIGN(c) = NEG;
|
||||
|
||||
CLEANUP:
|
||||
mp_clear(&tmp);
|
||||
return res;
|
||||
+} /* end smp_mulg() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_mul(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mul(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+{
|
||||
+ return s_mp_mulg(a, b, c, 0);
|
||||
} /* end mp_mul() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulCT(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulCT(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. In constant time. Parameters may not be identical.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ /* make the multiply values fixed length so multiply
|
||||
+ * doesn't leak the length. at this point all the
|
||||
+ * values are blinded, but once we finish we want the
|
||||
+ * output size to be hidden (so no clamping the out put) */
|
||||
+ MP_CHECKOK(s_mp_pad(a, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(b, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
|
||||
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_mulCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqr(a, sqr) */
|
||||
|
||||
#if MP_SQUARE
|
||||
/*
|
||||
Computes the square of a. This can be done more
|
||||
efficiently than a general multiplication, because many of the
|
||||
computation steps are redundant when squaring. The inner product
|
||||
step is a bit more complicated, but we save a fair number of
|
||||
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
|
||||
}
|
||||
|
||||
return MP_OKAY;
|
||||
|
||||
} /* end mp_mod() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
|
||||
+
|
||||
+/*
|
||||
+ s_mp_subCT_d(a, b, borrow, c)
|
||||
+
|
||||
+ Compute c = (a -b) - subtract in constant time. returns borrow
|
||||
+ */
|
||||
+mp_digit
|
||||
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
|
||||
+ mp_digit borrow1, borrow2, t;
|
||||
+#ifdef MP_COMPILER_USES_CARRY
|
||||
+ /* while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction */
|
||||
+ t = a - borrow;
|
||||
+ if (t > a) {
|
||||
+ borrow1 = 1;
|
||||
+ } else {
|
||||
+ borrow1 = 0;
|
||||
+ }
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t) {
|
||||
+ borrow2 = 1;
|
||||
+ } else {
|
||||
+ borrow2 = 0;
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit bitr, bitb, nbitt;
|
||||
+ /* this is constant time independent of compilier */
|
||||
+ t = a - borrow;
|
||||
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
|
||||
+ *ret = t - b;
|
||||
+ bitb = b >> (MP_DIGIT_BIT-1);
|
||||
+ bitr = *ret >> (MP_DIGIT_BIT-1);
|
||||
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
|
||||
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
|
||||
+#endif
|
||||
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
|
||||
+ * the overall borrow is 1, so use | here */
|
||||
+ return borrow1 | borrow2;
|
||||
+} /* s_mp_subCT_d() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_subCT(a, b, ret, borrow) */
|
||||
+
|
||||
+/* return ret= a - b and borrow in borrow. done in constant time.
|
||||
+ * b could be modified.
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_size i;
|
||||
+ mp_err res;
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(b, used_a));
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ *borrow = 0;
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
|
||||
+ &MP_DIGIT(ret,i));
|
||||
+ }
|
||||
+
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_subCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_selectCT(cond, a, b, ret) */
|
||||
+
|
||||
+/*
|
||||
+ * return ret= cond ? a : b; cond should be either 0 or 1
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_err res;
|
||||
+ mp_size i;
|
||||
+
|
||||
+ cond *= MP_DIGIT_MAX;
|
||||
+
|
||||
+ /* we currently require these to be equal on input,
|
||||
+ * we could use pad to extend one of them, but that might
|
||||
+ * leak data as it wouldn't be constant time */
|
||||
+ assert(used_a == MP_USED(b));
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
|
||||
+ }
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_selectCT() */
|
||||
+
|
||||
+
|
||||
+/* {{{ mp_reduceCT(a, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_reduceCT(a, m, c)
|
||||
+
|
||||
+ Compute c = aR^-1 (mod m) in constant time.
|
||||
+ input should be in montgomery form. If input is the
|
||||
+ result of a montgomery multiply then out put will be
|
||||
+ in mongomery form.
|
||||
+ Result will be reduced to MP_USED(m), but not be
|
||||
+ clamped.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
|
||||
+{
|
||||
+ mp_size used_m = MP_USED(m);
|
||||
+ mp_size used_c = used_m*2+1;
|
||||
+ mp_digit *m_digits, *c_digits;
|
||||
+ mp_size i;
|
||||
+ mp_digit borrow, carry;
|
||||
+ mp_err res;
|
||||
+ mp_int sub;
|
||||
+
|
||||
+ MP_DIGITS(&sub) = 0;
|
||||
+ MP_CHECKOK(mp_init_size(&sub,used_m));
|
||||
+
|
||||
+ if (a != c) {
|
||||
+ MP_CHECKOK(mp_copy(a, c));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_pad(c, used_c));
|
||||
+ m_digits = MP_DIGITS(m);
|
||||
+ c_digits = MP_DIGITS(c);
|
||||
+ for (i=0; i < used_m; i++) {
|
||||
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
|
||||
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
|
||||
+ }
|
||||
+ s_mp_rshd(c, used_m);
|
||||
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
|
||||
+ * from the previous multiply, save that carry and drop the high
|
||||
+ * word for the substraction below */
|
||||
+ carry = MP_DIGIT(c,used_m);
|
||||
+ MP_DIGIT(c,used_m) = 0;
|
||||
+ MP_USED(c) = used_m;
|
||||
+ /* mp_subCT wants c and m to be the same size, we've already
|
||||
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
|
||||
+ * modify m, so it's safe to recast */
|
||||
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
|
||||
+
|
||||
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
|
||||
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ mp_clear(&sub);
|
||||
+ return res;
|
||||
+} /* end mp_reduceCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_mod_d(a, d, c) */
|
||||
|
||||
/*
|
||||
mp_mod_d(a, d, c)
|
||||
|
||||
Compute c = a (mod d). Result will always be 0 <= c < d
|
||||
*/
|
||||
mp_err
|
||||
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
|
||||
if ((res = mp_mod(c, m, c)) != MP_OKAY)
|
||||
return res;
|
||||
|
||||
return MP_OKAY;
|
||||
}
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulmontmodCT(a, b, m, c)
|
||||
+
|
||||
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
|
||||
+ should be in montgomery form and the output is native. If both a and b
|
||||
+ are in montgomery form, then the output will also be in montgomery form
|
||||
+ and can be recovered with an mp_reduceCT call.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
|
||||
+ mp_int *c)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
|
||||
+
|
||||
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ return MP_OKAY;
|
||||
+}
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqrmod(a, m, c) */
|
||||
|
||||
#if MP_SQUARE
|
||||
mp_err
|
||||
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
|
||||
{ \
|
||||
mp_digit a0b1, a1b0; \
|
||||
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
|
||||
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
|
||||
a1b0 += a0b1; \
|
||||
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
|
||||
- if (a1b0 < a0b1) \
|
||||
- Phi += MP_HALF_RADIX; \
|
||||
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
|
||||
a1b0 <<= MP_HALF_DIGIT_BIT; \
|
||||
Plo += a1b0; \
|
||||
- if (Plo < a1b0) \
|
||||
- ++Phi; \
|
||||
+ Phi += MP_CT_LTU(Plo, a1b0); \
|
||||
}
|
||||
#endif
|
||||
|
||||
+/* Constant time version of s_mpv_mul_d_add_prop.
|
||||
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
|
||||
+/* c += a * b */
|
||||
+void
|
||||
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len)
|
||||
+{
|
||||
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
+ mp_digit d = 0;
|
||||
+
|
||||
+ c_len -= a_len;
|
||||
+ /* Inner product: Digits of a */
|
||||
+ while (a_len--) {
|
||||
+ mp_word w = ((mp_word)b * *a++) + *c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_word w = (mp_word)*c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit carry = 0;
|
||||
+ c_len -= a_len;
|
||||
+ while (a_len--) {
|
||||
+ mp_digit a_i = *a++;
|
||||
+ mp_digit a0b0, a1b1;
|
||||
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
+
|
||||
+ a0b0 += carry;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, carry);
|
||||
+ a0b0 += a_i = *c;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, a_i);
|
||||
+
|
||||
+ *c++ = a0b0;
|
||||
+ carry = a1b1;
|
||||
+ }
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_digit c_i = *c;
|
||||
+ carry += c_i;
|
||||
+ *c++ = carry;
|
||||
+ carry = MP_CT_LTU(carry, c_i);
|
||||
+ }
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#if !defined(MP_ASSEMBLY_MULTIPLY)
|
||||
/* c = a * b */
|
||||
void
|
||||
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
||||
{
|
||||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
mp_digit d = 0;
|
||||
|
||||
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += a0b0 < carry;
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* c += a * b */
|
||||
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < carry);
|
||||
a0b0 += a_i = *c;
|
||||
- if (a0b0 < a_i)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < a_i);
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Presently, this is only used by the Montgomery arithmetic code. */
|
||||
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
|
||||
--- a/lib/freebl/mpi/mpi.h
|
||||
+++ b/lib/freebl/mpi/mpi.h
|
||||
@@ -145,16 +145,54 @@ typedef int mp_sword;
|
||||
#define MP_USED(MP) ((MP)->used)
|
||||
#define MP_ALLOC(MP) ((MP)->alloc)
|
||||
#define MP_DIGITS(MP) ((MP)->dp)
|
||||
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
|
||||
|
||||
/* This defines the maximum I/O base (minimum is 2) */
|
||||
#define MP_MAX_RADIX 64
|
||||
|
||||
+/* Constant Time Macros on mp_digits */
|
||||
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
|
||||
+
|
||||
+/* basic zero and non zero tests */
|
||||
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+
|
||||
+
|
||||
+/* basic constant-time helper macro for equalities and inequalities.
|
||||
+ * The inequalities will produce incorrect results if
|
||||
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
|
||||
+ * within the range 0-MP_DIGIT_MAX/2. */
|
||||
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
|
||||
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
|
||||
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
|
||||
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
|
||||
+#define MP_CT_TRUE ((mp_digit)1)
|
||||
+#define MP_CT_FALSE ((mp_digit)0)
|
||||
+
|
||||
+/* use constant time result to select a boolean value */
|
||||
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
|
||||
+
|
||||
+/* full inequalities that work with full mp_digit values */
|
||||
+#define MP_CT_OVERFLOW(a,b,c,d) \
|
||||
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
|
||||
+ (MP_CT_HIGH_TO_LOW(d)),c)
|
||||
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
|
||||
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
|
||||
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
|
||||
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
|
||||
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
|
||||
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
|
||||
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
|
||||
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
|
||||
+
|
||||
+
|
||||
typedef struct {
|
||||
mp_sign sign; /* sign of this quantity */
|
||||
mp_size alloc; /* how many digits allocated */
|
||||
mp_size used; /* how many digits used */
|
||||
mp_digit *dp; /* the digits themselves */
|
||||
} mp_int;
|
||||
|
||||
/* Default precision */
|
||||
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
|
||||
|
||||
/* Sign manipulations */
|
||||
mp_err mp_abs(const mp_int *a, mp_int *b);
|
||||
mp_err mp_neg(const mp_int *a, mp_int *b);
|
||||
|
||||
/* Full arithmetic */
|
||||
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
|
||||
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
|
||||
#if MP_SQUARE
|
||||
mp_err mp_sqr(const mp_int *a, mp_int *b);
|
||||
#else
|
||||
#define mp_sqr(a, b) mp_mul(a, a, b)
|
||||
#endif
|
||||
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
|
||||
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
|
||||
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
|
||||
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
|
||||
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
#else
|
||||
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
|
||||
#endif
|
||||
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
|
||||
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
|
||||
#endif /* MP_MODARITH */
|
||||
|
||||
+/* montgomery math */
|
||||
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
|
||||
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
|
||||
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
|
||||
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
|
||||
+
|
||||
/* Comparisons */
|
||||
int mp_cmp_z(const mp_int *a);
|
||||
int mp_cmp_d(const mp_int *a, mp_digit d);
|
||||
int mp_cmp(const mp_int *a, const mp_int *b);
|
||||
int mp_cmp_mag(const mp_int *a, const mp_int *b);
|
||||
int mp_isodd(const mp_int *a);
|
||||
int mp_iseven(const mp_int *a);
|
||||
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
|
||||
|
||||
/* Number theoretic */
|
||||
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
|
||||
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
|
||||
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
|
||||
--- a/lib/freebl/mpi/mpmontg.c
|
||||
+++ b/lib/freebl/mpi/mpmontg.c
|
||||
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
|
||||
}
|
||||
res = MP_OKAY;
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
#endif
|
||||
|
||||
-STATIC
|
||||
mp_err
|
||||
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
||||
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
/* xMont = x * R mod N where N is modulus */
|
||||
- MP_CHECKOK(mp_copy(x, xMont));
|
||||
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
|
||||
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
|
||||
+ if (x != xMont) {
|
||||
+ MP_CHECKOK(mp_copy(x, xMont));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
|
||||
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
|
||||
+mp_digit
|
||||
+mp_calculate_mont_n0i(const mp_int *N)
|
||||
+{
|
||||
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
|
||||
+}
|
||||
+
|
||||
#ifdef MP_USING_MONT_MULF
|
||||
|
||||
/* the floating point multiply is already cache safe,
|
||||
* don't turn on cache safe unless we specifically
|
||||
* force it */
|
||||
#ifndef MP_FORCE_CACHE_SAFE
|
||||
#undef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
#endif
|
||||
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
|
||||
MP_DIGITS(&accum1) = 0;
|
||||
|
||||
for (i = 0; i < MAX_ODD_INTS; ++i)
|
||||
oddPowers[i] = 0;
|
||||
|
||||
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
|
||||
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
MP_CHECKOK(s_mp_pad(&accum1, nLen));
|
||||
|
||||
oddPowSize = 2 * nLen + 1;
|
||||
dTmpSize = 2 * oddPowSize;
|
||||
dSize = sizeof(double) * (nLen * 4 + 1 +
|
||||
((odd_ints + 1) * oddPowSize) + dTmpSize);
|
||||
dBuf = malloc(dSize);
|
||||
if (!dBuf) {
|
||||
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
|
||||
for (i = 1; i < odd_ints; ++i) {
|
||||
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
|
||||
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
|
||||
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
|
||||
}
|
||||
|
||||
/* set accumulator to montgomery residue of 1 */
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
pa1 = &accum1;
|
||||
pa2 = &accum2;
|
||||
|
||||
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
|
||||
mp_size smallExp;
|
||||
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
|
||||
smallExp = (mp_size)res;
|
||||
|
||||
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
/* build the first WEAVE_WORD powers inline */
|
||||
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
|
||||
if (num_powers > 2) {
|
||||
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
|
||||
mp_set(&accum[0], 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
|
||||
MP_CHECKOK(mp_copy(montBase, &accum[1]));
|
||||
SQR(montBase, &accum[2]);
|
||||
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
|
||||
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
|
||||
if (!powersArray) {
|
||||
res = MP_MEM;
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
|
||||
if (first_window < 4) {
|
||||
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
|
||||
first_window = num_powers;
|
||||
}
|
||||
} else {
|
||||
if (first_window == 0) {
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
} else {
|
||||
/* assert first_window == 1? */
|
||||
MP_CHECKOK(mp_copy(montBase, &accum1));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* calculate all the powers in the powers array.
|
||||
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
|
||||
nLen = MP_USED(modulus);
|
||||
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
|
||||
|
||||
mmm.N = *modulus; /* a copy of the mp_int struct */
|
||||
|
||||
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
||||
** where n0 = least significant mp_digit of N, the modulus.
|
||||
*/
|
||||
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
|
||||
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
|
||||
|
||||
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
|
||||
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
|
||||
|
||||
bits_in_exponent = mpl_significant_bits(exponent);
|
||||
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
if (mp_using_cache_safe_exp) {
|
||||
if (bits_in_exponent > 780)
|
||||
window_bits = 6;
|
||||
else if (bits_in_exponent > 256)
|
||||
window_bits = 5;
|
||||
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
|
||||
--- a/lib/freebl/rsa.c
|
||||
+++ b/lib/freebl/rsa.c
|
||||
@@ -65,16 +65,18 @@ struct blindingParamsStr {
|
||||
** the Handbook of Applied Cryptography, 11.118-11.119.
|
||||
*/
|
||||
struct RSABlindingParamsStr {
|
||||
/* Blinding-specific parameters */
|
||||
PRCList link; /* link to list of structs */
|
||||
SECItem modulus; /* list element "key" */
|
||||
blindingParams *free, *bp; /* Blinding parameters queue */
|
||||
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
|
||||
+ /* precalculate montegomery reduction value */
|
||||
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
|
||||
};
|
||||
typedef struct RSABlindingParamsStr RSABlindingParams;
|
||||
|
||||
/*
|
||||
** RSABlindingParamsListStr
|
||||
**
|
||||
** List of key-specific blinding params. The arena holds the volatile pool
|
||||
** of memory for each entry and the list itself. The lock is for list
|
||||
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
|
||||
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
|
||||
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
|
||||
/* k < n */
|
||||
CHECK_MPI_OK(mp_mod(&k, n, &k));
|
||||
/* f = k**e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
|
||||
/* g = k**-1 mod n */
|
||||
CHECK_MPI_OK(mp_invmod(&k, n, g));
|
||||
+ /* g in montgomery form.. */
|
||||
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
|
||||
cleanup:
|
||||
if (kb)
|
||||
PORT_ZFree(kb, modLen);
|
||||
mp_clear(&k);
|
||||
mp_clear(&e);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
|
||||
* of rsabp->array pointer and must be set to NULL
|
||||
*/
|
||||
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
|
||||
|
||||
bp = rsabp->array;
|
||||
rsabp->bp = NULL;
|
||||
rsabp->free = bp;
|
||||
|
||||
+ /* precalculate montgomery reduction parameter */
|
||||
+ rsabp->n0i = mp_calculate_mont_n0i(n);
|
||||
+
|
||||
/* List elements are keyed using the modulus */
|
||||
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
||||
- mp_int *f, mp_int *g)
|
||||
+ mp_int *f, mp_int *g, mp_digit *n0i)
|
||||
{
|
||||
RSABlindingParams *rsabp = NULL;
|
||||
blindingParams *bpUnlinked = NULL;
|
||||
blindingParams *bp;
|
||||
PRCList *el;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err = MP_OKAY;
|
||||
int cmp = -1;
|
||||
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
|
||||
** head (since el would have looped back to the head).
|
||||
*/
|
||||
PR_INSERT_BEFORE(&rsabp->link, el);
|
||||
}
|
||||
|
||||
/* We've found (or created) the RSAblindingParams struct for this key.
|
||||
* Now, search its list of ready blinding params for a usable one.
|
||||
*/
|
||||
+ *n0i = rsabp->n0i;
|
||||
while (0 != (bp = rsabp->bp)) {
|
||||
#ifdef UNSAFE_FUZZER_MODE
|
||||
/* Found a match and there are still remaining uses left */
|
||||
/* Return the parameters */
|
||||
CHECK_MPI_OK(mp_copy(&bp->f, f));
|
||||
CHECK_MPI_OK(mp_copy(&bp->g, g));
|
||||
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
@@ -1426,16 +1434,17 @@ cleanup:
|
||||
rsabp->free = bp;
|
||||
}
|
||||
if (holdingLock) {
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
}
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
}
|
||||
+ *n0i = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
** Perform a raw private-key operation
|
||||
** Length of input and output buffers are equal to key's modulus len.
|
||||
*/
|
||||
static SECStatus
|
||||
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
PRBool check)
|
||||
{
|
||||
unsigned int modLen;
|
||||
unsigned int offset;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err;
|
||||
mp_int n, c, m;
|
||||
mp_int f, g;
|
||||
+ mp_digit n0i;
|
||||
if (!key || !output || !input) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
/* check input out of range (needs to be in range [0..n-1]) */
|
||||
modLen = rsa_modulusLen(&key->modulus);
|
||||
if (modLen == 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
CHECK_MPI_OK(mp_init(&f));
|
||||
CHECK_MPI_OK(mp_init(&g));
|
||||
SECITEM_TO_MPINT(key->modulus, &n);
|
||||
OCTETS_TO_MPINT(input, &c, modLen);
|
||||
/* If blinding, compute pre-image of ciphertext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
|
||||
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
|
||||
/* c' = c*f mod n */
|
||||
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
|
||||
}
|
||||
/* Do the private key operation m = c**d mod n */
|
||||
if (key->prime1.len == 0 ||
|
||||
key->prime2.len == 0 ||
|
||||
key->exponent1.len == 0 ||
|
||||
key->exponent2.len == 0 ||
|
||||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
} else {
|
||||
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
|
||||
}
|
||||
/* If blinding, compute post-image of plaintext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
/* m = m'*g mod n */
|
||||
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
|
||||
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
|
||||
}
|
||||
err = mp_to_fixlen_octets(&m, output, modLen);
|
||||
if (err >= 0)
|
||||
err = MP_OKAY;
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
mp_clear(&c);
|
||||
mp_clear(&m);
|
|
@ -0,0 +1,59 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="cert8.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>cert8.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>cert8.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -0,0 +1,59 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="cert9.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>cert9.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>cert9.db</refname>
|
||||
<refpurpose>NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -0,0 +1,188 @@
|
|||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*
|
||||
* Vendors should replace this header file with the file containing those
|
||||
* algorithms which have NIST algorithm Certificates.
|
||||
*/
|
||||
|
||||
/* handle special cases. Classes require existing code to already be
|
||||
* in place for that class */
|
||||
typedef enum {
|
||||
SFTKFIPSNone = 0,
|
||||
SFTKFIPSDH, /* allow only specific primes */
|
||||
SFTKFIPSECC, /* not just keys but specific curves */
|
||||
SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
|
||||
SFTKFIPSRSAPSS, /* make sure salt isn't too big */
|
||||
SFTKFIPSPBKDF2, /* handle pbkdf2 FIPS restrictions */
|
||||
SFTKFIPSTlsKeyCheck, /* check the output of TLS prf functions */
|
||||
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
|
||||
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
|
||||
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
/* set according to your security policy */
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8
|
||||
|
||||
typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
|
||||
struct SFTKFIPSAlgorithmListStr {
|
||||
CK_MECHANISM_TYPE type;
|
||||
CK_MECHANISM_INFO info;
|
||||
CK_ULONG step;
|
||||
SFTKFIPSSpecialClass special;
|
||||
size_t offset;
|
||||
};
|
||||
|
||||
SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
/* A sample set of algorithms to allow basic testing in our continous
|
||||
* testing infrastructure. The vendor version should replace this with
|
||||
* a version that matches their algorithm testing and security policy */
|
||||
/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
|
||||
* differs in the following ways:
|
||||
* 1) the addition of step and class elements to help restrict
|
||||
* the supported key sizes and types.
|
||||
* 2) The mechanism flags are restricted to only those that map to
|
||||
* fips approved operations.
|
||||
* 3) All key sizes are in bits, independent of mechanism.
|
||||
* 4) You can add more then one entry for the same mechanism to handle
|
||||
* multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
|
||||
* or where different operations have different key requirements.
|
||||
* This table does not encode all the modules legal FIPS semantics, only
|
||||
* those semantics that might possibly change due to algorithms dropping
|
||||
* of the security policy late in the process. */
|
||||
/* handy common flag types */
|
||||
#define CKF_KPG CKF_GENERATE_KEY_PAIR
|
||||
#define CKF_GEN CKF_GENERATE
|
||||
#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
|
||||
#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT )
|
||||
#define CKF_ECW (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_WRP (CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEA CKF_DERIVE
|
||||
#define CKF_KDF CKF_DERIVE
|
||||
#define CKF_HSH CKF_DIGEST
|
||||
#define CK_MAX 0xffffffffUL
|
||||
/* mechanisms using the same key types share the same key type
|
||||
* limits */
|
||||
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
||||
#define RSA_FB_STEP 1
|
||||
#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
|
||||
#define RSA_LEGACY_FB_STEP 256
|
||||
|
||||
#define DSA_FB_KEY 2048, 4096 /* min, max */
|
||||
#define DSA_FB_STEP 1024
|
||||
#define DH_FB_KEY 2048, 8192 /* min, max */
|
||||
#define DH_FB_STEP 1024
|
||||
#define EC_FB_KEY 256, 521 /* min, max */
|
||||
#define EC_FB_STEP 1 /* key limits handled by special operation */
|
||||
#define AES_FB_KEY 128, 256
|
||||
#define AES_FB_STEP 64
|
||||
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
|
||||
/* -------------- RSA Multipart Signing Operations -------------------- */
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
/* -------------------- Diffie Hellman Operations --------------------- */
|
||||
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
|
||||
{ CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
|
||||
/* -------------------- Elliptic Curve Operations --------------------- */
|
||||
{ CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDH1_COFACTOR_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
/* ------------------------- RC2 Operations --------------------------- */
|
||||
/* ------------------------- AES Operations --------------------------- */
|
||||
{ CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_GCM, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSAEAD },
|
||||
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
/* ------------------------- Hashing Operations ----------------------- */
|
||||
{ CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
/* --------------------- Secret Key Operations ------------------------ */
|
||||
{ CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
/* ---------------------- SSL/TLS operations ------------------------- */
|
||||
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSTlsKeyCheck, offsetof(CK_TLS12_KEY_MAT_PARAMS, prfHashMechanism) },
|
||||
{ CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSChkHashTls,
|
||||
offsetof(CK_TLS_MAC_PARAMS, prfHashMechanism) },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSChkHashTls,
|
||||
offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSChkHashTls,
|
||||
offsetof(CK_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_PARAMS, prfHashMechanism) },
|
||||
|
||||
/* ------------------------- HKDF Operations -------------------------- */
|
||||
{ CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
|
||||
{ CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_HKDF_PARAMS, prfHashMechanism) },
|
||||
{ CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
|
||||
/* ------------------ NIST 800-108 Key Derivations ------------------- */
|
||||
{ CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
/* --------------------IPSEC ----------------------- */
|
||||
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS, prfMechanism) },
|
||||
{ CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSChkHash,
|
||||
offsetof(CK_NSS_IKE_PRF_DERIVE_PARAMS, prfMechanism) },
|
||||
/* ------------------ PBE Key Derivations ------------------- */
|
||||
{ CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
|
||||
/* the deprecated mechanisms, don't use for some reason we are supposed
|
||||
* to set the FIPS indicators on these (sigh) */
|
||||
{ CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
|
||||
{ CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_HKDF_SHA1, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_HKDF_SHA256, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_HKDF_SHA384, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_HKDF_SHA512, { 1, 128, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSChkHashSp800,
|
||||
offsetof(CK_SP800_108_KDF_PARAMS, prfType) },
|
||||
};
|
||||
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
|
|
@ -0,0 +1,59 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="key3.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>key3.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>key3.db</refname>
|
||||
<refpurpose>Legacy NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
|
||||
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -0,0 +1,59 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="key4.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>key4.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>key4.db</refname>
|
||||
<refpurpose>NSS certificate database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
|
||||
<para>This key database is the sqlite-based shared database format with support for concurrent access.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -1,21 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Craig Disselkoen <cdisselk@cs.ucsd.edu>
|
||||
# Date 1574189697 25200
|
||||
# Tue Nov 19 11:54:57 2019 -0700
|
||||
# Branch NSS_3_44_BRANCH
|
||||
# Node ID 60bca7c6dc6dc44579b9b3e0fb62ca3b82d92eec
|
||||
# Parent 64e55c9f658e2a75f0835d00a8a1cdc2f25c74d6
|
||||
Bug 1586176 - EncryptUpdate should use maxout not block size. r=franziskus
|
||||
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -1321,7 +1321,7 @@ NSC_EncryptUpdate(CK_SESSION_HANDLE hSes
|
||||
}
|
||||
/* encrypt the current padded data */
|
||||
rv = (*context->update)(context->cipherInfo, pEncryptedPart,
|
||||
- &padoutlen, context->blockSize, context->padBuf,
|
||||
+ &padoutlen, maxout, context->padBuf,
|
||||
context->blockSize);
|
||||
if (rv != SECSuccess) {
|
||||
return sftk_MapCryptError(PORT_GetError());
|
|
@ -1,560 +0,0 @@
|
|||
diff -up ./gtests/pk11_gtest/manifest.mn.missing_kdf ./gtests/pk11_gtest/manifest.mn
|
||||
--- ./gtests/pk11_gtest/manifest.mn.missing_kdf 2019-08-08 10:22:53.072100034 -0700
|
||||
+++ ./gtests/pk11_gtest/manifest.mn 2019-08-08 10:23:33.424061237 -0700
|
||||
@@ -14,6 +14,7 @@ CPPSRCS = \
|
||||
pk11_encrypt_derive_unittest.cc \
|
||||
pk11_export_unittest.cc \
|
||||
pk11_import_unittest.cc \
|
||||
+ pk11_kdf_unittest.cc \
|
||||
pk11_pbkdf2_unittest.cc \
|
||||
pk11_prf_unittest.cc \
|
||||
pk11_prng_unittest.cc \
|
||||
diff -up ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf ./gtests/pk11_gtest/pk11_gtest.gyp
|
||||
--- ./gtests/pk11_gtest/pk11_gtest.gyp.missing_kdf 2019-08-08 10:23:13.298080588 -0700
|
||||
+++ ./gtests/pk11_gtest/pk11_gtest.gyp 2019-08-08 10:23:49.728045561 -0700
|
||||
@@ -19,6 +19,7 @@
|
||||
'pk11_ecdsa_unittest.cc',
|
||||
'pk11_encrypt_derive_unittest.cc',
|
||||
'pk11_import_unittest.cc',
|
||||
+ 'pk11_kdf_unittest.cc',
|
||||
'pk11_pbkdf2_unittest.cc',
|
||||
'pk11_prf_unittest.cc',
|
||||
'pk11_prng_unittest.cc',
|
||||
diff -up ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf ./gtests/pk11_gtest/pk11_kdf_unittest.cc
|
||||
--- ./gtests/pk11_gtest/pk11_kdf_unittest.cc.missing_kdf 2019-08-07 14:23:28.657960569 -0700
|
||||
+++ ./gtests/pk11_gtest/pk11_kdf_unittest.cc 2019-08-08 10:22:38.015114511 -0700
|
||||
@@ -0,0 +1,509 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
||||
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+#include <memory>
|
||||
+#include "nss.h"
|
||||
+#include "pk11pub.h"
|
||||
+
|
||||
+#include "cpputil.h"
|
||||
+
|
||||
+#include "gtest/gtest.h"
|
||||
+
|
||||
+namespace nss_test {
|
||||
+
|
||||
+const size_t kGxySize = 256;
|
||||
+const size_t kSeedSize = 8;
|
||||
+const size_t kKeySize = 64;
|
||||
+const size_t kLongKeySize = 1056;
|
||||
+const size_t kAesXcbcLen = 16;
|
||||
+const size_t kSha1Len = 20;
|
||||
+const size_t kSha224Len = 28;
|
||||
+const size_t kSha256Len = 32;
|
||||
+const size_t kSha384Len = 48;
|
||||
+const size_t kSha512Len = 64;
|
||||
+
|
||||
+// This is not the right size for anything
|
||||
+const size_t kIncorrectSize = 17;
|
||||
+
|
||||
+const uint8_t kGxyData[] = {
|
||||
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
|
||||
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
|
||||
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
|
||||
+ 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
|
||||
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
|
||||
+ 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
|
||||
+ 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53,
|
||||
+ 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f,
|
||||
+ 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b,
|
||||
+ 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77,
|
||||
+ 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80, 0x21, 0x22, 0x23,
|
||||
+ 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
|
||||
+ 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b,
|
||||
+ 0x9c, 0x9d, 0x9e, 0x9f, 0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
|
||||
+ 0xa8, 0xa9, 0xaa, 0xab, 0xac, 0xad, 0xae, 0xaf, 0xb0, 0xb1, 0xb2, 0xb3,
|
||||
+ 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb, 0xbc, 0xbd, 0xbe, 0xbf,
|
||||
+ 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7, 0xc8, 0xc9, 0xca, 0xcb,
|
||||
+ 0xcc, 0xcd, 0xce, 0xcf, 0xd0, 0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7,
|
||||
+ 0xd8, 0xd9, 0xda, 0xdb, 0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3,
|
||||
+ 0xe4, 0xe5, 0xe6, 0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
|
||||
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
|
||||
+ 0xfc, 0xfd, 0xfe, 0xff};
|
||||
+
|
||||
+const uint8_t kKeyData[] = {
|
||||
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
|
||||
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
|
||||
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23,
|
||||
+ 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
|
||||
+ 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b,
|
||||
+ 0x3c, 0x3d, 0x3e, 0x3f};
|
||||
+
|
||||
+const uint8_t kSeed[] = {
|
||||
+ 0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7, 0xf8, 0xf9, 0xfa, 0xfb,
|
||||
+ 0xfc, 0xfd, 0xfe, 0xff, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6, 0xe7,
|
||||
+ 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef, 0xd0, 0xd1, 0xd2, 0xd3};
|
||||
+
|
||||
+const uint8_t kExpectedOutputIkeSha256[] = {
|
||||
+ 0xd3, 0x9d, 0xb2, 0x77, 0x4b, 0x7f, 0xea, 0x81, 0xfc, 0xe5, 0x22, 0xb7,
|
||||
+ 0xdf, 0xa5, 0x65, 0x15, 0xc9, 0x8f, 0x89, 0x45, 0xda, 0xd9, 0x5d, 0x12,
|
||||
+ 0xbb, 0x52, 0xb6, 0x3b, 0xf4, 0x4d, 0xaf, 0x16};
|
||||
+
|
||||
+const uint8_t kExpectedOutputIke1Sha256[] = {
|
||||
+ 0x25, 0x45, 0x68, 0xd2, 0x98, 0x96, 0xa3, 0xda, 0x89, 0x76, 0x06, 0x01,
|
||||
+ 0xd0, 0xce, 0xf8, 0x05, 0x26, 0x3f, 0xaf, 0x95, 0x92, 0x48, 0x02, 0x0e,
|
||||
+ 0x39, 0x75, 0x94, 0x00, 0x22, 0xd8, 0x5a, 0x50};
|
||||
+
|
||||
+const uint8_t kExpectedOutputIkePlusSha256[] = {
|
||||
+ 0x03, 0x1e, 0xe7, 0x13, 0x6e, 0x58, 0x11, 0xc4, 0x81, 0x56, 0x42, 0x3c,
|
||||
+ 0x3c, 0xaa, 0xdb, 0xad, 0x8a, 0x84, 0xdc, 0xa3, 0x0f, 0xe7, 0x67, 0x55,
|
||||
+ 0x9c, 0x9f, 0xb8, 0x57, 0xa9, 0x5b, 0x41, 0x53, 0x86, 0xe0, 0xb3, 0x21,
|
||||
+ 0x08, 0x1b, 0x38, 0x24, 0xce, 0xef, 0x7c, 0x89, 0x0d, 0xa7, 0xae, 0x14,
|
||||
+ 0x58, 0xbd, 0x79, 0x9c, 0x32, 0x25, 0x7f, 0x3e, 0xbd, 0xe1, 0xfb, 0x3a,
|
||||
+ 0x38, 0x51, 0x05, 0xaa, 0xc8, 0x37, 0x3e, 0x4e, 0x9b, 0x70, 0xb8, 0xe2,
|
||||
+ 0x21, 0xe7, 0x12, 0xb3, 0xf7, 0x64, 0x21, 0x9d, 0x52, 0x38, 0x41, 0xfb,
|
||||
+ 0x54, 0xaf, 0x59, 0xc3, 0xab, 0xf3, 0x7f, 0x64, 0xee, 0x17, 0xf5, 0xa8,
|
||||
+ 0x2b, 0xdf, 0x2d, 0xd3, 0x29, 0x0e, 0x4f, 0x31, 0x54, 0x25, 0x4e, 0x65,
|
||||
+ 0x52, 0xdf, 0x66, 0xfd, 0x49, 0x85, 0x1f, 0x87, 0x71, 0xa1, 0x5c, 0xfa,
|
||||
+ 0x99, 0xf5, 0x21, 0x9a, 0xbc, 0x55, 0x5b, 0x1c, 0x19, 0xd9, 0x4b, 0x42,
|
||||
+ 0xc5, 0xa0, 0xed, 0x1a, 0x1e, 0xf0, 0x04, 0x52, 0xb3, 0xd0, 0x0f, 0x48,
|
||||
+ 0x45, 0x00, 0xdc, 0x94, 0xae, 0xd8, 0x70, 0x2e, 0xdd, 0x12, 0xe1, 0x66,
|
||||
+ 0x72, 0xc2, 0x39, 0xd2, 0xc6, 0xfa, 0xdd, 0x8c, 0x11, 0x9c, 0x9d, 0x60,
|
||||
+ 0xd1, 0x08, 0x79, 0x62, 0xbb, 0x97, 0x45, 0x38, 0x2d, 0x83, 0x9c, 0x2e,
|
||||
+ 0x8f, 0x88, 0xa3, 0xad, 0x5b, 0x8e, 0x4e, 0x0e, 0xdb, 0xee, 0xaf, 0x1d,
|
||||
+ 0xf6, 0xe7, 0x7e, 0x28, 0xc5, 0xcf, 0x0c, 0xd9, 0xee, 0xde, 0xc8, 0x87,
|
||||
+ 0x00, 0xfe, 0x02, 0xd8, 0x30, 0xa6, 0x68, 0xec, 0x51, 0x22, 0xac, 0x4c,
|
||||
+ 0x38, 0x0f, 0xbb, 0x5c, 0xcb, 0xd5, 0x93, 0xda, 0xea, 0xd0, 0x1b, 0x41,
|
||||
+ 0x85, 0x8d, 0x12, 0x56, 0xbb, 0x90, 0x62, 0xc9, 0x91, 0x62, 0xf8, 0x29,
|
||||
+ 0x9a, 0x4f, 0xd8, 0x5e, 0x7d, 0x1f, 0x69, 0xe8, 0x23, 0x53, 0x26, 0x98,
|
||||
+ 0x98, 0x88, 0xfa, 0x14, 0xdc, 0xa3, 0x0f, 0xc7, 0x58, 0xb2, 0x6d, 0xa5,
|
||||
+ 0x34, 0x53, 0xb5, 0xc3, 0xcc, 0xbb, 0xd7, 0xd4, 0x80, 0xf3, 0x8c, 0x79,
|
||||
+ 0xd2, 0xac, 0x12, 0xa5, 0xf9, 0x99, 0xe7, 0x1b, 0x46, 0x16, 0x02, 0x6a,
|
||||
+ 0xa3, 0xc5, 0x20, 0xb5, 0x5a, 0x55, 0xbd, 0xac, 0x70, 0xf1, 0x5b, 0xe4,
|
||||
+ 0x45, 0x12, 0x7e, 0xcf, 0x12, 0xbf, 0x53, 0x7e, 0x3d, 0xbe, 0x53, 0x77,
|
||||
+ 0xc4, 0x2c, 0x17, 0x5f, 0xe5, 0xb9, 0x73, 0x01, 0x5d, 0x9b, 0x34, 0x3c,
|
||||
+ 0x45, 0xf0, 0xa4, 0x91, 0xaf, 0x34, 0xa2, 0xd6, 0x0a, 0x14, 0x98, 0x2c,
|
||||
+ 0x91, 0xd5, 0x8f, 0x12, 0xde, 0x7c, 0x61, 0xd8, 0x42, 0x07, 0x42, 0x1a,
|
||||
+ 0x01, 0x2b, 0xf6, 0x54, 0xd1, 0xde, 0x6d, 0x9c, 0x8b, 0x51, 0x81, 0x3e,
|
||||
+ 0x01, 0xd1, 0xfb, 0x5a, 0xcd, 0xf0, 0xeb, 0xcc, 0x03, 0xe2, 0xc1, 0x31,
|
||||
+ 0x92, 0x11, 0x88, 0x1f, 0xec, 0x81, 0x07, 0x78, 0x89, 0x89, 0x29, 0x19,
|
||||
+ 0x3f, 0x75, 0x01, 0x0e, 0x73, 0xbc, 0x1e, 0x76, 0x23, 0x80, 0x36, 0xaa,
|
||||
+ 0x2a, 0xd0, 0x77, 0x57, 0x6a, 0xea, 0xe2, 0xdb, 0xed, 0x17, 0x79, 0x3d,
|
||||
+ 0x8b, 0x8a, 0xbe, 0x32, 0x90, 0x2e, 0x1c, 0x00, 0xc2, 0x27, 0xb5, 0x64,
|
||||
+ 0x7c, 0xc3, 0xca, 0xb8, 0xaf, 0xcb, 0x17, 0x29, 0xec, 0x00, 0x5b, 0x83,
|
||||
+ 0x9f, 0xfe, 0x8b, 0xb6, 0x6f, 0x01, 0x23, 0x6b, 0xb3, 0xaa, 0x34, 0x3f,
|
||||
+ 0x5c, 0x66, 0x7c, 0xec, 0x15, 0x5a, 0xa9, 0x3c, 0xe2, 0xef, 0xcb, 0xe5,
|
||||
+ 0x79, 0xfa, 0xf2, 0x7c, 0x4e, 0x0f, 0x70, 0x41, 0xa4, 0x09, 0x07, 0x30,
|
||||
+ 0xbd, 0x28, 0x3f, 0x30, 0xd3, 0xc2, 0xbd, 0x06, 0x5e, 0x21, 0xbd, 0x20,
|
||||
+ 0xae, 0xa4, 0xa9, 0x7d, 0x91, 0xe8, 0x9d, 0x0a, 0x81, 0x02, 0xf7, 0xd6,
|
||||
+ 0x7c, 0x1f, 0xb6, 0xa5, 0x40, 0xb6, 0x25, 0xac, 0xce, 0x77, 0x20, 0xfa,
|
||||
+ 0x71, 0x79, 0x21, 0x94, 0xcd, 0x63, 0xcf, 0x62, 0xd4, 0xda, 0xc6, 0xe8,
|
||||
+ 0x3c, 0xdb, 0x86, 0x1e, 0x8d, 0x2d, 0x12, 0xf6, 0xea, 0xb0, 0xed, 0xf8,
|
||||
+ 0xfa, 0xc6, 0x37, 0xee, 0xca, 0x11, 0x1a, 0xac, 0x95, 0xf6, 0xe3, 0x02,
|
||||
+ 0x97, 0xba, 0xb2, 0xb2, 0x02, 0x82, 0xbe, 0x32, 0xa3, 0xe8, 0xf4, 0xae,
|
||||
+ 0x4e, 0xaf, 0x47, 0xb9, 0xe7, 0x91, 0x18, 0x90, 0xd8, 0xcb, 0x59, 0xed,
|
||||
+ 0xc2, 0x47, 0x6d, 0xe1, 0x9d, 0x74, 0xe6, 0xc7, 0xc0, 0xdc, 0x82, 0x5b,
|
||||
+ 0x6a, 0x7d, 0x1c, 0x58, 0xc8, 0x3d, 0x7d, 0xed, 0xdd, 0x60, 0x91, 0x9e,
|
||||
+ 0x68, 0x6e, 0x56, 0x33, 0x8b, 0xca, 0x35, 0xf8, 0x96, 0x67, 0x22, 0x3a,
|
||||
+ 0xb9, 0x02, 0xe9, 0x7c, 0xb1, 0xca, 0x25, 0xc2, 0xc8, 0xc7, 0xd8, 0x71,
|
||||
+ 0xfa, 0xfa, 0x76, 0xeb, 0x1d, 0x52, 0x75, 0xc6, 0x56, 0xf3, 0x1a, 0xd3,
|
||||
+ 0xda, 0xe4, 0x49, 0x7b, 0xd0, 0x77, 0x72, 0x06, 0xe7, 0xb9, 0xd9, 0x06,
|
||||
+ 0x87, 0x43, 0x6a, 0x52, 0xee, 0x3a, 0x71, 0x6e, 0x51, 0x8d, 0x55, 0x7a,
|
||||
+ 0xb1, 0x62, 0x75, 0xac, 0xa9, 0x89, 0x77, 0x93, 0x40, 0xef, 0x66, 0x44,
|
||||
+ 0x08, 0x49, 0xbb, 0xdb, 0x85, 0x0b, 0xd3, 0xfa, 0x37, 0x27, 0x41, 0xd1,
|
||||
+ 0x57, 0xc3, 0x95, 0xaa, 0x85, 0x5a, 0x43, 0x74, 0x39, 0x72, 0x08, 0xdf,
|
||||
+ 0x58, 0xe1, 0xf7, 0x95, 0x6c, 0xc1, 0xb1, 0x9b, 0x21, 0x53, 0xc1, 0xf9,
|
||||
+ 0xcc, 0x74, 0xf9, 0x62, 0xa4, 0xa0, 0x34, 0x22, 0xaa, 0x84, 0x78, 0x49,
|
||||
+ 0x50, 0xa9, 0x8e, 0x7b, 0xfa, 0xaa, 0xc2, 0xe8, 0xae, 0x34, 0x3d, 0xa7,
|
||||
+ 0xe1, 0x5a, 0x14, 0xa6, 0xd7, 0x6c, 0x67, 0xc7, 0x5e, 0xda, 0x79, 0x36,
|
||||
+ 0x57, 0x85, 0x5e, 0x09, 0xa2, 0x1f, 0x96, 0x5a, 0x71, 0xc2, 0xfe, 0x57,
|
||||
+ 0x5c, 0x4c, 0xe8, 0xbf, 0x9b, 0x5c, 0xd7, 0x06, 0x09, 0xb5, 0x63, 0x93,
|
||||
+ 0x7e, 0xee, 0x65, 0xef, 0x88, 0xe1, 0x60, 0x3e, 0x50, 0x84, 0x39, 0xb9,
|
||||
+ 0xae, 0xab, 0xad, 0xee, 0x31, 0x04, 0x7f, 0xed, 0x78, 0x35, 0xc0, 0x14,
|
||||
+ 0xa6, 0xc3, 0xeb, 0x3c, 0xd7, 0xc3, 0xb3, 0x6b, 0x58, 0x63, 0x7e, 0xa8,
|
||||
+ 0xc9, 0xb9, 0x23, 0xd3, 0xe5, 0xe7, 0xcc, 0x84, 0x63, 0xc8, 0xbd, 0x31,
|
||||
+ 0x9f, 0x02, 0x4e, 0x74, 0x98, 0xba, 0x8a, 0x0c, 0x80, 0xab, 0x10, 0xc4,
|
||||
+ 0xb2, 0x61, 0xad, 0x3d, 0x93, 0x9d, 0xdc, 0x76, 0xe5, 0x0e, 0x2e, 0x4b,
|
||||
+ 0x81, 0x3b, 0x1f, 0xd3, 0x54, 0xc0, 0x2a, 0xde, 0x0e, 0x1d, 0x59, 0x31,
|
||||
+ 0x5c, 0x28, 0xf8, 0x75, 0xfc, 0x71, 0x2e, 0xc1, 0x85, 0x90, 0x23, 0xfd,
|
||||
+ 0x2e, 0x8b, 0xb9, 0x52, 0x1a, 0xdf, 0x61, 0x54, 0x9b, 0x43, 0xa6, 0x8d,
|
||||
+ 0x5f, 0xd0, 0x52, 0x0b, 0x66, 0xbc, 0xf5, 0x1a, 0xce, 0x58, 0xef, 0xb3,
|
||||
+ 0x1d, 0x8d, 0x4b, 0x1b, 0xf3, 0x8e, 0xe6, 0x68, 0xc3, 0xd5, 0x95, 0x42,
|
||||
+ 0xf5, 0xb0, 0x73, 0x2c, 0x31, 0x71, 0x20, 0xf5, 0xdc, 0xbf, 0x56, 0x72,
|
||||
+ 0x53, 0xf9, 0xfe, 0xfa, 0x19, 0xdc, 0x46, 0xd1, 0x2b, 0xe3, 0xdb, 0x50,
|
||||
+ 0xec, 0x14, 0xee, 0x70, 0xcc, 0xe6, 0x11, 0x75, 0xb4, 0x63, 0xfc, 0xd1,
|
||||
+ 0x8f, 0x54, 0xfa, 0xcc, 0x99, 0xcc, 0xb8, 0x61, 0xa7, 0x33, 0x18, 0xa2,
|
||||
+ 0x17, 0xee, 0xb1, 0x82, 0x3d, 0x6a, 0x8d, 0x63, 0xe0, 0x15, 0x1b, 0x5c,
|
||||
+ 0x20, 0x53, 0x33, 0xa7, 0x85, 0x17, 0x81, 0xba, 0x18, 0x2a, 0x73, 0x00,
|
||||
+ 0x1e, 0x3e, 0x2c, 0xb5, 0x5f, 0x4e, 0x82, 0xa8, 0x09, 0xa0, 0x22, 0xdc,
|
||||
+ 0xc4, 0x76, 0x7c, 0x66, 0xf4, 0x78, 0xa1, 0x0a, 0xf7, 0x39, 0x06, 0x0a,
|
||||
+ 0xd7, 0x43, 0x72, 0x12, 0x3b, 0x8e, 0x7e, 0x62, 0x4f, 0x5a, 0x03, 0xe5,
|
||||
+ 0x22, 0x97, 0xdc, 0xbb, 0xaa, 0xa2, 0xc0, 0x03, 0x8e, 0x60, 0xd1, 0x61,
|
||||
+ 0xc7, 0xef, 0x0f, 0x54, 0x43, 0x4e, 0x38, 0xda, 0xb6, 0xe2, 0x5b, 0x0e,
|
||||
+ 0x45, 0xae, 0x39, 0x86, 0x85, 0x25, 0x30, 0xb1, 0x9d, 0xda, 0xdb, 0x70,
|
||||
+ 0xa7, 0xe5, 0x77, 0xb8, 0x47, 0xaa, 0xe7, 0x3e, 0xe8, 0x5a, 0x96, 0xc6,
|
||||
+ 0x0a, 0x0b, 0x07, 0x8d, 0x6d, 0xeb, 0x80, 0x0c, 0xd9, 0x80, 0x2d, 0x4d};
|
||||
+
|
||||
+const uint8_t kExpectedOutputIkeAppBSha256[] = {
|
||||
+ 0xe7, 0x11, 0x54, 0x6e, 0x3f, 0xaa, 0xd4, 0xc7, 0xc4, 0xaa, 0x75, 0x6b,
|
||||
+ 0xc2, 0x6c, 0xad, 0x6a, 0xbe, 0xa8, 0x24, 0x19, 0x84, 0xa0, 0xf6, 0xb0,
|
||||
+ 0x83, 0x9c, 0x70, 0xca, 0x61, 0xc4, 0xef, 0x88, 0xd7, 0xd5, 0xb7, 0x2e,
|
||||
+ 0x45, 0x32, 0xe1, 0x1d, 0x12, 0x38, 0xfb, 0xcb, 0x08, 0x54, 0xc7, 0xdb,
|
||||
+ 0xc4, 0x80, 0x2d, 0xd4, 0xf3, 0xbf, 0x51, 0x80, 0xf3, 0xa6, 0xdf, 0x77,
|
||||
+ 0x51, 0x61, 0xd8, 0xdb, 0x98, 0x2c, 0xc2, 0xe6, 0x72, 0x36, 0x90, 0xf9,
|
||||
+ 0xd2, 0x2a, 0x6d, 0x6c, 0xeb, 0x10, 0x3f, 0xa0, 0xa3, 0xff, 0xe4, 0x8b,
|
||||
+ 0x5a, 0x4a, 0x1b, 0xec, 0xb0, 0x48, 0xb0, 0xed, 0x16, 0x8a, 0x89, 0x31,
|
||||
+ 0x96, 0x5e, 0xa9, 0x11, 0x1f, 0x28, 0x68, 0x07, 0xf1, 0xa3, 0x2b, 0x01,
|
||||
+ 0x4f, 0x0b, 0x73, 0x78, 0x3b, 0xca, 0x4f, 0x8f, 0x34, 0xc0, 0x21, 0x14,
|
||||
+ 0xe3, 0xdf, 0xa1, 0xf7, 0x05, 0x63, 0xcb, 0x74, 0x7a, 0x90, 0x59, 0x19,
|
||||
+ 0xc9, 0xa9, 0x47, 0xcf, 0xe7, 0xbe, 0x04, 0xa7, 0x0c, 0x32, 0xdd, 0x34,
|
||||
+ 0x07, 0x8f, 0x4f, 0xb5, 0x75, 0xfb, 0xb9, 0x06, 0xd2, 0x55, 0x08, 0xce,
|
||||
+ 0x0a, 0x47, 0xc2, 0x64, 0x5f, 0xd5, 0xab, 0x55, 0x2a, 0x1a, 0x7e, 0xbd,
|
||||
+ 0xd5, 0x6d, 0x43, 0x89, 0x3c, 0x53, 0xde, 0x01, 0xfe, 0x19, 0x19, 0xc3,
|
||||
+ 0xaf, 0xa0, 0x64, 0x2d, 0x7e, 0xe1, 0x7e, 0x31, 0x61, 0xf9, 0xe6, 0x4f,
|
||||
+ 0x56, 0xc3, 0xc9, 0x7e, 0x92, 0xd7, 0x88, 0x58, 0x1a, 0x7f, 0x3c, 0x3e,
|
||||
+ 0xae, 0x3f, 0x86, 0xec, 0xb2, 0xaa, 0x8b, 0xaf, 0x22, 0x49, 0xa5, 0x3d,
|
||||
+ 0xc2, 0xb1, 0x94, 0x0f, 0x5b, 0x08, 0x49, 0xac, 0x23, 0xa4, 0x79, 0x33,
|
||||
+ 0xde, 0xfb, 0x8b, 0xd3, 0xe6, 0x6c, 0x83, 0xce, 0x01, 0xc7, 0xb4, 0x23,
|
||||
+ 0x5c, 0x6d, 0x81, 0xda, 0x70, 0x71, 0x43, 0x9c, 0x94, 0x6a, 0x9e, 0x03,
|
||||
+ 0x6d, 0xc3, 0x71, 0x69, 0x53, 0x83, 0x89, 0x08, 0x1b, 0x2b, 0x4b, 0xa8,
|
||||
+ 0x4a, 0x2a, 0xdf, 0x26, 0xaf, 0xc3, 0x8e, 0x59, 0x15, 0xa7, 0x24, 0x8f,
|
||||
+ 0x3c, 0xad, 0x08, 0xf2, 0x12, 0xe1, 0x42, 0x41, 0x0c, 0xcb, 0x3e, 0xf4,
|
||||
+ 0x71, 0xab, 0xb1, 0x16, 0x2c, 0xb7, 0xe1, 0x3f, 0x94, 0x03, 0x01, 0x78,
|
||||
+ 0xd7, 0x84, 0x1d, 0x63, 0x03, 0xfe, 0x4b, 0x3f, 0x40, 0xce, 0x30, 0x75,
|
||||
+ 0x10, 0xd1, 0xa4, 0xd3, 0x3c, 0x68, 0x9b, 0xc0, 0x6b, 0xdc, 0xe1, 0xda,
|
||||
+ 0x06, 0x41, 0x71, 0x20, 0x88, 0x82, 0x60, 0x2e, 0x48, 0x93, 0x78, 0x30,
|
||||
+ 0xb4, 0xb9, 0xe3, 0x88, 0x79, 0xf7, 0x0d, 0x0b, 0xa4, 0xae, 0x2e, 0x7b,
|
||||
+ 0x00, 0x82, 0x49, 0xbf, 0xe8, 0x07, 0xb4, 0x51, 0xd9, 0xa0, 0xf7, 0x8f,
|
||||
+ 0xe6, 0x24, 0x17, 0xd0, 0xa5, 0x58, 0xcc, 0x37, 0xf2, 0x86, 0x6e, 0xc2,
|
||||
+ 0xf0, 0xf0, 0x87, 0x64, 0xfa, 0x6e, 0x94, 0x99, 0x1a, 0xbc, 0xd9, 0xea,
|
||||
+ 0x48, 0x07, 0x38, 0x2e, 0x79, 0x61, 0x82, 0x69, 0x09, 0x6f, 0xbc, 0x8e,
|
||||
+ 0x44, 0x38, 0x0e, 0xc9, 0x6f, 0xcd, 0xb7, 0x39, 0x92, 0x02, 0x27, 0x23,
|
||||
+ 0x35, 0xcf, 0x4f, 0xf7, 0x52, 0x7b, 0x33, 0x93, 0xbd, 0x6c, 0x7c, 0xef,
|
||||
+ 0x39, 0x4b, 0x1a, 0x9f, 0xdf, 0x8f, 0x5c, 0x5b, 0x7b, 0xdb, 0x6b, 0xfd,
|
||||
+ 0x72, 0xe0, 0xb0, 0xc5, 0x97, 0x5b, 0x08, 0x6b, 0x17, 0x2f, 0x38, 0xd7,
|
||||
+ 0xbe, 0xf8, 0xd7, 0x20, 0xf5, 0x33, 0x68, 0x69, 0x16, 0xe5, 0x08, 0x05,
|
||||
+ 0x6c, 0x1b, 0xfa, 0xa8, 0x63, 0x55, 0xb4, 0x03, 0xb9, 0x89, 0xd7, 0x61,
|
||||
+ 0xf3, 0x9a, 0xf6, 0x45, 0xb4, 0xb2, 0x16, 0x5d, 0xf3, 0x09, 0x7b, 0x09,
|
||||
+ 0x09, 0x75, 0x0a, 0xbd, 0xdf, 0x7d, 0xe6, 0x1e, 0x07, 0xec, 0x7c, 0x14,
|
||||
+ 0xac, 0x4b, 0x68, 0xa8, 0x44, 0x5f, 0x77, 0x36, 0xb8, 0x1d, 0x7c, 0x73,
|
||||
+ 0x82, 0x80, 0xc2, 0x52, 0x55, 0x2c, 0x5d, 0xba, 0x53, 0x79, 0x45, 0xad,
|
||||
+ 0x51, 0x98, 0xbb, 0x8a, 0xea, 0x4f, 0x19, 0x22, 0x22, 0x69, 0xd3, 0x3a,
|
||||
+ 0x72, 0xd8, 0xe3, 0x37, 0xf4, 0x3b, 0xf3, 0xf1, 0x52, 0x48, 0x4d, 0xbf,
|
||||
+ 0xa5, 0x7a, 0xef, 0x44, 0x53, 0x7b, 0x6e, 0x6c, 0xb7, 0x1a, 0xa8, 0x75,
|
||||
+ 0xaf, 0xdb, 0x15, 0x05, 0x53, 0xc8, 0xb9, 0x9c, 0xea, 0x1a, 0xf7, 0x9d,
|
||||
+ 0x9b, 0xb6, 0xa6, 0x5e, 0x0f, 0xf7, 0x49, 0x7e, 0xc9, 0x12, 0x38, 0x3d,
|
||||
+ 0x78, 0xaf, 0x80, 0x3d, 0x76, 0x6d, 0x96, 0x4f, 0x06, 0xff, 0xdf, 0xc5,
|
||||
+ 0x9c, 0x47, 0xbe, 0x3e, 0x3d, 0xc2, 0x2a, 0x41, 0x15, 0x7e, 0xbd, 0xab,
|
||||
+ 0x12, 0x02, 0xfe, 0xa5, 0x4f, 0xb4, 0x1a, 0xf5, 0x6a, 0xed, 0xff, 0x50,
|
||||
+ 0x5a, 0x56, 0x7b, 0x2f, 0xff, 0xff, 0x29, 0xb5, 0x77, 0xf4, 0x38, 0xb3,
|
||||
+ 0x40, 0xd9, 0x17, 0x89, 0x43, 0x3f, 0x86, 0x29, 0x50, 0xce, 0x72, 0xde,
|
||||
+ 0x55, 0x63, 0x06, 0x14, 0x50, 0xae, 0xc1, 0x49, 0x10, 0x55, 0x21, 0xeb,
|
||||
+ 0x68, 0xe7, 0xfc, 0xc7, 0xf5, 0x92, 0xc5, 0xf2, 0xe2, 0xc9, 0xdb, 0x42,
|
||||
+ 0x59, 0x44, 0x0e, 0xda, 0x23, 0x50, 0x62, 0xef, 0x6e, 0xae, 0x1c, 0x0e,
|
||||
+ 0x93, 0x74, 0xa6, 0xdb, 0x4c, 0xc7, 0x4b, 0xa6, 0xe2, 0x3a, 0xe3, 0x03,
|
||||
+ 0x22, 0xd1, 0xe4, 0x21, 0x13, 0x98, 0x6a, 0xeb, 0x43, 0xbf, 0xe6, 0x8a,
|
||||
+ 0xfb, 0x28, 0x15, 0x47, 0x7e, 0xaa, 0x12, 0x60, 0x08, 0x23, 0xc6, 0x59,
|
||||
+ 0xeb, 0xc1, 0x71, 0x18, 0x03, 0x16, 0x7f, 0x75, 0x5f, 0x65, 0x8a, 0x7f,
|
||||
+ 0x1d, 0xae, 0x98, 0x94, 0xa4, 0xb1, 0xf5, 0xcc, 0x0a, 0x6f, 0x62, 0x79,
|
||||
+ 0x27, 0x38, 0x32, 0x73, 0x90, 0xc8, 0x3f, 0x70, 0xf7, 0x44, 0xcf, 0xfd,
|
||||
+ 0xc8, 0xfa, 0xcb, 0x3e, 0x73, 0x5f, 0x1d, 0xde, 0xb5, 0x73, 0x4d, 0x00,
|
||||
+ 0x2a, 0xce, 0x77, 0x92, 0x17, 0x0f, 0xcf, 0xbf, 0x87, 0x78, 0xdc, 0xbc,
|
||||
+ 0x83, 0xb3, 0x86, 0xd5, 0x32, 0xf5, 0x17, 0x73, 0xba, 0x90, 0xae, 0xc4,
|
||||
+ 0x40, 0x25, 0x26, 0xde, 0x8c, 0x5e, 0xbb, 0x83, 0x0e, 0x27, 0xd5, 0x0a,
|
||||
+ 0x4d, 0x89, 0xf0, 0xf3, 0x0f, 0xb5, 0x7d, 0xe3, 0x04, 0x6b, 0x5a, 0x59,
|
||||
+ 0xf4, 0x0a, 0x23, 0xc9, 0xe9, 0xe5, 0x1c, 0x20, 0x43, 0xac, 0xe2, 0x61,
|
||||
+ 0x10, 0x8d, 0x20, 0x83, 0xe7, 0x60, 0x28, 0x32, 0xd0, 0x15, 0x67, 0xf1,
|
||||
+ 0xaf, 0xd4, 0xcb, 0x2a, 0xec, 0xc5, 0xe2, 0xe7, 0xa2, 0x57, 0x18, 0x3d,
|
||||
+ 0x5e, 0xdd, 0x14, 0x88, 0x39, 0x59, 0x10, 0x9c, 0xa9, 0xf9, 0xd9, 0xb9,
|
||||
+ 0xdd, 0x09, 0xb0, 0x2f, 0x5a, 0x30, 0x0f, 0xbf, 0x34, 0x8a, 0xf1, 0x62,
|
||||
+ 0x40, 0x15, 0x4e, 0xe9, 0x69, 0x2f, 0x94, 0x87, 0x07, 0xf0, 0x01, 0xa2,
|
||||
+ 0x8f, 0x11, 0xb9, 0x31, 0x4c, 0x2b, 0x7d, 0x7f, 0x6c, 0x04, 0xd6, 0x91,
|
||||
+ 0x4d, 0x71, 0x6b, 0x8c, 0xa7, 0x47, 0xb1, 0x34, 0x34, 0x08, 0xda, 0x5b,
|
||||
+ 0xcb, 0x82, 0xbb, 0x5b, 0x14, 0x27, 0x2a, 0x20, 0x25, 0xda, 0xbe, 0x1d,
|
||||
+ 0x21, 0xa8, 0x68, 0x77, 0xf4, 0x17, 0xaf, 0x7f, 0x22, 0xda, 0xd4, 0xc6,
|
||||
+ 0x38, 0x0c, 0xbe, 0xf1, 0xa5, 0x0b, 0x17, 0x83, 0x22, 0xb3, 0x5b, 0x12,
|
||||
+ 0x1f, 0x0a, 0x18, 0x14, 0x46, 0xbf, 0x9b, 0xc0, 0x53, 0x7a, 0x83, 0x40,
|
||||
+ 0xde, 0x1a, 0x9d, 0xf0, 0x3b, 0x66, 0x74, 0x01, 0xa1, 0xfc, 0x29, 0xde,
|
||||
+ 0x08, 0x66, 0x85, 0x56, 0x2c, 0xc8, 0x30, 0xb7, 0x42, 0x1f, 0xa2, 0x32,
|
||||
+ 0x28, 0xc4, 0xc5, 0xfe, 0xea, 0xb0, 0x4e, 0x81, 0x59, 0x74, 0x90, 0x93,
|
||||
+ 0xb1, 0x1c, 0x5c, 0x4f, 0x54, 0x5e, 0xcc, 0xd7, 0x1d, 0x75, 0xd2, 0x3d,
|
||||
+ 0x77, 0xff, 0x72, 0xa8, 0x74, 0x31, 0xec, 0x74, 0xe8, 0xcc, 0x69, 0xce,
|
||||
+ 0xde, 0xe5, 0x05, 0x1e, 0xc2, 0x99, 0x90, 0x22, 0xe5, 0x10, 0xd4, 0xaf,
|
||||
+ 0x52, 0xe3, 0x47, 0xf4, 0x38, 0xeb, 0xa3, 0xd2, 0x72, 0x64, 0xb2, 0xd3,
|
||||
+ 0x0c, 0x0c, 0xaa, 0xae, 0x29, 0xb5, 0x38, 0xd4, 0x52, 0xfa, 0x96, 0x17,
|
||||
+ 0x7a, 0x18, 0xe8, 0x89, 0xd2, 0xd5, 0xd9, 0xae, 0x5a, 0x0e, 0x25, 0x8d};
|
||||
+
|
||||
+class IkeKdfTest : public ::testing::Test {
|
||||
+ public:
|
||||
+ IkeKdfTest()
|
||||
+ : params_({siBuffer, nullptr, 0}),
|
||||
+ gxy_item_({siBuffer, toUcharPtr(kGxyData), kGxySize}),
|
||||
+ skey_item_({siBuffer, toUcharPtr(kKeyData), kKeySize}),
|
||||
+ key_mech_(0),
|
||||
+ slot_(nullptr),
|
||||
+ gxy_(nullptr),
|
||||
+ skey_(nullptr),
|
||||
+ okey_(nullptr) {}
|
||||
+
|
||||
+ ~IkeKdfTest() {
|
||||
+ if (slot_) {
|
||||
+ PK11_FreeSlot(slot_);
|
||||
+ }
|
||||
+ if (gxy_) {
|
||||
+ PK11_FreeSymKey(gxy_);
|
||||
+ }
|
||||
+ ClearTempVars();
|
||||
+ }
|
||||
+
|
||||
+ void ClearTempVars() {
|
||||
+ if (skey_) {
|
||||
+ PK11_FreeSymKey(skey_);
|
||||
+ skey_ = nullptr;
|
||||
+ }
|
||||
+ if (okey_) {
|
||||
+ PK11_FreeSymKey(okey_);
|
||||
+ okey_ = nullptr;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ void Init() {
|
||||
+ params_.type = siBuffer;
|
||||
+
|
||||
+ gxy_item_.type = siBuffer;
|
||||
+ gxy_item_.data =
|
||||
+ const_cast<unsigned char*>(static_cast<const unsigned char*>(kGxyData));
|
||||
+ gxy_item_.len = sizeof(kGxyData);
|
||||
+ skey_item_.type = siBuffer;
|
||||
+ skey_item_.data =
|
||||
+ const_cast<unsigned char*>(static_cast<const unsigned char*>(kKeyData));
|
||||
+
|
||||
+ slot_ = PK11_GetInternalSlot();
|
||||
+ ASSERT_NE(nullptr, slot_);
|
||||
+ gxy_ = PK11_ImportSymKey(slot_, CKM_NSS_IKE_PRF_DERIVE, PK11_OriginUnwrap,
|
||||
+ CKA_DERIVE, &gxy_item_, NULL);
|
||||
+ ASSERT_NE(nullptr, gxy_);
|
||||
+ }
|
||||
+
|
||||
+ void ComputeAndVerifyKey(CK_MECHANISM_TYPE derive_mech,
|
||||
+ CK_MECHANISM_TYPE hash_mech, const uint8_t* expected) {
|
||||
+ // Infer prf length from mechanism
|
||||
+ int prf_len = 0;
|
||||
+ std::string mac = "unknown";
|
||||
+
|
||||
+ switch (hash_mech) {
|
||||
+ case CKM_AES_XCBC_MAC:
|
||||
+ prf_len = kAesXcbcLen;
|
||||
+ mac = "CKM_AES_XCBC_MAC";
|
||||
+ break;
|
||||
+ case CKM_SHA_1_HMAC:
|
||||
+ prf_len = kSha1Len;
|
||||
+ mac = "CKM_SHA_1_HMAC";
|
||||
+ break;
|
||||
+ case CKM_SHA224_HMAC:
|
||||
+ prf_len = kSha224Len;
|
||||
+ mac = "CKM_SHA224_HMAC";
|
||||
+ break;
|
||||
+ case CKM_SHA256_HMAC:
|
||||
+ prf_len = kSha256Len;
|
||||
+ mac = "CKM_SHA256_HMAC";
|
||||
+ break;
|
||||
+ case CKM_SHA384_HMAC:
|
||||
+ prf_len = kSha384Len;
|
||||
+ mac = "CKM_SHA384_HMAC";
|
||||
+ break;
|
||||
+ case CKM_SHA512_HMAC:
|
||||
+ prf_len = kSha512Len;
|
||||
+ mac = "CKM_SHA512_HMAC";
|
||||
+ break;
|
||||
+ default:
|
||||
+ ASSERT_TRUE(false) << "Invalid PRF Mechanism";
|
||||
+ }
|
||||
+
|
||||
+ Inner(derive_mech, hash_mech, mac, prf_len, expected);
|
||||
+ }
|
||||
+
|
||||
+ // Set output == nullptr to test when errors occur
|
||||
+ void Inner(CK_MECHANISM_TYPE derive_mech, CK_MECHANISM_TYPE hash_mech,
|
||||
+ std::string mac, size_t prf_len, const uint8_t* expected) {
|
||||
+ PRBool use_skey = PR_FALSE;
|
||||
+ size_t output_len = 0;
|
||||
+ PK11SymKey *derive_key = nullptr;
|
||||
+ std::stringstream s;
|
||||
+ s << "Derive:";
|
||||
+ std::string msg;
|
||||
+
|
||||
+ ClearTempVars();
|
||||
+
|
||||
+ // Import the params
|
||||
+ CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf;
|
||||
+ CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf;
|
||||
+ CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ikep_prf;
|
||||
+ CK_MECHANISM_TYPE ike1_app_b;
|
||||
+
|
||||
+ switch (derive_mech) {
|
||||
+ case CKM_NSS_IKE_PRF_DERIVE:
|
||||
+ ike_prf.prfMechanism = hash_mech;
|
||||
+ ike_prf.bDataAsKey = PR_TRUE;
|
||||
+ ike_prf.bRekey = PR_FALSE;
|
||||
+ ike_prf.pNi = toUcharPtr(kSeed);
|
||||
+ ike_prf.ulNiLen = kSeedSize;
|
||||
+ ike_prf.pNr = toUcharPtr(kSeed);
|
||||
+ ike_prf.ulNrLen = kSeedSize;
|
||||
+ ike_prf.hNewKey = CK_INVALID_HANDLE;
|
||||
+ output_len = 0;
|
||||
+ use_skey = PR_FALSE;
|
||||
+ params_.data = reinterpret_cast<unsigned char*>(&ike_prf);
|
||||
+ params_.len = sizeof(ike_prf);
|
||||
+ s << "CKM_NSS_IKE_PRF_DERIVE";
|
||||
+ break;
|
||||
+ case CKM_NSS_IKE_PRF_PLUS_DERIVE:
|
||||
+ ikep_prf.prfMechanism = hash_mech;
|
||||
+ ikep_prf.bHasSeedKey = PR_FALSE;
|
||||
+ ikep_prf.pSeedData= toUcharPtr(kSeed);
|
||||
+ ikep_prf.ulSeedDataLen = kSeedSize*4;
|
||||
+ output_len = kLongKeySize;
|
||||
+ use_skey = PR_TRUE;
|
||||
+ params_.data = reinterpret_cast<unsigned char*>(&ikep_prf);
|
||||
+ params_.len = sizeof(ikep_prf);
|
||||
+ s << "CKM_NSS_IKE_PRF_PLUS_DERIVE";
|
||||
+ break;
|
||||
+ case CKM_NSS_IKE1_PRF_DERIVE:
|
||||
+ ike1_prf.prfMechanism = hash_mech;
|
||||
+ ike1_prf.bHasPrevKey = PR_FALSE;
|
||||
+ ike1_prf.hKeygxy = PK11_GetSymKeyHandle(gxy_);
|
||||
+ ike1_prf.hPrevKey = CK_INVALID_HANDLE;
|
||||
+ ike1_prf.pCKYi = toUcharPtr(kSeed);
|
||||
+ ike1_prf.ulCKYiLen = kSeedSize;
|
||||
+ ike1_prf.pCKYr = toUcharPtr(kSeed);
|
||||
+ ike1_prf.ulCKYrLen = kSeedSize;
|
||||
+ ike1_prf.keyNumber = 0;
|
||||
+ output_len = prf_len;
|
||||
+ use_skey = PR_TRUE;
|
||||
+ params_.data = reinterpret_cast<unsigned char*>(&ike1_prf);
|
||||
+ params_.len = sizeof(ike1_prf);
|
||||
+ s << "CKM_NSS_IKE1_PRF_DERIVE";
|
||||
+ break;
|
||||
+ case CKM_NSS_IKE1_APP_B_PRF_DERIVE:
|
||||
+ ike1_app_b = hash_mech;
|
||||
+ output_len = kLongKeySize;
|
||||
+ use_skey = PR_TRUE;
|
||||
+ params_.data = reinterpret_cast<unsigned char*>(&ike1_app_b);
|
||||
+ params_.len = sizeof(ike1_app_b);
|
||||
+ s << "CKM_NSS_IKE1_APP_B_DERIVE";
|
||||
+ break;
|
||||
+ default:
|
||||
+ ASSERT_TRUE(false) << "Invalid IKE DERIVE mechanism";
|
||||
+ }
|
||||
+
|
||||
+ s << " Mac/Prf:" << mac;
|
||||
+ msg = s.str();
|
||||
+
|
||||
+
|
||||
+ // Import the PMS
|
||||
+ derive_key = gxy_;
|
||||
+ if (use_skey) {
|
||||
+ skey_item_.len = prf_len;
|
||||
+ skey_ = PK11_ImportSymKey(slot_, derive_mech, PK11_OriginUnwrap,
|
||||
+ CKA_DERIVE, &skey_item_, NULL);
|
||||
+ ASSERT_NE(nullptr, skey_) << msg;
|
||||
+ derive_key = skey_;
|
||||
+ }
|
||||
+
|
||||
+ // Compute the result key
|
||||
+ okey_ = PK11_DeriveWithFlags(derive_key, derive_mech, ¶ms_, key_mech_,
|
||||
+ CKA_DERIVE, output_len, CKF_SIGN | CKF_VERIFY);
|
||||
+
|
||||
+ // Verify the result has the expected value (null or otherwise)
|
||||
+ int error = PORT_GetError();
|
||||
+ s << " Error=" << error;
|
||||
+ msg = s.str();
|
||||
+ if (!expected) {
|
||||
+ EXPECT_EQ(nullptr, okey_) << msg;
|
||||
+ } else {
|
||||
+ ASSERT_NE(nullptr, okey_) << msg;
|
||||
+
|
||||
+ SECStatus rv = PK11_ExtractKeyValue(okey_);
|
||||
+ ASSERT_EQ(SECSuccess, rv) << "PK11_ExtractKeyValue";
|
||||
+
|
||||
+ SECItem* oData = PK11_GetKeyData(okey_);
|
||||
+ ASSERT_NE(nullptr, oData) << "PK11_GetKeyData";
|
||||
+
|
||||
+ if (output_len == 0) {
|
||||
+ output_len = prf_len;
|
||||
+ }
|
||||
+ s << "\n" << "output_len=" << output_len << " oData->len=" << oData->len << ".\n";
|
||||
+ for (unsigned int i=0; i < oData->len; i++) {
|
||||
+ if (i % 12 == 0) s << "\n ";
|
||||
+ s << " 0x" << std::setfill('0')
|
||||
+ << std::setw(2) << std::hex << (int) oData->data[i] << ",";
|
||||
+ }
|
||||
+ s << "};\n";
|
||||
+ msg = s.str();
|
||||
+ ASSERT_EQ(output_len, oData->len) << msg ;
|
||||
+
|
||||
+ EXPECT_EQ(0, memcmp(oData->data, expected, output_len)) << msg;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ protected:
|
||||
+ SECItem params_;
|
||||
+ SECItem gxy_item_;
|
||||
+ SECItem skey_item_;
|
||||
+ CK_MECHANISM_TYPE key_mech_;
|
||||
+ PK11SlotInfo* slot_;
|
||||
+ PK11SymKey* gxy_;
|
||||
+ PK11SymKey* skey_;
|
||||
+ PK11SymKey* okey_;
|
||||
+};
|
||||
+
|
||||
+//
|
||||
+// The full range is tested with the FIPS vectors in the cavs tests.
|
||||
+// just make sure the NSS Derive iterfaces are working for everything.
|
||||
+//
|
||||
+TEST_F(IkeKdfTest, IkePrfSha256) {
|
||||
+ Init();
|
||||
+ ComputeAndVerifyKey(CKM_NSS_IKE_PRF_DERIVE, CKM_SHA256_HMAC,
|
||||
+ kExpectedOutputIkeSha256);
|
||||
+}
|
||||
+
|
||||
+TEST_F(IkeKdfTest, Ike1PrfSha256) {
|
||||
+ Init();
|
||||
+ ComputeAndVerifyKey(CKM_NSS_IKE1_PRF_DERIVE, CKM_SHA256_HMAC,
|
||||
+ kExpectedOutputIke1Sha256);
|
||||
+}
|
||||
+
|
||||
+TEST_F(IkeKdfTest, IkePlusPrfSha256) {
|
||||
+ Init();
|
||||
+ ComputeAndVerifyKey(CKM_NSS_IKE_PRF_PLUS_DERIVE, CKM_SHA256_HMAC,
|
||||
+ kExpectedOutputIkePlusSha256);
|
||||
+}
|
||||
+
|
||||
+TEST_F(IkeKdfTest, Ike1AppBPrfSha256) {
|
||||
+ Init();
|
||||
+ ComputeAndVerifyKey(CKM_NSS_IKE1_APP_B_PRF_DERIVE, CKM_SHA256_HMAC,
|
||||
+ kExpectedOutputIkeAppBSha256);
|
||||
+}
|
||||
+
|
||||
+} // namespace nss_test
|
||||
diff -up ./lib/softoken/pkcs11.c.missing_kdf ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.missing_kdf 2019-08-07 14:18:55.039435109 -0700
|
||||
+++ ./lib/softoken/pkcs11.c 2019-08-08 10:28:12.449792962 -0700
|
||||
@@ -516,7 +516,8 @@ static const struct mechanismList mechan
|
||||
/* --------------------IPSEC ----------------------- */
|
||||
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
|
||||
{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
|
||||
- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
|
||||
+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
|
||||
+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
|
||||
};
|
||||
static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
|
||||
|
||||
diff -up ./lib/softoken/sftkike.c.missing_kdf ./lib/softoken/sftkike.c
|
||||
--- ./lib/softoken/sftkike.c.missing_kdf 2019-08-08 10:24:27.872008887 -0700
|
||||
+++ ./lib/softoken/sftkike.c 2019-08-08 10:27:34.416829530 -0700
|
||||
@@ -744,7 +744,7 @@ sftk_ike1_appendix_b_prf(CK_SESSION_HAND
|
||||
* key is inKey
|
||||
*/
|
||||
thisKey = outKeyData;
|
||||
- for (genKeySize = 0; genKeySize <= keySize; genKeySize += macSize) {
|
||||
+ for (genKeySize = 0; genKeySize < keySize; genKeySize += macSize) {
|
||||
crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen);
|
||||
if (crv != CKR_OK) {
|
||||
goto fail;
|
|
@ -0,0 +1,14 @@
|
|||
diff -up ./tests/ssl/ssl.sh.brew ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.brew 2021-06-12 11:37:46.153265942 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2021-06-12 11:39:43.069925034 -0700
|
||||
@@ -1641,7 +1641,9 @@ ssl_run_tests()
|
||||
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
ssl_policy_listsuites
|
||||
ssl_policy_selfserv
|
||||
- ssl_policy_pkix_ocsp
|
||||
+ # requires access to external servers, which fails
|
||||
+ # when running in brew
|
||||
+ #ssl_policy_pkix_ocsp
|
||||
ssl_policy
|
||||
fi
|
||||
;;
|
|
@ -0,0 +1,42 @@
|
|||
diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2023-06-21 08:54:54.802785229 +0200
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-21 08:58:24.748282499 +0200
|
||||
@@ -395,12 +395,9 @@ static const oidValDef signOptList[] = {
|
||||
/* Signatures */
|
||||
{ CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
- { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
|
||||
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
|
||||
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
|
||||
};
|
||||
|
||||
typedef struct {
|
||||
@@ -416,7 +413,7 @@ static const algListsDef algOptLists[] =
|
||||
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
|
||||
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
|
||||
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
|
||||
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
|
||||
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
|
||||
};
|
||||
|
||||
static const optionFreeDef sslOptList[] = {
|
||||
diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.no_signature_policy 2023-06-21 09:00:17.720181306 +0200
|
||||
+++ ./tests/ssl/sslpolicy.txt 2023-06-21 09:00:55.637501208 +0200
|
||||
@@ -193,7 +193,9 @@
|
||||
1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow
|
||||
1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly
|
||||
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
|
||||
- 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
+# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||
+# compatibility reasons
|
||||
+# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
|
@ -0,0 +1,44 @@
|
|||
diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
|
||||
--- ./cmd/pk12util/pk12util.c.orig 2021-05-28 02:50:43.000000000 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2021-06-15 17:05:37.200262345 -0700
|
||||
@@ -1031,9 +1031,11 @@ main(int argc, char **argv)
|
||||
char *export_file = NULL;
|
||||
char *dbprefix = "";
|
||||
SECStatus rv;
|
||||
- SECOidTag cipher = SEC_OID_AES_256_CBC;
|
||||
- SECOidTag hash = SEC_OID_SHA256;
|
||||
- SECOidTag certCipher = SEC_OID_AES_128_CBC;
|
||||
+ SECOidTag cipher =
|
||||
+ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_3KEY_TRIPLE_DES_CBC;
|
||||
+ SECOidTag hash = SEC_OID_SHA1;
|
||||
+ SECOidTag certCipher =
|
||||
+ SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC;
|
||||
int keyLen = 0;
|
||||
int certKeyLen = 0;
|
||||
secuCommand pk12util;
|
||||
@@ -1147,6 +1149,9 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
+ if (PK11_IsFIPS()) {
|
||||
+ certCipher = SEC_OID_UNKNOWN;
|
||||
+ }
|
||||
if (pk12util.options[opt_CertCipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||
|
||||
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
|
||||
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700
|
||||
@@ -47,9 +47,9 @@
|
||||
"PKCS #5 Password Based Encryption with SHA-1 and DES-CBC"
|
||||
|
||||
# if we change the defaults in pk12util, update these variables
|
||||
- export CERT_ENCRYPTION_DEFAULT="AES-128-CBC"
|
||||
- export KEY_ENCRYPTION_DEFAULT="AES-256-CBC"
|
||||
- export HASH_DEFAULT="SHA-256"
|
||||
+ export CERT_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1And40BitRc2Cbc}
|
||||
+ export KEY_ENCRYPTION_DEFAULT=${pkcs12v2pbeWithSha1AndTripleDESCBC}
|
||||
+ export HASH_DEFAULT="SHA-1"
|
||||
|
||||
export PKCS5v1_PBE_CIPHERS="${pkcs5pbeWithMD2AndDEScbc},\
|
||||
${pkcs5pbeWithMD5AndDEScbc},\
|
|
@ -0,0 +1,20 @@
|
|||
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
|
||||
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
|
||||
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
|
||||
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
|
||||
<refsection id="encryption">
|
||||
<title>Password Encryption</title>
|
||||
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
<para>The private key is always protected with strong encryption by default.</para>
|
||||
<para>Several types of ciphers are supported.</para>
|
||||
<variablelist>
|
||||
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
<listitem>
|
||||
<itemizedlist>
|
||||
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
|
||||
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
|
@ -0,0 +1,26 @@
|
|||
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
@@ -15,13 +15,22 @@
|
||||
#include "gtest_utils.h"
|
||||
#include "tls_agent.h"
|
||||
#include "tls_connect.h"
|
||||
+#define LTO
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
+#ifndef LTO
|
||||
+// sigh this construction breaks LTO
|
||||
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
|
||||
const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
|
||||
const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
|
||||
const std::string kDCId = TlsAgent::kServerEcdsa256;
|
||||
+#else
|
||||
+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
|
||||
+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
|
||||
+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
|
||||
+#define kDCId TlsAgent::kServerEcdsa256
|
||||
+#endif
|
||||
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
|
||||
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
|
||||
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,497 @@
|
|||
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
||||
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
|
||||
@@ -445,7 +445,7 @@ cleanup:
|
||||
PRBool
|
||||
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
||||
{
|
||||
- mp_int p, q, y, r;
|
||||
+ mp_int p, q, y, r, psub1;
|
||||
mp_err err;
|
||||
int cmp = 1; /* default is false */
|
||||
if (!Y || !prime || !subPrime) {
|
||||
@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
|
||||
MP_DIGITS(&q) = 0;
|
||||
MP_DIGITS(&y) = 0;
|
||||
MP_DIGITS(&r) = 0;
|
||||
+ MP_DIGITS(&psub1) = 0;
|
||||
CHECK_MPI_OK(mp_init(&p));
|
||||
CHECK_MPI_OK(mp_init(&q));
|
||||
CHECK_MPI_OK(mp_init(&y));
|
||||
CHECK_MPI_OK(mp_init(&r));
|
||||
+ CHECK_MPI_OK(mp_init(&psub1));
|
||||
SECITEM_TO_MPINT(*prime, &p);
|
||||
SECITEM_TO_MPINT(*subPrime, &q);
|
||||
SECITEM_TO_MPINT(*Y, &y);
|
||||
+ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
|
||||
+ /*
|
||||
+ * We check that the public value isn't zero (which isn't in the
|
||||
+ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
|
||||
+ * also check that the public value is less than p, to avoid being fooled
|
||||
+ * by values like p+1 or 2*p-1.
|
||||
+ * This check is required by SP-800-56Ar3. It's also done in derive,
|
||||
+ * but this is only called in various FIPS cases, so put it here to help
|
||||
+ * reviewers find it.
|
||||
+ */
|
||||
+ if (mp_cmp_d(&y, 1) <= 0 ||
|
||||
+ mp_cmp(&y, &psub1) >= 0) {
|
||||
+ err = MP_BADARG;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
/* compute r = y**q mod p */
|
||||
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
|
||||
/* compare to 1 */
|
||||
@@ -472,6 +489,7 @@ cleanup:
|
||||
mp_clear(&q);
|
||||
mp_clear(&y);
|
||||
mp_clear(&r);
|
||||
+ mp_clear(&psub1);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
* handle the base object stuff
|
||||
*/
|
||||
crv = sftk_handleObject(key, session);
|
||||
+ /* we need to do this check at the end, so we can check the generated
|
||||
+ * key length against fips requirements */
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
||||
}
|
||||
- /* we need to do this check at the end, so we can check the generated key length against
|
||||
- * fips requirements */
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
if (crv == CKR_OK) {
|
||||
*phKey = key->handle;
|
||||
}
|
||||
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
|
||||
if (isDerivable) {
|
||||
SFTKAttribute *pubAttribute = NULL;
|
||||
- CK_OBJECT_HANDLE newKey;
|
||||
PRBool isFIPS = sftk_isFIPS(slot->slotID);
|
||||
- CK_RV crv2;
|
||||
- CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
|
||||
- CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
|
||||
- CK_ULONG keyLen = 128;
|
||||
- CK_BBOOL ckTrue = CK_TRUE;
|
||||
- CK_ATTRIBUTE template[] = {
|
||||
- { CKA_CLASS, &secret, sizeof(secret) },
|
||||
- { CKA_KEY_TYPE, &generic, sizeof(generic) },
|
||||
- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
|
||||
- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
|
||||
- };
|
||||
- CK_ULONG templateCount = PR_ARRAY_SIZE(template);
|
||||
- CK_ECDH1_DERIVE_PARAMS ecParams;
|
||||
+ NSSLOWKEYPrivateKey *lowPrivKey = NULL;
|
||||
+ ECPrivateKey *ecPriv;
|
||||
+ SECItem *lowPubValue = NULL;
|
||||
+ SECItem item;
|
||||
+ SECStatus rv;
|
||||
|
||||
crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
|
||||
- /* FIPS 140-2 requires we verify that the resulting key is a valid key.
|
||||
- * The easiest way to do this is to do a derive operation, which checks
|
||||
- * the validity of the key */
|
||||
-
|
||||
+ /* FIPS 140-3 requires we verify that the resulting key is a valid key
|
||||
+ * by recalculating the public can an compare it to our own public
|
||||
+ * key. */
|
||||
+ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv);
|
||||
+ if (lowPrivKey == NULL) {
|
||||
+ return sftk_MapCryptError(PORT_GetError());
|
||||
+ }
|
||||
+ /* recalculate the public key from the private key */
|
||||
switch (keyType) {
|
||||
- case CKK_DH:
|
||||
- mech.mechanism = CKM_DH_PKCS_DERIVE;
|
||||
- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
|
||||
- if (pubAttribute == NULL) {
|
||||
- return CKR_DEVICE_ERROR;
|
||||
- }
|
||||
- mech.pParameter = pubAttribute->attrib.pValue;
|
||||
- mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
|
||||
- break;
|
||||
- case CKK_EC:
|
||||
- mech.mechanism = CKM_ECDH1_DERIVE;
|
||||
- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
|
||||
- if (pubAttribute == NULL) {
|
||||
- return CKR_DEVICE_ERROR;
|
||||
- }
|
||||
- ecParams.kdf = CKD_NULL;
|
||||
- ecParams.ulSharedDataLen = 0;
|
||||
- ecParams.pSharedData = NULL;
|
||||
- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
|
||||
- ecParams.pPublicData = pubAttribute->attrib.pValue;
|
||||
- mech.pParameter = &ecParams;
|
||||
- mech.ulParameterLen = sizeof(ecParams);
|
||||
- break;
|
||||
- default:
|
||||
- return CKR_DEVICE_ERROR;
|
||||
+ case CKK_DH:
|
||||
+ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime,
|
||||
+ &lowPrivKey->u.dh.privateValue, &item, 0);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
+ lowPubValue = SECITEM_DupItem(&item);
|
||||
+ SECITEM_ZfreeItem(&item, PR_FALSE);
|
||||
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
|
||||
+ break;
|
||||
+ case CKK_EC:
|
||||
+ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv,
|
||||
+ lowPrivKey->u.ec.privateValue.data,
|
||||
+ lowPrivKey->u.ec.privateValue.len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
+ /* make sure it has the same encoding */
|
||||
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
+ } else {
|
||||
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));;
|
||||
+ }
|
||||
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
|
||||
+ /* clear out our generated private key */
|
||||
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
|
||||
+ break;
|
||||
+ default:
|
||||
+ return CKR_DEVICE_ERROR;
|
||||
}
|
||||
-
|
||||
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
|
||||
- if (crv != CKR_OK) {
|
||||
- sftk_FreeAttribute(pubAttribute);
|
||||
- return crv;
|
||||
+ /* now compare new public key with our already generated key */
|
||||
+ if ((pubAttribute == NULL) || (lowPubValue == NULL) ||
|
||||
+ (pubAttribute->attrib.ulValueLen != lowPubValue->len) ||
|
||||
+ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data,
|
||||
+ lowPubValue->len) != 0)) {
|
||||
+ if (pubAttribute) sftk_FreeAttribute(pubAttribute);
|
||||
+ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
}
|
||||
+ SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
|
||||
+
|
||||
/* FIPS requires full validation, but in fipx mode NSC_Derive
|
||||
* only does partial validation with approved primes, now handle
|
||||
* full validation */
|
||||
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
SECItem pubKey;
|
||||
SECItem prime;
|
||||
SECItem subPrime;
|
||||
+ SECItem base;
|
||||
+ SECItem generator;
|
||||
const SECItem *subPrimePtr = &subPrime;
|
||||
|
||||
pubKey.data = pubAttribute->attrib.pValue;
|
||||
pubKey.len = pubAttribute->attrib.ulValueLen;
|
||||
- prime.data = subPrime.data = NULL;
|
||||
- prime.len = subPrime.len = 0;
|
||||
+ base.data = prime.data = subPrime.data = NULL;
|
||||
+ base.len = prime.len = subPrime.len = 0;
|
||||
crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
|
||||
if (crv != CKR_OK) {
|
||||
goto done;
|
||||
}
|
||||
- crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
|
||||
+ crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
/* we ignore the return code an only look at the length */
|
||||
- if (subPrime.len == 0) {
|
||||
- /* subprime not supplied, In this case look it up.
|
||||
- * This only works with approved primes, but in FIPS mode
|
||||
- * that's the only kine of prime that will get here */
|
||||
- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
|
||||
- if (subPrimePtr == NULL) {
|
||||
- crv = CKR_GENERAL_ERROR;
|
||||
+ /* do we have a known prime ? */
|
||||
+ subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS);
|
||||
+ if (subPrimePtr == NULL) {
|
||||
+ if (subPrime.len == 0) {
|
||||
+ /* if not a known prime, subprime must be supplied */
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ } else {
|
||||
+ /* not a known prime, check for primality of prime
|
||||
+ * and subPrime */
|
||||
+ if (!KEA_PrimeCheck(&prime)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (!KEA_PrimeCheck(&subPrime)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ /* if we aren't using a defined group, make sure base is in the
|
||||
+ * subgroup. If it's not, then our key could fail or succeed sometimes.
|
||||
+ * This makes the failure reliable */
|
||||
+ if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ }
|
||||
+ }
|
||||
+ subPrimePtr = &subPrime;
|
||||
+ } else {
|
||||
+ /* we're using a known group, make sure we are using the known generator for that group */
|
||||
+ if (SECITEM_CompareItem(&generator, &base) != 0) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
goto done;
|
||||
}
|
||||
+ if (subPrime.len != 0) {
|
||||
+ /* we have a known prime and a supplied subPrime,
|
||||
+ * make sure the subPrime matches the subPrime for
|
||||
+ * the known Prime */
|
||||
+ if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
|
||||
- crv = CKR_GENERAL_ERROR;
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
done:
|
||||
+ SECITEM_ZfreeItem(&base, PR_FALSE);
|
||||
SECITEM_ZfreeItem(&subPrime, PR_FALSE);
|
||||
SECITEM_ZfreeItem(&prime, PR_FALSE);
|
||||
}
|
||||
/* clean up before we return */
|
||||
sftk_FreeAttribute(pubAttribute);
|
||||
- crv2 = NSC_DestroyObject(hSession, newKey);
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
- if (crv2 != CKR_OK) {
|
||||
- return crv2;
|
||||
- }
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
* created and linked.
|
||||
*/
|
||||
crv = sftk_handleObject(publicKey, session);
|
||||
- sftk_FreeSession(session);
|
||||
if (crv != CKR_OK) {
|
||||
+ sftk_FreeSession(session);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
sftk_FreeObject(privateKey);
|
||||
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (crv != CKR_OK) {
|
||||
+ sftk_FreeSession(session);
|
||||
NSC_DestroyObject(hSession, publicKey->handle);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
+ session->lastOpWasFIPS = privateKey->isFIPS;
|
||||
+ sftk_FreeSession(session);
|
||||
|
||||
*phPrivateKey = privateKey->handle;
|
||||
*phPublicKey = publicKey->handle;
|
||||
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
|
||||
/* if the prime is an approved prime, we can skip all the other
|
||||
* checks. */
|
||||
- subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
|
||||
+ subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS);
|
||||
if (subPrime == NULL) {
|
||||
SECItem dhSubPrime;
|
||||
/* If the caller set the subprime value, it means that
|
||||
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
secretlen = tmp.len;
|
||||
} else {
|
||||
secretlen = keySize;
|
||||
+ key->isFIPS = PR_FALSE;
|
||||
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
|
||||
&tmp, mechParams->pSharedData,
|
||||
mechParams->ulSharedDataLen, mechParams->kdf);
|
||||
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
|
||||
if (object == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
|
||||
+ /* object types that we aren't allowed to create in FIPS mode are
|
||||
+ * already rejected explicitly. If we get here, then the object is
|
||||
+ * FIPS OK (most notably public key objects )*/
|
||||
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
|
||||
* it's not a FIPS object */
|
||||
|
||||
/*
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
||||
/* dh verify functions */
|
||||
/* verify that dhPrime matches one of our known primes, and if so return
|
||||
* it's subprime value */
|
||||
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
|
||||
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS);
|
||||
/* check if dhSubPrime claims dhPrime is a safe prime. */
|
||||
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
||||
/* map an operation Attribute to a Mechanism flag */
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
SECItem dhPrime;
|
||||
+ SECItem dhBase;
|
||||
+ SECItem dhGenerator;
|
||||
+ PRBool val = PR_FALSE;
|
||||
const SECItem *dhSubPrime;
|
||||
CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
|
||||
source, CKA_PRIME);
|
||||
if (crv != CKR_OK) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
|
||||
+ crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE);
|
||||
+ val = (dhSubPrime) ? PR_TRUE : PR_FALSE;
|
||||
+ if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) {
|
||||
+ val = PR_FALSE;
|
||||
+ }
|
||||
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
|
||||
- return (dhSubPrime) ? PR_TRUE : PR_FALSE;
|
||||
+ SECITEM_ZfreeItem(&dhBase, PR_FALSE);
|
||||
+ return val;
|
||||
}
|
||||
case SFTKFIPSNone:
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
||||
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
|
||||
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
|
||||
(unsigned char *)subprime_tls_8192_data,
|
||||
sizeof(subprime_tls_8192_data) };
|
||||
|
||||
+/* generator for all the groups is 2 */
|
||||
+static const unsigned char generator_2_data[] = { 2 };
|
||||
+
|
||||
+
|
||||
+static const SECItem generator_2 =
|
||||
+ { siBuffer,
|
||||
+ (unsigned char *)generator_2_data,
|
||||
+ sizeof(generator_2_data) };
|
||||
+
|
||||
/*
|
||||
* verify that dhPrime matches one of our known primes
|
||||
*/
|
||||
const SECItem *
|
||||
-sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
|
||||
+sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS)
|
||||
{
|
||||
/* use the length to decide which primes to check */
|
||||
switch (dhPrime->len) {
|
||||
@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
|
||||
sizeof(prime_ike_1536)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_1536;
|
||||
}
|
||||
break;
|
||||
case 2048 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
|
||||
sizeof(prime_tls_2048)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_2048;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
|
||||
sizeof(prime_ike_2048)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_2048;
|
||||
}
|
||||
break;
|
||||
case 3072 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
|
||||
sizeof(prime_tls_3072)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_3072;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
|
||||
sizeof(prime_ike_3072)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_3072;
|
||||
}
|
||||
break;
|
||||
case 4096 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
|
||||
sizeof(prime_tls_4096)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_4096;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
|
||||
sizeof(prime_ike_4096)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_4096;
|
||||
}
|
||||
break;
|
||||
case 6144 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
|
||||
sizeof(prime_tls_6144)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_6144;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
|
||||
sizeof(prime_ike_6144)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_6144;
|
||||
}
|
||||
break;
|
||||
case 8192 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
|
||||
sizeof(prime_tls_8192)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_8192;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
|
||||
sizeof(prime_ike_8192)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_8192;
|
||||
}
|
||||
break;
|
||||
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
|
||||
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
|
||||
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
|
||||
goto fail;
|
||||
}
|
||||
} else {
|
||||
+ /* ikev1 isn't validated, if we use this function in ikev1 mode,
|
||||
+ * mark the resulting key as not FIPS */
|
||||
+ if (!params->bRekey) {
|
||||
+ outKey->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
crv = prf_init(&context, inKey->attrib.pValue,
|
||||
inKey->attrib.ulValueLen);
|
||||
if (crv != CKR_OK) {
|
|
@ -0,0 +1,578 @@
|
|||
diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
|
||||
--- a/lib/freebl/config.mk
|
||||
+++ b/lib/freebl/config.mk
|
||||
@@ -85,9 +85,13 @@ EXTRA_SHARED_LIBS += \
|
||||
$(NULL)
|
||||
endif
|
||||
endif
|
||||
|
||||
ifeq ($(OS_ARCH), Darwin)
|
||||
EXTRA_SHARED_LIBS += -dylib_file @executable_path/libplc4.dylib:$(DIST)/lib/libplc4.dylib -dylib_file @executable_path/libplds4.dylib:$(DIST)/lib/libplds4.dylib
|
||||
endif
|
||||
|
||||
+ifdef NSS_FIPS_140_3
|
||||
+DEFINES += -DNSS_FIPS_140_3
|
||||
endif
|
||||
+
|
||||
+endif
|
||||
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
||||
--- a/lib/freebl/unix_urandom.c
|
||||
+++ b/lib/freebl/unix_urandom.c
|
||||
@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
|
||||
if (!numBytes) {
|
||||
/* error is set */
|
||||
return;
|
||||
}
|
||||
RNG_RandomUpdate(bytes, numBytes);
|
||||
PORT_Memset(bytes, 0, sizeof bytes);
|
||||
}
|
||||
|
||||
+#ifdef NSS_FIPS_140_3
|
||||
+#include <sys/random.h>
|
||||
+#include "prinit.h"
|
||||
+
|
||||
+static int rng_grndFlags= 0;
|
||||
+static PRCallOnceType rng_KernelFips;
|
||||
+
|
||||
+static PRStatus
|
||||
+rng_getKernelFips()
|
||||
+{
|
||||
+#ifdef LINUX
|
||||
+ FILE *f;
|
||||
+ char d;
|
||||
+ size_t size;
|
||||
+
|
||||
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (!f)
|
||||
+ return PR_FAILURE;
|
||||
+
|
||||
+ size = fread(&d, 1, 1, f);
|
||||
+ fclose(f);
|
||||
+ if (size != 1)
|
||||
+ return PR_SUCCESS;
|
||||
+ if (d != '1')
|
||||
+ return PR_SUCCESS;
|
||||
+ /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
|
||||
+ rng_grndFlags = GRND_RANDOM;
|
||||
+#endif /* LINUX */
|
||||
+ return PR_SUCCESS;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
size_t
|
||||
RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
{
|
||||
+ size_t fileBytes = 0;
|
||||
+ unsigned char *buffer = dest;
|
||||
+#ifndef NSS_FIPS_140_3
|
||||
int fd;
|
||||
int bytes;
|
||||
- size_t fileBytes = 0;
|
||||
- unsigned char *buffer = dest;
|
||||
+#else
|
||||
+ PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
|
||||
+#endif
|
||||
|
||||
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
|
||||
int result;
|
||||
-
|
||||
while (fileBytes < maxLen) {
|
||||
size_t getBytes = maxLen - fileBytes;
|
||||
if (getBytes > GETENTROPY_MAX_BYTES) {
|
||||
getBytes = GETENTROPY_MAX_BYTES;
|
||||
}
|
||||
+#ifdef NSS_FIPS_140_3
|
||||
+ /* FIP 140-3 requires full kernel reseeding for chained entropy sources
|
||||
+ * so we need to use getrandom with GRND_RANDOM.
|
||||
+ * getrandom returns -1 on failure, otherwise returns
|
||||
+ * the number of bytes, which can be less than getBytes */
|
||||
+ result = getrandom(buffer, getBytes, rng_grndFlags);
|
||||
+ if (result < 0) {
|
||||
+ break;
|
||||
+ }
|
||||
+ fileBytes += result;
|
||||
+ buffer += result;
|
||||
+#else
|
||||
+ /* get entropy returns 0 on success and always return
|
||||
+ * getBytes on success */
|
||||
result = getentropy(buffer, getBytes);
|
||||
if (result == 0) { /* success */
|
||||
fileBytes += getBytes;
|
||||
buffer += getBytes;
|
||||
} else {
|
||||
break;
|
||||
}
|
||||
+#endif
|
||||
}
|
||||
if (fileBytes == maxLen) { /* success */
|
||||
return maxLen;
|
||||
}
|
||||
+#ifdef NSS_FIPS_140_3
|
||||
+ /* in FIPS 104-3 we don't fallback, just fail */
|
||||
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
+ return 0;
|
||||
+#else
|
||||
/* If we failed with an error other than ENOSYS, it means the destination
|
||||
* buffer is not writeable. We don't need to try writing to it again. */
|
||||
if (errno != ENOSYS) {
|
||||
PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
return 0;
|
||||
}
|
||||
+#endif /*!NSS_FIPS_140_3 */
|
||||
+#endif /* platorm has getentropy */
|
||||
+#ifndef NSS_FIPS_140_3
|
||||
/* ENOSYS means the kernel doesn't support getentropy()/getrandom().
|
||||
* Reset the number of bytes to get and fall back to /dev/urandom. */
|
||||
fileBytes = 0;
|
||||
-#endif
|
||||
fd = open("/dev/urandom", O_RDONLY);
|
||||
if (fd < 0) {
|
||||
PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
return 0;
|
||||
}
|
||||
while (fileBytes < maxLen) {
|
||||
bytes = read(fd, buffer, maxLen - fileBytes);
|
||||
if (bytes <= 0) {
|
||||
@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
buffer += bytes;
|
||||
}
|
||||
(void)close(fd);
|
||||
if (fileBytes != maxLen) {
|
||||
PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
return 0;
|
||||
}
|
||||
return fileBytes;
|
||||
+#endif
|
||||
}
|
||||
diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk
|
||||
--- a/lib/softoken/config.mk
|
||||
+++ b/lib/softoken/config.mk
|
||||
@@ -58,8 +58,12 @@ endif
|
||||
ifdef NSS_ENABLE_FIPS_INDICATORS
|
||||
DEFINES += -DNSS_ENABLE_FIPS_INDICATORS
|
||||
endif
|
||||
|
||||
ifdef NSS_FIPS_MODULE_ID
|
||||
DEFINES += -DNSS_FIPS_MODULE_ID=\"${NSS_FIPS_MODULE_ID}\"
|
||||
endif
|
||||
|
||||
+ifdef NSS_FIPS_140_3
|
||||
+DEFINES += -DNSS_FIPS_140_3
|
||||
+endif
|
||||
+
|
||||
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
|
||||
--- a/lib/softoken/lowpbe.c
|
||||
+++ b/lib/softoken/lowpbe.c
|
||||
@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
|
||||
unsigned char iteration_count = 5;
|
||||
unsigned char keyLen = 64;
|
||||
char *inKeyData = TEST_KEY;
|
||||
- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
|
||||
+ static const unsigned char saltData[] = {
|
||||
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
|
||||
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
|
||||
+ };
|
||||
+
|
||||
static const unsigned char pbkdf_known_answer[] = {
|
||||
- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
|
||||
- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
|
||||
- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
|
||||
- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
|
||||
- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
|
||||
- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
|
||||
- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
|
||||
- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
|
||||
+ 0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,
|
||||
+ 0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,
|
||||
+ 0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,
|
||||
+ 0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,
|
||||
+ 0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,
|
||||
+ 0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,
|
||||
+ 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
|
||||
+ 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
|
||||
};
|
||||
|
||||
sftk_PBELockInit();
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -4609,16 +4609,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* make sure we don't have any class, key_type, or value fields */
|
||||
sftk_DeleteAttributeType(key, CKA_CLASS);
|
||||
sftk_DeleteAttributeType(key, CKA_KEY_TYPE);
|
||||
sftk_DeleteAttributeType(key, CKA_VALUE);
|
||||
|
||||
+
|
||||
/* Now Set up the parameters to generate the key (based on mechanism) */
|
||||
key_gen_type = nsc_bulk; /* bulk key by default */
|
||||
switch (pMechanism->mechanism) {
|
||||
case CKM_CDMF_KEY_GEN:
|
||||
case CKM_DES_KEY_GEN:
|
||||
case CKM_DES2_KEY_GEN:
|
||||
case CKM_DES3_KEY_GEN:
|
||||
checkWeak = PR_TRUE;
|
||||
@@ -4812,16 +4813,19 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
crv = sftk_handleObject(key, session);
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
}
|
||||
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
||||
}
|
||||
+ /* we need to do this check at the end, so we can check the generated key length against
|
||||
+ * fips requirements */
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
if (crv == CKR_OK) {
|
||||
*phKey = key->handle;
|
||||
}
|
||||
loser:
|
||||
PORT_Memset(buf, 0, sizeof buf);
|
||||
sftk_FreeObject(key);
|
||||
return crv;
|
||||
}
|
||||
@@ -5780,16 +5784,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
|
||||
if (crv != CKR_OK) {
|
||||
NSC_DestroyObject(hSession, publicKey->handle);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
sftk_FreeObject(privateKey);
|
||||
return crv;
|
||||
}
|
||||
+ /* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
+ publicKey->isFIPS = privateKey->isFIPS;
|
||||
|
||||
*phPrivateKey = privateKey->handle;
|
||||
*phPublicKey = publicKey->handle;
|
||||
sftk_FreeObject(publicKey);
|
||||
sftk_FreeObject(privateKey);
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -6990,16 +6997,17 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
}
|
||||
|
||||
/* HKDF-Extract(salt, base key value) */
|
||||
if (params->bExtract) {
|
||||
CK_BYTE *salt;
|
||||
CK_ULONG saltLen;
|
||||
HMACContext *hmac;
|
||||
unsigned int bufLen;
|
||||
+ SFTKSource saltKeySource = SFTK_SOURCE_DEFAULT;
|
||||
|
||||
switch (params->ulSaltType) {
|
||||
case CKF_HKDF_SALT_NULL:
|
||||
saltLen = hashLen;
|
||||
salt = hashbuf;
|
||||
memset(salt, 0, saltLen);
|
||||
break;
|
||||
case CKF_HKDF_SALT_DATA:
|
||||
@@ -7026,29 +7034,54 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
if (isFIPS && (key->isFIPS == 0) && (saltKey->isFIPS == 1)) {
|
||||
CK_MECHANISM mech;
|
||||
mech.mechanism = CKM_HKDF_DERIVE;
|
||||
mech.pParameter = params;
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
CKA_DERIVE, saltKey);
|
||||
}
|
||||
+ saltKeySource = saltKey->source;
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
if (saltKey_att == NULL) {
|
||||
sftk_FreeObject(saltKey);
|
||||
return CKR_KEY_HANDLE_INVALID;
|
||||
}
|
||||
/* save the resulting salt */
|
||||
salt = saltKey_att->attrib.pValue;
|
||||
saltLen = saltKey_att->attrib.ulValueLen;
|
||||
break;
|
||||
default:
|
||||
return CKR_MECHANISM_PARAM_INVALID;
|
||||
break;
|
||||
}
|
||||
+ /* only TLS style usage is FIPS approved,
|
||||
+ * turn off the FIPS indicator for other usages */
|
||||
+ if (isFIPS && key && sourceKey) {
|
||||
+ PRBool fipsOK = PR_FALSE;
|
||||
+ /* case one: mix the kea with a previous or default
|
||||
+ * salt */
|
||||
+ if ((sourceKey->source == SFTK_SOURCE_KEA) &&
|
||||
+ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
|
||||
+ (saltLen == rawHash->length)) {
|
||||
+ fipsOK = PR_TRUE;
|
||||
+ }
|
||||
+ /* case two: restart, remix the previous secret as a salt */
|
||||
+ if ((sourceKey->objclass == CKO_DATA) &&
|
||||
+ (NSS_SecureMemcmpZero(sourceKeyBytes, sourceKeyLen) == 0) &&
|
||||
+ (sourceKeyLen == rawHash->length) &&
|
||||
+ (saltKeySource == SFTK_SOURCE_HKDF_EXPAND) &&
|
||||
+ (saltLen == rawHash->length)) {
|
||||
+ fipsOK = PR_TRUE;
|
||||
+ }
|
||||
+ if (!fipsOK) {
|
||||
+ key->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ if (key) key->source = SFTK_SOURCE_HKDF_EXTRACT;
|
||||
|
||||
hmac = HMAC_Create(rawHash, salt, saltLen, isFIPS);
|
||||
if (saltKey_att) {
|
||||
sftk_FreeAttribute(saltKey_att);
|
||||
}
|
||||
if (saltKey) {
|
||||
sftk_FreeObject(saltKey);
|
||||
}
|
||||
@@ -7076,16 +7109,40 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||
* key material = T(1) | ... | T(n)
|
||||
*/
|
||||
HMACContext *hmac;
|
||||
CK_BYTE bi;
|
||||
unsigned iterations;
|
||||
|
||||
+ /* only TLS style usage is FIPS approved,
|
||||
+ * turn off the FIPS indicator for other usages */
|
||||
+ if (isFIPS && key && key->isFIPS && sourceKey) {
|
||||
+ unsigned char *info=¶ms->pInfo[3];
|
||||
+ /* only one case,
|
||||
+ * 1) Expand only
|
||||
+ * 2) with a key whose source was
|
||||
+ * SFTK_SOURCE_HKDF_EXPAND or SFTK_SOURCE_HKDF_EXTRACT
|
||||
+ * 3) source key length == rawHash->length
|
||||
+ * 4) Info has tls or dtls
|
||||
+ * If any of those conditions aren't met, then we turn
|
||||
+ * off the fips indicator */
|
||||
+ if (params->bExtract ||
|
||||
+ ((sourceKey->source != SFTK_SOURCE_HKDF_EXTRACT) &&
|
||||
+ (sourceKey->source != SFTK_SOURCE_HKDF_EXPAND)) ||
|
||||
+ (sourceKeyLen != rawHash->length) ||
|
||||
+ (params->ulInfoLen < 7) ||
|
||||
+ ((PORT_Memcmp(info,"tls",3) != 0) &&
|
||||
+ (PORT_Memcmp(info,"dtls",4) != 0))) {
|
||||
+ key->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ if (key) key->source = SFTK_SOURCE_HKDF_EXPAND;
|
||||
+
|
||||
genLen = PR_ROUNDUP(keySize, hashLen);
|
||||
iterations = genLen / hashLen;
|
||||
|
||||
if (genLen > sizeof(keyBlock)) {
|
||||
keyBlockAlloc = PORT_Alloc(genLen);
|
||||
if (keyBlockAlloc == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
@@ -8434,16 +8491,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
|
||||
/* calculate private value - oct */
|
||||
rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
|
||||
|
||||
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
|
||||
SECITEM_ZfreeItem(&dhValue, PR_FALSE);
|
||||
|
||||
if (rv == SECSuccess) {
|
||||
+ key->source = SFTK_SOURCE_KEA;
|
||||
sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
|
||||
SECITEM_ZfreeItem(&derived, PR_FALSE);
|
||||
crv = CKR_OK;
|
||||
} else
|
||||
crv = CKR_HOST_MEMORY;
|
||||
|
||||
break;
|
||||
}
|
||||
@@ -8564,16 +8622,17 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
}
|
||||
PORT_Memcpy(&keyData[keySize - secretlen], secret, secretlen);
|
||||
secret = keyData;
|
||||
} else {
|
||||
secret += (secretlen - keySize);
|
||||
}
|
||||
secretlen = keySize;
|
||||
}
|
||||
+ key->source = SFTK_SOURCE_KEA;
|
||||
|
||||
sftk_forceAttribute(key, CKA_VALUE, secret, secretlen);
|
||||
PORT_ZFree(tmp.data, tmp.len);
|
||||
if (keyData) {
|
||||
PORT_ZFree(keyData, keySize);
|
||||
}
|
||||
break;
|
||||
|
||||
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
|
||||
--- a/lib/softoken/pkcs11i.h
|
||||
+++ b/lib/softoken/pkcs11i.h
|
||||
@@ -147,16 +147,26 @@ typedef enum {
|
||||
*/
|
||||
typedef enum {
|
||||
SFTK_DestroyFailure,
|
||||
SFTK_Destroyed,
|
||||
SFTK_Busy
|
||||
} SFTKFreeStatus;
|
||||
|
||||
/*
|
||||
+ * Source of various objects
|
||||
+ */
|
||||
+typedef enum {
|
||||
+ SFTK_SOURCE_DEFAULT=0,
|
||||
+ SFTK_SOURCE_KEA,
|
||||
+ SFTK_SOURCE_HKDF_EXPAND,
|
||||
+ SFTK_SOURCE_HKDF_EXTRACT
|
||||
+} SFTKSource;
|
||||
+
|
||||
+/*
|
||||
* attribute values of an object.
|
||||
*/
|
||||
struct SFTKAttributeStr {
|
||||
SFTKAttribute *next;
|
||||
SFTKAttribute *prev;
|
||||
PRBool freeAttr;
|
||||
PRBool freeData;
|
||||
/*must be called handle to make sftkqueue_find work */
|
||||
@@ -189,16 +199,17 @@ struct SFTKObjectStr {
|
||||
CK_OBJECT_CLASS objclass;
|
||||
CK_OBJECT_HANDLE handle;
|
||||
int refCount;
|
||||
PZLock *refLock;
|
||||
SFTKSlot *slot;
|
||||
void *objectInfo;
|
||||
SFTKFree infoFree;
|
||||
PRBool isFIPS;
|
||||
+ SFTKSource source;
|
||||
};
|
||||
|
||||
struct SFTKTokenObjectStr {
|
||||
SFTKObject obj;
|
||||
SECItem dbKey;
|
||||
};
|
||||
|
||||
struct SFTKSessionObjectStr {
|
||||
diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c
|
||||
--- a/lib/softoken/pkcs11u.c
|
||||
+++ b/lib/softoken/pkcs11u.c
|
||||
@@ -1090,16 +1090,17 @@ sftk_NewObject(SFTKSlot *slot)
|
||||
sessObject->attrList[i].freeData = PR_FALSE;
|
||||
}
|
||||
sessObject->optimizeSpace = slot->optimizeSpace;
|
||||
|
||||
object->handle = 0;
|
||||
object->next = object->prev = NULL;
|
||||
object->slot = slot;
|
||||
object->isFIPS = sftk_isFIPS(slot->slotID);
|
||||
+ object->source = SFTK_SOURCE_DEFAULT;
|
||||
|
||||
object->refCount = 1;
|
||||
sessObject->sessionList.next = NULL;
|
||||
sessObject->sessionList.prev = NULL;
|
||||
sessObject->sessionList.parent = object;
|
||||
sessObject->session = NULL;
|
||||
sessObject->wasDerived = PR_FALSE;
|
||||
if (!hasLocks)
|
||||
@@ -1674,16 +1675,17 @@ fail:
|
||||
CK_RV
|
||||
sftk_CopyObject(SFTKObject *destObject, SFTKObject *srcObject)
|
||||
{
|
||||
SFTKAttribute *attribute;
|
||||
SFTKSessionObject *src_so = sftk_narrowToSessionObject(srcObject);
|
||||
unsigned int i;
|
||||
|
||||
destObject->isFIPS = srcObject->isFIPS;
|
||||
+ destObject->source = srcObject->source;
|
||||
if (src_so == NULL) {
|
||||
return sftk_CopyTokenObject(destObject, srcObject);
|
||||
}
|
||||
|
||||
PZ_Lock(src_so->attributeLock);
|
||||
for (i = 0; i < src_so->hashSize; i++) {
|
||||
attribute = src_so->head[i];
|
||||
do {
|
||||
@@ -2059,16 +2061,17 @@ sftk_NewTokenObject(SFTKSlot *slot, SECI
|
||||
/* every object must have a class, if we can't get it, the object
|
||||
* doesn't exist */
|
||||
crv = handleToClass(slot, handle, &object->objclass);
|
||||
if (crv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
object->slot = slot;
|
||||
object->isFIPS = sftk_isFIPS(slot->slotID);
|
||||
+ object->source = SFTK_SOURCE_DEFAULT;
|
||||
object->objectInfo = NULL;
|
||||
object->infoFree = NULL;
|
||||
if (!hasLocks) {
|
||||
object->refLock = PZ_NewLock(nssILockRefLock);
|
||||
}
|
||||
if (object->refLock == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
@@ -2225,16 +2228,25 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
|
||||
break;
|
||||
case CKA_DERIVE:
|
||||
flags = CKF_DERIVE;
|
||||
break;
|
||||
/* fake attribute to select digesting */
|
||||
case CKA_DIGEST:
|
||||
flags = CKF_DIGEST;
|
||||
break;
|
||||
+ /* fake attribute to select key gen */
|
||||
+ case CKA_NSS_GENERATE:
|
||||
+ flags = CKF_GENERATE;
|
||||
+ break;
|
||||
+ /* fake attribute to select key pair gen */
|
||||
+ case CKA_NSS_GENERATE_KEY_PAIR:
|
||||
+ flags = CKF_GENERATE_KEY_PAIR;
|
||||
+ break;
|
||||
+ /* fake attributes to to handle MESSAGE* flags */
|
||||
case CKA_NSS_MESSAGE | CKA_ENCRYPT:
|
||||
flags = CKF_MESSAGE_ENCRYPT;
|
||||
break;
|
||||
case CKA_NSS_MESSAGE | CKA_DECRYPT:
|
||||
flags = CKF_MESSAGE_DECRYPT;
|
||||
break;
|
||||
case CKA_NSS_MESSAGE | CKA_SIGN:
|
||||
flags = CKF_MESSAGE_SIGN;
|
||||
@@ -2278,17 +2290,17 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
}
|
||||
|
||||
/* This function currently only returns valid lengths for
|
||||
* FIPS approved ECC curves. If we want to make this generic
|
||||
* in the future, that Curve determination can be done in
|
||||
* the sftk_handleSpecial. Since it's currently only used
|
||||
* in FIPS indicators, it's currently only compiled with
|
||||
* the FIPS indicator code */
|
||||
-static int
|
||||
+static CK_ULONG
|
||||
sftk_getKeyLength(SFTKObject *source)
|
||||
{
|
||||
CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
|
||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||
CK_ULONG keyLength = 0;
|
||||
SFTKAttribute *attribute;
|
||||
CK_RV crv;
|
||||
|
||||
diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
|
||||
--- a/lib/util/pkcs11n.h
|
||||
+++ b/lib/util/pkcs11n.h
|
||||
@@ -58,16 +58,18 @@
|
||||
/*
|
||||
* NSS-defined certificate types
|
||||
*
|
||||
*/
|
||||
#define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
|
||||
|
||||
/* FAKE PKCS #11 defines */
|
||||
#define CKA_DIGEST 0x81000000L
|
||||
+#define CKA_NSS_GENERATE 0x81000001L
|
||||
+#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L
|
||||
#define CKA_NSS_MESSAGE 0x82000000L
|
||||
#define CKA_NSS_MESSAGE_MASK 0xff000000L
|
||||
#define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
|
||||
|
||||
/*
|
||||
* NSS-defined object attributes
|
||||
*
|
||||
*/
|
|
@ -0,0 +1,25 @@
|
|||
diff -up ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults ./cmd/pk12util/pk12util.c
|
||||
--- ./cmd/pk12util/pk12util.c.pkcs12_fips_defaults 2022-07-20 13:40:24.152212683 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2022-07-20 13:42:40.031094190 -0700
|
||||
@@ -1146,6 +1146,11 @@ main(int argc, char **argv)
|
||||
goto done;
|
||||
}
|
||||
|
||||
+ if (PK11_IsFIPS()) {
|
||||
+ cipher = SEC_OID_AES_256_CBC;
|
||||
+ certCipher = SEC_OID_AES_128_CBC;
|
||||
+ }
|
||||
+
|
||||
if (pk12util.options[opt_Cipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_Cipher].arg;
|
||||
|
||||
@@ -1160,9 +1165,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
|
||||
- if (PK11_IsFIPS()) {
|
||||
- certCipher = SEC_OID_UNKNOWN;
|
||||
- }
|
||||
if (pk12util.options[opt_CertCipher].activated) {
|
||||
char *cipherString = pk12util.options[opt_CertCipher].arg;
|
||||
|
|
@ -0,0 +1,335 @@
|
|||
diff -up ./lib/ckfw/builtins/certdata.txt.revert-distrusted ./lib/ckfw/builtins/certdata.txt
|
||||
--- ./lib/ckfw/builtins/certdata.txt.revert-distrusted 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/ckfw/builtins/certdata.txt 2022-06-24 10:51:32.035207662 -0700
|
||||
@@ -7668,6 +7668,187 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
#
|
||||
+# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+#
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
|
||||
+CKA_SUBJECT MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_ID UTF8 "0"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_VALUE MULTILINE_OCTAL
|
||||
+\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017
|
||||
+\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013
|
||||
+\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116
|
||||
+\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151
|
||||
+\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003
|
||||
+\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120
|
||||
+\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162
|
||||
+\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036
|
||||
+\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027
|
||||
+\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132
|
||||
+\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060
|
||||
+\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141
|
||||
+\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014
|
||||
+\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166
|
||||
+\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151
|
||||
+\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015
|
||||
+\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002
|
||||
+\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047
|
||||
+\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275
|
||||
+\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366
|
||||
+\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045
|
||||
+\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004
|
||||
+\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202
|
||||
+\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072
|
||||
+\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253
|
||||
+\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154
|
||||
+\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365
|
||||
+\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257
|
||||
+\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324
|
||||
+\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063
|
||||
+\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304
|
||||
+\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241
|
||||
+\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000
|
||||
+\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052
|
||||
+\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163
|
||||
+\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205
|
||||
+\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055
|
||||
+\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231
|
||||
+\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201
|
||||
+\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216
|
||||
+\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351
|
||||
+\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124
|
||||
+\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267
|
||||
+\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247
|
||||
+\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200
|
||||
+\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325
|
||||
+\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220
|
||||
+\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017
|
||||
+\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256
|
||||
+\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001
|
||||
+\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004
|
||||
+\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006
|
||||
+\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072
|
||||
+\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056
|
||||
+\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145
|
||||
+\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003
|
||||
+\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
|
||||
+\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200
|
||||
+\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216
|
||||
+\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006
|
||||
+\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004
|
||||
+\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004
|
||||
+\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144
|
||||
+\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101
|
||||
+\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125
|
||||
+\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164
|
||||
+\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162
|
||||
+\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156
|
||||
+\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055
|
||||
+\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004
|
||||
+\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356
|
||||
+\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001
|
||||
+\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055
|
||||
+\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234
|
||||
+\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064
|
||||
+\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066
|
||||
+\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243
|
||||
+\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364
|
||||
+\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116
|
||||
+\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164
|
||||
+\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174
|
||||
+\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103
|
||||
+\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134
|
||||
+\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323
|
||||
+\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057
|
||||
+\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347
|
||||
+\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224
|
||||
+\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015
|
||||
+\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026
|
||||
+\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053
|
||||
+\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166
|
||||
+\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135
|
||||
+\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244
|
||||
+\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025
|
||||
+\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222
|
||||
+\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235
|
||||
+\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245
|
||||
+\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327
|
||||
+\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053
|
||||
+\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377
|
||||
+\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321
|
||||
+\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374
|
||||
+\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035
|
||||
+\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305
|
||||
+\244\363\116\272\067\230\173\202\271
|
||||
+END
|
||||
+
|
||||
+# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Serial Number: 268435455 (0xfffffff)
|
||||
+# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
|
||||
+# Not Valid Before: Wed May 12 08:51:39 2010
|
||||
+# Not Valid After : Mon Mar 23 09:50:05 2020
|
||||
+# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C
|
||||
+# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2"
|
||||
+CKA_CERT_SHA1_HASH MULTILINE_OCTAL
|
||||
+\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306
|
||||
+\222\341\102\102
|
||||
+END
|
||||
+CKA_CERT_MD5_HASH MULTILINE_OCTAL
|
||||
+\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034
|
||||
+END
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061
|
||||
+\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157
|
||||
+\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004
|
||||
+\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111
|
||||
+\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141
|
||||
+\156\151\163\141\164\151\145\040\055\040\107\062
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\017\377\377\377
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+#
|
||||
# Certificate "Security Communication RootCA2"
|
||||
#
|
||||
# Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP
|
||||
@@ -8161,6 +8342,68 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000005 (0x6b49d205)
|
||||
+# Not Before: Apr 7 15:37:15 2011 GMT
|
||||
+# Not After : Apr 4 15:37:15 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\005
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929
|
||||
+# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US
|
||||
+# Serial Number: 1800000006 (0x6b49d206)
|
||||
+# Not Before: Apr 18 21:09:30 2011 GMT
|
||||
+# Not After : Apr 15 21:09:30 2021 GMT
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123
|
||||
+\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156
|
||||
+\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150
|
||||
+\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030
|
||||
+\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156
|
||||
+\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004
|
||||
+\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147
|
||||
+\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156
|
||||
+\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060
|
||||
+\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141
|
||||
+\100\164\162\165\163\164\167\141\166\145\056\143\157\155
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\004\153\111\322\006
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "Actalis Authentication Root CA"
|
||||
#
|
||||
@@ -8804,6 +9047,74 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_
|
||||
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
|
||||
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2087 (0x827)
|
||||
+# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Tue Jul 06 07:07:51 2021
|
||||
+# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E
|
||||
+# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\047
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
+# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022
|
||||
+# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri
|
||||
+# Serial Number: 2148 (0x864)
|
||||
+# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR
|
||||
+# Not Valid Before: Mon Aug 08 07:07:51 2011
|
||||
+# Not Valid After : Thu Aug 05 07:07:51 2021
|
||||
+# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2
|
||||
+# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB
|
||||
+CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
|
||||
+CKA_TOKEN CK_BBOOL CK_TRUE
|
||||
+CKA_PRIVATE CK_BBOOL CK_FALSE
|
||||
+CKA_MODIFIABLE CK_BBOOL CK_FALSE
|
||||
+CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2"
|
||||
+CKA_ISSUER MULTILINE_OCTAL
|
||||
+\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303
|
||||
+\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157
|
||||
+\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151
|
||||
+\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145
|
||||
+\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061
|
||||
+\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124
|
||||
+\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164
|
||||
+\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151
|
||||
+\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151
|
||||
+\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050
|
||||
+\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065
|
||||
+END
|
||||
+CKA_SERIAL_NUMBER MULTILINE_OCTAL
|
||||
+\002\002\010\144
|
||||
+END
|
||||
+CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
|
||||
+CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
|
||||
+
|
||||
#
|
||||
# Certificate "D-TRUST Root Class 3 CA 2 2009"
|
||||
#
|
|
@ -0,0 +1,57 @@
|
|||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
||||
index 74e8e65..8995752 100644
|
||||
--- a/lib/freebl/Makefile
|
||||
+++ b/lib/freebl/Makefile
|
||||
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
else ifeq (1,$(CC_IS_GCC))
|
||||
- SUPPORTS_VALE_CURVE25519 = 1
|
||||
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
||||
index 65f9a80..23940ef 100644
|
||||
--- a/lib/freebl/freebl.gyp
|
||||
+++ b/lib/freebl/freebl.gyp
|
||||
@@ -866,12 +866,6 @@
|
||||
}],
|
||||
],
|
||||
}],
|
||||
- [ 'supports_vale_curve25519==1', {
|
||||
- 'defines': [
|
||||
- # The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
- 'HACL_CAN_COMPILE_INLINE_ASM',
|
||||
- ],
|
||||
- }],
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
@@ -934,11 +928,6 @@
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'conditions': [
|
||||
- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
||||
- 'supports_vale_curve25519%': 1,
|
||||
- }, {
|
||||
- 'supports_vale_curve25519%': 0,
|
||||
- }],
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'have_int128_support%': 1,
|
||||
}, {
|
||||
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
|
||||
index d198c44..34b6b3c 100644
|
||||
--- a/lib/freebl/freebl_base.gypi
|
||||
+++ b/lib/freebl/freebl_base.gypi
|
||||
@@ -151,11 +151,6 @@
|
||||
'ecl/curve25519_32.c',
|
||||
],
|
||||
}],
|
||||
- ['supports_vale_curve25519==1', {
|
||||
- 'sources': [
|
||||
- 'verified/Hacl_Curve25519_64.c',
|
||||
- ],
|
||||
- }],
|
||||
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
||||
'sources': [
|
||||
# Gyp does not support per-file cflags, so working around like this.
|
|
@ -0,0 +1,104 @@
|
|||
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
|
||||
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
|
||||
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
+ /* not really a key exchange, but it's the closest fit */
|
||||
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
|
||||
};
|
||||
|
||||
static const oidValDef signOptList[] = {
|
||||
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
|
||||
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
|
||||
@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
|
||||
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
|
||||
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
|
||||
|
||||
+/* this oid value could change values if it's added after other new
|
||||
+ * upstream oids. We protect applications by hiding the define in a private
|
||||
+ * header file that only NSS sees. Currently it's only available through
|
||||
+ * the policy code */
|
||||
+#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
|
||||
+
|
||||
#endif /* _SECMODTI_H_ */
|
||||
diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
|
||||
--- ./lib/ssl/ssl3con.c.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/ssl/ssl3con.c 2023-06-12 17:18:35.130938525 -0700
|
||||
@@ -36,6 +36,7 @@
|
||||
#include "pk11func.h"
|
||||
#include "secmod.h"
|
||||
#include "blapi.h"
|
||||
+#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
|
||||
CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
|
||||
unsigned int master_params_len;
|
||||
|
||||
+ /* if we are using TLS and we aren't using the extended master secret,
|
||||
+ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
|
||||
+ * send and alert (eventually). In the RSA Server case, the alert
|
||||
+ * won't happen until Finish time because the upper level code
|
||||
+ * can't tell a difference between this failure and an RSA decrypt
|
||||
+ * failure, so it will proceed with a faux key */
|
||||
+ if (isTLS) {
|
||||
+ PRUint32 policy;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ /* first fetch the policy for this algorithm */
|
||||
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
|
||||
+ /* we only look at the policy if we can fetch it. */
|
||||
+ if (rv == SECSuccess) {
|
||||
+ if (policy & NSS_USE_ALG_IN_SSL_KX) {
|
||||
+ /* just set the error, we don't want to map any errors
|
||||
+ * set by NSS_GetAlgorithmPolicy here */
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (isTLS12) {
|
||||
if (isDH)
|
||||
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
|
||||
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
|
||||
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
|
||||
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
|
||||
"IPsec User",
|
||||
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
+
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* we need it for the policy code. */
|
||||
+ ODE(SEC_OID_PRIVATE_1,
|
||||
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
};
|
||||
|
||||
/* PRIVATE EXTENDED SECOID Table
|
||||
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
|
||||
|
||||
/* turn off NSS_USE_POLICY_IN_SSL by default */
|
||||
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
|
||||
+ /* turn off TLS REQUIRE EMS by default */
|
||||
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
|
||||
|
||||
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
|
||||
if (envVal)
|
||||
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
|
||||
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
|
||||
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
|
||||
@@ -501,6 +501,9 @@ typedef enum {
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* give it an obscure name here */
|
||||
+ SEC_OID_PRIVATE_1 = 372,
|
||||
|
||||
SEC_OID_TOTAL
|
||||
} SECOidTag;
|
|
@ -0,0 +1,42 @@
|
|||
diff --git a/lib/softoken/sftkmessage.c b/lib/softoken/sftkmessage.c
|
||||
--- a/lib/softoken/sftkmessage.c
|
||||
+++ b/lib/softoken/sftkmessage.c
|
||||
@@ -146,16 +146,38 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
|
||||
|
||||
CHECK_FORK();
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
+ if (context->isFIPS && (contextType == SFTK_MESSAGE_ENCRYPT)) {
|
||||
+ if ((pParameter == NULL) || (ulParameterLen != sizeof(CK_GCM_MESSAGE_PARAMS))) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ } else {
|
||||
+ CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
|
||||
+ switch (p->ivGenerator) {
|
||||
+ case CKG_NO_GENERATE:
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ break;
|
||||
+ case CKG_GENERATE_RANDOM:
|
||||
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!pOuttext) {
|
||||
*pulOuttextLen = ulIntextLen;
|
||||
return CKR_OK;
|
||||
}
|
||||
rv = (*context->aeadUpdate)(context->cipherInfo, pOuttext, &outlen,
|
||||
maxout, pIntext, ulIntextLen,
|
||||
pParameter, ulParameterLen,
|
||||
pAssociatedData, ulAssociatedDataLen);
|
|
@ -0,0 +1,90 @@
|
|||
diff -up ./lib/freebl/fipsfreebl.c.dh_test ./lib/freebl/fipsfreebl.c
|
||||
--- ./lib/freebl/fipsfreebl.c.dh_test 2024-01-18 08:34:45.936944401 -0800
|
||||
+++ ./lib/freebl/fipsfreebl.c 2024-01-18 09:20:57.555980326 -0800
|
||||
@@ -1816,38 +1816,39 @@ freebl_fips_DH_PowerUpSelfTest(void)
|
||||
{
|
||||
/* DH Known P (2048-bits) */
|
||||
static const PRUint8 dh_known_P[] = {
|
||||
- 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd,
|
||||
- 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef,
|
||||
- 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b,
|
||||
- 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e,
|
||||
- 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03,
|
||||
- 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc,
|
||||
- 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85,
|
||||
- 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01,
|
||||
- 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c,
|
||||
- 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03,
|
||||
- 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0,
|
||||
- 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5,
|
||||
- 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f,
|
||||
- 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9,
|
||||
- 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57,
|
||||
- 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70,
|
||||
- 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c,
|
||||
- 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d,
|
||||
- 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e,
|
||||
- 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc,
|
||||
- 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62,
|
||||
- 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12,
|
||||
- 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e,
|
||||
- 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b,
|
||||
- 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b,
|
||||
- 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55,
|
||||
- 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b,
|
||||
- 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97,
|
||||
- 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34,
|
||||
- 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c,
|
||||
- 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60,
|
||||
- 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f
|
||||
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
|
||||
+ 0xAD, 0xF8, 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A,
|
||||
+ 0xAF, 0xDC, 0x56, 0x20, 0x27, 0x3D, 0x3C, 0xF1,
|
||||
+ 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, 0x36, 0x95,
|
||||
+ 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB,
|
||||
+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9,
|
||||
+ 0x7D, 0x2F, 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8,
|
||||
+ 0xF6, 0x81, 0xB2, 0x02, 0xAE, 0xC4, 0x61, 0x7A,
|
||||
+ 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, 0x65, 0x61,
|
||||
+ 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0,
|
||||
+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3,
|
||||
+ 0xB5, 0x57, 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35,
|
||||
+ 0x98, 0x4F, 0x0C, 0x70, 0xE0, 0xE6, 0x8B, 0x77,
|
||||
+ 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, 0xE8, 0x72,
|
||||
+ 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35,
|
||||
+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A,
|
||||
+ 0xBC, 0x0A, 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61,
|
||||
+ 0xD1, 0x08, 0xA9, 0x4B, 0xB2, 0xC8, 0xE3, 0xFB,
|
||||
+ 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, 0xF4, 0x68,
|
||||
+ 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4,
|
||||
+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19,
|
||||
+ 0x0B, 0x07, 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70,
|
||||
+ 0x9E, 0x02, 0xFC, 0xE1, 0xCD, 0xF7, 0xE2, 0xEC,
|
||||
+ 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, 0x2F, 0x61,
|
||||
+ 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 0xFF,
|
||||
+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83,
|
||||
+ 0xC3, 0xFE, 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73,
|
||||
+ 0x3B, 0xB5, 0xFC, 0xBC, 0x2E, 0xC2, 0x20, 0x05,
|
||||
+ 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, 0x83, 0xB2,
|
||||
+ 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA,
|
||||
+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97,
|
||||
+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
|
||||
+
|
||||
};
|
||||
|
||||
static const PRUint8 dh_known_Y_1[] = {
|
||||
@@ -1893,10 +1894,10 @@ freebl_fips_DH_PowerUpSelfTest(void)
|
||||
};
|
||||
|
||||
static const PRUint8 dh_known_hash_result[] = {
|
||||
- 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf,
|
||||
- 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81,
|
||||
- 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f,
|
||||
- 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10
|
||||
+ 0x40, 0xe3, 0x7a, 0x34, 0x83, 0x2d, 0x94, 0x57,
|
||||
+ 0x99, 0x3d, 0x66, 0xec, 0x54, 0xdf, 0x82, 0x4a,
|
||||
+ 0x37, 0x0d, 0xf9, 0x01, 0xb3, 0xbc, 0x54, 0xe5,
|
||||
+ 0x5e, 0x63, 0xd3, 0x46, 0x4e, 0xa3, 0xe2, 0x8a
|
||||
};
|
||||
|
||||
/* DH variables. */
|
|
@ -0,0 +1,96 @@
|
|||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
||||
}
|
||||
PORT_Free(cursor);
|
||||
}
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.enableTls13GreaseEch = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss || size == 0) {
|
||||
return SECFailure;
|
||||
}
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
ss->ssl3.hs.greaseEchSize = size;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.enableTls13BackendEch = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.callExtensionWriterOnEchInner = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
|
@ -0,0 +1,194 @@
|
|||
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
|
||||
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -10,6 +10,32 @@
|
||||
#include "pk11pub.h"
|
||||
#include <stdio.h>
|
||||
|
||||
+typedef struct KeyLengthEntryStr {
|
||||
+ SECOidTag tag;
|
||||
+ unsigned int len;
|
||||
+ PRBool encoded;
|
||||
+} KeyLengthEntry;
|
||||
+
|
||||
+const KeyLengthEntry keyLengthTable[] = {
|
||||
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
|
||||
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
|
||||
+};
|
||||
+
|
||||
+const KeyLengthEntry *
|
||||
+getKeyLengthEntry(SECOidTag tag)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
|
||||
+ if (keyLengthTable[i].tag == tag) {
|
||||
+ return &keyLengthTable[i];
|
||||
+ }
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
void
|
||||
printBuf(const SECItem *item)
|
||||
{
|
||||
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
PK11SymKey *symKey = NULL;
|
||||
SECStatus rv = SECFailure;
|
||||
+ const KeyLengthEntry *keyLengthEntry;
|
||||
+ SECItem point = { siBuffer, NULL, 0 };
|
||||
+ SECItem value = { siBuffer, NULL, 0 };
|
||||
+ PLArenaPool *arena = NULL;
|
||||
|
||||
oidData = SECOID_FindOIDByTag(oid);
|
||||
if (oidData == NULL) {
|
||||
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
goto cleanup;
|
||||
}
|
||||
PrintKey(symKey);
|
||||
- rv = SECSuccess;
|
||||
|
||||
+ keyLengthEntry = getKeyLengthEntry(oid);
|
||||
+ /* this shouldn't happen unless new curves are added without adding them
|
||||
+ * to the keyLengthTable */
|
||||
+ PR_ASSERT(keyLengthEntry);
|
||||
+
|
||||
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
|
||||
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
|
||||
+ * our test will detect incorrect behavior */
|
||||
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
|
||||
+ if (rv == SECFailure) {
|
||||
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (keyLengthEntry->encoded) {
|
||||
+ if (point.len == keyLengthEntry->len) {
|
||||
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
+ if (arena == NULL) {
|
||||
+ printf(" >>> arena alloc failed.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
+ &point);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (value.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ value.len, keyLengthEntry->len);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
|
||||
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (point.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ point.len, keyLengthEntry->len);
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ rv = SECSuccess;
|
||||
cleanup:
|
||||
if (privKey) {
|
||||
SECKEY_DestroyPrivateKey(privKey);
|
||||
@@ -91,7 +176,11 @@ cleanup:
|
||||
if (symKey) {
|
||||
PK11_FreeSymKey(symKey);
|
||||
}
|
||||
+ if (arena) {
|
||||
+ PORT_FreeArena(arena, PR_TRUE);
|
||||
+ }
|
||||
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
|
||||
+ SECITEM_FreeItem(&point, PR_FALSE);
|
||||
|
||||
return rv;
|
||||
}
|
||||
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
|
||||
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
|
||||
*/
|
||||
|
||||
typedef enum { ec_params_explicit,
|
||||
- ec_params_named
|
||||
+ ec_params_named,
|
||||
+ ec_params_edwards_named,
|
||||
+ ec_params_montgomery_named,
|
||||
} ECParamsType;
|
||||
|
||||
typedef enum { ec_field_GFp = 1,
|
||||
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
|
||||
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
|
||||
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
|
||||
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
|
||||
|
||||
case SEC_OID_CURVE25519:
|
||||
/* Populate params for Curve25519 */
|
||||
+ params->type = ec_params_montgomery_named;
|
||||
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
|
||||
ec_field_plain,
|
||||
params));
|
||||
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
|
||||
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
/* make sure it has the same encoding */
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
||||
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
} else {
|
||||
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- ecParams->fieldID.type == ec_field_plain) {
|
||||
+ ecParams->type != ec_params_named) {
|
||||
PORT_FreeArena(ecParams->arena, PR_TRUE);
|
||||
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
|
||||
sftk_item_expand(&ecPriv->publicValue));
|
||||
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
|
||||
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
|
||||
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
/* Handle the non-DER encoded case.
|
||||
* Some curves are always pressumed to be non-DER.
|
||||
*/
|
||||
- if (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
|
||||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
|
||||
+ (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
break; /* key was not DER encoded, no need to unwrap */
|
||||
}
|
||||
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
break;
|
||||
}
|
||||
/* we don't handle compressed points except in the case of ECCurve25519 */
|
||||
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
|
||||
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
break;
|
||||
}
|
|
@ -0,0 +1,335 @@
|
|||
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
|
||||
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
|
||||
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
|
||||
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
|
||||
|
||||
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
|
||||
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
|
||||
+const uint8_t kP521SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
||||
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
|
||||
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
|
||||
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
|
||||
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
|
||||
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
|
||||
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
|
||||
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
|
||||
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
|
||||
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
|
||||
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
|
||||
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
|
||||
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
|
||||
+ 0xe2, 0x9f};
|
||||
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
|
||||
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
|
||||
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
|
||||
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
|
||||
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
|
||||
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
|
||||
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
|
||||
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
|
||||
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
|
||||
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
|
||||
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
|
||||
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
|
||||
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
|
||||
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
|
||||
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
|
||||
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
|
||||
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
|
||||
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
|
||||
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
|
||||
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
|
||||
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
|
||||
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
|
||||
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
|
||||
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
|
||||
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
|
||||
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
|
||||
+const uint8_t kP384SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
|
||||
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
|
||||
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
|
||||
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
|
||||
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
|
||||
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
|
||||
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
|
||||
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
|
||||
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
|
||||
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
|
||||
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
|
||||
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
|
||||
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
|
||||
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
|
||||
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
|
||||
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
|
||||
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
|
||||
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
|
||||
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
|
||||
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
|
||||
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
|
||||
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
|
||||
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
|
||||
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
|
||||
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
|
||||
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
|
||||
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
|
||||
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
|
||||
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
|
||||
+const uint8_t kP256SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
||||
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
|
||||
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
|
||||
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
|
||||
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
|
||||
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
|
||||
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
|
||||
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
|
||||
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
|
||||
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
|
||||
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
|
||||
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
|
||||
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
|
||||
+ 0xcf, 0x61, 0x91, 0x5f};
|
||||
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
|
||||
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
|
||||
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
|
||||
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
|
||||
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
|
||||
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
|
||||
+ 0x78, 0xc4};
|
||||
} // namespace nss_test
|
||||
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
|
||||
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
|
||||
SEC_OID_SECG_EC_SECP521R1,
|
||||
SEC_OID_CURVE25519));
|
||||
|
||||
+class Pkcs11EcdsaUnpaddedSignatureTest
|
||||
+ : public Pkcs11EcdsaTestBase,
|
||||
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
|
||||
+ public:
|
||||
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
|
||||
+};
|
||||
+
|
||||
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
|
||||
+};
|
||||
+
|
||||
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
|
||||
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
|
||||
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
|
||||
} // namespace nss_test
|
||||
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
|
||||
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[64] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 65 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 64) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 65) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 64) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 32 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 32;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 32;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
uint8_t hash[32] = { 0 };
|
||||
if (digest->len < 32) {
|
||||
memcpy(hash + 32 - digest->len, digest->data, digest->len);
|
||||
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P256_ecdsa_verif_without_hash(
|
||||
32, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 32);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
|
||||
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[96] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 97 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 96) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 97) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 96) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 48 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 48;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 48;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[48] = { 0 };
|
||||
if (digest->len < 48) {
|
||||
memcpy(hash + 48 - digest->len, digest->data, digest->len);
|
||||
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P384_ecdsa_verif_without_hash(
|
||||
48, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 48);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
|
||||
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[132] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 133 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 132) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 133) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 132) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 66 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 66;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 66;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[66] = { 0 };
|
||||
if (digest->len < 66) {
|
||||
memcpy(hash + 66 - digest->len, digest->data, digest->len);
|
||||
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P521_ecdsa_verif_without_hash(
|
||||
66, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 66);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
|
@ -0,0 +1,12 @@
|
|||
diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
|
||||
--- ./tests/dbtests/dbtests.sh.extend 2023-11-15 13:17:50.651020458 -0800
|
||||
+++ ./tests/dbtests/dbtests.sh 2023-11-15 13:18:57.091608850 -0800
|
||||
@@ -366,7 +366,7 @@ dbtest_main()
|
||||
RARRAY=($dtime)
|
||||
TIMEARRAY=(${RARRAY[1]//./ })
|
||||
echo "${TIMEARRAY[0]} seconds"
|
||||
- test ${TIMEARRAY[0]} -lt 2
|
||||
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
|
||||
ret=$?
|
||||
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
|
||||
fi
|
|
@ -0,0 +1,190 @@
|
|||
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
|
||||
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
context->blockSize = 0;
|
||||
context->maxLen = 0;
|
||||
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
||||
- operation, key);
|
||||
+ operation, key, 0);
|
||||
*contextPtr = context;
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
crv = sftk_handleObject(key, session);
|
||||
/* we need to do this check at the end, so we can check the generated
|
||||
* key length against fips requirements */
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
|
||||
session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
return crv;
|
||||
}
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
- privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey, 0);
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
session->lastOpWasFIPS = privateKey->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
}
|
||||
|
||||
+ if (!params->bExpand) {
|
||||
+ keySize = hashLen;
|
||||
+ }
|
||||
+
|
||||
/* sourceKey is NULL if we are called from the POST, skip the
|
||||
* sensitiveCheck */
|
||||
if (sourceKey != NULL) {
|
||||
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
mech.pParameter = params;
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
- CKA_DERIVE, saltKey);
|
||||
+ CKA_DERIVE, saltKey,
|
||||
+ keySize);
|
||||
}
|
||||
saltKeySource = saltKey->source;
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
/* HKDF-Expand */
|
||||
if (!params->bExpand) {
|
||||
okm = prk;
|
||||
- keySize = genLen = hashLen;
|
||||
+ genLen = hashLen;
|
||||
} else {
|
||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
return CKR_KEY_HANDLE_INVALID;
|
||||
}
|
||||
}
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey);
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
|
||||
+ keySize);
|
||||
|
||||
switch (mechanism) {
|
||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
|
||||
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
|
||||
/* check the FIPS table to determine if this current operation is allowed by
|
||||
* FIPS security policy */
|
||||
PRBool sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech,
|
||||
- CK_ATTRIBUTE_TYPE op, SFTKObject *source);
|
||||
+ CK_ATTRIBUTE_TYPE op, SFTKObject *source,
|
||||
+ CK_ULONG targetKeySize);
|
||||
/* add validation objects to the slot */
|
||||
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
|
||||
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
|
||||
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
static CK_ULONG
|
||||
sftk_getKeyLength(SFTKObject *source)
|
||||
{
|
||||
- CK_KEY_TYPE keyType = CK_INVALID_HANDLE;
|
||||
+ CK_KEY_TYPE keyType = CKK_INVALID_KEY_TYPE;
|
||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||
CK_ULONG keyLength = 0;
|
||||
SFTKAttribute *attribute;
|
||||
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
return keyLength;
|
||||
}
|
||||
|
||||
+PRBool
|
||||
+sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
|
||||
+{
|
||||
+ switch (hash) {
|
||||
+ case CKM_SHA256:
|
||||
+ case CKG_MGF1_SHA256:
|
||||
+ case CKM_SHA384:
|
||||
+ case CKG_MGF1_SHA384:
|
||||
+ case CKM_SHA512:
|
||||
+ case CKG_MGF1_SHA512:
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ return PR_FALSE;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* handle specialized FIPS semantics that are too complicated to
|
||||
* handle with just a table. NOTE: this means any additional semantics
|
||||
* would have to be coded here before they can be added to the table */
|
||||
static PRBool
|
||||
sftk_handleSpecial(SFTKSlot *slot, CK_MECHANISM *mech,
|
||||
- SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source)
|
||||
+ SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
|
||||
+ CK_ULONG keyLength, CK_ULONG targetKeyLength)
|
||||
{
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
if (hashObj == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
+ /* cap the salt for legacy keys */
|
||||
+ if ((keyLength <= 1024) && (pss->sLen > 63)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ /* cap the salt for based on the hash */
|
||||
if (pss->sLen > hashObj->length) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- return PR_TRUE;
|
||||
+ return sftk_CheckFIPSHash(pss->hashAlg);
|
||||
}
|
||||
case SFTKFIPSPBKDF2: {
|
||||
/* PBKDF2 must have the following addition restrictions
|
||||
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
+ /* check the hash mechanisms to make sure they themselves are FIPS */
|
||||
+ case SFTKFIPSChkHash:
|
||||
+ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
|
||||
+ + mechInfo->offset));
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
|
||||
PRBool
|
||||
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
||||
- SFTKObject *source)
|
||||
+ SFTKObject *source, CK_ULONG targetKeyLength)
|
||||
{
|
||||
#ifndef NSS_HAS_FIPS_INDICATORS
|
||||
return PR_FALSE;
|
||||
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
||||
/* if we match the number of records exactly, then we are an
|
||||
* approved algorithm in the approved mode with an approved key */
|
||||
- if (((mech->mechanism == mechs->type) &&
|
||||
- (opFlags == (mechs->info.flags & opFlags)) &&
|
||||
- (keyLength <= mechs->info.ulMaxKeySize) &&
|
||||
- (keyLength >= mechs->info.ulMinKeySize) &&
|
||||
- ((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
|
||||
+ if ((mech->mechanism == mechs->type) &&
|
||||
+ (opFlags == (mechs->info.flags & opFlags)) &&
|
||||
+ (keyLength <= mechs->info.ulMaxKeySize) &&
|
||||
+ (keyLength >= mechs->info.ulMinKeySize) &&
|
||||
+ (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
|
||||
+ ((targetKeyLength == 0) ||
|
||||
+ ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
|
||||
+ (targetKeyLength >= mechs->info.ulMinKeySize) &&
|
||||
+ ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
|
||||
((mechs->special == SFTKFIPSNone) ||
|
||||
- sftk_handleSpecial(slot, mech, mechs, source))) {
|
||||
+ sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
|
||||
return PR_TRUE;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,176 @@
|
|||
diff -up ./lib/softoken/pkcs11c.c.fips_2 ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips_2 2024-01-19 09:21:19.632889660 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-01-19 09:22:18.541471306 -0800
|
||||
@@ -7090,7 +7090,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
CKA_DERIVE, saltKey,
|
||||
- keySize);
|
||||
+ keySize*PR_BITS_PER_BYTE);
|
||||
}
|
||||
saltKeySource = saltKey->source;
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
@@ -7404,7 +7404,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
}
|
||||
}
|
||||
key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_DERIVE, sourceKey,
|
||||
- keySize);
|
||||
+ keySize*PR_BITS_PER_BYTE);
|
||||
|
||||
switch (mechanism) {
|
||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips_2 ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips_2 2024-01-19 09:21:19.633889670 -0800
|
||||
+++ ./lib/softoken/pkcs11u.c 2024-01-19 09:28:00.082843565 -0800
|
||||
@@ -2393,20 +2393,43 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
}
|
||||
|
||||
PRBool
|
||||
-sftk_CheckFIPSHash(CK_MECHANISM_TYPE hash)
|
||||
+sftk_checkFIPSHash(CK_MECHANISM_TYPE hash, PRBool allowSmall, PRBool allowCMAC)
|
||||
{
|
||||
switch (hash) {
|
||||
+ case CKM_AES_CMAC:
|
||||
+ return allowCMAC;
|
||||
+ case CKM_SHA_1:
|
||||
+ case CKM_SHA_1_HMAC:
|
||||
+ case CKM_SHA224:
|
||||
+ case CKM_SHA224_HMAC:
|
||||
+ return allowSmall;
|
||||
case CKM_SHA256:
|
||||
- case CKG_MGF1_SHA256:
|
||||
+ case CKM_SHA256_HMAC:
|
||||
case CKM_SHA384:
|
||||
- case CKG_MGF1_SHA384:
|
||||
+ case CKM_SHA384_HMAC:
|
||||
case CKM_SHA512:
|
||||
- case CKG_MGF1_SHA512:
|
||||
+ case CKM_SHA512_HMAC:
|
||||
return PR_TRUE;
|
||||
}
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
+PRBool
|
||||
+sftk_checkKeyLength(CK_ULONG keyLength, CK_ULONG min,
|
||||
+ CK_ULONG max, CK_ULONG step)
|
||||
+{
|
||||
+ if (keyLength > max) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (keyLength < min ) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (((keyLength - min) % step) != 0) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return PR_TRUE;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* handle specialized FIPS semantics that are too complicated to
|
||||
* handle with just a table. NOTE: this means any additional semantics
|
||||
@@ -2416,6 +2439,8 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
SFTKFIPSAlgorithmList *mechInfo, SFTKObject *source,
|
||||
CK_ULONG keyLength, CK_ULONG targetKeyLength)
|
||||
{
|
||||
+ PRBool allowSmall = PR_FALSE;
|
||||
+ PRBool allowCMAC = PR_FALSE;
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
SECItem dhPrime;
|
||||
@@ -2482,7 +2507,11 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
if (pss->sLen > hashObj->length) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- return sftk_CheckFIPSHash(pss->hashAlg);
|
||||
+ /* Our code makes sure pss->hashAlg matches the explicit
|
||||
+ * hash in the mechanism, and only mechanisms with approved
|
||||
+ * hashes are included, so no need to check pss->hashAlg
|
||||
+ * here */
|
||||
+ return PR_TRUE;
|
||||
}
|
||||
case SFTKFIPSPBKDF2: {
|
||||
/* PBKDF2 must have the following addition restrictions
|
||||
@@ -2508,12 +2537,28 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
return PR_TRUE;
|
||||
}
|
||||
/* check the hash mechanisms to make sure they themselves are FIPS */
|
||||
+ case SFTKFIPSChkHashSp800:
|
||||
+ allowCMAC = PR_TRUE;
|
||||
case SFTKFIPSChkHash:
|
||||
+ allowSmall = PR_TRUE;
|
||||
+ case SFTKFIPSChkHashTls:
|
||||
if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- return sftk_CheckFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
|
||||
- + mechInfo->offset));
|
||||
+ return sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
|
||||
+ + mechInfo->offset), allowSmall, allowCMAC);
|
||||
+ case SFTKFIPSTlsKeyCheck:
|
||||
+ if (mech->mechanism != CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) {
|
||||
+ /* unless the mechnism has a built-in hash, check the hash */
|
||||
+ if (mech->ulParameterLen < mechInfo->offset +sizeof(CK_ULONG)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (!sftk_checkFIPSHash(*(CK_ULONG *)(((char *)mech->pParameter)
|
||||
+ + mechInfo->offset), PR_FALSE, PR_FALSE)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ }
|
||||
+ return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2558,13 +2603,11 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
* approved algorithm in the approved mode with an approved key */
|
||||
if ((mech->mechanism == mechs->type) &&
|
||||
(opFlags == (mechs->info.flags & opFlags)) &&
|
||||
- (keyLength <= mechs->info.ulMaxKeySize) &&
|
||||
- (keyLength >= mechs->info.ulMinKeySize) &&
|
||||
- (((keyLength - mechs->info.ulMinKeySize) % mechs->step) == 0) &&
|
||||
- ((targetKeyLength == 0) ||
|
||||
- ((targetKeyLength <= mechs->info.ulMaxKeySize) &&
|
||||
- (targetKeyLength >= mechs->info.ulMinKeySize) &&
|
||||
- ((targetKeyLength - mechs->info.ulMinKeySize) % mechs->step) == 0)) &&
|
||||
+ sftk_checkKeyLength(keyLength, mechs->info.ulMinKeySize,
|
||||
+ mechs->info.ulMaxKeySize, mechs->step) &&
|
||||
+ ((targetKeyLength == 0) || (mechs->special == SFTKFIPSTlsKeyCheck)
|
||||
+ || sftk_checkKeyLength(targetKeyLength, mechs->info.ulMinKeySize,
|
||||
+ mechs->info.ulMaxKeySize, mechs->step)) &&
|
||||
((mechs->special == SFTKFIPSNone) ||
|
||||
sftk_handleSpecial(slot, mech, mechs, source, keyLength, targetKeyLength))) {
|
||||
return PR_TRUE;
|
||||
diff -up ./lib/softoken/sftkmessage.c.fips_2 ./lib/softoken/sftkmessage.c
|
||||
--- ./lib/softoken/sftkmessage.c.fips_2 2024-01-19 09:21:19.634889680 -0800
|
||||
+++ ./lib/softoken/sftkmessage.c 2024-01-19 09:22:18.541471306 -0800
|
||||
@@ -157,16 +157,25 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
|
||||
} else {
|
||||
CK_GCM_MESSAGE_PARAMS *p = (CK_GCM_MESSAGE_PARAMS *)pParameter;
|
||||
switch (p->ivGenerator) {
|
||||
+ default:
|
||||
case CKG_NO_GENERATE:
|
||||
context->isFIPS = PR_FALSE;
|
||||
break;
|
||||
case CKG_GENERATE_RANDOM:
|
||||
- if ((p->ulIvLen < 12) || (p->ulIvFixedBits != 0)) {
|
||||
+ if ((p->ulIvLen < 96/PR_BITS_PER_BYTE) ||
|
||||
+ (p->ulIvFixedBits != 0)) {
|
||||
context->isFIPS = PR_FALSE;
|
||||
}
|
||||
break;
|
||||
- default:
|
||||
- if ((p->ulIvLen < 12) || (p->ulIvFixedBits < 32)) {
|
||||
+ case CKG_GENERATE_COUNTER_XOR:
|
||||
+ if ((p->ulIvLen != 96/PR_BITS_PER_BYTE) ||
|
||||
+ (p->ulIvFixedBits != 32)) {
|
||||
+ context->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
+ break;
|
||||
+ case CKG_GENERATE_COUNTER:
|
||||
+ if ((p->ulIvFixedBits < 32) ||
|
||||
+ ((p->ulIvLen*PR_BITS_PER_BYTE - p->ulIvFixedBits) < 32)) {
|
||||
context->isFIPS = PR_FALSE;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,83 @@
|
|||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -15,10 +15,13 @@
|
||||
* keys and their associated Certificates are saved on the token.
|
||||
*
|
||||
* In this implementation, session objects are only visible to the session
|
||||
* that created or generated them.
|
||||
*/
|
||||
+
|
||||
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
|
||||
+
|
||||
#include "seccomon.h"
|
||||
#include "secitem.h"
|
||||
#include "secport.h"
|
||||
#include "blapi.h"
|
||||
#include "pkcs11.h"
|
||||
@@ -1954,12 +1957,21 @@
|
||||
if (pDigest == NULL) {
|
||||
*pulDigestLen = context->maxLen;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
- /* do it: */
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_Digest takes an unsigned long. */
|
||||
+ while (ulDataLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
|
||||
+ pData += UINT_MAX;
|
||||
+ ulDataLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
|
||||
+
|
||||
/* NOTE: this assumes buf size is bigenough for the algorithm */
|
||||
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
|
||||
*pulDigestLen = digestLen;
|
||||
|
||||
sftk_TerminateOp(session, SFTK_HASH, context);
|
||||
@@ -1980,12 +1992,22 @@
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
- /* do it: */
|
||||
+
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
|
||||
CK_RV
|
||||
@@ -3166,10 +3188,17 @@
|
||||
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
if (context->hashInfo) {
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
|
||||
} else {
|
||||
/* must be block cipher MACing */
|
||||
|
||||
unsigned int blkSize = context->blockSize;
|
||||
|
|
@ -0,0 +1,506 @@
|
|||
diff -up ./lib/freebl/aeskeywrap.c.safe_zero ./lib/freebl/aeskeywrap.c
|
||||
--- ./lib/freebl/aeskeywrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/aeskeywrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -512,7 +512,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
|
||||
PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
|
||||
rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
|
||||
outLen);
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -528,7 +528,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
|
||||
PORT_ZFree(newBuf, paddedInputLen);
|
||||
/* a little overkill, we only need to clear out the length, but this
|
||||
* is easier to verify we got it all */
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -631,12 +631,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
|
||||
loser:
|
||||
/* if we failed, make sure we don't return any data to the user */
|
||||
if ((rv != SECSuccess) && (output == newBuf)) {
|
||||
- PORT_Memset(newBuf, 0, paddedLen);
|
||||
+ PORT_SafeZero(newBuf, paddedLen);
|
||||
}
|
||||
/* clear out CSP sensitive data from the heap and stack */
|
||||
if (allocBuf) {
|
||||
PORT_ZFree(allocBuf, paddedLen);
|
||||
}
|
||||
- PORT_Memset(iv, 0, sizeof(iv));
|
||||
+ PORT_SafeZero(iv, sizeof(iv));
|
||||
return rv;
|
||||
}
|
||||
diff -up ./lib/freebl/blapii.h.safe_zero ./lib/freebl/blapii.h
|
||||
--- ./lib/freebl/blapii.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/blapii.h 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -101,10 +101,10 @@ PRBool ppc_crypto_support();
|
||||
#ifdef NSS_FIPS_DISABLED
|
||||
#define BLAPI_CLEAR_STACK(stack_size)
|
||||
#else
|
||||
-#define BLAPI_CLEAR_STACK(stack_size) \
|
||||
- { \
|
||||
- volatile char _stkclr[stack_size]; \
|
||||
- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
|
||||
+#define BLAPI_CLEAR_STACK(stack_size) \
|
||||
+ { \
|
||||
+ volatile char _stkclr[stack_size]; \
|
||||
+ PORT_SafeZero((void *)&_stkclr[0], stack_size); \
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -up ./lib/freebl/drbg.c.safe_zero ./lib/freebl/drbg.c
|
||||
--- ./lib/freebl/drbg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/drbg.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -197,7 +197,7 @@ prng_initEntropy(void)
|
||||
SHA256_Update(&ctx, block, sizeof(block));
|
||||
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
|
||||
sizeof(globalrng->previousEntropyHash));
|
||||
- PORT_Memset(block, 0, sizeof(block));
|
||||
+ PORT_SafeZero(block, sizeof(block));
|
||||
SHA256_DestroyContext(&ctx, PR_FALSE);
|
||||
return PR_SUCCESS;
|
||||
}
|
||||
@@ -246,8 +246,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
|
||||
}
|
||||
|
||||
out:
|
||||
- PORT_Memset(hash, 0, sizeof hash);
|
||||
- PORT_Memset(block, 0, sizeof block);
|
||||
+ PORT_SafeZero(hash, sizeof hash);
|
||||
+ PORT_SafeZero(block, sizeof block);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -393,8 +393,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
|
||||
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
|
||||
SHA256_DestroyContext(&ctx, PR_FALSE);
|
||||
}
|
||||
- PORT_Memset(data, 0, sizeof data);
|
||||
- PORT_Memset(thisHash, 0, sizeof thisHash);
|
||||
+ PORT_SafeZero(data, sizeof data);
|
||||
+ PORT_SafeZero(thisHash, sizeof thisHash);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -455,7 +455,7 @@ prng_generateNewBytes(RNGContext *rng,
|
||||
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
|
||||
|
||||
/* if the prng failed, don't return any output, signal softoken */
|
||||
- PORT_Memset(H, 0, sizeof H);
|
||||
+ PORT_SafeZero(H, sizeof H);
|
||||
if (!rng->isValid) {
|
||||
PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
diff -up ./lib/freebl/dsa.c.safe_zero ./lib/freebl/dsa.c
|
||||
--- ./lib/freebl/dsa.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/dsa.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
|
||||
err = MP_OKAY;
|
||||
signature->len = dsa_signature_len;
|
||||
cleanup:
|
||||
- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
|
||||
+ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
|
||||
mp_clear(&p);
|
||||
mp_clear(&q);
|
||||
mp_clear(&g);
|
||||
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
|
||||
rv = dsa_SignDigest(key, signature, digest, kSeed);
|
||||
} while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
|
||||
--retries > 0);
|
||||
- PORT_Memset(kSeed, 0, sizeof kSeed);
|
||||
+ PORT_SafeZero(kSeed, sizeof kSeed);
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
|
||||
verified = SECSuccess; /* Signature verified. */
|
||||
}
|
||||
cleanup:
|
||||
- PORT_Memset(localDigestData, 0, sizeof localDigestData);
|
||||
+ PORT_SafeZero(localDigestData, sizeof localDigestData);
|
||||
mp_clear(&p);
|
||||
mp_clear(&q);
|
||||
mp_clear(&g);
|
||||
diff -up ./lib/freebl/gcm.c.safe_zero ./lib/freebl/gcm.c
|
||||
--- ./lib/freebl/gcm.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/gcm.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -480,7 +480,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
|
||||
rv = SECSuccess;
|
||||
|
||||
cleanup:
|
||||
- PORT_Memset(T, 0, sizeof(T));
|
||||
+ PORT_SafeZero(T, sizeof(T));
|
||||
return rv;
|
||||
}
|
||||
|
||||
@@ -596,15 +596,15 @@ GCM_CreateContext(void *context, freeblC
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
|
||||
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
|
||||
gcm->ctr_context_init = PR_TRUE;
|
||||
return gcm;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
|
||||
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
|
||||
if (ghash && ghash->mem) {
|
||||
void *mem = ghash->mem;
|
||||
- PORT_Memset(ghash, 0, sizeof(gcmHashContext));
|
||||
+ PORT_SafeZero(ghash, sizeof(gcmHashContext));
|
||||
PORT_Free(mem);
|
||||
}
|
||||
if (gcm) {
|
||||
@@ -682,11 +682,11 @@ gcm_InitCounter(GCMContext *gcm, const u
|
||||
goto loser;
|
||||
}
|
||||
|
||||
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
|
||||
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
|
||||
return SECSuccess;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
|
||||
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
|
||||
if (freeCtr) {
|
||||
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
||||
}
|
||||
@@ -866,10 +866,10 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
return SECFailure;
|
||||
}
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
/* finish the decryption */
|
||||
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
||||
inbuf, inlen, AES_BLOCK_SIZE);
|
||||
@@ -1159,10 +1159,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
|
||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
return SECFailure;
|
||||
}
|
||||
- PORT_Memset(tag, 0, sizeof(tag));
|
||||
+ PORT_SafeZero(tag, sizeof(tag));
|
||||
/* finish the decryption */
|
||||
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
|
||||
inbuf, inlen, AES_BLOCK_SIZE);
|
||||
diff -up ./lib/freebl/hmacct.c.safe_zero ./lib/freebl/hmacct.c
|
||||
--- ./lib/freebl/hmacct.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/hmacct.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
|
||||
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
|
||||
hashObj->destroy(mdState, PR_TRUE);
|
||||
|
||||
- PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
|
||||
- PORT_Memset(hmacPad, 0, sizeof hmacPad);
|
||||
- PORT_Memset(firstBlock, 0, sizeof firstBlock);
|
||||
- PORT_Memset(macOut, 0, sizeof macOut);
|
||||
+ PORT_SafeZero(lengthBytes, sizeof lengthBytes);
|
||||
+ PORT_SafeZero(hmacPad, sizeof hmacPad);
|
||||
+ PORT_SafeZero(firstBlock, sizeof firstBlock);
|
||||
+ PORT_SafeZero(macOut, sizeof macOut);
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
diff -up ./lib/freebl/intel-gcm-wrap.c.safe_zero ./lib/freebl/intel-gcm-wrap.c
|
||||
--- ./lib/freebl/intel-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/intel-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
|
||||
void
|
||||
intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
|
||||
{
|
||||
- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
|
||||
+ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
|
||||
if (freeit) {
|
||||
PORT_Free(gcm);
|
||||
}
|
||||
diff -up ./lib/freebl/ppc-gcm-wrap.c.safe_zero ./lib/freebl/ppc-gcm-wrap.c
|
||||
--- ./lib/freebl/ppc-gcm-wrap.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/ppc-gcm-wrap.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
|
||||
void
|
||||
ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
|
||||
{
|
||||
- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
|
||||
+ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
|
||||
if (freeit) {
|
||||
PORT_Free(gcm);
|
||||
}
|
||||
diff -up ./lib/freebl/pqg.c.safe_zero ./lib/freebl/pqg.c
|
||||
--- ./lib/freebl/pqg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/pqg.c 2023-11-22 14:42:24.246388369 -0800
|
||||
@@ -703,7 +703,7 @@ cleanup:
|
||||
mp_clear(&a);
|
||||
mp_clear(&z);
|
||||
mp_clear(&two_length_minus_1);
|
||||
- PORT_Memset(x, 0, sizeof(x));
|
||||
+ PORT_SafeZero(x, sizeof(x));
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -859,7 +859,7 @@ cleanup:
|
||||
mp_clear(&c);
|
||||
mp_clear(&c0);
|
||||
mp_clear(&one);
|
||||
- PORT_Memset(x, 0, sizeof(x));
|
||||
+ PORT_SafeZero(x, sizeof(x));
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
|
||||
CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */
|
||||
CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */
|
||||
cleanup:
|
||||
- PORT_Memset(V_j, 0, sizeof V_j);
|
||||
+ PORT_SafeZero(V_j, sizeof V_j);
|
||||
mp_clear(&W);
|
||||
mp_clear(&X);
|
||||
mp_clear(&c);
|
||||
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
|
||||
/* step 11.
|
||||
* return valid G */
|
||||
cleanup:
|
||||
- PORT_Memset(data, 0, sizeof(data));
|
||||
+ PORT_SafeZero(data, sizeof(data));
|
||||
if (hashcx) {
|
||||
hashobj->destroy(hashcx, PR_TRUE);
|
||||
}
|
||||
diff -up ./lib/freebl/rijndael.c.safe_zero ./lib/freebl/rijndael.c
|
||||
--- ./lib/freebl/rijndael.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/rijndael.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
|
||||
cx->worker_cx = NULL;
|
||||
cx->destroy = NULL;
|
||||
}
|
||||
- PORT_Memset(cx, 0, sizeof(AESContext));
|
||||
+ PORT_SafeZero(cx, sizeof(AESContext));
|
||||
if (freeit) {
|
||||
PORT_Free(mem);
|
||||
} else {
|
||||
diff -up ./lib/freebl/rsa.c.safe_zero ./lib/freebl/rsa.c
|
||||
--- ./lib/freebl/rsa.c.safe_zero 2023-11-22 14:41:24.066840894 -0800
|
||||
+++ ./lib/freebl/rsa.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -143,8 +143,8 @@ rsa_build_from_primes(const mp_int *p, c
|
||||
/* 2. Compute phi = (p-1)*(q-1) */
|
||||
CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
|
||||
CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
|
||||
+ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
|
||||
if (needPublicExponent || needPrivateExponent) {
|
||||
- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
|
||||
/* 3. Compute d = e**-1 mod(phi) */
|
||||
/* or e = d**-1 mod(phi) as necessary */
|
||||
if (needPublicExponent) {
|
||||
@@ -165,6 +165,15 @@ rsa_build_from_primes(const mp_int *p, c
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
+ /* make sure we weren't passed in a d or e = 1 mod phi */
|
||||
+ /* just need to check d, because if one is = 1 mod phi, they both are */
|
||||
+ CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
|
||||
+ if (mp_cmp_d(&tmp, 2) <= 0) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ rv = SECFailure;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
/* 4. Compute exponent1 = d mod (p-1) */
|
||||
CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
|
||||
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
|
||||
@@ -1152,6 +1161,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
|
||||
/* Perform a public key operation v = m ** e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
|
||||
if (mp_cmp(&v, c) != 0) {
|
||||
+ /* this error triggers a fips fatal error lock */
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
rv = SECFailure;
|
||||
}
|
||||
cleanup:
|
||||
diff -up ./lib/freebl/rsapkcs.c.safe_zero ./lib/freebl/rsapkcs.c
|
||||
--- ./lib/freebl/rsapkcs.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/rsapkcs.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -977,14 +977,14 @@ rsa_GetHMACContext(const SECHashObject *
|
||||
/* now create the hmac key */
|
||||
hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
|
||||
if (hmac == NULL) {
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
return NULL;
|
||||
}
|
||||
HMAC_Begin(hmac);
|
||||
HMAC_Update(hmac, input, inputLen);
|
||||
rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
|
||||
if (rv != SECSuccess) {
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
return NULL;
|
||||
}
|
||||
@@ -992,7 +992,7 @@ rsa_GetHMACContext(const SECHashObject *
|
||||
* reuse the original context allocated above so we don't
|
||||
* need to allocate and free another one */
|
||||
rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
|
||||
- PORT_Memset(keyHash, 0, sizeof(keyHash));
|
||||
+ PORT_SafeZero(keyHash, sizeof(keyHash));
|
||||
if (rv != SECSuccess) {
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
return NULL;
|
||||
@@ -1042,7 +1042,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
|
||||
return rv;
|
||||
}
|
||||
PORT_Memcpy(output, hmacLast, left);
|
||||
- PORT_Memset(hmacLast, 0, sizeof(hmacLast));
|
||||
+ PORT_SafeZero(hmacLast, sizeof(hmacLast));
|
||||
}
|
||||
return rv;
|
||||
}
|
||||
@@ -1087,7 +1087,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
|
||||
outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
|
||||
candidate, outLength);
|
||||
}
|
||||
- PORT_Memset(out, 0, sizeof(out));
|
||||
+ PORT_SafeZero(out, sizeof(out));
|
||||
return outLength;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/shvfy.c.safe_zero ./lib/freebl/shvfy.c
|
||||
--- ./lib/freebl/shvfy.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/shvfy.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
|
||||
|
||||
/* verify the hash against the check file */
|
||||
rv = DSA_VerifyDigest(key, signature, &hash);
|
||||
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
|
||||
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
|
||||
return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
|
||||
}
|
||||
#endif
|
||||
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||
if (rv == SECSuccess) {
|
||||
result = SECITEM_ItemsAreEqual(signature, &hash);
|
||||
}
|
||||
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
|
||||
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
|
||||
return result;
|
||||
}
|
||||
|
||||
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
#ifndef NSS_STRICT_INTEGRITY
|
||||
DSAPublicKey key;
|
||||
|
||||
- PORT_Memset(&key, 0, sizeof(key));
|
||||
+ PORT_SafeZero(&key, sizeof(key));
|
||||
#endif
|
||||
|
||||
/* If our integrity check was never ran or failed, fail any other
|
||||
@@ -597,7 +597,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
shFD = NULL;
|
||||
|
||||
loser:
|
||||
- PORT_Memset(&header, 0, sizeof header);
|
||||
+ PORT_SafeZero(&header, sizeof header);
|
||||
if (checkName != NULL) {
|
||||
PORT_Free(checkName);
|
||||
}
|
||||
diff -up ./lib/freebl/tlsprfalg.c.safe_zero ./lib/freebl/tlsprfalg.c
|
||||
--- ./lib/freebl/tlsprfalg.c.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/tlsprfalg.c 2023-11-22 14:42:24.247388378 -0800
|
||||
@@ -82,8 +82,8 @@ loser:
|
||||
/* clear out state so it's not left on the stack */
|
||||
if (cx)
|
||||
HMAC_Destroy(cx, PR_TRUE);
|
||||
- PORT_Memset(state, 0, sizeof(state));
|
||||
- PORT_Memset(outbuf, 0, sizeof(outbuf));
|
||||
+ PORT_SafeZero(state, sizeof(state));
|
||||
+ PORT_SafeZero(outbuf, sizeof(outbuf));
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/unix_urandom.c.safe_zero ./lib/freebl/unix_urandom.c
|
||||
--- ./lib/freebl/unix_urandom.c.safe_zero 2023-11-22 14:42:24.247388378 -0800
|
||||
+++ ./lib/freebl/unix_urandom.c 2023-11-22 14:44:15.519400684 -0800
|
||||
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
|
||||
return;
|
||||
}
|
||||
RNG_RandomUpdate(bytes, numBytes);
|
||||
- PORT_Memset(bytes, 0, sizeof bytes);
|
||||
+ PORT_SafeZero(bytes, sizeof bytes);
|
||||
}
|
||||
|
||||
#ifdef NSS_FIPS_140_3
|
||||
diff -up ./lib/softoken/pkcs11c.c.safe_zero ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.safe_zero 2023-11-22 14:41:24.069840921 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-11-22 14:42:24.248388387 -0800
|
||||
@@ -5092,7 +5092,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
if ((signature_length >= pairwise_digest_length) &&
|
||||
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
|
||||
PORT_Free(signature);
|
||||
- return CKR_DEVICE_ERROR;
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
}
|
||||
|
||||
/* Verify the known hash using the public key. */
|
||||
diff -up ./lib/util/secport.h.safe_zero ./lib/util/secport.h
|
||||
--- ./lib/util/secport.h.safe_zero 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/util/secport.h 2023-11-22 14:42:24.248388387 -0800
|
||||
@@ -36,6 +36,9 @@
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <ctype.h>
|
||||
+/* ask for Annex K for memset_s. will set the appropriate #define
|
||||
+ * if Annex K is supported */
|
||||
+#define __STDC_WANT_LIB_EXT1__ 1
|
||||
#include <string.h>
|
||||
#include <stddef.h>
|
||||
#include <stdlib.h>
|
||||
@@ -182,6 +185,39 @@ SEC_END_PROTOS
|
||||
#endif /*SUNOS4*/
|
||||
#define PORT_Memset memset
|
||||
|
||||
+/* there are cases where the compiler optimizes away our attempt to clear
|
||||
+ * out our stack variables. There are multiple solutions for this problem,
|
||||
+ * but they aren't universally accepted on all platforms. This attempts
|
||||
+ * to select the best solution available given our os, compilier, and libc */
|
||||
+#ifdef __STDC_LIB_EXT1__
|
||||
+/* if the os implements C11 annex K, use memset_s */
|
||||
+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
|
||||
+#else
|
||||
+#ifdef XP_WIN
|
||||
+/* windows has a secure zero funtion */
|
||||
+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
|
||||
+#else
|
||||
+/* _DEFAULT_SORUCE == BSD source in GCC based environments
|
||||
+ * if other environmens support explicit_bzero, their defines
|
||||
+ * should be added here */
|
||||
+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
|
||||
+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
|
||||
+#else
|
||||
+/* if the os doesn't support one of the above, but does support
|
||||
+ * memset_explicit, you can add the definition for memset with the
|
||||
+ * appropriate define check here */
|
||||
+/* define an explicitly implementated Safe zero if the OS
|
||||
+ * doesn't provide one */
|
||||
+#define PORT_SafeZero(p, n) \
|
||||
+ if (p != NULL) { \
|
||||
+ volatile unsigned char *__vl = (unsigned char *)p; \
|
||||
+ size_t __nl = n; \
|
||||
+ while (__nl--) *__vl++ = 0; \
|
||||
+ }
|
||||
+#endif /* no explicit_bzero */
|
||||
+#endif /* no windows SecureZeroMemory */
|
||||
+#endif /* no memset_s */
|
||||
+
|
||||
#define PORT_Strcasecmp PL_strcasecmp
|
||||
#define PORT_Strcat strcat
|
||||
#define PORT_Strchr strchr
|
|
@ -0,0 +1,18 @@
|
|||
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
|
||||
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
|
||||
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
|
||||
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
|
||||
return $?
|
||||
fi
|
||||
curves=( \
|
||||
- "curve25519" \
|
||||
"secp256r1" \
|
||||
"secp384r1" \
|
||||
"secp521r1" \
|
||||
)
|
||||
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
|
||||
+ curves=( "curve25519" "${curves[@]}" )
|
||||
+ fi
|
||||
for curve in "${curves[@]}"; do
|
||||
echo "Test $curve key generation using certutil ..."
|
||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
|
@ -0,0 +1,42 @@
|
|||
diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700
|
||||
@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
return PR_FALSE;
|
||||
case SFTKFIPSECC:
|
||||
/* we've already handled the curve selection in the 'getlength'
|
||||
- * function */
|
||||
+ * function */
|
||||
return PR_TRUE;
|
||||
case SFTKFIPSAEAD: {
|
||||
if (mech->ulParameterLen == 0) {
|
||||
@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
+ case SFTKFIPSPBKDF2: {
|
||||
+ /* PBKDF2 must have the following addition restrictions
|
||||
+ * (independent of keysize).
|
||||
+ * 1. iteration count must be at least 1000.
|
||||
+ * 2. salt must be at least 128 bits (16 bytes).
|
||||
+ * 3. password must match the length specified in the SP
|
||||
+ */
|
||||
+ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
|
||||
+ mech->pParameter;
|
||||
+ if (mech->ulParameterLen != sizeof(*pbkdf2)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (pbkdf2->iterations < 1000) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (pbkdf2->ulSaltSourceDataLen < 16) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
default:
|
||||
break;
|
||||
}
|
|
@ -1,62 +0,0 @@
|
|||
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
|
||||
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
|
||||
@@ -953,23 +953,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSockett");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
||||
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
|
||||
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
|
||||
@@ -1711,23 +1711,23 @@
|
||||
getBoundListenSocket(unsigned short port)
|
||||
{
|
||||
PRFileDesc *listen_sock;
|
||||
int listenQueueDepth = 5 + (2 * maxThreads);
|
||||
PRStatus prStatus;
|
||||
PRNetAddr addr;
|
||||
PRSocketOptionData opt;
|
||||
|
||||
- addr.inet.family = PR_AF_INET;
|
||||
- addr.inet.ip = PR_INADDR_ANY;
|
||||
- addr.inet.port = PR_htons(port);
|
||||
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
|
||||
+ errExit("PR_SetNetAddr");
|
||||
+ }
|
||||
|
||||
- listen_sock = PR_NewTCPSocket();
|
||||
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
|
||||
if (listen_sock == NULL) {
|
||||
- errExit("PR_NewTCPSocket");
|
||||
+ errExit("PR_OpenTCPSocket error");
|
||||
}
|
||||
|
||||
opt.option = PR_SockOpt_Nonblocking;
|
||||
opt.value.non_blocking = PR_FALSE;
|
||||
prStatus = PR_SetSocketOption(listen_sock, &opt);
|
||||
if (prStatus < 0) {
|
||||
PR_Close(listen_sock);
|
||||
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
|
|
@ -1,13 +0,0 @@
|
|||
diff -up ./doc/certutil.xml.ipsec_doc ./doc/certutil.xml
|
||||
--- ./doc/certutil.xml.ipsec_doc 2019-05-10 14:14:18.000000000 -0700
|
||||
+++ ./doc/certutil.xml 2019-06-05 16:49:44.229301383 -0700
|
||||
@@ -428,6 +428,9 @@ of the attribute codes:
|
||||
<listitem>
|
||||
<para><command>J</command> (as an object signer)</para>
|
||||
</listitem>
|
||||
+ <listitem>
|
||||
+<para><command>I</command> (as an IPSEC user)</para>
|
||||
+ </listitem>
|
||||
</itemizedlist></listitem>
|
||||
</varlistentry>
|
||||
|
|
@ -1,571 +0,0 @@
|
|||
diff -up ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech ./gtests/pk11_gtest/pk11_import_unittest.cc
|
||||
--- ./gtests/pk11_gtest/pk11_import_unittest.cc.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
|
||||
+++ ./gtests/pk11_gtest/pk11_import_unittest.cc 2019-06-05 16:43:42.276498676 -0700
|
||||
@@ -78,17 +78,40 @@ class Pk11KeyImportTestBase : public ::t
|
||||
CK_MECHANISM_TYPE mech_;
|
||||
|
||||
private:
|
||||
+ SECItem GetPublicComponent(ScopedSECKEYPublicKey& pub_key) {
|
||||
+ SECItem null = { siBuffer, NULL, 0};
|
||||
+ switch(SECKEY_GetPublicKeyType(pub_key.get())) {
|
||||
+ case rsaKey:
|
||||
+ case rsaPssKey:
|
||||
+ case rsaOaepKey:
|
||||
+ return pub_key->u.rsa.modulus;
|
||||
+ case keaKey:
|
||||
+ return pub_key->u.kea.publicValue;
|
||||
+ case dsaKey:
|
||||
+ return pub_key->u.dsa.publicValue;
|
||||
+ case dhKey:
|
||||
+ return pub_key->u.dh.publicValue;
|
||||
+ case ecKey:
|
||||
+ return pub_key->u.ec.publicValue;
|
||||
+ case fortezzaKey: /* depricated */
|
||||
+ case nullKey:
|
||||
+ /* didn't use default here so we can catch new key types at compile time */
|
||||
+ break;
|
||||
+ }
|
||||
+ return null;
|
||||
+ }
|
||||
void CheckForPublicKey(const ScopedSECKEYPrivateKey& priv_key,
|
||||
const SECItem* expected_public) {
|
||||
// Verify the public key exists.
|
||||
StackSECItem priv_id;
|
||||
+ KeyType type = SECKEY_GetPrivateKeyType(priv_key.get());
|
||||
SECStatus rv = PK11_ReadRawAttribute(PK11_TypePrivKey, priv_key.get(),
|
||||
CKA_ID, &priv_id);
|
||||
ASSERT_EQ(SECSuccess, rv) << "Couldn't read CKA_ID from private key: "
|
||||
<< PORT_ErrorToName(PORT_GetError());
|
||||
|
||||
CK_ATTRIBUTE_TYPE value_type = CKA_VALUE;
|
||||
- switch (SECKEY_GetPrivateKeyType(priv_key.get())) {
|
||||
+ switch (type) {
|
||||
case rsaKey:
|
||||
value_type = CKA_MODULUS;
|
||||
break;
|
||||
@@ -106,6 +129,8 @@ class Pk11KeyImportTestBase : public ::t
|
||||
FAIL() << "unknown key type";
|
||||
}
|
||||
|
||||
+ // Scan public key objects until we find one with the same CKA_ID as
|
||||
+ // priv_key
|
||||
std::unique_ptr<PK11GenericObject, PK11GenericObjectsDeleter> objs(
|
||||
PK11_FindGenericObjects(slot_.get(), CKO_PUBLIC_KEY));
|
||||
ASSERT_NE(nullptr, objs);
|
||||
@@ -128,20 +153,46 @@ class Pk11KeyImportTestBase : public ::t
|
||||
ASSERT_EQ(1U, token.len);
|
||||
ASSERT_NE(0, token.data[0]);
|
||||
|
||||
- StackSECItem value;
|
||||
- rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &value);
|
||||
+ StackSECItem raw_value;
|
||||
+ SECItem decoded_value;
|
||||
+ rv = PK11_ReadRawAttribute(PK11_TypeGeneric, obj, value_type, &raw_value);
|
||||
ASSERT_EQ(SECSuccess, rv);
|
||||
+ SECItem value = raw_value;
|
||||
|
||||
+ // Decode the EC_POINT and check the output against expected.
|
||||
// CKA_EC_POINT isn't stable, see Bug 1520649.
|
||||
+ ScopedPLArenaPool arena(PORT_NewArena(DER_DEFAULT_CHUNKSIZE));
|
||||
+ ASSERT_TRUE(arena);
|
||||
if (value_type == CKA_EC_POINT) {
|
||||
- continue;
|
||||
- }
|
||||
|
||||
+ // If this fails due to the noted inconsistency, we may need to
|
||||
+ // check the whole raw_value, or remove a leading UNCOMPRESSED_POINT tag
|
||||
+ rv = SEC_QuickDERDecodeItem(arena.get(), &decoded_value,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
+ &raw_value);
|
||||
+ ASSERT_EQ(SECSuccess, rv);
|
||||
+ value = decoded_value;
|
||||
+ }
|
||||
ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &value))
|
||||
<< "expected: "
|
||||
<< DataBuffer(expected_public->data, expected_public->len)
|
||||
<< std::endl
|
||||
<< "actual: " << DataBuffer(value.data, value.len) << std::endl;
|
||||
+
|
||||
+ // Finally, convert the private to public and ensure it matches.
|
||||
+ ScopedSECKEYPublicKey pub_key(
|
||||
+ SECKEY_ConvertToPublicKey(priv_key.get()));
|
||||
+ ASSERT_TRUE(pub_key);
|
||||
+ SECItem converted_public = GetPublicComponent(pub_key);
|
||||
+ ASSERT_TRUE(converted_public.len != 0);
|
||||
+
|
||||
+ ASSERT_TRUE(SECITEM_ItemsAreEqual(expected_public, &converted_public))
|
||||
+ << "expected: "
|
||||
+ << DataBuffer(expected_public->data, expected_public->len)
|
||||
+ << std::endl
|
||||
+ << "actual: "
|
||||
+ << DataBuffer(converted_public.data, converted_public.len)
|
||||
+ << std::endl;
|
||||
}
|
||||
}
|
||||
|
||||
diff -up ./lib/cryptohi/seckey.c.pub-priv-mech ./lib/cryptohi/seckey.c
|
||||
--- ./lib/cryptohi/seckey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
|
||||
+++ ./lib/cryptohi/seckey.c 2019-06-05 16:43:42.277498676 -0700
|
||||
@@ -1206,6 +1206,37 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Use the private key to find a public key handle. The handle will be on
|
||||
+ * the same slot as the private key.
|
||||
+ */
|
||||
+static CK_OBJECT_HANDLE
|
||||
+seckey_FindPublicKeyHandle(SECKEYPrivateKey *privk, SECKEYPublicKey *pubk)
|
||||
+{
|
||||
+ CK_OBJECT_HANDLE keyID;
|
||||
+
|
||||
+ /* this helper function is only used below. If we want to make this more
|
||||
+ * general, we would need to free up any already cached handles if the
|
||||
+ * slot doesn't match up with the private key slot */
|
||||
+ PORT_Assert(pubk->pkcs11ID == CK_INVALID_HANDLE);
|
||||
+
|
||||
+ /* first look for a matching public key */
|
||||
+ keyID = PK11_MatchItem(privk->pkcs11Slot, privk->pkcs11ID, CKO_PUBLIC_KEY);
|
||||
+ if (keyID != CK_INVALID_HANDLE) {
|
||||
+ return keyID;
|
||||
+ }
|
||||
+
|
||||
+ /* none found, create a temp one, make the pubk the owner */
|
||||
+ pubk->pkcs11ID = PK11_DerivePubKeyFromPrivKey(privk);
|
||||
+ if (pubk->pkcs11ID == CK_INVALID_HANDLE) {
|
||||
+ /* end of the road. Token doesn't have matching public key, nor can
|
||||
+ * token regenerate a new public key from and existing private key. */
|
||||
+ return CK_INVALID_HANDLE;
|
||||
+ }
|
||||
+ pubk->pkcs11Slot = PK11_ReferenceSlot(privk->pkcs11Slot);
|
||||
+ return pubk->pkcs11ID;
|
||||
+}
|
||||
+
|
||||
SECKEYPublicKey *
|
||||
SECKEY_ConvertToPublicKey(SECKEYPrivateKey *privk)
|
||||
{
|
||||
@@ -1213,6 +1244,8 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
|
||||
PLArenaPool *arena;
|
||||
CERTCertificate *cert;
|
||||
SECStatus rv;
|
||||
+ CK_OBJECT_HANDLE pubKeyHandle;
|
||||
+ SECItem decodedPoint;
|
||||
|
||||
/*
|
||||
* First try to look up the cert.
|
||||
@@ -1243,11 +1276,47 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
|
||||
|
||||
switch (privk->keyType) {
|
||||
case nullKey:
|
||||
- case dhKey:
|
||||
- case dsaKey:
|
||||
/* Nothing to query, if the cert isn't there, we're done -- no way
|
||||
* to get the public key */
|
||||
break;
|
||||
+ case dsaKey:
|
||||
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
|
||||
+ if (pubKeyHandle == CK_INVALID_HANDLE)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_BASE, arena, &pubk->u.dsa.params.base);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_PRIME, arena, &pubk->u.dsa.params.prime);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_SUBPRIME, arena, &pubk->u.dsa.params.subPrime);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_VALUE, arena, &pubk->u.dsa.publicValue);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ return pubk;
|
||||
+ case dhKey:
|
||||
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
|
||||
+ if (pubKeyHandle == CK_INVALID_HANDLE)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_BASE, arena, &pubk->u.dh.base);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_PRIME, arena, &pubk->u.dh.prime);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_VALUE, arena, &pubk->u.dh.publicValue);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ return pubk;
|
||||
case rsaKey:
|
||||
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
CKA_MODULUS, arena, &pubk->u.rsa.modulus);
|
||||
@@ -1258,7 +1327,6 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
|
||||
if (rv != SECSuccess)
|
||||
break;
|
||||
return pubk;
|
||||
- break;
|
||||
case ecKey:
|
||||
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
CKA_EC_PARAMS, arena, &pubk->u.ec.DEREncodedParams);
|
||||
@@ -1268,7 +1336,23 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
|
||||
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
|
||||
if (rv != SECSuccess || pubk->u.ec.publicValue.len == 0) {
|
||||
- break;
|
||||
+ pubKeyHandle = seckey_FindPublicKeyHandle(privk, pubk);
|
||||
+ if (pubKeyHandle == CK_INVALID_HANDLE)
|
||||
+ break;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, pubKeyHandle,
|
||||
+ CKA_EC_POINT, arena, &pubk->u.ec.publicValue);
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ }
|
||||
+ /* ec.publicValue should be decoded, PKCS #11 defines CKA_EC_POINT
|
||||
+ * as encoded, but it's not always. try do decoded it and if it
|
||||
+ * succeeds store the decoded value */
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, &decodedPoint,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate), &pubk->u.ec.publicValue);
|
||||
+ if (rv == SECSuccess) {
|
||||
+ /* both values are in the public key arena, so it's safe to
|
||||
+ * overwrite the old value */
|
||||
+ pubk->u.ec.publicValue = decodedPoint;
|
||||
}
|
||||
pubk->u.ec.encoding = ECPoint_Undefined;
|
||||
return pubk;
|
||||
@@ -1276,7 +1360,9 @@ SECKEY_ConvertToPublicKey(SECKEYPrivateK
|
||||
break;
|
||||
}
|
||||
|
||||
- PORT_FreeArena(arena, PR_FALSE);
|
||||
+ /* must use Destroy public key here, because some paths create temporary
|
||||
+ * PKCS #11 objects which need to be freed */
|
||||
+ SECKEY_DestroyPublicKey(pubk);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
diff -up ./lib/pk11wrap/pk11priv.h.pub-priv-mech ./lib/pk11wrap/pk11priv.h
|
||||
--- ./lib/pk11wrap/pk11priv.h.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
|
||||
+++ ./lib/pk11wrap/pk11priv.h 2019-06-05 16:43:42.277498676 -0700
|
||||
@@ -111,6 +111,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(
|
||||
PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
|
||||
CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
|
||||
unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
|
||||
+CK_OBJECT_HANDLE PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey);
|
||||
|
||||
/**********************************************************************
|
||||
* Certs
|
||||
diff -up ./lib/pk11wrap/pk11skey.c.pub-priv-mech ./lib/pk11wrap/pk11skey.c
|
||||
--- ./lib/pk11wrap/pk11skey.c.pub-priv-mech 2019-06-05 16:37:38.726685789 -0700
|
||||
+++ ./lib/pk11wrap/pk11skey.c 2019-06-05 16:43:42.278498675 -0700
|
||||
@@ -1841,6 +1841,35 @@ loser:
|
||||
}
|
||||
|
||||
/*
|
||||
+ * This regenerate a public key from a private key. This function is currently
|
||||
+ * NSS private. If we want to make it public, we need to add and optional
|
||||
+ * template or at least flags (a.la. PK11_DeriveWithFlags).
|
||||
+ */
|
||||
+CK_OBJECT_HANDLE
|
||||
+PK11_DerivePubKeyFromPrivKey(SECKEYPrivateKey *privKey)
|
||||
+{
|
||||
+ PK11SlotInfo *slot = privKey->pkcs11Slot;
|
||||
+ CK_MECHANISM mechanism;
|
||||
+ CK_OBJECT_HANDLE objectID = CK_INVALID_HANDLE;
|
||||
+ CK_RV crv;
|
||||
+
|
||||
+ mechanism.mechanism = CKM_NSS_PUB_FROM_PRIV;
|
||||
+ mechanism.pParameter = NULL;
|
||||
+ mechanism.ulParameterLen = 0;
|
||||
+
|
||||
+ PK11_EnterSlotMonitor(slot);
|
||||
+ crv = PK11_GETTAB(slot)->C_DeriveKey(slot->session, &mechanism,
|
||||
+ privKey->pkcs11ID, NULL, 0,
|
||||
+ &objectID);
|
||||
+ PK11_ExitSlotMonitor(slot);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ PORT_SetError(PK11_MapError(crv));
|
||||
+ return CK_INVALID_HANDLE;
|
||||
+ }
|
||||
+ return objectID;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* This Generates a wrapping key based on a privateKey, publicKey, and two
|
||||
* random numbers. For Mail usage RandomB should be NULL. In the Sender's
|
||||
* case RandomA is generate, outherwize it is passed.
|
||||
diff -up ./lib/softoken/lowkey.c.pub-priv-mech ./lib/softoken/lowkey.c
|
||||
--- ./lib/softoken/lowkey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700
|
||||
+++ ./lib/softoken/lowkey.c 2019-06-05 16:44:20.469479019 -0700
|
||||
@@ -261,6 +261,7 @@ NSSLOWKEYPublicKey *
|
||||
nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk)
|
||||
{
|
||||
NSSLOWKEYPublicKey *pubk;
|
||||
+ SECItem publicValue;
|
||||
PLArenaPool *arena;
|
||||
|
||||
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
@@ -301,6 +302,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
|
||||
|
||||
pubk->arena = arena;
|
||||
pubk->keyType = privk->keyType;
|
||||
+ /* if the public key value doesn't exist, calculate it */
|
||||
+ if (privk->u.dsa.publicValue.len == 0) {
|
||||
+ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime,
|
||||
+ &privk->u.dsa.privateValue, &publicValue, 0);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ break;
|
||||
+ }
|
||||
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue);
|
||||
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue,
|
||||
&privk->u.dsa.publicValue);
|
||||
if (rv != SECSuccess)
|
||||
@@ -327,6 +341,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
|
||||
|
||||
pubk->arena = arena;
|
||||
pubk->keyType = privk->keyType;
|
||||
+ /* if the public key value doesn't exist, calculate it */
|
||||
+ if (privk->u.dh.publicValue.len == 0) {
|
||||
+ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime,
|
||||
+ &privk->u.dh.privateValue, &publicValue, 0);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ break;
|
||||
+ }
|
||||
+ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue);
|
||||
+ SECITEM_FreeItem(&publicValue, PR_FALSE);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue,
|
||||
&privk->u.dh.publicValue);
|
||||
if (rv != SECSuccess)
|
||||
diff -up ./lib/softoken/pkcs11c.c.pub-priv-mech ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.pub-priv-mech 2019-06-05 16:37:38.743685780 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2019-06-05 16:44:20.472479017 -0700
|
||||
@@ -6569,6 +6569,10 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
extractValue = PR_FALSE;
|
||||
classType = CKO_PRIVATE_KEY;
|
||||
break;
|
||||
+ case CKM_NSS_PUB_FROM_PRIV:
|
||||
+ extractValue = PR_FALSE;
|
||||
+ classType = CKO_PUBLIC_KEY;
|
||||
+ break;
|
||||
case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */
|
||||
case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */
|
||||
case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */
|
||||
@@ -6610,6 +6614,35 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
}
|
||||
|
||||
switch (mechanism) {
|
||||
+ /* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
+ * will generate the public portion if it doesn't already exist. */
|
||||
+ case CKM_NSS_PUB_FROM_PRIV: {
|
||||
+ NSSLOWKEYPrivateKey *privKey;
|
||||
+ NSSLOWKEYPublicKey *pubKey;
|
||||
+ int error;
|
||||
+
|
||||
+ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* privKey is stored in sourceKey and will be destroyed when
|
||||
+ * the sourceKey is freed. */
|
||||
+ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv);
|
||||
+ if (privKey == NULL) {
|
||||
+ break;
|
||||
+ }
|
||||
+ pubKey = nsslowkey_ConvertToPublicKey(privKey);
|
||||
+ if (pubKey == NULL) {
|
||||
+ error = PORT_GetError();
|
||||
+ crv = sftk_MapCryptError(error);
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey);
|
||||
+ nsslowkey_DestroyPublicKey(pubKey);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
case CKM_NSS_IKE_PRF_DERIVE:
|
||||
if (pMechanism->ulParameterLen !=
|
||||
sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) {
|
||||
diff -up ./lib/softoken/pkcs11.c.pub-priv-mech ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.pub-priv-mech 2019-06-05 16:37:38.728685788 -0700
|
||||
+++ ./lib/softoken/pkcs11.c 2019-06-05 16:44:20.473479017 -0700
|
||||
@@ -2206,6 +2206,123 @@ sftk_GetPrivKey(SFTKObject *object, CK_K
|
||||
return priv;
|
||||
}
|
||||
|
||||
+/* populate a public key object from a lowpublic keys structure */
|
||||
+CK_RV
|
||||
+sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey)
|
||||
+{
|
||||
+ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY;
|
||||
+ CK_BBOOL cktrue = CK_TRUE;
|
||||
+ CK_RV crv = CKR_OK;
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_CLASS);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_VALUE);
|
||||
+
|
||||
+ switch (keyType) {
|
||||
+ case CKK_RSA:
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_MODULUS);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT);
|
||||
+ /* format the keys */
|
||||
+ /* fill in the RSA dependent paramenters in the public key */
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS,
|
||||
+ sftk_item_expand(&pubKey->u.rsa.modulus));
|
||||
+ if (crv != CKR_OK)
|
||||
+ break;
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT,
|
||||
+ sftk_item_expand(&pubKey->u.rsa.publicExponent));
|
||||
+ break;
|
||||
+ case CKK_DSA:
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
|
||||
+ sftk_item_expand(&pubKey->u.dsa.params.prime));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME,
|
||||
+ sftk_item_expand(&pubKey->u.dsa.params.subPrime));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
|
||||
+ sftk_item_expand(&pubKey->u.dsa.params.base));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
|
||||
+ sftk_item_expand(&pubKey->u.dsa.publicValue));
|
||||
+ break;
|
||||
+
|
||||
+ case CKK_DH:
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_PRIME);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_BASE);
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_PRIME,
|
||||
+ sftk_item_expand(&pubKey->u.dh.prime));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_BASE,
|
||||
+ sftk_item_expand(&pubKey->u.dh.base));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_VALUE,
|
||||
+ sftk_item_expand(&pubKey->u.dh.publicValue));
|
||||
+ break;
|
||||
+
|
||||
+ case CKK_EC:
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS);
|
||||
+ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT);
|
||||
+
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS,
|
||||
+ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
|
||||
+ sftk_item_expand(&pubKey->u.ec.publicValue));
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ return CKR_KEY_TYPE_INCONSISTENT;
|
||||
+ }
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType,
|
||||
+ sizeof(CK_OBJECT_CLASS));
|
||||
+ if (crv != CKR_OK)
|
||||
+ return crv;
|
||||
+ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType,
|
||||
+ sizeof(CK_KEY_TYPE));
|
||||
+ if (crv != CKR_OK)
|
||||
+ return crv;
|
||||
+ /* now handle the operator attributes */
|
||||
+ if (sftk_isTrue(privateKey, CKA_DECRYPT)) {
|
||||
+ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return crv;
|
||||
+ }
|
||||
+ }
|
||||
+ if (sftk_isTrue(privateKey, CKA_SIGN)) {
|
||||
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return crv;
|
||||
+ }
|
||||
+ }
|
||||
+ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) {
|
||||
+ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return crv;
|
||||
+ }
|
||||
+ }
|
||||
+ if (sftk_isTrue(privateKey, CKA_DERIVE)) {
|
||||
+ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return crv;
|
||||
+ }
|
||||
+ }
|
||||
+ return crv;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
**************************** Symetric Key utils ************************
|
||||
*/
|
||||
diff -up ./lib/softoken/pkcs11i.h.pub-priv-mech ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.pub-priv-mech 2019-06-05 16:37:38.730685787 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2019-06-05 16:44:20.473479017 -0700
|
||||
@@ -695,6 +695,9 @@ extern NSSLOWKEYPublicKey *sftk_GetPubKe
|
||||
CK_KEY_TYPE key_type, CK_RV *crvp);
|
||||
extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object,
|
||||
CK_KEY_TYPE key_type, CK_RV *crvp);
|
||||
+extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey,
|
||||
+ CK_KEY_TYPE keyType,
|
||||
+ NSSLOWKEYPublicKey *pubKey);
|
||||
extern void sftk_FormatDESKey(unsigned char *key, int length);
|
||||
extern PRBool sftk_CheckDESKey(unsigned char *key);
|
||||
extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type);
|
||||
diff -up ./lib/util/pkcs11n.h.pub-priv-mech ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.pub-priv-mech 2019-06-05 16:37:38.733685785 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2019-06-05 16:44:54.389461561 -0700
|
||||
@@ -152,11 +152,6 @@
|
||||
#define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5)
|
||||
#define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6)
|
||||
|
||||
-/* IKE mechanism (to be proposed to PKCS #11 */
|
||||
-#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7)
|
||||
-#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8)
|
||||
-#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9)
|
||||
-#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10)
|
||||
|
||||
/* J-PAKE round 1 key generation mechanisms.
|
||||
*
|
||||
@@ -238,6 +233,15 @@
|
||||
|
||||
#define CKM_NSS_CHACHA20_CTR (CKM_NSS + 33)
|
||||
|
||||
+/* IKE mechanism (to be proposed to PKCS #11 */
|
||||
+#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 34)
|
||||
+#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 35)
|
||||
+#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 36)
|
||||
+#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 37)
|
||||
+
|
||||
+/* Derive a public key from a bare private key */
|
||||
+#define CKM_NSS_PUB_FROM_PRIV (CKM_NSS + 40)
|
||||
+
|
||||
/*
|
||||
* HISTORICAL:
|
||||
* Do not attempt to use these. They are only used by NETSCAPE's internal
|
|
@ -0,0 +1,132 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="nss-config">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>nss-config</refentrytitle>
|
||||
<manvolnum>1</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>nss-config</refname>
|
||||
<refpurpose>Return meta information about nss libraries</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>nss-config</command>
|
||||
<arg><option>--prefix</option></arg>
|
||||
<arg><option>--exec-prefix</option></arg>
|
||||
<arg><option>--includedir</option></arg>
|
||||
<arg><option>--libs</option></arg>
|
||||
<arg><option>--cflags</option></arg>
|
||||
<arg><option>--libdir</option></arg>
|
||||
<arg><option>--version</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
|
||||
<para><command>nss-config</command> is a shell scrip
|
||||
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>--prefix</option></term>
|
||||
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--exec-prefix</option></term>
|
||||
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--includedir</option> <replaceable>count</replaceable></term>
|
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--version</option></term>
|
||||
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libs</option></term>
|
||||
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--cflags</option></term>
|
||||
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--libdir</option></term>
|
||||
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Examples</title>
|
||||
|
||||
<para>The following example will query for both include path and linkage flags:
|
||||
|
||||
<programlisting>
|
||||
/usr/bin/nss-config --cflags --libs
|
||||
</programlisting>
|
||||
|
||||
</para>
|
||||
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
|
||||
<para><filename>/usr/bin/nss-config</filename></para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkg-config(1)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>
|
||||
Authors: Elio Maldonado <emaldona@redhat.com>.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_subcerts_unittest.cc \
|
||||
tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
||||
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
|
||||
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
|
||||
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ss->opt.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
||||
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ssl_defaults.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
|
@ -0,0 +1,41 @@
|
|||
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
|
||||
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
|
||||
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
|
||||
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
|
||||
diff -r 699541a7793b lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||
@@ -2042,6 +2042,19 @@
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
+ switch (i) {
|
||||
+ case SEC_OID_MD2:
|
||||
+ case SEC_OID_MD4:
|
||||
+ case SEC_OID_MD5:
|
||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
|
@ -1,202 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1559031046 -7200
|
||||
# Tue May 28 10:10:46 2019 +0200
|
||||
# Node ID 0a4e8b72a92e144663c2f35d3836f7828cfc97f2
|
||||
# Parent 370a9e85f216f5f4ff277995a997c5c9b23a819f
|
||||
Bug 1552208, prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3, r=mt
|
||||
|
||||
Reviewers: mt
|
||||
|
||||
Reviewed By: mt
|
||||
|
||||
Subscribers: mt, jcj, ueno, rrelyea, HubertKario, KevinJacobs
|
||||
|
||||
Tags: #secure-revision, #bmo-crypto-core-security
|
||||
|
||||
Bug #: 1552208
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D32454
|
||||
|
||||
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
@@ -701,6 +701,44 @@ TEST_P(TlsConnectTls12, ClientAuthIncons
|
||||
ConnectExpectAlert(server_, kTlsAlertIllegalParameter);
|
||||
}
|
||||
|
||||
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureScheme) {
|
||||
+ static const SSLSignatureScheme kSignatureScheme[] = {
|
||||
+ ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pss_rsae_sha256};
|
||||
+
|
||||
+ Reset(TlsAgent::kServerRsa, "rsa");
|
||||
+ client_->SetSignatureSchemes(kSignatureScheme,
|
||||
+ PR_ARRAY_SIZE(kSignatureScheme));
|
||||
+ server_->SetSignatureSchemes(kSignatureScheme,
|
||||
+ PR_ARRAY_SIZE(kSignatureScheme));
|
||||
+ client_->SetupClientAuth();
|
||||
+ server_->RequestClientAuth(true);
|
||||
+
|
||||
+ auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
|
||||
+ client_, kTlsHandshakeCertificateVerify);
|
||||
+ capture_cert_verify->EnableDecryption();
|
||||
+
|
||||
+ Connect();
|
||||
+ CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pss_rsae_sha256,
|
||||
+ 1024);
|
||||
+}
|
||||
+
|
||||
+TEST_P(TlsConnectTls13, ClientAuthPkcs1SignatureSchemeOnly) {
|
||||
+ static const SSLSignatureScheme kSignatureScheme[] = {
|
||||
+ ssl_sig_rsa_pkcs1_sha256};
|
||||
+
|
||||
+ Reset(TlsAgent::kServerRsa, "rsa");
|
||||
+ client_->SetSignatureSchemes(kSignatureScheme,
|
||||
+ PR_ARRAY_SIZE(kSignatureScheme));
|
||||
+ server_->SetSignatureSchemes(kSignatureScheme,
|
||||
+ PR_ARRAY_SIZE(kSignatureScheme));
|
||||
+ client_->SetupClientAuth();
|
||||
+ server_->RequestClientAuth(true);
|
||||
+
|
||||
+ ConnectExpectAlert(server_, kTlsAlertHandshakeFailure);
|
||||
+ server_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
|
||||
+ client_->CheckErrorCode(SSL_ERROR_NO_CYPHER_OVERLAP);
|
||||
+}
|
||||
+
|
||||
class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
|
||||
public:
|
||||
TlsZeroCertificateRequestSigAlgsFilter(const std::shared_ptr<TlsAgent>& a)
|
||||
@@ -933,7 +971,7 @@ TEST_P(TlsConnectTls13, InconsistentSign
|
||||
client_->CheckErrorCode(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
|
||||
}
|
||||
|
||||
-TEST_P(TlsConnectTls12Plus, RequestClientAuthWithSha384) {
|
||||
+TEST_P(TlsConnectTls12, RequestClientAuthWithSha384) {
|
||||
server_->SetSignatureSchemes(kSignatureSchemeRsaSha384,
|
||||
PR_ARRAY_SIZE(kSignatureSchemeRsaSha384));
|
||||
server_->RequestClientAuth(false);
|
||||
@@ -1395,12 +1433,21 @@ TEST_P(TlsSignatureSchemeConfiguration,
|
||||
INSTANTIATE_TEST_CASE_P(
|
||||
SignatureSchemeRsa, TlsSignatureSchemeConfiguration,
|
||||
::testing::Combine(
|
||||
- TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12Plus,
|
||||
+ TlsConnectTestBase::kTlsVariantsAll, TlsConnectTestBase::kTlsV12,
|
||||
::testing::Values(TlsAgent::kServerRsaSign),
|
||||
::testing::Values(ssl_auth_rsa_sign),
|
||||
::testing::Values(ssl_sig_rsa_pkcs1_sha256, ssl_sig_rsa_pkcs1_sha384,
|
||||
ssl_sig_rsa_pkcs1_sha512, ssl_sig_rsa_pss_rsae_sha256,
|
||||
ssl_sig_rsa_pss_rsae_sha384)));
|
||||
+// RSASSA-PKCS1-v1_5 is not allowed to be used in TLS 1.3
|
||||
+INSTANTIATE_TEST_CASE_P(
|
||||
+ SignatureSchemeRsaTls13, TlsSignatureSchemeConfiguration,
|
||||
+ ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll,
|
||||
+ TlsConnectTestBase::kTlsV13,
|
||||
+ ::testing::Values(TlsAgent::kServerRsaSign),
|
||||
+ ::testing::Values(ssl_auth_rsa_sign),
|
||||
+ ::testing::Values(ssl_sig_rsa_pss_rsae_sha256,
|
||||
+ ssl_sig_rsa_pss_rsae_sha384)));
|
||||
// PSS with SHA-512 needs a bigger key to work.
|
||||
INSTANTIATE_TEST_CASE_P(
|
||||
SignatureSchemeBigRsa, TlsSignatureSchemeConfiguration,
|
||||
diff --git a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
||||
--- a/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/ssl_ciphersuite_unittest.cc
|
||||
@@ -68,12 +68,6 @@ class TlsCipherSuiteTestBase : public Tl
|
||||
virtual void SetupCertificate() {
|
||||
if (version_ >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
switch (sig_scheme_) {
|
||||
- case ssl_sig_rsa_pkcs1_sha256:
|
||||
- case ssl_sig_rsa_pkcs1_sha384:
|
||||
- case ssl_sig_rsa_pkcs1_sha512:
|
||||
- Reset(TlsAgent::kServerRsaSign);
|
||||
- auth_type_ = ssl_auth_rsa_sign;
|
||||
- break;
|
||||
case ssl_sig_rsa_pss_rsae_sha256:
|
||||
case ssl_sig_rsa_pss_rsae_sha384:
|
||||
Reset(TlsAgent::kServerRsaSign);
|
||||
@@ -330,6 +324,12 @@ static SSLSignatureScheme kSignatureSche
|
||||
ssl_sig_rsa_pss_pss_sha256, ssl_sig_rsa_pss_pss_sha384,
|
||||
ssl_sig_rsa_pss_pss_sha512};
|
||||
|
||||
+static SSLSignatureScheme kSignatureSchemesParamsArrTls13[] = {
|
||||
+ ssl_sig_ecdsa_secp256r1_sha256, ssl_sig_ecdsa_secp384r1_sha384,
|
||||
+ ssl_sig_rsa_pss_rsae_sha256, ssl_sig_rsa_pss_rsae_sha384,
|
||||
+ ssl_sig_rsa_pss_rsae_sha512, ssl_sig_rsa_pss_pss_sha256,
|
||||
+ ssl_sig_rsa_pss_pss_sha384, ssl_sig_rsa_pss_pss_sha512};
|
||||
+
|
||||
INSTANTIATE_CIPHER_TEST_P(RC4, Stream, V10ToV12, kDummyNamedGroupParams,
|
||||
kDummySignatureSchemesParams,
|
||||
TLS_RSA_WITH_RC4_128_SHA,
|
||||
@@ -394,7 +394,7 @@ INSTANTIATE_CIPHER_TEST_P(
|
||||
#ifndef NSS_DISABLE_TLS_1_3
|
||||
INSTANTIATE_CIPHER_TEST_P(TLS13, All, V13,
|
||||
::testing::ValuesIn(kFasterDHEGroups),
|
||||
- ::testing::ValuesIn(kSignatureSchemesParamsArr),
|
||||
+ ::testing::ValuesIn(kSignatureSchemesParamsArrTls13),
|
||||
TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256,
|
||||
TLS_AES_256_GCM_SHA384);
|
||||
INSTANTIATE_CIPHER_TEST_P(TLS13AllGroups, All, V13,
|
||||
diff --git a/gtests/ssl_gtest/ssl_extension_unittest.cc b/gtests/ssl_gtest/ssl_extension_unittest.cc
|
||||
--- a/gtests/ssl_gtest/ssl_extension_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/ssl_extension_unittest.cc
|
||||
@@ -436,14 +436,14 @@ TEST_P(TlsExtensionTest12Plus, Signature
|
||||
}
|
||||
|
||||
TEST_F(TlsExtensionTest13Stream, SignatureAlgorithmsPrecedingGarbage) {
|
||||
- // 31 unknown signature algorithms followed by sha-256, rsa
|
||||
+ // 31 unknown signature algorithms followed by sha-256, rsa-pss
|
||||
const uint8_t val[] = {
|
||||
0x00, 0x40, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
|
||||
- 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x01};
|
||||
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x08, 0x04};
|
||||
DataBuffer extension(val, sizeof(val));
|
||||
MakeTlsFilter<TlsExtensionReplacer>(client_, ssl_signature_algorithms_xtn,
|
||||
extension);
|
||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -64,6 +64,7 @@ static SECStatus ssl3_FlushHandshakeMess
|
||||
static CK_MECHANISM_TYPE ssl3_GetHashMechanismByHashType(SSLHashType hashType);
|
||||
static CK_MECHANISM_TYPE ssl3_GetMgfMechanismByHashType(SSLHashType hash);
|
||||
PRBool ssl_IsRsaPssSignatureScheme(SSLSignatureScheme scheme);
|
||||
+PRBool ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme);
|
||||
PRBool ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme);
|
||||
|
||||
const PRUint8 ssl_hello_retry_random[] = {
|
||||
@@ -4101,6 +4102,9 @@ ssl_SignatureSchemeValid(SSLSignatureSch
|
||||
if (ssl_SignatureSchemeToHashType(scheme) == ssl_hash_sha1) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
+ if (ssl_IsRsaPkcs1SignatureScheme(scheme)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
/* With TLS 1.3, EC keys should have been selected based on calling
|
||||
* ssl_SignatureSchemeFromSpki(), reject them otherwise. */
|
||||
return spkiOid != SEC_OID_ANSIX962_EC_PUBLIC_KEY;
|
||||
@@ -4351,6 +4355,22 @@ ssl_IsRsaPssSignatureScheme(SSLSignature
|
||||
}
|
||||
|
||||
PRBool
|
||||
+ssl_IsRsaPkcs1SignatureScheme(SSLSignatureScheme scheme)
|
||||
+{
|
||||
+ switch (scheme) {
|
||||
+ case ssl_sig_rsa_pkcs1_sha256:
|
||||
+ case ssl_sig_rsa_pkcs1_sha384:
|
||||
+ case ssl_sig_rsa_pkcs1_sha512:
|
||||
+ case ssl_sig_rsa_pkcs1_sha1:
|
||||
+ return PR_TRUE;
|
||||
+
|
||||
+ default:
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
ssl_IsDsaSignatureScheme(SSLSignatureScheme scheme)
|
||||
{
|
||||
switch (scheme) {
|
|
@ -1,169 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1561465415 -7200
|
||||
# Tue Jun 25 14:23:35 2019 +0200
|
||||
# Node ID a0114e3d8b22d4c6ee77504c483a0fe0037f4c71
|
||||
# Parent 313dfef345bd93bc67982249bffa2cfdd5a9d1b5
|
||||
Bug 1560329, drbg: perform continuous test on entropy source
|
||||
|
||||
Summary: FIPS 140-2 section 4.9.2 requires a conditional self test to check that consecutive entropy blocks from the system are different. As neither getentropy() nor /dev/urandom provides that check on the output, this adds the self test at caller side.
|
||||
|
||||
Reviewers: rrelyea
|
||||
|
||||
Bug #: 1560329
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D35636
|
||||
|
||||
diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
|
||||
--- a/lib/freebl/drbg.c
|
||||
+++ b/lib/freebl/drbg.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#define PRNG_ADDITONAL_DATA_CACHE_SIZE (8 * 1024) /* must be less than \
|
||||
* PRNG_MAX_ADDITIONAL_BYTES \
|
||||
*/
|
||||
+#define PRNG_ENTROPY_BLOCK_SIZE SHA256_LENGTH
|
||||
|
||||
/* RESEED_COUNT is how many calls to the prng before we need to reseed
|
||||
* under normal NIST rules, you must return an error. In the NSS case, we
|
||||
@@ -96,6 +97,8 @@ struct RNGContextStr {
|
||||
PRUint32 additionalAvail;
|
||||
PRBool isValid; /* false if RNG reaches an invalid state */
|
||||
PRBool isKatTest; /* true if running NIST PRNG KAT tests */
|
||||
+ /* for continuous entropy check */
|
||||
+ PRUint8 previousEntropyHash[SHA256_LENGTH];
|
||||
};
|
||||
|
||||
typedef struct RNGContextStr RNGContext;
|
||||
@@ -169,6 +172,82 @@ prng_instantiate(RNGContext *rng, const
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
+static PRCallOnceType coRNGInitEntropy;
|
||||
+
|
||||
+static PRStatus
|
||||
+prng_initEntropy(void)
|
||||
+{
|
||||
+ size_t length;
|
||||
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
|
||||
+ SHA256Context ctx;
|
||||
+
|
||||
+ /* For FIPS 140-2 4.9.2 continuous random number generator test,
|
||||
+ * fetch the initial entropy from the system RNG and keep it for
|
||||
+ * later comparison. */
|
||||
+ length = RNG_SystemRNG(block, sizeof(block));
|
||||
+ if (length == 0) {
|
||||
+ return PR_FAILURE; /* error is already set */
|
||||
+ }
|
||||
+ PORT_Assert(length == sizeof(block));
|
||||
+
|
||||
+ /* Store the hash of the entropy block rather than the block
|
||||
+ * itself for backward secrecy. */
|
||||
+ SHA256_Begin(&ctx);
|
||||
+ SHA256_Update(&ctx, block, sizeof(block));
|
||||
+ SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
|
||||
+ sizeof(globalrng->previousEntropyHash));
|
||||
+ PORT_Memset(block, 0, sizeof(block));
|
||||
+ return PR_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+static SECStatus
|
||||
+prng_getEntropy(PRUint8 *buffer, size_t requestLength)
|
||||
+{
|
||||
+ size_t total = 0;
|
||||
+ PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
|
||||
+ PRUint8 hash[SHA256_LENGTH];
|
||||
+ SHA256Context ctx;
|
||||
+ SECStatus rv = SECSuccess;
|
||||
+
|
||||
+ if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) {
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ /* For FIPS 140-2 4.9.2 continuous random generator test,
|
||||
+ * iteratively fetch fixed sized blocks from the system and
|
||||
+ * compare consecutive blocks. */
|
||||
+ while (total < requestLength) {
|
||||
+ size_t length = RNG_SystemRNG(block, sizeof(block));
|
||||
+ if (length == 0) {
|
||||
+ rv = SECFailure; /* error is already set */
|
||||
+ goto out;
|
||||
+ }
|
||||
+ PORT_Assert(length == sizeof(block));
|
||||
+
|
||||
+ /* Store the hash of the entropy block rather than the block
|
||||
+ * itself for backward secrecy. */
|
||||
+ SHA256_Begin(&ctx);
|
||||
+ SHA256_Update(&ctx, block, sizeof(block));
|
||||
+ SHA256_End(&ctx, hash, NULL, sizeof(hash));
|
||||
+
|
||||
+ if (PORT_Memcmp(globalrng->previousEntropyHash, hash, sizeof(hash)) == 0) {
|
||||
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
+ rv = SECFailure;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ PORT_Memcpy(globalrng->previousEntropyHash, hash, sizeof(hash));
|
||||
+ length = PR_MIN(requestLength - total, sizeof(block));
|
||||
+ PORT_Memcpy(buffer, block, length);
|
||||
+ total += length;
|
||||
+ buffer += length;
|
||||
+ }
|
||||
+
|
||||
+ out:
|
||||
+ PORT_Memset(block, 0, sizeof block);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Update the global random number generator with more seeding
|
||||
* material. Use the Hash_DRBG reseed algorithm from NIST SP-800-90
|
||||
@@ -182,11 +261,15 @@ prng_reseed(RNGContext *rng, const PRUin
|
||||
{
|
||||
PRUint8 noiseData[(sizeof rng->V_Data) + PRNG_SEEDLEN];
|
||||
PRUint8 *noise = &noiseData[0];
|
||||
+ SECStatus rv;
|
||||
|
||||
/* if entropy wasn't supplied, fetch it. (normal operation case) */
|
||||
if (entropy == NULL) {
|
||||
- entropy_len = (unsigned int)RNG_SystemRNG(
|
||||
- &noiseData[sizeof rng->V_Data], PRNG_SEEDLEN);
|
||||
+ entropy_len = PRNG_SEEDLEN;
|
||||
+ rv = prng_getEntropy(&noiseData[sizeof rng->V_Data], entropy_len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return SECFailure; /* error is already set */
|
||||
+ }
|
||||
} else {
|
||||
/* NOTE: this code is only available for testing, not to applications */
|
||||
/* if entropy was too big for the stack variable, get it from malloc */
|
||||
@@ -384,7 +467,6 @@ static PRStatus
|
||||
rng_init(void)
|
||||
{
|
||||
PRUint8 bytes[PRNG_SEEDLEN * 2]; /* entropy + nonce */
|
||||
- unsigned int numBytes;
|
||||
SECStatus rv = SECSuccess;
|
||||
|
||||
if (globalrng == NULL) {
|
||||
@@ -403,18 +485,17 @@ rng_init(void)
|
||||
}
|
||||
|
||||
/* Try to get some seed data for the RNG */
|
||||
- numBytes = (unsigned int)RNG_SystemRNG(bytes, sizeof bytes);
|
||||
- PORT_Assert(numBytes == 0 || numBytes == sizeof bytes);
|
||||
- if (numBytes != 0) {
|
||||
+ rv = prng_getEntropy(bytes, sizeof bytes);
|
||||
+ if (rv == SECSuccess) {
|
||||
/* if this is our first call, instantiate, otherwise reseed
|
||||
* prng_instantiate gets a new clean state, we want to mix
|
||||
* any previous entropy we may have collected */
|
||||
if (V(globalrng)[0] == 0) {
|
||||
- rv = prng_instantiate(globalrng, bytes, numBytes);
|
||||
+ rv = prng_instantiate(globalrng, bytes, sizeof bytes);
|
||||
} else {
|
||||
- rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
|
||||
+ rv = prng_reseed_test(globalrng, bytes, sizeof bytes, NULL, 0);
|
||||
}
|
||||
- memset(bytes, 0, numBytes);
|
||||
+ memset(bytes, 0, sizeof bytes);
|
||||
} else {
|
||||
PZ_DestroyLock(globalrng->lock);
|
||||
globalrng->lock = NULL;
|
|
@ -1,30 +0,0 @@
|
|||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -2382,16 +2382,26 @@ ssl3_CreateOverlapWithPolicy(SSLProtocol
|
||||
rv = ssl3_GetEffectiveVersionPolicy(protocolVariant,
|
||||
&effectivePolicyBoundary);
|
||||
if (rv == SECFailure) {
|
||||
/* SECFailure means internal failure or invalid configuration. */
|
||||
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
+ /* TODO: TLSv1.3 doesn't work yet under FIPS mode */
|
||||
+ if (PK11_IsFIPS()) {
|
||||
+ if (effectivePolicyBoundary.min >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ effectivePolicyBoundary.min = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
+ }
|
||||
+ if (effectivePolicyBoundary.max >= SSL_LIBRARY_VERSION_TLS_1_3) {
|
||||
+ effectivePolicyBoundary.max = SSL_LIBRARY_VERSION_TLS_1_2;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
vrange.min = PR_MAX(input->min, effectivePolicyBoundary.min);
|
||||
vrange.max = PR_MIN(input->max, effectivePolicyBoundary.max);
|
||||
|
||||
if (vrange.max < vrange.min) {
|
||||
/* there was no overlap, turn off range altogether */
|
||||
overlap->min = overlap->max = SSL_LIBRARY_VERSION_NONE;
|
||||
return SECFailure;
|
||||
}
|
|
@ -1,81 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Tomas Mraz <tmraz@fedoraproject.org>
|
||||
# Date 1560861770 -7200
|
||||
# Tue Jun 18 14:42:50 2019 +0200
|
||||
# Node ID 6ef49fe67d6227a1d290da5537ec0dade379a15a
|
||||
# Parent ebc93d6daeaa9001d31fd18b5199779da99ae9aa
|
||||
Bug 1559906, fipstest: use CKM_TLS12_MASTER_KEY_DERIVE in TLS test, r=rrelyea
|
||||
|
||||
This also lets us CAVS tests more than just SHA256.
|
||||
|
||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
--- a/cmd/fipstest/fipstest.c
|
||||
+++ b/cmd/fipstest/fipstest.c
|
||||
@@ -6669,12 +6669,13 @@ tls(char *reqfn)
|
||||
|
||||
CK_MECHANISM master_mech = { CKM_TLS_MASTER_KEY_DERIVE, NULL, 0 };
|
||||
CK_MECHANISM key_block_mech = { CKM_TLS_KEY_AND_MAC_DERIVE, NULL, 0 };
|
||||
- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params;
|
||||
- CK_SSL3_KEY_MAT_PARAMS key_block_params;
|
||||
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
|
||||
+ CK_TLS12_KEY_MAT_PARAMS key_block_params;
|
||||
CK_SSL3_KEY_MAT_OUT key_material;
|
||||
CK_RV crv;
|
||||
|
||||
/* set up PKCS #11 parameters */
|
||||
+ master_params.prfHashMechanism = CKM_SHA256;
|
||||
master_params.pVersion = NULL;
|
||||
master_params.RandomInfo.pClientRandom = clientHello_random;
|
||||
master_params.RandomInfo.ulClientRandomLen = sizeof(clientHello_random);
|
||||
@@ -6682,6 +6683,7 @@ tls(char *reqfn)
|
||||
master_params.RandomInfo.ulServerRandomLen = sizeof(serverHello_random);
|
||||
master_mech.pParameter = (void *)&master_params;
|
||||
master_mech.ulParameterLen = sizeof(master_params);
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA256;
|
||||
key_block_params.ulMacSizeInBits = 0;
|
||||
key_block_params.ulKeySizeInBits = 0;
|
||||
key_block_params.ulIVSizeInBits = 0;
|
||||
@@ -6724,13 +6726,39 @@ tls(char *reqfn)
|
||||
if (buf[0] == '[') {
|
||||
if (strncmp(buf, "[TLS", 4) == 0) {
|
||||
if (buf[7] == '0') {
|
||||
+ /* CK_SSL3_MASTER_KEY_DERIVE_PARAMS is a subset of
|
||||
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS and
|
||||
+ * CK_SSL3_KEY_MAT_PARAMS is a subset of
|
||||
+ * CK_TLS12_KEY_MAT_PARAMS. The latter params have
|
||||
+ * an extra prfHashMechanism field at the end. */
|
||||
master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE;
|
||||
key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE;
|
||||
+ master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS);
|
||||
+ key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS);
|
||||
} else if (buf[7] == '2') {
|
||||
- master_mech.mechanism =
|
||||
- CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256;
|
||||
- key_block_mech.mechanism =
|
||||
- CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256;
|
||||
+ if (strncmp(&buf[10], "SHA-1", 5) == 0) {
|
||||
+ master_params.prfHashMechanism = CKM_SHA_1;
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA_1;
|
||||
+ } else if (strncmp(&buf[10], "SHA-224", 7) == 0) {
|
||||
+ master_params.prfHashMechanism = CKM_SHA224;
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA224;
|
||||
+ } else if (strncmp(&buf[10], "SHA-256", 7) == 0) {
|
||||
+ master_params.prfHashMechanism = CKM_SHA256;
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA256;
|
||||
+ } else if (strncmp(&buf[10], "SHA-384", 7) == 0) {
|
||||
+ master_params.prfHashMechanism = CKM_SHA384;
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA384;
|
||||
+ } else if (strncmp(&buf[10], "SHA-512", 7) == 0) {
|
||||
+ master_params.prfHashMechanism = CKM_SHA512;
|
||||
+ key_block_params.prfHashMechanism = CKM_SHA512;
|
||||
+ } else {
|
||||
+ fprintf(tlsresp, "ERROR: Unable to find prf Hash type");
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ master_mech.mechanism = CKM_TLS12_MASTER_KEY_DERIVE;
|
||||
+ key_block_mech.mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE;
|
||||
+ master_mech.ulParameterLen = sizeof(master_params);
|
||||
+ key_block_mech.ulParameterLen = sizeof(key_block_params);
|
||||
} else {
|
||||
fprintf(stderr, "Unknown TLS type %x\n",
|
||||
(unsigned int)buf[0]);
|
|
@ -0,0 +1,21 @@
|
|||
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
|
||||
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
|
||||
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
|
||||
|
||||
/* deprecated #defines. Drop in future NSS releases */
|
||||
-#ifdef NSS_PKCS11_2_0_COMPAT
|
||||
+#ifndef NSS_PKCS11_3_0_STRICT
|
||||
|
||||
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
|
||||
#define CKF_EC_FP CKF_EC_F_P
|
||||
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
|
||||
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
|
||||
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
|
||||
#else
|
||||
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
|
||||
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
|
||||
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
|
||||
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
|
||||
#endif
|
File diff suppressed because it is too large
Load Diff
|
@ -1,127 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Martin Thomson <mt@lowentropy.net>
|
||||
# Date 1560498951 0
|
||||
# Fri Jun 14 07:55:51 2019 +0000
|
||||
# Branch NSS_3_44_BRANCH
|
||||
# Node ID fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
|
||||
# Parent 876bca2723a1f969422edc93e7504420d8331d3c
|
||||
Bug 1515342 - More thorough input checking, r=jcj
|
||||
|
||||
All part of applying better discipline throughout.
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D33736
|
||||
|
||||
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
|
||||
--- a/lib/cryptohi/seckey.c
|
||||
+++ b/lib/cryptohi/seckey.c
|
||||
@@ -639,6 +639,11 @@ seckey_ExtractPublicKey(const CERTSubjec
|
||||
return pubk;
|
||||
break;
|
||||
case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
|
||||
+ /* A basic sanity check on inputs. */
|
||||
+ if (spki->algorithm.parameters.len == 0 || newOs.len == 0) {
|
||||
+ PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
+ break;
|
||||
+ }
|
||||
pubk->keyType = ecKey;
|
||||
pubk->u.ec.size = 0;
|
||||
|
||||
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
||||
--- a/lib/freebl/dh.c
|
||||
+++ b/lib/freebl/dh.c
|
||||
@@ -210,7 +210,8 @@ DH_Derive(SECItem *publicValue,
|
||||
unsigned int len = 0;
|
||||
unsigned int nb;
|
||||
unsigned char *secret = NULL;
|
||||
- if (!publicValue || !prime || !privateValue || !derivedSecret) {
|
||||
+ if (!publicValue || !publicValue->len || !prime || !prime->len ||
|
||||
+ !privateValue || !privateValue->len || !derivedSecret) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
|
||||
--- a/lib/freebl/ec.c
|
||||
+++ b/lib/freebl/ec.c
|
||||
@@ -202,8 +202,8 @@ ec_NewKey(ECParams *ecParams, ECPrivateK
|
||||
#endif
|
||||
MP_DIGITS(&k) = 0;
|
||||
|
||||
- if (!ecParams || !privKey || !privKeyBytes || (privKeyLen < 0) ||
|
||||
- !ecParams->name) {
|
||||
+ if (!ecParams || ecParams->name == ECCurve_noName ||
|
||||
+ !privKey || !privKeyBytes || privKeyLen <= 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -391,7 +391,7 @@ EC_NewKey(ECParams *ecParams, ECPrivateK
|
||||
int len;
|
||||
unsigned char *privKeyBytes = NULL;
|
||||
|
||||
- if (!ecParams) {
|
||||
+ if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -430,7 +430,8 @@ EC_ValidatePublicKey(ECParams *ecParams,
|
||||
mp_err err = MP_OKAY;
|
||||
int len;
|
||||
|
||||
- if (!ecParams || !publicValue || !ecParams->name) {
|
||||
+ if (!ecParams || ecParams->name == ECCurve_noName ||
|
||||
+ !publicValue || !publicValue->len) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -536,8 +537,9 @@ ECDH_Derive(SECItem *publicValue,
|
||||
int i;
|
||||
#endif
|
||||
|
||||
- if (!publicValue || !ecParams || !privateValue || !derivedSecret ||
|
||||
- !ecParams->name) {
|
||||
+ if (!publicValue || !publicValue->len ||
|
||||
+ !ecParams || ecParams->name == ECCurve_noName ||
|
||||
+ !privateValue || !privateValue->len || !derivedSecret) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
diff --git a/lib/util/quickder.c b/lib/util/quickder.c
|
||||
--- a/lib/util/quickder.c
|
||||
+++ b/lib/util/quickder.c
|
||||
@@ -757,6 +757,13 @@ DecodeItem(void* dest,
|
||||
}
|
||||
|
||||
case SEC_ASN1_BIT_STRING: {
|
||||
+ /* Can't be 8 or more spare bits, or any spare bits
|
||||
+ * if there are no octets. */
|
||||
+ if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_DER);
|
||||
+ rv = SECFailure;
|
||||
+ break;
|
||||
+ }
|
||||
/* change the length in the SECItem to be the number
|
||||
of bits */
|
||||
temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);
|
||||
# HG changeset patch
|
||||
# User Kevin Jacobs <kjacobs@mozilla.com>
|
||||
# Date 1561145635 0
|
||||
# Fri Jun 21 19:33:55 2019 +0000
|
||||
# Branch NSS_3_44_BRANCH
|
||||
# Node ID 416a8f7cf8986103b4d74694aac1198edbb08b3e
|
||||
# Parent fb9932d6e083322e7b5dfcd3d6e67477e0bb075a
|
||||
Bug 1515342 - Ignore spki decode failures on negative (expect_fail) tests. r=jcj
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D35565
|
||||
|
||||
diff --git a/gtests/pk11_gtest/pk11_curve25519_unittest.cc b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
|
||||
--- a/gtests/pk11_gtest/pk11_curve25519_unittest.cc
|
||||
+++ b/gtests/pk11_gtest/pk11_curve25519_unittest.cc
|
||||
@@ -40,6 +40,9 @@ class Pkcs11Curve25519Test
|
||||
|
||||
ScopedCERTSubjectPublicKeyInfo certSpki(
|
||||
SECKEY_DecodeDERSubjectPublicKeyInfo(&spkiItem));
|
||||
+ if (!expect_success && !certSpki) {
|
||||
+ return;
|
||||
+ }
|
||||
ASSERT_TRUE(certSpki);
|
||||
|
||||
ScopedSECKEYPublicKey pubKey(SECKEY_ExtractPublicKey(certSpki.get()));
|
|
@ -1,143 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Kevin Jacobs <kjacobs@mozilla.com>
|
||||
# Date 1560499074 0
|
||||
# Fri Jun 14 07:57:54 2019 +0000
|
||||
# Branch NSS_3_44_BRANCH
|
||||
# Node ID 876bca2723a1f969422edc93e7504420d8331d3c
|
||||
# Parent 20671f860c2619dc27208d64a84a759fdffc5ed1
|
||||
Bug 1540541 - Don't unnecessarily strip leading 0's from key material during PKCS11 import. r=jcj,mt
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D31671
|
||||
|
||||
diff --git a/lib/freebl/ecl/ecp_25519.c b/lib/freebl/ecl/ecp_25519.c
|
||||
--- a/lib/freebl/ecl/ecp_25519.c
|
||||
+++ b/lib/freebl/ecl/ecp_25519.c
|
||||
@@ -114,6 +114,9 @@ ec_Curve25519_pt_mul(SECItem *X, SECItem
|
||||
}
|
||||
px = P->data;
|
||||
}
|
||||
+ if (k->len != 32) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
|
||||
SECStatus rv = ec_Curve25519_mul(X->data, k->data, px);
|
||||
if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
|
||||
diff --git a/lib/pk11wrap/pk11akey.c b/lib/pk11wrap/pk11akey.c
|
||||
--- a/lib/pk11wrap/pk11akey.c
|
||||
+++ b/lib/pk11wrap/pk11akey.c
|
||||
@@ -190,7 +190,6 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
|
||||
attrs++;
|
||||
PK11_SETATTRS(attrs, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
attrs++;
|
||||
- signedattr = attrs;
|
||||
PK11_SETATTRS(attrs, CKA_EC_PARAMS,
|
||||
pubKey->u.ec.DEREncodedParams.data,
|
||||
pubKey->u.ec.DEREncodedParams.len);
|
||||
@@ -222,12 +221,14 @@ PK11_ImportPublicKey(PK11SlotInfo *slot,
|
||||
PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
return CK_INVALID_HANDLE;
|
||||
}
|
||||
-
|
||||
templateCount = attrs - theTemplate;
|
||||
- signedcount = attrs - signedattr;
|
||||
PORT_Assert(templateCount <= (sizeof(theTemplate) / sizeof(CK_ATTRIBUTE)));
|
||||
- for (attrs = signedattr; signedcount; attrs++, signedcount--) {
|
||||
- pk11_SignedToUnsigned(attrs);
|
||||
+ if (pubKey->keyType != ecKey) {
|
||||
+ PORT_Assert(signedattr);
|
||||
+ signedcount = attrs - signedattr;
|
||||
+ for (attrs = signedattr; signedcount; attrs++, signedcount--) {
|
||||
+ pk11_SignedToUnsigned(attrs);
|
||||
+ }
|
||||
}
|
||||
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION, theTemplate,
|
||||
templateCount, isToken, &objectID);
|
||||
@@ -1074,9 +1075,13 @@ pk11_loadPrivKeyWithFlags(PK11SlotInfo *
|
||||
&cktrue, &ckfalse);
|
||||
|
||||
/* Not everyone can handle zero padded key values, give
|
||||
- * them the raw data as unsigned */
|
||||
- for (ap = attrs; extra_count; ap++, extra_count--) {
|
||||
- pk11_SignedToUnsigned(ap);
|
||||
+ * them the raw data as unsigned. The exception is EC,
|
||||
+ * where the values are encoded or zero-preserving
|
||||
+ * per-RFC5915 */
|
||||
+ if (privKey->keyType != ecKey) {
|
||||
+ for (ap = attrs; extra_count; ap++, extra_count--) {
|
||||
+ pk11_SignedToUnsigned(ap);
|
||||
+ }
|
||||
}
|
||||
|
||||
/* now Store the puppies */
|
||||
diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
|
||||
--- a/lib/pk11wrap/pk11cert.c
|
||||
+++ b/lib/pk11wrap/pk11cert.c
|
||||
@@ -184,7 +184,9 @@ PK11_IsUserCert(PK11SlotInfo *slot, CERT
|
||||
SECKEY_DestroyPublicKey(pubKey);
|
||||
return PR_FALSE;
|
||||
}
|
||||
- pk11_SignedToUnsigned(&theTemplate);
|
||||
+ if (pubKey->keyType != ecKey) {
|
||||
+ pk11_SignedToUnsigned(&theTemplate);
|
||||
+ }
|
||||
if (pk11_FindObjectByTemplate(slot, &theTemplate, 1) != CK_INVALID_HANDLE) {
|
||||
SECKEY_DestroyPublicKey(pubKey);
|
||||
return PR_TRUE;
|
||||
diff --git a/lib/pk11wrap/pk11pk12.c b/lib/pk11wrap/pk11pk12.c
|
||||
--- a/lib/pk11wrap/pk11pk12.c
|
||||
+++ b/lib/pk11wrap/pk11pk12.c
|
||||
@@ -505,7 +505,7 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
|
||||
}
|
||||
PK11_SETATTRS(attrs, CKA_ID, ck_id->data, ck_id->len);
|
||||
attrs++;
|
||||
- signedattr = attrs;
|
||||
+ /* No signed attrs for EC */
|
||||
/* curveOID always is a copy of AlgorithmID.parameters. */
|
||||
PK11_SETATTRS(attrs, CKA_EC_PARAMS, lpk->u.ec.curveOID.data,
|
||||
lpk->u.ec.curveOID.len);
|
||||
@@ -523,11 +523,12 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
|
||||
}
|
||||
templateCount = attrs - theTemplate;
|
||||
PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
|
||||
- PORT_Assert(signedattr != NULL);
|
||||
- signedcount = attrs - signedattr;
|
||||
-
|
||||
- for (ap = signedattr; signedcount; ap++, signedcount--) {
|
||||
- pk11_SignedToUnsigned(ap);
|
||||
+ if (lpk->keyType != ecKey) {
|
||||
+ PORT_Assert(signedattr);
|
||||
+ signedcount = attrs - signedattr;
|
||||
+ for (ap = signedattr; signedcount; ap++, signedcount--) {
|
||||
+ pk11_SignedToUnsigned(ap);
|
||||
+ }
|
||||
}
|
||||
|
||||
rv = PK11_CreateNewObject(slot, CK_INVALID_SESSION,
|
||||
diff --git a/lib/softoken/legacydb/lgattr.c b/lib/softoken/legacydb/lgattr.c
|
||||
--- a/lib/softoken/legacydb/lgattr.c
|
||||
+++ b/lib/softoken/legacydb/lgattr.c
|
||||
@@ -950,9 +950,9 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
|
||||
case CKA_UNWRAP:
|
||||
return LG_CLONE_ATTR(attribute, type, lg_StaticFalseAttr);
|
||||
case CKA_VALUE:
|
||||
- return lg_CopyPrivAttrSigned(attribute, type,
|
||||
- key->u.ec.privateValue.data,
|
||||
- key->u.ec.privateValue.len, sdbpw);
|
||||
+ return lg_CopyPrivAttribute(attribute, type,
|
||||
+ key->u.ec.privateValue.data,
|
||||
+ key->u.ec.privateValue.len, sdbpw);
|
||||
case CKA_EC_PARAMS:
|
||||
return lg_CopyAttributeSigned(attribute, type,
|
||||
key->u.ec.ecParams.DEREncoding.data,
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -7747,7 +7747,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
|
||||
rv = ECDH_Derive(&ecPoint, &privKey->u.ec.ecParams, &ecScalar,
|
||||
withCofactor, &tmp);
|
||||
- PORT_Free(ecScalar.data);
|
||||
+ PORT_ZFree(ecScalar.data, ecScalar.len);
|
||||
ecScalar.data = NULL;
|
||||
if (privKey != sourceKey->objectInfo) {
|
||||
nsslowkey_DestroyPrivateKey(privKey);
|
|
@ -1,35 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1557150127 -7200
|
||||
# Mon May 06 15:42:07 2019 +0200
|
||||
# Node ID 438ac983bda9ec7944990d22a37877e9111caa90
|
||||
# Parent b018f3e84d87cce99a1fd81feeecb31123058687
|
||||
pk11slot: reference module from slot for finalization
|
||||
|
||||
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
|
||||
--- a/lib/pk11wrap/pk11slot.c
|
||||
+++ b/lib/pk11wrap/pk11slot.c
|
||||
@@ -1439,6 +1439,11 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
|
||||
slot->slotID = slotID;
|
||||
slot->isThreadSafe = mod->isThreadSafe;
|
||||
slot->hasRSAInfo = PR_FALSE;
|
||||
+ slot->module = mod; /* NOTE: we don't make a reference here because
|
||||
+ * modules have references to their slots. This
|
||||
+ * works because modules keep implicit references
|
||||
+ * from their slots, and won't unload and disappear
|
||||
+ * until all their slots have been freed */
|
||||
|
||||
if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) {
|
||||
slot->disabled = PR_TRUE;
|
||||
@@ -1448,11 +1453,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
|
||||
|
||||
/* test to make sure claimed mechanism work */
|
||||
slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
|
||||
- slot->module = mod; /* NOTE: we don't make a reference here because
|
||||
- * modules have references to their slots. This
|
||||
- * works because modules keep implicit references
|
||||
- * from their slots, and won't unload and disappear
|
||||
- * until all their slots have been freed */
|
||||
(void)PK11_MakeString(NULL, slot->slot_name,
|
||||
(char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
|
||||
slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
|
|
@ -1,24 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Greg Rubin <rubin@amazon.com>
|
||||
# Date 1558464083 25200
|
||||
# Tue May 21 11:41:23 2019 -0700
|
||||
# Branch NSS_3_44_BRANCH
|
||||
# Node ID 1eac9016c021055018389a5cb117678ecc61782a
|
||||
# Parent 416a8f7cf8986103b4d74694aac1198edbb08b3e
|
||||
Bug 1554336 - Optimize away unneeded loop in mpi.c r=kevinjacobs,jcj
|
||||
|
||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
||||
--- a/lib/freebl/mpi/mpi.c
|
||||
+++ b/lib/freebl/mpi/mpi.c
|
||||
@@ -2063,7 +2063,10 @@ s_mp_almost_inverse(const mp_int *a, con
|
||||
}
|
||||
}
|
||||
if (res >= 0) {
|
||||
- while (MP_SIGN(c) != MP_ZPOS) {
|
||||
+ if (mp_cmp_mag(c, p) >= 0) {
|
||||
+ MP_CHECKOK(mp_div(c, p, NULL, c));
|
||||
+ }
|
||||
+ if (MP_SIGN(c) != MP_ZPOS) {
|
||||
MP_CHECKOK(mp_add(c, p, c));
|
||||
}
|
||||
res = k;
|
|
@ -1,96 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1559121620 -7200
|
||||
# Wed May 29 11:20:20 2019 +0200
|
||||
# Node ID 29a48b604602a523defd6f9322a5adeca7e284a5
|
||||
# Parent 43a7fb4f994a31222c308113b0fccdd5480d5b8e
|
||||
Bug 1553443, send session ticket only after handshake is marked as finished
|
||||
|
||||
Reviewers: mt
|
||||
|
||||
Reviewed By: mt
|
||||
|
||||
Bug #: 1553443
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D32128
|
||||
|
||||
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
|
||||
@@ -537,6 +537,40 @@ TEST_F(TlsConnectStreamTls13, PostHandsh
|
||||
capture_cert_req->buffer().len()));
|
||||
}
|
||||
|
||||
+// Check if post-handshake auth still works when session tickets are enabled:
|
||||
+// https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
|
||||
+TEST_F(TlsConnectStreamTls13, PostHandshakeAuthWithSessionTicketsEnabled) {
|
||||
+ EnsureTlsSetup();
|
||||
+ client_->SetupClientAuth();
|
||||
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
|
||||
+ SSL_ENABLE_POST_HANDSHAKE_AUTH, PR_TRUE));
|
||||
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(client_->ssl_fd(),
|
||||
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
|
||||
+ EXPECT_EQ(SECSuccess, SSL_OptionSet(server_->ssl_fd(),
|
||||
+ SSL_ENABLE_SESSION_TICKETS, PR_TRUE));
|
||||
+ size_t called = 0;
|
||||
+ server_->SetAuthCertificateCallback(
|
||||
+ [&called](TlsAgent*, PRBool, PRBool) -> SECStatus {
|
||||
+ called++;
|
||||
+ return SECSuccess;
|
||||
+ });
|
||||
+ Connect();
|
||||
+ EXPECT_EQ(0U, called);
|
||||
+ // Send CertificateRequest.
|
||||
+ EXPECT_EQ(SECSuccess, SSL_GetClientAuthDataHook(
|
||||
+ client_->ssl_fd(), GetClientAuthDataHook, nullptr));
|
||||
+ EXPECT_EQ(SECSuccess, SSL_SendCertificateRequest(server_->ssl_fd()))
|
||||
+ << "Unexpected error: " << PORT_ErrorToName(PORT_GetError());
|
||||
+ server_->SendData(50);
|
||||
+ client_->ReadBytes(50);
|
||||
+ client_->SendData(50);
|
||||
+ server_->ReadBytes(50);
|
||||
+ EXPECT_EQ(1U, called);
|
||||
+ ScopedCERTCertificate cert1(SSL_PeerCertificate(server_->ssl_fd()));
|
||||
+ ScopedCERTCertificate cert2(SSL_LocalCertificate(client_->ssl_fd()));
|
||||
+ EXPECT_TRUE(SECITEM_ItemsAreEqual(&cert1->derCert, &cert2->derCert));
|
||||
+}
|
||||
+
|
||||
// In TLS 1.3, the client sends its cert rejection on the
|
||||
// second flight, and since it has already received the
|
||||
// server's Finished, it transitions to complete and
|
||||
diff --git a/lib/ssl/tls13con.c b/lib/ssl/tls13con.c
|
||||
--- a/lib/ssl/tls13con.c
|
||||
+++ b/lib/ssl/tls13con.c
|
||||
@@ -4561,6 +4561,11 @@ tls13_ServerHandleFinished(sslSocket *ss
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
+ rv = tls13_FinishHandshake(ss);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
ssl_GetXmitBufLock(ss);
|
||||
if (ss->opt.enableSessionTickets) {
|
||||
rv = tls13_SendNewSessionTicket(ss, NULL, 0);
|
||||
@@ -4573,8 +4578,7 @@ tls13_ServerHandleFinished(sslSocket *ss
|
||||
}
|
||||
}
|
||||
ssl_ReleaseXmitBufLock(ss);
|
||||
-
|
||||
- return tls13_FinishHandshake(ss);
|
||||
+ return SECSuccess;
|
||||
|
||||
loser:
|
||||
ssl_ReleaseXmitBufLock(ss);
|
||||
diff --git a/tests/ssl/sslauth.txt b/tests/ssl/sslauth.txt
|
||||
--- a/tests/ssl/sslauth.txt
|
||||
+++ b/tests/ssl/sslauth.txt
|
||||
@@ -42,6 +42,7 @@
|
||||
noECC 0 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Require client auth on post hs (client auth)
|
||||
noECC 0 -r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Request don't require client auth on post hs (client does not provide auth)
|
||||
noECC 1 -r_-r_-r_-r_-E -V_tls1.3:tls1.3_-E_-n_none_-w_nss TLS 1.3 Require client auth on post hs (client does not provide auth)
|
||||
+ noECC 0 -r_-r_-r_-E_-u -V_tls1.3:tls1.3_-E_-n_TestUser_-w_nss TLS 1.3 Request don't require client auth on post hs with session ticket (client auth)
|
||||
#
|
||||
# Use EC cert for client authentication
|
||||
#
|
|
@ -1,11 +1,12 @@
|
|||
diff -up nss/gtests/manifest.mn.skip-sysinit-gtests nss/gtests/manifest.mn
|
||||
--- nss/gtests/manifest.mn.skip-sysinit-gtests 2019-04-26 12:55:05.979302035 +0200
|
||||
+++ nss/gtests/manifest.mn 2019-04-26 12:55:09.507228984 +0200
|
||||
@@ -27,7 +27,6 @@ NSS_SRCDIRS = \
|
||||
Index: nss/gtests/manifest.mn
|
||||
===================================================================
|
||||
--- nss.orig/gtests/manifest.mn
|
||||
+++ nss/gtests/manifest.mn
|
||||
@@ -31,7 +31,6 @@ NSS_SRCDIRS = \
|
||||
smime_gtest \
|
||||
softoken_gtest \
|
||||
ssl_gtest \
|
||||
- $(SYSINIT_GTEST) \
|
||||
nss_bogo_shim \
|
||||
pkcs11testmodule \
|
||||
$(NULL)
|
||||
endif
|
||||
|
|
|
@ -1,27 +0,0 @@
|
|||
# HG changeset patch
|
||||
# User Daiki Ueno <dueno@redhat.com>
|
||||
# Date 1558341826 -7200
|
||||
# Mon May 20 10:43:46 2019 +0200
|
||||
# Node ID b447f0046807b718d2928d0e33313620d38a287a
|
||||
# Parent 02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
|
||||
tests: skip TLS 1.3 tests under FIPS mode
|
||||
|
||||
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||
--- a/tests/ssl/ssl.sh
|
||||
+++ b/tests/ssl/ssl.sh
|
||||
@@ -393,6 +393,15 @@ ssl_auth()
|
||||
echo "${testname}" | grep "TLS 1.3" > /dev/null
|
||||
TLS13=$?
|
||||
|
||||
+ # Currently TLS 1.3 tests are known to fail under FIPS mode,
|
||||
+ # because HKDF is implemented using the PKCS #11 functions
|
||||
+ # prohibited under FIPS mode.
|
||||
+ if [ "${TLS13}" -eq 0 ] && \
|
||||
+ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
|
||||
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
|
||||
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
||||
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,644 @@
|
|||
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
|
||||
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
|
||||
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
|
||||
for f in "${files[@]}"; do
|
||||
file_name=$(basename "$f")
|
||||
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
|
||||
+ # TODO(Bug 1854438): Remove P384 exception.
|
||||
+ # TODO(Bug 1854439): Remove P521 exception.
|
||||
+ if [ $file_name == "Hacl_P384.c" \
|
||||
+ -o $file_name == "Hacl_P384.h" \
|
||||
+ -o $file_name == "Hacl_P521.c" \
|
||||
+ -o $file_name == "Hacl_P521.h" ]
|
||||
+ then
|
||||
+ continue;
|
||||
+ fi
|
||||
diff $hacl_file $f
|
||||
done
|
||||
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
|
||||
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -15,15 +15,62 @@
|
||||
#include "mplogic.h"
|
||||
#include "ec.h"
|
||||
#include "ecl.h"
|
||||
+#include "verified/Hacl_P384.h"
|
||||
+#include "verified/Hacl_P521.h"
|
||||
|
||||
#define EC_DOUBLECHECK PR_FALSE
|
||||
|
||||
+SECStatus
|
||||
+ec_secp384r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 48) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P384_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+ec_secp521r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 66) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P521_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
static const ECMethod kMethods[] = {
|
||||
{ ECCurve25519,
|
||||
ec_Curve25519_pt_mul,
|
||||
ec_Curve25519_pt_validate,
|
||||
ec_Curve25519_scalar_validate,
|
||||
- NULL, NULL },
|
||||
+ NULL,
|
||||
+ NULL },
|
||||
{
|
||||
ECCurve_NIST_P256,
|
||||
ec_secp256r1_pt_mul,
|
||||
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
|
||||
SECStatus
|
||||
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
|
||||
{
|
||||
- SECStatus rv = SECSuccess;
|
||||
- mp_err err;
|
||||
+ SECStatus rv = SECFailure;
|
||||
|
||||
unsigned int len = EC_GetScalarSize(ecParams);
|
||||
|
||||
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- /* For known curves, use rejection sampling A.4.2 */
|
||||
- if (ecParams->fieldID.type == ec_field_plain) {
|
||||
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
- rv = SECFailure;
|
||||
- if (method == NULL || method->scalar_validate == NULL) {
|
||||
- /* unknown curve */
|
||||
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
- goto done;
|
||||
- }
|
||||
- int count = 100;
|
||||
- while (rv != SECSuccess && count >= 0) {
|
||||
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
- goto done;
|
||||
- }
|
||||
- rv = method->scalar_validate(privKey);
|
||||
- count--;
|
||||
- }
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
- }
|
||||
- goto done;
|
||||
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
+ if (method == NULL || method->scalar_validate == NULL) {
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- /* For unknown curves, use algotithm A.4.1 */
|
||||
-
|
||||
- unsigned char *order = ecParams->order.data;
|
||||
- mp_int privKeyVal, order_1, one;
|
||||
- unsigned char *privKeyBytes = NULL;
|
||||
-
|
||||
- MP_DIGITS(&privKeyVal) = 0;
|
||||
- MP_DIGITS(&order_1) = 0;
|
||||
- MP_DIGITS(&one) = 0;
|
||||
- CHECK_MPI_OK(mp_init(&privKeyVal));
|
||||
- CHECK_MPI_OK(mp_init(&order_1));
|
||||
- CHECK_MPI_OK(mp_init(&one));
|
||||
-
|
||||
- /* Generates 2*len random bytes using the global random bit generator
|
||||
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
|
||||
- * reduces modulo the group order.
|
||||
- */
|
||||
-
|
||||
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
|
||||
- PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
- rv = SECFailure;
|
||||
- goto cleanup;
|
||||
+ uint8_t leading_coeff_mask;
|
||||
+ switch (ecParams->name) {
|
||||
+ case ECCurve25519:
|
||||
+ case ECCurve_NIST_P256:
|
||||
+ case ECCurve_NIST_P384:
|
||||
+ leading_coeff_mask = 0xff;
|
||||
+ break;
|
||||
+ case ECCurve_NIST_P521:
|
||||
+ leading_coeff_mask = 0x01;
|
||||
+ break;
|
||||
+ default:
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
|
||||
- CHECK_MPI_OK(mp_set_int(&one, 1));
|
||||
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
|
||||
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
|
||||
- memcpy(privKey->data, privKeyBytes, len);
|
||||
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
|
||||
+ int count = 100;
|
||||
+ do {
|
||||
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ privKey->data[0] &= leading_coeff_mask;
|
||||
+ rv = method->scalar_validate(privKey);
|
||||
+ } while (rv != SECSuccess && --count > 0);
|
||||
|
||||
-cleanup:
|
||||
- mp_clear(&privKeyVal);
|
||||
- mp_clear(&order_1);
|
||||
- mp_clear(&one);
|
||||
- if (privKeyBytes) {
|
||||
- PORT_ZFree(privKeyBytes, 2 * len);
|
||||
- }
|
||||
- if (err < MP_OKAY) {
|
||||
- MP_TO_SEC_ERROR(err);
|
||||
- rv = SECFailure;
|
||||
+ if (rv != SECSuccess) { // implies count == 0
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
}
|
||||
|
||||
-done:
|
||||
- if (rv != SECSuccess && privKey->data) {
|
||||
- SECITEM_ZfreeItem(privKey, PR_FALSE);
|
||||
- return rv;
|
||||
- }
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
|
||||
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
|
||||
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
|
||||
const SECItem *digest);
|
||||
|
||||
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
#endif /* __ecl_h_ */
|
||||
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
|
||||
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -38,6 +38,8 @@
|
||||
'ecl/ecp_secp384r1.c',
|
||||
'ecl/ecp_secp521r1.c',
|
||||
'verified/Hacl_P256.c',
|
||||
+ 'verified/Hacl_P384.c',
|
||||
+ 'verified/Hacl_P521.c',
|
||||
'fipsfreebl.c',
|
||||
'blinit.c',
|
||||
'freeblver.c',
|
||||
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
|
||||
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
|
||||
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
|
||||
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
||||
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
|
||||
endif # NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
-VERIFIED_SRCS += Hacl_P256.c
|
||||
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
|
||||
|
||||
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
|
||||
# All 64-bit architectures get the 64 bit version.
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
|
||||
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,126 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P384.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ {
|
||||
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
|
||||
+ }
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)4U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[i];
|
||||
+ uint64_t t2 = c[i];
|
||||
+ uint64_t *res_i = a + i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p384_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xecec196accc52973U;
|
||||
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
|
||||
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
|
||||
+ n[3U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[4U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P384_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[6U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[6U] = { 0U };
|
||||
+ p384_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[6U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
|
||||
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,68 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P384_H
|
||||
+#define __Hacl_P384_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/*******************************************************************************
|
||||
+
|
||||
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
|
||||
+
|
||||
+ This module implements signing and verification, key validation, conversions
|
||||
+ between various point representations, and ECDH key agreement.
|
||||
+
|
||||
+*******************************************************************************/
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P384_H_DEFINED
|
||||
+#endif
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
|
||||
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,131 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P521.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)2U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[(uint32_t)4U * i];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * i];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
|
||||
+ {
|
||||
+ uint64_t t1 = b[8U];
|
||||
+ uint64_t t2 = c[8U];
|
||||
+ uint64_t *res_i = a + (uint32_t)8U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
|
||||
+ }
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ uint8_t tmp[72U] = { 0U };
|
||||
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p521_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
|
||||
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
|
||||
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
|
||||
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
|
||||
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[6U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[7U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[8U] = (uint64_t)0x1ffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P521_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[9U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[9U] = { 0U };
|
||||
+ p521_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[9U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
|
||||
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P521_H
|
||||
+#define __Hacl_P521_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P521_H_DEFINED
|
||||
+#endif
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,63 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="secmod.db">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>secmod.db</refentrytitle>
|
||||
<manvolnum>5</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>secmod.db</refname>
|
||||
<refpurpose>Legacy NSS security modules database</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
|
||||
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
|
||||
</para>
|
||||
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
|
||||
</para>
|
||||
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
|
||||
</refentry>
|
|
@ -0,0 +1,106 @@
|
|||
<?xml version='1.0' encoding='utf-8'?>
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
|
||||
<!ENTITY date SYSTEM "date.xml">
|
||||
<!ENTITY version SYSTEM "version.xml">
|
||||
]>
|
||||
|
||||
<refentry id="setup-nsssysinit">
|
||||
|
||||
<refentryinfo>
|
||||
<date>&date;</date>
|
||||
<title>Network Security Services</title>
|
||||
<productname>nss</productname>
|
||||
<productnumber>&version;</productnumber>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>setup-nsssysinit</refentrytitle>
|
||||
<manvolnum>1</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>setup-nsssysinit</refname>
|
||||
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>setup-nsssysinit</command>
|
||||
<arg><option>on</option></arg>
|
||||
<arg><option>off</option></arg>
|
||||
<arg><option>status</option></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsection id="description">
|
||||
<title>Description</title>
|
||||
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
|
||||
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><option>on</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>off</option></term>
|
||||
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>status</option></term>
|
||||
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Examples</title>
|
||||
|
||||
<para>The following example will query for the status of nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit status
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>The following example, when run as superuser, will turn on nss-sysinit:
|
||||
<programlisting>
|
||||
/usr/bin/setup-nsssysinit on
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>Files</title>
|
||||
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
|
||||
</refsection>
|
||||
|
||||
<refsection>
|
||||
<title>See also</title>
|
||||
<para>pkg-config(1)</para>
|
||||
</refsection>
|
||||
|
||||
<refsection id="authors">
|
||||
<title>Authors</title>
|
||||
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
|
||||
<para>Authors: Elio Maldonado <emaldona@redhat.com>.</para>
|
||||
</refsection>
|
||||
|
||||
<!-- don't change -->
|
||||
<refsection id="license">
|
||||
<title>LICENSE</title>
|
||||
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
</para>
|
||||
</refsection>
|
||||
|
||||
</refentry>
|
||||
|
394
SPECS/nss.spec
394
SPECS/nss.spec
|
@ -1,5 +1,7 @@
|
|||
%global nspr_version 4.21.0
|
||||
%global nss_version 3.44.0
|
||||
%global nspr_build_version 4.35.0-1
|
||||
%global nspr_release -1
|
||||
%global nspr_version 4.35.0
|
||||
%global nss_version 3.90.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global saved_files_dir %{_libdir}/nss/saved
|
||||
%global dracutlibdir %{_prefix}/lib/dracut
|
||||
|
@ -43,20 +45,35 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
|||
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
|
||||
}
|
||||
|
||||
# This is taken from gnutls.spec
|
||||
%define srpmhash() %{lua:
|
||||
local files = rpm.expand("%_specdir/nss.spec")
|
||||
for i, p in ipairs(patches) do
|
||||
files = files.." "..p
|
||||
end
|
||||
for i, p in ipairs(sources) do
|
||||
files = files.." "..p
|
||||
end
|
||||
local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
|
||||
local hash = sha256sum:read("*a")
|
||||
sha256sum:close()
|
||||
print(string.sub(hash, 0, 16))
|
||||
}
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 9%{?dist}
|
||||
Release: 7%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
Requires: nss-util >= %{nss_version}
|
||||
# TODO: revert to same version as nss once we are done with the merge
|
||||
Requires: nss-softokn%{_isa} >= %{nss_version}
|
||||
Requires: nss-system-init
|
||||
Requires: p11-kit-trust
|
||||
Requires: crypto-policies
|
||||
BuildRequires: nspr-devel >= %{nspr_version}
|
||||
Requires: /usr/bin/update-crypto-policies
|
||||
BuildRequires: nspr-devel >= %{nspr_build_version}
|
||||
# for shlibsign
|
||||
BuildRequires: nss-softokn
|
||||
BuildRequires: sqlite-devel
|
||||
|
@ -92,14 +109,14 @@ Source25: key3.db.xml
|
|||
Source26: key4.db.xml
|
||||
Source27: secmod.db.xml
|
||||
Source28: nss-p11-kit.config
|
||||
Source29: nss-softokn-cavs-1.0.tar.gz
|
||||
# fips algorithms are tied to the red hat validation, others
|
||||
# will have their own validation
|
||||
Source30: fips_algorithms.h
|
||||
|
||||
Source50: NameConstraints_Certs.tar
|
||||
|
||||
# To inject hardening flags for DSO
|
||||
Patch1: nss-dso-ldflags.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||
Patch2: nss-539183.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1549382
|
||||
Patch3: nss-module-leak.patch
|
||||
# This patch uses the GCC -iquote option documented at
|
||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||
# to give the in-tree headers a higher priority over the system headers,
|
||||
|
@ -112,43 +129,67 @@ Patch3: nss-module-leak.patch
|
|||
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||
# but it doesn't hurt to keep it.
|
||||
Patch4: iquote.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
|
||||
Patch5: nss-skip-tls13-fips.patch
|
||||
# TLS 1.3 currently doesn't work under FIPS mode:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1710372
|
||||
Patch6: nss-fips-disable-tls13.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552208
|
||||
Patch7: nss-disable-pkcs1-sigalgs-tls13.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1553443
|
||||
Patch8: nss-post-handshake-auth-with-tickets.patch
|
||||
# To revert the change in:
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
|
||||
Patch9: nss-sysinit-userdb.patch
|
||||
# Disable nss-sysinit test which is sorely to test the above change
|
||||
Patch10: nss-skip-sysinit-gtests.patch
|
||||
# Upstream patch didn't make 3.44
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229
|
||||
Patch200: nss-ike-patch.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1546477
|
||||
Patch201: nss-softokn-fips-update.patch
|
||||
# Disable nss-sysinit test which is solely to test the above change
|
||||
Patch10: nss-skip-sysinit-gtests.patch
|
||||
Patch15: nss-3.90-extend-db-dump-time.patch
|
||||
# For compatibility reasons, we stick with the old PKCS #11 2.40
|
||||
# definition of CK_GCM_PARAMS:
|
||||
%if 0%{?fedora} < 34
|
||||
%if 0%{?rhel} < 9
|
||||
Patch20: nss-gcm-param-default-pkcs11v2.patch
|
||||
%endif
|
||||
%endif
|
||||
# Local patch: disable MD5 (also MD2 and MD4) completely
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
|
||||
Patch25: nss-disable-md5.patch
|
||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806
|
||||
Patch202: nss-8-fix-public-key-from-priv.patch
|
||||
Patch204: nss-8-add-ipsec-usage-to-manpage.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1560329
|
||||
Patch205: nss-drbg-continuous.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1559906
|
||||
Patch206: nss-fipstest-tls12-prf.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1554336
|
||||
Patch210: nss-mpi-loop.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1540541
|
||||
Patch211: nss-leading-zero.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1515342
|
||||
Patch212: nss-input-check.patch
|
||||
Patch213: nss-3.44-missing-softokn-kdf.patch
|
||||
Patch218: nss-3.44-encrypt-update.patch
|
||||
Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
Patch34: nss-3.71-fix-lto-gtests.patch
|
||||
# Local patch: disable Delegated Credentials
|
||||
Patch35: nss-disable-dc.patch
|
||||
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
|
||||
# is updated.
|
||||
Patch40: nss-3.66-disable-signature-policies.patch
|
||||
# Local patch: disable tests that require external reference so brew completes
|
||||
Patch45: nss-3.66-disable-external-host-test.patch
|
||||
# Local patch: restore old pkcs 12 defaults on old version of rhel
|
||||
Patch50: nss-3.66-restore-old-pkcs12-default.patch
|
||||
# Local Patch: restore expired distrusted certs for now
|
||||
Patch51: nss-3.79-revert-distrusted-certs.patch
|
||||
# Local Patch: update fipsdefaults to AES
|
||||
Patch52: nss-3.79-pkcs12-fips-defaults.patch
|
||||
Patch53: nss-3.71-camellia-pkcs12-doc.patch
|
||||
Patch54: nss-3.90-disable-ech.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
|
||||
Patch57: nss-3.79-dbtool.patch
|
||||
Patch58: nss-3.79-fips.patch
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
|
||||
Patch60: nss-3.90-DisablingASM.patch
|
||||
Patch61: nss-3.79-fips-review.patches
|
||||
Patch62: nss-3.90-no-dbm-25519.patch
|
||||
Patch63: nss-3.90-pbkdf2-indicator.patch
|
||||
|
||||
#ems policy. needs to upstream
|
||||
Patch70: nss-3.90-add-ems-policy.patch
|
||||
|
||||
Patch80: blinding_ct.patch
|
||||
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
|
||||
Patch82: nss-3.90-fips-safe-memset.patch
|
||||
Patch83: nss-3.90-fips-indicators.patch
|
||||
Patch84: nss-3.90-aes-gmc-indicator.patch
|
||||
Patch85: nss-3.90-fips-indicators2.patch
|
||||
Patch86: nss-3.90-dh-test-update.patch
|
||||
Patch90: nss_p256_scalar_validated.patch
|
||||
Patch91: nss_p384_scalar_validated.patch
|
||||
Patch92: nss_p384_hacl.patch
|
||||
Patch93: nss_p521_hacl.patch
|
||||
Patch94: nss-3.90-ecc-wrap-fix.patch
|
||||
Patch95: nss-3.90-ecdsa-sign-padding-fix.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -176,7 +217,7 @@ Summary: System NSS Initialization
|
|||
# providing nss-system-init without version so that it can
|
||||
# be replaced by a better one, e.g. supplied by the os vendor
|
||||
Provides: nss-system-init
|
||||
Requires: nss = %{version}-%{release}
|
||||
Requires: nss%{?_isa} = %{version}-%{release}
|
||||
Requires(post): coreutils, sed
|
||||
|
||||
%description sysinit
|
||||
|
@ -191,7 +232,7 @@ Provides: nss-static = %{version}-%{release}
|
|||
Requires: nss%{?_isa} = %{version}-%{release}
|
||||
Requires: nss-util-devel
|
||||
Requires: nss-softokn-devel
|
||||
Requires: nspr-devel >= %{nspr_version}
|
||||
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||
Requires: pkgconfig
|
||||
BuildRequires: xmlto
|
||||
|
||||
|
@ -212,7 +253,7 @@ low level services.
|
|||
|
||||
%package util
|
||||
Summary: Network Security Services Utilities Library
|
||||
Requires: nspr >= %{nspr_version}
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
|
||||
%description util
|
||||
Utilities for Network Security Services and the Softoken module
|
||||
|
@ -220,7 +261,7 @@ Utilities for Network Security Services and the Softoken module
|
|||
%package util-devel
|
||||
Summary: Development libraries for Network Security Services Utilities
|
||||
Requires: nss-util%{?_isa} = %{version}-%{release}
|
||||
Requires: nspr-devel >= %{nspr_version}
|
||||
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||
Requires: pkgconfig
|
||||
|
||||
%description util-devel
|
||||
|
@ -229,7 +270,7 @@ Header and library files for doing development with Network Security Services.
|
|||
|
||||
%package softokn
|
||||
Summary: Network Security Services Softoken Module
|
||||
Requires: nspr >= %{nspr_version}
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
Requires: nss-util >= %{version}-%{release}
|
||||
Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release}
|
||||
|
||||
|
@ -266,26 +307,34 @@ Developers should rely only on the officially supported NSS public API.
|
|||
Summary: Development libraries for Network Security Services
|
||||
Requires: nss-softokn%{?_isa} = %{version}-%{release}
|
||||
Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release}
|
||||
Requires: nspr-devel >= %{nspr_version}
|
||||
Requires: nspr-devel >= %{nspr_version}%{nspr_release}
|
||||
Requires: nss-util-devel >= %{version}-%{release}
|
||||
Requires: pkgconfig
|
||||
BuildRequires: nspr-devel >= %{nspr_version}
|
||||
BuildRequires: nspr-devel >= %{nspr_build_version}
|
||||
|
||||
%description softokn-devel
|
||||
Header and library files for doing development with Network Security Services.
|
||||
|
||||
|
||||
%prep
|
||||
#autosetup -N -S quilt -n %{name}-%{nss_archive_version}
|
||||
%autosetup -N -n %{name}-%{nss_archive_version} -a 29
|
||||
%autosetup -N -n %{name}-%{nss_archive_version}
|
||||
pushd nss
|
||||
%autopatch -p1
|
||||
%autopatch -p1
|
||||
popd
|
||||
|
||||
# copy the fips_algorithms.h for this release
|
||||
# this file is release specific and matches what
|
||||
# each vendors claim in their own FIPS certification
|
||||
cp %{SOURCE30} nss/lib/softoken/
|
||||
|
||||
#update expired test certs
|
||||
pushd nss
|
||||
tar xvf %{SOURCE50}
|
||||
popd
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
|
||||
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
|
||||
|
||||
|
||||
%build
|
||||
|
||||
export FREEBL_NO_DEPEND=1
|
||||
|
@ -299,7 +348,14 @@ export FREEBL_LOWHASH=1
|
|||
# uncomment if the iquote patch is activated
|
||||
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
||||
|
||||
# FIPS related defines
|
||||
export NSS_FORCE_FIPS=1
|
||||
export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
|
||||
eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
|
||||
export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
|
||||
export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
|
||||
export NSS_FIPS_140_3=1
|
||||
export NSS_ENABLE_FIPS_INDICATORS=1
|
||||
|
||||
# Enable compiler optimizations and disable debugging code
|
||||
export BUILD_OPT=1
|
||||
|
@ -333,17 +389,14 @@ export USE_64=1
|
|||
%endif
|
||||
%endif
|
||||
|
||||
##### phase 2: build the rest of nss
|
||||
make -C ./nss/coreconf
|
||||
make -C ./nss/lib/dbm
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load if it exists
|
||||
export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
make -C ./nss
|
||||
%{__make} -C ./nss all
|
||||
%{__make} -C ./nss latest
|
||||
|
||||
# build the man pages clean
|
||||
pushd ./nss/doc
|
||||
|
@ -478,6 +531,10 @@ export USE_64=1
|
|||
# disabled by the system policy.
|
||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||
|
||||
%ifarch i686 ppcle64
|
||||
export NSS_DB_DUMP_TIME=10
|
||||
%endif
|
||||
|
||||
# enable the following line to force a test failure
|
||||
# find ./nss -name \*.chk | xargs rm -f
|
||||
|
||||
|
@ -517,7 +574,9 @@ pushd nss/tests
|
|||
# all.sh is the test suite script
|
||||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 8, the default db is sql, but we want
|
||||
# standard to test dbm, or upgradedb will fail
|
||||
%define nss_cycles "standard pkix upgradedb sharedb threadunsafe"
|
||||
# the full list from all.sh is:
|
||||
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
|
||||
|
@ -591,7 +650,7 @@ do
|
|||
done
|
||||
|
||||
# Copy the binaries we ship as unsupported
|
||||
for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
|
||||
for file in bltest dbtool ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain
|
||||
do
|
||||
install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
|
||||
done
|
||||
|
@ -603,7 +662,7 @@ do
|
|||
done
|
||||
|
||||
# Copy some freebl include files we also want
|
||||
for file in blapi.h alghmac.h
|
||||
for file in blapi.h alghmac.h cmac.h
|
||||
do
|
||||
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
||||
done
|
||||
|
@ -664,10 +723,7 @@ install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/loc
|
|||
# from previous versions of nss.spec
|
||||
/usr/bin/setup-nsssysinit.sh on
|
||||
|
||||
%post
|
||||
update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
%postun
|
||||
%posttrans
|
||||
update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
|
||||
|
@ -719,6 +775,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
%{unsupported_tools_directory}/strsclnt
|
||||
%{unsupported_tools_directory}/symkeyutil
|
||||
%{unsupported_tools_directory}/tstclnt
|
||||
%{unsupported_tools_directory}/validation
|
||||
%{unsupported_tools_directory}/vfyserv
|
||||
%{unsupported_tools_directory}/vfychain
|
||||
# instead of %%{_mandir}/man*/* let's list them explicitly
|
||||
|
@ -778,6 +835,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
%{_includedir}/nss3/p12plcy.h
|
||||
%{_includedir}/nss3/p12t.h
|
||||
%{_includedir}/nss3/pk11func.h
|
||||
%{_includedir}/nss3/pk11hpke.h
|
||||
%{_includedir}/nss3/pk11pqg.h
|
||||
%{_includedir}/nss3/pk11priv.h
|
||||
%{_includedir}/nss3/pk11pub.h
|
||||
|
@ -875,6 +933,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
%dir %{saved_files_dir}
|
||||
%dir %{unsupported_tools_directory}
|
||||
%{unsupported_tools_directory}/bltest
|
||||
%{unsupported_tools_directory}/dbtool
|
||||
%{unsupported_tools_directory}/ecperf
|
||||
%{unsupported_tools_directory}/fbectest
|
||||
%{unsupported_tools_directory}/fipstest
|
||||
|
@ -897,6 +956,7 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
%{_includedir}/nss3/blapi.h
|
||||
%{_includedir}/nss3/blapit.h
|
||||
%{_includedir}/nss3/alghmac.h
|
||||
%{_includedir}/nss3/cmac.h
|
||||
%{_includedir}/nss3/lowkeyi.h
|
||||
%{_includedir}/nss3/lowkeyti.h
|
||||
|
||||
|
@ -921,8 +981,206 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Dec 4 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-9
|
||||
- Fix out-of-bounds write in NSC_EncryptUpdate (#1775912)
|
||||
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
|
||||
- Allow for shorter ecdsa signatures by padding them to full length
|
||||
|
||||
* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
|
||||
- Fix ecc DER wrapping.
|
||||
|
||||
* Wed Jan 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
|
||||
- Pick up validated constant time implementations of p256, p384, and p521
|
||||
from upsream
|
||||
- More Fips indicator changes
|
||||
|
||||
* Wed Dec 6 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
|
||||
- FIPS review changes
|
||||
- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
|
||||
- update the indicators for this release
|
||||
- allow hashing of longer than int32 values in a single PKCS #11 call.
|
||||
|
||||
* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.1
|
||||
- Fix expired certs in tests
|
||||
- Fix CVE-2023-5388
|
||||
|
||||
* Thu Aug 3 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
|
||||
- add indicators for pbkdf2
|
||||
- add camellia to pkcs12 doc files
|
||||
- fix ems policy bug
|
||||
- disable ech
|
||||
|
||||
* Thu Jul 27 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-2
|
||||
- fix the change log
|
||||
|
||||
* Thu Jul 27 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
|
||||
- rebase to NSS 3.90
|
||||
|
||||
* Wed Mar 8 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
|
||||
- Fix CVE-2023-0767
|
||||
|
||||
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
|
||||
- Fix QA found failures:
|
||||
- remove extra '+' from sslpolicy.txt file causing test error values
|
||||
- only use GRND_RANDOM if the kernel is in FIPS mode.
|
||||
|
||||
* Fri Aug 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
|
||||
- FIPS 140-3 changes
|
||||
|
||||
* Wed Jul 13 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
|
||||
- Update fips default for pk12util to AES rather than TDES
|
||||
- Fix bug in pkcs12 files with null passwords
|
||||
|
||||
* Wed Jul 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
|
||||
- Better fix for test regressions
|
||||
|
||||
* Mon Jun 27 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
|
||||
- fix nss.spec so it works in a rhel-8.1.0 buildroot
|
||||
|
||||
* Mon Jun 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
|
||||
- FIPS 140-3 changes
|
||||
- Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject
|
||||
signature keys by policy
|
||||
- Allow applications to retrigger selftests on demand.
|
||||
|
||||
* Fri Jun 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
|
||||
- Fix pkgconfig output
|
||||
|
||||
* Wed Jun 15 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
|
||||
- NSR Coverity fix changed selfserv from passive to active, change it back
|
||||
|
||||
* Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
|
||||
- Fix regressions found in test suites.
|
||||
|
||||
* Thu Jun 2 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
|
||||
- Rebase to NSS 3.79
|
||||
- Set FIPS Module ID
|
||||
- skip attribute verification on attributes with default values
|
||||
- don't export trust objects if they are default trust objects from dbm
|
||||
- add dbtool to nss-tools
|
||||
|
||||
* Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
|
||||
- Fix CVE 2021 43527
|
||||
|
||||
* Tue Jul 6 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-6
|
||||
- Fix ssl alert issue
|
||||
|
||||
* Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
|
||||
- Fix issue with reading databases that were updated using
|
||||
unpatched versions of nss
|
||||
|
||||
* Tue Jun 29 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
|
||||
- Better fix for the sdb timeout. The issue wasn't a race, it was
|
||||
the sqlite timeout waiting to begin a transaction under heavy
|
||||
thread usage.
|
||||
|
||||
* Mon Jun 28 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
|
||||
- Fix sdb race condition
|
||||
|
||||
* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-2
|
||||
- Fix coverity issues
|
||||
|
||||
* Thu Jun 17 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
|
||||
- Rebase to NSS 3.67
|
||||
|
||||
* Tue Jun 15 2021 Bob Relyea <rrelyea@redhat.com> - 3.66.0-2
|
||||
- Restore old pkcs12 defaults.
|
||||
|
||||
* Mon Jun 14 2021 Bob Relyea <rrelyea@redhat.com> - 3.66.0-1.1
|
||||
- build nss for older nspr so we can pass gating with
|
||||
the new nspr in the build root
|
||||
|
||||
* Wed Jun 2 2021 Bob Relyea <rrelyea@redhat.com> - 3.66.0-1
|
||||
- Rebase to NSS 3.66
|
||||
|
||||
* Thu Dec 3 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-17
|
||||
- Fix various corner cases with ike v1 app b support.
|
||||
|
||||
* Thu Nov 19 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-16
|
||||
- Fix the following CVE
|
||||
- CVE-2020-12403 chacha-poly issues
|
||||
- CVE-2020-12400 constant time ECC.
|
||||
- CVE-2020-6829 constant time ECC.
|
||||
|
||||
* Wed Nov 4 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-15
|
||||
- Revert some policy changes the generate ABI runtime issues.
|
||||
|
||||
* Thu Oct 29 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-14
|
||||
- Add support for enable/disable in policy. Now if your policy
|
||||
file has disallow=x enable=y it will act just like our other
|
||||
libraries.
|
||||
|
||||
* Mon Oct 26 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-13
|
||||
- Add OAEP interface so applications can wrap keys with RSA-OAEP
|
||||
rather than RSA-PKCS-1.
|
||||
|
||||
* Mon Oct 19 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-12
|
||||
- fips need to reject small primes even if they are approved
|
||||
- code to autodetect whether or not to use the cache needs to do so
|
||||
in a way that doesn't mess with filesystem negative file caching.
|
||||
- add kdf selftests
|
||||
|
||||
* Thu Jul 30 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-11
|
||||
- Fix issue with upgradedb where upgradedb expects standard to
|
||||
generate dbm databases, not sql databases (default in RHEL8)
|
||||
|
||||
* Thu Jul 30 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-10
|
||||
- Disable dh timing test because it's unreliable on s390
|
||||
|
||||
* Thu Jul 30 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-9
|
||||
- Explicitly enable upgradedb/sharedb test cycles
|
||||
|
||||
* Wed Jul 29 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-8
|
||||
- Disable Delegated Credentials for TLS
|
||||
|
||||
* Fri Jul 24 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-7
|
||||
- Fix attribute decryption issue where the private key components
|
||||
integrity check on private attributes where not being checked.
|
||||
|
||||
* Mon Jul 13 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-6
|
||||
- Update nss-rsa-pkcs1-sigalgs.patch to the upstream version
|
||||
|
||||
* Sat Jul 11 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-5
|
||||
- Include required checks for dh and ecdh key generation in FIPS mode.
|
||||
|
||||
* Wed Jul 8 2020 Bob Relyea <rrelyea@redhat.com> - 3.53.1-4
|
||||
- Add better checks for dh derive operations in FIPS mode.
|
||||
|
||||
* Thu Jun 25 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-3
|
||||
- Disable NSS_HASH_ALG_SUPPORT as well for MD5 (#1849938)
|
||||
- Adjust for update-crypto-policies packaging change (#1848649)
|
||||
- Fix compilation with -Werror=strict-prototypes (#1843417)
|
||||
|
||||
* Wed Jun 24 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-2
|
||||
- Fix regression in MD5 disablement (#1849938)
|
||||
- Include rsa_pkcs1_* in signature_algorithms extension (#1847945)
|
||||
|
||||
* Mon Jun 22 2020 Daiki Ueno <dueno@redhat.com> - 3.53.1-1
|
||||
- Update to NSS 3.53.1
|
||||
|
||||
* Sat Jun 6 2020 Daiki Ueno <dueno@redhat.com> - 3.53.0-1
|
||||
- Update to NSS 3.53
|
||||
|
||||
* Fri Jan 31 2020 Bob Relyea <rrelyea@redhat.com> - 3.44.0-15
|
||||
- Fix swapped CMAC PKCS #11 values.
|
||||
- Fix data alignment crash in CMAC.
|
||||
|
||||
* Tue Dec 3 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-14
|
||||
- Fix coverify scan issue
|
||||
|
||||
* Mon Dec 2 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-13
|
||||
- Fix endian problem in SP-800 108 code.
|
||||
|
||||
* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-12
|
||||
- Install cmac.h required by blapi.h (#1764513)
|
||||
- Fix out-of-bounds write in NSC_EncryptUpdate (#1775913)
|
||||
|
||||
* Wed Nov 27 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-11
|
||||
- Add SP-800 108 Generalized kdf
|
||||
|
||||
* Mon Nov 11 2019 Daiki Ueno <dueno@redhat.com> - 3.44.0-10
|
||||
- Check policy against hash algorithms used for ServerKeyExchange (#1730039)
|
||||
|
||||
* Wed Nov 6 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-9
|
||||
- Add CMAC
|
||||
|
||||
* Thu Aug 8 2019 Bob Relyea <rrelyea@redhat.com> - 3.44.0-8
|
||||
- CKM_NSS_IKE1_APP_B_PRF_DERIVE was missing from the mechanism list, preventing
|
||||
|
|
Loading…
Reference in New Issue