- update to NSS 3.66
* no releasenotes available yet https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes - update to NSS 3.65 * bmo#1709654 - Update for NetBSD configuration. * bmo#1709750 - Disable HPKE test when fuzzing. * bmo#1566124 - Optimize AES-GCM for ppc64le. * bmo#1699021 - Add AES-256-GCM to HPKE. * bmo#1698419 - ECH -10 updates. * bmo#1692930 - Update HPKE to final version. * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. * bmo#1703936 - New coverity/cpp scanner errors. * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. - refreshed patches - Firefox 90.0 requires NSS 3.66 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=361
parent
2607747af9
commit
009bd2b01c
@ -1,7 +1,8 @@
|
||||
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
|
||||
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
|
||||
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
|
||||
@@ -174,6 +174,12 @@ endif
|
||||
Index: nss/coreconf/Linux.mk
|
||||
===================================================================
|
||||
--- nss.orig/coreconf/Linux.mk
|
||||
+++ nss/coreconf/Linux.mk
|
||||
@@ -183,6 +183,12 @@ endif
|
||||
endif
|
||||
endif
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
mozilla-nss
|
||||
requires "mozilla-nspr-<targettype> >= 4.30"
|
||||
requires "mozilla-nspr-<targettype> >= 4.31"
|
||||
requires "libfreebl3-<targettype>"
|
||||
requires "libsoftokn3-<targettype>"
|
||||
requires "libnssckbi.so"
|
||||
|
10
malloc.patch
10
malloc.patch
@ -1,8 +1,8 @@
|
||||
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
||||
index c1730d8..5eee525 100755
|
||||
--- a/tests/ssl/ssl.sh
|
||||
+++ b/tests/ssl/ssl.sh
|
||||
@@ -1449,6 +1449,7 @@ ssl_run_tests()
|
||||
Index: nss/tests/ssl/ssl.sh
|
||||
===================================================================
|
||||
--- nss.orig/tests/ssl/ssl.sh
|
||||
+++ nss/tests/ssl/ssl.sh
|
||||
@@ -1683,6 +1683,7 @@ ssl_run_tests()
|
||||
|
||||
################################# main #################################
|
||||
|
||||
|
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Jul 10 08:50:18 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
|
||||
|
||||
- update to NSS 3.66
|
||||
* no releasenotes available yet
|
||||
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.66_release_notes
|
||||
- update to NSS 3.65
|
||||
* bmo#1709654 - Update for NetBSD configuration.
|
||||
* bmo#1709750 - Disable HPKE test when fuzzing.
|
||||
* bmo#1566124 - Optimize AES-GCM for ppc64le.
|
||||
* bmo#1699021 - Add AES-256-GCM to HPKE.
|
||||
* bmo#1698419 - ECH -10 updates.
|
||||
* bmo#1692930 - Update HPKE to final version.
|
||||
* bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default.
|
||||
* bmo#1703936 - New coverity/cpp scanner errors.
|
||||
* bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards.
|
||||
* bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms.
|
||||
* bmo#1705119 - Deadlock when using GCM and non-thread safe tokens.
|
||||
- refreshed patches
|
||||
- Firefox 90.0 requires NSS 3.66
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 27 17:24:41 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
|
||||
|
||||
|
@ -17,14 +17,14 @@
|
||||
#
|
||||
|
||||
|
||||
%global nss_softokn_fips_version 3.64
|
||||
%define NSPR_min_version 4.30
|
||||
%global nss_softokn_fips_version 3.66
|
||||
%define NSPR_min_version 4.31
|
||||
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
|
||||
%define nssdbdir %{_sysconfdir}/pki/nssdb
|
||||
Name: mozilla-nss
|
||||
Version: 3.64
|
||||
Version: 3.66
|
||||
Release: 0
|
||||
%define underscore_version 3_64
|
||||
%define underscore_version 3_66
|
||||
Summary: Network Security Services
|
||||
License: MPL-2.0
|
||||
Group: System/Libraries
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:d3175427172e9c3a6f1ebc74452cb791590f28191c6a1a443dbc0d87c9df1126
|
||||
size 82173054
|
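--- a/nss-3.66.tar.gz
+++ b/nss-3.66.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89a79e3a756cf0ac9ba645f4d4c0fc58d4133134401fb0b6c8a74c420bb4cdc9
+size 82401896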
@ -6,9 +6,10 @@
|
||||
# Parent 3f4d682c9a1e8b3d939c744ee249e23179db5191
|
||||
imported patch nss-fips-approved-crypto-non-ec.patch
|
||||
|
||||
diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
--- a/lib/freebl/deprecated/alg2268.c
|
||||
+++ b/lib/freebl/deprecated/alg2268.c
|
||||
Index: nss/lib/freebl/deprecated/alg2268.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/deprecated/alg2268.c
|
||||
+++ nss/lib/freebl/deprecated/alg2268.c
|
||||
@@ -16,6 +16,8 @@
|
||||
#include <stddef.h> /* for ptrdiff_t */
|
||||
#endif
|
||||
@ -18,7 +19,7 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
/*
|
||||
** RC2 symmetric block cypher
|
||||
*/
|
||||
@@ -119,6 +121,7 @@
|
||||
@@ -119,6 +121,7 @@ static const PRUint8 S[256] = {
|
||||
RC2Context *
|
||||
RC2_AllocateContext(void)
|
||||
{
|
||||
@ -26,7 +27,7 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
return PORT_ZNew(RC2Context);
|
||||
}
|
||||
SECStatus
|
||||
@@ -133,6 +136,8 @@
|
||||
@@ -133,6 +136,8 @@ RC2_InitContext(RC2Context *cx, const un
|
||||
#endif
|
||||
PRUint8 tmpB;
|
||||
|
||||
@ -35,7 +36,7 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
if (!key || !cx || !len || len > (sizeof cx->B) ||
|
||||
efLen8 > (sizeof cx->B)) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -204,7 +209,11 @@
|
||||
@@ -204,7 +209,11 @@ RC2Context *
|
||||
RC2_CreateContext(const unsigned char *key, unsigned int len,
|
||||
const unsigned char *iv, int mode, unsigned efLen8)
|
||||
{
|
||||
@ -48,7 +49,7 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
if (cx) {
|
||||
SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0);
|
||||
if (rv != SECSuccess) {
|
||||
@@ -456,7 +465,11 @@
|
||||
@@ -456,7 +465,11 @@ RC2_Encrypt(RC2Context *cx, unsigned cha
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
const unsigned char *input, unsigned int inputLen)
|
||||
{
|
||||
@ -61,7 +62,7 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
if (inputLen) {
|
||||
if (inputLen % RC2_BLOCK_SIZE) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
@@ -490,7 +503,11 @@
|
||||
@@ -490,7 +503,11 @@ RC2_Decrypt(RC2Context *cx, unsigned cha
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
const unsigned char *input, unsigned int inputLen)
|
||||
{
|
||||
@ -74,9 +75,10 @@ diff --git a/lib/freebl/deprecated/alg2268.c b/lib/freebl/deprecated/alg2268.c
|
||||
if (inputLen) {
|
||||
if (inputLen % RC2_BLOCK_SIZE) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
--- a/lib/freebl/arcfour.c
|
||||
+++ b/lib/freebl/arcfour.c
|
||||
Index: nss/lib/freebl/arcfour.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/arcfour.c
|
||||
+++ nss/lib/freebl/arcfour.c
|
||||
@@ -13,6 +13,7 @@
|
||||
|
||||
#include "prtypes.h"
|
||||
@ -85,7 +87,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
|
||||
/* Architecture-dependent defines */
|
||||
|
||||
@@ -108,6 +109,7 @@
|
||||
@@ -108,6 +109,7 @@ static const Stype Kinit[256] = {
|
||||
RC4Context *
|
||||
RC4_AllocateContext(void)
|
||||
{
|
||||
@ -93,7 +95,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
return PORT_ZNew(RC4Context);
|
||||
}
|
||||
|
||||
@@ -121,6 +123,8 @@
|
||||
@@ -121,6 +123,8 @@ RC4_InitContext(RC4Context *cx, const un
|
||||
PRUint8 K[256];
|
||||
PRUint8 *L;
|
||||
|
||||
@ -102,7 +104,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
/* verify the key length. */
|
||||
PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE);
|
||||
if (len == 0 || len >= ARCFOUR_STATE_SIZE) {
|
||||
@@ -162,7 +166,11 @@
|
||||
@@ -162,7 +166,11 @@ RC4_InitContext(RC4Context *cx, const un
|
||||
RC4Context *
|
||||
RC4_CreateContext(const unsigned char *key, int len)
|
||||
{
|
||||
@ -115,7 +117,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
if (cx) {
|
||||
SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0);
|
||||
if (rv != SECSuccess) {
|
||||
@@ -176,6 +184,7 @@
|
||||
@@ -176,6 +184,7 @@ RC4_CreateContext(const unsigned char *k
|
||||
void
|
||||
RC4_DestroyContext(RC4Context *cx, PRBool freeit)
|
||||
{
|
||||
@ -123,7 +125,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
if (freeit)
|
||||
PORT_ZFree(cx, sizeof(*cx));
|
||||
}
|
||||
@@ -548,6 +557,8 @@
|
||||
@@ -548,6 +557,8 @@ RC4_Encrypt(RC4Context *cx, unsigned cha
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
const unsigned char *input, unsigned int inputLen)
|
||||
{
|
||||
@ -132,7 +134,7 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
PORT_Assert(maxOutputLen >= inputLen);
|
||||
if (maxOutputLen < inputLen) {
|
||||
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
||||
@@ -571,6 +582,8 @@
|
||||
@@ -571,6 +582,8 @@ RC4_Decrypt(RC4Context *cx, unsigned cha
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
const unsigned char *input, unsigned int inputLen)
|
||||
{
|
||||
@ -141,9 +143,10 @@ diff --git a/lib/freebl/arcfour.c b/lib/freebl/arcfour.c
|
||||
PORT_Assert(maxOutputLen >= inputLen);
|
||||
if (maxOutputLen < inputLen) {
|
||||
PORT_SetError(SEC_ERROR_OUTPUT_LEN);
|
||||
diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
--- a/lib/freebl/deprecated/seed.c
|
||||
+++ b/lib/freebl/deprecated/seed.c
|
||||
Index: nss/lib/freebl/deprecated/seed.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/deprecated/seed.c
|
||||
+++ nss/lib/freebl/deprecated/seed.c
|
||||
@@ -17,6 +17,8 @@
|
||||
#include "seed.h"
|
||||
#include "secerr.h"
|
||||
@ -153,7 +156,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
static const seed_word SS[4][256] = {
|
||||
{ 0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0,
|
||||
0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124,
|
||||
@@ -301,6 +303,8 @@
|
||||
@@ -301,6 +303,8 @@ SEED_set_key(const unsigned char rawkey[
|
||||
seed_word K0, K1, K2, K3;
|
||||
seed_word t0, t1;
|
||||
|
||||
@ -162,7 +165,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
char2word(rawkey, K0);
|
||||
char2word(rawkey + 4, K1);
|
||||
char2word(rawkey + 8, K2);
|
||||
@@ -349,6 +353,8 @@
|
||||
@@ -349,6 +353,8 @@ SEED_encrypt(const unsigned char s[SEED_
|
||||
seed_word L0, L1, R0, R1;
|
||||
seed_word t0, t1;
|
||||
|
||||
@ -171,7 +174,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
char2word(s, L0);
|
||||
char2word(s + 4, L1);
|
||||
char2word(s + 8, R0);
|
||||
@@ -385,6 +391,8 @@
|
||||
@@ -385,6 +391,8 @@ SEED_decrypt(const unsigned char s[SEED_
|
||||
seed_word L0, L1, R0, R1;
|
||||
seed_word t0, t1;
|
||||
|
||||
@ -180,7 +183,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
char2word(s, L0);
|
||||
char2word(s + 4, L1);
|
||||
char2word(s + 8, R0);
|
||||
@@ -419,6 +427,8 @@
|
||||
@@ -419,6 +427,8 @@ SEED_ecb_encrypt(const unsigned char *in
|
||||
size_t inLen,
|
||||
const SEED_KEY_SCHEDULE *ks, int enc)
|
||||
{
|
||||
@ -189,7 +192,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
if (enc) {
|
||||
while (inLen > 0) {
|
||||
SEED_encrypt(in, out, ks);
|
||||
@@ -445,6 +455,8 @@
|
||||
@@ -445,6 +455,8 @@ SEED_cbc_encrypt(const unsigned char *in
|
||||
unsigned char tmp[SEED_BLOCK_SIZE];
|
||||
const unsigned char *iv = ivec;
|
||||
|
||||
@ -198,7 +201,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
if (enc) {
|
||||
while (len >= SEED_BLOCK_SIZE) {
|
||||
for (n = 0; n < SEED_BLOCK_SIZE; ++n) {
|
||||
@@ -528,6 +540,7 @@
|
||||
@@ -528,6 +540,7 @@ SEED_cbc_encrypt(const unsigned char *in
|
||||
SEEDContext *
|
||||
SEED_AllocateContext(void)
|
||||
{
|
||||
@ -206,7 +209,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
return PORT_ZNew(SEEDContext);
|
||||
}
|
||||
|
||||
@@ -536,6 +549,8 @@
|
||||
@@ -536,6 +549,8 @@ SEED_InitContext(SEEDContext *cx, const
|
||||
unsigned int keylen, const unsigned char *iv,
|
||||
int mode, unsigned int encrypt, unsigned int unused)
|
||||
{
|
||||
@ -215,7 +218,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
if (!cx) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
@@ -567,10 +582,14 @@
|
||||
@@ -567,10 +582,14 @@ SEEDContext *
|
||||
SEED_CreateContext(const unsigned char *key, const unsigned char *iv,
|
||||
int mode, PRBool encrypt)
|
||||
{
|
||||
@ -224,16 +227,16 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
- encrypt, 0);
|
||||
+ SEEDContext *cx;
|
||||
+ SECStatus rv;
|
||||
|
||||
+ IN_FIPS_RETURN(NULL);
|
||||
+
|
||||
+ IN_FIPS_RETURN(NULL);
|
||||
|
||||
+ cx = PORT_ZNew(SEEDContext);
|
||||
+ rv = SEED_InitContext(cx, key, SEED_KEY_LENGTH, iv, mode,
|
||||
+ encrypt, 0);
|
||||
if (rv != SECSuccess) {
|
||||
PORT_ZFree(cx, sizeof *cx);
|
||||
cx = NULL;
|
||||
@@ -595,6 +614,8 @@
|
||||
@@ -595,6 +614,8 @@ SEED_Encrypt(SEEDContext *cx, unsigned c
|
||||
unsigned int maxOutLen, const unsigned char *in,
|
||||
unsigned int inLen)
|
||||
{
|
||||
@ -242,7 +245,7 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
if (!cx) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
@@ -635,6 +656,8 @@
|
||||
@@ -635,6 +656,8 @@ SEED_Decrypt(SEEDContext *cx, unsigned c
|
||||
unsigned int maxOutLen, const unsigned char *in,
|
||||
unsigned int inLen)
|
||||
{
|
||||
@ -251,9 +254,10 @@ diff --git a/lib/freebl/deprecated/seed.c b/lib/freebl/deprecated/seed.c
|
||||
if (!cx) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
diff --git a/lib/freebl/fips.h b/lib/freebl/fips.h
|
||||
--- a/lib/freebl/fips.h
|
||||
+++ b/lib/freebl/fips.h
|
||||
Index: nss/lib/freebl/fips.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/fips.h
|
||||
+++ nss/lib/freebl/fips.h
|
||||
@@ -8,8 +8,20 @@
|
||||
#ifndef FIPS_H
|
||||
#define FIPS_H
|
||||
@ -275,9 +279,10 @@ diff --git a/lib/freebl/fips.h b/lib/freebl/fips.h
|
||||
|
||||
#endif
|
||||
|
||||
diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
--- a/lib/freebl/md2.c
|
||||
+++ b/lib/freebl/md2.c
|
||||
Index: nss/lib/freebl/md2.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/md2.c
|
||||
+++ nss/lib/freebl/md2.c
|
||||
@@ -13,6 +13,8 @@
|
||||
|
||||
#include "blapi.h"
|
||||
@ -287,7 +292,7 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
#define MD2_DIGEST_LEN 16
|
||||
#define MD2_BUFSIZE 16
|
||||
#define MD2_X_SIZE 48 /* The X array, [CV | INPUT | TMP VARS] */
|
||||
@@ -66,7 +68,11 @@
|
||||
@@ -66,7 +68,11 @@ SECStatus
|
||||
MD2_Hash(unsigned char *dest, const char *src)
|
||||
{
|
||||
unsigned int len;
|
||||
@ -300,7 +305,7 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
if (!cx) {
|
||||
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
|
||||
return SECFailure;
|
||||
@@ -81,7 +87,11 @@
|
||||
@@ -81,7 +87,11 @@ MD2_Hash(unsigned char *dest, const char
|
||||
MD2Context *
|
||||
MD2_NewContext(void)
|
||||
{
|
||||
@ -313,7 +318,7 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
if (cx == NULL) {
|
||||
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
|
||||
return NULL;
|
||||
@@ -99,6 +109,8 @@
|
||||
@@ -99,6 +109,8 @@ MD2_DestroyContext(MD2Context *cx, PRBoo
|
||||
void
|
||||
MD2_Begin(MD2Context *cx)
|
||||
{
|
||||
@ -322,7 +327,7 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
memset(cx, 0, sizeof(*cx));
|
||||
cx->unusedBuffer = MD2_BUFSIZE;
|
||||
}
|
||||
@@ -196,6 +208,8 @@
|
||||
@@ -196,6 +208,8 @@ MD2_Update(MD2Context *cx, const unsigne
|
||||
{
|
||||
PRUint32 bytesToConsume;
|
||||
|
||||
@ -331,7 +336,7 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
/* Fill the remaining input buffer. */
|
||||
if (cx->unusedBuffer != MD2_BUFSIZE) {
|
||||
bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer);
|
||||
@@ -226,6 +240,9 @@
|
||||
@@ -226,6 +240,9 @@ MD2_End(MD2Context *cx, unsigned char *d
|
||||
unsigned int *digestLen, unsigned int maxDigestLen)
|
||||
{
|
||||
PRUint8 padStart;
|
||||
@ -341,9 +346,10 @@ diff --git a/lib/freebl/md2.c b/lib/freebl/md2.c
|
||||
if (maxDigestLen < MD2_BUFSIZE) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return;
|
||||
diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
--- a/lib/freebl/md5.c
|
||||
+++ b/lib/freebl/md5.c
|
||||
Index: nss/lib/freebl/md5.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/md5.c
|
||||
+++ nss/lib/freebl/md5.c
|
||||
@@ -15,6 +15,8 @@
|
||||
#include "blapi.h"
|
||||
#include "blapii.h"
|
||||
@ -353,7 +359,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
#define MD5_HASH_LEN 16
|
||||
#define MD5_BUFFER_SIZE 64
|
||||
#define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8)
|
||||
@@ -195,6 +197,7 @@
|
||||
@@ -195,6 +197,7 @@ struct MD5ContextStr {
|
||||
SECStatus
|
||||
MD5_Hash(unsigned char *dest, const char *src)
|
||||
{
|
||||
@ -361,7 +367,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
return MD5_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src));
|
||||
}
|
||||
|
||||
@@ -204,6 +207,8 @@
|
||||
@@ -204,6 +207,8 @@ MD5_HashBuf(unsigned char *dest, const u
|
||||
unsigned int len;
|
||||
MD5Context cx;
|
||||
|
||||
@ -370,7 +376,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
MD5_Begin(&cx);
|
||||
MD5_Update(&cx, src, src_length);
|
||||
MD5_End(&cx, dest, &len, MD5_HASH_LEN);
|
||||
@@ -215,7 +220,11 @@
|
||||
@@ -215,7 +220,11 @@ MD5Context *
|
||||
MD5_NewContext(void)
|
||||
{
|
||||
/* no need to ZAlloc, MD5_Begin will init the context */
|
||||
@ -383,7 +389,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (cx == NULL) {
|
||||
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
|
||||
return NULL;
|
||||
@@ -226,7 +235,8 @@
|
||||
@@ -226,7 +235,8 @@ MD5_NewContext(void)
|
||||
void
|
||||
MD5_DestroyContext(MD5Context *cx, PRBool freeit)
|
||||
{
|
||||
@ -393,7 +399,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (freeit) {
|
||||
PORT_Free(cx);
|
||||
}
|
||||
@@ -235,6 +245,8 @@
|
||||
@@ -235,6 +245,8 @@ MD5_DestroyContext(MD5Context *cx, PRBoo
|
||||
void
|
||||
MD5_Begin(MD5Context *cx)
|
||||
{
|
||||
@ -402,7 +408,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
cx->lsbInput = 0;
|
||||
cx->msbInput = 0;
|
||||
/* memset(cx->inBuf, 0, sizeof(cx->inBuf)); */
|
||||
@@ -425,6 +437,8 @@
|
||||
@@ -425,6 +437,8 @@ MD5_Update(MD5Context *cx, const unsigne
|
||||
PRUint32 inBufIndex = cx->lsbInput & 63;
|
||||
const PRUint32 *wBuf;
|
||||
|
||||
@ -411,7 +417,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
/* Add the number of input bytes to the 64-bit input counter. */
|
||||
addto64(cx->msbInput, cx->lsbInput, inputLen);
|
||||
if (inBufIndex) {
|
||||
@@ -498,6 +512,8 @@
|
||||
@@ -498,6 +512,8 @@ MD5_End(MD5Context *cx, unsigned char *d
|
||||
PRUint32 lowInput, highInput;
|
||||
PRUint32 inBufIndex = cx->lsbInput & 63;
|
||||
|
||||
@ -420,7 +426,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (maxDigestLen < MD5_HASH_LEN) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return;
|
||||
@@ -546,6 +562,8 @@
|
||||
@@ -546,6 +562,8 @@ MD5_EndRaw(MD5Context *cx, unsigned char
|
||||
#endif
|
||||
PRUint32 cv[4];
|
||||
|
||||
@ -429,9 +435,10 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (maxDigestLen < MD5_HASH_LEN) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return;
|
||||
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
||||
--- a/lib/freebl/nsslowhash.c
|
||||
+++ b/lib/freebl/nsslowhash.c
|
||||
Index: nss/lib/freebl/nsslowhash.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/nsslowhash.c
|
||||
+++ nss/lib/freebl/nsslowhash.c
|
||||
@@ -12,6 +12,7 @@
|
||||
#include "plhash.h"
|
||||
#include "nsslowhash.h"
|
||||
@ -440,7 +447,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
||||
|
||||
struct NSSLOWInitContextStr {
|
||||
int count;
|
||||
@@ -92,6 +93,12 @@
|
||||
@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
|
||||
{
|
||||
NSSLOWHASHContext *context;
|
||||
|
||||
@ -453,9 +460,10 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
||||
if (post_failed) {
|
||||
PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR);
|
||||
return NULL;
|
||||
diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
|
||||
--- a/lib/freebl/rawhash.c
|
||||
+++ b/lib/freebl/rawhash.c
|
||||
Index: nss/lib/freebl/rawhash.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/rawhash.c
|
||||
+++ nss/lib/freebl/rawhash.c
|
||||
@@ -10,6 +10,7 @@
|
||||
#include "hasht.h"
|
||||
#include "blapi.h" /* below the line */
|
||||
@ -464,7 +472,7 @@ diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
|
||||
|
||||
static void *
|
||||
null_hash_new_context(void)
|
||||
@@ -146,7 +147,8 @@
|
||||
@@ -146,7 +147,8 @@ const SECHashObject SECRawHashObjects[]
|
||||
const SECHashObject *
|
||||
HASH_GetRawHashObject(HASH_HashType hashType)
|
||||
{
|
||||
@ -474,15 +482,16 @@ diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return NULL;
|
||||
}
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -7282,7 +7282,7 @@
|
||||
Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
} else {
|
||||
/* now allocate the hash contexts */
|
||||
md5 = MD5_NewContext();
|
||||
- if (md5 == NULL) {
|
||||
+ if (md5 == NULL && !isTLS) {
|
||||
PORT_Memset(crsrdata, 0, sizeof crsrdata);
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
}
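Review bot: In the NSC_DeriveKey hunk for lib/softoken/pkcs11c.c, the relaxed check `if (md5 == NULL && !isTLS)` lets a NULL `md5` through on the TLS path whatever the cause, so a genuine allocation failure can no longer be told apart from MD5_NewContext() declining to hand out a context. Presumably the NULL is expected because this same patch gates the freebl MD5 entry points the way `IN_FIPS_RETURN(NULL)` gates SEED_CreateContext, but the added lines of the MD5_NewContext hunk are not visible on this page. Every later use of `md5` in this branch then has to be NULL-safe, and that code lies outside the hunk, so it should be checked against the refreshed 3.66 sources. I would state the invariant at the check, e.g. `/* md5 may be NULL only when MD5 is refused in FIPS mode; the TLS path must not dereference it */`, and make sure the non-FIPS TLS case still fails with `CKR_HOST_MEMORY` on a real allocation failure.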
|
||||
|
@ -6,9 +6,10 @@
|
||||
# Parent 60c5e5d73ce1177fa66d8fd6cf49d9b371ca9be4
|
||||
imported patch nss-fips-cavs-general.patch
|
||||
|
||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
--- a/cmd/fipstest/fipstest.c
|
||||
+++ b/cmd/fipstest/fipstest.c
|
||||
Index: nss/cmd/fipstest/fipstest.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/fipstest/fipstest.c
|
||||
+++ nss/cmd/fipstest/fipstest.c
|
||||
@@ -5,6 +5,7 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
@ -27,7 +28,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
#define __PASTE(x, y) x##y
|
||||
#undef CK_PKCS11_FUNCTION_INFO
|
||||
#undef CK_NEED_ARG_LIST
|
||||
@@ -55,6 +59,10 @@
|
||||
@@ -55,6 +59,10 @@ EC_CopyParams(PLArenaPool *arena, ECPara
|
||||
#define RSA_MAX_TEST_EXPONENT_BYTES 8
|
||||
#define PQG_TEST_SEED_BYTES 20
|
||||
|
||||
@ -38,7 +39,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
SECStatus
|
||||
hex_to_byteval(const char *c2, unsigned char *byteval)
|
||||
{
|
||||
@@ -168,6 +176,62 @@
|
||||
@@ -168,6 +176,62 @@ from_hex_str(unsigned char *buf, unsigne
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
@ -101,7 +102,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
SECStatus
|
||||
tdea_encrypt_buf(
|
||||
int mode,
|
||||
@@ -8930,41 +8994,6 @@
|
||||
@@ -8930,41 +8994,6 @@ out:
|
||||
}
|
||||
}
|
||||
|
||||
@ -143,7 +144,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
void
|
||||
kas_ffc_test(char *reqfn, int do_validity)
|
||||
{
|
||||
@@ -9387,12 +9416,34 @@
|
||||
@@ -9387,12 +9416,34 @@ out:
|
||||
free_param_specs (pspecs);
|
||||
}
|
||||
|
||||
@ -178,9 +179,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
||||
RNG_RNGInit();
|
||||
SECOID_Init();
|
||||
|
||||
diff --git a/lib/freebl/freebl.def b/lib/freebl/freebl.def
|
||||
--- a/lib/freebl/freebl.def
|
||||
+++ b/lib/freebl/freebl.def
|
||||
Index: nss/lib/freebl/freebl.def
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/freebl.def
|
||||
+++ nss/lib/freebl/freebl.def
|
||||
@@ -21,6 +21,7 @@
|
||||
LIBRARY freebl3 ;-
|
||||
EXPORTS ;-
|
||||
@ -189,9 +191,10 @@ diff --git a/lib/freebl/freebl.def b/lib/freebl/freebl.def
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
diff --git a/lib/freebl/freebl_hash.def b/lib/freebl/freebl_hash.def
|
||||
--- a/lib/freebl/freebl_hash.def
|
||||
+++ b/lib/freebl/freebl_hash.def
|
||||
Index: nss/lib/freebl/freebl_hash.def
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/freebl_hash.def
|
||||
+++ nss/lib/freebl/freebl_hash.def
|
||||
@@ -21,6 +21,7 @@
|
||||
LIBRARY freebl3 ;-
|
||||
EXPORTS ;-
|
||||
@ -200,9 +203,10 @@ diff --git a/lib/freebl/freebl_hash.def b/lib/freebl/freebl_hash.def
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
diff --git a/lib/freebl/freebl_hash_vector.def b/lib/freebl/freebl_hash_vector.def
|
||||
--- a/lib/freebl/freebl_hash_vector.def
|
||||
+++ b/lib/freebl/freebl_hash_vector.def
|
||||
Index: nss/lib/freebl/freebl_hash_vector.def
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/freebl_hash_vector.def
|
||||
+++ nss/lib/freebl/freebl_hash_vector.def
|
||||
@@ -21,6 +21,7 @@
|
||||
LIBRARY freebl3 ;-
|
||||
EXPORTS ;-
|
||||
@ -211,10 +215,11 @@ diff --git a/lib/freebl/freebl_hash_vector.def b/lib/freebl/freebl_hash_vector.d
|
||||
;+ local:
|
||||
;+ *;
|
||||
;+};
|
||||
diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
--- a/lib/freebl/pqg.c
|
||||
+++ b/lib/freebl/pqg.c
|
||||
@@ -1231,7 +1231,8 @@
|
||||
Index: nss/lib/freebl/pqg.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/pqg.c
|
||||
+++ nss/lib/freebl/pqg.c
|
||||
@@ -1242,7 +1242,8 @@ cleanup:
|
||||
**/
|
||||
static SECStatus
|
||||
pqg_ParamGen(unsigned int L, unsigned int N, pqgGenType type,
|
||||
@ -224,7 +229,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
{
|
||||
unsigned int n; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
|
||||
unsigned int seedlen; /* Per FIPS 186-3 app A.1.1.2 (was 'g' 186-1)*/
|
||||
@@ -1239,7 +1240,6 @@
|
||||
@@ -1250,7 +1251,6 @@ pqg_ParamGen(unsigned int L, unsigned in
|
||||
unsigned int offset; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
|
||||
unsigned int outlen; /* Per FIPS 186-3, appendix A.1.1.2. */
|
||||
unsigned int maxCount;
|
||||
@ -232,7 +237,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
SECItem *seed; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */
|
||||
PLArenaPool *arena = NULL;
|
||||
PQGParams *params = NULL;
|
||||
@@ -1290,7 +1290,8 @@
|
||||
@@ -1301,7 +1301,8 @@ pqg_ParamGen(unsigned int L, unsigned in
|
||||
/* fill in P Q, */
|
||||
SECITEM_TO_MPINT((*pParams)->prime, &P);
|
||||
SECITEM_TO_MPINT((*pParams)->subPrime, &Q);
|
||||
@ -242,7 +247,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
CHECK_SEC_OK(makeGfromIndex(hashtype, &P, &Q, &(*pVfy)->seed,
|
||||
(*pVfy)->h.data[0], &G));
|
||||
MPINT_TO_SECITEM(&G, &(*pParams)->base, (*pParams)->arena);
|
||||
@@ -1330,7 +1331,8 @@
|
||||
@@ -1341,7 +1342,8 @@ pqg_ParamGen(unsigned int L, unsigned in
|
||||
/* Select Hash and Compute lengths. */
|
||||
/* getFirstHash gives us the smallest acceptable hash for this key
|
||||
* strength */
|
||||
@ -252,7 +257,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
outlen = HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE;
|
||||
|
||||
/* Step 3: n = Ceil(L/outlen)-1; (same as n = Floor((L-1)/outlen)) */
|
||||
@@ -1532,6 +1534,10 @@
|
||||
@@ -1543,6 +1545,10 @@ generate_G:
|
||||
verify->counter = counter;
|
||||
*pParams = params;
|
||||
*pVfy = verify;
|
||||
@ -262,8 +267,8 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
+
|
||||
cleanup:
|
||||
if (pseed.data) {
|
||||
PORT_Free(pseed.data);
|
||||
@@ -1576,7 +1582,7 @@
|
||||
SECITEM_ZfreeItem(&pseed, PR_FALSE);
|
||||
@@ -1587,7 +1593,7 @@ PQG_ParamGen(unsigned int j, PQGParams *
|
||||
L = 512 + (j * 64); /* bits in P */
|
||||
seedBytes = L / 8;
|
||||
return pqg_ParamGen(L, DSA1_Q_BITS, FIPS186_1_TYPE, seedBytes,
|
||||
@ -272,7 +277,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
}
|
||||
|
||||
SECStatus
|
||||
@@ -1591,7 +1597,7 @@
|
||||
@@ -1602,7 +1608,7 @@ PQG_ParamGenSeedLen(unsigned int j, unsi
|
||||
}
|
||||
L = 512 + (j * 64); /* bits in P */
|
||||
return pqg_ParamGen(L, DSA1_Q_BITS, FIPS186_1_TYPE, seedBytes,
|
||||
@ -281,7 +286,7 @@ diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c
|
||||
}
|
||||
|
||||
SECStatus
|
||||
@@ -1609,7 +1615,26 @@
|
||||
@@ -1620,7 +1626,26 @@ PQG_ParamGenV2(unsigned int L, unsigned
|
||||
/* error code already set */
|
||||
return SECFailure;
|
||||
}
|
||||
|
@ -12,10 +12,10 @@ power-on self tests.
|
||||
lib/softoken/softoken.h | 10 ++
|
||||
4 files changed, 169 insertions(+), 70 deletions(-)
|
||||
|
||||
diff --git a/cmd/lib/pk11table.c b/cmd/lib/pk11table.c
|
||||
index f7a45fa..d302436 100644
|
||||
--- a/cmd/lib/pk11table.c
|
||||
+++ b/cmd/lib/pk11table.c
|
||||
Index: nss/cmd/lib/pk11table.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/lib/pk11table.c
|
||||
+++ nss/cmd/lib/pk11table.c
|
||||
@@ -273,6 +273,10 @@ const Constant _consts[] = {
|
||||
mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism),
|
||||
mkEntry(CKM_DSA, Mechanism),
|
||||
@ -38,11 +38,11 @@ index f7a45fa..d302436 100644
|
||||
mkEntry(CKM_ECDH1_DERIVE, Mechanism),
|
||||
mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
|
||||
mkEntry(CKM_ECMQV_DERIVE, Mechanism),
|
||||
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
|
||||
index d94d59a..ac280f0 100644
|
||||
--- a/lib/pk11wrap/pk11mech.c
|
||||
+++ b/lib/pk11wrap/pk11mech.c
|
||||
@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len)
|
||||
Index: nss/lib/pk11wrap/pk11mech.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/pk11wrap/pk11mech.c
|
||||
+++ nss/lib/pk11wrap/pk11mech.c
|
||||
@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
||||
return CKK_RSA;
|
||||
case CKM_DSA:
|
||||
case CKM_DSA_SHA1:
|
||||
@ -53,7 +53,7 @@ index d94d59a..ac280f0 100644
|
||||
case CKM_DSA_KEY_PAIR_GEN:
|
||||
return CKK_DSA;
|
||||
case CKM_DH_PKCS_DERIVE:
|
||||
@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, unsigned long len)
|
||||
@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
||||
return CKK_KEA;
|
||||
case CKM_ECDSA:
|
||||
case CKM_ECDSA_SHA1:
|
||||
@ -64,11 +64,11 @@ index d94d59a..ac280f0 100644
|
||||
case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */
|
||||
case CKM_ECDH1_DERIVE:
|
||||
return CKK_EC; /* CKK_ECDSA is deprecated */
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
index 08f94bc..ec6b205 100644
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -2606,7 +2606,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||||
Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
|
||||
static SECStatus
|
||||
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
|
||||
unsigned int *sigLen, unsigned int maxSigLen,
|
||||
@ -77,7 +77,7 @@ index 08f94bc..ec6b205 100644
|
||||
{
|
||||
SECItem signature, digest;
|
||||
SECStatus rv;
|
||||
@@ -2624,6 +2624,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
|
||||
@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -100,7 +100,7 @@ index 08f94bc..ec6b205 100644
|
||||
static SECStatus
|
||||
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||||
void *dataBuf, unsigned int dataLen)
|
||||
@@ -2641,7 +2657,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||||
@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
|
||||
static SECStatus
|
||||
nsc_ECDSASignStub(void *ctx, void *sigBuf,
|
||||
unsigned int *sigLen, unsigned int maxSigLen,
|
||||
@ -109,7 +109,7 @@ index 08f94bc..ec6b205 100644
|
||||
{
|
||||
SECItem signature, digest;
|
||||
SECStatus rv;
|
||||
@@ -2659,6 +2675,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBuf,
|
||||
@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -132,7 +132,7 @@ index 08f94bc..ec6b205 100644
|
||||
/* NSC_SignInit setups up the signing operations. There are three basic
|
||||
* types of signing:
|
||||
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
|
||||
@@ -3511,6 +3543,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
|
||||
@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||||
info->hashOid = SEC_OID_##mmm; \
|
||||
goto finish_rsa;
|
||||
|
||||
@ -155,51 +155,7 @@ index 08f94bc..ec6b205 100644
|
||||
switch (pMechanism->mechanism) {
|
||||
INIT_RSA_VFY_MECH(MD5)
|
||||
INIT_RSA_VFY_MECH(MD2)
|
||||
@@ -3575,13 +3623,15 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
|
||||
context->destroy = (SFTKDestroy)sftk_Space;
|
||||
context->verify = (SFTKVerify)sftk_RSACheckSignPSS;
|
||||
break;
|
||||
- case CKM_DSA_SHA1:
|
||||
- context->multi = PR_TRUE;
|
||||
- crv = sftk_doSubSHA1(context);
|
||||
- if (crv != CKR_OK)
|
||||
- break;
|
||||
- /* fall through */
|
||||
+
|
||||
+ INIT_DSA_VFY_MECH(SHA1)
|
||||
+ INIT_DSA_VFY_MECH(SHA224)
|
||||
+ INIT_DSA_VFY_MECH(SHA256)
|
||||
+ INIT_DSA_VFY_MECH(SHA384)
|
||||
+ INIT_DSA_VFY_MECH(SHA512)
|
||||
+
|
||||
case CKM_DSA:
|
||||
+ finish_dsa:
|
||||
if (key_type != CKK_DSA) {
|
||||
crv = CKR_KEY_TYPE_INCONSISTENT;
|
||||
break;
|
||||
@@ -3594,13 +3644,15 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSession,
|
||||
context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
|
||||
context->destroy = sftk_Null;
|
||||
break;
|
||||
- case CKM_ECDSA_SHA1:
|
||||
- context->multi = PR_TRUE;
|
||||
- crv = sftk_doSubSHA1(context);
|
||||
- if (crv != CKR_OK)
|
||||
- break;
|
||||
- /* fall through */
|
||||
+
|
||||
+ INIT_ECDSA_VFY_MECH(SHA1)
|
||||
+ INIT_ECDSA_VFY_MECH(SHA224)
|
||||
+ INIT_ECDSA_VFY_MECH(SHA256)
|
||||
+ INIT_ECDSA_VFY_MECH(SHA384)
|
||||
+ INIT_ECDSA_VFY_MECH(SHA512)
|
||||
+
|
||||
case CKM_ECDSA:
|
||||
+ finish_ecdsa:
|
||||
if (key_type != CKK_EC) {
|
||||
crv = CKR_KEY_TYPE_INCONSISTENT;
|
||||
break;
|
||||
@@ -4733,6 +4785,73 @@ loser:
|
||||
@@ -4825,6 +4873,73 @@ loser:
|
||||
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
|
||||
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
|
||||
|
||||
@ -273,7 +229,7 @@ index 08f94bc..ec6b205 100644
|
||||
/*
|
||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||
*
|
||||
@@ -4780,8 +4899,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
|
||||
@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
|
||||
/* Variables used for Signature/Verification functions. */
|
||||
/* Must be at least 256 bits for DSA2 digest */
|
||||
@ -282,7 +238,7 @@ index 08f94bc..ec6b205 100644
|
||||
CK_ULONG signature_length;
|
||||
|
||||
if (keyType == CKK_RSA) {
|
||||
@@ -4935,76 +5052,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
|
||||
@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
}
|
||||
|
||||
@ -369,11 +325,11 @@ index 08f94bc..ec6b205 100644
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
|
||||
index 30586fc..d5aaffa 100644
|
||||
--- a/lib/softoken/softoken.h
|
||||
+++ b/lib/softoken/softoken.h
|
||||
@@ -35,6 +35,16 @@ RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
|
||||
Index: nss/lib/softoken/softoken.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/softoken.h
|
||||
+++ nss/lib/softoken/softoken.h
|
||||
@@ -35,6 +35,16 @@ RSA_HashCheckSign(SECOidTag hashOid, NSS
|
||||
const unsigned char *sig, unsigned int sigLen,
|
||||
const unsigned char *hash, unsigned int hashLen);
|
||||
|
||||
@ -390,6 +346,3 @@ index 30586fc..d5aaffa 100644
|
||||
/*
|
||||
** Prepare a buffer for padded CBC encryption, growing to the appropriate
|
||||
** boundary, filling with the appropriate padding.
|
||||
--
|
||||
2.26.2
|
||||
|
||||
|
@ -4,15 +4,11 @@ Date: Sun Mar 15 21:54:30 2020 +0100
|
||||
|
||||
Patch 23: nss-fips-constructor-self-tests.patch
|
||||
|
||||
diff --git a/cmd/chktest/chktest.c b/cmd/chktest/chktest.c
|
||||
--- a/cmd/chktest/chktest.c
|
||||
+++ b/cmd/chktest/chktest.c
|
||||
@@ -33,13 +33,13 @@ main(int argc, char **argv)
|
||||
}
|
||||
rv = BL_Init();
|
||||
if (rv != SECSuccess) {
|
||||
SECU_PrintPRandOSError("");
|
||||
return -1;
|
||||
Index: nss/cmd/chktest/chktest.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/chktest/chktest.c
|
||||
+++ nss/cmd/chktest/chktest.c
|
||||
@@ -38,7 +38,7 @@ main(int argc, char **argv)
|
||||
}
|
||||
RNG_SystemInfoForRNG();
|
||||
|
||||
@ -21,16 +17,11 @@ diff --git a/cmd/chktest/chktest.c b/cmd/chktest/chktest.c
|
||||
printf("%s\n",
|
||||
(good_result ? "SUCCESS" : "FAILURE"));
|
||||
return (good_result) ? SECSuccess : SECFailure;
|
||||
}
|
||||
diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
|
||||
--- a/cmd/shlibsign/shlibsign.c
|
||||
+++ b/cmd/shlibsign/shlibsign.c
|
||||
@@ -941,20 +941,22 @@ main(int argc, char **argv)
|
||||
|
||||
if (keySize && (mechInfo.ulMaxKeySize < keySize)) {
|
||||
PR_fprintf(PR_STDERR,
|
||||
"token doesn't support DSA2 (Max key size=%d)\n",
|
||||
mechInfo.ulMaxKeySize);
|
||||
Index: nss/cmd/shlibsign/shlibsign.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/shlibsign/shlibsign.c
|
||||
+++ nss/cmd/shlibsign/shlibsign.c
|
||||
@@ -946,10 +946,12 @@ main(int argc, char **argv)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -47,20 +38,11 @@ diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
|
||||
}
|
||||
}
|
||||
|
||||
/* DSA key init */
|
||||
if (keySize == 1024) {
|
||||
dsaPubKeyTemplate[0].type = CKA_PRIME;
|
||||
dsaPubKeyTemplate[0].pValue = (CK_VOID_PTR)′
|
||||
dsaPubKeyTemplate[0].ulValueLen = sizeof(prime);
|
||||
diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
|
||||
--- a/lib/freebl/blapi.h
|
||||
+++ b/lib/freebl/blapi.h
|
||||
@@ -1734,27 +1734,27 @@ extern void PQG_DestroyVerify(PQGVerify
|
||||
extern void BL_Cleanup(void);
|
||||
|
||||
/* unload freebl shared library from memory */
|
||||
extern void BL_Unload(void);
|
||||
|
||||
Index: nss/lib/freebl/blapi.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/blapi.h
|
||||
+++ nss/lib/freebl/blapi.h
|
||||
@@ -1759,17 +1759,17 @@ extern void BL_Unload(void);
|
||||
/**************************************************************************
|
||||
* Verify a given Shared library signature *
|
||||
**************************************************************************/
|
||||
@ -81,15 +63,10 @@ diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
|
||||
|
||||
/*********************************************************************/
|
||||
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
|
||||
|
||||
extern void BL_SetForkState(PRBool forked);
|
||||
|
||||
/*
|
||||
** pepare an ECParam structure from DEREncoded params
|
||||
diff --git a/lib/freebl/fips-selftest.inc b/lib/freebl/fips-selftest.inc
|
||||
new file mode 100644
|
||||
Index: nss/lib/freebl/fips-selftest.inc
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/freebl/fips-selftest.inc
|
||||
+++ nss/lib/freebl/fips-selftest.inc
|
||||
@@ -0,0 +1,293 @@
|
||||
+/*
|
||||
+ * PKCS #11 FIPS Power-Up Self Test - common stuff.
|
||||
@ -384,10 +361,10 @@ new file mode 100644
|
||||
+}
|
||||
+
|
||||
+#endif
|
||||
diff --git a/lib/freebl/fips.c b/lib/freebl/fips.c
|
||||
new file mode 100644
|
||||
Index: nss/lib/freebl/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/freebl/fips.c
|
||||
+++ nss/lib/freebl/fips.c
|
||||
@@ -0,0 +1,7 @@
|
||||
+/*
|
||||
+ * PKCS #11 FIPS Power-Up Self Test.
|
||||
@ -396,10 +373,10 @@ new file mode 100644
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
diff --git a/lib/freebl/fips.h b/lib/freebl/fips.h
|
||||
new file mode 100644
|
||||
Index: nss/lib/freebl/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/freebl/fips.h
|
||||
+++ nss/lib/freebl/fips.h
|
||||
@@ -0,0 +1,15 @@
|
||||
+/*
|
||||
+ * PKCS #11 FIPS Power-Up Self Test.
|
||||
@ -416,15 +393,11 @@ new file mode 100644
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
--- a/lib/freebl/fipsfreebl.c
|
||||
+++ b/lib/freebl/fipsfreebl.c
|
||||
@@ -16,16 +16,23 @@
|
||||
#include "secerr.h"
|
||||
#include "prtypes.h"
|
||||
#include "secitem.h"
|
||||
#include "pkcs11t.h"
|
||||
#include "cmac.h"
|
||||
Index: nss/lib/freebl/fipsfreebl.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/fipsfreebl.c
|
||||
+++ nss/lib/freebl/fipsfreebl.c
|
||||
@@ -21,6 +21,13 @@
|
||||
|
||||
#include "ec.h" /* Required for EC */
|
||||
|
||||
@ -438,17 +411,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
/*
|
||||
* different platforms have different ways of calling and initial entry point
|
||||
* when the dll/.so is loaded. Most platforms support either a posix pragma
|
||||
* or the GCC attribute. Some platforms suppor a pre-defined name, and some
|
||||
* platforms have a link line way of invoking this function.
|
||||
*/
|
||||
|
||||
/* The pragma */
|
||||
@@ -1993,57 +2000,57 @@ freebl_fips_RNG_PowerUpSelfTest(void)
|
||||
0x3f, 0xf7, 0x0c, 0xcd, 0xa6, 0xca, 0xbf, 0xce,
|
||||
0x84, 0x0e, 0xb6, 0xf1, 0x0d, 0xbe, 0xa9, 0xa3
|
||||
};
|
||||
static const PRUint8 rng_known_DSAX[] = {
|
||||
0x7a, 0x86, 0xf1, 0x7f, 0xbd, 0x4e, 0x6e, 0xd9,
|
||||
@@ -1998,9 +2005,8 @@ freebl_fips_RNG_PowerUpSelfTest(void)
|
||||
0x0a, 0x26, 0x21, 0xd0, 0x19, 0xcb, 0x86, 0x73,
|
||||
0x10, 0x1f, 0x60, 0xd7
|
||||
};
|
||||
@ -459,13 +422,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
|
||||
/*******************************************/
|
||||
/* Run the SP 800-90 Health tests */
|
||||
/*******************************************/
|
||||
rng_status = PRNGTEST_RunHealthTests();
|
||||
if (rng_status != SECSuccess) {
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
@@ -2014,13 +2020,12 @@ freebl_fips_RNG_PowerUpSelfTest(void)
|
||||
/*******************************************/
|
||||
/* Generate DSAX fow given Q. */
|
||||
/*******************************************/
|
||||
@ -480,7 +437,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
@@ -2028,17 +2033,19 @@ freebl_fips_RNG_PowerUpSelfTest(void)
|
||||
return (SECSuccess);
|
||||
}
|
||||
|
||||
@ -501,17 +458,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
|
||||
#define DO_FREEBL 1
|
||||
#define DO_REST 2
|
||||
|
||||
static SECStatus
|
||||
freebl_fipsPowerUpSelfTest(unsigned int tests)
|
||||
{
|
||||
SECStatus rv;
|
||||
@@ -2151,34 +2158,36 @@ freebl_fipsPowerUpSelfTest(unsigned int
|
||||
* to prevent the softoken function pointer table from operating until the
|
||||
* libraries are loaded and we try to use them.
|
||||
*/
|
||||
static PRBool self_tests_freebl_ran = PR_FALSE;
|
||||
static PRBool self_tests_ran = PR_FALSE;
|
||||
@@ -2156,11 +2163,13 @@ static PRBool self_tests_ran = PR_FALSE;
|
||||
static PRBool self_tests_freebl_success = PR_FALSE;
|
||||
static PRBool self_tests_success = PR_FALSE;
|
||||
|
||||
@ -526,12 +473,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
{
|
||||
SECStatus rv;
|
||||
/* if the freebl self tests didn't run, there is something wrong with
|
||||
* our on load tests */
|
||||
if (!self_tests_freebl_ran) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
/* if all the self tests have run, we are good */
|
||||
if (self_tests_ran) {
|
||||
@@ -2173,7 +2182,7 @@ BL_POSTRan(PRBool freebl_only)
|
||||
return PR_TRUE;
|
||||
}
|
||||
/* if we only care about the freebl tests, we are good */
|
||||
@ -540,34 +482,27 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
return PR_TRUE;
|
||||
}
|
||||
/* run the rest of the self tests */
|
||||
/* We could get there if freebl was loaded without the rest of the support
|
||||
* libraries, but now we want to use more than just a standalone freebl.
|
||||
* This requires the other libraries to be loaded.
|
||||
* If they are now loaded, Try to run the rest of the selftests,
|
||||
* otherwise fail (disabling access to these algorithms) */
|
||||
@@ -2187,92 +2196,174 @@ BL_POSTRan(PRBool freebl_only)
|
||||
RNG_RNGInit(); /* required by RSA */
|
||||
rv = freebl_fipsPowerUpSelfTest(DO_REST);
|
||||
if (rv == SECSuccess) {
|
||||
self_tests_success = PR_TRUE;
|
||||
}
|
||||
@@ -2192,32 +2201,16 @@ BL_POSTRan(PRBool freebl_only)
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
+#if 0
|
||||
#include "blname.c"
|
||||
-
|
||||
+#endif
|
||||
|
||||
-/*
|
||||
- * This function is called at dll load time, the code tha makes this
|
||||
- * happen is platform specific on defined above.
|
||||
- */
|
||||
-static void
|
||||
-bl_startup_tests(void)
|
||||
-{
|
||||
+/* crypto algorithms selftest wrapper */
|
||||
+static fips_check_status
|
||||
+fips_checkCryptoFreebl(void)
|
||||
{
|
||||
- const char *libraryName;
|
||||
- PRBool freebl_only = PR_FALSE;
|
||||
- SECStatus rv;
|
||||
+#endif
|
||||
SECStatus rv;
|
||||
|
||||
- PORT_Assert(self_tests_freebl_ran == PR_FALSE);
|
||||
- PORT_Assert(self_tests_success == PR_FALSE);
|
||||
@ -581,20 +516,11 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
- freebl_only = PR_TRUE;
|
||||
- }
|
||||
-#endif
|
||||
+/* crypto algorithms selftest wrapper */
|
||||
+static fips_check_status
|
||||
+fips_checkCryptoFreebl(void)
|
||||
+{
|
||||
+ SECStatus rv;
|
||||
|
||||
-
|
||||
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
|
||||
|
||||
if (!freebl_only) {
|
||||
self_tests_ran = PR_TRUE; /* we're running all the tests */
|
||||
BL_Init(); /* needs to be called before RSA can be used */
|
||||
RNG_RNGInit();
|
||||
}
|
||||
|
||||
@@ -2229,20 +2222,55 @@ bl_startup_tests(void)
|
||||
/* always run the post tests */
|
||||
rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST);
|
||||
if (rv != SECSuccess) {
|
||||
@ -652,8 +578,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
}
|
||||
|
||||
/*
|
||||
* this is called from the freebl init entry points that controll access to
|
||||
* all other freebl functions. This prevents freebl from operating if our
|
||||
@@ -2251,28 +2279,91 @@ bl_startup_tests(void)
|
||||
* power on selftest failed.
|
||||
*/
|
||||
SECStatus
|
||||
@ -755,15 +680,11 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
+}
|
||||
+
|
||||
#endif
|
||||
diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
|
||||
--- a/lib/freebl/loader.c
|
||||
+++ b/lib/freebl/loader.c
|
||||
@@ -1208,36 +1208,36 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
|
||||
{
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
|
||||
return SECFailure;
|
||||
return vector->p_AESKeyWrap_DecryptKWP(cx, output, outputLen, maxOutputLen,
|
||||
input, inputLen);
|
||||
Index: nss/lib/freebl/loader.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/loader.c
|
||||
+++ nss/lib/freebl/loader.c
|
||||
@@ -1213,11 +1213,11 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
|
||||
}
|
||||
|
||||
PRBool
|
||||
@ -777,9 +698,7 @@ diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
|
||||
}
|
||||
|
||||
/*
|
||||
* The Caller is expected to pass NULL as the name, which will
|
||||
* trigger the p_BLAPI_VerifySelf() to return 'TRUE'. Pass the real
|
||||
* name of the shared library we loaded (the static libraryName set
|
||||
@@ -1227,12 +1227,12 @@ BLAPI_SHVerify(const char *name, PRFuncP
|
||||
* in freebl_LoadDSO) to p_BLAPI_VerifySelf.
|
||||
*/
|
||||
PRBool
|
||||
@ -794,17 +713,7 @@ diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
|
||||
}
|
||||
|
||||
/* ============== New for 3.006 =============================== */
|
||||
|
||||
SECStatus
|
||||
EC_NewKey(ECParams *params, ECPrivateKey **privKey)
|
||||
{
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
|
||||
@@ -1831,21 +1831,21 @@ void
|
||||
SHA224_Clone(SHA224Context *dest, SHA224Context *src)
|
||||
{
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
|
||||
return;
|
||||
(vector->p_SHA224_Clone)(dest, src);
|
||||
@@ -1836,11 +1836,11 @@ SHA224_Clone(SHA224Context *dest, SHA224
|
||||
}
|
||||
|
||||
PRBool
|
||||
@ -818,20 +727,11 @@ diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
|
||||
}
|
||||
|
||||
/* === new for DSA-2 === */
|
||||
SECStatus
|
||||
PQG_ParamGenV2(unsigned int L, unsigned int N, unsigned int seedBytes,
|
||||
PQGParams **pParams, PQGVerify **pVfy)
|
||||
{
|
||||
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
|
||||
diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h
|
||||
--- a/lib/freebl/loader.h
|
||||
+++ b/lib/freebl/loader.h
|
||||
@@ -294,18 +294,18 @@ struct FREEBLVectorStr {
|
||||
|
||||
SECStatus (*p_AESKeyWrap_Decrypt)(AESKeyWrapContext *cx,
|
||||
unsigned char *output,
|
||||
unsigned int *outputLen, unsigned int maxOutputLen,
|
||||
const unsigned char *input, unsigned int inputLen);
|
||||
Index: nss/lib/freebl/loader.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/loader.h
|
||||
+++ nss/lib/freebl/loader.h
|
||||
@@ -299,8 +299,8 @@ struct FREEBLVectorStr {
|
||||
|
||||
/* Version 3.004 came to here */
|
||||
|
||||
@ -842,17 +742,7 @@ diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h
|
||||
|
||||
/* Version 3.005 came to here */
|
||||
|
||||
SECStatus (*p_EC_NewKey)(ECParams *params,
|
||||
ECPrivateKey **privKey);
|
||||
|
||||
SECStatus (*p_EC_NewKeyFromSeed)(ECParams *params,
|
||||
ECPrivateKey **privKey,
|
||||
@@ -551,17 +551,17 @@ struct FREEBLVectorStr {
|
||||
SECStatus (*p_SHA224_HashBuf)(unsigned char *dest, const unsigned char *src,
|
||||
PRUint32 src_length);
|
||||
SECStatus (*p_SHA224_Hash)(unsigned char *dest, const char *src);
|
||||
void (*p_SHA224_TraceState)(SHA224Context *cx);
|
||||
unsigned int (*p_SHA224_FlattenSize)(SHA224Context *cx);
|
||||
@@ -556,7 +556,7 @@ struct FREEBLVectorStr {
|
||||
SECStatus (*p_SHA224_Flatten)(SHA224Context *cx, unsigned char *space);
|
||||
SHA224Context *(*p_SHA224_Resurrect)(unsigned char *space, void *arg);
|
||||
void (*p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src);
|
||||
@ -861,20 +751,11 @@ diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h
|
||||
|
||||
/* Version 3.013 came to here */
|
||||
|
||||
SECStatus (*p_PQG_ParamGenV2)(unsigned int L, unsigned int N,
|
||||
unsigned int seedBytes,
|
||||
PQGParams **pParams, PQGVerify **pVfy);
|
||||
SECStatus (*p_PRNGTEST_RunHealthTests)(void);
|
||||
|
||||
diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
|
||||
--- a/lib/freebl/manifest.mn
|
||||
+++ b/lib/freebl/manifest.mn
|
||||
@@ -92,16 +92,17 @@ PRIVATE_EXPORTS = \
|
||||
chacha20poly1305.h \
|
||||
hmacct.h \
|
||||
secmpi.h \
|
||||
secrng.h \
|
||||
ec.h \
|
||||
Index: nss/lib/freebl/manifest.mn
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/manifest.mn
|
||||
+++ nss/lib/freebl/manifest.mn
|
||||
@@ -97,6 +97,7 @@ PRIVATE_EXPORTS = \
|
||||
ecl.h \
|
||||
ecl-curve.h \
|
||||
eclt.h \
|
||||
@ -882,17 +763,7 @@ diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
|
||||
$(NULL)
|
||||
|
||||
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
|
||||
MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
|
||||
|
||||
|
||||
ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h
|
||||
ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \
|
||||
@@ -181,16 +182,17 @@ ALL_HDRS = \
|
||||
rijndael.h \
|
||||
camellia.h \
|
||||
secmpi.h \
|
||||
sha_fast.h \
|
||||
sha256.h \
|
||||
@@ -186,6 +187,7 @@ ALL_HDRS = \
|
||||
shsign.h \
|
||||
vis_proto.h \
|
||||
seed.h \
|
||||
@ -900,20 +771,11 @@ diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
|
||||
$(NULL)
|
||||
|
||||
|
||||
ifdef AES_GEN_VAL
|
||||
DEFINES += -DRIJNDAEL_GENERATE_VALUES
|
||||
else
|
||||
ifdef AES_GEN_VAL_M
|
||||
DEFINES += -DRIJNDAEL_GENERATE_VALUES_MACRO
|
||||
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
--- a/lib/freebl/shvfy.c
|
||||
+++ b/lib/freebl/shvfy.c
|
||||
@@ -16,16 +16,18 @@
|
||||
#include "stdio.h"
|
||||
#include "prmem.h"
|
||||
#include "hasht.h"
|
||||
#include "pqg.h"
|
||||
#include "blapii.h"
|
||||
Index: nss/lib/freebl/shvfy.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/shvfy.c
|
||||
+++ nss/lib/freebl/shvfy.c
|
||||
@@ -22,6 +22,8 @@
|
||||
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
|
||||
@ -922,17 +784,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
/*
|
||||
* Most modern version of Linux support a speed optimization scheme where an
|
||||
* application called prelink modifies programs and shared libraries to quickly
|
||||
* load if they fit into an already designed address space. In short, prelink
|
||||
* scans the list of programs and libraries on your system, assigns them a
|
||||
* predefined space in the the address space, then provides the fixups to the
|
||||
* library.
|
||||
|
||||
@@ -225,18 +227,16 @@ bl_CloseUnPrelink(PRFileDesc *file, int
|
||||
PR_Close(file);
|
||||
/* reap the child */
|
||||
if (pid) {
|
||||
waitpid(pid, NULL, 0);
|
||||
}
|
||||
@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -941,17 +793,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
static char *
|
||||
mkCheckFileName(const char *libName)
|
||||
{
|
||||
int ln_len = PORT_Strlen(libName);
|
||||
int index = ln_len + 1 - sizeof("." SHLIB_SUFFIX);
|
||||
char *output = PORT_Alloc(ln_len + sizeof(SGN_SUFFIX));
|
||||
if (!output) {
|
||||
PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
@@ -281,52 +281,52 @@ readItem(PRFileDesc *fd, SECItem *item)
|
||||
PORT_Free(item->data);
|
||||
item->data = NULL;
|
||||
item->len = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item)
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
@ -975,10 +817,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
|
||||
loser:
|
||||
if (shName != NULL) {
|
||||
PR_Free(shName);
|
||||
}
|
||||
|
||||
return result;
|
||||
@@ -310,19 +310,19 @@ loser:
|
||||
}
|
||||
|
||||
PRBool
|
||||
@ -1003,17 +842,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
{
|
||||
char *checkName = NULL;
|
||||
PRFileDesc *checkFD = NULL;
|
||||
PRFileDesc *shFD = NULL;
|
||||
void *hashcx = NULL;
|
||||
const SECHashObject *hashObj = NULL;
|
||||
SECItem signature = { 0, NULL, 0 };
|
||||
SECItem hash;
|
||||
@@ -334,17 +334,17 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
SECStatus rv;
|
||||
DSAPublicKey key;
|
||||
int count;
|
||||
#ifdef FREEBL_USE_PRELINK
|
||||
int pid = 0;
|
||||
@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
#endif
|
||||
|
||||
PRBool result = PR_FALSE; /* if anything goes wrong,
|
||||
@ -1022,17 +851,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
unsigned char buf[4096];
|
||||
unsigned char hashBuf[HASH_LENGTH_MAX];
|
||||
|
||||
PORT_Memset(&key, 0, sizeof(key));
|
||||
hash.data = hashBuf;
|
||||
hash.len = sizeof(hashBuf);
|
||||
|
||||
/* If our integrity check was never ran or failed, fail any other
|
||||
@@ -361,24 +361,27 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
checkName = mkCheckFileName(shName);
|
||||
if (!checkName) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
/* open the check File */
|
||||
checkFD = PR_Open(checkName, PR_RDONLY, 0);
|
||||
if (checkFD == NULL) {
|
||||
@ -1053,17 +872,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
bytesRead = PR_Read(checkFD, buf, 12);
|
||||
if (bytesRead != 12) {
|
||||
goto loser;
|
||||
}
|
||||
if ((buf[0] != NSS_SIGN_CHK_MAGIC1) || (buf[1] != NSS_SIGN_CHK_MAGIC2)) {
|
||||
goto loser;
|
||||
}
|
||||
if ((buf[2] != NSS_SIGN_CHK_MAJOR_VERSION) ||
|
||||
@@ -409,46 +412,47 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
rv = readItem(checkFD, &key.params.base);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
rv = readItem(checkFD, &key.publicValue);
|
||||
@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
@ -1073,14 +882,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
rv = readItem(checkFD, &signature);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* done with the check file */
|
||||
PR_Close(checkFD);
|
||||
checkFD = NULL;
|
||||
|
||||
hashObj = HASH_GetRawHashObject(PQG_GetHashType(&key.params));
|
||||
if (hashObj == NULL) {
|
||||
@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
goto loser;
|
||||
}
|
||||
|
||||
@ -1089,7 +891,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
#ifdef FREEBL_USE_PRELINK
|
||||
shFD = bl_OpenUnPrelink(shName, &pid);
|
||||
#else
|
||||
shFD = PR_Open(shName, PR_RDONLY, 0);
|
||||
@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
#endif
|
||||
if (shFD == NULL) {
|
||||
#ifdef DEBUG_SHVERIFY
|
||||
@ -1106,17 +908,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
hashcx = hashObj->create();
|
||||
if (hashcx == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
hashObj->begin(hashcx);
|
||||
|
||||
count = 0;
|
||||
while ((bytesRead = PR_Read(shFD, buf, sizeof(buf))) > 0) {
|
||||
@@ -523,26 +527,26 @@ loser:
|
||||
if (key.publicValue.data != NULL) {
|
||||
PORT_Free(key.publicValue.data);
|
||||
}
|
||||
|
||||
return result;
|
||||
@@ -531,7 +535,7 @@ loser:
|
||||
}
|
||||
|
||||
PRBool
|
||||
@ -1125,8 +917,7 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
{
|
||||
if (name == NULL) {
|
||||
/*
|
||||
* If name is NULL, freebl is statically linked into softoken.
|
||||
* softoken will call BLAPI_SHVerify next to verify itself.
|
||||
@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name)
|
||||
*/
|
||||
return PR_TRUE;
|
||||
}
|
||||
@ -1135,15 +926,10 @@ diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
}
|
||||
|
||||
#else /* NSS_FIPS_DISABLED */
|
||||
|
||||
PRBool
|
||||
BLAPI_SHVerifyFile(const char *shName)
|
||||
{
|
||||
return PR_FALSE;
|
||||
diff --git a/lib/softoken/fips.c b/lib/softoken/fips.c
|
||||
new file mode 100644
|
||||
Index: nss/lib/softoken/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/softoken/fips.c
|
||||
+++ nss/lib/softoken/fips.c
|
||||
@@ -0,0 +1,33 @@
|
||||
+#include "../freebl/fips-selftest.inc"
|
||||
+
|
||||
@ -1178,10 +964,10 @@ new file mode 100644
|
||||
+
|
||||
+ return;
|
||||
+}
|
||||
diff --git a/lib/softoken/fips.h b/lib/softoken/fips.h
|
||||
new file mode 100644
|
||||
Index: nss/lib/softoken/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/softoken/fips.h
|
||||
+++ nss/lib/softoken/fips.h
|
||||
@@ -0,0 +1,10 @@
|
||||
+#ifndef FIPS_H
|
||||
+#define FIPS_H
|
||||
@ -1193,15 +979,11 @@ new file mode 100644
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
--- a/lib/softoken/fipstest.c
|
||||
+++ b/lib/softoken/fipstest.c
|
||||
@@ -677,39 +677,360 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
return (SECFailure);
|
||||
}
|
||||
#endif
|
||||
|
||||
Index: nss/lib/softoken/fipstest.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/fipstest.c
|
||||
+++ nss/lib/softoken/fipstest.c
|
||||
@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
||||
return (SECSuccess);
|
||||
}
|
||||
|
||||
@ -1529,11 +1311,7 @@ diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
static PRBool sftk_self_tests_ran = PR_FALSE;
|
||||
static PRBool sftk_self_tests_success = PR_FALSE;
|
||||
|
||||
/*
|
||||
* This function is called at dll load time, the code tha makes this
|
||||
* happen is platform specific on defined above.
|
||||
*/
|
||||
static void
|
||||
@@ -693,7 +1014,6 @@ static void
|
||||
sftk_startup_tests(void)
|
||||
{
|
||||
SECStatus rv;
|
||||
@ -1541,11 +1319,7 @@ diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
|
||||
PORT_Assert(!sftk_self_tests_ran);
|
||||
PORT_Assert(!sftk_self_tests_success);
|
||||
sftk_self_tests_ran = PR_TRUE;
|
||||
sftk_self_tests_success = PR_FALSE; /* just in case */
|
||||
|
||||
/* need to initiallize the oid library before the RSA tests */
|
||||
rv = SECOID_Init();
|
||||
@@ -705,6 +1025,7 @@ sftk_startup_tests(void)
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
@ -1553,17 +1327,7 @@ diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
/* make sure freebl is initialized, or our RSA check
|
||||
* may fail. This is normally done at freebl load time, but it's
|
||||
* possible we may have shut freebl down without unloading it. */
|
||||
rv = BL_Init();
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -717,22 +1038,31 @@ sftk_startup_tests(void)
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
/* check the RSA combined functions in softoken */
|
||||
rv = sftk_fips_RSA_PowerUpSelfTest();
|
||||
@@ -722,12 +1043,21 @@ sftk_startup_tests(void)
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
@ -1589,17 +1353,7 @@ diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
rv = sftk_fips_IKE_PowerUpSelfTests();
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
|
||||
rv = sftk_fips_SP800_108_PowerUpSelfTests();
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
@@ -754,27 +1084,21 @@ sftk_startup_tests(void)
|
||||
/*
|
||||
* this is called from nsc_Common_Initizialize entry points that gates access
|
||||
* to * all other pkcs11 functions. This prevents softoken operation if our
|
||||
* power on selftest failed.
|
||||
*/
|
||||
@@ -759,17 +1089,11 @@ sftk_startup_tests(void)
|
||||
CK_RV
|
||||
sftk_FIPSEntryOK()
|
||||
{
|
||||
@ -1619,15 +1373,10 @@ diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
if (!sftk_self_tests_success) {
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
||||
return CKR_OK;
|
||||
}
|
||||
#else
|
||||
#include "pkcs11t.h"
|
||||
CK_RV
|
||||
diff --git a/lib/softoken/legacydb/fips.c b/lib/softoken/legacydb/fips.c
|
||||
new file mode 100644
|
||||
Index: nss/lib/softoken/legacydb/fips.c
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/softoken/legacydb/fips.c
|
||||
+++ nss/lib/softoken/legacydb/fips.c
|
||||
@@ -0,0 +1,25 @@
|
||||
+#include "../../freebl/fips-selftest.inc"
|
||||
+
|
||||
@ -1654,25 +1403,21 @@ new file mode 100644
|
||||
+
|
||||
+/*** public per-module symbols ***/
|
||||
+
|
||||
diff --git a/lib/softoken/legacydb/fips.h b/lib/softoken/legacydb/fips.h
|
||||
new file mode 100644
|
||||
Index: nss/lib/softoken/legacydb/fips.h
|
||||
===================================================================
|
||||
--- /dev/null
|
||||
+++ b/lib/softoken/legacydb/fips.h
|
||||
+++ nss/lib/softoken/legacydb/fips.h
|
||||
@@ -0,0 +1,5 @@
|
||||
+#ifndef FIPS_H
|
||||
+#define FIPS_H
|
||||
+
|
||||
+#endif
|
||||
+
|
||||
diff --git a/lib/softoken/legacydb/lgfips.c b/lib/softoken/legacydb/lgfips.c
|
||||
--- a/lib/softoken/legacydb/lgfips.c
|
||||
+++ b/lib/softoken/legacydb/lgfips.c
|
||||
@@ -85,17 +85,17 @@ lg_startup_tests(void)
|
||||
|
||||
PORT_Assert(!lg_self_tests_ran);
|
||||
PORT_Assert(!lg_self_tests_success);
|
||||
lg_self_tests_ran = PR_TRUE;
|
||||
lg_self_tests_success = PR_FALSE; /* just in case */
|
||||
Index: nss/lib/softoken/legacydb/lgfips.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/legacydb/lgfips.c
|
||||
+++ nss/lib/softoken/legacydb/lgfips.c
|
||||
@@ -90,7 +90,7 @@ lg_startup_tests(void)
|
||||
|
||||
/* no self tests required for the legacy db, only the integrity check */
|
||||
/* check the integrity of our shared library */
|
||||
@ -1681,20 +1426,11 @@ diff --git a/lib/softoken/legacydb/lgfips.c b/lib/softoken/legacydb/lgfips.c
|
||||
/* something is wrong with the library, fail without enabling
|
||||
* the fips token */
|
||||
return;
|
||||
}
|
||||
/* FIPS product has been installed and is functioning, allow
|
||||
* the module to operate in fips mode */
|
||||
lg_self_tests_success = PR_TRUE;
|
||||
}
|
||||
diff --git a/lib/softoken/legacydb/manifest.mn b/lib/softoken/legacydb/manifest.mn
|
||||
--- a/lib/softoken/legacydb/manifest.mn
|
||||
+++ b/lib/softoken/legacydb/manifest.mn
|
||||
@@ -7,26 +7,27 @@ CORE_DEPTH = ../../..
|
||||
MODULE = nss
|
||||
|
||||
REQUIRES = dbm
|
||||
|
||||
LIBRARY_NAME = nssdbm
|
||||
Index: nss/lib/softoken/legacydb/manifest.mn
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/legacydb/manifest.mn
|
||||
+++ nss/lib/softoken/legacydb/manifest.mn
|
||||
@@ -12,7 +12,7 @@ LIBRARY_NAME = nssdbm
|
||||
LIBRARY_VERSION = 3
|
||||
MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
|
||||
|
||||
@ -1703,30 +1439,18 @@ diff --git a/lib/softoken/legacydb/manifest.mn b/lib/softoken/legacydb/manifest.
|
||||
|
||||
CSRCS = \
|
||||
dbmshim.c \
|
||||
keydb.c \
|
||||
lgattr.c \
|
||||
lgcreate.c \
|
||||
lgdestroy.c \
|
||||
lgfind.c \
|
||||
lgfips.c \
|
||||
lginit.c \
|
||||
lgutil.c \
|
||||
lowcert.c \
|
||||
@@ -28,5 +28,6 @@ CSRCS = \
|
||||
lowkey.c \
|
||||
pcertdb.c \
|
||||
pk11db.c \
|
||||
+ fips.c \
|
||||
$(NULL)
|
||||
|
||||
diff --git a/lib/softoken/manifest.mn b/lib/softoken/manifest.mn
|
||||
--- a/lib/softoken/manifest.mn
|
||||
+++ b/lib/softoken/manifest.mn
|
||||
@@ -26,16 +26,17 @@ EXPORTS = \
|
||||
|
||||
PRIVATE_EXPORTS = \
|
||||
pkcs11ni.h \
|
||||
softoken.h \
|
||||
softoknt.h \
|
||||
Index: nss/lib/softoken/manifest.mn
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/manifest.mn
|
||||
+++ nss/lib/softoken/manifest.mn
|
||||
@@ -31,6 +31,7 @@ PRIVATE_EXPORTS = \
|
||||
softkver.h \
|
||||
sdb.h \
|
||||
sftkdbt.h \
|
||||
@ -1734,17 +1458,7 @@ diff --git a/lib/softoken/manifest.mn b/lib/softoken/manifest.mn
|
||||
$(NULL)
|
||||
|
||||
CSRCS = \
|
||||
fipsaudt.c \
|
||||
fipstest.c \
|
||||
fipstokn.c \
|
||||
kbkdf.c \
|
||||
lowkey.c \
|
||||
@@ -50,16 +51,17 @@ CSRCS = \
|
||||
sftkhmac.c \
|
||||
sftkike.c \
|
||||
sftkmessage.c \
|
||||
sftkpars.c \
|
||||
sftkpwd.c \
|
||||
@@ -55,6 +56,7 @@ CSRCS = \
|
||||
softkver.c \
|
||||
tlsprf.c \
|
||||
jpakesftk.c \
|
||||
@ -1752,8 +1466,3 @@ diff --git a/lib/softoken/manifest.mn b/lib/softoken/manifest.mn
|
||||
$(NULL)
|
||||
|
||||
ifndef NSS_DISABLE_DBM
|
||||
PRIVATE_EXPORTS += lgglue.h
|
||||
CSRCS += lgglue.c
|
||||
endif
|
||||
|
||||
ifdef SQLITE_UNSAFE_THREADS
|
||||
|
@ -11,10 +11,11 @@ From b88701933a284ba8640df66b954c04d36ee592c9 Mon Sep 17 00:00:00 2001
|
||||
nss/lib/freebl/fipsfreebl.c | 143 +++++++++++++++++++++++++++-----------------
|
||||
2 files changed, 90 insertions(+), 55 deletions(-)
|
||||
|
||||
diff --git a/lib/freebl/dsa.c b/lib/freebl/dsa.c
|
||||
--- a/lib/freebl/dsa.c
|
||||
+++ b/lib/freebl/dsa.c
|
||||
@@ -533,7 +533,7 @@
|
||||
Index: nss/lib/freebl/dsa.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/dsa.c
|
||||
+++ nss/lib/freebl/dsa.c
|
||||
@@ -536,7 +536,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -23,10 +24,11 @@ diff --git a/lib/freebl/dsa.c b/lib/freebl/dsa.c
|
||||
SECStatus
|
||||
DSA_SignDigestWithSeed(DSAPrivateKey *key,
|
||||
SECItem *signature,
|
||||
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
--- a/lib/freebl/fipsfreebl.c
|
||||
+++ b/lib/freebl/fipsfreebl.c
|
||||
@@ -124,11 +124,11 @@
|
||||
Index: nss/lib/freebl/fipsfreebl.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/fipsfreebl.c
|
||||
+++ nss/lib/freebl/fipsfreebl.c
|
||||
@@ -126,11 +126,11 @@ BOOL WINAPI DllMain(
|
||||
|
||||
/* FIPS preprocessor directives for DSA. */
|
||||
#define FIPS_DSA_TYPE siBuffer
|
||||
@ -43,7 +45,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
|
||||
/* FIPS preprocessor directives for RNG. */
|
||||
#define FIPS_RNG_XKEY_LENGTH 32 /* 256-bits */
|
||||
@@ -1445,70 +1445,105 @@
|
||||
@@ -1669,70 +1669,105 @@ freebl_fips_EC_PowerUpSelfTest()
|
||||
static SECStatus
|
||||
freebl_fips_DSA_PowerUpSelfTest(void)
|
||||
{
|
||||
@ -197,7 +199,7 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
};
|
||||
|
||||
/* DSA variables. */
|
||||
@@ -1550,7 +1585,7 @@
|
||||
@@ -1774,7 +1809,7 @@ freebl_fips_DSA_PowerUpSelfTest(void)
|
||||
dsa_signature_item.len = sizeof dsa_computed_signature;
|
||||
|
||||
dsa_digest_item.data = (unsigned char *)dsa_known_digest;
|
||||
|
@ -10,10 +10,11 @@ From 41dd171b242b0cb550d12760da110db7e2c21daf Mon Sep 17 00:00:00 2001
|
||||
nss/lib/freebl/gcm.c | 16 ++++++++++++++++
|
||||
1 file changed, 16 insertions(+)
|
||||
|
||||
diff -r f5cf5d16deb6 -r 5396ffb26887 lib/freebl/gcm.c
|
||||
--- a/lib/freebl/gcm.c Wed Nov 20 08:23:35 2019 +0100
|
||||
+++ b/lib/freebl/gcm.c Wed Nov 20 08:25:39 2019 +0100
|
||||
@@ -532,8 +532,14 @@
|
||||
Index: nss/lib/freebl/gcm.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/gcm.c
|
||||
+++ nss/lib/freebl/gcm.c
|
||||
@@ -532,8 +532,14 @@ struct GCMContextStr {
|
||||
unsigned char tagKey[MAX_BLOCK_SIZE];
|
||||
PRBool ctr_context_init;
|
||||
gcmIVContext gcm_iv;
|
||||
@ -28,7 +29,7 @@ diff -r f5cf5d16deb6 -r 5396ffb26887 lib/freebl/gcm.c
|
||||
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
|
||||
unsigned int ivLen, unsigned int tagBits,
|
||||
const unsigned char *aad, unsigned int aadLen);
|
||||
@@ -669,6 +675,8 @@
|
||||
@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u
|
||||
goto loser;
|
||||
}
|
||||
|
||||
@ -37,7 +38,7 @@ diff -r f5cf5d16deb6 -r 5396ffb26887 lib/freebl/gcm.c
|
||||
/* finally mix in the AAD data */
|
||||
rv = gcmHash_Reset(ghash, aad, aadLen);
|
||||
if (rv != SECSuccess) {
|
||||
@@ -766,6 +774,13 @@
|
||||
@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
@ -51,7 +52,7 @@ diff -r f5cf5d16deb6 -r 5396ffb26887 lib/freebl/gcm.c
|
||||
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
|
||||
if (UINT_MAX - inlen < tagBytes) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
@@ -794,6 +809,7 @@
|
||||
@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
||||
*outlen = 0;
|
||||
return SECFailure;
|
||||
};
|
||||
|
@ -10,10 +10,11 @@ From 2a162c34b7aad7399f33069cd9930fd92714861c Mon Sep 17 00:00:00 2001
|
||||
nss/lib/softoken/pkcs11c.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -4730,8 +4730,8 @@
|
||||
Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -4822,8 +4822,8 @@ loser:
|
||||
return crv;
|
||||
}
|
||||
|
||||
@ -24,7 +25,7 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
|
||||
/*
|
||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||
@@ -5591,6 +5591,7 @@
|
||||
@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
(PRUint32)crv);
|
||||
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
|
||||
}
|
||||
|
@ -13,10 +13,11 @@ From ca3b695ac461eccf4ed97e1b3fe0a311c80a792f Mon Sep 17 00:00:00 2001
|
||||
nss/lib/softoken/pkcs11c.c | 4 +--
|
||||
4 files changed, 90 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
--- a/lib/freebl/md5.c
|
||||
+++ b/lib/freebl/md5.c
|
||||
@@ -217,13 +217,11 @@
|
||||
Index: nss/lib/freebl/md5.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/md5.c
|
||||
+++ nss/lib/freebl/md5.c
|
||||
@@ -217,13 +217,11 @@ MD5_HashBuf(unsigned char *dest, const u
|
||||
}
|
||||
|
||||
MD5Context *
|
||||
@ -31,7 +32,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context));
|
||||
if (cx == NULL) {
|
||||
PORT_SetError(PR_OUT_OF_MEMORY_ERROR);
|
||||
@@ -232,6 +230,13 @@
|
||||
@@ -232,6 +230,13 @@ MD5_NewContext(void)
|
||||
return cx;
|
||||
}
|
||||
|
||||
@ -45,7 +46,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
void
|
||||
MD5_DestroyContext(MD5Context *cx, PRBool freeit)
|
||||
{
|
||||
@@ -243,10 +248,8 @@
|
||||
@@ -243,10 +248,8 @@ MD5_DestroyContext(MD5Context *cx, PRBoo
|
||||
}
|
||||
|
||||
void
|
||||
@ -57,7 +58,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
cx->lsbInput = 0;
|
||||
cx->msbInput = 0;
|
||||
/* memset(cx->inBuf, 0, sizeof(cx->inBuf)); */
|
||||
@@ -256,6 +259,13 @@
|
||||
@@ -256,6 +259,13 @@ MD5_Begin(MD5Context *cx)
|
||||
cx->cv[3] = CV0_4;
|
||||
}
|
||||
|
||||
@ -71,7 +72,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
#define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s))
|
||||
|
||||
#if defined(SOLARIS) || defined(HPUX)
|
||||
@@ -431,14 +441,12 @@
|
||||
@@ -431,14 +441,12 @@ md5_compress(MD5Context *cx, const PRUin
|
||||
}
|
||||
|
||||
void
|
||||
@ -87,7 +88,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
/* Add the number of input bytes to the 64-bit input counter. */
|
||||
addto64(cx->msbInput, cx->lsbInput, inputLen);
|
||||
if (inBufIndex) {
|
||||
@@ -487,6 +495,13 @@
|
||||
@@ -487,6 +495,13 @@ MD5_Update(MD5Context *cx, const unsigne
|
||||
memcpy(cx->inBuf, input, inputLen);
|
||||
}
|
||||
|
||||
@ -101,7 +102,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
static const unsigned char padbytes[] = {
|
||||
0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
||||
@@ -503,8 +518,8 @@
|
||||
@@ -503,8 +518,8 @@ static const unsigned char padbytes[] =
|
||||
};
|
||||
|
||||
void
|
||||
@ -112,7 +113,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
{
|
||||
#ifndef IS_LITTLE_ENDIAN
|
||||
PRUint32 tmp;
|
||||
@@ -512,8 +527,6 @@
|
||||
@@ -512,8 +527,6 @@ MD5_End(MD5Context *cx, unsigned char *d
|
||||
PRUint32 lowInput, highInput;
|
||||
PRUint32 inBufIndex = cx->lsbInput & 63;
|
||||
|
||||
@ -121,7 +122,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (maxDigestLen < MD5_HASH_LEN) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return;
|
||||
@@ -525,10 +538,10 @@
|
||||
@@ -525,10 +538,10 @@ MD5_End(MD5Context *cx, unsigned char *d
|
||||
lowInput <<= 3;
|
||||
|
||||
if (inBufIndex < MD5_END_BUFFER) {
|
||||
@ -135,7 +136,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
}
|
||||
|
||||
/* Store the number of bytes input (before padding) in final 64 bits. */
|
||||
@@ -554,16 +567,22 @@
|
||||
@@ -554,16 +567,22 @@ MD5_End(MD5Context *cx, unsigned char *d
|
||||
}
|
||||
|
||||
void
|
||||
@ -162,7 +163,7 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
if (maxDigestLen < MD5_HASH_LEN) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return;
|
||||
@@ -581,6 +600,14 @@
|
||||
@@ -581,6 +600,14 @@ MD5_EndRaw(MD5Context *cx, unsigned char
|
||||
*digestLen = MD5_HASH_LEN;
|
||||
}
|
||||
|
||||
@ -177,10 +178,11 @@ diff --git a/lib/freebl/md5.c b/lib/freebl/md5.c
|
||||
unsigned int
|
||||
MD5_FlattenSize(MD5Context *cx)
|
||||
{
|
||||
diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
|
||||
--- a/lib/freebl/rawhash.c
|
||||
+++ b/lib/freebl/rawhash.c
|
||||
@@ -154,3 +154,40 @@
|
||||
Index: nss/lib/freebl/rawhash.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/rawhash.c
|
||||
+++ nss/lib/freebl/rawhash.c
|
||||
@@ -154,3 +154,40 @@ HASH_GetRawHashObject(HASH_HashType hash
|
||||
}
|
||||
return &SECRawHashObjects[hashType];
|
||||
}
|
||||
@ -221,9 +223,10 @@ diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c
|
||||
+
|
||||
+ return &SECRawHashObjects[hashType];
|
||||
+}
|
||||
diff --git a/lib/freebl/tlsprfalg.c b/lib/freebl/tlsprfalg.c
|
||||
--- a/lib/freebl/tlsprfalg.c
|
||||
+++ b/lib/freebl/tlsprfalg.c
|
||||
Index: nss/lib/freebl/tlsprfalg.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/tlsprfalg.c
|
||||
+++ nss/lib/freebl/tlsprfalg.c
|
||||
@@ -12,6 +12,9 @@
|
||||
#include "hasht.h"
|
||||
#include "alghmac.h"
|
||||
@ -234,7 +237,7 @@ diff --git a/lib/freebl/tlsprfalg.c b/lib/freebl/tlsprfalg.c
|
||||
#define PHASH_STATE_MAX_LEN HASH_LENGTH_MAX
|
||||
|
||||
/* TLS P_hash function */
|
||||
@@ -27,7 +30,7 @@
|
||||
@@ -27,7 +30,7 @@ TLS_P_hash(HASH_HashType hashType, const
|
||||
SECStatus status;
|
||||
HMACContext *cx;
|
||||
SECStatus rv = SECFailure;
|
||||
@ -243,10 +246,11 @@ diff --git a/lib/freebl/tlsprfalg.c b/lib/freebl/tlsprfalg.c
|
||||
|
||||
PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len));
|
||||
PORT_Assert((seed != NULL) && (seed->data != NULL));
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -6953,7 +6953,7 @@
|
||||
Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
SFTKAttribute *att2 = NULL;
|
||||
unsigned char *buf;
|
||||
SHA1Context *sha;
|
||||
@ -255,7 +259,7 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
MD2Context *md2;
|
||||
CK_ULONG macSize;
|
||||
CK_ULONG tmpKeySize;
|
||||
@@ -7484,7 +7484,7 @@
|
||||
@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
}
|
||||
sftk_FreeAttribute(att2);
|
||||
md5 = MD5_NewContext();
|
||||
|
@ -8,10 +8,11 @@ commit c2a88344b616c75b1873fb163491d7362a4c3e5b
|
||||
Author: Hans Petter Jansson <hpj@cl.no>
|
||||
11
|
||||
|
||||
diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
|
||||
--- a/coreconf/Linux.mk
|
||||
+++ b/coreconf/Linux.mk
|
||||
@@ -184,6 +184,18 @@
|
||||
Index: nss/coreconf/Linux.mk
|
||||
===================================================================
|
||||
--- nss.orig/coreconf/Linux.mk
|
||||
+++ nss/coreconf/Linux.mk
|
||||
@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro
|
||||
LDFLAGS += -Wl,-z,relro
|
||||
endif
|
||||
|
||||
@ -30,9 +31,10 @@ diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
|
||||
USE_SYSTEM_ZLIB = 1
|
||||
ZLIB_LIBS = -lz
|
||||
|
||||
diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
||||
--- a/lib/freebl/unix_rand.c
|
||||
+++ b/lib/freebl/unix_rand.c
|
||||
Index: nss/lib/freebl/unix_rand.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/unix_rand.c
|
||||
+++ nss/lib/freebl/unix_rand.c
|
||||
@@ -13,6 +13,10 @@
|
||||
#include <sys/wait.h>
|
||||
#include <sys/stat.h>
|
||||
@ -88,7 +90,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
||||
size_t RNG_FileUpdate(const char *fileName, size_t limit);
|
||||
|
||||
/*
|
||||
@@ -862,6 +903,26 @@
|
||||
@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file)
|
||||
size_t
|
||||
RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
{
|
||||
@ -115,7 +117,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
||||
FILE *file;
|
||||
int fd;
|
||||
int bytes;
|
||||
@@ -895,4 +956,5 @@
|
||||
@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
fileBytes = 0;
|
||||
}
|
||||
return fileBytes;
|
||||
|
@ -14,10 +14,11 @@ From 76da775313bd40a1353a9d2f6cc43ebe1a287574 Mon Sep 17 00:00:00 2001
|
||||
nss/lib/freebl/gcm.c | 45 +++++++++++++++++++++++++++++++++----
|
||||
5 files changed, 58 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/freebl/aeskeywrap.c b/lib/freebl/aeskeywrap.c
|
||||
--- a/lib/freebl/aeskeywrap.c
|
||||
+++ b/lib/freebl/aeskeywrap.c
|
||||
@@ -102,6 +102,7 @@
|
||||
Index: nss/lib/freebl/aeskeywrap.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/aeskeywrap.c
|
||||
+++ nss/lib/freebl/aeskeywrap.c
|
||||
@@ -102,6 +102,7 @@ AESKeyWrap_DestroyContext(AESKeyWrapCont
|
||||
{
|
||||
if (cx) {
|
||||
AES_DestroyContext(&cx->aescx, PR_FALSE);
|
||||
@ -25,10 +26,11 @@ diff --git a/lib/freebl/aeskeywrap.c b/lib/freebl/aeskeywrap.c
|
||||
/* memset(cx, 0, sizeof *cx); */
|
||||
if (freeit) {
|
||||
PORT_Free(cx->mem);
|
||||
diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
--- a/lib/freebl/cts.c
|
||||
+++ b/lib/freebl/cts.c
|
||||
@@ -37,6 +37,7 @@
|
||||
Index: nss/lib/freebl/cts.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/cts.c
|
||||
+++ nss/lib/freebl/cts.c
|
||||
@@ -37,6 +37,7 @@ CTS_CreateContext(void *context, freeblC
|
||||
void
|
||||
CTS_DestroyContext(CTSContext *cts, PRBool freeit)
|
||||
{
|
||||
@ -36,7 +38,7 @@ diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
if (freeit) {
|
||||
PORT_Free(cts);
|
||||
}
|
||||
@@ -135,7 +136,7 @@
|
||||
@@ -135,7 +136,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsig
|
||||
PORT_Memset(lastBlock + inlen, 0, blocksize - inlen);
|
||||
rv = (*cts->cipher)(cts->context, outbuf, &tmp, maxout, lastBlock,
|
||||
blocksize, blocksize);
|
||||
@ -45,7 +47,7 @@ diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
if (rv == SECSuccess) {
|
||||
*outlen = written + blocksize;
|
||||
} else {
|
||||
@@ -230,13 +231,15 @@
|
||||
@@ -230,13 +231,15 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||||
rv = (*cts->cipher)(cts->context, outbuf, outlen, maxout, inbuf,
|
||||
fullblocks, blocksize);
|
||||
if (rv != SECSuccess) {
|
||||
@ -63,7 +65,7 @@ diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
}
|
||||
outbuf += fullblocks;
|
||||
|
||||
@@ -280,9 +283,9 @@
|
||||
@@ -280,9 +283,9 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||||
rv = (*cts->cipher)(cts->context, Pn, &tmpLen, blocksize, lastBlock,
|
||||
blocksize, blocksize);
|
||||
if (rv != SECSuccess) {
|
||||
@ -75,7 +77,7 @@ diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
}
|
||||
/* make up for the out of order CBC decryption */
|
||||
XOR_BLOCK(Pn, Cn_2, blocksize);
|
||||
@@ -297,7 +300,8 @@
|
||||
@@ -297,7 +300,8 @@ CTS_DecryptUpdate(CTSContext *cts, unsig
|
||||
/* clear last block. At this point last block contains Pn xor Cn_1 xor
|
||||
* Cn_2, both of with an attacker would know, so we need to clear this
|
||||
* buffer out */
|
||||
@ -86,10 +88,11 @@ diff --git a/lib/freebl/cts.c b/lib/freebl/cts.c
|
||||
- return SECSuccess;
|
||||
+ return rv;
|
||||
}
|
||||
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
||||
--- a/lib/freebl/dh.c
|
||||
+++ b/lib/freebl/dh.c
|
||||
@@ -192,6 +192,10 @@
|
||||
Index: nss/lib/freebl/dh.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/dh.c
|
||||
+++ nss/lib/freebl/dh.c
|
||||
@@ -193,6 +193,10 @@ cleanup:
|
||||
rv = SECFailure;
|
||||
}
|
||||
if (rv) {
|
||||
@ -100,10 +103,11 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
||||
*privKey = NULL;
|
||||
PORT_FreeArena(arena, PR_TRUE);
|
||||
}
|
||||
diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
|
||||
--- a/lib/freebl/ec.c
|
||||
+++ b/lib/freebl/ec.c
|
||||
@@ -958,7 +958,7 @@
|
||||
Index: nss/lib/freebl/ec.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/ec.c
|
||||
+++ nss/lib/freebl/ec.c
|
||||
@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
|
||||
ECParams *ecParams = NULL;
|
||||
SECItem pointC = { siBuffer, NULL, 0 };
|
||||
int slen; /* length in bytes of a half signature (r or s) */
|
||||
@ -112,10 +116,11 @@ diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c
|
||||
unsigned olen; /* length in bytes of the base point order */
|
||||
unsigned obits; /* length in bits of the base point order */
|
||||
|
||||
diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
--- a/lib/freebl/gcm.c
|
||||
+++ b/lib/freebl/gcm.c
|
||||
@@ -162,6 +162,9 @@
|
||||
Index: nss/lib/freebl/gcm.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/gcm.c
|
||||
+++ nss/lib/freebl/gcm.c
|
||||
@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
|
||||
|
||||
*r_high = (uint64_t)(r >> 64);
|
||||
*r_low = (uint64_t)r;
|
||||
@ -125,7 +130,7 @@ diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
}
|
||||
|
||||
SECStatus
|
||||
@@ -200,6 +203,12 @@
|
||||
@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
|
||||
}
|
||||
ghash->x_low = ci_low;
|
||||
ghash->x_high = ci_high;
|
||||
@ -138,7 +143,7 @@ diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
return SECSuccess;
|
||||
}
|
||||
#else
|
||||
@@ -239,6 +248,10 @@
|
||||
@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
|
||||
z = z0 | z1 | z2 | z3;
|
||||
*r_high = (uint32_t)(z >> 32);
|
||||
*r_low = (uint32_t)z;
|
||||
@ -149,7 +154,7 @@ diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
}
|
||||
|
||||
SECStatus
|
||||
@@ -324,6 +337,20 @@
|
||||
@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
|
||||
ghash->x_high = z_high_h;
|
||||
ghash->x_low = z_high_l;
|
||||
}
|
||||
@ -170,7 +175,7 @@ diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
return SECSuccess;
|
||||
}
|
||||
#endif /* HAVE_INT128_SUPPORT */
|
||||
@@ -859,11 +886,13 @@
|
||||
@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||
/* verify the block */
|
||||
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
|
||||
if (rv != SECSuccess) {
|
||||
@ -186,7 +191,7 @@ diff --git a/lib/freebl/gcm.c b/lib/freebl/gcm.c
|
||||
}
|
||||
/* Don't decrypt if we can't authenticate the encrypted data!
|
||||
* This assumes that if tagBits is not a multiple of 8, intag will
|
||||
@@ -871,10 +900,18 @@
|
||||
@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||
|
@ -1,8 +1,8 @@
|
||||
diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
|
||||
index 956f0e4..b3a352a 100644
|
||||
--- a/coreconf/Linux.mk
|
||||
+++ b/coreconf/Linux.mk
|
||||
@@ -108,11 +108,7 @@ LIBC_TAG = _glibc
|
||||
Index: nss/coreconf/Linux.mk
|
||||
===================================================================
|
||||
--- nss.orig/coreconf/Linux.mk
|
||||
+++ nss/coreconf/Linux.mk
|
||||
@@ -113,11 +113,7 @@ LIBC_TAG = _glibc
|
||||
endif
|
||||
|
||||
ifdef BUILD_OPT
|
||||
|