From 846be6085c105cade0495881af5fb36ea680d7654bcc87b9a9c3b328283e3ee7 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Wed, 5 Jul 2023 11:49:19 +0000 Subject: [PATCH] - update to NSS 3.90 * bmo#1623338 - ride along: remove a duplicated doc page * bmo#1623338 - remove a reference to IRC * bmo#1831983 - clang-format lib/freebl/stubs.c * bmo#1831983 - Add a constant time select function * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. * bmo#1830973 - output early build errors by default * bmo#1804505 - Update the technical constraints for KamuSM * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates * bmo#1790763 - Enable default UBSan Checks * bmo#1786018 - Add explicit handling of zero length records * bmo#1829391 - Tidy up DTLS ACK Error Handling Path * bmo#1786018 - Refactor zero length record tests * bmo#1829112 - Fix compiler warning via correct assert * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator * bmo#1784163 - Fix reading raw negative numbers * bmo#1748237 - Repairing unreachable code in clang built with gyp * bmo#1783647 - Integrate Vale Curve25519 * bmo#1799468 - Removing unused flags for Hacl* * bmo#1748237 - Adding a better error message * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 * bmo#1782980 - Fall back to the softokn when writing certificate trust * bmo#1806010 - FIPS-104-3 requires we restart post programmatically * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13 * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=418 --- baselibs.conf | 2 +- mozilla-nss.changes | 54 +++ mozilla-nss.spec | 27 +- nss-3.89.1.tar.gz | 3 - nss-3.90.tar.gz | 3 + nss-allow-slow-tests.patch | 28 ++ nss-fips-180-3-csp-clearing.patch | 2 +- 
nss-fips-approved-crypto-non-ec.patch | 498 +++++++++++++------- nss-fips-combined-hash-sign-dsa-ecdsa.patch | 16 +- nss-fips-constructor-self-tests.patch | 333 +++++++++---- nss-fips-detect-fips-mode-fixes.patch | 14 +- nss-fips-drbg-libjitter.patch | 111 +++++ nss-fips-pairwise-consistency-check.patch | 4 +- nss-fips-pbkdf-kat-compliance.patch | 11 +- nss-fips-pct-pubkeys.patch | 135 ++++++ nss-fips-rsa-keygen-strictness.patch | 28 +- nss-fips-tests-skip.patch | 19 - nss-fips-tls-allow-md5-prf.patch | 270 ----------- nss-fix-bmo1836925.patch | 69 +++ 19 files changed, 1032 insertions(+), 595 deletions(-) delete mode 100644 nss-3.89.1.tar.gz create mode 100644 nss-3.90.tar.gz create mode 100644 nss-allow-slow-tests.patch create mode 100644 nss-fips-drbg-libjitter.patch create mode 100644 nss-fips-pct-pubkeys.patch delete mode 100644 nss-fips-tests-skip.patch delete mode 100644 nss-fips-tls-allow-md5-prf.patch create mode 100644 nss-fix-bmo1836925.patch diff --git a/baselibs.conf b/baselibs.conf index 50299e9..7842a35 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -10,7 +10,7 @@ libsoftokn3 +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 - provides "libfreebl3-hmac- = -%release" + provides "libfreebl3-hmac- = -%release" obsoletes "libfreebl3-hmac- < -%release" +/lib/libfreebl3.chk +/lib/libfreeblpriv3.chk diff --git a/mozilla-nss.changes b/mozilla-nss.changes index df87f0c..48c5305 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Tue Jul 4 08:20:31 UTC 2023 - Wolfgang Rosenauer + +- update to NSS 3.90 + * bmo#1623338 - ride along: remove a duplicated doc page + * bmo#1623338 - remove a reference to IRC + * bmo#1831983 - clang-format lib/freebl/stubs.c + * bmo#1831983 - Add a constant time select function + * bmo#1774657 - Updating an old dbm with lots of certs with keys to + sql results in a database that is slow to access. + * bmo#1830973 - output early build errors by default + * bmo#1804505 - Update the technical constraints for KamuSM + * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates + * bmo#1790763 - Enable default UBSan Checks + * bmo#1786018 - Add explicit handling of zero length records + * bmo#1829391 - Tidy up DTLS ACK Error Handling Path + * bmo#1786018 - Refactor zero length record tests + * bmo#1829112 - Fix compiler warning via correct assert + * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp + * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths + larger than the output size of the hash function used, + or provide an indicator + * bmo#1784163 - Fix reading raw negative numbers + * bmo#1748237 - Repairing unreachable code in clang built with gyp + * bmo#1783647 - Integrate Vale Curve25519 + * bmo#1799468 - Removing unused flags for Hacl* + * bmo#1748237 - Adding a better error message + * bmo#1727555 - Update HACL* till 51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 + * bmo#1782980 - Fall back to the softokn when writing certificate trust + * bmo#1806010 - FIPS-104-3 requires we restart post programmatically + * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13 + * bmo#1818766 - Update ACVP dockerfile for compatibility with debian + package changes + * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update + whitespace in ECCKiila files + * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf + * 
bmo#1822076 - fix rst warnings in nss doc + * bmo#1821997 - Fix incorrect pygment style + * bmo#1821292 - Change GYP directive to apply across platforms + * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag +- add nss-fix-bmo1836925.patch to fix build-errors +- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need + the workaround in FIPS mode (bsc#1200325) +- Remove nss-fips-tests-skip.patch. This is no longer needed since + we removed the code to short-circuit broken hashes and moved to + using the SLI +- Add nss-allow-slow-tests.patch, which allows a timed test to run + longer than 1s. This avoids turning slow builds into broken builds +- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for + entropy. This is disabled until we can avoid the inline assembler + in the latter's header file that relies on GNU extensions +- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency + checks + ------------------------------------------------------------------- Fri Jun 9 10:41:35 UTC 2023 - Pedro Monreal diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 70ce11d..af9b806 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.89 +%global nss_softokn_fips_version 3.90 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.89.1 +Version: 3.90 Release: 0 -%define underscore_version 3_89_1 +%define underscore_version 3_90 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries 
@@ -65,7 +65,6 @@ Patch19: nss-fips-cavs-dsa-fixes.patch Patch20: nss-fips-cavs-rsa-fixes.patch Patch21: nss-fips-approved-crypto-non-ec.patch Patch22: nss-fips-zeroization.patch -Patch23: nss-fips-tls-allow-md5-prf.patch Patch24: nss-fips-use-strong-random-pool.patch Patch25: nss-fips-detect-fips-mode-fixes.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -74,8 +73,11 @@ Patch37: nss-fips-fix-missing-nspr.patch Patch38: nss-fips-stricter-dh.patch Patch40: nss-fips-180-3-csp-clearing.patch Patch41: nss-fips-pbkdf-kat-compliance.patch -Patch42: nss-fips-tests-skip.patch Patch44: nss-fips-tests-enable-fips.patch +Patch45: nss-fips-drbg-libjitter.patch +Patch46: nss-allow-slow-tests.patch +Patch47: nss-fips-pct-pubkeys.patch +Patch48: nss-fix-bmo1836925.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -86,6 +88,12 @@ BuildRequires: pkgconfig BuildRequires: pkgconfig(nspr) >= %{NSPR_min_version} BuildRequires: pkgconfig(sqlite3) BuildRequires: pkgconfig(zlib) +%if 0%{?sle_version} >= 150400 +BuildRequires: jitterentropy-devel +# Libjitter needs to be present before AND after the install +Requires(pre): libjitterentropy3 +Requires: libjitterentropy3 +%endif Requires: libfreebl3 >= %{nss_softokn_fips_version} Requires: libsoftokn3 >= %{nss_softokn_fips_version} Requires: mozilla-nspr >= %{NSPR_min_version} @@ -209,7 +217,6 @@ cd nss %patch20 -p1 %patch21 -p1 %patch22 -p1 -%patch23 -p1 %patch24 -p1 %patch25 -p1 %patch26 -p1 @@ -218,8 +225,14 @@ cd nss %patch38 -p1 %patch40 -p1 %patch41 -p1 -%patch42 -p1 %patch44 -p1 +# Libjitter only for SLE15 SP4+ +%if 0%{?sle_version} >= 150400 +%patch45 -p1 +%endif +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-3.89.1.tar.gz b/nss-3.89.1.tar.gz deleted file mode 100644 index f0d2c35..0000000 --- a/nss-3.89.1.tar.gz +++ /dev/null 
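Review bot: The libjitterentropy dependencies added in the @@ -86,6 hunk (`Requires(pre): libjitterentropy3` and `Requires: libjitterentropy3`, both unversioned) and the conditional `%patch45 -p1` in the @@ -218,8 hunk are gated on `0%{?sle_version} >= 150400`, which is false wherever sle_version is undefined, yet the .changes entry for the same patch says the libjitter entropy source "is disabled until we can avoid the inline assembler"; from the spec alone a reader cannot tell whether the dependency is being pulled in for code that is compiled out. The existing comment `# Libjitter needs to be present before AND after the install` should name the scriptlet that needs the library at install time and say whether softoken links it or dlopens it, since the explicit Requires is only needed in the latter case (otherwise the automatic shared-library dependency covers it). A minimum version on `Requires: libjitterentropy3` would also pin the ABI the patch was written against.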
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3adaedb9e70c3c5f40603bf60a01e336190a6dbe01929d395f16b01fe84a0156
-size 71624456
diff --git a/nss-3.90.tar.gz b/nss-3.90.tar.gz
new file mode 100644
index 0000000..b601bed
--- /dev/null
+++ b/nss-3.90.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9acd6534c41d8ead19fca6fcb3fffed2f9f09c437c3d79fee6a4ee668aaa93b6
+size 72211928
diff --git a/nss-allow-slow-tests.patch b/nss-allow-slow-tests.patch
new file mode 100644
index 0000000..6378fdf
--- /dev/null
+++ b/nss-allow-slow-tests.patch
@@ -0,0 +1,28 @@
+Index: nss/tests/sdr/sdr.sh
+===================================================================
+--- nss.orig/tests/sdr/sdr.sh
++++ nss/tests/sdr/sdr.sh
+@@ -146,7 +146,8 @@ sdr_main()
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+- html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression"
++ # Suse 2022-10-04: Need more time for slow build servers
++ html_msg $(( ${TIMEARRAY[0]} >= 5 )) 0 "pwdecrypt no time regression"
+ export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
+ }
+
+Index: nss/tests/dbtests/dbtests.sh
+===================================================================
+--- nss.orig/tests/dbtests/dbtests.sh
++++ nss/tests/dbtests/dbtests.sh
+@@ -366,7 +366,8 @@ dbtest_main()
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+- test ${TIMEARRAY[0]} -lt 2
++ # Was 2, but that is too small for OBS-workers.
++ test ${TIMEARRAY[0]} -lt 6
+ ret=$?
+ html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
+ fi
diff --git a/nss-fips-180-3-csp-clearing.patch b/nss-fips-180-3-csp-clearing.patch
index f4be260..f92a3b5 100644
--- a/nss-fips-180-3-csp-clearing.patch
+++ b/nss-fips-180-3-csp-clearing.patch
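Review bot: The two relaxed limits are inconsistent and undocumented: sdr.sh now passes while `${TIMEARRAY[0]}` is below 5 (the `$(( ... >= 5 ))` result is compared with the expected 0), dbtests.sh while it is below 6 (`-lt 6`), and the comments only say the old values were too small for build servers. Both checks exist to catch performance regressions in the database code (bmo#1774657 in this very update is such a regression), so the extra headroom should be one named value a reviewer can see and tune, e.g. `SUSE_TIME_LIMIT=5` (name is a suggestion) set once per script and used in both places, with the comment stating it was raised for OBS workers and that upstream expects 0 s and under 2 s respectively. The enclosing sdr_main and dbtest_main functions start and end outside the hunk.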
@@ -16,7 +16,7 @@ Index: nss/lib/softoken/sftkdb.c
 ===================================================================
 --- nss.orig/lib/softoken/sftkdb.c
 +++ nss/lib/softoken/sftkdb.c
-@@ -1506,7 +1506,7 @@ loser:
+@@ -1538,7 +1538,7 @@ loser:
 PORT_ZFree(data, dataSize);
 }
 if (arena) {
diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch
index 8686578..9965cdc 100644
--- a/nss-fips-approved-crypto-non-ec.patch
+++ b/nss-fips-approved-crypto-non-ec.patch
@@ -87,62 +87,17 @@ Index: nss/lib/freebl/arcfour.c /* Architecture-dependent defines */ -@@ -108,6 +109,7 @@ static const Stype Kinit[256] = { - RC4Context * - RC4_AllocateContext(void) - { -+ IN_FIPS_RETURN(NULL); - return PORT_ZNew(RC4Context); - } - -@@ -121,6 +123,8 @@ RC4_InitContext(RC4Context *cx, const un - PRUint8 K[256]; - PRUint8 *L; - -+ IN_FIPS_RETURN(SECFailure); -+ - /* verify the key length. */ - PORT_Assert(len > 0 && len < ARCFOUR_STATE_SIZE); - if (len == 0 || len >= ARCFOUR_STATE_SIZE) { -@@ -162,7 +166,11 @@ RC4_InitContext(RC4Context *cx, const un +@@ -162,7 +163,9 @@ RC4_InitContext(RC4Context *cx, const un RC4Context * RC4_CreateContext(const unsigned char *key, int len) { - RC4Context *cx = RC4_AllocateContext(); + RC4Context *cx; + -+ IN_FIPS_RETURN(NULL); -+ + cx = RC4_AllocateContext(); if (cx) { SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0); if (rv != SECSuccess) { -@@ -176,6 +184,7 @@ RC4_CreateContext(const unsigned char *k - void - RC4_DestroyContext(RC4Context *cx, PRBool freeit) - { -+ IN_FIPS_RETURN(); - if (freeit) - PORT_ZFree(cx, sizeof(*cx)); - } -@@ -548,6 +557,8 @@ RC4_Encrypt(RC4Context *cx, unsigned cha - unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen) - { -+ IN_FIPS_RETURN(SECFailure); -+ - PORT_Assert(maxOutputLen >= inputLen); - if (maxOutputLen < inputLen) { - PORT_SetError(SEC_ERROR_OUTPUT_LEN); -@@ -571,6 +582,8 @@ RC4_Decrypt(RC4Context *cx, unsigned cha - unsigned int *outputLen, unsigned int maxOutputLen, - const unsigned char *input, unsigned int inputLen) - { -+ IN_FIPS_RETURN(SECFailure); -+ - PORT_Assert(maxOutputLen >= inputLen); - if (maxOutputLen < inputLen) { - PORT_SetError(SEC_ERROR_OUTPUT_LEN); Index: nss/lib/freebl/deprecated/seed.c =================================================================== --- nss.orig/lib/freebl/deprecated/seed.c 
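Review bot: Dropping the `IN_FIPS_RETURN` guards from RC4_AllocateContext, RC4_InitContext, RC4_CreateContext, RC4_DestroyContext, RC4_Encrypt and RC4_Decrypt makes RC4 callable from freebl in FIPS mode, and the same happens for MD2, MD5 and DES in the md2.c, md5.c and desblapi.c hunks that follow; nothing visible in this commit records that intent. The only rationale given is the .changes line about no longer short-circuiting "broken hashes" and moving to the SLI, which covers the hashes but says nothing about the two ciphers. The header of nss-fips-approved-crypto-non-ec.patch is outside this view; it should gain a sentence stating that freebl-level blocking of non-approved algorithms has been replaced by the softoken service-level indicator and that the freebl entry points are therefore no longer a FIPS boundary on their own.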
@@ -293,56 +248,32 @@ Index: nss/lib/freebl/md2.c #define MD2_DIGEST_LEN 16 #define MD2_BUFSIZE 16 #define MD2_X_SIZE 48 /* The X array, [CV | INPUT | TMP VARS] */ -@@ -66,7 +68,11 @@ SECStatus +@@ -66,7 +68,9 @@ SECStatus MD2_Hash(unsigned char *dest, const char *src) { unsigned int len; - MD2Context *cx = MD2_NewContext(); + MD2Context *cx; + -+ IN_FIPS_RETURN(SECFailure); -+ + cx = MD2_NewContext(); if (!cx) { PORT_SetError(PR_OUT_OF_MEMORY_ERROR); return SECFailure; -@@ -81,7 +87,11 @@ MD2_Hash(unsigned char *dest, const char +@@ -81,7 +85,9 @@ MD2_Hash(unsigned char *dest, const char MD2Context * MD2_NewContext(void) { - MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context)); + MD2Context *cx; + -+ IN_FIPS_RETURN(NULL); -+ + cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context)); if (cx == NULL) { PORT_SetError(PR_OUT_OF_MEMORY_ERROR); return NULL; -@@ -99,6 +109,8 @@ MD2_DestroyContext(MD2Context *cx, PRBoo - void - MD2_Begin(MD2Context *cx) - { -+ IN_FIPS_RETURN(); -+ - memset(cx, 0, sizeof(*cx)); - cx->unusedBuffer = MD2_BUFSIZE; - } -@@ -196,6 +208,8 @@ MD2_Update(MD2Context *cx, const unsigne - { - PRUint32 bytesToConsume; - -+ IN_FIPS_RETURN(); -+ - /* Fill the remaining input buffer. */ - if (cx->unusedBuffer != MD2_BUFSIZE) { - bytesToConsume = PR_MIN(inputLen, cx->unusedBuffer); -@@ -226,6 +240,9 @@ MD2_End(MD2Context *cx, unsigned char *d +@@ -226,6 +232,7 @@ MD2_End(MD2Context *cx, unsigned char *d unsigned int *digestLen, unsigned int maxDigestLen) { PRUint8 padStart; -+ -+ IN_FIPS_RETURN(); + if (maxDigestLen < MD2_BUFSIZE) { PORT_SetError(SEC_ERROR_INVALID_ARGS); 
@@ -360,37 +291,18 @@ Index: nss/lib/freebl/md5.c #define MD5_HASH_LEN 16 #define MD5_BUFFER_SIZE 64 #define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8) -@@ -195,6 +197,7 @@ struct MD5ContextStr { - SECStatus - MD5_Hash(unsigned char *dest, const char *src) - { -+ IN_FIPS_RETURN(SECFailure); - return MD5_HashBuf(dest, (const unsigned char *)src, PORT_Strlen(src)); - } - -@@ -204,6 +207,8 @@ MD5_HashBuf(unsigned char *dest, const u - unsigned int len; - MD5Context cx; - -+ IN_FIPS_RETURN(SECFailure); -+ - MD5_Begin(&cx); - MD5_Update(&cx, src, src_length); - MD5_End(&cx, dest, &len, MD5_HASH_LEN); -@@ -215,7 +220,11 @@ MD5Context * +@@ -215,7 +217,9 @@ MD5Context * MD5_NewContext(void) { /* no need to ZAlloc, MD5_Begin will init the context */ - MD5Context *cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context)); + MD5Context *cx; + -+ IN_FIPS_RETURN(NULL); -+ + cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context)); if (cx == NULL) { PORT_SetError(PR_OUT_OF_MEMORY_ERROR); return NULL; -@@ -226,7 +235,8 @@ MD5_NewContext(void) +@@ -226,7 +230,8 @@ MD5_NewContext(void) void MD5_DestroyContext(MD5Context *cx, PRBool freeit) { 
@@ -400,42 +312,6 @@ Index: nss/lib/freebl/md5.c if (freeit) { PORT_Free(cx); } -@@ -235,6 +245,8 @@ MD5_DestroyContext(MD5Context *cx, PRBoo - void - MD5_Begin(MD5Context *cx) - { -+ IN_FIPS_RETURN(); -+ - cx->lsbInput = 0; - cx->msbInput = 0; - /* memset(cx->inBuf, 0, sizeof(cx->inBuf)); */ -@@ -425,6 +437,8 @@ MD5_Update(MD5Context *cx, const unsigne - PRUint32 inBufIndex = cx->lsbInput & 63; - const PRUint32 *wBuf; - -+ IN_FIPS_RETURN(); -+ - /* Add the number of input bytes to the 64-bit input counter. */ - addto64(cx->msbInput, cx->lsbInput, inputLen); - if (inBufIndex) { -@@ -498,6 +512,8 @@ MD5_End(MD5Context *cx, unsigned char *d - PRUint32 lowInput, highInput; - PRUint32 inBufIndex = cx->lsbInput & 63; - -+ IN_FIPS_RETURN(); -+ - if (maxDigestLen < MD5_HASH_LEN) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return; -@@ -546,6 +562,8 @@ MD5_EndRaw(MD5Context *cx, unsigned char - #endif - PRUint32 cv[4]; - -+ IN_FIPS_RETURN(); -+ - if (maxDigestLen < MD5_HASH_LEN) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return; Index: nss/lib/freebl/nsslowhash.c =================================================================== --- nss.orig/lib/freebl/nsslowhash.c @@ -448,15 +324,18 @@ Index: nss/lib/freebl/nsslowhash.c struct NSSLOWInitContextStr { int count; -@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext +@@ -99,6 +100,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext { NSSLOWHASHContext *context; ++#if 0 + /* return with an error if unapproved hash is requested in FIPS mode */ ++ /* This is now handled by the service level indicator */ + if (!FIPS_hashAlgApproved(hashType)) { + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } ++#endif + if (post_failed) { PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR); 
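Review bot: Disabling the `FIPS_hashAlgApproved` check in NSSLOWHASH_NewContext with `#if 0`, and commenting it out of the condition in HASH_GetRawHashObject in the next hunk, defers to "the service level indicator", but both are freebl-level APIs with no PKCS#11 session to carry `session->lastOpWasFIPS`, which is the indicator the pkcs11c.c hunks in this patch write. If that indicator is the only replacement, callers of the lowhash and rawhash interfaces appear to get no signal at all that they requested a non-approved hash in FIPS mode; worth confirming against where the SLI is read, and stating the answer in the comment. Separately, an `#if 0` block and an operand commented out inside an `if (...)` are dead code the package now carries; deleting those lines from the patch and keeping a one-line comment such as `/* algorithm approval is reported by the softoken service-level indicator, not enforced here */` reads cleaner.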
@@ -473,13 +352,16 @@ Index: nss/lib/freebl/rawhash.c static void * null_hash_new_context(void) -@@ -146,7 +147,8 @@ const SECHashObject SECRawHashObjects[] +@@ -146,7 +147,11 @@ const SECHashObject SECRawHashObjects[] const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType) { - if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL) { ++ /* We rely on the service level indicator for algorithm approval now, so ++ * the FIPS check here has been commented out */ ++ + if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL -+ || (!FIPS_hashAlgApproved(hashType))) { ++ /* || (!FIPS_hashAlgApproved(hashType)) */) { PORT_SetError(SEC_ERROR_INVALID_ARGS); return NULL; } 
@@ -487,7 +369,58 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -4780,6 +4780,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + goto loser; + } + ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_GEN_MECHANISM, key); ++ session->lastOpWasFIPS = key->isFIPS; ++ + /* + * handle the base object stuff + */ +@@ -4794,6 +4797,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + if (crv == CKR_OK) { + *phKey = key->handle; + } ++ + loser: + PORT_Memset(buf, 0, sizeof buf); + sftk_FreeObject(key); +@@ -5710,11 +5714,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + * created and linked. + */ + crv = sftk_handleObject(publicKey, session); +- sftk_FreeSession(session); + if (crv != CKR_OK) { + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + return crv; + } + if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { +@@ -5758,13 +5762,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + return crv; + } + ++ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey); ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey); ++ session->lastOpWasFIPS = privateKey->isFIPS; ++ + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; + sftk_FreeObject(publicKey); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + + return CKR_OK; + } +@@ -7469,7 +7479,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); 
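Review bot: Moving `sftk_FreeSession(session)` in NSC_GenerateKeyPair from directly after `sftk_handleObject(publicKey, session)` to the three return paths shown means any other early return between the two fragments of this hunk (the stretch starting at `if (sftk_isTrue(privateKey, CKA_SENSITIVE))`, not visible here) would now leak the session reference; those paths need the same call, or the release belongs at a single exit label. `session->lastOpWasFIPS = privateKey->isFIPS;` also records only the private half, so if `sftk_operationIsFIPS` can answer differently for the two objects, `session->lastOpWasFIPS = publicKey->isFIPS && privateKey->isFIPS;` is the conservative choice. In NSC_GenerateKey the indicator is written before the object is handled and before the `loser` path, while NSC_DeriveKey (next hunk) writes it immediately before `crv = CKR_OK`; the three functions should agree on whether a failed operation updates the indicator. NSC_GenerateKeyPair starts and ends outside the hunk.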
@@ -496,6 +429,14 @@ Index: nss/lib/softoken/pkcs11c.c PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; +@@ -7858,6 +7868,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + PORT_Assert(i <= sizeof key_block); + } + ++ session->lastOpWasFIPS = key->isFIPS; + crv = CKR_OK; + + if (0) { Index: nss/lib/freebl/desblapi.c =================================================================== --- nss.orig/lib/freebl/desblapi.c @@ -509,21 +450,10 @@ Index: nss/lib/freebl/desblapi.c #if defined(NSS_X86_OR_X64) /* Intel X86 CPUs do unaligned loads and stores without complaint. */ #define COPY8B(to, from, ptr) \ -@@ -136,6 +138,8 @@ DES_EDE3CBCDe(DESContext *cx, BYTE *out, - DESContext * - DES_AllocateContext(void) - { -+ IN_FIPS_RETURN(NULL); -+ - return PORT_ZNew(DESContext); - } - -@@ -145,12 +149,16 @@ DES_InitContext(DESContext *cx, const un +@@ -145,12 +147,14 @@ DES_InitContext(DESContext *cx, const un unsigned int unused) { DESDirection opposite; -+ -+ IN_FIPS_RETURN(SECFailure); + if (!cx) { PORT_SetError(SEC_ERROR_INVALID_ARGS); @@ -535,7 +465,7 @@ Index: nss/lib/freebl/desblapi.c switch (mode) { case NSS_DES: /* DES ECB */ DES_MakeSchedule(cx->ks0, key, cx->direction); -@@ -201,8 +209,13 @@ DES_InitContext(DESContext *cx, const un +@@ -201,8 +205,11 @@ DES_InitContext(DESContext *cx, const un DESContext * DES_CreateContext(const BYTE *key, const BYTE *iv, int mode, PRBool encrypt) { 
@@ -544,43 +474,114 @@ Index: nss/lib/freebl/desblapi.c + DESContext *cx; + SECStatus rv; + -+ IN_FIPS_RETURN(NULL); -+ + cx = PORT_ZNew(DESContext); + rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); if (rv != SECSuccess) { PORT_ZFree(cx, sizeof *cx); -@@ -214,6 +227,8 @@ DES_CreateContext(const BYTE *key, const - void - DES_DestroyContext(DESContext *cx, PRBool freeit) - { -+ IN_FIPS_RETURN(); -+ - if (cx) { - memset(cx, 0, sizeof *cx); - if (freeit) -@@ -225,6 +240,7 @@ SECStatus +@@ -225,7 +232,6 @@ SECStatus DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen, unsigned int maxOutLen, const BYTE *in, unsigned int inLen) { -+ IN_FIPS_RETURN(SECFailure); - +- if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || cx->direction != DES_ENCRYPT) { -@@ -242,6 +258,7 @@ SECStatus + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -242,7 +248,6 @@ SECStatus DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen, unsigned int maxOutLen, const BYTE *in, unsigned int inLen) { -+ IN_FIPS_RETURN(SECFailure); - +- if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || cx->direction != DES_DECRYPT) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); Index: nss/lib/softoken/fips_algorithms.h =================================================================== --- nss.orig/lib/softoken/fips_algorithms.h +++ nss/lib/softoken/fips_algorithms.h -@@ -111,8 +111,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] +@@ -58,18 +58,35 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + #define RSA_FB_STEP 1 + #define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */ + #define RSA_LEGACY_FB_STEP 256 +-#define DSA_FB_KEY 2048, 4096 /* min, max */ ++#define DSA_FB_KEY 2048, 3072 /* min, max */ + #define DSA_FB_STEP 1024 +-#define DH_FB_KEY 2048, 4096 /* min, max */ ++#define DH_FB_KEY 2048, 8192 /* min, max */ + #define DH_FB_STEP 1024 + #define EC_FB_KEY 256, 521 /* min, max */ + #define EC_FB_STEP 1 /* key limits handled by special operation */ +-#define AES_FB_KEY 128, 256 ++#define AES_FB_KEY 128, 512 + 
#define AES_FB_STEP 64 + { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, ++#if 0 + { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, ++ /* Non-approved */ + { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, ++#endif ++ ++ { CKM_SHA_1_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA384_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ ++ { CKM_SHA3_224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA3_256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA3_384_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA3_512_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ + /* -------------- RSA Multipart Signing Operations -------------------- */ + { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, +@@ -88,13 +105,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + /* ------------------------- DSA Operations --------------------------- */ +- { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, 
DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, ++ ++ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ + /* -------------------- Diffie Hellman Operations --------------------- */ + /* no diffie hellman yet */ + { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH }, +@@ -102,7 +118,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + /* -------------------- Elliptic Curve Operations --------------------- */ + { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, ++#if 0 ++ /* Doesn't consider hash algo. 
Non-approved */ + { CKM_ECDSA, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, ++#endif + { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, +@@ -112,8 +131,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, ++#if 0 ++ /* Non-approved */ + { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, ++#endif + { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, +@@ -123,8 +145,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, 
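Review bot: `#define AES_FB_KEY 128, 512` widens the key range of every AES row in sftk_fips_mechs[] (CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, the CMAC and key-wrap rows all use it) because the macro was reused for the new CKM_SHA*_KEY_GEN rows, so the approval table now nominally accepts 320..512-bit "AES" keys at step 64. Whether softoken rejects such sizes elsewhere is not visible here, but an approval table listing impossible sizes for an approved algorithm blurs what the indicator is meant to say and hides the real intent, which is that HMAC key generation has a different range from AES; keep AES at 128..256 and give HMAC key generation its own macros (names below are my suggestion). The DES_Encrypt/DES_Decrypt fragments at the top of this hunk appear to do nothing now except delete an empty line from upstream and could be dropped from the patch. sftk_fips_mechs[] extends beyond the hunk on both sides.
```c
#define AES_FB_KEY 128, 256
#define AES_FB_STEP 64
/* HMAC key generation gets its own range so the AES rows keep real AES sizes */
#define HMAC_KEYGEN_FB_KEY 128, 512 /* min, max */
#define HMAC_KEYGEN_FB_STEP 64
/* … unchanged: RSA key-pair row and the #if 0 PSS/OAEP rows … */
    { CKM_SHA_1_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA224_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA256_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA384_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA512_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA512_224_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA512_256_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA3_224_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA3_256_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA3_384_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
    { CKM_SHA3_512_KEY_GEN, { HMAC_KEYGEN_FB_KEY, CKF_GEN }, HMAC_KEYGEN_FB_STEP, SFTKFIPSNone },
/* … unchanged: remaining rows of sftk_fips_mechs[] … */
```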
@@ -592,3 +593,170 @@ Index: nss/lib/softoken/fips_algorithms.h /* ------------------------- Hashing Operations ----------------------- */ { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, +@@ -139,41 +164,56 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, + /* --------------------- Secret Key Operations ------------------------ */ +- { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 512, CKF_GEN }, 1, SFTKFIPSNone }, + /* ---------------------- SSL/TLS operations ------------------------- */ + { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, +- { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ ++ { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 128, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, 
SFTKFIPSNone }, ++ { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 128, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ ++ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 128, 512, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_PRE_MASTER_KEY_GEN, { 128, 512, CKF_GEN }, 1, SFTKFIPSNone }, ++ + /* sigh, is this algorithm really tested. ssl doesn't seem to have a + * way of turning the extension off */ + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + + /* ------------------------- HKDF Operations -------------------------- */ ++#if 0 ++ /* Only approved in the context of TLS 1.3 */ + { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, ++#endif + /* ------------------ NIST 800-108 Key Derivations ------------------- */ +- { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { 
CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + /* --------------------IPSEC ----------------------- */ +- { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE_PRF_DERIVE, { 112, 112, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE1_PRF_DERIVE, { 112, 112, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, + /* ------------------ PBE Key Derivations ------------------- */ +- { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, +Index: nss/lib/softoken/pkcs11u.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11u.c ++++ nss/lib/softoken/pkcs11u.c +@@ -2242,6 +2242,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE + case CKA_NSS_MESSAGE | CKA_VERIFY: + flags = CKF_MESSAGE_VERIFY; + break; ++ case CKA_KEY_GEN_MECHANISM: ++ flags = CKF_GENERATE; ++ break; ++ case CKA_KEY_PAIR_GEN_MECHANISM: ++ flags = CKF_GENERATE_KEY_PAIR; ++ break; + default: + break; + } +@@ -2462,18 +2468,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ + if (!sftk_isFIPS(slot->slotID)) { + return PR_FALSE; + } +- if (source && !source->isFIPS) { +- return PR_FALSE; +- } + if (mech == NULL) { + return PR_FALSE; + } +- + /* now get the calculated values */ + opFlags = 
sftk_AttributeToFlags(op); + if (opFlags == 0) { + return PR_FALSE; + } ++ if (source && !source->isFIPS ++ && !((mech->mechanism == CKM_DSA_SHA224 ++ || mech->mechanism == CKM_DSA_SHA256 ++ || mech->mechanism == CKM_DSA_SHA384 ++ || mech->mechanism == CKM_DSA_SHA512))) { ++ return PR_FALSE; ++ } ++ ++ if (mech->mechanism == CKM_PKCS5_PBKD2) { ++ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *) mech->pParameter; ++ ++ if (!pbkd2_params ++ || !pbkd2_params->ulPasswordLen ++ || *pbkd2_params->ulPasswordLen < 20 ++ || pbkd2_params->saltSource != CKZ_SALT_SPECIFIED ++ || pbkd2_params->ulSaltSourceDataLen < 128 / 8 ++ || pbkd2_params->iterations < 1000) { ++ return PR_FALSE; ++ } ++ } ++ + keyLength = sftk_getKeyLength(source); + + /* check against our algorithm array */ +Index: nss/lib/util/pkcs11t.h +=================================================================== +--- nss.orig/lib/util/pkcs11t.h ++++ nss/lib/util/pkcs11t.h +@@ -576,6 +576,7 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_D + + /* CKA_KEY_GEN_MECHANISM is new for v2.11 */ + #define CKA_KEY_GEN_MECHANISM 0x00000166UL ++#define CKA_KEY_PAIR_GEN_MECHANISM 0x00000167UL + + #define CKA_MODIFIABLE 0x00000170UL + +Index: nss/lib/softoken/pkcs11.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11.c ++++ nss/lib/softoken/pkcs11.c +@@ -534,17 +534,17 @@ static const struct mechanismList mechan + { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, +- { 48, 48, CKF_DERIVE }, ++ { 16, 48, CKF_DERIVE }, + PR_FALSE }, +- { CKM_TLS_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE }, +- { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE }, ++ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 48, 48, CKF_DERIVE }, PR_FALSE }, ++ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { 
CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, +- { 8, 128, CKF_DERIVE }, ++ { 48, 48, CKF_DERIVE }, + PR_FALSE }, + { CKM_TLS_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_TLS12_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, +- { 48, 48, CKF_DERIVE }, ++ { 16, 48, CKF_DERIVE }, + PR_FALSE }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, + { 48, 128, CKF_DERIVE }, diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch index 1bfaef6..e3d7a61 100644 --- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2653,7 +2653,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2671,6 +2671,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2688,7 +2704,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2706,6 +2722,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } 
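Review bot: In sftk_operationIsFIPS the new CKM_PKCS5_PBKD2 branch casts `mech->pParameter` to `CK_PKCS5_PBKD2_PARAMS *` and dereferences its fields without first checking `mech->ulParameterLen`, so a short or absent parameter block is read past its end before the policy checks run; add `if (!mech->pParameter || mech->ulParameterLen < sizeof(CK_PKCS5_PBKD2_PARAMS)) return PR_FALSE;` ahead of the cast. The `*pbkd2_params->ulPasswordLen` dereference also pins the layout to CK_PKCS5_PBKD2_PARAMS (pointer-typed length); if the derive path elsewhere also accepts CK_PKCS5_PBKD2_PARAMS2, where that field is a plain CK_ULONG, this check would treat a length as a pointer, which is worth confirming. The thresholds 20, `128 / 8` and 1000 are unexplained magic numbers and the DSA_SHA* exemption from the `source->isFIPS` test has no comment; name the constants with the policy they implement and state why a non-FIPS DSA key is acceptable there (the table above lists those mechanisms as CKF_VERIFY only). sftk_operationIsFIPS starts and ends outside the hunk.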
@@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3575,6 +3607,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4829,6 +4877,73 @@ loser: +@@ -4807,6 +4855,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4860,8 +4975,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5015,76 +5128,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index 5be667b..c2a2198 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch 
@@ -63,6 +63,16 @@ Index: nss/lib/freebl/blapi.h /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); +@@ -1791,6 +1791,9 @@ extern SECStatus EC_CopyParams(PLArenaPo + */ + extern int EC_GetPointSize(const ECParams *params); + ++/* Unconditionally run the integrity check. */ ++extern void BL_FIPSRepeatIntegrityCheck(void); ++ + SEC_END_PROTOS + + #endif /* _BLAPI_H_ */ Index: nss/lib/freebl/fips-selftest.inc =================================================================== --- /dev/null @@ -149,7 +159,7 @@ Index: nss/lib/freebl/fips-selftest.inc + abort(); +} + -+/* check whether FIPS moode is mandated by the kernel */ ++/* check whether FIPS mode is mandated by the kernel */ +static int +fips_isWantedProc(void) +{ @@ -247,7 +257,7 @@ Index: nss/lib/freebl/fips-selftest.inc + } + fips_requests += fips_isWantedEnv(); + -+ return fips_requests; ++ return fips_requests < 1 ? 0 : 1; +} + +static PRBool @@ -641,12 +651,12 @@ Index: nss/lib/freebl/fipsfreebl.c } /* -@@ -2251,28 +2279,104 @@ bl_startup_tests(void) +@@ -2251,19 +2279,12 @@ bl_startup_tests(void) * power on selftest failed. */ SECStatus --BL_FIPSEntryOK(PRBool freebl_only) -+BL_FIPSEntryOK(PRBool my_freebl_only) +-BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun) ++BL_FIPSEntryOK(PRBool my_freebl_only, PRBool rerun) { -#ifdef NSS_NO_INIT_SUPPORT - /* this should only be set on platforms that can't handle one of the INIT @@ -660,9 +670,10 @@ Index: nss/lib/freebl/fipsfreebl.c bl_startup_tests(); } -#endif -+ - /* if the general self tests succeeded, we're done */ - if (self_tests_success) { + if (rerun) { + /* reset the flags */ + self_tests_freebl_ran = PR_FALSE; +@@ -2277,10 +2298,104 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo return SECSuccess; } /* standalone freebl can initialize */ 
@@ -674,6 +685,17 @@ Index: nss/lib/freebl/fipsfreebl.c return SECFailure; } + ++void ++BL_FIPSRepeatIntegrityCheck(void) ++{ ++ fips_state = fips_initTest("freebl", NULL, NULL); ++ ++ if (!fips_state) ++ { ++ fatal ("fips - freebl: Integrity test re-run failed - aborting."); ++ } ++} ++ +/* returns the FIPS mode we are running in or the one that we aspire to if the + * tests have not completed yet - which might happen during the crypto selftest + */ @@ -756,11 +778,27 @@ Index: nss/lib/freebl/fipsfreebl.c +} + #endif ++ Index: nss/lib/freebl/loader.c =================================================================== --- nss.orig/lib/freebl/loader.c +++ nss/lib/freebl/loader.c -@@ -1213,11 +1213,11 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext +@@ -95,6 +95,14 @@ BL_Init(void) + return (vector->p_BL_Init)(); + } + ++void ++BL_FIPSRepeatIntegrityCheck(void) ++{ ++ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) ++ return; ++ (vector->p_BL_FIPSRepeatIntegrityCheck)(); ++} ++ + RSAPrivateKey * + RSA_NewKey(int keySizeInBits, SECItem *publicExponent) + { +@@ -1213,11 +1221,11 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext } PRBool @@ -774,7 +812,7 @@ Index: nss/lib/freebl/loader.c } /* -@@ -1227,12 +1227,12 @@ BLAPI_SHVerify(const char *name, PRFuncP +@@ -1227,12 +1235,12 @@ BLAPI_SHVerify(const char *name, PRFuncP * in freebl_LoadDSO) to p_BLAPI_VerifySelf. */ PRBool @@ -789,7 +827,7 @@ Index: nss/lib/freebl/loader.c } /* ============== New for 3.006 =============================== */ -@@ -1836,11 +1836,11 @@ SHA224_Clone(SHA224Context *dest, SHA224 +@@ -1836,11 +1844,11 @@ SHA224_Clone(SHA224Context *dest, SHA224 } PRBool 
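Review bot: The loader.c wrapper `BL_FIPSRepeatIntegrityCheck` returns silently when `freebl_RunLoaderOnce()` fails, so an integrity re-run that never reaches freebl is indistinguishable from one that passed, while the fipsfreebl.c implementation aborts on failure; the wrapper should fail closed as well, either by taking the same fatal path or by returning a status the softoken caller checks. The new vector slot is appended with a "Goes last" comment but no FREEBL_VERSION bump is visible in this hunk, and loader.h's own comment asks for one; without it a newer softoken paired with an older freebl would dereference a pointer past the end of the vector, so confirm the bump exists elsewhere in the patch (the ldvector.c hunk later in the file appends the same slot). A short header comment on the fipsfreebl.c function saying that a failed re-run terminates the process, rather than returning a status, would make the contract clear to callers.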
@@ -827,6 +865,16 @@ Index: nss/lib/freebl/loader.h /* Version 3.013 came to here */ +@@ -834,6 +834,9 @@ struct FREEBLVectorStr { + + /* Add new function pointers at the end of this struct and bump + * FREEBL_VERSION at the beginning of this file. */ ++ ++ /* SUSE patch: Goes last */ ++ void (*p_BL_FIPSRepeatIntegrityCheck)(void); + }; + + typedef struct FREEBLVectorStr FREEBLVector; Index: nss/lib/freebl/manifest.mn =================================================================== --- nss.orig/lib/freebl/manifest.mn @@ -873,12 +921,12 @@ Index: nss/lib/freebl/shvfy.c return SECSuccess; } --static PRBool blapi_SHVerifyFile(const char *shName, PRBool self); -+static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, int *err); +-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun); ++static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun, int *err); static PRBool --blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self) -+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, int *err) +-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun) ++blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun, int *err) { PRBool result = PR_FALSE; /* if anything goes wrong, - * the signature does not verify */ 
@@ -888,100 +936,119 @@ Index: nss/lib/freebl/shvfy.c if (!shName) { goto loser; } -- result = blapi_SHVerifyFile(shName, self); -+ result = blapi_SHVerifyFile(shName, self, err); +- result = blapi_SHVerifyFile(shName, self, rerun); ++ result = blapi_SHVerifyFile(shName, self, rerun, err); loser: if (shName != NULL) { -@@ -311,15 +311,15 @@ loser: +@@ -311,25 +311,25 @@ loser: } PRBool -BLAPI_SHVerify(const char *name, PRFuncPtr addr) +BLAPI_SHVerify(const char *name, PRFuncPtr addr, int *err) { -- return blapi_SHVerify(name, addr, PR_FALSE); -+ return blapi_SHVerify(name, addr, PR_FALSE, err); + PRBool rerun = PR_FALSE; + if (name && *name == BLAPI_FIPS_RERUN_FLAG) { + name++; + rerun = PR_TRUE; + } +- return blapi_SHVerify(name, addr, PR_FALSE, rerun); ++ return blapi_SHVerify(name, addr, PR_FALSE, rerun, err); } PRBool -BLAPI_SHVerifyFile(const char *shName) +BLAPI_SHVerifyFile(const char *shName, int *err) { -- return blapi_SHVerifyFile(shName, PR_FALSE); -+ return blapi_SHVerifyFile(shName, PR_FALSE, err); + PRBool rerun = PR_FALSE; + if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) { + shName++; + rerun = PR_TRUE; + } +- return blapi_SHVerifyFile(shName, PR_FALSE, rerun); ++ return blapi_SHVerifyFile(shName, PR_FALSE, rerun, err); } #ifndef NSS_STRICT_INTEGRITY -@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD +@@ -432,7 +432,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + } + + static PRBool +-blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun) ++blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun, int *err) + { + char *checkName = NULL; + PRFileDesc *checkFD = NULL; +@@ -446,7 +446,7 @@ blapi_SHVerifyFile(const char *shName, P + int pid = 0; + #endif + PRBool result = PR_FALSE; /* if anything goes wrong, +- * the signature does not verify */ ++ * the signature does not verify */ + NSSSignChkHeader header; + #ifndef NSS_STRICT_INTEGRITY + DSAPublicKey key; +@@ -473,14 +473,17 @@ blapi_SHVerifyFile(const char *shName, P + 
/* open the check File */ + checkFD = PR_Open(checkName, PR_RDONLY, 0); + if (checkFD == NULL) { ++ if (err) { ++ *err = PORT_GetError(); ++ } + #ifdef DEBUG_SHVERIFY +- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", +- checkName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the check file %s: (%d)\n", ++ checkName, (int)PORT_GetError()); + #endif /* DEBUG_SHVERIFY */ + goto loser; } - static PRBool -- blapi_SHVerifyFile(const char *shName, PRBool self) -+ blapi_SHVerifyFile(const char *shName, PRBool self, int *err) - { - char *checkName = NULL; - PRFileDesc *checkFD = NULL; -@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD - /* open the check File */ - checkFD = PR_Open(checkName, PR_RDONLY, 0); - if (checkFD == NULL) { -+ if (err) { -+ *err = PORT_GetError(); -+ } - #ifdef DEBUG_SHVERIFY -- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", -- checkName, (int)PR_GetError(), (int)PR_GetOSError()); -+ fprintf(stderr, "Failed to open the check file %s: (%d)\n", -+ checkName, (int)PR_GetError()); - #endif /* DEBUG_SHVERIFY */ - goto loser; - } - -- /* read and Verify the headerthe header */ -+ /* read and Verify the header */ - bytesRead = PR_Read(checkFD, &header, sizeof(header)); - if (bytesRead != sizeof(header)) { - goto loser; -@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD - goto loser; - } +- /* read and Verify the headerthe header */ ++ /* read and Verify the header */ + bytesRead = PR_Read(checkFD, &header, sizeof(header)); + if (bytesRead != sizeof(header)) { + goto loser; +@@ -561,7 +564,7 @@ blapi_SHVerifyFile(const char *shName, P + goto loser; + } -/* open our library file */ + /* open our library file */ #ifdef FREEBL_USE_PRELINK - shFD = bl_OpenUnPrelink(shName, &pid); + shFD = bl_OpenUnPrelink(shName, &pid); #else -@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD +@@ -569,8 +572,8 @@ blapi_SHVerifyFile(const char *shName, P #endif - if (shFD == 
NULL) { + if (shFD == NULL) { #ifdef DEBUG_SHVERIFY -- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", -- shName, (int)PR_GetError(), (int)PR_GetOSError()); -+ fprintf(stderr, "Failed to open the library file %s: (%d)\n", -+ shName, (int)PR_GetError()); +- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", +- shName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the library file %s: (%d)\n", ++ shName, (int)PORT_GetError()); #endif /* DEBUG_SHVERIFY */ - goto loser; - } -@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + goto loser; } +@@ -631,7 +634,7 @@ loser: + } - PRBool -- BLAPI_VerifySelf(const char *name) -+ BLAPI_VerifySelf(const char *name, int *err) - { - if (name == NULL) { - /* -@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD - */ - return PR_TRUE; - } -- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE); -+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err); + PRBool +-BLAPI_VerifySelf(const char *name) ++BLAPI_VerifySelf(const char *name, int *err) + { + if (name == NULL) { + /* +@@ -640,7 +643,7 @@ BLAPI_VerifySelf(const char *name) + */ + return PR_TRUE; } +- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE); ++ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE, err); + } #else /* NSS_FIPS_DISABLED */ -@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP +@@ -656,7 +659,7 @@ BLAPI_SHVerify(const char *name, PRFuncP return PR_FALSE; } PRBool @@ -994,7 +1061,7 @@ Index: nss/lib/softoken/fips.c =================================================================== --- /dev/null +++ nss/lib/softoken/fips.c -@@ -0,0 +1,40 @@ +@@ -0,0 +1,50 @@ +#include "../freebl/fips-selftest.inc" + +#include "fips.h" 
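Review bot: The new `err` out-parameter of blapi_SHVerifyFile is written only when the check file cannot be opened; every other `goto loser` path (header read, signature mismatch, the library open at `shFD == NULL`) returns PR_FALSE with `*err` untouched, so a caller that reads `*err` after a false result sees a stale value unless it pre-initialised it. Either set it at `loser:` whenever the result is false, `if (!result && err) *err = PORT_GetError();`, with an explicit error set on the compare-failure path so the value is never zero, or document at the BLAPI_SHVerify/BLAPI_SHVerifyFile declarations that `*err` is only meaningful for the check-file open failure. blapi_SHVerifyFile's body extends beyond the hunk.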
@@ -1007,7 +1074,7 @@ Index: nss/lib/softoken/fips.c +static fips_check_status +fips_checkCryptoSoftoken(void) +{ -+ if (CKR_OK == sftk_FIPSEntryOK()) { ++ if (CKR_OK == sftk_FIPSEntryOK(PR_FALSE)) { + return CHECK_OK; + } else { + return CHECK_FAIL_CRYPTO; @@ -1035,18 +1102,33 @@ Index: nss/lib/softoken/fips.c + + return; +} ++ ++void ++fips_repeatTestSoftoken(void) ++{ ++ fips_initTestSoftoken(); ++ if (!fips_state) ++ { ++ fatal ("fips - softokn: Integrity test re-run failed - aborting."); ++ } ++} Index: nss/lib/softoken/fips.h =================================================================== --- /dev/null +++ nss/lib/softoken/fips.h -@@ -0,0 +1,10 @@ +@@ -0,0 +1,15 @@ +#ifndef FIPS_H +#define FIPS_H + ++#include "prtypes.h" +#include "softoken.h" + -+CK_RV FIPS_cryptoSelftestSoftoken(void); ++SEC_BEGIN_PROTOS ++ +CK_RV sftk_fipsPowerUpSelfTest(void); ++extern void sftk_FIPSRepeatIntegrityCheck(void); ++ ++SEC_END_PROTOS + +#endif + @@ -1382,15 +1464,15 @@ Index: nss/lib/softoken/fipstest.c static PRBool sftk_self_tests_ran = PR_FALSE; static PRBool sftk_self_tests_success = PR_FALSE; -@@ -694,7 +1015,6 @@ static void - sftk_startup_tests(void) +@@ -694,7 +1015,6 @@ void + sftk_startup_tests_with_rerun(PRBool rerun) { SECStatus rv; -- const char *libraryName = SOFTOKEN_LIB_NAME; +- const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME; PORT_Assert(!sftk_self_tests_ran); PORT_Assert(!sftk_self_tests_success); -@@ -706,6 +1026,7 @@ sftk_startup_tests(void) +@@ -706,6 +1026,7 @@ sftk_startup_tests_with_rerun(PRBool rer if (rv != SECSuccess) { return; } 
@@ -1398,7 +1480,7 @@ Index: nss/lib/softoken/fipstest.c /* make sure freebl is initialized, or our RSA check * may fail. This is normally done at freebl load time, but it's * possible we may have shut freebl down without unloading it. */ -@@ -723,12 +1044,21 @@ sftk_startup_tests(void) +@@ -723,12 +1044,21 @@ sftk_startup_tests_with_rerun(PRBool rer if (rv != SECSuccess) { return; } @@ -1424,9 +1506,9 @@ Index: nss/lib/softoken/fipstest.c rv = sftk_fips_IKE_PowerUpSelfTests(); if (rv != SECSuccess) { return; -@@ -760,17 +1090,11 @@ sftk_startup_tests(void) +@@ -766,17 +1096,10 @@ sftk_startup_tests(void) CK_RV - sftk_FIPSEntryOK() + sftk_FIPSEntryOK(PRBool rerun) { -#ifdef NSS_NO_INIT_SUPPORT - /* this should only be set on platforms that can't handle one of the INIT @@ -1440,10 +1522,27 @@ Index: nss/lib/softoken/fipstest.c sftk_startup_tests(); } -#endif -+ - if (!sftk_self_tests_success) { - return CKR_DEVICE_ERROR; + if (rerun) { + sftk_self_tests_ran = PR_FALSE; + sftk_self_tests_success = PR_FALSE; +@@ -787,6 +1110,17 @@ sftk_FIPSEntryOK(PRBool rerun) } + return CKR_OK; + } ++ ++void fips_repeatTestSoftoken(void); ++ ++void ++sftk_FIPSRepeatIntegrityCheck() ++{ ++ /* These will abort if the checksum fails in FIPS mode */ ++ BL_FIPSRepeatIntegrityCheck(); ++ fips_repeatTestSoftoken(); ++} ++ + #else + #include "pkcs11t.h" + CK_RV Index: nss/lib/softoken/legacydb/fips.c =================================================================== --- /dev/null @@ -1521,14 +1620,14 @@ Index: nss/lib/softoken/manifest.mn =================================================================== --- nss.orig/lib/softoken/manifest.mn +++ nss/lib/softoken/manifest.mn -@@ -31,6 +31,7 @@ PRIVATE_EXPORTS = \ - softkver.h \ - sdb.h \ - sftkdbt.h \ +@@ -22,6 +22,7 @@ endif + EXPORTS = \ + lowkeyi.h \ + lowkeyti.h \ + fips.h \ $(NULL) - CSRCS = \ + PRIVATE_EXPORTS = \ @@ -55,6 +56,7 @@ CSRCS = \ softkver.c \ tlsprf.c \ 
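Review bot: `sftk_FIPSRepeatIntegrityCheck()` is defined with an empty parameter list while fips.h declares it `(void)`; write the definition as `sftk_FIPSRepeatIntegrityCheck(void)` so it is a prototype and matches the header. The forward declaration `void fips_repeatTestSoftoken(void);` dropped into the .c file belongs in fips.h next to sftk_FIPSRepeatIntegrityCheck. The new function lives only in the `#ifndef NSS_FIPS_DISABLED` arm, yet softokn.def (in a later hunk) exports it unconditionally; unless the `#else` arm, which is outside this hunk, gains a stub, an NSS_FIPS_DISABLED build will fail to link, and a comment stating which builds provide the symbol would help either way.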
@@ -1537,3 +1636,47 @@ Index: nss/lib/softoken/manifest.mn $(NULL) ifndef NSS_DISABLE_DBM +Index: nss/lib/softoken/softoken.h +=================================================================== +--- nss.orig/lib/softoken/softoken.h ++++ nss/lib/softoken/softoken.h +@@ -59,6 +59,9 @@ extern unsigned char *CBC_PadBuffer(PLAr + /* make sure Power-up selftests have been run. */ + extern CK_RV sftk_FIPSEntryOK(PRBool rerun); + ++/* Unconditionally run the crypto self-tests. */ ++extern PRBool sftk_FIPSRunTests(); ++ + /* + ** make known fixed PKCS #11 key types to their sizes in bytes + */ +Index: nss/lib/freebl/ldvector.c +=================================================================== +--- nss.orig/lib/freebl/ldvector.c ++++ nss/lib/freebl/ldvector.c +@@ -375,9 +375,12 @@ static const struct FREEBLVectorStr vect + /* End of version 3.024 */ + ChaCha20_InitContext, + ChaCha20_CreateContext, +- ChaCha20_DestroyContext ++ ChaCha20_DestroyContext, + + /* End of version 3.025 */ ++ ++ /* SUSE patch: Goes last */ ++ BL_FIPSRepeatIntegrityCheck + }; + + const FREEBLVector* +Index: nss/lib/softoken/softokn.def +=================================================================== +--- nss.orig/lib/softoken/softokn.def ++++ nss/lib/softoken/softokn.def +@@ -34,6 +34,7 @@ NSC_GetInterfaceList; + C_GetInterface; + FC_GetInterface; + NSC_GetInterface; ++sftk_FIPSRepeatIntegrityCheck; + ;+ local: + ;+ *; + ;+}; diff --git a/nss-fips-detect-fips-mode-fixes.patch b/nss-fips-detect-fips-mode-fixes.patch index c2edcf4..c91a750 100644 --- a/nss-fips-detect-fips-mode-fixes.patch +++ b/nss-fips-detect-fips-mode-fixes.patch @@ -12,7 +12,7 @@ Index: nss/lib/freebl/nsslowhash.c =================================================================== --- nss.orig/lib/freebl/nsslowhash.c +++ nss/lib/freebl/nsslowhash.c -@@ -2,6 +2,9 @@ +@@ -2,9 +2,13 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 
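Review bot: softoken.h gains `extern PRBool sftk_FIPSRunTests();` with the comment "Unconditionally run the crypto self-tests", but no function of that name is defined anywhere visible in this patch; the function actually added and exported is `sftk_FIPSRepeatIntegrityCheck`, declared in fips.h. Either drop the stray declaration or replace it with `extern void sftk_FIPSRepeatIntegrityCheck(void);` so softoken.h agrees with fips.h and softokn.def, and if it is kept give it a `(void)` prototype rather than an empty parameter list.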
@@ -22,7 +22,11 @@ Index: nss/lib/freebl/nsslowhash.c #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif -@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr { ++ + #include "prtypes.h" + #include "prenv.h" + #include "secerr.h" +@@ -25,6 +29,23 @@ struct NSSLOWHASHContextStr { }; #ifndef NSS_FIPS_DISABLED @@ -46,7 +50,7 @@ Index: nss/lib/freebl/nsslowhash.c static int nsslow_GetFIPSEnabled(void) { -@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void) +@@ -52,6 +73,7 @@ nsslow_GetFIPSEnabled(void) #endif /* LINUX */ return 1; } @@ -54,13 +58,13 @@ Index: nss/lib/freebl/nsslowhash.c #endif /* NSS_FIPS_DISABLED */ static NSSLOWInitContext dummyContext = { 0 }; -@@ -67,7 +88,7 @@ NSSLOW_Init(void) +@@ -67,7 +89,7 @@ NSSLOW_Init(void) #ifndef NSS_FIPS_DISABLED /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ - if (nsslow_GetFIPSEnabled()) { + if (nsslow_GetFIPSEnabled() || getFIPSEnv()) { - if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) { + if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); post_failed = PR_TRUE; Index: nss/lib/sysinit/nsssysinit.c diff --git a/nss-fips-drbg-libjitter.patch b/nss-fips-drbg-libjitter.patch new file mode 100644 index 0000000..9b30694 --- /dev/null +++ b/nss-fips-drbg-libjitter.patch 
@@ -0,0 +1,111 @@ +Index: nss/coreconf/Linux.mk +=================================================================== +--- nss.orig/coreconf/Linux.mk ++++ nss/coreconf/Linux.mk +@@ -136,7 +136,7 @@ OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLA + ifeq ($(KERNEL),Linux) + OS_CFLAGS += -DLINUX -Dlinux + endif +-OS_LIBS = $(OS_PTHREAD) -ldl -lc ++OS_LIBS = $(OS_PTHREAD) -ldl -lc -ljitterentropy + + ifeq ($(OS_TARGET),Android) + OS_LIBS += -llog +Index: nss/lib/freebl/drbg.c +=================================================================== +--- nss.orig/lib/freebl/drbg.c ++++ nss/lib/freebl/drbg.c +@@ -6,6 +6,8 @@ + #include "stubs.h" + #endif + ++#include ++ + #include + + #include "prerror.h" +@@ -107,6 +109,45 @@ typedef struct RNGContextStr RNGContext; + static RNGContext *globalrng = NULL; + static RNGContext theGlobalRng; + ++/* Jitterentropy */ ++#define JITTER_FLAGS JENT_FORCE_FIPS ++static struct rand_data *jitter; ++ ++static ssize_t ++FIPS_jent_get_entropy (void *dest, ssize_t len) ++{ ++ int result = -1; ++ ++ /* Ensure that the jitterentropy generator is initialized */ ++ ++ if (!jitter) ++ { ++ if (jent_entropy_init_ex (1, JITTER_FLAGS)) ++ goto out; ++ ++ jitter = jent_entropy_collector_alloc (1, JITTER_FLAGS); ++ if (!jitter) ++ goto out; ++ } ++ ++ /* Get some entropy */ ++ ++ result = jent_read_entropy_safe (&jitter, dest, len); ++ ++out: ++ return result; ++} ++ ++static void ++FIPS_jent_deinit (void) ++{ ++ if (jitter) ++ { ++ jent_entropy_collector_free (jitter); ++ jitter = NULL; ++ } ++} ++ + /* + * The next several functions are derived from the NIST SP 800-90 + * spec. 
In these functions, an attempt was made to use names consistent +@@ -180,7 +221,7 @@ static PRCallOnceType coRNGInitEntropy; + static PRStatus + prng_initEntropy(void) + { +- size_t length; ++ ssize_t length; + PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE]; + SHA256Context ctx; + +@@ -203,8 +244,8 @@ prng_initEntropy(void) + /* For FIPS 140-2 4.9.2 continuous random number generator test, + * fetch the initial entropy from the system RNG and keep it for + * later comparison. */ +- length = RNG_SystemRNG(block, sizeof(block)); +- if (length == 0) { ++ length = FIPS_jent_get_entropy(block, sizeof(block)); ++ if (length < 1) { + coRNGInitEntropy.status = PR_FAILURE; + __sync_synchronize (); + coRNGInitEntropy.initialized = 1; +@@ -244,8 +285,8 @@ prng_getEntropy(PRUint8 *buffer, size_t + * iteratively fetch fixed sized blocks from the system and + * compare consecutive blocks. */ + while (total < requestLength) { +- size_t length = RNG_SystemRNG(block, sizeof(block)); +- if (length == 0) { ++ ssize_t length = FIPS_jent_get_entropy(block, sizeof(block)); ++ if (length < 1) { + rv = SECFailure; /* error is already set */ + goto out; + } +@@ -792,6 +833,7 @@ RNG_RNGShutdown(void) + /* clear */ + prng_freeRNGContext(globalrng); + globalrng = NULL; ++ FIPS_jent_deinit (); + /* reset the callonce struct to allow a new call to RNG_RNGInit() */ + coRNGInit = pristineCallOnce; + } diff --git a/nss-fips-pairwise-consistency-check.patch b/nss-fips-pairwise-consistency-check.patch index 205c757..bdb1a9f 100644 --- a/nss-fips-pairwise-consistency-check.patch +++ b/nss-fips-pairwise-consistency-check.patch @@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4826,8 +4826,8 @@ loser: +@@ -4800,8 +4800,8 @@ loser: return crv; } 
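Review bot: The lazy initialisation of the static `jitter` collector in `FIPS_jent_get_entropy` is unsynchronised: `prng_initEntropy` runs under PR_CallOnce, but I cannot tell from the hunk whether every caller of `prng_getEntropy` holds the RNG lock, and if two threads reach the `!jitter` branch together both call `jent_entropy_init_ex` and allocate, leaking one collector or freeing one still in use. Initialise the collector under a PR_CallOnce or the global RNG lock and record the locking assumption in a comment above the function; since `jent_read_entropy_safe` takes `&jitter` because it may replace the collector, the `FIPS_jent_deinit` call in RNG_RNGShutdown also needs a note that it must not overlap a reader. The change replaces `RNG_SystemRNG` in both seeding paths rather than mixing it in, so CPU jitter becomes the DRBG's only seed source; if that is intended, say so in the comment at the top of the jitter block, otherwise consider folding the kernel output in as additional input. The rendered patch has also lost the header name on the added `#include` line.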
@@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5749,6 +5749,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } diff --git a/nss-fips-pbkdf-kat-compliance.patch b/nss-fips-pbkdf-kat-compliance.patch index a134813..7b84c10 100644 --- a/nss-fips-pbkdf-kat-compliance.patch +++ b/nss-fips-pbkdf-kat-compliance.patch @@ -1,6 +1,6 @@ -diff --git nss/lib/softoken/lowpbe.c b/nss/lib/softoken/lowpbe.c -index fae9e18..1c55642 100644 ---- nss/lib/softoken/lowpbe.c +Index: nss/lib/softoken/lowpbe.c +=================================================================== +--- nss.orig/lib/softoken/lowpbe.c +++ nss/lib/softoken/lowpbe.c @@ -1756,7 +1756,7 @@ loser: return ret_algid; @@ -11,7 +11,7 @@ index fae9e18..1c55642 100644 SECStatus sftk_fips_pbkdf_PowerUpSelfTests(void) { -@@ -1766,16 +1766,21 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) +@@ -1766,16 +1766,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) unsigned char iteration_count = 5; unsigned char keyLen = 64; char *inKeyData = TEST_KEY; @@ -22,6 +22,7 @@ index fae9e18..1c55642 100644 + 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B, + 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22 + }; ++ static const unsigned char pbkdf_known_answer[] = { - 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, - 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, @@ -42,7 +43,7 @@ index fae9e18..1c55642 100644 }; sftk_PBELockInit(); -@@ -1804,11 +1809,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) +@@ -1804,11 +1810,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) * for NSSPKCS5_PBKDF2 */ pbe_params.iter = iteration_count; pbe_params.keyLen = keyLen; diff --git a/nss-fips-pct-pubkeys.patch b/nss-fips-pct-pubkeys.patch new file mode 100644 index 0000000..4b76701 --- /dev/null +++ b/nss-fips-pct-pubkeys.patch 
@@ -0,0 +1,135 @@ +# HG changeset patch +# Parent 5786c2bb5c229b530e95e435ee0cf51314359e7b + +Index: nss/lib/softoken/pkcs11c.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11c.c ++++ nss/lib/softoken/pkcs11c.c +@@ -17,6 +17,7 @@ + * In this implementation, session objects are only visible to the session + * that created or generated them. + */ ++#include "lowkeyti.h" + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" +@@ -4922,6 +4923,88 @@ pairwise_signverify_mech (CK_SESSION_HAN + return crv; + } + ++/* This function regenerates a public key from a private key ++ * (not simply returning the saved public key) and compares it ++ * to the given publicKey ++ */ ++static CK_RV ++regeneratePublicKeyFromPrivateKeyAndCompare(NSSLOWKEYPrivateKey *currPrivKey, ++ NSSLOWKEYPublicKey *currPubKey) ++{ ++ NSSLOWKEYPublicKey *pubk; ++ SECItem publicValue; ++ PLArenaPool *arena; ++ ++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ if (arena == NULL) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return CKR_HOST_MEMORY; ++ } ++ ++ switch (currPrivKey->keyType) { ++ case NSSLOWKEYDHKey: ++ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, ++ sizeof(NSSLOWKEYPublicKey)); ++ if (pubk != NULL) { ++ SECStatus rv; ++ ++ pubk->arena = arena; ++ pubk->keyType = currPrivKey->keyType; ++ ++ // Regenerate the publicValue ++ rv = DH_Derive(&currPrivKey->u.dh.base, &currPrivKey->u.dh.prime, ++ &currPrivKey->u.dh.privateValue, &publicValue, 0); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue, ++ &publicValue); ++ SECITEM_ZfreeItem(&publicValue, PR_FALSE); ++ if (rv != SECSuccess) { ++ break; ++ } ++ ++ if (SECITEM_CompareItem(&pubk->u.dh.publicValue, &currPubKey->u.dh.publicValue) != SECEqual) { ++ nsslowkey_DestroyPublicKey(pubk); ++ return CKR_GENERAL_ERROR; ++ } ++ nsslowkey_DestroyPublicKey(pubk); ++ return CKR_OK; ++ } ++ break; ++ case NSSLOWKEYECKey: ++ { ++ 
ECPrivateKey *privk = NULL; ++ SECStatus rv; ++ ++ /* The "seed" is an octet stream corresponding to our private key. ++ * The new public key is derived from this + the parameters and ++ * stored in the new private key's publicValue. */ ++ rv = EC_NewKeyFromSeed (&currPrivKey->u.ec.ecParams, ++ &privk, ++ currPrivKey->u.ec.privateValue.data, ++ currPrivKey->u.ec.privateValue.len); ++ if (rv != SECSuccess) ++ break; ++ ++ /* Verify that the passed-in public value is equal to the one derived */ ++ if (SECITEM_CompareItem (&privk->publicValue, &currPubKey->u.ec.publicValue) != SECEqual) { ++ PORT_FreeArena (privk->ecParams.arena, PR_TRUE); ++ return CKR_GENERAL_ERROR; ++ } ++ ++ PORT_FreeArena (privk->ecParams.arena, PR_TRUE); ++ return CKR_OK; ++ } ++ break; ++ default: ++ break; ++ } ++ ++ PORT_FreeArena(arena, PR_TRUE); ++ return CKR_GENERAL_ERROR; ++} ++ + /* + * FIPS 140-2 pairwise consistency check utilized to validate key pair. + * +@@ -5268,6 +5351,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + } + } + ++ // Regenerate the publicKey from the privateKey and compare it to the ++ // original publicKey ++ if (keyType == CKK_DH || keyType == CKK_EC) { ++ NSSLOWKEYPrivateKey *currPrivKey = sftk_GetPrivKey(privateKey, CKK_DH, &crv); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ if (!currPrivKey) { ++ return CKR_DEVICE_ERROR; ++ } ++ ++ NSSLOWKEYPublicKey *currPubKey = sftk_GetPubKey(publicKey, CKK_DH, &crv); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ if (!currPubKey) { ++ return CKR_DEVICE_ERROR; ++ } ++ ++ crv = regeneratePublicKeyFromPrivateKeyAndCompare(currPrivKey, currPubKey); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } + return CKR_OK; + } + diff --git a/nss-fips-rsa-keygen-strictness.patch b/nss-fips-rsa-keygen-strictness.patch index ce99316..80a4698 100644 --- a/nss-fips-rsa-keygen-strictness.patch +++ b/nss-fips-rsa-keygen-strictness.patch 
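Review bot: In sftk_PairwiseConsistencyCheck the new block is entered for `keyType == CKK_EC` as well, yet both lookups hard-code the DH type: `sftk_GetPrivKey(privateKey, CKK_DH, &crv)` and `sftk_GetPubKey(publicKey, CKK_DH, &crv)` should pass `keyType`, otherwise an EC object whose low-level key is not already cached would presumably be parsed with DH attribute names and the check would fail rather than verify the pair. Separately, regeneratePublicKeyFromPrivateKeyAndCompare allocates `arena` up front but the NSSLOWKEYECKey branch returns on both of its paths without `PORT_FreeArena(arena, PR_TRUE)`, leaking an arena on every call made with an EC key; either free it before those two returns or create the arena inside the DH case only. In the DH case a failed PORT_ArenaZAlloc falls through to CKR_GENERAL_ERROR where CKR_HOST_MEMORY would match the earlier arena failure. A header comment should also state that the DH success path appears to rely on nsslowkey_DestroyPublicKey releasing `pubk->arena`, since `arena` is never freed explicitly there. sftk_PairwiseConsistencyCheck starts outside the hunk.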
@@ -8,10 +8,10 @@ commit 4b8c0eac6b092717157b4141c82b4d76ccdc91b3 Author: Hans Petter Jansson Patch 16: nss-fips-rsa-keygen-strictness.patch -diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c -index b757150..41d08b1 100644 ---- a/lib/freebl/mpi/mpprime.c -+++ b/lib/freebl/mpi/mpprime.c +Index: nss/lib/freebl/mpi/mpprime.c +=================================================================== +--- nss.orig/lib/freebl/mpi/mpprime.c ++++ nss/lib/freebl/mpi/mpprime.c @@ -14,6 +14,8 @@ #include #include @@ -21,7 +21,7 @@ index b757150..41d08b1 100644 #define SMALL_TABLE 0 /* determines size of hard-wired prime table */ #define RANDOM() rand() -@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, mp_size nBits, mp_size strong, mpp_rand +@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, } else num_tests = 50; @@ -47,10 +47,10 @@ index b757150..41d08b1 100644 if (strong) --nBits; MP_CHECKOK(mpl_set_bit(start, nBits - 1, 1)); -diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c -index 2b8a3bf..8d40d11 100644 ---- a/lib/freebl/rsa.c -+++ b/lib/freebl/rsa.c +Index: nss/lib/freebl/rsa.c +=================================================================== +--- nss.orig/lib/freebl/rsa.c ++++ nss/lib/freebl/rsa.c @@ -16,11 +16,13 @@ #include "prinit.h" #include "blapi.h" @@ -65,7 +65,7 @@ index 2b8a3bf..8d40d11 100644 /* The minimal required randomness is 64 bits */ /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */ -@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, const mp_int *q, +@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, c err = mp_invmod(d, &phi, e); } else { err = mp_invmod(e, &phi, d); 
@@ -92,7 +92,7 @@ index 2b8a3bf..8d40d11 100644 if (err != MP_OKAY) { if (err == MP_UNDEF) { PORT_SetError(SEC_ERROR_NEED_RANDOM); -@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) +@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p mp_int q = { 0, 0, 0, NULL }; mp_int e = { 0, 0, 0, NULL }; mp_int d = { 0, 0, 0, NULL }; @@ -106,7 +106,7 @@ index 2b8a3bf..8d40d11 100644 int prerr = 0; RSAPrivateKey *key = NULL; PLArenaPool *arena = NULL; -@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) +@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } @@ -151,7 +151,7 @@ index 2b8a3bf..8d40d11 100644 } #endif -@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) +@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p key->arena = arena; /* length of primes p and q (in bytes) */ primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE); @@ -165,7 +165,7 @@ index 2b8a3bf..8d40d11 100644 /* 3. Set the version number (PKCS1 v1.5 says it should be zero) */ SECITEM_AllocItem(arena, &key->version, 1); key->version.data[0] = 0; -@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) +@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p PORT_SetError(0); CHECK_SEC_OK(generate_prime(&p, primeLen)); CHECK_SEC_OK(generate_prime(&q, primeLen)); diff --git a/nss-fips-tests-skip.patch b/nss-fips-tests-skip.patch deleted file mode 100644 index 7661085..0000000 --- a/nss-fips-tests-skip.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -Index: nss/tests/lowhash/lowhash.sh -=================================================================== ---- nss.orig/tests/lowhash/lowhash.sh -+++ nss/tests/lowhash/lowhash.sh -@@ -61,11 +61,13 @@ lowhash_test() - ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then - echo "freebl lowhash not supported in this plaform." - else -- TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" -+ TESTS_FIPS_0="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" -+ TESTS_FIPS_1="SHA224 SHA256 SHA384 SHA512" - OLD_MODE=`echo ${NSS_FIPS}` - for fips_mode in 0 1; do - echo "lowhashtest with fips mode=${fips_mode}" - export NSS_FIPS=${fips_mode} -+ eval TESTS=\${TESTS_FIPS_${fips_mode}} - for TEST in ${TESTS} - do - echo "lowhashtest ${TEST}" diff --git a/nss-fips-tls-allow-md5-prf.patch b/nss-fips-tls-allow-md5-prf.patch deleted file mode 100644 index 2d2aed0..0000000 --- a/nss-fips-tls-allow-md5-prf.patch +++ /dev/null 
@@ -1,270 +0,0 @@ -# HG changeset patch -# User Hans Petter Jansson -# Date 1574240734 -3600 -# Wed Nov 20 10:05:34 2019 +0100 -# Node ID 0efca22bbafd7575b20461f255c46157c9321822 -# Parent 3a2cb65dc157344cdad19e8e16e9c33e36f82d96 -[PATCH] 30 -From ca3b695ac461eccf4ed97e1b3fe0a311c80a792f Mon Sep 17 00:00:00 2001 ---- - nss/lib/freebl/md5.c | 67 ++++++++++++++++++++++++++------------ - nss/lib/freebl/rawhash.c | 37 +++++++++++++++++++++ - nss/lib/freebl/tlsprfalg.c | 5 ++- - nss/lib/softoken/pkcs11c.c | 4 +-- - 4 files changed, 90 insertions(+), 23 deletions(-) - -Index: nss/lib/freebl/md5.c -=================================================================== ---- nss.orig/lib/freebl/md5.c -+++ nss/lib/freebl/md5.c -@@ -217,13 +217,11 @@ MD5_HashBuf(unsigned char *dest, const u - } - - MD5Context * --MD5_NewContext(void) -+MD5_NewContext_NonFIPS(void) - { - /* no need to ZAlloc, MD5_Begin will init the context */ - MD5Context *cx; - -- IN_FIPS_RETURN(NULL); -- - cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context)); - if (cx == NULL) { - PORT_SetError(PR_OUT_OF_MEMORY_ERROR); -@@ -232,6 +230,13 @@ MD5_NewContext(void) - return cx; - } - -+MD5Context * -+MD5_NewContext(void) -+{ -+ IN_FIPS_RETURN(NULL); -+ return MD5_NewContext_NonFIPS(); -+} -+ - void - MD5_DestroyContext(MD5Context *cx, PRBool freeit) - { -@@ -243,10 +248,8 @@ MD5_DestroyContext(MD5Context *cx, PRBoo - } - - void --MD5_Begin(MD5Context *cx) -+MD5_Begin_NonFIPS(MD5Context *cx) - { -- IN_FIPS_RETURN(); -- - cx->lsbInput = 0; - cx->msbInput = 0; - /* memset(cx->inBuf, 0, sizeof(cx->inBuf)); */ -@@ -256,6 +259,13 @@ MD5_Begin(MD5Context *cx) - cx->cv[3] = CV0_4; - } - -+void -+MD5_Begin(MD5Context *cx) -+{ -+ IN_FIPS_RETURN(); -+ MD5_Begin_NonFIPS(cx); -+} -+ - #define cls(i32, s) (tmp = i32, tmp << s | tmp >> (32 - s)) - - #if defined(SOLARIS) || defined(HPUX) -@@ -431,14 +441,12 @@ md5_compress(MD5Context *cx, const PRUin - } - - void --MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int 
inputLen) -+MD5_Update_NonFIPS(MD5Context *cx, const unsigned char *input, unsigned int inputLen) - { - PRUint32 bytesToConsume; - PRUint32 inBufIndex = cx->lsbInput & 63; - const PRUint32 *wBuf; - -- IN_FIPS_RETURN(); -- - /* Add the number of input bytes to the 64-bit input counter. */ - addto64(cx->msbInput, cx->lsbInput, inputLen); - if (inBufIndex) { -@@ -487,6 +495,13 @@ MD5_Update(MD5Context *cx, const unsigne - memcpy(cx->inBuf, input, inputLen); - } - -+void -+MD5_Update(MD5Context *cx, const unsigned char *input, unsigned int inputLen) -+{ -+ IN_FIPS_RETURN(); -+ MD5_Update_NonFIPS(cx, input, inputLen); -+} -+ - static const unsigned char padbytes[] = { - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -@@ -503,8 +518,8 @@ static const unsigned char padbytes[] = - }; - - void --MD5_End(MD5Context *cx, unsigned char *digest, -- unsigned int *digestLen, unsigned int maxDigestLen) -+MD5_End_NonFIPS(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen) - { - #ifndef IS_LITTLE_ENDIAN - PRUint32 tmp; -@@ -512,8 +527,6 @@ MD5_End(MD5Context *cx, unsigned char *d - PRUint32 lowInput, highInput; - PRUint32 inBufIndex = cx->lsbInput & 63; - -- IN_FIPS_RETURN(); -- - if (maxDigestLen < MD5_HASH_LEN) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return; -@@ -525,10 +538,10 @@ MD5_End(MD5Context *cx, unsigned char *d - lowInput <<= 3; - - if (inBufIndex < MD5_END_BUFFER) { -- MD5_Update(cx, padbytes, MD5_END_BUFFER - inBufIndex); -+ MD5_Update_NonFIPS(cx, padbytes, MD5_END_BUFFER - inBufIndex); - } else { -- MD5_Update(cx, padbytes, -- MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex); -+ MD5_Update_NonFIPS(cx, padbytes, -+ MD5_END_BUFFER + MD5_BUFFER_SIZE - inBufIndex); - } - - /* Store the number of bytes input (before padding) in final 64 bits. 
*/ -@@ -554,16 +567,22 @@ MD5_End(MD5Context *cx, unsigned char *d - } - - void --MD5_EndRaw(MD5Context *cx, unsigned char *digest, -- unsigned int *digestLen, unsigned int maxDigestLen) -+MD5_End(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen) -+{ -+ IN_FIPS_RETURN(); -+ MD5_End_NonFIPS(cx, digest, digestLen, maxDigestLen); -+} -+ -+void -+MD5_EndRaw_NonFIPS(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen) - { - #ifndef IS_LITTLE_ENDIAN - PRUint32 tmp; - #endif - PRUint32 cv[4]; - -- IN_FIPS_RETURN(); -- - if (maxDigestLen < MD5_HASH_LEN) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return; -@@ -581,6 +600,14 @@ MD5_EndRaw(MD5Context *cx, unsigned char - *digestLen = MD5_HASH_LEN; - } - -+void -+MD5_EndRaw(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen) -+{ -+ IN_FIPS_RETURN(); -+ MD5_EndRaw_NonFIPS(cx, digest, digestLen, maxDigestLen); -+} -+ - unsigned int - MD5_FlattenSize(MD5Context *cx) - { -Index: nss/lib/freebl/rawhash.c -=================================================================== ---- nss.orig/lib/freebl/rawhash.c -+++ nss/lib/freebl/rawhash.c -@@ -154,3 +154,40 @@ HASH_GetRawHashObject(HASH_HashType hash - } - return &SECRawHashObjects[hashType]; - } -+ -+/* Defined in md5.c */ -+ -+MD5Context *MD5_NewContext_NonFIPS(void); -+void MD5_Begin_NonFIPS(MD5Context *cx); -+void MD5_Update_NonFIPS(MD5Context *cx, const unsigned char *input, unsigned int inputLen); -+void MD5_End_NonFIPS(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen); -+void MD5_EndRaw_NonFIPS(MD5Context *cx, unsigned char *digest, -+ unsigned int *digestLen, unsigned int maxDigestLen); -+ -+static const SECHashObject SECRawHashObjectMD5NonFIPS = { -+ MD5_LENGTH, -+ (void *(*)(void))MD5_NewContext_NonFIPS, -+ (void *(*)(void *))null_hash_clone_context, -+ (void (*)(void *, PRBool))MD5_DestroyContext, -+ 
(void (*)(void *))MD5_Begin_NonFIPS, -+ (void (*)(void *, const unsigned char *, unsigned int))MD5_Update_NonFIPS, -+ (void (*)(void *, unsigned char *, unsigned int *, unsigned int))MD5_End_NonFIPS, -+ MD5_BLOCK_LENGTH, -+ HASH_AlgMD5, -+ (void (*)(void *, unsigned char *, unsigned int *, unsigned int))MD5_EndRaw_NonFIPS -+}; -+ -+const SECHashObject * -+HASH_GetRawHashObjectNonFIPS(HASH_HashType hashType) -+{ -+ if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return NULL; -+ } -+ -+ if (hashType == HASH_AlgMD5) -+ return &SECRawHashObjectMD5NonFIPS; -+ -+ return &SECRawHashObjects[hashType]; -+} -Index: nss/lib/freebl/tlsprfalg.c -=================================================================== ---- nss.orig/lib/freebl/tlsprfalg.c -+++ nss/lib/freebl/tlsprfalg.c -@@ -12,6 +12,9 @@ - #include "hasht.h" - #include "alghmac.h" - -+/* To get valid MD5 object in FIPS mode */ -+const SECHashObject *HASH_GetRawHashObjectNonFIPS(HASH_HashType hashType); -+ - #define PHASH_STATE_MAX_LEN HASH_LENGTH_MAX - - /* TLS P_hash function */ -@@ -27,7 +30,7 @@ TLS_P_hash(HASH_HashType hashType, const - SECStatus status; - HMACContext *cx; - SECStatus rv = SECFailure; -- const SECHashObject *hashObj = HASH_GetRawHashObject(hashType); -+ const SECHashObject *hashObj = HASH_GetRawHashObjectNonFIPS(hashType); - - PORT_Assert((secret != NULL) && (secret->data != NULL || !secret->len)); - PORT_Assert((seed != NULL) && (seed->data != NULL)); -Index: nss/lib/softoken/pkcs11c.c -=================================================================== ---- nss.orig/lib/softoken/pkcs11c.c -+++ nss/lib/softoken/pkcs11c.c -@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession - SFTKAttribute *att2 = NULL; - unsigned char *buf; - SHA1Context *sha; -- MD5Context *md5; -+ MD5Context *md5 = NULL; - MD2Context *md2; - CK_ULONG macSize; - CK_ULONG tmpKeySize; -@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession - } - 
sftk_FreeAttribute(att2); - md5 = MD5_NewContext(); -- if (md5 == NULL) { -+ if (md5 == NULL && !isTLS) { - crv = CKR_HOST_MEMORY; - break; - } diff --git a/nss-fix-bmo1836925.patch b/nss-fix-bmo1836925.patch new file mode 100644 index 0000000..71cc9e1 --- /dev/null +++ b/nss-fix-bmo1836925.patch 
@@ -0,0 +1,69 @@
+Index: nss/lib/freebl/Makefile
+===================================================================
+--- nss.orig/lib/freebl/Makefile
++++ nss/lib/freebl/Makefile
+@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
+ HAVE_INT128_SUPPORT = 1
+ DEFINES += -DHAVE_INT128_SUPPORT
+ else ifeq (1,$(CC_IS_GCC))
+- SUPPORTS_VALE_CURVE25519 = 1
+ ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+ HAVE_INT128_SUPPORT = 1
+ DEFINES += -DHAVE_INT128_SUPPORT
+@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT
+ DEFINES += -DKRML_VERIFIED_UINT128
+ endif
+
+-ifdef SUPPORTS_VALE_CURVE25519
+- VERIFIED_SRCS += Hacl_Curve25519_64.c
+- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
+-endif
+-
+ ifndef NSS_DISABLE_CHACHAPOLY
+ ifeq ($(CPU_ARCH),x86_64)
+ ifndef NSS_DISABLE_AVX2
+Index: nss/lib/freebl/freebl.gyp
+===================================================================
+--- nss.orig/lib/freebl/freebl.gyp
++++ nss/lib/freebl/freebl.gyp
+@@ -866,12 +866,6 @@
+ }],
+ ],
+ }],
+- [ 'supports_vale_curve25519==1', {
+- 'defines': [
+- # The Makefile does version-tests on GCC, but we're not doing that here.
+- 'HACL_CAN_COMPILE_INLINE_ASM',
+- ],
+- }],
+ [ 'OS=="linux" or OS=="android"', {
+ 'conditions': [
+ [ 'target_arch=="x64"', {
+@@ -934,11 +928,6 @@
+ 'variables': {
+ 'module': 'nss',
+ 'conditions': [
+- [ 'target_arch=="x64" and cc_is_gcc==1', {
+- 'supports_vale_curve25519%': 1,
+- }, {
+- 'supports_vale_curve25519%': 0,
+- }],
+ [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
+ 'have_int128_support%': 1,
+ }, {
+Index: nss/lib/freebl/freebl_base.gypi
+===================================================================
+--- nss.orig/lib/freebl/freebl_base.gypi
++++ nss/lib/freebl/freebl_base.gypi
+@@ -151,11 +151,6 @@
+ 'ecl/curve25519_32.c',
+ ],
+ }],
+- ['supports_vale_curve25519==1', {
+- 'sources': [
+- 'verified/Hacl_Curve25519_64.c',
+- ],
+- }],
+ ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
+ 'sources': [
+ # Gyp does not support per-file cflags, so working around like this.
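Review bot: The new patch file has no header explaining what it changes or why, so a reader sees only that the Vale Curve25519 backend (`supports_vale_curve25519`, `Hacl_Curve25519_64.c`, `HACL_CAN_COMPILE_INLINE_ASM`) is dropped from both the Makefile and the gyp builds without learning which problem this works around, whereas several of the package's other patches open with a changeset header. Add a short description before the first `Index:` line, e.g. `# bmo#1836925 - disable the Vale (inline-asm) Curve25519 backend: <reason, taken from the bug report>`, so the rationale survives the next version rebase.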