pool/mozilla-nss
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1250499 from mozilla:Factory

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1250499
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=227
This commit is contained in:
Ana Guerrero 2025-03-07 15:38:48 +00:00 committed by Git OBS Bridge
commit e3d9c6a2d9
11 changed files with 126 additions and 908 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
mozilla-nss.changes
View File

@ -1,3 +1,71 @@
-------------------------------------------------------------------
Wed Mar 5 10:17:10 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Updated nss-fips-approved-crypto-non-ec.patch to not pass in
bad targetKeyLength parameters when checking for FIPS approval
after keygen. This was causing false rejections.
- Updated nss-fips-approved-crypto-non-ec.patch to approve
RSA signature verification mechanisms with PKCS padding and
legacy moduli (bsc#1222834).
-------------------------------------------------------------------
Sun Mar 2 09:04:20 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.108
* bmo#1923285 - libclang-16 -> libclang-19
* bmo#1939086 - Turn off Secure Email Trust Bit for Security
Communication ECC RootCA1
* bmo#1937332 - Turn off Secure Email Trust Bit for BJCA Global Root
CA1 and BJCA Global Root CA2
* bmo#1915902 - Remove SwissSign Silver CA G2
* bmo#1938245 - Add D-Trust 2023 TLS Roots to NSS
* bmo#1942301 - fix fips test failure on windows
* bmo#1935925 - change default sensitivity of KEM keys
* bmo#1936001 - Part 1: Introduce frida hooks and script
* bmo#1942350 - add missing arm_neon.h include to gcm.c
* bmo#1831552 - ci: update windows workers to win2022
* bmo#1831552 - strip trailing carriage returns in tools tests
* bmo#1880256 - work around unix/windows path translation issues
in cert test script
* bmo#1831552 - ci: let the windows setup script work without $m
* bmo#1880255 - detect msys
* bmo#1936680 - add a specialized CTR_Update variant for AES-GCM
* bmo#1930807 - NSS policy updates
* bmo#1930806 - FIPS changes need to be upstreamed: FIPS 140-3 RNG
* bmo#1930806 - FIPS changes need to be upstreamed: Add SafeZero
* bmo#1930806 - FIPS changes need to be upstreamed - updated POST
* bmo#1933031 - Segmentation fault in SECITEM_Hash during pkcs12 processing
* bmo#1929922 - Extending NSS with LoadModuleFromFunction functionality
* bmo#1935984 - Ensure zero-initialization of collectArgs.cert
* bmo#1934526 - pkcs7 fuzz target use CERT_DestroyCertificate
* bmo#1915898 - Fix actual underlying ODR violations issue
* bmo#1184059 - mozilla::pkix: allow reference ID labels to begin
and/or end with hyphens
* bmo#1927953 - don't look for secmod.db in nssutil_ReadSecmodDB if
NSS_DISABLE_DBM is set
* bmo#1934526 - Fix memory leak in pkcs7 fuzz target
* bmo#1934529 - Set -O2 for ASan builds in CI
* bmo#1934543 - Change branch of tlsfuzzer dependency
* bmo#1915898 - Run tests in CI for ASan builds with detect_odr_violation=1
* bmo#1934241 - Fix coverage failure in CI
* bmo#1934213 - Add fuzzing for delegated credentials, DTLS short
header and Tls13BackendEch
* bmo#1927142 - Add fuzzing for SSL_EnableTls13GreaseEch and
SSL_SetDtls13VersionWorkaround
* bmo#1913677 - Part 3: Restructure fuzz/
* bmo#1931925 - Extract testcases from ssl gtests for fuzzing
* bmo#1923037 - Force Cryptofuzz to use NSS in CI
* bmo#1923037 - Fix Cryptofuzz on 32 bit in CI
* bmo#1933154 - Update Cryptofuzz repository link
* bmo#1926256 - fix build error from 9505f79d
* bmo#1926256 - simplify error handling in get_token_objects_for_cache
* bmo#1931973 - nss doc: fix a warning
* bmo#1930797 - pkcs12 fixes from RHEL need to be picked up
- remove obsolete patches
* nss-fips-safe-memset.patch
* nss-bmo1930797.patch
-------------------------------------------------------------------
Tue Jan 7 12:47:09 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>

13
mozilla-nss.spec
View File

@ -17,15 +17,15 @@
#
%global nss_softokn_fips_version 3.107
%global nss_softokn_fips_version 3.108
%define NSPR_min_version 4.36
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
%global crypto_policies_version 20210218
Name: mozilla-nss
Version: 3.107
Version: 3.108
Release: 0
%define underscore_version 3_107
%define underscore_version 3_108
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@ -51,7 +51,6 @@ Patch3: nss-no-rpath.patch
Patch4: add-relro-linker-option.patch
Patch5: malloc.patch
Patch7: nss-sqlitename.patch
Patch8: nss-bmo1930797.patch
Patch9: nss-fips-use-getrandom.patch
Patch10: nss-fips-dsa-kat.patch
Patch11: nss-fips-pairwise-consistency-check.patch
@ -82,7 +81,6 @@ Patch48: nss-fips-test.patch
Patch49: nss-allow-slow-tests-s390x.patch
Patch50: nss-fips-bsc1223724.patch
Patch51: nss-fips-aes-gcm-restrict.patch
Patch52: nss-fips-safe-memset.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@ -211,7 +209,6 @@ cd nss
%patch -P 5 -p1
%endif
%patch -P 7 -p1
%patch -P 8 -p1
# FIPS patches
%patch -P 9 -p1
%patch -P 10 -p1
@ -249,10 +246,6 @@ cd nss
%endif
%patch -P 50 -p1
%patch -P 51 -p1
%if 0%{?sle_version} >= 150000
# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
%patch -P 52 -p1
%endif
# additional CA certificates
#cd security/nss/lib/ckfw/builtins

3
nss-3.107.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7f7e96473e38150771a615f5d40e8c41ba3a19385301ae0c525091f2fc9d6729
size 76617725

3
nss-3.108.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a0f6fcb5dbadc1635b43827517a979e3a6d005d0788527802a6b31e2c5f66eec
size 76630022

309
nss-bmo1930797.patch
View File

@ -1,309 +0,0 @@
# HG changeset patch
# User Robert Relyea <rrelyea@redhat.com>
# Date 1731716524 28800
# Node ID 03e207e378dd37a87e172febb58012472611a78f
# Parent fe06bec77d445965548ee6f9d803bf8d035863c7
Bug 1930797 pkcs12 fixes from RHEL need to be picked up.
1. add ignore integrity option to pk12util
2. update pk12util manpage
a. with new ignore integrity option.
b. with the correct current defaults for pk12util.
3. don't include a fake iv in the param portion of the pbmac1.
4. restore the ability to decode md5 mac'ed pkcs12 files.
5. restore tests for bad pkcs12 encodings
Differential Revision: https://phabricator.services.mozilla.com/D229394
Index: nss/cmd/pk12util/pk12util.c
===================================================================
--- nss.orig/cmd/pk12util/pk12util.c
+++ nss/cmd/pk12util/pk12util.c
@@ -32,12 +32,12 @@ static void
Usage()
{
#define FPS PR_fprintf(PR_STDERR,
- FPS "Usage: %s -i importfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
+ FPS "Usage: %s -i importfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n",
progName);
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
FPS "\t\t [-v]\n");
- FPS "Usage: %s -l listfile [-d certdir] [-P dbprefix] [-h tokenname]\n",
+ FPS "Usage: %s -l listfile [-I] [-d certdir] [-P dbprefix] [-h tokenname]\n",
progName);
FPS "\t\t [-k slotpwfile | -K slotpw] [-w p12filepwfile | -W p12filepw]\n");
FPS "\t\t [-v]\n");
@@ -351,7 +351,8 @@ P12U_InitSlot(PK11SlotInfo *slot, secuPW
*/
SEC_PKCS12DecoderContext *
p12U_ReadPKCS12File(SECItem *uniPwp, char *in_file, PK11SlotInfo *slot,
- secuPWData *slotPw, secuPWData *p12FilePw)
+ secuPWData *slotPw, secuPWData *p12FilePw,
+ PRBool ignoreIntegrity)
{
SEC_PKCS12DecoderContext *p12dcx = NULL;
p12uContext *p12cxt = NULL;
@@ -458,7 +459,10 @@ p12U_ReadPKCS12File(SECItem *uniPwp, cha
/* rv has been set at this point */
done:
- if (rv != SECSuccess) {
+ /* if we are ignoring Integrity and we failed because we couldn't
+ * verify the integrity code, go ahead and succeed */
+ if (rv != SECSuccess && !(ignoreIntegrity &&
+ (pk12uErrno == PK12UERR_DECODEVERIFY))) {
if (p12dcx != NULL) {
SEC_PKCS12DecoderFinish(p12dcx);
p12dcx = NULL;
@@ -490,7 +494,8 @@ done:
*/
PRIntn
P12U_ImportPKCS12Object(char *in_file, PK11SlotInfo *slot,
- secuPWData *slotPw, secuPWData *p12FilePw)
+ secuPWData *slotPw, secuPWData *p12FilePw,
+ PRBool ignoreIntegrity)
{
SEC_PKCS12DecoderContext *p12dcx = NULL;
SECItem uniPwitem = { 0 };
@@ -509,7 +514,8 @@ P12U_ImportPKCS12Object(char *in_file, P
do {
trypw = PR_FALSE; /* normally we do this once */
rv = SECFailure;
- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw,
+ p12FilePw, ignoreIntegrity);
if (p12dcx == NULL) {
goto loser;
@@ -777,14 +783,16 @@ loser:
PRIntn
P12U_ListPKCS12File(char *in_file, PK11SlotInfo *slot,
- secuPWData *slotPw, secuPWData *p12FilePw)
+ secuPWData *slotPw, secuPWData *p12FilePw,
+ PRBool ignoreIntegrity)
{
SEC_PKCS12DecoderContext *p12dcx = NULL;
SECItem uniPwitem = { 0 };
SECStatus rv = SECFailure;
const SEC_PKCS12DecoderItem *dip;
- p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw);
+ p12dcx = p12U_ReadPKCS12File(&uniPwitem, in_file, slot, slotPw, p12FilePw,
+ ignoreIntegrity);
/* did the blob authenticate properly? */
if (p12dcx == NULL) {
SECU_PrintError(progName, "PKCS12 decode not verified");
@@ -997,7 +1005,8 @@ enum {
opt_CertCipher,
opt_KeyLength,
opt_CertKeyLength,
- opt_Mac
+ opt_Mac,
+ opt_IgnoreIntegrity
};
static secuCommandFlag pk12util_options[] = {
@@ -1018,7 +1027,8 @@ static secuCommandFlag pk12util_options[
{ /* opt_CertCipher */ 'C', PR_TRUE, 0, PR_FALSE },
{ /* opt_KeyLength */ 'm', PR_TRUE, 0, PR_FALSE, "key_len" },
{ /* opt_CertKeyLength */ 0, PR_TRUE, 0, PR_FALSE, "cert_key_len" },
- { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE, PR_FALSE }
+ { /* opt_Mac */ 'M', PR_TRUE, 0, PR_FALSE },
+ { /* opt_IgnoreIntegrity */ 'I', PR_FALSE, 0, PR_FALSE }
};
int
@@ -1039,6 +1049,7 @@ main(int argc, char **argv)
int certKeyLen = 0;
secuCommand pk12util;
PRInt32 forceUnicode;
+ PRBool ignoreIntegrity = PR_FALSE;
#ifdef _CRTDBG_MAP_ALLOC
_CrtSetDbgFlag(_CRTDBG_ALLOC_MEM_DF | _CRTDBG_LEAK_CHECK_DF);
@@ -1113,6 +1124,9 @@ main(int argc, char **argv)
if (pk12util.options[opt_Raw].activated) {
dumpRawFile = PR_TRUE;
}
+ if (pk12util.options[opt_IgnoreIntegrity].activated) {
+ ignoreIntegrity = PR_TRUE;
+ }
if (pk12util.options[opt_KeyLength].activated) {
keyLen = atoi(pk12util.options[opt_KeyLength].arg);
}
@@ -1183,7 +1197,8 @@ main(int argc, char **argv)
}
if (pk12util.options[opt_Import].activated) {
- P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw);
+ P12U_ImportPKCS12Object(import_file, slot, &slotPw, &p12FilePw,
+ ignoreIntegrity);
} else if (pk12util.options[opt_Export].activated) {
P12U_ExportPKCS12Object(pk12util.options[opt_Nickname].arg,
@@ -1191,7 +1206,8 @@ main(int argc, char **argv)
hash, &slotPw, &p12FilePw);
} else if (pk12util.options[opt_List].activated) {
- P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw);
+ P12U_ListPKCS12File(import_file, slot, &slotPw, &p12FilePw,
+ ignoreIntegrity);
} else {
Usage();
Index: nss/doc/pk12util.xml
===================================================================
--- nss.orig/doc/pk12util.xml
+++ nss/doc/pk12util.xml
@@ -38,6 +38,7 @@
<arg>-P dbprefix</arg>
<arg>-r</arg>
<arg>-v</arg>
+ <arg>-I</arg>
<arg>--cert-key-len certKeyLength</arg>
<arg>-k slotPasswordFile|-K slotPassword</arg>
<arg>-w p12filePasswordFile|-W p12filePassword</arg>
@@ -147,6 +148,11 @@
</varlistentry>
<varlistentry>
+ <term>-I </term>
+ <listitem><para>Ignore integrity check results on importing and listing.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>-w p12filePasswordFile</term>
<listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
</varlistentry>
@@ -317,7 +323,7 @@ Certificate Friendly Name: Thawte Fre
<refsection id="encryption">
<title>Password Encryption</title>
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
<para>The private key is always protected with strong encryption by default.</para>
<para>Several types of ciphers are supported.</para>
<variablelist>
@@ -327,6 +333,7 @@ Certificate Friendly Name: Thawte Fre
<listitem>
<itemizedlist>
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
</itemizedlist>
</listitem>
</varlistentry>
Index: nss/lib/pk11wrap/pk11mech.c
===================================================================
--- nss.orig/lib/pk11wrap/pk11mech.c
+++ nss/lib/pk11wrap/pk11mech.c
@@ -1719,10 +1719,19 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
case CKM_JUNIPER_CBC128:
case CKM_JUNIPER_COUNTER:
case CKM_JUNIPER_SHUFFLE:
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
- SEC_ASN1_GET(SEC_OctetStringTemplate));
- if (newParams == NULL)
- break;
+ if (param && param->len > 0) {
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (newParams == NULL)
+ break;
+ } else {
+ /* if no parameters have been supplied, then use NULL params
+ * The SECOID_SetAlgorithmID encoder will encode that as no
+ * params (since params are optional) or with an explicit NULL
+ * (for some historical cases where explicit NULL is expected).
+ */
+ newParams = NULL;
+ }
rv = SECSuccess;
break;
}
Index: nss/lib/pk11wrap/pk11pbe.c
===================================================================
--- nss.orig/lib/pk11wrap/pk11pbe.c
+++ nss/lib/pk11wrap/pk11pbe.c
@@ -770,9 +770,10 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
}
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+
/* set the PKCS5v2 specific parameters */
if (keyLength == 0) {
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
if (hashAlg != SEC_OID_UNKNOWN) {
keyLength = HASH_ResultLenByOidTag(hashAlg);
} else {
@@ -787,18 +788,25 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
prfAlg = SEC_OID_HMAC_SHA1;
}
- /* build the PKCS5v2 cipher algorithm id */
- cipherParams = pk11_GenerateNewParamWithKeyLen(
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
- if (!cipherParams) {
- goto loser;
+ /* build the PKCS5v2 cipher algorithm id, if cipher
+ * is an HMAC, the cipherParams should be NULL */
+ if (hashAlg == SEC_OID_UNKNOWN) {
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+ if (!cipherParams) {
+ goto loser;
+ }
+ } else {
+ cipherParams = NULL;
}
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
poolp, &pbeV2_param.cipherAlgId);
- SECITEM_FreeItem(cipherParams, PR_TRUE);
+ if (cipherParams) {
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
+ }
if (rv != SECSuccess) {
goto loser;
}
Index: nss/lib/pkcs12/p12local.c
===================================================================
--- nss.orig/lib/pkcs12/p12local.c
+++ nss/lib/pkcs12/p12local.c
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
/* pkcs12v2 hmac uses UTF8 rather than unicode */
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
- PR_TRUE, PR_FALSE, PR_FALSE)) {
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
return NULL;
}
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
Index: nss/lib/util/nsshash.c
===================================================================
--- nss.orig/lib/util/nsshash.c
+++ nss/lib/util/nsshash.c
@@ -107,6 +107,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
switch (hmacOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_HMAC_MD5:
+ hashOid = SEC_OID_MD5;
+ break;
case SEC_OID_HMAC_SHA1:
hashOid = SEC_OID_SHA1;
break;
@@ -150,6 +153,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag
switch (hashOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_MD5:
+ hmacOid = SEC_OID_HMAC_MD5;
+ break;
case SEC_OID_SHA1:
hmacOid = SEC_OID_HMAC_SHA1;
break;

25
nss-fips-approved-crypto-non-ec.patch
View File

@ -426,8 +426,8 @@ Index: nss/lib/softoken/pkcs11c.c
return crv;
}
+ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, bitSize);
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, bitSize);
+ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, 0);
+ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, 0);
+ session->lastOpWasFIPS = privateKey->isFIPS;
+
*phPrivateKey = privateKey->handle;
@ -472,7 +472,7 @@ Index: nss/lib/softoken/pkcs11c.c
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7597,7 +7617,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7598,7 +7618,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
@ -482,7 +482,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
@@ -7798,7 +7819,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7799,7 +7820,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();
@ -491,7 +491,7 @@ Index: nss/lib/softoken/pkcs11c.c
PORT_Memset(crsrdata, 0, sizeof crsrdata);
crv = CKR_HOST_MEMORY;
break;
@@ -8187,6 +8208,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8188,6 +8209,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
PORT_Assert(i <= sizeof key_block);
}
@ -636,7 +636,20 @@ Index: nss/lib/softoken/fips_algorithms.h
/* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
@@ -88,21 +116,33 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
@@ -79,30 +107,42 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
- { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
/* ------------------------- DSA Operations --------------------------- */

20
nss-fips-fix-missing-nspr.patch
View File

@ -1,7 +1,7 @@
diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
index 3ed1751..56a1a58 100644
--- a/lib/freebl/drbg.c
+++ b/lib/freebl/drbg.c
Index: nss/lib/freebl/drbg.c
===================================================================
--- nss.orig/lib/freebl/drbg.c
+++ nss/lib/freebl/drbg.c
@@ -6,6 +6,8 @@
#include "stubs.h"
#endif
@ -11,7 +11,7 @@ index 3ed1751..56a1a58 100644
#include "prerror.h"
#include "secerr.h"
@@ -182,11 +184,30 @@ prng_initEntropy(void)
@@ -183,11 +185,30 @@ prng_initEntropy(void)
PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
SHA256Context ctx;
@ -42,9 +42,9 @@ index 3ed1751..56a1a58 100644
return PR_FAILURE; /* error is already set */
}
PORT_Assert(length == sizeof(block));
@@ -199,6 +220,9 @@ prng_initEntropy(void)
@@ -200,6 +221,9 @@ prng_initEntropy(void)
sizeof(globalrng->previousEntropyHash));
PORT_Memset(block, 0, sizeof(block));
PORT_SafeZero(block, sizeof(block));
SHA256_DestroyContext(&ctx, PR_FALSE);
+ coRNGInitEntropy.status = PR_SUCCESS;
+ __sync_synchronize ();
@ -52,7 +52,7 @@ index 3ed1751..56a1a58 100644
return PR_SUCCESS;
}
@@ -211,7 +235,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
@@ -212,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t
SHA256Context ctx;
SECStatus rv = SECSuccess;
@ -61,7 +61,7 @@ index 3ed1751..56a1a58 100644
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
@@ -564,10 +588,34 @@ prng_freeRNGContext(RNGContext *rng)
@@ -566,10 +590,34 @@ prng_freeRNGContext(RNGContext *rng)
SECStatus
RNG_RNGInit(void)
{
@ -98,7 +98,7 @@ index 3ed1751..56a1a58 100644
}
/*
@@ -842,7 +890,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
@@ -844,7 +892,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsign
}
/* replicate reseed test from prng_GenerateGlobalRandomBytes */
if (testContext.reseed_counter[0] >= RESEED_VALUE) {

8
nss-fips-gcm-ctr.patch
View File

@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -535,8 +535,14 @@ struct GCMContextStr {
@@ -539,8 +539,14 @@ struct GCMContextStr {
unsigned char tagKey[MAX_BLOCK_SIZE];
PRBool ctr_context_init;
gcmIVContext gcm_iv;
@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
unsigned int ivLen, unsigned int tagBits,
const unsigned char *aad, unsigned int aadLen);
@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
@@ -794,6 +800,8 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c
/* finally mix in the AAD data */
rv = gcmHash_Reset(ghash, aad, aadLen);
if (rv != SECSuccess) {
@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
@@ -895,6 +903,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
return SECFailure;
}
@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
if (UINT_MAX - inlen < tagBytes) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
@@ -923,6 +938,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
*outlen = 0;
return SECFailure;
};

30
nss-fips-pbkdf-kat-compliance.patch
View File

@ -11,27 +11,27 @@ Index: nss/lib/softoken/lowpbe.c
SECStatus
sftk_fips_pbkdf_PowerUpSelfTests(void)
{
@@ -1765,16 +1765,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char iteration_count = 5;
@@ -1766,19 +1766,21 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char keyLen = 64;
char *inKeyData = TEST_KEY;
- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+ static const unsigned char saltData[] = {
static const unsigned char saltData[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
- 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ 0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18,
+ 0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64,
+ 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B,
+ 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22
+ };
+
};
static const unsigned char pbkdf_known_answer[] = {
- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
- 0x73, 0x8c, 0xfa, 0x02, 0xe8, 0xdb, 0x43, 0xe4,
- 0x99, 0xc5, 0xfd, 0xd9, 0x4d, 0x8e, 0x3e, 0x7b,
- 0xc4, 0xda, 0x22, 0x1b, 0xe1, 0xae, 0x23, 0x7a,
- 0x21, 0x27, 0xbd, 0xcc, 0x78, 0xc4, 0xe6, 0xc5,
- 0x33, 0x38, 0x35, 0xe0, 0x68, 0x1a, 0x1e, 0x06,
- 0xad, 0xaf, 0x7f, 0xd7, 0x3f, 0x0e, 0xc0, 0x90,
- 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8,
- 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33
+ 0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70,
+ 0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f,
+ 0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6,
@ -43,7 +43,7 @@ Index: nss/lib/softoken/lowpbe.c
};
sftk_PBELockInit();
@@ -1803,11 +1809,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
@@ -1807,11 +1809,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
* for NSSPKCS5_PBKDF2 */
pbe_params.iter = iteration_count;
pbe_params.keyLen = keyLen;

510
nss-fips-safe-memset.patch
View File

@ -1,510 +0,0 @@
Index: nss/lib/freebl/aeskeywrap.c
===================================================================
--- nss.orig/lib/freebl/aeskeywrap.c
+++ nss/lib/freebl/aeskeywrap.c
@@ -513,7 +513,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_Memcpy(iv + AES_KEY_WRAP_BLOCK_SIZE, input, inputLen);
rv = AES_Encrypt(&cx->aescx, output, pOutputLen, maxOutputLen, iv,
outLen);
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -529,7 +529,7 @@ AESKeyWrap_EncryptKWP(AESKeyWrapContext
PORT_ZFree(newBuf, paddedInputLen);
/* a little overkill, we only need to clear out the length, but this
* is easier to verify we got it all */
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
@@ -632,12 +632,12 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
loser:
/* if we failed, make sure we don't return any data to the user */
if ((rv != SECSuccess) && (output == newBuf)) {
- PORT_Memset(newBuf, 0, paddedLen);
+ PORT_SafeZero(newBuf, paddedLen);
}
/* clear out CSP sensitive data from the heap and stack */
if (allocBuf) {
PORT_ZFree(allocBuf, paddedLen);
}
- PORT_Memset(iv, 0, sizeof(iv));
+ PORT_SafeZero(iv, sizeof(iv));
return rv;
}
Index: nss/lib/freebl/blapii.h
===================================================================
--- nss.orig/lib/freebl/blapii.h
+++ nss/lib/freebl/blapii.h
@@ -113,10 +113,10 @@ PRBool ppc_crypto_support();
#ifdef NSS_FIPS_DISABLED
#define BLAPI_CLEAR_STACK(stack_size)
#else
-#define BLAPI_CLEAR_STACK(stack_size) \
- { \
- volatile char _stkclr[stack_size]; \
- PORT_Memset((void *)&_stkclr[0], 0, stack_size); \
+#define BLAPI_CLEAR_STACK(stack_size) \
+ { \
+ volatile char _stkclr[stack_size]; \
+ PORT_SafeZero((void *)&_stkclr[0], stack_size); \
}
#endif
Index: nss/lib/freebl/drbg.c
===================================================================
--- nss.orig/lib/freebl/drbg.c
+++ nss/lib/freebl/drbg.c
@@ -218,7 +218,7 @@ prng_initEntropy(void)
SHA256_Update(&ctx, block, sizeof(block));
SHA256_End(&ctx, globalrng->previousEntropyHash, NULL,
sizeof(globalrng->previousEntropyHash));
- PORT_Memset(block, 0, sizeof(block));
+ PORT_SafeZero(block, sizeof(block));
SHA256_DestroyContext(&ctx, PR_FALSE);
coRNGInitEntropy.status = PR_SUCCESS;
__sync_synchronize ();
@@ -270,8 +270,8 @@ prng_getEntropy(PRUint8 *buffer, size_t
}
out:
- PORT_Memset(hash, 0, sizeof hash);
- PORT_Memset(block, 0, sizeof block);
+ PORT_SafeZero(hash, sizeof hash);
+ PORT_SafeZero(block, sizeof block);
return rv;
}
@@ -417,8 +417,8 @@ prng_Hashgen(RNGContext *rng, PRUint8 *r
PRNG_ADD_CARRY_ONLY(data, (sizeof data) - 1, carry);
SHA256_DestroyContext(&ctx, PR_FALSE);
}
- PORT_Memset(data, 0, sizeof data);
- PORT_Memset(thisHash, 0, sizeof thisHash);
+ PORT_SafeZero(data, sizeof data);
+ PORT_SafeZero(thisHash, sizeof thisHash);
}
/*
@@ -479,7 +479,7 @@ prng_generateNewBytes(RNGContext *rng,
PRNG_ADD_CARRY_ONLY(rng->reseed_counter, (sizeof rng->reseed_counter) - 1, carry);
/* if the prng failed, don't return any output, signal softoken */
- PORT_Memset(H, 0, sizeof H);
+ PORT_SafeZero(H, sizeof H);
if (!rng->isValid) {
PORT_Memset(returned_bytes, 0, no_of_returned_bytes);
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
Index: nss/lib/freebl/dsa.c
===================================================================
--- nss.orig/lib/freebl/dsa.c
+++ nss/lib/freebl/dsa.c
@@ -471,7 +471,7 @@ dsa_SignDigest(DSAPrivateKey *key, SECIt
err = MP_OKAY;
signature->len = dsa_signature_len;
cleanup:
- PORT_Memset(localDigestData, 0, DSA_MAX_SUBPRIME_LEN);
+ PORT_SafeZero(localDigestData, DSA_MAX_SUBPRIME_LEN);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
@@ -532,7 +532,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt
rv = dsa_SignDigest(key, signature, digest, kSeed);
} while (rv != SECSuccess && PORT_GetError() == SEC_ERROR_NEED_RANDOM &&
--retries > 0);
- PORT_Memset(kSeed, 0, sizeof kSeed);
+ PORT_SafeZero(kSeed, sizeof kSeed);
return rv;
}
@@ -673,7 +673,7 @@ DSA_VerifyDigest(DSAPublicKey *key, cons
verified = SECSuccess; /* Signature verified. */
}
cleanup:
- PORT_Memset(localDigestData, 0, sizeof localDigestData);
+ PORT_SafeZero(localDigestData, sizeof localDigestData);
mp_clear(&p);
mp_clear(&q);
mp_clear(&g);
Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -507,7 +507,7 @@ gcmHash_Final(gcmHashContext *ghash, uns
rv = SECSuccess;
cleanup:
- PORT_Memset(T, 0, sizeof(T));
+ PORT_SafeZero(T, sizeof(T));
return rv;
}
@@ -629,15 +629,15 @@ GCM_CreateContext(void *context, freeblC
if (rv != SECSuccess) {
goto loser;
}
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
gcm->ctr_context_init = PR_TRUE;
return gcm;
loser:
- PORT_Memset(H, 0, AES_BLOCK_SIZE);
+ PORT_SafeZero(H, AES_BLOCK_SIZE);
if (ghash && ghash->mem) {
void *mem = ghash->mem;
- PORT_Memset(ghash, 0, sizeof(gcmHashContext));
+ PORT_SafeZero(ghash, sizeof(gcmHashContext));
PORT_Free(mem);
}
if (gcm) {
@@ -717,11 +717,11 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
return SECSuccess;
loser:
- PORT_Memset(&ctrParams, 0, sizeof ctrParams);
+ PORT_SafeZero(&ctrParams, sizeof ctrParams);
if (freeCtr) {
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
}
@@ -1212,10 +1212,10 @@ GCM_DecryptAEAD(GCMContext *gcm, unsigne
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
CTR_DestroyContext(&gcm->ctr_context, PR_FALSE);
PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
return SECFailure;
}
- PORT_Memset(tag, 0, sizeof(tag));
+ PORT_SafeZero(tag, sizeof(tag));
/* finish the decryption */
rv = CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
inbuf, inlen, AES_BLOCK_SIZE);
Index: nss/lib/freebl/hmacct.c
===================================================================
--- nss.orig/lib/freebl/hmacct.c
+++ nss/lib/freebl/hmacct.c
@@ -274,10 +274,10 @@ MAC(unsigned char *mdOut,
hashObj->end(mdState, mdOut, mdOutLen, mdOutMax);
hashObj->destroy(mdState, PR_TRUE);
- PORT_Memset(lengthBytes, 0, sizeof lengthBytes);
- PORT_Memset(hmacPad, 0, sizeof hmacPad);
- PORT_Memset(firstBlock, 0, sizeof firstBlock);
- PORT_Memset(macOut, 0, sizeof macOut);
+ PORT_SafeZero(lengthBytes, sizeof lengthBytes);
+ PORT_SafeZero(hmacPad, sizeof hmacPad);
+ PORT_SafeZero(firstBlock, sizeof firstBlock);
+ PORT_SafeZero(macOut, sizeof macOut);
return SECSuccess;
}
Index: nss/lib/freebl/intel-gcm-wrap.c
===================================================================
--- nss.orig/lib/freebl/intel-gcm-wrap.c
+++ nss/lib/freebl/intel-gcm-wrap.c
@@ -195,7 +195,7 @@ intel_aes_gcmInitCounter(intel_AES_GCMCo
void
intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(intel_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
Index: nss/lib/freebl/ppc-gcm-wrap.c
===================================================================
--- nss.orig/lib/freebl/ppc-gcm-wrap.c
+++ nss/lib/freebl/ppc-gcm-wrap.c
@@ -169,7 +169,7 @@ ppc_aes_gcmInitCounter(ppc_AES_GCMContex
void
ppc_AES_GCM_DestroyContext(ppc_AES_GCMContext *gcm, PRBool freeit)
{
- PORT_Memset(gcm, 0, sizeof(ppc_AES_GCMContext));
+ PORT_SafeZero(gcm, sizeof(ppc_AES_GCMContext));
if (freeit) {
PORT_Free(gcm);
}
Index: nss/lib/freebl/pqg.c
===================================================================
--- nss.orig/lib/freebl/pqg.c
+++ nss/lib/freebl/pqg.c
@@ -703,7 +703,7 @@ cleanup:
mp_clear(&a);
mp_clear(&z);
mp_clear(&two_length_minus_1);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -859,7 +859,7 @@ cleanup:
mp_clear(&c);
mp_clear(&c0);
mp_clear(&one);
- PORT_Memset(x, 0, sizeof(x));
+ PORT_SafeZero(x, sizeof(x));
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -1072,7 +1072,7 @@ makePfromQandSeed(
CHECK_MPI_OK(mp_sub_d(&c, 1, &c)); /* c -= 1 */
CHECK_MPI_OK(mp_sub(&X, &c, P)); /* P = X - c */
cleanup:
- PORT_Memset(V_j, 0, sizeof V_j);
+ PORT_SafeZero(V_j, sizeof V_j);
mp_clear(&W);
mp_clear(&X);
mp_clear(&c);
@@ -1221,7 +1221,7 @@ makeGfromIndex(HASH_HashType hashtype,
/* step 11.
* return valid G */
cleanup:
- PORT_Memset(data, 0, sizeof(data));
+ PORT_SafeZero(data, sizeof(data));
if (hashcx) {
hashobj->destroy(hashcx, PR_TRUE);
}
Index: nss/lib/freebl/rijndael.c
===================================================================
--- nss.orig/lib/freebl/rijndael.c
+++ nss/lib/freebl/rijndael.c
@@ -1251,7 +1251,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
cx->worker_cx = NULL;
cx->destroy = NULL;
}
- PORT_Memset(cx, 0, sizeof(AESContext));
+ PORT_SafeZero(cx, sizeof(AESContext));
if (freeit) {
PORT_Free(mem);
} else {
Index: nss/lib/freebl/rsa.c
===================================================================
--- nss.orig/lib/freebl/rsa.c
+++ nss/lib/freebl/rsa.c
@@ -145,8 +145,8 @@ rsa_build_from_primes(const mp_int *p, c
/* 2. Compute phi = (p-1)*(q-1) */
CHECK_MPI_OK(mp_sub_d(p, 1, &psub1));
CHECK_MPI_OK(mp_sub_d(q, 1, &qsub1));
+ CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
if (needPublicExponent || needPrivateExponent) {
- CHECK_MPI_OK(mp_lcm(&psub1, &qsub1, &phi));
/* 3. Compute d = e**-1 mod(phi) */
/* or e = d**-1 mod(phi) as necessary */
if (needPublicExponent) {
@@ -180,6 +180,15 @@ rsa_build_from_primes(const mp_int *p, c
goto cleanup;
}
+ /* make sure we weren't passed in a d or e = 1 mod phi */
+ /* just need to check d, because if one is = 1 mod phi, they both are */
+ CHECK_MPI_OK(mp_mod(d, &phi, &tmp));
+ if (mp_cmp_d(&tmp, 2) <= 0) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+ goto cleanup;
+ }
+
/* 4. Compute exponent1 = d mod (p-1) */
CHECK_MPI_OK(mp_mod(d, &psub1, &tmp));
MPINT_TO_SECITEM(&tmp, &key->exponent1, key->arena);
@@ -1251,6 +1260,8 @@ rsa_PrivateKeyOpCRTCheckedPubKey(RSAPriv
/* Perform a public key operation v = m ** e mod n */
CHECK_MPI_OK(mp_exptmod(m, &e, &n, &v));
if (mp_cmp(&v, c) != 0) {
+ /* this error triggers a fips fatal error lock */
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
rv = SECFailure;
}
cleanup:
Index: nss/lib/freebl/rsapkcs.c
===================================================================
--- nss.orig/lib/freebl/rsapkcs.c
+++ nss/lib/freebl/rsapkcs.c
@@ -978,14 +978,14 @@ rsa_GetHMACContext(const SECHashObject *
/* now create the hmac key */
hmac = HMAC_Create(hash, keyHash, keyLen, PR_TRUE);
if (hmac == NULL) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
return NULL;
}
HMAC_Begin(hmac);
HMAC_Update(hmac, input, inputLen);
rv = HMAC_Finish(hmac, keyHash, &keyLen, sizeof(keyHash));
if (rv != SECSuccess) {
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
}
@@ -993,7 +993,7 @@ rsa_GetHMACContext(const SECHashObject *
* reuse the original context allocated above so we don't
* need to allocate and free another one */
rv = HMAC_ReInit(hmac, hash, keyHash, keyLen, PR_TRUE);
- PORT_Memset(keyHash, 0, sizeof(keyHash));
+ PORT_SafeZero(keyHash, sizeof(keyHash));
if (rv != SECSuccess) {
HMAC_Destroy(hmac, PR_TRUE);
return NULL;
@@ -1043,7 +1043,7 @@ rsa_HMACPrf(HMACContext *hmac, const cha
return rv;
}
PORT_Memcpy(output, hmacLast, left);
- PORT_Memset(hmacLast, 0, sizeof(hmacLast));
+ PORT_SafeZero(hmacLast, sizeof(hmacLast));
}
return rv;
}
@@ -1088,7 +1088,7 @@ rsa_GetErrorLength(HMACContext *hmac, in
outLength = PORT_CT_SEL(PORT_CT_LT(candidate, maxLegalLen),
candidate, outLength);
}
- PORT_Memset(out, 0, sizeof(out));
+ PORT_SafeZero(out, sizeof(out));
return outLength;
}
Index: nss/lib/freebl/shvfy.c
===================================================================
--- nss.orig/lib/freebl/shvfy.c
+++ nss/lib/freebl/shvfy.c
@@ -365,7 +365,7 @@ blapi_SHVerifyDSACheck(PRFileDesc *shFD,
/* verify the hash against the check file */
rv = DSA_VerifyDigest(key, signature, &hash);
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return (rv == SECSuccess) ? PR_TRUE : PR_FALSE;
}
#endif
@@ -427,7 +427,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
if (rv == SECSuccess) {
result = SECITEM_ItemsAreEqual(signature, &hash);
}
- PORT_Memset(hashBuf, 0, sizeof hashBuf);
+ PORT_SafeZero(hashBuf, sizeof hashBuf);
return result;
}
@@ -451,7 +451,7 @@ blapi_SHVerifyFile(const char *shName, P
#ifndef NSS_STRICT_INTEGRITY
DSAPublicKey key;
- PORT_Memset(&key, 0, sizeof(key));
+ PORT_SafeZero(&key, sizeof(key));
#endif
/* If our integrity check was never ran or failed, fail any other
@@ -600,7 +600,7 @@ blapi_SHVerifyFile(const char *shName, P
shFD = NULL;
loser:
- PORT_Memset(&header, 0, sizeof header);
+ PORT_SafeZero(&header, sizeof header);
if (checkName != NULL) {
PORT_Free(checkName);
}
Index: nss/lib/freebl/tlsprfalg.c
===================================================================
--- nss.orig/lib/freebl/tlsprfalg.c
+++ nss/lib/freebl/tlsprfalg.c
@@ -82,8 +82,8 @@ loser:
/* clear out state so it's not left on the stack */
if (cx)
HMAC_Destroy(cx, PR_TRUE);
- PORT_Memset(state, 0, sizeof(state));
- PORT_Memset(outbuf, 0, sizeof(outbuf));
+ PORT_SafeZero(state, sizeof(state));
+ PORT_SafeZero(outbuf, sizeof(outbuf));
return rv;
}
Index: nss/lib/freebl/unix_urandom.c
===================================================================
--- nss.orig/lib/freebl/unix_urandom.c
+++ nss/lib/freebl/unix_urandom.c
@@ -22,7 +22,7 @@ RNG_SystemInfoForRNG(void)
return;
}
RNG_RandomUpdate(bytes, numBytes);
- PORT_Memset(bytes, 0, sizeof bytes);
+ PORT_SafeZero(bytes, sizeof bytes);
}
size_t
Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -5105,7 +5105,7 @@ pairwise_signverify_mech (CK_SESSION_HAN
if ((signature_length >= pairwise_digest_length) &&
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
PORT_Free(signature);
- return CKR_DEVICE_ERROR;
+ return CKR_GENERAL_ERROR;
}
/* Verify the known hash using the public key. */
Index: nss/lib/util/secport.h
===================================================================
--- nss.orig/lib/util/secport.h
+++ nss/lib/util/secport.h
@@ -36,6 +36,9 @@
#include <sys/types.h>
#include <ctype.h>
+/* ask for Annex K for memset_s. will set the appropriate #define
+ * if Annex K is supported */
+#define __STDC_WANT_LIB_EXT1__ 1
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
@@ -178,6 +181,39 @@ SEC_END_PROTOS
#define PORT_Memmove memmove
#define PORT_Memset memset
+/* there are cases where the compiler optimizes away our attempt to clear
+ * out our stack variables. There are multiple solutions for this problem,
+ * but they aren't universally accepted on all platforms. This attempts
+ * to select the best solution available given our os, compilier, and libc */
+#ifdef __STDC_LIB_EXT1__
+/* if the os implements C11 annex K, use memset_s */
+#define PORT_SafeZero(p, n) memset_s(p, n, 0, n)
+#else
+#ifdef XP_WIN
+/* windows has a secure zero funtion */
+#define PORT_SafeZero(p, n) SecureZeroMemory(p, n)
+#else
+/* _DEFAULT_SORUCE == BSD source in GCC based environments
+ * if other environmens support explicit_bzero, their defines
+ * should be added here */
+#if defined(_DEFAULT_SOURCE) || defined(_BSD_SOURCE)
+#define PORT_SafeZero(p, n) explicit_bzero(p, n)
+#else
+/* if the os doesn't support one of the above, but does support
+ * memset_explicit, you can add the definition for memset with the
+ * appropriate define check here */
+/* define an explicitly implementated Safe zero if the OS
+ * doesn't provide one */
+#define PORT_SafeZero(p, n) \
+ if (p != NULL) { \
+ volatile unsigned char *__vl = (unsigned char *)p; \
+ size_t __nl = n; \
+ while (__nl--) *__vl++ = 0; \
+ }
+#endif /* no explicit_bzero */
+#endif /* no windows SecureZeroMemory */
+#endif /* no memset_s */
+
#define PORT_Strcasecmp PL_strcasecmp
#define PORT_Strcat strcat
#define PORT_Strchr strchr

45
nss-fips-zeroization.patch
View File

@ -107,7 +107,7 @@ Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
@@ -166,6 +166,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r
*r_high = (uint64_t)(r >> 64);
*r_low = (uint64_t)r;
@ -117,7 +117,7 @@ Index: nss/lib/freebl/gcm.c
}
SECStatus
@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
@@ -204,6 +207,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash,
}
ghash->x_low = ci_low;
ghash->x_high = ci_high;
@ -130,7 +130,7 @@ Index: nss/lib/freebl/gcm.c
return SECSuccess;
}
#else
@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
@@ -243,6 +252,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t
z = z0 | z1 | z2 | z3;
*r_high = (uint32_t)(z >> 32);
*r_low = (uint32_t)z;
@ -141,7 +141,7 @@ Index: nss/lib/freebl/gcm.c
}
SECStatus
@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
@@ -328,6 +341,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas
ghash->x_high = z_high_h;
ghash->x_low = z_high_l;
}
@ -162,40 +162,3 @@ Index: nss/lib/freebl/gcm.c
return SECSuccess;
}
#endif /* HAVE_INT128_SUPPORT */
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
/* verify the block */
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
if (rv != SECSuccess) {
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
}
rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE);
if (rv != SECSuccess) {
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
}
/* Don't decrypt if we can't authenticate the encrypted data!
* This assumes that if tagBits is not a multiple of 8, intag will
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
PORT_SetError(SEC_ERROR_BAD_DATA);
- PORT_Memset(tag, 0, sizeof(tag));
- return SECFailure;
+ rv = SECFailure;
+ goto cleanup;
}
+cleanup:
+ tagBytes = 0;
PORT_Memset(tag, 0, sizeof(tag));
+ intag = NULL;
+ len = 0;
+ if (rv != SECSuccess) {
+ return rv;
+ }
+
/* finish the decryption */
return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
inbuf, inlen, AES_BLOCK_SIZE);