mozilla-nss/nss-fips-cavs-dsa-fixes.patch
Wolfgang Rosenauer b91ce5d4d5 - update to NSS 3.104
* bmo#1910071 - Copy original corpus to heap-allocated buffer
  * bmo#1910079 - Fix min ssl version for DTLS client fuzzer
  * bmo#1908990 - Remove OS2 support just like we did on NSPR
  * bmo#1910605 - clang-format NSS improvements
  * bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
  * bmo#1908990 - removing dirent.c from build
  * bmo#1902078 - Allow handing in keymaterial to shlibsign to make
                  the output reproducible
  * bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
  * bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
                  openunix, sco, unixware or reliantUnix
  * bmo#1908990 - remove mentions of WIN95
  * bmo#1908990 - remove mentions of WIN16
  * bmo#1913750 - More explicit directory naming
  * bmo#1913755 - Add more options to TLS server fuzz target
  * bmo#1913675 - Add more options to TLS client fuzz target
  * bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
  * bmo#1908012 - set nssckbi version number to 2.70.
  * bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
  * bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
  * bmo#1908006 - Add Cybertrust Japan Roots to NSS.
  * bmo#1908004 - Add Taiwan CA Roots to NSS.
  * bmo#1911354 - remove search by decoded serial in
                  nssToken_FindCertificateByIssuerAndSerialNumber
  * bmo#1913132 - Fix tstclnt CI build failure
  * bmo#1913047 - vfyserv: ensure peer cert chain is in db for
                  CERT_VerifyCertificateNow
  * bmo#1912427 - Enable all supported protocol versions for UDP
  * bmo#1910361 - Actually use random PSK hash type

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=457
2024-09-28 11:15:50 +00:00

207 lines
7.9 KiB
Diff

# HG changeset patch
# User Hans Petter Jansson <hpj@cl.no>
# Date 1574237264 -3600
# Wed Nov 20 09:07:44 2019 +0100
# Node ID 0e904e6179d1db21965df2c405c80c3fc0258658
# Parent 969310ea4c573aac64bf08846b8938b8fa783870
[PATCH] 24
From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001
---
nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
1 file changed, 101 insertions(+), 11 deletions(-)
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -5575,7 +5575,7 @@ loser:
void
dsa_pqggen_test(char *reqfn)
{
- char buf[800]; /* holds one line from the input REQUEST file
+ char buf[2048]; /* holds one line from the input REQUEST file
* or to the output RESPONSE file.
* 800 to hold seed = (384 public key (x2 for HEX)
*/
@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
PQGVerify *vfy = NULL;
unsigned int keySizeIndex = 0;
dsa_pqg_type type = FIPS186_1;
+ SECItem P = { 0, 0, 0 };
+ SECItem Q = { 0, 0, 0 };
+ SECItem firstseed = { 0, 0, 0 };
+ SECItem pseed = { 0, 0, 0 };
+ SECItem qseed = { 0, 0, 0 };
+ SECItem index = { 0, 0, 0 };
+ HASH_HashType hashtype = HASH_AlgNULL;
dsareq = fopen(reqfn, "r");
dsaresp = stdout;
@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn)
output_g = 1;
exit(1);
} else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
- fprintf(stderr, "NSS only Generates G with P&Q\n");
- exit(1);
+ type = A_2_3;
+ output_g = 1;
} else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
type = A_1_2_1;
output_g = 0;
@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn)
/* [Mod = ... ] */
if (buf[0] == '[') {
+ int hashbits;
if (type == FIPS186_1) {
N = 160;
if (sscanf(buf, "[mod = %d]", &L) != 1) {
goto loser;
}
- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
+ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) {
goto loser;
+ } else {
+ hashtype = sha_get_hashType (hashbits);
}
fputs(buf, dsaresp);
@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn)
continue;
}
/* N = ... */
- if (buf[0] == 'N') {
+ if (buf[0] == 'N' && type != A_2_3) {
if (strncmp(buf, "Num", 3) == 0) {
if (sscanf(buf, "Num = %d", &count) != 1) {
goto loser;
@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn)
rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
&pqg, &vfy);
} else {
- rv = PQG_ParamGenV2(L, N, N, &pqg, &vfy);
+ if (firstseed.data)
+ SECITEM_ZfreeItem(&firstseed, PR_FALSE);
+
+ rv = FREEBL_Test_PQG_ParamGenV2_p(L, N, 0, &pqg, &vfy, &firstseed, hashtype);
}
if (rv != SECSuccess) {
fprintf(dsaresp,
@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn)
fprintf(dsaresp, "P = %s\n", buf);
to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
fprintf(dsaresp, "Q = %s\n", buf);
+ if (firstseed.data) {
+ to_hex_str(buf, firstseed.data, firstseed.len);
+ fprintf(dsaresp, "firstseed = %s\n", buf);
+ }
if (output_g) {
to_hex_str(buf, pqg->base.data, pqg->base.len);
fprintf(dsaresp, "G = %s\n", buf);
@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn)
}
fprintf(dsaresp, "%s\n", buf);
} else {
- unsigned int seedlen = vfy->seed.len / 2;
- unsigned int pgen_counter = vfy->counter >> 16;
- unsigned int qgen_counter = vfy->counter & 0xffff;
+ unsigned int seedlen = (vfy->seed.len - firstseed.len) / 2;
+ unsigned int pgen_counter = vfy->counter & 0xffff;
+ unsigned int qgen_counter = vfy->counter >> 16;
/*fprintf(dsaresp, "index = %02x\n", vfy->h.data[0]); */
- to_hex_str(buf, vfy->seed.data, seedlen);
+ to_hex_str(buf, vfy->seed.data + firstseed.len, seedlen);
fprintf(dsaresp, "pseed = %s\n", buf);
- to_hex_str(buf, vfy->seed.data + seedlen, seedlen);
+ to_hex_str(buf, vfy->seed.data + firstseed.len + seedlen, seedlen);
fprintf(dsaresp, "qseed = %s\n", buf);
fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn)
vfy = NULL;
}
}
+ continue;
+ }
+
+ if (parse_secitem ("P", buf, &P)) {
+ fputs(buf, dsaresp);
+ continue;
+ }
+ if (parse_secitem ("Q", buf, &Q)) {
+ fputs(buf, dsaresp);
+ continue;
+ }
+ if (parse_secitem ("firstseed", buf, &firstseed)) {
+ fputs(buf, dsaresp);
+ continue;
+ }
+ if (parse_secitem ("pseed", buf, &pseed)) {
+ fputs(buf, dsaresp);
+ continue;
+ }
+ if (parse_secitem ("qseed", buf, &qseed)) {
+ fputs(buf, dsaresp);
+ continue;
+ }
+ if (parse_secitem ("index", buf, &index) && type == A_2_3) {
+ SECStatus rv;
+ PLArenaPool *arena;
+
+ fputs(buf, dsaresp);
+
+ arena = PORT_NewArena (NSS_FREEBL_DEFAULT_CHUNKSIZE);
+ pqg = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams));
+ pqg->arena = arena;
+
+ arena = PORT_NewArena (NSS_FREEBL_DEFAULT_CHUNKSIZE);
+ vfy = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify));
+ vfy->arena = arena;
+
+ SECITEM_CopyItem(pqg->arena, &pqg->prime, &P);
+ SECITEM_CopyItem(pqg->arena, &pqg->subPrime, &Q);
+
+ SECITEM_AllocItem(vfy->arena, &vfy->seed, firstseed.len + pseed.len + qseed.len);
+ memcpy (vfy->seed.data, firstseed.data, firstseed.len);
+ memcpy (vfy->seed.data + firstseed.len, pseed.data, pseed.len);
+ memcpy (vfy->seed.data + firstseed.len + pseed.len, qseed.data, qseed.len);
+
+ SECITEM_AllocItem(vfy->arena, &vfy->h, 1);
+ vfy->h.data [0] = index.data [0];
+
+ rv = FREEBL_Test_PQG_ParamGenV2_p(L, N, 0, &pqg, &vfy, &firstseed, hashtype);
+ if (rv != SECSuccess) {
+ fprintf(dsaresp,
+ "ERROR: Unable to verify PQG parameters");
+ goto loser;
+ }
+
+ to_hex_str(buf, pqg->base.data, pqg->base.len);
+ fprintf(dsaresp, "G = %s\n\n", buf);
+ PQG_DestroyParams(pqg);
+ pqg = NULL;
+ PQG_DestroyVerify(vfy);
+ vfy = NULL;
continue;
}
}
loser:
fclose(dsareq);
+ if (P.data)
+ SECITEM_ZfreeItem(&P, PR_FALSE);
+ if (Q.data)
+ SECITEM_ZfreeItem(&Q, PR_FALSE);
+ if (firstseed.data)
+ SECITEM_ZfreeItem(&firstseed, PR_FALSE);
+ if (pseed.data)
+ SECITEM_ZfreeItem(&pseed, PR_FALSE);
+ if (qseed.data)
+ SECITEM_ZfreeItem(&qseed, PR_FALSE);
+ if (index.data)
+ SECITEM_ZfreeItem(&index, PR_FALSE);
if (pqg != NULL) {
PQG_DestroyParams(pqg);
}