import nss-3.101.0-7.el8_8

i8c changed/i8c/nss-3.101.0-7.el8_8
MSVSphere Packaging Team 3 months ago
parent 5e17bcdd66
commit 476a951817
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

3
.gitignore vendored

@ -1,7 +1,6 @@
SOURCES/NameConstraints_Certs.tar
SOURCES/blank-cert8.db
SOURCES/blank-cert9.db
SOURCES/blank-key3.db
SOURCES/blank-key4.db
SOURCES/blank-secmod.db
SOURCES/nss-3.90.tar.gz
SOURCES/nss-3.101.tar.gz

@ -1,7 +1,6 @@
39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz

@ -1,949 +0,0 @@
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
--- a/lib/freebl/mpi/mpi-priv.h
+++ b/lib/freebl/mpi/mpi-priv.h
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
mp_digit b, mp_digit *c);
#endif
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
mp_size a_len, mp_digit b,
mp_digit *c);
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
+ mp_size a_len, mp_digit b,
+ mp_digit *c, mp_size c_len);
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
mp_size a_len,
mp_digit *sqrs);
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
mp_digit divisor, mp_digit *quot, mp_digit *rem);
/* c += a * b * (MP_RADIX ** offset); */
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
--- a/lib/freebl/mpi/mpi.c
+++ b/lib/freebl/mpi/mpi.c
@@ -5,16 +5,18 @@
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "mpi-priv.h"
#include "mplogic.h"
+#include <assert.h>
+
#if defined(__arm__) && \
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
#undef MP_ASSEMBLY_MULTIPLY
#undef MP_ASSEMBLY_SQUARE
#endif
#if MP_LOGTAB
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
CLEANUP:
return res;
} /* end mp_sub() */
/* }}} */
-/* {{{ mp_mul(a, b, c) */
+/* {{{ s_mp_mulg(a, b, c) */
/*
- mp_mul(a, b, c)
-
- Compute c = a * b. All parameters may be identical.
+ s_mp_mulg(a, b, c)
+
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
+ then the operations are done in constant time. The original is mostly
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
+ of the x86 assembler, as well as the current c code.
*/
mp_err
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
{
mp_digit *pb;
mp_int tmp;
mp_err res;
mp_size ib;
mp_size useda, usedb;
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
}
MP_USED(c) = 1;
MP_DIGIT(c, 0) = 0;
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
goto CLEANUP;
#ifdef NSS_USE_COMBA
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
+ /* comba isn't constant time because it clamps! If we cared
+ * (we needed a constant time version of multiply that was 'faster'
+ * we could easily pass constantTime down to the comba code and
+ * get it to skip the clamp... but here are assembler versions
+ * which add comba to platforms that can't compile the normal
+ * comba's imbedded assembler which would also need to change, so
+ * for now we just skip comba when we are running constant time. */
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
if (MP_USED(a) == 4) {
s_mp_mul_comba_4(a, b, c);
goto CLEANUP;
}
if (MP_USED(a) == 8) {
s_mp_mul_comba_8(a, b, c);
goto CLEANUP;
}
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
/* Outer loop: Digits of b */
useda = MP_USED(a);
usedb = MP_USED(b);
for (ib = 1; ib < usedb; ib++) {
mp_digit b_i = *pb++;
/* Inner product: Digits of a */
- if (b_i)
+ if (constantTime || b_i)
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
else
MP_DIGIT(c, ib + useda) = b_i;
}
- s_mp_clamp(c);
+ if (!constantTime) {
+ s_mp_clamp(c);
+ }
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
SIGN(c) = ZPOS;
else
SIGN(c) = NEG;
CLEANUP:
mp_clear(&tmp);
return res;
+} /* end smp_mulg() */
+
+/* }}} */
+
+/* {{{ mp_mul(a, b, c) */
+
+/*
+ mp_mul(a, b, c)
+
+ Compute c = a * b. All parameters may be identical.
+ */
+
+mp_err
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
+{
+ return s_mp_mulg(a, b, c, 0);
} /* end mp_mul() */
/* }}} */
+/* {{{ mp_mulCT(a, b, c) */
+
+/*
+ mp_mulCT(a, b, c)
+
+ Compute c = a * b. In constant time. Parameters may not be identical.
+ NOTE: a and b may be modified.
+ */
+
+mp_err
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
+{
+ mp_err res;
+
+ /* make the multiply values fixed length so multiply
+ * doesn't leak the length. at this point all the
+ * values are blinded, but once we finish we want the
+ * output size to be hidden (so no clamping the out put) */
+ MP_CHECKOK(s_mp_pad(a, setSize));
+ MP_CHECKOK(s_mp_pad(b, setSize));
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
+CLEANUP:
+ return res;
+} /* end mp_mulCT() */
+
+/* }}} */
+
/* {{{ mp_sqr(a, sqr) */
#if MP_SQUARE
/*
Computes the square of a. This can be done more
efficiently than a general multiplication, because many of the
computation steps are redundant when squaring. The inner product
step is a bit more complicated, but we save a fair number of
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
}
return MP_OKAY;
} /* end mp_mod() */
/* }}} */
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
+
+/*
+ s_mp_subCT_d(a, b, borrow, c)
+
+ Compute c = (a -b) - subtract in constant time. returns borrow
+ */
+mp_digit
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
+ mp_digit borrow1, borrow2, t;
+#ifdef MP_COMPILER_USES_CARRY
+ /* while it doesn't look constant-time, this is idiomatic code
+ * to tell compilers to use the carry bit from subtraction */
+ t = a - borrow;
+ if (t > a) {
+ borrow1 = 1;
+ } else {
+ borrow1 = 0;
+ }
+ *ret = t - b;
+ if (*ret > t) {
+ borrow2 = 1;
+ } else {
+ borrow2 = 0;
+ }
+#else
+ mp_digit bitr, bitb, nbitt;
+ /* this is constant time independent of compilier */
+ t = a - borrow;
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
+ *ret = t - b;
+ bitb = b >> (MP_DIGIT_BIT-1);
+ bitr = *ret >> (MP_DIGIT_BIT-1);
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
+#endif
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
+ * the overall borrow is 1, so use | here */
+ return borrow1 | borrow2;
+} /* s_mp_subCT_d() */
+
+/* }}} */
+
+/* {{{ mp_subCT(a, b, ret, borrow) */
+
+/* return ret= a - b and borrow in borrow. done in constant time.
+ * b could be modified.
+ */
+mp_err
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
+{
+ mp_size used_a = MP_USED(a);
+ mp_size i;
+ mp_err res;
+
+ MP_CHECKOK(s_mp_pad(b, used_a));
+ MP_CHECKOK(s_mp_pad(ret, used_a));
+ *borrow = 0;
+ for (i=0; i < used_a; i++) {
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
+ &MP_DIGIT(ret,i));
+ }
+
+ res = MP_OKAY;
+CLEANUP:
+ return res;
+} /* end mp_subCT() */
+
+/* }}} */
+
+/* {{{ mp_selectCT(cond, a, b, ret) */
+
+/*
+ * return ret= cond ? a : b; cond should be either 0 or 1
+ */
+mp_err
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
+{
+ mp_size used_a = MP_USED(a);
+ mp_err res;
+ mp_size i;
+
+ cond *= MP_DIGIT_MAX;
+
+ /* we currently require these to be equal on input,
+ * we could use pad to extend one of them, but that might
+ * leak data as it wouldn't be constant time */
+ assert(used_a == MP_USED(b));
+
+ MP_CHECKOK(s_mp_pad(ret, used_a));
+ for (i=0; i < used_a; i++) {
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
+ }
+ res = MP_OKAY;
+CLEANUP:
+ return res;
+} /* end mp_selectCT() */
+
+
+/* {{{ mp_reduceCT(a, m, c) */
+
+/*
+ mp_reduceCT(a, m, c)
+
+ Compute c = aR^-1 (mod m) in constant time.
+ input should be in montgomery form. If input is the
+ result of a montgomery multiply then out put will be
+ in mongomery form.
+ Result will be reduced to MP_USED(m), but not be
+ clamped.
+ */
+
+mp_err
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
+{
+ mp_size used_m = MP_USED(m);
+ mp_size used_c = used_m*2+1;
+ mp_digit *m_digits, *c_digits;
+ mp_size i;
+ mp_digit borrow, carry;
+ mp_err res;
+ mp_int sub;
+
+ MP_DIGITS(&sub) = 0;
+ MP_CHECKOK(mp_init_size(&sub,used_m));
+
+ if (a != c) {
+ MP_CHECKOK(mp_copy(a, c));
+ }
+ MP_CHECKOK(s_mp_pad(c, used_c));
+ m_digits = MP_DIGITS(m);
+ c_digits = MP_DIGITS(c);
+ for (i=0; i < used_m; i++) {
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
+ }
+ s_mp_rshd(c, used_m);
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
+ * from the previous multiply, save that carry and drop the high
+ * word for the substraction below */
+ carry = MP_DIGIT(c,used_m);
+ MP_DIGIT(c,used_m) = 0;
+ MP_USED(c) = used_m;
+ /* mp_subCT wants c and m to be the same size, we've already
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
+ * modify m, so it's safe to recast */
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
+
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
+ res = MP_OKAY;
+CLEANUP:
+ mp_clear(&sub);
+ return res;
+} /* end mp_reduceCT() */
+
+/* }}} */
+
/* {{{ mp_mod_d(a, d, c) */
/*
mp_mod_d(a, d, c)
Compute c = a (mod d). Result will always be 0 <= c < d
*/
mp_err
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
if ((res = mp_mod(c, m, c)) != MP_OKAY)
return res;
return MP_OKAY;
}
/* }}} */
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
+
+/*
+ mp_mulmontmodCT(a, b, m, c)
+
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
+ should be in montgomery form and the output is native. If both a and b
+ are in montgomery form, then the output will also be in montgomery form
+ and can be recovered with an mp_reduceCT call.
+ NOTE: a and b may be modified.
+ */
+
+mp_err
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
+ mp_int *c)
+{
+ mp_err res;
+
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
+
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
+ return res;
+
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
+ return res;
+
+ return MP_OKAY;
+}
+
+/* }}} */
+
/* {{{ mp_sqrmod(a, m, c) */
#if MP_SQUARE
mp_err
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
{
mp_err res;
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
{ \
mp_digit a0b1, a1b0; \
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
a1b0 += a0b1; \
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
- if (a1b0 < a0b1) \
- Phi += MP_HALF_RADIX; \
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
a1b0 <<= MP_HALF_DIGIT_BIT; \
Plo += a1b0; \
- if (Plo < a1b0) \
- ++Phi; \
+ Phi += MP_CT_LTU(Plo, a1b0); \
}
#endif
+/* Constant time version of s_mpv_mul_d_add_prop.
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
+/* c += a * b */
+void
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
+ mp_digit *c, mp_size c_len)
+{
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
+ mp_digit d = 0;
+
+ c_len -= a_len;
+ /* Inner product: Digits of a */
+ while (a_len--) {
+ mp_word w = ((mp_word)b * *a++) + *c + d;
+ *c++ = ACCUM(w);
+ d = CARRYOUT(w);
+ }
+
+ /* propagate the carry to the end, even if carry is zero */
+ while (c_len--) {
+ mp_word w = (mp_word)*c + d;
+ *c++ = ACCUM(w);
+ d = CARRYOUT(w);
+ }
+#else
+ mp_digit carry = 0;
+ c_len -= a_len;
+ while (a_len--) {
+ mp_digit a_i = *a++;
+ mp_digit a0b0, a1b1;
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
+
+ a0b0 += carry;
+ a1b1 += MP_CT_LTU(a0b0, carry);
+ a0b0 += a_i = *c;
+ a1b1 += MP_CT_LTU(a0b0, a_i);
+
+ *c++ = a0b0;
+ carry = a1b1;
+ }
+ /* propagate the carry to the end, even if carry is zero */
+ while (c_len--) {
+ mp_digit c_i = *c;
+ carry += c_i;
+ *c++ = carry;
+ carry = MP_CT_LTU(carry, c_i);
+ }
+#endif
+}
+
#if !defined(MP_ASSEMBLY_MULTIPLY)
/* c = a * b */
void
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
{
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
mp_digit d = 0;
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
mp_digit carry = 0;
while (a_len--) {
mp_digit a_i = *a++;
mp_digit a0b0, a1b1;
MP_MUL_DxD(a_i, b, a1b1, a0b0);
a0b0 += carry;
- if (a0b0 < carry)
- ++a1b1;
+ a1b1 += a0b0 < carry;
*c++ = a0b0;
carry = a1b1;
}
*c = carry;
#endif
}
/* c += a * b */
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
mp_digit carry = 0;
while (a_len--) {
mp_digit a_i = *a++;
mp_digit a0b0, a1b1;
MP_MUL_DxD(a_i, b, a1b1, a0b0);
a0b0 += carry;
- if (a0b0 < carry)
- ++a1b1;
+ a1b1 += (a0b0 < carry);
a0b0 += a_i = *c;
- if (a0b0 < a_i)
- ++a1b1;
+ a1b1 += (a0b0 < a_i);
*c++ = a0b0;
carry = a1b1;
}
*c = carry;
#endif
}
/* Presently, this is only used by the Montgomery arithmetic code. */
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
--- a/lib/freebl/mpi/mpi.h
+++ b/lib/freebl/mpi/mpi.h
@@ -145,16 +145,54 @@ typedef int mp_sword;
#define MP_USED(MP) ((MP)->used)
#define MP_ALLOC(MP) ((MP)->alloc)
#define MP_DIGITS(MP) ((MP)->dp)
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
/* This defines the maximum I/O base (minimum is 2) */
#define MP_MAX_RADIX 64
+/* Constant Time Macros on mp_digits */
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
+
+/* basic zero and non zero tests */
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
+
+
+/* basic constant-time helper macro for equalities and inequalities.
+ * The inequalities will produce incorrect results if
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
+ * within the range 0-MP_DIGIT_MAX/2. */
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
+#define MP_CT_TRUE ((mp_digit)1)
+#define MP_CT_FALSE ((mp_digit)0)
+
+/* use constant time result to select a boolean value */
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
+
+/* full inequalities that work with full mp_digit values */
+#define MP_CT_OVERFLOW(a,b,c,d) \
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
+ (MP_CT_HIGH_TO_LOW(d)),c)
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
+
+
typedef struct {
mp_sign sign; /* sign of this quantity */
mp_size alloc; /* how many digits allocated */
mp_size used; /* how many digits used */
mp_digit *dp; /* the digits themselves */
} mp_int;
/* Default precision */
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
/* Sign manipulations */
mp_err mp_abs(const mp_int *a, mp_int *b);
mp_err mp_neg(const mp_int *a, mp_int *b);
/* Full arithmetic */
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
#if MP_SQUARE
mp_err mp_sqr(const mp_int *a, mp_int *b);
#else
#define mp_sqr(a, b) mp_mul(a, a, b)
#endif
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
#else
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
#endif
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
#endif /* MP_MODARITH */
+/* montgomery math */
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
+
/* Comparisons */
int mp_cmp_z(const mp_int *a);
int mp_cmp_d(const mp_int *a, mp_digit d);
int mp_cmp(const mp_int *a, const mp_int *b);
int mp_cmp_mag(const mp_int *a, const mp_int *b);
int mp_isodd(const mp_int *a);
int mp_iseven(const mp_int *a);
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
/* Number theoretic */
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
--- a/lib/freebl/mpi/mpmontg.c
+++ b/lib/freebl/mpi/mpmontg.c
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
}
res = MP_OKAY;
CLEANUP:
return res;
}
#endif
-STATIC
mp_err
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
{
mp_err res;
/* xMont = x * R mod N where N is modulus */
- MP_CHECKOK(mp_copy(x, xMont));
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
+ if (x != xMont) {
+ MP_CHECKOK(mp_copy(x, xMont));
+ }
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
CLEANUP:
return res;
}
+mp_digit
+mp_calculate_mont_n0i(const mp_int *N)
+{
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
+}
+
#ifdef MP_USING_MONT_MULF
/* the floating point multiply is already cache safe,
* don't turn on cache safe unless we specifically
* force it */
#ifndef MP_FORCE_CACHE_SAFE
#undef MP_USING_CACHE_SAFE_MOD_EXP
#endif
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
MP_DIGITS(&accum1) = 0;
for (i = 0; i < MAX_ODD_INTS; ++i)
oddPowers[i] = 0;
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
MP_CHECKOK(s_mp_pad(&accum1, nLen));
oddPowSize = 2 * nLen + 1;
dTmpSize = 2 * oddPowSize;
dSize = sizeof(double) * (nLen * 4 + 1 +
((odd_ints + 1) * oddPowSize) + dTmpSize);
dBuf = malloc(dSize);
if (!dBuf) {
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
for (i = 1; i < odd_ints; ++i) {
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
}
/* set accumulator to montgomery residue of 1 */
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
pa1 = &accum1;
pa2 = &accum2;
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
mp_size smallExp;
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
smallExp = (mp_size)res;
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
/* build the first WEAVE_WORD powers inline */
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
if (num_powers > 2) {
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
mp_set(&accum[0], 1);
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
MP_CHECKOK(mp_copy(montBase, &accum[1]));
SQR(montBase, &accum[2]);
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
if (!powersArray) {
res = MP_MEM;
goto CLEANUP;
}
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
if (first_window < 4) {
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
first_window = num_powers;
}
} else {
if (first_window == 0) {
mp_set(&accum1, 1);
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
} else {
/* assert first_window == 1? */
MP_CHECKOK(mp_copy(montBase, &accum1));
}
}
/*
* calculate all the powers in the powers array.
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
nLen = MP_USED(modulus);
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
mmm.N = *modulus; /* a copy of the mp_int struct */
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
** where n0 = least significant mp_digit of N, the modulus.
*/
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
bits_in_exponent = mpl_significant_bits(exponent);
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
if (mp_using_cache_safe_exp) {
if (bits_in_exponent > 780)
window_bits = 6;
else if (bits_in_exponent > 256)
window_bits = 5;
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
--- a/lib/freebl/rsa.c
+++ b/lib/freebl/rsa.c
@@ -65,16 +65,18 @@ struct blindingParamsStr {
** the Handbook of Applied Cryptography, 11.118-11.119.
*/
struct RSABlindingParamsStr {
/* Blinding-specific parameters */
PRCList link; /* link to list of structs */
SECItem modulus; /* list element "key" */
blindingParams *free, *bp; /* Blinding parameters queue */
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
+ /* precalculate montegomery reduction value */
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
};
typedef struct RSABlindingParamsStr RSABlindingParams;
/*
** RSABlindingParamsListStr
**
** List of key-specific blinding params. The arena holds the volatile pool
** of memory for each entry and the list itself. The lock is for list
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
/* k < n */
CHECK_MPI_OK(mp_mod(&k, n, &k));
/* f = k**e mod n */
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
/* g = k**-1 mod n */
CHECK_MPI_OK(mp_invmod(&k, n, g));
+ /* g in montgomery form.. */
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
cleanup:
if (kb)
PORT_ZFree(kb, modLen);
mp_clear(&k);
mp_clear(&e);
if (err) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
* of rsabp->array pointer and must be set to NULL
*/
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
bp = rsabp->array;
rsabp->bp = NULL;
rsabp->free = bp;
+ /* precalculate montgomery reduction parameter */
+ rsabp->n0i = mp_calculate_mont_n0i(n);
+
/* List elements are keyed using the modulus */
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
}
static SECStatus
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
- mp_int *f, mp_int *g)
+ mp_int *f, mp_int *g, mp_digit *n0i)
{
RSABlindingParams *rsabp = NULL;
blindingParams *bpUnlinked = NULL;
blindingParams *bp;
PRCList *el;
SECStatus rv = SECSuccess;
mp_err err = MP_OKAY;
int cmp = -1;
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
** head (since el would have looped back to the head).
*/
PR_INSERT_BEFORE(&rsabp->link, el);
}
/* We've found (or created) the RSAblindingParams struct for this key.
* Now, search its list of ready blinding params for a usable one.
*/
+ *n0i = rsabp->n0i;
while (0 != (bp = rsabp->bp)) {
#ifdef UNSAFE_FUZZER_MODE
/* Found a match and there are still remaining uses left */
/* Return the parameters */
CHECK_MPI_OK(mp_copy(&bp->f, f));
CHECK_MPI_OK(mp_copy(&bp->g, g));
PZ_Unlock(blindingParamsList.lock);
@@ -1426,16 +1434,17 @@ cleanup:
rsabp->free = bp;
}
if (holdingLock) {
PZ_Unlock(blindingParamsList.lock);
}
if (err) {
MP_TO_SEC_ERROR(err);
}
+ *n0i = 0;
return SECFailure;
}
/*
** Perform a raw private-key operation
** Length of input and output buffers are equal to key's modulus len.
*/
static SECStatus
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
PRBool check)
{
unsigned int modLen;
unsigned int offset;
SECStatus rv = SECSuccess;
mp_err err;
mp_int n, c, m;
mp_int f, g;
+ mp_digit n0i;
if (!key || !output || !input) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
/* check input out of range (needs to be in range [0..n-1]) */
modLen = rsa_modulusLen(&key->modulus);
if (modLen == 0) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
CHECK_MPI_OK(mp_init(&f));
CHECK_MPI_OK(mp_init(&g));
SECITEM_TO_MPINT(key->modulus, &n);
OCTETS_TO_MPINT(input, &c, modLen);
/* If blinding, compute pre-image of ciphertext by multiplying by
** blinding factor
*/
if (nssRSAUseBlinding) {
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
/* c' = c*f mod n */
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
}
/* Do the private key operation m = c**d mod n */
if (key->prime1.len == 0 ||
key->prime2.len == 0 ||
key->exponent1.len == 0 ||
key->exponent2.len == 0 ||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
} else {
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
}
/* If blinding, compute post-image of plaintext by multiplying by
** blinding factor
*/
if (nssRSAUseBlinding) {
/* m = m'*g mod n */
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
}
err = mp_to_fixlen_octets(&m, output, modLen);
if (err >= 0)
err = MP_OKAY;
cleanup:
mp_clear(&n);
mp_clear(&c);
mp_clear(&m);

File diff suppressed because it is too large Load Diff

@ -1,15 +1,15 @@
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
diff -up ./lib/pk11wrap/pk11pars.c.ems ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.ems 2024-06-11 13:09:25.956760476 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 13:09:52.837067481 -0700
@@ -433,6 +433,8 @@ static const oidValDef kxOptList[] = {
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
+ /* not really a key exchange, but it's the closest fit */
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
+
};
static const oidValDef signOptList[] = {
static const oidValDef smimeKxOptList[] = {
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
@ -65,40 +65,43 @@ diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
if (isTLS12) {
if (isDH)
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
"IPsec User",
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
diff -up ./lib/util/secoid.c.ems ./lib/util/secoid.c
--- ./lib/util/secoid.c.ems 2024-06-11 13:11:28.078155282 -0700
+++ ./lib/util/secoid.c 2024-06-11 13:12:58.511188172 -0700
@@ -1890,6 +1890,12 @@ const static SECOidData oids[SEC_OID_TOT
ODE(SEC_OID_RC2_64_CBC, "RC2-64-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_RC2_128_CBC, "RC2-128-CBC", CKM_RC2_CBC, INVALID_CERT_EXTENSION),
ODE(SEC_OID_ECDH_KEA, "ECDH", CKM_ECDH1_DERIVE, INVALID_CERT_EXTENSION),
+
+ /* this will change upstream. for now apps shouldn't use it */
+ /* we need it for the policy code. */
+ ODE(SEC_OID_PRIVATE_1,
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+
};
/* PRIVATE EXTENDED SECOID Table
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
@@ -2198,6 +2204,10 @@ SECOID_Init(void)
/* turn off NSS_USE_POLICY_IN_SSL by default */
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
+ /* turn off TLS REQUIRE EMS by default */
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+
+
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
if (envVal)
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
@@ -501,6 +501,9 @@ typedef enum {
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
diff -up ./lib/util/secoidt.h.ems ./lib/util/secoidt.h
--- ./lib/util/secoidt.h.ems 2024-06-11 13:16:13.212411967 -0700
+++ ./lib/util/secoidt.h 2024-06-11 13:16:48.098810434 -0700
@@ -530,6 +530,9 @@ typedef enum {
SEC_OID_RC2_64_CBC = 385,
SEC_OID_RC2_128_CBC = 386,
SEC_OID_ECDH_KEA = 387,
+ /* this will change upstream. for now apps shouldn't use it */
+ /* give it an obscure name here */
+ SEC_OID_PRIVATE_1 = 372,
+ SEC_OID_PRIVATE_1 = 388,
SEC_OID_TOTAL
} SECOidTag;

@ -0,0 +1,59 @@
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
--- a/lib/freebl/chacha20poly1305.c
+++ b/lib/freebl/chacha20poly1305.c
@@ -213,27 +213,31 @@
{
#ifdef NSS_X64
#ifndef NSS_DISABLE_AVX2
if (avx2_support()) {
Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
+ return;
}
#endif
#ifndef NSS_DISABLE_SSE3
if (ssse3_support() && sse4_1_support() && avx_support()) {
Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
+ return;
}
#endif
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
if (ppc_crypto_support()) {
chacha20vsx(len, output, block, k, nonce, ctr);
- } else
+ return;
+ }
#endif
{
Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
+ return;
}
}
#endif /* NSS_DISABLE_CHACHAPOLY */
SECStatus
@@ -449,20 +453,18 @@
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);
goto finish;
}
#endif
-
- else
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
if (ppc_crypto_support()) {
Chacha20Poly1305_vsx_aead_encrypt(
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);
goto finish;
- } else
+ }
#endif
{
Hacl_Chacha20Poly1305_32_aead_encrypt(
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
(uint8_t *)input, output, outTag);

@ -0,0 +1,133 @@
diff --git a/lib/certhigh/certvfypkix.c b/lib/certhigh/certvfypkix.c
--- a/lib/certhigh/certvfypkix.c
+++ b/lib/certhigh/certvfypkix.c
@@ -37,11 +37,11 @@
pkix_pl_lifecycle_ObjectTableUpdate(int *objCountTable);
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-static PRBool usePKIXValidationEngine = PR_FALSE;
+static PRBool usePKIXValidationEngine = PR_TRUE;
#endif /* NSS_DISABLE_LIBPKIX */
/*
* FUNCTION: CERT_SetUsePKIXForValidation
* DESCRIPTION:
diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
--- a/lib/nss/nssinit.c
+++ b/lib/nss/nssinit.c
@@ -762,13 +762,13 @@
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
if (pkixError != NULL) {
goto loser;
} else {
- char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
+ char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
if (ev && ev[0]) {
- CERT_SetUsePKIXForValidation(PR_TRUE);
+ CERT_SetUsePKIXForValidation(PR_FALSE);
}
}
#endif /* NSS_DISABLE_LIBPKIX */
}
diff --git a/tests/all.sh b/tests/all.sh
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -141,17 +141,22 @@
########################################################################
run_cycle_standard()
{
TEST_MODE=STANDARD
+ NSS_DISABLE_LIBPKIX_VERIFY="1"
+ export NSS_DISABLE_LIBPKIX_VERIFY
+
TESTS="${ALL_TESTS}"
TESTS_SKIP="libpkix pkits"
NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-"sql"}
export NSS_DEFAULT_DB_TYPE
run_tests
+
+ unset NSS_DISABLE_LIBPKIX_VERIFY
}
############################ run_cycle_pkix ############################
# run test suites with PKIX enabled
########################################################################
@@ -165,13 +170,10 @@
HOSTDIR="${HOSTDIR}/pkix"
mkdir -p "${HOSTDIR}"
init_directories
- NSS_ENABLE_PKIX_VERIFY="1"
- export NSS_ENABLE_PKIX_VERIFY
-
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
export -n NSS_SSL_RUN
diff --git a/tests/common/init.sh b/tests/common/init.sh
--- a/tests/common/init.sh
+++ b/tests/common/init.sh
@@ -138,12 +138,12 @@
echo "NSS_TEST_DISABLE_CRL=${NSS_TEST_DISABLE_CRL}"
echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
echo "export NSS_DEFAULT_DB_TYPE"
- echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
- echo "export NSS_ENABLE_PKIX_VERIFY"
+ echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
+ echo "export NSS_DISABLE_PKIX_VERIFY"
echo "init_directories"
}
# Exit shellfunction to clean up at exit (error, regular or signal)
Exit()
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -960,13 +960,12 @@
ssl_policy_pkix_ocsp()
{
#verbose="-v"
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
- PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
- NSS_ENABLE_PKIX_VERIFY="1"
- export NSS_ENABLE_PKIX_VERIFY
+ PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
+ unset NSS_DISABLE_LIBPKIX_VERIFY
testname=""
if [ ! -f "${P_R_SERVERDIR}/pkcs11.txt" ] ; then
html_failed "${SCRIPTNAME}: ${P_R_SERVERDIR} is not initialized"
@@ -987,16 +986,14 @@
grep 12276 ${P_R_SERVERDIR}/vfy.out
RET=$?
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
- if [ "${PKIX_SAVE}" = "unset" ]; then
- unset NSS_ENABLE_PKIX_VERIFY
- else
- NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
- export NSS_ENABLE_PKIX_VERIFY
+ if [ "{PKIX_SAVE}" != "unset" ]; then
+ export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
fi
+
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
html "</TABLE><BR>"
}

@ -1,12 +1,18 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
}
PORT_Free(cursor);
}
}
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2024-06-12 13:29:17.162207862 -0700
+++ ./gtests/ssl_gtest/manifest.mn 2024-06-12 13:30:25.699047788 -0700
@@ -59,7 +59,6 @@ CPPSRCS = \
tls_protect.cc \
tls_psk_unittest.cc \
tls_subcerts_unittest.cc \
- tls_ech_unittest.cc \
tls_xyber_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)
diff -up ./lib/ssl/sslsock.c.disable_ech ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.disable_ech 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/ssl/sslsock.c 2024-06-12 13:29:17.162207862 -0700
@@ -4415,17 +4415,23 @@ ssl_ClearPRCList(PRCList *list, void (*f
SECStatus
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
{
@ -30,13 +36,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
sslSocket *ss = ssl_FindSocket(fd);
if (!ss || size == 0) {
return SECFailure;
}
ssl_Get1stHandshakeLock(ss);
ssl_GetSSL3HandshakeLock(ss);
ss->ssl3.hs.greaseEchSize = size;
ssl_ReleaseSSL3HandshakeLock(ss);
@@ -4439,28 +4445,42 @@ SSLExp_SetTls13GreaseEchSize(PRFileDesc
ssl_Release1stHandshakeLock(ss);
return SECSuccess;
@ -79,18 +79,3 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
}
SECStatus
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
{
sslSocket *ss = ssl_FindSocket(fd);
if (!ss) {
return SECFailure;
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
@@ -57,7 +57,6 @@ CPPSRCS = \
tls_filter.cc \
tls_protect.cc \
tls_psk_unittest.cc \
- tls_ech_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)

@ -0,0 +1,81 @@
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
- NSS_USE_ALG_IN_PKCS12 },
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
NSS_USE_ALG_IN_PKCS12 },
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
@@ -91,21 +91,21 @@
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
# integrity policy check the various has based controls.
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
# encryption side. These tests purposefully tests that the default fails to encrypt
# but succeeds when decrypting.
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256

@ -14,6 +14,8 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
+ { CIPHER_NAME("RSA-PKCS"), SEC_OID_PKCS1_RSA_ENCRYPTION, 0},
+ { CIPHER_NAME("RSA-PSS"), SEC_OID_PKCS1_RSA_PSS_SIGNATURE, 0},
+ { CIPHER_NAME("ECDSA"), SEC_OID_ANSIX962_EC_PUBLIC_KEY, 0},
{ CIPHER_NAME("ED25519"), SEC_OID_ED25519_PUBLIC_KEY,
NSS_USE_ALG_IN_SIGNATURE },
};
typedef struct {
@ -21,6 +23,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c
{ macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE },
{ cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE },
{ kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE },
{ smimeKxOptList, PR_ARRAY_SIZE(smimeKxOptList), "SMIME-KX", PR_TRUE },
- { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_FALSE },
+ { signOptList, PR_ARRAY_SIZE(signOptList), "OTHER-SIGN", PR_TRUE },
};

@ -0,0 +1,24 @@
diff -up ./tests/ec/ectest.sh.dbm ./tests/ec/ectest.sh
--- ./tests/ec/ectest.sh.dbm 2024-06-18 14:53:51.201438651 -0700
+++ ./tests/ec/ectest.sh 2024-06-18 14:56:09.993993637 -0700
@@ -45,12 +45,20 @@ ectest_genkeydb_test()
if [ $? -ne 0 ]; then
return $?
fi
+ if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
curves=( \
"curve25519" \
"secp256r1" \
"secp384r1" \
"secp521r1" \
)
+ else
+ curves=( \
+ "secp256r1" \
+ "secp384r1" \
+ "secp521r1" \
+ )
+ fi
for curve in "${curves[@]}"; do
echo "Test $curve key generation using certutil ..."
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}

@ -0,0 +1,12 @@
diff -up ./tests/ssl/sslpolicy.txt.rsa_disable_test ./tests/ssl/sslpolicy.txt
--- ./tests/ssl/sslpolicy.txt.rsa_disable_test 2024-06-19 11:17:10.261637015 -0700
+++ ./tests/ssl/sslpolicy.txt 2024-06-19 11:18:22.797425628 -0700
@@ -197,7 +197,7 @@
# compatibility reasons
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
# test default settings

@ -0,0 +1,89 @@
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
static PRBool
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
{
+#ifdef notdef
PRUint32 policy;
SECStatus rv;
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
return PR_TRUE;
}
return PR_FALSE;
+#else
+ return PR_TRUE;
+#endif
}
PRBool
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
PRBool
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
{
+#ifdef notdef
PRUint32 policyFlags;
/* some S/MIME algs map to the same underlying KEA mechanism,
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
return PR_FALSE;
}
+#endif
return PR_TRUE;
}
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
return PR_FAILURE;
}
+#ifdef notdef
/* At initialization time, we need to set up the defaults. We first
* look to see if the system or application has set up certain algorithms
* by policy. If they have set up values by policy we'll only allow those
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
PORT_Free(tags);
tags = NULL;
}
+#else
+ /* just initialize the old maps */
+ rv = SECSuccess;
+ tagCount = 0;
+#endif
if ((rv != SECSuccess) || (tagCount == 0)) {
/* No algorithms have been enabled by policy (either by the system
* or by the application, we then will use the traditional default
diff -up ./smime/smime.sh.no_p12_smime_policy ./smime/smime.sh
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
700
+++ ./tests/smime/smime.sh 2024-07-17 12:29:08.251207306 -0700
@@ -872,8 +872,8 @@ smime_init
smime_main
smime_data_tb
smime_p7
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
- smime_policy
-fi
+#if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
+# smime_policy
+#fi
smime_cleanup
diff -up ./tools/tools.sh.no_p12_smime_policy ./tools/tools.sh
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 12:27:36.262106070 -0
700
+++ ./tests/tools/tools.sh 2024-07-17 12:28:32.418778346 -0700
@@ -586,7 +586,7 @@ tools_p12()
tools_p12_import_pbmac1_samples
if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
tools_p12_import_rsa_pss_private_key
- tools_p12_policy
+#tools_p12_policy
fi
}

@ -26,6 +26,20 @@ diff -up ./cmd/pk12util/pk12util.c.orig ./cmd/pk12util/pk12util.c
if (pk12util.options[opt_CertCipher].activated) {
char *cipherString = pk12util.options[opt_CertCipher].arg;
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.7732
48450 -0700
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
}
}
}
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
- if (PK11_IsFIPS()) {
- hash = SEC_OID_HMAC_SHA256;
- }
if (pk12util.options[opt_Mac].activated) {
char *hashString = pk12util.options[opt_Mac].arg;
diff -up ./tests/tools/tools.sh.orig ./tests/tools/tools.sh
--- ./tests/tools/tools.sh.orig 2021-06-15 17:06:27.650564449 -0700
+++ ./tests/tools/tools.sh 2021-06-15 17:07:59.934117192 -0700

@ -0,0 +1,13 @@
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
+ NSS_USE_ALG_IN_SSL_KX },
/* ANSI X9.62 named elliptic curves (characteristic two field) */
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },

@ -5,8 +5,8 @@ diff -up ./tests/dbtests/dbtests.sh.extend ./tests/dbtests/dbtests.sh
RARRAY=($dtime)
TIMEARRAY=(${RARRAY[1]//./ })
echo "${TIMEARRAY[0]} seconds"
- test ${TIMEARRAY[0]} -lt 2
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-3}
- test ${TIMEARRAY[0]} -lt 5
+ test ${TIMEARRAY[0]} -lt ${NSS_DB_DUMP_TIME-5}
ret=$?
html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
fi

@ -1,7 +1,7 @@
diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips_indicators 2023-11-27 11:21:42.459523398 -0800
+++ ./lib/softoken/pkcs11c.c 2023-11-27 11:22:56.821120920 -0800
@@ -450,7 +450,7 @@ sftk_InitGeneric(SFTKSession *session, C
--- ./lib/softoken/pkcs11c.c.fips_indicators 2024-06-12 13:38:15.995811284 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:41:30.008188930 -0700
@@ -453,7 +453,7 @@ sftk_InitGeneric(SFTKSession *session, C
context->blockSize = 0;
context->maxLen = 0;
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
@ -10,16 +10,16 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
*contextPtr = context;
return CKR_OK;
}
@@ -4816,7 +4816,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4885,7 +4885,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
crv = sftk_handleObject(key, session);
/* we need to do this check at the end, so we can check the generated
/* we need to do this check at the end, so we can check the generated
* key length against fips requirements */
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key, 0);
session->lastOpWasFIPS = key->isFIPS;
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
@@ -5836,7 +5836,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6020,7 +6020,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
return crv;
}
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
@ -28,7 +28,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
publicKey->isFIPS = privateKey->isFIPS;
session->lastOpWasFIPS = privateKey->isFIPS;
sftk_FreeSession(session);
@@ -7036,6 +7036,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7220,6 +7220,10 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
return CKR_TEMPLATE_INCONSISTENT;
}
@ -39,7 +39,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
/* sourceKey is NULL if we are called from the POST, skip the
* sensitiveCheck */
if (sourceKey != NULL) {
@@ -7085,7 +7089,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7269,7 +7273,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
@ -49,7 +49,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
}
saltKeySource = saltKey->source;
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
@@ -7152,7 +7157,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7336,7 +7341,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* HKDF-Expand */
if (!params->bExpand) {
okm = prk;
@ -58,7 +58,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7398,7 +7403,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7583,7 +7588,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
@ -69,8 +69,8 @@ diff -up ./lib/softoken/pkcs11c.c.fips_indicators ./lib/softoken/pkcs11c.c
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips_indicators 2023-11-27 11:21:42.450523326 -0800
+++ ./lib/softoken/pkcs11i.h 2023-11-27 11:22:56.821120920 -0800
--- ./lib/softoken/pkcs11i.h.fips_indicators 2024-06-12 13:38:15.988811198 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 13:38:15.996811296 -0700
@@ -979,7 +979,8 @@ CK_FLAGS sftk_AttributeToFlags(CK_ATTRIB
/* check the FIPS table to determine if this current operation is allowed by
* FIPS security policy */
@ -82,9 +82,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips_indicators ./lib/softoken/pkcs11i.h
CK_RV sftk_CreateValidationObjects(SFTKSlot *slot);
diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_indicators 2023-11-27 11:21:42.451523334 -0800
+++ ./lib/softoken/pkcs11u.c 2023-11-27 11:31:51.812419789 -0800
@@ -2330,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
--- ./lib/softoken/pkcs11u.c.fips_indicators 2024-06-12 13:38:15.990811223 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 13:38:15.996811296 -0700
@@ -2336,7 +2336,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
static CK_ULONG
sftk_getKeyLength(SFTKObject *source)
{
@ -93,7 +93,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
@@ -2392,13 +2392,29 @@ sftk_getKeyLength(SFTKObject *source)
@@ -2398,13 +2398,29 @@ sftk_getKeyLength(SFTKObject *source)
return keyLength;
}
@ -124,7 +124,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
{
switch (mechInfo->special) {
case SFTKFIPSDH: {
@@ -2458,10 +2474,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2464,10 +2480,15 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (hashObj == NULL) {
return PR_FALSE;
}
@ -141,7 +141,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
}
case SFTKFIPSPBKDF2: {
/* PBKDF2 must have the following addition restrictions
@@ -2486,6 +2507,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2492,6 +2513,13 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
return PR_TRUE;
}
@ -155,7 +155,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
default:
break;
}
@@ -2496,7 +2524,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2502,7 +2530,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
PRBool
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
@ -164,7 +164,7 @@ diff -up ./lib/softoken/pkcs11u.c.fips_indicators ./lib/softoken/pkcs11u.c
{
#ifndef NSS_HAS_FIPS_INDICATORS
return PR_FALSE;
@@ -2528,13 +2556,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2534,13 +2562,17 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
/* if we match the number of records exactly, then we are an
* approved algorithm in the approved mode with an approved key */

@ -1,6 +1,6 @@
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
--- ./lib/freebl/dh.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/freebl/dh.c 2024-06-12 12:04:10.639360404 -0700
@@ -445,7 +445,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
@ -50,20 +50,28 @@ diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
MP_TO_SEC_ERROR(err);
return PR_FALSE;
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
--- ./lib/softoken/pkcs11c.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11c.c 2024-06-12 13:06:35.410551333 -0700
@@ -43,6 +43,7 @@
#include "prprf.h"
#include "prenv.h"
+#include "prerror.h"
#define __PASTE(x, y) x##y
#define BAD_PARAM_CAST(pMech, typeSize) (!pMech->pParameter || pMech->ulParameterLen < typeSize)
@@ -4882,6 +4883,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
* handle the base object stuff
*/
crv = sftk_handleObject(key, session);
+ /* we need to do this check at the end, so we can check the generated
+ /* we need to do this check at the end, so we can check the generated
+ * key length against fips requirements */
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
+ session->lastOpWasFIPS = key->isFIPS;
sftk_FreeSession(session);
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4889,9 +4894,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
}
@ -73,7 +81,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (crv == CKR_OK) {
*phKey = key->handle;
}
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5199,60 +5201,68 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
if (isDerivable) {
SFTKAttribute *pubAttribute = NULL;
@ -156,7 +164,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
+ }
+ /* make sure it has the same encoding */
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
+ } else {
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
@ -169,7 +177,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
+ default:
+ return CKR_DEVICE_ERROR;
}
-
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
- if (crv != CKR_OK) {
- sftk_FreeAttribute(pubAttribute);
@ -189,7 +197,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
/* FIPS requires full validation, but in fipx mode NSC_Derive
* only does partial validation with approved primes, now handle
* full validation */
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5260,44 +5270,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
SECItem pubKey;
SECItem prime;
SECItem subPrime;
@ -283,7 +291,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
}
return CKR_OK;
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5925,8 +5969,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -293,7 +301,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5968,6 +6012,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (crv != CKR_OK) {
@ -301,7 +309,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
NSC_DestroyObject(hSession, publicKey->handle);
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5977,6 +6022,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
publicKey->isFIPS = privateKey->isFIPS;
@ -310,7 +318,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
*phPrivateKey = privateKey->handle;
*phPublicKey = publicKey->handle;
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8610,7 +8657,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
/* if the prime is an approved prime, we can skip all the other
* checks. */
@ -319,7 +327,7 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8792,6 +8839,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
secretlen = tmp.len;
} else {
secretlen = keySize;
@ -327,24 +335,9 @@ diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
&tmp, mechParams->pSharedData,
mechParams->ulSharedDataLen, mechParams->kdf);
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
if (object == NULL) {
return CKR_HOST_MEMORY;
}
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
+ /* object types that we aren't allowed to create in FIPS mode are
+ * already rejected explicitly. If we get here, then the object is
+ * FIPS OK (most notably public key objects )*/
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
* it's not a FIPS object */
/*
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
--- ./lib/softoken/pkcs11i.h.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11i.h 2024-06-12 12:04:10.640360416 -0700
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
@ -355,9 +348,9 @@ diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
/* map an operation Attribute to a Mechanism flag */
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
--- ./lib/softoken/pkcs11u.c.fips-review 2024-06-12 12:04:10.638360392 -0700
+++ ./lib/softoken/pkcs11u.c 2024-06-12 12:04:10.640360416 -0700
@@ -2409,15 +2409,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@ -388,8 +381,8 @@ diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
case SFTKFIPSNone:
return PR_FALSE;
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
--- ./lib/softoken/sftkdhverify.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkdhverify.c 2024-06-12 12:04:10.641360427 -0700
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
(unsigned char *)subprime_tls_8192_data,
sizeof(subprime_tls_8192_data) };
@ -481,8 +474,8 @@ diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
}
break;
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
--- ./lib/softoken/sftkike.c.fips-review 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/softoken/sftkike.c 2024-06-12 12:04:10.641360427 -0700
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
goto fail;
}

@ -0,0 +1,115 @@
diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
+ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
extern SECStatus
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
- SECItem *encKey, PRBool genUkm, SECItem *ukm,
+ SECItem *encKey, PRBool genUkm, SECItem **ukm,
SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
PK11SymKey *
diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
unsigned char suppPubInfo[4] = { 0 };
SI.keyInfo = keyInfo;
- SI.entityUInfo.type = ukm->type;
- SI.entityUInfo.data = ukm->data;
- SI.entityUInfo.len = ukm->len;
+ if (ukm) {
+ SI.entityUInfo.type = ukm->type;
+ SI.entityUInfo.data = ukm->data;
+ SI.entityUInfo.len = ukm->len;
+ } else {
+ SI.entityUInfo.type = siBuffer;
+ SI.entityUInfo.data = NULL;
+ SI.entityUInfo.len = 0;
+ }
SI.suppPubInfo.type = siBuffer;
SI.suppPubInfo.data = suppPubInfo;
@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
SECStatus
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
PK11SymKey *bulkkey, SECItem *encKey,
- PRBool genUkm, SECItem *ukm,
+ PRBool genUkm, SECItem **ukmp,
SECAlgorithmID *keyEncAlg, SECItem *pubKey,
void *wincx)
{
@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
SECAlgorithmID keyWrapAlg;
SECOidTag keyEncAlgtag;
SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
+ SECItem *ukm = *ukmp;
CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
CK_ULONG kdf;
- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
+ if (genUkm && (ukm != NULL)) {
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
return SECFailure;
}
@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
* contain 512 bits for Diffie-Hellman key agreement. */
if (genUkm) {
- ukm->type = siBuffer;
- ukm->len = 64;
- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
-
- if (ukm->data == NULL) {
+ ukm = SECITEM_AllocItem(poolp, NULL, 64);
+ if (ukm == NULL) {
goto loser;
}
+ ukm->type = siBuffer;
+
rv = PK11_GenerateRandom(ukm->data, ukm->len);
if (rv != SECSuccess) {
goto loser;
}
+ *ukmp = ukm; /* return it */
}
SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700
@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
+ ukm = ri->ri.keyAgreeRecipientInfo.ukm;
break;
case NSSCMSRecipientInfoID_KEK:
algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700
@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
struct NSSCMSKeyAgreeRecipientInfoStr {
SECItem version;
NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
- SECItem ukm; /* optional */
+ SECItem *ukm; /* optional */
SECAlgorithmID keyEncAlg;
NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
};

@ -0,0 +1,126 @@
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
// Fail to connect with a weak RSA key.
TEST_P(TlsConnectTls13, DCWeakKey) {
Reset(kPssDelegatorId);
EnsureTlsSetup();
static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
ssl_sig_rsa_pss_pss_sha256};
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
+ PRInt32 keySizeFlags;
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
+ // turn off the signing key sizes so we actually test the ssl tests
+ ASSERT_EQ(SECSuccess,
+ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
// save the MIN POLICY length.
PRInt32 minRsa;
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
#if RSA_MIN_MODULUS_BITS >= 2048
ASSERT_EQ(SECSuccess,
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
client_->EnableDelegatedCredentials();
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
client_, ssl_delegated_credentials_xtn);
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
#endif
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
}
class ReplaceDCSigScheme : public TlsHandshakeFilter {
public:
ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
: TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
protected:
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
return 0;
}
/* interpret modulus length as key strength */
switch (privk->keyType) {
case rsaKey:
case rsaPssKey:
case rsaOaepKey:
- /* some tokens don't export CKA_MODULUS on the private key,
- * PK11_SignatureLen works around this if necessary */
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
- if (bitSize == -1) {
- bitSize = 0;
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+ CKA_MODULUS, NULL, &params);
+ if ((rv != SECSuccess) || (params.data == NULL)) {
+ /* some tokens don't export CKA_MODULUS on the private key,
+ * PK11_SignatureLen works around this if necessary. This
+ * method is less percise because it returns bytes instead
+ * bits, so we only do it if we can't get the modulus */
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
+ if (bitSize == -1) {
+ return 0;
+ }
+ return bitSize;
}
+ bitSize = SECKEY_BigIntegerBitLength(&params);
+ PORT_Free(params.data);
return bitSize;
case dsaKey:
case fortezzaKey:
case dhKey:
case keaKey:
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
CKA_PRIME, NULL, &params);
if ((rv != SECSuccess) || (params.data == NULL)) {
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
PORT_SetError(SEC_ERROR_INVALID_KEY);
goto done;
}
PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
int signatureLen = PK11_SignatureLen(key);
+ PRInt32 optval;
SECItem *params = NULL;
CK_RSA_PKCS_PSS_PARAMS pssParams;
SECItem pssParamsItem = { siBuffer,
(unsigned char *)&pssParams,
sizeof(pssParams) };
if (signatureLen <= 0) {
PORT_SetError(SEC_ERROR_INVALID_KEY);
goto done;
}
+ /* since we are calling PK11_SignWithMechanism directly, we need to check the
+ * key policy ourselves (which is already checked in SGN_Digest */
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
+ if ((rv == SECSuccess) &&
+ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
+ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+ if (rv != SECSuccess) {
+ goto done; /* error code already set */
+ }
+ }
buf->len = (unsigned)signatureLen;
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
if (!buf->data)
goto done; /* error code was set. */
if (useRsaPss) {
pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);

@ -0,0 +1,43 @@
diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
--- a/lib/util/nsshash.c
+++ b/lib/util/nsshash.c
@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
SECOidTag
HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
{
SECOidTag hashOid = SEC_OID_UNKNOWN;
switch (hmacOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_HMAC_MD5:
+ hashOid = SEC_OID_MD5;
+ break;
case SEC_OID_HMAC_SHA1:
hashOid = SEC_OID_SHA1;
break;
case SEC_OID_HMAC_SHA224:
hashOid = SEC_OID_SHA224;
break;
case SEC_OID_HMAC_SHA256:
hashOid = SEC_OID_SHA256;
@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
SECOidTag
HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
{
SECOidTag hmacOid = SEC_OID_UNKNOWN;
switch (hashOid) {
/* no oid exists for HMAC_MD2 */
/* NSS does not define a oid for HMAC_MD4 */
+ case SEC_OID_MD5:
+ hmacOid = SEC_OID_HMAC_MD5;
+ break;
case SEC_OID_SHA1:
hmacOid = SEC_OID_HMAC_SHA1;
break;
case SEC_OID_SHA224:
hmacOid = SEC_OID_HMAC_SHA224;
break;
case SEC_OID_SHA256:
hmacOid = SEC_OID_HMAC_SHA256;

@ -0,0 +1,121 @@
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
--- a/lib/pk11wrap/pk11mech.c
+++ b/lib/pk11wrap/pk11mech.c
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
case CKM_BATON_ECB96:
case CKM_BATON_CBC128:
case CKM_BATON_COUNTER:
case CKM_BATON_SHUFFLE:
case CKM_JUNIPER_ECB128:
case CKM_JUNIPER_CBC128:
case CKM_JUNIPER_COUNTER:
case CKM_JUNIPER_SHUFFLE:
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
- SEC_ASN1_GET(SEC_OctetStringTemplate));
- if (newParams == NULL)
- break;
+ /* if no parameters have been supplied, then encode a NULL params
+ */
+ if (param && param->len > 0) {
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
+ if (newParams == NULL)
+ break;
+ } else {
+ newParams = NULL;
+ }
rv = SECSuccess;
break;
}
if (rv != SECSuccess) {
if (newParams)
SECITEM_FreeItem(newParams, PR_TRUE);
return rv;
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
--- a/lib/pk11wrap/pk11pbe.c
+++ b/lib/pk11wrap/pk11pbe.c
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
* algorithm is). We use choose this algorithm oid based on the
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
*/
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
/* choose mac or pbes */
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
}
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
+
/* set the PKCS5v2 specific parameters */
if (keyLength == 0) {
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
if (hashAlg != SEC_OID_UNKNOWN) {
keyLength = HASH_ResultLenByOidTag(hashAlg);
} else {
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
}
if (keyLength <= 0) {
goto loser;
}
}
/* currently SEC_OID_HMAC_SHA1 is the default */
if (prfAlg == SEC_OID_UNKNOWN) {
prfAlg = SEC_OID_HMAC_SHA1;
}
- /* build the PKCS5v2 cipher algorithm id */
- cipherParams = pk11_GenerateNewParamWithKeyLen(
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
- if (!cipherParams) {
- goto loser;
+ /* build the PKCS5v2 cipher algorithm id, if cipher
+ * is an HMAC, the cipherParams should be NULL */
+ if (hashAlg == SEC_OID_UNKNOWN) {
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
+ if (!cipherParams) {
+ goto loser;
+ }
+ } else {
+ cipherParams = NULL;
}
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
poolp, &pbeV2_param.cipherAlgId);
- SECITEM_FreeItem(cipherParams, PR_TRUE);
+ if (cipherParams) {
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
+ }
if (rv != SECSuccess) {
goto loser;
}
}
/* generate the parameter */
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
keyLength, prfAlg);
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
--- a/lib/util/secalgid.c
+++ b/lib/util/secalgid.c
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
return SECFailure;
}
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
return SECFailure;
if ((secoid_IsRSAPKCS1(which)) ||
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
add_null_param = PR_TRUE;
} else {
add_null_param = PR_FALSE;
}
if (params) {
/*
* I am specifically *not* enforcing the following assertion

@ -0,0 +1,12 @@
diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
+++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
/* pkcs12v2 hmac uses UTF8 rather than unicode */
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
- PR_TRUE, PR_FALSE, PR_FALSE)) {
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
return NULL;
}
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);

File diff suppressed because it is too large Load Diff

@ -1,57 +0,0 @@
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
index 74e8e65..8995752 100644
--- a/lib/freebl/Makefile
+++ b/lib/freebl/Makefile
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
else ifeq (1,$(CC_IS_GCC))
- SUPPORTS_VALE_CURVE25519 = 1
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
index 65f9a80..23940ef 100644
--- a/lib/freebl/freebl.gyp
+++ b/lib/freebl/freebl.gyp
@@ -866,12 +866,6 @@
}],
],
}],
- [ 'supports_vale_curve25519==1', {
- 'defines': [
- # The Makefile does version-tests on GCC, but we're not doing that here.
- 'HACL_CAN_COMPILE_INLINE_ASM',
- ],
- }],
[ 'OS=="linux" or OS=="android"', {
'conditions': [
[ 'target_arch=="x64"', {
@@ -934,11 +928,6 @@
'variables': {
'module': 'nss',
'conditions': [
- [ 'target_arch=="x64" and cc_is_gcc==1', {
- 'supports_vale_curve25519%': 1,
- }, {
- 'supports_vale_curve25519%': 0,
- }],
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'have_int128_support%': 1,
}, {
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
index d198c44..34b6b3c 100644
--- a/lib/freebl/freebl_base.gypi
+++ b/lib/freebl/freebl_base.gypi
@@ -151,11 +151,6 @@
'ecl/curve25519_32.c',
],
}],
- ['supports_vale_curve25519==1', {
- 'sources': [
- 'verified/Hacl_Curve25519_64.c',
- ],
- }],
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
'sources': [
# Gyp does not support per-file cflags, so working around like this.

@ -1,194 +0,0 @@
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
@@ -10,6 +10,32 @@
#include "pk11pub.h"
#include <stdio.h>
+typedef struct KeyLengthEntryStr {
+ SECOidTag tag;
+ unsigned int len;
+ PRBool encoded;
+} KeyLengthEntry;
+
+const KeyLengthEntry keyLengthTable[] = {
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
+};
+
+const KeyLengthEntry *
+getKeyLengthEntry(SECOidTag tag)
+{
+ int i;
+
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
+ if (keyLengthTable[i].tag == tag) {
+ return &keyLengthTable[i];
+ }
+ }
+ return NULL;
+}
+
void
printBuf(const SECItem *item)
{
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
PK11SymKey *symKey = NULL;
SECStatus rv = SECFailure;
+ const KeyLengthEntry *keyLengthEntry;
+ SECItem point = { siBuffer, NULL, 0 };
+ SECItem value = { siBuffer, NULL, 0 };
+ PLArenaPool *arena = NULL;
oidData = SECOID_FindOIDByTag(oid);
if (oidData == NULL) {
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
goto cleanup;
}
PrintKey(symKey);
- rv = SECSuccess;
+ keyLengthEntry = getKeyLengthEntry(oid);
+ /* this shouldn't happen unless new curves are added without adding them
+ * to the keyLengthTable */
+ PR_ASSERT(keyLengthEntry);
+
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
+ * our test will detect incorrect behavior */
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
+ if (rv == SECFailure) {
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
+ goto cleanup;
+ }
+ rv = SECFailure;
+ if (keyLengthEntry->encoded) {
+ if (point.len == keyLengthEntry->len) {
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
+ printBuf(&point);
+ goto cleanup;
+ }
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL) {
+ printf(" >>> arena alloc failed.\n");
+ goto cleanup;
+ }
+
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
+ &point);
+ if (rv != SECSuccess) {
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
+ printBuf(&point);
+ goto cleanup;
+ }
+ rv = SECFailure;
+ if (value.len != keyLengthEntry->len) {
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
+ value.len, keyLengthEntry->len);
+ printBuf(&value);
+ goto cleanup;
+ }
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
+ printBuf(&value);
+ goto cleanup;
+ }
+ } else {
+ if (point.len != keyLengthEntry->len) {
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
+ point.len, keyLengthEntry->len);
+ printBuf(&point);
+ goto cleanup;
+ }
+ }
+
+ rv = SECSuccess;
cleanup:
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
@@ -91,7 +176,11 @@ cleanup:
if (symKey) {
PK11_FreeSymKey(symKey);
}
+ if (arena) {
+ PORT_FreeArena(arena, PR_TRUE);
+ }
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
+ SECITEM_FreeItem(&point, PR_FALSE);
return rv;
}
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
*/
typedef enum { ec_params_explicit,
- ec_params_named
+ ec_params_named,
+ ec_params_edwards_named,
+ ec_params_montgomery_named,
} ECParamsType;
typedef enum { ec_field_GFp = 1,
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
case SEC_OID_CURVE25519:
/* Populate params for Curve25519 */
+ params->type = ec_params_montgomery_named;
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
ec_field_plain,
params));
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
/* make sure it has the same encoding */
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
} else {
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
}
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
- ecParams->fieldID.type == ec_field_plain) {
+ ecParams->type != ec_params_named) {
PORT_FreeArena(ecParams->arena, PR_TRUE);
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
sftk_item_expand(&ecPriv->publicValue));
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
/* Handle the non-DER encoded case.
* Some curves are always pressumed to be non-DER.
*/
- if (pubKey->u.ec.publicValue.len == keyLen &&
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
+ (pubKey->u.ec.publicValue.len == keyLen &&
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
break; /* key was not DER encoded, no need to unwrap */
}
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
break;
}
/* we don't handle compressed points except in the case of ECCurve25519 */
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}

@ -1,335 +0,0 @@
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
+const uint8_t kP521SpkiUnpaddedSig[] = {
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
+ 0xe2, 0x9f};
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
+const uint8_t kP384SpkiUnpaddedSig[] = {
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
+const uint8_t kP256SpkiUnpaddedSig[] = {
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
+ 0xcf, 0x61, 0x91, 0x5f};
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
+ 0x78, 0xc4};
} // namespace nss_test
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
SEC_OID_SECG_EC_SECP521R1,
SEC_OID_CURVE25519));
+class Pkcs11EcdsaUnpaddedSignatureTest
+ : public Pkcs11EcdsaTestBase,
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
+ public:
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
+};
+
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
+ {SEC_OID_SHA512,
+ {DataBuffer(NULL, 0),
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
+};
+
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
} // namespace nss_test
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[64] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 65 ||
- digest->len == 0 ||
- signature->len != 64) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 65) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 64) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 32 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 32;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 32;
+ }
+
+
uint8_t hash[32] = { 0 };
if (digest->len < 32) {
memcpy(hash + 32 - digest->len, digest->data, digest->len);
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
bool b = Hacl_P256_ecdsa_verif_without_hash(
32, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 32);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[96] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 97 ||
- digest->len == 0 ||
- signature->len != 96) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 97) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 96) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 48 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 48;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 48;
+ }
+
uint8_t hash[48] = { 0 };
if (digest->len < 48) {
memcpy(hash + 48 - digest->len, digest->data, digest->len);
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
bool b = Hacl_P384_ecdsa_verif_without_hash(
48, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 48);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
{
SECStatus res = SECSuccess;
+ unsigned char _padded_sig_data[132] = { 0 };
+ unsigned char *sig_r, *sig_s;
+
if (!key || !signature || !digest ||
!key->publicValue.data ||
!signature->data || !digest->data ||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
return res;
}
- if (key->publicValue.len != 133 ||
- digest->len == 0 ||
- signature->len != 132) {
+ unsigned int olen = key->ecParams.order.len;
+ if (signature->len == 0 || signature->len % 2 != 0 ||
+ signature->len > 2 * olen ||
+ digest->len == 0 || key->publicValue.len != 133) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
res = SECFailure;
return res;
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
return res;
}
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
+ if (signature->len != 132) {
+ unsigned split = signature->len / 2;
+ unsigned pad = 66 - split;
+
+ unsigned char *o_sig = signature->data;
+ unsigned char *p_sig = _padded_sig_data;
+
+ memcpy(p_sig + pad, o_sig, split);
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
+
+ sig_r = p_sig;
+ sig_s = p_sig + 66;
+ } else {
+ sig_r = signature->data;
+ sig_s = signature->data + 66;
+ }
+
uint8_t hash[66] = { 0 };
if (digest->len < 66) {
memcpy(hash + 66 - digest->len, digest->data, digest->len);
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
bool b = Hacl_P521_ecdsa_verif_without_hash(
66, hash,
key->publicValue.data + 1,
- signature->data, signature->data + 66);
+ sig_r, sig_s);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
res = SECFailure;

@ -1,83 +0,0 @@
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -15,10 +15,13 @@
* keys and their associated Certificates are saved on the token.
*
* In this implementation, session objects are only visible to the session
* that created or generated them.
*/
+
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
+
#include "seccomon.h"
#include "secitem.h"
#include "secport.h"
#include "blapi.h"
#include "pkcs11.h"
@@ -1954,12 +1957,21 @@
if (pDigest == NULL) {
*pulDigestLen = context->maxLen;
goto finish;
}
- /* do it: */
+#if (ULONG_MAX > UINT_MAX)
+ /* The context->hashUpdate function takes an unsigned int for its data
+ * length argument, but NSC_Digest takes an unsigned long. */
+ while (ulDataLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
+ pData += UINT_MAX;
+ ulDataLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
+
/* NOTE: this assumes buf size is bigenough for the algorithm */
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
*pulDigestLen = digestLen;
sftk_TerminateOp(session, SFTK_HASH, context);
@@ -1980,12 +1992,22 @@
/* make sure we're legal */
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
if (crv != CKR_OK)
return crv;
- /* do it: */
+
+#if (ULONG_MAX > UINT_MAX)
+ /* The context->hashUpdate function takes an unsigned int for its data
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
+ while (ulPartLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
+ pPart += UINT_MAX;
+ ulPartLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
+
return CKR_OK;
}
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
CK_RV
@@ -3166,10 +3188,17 @@
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
if (crv != CKR_OK)
return crv;
if (context->hashInfo) {
+#if (ULONG_MAX > UINT_MAX)
+ while (ulPartLen > UINT_MAX) {
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
+ pPart += UINT_MAX;
+ ulPartLen -= UINT_MAX;
+ }
+#endif
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
} else {
/* must be block cipher MACing */
unsigned int blkSize = context->blockSize;

@ -1,18 +0,0 @@
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
return $?
fi
curves=( \
- "curve25519" \
"secp256r1" \
"secp384r1" \
"secp521r1" \
)
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
+ curves=( "curve25519" "${curves[@]}" )
+ fi
for curve in "${curves[@]}"; do
echo "Test $curve key generation using certutil ..."
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}

@ -0,0 +1,36 @@
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
@@ -303,7 +303,7 @@ endif
ifeq ($(CPU_ARCH),ppc)
EXTRA_SRCS += gcm-ppc.c
ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
+# DEFINES += -DNSS_NO_INIT_SUPPORT
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
ifeq ($(PPC_ABI),2)
ASFILES += sha512-p8.s
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
ifdef NSS_NO_INIT_SUPPORT
DEFINES += -DNSS_NO_INIT_SUPPORT
endif
-ifeq ($(OS_TARGET),Linux)
-ifeq ($(CPU_ARCH),ppc)
-ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
-endif # USE_64
-endif # ppc
-endif # Linux
+#ifeq ($(OS_TARGET),Linux)
+#ifeq ($(CPU_ARCH),ppc)
+#ifdef USE_64
+# DEFINES += -DNSS_NO_INIT_SUPPORT
+#endif # USE_64
+#endif # ppc
+#endif # Linux
#######################################################################

@ -1,32 +0,0 @@
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
@@ -57,7 +57,6 @@ CPPSRCS = \
tls_filter.cc \
tls_protect.cc \
tls_psk_unittest.cc \
- tls_subcerts_unittest.cc \
tls_ech_unittest.cc \
$(SSLKEYLOGFILE_FILES) \
$(NULL)
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ss->opt.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
break;
case SSL_ENABLE_DELEGATED_CREDENTIALS:
- ssl_defaults.enableDelegatedCredentials = val;
+ /* disable it for now */
break;
case SSL_ENABLE_NPN:

@ -1,41 +0,0 @@
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
static const oidValDef hashOptList[] = {
/* Hashes */
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
+ 0 },
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
diff -r 699541a7793b lib/util/secoid.c
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
@@ -2042,6 +2042,19 @@
int i;
for (i = 1; i < SEC_OID_TOTAL; i++) {
+ switch (i) {
+ case SEC_OID_MD2:
+ case SEC_OID_MD4:
+ case SEC_OID_MD5:
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
+ continue;
+ default:
+ break;
+ }
if (oids[i].desc && strstr(arg, oids[i].desc)) {
xOids[i].notPolicyFlags = notEnable |
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

@ -1,644 +0,0 @@
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
+ # TODO(Bug 1854438): Remove P384 exception.
+ # TODO(Bug 1854439): Remove P521 exception.
+ if [ $file_name == "Hacl_P384.c" \
+ -o $file_name == "Hacl_P384.h" \
+ -o $file_name == "Hacl_P521.c" \
+ -o $file_name == "Hacl_P521.h" ]
+ then
+ continue;
+ fi
diff $hacl_file $f
done
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
@@ -15,15 +15,62 @@
#include "mplogic.h"
#include "ec.h"
#include "ecl.h"
+#include "verified/Hacl_P384.h"
+#include "verified/Hacl_P521.h"
#define EC_DOUBLECHECK PR_FALSE
+SECStatus
+ec_secp384r1_scalar_validate(const SECItem *scalar)
+{
+ if (!scalar || !scalar->data) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (scalar->len != 48) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+
+ bool b = Hacl_P384_validate_private_key(scalar->data);
+
+ if (!b) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
+SECStatus
+ec_secp521r1_scalar_validate(const SECItem *scalar)
+{
+ if (!scalar || !scalar->data) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ return SECFailure;
+ }
+
+ if (scalar->len != 66) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+
+ bool b = Hacl_P521_validate_private_key(scalar->data);
+
+ if (!b) {
+ PORT_SetError(SEC_ERROR_BAD_KEY);
+ return SECFailure;
+ }
+ return SECSuccess;
+}
+
static const ECMethod kMethods[] = {
{ ECCurve25519,
ec_Curve25519_pt_mul,
ec_Curve25519_pt_validate,
ec_Curve25519_scalar_validate,
- NULL, NULL },
+ NULL,
+ NULL },
{
ECCurve_NIST_P256,
ec_secp256r1_pt_mul,
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
SECStatus
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
{
- SECStatus rv = SECSuccess;
- mp_err err;
+ SECStatus rv = SECFailure;
unsigned int len = EC_GetScalarSize(ecParams);
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
return SECFailure;
}
- /* For known curves, use rejection sampling A.4.2 */
- if (ecParams->fieldID.type == ec_field_plain) {
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
- rv = SECFailure;
- if (method == NULL || method->scalar_validate == NULL) {
- /* unknown curve */
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- goto done;
- }
- int count = 100;
- while (rv != SECSuccess && count >= 0) {
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
- goto done;
- }
- rv = method->scalar_validate(privKey);
- count--;
- }
- if (rv != SECSuccess) {
- PORT_SetError(SEC_ERROR_BAD_KEY);
- }
- goto done;
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
+ if (method == NULL || method->scalar_validate == NULL) {
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
}
- /* For unknown curves, use algotithm A.4.1 */
-
- unsigned char *order = ecParams->order.data;
- mp_int privKeyVal, order_1, one;
- unsigned char *privKeyBytes = NULL;
-
- MP_DIGITS(&privKeyVal) = 0;
- MP_DIGITS(&order_1) = 0;
- MP_DIGITS(&one) = 0;
- CHECK_MPI_OK(mp_init(&privKeyVal));
- CHECK_MPI_OK(mp_init(&order_1));
- CHECK_MPI_OK(mp_init(&one));
-
- /* Generates 2*len random bytes using the global random bit generator
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
- * reduces modulo the group order.
- */
-
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
- PORT_SetError(SEC_ERROR_NO_MEMORY);
- rv = SECFailure;
- goto cleanup;
+ uint8_t leading_coeff_mask;
+ switch (ecParams->name) {
+ case ECCurve25519:
+ case ECCurve_NIST_P256:
+ case ECCurve_NIST_P384:
+ leading_coeff_mask = 0xff;
+ break;
+ case ECCurve_NIST_P521:
+ leading_coeff_mask = 0x01;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
+ return SECFailure;
}
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
- CHECK_MPI_OK(mp_set_int(&one, 1));
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
- memcpy(privKey->data, privKeyBytes, len);
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
+ int count = 100;
+ do {
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
+ if (rv != SECSuccess) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return SECFailure;
+ }
+ privKey->data[0] &= leading_coeff_mask;
+ rv = method->scalar_validate(privKey);
+ } while (rv != SECSuccess && --count > 0);
-cleanup:
- mp_clear(&privKeyVal);
- mp_clear(&order_1);
- mp_clear(&one);
- if (privKeyBytes) {
- PORT_ZFree(privKeyBytes, 2 * len);
- }
- if (err < MP_OKAY) {
- MP_TO_SEC_ERROR(err);
- rv = SECFailure;
+ if (rv != SECSuccess) { // implies count == 0
+ PORT_SetError(SEC_ERROR_BAD_KEY);
}
-done:
- if (rv != SECSuccess && privKey->data) {
- SECITEM_ZfreeItem(privKey, PR_FALSE);
- return rv;
- }
return rv;
}
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
const SECItem *digest);
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
+
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
+
#endif /* __ecl_h_ */
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
@@ -38,6 +38,8 @@
'ecl/ecp_secp384r1.c',
'ecl/ecp_secp521r1.c',
'verified/Hacl_P256.c',
+ 'verified/Hacl_P384.c',
+ 'verified/Hacl_P521.c',
'fipsfreebl.c',
'blinit.c',
'freeblver.c',
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
endif # NSS_DISABLE_CHACHAPOLY
-VERIFIED_SRCS += Hacl_P256.c
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
# All 64-bit architectures get the 64 bit version.
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,126 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "Hacl_P384.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Bignum_Base.h"
+
+static inline uint64_t
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
+{
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
+ KRML_MAYBE_FOR6(i,
+ (uint32_t)0U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
+ mask = uu____0 & mask;);
+ uint64_t mask1 = mask;
+ return mask1;
+}
+
+static inline uint64_t
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
+{
+ uint64_t c1 = (uint64_t)0U;
+ {
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
+ }
+ KRML_MAYBE_FOR2(i,
+ (uint32_t)4U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t t1 = b[i];
+ uint64_t t2 = c[i];
+ uint64_t *res_i = a + i;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
+ uint64_t c10 = c1;
+ return c10;
+}
+
+static inline void
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
+{
+ KRML_MAYBE_FOR6(i,
+ (uint32_t)0U,
+ (uint32_t)6U,
+ (uint32_t)1U,
+ uint64_t *os = a;
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
+ uint64_t x = u;
+ os[i] = x;);
+}
+
+static inline void
+p384_make_order(uint64_t *n)
+{
+ n[0U] = (uint64_t)0xecec196accc52973U;
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
+ n[3U] = (uint64_t)0xffffffffffffffffU;
+ n[4U] = (uint64_t)0xffffffffffffffffU;
+ n[5U] = (uint64_t)0xffffffffffffffffU;
+}
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool
+Hacl_P384_validate_private_key(uint8_t *private_key)
+{
+ uint64_t bn_sk[6U] = { 0U };
+ bn_from_bytes_be(bn_sk, private_key);
+ uint64_t tmp[6U] = { 0U };
+ p384_make_order(tmp);
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
+ uint64_t is_lt_order = (uint64_t)0U - c;
+ uint64_t bn_zero[6U] = { 0U };
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
+ uint64_t is_eq_zero = res;
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
+}
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,68 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __Hacl_P384_H
+#define __Hacl_P384_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+
+#include "lib_intrinsics.h"
+
+/*******************************************************************************
+
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
+
+ This module implements signing and verification, key validation, conversions
+ between various point representations, and ECDH key agreement.
+
+*******************************************************************************/
+
+/******************/
+/* Key validation */
+/******************/
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_P384_H_DEFINED
+#endif
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,131 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include "Hacl_P521.h"
+
+#include "internal/Hacl_Krmllib.h"
+#include "internal/Hacl_Bignum_Base.h"
+
+static inline uint64_t
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
+{
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
+ KRML_MAYBE_FOR9(i,
+ (uint32_t)0U,
+ (uint32_t)9U,
+ (uint32_t)1U,
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
+ mask = uu____0 & mask;);
+ uint64_t mask1 = mask;
+ return mask1;
+}
+
+static inline uint64_t
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
+{
+ uint64_t c1 = (uint64_t)0U;
+ KRML_MAYBE_FOR2(i,
+ (uint32_t)0U,
+ (uint32_t)2U,
+ (uint32_t)1U,
+ uint64_t t1 = b[(uint32_t)4U * i];
+ uint64_t t20 = c[(uint32_t)4U * i];
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
+ {
+ uint64_t t1 = b[8U];
+ uint64_t t2 = c[8U];
+ uint64_t *res_i = a + (uint32_t)8U;
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
+ }
+ uint64_t c10 = c1;
+ return c10;
+}
+
+static inline void
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
+{
+ uint8_t tmp[72U] = { 0U };
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
+ KRML_MAYBE_FOR9(i,
+ (uint32_t)0U,
+ (uint32_t)9U,
+ (uint32_t)1U,
+ uint64_t *os = a;
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
+ uint64_t x = u;
+ os[i] = x;);
+}
+
+static inline void
+p521_make_order(uint64_t *n)
+{
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
+ n[5U] = (uint64_t)0xffffffffffffffffU;
+ n[6U] = (uint64_t)0xffffffffffffffffU;
+ n[7U] = (uint64_t)0xffffffffffffffffU;
+ n[8U] = (uint64_t)0x1ffU;
+}
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool
+Hacl_P521_validate_private_key(uint8_t *private_key)
+{
+ uint64_t bn_sk[9U] = { 0U };
+ bn_from_bytes_be(bn_sk, private_key);
+ uint64_t tmp[9U] = { 0U };
+ p521_make_order(tmp);
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
+ uint64_t is_lt_order = (uint64_t)0U - c;
+ uint64_t bn_zero[9U] = { 0U };
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
+ uint64_t is_eq_zero = res;
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
+}
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
@@ -0,0 +1,59 @@
+/* MIT License
+ *
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
+ * Copyright (c) 2022-2023 HACL* Contributors
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#ifndef __Hacl_P521_H
+#define __Hacl_P521_H
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+#include <string.h>
+#include "krml/internal/types.h"
+#include "krml/lowstar_endianness.h"
+
+#include "lib_intrinsics.h"
+
+/******************/
+/* Key validation */
+/******************/
+
+/**
+Private key validation.
+
+ The function returns `true` if a private key is valid and `false` otherwise.
+
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
+
+ The private key is valid:
+ • 0 < `private_key` < the order of the curve
+*/
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
+
+#if defined(__cplusplus)
+}
+#endif
+
+#define __Hacl_P521_H_DEFINED
+#endif

File diff suppressed because it is too large Load Diff

@ -1,7 +1,7 @@
%global nspr_build_version 4.35.0-1
%global nspr_release -1
%global nspr_version 4.35.0
%global nss_version 3.90.0
%global nss_version 3.101.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut
@ -113,7 +113,7 @@ Source28: nss-p11-kit.config
# will have their own validation
Source30: fips_algorithms.h
Source50: NameConstraints_Certs.tar
#Source50: NameConstraints_Certs.tar
# To inject hardening flags for DSO
Patch1: nss-dso-ldflags.patch
@ -129,67 +129,82 @@ Patch1: nss-dso-ldflags.patch
# Once the buildroot aha been bootstrapped the patch may be removed
# but it doesn't hurt to keep it.
Patch4: iquote.patch
#
# RHEL-8 specific patches not in RHEL-9
#
# To revert the change in:
# https://bugzilla.mozilla.org/show_bug.cgi?id=818686
Patch9: nss-sysinit-userdb.patch
Patch10: nss-sysinit-userdb.patch
# Disable nss-sysinit test which is solely to test the above change
Patch10: nss-skip-sysinit-gtests.patch
Patch15: nss-3.90-extend-db-dump-time.patch
Patch11: nss-skip-sysinit-gtests.patch
# For compatibility reasons, we stick with the old PKCS #11 2.40
# definition of CK_GCM_PARAMS:
%if 0%{?fedora} < 34
%if 0%{?rhel} < 9
Patch20: nss-gcm-param-default-pkcs11v2.patch
Patch12: nss-gcm-param-default-pkcs11v2.patch
%endif
%endif
# Local patch: disable MD5 (also MD2 and MD4) completely
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
Patch25: nss-disable-md5.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch30: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
Patch34: nss-3.71-fix-lto-gtests.patch
# Local patch: disable Delegated Credentials
Patch35: nss-disable-dc.patch
Patch13: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Local patch: ignore rsa, rsa-pss, ecdsa policies until crypto-policies
# is updated.
Patch40: nss-3.66-disable-signature-policies.patch
Patch14: nss-3.101-disable-signature-policies.patch
Patch15: nss-3.101-el8-fix-rsa-policy-test.patch
# Local patch: disable tests that require external reference so brew completes
Patch45: nss-3.66-disable-external-host-test.patch
Patch16: nss-3.66-disable-external-host-test.patch
# Local patch: restore old pkcs 12 defaults on old version of rhel
Patch50: nss-3.66-restore-old-pkcs12-default.patch
Patch17: nss-3.101-el8-restore-old-pkcs12-default.patch
# Local Patch: restore expired distrusted certs for now
Patch51: nss-3.79-revert-distrusted-certs.patch
Patch18: nss-3.79-revert-distrusted-certs.patch
# Local Patch: update fipsdefaults to AES
Patch52: nss-3.79-pkcs12-fips-defaults.patch
Patch53: nss-3.71-camellia-pkcs12-doc.patch
Patch54: nss-3.90-disable-ech.patch
Patch19: nss-3.79-pkcs12-fips-defaults.patch
# Local Patch: curve25519 keys can't be stored in dbm databases,
# only rhel-8 has dbm databases left, don't try to store
# curve25519 keys in the dbm database.
Patch20: nss-3.101-ec-dbm-test.patch
# end of RHEL-8 specific patches
# RHEL-specific shared with RHEL-9
Patch30: nss-3.101-extend-db-dump-time.patch
# Local patch: disable MD5 (also MD2 and MD4) completely
# https://bugzilla.redhat.com/show_bug.cgi?id=1849938
Patch32: nss-3.101-disable-md5.patch
Patch34: nss-3.71-fix-lto-gtests.patch
Patch35: nss-3.71-camellia-pkcs12-doc.patch
Patch36: nss-3.101-disable-ech.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1774659
Patch57: nss-3.79-dbtool.patch
Patch58: nss-3.79-fips.patch
# patches that expect to be upstreamed
# https://bugzilla.mozilla.org/show_bug.cgi?id=1767883
Patch50: nss-3.79-fips.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781
# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
Patch60: nss-3.90-DisablingASM.patch
Patch61: nss-3.79-fips-review.patches
Patch62: nss-3.90-no-dbm-25519.patch
Patch63: nss-3.90-pbkdf2-indicator.patch
#ems policy. needs to upstream
Patch70: nss-3.90-add-ems-policy.patch
Patch80: blinding_ct.patch
Patch81: nss-3.90-fips-pkcs11-long-hash.patch
Patch82: nss-3.90-fips-safe-memset.patch
Patch83: nss-3.90-fips-indicators.patch
Patch84: nss-3.90-aes-gmc-indicator.patch
Patch85: nss-3.90-fips-indicators2.patch
Patch86: nss-3.90-dh-test-update.patch
Patch90: nss_p256_scalar_validated.patch
Patch91: nss_p384_scalar_validated.patch
Patch92: nss_p384_hacl.patch
Patch93: nss_p521_hacl.patch
Patch94: nss-3.90-ecc-wrap-fix.patch
Patch95: nss-3.90-ecdsa-sign-padding-fix.patch
Patch51: nss-3.101-fips-review.patches
Patch52: nss-3.90-pbkdf2-indicator.patch
# ems policy. needs to upstream
Patch60: nss-3.101-add-ems-policy.patch
Patch70: nss-3.90-fips-safe-memset.patch
Patch71: nss-3.101-fips-indicators.patch
Patch72: nss-3.90-aes-gmc-indicator.patch
Patch73: nss-3.90-fips-indicators2.patch
Patch74: nss-3.90-dh-test-update.patch
Patch75: nss-3.90-ppc_no_init.patch
Patch76: nss-3.101-enable-kyber-policy.patch
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
Patch80: nss-3.101-el8-no-p12-smime-policy.patch
Patch81: nss-3.101-fix-missing-size-checks.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Patch82: nss-3.101-chacha-timing-fix.patch
Patch83: nss-3.101-add-certificate-compression-test.patch
Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch
#revert patches
Patch300: nss-3.101-default-libpkix.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -319,7 +334,8 @@ Header and library files for doing development with Network Security Services.
%prep
%autosetup -N -n %{name}-%{nss_archive_version}
pushd nss
%autopatch -p1
%autopatch -M 299 -p1
%patch -P 300 -p1 -R
popd
# copy the fips_algorithms.h for this release
@ -328,9 +344,9 @@ popd
cp %{SOURCE30} nss/lib/softoken/
#update expired test certs
pushd nss
tar xvf %{SOURCE50}
popd
#pushd nss
#tar xvf %{SOURCE50}
#popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
@ -888,11 +904,13 @@ update-crypto-policies --no-reload &> /dev/null || :
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nsshash.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
@ -981,6 +999,26 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage
- fix long password issue on pbmac encodings
* Thu Aug 1 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-6
- fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
- Fix missing and inaccurate key length checks
- Fix chacha timing issue
* Wed Jul 17 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
- Fix MD-5 decode issue in pkcs #12
- turn off policy processing for pkcs12 and smime
- update the restore defaults for pkcs12
* Tue Jun 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Rebase to NSS 3.101
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
- Allow for shorter ecdsa signatures by padding them to full length

Loading…
Cancel
Save