parent
28f38e694e
commit
62274c3ae9
@ -1,92 +0,0 @@
|
||||
diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c
|
||||
--- a/lib/pkcs12/p12d.c
|
||||
+++ b/lib/pkcs12/p12d.c
|
||||
@@ -335,35 +335,42 @@
|
||||
sec_PKCS12SafeContentsContext *safeContentsCtx =
|
||||
(sec_PKCS12SafeContentsContext *)arg;
|
||||
SEC_PKCS12DecoderContext *p12dcx;
|
||||
SECStatus rv;
|
||||
|
||||
- /* make sure that we are not skipping the current safeBag,
|
||||
- * and that there are no errors. If so, just return rather
|
||||
- * than continuing to process.
|
||||
- */
|
||||
- if (!safeContentsCtx || !safeContentsCtx->p12dcx ||
|
||||
- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
|
||||
+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) {
|
||||
return;
|
||||
}
|
||||
p12dcx = safeContentsCtx->p12dcx;
|
||||
|
||||
+ /* make sure that there are no errors and we are not skipping the current safeBag */
|
||||
+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+
|
||||
rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len);
|
||||
if (rv != SECSuccess) {
|
||||
p12dcx->errorValue = PORT_GetError();
|
||||
+ p12dcx->error = PR_TRUE;
|
||||
+ goto loser;
|
||||
+ }
|
||||
+
|
||||
+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we
|
||||
+ * may not get another opportunity to clean up the decoder context.
|
||||
+ */
|
||||
+ if (safeContentsCtx->skipCurrentSafeBag) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
return;
|
||||
|
||||
loser:
|
||||
- /* set the error, and finish the decoder context. because there
|
||||
+ /* Finish the decoder context. Because there
|
||||
* is not a way of returning an error message, it may be worth
|
||||
* while to do a check higher up and finish any decoding contexts
|
||||
* that are still open.
|
||||
*/
|
||||
- p12dcx->error = PR_TRUE;
|
||||
SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx);
|
||||
safeContentsCtx->currentSafeBagA1Dcx = NULL;
|
||||
return;
|
||||
}
|
||||
|
||||
diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h
|
||||
--- a/lib/pkcs12/p12t.h
|
||||
+++ b/lib/pkcs12/p12t.h
|
||||
@@ -71,10 +71,11 @@
|
||||
SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag;
|
||||
sec_PKCS12CertBag *certBag;
|
||||
sec_PKCS12CRLBag *crlBag;
|
||||
sec_PKCS12SecretBag *secretBag;
|
||||
sec_PKCS12SafeContents *safeContents;
|
||||
+ SECItem *unknownBag;
|
||||
} safeBagContent;
|
||||
|
||||
sec_PKCS12Attribute **attribs;
|
||||
|
||||
/* used locally */
|
||||
diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c
|
||||
--- a/lib/pkcs12/p12tmpl.c
|
||||
+++ b/lib/pkcs12/p12tmpl.c
|
||||
@@ -28,16 +28,16 @@
|
||||
|
||||
safeBag = (sec_PKCS12SafeBag *)src_or_dest;
|
||||
|
||||
oiddata = SECOID_FindOID(&safeBag->safeBagType);
|
||||
if (oiddata == NULL) {
|
||||
- return SEC_ASN1_GET(SEC_AnyTemplate);
|
||||
+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate);
|
||||
}
|
||||
|
||||
switch (oiddata->offset) {
|
||||
default:
|
||||
- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate);
|
||||
+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate);
|
||||
break;
|
||||
case SEC_OID_PKCS12_V1_KEY_BAG_ID:
|
||||
theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate);
|
||||
break;
|
||||
case SEC_OID_PKCS12_V1_CERT_BAG_ID:
|
||||
|
@ -0,0 +1,172 @@
|
||||
/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
/*
|
||||
* Vendors should replace this header file with the file containing those
|
||||
* algorithms which have NIST algorithm Certificates.
|
||||
*/
|
||||
|
||||
/* handle special cases. Classes require existing code to already be
|
||||
* in place for that class */
|
||||
typedef enum {
|
||||
SFTKFIPSNone = 0,
|
||||
SFTKFIPSDH, /* allow only specific primes */
|
||||
SFTKFIPSECC, /* not just keys but specific curves */
|
||||
SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */
|
||||
SFTKFIPSRSAPSS, /* make sure salt isn't too big */
|
||||
SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
/* set according to your security policy */
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7
|
||||
|
||||
typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList;
|
||||
struct SFTKFIPSAlgorithmListStr {
|
||||
CK_MECHANISM_TYPE type;
|
||||
CK_MECHANISM_INFO info;
|
||||
CK_ULONG step;
|
||||
SFTKFIPSSpecialClass special;
|
||||
};
|
||||
|
||||
SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
/* A sample set of algorithms to allow basic testing in our continous
|
||||
* testing infrastructure. The vendor version should replace this with
|
||||
* a version that matches their algorithm testing and security policy */
|
||||
/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it
|
||||
* differs in the following ways:
|
||||
* 1) the addition of step and class elements to help restrict
|
||||
* the supported key sizes and types.
|
||||
* 2) The mechanism flags are restricted to only those that map to
|
||||
* fips approved operations.
|
||||
* 3) All key sizes are in bits, independent of mechanism.
|
||||
* 4) You can add more then one entry for the same mechanism to handle
|
||||
* multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply
|
||||
* or where different operations have different key requirements.
|
||||
* This table does not encode all the modules legal FIPS semantics, only
|
||||
* those semantics that might possibly change due to algorithms dropping
|
||||
* of the security policy late in the process. */
|
||||
/* handy common flag types */
|
||||
#define CKF_KPG CKF_GENERATE_KEY_PAIR
|
||||
#define CKF_GEN CKF_GENERATE
|
||||
#define CKF_SGN (CKF_SIGN | CKF_VERIFY)
|
||||
#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEK (CKF_WRAP | CKF_UNWRAP)
|
||||
#define CKF_KEA CKF_DERIVE
|
||||
#define CKF_KDF CKF_DERIVE
|
||||
#define CKF_HSH CKF_DIGEST
|
||||
#define CK_MAX 0xffffffffUL
|
||||
/* mechanisms using the same key types share the same key type
|
||||
* limits */
|
||||
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
||||
#define RSA_FB_STEP 1
|
||||
#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */
|
||||
#define RSA_LEGACY_FB_STEP 256
|
||||
|
||||
#define DSA_FB_KEY 2048, 4096 /* min, max */
|
||||
#define DSA_FB_STEP 1024
|
||||
#define DH_FB_KEY 2048, 8192 /* min, max */
|
||||
#define DH_FB_STEP 1024
|
||||
#define EC_FB_KEY 256, 521 /* min, max */
|
||||
#define EC_FB_STEP 1 /* key limits handled by special operation */
|
||||
#define AES_FB_KEY 128, 256
|
||||
#define AES_FB_STEP 64
|
||||
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
|
||||
/* -------------- RSA Multipart Signing Operations -------------------- */
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
/* ------------------------- DSA Operations --------------------------- */
|
||||
{ CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone },
|
||||
/* -------------------- Diffie Hellman Operations --------------------- */
|
||||
{ CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH },
|
||||
{ CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH },
|
||||
/* -------------------- Elliptic Curve Operations --------------------- */
|
||||
{ CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
/* ------------------------- RC2 Operations --------------------------- */
|
||||
/* ------------------------- AES Operations --------------------------- */
|
||||
{ CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD },
|
||||
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
|
||||
/* ------------------------- Hashing Operations ----------------------- */
|
||||
{ CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
/* --------------------- Secret Key Operations ------------------------ */
|
||||
{ CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
/* ---------------------- SSL/TLS operations ------------------------- */
|
||||
{ CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone },
|
||||
|
||||
/* ------------------------- HKDF Operations -------------------------- */
|
||||
{ CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone },
|
||||
{ CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone },
|
||||
/* ------------------ NIST 800-108 Key Derivations ------------------- */
|
||||
{ CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
/* --------------------IPSEC ----------------------- */
|
||||
{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
{ CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone },
|
||||
/* ------------------ PBE Key Derivations ------------------- */
|
||||
{ CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
|
||||
};
|
||||
const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs);
|
@ -0,0 +1,20 @@
|
||||
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
|
||||
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
|
||||
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
|
||||
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
|
||||
<refsection id="encryption">
|
||||
<title>Password Encryption</title>
|
||||
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
<para>The private key is always protected with strong encryption by default.</para>
|
||||
<para>Several types of ciphers are supported.</para>
|
||||
<variablelist>
|
||||
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
<listitem>
|
||||
<itemizedlist>
|
||||
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
|
||||
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
@ -1,170 +0,0 @@
|
||||
diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c
|
||||
--- a/lib/softoken/legacydb/pcertdb.c
|
||||
+++ b/lib/softoken/legacydb/pcertdb.c
|
||||
@@ -4272,16 +4272,17 @@ CreateTrust(void)
|
||||
{
|
||||
NSSLOWCERTTrust *trust = NULL;
|
||||
|
||||
nsslowcert_LockFreeList();
|
||||
trust = trustListHead;
|
||||
if (trust) {
|
||||
trustListCount--;
|
||||
trustListHead = trust->next;
|
||||
+ trust->next = NULL;
|
||||
}
|
||||
PORT_Assert(trustListCount >= 0);
|
||||
nsslowcert_UnlockFreeList();
|
||||
if (trust) {
|
||||
return trust;
|
||||
}
|
||||
|
||||
return PORT_ZNew(NSSLOWCERTTrust);
|
||||
@@ -5155,19 +5156,21 @@ done:
|
||||
}
|
||||
|
||||
PRBool
|
||||
nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust)
|
||||
{
|
||||
if (trust == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) &&
|
||||
- (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) &&
|
||||
- (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN));
|
||||
+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then
|
||||
+ * we don't have a trust record. */
|
||||
+ return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
|
||||
+ ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) &&
|
||||
+ ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0));
|
||||
}
|
||||
|
||||
/*
|
||||
* This function has the logic that decides if another person's cert and
|
||||
* email profile from an S/MIME message should be saved. It can deal with
|
||||
* the case when there is no profile.
|
||||
*/
|
||||
static SECStatus
|
||||
diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c
|
||||
--- a/lib/softoken/sftkdb.c
|
||||
+++ b/lib/softoken/sftkdb.c
|
||||
@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI
|
||||
case CKA_TRUST_STEP_UP_APPROVED:
|
||||
case CKA_NSS_OVERRIDE_EXTENSIONS:
|
||||
return PR_TRUE;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
return PR_FALSE;
|
||||
}
|
||||
-
|
||||
/*
|
||||
* convert a native ULONG to a database ulong. Database ulong's
|
||||
* are all 4 byte big endian values.
|
||||
*/
|
||||
void
|
||||
sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value)
|
||||
{
|
||||
int i;
|
||||
|
||||
for (i = 0; i < SDB_ULONG_SIZE; i++) {
|
||||
data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* convert a database ulong back to a native ULONG. (reverse of the above
|
||||
- * function.
|
||||
+ * function).
|
||||
*/
|
||||
static CK_ULONG
|
||||
sftk_SDBULong2ULong(unsigned char *data)
|
||||
{
|
||||
int i;
|
||||
CK_ULONG value = 0;
|
||||
|
||||
for (i = 0; i < SDB_ULONG_SIZE; i++) {
|
||||
value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP);
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
+/* certain trust records are default values, which are the values
|
||||
+ * returned if the signature check fails anyway.
|
||||
+ * In those cases, we can skip the signature check. */
|
||||
+PRBool
|
||||
+sftkdb_isNullTrust(const CK_ATTRIBUTE *template)
|
||||
+{
|
||||
+ switch (template->type) {
|
||||
+ case CKA_TRUST_SERVER_AUTH:
|
||||
+ case CKA_TRUST_CLIENT_AUTH:
|
||||
+ case CKA_TRUST_EMAIL_PROTECTION:
|
||||
+ case CKA_TRUST_CODE_SIGNING:
|
||||
+ if (template->ulValueLen != SDB_ULONG_SIZE) {
|
||||
+ break;
|
||||
+ }
|
||||
+ if (sftk_SDBULong2ULong(template->pValue) ==
|
||||
+ CKT_NSS_TRUST_UNKNOWN) {
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ break;
|
||||
+ case CKA_TRUST_STEP_UP_APPROVED:
|
||||
+ if (template->ulValueLen != 1) {
|
||||
+ break;
|
||||
+ }
|
||||
+ if (*((unsigned char *)(template->pValue)) == 0) {
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
+ break;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ return PR_FALSE;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* fix up the input templates. Our fixed up ints are stored in data and must
|
||||
* be freed by the caller. The new template must also be freed. If there are no
|
||||
* CK_ULONG attributes, the orignal template is passed in as is.
|
||||
*/
|
||||
static CK_ATTRIBUTE *
|
||||
sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count,
|
||||
unsigned char **dataOut, int *dataOutSize)
|
||||
@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te
|
||||
}
|
||||
|
||||
/* copy the plain text back into the template */
|
||||
PORT_Memcpy(template[i].pValue, plainText->data, plainText->len);
|
||||
template[i].ulValueLen = plainText->len;
|
||||
SECITEM_ZfreeItem(plainText, PR_TRUE);
|
||||
}
|
||||
/* make sure signed attributes are valid */
|
||||
- if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) {
|
||||
+ if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)
|
||||
+ && !sftkdb_isNullTrust(&ntemplate[i])) {
|
||||
SECStatus rv;
|
||||
CK_RV local_crv;
|
||||
SECItem signText;
|
||||
SECItem plainText;
|
||||
unsigned char signData[SDB_MAX_META_DATA_LEN];
|
||||
|
||||
signText.data = signData;
|
||||
signText.len = sizeof(signData);
|
||||
@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle,
|
||||
crv = (*source->sdb_GetAttributeValue)(source, id,
|
||||
ptemplate, max_attributes);
|
||||
if (crv != CKR_OK) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate,
|
||||
max_attributes);
|
||||
+/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id,
|
||||
+ handle->updateID?handle->updateID: "<NULL>");*/
|
||||
|
||||
/*
|
||||
* Update Object updates the object template if necessary then returns
|
||||
* whether or not we need to actually write the object out to our target
|
||||
* database.
|
||||
*/
|
||||
if (!handle->updateID) {
|
||||
crv = sftkdb_CreateObject(arena, handle, target, &newID,
|
@ -1,522 +0,0 @@
|
||||
diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c
|
||||
--- a/cmd/bltest/blapitest.c
|
||||
+++ b/cmd/bltest/blapitest.c
|
||||
@@ -3870,17 +3870,17 @@ main(int argc, char **argv)
|
||||
rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff,
|
||||
encrypt, decrypt);
|
||||
PORT_Free(cipherInfo);
|
||||
return rv == SECSuccess ? 0 : 1;
|
||||
}
|
||||
|
||||
/* Do FIPS self-test */
|
||||
if (bltest.commands[cmd_FIPS].activated) {
|
||||
- CK_RV ckrv = sftk_FIPSEntryOK();
|
||||
+ CK_RV ckrv = sftk_FIPSEntryOK(PR_FALSE);
|
||||
fprintf(stdout, "CK_RV: %ld.\n", ckrv);
|
||||
PORT_Free(cipherInfo);
|
||||
if (ckrv == CKR_OK)
|
||||
return SECSuccess;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c
|
||||
--- a/cmd/pk11mode/pk11mode.c
|
||||
+++ b/cmd/pk11mode/pk11mode.c
|
||||
@@ -318,23 +318,25 @@ static PRBool verbose = PR_FALSE;
|
||||
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
CK_C_GetFunctionList pC_GetFunctionList;
|
||||
CK_FUNCTION_LIST_PTR pFunctionList;
|
||||
CK_RV crv = CKR_OK;
|
||||
CK_C_INITIALIZE_ARGS_NSS initArgs;
|
||||
+ CK_C_INITIALIZE_ARGS_NSS initArgsRerun; /* rerun selftests */
|
||||
CK_SLOT_ID *pSlotList = NULL;
|
||||
CK_TOKEN_INFO tokenInfo;
|
||||
CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */
|
||||
|
||||
CK_UTF8CHAR *pwd = NULL;
|
||||
CK_ULONG pwdLen = 0;
|
||||
char *moduleSpec = NULL;
|
||||
+ char *moduleSpecRerun = NULL;
|
||||
char *configDir = NULL;
|
||||
char *dbPrefix = NULL;
|
||||
char *disableUnload = NULL;
|
||||
PRBool doForkTests = PR_TRUE;
|
||||
|
||||
PLOptStatus os;
|
||||
PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:");
|
||||
while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) {
|
||||
@@ -458,18 +460,23 @@ main(int argc, char **argv)
|
||||
initArgs.CreateMutex = NULL;
|
||||
initArgs.DestroyMutex = NULL;
|
||||
initArgs.LockMutex = NULL;
|
||||
initArgs.UnlockMutex = NULL;
|
||||
initArgs.flags = CKF_OS_LOCKING_OK;
|
||||
moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' "
|
||||
"keyPrefix='%s' secmod='secmod.db' flags= ",
|
||||
configDir, dbPrefix, dbPrefix);
|
||||
+ moduleSpecRerun = PR_smprintf("configdir='%s' certPrefix='%s' "
|
||||
+ "keyPrefix='%s' secmod='secmod.db' flags=forcePOST ",
|
||||
+ configDir, dbPrefix, dbPrefix);
|
||||
initArgs.LibraryParameters = (CK_CHAR_PTR *)moduleSpec;
|
||||
initArgs.pReserved = NULL;
|
||||
+ initArgsRerun = initArgs;
|
||||
+ initArgsRerun.LibraryParameters = (CK_CHAR_PTR *)moduleSpecRerun;
|
||||
|
||||
/*DebugBreak();*/
|
||||
/* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */
|
||||
/* NSS cryptographic module library initialization for the FIPS */
|
||||
/* Approved mode when FC_Initialize is envoked will perfom */
|
||||
/* software integrity test, and power-up self-tests before */
|
||||
/* FC_Initialize returns */
|
||||
crv = pFunctionList->C_Initialize(&initArgs);
|
||||
@@ -705,17 +712,17 @@ main(int argc, char **argv)
|
||||
PKM_Error("PKM_HybridMode failed with 0x%08X, %-26s\n", crv,
|
||||
PKM_CK_RVtoStr(crv));
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (doForkTests) {
|
||||
/* testing one more C_Initialize / C_Finalize to exercise getpid()
|
||||
* fork check code */
|
||||
- crv = pFunctionList->C_Initialize(&initArgs);
|
||||
+ crv = pFunctionList->C_Initialize(&initArgsRerun);
|
||||
if (crv == CKR_OK) {
|
||||
PKM_LogIt("C_Initialize succeeded\n");
|
||||
} else {
|
||||
PKM_Error("C_Initialize failed with 0x%08X, %-26s\n", crv,
|
||||
PKM_CK_RVtoStr(crv));
|
||||
goto cleanup;
|
||||
}
|
||||
crv = pFunctionList->C_Finalize(NULL);
|
||||
@@ -741,16 +748,19 @@ cleanup:
|
||||
free(configDir);
|
||||
}
|
||||
if (dbPrefix) {
|
||||
free(dbPrefix);
|
||||
}
|
||||
if (moduleSpec) {
|
||||
PR_smprintf_free(moduleSpec);
|
||||
}
|
||||
+ if (moduleSpecRerun) {
|
||||
+ PR_smprintf_free(moduleSpecRerun);
|
||||
+ }
|
||||
|
||||
#ifdef _WIN32
|
||||
FreeLibrary(hModule);
|
||||
#else
|
||||
disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
|
||||
if (!disableUnload) {
|
||||
PR_UnloadLibrary(lib);
|
||||
}
|
||||
diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h
|
||||
--- a/lib/freebl/blapii.h
|
||||
+++ b/lib/freebl/blapii.h
|
||||
@@ -24,17 +24,17 @@ typedef SECStatus (*freeblAeadFunc)(void
|
||||
void *params, unsigned int paramsLen,
|
||||
const unsigned char *aad, unsigned int aadLen,
|
||||
unsigned int blocksize);
|
||||
typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit);
|
||||
|
||||
SEC_BEGIN_PROTOS
|
||||
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
-SECStatus BL_FIPSEntryOK(PRBool freeblOnly);
|
||||
+SECStatus BL_FIPSEntryOK(PRBool freeblOnly, PRBool rerun);
|
||||
PRBool BL_POSTRan(PRBool freeblOnly);
|
||||
#endif
|
||||
|
||||
#if defined(XP_UNIX) && !defined(NO_FORK_CHECK)
|
||||
|
||||
extern PRBool bl_parentForkedAfterC_Initialize;
|
||||
|
||||
#define SKIP_AFTER_FORK(x) \
|
||||
diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
|
||||
--- a/lib/freebl/blapit.h
|
||||
+++ b/lib/freebl/blapit.h
|
||||
@@ -223,16 +223,21 @@ typedef int __BLAPI_DEPRECATED __attribu
|
||||
*
|
||||
* If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation)
|
||||
* we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2)
|
||||
* GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE:
|
||||
* the variable IV size for TLS is 64 bits, which explains why it's not safe
|
||||
* to use a random value for the nonce in TLS. */
|
||||
#define GCMIV_RANDOM_BIRTHDAY_BITS 64
|
||||
|
||||
+/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */
|
||||
+#define BLAPI_FIPS_RERUN_FLAG '\377' /* 0xff, 255 invalide code for UFT8/ASCII */
|
||||
+#define BLAPI_FIPS_RERUN_FLAG_STRING "\377" /* The above as a C string */
|
||||
+
|
||||
+
|
||||
/***************************************************************************
|
||||
** Opaque objects
|
||||
*/
|
||||
|
||||
struct DESContextStr;
|
||||
struct RC2ContextStr;
|
||||
struct RC4ContextStr;
|
||||
struct RC5ContextStr;
|
||||
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
|
||||
--- a/lib/freebl/fipsfreebl.c
|
||||
+++ b/lib/freebl/fipsfreebl.c
|
||||
@@ -2211,29 +2211,37 @@ bl_startup_tests(void)
|
||||
}
|
||||
|
||||
/*
|
||||
* this is called from the freebl init entry points that controll access to
|
||||
* all other freebl functions. This prevents freebl from operating if our
|
||||
* power on selftest failed.
|
||||
*/
|
||||
SECStatus
|
||||
-BL_FIPSEntryOK(PRBool freebl_only)
|
||||
+BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun)
|
||||
{
|
||||
#ifdef NSS_NO_INIT_SUPPORT
|
||||
/* this should only be set on platforms that can't handle one of the INIT
|
||||
* schemes. This code allows those platforms to continue to function,
|
||||
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
|
||||
* is not set, and init support has not been properly enabled, freebl
|
||||
* will always fail because of the test below
|
||||
*/
|
||||
if (!self_tests_freebl_ran) {
|
||||
bl_startup_tests();
|
||||
}
|
||||
#endif
|
||||
+ if (rerun) {
|
||||
+ /* reset the flags */
|
||||
+ self_tests_freebl_ran = PR_FALSE;
|
||||
+ self_tests_success = PR_FALSE;
|
||||
+ self_tests_success = PR_FALSE;
|
||||
+ self_tests_freebl_success = PR_FALSE;
|
||||
+ bl_startup_tests();
|
||||
+ }
|
||||
/* if the general self tests succeeded, we're done */
|
||||
if (self_tests_success) {
|
||||
return SECSuccess;
|
||||
}
|
||||
/* standalone freebl can initialize */
|
||||
if (freebl_only && self_tests_freebl_success) {
|
||||
return SECSuccess;
|
||||
}
|
||||
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
||||
--- a/lib/freebl/nsslowhash.c
|
||||
+++ b/lib/freebl/nsslowhash.c
|
||||
@@ -55,17 +55,17 @@ NSSLOW_Init(void)
|
||||
#ifdef FREEBL_NO_DEPEND
|
||||
(void)FREEBL_InitStubs();
|
||||
#endif
|
||||
|
||||
#ifndef NSS_FIPS_DISABLED
|
||||
/* make sure the FIPS product is installed if we are trying to
|
||||
* go into FIPS mode */
|
||||
if (nsslow_GetFIPSEnabled()) {
|
||||
- if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
|
||||
+ if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
|
||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||
post_failed = PR_TRUE;
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
post_failed = PR_FALSE;
|
||||
|
||||
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
|
||||
--- a/lib/freebl/shvfy.c
|
||||
+++ b/lib/freebl/shvfy.c
|
||||
@@ -282,52 +282,62 @@ readItem(PRFileDesc *fd, SECItem *item)
|
||||
PORT_Free(item->data);
|
||||
item->data = NULL;
|
||||
item->len = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
|
||||
-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self);
|
||||
+static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun);
|
||||
|
||||
static PRBool
|
||||
-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self)
|
||||
+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun)
|
||||
{
|
||||
PRBool result = PR_FALSE; /* if anything goes wrong,
|
||||
* the signature does not verify */
|
||||
/* find our shared library name */
|
||||
char *shName = PR_GetLibraryFilePathname(name, addr);
|
||||
if (!shName) {
|
||||
goto loser;
|
||||
}
|
||||
- result = blapi_SHVerifyFile(shName, self);
|
||||
+ result = blapi_SHVerifyFile(shName, self, rerun);
|
||||
|
||||
loser:
|
||||
if (shName != NULL) {
|
||||
PR_Free(shName);
|
||||
}
|
||||
|
||||
return result;
|
||||
}
|
||||
|
||||
PRBool
|
||||
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
|
||||
{
|
||||
- return blapi_SHVerify(name, addr, PR_FALSE);
|
||||
+ PRBool rerun = PR_FALSE;
|
||||
+ if (name && *name == BLAPI_FIPS_RERUN_FLAG) {
|
||||
+ name++;
|
||||
+ rerun = PR_TRUE;
|
||||
+ }
|
||||
+ return blapi_SHVerify(name, addr, PR_FALSE, rerun);
|
||||
}
|
||||
|
||||
PRBool
|
||||
BLAPI_SHVerifyFile(const char *shName)
|
||||
{
|
||||
- return blapi_SHVerifyFile(shName, PR_FALSE);
|
||||
+ PRBool rerun = PR_FALSE;
|
||||
+ if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) {
|
||||
+ shName++;
|
||||
+ rerun = PR_TRUE;
|
||||
+ }
|
||||
+ return blapi_SHVerifyFile(shName, PR_FALSE, rerun);
|
||||
}
|
||||
|
||||
static PRBool
|
||||
-blapi_SHVerifyFile(const char *shName, PRBool self)
|
||||
+blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun)
|
||||
{
|
||||
char *checkName = NULL;
|
||||
PRFileDesc *checkFD = NULL;
|
||||
PRFileDesc *shFD = NULL;
|
||||
void *hashcx = NULL;
|
||||
const SECHashObject *hashObj = NULL;
|
||||
SECItem signature = { 0, NULL, 0 };
|
||||
SECItem hash;
|
||||
@@ -346,17 +356,17 @@ blapi_SHVerifyFile(const char *shName, P
|
||||
unsigned char hashBuf[HASH_LENGTH_MAX];
|
||||
|
||||
PORT_Memset(&key, 0, sizeof(key));
|
||||
hash.data = hashBuf;
|
||||
hash.len = sizeof(hashBuf);
|
||||
|
||||
/* If our integrity check was never ran or failed, fail any other
|
||||
* integrity checks to prevent any token going into FIPS mode. */
|
||||
- if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) {
|
||||
+ if (!self && (BL_FIPSEntryOK(PR_FALSE, rerun) != SECSuccess)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
|
||||
if (!shName) {
|
||||
goto loser;
|
||||
}
|
||||
|
||||
/* figure out the name of our check file */
|
||||
@@ -536,17 +546,17 @@ BLAPI_VerifySelf(const char *name)
|
||||
{
|
||||
if (name == NULL) {
|
||||
/*
|
||||
* If name is NULL, freebl is statically linked into softoken.
|
||||
* softoken will call BLAPI_SHVerify next to verify itself.
|
||||
*/
|
||||
return PR_TRUE;
|
||||
}
|
||||
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
|
||||
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE);
|
||||
}
|
||||
|
||||
#else /* NSS_FIPS_DISABLED */
|
||||
|
||||
PRBool
|
||||
BLAPI_SHVerifyFile(const char *shName)
|
||||
{
|
||||
return PR_FALSE;
|
||||
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
|
||||
--- a/lib/softoken/fipstest.c
|
||||
+++ b/lib/softoken/fipstest.c
|
||||
@@ -684,22 +684,25 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
||||
|
||||
static PRBool sftk_self_tests_ran = PR_FALSE;
|
||||
static PRBool sftk_self_tests_success = PR_FALSE;
|
||||
|
||||
/*
|
||||
* This function is called at dll load time, the code tha makes this
|
||||
* happen is platform specific on defined above.
|
||||
*/
|
||||
-static void
|
||||
-sftk_startup_tests(void)
|
||||
+void sftk_startup_tests_with_rerun(PRBool rerun)
|
||||
{
|
||||
SECStatus rv;
|
||||
- const char *libraryName = SOFTOKEN_LIB_NAME;
|
||||
-
|
||||
+ /*const char *nlibraryName = SOFTOKEN_LIB_NAME;
|
||||
+ const char *rlibraryName = BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME; */
|
||||
+ const char *libraryName = rerun ?
|
||||
+ BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME :
|
||||
+ SOFTOKEN_LIB_NAME;
|
||||
+
|
||||
PORT_Assert(!sftk_self_tests_ran);
|
||||
PORT_Assert(!sftk_self_tests_success);
|
||||
sftk_self_tests_ran = PR_TRUE;
|
||||
sftk_self_tests_success = PR_FALSE; /* just in case */
|
||||
|
||||
/* need to initiallize the oid library before the RSA tests */
|
||||
rv = SECOID_Init();
|
||||
if (rv != SECSuccess) {
|
||||
@@ -746,35 +749,46 @@ sftk_startup_tests(void)
|
||||
rv = sftk_fips_pbkdf_PowerUpSelfTests();
|
||||
if (rv != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
|
||||
sftk_self_tests_success = PR_TRUE;
|
||||
}
|
||||
|
||||
+static void
|
||||
+sftk_startup_tests(void)
|
||||
+{
|
||||
+ sftk_startup_tests_with_rerun(PR_FALSE);
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* this is called from nsc_Common_Initizialize entry points that gates access
|
||||
* to * all other pkcs11 functions. This prevents softoken operation if our
|
||||
* power on selftest failed.
|
||||
*/
|
||||
CK_RV
|
||||
-sftk_FIPSEntryOK()
|
||||
+sftk_FIPSEntryOK(PRBool rerun)
|
||||
{
|
||||
#ifdef NSS_NO_INIT_SUPPORT
|
||||
/* this should only be set on platforms that can't handle one of the INIT
|
||||
* schemes. This code allows those platforms to continue to function,
|
||||
* though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT
|
||||
* is not set, and init support has not been properly enabled, softken
|
||||
* will always fail because of the test below
|
||||
*/
|
||||
if (!sftk_self_tests_ran) {
|
||||
sftk_startup_tests();
|
||||
}
|
||||
#endif
|
||||
+ if (rerun) {
|
||||
+ sftk_self_tests_ran = PR_FALSE;
|
||||
+ sftk_self_tests_success = PR_FALSE;
|
||||
+ sftk_startup_tests_with_rerun(PR_TRUE);
|
||||
+ }
|
||||
if (!sftk_self_tests_success) {
|
||||
return CKR_DEVICE_ERROR;
|
||||
}
|
||||
return CKR_OK;
|
||||
}
|
||||
#else
|
||||
#include "pkcs11t.h"
|
||||
CK_RV
|
||||
diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c
|
||||
--- a/lib/softoken/fipstokn.c
|
||||
+++ b/lib/softoken/fipstokn.c
|
||||
@@ -524,25 +524,32 @@ fc_log_init_error(CK_RV crv)
|
||||
}
|
||||
|
||||
/* FC_Initialize initializes the PKCS #11 library. */
|
||||
CK_RV
|
||||
FC_Initialize(CK_VOID_PTR pReserved)
|
||||
{
|
||||
const char *envp;
|
||||
CK_RV crv;
|
||||
+ PRBool rerun;
|
||||
|
||||
if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) {
|
||||
sftk_audit_enabled = (atoi(envp) == 1);
|
||||
}
|
||||
|
||||
+ /* if we have the forcePOST flag on, rerun the integrity checks */
|
||||
+ /* we need to know this before we fully parse the arguments in
|
||||
+ * nsc_CommonInitialize, so read it now */
|
||||
+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved);
|
||||
+
|
||||
/* At this point we should have already done post and integrity checks.
|
||||
* if we haven't, it probably means the FIPS product has not been installed
|
||||
- * or the tests failed. Don't let an application try to enter FIPS mode */
|
||||
- crv = sftk_FIPSEntryOK();
|
||||
+ * or the tests failed. Don't let an application try to enter FIPS mode. This
|
||||
+ * also forces the tests to be rerun if forcePOST is set. */
|
||||
+ crv = sftk_FIPSEntryOK(rerun);
|
||||
if (crv != CKR_OK) {
|
||||
sftk_fatalError = PR_TRUE;
|
||||
fc_log_init_error(crv);
|
||||
return crv;
|
||||
}
|
||||
|
||||
sftk_ForkReset(pReserved, &crv);
|
||||
|
||||
diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
|
||||
--- a/lib/softoken/pkcs11i.h
|
||||
+++ b/lib/softoken/pkcs11i.h
|
||||
@@ -869,16 +869,17 @@ extern CK_RV sftk_MechAllowsOperation(CK
|
||||
* acquiring a reference to the keydb from the slot */
|
||||
NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey);
|
||||
|
||||
/*
|
||||
* parameter parsing functions
|
||||
*/
|
||||
CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS);
|
||||
void sftk_freeParams(sftk_parameters *params);
|
||||
+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved);
|
||||
|
||||
/*
|
||||
* narrow objects
|
||||
*/
|
||||
SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *);
|
||||
SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *);
|
||||
|
||||
/*
|
||||
diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c
|
||||
--- a/lib/softoken/sftkpars.c
|
||||
+++ b/lib/softoken/sftkpars.c
|
||||
@@ -244,8 +244,21 @@ sftk_freeParams(sftk_parameters *params)
|
||||
FREE_CLEAR(params->configdir);
|
||||
FREE_CLEAR(params->secmodName);
|
||||
FREE_CLEAR(params->man);
|
||||
FREE_CLEAR(params->libdes);
|
||||
FREE_CLEAR(params->tokens);
|
||||
FREE_CLEAR(params->updatedir);
|
||||
FREE_CLEAR(params->updateID);
|
||||
}
|
||||
+
|
||||
+PRBool
|
||||
+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved)
|
||||
+{
|
||||
+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved;
|
||||
+
|
||||
+ /* if we don't have any params, the flag isn't set */
|
||||
+ if ((!init_args || !init_args->LibraryParameters)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+
|
||||
+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters);
|
||||
+}
|
||||
diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h
|
||||
--- a/lib/softoken/softoken.h
|
||||
+++ b/lib/softoken/softoken.h
|
||||
@@ -52,17 +52,17 @@ extern unsigned char *CBC_PadBuffer(PLAr
|
||||
unsigned int inlen, unsigned int *outlen,
|
||||
int blockSize);
|
||||
|
||||
/****************************************/
|
||||
/*
|
||||
** Power-Up selftests are required for FIPS.
|
||||
*/
|
||||
/* make sure Power-up selftests have been run. */
|
||||
-extern CK_RV sftk_FIPSEntryOK(void);
|
||||
+extern CK_RV sftk_FIPSEntryOK(PRBool rerun);
|
||||
|
||||
/*
|
||||
** make known fixed PKCS #11 key types to their sizes in bytes
|
||||
*/
|
||||
unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType);
|
||||
|
||||
/*
|
||||
** FIPS 140-2 auditing
|
@ -0,0 +1,497 @@
|
||||
diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c
|
||||
--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700
|
||||
@@ -445,7 +445,7 @@ cleanup:
|
||||
PRBool
|
||||
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
||||
{
|
||||
- mp_int p, q, y, r;
|
||||
+ mp_int p, q, y, r, psub1;
|
||||
mp_err err;
|
||||
int cmp = 1; /* default is false */
|
||||
if (!Y || !prime || !subPrime) {
|
||||
@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
|
||||
MP_DIGITS(&q) = 0;
|
||||
MP_DIGITS(&y) = 0;
|
||||
MP_DIGITS(&r) = 0;
|
||||
+ MP_DIGITS(&psub1) = 0;
|
||||
CHECK_MPI_OK(mp_init(&p));
|
||||
CHECK_MPI_OK(mp_init(&q));
|
||||
CHECK_MPI_OK(mp_init(&y));
|
||||
CHECK_MPI_OK(mp_init(&r));
|
||||
+ CHECK_MPI_OK(mp_init(&psub1));
|
||||
SECITEM_TO_MPINT(*prime, &p);
|
||||
SECITEM_TO_MPINT(*subPrime, &q);
|
||||
SECITEM_TO_MPINT(*Y, &y);
|
||||
+ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
|
||||
+ /*
|
||||
+ * We check that the public value isn't zero (which isn't in the
|
||||
+ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We
|
||||
+ * also check that the public value is less than p, to avoid being fooled
|
||||
+ * by values like p+1 or 2*p-1.
|
||||
+ * This check is required by SP-800-56Ar3. It's also done in derive,
|
||||
+ * but this is only called in various FIPS cases, so put it here to help
|
||||
+ * reviewers find it.
|
||||
+ */
|
||||
+ if (mp_cmp_d(&y, 1) <= 0 ||
|
||||
+ mp_cmp(&y, &psub1) >= 0) {
|
||||
+ err = MP_BADARG;
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
/* compute r = y**q mod p */
|
||||
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
|
||||
/* compare to 1 */
|
||||
@@ -472,6 +489,7 @@ cleanup:
|
||||
mp_clear(&q);
|
||||
mp_clear(&y);
|
||||
mp_clear(&r);
|
||||
+ mp_clear(&psub1);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700
|
||||
+++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
* handle the base object stuff
|
||||
*/
|
||||
crv = sftk_handleObject(key, session);
|
||||
+ /* we need to do this check at the end, so we can check the generated
|
||||
+ * key length against fips requirements */
|
||||
+ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
+ session->lastOpWasFIPS = key->isFIPS;
|
||||
sftk_FreeSession(session);
|
||||
if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL));
|
||||
@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) {
|
||||
crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL));
|
||||
}
|
||||
- /* we need to do this check at the end, so we can check the generated key length against
|
||||
- * fips requirements */
|
||||
- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key);
|
||||
if (crv == CKR_OK) {
|
||||
*phKey = key->handle;
|
||||
}
|
||||
@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
|
||||
if (isDerivable) {
|
||||
SFTKAttribute *pubAttribute = NULL;
|
||||
- CK_OBJECT_HANDLE newKey;
|
||||
PRBool isFIPS = sftk_isFIPS(slot->slotID);
|
||||
- CK_RV crv2;
|
||||
- CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
|
||||
- CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
|
||||
- CK_ULONG keyLen = 128;
|
||||
- CK_BBOOL ckTrue = CK_TRUE;
|
||||
- CK_ATTRIBUTE template[] = {
|
||||
- { CKA_CLASS, &secret, sizeof(secret) },
|
||||
- { CKA_KEY_TYPE, &generic, sizeof(generic) },
|
||||
- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
|
||||
- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
|
||||
- };
|
||||
- CK_ULONG templateCount = PR_ARRAY_SIZE(template);
|
||||
- CK_ECDH1_DERIVE_PARAMS ecParams;
|
||||
+ NSSLOWKEYPrivateKey *lowPrivKey = NULL;
|
||||
+ ECPrivateKey *ecPriv;
|
||||
+ SECItem *lowPubValue = NULL;
|
||||
+ SECItem item;
|
||||
+ SECStatus rv;
|
||||
|
||||
crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
|
||||
- /* FIPS 140-2 requires we verify that the resulting key is a valid key.
|
||||
- * The easiest way to do this is to do a derive operation, which checks
|
||||
- * the validity of the key */
|
||||
-
|
||||
+ /* FIPS 140-3 requires we verify that the resulting key is a valid key
|
||||
+ * by recalculating the public can an compare it to our own public
|
||||
+ * key. */
|
||||
+ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv);
|
||||
+ if (lowPrivKey == NULL) {
|
||||
+ return sftk_MapCryptError(PORT_GetError());
|
||||
+ }
|
||||
+ /* recalculate the public key from the private key */
|
||||
switch (keyType) {
|
||||
- case CKK_DH:
|
||||
- mech.mechanism = CKM_DH_PKCS_DERIVE;
|
||||
- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
|
||||
- if (pubAttribute == NULL) {
|
||||
- return CKR_DEVICE_ERROR;
|
||||
- }
|
||||
- mech.pParameter = pubAttribute->attrib.pValue;
|
||||
- mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
|
||||
- break;
|
||||
- case CKK_EC:
|
||||
- mech.mechanism = CKM_ECDH1_DERIVE;
|
||||
- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
|
||||
- if (pubAttribute == NULL) {
|
||||
- return CKR_DEVICE_ERROR;
|
||||
- }
|
||||
- ecParams.kdf = CKD_NULL;
|
||||
- ecParams.ulSharedDataLen = 0;
|
||||
- ecParams.pSharedData = NULL;
|
||||
- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
|
||||
- ecParams.pPublicData = pubAttribute->attrib.pValue;
|
||||
- mech.pParameter = &ecParams;
|
||||
- mech.ulParameterLen = sizeof(ecParams);
|
||||
- break;
|
||||
- default:
|
||||
- return CKR_DEVICE_ERROR;
|
||||
+ case CKK_DH:
|
||||
+ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime,
|
||||
+ &lowPrivKey->u.dh.privateValue, &item, 0);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
+ lowPubValue = SECITEM_DupItem(&item);
|
||||
+ SECITEM_ZfreeItem(&item, PR_FALSE);
|
||||
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
|
||||
+ break;
|
||||
+ case CKK_EC:
|
||||
+ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv,
|
||||
+ lowPrivKey->u.ec.privateValue.data,
|
||||
+ lowPrivKey->u.ec.privateValue.len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
+ }
|
||||
+ /* make sure it has the same encoding */
|
||||
+ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
+ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
+ } else {
|
||||
+ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));;
|
||||
+ }
|
||||
+ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
|
||||
+ /* clear out our generated private key */
|
||||
+ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
|
||||
+ break;
|
||||
+ default:
|
||||
+ return CKR_DEVICE_ERROR;
|
||||
}
|
||||
-
|
||||
- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
|
||||
- if (crv != CKR_OK) {
|
||||
- sftk_FreeAttribute(pubAttribute);
|
||||
- return crv;
|
||||
+ /* now compare new public key with our already generated key */
|
||||
+ if ((pubAttribute == NULL) || (lowPubValue == NULL) ||
|
||||
+ (pubAttribute->attrib.ulValueLen != lowPubValue->len) ||
|
||||
+ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data,
|
||||
+ lowPubValue->len) != 0)) {
|
||||
+ if (pubAttribute) sftk_FreeAttribute(pubAttribute);
|
||||
+ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return CKR_GENERAL_ERROR;
|
||||
}
|
||||
+ SECITEM_ZfreeItem(lowPubValue, PR_TRUE);
|
||||
+
|
||||
/* FIPS requires full validation, but in fipx mode NSC_Derive
|
||||
* only does partial validation with approved primes, now handle
|
||||
* full validation */
|
||||
@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
SECItem pubKey;
|
||||
SECItem prime;
|
||||
SECItem subPrime;
|
||||
+ SECItem base;
|
||||
+ SECItem generator;
|
||||
const SECItem *subPrimePtr = &subPrime;
|
||||
|
||||
pubKey.data = pubAttribute->attrib.pValue;
|
||||
pubKey.len = pubAttribute->attrib.ulValueLen;
|
||||
- prime.data = subPrime.data = NULL;
|
||||
- prime.len = subPrime.len = 0;
|
||||
+ base.data = prime.data = subPrime.data = NULL;
|
||||
+ base.len = prime.len = subPrime.len = 0;
|
||||
crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
|
||||
if (crv != CKR_OK) {
|
||||
goto done;
|
||||
}
|
||||
- crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
|
||||
+ crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ goto done;
|
||||
+ }
|
||||
/* we ignore the return code an only look at the length */
|
||||
- if (subPrime.len == 0) {
|
||||
- /* subprime not supplied, In this case look it up.
|
||||
- * This only works with approved primes, but in FIPS mode
|
||||
- * that's the only kine of prime that will get here */
|
||||
- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS);
|
||||
- if (subPrimePtr == NULL) {
|
||||
- crv = CKR_GENERAL_ERROR;
|
||||
+ /* do we have a known prime ? */
|
||||
+ subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS);
|
||||
+ if (subPrimePtr == NULL) {
|
||||
+ if (subPrime.len == 0) {
|
||||
+ /* if not a known prime, subprime must be supplied */
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ } else {
|
||||
+ /* not a known prime, check for primality of prime
|
||||
+ * and subPrime */
|
||||
+ if (!KEA_PrimeCheck(&prime)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ if (!KEA_PrimeCheck(&subPrime)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ /* if we aren't using a defined group, make sure base is in the
|
||||
+ * subgroup. If it's not, then our key could fail or succeed sometimes.
|
||||
+ * This makes the failure reliable */
|
||||
+ if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ }
|
||||
+ }
|
||||
+ subPrimePtr = &subPrime;
|
||||
+ } else {
|
||||
+ /* we're using a known group, make sure we are using the known generator for that group */
|
||||
+ if (SECITEM_CompareItem(&generator, &base) != 0) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
goto done;
|
||||
}
|
||||
+ if (subPrime.len != 0) {
|
||||
+ /* we have a known prime and a supplied subPrime,
|
||||
+ * make sure the subPrime matches the subPrime for
|
||||
+ * the known Prime */
|
||||
+ if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) {
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
+ goto done;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
|
||||
- crv = CKR_GENERAL_ERROR;
|
||||
+ crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
}
|
||||
done:
|
||||
+ SECITEM_ZfreeItem(&base, PR_FALSE);
|
||||
SECITEM_ZfreeItem(&subPrime, PR_FALSE);
|
||||
SECITEM_ZfreeItem(&prime, PR_FALSE);
|
||||
}
|
||||
/* clean up before we return */
|
||||
sftk_FreeAttribute(pubAttribute);
|
||||
- crv2 = NSC_DestroyObject(hSession, newKey);
|
||||
if (crv != CKR_OK) {
|
||||
return crv;
|
||||
}
|
||||
- if (crv2 != CKR_OK) {
|
||||
- return crv2;
|
||||
- }
|
||||
}
|
||||
|
||||
return CKR_OK;
|
||||
@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
* created and linked.
|
||||
*/
|
||||
crv = sftk_handleObject(publicKey, session);
|
||||
- sftk_FreeSession(session);
|
||||
if (crv != CKR_OK) {
|
||||
+ sftk_FreeSession(session);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
sftk_FreeObject(privateKey);
|
||||
@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (crv != CKR_OK) {
|
||||
+ sftk_FreeSession(session);
|
||||
NSC_DestroyObject(hSession, publicKey->handle);
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
/* we need to do this check at the end to make sure the generated key meets the key length requirements */
|
||||
privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey);
|
||||
publicKey->isFIPS = privateKey->isFIPS;
|
||||
+ session->lastOpWasFIPS = privateKey->isFIPS;
|
||||
+ sftk_FreeSession(session);
|
||||
|
||||
*phPrivateKey = privateKey->handle;
|
||||
*phPublicKey = publicKey->handle;
|
||||
@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
|
||||
/* if the prime is an approved prime, we can skip all the other
|
||||
* checks. */
|
||||
- subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS);
|
||||
+ subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS);
|
||||
if (subPrime == NULL) {
|
||||
SECItem dhSubPrime;
|
||||
/* If the caller set the subprime value, it means that
|
||||
@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
secretlen = tmp.len;
|
||||
} else {
|
||||
secretlen = keySize;
|
||||
+ key->isFIPS = PR_FALSE;
|
||||
crv = sftk_ANSI_X9_63_kdf(&secret, keySize,
|
||||
&tmp, mechParams->pSharedData,
|
||||
mechParams->ulSharedDataLen, mechParams->kdf);
|
||||
diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess
|
||||
if (object == NULL) {
|
||||
return CKR_HOST_MEMORY;
|
||||
}
|
||||
- object->isFIPS = PR_FALSE; /* if we created the object on the fly,
|
||||
+ /* object types that we aren't allowed to create in FIPS mode are
|
||||
+ * already rejected explicitly. If we get here, then the object is
|
||||
+ * FIPS OK (most notably public key objects )*/
|
||||
+ /* object->isFIPS = PR_FALSE; if we created the object on the fly,
|
||||
* it's not a FIPS object */
|
||||
|
||||
/*
|
||||
diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h
|
||||
--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
|
||||
/* dh verify functions */
|
||||
/* verify that dhPrime matches one of our known primes, and if so return
|
||||
* it's subprime value */
|
||||
-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
|
||||
+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS);
|
||||
/* check if dhSubPrime claims dhPrime is a safe prime. */
|
||||
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
|
||||
/* map an operation Attribute to a Mechanism flag */
|
||||
diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700
|
||||
@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
SECItem dhPrime;
|
||||
+ SECItem dhBase;
|
||||
+ SECItem dhGenerator;
|
||||
+ PRBool val = PR_FALSE;
|
||||
const SECItem *dhSubPrime;
|
||||
CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime,
|
||||
source, CKA_PRIME);
|
||||
if (crv != CKR_OK) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE);
|
||||
+ crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE);
|
||||
+ if (crv != CKR_OK) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE);
|
||||
+ val = (dhSubPrime) ? PR_TRUE : PR_FALSE;
|
||||
+ if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) {
|
||||
+ val = PR_FALSE;
|
||||
+ }
|
||||
SECITEM_ZfreeItem(&dhPrime, PR_FALSE);
|
||||
- return (dhSubPrime) ? PR_TRUE : PR_FALSE;
|
||||
+ SECITEM_ZfreeItem(&dhBase, PR_FALSE);
|
||||
+ return val;
|
||||
}
|
||||
case SFTKFIPSNone:
|
||||
return PR_FALSE;
|
||||
diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c
|
||||
--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700
|
||||
@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 =
|
||||
(unsigned char *)subprime_tls_8192_data,
|
||||
sizeof(subprime_tls_8192_data) };
|
||||
|
||||
+/* generator for all the groups is 2 */
|
||||
+static const unsigned char generator_2_data[] = { 2 };
|
||||
+
|
||||
+
|
||||
+static const SECItem generator_2 =
|
||||
+ { siBuffer,
|
||||
+ (unsigned char *)generator_2_data,
|
||||
+ sizeof(generator_2_data) };
|
||||
+
|
||||
/*
|
||||
* verify that dhPrime matches one of our known primes
|
||||
*/
|
||||
const SECItem *
|
||||
-sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
|
||||
+sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS)
|
||||
{
|
||||
/* use the length to decide which primes to check */
|
||||
switch (dhPrime->len) {
|
||||
@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
|
||||
sizeof(prime_ike_1536)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_1536;
|
||||
}
|
||||
break;
|
||||
case 2048 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_2048,
|
||||
sizeof(prime_tls_2048)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_2048;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_2048,
|
||||
sizeof(prime_ike_2048)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_2048;
|
||||
}
|
||||
break;
|
||||
case 3072 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_3072,
|
||||
sizeof(prime_tls_3072)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_3072;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_3072,
|
||||
sizeof(prime_ike_3072)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_3072;
|
||||
}
|
||||
break;
|
||||
case 4096 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_4096,
|
||||
sizeof(prime_tls_4096)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_4096;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_4096,
|
||||
sizeof(prime_ike_4096)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_4096;
|
||||
}
|
||||
break;
|
||||
case 6144 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_6144,
|
||||
sizeof(prime_tls_6144)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_6144;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_6144,
|
||||
sizeof(prime_ike_6144)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_6144;
|
||||
}
|
||||
break;
|
||||
case 8192 / PR_BITS_PER_BYTE:
|
||||
if (PORT_Memcmp(dhPrime->data, prime_tls_8192,
|
||||
sizeof(prime_tls_8192)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_tls_8192;
|
||||
}
|
||||
if (PORT_Memcmp(dhPrime->data, prime_ike_8192,
|
||||
sizeof(prime_ike_8192)) == 0) {
|
||||
+ if (g) *g = generator_2;
|
||||
return &subprime_ike_8192;
|
||||
}
|
||||
break;
|
||||
diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c
|
||||
--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700
|
||||
@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession,
|
||||
goto fail;
|
||||
}
|
||||
} else {
|
||||
+ /* ikev1 isn't validated, if we use this function in ikev1 mode,
|
||||
+ * mark the resulting key as not FIPS */
|
||||
+ if (!params->bRekey) {
|
||||
+ outKey->isFIPS = PR_FALSE;
|
||||
+ }
|
||||
crv = prf_init(&context, inKey->attrib.pValue,
|
||||
inKey->attrib.ulValueLen);
|
||||
if (crv != CKR_OK) {
|
@ -1,23 +0,0 @@
|
||||
diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
|
||||
--- a/lib/ssl/authcert.c
|
||||
+++ b/lib/ssl/authcert.c
|
||||
@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg,
|
||||
|
||||
/* otherwise look through the cache based on usage
|
||||
* if chosenNickname is set, we ignore the expiration date */
|
||||
if (certList == NULL) {
|
||||
certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(),
|
||||
certUsageSSLClient,
|
||||
PR_FALSE, chosenNickName == NULL,
|
||||
pw_arg);
|
||||
+ if (certList == NULL) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
/* filter only the certs that meet the nickname requirements */
|
||||
if (chosenNickName) {
|
||||
rv = CERT_FilterCertListByNickname(certList, chosenNickName,
|
||||
pw_arg);
|
||||
} else {
|
||||
int nnames = 0;
|
||||
char **names = ssl_DistNamesToStrings(caNames, &nnames);
|
||||
rv = CERT_FilterCertListByCANames(certList, nnames, names,
|
@ -1,22 +0,0 @@
|
||||
diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c
|
||||
--- a/lib/softoken/lowpbe.c
|
||||
+++ b/lib/softoken/lowpbe.c
|
||||
@@ -565,17 +565,17 @@ struct KDFCacheItemStr {
|
||||
int iterations;
|
||||
int keyLen;
|
||||
};
|
||||
typedef struct KDFCacheItemStr KDFCacheItem;
|
||||
|
||||
/* Bug 1606992 - Cache the hash result for the common case that we're
|
||||
* asked to repeatedly compute the key for the same password item,
|
||||
* hash, iterations and salt. */
|
||||
-#define KDF2_CACHE_COUNT 3
|
||||
+#define KDF2_CACHE_COUNT 150
|
||||
static struct {
|
||||
PZLock *lock;
|
||||
struct {
|
||||
KDFCacheItem common;
|
||||
int ivLen;
|
||||
PRBool faulty3DES;
|
||||
} cacheKDF1;
|
||||
struct {
|
@ -1,21 +0,0 @@
|
||||
diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c
|
||||
--- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700
|
||||
+++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700
|
||||
@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre
|
||||
if (zeroTerm) {
|
||||
/* unicode adds two nulls at the end */
|
||||
if (toUnicode) {
|
||||
- if ((dest->len >= 2) &&
|
||||
- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) {
|
||||
+ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) {
|
||||
/* we've already allocated space for these new NULLs */
|
||||
PORT_Assert(dest->len + 2 <= bufferSize);
|
||||
dest->len += 2;
|
||||
dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0;
|
||||
}
|
||||
/* ascii/utf-8 adds just 1 */
|
||||
- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) {
|
||||
+ } else if (!dest->len || dest->data[dest->len - 1]) {
|
||||
PORT_Assert(dest->len + 1 <= bufferSize);
|
||||
dest->len++;
|
||||
dest->data[dest->len - 1] = 0;
|
@ -1,685 +0,0 @@
|
||||
diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c
|
||||
--- ./cmd/crmftest/testcrmf.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./cmd/crmftest/testcrmf.c 2022-06-20 16:47:35.023785628 -0700
|
||||
@@ -85,7 +85,7 @@
|
||||
#include "sechash.h"
|
||||
#endif
|
||||
|
||||
-#define MAX_KEY_LEN 512
|
||||
+#define MAX_KEY_LEN 1024
|
||||
#define PATH_LEN 150
|
||||
#define BUFF_SIZE 150
|
||||
#define UID_BITS 800
|
||||
diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc
|
||||
--- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-20 16:47:35.024785635 -0700
|
||||
@@ -16,6 +16,7 @@
|
||||
#include "secerr.h"
|
||||
#include "sechash.h"
|
||||
#include "pk11_signature_test.h"
|
||||
+#include "blapit.h"
|
||||
|
||||
#include "testvectors/rsa_signature_2048_sha224-vectors.h"
|
||||
#include "testvectors/rsa_signature_2048_sha256-vectors.h"
|
||||
@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest
|
||||
* Use 6 as the invalid value since modLen % 16 must be zero.
|
||||
*/
|
||||
TEST(RsaPkcs1Test, Pkcs1MinimumPadding) {
|
||||
- const size_t kRsaShortKeyBits = 736;
|
||||
+#define RSA_SHORT_KEY_LENGTH 736
|
||||
+/* if our minimum supported key length is big enough to handle
|
||||
+ * our largest Hash function, we can't test a short length */
|
||||
+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH
|
||||
+ const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH;
|
||||
const size_t kRsaKeyBits = 752;
|
||||
static const std::vector<uint8_t> kMsg{'T', 'E', 'S', 'T'};
|
||||
static const std::vector<uint8_t> kSha512DigestInfo{
|
||||
@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding)
|
||||
SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512,
|
||||
nullptr);
|
||||
EXPECT_EQ(SECSuccess, rv);
|
||||
+#else
|
||||
+ GTEST_SKIP();
|
||||
+#endif
|
||||
}
|
||||
|
||||
TEST(RsaPkcs1Test, RequireNullParameter) {
|
||||
diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
--- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-20 16:47:35.024785635 -0700
|
||||
@@ -9,6 +9,8 @@
|
||||
#include "prtime.h"
|
||||
#include "secerr.h"
|
||||
#include "ssl.h"
|
||||
+#include "nss.h"
|
||||
+#include "blapit.h"
|
||||
|
||||
#include "gtest_utils.h"
|
||||
#include "tls_agent.h"
|
||||
@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC
|
||||
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
|
||||
ASSERT_TRUE(slot);
|
||||
PK11RSAGenParams rsaparams;
|
||||
- // The absolute minimum size of RSA key that we can use with SHA-256 is
|
||||
- // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
||||
+// The absolute minimum size of RSA key that we can use with SHA-256 is
|
||||
+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528.
|
||||
+#define RSA_WEAK_KEY 528
|
||||
+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY
|
||||
rsaparams.keySizeInBits = 528;
|
||||
+#else
|
||||
+ rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1;
|
||||
+#endif
|
||||
rsaparams.pe = 65537;
|
||||
|
||||
// Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient
|
||||
@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
ssl_sig_rsa_pss_pss_sha256};
|
||||
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
+ // save the MIN POLICY length.
|
||||
+ PRInt32 minRsa;
|
||||
+
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
||||
+#if RSA_MIN_MODULUS_BITS >= 2048
|
||||
+ ASSERT_EQ(SECSuccess,
|
||||
+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
||||
+#else
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048));
|
||||
+#endif
|
||||
+#endif
|
||||
|
||||
ScopedSECKEYPrivateKey dc_priv;
|
||||
ScopedSECKEYPublicKey dc_pub;
|
||||
@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_delegated_credentials_xtn);
|
||||
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
||||
+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
||||
+#endif
|
||||
}
|
||||
|
||||
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
||||
diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h
|
||||
--- ./lib/cryptohi/keyhi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/cryptohi/keyhi.h 2022-06-20 16:47:35.024785635 -0700
|
||||
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength
|
||||
extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
|
||||
|
||||
/*
|
||||
+** Return the strength of the private key in bits
|
||||
+*/
|
||||
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
|
||||
+
|
||||
+/*
|
||||
** Return the length of the signature in bytes
|
||||
*/
|
||||
extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
|
||||
diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h
|
||||
--- ./lib/cryptohi/keyi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/cryptohi/keyi.h 2022-06-20 16:47:35.024785635 -0700
|
||||
@@ -4,6 +4,7 @@
|
||||
|
||||
#ifndef _KEYI_H_
|
||||
#define _KEYI_H_
|
||||
+#include "secerr.h"
|
||||
|
||||
SEC_BEGIN_PROTOS
|
||||
/* NSS private functions */
|
||||
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan
|
||||
const SECItem *params,
|
||||
CK_RSA_PKCS_PSS_PARAMS *mech);
|
||||
|
||||
+/* make sure the key length matches the policy for keyType */
|
||||
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
|
||||
+ SECErrorCodes error);
|
||||
SEC_END_PROTOS
|
||||
|
||||
#endif /* _KEYHI_H_ */
|
||||
diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c
|
||||
--- ./lib/cryptohi/seckey.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/cryptohi/seckey.c 2022-06-20 16:47:35.025785641 -0700
|
||||
@@ -14,6 +14,7 @@
|
||||
#include "secdig.h"
|
||||
#include "prtime.h"
|
||||
#include "keyi.h"
|
||||
+#include "nss.h"
|
||||
|
||||
SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
|
||||
SEC_ASN1_MKSUB(SEC_IntegerTemplate)
|
||||
@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC
|
||||
return bitSize;
|
||||
}
|
||||
|
||||
+unsigned
|
||||
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
|
||||
+{
|
||||
+ unsigned bitSize = 0;
|
||||
+ CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE;
|
||||
+ SECItem params;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ if (!privk) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* interpret modulus length as key strength */
|
||||
+ switch (privk->keyType) {
|
||||
+ case rsaKey:
|
||||
+ case rsaPssKey:
|
||||
+ case rsaOaepKey:
|
||||
+ /* some tokens don't export CKA_MODULUS on the private key,
|
||||
+ * PK11_SignatureLen works around this if necessary */
|
||||
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||
+ if (bitSize == -1) {
|
||||
+ bitSize = 0;
|
||||
+ }
|
||||
+ return bitSize;
|
||||
+ case dsaKey:
|
||||
+ case fortezzaKey:
|
||||
+ case dhKey:
|
||||
+ case keaKey:
|
||||
+ attribute = CKA_PRIME;
|
||||
+ break;
|
||||
+ case ecKey:
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
+ CKA_EC_PARAMS, NULL, ¶ms);
|
||||
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ bitSize = SECKEY_ECParamsToKeySize(¶ms);
|
||||
+ PORT_Free(params.data);
|
||||
+ return bitSize;
|
||||
+ default:
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ PORT_Assert(attribute != CKT_INVALID_TYPE);
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
+ attribute, NULL, ¶ms);
|
||||
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
+ return 0;
|
||||
+ }
|
||||
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
||||
+ PORT_Free(params.data);
|
||||
+ return bitSize;
|
||||
+}
|
||||
+
|
||||
/* returns signature length in bytes (not bits) */
|
||||
unsigned
|
||||
SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
|
||||
@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Check that a given key meets the policy limits for the given key
|
||||
+ * size.
|
||||
+ */
|
||||
+SECStatus
|
||||
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
|
||||
+{
|
||||
+ PRInt32 opt = -1;
|
||||
+ PRInt32 optVal;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ switch (keyType) {
|
||||
+ case rsaKey:
|
||||
+ case rsaPssKey:
|
||||
+ case rsaOaepKey:
|
||||
+ opt = NSS_RSA_MIN_KEY_SIZE;
|
||||
+ break;
|
||||
+ case dsaKey:
|
||||
+ case fortezzaKey:
|
||||
+ opt = NSS_DSA_MIN_KEY_SIZE;
|
||||
+ break;
|
||||
+ case dhKey:
|
||||
+ case keaKey:
|
||||
+ opt = NSS_DH_MIN_KEY_SIZE;
|
||||
+ break;
|
||||
+ case ecKey:
|
||||
+ opt = NSS_ECC_MIN_KEY_SIZE;
|
||||
+ break;
|
||||
+ case nullKey:
|
||||
+ default:
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ PORT_Assert(opt != -1);
|
||||
+ rv = NSS_OptionGet(opt, &optVal);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return rv;
|
||||
+ }
|
||||
+ if (optVal < keyLength) {
|
||||
+ PORT_SetError(error);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Use the private key to find a public key handle. The handle will be on
|
||||
* the same slot as the private key.
|
||||
*/
|
||||
diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c
|
||||
--- ./lib/cryptohi/secsign.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/cryptohi/secsign.c 2022-06-20 16:47:35.025785641 -0700
|
||||
@@ -15,6 +15,7 @@
|
||||
#include "pk11func.h"
|
||||
#include "secerr.h"
|
||||
#include "keyi.h"
|
||||
+#include "nss.h"
|
||||
|
||||
struct SGNContextStr {
|
||||
SECOidTag signalg;
|
||||
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
||||
SECOidTag hashalg, signalg;
|
||||
KeyType keyType;
|
||||
PRUint32 policyFlags;
|
||||
+ PRInt32 optFlags;
|
||||
SECStatus rv;
|
||||
|
||||
/* OK, map a PKCS #7 hash and encrypt algorithm into
|
||||
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return NULL;
|
||||
}
|
||||
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
||||
+ rv = seckey_EnforceKeySize(key->keyType,
|
||||
+ SECKEY_PrivateKeyStrengthInBits(key),
|
||||
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
/* check the policy on the hash algorithm */
|
||||
if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
|
||||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||
@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
|
||||
SGNDigestInfo *di = 0;
|
||||
SECOidTag enctag;
|
||||
PRUint32 policyFlags;
|
||||
+ PRInt32 optFlags;
|
||||
|
||||
result->data = 0;
|
||||
|
||||
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||
+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
|
||||
+ rv = seckey_EnforceKeySize(privKey->keyType,
|
||||
+ SECKEY_PrivateKeyStrengthInBits(privKey),
|
||||
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
/* check the policy on the hash algorithm */
|
||||
if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
|
||||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||
diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c
|
||||
--- ./lib/cryptohi/secvfy.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/cryptohi/secvfy.c 2022-06-20 16:47:35.025785641 -0700
|
||||
@@ -16,6 +16,7 @@
|
||||
#include "secdig.h"
|
||||
#include "secerr.h"
|
||||
#include "keyi.h"
|
||||
+#include "nss.h"
|
||||
|
||||
/*
|
||||
** Recover the DigestInfo from an RSA PKCS#1 signature.
|
||||
@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey
|
||||
unsigned int sigLen;
|
||||
KeyType type;
|
||||
PRUint32 policyFlags;
|
||||
+ PRInt32 optFlags;
|
||||
|
||||
/* make sure the encryption algorithm matches the key type */
|
||||
/* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
|
||||
@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey
|
||||
PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
|
||||
return NULL;
|
||||
}
|
||||
-
|
||||
+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
|
||||
+ if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
|
||||
+ rv = seckey_EnforceKeySize(key->keyType,
|
||||
+ SECKEY_PublicKeyStrengthInBits(key),
|
||||
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
/* check the policy on the encryption algorithm */
|
||||
if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
|
||||
!(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
|
||||
diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h
|
||||
--- ./lib/freebl/blapit.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/freebl/blapit.h 2022-06-20 16:47:35.025785641 -0700
|
||||
@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu
|
||||
* These values come from the initial key size limits from the PKCS #11
|
||||
* module. They may be arbitrarily adjusted to any value freebl supports.
|
||||
*/
|
||||
-#define RSA_MIN_MODULUS_BITS 128
|
||||
+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */
|
||||
#define RSA_MAX_MODULUS_BITS 16384
|
||||
#define RSA_MAX_EXPONENT_BITS 64
|
||||
#define DH_MIN_P_BITS 128
|
||||
diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h
|
||||
--- ./lib/nss/nss.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/nss/nss.h 2022-06-20 16:47:35.026785647 -0700
|
||||
@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu
|
||||
#define NSS_DEFAULT_LOCKS 0x00d /* lock default values */
|
||||
#define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */
|
||||
|
||||
+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to
|
||||
+ * the NSS_XXX_MIN_KEY_SIZE values.
|
||||
+ * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input
|
||||
+ * value
|
||||
+ * On get it returns all the flags
|
||||
+ * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and
|
||||
+ * does not affect the other flags
|
||||
+ * On get it returns all the flags
|
||||
+ * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input
|
||||
+ * value and does not affect the other flags
|
||||
+ * On get it returns all the compliment of all the flags
|
||||
+ * (cleared flags == 1) */
|
||||
+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e
|
||||
+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f
|
||||
+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010
|
||||
+/* currently defined flags */
|
||||
+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1
|
||||
+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2
|
||||
+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4
|
||||
+
|
||||
+#define NSS_ECC_MIN_KEY_SIZE 0x011
|
||||
+
|
||||
/*
|
||||
* Set and get global options for the NSS library.
|
||||
*/
|
||||
diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c
|
||||
--- ./lib/nss/nssoptions.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/nss/nssoptions.c 2022-06-20 16:47:35.026785647 -0700
|
||||
@@ -26,6 +26,8 @@ struct nssOps {
|
||||
PRInt32 dtlsVersionMaxPolicy;
|
||||
PRInt32 pkcs12DecodeForceUnicode;
|
||||
PRInt32 defaultLocks;
|
||||
+ PRInt32 keySizePolicyFlags;
|
||||
+ PRInt32 eccMinKeySize;
|
||||
};
|
||||
|
||||
static struct nssOps nss_ops = {
|
||||
@@ -37,7 +39,9 @@ static struct nssOps nss_ops = {
|
||||
1,
|
||||
0xffff,
|
||||
PR_FALSE,
|
||||
- 0
|
||||
+ 0,
|
||||
+ NSS_KEY_SIZE_POLICY_SSL_FLAG,
|
||||
+ SSL_ECC_MIN_CURVE_BITS
|
||||
};
|
||||
|
||||
SECStatus
|
||||
@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val
|
||||
case NSS_DEFAULT_LOCKS:
|
||||
nss_ops.defaultLocks = value;
|
||||
break;
|
||||
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
||||
+ nss_ops.keySizePolicyFlags = value;
|
||||
+ break;
|
||||
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
||||
+ nss_ops.keySizePolicyFlags |= value;
|
||||
+ break;
|
||||
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
||||
+ nss_ops.keySizePolicyFlags &= ~value;
|
||||
+ break;
|
||||
+ case NSS_ECC_MIN_KEY_SIZE:
|
||||
+ nss_ops.eccMinKeySize = value;
|
||||
+ break;
|
||||
default:
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
rv = SECFailure;
|
||||
@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va
|
||||
case NSS_DEFAULT_LOCKS:
|
||||
*value = nss_ops.defaultLocks;
|
||||
break;
|
||||
+ case NSS_KEY_SIZE_POLICY_FLAGS:
|
||||
+ case NSS_KEY_SIZE_POLICY_SET_FLAGS:
|
||||
+ *value = nss_ops.keySizePolicyFlags;
|
||||
+ break;
|
||||
+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS:
|
||||
+ *value = ~nss_ops.keySizePolicyFlags;
|
||||
+ break;
|
||||
+ case NSS_ECC_MIN_KEY_SIZE:
|
||||
+ *value = nss_ops.eccMinKeySize;
|
||||
+ break;
|
||||
default:
|
||||
rv = SECFailure;
|
||||
}
|
||||
diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h
|
||||
--- ./lib/nss/nssoptions.h.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/nss/nssoptions.h 2022-06-20 16:47:35.026785647 -0700
|
||||
@@ -18,3 +18,5 @@
|
||||
* happens because NSS used to count bit lengths incorrectly. */
|
||||
#define SSL_DH_MIN_P_BITS 1023
|
||||
#define SSL_DSA_MIN_P_BITS 1023
|
||||
+/* not really used by SSL, but define it here for consistency */
|
||||
+#define SSL_ECC_MIN_CURVE_BITS 256
|
||||
diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c
|
||||
--- ./lib/pk11wrap/pk11kea.c.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./lib/pk11wrap/pk11kea.c 2022-06-20 16:47:35.026785647 -0700
|
||||
@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_
|
||||
if (privKeyHandle == CK_INVALID_HANDLE) {
|
||||
PK11RSAGenParams rsaParams;
|
||||
|
||||
- if (symKeyLength > 53) /* bytes */ {
|
||||
- /* we'd have to generate an RSA key pair > 512 bits long,
|
||||
+ if (symKeyLength > 120) /* bytes */ {
|
||||
+ /* we'd have to generate an RSA key pair > 1024 bits long,
|
||||
** and that's too costly. Don't even try.
|
||||
*/
|
||||
PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY);
|
||||
goto rsa_failed;
|
||||
}
|
||||
- rsaParams.keySizeInBits =
|
||||
- (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256;
|
||||
+ rsaParams.keySizeInBits = 1024;
|
||||
rsaParams.pe = 0x10001;
|
||||
privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN,
|
||||
&rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx);
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.sign_policy 2022-06-20 16:47:35.004785510 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2022-06-20 16:47:35.026785647 -0700
|
||||
@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[]
|
||||
{ CIPHER_NAME("DTLS1.3"), 0x304 },
|
||||
};
|
||||
|
||||
+static const optionFreeDef keySizeFlagsList[] = {
|
||||
+ { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG },
|
||||
+ { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG },
|
||||
+ { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG },
|
||||
+};
|
||||
+
|
||||
static const optionFreeDef freeOptList[] = {
|
||||
|
||||
/* Restrictions for asymetric keys */
|
||||
{ CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE },
|
||||
{ CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE },
|
||||
{ CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE },
|
||||
+ { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE },
|
||||
+ /* what operations doe the key size apply to */
|
||||
+ { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS },
|
||||
/* constraints on SSL Protocols */
|
||||
{ CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY },
|
||||
{ CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY },
|
||||
@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol
|
||||
*result = val;
|
||||
return SECSuccess;
|
||||
}
|
||||
+ /* handle any ssl strings */
|
||||
for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) {
|
||||
if (policyValueLength == sslOptList[i].name_size &&
|
||||
PORT_Strncasecmp(sslOptList[i].name, policyValue,
|
||||
@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol
|
||||
return SECSuccess;
|
||||
}
|
||||
}
|
||||
- return SECFailure;
|
||||
+ /* handle key_size flags. Each flag represents a bit, which
|
||||
+ * gets or'd together. They can be separated by , | or + */
|
||||
+ val = 0;
|
||||
+ while (*policyValue) {
|
||||
+ PRBool found = PR_FALSE;
|
||||
+ for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) {
|
||||
+ if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue,
|
||||
+ keySizeFlagsList[i].name_size) == 0) {
|
||||
+ val |= keySizeFlagsList[i].option;
|
||||
+ found = PR_TRUE;
|
||||
+ policyValue += keySizeFlagsList[i].name_size;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if (!found) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') {
|
||||
+ policyValue++;
|
||||
+ }
|
||||
+ }
|
||||
+ *result = val;
|
||||
+ return SECSuccess;
|
||||
}
|
||||
|
||||
/* Policy operations:
|
||||
diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c
|
||||
--- ./lib/ssl/ssl3con.c.sign_policy 2022-06-20 16:47:34.998785473 -0700
|
||||
+++ ./lib/ssl/ssl3con.c 2022-06-20 16:47:35.028785660 -0700
|
||||
@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
||||
unsigned dh_p_bits;
|
||||
unsigned dh_g_bits;
|
||||
PRInt32 minDH;
|
||||
+ PRInt32 optval;
|
||||
+ PRBool usePolicyLength = PR_FALSE;
|
||||
|
||||
SSL3Hashes hashes;
|
||||
SECItem signature = { siBuffer, NULL, 0 };
|
||||
@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket
|
||||
if (rv != SECSuccess) {
|
||||
goto loser; /* malformed. */
|
||||
}
|
||||
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||
+ if (rv == SECSuccess) {
|
||||
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
||||
+ }
|
||||
|
||||
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH);
|
||||
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH)
|
||||
+ : SECFailure;
|
||||
if (rv != SECSuccess || minDH <= 0) {
|
||||
minDH = SSL_DH_MIN_P_BITS;
|
||||
}
|
||||
@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||
SECStatus rv;
|
||||
PRUint32 minKey;
|
||||
PRInt32 optval;
|
||||
+ PRBool usePolicyLength = PR_TRUE;
|
||||
+
|
||||
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||
+ if (rv == SECSuccess) {
|
||||
+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG);
|
||||
+ }
|
||||
|
||||
ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey);
|
||||
switch (SECKEY_GetPublicKeyType(pubKey)) {
|
||||
case rsaKey:
|
||||
case rsaPssKey:
|
||||
case rsaOaepKey:
|
||||
- rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval);
|
||||
+ rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval)
|
||||
+ : SECFailure;
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||
break;
|
||||
|
||||
case dsaKey:
|
||||
- rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval);
|
||||
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval)
|
||||
+ : SECFailure;
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||
break;
|
||||
|
||||
case dhKey:
|
||||
- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval);
|
||||
+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval)
|
||||
+ : SECFailure;
|
||||
if (rv == SECSuccess && optval > 0) {
|
||||
minKey = (PRUint32)optval;
|
||||
} else {
|
||||
@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const
|
||||
break;
|
||||
|
||||
case ecKey:
|
||||
- /* Don't check EC strength here on the understanding that we only
|
||||
- * support curves we like. */
|
||||
- minKey = ss->sec.authKeyBits;
|
||||
+ rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval)
|
||||
+ : SECFailure;
|
||||
+ if (rv == SECSuccess && optval > 0) {
|
||||
+ minKey = (PRUint32)optval;
|
||||
+ } else {
|
||||
+ /* Don't check EC strength here on the understanding that we
|
||||
+ * only support curves we like. */
|
||||
+ minKey = ss->sec.authKeyBits;
|
||||
+ }
|
||||
break;
|
||||
|
||||
default:
|
||||
diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt
|
||||
--- ./tests/policy/crypto-policy.txt.sign_policy 2022-05-26 02:54:33.000000000 -0700
|
||||
+++ ./tests/policy/crypto-policy.txt 2022-06-20 16:47:35.028785660 -0700
|
||||
@@ -6,6 +6,8 @@
|
||||
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy
|
||||
0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy
|
||||
0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy
|
||||
+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size
|
||||
+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size
|
||||
2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value
|
||||
2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value
|
||||
2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier
|
||||
diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.sign_policy 2022-06-20 16:47:35.028785660 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2022-06-20 16:50:08.958742135 -0700
|
||||
@@ -196,6 +196,11 @@
|
||||
# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||
# compatibility reasons
|
||||
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||
+
|
||||
# test default settings
|
||||
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
||||
# were successful by locking in our settings
|
||||
diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh
|
||||
--- ./tests/dbupgrade/dbupgrade.sh.sign_policy 2022-06-22 08:43:55.905407738 -0700
|
||||
+++ ./tests/dbupgrade/dbupgrade.sh 2022-06-22 08:43:58.837426779 -0700
|
||||
@@ -69,7 +69,7 @@ dbupgrade_main()
|
||||
echo $i
|
||||
if [ -d $i ]; then
|
||||
echo "upgrading db $i"
|
||||
- ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
|
||||
+ ${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1
|
||||
html_msg $? 0 "Upgrading $i"
|
||||
else
|
||||
echo "skipping db $i"
|
@ -0,0 +1,57 @@
|
||||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
||||
index 74e8e65..8995752 100644
|
||||
--- a/lib/freebl/Makefile
|
||||
+++ b/lib/freebl/Makefile
|
||||
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
else ifeq (1,$(CC_IS_GCC))
|
||||
- SUPPORTS_VALE_CURVE25519 = 1
|
||||
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
||||
index 65f9a80..23940ef 100644
|
||||
--- a/lib/freebl/freebl.gyp
|
||||
+++ b/lib/freebl/freebl.gyp
|
||||
@@ -866,12 +866,6 @@
|
||||
}],
|
||||
],
|
||||
}],
|
||||
- [ 'supports_vale_curve25519==1', {
|
||||
- 'defines': [
|
||||
- # The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
- 'HACL_CAN_COMPILE_INLINE_ASM',
|
||||
- ],
|
||||
- }],
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
@@ -934,11 +928,6 @@
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'conditions': [
|
||||
- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
||||
- 'supports_vale_curve25519%': 1,
|
||||
- }, {
|
||||
- 'supports_vale_curve25519%': 0,
|
||||
- }],
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'have_int128_support%': 1,
|
||||
}, {
|
||||
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
|
||||
index d198c44..34b6b3c 100644
|
||||
--- a/lib/freebl/freebl_base.gypi
|
||||
+++ b/lib/freebl/freebl_base.gypi
|
||||
@@ -151,11 +151,6 @@
|
||||
'ecl/curve25519_32.c',
|
||||
],
|
||||
}],
|
||||
- ['supports_vale_curve25519==1', {
|
||||
- 'sources': [
|
||||
- 'verified/Hacl_Curve25519_64.c',
|
||||
- ],
|
||||
- }],
|
||||
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
||||
'sources': [
|
||||
# Gyp does not support per-file cflags, so working around like this.
|
@ -0,0 +1,104 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
|
||||
@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
|
||||
{ CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
{ CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
|
||||
+ /* not really a key exchange, but it's the closest fit */
|
||||
+ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
|
||||
};
|
||||
|
||||
static const oidValDef signOptList[] = {
|
||||
diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
|
||||
--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
|
||||
@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
|
||||
/* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
|
||||
#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
|
||||
|
||||
+/* this oid value could change values if it's added after other new
|
||||
+ * upstream oids. We protect applications by hiding the define in a private
|
||||
+ * header file that only NSS sees. Currently it's only available through
|
||||
+ * the policy code */
|
||||
+#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
|
||||
+
|
||||
#endif /* _SECMODTI_H_ */
|
||||
diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
|
||||
--- ./lib/ssl/ssl3con.c.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/ssl/ssl3con.c 2023-06-12 17:18:35.130938525 -0700
|
||||
@@ -36,6 +36,7 @@
|
||||
#include "pk11func.h"
|
||||
#include "secmod.h"
|
||||
#include "blapi.h"
|
||||
+#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
|
||||
CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
|
||||
unsigned int master_params_len;
|
||||
|
||||
+ /* if we are using TLS and we aren't using the extended master secret,
|
||||
+ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
|
||||
+ * send and alert (eventually). In the RSA Server case, the alert
|
||||
+ * won't happen until Finish time because the upper level code
|
||||
+ * can't tell a difference between this failure and an RSA decrypt
|
||||
+ * failure, so it will proceed with a faux key */
|
||||
+ if (isTLS) {
|
||||
+ PRUint32 policy;
|
||||
+ SECStatus rv;
|
||||
+
|
||||
+ /* first fetch the policy for this algorithm */
|
||||
+ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
|
||||
+ /* we only look at the policy if we can fetch it. */
|
||||
+ if (rv == SECSuccess) {
|
||||
+ if (policy & NSS_USE_ALG_IN_SSL_KX) {
|
||||
+ /* just set the error, we don't want to map any errors
|
||||
+ * set by NSS_GetAlgorithmPolicy here */
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (isTLS12) {
|
||||
if (isDH)
|
||||
master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
|
||||
--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
|
||||
+++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
|
||||
@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
|
||||
"IPsec User",
|
||||
CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
+
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* we need it for the policy code. */
|
||||
+ ODE(SEC_OID_PRIVATE_1,
|
||||
+ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
|
||||
};
|
||||
|
||||
/* PRIVATE EXTENDED SECOID Table
|
||||
@@ -2095,6 +2100,8 @@ SECOID_Init(void)
|
||||
|
||||
/* turn off NSS_USE_POLICY_IN_SSL by default */
|
||||
xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
|
||||
+ /* turn off TLS REQUIRE EMS by default */
|
||||
+ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
|
||||
|
||||
envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
|
||||
if (envVal)
|
||||
diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
|
||||
--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
|
||||
+++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
|
||||
@@ -501,6 +501,9 @@ typedef enum {
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
|
||||
SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
|
||||
+ /* this will change upstream. for now apps shouldn't use it */
|
||||
+ /* give it an obscure name here */
|
||||
+ SEC_OID_PRIVATE_1 = 372,
|
||||
|
||||
SEC_OID_TOTAL
|
||||
} SECOidTag;
|
@ -0,0 +1,96 @@
|
||||
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
|
||||
--- a/lib/ssl/sslsock.c
|
||||
+++ b/lib/ssl/sslsock.c
|
||||
@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
|
||||
}
|
||||
PORT_Free(cursor);
|
||||
}
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.enableTls13GreaseEch = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss || size == 0) {
|
||||
return SECFailure;
|
||||
}
|
||||
ssl_Get1stHandshakeLock(ss);
|
||||
ssl_GetSSL3HandshakeLock(ss);
|
||||
|
||||
ss->ssl3.hs.greaseEchSize = size;
|
||||
|
||||
ssl_ReleaseSSL3HandshakeLock(ss);
|
||||
ssl_Release1stHandshakeLock(ss);
|
||||
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.enableTls13BackendEch = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
+#ifdef notdef
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
}
|
||||
ss->opt.callExtensionWriterOnEchInner = enabled;
|
||||
return SECSuccess;
|
||||
+#else
|
||||
+ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
|
||||
+ return SECFailure;
|
||||
+#endif
|
||||
}
|
||||
|
||||
SECStatus
|
||||
SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
|
||||
{
|
||||
sslSocket *ss = ssl_FindSocket(fd);
|
||||
if (!ss) {
|
||||
return SECFailure;
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
@ -0,0 +1,18 @@
|
||||
diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
|
||||
--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
|
||||
+++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
|
||||
@@ -46,11 +46,13 @@ ectest_genkeydb_test()
|
||||
return $?
|
||||
fi
|
||||
curves=( \
|
||||
- "curve25519" \
|
||||
"secp256r1" \
|
||||
"secp384r1" \
|
||||
"secp521r1" \
|
||||
)
|
||||
+ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
|
||||
+ curves=( "curve25519" "${curves[@]}" )
|
||||
+ fi
|
||||
for curve in "${curves[@]}"; do
|
||||
echo "Test $curve key generation using certutil ..."
|
||||
certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
|
@ -0,0 +1,42 @@
|
||||
diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c
|
||||
--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700
|
||||
+++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700
|
||||
@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
return PR_FALSE;
|
||||
case SFTKFIPSECC:
|
||||
/* we've already handled the curve selection in the 'getlength'
|
||||
- * function */
|
||||
+ * function */
|
||||
return PR_TRUE;
|
||||
case SFTKFIPSAEAD: {
|
||||
if (mech->ulParameterLen == 0) {
|
||||
@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
return PR_TRUE;
|
||||
}
|
||||
+ case SFTKFIPSPBKDF2: {
|
||||
+ /* PBKDF2 must have the following addition restrictions
|
||||
+ * (independent of keysize).
|
||||
+ * 1. iteration count must be at least 1000.
|
||||
+ * 2. salt must be at least 128 bits (16 bytes).
|
||||
+ * 3. password must match the length specified in the SP
|
||||
+ */
|
||||
+ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *)
|
||||
+ mech->pParameter;
|
||||
+ if (mech->ulParameterLen != sizeof(*pbkdf2)) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (pbkdf2->iterations < 1000) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (pbkdf2->ulSaltSourceDataLen < 16) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) {
|
||||
+ return PR_FALSE;
|
||||
+ }
|
||||
+ return PR_TRUE;
|
||||
+ }
|
||||
default:
|
||||
break;
|
||||
}
|
Loading…
Reference in new issue