From 62274c3ae9612c2b82a6b73d0d8455020e6040f0 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 11 Dec 2023 16:45:44 +0300 Subject: [PATCH] import nss-3.90.0-3.el8_8 --- .gitignore | 2 +- .nss.metadata | 2 +- SOURCES/cve-2023-0767.patch | 92 --- SOURCES/fips_algorithms.h | 172 +++++ .../nss-3.66-disable-signature-policies.patch | 20 +- SOURCES/nss-3.71-camellia-pkcs12-doc.patch | 20 + SOURCES/nss-3.79-dont-verify-default.patch | 170 ----- SOURCES/nss-3.79-enable-POST-rerun.patch | 522 ------------- SOURCES/nss-3.79-fips-review.patches | 497 +++++++++++++ SOURCES/nss-3.79-fips.patch | 172 +---- SOURCES/nss-3.79-fix-client-cert-crash.patch | 23 - SOURCES/nss-3.79-increase-pbe-cache.patch | 22 - .../nss-3.79-pkcs12-fix-null-password.patch | 21 - ...ss-3.79-rhel-8-fips-signature-policy.patch | 685 ------------------ SOURCES/nss-3.90-DisablingASM.patch | 57 ++ SOURCES/nss-3.90-add-ems-policy.patch | 104 +++ SOURCES/nss-3.90-disable-ech.patch | 96 +++ SOURCES/nss-3.90-no-dbm-25519.patch | 18 + SOURCES/nss-3.90-pbkdf2-indicator.patch | 42 ++ SPECS/nss.spec | 56 +- 20 files changed, 1060 insertions(+), 1733 deletions(-) delete mode 100644 SOURCES/cve-2023-0767.patch create mode 100644 SOURCES/fips_algorithms.h create mode 100644 SOURCES/nss-3.71-camellia-pkcs12-doc.patch delete mode 100644 SOURCES/nss-3.79-dont-verify-default.patch delete mode 100644 SOURCES/nss-3.79-enable-POST-rerun.patch create mode 100644 SOURCES/nss-3.79-fips-review.patches delete mode 100644 SOURCES/nss-3.79-fix-client-cert-crash.patch delete mode 100644 SOURCES/nss-3.79-increase-pbe-cache.patch delete mode 100644 SOURCES/nss-3.79-pkcs12-fix-null-password.patch delete mode 100644 SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch create mode 100644 SOURCES/nss-3.90-DisablingASM.patch create mode 100644 SOURCES/nss-3.90-add-ems-policy.patch create mode 100644 SOURCES/nss-3.90-disable-ech.patch create mode 100644 SOURCES/nss-3.90-no-dbm-25519.patch create mode 100644 SOURCES/nss-3.90-pbkdf2-indicator.patch diff --git a/.gitignore b/.gitignore index 4befa78..eda990c 100644 --- a/.gitignore +++ b/.gitignore @@ -3,4 +3,4 @@ SOURCES/blank-cert9.db SOURCES/blank-key3.db SOURCES/blank-key4.db SOURCES/blank-secmod.db -SOURCES/nss-3.79.tar.gz +SOURCES/nss-3.90.tar.gz diff --git a/.nss.metadata b/.nss.metadata index b374a5a..f78c944 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -3,4 +3,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db -3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz +1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch deleted file mode 100644 index fc5d4fa..0000000 --- a/SOURCES/cve-2023-0767.patch +++ /dev/null @@ -1,92 +0,0 @@ -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -335,35 +335,42 @@ - sec_PKCS12SafeContentsContext *safeContentsCtx = - (sec_PKCS12SafeContentsContext *)arg; - SEC_PKCS12DecoderContext *p12dcx; - SECStatus rv; - -- /* make sure that we are not skipping the current safeBag, -- * and that there are no errors. If so, just return rather -- * than continuing to process. -- */ -- if (!safeContentsCtx || !safeContentsCtx->p12dcx || -- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { - return; - } - p12dcx = safeContentsCtx->p12dcx; - -+ /* make sure that there are no errors and we are not skipping the current safeBag */ -+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ goto loser; -+ } -+ - rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); - if (rv != SECSuccess) { - p12dcx->errorValue = PORT_GetError(); -+ p12dcx->error = PR_TRUE; -+ goto loser; -+ } -+ -+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we -+ * may not get another opportunity to clean up the decoder context. -+ */ -+ if (safeContentsCtx->skipCurrentSafeBag) { - goto loser; - } - - return; - - loser: -- /* set the error, and finish the decoder context. because there -+ /* Finish the decoder context. Because there - * is not a way of returning an error message, it may be worth - * while to do a check higher up and finish any decoding contexts - * that are still open. - */ -- p12dcx->error = PR_TRUE; - SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); - safeContentsCtx->currentSafeBagA1Dcx = NULL; - return; - } - -diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h ---- a/lib/pkcs12/p12t.h -+++ b/lib/pkcs12/p12t.h -@@ -71,10 +71,11 @@ - SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; - sec_PKCS12CertBag *certBag; - sec_PKCS12CRLBag *crlBag; - sec_PKCS12SecretBag *secretBag; - sec_PKCS12SafeContents *safeContents; -+ SECItem *unknownBag; - } safeBagContent; - - sec_PKCS12Attribute **attribs; - - /* used locally */ -diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c ---- a/lib/pkcs12/p12tmpl.c -+++ b/lib/pkcs12/p12tmpl.c -@@ -28,16 +28,16 @@ - - safeBag = (sec_PKCS12SafeBag *)src_or_dest; - - oiddata = SECOID_FindOID(&safeBag->safeBagType); - if (oiddata == NULL) { -- return SEC_ASN1_GET(SEC_AnyTemplate); -+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); - } - - switch (oiddata->offset) { - default: -- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); -+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); - break; - case SEC_OID_PKCS12_V1_KEY_BAG_ID: - theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); - break; - case SEC_OID_PKCS12_V1_CERT_BAG_ID: - diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h new file mode 100644 index 0000000..80d7dcd --- /dev/null +++ b/SOURCES/fips_algorithms.h @@ -0,0 +1,172 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +/* + * Vendors should replace this header file with the file containing those + * algorithms which have NIST algorithm Certificates. + */ + +/* handle special cases. Classes require existing code to already be + * in place for that class */ +typedef enum { + SFTKFIPSNone = 0, + SFTKFIPSDH, /* allow only specific primes */ + SFTKFIPSECC, /* not just keys but specific curves */ + SFTKFIPSAEAD, /* single shot AEAD functions not allowed in FIPS mode */ + SFTKFIPSRSAPSS, /* make sure salt isn't too big */ + SFTKFIPSPBKDF2 /* handle pbkdf2 FIPS restrictions */ +} SFTKFIPSSpecialClass; + +/* set according to your security policy */ +#define SFTKFIPS_PBKDF2_MIN_PW_LEN 7 + +typedef struct SFTKFIPSAlgorithmListStr SFTKFIPSAlgorithmList; +struct SFTKFIPSAlgorithmListStr { + CK_MECHANISM_TYPE type; + CK_MECHANISM_INFO info; + CK_ULONG step; + SFTKFIPSSpecialClass special; +}; + +SFTKFIPSAlgorithmList sftk_fips_mechs[] = { +/* A sample set of algorithms to allow basic testing in our continous + * testing infrastructure. The vendor version should replace this with + * a version that matches their algorithm testing and security policy */ +/* NOTE, This looks a lot like the PKCS #11 mechanism list in pkcs11.c, it + * differs in the following ways: + * 1) the addition of step and class elements to help restrict + * the supported key sizes and types. + * 2) The mechanism flags are restricted to only those that map to + * fips approved operations. + * 3) All key sizes are in bits, independent of mechanism. + * 4) You can add more then one entry for the same mechanism to handle + * multiple descrete keys where the MIN/MAX/STEP semantics doesn't apply + * or where different operations have different key requirements. + * This table does not encode all the modules legal FIPS semantics, only + * those semantics that might possibly change due to algorithms dropping + * of the security policy late in the process. */ +/* handy common flag types */ +#define CKF_KPG CKF_GENERATE_KEY_PAIR +#define CKF_GEN CKF_GENERATE +#define CKF_SGN (CKF_SIGN | CKF_VERIFY) +#define CKF_ENC (CKF_ENCRYPT | CKF_DECRYPT | CKF_WRAP | CKF_UNWRAP) +#define CKF_KEK (CKF_WRAP | CKF_UNWRAP) +#define CKF_KEA CKF_DERIVE +#define CKF_KDF CKF_DERIVE +#define CKF_HSH CKF_DIGEST +#define CK_MAX 0xffffffffUL +/* mechanisms using the same key types share the same key type + * limits */ +#define RSA_FB_KEY 2048, 4096 /* min, max */ +#define RSA_FB_STEP 1 +#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */ +#define RSA_LEGACY_FB_STEP 256 + +#define DSA_FB_KEY 2048, 4096 /* min, max */ +#define DSA_FB_STEP 1024 +#define DH_FB_KEY 2048, 8192 /* min, max */ +#define DH_FB_STEP 1024 +#define EC_FB_KEY 256, 521 /* min, max */ +#define EC_FB_STEP 1 /* key limits handled by special operation */ +#define AES_FB_KEY 128, 256 +#define AES_FB_STEP 64 + { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, + + /* -------------- RSA Multipart Signing Operations -------------------- */ + { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, + { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, + /* ------------------------- DSA Operations --------------------------- */ + { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, + { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, + { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, + { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, + /* -------------------- Diffie Hellman Operations --------------------- */ + { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH }, + { CKM_DH_PKCS_DERIVE, { DH_FB_KEY, CKF_KEA }, DH_FB_STEP, SFTKFIPSDH }, + /* -------------------- Elliptic Curve Operations --------------------- */ + { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + /* ------------------------- RC2 Operations --------------------------- */ + /* ------------------------- AES Operations --------------------------- */ + { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD }, + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + /* ------------------------- Hashing Operations ----------------------- */ + { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, + /* --------------------- Secret Key Operations ------------------------ */ + { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, + /* ---------------------- SSL/TLS operations ------------------------- */ + { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + + /* ------------------------- HKDF Operations -------------------------- */ + { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, + /* ------------------ NIST 800-108 Key Derivations ------------------- */ + { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + /* --------------------IPSEC ----------------------- */ + { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_IKE_PRF_DERIVE, { 112, 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + /* ------------------ PBE Key Derivations ------------------- */ + { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 }, +}; +const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs); diff --git a/SOURCES/nss-3.66-disable-signature-policies.patch b/SOURCES/nss-3.66-disable-signature-policies.patch index 3329634..001983d 100644 --- a/SOURCES/nss-3.66-disable-signature-policies.patch +++ b/SOURCES/nss-3.66-disable-signature-policies.patch @@ -1,7 +1,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c ---- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2021-06-03 10:08:49.988118880 -0700 -+++ ./lib/pk11wrap/pk11pars.c 2021-06-03 10:16:26.059935708 -0700 -@@ -391,12 +391,9 @@ static const oidValDef signOptList[] = { +--- ./lib/pk11wrap/pk11pars.c.no_signature_policy 2023-06-21 08:54:54.802785229 +0200 ++++ ./lib/pk11wrap/pk11pars.c 2023-06-21 08:58:24.748282499 +0200 +@@ -395,12 +395,9 @@ static const oidValDef signOptList[] = { /* Signatures */ { CIPHER_NAME("DSA"), SEC_OID_ANSIX9_DSA_SIGNATURE, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, @@ -17,7 +17,7 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c }; typedef struct { -@@ -412,7 +409,7 @@ static const algListsDef algOptLists[] = +@@ -416,7 +413,7 @@ static const algListsDef algOptLists[] = { macOptList, PR_ARRAY_SIZE(macOptList), "MAC", PR_FALSE }, { cipherOptList, PR_ARRAY_SIZE(cipherOptList), "CIPHER", PR_FALSE }, { kxOptList, PR_ARRAY_SIZE(kxOptList), "OTHER-KX", PR_FALSE }, @@ -26,9 +26,9 @@ diff -up ./lib/pk11wrap/pk11pars.c.no_signature_policy ./lib/pk11wrap/pk11pars.c }; static const optionFreeDef sslOptList[] = { -diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt ---- ./tests/ssl/sslpolicy.txt.policy_revert 2020-11-04 10:31:20.837715397 -0800 -+++ ./tests/ssl/sslpolicy.txt 2020-11-04 10:33:19.598357223 -0800 +diff -up ./tests/ssl/sslpolicy.txt.no_signature_policy ./tests/ssl/sslpolicy.txt +--- ./tests/ssl/sslpolicy.txt.no_signature_policy 2023-06-21 09:00:17.720181306 +0200 ++++ ./tests/ssl/sslpolicy.txt 2023-06-21 09:00:55.637501208 +0200 @@ -193,7 +193,9 @@ 1 noECC SSL3 d disallow=all_allow=hmac-sha1:sha256:rsa-pkcs:rsa:des-ede3-cbc:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly Narrow 1 noECC SSL3 d disallow=all_allow=md2/all:md4/all:md5/all:sha1/all:sha256/all:sha384/all:sha512/all:rsa-pkcs/all:rsa-pss/all:ecdsa/all:dsa/all:hmac-sha1/all:hmac-sha224/all:hmac-sha256/all:hmac-sha384/all:hmac-sha512/all:hmac-md5/all:camellia128-cbc/all:camellia192-cbc/all:camellia256-cbc/all:seed-cbc/all:des-ede3-cbc/all:des-40-cbc/all:des-cbc/all:null-cipher/all:rc2/all:rc4/all:idea/all:rsa/all:rsa-export/all:dhe-rsa/all:dhe-dss/all:ecdhe-ecdsa/all:ecdhe-rsa/all:ecdh-ecdsa/all:ecdh-rsa/all:tls-version-min=tls1.0:tls-version-max=tls1.2 Disallow Version Implicitly @@ -37,6 +37,6 @@ diff -up ./tests/ssl/sslpolicy.txt.policy_revert ./tests/ssl/sslpolicy.txt +# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary +# compatibility reasons +# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly - # test default settings - # NOTE: tstclient will attempt to overide the defaults, so we detect we - # were successful by locking in our settings + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing + 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL diff --git a/SOURCES/nss-3.71-camellia-pkcs12-doc.patch b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch new file mode 100644 index 0000000..f14b5a9 --- /dev/null +++ b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch @@ -0,0 +1,20 @@ +diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml +--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800 ++++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800 +@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre + + + Password Encryption +- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. ++ PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. + The private key is always protected with strong encryption by default. + Several types of ciphers are supported. + +@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre + + + PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") ++ PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC") + + + diff --git a/SOURCES/nss-3.79-dont-verify-default.patch b/SOURCES/nss-3.79-dont-verify-default.patch deleted file mode 100644 index 6c747b6..0000000 --- a/SOURCES/nss-3.79-dont-verify-default.patch +++ /dev/null @@ -1,170 +0,0 @@ -diff --git a/lib/softoken/legacydb/pcertdb.c b/lib/softoken/legacydb/pcertdb.c ---- a/lib/softoken/legacydb/pcertdb.c -+++ b/lib/softoken/legacydb/pcertdb.c -@@ -4272,16 +4272,17 @@ CreateTrust(void) - { - NSSLOWCERTTrust *trust = NULL; - - nsslowcert_LockFreeList(); - trust = trustListHead; - if (trust) { - trustListCount--; - trustListHead = trust->next; -+ trust->next = NULL; - } - PORT_Assert(trustListCount >= 0); - nsslowcert_UnlockFreeList(); - if (trust) { - return trust; - } - - return PORT_ZNew(NSSLOWCERTTrust); -@@ -5155,19 +5156,21 @@ done: - } - - PRBool - nsslowcert_hasTrust(NSSLOWCERTCertTrust *trust) - { - if (trust == NULL) { - return PR_FALSE; - } -- return !((trust->sslFlags & CERTDB_TRUSTED_UNKNOWN) && -- (trust->emailFlags & CERTDB_TRUSTED_UNKNOWN) && -- (trust->objectSigningFlags & CERTDB_TRUSTED_UNKNOWN)); -+ /* if we only have CERTDB__USER and CERTDB_TRUSTED_UNKNOWN bits, then -+ * we don't have a trust record. */ -+ return !(((trust->sslFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) && -+ ((trust->emailFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0) && -+ ((trust->objectSigningFlags & ~(CERTDB_USER|CERTDB_TRUSTED_UNKNOWN)) == 0)); - } - - /* - * This function has the logic that decides if another person's cert and - * email profile from an S/MIME message should be saved. It can deal with - * the case when there is no profile. - */ - static SECStatus -diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c ---- a/lib/softoken/sftkdb.c -+++ b/lib/softoken/sftkdb.c -@@ -119,47 +119,79 @@ sftkdb_isAuthenticatedAttribute(CK_ATTRI - case CKA_TRUST_STEP_UP_APPROVED: - case CKA_NSS_OVERRIDE_EXTENSIONS: - return PR_TRUE; - default: - break; - } - return PR_FALSE; - } -- - /* - * convert a native ULONG to a database ulong. Database ulong's - * are all 4 byte big endian values. - */ - void - sftk_ULong2SDBULong(unsigned char *data, CK_ULONG value) - { - int i; - - for (i = 0; i < SDB_ULONG_SIZE; i++) { - data[i] = (value >> (SDB_ULONG_SIZE - 1 - i) * BBP) & 0xff; - } - } - - /* - * convert a database ulong back to a native ULONG. (reverse of the above -- * function. -+ * function). - */ - static CK_ULONG - sftk_SDBULong2ULong(unsigned char *data) - { - int i; - CK_ULONG value = 0; - - for (i = 0; i < SDB_ULONG_SIZE; i++) { - value |= (((CK_ULONG)data[i]) << (SDB_ULONG_SIZE - 1 - i) * BBP); - } - return value; - } - -+/* certain trust records are default values, which are the values -+ * returned if the signature check fails anyway. -+ * In those cases, we can skip the signature check. */ -+PRBool -+sftkdb_isNullTrust(const CK_ATTRIBUTE *template) -+{ -+ switch (template->type) { -+ case CKA_TRUST_SERVER_AUTH: -+ case CKA_TRUST_CLIENT_AUTH: -+ case CKA_TRUST_EMAIL_PROTECTION: -+ case CKA_TRUST_CODE_SIGNING: -+ if (template->ulValueLen != SDB_ULONG_SIZE) { -+ break; -+ } -+ if (sftk_SDBULong2ULong(template->pValue) == -+ CKT_NSS_TRUST_UNKNOWN) { -+ return PR_TRUE; -+ } -+ break; -+ case CKA_TRUST_STEP_UP_APPROVED: -+ if (template->ulValueLen != 1) { -+ break; -+ } -+ if (*((unsigned char *)(template->pValue)) == 0) { -+ return PR_TRUE; -+ } -+ break; -+ default: -+ break; -+ } -+ return PR_FALSE; -+} -+ - /* - * fix up the input templates. Our fixed up ints are stored in data and must - * be freed by the caller. The new template must also be freed. If there are no - * CK_ULONG attributes, the orignal template is passed in as is. - */ - static CK_ATTRIBUTE * - sftkdb_fixupTemplateIn(const CK_ATTRIBUTE *template, int count, - unsigned char **dataOut, int *dataOutSize) -@@ -410,17 +442,18 @@ sftkdb_fixupTemplateOut(CK_ATTRIBUTE *te - } - - /* copy the plain text back into the template */ - PORT_Memcpy(template[i].pValue, plainText->data, plainText->len); - template[i].ulValueLen = plainText->len; - SECITEM_ZfreeItem(plainText, PR_TRUE); - } - /* make sure signed attributes are valid */ -- if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type)) { -+ if (checkSig && sftkdb_isAuthenticatedAttribute(ntemplate[i].type) -+ && !sftkdb_isNullTrust(&ntemplate[i])) { - SECStatus rv; - CK_RV local_crv; - SECItem signText; - SECItem plainText; - unsigned char signData[SDB_MAX_META_DATA_LEN]; - - signText.data = signData; - signText.len = sizeof(signData); -@@ -2387,16 +2420,18 @@ sftkdb_mergeObject(SFTKDBHandle *handle, - crv = (*source->sdb_GetAttributeValue)(source, id, - ptemplate, max_attributes); - if (crv != CKR_OK) { - goto loser; - } - - objectType = sftkdb_getULongFromTemplate(CKA_CLASS, ptemplate, - max_attributes); -+/*printf(" - merging object Type 0x%08lx id=0x%08lx updateID=%s\n", objectType, id, -+ handle->updateID?handle->updateID: "");*/ - - /* - * Update Object updates the object template if necessary then returns - * whether or not we need to actually write the object out to our target - * database. - */ - if (!handle->updateID) { - crv = sftkdb_CreateObject(arena, handle, target, &newID, diff --git a/SOURCES/nss-3.79-enable-POST-rerun.patch b/SOURCES/nss-3.79-enable-POST-rerun.patch deleted file mode 100644 index 47c1ff8..0000000 --- a/SOURCES/nss-3.79-enable-POST-rerun.patch +++ /dev/null @@ -1,522 +0,0 @@ -diff --git a/cmd/bltest/blapitest.c b/cmd/bltest/blapitest.c ---- a/cmd/bltest/blapitest.c -+++ b/cmd/bltest/blapitest.c -@@ -3870,17 +3870,17 @@ main(int argc, char **argv) - rv = blapi_selftest(modesToTest, numModesToTest, inoff, outoff, - encrypt, decrypt); - PORT_Free(cipherInfo); - return rv == SECSuccess ? 0 : 1; - } - - /* Do FIPS self-test */ - if (bltest.commands[cmd_FIPS].activated) { -- CK_RV ckrv = sftk_FIPSEntryOK(); -+ CK_RV ckrv = sftk_FIPSEntryOK(PR_FALSE); - fprintf(stdout, "CK_RV: %ld.\n", ckrv); - PORT_Free(cipherInfo); - if (ckrv == CKR_OK) - return SECSuccess; - return SECFailure; - } - - /* -diff --git a/cmd/pk11mode/pk11mode.c b/cmd/pk11mode/pk11mode.c ---- a/cmd/pk11mode/pk11mode.c -+++ b/cmd/pk11mode/pk11mode.c -@@ -318,23 +318,25 @@ static PRBool verbose = PR_FALSE; - - int - main(int argc, char **argv) - { - CK_C_GetFunctionList pC_GetFunctionList; - CK_FUNCTION_LIST_PTR pFunctionList; - CK_RV crv = CKR_OK; - CK_C_INITIALIZE_ARGS_NSS initArgs; -+ CK_C_INITIALIZE_ARGS_NSS initArgsRerun; /* rerun selftests */ - CK_SLOT_ID *pSlotList = NULL; - CK_TOKEN_INFO tokenInfo; - CK_ULONG slotID = 0; /* slotID == 0 for FIPSMODE */ - - CK_UTF8CHAR *pwd = NULL; - CK_ULONG pwdLen = 0; - char *moduleSpec = NULL; -+ char *moduleSpecRerun = NULL; - char *configDir = NULL; - char *dbPrefix = NULL; - char *disableUnload = NULL; - PRBool doForkTests = PR_TRUE; - - PLOptStatus os; - PLOptState *opt = PL_CreateOptState(argc, argv, "nvhf:Fd:p:"); - while (PL_OPT_EOL != (os = PL_GetNextOpt(opt))) { -@@ -458,18 +460,23 @@ main(int argc, char **argv) - initArgs.CreateMutex = NULL; - initArgs.DestroyMutex = NULL; - initArgs.LockMutex = NULL; - initArgs.UnlockMutex = NULL; - initArgs.flags = CKF_OS_LOCKING_OK; - moduleSpec = PR_smprintf("configdir='%s' certPrefix='%s' " - "keyPrefix='%s' secmod='secmod.db' flags= ", - configDir, dbPrefix, dbPrefix); -+ moduleSpecRerun = PR_smprintf("configdir='%s' certPrefix='%s' " -+ "keyPrefix='%s' secmod='secmod.db' flags=forcePOST ", -+ configDir, dbPrefix, dbPrefix); - initArgs.LibraryParameters = (CK_CHAR_PTR *)moduleSpec; - initArgs.pReserved = NULL; -+ initArgsRerun = initArgs; -+ initArgsRerun.LibraryParameters = (CK_CHAR_PTR *)moduleSpecRerun; - - /*DebugBreak();*/ - /* FIPSMODE invokes FC_Initialize as pFunctionList->C_Initialize */ - /* NSS cryptographic module library initialization for the FIPS */ - /* Approved mode when FC_Initialize is envoked will perfom */ - /* software integrity test, and power-up self-tests before */ - /* FC_Initialize returns */ - crv = pFunctionList->C_Initialize(&initArgs); -@@ -705,17 +712,17 @@ main(int argc, char **argv) - PKM_Error("PKM_HybridMode failed with 0x%08X, %-26s\n", crv, - PKM_CK_RVtoStr(crv)); - goto cleanup; - } - - if (doForkTests) { - /* testing one more C_Initialize / C_Finalize to exercise getpid() - * fork check code */ -- crv = pFunctionList->C_Initialize(&initArgs); -+ crv = pFunctionList->C_Initialize(&initArgsRerun); - if (crv == CKR_OK) { - PKM_LogIt("C_Initialize succeeded\n"); - } else { - PKM_Error("C_Initialize failed with 0x%08X, %-26s\n", crv, - PKM_CK_RVtoStr(crv)); - goto cleanup; - } - crv = pFunctionList->C_Finalize(NULL); -@@ -741,16 +748,19 @@ cleanup: - free(configDir); - } - if (dbPrefix) { - free(dbPrefix); - } - if (moduleSpec) { - PR_smprintf_free(moduleSpec); - } -+ if (moduleSpecRerun) { -+ PR_smprintf_free(moduleSpecRerun); -+ } - - #ifdef _WIN32 - FreeLibrary(hModule); - #else - disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); - if (!disableUnload) { - PR_UnloadLibrary(lib); - } -diff --git a/lib/freebl/blapii.h b/lib/freebl/blapii.h ---- a/lib/freebl/blapii.h -+++ b/lib/freebl/blapii.h -@@ -24,17 +24,17 @@ typedef SECStatus (*freeblAeadFunc)(void - void *params, unsigned int paramsLen, - const unsigned char *aad, unsigned int aadLen, - unsigned int blocksize); - typedef void (*freeblDestroyFunc)(void *cx, PRBool freeit); - - SEC_BEGIN_PROTOS - - #ifndef NSS_FIPS_DISABLED --SECStatus BL_FIPSEntryOK(PRBool freeblOnly); -+SECStatus BL_FIPSEntryOK(PRBool freeblOnly, PRBool rerun); - PRBool BL_POSTRan(PRBool freeblOnly); - #endif - - #if defined(XP_UNIX) && !defined(NO_FORK_CHECK) - - extern PRBool bl_parentForkedAfterC_Initialize; - - #define SKIP_AFTER_FORK(x) \ -diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h ---- a/lib/freebl/blapit.h -+++ b/lib/freebl/blapit.h -@@ -223,16 +223,21 @@ typedef int __BLAPI_DEPRECATED __attribu - * - * If we arbitrarily set p = 10^-18 (1 chance in trillion trillion operation) - * we get GCMIV_RANDOM_BIRTHDAY_BITS = -(-18)/.301 -1 = 59 (.301 = log10 2) - * GCMIV_RANDOM_BIRTHDAY_BITS should be at least 59, call it a round 64. NOTE: - * the variable IV size for TLS is 64 bits, which explains why it's not safe - * to use a random value for the nonce in TLS. */ - #define GCMIV_RANDOM_BIRTHDAY_BITS 64 - -+/* flag to tell BLAPI_Verify* to rerun the post and integrity tests */ -+#define BLAPI_FIPS_RERUN_FLAG '\377' /* 0xff, 255 invalide code for UFT8/ASCII */ -+#define BLAPI_FIPS_RERUN_FLAG_STRING "\377" /* The above as a C string */ -+ -+ - /*************************************************************************** - ** Opaque objects - */ - - struct DESContextStr; - struct RC2ContextStr; - struct RC4ContextStr; - struct RC5ContextStr; -diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c ---- a/lib/freebl/fipsfreebl.c -+++ b/lib/freebl/fipsfreebl.c -@@ -2211,29 +2211,37 @@ bl_startup_tests(void) - } - - /* - * this is called from the freebl init entry points that controll access to - * all other freebl functions. This prevents freebl from operating if our - * power on selftest failed. - */ - SECStatus --BL_FIPSEntryOK(PRBool freebl_only) -+BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun) - { - #ifdef NSS_NO_INIT_SUPPORT - /* this should only be set on platforms that can't handle one of the INIT - * schemes. This code allows those platforms to continue to function, - * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT - * is not set, and init support has not been properly enabled, freebl - * will always fail because of the test below - */ - if (!self_tests_freebl_ran) { - bl_startup_tests(); - } - #endif -+ if (rerun) { -+ /* reset the flags */ -+ self_tests_freebl_ran = PR_FALSE; -+ self_tests_success = PR_FALSE; -+ self_tests_success = PR_FALSE; -+ self_tests_freebl_success = PR_FALSE; -+ bl_startup_tests(); -+ } - /* if the general self tests succeeded, we're done */ - if (self_tests_success) { - return SECSuccess; - } - /* standalone freebl can initialize */ - if (freebl_only && self_tests_freebl_success) { - return SECSuccess; - } -diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c ---- a/lib/freebl/nsslowhash.c -+++ b/lib/freebl/nsslowhash.c -@@ -55,17 +55,17 @@ NSSLOW_Init(void) - #ifdef FREEBL_NO_DEPEND - (void)FREEBL_InitStubs(); - #endif - - #ifndef NSS_FIPS_DISABLED - /* make sure the FIPS product is installed if we are trying to - * go into FIPS mode */ - if (nsslow_GetFIPSEnabled()) { -- if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) { -+ if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - post_failed = PR_TRUE; - return NULL; - } - } - #endif - post_failed = PR_FALSE; - -diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c ---- a/lib/freebl/shvfy.c -+++ b/lib/freebl/shvfy.c -@@ -282,52 +282,62 @@ readItem(PRFileDesc *fd, SECItem *item) - PORT_Free(item->data); - item->data = NULL; - item->len = 0; - return SECFailure; - } - return SECSuccess; - } - --static PRBool blapi_SHVerifyFile(const char *shName, PRBool self); -+static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun); - - static PRBool --blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self) -+blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun) - { - PRBool result = PR_FALSE; /* if anything goes wrong, - * the signature does not verify */ - /* find our shared library name */ - char *shName = PR_GetLibraryFilePathname(name, addr); - if (!shName) { - goto loser; - } -- result = blapi_SHVerifyFile(shName, self); -+ result = blapi_SHVerifyFile(shName, self, rerun); - - loser: - if (shName != NULL) { - PR_Free(shName); - } - - return result; - } - - PRBool - BLAPI_SHVerify(const char *name, PRFuncPtr addr) - { -- return blapi_SHVerify(name, addr, PR_FALSE); -+ PRBool rerun = PR_FALSE; -+ if (name && *name == BLAPI_FIPS_RERUN_FLAG) { -+ name++; -+ rerun = PR_TRUE; -+ } -+ return blapi_SHVerify(name, addr, PR_FALSE, rerun); - } - - PRBool - BLAPI_SHVerifyFile(const char *shName) - { -- return blapi_SHVerifyFile(shName, PR_FALSE); -+ PRBool rerun = PR_FALSE; -+ if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) { -+ shName++; -+ rerun = PR_TRUE; -+ } -+ return blapi_SHVerifyFile(shName, PR_FALSE, rerun); - } - - static PRBool --blapi_SHVerifyFile(const char *shName, PRBool self) -+blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun) - { - char *checkName = NULL; - PRFileDesc *checkFD = NULL; - PRFileDesc *shFD = NULL; - void *hashcx = NULL; - const SECHashObject *hashObj = NULL; - SECItem signature = { 0, NULL, 0 }; - SECItem hash; -@@ -346,17 +356,17 @@ blapi_SHVerifyFile(const char *shName, P - unsigned char hashBuf[HASH_LENGTH_MAX]; - - PORT_Memset(&key, 0, sizeof(key)); - hash.data = hashBuf; - hash.len = sizeof(hashBuf); - - /* If our integrity check was never ran or failed, fail any other - * integrity checks to prevent any token going into FIPS mode. */ -- if (!self && (BL_FIPSEntryOK(PR_FALSE) != SECSuccess)) { -+ if (!self && (BL_FIPSEntryOK(PR_FALSE, rerun) != SECSuccess)) { - return PR_FALSE; - } - - if (!shName) { - goto loser; - } - - /* figure out the name of our check file */ -@@ -536,17 +546,17 @@ BLAPI_VerifySelf(const char *name) - { - if (name == NULL) { - /* - * If name is NULL, freebl is statically linked into softoken. - * softoken will call BLAPI_SHVerify next to verify itself. - */ - return PR_TRUE; - } -- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE); -+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE); - } - - #else /* NSS_FIPS_DISABLED */ - - PRBool - BLAPI_SHVerifyFile(const char *shName) - { - return PR_FALSE; -diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c ---- a/lib/softoken/fipstest.c -+++ b/lib/softoken/fipstest.c -@@ -684,22 +684,25 @@ sftk_fips_HKDF_PowerUpSelfTest(void) - - static PRBool sftk_self_tests_ran = PR_FALSE; - static PRBool sftk_self_tests_success = PR_FALSE; - - /* - * This function is called at dll load time, the code tha makes this - * happen is platform specific on defined above. - */ --static void --sftk_startup_tests(void) -+void sftk_startup_tests_with_rerun(PRBool rerun) - { - SECStatus rv; -- const char *libraryName = SOFTOKEN_LIB_NAME; -- -+ /*const char *nlibraryName = SOFTOKEN_LIB_NAME; -+ const char *rlibraryName = BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME; */ -+ const char *libraryName = rerun ? -+ BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : -+ SOFTOKEN_LIB_NAME; -+ - PORT_Assert(!sftk_self_tests_ran); - PORT_Assert(!sftk_self_tests_success); - sftk_self_tests_ran = PR_TRUE; - sftk_self_tests_success = PR_FALSE; /* just in case */ - - /* need to initiallize the oid library before the RSA tests */ - rv = SECOID_Init(); - if (rv != SECSuccess) { -@@ -746,35 +749,46 @@ sftk_startup_tests(void) - rv = sftk_fips_pbkdf_PowerUpSelfTests(); - if (rv != SECSuccess) { - return; - } - - sftk_self_tests_success = PR_TRUE; - } - -+static void -+sftk_startup_tests(void) -+{ -+ sftk_startup_tests_with_rerun(PR_FALSE); -+} -+ - /* - * this is called from nsc_Common_Initizialize entry points that gates access - * to * all other pkcs11 functions. This prevents softoken operation if our - * power on selftest failed. - */ - CK_RV --sftk_FIPSEntryOK() -+sftk_FIPSEntryOK(PRBool rerun) - { - #ifdef NSS_NO_INIT_SUPPORT - /* this should only be set on platforms that can't handle one of the INIT - * schemes. This code allows those platforms to continue to function, - * though they don't meet the strict NIST requirements. If NSS_NO_INIT_SUPPORT - * is not set, and init support has not been properly enabled, softken - * will always fail because of the test below - */ - if (!sftk_self_tests_ran) { - sftk_startup_tests(); - } - #endif -+ if (rerun) { -+ sftk_self_tests_ran = PR_FALSE; -+ sftk_self_tests_success = PR_FALSE; -+ sftk_startup_tests_with_rerun(PR_TRUE); -+ } - if (!sftk_self_tests_success) { - return CKR_DEVICE_ERROR; - } - return CKR_OK; - } - #else - #include "pkcs11t.h" - CK_RV -diff --git a/lib/softoken/fipstokn.c b/lib/softoken/fipstokn.c ---- a/lib/softoken/fipstokn.c -+++ b/lib/softoken/fipstokn.c -@@ -524,25 +524,32 @@ fc_log_init_error(CK_RV crv) - } - - /* FC_Initialize initializes the PKCS #11 library. */ - CK_RV - FC_Initialize(CK_VOID_PTR pReserved) - { - const char *envp; - CK_RV crv; -+ PRBool rerun; - - if ((envp = PR_GetEnv("NSS_ENABLE_AUDIT")) != NULL) { - sftk_audit_enabled = (atoi(envp) == 1); - } - -+ /* if we have the forcePOST flag on, rerun the integrity checks */ -+ /* we need to know this before we fully parse the arguments in -+ * nsc_CommonInitialize, so read it now */ -+ rerun = sftk_RawArgHasFlag("flags", "forcePost", pReserved); -+ - /* At this point we should have already done post and integrity checks. - * if we haven't, it probably means the FIPS product has not been installed -- * or the tests failed. Don't let an application try to enter FIPS mode */ -- crv = sftk_FIPSEntryOK(); -+ * or the tests failed. Don't let an application try to enter FIPS mode. This -+ * also forces the tests to be rerun if forcePOST is set. */ -+ crv = sftk_FIPSEntryOK(rerun); - if (crv != CKR_OK) { - sftk_fatalError = PR_TRUE; - fc_log_init_error(crv); - return crv; - } - - sftk_ForkReset(pReserved, &crv); - -diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h ---- a/lib/softoken/pkcs11i.h -+++ b/lib/softoken/pkcs11i.h -@@ -869,16 +869,17 @@ extern CK_RV sftk_MechAllowsOperation(CK - * acquiring a reference to the keydb from the slot */ - NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey); - - /* - * parameter parsing functions - */ - CK_RV sftk_parseParameters(char *param, sftk_parameters *parsed, PRBool isFIPS); - void sftk_freeParams(sftk_parameters *params); -+PRBool sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved); - - /* - * narrow objects - */ - SFTKSessionObject *sftk_narrowToSessionObject(SFTKObject *); - SFTKTokenObject *sftk_narrowToTokenObject(SFTKObject *); - - /* -diff --git a/lib/softoken/sftkpars.c b/lib/softoken/sftkpars.c ---- a/lib/softoken/sftkpars.c -+++ b/lib/softoken/sftkpars.c -@@ -244,8 +244,21 @@ sftk_freeParams(sftk_parameters *params) - FREE_CLEAR(params->configdir); - FREE_CLEAR(params->secmodName); - FREE_CLEAR(params->man); - FREE_CLEAR(params->libdes); - FREE_CLEAR(params->tokens); - FREE_CLEAR(params->updatedir); - FREE_CLEAR(params->updateID); - } -+ -+PRBool -+sftk_RawArgHasFlag(const char *entry, const char *flag, const void *pReserved) -+{ -+ CK_C_INITIALIZE_ARGS *init_args = (CK_C_INITIALIZE_ARGS *)pReserved; -+ -+ /* if we don't have any params, the flag isn't set */ -+ if ((!init_args || !init_args->LibraryParameters)) { -+ return PR_FALSE; -+ } -+ -+ return NSSUTIL_ArgHasFlag(entry, flag, (const char *)init_args->LibraryParameters); -+} -diff --git a/lib/softoken/softoken.h b/lib/softoken/softoken.h ---- a/lib/softoken/softoken.h -+++ b/lib/softoken/softoken.h -@@ -52,17 +52,17 @@ extern unsigned char *CBC_PadBuffer(PLAr - unsigned int inlen, unsigned int *outlen, - int blockSize); - - /****************************************/ - /* - ** Power-Up selftests are required for FIPS. - */ - /* make sure Power-up selftests have been run. */ --extern CK_RV sftk_FIPSEntryOK(void); -+extern CK_RV sftk_FIPSEntryOK(PRBool rerun); - - /* - ** make known fixed PKCS #11 key types to their sizes in bytes - */ - unsigned long sftk_MapKeySize(CK_KEY_TYPE keyType); - - /* - ** FIPS 140-2 auditing diff --git a/SOURCES/nss-3.79-fips-review.patches b/SOURCES/nss-3.79-fips-review.patches new file mode 100644 index 0000000..14c904a --- /dev/null +++ b/SOURCES/nss-3.79-fips-review.patches @@ -0,0 +1,497 @@ +diff -up ./lib/freebl/dh.c.fips-review ./lib/freebl/dh.c +--- ./lib/freebl/dh.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/freebl/dh.c 2023-06-12 15:30:23.453233170 -0700 +@@ -445,7 +445,7 @@ cleanup: + PRBool + KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) + { +- mp_int p, q, y, r; ++ mp_int p, q, y, r, psub1; + mp_err err; + int cmp = 1; /* default is false */ + if (!Y || !prime || !subPrime) { +@@ -456,13 +456,30 @@ KEA_Verify(SECItem *Y, SECItem *prime, S + MP_DIGITS(&q) = 0; + MP_DIGITS(&y) = 0; + MP_DIGITS(&r) = 0; ++ MP_DIGITS(&psub1) = 0; + CHECK_MPI_OK(mp_init(&p)); + CHECK_MPI_OK(mp_init(&q)); + CHECK_MPI_OK(mp_init(&y)); + CHECK_MPI_OK(mp_init(&r)); ++ CHECK_MPI_OK(mp_init(&psub1)); + SECITEM_TO_MPINT(*prime, &p); + SECITEM_TO_MPINT(*subPrime, &q); + SECITEM_TO_MPINT(*Y, &y); ++ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); ++ /* ++ * We check that the public value isn't zero (which isn't in the ++ * group), one (subgroup of order one) or p-1 (subgroup of order 2). We ++ * also check that the public value is less than p, to avoid being fooled ++ * by values like p+1 or 2*p-1. ++ * This check is required by SP-800-56Ar3. It's also done in derive, ++ * but this is only called in various FIPS cases, so put it here to help ++ * reviewers find it. ++ */ ++ if (mp_cmp_d(&y, 1) <= 0 || ++ mp_cmp(&y, &psub1) >= 0) { ++ err = MP_BADARG; ++ goto cleanup; ++ } + /* compute r = y**q mod p */ + CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); + /* compare to 1 */ +@@ -472,6 +489,7 @@ cleanup: + mp_clear(&q); + mp_clear(&y); + mp_clear(&r); ++ mp_clear(&psub1); + if (err) { + MP_TO_SEC_ERROR(err); + return PR_FALSE; +diff -up ./lib/softoken/pkcs11c.c.fips-review ./lib/softoken/pkcs11c.c +--- ./lib/softoken/pkcs11c.c.fips-review 2023-06-12 15:29:04.096403884 -0700 ++++ ./lib/softoken/pkcs11c.c 2023-06-12 15:30:23.454233181 -0700 +@@ -4785,6 +4785,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + * handle the base object stuff + */ + crv = sftk_handleObject(key, session); ++ /* we need to do this check at the end, so we can check the generated ++ * key length against fips requirements */ ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); ++ session->lastOpWasFIPS = key->isFIPS; + sftk_FreeSession(session); + if (crv == CKR_OK && sftk_isTrue(key, CKA_SENSITIVE)) { + crv = sftk_forceAttribute(key, CKA_ALWAYS_SENSITIVE, &cktrue, sizeof(CK_BBOOL)); +@@ -4792,9 +4796,6 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + if (crv == CKR_OK && !sftk_isTrue(key, CKA_EXTRACTABLE)) { + crv = sftk_forceAttribute(key, CKA_NEVER_EXTRACTABLE, &cktrue, sizeof(CK_BBOOL)); + } +- /* we need to do this check at the end, so we can check the generated key length against +- * fips requirements */ +- key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE, key); + if (crv == CKR_OK) { + *phKey = key->handle; + } +@@ -5098,60 +5099,67 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + + if (isDerivable) { + SFTKAttribute *pubAttribute = NULL; +- CK_OBJECT_HANDLE newKey; + PRBool isFIPS = sftk_isFIPS(slot->slotID); +- CK_RV crv2; +- CK_OBJECT_CLASS secret = CKO_SECRET_KEY; +- CK_KEY_TYPE generic = CKK_GENERIC_SECRET; +- CK_ULONG keyLen = 128; +- CK_BBOOL ckTrue = CK_TRUE; +- CK_ATTRIBUTE template[] = { +- { CKA_CLASS, &secret, sizeof(secret) }, +- { CKA_KEY_TYPE, &generic, sizeof(generic) }, +- { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, +- { CKA_DERIVE, &ckTrue, sizeof(ckTrue) } +- }; +- CK_ULONG templateCount = PR_ARRAY_SIZE(template); +- CK_ECDH1_DERIVE_PARAMS ecParams; ++ NSSLOWKEYPrivateKey *lowPrivKey = NULL; ++ ECPrivateKey *ecPriv; ++ SECItem *lowPubValue = NULL; ++ SECItem item; ++ SECStatus rv; + + crv = CKR_OK; /*paranoia, already get's set before we drop to the end */ +- /* FIPS 140-2 requires we verify that the resulting key is a valid key. +- * The easiest way to do this is to do a derive operation, which checks +- * the validity of the key */ +- ++ /* FIPS 140-3 requires we verify that the resulting key is a valid key ++ * by recalculating the public can an compare it to our own public ++ * key. */ ++ lowPrivKey = sftk_GetPrivKey(privateKey, keyType, &crv); ++ if (lowPrivKey == NULL) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ /* recalculate the public key from the private key */ + switch (keyType) { +- case CKK_DH: +- mech.mechanism = CKM_DH_PKCS_DERIVE; +- pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); +- if (pubAttribute == NULL) { +- return CKR_DEVICE_ERROR; +- } +- mech.pParameter = pubAttribute->attrib.pValue; +- mech.ulParameterLen = pubAttribute->attrib.ulValueLen; +- break; +- case CKK_EC: +- mech.mechanism = CKM_ECDH1_DERIVE; +- pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); +- if (pubAttribute == NULL) { +- return CKR_DEVICE_ERROR; +- } +- ecParams.kdf = CKD_NULL; +- ecParams.ulSharedDataLen = 0; +- ecParams.pSharedData = NULL; +- ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen; +- ecParams.pPublicData = pubAttribute->attrib.pValue; +- mech.pParameter = &ecParams; +- mech.ulParameterLen = sizeof(ecParams); +- break; +- default: +- return CKR_DEVICE_ERROR; ++ case CKK_DH: ++ rv = DH_Derive(&lowPrivKey->u.dh.base, &lowPrivKey->u.dh.prime, ++ &lowPrivKey->u.dh.privateValue, &item, 0); ++ if (rv != SECSuccess) { ++ return CKR_GENERAL_ERROR; ++ } ++ lowPubValue = SECITEM_DupItem(&item); ++ SECITEM_ZfreeItem(&item, PR_FALSE); ++ pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE); ++ break; ++ case CKK_EC: ++ rv = EC_NewKeyFromSeed(&lowPrivKey->u.ec.ecParams, &ecPriv, ++ lowPrivKey->u.ec.privateValue.data, ++ lowPrivKey->u.ec.privateValue.len); ++ if (rv != SECSuccess) { ++ return CKR_GENERAL_ERROR; ++ } ++ /* make sure it has the same encoding */ ++ if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || ++ lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) { ++ lowPubValue = SECITEM_DupItem(&ecPriv->publicValue); ++ } else { ++ lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue, ++ SEC_ASN1_GET(SEC_OctetStringTemplate));; ++ } ++ pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT); ++ /* clear out our generated private key */ ++ PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE); ++ break; ++ default: ++ return CKR_DEVICE_ERROR; + } +- +- crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey); +- if (crv != CKR_OK) { +- sftk_FreeAttribute(pubAttribute); +- return crv; ++ /* now compare new public key with our already generated key */ ++ if ((pubAttribute == NULL) || (lowPubValue == NULL) || ++ (pubAttribute->attrib.ulValueLen != lowPubValue->len) || ++ (PORT_Memcmp(pubAttribute->attrib.pValue, lowPubValue->data, ++ lowPubValue->len) != 0)) { ++ if (pubAttribute) sftk_FreeAttribute(pubAttribute); ++ if (lowPubValue) SECITEM_ZfreeItem(lowPubValue, PR_TRUE); ++ PORT_SetError(SEC_ERROR_BAD_KEY); ++ return CKR_GENERAL_ERROR; + } ++ SECITEM_ZfreeItem(lowPubValue, PR_TRUE); ++ + /* FIPS requires full validation, but in fipx mode NSC_Derive + * only does partial validation with approved primes, now handle + * full validation */ +@@ -5159,44 +5167,78 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + SECItem pubKey; + SECItem prime; + SECItem subPrime; ++ SECItem base; ++ SECItem generator; + const SECItem *subPrimePtr = &subPrime; + + pubKey.data = pubAttribute->attrib.pValue; + pubKey.len = pubAttribute->attrib.ulValueLen; +- prime.data = subPrime.data = NULL; +- prime.len = subPrime.len = 0; ++ base.data = prime.data = subPrime.data = NULL; ++ base.len = prime.len = subPrime.len = 0; + crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME); + if (crv != CKR_OK) { + goto done; + } +- crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME); ++ crv = sftk_Attribute2SecItem(NULL, &base, privateKey, CKA_BASE); ++ if (crv != CKR_OK) { ++ goto done; ++ } + /* we ignore the return code an only look at the length */ +- if (subPrime.len == 0) { +- /* subprime not supplied, In this case look it up. +- * This only works with approved primes, but in FIPS mode +- * that's the only kine of prime that will get here */ +- subPrimePtr = sftk_VerifyDH_Prime(&prime, isFIPS); +- if (subPrimePtr == NULL) { +- crv = CKR_GENERAL_ERROR; ++ /* do we have a known prime ? */ ++ subPrimePtr = sftk_VerifyDH_Prime(&prime, &generator, isFIPS); ++ if (subPrimePtr == NULL) { ++ if (subPrime.len == 0) { ++ /* if not a known prime, subprime must be supplied */ ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } else { ++ /* not a known prime, check for primality of prime ++ * and subPrime */ ++ if (!KEA_PrimeCheck(&prime)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ if (!KEA_PrimeCheck(&subPrime)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ /* if we aren't using a defined group, make sure base is in the ++ * subgroup. If it's not, then our key could fail or succeed sometimes. ++ * This makes the failure reliable */ ++ if (!KEA_Verify(&base, &prime, (SECItem *)subPrimePtr)) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ } ++ } ++ subPrimePtr = &subPrime; ++ } else { ++ /* we're using a known group, make sure we are using the known generator for that group */ ++ if (SECITEM_CompareItem(&generator, &base) != 0) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; + goto done; + } ++ if (subPrime.len != 0) { ++ /* we have a known prime and a supplied subPrime, ++ * make sure the subPrime matches the subPrime for ++ * the known Prime */ ++ if (SECITEM_CompareItem(subPrimePtr, &subPrime) != 0) { ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; ++ goto done; ++ } ++ } + } + if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) { +- crv = CKR_GENERAL_ERROR; ++ crv = CKR_ATTRIBUTE_VALUE_INVALID; + } + done: ++ SECITEM_ZfreeItem(&base, PR_FALSE); + SECITEM_ZfreeItem(&subPrime, PR_FALSE); + SECITEM_ZfreeItem(&prime, PR_FALSE); + } + /* clean up before we return */ + sftk_FreeAttribute(pubAttribute); +- crv2 = NSC_DestroyObject(hSession, newKey); + if (crv != CKR_OK) { + return crv; + } +- if (crv2 != CKR_OK) { +- return crv2; +- } + } + + return CKR_OK; +@@ -5714,8 +5756,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + * created and linked. + */ + crv = sftk_handleObject(publicKey, session); +- sftk_FreeSession(session); + if (crv != CKR_OK) { ++ sftk_FreeSession(session); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); +@@ -5757,6 +5799,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + } + + if (crv != CKR_OK) { ++ sftk_FreeSession(session); + NSC_DestroyObject(hSession, publicKey->handle); + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); +@@ -5766,6 +5809,8 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + /* we need to do this check at the end to make sure the generated key meets the key length requirements */ + privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_NSS_GENERATE_KEY_PAIR, privateKey); + publicKey->isFIPS = privateKey->isFIPS; ++ session->lastOpWasFIPS = privateKey->isFIPS; ++ sftk_FreeSession(session); + + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; +@@ -8386,7 +8431,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + + /* if the prime is an approved prime, we can skip all the other + * checks. */ +- subPrime = sftk_VerifyDH_Prime(&dhPrime, isFIPS); ++ subPrime = sftk_VerifyDH_Prime(&dhPrime, NULL, isFIPS); + if (subPrime == NULL) { + SECItem dhSubPrime; + /* If the caller set the subprime value, it means that +@@ -8568,6 +8613,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + secretlen = tmp.len; + } else { + secretlen = keySize; ++ key->isFIPS = PR_FALSE; + crv = sftk_ANSI_X9_63_kdf(&secret, keySize, + &tmp, mechParams->pSharedData, + mechParams->ulSharedDataLen, mechParams->kdf); +diff -up ./lib/softoken/pkcs11.c.fips-review ./lib/softoken/pkcs11.c +--- ./lib/softoken/pkcs11.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/softoken/pkcs11.c 2023-06-12 15:30:23.454233181 -0700 +@@ -4625,7 +4625,10 @@ NSC_CreateObject(CK_SESSION_HANDLE hSess + if (object == NULL) { + return CKR_HOST_MEMORY; + } +- object->isFIPS = PR_FALSE; /* if we created the object on the fly, ++ /* object types that we aren't allowed to create in FIPS mode are ++ * already rejected explicitly. If we get here, then the object is ++ * FIPS OK (most notably public key objects )*/ ++ /* object->isFIPS = PR_FALSE; if we created the object on the fly, + * it's not a FIPS object */ + + /* +diff -up ./lib/softoken/pkcs11i.h.fips-review ./lib/softoken/pkcs11i.h +--- ./lib/softoken/pkcs11i.h.fips-review 2023-06-12 15:29:04.097403894 -0700 ++++ ./lib/softoken/pkcs11i.h 2023-06-12 15:30:23.454233181 -0700 +@@ -971,7 +971,7 @@ char **NSC_ModuleDBFunc(unsigned long fu + /* dh verify functions */ + /* verify that dhPrime matches one of our known primes, and if so return + * it's subprime value */ +-const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS); ++const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *generator, PRBool isFIPS); + /* check if dhSubPrime claims dhPrime is a safe prime. */ + SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); + /* map an operation Attribute to a Mechanism flag */ +diff -up ./lib/softoken/pkcs11u.c.fips-review ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips-review 2023-06-12 15:29:04.097403894 -0700 ++++ ./lib/softoken/pkcs11u.c 2023-06-12 15:30:23.454233181 -0700 +@@ -2403,15 +2403,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + switch (mechInfo->special) { + case SFTKFIPSDH: { + SECItem dhPrime; ++ SECItem dhBase; ++ SECItem dhGenerator; ++ PRBool val = PR_FALSE; + const SECItem *dhSubPrime; + CK_RV crv = sftk_Attribute2SecItem(NULL, &dhPrime, + source, CKA_PRIME); + if (crv != CKR_OK) { + return PR_FALSE; + } +- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE); ++ crv = sftk_Attribute2SecItem(NULL, &dhBase, source, CKA_BASE); ++ if (crv != CKR_OK) { ++ return PR_FALSE; ++ } ++ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, &dhGenerator, PR_TRUE); ++ val = (dhSubPrime) ? PR_TRUE : PR_FALSE; ++ if (val && (SECITEM_CompareItem(&dhBase, &dhGenerator) != 0)) { ++ val = PR_FALSE; ++ } + SECITEM_ZfreeItem(&dhPrime, PR_FALSE); +- return (dhSubPrime) ? PR_TRUE : PR_FALSE; ++ SECITEM_ZfreeItem(&dhBase, PR_FALSE); ++ return val; + } + case SFTKFIPSNone: + return PR_FALSE; +diff -up ./lib/softoken/sftkdhverify.c.fips-review ./lib/softoken/sftkdhverify.c +--- ./lib/softoken/sftkdhverify.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/softoken/sftkdhverify.c 2023-06-12 15:30:23.455233191 -0700 +@@ -6726,11 +6726,20 @@ static const SECItem subprime_tls_8192 = + (unsigned char *)subprime_tls_8192_data, + sizeof(subprime_tls_8192_data) }; + ++/* generator for all the groups is 2 */ ++static const unsigned char generator_2_data[] = { 2 }; ++ ++ ++static const SECItem generator_2 = ++ { siBuffer, ++ (unsigned char *)generator_2_data, ++ sizeof(generator_2_data) }; ++ + /* + * verify that dhPrime matches one of our known primes + */ + const SECItem * +-sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) ++sftk_VerifyDH_Prime(SECItem *dhPrime, SECItem *g, PRBool isFIPS) + { + /* use the length to decide which primes to check */ + switch (dhPrime->len) { +@@ -6741,56 +6750,67 @@ sftk_VerifyDH_Prime(SECItem *dhPrime, PR + } + if (PORT_Memcmp(dhPrime->data, prime_ike_1536, + sizeof(prime_ike_1536)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_1536; + } + break; + case 2048 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_2048, + sizeof(prime_tls_2048)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_2048; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_2048, + sizeof(prime_ike_2048)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_2048; + } + break; + case 3072 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_3072, + sizeof(prime_tls_3072)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_3072; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_3072, + sizeof(prime_ike_3072)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_3072; + } + break; + case 4096 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_4096, + sizeof(prime_tls_4096)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_4096; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_4096, + sizeof(prime_ike_4096)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_4096; + } + break; + case 6144 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_6144, + sizeof(prime_tls_6144)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_6144; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_6144, + sizeof(prime_ike_6144)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_6144; + } + break; + case 8192 / PR_BITS_PER_BYTE: + if (PORT_Memcmp(dhPrime->data, prime_tls_8192, + sizeof(prime_tls_8192)) == 0) { ++ if (g) *g = generator_2; + return &subprime_tls_8192; + } + if (PORT_Memcmp(dhPrime->data, prime_ike_8192, + sizeof(prime_ike_8192)) == 0) { ++ if (g) *g = generator_2; + return &subprime_ike_8192; + } + break; +diff -up ./lib/softoken/sftkike.c.fips-review ./lib/softoken/sftkike.c +--- ./lib/softoken/sftkike.c.fips-review 2023-06-04 01:42:53.000000000 -0700 ++++ ./lib/softoken/sftkike.c 2023-06-12 15:30:23.455233191 -0700 +@@ -516,6 +516,11 @@ sftk_ike_prf(CK_SESSION_HANDLE hSession, + goto fail; + } + } else { ++ /* ikev1 isn't validated, if we use this function in ikev1 mode, ++ * mark the resulting key as not FIPS */ ++ if (!params->bRekey) { ++ outKey->isFIPS = PR_FALSE; ++ } + crv = prf_init(&context, inKey->attrib.pValue, + inKey->attrib.ulValueLen); + if (crv != CKR_OK) { diff --git a/SOURCES/nss-3.79-fips.patch b/SOURCES/nss-3.79-fips.patch index eadcb26..07c500f 100644 --- a/SOURCES/nss-3.79-fips.patch +++ b/SOURCES/nss-3.79-fips.patch @@ -160,178 +160,19 @@ diff --git a/lib/softoken/config.mk b/lib/softoken/config.mk +DEFINES += -DNSS_FIPS_140_3 +endif + -diff --git a/lib/softoken/fips_algorithms.h b/lib/softoken/fips_algorithms.h ---- a/lib/softoken/fips_algorithms.h -+++ b/lib/softoken/fips_algorithms.h -@@ -49,33 +49,46 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] - #define CKF_KEK (CKF_WRAP | CKF_UNWRAP) - #define CKF_KEA CKF_DERIVE - #define CKF_KDF CKF_DERIVE - #define CKF_HSH CKF_DIGEST - #define CK_MAX 0xffffffffUL - /* mechanisms using the same key types share the same key type - * limits */ - #define RSA_FB_KEY 2048, 4096 /* min, max */ --#define RSA_FB_STEP 1024 -+#define RSA_FB_STEP 1 -+#define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */ -+#define RSA_LEGACY_FB_STEP 256 -+ - #define DSA_FB_KEY 2048, 4096 /* min, max */ - #define DSA_FB_STEP 1024 - #define DH_FB_KEY 2048, 4096 /* min, max */ - #define DH_FB_STEP 1024 - #define EC_FB_KEY 256, 521 /* min, max */ - #define EC_FB_STEP 1 /* key limits handled by special operation */ - #define AES_FB_KEY 128, 256 - #define AES_FB_STEP 64 - { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone }, -+ { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ - /* -------------- RSA Multipart Signing Operations -------------------- */ - { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, -+ { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone }, - { CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, - /* ------------------------- DSA Operations --------------------------- */ - { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, - { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, - { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, -@@ -95,76 +108,73 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] - { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, - { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, - { CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, - /* ------------------------- RC2 Operations --------------------------- */ - /* ------------------------- AES Operations --------------------------- */ - { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, -- { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, -- { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CTS, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_CTR, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_GCM, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSAEAD }, - { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, - { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, -- { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone }, -- { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone }, - /* ------------------------- Hashing Operations ----------------------- */ - { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, - { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_SHA224_HMAC_GENERAL, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_SHA256, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, -- { CKM_SHA256_HMAC, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone }, -- { CKM_SHA256_HMAC_GENERAL, { 128, 256, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA256_HMAC, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA256_HMAC_GENERAL, { 112, 256, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_SHA384, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, -- { CKM_SHA384_HMAC, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone }, -- { CKM_SHA384_HMAC_GENERAL, { 192, 384, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA384_HMAC, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA384_HMAC_GENERAL, { 112, 384, CKF_SGN }, 1, SFTKFIPSNone }, - { CKM_SHA512, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, -- { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, -- { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA512_HMAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_SHA512_HMAC_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - /* --------------------- Secret Key Operations ------------------------ */ -- { CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone }, -+ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, - /* ---------------------- SSL/TLS operations ------------------------- */ - { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_SHA384_KEY_DERIVATION, { 192, 284, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SHA256_KEY_DERIVATION, { 112, 256, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SHA384_KEY_DERIVATION, { 112, 284, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SHA512_KEY_DERIVATION, { 112, 512, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, -- { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_TLS_PRF_GENERAL, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, -+ { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, - /* sigh, is this algorithm really tested. ssl doesn't seem to have a - * way of turning the extension off */ - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, - - /* ------------------------- HKDF Operations -------------------------- */ -- { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_HKDF_DERIVE, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_HKDF_DATA, { 112, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, - { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, - /* ------------------ NIST 800-108 Key Derivations ------------------- */ -- { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, - /* --------------------IPSEC ----------------------- */ -- { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, -- { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_IKE_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_IKE1_PRF_DERIVE, { 112, 64, CKF_KDF }, 1, SFTKFIPSNone }, -+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, - /* ------------------ PBE Key Derivations ------------------- */ -- { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone }, -+ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, - { CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN, { 512, 512, CKF_GEN }, 1, SFTKFIPSNone } - }; - const int SFTK_NUMBER_FIPS_ALGORITHMS = PR_ARRAY_SIZE(sftk_fips_mechs); diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c --- a/lib/softoken/lowpbe.c +++ b/lib/softoken/lowpbe.c -@@ -1765,27 +1765,29 @@ SECStatus - sftk_fips_pbkdf_PowerUpSelfTests(void) - { - SECItem *result; - SECItem inKey; - NSSPKCS5PBEParameter pbe_params; +@@ -1766,16 +1766,20 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) unsigned char iteration_count = 5; unsigned char keyLen = 64; char *inKeyData = TEST_KEY; -- static const unsigned char saltData[] = -- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; +- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + static const unsigned char saltData[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f + }; ++ static const unsigned char pbkdf_known_answer[] = { - 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, - 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, @@ -350,13 +191,8 @@ diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c + 0x17, 0x97, 0x73, 0x75, 0x7b, 0x88, 0x49, 0xd8, + 0x6f, 0x78, 0x5a, 0xde, 0x50, 0x20, 0x55, 0x33 }; - + sftk_PBELockInit(); - - inKey.data = (unsigned char *)inKeyData; - inKey.len = sizeof(TEST_KEY) - 1; - - pbe_params.salt.data = (unsigned char *)saltData; diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c --- a/lib/softoken/pkcs11c.c +++ b/lib/softoken/pkcs11c.c diff --git a/SOURCES/nss-3.79-fix-client-cert-crash.patch b/SOURCES/nss-3.79-fix-client-cert-crash.patch deleted file mode 100644 index 2d752e4..0000000 --- a/SOURCES/nss-3.79-fix-client-cert-crash.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c ---- a/lib/ssl/authcert.c -+++ b/lib/ssl/authcert.c -@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg, - - /* otherwise look through the cache based on usage - * if chosenNickname is set, we ignore the expiration date */ - if (certList == NULL) { - certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), - certUsageSSLClient, - PR_FALSE, chosenNickName == NULL, - pw_arg); -+ if (certList == NULL) { -+ return SECFailure; -+ } - /* filter only the certs that meet the nickname requirements */ - if (chosenNickName) { - rv = CERT_FilterCertListByNickname(certList, chosenNickName, - pw_arg); - } else { - int nnames = 0; - char **names = ssl_DistNamesToStrings(caNames, &nnames); - rv = CERT_FilterCertListByCANames(certList, nnames, names, diff --git a/SOURCES/nss-3.79-increase-pbe-cache.patch b/SOURCES/nss-3.79-increase-pbe-cache.patch deleted file mode 100644 index e175766..0000000 --- a/SOURCES/nss-3.79-increase-pbe-cache.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/lib/softoken/lowpbe.c b/lib/softoken/lowpbe.c ---- a/lib/softoken/lowpbe.c -+++ b/lib/softoken/lowpbe.c -@@ -565,17 +565,17 @@ struct KDFCacheItemStr { - int iterations; - int keyLen; - }; - typedef struct KDFCacheItemStr KDFCacheItem; - - /* Bug 1606992 - Cache the hash result for the common case that we're - * asked to repeatedly compute the key for the same password item, - * hash, iterations and salt. */ --#define KDF2_CACHE_COUNT 3 -+#define KDF2_CACHE_COUNT 150 - static struct { - PZLock *lock; - struct { - KDFCacheItem common; - int ivLen; - PRBool faulty3DES; - } cacheKDF1; - struct { diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch deleted file mode 100644 index 1195e5c..0000000 --- a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c ---- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700 -+++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700 -@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre - if (zeroTerm) { - /* unicode adds two nulls at the end */ - if (toUnicode) { -- if ((dest->len >= 2) && -- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { -+ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) { - /* we've already allocated space for these new NULLs */ - PORT_Assert(dest->len + 2 <= bufferSize); - dest->len += 2; - dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; - } - /* ascii/utf-8 adds just 1 */ -- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) { -+ } else if (!dest->len || dest->data[dest->len - 1]) { - PORT_Assert(dest->len + 1 <= bufferSize); - dest->len++; - dest->data[dest->len - 1] = 0; diff --git a/SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch b/SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch deleted file mode 100644 index f2692c0..0000000 --- a/SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch +++ /dev/null @@ -1,685 +0,0 @@ -diff -up ./cmd/crmftest/testcrmf.c.sign_policy ./cmd/crmftest/testcrmf.c ---- ./cmd/crmftest/testcrmf.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./cmd/crmftest/testcrmf.c 2022-06-20 16:47:35.023785628 -0700 -@@ -85,7 +85,7 @@ - #include "sechash.h" - #endif - --#define MAX_KEY_LEN 512 -+#define MAX_KEY_LEN 1024 - #define PATH_LEN 150 - #define BUFF_SIZE 150 - #define UID_BITS 800 -diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc ---- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2022-06-20 16:47:35.024785635 -0700 -@@ -16,6 +16,7 @@ - #include "secerr.h" - #include "sechash.h" - #include "pk11_signature_test.h" -+#include "blapit.h" - - #include "testvectors/rsa_signature_2048_sha224-vectors.h" - #include "testvectors/rsa_signature_2048_sha256-vectors.h" -@@ -109,7 +110,11 @@ class Pkcs11RsaPkcs1WycheproofTest - * Use 6 as the invalid value since modLen % 16 must be zero. - */ - TEST(RsaPkcs1Test, Pkcs1MinimumPadding) { -- const size_t kRsaShortKeyBits = 736; -+#define RSA_SHORT_KEY_LENGTH 736 -+/* if our minimum supported key length is big enough to handle -+ * our largest Hash function, we can't test a short length */ -+#if RSA_MIN_MODULUS_BITS < RSA_SHORT_KEY_LENGTH -+ const size_t kRsaShortKeyBits = RSA_SHORT_KEY_LENGTH; - const size_t kRsaKeyBits = 752; - static const std::vector kMsg{'T', 'E', 'S', 'T'}; - static const std::vector kSha512DigestInfo{ -@@ -209,6 +214,9 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) - SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, - nullptr); - EXPECT_EQ(SECSuccess, rv); -+#else -+ GTEST_SKIP(); -+#endif - } - - TEST(RsaPkcs1Test, RequireNullParameter) { -diff -up ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy ./gtests/ssl_gtest/tls_subcerts_unittest.cc ---- ./gtests/ssl_gtest/tls_subcerts_unittest.cc.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./gtests/ssl_gtest/tls_subcerts_unittest.cc 2022-06-20 16:47:35.024785635 -0700 -@@ -9,6 +9,8 @@ - #include "prtime.h" - #include "secerr.h" - #include "ssl.h" -+#include "nss.h" -+#include "blapit.h" - - #include "gtest_utils.h" - #include "tls_agent.h" -@@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSEC - ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); - ASSERT_TRUE(slot); - PK11RSAGenParams rsaparams; -- // The absolute minimum size of RSA key that we can use with SHA-256 is -- // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. -+// The absolute minimum size of RSA key that we can use with SHA-256 is -+// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. -+#define RSA_WEAK_KEY 528 -+#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY - rsaparams.keySizeInBits = 528; -+#else -+ rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1; -+#endif - rsaparams.pe = 65537; - - // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient -@@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) { - ssl_sig_rsa_pss_pss_sha256}; - client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); - server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); -+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY -+ // save the MIN POLICY length. -+ PRInt32 minRsa; -+ -+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa)); -+#if RSA_MIN_MODULUS_BITS >= 2048 -+ ASSERT_EQ(SECSuccess, -+ NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024)); -+#else -+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048)); -+#endif -+#endif - - ScopedSECKEYPrivateKey dc_priv; - ScopedSECKEYPublicKey dc_pub; -@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) { - auto cfilter = MakeTlsFilter( - client_, ssl_delegated_credentials_xtn); - ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity); -+#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY -+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)); -+#endif - } - - class ReplaceDCSigScheme : public TlsHandshakeFilter { -diff -up ./lib/cryptohi/keyhi.h.sign_policy ./lib/cryptohi/keyhi.h ---- ./lib/cryptohi/keyhi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/cryptohi/keyhi.h 2022-06-20 16:47:35.024785635 -0700 -@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength - extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk); - - /* -+** Return the strength of the private key in bits -+*/ -+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk); -+ -+/* - ** Return the length of the signature in bytes - */ - extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk); -diff -up ./lib/cryptohi/keyi.h.sign_policy ./lib/cryptohi/keyi.h ---- ./lib/cryptohi/keyi.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/cryptohi/keyi.h 2022-06-20 16:47:35.024785635 -0700 -@@ -4,6 +4,7 @@ - - #ifndef _KEYI_H_ - #define _KEYI_H_ -+#include "secerr.h" - - SEC_BEGIN_PROTOS - /* NSS private functions */ -@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechan - const SECItem *params, - CK_RSA_PKCS_PSS_PARAMS *mech); - -+/* make sure the key length matches the policy for keyType */ -+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, -+ SECErrorCodes error); - SEC_END_PROTOS - - #endif /* _KEYHI_H_ */ -diff -up ./lib/cryptohi/seckey.c.sign_policy ./lib/cryptohi/seckey.c ---- ./lib/cryptohi/seckey.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/cryptohi/seckey.c 2022-06-20 16:47:35.025785641 -0700 -@@ -14,6 +14,7 @@ - #include "secdig.h" - #include "prtime.h" - #include "keyi.h" -+#include "nss.h" - - SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) - SEC_ASN1_MKSUB(SEC_IntegerTemplate) -@@ -1042,6 +1043,62 @@ SECKEY_PublicKeyStrengthInBits(const SEC - return bitSize; - } - -+unsigned -+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk) -+{ -+ unsigned bitSize = 0; -+ CK_ATTRIBUTE_TYPE attribute = CKT_INVALID_TYPE; -+ SECItem params; -+ SECStatus rv; -+ -+ if (!privk) { -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return 0; -+ } -+ -+ /* interpret modulus length as key strength */ -+ switch (privk->keyType) { -+ case rsaKey: -+ case rsaPssKey: -+ case rsaOaepKey: -+ /* some tokens don't export CKA_MODULUS on the private key, -+ * PK11_SignatureLen works around this if necessary */ -+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; -+ if (bitSize == -1) { -+ bitSize = 0; -+ } -+ return bitSize; -+ case dsaKey: -+ case fortezzaKey: -+ case dhKey: -+ case keaKey: -+ attribute = CKA_PRIME; -+ break; -+ case ecKey: -+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, -+ CKA_EC_PARAMS, NULL, ¶ms); -+ if ((rv != SECSuccess) || (params.data == NULL)) { -+ return 0; -+ } -+ bitSize = SECKEY_ECParamsToKeySize(¶ms); -+ PORT_Free(params.data); -+ return bitSize; -+ default: -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return 0; -+ } -+ PORT_Assert(attribute != CKT_INVALID_TYPE); -+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, -+ attribute, NULL, ¶ms); -+ if ((rv != SECSuccess) || (params.data == NULL)) { -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return 0; -+ } -+ bitSize = SECKEY_BigIntegerBitLength(¶ms); -+ PORT_Free(params.data); -+ return bitSize; -+} -+ - /* returns signature length in bytes (not bits) */ - unsigned - SECKEY_SignatureLen(const SECKEYPublicKey *pubk) -@@ -1212,6 +1269,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicK - } - - /* -+ * Check that a given key meets the policy limits for the given key -+ * size. -+ */ -+SECStatus -+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) -+{ -+ PRInt32 opt = -1; -+ PRInt32 optVal; -+ SECStatus rv; -+ -+ switch (keyType) { -+ case rsaKey: -+ case rsaPssKey: -+ case rsaOaepKey: -+ opt = NSS_RSA_MIN_KEY_SIZE; -+ break; -+ case dsaKey: -+ case fortezzaKey: -+ opt = NSS_DSA_MIN_KEY_SIZE; -+ break; -+ case dhKey: -+ case keaKey: -+ opt = NSS_DH_MIN_KEY_SIZE; -+ break; -+ case ecKey: -+ opt = NSS_ECC_MIN_KEY_SIZE; -+ break; -+ case nullKey: -+ default: -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return SECFailure; -+ } -+ PORT_Assert(opt != -1); -+ rv = NSS_OptionGet(opt, &optVal); -+ if (rv != SECSuccess) { -+ return rv; -+ } -+ if (optVal < keyLength) { -+ PORT_SetError(error); -+ return SECFailure; -+ } -+ return SECSuccess; -+} -+ -+/* - * Use the private key to find a public key handle. The handle will be on - * the same slot as the private key. - */ -diff -up ./lib/cryptohi/secsign.c.sign_policy ./lib/cryptohi/secsign.c ---- ./lib/cryptohi/secsign.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/cryptohi/secsign.c 2022-06-20 16:47:35.025785641 -0700 -@@ -15,6 +15,7 @@ - #include "pk11func.h" - #include "secerr.h" - #include "keyi.h" -+#include "nss.h" - - struct SGNContextStr { - SECOidTag signalg; -@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *p - SECOidTag hashalg, signalg; - KeyType keyType; - PRUint32 policyFlags; -+ PRInt32 optFlags; - SECStatus rv; - - /* OK, map a PKCS #7 hash and encrypt algorithm into -@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *p - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; - } -+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { -+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { -+ rv = seckey_EnforceKeySize(key->keyType, -+ SECKEY_PrivateKeyStrengthInBits(key), -+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); -+ if (rv != SECSuccess) { -+ return NULL; -+ } -+ } -+ } - /* check the policy on the hash algorithm */ - if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) || - !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { -@@ -467,9 +479,20 @@ SGN_Digest(SECKEYPrivateKey *privKey, - SGNDigestInfo *di = 0; - SECOidTag enctag; - PRUint32 policyFlags; -+ PRInt32 optFlags; - - result->data = 0; - -+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { -+ if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { -+ rv = seckey_EnforceKeySize(privKey->keyType, -+ SECKEY_PrivateKeyStrengthInBits(privKey), -+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); -+ if (rv != SECSuccess) { -+ return SECFailure; -+ } -+ } -+ } - /* check the policy on the hash algorithm */ - if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) || - !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { -diff -up ./lib/cryptohi/secvfy.c.sign_policy ./lib/cryptohi/secvfy.c ---- ./lib/cryptohi/secvfy.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/cryptohi/secvfy.c 2022-06-20 16:47:35.025785641 -0700 -@@ -16,6 +16,7 @@ - #include "secdig.h" - #include "secerr.h" - #include "keyi.h" -+#include "nss.h" - - /* - ** Recover the DigestInfo from an RSA PKCS#1 signature. -@@ -467,6 +468,7 @@ vfy_CreateContext(const SECKEYPublicKey - unsigned int sigLen; - KeyType type; - PRUint32 policyFlags; -+ PRInt32 optFlags; - - /* make sure the encryption algorithm matches the key type */ - /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ -@@ -476,7 +478,16 @@ vfy_CreateContext(const SECKEYPublicKey - PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); - return NULL; - } -- -+ if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { -+ if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { -+ rv = seckey_EnforceKeySize(key->keyType, -+ SECKEY_PublicKeyStrengthInBits(key), -+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); -+ if (rv != SECSuccess) { -+ return NULL; -+ } -+ } -+ } - /* check the policy on the encryption algorithm */ - if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || - !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { -diff -up ./lib/freebl/blapit.h.sign_policy ./lib/freebl/blapit.h ---- ./lib/freebl/blapit.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/freebl/blapit.h 2022-06-20 16:47:35.025785641 -0700 -@@ -135,7 +135,7 @@ typedef int __BLAPI_DEPRECATED __attribu - * These values come from the initial key size limits from the PKCS #11 - * module. They may be arbitrarily adjusted to any value freebl supports. - */ --#define RSA_MIN_MODULUS_BITS 128 -+#define RSA_MIN_MODULUS_BITS 1023 /* 128 */ - #define RSA_MAX_MODULUS_BITS 16384 - #define RSA_MAX_EXPONENT_BITS 64 - #define DH_MIN_P_BITS 128 -diff -up ./lib/nss/nss.h.sign_policy ./lib/nss/nss.h ---- ./lib/nss/nss.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/nss/nss.h 2022-06-20 16:47:35.026785647 -0700 -@@ -302,6 +302,28 @@ SECStatus NSS_UnregisterShutdown(NSS_Shu - #define NSS_DEFAULT_LOCKS 0x00d /* lock default values */ - #define NSS_DEFAULT_SSL_LOCK 1 /* lock the ssl default values */ - -+/* NSS_KEY_SIZE_POLICY controls what kinds of operations are subject to -+ * the NSS_XXX_MIN_KEY_SIZE values. -+ * NSS_KEY_SIZE_POLICY_FLAGS sets and clears all the flags to the input -+ * value -+ * On get it returns all the flags -+ * NSS_KEY_SIZE_POLICY_SET_FLAGS sets only the flags=1 in theinput value and -+ * does not affect the other flags -+ * On get it returns all the flags -+ * NSS_KEY_SIZE_POLICY_CLEAR_FLAGS clears only the flags=1 in the input -+ * value and does not affect the other flags -+ * On get it returns all the compliment of all the flags -+ * (cleared flags == 1) */ -+#define NSS_KEY_SIZE_POLICY_FLAGS 0x00e -+#define NSS_KEY_SIZE_POLICY_SET_FLAGS 0x00f -+#define NSS_KEY_SIZE_POLICY_CLEAR_FLAGS 0x010 -+/* currently defined flags */ -+#define NSS_KEY_SIZE_POLICY_SSL_FLAG 1 -+#define NSS_KEY_SIZE_POLICY_VERIFY_FLAG 2 -+#define NSS_KEY_SIZE_POLICY_SIGN_FLAG 4 -+ -+#define NSS_ECC_MIN_KEY_SIZE 0x011 -+ - /* - * Set and get global options for the NSS library. - */ -diff -up ./lib/nss/nssoptions.c.sign_policy ./lib/nss/nssoptions.c ---- ./lib/nss/nssoptions.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/nss/nssoptions.c 2022-06-20 16:47:35.026785647 -0700 -@@ -26,6 +26,8 @@ struct nssOps { - PRInt32 dtlsVersionMaxPolicy; - PRInt32 pkcs12DecodeForceUnicode; - PRInt32 defaultLocks; -+ PRInt32 keySizePolicyFlags; -+ PRInt32 eccMinKeySize; - }; - - static struct nssOps nss_ops = { -@@ -37,7 +39,9 @@ static struct nssOps nss_ops = { - 1, - 0xffff, - PR_FALSE, -- 0 -+ 0, -+ NSS_KEY_SIZE_POLICY_SSL_FLAG, -+ SSL_ECC_MIN_CURVE_BITS - }; - - SECStatus -@@ -78,6 +82,18 @@ NSS_OptionSet(PRInt32 which, PRInt32 val - case NSS_DEFAULT_LOCKS: - nss_ops.defaultLocks = value; - break; -+ case NSS_KEY_SIZE_POLICY_FLAGS: -+ nss_ops.keySizePolicyFlags = value; -+ break; -+ case NSS_KEY_SIZE_POLICY_SET_FLAGS: -+ nss_ops.keySizePolicyFlags |= value; -+ break; -+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: -+ nss_ops.keySizePolicyFlags &= ~value; -+ break; -+ case NSS_ECC_MIN_KEY_SIZE: -+ nss_ops.eccMinKeySize = value; -+ break; - default: - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; -@@ -119,6 +135,16 @@ NSS_OptionGet(PRInt32 which, PRInt32 *va - case NSS_DEFAULT_LOCKS: - *value = nss_ops.defaultLocks; - break; -+ case NSS_KEY_SIZE_POLICY_FLAGS: -+ case NSS_KEY_SIZE_POLICY_SET_FLAGS: -+ *value = nss_ops.keySizePolicyFlags; -+ break; -+ case NSS_KEY_SIZE_POLICY_CLEAR_FLAGS: -+ *value = ~nss_ops.keySizePolicyFlags; -+ break; -+ case NSS_ECC_MIN_KEY_SIZE: -+ *value = nss_ops.eccMinKeySize; -+ break; - default: - rv = SECFailure; - } -diff -up ./lib/nss/nssoptions.h.sign_policy ./lib/nss/nssoptions.h ---- ./lib/nss/nssoptions.h.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/nss/nssoptions.h 2022-06-20 16:47:35.026785647 -0700 -@@ -18,3 +18,5 @@ - * happens because NSS used to count bit lengths incorrectly. */ - #define SSL_DH_MIN_P_BITS 1023 - #define SSL_DSA_MIN_P_BITS 1023 -+/* not really used by SSL, but define it here for consistency */ -+#define SSL_ECC_MIN_CURVE_BITS 256 -diff -up ./lib/pk11wrap/pk11kea.c.sign_policy ./lib/pk11wrap/pk11kea.c ---- ./lib/pk11wrap/pk11kea.c.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./lib/pk11wrap/pk11kea.c 2022-06-20 16:47:35.026785647 -0700 -@@ -78,15 +78,14 @@ pk11_KeyExchange(PK11SlotInfo *slot, CK_ - if (privKeyHandle == CK_INVALID_HANDLE) { - PK11RSAGenParams rsaParams; - -- if (symKeyLength > 53) /* bytes */ { -- /* we'd have to generate an RSA key pair > 512 bits long, -+ if (symKeyLength > 120) /* bytes */ { -+ /* we'd have to generate an RSA key pair > 1024 bits long, - ** and that's too costly. Don't even try. - */ - PORT_SetError(SEC_ERROR_CANNOT_MOVE_SENSITIVE_KEY); - goto rsa_failed; - } -- rsaParams.keySizeInBits = -- (symKeyLength > 21 || symKeyLength == 0) ? 512 : 256; -+ rsaParams.keySizeInBits = 1024; - rsaParams.pe = 0x10001; - privKey = PK11_GenerateKeyPair(slot, CKM_RSA_PKCS_KEY_PAIR_GEN, - &rsaParams, &pubKey, PR_FALSE, PR_TRUE, symKey->cx); -diff -up ./lib/pk11wrap/pk11pars.c.sign_policy ./lib/pk11wrap/pk11pars.c ---- ./lib/pk11wrap/pk11pars.c.sign_policy 2022-06-20 16:47:35.004785510 -0700 -+++ ./lib/pk11wrap/pk11pars.c 2022-06-20 16:47:35.026785647 -0700 -@@ -427,12 +427,21 @@ static const optionFreeDef sslOptList[] - { CIPHER_NAME("DTLS1.3"), 0x304 }, - }; - -+static const optionFreeDef keySizeFlagsList[] = { -+ { CIPHER_NAME("KEY-SIZE-SSL"), NSS_KEY_SIZE_POLICY_SSL_FLAG }, -+ { CIPHER_NAME("KEY-SIZE-SIGN"), NSS_KEY_SIZE_POLICY_SIGN_FLAG }, -+ { CIPHER_NAME("KEY-SIZE-VERIFY"), NSS_KEY_SIZE_POLICY_VERIFY_FLAG }, -+}; -+ - static const optionFreeDef freeOptList[] = { - - /* Restrictions for asymetric keys */ - { CIPHER_NAME("RSA-MIN"), NSS_RSA_MIN_KEY_SIZE }, - { CIPHER_NAME("DH-MIN"), NSS_DH_MIN_KEY_SIZE }, - { CIPHER_NAME("DSA-MIN"), NSS_DSA_MIN_KEY_SIZE }, -+ { CIPHER_NAME("ECC-MIN"), NSS_ECC_MIN_KEY_SIZE }, -+ /* what operations doe the key size apply to */ -+ { CIPHER_NAME("KEY-SIZE-FLAGS"), NSS_KEY_SIZE_POLICY_FLAGS }, - /* constraints on SSL Protocols */ - { CIPHER_NAME("TLS-VERSION-MIN"), NSS_TLS_VERSION_MIN_POLICY }, - { CIPHER_NAME("TLS-VERSION-MAX"), NSS_TLS_VERSION_MAX_POLICY }, -@@ -540,6 +549,7 @@ secmod_getPolicyOptValue(const char *pol - *result = val; - return SECSuccess; - } -+ /* handle any ssl strings */ - for (i = 0; i < PR_ARRAY_SIZE(sslOptList); i++) { - if (policyValueLength == sslOptList[i].name_size && - PORT_Strncasecmp(sslOptList[i].name, policyValue, -@@ -548,7 +558,29 @@ secmod_getPolicyOptValue(const char *pol - return SECSuccess; - } - } -- return SECFailure; -+ /* handle key_size flags. Each flag represents a bit, which -+ * gets or'd together. They can be separated by , | or + */ -+ val = 0; -+ while (*policyValue) { -+ PRBool found = PR_FALSE; -+ for (i = 0; i < PR_ARRAY_SIZE(keySizeFlagsList); i++) { -+ if (PORT_Strncasecmp(keySizeFlagsList[i].name, policyValue, -+ keySizeFlagsList[i].name_size) == 0) { -+ val |= keySizeFlagsList[i].option; -+ found = PR_TRUE; -+ policyValue += keySizeFlagsList[i].name_size; -+ break; -+ } -+ } -+ if (!found) { -+ return SECFailure; -+ } -+ if (*policyValue == ',' || *policyValue == '|' || *policyValue == '+') { -+ policyValue++; -+ } -+ } -+ *result = val; -+ return SECSuccess; - } - - /* Policy operations: -diff -up ./lib/ssl/ssl3con.c.sign_policy ./lib/ssl/ssl3con.c ---- ./lib/ssl/ssl3con.c.sign_policy 2022-06-20 16:47:34.998785473 -0700 -+++ ./lib/ssl/ssl3con.c 2022-06-20 16:47:35.028785660 -0700 -@@ -7409,6 +7409,8 @@ ssl_HandleDHServerKeyExchange(sslSocket - unsigned dh_p_bits; - unsigned dh_g_bits; - PRInt32 minDH; -+ PRInt32 optval; -+ PRBool usePolicyLength = PR_FALSE; - - SSL3Hashes hashes; - SECItem signature = { siBuffer, NULL, 0 }; -@@ -7419,8 +7421,13 @@ ssl_HandleDHServerKeyExchange(sslSocket - if (rv != SECSuccess) { - goto loser; /* malformed. */ - } -+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); -+ if (rv == SECSuccess) { -+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); -+ } - -- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH); -+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &minDH) -+ : SECFailure; - if (rv != SECSuccess || minDH <= 0) { - minDH = SSL_DH_MIN_P_BITS; - } -@@ -11411,13 +11418,20 @@ ssl_SetAuthKeyBits(sslSocket *ss, const - SECStatus rv; - PRUint32 minKey; - PRInt32 optval; -+ PRBool usePolicyLength = PR_TRUE; -+ -+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval); -+ if (rv == SECSuccess) { -+ usePolicyLength = (PRBool)((optval & NSS_KEY_SIZE_POLICY_SSL_FLAG) == NSS_KEY_SIZE_POLICY_SSL_FLAG); -+ } - - ss->sec.authKeyBits = SECKEY_PublicKeyStrengthInBits(pubKey); - switch (SECKEY_GetPublicKeyType(pubKey)) { - case rsaKey: - case rsaPssKey: - case rsaOaepKey: -- rv = NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval); -+ rv = usePolicyLength ? NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &optval) -+ : SECFailure; - if (rv == SECSuccess && optval > 0) { - minKey = (PRUint32)optval; - } else { -@@ -11426,7 +11440,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const - break; - - case dsaKey: -- rv = NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval); -+ rv = usePolicyLength ? NSS_OptionGet(NSS_DSA_MIN_KEY_SIZE, &optval) -+ : SECFailure; - if (rv == SECSuccess && optval > 0) { - minKey = (PRUint32)optval; - } else { -@@ -11435,7 +11450,8 @@ ssl_SetAuthKeyBits(sslSocket *ss, const - break; - - case dhKey: -- rv = NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval); -+ rv = usePolicyLength ? NSS_OptionGet(NSS_DH_MIN_KEY_SIZE, &optval) -+ : SECFailure; - if (rv == SECSuccess && optval > 0) { - minKey = (PRUint32)optval; - } else { -@@ -11444,9 +11460,15 @@ ssl_SetAuthKeyBits(sslSocket *ss, const - break; - - case ecKey: -- /* Don't check EC strength here on the understanding that we only -- * support curves we like. */ -- minKey = ss->sec.authKeyBits; -+ rv = usePolicyLength ? NSS_OptionGet(NSS_ECC_MIN_KEY_SIZE, &optval) -+ : SECFailure; -+ if (rv == SECSuccess && optval > 0) { -+ minKey = (PRUint32)optval; -+ } else { -+ /* Don't check EC strength here on the understanding that we -+ * only support curves we like. */ -+ minKey = ss->sec.authKeyBits; -+ } - break; - - default: -diff -up ./tests/policy/crypto-policy.txt.sign_policy ./tests/policy/crypto-policy.txt ---- ./tests/policy/crypto-policy.txt.sign_policy 2022-05-26 02:54:33.000000000 -0700 -+++ ./tests/policy/crypto-policy.txt 2022-06-20 16:47:35.028785660 -0700 -@@ -6,6 +6,8 @@ - 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=dtls1.0:DH-MIN=1023:DSA-MIN=2048:RSA-MIN=2048 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Standard policy - 0 disallow=ALL_allow=HMAC-SHA1:HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:camellia256-cbc:aes128-gcm:aes128-cbc:camellia128-cbc:des-ede3-cbc:rc4:SHA256:SHA384:SHA512:SHA1:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:DHE-DSS:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.0:dtls-version-min=tls1.0:DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Legacy policy - 0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072 NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Reduced policy -+0 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=KEY-SIZE-SSL,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-INFO.*LOADED-SUCCESSFULLY Valid key size -+2 disallow=ALL_allow=HMAC-SHA256:HMAC-SHA384:HMAC-SHA512:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:SHA384:SHA512:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:rsa-pkcs:rsa-pss:ecdsa:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=3072:DSA-MIN=3072:RSA-MIN=3072:KEY-SIZE-FLAGS=UNKNOWN,KEY-SIZE-SIGN,KEY-SIZE-VERIFY NSS-POLICY-FAIL.*unknown.* Invalid key size - 2 disallow=ALL_allow=dtls-version-min=:dtls-version-max= NSS-POLICY-FAIL Missing value - 2 disallow=ALL_allow=RSA-MIN=whatever NSS-POLICY-FAIL Invalid value - 2 disallow=ALL_allow=flower NSS-POLICY-FAIL Invalid identifier -diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt ---- ./tests/ssl/sslpolicy.txt.sign_policy 2022-06-20 16:47:35.028785660 -0700 -+++ ./tests/ssl/sslpolicy.txt 2022-06-20 16:50:08.958742135 -0700 -@@ -196,6 +196,11 @@ - # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary - # compatibility reasons - # 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly -+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification -+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing -+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL -+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL -+ - # test default settings - # NOTE: tstclient will attempt to overide the defaults, so we detect we - # were successful by locking in our settings -diff -up ./tests/dbupgrade/dbupgrade.sh.sign_policy ./tests/dbupgrade/dbupgrade.sh ---- ./tests/dbupgrade/dbupgrade.sh.sign_policy 2022-06-22 08:43:55.905407738 -0700 -+++ ./tests/dbupgrade/dbupgrade.sh 2022-06-22 08:43:58.837426779 -0700 -@@ -69,7 +69,7 @@ dbupgrade_main() - echo $i - if [ -d $i ]; then - echo "upgrading db $i" -- ${BINDIR}/certutil -G -g 512 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 -+ ${BINDIR}/certutil -G -g 1024 -d sql:$i -f ${PWFILE} -z ${NOISE_FILE} 2>&1 - html_msg $? 0 "Upgrading $i" - else - echo "skipping db $i" diff --git a/SOURCES/nss-3.90-DisablingASM.patch b/SOURCES/nss-3.90-DisablingASM.patch new file mode 100644 index 0000000..7d1a17f --- /dev/null +++ b/SOURCES/nss-3.90-DisablingASM.patch @@ -0,0 +1,57 @@ +diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile +index 74e8e65..8995752 100644 +--- a/lib/freebl/Makefile ++++ b/lib/freebl/Makefile +@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null + +@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s + CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; + unsigned int master_params_len; + ++ /* if we are using TLS and we aren't using the extended master secret, ++ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will ++ * send and alert (eventually). In the RSA Server case, the alert ++ * won't happen until Finish time because the upper level code ++ * can't tell a difference between this failure and an RSA decrypt ++ * failure, so it will proceed with a faux key */ ++ if (isTLS) { ++ PRUint32 policy; ++ SECStatus rv; ++ ++ /* first fetch the policy for this algorithm */ ++ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy); ++ /* we only look at the policy if we can fetch it. */ ++ if (rv == SECSuccess) { ++ if (policy & NSS_USE_ALG_IN_SSL_KX) { ++ /* just set the error, we don't want to map any errors ++ * set by NSS_GetAlgorithmPolicy here */ ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION); ++ return SECFailure; ++ } ++ } ++ } ++ + if (isTLS12) { + if (isDH) + master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH; +diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c +--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700 ++++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700 +@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT + SEC_OID_EXT_KEY_USAGE_IPSEC_USER, + "IPsec User", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* we need it for the policy code. */ ++ ODE(SEC_OID_PRIVATE_1, ++ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + }; + + /* PRIVATE EXTENDED SECOID Table +@@ -2095,6 +2100,8 @@ SECOID_Init(void) + + /* turn off NSS_USE_POLICY_IN_SSL by default */ + xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; ++ /* turn off TLS REQUIRE EMS by default */ ++ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0; + + envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); + if (envVal) +diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h +--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700 ++++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700 +@@ -501,6 +501,9 @@ typedef enum { + SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361, + SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362, + SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* give it an obscure name here */ ++ SEC_OID_PRIVATE_1 = 372, + + SEC_OID_TOTAL + } SECOidTag; diff --git a/SOURCES/nss-3.90-disable-ech.patch b/SOURCES/nss-3.90-disable-ech.patch new file mode 100644 index 0000000..eee8c39 --- /dev/null +++ b/SOURCES/nss-3.90-disable-ech.patch @@ -0,0 +1,96 @@ +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f + } + PORT_Free(cursor); + } + } + + SECStatus + SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.enableTls13GreaseEch = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss || size == 0) { + return SECFailure; + } + ssl_Get1stHandshakeLock(ss); + ssl_GetSSL3HandshakeLock(ss); + + ss->ssl3.hs.greaseEchSize = size; + + ssl_ReleaseSSL3HandshakeLock(ss); + ssl_Release1stHandshakeLock(ss); + + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.enableTls13BackendEch = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled) + { ++#ifdef notdef + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; + } + ss->opt.callExtensionWriterOnEchInner = enabled; + return SECSuccess; ++#else ++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API); ++ return SECFailure; ++#endif + } + + SECStatus + SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled) + { + sslSocket *ss = ssl_FindSocket(fd); + if (!ss) { + return SECFailure; +diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn +--- ./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200 ++++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200 +@@ -57,7 +57,6 @@ CPPSRCS = \ + tls_filter.cc \ + tls_protect.cc \ + tls_psk_unittest.cc \ +- tls_ech_unittest.cc \ + $(SSLKEYLOGFILE_FILES) \ + $(NULL) diff --git a/SOURCES/nss-3.90-no-dbm-25519.patch b/SOURCES/nss-3.90-no-dbm-25519.patch new file mode 100644 index 0000000..3c7c614 --- /dev/null +++ b/SOURCES/nss-3.90-no-dbm-25519.patch @@ -0,0 +1,18 @@ +diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh +--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700 ++++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700 +@@ -46,11 +46,13 @@ ectest_genkeydb_test() + return $? + fi + curves=( \ +- "curve25519" \ + "secp256r1" \ + "secp384r1" \ + "secp521r1" \ + ) ++ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then ++ curves=( "curve25519" "${curves[@]}" ) ++ fi + for curve in "${curves[@]}"; do + echo "Test $curve key generation using certutil ..." + certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE} diff --git a/SOURCES/nss-3.90-pbkdf2-indicator.patch b/SOURCES/nss-3.90-pbkdf2-indicator.patch new file mode 100644 index 0000000..dbb7765 --- /dev/null +++ b/SOURCES/nss-3.90-pbkdf2-indicator.patch @@ -0,0 +1,42 @@ +diff -up ./lib/softoken/pkcs11u.c.pkcs12_indicator ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.pkcs12_indicator 2023-08-03 10:50:37.067109367 -0700 ++++ ./lib/softoken/pkcs11u.c 2023-08-03 11:41:55.641541953 -0700 +@@ -2429,7 +2429,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + return PR_FALSE; + case SFTKFIPSECC: + /* we've already handled the curve selection in the 'getlength' +- * function */ ++ * function */ + return PR_TRUE; + case SFTKFIPSAEAD: { + if (mech->ulParameterLen == 0) { +@@ -2463,6 +2463,29 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + } + return PR_TRUE; + } ++ case SFTKFIPSPBKDF2: { ++ /* PBKDF2 must have the following addition restrictions ++ * (independent of keysize). ++ * 1. iteration count must be at least 1000. ++ * 2. salt must be at least 128 bits (16 bytes). ++ * 3. password must match the length specified in the SP ++ */ ++ CK_PKCS5_PBKD2_PARAMS *pbkdf2 = (CK_PKCS5_PBKD2_PARAMS *) ++ mech->pParameter; ++ if (mech->ulParameterLen != sizeof(*pbkdf2)) { ++ return PR_FALSE; ++ } ++ if (pbkdf2->iterations < 1000) { ++ return PR_FALSE; ++ } ++ if (pbkdf2->ulSaltSourceDataLen < 16) { ++ return PR_FALSE; ++ } ++ if (*(pbkdf2->ulPasswordLen) < SFTKFIPS_PBKDF2_MIN_PW_LEN) { ++ return PR_FALSE; ++ } ++ return PR_TRUE; ++ } + default: + break; + } diff --git a/SPECS/nss.spec b/SPECS/nss.spec index f4c4670..30119a4 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,7 +1,7 @@ -%global nspr_build_version 4.34.0-3 -%global nspr_release -3 -%global nspr_version 4.34.0 -%global nss_version 3.79.0 +%global nspr_build_version 4.35.0-1 +%global nspr_release -1 +%global nspr_version 4.35.0 +%global nss_version 3.90.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 11%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -109,6 +109,9 @@ Source25: key3.db.xml Source26: key4.db.xml Source27: secmod.db.xml Source28: nss-p11-kit.config +# fips algorithms are tied to the red hat validation, others +# will have their own validation +Source30: fips_algorithms.h # To inject hardening flags for DSO Patch1: nss-dso-ldflags.patch @@ -155,21 +158,21 @@ Patch50: nss-3.66-restore-old-pkcs12-default.patch Patch51: nss-3.79-revert-distrusted-certs.patch # Local Patch: update fipsdefaults to AES Patch52: nss-3.79-pkcs12-fips-defaults.patch +Patch53: nss-3.71-camellia-pkcs12-doc.patch +Patch54: nss-3.90-disable-ech.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1774659 -Patch60: nss-3.79-dbtool.patch -Patch61: nss-3.79-dont-verify-default.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1774654 -Patch63: nss-3.79-fix-client-cert-crash.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1767883 -Patch64: nss-3.79-rhel-8-fips-signature-policy.patch -Patch65: nss-3.79-enable-POST-rerun.patch -Patch66: nss-3.79-increase-pbe-cache.patch -Patch67: nss-3.79-pkcs12-fix-null-password.patch -Patch68: nss-3.79-fips.patch -# cve 2023-0767, remove on rebase to nss 3.88.1 or later -# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640 -Patch70: cve-2023-0767.patch +Patch57: nss-3.79-dbtool.patch +Patch58: nss-3.79-fips.patch +Patch61: nss-3.79-fips-review.patches +# https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1836925 +Patch62: nss-3.90-DisablingASM.patch +Patch63: nss-3.90-no-dbm-25519.patch +Patch64: nss-3.90-pbkdf2-indicator.patch + +#ems policy. needs to upstream +Patch70: nss-3.90-add-ems-policy.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -302,6 +305,11 @@ pushd nss %autopatch -p1 popd +# copy the fips_algorithms.h for this release +# this file is release specific and matches what +# each vendors claim in their own FIPS certification +cp %{SOURCE30} nss/lib/softoken/ + # https://bugzilla.redhat.com/show_bug.cgi?id=1247353 find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; @@ -947,6 +955,18 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Thu Aug 3 2023 Bob Relyea - 3.90.0-3 +- add indicators for pbkdf2 +- add camellia to pkcs12 doc files +- fix ems policy bug +- disable ech + +* Thu Jul 27 2023 Bob Relyea - 3.90.0-2 +- fix the change log + +* Thu Jul 27 2023 Bob Relyea - 3.90.0-1 +- rebase to NSS 3.90 + * Wed Jul 26 2023 MSVSphere Packaging Team - 3.79.0-11 - Rebuilt for MSVSphere 8.8