parent
c5c55514b5
commit
b979e5f1cc
@ -1,5 +1,4 @@
|
||||
SOURCES/NameConstraints_Certs.tar
|
||||
SOURCES/blank-cert9.db
|
||||
SOURCES/blank-key4.db
|
||||
SOURCES/nspr-4.35.tar.gz
|
||||
SOURCES/nss-3.90.tar.gz
|
||||
SOURCES/nss-3.101.tar.gz
|
||||
|
@ -1,5 +1,4 @@
|
||||
39ad4988f85b50fdc3569d21b6c885cf9eb390b0 SOURCES/NameConstraints_Certs.tar
|
||||
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
|
||||
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
|
||||
71267859a581d61fea8d7d36c25f716750271cac SOURCES/nspr-4.35.tar.gz
|
||||
1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
|
||||
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
|
||||
|
@ -1,949 +0,0 @@
|
||||
diff --git a/lib/freebl/mpi/mpi-priv.h b/lib/freebl/mpi/mpi-priv.h
|
||||
--- a/lib/freebl/mpi/mpi-priv.h
|
||||
+++ b/lib/freebl/mpi/mpi-priv.h
|
||||
@@ -199,16 +199,19 @@ void MPI_ASM_DECL s_mpv_mul_d(const mp_d
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add(const mp_digit *a, mp_size a_len,
|
||||
mp_digit b, mp_digit *c);
|
||||
|
||||
#endif
|
||||
|
||||
void MPI_ASM_DECL s_mpv_mul_d_add_prop(const mp_digit *a,
|
||||
mp_size a_len, mp_digit b,
|
||||
mp_digit *c);
|
||||
+void MPI_ASM_DECL s_mpv_mul_d_add_propCT(const mp_digit *a,
|
||||
+ mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len);
|
||||
void MPI_ASM_DECL s_mpv_sqr_add_prop(const mp_digit *a,
|
||||
mp_size a_len,
|
||||
mp_digit *sqrs);
|
||||
|
||||
mp_err MPI_ASM_DECL s_mpv_div_2dx1d(mp_digit Nhi, mp_digit Nlo,
|
||||
mp_digit divisor, mp_digit *quot, mp_digit *rem);
|
||||
|
||||
/* c += a * b * (MP_RADIX ** offset); */
|
||||
diff --git a/lib/freebl/mpi/mpi.c b/lib/freebl/mpi/mpi.c
|
||||
--- a/lib/freebl/mpi/mpi.c
|
||||
+++ b/lib/freebl/mpi/mpi.c
|
||||
@@ -5,16 +5,18 @@
|
||||
*
|
||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
|
||||
#include "mpi-priv.h"
|
||||
#include "mplogic.h"
|
||||
|
||||
+#include <assert.h>
|
||||
+
|
||||
#if defined(__arm__) && \
|
||||
((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
|
||||
/* 16-bit thumb or ARM v3 doesn't work inlined assember version */
|
||||
#undef MP_ASSEMBLY_MULTIPLY
|
||||
#undef MP_ASSEMBLY_SQUARE
|
||||
#endif
|
||||
|
||||
#if MP_LOGTAB
|
||||
@@ -797,25 +799,28 @@ mp_sub(const mp_int *a, const mp_int *b,
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
|
||||
} /* end mp_sub() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
-/* {{{ mp_mul(a, b, c) */
|
||||
+/* {{{ s_mp_mulg(a, b, c) */
|
||||
|
||||
/*
|
||||
- mp_mul(a, b, c)
|
||||
-
|
||||
- Compute c = a * b. All parameters may be identical.
|
||||
+ s_mp_mulg(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical. if constantTime is set,
|
||||
+ then the operations are done in constant time. The original is mostly
|
||||
+ constant time as long as s_mpv_mul_d_add() is constant time. This is true
|
||||
+ of the x86 assembler, as well as the current c code.
|
||||
*/
|
||||
mp_err
|
||||
-mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+s_mp_mulg(const mp_int *a, const mp_int *b, mp_int *c, int constantTime)
|
||||
{
|
||||
mp_digit *pb;
|
||||
mp_int tmp;
|
||||
mp_err res;
|
||||
mp_size ib;
|
||||
mp_size useda, usedb;
|
||||
|
||||
ARGCHK(a != NULL && b != NULL && c != NULL, MP_BADARG);
|
||||
@@ -841,17 +846,24 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
}
|
||||
|
||||
MP_USED(c) = 1;
|
||||
MP_DIGIT(c, 0) = 0;
|
||||
if ((res = s_mp_pad(c, USED(a) + USED(b))) != MP_OKAY)
|
||||
goto CLEANUP;
|
||||
|
||||
#ifdef NSS_USE_COMBA
|
||||
- if ((MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
+ /* comba isn't constant time because it clamps! If we cared
|
||||
+ * (we needed a constant time version of multiply that was 'faster'
|
||||
+ * we could easily pass constantTime down to the comba code and
|
||||
+ * get it to skip the clamp... but here are assembler versions
|
||||
+ * which add comba to platforms that can't compile the normal
|
||||
+ * comba's imbedded assembler which would also need to change, so
|
||||
+ * for now we just skip comba when we are running constant time. */
|
||||
+ if (!constantTime && (MP_USED(a) == MP_USED(b)) && IS_POWER_OF_2(MP_USED(b))) {
|
||||
if (MP_USED(a) == 4) {
|
||||
s_mp_mul_comba_4(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
if (MP_USED(a) == 8) {
|
||||
s_mp_mul_comba_8(a, b, c);
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -871,36 +883,82 @@ mp_mul(const mp_int *a, const mp_int *b,
|
||||
|
||||
/* Outer loop: Digits of b */
|
||||
useda = MP_USED(a);
|
||||
usedb = MP_USED(b);
|
||||
for (ib = 1; ib < usedb; ib++) {
|
||||
mp_digit b_i = *pb++;
|
||||
|
||||
/* Inner product: Digits of a */
|
||||
- if (b_i)
|
||||
+ if (constantTime || b_i)
|
||||
s_mpv_mul_d_add(MP_DIGITS(a), useda, b_i, MP_DIGITS(c) + ib);
|
||||
else
|
||||
MP_DIGIT(c, ib + useda) = b_i;
|
||||
}
|
||||
|
||||
- s_mp_clamp(c);
|
||||
+ if (!constantTime) {
|
||||
+ s_mp_clamp(c);
|
||||
+ }
|
||||
|
||||
if (SIGN(a) == SIGN(b) || s_mp_cmp_d(c, 0) == MP_EQ)
|
||||
SIGN(c) = ZPOS;
|
||||
else
|
||||
SIGN(c) = NEG;
|
||||
|
||||
CLEANUP:
|
||||
mp_clear(&tmp);
|
||||
return res;
|
||||
+} /* end smp_mulg() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_mul(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mul(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. All parameters may be identical.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mul(const mp_int *a, const mp_int *b, mp_int *c)
|
||||
+{
|
||||
+ return s_mp_mulg(a, b, c, 0);
|
||||
} /* end mp_mul() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulCT(a, b, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulCT(a, b, c)
|
||||
+
|
||||
+ Compute c = a * b. In constant time. Parameters may not be identical.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ /* make the multiply values fixed length so multiply
|
||||
+ * doesn't leak the length. at this point all the
|
||||
+ * values are blinded, but once we finish we want the
|
||||
+ * output size to be hidden (so no clamping the out put) */
|
||||
+ MP_CHECKOK(s_mp_pad(a, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(b, setSize));
|
||||
+ MP_CHECKOK(s_mp_pad(c, 2*setSize));
|
||||
+ MP_CHECKOK(s_mp_mulg(a, b, c, 1));
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_mulCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqr(a, sqr) */
|
||||
|
||||
#if MP_SQUARE
|
||||
/*
|
||||
Computes the square of a. This can be done more
|
||||
efficiently than a general multiplication, because many of the
|
||||
computation steps are redundant when squaring. The inner product
|
||||
step is a bit more complicated, but we save a fair number of
|
||||
@@ -1263,16 +1321,174 @@ mp_mod(const mp_int *a, const mp_int *m,
|
||||
}
|
||||
|
||||
return MP_OKAY;
|
||||
|
||||
} /* end mp_mod() */
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ s_mp_subCT_d(a, b, borrow, c) */
|
||||
+
|
||||
+/*
|
||||
+ s_mp_subCT_d(a, b, borrow, c)
|
||||
+
|
||||
+ Compute c = (a -b) - subtract in constant time. returns borrow
|
||||
+ */
|
||||
+mp_digit
|
||||
+s_mp_subCT_d(mp_digit a, mp_digit b, mp_digit borrow, mp_digit *ret) {
|
||||
+ mp_digit borrow1, borrow2, t;
|
||||
+#ifdef MP_COMPILER_USES_CARRY
|
||||
+ /* while it doesn't look constant-time, this is idiomatic code
|
||||
+ * to tell compilers to use the carry bit from subtraction */
|
||||
+ t = a - borrow;
|
||||
+ if (t > a) {
|
||||
+ borrow1 = 1;
|
||||
+ } else {
|
||||
+ borrow1 = 0;
|
||||
+ }
|
||||
+ *ret = t - b;
|
||||
+ if (*ret > t) {
|
||||
+ borrow2 = 1;
|
||||
+ } else {
|
||||
+ borrow2 = 0;
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit bitr, bitb, nbitt;
|
||||
+ /* this is constant time independent of compilier */
|
||||
+ t = a - borrow;
|
||||
+ borrow1 = ((~a) >> (MP_DIGIT_BIT-1)) & ((t) >> (MP_DIGIT_BIT-1));
|
||||
+ *ret = t - b;
|
||||
+ bitb = b >> (MP_DIGIT_BIT-1);
|
||||
+ bitr = *ret >> (MP_DIGIT_BIT-1);
|
||||
+ nbitt = (~t) >> (MP_DIGIT_BIT-1);
|
||||
+ borrow2 = (nbitt & bitb) | (bitb & bitr) | (nbitt & bitr);
|
||||
+#endif
|
||||
+ /* only borrow 1 or borrow 2 should be 1, we want to guarrentee
|
||||
+ * the overall borrow is 1, so use | here */
|
||||
+ return borrow1 | borrow2;
|
||||
+} /* s_mp_subCT_d() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_subCT(a, b, ret, borrow) */
|
||||
+
|
||||
+/* return ret= a - b and borrow in borrow. done in constant time.
|
||||
+ * b could be modified.
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_subCT(const mp_int *a, mp_int *b, mp_int *ret, mp_digit *borrow)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_size i;
|
||||
+ mp_err res;
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(b, used_a));
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ *borrow = 0;
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ *borrow = s_mp_subCT_d(MP_DIGIT(a,i), MP_DIGIT(b,i), *borrow,
|
||||
+ &MP_DIGIT(ret,i));
|
||||
+ }
|
||||
+
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_subCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
+/* {{{ mp_selectCT(cond, a, b, ret) */
|
||||
+
|
||||
+/*
|
||||
+ * return ret= cond ? a : b; cond should be either 0 or 1
|
||||
+ */
|
||||
+mp_err
|
||||
+mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret)
|
||||
+{
|
||||
+ mp_size used_a = MP_USED(a);
|
||||
+ mp_err res;
|
||||
+ mp_size i;
|
||||
+
|
||||
+ cond *= MP_DIGIT_MAX;
|
||||
+
|
||||
+ /* we currently require these to be equal on input,
|
||||
+ * we could use pad to extend one of them, but that might
|
||||
+ * leak data as it wouldn't be constant time */
|
||||
+ assert(used_a == MP_USED(b));
|
||||
+
|
||||
+ MP_CHECKOK(s_mp_pad(ret, used_a));
|
||||
+ for (i=0; i < used_a; i++) {
|
||||
+ MP_DIGIT(ret,i) = (MP_DIGIT(a,i)&cond) | (MP_DIGIT(b,i)&~cond);
|
||||
+ }
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ return res;
|
||||
+} /* end mp_selectCT() */
|
||||
+
|
||||
+
|
||||
+/* {{{ mp_reduceCT(a, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_reduceCT(a, m, c)
|
||||
+
|
||||
+ Compute c = aR^-1 (mod m) in constant time.
|
||||
+ input should be in montgomery form. If input is the
|
||||
+ result of a montgomery multiply then out put will be
|
||||
+ in mongomery form.
|
||||
+ Result will be reduced to MP_USED(m), but not be
|
||||
+ clamped.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *c)
|
||||
+{
|
||||
+ mp_size used_m = MP_USED(m);
|
||||
+ mp_size used_c = used_m*2+1;
|
||||
+ mp_digit *m_digits, *c_digits;
|
||||
+ mp_size i;
|
||||
+ mp_digit borrow, carry;
|
||||
+ mp_err res;
|
||||
+ mp_int sub;
|
||||
+
|
||||
+ MP_DIGITS(&sub) = 0;
|
||||
+ MP_CHECKOK(mp_init_size(&sub,used_m));
|
||||
+
|
||||
+ if (a != c) {
|
||||
+ MP_CHECKOK(mp_copy(a, c));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_pad(c, used_c));
|
||||
+ m_digits = MP_DIGITS(m);
|
||||
+ c_digits = MP_DIGITS(c);
|
||||
+ for (i=0; i < used_m; i++) {
|
||||
+ mp_digit m_i = MP_DIGIT(c,i)*n0i;
|
||||
+ s_mpv_mul_d_add_propCT(m_digits, used_m, m_i, c_digits++, used_c--);
|
||||
+ }
|
||||
+ s_mp_rshd(c, used_m);
|
||||
+ /* MP_USED(c) should be used_m+1 with the high word being any carry
|
||||
+ * from the previous multiply, save that carry and drop the high
|
||||
+ * word for the substraction below */
|
||||
+ carry = MP_DIGIT(c,used_m);
|
||||
+ MP_DIGIT(c,used_m) = 0;
|
||||
+ MP_USED(c) = used_m;
|
||||
+ /* mp_subCT wants c and m to be the same size, we've already
|
||||
+ * guarrenteed that in the previous statement, so mp_subCT won't actually
|
||||
+ * modify m, so it's safe to recast */
|
||||
+ MP_CHECKOK(mp_subCT(c, (mp_int *)m, &sub, &borrow));
|
||||
+
|
||||
+ /* we return c-m if c >= m no borrow or there was a borrow and a carry */
|
||||
+ MP_CHECKOK(mp_selectCT(borrow ^ carry, c, &sub, c));
|
||||
+ res = MP_OKAY;
|
||||
+CLEANUP:
|
||||
+ mp_clear(&sub);
|
||||
+ return res;
|
||||
+} /* end mp_reduceCT() */
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_mod_d(a, d, c) */
|
||||
|
||||
/*
|
||||
mp_mod_d(a, d, c)
|
||||
|
||||
Compute c = a (mod d). Result will always be 0 <= c < d
|
||||
*/
|
||||
mp_err
|
||||
@@ -1379,16 +1595,47 @@ mp_mulmod(const mp_int *a, const mp_int
|
||||
if ((res = mp_mod(c, m, c)) != MP_OKAY)
|
||||
return res;
|
||||
|
||||
return MP_OKAY;
|
||||
}
|
||||
|
||||
/* }}} */
|
||||
|
||||
+/* {{{ mp_mulmontmodCT(a, b, m, c) */
|
||||
+
|
||||
+/*
|
||||
+ mp_mulmontmodCT(a, b, m, c)
|
||||
+
|
||||
+ Compute c = (a * b) mod m in constant time wrt a and b. either a or b
|
||||
+ should be in montgomery form and the output is native. If both a and b
|
||||
+ are in montgomery form, then the output will also be in montgomery form
|
||||
+ and can be recovered with an mp_reduceCT call.
|
||||
+ NOTE: a and b may be modified.
|
||||
+ */
|
||||
+
|
||||
+mp_err
|
||||
+mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i,
|
||||
+ mp_int *c)
|
||||
+{
|
||||
+ mp_err res;
|
||||
+
|
||||
+ ARGCHK(a != NULL && b != NULL && m != NULL && c != NULL, MP_BADARG);
|
||||
+
|
||||
+ if ((res = mp_mulCT(a, b, c, MP_USED(m))) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ if ((res = mp_reduceCT(c, m, n0i, c)) != MP_OKAY)
|
||||
+ return res;
|
||||
+
|
||||
+ return MP_OKAY;
|
||||
+}
|
||||
+
|
||||
+/* }}} */
|
||||
+
|
||||
/* {{{ mp_sqrmod(a, m, c) */
|
||||
|
||||
#if MP_SQUARE
|
||||
mp_err
|
||||
mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
@@ -3936,25 +4183,73 @@ s_mp_mul(mp_int *a, const mp_int *b)
|
||||
{ \
|
||||
mp_digit a0b1, a1b0; \
|
||||
Plo = (a & MP_HALF_DIGIT_MAX) * (b & MP_HALF_DIGIT_MAX); \
|
||||
Phi = (a >> MP_HALF_DIGIT_BIT) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a0b1 = (a & MP_HALF_DIGIT_MAX) * (b >> MP_HALF_DIGIT_BIT); \
|
||||
a1b0 = (a >> MP_HALF_DIGIT_BIT) * (b & MP_HALF_DIGIT_MAX); \
|
||||
a1b0 += a0b1; \
|
||||
Phi += a1b0 >> MP_HALF_DIGIT_BIT; \
|
||||
- if (a1b0 < a0b1) \
|
||||
- Phi += MP_HALF_RADIX; \
|
||||
+ Phi += (MP_CT_LTU(a1b0, a0b1)) << MP_HALF_DIGIT_BIT; \
|
||||
a1b0 <<= MP_HALF_DIGIT_BIT; \
|
||||
Plo += a1b0; \
|
||||
- if (Plo < a1b0) \
|
||||
- ++Phi; \
|
||||
+ Phi += MP_CT_LTU(Plo, a1b0); \
|
||||
}
|
||||
#endif
|
||||
|
||||
+/* Constant time version of s_mpv_mul_d_add_prop.
|
||||
+ * Presently, this is only used by the Constant time Montgomery arithmetic code. */
|
||||
+/* c += a * b */
|
||||
+void
|
||||
+s_mpv_mul_d_add_propCT(const mp_digit *a, mp_size a_len, mp_digit b,
|
||||
+ mp_digit *c, mp_size c_len)
|
||||
+{
|
||||
+#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
+ mp_digit d = 0;
|
||||
+
|
||||
+ c_len -= a_len;
|
||||
+ /* Inner product: Digits of a */
|
||||
+ while (a_len--) {
|
||||
+ mp_word w = ((mp_word)b * *a++) + *c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_word w = (mp_word)*c + d;
|
||||
+ *c++ = ACCUM(w);
|
||||
+ d = CARRYOUT(w);
|
||||
+ }
|
||||
+#else
|
||||
+ mp_digit carry = 0;
|
||||
+ c_len -= a_len;
|
||||
+ while (a_len--) {
|
||||
+ mp_digit a_i = *a++;
|
||||
+ mp_digit a0b0, a1b1;
|
||||
+ MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
+
|
||||
+ a0b0 += carry;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, carry);
|
||||
+ a0b0 += a_i = *c;
|
||||
+ a1b1 += MP_CT_LTU(a0b0, a_i);
|
||||
+
|
||||
+ *c++ = a0b0;
|
||||
+ carry = a1b1;
|
||||
+ }
|
||||
+ /* propagate the carry to the end, even if carry is zero */
|
||||
+ while (c_len--) {
|
||||
+ mp_digit c_i = *c;
|
||||
+ carry += c_i;
|
||||
+ *c++ = carry;
|
||||
+ carry = MP_CT_LTU(carry, c_i);
|
||||
+ }
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
#if !defined(MP_ASSEMBLY_MULTIPLY)
|
||||
/* c = a * b */
|
||||
void
|
||||
s_mpv_mul_d(const mp_digit *a, mp_size a_len, mp_digit b, mp_digit *c)
|
||||
{
|
||||
#if !defined(MP_NO_MP_WORD) && !defined(MP_NO_MUL_WORD)
|
||||
mp_digit d = 0;
|
||||
|
||||
@@ -3969,18 +4264,17 @@ s_mpv_mul_d(const mp_digit *a, mp_size a
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += a0b0 < carry;
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* c += a * b */
|
||||
@@ -4002,21 +4296,19 @@ s_mpv_mul_d_add(const mp_digit *a, mp_si
|
||||
mp_digit carry = 0;
|
||||
while (a_len--) {
|
||||
mp_digit a_i = *a++;
|
||||
mp_digit a0b0, a1b1;
|
||||
|
||||
MP_MUL_DxD(a_i, b, a1b1, a0b0);
|
||||
|
||||
a0b0 += carry;
|
||||
- if (a0b0 < carry)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < carry);
|
||||
a0b0 += a_i = *c;
|
||||
- if (a0b0 < a_i)
|
||||
- ++a1b1;
|
||||
+ a1b1 += (a0b0 < a_i);
|
||||
*c++ = a0b0;
|
||||
carry = a1b1;
|
||||
}
|
||||
*c = carry;
|
||||
#endif
|
||||
}
|
||||
|
||||
/* Presently, this is only used by the Montgomery arithmetic code. */
|
||||
diff --git a/lib/freebl/mpi/mpi.h b/lib/freebl/mpi/mpi.h
|
||||
--- a/lib/freebl/mpi/mpi.h
|
||||
+++ b/lib/freebl/mpi/mpi.h
|
||||
@@ -145,16 +145,54 @@ typedef int mp_sword;
|
||||
#define MP_USED(MP) ((MP)->used)
|
||||
#define MP_ALLOC(MP) ((MP)->alloc)
|
||||
#define MP_DIGITS(MP) ((MP)->dp)
|
||||
#define MP_DIGIT(MP, N) (MP)->dp[(N)]
|
||||
|
||||
/* This defines the maximum I/O base (minimum is 2) */
|
||||
#define MP_MAX_RADIX 64
|
||||
|
||||
+/* Constant Time Macros on mp_digits */
|
||||
+#define MP_CT_HIGH_TO_LOW(x) ((mp_digit)((mp_digit)(x) >> (MP_DIGIT_BIT - 1)))
|
||||
+
|
||||
+/* basic zero and non zero tests */
|
||||
+#define MP_CT_NOT_ZERO(x) (MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+#define MP_CT_ZERO(x) (~MP_CT_HIGH_TO_LOW(((x) | (((mp_digit)0) - (x)))))
|
||||
+
|
||||
+
|
||||
+/* basic constant-time helper macro for equalities and inequalities.
|
||||
+ * The inequalities will produce incorrect results if
|
||||
+ * abs(a-b) >= MP_DIGIT_SIZE/2. This can be avoided if unsigned values stay
|
||||
+ * within the range 0-MP_DIGIT_MAX/2. */
|
||||
+#define MP_CT_EQ(a, b) MP_CT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_NE(a, b) MP_CT_NOT_ZERO(((a) - (b)))
|
||||
+#define MP_CT_GT(a, b) MP_CT_HIGH_TO_LOW((b) - (a))
|
||||
+#define MP_CT_LT(a, b) MP_CT_HIGH_TO_LOW((a) - (b))
|
||||
+#define MP_CT_GE(a, b) (1^MP_CT_LT(a, b))
|
||||
+#define MP_CT_LE(a, b) (1^MP_CT_GT(a, b))
|
||||
+#define MP_CT_TRUE ((mp_digit)1)
|
||||
+#define MP_CT_FALSE ((mp_digit)0)
|
||||
+
|
||||
+/* use constant time result to select a boolean value */
|
||||
+#define MP_CT_SELB(m, l, r) (((m) & (l)) | (~(m) & (r)))
|
||||
+
|
||||
+/* full inequalities that work with full mp_digit values */
|
||||
+#define MP_CT_OVERFLOW(a,b,c,d) \
|
||||
+ MP_CT_SELB(MP_CT_HIGH_TO_LOW((a)^(b)), \
|
||||
+ (MP_CT_HIGH_TO_LOW(d)),c)
|
||||
+#define MP_CT_GTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),a)
|
||||
+#define MP_CT_LTU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),b)
|
||||
+#define MP_CT_GEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),a)
|
||||
+#define MP_CT_LEU(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),b)
|
||||
+#define MP_CT_GTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GT(a,b),b)
|
||||
+#define MP_CT_LTS(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LT(a,b),a)
|
||||
+#define MP_CT_GES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_GE(a,b),b)
|
||||
+#define MP_CT_LES(a,b) MP_CT_OVERFLOW(a,b,MP_CT_LE(a,b),a)
|
||||
+
|
||||
+
|
||||
typedef struct {
|
||||
mp_sign sign; /* sign of this quantity */
|
||||
mp_size alloc; /* how many digits allocated */
|
||||
mp_size used; /* how many digits used */
|
||||
mp_digit *dp; /* the digits themselves */
|
||||
} mp_int;
|
||||
|
||||
/* Default precision */
|
||||
@@ -185,17 +223,19 @@ mp_err mp_expt_d(const mp_int *a, mp_dig
|
||||
|
||||
/* Sign manipulations */
|
||||
mp_err mp_abs(const mp_int *a, mp_int *b);
|
||||
mp_err mp_neg(const mp_int *a, mp_int *b);
|
||||
|
||||
/* Full arithmetic */
|
||||
mp_err mp_add(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
mp_err mp_sub(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_subCT(const mp_int *a, mp_int *b, mp_int *c, mp_digit *borrow);
|
||||
mp_err mp_mul(const mp_int *a, const mp_int *b, mp_int *c);
|
||||
+mp_err mp_mulCT(mp_int *a, mp_int *b, mp_int *c, mp_size setSize);
|
||||
#if MP_SQUARE
|
||||
mp_err mp_sqr(const mp_int *a, mp_int *b);
|
||||
#else
|
||||
#define mp_sqr(a, b) mp_mul(a, a, b)
|
||||
#endif
|
||||
mp_err mp_div(const mp_int *a, const mp_int *b, mp_int *q, mp_int *r);
|
||||
mp_err mp_div_2d(const mp_int *a, mp_digit d, mp_int *q, mp_int *r);
|
||||
mp_err mp_expt(mp_int *a, mp_int *b, mp_int *c);
|
||||
@@ -212,23 +252,30 @@ mp_err mp_mulmod(const mp_int *a, const
|
||||
mp_err mp_sqrmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
#else
|
||||
#define mp_sqrmod(a, m, c) mp_mulmod(a, a, m, c)
|
||||
#endif
|
||||
mp_err mp_exptmod(const mp_int *a, const mp_int *b, const mp_int *m, mp_int *c);
|
||||
mp_err mp_exptmod_d(const mp_int *a, mp_digit d, const mp_int *m, mp_int *c);
|
||||
#endif /* MP_MODARITH */
|
||||
|
||||
+/* montgomery math */
|
||||
+mp_err mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont);
|
||||
+mp_digit mp_calculate_mont_n0i(const mp_int *N);
|
||||
+mp_err mp_reduceCT(const mp_int *a, const mp_int *m, mp_digit n0i, mp_int *ct);
|
||||
+mp_err mp_mulmontmodCT(mp_int *a, mp_int *b, const mp_int *m, mp_digit n0i, mp_int *c);
|
||||
+
|
||||
/* Comparisons */
|
||||
int mp_cmp_z(const mp_int *a);
|
||||
int mp_cmp_d(const mp_int *a, mp_digit d);
|
||||
int mp_cmp(const mp_int *a, const mp_int *b);
|
||||
int mp_cmp_mag(const mp_int *a, const mp_int *b);
|
||||
int mp_isodd(const mp_int *a);
|
||||
int mp_iseven(const mp_int *a);
|
||||
+mp_err mp_selectCT(mp_digit cond, const mp_int *a, const mp_int *b, mp_int *ret);
|
||||
|
||||
/* Number theoretic */
|
||||
mp_err mp_gcd(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_lcm(mp_int *a, mp_int *b, mp_int *c);
|
||||
mp_err mp_xgcd(const mp_int *a, const mp_int *b, mp_int *g, mp_int *x, mp_int *y);
|
||||
mp_err mp_invmod(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
mp_err mp_invmod_xgcd(const mp_int *a, const mp_int *m, mp_int *c);
|
||||
|
||||
diff --git a/lib/freebl/mpi/mpmontg.c b/lib/freebl/mpi/mpmontg.c
|
||||
--- a/lib/freebl/mpi/mpmontg.c
|
||||
+++ b/lib/freebl/mpi/mpmontg.c
|
||||
@@ -124,30 +124,37 @@ s_mp_mul_mont(const mp_int *a, const mp_
|
||||
}
|
||||
res = MP_OKAY;
|
||||
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
#endif
|
||||
|
||||
-STATIC
|
||||
mp_err
|
||||
-s_mp_to_mont(const mp_int *x, mp_mont_modulus *mmm, mp_int *xMont)
|
||||
+mp_to_mont(const mp_int *x, const mp_int *N, mp_int *xMont)
|
||||
{
|
||||
mp_err res;
|
||||
|
||||
/* xMont = x * R mod N where N is modulus */
|
||||
- MP_CHECKOK(mp_copy(x, xMont));
|
||||
- MP_CHECKOK(s_mp_lshd(xMont, MP_USED(&mmm->N))); /* xMont = x << b */
|
||||
- MP_CHECKOK(mp_div(xMont, &mmm->N, 0, xMont)); /* mod N */
|
||||
+ if (x != xMont) {
|
||||
+ MP_CHECKOK(mp_copy(x, xMont));
|
||||
+ }
|
||||
+ MP_CHECKOK(s_mp_lshd(xMont, MP_USED(N))); /* xMont = x << b */
|
||||
+ MP_CHECKOK(mp_div(xMont, N, 0, xMont)); /* mod N */
|
||||
CLEANUP:
|
||||
return res;
|
||||
}
|
||||
|
||||
+mp_digit
|
||||
+mp_calculate_mont_n0i(const mp_int *N)
|
||||
+{
|
||||
+ return 0 - s_mp_invmod_radix(MP_DIGIT(N,0));
|
||||
+}
|
||||
+
|
||||
#ifdef MP_USING_MONT_MULF
|
||||
|
||||
/* the floating point multiply is already cache safe,
|
||||
* don't turn on cache safe unless we specifically
|
||||
* force it */
|
||||
#ifndef MP_FORCE_CACHE_SAFE
|
||||
#undef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
#endif
|
||||
@@ -193,17 +200,17 @@ mp_exptmod_f(const mp_int *montBase,
|
||||
MP_DIGITS(&accum1) = 0;
|
||||
|
||||
for (i = 0; i < MAX_ODD_INTS; ++i)
|
||||
oddPowers[i] = 0;
|
||||
|
||||
MP_CHECKOK(mp_init_size(&accum1, 3 * nLen + 2));
|
||||
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
MP_CHECKOK(s_mp_pad(&accum1, nLen));
|
||||
|
||||
oddPowSize = 2 * nLen + 1;
|
||||
dTmpSize = 2 * oddPowSize;
|
||||
dSize = sizeof(double) * (nLen * 4 + 1 +
|
||||
((odd_ints + 1) * oddPowSize) + dTmpSize);
|
||||
dBuf = malloc(dSize);
|
||||
if (!dBuf) {
|
||||
@@ -473,17 +480,17 @@ mp_exptmod_i(const mp_int *montBase,
|
||||
for (i = 1; i < odd_ints; ++i) {
|
||||
MP_CHECKOK(mp_init_size(oddPowers + i, nLen + 2 * MP_USED(&power2) + 2));
|
||||
MP_CHECKOK(mp_mul(oddPowers + (i - 1), &power2, oddPowers + i));
|
||||
MP_CHECKOK(s_mp_redc(oddPowers + i, mmm));
|
||||
}
|
||||
|
||||
/* set accumulator to montgomery residue of 1 */
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
pa1 = &accum1;
|
||||
pa2 = &accum2;
|
||||
|
||||
for (expOff = bits_in_exponent - window_bits; expOff >= 0; expOff -= window_bits) {
|
||||
mp_size smallExp;
|
||||
MP_CHECKOK(mpl_get_bits(exponent, expOff, window_bits));
|
||||
smallExp = (mp_size)res;
|
||||
|
||||
@@ -862,17 +869,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
/* build the first WEAVE_WORD powers inline */
|
||||
/* if WEAVE_WORD_SIZE is not 4, this code will have to change */
|
||||
if (num_powers > 2) {
|
||||
MP_CHECKOK(mp_init_size(&accum[0], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[1], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[2], 3 * nLen + 2));
|
||||
MP_CHECKOK(mp_init_size(&accum[3], 3 * nLen + 2));
|
||||
mp_set(&accum[0], 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum[0], mmm, &accum[0]));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum[0], &(mmm->N), &accum[0]));
|
||||
MP_CHECKOK(mp_copy(montBase, &accum[1]));
|
||||
SQR(montBase, &accum[2]);
|
||||
MUL_NOWEAVE(montBase, &accum[2], &accum[3]);
|
||||
powersArray = (mp_digit *)malloc(num_powers * (nLen * sizeof(mp_digit) + 1));
|
||||
if (!powersArray) {
|
||||
res = MP_MEM;
|
||||
goto CLEANUP;
|
||||
}
|
||||
@@ -881,17 +888,17 @@ mp_exptmod_safe_i(const mp_int *montBase
|
||||
MP_CHECKOK(mpi_to_weave(accum, powers, nLen, num_powers));
|
||||
if (first_window < 4) {
|
||||
MP_CHECKOK(mp_copy(&accum[first_window], &accum1));
|
||||
first_window = num_powers;
|
||||
}
|
||||
} else {
|
||||
if (first_window == 0) {
|
||||
mp_set(&accum1, 1);
|
||||
- MP_CHECKOK(s_mp_to_mont(&accum1, mmm, &accum1));
|
||||
+ MP_CHECKOK(mp_to_mont(&accum1, &(mmm->N), &accum1));
|
||||
} else {
|
||||
/* assert first_window == 1? */
|
||||
MP_CHECKOK(mp_copy(montBase, &accum1));
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* calculate all the powers in the powers array.
|
||||
@@ -1054,19 +1061,19 @@ mp_exptmod(const mp_int *inBase, const m
|
||||
nLen = MP_USED(modulus);
|
||||
MP_CHECKOK(mp_init_size(&montBase, 2 * nLen + 2));
|
||||
|
||||
mmm.N = *modulus; /* a copy of the mp_int struct */
|
||||
|
||||
/* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
|
||||
** where n0 = least significant mp_digit of N, the modulus.
|
||||
*/
|
||||
- mmm.n0prime = 0 - s_mp_invmod_radix(MP_DIGIT(modulus, 0));
|
||||
+ mmm.n0prime = mp_calculate_mont_n0i(modulus);
|
||||
|
||||
- MP_CHECKOK(s_mp_to_mont(base, &mmm, &montBase));
|
||||
+ MP_CHECKOK(mp_to_mont(base, modulus, &montBase));
|
||||
|
||||
bits_in_exponent = mpl_significant_bits(exponent);
|
||||
#ifdef MP_USING_CACHE_SAFE_MOD_EXP
|
||||
if (mp_using_cache_safe_exp) {
|
||||
if (bits_in_exponent > 780)
|
||||
window_bits = 6;
|
||||
else if (bits_in_exponent > 256)
|
||||
window_bits = 5;
|
||||
diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
|
||||
--- a/lib/freebl/rsa.c
|
||||
+++ b/lib/freebl/rsa.c
|
||||
@@ -65,16 +65,18 @@ struct blindingParamsStr {
|
||||
** the Handbook of Applied Cryptography, 11.118-11.119.
|
||||
*/
|
||||
struct RSABlindingParamsStr {
|
||||
/* Blinding-specific parameters */
|
||||
PRCList link; /* link to list of structs */
|
||||
SECItem modulus; /* list element "key" */
|
||||
blindingParams *free, *bp; /* Blinding parameters queue */
|
||||
blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
|
||||
+ /* precalculate montegomery reduction value */
|
||||
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
|
||||
};
|
||||
typedef struct RSABlindingParamsStr RSABlindingParams;
|
||||
|
||||
/*
|
||||
** RSABlindingParamsListStr
|
||||
**
|
||||
** List of key-specific blinding params. The arena holds the volatile pool
|
||||
** of memory for each entry and the list itself. The lock is for list
|
||||
@@ -1210,16 +1212,18 @@ generate_blinding_params(RSAPrivateKey *
|
||||
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(kb, modLen));
|
||||
CHECK_MPI_OK(mp_read_unsigned_octets(&k, kb, modLen));
|
||||
/* k < n */
|
||||
CHECK_MPI_OK(mp_mod(&k, n, &k));
|
||||
/* f = k**e mod n */
|
||||
CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
|
||||
/* g = k**-1 mod n */
|
||||
CHECK_MPI_OK(mp_invmod(&k, n, g));
|
||||
+ /* g in montgomery form.. */
|
||||
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
|
||||
cleanup:
|
||||
if (kb)
|
||||
PORT_ZFree(kb, modLen);
|
||||
mp_clear(&k);
|
||||
mp_clear(&e);
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
rv = SECFailure;
|
||||
@@ -1246,23 +1250,26 @@ init_blinding_params(RSABlindingParams *
|
||||
* of rsabp->array pointer and must be set to NULL
|
||||
*/
|
||||
rsabp->array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE - 1].next = NULL;
|
||||
|
||||
bp = rsabp->array;
|
||||
rsabp->bp = NULL;
|
||||
rsabp->free = bp;
|
||||
|
||||
+ /* precalculate montgomery reduction parameter */
|
||||
+ rsabp->n0i = mp_calculate_mont_n0i(n);
|
||||
+
|
||||
/* List elements are keyed using the modulus */
|
||||
return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
|
||||
}
|
||||
|
||||
static SECStatus
|
||||
get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
|
||||
- mp_int *f, mp_int *g)
|
||||
+ mp_int *f, mp_int *g, mp_digit *n0i)
|
||||
{
|
||||
RSABlindingParams *rsabp = NULL;
|
||||
blindingParams *bpUnlinked = NULL;
|
||||
blindingParams *bp;
|
||||
PRCList *el;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err = MP_OKAY;
|
||||
int cmp = -1;
|
||||
@@ -1312,16 +1319,17 @@ get_blinding_params(RSAPrivateKey *key,
|
||||
** head (since el would have looped back to the head).
|
||||
*/
|
||||
PR_INSERT_BEFORE(&rsabp->link, el);
|
||||
}
|
||||
|
||||
/* We've found (or created) the RSAblindingParams struct for this key.
|
||||
* Now, search its list of ready blinding params for a usable one.
|
||||
*/
|
||||
+ *n0i = rsabp->n0i;
|
||||
while (0 != (bp = rsabp->bp)) {
|
||||
#ifdef UNSAFE_FUZZER_MODE
|
||||
/* Found a match and there are still remaining uses left */
|
||||
/* Return the parameters */
|
||||
CHECK_MPI_OK(mp_copy(&bp->f, f));
|
||||
CHECK_MPI_OK(mp_copy(&bp->g, g));
|
||||
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
@@ -1426,16 +1434,17 @@ cleanup:
|
||||
rsabp->free = bp;
|
||||
}
|
||||
if (holdingLock) {
|
||||
PZ_Unlock(blindingParamsList.lock);
|
||||
}
|
||||
if (err) {
|
||||
MP_TO_SEC_ERROR(err);
|
||||
}
|
||||
+ *n0i = 0;
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
/*
|
||||
** Perform a raw private-key operation
|
||||
** Length of input and output buffers are equal to key's modulus len.
|
||||
*/
|
||||
static SECStatus
|
||||
@@ -1445,16 +1454,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
PRBool check)
|
||||
{
|
||||
unsigned int modLen;
|
||||
unsigned int offset;
|
||||
SECStatus rv = SECSuccess;
|
||||
mp_err err;
|
||||
mp_int n, c, m;
|
||||
mp_int f, g;
|
||||
+ mp_digit n0i;
|
||||
if (!key || !output || !input) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
return SECFailure;
|
||||
}
|
||||
/* check input out of range (needs to be in range [0..n-1]) */
|
||||
modLen = rsa_modulusLen(&key->modulus);
|
||||
if (modLen == 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -1476,17 +1486,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
CHECK_MPI_OK(mp_init(&f));
|
||||
CHECK_MPI_OK(mp_init(&g));
|
||||
SECITEM_TO_MPINT(key->modulus, &n);
|
||||
OCTETS_TO_MPINT(input, &c, modLen);
|
||||
/* If blinding, compute pre-image of ciphertext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
|
||||
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
|
||||
/* c' = c*f mod n */
|
||||
CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
|
||||
}
|
||||
/* Do the private key operation m = c**d mod n */
|
||||
if (key->prime1.len == 0 ||
|
||||
key->prime2.len == 0 ||
|
||||
key->exponent1.len == 0 ||
|
||||
key->exponent2.len == 0 ||
|
||||
@@ -1497,17 +1507,17 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
|
||||
} else {
|
||||
CHECK_SEC_OK(rsa_PrivateKeyOpCRTNoCheck(key, &m, &c));
|
||||
}
|
||||
/* If blinding, compute post-image of plaintext by multiplying by
|
||||
** blinding factor
|
||||
*/
|
||||
if (nssRSAUseBlinding) {
|
||||
/* m = m'*g mod n */
|
||||
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
|
||||
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
|
||||
}
|
||||
err = mp_to_fixlen_octets(&m, output, modLen);
|
||||
if (err >= 0)
|
||||
err = MP_OKAY;
|
||||
cleanup:
|
||||
mp_clear(&n);
|
||||
mp_clear(&c);
|
||||
mp_clear(&m);
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,59 @@
|
||||
diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
|
||||
--- a/lib/freebl/chacha20poly1305.c
|
||||
+++ b/lib/freebl/chacha20poly1305.c
|
||||
@@ -213,27 +213,31 @@
|
||||
{
|
||||
#ifdef NSS_X64
|
||||
#ifndef NSS_DISABLE_AVX2
|
||||
if (avx2_support()) {
|
||||
Hacl_Chacha20_Vec256_chacha20_encrypt_256(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef NSS_DISABLE_SSE3
|
||||
if (ssse3_support() && sse4_1_support() && avx_support()) {
|
||||
Hacl_Chacha20_Vec128_chacha20_encrypt_128(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
#endif
|
||||
|
||||
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||
if (ppc_crypto_support()) {
|
||||
chacha20vsx(len, output, block, k, nonce, ctr);
|
||||
- } else
|
||||
+ return;
|
||||
+ }
|
||||
#endif
|
||||
{
|
||||
Hacl_Chacha20_chacha20_encrypt(len, output, block, k, nonce, ctr);
|
||||
+ return;
|
||||
}
|
||||
}
|
||||
#endif /* NSS_DISABLE_CHACHAPOLY */
|
||||
|
||||
SECStatus
|
||||
@@ -449,20 +453,18 @@
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
goto finish;
|
||||
}
|
||||
#endif
|
||||
-
|
||||
- else
|
||||
#elif defined(__powerpc64__) && defined(__LITTLE_ENDIAN__) && \
|
||||
!defined(NSS_DISABLE_ALTIVEC) && !defined(NSS_DISABLE_CRYPTO_VSX)
|
||||
if (ppc_crypto_support()) {
|
||||
Chacha20Poly1305_vsx_aead_encrypt(
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
goto finish;
|
||||
- } else
|
||||
+ }
|
||||
#endif
|
||||
{
|
||||
Hacl_Chacha20Poly1305_32_aead_encrypt(
|
||||
(uint8_t *)ctx->key, (uint8_t *)nonce, adLen, (uint8_t *)ad, inputLen,
|
||||
(uint8_t *)input, output, outTag);
|
||||
|
@ -0,0 +1,81 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.no_md ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.no_md 2024-06-11 12:41:35.054654990 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2024-06-11 12:46:25.347979894 -0700
|
||||
@@ -329,14 +329,11 @@ static const oidValDef curveOptList[] =
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
- NSS_USE_ALG_IN_PKCS12 },
|
||||
+ NSS_USE_ALG_IN_SMIME_LEGACY | NSS_USE_ALG_IN_PKCS12_DECRYPT },
|
||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE | NSS_USE_ALG_IN_SMIME |
|
||||
NSS_USE_ALG_IN_PKCS12 },
|
||||
diff -up ./lib/util/secoid.c.no_md ./lib/util/secoid.c
|
||||
diff -r 699541a7793b lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||
@@ -2042,6 +2042,19 @@
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
+ switch (i) {
|
||||
+ case SEC_OID_MD2:
|
||||
+ case SEC_OID_MD4:
|
||||
+ case SEC_OID_MD5:
|
||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
||||
diff -up ./tests/tools/pkcs12policy.txt.disable_md5_test ./tests/tools/pkcs12policy.txt
|
||||
--- ./tests/tools/pkcs12policy.txt.disable_md5_test 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./tests/tools/pkcs12policy.txt 2024-06-19 11:15:46.666728170 -0700
|
||||
@@ -91,21 +91,21 @@
|
||||
0 18 allow_all disallow=rc2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC4 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC SHA-1 disallow rc2 (read), RC4 and RC2
|
||||
# integrity policy check the various has based controls.
|
||||
# NOTE: md4, md2, and md5 are turned off by policy by default for encrypting
|
||||
-# (decrypting is fine). To be enabled, you must allow=all or allow=mdX on the
|
||||
+# (decrypting is fine). To be enabled, you must allow=mdX/pkcs12 on the
|
||||
# encryption side. These tests purposefully tests that the default fails to encrypt
|
||||
# but succeeds when decrypting.
|
||||
27 x allow=tls allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Use default policy with multiple hashes
|
||||
- 0 0 allow=all allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||
- 0 0 allow=all allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||
- 28 x disallow=sha1_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||
+ 0 0 allow=md2/pkcs12 allow=tls PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all encrypt, use default decrypt with multiple hashes
|
||||
+ 0 0 allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Allow all with multiple hashes
|
||||
+ 28 x disallow=sha1_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on write
|
||||
27 x disallow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on write
|
||||
- 29 x disallow=sha256_allow=md2 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||
- 0 19 allow=all disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
- 0 18 allow=all disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
- 0 17 allow=all disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
- 0 0 allow=all disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
- 0 0 allow=all disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
- 0 0 allow=all disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
+ 29 x disallow=sha256_allow=md2/pkcs12 allow=all PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on write
|
||||
+ 0 19 allow=all:md2/pkcs12 disallow=sha1 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
+ 0 18 allow=md2/pkcs12 disallow=md2 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
+ 0 17 allow=md2/pkcs12 disallow=sha256 PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=md2/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow md2 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=sha1/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha1 on read
|
||||
+ 0 0 allow=md2/pkcs12 disallow=sha256/pkcs12-encrypt PKCS_#12_V2_PBE_With_SHA-1_And_128_Bit_RC2_CBC PKCS_#5_Password_Based_Encryption_with_MD2_and_DES-CBC SHA-256 Disallow sha256 on read
|
||||
0 0 allow=all allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||
29 x disallow=hmac-sha256 allow=all AES-128-CBC AES-128-CBC HMAC_SHA-256
|
||||
0 18 allow=all disallow=hmac-sha256 AES-128-CBC AES-128-CBC HMAC_SHA-256
|
@ -0,0 +1,14 @@
|
||||
diff -up ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default ./cmd/pk12util/pk12util.c
|
||||
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.773248450 -0700
|
||||
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
|
||||
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
|
||||
- if (PK11_IsFIPS()) {
|
||||
- hash = SEC_OID_HMAC_SHA256;
|
||||
- }
|
||||
if (pk12util.options[opt_Mac].activated) {
|
||||
char *hashString = pk12util.options[opt_Mac].arg;
|
||||
|
@ -0,0 +1,13 @@
|
||||
diff -up ./lib/pk11wrap/pk11pars.c.enable_kyber_policy ./lib/pk11wrap/pk11pars.c
|
||||
--- ./lib/pk11wrap/pk11pars.c.enable_kyber_policy 2024-06-12 14:44:24.680338868 -0700
|
||||
+++ ./lib/pk11wrap/pk11pars.c 2024-06-12 14:44:48.368609356 -0700
|
||||
@@ -245,7 +245,8 @@ static const oidValDef curveOptList[] =
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
{ CIPHER_NAME("CURVE25519"), SEC_OID_CURVE25519,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
||||
- { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00, 0 },
|
||||
+ { CIPHER_NAME("XYBER768D00"), SEC_OID_XYBER768D00,
|
||||
+ NSS_USE_ALG_IN_SSL_KX },
|
||||
/* ANSI X9.62 named elliptic curves (characteristic two field) */
|
||||
{ CIPHER_NAME("C2PNB163V1"), SEC_OID_ANSIX962_EC_C2PNB163V1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_CERT_SIGNATURE },
|
@ -0,0 +1,63 @@
|
||||
diff -up ./tests/cert/cert.sh.no_dbm_tests ./tests/cert/cert.sh
|
||||
--- ./tests/cert/cert.sh.no_dbm_tests 2024-06-20 17:08:03.146169243 -0700
|
||||
+++ ./tests/cert/cert.sh 2024-06-20 17:08:23.282404259 -0700
|
||||
@@ -2662,9 +2662,7 @@ cert_test_password
|
||||
cert_test_distrust
|
||||
cert_test_ocspresp
|
||||
cert_test_rsapss
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- cert_test_rsapss_policy
|
||||
-fi
|
||||
+cert_test_rsapss_policy
|
||||
cert_test_token_uri
|
||||
|
||||
if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then
|
||||
diff -up ./tests/smime/smime.sh.no_dbm_tests ./tests/smime/smime.sh
|
||||
--- ./tests/smime/smime.sh.no_dbm_tests 2024-06-20 17:08:45.147659448 -0700
|
||||
+++ ./tests/smime/smime.sh 2024-06-20 17:09:05.313894814 -0700
|
||||
@@ -872,8 +872,6 @@ smime_init
|
||||
smime_main
|
||||
smime_data_tb
|
||||
smime_p7
|
||||
-if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- smime_policy
|
||||
-fi
|
||||
+smime_policy
|
||||
smime_cleanup
|
||||
|
||||
diff -up ./tests/ssl/ssl.sh.no_dbm_tests ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.no_dbm_tests 2024-06-20 17:09:28.588166454 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2024-06-20 17:09:54.351467232 -0700
|
||||
@@ -1600,12 +1600,10 @@ ssl_run_tests()
|
||||
do
|
||||
case "${SSL_TEST}" in
|
||||
"policy")
|
||||
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- ssl_policy_listsuites
|
||||
- ssl_policy_selfserv
|
||||
- ssl_policy_pkix_ocsp
|
||||
- ssl_policy
|
||||
- fi
|
||||
+ ssl_policy_listsuites
|
||||
+ ssl_policy_selfserv
|
||||
+ ssl_policy_pkix_ocsp
|
||||
+ ssl_policy
|
||||
;;
|
||||
"crl")
|
||||
ssl_crl_ssl
|
||||
diff -up ./tests/tools/tools.sh.no_dbm_tests ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.no_dbm_tests 2024-06-20 17:10:13.828694981 -0700
|
||||
+++ ./tests/tools/tools.sh 2024-06-20 17:10:31.051896368 -0700
|
||||
@@ -584,10 +584,8 @@ tools_p12()
|
||||
tools_p12_export_with_invalid_ciphers
|
||||
tools_p12_import_old_files
|
||||
tools_p12_import_pbmac1_samples
|
||||
- if [ "${TEST_MODE}" = "SHARED_DB" ] ; then
|
||||
- tools_p12_import_rsa_pss_private_key
|
||||
- tools_p12_policy
|
||||
- fi
|
||||
+ tools_p12_import_rsa_pss_private_key
|
||||
+ tools_p12_policy
|
||||
}
|
||||
|
||||
############################## tools_sign ##############################
|
@ -0,0 +1,115 @@
|
||||
diff -up ./lib/smime/cmsasn1.c.restore_abi ./lib/smime/cmsasn1.c
|
||||
--- ./lib/smime/cmsasn1.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmsasn1.c 2024-09-06 18:05:27.808338289 -0700
|
||||
@@ -350,7 +350,7 @@ static const SEC_ASN1Template NSSCMSKeyA
|
||||
{ SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT |
|
||||
SEC_ASN1_CONTEXT_SPECIFIC | SEC_ASN1_XTRN | 1,
|
||||
offsetof(NSSCMSKeyAgreeRecipientInfo, ukm),
|
||||
- SEC_ASN1_SUB(SEC_OctetStringTemplate) },
|
||||
+ SEC_ASN1_SUB(SEC_PointerToOctetStringTemplate) },
|
||||
{ SEC_ASN1_INLINE | SEC_ASN1_XTRN,
|
||||
offsetof(NSSCMSKeyAgreeRecipientInfo, keyEncAlg),
|
||||
SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
|
||||
diff -up ./lib/smime/cmslocal.h.restore_abi ./lib/smime/cmslocal.h
|
||||
--- ./lib/smime/cmslocal.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmslocal.h 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -174,7 +174,7 @@ NSS_CMSUtil_DecryptSymKey_RSA_OAEP(SECKE
|
||||
|
||||
extern SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert, PK11SymKey *key,
|
||||
- SECItem *encKey, PRBool genUkm, SECItem *ukm,
|
||||
+ SECItem *encKey, PRBool genUkm, SECItem **ukm,
|
||||
SECAlgorithmID *keyEncAlg, SECItem *originatorPubKey, void *wincx);
|
||||
|
||||
PK11SymKey *
|
||||
diff -up ./lib/smime/cmspubkey.c.restore_abi ./lib/smime/cmspubkey.c
|
||||
--- ./lib/smime/cmspubkey.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmspubkey.c 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -292,9 +292,15 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
|
||||
unsigned char suppPubInfo[4] = { 0 };
|
||||
|
||||
SI.keyInfo = keyInfo;
|
||||
- SI.entityUInfo.type = ukm->type;
|
||||
- SI.entityUInfo.data = ukm->data;
|
||||
- SI.entityUInfo.len = ukm->len;
|
||||
+ if (ukm) {
|
||||
+ SI.entityUInfo.type = ukm->type;
|
||||
+ SI.entityUInfo.data = ukm->data;
|
||||
+ SI.entityUInfo.len = ukm->len;
|
||||
+ } else {
|
||||
+ SI.entityUInfo.type = siBuffer;
|
||||
+ SI.entityUInfo.data = NULL;
|
||||
+ SI.entityUInfo.len = 0;
|
||||
+ }
|
||||
|
||||
SI.suppPubInfo.type = siBuffer;
|
||||
SI.suppPubInfo.data = suppPubInfo;
|
||||
@@ -322,7 +328,7 @@ Create_ECC_CMS_SharedInfo(PLArenaPool *p
|
||||
SECStatus
|
||||
NSS_CMSUtil_EncryptSymKey_ESECDH(PLArenaPool *poolp, CERTCertificate *cert,
|
||||
PK11SymKey *bulkkey, SECItem *encKey,
|
||||
- PRBool genUkm, SECItem *ukm,
|
||||
+ PRBool genUkm, SECItem **ukmp,
|
||||
SECAlgorithmID *keyEncAlg, SECItem *pubKey,
|
||||
void *wincx)
|
||||
{
|
||||
@@ -337,10 +343,11 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
|
||||
SECAlgorithmID keyWrapAlg;
|
||||
SECOidTag keyEncAlgtag;
|
||||
SECItem keyWrapAlg_params, *keyEncAlg_params, *SharedInfo;
|
||||
+ SECItem *ukm = *ukmp;
|
||||
CK_MECHANISM_TYPE keyDerivationType, keyWrapMech;
|
||||
CK_ULONG kdf;
|
||||
|
||||
- if (genUkm && (ukm->len != 0 || ukm->data != NULL)) {
|
||||
+ if (genUkm && (ukm != NULL)) {
|
||||
PORT_SetError(PR_INVALID_ARGUMENT_ERROR);
|
||||
return SECFailure;
|
||||
}
|
||||
@@ -427,17 +434,17 @@ NSS_CMSUtil_EncryptSymKey_ESECDH(PLArena
|
||||
* contain 512 bits for Diffie-Hellman key agreement. */
|
||||
|
||||
if (genUkm) {
|
||||
- ukm->type = siBuffer;
|
||||
- ukm->len = 64;
|
||||
- ukm->data = (unsigned char *)PORT_ArenaAlloc(poolp, ukm->len);
|
||||
-
|
||||
- if (ukm->data == NULL) {
|
||||
+ ukm = SECITEM_AllocItem(poolp, NULL, 64);
|
||||
+ if (ukm == NULL) {
|
||||
goto loser;
|
||||
}
|
||||
+ ukm->type = siBuffer;
|
||||
+
|
||||
rv = PK11_GenerateRandom(ukm->data, ukm->len);
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
+ *ukmp = ukm; /* return it */
|
||||
}
|
||||
|
||||
SharedInfo = Create_ECC_CMS_SharedInfo(poolp, &keyWrapAlg,
|
||||
diff -up ./lib/smime/cmsrecinfo.c.restore_abi ./lib/smime/cmsrecinfo.c
|
||||
--- ./lib/smime/cmsrecinfo.c.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmsrecinfo.c 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -582,7 +582,7 @@ NSS_CMSRecipientInfo_UnwrapBulkKey(NSSCM
|
||||
parameters = &(ri->ri.keyAgreeRecipientInfo.keyEncAlg.parameters);
|
||||
enckey = &(ri->ri.keyAgreeRecipientInfo.recipientEncryptedKeys[subIndex]->encKey);
|
||||
oiok = &(ri->ri.keyAgreeRecipientInfo.originatorIdentifierOrKey);
|
||||
- ukm = &(ri->ri.keyAgreeRecipientInfo.ukm);
|
||||
+ ukm = ri->ri.keyAgreeRecipientInfo.ukm;
|
||||
break;
|
||||
case NSSCMSRecipientInfoID_KEK:
|
||||
algid = &(ri->ri.kekRecipientInfo.keyEncAlg);
|
||||
diff -up ./lib/smime/cmst.h.restore_abi ./lib/smime/cmst.h
|
||||
--- ./lib/smime/cmst.h.restore_abi 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/cmst.h 2024-09-06 18:04:47.647863624 -0700
|
||||
@@ -376,7 +376,7 @@ typedef struct NSSCMSRecipientEncryptedK
|
||||
struct NSSCMSKeyAgreeRecipientInfoStr {
|
||||
SECItem version;
|
||||
NSSCMSOriginatorIdentifierOrKey originatorIdentifierOrKey;
|
||||
- SECItem ukm; /* optional */
|
||||
+ SECItem *ukm; /* optional */
|
||||
SECAlgorithmID keyEncAlg;
|
||||
NSSCMSRecipientEncryptedKey **recipientEncryptedKeys;
|
||||
};
|
@ -0,0 +1,126 @@
|
||||
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
@@ -371,16 +371,21 @@ static void GenerateWeakRsaKey(ScopedSEC
|
||||
// Fail to connect with a weak RSA key.
|
||||
TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
Reset(kPssDelegatorId);
|
||||
EnsureTlsSetup();
|
||||
static const SSLSignatureScheme kSchemes[] = {ssl_sig_rsa_pss_rsae_sha256,
|
||||
ssl_sig_rsa_pss_pss_sha256};
|
||||
client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes));
|
||||
+ PRInt32 keySizeFlags;
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &keySizeFlags));
|
||||
+ // turn off the signing key sizes so we actually test the ssl tests
|
||||
+ ASSERT_EQ(SECSuccess,
|
||||
+ NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, NSS_KEY_SIZE_POLICY_SSL_FLAG ));
|
||||
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
// save the MIN POLICY length.
|
||||
PRInt32 minRsa;
|
||||
|
||||
ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa));
|
||||
#if RSA_MIN_MODULUS_BITS >= 2048
|
||||
ASSERT_EQ(SECSuccess,
|
||||
NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024));
|
||||
@@ -408,16 +413,17 @@ TEST_P(TlsConnectTls13, DCWeakKey) {
|
||||
client_->EnableDelegatedCredentials();
|
||||
|
||||
auto cfilter = MakeTlsFilter<TlsExtensionCapture>(
|
||||
client_, ssl_delegated_credentials_xtn);
|
||||
ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity);
|
||||
#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY
|
||||
ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa));
|
||||
#endif
|
||||
+ ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_KEY_SIZE_POLICY_FLAGS, keySizeFlags));
|
||||
}
|
||||
|
||||
class ReplaceDCSigScheme : public TlsHandshakeFilter {
|
||||
public:
|
||||
ReplaceDCSigScheme(const std::shared_ptr<TlsAgent>& a)
|
||||
: TlsHandshakeFilter(a, {ssl_hs_certificate_verify}) {}
|
||||
|
||||
protected:
|
||||
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
|
||||
--- a/lib/cryptohi/seckey.c
|
||||
+++ b/lib/cryptohi/seckey.c
|
||||
@@ -1134,22 +1134,31 @@ SECKEY_PrivateKeyStrengthInBits(const SE
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* interpret modulus length as key strength */
|
||||
switch (privk->keyType) {
|
||||
case rsaKey:
|
||||
case rsaPssKey:
|
||||
case rsaOaepKey:
|
||||
- /* some tokens don't export CKA_MODULUS on the private key,
|
||||
- * PK11_SignatureLen works around this if necessary */
|
||||
- bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||
- if (bitSize == -1) {
|
||||
- bitSize = 0;
|
||||
+ rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
+ CKA_MODULUS, NULL, ¶ms);
|
||||
+ if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
+ /* some tokens don't export CKA_MODULUS on the private key,
|
||||
+ * PK11_SignatureLen works around this if necessary. This
|
||||
+ * method is less percise because it returns bytes instead
|
||||
+ * bits, so we only do it if we can't get the modulus */
|
||||
+ bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
|
||||
+ if (bitSize == -1) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ return bitSize;
|
||||
}
|
||||
+ bitSize = SECKEY_BigIntegerBitLength(¶ms);
|
||||
+ PORT_Free(params.data);
|
||||
return bitSize;
|
||||
case dsaKey:
|
||||
case fortezzaKey:
|
||||
case dhKey:
|
||||
case keaKey:
|
||||
rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
|
||||
CKA_PRIME, NULL, ¶ms);
|
||||
if ((rv != SECSuccess) || (params.data == NULL)) {
|
||||
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
|
||||
--- a/lib/ssl/ssl3con.c
|
||||
+++ b/lib/ssl/ssl3con.c
|
||||
@@ -1277,27 +1277,39 @@ ssl3_SignHashesWithPrivKey(SSL3Hashes *h
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
goto done;
|
||||
}
|
||||
PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
|
||||
|
||||
if (useRsaPss || hash->hashAlg == ssl_hash_none) {
|
||||
CK_MECHANISM_TYPE mech = PK11_MapSignKeyType(key->keyType);
|
||||
int signatureLen = PK11_SignatureLen(key);
|
||||
+ PRInt32 optval;
|
||||
|
||||
SECItem *params = NULL;
|
||||
CK_RSA_PKCS_PSS_PARAMS pssParams;
|
||||
SECItem pssParamsItem = { siBuffer,
|
||||
(unsigned char *)&pssParams,
|
||||
sizeof(pssParams) };
|
||||
|
||||
if (signatureLen <= 0) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_KEY);
|
||||
goto done;
|
||||
}
|
||||
+ /* since we are calling PK11_SignWithMechanism directly, we need to check the
|
||||
+ * key policy ourselves (which is already checked in SGN_Digest */
|
||||
+ rv = NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optval);
|
||||
+ if ((rv == SECSuccess) &&
|
||||
+ ((optval & NSS_KEY_SIZE_POLICY_SIGN_FLAG) == NSS_KEY_SIZE_POLICY_SIGN_FLAG)) {
|
||||
+ rv = SECKEY_EnforceKeySize(key->keyType, SECKEY_PrivateKeyStrengthInBits(key),
|
||||
+ SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ goto done; /* error code already set */
|
||||
+ }
|
||||
+ }
|
||||
|
||||
buf->len = (unsigned)signatureLen;
|
||||
buf->data = (unsigned char *)PORT_Alloc(signatureLen);
|
||||
if (!buf->data)
|
||||
goto done; /* error code was set. */
|
||||
|
||||
if (useRsaPss) {
|
||||
pssParams.hashAlg = ssl3_GetHashMechanismByHashType(hash->hashAlg);
|
@ -0,0 +1,43 @@
|
||||
diff --git a/lib/util/nsshash.c b/lib/util/nsshash.c
|
||||
--- a/lib/util/nsshash.c
|
||||
+++ b/lib/util/nsshash.c
|
||||
@@ -102,16 +102,19 @@ HASH_GetHashOidTagByHashType(HASH_HashTy
|
||||
SECOidTag
|
||||
HASH_GetHashOidTagByHMACOidTag(SECOidTag hmacOid)
|
||||
{
|
||||
SECOidTag hashOid = SEC_OID_UNKNOWN;
|
||||
|
||||
switch (hmacOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_HMAC_MD5:
|
||||
+ hashOid = SEC_OID_MD5;
|
||||
+ break;
|
||||
case SEC_OID_HMAC_SHA1:
|
||||
hashOid = SEC_OID_SHA1;
|
||||
break;
|
||||
case SEC_OID_HMAC_SHA224:
|
||||
hashOid = SEC_OID_SHA224;
|
||||
break;
|
||||
case SEC_OID_HMAC_SHA256:
|
||||
hashOid = SEC_OID_SHA256;
|
||||
@@ -145,16 +148,19 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag
|
||||
SECOidTag
|
||||
HASH_GetHMACOidTagByHashOidTag(SECOidTag hashOid)
|
||||
{
|
||||
SECOidTag hmacOid = SEC_OID_UNKNOWN;
|
||||
|
||||
switch (hashOid) {
|
||||
/* no oid exists for HMAC_MD2 */
|
||||
/* NSS does not define a oid for HMAC_MD4 */
|
||||
+ case SEC_OID_MD5:
|
||||
+ hmacOid = SEC_OID_HMAC_MD5;
|
||||
+ break;
|
||||
case SEC_OID_SHA1:
|
||||
hmacOid = SEC_OID_HMAC_SHA1;
|
||||
break;
|
||||
case SEC_OID_SHA224:
|
||||
hmacOid = SEC_OID_HMAC_SHA224;
|
||||
break;
|
||||
case SEC_OID_SHA256:
|
||||
hmacOid = SEC_OID_HMAC_SHA256;
|
@ -0,0 +1,121 @@
|
||||
diff --git a/lib/pk11wrap/pk11mech.c b/lib/pk11wrap/pk11mech.c
|
||||
--- a/lib/pk11wrap/pk11mech.c
|
||||
+++ b/lib/pk11wrap/pk11mech.c
|
||||
@@ -1710,20 +1710,26 @@ PK11_ParamToAlgid(SECOidTag algTag, SECI
|
||||
case CKM_BATON_ECB96:
|
||||
case CKM_BATON_CBC128:
|
||||
case CKM_BATON_COUNTER:
|
||||
case CKM_BATON_SHUFFLE:
|
||||
case CKM_JUNIPER_ECB128:
|
||||
case CKM_JUNIPER_CBC128:
|
||||
case CKM_JUNIPER_COUNTER:
|
||||
case CKM_JUNIPER_SHUFFLE:
|
||||
- newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
- SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
- if (newParams == NULL)
|
||||
- break;
|
||||
+ /* if no parameters have been supplied, then encode a NULL params
|
||||
+ */
|
||||
+ if (param && param->len > 0) {
|
||||
+ newParams = SEC_ASN1EncodeItem(NULL, NULL, param,
|
||||
+ SEC_ASN1_GET(SEC_OctetStringTemplate));
|
||||
+ if (newParams == NULL)
|
||||
+ break;
|
||||
+ } else {
|
||||
+ newParams = NULL;
|
||||
+ }
|
||||
rv = SECSuccess;
|
||||
break;
|
||||
}
|
||||
|
||||
if (rv != SECSuccess) {
|
||||
if (newParams)
|
||||
SECITEM_FreeItem(newParams, PR_TRUE);
|
||||
return rv;
|
||||
diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
|
||||
--- a/lib/pk11wrap/pk11pbe.c
|
||||
+++ b/lib/pk11wrap/pk11pbe.c
|
||||
@@ -765,45 +765,53 @@ sec_pkcs5CreateAlgorithmID(SECOidTag alg
|
||||
* algorithm is). We use choose this algorithm oid based on the
|
||||
* cipherAlgorithm to determine what this should be (MAC1 or PBES2).
|
||||
*/
|
||||
if (algorithm == SEC_OID_PKCS5_PBKDF2) {
|
||||
/* choose mac or pbes */
|
||||
algorithm = sec_pkcs5v2_get_pbe(cipherAlgorithm);
|
||||
}
|
||||
|
||||
+ SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
+
|
||||
/* set the PKCS5v2 specific parameters */
|
||||
if (keyLength == 0) {
|
||||
- SECOidTag hashAlg = HASH_GetHashOidTagByHMACOidTag(cipherAlgorithm);
|
||||
if (hashAlg != SEC_OID_UNKNOWN) {
|
||||
keyLength = HASH_ResultLenByOidTag(hashAlg);
|
||||
} else {
|
||||
keyLength = sec_pkcs5v2_default_key_length(cipherAlgorithm);
|
||||
}
|
||||
if (keyLength <= 0) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
/* currently SEC_OID_HMAC_SHA1 is the default */
|
||||
if (prfAlg == SEC_OID_UNKNOWN) {
|
||||
prfAlg = SEC_OID_HMAC_SHA1;
|
||||
}
|
||||
|
||||
- /* build the PKCS5v2 cipher algorithm id */
|
||||
- cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
- PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
- if (!cipherParams) {
|
||||
- goto loser;
|
||||
+ /* build the PKCS5v2 cipher algorithm id, if cipher
|
||||
+ * is an HMAC, the cipherParams should be NULL */
|
||||
+ if (hashAlg == SEC_OID_UNKNOWN) {
|
||||
+ cipherParams = pk11_GenerateNewParamWithKeyLen(
|
||||
+ PK11_AlgtagToMechanism(cipherAlgorithm), keyLength);
|
||||
+ if (!cipherParams) {
|
||||
+ goto loser;
|
||||
+ }
|
||||
+ } else {
|
||||
+ cipherParams = NULL;
|
||||
}
|
||||
|
||||
PORT_Memset(&pbeV2_param, 0, sizeof(pbeV2_param));
|
||||
|
||||
rv = PK11_ParamToAlgid(cipherAlgorithm, cipherParams,
|
||||
poolp, &pbeV2_param.cipherAlgId);
|
||||
- SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ if (cipherParams) {
|
||||
+ SECITEM_FreeItem(cipherParams, PR_TRUE);
|
||||
+ }
|
||||
if (rv != SECSuccess) {
|
||||
goto loser;
|
||||
}
|
||||
}
|
||||
|
||||
/* generate the parameter */
|
||||
pbe_param = sec_pkcs5_create_pbe_parameter(pbeAlgorithm, salt, iteration,
|
||||
keyLength, prfAlg);
|
||||
diff --git a/lib/util/secalgid.c b/lib/util/secalgid.c
|
||||
--- a/lib/util/secalgid.c
|
||||
+++ b/lib/util/secalgid.c
|
||||
@@ -50,17 +50,18 @@ SECOID_SetAlgorithmID(PLArenaPool *arena
|
||||
PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
if (SECITEM_CopyItem(arena, &id->algorithm, &oiddata->oid))
|
||||
return SECFailure;
|
||||
|
||||
if ((secoid_IsRSAPKCS1(which)) ||
|
||||
- (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL)) {
|
||||
+ (HASH_GetHashTypeByOidTag(which) != HASH_AlgNULL) /* ||
|
||||
+ (HASH_GetHashOidTagByHMACOidTag(which) != SEC_OID_UNKNOWN) */) {
|
||||
add_null_param = PR_TRUE;
|
||||
} else {
|
||||
add_null_param = PR_FALSE;
|
||||
}
|
||||
|
||||
if (params) {
|
||||
/*
|
||||
* I am specifically *not* enforcing the following assertion
|
@ -0,0 +1,12 @@
|
||||
diff -up ./tests/ssl/sslpolicy.txt.fix_rsa_policy ./tests/ssl/sslpolicy.txt
|
||||
--- ./tests/ssl/sslpolicy.txt.fix_rsa_policy 2024-06-21 11:08:01.765937907 -0700
|
||||
+++ ./tests/ssl/sslpolicy.txt 2024-06-21 11:08:55.598540079 -0700
|
||||
@@ -195,7 +195,7 @@
|
||||
0 noECC SSL3 d disallow=dsa Disallow DSA Signatures Explicitly
|
||||
1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
- 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
+ 0 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||
0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||
# test default settings
|
@ -0,0 +1,12 @@
|
||||
diff -up ./lib/pkcs12/p12local.c.long_pw_fix ./lib/pkcs12/p12local.c
|
||||
--- ./lib/pkcs12/p12local.c.long_pw_fix 2024-09-06 17:58:39.905517185 -0700
|
||||
+++ ./lib/pkcs12/p12local.c 2024-09-06 17:59:19.568985976 -0700
|
||||
@@ -102,7 +102,7 @@ sec_pkcs12_integrity_key(PK11SlotInfo *s
|
||||
*hmacMech = PK11_AlgtagToMechanism(hmacAlg);
|
||||
/* pkcs12v2 hmac uses UTF8 rather than unicode */
|
||||
if (!sec_pkcs12_convert_item_to_unicode(NULL, &utf8Pw, pwitem,
|
||||
- PR_TRUE, PR_FALSE, PR_FALSE)) {
|
||||
+ PR_FALSE, PR_FALSE, PR_FALSE)) {
|
||||
return NULL;
|
||||
}
|
||||
symKey = PK11_PBEKeyGen(slot, prfAlgid, &utf8Pw, PR_FALSE, pwarg);
|
@ -0,0 +1,83 @@
|
||||
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
|
||||
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
|
||||
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
|
||||
static PRBool
|
||||
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policy;
|
||||
SECStatus rv;
|
||||
|
||||
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
|
||||
return PR_TRUE;
|
||||
}
|
||||
return PR_FALSE;
|
||||
+#else
|
||||
+ return PR_TRUE;
|
||||
+#endif
|
||||
}
|
||||
|
||||
PRBool
|
||||
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
|
||||
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
|
||||
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
|
||||
PRBool
|
||||
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
|
||||
{
|
||||
+#ifdef notdef
|
||||
PRUint32 policyFlags;
|
||||
|
||||
/* some S/MIME algs map to the same underlying KEA mechanism,
|
||||
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
|
||||
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
|
||||
return PR_FALSE;
|
||||
}
|
||||
+#endif
|
||||
return PR_TRUE;
|
||||
}
|
||||
|
||||
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
|
||||
return PR_FAILURE;
|
||||
}
|
||||
|
||||
+#ifdef notdef
|
||||
/* At initialization time, we need to set up the defaults. We first
|
||||
* look to see if the system or application has set up certain algorithms
|
||||
* by policy. If they have set up values by policy we'll only allow those
|
||||
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
|
||||
PORT_Free(tags);
|
||||
tags = NULL;
|
||||
}
|
||||
+#else
|
||||
+ /* just initialize the old maps */
|
||||
+ rv = SECSuccess;
|
||||
+ tagCount = 0;
|
||||
+#endif
|
||||
if ((rv != SECSuccess) || (tagCount == 0)) {
|
||||
/* No algorithms have been enabled by policy (either by the system
|
||||
* or by the application, we then will use the traditional default
|
||||
diff -up ./tests/smime/smime.sh.no_p12_smime_policy ./tests/smime/smime.sh
|
||||
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 11:26:00.303836075 -0700
|
||||
+++ ./tests/smime/smime.sh 2024-07-17 11:26:00.334836451 -0700
|
||||
@@ -872,6 +872,6 @@ smime_init
|
||||
smime_main
|
||||
smime_data_tb
|
||||
smime_p7
|
||||
-smime_policy
|
||||
+#smime_policy
|
||||
smime_cleanup
|
||||
|
||||
diff -up ./tests/tools/tools.sh.no_p12_smime_policy ./tests/tools/tools.sh
|
||||
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 11:26:00.304836087 -0700
|
||||
+++ ./tests/tools/tools.sh 2024-07-17 11:26:00.334836451 -0700
|
||||
@@ -585,7 +585,7 @@ tools_p12()
|
||||
tools_p12_import_old_files
|
||||
tools_p12_import_pbmac1_samples
|
||||
tools_p12_import_rsa_pss_private_key
|
||||
- tools_p12_policy
|
||||
+ #tools_p12_policy
|
||||
}
|
||||
|
||||
############################## tools_sign ##############################
|
@ -0,0 +1,104 @@
|
||||
diff -up ./lib/certhigh/certvfypkix.c.revert_libpkix ./lib/certhigh/certvfypkix.c
|
||||
--- ./lib/certhigh/certvfypkix.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/certhigh/certvfypkix.c 2024-07-05 13:18:34.285174699 -0700
|
||||
@@ -39,7 +39,7 @@ pkix_pl_lifecycle_ObjectTableUpdate(int
|
||||
PRInt32 parallelFnInvocationCount;
|
||||
#endif /* PKIX_OBJECT_LEAK_TEST */
|
||||
|
||||
-static PRBool usePKIXValidationEngine = PR_TRUE;
|
||||
+static PRBool usePKIXValidationEngine = PR_FALSE;
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
|
||||
/*
|
||||
diff -up ./lib/nss/nssinit.c.revert_libpkix ./lib/nss/nssinit.c
|
||||
--- ./lib/nss/nssinit.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./lib/nss/nssinit.c 2024-07-05 13:18:34.285174699 -0700
|
||||
@@ -764,9 +764,9 @@ nss_Init(const char *configdir, const ch
|
||||
if (pkixError != NULL) {
|
||||
goto loser;
|
||||
} else {
|
||||
- char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
|
||||
+ char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
||||
if (ev && ev[0]) {
|
||||
- CERT_SetUsePKIXForValidation(PR_FALSE);
|
||||
+ CERT_SetUsePKIXForValidation(PR_TRUE);
|
||||
}
|
||||
}
|
||||
#endif /* NSS_DISABLE_LIBPKIX */
|
||||
diff -up ./tests/all.sh.revert_libpkix ./tests/all.sh
|
||||
--- ./tests/all.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./tests/all.sh 2024-07-05 13:18:34.285174699 -0700
|
||||
@@ -143,9 +143,6 @@ run_cycle_standard()
|
||||
{
|
||||
TEST_MODE=STANDARD
|
||||
|
||||
- NSS_DISABLE_LIBPKIX_VERIFY="1"
|
||||
- export NSS_DISABLE_LIBPKIX_VERIFY
|
||||
-
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="libpkix pkits"
|
||||
|
||||
@@ -153,8 +150,6 @@ run_cycle_standard()
|
||||
export NSS_DEFAULT_DB_TYPE
|
||||
|
||||
run_tests
|
||||
-
|
||||
- unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
}
|
||||
|
||||
############################ run_cycle_pkix ############################
|
||||
@@ -172,6 +167,9 @@ run_cycle_pkix()
|
||||
mkdir -p "${HOSTDIR}"
|
||||
init_directories
|
||||
|
||||
+ NSS_ENABLE_PKIX_VERIFY="1"
|
||||
+ export NSS_ENABLE_PKIX_VERIFY
|
||||
+
|
||||
TESTS="${ALL_TESTS}"
|
||||
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
|
||||
|
||||
diff -up ./tests/common/init.sh.revert_libpkix ./tests/common/init.sh
|
||||
--- ./tests/common/init.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
|
||||
+++ ./tests/common/init.sh 2024-07-05 13:18:34.285174699 -0700
|
||||
@@ -140,8 +140,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
|
||||
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
|
||||
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
|
||||
echo "export NSS_DEFAULT_DB_TYPE"
|
||||
- echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
|
||||
- echo "export NSS_DISABLE_PKIX_VERIFY"
|
||||
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
|
||||
+ echo "export NSS_ENABLE_PKIX_VERIFY"
|
||||
echo "init_directories"
|
||||
}
|
||||
|
||||
diff -up ./tests/ssl/ssl.sh.revert_libpkix ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.revert_libpkix 2024-07-05 13:18:34.267174492 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2024-07-05 13:23:15.295402481 -0700
|
||||
@@ -971,8 +971,9 @@ ssl_policy_pkix_ocsp()
|
||||
return 0
|
||||
fi
|
||||
|
||||
- PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||
- unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
+ PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
|
||||
+ NSS_ENABLE_PKIX_VERIFY="1"
|
||||
+ export NSS_ENABLE_PKIX_VERIFY
|
||||
|
||||
testname=""
|
||||
|
||||
@@ -997,10 +998,12 @@ ssl_policy_pkix_ocsp()
|
||||
html_msg $RET $RET_EXP "${testname}" \
|
||||
"produced a returncode of $RET, expected is $RET_EXP"
|
||||
|
||||
- if [ "{PKIX_SAVE}" != "unset" ]; then
|
||||
- export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
|
||||
+ if [ "${PKIX_SAVE}" = "unset" ]; then
|
||||
+ unset NSS_ENABLE_PKIX_VERIFY
|
||||
+ else
|
||||
+ NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
|
||||
+ export NSS_ENABLE_PKIX_VERIFY
|
||||
fi
|
||||
-
|
||||
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
|
||||
|
||||
html "</TABLE><BR>"
|
@ -0,0 +1,22 @@
|
||||
diff -up ./tests/ssl/ssl.sh.disable_ocsp_policy ./tests/ssl/ssl.sh
|
||||
--- ./tests/ssl/ssl.sh.disable_ocsp_policy 2024-07-05 14:18:03.985453657 -0700
|
||||
+++ ./tests/ssl/ssl.sh 2024-07-05 14:21:59.308250122 -0700
|
||||
@@ -968,6 +968,18 @@ ssl_policy_pkix_ocsp()
|
||||
#verbose="-v"
|
||||
html_head "Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
|
||||
|
||||
+ # if we are running on a build machine that can't tolerate external
|
||||
+ # references don't run.
|
||||
+ vfyserv -o wrong.host.badssl.com -d ${P_R_SERVERDIR} > ${P_R_SERVERDIR}/vfy2.out 2>&1
|
||||
+ RET=$? ; cat "${P_R_SERVERDIR}/vfy2.out"
|
||||
+ # 5961 reset by peer
|
||||
+ grep 5961 ${P_R_SERVERDIR}/vfy2.out
|
||||
+ GRET=$? ; echo "OCSP: RET=$RET GRET=$GRET"
|
||||
+ if [ $RET -ne 0 -o $GRET -eq 0 ]; then
|
||||
+ echo "$SCRIPTNAME: skipping Check that OCSP doesn't break if we disable sha1 $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE - can't reach external servers"
|
||||
+ return 0
|
||||
+ fi
|
||||
+
|
||||
PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
|
||||
unset NSS_DISABLE_LIBPKIX_VERIFY
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,57 +0,0 @@
|
||||
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
|
||||
index 74e8e65..8995752 100644
|
||||
--- a/lib/freebl/Makefile
|
||||
+++ b/lib/freebl/Makefile
|
||||
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
else ifeq (1,$(CC_IS_GCC))
|
||||
- SUPPORTS_VALE_CURVE25519 = 1
|
||||
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
|
||||
HAVE_INT128_SUPPORT = 1
|
||||
DEFINES += -DHAVE_INT128_SUPPORT
|
||||
diff --git a/lib/freebl/freebl.gyp b/lib/freebl/freebl.gyp
|
||||
index 65f9a80..23940ef 100644
|
||||
--- a/lib/freebl/freebl.gyp
|
||||
+++ b/lib/freebl/freebl.gyp
|
||||
@@ -866,12 +866,6 @@
|
||||
}],
|
||||
],
|
||||
}],
|
||||
- [ 'supports_vale_curve25519==1', {
|
||||
- 'defines': [
|
||||
- # The Makefile does version-tests on GCC, but we're not doing that here.
|
||||
- 'HACL_CAN_COMPILE_INLINE_ASM',
|
||||
- ],
|
||||
- }],
|
||||
[ 'OS=="linux" or OS=="android"', {
|
||||
'conditions': [
|
||||
[ 'target_arch=="x64"', {
|
||||
@@ -934,11 +928,6 @@
|
||||
'variables': {
|
||||
'module': 'nss',
|
||||
'conditions': [
|
||||
- [ 'target_arch=="x64" and cc_is_gcc==1', {
|
||||
- 'supports_vale_curve25519%': 1,
|
||||
- }, {
|
||||
- 'supports_vale_curve25519%': 0,
|
||||
- }],
|
||||
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
|
||||
'have_int128_support%': 1,
|
||||
}, {
|
||||
diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi
|
||||
index d198c44..34b6b3c 100644
|
||||
--- a/lib/freebl/freebl_base.gypi
|
||||
+++ b/lib/freebl/freebl_base.gypi
|
||||
@@ -151,11 +151,6 @@
|
||||
'ecl/curve25519_32.c',
|
||||
],
|
||||
}],
|
||||
- ['supports_vale_curve25519==1', {
|
||||
- 'sources': [
|
||||
- 'verified/Hacl_Curve25519_64.c',
|
||||
- ],
|
||||
- }],
|
||||
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
|
||||
'sources': [
|
||||
# Gyp does not support per-file cflags, so working around like this.
|
@ -1,194 +0,0 @@
|
||||
diff -up ./cmd/pk11ectest/pk11ectest.c.ecc_wrap ./cmd/pk11ectest/pk11ectest.c
|
||||
--- ./cmd/pk11ectest/pk11ectest.c.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./cmd/pk11ectest/pk11ectest.c 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -10,6 +10,32 @@
|
||||
#include "pk11pub.h"
|
||||
#include <stdio.h>
|
||||
|
||||
+typedef struct KeyLengthEntryStr {
|
||||
+ SECOidTag tag;
|
||||
+ unsigned int len;
|
||||
+ PRBool encoded;
|
||||
+} KeyLengthEntry;
|
||||
+
|
||||
+const KeyLengthEntry keyLengthTable[] = {
|
||||
+ { SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
|
||||
+ { SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
|
||||
+ { SEC_OID_CURVE25519, 32, PR_FALSE }
|
||||
+};
|
||||
+
|
||||
+const KeyLengthEntry *
|
||||
+getKeyLengthEntry(SECOidTag tag)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
|
||||
+ if (keyLengthTable[i].tag == tag) {
|
||||
+ return &keyLengthTable[i];
|
||||
+ }
|
||||
+ }
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
void
|
||||
printBuf(const SECItem *item)
|
||||
{
|
||||
@@ -53,6 +79,10 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
|
||||
PK11SymKey *symKey = NULL;
|
||||
SECStatus rv = SECFailure;
|
||||
+ const KeyLengthEntry *keyLengthEntry;
|
||||
+ SECItem point = { siBuffer, NULL, 0 };
|
||||
+ SECItem value = { siBuffer, NULL, 0 };
|
||||
+ PLArenaPool *arena = NULL;
|
||||
|
||||
oidData = SECOID_FindOIDByTag(oid);
|
||||
if (oidData == NULL) {
|
||||
@@ -79,8 +109,63 @@ ectest_curve_pkcs11(SECOidTag oid)
|
||||
goto cleanup;
|
||||
}
|
||||
PrintKey(symKey);
|
||||
- rv = SECSuccess;
|
||||
|
||||
+ keyLengthEntry = getKeyLengthEntry(oid);
|
||||
+ /* this shouldn't happen unless new curves are added without adding them
|
||||
+ * to the keyLengthTable */
|
||||
+ PR_ASSERT(keyLengthEntry);
|
||||
+
|
||||
+ /* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
|
||||
+ * NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
|
||||
+ * our test will detect incorrect behavior */
|
||||
+ rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
|
||||
+ if (rv == SECFailure) {
|
||||
+ printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (keyLengthEntry->encoded) {
|
||||
+ if (point.len == keyLengthEntry->len) {
|
||||
+ printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
|
||||
+ if (arena == NULL) {
|
||||
+ printf(" >>> arena alloc failed.\n");
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
|
||||
+ &point);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ printf(" >>> invalid endoded CKA_EC_POINT.\n");
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ rv = SECFailure;
|
||||
+ if (value.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ value.len, keyLengthEntry->len);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
|
||||
+ value.data[0], EC_POINT_FORM_UNCOMPRESSED);
|
||||
+ printBuf(&value);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (point.len != keyLengthEntry->len) {
|
||||
+ printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
|
||||
+ point.len, keyLengthEntry->len);
|
||||
+ printBuf(&point);
|
||||
+ goto cleanup;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ rv = SECSuccess;
|
||||
cleanup:
|
||||
if (privKey) {
|
||||
SECKEY_DestroyPrivateKey(privKey);
|
||||
@@ -91,7 +176,11 @@ cleanup:
|
||||
if (symKey) {
|
||||
PK11_FreeSymKey(symKey);
|
||||
}
|
||||
+ if (arena) {
|
||||
+ PORT_FreeArena(arena, PR_TRUE);
|
||||
+ }
|
||||
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
|
||||
+ SECITEM_FreeItem(&point, PR_FALSE);
|
||||
|
||||
return rv;
|
||||
}
|
||||
diff -up ./lib/freebl/blapit.h.ecc_wrap ./lib/freebl/blapit.h
|
||||
--- ./lib/freebl/blapit.h.ecc_wrap 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./lib/freebl/blapit.h 2024-01-23 14:07:29.421036328 -0800
|
||||
@@ -375,7 +375,9 @@ typedef struct DHPrivateKeyStr DHPrivate
|
||||
*/
|
||||
|
||||
typedef enum { ec_params_explicit,
|
||||
- ec_params_named
|
||||
+ ec_params_named,
|
||||
+ ec_params_edwards_named,
|
||||
+ ec_params_montgomery_named,
|
||||
} ECParamsType;
|
||||
|
||||
typedef enum { ec_field_GFp = 1,
|
||||
diff -up ./lib/freebl/ecdecode.c.ecc_wrap ./lib/freebl/ecdecode.c
|
||||
--- ./lib/freebl/ecdecode.c.ecc_wrap 2024-01-23 14:07:14.533870602 -0800
|
||||
+++ ./lib/freebl/ecdecode.c 2024-01-23 14:07:29.422036340 -0800
|
||||
@@ -176,6 +176,7 @@ EC_FillParams(PLArenaPool *arena, const
|
||||
|
||||
case SEC_OID_CURVE25519:
|
||||
/* Populate params for Curve25519 */
|
||||
+ params->type = ec_params_montgomery_named;
|
||||
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
|
||||
ec_field_plain,
|
||||
params));
|
||||
diff -up ./lib/softoken/pkcs11c.c.ecc_wrap ./lib/softoken/pkcs11c.c
|
||||
--- ./lib/softoken/pkcs11c.c.ecc_wrap 2024-01-23 14:07:14.520870457 -0800
|
||||
+++ ./lib/softoken/pkcs11c.c 2024-01-23 14:08:38.198801966 -0800
|
||||
@@ -5164,7 +5164,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
/* make sure it has the same encoding */
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- lowPrivKey->u.ec.ecParams.fieldID.type == ec_field_plain) {
|
||||
+ lowPrivKey->u.ec.ecParams.type != ec_params_named) {
|
||||
lowPubValue = SECITEM_DupItem(&ecPriv->publicValue);
|
||||
} else {
|
||||
lowPubValue = SEC_ASN1EncodeItem(NULL, NULL, &ecPriv->publicValue,
|
||||
@@ -5694,7 +5694,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
}
|
||||
|
||||
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
|
||||
- ecParams->fieldID.type == ec_field_plain) {
|
||||
+ ecParams->type != ec_params_named) {
|
||||
PORT_FreeArena(ecParams->arena, PR_TRUE);
|
||||
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
|
||||
sftk_item_expand(&ecPriv->publicValue));
|
||||
diff -up ./lib/softoken/pkcs11.c.ecc_wrap ./lib/softoken/pkcs11.c
|
||||
--- ./lib/softoken/pkcs11.c.ecc_wrap 2024-01-23 14:07:14.505870290 -0800
|
||||
+++ ./lib/softoken/pkcs11.c 2024-01-23 14:07:29.423036351 -0800
|
||||
@@ -1897,8 +1897,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
/* Handle the non-DER encoded case.
|
||||
* Some curves are always pressumed to be non-DER.
|
||||
*/
|
||||
- if (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
|
||||
+ if (pubKey->u.ec.ecParams.type != ec_params_named ||
|
||||
+ (pubKey->u.ec.publicValue.len == keyLen &&
|
||||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
break; /* key was not DER encoded, no need to unwrap */
|
||||
}
|
||||
@@ -1918,8 +1918,7 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
|
||||
break;
|
||||
}
|
||||
/* we don't handle compressed points except in the case of ECCurve25519 */
|
||||
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
|
||||
- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
|
||||
+ if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
|
||||
crv = CKR_ATTRIBUTE_VALUE_INVALID;
|
||||
break;
|
||||
}
|
@ -1,335 +0,0 @@
|
||||
--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200
|
||||
@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[]
|
||||
0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77,
|
||||
0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77};
|
||||
|
||||
+const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'};
|
||||
+const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',};
|
||||
+const uint8_t kP521SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
|
||||
+ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86,
|
||||
+ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29,
|
||||
+ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a,
|
||||
+ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18,
|
||||
+ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7,
|
||||
+ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52,
|
||||
+ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88,
|
||||
+ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57,
|
||||
+ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd,
|
||||
+ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b,
|
||||
+ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35,
|
||||
+ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c,
|
||||
+ 0xe2, 0x9f};
|
||||
+const uint8_t kP521SignatureUnpaddedSigLong[] = {
|
||||
+ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe,
|
||||
+ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4,
|
||||
+ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42,
|
||||
+ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde,
|
||||
+ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e,
|
||||
+ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89,
|
||||
+ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b,
|
||||
+ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40,
|
||||
+ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb,
|
||||
+ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b,
|
||||
+ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a};
|
||||
+const uint8_t kP521SignatureUnpaddedSigShort[] = {
|
||||
+ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11,
|
||||
+ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde,
|
||||
+ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99,
|
||||
+ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9,
|
||||
+ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65,
|
||||
+ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38,
|
||||
+ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75,
|
||||
+ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95,
|
||||
+ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c,
|
||||
+ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5,
|
||||
+ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e};
|
||||
+const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'};
|
||||
+const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'};
|
||||
+const uint8_t kP384SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04,
|
||||
+ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa,
|
||||
+ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e,
|
||||
+ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3,
|
||||
+ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e,
|
||||
+ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf,
|
||||
+ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d,
|
||||
+ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5,
|
||||
+ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a};
|
||||
+const uint8_t kP384SignatureUnpaddedSigLong[] = {
|
||||
+ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58,
|
||||
+ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59,
|
||||
+ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0,
|
||||
+ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde,
|
||||
+ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc,
|
||||
+ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c,
|
||||
+ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc,
|
||||
+ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6};
|
||||
+const uint8_t kP384SignatureUnpaddedSigShort[] = {
|
||||
+ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13,
|
||||
+ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e,
|
||||
+ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b,
|
||||
+ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf,
|
||||
+ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc,
|
||||
+ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50,
|
||||
+ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f,
|
||||
+ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9};
|
||||
+const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'};
|
||||
+const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'};
|
||||
+const uint8_t kP256SpkiUnpaddedSig[] = {
|
||||
+ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
|
||||
+ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
|
||||
+ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b,
|
||||
+ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa,
|
||||
+ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e,
|
||||
+ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f,
|
||||
+ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75,
|
||||
+ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 };
|
||||
+const uint8_t kP256SignatureUnpaddedSigLong[] = {
|
||||
+ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56,
|
||||
+ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6,
|
||||
+ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11,
|
||||
+ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80,
|
||||
+ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47,
|
||||
+ 0xcf, 0x61, 0x91, 0x5f};
|
||||
+const uint8_t kP256SignatureUnpaddedSigShort[] = {
|
||||
+ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61,
|
||||
+ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28,
|
||||
+ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16,
|
||||
+ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c,
|
||||
+ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9,
|
||||
+ 0x78, 0xc4};
|
||||
} // namespace nss_test
|
||||
--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200
|
||||
+++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200
|
||||
@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun
|
||||
SEC_OID_SECG_EC_SECP521R1,
|
||||
SEC_OID_CURVE25519));
|
||||
|
||||
+class Pkcs11EcdsaUnpaddedSignatureTest
|
||||
+ : public Pkcs11EcdsaTestBase,
|
||||
+ public ::testing::WithParamInterface<Pkcs11EcdsaTestParams> {
|
||||
+ public:
|
||||
+ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {}
|
||||
+};
|
||||
+
|
||||
+static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = {
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}},
|
||||
+ {SEC_OID_SHA512,
|
||||
+ {DataBuffer(NULL, 0),
|
||||
+ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)),
|
||||
+ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)),
|
||||
+ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}}
|
||||
+};
|
||||
+
|
||||
+TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); }
|
||||
+INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest,
|
||||
+ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors));
|
||||
} // namespace nss_test
|
||||
--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200
|
||||
@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[64] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 65 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 64) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 65) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 64) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 32 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 32 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 32;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 32;
|
||||
+ }
|
||||
+
|
||||
+
|
||||
uint8_t hash[32] = { 0 };
|
||||
if (digest->len < 32) {
|
||||
memcpy(hash + 32 - digest->len, digest->data, digest->len);
|
||||
@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P256_ecdsa_verif_without_hash(
|
||||
32, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 32);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200
|
||||
@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[96] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 97 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 96) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 97) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 96) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 48 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 48 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 48;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 48;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[48] = { 0 };
|
||||
if (digest->len < 48) {
|
||||
memcpy(hash + 48 - digest->len, digest->data, digest->len);
|
||||
@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P384_ecdsa_verif_without_hash(
|
||||
48, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 48);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
||||
--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200
|
||||
+++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200
|
||||
@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
{
|
||||
SECStatus res = SECSuccess;
|
||||
|
||||
+ unsigned char _padded_sig_data[132] = { 0 };
|
||||
+ unsigned char *sig_r, *sig_s;
|
||||
+
|
||||
if (!key || !signature || !digest ||
|
||||
!key->publicValue.data ||
|
||||
!signature->data || !digest->data ||
|
||||
@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
- if (key->publicValue.len != 133 ||
|
||||
- digest->len == 0 ||
|
||||
- signature->len != 132) {
|
||||
+ unsigned int olen = key->ecParams.order.len;
|
||||
+ if (signature->len == 0 || signature->len % 2 != 0 ||
|
||||
+ signature->len > 2 * olen ||
|
||||
+ digest->len == 0 || key->publicValue.len != 133) {
|
||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||
res = SECFailure;
|
||||
return res;
|
||||
@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
return res;
|
||||
}
|
||||
|
||||
+ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */
|
||||
+ if (signature->len != 132) {
|
||||
+ unsigned split = signature->len / 2;
|
||||
+ unsigned pad = 66 - split;
|
||||
+
|
||||
+ unsigned char *o_sig = signature->data;
|
||||
+ unsigned char *p_sig = _padded_sig_data;
|
||||
+
|
||||
+ memcpy(p_sig + pad, o_sig, split);
|
||||
+ memcpy(p_sig + 66 + pad, o_sig + split, split);
|
||||
+
|
||||
+ sig_r = p_sig;
|
||||
+ sig_s = p_sig + 66;
|
||||
+ } else {
|
||||
+ sig_r = signature->data;
|
||||
+ sig_s = signature->data + 66;
|
||||
+ }
|
||||
+
|
||||
uint8_t hash[66] = { 0 };
|
||||
if (digest->len < 66) {
|
||||
memcpy(hash + 66 - digest->len, digest->data, digest->len);
|
||||
@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey *
|
||||
bool b = Hacl_P521_ecdsa_verif_without_hash(
|
||||
66, hash,
|
||||
key->publicValue.data + 1,
|
||||
- signature->data, signature->data + 66);
|
||||
+ sig_r, sig_s);
|
||||
if (!b) {
|
||||
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
|
||||
res = SECFailure;
|
@ -1,83 +0,0 @@
|
||||
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
|
||||
--- a/lib/softoken/pkcs11c.c
|
||||
+++ b/lib/softoken/pkcs11c.c
|
||||
@@ -15,10 +15,13 @@
|
||||
* keys and their associated Certificates are saved on the token.
|
||||
*
|
||||
* In this implementation, session objects are only visible to the session
|
||||
* that created or generated them.
|
||||
*/
|
||||
+
|
||||
+#include <limits.h> /* for UINT_MAX and ULONG_MAX */
|
||||
+
|
||||
#include "seccomon.h"
|
||||
#include "secitem.h"
|
||||
#include "secport.h"
|
||||
#include "blapi.h"
|
||||
#include "pkcs11.h"
|
||||
@@ -1954,12 +1957,21 @@
|
||||
if (pDigest == NULL) {
|
||||
*pulDigestLen = context->maxLen;
|
||||
goto finish;
|
||||
}
|
||||
|
||||
- /* do it: */
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_Digest takes an unsigned long. */
|
||||
+ while (ulDataLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pData, UINT_MAX);
|
||||
+ pData += UINT_MAX;
|
||||
+ ulDataLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pData, ulDataLen);
|
||||
+
|
||||
/* NOTE: this assumes buf size is bigenough for the algorithm */
|
||||
(*context->end)(context->cipherInfo, pDigest, &digestLen, maxout);
|
||||
*pulDigestLen = digestLen;
|
||||
|
||||
sftk_TerminateOp(session, SFTK_HASH, context);
|
||||
@@ -1980,12 +1992,22 @@
|
||||
|
||||
/* make sure we're legal */
|
||||
crv = sftk_GetContext(hSession, &context, SFTK_HASH, PR_TRUE, NULL);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
- /* do it: */
|
||||
+
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ /* The context->hashUpdate function takes an unsigned int for its data
|
||||
+ * length argument, but NSC_DigestUpdate takes an unsigned long. */
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->cipherInfo, pPart, ulPartLen);
|
||||
+
|
||||
return CKR_OK;
|
||||
}
|
||||
|
||||
/* NSC_DigestFinal finishes a multiple-part message-digesting operation. */
|
||||
CK_RV
|
||||
@@ -3166,10 +3188,17 @@
|
||||
crv = sftk_GetContext(hSession, &context, type, PR_TRUE, &session);
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
if (context->hashInfo) {
|
||||
+#if (ULONG_MAX > UINT_MAX)
|
||||
+ while (ulPartLen > UINT_MAX) {
|
||||
+ (*context->hashUpdate)(context->cipherInfo, pPart, UINT_MAX);
|
||||
+ pPart += UINT_MAX;
|
||||
+ ulPartLen -= UINT_MAX;
|
||||
+ }
|
||||
+#endif
|
||||
(*context->hashUpdate)(context->hashInfo, pPart, ulPartLen);
|
||||
} else {
|
||||
/* must be block cipher MACing */
|
||||
|
||||
unsigned int blkSize = context->blockSize;
|
||||
|
@ -0,0 +1,36 @@
|
||||
diff -up ./lib/freebl/Makefile.ppc_no_init ./lib/freebl/Makefile
|
||||
--- ./lib/freebl/Makefile.ppc_no_init 2024-06-03 14:12:24.216755903 -0700
|
||||
+++ ./lib/freebl/Makefile 2024-06-03 14:11:36.464234903 -0700
|
||||
@@ -303,7 +303,7 @@ endif
|
||||
ifeq ($(CPU_ARCH),ppc)
|
||||
EXTRA_SRCS += gcm-ppc.c
|
||||
ifdef USE_64
|
||||
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
PPC_ABI := $(shell $(CC) -dM -E - < /dev/null | awk '$$2 == "_CALL_ELF" {print $$3}')
|
||||
ifeq ($(PPC_ABI),2)
|
||||
ASFILES += sha512-p8.s
|
||||
diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
|
||||
--- ./lib/softoken/Makefile.ppc_no_init 2024-06-03 14:12:44.664979003 -0700
|
||||
+++ ./lib/softoken/Makefile 2024-06-03 14:10:26.703473806 -0700
|
||||
@@ -23,13 +23,13 @@ include $(CORE_DEPTH)/coreconf/config.mk
|
||||
ifdef NSS_NO_INIT_SUPPORT
|
||||
DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
endif
|
||||
-ifeq ($(OS_TARGET),Linux)
|
||||
-ifeq ($(CPU_ARCH),ppc)
|
||||
-ifdef USE_64
|
||||
- DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
-endif # USE_64
|
||||
-endif # ppc
|
||||
-endif # Linux
|
||||
+#ifeq ($(OS_TARGET),Linux)
|
||||
+#ifeq ($(CPU_ARCH),ppc)
|
||||
+#ifdef USE_64
|
||||
+# DEFINES += -DNSS_NO_INIT_SUPPORT
|
||||
+#endif # USE_64
|
||||
+#endif # ppc
|
||||
+#endif # Linux
|
||||
|
||||
|
||||
#######################################################################
|
@ -1,32 +0,0 @@
|
||||
diff -up ./gtests/ssl_gtest/manifest.mn.orig ./gtests/ssl_gtest/manifest.mn
|
||||
--- ./gtests/ssl_gtest/manifest.mn.orig 2021-06-02 15:40:48.677355426 -0700
|
||||
+++ ./gtests/ssl_gtest/manifest.mn 2021-06-02 15:42:31.248977261 -0700
|
||||
@@ -57,7 +57,6 @@ CPPSRCS = \
|
||||
tls_filter.cc \
|
||||
tls_protect.cc \
|
||||
tls_psk_unittest.cc \
|
||||
- tls_subcerts_unittest.cc \
|
||||
tls_ech_unittest.cc \
|
||||
$(SSLKEYLOGFILE_FILES) \
|
||||
$(NULL)
|
||||
diff -up ./lib/ssl/sslsock.c.orig ./lib/ssl/sslsock.c
|
||||
--- ./lib/ssl/sslsock.c.orig 2021-05-28 02:50:43.000000000 -0700
|
||||
+++ ./lib/ssl/sslsock.c 2021-06-02 15:40:48.676355420 -0700
|
||||
@@ -819,7 +819,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ss->opt.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
||||
@@ -1337,7 +1337,7 @@ SSL_OptionSetDefault(PRInt32 which, PRIn
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_DELEGATED_CREDENTIALS:
|
||||
- ssl_defaults.enableDelegatedCredentials = val;
|
||||
+ /* disable it for now */
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_NPN:
|
@ -1,41 +0,0 @@
|
||||
diff -r 699541a7793b lib/pk11wrap/pk11pars.c
|
||||
--- a/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:41.668835607 -0700
|
||||
+++ b/lib/pk11wrap/pk11pars.c 2021-04-16 14:43:50.585888411 -0700
|
||||
@@ -324,11 +324,11 @@ static const oidValDef curveOptList[] =
|
||||
static const oidValDef hashOptList[] = {
|
||||
/* Hashes */
|
||||
{ CIPHER_NAME("MD2"), SEC_OID_MD2,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD4"), SEC_OID_MD4,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("MD5"), SEC_OID_MD5,
|
||||
- NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
+ 0 },
|
||||
{ CIPHER_NAME("SHA1"), SEC_OID_SHA1,
|
||||
NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE },
|
||||
{ CIPHER_NAME("SHA224"), SEC_OID_SHA224,
|
||||
diff -r 699541a7793b lib/util/secoid.c
|
||||
--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000
|
||||
+++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200
|
||||
@@ -2042,6 +2042,19 @@
|
||||
int i;
|
||||
|
||||
for (i = 1; i < SEC_OID_TOTAL; i++) {
|
||||
+ switch (i) {
|
||||
+ case SEC_OID_MD2:
|
||||
+ case SEC_OID_MD4:
|
||||
+ case SEC_OID_MD5:
|
||||
+ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC:
|
||||
+ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC:
|
||||
+ continue;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
if (oids[i].desc && strstr(arg, oids[i].desc)) {
|
||||
xOids[i].notPolicyFlags = notEnable |
|
||||
(xOids[i].notPolicyFlags & ~(DEF_FLAGS));
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,644 +0,0 @@
|
||||
diff -up ./automation/taskcluster/scripts/run_hacl.sh.p384 ./automation/taskcluster/scripts/run_hacl.sh
|
||||
--- ./automation/taskcluster/scripts/run_hacl.sh.p384 2023-06-04 01:42:53.000000000 -0700
|
||||
+++ ./automation/taskcluster/scripts/run_hacl.sh 2024-01-09 11:49:58.650418434 -0800
|
||||
@@ -40,5 +40,14 @@ files=($(find ~/nss/lib/freebl/verified/
|
||||
for f in "${files[@]}"; do
|
||||
file_name=$(basename "$f")
|
||||
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
|
||||
+ # TODO(Bug 1854438): Remove P384 exception.
|
||||
+ # TODO(Bug 1854439): Remove P521 exception.
|
||||
+ if [ $file_name == "Hacl_P384.c" \
|
||||
+ -o $file_name == "Hacl_P384.h" \
|
||||
+ -o $file_name == "Hacl_P521.c" \
|
||||
+ -o $file_name == "Hacl_P521.h" ]
|
||||
+ then
|
||||
+ continue;
|
||||
+ fi
|
||||
diff $hacl_file $f
|
||||
done
|
||||
diff -up ./lib/freebl/ec.c.p384 ./lib/freebl/ec.c
|
||||
--- ./lib/freebl/ec.c.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ec.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -15,15 +15,62 @@
|
||||
#include "mplogic.h"
|
||||
#include "ec.h"
|
||||
#include "ecl.h"
|
||||
+#include "verified/Hacl_P384.h"
|
||||
+#include "verified/Hacl_P521.h"
|
||||
|
||||
#define EC_DOUBLECHECK PR_FALSE
|
||||
|
||||
+SECStatus
|
||||
+ec_secp384r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 48) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P384_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
+SECStatus
|
||||
+ec_secp521r1_scalar_validate(const SECItem *scalar)
|
||||
+{
|
||||
+ if (!scalar || !scalar->data) {
|
||||
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ if (scalar->len != 66) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
+ bool b = Hacl_P521_validate_private_key(scalar->data);
|
||||
+
|
||||
+ if (!b) {
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ return SECSuccess;
|
||||
+}
|
||||
+
|
||||
static const ECMethod kMethods[] = {
|
||||
{ ECCurve25519,
|
||||
ec_Curve25519_pt_mul,
|
||||
ec_Curve25519_pt_validate,
|
||||
ec_Curve25519_scalar_validate,
|
||||
- NULL, NULL },
|
||||
+ NULL,
|
||||
+ NULL },
|
||||
{
|
||||
ECCurve_NIST_P256,
|
||||
ec_secp256r1_pt_mul,
|
||||
@@ -352,8 +415,7 @@ EC_NewKeyFromSeed(ECParams *ecParams, EC
|
||||
SECStatus
|
||||
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
|
||||
{
|
||||
- SECStatus rv = SECSuccess;
|
||||
- mp_err err;
|
||||
+ SECStatus rv = SECFailure;
|
||||
|
||||
unsigned int len = EC_GetScalarSize(ecParams);
|
||||
|
||||
@@ -362,82 +424,43 @@ ec_GenerateRandomPrivateKey(ECParams *ec
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
- /* For known curves, use rejection sampling A.4.2 */
|
||||
- if (ecParams->fieldID.type == ec_field_plain) {
|
||||
- const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
- rv = SECFailure;
|
||||
- if (method == NULL || method->scalar_validate == NULL) {
|
||||
- /* unknown curve */
|
||||
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
- goto done;
|
||||
- }
|
||||
- int count = 100;
|
||||
- while (rv != SECSuccess && count >= 0) {
|
||||
- rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
- goto done;
|
||||
- }
|
||||
- rv = method->scalar_validate(privKey);
|
||||
- count--;
|
||||
- }
|
||||
- if (rv != SECSuccess) {
|
||||
- PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
- }
|
||||
- goto done;
|
||||
+ const ECMethod *method = ec_get_method_from_name(ecParams->name);
|
||||
+ if (method == NULL || method->scalar_validate == NULL) {
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- /* For unknown curves, use algotithm A.4.1 */
|
||||
-
|
||||
- unsigned char *order = ecParams->order.data;
|
||||
- mp_int privKeyVal, order_1, one;
|
||||
- unsigned char *privKeyBytes = NULL;
|
||||
-
|
||||
- MP_DIGITS(&privKeyVal) = 0;
|
||||
- MP_DIGITS(&order_1) = 0;
|
||||
- MP_DIGITS(&one) = 0;
|
||||
- CHECK_MPI_OK(mp_init(&privKeyVal));
|
||||
- CHECK_MPI_OK(mp_init(&order_1));
|
||||
- CHECK_MPI_OK(mp_init(&one));
|
||||
-
|
||||
- /* Generates 2*len random bytes using the global random bit generator
|
||||
- * (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
|
||||
- * reduces modulo the group order.
|
||||
- */
|
||||
-
|
||||
- if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL) {
|
||||
- PORT_SetError(SEC_ERROR_NO_MEMORY);
|
||||
- rv = SECFailure;
|
||||
- goto cleanup;
|
||||
+ uint8_t leading_coeff_mask;
|
||||
+ switch (ecParams->name) {
|
||||
+ case ECCurve25519:
|
||||
+ case ECCurve_NIST_P256:
|
||||
+ case ECCurve_NIST_P384:
|
||||
+ leading_coeff_mask = 0xff;
|
||||
+ break;
|
||||
+ case ECCurve_NIST_P521:
|
||||
+ leading_coeff_mask = 0x01;
|
||||
+ break;
|
||||
+ default:
|
||||
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
|
||||
+ return SECFailure;
|
||||
}
|
||||
|
||||
- CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
|
||||
- CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
|
||||
- CHECK_MPI_OK(mp_set_int(&one, 1));
|
||||
- CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
|
||||
- CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
|
||||
- CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
|
||||
- memcpy(privKey->data, privKeyBytes, len);
|
||||
+ /* The rejection sampling method from FIPS 186-5 A.4.2 */
|
||||
+ int count = 100;
|
||||
+ do {
|
||||
+ rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
|
||||
+ if (rv != SECSuccess) {
|
||||
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+ privKey->data[0] &= leading_coeff_mask;
|
||||
+ rv = method->scalar_validate(privKey);
|
||||
+ } while (rv != SECSuccess && --count > 0);
|
||||
|
||||
-cleanup:
|
||||
- mp_clear(&privKeyVal);
|
||||
- mp_clear(&order_1);
|
||||
- mp_clear(&one);
|
||||
- if (privKeyBytes) {
|
||||
- PORT_ZFree(privKeyBytes, 2 * len);
|
||||
- }
|
||||
- if (err < MP_OKAY) {
|
||||
- MP_TO_SEC_ERROR(err);
|
||||
- rv = SECFailure;
|
||||
+ if (rv != SECSuccess) { // implies count == 0
|
||||
+ PORT_SetError(SEC_ERROR_BAD_KEY);
|
||||
}
|
||||
|
||||
-done:
|
||||
- if (rv != SECSuccess && privKey->data) {
|
||||
- SECITEM_ZfreeItem(privKey, PR_FALSE);
|
||||
- return rv;
|
||||
- }
|
||||
return rv;
|
||||
}
|
||||
|
||||
diff -up ./lib/freebl/ecl/ecl.h.p384 ./lib/freebl/ecl/ecl.h
|
||||
--- ./lib/freebl/ecl/ecl.h.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/ecl/ecl.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -57,4 +57,8 @@ SECStatus ec_secp256r1_sign_digest(ECPri
|
||||
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
|
||||
const SECItem *digest);
|
||||
|
||||
+SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
+SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
|
||||
+
|
||||
#endif /* __ecl_h_ */
|
||||
diff -up ./lib/freebl/freebl_base.gypi.p384 ./lib/freebl/freebl_base.gypi
|
||||
--- ./lib/freebl/freebl_base.gypi.p384 2024-01-09 11:49:14.118980084 -0800
|
||||
+++ ./lib/freebl/freebl_base.gypi 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -38,6 +38,8 @@
|
||||
'ecl/ecp_secp384r1.c',
|
||||
'ecl/ecp_secp521r1.c',
|
||||
'verified/Hacl_P256.c',
|
||||
+ 'verified/Hacl_P384.c',
|
||||
+ 'verified/Hacl_P521.c',
|
||||
'fipsfreebl.c',
|
||||
'blinit.c',
|
||||
'freeblver.c',
|
||||
diff -up ./lib/freebl/Makefile.p384 ./lib/freebl/Makefile
|
||||
--- ./lib/freebl/Makefile.p384 2024-01-09 11:49:58.650418434 -0800
|
||||
+++ ./lib/freebl/Makefile 2024-01-09 11:51:20.500224176 -0800
|
||||
@@ -612,7 +612,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
|
||||
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
|
||||
endif # NSS_DISABLE_CHACHAPOLY
|
||||
|
||||
-VERIFIED_SRCS += Hacl_P256.c
|
||||
+VERIFIED_SRCS += Hacl_P256.c Hacl_P384.c Hacl_P521.c
|
||||
|
||||
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
|
||||
# All 64-bit architectures get the 64 bit version.
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.c.p384 ./lib/freebl/verified/Hacl_P384.c
|
||||
--- ./lib/freebl/verified/Hacl_P384.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,126 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P384.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ {
|
||||
+ uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
|
||||
+ }
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)4U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[i];
|
||||
+ uint64_t t2 = c[i];
|
||||
+ uint64_t *res_i = a + i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ KRML_MAYBE_FOR6(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)6U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p384_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xecec196accc52973U;
|
||||
+ n[1U] = (uint64_t)0x581a0db248b0a77aU;
|
||||
+ n[2U] = (uint64_t)0xc7634d81f4372ddfU;
|
||||
+ n[3U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[4U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P384_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[6U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[6U] = { 0U };
|
||||
+ p384_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[6U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P384.h.p384 ./lib/freebl/verified/Hacl_P384.h
|
||||
--- ./lib/freebl/verified/Hacl_P384.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P384.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,68 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P384_H
|
||||
+#define __Hacl_P384_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/*******************************************************************************
|
||||
+
|
||||
+ Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
|
||||
+
|
||||
+ This module implements signing and verification, key validation, conversions
|
||||
+ between various point representations, and ECDH key agreement.
|
||||
+
|
||||
+*******************************************************************************/
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P384_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P384_H_DEFINED
|
||||
+#endif
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.c.p384 ./lib/freebl/verified/Hacl_P521.c
|
||||
--- ./lib/freebl/verified/Hacl_P521.c.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.c 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,131 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#include "Hacl_P521.h"
|
||||
+
|
||||
+#include "internal/Hacl_Krmllib.h"
|
||||
+#include "internal/Hacl_Bignum_Base.h"
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_is_eq_mask(uint64_t *x, uint64_t *y)
|
||||
+{
|
||||
+ uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
|
||||
+ mask = uu____0 & mask;);
|
||||
+ uint64_t mask1 = mask;
|
||||
+ return mask1;
|
||||
+}
|
||||
+
|
||||
+static inline uint64_t
|
||||
+bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
|
||||
+{
|
||||
+ uint64_t c1 = (uint64_t)0U;
|
||||
+ KRML_MAYBE_FOR2(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)2U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t t1 = b[(uint32_t)4U * i];
|
||||
+ uint64_t t20 = c[(uint32_t)4U * i];
|
||||
+ uint64_t *res_i0 = a + (uint32_t)4U * i;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
|
||||
+ uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
|
||||
+ uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
|
||||
+ uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
|
||||
+ uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
|
||||
+ uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
|
||||
+ uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
|
||||
+ {
|
||||
+ uint64_t t1 = b[8U];
|
||||
+ uint64_t t2 = c[8U];
|
||||
+ uint64_t *res_i = a + (uint32_t)8U;
|
||||
+ c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
|
||||
+ }
|
||||
+ uint64_t c10 = c1;
|
||||
+ return c10;
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+bn_from_bytes_be(uint64_t *a, uint8_t *b)
|
||||
+{
|
||||
+ uint8_t tmp[72U] = { 0U };
|
||||
+ memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
|
||||
+ KRML_MAYBE_FOR9(i,
|
||||
+ (uint32_t)0U,
|
||||
+ (uint32_t)9U,
|
||||
+ (uint32_t)1U,
|
||||
+ uint64_t *os = a;
|
||||
+ uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
|
||||
+ uint64_t x = u;
|
||||
+ os[i] = x;);
|
||||
+}
|
||||
+
|
||||
+static inline void
|
||||
+p521_make_order(uint64_t *n)
|
||||
+{
|
||||
+ n[0U] = (uint64_t)0xbb6fb71e91386409U;
|
||||
+ n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
|
||||
+ n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
|
||||
+ n[3U] = (uint64_t)0x51868783bf2f966bU;
|
||||
+ n[4U] = (uint64_t)0xfffffffffffffffaU;
|
||||
+ n[5U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[6U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[7U] = (uint64_t)0xffffffffffffffffU;
|
||||
+ n[8U] = (uint64_t)0x1ffU;
|
||||
+}
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool
|
||||
+Hacl_P521_validate_private_key(uint8_t *private_key)
|
||||
+{
|
||||
+ uint64_t bn_sk[9U] = { 0U };
|
||||
+ bn_from_bytes_be(bn_sk, private_key);
|
||||
+ uint64_t tmp[9U] = { 0U };
|
||||
+ p521_make_order(tmp);
|
||||
+ uint64_t c = bn_sub(tmp, bn_sk, tmp);
|
||||
+ uint64_t is_lt_order = (uint64_t)0U - c;
|
||||
+ uint64_t bn_zero[9U] = { 0U };
|
||||
+ uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
|
||||
+ uint64_t is_eq_zero = res;
|
||||
+ uint64_t res0 = is_lt_order & ~is_eq_zero;
|
||||
+ return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
|
||||
+}
|
||||
diff -up ./lib/freebl/verified/Hacl_P521.h.p384 ./lib/freebl/verified/Hacl_P521.h
|
||||
--- ./lib/freebl/verified/Hacl_P521.h.p384 2024-01-09 11:49:58.651418444 -0800
|
||||
+++ ./lib/freebl/verified/Hacl_P521.h 2024-01-09 11:49:58.651418444 -0800
|
||||
@@ -0,0 +1,59 @@
|
||||
+/* MIT License
|
||||
+ *
|
||||
+ * Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
|
||||
+ * Copyright (c) 2022-2023 HACL* Contributors
|
||||
+ *
|
||||
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
+ * of this software and associated documentation files (the "Software"), to deal
|
||||
+ * in the Software without restriction, including without limitation the rights
|
||||
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
+ * copies of the Software, and to permit persons to whom the Software is
|
||||
+ * furnished to do so, subject to the following conditions:
|
||||
+ *
|
||||
+ * The above copyright notice and this permission notice shall be included in all
|
||||
+ * copies or substantial portions of the Software.
|
||||
+ *
|
||||
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
+ * SOFTWARE.
|
||||
+ */
|
||||
+
|
||||
+#ifndef __Hacl_P521_H
|
||||
+#define __Hacl_P521_H
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+extern "C" {
|
||||
+#endif
|
||||
+
|
||||
+#include <string.h>
|
||||
+#include "krml/internal/types.h"
|
||||
+#include "krml/lowstar_endianness.h"
|
||||
+
|
||||
+#include "lib_intrinsics.h"
|
||||
+
|
||||
+/******************/
|
||||
+/* Key validation */
|
||||
+/******************/
|
||||
+
|
||||
+/**
|
||||
+Private key validation.
|
||||
+
|
||||
+ The function returns `true` if a private key is valid and `false` otherwise.
|
||||
+
|
||||
+ The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
|
||||
+
|
||||
+ The private key is valid:
|
||||
+ • 0 < `private_key` < the order of the curve
|
||||
+*/
|
||||
+bool Hacl_P521_validate_private_key(uint8_t *private_key);
|
||||
+
|
||||
+#if defined(__cplusplus)
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+#define __Hacl_P521_H_DEFINED
|
||||
+#endif
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue