diff --git a/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch b/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch new file mode 100644 index 0000000..6c9c744 --- /dev/null +++ b/SOURCES/nss-3.90-ecdsa-sign-padding-fix.patch @@ -0,0 +1,335 @@ +--- ./gtests/pk11_gtest/pk11_ecdsa_vectors.h.ecdsa-sign-padding-fix 2024-04-04 21:20:23.166838534 +0200 ++++ ./gtests/pk11_gtest/pk11_ecdsa_vectors.h 2024-04-10 09:05:12.664050773 +0200 +@@ -280,4 +280,101 @@ const uint8_t kP256SpkiPointNotOnCurve[] + 0x28, 0xbc, 0x64, 0xf2, 0xf1, 0xb2, 0x0c, 0x2d, 0x7e, 0x9f, 0x51, 0x77, + 0xa3, 0xc2, 0x94, 0x00, 0x33, 0x11, 0x77}; + ++const uint8_t kP521DataUnpaddedSigLong[] = {'W', 'T', 'F', '6', '0', 'M', 'W', 'M', 'N', '3'}; ++const uint8_t kP521DataUnpaddedSigShort[] = { 'M', 'I', '6', '3', 'V', 'N', 'G', 'L', 'F', 'R',}; ++const uint8_t kP521SpkiUnpaddedSig[] = { ++ 0x30, 0x81, 0x9b, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, ++ 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, 0x03, 0x81, 0x86, ++ 0x00, 0x04, 0x01, 0xd2, 0x37, 0xeb, 0x78, 0xc7, 0x9b, 0x86, 0xff, 0x29, ++ 0x7b, 0x55, 0x4d, 0x11, 0xc7, 0x9c, 0x2d, 0xc1, 0x67, 0x9f, 0xad, 0x2a, ++ 0xa9, 0xb9, 0x51, 0x30, 0x6d, 0xde, 0x14, 0x16, 0xea, 0xb3, 0x9d, 0x18, ++ 0xfc, 0xf0, 0x38, 0x6e, 0x7f, 0xa6, 0x82, 0xb9, 0x19, 0x01, 0xaf, 0xe7, ++ 0xc3, 0xd8, 0xec, 0x9a, 0x62, 0x7b, 0xbf, 0x41, 0xc7, 0x86, 0x89, 0x52, ++ 0x76, 0x8e, 0x01, 0x97, 0x1b, 0x16, 0x97, 0x69, 0x01, 0x2d, 0x07, 0x88, ++ 0x6f, 0xe0, 0x17, 0xbe, 0x82, 0xc4, 0x12, 0xd6, 0x16, 0x72, 0xf8, 0x57, ++ 0x75, 0x5c, 0x69, 0x79, 0xd0, 0x11, 0x05, 0x96, 0x2f, 0xa4, 0x61, 0xcd, ++ 0x8f, 0x54, 0x95, 0x58, 0xbd, 0x7d, 0x71, 0x84, 0x63, 0x18, 0xb8, 0x5b, ++ 0xaa, 0x1b, 0xd2, 0xe9, 0x65, 0x63, 0x15, 0x34, 0x25, 0x35, 0x2f, 0x35, ++ 0x27, 0x3a, 0x84, 0x42, 0x7a, 0x42, 0x8e, 0xfd, 0x15, 0xbe, 0x0c, 0x0c, ++ 0xe2, 0x9f}; ++const uint8_t kP521SignatureUnpaddedSigLong[] = { ++ 0x01, 0xa7, 0x3a, 0x14, 0x79, 0x77, 0x9e, 0x48, 0xb0, 0xff, 0xb5, 0xbe, ++ 0xfb, 0xfa, 0x7a, 0x84, 0x24, 0xb3, 0x5c, 0xf0, 0xfd, 0x77, 0x9d, 0xd4, ++ 0x66, 0x49, 0xfd, 0xbf, 0x04, 0xbf, 0xbb, 0x75, 0x22, 0xbb, 0x35, 0x42, ++ 0xdb, 0xe7, 0xed, 0x5a, 0x8f, 0x15, 0xf3, 0xa9, 0x0e, 0xb6, 0x5b, 0xde, ++ 0x23, 0x79, 0x47, 0xa7, 0x1d, 0x25, 0x24, 0x68, 0x63, 0xf6, 0x9c, 0x2e, ++ 0x21, 0xe0, 0x30, 0xfc, 0xd3, 0x65, 0x01, 0x12, 0x4e, 0xf0, 0xbb, 0x89, ++ 0xec, 0xec, 0x4f, 0xef, 0xbe, 0xdc, 0xd6, 0xac, 0xa4, 0x16, 0x68, 0x2b, ++ 0x78, 0xdf, 0x6c, 0x6e, 0xb8, 0xf4, 0x5b, 0x45, 0x1b, 0xdd, 0x84, 0x40, ++ 0x94, 0x07, 0xc7, 0xbc, 0xb6, 0x57, 0x92, 0xf1, 0x64, 0xb9, 0x2c, 0xcb, ++ 0x1d, 0xbe, 0x1c, 0x93, 0x78, 0x97, 0x8b, 0x84, 0x4e, 0x69, 0x6d, 0x0b, ++ 0xb0, 0x5f, 0xf1, 0x84, 0x18, 0x82, 0x8d, 0x55, 0xdf, 0x36, 0x43, 0x8a}; ++const uint8_t kP521SignatureUnpaddedSigShort[] = { ++ 0x40, 0x12, 0xa7, 0x96, 0x5d, 0x77, 0xba, 0x8a, 0x90, 0x57, 0x52, 0x11, ++ 0xad, 0x72, 0x21, 0xd6, 0x6c, 0x73, 0x81, 0x43, 0x5d, 0x09, 0xe4, 0xde, ++ 0xee, 0xc2, 0xb5, 0x03, 0x1f, 0x0f, 0xd1, 0x6a, 0xfc, 0x26, 0x6d, 0x99, ++ 0x6d, 0x84, 0x32, 0x05, 0x56, 0x66, 0xe3, 0x6b, 0xf7, 0xf2, 0x04, 0xc9, ++ 0x44, 0x17, 0xaa, 0xbd, 0x24, 0xd8, 0x87, 0x4e, 0x53, 0x9d, 0x08, 0x65, ++ 0x91, 0x95, 0xeb, 0xeb, 0x92, 0x0b, 0xdb, 0x34, 0x80, 0xe8, 0x9f, 0x38, ++ 0x73, 0x00, 0x7c, 0xfc, 0x2b, 0xfa, 0xcf, 0xa6, 0x6c, 0x1c, 0xb0, 0x75, ++ 0x76, 0x01, 0x22, 0xe7, 0x3c, 0xd8, 0xc4, 0x1f, 0x5e, 0xde, 0x0b, 0x95, ++ 0x7a, 0x50, 0x2b, 0x8c, 0x87, 0xc4, 0x12, 0x8e, 0x00, 0x09, 0x29, 0x2c, ++ 0x21, 0xd1, 0x96, 0xa0, 0xf3, 0x0f, 0x54, 0xdb, 0x6a, 0xbb, 0x90, 0xf5, ++ 0x5c, 0x7a, 0x8d, 0x83, 0x9c, 0x39, 0x38, 0x58, 0x5a, 0x0e}; ++const uint8_t kP384DataUnpaddedSigLong[] = {'L', 'T', 'N', '4', 'B', 'P', 'X', 'Y', '5', 'N'}; ++const uint8_t kP384DataUnpaddedSigShort[] = {'3', 'U', 'S', 'N', 'N', 'U', '6', 'E', 'E', '0'}; ++const uint8_t kP384SpkiUnpaddedSig[] = { ++ 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, ++ 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22, 0x03, 0x62, 0x00, 0x04, ++ 0x1e, 0x98, 0x4c, 0xcf, 0x05, 0xd4, 0x9b, 0x98, 0x11, 0xae, 0xa1, 0xaa, ++ 0x72, 0x27, 0xac, 0xde, 0x7f, 0xe8, 0x4d, 0xda, 0xaa, 0x67, 0x51, 0x2e, ++ 0x0b, 0x30, 0x31, 0xab, 0x05, 0xac, 0x95, 0xdf, 0x09, 0x96, 0xcf, 0xe3, ++ 0xf5, 0xfa, 0x30, 0xad, 0x43, 0x0b, 0xa5, 0x7e, 0xd7, 0xd1, 0xee, 0x4e, ++ 0x83, 0x53, 0xe3, 0x26, 0xeb, 0xc1, 0xc9, 0xe5, 0x35, 0x36, 0x1a, 0xbf, ++ 0xbf, 0x99, 0xd6, 0xe2, 0x14, 0x43, 0xcb, 0x54, 0xde, 0x06, 0xb5, 0x7d, ++ 0x27, 0xb7, 0xc2, 0x27, 0xaf, 0xb6, 0x12, 0x4f, 0x47, 0xa0, 0xdb, 0xb5, ++ 0x6e, 0x7b, 0x44, 0x0d, 0xc8, 0xbd, 0x13, 0x3c, 0x27, 0x7c, 0xf2, 0x3a}; ++const uint8_t kP384SignatureUnpaddedSigLong[] = { ++ 0x19, 0x22, 0x21, 0x72, 0x8a, 0xa4, 0x22, 0x26, 0x75, 0x16, 0x9c, 0x58, ++ 0x93, 0xd8, 0x43, 0xac, 0x28, 0x78, 0xe7, 0xe2, 0xf2, 0x5d, 0xa6, 0x59, ++ 0x74, 0x6d, 0x55, 0x95, 0xe1, 0xa8, 0xc9, 0x18, 0x54, 0x5d, 0x03, 0xa0, ++ 0xb0, 0x90, 0xe9, 0xf1, 0xc5, 0xf6, 0x29, 0x1a, 0x50, 0x9d, 0xe3, 0xde, ++ 0x4a, 0x69, 0xdf, 0x1b, 0xe5, 0x53, 0xd7, 0xe8, 0xd4, 0xbf, 0x8c, 0xfc, ++ 0x07, 0x66, 0xbc, 0xa7, 0xb5, 0x47, 0x29, 0xbd, 0x15, 0x8c, 0x57, 0x6c, ++ 0xde, 0x37, 0x57, 0xa4, 0xd4, 0x61, 0x79, 0x92, 0x67, 0x25, 0x2e, 0xbc, ++ 0x8b, 0x88, 0x6a, 0xfa, 0xa5, 0x00, 0x19, 0x11, 0x64, 0x69, 0x7b, 0xf6}; ++const uint8_t kP384SignatureUnpaddedSigShort[] = { ++ 0x69, 0xe6, 0xc2, 0xd0, 0xb0, 0x59, 0xca, 0x1f, 0x07, 0x4c, 0x90, 0x13, ++ 0x75, 0xe0, 0xc5, 0xb9, 0x38, 0xf2, 0xd8, 0x55, 0xf7, 0x08, 0xbd, 0x8e, ++ 0x61, 0xbd, 0x50, 0x7e, 0xb6, 0xb5, 0xea, 0xbc, 0xa4, 0xa0, 0x18, 0x9b, ++ 0x63, 0x6b, 0x8a, 0x91, 0x88, 0x39, 0x0a, 0xbe, 0x6a, 0xb6, 0x4b, 0xaf, ++ 0xcb, 0x31, 0x89, 0xcf, 0x43, 0x28, 0x4b, 0x04, 0x6a, 0xe0, 0x8d, 0xbc, ++ 0xbf, 0xa2, 0x45, 0xdf, 0x1c, 0x83, 0x82, 0x3e, 0x2b, 0xa3, 0xea, 0x50, ++ 0x80, 0xec, 0x31, 0x48, 0x20, 0x30, 0x75, 0x94, 0xd9, 0x08, 0x9f, 0x6f, ++ 0x53, 0x21, 0x6f, 0x72, 0x74, 0x0c, 0xc4, 0x21, 0x28, 0xc9}; ++const uint8_t kP256DataUnpaddedSigLong[] = {'J', '5', 'C', 'N', 'Q', 'T', 'F', 'A', 'J', 'T'}; ++const uint8_t kP256DataUnpaddedSigShort[] = {'K', 'O', 'S', '9', '4', 'F', 'V', 'C', 'Y', 'C'}; ++const uint8_t kP256SpkiUnpaddedSig[] = { ++ 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, ++ 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, ++ 0x42, 0x00, 0x04, 0x30, 0x40, 0x9d, 0x57, 0xdd, 0xd0, 0x70, 0x1d, 0x4b, ++ 0x40, 0x84, 0xd4, 0x7a, 0xc0, 0x30, 0x68, 0x33, 0xf1, 0x1d, 0x47, 0xaa, ++ 0x37, 0x4d, 0xe2, 0xc8, 0xce, 0xdc, 0x82, 0x1d, 0xf7, 0xcf, 0xdd, 0x9e, ++ 0xb6, 0x6c, 0x85, 0x87, 0x9d, 0x31, 0x79, 0x7e, 0xe4, 0xe9, 0xc7, 0x4f, ++ 0xd6, 0x07, 0x1d, 0x2f, 0x54, 0x82, 0x5d, 0x22, 0xbf, 0xbc, 0xf0, 0x75, ++ 0x01, 0x09, 0x43, 0xc6, 0x52, 0xcb, 0x45 }; ++const uint8_t kP256SignatureUnpaddedSigLong[] = { ++ 0xad, 0x6f, 0xcf, 0x41, 0xc1, 0x83, 0xe3, 0x6f, 0xe0, 0x2c, 0x9f, 0x56, ++ 0xa5, 0x17, 0x60, 0xbf, 0x80, 0x71, 0x18, 0x54, 0x1d, 0x82, 0xdb, 0xe6, ++ 0xc2, 0x4e, 0x60, 0x4a, 0xa6, 0x0c, 0xed, 0xcf, 0xe9, 0xbf, 0xda, 0x11, ++ 0xc2, 0x0a, 0x9c, 0x02, 0x5f, 0xb6, 0xa0, 0xb8, 0xbc, 0xda, 0xbf, 0x80, ++ 0xb4, 0xfb, 0x68, 0xab, 0xc8, 0xa8, 0x07, 0xeb, 0x50, 0x5c, 0x8a, 0x47, ++ 0xcf, 0x61, 0x91, 0x5f}; ++const uint8_t kP256SignatureUnpaddedSigShort[] = { ++ 0x3d, 0x99, 0x94, 0xa9, 0x80, 0x12, 0x43, 0x27, 0xde, 0x78, 0x9e, 0x61, ++ 0xaf, 0x10, 0xee, 0xd2, 0x22, 0xc6, 0x6e, 0x1c, 0xdf, 0xe7, 0x75, 0x28, ++ 0x84, 0xae, 0xb8, 0xdb, 0x7b, 0xf1, 0x91, 0x86, 0x5b, 0x5a, 0x28, 0x16, ++ 0x15, 0xfe, 0xd9, 0x48, 0x33, 0x95, 0xa8, 0x8f, 0x92, 0xbb, 0xe3, 0x9c, ++ 0xca, 0x04, 0xef, 0x56, 0x48, 0x16, 0x73, 0xa6, 0xb6, 0x6a, 0x38, 0xc9, ++ 0x78, 0xc4}; + } // namespace nss_test +--- ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc.ecdsa-sign-padding-fix 2024-04-04 21:19:59.583677319 +0200 ++++ ./gtests/pk11_gtest/pk11_ecdsa_unittest.cc 2024-04-10 17:03:24.202133898 +0200 +@@ -326,4 +326,47 @@ INSTANTIATE_TEST_SUITE_P(Pkcs11EcdsaRoun + SEC_OID_SECG_EC_SECP521R1, + SEC_OID_CURVE25519)); + ++class Pkcs11EcdsaUnpaddedSignatureTest ++ : public Pkcs11EcdsaTestBase, ++ public ::testing::WithParamInterface { ++ public: ++ Pkcs11EcdsaUnpaddedSignatureTest() : Pkcs11EcdsaTestBase(GetParam().hash_oid_) {} ++}; ++ ++static const Pkcs11EcdsaTestParams kEcdsaUnpaddedSignaturesVectors[] = { ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), ++ DataBuffer(kP256DataUnpaddedSigLong, sizeof(kP256DataUnpaddedSigLong)), ++ DataBuffer(kP256SignatureUnpaddedSigLong, sizeof(kP256SignatureUnpaddedSigLong))}}, ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP256SpkiUnpaddedSig, sizeof(kP256SpkiUnpaddedSig)), ++ DataBuffer(kP256DataUnpaddedSigShort, sizeof(kP256DataUnpaddedSigShort)), ++ DataBuffer(kP256SignatureUnpaddedSigShort, sizeof(kP256SignatureUnpaddedSigShort))}}, ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), ++ DataBuffer(kP384DataUnpaddedSigLong, sizeof(kP384DataUnpaddedSigLong)), ++ DataBuffer(kP384SignatureUnpaddedSigLong, sizeof(kP384SignatureUnpaddedSigLong))}}, ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP384SpkiUnpaddedSig, sizeof(kP384SpkiUnpaddedSig)), ++ DataBuffer(kP384DataUnpaddedSigShort, sizeof(kP384DataUnpaddedSigShort)), ++ DataBuffer(kP384SignatureUnpaddedSigShort, sizeof(kP384SignatureUnpaddedSigShort))}}, ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), ++ DataBuffer(kP521DataUnpaddedSigLong, sizeof(kP521DataUnpaddedSigLong)), ++ DataBuffer(kP521SignatureUnpaddedSigLong, sizeof(kP521SignatureUnpaddedSigLong))}}, ++ {SEC_OID_SHA512, ++ {DataBuffer(NULL, 0), ++ DataBuffer(kP521SpkiUnpaddedSig, sizeof(kP521SpkiUnpaddedSig)), ++ DataBuffer(kP521DataUnpaddedSigShort, sizeof(kP521DataUnpaddedSigShort)), ++ DataBuffer(kP521SignatureUnpaddedSigShort, sizeof(kP521SignatureUnpaddedSigShort))}} ++}; ++ ++TEST_P(Pkcs11EcdsaUnpaddedSignatureTest, Verify) { Verify(GetParam().sig_params_); } ++INSTANTIATE_TEST_SUITE_P(EcdsaVerifyUnpaddedSignatures, Pkcs11EcdsaUnpaddedSignatureTest, ++ ::testing::ValuesIn(kEcdsaUnpaddedSignaturesVectors)); + } // namespace nss_test +--- ./lib/freebl/ecl/ecp_secp256r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:28.413482715 +0200 ++++ ./lib/freebl/ecl/ecp_secp256r1.c 2024-04-09 21:15:23.717222679 +0200 +@@ -214,6 +214,9 @@ ec_secp256r1_verify_digest(ECPublicKey * + { + SECStatus res = SECSuccess; + ++ unsigned char _padded_sig_data[64] = { 0 }; ++ unsigned char *sig_r, *sig_s; ++ + if (!key || !signature || !digest || + !key->publicValue.data || + !signature->data || !digest->data || +@@ -223,9 +226,10 @@ ec_secp256r1_verify_digest(ECPublicKey * + return res; + } + +- if (key->publicValue.len != 65 || +- digest->len == 0 || +- signature->len != 64) { ++ unsigned int olen = key->ecParams.order.len; ++ if (signature->len == 0 || signature->len % 2 != 0 || ++ signature->len > 2 * olen || ++ digest->len == 0 || key->publicValue.len != 65) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; +@@ -237,6 +241,25 @@ ec_secp256r1_verify_digest(ECPublicKey * + return res; + } + ++ /* P-256 signature has to be 64 bytes long, pad it with 0s if it isn't */ ++ if (signature->len != 64) { ++ unsigned split = signature->len / 2; ++ unsigned pad = 32 - split; ++ ++ unsigned char *o_sig = signature->data; ++ unsigned char *p_sig = _padded_sig_data; ++ ++ memcpy(p_sig + pad, o_sig, split); ++ memcpy(p_sig + 32 + pad, o_sig + split, split); ++ ++ sig_r = p_sig; ++ sig_s = p_sig + 32; ++ } else { ++ sig_r = signature->data; ++ sig_s = signature->data + 32; ++ } ++ ++ + uint8_t hash[32] = { 0 }; + if (digest->len < 32) { + memcpy(hash + 32 - digest->len, digest->data, digest->len); +@@ -247,7 +270,7 @@ ec_secp256r1_verify_digest(ECPublicKey * + bool b = Hacl_P256_ecdsa_verif_without_hash( + 32, hash, + key->publicValue.data + 1, +- signature->data, signature->data + 32); ++ sig_r, sig_s); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + res = SECFailure; +--- ./lib/freebl/ecl/ecp_secp384r1.c.ecdsa-sign-padding-fix 2024-04-09 14:58:12.726377972 +0200 ++++ ./lib/freebl/ecl/ecp_secp384r1.c 2024-04-09 14:50:47.932425779 +0200 +@@ -185,6 +185,9 @@ ec_secp384r1_verify_digest(ECPublicKey * + { + SECStatus res = SECSuccess; + ++ unsigned char _padded_sig_data[96] = { 0 }; ++ unsigned char *sig_r, *sig_s; ++ + if (!key || !signature || !digest || + !key->publicValue.data || + !signature->data || !digest->data || +@@ -194,9 +197,10 @@ ec_secp384r1_verify_digest(ECPublicKey * + return res; + } + +- if (key->publicValue.len != 97 || +- digest->len == 0 || +- signature->len != 96) { ++ unsigned int olen = key->ecParams.order.len; ++ if (signature->len == 0 || signature->len % 2 != 0 || ++ signature->len > 2 * olen || ++ digest->len == 0 || key->publicValue.len != 97) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; +@@ -208,6 +212,24 @@ ec_secp384r1_verify_digest(ECPublicKey * + return res; + } + ++ /* P-384 signature has to be 96 bytes long, pad it with 0s if it isn't */ ++ if (signature->len != 96) { ++ unsigned split = signature->len / 2; ++ unsigned pad = 48 - split; ++ ++ unsigned char *o_sig = signature->data; ++ unsigned char *p_sig = _padded_sig_data; ++ ++ memcpy(p_sig + pad, o_sig, split); ++ memcpy(p_sig + 48 + pad, o_sig + split, split); ++ ++ sig_r = p_sig; ++ sig_s = p_sig + 48; ++ } else { ++ sig_r = signature->data; ++ sig_s = signature->data + 48; ++ } ++ + uint8_t hash[48] = { 0 }; + if (digest->len < 48) { + memcpy(hash + 48 - digest->len, digest->data, digest->len); +@@ -218,7 +240,7 @@ ec_secp384r1_verify_digest(ECPublicKey * + bool b = Hacl_P384_ecdsa_verif_without_hash( + 48, hash, + key->publicValue.data + 1, +- signature->data, signature->data + 48); ++ sig_r, sig_s); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + res = SECFailure; +--- ./lib/freebl/ecl/ecp_secp521r1.c.ecdsa-sign-padding-fix 2024-04-05 22:42:26.553728340 +0200 ++++ ./lib/freebl/ecl/ecp_secp521r1.c 2024-04-09 13:02:14.821865860 +0200 +@@ -189,6 +189,9 @@ ec_secp521r1_verify_digest(ECPublicKey * + { + SECStatus res = SECSuccess; + ++ unsigned char _padded_sig_data[132] = { 0 }; ++ unsigned char *sig_r, *sig_s; ++ + if (!key || !signature || !digest || + !key->publicValue.data || + !signature->data || !digest->data || +@@ -198,9 +201,10 @@ ec_secp521r1_verify_digest(ECPublicKey * + return res; + } + +- if (key->publicValue.len != 133 || +- digest->len == 0 || +- signature->len != 132) { ++ unsigned int olen = key->ecParams.order.len; ++ if (signature->len == 0 || signature->len % 2 != 0 || ++ signature->len > 2 * olen || ++ digest->len == 0 || key->publicValue.len != 133) { + PORT_SetError(SEC_ERROR_INPUT_LEN); + res = SECFailure; + return res; +@@ -212,6 +216,24 @@ ec_secp521r1_verify_digest(ECPublicKey * + return res; + } + ++ /* P-521 signature has to be 132 bytes long, pad it with 0s if it isn't */ ++ if (signature->len != 132) { ++ unsigned split = signature->len / 2; ++ unsigned pad = 66 - split; ++ ++ unsigned char *o_sig = signature->data; ++ unsigned char *p_sig = _padded_sig_data; ++ ++ memcpy(p_sig + pad, o_sig, split); ++ memcpy(p_sig + 66 + pad, o_sig + split, split); ++ ++ sig_r = p_sig; ++ sig_s = p_sig + 66; ++ } else { ++ sig_r = signature->data; ++ sig_s = signature->data + 66; ++ } ++ + uint8_t hash[66] = { 0 }; + if (digest->len < 66) { + memcpy(hash + 66 - digest->len, digest->data, digest->len); +@@ -227,7 +249,7 @@ ec_secp521r1_verify_digest(ECPublicKey * + bool b = Hacl_P521_ecdsa_verif_without_hash( + 66, hash, + key->publicValue.data + 1, +- signature->data, signature->data + 66); ++ sig_r, sig_s); + if (!b) { + PORT_SetError(SEC_ERROR_BAD_SIGNATURE); + res = SECFailure; diff --git a/SPECS/nss.spec b/SPECS/nss.spec index b69600a..bd12996 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,6 +1,6 @@ %global nss_version 3.90.0 %global nspr_version 4.35.0 -%global baserelease 6 +%global baserelease 7 %global nss_release %baserelease # NOTE: To avoid NVR clashes of nspr* packages: # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when @@ -194,6 +194,7 @@ Patch91: nss_p384_scalar_validated.patch Patch92: nss_p384_hacl.patch Patch93: nss_p521_hacl.patch Patch94: nss-3.90-ecc-wrap-fix.patch +Patch95: nss-3.90-ecdsa-sign-padding-fix.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1193,6 +1194,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Apr 10 2024 Frantisek Krenzelok - 3.90.0-7 +- Allow for shorter ecdsa signatures by padding them to full length + * Tue Jan 23 2024 Bob Relyea - 3.90.0-6 - Fix ecc DER wrapping.