mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Backed out 2 changesets (bug 1856658, bug 1856659) for causing doc-generate failures UPGRADE_NSS_RELEASE 

Backed out changeset 39ecb02fd8de (bug 1856658)
Backed out changeset d9201f9640a1 (bug 1856659)
This commit is contained in:
Sandor Molnar 2023-11-15 19:35:57 +02:00
Родитель 8f0b907808
Коммит 53139f761e
35 изменённых файлов: 2037 добавлений и 1824 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
build/moz.configure/nss.configure
Просмотреть файл

@ -9,7 +9,7 @@ system_lib_option("--with-system-nss", help="Use system NSS")
imply_option("--with-system-nspr", True, when="--with-system-nss")
nss_pkg = pkg_check_modules(
"NSS", "nss >= 3.95", when="--with-system-nss", config=False
"NSS", "nss >= 3.94", when="--with-system-nss", config=False
)
set_config("MOZ_SYSTEM_NSS", True, when="--with-system-nss")

21
security/manager/ssl/tests/unit/test_cert_isBuiltInRoot.js
Просмотреть файл

@ -78,32 +78,11 @@ const sLetsEncryptBase64 =
"6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj" +
"f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=";
// This is a certificate that (currently) ships with the platform.
// It should be considered a built-in root.
const sSectigoBase64 =
"" +
"MIICOjCCAcGgAwIBAgIQQvLM2htpN0RfFf51KBC49DAKBggqhkjOPQQDAzBfMQsw" +
"CQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1T" +
"ZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwHhcN" +
"MjEwMzIyMDAwMDAwWhcNNDYwMzIxMjM1OTU5WjBfMQswCQYDVQQGEwJHQjEYMBYG" +
"A1UEChMPU2VjdGlnbyBMaW1pdGVkMTYwNAYDVQQDEy1TZWN0aWdvIFB1YmxpYyBT" +
"ZXJ2ZXIgQXV0aGVudGljYXRpb24gUm9vdCBFNDYwdjAQBgcqhkjOPQIBBgUrgQQA" +
"IgNiAAR2+pmpbiDt+dd34wc7qNs9Xzjoq1WmVk/WSOrsfy2qw7LFeeyZYX8QeccC" +
"WvkEN/U0NSt3zn8gj1KjAIns1aeibVvjS5KToID1AZTc8GgHHs3u/iVStSBDHBv+" +
"6xnOQ6OjQjBAMB0GA1UdDgQWBBTRItpMWfFLXyY4qp3W7usNw/upYTAOBgNVHQ8B" +
"Af8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNnADBkAjAn7qRa" +
"qCG76UeXlImldCBteU/IvZNeWBj7LRoAasm4PdCkT0RHlAFWovgzJQxC36oCMB3q" +
"4S6ILuH5px0CMk7yn2xVdOOurvulGu7t0vzCAxHrRVxgED1cf5kDW21USAGKcw==";
function run_test() {
let builtInCert = certdb.constructX509FromBase64(sNaverBase64);
ok(builtInCert, "should be able to decode base-64 of built-in cert");
ok(builtInCert.isBuiltInRoot, "cert should be considered built-in");
let otherbuiltInCert = certdb.constructX509FromBase64(sSectigoBase64);
ok(otherbuiltInCert, "should be able to decode base-64 of built-in cert");
ok(otherbuiltInCert.isBuiltInRoot, "cert should be considered built-in");
let notBuiltInCert = certdb.constructX509FromBase64(sLetsEncryptBase64);
ok(notBuiltInCert, "should be able to decode base-64 of built-in cert");
ok(!notBuiltInCert.isBuiltInRoot, "cert should not be considered built-in");

20
security/manager/ssl/tests/unit/test_cert_isBuiltInRoot_reload.js
Просмотреть файл

@ -109,14 +109,18 @@ function run_test() {
// This is a built-in root, but not one that was added to the preexisting
// certificate DB.
// Sectigo Public Server Authentication Root E46
// Certificate fingerprint (SHA256): C90F26F0FB1B4018B22227519B5CA2B53E2CA5B3BE5CF18EFE1BEF47380C5383
const sectigoDBKey = `AAAAAAAAAAAAAAAQAAAAYULyzNobaTdEXxX+dSgQuPQwXzELMAk
GA1UEBhMCR0IxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE2MDQGA1UEAxMtU2VjdGlnbyBQd
WJsaWMgU2VydmVyIEF1dGhlbnRpY2F0aW9uIFJvb3QgRTQ2`;
let sectigoCert = certdb.findCertByDBKey(sectigoDBKey);
ok(sectigoCert, "Should be able to find Sectigo root");
ok(sectigoCert.isBuiltInRoot, "Sectigo root is a built-in");
// Verisign Class 1 Public Primary Certification Authority - G3
// Certificate fingerprint (SHA1): 204285DCF7EB764195578E136BD4B7D1E98E46A5
// https://crt.sh/?id=8984570
const veriSignCertDBKey = `AAAAAAAAAAAAAAARAAAAzQCLW3VWhFSFCwDPrzhI
zrGkMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdB
gNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAxOTk5IF
ZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAM
TPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgLSBHMw==`;
let veriSignCert = certdb.findCertByDBKey(veriSignCertDBKey);
ok(veriSignCert, "Should be able to find VeriSign root");
ok(veriSignCert.isBuiltInRoot, "VeriSign root is a built-in");
// This is a built-in root. It was added to the preexisting certificate DB. It
// should still be considered a built-in.

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_95_BETA1
NSS_3_94_RTM

5
security/nss/automation/abi-check/expected-report-libnssutil3.so.txt
Просмотреть файл

@ -0,0 +1,5 @@
1 Added function:
'function PRBool NSS_GetSystemFIPSEnabled()' {NSS_GetSystemFIPSEnabled@@NSSUTIL_3.94}

2
security/nss/automation/abi-check/previous-nss-release
Просмотреть файл

@ -1 +1 @@
NSS_3_94_BRANCH
NSS_3_93_BRANCH

9
security/nss/automation/taskcluster/scripts/run_hacl.sh
Просмотреть файл

@ -40,14 +40,5 @@ files=($(find ~/nss/lib/freebl/verified/ -type f -name '*.[ch]' -not -path "*/fr
for f in "${files[@]}"; do
file_name=$(basename "$f")
hacl_file=($(find ~/hacl-star/dist/mozilla/ ~/hacl-star/dist/karamel/ -type f -name $file_name -not -path "*/hacl-star/dist/mozilla/internal/*"))
# TODO(Bug 1854438): Remove P384 exception.
# TODO(Bug 1854439): Remove P521 exception.
if [ $file_name == "Hacl_P384.c" \
-o $file_name == "Hacl_P384.h" \
-o $file_name == "Hacl_P521.c" \
-o $file_name == "Hacl_P521.h" ]
then
continue;
fi
diff $hacl_file $f
done

91
security/nss/cmd/pk11ectest/pk11ectest.c
Просмотреть файл

@ -10,32 +10,6 @@
#include "pk11pub.h"
#include <stdio.h>
typedef struct KeyLengthEntryStr {
SECOidTag tag;
unsigned int len;
PRBool encoded;
} KeyLengthEntry;
const KeyLengthEntry keyLengthTable[] = {
{ SEC_OID_SECG_EC_SECP256R1, 65, PR_TRUE },
{ SEC_OID_SECG_EC_SECP384R1, 97, PR_TRUE },
{ SEC_OID_SECG_EC_SECP521R1, 133, PR_TRUE },
{ SEC_OID_CURVE25519, 32, PR_FALSE }
};
const KeyLengthEntry *
getKeyLengthEntry(SECOidTag tag)
{
int i;
for (i = 0; i < PR_ARRAY_SIZE(keyLengthTable); i++) {
if (keyLengthTable[i].tag == tag) {
return &keyLengthTable[i];
}
}
return NULL;
}
void
printBuf(const SECItem *item)
{
@ -79,10 +53,6 @@ ectest_curve_pkcs11(SECOidTag oid)
CK_MECHANISM_TYPE target = CKM_TLS12_MASTER_KEY_DERIVE_DH;
PK11SymKey *symKey = NULL;
SECStatus rv = SECFailure;
const KeyLengthEntry *keyLengthEntry;
SECItem point = { siBuffer, NULL, 0 };
SECItem value = { siBuffer, NULL, 0 };
PLArenaPool *arena = NULL;
oidData = SECOID_FindOIDByTag(oid);
if (oidData == NULL) {
@ -109,63 +79,8 @@ ectest_curve_pkcs11(SECOidTag oid)
goto cleanup;
}
PrintKey(symKey);
keyLengthEntry = getKeyLengthEntry(oid);
/* this shouldn't happen unless new curves are added without adding them
* to the keyLengthTable */
PR_ASSERT(keyLengthEntry);
/* make sure we are returning CKA_EC_POINT according to the PKCS #11 standard.
* NSS itself can tolerate non-standard CKA_EC_POINT, so this is the only place
* our test will detect incorrect behavior */
rv = PK11_ReadRawAttribute(PK11_TypePubKey, pubKey, CKA_EC_POINT, &point);
if (rv == SECFailure) {
printf(" >>> Couldn't get CKA_EC_POINT from the ec pubKey.\n");
goto cleanup;
}
rv = SECFailure;
if (keyLengthEntry->encoded) {
if (point.len == keyLengthEntry->len) {
printf(" >>> Expected encoded CKA_EC_POINT and got a decoded value.\n");
printBuf(&point);
goto cleanup;
}
arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (arena == NULL) {
printf(" >>> arena alloc failed.\n");
goto cleanup;
}
rv = SEC_QuickDERDecodeItem(arena, &value, SEC_ASN1_GET(SEC_OctetStringTemplate),
&point);
if (rv != SECSuccess) {
printf(" >>> invalid endoded CKA_EC_POINT.\n");
printBuf(&point);
goto cleanup;
}
rv = SECFailure;
if (value.len != keyLengthEntry->len) {
printf(" >>> invalid decoded CKA_EC_POINT len (%d) expected %d.\n",
value.len, keyLengthEntry->len);
printBuf(&value);
goto cleanup;
}
if (value.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
printf(" >>> invalid CKA_EC_POINT format (%02x) expected %02x.\n",
value.data[0], EC_POINT_FORM_UNCOMPRESSED);
printBuf(&value);
goto cleanup;
}
} else {
if (point.len != keyLengthEntry->len) {
printf(" >>> invalid CKA_EC_POINT len (%d) expected %d.\n",
point.len, keyLengthEntry->len);
printBuf(&point);
goto cleanup;
}
}
rv = SECSuccess;
cleanup:
if (privKey) {
SECKEY_DestroyPrivateKey(privKey);
@ -176,11 +91,7 @@ cleanup:
if (symKey) {
PK11_FreeSymKey(symKey);
}
if (arena) {
PORT_FreeArena(arena, PR_TRUE);
}
SECITEM_FreeItem(&pk_11_ecParams, PR_FALSE);
SECITEM_FreeItem(&point, PR_FALSE);
return rv;
}

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,4 +10,3 @@
*/
#error "Do not include this header file."

4
security/nss/doc/rst/releases/index.rst
Просмотреть файл

@ -61,8 +61,8 @@ Releases
**NSS 3.94.0** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_94_0_release_notes`
**NSS 3.90.1 (ESR)** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_1_release_notes`
**NSS 3.90.0 (ESR)** is the latest version of NSS.
Complete release notes are available here: :ref:`mozilla_projects_nss_nss_3_90_0_release_notes`
.. container::

59
security/nss/doc/rst/releases/nss_3_90_1.rst
Просмотреть файл

@ -1,59 +0,0 @@
.. _mozilla_projects_nss_nss_3_90_1_release_notes:
NSS 3.90.1 release notes
========================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.90.1 was released on *10th November 2023**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_90_1_RTM. NSS 3.90.1 requires NSPR 4.35 or newer.
NSS 3.90.1 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_90_1_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.90.1:
`Changes in NSS 3.90.1 <#changes_in_nss_3.90.1>`__
--------------------------------------------------
.. container::
- Bug 1813401 - regenerate NameConstraints test certificates.
- Bug 1854795 - add OSXSAVE and XCR0 tests to AVX2 detection.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.90.1 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

68
security/nss/doc/rst/releases/nss_3_94.rst Normal file
Просмотреть файл

@ -0,0 +1,68 @@
.. _mozilla_projects_nss_nss_3_94_release_notes:
NSS 3.94 release notes
======================
`Introduction <#introduction>`__
--------------------------------
.. container::
Network Security Services (NSS) 3.94 was released on *2 October 2023**.
.. _distribution_information:
`Distribution Information <#distribution_information>`__
--------------------------------------------------------
.. container::
The HG tag is NSS_3_94_RTM. NSS 3.94 requires NSPR 4.35 or newer.
NSS 3.94 source distributions are available on ftp.mozilla.org for secure HTTPS download:
- Source tarballs:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_94_RTM/src/
Other releases are available :ref:`mozilla_projects_nss_releases`.
.. _changes_in_nss_3.94:
`Changes in NSS 3.94 <#changes_in_nss_3.94>`__
----------------------------------------------------
.. container::
- Bug 1853737 - Updated code and commit ID for HACL*.
- Bug 1840510 - update ACVP fuzzed test vector: refuzzed with current NSS
- Bug 1827303 - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants.
- Bug 1774659 - NSS needs a database tool that can dump the low level representation of the database.
- Bug 1852179 - declare string literals using char in pkixnames_tests.cpp.
- Bug 1852179 - avoid implicit conversion for ByteString.
- Bug 1818766 - update rust version for acvp docker.
- Bug 1852011 - Moving the init function of the mpi_ints before clean-up in ec.c
- Bug 1615555 - P-256 ECDH and ECDSA from HACL*.
- Bug 1840510 - Add ACVP test vectors to the repository
- Bug 1849077 - Stop relying on std::basic_string<uint8_t>.
- Bug 1847845 - Transpose the PPC_ABI check from Makefile to gyp.
`Compatibility <#compatibility>`__
----------------------------------
.. container::
NSS 3.94 shared libraries are backwards-compatible with all older NSS 3.x shared
libraries. A program linked with older NSS 3.x shared libraries will work with
this new version of the shared libraries without recompiling or
relinking. Furthermore, applications that restrict their use of NSS APIs to the
functions listed in NSS Public Functions will remain compatible with future
versions of the NSS shared libraries.
`Feedback <#feedback>`__
------------------------
.. container::
Bugs discovered should be reported by filing a bug report on
`bugzilla.mozilla.org <https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS>`__ (product NSS).

2630
security/nss/lib/ckfw/builtins/certdata.txt
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

4
security/nss/lib/ckfw/builtins/nssckbi.h
Просмотреть файл

@ -46,8 +46,8 @@
* It's recommend to switch back to 0 after having reached version 98/99.
*/
#define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 64
#define NSS_BUILTINS_LIBRARY_VERSION "2.64"
#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 62
#define NSS_BUILTINS_LIBRARY_VERSION "2.62"
/* These version numbers detail the semantic changes to the ckfw engine. */
#define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1

46
security/nss/lib/ckfw/instance.c
Просмотреть файл

@ -511,28 +511,6 @@ nssCKFWInstance_GetInitArgs(
return fwInstance->pInitArgs;
}
#if defined(_MSC_VER)
#pragma warning(push)
#pragma warning(disable : 4312)
#elif defined(__clang__) || defined(__GNUC__)
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wpointer-to-int-cast"
#endif
PR_STATIC_ASSERT(sizeof(CK_SESSION_HANDLE) <= sizeof(void *));
static inline void *
CKSessionHandleToVoidPtr(CK_SESSION_HANDLE handle)
{
return (void *)(uintptr_t)handle;
}
#if defined(_MSC_VER)
#pragma warning(pop)
#elif defined(__clang__) || defined(__GNUC__)
#pragma GCC diagnostic pop
#endif
/*
* nssCKFWInstance_CreateSessionHandle
*
@ -571,7 +549,7 @@ nssCKFWInstance_CreateSessionHandle(
}
*pError = nssCKFWHash_Add(fwInstance->sessionHandleHash,
CKSessionHandleToVoidPtr(hSession), (const void *)fwSession);
(const void *)(uintptr_t)hSession, (const void *)fwSession);
if (CKR_OK != *pError) {
hSession = (CK_SESSION_HANDLE)0;
goto done;
@ -604,7 +582,7 @@ nssCKFWInstance_ResolveSessionHandle(
}
fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
fwInstance->sessionHandleHash, CKSessionHandleToVoidPtr(hSession));
fwInstance->sessionHandleHash, (const void *)(uintptr_t)hSession);
/* Assert(hSession == nssCKFWSession_GetHandle(fwSession)) */
@ -635,9 +613,9 @@ nssCKFWInstance_DestroySessionHandle(
}
fwSession = (NSSCKFWSession *)nssCKFWHash_Lookup(
fwInstance->sessionHandleHash, CKSessionHandleToVoidPtr(hSession));
fwInstance->sessionHandleHash, (const void *)(uintptr_t)hSession);
if (fwSession) {
nssCKFWHash_Remove(fwInstance->sessionHandleHash, CKSessionHandleToVoidPtr(hSession));
nssCKFWHash_Remove(fwInstance->sessionHandleHash, (const void *)(uintptr_t)hSession);
nssCKFWSession_SetHandle(fwSession, (CK_SESSION_HANDLE)0);
}
@ -706,7 +684,7 @@ nssCKFWInstance_CreateObjectHandle(
}
*pError = nssCKFWHash_Add(fwInstance->objectHandleHash,
CKSessionHandleToVoidPtr(hObject), (const void *)fwObject);
(const void *)(uintptr_t)hObject, (const void *)fwObject);
if (CKR_OK != *pError) {
hObject = (CK_OBJECT_HANDLE)0;
goto done;
@ -739,7 +717,7 @@ nssCKFWInstance_ResolveObjectHandle(
}
fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
fwInstance->objectHandleHash, CKSessionHandleToVoidPtr(hObject));
fwInstance->objectHandleHash, (const void *)(uintptr_t)hObject);
/* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
@ -773,11 +751,11 @@ nssCKFWInstance_ReassignObjectHandle(
}
oldObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
fwInstance->objectHandleHash, CKSessionHandleToVoidPtr(hObject));
fwInstance->objectHandleHash, (const void *)(uintptr_t)hObject);
if (oldObject) {
/* Assert(hObject == nssCKFWObject_GetHandle(oldObject) */
(void)nssCKFWObject_SetHandle(oldObject, (CK_SESSION_HANDLE)0);
nssCKFWHash_Remove(fwInstance->objectHandleHash, CKSessionHandleToVoidPtr(hObject));
nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)(uintptr_t)hObject);
}
error = nssCKFWObject_SetHandle(fwObject, hObject);
@ -785,7 +763,7 @@ nssCKFWInstance_ReassignObjectHandle(
goto done;
}
error = nssCKFWHash_Add(fwInstance->objectHandleHash,
CKSessionHandleToVoidPtr(hObject), (const void *)fwObject);
(const void *)(uintptr_t)hObject, (const void *)fwObject);
done:
(void)nssCKFWMutex_Unlock(fwInstance->mutex);
@ -814,10 +792,10 @@ nssCKFWInstance_DestroyObjectHandle(
}
fwObject = (NSSCKFWObject *)nssCKFWHash_Lookup(
fwInstance->objectHandleHash, CKSessionHandleToVoidPtr(hObject));
fwInstance->objectHandleHash, (const void *)(uintptr_t)hObject);
if (fwObject) {
/* Assert(hObject == nssCKFWObject_GetHandle(fwObject)) */
nssCKFWHash_Remove(fwInstance->objectHandleHash, CKSessionHandleToVoidPtr(hObject));
/* Assert(hObject = nssCKFWObject_GetHandle(fwObject)) */
nssCKFWHash_Remove(fwInstance->objectHandleHash, (const void *)(uintptr_t)hObject);
(void)nssCKFWObject_SetHandle(fwObject, (CK_SESSION_HANDLE)0);
}

2
security/nss/lib/freebl/Makefile
Просмотреть файл

@ -607,7 +607,7 @@ ifndef NSS_DISABLE_CHACHAPOLY
VERIFIED_SRCS += Hacl_Poly1305_32.c Hacl_Chacha20.c Hacl_Chacha20Poly1305_32.c
endif # NSS_DISABLE_CHACHAPOLY
VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c Hacl_P384.c Hacl_P521.c
VERIFIED_SRCS += Hacl_Hash_SHA3.c Hacl_P256.c
ifeq (,$(filter-out x86_64 aarch64,$(CPU_ARCH)))
# All 64-bit architectures get the 64 bit version.

4
security/nss/lib/freebl/blapit.h
Просмотреть файл

@ -392,9 +392,7 @@ typedef struct DHPrivateKeyStr DHPrivateKey;
*/
typedef enum { ec_params_explicit,
ec_params_named,
ec_params_edwards_named,
ec_params_montgomery_named,
ec_params_named
} ECParamsType;
typedef enum { ec_field_GFp = 1,

18
security/nss/lib/freebl/blinit.c
Просмотреть файл

@ -48,7 +48,6 @@ static PRBool ppc_crypto_support_ = PR_FALSE;
/*
* Adapted from the example code in "How to detect New Instruction support in
* the 4th generation Intel Core processor family" by Max Locktyukhin.
* https://www.intel.com/content/dam/develop/external/us/en/documents/how-to-detect-new-instruction-support-in-the-4th-generation-intel-core-processor-family.pdf
*
* XGETBV:
* Reads an extended control register (XCR) specified by ECX into EDX:EAX.
@ -116,20 +115,13 @@ CheckX86CPUSupport()
aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
sha_support_ = (PRBool)((ebx7 & EBX_SHA) != 0 && disable_hw_sha == NULL);
/* For AVX we ensure that:
* - The AVX, OSXSAVE, and XSAVE bits of ECX from CPUID(EAX=1) are set, and
* - the SSE and AVX state bits of XCR0 are set (check_xcr0_ymm).
*/
/* For AVX we check AVX, OSXSAVE, and XSAVE
* as well as XMM and YMM state. */
avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
disable_avx == NULL;
/* For AVX2 we ensure that:
* - AVX is supported,
* - the AVX2, BMI1, and BMI2 bits of EBX from CPUID(EAX=7) are set, and
* - the FMA, and MOVBE bits of ECX from CPUID(EAX=1) are set.
* We do not check for LZCNT support.
*/
avx2_support_ = (PRBool)(avx_support_ == PR_TRUE &&
(ebx7 & AVX2_EBX_BITS) == AVX2_EBX_BITS &&
/* For AVX2 we check AVX2, BMI1, BMI2, FMA, MOVBE.
* We do not check for AVX above. */
avx2_support_ = (PRBool)((ebx7 & AVX2_EBX_BITS) == AVX2_EBX_BITS &&
(ecx & AVX2_ECX_BITS) == AVX2_ECX_BITS &&
disable_avx2 == NULL);
/* CPUID.(EAX=07H, ECX=0H):EBX.ADX[bit 19]=1 indicates

218
security/nss/lib/freebl/ec.c
Просмотреть файл

@ -15,86 +15,21 @@
#include "mplogic.h"
#include "ec.h"
#include "ecl.h"
#include "verified/Hacl_P384.h"
#include "verified/Hacl_P521.h"
#define EC_DOUBLECHECK PR_FALSE
SECStatus
ec_secp384r1_scalar_validate(const SECItem *scalar)
{
if (!scalar || !scalar->data) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (scalar->len != 48) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
bool b = Hacl_P384_validate_private_key(scalar->data);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
return SECSuccess;
}
SECStatus
ec_secp521r1_scalar_validate(const SECItem *scalar)
{
if (!scalar || !scalar->data) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (scalar->len != 66) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
bool b = Hacl_P521_validate_private_key(scalar->data);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
return SECSuccess;
}
static const ECMethod kMethods[] = {
{ ECCurve25519,
ec_Curve25519_pt_mul,
ec_Curve25519_pt_validate,
ec_Curve25519_scalar_validate,
NULL,
NULL },
NULL, NULL },
{
ECCurve_NIST_P256,
ec_secp256r1_pt_mul,
ec_secp256r1_pt_validate,
ec_secp256r1_scalar_validate,
ec_secp256r1_sign_digest,
ec_secp256r1_verify_digest,
},
{
ECCurve_NIST_P384,
NULL,
NULL,
ec_secp384r1_scalar_validate,
NULL,
NULL,
},
{
ECCurve_NIST_P521,
NULL,
NULL,
ec_secp521r1_scalar_validate,
NULL,
NULL,
},
}
};
static const ECMethod *
@ -354,12 +289,12 @@ ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
/* Use curve specific code for point multiplication */
if (ecParams->fieldID.type == ec_field_plain) {
const ECMethod *method = ec_get_method_from_name(ecParams->name);
if (method == NULL || method->pt_mul == NULL) {
if (method == NULL || method->mul == NULL) {
/* unknown curve */
rv = SECFailure;
goto cleanup;
}
rv = method->pt_mul(&key->publicValue, &key->privateValue, NULL);
rv = method->mul(&key->publicValue, &key->privateValue, NULL);
if (rv != SECSuccess) {
goto cleanup;
} else {
@ -407,61 +342,62 @@ EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey,
return rv;
}
/* Generate a random private key using the algorithm A.4.1 or A.4.2 of ANSI X9.62,
/* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
* modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
* random number generator.
*
* Parameters
* - order: a buffer that holds the curve's group order
* - len: the length in octets of the order buffer
*
* Return Value
* Returns a buffer of len octets that holds the private key. The caller
* is responsible for freeing the buffer with PORT_ZFree.
*/
SECStatus
ec_GenerateRandomPrivateKey(ECParams *ecParams, SECItem *privKey)
static unsigned char *
ec_GenerateRandomPrivateKey(const unsigned char *order, int len)
{
SECStatus rv = SECFailure;
SECStatus rv = SECSuccess;
mp_err err;
unsigned char *privKeyBytes = NULL;
mp_int privKeyVal, order_1, one;
unsigned int len = EC_GetScalarSize(ecParams);
MP_DIGITS(&privKeyVal) = 0;
MP_DIGITS(&order_1) = 0;
MP_DIGITS(&one) = 0;
CHECK_MPI_OK(mp_init(&privKeyVal));
CHECK_MPI_OK(mp_init(&order_1));
CHECK_MPI_OK(mp_init(&one));
if (privKey->len != len || privKey->data == NULL) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
/* Generates 2*len random bytes using the global random bit generator
* (which implements Algorithm 1 of FIPS 186-2 Change Notice 1) then
* reduces modulo the group order.
*/
if ((privKeyBytes = PORT_Alloc(2 * len)) == NULL)
goto cleanup;
CHECK_SEC_OK(RNG_GenerateGlobalRandomBytes(privKeyBytes, 2 * len));
CHECK_MPI_OK(mp_read_unsigned_octets(&privKeyVal, privKeyBytes, 2 * len));
CHECK_MPI_OK(mp_read_unsigned_octets(&order_1, order, len));
CHECK_MPI_OK(mp_set_int(&one, 1));
CHECK_MPI_OK(mp_sub(&order_1, &one, &order_1));
CHECK_MPI_OK(mp_mod(&privKeyVal, &order_1, &privKeyVal));
CHECK_MPI_OK(mp_add(&privKeyVal, &one, &privKeyVal));
CHECK_MPI_OK(mp_to_fixlen_octets(&privKeyVal, privKeyBytes, len));
memset(privKeyBytes + len, 0, len);
cleanup:
mp_clear(&privKeyVal);
mp_clear(&order_1);
mp_clear(&one);
if (err < MP_OKAY) {
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
const ECMethod *method = ec_get_method_from_name(ecParams->name);
if (method == NULL || method->scalar_validate == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
if (rv != SECSuccess && privKeyBytes) {
PORT_ZFree(privKeyBytes, 2 * len);
privKeyBytes = NULL;
}
uint8_t leading_coeff_mask;
switch (ecParams->name) {
case ECCurve25519:
case ECCurve_NIST_P256:
case ECCurve_NIST_P384:
leading_coeff_mask = 0xff;
break;
case ECCurve_NIST_P521:
leading_coeff_mask = 0x01;
break;
default:
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
return SECFailure;
}
/* The rejection sampling method from FIPS 186-5 A.4.2 */
int count = 100;
do {
rv = RNG_GenerateGlobalRandomBytes(privKey->data, len);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
return SECFailure;
}
privKey->data[0] &= leading_coeff_mask;
rv = method->scalar_validate(privKey);
} while (rv != SECSuccess && --count > 0);
if (rv != SECSuccess) { // implies count == 0
PORT_SetError(SEC_ERROR_BAD_KEY);
}
return rv;
return privKeyBytes;
}
/* Generates a new EC key pair. The private key is a random value and
@ -472,28 +408,24 @@ SECStatus
EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
{
SECStatus rv = SECFailure;
SECItem privKeyRand = { siBuffer, NULL, 0 };
int len;
unsigned char *privKeyBytes = NULL;
if (!ecParams || ecParams->name == ECCurve_noName || !privKey) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
SECITEM_AllocItem(NULL, &privKeyRand, EC_GetScalarSize(ecParams));
if (privKeyRand.data == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
rv = SECFailure;
goto cleanup;
}
rv = ec_GenerateRandomPrivateKey(ecParams, &privKeyRand);
if (rv != SECSuccess || privKeyRand.data == NULL)
len = ecParams->order.len;
privKeyBytes = ec_GenerateRandomPrivateKey(ecParams->order.data, len);
if (privKeyBytes == NULL)
goto cleanup;
/* generate public key */
CHECK_SEC_OK(ec_NewKey(ecParams, privKey, privKeyRand.data, privKeyRand.len));
CHECK_SEC_OK(ec_NewKey(ecParams, privKey, privKeyBytes, len));
cleanup:
if (privKeyRand.data) {
SECITEM_ZfreeItem(&privKeyRand, PR_FALSE);
if (privKeyBytes) {
PORT_ZFree(privKeyBytes, len);
}
#if EC_DEBUG
printf("EC_NewKey returning %s\n",
@ -528,13 +460,13 @@ EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
/* Uses curve specific code for point validation. */
if (ecParams->fieldID.type == ec_field_plain) {
const ECMethod *method = ec_get_method_from_name(ecParams->name);
if (method == NULL || method->pt_validate == NULL) {
if (method == NULL || method->validate == NULL) {
/* unknown curve */
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
return rv;
}
rv = method->pt_validate(publicValue);
rv = method->validate(publicValue);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_KEY);
}
@ -655,13 +587,13 @@ ECDH_Derive(SECItem *publicValue,
return rv;
}
method = ec_get_method_from_name(ecParams->name);
if (method == NULL || method->pt_validate == NULL ||
method->pt_mul == NULL) {
if (method == NULL || method->validate == NULL ||
method->mul == NULL) {
PORT_SetError(SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE);
rv = SECFailure;
goto done;
}
rv = method->pt_mul(derivedSecret, privateValue, publicValue);
rv = method->mul(derivedSecret, privateValue, publicValue);
if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_KEY);
}
@ -1041,7 +973,8 @@ SECStatus
ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
{
SECStatus rv = SECFailure;
SECItem nonceRand = { siBuffer, NULL, 0 };
int len;
unsigned char *kBytes = NULL;
if (!key) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
@ -1049,22 +982,17 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
}
/* Generate random value k */
SECITEM_AllocItem(NULL, &nonceRand, EC_GetScalarSize(&key->ecParams));
if (nonceRand.data == NULL) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
rv = SECFailure;
goto cleanup;
}
rv = ec_GenerateRandomPrivateKey(&key->ecParams, &nonceRand);
if (rv != SECSuccess || nonceRand.data == NULL)
len = key->ecParams.order.len;
kBytes = ec_GenerateRandomPrivateKey(key->ecParams.order.data, len);
if (kBytes == NULL)
goto cleanup;
/* Generate ECDSA signature with the specified k value */
rv = ECDSA_SignDigestWithSeed(key, signature, digest, nonceRand.data, nonceRand.len);
rv = ECDSA_SignDigestWithSeed(key, signature, digest, kBytes, len);
cleanup:
if (nonceRand.data) {
SECITEM_ZfreeItem(&nonceRand, PR_FALSE);
if (kBytes) {
PORT_ZFree(kBytes, len);
}
#if EC_DEBUG

5
security/nss/lib/freebl/ec.h
Просмотреть файл

@ -13,9 +13,8 @@
struct ECMethodStr {
ECCurveName name;
SECStatus (*pt_mul)(SECItem *result, SECItem *scalar, SECItem *point);
SECStatus (*pt_validate)(const SECItem *point);
SECStatus (*scalar_validate)(const SECItem *scalar);
SECStatus (*mul)(SECItem *result, SECItem *scalar, SECItem *point);
SECStatus (*validate)(const SECItem *point);
SECStatus (*sign_digest)(ECPrivateKey *key, SECItem *signature, const SECItem *digest, const unsigned char *kb, const unsigned int kblen);
SECStatus (*verify_digest)(ECPublicKey *key, const SECItem *signature, const SECItem *digest);
};

1
security/nss/lib/freebl/ecdecode.c
Просмотреть файл

@ -176,7 +176,6 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
case SEC_OID_CURVE25519:
/* Populate params for Curve25519 */
params->type = ec_params_montgomery_named;
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
ec_field_plain,
params));

6
security/nss/lib/freebl/ecl/ecl.h
Просмотреть файл

@ -45,11 +45,9 @@ mp_err ECPoint_validate(const ECGroup *group, const mp_int *px, const mp_int *py
SECStatus ec_Curve25519_pt_mul(SECItem *X, SECItem *k, SECItem *P);
SECStatus ec_Curve25519_pt_validate(const SECItem *px);
SECStatus ec_Curve25519_scalar_validate(const SECItem *scalar);
SECStatus ec_secp256r1_pt_mul(SECItem *X, SECItem *k, SECItem *P);
SECStatus ec_secp256r1_pt_validate(const SECItem *px);
SECStatus ec_secp256r1_scalar_validate(const SECItem *scalar);
SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature,
const SECItem *digest, const unsigned char *kb,
@ -57,8 +55,4 @@ SECStatus ec_secp256r1_sign_digest(ECPrivateKey *key, SECItem *signature,
SECStatus ec_secp256r1_verify_digest(ECPublicKey *key, const SECItem *signature,
const SECItem *digest);
SECStatus ec_secp384r1_scalar_validate(const SECItem *scalar);
SECStatus ec_secp521r1_scalar_validate(const SECItem *scalar);
#endif /* __ecl_h_ */

19
security/nss/lib/freebl/ecl/ecp_25519.c
Просмотреть файл

@ -15,7 +15,6 @@
#include "mpi-priv.h"
#include "secmpi.h"
#include "secitem.h"
#include "secerr.h"
#include "secport.h"
#include <stdlib.h>
#include <stdio.h>
@ -95,24 +94,6 @@ ec_Curve25519_pt_validate(const SECItem *px)
return SECSuccess;
}
/*
* scalar validation is not necessary.
*/
SECStatus
ec_Curve25519_scalar_validate(const SECItem *scalar)
{
if (!scalar || !scalar->data) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
if (scalar->len != 32) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
return SECSuccess;
}
/*
* Scalar multiplication for Curve25519.
* If P == NULL, the base point is used.

29
security/nss/lib/freebl/ecl/ecp_secp256r1.c
Просмотреть файл

@ -45,35 +45,6 @@ ec_secp256r1_pt_validate(const SECItem *pt)
return res;
}
/*
* Scalar Validation for P-256.
*/
SECStatus
ec_secp256r1_scalar_validate(const SECItem *scalar)
{
SECStatus res = SECSuccess;
if (!scalar || !scalar->data) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
res = SECFailure;
return res;
}
if (scalar->len != 32) {
PORT_SetError(SEC_ERROR_BAD_KEY);
res = SECFailure;
return res;
}
bool b = Hacl_P256_validate_private_key(scalar->data);
if (!b) {
PORT_SetError(SEC_ERROR_BAD_KEY);
res = SECFailure;
}
return res;
}
/*
* Scalar multiplication for P-256.
* If P == NULL, the base point is used.

2
security/nss/lib/freebl/freebl_base.gypi
Просмотреть файл

@ -38,8 +38,6 @@
'ecl/ecp_secp384r1.c',
'ecl/ecp_secp521r1.c',
'verified/Hacl_P256.c',
'verified/Hacl_P384.c',
'verified/Hacl_P521.c',
'fipsfreebl.c',
'blinit.c',
'freeblver.c',

126
security/nss/lib/freebl/verified/Hacl_P384.c
Просмотреть файл

@ -1,126 +0,0 @@
/* MIT License
*
* Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
* Copyright (c) 2022-2023 HACL* Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_P384.h"
#include "internal/Hacl_Krmllib.h"
#include "internal/Hacl_Bignum_Base.h"
static inline uint64_t
bn_is_eq_mask(uint64_t *x, uint64_t *y)
{
uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
KRML_MAYBE_FOR6(i,
(uint32_t)0U,
(uint32_t)6U,
(uint32_t)1U,
uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
mask = uu____0 & mask;);
uint64_t mask1 = mask;
return mask1;
}
static inline uint64_t
bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
{
uint64_t c1 = (uint64_t)0U;
{
uint64_t t1 = b[(uint32_t)4U * (uint32_t)0U];
uint64_t t20 = c[(uint32_t)4U * (uint32_t)0U];
uint64_t *res_i0 = a + (uint32_t)4U * (uint32_t)0U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
uint64_t t10 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
uint64_t t21 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)1U];
uint64_t *res_i1 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)1U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
uint64_t t11 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
uint64_t t22 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)2U];
uint64_t *res_i2 = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)2U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
uint64_t t12 = b[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
uint64_t t2 = c[(uint32_t)4U * (uint32_t)0U + (uint32_t)3U];
uint64_t *res_i = a + (uint32_t)4U * (uint32_t)0U + (uint32_t)3U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i);
}
KRML_MAYBE_FOR2(i,
(uint32_t)4U,
(uint32_t)6U,
(uint32_t)1U,
uint64_t t1 = b[i];
uint64_t t2 = c[i];
uint64_t *res_i = a + i;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i););
uint64_t c10 = c1;
return c10;
}
static inline void
bn_from_bytes_be(uint64_t *a, uint8_t *b)
{
KRML_MAYBE_FOR6(i,
(uint32_t)0U,
(uint32_t)6U,
(uint32_t)1U,
uint64_t *os = a;
uint64_t u = load64_be(b + ((uint32_t)6U - i - (uint32_t)1U) * (uint32_t)8U);
uint64_t x = u;
os[i] = x;);
}
static inline void
p384_make_order(uint64_t *n)
{
n[0U] = (uint64_t)0xecec196accc52973U;
n[1U] = (uint64_t)0x581a0db248b0a77aU;
n[2U] = (uint64_t)0xc7634d81f4372ddfU;
n[3U] = (uint64_t)0xffffffffffffffffU;
n[4U] = (uint64_t)0xffffffffffffffffU;
n[5U] = (uint64_t)0xffffffffffffffffU;
}
/**
Private key validation.
The function returns `true` if a private key is valid and `false` otherwise.
The argument `private_key` points to 48 bytes of valid memory, i.e., uint8_t[48].
The private key is valid:
0 < `private_key` < the order of the curve
*/
bool
Hacl_P384_validate_private_key(uint8_t *private_key)
{
uint64_t bn_sk[6U] = { 0U };
bn_from_bytes_be(bn_sk, private_key);
uint64_t tmp[6U] = { 0U };
p384_make_order(tmp);
uint64_t c = bn_sub(tmp, bn_sk, tmp);
uint64_t is_lt_order = (uint64_t)0U - c;
uint64_t bn_zero[6U] = { 0U };
uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
uint64_t is_eq_zero = res;
uint64_t res0 = is_lt_order & ~is_eq_zero;
return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
}

68
security/nss/lib/freebl/verified/Hacl_P384.h
Просмотреть файл

@ -1,68 +0,0 @@
/* MIT License
*
* Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
* Copyright (c) 2022-2023 HACL* Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __Hacl_P384_H
#define __Hacl_P384_H
#if defined(__cplusplus)
extern "C" {
#endif
#include <string.h>
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "lib_intrinsics.h"
/*******************************************************************************
Verified C library for ECDSA and ECDH functions over the P-384 NIST curve.
This module implements signing and verification, key validation, conversions
between various point representations, and ECDH key agreement.
*******************************************************************************/
/******************/
/* Key validation */
/******************/
/**
Private key validation.
The function returns `true` if a private key is valid and `false` otherwise.
The argument `private_key` points to 32 bytes of valid memory, i.e., uint8_t[32].
The private key is valid:
0 < `private_key` < the order of the curve
*/
bool Hacl_P384_validate_private_key(uint8_t *private_key);
#if defined(__cplusplus)
}
#endif
#define __Hacl_P384_H_DEFINED
#endif

131
security/nss/lib/freebl/verified/Hacl_P521.c
Просмотреть файл

@ -1,131 +0,0 @@
/* MIT License
*
* Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
* Copyright (c) 2022-2023 HACL* Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#include "Hacl_P521.h"
#include "internal/Hacl_Krmllib.h"
#include "internal/Hacl_Bignum_Base.h"
static inline uint64_t
bn_is_eq_mask(uint64_t *x, uint64_t *y)
{
uint64_t mask = (uint64_t)0xFFFFFFFFFFFFFFFFU;
KRML_MAYBE_FOR9(i,
(uint32_t)0U,
(uint32_t)9U,
(uint32_t)1U,
uint64_t uu____0 = FStar_UInt64_eq_mask(x[i], y[i]);
mask = uu____0 & mask;);
uint64_t mask1 = mask;
return mask1;
}
static inline uint64_t
bn_sub(uint64_t *a, uint64_t *b, uint64_t *c)
{
uint64_t c1 = (uint64_t)0U;
KRML_MAYBE_FOR2(i,
(uint32_t)0U,
(uint32_t)2U,
(uint32_t)1U,
uint64_t t1 = b[(uint32_t)4U * i];
uint64_t t20 = c[(uint32_t)4U * i];
uint64_t *res_i0 = a + (uint32_t)4U * i;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t20, res_i0);
uint64_t t10 = b[(uint32_t)4U * i + (uint32_t)1U];
uint64_t t21 = c[(uint32_t)4U * i + (uint32_t)1U];
uint64_t *res_i1 = a + (uint32_t)4U * i + (uint32_t)1U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t10, t21, res_i1);
uint64_t t11 = b[(uint32_t)4U * i + (uint32_t)2U];
uint64_t t22 = c[(uint32_t)4U * i + (uint32_t)2U];
uint64_t *res_i2 = a + (uint32_t)4U * i + (uint32_t)2U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t11, t22, res_i2);
uint64_t t12 = b[(uint32_t)4U * i + (uint32_t)3U];
uint64_t t2 = c[(uint32_t)4U * i + (uint32_t)3U];
uint64_t *res_i = a + (uint32_t)4U * i + (uint32_t)3U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t12, t2, res_i););
{
uint64_t t1 = b[8U];
uint64_t t2 = c[8U];
uint64_t *res_i = a + (uint32_t)8U;
c1 = Lib_IntTypes_Intrinsics_sub_borrow_u64(c1, t1, t2, res_i);
}
uint64_t c10 = c1;
return c10;
}
static inline void
bn_from_bytes_be(uint64_t *a, uint8_t *b)
{
uint8_t tmp[72U] = { 0U };
memcpy(tmp + (uint32_t)6U, b, (uint32_t)66U * sizeof(uint8_t));
KRML_MAYBE_FOR9(i,
(uint32_t)0U,
(uint32_t)9U,
(uint32_t)1U,
uint64_t *os = a;
uint64_t u = load64_be(tmp + ((uint32_t)9U - i - (uint32_t)1U) * (uint32_t)8U);
uint64_t x = u;
os[i] = x;);
}
static inline void
p521_make_order(uint64_t *n)
{
n[0U] = (uint64_t)0xbb6fb71e91386409U;
n[1U] = (uint64_t)0x3bb5c9b8899c47aeU;
n[2U] = (uint64_t)0x7fcc0148f709a5d0U;
n[3U] = (uint64_t)0x51868783bf2f966bU;
n[4U] = (uint64_t)0xfffffffffffffffaU;
n[5U] = (uint64_t)0xffffffffffffffffU;
n[6U] = (uint64_t)0xffffffffffffffffU;
n[7U] = (uint64_t)0xffffffffffffffffU;
n[8U] = (uint64_t)0x1ffU;
}
/**
Private key validation.
The function returns `true` if a private key is valid and `false` otherwise.
The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
The private key is valid:
0 < `private_key` < the order of the curve
*/
bool
Hacl_P521_validate_private_key(uint8_t *private_key)
{
uint64_t bn_sk[9U] = { 0U };
bn_from_bytes_be(bn_sk, private_key);
uint64_t tmp[9U] = { 0U };
p521_make_order(tmp);
uint64_t c = bn_sub(tmp, bn_sk, tmp);
uint64_t is_lt_order = (uint64_t)0U - c;
uint64_t bn_zero[9U] = { 0U };
uint64_t res = bn_is_eq_mask(bn_sk, bn_zero);
uint64_t is_eq_zero = res;
uint64_t res0 = is_lt_order & ~is_eq_zero;
return res0 == (uint64_t)0xFFFFFFFFFFFFFFFFU;
}

59
security/nss/lib/freebl/verified/Hacl_P521.h
Просмотреть файл

@ -1,59 +0,0 @@
/* MIT License
*
* Copyright (c) 2016-2022 INRIA, CMU and Microsoft Corporation
* Copyright (c) 2022-2023 HACL* Contributors
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
#ifndef __Hacl_P521_H
#define __Hacl_P521_H
#if defined(__cplusplus)
extern "C" {
#endif
#include <string.h>
#include "krml/internal/types.h"
#include "krml/lowstar_endianness.h"
#include "lib_intrinsics.h"
/******************/
/* Key validation */
/******************/
/**
Private key validation.
The function returns `true` if a private key is valid and `false` otherwise.
The argument `private_key` points to 66 bytes of valid memory, i.e., uint8_t[66].
The private key is valid:
0 < `private_key` < the order of the curve
*/
bool Hacl_P521_validate_private_key(uint8_t *private_key);
#if defined(__cplusplus)
}
#endif
#define __Hacl_P521_H_DEFINED
#endif

6
security/nss/lib/nss/nss.h
Просмотреть файл

@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.95" _NSS_CUSTOMIZED " Beta"
#define NSS_VERSION "3.94" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 95
#define NSS_VMINOR 94
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_TRUE
#define NSS_BETA PR_FALSE
#ifndef RC_INVOKED

102
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -60,11 +60,6 @@ PRBool usePthread_atfork;
#endif
#ifdef XP_UNIX
#define LIB_PARAM_DEFAULT_FILE_LOCATION "/etc/nss/params.config"
#endif
#define LIB_PARAM_DEFAULT " configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB "
/*
* ******************** Static data *******************************
*/
@ -1925,8 +1920,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
/* Handle the non-DER encoded case.
* Some curves are always pressumed to be non-DER.
*/
if (pubKey->u.ec.ecParams.type != ec_params_named ||
(pubKey->u.ec.publicValue.len == keyLen &&
if (pubKey->u.ec.publicValue.len == keyLen &&
(pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
break; /* key was not DER encoded, no need to unwrap */
}
@ -1946,7 +1941,8 @@ sftk_GetPubKey(SFTKObject *object, CK_KEY_TYPE key_type,
break;
}
/* we don't handle compressed points except in the case of ECCurve25519 */
if (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) {
if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
(publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
@ -3305,81 +3301,6 @@ sftk_closePeer(PRBool isFIPS)
extern void sftk_PBELockInit(void);
extern void sftk_PBELockShutdown(void);
/* Parse the library parameters from the first occurance in the following src.:
* 1. C_INITIALIZED_ARGS - lib params are included in LibraryParameters field
* 2. NSS_LIB_PARAMS - env. var. containing the lib. params.
* 3. NSS_LIB_PARAMS_FILE - env. var. pointion to a file with lib. params.
* 4. /etc/nss/params.config - default lib. param. file location [Linux only]
* 5. LIB_PARAM_DEFAULT - string ensureing the pressence at all times
* "configdir='' certPrefix='' keyPrefix='' secmod='' flags=noCertDB,noModDB"
*/
static CK_RV
sftk_getParameters(CK_C_INITIALIZE_ARGS *init_args, PRBool isFIPS,
sftk_parameters *paramStrings)
{
CK_RV crv;
char *libParams;
const char *filename;
PRFileDesc *file_dc;
PRBool free_mem = PR_FALSE;
if (!init_args || !init_args->LibraryParameters) {
/* Library parameters were not provided via C_Initialize_args*/
/* Enviromental value has precedence to configuration filename */
libParams = PR_GetEnvSecure("NSS_LIB_PARAMS");
if (!libParams) {
/* Load from config filename or use default */
filename = PR_GetEnvSecure("NSS_LIB_PARAMS_FILE");
#ifdef XP_UNIX
/* Use default configuration file for Linux only */
if (!filename)
filename = LIB_PARAM_DEFAULT_FILE_LOCATION;
#endif
if (filename) {
file_dc = PR_OpenFile(filename, PR_RDONLY, 444);
if (file_dc) {
/* file opened */
PRInt32 len = PR_Available(file_dc);
libParams = PORT_NewArray(char, len + 1);
if (libParams) {
/* memory allocated */
if (PR_Read(file_dc, libParams, len) == -1) {
PR_Free(libParams);
} else {
free_mem = PR_TRUE;
libParams[len] = '\0';
}
}
PR_Close(file_dc);
}
}
}
if (!libParams)
libParams = LIB_PARAM_DEFAULT;
} else {
/* Use parameters provided with C_Initialize_args */
libParams = (char *)init_args->LibraryParameters;
}
crv = sftk_parseParameters(libParams, paramStrings, isFIPS);
if (crv != CKR_OK) {
crv = CKR_ARGUMENTS_BAD;
goto loser;
}
crv = CKR_OK;
loser:
if (free_mem)
PR_Free(libParams);
return crv;
}
/* NSC_Initialize initializes the Cryptoki library. */
CK_RV
nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
@ -3441,15 +3362,14 @@ nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
return crv;
}
}
crv = CKR_ARGUMENTS_BAD;
if ((init_args && init_args->LibraryParameters)) {
sftk_parameters paramStrings;
/* load and parse the library parameters */
crv = sftk_getParameters(init_args, isFIPS, &paramStrings);
crv = sftk_parseParameters((char *)init_args->LibraryParameters, &paramStrings, isFIPS);
if (crv != CKR_OK) {
goto loser;
return crv;
}
crv = sftk_configure(paramStrings.man, paramStrings.libdes);
if (crv != CKR_OK) {
goto loser;
@ -3486,11 +3406,9 @@ nsc_CommonInitialize(CK_VOID_PTR pReserved, PRBool isFIPS)
break;
}
}
loser:
loser:
sftk_freeParams(&paramStrings);
}
if (destroy_freelist_on_error && (CKR_OK != crv)) {
/* idempotent. If the list are already freed, this is a noop */
sftk_CleanupFreeLists();

2
security/nss/lib/softoken/pkcs11c.c
Просмотреть файл

@ -5660,7 +5660,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
}
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
ecParams->type != ec_params_named) {
ecParams->fieldID.type == ec_field_plain) {
PORT_FreeArena(ecParams->arena, PR_TRUE);
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
sftk_item_expand(&ecPriv->publicValue));

6
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.95" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VERSION "3.94" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 95
#define SOFTOKEN_VMINOR 94
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_TRUE
#define SOFTOKEN_BETA PR_FALSE
#endif /* _SOFTKVER_H_ */

5
security/nss/lib/ssl/sslencode.c
Просмотреть файл

@ -344,11 +344,6 @@ ssl3_AppendHandshake(sslSocket *ss, const void *void_src, unsigned int bytes)
SECStatus
ssl3_AppendHandshakeNumber(sslSocket *ss, PRUint64 num, unsigned int lenSize)
{
if ((lenSize > 8) || ((lenSize < 8) && (num >= (1ULL << (8 * lenSize))))) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
PRUint8 b[sizeof(num)];
SSL_TRC(60, ("%d: number:", SSL_GETPID()));
ssl_EncodeUintX(b, num, lenSize);

6
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.95 Beta"
#define NSSUTIL_VERSION "3.94"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 95
#define NSSUTIL_VMINOR 94
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_TRUE
#define NSSUTIL_BETA PR_FALSE
SEC_BEGIN_PROTOS