mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1655105 - land NSS afa38fb2f0b5 UPGRADE_NSS_RELEASE, r=jcj 

2020-07-27  Jan-Marek Glogowski  <glogow@fbihome.de>

	* lib/freebl/Makefile:
	Bug 1652032 Disable all freebl assembler code for MSVC arm64
	r=rrelyea,bbeurdouche

	There are two places, where NSS tries to compile either x86_64 MSVC
	assembler or GCC aarch64 code, which will fail the build. And also
	drop the non-MSVC arch build flags for them.

	AFAI could identify, there isn't any armasm64 compatible asm code in
	the whole NSS library, so I don't even adapt AS for the build. The
	cross-build finishes this way.

	[d98bbb6168f4]

2020-07-24  Benjamin Beurdouche  <bbeurdouche@mozilla.com>

	* cmd/bltest/blapitest.c, coreconf/config.gypi, coreconf/config.mk,
	lib/freebl/alg2268.c, lib/freebl/deprecated/alg2268.c,
	lib/freebl/freebl_base.gypi, lib/freebl/ldvector.c,
	lib/freebl/loader.c, lib/freebl/loader.h, lib/freebl/manifest.mn,
	lib/softoken/lowpbe.c, lib/softoken/pkcs11c.c:
	Bug 1652729 - Add build flag to disable RC2 and relocate to
	lib/freebl/deprecated. r=kjacobs

	[e6c6f1d2d544]

2020-07-27  Robert Relyea  <rrelyea@redhat.com>

	* gtests/softoken_gtest/manifest.mn,
	gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc,
	gtests/softoken_gtest/softoken_gtest.gyp, lib/freebl/blapi.h,
	lib/freebl/dh.c, lib/freebl/ldvector.c, lib/freebl/loader.c,
	lib/freebl/loader.h, lib/softoken/manifest.mn,
	lib/softoken/pkcs11.c, lib/softoken/pkcs11c.c,
	lib/softoken/pkcs11i.h, lib/softoken/pkcs11u.c,
	lib/softoken/sftkdhverify.c, lib/softoken/softoken.gyp:
	Bug 1648822 Add stricter validation of DH keys when in FIPS mode.

	Update: FIPS now also requires us to do y^q mod p testing on key
	generation (always). We now do that in FIPS mode only, but in all
	modes we do full DH verification for DH and ECDH. Because of this,
	the path has now separated out the prime checks, which are now only
	done for the DH operation if we aren't using a known prime and the
	subprime value has been provided. I've also learned we can accept
	keys that we do full validation on in FIPS mode, so I've added that
	to this patch, though we still can't generate those kinds of keys
	without adding the subprime at keygen time.

	The new FIPS standard is dh operations must use approved primes.
	Approved primes are those selected in the tls and ike RFCs.
	Currently tls and ike have modes with checks whether the primes are
	approved, but the check may not always happen. The safest thing to
	do in FIPS mode is only allow those primes. In addition, FIPS
	requires 1< y < p-1 (or technically 2<=y<=p-2, since y is an integer
	those two tests are identical).

	While making changes I realized we would want a mode where we can do
	more strict checks on the prime while not requiring that the prime
	be an approved prime. We already allow for strict checking if q is
	supplied with the private key, but there were a couple of issues
	with that check:

	 1. there was no way of actually setting q in the current NSS
	pk11wrap interfaces. 2. If the prime was a safe prime, but g was an
	actual generator, then we would fail the y^q mod p = 1 tests for 50%
	of the keys, even though those keys are safe. 3. We weren't checking
	primality of p and q.

	So the old code:

	 if (q) { check y^q mod p = 1 if not fail }

	 check 1 <y < p-1 (done in DH_Derive).

	New code:

	 if (! p is approved prime) { if (FIPS) fail; if (q) { y_test = y if
	(p,q-> p is a safe prime) { y_test = 1 } check prime is prime Fail
	if not check subprime is subprime fail if not y_test^q mod p = 1 } }
	check 1 < y < p-1 (done in DH_Derive)

	This means:

	Existing code non-fips without setting the subprime continues to run
	as before. Non-fips code which sets the subprime now runs slower,
	but p and q are checked if p or q where not prime, the derive fails
	(which it should). In FIPS mode only approved primes will succeed
	now. Non-fips code can now set the subprime to q=(p-1)/2 if it
	doesn't have an explicit q value (like in tls). If the derive
	succeeds, we know that p is a safe prime. If p is approved, the
	checks are skipped because we already know that p is a safe prime.
	Code can optionally do a test derive on a new p and remember it's
	safe so that we know longer need to check ever call (though if q is
	not (p-1)/2, you will need to continue to do the checks each call
	because y could still be a small subgroup).

	This patch:

	gtests/softoken_gtest

	 1. Added New dh tests to softoken_gtests. The tests were added to
	softoken_gtests because we need to test both non-FIPS and FIPS mode.
	Test vectors include a category, so the same test vectors can be
	used in FIPS and non-FIPS even though each class may have different
	results. Most of the test vectors where created either by dhparams
	command in openssl, dsaparams in openssl, and the nss makepqg
	command. Each vector includes a label, prime, base, optional
	subprime, optional public key, test type, and key class (basically
	size). 2. If public key is not supplied, we use a generated public
	key. 3. If subPrime is supplied to wet it on the private key after
	generation.

	lib/freebl/dh.c

	 add primality tests to KEA_VerifyKey().

	lib/softokn/

	 1. Allow CKA_SUBPRIME to be set after key generation or import.
	This affects how we test for it's existance, since it is now always
	there on the key, we check it's length to make sure it's non-zero.
	2. We implement the psuedocode above as real code. 3. We create two
	new functions: sftl_VerifyDH_Prime which return SECSuccess if Prime
	is an approved prime. sftk_IsSafePrime which returns SECSuess of
	both prime and subprime look reasonable, and sets a Bool to PR_TRUE
	is subprime -> prime is safe (subprime = (prime-1)/2. These
	functions are implemented in sftkdhverify.c 4.Cleanup incorrect
	nominclature on primes (safe primes are not strong primes).
	[0be91fa2217a]

	* gtests/softoken_gtest/softoken_dh_vectors.h,
	gtests/softoken_gtest/softoken_gtest.cc:
	Fix more of the timeout issues on tests. (Drop expensive 4098 dh
	tests ).
	[4014c075a31b]

2020-07-29  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* coreconf/config.gypi, lib/freebl/Makefile, lib/freebl/blinit.c,
	lib/freebl/freebl.gyp, lib/freebl/sha1-armv8.c,
	lib/freebl/sha_fast.c, lib/freebl/sha_fast.h:
	Bug 1650702 - Use ARM's crypt extension for SHA1. r=kjacobs

	ARM Crypto extension has SHA1 acceleration. Using this, SHA1 is 3
	times faster on ARMv8 CPU. The following data is AWS's a1 instance
	(Cortex-A72).

	Before ====== ``` # mode in opreps cxreps context op time(sec)
	thrgput sha1_e 954Mb 31M 0 0.000 10000.000 10.000 95Mb ```

	After ===== ``` # mode in opreps cxreps context op time(sec) thrgput
	sha1_e 2Gb 94M 0 0.000 10000.000 10.000 288Mb ```

	[68b6eb737689]

2020-07-29  Jan-Marek Glogowski  <glogow@fbihome.de>

	* manifest.mn:
	Bug 1653975 - Set "all" as the default Makefile target r=jcj,rrelyea

	Just reorder the rules in manifest.mn, so all is again the first
	rule. This restores pre-3.53 Makefile defaults.

	[eb52747b7000]

2020-07-31  Makoto Kato  <m_kato@ga2.so-net.ne.jp>

	* lib/freebl/blapii.h, lib/freebl/blinit.c, nss-tool/hw-support.c:
	Bug 1654142 - Add CPU feature detection for Intel SHA extension.
	r=kjacobs

	[e6b77a9c417a]

2020-08-03  Nathan Froyd  <froydnj@mozilla.com>

	* coreconf/detect_host_arch.py:
	Bug 1656986 - special-case arm64 in detect_host_arch.py; r=jcj

	This case comes up when attempting to build NSS on ARM64 Mac. If we
	don't do this, we wind up detecting arm64 as "arm", with predictably
	bad consequences.

	[afa38fb2f0b5] [tip]

Differential Revision: https://phabricator.services.mozilla.com/D85888
This commit is contained in:
Kevin Jacobs 2020-08-04 19:54:56 +00:00
Родитель 46f0d532dc
Коммит cb86341c99
41 изменённых файлов: 5784 добавлений и 100 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
build/moz.configure/nss.configure
Просмотреть файл

@ -8,7 +8,7 @@ option('--with-system-nss', help='Use system NSS')
imply_option('--with-system-nspr', True, when='--with-system-nss')
nss_pkg = pkg_check_modules('NSS', 'nss >= 3.55', when='--with-system-nss', config=False)
nss_pkg = pkg_check_modules('NSS', 'nss >= 3.56', when='--with-system-nss', config=False)
set_config('MOZ_SYSTEM_NSS', True, when='--with-system-nss')

2
security/nss/TAG-INFO
Просмотреть файл

@ -1 +1 @@
NSS_3_55_RTM
afa38fb2f0b5

5
security/nss/automation/abi-check/expected-report-libnss3.so.txt
Просмотреть файл

@ -1,5 +0,0 @@
1 Added function:
[A] 'function CK_OBJECT_HANDLE PK11_FindEncodedCertInSlot(PK11SlotInfo*, SECItem*, void*)' {PK11_FindEncodedCertInSlot@@NSS_3.55}

2
security/nss/automation/abi-check/previous-nss-release
Просмотреть файл

@ -1 +1 @@
NSS_3_54_BRANCH
NSS_3_55_BRANCH

26
security/nss/cmd/bltest/blapitest.c
Просмотреть файл

@ -608,9 +608,11 @@ typedef enum {
bltestDES_CBC, /* . */
bltestDES_EDE_ECB, /* . */
bltestDES_EDE_CBC, /* . */
bltestRC2_ECB, /* . */
bltestRC2_CBC, /* . */
bltestRC4, /* . */
#ifndef NSS_DISABLE_DEPRECATED_RC2
bltestRC2_ECB, /* . */
bltestRC2_CBC, /* . */
#endif
bltestRC4, /* . */
#ifdef NSS_SOFTOKEN_DOES_RC5
bltestRC5_ECB, /* . */
bltestRC5_CBC, /* . */
@ -648,8 +650,10 @@ static char *mode_strings[] =
"des_cbc",
"des3_ecb",
"des3_cbc",
#ifndef NSS_DISABLE_DEPRECATED_RC2
"rc2_ecb",
"rc2_cbc",
#endif
"rc4",
#ifdef NSS_SOFTOKEN_DOES_RC5
"rc5_ecb",
@ -879,7 +883,9 @@ cipher_requires_IV(bltestCipherMode mode)
switch (mode) {
case bltestDES_CBC:
case bltestDES_EDE_CBC:
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_CBC:
#endif
#ifdef NSS_SOFTOKEN_DOES_RC5
case bltestRC5_CBC:
#endif
@ -1088,6 +1094,7 @@ des_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
input, inputLen);
}
#ifndef NSS_DISABLE_DEPRECATED_RC2
SECStatus
rc2_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
unsigned int maxOutputLen, const unsigned char *input,
@ -1105,6 +1112,7 @@ rc2_Decrypt(void *cx, unsigned char *output, unsigned int *outputLen,
return RC2_Decrypt((RC2Context *)cx, output, outputLen, maxOutputLen,
input, inputLen);
}
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
SECStatus
rc4_Encrypt(void *cx, unsigned char *output, unsigned int *outputLen,
@ -1373,6 +1381,7 @@ bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
return SECSuccess;
}
#ifndef NSS_DISABLE_DEPRECATED_RC2
SECStatus
bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
{
@ -1418,6 +1427,7 @@ bltest_rc2_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->cipher.symmkeyCipher = rc2_Decrypt;
return SECSuccess;
}
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
SECStatus
bltest_rc4_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
@ -2259,12 +2269,14 @@ cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
cipherInfo->input.pBuf.len);
return bltest_des_init(cipherInfo, encrypt);
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_ECB:
case bltestRC2_CBC:
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
cipherInfo->input.pBuf.len);
return bltest_rc2_init(cipherInfo, encrypt);
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
case bltestRC4:
SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
cipherInfo->input.pBuf.len);
@ -2613,10 +2625,12 @@ cipherFinish(bltestCipherInfo *cipherInfo)
cipherInfo->cx,
PR_TRUE);
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_ECB:
case bltestRC2_CBC:
RC2_DestroyContext((RC2Context *)cipherInfo->cx, PR_TRUE);
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
case bltestRC4:
RC4_DestroyContext((RC4Context *)cipherInfo->cx, PR_TRUE);
break;
@ -2769,8 +2783,10 @@ print_td:
case bltestSEED_ECB:
case bltestSEED_CBC:
#endif
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_ECB:
case bltestRC2_CBC:
#endif
case bltestRC4:
if (td)
fprintf(stdout, "%8s", "symmkey");
@ -2954,7 +2970,9 @@ get_params(PLArenaPool *arena, bltestParams *params,
load_file_data(arena, &params->ask.aad, filename, bltestBinary);
case bltestDES_CBC:
case bltestDES_EDE_CBC:
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_CBC:
#endif
case bltestAES_CBC:
case bltestAES_CTS:
case bltestAES_CTR:
@ -2966,7 +2984,9 @@ get_params(PLArenaPool *arena, bltestParams *params,
load_file_data(arena, &params->sk.iv, filename, bltestBinary);
case bltestDES_ECB:
case bltestDES_EDE_ECB:
#ifndef NSS_DISABLE_DEPRECATED_RC2
case bltestRC2_ECB:
#endif
case bltestRC4:
case bltestAES_ECB:
case bltestCAMELLIA_ECB:

7
security/nss/coreconf/config.gypi
Просмотреть файл

@ -97,10 +97,12 @@
'cc_use_gnu_ld%': '<(cc_use_gnu_ld)',
# Some defaults
'disable_arm_hw_aes%': 0,
'disable_arm_hw_sha1%': 0,
'disable_arm_hw_sha2%': 0,
'disable_tests%': 0,
'disable_chachapoly%': 0,
'disable_deprecated_seed%': 0,
'disable_deprecated_rc2%': 0,
'disable_dbm%': 1,
'disable_libpkix%': 1,
'disable_werror%': 0,
@ -576,6 +578,11 @@
'NSS_DISABLE_DEPRECATED_SEED',
],
}],
[ 'disable_deprecated_rc2==1', {
'defines': [
'NSS_DISABLE_DEPRECATED_RC2',
],
}],
],
},
# Common settings for debug should go here.

4
security/nss/coreconf/config.mk
Просмотреть файл

@ -162,6 +162,10 @@ ifdef NSS_DISABLE_DEPRECATED_SEED
DEFINES += -DNSS_DISABLE_DEPRECATED_SEED
endif
ifdef NSS_DISABLE_DEPRECATED_RC2
DEFINES += -DNSS_DISABLE_DEPRECATED_RC2
endif
ifdef NSS_PKIX_NO_LDAP
DEFINES += -DNSS_PKIX_NO_LDAP
endif

1
security/nss/coreconf/coreconf.dep
Просмотреть файл

@ -10,3 +10,4 @@
*/
#error "Do not include this header file."

2
security/nss/coreconf/detect_host_arch.py
Просмотреть файл

@ -15,6 +15,8 @@ def main():
host_arch = 'x64'
elif fnmatch.fnmatch(host_arch, 'i?86') or host_arch == 'i86pc':
host_arch = 'ia32'
elif host_arch == 'arm64':
pass
elif host_arch.startswith('arm'):
host_arch = 'arm'
elif host_arch.startswith('mips'):

3
security/nss/gtests/softoken_gtest/manifest.mn
Просмотреть файл

@ -25,11 +25,12 @@ INCLUDES += \
-I$(CORE_DEPTH)/cpputil \
$(NULL)
REQUIRES = nspr gtest
REQUIRES = nspr gtest cpputil
PROGRAM = softoken_gtest
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)gtestutil.$(LIB_SUFFIX) \
$(NULL)

3411
security/nss/gtests/softoken_gtest/softoken_dh_vectors.h Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

302
security/nss/gtests/softoken_gtest/softoken_gtest.cc
Просмотреть файл

@ -11,10 +11,14 @@
#define GTEST_HAS_RTTI 0
#include "gtest/gtest.h"
#include "databuffer.h"
#include <fstream>
#include <chrono>
using namespace std::chrono;
#include "softoken_dh_vectors.h"
namespace nss_test {
class SoftokenTest : public ::testing::Test {
protected:
SoftokenTest() : mNSSDBDir("SoftokenTest.d-") {}
@ -527,11 +531,213 @@ TEST_F(SoftokenNoDBTest, NeedUserInitNoDB) {
ASSERT_EQ(SECSuccess, NSS_Shutdown());
}
SECStatus test_dh_value(const PQGParams *params, const SECItem *pub_key_value,
PRBool genFailOK, time_t *time) {
SECKEYDHParams dh_params;
dh_params.base = params->base;
dh_params.prime = params->prime;
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
EXPECT_TRUE(slot);
if (!slot) return SECFailure;
/* create a private/public key pair in with the given params */
SECKEYPublicKey *pub_tmp = nullptr;
ScopedSECKEYPrivateKey priv_key(
PK11_GenerateKeyPair(slot.get(), CKM_DH_PKCS_KEY_PAIR_GEN, &dh_params,
&pub_tmp, PR_FALSE, PR_TRUE, nullptr));
if ((genFailOK) && ((priv_key.get() == nullptr) || (pub_tmp == nullptr))) {
return SECFailure;
}
EXPECT_NE(nullptr, priv_key.get()) << "PK11_GenerateKeyPair failed: "
<< PORT_ErrorToName(PORT_GetError());
EXPECT_NE(nullptr, pub_tmp);
if ((priv_key.get() == nullptr) || (pub_tmp == nullptr)) return SECFailure;
ScopedSECKEYPublicKey pub_key(pub_tmp);
ScopedSECKEYPublicKey peer_pub_key_manager(nullptr);
SECKEYPublicKey *peer_pub_key = pub_key.get();
/* if a subprime has been given set it on the PKCS #11 key */
if (params->subPrime.data != nullptr) {
SECStatus rv;
EXPECT_EQ(SECSuccess, rv = PK11_WriteRawAttribute(
PK11_TypePrivKey, priv_key.get(), CKA_SUBPRIME,
(SECItem *)&params->subPrime))
<< "PK11_WriteRawAttribute failed: "
<< PORT_ErrorToString(PORT_GetError());
if (rv != SECSuccess) {
return rv;
}
}
/* find if we weren't passed a public value in, use the
* one we just generated */
if (pub_key_value && pub_key_value->data) {
peer_pub_key = SECKEY_CopyPublicKey(pub_key.get());
EXPECT_NE(nullptr, peer_pub_key);
if (peer_pub_key == nullptr) {
return SECFailure;
}
peer_pub_key->u.dh.publicValue = *pub_key_value;
peer_pub_key_manager.reset(peer_pub_key);
}
/* now do the derive. time it and return the time if
* the caller requested it. */
auto start = high_resolution_clock::now();
ScopedPK11SymKey derivedKey(PK11_PubDerive(
priv_key.get(), peer_pub_key, PR_FALSE, nullptr, nullptr,
CKM_DH_PKCS_DERIVE, CKM_HKDF_DERIVE, CKA_DERIVE, 32, nullptr));
auto stop = high_resolution_clock::now();
if (!derivedKey) {
std::cerr << "PK11_PubDerive failed: "
<< PORT_ErrorToString(PORT_GetError()) << std::endl;
}
if (time) {
auto duration = duration_cast<microseconds>(stop - start);
*time = duration.count();
}
return derivedKey ? SECSuccess : SECFailure;
}
class SoftokenDhTest : public SoftokenTest {
protected:
SoftokenDhTest() : SoftokenTest("SoftokenDhTest.d-") {}
#ifdef NSS_USE_TIMING_CODE
time_t reference_time[CLASS_LAST] = {0};
#endif
virtual void SetUp() {
SoftokenTest::SetUp();
#ifdef NSS_USE_TIMING_CODE
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
time_t time;
for (int i = CLASS_FIRST; i < CLASS_LAST; i++) {
PQGParams params;
params.prime.data = (unsigned char *)reference_prime[i];
params.prime.len = reference_prime_len[i];
params.base.data = (unsigned char *)g2;
params.base.len = sizeof(g2);
params.subPrime.data = nullptr;
params.subPrime.len = 0;
ASSERT_EQ(SECSuccess, test_dh_value(&params, nullptr, PR_FALSE, &time));
reference_time[i] = time / 2 + 3 * time;
}
#endif
};
};
const char *param_value(DhParamType param_type) {
switch (param_type) {
case TLS_APPROVED:
return "TLS_APPROVED";
case IKE_APPROVED:
return "IKE_APPROVED";
case SAFE_PRIME:
return "SAFE_PRIME";
case SAFE_PRIME_WITH_SUBPRIME:
return "SAFE_PRIME_WITH_SUBPRIME";
case KNOWN_SUBPRIME:
return "KNOWN_SUBPRIME";
case UNKNOWN_SUBPRIME:
return "UNKNOWN_SUBPRIME";
case WRONG_SUBPRIME:
return "WRONG_SUBPRIME";
case BAD_PUB_KEY:
return "BAD_PUB_KEY";
}
return "**Invalid**";
}
const char *key_value(DhKeyClass key_class) {
switch (key_class) {
case CLASS_1536:
return "CLASS_1536";
case CLASS_2048:
return "CLASS_2048";
case CLASS_3072:
return "CLASS_3072";
case CLASS_4096:
return "CLASS_4096";
case CLASS_6144:
return "CLASS_6144";
case CLASS_8192:
return "CLASS_8192";
case CLASS_LAST:
break;
}
return "**Invalid**";
}
class SoftokenDhValidate : public SoftokenDhTest,
public ::testing::WithParamInterface<DhTestVector> {
};
/* test the DH validation process. In non-fips mode, only BAD_PUB_KEY tests
* should fail */
TEST_P(SoftokenDhValidate, DhVectors) {
const DhTestVector dhTestValues = GetParam();
std::string testId = (char *)(dhTestValues.id);
std::string err = "Test(" + testId + ") failed";
SECStatus rv;
time_t time;
PQGParams params;
params.prime = dhTestValues.p;
params.base = dhTestValues.g;
params.subPrime = dhTestValues.q;
std::cerr << "Test: " + testId << std::endl
<< "param_type: " << param_value(dhTestValues.param_type)
<< ", key_class: " << key_value(dhTestValues.key_class) << std::endl
<< "p: " << DataBuffer(dhTestValues.p.data, dhTestValues.p.len)
<< std::endl
<< "g: " << DataBuffer(dhTestValues.g.data, dhTestValues.g.len)
<< std::endl
<< "q: " << DataBuffer(dhTestValues.q.data, dhTestValues.q.len)
<< std::endl
<< "pub_key: "
<< DataBuffer(dhTestValues.pub_key.data, dhTestValues.pub_key.len)
<< std::endl;
rv = test_dh_value(&params, &dhTestValues.pub_key, PR_FALSE, &time);
switch (dhTestValues.param_type) {
case TLS_APPROVED:
case IKE_APPROVED:
case SAFE_PRIME:
case UNKNOWN_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case KNOWN_SUBPRIME:
case SAFE_PRIME_WITH_SUBPRIME:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_GT(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case WRONG_SUBPRIME:
case BAD_PUB_KEY:
EXPECT_EQ(SECFailure, rv) << err;
break;
}
}
INSTANTIATE_TEST_CASE_P(DhValidateCases, SoftokenDhValidate,
::testing::ValuesIn(DH_TEST_VECTORS));
#ifndef NSS_FIPS_DISABLED
class SoftokenFipsTest : public SoftokenTest {
protected:
SoftokenFipsTest() : SoftokenTest("SoftokenFipsTest.d-") {}
SoftokenFipsTest(const std::string &prefix) : SoftokenTest(prefix) {}
virtual void SetUp() {
SoftokenTest::SetUp();
@ -540,12 +746,46 @@ class SoftokenFipsTest : public SoftokenTest {
char *internal_name;
ASSERT_FALSE(PK11_IsFIPS());
internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName);
ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name));
ASSERT_EQ(SECSuccess, SECMOD_DeleteInternalModule(internal_name))
<< PORT_ErrorToName(PORT_GetError());
PR_smprintf_free(internal_name);
ASSERT_TRUE(PK11_IsFIPS());
}
};
class SoftokenFipsDhTest : public SoftokenFipsTest {
protected:
SoftokenFipsDhTest() : SoftokenFipsTest("SoftokenFipsDhTest.d-") {}
#ifdef NSS_USE_TIMING_CODE
time_t reference_time[CLASS_LAST] = {0};
#endif
virtual void SetUp() {
SoftokenFipsTest::SetUp();
ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
ASSERT_TRUE(slot);
ASSERT_EQ(SECSuccess, PK11_InitPin(slot.get(), nullptr, ""));
ASSERT_EQ(SECSuccess, PK11_Authenticate(slot.get(), PR_FALSE, nullptr));
#ifdef NSS_USE_TIMING_CODE
time_t time;
for (int i = CLASS_FIRST; i < CLASS_LAST; i++) {
PQGParams params;
params.prime.data = (unsigned char *)reference_prime[i];
params.prime.len = reference_prime_len[i];
params.base.data = (unsigned char *)g2;
params.base.len = sizeof(g2);
params.subPrime.data = nullptr;
params.subPrime.len = 0;
ASSERT_EQ(SECSuccess, test_dh_value(&params, nullptr, PR_FALSE, &time));
reference_time[i] = time / 2 + 3 * time;
}
#endif
};
};
const std::vector<std::string> kFipsPasswordCases[] = {
// FIPS level1 -> level1 -> level1
{"", "", ""},
@ -613,12 +853,70 @@ TEST_P(SoftokenFipsBadPasswordTest, SetBadPassword) {
}
}
class SoftokenFipsDhValidate
: public SoftokenFipsDhTest,
public ::testing::WithParamInterface<DhTestVector> {};
/* test the DH validation process. In fips mode, primes with unknown
* subprimes, and all sorts of bad public keys should fail */
TEST_P(SoftokenFipsDhValidate, DhVectors) {
const DhTestVector dhTestValues = GetParam();
std::string testId = (char *)(dhTestValues.id);
std::string err = "Test(" + testId + ") failed";
time_t time;
PRBool genFailOK = PR_FALSE;
SECStatus rv;
PQGParams params;
params.prime = dhTestValues.p;
params.base = dhTestValues.g;
params.subPrime = dhTestValues.q;
std::cerr << "Test:" + testId << std::endl
<< "param_type: " << param_value(dhTestValues.param_type)
<< ", key_class: " << key_value(dhTestValues.key_class) << std::endl
<< "p: " << DataBuffer(dhTestValues.p.data, dhTestValues.p.len)
<< std::endl
<< "g: " << DataBuffer(dhTestValues.g.data, dhTestValues.g.len)
<< std::endl
<< "q: " << DataBuffer(dhTestValues.q.data, dhTestValues.q.len)
<< std::endl
<< "pub_key: "
<< DataBuffer(dhTestValues.pub_key.data, dhTestValues.pub_key.len)
<< std::endl;
if ((dhTestValues.param_type != TLS_APPROVED) &&
(dhTestValues.param_type != IKE_APPROVED)) {
genFailOK = PR_TRUE;
}
rv = test_dh_value(&params, &dhTestValues.pub_key, genFailOK, &time);
switch (dhTestValues.param_type) {
case TLS_APPROVED:
case IKE_APPROVED:
EXPECT_EQ(SECSuccess, rv) << err;
#ifdef NSS_USE_TIMING_CODE
EXPECT_LE(time, reference_time[dhTestValues.key_class]) << err;
#endif
break;
case SAFE_PRIME:
case SAFE_PRIME_WITH_SUBPRIME:
case KNOWN_SUBPRIME:
case UNKNOWN_SUBPRIME:
case WRONG_SUBPRIME:
case BAD_PUB_KEY:
EXPECT_EQ(SECFailure, rv) << err;
break;
}
}
INSTANTIATE_TEST_CASE_P(FipsPasswordCases, SoftokenFipsPasswordTest,
::testing::ValuesIn(kFipsPasswordCases));
INSTANTIATE_TEST_CASE_P(BadFipsPasswordCases, SoftokenFipsBadPasswordTest,
::testing::ValuesIn(kFipsPasswordBadCases));
INSTANTIATE_TEST_CASE_P(FipsDhCases, SoftokenFipsDhValidate,
::testing::ValuesIn(DH_TEST_VECTORS));
#endif
} // namespace nss_test

1
security/nss/gtests/softoken_gtest/softoken_gtest.gyp
Просмотреть файл

@ -16,6 +16,7 @@
],
'dependencies': [
'<(DEPTH)/exports.gyp:nss_exports',
'<(DEPTH)/cpputil/cpputil.gyp:cpputil',
'<(DEPTH)/lib/util/util.gyp:nssutil3',
'<(DEPTH)/gtests/google_test/google_test.gyp:gtest',
],

25
security/nss/lib/freebl/Makefile
Просмотреть файл

@ -119,26 +119,28 @@ else
DEFINES += -DNSS_X86
endif
endif
ifdef NS_USE_GCC
ifeq ($(CPU_ARCH),aarch64)
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha256-armv8.c
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha1-armv8.c sha256-armv8.c
endif
endif
ifeq ($(CPU_ARCH),arm)
ifndef NSS_DISABLE_ARM32_NEON
EXTRA_SRCS += gcm-arm32-neon.c
endif
ifdef CC_IS_CLANG
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha256-armv8.c
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
else ifeq (1,$(CC_IS_GCC))
# Old compiler doesn't support ARM AES.
ifneq (,$(filter 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha256-armv8.c
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
endif
ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha256-armv8.c
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
endif
endif
endif
@ -198,6 +200,7 @@ else
ifdef BUILD_OPT
OPTIMIZER += -Ox # maximum optimization for freebl
endif
ifeq ($(CPU_ARCH),x86_64)
ASFILES = arcfour-amd64-masm.asm mpi_amd64_masm.asm mp_comba_amd64_masm.asm
DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
DEFINES += -DNSS_USE_COMBA
@ -215,6 +218,7 @@ else
endif
endif
endif
endif
ifeq ($(OS_TARGET),IRIX)
ifeq ($(USE_N32),1)
@ -711,16 +715,21 @@ ifeq ($(CPU_ARCH),arm)
# Confusingly, __SOFTFP__ is the name of the define for the softfloat ABI, not for the softfp ABI.
USES_SOFTFLOAT_ABI := $(shell $(CC) -o - -E -dM - $(CFLAGS) < /dev/null | grep __SOFTFP__ > /dev/null && echo 1)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
$(OBJDIR)/$(PROG_PREFIX)sha1-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
$(OBJDIR)/$(PROG_PREFIX)sha256-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
ifndef NSS_DISABLE_ARM32_NEON
$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
endif
endif
ifdef NS_USE_GCC
ifeq ($(CPU_ARCH),aarch64)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)gcm-aarch64$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)sha1-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)sha256-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
endif
endif
ifeq ($(CPU_ARCH),ppc)
ifndef NSS_DISABLE_ALTIVEC

3
security/nss/lib/freebl/blapi.h
Просмотреть файл

@ -380,6 +380,9 @@ extern SECStatus KEA_Derive(SECItem *prime,
*/
extern PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime);
/* verify a value is prime */
PRBool KEA_PrimeCheck(SECItem *prime);
/****************************************
* J-PAKE key transport
*/

1
security/nss/lib/freebl/blapii.h
Просмотреть файл

@ -85,6 +85,7 @@ SECStatus generate_prime(mp_int *prime, int primeLen);
/* Freebl state. */
PRBool aesni_support();
PRBool clmul_support();
PRBool sha_support();
PRBool avx_support();
PRBool avx2_support();
PRBool ssse3_support();

11
security/nss/lib/freebl/blinit.c
Просмотреть файл

@ -30,6 +30,7 @@ static PRCallOnceType coFreeblInit;
/* State variables. */
static PRBool aesni_support_ = PR_FALSE;
static PRBool clmul_support_ = PR_FALSE;
static PRBool sha_support_ = PR_FALSE;
static PRBool avx_support_ = PR_FALSE;
static PRBool avx2_support_ = PR_FALSE;
static PRBool ssse3_support_ = PR_FALSE;
@ -83,6 +84,7 @@ check_xcr0_ymm()
#define EBX_AVX2 (1 << 5)
#define EBX_BMI1 (1 << 3)
#define EBX_BMI2 (1 << 8)
#define EBX_SHA (1 << 29)
#define ECX_FMA (1 << 12)
#define ECX_MOVBE (1 << 22)
#define ECX_SSSE3 (1 << 9)
@ -99,6 +101,7 @@ CheckX86CPUSupport()
unsigned long eax7, ebx7, ecx7, edx7;
char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES");
char *disable_pclmul = PR_GetEnvSecure("NSS_DISABLE_PCLMUL");
char *disable_hw_sha = PR_GetEnvSecure("NSS_DISABLE_HW_SHA");
char *disable_avx = PR_GetEnvSecure("NSS_DISABLE_AVX");
char *disable_avx2 = PR_GetEnvSecure("NSS_DISABLE_AVX2");
char *disable_ssse3 = PR_GetEnvSecure("NSS_DISABLE_SSSE3");
@ -108,6 +111,7 @@ CheckX86CPUSupport()
freebl_cpuid(7, &eax7, &ebx7, &ecx7, &edx7);
aesni_support_ = (PRBool)((ecx & ECX_AESNI) != 0 && disable_hw_aes == NULL);
clmul_support_ = (PRBool)((ecx & ECX_CLMUL) != 0 && disable_pclmul == NULL);
sha_support_ = (PRBool)((ebx7 & EBX_SHA) != 0 && disable_hw_sha == NULL);
/* For AVX we check AVX, OSXSAVE, and XSAVE
* as well as XMM and YMM state. */
avx_support_ = (PRBool)((ecx & AVX_BITS) == AVX_BITS) && check_xcr0_ymm() &&
@ -232,6 +236,7 @@ CheckARMSupport()
arm_neon_support_ = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON") == NULL;
arm_aes_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_AES") == NULL;
arm_pmull_support_ &= PR_GetEnvSecure("NSS_DISABLE_PMULL") == NULL;
arm_sha1_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_SHA1") == NULL;
arm_sha2_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_SHA2") == NULL;
}
#endif /* defined(__aarch64__) */
@ -356,6 +361,7 @@ CheckARMSupport()
arm_sha2_support_ = hwcaps & HWCAP2_SHA2;
}
arm_neon_support_ = GetNeonSupport();
arm_sha1_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_SHA1") == NULL;
arm_sha2_support_ &= PR_GetEnvSecure("NSS_DISABLE_HW_SHA2") == NULL;
}
#endif /* defined(__arm__) */
@ -401,6 +407,11 @@ clmul_support()
return clmul_support_;
}
PRBool
sha_support()
{
return sha_support_;
}
PRBool
avx_support()
{
return avx_support_;

6
security/nss/lib/freebl/alg2268.c → security/nss/lib/freebl/deprecated/alg2268.c
Просмотреть файл

@ -6,11 +6,11 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#include "../stubs.h"
#endif
#include "blapi.h"
#include "blapii.h"
#include "../blapi.h"
#include "../blapii.h"
#include "secerr.h"
#ifdef XP_UNIX_XXX
#include <stddef.h> /* for ptrdiff_t */

40
security/nss/lib/freebl/dh.c
Просмотреть файл

@ -17,6 +17,7 @@
#include "blapii.h"
#include "secitem.h"
#include "mpi.h"
#include "mpprime.h"
#include "secmpi.h"
#define KEA_DERIVED_SECRET_LEN 128
@ -78,7 +79,7 @@ DH_GenParam(int primeLen, DHParams **params)
CHECK_MPI_OK(mp_init(&h));
CHECK_MPI_OK(mp_init(&psub1));
CHECK_MPI_OK(mp_init(&test));
/* generate prime with MPI, uses Miller-Rabin to generate strong prime. */
/* generate prime with MPI, uses Miller-Rabin to generate safe prime. */
CHECK_SEC_OK(generate_prime(&p, primeLen));
/* construct Sophie-Germain prime q = (p-1)/2. */
CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
@ -257,17 +258,17 @@ DH_Derive(SECItem *publicValue,
}
/*
* We check to make sure that ZZ is not equal to 1 or -1 mod p.
* We check to make sure that ZZ is not equal to 0, 1 or -1 mod p.
* This helps guard against small subgroup attacks, since an attacker
* using a subgroup of size N will produce 1 or -1 with probability 1/N.
* using a subgroup of size N will produce 0, 1 or -1 with probability 1/N.
* When the protocol is executed within a properly large subgroup, the
* probability of this result will be negligibly small. For example,
* with a strong prime of the form 2p+1, the probability will be 1/p.
* with a safe prime of the form 2q+1, the probability will be 1/q.
*
* We return MP_BADARG because this is probably the result of a bad
* public value or a bad prime having been provided.
*/
if (mp_cmp_d(&ZZ, 1) == 0 ||
if (mp_cmp_d(&ZZ, 0) == 0 || mp_cmp_d(&ZZ, 1) == 0 ||
mp_cmp(&ZZ, &psub1) == 0) {
err = MP_BADARG;
goto cleanup;
@ -413,6 +414,35 @@ cleanup:
return SECSuccess;
}
/* Test counts based on the fact the prime and subprime
* were given to us */
static int
dh_prime_testcount(int prime_length)
{
if (prime_length < 1024) {
return 50;
} else if (prime_length < 2048) {
return 40;
} else if (prime_length < 3072) {
return 56;
}
return 64;
}
PRBool
KEA_PrimeCheck(SECItem *prime)
{
mp_int p;
mp_err err = 0;
MP_DIGITS(&p) = 0;
CHECK_MPI_OK(mp_init(&p));
SECITEM_TO_MPINT(*prime, &p);
CHECK_MPI_OK(mpp_pprime(&p, dh_prime_testcount(prime->len)));
cleanup:
mp_clear(&p);
return err ? PR_FALSE : PR_TRUE;
}
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{

13
security/nss/lib/freebl/freebl.gyp
Просмотреть файл

@ -329,6 +329,7 @@
'type': 'static_library',
'sources': [
'aes-armv8.c',
'sha1-armv8.c',
'sha256-armv8.c',
],
'dependencies': [
@ -385,7 +386,7 @@
'dependencies': [
'gcm-aes-x86_c_lib',
],
}, '(disable_arm_hw_aes==0 or disable_arm_hw_sha2==0) and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
}, '(disable_arm_hw_aes==0 or disable_arm_hw_sha1==0 or disable_arm_hw_sha2==0) and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
'dependencies': [
'armv8_c_lib'
],
@ -643,6 +644,11 @@
'USE_HW_AES',
],
}],
[ 'OS=="win" and (target_arch=="arm64" or target_arch=="aarch64") and disable_arm_hw_sha1==0', {
'defines': [
'USE_HW_SHA1',
],
}],
[ 'OS=="win" and (target_arch=="arm64" or target_arch=="aarch64") and disable_arm_hw_sha2==0', {
'defines': [
'USE_HW_SHA2',
@ -712,6 +718,11 @@
'USE_HW_AES',
],
}],
[ 'disable_arm_hw_sha1==0 and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
'defines': [
'USE_HW_SHA1',
],
}],
[ 'disable_arm_hw_sha2==0 and (target_arch=="arm" or target_arch=="arm64" or target_arch=="aarch64")', {
'defines': [
'USE_HW_SHA2',

6
security/nss/lib/freebl/freebl_base.gypi
Просмотреть файл

@ -4,7 +4,6 @@
{
'sources': [
'aeskeywrap.c',
'alg2268.c',
'cmac.c',
'alghmac.c',
'arcfive.c',
@ -167,6 +166,11 @@
'deprecated/seed.c',
],
}],
[ 'disable_deprecated_rc2==0', {
'sources': [
'deprecated/alg2268.c',
],
}],
[ 'fuzz==1', {
'sources!': [ 'drbg.c' ],
'sources': [ 'det_rng.c' ],

20
security/nss/lib/freebl/ldvector.c
Просмотреть файл

@ -48,10 +48,17 @@ static const struct FREEBLVectorStr vector =
RC4_DestroyContext,
RC4_Encrypt,
RC4_Decrypt,
#ifndef NSS_DISABLE_DEPRECATED_RC2
RC2_CreateContext,
RC2_DestroyContext,
RC2_Encrypt,
RC2_Decrypt,
#else
(F_RC2_CreateContext)FREEBL_Deprecated,
(F_RC2_DestroyContext)FREEBL_Deprecated,
(F_RC2_Encrypt)FREEBL_Deprecated,
(F_RC2_Decrypt)FREEBL_Deprecated,
#endif
RC5_CreateContext,
RC5_DestroyContext,
RC5_Encrypt,
@ -175,13 +182,21 @@ static const struct FREEBLVectorStr vector =
AES_InitContext,
AESKeyWrap_InitContext,
DES_InitContext,
#ifndef NSS_DISABLE_DEPRECATED_RC2
RC2_InitContext,
#else
(F_RC2_InitContext)FREEBL_Deprecated,
#endif
RC4_InitContext,
AES_AllocateContext,
AESKeyWrap_AllocateContext,
DES_AllocateContext,
#ifndef NSS_DISABLE_DEPRECATED_RC2
RC2_AllocateContext,
#else
(F_RC2_AllocateContext)FREEBL_Deprecated,
#endif
RC4_AllocateContext,
MD2_Clone,
@ -353,9 +368,12 @@ static const struct FREEBLVectorStr vector =
ChaCha20Poly1305_Decrypt,
AES_AEAD,
AESKeyWrap_EncryptKWP,
AESKeyWrap_DecryptKWP
AESKeyWrap_DecryptKWP,
/* End of version 3.023 */
KEA_PrimeCheck
/* End of version 3.024 */
};
const FREEBLVector*

32
security/nss/lib/freebl/loader.c
Просмотреть файл

@ -236,6 +236,14 @@ KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
return (vector->p_KEA_Verify)(Y, prime, subPrime);
}
PRBool
KEA_PrimeCheck(SECItem *prime)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return PR_FALSE;
return (vector->p_KEA_PrimeCheck)(prime);
}
RC4Context *
RC4_CreateContext(const unsigned char *key, int len)
{
@ -280,7 +288,11 @@ RC2_CreateContext(const unsigned char *key, unsigned int len,
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return NULL;
#ifndef NSS_DISABLE_DEPRECATED_RC2
return (vector->p_RC2_CreateContext)(key, len, iv, mode, effectiveKeyLen);
#else
return NULL;
#endif
}
void
@ -288,7 +300,11 @@ RC2_DestroyContext(RC2Context *cx, PRBool freeit)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
#ifndef NSS_DISABLE_DEPRECATED_RC2
(vector->p_RC2_DestroyContext)(cx, freeit);
#else
return;
#endif
}
SECStatus
@ -298,8 +314,12 @@ RC2_Encrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen,
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
#ifndef NSS_DISABLE_DEPRECATED_RC2
return (vector->p_RC2_Encrypt)(cx, output, outputLen, maxOutputLen, input,
inputLen);
#else
return SECFailure;
#endif
}
SECStatus
@ -309,8 +329,12 @@ RC2_Decrypt(RC2Context *cx, unsigned char *output, unsigned int *outputLen,
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
#ifndef NSS_DISABLE_DEPRECATED_RC2
return (vector->p_RC2_Decrypt)(cx, output, outputLen, maxOutputLen, input,
inputLen);
#else
return SECFailure;
#endif
}
RC5Context *
@ -1307,7 +1331,11 @@ RC2_AllocateContext(void)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return NULL;
#ifndef NSS_DISABLE_DEPRECATED_RC2
return (vector->p_RC2_AllocateContext)();
#else
return NULL;
#endif
}
RC4Context *
@ -1371,8 +1399,12 @@ RC2_InitContext(RC2Context *cx, const unsigned char *key,
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
#ifndef NSS_DISABLE_DEPRECATED_RC2
return (vector->p_RC2_InitContext)(cx, key, keylen, iv, mode,
effectiveKeyLen, xtra);
#else
return SECFailure;
#endif
}
SECStatus

31
security/nss/lib/freebl/loader.h
Просмотреть файл

@ -10,7 +10,7 @@
#include "blapi.h"
#define FREEBL_VERSION 0x0323
#define FREEBL_VERSION 0x0324
struct FREEBLVectorStr {
@ -812,6 +812,9 @@ struct FREEBLVectorStr {
/* Version 3.023 came to here */
PRBool (*p_KEA_PrimeCheck)(SECItem *prime);
/* Version 3.024 came to here */
/* Add new function pointers at the end of this struct and bump
* FREEBL_VERSION at the beginning of this file. */
};
@ -888,3 +891,29 @@ typedef SECStatus (*F_SEED_Decrypt)(SEEDContext *cx, unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
#endif
#ifdef NSS_DISABLE_DEPRECATED_RC2
typedef RC2Context *(*F_RC2_CreateContext)(const unsigned char *key,
unsigned int len, const unsigned char *iv,
int mode, unsigned effectiveKeyLen);
typedef void (*F_RC2_DestroyContext)(RC2Context *cx, PRBool freeit);
typedef SECStatus (*F_RC2_Encrypt)(RC2Context *cx, unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
typedef SECStatus (*F_RC2_Decrypt)(RC2Context *cx, unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
typedef SECStatus (*F_RC2_InitContext)(RC2Context *cx,
const unsigned char *key,
unsigned int keylen,
const unsigned char *iv,
int mode,
unsigned int effectiveKeyLen,
unsigned int);
typedef RC2Context *(*F_RC2_AllocateContext)(void);
#endif

5
security/nss/lib/freebl/manifest.mn
Просмотреть файл

@ -123,7 +123,6 @@ CSRCS = \
cmac.c \
alghmac.c \
rawhash.c \
alg2268.c \
arcfour.c \
arcfive.c \
crypto_primitives.c \
@ -164,6 +163,10 @@ ifndef NSS_DISABLE_DEPRECATED_SEED
CSRCS += deprecated/seed.c
endif
ifndef NSS_DISABLE_DEPRECATED_RC2
CSRCS += deprecated/alg2268.c
endif
ALL_CSRCS := $(CSRCS)
ALL_HDRS = \

260
security/nss/lib/freebl/sha1-armv8.c Normal file
Просмотреть файл

@ -0,0 +1,260 @@
/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifdef __ARM_FEATURE_CRYPTO
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
#include <arm_neon.h>
#include <memory.h>
#include "blapi.h"
#include "sha_fast.h"
#if !defined(SHA_PUT_W_IN_STACK)
#define H2X 11
#else
#define H2X 0
#endif
static void shaCompress(SHA_HW_t *X, const PRUint32 *datain);
void
SHA1_Compress_Native(SHA1Context *ctx)
{
shaCompress(&ctx->H[H2X], ctx->u.w);
}
/*
* SHA: Add data to context.
*/
void
SHA1_Update_Native(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
unsigned int lenB;
unsigned int togo;
if (!len) {
return;
}
/* accumulate the byte count. */
lenB = (unsigned int)(ctx->size) & 63U;
ctx->size += len;
/*
* Read the data into W and process blocks as they get full
*/
if (lenB > 0) {
togo = 64U - lenB;
if (len < togo) {
togo = len;
}
memcpy(ctx->u.b + lenB, dataIn, togo);
len -= togo;
dataIn += togo;
lenB = (lenB + togo) & 63U;
if (!lenB) {
shaCompress(&ctx->H[H2X], ctx->u.w);
}
}
while (len >= 64U) {
len -= 64U;
shaCompress(&ctx->H[H2X], (PRUint32 *)dataIn);
dataIn += 64U;
}
if (len) {
memcpy(ctx->u.b, dataIn, len);
}
}
/*
* SHA: Compression function, unrolled.
*/
static void
shaCompress(SHA_HW_t *X, const PRUint32 *inbuf)
{
#define XH(n) X[n - H2X]
const uint32x4_t K0 = vdupq_n_u32(0x5a827999);
const uint32x4_t K1 = vdupq_n_u32(0x6ed9eba1);
const uint32x4_t K2 = vdupq_n_u32(0x8f1bbcdc);
const uint32x4_t K3 = vdupq_n_u32(0xca62c1d6);
uint32x4_t abcd = vld1q_u32(&XH(0));
PRUint32 e = XH(4);
const uint32x4_t origABCD = abcd;
const PRUint32 origE = e;
uint32x4_t w0 = vld1q_u32(inbuf);
uint32x4_t w1 = vld1q_u32(inbuf + 4);
uint32x4_t w2 = vld1q_u32(inbuf + 8);
uint32x4_t w3 = vld1q_u32(inbuf + 12);
w0 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(w0)));
w1 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(w1)));
w2 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(w2)));
w3 = vreinterpretq_u32_u8(vrev32q_u8(vreinterpretq_u8_u32(w3)));
uint32x4_t t0 = vaddq_u32(w0, K0);
uint32x4_t t1 = vaddq_u32(w1, K0);
PRUint32 tmpE;
/*
* Using the following ARM instructions to accelerate SHA1
*
* sha1c for round 0 - 20
* sha1p for round 20 - 40
* sha1m for round 40 - 60
* sha1p for round 60 - 80
* sha1su0 and shasu1 for message schedule
* sha1h for rotate left 30
*/
/* Round 0-3 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1cq_u32(abcd, e, t0);
t0 = vaddq_u32(w2, K0);
w0 = vsha1su0q_u32(w0, w1, w2);
/* Round 4-7 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1cq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w3, K0);
w0 = vsha1su1q_u32(w0, w3);
w1 = vsha1su0q_u32(w1, w2, w3);
/* Round 8-11 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1cq_u32(abcd, e, t0);
t0 = vaddq_u32(w0, K0);
w1 = vsha1su1q_u32(w1, w0);
w2 = vsha1su0q_u32(w2, w3, w0);
/* Round 12-15 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1cq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w1, K1);
w2 = vsha1su1q_u32(w2, w1);
w3 = vsha1su0q_u32(w3, w0, w1);
/* Round 16-19 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1cq_u32(abcd, e, t0);
t0 = vaddq_u32(w2, K1);
w3 = vsha1su1q_u32(w3, w2);
w0 = vsha1su0q_u32(w0, w1, w2);
/* Round 20-23 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w3, K1);
w0 = vsha1su1q_u32(w0, w3);
w1 = vsha1su0q_u32(w1, w2, w3);
/* Round 24-27 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, e, t0);
t0 = vaddq_u32(w0, K1);
w1 = vsha1su1q_u32(w1, w0);
w2 = vsha1su0q_u32(w2, w3, w0);
/* Round 28-31 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w1, K1);
w2 = vsha1su1q_u32(w2, w1);
w3 = vsha1su0q_u32(w3, w0, w1);
/* Round 32-35 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, e, t0);
t0 = vaddq_u32(w2, K2);
w3 = vsha1su1q_u32(w3, w2);
w0 = vsha1su0q_u32(w0, w1, w2);
/* Round 36-39 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w3, K2);
w0 = vsha1su1q_u32(w0, w3);
w1 = vsha1su0q_u32(w1, w2, w3);
/* Round 40-43 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1mq_u32(abcd, e, t0);
t0 = vaddq_u32(w0, K2);
w1 = vsha1su1q_u32(w1, w0);
w2 = vsha1su0q_u32(w2, w3, w0);
/* Round 44-47 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1mq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w1, K2);
w2 = vsha1su1q_u32(w2, w1);
w3 = vsha1su0q_u32(w3, w0, w1);
/* Round 48-51 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1mq_u32(abcd, e, t0);
t0 = vaddq_u32(w2, K2);
w3 = vsha1su1q_u32(w3, w2);
w0 = vsha1su0q_u32(w0, w1, w2);
/* Round 52-55 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1mq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w3, K3);
w0 = vsha1su1q_u32(w0, w3);
w1 = vsha1su0q_u32(w1, w2, w3);
/* Round 56-59 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1mq_u32(abcd, e, t0);
t0 = vaddq_u32(w0, K3);
w1 = vsha1su1q_u32(w1, w0);
w2 = vsha1su0q_u32(w2, w3, w0);
/* Round 60-63 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w1, K3);
w2 = vsha1su1q_u32(w2, w1);
w3 = vsha1su0q_u32(w3, w0, w1);
/* Round 64-67 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, e, t0);
t0 = vaddq_u32(w2, K3);
w3 = vsha1su1q_u32(w3, w2);
w0 = vsha1su0q_u32(w0, w1, w2);
/* Round 68-71 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
t1 = vaddq_u32(w3, K3);
w0 = vsha1su1q_u32(w0, w3);
/* Round 72-75 */
tmpE = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, e, t0);
/* Round 76-79 */
e = vsha1h_u32(vgetq_lane_u32(abcd, 0));
abcd = vsha1pq_u32(abcd, tmpE, t1);
e += origE;
abcd = vaddq_u32(origABCD, abcd);
vst1q_u32(&XH(0), abcd);
XH(4) = e;
}
#endif /* __ARM_FEATURE_CRYPTO */

51
security/nss/lib/freebl/sha_fast.c
Просмотреть файл

@ -10,6 +10,7 @@
#include "blapi.h"
#include "sha_fast.h"
#include "prerror.h"
#include "secerr.h"
#ifdef TRACING_SSL
#include "ssl.h"
@ -28,6 +29,28 @@ static void shaCompress(volatile SHA_HW_t *X, const PRUint32 *datain);
#define SHA_MIX(n, a, b, c) XW(n) = SHA_ROTL(XW(a) ^ XW(b) ^ XW(c) ^ XW(n), 1)
void SHA1_Compress_Native(SHA1Context *ctx);
void SHA1_Update_Native(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len);
static void SHA1_Compress_Generic(SHA1Context *ctx);
static void SHA1_Update_Generic(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len);
#ifndef USE_HW_SHA1
void
SHA1_Compress_Native(SHA1Context *ctx)
{
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
PORT_Assert(0);
}
void
SHA1_Update_Native(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
PORT_Assert(0);
}
#endif
/*
* SHA: initialize context
*/
@ -43,6 +66,18 @@ SHA1_Begin(SHA1Context *ctx)
ctx->H[2] = 0x98badcfeL;
ctx->H[3] = 0x10325476L;
ctx->H[4] = 0xc3d2e1f0L;
#if defined(USE_HW_SHA1) && defined(IS_LITTLE_ENDIAN)
/* arm's implementation is tested on little endian only */
if (arm_sha1_support()) {
ctx->compress = SHA1_Compress_Native;
ctx->update = SHA1_Update_Native;
} else
#endif
{
ctx->compress = SHA1_Compress_Generic;
ctx->update = SHA1_Update_Generic;
}
}
/* Explanation of H array and index values:
@ -88,6 +123,12 @@ SHA1_Begin(SHA1Context *ctx)
*/
void
SHA1_Update(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
ctx->update(ctx, dataIn, len);
}
static void
SHA1_Update_Generic(SHA1Context *ctx, const unsigned char *dataIn, unsigned int len)
{
register unsigned int lenB;
register unsigned int togo;
@ -166,7 +207,7 @@ SHA1_End(SHA1Context *ctx, unsigned char *hashout,
size <<= 3;
ctx->W[14] = SHA_HTONL((PRUint32)(size >> 32));
ctx->W[15] = SHA_HTONL((PRUint32)size);
shaCompress(&ctx->H[H2X], ctx->W);
ctx->compress(ctx);
/*
* Output hash
@ -460,6 +501,12 @@ shaCompress(volatile SHA_HW_t *X, const PRUint32 *inbuf)
XH(4) += E;
}
static void
SHA1_Compress_Generic(SHA1Context *ctx)
{
shaCompress(&ctx->H[H2X], ctx->u.w);
}
/*************************************************************************
** Code below this line added to make SHA code support BLAPI interface
*/
@ -491,7 +538,7 @@ SHA1_HashBuf(unsigned char *dest, const unsigned char *src, PRUint32 src_length)
unsigned int outLen;
SHA1_Begin(&ctx);
SHA1_Update(&ctx, src, src_length);
ctx.update(&ctx, src, src_length);
SHA1_End(&ctx, dest, &outLen, SHA1_LENGTH);
memset(&ctx, 0, sizeof ctx);
return SECSuccess;

12
security/nss/lib/freebl/sha_fast.h
Просмотреть файл

@ -10,13 +10,19 @@
#define SHA1_INPUT_LEN 64
#if defined(IS_64) && !defined(__sparc)
#if defined(IS_64) && !defined(__sparc) && !defined(__aarch64__)
typedef PRUint64 SHA_HW_t;
#define SHA1_USING_64_BIT 1
#else
typedef PRUint32 SHA_HW_t;
#endif
struct SHA1ContextStr;
typedef void (*sha1_compress_t)(struct SHA1ContextStr *);
typedef void (*sha1_update_t)(struct SHA1ContextStr *, const unsigned char *,
unsigned int);
struct SHA1ContextStr {
union {
PRUint32 w[16]; /* input buffer */
@ -24,6 +30,8 @@ struct SHA1ContextStr {
} u;
PRUint64 size; /* count of hashed bytes. */
SHA_HW_t H[22]; /* 5 state variables, 16 tmp values, 1 extra */
sha1_compress_t compress;
sha1_update_t update;
};
#if defined(_MSC_VER)
@ -135,7 +143,7 @@ swap4b(PRUint32 value)
#define SHA_BYTESWAP(x) x = SHA_HTONL(x)
#define SHA_STORE(n) ((PRUint32*)hashout)[n] = SHA_HTONL(ctx->H[n])
#define SHA_STORE(n) ((PRUint32 *)hashout)[n] = SHA_HTONL(ctx->H[n])
#if defined(HAVE_UNALIGNED_ACCESS)
#define SHA_STORE_RESULT \
SHA_STORE(0); \

6
security/nss/lib/nss/nss.h
Просмотреть файл

@ -22,12 +22,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define NSS_VERSION "3.55" _NSS_CUSTOMIZED
#define NSS_VERSION "3.56" _NSS_CUSTOMIZED " Beta"
#define NSS_VMAJOR 3
#define NSS_VMINOR 55
#define NSS_VMINOR 56
#define NSS_VPATCH 0
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
#define NSS_BETA PR_TRUE
#ifndef RC_INVOKED

6
security/nss/lib/softoken/lowpbe.c
Просмотреть файл

@ -889,6 +889,7 @@ nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType,
pbe_param->encAlg = SEC_OID_DES_CBC;
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
/* RC2 Algorithms */
case SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_128_BIT_RC2_CBC:
pbe_param->keyLen = 16;
@ -901,6 +902,7 @@ nsspkcs5_FillInParam(SECOidTag algorithm, HASH_HashType hashType,
/* fall through */
case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_40_BIT_RC2_CBC:
break;
#endif
/* RC4 algorithms */
case SEC_OID_PKCS12_PBE_WITH_SHA1_AND_128_BIT_RC4:
@ -1408,6 +1410,7 @@ loser:
return dest;
}
#ifndef NSS_DISABLE_DEPRECATED_RC2
/* perform rc2 encryption/decryption if an error occurs, NULL is returned
*/
static SECItem *
@ -1485,6 +1488,7 @@ sec_pkcs5_rc2(SECItem *key, SECItem *iv, SECItem *src, PRBool dummy,
return dest;
}
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
/* perform rc4 encryption and decryption */
static SECItem *
@ -1580,9 +1584,11 @@ nsspkcs5_CipherData(NSSPKCS5PBEParameter *pbe_param, SECItem *pwitem,
cryptof = sec_pkcs5_des;
tripleDES = PR_FALSE;
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
case SEC_OID_RC2_CBC:
cryptof = sec_pkcs5_rc2;
break;
#endif
case SEC_OID_RC4:
cryptof = sec_pkcs5_rc4;
break;

1
security/nss/lib/softoken/manifest.mn
Просмотреть файл

@ -44,6 +44,7 @@ CSRCS = \
pkcs11u.c \
sdb.c \
sftkdb.c \
sftkdhverify.c \
sftkhmac.c \
sftkike.c \
sftkmessage.c \

5
security/nss/lib/softoken/pkcs11.c
Просмотреть файл

@ -1196,6 +1196,11 @@ sftk_handlePrivateKeyObject(SFTKSession *session, SFTKObject *object, CK_KEY_TYP
if (!sftk_hasAttribute(object, CKA_VALUE)) {
return CKR_TEMPLATE_INCOMPLETE;
}
/* allow subprime to be set after the fact */
crv = sftk_defaultAttribute(object, CKA_SUBPRIME, NULL, 0);
if (crv != CKR_OK) {
return crv;
}
encrypt = CK_FALSE;
recover = CK_FALSE;
wrap = CK_FALSE;

255
security/nss/lib/softoken/pkcs11c.c
Просмотреть файл

@ -749,7 +749,10 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
SFTKObject *key;
SFTKSessionContext *context;
SFTKAttribute *att;
#ifndef NSS_DISABLE_DEPRECATED_RC2
CK_RC2_CBC_PARAMS *rc2_param;
unsigned effectiveKeyLength;
#endif
#if NSS_SOFTOKEN_DOES_RC5
CK_RC5_CBC_PARAMS *rc5_param;
SECItem rc5Key;
@ -760,7 +763,6 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
CK_NSS_AEAD_PARAMS *nss_aead_params_ptr = NULL;
CK_KEY_TYPE key_type;
CK_RV crv = CKR_OK;
unsigned effectiveKeyLength;
unsigned char newdeskey[24];
PRBool useNewKey = PR_FALSE;
int t;
@ -867,6 +869,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
}
context->destroy = (SFTKDestroy)sftk_Space;
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
case CKM_RC2_CBC_PAD:
context->doPad = PR_TRUE;
/* fall thru */
@ -901,6 +904,8 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
context->update = (SFTKCipher)(isEncrypt ? RC2_Encrypt : RC2_Decrypt);
context->destroy = (SFTKDestroy)RC2_DestroyContext;
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
#if NSS_SOFTOKEN_DOES_RC5
case CKM_RC5_CBC_PAD:
context->doPad = PR_TRUE;
@ -2229,7 +2234,9 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
{
CK_MECHANISM cbc_mechanism;
CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE;
#ifndef NSS_DISABLE_DEPRECATED_RC2
CK_RC2_CBC_PARAMS rc2_params;
#endif
#if NSS_SOFTOKEN_DOES_RC5
CK_RC5_CBC_PARAMS rc5_params;
CK_RC5_MAC_GENERAL_PARAMS *rc5_mac;
@ -2247,6 +2254,7 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
}
switch (pMechanism->mechanism) {
#ifndef NSS_DISABLE_DEPRECATED_RC2
case CKM_RC2_MAC_GENERAL:
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC2_MAC_GENERAL_PARAMS))) {
return CKR_MECHANISM_PARAM_INVALID;
@ -2266,6 +2274,8 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
cbc_mechanism.ulParameterLen = sizeof(rc2_params);
blockSize = 8;
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
#if NSS_SOFTOKEN_DOES_RC5
case CKM_RC5_MAC_GENERAL:
if (BAD_PARAM_CAST(pMechanism, sizeof(CK_RC5_MAC_GENERAL_PARAMS))) {
@ -4178,11 +4188,13 @@ nsc_SetupBulkKeyGen(CK_MECHANISM_TYPE mechanism, CK_KEY_TYPE *key_type,
CK_RV crv = CKR_OK;
switch (mechanism) {
#ifndef NSS_DISABLE_DEPRECATED_RC2
case CKM_RC2_KEY_GEN:
*key_type = CKK_RC2;
if (*key_length == 0)
crv = CKR_TEMPLATE_INCOMPLETE;
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
#if NSS_SOFTOKEN_DOES_RC5
case CKM_RC5_KEY_GEN:
*key_type = CKK_RC5;
@ -4411,10 +4423,12 @@ nsc_SetupPBEKeyGen(CK_MECHANISM_PTR pMechanism, NSSPKCS5PBEParameter **pbe,
*key_type = params->is2KeyDES ? CKK_DES2 : CKK_DES3;
*key_length = params->keyLen;
break;
#ifndef NSS_DISABLE_DEPRECATED_RC2
case SEC_OID_RC2_CBC:
*key_type = CKK_RC2;
*key_length = params->keyLen;
break;
#endif /* NSS_DISABLE_DEPRECATED_RC2 */
case SEC_OID_RC4:
*key_type = CKK_RC4;
*key_length = params->keyLen;
@ -4529,8 +4543,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSession,
case CKM_DES2_KEY_GEN:
case CKM_DES3_KEY_GEN:
checkWeak = PR_TRUE;
/* fall through */
/* fall through */
#ifndef NSS_DISABLE_DEPRECATED_RC2
case CKM_RC2_KEY_GEN:
#endif
case CKM_RC4_KEY_GEN:
case CKM_GENERIC_SECRET_KEY_GEN:
#ifndef NSS_DISABLE_DEPRECATED_SEED
@ -4566,15 +4582,17 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSession,
faultyPBE3DES = PR_TRUE;
/* fall through */
case CKM_NSS_PBE_SHA1_TRIPLE_DES_CBC:
#ifndef NSS_DISABLE_DEPRECATED_RC2
case CKM_NSS_PBE_SHA1_40_BIT_RC2_CBC:
case CKM_NSS_PBE_SHA1_DES_CBC:
case CKM_NSS_PBE_SHA1_128_BIT_RC2_CBC:
case CKM_PBE_SHA1_RC2_128_CBC:
case CKM_PBE_SHA1_RC2_40_CBC:
#endif
case CKM_NSS_PBE_SHA1_DES_CBC:
case CKM_NSS_PBE_SHA1_40_BIT_RC4:
case CKM_NSS_PBE_SHA1_128_BIT_RC4:
case CKM_PBE_SHA1_DES3_EDE_CBC:
case CKM_PBE_SHA1_DES2_EDE_CBC:
case CKM_PBE_SHA1_RC2_128_CBC:
case CKM_PBE_SHA1_RC2_40_CBC:
case CKM_PBE_SHA1_RC4_128:
case CKM_PBE_SHA1_RC4_40:
case CKM_PBE_MD5_DES_CBC:
@ -4741,7 +4759,7 @@ loser:
* performed, for example, CKR_HOST_MEMORY.
*/
static CK_RV
sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession, SFTKSlot *slot,
SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType)
{
/*
@ -4756,6 +4774,12 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
* others => CKM_INVALID_MECHANISM
*
* None of these mechanisms has a parameter.
*
* For derive CKK_DH => CKM_DH_PKCS_DERIVE
* CKK_EC => CKM_ECDH1_DERIVE
* others => CKM_INVALID_MECHANISM
*
* The parameters for these mechanisms is the public key.
*/
CK_MECHANISM mech = { 0, NULL, 0 };
@ -5015,24 +5039,106 @@ sftk_PairwiseConsistencyCheck(CK_SESSION_HANDLE hSession,
isDerivable = sftk_isTrue(privateKey, CKA_DERIVE);
if (isDerivable) {
/*
* We are not doing consistency check for Diffie-Hellman Key -
* otherwise it would be here
* This is also true for Elliptic Curve Diffie-Hellman keys
* NOTE: EC keys are currently subjected to pairwise
* consistency check for signing/verification.
*/
/*
* FIPS 140-2 had the following pairwise consistency test for
* public and private keys used for key agreement:
* If the keys are used to perform key agreement, then the
* cryptographic module shall create a second, compatible
* key pair. The cryptographic module shall perform both
* sides of the key agreement algorithm and shall compare
* the resulting shared values. If the shared values are
* not equal, the test shall fail.
* This test was removed in Change Notice 3.
*/
SFTKAttribute *pubAttribute = NULL;
CK_OBJECT_HANDLE newKey;
PRBool isFIPS = (slot->slotID == FIPS_SLOT_ID);
CK_RV crv2;
CK_OBJECT_CLASS secret = CKO_SECRET_KEY;
CK_KEY_TYPE generic = CKK_GENERIC_SECRET;
CK_ULONG keyLen = 128;
CK_BBOOL ckTrue = CK_TRUE;
CK_ATTRIBUTE template[] = {
{ CKA_CLASS, &secret, sizeof(secret) },
{ CKA_KEY_TYPE, &generic, sizeof(generic) },
{ CKA_VALUE_LEN, &keyLen, sizeof(keyLen) },
{ CKA_DERIVE, &ckTrue, sizeof(ckTrue) }
};
CK_ULONG templateCount = PR_ARRAY_SIZE(template);
CK_ECDH1_DERIVE_PARAMS ecParams;
crv = CKR_OK; /*paranoia, already get's set before we drop to the end */
/* FIPS 140-2 requires we verify that the resulting key is a valid key.
* The easiest way to do this is to do a derive operation, which checks
* the validity of the key */
switch (keyType) {
case CKK_DH:
mech.mechanism = CKM_DH_PKCS_DERIVE;
pubAttribute = sftk_FindAttribute(publicKey, CKA_VALUE);
if (pubAttribute == NULL) {
return CKR_DEVICE_ERROR;
}
mech.pParameter = pubAttribute->attrib.pValue;
mech.ulParameterLen = pubAttribute->attrib.ulValueLen;
break;
case CKK_EC:
mech.mechanism = CKM_ECDH1_DERIVE;
pubAttribute = sftk_FindAttribute(publicKey, CKA_EC_POINT);
if (pubAttribute == NULL) {
return CKR_DEVICE_ERROR;
}
ecParams.kdf = CKD_NULL;
ecParams.ulSharedDataLen = 0;
ecParams.pSharedData = NULL;
ecParams.ulPublicDataLen = pubAttribute->attrib.ulValueLen;
ecParams.pPublicData = pubAttribute->attrib.pValue;
mech.pParameter = &ecParams;
mech.ulParameterLen = sizeof(ecParams);
break;
default:
return CKR_DEVICE_ERROR;
}
crv = NSC_DeriveKey(hSession, &mech, privateKey->handle, template, templateCount, &newKey);
if (crv != CKR_OK) {
sftk_FreeAttribute(pubAttribute);
return crv;
}
/* FIPS requires full validation, but in fipx mode NSC_Derive
* only does partial validation with approved primes, now handle
* full validation */
if (isFIPS && keyType == CKK_DH) {
SECItem pubKey;
SECItem prime;
SECItem subPrime;
const SECItem *subPrimePtr = &subPrime;
pubKey.data = pubAttribute->attrib.pValue;
pubKey.len = pubAttribute->attrib.ulValueLen;
prime.data = subPrime.data = NULL;
prime.len = subPrime.len = 0;
crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
if (crv != CKR_OK) {
goto done;
}
crv = sftk_Attribute2SecItem(NULL, &prime, privateKey, CKA_PRIME);
/* we ignore the return code an only look at the length */
if (subPrime.len == 0) {
/* subprime not supplied, In this case look it up.
* This only works with approved primes, but in FIPS mode
* that's the only kine of prime that will get here */
subPrimePtr = sftk_VerifyDH_Prime(&prime);
if (subPrimePtr == NULL) {
crv = CKR_GENERAL_ERROR;
goto done;
}
}
if (!KEA_Verify(&pubKey, &prime, (SECItem *)subPrimePtr)) {
crv = CKR_GENERAL_ERROR;
}
done:
PORT_Free(subPrime.data);
PORT_Free(prime.data);
}
/* clean up before we return */
sftk_FreeAttribute(pubAttribute);
crv2 = NSC_DestroyObject(hSession, newKey);
if (crv != CKR_OK) {
return crv;
}
if (crv2 != CKR_OK) {
return crv2;
}
}
return CKR_OK;
@ -5576,7 +5682,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hSession,
if (crv == CKR_OK) {
/* Perform FIPS 140-2 pairwise consistency check. */
crv = sftk_PairwiseConsistencyCheck(hSession,
crv = sftk_PairwiseConsistencyCheck(hSession, slot,
publicKey, privateKey, key_type);
if (crv != CKR_OK) {
if (sftk_audit_enabled) {
@ -8179,40 +8285,101 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession,
case CKM_DH_PKCS_DERIVE: {
SECItem derived, dhPublic;
SECItem dhPrime, dhSubPrime, dhValue;
SECItem dhPrime, dhValue;
const SECItem *subPrime;
/* sourceKey - values for the local existing low key */
/* get prime and value attributes */
crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME);
if (crv != CKR_OK)
break;
dhPublic.data = pMechanism->pParameter;
dhPublic.len = pMechanism->ulParameterLen;
/* if the prime is an approved prime, we can skip all the other
* checks. */
subPrime = sftk_VerifyDH_Prime(&dhPrime);
if (subPrime == NULL) {
SECItem dhSubPrime;
/* If the caller set the subprime value, it means that
* either the caller knows the subprime value and wants us
* to validate the key against the subprime, or that the
* caller wants us to verify that the prime is a safe prime
* by passing in subprime = (prime-1)/2 */
dhSubPrime.data = NULL;
dhSubPrime.len = 0;
crv = sftk_Attribute2SecItem(NULL, &dhSubPrime,
sourceKey, CKA_SUBPRIME);
/* we ignore the value of crv here, We treat a valid
* return of len = 0 and a failure to find a subrime the same
* NOTE: we free the subprime in both cases depending on
* PORT_Free of NULL to be a noop */
if (dhSubPrime.len != 0) {
PRBool isSafe = PR_FALSE;
/* Callers can set dhSubPrime to q=(p-1)/2 to force
* checks for safe primes. If so we only need to check
* q and p for primality and skip the group test. */
rv = sftk_IsSafePrime(&dhPrime, &dhSubPrime, &isSafe);
if (rv != SECSuccess) {
/* either p or q was even and therefore not prime,
* we can stop processing here and fail now */
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
PORT_Free(dhSubPrime.data);
break;
}
/* first make sure the primes are really prime */
if (!KEA_PrimeCheck(&dhPrime)) {
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
PORT_Free(dhSubPrime.data);
break;
}
if (!KEA_PrimeCheck(&dhSubPrime)) {
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
PORT_Free(dhSubPrime.data);
break;
}
if (isFIPS || !isSafe) {
/* With safe primes, there is only one other small
* subgroup. As long as y isn't 0, 1, or -1 mod p,
* any other y is safe. Only do the full check for
* non-safe primes, except in FIPS mode we need
* to do this check on all primes in which
* we receive the subprime value */
if (!KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime)) {
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
PORT_Free(dhSubPrime.data);
break;
}
}
} else if (isFIPS) {
/* In FIPS mode we only accept approved primes, or
* primes with the full subprime value */
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
break;
}
/* checks are complete, no need for the subPrime any longer */
PORT_Free(dhSubPrime.data);
}
/* now that the prime is validated, get the private value */
crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE);
if (crv != CKR_OK) {
PORT_Free(dhPrime.data);
break;
}
dhPublic.data = pMechanism->pParameter;
dhPublic.len = pMechanism->ulParameterLen;
/* If the caller bothered to provide Q, use Q to validate
* the public key. */
crv = sftk_Attribute2SecItem(NULL, &dhSubPrime, sourceKey, CKA_SUBPRIME);
if (crv == CKR_OK) {
rv = KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime);
PORT_Free(dhSubPrime.data);
if (rv != SECSuccess) {
crv = CKR_ARGUMENTS_BAD;
PORT_Free(dhPrime.data);
PORT_Free(dhValue.data);
break;
}
}
/* calculate private value - oct */
rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize);
PORT_Free(dhPrime.data);
PORT_Free(dhValue.data);
PORT_ZFree(dhValue.data, dhValue.len);
if (rv == SECSuccess) {
sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);

7
security/nss/lib/softoken/pkcs11i.h
Просмотреть файл

@ -914,6 +914,13 @@ CK_RV sftk_CheckCBCPadding(CK_BYTE_PTR pBuf, unsigned int bufLen,
extern CK_RV kbkdf_Dispatch(CK_MECHANISM_TYPE mech, CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, SFTKObject *base_key, SFTKObject *ret_key, CK_ULONG keySize);
char **NSC_ModuleDBFunc(unsigned long function, char *parameters, void *args);
/* dh verify functions */
/* verify that dhPrime matches one of our known primes, and if so return
* it's subprime value */
const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime);
/* check if dhSubPrime claims dhPrime is a safe prime. */
SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
SEC_END_PROTOS
#endif /* _PKCS11I_H_ */

6
security/nss/lib/softoken/pkcs11u.c
Просмотреть файл

@ -716,7 +716,6 @@ sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
case CKA_PUBLIC_EXPONENT:
case CKA_PRIVATE_EXPONENT:
case CKA_PRIME:
case CKA_SUBPRIME:
case CKA_BASE:
case CKA_PRIME_1:
case CKA_PRIME_2:
@ -767,6 +766,11 @@ sftk_modifyType(CK_ATTRIBUTE_TYPE type, CK_OBJECT_CLASS inClass)
mtype = (inClass == CKO_DATA) ? SFTK_ALWAYS : SFTK_NEVER;
break;
case CKA_SUBPRIME:
/* allow the CKA_SUBPRIME to be added to dh private keys */
mtype = (inClass == CKO_PRIVATE_KEY) ? SFTK_ALWAYS : SFTK_NEVER;
break;
case CKA_SUBJECT:
mtype = (inClass == CKO_CERTIFICATE) ? SFTK_NEVER : SFTK_ALWAYS;
break;

1282
security/nss/lib/softoken/sftkdhverify.c Normal file
Просмотреть файл

Разница между файлами не показана из-за своего большого размера Загрузить разницу

6
security/nss/lib/softoken/softkver.h
Просмотреть файл

@ -17,11 +17,11 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
#define SOFTOKEN_VERSION "3.55" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VERSION "3.56" SOFTOKEN_ECC_STRING " Beta"
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 55
#define SOFTOKEN_VMINOR 56
#define SOFTOKEN_VPATCH 0
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
#define SOFTOKEN_BETA PR_TRUE
#endif /* _SOFTKVER_H_ */

1
security/nss/lib/softoken/softoken.gyp
Просмотреть файл

@ -56,6 +56,7 @@
'pkcs11c.c',
'pkcs11u.c',
'sdb.c',
'sftkdhverify.c',
'sftkdb.c',
'sftkhmac.c',
'sftkike.c',

6
security/nss/lib/util/nssutil.h
Просмотреть файл

@ -19,12 +19,12 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
#define NSSUTIL_VERSION "3.55"
#define NSSUTIL_VERSION "3.56 Beta"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 55
#define NSSUTIL_VMINOR 56
#define NSSUTIL_VPATCH 0
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
#define NSSUTIL_BETA PR_TRUE
SEC_BEGIN_PROTOS

18
security/nss/manifest.mn
Просмотреть файл

@ -12,17 +12,21 @@ RELEASE = nss
DIRS = coreconf lib cmd cpputil gtests
lib: coreconf
cmd: lib
cpputil: lib
gtests: cmd cpputil
HAVE_ALL_TARGET := 1
#
# make sure all is the first (default) target
#
all: prepare_build
$(MAKE) libs
prepare_build:
# no real way to encode these in any sensible way
$(MAKE) -C coreconf/nsinstall program
$(MAKE) export
all: prepare_build
$(MAKE) libs
lib: coreconf
cmd: lib
cpputil: lib
gtests: cmd cpputil

1
security/nss/nss-tool/hw-support.c
Просмотреть файл

@ -22,6 +22,7 @@ int main(int argc, char const *argv[]) {
#if defined(NSS_X86_OR_X64)
printf("\tAES-NI \t%s supported\n", aesni_support() ? "" : "not");
printf("\tPCLMUL \t%s supported\n", clmul_support() ? "" : "not");
printf("\tSHA \t%s supported\n", sha_support() ? "" : "not");
printf("\tAVX \t%s supported\n", avx_support() ? "" : "not");
printf("\tAVX2 \t%s supported\n", avx2_support() ? "" : "not");
printf("\tSSSE3 \t%s supported\n", ssse3_support() ? "" : "not");