From ab0bb8952fbd0f2c06703f26c49c0c039cd67c00 Mon Sep 17 00:00:00 2001
From: Alexander Scheel <ascheel@redhat.com>
Date: Wed, 23 Jan 2019 10:57:27 -0500
Subject: [PATCH] Disable x25519 in FIPS mode
NSS's pkcs11.txt includes global ciphersuite options, however, it
doesn't understand Curve25519 as a parameter. Until such support is
added (or NIST finally approves Curve25519 for FIPS 140-2 usage!),
manually disable Curve25519 when FIPS mode is enabled.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
---
org/mozilla/jss/CryptoManager.c | 6 ++++++
org/mozilla/jss/CryptoManager.java | 2 ++
2 files changed, 8 insertions(+)
diff --git a/org/mozilla/jss/CryptoManager.c b/org/mozilla/jss/CryptoManager.c
index 56e66b2..eb8b922 100644
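--- a/jss/org/mozilla/jss/CryptoManager.c
+++ b/jss/org/mozilla/jss/CryptoManager.c
@@ -976,8 +976,14 @@ JNIEXPORT jboolean JNICALL
 Java_org_mozilla_jss_CryptoManager_FIPSEnabled(JNIEnv *env, jobject this)
 {
 if( PK11_IsFIPS() ) {
+ /* There's a bug in NSS where it won't disable x25519 in FIPS mode.
+ * Since they won't fix the bug, we have to do it ourselves. */
+ NSS_SetAlgorithmPolicy(SEC_OID_CURVE25519, 0, NSS_USE_ALG_IN_SSL_KX);
 return JNI_TRUE;
 } else {
+ /* In case FIPS mode is toggled, re-enable x25519 as it is a good
+ * curve. */
+ NSS_SetAlgorithmPolicy(SEC_OID_CURVE25519, 1, NSS_USE_ALG_IN_SSL_KX);
 return JNI_FALSE;
 }
 }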
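Review bot: The else branch does not re-enable x25519. NSS's secoid.h declares the call as NSS_SetAlgorithmPolicy(tag, setBits, clearBits), so `NSS_SetAlgorithmPolicy(SEC_OID_CURVE25519, 1, NSS_USE_ALG_IN_SSL_KX)` still clears the SSL key-exchange bit and additionally sets bit 0x1, which is a different usage flag. To restore the curve once FIPS mode is switched off, the flag belongs in the second argument: `NSS_SetAlgorithmPolicy(SEC_OID_CURVE25519, NSS_USE_ALG_IN_SSL_KX, 0);`. Both calls also discard the SECStatus result, so in the FIPS branch a failed policy update goes unnoticed while the function still returns JNI_TRUE; comparing the result with `SECSuccess` and surfacing a failure would make the restriction verifiable. The function's first line (`JNIEXPORT jboolean JNICALL`) is visible only in the hunk header.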
diff --git a/org/mozilla/jss/CryptoManager.java b/org/mozilla/jss/CryptoManager.java
index 9e5503d..f223361 100644
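--- a/jss/org/mozilla/jss/CryptoManager.java
+++ b/jss/org/mozilla/jss/CryptoManager.java
@@ -838,6 +838,8 @@ public final class CryptoManager implements TokenSupplier
 if(instance==null) {
 throw new NotInitializedException();
 }
+ /* throw away call -- disables x25519 if we're in FIPS mode */
+ instance.FIPSEnabled();
 return instance;
 }
 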
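Review bot: The Curve25519 policy is enforced only as a side effect of the discarded `instance.FIPSEnabled();` call, so it is refreshed only when a caller goes through this accessor. Code that keeps a CryptoManager reference across a FIPS-mode change keeps whatever policy was set last. A query method that mutates process-wide NSS policy is also easy to remove by accident during cleanup. I would move the policy update into an explicitly named step that runs at initialization and wherever FIPS mode is changed, or at minimum expand the comment to `/* FIPSEnabled() has a side effect: it sets the NSS Curve25519 key-exchange policy to match the current FIPS state. Do not remove. */`. The enclosing method begins above the hunk.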
--
1.8.3.1