diff --git a/SOURCES/nss-softokn-3.16-sha384-key-derive.patch b/SOURCES/nss-softokn-3.16-sha384-key-derive.patch new file mode 100644 index 0000000..4333382 --- /dev/null +++ b/SOURCES/nss-softokn-3.16-sha384-key-derive.patch @@ -0,0 +1,50 @@ +diff -up ./nss/lib/softoken/pkcs11c.c.sha384_key_derive ./nss/lib/softoken/pkcs11c.c +--- ./nss/lib/softoken/pkcs11c.c.sha384_key_derive 2015-05-28 14:14:14.326097673 -0700 ++++ ./nss/lib/softoken/pkcs11c.c 2015-05-28 14:35:51.208984276 -0700 +@@ -5974,7 +5974,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h + int i; + unsigned int outLen; + unsigned char sha_out[SHA1_LENGTH]; +- unsigned char key_block[NUM_MIXERS * MD5_LENGTH]; ++ unsigned char key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH]; + unsigned char key_block2[MD5_LENGTH]; + unsigned char des3key[24]; + PRBool isFIPS; +@@ -6245,19 +6245,24 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h + CK_SSL3_KEY_MAT_OUT * ssl3_keys_out; + CK_ULONG effKeySize; + unsigned int block_needed; ++ unsigned int max_block_size = NUM_MIXERS * MD5_LENGTH; + unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2]; + unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2]; + + if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) { + CK_TLS12_KEY_MAT_PARAMS *tls12_keys = + (CK_TLS12_KEY_MAT_PARAMS *) pMechanism->pParameter; ++ SECHashObject *rawHash; + tlsPrfHash = GetHashTypeFromMechanism(tls12_keys->prfHashMechanism); + if (tlsPrfHash == HASH_AlgNULL) { + crv = CKR_MECHANISM_PARAM_INVALID; + break; + } ++ rawHash = HASH_GetRawHashObject(tlsPrfHash); ++ max_block_size = NUM_MIXERS*rawHash->length; + } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) { + tlsPrfHash = HASH_AlgSHA256; ++ max_block_size = NUM_MIXERS*SHA256_LENGTH; + } + + if (mechanism != CKM_SSL3_KEY_AND_MAC_DERIVE) { +@@ -6322,9 +6327,9 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h + } + block_needed = 2 * (macSize + effKeySize + + ((!ssl3_keys->bIsExport) * IVSize)); +- PORT_Assert(block_needed <= sizeof key_block); +- if (block_needed > sizeof key_block) +- block_needed = sizeof key_block; ++ PORT_Assert(block_needed <= max_block_size); ++ if (block_needed > max_block_size) ++ block_needed = max_block_size; + + /* + * generate the key material: This looks amazingly similar to the diff --git a/SOURCES/nss-softokn-3.16-tls12-mechanisms-fipstest.patch b/SOURCES/nss-softokn-3.16-tls12-mechanisms-fipstest.patch new file mode 100644 index 0000000..902d4dc --- /dev/null +++ b/SOURCES/nss-softokn-3.16-tls12-mechanisms-fipstest.patch @@ -0,0 +1,83 @@ +diff -up nss/cmd/fipstest/fipstest.c.1212106 nss/cmd/fipstest/fipstest.c +--- nss/cmd/fipstest/fipstest.c.1212106 2015-04-28 15:10:27.428991019 -0700 ++++ nss/cmd/fipstest/fipstest.c 2015-04-28 15:14:18.281661223 -0700 +@@ -5746,12 +5746,13 @@ tls(char *reqfn) + + CK_MECHANISM master_mech = { CKM_TLS_MASTER_KEY_DERIVE , NULL, 0 }; + CK_MECHANISM key_block_mech = { CKM_TLS_KEY_AND_MAC_DERIVE , NULL, 0}; +- CK_SSL3_MASTER_KEY_DERIVE_PARAMS master_params; +- CK_SSL3_KEY_MAT_PARAMS key_block_params; ++ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params; ++ CK_TLS12_KEY_MAT_PARAMS key_block_params; + CK_SSL3_KEY_MAT_OUT key_material; + CK_RV crv; + + /* set up PKCS #11 parameters */ ++ master_params.prfHashMechanism = CKM_SHA256; + master_params.pVersion = NULL; + master_params.RandomInfo.pClientRandom = clientHello_random; + master_params.RandomInfo.ulClientRandomLen = sizeof(clientHello_random); +@@ -5759,6 +5760,7 @@ tls(char *reqfn) + master_params.RandomInfo.ulServerRandomLen = sizeof(serverHello_random); + master_mech.pParameter = (void *) &master_params; + master_mech.ulParameterLen = sizeof(master_params); ++ key_block_params.prfHashMechanism = CKM_SHA256; + key_block_params.ulMacSizeInBits = 0; + key_block_params.ulKeySizeInBits = 0; + key_block_params.ulIVSizeInBits = 0; +@@ -5801,14 +5803,35 @@ tls(char *reqfn) + /* [Xchange - SHA1] */ + if (buf[0] == '[') { + if (strncmp(buf, "[TLS", 4) == 0) { +- if (buf[7] == '0') { +- master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE; +- key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE; +- } else if (buf[7] == '2') { +- master_mech.mechanism = +- CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256; +- key_block_mech.mechanism = +- CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256; ++ if (buf[7] == '0') { ++ master_mech.mechanism = CKM_TLS_MASTER_KEY_DERIVE; ++ key_block_mech.mechanism = CKM_TLS_KEY_AND_MAC_DERIVE; ++ master_mech.ulParameterLen = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); ++ key_block_mech.ulParameterLen = sizeof(CK_SSL3_KEY_MAT_PARAMS); ++ } else if (buf[7] == '2') { ++ if (strncmp(&buf[10], "SHA-1", 5) == 0) { ++ master_params.prfHashMechanism = CKM_SHA_1; ++ key_block_params.prfHashMechanism = CKM_SHA_1; ++ } else if (strncmp(&buf[10], "SHA-224", 7) == 0) { ++ master_params.prfHashMechanism = CKM_SHA224; ++ key_block_params.prfHashMechanism = CKM_SHA224; ++ } else if (strncmp(&buf[10], "SHA-256", 7) == 0) { ++ master_params.prfHashMechanism = CKM_SHA256; ++ key_block_params.prfHashMechanism = CKM_SHA256; ++ } else if (strncmp(&buf[10], "SHA-384", 7)== 0) { ++ master_params.prfHashMechanism = CKM_SHA384; ++ key_block_params.prfHashMechanism = CKM_SHA384; ++ } else if (strncmp(&buf[10], "SHA-512", 7) == 0) { ++ master_params.prfHashMechanism = CKM_SHA512; ++ key_block_params.prfHashMechanism = CKM_SHA512; ++ } else { ++ fprintf(tlsresp, "ERROR: Unable to find prf Hash type"); ++ goto loser; ++ } ++ master_mech.mechanism = CKM_TLS12_MASTER_KEY_DERIVE; ++ key_block_mech.mechanism = CKM_TLS12_KEY_AND_MAC_DERIVE; ++ master_mech.ulParameterLen = sizeof(master_params); ++ key_block_mech.ulParameterLen = sizeof(key_block_params); + } else { + fprintf(stderr, "Unknown TLS type %x\n", buf); + goto loser; +@@ -6121,6 +6144,11 @@ int main(int argc, char **argv) + } else if (strcmp(argv[1], "ddrbg") == 0) { + debug = 1; + drbg(argv[2]); ++ /*************/ ++ /* TLS */ ++ /*************/ ++ } else if (strcmp(argv[1], "tls") == 0) { ++ tls(argv[2]); + } + return 0; + } diff --git a/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch b/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch new file mode 100644 index 0000000..58be595 --- /dev/null +++ b/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch @@ -0,0 +1,481 @@ +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -388,16 +388,17 @@ static const struct mechanismList mechan + {CKM_SHA256_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA384, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA384_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA384_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA512, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA512_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA512_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_TLS_PRF_GENERAL, {0, 512, CKF_SN_VR}, PR_FALSE}, ++ {CKM_TLS12_MAC, {0, 512, CKF_SN_VR}, PR_FALSE}, + {CKM_NSS_TLS_PRF_GENERAL_SHA256, + {0, 512, CKF_SN_VR}, PR_FALSE}, + /* ------------------------- HKDF Operations -------------------------- */ + {CKM_NSS_HKDF_SHA1, {1, 128, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_HKDF_SHA256, {1, 128, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_HKDF_SHA384, {1, 128, CKF_DERIVE}, PR_TRUE}, + {CKM_NSS_HKDF_SHA512, {1, 128, CKF_DERIVE}, PR_TRUE}, + /* ------------------------- CAST Operations --------------------------- */ +@@ -468,22 +469,25 @@ static const struct mechanismList mechan + {CKM_MD5_KEY_DERIVATION, { 0, 16, CKF_DERIVE}, PR_FALSE}, + {CKM_MD2_KEY_DERIVATION, { 0, 16, CKF_DERIVE}, PR_FALSE}, + {CKM_SHA1_KEY_DERIVATION, { 0, 20, CKF_DERIVE}, PR_FALSE}, + {CKM_SHA224_KEY_DERIVATION, { 0, 28, CKF_DERIVE}, PR_FALSE}, + {CKM_SHA256_KEY_DERIVATION, { 0, 32, CKF_DERIVE}, PR_FALSE}, + {CKM_SHA384_KEY_DERIVATION, { 0, 48, CKF_DERIVE}, PR_FALSE}, + {CKM_SHA512_KEY_DERIVATION, { 0, 64, CKF_DERIVE}, PR_FALSE}, + {CKM_TLS_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE}, ++ {CKM_TLS12_MASTER_KEY_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE}, + {CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, + {48, 48, CKF_DERIVE}, PR_FALSE}, + {CKM_TLS_MASTER_KEY_DERIVE_DH, {8, 128, CKF_DERIVE}, PR_FALSE}, ++ {CKM_TLS12_MASTER_KEY_DERIVE_DH, {8, 128, CKF_DERIVE}, PR_FALSE}, + {CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, + {8, 128, CKF_DERIVE}, PR_FALSE}, + {CKM_TLS_KEY_AND_MAC_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE}, ++ {CKM_TLS12_KEY_AND_MAC_DERIVE, {48, 48, CKF_DERIVE}, PR_FALSE}, + {CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, + {48, 48, CKF_DERIVE}, PR_FALSE}, + /* ---------------------- PBE Key Derivations ------------------------ */ + {CKM_PBE_MD2_DES_CBC, {8, 8, CKF_DERIVE}, PR_TRUE}, + {CKM_PBE_MD5_DES_CBC, {8, 8, CKF_DERIVE}, PR_TRUE}, + /* ------------------ NETSCAPE PBE Key Derivations ------------------- */ + {CKM_NETSCAPE_PBE_SHA1_DES_CBC, { 8, 8, CKF_GENERATE}, PR_TRUE}, + {CKM_NETSCAPE_PBE_SHA1_FAULTY_3DES_CBC, {24,24, CKF_GENERATE}, PR_TRUE}, +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -2512,20 +2527,62 @@ finish_rsa: + crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key, + *(CK_ULONG *)pMechanism->pParameter); + break; + case CKM_SSL3_SHA1_MAC: + crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key, + *(CK_ULONG *)pMechanism->pParameter); + break; + case CKM_TLS_PRF_GENERAL: +- crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL); ++ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0); + break; ++ case CKM_TLS12_MAC: { ++ CK_TLS12_MAC_PARAMS *tls12_mac_params; ++ HASH_HashType tlsPrfHash; ++ const char *label; ++ ++ if (pMechanism->ulParameterLen != sizeof(CK_TLS12_MAC_PARAMS)) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ tls12_mac_params = (CK_TLS12_MAC_PARAMS *)pMechanism->pParameter; ++ if (tls12_mac_params->prfHashMechanism == CKM_TLS_PRF) { ++ /* The TLS 1.0 and 1.1 PRF */ ++ tlsPrfHash = HASH_AlgNULL; ++ if (tls12_mac_params->ulMacLength != 12) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ } else { ++ /* The hash function for the TLS 1.2 PRF */ ++ tlsPrfHash = ++ GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism); ++ if (tlsPrfHash == HASH_AlgNULL || ++ tls12_mac_params->ulMacLength < 12) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ } ++ if (tls12_mac_params->ulServerOrClient == 1) { ++ label = "server finished"; ++ } else if (tls12_mac_params->ulServerOrClient == 2) { ++ label = "client finished"; ++ } else { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ crv = sftk_TLSPRFInit(context, key, key_type, tlsPrfHash, ++ tls12_mac_params->ulMacLength); ++ if (crv == CKR_OK) { ++ context->hashUpdate(context->hashInfo, label, 15); ++ } ++ break; ++ } + case CKM_NSS_TLS_PRF_GENERAL_SHA256: +- crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256); ++ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0); + break; + + case CKM_NSS_HMAC_CONSTANT_TIME: { + sftk_MACConstantTimeCtx *ctx = + sftk_HMACConstantTime_New(pMechanism,key); + CK_ULONG *intpointer; + + if (ctx == NULL) { +@@ -3109,20 +3166,20 @@ finish_rsa: + crv = sftk_doSSLMACInit(context,SEC_OID_MD5,key, + *(CK_ULONG *)pMechanism->pParameter); + break; + case CKM_SSL3_SHA1_MAC: + crv = sftk_doSSLMACInit(context,SEC_OID_SHA1,key, + *(CK_ULONG *)pMechanism->pParameter); + break; + case CKM_TLS_PRF_GENERAL: +- crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL); ++ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0); + break; + case CKM_NSS_TLS_PRF_GENERAL_SHA256: +- crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256); ++ crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgSHA256, 0); + break; + + default: + crv = CKR_MECHANISM_INVALID; + break; + } + + if (crv != CKR_OK) { +@@ -5916,22 +5973,23 @@ + CK_ULONG tmpKeySize; + CK_ULONG IVSize; + CK_ULONG keySize = 0; + CK_RV crv = CKR_OK; + CK_BBOOL cktrue = CK_TRUE; + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_OBJECT_CLASS classType = CKO_SECRET_KEY; + CK_KEY_DERIVATION_STRING_DATA *stringPtr; ++ CK_MECHANISM_TYPE mechanism = pMechanism->mechanism; + CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; + CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr; + void *cipherInfo; + PRBool isTLS = PR_FALSE; +- PRBool isSHA256 = PR_FALSE; + PRBool isDH = PR_FALSE; ++ HASH_HashType tlsPrfHash = HASH_AlgNULL; + SECStatus rv; + int i; + unsigned int outLen; + unsigned char sha_out[SHA1_LENGTH]; + unsigned char key_block[NUM_MIXERS * MD5_LENGTH]; + unsigned char key_block2[MD5_LENGTH]; + unsigned char des3key[24]; + PRBool isFIPS; +@@ -5969,17 +6027,17 @@ + } + } + if (crv != CKR_OK) { sftk_FreeObject(key); return crv; } + + if (keySize == 0) { + keySize = sftk_MapKeySize(keyType); + } + +- switch (pMechanism->mechanism) { ++ switch (mechanism) { + case CKM_NSS_JPAKE_ROUND2_SHA1: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA256: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA384: /* fall through */ + case CKM_NSS_JPAKE_ROUND2_SHA512: + extractValue = PR_FALSE; + classType = CKO_PRIVATE_KEY; + break; + case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */ +@@ -6017,39 +6075,57 @@ + att = sftk_FindAttribute(sourceKey,CKA_VALUE); + if (att == NULL) { + sftk_FreeObject(key); + sftk_FreeObject(sourceKey); + return CKR_KEY_HANDLE_INVALID; + } + } + +- switch (pMechanism->mechanism) { ++ switch (mechanism) { + /* + * generate the master secret + */ ++ case CKM_TLS12_MASTER_KEY_DERIVE: ++ case CKM_TLS12_MASTER_KEY_DERIVE_DH: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: +- isSHA256 = PR_TRUE; +- /* fall thru */ + case CKM_TLS_MASTER_KEY_DERIVE: + case CKM_TLS_MASTER_KEY_DERIVE_DH: +- isTLS = PR_TRUE; +- /* fall thru */ + case CKM_SSL3_MASTER_KEY_DERIVE: + case CKM_SSL3_MASTER_KEY_DERIVE_DH: + { + CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ssl3_master; + SSL3RSAPreMasterSecret * rsa_pms; + unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2]; + +- if ((pMechanism->mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) || +- (pMechanism->mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) || +- (pMechanism->mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) +- isDH = PR_TRUE; ++ if ((mechanism == CKM_TLS12_MASTER_KEY_DERIVE) || ++ (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) { ++ CK_TLS12_MASTER_KEY_DERIVE_PARAMS *tls12_master = ++ (CK_TLS12_MASTER_KEY_DERIVE_PARAMS *) pMechanism->pParameter; ++ tlsPrfHash = GetHashTypeFromMechanism(tls12_master->prfHashMechanism); ++ if (tlsPrfHash == HASH_AlgNULL) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ } else if ((mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256) || ++ (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256)) { ++ tlsPrfHash = HASH_AlgSHA256; ++ } ++ ++ if ((mechanism != CKM_SSL3_MASTER_KEY_DERIVE) && ++ (mechanism != CKM_SSL3_MASTER_KEY_DERIVE_DH)) { ++ isTLS = PR_TRUE; ++ } ++ if ((mechanism == CKM_SSL3_MASTER_KEY_DERIVE_DH) || ++ (mechanism == CKM_TLS_MASTER_KEY_DERIVE_DH) || ++ (mechanism == CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256) || ++ (mechanism == CKM_TLS12_MASTER_KEY_DERIVE_DH)) { ++ isDH = PR_TRUE; ++ } + + /* first do the consistancy checks */ + if (!isDH && (att->attrib.ulValueLen != SSL3_PMS_LENGTH)) { + crv = CKR_KEY_TYPE_INCONSISTENT; + break; + } + att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE); + if ((att2 == NULL) || (*(CK_KEY_TYPE *)att2->attrib.pValue != +@@ -6106,18 +6182,18 @@ + + crsr.data = crsrdata; + crsr.len = sizeof crsrdata; + master.data = key_block; + master.len = SSL3_MASTER_SECRET_LENGTH; + pms.data = (unsigned char*)att->attrib.pValue; + pms.len = att->attrib.ulValueLen; + +- if (isSHA256) { +- status = TLS_P_hash(HASH_AlgSHA256, &pms, "master secret", ++ if (tlsPrfHash != HASH_AlgNULL) { ++ status = TLS_P_hash(tlsPrfHash, &pms, "master secret", + &crsr, &master, isFIPS); + } else { + status = TLS_PRF(&pms, "master secret", &crsr, &master, isFIPS); + } + if (status != SECSuccess) { + crv = CKR_FUNCTION_FAILED; + break; + } +@@ -6170,31 +6246,44 @@ + if (crv != CKR_OK) break; + /* While we're here, we might as well force this, too. */ + crv = sftk_forceAttribute(key,CKA_DERIVE,&cktrue,sizeof(CK_BBOOL)); + if (crv != CKR_OK) break; + } + break; + } + ++ case CKM_TLS12_KEY_AND_MAC_DERIVE: + case CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256: +- isSHA256 = PR_TRUE; +- /* fall thru */ + case CKM_TLS_KEY_AND_MAC_DERIVE: +- isTLS = PR_TRUE; +- /* fall thru */ + case CKM_SSL3_KEY_AND_MAC_DERIVE: + { + CK_SSL3_KEY_MAT_PARAMS *ssl3_keys; + CK_SSL3_KEY_MAT_OUT * ssl3_keys_out; + CK_ULONG effKeySize; + unsigned int block_needed; + unsigned char srcrdata[SSL3_RANDOM_LENGTH * 2]; + unsigned char crsrdata[SSL3_RANDOM_LENGTH * 2]; + ++ if (mechanism == CKM_TLS12_KEY_AND_MAC_DERIVE) { ++ CK_TLS12_KEY_MAT_PARAMS *tls12_keys = ++ (CK_TLS12_KEY_MAT_PARAMS *) pMechanism->pParameter; ++ tlsPrfHash = GetHashTypeFromMechanism(tls12_keys->prfHashMechanism); ++ if (tlsPrfHash == HASH_AlgNULL) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ } else if (mechanism == CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256) { ++ tlsPrfHash = HASH_AlgSHA256; ++ } ++ ++ if (mechanism != CKM_SSL3_KEY_AND_MAC_DERIVE) { ++ isTLS = PR_TRUE; ++ } ++ + crv = sftk_DeriveSensitiveCheck(sourceKey,key); + if (crv != CKR_OK) break; + + if (att->attrib.ulValueLen != SSL3_MASTER_SECRET_LENGTH) { + crv = CKR_KEY_FUNCTION_NOT_PERMITTED; + break; + } + att2 = sftk_FindAttribute(sourceKey,CKA_KEY_TYPE); +@@ -6264,18 +6353,18 @@ + + srcr.data = srcrdata; + srcr.len = sizeof srcrdata; + keyblk.data = key_block; + keyblk.len = block_needed; + master.data = (unsigned char*)att->attrib.pValue; + master.len = att->attrib.ulValueLen; + +- if (isSHA256) { +- status = TLS_P_hash(HASH_AlgSHA256, &master, "key expansion", ++ if (tlsPrfHash != HASH_AlgNULL) { ++ status = TLS_P_hash(tlsPrfHash, &master, "key expansion", + &srcr, &keyblk, isFIPS); + } else { + status = TLS_PRF(&master, "key expansion", &srcr, &keyblk, + isFIPS); + } + if (status != SECSuccess) { + goto key_and_mac_derive_fail; + } +@@ -7011,17 +7100,17 @@ + SEC_ASN1_GET(SEC_OctetStringTemplate), + &ecPoint); + if (rv != SECSuccess) { + goto ec_loser; + } + ecPoint = newPoint; + } + +- if (pMechanism->mechanism == CKM_ECDH1_COFACTOR_DERIVE) { ++ if (mechanism == CKM_ECDH1_COFACTOR_DERIVE) { + withCofactor = PR_TRUE; + } else { + /* When not using cofactor derivation, one should + * validate the public key to avoid small subgroup + * attacks. + */ + if (EC_ValidatePublicKey(&privKey->u.ec.ecParams, &ecPoint) + != SECSuccess) { +diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h +--- a/lib/softoken/pkcs11i.h ++++ b/lib/softoken/pkcs11i.h +@@ -733,13 +733,14 @@ void sftk_MACConstantTime_DestroyContext + /**************************************** + * implement TLS Pseudo Random Function (PRF) + */ + + extern CK_RV + sftk_TLSPRFInit(SFTKSessionContext *context, + SFTKObject * key, + CK_KEY_TYPE key_type, +- HASH_HashType hash_alg); ++ HASH_HashType hash_alg, ++ unsigned int out_len); + + SEC_END_PROTOS + + #endif /* _PKCS11I_H_ */ +diff --git a/lib/softoken/tlsprf.c b/lib/softoken/tlsprf.c +--- a/lib/softoken/tlsprf.c ++++ b/lib/softoken/tlsprf.c +@@ -1,16 +1,17 @@ + /* tlsprf.c - TLS Pseudo Random Function (PRF) implementation + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "pkcs11i.h" + #include "blapi.h" ++#include "secerr.h" + + #define SFTK_OFFSETOF(str, memb) ((PRPtrdiff)(&(((str *)0)->memb))) + + static void sftk_TLSPRFNull(void *data, PRBool freeit) + { + return; + } + +@@ -18,16 +19,17 @@ typedef struct { + PRUint32 cxSize; /* size of allocated block, in bytes. */ + PRUint32 cxBufSize; /* sizeof buffer at cxBufPtr. */ + unsigned char *cxBufPtr; /* points to real buffer, may be cxBuf. */ + PRUint32 cxKeyLen; /* bytes of cxBufPtr containing key. */ + PRUint32 cxDataLen; /* bytes of cxBufPtr containing data. */ + SECStatus cxRv; /* records failure of void functions. */ + PRBool cxIsFIPS; /* true if conforming to FIPS 198. */ + HASH_HashType cxHashAlg; /* hash algorithm to use for TLS 1.2+ */ ++ unsigned int cxOutLen; /* bytes of output if nonzero */ + unsigned char cxBuf[512]; /* actual size may be larger than 512. */ + } TLSPRFContext; + + static void + sftk_TLSPRFHashUpdate(TLSPRFContext *cx, const unsigned char *data, + unsigned int data_len) + { + PRUint32 bytesUsed = cx->cxKeyLen + cx->cxDataLen; +@@ -82,17 +84,24 @@ sftk_TLSPRFUpdate(TLSPRFContext *cx, + + secretItem.data = cx->cxBufPtr; + secretItem.len = cx->cxKeyLen; + + seedItem.data = cx->cxBufPtr + cx->cxKeyLen; + seedItem.len = cx->cxDataLen; + + sigItem.data = sig; +- sigItem.len = maxLen; ++ if (cx->cxOutLen == 0) { ++ sigItem.len = maxLen; ++ } else if (cx->cxOutLen <= maxLen) { ++ sigItem.len = cx->cxOutLen; ++ } else { ++ PORT_SetError(SEC_ERROR_OUTPUT_LEN); ++ return SECFailure; ++ } + + if (cx->cxHashAlg != HASH_AlgNULL) { + rv = TLS_P_hash(cx->cxHashAlg, &secretItem, NULL, &seedItem, &sigItem, + cx->cxIsFIPS); + } else { + rv = TLS_PRF(&secretItem, NULL, &seedItem, &sigItem, cx->cxIsFIPS); + } + if (rv == SECSuccess && sigLen != NULL) +@@ -137,17 +146,18 @@ sftk_TLSPRFHashDestroy(TLSPRFContext *cx + PORT_ZFree(cx, cx->cxSize); + } + } + + CK_RV + sftk_TLSPRFInit(SFTKSessionContext *context, + SFTKObject * key, + CK_KEY_TYPE key_type, +- HASH_HashType hash_alg) ++ HASH_HashType hash_alg, ++ unsigned int out_len) + { + SFTKAttribute * keyVal; + TLSPRFContext * prf_cx; + CK_RV crv = CKR_HOST_MEMORY; + PRUint32 keySize; + PRUint32 blockSize; + + if (key_type != CKK_GENERIC_SECRET) +@@ -164,16 +174,17 @@ sftk_TLSPRFInit(SFTKSessionContext *cont + prf_cx->cxSize = blockSize; + prf_cx->cxKeyLen = keySize; + prf_cx->cxDataLen = 0; + prf_cx->cxBufSize = blockSize - SFTK_OFFSETOF(TLSPRFContext, cxBuf); + prf_cx->cxRv = SECSuccess; + prf_cx->cxIsFIPS = (key->slot->slotID == FIPS_SLOT_ID); + prf_cx->cxBufPtr = prf_cx->cxBuf; + prf_cx->cxHashAlg = hash_alg; ++ prf_cx->cxOutLen = out_len; + if (keySize) + PORT_Memcpy(prf_cx->cxBufPtr, keyVal->attrib.pValue, keySize); + + context->hashInfo = (void *) prf_cx; + context->cipherInfo = (void *) prf_cx; + context->hashUpdate = (SFTKHash) sftk_TLSPRFHashUpdate; + context->end = (SFTKEnd) sftk_TLSPRFEnd; + context->update = (SFTKCipher) sftk_TLSPRFUpdate; diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec index aac58ed..c8a836b 100644 --- a/SPECS/nss-softokn.spec +++ b/SPECS/nss-softokn.spec @@ -1,6 +1,6 @@ %global nspr_version 4.10.6 %global nss_name nss -%global nss_util_version 3.16.2.3 +%global nss_util_version 3.19.1 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ @@ -31,7 +31,7 @@ Summary: Network Security Services Softoken Module Name: nss-softokn Version: 3.16.2.3 -Release: 9%{?dist} +Release: 12%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -80,6 +80,8 @@ Patch8: softoken-minimal-test-dependencies.patch Patch10: iquote.patch Patch11: nss-softokn-allow-level1.patch Patch12: additional-covscan-fixes.patch +Patch13: nss-softokn-3.16-tls12-mechanisms.patch +Patch14: nss-softokn-3.16-sha384-key-derive.patch # FIPS update @@ -99,7 +101,8 @@ Patch201: nss-softokn-3.16-fipstest-186-4.patch Patch202: nss-softokn-fix-error-handling.patch Patch203: nss-softokn-3.16-freebl_dyload.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1113632 -Patch204: limit-create-fipscheck.patch +Patch204: limit-create-fipscheck.patch +Patch205: nss-softokn-3.16-tls12-mechanisms-fipstest.patch %description @@ -173,7 +176,12 @@ Header and library files for doing development with Network Security Services. %patch202 -p0 -b .1154764 %patch203 -p0 -b .freebl-dyload %patch204 -p0 -b .limit_create_fips_check +%patch205 -p0 -b .1212106 %patch12 -p0 -b .1154764extras +pushd nss +%patch13 -p1 -b .1212106 +popd +%patch14 -p1 -b .sha384_key_derive %build @@ -479,6 +487,17 @@ done %{_includedir}/nss3/shsign.h %changelog +* Wed Jun 24 2015 Elio Maldonado - 3.16.2.3-12 +- Bump nss_util_version to 3.19.1 + +* Fri May 29 2015 Robert Relyea - 3.16.2.3-11 +- Make sure we have enough space for generating keyblocks for ciphers with HMAC_SHA384 (TLS). +- Resolves: Bug 1216909 - Need to support SHA384 TLS cipher suites + +* Wed Apr 29 2015 Elio Maldonado - 3.16.2.3-10 +- Use the TLS 1.2 mechanisms for PKCS #11 added for V2.40 +- Resolves: Bug 1216909 - Need to support SHA384 TLS cipher suites + * Mon Feb 02 2015 Tomáš Mráz - 3.16.2.3-9 - add configuration file for dracut to add the nss-softokn module by default