diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8c31731 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/nss-softokn-3.44.tar.gz +SOURCES/nss-softokn-cavs-1.0.tar.gz diff --git a/.nss-softokn.metadata b/.nss-softokn.metadata new file mode 100644 index 0000000..5ef9862 --- /dev/null +++ b/.nss-softokn.metadata @@ -0,0 +1,2 @@ +a46411f9b88d1653cd0cfce840b5f932219695d2 SOURCES/nss-softokn-3.44.tar.gz +d8a7f044570732caf4ed06fd44a63b3e86ea2a16 SOURCES/nss-softokn-cavs-1.0.tar.gz diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch new file mode 100644 index 0000000..3d1aa60 --- /dev/null +++ b/SOURCES/iquote.patch @@ -0,0 +1,37 @@ +diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile +--- nss/cmd/bltest/Makefile.iquote 2013-04-04 21:56:59.329249213 -0700 ++++ nss/cmd/bltest/Makefile 2013-04-04 21:57:47.583579084 -0700 +@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../private/nss + + + ####################################################################### +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2013-04-04 21:54:59.710477106 -0700 ++++ nss/coreconf/location.mk 2013-04-04 21:56:21.091163121 -0700 +@@ -45,6 +45,10 @@ endif + + ifdef NSS_INCLUDE_DIR + INCLUDES += -I$(NSS_INCLUDE_DIR) ++ ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss ++ INCLUDES += -iquote $(DIST)/../private/nss ++ endif + endif + + ifndef NSS_LIB_DIR +diff -up ./nss/lib/softoken/Makefile.iquote ./nss/lib/softoken/Makefile +--- ./nss/lib/softoken/Makefile.iquote 2014-01-06 20:35:19.931937299 -0800 ++++ ./nss/lib/softoken/Makefile 2014-01-06 20:36:15.336390664 -0800 +@@ -42,6 +42,8 @@ ifdef NSS_DISABLE_DBM + DIRS= + endif + ++INCLUDES += -iquote $(DIST)/../private/nss ++ + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # + ####################################################################### diff --git a/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch b/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch new file mode 100644 index 0000000..b6ba1d7 --- /dev/null +++ b/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch @@ -0,0 +1,59 @@ +diff -up nss/lib/softoken/pkcs11.c.add_encrypt_derive nss/lib/softoken/pkcs11.c +--- nss/lib/softoken/pkcs11.c.add_encrypt_derive 2018-02-27 15:47:47.000000000 +0100 ++++ nss/lib/softoken/pkcs11.c 2018-03-01 16:01:05.853165433 +0100 +@@ -426,6 +426,8 @@ static const struct mechanismList mechan + { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, +diff -up nss/lib/softoken/pkcs11c.c.add_encrypt_derive nss/lib/softoken/pkcs11c.c +--- nss/lib/softoken/pkcs11c.c.add_encrypt_derive 2018-02-27 15:47:47.000000000 +0100 ++++ nss/lib/softoken/pkcs11c.c 2018-03-01 16:01:18.468880916 +0100 +@@ -6935,6 +6935,43 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + break; + } + ++ case CKM_DES_ECB_ENCRYPT_DATA: ++ case CKM_DES_CBC_ENCRYPT_DATA: { ++ void *cipherInfo; ++ CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr; ++ int mode; ++ unsigned char *iv; ++ unsigned char *data; ++ CK_ULONG len; ++ ++ if (mechanism == CKM_DES_ECB_ENCRYPT_DATA) { ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) ++ pMechanism->pParameter; ++ mode = NSS_DES; ++ iv = NULL; ++ data = stringPtr->pData; ++ len = stringPtr->ulLen; ++ } else { ++ mode = NSS_DES_CBC; ++ desEncryptPtr = ++ (CK_DES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ iv = desEncryptPtr->iv; ++ data = desEncryptPtr->pData; ++ len = desEncryptPtr->length; ++ } ++ cipherInfo = DES_CreateContext((unsigned char *)att->attrib.pValue, iv, mode, PR_TRUE); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt, ++ cipherInfo, 8, key, keySize, ++ data, len); ++ DES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ } ++ + case CKM_DES3_ECB_ENCRYPT_DATA: + case CKM_DES3_CBC_ENCRYPT_DATA: { + void *cipherInfo; diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in new file mode 100644 index 0000000..f46ba24 --- /dev/null +++ b/SOURCES/nss-softokn-config.in @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/SOURCES/nss-softokn-dracut-module-setup.sh b/SOURCES/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..951f427 --- /dev/null +++ b/SOURCES/nss-softokn-dracut-module-setup.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +check() { + return 255 +} + +depends() { + return 0 +} + +install() { + local _dir + + inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \ + libfreebl3.so +} + diff --git a/SOURCES/nss-softokn-dracut.conf b/SOURCES/nss-softokn-dracut.conf new file mode 100644 index 0000000..2d9232e --- /dev/null +++ b/SOURCES/nss-softokn-dracut.conf @@ -0,0 +1,3 @@ +# turn on nss-softokn module + +add_dracutmodules+=" nss-softokn " diff --git a/SOURCES/nss-softokn-fips-update.patch b/SOURCES/nss-softokn-fips-update.patch new file mode 100644 index 0000000..604b947 --- /dev/null +++ b/SOURCES/nss-softokn-fips-update.patch @@ -0,0 +1,1148 @@ +diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c +--- a/lib/freebl/fipsfreebl.c ++++ b/lib/freebl/fipsfreebl.c +@@ -10,18 +10,20 @@ + #ifdef FREEBL_NO_DEPEND + #include "stubs.h" + #endif + + #include "blapi.h" + #include "seccomon.h" /* Required for RSA and DSA. */ + #include "secerr.h" + #include "prtypes.h" ++#include "secitem.h" ++#include "pkcs11t.h" + +-#include "ec.h" /* Required for ECDSA */ ++#include "ec.h" /* Required for EC */ + + /* + * different platforms have different ways of calling and initial entry point + * when the dll/.so is loaded. Most platforms support either a posix pragma + * or the GCC attribute. Some platforms suppor a pre-defined name, and some + * platforms have a link line way of invoking this function. + */ + +@@ -283,61 +285,88 @@ freebl_fips_AES_PowerUpSelfTest(int aes_ + + /* AES-CBC Known Initialization Vector (128-bits). */ + static const PRUint8 aes_cbc_known_initialization_vector[] = + { "SecurityytiruceS" }; + + /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */ + static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" }; + ++ static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" }; ++ + /* AES Known Ciphertext (128-bit key). */ + static const PRUint8 aes_ecb128_known_ciphertext[] = { + 0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1, + 0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47 + }; + + static const PRUint8 aes_cbc128_known_ciphertext[] = { + 0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63, + 0x15, 0x54, 0x14, 0x1d, 0x4e, 0xd8, 0xd5, 0xea + }; + ++ static const PRUint8 aes_gcm128_known_ciphertext[] = { ++ 0x63, 0xf4, 0x95, 0x28, 0xe6, 0x78, 0xee, 0x6e, ++ 0x4f, 0xe0, 0xfc, 0x8d, 0xd7, 0xa2, 0xb1, 0xff, ++ 0x0c, 0x97, 0x1b, 0x0a, 0xdd, 0x97, 0x75, 0xed, ++ 0x8b, 0xde, 0xbf, 0x16, 0x5e, 0x57, 0x6b, 0x4f ++ }; ++ + /* AES Known Ciphertext (192-bit key). */ + static const PRUint8 aes_ecb192_known_ciphertext[] = { + 0xa0, 0x18, 0x62, 0xed, 0x88, 0x19, 0xcb, 0x62, + 0x88, 0x1d, 0x4d, 0xfe, 0x84, 0x02, 0x89, 0x0e + }; + + static const PRUint8 aes_cbc192_known_ciphertext[] = { + 0x83, 0xf7, 0xa4, 0x76, 0xd1, 0x6f, 0x07, 0xbe, + 0x07, 0xbc, 0x43, 0x2f, 0x6d, 0xad, 0x29, 0xe1 + }; + ++ static const PRUint8 aes_gcm192_known_ciphertext[] = { ++ 0xc1, 0x0b, 0x92, 0x1d, 0x68, 0x21, 0xf4, 0x25, ++ 0x41, 0x61, 0x20, 0x2d, 0x59, 0x7f, 0x53, 0xde, ++ 0x93, 0x39, 0xab, 0x09, 0x76, 0x41, 0x57, 0x2b, ++ 0x90, 0x2e, 0x44, 0xbb, 0x52, 0x03, 0xe9, 0x07 ++ }; ++ + /* AES Known Ciphertext (256-bit key). */ + static const PRUint8 aes_ecb256_known_ciphertext[] = { + 0xdb, 0xa6, 0x52, 0x01, 0x8a, 0x70, 0xae, 0x66, + 0x3a, 0x99, 0xd8, 0x95, 0x7f, 0xfb, 0x01, 0x67 + }; + + static const PRUint8 aes_cbc256_known_ciphertext[] = { + 0x37, 0xea, 0x07, 0x06, 0x31, 0x1c, 0x59, 0x27, + 0xc5, 0xc5, 0x68, 0x71, 0x6e, 0x34, 0x40, 0x16 + }; + ++ static const PRUint8 aes_gcm256_known_ciphertext[] = { ++ 0x5d, 0x9e, 0xd2, 0xa2, 0x74, 0x9c, 0xd9, 0x1c, ++ 0xd1, 0xc9, 0xee, 0x5d, 0xb6, 0xf2, 0xc9, 0xb6, ++ 0x79, 0x27, 0x53, 0x02, 0xa3, 0xdc, 0x22, 0xce, ++ 0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1 ++ }; ++ + const PRUint8 *aes_ecb_known_ciphertext = + (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext; + + const PRUint8 *aes_cbc_known_ciphertext = + (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext : aes_cbc256_known_ciphertext; + ++ const PRUint8 *aes_gcm_known_ciphertext = ++ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext : aes_gcm256_known_ciphertext; ++ + /* AES variables. */ +- PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH]; +- PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH]; ++ PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2]; ++ PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2]; + AESContext *aes_context; + unsigned int aes_bytes_encrypted; + unsigned int aes_bytes_decrypted; ++ CK_GCM_PARAMS gcmParams; + SECStatus aes_status; + + /*check if aes_key_size is 128, 192, or 256 bits */ + if ((aes_key_size != FIPS_AES_128_KEY_SIZE) && + (aes_key_size != FIPS_AES_192_KEY_SIZE) && + (aes_key_size != FIPS_AES_256_KEY_SIZE)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); +@@ -450,16 +479,79 @@ freebl_fips_AES_PowerUpSelfTest(int aes_ + if ((aes_status != SECSuccess) || + (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || + (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, + FIPS_AES_DECRYPT_LENGTH) != 0)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); + } + ++ /******************************************************/ ++ /* AES-GCM Single-Round Known Answer Encryption Test. */ ++ /******************************************************/ ++ ++ gcmParams.pIv = (PRUint8 *)aes_cbc_known_initialization_vector; ++ gcmParams.ulIvLen = FIPS_AES_BLOCK_SIZE; ++ gcmParams.pAAD = (PRUint8 *)aes_gcm_known_aad; ++ gcmParams.ulAADLen = sizeof(aes_gcm_known_aad); ++ gcmParams.ulTagBits = FIPS_AES_BLOCK_SIZE * 8; ++ aes_context = AES_CreateContext(aes_known_key, ++ (PRUint8 *)&gcmParams, ++ NSS_AES_GCM, PR_TRUE, aes_key_size, ++ FIPS_AES_BLOCK_SIZE); ++ ++ if (aes_context == NULL) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return (SECFailure); ++ } ++ ++ aes_status = AES_Encrypt(aes_context, aes_computed_ciphertext, ++ &aes_bytes_encrypted, FIPS_AES_ENCRYPT_LENGTH * 2, ++ aes_known_plaintext, ++ FIPS_AES_DECRYPT_LENGTH); ++ ++ AES_DestroyContext(aes_context, PR_TRUE); ++ ++ if ((aes_status != SECSuccess) || ++ (aes_bytes_encrypted != FIPS_AES_ENCRYPT_LENGTH * 2) || ++ (PORT_Memcmp(aes_computed_ciphertext, aes_gcm_known_ciphertext, ++ FIPS_AES_ENCRYPT_LENGTH * 2) != 0)) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return (SECFailure); ++ } ++ ++ /******************************************************/ ++ /* AES-GCM Single-Round Known Answer Decryption Test. */ ++ /******************************************************/ ++ ++ aes_context = AES_CreateContext(aes_known_key, ++ (PRUint8 *)&gcmParams, ++ NSS_AES_GCM, PR_FALSE, aes_key_size, ++ FIPS_AES_BLOCK_SIZE); ++ ++ if (aes_context == NULL) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return (SECFailure); ++ } ++ ++ aes_status = AES_Decrypt(aes_context, aes_computed_plaintext, ++ &aes_bytes_decrypted, FIPS_AES_DECRYPT_LENGTH * 2, ++ aes_gcm_known_ciphertext, ++ FIPS_AES_ENCRYPT_LENGTH * 2); ++ ++ AES_DestroyContext(aes_context, PR_TRUE); ++ ++ if ((aes_status != SECSuccess) || ++ (aes_bytes_decrypted != FIPS_AES_DECRYPT_LENGTH) || ++ (PORT_Memcmp(aes_computed_plaintext, aes_known_plaintext, ++ FIPS_AES_DECRYPT_LENGTH) != 0)) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return (SECFailure); ++ } ++ + return (SECSuccess); + } + + /* Known Hash Message (512-bits). Used for all hashes (incl. SHA-N [N>1]). */ + static const PRUint8 known_hash_message[] = { + "The test message for the MD2, MD5, and SHA-1 hashing algorithms." + }; + +@@ -1089,17 +1181,17 @@ freebl_fips_ECDSA_Test(ECParams *ecparam + 0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc, + 0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f + }; + + static const PRUint8 msg[] = { + "Firefox and ThunderBird are awesome!" + }; + +- unsigned char sha1[SHA1_LENGTH]; /* SHA-1 hash (160 bits) */ ++ unsigned char sha256[SHA256_LENGTH]; /* SHA-256 hash (256 bits) */ + unsigned char sig[2 * MAX_ECKEY_LEN]; + SECItem signature, digest; + ECPrivateKey *ecdsa_private_key = NULL; + ECPublicKey ecdsa_public_key; + SECStatus ecdsaStatus = SECSuccess; + + /* Generates a new EC key pair. The private key is a supplied + * random value (in seed) and the public key is the result of +@@ -1131,23 +1223,23 @@ freebl_fips_ECDSA_Test(ECParams *ecparam + if (ecdsaStatus != SECSuccess) { + goto loser; + } + + /***************************************************/ + /* ECDSA Single-Round Known Answer Signature Test. */ + /***************************************************/ + +- ecdsaStatus = SHA1_HashBuf(sha1, msg, sizeof msg); ++ ecdsaStatus = SHA256_HashBuf(sha256, msg, sizeof msg); + if (ecdsaStatus != SECSuccess) { + goto loser; + } + digest.type = siBuffer; +- digest.data = sha1; +- digest.len = SHA1_LENGTH; ++ digest.data = sha256; ++ digest.len = SHA256_LENGTH; + + memset(sig, 0, sizeof sig); + signature.type = siBuffer; + signature.data = sig; + signature.len = sizeof sig; + + ecdsaStatus = ECDSA_SignDigestWithSeed(ecdsa_private_key, &signature, + &digest, ecdsa_Known_Seed, sizeof ecdsa_Known_Seed); +@@ -1176,20 +1268,93 @@ loser: + if (ecdsaStatus != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return (SECFailure); + } + return (SECSuccess); + } + + static SECStatus +-freebl_fips_ECDSA_PowerUpSelfTest() ++freebl_fips_ECDH_Test(ECParams *ecparams) + { + +- /* ECDSA Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */ ++ /* ECDH Known result (reused old CAVS vector) */ ++ static const PRUint8 ecdh_known_pub_key_1[] = { ++ EC_POINT_FORM_UNCOMPRESSED, ++ /* pubX */ ++ 0x16, 0x81, 0x32, 0x86, 0xc8, 0xe4, 0x3a, 0x1f, ++ 0x5d, 0xe3, 0x06, 0x22, 0x8b, 0x99, 0x14, 0x25, ++ 0xf7, 0x9c, 0x5b, 0x1e, 0x96, 0x84, 0x85, 0x3b, ++ 0x17, 0xfe, 0xf3, 0x1c, 0x0e, 0xed, 0xc4, 0xce, ++ /* pubY */ ++ 0x7a, 0x44, 0xfe, 0xbd, 0x91, 0x71, 0x7d, 0x73, ++ 0xd9, 0x45, 0xea, 0xae, 0x66, 0x78, 0xfa, 0x6e, ++ 0x46, 0xcd, 0xfa, 0x95, 0x15, 0x47, 0x62, 0x5d, ++ 0xbb, 0x1b, 0x9f, 0xe6, 0x39, 0xfc, 0xfd, 0x47 ++ }; ++ static const PRUint8 ecdh_known_priv_key_2[] = { ++ 0xb4, 0x2a, 0xe3, 0x69, 0x19, 0xec, 0xf0, 0x42, ++ 0x6d, 0x45, 0x8c, 0x94, 0x4a, 0x26, 0xa7, 0x5c, ++ 0xea, 0x9d, 0xd9, 0x0f, 0x59, 0xe0, 0x1a, 0x9d, ++ 0x7c, 0xb7, 0x1c, 0x04, 0x53, 0xb8, 0x98, 0x5a ++ }; ++ static const PRUint8 ecdh_known_hash_result[] = { ++ 0x16, 0xf3, 0x85, 0xa2, 0x41, 0xf3, 0x7f, 0xc4, ++ 0x0b, 0x56, 0x47, 0xee, 0xa7, 0x74, 0xb9, 0xdb, ++ 0xe1, 0xfa, 0x22, 0xe9, 0x04, 0xf1, 0xb6, 0x12, ++ 0x4b, 0x44, 0x8a, 0xbb, 0xbc, 0x08, 0x2b, 0xa7, ++ }; ++ ++ SECItem ecdh_priv_2, ecdh_pub_1; ++ SECItem ZZ = { 0, 0, 0 }; ++ SECStatus ecdhStatus = SECSuccess; ++ PRUint8 computed_hash_result[HASH_LENGTH_MAX]; ++ ++ ecdh_priv_2.data = (PRUint8 *)ecdh_known_priv_key_2; ++ ecdh_priv_2.len = sizeof(ecdh_known_priv_key_2); ++ ecdh_pub_1.data = (PRUint8 *)ecdh_known_pub_key_1; ++ ecdh_pub_1.len = sizeof(ecdh_known_pub_key_1); ++ ++ /* Generates a new EC key pair. The private key is a supplied ++ * random value (in seed) and the public key is the result of ++ * performing a scalar point multiplication of that value with ++ * the curve's base point. ++ */ ++ ecdhStatus = ECDH_Derive(&ecdh_pub_1, ecparams, &ecdh_priv_2, PR_FALSE, &ZZ); ++ if (ecdhStatus != SECSuccess) { ++ goto loser; ++ } ++ ecdhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); ++ if (ecdhStatus != SECSuccess) { ++ goto loser; ++ } ++ ++ if (PORT_Memcmp(computed_hash_result, ecdh_known_hash_result, ++ sizeof(ecdh_known_hash_result)) != 0) { ++ ecdhStatus = SECFailure; ++ goto loser; ++ } ++ ++loser: ++ if (ZZ.data) { ++ SECITEM_FreeItem(&ZZ, PR_FALSE); ++ } ++ ++ if (ecdhStatus != SECSuccess) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return (SECFailure); ++ } ++ return (SECSuccess); ++} ++ ++static SECStatus ++freebl_fips_EC_PowerUpSelfTest() ++{ ++ ++ /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */ + static const unsigned char p256_prime[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF + }; + static const unsigned char p256_a[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +@@ -1212,17 +1377,17 @@ freebl_fips_ECDSA_PowerUpSelfTest() + static const unsigned char p256_order[] = { + 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, + 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 + }; + static const unsigned char p256_encoding[] = { + 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 + }; +- static const ECParams ecdsa_known_P256_Params = { ++ static const ECParams ec_known_P256_Params = { + NULL, ec_params_named, /* arena, type */ + /* fieldID */ + { 256, ec_field_GFp, /* size and type */ + { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */ + 0, + 0, + 0 }, + /* curve */ +@@ -1245,34 +1410,39 @@ freebl_fips_ECDSA_PowerUpSelfTest() + { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 }, + }; + + static const PRUint8 ecdsa_known_P256_signature[] = { + 0x07, 0xb1, 0xcb, 0x57, 0x20, 0xa7, 0x10, 0xd6, + 0x9d, 0x37, 0x4b, 0x1c, 0xdc, 0x35, 0x90, 0xff, + 0x1a, 0x2d, 0x98, 0x95, 0x1b, 0x2f, 0xeb, 0x7f, + 0xbb, 0x81, 0xca, 0xc0, 0x69, 0x75, 0xea, 0xc5, +- 0x59, 0x6a, 0x62, 0x49, 0x3d, 0x50, 0xc9, 0xe1, +- 0x27, 0x3b, 0xff, 0x9b, 0x13, 0x66, 0x67, 0xdd, +- 0x7d, 0xd1, 0x0d, 0x2d, 0x7c, 0x44, 0x04, 0x1b, +- 0x16, 0x21, 0x12, 0xc5, 0xcb, 0xbd, 0x9e, 0x75 ++ 0xa7, 0xd2, 0x20, 0xdd, 0x45, 0xf9, 0x2b, 0xdd, ++ 0xda, 0x98, 0x99, 0x5b, 0x1c, 0x02, 0x3a, 0x27, ++ 0x8b, 0x7d, 0xb6, 0xed, 0x0e, 0xe0, 0xa7, 0xac, ++ 0xaa, 0x36, 0x2c, 0xfa, 0x1a, 0xdf, 0x0d, 0xe1, + }; + + ECParams ecparams; + + SECStatus rv; + + /* ECDSA GF(p) prime field curve test */ +- ecparams = ecdsa_known_P256_Params; ++ ecparams = ec_known_P256_Params; + rv = freebl_fips_ECDSA_Test(&ecparams, + ecdsa_known_P256_signature, + sizeof ecdsa_known_P256_signature); + if (rv != SECSuccess) { + return (SECFailure); + } ++ /* ECDH GF(p) prime field curve test */ ++ rv = freebl_fips_ECDH_Test(&ecparams); ++ if (rv != SECSuccess) { ++ return (SECFailure); ++ } + + return (SECSuccess); + } + + static SECStatus + freebl_fips_DSA_PowerUpSelfTest(void) + { + /* DSA Known P (1024-bits), Q (160-bits), and G (1024-bits) Values. */ +@@ -1413,16 +1583,148 @@ freebl_fips_DSA_PowerUpSelfTest(void) + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } + + return (SECSuccess); + } + + static SECStatus ++freebl_fips_DH_PowerUpSelfTest(void) ++{ ++ /* DH Known P (2048-bits) */ ++ static const PRUint8 dh_known_P[] = { ++ 0xc2, 0x79, 0xbb, 0x76, 0x32, 0x0d, 0x43, 0xfd, ++ 0x1b, 0x8c, 0xa2, 0x3c, 0x00, 0xdd, 0x6d, 0xef, ++ 0xf8, 0x1a, 0xd9, 0xc1, 0xa2, 0xf5, 0x73, 0x2b, ++ 0xdb, 0x1a, 0x3e, 0x84, 0x90, 0xeb, 0xe7, 0x8e, ++ 0x5f, 0x5c, 0x6b, 0xb6, 0x61, 0x89, 0xd1, 0x03, ++ 0xb0, 0x5f, 0x91, 0xe4, 0xd2, 0x82, 0x90, 0xfc, ++ 0x3c, 0x49, 0x69, 0x59, 0xc1, 0x51, 0x6a, 0x85, ++ 0x71, 0xe7, 0x5d, 0x72, 0x5a, 0x45, 0xad, 0x01, ++ 0x6f, 0x82, 0xae, 0xec, 0x91, 0x08, 0x2e, 0x7c, ++ 0x64, 0x93, 0x46, 0x1c, 0x68, 0xef, 0xc2, 0x03, ++ 0x28, 0x1d, 0x75, 0x3a, 0xeb, 0x9c, 0x46, 0xf0, ++ 0xc9, 0xdb, 0x99, 0x95, 0x13, 0x66, 0x4d, 0xd5, ++ 0x1a, 0x78, 0x92, 0x51, 0x89, 0x72, 0x28, 0x7f, ++ 0x20, 0x70, 0x41, 0x49, 0xa2, 0x86, 0xe9, 0xf9, ++ 0x78, 0x5f, 0x8d, 0x2e, 0x5d, 0xfa, 0xdb, 0x57, ++ 0xd4, 0x71, 0xdf, 0x66, 0xe3, 0x9e, 0x88, 0x70, ++ 0xa4, 0x21, 0x44, 0x6a, 0xc7, 0xae, 0x30, 0x2c, ++ 0x9c, 0x1f, 0x91, 0x57, 0xc8, 0x24, 0x34, 0x2d, ++ 0x7a, 0x4a, 0x43, 0xc2, 0x5f, 0xab, 0x64, 0x2e, ++ 0xaa, 0x28, 0x32, 0x95, 0x42, 0x7b, 0xa0, 0xcc, ++ 0xdf, 0xfd, 0x22, 0xc8, 0x56, 0x84, 0xc1, 0x62, ++ 0x15, 0xb2, 0x77, 0x86, 0x81, 0xfc, 0xa5, 0x12, ++ 0x3c, 0xca, 0x28, 0x17, 0x8f, 0x03, 0x16, 0x6e, ++ 0xb8, 0x24, 0xfa, 0x1b, 0x15, 0x02, 0xfd, 0x8b, ++ 0xb6, 0x0a, 0x1a, 0xf7, 0x47, 0x41, 0xc5, 0x2b, ++ 0x37, 0x3e, 0xa1, 0xbf, 0x68, 0xda, 0x1c, 0x55, ++ 0x44, 0xc3, 0xee, 0xa1, 0x63, 0x07, 0x11, 0x3b, ++ 0x5f, 0x00, 0x84, 0xb4, 0xc4, 0xe4, 0xa7, 0x97, ++ 0x29, 0xf8, 0xce, 0xab, 0xfc, 0x27, 0x3e, 0x34, ++ 0xe4, 0xc7, 0x81, 0x52, 0x32, 0x0e, 0x27, 0x3c, ++ 0xa6, 0x70, 0x3f, 0x4a, 0x54, 0xda, 0xdd, 0x60, ++ 0x26, 0xb3, 0x6e, 0x45, 0x26, 0x19, 0x41, 0x6f ++ }; ++ ++ static const PRUint8 dh_known_Y_1[] = { ++ 0xb4, 0xc7, 0x85, 0xba, 0xa6, 0x98, 0xb3, 0x77, ++ 0x41, 0x2b, 0xd9, 0x9a, 0x72, 0x90, 0xa4, 0xac, ++ 0xc4, 0xf7, 0xc2, 0x23, 0x9a, 0x68, 0xe2, 0x7d, ++ 0x3a, 0x54, 0x45, 0x91, 0xc1, 0xd7, 0x8a, 0x17, ++ 0x54, 0xd3, 0x37, 0xaa, 0x0c, 0xcd, 0x0b, 0xe2, ++ 0xf2, 0x34, 0x0f, 0x17, 0xa8, 0x07, 0x88, 0xaf, ++ 0xed, 0xc1, 0x02, 0xd4, 0xdb, 0xdc, 0x0f, 0x22, ++ 0x51, 0x23, 0x40, 0xb9, 0x65, 0x6d, 0x39, 0xf4, ++ 0xe1, 0x8b, 0x57, 0x7d, 0xb6, 0xd3, 0xf2, 0x6b, ++ 0x02, 0xa9, 0x36, 0xf0, 0x0d, 0xe3, 0xdb, 0x9a, ++ 0xbf, 0x20, 0x00, 0x4d, 0xec, 0x6f, 0x68, 0x95, ++ 0xee, 0x59, 0x4e, 0x3c, 0xb6, 0xda, 0x7b, 0x19, ++ 0x08, 0x9a, 0xef, 0x61, 0x43, 0xf5, 0xfb, 0x25, ++ 0x70, 0x19, 0xc1, 0x5f, 0x0e, 0x0f, 0x6a, 0x63, ++ 0x44, 0xe9, 0xcf, 0x33, 0xce, 0x13, 0x4f, 0x34, ++ 0x3c, 0x94, 0x40, 0x8d, 0xf2, 0x65, 0x42, 0xef, ++ 0x70, 0x54, 0xdd, 0x5f, 0xc1, 0xd7, 0x0b, 0xa6, ++ 0x06, 0xd5, 0xa6, 0x47, 0xae, 0x2c, 0x1f, 0x5a, ++ 0xa6, 0xb3, 0xc1, 0x38, 0x3a, 0x3b, 0x60, 0x94, ++ 0xa2, 0x95, 0xab, 0xb2, 0x86, 0x82, 0xc5, 0x3b, ++ 0xb8, 0x6f, 0x3e, 0x55, 0x86, 0x84, 0xe0, 0x00, ++ 0xe5, 0xef, 0xca, 0x5c, 0xec, 0x7e, 0x38, 0x0f, ++ 0x82, 0xa2, 0xb1, 0xee, 0x48, 0x1b, 0x32, 0xbb, ++ 0x5a, 0x33, 0xa5, 0x01, 0xba, 0xca, 0xa6, 0x64, ++ 0x61, 0xb6, 0xe5, 0x5c, 0x0e, 0x5f, 0x2c, 0x66, ++ 0x0d, 0x01, 0x6a, 0x20, 0x04, 0x70, 0x68, 0x82, ++ 0x93, 0x29, 0x15, 0x3b, 0x7a, 0x06, 0xb2, 0x92, ++ 0x61, 0xcd, 0x7e, 0xa4, 0xc1, 0x15, 0x64, 0x3b, ++ 0x3c, 0x51, 0x10, 0x4c, 0x87, 0xa6, 0xaf, 0x07, ++ 0xce, 0x46, 0x82, 0x75, 0xf3, 0x90, 0xf3, 0x21, ++ 0x55, 0x74, 0xc2, 0xe4, 0x96, 0x7d, 0xc3, 0xe6, ++ 0x33, 0xa5, 0xc6, 0x51, 0xef, 0xec, 0x90, 0x08 ++ }; ++ ++ static const PRUint8 dh_known_x_2[] = { ++ 0x9e, 0x9b, 0xc3, 0x25, 0x53, 0xf9, 0xfc, 0x92, ++ 0xb6, 0xae, 0x54, 0x8e, 0x23, 0x4c, 0x94, 0xba, ++ 0x41, 0xe6, 0x29, 0x33, 0xb9, 0xdb, 0xff, 0x6d, ++ 0xa8, 0xb8, 0x48, 0x49, 0x66, 0x11, 0xa6, 0x13 ++ }; ++ ++ static const PRUint8 dh_known_hash_result[] = { ++ 0x93, 0xa2, 0x89, 0x1c, 0x8a, 0xc3, 0x70, 0xbf, ++ 0xa7, 0xdf, 0xb6, 0xd7, 0x82, 0xfb, 0x87, 0x81, ++ 0x09, 0x47, 0xf3, 0x9f, 0x5a, 0xbf, 0x4f, 0x3f, ++ 0x8e, 0x5e, 0x06, 0xca, 0x30, 0xa7, 0xaf, 0x10 ++ }; ++ ++ /* DH variables. */ ++ SECStatus dhStatus; ++ SECItem dh_prime; ++ SECItem dh_pub_key_1; ++ SECItem dh_priv_key_2; ++ SECItem ZZ = { 0, 0, 0 }; ++ PRUint8 computed_hash_result[HASH_LENGTH_MAX]; ++ ++ dh_prime.data = (PRUint8 *)dh_known_P; ++ dh_prime.len = sizeof(dh_known_P); ++ dh_pub_key_1.data = (PRUint8 *)dh_known_Y_1; ++ dh_pub_key_1.len = sizeof(dh_known_Y_1); ++ dh_priv_key_2.data = (PRUint8 *)dh_known_x_2; ++ dh_priv_key_2.len = sizeof(dh_known_x_2); ++ ++ /* execute the derive */ ++ dhStatus = DH_Derive(&dh_pub_key_1, &dh_prime, &dh_priv_key_2, &ZZ, dh_prime.len); ++ if (dhStatus != SECSuccess) { ++ goto loser; ++ } ++ ++ dhStatus = SHA256_HashBuf(computed_hash_result, ZZ.data, ZZ.len); ++ if (dhStatus != SECSuccess) { ++ goto loser; ++ } ++ ++ if (PORT_Memcmp(computed_hash_result, dh_known_hash_result, ++ sizeof(dh_known_hash_result)) != 0) { ++ dhStatus = SECFailure; ++ goto loser; ++ } ++ ++loser: ++ if (ZZ.data) { ++ SECITEM_FreeItem(&ZZ, PR_FALSE); ++ } ++ ++ if (dhStatus != SECSuccess) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return (SECFailure); ++ } ++ return (SECSuccess); ++} ++ ++static SECStatus + freebl_fips_RNG_PowerUpSelfTest(void) + { + static const PRUint8 Q[] = { + 0x85, 0x89, 0x9c, 0x77, 0xa3, 0x79, 0xff, 0x1a, + 0x86, 0x6f, 0x2f, 0x3e, 0x2e, 0xf9, 0x8c, 0x9c, + 0x9d, 0xef, 0xeb, 0xed + }; + static const PRUint8 GENX[] = { +@@ -1536,31 +1838,37 @@ freebl_fipsPowerUpSelfTest(unsigned int + + /* HMAC SHA-X Power-Up SelfTest(s). */ + rv = freebl_fips_HMAC_PowerUpSelfTest(); + + if (rv != SECSuccess) + return rv; + + /* NOTE: RSA can only be tested in full freebl. It requires access to +- * the locking primitives */ ++ * the locking primitives */ + /* RSA Power-Up SelfTest(s). */ + rv = freebl_fips_RSA_PowerUpSelfTest(); + + if (rv != SECSuccess) + return rv; + + /* DSA Power-Up SelfTest(s). */ + rv = freebl_fips_DSA_PowerUpSelfTest(); + + if (rv != SECSuccess) + return rv; + +- /* ECDSA Power-Up SelfTest(s). */ +- rv = freebl_fips_ECDSA_PowerUpSelfTest(); ++ /* DH Power-Up SelfTest(s). */ ++ rv = freebl_fips_DH_PowerUpSelfTest(); ++ ++ if (rv != SECSuccess) ++ return rv; ++ ++ /* EC Power-Up SelfTest(s). */ ++ rv = freebl_fips_EC_PowerUpSelfTest(); + + if (rv != SECSuccess) + return rv; + } + /* Passed Power-Up SelfTest(s). */ + return (SECSuccess); + } + +diff --git a/lib/freebl/intel-gcm-wrap.c b/lib/freebl/intel-gcm-wrap.c +--- a/lib/freebl/intel-gcm-wrap.c ++++ b/lib/freebl/intel-gcm-wrap.c +@@ -138,16 +138,17 @@ intel_AES_GCM_CreateContext(void *contex + loser: + PORT_Free(gcm); + return NULL; + } + + void + intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit) + { ++ PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext)); + if (freeit) { + PORT_Free(gcm); + } + } + + SECStatus + intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm, + unsigned char *outbuf, +diff --git a/lib/freebl/pqg.c b/lib/freebl/pqg.c +--- a/lib/freebl/pqg.c ++++ b/lib/freebl/pqg.c +@@ -486,21 +486,21 @@ cleanup: + ** Perform steps from FIPS 186-3, Appendix A.1.2.1 and Appendix C.6 + ** + ** This generates a provable prime from two smaller prime. The resulting + ** prime p will have q0 as a multiple of p-1. q0 can be 1. + ** + ** This implments steps 4 thorough 22 of FIPS 186-3 A.1.2.1 and + ** steps 16 through 34 of FIPS 186-2 C.6 + */ +-#define MAX_ST_SEED_BITS (HASH_LENGTH_MAX * PR_BITS_PER_BYTE) + static SECStatus + makePrimefromPrimesShaweTaylor( + HASH_HashType hashtype, /* selected Hashing algorithm */ + unsigned int length, /* input. Length of prime in bits. */ ++ unsigned int seedlen, /* input seed length in bits */ + mp_int *c0, /* seed prime */ + mp_int *q, /* sub prime, can be 1 */ + mp_int *prime, /* output. */ + SECItem *prime_seed, /* input/output. */ + unsigned int *prime_gen_counter) /* input/output. */ + { + mp_int c; + mp_int c0_2; +@@ -552,33 +552,32 @@ makePrimefromPrimesShaweTaylor( + */ + + /* Step 4/16 iterations = ceiling(length/outlen)-1 */ + iterations = (length + outlen - 1) / outlen; /* NOTE: iterations +1 */ + /* Step 5/17 old_counter = prime_gen_counter */ + old_counter = *prime_gen_counter; + /* + ** Comment: Generate a pseudorandom integer x in the interval +- ** [2**(lenght-1), 2**length]. ++ ** [2**(length-1), 2**length]. + ** + ** Step 6/18 x = 0 + */ + PORT_Memset(x, 0, sizeof(x)); + /* + ** Step 7/19 for i = 0 to iterations do + ** x = x + (HASH(prime_seed + i) * 2^(i*outlen)) + */ + for (i = 0; i < iterations; i++) { + /* is bigger than prime_seed should get to */ + CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, i, +- MAX_ST_SEED_BITS, &x[(iterations - i - 1) * hashlen])); ++ seedlen, &x[(iterations - i - 1) * hashlen])); + } + /* Step 8/20 prime_seed = prime_seed + iterations + 1 */ +- CHECK_SEC_OK(addToSeed(prime_seed, iterations, MAX_ST_SEED_BITS, +- prime_seed)); ++ CHECK_SEC_OK(addToSeed(prime_seed, iterations, seedlen, prime_seed)); + /* + ** Step 9/21 x = 2 ** (length-1) + x mod 2 ** (length-1) + ** + ** This step mathematically sets the high bit and clears out + ** all the other bits higher than length. 'x' is stored + ** in the x array, MSB first. The above formula gives us an 'x' + ** which is length bytes long and has the high bit set. We also know + ** that length <= iterations*outlen since +@@ -590,17 +589,17 @@ makePrimefromPrimesShaweTaylor( + * multiple of 8,*/ + bit = 1 << ((length - 1) & 0x7); /* select the proper bit in the byte */ + /* we need to zero out the rest of the bits in the byte above */ + mask = (bit - 1); + /* now we set it */ + x[offset] = (mask & x[offset]) | bit; + /* + ** Comment: Generate a candidate prime c in the interval +- ** [2**(lenght-1), 2**length]. ++ ** [2**(length-1), 2**length]. + ** + ** Step 10 t = ceiling(x/(2q(p0))) + ** Step 22 t = ceiling(x/(2(c0))) + */ + CHECK_MPI_OK(mp_read_unsigned_octets(&t, &x[offset], + hashlen * iterations - offset)); /* t = x */ + CHECK_MPI_OK(mp_mul(c0, q, &c0_2)); /* c0_2 is now c0*q */ + CHECK_MPI_OK(mp_add(&c0_2, &c0_2, &c0_2)); /* c0_2 is now 2*q*c0 */ +@@ -619,17 +618,17 @@ makePrimefromPrimesShaweTaylor( + step_23: + CHECK_MPI_OK(mp_mul(&t, &c0_2, &c)); /* c = t*2qc0 */ + CHECK_MPI_OK(mp_add_d(&c, (mp_digit)1, &c)); /* c= 2tqc0 + 1*/ + if (mpl_significant_bits(&c) > length) { /* if c > 2**length */ + CHECK_MPI_OK(mp_sub_d(&c0_2, (mp_digit)1, &t)); /* t = 2qc0-1 */ + /* t = 2**(length-1) + 2qc0 -1 */ + CHECK_MPI_OK(mp_add(&two_length_minus_1, &t, &t)); + /* t = floor((2**(length-1)+2qc0 -1)/2qco) +- * = ceil(2**(lenght-2)/2qc0) */ ++ * = ceil(2**(length-2)/2qc0) */ + CHECK_MPI_OK(mp_div(&t, &c0_2, &t, NULL)); + CHECK_MPI_OK(mp_mul(&t, &c0_2, &c)); + CHECK_MPI_OK(mp_add_d(&c, (mp_digit)1, &c)); /* c= 2tqc0 + 1*/ + } + /* Step 13/25 prime_gen_counter = prime_gen_counter + 1*/ + (*prime_gen_counter)++; + /* + ** Comment: Test the candidate prime c for primality; first pick an +@@ -640,23 +639,21 @@ step_23: + PORT_Memset(x, 0, sizeof(x)); /* use x for a */ + /* + ** Step 15/27 for i = 0 to iterations do + ** a = a + (HASH(prime_seed + i) * 2^(i*outlen)) + ** + ** NOTE: we reuse the x array for 'a' initially. + */ + for (i = 0; i < iterations; i++) { +- /* MAX_ST_SEED_BITS is bigger than prime_seed should get to */ + CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, i, +- MAX_ST_SEED_BITS, &x[(iterations - i - 1) * hashlen])); ++ seedlen, &x[(iterations - i - 1) * hashlen])); + } + /* Step 16/28 prime_seed = prime_seed + iterations + 1 */ +- CHECK_SEC_OK(addToSeed(prime_seed, iterations, MAX_ST_SEED_BITS, +- prime_seed)); ++ CHECK_SEC_OK(addToSeed(prime_seed, iterations, seedlen, prime_seed)); + /* Step 17/29 a = 2 + (a mod (c-3)). */ + CHECK_MPI_OK(mp_read_unsigned_octets(&a, x, iterations * hashlen)); + CHECK_MPI_OK(mp_sub_d(&c, (mp_digit)3, &z)); /* z = c -3 */ + CHECK_MPI_OK(mp_mod(&a, &z, &a)); /* a = a mod c -3 */ + CHECK_MPI_OK(mp_add_d(&a, (mp_digit)2, &a)); /* a = 2 + a mod c -3 */ + /* + ** Step 18 z = a**(2tq) mod p. + ** Step 30 z = a**(2t) mod c. +@@ -737,16 +734,17 @@ makePrimefromSeedShaweTaylor( + { + mp_int c; + mp_int c0; + mp_int one; + SECStatus rv = SECFailure; + int hashlen = HASH_ResultLen(hashtype); + int outlen = hashlen * PR_BITS_PER_BYTE; + int offset; ++ int seedlen = input_seed->len * 8; /*seedlen is in bits */ + unsigned char bit, mask; + unsigned char x[HASH_LENGTH_MAX * 2]; + mp_digit dummy; + mp_err err = MP_OKAY; + int i; + + MP_DIGITS(&c) = 0; + MP_DIGITS(&c0) = 0; +@@ -770,30 +768,29 @@ makePrimefromSeedShaweTaylor( + */ + rv = makePrimefromSeedShaweTaylor(hashtype, (length + 1) / 2 + 1, + input_seed, &c0, prime_seed, prime_gen_counter); + /* Step 15 if FAILURE is returned, return (FAILURE, 0, 0, 0). */ + if (rv != SECSuccess) { + goto cleanup; + } + /* Steps 16-34 */ +- rv = makePrimefromPrimesShaweTaylor(hashtype, length, &c0, &one, ++ rv = makePrimefromPrimesShaweTaylor(hashtype, length, seedlen, &c0, &one, + prime, prime_seed, prime_gen_counter); + goto cleanup; /* we're done, one way or the other */ + } + /* Step 3 prime_seed = input_seed */ + CHECK_SEC_OK(SECITEM_CopyItem(NULL, prime_seed, input_seed)); + /* Step 4 prime_gen_count = 0 */ + *prime_gen_counter = 0; + + step_5: + /* Step 5 c = Hash(prime_seed) xor Hash(prime_seed+1). */ + CHECK_SEC_OK(HASH_HashBuf(hashtype, x, prime_seed->data, prime_seed->len)); +- CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, 1, +- MAX_ST_SEED_BITS, &x[hashlen])); ++ CHECK_SEC_OK(addToSeedThenHash(hashtype, prime_seed, 1, seedlen, &x[hashlen])); + for (i = 0; i < hashlen; i++) { + x[i] = x[i] ^ x[i + hashlen]; + } + /* Step 6 c = 2**length-1 + c mod 2**length-1 */ + /* This step mathematically sets the high bit and clears out + ** all the other bits higher than length. Right now c is stored + ** in the x array, MSB first. The above formula gives us a c which + ** is length bytes long and has the high bit set. We also know that +@@ -812,17 +809,17 @@ step_5: + /* Step 7 c = c*floor(c/2) + 1 */ + /* set the low bit. much easier to find (the end of the array) */ + x[hashlen - 1] |= 1; + /* now that we've set our bits, we can create our candidate "c" */ + CHECK_MPI_OK(mp_read_unsigned_octets(&c, &x[offset], hashlen - offset)); + /* Step 8 prime_gen_counter = prime_gen_counter + 1 */ + (*prime_gen_counter)++; + /* Step 9 prime_seed = prime_seed + 2 */ +- CHECK_SEC_OK(addToSeed(prime_seed, 2, MAX_ST_SEED_BITS, prime_seed)); ++ CHECK_SEC_OK(addToSeed(prime_seed, 2, seedlen, prime_seed)); + /* Step 10 Perform deterministic primality test on c. For example, since + ** c is small, it's primality can be tested by trial division, See + ** See Appendic C.7. + ** + ** We in fact test with trial division. mpi has a built int trial divider + ** that divides all divisors up to 2^16. + */ + if (prime_tab[prime_tab_size - 1] < 0xFFF1) { +@@ -885,17 +882,18 @@ findQfromSeed( + unsigned int L, /* input. Length of p in bits. */ + unsigned int N, /* input. Length of q in bits. */ + unsigned int g, /* input. Length of seed in bits. */ + const SECItem *seed, /* input. */ + mp_int *Q, /* input. */ + mp_int *Q_, /* output. */ + unsigned int *qseed_len, /* output */ + HASH_HashType *hashtypePtr, /* output. Hash uses */ +- pqgGenType *typePtr) /* output. Generation Type used */ ++ pqgGenType *typePtr, /* output. Generation Type used */ ++ unsigned int *qgen_counter) /* output. q_counter */ + { + HASH_HashType hashtype; + SECItem firstseed = { 0, 0, 0 }; + SECItem qseed = { 0, 0, 0 }; + SECStatus rv; + + *qseed_len = 0; /* only set if FIPS186_3_ST_TYPE */ + +@@ -959,16 +957,17 @@ findQfromSeed( + * accident, someone has been tweeking with the seeds, just + * fail a this point. */ + SECITEM_FreeItem(&qseed, PR_FALSE); + return SECFailure; + } + *qseed_len = qseed.len; + *hashtypePtr = hashtype; + *typePtr = FIPS186_3_ST_TYPE; ++ *qgen_counter = count; + SECITEM_FreeItem(&qseed, PR_FALSE); + return SECSuccess; + } + SECITEM_FreeItem(&qseed, PR_FALSE); + } + /* no hash algorithms found which match seed to Q, fail */ + return SECFailure; + } +@@ -1383,29 +1382,33 @@ step_5: + CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, N, &firstseed, &Q, + &qseed, &qgen_counter)); + /* Step 3. Use floor(L/2+1) and qseed to generate random prime p0 + * using Appendix C.6 */ + pgen_counter = 0; + CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, (L + 1) / 2 + 1, + &qseed, &p0, &pseed, &pgen_counter)); + /* Steps 4-22 FIPS 186-3 appendix A.1.2.1.2 */ +- CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, ++ CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, seedBytes * 8, + &p0, &Q, &P, &pseed, &pgen_counter)); + + /* combine all the seeds */ +- seed->len = firstseed.len + qseed.len + pseed.len; ++ if ((qseed.len > firstseed.len) || (pseed.len > firstseed.len)) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); /* shouldn't happen */ ++ goto cleanup; ++ } ++ seed->len = firstseed.len * 3; /*handle leading zeros in pseed and qseed*/ + seed->data = PORT_ArenaZAlloc(verify->arena, seed->len); + if (seed->data == NULL) { + goto cleanup; + } + PORT_Memcpy(seed->data, firstseed.data, firstseed.len); +- PORT_Memcpy(seed->data + firstseed.len, pseed.data, pseed.len); +- PORT_Memcpy(seed->data + firstseed.len + pseed.len, qseed.data, qseed.len); +- counter = 0; /* (qgen_counter << 16) | pgen_counter; */ ++ PORT_Memcpy(seed->data + 2 * firstseed.len - pseed.len, pseed.data, pseed.len); ++ PORT_Memcpy(seed->data + 3 * firstseed.len - qseed.len, qseed.data, qseed.len); ++ counter = (qgen_counter << 16) | pgen_counter; + + /* we've generated both P and Q now, skip to generating G */ + goto generate_G; + } + /* ****************************************************************** + ** Step 8. (Step 4 in 186-1) + ** "Use a robust primality testing algorithm to test whether q is prime." + ** +@@ -1615,16 +1618,17 @@ PQG_VerifyParams(const PQGParams *params + { + SECStatus rv = SECSuccess; + unsigned int g, n, L, N, offset, outlen; + mp_int p0, P, Q, G, P_, Q_, G_, r, h; + mp_err err = MP_OKAY; + int j; + unsigned int counter_max = 0; /* handle legacy L < 1024 */ + unsigned int qseed_len; ++ unsigned int qgen_counter_ = 0; + SECItem pseed_ = { 0, 0, 0 }; + HASH_HashType hashtype; + pqgGenType type; + + #define CHECKPARAM(cond) \ + if (!(cond)) { \ + *result = SECFailure; \ + goto cleanup; \ +@@ -1694,77 +1698,104 @@ PQG_VerifyParams(const PQGParams *params + CHECKPARAM(mp_cmp_d(&r, 1) == 0); + /* 5. Q is prime */ + CHECKPARAM(mpp_pprime(&Q, prime_testcount_q(L, N)) == MP_YES); + /* 6. P is prime */ + CHECKPARAM(mpp_pprime(&P, prime_testcount_p(L, N)) == MP_YES); + /* Steps 7-12 are done only if the optional PQGVerify is supplied. */ + /* continue processing P */ + /* 7. counter < 4*L */ +- CHECKPARAM((vfy->counter == -1) || (vfy->counter < counter_max)); + /* 8. g >= N and g < 2*L (g is length of seed in bits) */ +- g = vfy->seed.len * 8; +- CHECKPARAM(g >= N && g < counter_max / 2); ++ /* step 7 and 8 are delayed until we determine which type of generation ++ * was used */ + /* 9. Q generated from SEED matches Q in PQGParams. */ + /* This function checks all possible hash and generation types to + * find a Q_ which matches Q. */ ++ g = vfy->seed.len * 8; + CHECKPARAM(findQfromSeed(L, N, g, &vfy->seed, &Q, &Q_, &qseed_len, +- &hashtype, &type) == SECSuccess); ++ &hashtype, &type, &qgen_counter_) == SECSuccess); + CHECKPARAM(mp_cmp(&Q, &Q_) == 0); ++ /* now we can do steps 7 & 8*/ ++ if ((type == FIPS186_1_TYPE) || (type == FIPS186_3_TYPE)) { ++ CHECKPARAM((vfy->counter == -1) || (vfy->counter < counter_max)); ++ CHECKPARAM(g >= N && g < counter_max / 2); ++ } + if (type == FIPS186_3_ST_TYPE) { + SECItem qseed = { 0, 0, 0 }; + SECItem pseed = { 0, 0, 0 }; + unsigned int first_seed_len; +- unsigned int pgen_counter = 0; ++ unsigned int pgen_counter_ = 0; ++ unsigned int qgen_counter = (vfy->counter >> 16) & 0xffff; ++ unsigned int pgen_counter = (vfy->counter) & 0xffff; + + /* extract pseed and qseed from domain_parameter_seed, which is + * first_seed || pseed || qseed. qseed is first_seed + small_integer +- * pseed is qseed + small_integer. This means most of the time ++ * mod the length of first_seed. pseed is qseed + small_integer mod ++ * the length of first_seed. This means most of the time + * first_seed.len == qseed.len == pseed.len. Rarely qseed.len and/or +- * pseed.len will be one greater than first_seed.len, so we can +- * depend on the fact that +- * first_seed.len = floor(domain_parameter_seed.len/3). +- * findQfromSeed returned qseed.len, so we can calculate pseed.len as +- * pseed.len = domain_parameter_seed.len - first_seed.len - qseed.len +- * this is probably over kill, since 99.999% of the time they will all +- * be equal. +- * +- * With the lengths, we can now find the offsets; ++ * pseed.len will be smaller because mpi clamps them. pqgGen ++ * automatically adds the zero pad back though, so we can depend ++ * domain_parameter_seed.len to be a multiple of three. We only have ++ * to deal with the fact that the returned seeds from our functions ++ * could be shorter. ++ * first_seed.len = domain_parameter_seed.len/3 ++ * We can now find the offsets; + * first_seed.data = domain_parameter_seed.data + 0 + * pseed.data = domain_parameter_seed.data + first_seed.len + * qseed.data = domain_parameter_seed.data + * + domain_paramter_seed.len - qseed.len +- * ++ * We deal with pseed possibly having zero pad in the pseed check later. + */ + first_seed_len = vfy->seed.len / 3; + CHECKPARAM(qseed_len < vfy->seed.len); + CHECKPARAM(first_seed_len * 8 > N - 1); +- CHECKPARAM(first_seed_len + qseed_len < vfy->seed.len); ++ CHECKPARAM(first_seed_len * 8 < counter_max / 2); ++ CHECKPARAM(first_seed_len >= qseed_len); + qseed.len = qseed_len; + qseed.data = vfy->seed.data + vfy->seed.len - qseed.len; +- pseed.len = vfy->seed.len - (first_seed_len + qseed_len); ++ pseed.len = first_seed_len; + pseed.data = vfy->seed.data + first_seed_len; + + /* + * now complete FIPS 186-3 A.1.2.1.2. Step 1 was completed + * above in our initial checks, Step 2 was completed by + * findQfromSeed */ + + /* Step 3 (status, c0, prime_seed, prime_gen_counter) = + ** (ST_Random_Prime((ceil(length/2)+1, input_seed) + */ + CHECK_SEC_OK(makePrimefromSeedShaweTaylor(hashtype, (L + 1) / 2 + 1, +- &qseed, &p0, &pseed_, &pgen_counter)); ++ &qseed, &p0, &pseed_, &pgen_counter_)); + /* Steps 4-22 FIPS 186-3 appendix A.1.2.1.2 */ +- CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, +- &p0, &Q_, &P_, &pseed_, &pgen_counter)); ++ CHECK_SEC_OK(makePrimefromPrimesShaweTaylor(hashtype, L, first_seed_len * 8, ++ &p0, &Q_, &P_, &pseed_, &pgen_counter_)); + CHECKPARAM(mp_cmp(&P, &P_) == 0); + /* make sure pseed wasn't tampered with (since it is part of + * calculating G) */ ++ if (pseed.len > pseed_.len) { ++ /* handle the case of zero pad for pseed */ ++ int extra = pseed.len - pseed_.len; ++ int i; ++ for (i = 0; i < extra; i++) { ++ if (pseed.data[i] != 0) { ++ *result = SECFailure; ++ goto cleanup; ++ } ++ } ++ pseed.data += extra; ++ pseed.len -= extra; ++ /* the rest is handled in the normal compare below */ ++ } + CHECKPARAM(SECITEM_CompareItem(&pseed, &pseed_) == SECEqual); ++ if (vfy->counter != -1) { ++ CHECKPARAM(pgen_counter < counter_max); ++ CHECKPARAM(qgen_counter < counter_max); ++ CHECKPARAM((pgen_counter_ == pgen_counter)); ++ CHECKPARAM((qgen_counter_ == qgen_counter)); ++ } + } else if (vfy->counter == -1) { + /* If counter is set to -1, we are really only verifying G, skip + * the remainder of the checks for P */ + CHECKPARAM(type != FIPS186_1_TYPE); /* we only do this for DSA2 */ + } else { + /* 10. P generated from (L, counter, g, SEED, Q) matches P + * in PQGParams. */ + outlen = HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE; +diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c +--- a/lib/freebl/rijndael.c ++++ b/lib/freebl/rijndael.c +@@ -1027,23 +1027,25 @@ AES_CreateContext(const unsigned char *k + * AES_DestroyContext + * + * Zero an AES cipher context. If freeit is true, also free the pointer + * to the context. + */ + void + AES_DestroyContext(AESContext *cx, PRBool freeit) + { ++ void *mem = cx->mem; + if (cx->worker_cx && cx->destroy) { + (*cx->destroy)(cx->worker_cx, PR_TRUE); + cx->worker_cx = NULL; + cx->destroy = NULL; + } ++ PORT_Memset(cx, 0, sizeof(AESContext)); + if (freeit) { +- PORT_Free(cx->mem); ++ PORT_Free(mem); + } + } + + /* + * AES_Encrypt + * + * Encrypt an arbitrary-length buffer. The output buffer must already be + * allocated to at least inputLen. +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -4708,16 +4708,24 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + pairwise_digest_length, + signature, + &signature_length); + if (crv != CKR_OK) { + PORT_Free(signature); + return crv; + } + ++ /* detect trivial signing transforms */ ++ if (signature_length >= pairwise_digest_length) { ++ if (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0) { ++ PORT_Free(signature); ++ return CKR_DEVICE_ERROR; ++ } ++ } ++ + /* Verify the known hash using the public key. */ + crv = NSC_VerifyInit(hSession, &mech, publicKey->handle); + if (crv != CKR_OK) { + PORT_Free(signature); + return crv; + } + + crv = NSC_Verify(hSession, +@@ -7543,40 +7551,55 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + SHA512_HashBuf(key_block, (const unsigned char *)att->attrib.pValue, + att->attrib.ulValueLen); + + crv = sftk_forceAttribute(key, CKA_VALUE, key_block, keySize); + break; + + case CKM_DH_PKCS_DERIVE: { + SECItem derived, dhPublic; +- SECItem dhPrime, dhValue; ++ SECItem dhPrime, dhSubPrime, dhValue; + /* sourceKey - values for the local existing low key */ + /* get prime and value attributes */ + crv = sftk_Attribute2SecItem(NULL, &dhPrime, sourceKey, CKA_PRIME); +- if (crv != SECSuccess) ++ if (crv != CKR_OK) + break; + crv = sftk_Attribute2SecItem(NULL, &dhValue, sourceKey, CKA_VALUE); +- if (crv != SECSuccess) { ++ if (crv != CKR_OK) { + PORT_Free(dhPrime.data); + break; + } + + dhPublic.data = pMechanism->pParameter; + dhPublic.len = pMechanism->ulParameterLen; + ++ /* if the caller bothered to provide Q, use Q to validate. ++ * the public key */ ++ crv = sftk_Attribute2SecItem(NULL, &dhSubPrime, sourceKey, CKA_SUBPRIME); ++ if (crv == CKR_OK) { ++ rv = KEA_Verify(&dhPublic, &dhPrime, &dhSubPrime); ++ PORT_Free(dhSubPrime.data); ++ if (rv != SECSuccess) { ++ crv = CKR_ARGUMENTS_BAD; ++ PORT_Free(dhPrime.data); ++ PORT_Free(dhValue.data); ++ break; ++ } ++ } ++ + /* calculate private value - oct */ + rv = DH_Derive(&dhPublic, &dhPrime, &dhValue, &derived, keySize); + + PORT_Free(dhPrime.data); + PORT_Free(dhValue.data); + + if (rv == SECSuccess) { + sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len); + PORT_ZFree(derived.data, derived.len); ++ crv = CKR_OK; + } else + crv = CKR_HOST_MEMORY; + + break; + } + + case CKM_ECDH1_DERIVE: + case CKM_ECDH1_COFACTOR_DERIVE: { diff --git a/SOURCES/nss-softokn-fix-public-key-from-priv.patch b/SOURCES/nss-softokn-fix-public-key-from-priv.patch new file mode 100644 index 0000000..a5e43e3 --- /dev/null +++ b/SOURCES/nss-softokn-fix-public-key-from-priv.patch @@ -0,0 +1,241 @@ +diff -up ./nss/lib/softoken/lowkey.c.pub-priv-mech ./nss/lib/softoken/lowkey.c +--- ./nss/lib/softoken/lowkey.c.pub-priv-mech 2019-05-10 14:14:18.000000000 -0700 ++++ ./nss/lib/softoken/lowkey.c 2019-06-05 10:40:34.302002920 -0700 +@@ -261,6 +261,7 @@ NSSLOWKEYPublicKey * + nsslowkey_ConvertToPublicKey(NSSLOWKEYPrivateKey *privk) + { + NSSLOWKEYPublicKey *pubk; ++ SECItem publicValue; + PLArenaPool *arena; + + arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); +@@ -301,6 +302,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr + + pubk->arena = arena; + pubk->keyType = privk->keyType; ++ /* if the public key value doesn't exist, calculate it */ ++ if (privk->u.dsa.publicValue.len == 0) { ++ rv = DH_Derive(&privk->u.dsa.params.base, &privk->u.dsa.params.prime, ++ &privk->u.dsa.privateValue, &publicValue, 0); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = SECITEM_CopyItem(privk->arena, &privk->u.dsa.publicValue, &publicValue); ++ SECITEM_FreeItem(&publicValue, PR_FALSE); ++ if (rv != SECSuccess) { ++ break; ++ } ++ } + rv = SECITEM_CopyItem(arena, &pubk->u.dsa.publicValue, + &privk->u.dsa.publicValue); + if (rv != SECSuccess) +@@ -327,6 +341,19 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr + + pubk->arena = arena; + pubk->keyType = privk->keyType; ++ /* if the public key value doesn't exist, calculate it */ ++ if (privk->u.dh.publicValue.len == 0) { ++ rv = DH_Derive(&privk->u.dh.base, &privk->u.dh.prime, ++ &privk->u.dh.privateValue, &publicValue, 0); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = SECITEM_CopyItem(privk->arena, &privk->u.dh.publicValue, &publicValue); ++ SECITEM_FreeItem(&publicValue, PR_FALSE); ++ if (rv != SECSuccess) { ++ break; ++ } ++ } + rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue, + &privk->u.dh.publicValue); + if (rv != SECSuccess) +diff -up ./nss/lib/softoken/pkcs11c.c.pub-priv-mech ./nss/lib/softoken/pkcs11c.c +--- ./nss/lib/softoken/pkcs11c.c.pub-priv-mech 2019-06-05 10:40:34.298002922 -0700 ++++ ./nss/lib/softoken/pkcs11c.c 2019-06-05 10:43:38.610909153 -0700 +@@ -6569,6 +6569,10 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + extractValue = PR_FALSE; + classType = CKO_PRIVATE_KEY; + break; ++ case CKM_NSS_PUB_FROM_PRIV: ++ extractValue = PR_FALSE; ++ classType = CKO_PUBLIC_KEY; ++ break; + case CKM_NSS_JPAKE_FINAL_SHA1: /* fall through */ + case CKM_NSS_JPAKE_FINAL_SHA256: /* fall through */ + case CKM_NSS_JPAKE_FINAL_SHA384: /* fall through */ +@@ -6610,6 +6614,35 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + } + + switch (mechanism) { ++ /* get a public key from a private key. nsslowkey_ConvertToPublickey() ++ * will generate the public portion if it doesn't already exist. */ ++ case CKM_NSS_PUB_FROM_PRIV: { ++ NSSLOWKEYPrivateKey *privKey; ++ NSSLOWKEYPublicKey *pubKey; ++ int error; ++ ++ crv = sftk_GetULongAttribute(sourceKey, CKA_KEY_TYPE, &keyType); ++ if (crv != CKR_OK) { ++ break; ++ } ++ ++ /* privKey is stored in sourceKey and will be destroyed when ++ * the sourceKey is freed. */ ++ privKey = sftk_GetPrivKey(sourceKey, keyType, &crv); ++ if (privKey == NULL) { ++ break; ++ } ++ pubKey = nsslowkey_ConvertToPublicKey(privKey); ++ if (pubKey == NULL) { ++ error = PORT_GetError(); ++ crv = sftk_MapCryptError(error); ++ break; ++ } ++ crv = sftk_PutPubKey(key, sourceKey, keyType, pubKey); ++ nsslowkey_DestroyPublicKey(pubKey); ++ break; ++ } ++ + case CKM_NSS_IKE_PRF_DERIVE: + if (pMechanism->ulParameterLen != + sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) { +diff -up ./nss/lib/softoken/pkcs11.c.pub-priv-mech ./nss/lib/softoken/pkcs11.c +--- ./nss/lib/softoken/pkcs11.c.pub-priv-mech 2019-06-05 10:40:34.284002929 -0700 ++++ ./nss/lib/softoken/pkcs11.c 2019-06-05 10:40:34.303002919 -0700 +@@ -2208,6 +2208,123 @@ sftk_GetPrivKey(SFTKObject *object, CK_K + return priv; + } + ++/* populate a public key object from a lowpublic keys structure */ ++CK_RV ++sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privateKey, CK_KEY_TYPE keyType, NSSLOWKEYPublicKey *pubKey) ++{ ++ CK_OBJECT_CLASS classType = CKO_PUBLIC_KEY; ++ CK_BBOOL cktrue = CK_TRUE; ++ CK_RV crv = CKR_OK; ++ sftk_DeleteAttributeType(publicKey, CKA_CLASS); ++ sftk_DeleteAttributeType(publicKey, CKA_KEY_TYPE); ++ sftk_DeleteAttributeType(publicKey, CKA_VALUE); ++ ++ switch (keyType) { ++ case CKK_RSA: ++ sftk_DeleteAttributeType(publicKey, CKA_MODULUS); ++ sftk_DeleteAttributeType(publicKey, CKA_PUBLIC_EXPONENT); ++ /* format the keys */ ++ /* fill in the RSA dependent paramenters in the public key */ ++ crv = sftk_AddAttributeType(publicKey, CKA_MODULUS, ++ sftk_item_expand(&pubKey->u.rsa.modulus)); ++ if (crv != CKR_OK) ++ break; ++ crv = sftk_AddAttributeType(publicKey, CKA_PUBLIC_EXPONENT, ++ sftk_item_expand(&pubKey->u.rsa.publicExponent)); ++ break; ++ case CKK_DSA: ++ sftk_DeleteAttributeType(publicKey, CKA_PRIME); ++ sftk_DeleteAttributeType(publicKey, CKA_SUBPRIME); ++ sftk_DeleteAttributeType(publicKey, CKA_BASE); ++ crv = sftk_AddAttributeType(publicKey, CKA_PRIME, ++ sftk_item_expand(&pubKey->u.dsa.params.prime)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_SUBPRIME, ++ sftk_item_expand(&pubKey->u.dsa.params.subPrime)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_BASE, ++ sftk_item_expand(&pubKey->u.dsa.params.base)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_VALUE, ++ sftk_item_expand(&pubKey->u.dsa.publicValue)); ++ break; ++ ++ case CKK_DH: ++ sftk_DeleteAttributeType(publicKey, CKA_PRIME); ++ sftk_DeleteAttributeType(publicKey, CKA_BASE); ++ crv = sftk_AddAttributeType(publicKey, CKA_PRIME, ++ sftk_item_expand(&pubKey->u.dh.prime)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_BASE, ++ sftk_item_expand(&pubKey->u.dh.base)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_VALUE, ++ sftk_item_expand(&pubKey->u.dh.publicValue)); ++ break; ++ ++ case CKK_EC: ++ sftk_DeleteAttributeType(publicKey, CKA_EC_PARAMS); ++ sftk_DeleteAttributeType(publicKey, CKA_EC_POINT); ++ ++ crv = sftk_AddAttributeType(publicKey, CKA_EC_PARAMS, ++ sftk_item_expand(&pubKey->u.ec.ecParams.DEREncoding)); ++ if (crv != CKR_OK) { ++ break; ++ } ++ ++ crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, ++ sftk_item_expand(&pubKey->u.ec.publicValue)); ++ break; ++ ++ default: ++ return CKR_KEY_TYPE_INCONSISTENT; ++ } ++ crv = sftk_AddAttributeType(publicKey, CKA_CLASS, &classType, ++ sizeof(CK_OBJECT_CLASS)); ++ if (crv != CKR_OK) ++ return crv; ++ crv = sftk_AddAttributeType(publicKey, CKA_KEY_TYPE, &keyType, ++ sizeof(CK_KEY_TYPE)); ++ if (crv != CKR_OK) ++ return crv; ++ /* now handle the operator attributes */ ++ if (sftk_isTrue(privateKey, CKA_DECRYPT)) { ++ crv = sftk_forceAttribute(publicKey, CKA_ENCRYPT, &cktrue, sizeof(CK_BBOOL)); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } ++ if (sftk_isTrue(privateKey, CKA_SIGN)) { ++ crv = sftk_forceAttribute(publicKey, CKA_VERIFY, &cktrue, sizeof(CK_BBOOL)); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } ++ if (sftk_isTrue(privateKey, CKA_SIGN_RECOVER)) { ++ crv = sftk_forceAttribute(publicKey, CKA_VERIFY_RECOVER, &cktrue, sizeof(CK_BBOOL)); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } ++ if (sftk_isTrue(privateKey, CKA_DERIVE)) { ++ crv = sftk_forceAttribute(publicKey, CKA_DERIVE, &cktrue, sizeof(CK_BBOOL)); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } ++ return crv; ++} ++ + /* + **************************** Symetric Key utils ************************ + */ +diff -up ./nss/lib/softoken/pkcs11i.h.pub-priv-mech ./nss/lib/softoken/pkcs11i.h +--- ./nss/lib/softoken/pkcs11i.h.pub-priv-mech 2019-06-05 10:40:34.306002918 -0700 ++++ ./nss/lib/softoken/pkcs11i.h 2019-06-05 10:45:24.205855432 -0700 +@@ -695,6 +695,9 @@ extern NSSLOWKEYPublicKey *sftk_GetPubKe + CK_KEY_TYPE key_type, CK_RV *crvp); + extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object, + CK_KEY_TYPE key_type, CK_RV *crvp); ++extern CK_RV sftk_PutPubKey(SFTKObject *publicKey, SFTKObject *privKey, ++ CK_KEY_TYPE keyType, ++ NSSLOWKEYPublicKey *pubKey); + extern void sftk_FormatDESKey(unsigned char *key, int length); + extern PRBool sftk_CheckDESKey(unsigned char *key); + extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type); diff --git a/SOURCES/nss-softokn-fs-probe.patch b/SOURCES/nss-softokn-fs-probe.patch new file mode 100644 index 0000000..957fd7f --- /dev/null +++ b/SOURCES/nss-softokn-fs-probe.patch @@ -0,0 +1,23 @@ +diff -up nss/lib/softoken/sdb.c.fs-probe nss/lib/softoken/sdb.c +--- nss/lib/softoken/sdb.c.fs-probe 2019-05-10 23:14:18.000000000 +0200 ++++ nss/lib/softoken/sdb.c 2019-05-16 13:26:17.898377555 +0200 +@@ -1954,7 +1954,7 @@ sdb_init(char *dbname, char *table, sdbD + /* By default, with no variable set, we avoid expensive measuring for + * most FS types. We start with inexpensive FS type checking, and + * might perform measuring for some types. */ +- checkFSType = PR_TRUE; ++ measureSpeed = PR_TRUE; + } else if (PORT_Strcasecmp(env, "yes") == 0) { + enableCache = PR_TRUE; + } else if (PORT_Strcasecmp(env, "no") != 0) { /* not "no" => "auto" */ +@@ -2135,8 +2135,8 @@ s_open(const char *directory, const char + /* If the environment variable is undefined or set to yes or no, + * sdb_init() will ignore the value of accessOps, and we can skip the + * measuring.*/ +- if (env && PORT_Strcasecmp(env, "no") != 0 && +- PORT_Strcasecmp(env, "yes") != 0) { ++ if (!env || (PORT_Strcasecmp(env, "no") != 0 && ++ PORT_Strcasecmp(env, "yes") != 0)) { + accessOps = sdb_measureAccess(directory); + } + } diff --git a/SOURCES/nss-softokn-ike-patch.patch b/SOURCES/nss-softokn-ike-patch.patch new file mode 100644 index 0000000..784a2b0 --- /dev/null +++ b/SOURCES/nss-softokn-ike-patch.patch @@ -0,0 +1,4581 @@ +diff --git a/cmd/fipstest/README b/cmd/fipstest/README +new file mode 100644 +--- /dev/null ++++ b/cmd/fipstest/README +@@ -0,0 +1,1 @@ ++The scripts have been moved to tests/fips/cavs_scripts +diff --git a/cmd/fipstest/aes.sh b/cmd/fipstest/aes.sh +deleted file mode 100644 +--- a/cmd/fipstest/aes.sh ++++ /dev/null +@@ -1,112 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# +-# A Bourne shell script for running the NIST AES Algorithm Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +- +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/AES +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-cbc_kat_requests=" +-CBCGFSbox128.req +-CBCGFSbox192.req +-CBCGFSbox256.req +-CBCKeySbox128.req +-CBCKeySbox192.req +-CBCKeySbox256.req +-CBCVarKey128.req +-CBCVarKey192.req +-CBCVarKey256.req +-CBCVarTxt128.req +-CBCVarTxt192.req +-CBCVarTxt256.req +-" +- +-cbc_mct_requests=" +-CBCMCT128.req +-CBCMCT192.req +-CBCMCT256.req +-" +- +-cbc_mmt_requests=" +-CBCMMT128.req +-CBCMMT192.req +-CBCMMT256.req +-" +- +-ecb_kat_requests=" +-ECBGFSbox128.req +-ECBGFSbox192.req +-ECBGFSbox256.req +-ECBKeySbox128.req +-ECBKeySbox192.req +-ECBKeySbox256.req +-ECBVarKey128.req +-ECBVarKey192.req +-ECBVarKey256.req +-ECBVarTxt128.req +-ECBVarTxt192.req +-ECBVarTxt256.req +-" +- +-ecb_mct_requests=" +-ECBMCT128.req +-ECBMCT192.req +-ECBMCT256.req +-" +- +-ecb_mmt_requests=" +-ECBMMT128.req +-ECBMMT192.req +-ECBMMT256.req +-" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $cbc_kat_requests $cbc_mct_requests $cbc_mmt_requests $ecb_kat_requests $ecb_mct_requests $ecb_mmt_requests; do +- sh ./validate1.sh ${TESTDIR} $request +- done +- exit 0 +-fi +- +-for request in $cbc_kat_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes kat cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $cbc_mct_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes mct cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $cbc_mmt_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_kat_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes kat ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_mct_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes mct ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_mmt_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +diff --git a/cmd/fipstest/aesgcm.sh b/cmd/fipstest/aesgcm.sh +deleted file mode 100644 +--- a/cmd/fipstest/aesgcm.sh ++++ /dev/null +@@ -1,67 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST AES Algorithm Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +- +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/AES_GCM +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-gcm_decrypt_requests=" +-gcmDecrypt128.req +-gcmDecrypt192.req +-gcmDecrypt256.req +-" +- +-gcm_encrypt_extiv_requests=" +-gcmEncryptExtIV128.req +-gcmEncryptExtIV192.req +-gcmEncryptExtIV256.req +-" +-gcm_encrypt_intiv_requests=" +-" +- +-#gcm_encrypt_intiv_requests=" +-#gcmEncryptIntIV128.req +-#gcmEncryptIntIV192.req +-#gcmEncryptIntIV256.req +-#" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $gcm_decrypt_requests $gcm_encrypt_extiv_requests; do +- sh ./validate1.sh ${TESTDIR} $request ' ' '-e /Reason:/d' +- done +- for request in $gcm_encrypt_intiv_requests; do +- name=`basename $request .req` +- echo ">>>>> $name" +- fipstest aes gcm decrypt ${RSPDIR}/$name.rsp | grep FAIL +- done +- exit 0 +-fi +- +-for request in $gcm_decrypt_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes gcm decrypt ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $gcm_encrypt_intiv_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes gcm encrypt_intiv ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $gcm_encrypt_extiv_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest aes gcm encrypt_extiv ${REQDIR}/$request > ${RSPDIR}/$response +-done +diff --git a/cmd/fipstest/dsa.sh b/cmd/fipstest/dsa.sh +deleted file mode 100755 +--- a/cmd/fipstest/dsa.sh ++++ /dev/null +@@ -1,71 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST DSA Validation System +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/DSA2 +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +- +-# +-# several of the DSA tests do use known answer tests to verify the result. +-# in those cases, feed generated tests back into the fipstest tool and +-# see if we can verify those value. NOTE: th PQGVer and SigVer tests verify +-# the dsa pqgver and dsa sigver functions, so we know they can detect errors +-# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular. +-# +-if [ ${COMMAND} = "verify" ]; then +-# verify generated keys +- name=KeyPair +- echo ">>>>> $name" +- fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify generated pqg values +- name=PQGGen +- echo ">>>>> $name" +- fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify PQGVer with known answer +-# sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' +-# verify signatures +- name=SigGen +- echo ">>>>> $name" +- fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify SigVer with known answer +- sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;' +- exit 0 +-fi +- +-request=KeyPair.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dsa keypair ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=PQGGen.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dsa pqggen ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=PQGVer1863.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dsa pqgver ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=SigGen.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dsa siggen ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=SigVer.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dsa sigver ${REQDIR}/$request > ${RSPDIR}/$response +diff --git a/cmd/fipstest/ecdsa.sh b/cmd/fipstest/ecdsa.sh +deleted file mode 100644 +--- a/cmd/fipstest/ecdsa.sh ++++ /dev/null +@@ -1,60 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST ECDSA Validation System +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/ECDSA2 +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-# +-# several of the ECDSA tests do not use known answer tests to verify the result. +-# In those cases, feed generated tests back into the fipstest tool and +-# see if we can verify those value. NOTE: PQGVer and SigVer tests verify +-# the dsa pqgver and dsa sigver functions, so we know they can detect errors +-# in those PQGGen and SigGen. Only the KeyPair verify is potentially circular. +-# +-if [ ${COMMAND} = "verify" ]; then +-# verify generated keys +- name=KeyPair +- echo ">>>>> $name" +- fipstest ecdsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F +- sh ./validate1.sh ${TESTDIR} PKV.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' +-# verify signatures +- name=SigGen +- echo ">>>>> $name" +- fipstest ecdsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify SigVer with known answer +- sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' +- exit 0 +-fi +- +-request=KeyPair.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdsa keypair ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=PKV.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdsa pkv ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=SigGen.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdsa siggen ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=SigVer.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdsa sigver ${REQDIR}/$request > ${RSPDIR}/$response +diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c +--- a/cmd/fipstest/fipstest.c ++++ b/cmd/fipstest/fipstest.c +@@ -29,16 +29,21 @@ + #undef CK_PKCS11_FUNCTION_INFO + #undef CK_NEED_ARG_LIST + #undef __PASTE + #define SSL3_RANDOM_LENGTH 32 + + #if 0 + #include "../../lib/freebl/mpi/mpi.h" + #endif ++#define MATCH_OPENSSL 1 ++/*#define MATCH_NIST 1 */ ++#ifdef MATCH_NIST ++#define VERBOSE_REASON 1 ++#endif + + extern SECStatus + EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams); + extern SECStatus + EC_CopyParams(PLArenaPool *arena, ECParams *dstParams, + const ECParams *srcParams); + + #define ENCRYPT 1 +@@ -3164,16 +3169,20 @@ ecdh_functional(char *reqfn, PRBool resp + fprintf(stderr, "generate key had invalid public value len\n"); + goto loser; + } + uit_len = (uit_len - 1) / 2; + if (ecpriv->publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED) { + fprintf(stderr, "generate key was compressed\n"); + goto loser; + } ++ fputs("deIUT = ", ecdhresp); ++ to_hex_str(buf, ecpriv->privateValue.data, ecpriv->privateValue.len); ++ fputs(buf, ecdhresp); ++ fputc('\n', ecdhresp); + fputs("QeIUTx = ", ecdhresp); + to_hex_str(buf, &ecpriv->publicValue.data[1], uit_len); + fputs(buf, ecdhresp); + fputc('\n', ecdhresp); + fputs("QeIUTy = ", ecdhresp); + to_hex_str(buf, &ecpriv->publicValue.data[1 + uit_len], uit_len); + fputs(buf, ecdhresp); + fputc('\n', ecdhresp); +@@ -3210,17 +3219,16 @@ loser: + } + } + if (pubkey.data != NULL) { + PORT_Free(pubkey.data); + } + fclose(ecdhreq); + } + +-#define MATCH_OPENSSL 1 + /* + * Perform the ECDH Validity Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ + void +@@ -3403,42 +3411,47 @@ ecdh_verify(char *reqfn, PRBool response + if (strncmp(buf, "QeIUTx", 6) == 0) { + fputs(buf, ecdhresp); + continue; + } + if (strncmp(buf, "QeIUTy", 6) == 0) { + fputs(buf, ecdhresp); + continue; + } +- if (strncmp(buf, "CAVSHashZZ", 10) == 0) { ++ if ((strncmp(buf, "CAVSHashZZ", 10) == 0) || ++ (strncmp(buf, "HashZZ", 6) == 0)) { + fputs(buf, ecdhresp); +- i = 10; ++ i = (buf[0] == 'C') ? 10 : 6; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]); + if (current_ecparams == NULL) { + fprintf(stderr, "no curve defined for type defined\n"); + goto loser; + } + /* validate CAVS public key */ + if (EC_ValidatePublicKey(current_ecparams, &pubkey) != SECSuccess) { +-#ifdef MATCH_OPENSSL ++#ifdef VERBOSE_REASON ++ fprintf(ecdhresp, "Result = F # key didn't validate\n"); ++#else + fprintf(ecdhresp, "Result = F\n"); +-#else +- fprintf(ecdhresp, "Result = F # key didn't validate\n"); + #endif + continue; + } + + /* ECDH */ + if (ECDH_Derive(&pubkey, current_ecparams, &private_value, + PR_FALSE, &ZZ) != SECSuccess) { +- fprintf(stderr, "Derive failed\n"); +- goto loser; ++#ifdef VERBOSE_REASON ++ fprintf(ecdhresp, "Result = F # derive failure\n"); ++#else ++ fprintf(ecdhresp, "Result = F\n"); ++#endif ++ continue; + } + /* output ZZ */ + #ifndef MATCH_OPENSSL + fputs("Z = ", ecdhresp); + to_hex_str(buf, ZZ.data, ZZ.len); + fputs(buf, ecdhresp); + fputc('\n', ecdhresp); + #endif +@@ -3450,20 +3463,20 @@ ecdh_verify(char *reqfn, PRBool response + SECITEM_FreeItem(&ZZ, PR_FALSE); + #ifndef MATCH_NIST + fputs("IUTHashZZ = ", ecdhresp); + to_hex_str(buf, hashBuf, fips_hashLen(hash)); + fputs(buf, ecdhresp); + fputc('\n', ecdhresp); + #endif + if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) { +-#ifdef MATCH_OPENSSL ++#ifdef VERBOSE_REASON ++ fprintf(ecdhresp, "Result = F # hash doesn't match\n"); ++#else + fprintf(ecdhresp, "Result = F\n"); +-#else +- fprintf(ecdhresp, "Result = F # hash doesn't match\n"); + #endif + } else { + fprintf(ecdhresp, "Result = P\n"); + } + #ifndef MATCH_OPENSSL + fputc('\n', ecdhresp); + #endif + continue; +@@ -3670,17 +3683,16 @@ dh_functional(char *reqfn, PRBool respon + } + loser: + if (dsapriv != NULL) { + PORT_FreeArena(dsapriv->params.arena, PR_TRUE); + } + fclose(dhreq); + } + +-#define MATCH_OPENSSL 1 + /* + * Perform the DH Validity Test. + * + * reqfn is the pathname of the REQUEST file. + * + * The output RESPONSE file is written to stdout. + */ + void +@@ -3841,19 +3853,20 @@ dh_verify(char *reqfn, PRBool response) + continue; + } + /* YephemUIT = ... */ + if (strncmp(buf, "YephemIUT", 9) == 0) { + fputs(buf, dhresp); + continue; + } + /* CAVSHashZZ = ... */ +- if (strncmp(buf, "CAVSHashZZ", 10) == 0) { ++ if ((strncmp(buf, "CAVSHashZZ", 10) == 0) || ++ (strncmp(buf, "HashZZ", 6) == 0)) { + fputs(buf, dhresp); +- i = 10; ++ i = buf[0] == 'C' ? 10 : 6; + while (isspace(buf[i]) || buf[i] == '=') { + i++; + } + from_hex_str(cavsHashBuf, fips_hashLen(hash), &buf[i]); + /* do the DH operation*/ + if (DH_Derive(&pubkey, &pqg.prime, &privkey, + &ZZ, pqg.prime.len) != SECSuccess) { + fprintf(stderr, "Derive failed\n"); +@@ -3866,17 +3879,17 @@ dh_verify(char *reqfn, PRBool response) + fputs(buf, dhresp); + fputc('\n', dhresp); + #endif + if (fips_hashBuf(hash, hashBuf, ZZ.data, ZZ.len) != SECSuccess) { + fprintf(stderr, "hash of derived key failed\n"); + goto loser; + } + SECITEM_FreeItem(&ZZ, PR_FALSE); +-#ifndef MATCH_NIST_ ++#ifndef MATCH_NIST + fputs("IUTHashZZ = ", dhresp); + to_hex_str(buf, hashBuf, fips_hashLen(hash)); + fputs(buf, dhresp); + fputc('\n', dhresp); + #endif + if (memcmp(hashBuf, cavsHashBuf, fips_hashLen(hash)) != 0) { + fprintf(dhresp, "Result = F\n"); + } else { +@@ -6895,16 +6908,1306 @@ loser: + if (master_secret) + free(master_secret); + if (key_block) + free(key_block); + if (tlsreq) + fclose(tlsreq); + } + ++void ++ikev1(char *reqfn) ++{ ++ char buf[4096]; /* holds one line from the input REQUEST file. ++ * needs to be large enough to hold the longest ++ * line "g^xy = <2048 hex digits>\n". ++ */ ++ unsigned char *gxy = NULL; ++ int gxy_len; ++ unsigned char *Ni = NULL; ++ int Ni_len; ++ unsigned char *Nr = NULL; ++ int Nr_len; ++ unsigned char CKYi[8]; ++ int CKYi_len; ++ unsigned char CKYr[8]; ++ int CKYr_len; ++ unsigned int i, j; ++ FILE *ikereq = NULL; /* input stream from the REQUEST file */ ++ FILE *ikeresp; /* output stream to the RESPONSE file */ ++ ++ CK_SLOT_ID slotList[10]; ++ CK_SLOT_ID slotID; ++ CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]); ++ CK_ULONG count; ++ static const CK_C_INITIALIZE_ARGS pk11args = { ++ NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS, ++ (void *)"flags=readOnly,noCertDB,noModDB", NULL ++ }; ++ static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY; ++ static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET; ++ static CK_BBOOL ck_true = CK_TRUE; ++ static CK_ULONG keyLen = 1; ++ CK_ATTRIBUTE gxy_template[] = { ++ { CKA_VALUE, NULL, 0 }, /* must be first */ ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ }; ++ CK_ULONG gxy_template_count = ++ sizeof(gxy_template) / sizeof(gxy_template[0]); ++ CK_ATTRIBUTE derive_template[] = { ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, /* must be last */ ++ }; ++ CK_ULONG derive_template_count = ++ sizeof(derive_template) / sizeof(derive_template[0]); ++ CK_ATTRIBUTE skeyid_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_d_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_a_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_e_template = ++ { CKA_VALUE, NULL, 0 }; ++ unsigned char skeyid_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_d_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_a_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_e_secret[HASH_LENGTH_MAX]; ++ ++ CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 }; ++ CK_MECHANISM ike1_mech = { CKM_NSS_IKE1_PRF_DERIVE, NULL, 0 }; ++ CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf; ++ CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf; ++ CK_RV crv; ++ ++ /* set up PKCS #11 parameters */ ++ ike_prf.bDataAsKey = PR_TRUE; ++ ike_prf.bRekey = PR_FALSE; ++ ike_prf.hNewKey = CK_INVALID_HANDLE; ++ CKYi_len = sizeof(CKYi); ++ CKYr_len = sizeof(CKYr); ++ ike1_prf.pCKYi = CKYi; ++ ike1_prf.ulCKYiLen = CKYi_len; ++ ike1_prf.pCKYr = CKYr; ++ ike1_prf.ulCKYrLen = CKYr_len; ++ ike_mech.pParameter = &ike_prf; ++ ike_mech.ulParameterLen = sizeof(ike_prf); ++ ike1_mech.pParameter = &ike1_prf; ++ ike1_mech.ulParameterLen = sizeof(ike1_prf); ++ skeyid_template.pValue = skeyid_secret; ++ skeyid_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_d_template.pValue = skeyid_d_secret; ++ skeyid_d_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_a_template.pValue = skeyid_a_secret; ++ skeyid_a_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_e_template.pValue = skeyid_e_secret; ++ skeyid_e_template.ulValueLen = HASH_LENGTH_MAX; ++ ++ crv = NSC_Initialize((CK_VOID_PTR)&pk11args); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ count = slotListCount; ++ crv = NSC_GetSlotList(PR_TRUE, slotList, &count); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ if ((count > slotListCount) || count < 1) { ++ fprintf(stderr, ++ "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n", ++ (int)count, (int)slotListCount); ++ goto loser; ++ } ++ slotID = slotList[0]; ++ ikereq = fopen(reqfn, "r"); ++ ikeresp = stdout; ++ while (fgets(buf, sizeof buf, ikereq) != NULL) { ++ /* a comment or blank line */ ++ if (buf[0] == '#' || buf[0] == '\n') { ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* [.....] */ ++ if (buf[0] == '[') { ++ if (strncmp(buf, "[SHA-1]", 7) == 0) { ++ ike_prf.prfMechanism = CKM_SHA_1_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA_1_HMAC; ++ } ++ if (strncmp(buf, "[SHA-224]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA224_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA224_HMAC; ++ } ++ if (strncmp(buf, "[SHA-256]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA256_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA256_HMAC; ++ } ++ if (strncmp(buf, "[SHA-384]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA384_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA384_HMAC; ++ } ++ if (strncmp(buf, "[SHA-512]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA512_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA512_HMAC; ++ } ++ if (strncmp(buf, "[AES-XCBC", 9) == 0) { ++ ike_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ ike1_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ } ++ if (strncmp(buf, "[g^xy", 5) == 0) { ++ if (sscanf(buf, "[g^xy length = %d]", ++ &gxy_len) != 1) { ++ goto loser; ++ } ++ gxy_len = gxy_len / 8; ++ if (gxy) ++ free(gxy); ++ gxy = malloc(gxy_len); ++ gxy_template[0].pValue = gxy; ++ gxy_template[0].ulValueLen = gxy_len; ++ } ++ if (strncmp(buf, "[Ni", 3) == 0) { ++ if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) { ++ goto loser; ++ } ++ Ni_len = Ni_len / 8; ++ if (Ni) ++ free(Ni); ++ Ni = malloc(Ni_len); ++ ike_prf.pNi = Ni; ++ ike_prf.ulNiLen = Ni_len; ++ } ++ if (strncmp(buf, "[Nr", 3) == 0) { ++ if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) { ++ goto loser; ++ } ++ Nr_len = Nr_len / 8; ++ if (Nr) ++ free(Nr); ++ Nr = malloc(Nr_len); ++ ike_prf.pNr = Nr; ++ ike_prf.ulNrLen = Nr_len; ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* "COUNT = x" begins a new data set */ ++ if (strncmp(buf, "COUNT", 5) == 0) { ++ /* zeroize the variables for the test with this data set */ ++ memset(gxy, 0, gxy_len); ++ memset(Ni, 0, Ni_len); ++ memset(Nr, 0, Nr_len); ++ memset(CKYi, 0, CKYi_len); ++ memset(CKYr, 0, CKYr_len); ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Ni = ... */ ++ if (strncmp(buf, "Ni", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Ni_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Ni[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Nr = ... */ ++ if (strncmp(buf, "Nr", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Nr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Nr[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* CKYi = ... */ ++ if (strncmp(buf, "CKY_I", 5) == 0) { ++ i = 5; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < CKYi_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &CKYi[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* CKYr = ... */ ++ if (strncmp(buf, "CKY_R", 5) == 0) { ++ i = 5; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < CKYr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &CKYr[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* g^xy = ... */ ++ if (strncmp(buf, "g^xy", 4) == 0) { ++ CK_SESSION_HANDLE session; ++ CK_OBJECT_HANDLE gxy_handle; ++ CK_OBJECT_HANDLE skeyid_handle; ++ CK_OBJECT_HANDLE skeyid_d_handle; ++ CK_OBJECT_HANDLE skeyid_a_handle; ++ CK_OBJECT_HANDLE skeyid_e_handle; ++ i = 4; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < gxy_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &gxy[j]); ++ } ++ fputs(buf, ikeresp); ++ crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_CreateObject(session, gxy_template, ++ gxy_template_count, &gxy_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_CreateObject failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ /* get the skeyid key */ ++ crv = NSC_DeriveKey(session, &ike_mech, gxy_handle, ++ derive_template, derive_template_count - 1, ++ &skeyid_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ skeyid_template.ulValueLen = HASH_LENGTH_MAX; ++ crv = NSC_GetAttributeValue(session, skeyid_handle, ++ &skeyid_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ /* use the length of the skeyid to set the target length of all the ++ * other keys */ ++ keyLen = skeyid_template.ulValueLen; ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = PR_FALSE; ++ ike1_prf.keyNumber = 0; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_d_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_d) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = CK_TRUE; ++ ike1_prf.hPrevKey = skeyid_d_handle; ++ ike1_prf.keyNumber = 1; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_a_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_a) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = CK_TRUE; ++ ike1_prf.hPrevKey = skeyid_a_handle; ++ ike1_prf.keyNumber = 2; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_e_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_e) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID = ", ikeresp); ++ to_hex_str(buf, skeyid_secret, keyLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_d_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_d_handle, ++ &skeyid_d_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_d) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_d = ", ikeresp); ++ to_hex_str(buf, skeyid_d_secret, skeyid_d_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_a_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_a_handle, ++ &skeyid_a_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_a) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_a = ", ikeresp); ++ to_hex_str(buf, skeyid_a_secret, skeyid_a_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_e_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_e_handle, ++ &skeyid_e_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_e) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_e = ", ikeresp); ++ to_hex_str(buf, skeyid_e_secret, skeyid_e_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ crv = NSC_CloseSession(session); ++ continue; ++ } ++ } ++loser: ++ NSC_Finalize(NULL); ++ if (gxy) ++ free(gxy); ++ if (Ni) ++ free(Ni); ++ if (Nr) ++ free(Nr); ++ if (ikereq) ++ fclose(ikereq); ++} ++ ++void ++ikev1_psk(char *reqfn) ++{ ++ char buf[4096]; /* holds one line from the input REQUEST file. ++ * needs to be large enough to hold the longest ++ * line "g^xy = <2048 hex digits>\n". ++ */ ++ unsigned char *gxy = NULL; ++ int gxy_len; ++ unsigned char *Ni = NULL; ++ int Ni_len; ++ unsigned char *Nr = NULL; ++ int Nr_len; ++ unsigned char CKYi[8]; ++ int CKYi_len; ++ unsigned char CKYr[8]; ++ int CKYr_len; ++ unsigned char *psk = NULL; ++ int psk_len; ++ unsigned int i, j; ++ FILE *ikereq = NULL; /* input stream from the REQUEST file */ ++ FILE *ikeresp; /* output stream to the RESPONSE file */ ++ ++ CK_SLOT_ID slotList[10]; ++ CK_SLOT_ID slotID; ++ CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]); ++ CK_ULONG count; ++ static const CK_C_INITIALIZE_ARGS pk11args = { ++ NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS, ++ (void *)"flags=readOnly,noCertDB,noModDB", NULL ++ }; ++ static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY; ++ static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET; ++ static CK_BBOOL ck_true = CK_TRUE; ++ static CK_ULONG keyLen = 1; ++ CK_ATTRIBUTE gxy_template[] = { ++ { CKA_VALUE, NULL, 0 }, /* must be first */ ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ }; ++ CK_ULONG gxy_template_count = ++ sizeof(gxy_template) / sizeof(gxy_template[0]); ++ CK_ATTRIBUTE psk_template[] = { ++ { CKA_VALUE, NULL, 0 }, /* must be first */ ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ }; ++ CK_ULONG psk_template_count = ++ sizeof(psk_template) / sizeof(psk_template[0]); ++ CK_ATTRIBUTE derive_template[] = { ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, /* must be last */ ++ }; ++ CK_ULONG derive_template_count = ++ sizeof(derive_template) / sizeof(derive_template[0]); ++ CK_ATTRIBUTE skeyid_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_d_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_a_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE skeyid_e_template = ++ { CKA_VALUE, NULL, 0 }; ++ unsigned char skeyid_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_d_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_a_secret[HASH_LENGTH_MAX]; ++ unsigned char skeyid_e_secret[HASH_LENGTH_MAX]; ++ ++ CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 }; ++ CK_MECHANISM ike1_mech = { CKM_NSS_IKE1_PRF_DERIVE, NULL, 0 }; ++ CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf; ++ CK_NSS_IKE1_PRF_DERIVE_PARAMS ike1_prf; ++ CK_RV crv; ++ ++ /* set up PKCS #11 parameters */ ++ ike_prf.bDataAsKey = PR_FALSE; ++ ike_prf.bRekey = PR_FALSE; ++ ike_prf.hNewKey = CK_INVALID_HANDLE; ++ CKYi_len = 8; ++ CKYr_len = 8; ++ ike1_prf.pCKYi = CKYi; ++ ike1_prf.ulCKYiLen = CKYi_len; ++ ike1_prf.pCKYr = CKYr; ++ ike1_prf.ulCKYrLen = CKYr_len; ++ ike_mech.pParameter = &ike_prf; ++ ike_mech.ulParameterLen = sizeof(ike_prf); ++ ike1_mech.pParameter = &ike1_prf; ++ ike1_mech.ulParameterLen = sizeof(ike1_prf); ++ skeyid_template.pValue = skeyid_secret; ++ skeyid_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_d_template.pValue = skeyid_d_secret; ++ skeyid_d_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_a_template.pValue = skeyid_a_secret; ++ skeyid_a_template.ulValueLen = HASH_LENGTH_MAX; ++ skeyid_e_template.pValue = skeyid_e_secret; ++ skeyid_e_template.ulValueLen = HASH_LENGTH_MAX; ++ ++ crv = NSC_Initialize((CK_VOID_PTR)&pk11args); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ count = slotListCount; ++ crv = NSC_GetSlotList(PR_TRUE, slotList, &count); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ if ((count > slotListCount) || count < 1) { ++ fprintf(stderr, ++ "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n", ++ (int)count, (int)slotListCount); ++ goto loser; ++ } ++ slotID = slotList[0]; ++ ikereq = fopen(reqfn, "r"); ++ ikeresp = stdout; ++ while (fgets(buf, sizeof buf, ikereq) != NULL) { ++ /* a comment or blank line */ ++ if (buf[0] == '#' || buf[0] == '\n') { ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* [.....] */ ++ if (buf[0] == '[') { ++ if (strncmp(buf, "[SHA-1]", 7) == 0) { ++ ike_prf.prfMechanism = CKM_SHA_1_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA_1_HMAC; ++ } ++ if (strncmp(buf, "[SHA-224]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA224_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA224_HMAC; ++ } ++ if (strncmp(buf, "[SHA-256]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA256_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA256_HMAC; ++ } ++ if (strncmp(buf, "[SHA-384]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA384_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA384_HMAC; ++ } ++ if (strncmp(buf, "[SHA-512]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA512_HMAC; ++ ike1_prf.prfMechanism = CKM_SHA512_HMAC; ++ } ++ if (strncmp(buf, "[AES-XCBC", 9) == 0) { ++ ike_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ ike1_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ } ++ if (strncmp(buf, "[g^xy", 5) == 0) { ++ if (sscanf(buf, "[g^xy length = %d]", ++ &gxy_len) != 1) { ++ goto loser; ++ } ++ gxy_len = gxy_len / 8; ++ if (gxy) ++ free(gxy); ++ gxy = malloc(gxy_len); ++ gxy_template[0].pValue = gxy; ++ gxy_template[0].ulValueLen = gxy_len; ++ } ++ if (strncmp(buf, "[pre-shared-key", 15) == 0) { ++ if (sscanf(buf, "[pre-shared-key length = %d]", ++ &psk_len) != 1) { ++ goto loser; ++ } ++ psk_len = psk_len / 8; ++ if (psk) ++ free(psk); ++ psk = malloc(psk_len); ++ psk_template[0].pValue = psk; ++ psk_template[0].ulValueLen = psk_len; ++ } ++ if (strncmp(buf, "[Ni", 3) == 0) { ++ if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) { ++ goto loser; ++ } ++ Ni_len = Ni_len / 8; ++ if (Ni) ++ free(Ni); ++ Ni = malloc(Ni_len); ++ ike_prf.pNi = Ni; ++ ike_prf.ulNiLen = Ni_len; ++ } ++ if (strncmp(buf, "[Nr", 3) == 0) { ++ if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) { ++ goto loser; ++ } ++ Nr_len = Nr_len / 8; ++ if (Nr) ++ free(Nr); ++ Nr = malloc(Nr_len); ++ ike_prf.pNr = Nr; ++ ike_prf.ulNrLen = Nr_len; ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* "COUNT = x" begins a new data set */ ++ if (strncmp(buf, "COUNT", 5) == 0) { ++ /* zeroize the variables for the test with this data set */ ++ memset(gxy, 0, gxy_len); ++ memset(Ni, 0, Ni_len); ++ memset(Nr, 0, Nr_len); ++ memset(CKYi, 0, CKYi_len); ++ memset(CKYr, 0, CKYr_len); ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Ni = ... */ ++ if (strncmp(buf, "Ni", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Ni_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Ni[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Nr = ... */ ++ if (strncmp(buf, "Nr", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Nr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Nr[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* CKYi = ... */ ++ if (strncmp(buf, "CKY_I", 5) == 0) { ++ i = 5; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < CKYi_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &CKYi[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* CKYr = ... */ ++ if (strncmp(buf, "CKY_R", 5) == 0) { ++ i = 5; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < CKYr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &CKYr[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* g^xy = ... */ ++ if (strncmp(buf, "g^xy", 4) == 0) { ++ i = 4; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < gxy_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &gxy[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* pre-shared-key = ... */ ++ if (strncmp(buf, "pre-shared-key", 14) == 0) { ++ CK_SESSION_HANDLE session; ++ CK_OBJECT_HANDLE gxy_handle; ++ CK_OBJECT_HANDLE psk_handle; ++ CK_OBJECT_HANDLE skeyid_handle; ++ CK_OBJECT_HANDLE skeyid_d_handle; ++ CK_OBJECT_HANDLE skeyid_a_handle; ++ CK_OBJECT_HANDLE skeyid_e_handle; ++ i = 14; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < psk_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &psk[j]); ++ } ++ fputs(buf, ikeresp); ++ crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_CreateObject(session, psk_template, ++ psk_template_count, &psk_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_CreateObject(psk) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_CreateObject(session, gxy_template, ++ gxy_template_count, &gxy_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_CreateObject(gxy) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ /* get the skeyid key */ ++ crv = NSC_DeriveKey(session, &ike_mech, psk_handle, ++ derive_template, derive_template_count - 1, ++ &skeyid_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ skeyid_template.ulValueLen = HASH_LENGTH_MAX; ++ crv = NSC_GetAttributeValue(session, skeyid_handle, ++ &skeyid_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ /* use the length of the skeyid to set the target length of all the ++ * other keys */ ++ keyLen = skeyid_template.ulValueLen; ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = PR_FALSE; ++ ike1_prf.keyNumber = 0; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_d_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_d) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = CK_TRUE; ++ ike1_prf.hPrevKey = skeyid_d_handle; ++ ike1_prf.keyNumber = 1; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_a_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_a) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ ike1_prf.hKeygxy = gxy_handle; ++ ike1_prf.bHasPrevKey = CK_TRUE; ++ ike1_prf.hPrevKey = skeyid_a_handle; ++ ike1_prf.keyNumber = 2; ++ crv = NSC_DeriveKey(session, &ike1_mech, skeyid_handle, ++ derive_template, derive_template_count, ++ &skeyid_e_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid_e) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID = ", ikeresp); ++ to_hex_str(buf, skeyid_secret, keyLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_d_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_d_handle, ++ &skeyid_d_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_d) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_d = ", ikeresp); ++ to_hex_str(buf, skeyid_d_secret, skeyid_d_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_a_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_a_handle, ++ &skeyid_a_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_a) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_a = ", ikeresp); ++ to_hex_str(buf, skeyid_a_secret, skeyid_a_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ skeyid_e_template.ulValueLen = keyLen; ++ crv = NSC_GetAttributeValue(session, skeyid_e_handle, ++ &skeyid_e_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid_e) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYID_e = ", ikeresp); ++ to_hex_str(buf, skeyid_e_secret, skeyid_e_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ crv = NSC_CloseSession(session); ++ continue; ++ } ++ } ++loser: ++ NSC_Finalize(NULL); ++ if (psk) ++ free(psk); ++ if (gxy) ++ free(gxy); ++ if (Ni) ++ free(Ni); ++ if (Nr) ++ free(Nr); ++ if (ikereq) ++ fclose(ikereq); ++} ++ ++void ++ikev2(char *reqfn) ++{ ++ char buf[4096]; /* holds one line from the input REQUEST file. ++ * needs to be large enough to hold the longest ++ * line "g^xy = <2048 hex digits>\n". ++ */ ++ unsigned char *gir = NULL; ++ unsigned char *gir_new = NULL; ++ int gir_len; ++ unsigned char *Ni = NULL; ++ int Ni_len; ++ unsigned char *Nr = NULL; ++ int Nr_len; ++ unsigned char *SPIi = NULL; ++ int SPIi_len = 8; ++ unsigned char *SPIr = NULL; ++ int SPIr_len = 8; ++ unsigned char *DKM = NULL; ++ int DKM_len; ++ unsigned char *DKM_child = NULL; ++ int DKM_child_len; ++ unsigned char *seed_data = NULL; ++ int seed_data_len = 0; ++ unsigned int i, j; ++ FILE *ikereq = NULL; /* input stream from the REQUEST file */ ++ FILE *ikeresp; /* output stream to the RESPONSE file */ ++ ++ CK_SLOT_ID slotList[10]; ++ CK_SLOT_ID slotID; ++ CK_ULONG slotListCount = sizeof(slotList) / sizeof(slotList[0]); ++ CK_ULONG count; ++ static const CK_C_INITIALIZE_ARGS pk11args = { ++ NULL, NULL, NULL, NULL, CKF_LIBRARY_CANT_CREATE_OS_THREADS, ++ (void *)"flags=readOnly,noCertDB,noModDB", NULL ++ }; ++ static CK_OBJECT_CLASS ck_secret = CKO_SECRET_KEY; ++ static CK_KEY_TYPE ck_generic = CKK_GENERIC_SECRET; ++ static CK_BBOOL ck_true = CK_TRUE; ++ static CK_ULONG keyLen = 1; ++ CK_ATTRIBUTE gir_template[] = { ++ { CKA_VALUE, NULL, 0 }, ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ }; ++ CK_ULONG gir_template_count = ++ sizeof(gir_template) / sizeof(gir_template[0]); ++ CK_ATTRIBUTE gir_new_template[] = { ++ { CKA_VALUE, NULL, 0 }, ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ }; ++ CK_ULONG gir_new_template_count = ++ sizeof(gir_new_template) / sizeof(gir_new_template[0]); ++ CK_ATTRIBUTE derive_template[] = { ++ { CKA_CLASS, &ck_secret, sizeof(ck_secret) }, ++ { CKA_KEY_TYPE, &ck_generic, sizeof(ck_generic) }, ++ { CKA_DERIVE, &ck_true, sizeof(ck_true) }, ++ { CKA_VALUE_LEN, &keyLen, sizeof(keyLen) }, ++ }; ++ CK_ULONG derive_template_count = ++ sizeof(derive_template) / sizeof(derive_template[0]); ++ CK_ATTRIBUTE skeyseed_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE dkm_template = ++ { CKA_VALUE, NULL, 0 }; ++ CK_ATTRIBUTE dkm_child_template = ++ { CKA_VALUE, NULL, 0 }; ++ unsigned char skeyseed_secret[HASH_LENGTH_MAX]; ++ ++ CK_MECHANISM ike_mech = { CKM_NSS_IKE_PRF_DERIVE, NULL, 0 }; ++ CK_MECHANISM ike2_mech = { CKM_NSS_IKE_PRF_PLUS_DERIVE, NULL, 0 }; ++ CK_MECHANISM subset_mech = { CKM_EXTRACT_KEY_FROM_KEY, NULL, 0 }; ++ CK_NSS_IKE_PRF_DERIVE_PARAMS ike_prf; ++ CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS ike2_prf; ++ CK_EXTRACT_PARAMS subset_params; ++ CK_RV crv; ++ ++ /* set up PKCS #11 parameters */ ++ ike_mech.pParameter = &ike_prf; ++ ike_mech.ulParameterLen = sizeof(ike_prf); ++ ike2_mech.pParameter = &ike2_prf; ++ ike2_mech.ulParameterLen = sizeof(ike2_prf); ++ subset_mech.pParameter = &subset_params; ++ subset_mech.ulParameterLen = sizeof(subset_params); ++ subset_params = 0; ++ skeyseed_template.pValue = skeyseed_secret; ++ skeyseed_template.ulValueLen = HASH_LENGTH_MAX; ++ ++ crv = NSC_Initialize((CK_VOID_PTR)&pk11args); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_Initialize failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ count = slotListCount; ++ crv = NSC_GetSlotList(PR_TRUE, slotList, &count); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetSlotList failed crv=0x%x\n", (unsigned int)crv); ++ goto loser; ++ } ++ if ((count > slotListCount) || count < 1) { ++ fprintf(stderr, ++ "NSC_GetSlotList returned too many or too few slots: %d slots max=%d min=1\n", ++ (int)count, (int)slotListCount); ++ goto loser; ++ } ++ slotID = slotList[0]; ++ ikereq = fopen(reqfn, "r"); ++ ikeresp = stdout; ++ while (fgets(buf, sizeof buf, ikereq) != NULL) { ++ /* a comment or blank line */ ++ if (buf[0] == '#' || buf[0] == '\n') { ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* [.....] */ ++ if (buf[0] == '[') { ++ if (strncmp(buf, "[SHA-1]", 7) == 0) { ++ ike_prf.prfMechanism = CKM_SHA_1_HMAC; ++ ike2_prf.prfMechanism = CKM_SHA_1_HMAC; ++ } ++ if (strncmp(buf, "[SHA-224]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA224_HMAC; ++ ike2_prf.prfMechanism = CKM_SHA224_HMAC; ++ } ++ if (strncmp(buf, "[SHA-256]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA256_HMAC; ++ ike2_prf.prfMechanism = CKM_SHA256_HMAC; ++ } ++ if (strncmp(buf, "[SHA-384]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA384_HMAC; ++ ike2_prf.prfMechanism = CKM_SHA384_HMAC; ++ } ++ if (strncmp(buf, "[SHA-512]", 9) == 0) { ++ ike_prf.prfMechanism = CKM_SHA512_HMAC; ++ ike2_prf.prfMechanism = CKM_SHA512_HMAC; ++ } ++ if (strncmp(buf, "[AES-XCBC", 9) == 0) { ++ ike_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ ike2_prf.prfMechanism = CKM_AES_XCBC_MAC; ++ } ++ if (strncmp(buf, "[g^ir", 5) == 0) { ++ if (sscanf(buf, "[g^ir length = %d]", ++ &gir_len) != 1) { ++ goto loser; ++ } ++ gir_len = gir_len / 8; ++ if (gir) ++ free(gir); ++ if (gir_new) ++ free(gir_new); ++ gir = malloc(gir_len); ++ gir_new = malloc(gir_len); ++ gir_template[0].pValue = gir; ++ gir_template[0].ulValueLen = gir_len; ++ gir_new_template[0].pValue = gir_new; ++ gir_new_template[0].ulValueLen = gir_len; ++ } ++ if (strncmp(buf, "[Ni", 3) == 0) { ++ if (sscanf(buf, "[Ni length = %d]", &Ni_len) != 1) { ++ goto loser; ++ } ++ Ni_len = Ni_len / 8; ++ } ++ if (strncmp(buf, "[Nr", 3) == 0) { ++ if (sscanf(buf, "[Nr length = %d]", &Nr_len) != 1) { ++ goto loser; ++ } ++ Nr_len = Nr_len / 8; ++ } ++ if (strncmp(buf, "[DKM", 4) == 0) { ++ if (sscanf(buf, "[DKM length = %d]", ++ &DKM_len) != 1) { ++ goto loser; ++ } ++ DKM_len = DKM_len / 8; ++ if (DKM) ++ free(DKM); ++ DKM = malloc(DKM_len); ++ dkm_template.pValue = DKM; ++ dkm_template.ulValueLen = DKM_len; ++ } ++ if (strncmp(buf, "[Child SA DKM", 13) == 0) { ++ if (sscanf(buf, "[Child SA DKM length = %d]", ++ &DKM_child_len) != 1) { ++ goto loser; ++ } ++ DKM_child_len = DKM_child_len / 8; ++ if (DKM_child) ++ free(DKM_child); ++ DKM_child = malloc(DKM_child_len); ++ dkm_child_template.pValue = DKM_child; ++ dkm_child_template.ulValueLen = DKM_child_len; ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* "COUNT = x" begins a new data set */ ++ if (strncmp(buf, "COUNT", 5) == 0) { ++ /* zeroize the variables for the test with this data set */ ++ int new_seed_len = Ni_len + Nr_len + SPIi_len + SPIr_len; ++ if (seed_data_len != new_seed_len) { ++ if (seed_data) ++ free(seed_data); ++ seed_data_len = new_seed_len; ++ seed_data = malloc(seed_data_len); ++ Ni = seed_data; ++ Nr = &seed_data[Ni_len]; ++ SPIi = &seed_data[Ni_len + Nr_len]; ++ SPIr = &seed_data[new_seed_len - SPIr_len]; ++ ike_prf.pNi = Ni; ++ ike_prf.ulNiLen = Ni_len; ++ ike_prf.pNr = Nr; ++ ike_prf.ulNrLen = Nr_len; ++ ike2_prf.pSeedData = seed_data; ++ } ++ memset(gir, 0, gir_len); ++ memset(gir_new, 0, gir_len); ++ memset(seed_data, 0, seed_data_len); ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Ni = ... */ ++ if (strncmp(buf, "Ni", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Ni_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Ni[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* Nr = ... */ ++ if (strncmp(buf, "Nr", 2) == 0) { ++ i = 2; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < Nr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &Nr[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* g^ir (new) = ... */ ++ if (strncmp(buf, "g^ir (new)", 10) == 0) { ++ i = 10; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < gir_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &gir_new[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* g^ir = ... */ ++ if (strncmp(buf, "g^ir", 4) == 0) { ++ i = 4; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < gir_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &gir[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* SPIi = ... */ ++ if (strncmp(buf, "SPIi", 4) == 0) { ++ i = 4; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < SPIi_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &SPIi[j]); ++ } ++ fputs(buf, ikeresp); ++ continue; ++ } ++ /* SPIr = ... */ ++ if (strncmp(buf, "SPIr", 4) == 0) { ++ CK_SESSION_HANDLE session; ++ CK_OBJECT_HANDLE gir_handle; ++ CK_OBJECT_HANDLE gir_new_handle; ++ CK_OBJECT_HANDLE skeyseed_handle; ++ CK_OBJECT_HANDLE sk_d_handle; ++ CK_OBJECT_HANDLE skeyseed_new_handle; ++ CK_OBJECT_HANDLE dkm_handle; ++ CK_OBJECT_HANDLE dkm_child_handle; ++ i = 4; ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ for (j = 0; j < SPIr_len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &SPIr[j]); ++ } ++ fputs(buf, ikeresp); ++ crv = NSC_OpenSession(slotID, 0, NULL, NULL, &session); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_OpenSession failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_CreateObject(session, gir_template, ++ gir_template_count, &gir_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_CreateObject (g^ir) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_CreateObject(session, gir_new_template, ++ gir_new_template_count, &gir_new_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_CreateObject (g^ir new) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ /* get the SKEYSEED key */ ++ ike_prf.bDataAsKey = CK_TRUE; ++ ike_prf.bRekey = CK_FALSE; ++ ike_prf.hNewKey = CK_INVALID_HANDLE; ++ crv = NSC_DeriveKey(session, &ike_mech, gir_handle, ++ derive_template, derive_template_count - 1, ++ &skeyseed_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ skeyseed_template.ulValueLen = HASH_LENGTH_MAX; ++ crv = NSC_GetAttributeValue(session, skeyseed_handle, ++ &skeyseed_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYSEED = ", ikeresp); ++ to_hex_str(buf, skeyseed_secret, skeyseed_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ /* get DKM */ ++ keyLen = DKM_len; ++ ike2_prf.bHasSeedKey = CK_FALSE; ++ ike2_prf.hSeedKey = CK_INVALID_HANDLE; ++ ike2_prf.ulSeedDataLen = seed_data_len; ++ crv = NSC_DeriveKey(session, &ike2_mech, skeyseed_handle, ++ derive_template, derive_template_count, ++ &dkm_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(DKM) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_GetAttributeValue(session, dkm_handle, ++ &dkm_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(DKM) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("DKM = ", ikeresp); ++ to_hex_str(buf, DKM, DKM_len); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ /* get the sk_d from the DKM */ ++ keyLen = skeyseed_template.ulValueLen; ++ crv = NSC_DeriveKey(session, &subset_mech, dkm_handle, ++ derive_template, derive_template_count, ++ &sk_d_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(sk_d) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ ++ /* get DKM child */ ++ keyLen = DKM_child_len; ++ ike2_prf.bHasSeedKey = CK_FALSE; ++ ike2_prf.hSeedKey = CK_INVALID_HANDLE; ++ ike2_prf.ulSeedDataLen = Ni_len + Nr_len; ++ crv = NSC_DeriveKey(session, &ike2_mech, sk_d_handle, ++ derive_template, derive_template_count, ++ &dkm_child_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(DKM Child SA) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_GetAttributeValue(session, dkm_child_handle, ++ &dkm_child_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(DKM Child SA) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("DKM(Child SA) = ", ikeresp); ++ to_hex_str(buf, DKM_child, DKM_child_len); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ /* get DKM child D-H*/ ++ keyLen = DKM_child_len; ++ ike2_prf.bHasSeedKey = CK_TRUE; ++ ike2_prf.hSeedKey = gir_new_handle; ++ ike2_prf.ulSeedDataLen = Ni_len + Nr_len; ++ crv = NSC_DeriveKey(session, &ike2_mech, sk_d_handle, ++ derive_template, derive_template_count, ++ &dkm_child_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(DKM Child SA D-H) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ crv = NSC_GetAttributeValue(session, dkm_child_handle, ++ &dkm_child_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(DKM Child SA D-H) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("DKM(Child SA D-H) = ", ikeresp); ++ to_hex_str(buf, DKM_child, DKM_child_len); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ /* get SKEYSEED(rekey) */ ++ ike_prf.bDataAsKey = CK_FALSE; ++ ike_prf.bRekey = CK_TRUE; ++ ike_prf.hNewKey = gir_new_handle; ++ crv = NSC_DeriveKey(session, &ike_mech, sk_d_handle, ++ derive_template, derive_template_count - 1, ++ &skeyseed_new_handle); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_DeriveKey(skeyid rekey) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ skeyseed_template.ulValueLen = HASH_LENGTH_MAX; ++ crv = NSC_GetAttributeValue(session, skeyseed_new_handle, ++ &skeyseed_template, 1); ++ if (crv != CKR_OK) { ++ fprintf(stderr, "NSC_GetAttribute(skeyid) failed crv=0x%x\n", ++ (unsigned int)crv); ++ goto loser; ++ } ++ fputs("SKEYSEED(rekey) = ", ikeresp); ++ to_hex_str(buf, skeyseed_secret, skeyseed_template.ulValueLen); ++ fputs(buf, ikeresp); ++ fputc('\n', ikeresp); ++ ++ crv = NSC_CloseSession(session); ++ continue; ++ } ++ } ++loser: ++ NSC_Finalize(NULL); ++ if (gir) ++ free(gir); ++ if (gir_new) ++ free(gir_new); ++ if (seed_data) ++ free(seed_data); ++ if (DKM) ++ free(DKM); ++ if (DKM_child) ++ free(DKM_child); ++ if (ikereq) ++ fclose(ikereq); ++} ++ + int + main(int argc, char **argv) + { + if (argc < 2) + exit(-1); + + RNG_RNGInit(); + SECOID_Init(); +@@ -7066,11 +8369,19 @@ main(int argc, char **argv) + rng_mct(argv[3]); + } + } else if (strcmp(argv[1], "drbg") == 0) { + /* Variable Seed Test */ + drbg(argv[2]); + } else if (strcmp(argv[1], "ddrbg") == 0) { + debug = 1; + drbg(argv[2]); ++ } else if (strcmp(argv[1], "tls") == 0) { ++ tls(argv[2]); ++ } else if (strcmp(argv[1], "ikev1") == 0) { ++ ikev1(argv[2]); ++ } else if (strcmp(argv[1], "ikev1-psk") == 0) { ++ ikev1_psk(argv[2]); ++ } else if (strcmp(argv[1], "ikev2") == 0) { ++ ikev2(argv[2]); + } + return 0; + } +diff --git a/cmd/fipstest/hmac.sh b/cmd/fipstest/hmac.sh +deleted file mode 100755 +--- a/cmd/fipstest/hmac.sh ++++ /dev/null +@@ -1,36 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST HMAC Algorithm Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +- +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/HMAC +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-hmac_requests=" +-HMAC.req +-" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $hmac_requests; do +- sh ./validate1.sh ${TESTDIR} $request +- done +- exit 0 +-fi +-for request in $hmac_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest hmac ${REQDIR}/$request > ${RSPDIR}/$response +-done +- +diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh +deleted file mode 100755 +--- a/cmd/fipstest/kas.sh ++++ /dev/null +@@ -1,84 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST DSA Validation System +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/KAS +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +- +-# +-if [ ${COMMAND} = "verify" ]; then +-# +-# need verify for KAS tests +- +-# verify generated keys +-# name=KeyPair +-# echo ">>>>> $name" +-# fipstest dsa keyver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify generated pqg values +-# name=PQGGen +-# echo ">>>>> $name" +-# fipstest dsa pqgver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify PQGVer with known answer +-# sh ./validate1.sh ${TESTDIR} PQGVer.req ' ' '-e /^Result.=.F/s;.(.*);; -e /^Result.=.P/s;.(.*);;' +-# verify signatures +-# name=SigGen +-# echo ">>>>> $name" +-# fipstest dsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# verify SigVer with known answer +-# sh ./validate1.sh ${TESTDIR} SigVer.req ' ' '-e /^X.=/d -e /^Result.=.F/s;.(.*);;' +- exit 0 +-fi +- +-request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdh init-func ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdh resp-func ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdh init-verify ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest ecdh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dh init-func ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dh resp-func ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dh init-verify ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest dh resp-verify ${REQDIR}/$request > ${RSPDIR}/$response +- +diff --git a/cmd/fipstest/rng.sh b/cmd/fipstest/rng.sh +deleted file mode 100644 +--- a/cmd/fipstest/rng.sh ++++ /dev/null +@@ -1,34 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST RNG Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/DRBG800-90A +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-drbg_requests=" +-Hash_DRBG.req +-" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $drbg_requests; do +- sh ./validate1.sh ${TESTDIR} $request +- done +- exit 0 +-fi +-for request in $drbg_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest drbg ${REQDIR}/$request > ${RSPDIR}/$response +-done +diff --git a/cmd/fipstest/rsa.sh b/cmd/fipstest/rsa.sh +deleted file mode 100644 +--- a/cmd/fipstest/rsa.sh ++++ /dev/null +@@ -1,50 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST RSA Validation System +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/RSA2 +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-if [ ${COMMAND} = "verify" ]; then +-#verify the signatures. The fax file does not have any known answers, so +-#use our own verify function. +- name=SigGen15_186-3 +- echo ">>>>> $name" +- fipstest rsa sigver ${RSPDIR}/$name.rsp | grep ^Result.=.F +-# fipstest rsa sigver ${REQDIR}/SigVer15_186-3.req | grep ^Result.=.F +-#The Fax file has the private exponent and the salt value, remove it +-#also remove the false reason +- sh ./validate1.sh ${TESTDIR} SigVer15_186-3.req ' ' '-e /^SaltVal/d -e/^d.=/d -e /^p.=/d -e /^q.=/d -e /^EM.with/d -e /^Result.=.F/s;.(.*);;' +-# +-# currently don't have a way to verify the RSA keygen +-# +- exit 0 +-fi +- +-request=SigGen15_186-3.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest rsa siggen ${REQDIR}/$request > ${RSPDIR}/$response +- +-request=SigVer15_186-3.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest rsa sigver ${REQDIR}/$request > ${RSPDIR}/$response +- +-#request=KeyGen_186-3.req +-request=KeyGen_RandomProbablyPrime3_3.req +-response=`echo $request | sed -e "s/req/rsp/"` +-echo $request $response +-fipstest rsa keypair ${REQDIR}/$request > ${RSPDIR}/$response +diff --git a/cmd/fipstest/runtest.sh b/cmd/fipstest/runtest.sh +deleted file mode 100644 +--- a/cmd/fipstest/runtest.sh ++++ /dev/null +@@ -1,14 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-TESTDIR=${1-.} +-COMMAND=${2-run} +-TESTS="aes aesgcm dsa ecdsa hmac kas tls rng rsa sha tdea" +-for i in $TESTS +-do +- echo "********************Running $i tests" +- sh ./${i}.sh ${TESTDIR} ${COMMAND} +-done +diff --git a/cmd/fipstest/sha.sh b/cmd/fipstest/sha.sh +deleted file mode 100644 +--- a/cmd/fipstest/sha.sh ++++ /dev/null +@@ -1,66 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST SHA Algorithm Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/SHA +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-sha_ShortMsg_requests=" +-SHA1ShortMsg.req +-SHA224ShortMsg.req +-SHA256ShortMsg.req +-SHA384ShortMsg.req +-SHA512ShortMsg.req +-" +- +-sha_LongMsg_requests=" +-SHA1LongMsg.req +-SHA224LongMsg.req +-SHA256LongMsg.req +-SHA384LongMsg.req +-SHA512LongMsg.req +-" +- +-sha_Monte_requests=" +-SHA1Monte.req +-SHA224Monte.req +-SHA256Monte.req +-SHA384Monte.req +-SHA512Monte.req +-" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $sha_ShortMsg_requests $sha_LongMsg_requests $sha_Monte_requests; do +- sh ./validate1.sh ${TESTDIR} $request +- done +- exit 0 +-fi +- +-for request in $sha_ShortMsg_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $sha_LongMsg_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $sha_Monte_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest sha ${REQDIR}/$request > ${RSPDIR}/$response +-done +- +diff --git a/cmd/fipstest/tdea.sh b/cmd/fipstest/tdea.sh +deleted file mode 100644 +--- a/cmd/fipstest/tdea.sh ++++ /dev/null +@@ -1,106 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST tdea Algorithm Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +- +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/TDES +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-#CBC_Known_Answer_tests +-#Initial Permutation KAT +-#Permutation Operation KAT +-#Subsitution Table KAT +-#Variable Key KAT +-#Variable PlainText KAT +-cbc_kat_requests=" +-TCBCinvperm.req +-TCBCpermop.req +-TCBCsubtab.req +-TCBCvarkey.req +-TCBCvartext.req +-" +- +-#CBC Monte Carlo KATs +-cbc_monte_requests=" +-TCBCMonte1.req +-TCBCMonte2.req +-TCBCMonte3.req +-" +-#Multi-block Message KATs +-cbc_mmt_requests=" +-TCBCMMT1.req +-TCBCMMT2.req +-TCBCMMT3.req +-" +- +-ecb_kat_requests=" +-TECBinvperm.req +-TECBpermop.req +-TECBsubtab.req +-TECBvarkey.req +-TECBvartext.req +-" +- +-ecb_monte_requests=" +-TECBMonte1.req +-TECBMonte2.req +-TECBMonte3.req +-" +- +-ecb_mmt_requests=" +-TECBMMT1.req +-TECBMMT2.req +-TECBMMT3.req +-" +- +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $cbc_kat_requests $cbc_monte_requests $cbc_mmt_requests $ecb_kat_requests $ecb_monte_requests $ecb_mmt_requests +- do +- sh ./validate1.sh ${TESTDIR} $request "-e /^NumKeys/d" +- done +- exit 0 +-fi +- +-for request in $cbc_kat_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea kat cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $cbc_mmt_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea mmt cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $cbc_monte_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea mct cbc ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_kat_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea kat ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_mmt_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea mmt ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +-for request in $ecb_monte_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tdea mct ecb ${REQDIR}/$request > ${RSPDIR}/$response +-done +diff --git a/cmd/fipstest/tls.sh b/cmd/fipstest/tls.sh +deleted file mode 100644 +--- a/cmd/fipstest/tls.sh ++++ /dev/null +@@ -1,34 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# A Bourne shell script for running the NIST RNG Validation Suite +-# +-# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment +-# variables appropriately so that the fipstest command and the NSPR and NSS +-# shared libraries/DLLs are on the search path. Then run this script in the +-# directory where the REQUEST (.req) files reside. The script generates the +-# RESPONSE (.rsp) files in the same directory. +-BASEDIR=${1-.} +-TESTDIR=${BASEDIR}/KDF135 +-COMMAND=${2-run} +-REQDIR=${TESTDIR}/req +-RSPDIR=${TESTDIR}/resp +- +-drbg_requests=" +-tls.req +-" +- +-if [ ${COMMAND} = "verify" ]; then +- for request in $drbg_requests; do +- sh ./validate1.sh ${TESTDIR} $request +- done +- exit 0 +-fi +-for request in $drbg_requests; do +- response=`echo $request | sed -e "s/req/rsp/"` +- echo $request $response +- fipstest tls ${REQDIR}/$request > ${RSPDIR}/$response +-done +diff --git a/cmd/fipstest/validate.sh b/cmd/fipstest/validate.sh +deleted file mode 100644 +--- a/cmd/fipstest/validate.sh ++++ /dev/null +@@ -1,7 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-sh ./runtest.sh ${1-.} verify +diff --git a/cmd/fipstest/validate1.sh b/cmd/fipstest/validate1.sh +deleted file mode 100644 +--- a/cmd/fipstest/validate1.sh ++++ /dev/null +@@ -1,30 +0,0 @@ +-#!/bin/sh +-# +-# This Source Code Form is subject to the terms of the Mozilla Public +-# License, v. 2.0. If a copy of the MPL was not distributed with this +-# file, You can obtain one at http://mozilla.org/MPL/2.0/. +-# +-# Validate1.sh is a helper shell script that each of the base test shell +-# scripts call to help validate that the generated response (response) +-# matches the known answer response (fax). Sometimes (depending on the +-# individual tests) there are extraneous output in either or both response +-# and fax files. These allow the caller to pass in additional sed commands +-# to clear out those extraneous outputs before we compare the two files. +-# The sed line always clears out Windows line endings, replaces tabs with +-# spaces, and removed comments. +-# +-TESTDIR=${1-.} +-request=${2} +-extraneous_response=${3} +-extraneous_fax=${4} +-name=`basename $request .req` +-echo ">>>>> $name" +-sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1 +-# if we didn't generate any output, flag that as an error +-size=`sum /tmp/y1 | awk '{ print $NF }'` +-if [ $size -eq 0 ]; then +- echo "${TESTDIR}/resp/${name}.rsp: empty" +- exit 1; +-fi +-sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_fax ${TESTDIR}/fax/${name}.fax > /tmp/y2 +-diff -i -w -B /tmp/y1 /tmp/y2 +diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c +--- a/lib/softoken/fipstest.c ++++ b/lib/softoken/fipstest.c +@@ -7,16 +7,17 @@ + + #ifndef NSS_FIPS_DISABLED + #include "seccomon.h" + #include "blapi.h" + #include "softoken.h" + #include "lowkeyi.h" + #include "secoid.h" + #include "secerr.h" ++#include "pkcs11i.h" + + /* + * different platforms have different ways of calling and initial entry point + * when the dll/.so is loaded. Most platforms support either a posix pragma + * or the GCC attribute. Some platforms suppor a pre-defined name, and some + * platforms have a link line way of invoking this function. + */ + +@@ -621,16 +622,20 @@ sftk_startup_tests(void) + return; + } + if (!BLAPI_SHVerify(libraryName, + (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) { + /* something is wrong with the library, fail without enabling + * the token */ + return; + } ++ rv = sftk_fips_IKE_PowerUpSelfTests(); ++ if (rv != SECSuccess) { ++ return; ++ } + sftk_self_tests_success = PR_TRUE; + } + + /* + * this is called from nsc_Common_Initizialize entry points that gates access + * to * all other pkcs11 functions. This prevents softoken operation if our + * power on selftest failed. + */ +diff --git a/lib/softoken/manifest.mn b/lib/softoken/manifest.mn +--- a/lib/softoken/manifest.mn ++++ b/lib/softoken/manifest.mn +@@ -41,16 +41,17 @@ CSRCS = \ + lowpbe.c \ + padbuf.c \ + pkcs11.c \ + pkcs11c.c \ + pkcs11u.c \ + sdb.c \ + sftkdb.c \ + sftkhmac.c \ ++ sftkike.c \ + sftkpars.c \ + sftkpwd.c \ + softkver.c \ + tlsprf.c \ + jpakesftk.c \ + $(NULL) + + ifdef SQLITE_UNSAFE_THREADS +diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c +--- a/lib/softoken/pkcs11.c ++++ b/lib/softoken/pkcs11.c +@@ -323,16 +323,18 @@ static const struct mechanismList mechan + { CKM_AES_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + { CKM_AES_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + { CKM_AES_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE }, + { CKM_AES_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE }, + { CKM_AES_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE }, + { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE }, + { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE }, ++ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE }, ++ { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE }, + /* ------------------------- Camellia Operations --------------------- */ + { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE }, + { CKM_CAMELLIA_ECB, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + { CKM_CAMELLIA_CBC, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + { CKM_CAMELLIA_MAC, { 16, 32, CKF_SN_VR }, PR_TRUE }, + { CKM_CAMELLIA_MAC_GENERAL, { 16, 32, CKF_SN_VR }, PR_TRUE }, + { CKM_CAMELLIA_CBC_PAD, { 16, 32, CKF_EN_DE_WR_UN }, PR_TRUE }, + /* ------------------------- SEED Operations --------------------------- */ +@@ -504,17 +506,21 @@ static const struct mechanismList mechan + { CKM_NSS_JPAKE_ROUND2_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_JPAKE_ROUND2_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_JPAKE_FINAL_SHA1, { 0, 0, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_JPAKE_FINAL_SHA256, { 0, 0, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_JPAKE_FINAL_SHA384, { 0, 0, CKF_DERIVE }, PR_TRUE }, + { CKM_NSS_JPAKE_FINAL_SHA512, { 0, 0, CKF_DERIVE }, PR_TRUE }, + /* -------------------- Constant Time TLS MACs ----------------------- */ + { CKM_NSS_HMAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE }, +- { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE } ++ { CKM_NSS_SSL3_MAC_CONSTANT_TIME, { 0, 0, CKF_DIGEST }, PR_TRUE }, ++ /* --------------------IPSEC ----------------------- */ ++ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }, ++ { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, ++ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE } + }; + static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]); + + /* sigh global so fipstokn can read it */ + PRBool nsc_init = PR_FALSE; + + #if defined(CHECK_FORK_PTHREAD) || defined(CHECK_FORK_MIXED) + +diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c +--- a/lib/softoken/pkcs11c.c ++++ b/lib/softoken/pkcs11c.c +@@ -94,49 +94,16 @@ sftk_Space(void *data, PRBool freeit) + PORT_Free(data); + } + + /* + * map all the SEC_ERROR_xxx error codes that may be returned by freebl + * functions to CKR_xxx. return CKR_DEVICE_ERROR by default for backward + * compatibility. + */ +-static CK_RV +-sftk_MapCryptError(int error) +-{ +- switch (error) { +- case SEC_ERROR_INVALID_ARGS: +- case SEC_ERROR_BAD_DATA: /* MP_RANGE gets mapped to this */ +- return CKR_ARGUMENTS_BAD; +- case SEC_ERROR_INPUT_LEN: +- return CKR_DATA_LEN_RANGE; +- case SEC_ERROR_OUTPUT_LEN: +- return CKR_BUFFER_TOO_SMALL; +- case SEC_ERROR_LIBRARY_FAILURE: +- return CKR_GENERAL_ERROR; +- case SEC_ERROR_NO_MEMORY: +- return CKR_HOST_MEMORY; +- case SEC_ERROR_BAD_SIGNATURE: +- return CKR_SIGNATURE_INVALID; +- case SEC_ERROR_INVALID_KEY: +- return CKR_KEY_SIZE_RANGE; +- case SEC_ERROR_BAD_KEY: /* an EC public key that fails validation */ +- return CKR_KEY_SIZE_RANGE; /* the closest error code */ +- case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM: +- return CKR_TEMPLATE_INCONSISTENT; +- case SEC_ERROR_UNSUPPORTED_KEYALG: +- return CKR_MECHANISM_INVALID; +- case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE: +- return CKR_DOMAIN_PARAMS_INVALID; +- /* key pair generation failed after max number of attempts */ +- case SEC_ERROR_NEED_RANDOM: +- return CKR_FUNCTION_FAILED; +- } +- return CKR_DEVICE_ERROR; +-} + + /* used by Decrypt and UnwrapKey (indirectly) */ + static CK_RV + sftk_MapDecryptError(int error) + { + switch (error) { + case SEC_ERROR_BAD_DATA: + return CKR_ENCRYPTED_DATA_INVALID; +@@ -2075,19 +2042,22 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSessi + CK_MECHANISM cbc_mechanism; + CK_ULONG mac_bytes = SFTK_INVALID_MAC_SIZE; + CK_RC2_CBC_PARAMS rc2_params; + #if NSS_SOFTOKEN_DOES_RC5 + CK_RC5_CBC_PARAMS rc5_params; + CK_RC5_MAC_GENERAL_PARAMS *rc5_mac; + #endif + unsigned char ivBlock[SFTK_MAX_BLOCK_SIZE]; ++ unsigned char k2[SFTK_MAX_BLOCK_SIZE]; ++ unsigned char k3[SFTK_MAX_BLOCK_SIZE]; + SFTKSessionContext *context; + CK_RV crv; + unsigned int blockSize; ++ PRBool isXCBC = PR_FALSE; + + switch (pMechanism->mechanism) { + case CKM_RC2_MAC_GENERAL: + if (!pMechanism->pParameter) { + return CKR_MECHANISM_PARAM_INVALID; + } + mac_bytes = + ((CK_RC2_MAC_GENERAL_PARAMS *)pMechanism->pParameter)->ulMacLength; +@@ -2181,43 +2151,82 @@ sftk_InitCBCMac(CK_SESSION_HANDLE hSessi + /* fall through */ + case CKM_AES_MAC: + blockSize = 16; + PORT_Memset(ivBlock, 0, blockSize); + cbc_mechanism.mechanism = CKM_AES_CBC; + cbc_mechanism.pParameter = &ivBlock; + cbc_mechanism.ulParameterLen = blockSize; + break; ++ case CKM_AES_XCBC_MAC_96: ++ case CKM_AES_XCBC_MAC: ++ /* The only difference between CKM_AES_XCBC_MAC ++ * and CKM_AES_XCBC_MAC_96 is the size of the returned mac. */ ++ mac_bytes = pMechanism->mechanism == CKM_AES_XCBC_MAC_96 ? 12 : 16; ++ blockSize = 16; ++ PORT_Memset(ivBlock, 0, blockSize); ++ cbc_mechanism.mechanism = CKM_AES_CBC; ++ cbc_mechanism.pParameter = &ivBlock; ++ cbc_mechanism.ulParameterLen = blockSize; ++ /* is XCBC requires extra processing at the end of the operation */ ++ isXCBC = PR_TRUE; ++ /* The input key is used to generate k1, k2, and k3. k2 and k3 ++ * are used at the end in the pad step. k1 replaces the input ++ * key in the aes cbc mac */ ++ crv = sftk_aes_xcbc_new_keys(hSession, hKey, &hKey, k2, k3); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ break; + default: + return CKR_FUNCTION_NOT_SUPPORTED; + } + + /* if MAC size is externally supplied, it should be checked. + */ + if (mac_bytes == SFTK_INVALID_MAC_SIZE) + mac_bytes = blockSize >> 1; + else { +- if (mac_bytes > blockSize) +- return CKR_MECHANISM_PARAM_INVALID; ++ if (mac_bytes > blockSize) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ goto fail; ++ } + } + + crv = sftk_CryptInit(hSession, &cbc_mechanism, hKey, + CKA_ENCRYPT, /* CBC mech is able to ENCRYPT, not SIGN/VERIFY */ + keyUsage, contextType, PR_TRUE); + if (crv != CKR_OK) +- return crv; ++ goto fail; + crv = sftk_GetContext(hSession, &context, contextType, PR_TRUE, NULL); + + /* this shouldn't happen! */ + PORT_Assert(crv == CKR_OK); + if (crv != CKR_OK) +- return crv; ++ goto fail; + context->blockSize = blockSize; + context->macSize = mac_bytes; ++ context->isXCBC = isXCBC; ++ if (isXCBC) { ++ /* save the xcbc specific parameters */ ++ PORT_Memcpy(context->k2, k2, blockSize); ++ PORT_Memcpy(context->k3, k3, blockSize); ++ PORT_Memset(k2, 0, blockSize); ++ PORT_Memset(k3, 0, blockSize); ++ /* get rid of the temp key now that the context has been created */ ++ NSC_DestroyObject(hSession, hKey); ++ } + return CKR_OK; ++fail: ++ if (isXCBC) { ++ PORT_Memset(k2, 0, blockSize); ++ PORT_Memset(k3, 0, blockSize); ++ NSC_DestroyObject(hSession, hKey); /* get rid of our temp key */ ++ } ++ return crv; + } + + /* + * encode RSA PKCS #1 Signature data before signing... + */ + static SECStatus + sftk_RSAHashSign(SFTKHashSignInfo *info, unsigned char *sig, + unsigned int *sigLen, unsigned int maxLen, +@@ -2823,16 +2832,23 @@ sftk_MACBlock(SFTKSessionContext *ctx, v + * + * Call once, then terminate MACing operation. + */ + static CK_RV + sftk_MACFinal(SFTKSessionContext *ctx) + { + unsigned int padLen = ctx->padDataLength; + /* pad and proceed the residual */ ++ if (ctx->isXCBC) { ++ CK_RV crv = sftk_xcbc_mac_pad(ctx->padBuf, padLen, ctx->blockSize, ++ ctx->k2, ctx->k3); ++ if (crv != CKR_OK) ++ return crv; ++ return sftk_MACBlock(ctx, ctx->padBuf); ++ } + if (padLen) { + /* shd clr ctx->padLen to make sftk_MACFinal idempotent */ + PORT_Memset(ctx->padBuf + padLen, 0, ctx->blockSize - padLen); + return sftk_MACBlock(ctx, ctx->padBuf); + } else + return CKR_OK; + } + +@@ -2861,31 +2877,31 @@ sftk_MACUpdate(CK_SESSION_HANDLE hSessio + + unsigned int blkSize = context->blockSize; + unsigned char *residual = /* free room in context->padBuf */ + context->padBuf + context->padDataLength; + unsigned int minInput = /* min input for MACing at least one block */ + blkSize - context->padDataLength; + + /* not enough data even for one block */ +- if (ulPartLen < minInput) { ++ if (ulPartLen <= minInput) { + PORT_Memcpy(residual, pPart, ulPartLen); + context->padDataLength += ulPartLen; + goto cleanup; + } + /* MACing residual */ + if (context->padDataLength) { + PORT_Memcpy(residual, pPart, minInput); + ulPartLen -= minInput; + pPart += minInput; + if (CKR_OK != (crv = sftk_MACBlock(context, context->padBuf))) + goto terminate; + } + /* MACing full blocks */ +- while (ulPartLen >= blkSize) { ++ while (ulPartLen > blkSize) { + if (CKR_OK != (crv = sftk_MACBlock(context, pPart))) + goto terminate; + ulPartLen -= blkSize; + pPart += blkSize; + } + /* save the residual */ + if ((context->padDataLength = ulPartLen)) + PORT_Memcpy(context->padBuf, pPart, ulPartLen); +@@ -6513,16 +6529,55 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + if (att == NULL) { + sftk_FreeObject(key); + sftk_FreeObject(sourceKey); + return CKR_KEY_HANDLE_INVALID; + } + } + + switch (mechanism) { ++ case CKM_NSS_IKE_PRF_DERIVE: ++ if (pMechanism->ulParameterLen != ++ sizeof(CK_NSS_IKE_PRF_DERIVE_PARAMS)) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ crv = sftk_ike_prf(hSession, att, ++ (CK_NSS_IKE_PRF_DERIVE_PARAMS *)pMechanism->pParameter, key); ++ break; ++ case CKM_NSS_IKE1_PRF_DERIVE: ++ if (pMechanism->ulParameterLen != ++ sizeof(CK_NSS_IKE1_PRF_DERIVE_PARAMS)) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ crv = sftk_ike1_prf(hSession, att, ++ (CK_NSS_IKE1_PRF_DERIVE_PARAMS *)pMechanism->pParameter, ++ key, keySize); ++ break; ++ case CKM_NSS_IKE1_APP_B_PRF_DERIVE: ++ if (pMechanism->ulParameterLen != ++ sizeof(CK_MECHANISM_TYPE)) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ crv = sftk_ike1_appendix_b_prf(hSession, att, ++ (CK_MECHANISM_TYPE *)pMechanism->pParameter, ++ key, keySize); ++ break; ++ case CKM_NSS_IKE_PRF_PLUS_DERIVE: ++ if (pMechanism->ulParameterLen != ++ sizeof(CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS)) { ++ crv = CKR_MECHANISM_PARAM_INVALID; ++ break; ++ } ++ crv = sftk_ike_prf_plus(hSession, att, ++ (CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *)pMechanism->pParameter, ++ key, keySize); ++ break; + /* + * generate the master secret + */ + case CKM_TLS12_MASTER_KEY_DERIVE: + case CKM_TLS12_MASTER_KEY_DERIVE_DH: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256: + case CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256: + case CKM_TLS_MASTER_KEY_DERIVE: +diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h +--- a/lib/softoken/pkcs11i.h ++++ b/lib/softoken/pkcs11i.h +@@ -248,22 +248,25 @@ typedef enum { + * multi=0 hashInfo=0 PKC S/V one shot (w/o hashing) + * multi=0 hashInfo=X *** shouldn't happen *** + */ + struct SFTKSessionContextStr { + SFTKContextType type; + PRBool multi; /* is multipart */ + PRBool rsa; /* is rsa */ + PRBool doPad; /* use PKCS padding for block ciphers */ ++ PRBool isXCBC; /* xcbc, use special handling in final */ + unsigned int blockSize; /* blocksize for padding */ + unsigned int padDataLength; /* length of the valid data in padbuf */ + /** latest incomplete block of data for block cipher */ + unsigned char padBuf[SFTK_MAX_BLOCK_SIZE]; + /** result of MAC'ing of latest full block of data with block cipher */ + unsigned char macBuf[SFTK_MAX_BLOCK_SIZE]; ++ unsigned char k2[SFTK_MAX_BLOCK_SIZE]; ++ unsigned char k3[SFTK_MAX_BLOCK_SIZE]; + CK_ULONG macSize; /* size of a general block cipher mac*/ + void *cipherInfo; + void *hashInfo; + unsigned int cipherInfoLen; + CK_MECHANISM_TYPE currentMech; + SFTKCipher update; + SFTKHash hashUpdate; + SFTKEnd end; +@@ -600,16 +603,17 @@ extern CK_RV SFTK_SlotInit(char *configd + extern CK_RV SFTK_SlotReInit(SFTKSlot *slot, char *configdir, + char *updatedir, char *updateID, + sftk_token_parameters *params, int moduleIndex); + extern CK_RV SFTK_DestroySlotData(SFTKSlot *slot); + extern CK_RV SFTK_ShutdownSlot(SFTKSlot *slot); + extern CK_RV sftk_CloseAllSessions(SFTKSlot *slot, PRBool logout); + + /* internal utility functions used by pkcs11.c */ ++extern CK_RV sftk_MapCryptError(int error); + extern SFTKAttribute *sftk_FindAttribute(SFTKObject *object, + CK_ATTRIBUTE_TYPE type); + extern void sftk_FreeAttribute(SFTKAttribute *attribute); + extern CK_RV sftk_AddAttributeType(SFTKObject *object, CK_ATTRIBUTE_TYPE type, + const void *valPtr, CK_ULONG length); + extern CK_RV sftk_Attribute2SecItem(PLArenaPool *arena, SECItem *item, + SFTKObject *object, CK_ATTRIBUTE_TYPE type); + extern CK_RV sftk_MultipleAttribute2SecItem(PLArenaPool *arena, +@@ -681,16 +685,40 @@ extern void sftk_CleanupFreeLists(void); + extern NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKObject *object, + CK_KEY_TYPE key_type, CK_RV *crvp); + extern NSSLOWKEYPrivateKey *sftk_GetPrivKey(SFTKObject *object, + CK_KEY_TYPE key_type, CK_RV *crvp); + extern void sftk_FormatDESKey(unsigned char *key, int length); + extern PRBool sftk_CheckDESKey(unsigned char *key); + extern PRBool sftk_IsWeakKey(unsigned char *key, CK_KEY_TYPE key_type); + ++/* ike and xcbc helpers */ ++extern CK_RV sftk_ike_prf(CK_SESSION_HANDLE hSession, ++ const SFTKAttribute *inKey, ++ const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey); ++extern CK_RV sftk_ike1_prf(CK_SESSION_HANDLE hSession, ++ const SFTKAttribute *inKey, ++ const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey, ++ unsigned int keySize); ++extern CK_RV sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession, ++ const SFTKAttribute *inKey, ++ const CK_MECHANISM_TYPE *params, SFTKObject *outKey, ++ unsigned int keySize); ++extern CK_RV sftk_ike_prf_plus(CK_SESSION_HANDLE hSession, ++ const SFTKAttribute *inKey, ++ const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey, ++ unsigned int keySize); ++extern CK_RV sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession, ++ CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey, ++ unsigned char *k2, unsigned char *k3); ++extern CK_RV sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen, ++ int blockSize, const unsigned char *k2, ++ const unsigned char *k3); ++extern SECStatus sftk_fips_IKE_PowerUpSelfTests(void); ++ + /* mechanism allows this operation */ + extern CK_RV sftk_MechAllowsOperation(CK_MECHANISM_TYPE type, CK_ATTRIBUTE_TYPE op); + + /* helper function which calls nsslowkey_FindKeyByPublicKey after safely + * acquiring a reference to the keydb from the slot */ + NSSLOWKEYPrivateKey *sftk_FindKeyByPublicKey(SFTKSlot *slot, SECItem *dbKey); + + /* +diff --git a/lib/softoken/pkcs11u.c b/lib/softoken/pkcs11u.c +--- a/lib/softoken/pkcs11u.c ++++ b/lib/softoken/pkcs11u.c +@@ -10,16 +10,57 @@ + #include "secasn1.h" + #include "blapi.h" + #include "secerr.h" + #include "prnetdb.h" /* for PR_ntohl */ + #include "sftkdb.h" + #include "softoken.h" + + /* ++ * ******************** Error mapping ******************************* ++ */ ++/* ++ * map all the SEC_ERROR_xxx error codes that may be returned by freebl ++ * functions to CKR_xxx. return CKR_DEVICE_ERROR by default for backward ++ * compatibility. ++ */ ++CK_RV ++sftk_MapCryptError(int error) ++{ ++ switch (error) { ++ case SEC_ERROR_INVALID_ARGS: ++ case SEC_ERROR_BAD_DATA: /* MP_RANGE gets mapped to this */ ++ return CKR_ARGUMENTS_BAD; ++ case SEC_ERROR_INPUT_LEN: ++ return CKR_DATA_LEN_RANGE; ++ case SEC_ERROR_OUTPUT_LEN: ++ return CKR_BUFFER_TOO_SMALL; ++ case SEC_ERROR_LIBRARY_FAILURE: ++ return CKR_GENERAL_ERROR; ++ case SEC_ERROR_NO_MEMORY: ++ return CKR_HOST_MEMORY; ++ case SEC_ERROR_BAD_SIGNATURE: ++ return CKR_SIGNATURE_INVALID; ++ case SEC_ERROR_INVALID_KEY: ++ return CKR_KEY_SIZE_RANGE; ++ case SEC_ERROR_BAD_KEY: /* an EC public key that fails validation */ ++ return CKR_KEY_SIZE_RANGE; /* the closest error code */ ++ case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM: ++ return CKR_TEMPLATE_INCONSISTENT; ++ case SEC_ERROR_UNSUPPORTED_KEYALG: ++ return CKR_MECHANISM_INVALID; ++ case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE: ++ return CKR_DOMAIN_PARAMS_INVALID; ++ /* key pair generation failed after max number of attempts */ ++ case SEC_ERROR_NEED_RANDOM: ++ return CKR_FUNCTION_FAILED; ++ } ++ return CKR_DEVICE_ERROR; ++} ++/* + * ******************** Attribute Utilities ******************************* + */ + + /* + * create a new attribute with type, value, and length. Space is allocated + * to hold value. + */ + static SFTKAttribute * +diff --git a/lib/softoken/sftkike.c b/lib/softoken/sftkike.c +new file mode 100644 +--- /dev/null ++++ b/lib/softoken/sftkike.c +@@ -0,0 +1,1289 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++/* ++ * This file implements PKCS 11 on top of our existing security modules ++ * ++ * For more information about PKCS 11 See PKCS 11 Token Inteface Standard. ++ * This implementation has two slots: ++ * slot 1 is our generic crypto support. It does not require login. ++ * It supports Public Key ops, and all they bulk ciphers and hashes. ++ * It can also support Private Key ops for imported Private keys. It does ++ * not have any token storage. ++ * slot 2 is our private key support. It requires a login before use. It ++ * can store Private Keys and Certs as token objects. Currently only private ++ * keys and their associated Certificates are saved on the token. ++ * ++ * In this implementation, session objects are only visible to the session ++ * that created or generated them. ++ */ ++#include "seccomon.h" ++#include "secitem.h" ++#include "secport.h" ++#include "blapi.h" ++#include "pkcs11.h" ++#include "pkcs11i.h" ++#include "pkcs1sig.h" ++#include "lowkeyi.h" ++#include "secder.h" ++#include "secdig.h" ++#include "lowpbe.h" /* We do PBE below */ ++#include "pkcs11t.h" ++#include "secoid.h" ++#include "alghmac.h" ++#include "softoken.h" ++#include "secasn1.h" ++#include "secerr.h" ++ ++#include "prprf.h" ++#include "prenv.h" ++ ++/* ++ * A common prfContext to handle both hmac and aes xcbc ++ * hash contexts have non-null hashObj and hmac, aes ++ * contexts have non-null aes */ ++typedef struct prfContextStr { ++ HASH_HashType hashType; ++ const SECHashObject *hashObj; ++ HMACContext *hmac; ++ AESContext *aes; ++ unsigned int nextChar; ++ unsigned char padBuf[AES_BLOCK_SIZE]; ++ unsigned char macBuf[AES_BLOCK_SIZE]; ++ unsigned char k1[AES_BLOCK_SIZE]; ++ unsigned char k2[AES_BLOCK_SIZE]; ++ unsigned char k3[AES_BLOCK_SIZE]; ++} prfContext; ++ ++/* iv full of zeros used in several places in aex xcbc */ ++static const unsigned char iv_zero[] = { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++}; ++ ++/* ++ * Generate AES XCBC keys from the AES MAC key. ++ * k1 is used in the actual mac. ++ * k2 and k3 are used in the final pad step. ++ */ ++static CK_RV ++sftk_aes_xcbc_get_keys(const unsigned char *keyValue, unsigned int keyLen, ++ unsigned char *k1, unsigned char *k2, unsigned char *k3) ++{ ++ SECStatus rv; ++ CK_RV crv; ++ unsigned int tmpLen; ++ AESContext *aes_context = NULL; ++ unsigned char newKey[AES_BLOCK_SIZE]; ++ ++ /* AES XCBC keys. k1, k2, and k3 are derived by encrypting ++ * k1data, k2data, and k3data with the mac key. ++ */ ++ static const unsigned char k1data[] = { ++ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, ++ 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01 ++ }; ++ static const unsigned char k2data[] = { ++ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, ++ 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02 ++ }; ++ static const unsigned char k3data[] = { ++ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, ++ 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 ++ }; ++ ++ /* k1_0 = aes_ecb(0, k1data) */ ++ static const unsigned char k1_0[] = { ++ 0xe1, 0x4d, 0x5d, 0x0e, 0xe2, 0x77, 0x15, 0xdf, ++ 0x08, 0xb4, 0x15, 0x2b, 0xa2, 0x3d, 0xa8, 0xe0 ++ ++ }; ++ /* k2_0 = aes_ecb(0, k2data) */ ++ static const unsigned char k2_0[] = { ++ 0x5e, 0xba, 0x73, 0xf8, 0x91, 0x42, 0xc5, 0x48, ++ 0x80, 0xf6, 0x85, 0x94, 0x37, 0x3c, 0x5c, 0x37 ++ }; ++ /* k3_0 = aes_ecb(0, k3data) */ ++ static const unsigned char k3_0[] = { ++ 0x8d, 0x34, 0xef, 0xcb, 0x3b, 0xd5, 0x45, 0xca, ++ 0x06, 0x2a, 0xec, 0xdf, 0xef, 0x7c, 0x0b, 0xfa ++ }; ++ ++ /* first make sure out input key is the correct length ++ * rfc 4434. If key is shorter, pad with zeros to the ++ * the right. If key is longer newKey = aes_xcbc(0, key, keyLen). ++ */ ++ if (keyLen < AES_BLOCK_SIZE) { ++ PORT_Memcpy(newKey, keyValue, keyLen); ++ PORT_Memset(&newKey[keyLen], 0, AES_BLOCK_SIZE - keyLen); ++ keyValue = newKey; ++ } else if (keyLen > AES_BLOCK_SIZE) { ++ /* calculate our new key = aes_xcbc(0, key, keyLen). Because the ++ * key above is fixed (0), we can precalculate k1, k2, and k2. ++ * if this code ever needs to be more generic (support any xcbc ++ * function rather than just aes, we would probably want to just ++ * recurse here using our prf functions. This would be safe because ++ * the recurse case would have keyLen == blocksize and thus skip ++ * this conditional. ++ */ ++ aes_context = AES_CreateContext(k1_0, iv_zero, NSS_AES_CBC, ++ PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE); ++ /* we know the following loop will execute at least once */ ++ while (keyLen > AES_BLOCK_SIZE) { ++ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE, ++ keyValue, AES_BLOCK_SIZE); ++ if (rv != SECSuccess) { ++ goto fail; ++ } ++ keyValue += AES_BLOCK_SIZE; ++ keyLen -= AES_BLOCK_SIZE; ++ } ++ PORT_Memcpy(newKey, keyValue, keyLen); ++ sftk_xcbc_mac_pad(newKey, keyLen, AES_BLOCK_SIZE, k2_0, k3_0); ++ rv = AES_Encrypt(aes_context, newKey, &tmpLen, AES_BLOCK_SIZE, ++ newKey, AES_BLOCK_SIZE); ++ if (rv != SECSuccess) { ++ goto fail; ++ } ++ keyValue = newKey; ++ AES_DestroyContext(aes_context, PR_TRUE); ++ } ++ /* the length of the key in keyValue is known to be AES_BLOCK_SIZE, ++ * either because it was on input, or it was shorter and extended, or ++ * because it was mac'd down using aes_xcbc_prf. ++ */ ++ aes_context = AES_CreateContext(keyValue, iv_zero, ++ NSS_AES, PR_TRUE, AES_BLOCK_SIZE, AES_BLOCK_SIZE); ++ if (aes_context == NULL) { ++ goto fail; ++ } ++ rv = AES_Encrypt(aes_context, k1, &tmpLen, AES_BLOCK_SIZE, ++ k1data, sizeof(k1data)); ++ if (rv != SECSuccess) { ++ goto fail; ++ } ++ rv = AES_Encrypt(aes_context, k2, &tmpLen, AES_BLOCK_SIZE, ++ k2data, sizeof(k2data)); ++ if (rv != SECSuccess) { ++ goto fail; ++ } ++ rv = AES_Encrypt(aes_context, k3, &tmpLen, AES_BLOCK_SIZE, ++ k3data, sizeof(k3data)); ++ if (rv != SECSuccess) { ++ goto fail; ++ } ++ AES_DestroyContext(aes_context, PR_TRUE); ++ PORT_Memset(newKey, 0, AES_BLOCK_SIZE); ++ return CKR_OK; ++fail: ++ crv = sftk_MapCryptError(PORT_GetError()); ++ if (aes_context) { ++ AES_DestroyContext(aes_context, PR_TRUE); ++ } ++ PORT_Memset(k1, 0, AES_BLOCK_SIZE); ++ PORT_Memset(k2, 0, AES_BLOCK_SIZE); ++ PORT_Memset(k3, 0, AES_BLOCK_SIZE); ++ PORT_Memset(newKey, 0, AES_BLOCK_SIZE); ++ return crv; ++} ++ ++/* encode the final pad block of aes xcbc, padBuf is modified */ ++CK_RV ++sftk_xcbc_mac_pad(unsigned char *padBuf, unsigned int bufLen, int blockSize, ++ const unsigned char *k2, const unsigned char *k3) ++{ ++ int i; ++ if (bufLen == blockSize) { ++ for (i = 0; i < blockSize; i++) { ++ padBuf[i] ^= k2[i]; ++ } ++ } else { ++ padBuf[bufLen++] = 0x80; ++ for (i = bufLen; i < blockSize; i++) { ++ padBuf[i] = 0x00; ++ } ++ for (i = 0; i < blockSize; i++) { ++ padBuf[i] ^= k3[i]; ++ } ++ } ++ return CKR_OK; ++} ++ ++/* Map the mechanism to the underlying hash. If the type is not a hash ++ * or HMAC, return HASH_AlgNULL. This can happen legitimately if ++ * we are doing AES XCBC */ ++static HASH_HashType ++sftk_map_hmac_to_hash(CK_MECHANISM_TYPE type) ++{ ++ switch (type) { ++ case CKM_SHA_1_HMAC: ++ case CKM_SHA_1: ++ return HASH_AlgSHA1; ++ case CKM_MD5_HMAC: ++ case CKM_MD5: ++ return HASH_AlgMD5; ++ case CKM_MD2_HMAC: ++ case CKM_MD2: ++ return HASH_AlgMD2; ++ case CKM_SHA224_HMAC: ++ case CKM_SHA224: ++ return HASH_AlgSHA224; ++ case CKM_SHA256_HMAC: ++ case CKM_SHA256: ++ return HASH_AlgSHA256; ++ case CKM_SHA384_HMAC: ++ case CKM_SHA384: ++ return HASH_AlgSHA384; ++ case CKM_SHA512_HMAC: ++ case CKM_SHA512: ++ return HASH_AlgSHA512; ++ } ++ return HASH_AlgNULL; ++} ++ ++/* ++ * Generally setup the context based on the mechanism. ++ * If the mech is HMAC, context->hashObj should be set ++ * Otherwise it is assumed to be AES XCBC. prf_setup ++ * checks these assumptions and will return an error ++ * if they are not met. NOTE: this function does not allocate ++ * anything, so there is no requirement to free context after ++ * prf_setup like there is if you call prf_init. ++ */ ++static CK_RV ++prf_setup(prfContext *context, CK_MECHANISM_TYPE mech) ++{ ++ context->hashType = sftk_map_hmac_to_hash(mech); ++ context->hashObj = NULL; ++ context->hmac = NULL; ++ context->aes = NULL; ++ if (context->hashType != HASH_AlgNULL) { ++ context->hashObj = HASH_GetRawHashObject(context->hashType); ++ if (context->hashObj == NULL) { ++ return CKR_GENERAL_ERROR; ++ } ++ return CKR_OK; ++ } else if (mech == CKM_AES_XCBC_MAC) { ++ return CKR_OK; ++ } ++ return CKR_MECHANISM_PARAM_INVALID; ++} ++ ++/* return the underlying prf length for this context. This will ++ * function once the context is setup */ ++static CK_RV ++prf_length(prfContext *context) ++{ ++ if (context->hashObj) { ++ return context->hashObj->length; ++ } ++ return AES_BLOCK_SIZE; /* AES */ ++} ++ ++/* set up the key for the prf. prf_update or prf_final should not be called if ++ * prf_init has not been called first. Once prf_init returns hmac and ++ * aes contexts should set and valid. ++ */ ++static CK_RV ++prf_init(prfContext *context, const unsigned char *keyValue, ++ unsigned int keyLen) ++{ ++ CK_RV crv; ++ ++ context->hmac = NULL; ++ if (context->hashObj) { ++ context->hmac = HMAC_Create(context->hashObj, ++ keyValue, keyLen, PR_FALSE); ++ if (context->hmac == NULL) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ HMAC_Begin(context->hmac); ++ } else { ++ crv = sftk_aes_xcbc_get_keys(keyValue, keyLen, context->k1, ++ context->k2, context->k3); ++ if (crv != CKR_OK) ++ return crv; ++ context->nextChar = 0; ++ context->aes = AES_CreateContext(context->k1, iv_zero, NSS_AES_CBC, ++ PR_TRUE, sizeof(context->k1), AES_BLOCK_SIZE); ++ if (context->aes == NULL) { ++ crv = sftk_MapCryptError(PORT_GetError()); ++ PORT_Memset(context->k1, 0, sizeof(context->k1)); ++ PORT_Memset(context->k2, 0, sizeof(context->k2)); ++ PORT_Memset(context->k3, 0, sizeof(context->k2)); ++ return crv; ++ } ++ } ++ return CKR_OK; ++} ++ ++/* ++ * process input to the prf ++ */ ++static CK_RV ++prf_update(prfContext *context, const unsigned char *buf, unsigned int len) ++{ ++ unsigned int tmpLen; ++ SECStatus rv; ++ ++ if (context->hmac) { ++ HMAC_Update(context->hmac, buf, len); ++ } else { ++ /* AES MAC XCBC*/ ++ /* We must keep the last block back so that it can be processed in ++ * final. This is why we only check that nextChar + len > blocksize, ++ * rather than checking that nextChar + len >= blocksize */ ++ while (context->nextChar + len > AES_BLOCK_SIZE) { ++ if (context->nextChar != 0) { ++ /* first handle fill in any partial blocks in the buffer */ ++ unsigned int left = AES_BLOCK_SIZE - context->nextChar; ++ /* note: left can be zero */ ++ PORT_Memcpy(context->padBuf + context->nextChar, buf, left); ++ /* NOTE: AES MAC XCBC xors the data with the previous block ++ * We don't do that step here because our AES_Encrypt mode ++ * is CBC, which does the xor automatically */ ++ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, ++ sizeof(context->macBuf), context->padBuf, ++ sizeof(context->padBuf)); ++ if (rv != SECSuccess) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ context->nextChar = 0; ++ len -= left; ++ buf += left; ++ } else { ++ /* optimization. if we have complete blocks to write out ++ * (and will still have leftover blocks for padbuf in the end). ++ * we can mac directly out of our buffer without first copying ++ * them to padBuf */ ++ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, ++ sizeof(context->macBuf), buf, AES_BLOCK_SIZE); ++ if (rv != SECSuccess) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ len -= AES_BLOCK_SIZE; ++ buf += AES_BLOCK_SIZE; ++ } ++ } ++ PORT_Memcpy(context->padBuf + context->nextChar, buf, len); ++ context->nextChar += len; ++ } ++ return CKR_OK; ++} ++ ++/* ++ * free the data associated with the prf. Clear any possible CSPs ++ * This can safely be called on any context after prf_setup. It can ++ * also be called an an already freed context. ++ * A free context can be reused by calling prf_init again without ++ * the need to call prf_setup. ++ */ ++static void ++prf_free(prfContext *context) ++{ ++ if (context->hmac) { ++ HMAC_Destroy(context->hmac, PR_TRUE); ++ context->hmac = NULL; ++ } ++ if (context->aes) { ++ PORT_Memset(context->k1, 0, sizeof(context->k1)); ++ PORT_Memset(context->k2, 0, sizeof(context->k2)); ++ PORT_Memset(context->k3, 0, sizeof(context->k2)); ++ PORT_Memset(context->padBuf, 0, sizeof(context->padBuf)); ++ PORT_Memset(context->macBuf, 0, sizeof(context->macBuf)); ++ AES_DestroyContext(context->aes, PR_TRUE); ++ context->aes = NULL; ++ } ++} ++ ++/* ++ * extract the final prf value. On success, this has the side effect of ++ * also freeing the context data and clearing the keys ++ */ ++static CK_RV ++prf_final(prfContext *context, unsigned char *buf, unsigned int len) ++{ ++ unsigned int tmpLen; ++ SECStatus rv; ++ ++ if (context->hmac) { ++ unsigned int outLen; ++ HMAC_Finish(context->hmac, buf, &outLen, len); ++ if (outLen != len) { ++ return CKR_GENERAL_ERROR; ++ } ++ } else { ++ /* prf_update had guarrenteed that the last full block is still in ++ * the padBuf if the input data is a multiple of the blocksize. This ++ * allows sftk_xcbc_mac_pad to process that pad buf accordingly */ ++ sftk_xcbc_mac_pad(context->padBuf, context->nextChar, AES_BLOCK_SIZE, ++ context->k2, context->k3); ++ rv = AES_Encrypt(context->aes, context->macBuf, &tmpLen, ++ sizeof(context->macBuf), context->padBuf, AES_BLOCK_SIZE); ++ if (rv != SECSuccess) { ++ return sftk_MapCryptError(PORT_GetError()); ++ } ++ PORT_Memcpy(buf, context->macBuf, len); ++ } ++ prf_free(context); ++ return CKR_OK; ++} ++ ++/* ++ * There are four flavors of ike prf functions here. ++ * ike_prf is useb in both ikeV1 and ikeV2 to generate ++ * an initial key that all the other keys are generated with. ++ * ++ * These functions are called from NSC_DeriveKey with the inKey value ++ * already looked up, and it expects the CKA_VALUE for outKey to be set. ++ * ++ * Depending on usage it returns either: ++ * 1. prf(Ni|Nr, inKey); (bDataAsKey=TRUE, bRekey=FALSE) ++ * 2. prf(inKey, Ni|Nr); (bDataAsKkey=FALSE, bRekey=FALSE) ++ * 3. prf(inKey, newKey | Ni | Nr); (bDataAsKey=FALSE, bRekey=TRUE) ++ * The resulting output key is always the length of the underlying prf ++ * (as returned by prf_length()). ++ * The combination of bDataAsKey=TRUE and bRekey=TRUE is not allowed ++ * ++ * Case 1 is used in ++ * a. ikev2 (rfc5996) inKey is called g^ir, the output is called SKEYSEED ++ * b. ikev1 (rfc2409) inKey is called g^ir, the output is called SKEYID ++ * Case 2 is used in ikev1 (rfc2409) inkey is called pre-shared-key, output ++ * id called SKEYID ++ * Case 3 is used in ikev2 (rfc5996) rekey case, inKey is SK_d, newKey is ++ * g^ir (new), the output is called SKEYSEED ++ */ ++CK_RV ++sftk_ike_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, ++ const CK_NSS_IKE_PRF_DERIVE_PARAMS *params, SFTKObject *outKey) ++{ ++ SFTKAttribute *newKeyValue = NULL; ++ SFTKObject *newKeyObj = NULL; ++ unsigned char outKeyData[HASH_LENGTH_MAX]; ++ unsigned char *newInKey = NULL; ++ unsigned int newInKeySize; ++ unsigned int macSize; ++ CK_RV crv = CKR_OK; ++ prfContext context; ++ ++ crv = prf_setup(&context, params->prfMechanism); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ macSize = prf_length(&context); ++ if ((params->bDataAsKey) && (params->bRekey)) { ++ return CKR_ARGUMENTS_BAD; ++ } ++ if (params->bRekey) { ++ /* lookup the value of new key from the session and key handle */ ++ SFTKSession *session = sftk_SessionFromHandle(hSession); ++ if (session == NULL) { ++ return CKR_SESSION_HANDLE_INVALID; ++ } ++ newKeyObj = sftk_ObjectFromHandle(params->hNewKey, session); ++ sftk_FreeSession(session); ++ if (newKeyObj == NULL) { ++ return CKR_KEY_HANDLE_INVALID; ++ } ++ newKeyValue = sftk_FindAttribute(newKeyObj, CKA_VALUE); ++ if (newKeyValue == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ } ++ if (params->bDataAsKey) { ++ /* The key is Ni || Np, so we need to concatenate them together first */ ++ newInKeySize = params->ulNiLen + params->ulNrLen; ++ newInKey = PORT_Alloc(newInKeySize); ++ if (newInKey == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto fail; ++ } ++ PORT_Memcpy(newInKey, params->pNi, params->ulNiLen); ++ PORT_Memcpy(newInKey + params->ulNiLen, params->pNr, params->ulNrLen); ++ crv = prf_init(&context, newInKey, newInKeySize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ /* key as the data */ ++ crv = prf_update(&context, inKey->attrib.pValue, ++ inKey->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } else { ++ crv = prf_init(&context, inKey->attrib.pValue, ++ inKey->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ if (newKeyValue) { ++ crv = prf_update(&context, newKeyValue->attrib.pValue, ++ newKeyValue->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ crv = prf_update(&context, params->pNi, params->ulNiLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, params->pNr, params->ulNrLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ crv = prf_final(&context, outKeyData, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, macSize); ++fail: ++ if (newInKey) { ++ PORT_Free(newInKey); ++ } ++ if (newKeyValue) { ++ sftk_FreeAttribute(newKeyValue); ++ } ++ if (newKeyObj) { ++ sftk_FreeObject(newKeyObj); ++ } ++ PORT_Memset(outKeyData, 0, macSize); ++ prf_free(&context); ++ return crv; ++} ++ ++/* ++ * The second flavor of ike prf is ike1_prf. ++ * ++ * It is used by ikeV1 to generate the various session keys used in the ++ * connection. It uses the initial key, an optional previous key, and a one byte ++ * key number to generate a unique key for each of the various session ++ * functions (encryption, decryption, mac). These keys expect a key size ++ * (as they may vary in length based on usage). If no length is provided, ++ * it will default to the length of the prf. ++ * ++ * This function returns either: ++ * prf(inKey, gxyKey || CKYi || CKYr || key_number) ++ * or ++ * prf(inKey, prefkey || gxyKey || CKYi || CKYr || key_number) ++ * depending on the stats of bHasPrevKey ++ * ++ * This is defined in rfc2409. For each of the following keys. ++ * inKey is SKEYID, gxyKey is g^xy ++ * for outKey = SKEYID_d, bHasPrevKey = false, key_number = 0 ++ * for outKey = SKEYID_a, prevKey= SKEYID_d, key_number = 1 ++ * for outKey = SKEYID_e, prevKey= SKEYID_a, key_number = 2 ++ */ ++CK_RV ++sftk_ike1_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, ++ const CK_NSS_IKE1_PRF_DERIVE_PARAMS *params, SFTKObject *outKey, ++ unsigned int keySize) ++{ ++ SFTKAttribute *gxyKeyValue = NULL; ++ SFTKObject *gxyKeyObj = NULL; ++ SFTKAttribute *prevKeyValue = NULL; ++ SFTKObject *prevKeyObj = NULL; ++ SFTKSession *session; ++ unsigned char outKeyData[HASH_LENGTH_MAX]; ++ unsigned int macSize; ++ CK_RV crv; ++ prfContext context; ++ ++ crv = prf_setup(&context, params->prfMechanism); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ macSize = prf_length(&context); ++ if (keySize > macSize) { ++ return CKR_KEY_SIZE_RANGE; ++ } ++ if (keySize == 0) { ++ keySize = macSize; ++ } ++ ++ /* lookup the two keys from their passed in handles */ ++ session = sftk_SessionFromHandle(hSession); ++ if (session == NULL) { ++ return CKR_SESSION_HANDLE_INVALID; ++ } ++ gxyKeyObj = sftk_ObjectFromHandle(params->hKeygxy, session); ++ if (params->bHasPrevKey) { ++ prevKeyObj = sftk_ObjectFromHandle(params->hPrevKey, session); ++ } ++ sftk_FreeSession(session); ++ if ((gxyKeyObj == NULL) || ((params->bHasPrevKey) && ++ (prevKeyObj == NULL))) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ gxyKeyValue = sftk_FindAttribute(gxyKeyObj, CKA_VALUE); ++ if (gxyKeyValue == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ if (prevKeyObj) { ++ prevKeyValue = sftk_FindAttribute(prevKeyObj, CKA_VALUE); ++ if (prevKeyValue == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ } ++ ++ /* outKey = prf(inKey, [prevKey|] gxyKey | CKYi | CKYr | keyNumber) */ ++ crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ if (prevKeyValue) { ++ crv = prf_update(&context, prevKeyValue->attrib.pValue, ++ prevKeyValue->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ crv = prf_update(&context, gxyKeyValue->attrib.pValue, ++ gxyKeyValue->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, params->pCKYi, params->ulCKYiLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, params->pCKYr, params->ulCKYrLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, ¶ms->keyNumber, 1); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_final(&context, outKeyData, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); ++fail: ++ if (gxyKeyValue) { ++ sftk_FreeAttribute(gxyKeyValue); ++ } ++ if (prevKeyValue) { ++ sftk_FreeAttribute(prevKeyValue); ++ } ++ if (gxyKeyObj) { ++ sftk_FreeObject(gxyKeyObj); ++ } ++ if (prevKeyObj) { ++ sftk_FreeObject(prevKeyObj); ++ } ++ PORT_Memset(outKeyData, 0, macSize); ++ prf_free(&context); ++ return crv; ++} ++ ++/* ++ * The third flavor of ike prf is ike1_appendix_b. ++ * ++ * It is used by ikeV1 to generate longer key material from skeyid_e. ++ * Unlike ike1_prf, if no length is provided, this function ++ * will generate a KEY_RANGE_ERROR. ++ * ++ * This function returns (from rfc2409 appendix b): ++ * Ka = K1 | K2 | K3 | K4 |... Kn ++ * where: ++ * K1 = prf(K, 0x00) ++ * K2 = prf(K, K1) ++ * K3 = prf(K, K2) ++ * K4 = prf(K, K3) ++ * . ++ * Kn = prf(K, T(n-1)) ++ * K = inKey, S = seedKey | seedData ++ */ ++CK_RV ++sftk_ike1_appendix_b_prf(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, ++ const CK_MECHANISM_TYPE *mech, SFTKObject *outKey, unsigned int keySize) ++{ ++ unsigned char *outKeyData = NULL; ++ unsigned char *thisKey = NULL; ++ unsigned char *lastKey = NULL; ++ unsigned int macSize; ++ unsigned int outKeySize; ++ unsigned int genKeySize; ++ CK_RV crv; ++ prfContext context; ++ ++ crv = prf_setup(&context, *mech); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ ++ macSize = prf_length(&context); ++ ++ if (keySize == 0) { ++ keySize = macSize; ++ } ++ ++ if (keySize <= inKey->attrib.ulValueLen) { ++ return sftk_forceAttribute(outKey, CKA_VALUE, ++ inKey->attrib.pValue, keySize); ++ ++ } ++ outKeySize = PR_ROUNDUP(keySize, macSize); ++ outKeyData = PORT_Alloc(outKeySize); ++ if (outKeyData == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto fail; ++ } ++ ++ /* ++ * this loop generates on block of the prf, basically ++ * kn = prf(key, Kn-1) ++ * Kn is thisKey, Kn-1 is lastKey ++ * key is inKey ++ */ ++ thisKey = outKeyData; ++ for (genKeySize = 0; genKeySize <= keySize; genKeySize += macSize) { ++ crv = prf_init(&context, inKey->attrib.pValue, inKey->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ if (lastKey == NULL) { ++ const unsigned char zero = 0; ++ crv = prf_update(&context, &zero, 1); ++ } else { ++ crv = prf_update(&context, lastKey, macSize); ++ } ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_final(&context, thisKey, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ lastKey = thisKey; ++ thisKey += macSize; ++ } ++ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); ++fail: ++ if (outKeyData) { ++ PORT_ZFree(outKeyData, outKeySize); ++ } ++ prf_free(&context); ++ return crv; ++} ++ ++/* ++ * The final flavor of ike prf is ike_prf_plus ++ * ++ * It is used by ikeV2 to generate the various session keys used in the ++ * connection. It uses the initial key and a feedback version of the prf ++ * to generate sufficient bytes to cover all the session keys. The application ++ * will then use CK_EXTRACT_KEY_FROM_KEY to pull out the various subkeys. ++ * This function expects a key size to be set by the application to cover ++ * all the keys. Unlike ike1_prf, if no length is provided, this function ++ * will generate a KEY_RANGE_ERROR ++ * ++ * This function returns (from rfc5996): ++ * prfplus = T1 | T2 | T3 | T4 |... Tn ++ * where: ++ * T1 = prf(K, S | 0x01) ++ * T2 = prf(K, T1 | S | 0x02) ++ * T3 = prf(K, T3 | S | 0x03) ++ * T4 = prf(K, T4 | S | 0x04) ++ * . ++ * Tn = prf(K, T(n-1) | n) ++ * K = inKey, S = seedKey | seedData ++ */ ++ ++CK_RV ++sftk_ike_prf_plus(CK_SESSION_HANDLE hSession, const SFTKAttribute *inKey, ++ const CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS *params, SFTKObject *outKey, ++ unsigned int keySize) ++{ ++ SFTKAttribute *seedValue = NULL; ++ SFTKObject *seedKeyObj = NULL; ++ unsigned char *outKeyData = NULL; ++ unsigned int outKeySize; ++ unsigned char *thisKey; ++ unsigned char *lastKey = NULL; ++ unsigned char currentByte = 0; ++ unsigned int getKeySize; ++ unsigned int macSize; ++ CK_RV crv; ++ prfContext context; ++ ++ if (keySize == 0) { ++ return CKR_KEY_SIZE_RANGE; ++ } ++ ++ crv = prf_setup(&context, params->prfMechanism); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ /* pull in optional seedKey */ ++ if (params->bHasSeedKey) { ++ SFTKSession *session = sftk_SessionFromHandle(hSession); ++ if (session == NULL) { ++ return CKR_SESSION_HANDLE_INVALID; ++ } ++ seedKeyObj = sftk_ObjectFromHandle(params->hSeedKey, session); ++ sftk_FreeSession(session); ++ if (seedKeyObj == NULL) { ++ return CKR_KEY_HANDLE_INVALID; ++ } ++ seedValue = sftk_FindAttribute(seedKeyObj, CKA_VALUE); ++ if (seedValue == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ } else if (params->ulSeedDataLen == 0) { ++ crv = CKR_ARGUMENTS_BAD; ++ goto fail; ++ } ++ macSize = prf_length(&context); ++ outKeySize = PR_ROUNDUP(keySize, macSize); ++ outKeyData = PORT_Alloc(outKeySize); ++ if (outKeyData == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto fail; ++ } ++ ++ /* ++ * this loop generates on block of the prf, basically ++ * Tn = prf(key, Tn-1 | S | n) ++ * Tn is thisKey, Tn-2 is lastKey, S is seedKey || seedData, ++ * key is inKey. currentByte = n-1 on entry. ++ */ ++ thisKey = outKeyData; ++ for (getKeySize = 0; getKeySize < keySize; getKeySize += macSize) { ++ /* if currentByte is 255, we'll overflow when we increment it below. ++ * This can only happen if keysize > 255*macSize. In that case ++ * the application has asked for too much key material, so return ++ * an error */ ++ if (currentByte == 255) { ++ crv = CKR_KEY_SIZE_RANGE; ++ goto fail; ++ } ++ crv = prf_init(&context, inKey->attrib.pValue, ++ inKey->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ if (lastKey) { ++ crv = prf_update(&context, lastKey, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ /* prf the key first */ ++ if (seedValue) { ++ crv = prf_update(&context, seedValue->attrib.pValue, ++ seedValue->attrib.ulValueLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ /* then prf the data */ ++ if (params->ulSeedDataLen != 0) { ++ crv = prf_update(&context, params->pSeedData, ++ params->ulSeedDataLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ } ++ currentByte++; ++ crv = prf_update(&context, ¤tByte, 1); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_final(&context, thisKey, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ lastKey = thisKey; ++ thisKey += macSize; ++ } ++ crv = sftk_forceAttribute(outKey, CKA_VALUE, outKeyData, keySize); ++fail: ++ if (outKeyData) { ++ PORT_ZFree(outKeyData, outKeySize); ++ } ++ if (seedValue) { ++ sftk_FreeAttribute(seedValue); ++ } ++ if (seedKeyObj) { ++ sftk_FreeObject(seedKeyObj); ++ } ++ prf_free(&context); ++ return crv; ++} ++ ++/* sftk_aes_xcbc_new_keys: ++ * ++ * aes xcbc creates 3 new keys from the input key. The first key will be the ++ * base key of the underlying cbc. The sign code hooks directly into encrypt ++ * so we'll have to create a full PKCS #11 key with handle for that key. The ++ * caller needs to delete the key when it's through setting up the context. ++ * ++ * The other two keys will be stored in the sign context until we need them ++ * at the end. ++ */ ++CK_RV ++sftk_aes_xcbc_new_keys(CK_SESSION_HANDLE hSession, ++ CK_OBJECT_HANDLE hKey, CK_OBJECT_HANDLE_PTR phKey, ++ unsigned char *k2, unsigned char *k3) ++{ ++ SFTKObject *key = NULL; ++ SFTKSession *session = NULL; ++ SFTKObject *inKeyObj = NULL; ++ SFTKAttribute *inKeyValue = NULL; ++ CK_KEY_TYPE key_type = CKK_AES; ++ CK_OBJECT_CLASS objclass = CKO_SECRET_KEY; ++ CK_BBOOL ck_true = CK_TRUE; ++ CK_RV crv = CKR_OK; ++ SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession); ++ unsigned char buf[AES_BLOCK_SIZE]; ++ ++ if (!slot) { ++ return CKR_SESSION_HANDLE_INVALID; ++ } ++ ++ /* get the session */ ++ session = sftk_SessionFromHandle(hSession); ++ if (session == NULL) { ++ crv = CKR_SESSION_HANDLE_INVALID; ++ goto fail; ++ } ++ ++ inKeyObj = sftk_ObjectFromHandle(hKey, session); ++ if (inKeyObj == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ ++ inKeyValue = sftk_FindAttribute(inKeyObj, CKA_VALUE); ++ if (inKeyValue == NULL) { ++ crv = CKR_KEY_HANDLE_INVALID; ++ goto fail; ++ } ++ ++ crv = sftk_aes_xcbc_get_keys(inKeyValue->attrib.pValue, ++ inKeyValue->attrib.ulValueLen, buf, k2, k3); ++ ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ /* ++ * now lets create an object to hang the attributes off of ++ */ ++ key = sftk_NewObject(slot); /* fill in the handle later */ ++ if (key == NULL) { ++ crv = CKR_HOST_MEMORY; ++ goto fail; ++ } ++ ++ /* make sure we don't have any class, key_type, or value fields */ ++ sftk_DeleteAttributeType(key, CKA_CLASS); ++ sftk_DeleteAttributeType(key, CKA_KEY_TYPE); ++ sftk_DeleteAttributeType(key, CKA_VALUE); ++ sftk_DeleteAttributeType(key, CKA_SIGN); ++ ++ /* Add the class, key_type, and value */ ++ crv = sftk_AddAttributeType(key, CKA_CLASS, &objclass, sizeof(CK_OBJECT_CLASS)); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &key_type, sizeof(CK_KEY_TYPE)); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = sftk_AddAttributeType(key, CKA_SIGN, &ck_true, sizeof(CK_BBOOL)); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = sftk_AddAttributeType(key, CKA_VALUE, buf, AES_BLOCK_SIZE); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ /* ++ * finish filling in the key and link it with our global system. ++ */ ++ crv = sftk_handleObject(key, session); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ *phKey = key->handle; ++fail: ++ if (session) { ++ sftk_FreeSession(session); ++ } ++ ++ if (inKeyValue) { ++ sftk_FreeAttribute(inKeyValue); ++ } ++ if (inKeyObj) { ++ sftk_FreeObject(inKeyObj); ++ } ++ if (key) { ++ sftk_FreeObject(key); ++ } ++ /* clear our CSPs */ ++ if (crv != CKR_OK) { ++ PORT_Memset(k2, 0, AES_BLOCK_SIZE); ++ PORT_Memset(k3, 0, AES_BLOCK_SIZE); ++ } ++ return crv; ++} ++ ++/* ++ * Helper function that tests a single prf test vector ++ */ ++static SECStatus ++prf_test(CK_MECHANISM_TYPE mech, ++ const unsigned char *inKey, unsigned int inKeyLen, ++ const unsigned char *plainText, unsigned int plainTextLen, ++ const unsigned char *expectedResult, unsigned int expectedResultLen) ++{ ++ PRUint8 ike_computed_mac[HASH_LENGTH_MAX]; ++ prfContext context; ++ unsigned int macSize; ++ CK_RV crv; ++ ++ crv = prf_setup(&context, mech); ++ if (crv != CKR_OK) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++ } ++ macSize = prf_length(&context); ++ crv = prf_init(&context, inKey, inKeyLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, plainText, plainTextLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_final(&context, ike_computed_mac, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ ++ if (macSize != expectedResultLen) { ++ goto fail; ++ } ++ if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) { ++ goto fail; ++ } ++ ++ /* only do the alignment if the plaintext is long enough */ ++ if (plainTextLen <= macSize) { ++ return SECSuccess; ++ } ++ /* do it again, but this time tweak with the alignment */ ++ crv = prf_init(&context, inKey, inKeyLen); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, plainText, 1); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, &plainText[1], macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_update(&context, &plainText[1 + macSize], plainTextLen - (macSize + 1)); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ crv = prf_final(&context, ike_computed_mac, macSize); ++ if (crv != CKR_OK) { ++ goto fail; ++ } ++ if (PORT_Memcmp(expectedResult, ike_computed_mac, macSize) != 0) { ++ goto fail; ++ } ++ return SECSuccess; ++fail: ++ prf_free(&context); ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++} ++ ++/* ++ * FIPS Power up Self Tests for IKE. This is in this function so it ++ * can access the private prf_ functions here. It's called out of fipstest.c ++ */ ++SECStatus ++sftk_fips_IKE_PowerUpSelfTests(void) ++{ ++ /* PRF known test vectors */ ++ static const PRUint8 ike_xcbc_known_key[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f ++ }; ++ static const PRUint8 ike_xcbc_known_plain_text[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f ++ }; ++ static const PRUint8 ike_xcbc_known_mac[] = { ++ 0xd2, 0xa2, 0x46, 0xfa, 0x34, 0x9b, 0x68, 0xa7, ++ 0x99, 0x98, 0xa4, 0x39, 0x4f, 0xf7, 0xa2, 0x63 ++ }; ++ /* test 2 uses the same key as test 1 */ ++ static const PRUint8 ike_xcbc_known_plain_text_2[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0x10, 0x11, 0x12, 0x13 ++ }; ++ static const PRUint8 ike_xcbc_known_mac_2[] = { ++ 0x47, 0xf5, 0x1b, 0x45, 0x64, 0x96, 0x62, 0x15, ++ 0xb8, 0x98, 0x5c, 0x63, 0x05, 0x5e, 0xd3, 0x08 ++ }; ++ static const PRUint8 ike_xcbc_known_key_3[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09 ++ }; ++ /* test 3 uses the same plaintest as test 2 */ ++ static const PRUint8 ike_xcbc_known_mac_3[] = { ++ 0x0f, 0xa0, 0x87, 0xaf, 0x7d, 0x86, 0x6e, 0x76, ++ 0x53, 0x43, 0x4e, 0x60, 0x2f, 0xdd, 0xe8, 0x35 ++ }; ++ static const PRUint8 ike_xcbc_known_key_4[] = { ++ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, ++ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, ++ 0xed, 0xcb ++ }; ++ /* test 4 uses the same plaintest as test 2 */ ++ static const PRUint8 ike_xcbc_known_mac_4[] = { ++ 0x8c, 0xd3, 0xc9, 0x3a, 0xe5, 0x98, 0xa9, 0x80, ++ 0x30, 0x06, 0xff, 0xb6, 0x7c, 0x40, 0xe9, 0xe4 ++ }; ++ static const PRUint8 ike_sha1_known_key[] = { ++ 0x59, 0x98, 0x2b, 0x5b, 0xa5, 0x7e, 0x62, 0xc0, ++ 0x46, 0x0d, 0xef, 0xc7, 0x1e, 0x18, 0x64, 0x63 ++ }; ++ static const PRUint8 ike_sha1_known_plain_text[] = { ++ 0x1c, 0x07, 0x32, 0x1a, 0x9a, 0x7e, 0x41, 0xcd, ++ 0x88, 0x0c, 0xa3, 0x7a, 0xdb, 0x10, 0xc7, 0x3b, ++ 0xf0, 0x0e, 0x7a, 0xe3, 0xcf, 0xc6, 0xfd, 0x8b, ++ 0x51, 0xbc, 0xe2, 0xb9, 0x90, 0xe6, 0xf2, 0x01 ++ }; ++ static const PRUint8 ike_sha1_known_mac[] = { ++ 0x0c, 0x2a, 0xf3, 0x42, 0x97, 0x15, 0x62, 0x1d, ++ 0x2a, 0xad, 0xc9, 0x94, 0x5a, 0x90, 0x26, 0xfa, ++ 0xc7, 0x91, 0xe2, 0x4b ++ }; ++ static const PRUint8 ike_sha256_known_key[] = { ++ 0x9d, 0xa2, 0xd5, 0x8f, 0x57, 0xf0, 0x39, 0xf9, ++ 0x20, 0x4e, 0x0d, 0xd0, 0xef, 0x04, 0xf3, 0x72 ++ }; ++ static const PRUint8 ike_sha256_known_plain_text[] = { ++ 0x33, 0xf1, 0x7a, 0xfc, 0xb6, 0x13, 0x4c, 0xbf, ++ 0x1c, 0xab, 0x59, 0x87, 0x7d, 0x42, 0xdb, 0x35, ++ 0x82, 0x22, 0x6e, 0xff, 0x74, 0xdd, 0x37, 0xeb, ++ 0x8b, 0x75, 0xe6, 0x75, 0x64, 0x5f, 0xc1, 0x69 ++ }; ++ static const PRUint8 ike_sha256_known_mac[] = { ++ 0x80, 0x4b, 0x4a, 0x1e, 0x0e, 0xc5, 0x93, 0xcf, 0xb6, ++ 0xe4, 0x54, 0x52, 0x41, 0x49, 0x39, 0x6d, 0xe2, 0x34, ++ 0xd0, 0xda, 0xe2, 0x9f, 0x34, 0xa8, 0xfd, 0xb5, 0xf9, ++ 0xaf, 0xe7, 0x6e, 0xa6, 0x52 ++ }; ++ static const PRUint8 ike_sha384_known_key[] = { ++ 0xce, 0xc8, 0x9d, 0x84, 0x5a, 0xdd, 0x83, 0xef, ++ 0xce, 0xbd, 0x43, 0xab, 0x71, 0xd1, 0x7d, 0xb9 ++ }; ++ static const PRUint8 ike_sha384_known_plain_text[] = { ++ 0x17, 0x24, 0xdb, 0xd8, 0x93, 0x52, 0x37, 0x64, ++ 0xbf, 0xef, 0x8c, 0x6f, 0xa9, 0x27, 0x85, 0x6f, ++ 0xcc, 0xfb, 0x77, 0xae, 0x25, 0x43, 0x58, 0xcc, ++ 0xe2, 0x9c, 0x27, 0x69, 0xa3, 0x29, 0x15, 0xc1 ++ }; ++ static const PRUint8 ike_sha384_known_mac[] = { ++ 0x6e, 0x45, 0x14, 0x61, 0x0b, 0xf8, 0x2d, 0x0a, ++ 0xb7, 0xbf, 0x02, 0x60, 0x09, 0x6f, 0x61, 0x46, ++ 0xa1, 0x53, 0xc7, 0x12, 0x07, 0x1a, 0xbb, 0x63, ++ 0x3c, 0xed, 0x81, 0x3c, 0x57, 0x21, 0x56, 0xc7, ++ 0x83, 0xe3, 0x68, 0x74, 0xa6, 0x5a, 0x64, 0x69, ++ 0x0c, 0xa7, 0x01, 0xd4, 0x0d, 0x56, 0xea, 0x18 ++ }; ++ static const PRUint8 ike_sha512_known_key[] = { ++ 0xac, 0xad, 0xc6, 0x31, 0x4a, 0x69, 0xcf, 0xcd, ++ 0x4e, 0x4a, 0xd1, 0x77, 0x18, 0xfe, 0xa7, 0xce ++ }; ++ static const PRUint8 ike_sha512_known_plain_text[] = { ++ 0xb1, 0x5a, 0x9c, 0xfc, 0xe8, 0xc8, 0xd7, 0xea, ++ 0xb8, 0x79, 0xd6, 0x24, 0x30, 0x29, 0xd4, 0x01, ++ 0x88, 0xd3, 0xb7, 0x40, 0x87, 0x5a, 0x6a, 0xc6, ++ 0x2f, 0x56, 0xca, 0xc4, 0x37, 0x7e, 0x2e, 0xdd ++ }; ++ static const PRUint8 ike_sha512_known_mac[] = { ++ 0xf0, 0x5a, 0xa0, 0x36, 0xdf, 0xce, 0x45, 0xa5, ++ 0x58, 0xd4, 0x04, 0x18, 0xde, 0xa9, 0x80, 0x96, ++ 0xe5, 0x19, 0xbc, 0x78, 0x41, 0xe3, 0xdb, 0x3d, ++ 0xd9, 0x36, 0x58, 0xd1, 0x18, 0xc3, 0xe8, 0x3b, ++ 0x50, 0x2f, 0x39, 0x8e, 0xcb, 0x13, 0x61, 0xec, ++ 0x77, 0xd3, 0x8a, 0x88, 0x55, 0xef, 0xff, 0x40, ++ 0x7f, 0x6f, 0x77, 0x2e, 0x5d, 0x65, 0xb5, 0x8e, ++ 0xb1, 0x13, 0x40, 0x96, 0xe8, 0x47, 0x8d, 0x2b ++ }; ++ SECStatus rv; ++ ++ rv = prf_test(CKM_AES_XCBC_MAC, ++ ike_xcbc_known_key, sizeof(ike_xcbc_known_key), ++ ike_xcbc_known_plain_text, sizeof(ike_xcbc_known_plain_text), ++ ike_xcbc_known_mac, sizeof(ike_xcbc_known_mac)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_AES_XCBC_MAC, ++ ike_xcbc_known_key, sizeof(ike_xcbc_known_key), ++ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), ++ ike_xcbc_known_mac_2, sizeof(ike_xcbc_known_mac_2)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_AES_XCBC_MAC, ++ ike_xcbc_known_key_3, sizeof(ike_xcbc_known_key_3), ++ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), ++ ike_xcbc_known_mac_3, sizeof(ike_xcbc_known_mac_3)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_AES_XCBC_MAC, ++ ike_xcbc_known_key_4, sizeof(ike_xcbc_known_key_4), ++ ike_xcbc_known_plain_text_2, sizeof(ike_xcbc_known_plain_text_2), ++ ike_xcbc_known_mac_4, sizeof(ike_xcbc_known_mac_4)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_SHA_1_HMAC, ++ ike_sha1_known_key, sizeof(ike_sha1_known_key), ++ ike_sha1_known_plain_text, sizeof(ike_sha1_known_plain_text), ++ ike_sha1_known_mac, sizeof(ike_sha1_known_mac)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_SHA256_HMAC, ++ ike_sha256_known_key, sizeof(ike_sha256_known_key), ++ ike_sha256_known_plain_text, ++ sizeof(ike_sha256_known_plain_text), ++ ike_sha256_known_mac, sizeof(ike_sha256_known_mac)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_SHA384_HMAC, ++ ike_sha384_known_key, sizeof(ike_sha384_known_key), ++ ike_sha384_known_plain_text, ++ sizeof(ike_sha384_known_plain_text), ++ ike_sha384_known_mac, sizeof(ike_sha384_known_mac)); ++ if (rv != SECSuccess) ++ return rv; ++ rv = prf_test(CKM_SHA512_HMAC, ++ ike_sha512_known_key, sizeof(ike_sha512_known_key), ++ ike_sha512_known_plain_text, ++ sizeof(ike_sha512_known_plain_text), ++ ike_sha512_known_mac, sizeof(ike_sha512_known_mac)); ++ return rv; ++} +diff --git a/lib/softoken/softoken.gyp b/lib/softoken/softoken.gyp +--- a/lib/softoken/softoken.gyp ++++ b/lib/softoken/softoken.gyp +@@ -53,16 +53,17 @@ + 'lowpbe.c', + 'padbuf.c', + 'pkcs11.c', + 'pkcs11c.c', + 'pkcs11u.c', + 'sdb.c', + 'sftkdb.c', + 'sftkhmac.c', ++ 'sftkike.c', + 'sftkpars.c', + 'sftkpwd.c', + 'softkver.c', + 'tlsprf.c' + ], + }, + }, + { +diff --git a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -646,18 +646,21 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + + TOTAL_CRL_RANGE=`expr ${CRL_GRP_1_RANGE} + ${CRL_GRP_2_RANGE} + \ + ${CRL_GRP_3_RANGE}` + + TOTAL_GRP_NUM=3 + + RELOAD_CRL=1 + +- NSS_DEFAULT_DB_TYPE="dbm" +- export NSS_DEFAULT_DB_TYPE ++ # if test mode isn't set, test scripts default to expecting dbm ++ if [ "${TEST_MODE}" = "" ]; then ++ NSS_DEFAULT_DB_TYPE="dbm" ++ export NSS_DEFAULT_DB_TYPE ++ fi + + MSG_ID=0 + + ################################################# + # Interoperability testing constatnts + # + # if suite is setup for testing, IOPR_HOSTADDR_LIST should have + # at least one host name(FQDN) +diff -up ./tests/fips/fips.sh.ike_mechs ./tests/fips/fips.sh +new file mode 100755 +--- ./tests/fips/fips.sh.ike_mechs 2019-04-19 10:00:54.535025153 -0700 ++++ ./tests/fips/fips.sh 2019-04-19 10:00:03.619825955 -0700 +@@ -0,0 +1,323 @@ ++#! /bin/bash ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ ++######################################################################## ++# mozilla/security/nss/tests/fips/fips.sh ++# ++# Script to test basic functionallity of NSS in FIPS-compliant mode ++# ++# needs to work on all Unix and Windows platforms ++# ++# tests implemented: ++# ++# special strings ++# --------------- ++# ++######################################################################## ++ ++############################## fips_init ############################## ++# local shell function to initialize this script ++######################################################################## ++fips_init() ++{ ++ SCRIPTNAME=fips.sh # sourced - $0 would point to all.sh ++ ++ if [ -z "${CLEANUP}" ] ; then # if nobody else is responsible for ++ CLEANUP="${SCRIPTNAME}" # cleaning this script will do it ++ fi ++ ++ if [ -z "${INIT_SOURCED}" -o "${INIT_SOURCED}" != "TRUE" ]; then ++ cd ../common ++ . ./init.sh ++ fi ++# if [ ! -r $CERT_LOG_FILE ]; then # we need certificates here ++# cd ../cert ++# . ./cert.sh ++# fi ++ SCRIPTNAME=fips.sh ++ html_head "FIPS 140 Compliance Tests" ++ ++# grep "SUCCESS: FIPS passed" $CERT_LOG_FILE >/dev/null || { ++# Exit 15 "Fatal - FIPS of cert.sh needs to pass first" ++# } ++ ++ COPYDIR=${FIPSDIR}/copydir ++ CAVSDIR=${FIPSDIR}/cavs/tests ++ CAVSRUNDIR=${FIPSDIR}/cavs/scripts ++ ++ R_FIPSDIR=../fips ++ P_R_FIPSDIR=../fips ++ R_COPYDIR=../fips/copydir ++ ++ if [ -n "${MULTIACCESS_DBM}" ]; then ++ P_R_FIPSDIR="multiaccess:${D_FIPS}" ++ fi ++ ++ mkdir -p ${FIPSDIR} ++ mkdir -p ${COPYDIR} ++ mkdir -p ${CAVSDIR} ++ mkdir -p ${CAVSRUNDIR} ++ ++ cd ${FIPSDIR} ++} ++ ++############################## fips_140 ############################## ++# local shell function to test basic functionality of NSS while in ++# FIPS 140 compliant mode ++######################################################################## ++fips_140() ++{ ++ echo "$SCRIPTNAME: Verify this module is in FIPS mode -----------------" ++ echo "modutil -dbdir ${P_R_FIPSDIR} -list" ++ ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -list 2>&1 ++ ${BINDIR}/modutil -dbdir ${P_R_FIPSDIR} -chkfips true 2>&1 ++ html_msg $? 0 "Verify this module is in FIPS mode (modutil -chkfips true)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1 ++ html_msg $? 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module keys -------------------------" ++ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "List the FIPS module keys (certutil -K)" "." ++ ++ echo "$SCRIPTNAME: Attempt to list FIPS module keys with incorrect password" ++ echo "certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${FIPSBADPWFILE} 2>&1 ++ RET=$? ++ html_msg $RET 255 "Attempt to list FIPS module keys with incorrect password (certutil -K)" "." ++ echo "certutil -K returned $RET" ++ ++ echo "$SCRIPTNAME: Validate the certificate --------------------------" ++ echo "certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -V -n ${FIPSCERTNICK} -u SR -e -f ${R_FIPSPWFILE} ++ html_msg $? 0 "Validate the certificate (certutil -V -e)" "." ++ ++ echo "$SCRIPTNAME: Export the certificate and key as a PKCS#12 file --" ++ echo "pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" ++ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -o fips140.p12 -n ${FIPSCERTNICK} -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "Export the certificate and key as a PKCS#12 file (pk12util -o)" "." ++ ++ echo "$SCRIPTNAME: Export the certificate as a DER-encoded file ------" ++ echo "certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -L -n ${FIPSCERTNICK} -r -o fips140.crt 2>&1 ++ html_msg $? 0 "Export the certificate as a DER (certutil -L -r)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ++ ret=$? ++ echo "${certs}" ++ if [ ${ret} -eq 0 ]; then ++ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null ++ ret=$? ++ fi ++ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ ++ echo "$SCRIPTNAME: Delete the certificate and key from the FIPS module" ++ echo "certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -F -n ${FIPSCERTNICK} -f ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "Delete the certificate and key from the FIPS module (certutil -F)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ++ ret=$? ++ echo "${certs}" ++ if [ ${ret} -eq 0 ]; then ++ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null ++ if [ $? -eq 0 ]; then ++ ret=255 ++ fi ++ fi ++ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module keys." ++ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 ++ # certutil -K now returns a failure if no keys are found. This verifies that ++ # our delete succeded. ++ html_msg $? 255 "List the FIPS module keys (certutil -K)" "." ++ ++ ++ echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" ++ echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" ++ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ++ ret=$? ++ echo "${certs}" ++ if [ ${ret} -eq 0 ]; then ++ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null ++ ret=$? ++ fi ++ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module keys --------------------------" ++ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "List the FIPS module keys (certutil -K)" "." ++ ++ ++ echo "$SCRIPTNAME: Delete the certificate from the FIPS module" ++ echo "certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -D -n ${FIPSCERTNICK} 2>&1 ++ html_msg $? 0 "Delete the certificate from the FIPS module (certutil -D)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ++ ret=$? ++ echo "${certs}" ++ if [ ${ret} -eq 0 ]; then ++ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null ++ if [ $? -eq 0 ]; then ++ ret=255 ++ fi ++ fi ++ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ ++ echo "$SCRIPTNAME: Import the certificate and key from the PKCS#12 file" ++ echo "pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE}" ++ ${BINDIR}/pk12util -d ${P_R_FIPSDIR} -i fips140.p12 -w ${R_FIPSP12PWFILE} -k ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "Import the certificate and key from the PKCS#12 file (pk12util -i)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module certificates -----------------" ++ echo "certutil -d ${P_R_FIPSDIR} -L" ++ certs=`${BINDIR}/certutil -d ${P_R_FIPSDIR} -L 2>&1` ++ ret=$? ++ echo "${certs}" ++ if [ ${ret} -eq 0 ]; then ++ echo "${certs}" | grep FIPS_PUB_140_Test_Certificate > /dev/null ++ ret=$? ++ fi ++ html_msg $ret 0 "List the FIPS module certificates (certutil -L)" "." ++ ++ echo "$SCRIPTNAME: List the FIPS module keys --------------------------" ++ echo "certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE}" ++ ${BINDIR}/certutil -d ${P_R_FIPSDIR} -K -f ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "List the FIPS module keys (certutil -K)" "." ++ ++ ++ echo "$SCRIPTNAME: Run PK11MODE in FIPSMODE -----------------" ++ echo "pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE}" ++ ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p fips- -f ${R_FIPSPWFILE} 2>&1 ++ html_msg $? 0 "Run PK11MODE in FIPS mode (pk11mode)" "." ++ ++ echo "$SCRIPTNAME: Run PK11MODE in Non FIPSMODE -----------------" ++ echo "pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n" ++ ${BINDIR}/pk11mode -d ${P_R_FIPSDIR} -p nonfips- -f ${R_FIPSPWFILE} -n 2>&1 ++ html_msg $? 0 "Run PK11MODE in Non FIPS mode (pk11mode -n)" "." ++ ++ LIBDIR="${DIST}/${OBJDIR}/lib" ++ MANGLEDIR="${FIPSDIR}/mangle" ++ ++ # There are different versions of cp command on different systems, some of them ++ # copies only symlinks, others doesn't have option to disable links, so there ++ # is needed to copy files one by one. ++ echo "mkdir ${MANGLEDIR}" ++ mkdir ${MANGLEDIR} ++ for lib in `ls ${LIBDIR}`; do ++ echo "cp ${LIBDIR}/${lib} ${MANGLEDIR}" ++ cp ${LIBDIR}/${lib} ${MANGLEDIR} ++ done ++ ++ echo "$SCRIPTNAME: Detect mangled softoken--------------------------" ++ SOFTOKEN=${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ++ ++ echo "mangling ${SOFTOKEN}" ++ echo "mangle -i ${SOFTOKEN} -o -8 -b 5" ++ # If nss was built without softoken use the system installed one. ++ # It's location must be specified by the package maintainer. ++ if [ ! -e ${MANGLEDIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ]; then ++ echo "cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR}" ++ cp ${SOFTOKEN_LIB_DIR}/${DLL_PREFIX}softokn3.${DLL_SUFFIX} ${MANGLEDIR} ++ fi ++ ${BINDIR}/mangle -i ${SOFTOKEN} -o -8 -b 5 2>&1 ++ if [ $? -eq 0 ]; then ++ if [ "${OS_ARCH}" = "WINNT" ]; then ++ DBTEST=`which dbtest` ++ if [ "${OS_ARCH}" = "WINNT" -a "$OS_NAME" = "CYGWIN_NT" ]; then ++ DBTEST=`cygpath -m ${DBTEST}` ++ MANGLEDIR=`cygpath -u ${MANGLEDIR}` ++ fi ++ echo "PATH=${MANGLEDIR} ${DBTEST} -r -d ${P_R_FIPSDIR}" ++ PATH="${MANGLEDIR}" ${DBTEST} -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 ++ RESULT=$? ++ elif [ "${OS_ARCH}" = "HP-UX" ]; then ++ echo "SHLIB_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" ++ LD_LIBRARY_PATH="" SHLIB_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 ++ RESULT=$? ++ elif [ "${OS_ARCH}" = "AIX" ]; then ++ echo "LIBPATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" ++ LIBPATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 ++ RESULT=$? ++ elif [ "${OS_ARCH}" = "Darwin" ]; then ++ echo "DYLD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" ++ DYLD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 ++ RESULT=$? ++ else ++ echo "LD_LIBRARY_PATH=${MANGLEDIR} dbtest -r -d ${P_R_FIPSDIR}" ++ LD_LIBRARY_PATH="${MANGLEDIR}" ${BINDIR}/dbtest -r -d ${P_R_FIPSDIR} > ${TMP}/dbtestoutput.txt 2>&1 ++ RESULT=$? ++ fi ++ ++ html_msg ${RESULT} 46 "Init NSS with a corrupted library (dbtest -r)" "." ++ else ++ html_failed "Mangle ${DLL_PREFIX}softokn3.${DLL_SUFFIX}" ++ fi ++} ++ ++fips_cavs() ++{ ++ if [ "${CAVS_VECTORS}" = "all" ]; then ++ VECTORS= ++ elif [ "${CAVS_VECTORS}" = "" ]; then ++ VECTORS="aesgcm ecdsa hmac kas tls ike rng sha" ++ else ++ VECTORS=${CAVS_VECTORS} ++ fi ++ echo "Copying CAVS vectors" ++ cp -r ${QADIR}/fips/cavs_samples/* ${CAVSDIR} ++# we copy the scripts to the test directory because they are designed to run from their ++# own directory and we want any resulting core dumps to wind up in the test_results directory. ++ echo "Copying CAVS scripts" ++ cp -r ${QADIR}/fips/cavs_scripts/* ${CAVSRUNDIR} ++ echo "cd ${CAVSRUNDIR}" ++ cd ${CAVSRUNDIR} ++ echo "Running CAVS tests in ${CAVSDIR}" ++ ./runtest.sh ${CAVSDIR} run ${VECTORS} ++ echo "Verifying CAVS results in ${CAVSDIR}" ++ ./runtest.sh ${CAVSDIR} verify ${VECTORS} ++ RESULT=$? ++ html_msg $RESULT 0 "NIST CAVS test" "${CAVSDIR}" ++} ++ ++############################## fips_cleanup ############################ ++# local shell function to finish this script (no exit since it might be ++# sourced) ++######################################################################## ++fips_cleanup() ++{ ++ html "
" ++ cd ${QADIR} ++ . common/cleanup.sh ++} ++ ++################## main ################################################# ++ ++fips_init ++#fips_140 ++fips_cavs ++fips_cleanup ++echo "fips.sh done" diff --git a/SOURCES/nss-softokn-prelink.conf b/SOURCES/nss-softokn-prelink.conf new file mode 100644 index 0000000..11d7fb0 --- /dev/null +++ b/SOURCES/nss-softokn-prelink.conf @@ -0,0 +1,6 @@ +-b /lib{,64}/libfreeblpriv3.so +-b /lib{,64}/libsoftokn3.so +-b /lib{,64}/libnssdbm3.so +-b /usr/lib{,64}/libfreeblpriv3.so +-b /usr/lib{,64}/libsoftokn3.so +-b /usr/lib{,64}/libnssdbm3.so diff --git a/SOURCES/nss-softokn-tls-abi-fix.patch b/SOURCES/nss-softokn-tls-abi-fix.patch new file mode 100644 index 0000000..18ac79b --- /dev/null +++ b/SOURCES/nss-softokn-tls-abi-fix.patch @@ -0,0 +1,26 @@ +diff -up ./nss/lib/softoken/pkcs11c.c.tls_abi_fix ./nss/lib/softoken/pkcs11c.c +--- ./nss/lib/softoken/pkcs11c.c.tls_abi_fix 2017-03-23 14:44:59.059880273 -0700 ++++ ./nss/lib/softoken/pkcs11c.c 2017-03-23 14:45:24.738316707 -0700 +@@ -2672,6 +2672,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, + case CKM_TLS_PRF_GENERAL: + crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0); + break; ++ case CKM_TLS_KDF: + case CKM_TLS_MAC: { + CK_TLS_MAC_PARAMS *tls12_mac_params; + HASH_HashType tlsPrfHash; +diff -up ./nss/lib/softoken/pkcs11.c.tls_abi_fix ./nss/lib/softoken/pkcs11.c +--- ./nss/lib/softoken/pkcs11.c.tls_abi_fix 2017-03-23 14:42:21.055194120 -0700 ++++ ./nss/lib/softoken/pkcs11.c 2017-03-23 14:44:44.321629780 -0700 +@@ -373,6 +373,11 @@ static const struct mechanismList mechan + { CKM_SHA512_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE }, + { CKM_TLS_PRF_GENERAL, { 0, 512, CKF_SN_VR }, PR_FALSE }, + { CKM_TLS_MAC, { 0, 512, CKF_SN_VR }, PR_FALSE }, ++ { CKM_TLS_KDF, { 0, 512, CKF_SN_VR }, PR_FALSE }, /* in RHEL 7.3 we had the wrong ++ * number for TLS_MAC. keep the old ++ * number to allow old versions of ++ * nss on * RHEL 7 to work with ++ * this softoken */ + { CKM_NSS_TLS_PRF_GENERAL_SHA256, + { 0, 512, CKF_SN_VR }, + PR_FALSE }, diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in new file mode 100644 index 0000000..022ebbf --- /dev/null +++ b/SOURCES/nss-softokn.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-SOFTOKN +Description: Network Security Services Softoken PKCS #11 Module +Version: %SOFTOKEN_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 +Cflags: -I${includedir} diff --git a/SOURCES/nss-split-softokn.sh b/SOURCES/nss-split-softokn.sh new file mode 100755 index 0000000..e8c5ab9 --- /dev/null +++ b/SOURCES/nss-split-softokn.sh @@ -0,0 +1,115 @@ +#!/bin/sh +# +# Splits NSS into nss-util and nss-softokn +# Takes as command line input the version of nss +# and assumes that a file nss-${nss_version}.tar.gz +# exists in the current directory + +set -e + +if test -z $1 +then + echo "usage: $0 nss-version" + exit +fi + +export name=nss +export version=$1 + +echo "Extracting ${name}-${version}.tar.gz" + +tar -xzf ${name}-${version}.tar.gz + +# the directory will be named ${name}-${version} + +nss_source_dir=${name}-${version} +softokn_dir=${name}-softokn-${version} + +# make_nss_softokn +#------------------------------------------------- +# create the nss-softokn subset consisting of +# nss/dbm full directory +# nss/coreconf full directory +# nss top files only +# nss/lib top files only +# nss/lib/freebl full directory +# nss/lib/softoken full directory +# nss/lib/softoken/dbm full directory +#------------------------------------------------------- + +WORK=${softokn_dir}-work +rm -rf ${WORK} +mkdir ${WORK} + +# copy everything +cp -a ${nss_source_dir} ${WORK}/${softokn_dir} + +# remove subdirectories that we don't want +rm -rf ${WORK}/${softokn_dir}/nss/cmd +rm -rf ${WORK}/${softokn_dir}/nss/tests +rm -rf ${WORK}/${softokn_dir}/nss/lib +rm -rf ${WORK}/${softokn_dir}/nss/pkg +rm -rf ${WORK}/${softokn_dir}/nss/automation +rm -rf ${WORK}/${softokn_dir}/nss/external_tests +rm -rf ${WORK}/${softokn_dir}/nss/doc +# start with an empty lib directory and copy only what we need +mkdir ${WORK}/${softokn_dir}/nss/lib +# copy the top files from nss/lib/ +topFilesL=`find ${nss_source_dir}/nss/lib/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesL; do + cp -p $f ${WORK}/${softokn_dir}/nss/lib +done +mkdir ${WORK}/${softokn_dir}/nss/lib/util +# copy entire dbm, freebl and softoken directories recursively +cp -a ${nss_source_dir}/nss/lib/dbm ${WORK}/${softokn_dir}/nss/lib/dbm +cp -a ${nss_source_dir}/nss/lib/freebl ${WORK}/${softokn_dir}/nss/lib/freebl +cp -a ${nss_source_dir}/nss/lib/softoken ${WORK}/${softokn_dir}/nss/lib/softoken +# and some Makefiles and related files from nss +topFilesN=`find ${nss_source_dir}/nss/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesN; do + cp -p $f ${WORK}/${softokn_dir}/nss/ +done +# copy private headers that nss-softoken needs +for f in verref.h; do + cp -p ${nss_source_dir}/nss/lib/util/$f ${WORK}/${softokn_dir}/nss/lib/util +done + +# we do need bltest, ecperf, fbectest, lib, lowhashtest, and shlibsign +# from nss/cmd +mkdir ${WORK}/${softokn_dir}/nss/cmd +# copy some files at the top and the slhlib subdirectory +topFilesC=`find ${nss_source_dir}/nss/cmd/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesC; do + cp -p $f ${WORK}/${softokn_dir}/nss/cmd/ +done + +cp -a ${nss_source_dir}/nss/cmd/bltest ${WORK}/${softokn_dir}/nss/cmd/bltest +cp -a ${nss_source_dir}/nss/cmd/ecperf ${WORK}/${softokn_dir}/nss/cmd/ecperf +cp -a ${nss_source_dir}/nss/cmd/fbectest ${WORK}/${softokn_dir}/nss/cmd/fbectest +cp -a ${nss_source_dir}/nss/cmd/fipstest ${WORK}/${softokn_dir}/nss/cmd/fipstest +cp -a ${nss_source_dir}/nss/cmd/lib ${WORK}/${softokn_dir}/nss/cmd/lib +cp -a ${nss_source_dir}/nss/cmd/lowhashtest ${WORK}/${softokn_dir}/nss/cmd/lowhashtest +cp -a ${nss_source_dir}/nss/cmd/shlibsign ${WORK}/${softokn_dir}/nss/cmd/shlibsign + +# plus common, crypto, and lowhash from nss/tests +mkdir ${WORK}/${softokn_dir}/nss/tests +topFilesT=`find ${nss_source_dir}/nss/tests/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesT; do + cp -p $f ${WORK}/${softokn_dir}/nss/tests/ +done +keepers="cipher common ec lowhash" +for t in $keepers; do + cp -a ${nss_source_dir}/nss/tests/$t ${WORK}/${softokn_dir}/nss/tests/$t +done + +pushd ${WORK} +# the compressed tar ball for nss-softokn +tar -czf ../${name}-softokn-${version}.tar.gz ${softokn_dir} +popd + +# cleanup after ourselves +rm -fr ${nss_source_dir} +rm -rf ${WORK} + + + diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec new file mode 100644 index 0000000..c753ac1 --- /dev/null +++ b/SPECS/nss-softokn.spec @@ -0,0 +1,1136 @@ +%global nspr_version 4.21.0 +%global nss_name nss +%global nss_util_version 3.44.0 +%global nss_util_build -3 +%global nss_softokn_version 3.44.0 +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global saved_files_dir %{_libdir}/nss/saved +%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ +%define dracutlibdir %{_prefix}/lib/dracut +%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/ +%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d + +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_softokn_archive_version %s", + string.gsub(rpm.expand("%nss_softokn_version"), "(.*)%.0$", "%1"))) +} + +# Produce .chk files for the final stripped binaries +# +# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links +# against the freebl that we just built. This is necessary +# because the signing algorithm changed on 3.14 to DSA2 with SHA256 +# whereas we previously signed with DSA and SHA1. We must Keep this line +# until all mock platforms have been updated. +# After %%{__os_install_post} we would add +#export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%%{_libdir} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \ +%{nil} + +Summary: Network Security Services Softoken Module +Name: nss-softokn +Version: %{nss_softokn_version} +Release: 5%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} +Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= %{nspr_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +BuildRequires: sqlite-devel +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl + +Source0: %{name}-%{nss_softokn_archive_version}.tar.gz +# The nss-softokn tar ball is a subset of nss-{version}.tar.gz. +# We use the nss-split-softokn.sh script to keep only what we need +# via via nss-split-softokn.sh ${version} +# Detailed Steps: +# rhpkg clone nss-softokn +# cd nss-softokn +# Split off nss-softokn out of the full nss source tar ball: +# sh ./nss-split-softokn.sh ${version} +# A file named {name}-{version}.tar.gz should appear +# which is ready for uploading to the lookaside cache. +Source1: nss-split-softokn.sh +Source2: nss-softokn.pc.in +Source3: nss-softokn-config.in +Source4: nss-softokn-prelink.conf +Source5: nss-softokn-dracut-module-setup.sh +Source6: nss-softokn-dracut.conf +Source7: nss-softokn-cavs-1.0.tar.gz + +# Select the tests to run based on the type of build +# This patch uses the gcc-iquote dir option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to place the in-tree directories at the head of the list on list of directories +# to be searched for for header files. This ensures a build even when system freebl +# headers are older. Such is the case when we are starting a major update. +# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers. +# Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it. +Patch10: iquote.patch + +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1236720 +# Although the greater part of the patch has been upstreamed, we still +# need a downstream patch to keep the single DES mechanisms we had +# provided in a downstream patch for compatibility reasons. +Patch97: nss-softokn-3.16-add_encrypt_derive.patch + +Patch102: nss-softokn-tls-abi-fix.patch + +# To revert the upstream change in the default behavior in: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1382736 +Patch104: nss-softokn-fs-probe.patch + +# Not upstreamed: https://bugzilla.redhat.com/show_bug.cgi?id=1555108 +# included in nss-softkn-fips-update +#Patch105: nss-softokn-aes-zeroize.patch + +# Upstream patch didn't make 3.44 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229 +Patch200: nss-softokn-ike-patch.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1546477 +Patch201: nss-softokn-fips-update.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806 +Patch202: nss-softokn-fix-public-key-from-priv.patch + +%description +Network Security Services Softoken Cryptographic Module + +%package freebl +Summary: Freebl library for the Network Security Services +Group: System Environment/Base +# Needed because nss-softokn-freebl dlopen()'s nspr and nss-util +# https://bugzilla.redhat.com/show_bug.cgi?id=1477308 +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} +Conflicts: nss < 3.12.2.99.3-5 +Conflicts: prelink < 0.4.3 +Conflicts: filesystem < 3 + +%description freebl +NSS Softoken Cryptographic Module Freebl Library + +Install the nss-softokn-freebl package if you need the freebl +library. + +%package freebl-devel +Summary: Header and Library files for doing development with the Freebl library for NSS +Group: System Environment/Base +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package devel +Summary: Development libraries for Network Security Services +Group: Development/Libraries +Requires: nss-softokn%{?_isa} = %{version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +Requires: pkgconfig +BuildRequires: nspr-devel >= %{nspr_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +# require nss at least the version when we split via subpackages + +%description devel +Header and library files for doing development with Network Security Services. + + +%prep +%setup -q -n %{name}-%{nss_softokn_archive_version} -a 7 + +# activate if needed when doing a major update with new apis +%patch10 -p0 -b .iquote + +pushd nss +%patch97 -p1 -b .add_encrypt_derive +%patch104 -p1 -b .fs-probe +#%patch105 -p1 -b .aes-zeroize +%patch200 -p1 -b .ike-mech +%patch201 -p1 -b .fips-update +popd +%patch202 -p1 -b .pub-priv-mech + +%patch102 -p1 -b .tls-abi-fix + +%build + +# partial RELRO support as a security enhancement +LDFLAGS+=-Wl,-z,relro +export LDFLAGS + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +FREEBL_LOWHASH=1 +export FREEBL_LOWHASH + +NSS_FORCE_FIPS=1 +export NSS_FORCE_FIPS + +#FREEBL_USE_PRELINK=1 +#export FREEBL_USE_PRELINK + +# Enable compiler optimizations and disable debugging code +BUILD_OPT=1 +export BUILD_OPT + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR + +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} + +NSS_USE_SYSTEM_SQLITE=1 +export NSS_USE_SYSTEM_SQLITE + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +# Use only the basicutil subset for sectools.a +export NSS_BUILD_SOFTOKEN_ONLY=1 + +export NSS_DISABLE_GTESTS=1 + +# display processor information +CPU_INFO=`cat /proc/cpuinfo` +echo "############## CPU INFO ##################" +echo "${CPU_INFO}" +echo "##########################################" + +# Compile softokn plus needed support +%{__make} -C ./nss/coreconf +%{__make} -C ./nss/lib/dbm + +# ldvector.c, pkcs11.c, and lginit.c include nss/lib/util/verref.h, +# which is private export, move it to where it can be found. +%{__mkdir_p} ./dist/private/nss +%{__mv} ./nss/lib/util/verref.h ./dist/private/nss/verref.h + +%{__make} -C ./nss + +# Set up our package file +# The nspr_version and nss_util_version globals used here +# must match the ones nss-softokn has for its Requires. +%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE2} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +export SOFTOKEN_VMAJOR +export SOFTOKEN_VMINOR +export SOFTOKEN_VPATCH + +%{__cat} %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \ + > ./dist/pkgconfig/nss-softokn-config + +chmod 755 ./dist/pkgconfig/nss-softokn-config + + +%check +if [ ${DISABLETEST:-0} -eq 1 ]; then + echo "testing disabled" + exit 0 +fi + +# Begin -- copied from the build section +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +BUILD_OPT=1 +export BUILD_OPT + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# to test for the last tool built correctly +export NSS_BUILD_SOFTOKEN_ONLY=1 + +# End -- copied from the build section + +# enable the following line to force a test failure +# find . -name \*.chk | xargs rm -f + +# Run test suite. + +SPACEISBAD=`find ./nss/tests | grep -c ' '` ||: +if [ $SPACEISBAD -ne 0 ]; then + echo "error: filenames containing space are not supported (xargs)" + exit 1 +fi + +rm -rf ./tests_results +pushd ./nss/tests/ +# all.sh is the test suite script + +# only run cipher tests for nss-softokn +%global nss_cycles "standard" +%global nss_tests "cipher lowhash fips" +%global nss_ssl_tests " " +%global nss_ssl_run " " + +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh + +popd + +# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. +killall $RANDSERV || : + +TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then + echo "okay: test suite detected no failures" +else + %ifarch %{arm} + : + # do nothing on arm where the test suite is failing and has been + # for while, do run the test suite but make it non fatal on arm + %else + if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then + # while a situation in which grep return status is 0 and it doesn't output + # anything shouldn't happen, set the default to something that is + # obviously wrong (-1) + echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" + exit 1 + else + if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then + echo "error: grep has not found log file" + exit 1 + else + echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" + exit 1 + fi + fi +%endif +fi +echo "test suite completed" + +%install + +%{__rm} -rf $RPM_BUILD_ROOT + +# There is no make install target so we'll do it ourselves. + +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 +%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_modules_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_conf_dir} + +%{__install} -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__install} -m 755 %{SOURCE5} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh +%{__install} -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf + + +# Copy the binary libraries we want +for file in libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so +do + %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the binaries we ship as unsupported +for file in bltest fipstest shlibsign +do + %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} +done + +# Copy the include files we want +for file in dist/public/nss/*.h +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy some freebl include files we also want +for file in blapi.h alghmac.h +do + %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the static freebl library +for file in libfreebl.a +do +%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the package configuration files +%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config + + +%clean +%{__rm} -rf $RPM_BUILD_ROOT + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +# shared with nss-tools +%dir %{_libdir}/nss +%dir %{saved_files_dir} +%dir %{unsupported_tools_directory} +%{unsupported_tools_directory}/bltest +%{unsupported_tools_directory}/fipstest +%{unsupported_tools_directory}/shlibsign +#shared + +%files freebl +%defattr(-,root,root) +%{_libdir}/libfreebl3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreeblpriv3.chk +#shared +%dir %{prelink_conf_dir} +%{prelink_conf_dir}/nss-softokn-prelink.conf +%dir %{dracut_modules_dir} +%{dracut_modules_dir}/module-setup.sh +%{dracut_conf_dir}/50-nss-softokn.conf + +%files freebl-devel +%defattr(-,root,root) +%{_libdir}/libfreebl.a +%{_includedir}/nss3/blapi.h +%{_includedir}/nss3/blapit.h +%{_includedir}/nss3/alghmac.h +%{_includedir}/nss3/lowkeyi.h +%{_includedir}/nss3/lowkeyti.h + +%files devel +%defattr(-,root,root) +%{_libdir}/pkgconfig/nss-softokn.pc +%{_bindir}/nss-softokn-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# +# The following headers are those exported public in +# nss/lib/freebl/manifest.mn and +# nss/lib/softoken/manifest.mn +# +# The following list is short because many headers, such as +# the pkcs #11 ones, have been provided by nss-util-devel +# which installed them before us. +# +%{_includedir}/nss3/ecl-exp.h +%{_includedir}/nss3/nsslowhash.h +%{_includedir}/nss3/shsign.h + +%changelog +* Wed Jun 5 2019 Bob Relyea - 3.44.0-5 +- Add pub from priv mechanism + +* Fri May 24 2019 Bob Relyea - 3.44.0-4 +- Add ike mechanisms +- FIPS update + +* Fri May 24 2019 Daiki Ueno - 3.44.0-3 +- Remove stray "exit" in %%prep + +* Thu May 16 2019 Daiki Ueno - 3.44.0-2 +- Fix nss-softokn-fs-probe.patch to detect threshold correctly + +* Wed May 15 2019 Daiki Ueno - 3.44.0-1 +- Rebase to NSS 3.44 + +* Thu Apr 25 2019 Daiki Ueno - 3.43.0-5 +- Restore nss-softokn-fs-probe.patch + +* Wed Mar 27 2019 Daiki Ueno - 3.43.0-4 +- Enable iquote.patch + +* Wed Mar 27 2019 Daiki Ueno - 3.43.0-2 +- Rebuild + +* Mon Mar 19 2018 Daiki Ueno - 3.36.0-5 +- Use correct tarball of NSS 3.36.0 release + +* Thu Mar 15 2018 Bob Relyea - 3.36.0-4 +- Clear AES key information after use + +* Wed Mar 7 2018 Daiki Ueno - 3.36.0-3 +- Revert the default behavior change in filesystem probes + +* Wed Mar 7 2018 Bob Relyea - 3.36.0-2 +- Add KAS tests to fipstest + +* Mon Mar 5 2018 Daiki Ueno - 3.36.0-1 +- Update to NSS 3.36.0 + +* Mon Mar 5 2018 Daiki Ueno - 3.36.0-0.3.beta +- Apply upstream patch likely to be part of the official release + +* Thu Mar 1 2018 Daiki Ueno - 3.36.0-0.2.beta +- Restore nss-softokn-3.16-add_encrypt_derive.patch to add back + support for single DES mechanisms + +* Thu Mar 1 2018 Daiki Ueno - 3.36.0-0.1.beta +- Update to NSS 3.36 BETA +- Remove upstreamed nss-softokn-3.16-add_encrypt_derive.patch +- Remove upstreamed nss-softokn-3.28-fix-fips-login.patch +- Remove upstreamed nss-softokn-fix-ecc-post.patch + +* Tue Jan 16 2018 Daiki Ueno - 3.34.0-2 +- Rebuild to utilize ECC slotFlag added in nss-util + +* Thu Nov 23 2017 Daiki Ueno - 3.34.0-1 +- Update to NSS 3.34.0 + +* Tue Nov 14 2017 Daiki Ueno - 3.34.0-0.3.beta1 +- let nss-softokn-freebl depend on recent version of nss-util, + reported by Bob Peterson + +* Fri Nov 3 2017 Daiki Ueno - 3.34.0-0.2.beta1 +- Fix indentation of nss-softokn-3.16-add_encrypt_derive.patch + +* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1 +- Update to NSS 3.34.BETA1 + +* Mon Oct 9 2017 Daiki Ueno - 3.33.0-1 +- Update to NSS 3.33.0 +- Remove upstreamed patches: nss-softokn-basicutil-dependency.patch, + nss-softokn-pss-modulus-bits.patch, nss-softokn-pkcs12-sha2.patch, + nss-softokn-pkcs12-rsa-pss.patch, + nss-softokn-ec-derive-pubkey-check.patch, and nss-softokn-fix-drbg.patch + +* Wed Aug 2 2017 Daiki Ueno - 3.28.3-8 +- let nss-softokn-freebl depend on recent version of nspr (rhbz#1477308), + patch by Kyle Walker + +* Fri Jul 21 2017 Bob Relyea - 3.28.3-7 +- fix fips post so that they actually run at startup + +* Fri May 26 2017 Daiki Ueno - 3.28.3-6 +- restore nss-softokn-3.16-add_encrypt_derive.patch + +* Wed May 17 2017 Daiki Ueno - 3.28.3-5 +- fix login handling for FIPS slots, patch from rhbz#1390154 +- backport upstream fix for CVE-2017-5462 (DRBG leak) + +* Thu Mar 23 2017 Bob Relyea - 3.28.3-4 +- include new PKCS12 NSS specific mechanisms. +- alias CKM_TLS_KDF to CKM_TLS_MAC to preserve ABI +- add RSA PSS oid to decrypting PKCS #5 key blobs. +- move ec public key check from softokn to freebl so apps like Java can benefit. + +* Tue Mar 7 2017 Daiki Ueno - 3.28.3-3 +- Fix RSA-PSS corner case when the modulus is not of size multiple of 8 + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2 +- Update to NSS 3.28.3 +- Remove upstreamed patches for the previous FIPS validation +- Package lowkeyi.h and lowkeyti.h in freebl-devel +- Pick up a patch in the Fedora package to fix build issue + +* Tue Jun 28 2016 Kai Engert - 3.16.2.3-14.4 +- escape all percent characters in all changelog comments + +* Wed Apr 20 2016 Elio Maldonado - 3.16.2.3-14.3 +- Fix a flaw in %%check for nss not building on arm +- Resolves: Bug 1200856 + +* Fri Apr 15 2016 Kai Engert - 3.16.2.3-14.2 +- Adjust for a renamed variable in newer nss-util, require a compatible nss-util version. + +* Mon Apr 11 2016 Kai Engert - 3.16.2.3-14.1 +- Pick up a bugfix related to fork(), to avoid a regression with NSS 3.21 + +* Fri Aug 07 2015 Elio Maldonado - 3.16.2.3-14 +- Pick up upstream freebl patch for CVE-2015-2730 +- Check for P == Q or P ==-Q before adding P and Q + +* Thu Jul 16 2015 Elio Maldonado - 3.16.2.3-13 +- Add links to filed upstream bugs to better track patches in spec file + +* Wed Jun 24 2015 Elio Maldonado - 3.16.2.3-12 +- Bump nss_util_version to 3.19.1 + +* Fri May 29 2015 Robert Relyea - 3.16.2.3-11 +- Make sure we have enough space for generating keyblocks for ciphers with HMAC_SHA384 (TLS). + +* Wed Apr 29 2015 Elio Maldonado - 3.16.2.3-10 +- Use the TLS 1.2 mechanisms for PKCS #11 added for V2.40 + +* Mon Feb 02 2015 Tomáš Mráz - 3.16.2.3-9 +- add configuration file for dracut to add the nss-softokn module by default + +* Thu Jan 29 2015 Elio Maldonado - 3.16.2.3-8 +- fix permissions on dracut install file. +- Resolves: Bug 1169957 - curl unable to download url when url is https and environment is dracut + +* Tue Jan 20 2015 Robert Relyea - 3.16.2.3-7 +- Use RHEL-7 dracut semantics rather than RHEL-6 +- fix dependencies so nss-softokn pulls in nss-softokn-freebl +- keep dummy libfreebl3.chk for dracut kernel. + +* Tue Jan 13 2015 Elio Maldonado - 3.16.2.3-6 +- Update fix for flaws reported by coverity scan +- Resolves: Bug 1154764 - Defects found in nss-softokn + +* Fri Jan 09 2015 Elio Maldonado - 3.16.2.3-5 +- Skip the fips checks if the action is newslot or delslot. +- Resolves: Bug 1156406 - NSS fails to access sql:/etc/pki/nssdb in system FIPS mode + +* Wed Dec 10 2014 Robert Relyea - 3.16.2.3-4 +- add libfreeblpriv3.so to dracut. + +* Tue Nov 18 2014 Robert Relyea - 3.16.2.3-3 +- Resolves: Bug 1153602 - libfreebl3.so runs prelink during the initialization phase +- Decouple libfreebl3.so from the actual library. +- Blacklist the freebl libraries +- Turn off calling prelink to unprelink the binary + +* Tue Nov 18 2014 Elio Maldonado - 3.16.2.3-2 +- Remove temporary workaround for brew build problems now resolved +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + +* Thu Nov 13 2014 Elio Maldonado - 3.16.2-13 +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + +* Wed Nov 05 2014 Robert Relyea 3.16.2-12 +- Add support for encrypt_derive. +- Allow us to init database at level1 while already in FIPS mode. +- Allow UserDBOpen'ed FIPS tokens to do all the mechanisms as well as + the main fips token. +- Silence SIGCHLD when prelink is used. + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-11 +- Fix the location of an upstream URL reference + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-10 +- Resolves: Bug 1154232 - nss tools core dump on ppc64 + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-9 +- Resolves: Bug 1154764 - Defects found in nss-softokn-3.16.2-7.el7 + +* Thu Oct 16 2014 Robert Relyea 3.16.2-8 +- Conform RSA keygen to FIPS 186-4 tests + +* Fri Oct 10 2014 Elio Maldonado - 3.16.2-7 +- Change RSA_PrivateKeyCheck to not require p > q +- Resolves: Bug 1150645 - Importing an RSA private key fails if p < q + +* Sat Sep 27 2014 Elio Maldonado - 3.16.2-6 +- Add lowhash to the softoken tests to run as done on rhel-6.6 +- Adapt suboptimal shell code in nss.spec fix from bug 108750 +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Sat Sep 27 2014 Elio Maldonado - 3.16.2-5- +- Fix incorrect path in the %%check section +- Add way to skip test suite execution during development work +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Thu Sep 25 2014 Elio Maldonado - 3.16.2-4 +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Mon Sep 22 2014 Robert Relyea 3.16.2-3 +- Update for FIPS validation + +* Tue Aug 05 2014 Elio Maldonado 3.16.2-2 +- Generic 32/64 bit platform detection (fix ppc64le build) +- Resolves: Bug 1125620 - nss-softokn fails to build on arch: ppc64le (build failure) +- Fix contributed by Peter Robinson + +* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1 +- Update to nss-3.16.2 +- Resolves: Bug 1103925 - Rebase RHEL 7.1 to at least NSS-SOFTOKN 3.16.1 (FF 31) + +* Fri Jan 24 2014 Daniel Mach - 3.15.4-2 +- Mass rebuild 2014-01-24 + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-4 +- Rebase to nss-3.15.4 +- Resolves: Bug 1054457 - CVE-2013-1740 +- Update softokn splitting script to oparate on the upstream pristine source +- Using the .gz archives directly, not repackaging as .bz2 ones +- Avoid unneeded manual steps that could introduce errors +- Update the iquote and build softoken only patches on account of the rebase + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-3 +- Fix to allow level 1 fips mode if the db has no password +- Resolves: Bug 852023 - FIPS mode detection does not work + +* Fri Dec 27 2013 Daniel Mach - 3.15.3-2 +- Mass rebuild 2013-12-27 + +* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1 +- Rebase to NSS_3_15_3_RTM +- Related: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 + +* Tue Oct 29 2013 Elio Maldonado - 3.15.2-2 +- Resolves: rhbz#1020395 - Allow Level 1 FIPS mode if the nss db has no password + +* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1 +- Rebase to nss-softoken from nss-3.15.2 +- Resolves: rhbz#1012679 - pick up NSS-SOFTOKN 3.15.2 (required for bug 1012656) + +* Thu Oct 10 2013 Elio Maldonado - 3.15.1-3 +- Add export NSS_ENABLE_ECC=1 rto the %%build and %%check sections +- Resolves: rhbz#752980 - [7.0 FEAT] Support ECDSA algorithm in the nss packag + +* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2 +- Remove an obsolete script and adjust the sources numbering accordingly + +* Fri Jul 26 2013 Elio Maldonado - 3.15.1-1 +- Update to NSS_3_15_1_RTM + +* Tue Jul 02 2013 Elio Maldonado - 3.15-4 +- Split off nss-softokn from the unstripped nss source tar ball + +* Mon Jun 17 2013 Elio Maldonado - 3.15-3 +- Update to NSS_3_15_RTM +- Require nspr-4.10 or greater +- Fix patch that selects tests to run + +* Tue Apr 23 2013 Elio Maldonado - 3.15-0.1.beta.3 +- Reverse the last changes since pk11gcmtest properly belongs to nss + +* Tue Apr 23 2013 Elio Maldonado - 3.15-0.1.beta.2 +- Add lowhashtest and pk11gcmtest as unsupported tools +- Modify nss-softoken-split script to include them in the split + +* Fri Apr 05 2013 Elio Maldonado - 3.15-0.1.beta.1 +- Update to NSS_3_15_BETA1 +- Update spec file, patches, and helper scrips on account of a shallwer source tree + +* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 +- Update to NSS_3_14_3_RTM +- Resolves: rhbz#909781 - specfile support for AArch64 + +* Mon Feb 04 2013 Elio Maldonado - 3.14.2-3 +- Allow building nss-softokn against older system sqlite + +* Sat Feb 02 2013 Elio Maldonado - 3.14.2-2 +- Update to NSS_3_14_2_RTM +- Restore comments on how to transition when signing algorithm changes +- Remove unused patches + +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + +* Thu Dec 27 2012 Elio Maldonado - 3.14.1-5 +- Add RSA performance test for freebl +- Fix bogus date in changelog warnings + +* Mon Dec 24 2012 Elio Maldonado - 3.14.1-4 +- Fix bogus date warnings in %%changelog + +* Sat Dec 22 2012 Elio Maldonado - 3.14.1-3 +- Cleanup patches for building softoken only libraries and tests + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-2 +- Require nspr version >= 4.9.4 + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + +* Mon Dec 03 2012 Elio Maldonado - 3.14-6 +- Bug 883114 - Install bltest and fipstest as unsupported tools + +* Mon Nov 19 2012 Elio Maldonado - 3.14-5 +- Truly apply the bug 829088 patch this time +- Resolves: rhbz#829088 - Fix failure in sha244 self-test + +* Mon Nov 19 2012 Elio Maldonado - 3.14-4 +- Apply the bug 829088 patch in question +- Adjust the patch to account for code changes in nss-3.14 +- Resolves: rhbz#829088 - Fix failure in sha244 self-test + +* Sun Nov 18 2012 Elio Maldonado - 3.14-3 +- Resolves: rhbz#829088 - Fix failure in sha244 self-test +- Fixes login failures on fips mode + +* Sat Oct 27 2012 Elio Maldonado - 3.14-2 + - Update the license to MPLv2.0 + +* Mon Oct 22 2012 Elio Maldonado - 3.14-1 +- Update to NSS_3_14_RTM + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc1.2 +- Update to NSS_3_14_RC +- Remove the temporary bootstrapping modifications + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1 +- Update to NSS_3_14_RC1 +- Remove patches rendered obsolete by this update and update others +- Temporarily modifiy the spec file while bootstrapping the buildroot a follows: +- Remove unwanted headers that we lo loger ship +- Modified the post install scriplet to ensure the in-tree freebl library is loaded + +* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 20 2012 Elio Maldonado - 3.13.5-2 +- Resolves: rhbz#833529 - revert unwanted change to nss-softokn.pc.in + +* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1 +- Update to NSS_3_13_5_RTM +- Remove unneeded fix for gcc 4.7 c++ issue in secmodt.h which undoes the upstream fix +- Fix Libs: line on nss-softokn.pc.in + +* Wed Jun 13 2012 Elio Maldonado - 3.13.4-3 +- Resolves: rhbz#745224 - nss-softokn sha224 self-test fails in fips mode + +* Tue Apr 10 2012 Elio Maldonado - 3.13.4-2 +- Resolves: Bug 801975 Restore use of NSS_NoDB_Init or alternate to fipstest + +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4 + +* Sun Apr 01 2012 Elio Maldonado - 3.13.4-0.1.beta.1 +- Update to NSS_3_13_4_BETA1 +- Improve steps for splitting off softokn from the full nss + +* Wed Mar 21 2012 Elio Maldonado - 3.13.3-2 +- Resolves: Bug 805719 - Library needs partial RELRO support added + +* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1 +- Update to NSS_3_13_3_RTM + +* Wed Feb 1 2012 Tom Callaway 3.13.1-20 +- re-enable /usrmove changes + +* Wed Feb 1 2012 Tom Callaway 3.13.1-19.1 +- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals +- temporarily revert /usrmove changes. they will be restored in -20 for the f17-usrmove tag. + +* Wed Jan 25 2012 Harald Hoyer 3.13.1-19 +- add filesystem guard + +* Wed Jan 25 2012 Harald Hoyer 3.13.1-18 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Fri Jan 13 2012 Elio Maldonado Batiz - 3.13.1-17 +- Remove unneeded prelink patch afterthe nss update to 3.13.1 + +* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 30 2011 Elio Maldonado - 3.13.1-15 +- Bug 770999 - Fix segmentation violation when turning on fips mode +- Reintroduce the iquote patch but don't apply it unless needed + +* Tue Dec 13 2011 Elio Maldonado - 3.12.9-14 +- Restore the update to 3.13.1 +- Update the patch for freebl to deal with prelinked shared libraries +- Add additional dbrg power-up self-tests as required by fips +- Reactivate the tests + +* Tue Dec 06 2011 Elio Maldonado - 3.12.9-13 +- Bug 757005 Build nss-softokn for rhel 7 +- Make it almost like nss-softokn-3.12.9 in rhel 6.2 +- Added a patch to build with Linux 3 and higher +- Meant to work with nss and nss-utul 3.1.3.1 +- Download only the 3.12.9 sources from the lookaside cache + +* Fri Dec 02 2011 Elio Maldonado - 3.12.9-12 +- Retagging + +* Wed Nov 23 2011 Elio Maldonado - 3.12.9-11 +- Downgrading to 3.12.9 for a merge into new RHEL git repo +- This build is for the buildroot for a limited time only +- Do not not push it to update-testing + +* Tue Nov 08 2011 Elio Maldonado - 3.13.1-1 +- Update to NSS_3_13_1_RTM + +* Wed Oct 12 2011 Elio Maldonado - 3.12.10-6 +- Fix failure to switch nss-softokn to FIPS mode (#745571) + +* Tue Oct 11 2011 Elio Maldonado - 3.13-0.1.rc0.3 +- Update to NSS_3_13_RC0 post bootstrapping +- Don't incude util in sources for the lookaside cache +- Reenable building the fipstest tool +- Restore full cli argument parsing in the sectool library + +* Sun Oct 09 2011 Elio Maldonado - 3.13-0.1.rc0.2 +- Update to NSS_3_13_RC0 bootstrapping the system phase 2 +- Reenable the cipher test suite + +* Sat Oct 08 2011 Elio Maldonado - 3.13-0.rc0.1 +- Update to NSS_3_13_RC0 + +* Thu Sep 8 2011 Ville Skyttä - 3.12.11-3 +- Avoid %%post/un shell invocations and dependencies. + +* Wed Aug 17 2011 Elio Maldonado - 3.12.10-5 +- rebuilt as recommended to deal with an rpm 4.9.1 issue + +* Wed Jul 20 2011 Elio Maldonado - 3.12.10-4 +- Adjustements from code review (#715402) + +* Sun Jun 26 2011 Elio Maldonado - 3.12.10-3 +- Add %%{check} section to run crypto tests as part of the build (#715402) + +* Tue Jun 14 2011 Elio Maldonado - 3.12.10-2 +- Fix intel optimized aes code to deal with case where input and ouput are in the same buffer (#709517) + +* Fri May 06 2011 Elio Maldonado - 3.12.10-1 +- Update to NSS_3_12_10_RTM + +* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1 +- Update to NSS_3_12_10_BETA1 + +* Fri Feb 25 2011 Elio Maldonado - 3.12.9-7 +- Add requires nss-softokn-freebl-devel to nss-softokn-devel (#675196) + +* Mon Feb 14 2011 Elio Maldonado - 3.12.9-5 +- Expand the nss-softokn-freebl-devel package description (#675196) + +* Mon Feb 14 2011 Elio Maldonado - 3.12.9-5 +- Remove duplicates from the file lists + +* Sun Feb 13 2011 Elio Maldonado - 3.12.9-4 +- Add blapit.h to headers provided by nss-softokn-freebl-devel (#675196) +- Expand the freebl-devel package description + +* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Feb 04 2011 Elio Maldonado - 3.12.9-2 +- Add header for nss-softokn-freebl-devel (#675196) + +* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 +- Update to 3.12.9 + +* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2 +- Rebuilt according to fedora pre-release package naming guidelines + +* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1 +- Update to NSS_3_12_9_BETA2 + +* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1 +- Update to NSS_3_12_9_BETA1 + +* Wed Sep 29 2010 jkeating - 3.12.8-2 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 +- Update to 3.12.8 +- Adhere to static library packaging guidelines (#609613) +- Fix nss-util-devel version dependency line +- Shorten freebl and freebl subpackages descriptions + +* Sat Sep 18 2010 Elio Maldonado - 3.12.99.4-1 +- NSS 3.12.8 RC0 + +* Sun Sep 12 2010 Elio Maldonado - 3.12.7.99.3-2 +- Update the required version of nss-util to 3.12.7.99.3 + +* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1 +- NSS 3.12.8 Beta 3 + +* Mon Aug 30 2010 Elio Maldonado - 3.12.7-3 +- Update BuildRequires on nspr-devel and nss-util-devel + +* Sun Aug 29 2010 Elio Maldonado - 3.12.7-2 +- Define NSS_USE_SYSTEM_SQLITE and remove nss-nolocalsql patch +- Fix rpmlint warnings about macros in comments and changelog + +* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1 +- Update to 3.12.7 +- Fix build files to ensure nsslowhash.h is included in public headers + +* Tue Jun 08 2010 Elio Maldonado - 3.12.6-3 +- Retagging + +* Mon Jun 07 2010 Elio Maldonado - 3.12.6-2 +- Bump NVR to be greater than those for nss-softokn subpackages in F11 (rhbz#601407) + +* Sun Jun 06 2010 Elio Maldonado - 3.12.4-23 +- Bump release number + +* Fri Jun 04 2010 Elio Maldonado - 3.12.4-22 +- Cleanup changelog comments to avoid unwanted macro expansions + +* Wed Jun 02 2010 Elio Maldonado - 3.12.4-21 +- Retagging + +* Wed Jun 02 2010 Elio Maldonado - 3.12.4-20 +- Add %%{?_isa} to the requires in the devel packages (#596840) +- Fix typo in the package description (#598295) +- Update nspr version to 4.8.4 + +* Sat May 08 2010 Elio Maldonado - 3.12.4-19 +- Consider the system as not fips enabled when /proc/sys/crypto/fips_enabled isn't present (rhbz#590199) + +* Sat May 08 2010 Elio Maldonado - 3.12.4-18 +- Fix Conflicts line to prevent update when prelink is not yet the right version (rhbz#590199) + +* Mon Apr 19 2010 Elio Maldonado - 3.12.4-17 +- Updated prelink patch rhbz#504949 + +* Thu Apr 15 2010 Elio Maldonado - 3.12.4-16 +- allow prelink of softoken and freebl. Change the verify code to use + prelink -u if prelink is installed. Fix by Robert Relyea rhbz#504949 + +* Mon Jan 18 2010 Elio Maldonado - 3.12.4-15 +- Move libfreebl3.so and its .chk file to /lib{64} (rhbz#561544) + +* Mon Jan 18 2010 Elio Maldonado - 3.12.4-13 +- Fix in nss-softokn-spec.in +- Require nss-util >= 3.12.4 + +* Thu Dec 03 2009 Elio Maldonado - 3.12.4-12 +- Require nss-util 3.12.5 + +* Fri Nov 20 2009 Elio Maldonado - 3.12.4-11 +- export freebl devel tools (#538226) + +* Wed Sep 23 2009 Elio Maldonado - 3.12.4-10 +- Fix paths in nss-softokn-prelink so signed libraries don't get touched, rhbz#524794 + +* Thu Sep 17 2009 Elio Maldonado - 3.12.4-9 +- Add nssdbm3.so to nss-softokn-prelink.conf, rhbz#524077 + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-8 +- Retagging for a chained build + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-6 +- Don't list libraries in nss-softokn-config, dynamic linking required + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-5 +- Installing shared libraries to %%{_libdir} + +* Sun Sep 06 2009 Elio Maldonado - 3.12.4-4 +- Postuninstall scriptlet finishes quietly + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-3 +- Remove symblic links to shared libraries from devel, rhbz#521155 +- Apply the nss-nolocalsql patch +- No rpath-link in nss-softokn-config + +* Fri Sep 04 2009 serstring=Elio Maldonado - 3.12.4-2 +- Retagging to pick up the correct .cvsignore + +* Tue Sep 01 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 +- Fix logic on postun +- Don't require sqlite + +* Mon Aug 31 2009 Elio Maldonado - 3.12.3.99.3-24 +- Fixed test on %%postun to avoid returning 1 when nss-softokn instances still remain + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-23 +- Explicitly state via nss_util_version the nss-util version we require + +* Fri Aug 28 2009 Warren Togami - 3.12.3.99.3-22 +- caolan's nss-softokn.pc patch + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +- List freebl, nssdbm and softokn libraries in nss-softokn-config and nss-softokn.pc + +* Thu Aug 27 2009 Elio Maldonado@ - 3.12.3.99.3-19 +- Determine NSSUTIL_INCLUDE_DIR and NSSUTIL_LIB_DIR with a pkg-config query on nss-util +- Remove the release 17 hack + +* Thu Aug 27 2009 Elio maldonado - 3.12.3.99.3-18 +- fix spurious executable permissions on nss-softokn.pc + +* Thu Aug 27 2009 Adel Gadllah - 3.12.3.99.3-17 +- Add hack to fix build + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-16 +- only have a single Requires: line in the .pc file + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-12 +- bump to unique rpm nvr + +* Tue Aug 25 2009 Elio Maldonado - 3.12.3.99.3-10 +- Build after nss with subpackages and new nss-util + +* Thu Aug 20 2009 Dennis Gilmore 3.12.3.99.3-9 +- revert to shipping bits + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8.1 +- Disable installing until conflicts are relsoved + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8 +- Initial build