diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c
--- ./lib/softoken/pkcs11c.c.orig	2020-10-15 16:06:47.380122702 -0700
+++ ./lib/softoken/pkcs11c.c	2020-10-15 16:07:56.891482521 -0700
@@ -5101,7 +5101,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
                 /* subprime not supplied, In this case look it up. 
                  * This only works with approved primes, but in FIPS mode
                  * that's the only kine of prime that will get here */
-                subPrimePtr = sftk_VerifyDH_Prime(&prime);
+                subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS);
                 if (subPrimePtr == NULL) {
                     crv = CKR_GENERAL_ERROR;
                     goto done;
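Review bot: The NULL check after the changed call in sftk_PairwiseConsistencyCheck now covers a second case that the comment above it does not mention. With isFIPS set, a recognised 1536-bit prime is also reported as NULL (see the sftkdhverify.c hunk) and ends in the same CKR_GENERAL_ERROR as an unknown prime. I would extend the comment, e.g. `/* NULL also covers known primes that are not allowed in FIPS mode (1536 bit) */`, so a failed pairwise check on such a key is not misread as a corrupted prime. The declaration of isFIPS and the rest of the function are outside this hunk, so confirm that the flag reflects the slot's FIPS state at this point. As a style point, the new calls here and in NSC_DeriveKey omit the space after the comma that the prototype uses; write `sftk_VerifyDH_Prime(&prime, isFIPS)` and `sftk_VerifyDH_Prime(&dhPrime, isFIPS)`.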
@@ -8293,7 +8293,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
 
             /* if the prime is an approved prime, we can skip all the other
              * checks. */
-            subPrime = sftk_VerifyDH_Prime(&dhPrime);
+            subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS);
             if (subPrime == NULL) {
                 SECItem dhSubPrime;
                 /* In FIPS mode we only accept approved primes */
diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h
--- ./lib/softoken/pkcs11i.h.orig	2020-10-15 16:06:47.380122702 -0700
+++ ./lib/softoken/pkcs11i.h	2020-10-15 16:07:56.892482526 -0700
@@ -926,7 +926,7 @@ char **NSC_ModuleDBFunc(unsigned long fu
 /* dh verify functions */
 /* verify that dhPrime matches one of our known primes, and if so return
  * it's subprime value */
-const SECItem  *sftk_VerifyDH_Prime(SECItem *dhPrime);
+const SECItem  *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS);
 /* check if dhSubPrime claims dhPrime is a safe prime. */
 SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe);
 
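Review bot: The comment above the changed prototype still describes the one-argument contract and does not say what isFIPS does. Callers reading pkcs11i.h cannot tell that a known prime may now be refused. I would reword it along the lines of `/* verify that dhPrime matches one of our known primes, and if so return its subprime value. When isFIPS is true, known primes not allowed in FIPS mode (1536 bit) are treated as unknown and NULL is returned. */`.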
diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c
--- ./lib/softoken/sftkdhverify.c.orig	2020-10-15 16:06:47.370122650 -0700
+++ ./lib/softoken/sftkdhverify.c	2020-10-15 16:07:56.893482531 -0700
@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192=
  * verify that dhPrime matches one of our known primes
  */
 const SECItem *
-sftk_VerifyDH_Prime(SECItem *dhPrime)
+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS)
 {
     /* use the length to decide which primes to check */
     switch (dhPrime->len) {
         case 1536 / PR_BITS_PER_BYTE:
+            /* don't accept 1536 bit primes in FIPS mode */
+            if (isFIPS) {
+                break;
+            }
             if (PORT_Memcmp(dhPrime->data, prime_ike_1536,
                             sizeof(prime_ike_1536)) == 0) {
                 return &subprime_ike_1536;
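Review bot: The FIPS rejection added in `case 1536 / PR_BITS_PER_BYTE:` uses `break`, so it only yields NULL if the code after the switch returns NULL. That code is outside this hunk, and presumably it is the existing no-match path. Writing `if (isFIPS) { return NULL; }` would keep the rejection visible at the point of the check and unaffected by anything later added after the switch. The function's header comment ("verify that dhPrime matches one of our known primes") should also mention the new parameter and that NULL can now mean "known but not permitted in FIPS mode".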