packages/nss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:a48f8cfcd1ba0c5532f7943c86d42853d128f09e
Branches Tags
packages:main
...
compare: packages:fc71c528b45739ccc040de0a506ecf9b041c8bb5
Branches Tags
packages:main

10 Commits
a48f8cfcd1 ... fc71c528b4

Author SHA1 Message Date
openeuler-ci-bot
fc71c528b4
!119 [sync] PR-118: Add PK11_Pub{Wrap, Unwrap}SymkeyWithMechanism r=mt,rrelyea Summary 
From: @openeuler-sync-bot 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite
 2024-02-21 02:26:01 +00:00
jinlun
4312ab5632 Add PK11_Pub{Wrap, Unwrap}SymkeyWithMechanism r=mt,rrelyea Summary 
(cherry picked from commit c791712ab68aaa41e64ee361a4a47862bd668fe4)
 2024-02-21 09:54:42 +08:00
openeuler-ci-bot
01a160252f
!80 remove nss-help from Requires of nss and nss-util 
From: @renxichen 
Reviewed-by: @zcfsite 
Signed-off-by: @zcfsite
 2022-08-04 10:45:04 +00:00
rwx403335
38895c35e3 remove nss-help from Requires of nss and nss-util 2022-08-04 14:31:38 +08:00
openeuler-ci-bot
4a446d43b9
!63 [sync] PR-59: fix CVE-2021-43527 
Merge pull request !63 from openeuler-sync-bot/sync-pr59-openEuler-20.03-LTS-SP1-to-openEuler-20.03-LTS-SP3
 2022-01-11 03:30:22 +00:00
shangyibin
21517a0802 fix CVE-2021-43527 
(cherry picked from commit f349ae7b950d4e59b013b2607472ba2254137d29)
 2022-01-04 15:21:13 +08:00
openeuler-ci-bot
df7d7a17d9 !48 fix version problem in changelog 
From: @tong_1001
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
 2021-06-11 06:28:20 +00:00
桐小哥
757d5f49c8 fix version problem in changelog 2021-05-29 13:36:26 +08:00
openeuler-ci-bot
d61ec30bfb !46 【openEuler-20.03-LTS-Next】Fix CVE-2020-12403 
From: @yixiangzhike
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
 2021-03-18 12:21:00 +08:00
yixiangzhike
d073f963ee Fix CVE-2020-12403 2021-03-17 18:28:53 +08:00
5 changed files with 748 additions and 4 deletions
Show Stats Expand all files Collapse all files

96
backport-0001-CVE-2020-12403.patch Normal file
View File

@ -0,0 +1,96 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031194 0
# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
# Parent 89733253df83ef7fe8dd0d49f6370b857e93d325
Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
Depends on D74801
Differential Revision: https://phabricator.services.mozilla.com/D83994
diff --git a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
--- a/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
+++ b/nss/gtests/pk11_gtest/pk11_cipherop_unittest.cc
@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
PK11_FreeSymKey(key);
PK11_FreeSlot(slot);
PK11_DestroyContext(ctx, PR_TRUE);
NSS_ShutdownContext(globalctx);
}
+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
+ PK11SlotInfo* slot;
+ PK11SymKey* key;
+ PK11Context* ctx;
+
+ NSSInitContext* globalctx =
+ NSS_InitContext("", "", "", "", NULL,
+ NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
+ NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
+
+ const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
+
+ slot = PK11_GetInternalSlot();
+ ASSERT_TRUE(slot);
+
+ // Use arbitrary bytes for the ChaCha20 key and IV
+ uint8_t key_bytes[32];
+ for (size_t i = 0; i < 32; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem keyItem = {siBuffer, key_bytes, 32};
+
+ uint8_t iv_bytes[16];
+ for (size_t i = 0; i < 16; i++) {
+ key_bytes[i] = i;
+ }
+ SECItem ivItem = {siBuffer, iv_bytes, 16};
+
+ SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
+
+ key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
+ &keyItem, NULL);
+ ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
+ ASSERT_TRUE(key);
+ ASSERT_TRUE(ctx);
+
+ uint8_t outbuf[128];
+ // This is supposed to fail for Chacha20. This is because the underlying
+ // PK11_CipherOp operation is calling the C_EncryptUpdate function for
+ // which multi-part is disabled for ChaCha20 in counter mode.
+ ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
+
+ PK11_FreeSymKey(key);
+ PK11_FreeSlot(slot);
+ SECITEM_FreeItem(param, PR_TRUE);
+ PK11_DestroyContext(ctx, PR_TRUE);
+ NSS_ShutdownContext(globalctx);
+}
+
} // namespace nss_test
diff --git a/nss/lib/softoken/pkcs11c.c b/nss/lib/softoken/pkcs11c.c
--- a/nss/lib/softoken/pkcs11c.c
+++ b/nss/lib/softoken/pkcs11c.c
@@ -1251,16 +1251,17 @@ sftk_CryptInit(CK_SESSION_HANDLE hSessio
case CKM_NSS_CHACHA20_CTR: /* old NSS private version */
case CKM_CHACHA20: /* PKCS #11 v3 version */
{
unsigned char *counter;
unsigned char *nonce;
unsigned long counter_len;
unsigned long nonce_len;
+ context->multi = PR_FALSE;
if (pMechanism->mechanism == CKM_NSS_CHACHA20_CTR) {
if (key_type != CKK_NSS_CHACHA20) {
crv = CKR_KEY_TYPE_INCONSISTENT;
break;
}
if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != 16) {
crv = CKR_MECHANISM_PARAM_INVALID;
break;

74
backport-0002-CVE-2020-12403.patch Normal file
View File

@ -0,0 +1,74 @@
# HG changeset patch
# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
# Date 1595031218 0
# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
# Parent f282556e6cc7715f5754aeaadda6f902590e7e38
Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D74801
diff --git a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
--- a/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
+++ b/nss/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
@@ -40,28 +40,35 @@ class Pkcs11ChaCha20Poly1305Test
aead_params.ulNonceLen = iv_len;
aead_params.pAAD = toUcharPtr(aad);
aead_params.ulAADLen = aad_len;
aead_params.ulTagLen = 16;
SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
sizeof(aead_params)};
- // Encrypt with bad parameters.
+ // Encrypt with bad parameters (TagLen is too long).
unsigned int encrypted_len = 0;
std::vector<uint8_t> encrypted(data_len + aead_params.ulTagLen);
aead_params.ulTagLen = 158072;
SECStatus rv =
PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
EXPECT_EQ(SECFailure, rv);
EXPECT_EQ(0U, encrypted_len);
- aead_params.ulTagLen = 16;
+
+ // Encrypt with bad parameters (TagLen is too short).
+ aead_params.ulTagLen = 2;
+ rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
+ &encrypted_len, encrypted.size(), data, data_len);
+ EXPECT_EQ(SECFailure, rv);
+ EXPECT_EQ(0U, encrypted_len);
// Encrypt.
+ aead_params.ulTagLen = 16;
rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
&encrypted_len, encrypted.size(), data, data_len);
// Return if encryption failure was expected due to invalid IV.
// Without valid ciphertext, all further tests can be skipped.
if (invalid_iv) {
EXPECT_EQ(rv, SECFailure);
EXPECT_EQ(0U, encrypted_len)
diff --git a/nss/lib/freebl/chacha20poly1305.c b/nss/lib/freebl/chacha20poly1305.c
--- a/nss/lib/freebl/chacha20poly1305.c
+++ b/nss/lib/freebl/chacha20poly1305.c
@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
{
#ifdef NSS_DISABLE_CHACHAPOLY
return SECFailure;
#else
if (keyLen != 32) {
PORT_SetError(SEC_ERROR_BAD_KEY);
return SECFailure;
}
- if (tagLen == 0 || tagLen > 16) {
+ if (tagLen != 16) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
return SECFailure;
}
PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
ctx->tagLen = tagLen;
return SECSuccess;

256
backport-Bug-1666891-Add-PK11_Pub-Wrap-Unwrap.patch Normal file
View File

@ -0,0 +1,256 @@
From d055ada2383eaf28d7b28dd7b0b639e2515279e1 Mon Sep 17 00:00:00 2001
From: jinlun <jinlun@huawei.com>
Date: Tue, 20 Feb 2024 14:41:43 +0800
Subject: [PATCH] Bug 1666891 - Add PK11_Pub{Wrap,Unwrap}SymKeyWithMechanism
r=mt,rrelyea Summary
This is useful for RSA-OAEP support.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for OAEP.
However, PK11_PubWrapSymKey lacks a way of providing this context and
historically silently converted CKM_RSA_PKCS_OAEP to CKM_RSA_PKCS when
a RSA key is provided. Introducing a new call will let us indicate
parameters and potentially support other mechanisms in the future.
This call mirrors the earlier calls introduced for RSA-PSS:
PK11_SignWithMechanism and PK11_VerifyWithMechanism.
The CKM_RSA_PKCS_OAEP mechanism requires a CK_RSA_PKCS_OAEP_PARAMS
be present for PKCS#11 calls. This provides required context for OAEP.
However, PK11_PubUnwrapSymKey lacks a way of providing this context,
and additionally lacked a way of indicating which mechanism type to use
for the unwrap operation (instead detecting it by key type). Introducing
a new call will let us indicate parameters and potentially support other
mechanisms in the future.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Differential Revision: https://phabricator.services.mozilla.com/D93424
---
gtests/pk11_gtest/pk11_rsaoaep_unittest.cc | 67 ++++++++++++++++++++++
lib/nss/nss.def | 7 +++
lib/pk11wrap/pk11pub.h | 12 ++++
lib/pk11wrap/pk11skey.c | 51 ++++++++++++----
4 files changed, 126 insertions(+), 11 deletions(-)
diff --git a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
index 3a986b4..d14eb9c 100644
--- a/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
+++ b/gtests/pk11_gtest/pk11_rsaoaep_unittest.cc
@@ -116,4 +116,71 @@ INSTANTIATE_TEST_CASE_P(
INSTANTIATE_TEST_CASE_P(
WycheproofOaep2048Sha512Sha512Test, RsaOaepWycheproofTest,
::testing::ValuesIn(kRsaOaep2048Sha512Mgf1Sha512WycheproofVectors));
+
+TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwrap) {
+ const size_t kRsaKeyBits = 2048;
+ const size_t kwrappedBufLen = 4096;
+
+ SECStatus rv = SECFailure;
+
+ ScopedSECKEYPrivateKey priv;
+ ScopedSECKEYPublicKey pub;
+ PK11RSAGenParams rsa_params;
+ rsa_params.keySizeInBits = kRsaKeyBits;
+ rsa_params.pe = 65537;
+
+ ScopedPK11SlotInfo slot(PK11_GetInternalSlot());
+ ASSERT_NE(slot, nullptr);
+
+ SECKEYPublicKey* p_pub_tmp = nullptr;
+ priv.reset(PK11_GenerateKeyPair(slot.get(), CKM_RSA_PKCS_KEY_PAIR_GEN,
+ &rsa_params, &p_pub_tmp, false, false,
+ nullptr));
+ pub.reset(p_pub_tmp);
+
+ ASSERT_NE(priv.get(), nullptr);
+ ASSERT_NE(pub.get(), nullptr);
+
+ ScopedPK11SymKey to_wrap(
+ PK11_KeyGen(slot.get(), CKM_AES_CBC, nullptr, 16, nullptr));
+
+ CK_RSA_PKCS_OAEP_PARAMS oaep_params = {CKM_SHA256, CKG_MGF1_SHA256,
+ CKZ_DATA_SPECIFIED, NULL, 0};
+
+ SECItem param = {siBuffer, (unsigned char*)&oaep_params, sizeof(oaep_params)};
+
+ ScopedSECItem wrapped(SECITEM_AllocItem(nullptr, nullptr, kwrappedBufLen));
+ rv = PK11_PubWrapSymKeyWithMechanism(pub.get(), CKM_RSA_PKCS_OAEP, &param,
+ to_wrap.get(), wrapped.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ PK11SymKey* p_unwrapped_tmp = nullptr;
+
+ // This fails because this method is broken and assumes CKM_RSA_PKCS and
+ // doesn't understand OAEP.
+ p_unwrapped_tmp = PK11_PubUnwrapSymKey(priv.get(), wrapped.get(), CKM_AES_CBC,
+ CKA_DECRYPT, 16);
+ ASSERT_EQ(p_unwrapped_tmp, nullptr);
+
+ ScopedPK11SymKey unwrapped;
+ p_unwrapped_tmp = PK11_PubUnwrapSymKeyWithMechanism(
+ priv.get(), CKM_RSA_PKCS_OAEP, &param, wrapped.get(), CKM_AES_CBC,
+ CKA_DECRYPT, 16);
+ ASSERT_NE(p_unwrapped_tmp, nullptr);
+
+ unwrapped.reset(p_unwrapped_tmp);
+
+ // Extract key's value in order to validate decryption worked.
+ rv = PK11_ExtractKeyValue(to_wrap.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ rv = PK11_ExtractKeyValue(unwrapped.get());
+ ASSERT_EQ(rv, SECSuccess);
+
+ // References owned by PKCS#11 layer; no need to scope and free.
+ SECItem* expectedItem = PK11_GetKeyData(to_wrap.get());
+ SECItem* actualItem = PK11_GetKeyData(unwrapped.get());
+
+ ASSERT_EQ(SECITEM_CompareItem(actualItem, expectedItem), 0);
+}
} // namespace nss_test
diff --git a/lib/nss/nss.def b/lib/nss/nss.def
index 1840b8d..4055a98 100644
--- a/lib/nss/nss.def
+++ b/lib/nss/nss.def
@@ -1181,3 +1181,10 @@ SECMOD_GetSystemFIPSEnabled;
;+ local:
;+ *;
;+};
+;+NSS_3.59 { # NSS 3.59 release
+;+ global:
+PK11_PubWrapSymKeyWithMechanism;
+PK11_PubUnwrapSymKeyWithMechanism;
+;+ local:
+;+ *;
+;+};
diff --git a/lib/pk11wrap/pk11pub.h b/lib/pk11wrap/pk11pub.h
index 5edcbf9..3af8487 100644
--- a/lib/pk11wrap/pk11pub.h
+++ b/lib/pk11wrap/pk11pub.h
@@ -354,6 +354,11 @@ void *PK11_GetSymKeyUserData(PK11SymKey *symKey);
SECStatus PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey);
+SECStatus PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
+ CK_MECHANISM_TYPE mechType,
+ SECItem *param,
+ PK11SymKey *symKey,
+ SECItem *wrappedKey);
SECStatus PK11_WrapSymKey(CK_MECHANISM_TYPE type, SECItem *params,
PK11SymKey *wrappingKey, PK11SymKey *symKey, SECItem *wrappedKey);
/* move a key to 'slot' optionally set the key attributes according to either
@@ -448,6 +453,13 @@ PK11SymKey *PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
*/
PK11SymKey *PK11_PubUnwrapSymKey(SECKEYPrivateKey *key, SECItem *wrapppedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize);
+PK11SymKey *PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *key,
+ CK_MECHANISM_TYPE mechType,
+ SECItem *param,
+ SECItem *wrapppedKey,
+ CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation,
+ int keySize);
PK11SymKey *PK11_PubUnwrapSymKeyWithFlagsPerm(SECKEYPrivateKey *wrappingKey,
SECItem *wrappedKey, CK_MECHANISM_TYPE target,
CK_ATTRIBUTE_TYPE operation, int keySize,
diff --git a/lib/pk11wrap/pk11skey.c b/lib/pk11wrap/pk11skey.c
index 996c039..eed833a 100644
--- a/lib/pk11wrap/pk11skey.c
+++ b/lib/pk11wrap/pk11skey.c
@@ -1248,13 +1248,23 @@ PK11_ConvertSessionSymKeyToTokenSymKey(PK11SymKey *symk, void *wincx)
symk->type, newKeyID, PR_FALSE /*owner*/, NULL /*wincx*/);
}
-/*
- * This function does a straight public key wrap (which only RSA can do).
- * Use PK11_PubGenKey and PK11_WrapSymKey to implement the FORTEZZA and
- * Diffie-Hellman Ciphers. */
+/* This function does a straight public key wrap with the CKM_RSA_PKCS
+ * mechanism. */
SECStatus
PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
PK11SymKey *symKey, SECItem *wrappedKey)
+{
+ CK_MECHANISM_TYPE inferred = pk11_mapWrapKeyType(pubKey->keyType);
+ return PK11_PubWrapSymKeyWithMechanism(pubKey, inferred, NULL, symKey,
+ wrappedKey);
+}
+
+/* This function wraps a symmetric key with a public key, such as with the
+ * CKM_RSA_PKCS and CKM_RSA_PKCS_OAEP mechanisms. */
+SECStatus
+PK11_PubWrapSymKeyWithMechanism(SECKEYPublicKey *pubKey,
+ CK_MECHANISM_TYPE mechType, SECItem *param,
+ PK11SymKey *symKey, SECItem *wrappedKey)
{
PK11SlotInfo *slot;
CK_ULONG len = wrappedKey->len;
@@ -1271,7 +1281,7 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
}
/* if this slot doesn't support the mechanism, go to a slot that does */
- newKey = pk11_ForceSlot(symKey, type, CKA_ENCRYPT);
+ newKey = pk11_ForceSlot(symKey, mechType, CKA_ENCRYPT);
if (newKey != NULL) {
symKey = newKey;
}
@@ -1282,9 +1292,15 @@ PK11_PubWrapSymKey(CK_MECHANISM_TYPE type, SECKEYPublicKey *pubKey,
}
slot = symKey->slot;
- mechanism.mechanism = pk11_mapWrapKeyType(pubKey->keyType);
- mechanism.pParameter = NULL;
- mechanism.ulParameterLen = 0;
+
+ mechanism.mechanism = mechType;
+ if (param == NULL) {
+ mechanism.pParameter = NULL;
+ mechanism.ulParameterLen = 0;
+ } else {
+ mechanism.pParameter = param->data;
+ mechanism.ulParameterLen = param->len;
+ }
id = PK11_ImportPublicKey(slot, pubKey, PR_FALSE);
if (id == CK_INVALID_HANDLE) {
@@ -2856,20 +2872,33 @@ PK11_UnwrapSymKeyWithFlagsPerm(PK11SymKey *wrappingKey,
wrappingKey->cx, keyTemplate, templateCount, isPerm);
}
-/* unwrap a symetric key with a private key. */
+/* unwrap a symmetric key with a private key. Only supports CKM_RSA_PKCS. */
PK11SymKey *
PK11_PubUnwrapSymKey(SECKEYPrivateKey *wrappingKey, SECItem *wrappedKey,
CK_MECHANISM_TYPE target, CK_ATTRIBUTE_TYPE operation, int keySize)
{
CK_MECHANISM_TYPE wrapType = pk11_mapWrapKeyType(wrappingKey->keyType);
+
+ return PK11_PubUnwrapSymKeyWithMechanism(wrappingKey, wrapType, NULL,
+ wrappedKey, target, operation,
+ keySize);
+}
+
+/* unwrap a symmetric key with a private key with the given parameters. */
+PK11SymKey *
+PK11_PubUnwrapSymKeyWithMechanism(SECKEYPrivateKey *wrappingKey,
+ CK_MECHANISM_TYPE mechType, SECItem *param,
+ SECItem *wrappedKey, CK_MECHANISM_TYPE target,
+ CK_ATTRIBUTE_TYPE operation, int keySize)
+{
PK11SlotInfo *slot = wrappingKey->pkcs11Slot;
if (SECKEY_HAS_ATTRIBUTE_SET(wrappingKey, CKA_PRIVATE)) {
PK11_HandlePasswordCheck(slot, wrappingKey->wincx);
}
- return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID,
- wrapType, NULL, wrappedKey, target, operation, keySize,
+ return pk11_AnyUnwrapKey(slot, wrappingKey->pkcs11ID, mechType, param,
+ wrappedKey, target, operation, keySize,
wrappingKey->wincx, NULL, 0, PR_FALSE);
}
--
2.33.0

292
backport-CVE-2021-43527.patch Normal file
View File

@ -0,0 +1,292 @@
From 73a449016a1ff68539031ad600d88eab4399911f Mon Sep 17 00:00:00 2001
From: Dennis Jackson <djackson@mozilla.com>
Date: Mon, 22 Nov 2021 10:40:42 +0000
Subject: [PATCH] Bug 1737470 - Ensure DER encoded signatures are within size
limits. r=jschanck,mt,bbeurdouche,rrelyea
Differential Revision: https://phabricator.services.mozilla.com/D129514
---
lib/cryptohi/secvfy.c | 192 ++++++++++++++++++++++++++----------------
1 file changed, 121 insertions(+), 71 deletions(-)
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
index aa3d677..faa5668 100644
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -164,6 +164,37 @@ verifyPKCS1DigestInfo(const VFYContext *cx, const SECItem *digest)
PR_FALSE /*XXX: unsafeAllowMissingParameters*/);
}
+static unsigned int
+checkedSignatureLen(const SECKEYPublicKey *pubk)
+{
+ unsigned int sigLen = SECKEY_SignatureLen(pubk);
+ if (sigLen == 0) {
+ /* Error set by SECKEY_SignatureLen */
+ return sigLen;
+ }
+ unsigned int maxSigLen;
+ switch (pubk->keyType) {
+ case rsaKey:
+ case rsaPssKey:
+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8;
+ break;
+ case dsaKey:
+ maxSigLen = DSA_MAX_SIGNATURE_LEN;
+ break;
+ case ecKey:
+ maxSigLen = 2 * MAX_ECKEY_LEN;
+ break;
+ default:
+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
+ return 0;
+ }
+ if (sigLen > maxSigLen) {
+ PORT_SetError(SEC_ERROR_INVALID_KEY);
+ return 0;
+ }
+ return sigLen;
+}
+
/*
* decode the ECDSA or DSA signature from it's DER wrapping.
* The unwrapped/raw signature is placed in the buffer pointed
@@ -174,38 +205,38 @@ decodeECorDSASignature(SECOidTag algid, const SECItem *sig, unsigned char *dsig,
unsigned int len)
{
SECItem *dsasig = NULL; /* also used for ECDSA */
- SECStatus rv = SECSuccess;
-
- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) &&
- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) {
- if (sig->len != len) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */
+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) {
+ if (len > DSA_MAX_SIGNATURE_LEN) {
+ goto loser;
}
-
- PORT_Memcpy(dsig, sig->data, sig->len);
- return SECSuccess;
- }
-
- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) {
if (len > MAX_ECKEY_LEN * 2) {
- PORT_SetError(SEC_ERROR_BAD_DER);
- return SECFailure;
+ goto loser;
}
- }
- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
-
- if ((dsasig == NULL) || (dsasig->len != len)) {
- rv = SECFailure;
} else {
- PORT_Memcpy(dsig, dsasig->data, dsasig->len);
+ goto loser;
}
if (dsasig != NULL)
+ /* Decode and pad to length */
+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len);
+ if (dsasig == NULL) {
+ goto loser;
+ }
+ if (dsasig->len != len) {
SECITEM_FreeItem(dsasig, PR_TRUE);
- if (rv == SECFailure)
- PORT_SetError(SEC_ERROR_BAD_DER);
- return rv;
+ goto loser;
+ }
+
+ PORT_Memcpy(dsig, dsasig->data, len);
+ SECITEM_FreeItem(dsasig, PR_TRUE);
+
+ return SECSuccess;
+
+loser:
+ PORT_SetError(SEC_ERROR_BAD_DER);
+ return SECFailure;
}
const SEC_ASN1Template hashParameterTemplate[] =
@@ -231,7 +262,7 @@ SECStatus
sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg,
const SECItem *param, SECOidTag *encalg, SECOidTag *hashalg)
{
- int len;
+ unsigned int len;
PLArenaPool *arena;
SECStatus rv;
SECItem oid;
@@ -446,48 +477,52 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
cx->pkcs1RSADigestInfo = NULL;
rv = SECSuccess;
if (sig) {
- switch (type) {
- case rsaKey:
- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
- &cx->pkcs1RSADigestInfo,
- &cx->pkcs1RSADigestInfoLen,
- cx->key,
- sig, wincx);
- break;
- case rsaPssKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
- rv = SECFailure;
+ rv = SECFailure;
+ if (type == rsaKey) {
+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg,
+ &cx->pkcs1RSADigestInfo,
+ &cx->pkcs1RSADigestInfoLen,
+ cx->key,
+ sig, wincx);
+ } else {
+ sigLen = checkedSignatureLen(key);
+ /* Check signature length is within limits */
+ if (sigLen == 0) {
+ /* error set by checkedSignatureLen */
+ rv = SECFailure;
+ goto loser;
+ }
+ if (sigLen > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ switch (type) {
+ case rsaPssKey:
+ if (sig->len != sigLen) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ goto loser;
+ }
+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
+ rv = SECSuccess;
break;
- }
- if (sig->len != sigLen) {
- PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- rv = SECFailure;
+ case ecKey:
+ case dsaKey:
+ /* decodeECorDSASignature will check sigLen == sig->len after padding */
+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
break;
- }
- PORT_Memcpy(cx->u.buffer, sig->data, sigLen);
- break;
- case dsaKey:
- case ecKey:
- sigLen = SECKEY_SignatureLen(key);
- if (sigLen == 0) {
- /* error set by SECKEY_SignatureLen */
+ default:
+ /* Unreachable */
rv = SECFailure;
- break;
- }
- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen);
- break;
- default:
- rv = SECFailure;
- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
- break;
+ goto loser;
+ }
+ }
+ if (rv != SECSuccess) {
+ goto loser;
}
}
- if (rv)
- goto loser;
-
/* check hash alg again, RSA may have changed it.*/
if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) {
/* error set by HASH_GetHashTypeByOidTag */
@@ -622,11 +657,16 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
switch (cx->key->keyType) {
case ecKey:
case dsaKey:
- dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
return SECFailure;
}
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ return SECFailure;
+ }
+ dsasig.data = cx->u.buffer;
+
if (sig) {
rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data,
dsasig.len);
@@ -658,8 +698,13 @@ VFY_EndWithSignature(VFYContext *cx, SECItem *sig)
}
rsasig.data = cx->u.buffer;
- rsasig.len = SECKEY_SignatureLen(cx->key);
+ rsasig.len = checkedSignatureLen(cx->key);
if (rsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ return SECFailure;
+ }
+ if (rsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
return SECFailure;
}
if (sig) {
@@ -721,7 +766,6 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
SECStatus rv;
VFYContext *cx;
SECItem dsasig; /* also used for ECDSA */
-
rv = SECFailure;
cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx);
@@ -729,19 +773,25 @@ vfy_VerifyDigest(const SECItem *digest, const SECKEYPublicKey *key,
switch (key->keyType) {
case rsaKey:
rv = verifyPKCS1DigestInfo(cx, digest);
+ /* Error (if any) set by verifyPKCS1DigestInfo */
break;
- case dsaKey:
case ecKey:
+ case dsaKey:
dsasig.data = cx->u.buffer;
- dsasig.len = SECKEY_SignatureLen(cx->key);
+ dsasig.len = checkedSignatureLen(cx->key);
if (dsasig.len == 0) {
+ /* Error set by checkedSignatureLen */
+ rv = SECFailure;
break;
}
- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) !=
- SECSuccess) {
+ if (dsasig.len > sizeof(cx->u)) {
+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
+ rv = SECFailure;
+ break;
+ }
+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx);
+ if (rv != SECSuccess) {
PORT_SetError(SEC_ERROR_BAD_SIGNATURE);
- } else {
- rv = SECSuccess;
}
break;
default:
--
2.27.0

34
nss.spec
View File

@ -14,12 +14,12 @@
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 5
Release: 10
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Provides: nss-system-init
Requires: nspr >= %{nspr_version} nss-util >= %{nss_version} nss-softokn%{_isa} >= %{nss_version}
Requires: p11-kit-trust crypto-policies nss-help
Requires: p11-kit-trust crypto-policies
Requires(post): coreutils, sed
BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-devel
BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++ gdb
@ -44,6 +44,11 @@ Patch1: 0001-CVE-2020-6829-and-CVE-2020-12400.patch
Patch2: 0002-CVE-2020-6829-and-CVE-2020-12400.patch
Patch3: CVE-2020-12401.patch
Patch4: backport-CVE-2020-25648-tighten-CSS-handling-in-compatibility-mode.patch
Patch5: backport-0001-CVE-2020-12403.patch
Patch6: backport-0002-CVE-2020-12403.patch
Patch7: backport-Bug-1666891-Add-PK11_Pub-Wrap-Unwrap.patch
Patch6000: backport-CVE-2021-43527.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -68,7 +73,7 @@ Header and Library files for doing development with Network Security Services.
%package util
Summary: Network Security Services Utilities Library
Requires: nspr >= %{nspr_version} nss-help
Requires: nspr >= %{nspr_version}
Requires: %{name}%{?_isa} = %{version}-%{release}
Provides: nss-tools = %{version}-%{release}
Obsoletes: nss-tools < %{version}-%{release}
@ -131,6 +136,12 @@ Help document for NSS
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
pushd nss
%patch7 -p1
%patch6000 -p1
popd
%build
@ -183,7 +194,7 @@ export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
make -j16 -C ./nss all
make %{?_smp_mflags} -C ./nss all
make -C ./nss latest
# build the man pages clean
@ -551,6 +562,21 @@ update-crypto-policies &> /dev/null || :
%doc %{_mandir}/man*
%changelog
* Tue Feb 20 2024 jinlun <jinlun@huawei.com> - 3.54.0-10
- Add PK11_Pub{Wrap, Unwrap}SymkeyWithMechanism r=mt,rrelyea Summary
* Thu Aug 04 2022 renhongxun <renhongxun@h-partners.com> - 3.54.0-9
- remove nss-help from Requires of nss and nss-util
* Tue Dec 28 2021 shangyibin <shangyibin1@huawei> - 3.54.0-8
- fix CVE-2021-43527
* Sat May 29 2021 shuxuantong <shixuantong@huawei> - 3.54.0-7
- fix version problem in changelog
* Wed Mar 17 2021 yixiangzhike <zhangxingliang3@huawei.com> - 3.54-6
- fix CVE-2020-12403
* Tue Mar 16 2021 yixiangzhike <zhangxingliang3@huawei.com> - 3.54-5
- optimize compilation time