[nss-softokn] Resolves: Bug 1155306 - Provide sym key derive mechansm as result of encryption of message

Elio Maldonado emaldonado at fedoraproject.org
Sat Nov 8 16:31:09 UTC 2014


commit ed67e9a11af68a7dee377bcbe94d535a9a65a55b
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Sat Nov 8 08:20:25 2014 -0800

    Resolves: Bug 1155306 - Provide sym key derive mechanism as result of
    encryption of message

 nss-softokn-add_encrypt_derive.patch |  233 ++++++++++++++++++++++++++++++++++
 nss-softokn.spec                     |    8 +-
 2 files changed, 240 insertions(+), 1 deletions(-)
---
diff --git a/nss-softokn-add_encrypt_derive.patch b/nss-softokn-add_encrypt_derive.patch
new file mode 100644
index 0000000..456d2b3
--- /dev/null
+++ b/nss-softokn-add_encrypt_derive.patch
@@ -0,0 +1,233 @@
+diff -up ./nss/lib/softoken/pkcs11.c.add_encrypt_derive ./nss/lib/softoken/pkcs11.c
+--- ./nss/lib/softoken/pkcs11.c.add_encrypt_derive	2014-06-24 13:45:27.000000000 -0700
++++ ./nss/lib/softoken/pkcs11.c	2014-10-31 17:24:58.021526521 -0700
+@@ -442,11 +442,22 @@ static const struct mechanismList mechan
+ #endif
+      /* --------------------- Secret Key Operations ------------------------ */
+      {CKM_GENERIC_SECRET_KEY_GEN,	{1, 32, CKF_GENERATE}, PR_TRUE}, 
+-     {CKM_CONCATENATE_BASE_AND_KEY,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+-     {CKM_CONCATENATE_BASE_AND_DATA,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+-     {CKM_CONCATENATE_DATA_AND_BASE,	{1, 32, CKF_GENERATE}, PR_FALSE}, 
+-     {CKM_XOR_BASE_AND_DATA,		{1, 32, CKF_GENERATE}, PR_FALSE}, 
++     {CKM_CONCATENATE_BASE_AND_KEY,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_CONCATENATE_BASE_AND_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_CONCATENATE_DATA_AND_BASE,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_XOR_BASE_AND_DATA,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
+      {CKM_EXTRACT_KEY_FROM_KEY,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_EXTRACT_KEY_FROM_KEY,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_DES_ECB_ENCRYPT_DATA,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_DES_CBC_ENCRYPT_DATA,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_DES3_ECB_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_DES3_CBC_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_AES_ECB_ENCRYPT_DATA,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_AES_CBC_ENCRYPT_DATA,		{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_CAMELLIA_ECB_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_CAMELLIA_CBC_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_SEED_ECB_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
++     {CKM_SEED_CBC_ENCRYPT_DATA,	{1, 32, CKF_DERIVE},   PR_FALSE}, 
+      /* ---------------------- SSL Key Derivations ------------------------- */
+      {CKM_SSL3_PRE_MASTER_KEY_GEN,	{48, 48, CKF_GENERATE}, PR_FALSE}, 
+      {CKM_SSL3_MASTER_KEY_DERIVE,	{48, 48, CKF_DERIVE},   PR_FALSE}, 
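Review bot: The added `{CKM_EXTRACT_KEY_FROM_KEY, {1, 32, CKF_DERIVE}, PR_FALSE},` line repeats the unchanged entry directly above it, so the mechanism table would list that mechanism twice; the added copy should be dropped. The new `*_ENCRYPT_DATA` rows also reuse the generic `{1, 32}` size range, which looks copied from the generic-secret entries rather than chosen per cipher. If these bounds are reported to callers as the base-key size, DES, DES3, AES, Camellia and SEED would each need their own values. The table starts and ends outside this hunk.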
+diff -up ./nss/lib/softoken/pkcs11c.c.add_encrypt_derive ./nss/lib/softoken/pkcs11c.c
+--- ./nss/lib/softoken/pkcs11c.c.add_encrypt_derive	2014-10-31 17:24:58.007526287 -0700
++++ ./nss/lib/softoken/pkcs11c.c	2014-10-31 17:33:59.457507480 -0700
+@@ -5840,6 +5840,44 @@ static CK_RV sftk_ANSI_X9_63_kdf(CK_BYTE
+ #endif /* NSS_DISABLE_ECC */
+ 
+ /*
++ *  Handle The derive from a block encryption cipher
++ */
++CK_RV
++sftk_DeriveEncrypt(SFTKObject *key, CK_ULONG keySize, void *cipherInfo, 
++	int blockSize, unsigned char *data, CK_ULONG len, SFTKCipher encrypt)
++{
++    unsigned char *tmpdata = NULL;
++    SECStatus rv;
++    unsigned int outLen;
++    CK_RV crv;
++
++    if ((len % blockSize) != 0) {
++	return CKR_MECHANISM_PARAM_INVALID;
++    }
++    if (keySize && (len < keySize)) {
++	return CKR_MECHANISM_PARAM_INVALID;
++    }
++    if (keySize == 0) {
++	keySize = len;
++    }
++
++    tmpdata = PORT_Alloc(len);
++    if (tmpdata == NULL) {
++	return CKR_HOST_MEMORY;
++    }
++    rv = (*encrypt)(cipherInfo, tmpdata, &outLen, len, data, len);
++    if (rv != SECSuccess) {
++	crv = sftk_MapCryptError(PORT_GetError());
++	PORT_ZFree(tmpdata, len);
++	return crv;
++    }
++
++    crv = sftk_forceAttribute (key,CKA_VALUE,tmpdata,keySize);
++    PORT_ZFree(tmpdata,len);
++    return crv;
++}
++
++/*
+  * SSL Key generation given pre master secret
+  */
+ #define NUM_MIXERS 9
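Review bot: In `sftk_DeriveEncrypt` a zero `len` passes both parameter checks (`0 % blockSize` is 0, and the second test is skipped when `keySize` is 0), so the function reaches `PORT_Alloc(0)` and would set an empty `CKA_VALUE`; the first guard should read `if (len == 0 || (len % blockSize) != 0)`. `outLen` is written by the cipher but never read, so a short output would leave uninitialised heap bytes in `tmpdata` that are then copied into the derived key; after the success check add `if (outLen < keySize) { PORT_ZFree(tmpdata, len); return CKR_GENERAL_ERROR; }`. `data` is handed to the cipher without a NULL check, and `len` is a `CK_ULONG` while the cipher callback appears to take `unsigned int` lengths (inferred from the type of `outLen`), so an upper bound on `len` would also be worth adding. The helper could be declared `static`, since the only caller visible on this page is in the same file.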
+@@ -5883,6 +5921,9 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h
+     CK_KEY_TYPE     keyType	= CKK_GENERIC_SECRET;
+     CK_OBJECT_CLASS classType	= CKO_SECRET_KEY;
+     CK_KEY_DERIVATION_STRING_DATA *stringPtr;
++    CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr;
++    CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
++    void *cipherInfo;
+     PRBool          isTLS = PR_FALSE;
+     PRBool          isSHA256 = PR_FALSE;
+     PRBool          isDH = PR_FALSE;
+@@ -5892,6 +5933,7 @@ CK_RV NSC_DeriveKey( CK_SESSION_HANDLE h
+     unsigned char   sha_out[SHA1_LENGTH];
+     unsigned char   key_block[NUM_MIXERS * MD5_LENGTH];
+     unsigned char   key_block2[MD5_LENGTH];
++    unsigned char   des3key[24];
+     PRBool          isFIPS;		
+     HASH_HashType   hashType;
+     PRBool          extractValue = PR_TRUE;
+@@ -6544,6 +6586,136 @@ key_and_mac_derive_fail:
+ 	break;
+       }
+ 
++    case CKM_DES_ECB_ENCRYPT_DATA:
++	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
++	cipherInfo =  DES_CreateContext( (unsigned char*)att->attrib.pValue,
++                NULL, NSS_DES, PR_TRUE);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, 
++		stringPtr->pData, stringPtr->ulLen, (SFTKCipher) DES_Encrypt);
++	DES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_DES_CBC_ENCRYPT_DATA:
++	desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
++							pMechanism->pParameter;
++	cipherInfo =  DES_CreateContext( (unsigned char*)att->attrib.pValue,
++                desEncryptPtr->iv, NSS_DES_CBC, PR_TRUE);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, 
++		desEncryptPtr->pData, desEncryptPtr->length, 
++		(SFTKCipher) DES_Encrypt);
++	DES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_DES3_ECB_ENCRYPT_DATA:
++	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
++	if (att->attrib.ulValueLen == 16) {
++	    PORT_Memcpy(des3key, att->attrib.pValue, 16);
++	    PORT_Memcpy(des3key + 16, des3key, 8);
++	} else if (att->attrib.ulValueLen == 24) {
++	    PORT_Memcpy(des3key, att->attrib.pValue, 24);
++	} else {
++	   crv = CKR_KEY_SIZE_RANGE; break;
++	}
++	cipherInfo =  DES_CreateContext( des3key, NULL, NSS_DES_EDE3, PR_TRUE);
++	PORT_Memset(des3key, 0, 24);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, 
++		stringPtr->pData, stringPtr->ulLen, (SFTKCipher) DES_Encrypt);
++	DES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_DES3_CBC_ENCRYPT_DATA:
++	desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
++							pMechanism->pParameter;
++	if (att->attrib.ulValueLen == 16) {
++	    PORT_Memcpy(des3key, att->attrib.pValue, 16);
++	    PORT_Memcpy(des3key + 16, des3key, 8);
++	} else if (att->attrib.ulValueLen == 24) {
++	    PORT_Memcpy(des3key, att->attrib.pValue, 24);
++	} else {
++	   crv = CKR_KEY_SIZE_RANGE; break;
++	}
++	cipherInfo =  DES_CreateContext( des3key, desEncryptPtr->iv, 
++				NSS_DES_EDE3_CBC, PR_TRUE);
++	PORT_Memset(des3key, 0, 24);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, 
++		desEncryptPtr->pData, desEncryptPtr->length, 
++		(SFTKCipher) DES_Encrypt);
++	DES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_AES_ECB_ENCRYPT_DATA:
++	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
++	cipherInfo = AES_CreateContext( (unsigned char*)att->attrib.pValue,
++            NULL, NSS_AES, PR_TRUE, att->attrib.ulValueLen, 16);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		stringPtr->pData, stringPtr->ulLen, (SFTKCipher) AES_Encrypt);
++	AES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_AES_CBC_ENCRYPT_DATA:
++	aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
++							pMechanism->pParameter;
++	cipherInfo = AES_CreateContext( (unsigned char*)att->attrib.pValue,
++            			aesEncryptPtr->iv, NSS_AES_CBC, 
++				PR_TRUE, att->attrib.ulValueLen, 16);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		aesEncryptPtr->pData, aesEncryptPtr->length, 
++		(SFTKCipher) AES_Encrypt);
++	AES_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_CAMELLIA_ECB_ENCRYPT_DATA:
++	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
++	cipherInfo = Camellia_CreateContext( (unsigned char*)att->attrib.pValue,
++            NULL, NSS_CAMELLIA, PR_TRUE,att->attrib.ulValueLen);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		stringPtr->pData, stringPtr->ulLen, 
++		(SFTKCipher) Camellia_Encrypt);
++	Camellia_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_CAMELLIA_CBC_ENCRYPT_DATA:
++	aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
++							pMechanism->pParameter;
++	cipherInfo = Camellia_CreateContext((unsigned char*)att->attrib.pValue,
++				aesEncryptPtr->iv,NSS_CAMELLIA_CBC, 
++				PR_TRUE, att->attrib.ulValueLen);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		aesEncryptPtr->pData, aesEncryptPtr->length, 
++		(SFTKCipher) Camellia_Encrypt);
++	Camellia_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_SEED_ECB_ENCRYPT_DATA:
++	stringPtr = (CK_KEY_DERIVATION_STRING_DATA *) pMechanism->pParameter;
++	cipherInfo = SEED_CreateContext( (unsigned char*)att->attrib.pValue,
++            NULL, NSS_SEED, PR_TRUE);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		stringPtr->pData, stringPtr->ulLen, (SFTKCipher) SEED_Encrypt);
++	SEED_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
++    case CKM_SEED_CBC_ENCRYPT_DATA:
++	aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *)
++							pMechanism->pParameter;
++	cipherInfo = SEED_CreateContext( (unsigned char*)att->attrib.pValue,
++            aesEncryptPtr->iv, NSS_SEED_CBC, PR_TRUE);
++	if (cipherInfo == NULL) { crv = CKR_HOST_MEMORY; break; }
++	crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16,
++		aesEncryptPtr->pData, aesEncryptPtr->length,
++		(SFTKCipher) SEED_Encrypt);
++	SEED_DestroyContext(cipherInfo, PR_TRUE);
++	break;
++
+     case CKM_CONCATENATE_BASE_AND_DATA:
+ 	crv = sftk_DeriveSensitiveCheck(sourceKey,key);
+ 	if (crv != CKR_OK) break;
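Review bot: Every new `*_ENCRYPT_DATA` case casts `pMechanism->pParameter` and dereferences it (`stringPtr->pData`, `desEncryptPtr->iv`, `aesEncryptPtr->length`) without first checking that the pointer is non-NULL and that `ulParameterLen` matches the structure, so a caller-supplied short or missing parameter is read out of bounds. Each case should start with a guard such as `if (pMechanism->pParameter == NULL || pMechanism->ulParameterLen != sizeof(CK_KEY_DERIVATION_STRING_DATA)) { crv = CKR_MECHANISM_PARAM_INVALID; break; }`, using the matching `CK_*_CBC_ENCRYPT_DATA_PARAMS` type in the CBC cases. The DES and SEED cases also pass `att->attrib.pValue` to `DES_CreateContext` / `SEED_CreateContext` without checking `att->attrib.ulValueLen` (8 and 16 bytes respectively), unlike the DES3 cases, which check for 16 or 24. Unless the base key type is validated earlier in `NSC_DeriveKey`, which starts and ends outside this hunk, a shorter key value would be over-read. The Camellia and SEED CBC cases reuse `CK_AES_CBC_ENCRYPT_DATA_PARAMS`; a comment such as `/* Camellia/SEED share the AES parameter layout (16-byte IV) */` would make that intentional.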
diff --git a/nss-softokn.spec b/nss-softokn.spec
index 019aaf3..818a693 100644
--- a/nss-softokn.spec
+++ b/nss-softokn.spec
@@ -25,7 +25,7 @@
 Summary:          Network Security Services Softoken Module
 Name:             nss-softokn
 Version:          3.17.2
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -69,6 +69,8 @@ Patch8:           softoken-minimal-test-dependencies.patch
 # NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers. 
 # Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it.
 Patch10:           iquote.patch
+# TODO: File an upstream bug
+Patch97:	nss-softokn-add_encrypt_derive.patch
 
 %description
 Network Security Services Softoken Cryptographic Module
@@ -122,6 +124,7 @@ Header and library files for doing development with Network Security Services.
 %patch8 -p0 -b .crypto
 # activate if needed when doing a major update with new apis
 %patch10 -p0 -b .iquote
+%patch97 -p0 -b .add_encrypt_derive
 
 %build
 
@@ -394,6 +397,9 @@ done
 %{_includedir}/nss3/shsign.h
 
 %changelog
+* Wed Nov 08 2014 Elio Maldonado <emaldona at redhat.com> - 3.17.2-2
+- Resolves: Bug 1155306 - Provide sym key derive mechansm as result of encryption of message
+
 * Sun Oct 12 2014 Elio Maldonado <emaldona at redhat.com> - 3.17.2-1
 - Update to nss-3.17.2
 

