File nss-CC-approved_crypto-ECs.patch of Package mozilla-nss.972

# HG changeset patch
# Parent  d9a01714b36cd0410dbe6b2d1c3c3bb8fe4b7805
Disable non-approved elliptic curves in FIPS mode - return errors when one of
them is requested and do not offer these curves in SSL/TLS negotiation.

Approved curves for FIPS-140-2 are: NIST P-224, P-256, P-384, P-521.

bsc#924307

diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c
--- a/lib/freebl/ecdecode.c
+++ b/lib/freebl/ecdecode.c
@@ -9,19 +9,27 @@
 #endif
 
 #include "blapi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "ec.h"
 #include "ecl-curve.h"
+#include "fips.h"
 
 #define CHECK_OK(func) if (func == NULL) goto cleanup
 #define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
+#define DISABLED_IF(x) \
+    do { \
+	if (x) { \
+	    rv = SECFailure; \
+	    goto cleanup; \
+	} \
+    } while (0)
 
 /*
  * Initializes a SECItem from a hexadecimal string
  *
  * Warning: This function ignores leading 00's, so any leading 00's
  * in the hexadecimal string must be optional.
  */
 static SECItem *
@@ -197,350 +205,400 @@ EC_FillParams(PLArenaPool *arena, const 
     printf("Curve: %s\n", SECOID_FindOIDTagDescription(tag));
 #endif
 
     switch (tag) {
 
     /* Binary curves */
 
     case SEC_OID_ANSIX962_EC_C2PNB163V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb163v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB163V2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb163v2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB163V3:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb163v3 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB163V3, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB176V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb176v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB176V1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB191V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb191v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB191V2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb191v2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB191V3:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb191v3 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB191V3, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB208W1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb208w1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB208W1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB239V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb239v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB239V2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb239v2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB239V3:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb239v3 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB239V3, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB272W1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb272w1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB272W1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB304W1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb304w1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB304W1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB359V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb359v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB359V1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2PNB368W1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2pnb368w1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_PNB368W1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_C2TNB431R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for c2tnb431r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_CHAR2_TNB431R1, ec_field_GF2m,
 	    params) );
 	break;
 	
     case SEC_OID_SECG_EC_SECT113R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect113r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT113R2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect113r2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_113R2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT131R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect131r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT131R2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect131r2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_131R2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT163K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect163k1
 	 * (the NIST K-163 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT163R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect163r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT163R2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect163r2
 	 * (the NIST B-163 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_163R2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT193R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect193r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT193R2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect193r2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_193R2, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT233K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect233k1
 	 * (the NIST K-233 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT233R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect233r1
 	 * (the NIST B-233 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_233R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT239K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect239k1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_239K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT283K1:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for sect283k1
 	 * (the NIST K-283 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT283R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect283r1
 	 * (the NIST B-283 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_283R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT409K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect409k1
 	 * (the NIST K-409 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT409R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect409r1
 	 * (the NIST B-409 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_409R1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT571K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect571k1
 	 * (the NIST K-571 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571K1, ec_field_GF2m,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECT571R1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for sect571r1
 	 * (the NIST B-571 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_CHAR2_571R1, ec_field_GF2m,
 	    params) );
 	break;
 
     /* Prime curves */
 
     case SEC_OID_ANSIX962_EC_PRIME192V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime192v1 aka secp192r1 
 	 * (the NIST P-192 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_PRIME192V2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime192v2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V2, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_PRIME192V3:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime192v3 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_192V3, ec_field_GFp,
 	    params) );
 	break;
 	
     case SEC_OID_ANSIX962_EC_PRIME239V1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime239v1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_PRIME239V2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime239v2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V2, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_PRIME239V3:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for prime239v3 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_239V3, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_ANSIX962_EC_PRIME256V1:
 	/* Populate params for prime256v1 aka secp256r1
 	 * (the NIST P-256 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_X9_62_PRIME_256V1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP112R1:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp112r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP112R2:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp112r2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_112R2, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP128R1:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp128r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP128R2:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp128r2 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_128R2, ec_field_GFp,
 	    params) );
 	break;
 	
     case SEC_OID_SECG_EC_SECP160K1:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp160k1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160K1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP160R1:
+	DISABLED_IF(FIPS_mode());
         /* Populate params for secp160r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP160R2:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for secp160r1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_160R2, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP192K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for secp192k1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_192K1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP224K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for secp224k1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224K1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP224R1:
 	/* Populate params for secp224r1 
 	 * (the NIST P-224 curve)
 	 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_224R1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP256K1:
+	DISABLED_IF(FIPS_mode());
 	/* Populate params for secp256k1 */
 	CHECK_SEC_OK( gf_populate_params(ECCurve_SECG_PRIME_256K1, ec_field_GFp,
 	    params) );
 	break;
 
     case SEC_OID_SECG_EC_SECP384R1:
 	/* Populate params for secp384r1
 	 * (the NIST P-384 curve)
diff --git a/lib/ssl/ssl3ecc.c b/lib/ssl/ssl3ecc.c
--- a/lib/ssl/ssl3ecc.c
+++ b/lib/ssl/ssl3ecc.c
@@ -1139,20 +1139,24 @@ ssl3_SendSupportedCurvesXtn(
         }
     }
     return ecListSize;
 }
 
 PRUint32
 ssl3_GetSupportedECCurveMask(sslSocket *ss)
 {
+    PRUint32 mask = SSL3_ALL_SUPPORTED_CURVES_MASK;
     if (ssl3_SuiteBOnly(ss)) {
-        return SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
+        mask = SSL3_SUITE_B_SUPPORTED_CURVES_MASK;
     }
-    return SSL3_ALL_SUPPORTED_CURVES_MASK;
+    if (PK11_IsFIPS()) {
+        mask &= SSL3_FIPS_SUPPORTED_CURVES_MASK;
+    }
+    return mask;
 }
 
 /* Send our "canned" (precompiled) Supported Point Formats extension,
  * which says that we only support uncompressed points.
  */
 PRInt32
 ssl3_SendSupportedPointFormatsXtn(
                         sslSocket * ss,
diff --git a/lib/ssl/sslimpl.h b/lib/ssl/sslimpl.h
--- a/lib/ssl/sslimpl.h
+++ b/lib/ssl/sslimpl.h
@@ -141,16 +141,18 @@ typedef enum { SSLAppOpRead = 0,
 #define SSL_MAX_CACHED_CERT_LEN		4060
 
 #define NUM_MIXERS                      9
 
 /* Mask of the 25 named curves we support. */
 #define SSL3_ALL_SUPPORTED_CURVES_MASK 0x3fffffe
 /* Mask of only 3 curves, suite B */
 #define SSL3_SUITE_B_SUPPORTED_CURVES_MASK 0x3800000
+/* Mask of the curces supported in FIPS: P-224, P-256, P-384, P-521 */
+#define SSL3_FIPS_SUPPORTED_CURVES_MASK 0x3a00000
 
 #ifndef BPB
 #define BPB 8 /* Bits Per Byte */
 #endif
 
 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
 
 /* The minimum server key sizes accepted by the clients.
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -12,16 +12,17 @@
 #include "ssl.h"
 #include "sslimpl.h"
 #include "sslproto.h"
 #include "nspr.h"
 #include "private/pprio.h"
 #ifndef NO_PKCS11_BYPASS
 #include "blapi.h"
 #endif
+#include "pk11pub.h"
 #include "nss.h"
 
 #define SET_ERROR_CODE   /* reminder */
 
 static const sslSocketOps ssl_default_ops = {   /* No SSL. */
     ssl_DefConnect,
     NULL,
     ssl_DefBind,
@@ -2979,16 +2980,21 @@ ssl_NewSocket(PRBool makeLocks, SSLProto
         ss->pkcs11PinArg       = NULL;
         ss->ephemeralECDHKeyPair = NULL;
 
         ssl_ChooseOps(ss);
         ssl2_InitSocketPolicy(ss);
         ssl3_InitSocketPolicy(ss);
         PR_INIT_CLIST(&ss->ssl3.hs.lastMessageFlight);
 
+        /* cannot cresate step down keys in fips mode */
+        if (!ss->opt.noStepDown && PK11_IsFIPS()) {
+            ss->opt.noStepDown = PR_TRUE;
+        }
+
         if (makeLocks) {
             status = ssl_MakeLocks(ss);
             if (status != SECSuccess)
                 goto loser;
         }
         status = ssl_CreateSecurityInfo(ss);
         if (status != SECSuccess)
             goto loser;