File nss-fips-zeroization.patch of Package mozilla-nss.6625

Overview Repositories Revisions Requests Users Attributes Meta

File nss-fips-zeroization.patch of Package mozilla-nss.6625

diff --git a/nss/lib/freebl/aeskeywrap.c b/nss/lib/freebl/aeskeywrap.c
index 79ff8a8..9158521 100644
--- a/nss/lib/freebl/aeskeywrap.c
+++ b/nss/lib/freebl/aeskeywrap.c
@@ -93,6 +93,7 @@ AESKeyWrap_DestroyContext(AESKeyWrapContext *cx, PRBool freeit)
 {
     if (cx) {
         AES_DestroyContext(&cx->aescx, PR_FALSE);
+	memset(cx->iv, 0, sizeof (cx->iv));
         /*  memset(cx, 0, sizeof *cx); */
         if (freeit)
             PORT_Free(cx);
diff --git a/nss/lib/freebl/cts.c b/nss/lib/freebl/cts.c
index 99ccebb..456b179 100644
--- a/nss/lib/freebl/cts.c
+++ b/nss/lib/freebl/cts.c
@@ -41,6 +41,7 @@ CTS_CreateContext(void *context, freeblCipherFunc cipher,
 void
 CTS_DestroyContext(CTSContext *cts, PRBool freeit)
 {
+    PORT_Memset(cts, 0, sizeof(CTSContext));
     if (freeit) {
         PORT_Free(cts);
     }
@@ -139,7 +140,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsigned char *outbuf,
     PORT_Memset(lastBlock + inlen, 0, blocksize - inlen);
     rv = (*cts->cipher)(cts->context, outbuf, &tmp, maxout, lastBlock,
                         blocksize, blocksize);
-    PORT_Memset(lastBlock, 0, blocksize);
+    PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
     if (rv == SECSuccess) {
         *outlen = written + blocksize;
     } else {
@@ -234,13 +235,15 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     rv = (*cts->cipher)(cts->context, outbuf, outlen, maxout, inbuf,
                         fullblocks, blocksize);
     if (rv != SECSuccess) {
-        return SECFailure;
+        rv = SECFailure;
+        goto cleanup;
     }
     *outlen = fullblocks; /* AES low level doesn't set outlen */
     inbuf += fullblocks;
     inlen -= fullblocks;
     if (inlen == 0) {
-        return SECSuccess;
+        rv = SECSuccess;
+        goto cleanup;
     }
     outbuf += fullblocks;
 
@@ -284,9 +287,9 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     rv = (*cts->cipher)(cts->context, Pn, &tmpLen, blocksize, lastBlock,
                         blocksize, blocksize);
     if (rv != SECSuccess) {
-        PORT_Memset(lastBlock, 0, blocksize);
         PORT_Memset(saveout, 0, *outlen);
-        return SECFailure;
+        rv = SECFailure;
+        goto cleanup;
     }
     /* make up for the out of order CBC decryption */
     XOR_BLOCK(Pn, Cn_2, blocksize);
@@ -301,7 +304,8 @@ CTS_DecryptUpdate(CTSContext *cts, unsigned char *outbuf,
     /* clear last block. At this point last block contains Pn xor Cn_1 xor
      * Cn_2, both of with an attacker would know, so we need to clear this
      * buffer out */
-    PORT_Memset(lastBlock, 0, blocksize);
+cleanup:
+    PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE);
     /* Cn, Cn_1, and Cn_2 have encrypted data, so no need to clear them */
-    return SECSuccess;
+    return rv;
 }
diff --git a/nss/lib/freebl/dh.c b/nss/lib/freebl/dh.c
index 97025c7..28eefb1 100644
--- a/nss/lib/freebl/dh.c
+++ b/nss/lib/freebl/dh.c
@@ -194,6 +194,10 @@ cleanup:
         rv = SECFailure;
     }
     if (rv) {
+        SECITEM_ZfreeItem(&key->prime, PR_FALSE);
+        SECITEM_ZfreeItem(&key->base, PR_FALSE);
+        SECITEM_ZfreeItem(&key->publicValue, PR_FALSE);
+        SECITEM_ZfreeItem(&key->privateValue, PR_FALSE);
         *privKey = NULL;
         PORT_FreeArena(arena, PR_TRUE);
     }
diff --git a/nss/lib/freebl/ec.c b/nss/lib/freebl/ec.c
index 669c9b1..dd4afe3 100644
--- a/nss/lib/freebl/ec.c
+++ b/nss/lib/freebl/ec.c
@@ -970,7 +970,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
     ECParams *ecParams = NULL;
     SECItem pointC = { siBuffer, NULL, 0 };
     int slen;       /* length in bytes of a half signature (r or s) */
-    int flen;       /* length in bytes of the field size */
+    int flen = 0;   /* length in bytes of the field size */
     unsigned olen;  /* length in bytes of the base point order */
     unsigned obits; /* length in bits  of the base point order */
 
diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c
index cf8e027..1934aa5 100644
--- a/nss/lib/freebl/gcm.c
+++ b/nss/lib/freebl/gcm.c
@@ -37,6 +37,12 @@ static SECStatus gcmHash_Reset(gcmHashContext *ghash,
                                const unsigned char *inbuf,
                                unsigned int inbufLen, unsigned int blocksize);
 
+/* the ALGORITHM_1 implementation lacks any data structure zeroizations and is
+ * slower (see below) - cancel compilation if it somehow got requested */
+#ifdef GCM_USE_ALGORITHM_1
+#error "ALGORITHM_1 is not supported in this build"
+#endif
+
 /* compile time defines to select how the GF2 multiply is calculated.
  * There are currently 2 algorithms implemented here: MPI and ALGORITHM_1.
  *
@@ -271,6 +277,7 @@ gcm_HashMult(gcmHashContext *ghash, const unsigned char *buf,
     }
     rv = SECSuccess;
 cleanup:
+    mp_zero(&ghash->C_i);
     PORT_Memset(tmp_buf, 0, sizeof(tmp_buf));
     if (rv != SECSuccess) {
         MP_TO_SEC_ERROR(err);
@@ -287,7 +294,8 @@ gcm_zeroX(gcmHashContext *ghash)
 
 #endif
 
-#ifdef GCM_USE_ALGORITHM_1
+#if 0
+/* ifdef GCM_USE_ALGORITHM_1 */
 /* use algorithm 1 of McGrew & Viega "The Galois/Counter Mode of Operation" */
 
 #define GCM_ARRAY_SIZE (MAX_BLOCK_SIZE / sizeof(unsigned long))
@@ -854,11 +862,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
     /* verify the block */
     rv = gcmHash_Update(&gcm->ghash_context, inbuf, inlen, blocksize);
     if (rv != SECSuccess) {
-        return SECFailure;
+        rv = SECFailure;
+        goto cleanup;
     }
     rv = gcm_GetTag(gcm, tag, &len, blocksize, blocksize);
     if (rv != SECSuccess) {
-        return SECFailure;
+        rv = SECFailure;
+        goto cleanup;
     }
     /* Don't decrypt if we can't authenticate the encrypted data!
      * This assumes that if tagBits is not a multiple of 8, intag will
@@ -866,10 +876,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsigned char *outbuf,
     if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
         /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
         PORT_SetError(SEC_ERROR_BAD_DATA);
-        PORT_Memset(tag, 0, sizeof(tag));
-        return SECFailure;
+        rv = SECFailure;
+        goto cleanup;
     }
+cleanup:
+    tagBytes = 0;
     PORT_Memset(tag, 0, sizeof(tag));
+    intag = NULL;
+    len = 0;
+    if (rv != SECSuccess) {
+        return rv;
+    }
+
     /* finish the decryption */
     return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout,
                       inbuf, inlen, blocksize);
diff --git a/nss/lib/freebl/mpi/mpi.c b/nss/lib/freebl/mpi/mpi.c
index f6f7543..fefcf4f 100644
--- a/nss/lib/freebl/mpi/mpi.c
+++ b/nss/lib/freebl/mpi/mpi.c
@@ -12,6 +12,10 @@
 #include <c_asm.h>
 #endif
 
+#if !MP_CRYPTO
+#error "MP_CRYPTO has to be defined to make sure data is zeroed before being freed"
+#endif
+
 #if defined(__arm__) && \
     ((defined(__thumb__) && !defined(__thumb2__)) || defined(__ARM_ARCH_3__))
 /* 16-bit thumb or ARM v3 doesn't work inlined assember version */

Places

File nss-fips-zeroization.patch of Package mozilla-nss.6625

Places