Bug 1697303 NSS needs to update it's csp clearing to FIPS 180-3 standards.
FIPS 180-3 updated the standard for clearing sensitive key material in FIPS modules. I've done a complete review of the portions of NSS affected by the FIPS requirements and identified all the areas where we need to update. The report is available here: https://docs.google.com/document/d/1v9kedUiwVYYIUagyT_vQdtrktjGUrA3SFsVP-LA6vOw/edit?usp=sharing This patch does the following: - Clears the stack in gcm and ecc to deal with large stack leakages. This only happens in FIPS enabled case. The size of the stack is based on the size of the leakage, with some extra to make sure we reach down into that area. Most of the leakage happens in either auto generated code or machine dependent acceleration code. - Clears hash related data that wasn't cleared previously - Clears public key exponents that wasn't cleared previously. - Clears components that should have been cleared previously but wasn't. Usually clearing takes one of the following forms: PORT_Free(x) -> PORT_Free(x, size). This means we need to know what the size is supposed to be. In some cases we need to add code to preserve the size. PORT_Free(x.data) -> SECITEM_ZfreeItem(&x, PR_FALSE). In this case x is a SECITEM, which carries the length. PR_FALSE means clear and free the data in the item, not the item itself. The code should have had SECITEM_FreeItem before anyway. SECIEM_FreeItem(item, bool) -> SECITEM_ZfreeItem(item, bool). Simply change the normal SECITEM free call to the one that clears the item. PR_ArenaFree(arena, PR_FALSE) -> PR_ArenaFree(arena, PR_TRUE). The bool here means whether or not to clear as well as free the data in the arena. PORT_Memset(value, 0, size). This the obvious clear operation. It happens if the variable is a stack variable, or if the memory isn't cleared with one of the three clearing functions above. In addition this patch fixes the following: - moves the determination if whether or not a slot is in FIPS mode by slotID to a macro. NSS allows user defined slots to be opened. If you open a user defined slot using the FIPS slot, the resulting slots will also be FIPS slots. In areas where the semantics change based on the slot, these slots should have the FIPS semantics. Directly checking if the slot is the FIPS slot now only happens when we really mean the main FIPS slot and not just any FIPS slot. - In handling the clearing of PSS and OAEP, I identified an issue. These functions where holding a pointer to the pMechanismParams in their C_XXXXInit calls for later use in the C_XXXXUpdate/C_XXXXFinal/C_XXXX calls. The problem is applications are allowed to free their pMechanismParams once C_XXXXInit is complete. We need to make a copy of the params to use them. Differential Revision: https://phabricator.services.mozilla.com/D108223 --HG-- extra : rebase_source : 7ac6f9d40bffbaf1a45e9e0996893afe618d4fc5
Showing with 466 additions and 356 deletions