• Robert Relyea's avatar
    Bug 1546229 Add IPSEC IKE support to softoken. · ecde5131
    Robert Relyea authored
    Differential Revision: https://phabricator.services.mozilla.com/D28519
    
    Patch notes:
    
    cmd/fipstest:
    
      Update fipstest to allow using old CAVS vectors in our all.sh. The various scripts have been moved to tests/fips/cavs_scripts. IKE functions were added to fipstest, and fipstest was updated to support verifying the output of ecdh and dh key agreement tests (kas).
    fipstest.c:
      NOTE: fipstest is the program NSS uses to process CAVS vectors from NIST. For historical reasons, it has known memory management issues. In general if there is a mistake, fipstest will likely crash. It has very little error checking. It has a very simplistic parser for the CAVS files. It requires the elements of the CAVS files to be in the correct order (most notably it requires the last element to always be in the last position. This is true of all the tests in fipstest, not just the new code.
      1. when verifying ec_dh and dh, accept both CAVSHashZZ and HashZZ as the input hash. This allows verify not only to verify NIST CAVS vectors, but also the output of ec_dh and dh functional tests.
      2. create ike functions modelled after the tls test functions. We test ike at the pkcs #11 level. There are three ike tests (driven by the three types of ike tests that NIST supplies):
          2.1) ikev1. This generates the ike v1 keys from the provided input. It used ike_prf to generate SKEYID and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
          2.2) ikev1_psk. This generates ike v1 keys from the provided input. It uses a pre-shared-secret-key. It also
    
    used ike_prf to generate SKEYID (though it uses it with bDataAsKey=false), and ikev1_prf to generate SKEYID_d, SKEYID_a, and SKEYID_e.
    
        2.3) ikev2. This generates ike v2 keys from the provided input. It uses ike_prf to generate SKEYSEED and ike_prf_plus to generate the key material. It also does a rekey using ike_prf and bRekey = true.
    3. Add parameters so the tls can be called.
    
    lib/softoken
    
      This is the main location where the new functionality is provided.
    fipstest.c
      Add the power up self test for ike. The actual test lives in sftkike.c.
    manifest.mn
      Add sftkike.c to the build.
    pkcs11.c
      Add AES XCBC MAC and IKE Mechanisms to the softoken mechanism table.
    pkcs11c.c
      sftk_MapCryptError() is now a 'global' within softoken and lives in pkcs11u.c. This was done so that sftkike.c can use it.
      sftk_InitCBCMac(). Update to handle AES XCBC., which is AES CBC MAC except 1) the underlying AES key is derived from the input key, and 2) the pad block is obscured using 2 new keys (k2, k3) also derived from the input key.
      sftk_MACFinal() handle the special pad processing for the XCBC case.
      sftk_MACUpdate() change the padding code to keep one full pad in the buffer. This won't affect normal MACs, but means that the last block in the Mac is always in the buffer so it can be processed in the XCBC case.
      NSC_DerviceKey() add the ike functions into the mechanism swtich table. The actual implementations are in sftkike.c
    pkcs11i.h
       Add the XCBC state information into the SessionContext structure.
       sftk_MapCryptError is now global, include it in the header.
       include the ike and aes_xcbc helper functions.
    pkcs11u.c
       sftk_MapCryptError() now lives in pkcs11 utilities.
    sftkike.c
       prf_* functions implement all the underlying prf specific stuff. It hides whether the prf is an hmac or aes_xcbc. If there are additional prfs, they can be implemented here without affecting the rest of the derivation code. The AES_XCBC code is aes specific. If we ever add another XCBC type operation, we would probably want to initialize some encryption functions in prf_setup and only handle the difference between hmac and xcbc in the other prf functions.
       sftk_aes_xcbc_get_keys - takes in input key and derives k1, k2, and k3. This function handles this derivation for both the prf_ functions in sftkike and the exported AES_XCBC Mac in pkcs11c.c
       sftk_xcbc_mac_pad - function to handle the correct padding method for the last block of an xcbc operation. Unlike sftk_aes_xcbc_get_keys, it is independent of the xcbc's underlying encryption method, though only AES_XCBC is defined at this time.
       sftk_ike_prf - common prf between ikev1 and ikev2 to generate SKEYID/SKEYSEED. See comments in code.
       sftk_ike1_prf - ikev1 prf to generate the session keys in ikev1 from SKEYID. See comments in code.
       sftk_ike_prf_plus - ike prf+ to generate the session keys in ikev2 from SKEYSEED. See comments in code.
       sftk_aes_xcbc_new_keys - used in pkcs11c.c to generate the 2 derived keys used in aes_xcbc. Loads k1 into the pkcs11 slot as a session key.
       prf_test - helper function to test our known test vectors for our FIPS powerup self tests.
       sftk_fips_IKE_PowerUpSelfTests - test to make sure our basic system is working correctly.
    softokn.gyp - add sftkike.c to gyp
    
    lib/util
    
    pkcs11n.h
       add defines and structures for IKE. Since they are not yet an official PKCS #11 mechanism, use CKM_NSS and CK_NSS names for them.
    pkcs11t.h
       add CKM_AES_XCBC* mechanisms. These are defined in the latest PKCS #11 spec.
    
    tests/fips
    
    The work in this directory hooks up the CAVS tests we run to do fips validation into our normal test suite. This lets us use the NIST generated samples for
    cavs_samples/* These are all vectors generated by the NIST CAVS tools (*.req) or the expected results generated by the last openssl or NSS runs and verified by the NIST CAVS tools (*.fax). These are the inputs to our fipstest. No need to detail review these. The are not explicitly included in this patch because they are too big for phabricator to handle.
    cavs_scripts/* See the read me in that directory. These scripts were originally in cmd/fipstest. I added ike.sh, and I updated the verify target of all the scripts so they they return 0 on success and 1 on failure. This allows us to use the tests in fips.sh
    fips.sh run the CAVS tests as part of the fips tests. This works to test our IKE support. Three of the cavs tests can take significant type (dsa and rsa takes several minutes, tdea is just over a minute). The code currently skips running those tests. You can run all the cavs tests by setting CAV_VECTORS=all
    
    --HG--
    branch : NSS_3_44_BRANCH
    ecde5131
Name
Last commit
Last update
..
html Loading commit data...
nroff Loading commit data...
.hgignore Loading commit data...
Makefile Loading commit data...
README Loading commit data...
certutil.xml Loading commit data...
cmsutil.xml Loading commit data...
crlutil.xml Loading commit data...
derdump.xml Loading commit data...
modutil.xml Loading commit data...
nss-policy-check.xml Loading commit data...
pk12util.xml Loading commit data...
pp.xml Loading commit data...
signtool.xml Loading commit data...
signver.xml Loading commit data...
ssltap.xml Loading commit data...
vfychain.xml Loading commit data...
vfyserv.xml Loading commit data...