diff options
author | Robert Relyea <rrelyea@redhat.com> | 2020-03-30 15:57:00 -0700 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2020-03-30 15:57:00 -0700 |
commit | 65df257e8b610009a38ab624dad8d05d07df35d0 (patch) | |
tree | c0bc907f3fe727c39b9e79220cd117353f2fa5c9 /automation/abi-check | |
parent | 2336ecfeb4d3b57bd992564958e068059e81dcd4 (diff) | |
download | nss-hg-65df257e8b610009a38ab624dad8d05d07df35d0.tar.gz |
Bug 1561637 TLS 1.3 does not work in FIPS mode
Patch 1 of 2.
This patch updates softoken and helper functions with the new PKCS #11 v3 HKDF,
which handles all the correct key management so that we can work in FIPS mode
1) Salts can be passed in as data, as and explicit NULL (which per spec means
a zero filled buffer of length of the underlying HMAC), or through a key handle
2) A Data object can be used as a key (explicitly allowed for this mechanism by
the spec).
3) A special mechansism produces a data object rather than a key, the latter
which can be exported. Softoken does not do the optional validation on the pInfo
to verify that the requested values are supposed to be data rather than keys.
Some other tokens may.
The old hkdf mechanism has been retained for compatibility (well namely until
patch 2 is created, tls is still using it). The hkdf function has been broken
off into it's own function rather than inline in the derive function.
Note: because the base key and/or the export key could really be a data object,
our explicit handling of sensitive and extractable are adjusted to take into
account that those flags do not exist in data objects.
Differential Revision: https://phabricator.services.mozilla.com/D68940
Diffstat (limited to 'automation/abi-check')
-rw-r--r-- | automation/abi-check/expected-report-libnss3.so.txt | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/automation/abi-check/expected-report-libnss3.so.txt b/automation/abi-check/expected-report-libnss3.so.txt index 29bbc6a1c..604046200 100644 --- a/automation/abi-check/expected-report-libnss3.so.txt +++ b/automation/abi-check/expected-report-libnss3.so.txt @@ -1,7 +1,8 @@ -4 Added functions: +5 Added functions: [A] 'function SECStatus PK11_AEADOp(PK11Context*, CK_GENERATOR_FUNCTION, int, unsigned char*, int, const unsigned char*, int, unsigned char*, int*, int, unsigned char*, int, const unsigned char*, int)' {PK11_AEADOp@@NSS_3.52} [A] 'function SECStatus PK11_AEADRawOp(PK11Context*, void*, int, const unsigned char*, int, unsigned char*, int*, int, const unsigned char*, int)' {PK11_AEADRawOp@@NSS_3.52} + [A] 'function CK_OBJECT_HANDLE PK11_GetObjectHandle(PK11ObjectType, void*, PK11SlotInfo**)' {PK11_GetObjectHandle@@NSS_3.52} [A] 'function PRBool _PK11_ContextGetAEADSimulation(PK11Context*)' {_PK11_ContextGetAEADSimulation@@NSS_3.52} [A] 'function SECStatus _PK11_ContextSetAEADSimulation(PK11Context*)' {_PK11_ContextSetAEADSimulation@@NSS_3.52} |