import nss-3.79.0-10.el8_6
This commit is contained in:
parent
dea9c83a5e
commit
71e16f9258
|
@ -18,7 +18,7 @@ diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
|
|||
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
||||
--- a/lib/freebl/unix_urandom.c
|
||||
+++ b/lib/freebl/unix_urandom.c
|
||||
@@ -20,53 +20,80 @@ RNG_SystemInfoForRNG(void)
|
||||
@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
|
||||
if (!numBytes) {
|
||||
/* error is set */
|
||||
return;
|
||||
|
@ -29,17 +29,49 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||
|
||||
+#ifdef NSS_FIPS_140_3
|
||||
+#include <sys/random.h>
|
||||
+#include "prinit.h"
|
||||
+
|
||||
+static int rng_grndFlags= 0;
|
||||
+static PRCallOnceType rng_KernelFips;
|
||||
+
|
||||
+static PRStatus
|
||||
+rng_getKernelFips()
|
||||
+{
|
||||
+#ifdef LINUX
|
||||
+ FILE *f;
|
||||
+ char d;
|
||||
+ size_t size;
|
||||
+
|
||||
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||
+ if (!f)
|
||||
+ return PR_FAILURE;
|
||||
+
|
||||
+ size = fread(&d, 1, 1, f);
|
||||
+ fclose(f);
|
||||
+ if (size != 1)
|
||||
+ return PR_SUCCESS;
|
||||
+ if (d != '1')
|
||||
+ return PR_SUCCESS;
|
||||
+ /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
|
||||
+ rng_grndFlags = GRND_RANDOM;
|
||||
+#endif /* LINUX */
|
||||
+ return PR_SUCCESS;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
size_t
|
||||
RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
{
|
||||
+ size_t fileBytes = 0;
|
||||
+ unsigned char *buffer = dest;
|
||||
+#ifndef NSS_FIPS_140_3
|
||||
int fd;
|
||||
int bytes;
|
||||
- size_t fileBytes = 0;
|
||||
- unsigned char *buffer = dest;
|
||||
+#else
|
||||
+ PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
|
||||
+#endif
|
||||
size_t fileBytes = 0;
|
||||
unsigned char *buffer = dest;
|
||||
|
||||
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
|
||||
int result;
|
||||
|
@ -54,7 +86,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||
+ * so we need to use getrandom with GRND_RANDOM.
|
||||
+ * getrandom returns -1 on failure, otherwise returns
|
||||
+ * the number of bytes, which can be less than getBytes */
|
||||
+ result = getrandom(buffer, getBytes, GRND_RANDOM);
|
||||
+ result = getrandom(buffer, getBytes, rng_grndFlags);
|
||||
+ if (result < 0) {
|
||||
+ break;
|
||||
+ }
|
||||
|
@ -101,7 +133,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||
while (fileBytes < maxLen) {
|
||||
bytes = read(fd, buffer, maxLen - fileBytes);
|
||||
if (bytes <= 0) {
|
||||
@@ -76,9 +103,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||
buffer += bytes;
|
||||
}
|
||||
(void)close(fd);
|
||||
|
|
|
@ -663,10 +663,10 @@ diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
|
|||
# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||
# compatibility reasons
|
||||
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||
++ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||
+
|
||||
# test default settings
|
||||
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
||||
|
|
|
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
|||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
|
@ -944,6 +944,11 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
|
||||
- Fix QA found failures:
|
||||
- remove extra '+' from sslpolicy.txt file causing test error values
|
||||
- only use GRND_RANDOM if the kernel is in FIPS mode.
|
||||
|
||||
* Fri Aug 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
|
||||
- FIPS 140-3 changes
|
||||
|
||||
|
|
Loading…
Reference in New Issue