import nss-3.79.0-10.el8_6

SOURCES/nss-3.79-fips.patch

@@ -18,7 +18,7 @@ diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
 diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
 --- a/lib/freebl/unix_urandom.c
 +++ b/lib/freebl/unix_urandom.c
-@@ -20,53 +20,80 @@ RNG_SystemInfoForRNG(void)
+@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
      if (!numBytes) {
          /* error is set */
          return;
@@ -29,17 +29,49 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
  
 +#ifdef NSS_FIPS_140_3
 +#include <sys/random.h>
++#include "prinit.h"
++
++static int rng_grndFlags= 0;
++static PRCallOnceType rng_KernelFips;
++
++static PRStatus
++rng_getKernelFips()
++{
++#ifdef LINUX
++    FILE *f;
++    char d;
++    size_t size;
++
++    f = fopen("/proc/sys/crypto/fips_enabled", "r");
++    if (!f)
++        return PR_FAILURE;
++
++    size = fread(&d, 1, 1, f);
++    fclose(f);
++    if (size != 1)
++        return PR_SUCCESS;
++    if (d != '1')
++        return PR_SUCCESS;
++    /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
++    rng_grndFlags = GRND_RANDOM;
++#endif /* LINUX */
++    return PR_SUCCESS;
++}
 +#endif
 +
  size_t
  RNG_SystemRNG(void *dest, size_t maxLen)
  {
++    size_t fileBytes = 0;
++    unsigned char *buffer = dest;
 +#ifndef NSS_FIPS_140_3
      int fd;
      int bytes;
+-    size_t fileBytes = 0;
+-    unsigned char *buffer = dest;
++#else
++    PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
 +#endif
-     size_t fileBytes = 0;
-     unsigned char *buffer = dest;
  
  #if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
      int result;
@@ -54,7 +86,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
 +         * so we need to use getrandom with GRND_RANDOM.
 +         * getrandom returns -1 on failure, otherwise returns
 +         * the number of bytes, which can be less than getBytes */
-+        result = getrandom(buffer, getBytes, GRND_RANDOM);
++        result = getrandom(buffer, getBytes, rng_grndFlags);
 +        if (result < 0) {
 +            break;
 +        }
@@ -101,7 +133,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
      while (fileBytes < maxLen) {
          bytes = read(fd, buffer, maxLen - fileBytes);
          if (bytes <= 0) {
-@@ -76,9 +103,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
+@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
          buffer += bytes;
      }
      (void)close(fd);

SOURCES/nss-3.79-rhel-8-fips-signature-policy.patch

@@ -663,10 +663,10 @@ diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
  # rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
  # compatibility reasons
  #  1 noECC  SSL3   d    disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
-++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
-++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
-++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
-++  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
++  1 noECC  SSL3   d    allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
++  0 noECC  SSL3   d    allow=rsa-min=1023 Restrict RSA keys when used in SSL
 +
  # test default settings
  # NOTE: tstclient will attempt to overide the defaults, so we detect we

SPECS/nss.spec

@@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          9%{?dist}
+Release:          10%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}%{nspr_release}
@@ -944,6 +944,11 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
+- Fix QA found failures:
+-  remove extra '+' from sslpolicy.txt file causing test error values
+-  only use GRND_RANDOM if the kernel is in FIPS mode.
+
 * Fri Aug 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
 - FIPS 140-3 changes