import nss-3.79.0-10.el8_6
This commit is contained in:
parent
dea9c83a5e
commit
71e16f9258
@ -18,7 +18,7 @@ diff --git a/lib/freebl/config.mk b/lib/freebl/config.mk
|
|||||||
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
||||||
--- a/lib/freebl/unix_urandom.c
|
--- a/lib/freebl/unix_urandom.c
|
||||||
+++ b/lib/freebl/unix_urandom.c
|
+++ b/lib/freebl/unix_urandom.c
|
||||||
@@ -20,53 +20,80 @@ RNG_SystemInfoForRNG(void)
|
@@ -20,53 +20,110 @@ RNG_SystemInfoForRNG(void)
|
||||||
if (!numBytes) {
|
if (!numBytes) {
|
||||||
/* error is set */
|
/* error is set */
|
||||||
return;
|
return;
|
||||||
@ -29,17 +29,49 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||||||
|
|
||||||
+#ifdef NSS_FIPS_140_3
|
+#ifdef NSS_FIPS_140_3
|
||||||
+#include <sys/random.h>
|
+#include <sys/random.h>
|
||||||
|
+#include "prinit.h"
|
||||||
|
+
|
||||||
|
+static int rng_grndFlags= 0;
|
||||||
|
+static PRCallOnceType rng_KernelFips;
|
||||||
|
+
|
||||||
|
+static PRStatus
|
||||||
|
+rng_getKernelFips()
|
||||||
|
+{
|
||||||
|
+#ifdef LINUX
|
||||||
|
+ FILE *f;
|
||||||
|
+ char d;
|
||||||
|
+ size_t size;
|
||||||
|
+
|
||||||
|
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||||
|
+ if (!f)
|
||||||
|
+ return PR_FAILURE;
|
||||||
|
+
|
||||||
|
+ size = fread(&d, 1, 1, f);
|
||||||
|
+ fclose(f);
|
||||||
|
+ if (size != 1)
|
||||||
|
+ return PR_SUCCESS;
|
||||||
|
+ if (d != '1')
|
||||||
|
+ return PR_SUCCESS;
|
||||||
|
+ /* if the kernel is in FIPS mode, set the GRND_RANDOM flag */
|
||||||
|
+ rng_grndFlags = GRND_RANDOM;
|
||||||
|
+#endif /* LINUX */
|
||||||
|
+ return PR_SUCCESS;
|
||||||
|
+}
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
size_t
|
size_t
|
||||||
RNG_SystemRNG(void *dest, size_t maxLen)
|
RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
{
|
{
|
||||||
|
+ size_t fileBytes = 0;
|
||||||
|
+ unsigned char *buffer = dest;
|
||||||
+#ifndef NSS_FIPS_140_3
|
+#ifndef NSS_FIPS_140_3
|
||||||
int fd;
|
int fd;
|
||||||
int bytes;
|
int bytes;
|
||||||
|
- size_t fileBytes = 0;
|
||||||
|
- unsigned char *buffer = dest;
|
||||||
|
+#else
|
||||||
|
+ PR_CallOnce(&rng_KernelFips, rng_getKernelFips);
|
||||||
+#endif
|
+#endif
|
||||||
size_t fileBytes = 0;
|
|
||||||
unsigned char *buffer = dest;
|
|
||||||
|
|
||||||
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
|
#if defined(__OpenBSD__) || (defined(__FreeBSD__) && __FreeBSD_version >= 1200000) || (defined(LINUX) && defined(__GLIBC__) && ((__GLIBC__ > 2) || ((__GLIBC__ == 2) && (__GLIBC_MINOR__ >= 25))))
|
||||||
int result;
|
int result;
|
||||||
@ -54,7 +86,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||||||
+ * so we need to use getrandom with GRND_RANDOM.
|
+ * so we need to use getrandom with GRND_RANDOM.
|
||||||
+ * getrandom returns -1 on failure, otherwise returns
|
+ * getrandom returns -1 on failure, otherwise returns
|
||||||
+ * the number of bytes, which can be less than getBytes */
|
+ * the number of bytes, which can be less than getBytes */
|
||||||
+ result = getrandom(buffer, getBytes, GRND_RANDOM);
|
+ result = getrandom(buffer, getBytes, rng_grndFlags);
|
||||||
+ if (result < 0) {
|
+ if (result < 0) {
|
||||||
+ break;
|
+ break;
|
||||||
+ }
|
+ }
|
||||||
@ -101,7 +133,7 @@ diff --git a/lib/freebl/unix_urandom.c b/lib/freebl/unix_urandom.c
|
|||||||
while (fileBytes < maxLen) {
|
while (fileBytes < maxLen) {
|
||||||
bytes = read(fd, buffer, maxLen - fileBytes);
|
bytes = read(fd, buffer, maxLen - fileBytes);
|
||||||
if (bytes <= 0) {
|
if (bytes <= 0) {
|
||||||
@@ -76,9 +103,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
@@ -76,9 +133,10 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
buffer += bytes;
|
buffer += bytes;
|
||||||
}
|
}
|
||||||
(void)close(fd);
|
(void)close(fd);
|
||||||
|
@ -663,10 +663,10 @@ diff -up ./tests/ssl/sslpolicy.txt.sign_policy ./tests/ssl/sslpolicy.txt
|
|||||||
# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
# rsa-pkcs, rsa-pss, and ecdsa policy checking reverted in rhel8 for binary
|
||||||
# compatibility reasons
|
# compatibility reasons
|
||||||
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
# 1 noECC SSL3 d disallow=rsa-pkcs Disallow RSA PKCS 1 Signatures Explicitly
|
||||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-verify Restrict RSA keys on signature verification
|
||||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-sign Restrict RSA keys on signing
|
||||||
++ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
+ 1 noECC SSL3 d allow=rsa-min=16384:key-size-flags=key-size-ssl Restrict RSA keys when used in SSL
|
||||||
++ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
+ 0 noECC SSL3 d allow=rsa-min=1023 Restrict RSA keys when used in SSL
|
||||||
+
|
+
|
||||||
# test default settings
|
# test default settings
|
||||||
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
# NOTE: tstclient will attempt to overide the defaults, so we detect we
|
||||||
|
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||||
@ -944,6 +944,11 @@ update-crypto-policies --no-reload &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
|
||||||
|
- Fix QA found failures:
|
||||||
|
- remove extra '+' from sslpolicy.txt file causing test error values
|
||||||
|
- only use GRND_RANDOM if the kernel is in FIPS mode.
|
||||||
|
|
||||||
* Fri Aug 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
|
* Fri Aug 5 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
|
||||||
- FIPS 140-3 changes
|
- FIPS 140-3 changes
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user