Resolves: RHEL-103370
- fix issues found by QE - fips changes
This commit is contained in:
parent
af5bf173e1
commit
9a73b38b2d
@ -21,8 +21,17 @@ typedef enum {
|
||||
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
|
||||
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
|
||||
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
|
||||
#ifndef NSS_DISABLE_KYBER
|
||||
SFKFIPSMLKEM, /* make sure the keys are only mlkem and not kyber */
|
||||
#endif
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
#ifdef NSS_DISABLE_KYBER
|
||||
/* if kyber is disable, we don't need to check that we are using
|
||||
* a kyber key in the ML_KEM code */
|
||||
#define SFTKFIPSMLKEM SFTKFIPSNone
|
||||
#endif
|
||||
|
||||
/* set according to your security policy */
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8
|
||||
|
||||
@ -64,6 +73,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
#define CKF_KDF CKF_DERIVE
|
||||
#define CKF_HSH CKF_DIGEST
|
||||
#define CK_MAX 0xffffffffUL
|
||||
#define CK_ALL_KEY 1, CK_MAX /* key limits are handled by special ops or the
|
||||
* implementation itself */
|
||||
#define CK_ALL_STEP 1
|
||||
|
||||
/* mechanisms using the same key types share the same key type
|
||||
* limits */
|
||||
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
||||
@ -87,14 +100,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
@ -110,6 +115,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
/* only allowed keys are implented for ML_DSA */
|
||||
{ CKM_ML_DSA_KEY_PAIR_GEN, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
{ CKM_ML_DSA, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
/* only allowed keys are implented for ML_KEM */
|
||||
{ CKM_ML_KEM_KEY_PAIR_GEN, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSMLKEM },
|
||||
{ CKM_ML_KEM, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSMLKEM },
|
||||
/* ------------------------- RC2 Operations --------------------------- */
|
||||
/* ------------------------- AES Operations --------------------------- */
|
||||
{ CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
@ -172,6 +183,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
|
||||
/* the deprecated mechanisms, don't use for some reason we are supposed
|
||||
* to set the FIPS indicators on these (sigh) */
|
||||
/* NOTE: CKM_NSS_ML_KEM_KEY_GEN and the KYBER equivalent does not do
|
||||
* pairwise consistency checks on key gen, so are not FIPS */
|
||||
{ CKM_NSS_ML_KEM, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
|
||||
|
||||
4069
nss-3.112-fips-and-fixes.patch
Normal file
4069
nss-3.112-fips-and-fixes.patch
Normal file
File diff suppressed because it is too large
Load Diff
7
nss.spec
7
nss.spec
@ -1,6 +1,6 @@
|
||||
%global nss_version 3.112.0
|
||||
%global nspr_version 4.36.0
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
%global nss_release %baserelease
|
||||
# NOTE: To avoid NVR clashes of nspr* packages:
|
||||
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
|
||||
@ -187,6 +187,7 @@ Patch92: nss-3.112-add-sec384r1-mlkem-1024.patch
|
||||
Patch93: nss-3.112-add-ml-dsa-base-dsa.patch
|
||||
Patch94: nss-3.112-add-ml-dsa-gtests-dsa.patch
|
||||
Patch95: nss-3.112-add-ml-dsa-ssl-support-dsa.patch
|
||||
Patch96: nss-3.112-fips-and-fixes.patch
|
||||
|
||||
Patch100: nspr-config-pc.patch
|
||||
Patch101: nspr-gcc-atomics.patch
|
||||
@ -1193,6 +1194,10 @@ update-crypto-policies &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2
|
||||
- add fips required changes.
|
||||
- fix bugs found by QE
|
||||
|
||||
* Mon Jul 14 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-1
|
||||
- rebase to NSS 3.112
|
||||
- add ml-kem-1024 support
|
||||
|
||||
Loading…
Reference in New Issue
Block a user