Resolves: RHEL-104169
- fix issues found by QE - fips changes
This commit is contained in:
parent
c7385ea4f6
commit
9c96f696b5
@ -21,8 +21,17 @@ typedef enum {
|
||||
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
|
||||
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
|
||||
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
|
||||
#ifndef NSS_DISABLE_KYBER
|
||||
SFKFIPSMLKEM, /* make sure the keys are only mlkem and not kyber */
|
||||
#endif
|
||||
} SFTKFIPSSpecialClass;
|
||||
|
||||
#ifdef NSS_DISABLE_KYBER
|
||||
/* if kyber is disable, we don't need to check that we are using
|
||||
* a kyber key in the ML_KEM code */
|
||||
#define SFTKFIPSMLKEM SFTKFIPSNone
|
||||
#endif
|
||||
|
||||
/* set according to your security policy */
|
||||
#define SFTKFIPS_PBKDF2_MIN_PW_LEN 8
|
||||
|
||||
@ -64,6 +73,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
#define CKF_KDF CKF_DERIVE
|
||||
#define CKF_HSH CKF_DIGEST
|
||||
#define CK_MAX 0xffffffffUL
|
||||
#define CK_ALL_KEY 1, CK_MAX /* key limits are handled by special ops or the
|
||||
* implementation itself */
|
||||
#define CK_ALL_STEP 1
|
||||
|
||||
/* mechanisms using the same key types share the same key type
|
||||
* limits */
|
||||
#define RSA_FB_KEY 2048, 4096 /* min, max */
|
||||
@ -87,14 +100,6 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA224_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
{ CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
|
||||
@ -110,6 +115,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
{ CKM_ECDSA_SHA512, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC },
|
||||
/* only allowed keys are implented for ML_DSA */
|
||||
{ CKM_ML_DSA_KEY_PAIR_GEN, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
{ CKM_ML_DSA, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
/* only allowed keys are implented for ML_KEM */
|
||||
{ CKM_ML_KEM_KEY_PAIR_GEN, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSMLKEM },
|
||||
{ CKM_ML_KEM, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSMLKEM },
|
||||
/* ------------------------- RC2 Operations --------------------------- */
|
||||
/* ------------------------- AES Operations --------------------------- */
|
||||
{ CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone },
|
||||
@ -172,6 +183,9 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
|
||||
{ CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSPBKDF2 },
|
||||
/* the deprecated mechanisms, don't use for some reason we are supposed
|
||||
* to set the FIPS indicators on these (sigh) */
|
||||
/* NOTE: CKM_NSS_ML_KEM_KEY_GEN and the KYBER equivalent does not do
|
||||
* pairwise consistency checks on key gen, so are not FIPS */
|
||||
{ CKM_NSS_ML_KEM, { CK_ALL_KEY, CKF_SGN }, CK_ALL_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_AES_KEY_WRAP, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ECW }, AES_FB_STEP, SFTKFIPSNone },
|
||||
{ CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 384, 384, CKF_DERIVE }, 1, SFTKFIPSTlsKeyCheck },
|
||||
|
||||
3988
nss-3.112-fips-and-fixes-el8.patch
Normal file
3988
nss-3.112-fips-and-fixes-el8.patch
Normal file
File diff suppressed because it is too large
Load Diff
12
nss.spec
12
nss.spec
@ -1,5 +1,5 @@
|
||||
%global nspr_build_version 4.35.0-1
|
||||
%global nspr_release -1
|
||||
%global nspr_build_version 4.36.0-2
|
||||
%global nspr_release -2
|
||||
%global nspr_version 4.35.0
|
||||
%global nss_version 3.112.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}%{nspr_release}
|
||||
@ -192,7 +192,7 @@ Patch92: nss-3.112-add-sec384r1-mlkem-1024.patch
|
||||
Patch93: nss-3.112-add-ml-dsa-base-el8.patch
|
||||
Patch94: nss-3.112-add-ml-dsa-gtests-el8.patch
|
||||
Patch95: nss-3.112-add-ml-dsa-ssl-support-el8.patch
|
||||
|
||||
Patch96: nss-3.112-fips-and-fixes-el8.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -994,6 +994,10 @@ update-crypto-policies --no-reload &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jul 30 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-2
|
||||
- add fips required changes.
|
||||
- fix bugs found by QE
|
||||
|
||||
* Wed Jul 16 2025 Bob Relyea <rrelyea@redhat.com> - 3.112.0-1
|
||||
- rebase to NSS 3.112
|
||||
- add ml-kem-1024 support
|
||||
|
||||
Loading…
Reference in New Issue
Block a user