rpms/nss
5
0
Fork 0
Code Issues Pull Requests Releases Activity

import UBI nss-3.101.0-11.el8_8

Browse Source
This commit is contained in:
eabdullin 2024-12-19 19:10:37 +00:00
parent 8818c178b0
commit ebdfa6e8e7
6 changed files with 92 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
SOURCES/fips_algorithms.h
View File

@ -20,6 +20,7 @@ typedef enum {
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
} SFTKFIPSSpecialClass; } SFTKFIPSSpecialClass;
/* set according to your security policy */ /* set according to your security policy */
@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
#define AES_FB_KEY 128, 256 #define AES_FB_KEY 128, 256
#define AES_FB_STEP 64 #define AES_FB_STEP 64
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
/* -------------- RSA Multipart Signing Operations -------------------- */ /* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

20
SOURCES/nss-3.101-allow-fips-rsa-oaep.patch Normal file
View File

@ -0,0 +1,20 @@
diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
+++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
}
return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
+ case SFTKFIPSRSAOAEP:;
+ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
+ mech->pParameter;
+
+ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
+ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
+ /* message hash and mask generation function must be the same */
+ if (hash_pad != hash_msg) return PR_FALSE;
+
+ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
default:
break;
}

12
SOURCES/nss-3.101-fips-check-ec25519-size.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
+++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
* key length is CKA_VALUE, which is the default */
keyType = CKK_INVALID_KEY_TYPE;
}
- if (keyType == CKK_EC) {
+ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
SECOidTag curve = sftk_quickGetECCCurveOid(source);
switch (curve) {
case SEC_OID_CURVE25519:

12
SOURCES/nss-3.101-fix-shlibsign-fips.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700
+++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700
@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
} else {
/* NON FIPS mode == C_GetFunctionList */
pC_GetFunctionList = (CK_C_GetFunctionList)
- PR_FindFunctionSymbol(lib, "C_GetFunctionList");
+ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
}
assert(pC_GetFunctionList != NULL);
if (!pC_GetFunctionList) {

29
SOURCES/nss-3.90-ppc_no_init.patch
View File

@ -34,3 +34,32 @@ diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile
####################################################################### #######################################################################
diff -up ./lib/softoken/legacydb/Makefile.ppc_no_init ./lib/softoken/legacydb/Makefile
--- ./lib/softoken/legacydb/Makefile.ppc_no_init 2024-11-12 11:51:16.535343581 +0100
+++ ./lib/softoken/legacydb/Makefile 2024-11-12 12:09:58.968187800 +0100
@@ -23,16 +23,17 @@ include $(CORE_DEPTH)/coreconf/config.mk
ifdef NSS_NO_INIT_SUPPORT
DEFINES += -DNSS_NO_INIT_SUPPORT
endif
-ifeq ($(OS_TARGET),Linux)
-ifeq ($(CPU_ARCH),ppc)
-ifdef USE_64
- DEFINES += -DNSS_NO_INIT_SUPPORT
-endif # USE_64
-endif # ppc
-else # !Linux
+#ifeq ($(OS_TARGET),Linux)
+#ifeq ($(CPU_ARCH),ppc)
+#ifdef USE_64
+# DEFINES += -DNSS_NO_INIT_SUPPORT
+#endif # USE_64
+#endif # ppc
+#else # !Linux
+ifneq ($(OS_TARGET),Linux)
# turn off no init support everywhere for now
DEFINES += -DNSS_NO_INIT_SUPPORT
-endif # Linux
+endif # !Linux
#######################################################################
# (4) Include "local" platform-dependent assignments (OPTIONAL). #

18
SPECS/nss.spec
View File

@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16))
Summary: Network Security Services Summary: Network Security Services
Name: nss Name: nss
Version: %{nss_version} Version: %{nss_version}
Release: 7%{?dist} Release: 11%{?dist}
License: MPLv2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}%{nspr_release} Requires: nspr >= %{nspr_version}%{nspr_release}
@ -201,6 +201,9 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100 # https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch Patch86: nss-3.101-long-pwd-fix.patch
Patch87: nss-3.101-fix-shlibsign-fips.patch
Patch88: nss-3.101-fips-check-ec25519-size.patch
Patch89: nss-3.101-allow-fips-rsa-oaep.patch
#revert patches #revert patches
Patch300: nss-3.101-default-libpkix.patch Patch300: nss-3.101-default-libpkix.patch
@ -999,6 +1002,19 @@ update-crypto-policies --no-reload &> /dev/null || :
%changelog %changelog
* Tue Nov 12 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-11
- don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-10
- Allow RSA-OAEP in FIPS mode
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
- Add SEC_OID_CURVE25519 to FIPS checks.
- This will mark algorithm using it as FIPS unapproved.
* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
- fix shlibsign to work when the system is in FIPS mode.
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7 * Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage - fix cms abi breakage
- fix long password issue on pbmac encodings - fix long password issue on pbmac encodings