commit 09a54cbc271b82f4fd21a0faf499f434ee97c775 Author: Adrian Schröter Date: Thu Dec 21 13:40:03 2023 +0100 Sync from SUSE:ALP:Source:Standard:1.0 mozilla-nss revision 3c88f4bb2768de62f2fb7a1eede19aab
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/_constraints b/_constraints
new file mode 100644
index 0000000..5bb4308
--- /dev/null
+++ b/_constraints
@@ -0,0 +1,11 @@
+ + + + + 5 + + + 6 + + +
diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch
new file mode 100644
index 0000000..5b0ebd2
--- /dev/null
+++ b/add-relro-linker-option.patch
@@ -0,0 +1,17 @@
+Index: nss/coreconf/Linux.mk
+===================================================================
+--- nss.orig/coreconf/Linux.mk
++++ nss/coreconf/Linux.mk
+@@ -184,6 +184,12 @@ endif
+ endif
+ endif
++
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+ 
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..fa5768f
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,18 @@
+mozilla-nss
+ requires "mozilla-nspr- >= 4.35"
+ requires "libfreebl3-"
+ requires "libsoftokn3-"
+ requires "libnssckbi.so"
+libsoftokn3
+ requires "libfreebl3- = "
+ provides "libsoftokn3-hmac- = -%release"
+ obsoletes "libsoftokn3-hmac- < -%release"
+ +/usr/lib/libsoftokn3.chk
+ +/usr/lib/libnssdbm3.chk
+libfreebl3
+ provides "libfreebl3-hmac- = -%release"
+ obsoletes "libfreebl3-hmac- < -%release"
+ +/lib/libfreebl3.chk
+ +/lib/libfreeblpriv3.chk
+mozilla-nss-sysinit
+mozilla-nss-certs
diff --git a/bmo-1400603.patch b/bmo-1400603.patch
new file mode 100644
index 0000000..37d0e7c
--- /dev/null
+++ b/bmo-1400603.patch
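Review bot: The `-Wl,-z,relro` added to `DSO_LDOPTS` and `LDFLAGS` gives only partial RELRO: the GOT stays writable until lazy binding resolves each symbol, so the GOT-overwrite primitive this flag is meant to remove remains available in a library that carries the crypto code. Full RELRO needs `-Wl,-z,relro -Wl,-z,now` on both variables; the cost is eager symbol resolution at load time, which is small for libraries of this size. The `ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))` guard is a lexical sort, so it holds for 3.x–6.x kernels but would silently drop the hardening for any release string that sorts below `2.6`; a comment such as `# OS_RELEASE >= 2.6 (lexical compare; revisit if the major version reaches two digits)` would make the intent and its limit explicit. The surrounding Linux.mk block continues outside the hunk.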
@@ -0,0 +1,337 @@ +From b2f3a6407d2d6ec89522410d7ac4c56d310c92b1 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Mon, 18 Sep 2017 11:24:00 +0200 +Subject: [PATCH] freebl: Reorganize AES-GCM source code based on hw/sw + implementation + +diff --git a/lib/freebl/gcm-hw.c b/lib/freebl/gcm-hw.c +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/gcm-hw.c +@@ -0,0 +1,151 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#ifdef FREEBL_NO_DEPEND ++#include "stubs.h" ++#endif ++#include "gcm.h" ++#include "secerr.h" ++ ++#ifdef NSS_X86_OR_X64 ++#include /* clmul */ ++#endif ++ ++#define WRITE64(x, bytes) \ ++ (bytes)[0] = (x) >> 56; \ ++ (bytes)[1] = (x) >> 48; \ ++ (bytes)[2] = (x) >> 40; \ ++ (bytes)[3] = (x) >> 32; \ ++ (bytes)[4] = (x) >> 24; \ ++ (bytes)[5] = (x) >> 16; \ ++ (bytes)[6] = (x) >> 8; \ ++ (bytes)[7] = (x); ++ ++SECStatus ++gcm_HashWrite_hw(gcmHashContext *ghash, unsigned char *outbuf, ++ unsigned int maxout) ++{ ++#ifdef NSS_X86_OR_X64 ++ uint64_t tmp_out[2]; ++ _mm_storeu_si128((__m128i *)tmp_out, ghash->x); ++ PORT_Assert(maxout >= 16); ++ WRITE64(tmp_out[0], outbuf + 8); ++ WRITE64(tmp_out[1], outbuf); ++ return SECSuccess; ++#else ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++#endif /* NSS_X86_OR_X64 */ ++} ++ ++SECStatus ++gcm_HashMult_hw(gcmHashContext *ghash, const unsigned char *buf, ++ unsigned int count) ++{ ++#ifdef NSS_X86_OR_X64 ++ size_t i; ++ pre_align __m128i z_high post_align; ++ pre_align __m128i z_low post_align; ++ pre_align __m128i C post_align; ++ pre_align __m128i D post_align; ++ pre_align __m128i E post_align; ++ pre_align __m128i F post_align; ++ pre_align __m128i bin post_align; ++ pre_align __m128i Ci post_align; ++ pre_align __m128i tmp post_align; ++ ++ for (i = 0; i < count; i++, buf += 16) { ++ bin = 
_mm_set_epi16(((uint16_t)buf[0] << 8) | buf[1], ++ ((uint16_t)buf[2] << 8) | buf[3], ++ ((uint16_t)buf[4] << 8) | buf[5], ++ ((uint16_t)buf[6] << 8) | buf[7], ++ ((uint16_t)buf[8] << 8) | buf[9], ++ ((uint16_t)buf[10] << 8) | buf[11], ++ ((uint16_t)buf[12] << 8) | buf[13], ++ ((uint16_t)buf[14] << 8) | buf[15]); ++ Ci = _mm_xor_si128(bin, ghash->x); ++ ++ /* Do binary mult ghash->X = Ci * ghash->H. */ ++ C = _mm_clmulepi64_si128(Ci, ghash->h, 0x00); ++ D = _mm_clmulepi64_si128(Ci, ghash->h, 0x11); ++ E = _mm_clmulepi64_si128(Ci, ghash->h, 0x01); ++ F = _mm_clmulepi64_si128(Ci, ghash->h, 0x10); ++ tmp = _mm_xor_si128(E, F); ++ z_high = _mm_xor_si128(tmp, _mm_slli_si128(D, 8)); ++ z_high = _mm_unpackhi_epi64(z_high, D); ++ z_low = _mm_xor_si128(_mm_slli_si128(tmp, 8), C); ++ z_low = _mm_unpackhi_epi64(_mm_slli_si128(C, 8), z_low); ++ ++ /* Shift one to the left (multiply by x) as gcm spec is stupid. */ ++ C = _mm_slli_si128(z_low, 8); ++ E = _mm_srli_epi64(C, 63); ++ D = _mm_slli_si128(z_high, 8); ++ F = _mm_srli_epi64(D, 63); ++ /* Carry over */ ++ C = _mm_srli_si128(z_low, 8); ++ D = _mm_srli_epi64(C, 63); ++ z_low = _mm_or_si128(_mm_slli_epi64(z_low, 1), E); ++ z_high = _mm_or_si128(_mm_or_si128(_mm_slli_epi64(z_high, 1), F), D); ++ ++ /* Reduce */ ++ C = _mm_slli_si128(z_low, 8); ++ /* D = z_low << 127 */ ++ D = _mm_slli_epi64(C, 63); ++ /* E = z_low << 126 */ ++ E = _mm_slli_epi64(C, 62); ++ /* F = z_low << 121 */ ++ F = _mm_slli_epi64(C, 57); ++ /* z_low ^= (z_low << 127) ^ (z_low << 126) ^ (z_low << 121); */ ++ z_low = _mm_xor_si128(_mm_xor_si128(_mm_xor_si128(z_low, D), E), F); ++ C = _mm_srli_si128(z_low, 8); ++ /* D = z_low >> 1 */ ++ D = _mm_slli_epi64(C, 63); ++ D = _mm_or_si128(_mm_srli_epi64(z_low, 1), D); ++ /* E = z_low >> 2 */ ++ E = _mm_slli_epi64(C, 62); ++ E = _mm_or_si128(_mm_srli_epi64(z_low, 2), E); ++ /* F = z_low >> 7 */ ++ F = _mm_slli_epi64(C, 57); ++ F = _mm_or_si128(_mm_srli_epi64(z_low, 7), F); ++ /* ghash->x ^= z_low ^ (z_low >> 1) ^ 
(z_low >> 2) ^ (z_low >> 7); */ ++ ghash->x = _mm_xor_si128(_mm_xor_si128( ++ _mm_xor_si128(_mm_xor_si128(z_high, z_low), D), E), ++ F); ++ } ++ return SECSuccess; ++#else ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++#endif /* NSS_X86_OR_X64 */ ++} ++ ++SECStatus ++gcm_HashInit_hw(gcmHashContext *ghash) ++{ ++#ifdef NSS_X86_OR_X64 ++ ghash->ghash_mul = gcm_HashMult_hw; ++ ghash->x = _mm_setzero_si128(); ++ /* MSVC requires __m64 to load epi64. */ ++ ghash->h = _mm_set_epi32(ghash->h_high >> 32, (uint32_t)ghash->h_high, ++ ghash->h_low >> 32, (uint32_t)ghash->h_low); ++ ghash->hw = PR_TRUE; ++ return SECSuccess; ++#else ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++#endif /* NSS_X86_OR_X64 */ ++} ++ ++SECStatus ++gcm_HashZeroX_hw(gcmHashContext *ghash) ++{ ++#ifdef NSS_X86_OR_X64 ++ ghash->x = _mm_setzero_si128(); ++ return SECSuccess; ++#else ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++#endif /* NSS_X86_OR_X64 */ ++} ++ +diff --git a/lib/freebl/rijndael-hw.c b/lib/freebl/rijndael-hw.c +new file mode 100644 +--- /dev/null ++++ b/lib/freebl/rijndael-hw.c +@@ -0,0 +1,170 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
*/ ++ ++#ifdef FREEBL_NO_DEPEND ++#include "stubs.h" ++#endif ++#include "rijndael.h" ++#include "secerr.h" ++ ++#ifdef NSS_X86_OR_X64 ++#include /* aes-ni */ ++#endif ++ ++#if defined(NSS_X86_OR_X64) ++#define EXPAND_KEY128(k, rcon, res) \ ++ tmp_key = _mm_aeskeygenassist_si128(k, rcon); \ ++ tmp_key = _mm_shuffle_epi32(tmp_key, 0xFF); \ ++ tmp = _mm_xor_si128(k, _mm_slli_si128(k, 4)); \ ++ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \ ++ tmp = _mm_xor_si128(tmp, _mm_slli_si128(tmp, 4)); \ ++ res = _mm_xor_si128(tmp, tmp_key) ++ ++static void ++native_key_expansion128(AESContext *cx, const unsigned char *key) ++{ ++ __m128i *keySchedule = cx->keySchedule; ++ pre_align __m128i tmp_key post_align; ++ pre_align __m128i tmp post_align; ++ keySchedule[0] = _mm_loadu_si128((__m128i *)key); ++ EXPAND_KEY128(keySchedule[0], 0x01, keySchedule[1]); ++ EXPAND_KEY128(keySchedule[1], 0x02, keySchedule[2]); ++ EXPAND_KEY128(keySchedule[2], 0x04, keySchedule[3]); ++ EXPAND_KEY128(keySchedule[3], 0x08, keySchedule[4]); ++ EXPAND_KEY128(keySchedule[4], 0x10, keySchedule[5]); ++ EXPAND_KEY128(keySchedule[5], 0x20, keySchedule[6]); ++ EXPAND_KEY128(keySchedule[6], 0x40, keySchedule[7]); ++ EXPAND_KEY128(keySchedule[7], 0x80, keySchedule[8]); ++ EXPAND_KEY128(keySchedule[8], 0x1B, keySchedule[9]); ++ EXPAND_KEY128(keySchedule[9], 0x36, keySchedule[10]); ++} ++ ++#define EXPAND_KEY192_PART1(res, k0, kt, rcon) \ ++ tmp2 = _mm_slli_si128(k0, 4); \ ++ tmp1 = _mm_xor_si128(k0, tmp2); \ ++ tmp2 = _mm_slli_si128(tmp2, 4); \ ++ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \ ++ tmp2 = _mm_aeskeygenassist_si128(kt, rcon); \ ++ res = _mm_xor_si128(tmp1, _mm_shuffle_epi32(tmp2, 0x55)) ++ ++#define EXPAND_KEY192_PART2(res, k1, k2) \ ++ tmp2 = _mm_xor_si128(k1, _mm_slli_si128(k1, 4)); \ ++ res = _mm_xor_si128(tmp2, _mm_shuffle_epi32(k2, 0xFF)) ++ ++#define EXPAND_KEY192(k0, res1, res2, res3, carry, rcon1, rcon2) \ ++ EXPAND_KEY192_PART1(tmp3, k0, res1, rcon1); \ 
++ EXPAND_KEY192_PART2(carry, res1, tmp3); \ ++ res1 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(res1), \ ++ _mm_castsi128_pd(tmp3), 0)); \ ++ res2 = _mm_castpd_si128(_mm_shuffle_pd(_mm_castsi128_pd(tmp3), \ ++ _mm_castsi128_pd(carry), 1)); \ ++ EXPAND_KEY192_PART1(res3, tmp3, carry, rcon2) ++ ++static void ++native_key_expansion192(AESContext *cx, const unsigned char *key) ++{ ++ __m128i *keySchedule = cx->keySchedule; ++ pre_align __m128i tmp1 post_align; ++ pre_align __m128i tmp2 post_align; ++ pre_align __m128i tmp3 post_align; ++ pre_align __m128i carry post_align; ++ keySchedule[0] = _mm_loadu_si128((__m128i *)key); ++ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16)); ++ EXPAND_KEY192(keySchedule[0], keySchedule[1], keySchedule[2], ++ keySchedule[3], carry, 0x1, 0x2); ++ EXPAND_KEY192_PART2(keySchedule[4], carry, keySchedule[3]); ++ EXPAND_KEY192(keySchedule[3], keySchedule[4], keySchedule[5], ++ keySchedule[6], carry, 0x4, 0x8); ++ EXPAND_KEY192_PART2(keySchedule[7], carry, keySchedule[6]); ++ EXPAND_KEY192(keySchedule[6], keySchedule[7], keySchedule[8], ++ keySchedule[9], carry, 0x10, 0x20); ++ EXPAND_KEY192_PART2(keySchedule[10], carry, keySchedule[9]); ++ EXPAND_KEY192(keySchedule[9], keySchedule[10], keySchedule[11], ++ keySchedule[12], carry, 0x40, 0x80); ++} ++ ++#define EXPAND_KEY256_PART(res, rconx, k1x, k2x, X) \ ++ tmp_key = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(k2x, rconx), X); \ ++ tmp2 = _mm_slli_si128(k1x, 4); \ ++ tmp1 = _mm_xor_si128(k1x, tmp2); \ ++ tmp2 = _mm_slli_si128(tmp2, 4); \ ++ tmp1 = _mm_xor_si128(_mm_xor_si128(tmp1, tmp2), _mm_slli_si128(tmp2, 4)); \ ++ res = _mm_xor_si128(tmp1, tmp_key); ++ ++#define EXPAND_KEY256(res1, res2, k1, k2, rcon) \ ++ EXPAND_KEY256_PART(res1, rcon, k1, k2, 0xFF); \ ++ EXPAND_KEY256_PART(res2, 0x00, k2, res1, 0xAA) ++ ++static void ++native_key_expansion256(AESContext *cx, const unsigned char *key) ++{ ++ __m128i *keySchedule = cx->keySchedule; ++ pre_align __m128i tmp_key post_align; 
++ pre_align __m128i tmp1 post_align; ++ pre_align __m128i tmp2 post_align; ++ keySchedule[0] = _mm_loadu_si128((__m128i *)key); ++ keySchedule[1] = _mm_loadu_si128((__m128i *)(key + 16)); ++ EXPAND_KEY256(keySchedule[2], keySchedule[3], keySchedule[0], ++ keySchedule[1], 0x01); ++ EXPAND_KEY256(keySchedule[4], keySchedule[5], keySchedule[2], ++ keySchedule[3], 0x02); ++ EXPAND_KEY256(keySchedule[6], keySchedule[7], keySchedule[4], ++ keySchedule[5], 0x04); ++ EXPAND_KEY256(keySchedule[8], keySchedule[9], keySchedule[6], ++ keySchedule[7], 0x08); ++ EXPAND_KEY256(keySchedule[10], keySchedule[11], keySchedule[8], ++ keySchedule[9], 0x10); ++ EXPAND_KEY256(keySchedule[12], keySchedule[13], keySchedule[10], ++ keySchedule[11], 0x20); ++ EXPAND_KEY256_PART(keySchedule[14], 0x40, keySchedule[12], ++ keySchedule[13], 0xFF); ++} ++ ++#endif /* NSS_X86_OR_X64 */ ++ ++/* ++ * AES key expansion using aes-ni instructions. ++ */ ++void ++rijndael_native_key_expansion(AESContext *cx, const unsigned char *key, ++ unsigned int Nk) ++{ ++#ifdef NSS_X86_OR_X64 ++ switch (Nk) { ++ case 4: ++ native_key_expansion128(cx, key); ++ return; ++ case 6: ++ native_key_expansion192(cx, key); ++ return; ++ case 8: ++ native_key_expansion256(cx, key); ++ return; ++ default: ++ /* This shouldn't happen. */ ++ PORT_Assert(0); ++ } ++#else ++ PORT_Assert(0); ++#endif /* NSS_X86_OR_X64 */ ++} ++ ++void ++rijndael_native_encryptBlock(AESContext *cx, ++ unsigned char *output, ++ const unsigned char *input) ++{ ++#ifdef NSS_X86_OR_X64 ++ int i; ++ pre_align __m128i m post_align = _mm_loadu_si128((__m128i *)input); ++ m = _mm_xor_si128(m, cx->keySchedule[0]); ++ for (i = 1; i < cx->Nr; ++i) { ++ m = _mm_aesenc_si128(m, cx->keySchedule[i]); ++ } ++ m = _mm_aesenclast_si128(m, cx->keySchedule[cx->Nr]); ++ _mm_storeu_si128((__m128i *)output, m); ++#else ++ PORT_Assert(0); ++#endif /* NSS_X86_OR_X64 */ ++} 
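Review bot: `gcm_HashWrite_hw` writes 16 bytes into `outbuf` guarded only by `PORT_Assert(maxout >= 16)`, which compiles out in release builds, so a caller passing a shorter buffer overflows it silently; the assert should become a real check ahead of the two `WRITE64` calls: `if (maxout < 16) { PORT_SetError(SEC_ERROR_OUTPUT_LEN); return SECFailure; }`. The same debug-only pattern appears in `rijndael_native_key_expansion`, where an unexpected `Nk` falls through `PORT_Assert(0)` and leaves `cx->keySchedule` unset for the encrypt path; the caller may already validate `Nk`, but that is not visible here, so returning an error or documenting that precondition on the function would be safer. The key-expansion helpers also leave round-key material in the `tmp*`/`carry` stack temporaries with no wipe; whether freebl's context teardown covers that is outside this hunk, so a `PORT_Memset`-style clear at the end of each helper is worth confirming. The `WRITE64` macro expands to eight statements without a `do { } while (0)` wrapper, which is fine at the two call sites shown but fragile under an unbraced `if`.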
diff --git a/cert9.db b/cert9.db
new file mode 100644
index 0000000..1763264
Binary files /dev/null and b/cert9.db differ
diff --git a/key4.db b/key4.db
new file mode 100644
index 0000000..987ffe0
Binary files /dev/null and b/key4.db differ
diff --git a/malloc.patch b/malloc.patch
new file mode 100644
index 0000000..9e9c8b2
--- /dev/null
+++ b/malloc.patch
@@ -0,0 +1,12 @@
+Index: nss/tests/ssl/ssl.sh
+===================================================================
+--- nss.orig/tests/ssl/ssl.sh
++++ nss/tests/ssl/ssl.sh
+@@ -1696,6 +1696,7 @@ ssl_run_tests()
+ 
+ ################################# main #################################
+ 
++unset MALLOC_CHECK_
+ ssl_init
+ ssl_run_tests
+ ssl_cleanup
diff --git a/mozilla-nss-rpmlintrc b/mozilla-nss-rpmlintrc
new file mode 100644
index 0000000..213f56b
--- /dev/null
+++ b/mozilla-nss-rpmlintrc
@@ -0,0 +1,5 @@
+addFilter("shlib-policy-name-error")
+addFilter("shlib-policy-missing-lib")
+addFilter("shlib-policy-missing-suffix")
+addFilter("shlib-unversioned-lib")
+addFilter("shlib-fixed-dependency")
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
new file mode 100644
index 0000000..b74d074
--- /dev/null
+++ b/mozilla-nss.changes
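Review bot: The new `unset MALLOC_CHECK_` in ssl.sh disables glibc's heap-consistency checking for the entire SSL test run without saying why, so a later reader cannot tell a deliberate harness workaround from an accidental weakening of the tests. A comment above it would fix that, e.g. `# The build environment may export MALLOC_CHECK_; its diagnostics change the expected output of these tests` — the actual reason is not visible here and should be confirmed and given a bug reference. If only specific tests are affected, scoping the unset to those rather than the whole of `ssl_run_tests` would keep heap-corruption detection for the rest.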
@@ -0,0 +1,3995 @@ +------------------------------------------------------------------- +Mon Dec 11 07:12:57 UTC 2023 - Martin Sirringhaus + +- update to NSS 3.90.1 + * bmo#1813401 - regenerate NameConstraints test certificates. + * bmo#1854795 - add OSXSAVE and XCR0 tests to AVX2 detection. +- Remove nss-fix-bmo1813401.patch which is now upstream. + +------------------------------------------------------------------- +Thu Sep 7 08:59:14 UTC 2023 - Martin Sirringhaus + +- Add nss-fix-bmo1813401.patch to fix bsc#1214980 + +------------------------------------------------------------------- +Mon May 15 11:15:52 UTC 2023 - Martin Sirringhaus + +- update to NSS 3.90 + * bmo#1623338 - ride along: remove a duplicated doc page + * bmo#1623338 - remove a reference to IRC + * bmo#1831983 - clang-format lib/freebl/stubs.c + * bmo#1831983 - Add a constant time select function + * bmo#1774657 - Updating an old dbm with lots of certs with keys to sql results in a database that is slow to access. + * bmo#1830973 - output early build errors by default + * bmo#1804505 - Update the technical constraints for KamuSM + * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates + * bmo#1790763 - Enable default UBSan Checks + * bmo#1786018 - Add explicit handling of zero length records + * bmo#1829391 - Tidy up DTLS ACK Error Handling Path + * bmo#1786018 - Refactor zero length record tests + * bmo#1829112 - Fix compiler warning via correct assert + * bmo#1755267 - run linux tests on nss-t/t-linux-xlarge-gcp + * bmo#1806496 - In FIPS mode, nss should reject RSASSA-PSS salt lengths larger than the output size of the hash function used, or provide an indicator + * bmo#1784163 - Fix reading raw negative numbers + * bmo#1748237 - Repairing unreachable code in clang built with gyp + * bmo#1783647 - Integrate Vale Curve25519 + * bmo#1799468 - Removing unused flags for Hacl* + * bmo#1748237 - Adding a better error message + * bmo#1727555 - Update HACL* till 
51a72a953a4ee6f91e63b2816ae5c4e62edf35d6 + * bmo#1782980 - Fall back to the softokn when writing certificate trust + * bmo#1806010 - FIPS-104-3 requires we restart post programmatically + * bmo#1826650 - cmd/ecperf: fix dangling pointer warning on gcc 13 + * bmo#1818766 - Update ACVP dockerfile for compatibility with debian package changes + * bmo#1815796 - Add a CI task for tracking ECCKiila code status, update whitespace in ECCKiila files + * bmo#1819958 - Removed deprecated sprintf function and replaced with snprintf + * bmo#1822076 - fix rst warnings in nss doc + * bmo#1821997 - Fix incorrect pygment style + * bmo#1821292 - Change GYP directive to apply across platforms + * Add libsmime3 abi-check exception for NSS_CMSSignerInfo_GetDigestAlgTag + +- Add nss-fix-bmo1836925.patch to fix build-errors + +- Merge the libfreebl3-hmac and libsoftokn3-hmac packages + into the respective libraries. (bsc#1185116) + +- update to NSS 3.89.1 + * bmo#1804505 - Update the technical constraints for KamuSM. + * bmo#1822921 - Add BJCA Global Root CA1 and CA2 root certificates. 
+ +- update to NSS 3.89 + * bmo#1820834 - revert freebl/softoken RSA_MIN_MODULUS_BITS increase + * bmo#1820175 - PR_STATIC_ASSERT is cursed + * bmo#1767883 - Need to add policy control to keys lengths for signatures + * bmo#1820175 - Fix unreachable code warning in fuzz builds + * bmo#1820175 - Fix various compiler warnings in NSS + * bmo#1820175 - Enable various compiler warnings for clang builds + * bmo#1815136 - set PORT error after sftk_HMACCmp failure + * bmo#1767883 - Need to add policy control to keys lengths for signatures + * bmo#1804662 - remove data length assertion in sec_PKCS7Decrypt + * bmo#1804660 - Make high tag number assertion failure an error + * bmo#1817513 - CKM_SHA384_KEY_DERIVATION correction maximum key + length from 284 to 384 + * bmo#1815167 - Tolerate certificate_authorities xtn in ClientHello + * bmo#1789436 - Fix build failure on Windows + * bmo#1811337 - migrate Win 2012 tasks to Azure + * bmo#1810702 - fix title length in doc + * bmo#1570615 - Add interop tests for HRR and PSK to GREASE suite + * bmo#1570615 - Add presence/absence tests for TLS GREASE + * bmo#1804688 - Correct addition of GREASE value to ALPN xtn + * bmo#1789436 - CH extension permutation + * bmo#1570615 - TLS GREASE (RFC8701) + * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types + * bmo#1815870 - use a different treeherder symbol for each docker + image build task + * bmo#1815868 - pin an older version of the ubuntu:18.04 and + 20.04 docker images + * bmo#1810702 - remove nested table in rst doc + * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag + * bmo#1812671 - build failure while implicitly casting SECStatus + to PRUInt32 + +- update to NSS 3.88.1 + * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types + +- update to NSS 3.88 + * bmo#1815870 - use a different treeherder symbol for each docker + image build task + * bmo#1815868 - pin an older version of the ubuntu:18.04 and + 20.04 docker images + * bmo#1810702 - remove nested 
table in rst doc + * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. + * bmo#1812671 - build failure while implicitly casting SECStatus + to PRUInt32 + * bmo#1212915 - Add check for ClientHello SID max length + * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim + * bmo#1790357 - ECH client - Discard resumption TLS < 1.3 + Session(IDs|Tickets) if ECH configs are setup + * bmo#1714245 - On HRR skip PSK incompatible with negotiated + ciphersuites hash algorithm + * bmo#1789410 - ECH client: Send ech_required alert on server + negotiating TLS 1.2. Fixed misleading Gtest, + enabled corresponding BoGo test + * bmo#1771100 - Added Bogo ECH rejection test support + * bmo#1771100 - Added ECH 0Rtt support to BoGo shim + * bmo#1747957 - RSA OAEP Wycheproof JSON + * bmo#1747957 - RSA decrypt Wycheproof JSON + * bmo#1747957 - ECDSA Wycheproof JSON + * bmo#1747957 - ECDH Wycheproof JSON + * bmo#1747957 - PKCS#1v1.5 wycheproof json + * bmo#1747957 - Use X25519 wycheproof json + * bmo#1766767 - Move scripts to python3 + * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz. + * bmo#1805907 - Extending RSA-PSS bltest test coverage + (Adding SHA-256 and SHA-384) + * bmo#1804091 - NSS needs to move off of DSA for integrity checks + * bmo#1805815 - Add initial testing with ACVP vector sets using + acvp-rust + * bmo#1806369 - Don't clone libFuzzer, rely on clang instead + +- update to NSS 3.87 + * bmo#1803226 - NULL password encoding incorrect + * bmo#1804071 - Fix rng stub signature for fuzzing builds + * bmo#1803595 - Updating the compiler parsing for build + * bmo#1749030 - Modification of supported compilers + * bmo#1774654 - tstclnt crashes when accessing gnutls server + without a user cert in the database. + * bmo#1751707 - Add configuration option to enable source-based + coverage sanitizer + * bmo#1751705 - Update ECCKiila generated files. 
+ * bmo#1730353 - Add support for the LoongArch 64-bit architecture + * bmo#1798823 - add checks for zero-length RSA modulus to avoid + memory errors and failed assertions later + * bmo#1798823 - Additional zero-length RSA modulus checks +- Remove nss-fix-bmo1774654.patch which is now upstream + +- update to NSS 3.86 + * bmo#1803190 - conscious language removal in NSS + * bmo#1794506 - Set nssckbi version number to 2.60 + * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and + CKA_NSS_EMAIL_DISTRUST_AFTER for 3 + TrustCor Root Certificates + * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS + * bmo#1797559 - Remove EC-ACC root cert from NSS + * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS + * bmo#1794495 - Remove Network Solutions Certificate Authority + * bmo#1802331 - compress docker image artifact with zstd + * bmo#1799315 - Migrate nss from AWS to GCP + * bmo#1800989 - Enable static builds in the CI + * bmo#1765759 - Removing SAW docker from the NSS build system + * bmo#1783231 - Initialising variables in the rsa blinding code + * bmo#320582 - Implementation of the double-signing of the message + for ECDSA + * bmo#1783231 - Adding exponent blinding for RSA. 
+ +- update to NSS 3.85 + * bmo#1792821 - Modification of the primes.c and dhe-params.c in + order to have better looking tables + * bmo#1796815 - Update zlib in NSS to 1.2.13 + * bmo#1796504 - Skip building modutil and shlibsign when building + in Firefox + * bmo#1796504 - Use __STDC_VERSION__ rather than __STDC__ as a guard + * bmo#1796407 - Fix -Wunused-but-set-variable warning from clang 15 + * bmo#1796308 - Fix -Wtautological-constant-out-of-range-compare + and -Wtype-limits warnings + * bmo#1796281 - Followup: add missing stdint.h include + * bmo#1796281 - Fix -Wint-to-void-pointer-cast warnings + * bmo#1796280 - Fix -Wunused-{function,variable,but-set-variable} + warnings on Windows + * bmo#1796079 - Fix -Wstring-conversion warnings + * bmo#1796075 - Fix -Wempty-body warnings + * bmo#1795242 - Fix unused-but-set-parameter warning + * bmo#1795241 - Fix unreachable-code warnings + * bmo#1795222 - Mark _nss_version_c unused on clang-cl + * bmo#1795668 - Remove redundant variable definitions in lowhashtest + * Add note about python executable to build instructions. + +- update to NSS 3.84 + * bmo#1791699 - Bump minimum NSPR version to 4.35 + * bmo#1792103 - Add a flag to disable building libnssckbi. 
+ +- update to NSS 3.83 + * bmo#1788875 - Remove set-but-unused variables from + SEC_PKCS12DecoderValidateBags + * bmo#1563221 - remove older oses that are unused part3/ BeOS + * bmo#1563221 - remove older unix support in NSS part 3 Irix + * bmo#1563221 - remove support for older unix in NSS part 2 DGUX + * bmo#1563221 - remove support for older unix in NSS part 1 OSF + * bmo#1778413 - Set nssckbi version number to 2.58 + * bmp#1785297 - Add two SECOM root certificates to NSS + * bmo#1787075 - Add two DigitalSign root certificates to NSS + * bmo#1778412 - Remove Camerfirma Global Chambersign Root from NSS + * bmo#1771100 - Added bug reference and description to disabled + UnsolicitedServerNameAck bogo ECH test + * bmo#1779361 - Removed skipping of ECH on equality of private and + public server name + * bmo#1779357 - Added comment and bug reference to + ECHRandomHRRExtension bogo test + * bmo#1779370 - Added Bogo shim client HRR test support. Fixed + overwriting of CHInner.random on HRR + * bmo#1779234 - Added check for server only sending ECH extension + with retry configs in EncryptedExtensions and if not + accepting ECH. Changed config setting behavior to + skip configs with unsupported mandatory extensions + instead of failing + * bmo# 1771100 - Added ECH client support to BoGo shim. Changed + CHInner creation to skip TLS 1.2 only extensions to + comply with BoGo + * bmo#1771100 - Added ECH server support to BoGo shim. 
Fixed NSS ECH + server accept_confirmation bugs + * bmo#1771100 - Update BoGo tests to recent BoringSSL version + * bmo#1785846 - Bump minimum NSPR version to 4.34.1 + +- update to NSS 3.82 + * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state + * bmo#1735925 - QuickDER: Forbid NULL tags with non-zero length + * bmo#1784724 - Initialize local variables in + TlsConnectTestBase::ConnectAndCheckCipherSuite + * bmo#1784191 - Cast the result of GetProcAddress + * bmo#1681099 - pk11wrap: Tighten certificate lookup based on + PKCS #11 URI. + +- update to NSS 3.81 + * bmo#1762831 - Enable aarch64 hardware crypto support on OpenBSD + * bmo#1775359 - make NSS_SecureMemcmp 0/1 valued + * bmo#1779285 - Add no_application_protocol alert handler and + test client error code is set + * bmo#1777672 - Gracefully handle null nickname in + CERT_GetCertNicknameWithValidity + * required for Firefox 104 +- raised NSPR requirement to 4.34.1 +- changing some Requires from (pre) to generic as (pre) is not + sufficient (boo#1202118) + +- update to NSS 3.80 + * bmo#1774720 - Fix SEC_ERROR_ALGORITHM_MISMATCH entry in SECerrs.h. + * bmo#1617956 - Add support for asynchronous client auth hooks. + * bmo#1497537 - nss-policy-check: make unknown keyword check optional. + * bmo#1765383 - GatherBuffer: Reduced plaintext buffer allocations + by allocating it on initialization. Replaced + redundant code with assert. Debug builds: Added + buffer freeing/allocation for each record. + * bmo#1773022 - Mark 3.79 as an ESR release. + * bmo#1764206 - Bump nssckbi version number for June. + * bmo#1759815 - Remove Hellenic Academic 2011 Root. + * bmo#1770267 - Add E-Tugra Roots. + * bmo#1768970 - Add Certainly Roots. + * bmo#1764392 - Add DigitCert Roots. + * bmo#1759794 - Protect SFTKSlot needLogin with slotLock. + * bmo#1366464 - Compare signature and signatureAlgorithm fields in + legacy certificate verifier. + * bmo#1771497 - Uninitialized value in cert_VerifyCertChainOld. 
+ * bmo#1771495 - Unchecked return code in sec_DecodeSigAlg. + * bmo#1771498 - Uninitialized value in cert_ComputeCertType. + * bmo#1760998 - Avoid data race on primary password change. + * bmo#1769063 - Replace ppc64 dcbzl intrinisic. + * bmo#1771036 - Allow LDFLAGS override in makefile builds. + +------------------------------------------------------------------- +Fri Apr 7 23:05:51 UTC 2023 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) with + fixes to PBKDF2 parameter validation. + +------------------------------------------------------------------- +Mon Mar 27 23:27:47 UTC 2023 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1208999) to + validate extra PBKDF2 parameters according to FIPS 140-3. + +------------------------------------------------------------------- +Sat Mar 18 17:08:21 UTC 2023 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546) to + update session->lastOpWasFIPS before destroying the key after + derivation in the CKM_TLS12_KEY_AND_MAC_DERIVE, + CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, + CKM_TLS_KEY_AND_MAC_DERIVE and CKM_SSL3_KEY_AND_MAC_DERIVE cases. +- Update nss-fips-pct-pubkeys.patch (bsc#1207209) to remove some + excess code. + +------------------------------------------------------------------- +Thu Mar 2 22:02:08 UTC 2023 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch (bsc#1191546). + +------------------------------------------------------------------- +Tue Feb 28 23:39:54 UTC 2023 - Hans Petter Jansson + +- Add nss-fips-pct-pubkeys.patch (bsc#1207209) for pairwise consistency + checks. Thanks to Martin for the DHKey parts. 
+ +------------------------------------------------------------------- +Wed Feb 15 14:04:02 UTC 2023 - Martin Sirringhaus + +- Add manpages to mozilla-nss-tools (bsc#1208242) + +------------------------------------------------------------------- +Fri Feb 10 07:58:12 UTC 2023 - Martin Sirringhaus + +- update to NSS 3.79.4 (bsc#1208138) + * Bug 1804640 - improve handling of unknown PKCS#12 safe bag types. + (CVE-2023-0767) + +------------------------------------------------------------------- +Thu Jan 12 08:04:05 UTC 2023 - Martin Sirringhaus + +- Add upstream patch nss-fix-bmo1774654.patch to fix CVE-2022-3479 + (bsc#1204272) + +------------------------------------------------------------------- +Wed Jan 11 07:28:05 UTC 2023 - Martin Sirringhaus + +- update to NSS 3.79.3 (bsc#1207038) + * Bug 1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and + CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates + (CVE-2022-23491) + +------------------------------------------------------------------- +Fri Dec 2 08:43:10 UTC 2022 - Martin Sirringhaus + +- Update nss-fips-approved-crypto-non-ec.patch to disapprove the + creation of DSA keys, i.e. mark them as not-fips (bsc#1201298) + +------------------------------------------------------------------- +Thu Nov 10 03:48:07 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to allow the use SHA + keygen mechs (bsc#1191546). +- Update nss-fips-constructor-self-tests.patch to ensure abort() is + called when the repeat integrity check fails (bsc#1198980). + +------------------------------------------------------------------- +Thu Oct 27 12:03:34 UTC 2022 - Martin Sirringhaus + +- Require libjitter only for SLE15-SP4 and greater + +------------------------------------------------------------------- +Wed Oct 26 05:55:00 UTC 2022 - Martin Sirringhaus + +- update to NSS 3.79.2 (bsc#1204729) + * bmo#1785846 - Bump minimum NSPR version to 4.34.1. 
+ * bmo#1777672 - Gracefully handle null nickname in CERT_GetCertNicknameWithValidity. + +------------------------------------------------------------------- +Wed Oct 12 03:14:44 UTC 2022 - Hans Petter Jansson + +- Add nss-allow-slow-tests.patch, which allows a timed test to run + longer than 1s. This avoids turning slow builds into broken + builds. + +------------------------------------------------------------------- +Mon Oct 3 01:47:59 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to allow the use of + DSA keys (verification only) (bsc#1201298). +- Update nss-fips-constructor-self-tests.patch to add + sftk_FIPSRepeatIntegrityCheck() to softoken's .def file + (bsc#1198980). + +------------------------------------------------------------------- +Tue Sep 27 02:33:27 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to allow the use of + longer symmetric keys via the service level indicator + (bsc#1191546). +- Update nss-fips-constructor-self-tests.patch to hopefully export + sftk_FIPSRepeatIntegrityCheck() correctly (bsc#1198980). + +------------------------------------------------------------------- +Thu Sep 22 01:26:23 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to prevent sessions + from getting flagged as non-FIPS (bsc#1191546). +- Mark DSA keygen unapproved (bsc#1191546, bsc#1201298). +- Enable nss-fips-drbg-libjitter.patch now that we have a patched + libjitter to build with (bsc#1202870). + +------------------------------------------------------------------- +Fri Sep 16 02:02:27 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to prevent keys + from getting flagged as non-FIPS and add remaining TLS mechanisms. +- Add nss-fips-drbg-libjitter.patch to use libjitterentropy for + entropy. This is disabled until we can avoid the inline assembler + in the latter's header file that relies on GNU extensions. 
+- Update nss-fips-constructor-self-tests.patch to fix an abort() + when both NSS_FIPS and /proc FIPS mode are enabled. + +------------------------------------------------------------------- +Wed Aug 24 11:13:09 UTC 2022 - Martin Sirringhaus + +- update to NSS 3.79.1 (bsc#1202645) + * bmo#1366464 - compare signature and signatureAlgorithm fields in legacy certificate verifier. + * bmo#1771498 - Uninitialized value in cert_ComputeCertType. + * bmo#1759794 - protect SFTKSlot needLogin with slotLock. + * bmo#1760998 - avoid data race on primary password change. + * bmo#1330271 - check for null template in sec_asn1{d,e}_push_state. + +------------------------------------------------------------------- +Wed Jul 27 18:14:49 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to unapprove the + rest of the DSA ciphers, keeping signature verification only + (bsc#1201298). +- Update nss-fips-constructor-self-tests.patch to fix compiler + warning. + +------------------------------------------------------------------- +Wed Jul 13 07:43:02 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-constructor-self-tests.patch to add on-demand + integrity tests through sftk_FIPSRepeatIntegrityCheck() + (bsc#1198980). +- Update nss-fips-approved-crypto-non-ec.patch to mark algorithms + as approved/non-approved according to security policy + (bsc#1191546, bsc#1201298). +- Update nss-fips-approved-crypto-non-ec.patch to remove hard + disabling of unapproved algorithms. This requirement is now + fulfilled by the service level indicator (bsc#1200325). +- Remove nss-fips-tls-allow-md5-prf.patch, since we no longer need + the workaround in FIPS mode (bsc#1200325). +- Remove nss-fips-tests-skip.patch. This is no longer needed since + we removed the code to short-circuit broken hashes and moved to + using the SLI. 
+ +------------------------------------------------------------------- +Tue Jun 7 12:22:12 UTC 2022 - Martin Sirringhaus + +- Remove upstreamed patches: + * nss-fips-version-indicators.patch + * nss-fips-tests-pin-paypalee-cert.patch + +- update to NSS 3.79 + - bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. + - bmo#1766907 - Update mercurial in clang-format docker image. + - bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail. + - bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. + - bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots. + - bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. + - bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. + - bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. + - bmo#1764788 - Correct invalid record inner and outer content type alerts. + - bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. + - bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle. + - bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. + - bmo#1769302 - NSS 3.79 should depend on NSPR 4.34 + +- update to NSS 3.78.1 + * bmo#1767590 - Initialize pointers passed to + NSS_CMSDigestContext_FinishMultiple + +- update to NSS 3.78 + bmo#1755264 - Added TLS 1.3 zero-length inner plaintext checks and tests, zero-length record/fragment handling tests. + bmo#1294978 - Reworked overlong record size checks and added TLS1.3 specific boundaries. + bmo#1763120 - Add ECH Grease Support to tstclnt + bmo#1765003 - Add a strict variant of moz::pkix::CheckCertHostname. + bmo#1166338 - Change SSL_REUSE_SERVER_ECDHE_KEY default to false. + bmo#1760813 - Make SEC_PKCS12EnableCipher succeed + bmo#1762489 - Update zlib in NSS to 1.2.12. 
+ +- update to NSS 3.77 + * Bug 1762244 - resolve mpitests build failure on Windows. + * bmo#1761779 - Fix link to TLS page on wireshark wiki + * bmo#1754890 - Add two D-TRUST 2020 root certificates. + * bmo#1751298 - Add Telia Root CA v2 root certificate. + * bmo#1751305 - Remove expired explicitly distrusted certificates + from certdata.txt. + * bmo#1005084 - support specific RSA-PSS parameters in mozilla::pkix + * bmo#1753535 - Remove obsolete stateEnd check in SEC_ASN1DecoderUpdate. + * bmo#1756271 - Remove token member from NSSSlot struct. + * bmo#1602379 - Provide secure variants of mpp_pprime and mpp_make_prime. + * bmo#1757279 - Support UTF-8 library path in the module spec string. + * bmo#1396616 - Update nssUTF8_Length to RFC 3629 and fix buffer overrun. + * bmo#1760827 - Add a CI Target for gcc-11. + * bmo#1760828 - Change to makefiles for gcc-4.8. + * bmo#1741688 - Update googletest to 1.11.0 + * bmo#1759525 - Add SetTls13GreaseEchSize to experimental API. + * bmo#1755264 - TLS 1.3 Illegal legacy_version handling/alerts. + * bmo#1755904 - Fix calculation of ECH HRR Transcript. + * bmo#1758741 - Allow ld path to be set as environment variable. + * bmo#1760653 - Ensure we don't read uninitialized memory in ssl gtests. + * bmo#1758478 - Fix DataBuffer Move Assignment. + * bmo#1552254 - internal_error alert on Certificate Request with + sha1+ecdsa in TLS 1.3 + * bmo#1755092 - rework signature verification in mozilla::pkix + +- Require nss-util in nss.pc and subsequently remove -lnssutil3 + +- update to NSS 3.76.1 + NSS 3.76.1 + * bmo#1756271 - Remove token member from NSSSlot struct. + NSS 3.76 + * bmo#1755555 - Hold tokensLock through nssToken_GetSlot calls in + nssTrustDomain_GetActiveSlots. + * bmo#1370866 - Check return value of PK11Slot_GetNSSToken. + * bmo#1747957 - Use Wycheproof JSON for RSASSA-PSS + * bmo#1679803 - Add SHA256 fingerprint comments to old + certdata.txt entries. + * bmo#1753505 - Avoid truncating files in nss-release-helper.py. 
+ * bmo#1751157 - Throw illegal_parameter alert for illegal extensions + in handshake message. + +- Add nss-util pkgconfig and config files (copied from RH/Fedora) + +- update to NSS 3.75 + * bmo#1749030 - This patch adds gcc-9 and gcc-10 to the CI. + * bmo#1749794 - Make DottedOIDToCode.py compatible with python3. + * bmo#1749475 - Avoid undefined shift in SSL_CERT_IS while fuzzing. + * bmo#1748386 - Remove redundant key type check. + * bmo#1749869 - Update ABI expectations to match ECH changes. + * bmo#1748386 - Enable CKM_CHACHA20. + * bmo#1747327 - check return on NSS_NoDB_Init and NSS_Shutdown. + * bmo#1747310 - real move assignment operator. + * bmo#1748245 - Run ECDSA test vectors from bltest as part of the CI tests. + * bmo#1743302 - Add ECDSA test vectors to the bltest command line tool. + * bmo#1747772 - Allow to build using clang's integrated assembler. + * bmo#1321398 - Allow to override python for the build. + * bmo#1747317 - test HKDF output rather than input. + * bmo#1747316 - Use ASSERT macros to end failed tests early. + * bmo#1747310 - move assignment operator for DataBuffer. + * bmo#1712879 - Add test cases for ECH compression and unexpected + extensions in SH. + * bmo#1725938 - Update tests for ECH-13. + * bmo#1725938 - Tidy up error handling. + * bmo#1728281 - Add tests for ECH HRR Changes. + * bmo#1728281 - Server only sends GREASE HRR extension if enabled + by preference. + * bmo#1725938 - Update generation of the Associated Data for ECH-13. + * bmo#1712879 - When ECH is accepted, reject extensions which were + only advertised in the Outer Client Hello. + * bmo#1712879 - Allow for compressed, non-contiguous, extensions. + * bmo#1712879 - Scramble the PSK extension in CHOuter. + * bmo#1712647 - Split custom extension handling for ECH. + * bmo#1728281 - Add ECH-13 HRR Handling. + * bmo#1677181 - Client side ECH padding. + * bmo#1725938 - Stricter ClientHelloInner Decompression. + * bmo#1725938 - Remove ECH_inner extension, use new enum format. 
+ * bmo#1725938 - Update the version number for ECH-13 and adjust + the ECHConfig size. + +- update to NSS 3.74 + * bmo#966856 - mozilla::pkix: support SHA-2 hashes in CertIDs in + OCSP responses + * bmo#1553612 - Ensure clients offer consistent ciphersuites after HRR + * bmo#1721426 - NSS does not properly restrict server keys based on policy + * bmo#1733003 - Set nssckbi version number to 2.54 + * bmo#1735407 - Replace Google Trust Services LLC (GTS) R4 root certificate + * bmo#1735407 - Replace Google Trust Services LLC (GTS) R3 root certificate + * bmo#1735407 - Replace Google Trust Services LLC (GTS) R2 root certificate + * bmo#1735407 - Replace Google Trust Services LLC (GTS) R1 root certificate + * bmo#1735407 - Replace GlobalSign ECC Root CA R4 + * bmo#1733560 - Remove Expired Root Certificates - DST Root CA X3 + * bmo#1740807 - Remove Expiring Cybertrust Global Root and GlobalSign root + certificates + * bmo#1741930 - Add renewed Autoridad de Certificacion Firmaprofesional + CIF A62634068 root certificate + * bmo#1740095 - Add iTrusChina ECC root certificate + * bmo#1740095 - Add iTrusChina RSA root certificate + * bmo#1738805 - Add ISRG Root X2 root certificate + * bmo#1733012 - Add Chunghwa Telecom's HiPKI Root CA - G1 root certificate + * bmo#1738028 - Avoid a clang 13 unused variable warning in opt build + * bmo#1735028 - Check for missing signedData field + * bmo#1737470 - Ensure DER encoded signatures are within size limits +- enable key logging option (boo#1195040) + +- update to NSS 3.73.1: + * Add SHA-2 support to mozilla::pkix's OSCP implementation + +- update to NSS 3.73 + * bmo#1735028 - check for missing signedData field. + * bmo#1737470 - Ensure DER encoded signatures are within size limits. + * bmo#1729550 - NSS needs FiPS 140-3 version indicators. 
+ * bmo#1692132 - pkix_CacheCert_Lookup doesn't return cached certs + * bmo#1738600 - sunset Coverity from NSS + MFSA 2021-51 (bsc#1193170) + * CVE-2021-43527 (bmo#1737470) + Memory corruption via DER-encoded DSA and RSA-PSS signatures + +- update to NSS 3.72 + * Remove newline at the end of coreconf.dep + * bmo#1731911 - Fix nsinstall parallel failure. + * bmo#1729930 - Increase KDF cache size to mitigate perf + regression in about:logins + +- update to NSS 3.71 + * bmo#1717716 - Set nssckbi version number to 2.52. + * bmo#1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py + * bmo#1373716 - Import of PKCS#12 files with Camellia encryption is not supported + * bmo#1717707 - Add HARICA Client ECC Root CA 2021. + * bmo#1717707 - Add HARICA Client RSA Root CA 2021. + * bmo#1717707 - Add HARICA TLS ECC Root CA 2021. + * bmo#1717707 - Add HARICA TLS RSA Root CA 2021. + * bmo#1728394 - Add TunTrust Root CA certificate to NSS. + +- update to NSS 3.70 + * bmo#1726022 - Update test case to verify fix. + * bmo#1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max + * bmo#1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback + * bmo#1681975 - Avoid using a lookup table in nssb64d. + * bmo#1724629 - Use HW accelerated SHA2 on AArch64 Big Endian. + * bmo#1714579 - Change default value of enableHelloDowngradeCheck to true. + * bmo#1726022 - Cache additional PBE entries. + * bmo#1709750 - Read HPKE vectors from official JSON. 
+ +- Update to NSS 3.69.1 + * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default + * bmo#1720226 (Backout) - integrity checks in key4.db not happening + on private components with AES_CBC + NSS 3.69 + * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again) + * bmo#1720226 - integrity checks in key4.db not happening on private + components with AES_CBC (backed out again) + * bmo#1720235 - SSL handling of signature algorithms ignores + environmental invalid algorithms. + * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing + nss failures. + (removed obsolete nss-btrfs-sqlite.patch) + * bmo#1720230 - Gtest update changed the gtest reports, losing gtest + details in all.sh reports. + * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode + * bmo#1720232 - SQLite calls could timeout in starvation situations. + * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67 + * bmo#1709817 - Import the NSS documentation from MDN in nss/doc. + * bmo#1720227 - NSS using a tempdir to measure sql performance not active +- add nss-fips-stricter-dh.patch +- updated existing patches with latest SLE + +------------------------------------------------------------------- +Thu Jun 2 08:03:32 UTC 2022 - Martin Sirringhaus + +- Mozilla NSS 3.68.4 (bsc#1200027) + * Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. + (bmo#1767590) + +------------------------------------------------------------------- +Fri May 20 21:18:01 UTC 2022 - Hans Petter Jansson + +- Update nss-fips-constructor-self-tests.patch to scan + LD_LIBRARY_PATH for external libraries to be checksummed. + +------------------------------------------------------------------- +Wed May 11 16:23:28 UTC 2022 - Hans Petter Jansson + +- Run test suite at build time, and make it pass (bsc#1198486). + Based on work by Marcus Meissner. +- Add nss-fips-tests-skip.patch to skip algorithms that are hard + disabled in FIPS mode. 
+- Add nss-fips-tests-pin-paypalee-cert.patch to prevent expired + PayPalEE cert from failing the tests. +- Add nss-fips-tests-enable-fips.patch, which enables FIPS during + test certificate creation and disables the library checksum + validation during same. +- Update nss-fips-constructor-self-tests.patch to allow + checksumming to be disabled, but only if we entered FIPS mode + due to NSS_FIPS being set, not if it came from /proc. + +------------------------------------------------------------------- +Wed Apr 13 21:10:46 UTC 2022 - Hans Petter Jansson + +- Add nss-fips-pbkdf-kat-compliance.patch (bsc#1192079). This + makes the PBKDF known answer test compliant with NIST SP800-132. + +------------------------------------------------------------------- +Fri Apr 1 07:58:24 UTC 2022 - Martin Sirringhaus + +- Mozilla NSS 3.68.3 (bsc#1197903) + This release improves the stability of NSS when used in a multi-threaded + environment. In particular, it fixes memory safety violations that + can occur when PKCS#11 tokens are removed while in use (CVE-2022-1097). + We presume that with enough effort these memory safety violations are exploitable. + * Remove token member from NSSSlot struct (bmo#1756271). + * Hold tokensLock through nssToken_GetSlot calls in nssTrustDomain_GetActiveSlots + (bmo#1755555). + * Check return value of PK11Slot_GetNSSToken (bmo#1370866). + +------------------------------------------------------------------- +Thu Dec 16 12:20:48 UTC 2021 - Martin Sirringhaus + +- Mozilla NSS 3.68.2 (bsc#1193845) + * mozilla::pkix: support SHA-2 hashes in CertIDs in OCSP responses + (bmo#966856) + +------------------------------------------------------------------- +Mon Dec 6 13:32:46 UTC 2021 - Hans Petter Jansson + +- Update FIPS validation string to version-release format. +- Update nss-fips-approved-crypto-non-ec.patch to remove XCBC MAC + from list of FIPS approved algorithms. 
+ +------------------------------------------------------------------- +Thu Dec 2 09:06:17 UTC 2021 - Martin Sirringhaus + +- Mozilla NSS 3.68.1 + MFSA 2021-51 (bsc#1193170) + * CVE-2021-43527 (bmo#1737470) + Memory corruption via DER-encoded DSA and RSA-PSS signatures +- Remove now obsolete patch nss-bsc1193170.patch + +------------------------------------------------------------------- +Tue Nov 30 09:14:03 UTC 2021 - Martin Sirringhaus + +- Add patch to fix CVE-2021-43527 (bsc#1193170): + nss-bsc1193170.patch + +------------------------------------------------------------------- +Tue Nov 23 23:41:42 UTC 2021 - Hans Petter Jansson + +- Enable NSS_ENABLE_FIPS_INDICATORS and set NSS_FIPS_MODULE_ID + for build. + +------------------------------------------------------------------- +Mon Nov 1 23:45:02 UTC 2021 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to claim 3DES + unapproved in FIPS mode (bsc#1192080). +- Update nss-fips-constructor-self-tests.patch to allow testing + of unapproved algorithms (bsc#1192228). +- Add nss-fips-version-indicators.patch (bmo#1729550, bsc#1192086). + This adds FIPS version indicators. +- Add nss-fips-180-3-csp-clearing.patch (bmo#1697303, bsc#1192087). + Most of the relevant changes are already upstream since NSS 3.60. + +------------------------------------------------------------------- +Tue Aug 31 20:41:27 UTC 2021 - Charles Robertson + +- Removed nss-fips-kdf-self-tests.patch. This was made + obsolete by upstream changes. (bmo#1660304) +- Rebase nss-fips-stricter-dh.patch needed due to upstream changes. + +------------------------------------------------------------------- +Wed Aug 18 12:41:56 UTC 2021 - Hans Petter Jansson + +- Update nss-fips-constructor-self-tests.patch to fix crashes + reported by upstream. This was likely affecting WebRTC calls. 
+ +------------------------------------------------------------------- +Thu Jul 29 07:42:35 UTC 2021 - Martin Sirringhaus + +- update to NSS 3.68 + * bmo#1713562 - Fix test leak. + * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. + * bmo#1693206 - Implement PKCS8 export of ECDSA keys. + * bmo#1712883 - DTLS 1.3 draft-43. + * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. + * bmo#1713562 - Validate ECH public names. + * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. + +- update to NSS 3.67 + * bmo#1683710 - Add a means to disable ALPN. + * bmo#1715720 - Fix nssckbi version number in NSS 3.67 (was supposed to be incremented in 3.66). + * bmo#1714719 - Set NSS_USE_64 on riscv64 target when using GYP/Ninja. + * bmo#1566124 - Fix counter increase in ppc-gcm-wrap.c. + * bmo#1566124 - Fix AES_GCM mode on ppc64le for messages of length more than 255-byte. + +------------------------------------------------------------------- +Sat Jul 10 08:50:18 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.66 + * bmo#1710716 - Remove Expired Sonera Class2 CA from NSS. + * bmo#1710716 - Remove Expired Root Certificates from NSS - QuoVadis Root Certification Authority. + * bmo#1708307 - Remove Trustis FPS Root CA from NSS. + * bmo#1707097 - Add Certum Trusted Root CA to NSS. + * bmo#1707097 - Add Certum EC-384 CA to NSS. + * bmo#1703942 - Add ANF Secure Server Root CA to NSS. + * bmo#1697071 - Add GLOBALTRUST 2020 root cert to NSS. + * bmo#1712184 - NSS tools manpages need to be updated to reflect that sqlite is the default database. + * bmo#1712230 - Don't build ppc-gcm.s with clang integrated assembler. + * bmo#1712211 - Strict prototype error when trying to compile nss code that includes blapi.h. + * bmo#1710773 - NSS needs FIPS 180-3 FIPS indicators. + * bmo#1709291 - Add VerifyCodeSigningCertificateChain. + * Use GNU tar for the release helper script. + +- update to NSS 3.65 + * bmo#1709654 - Update for NetBSD configuration. 
+ * bmo#1709750 - Disable HPKE test when fuzzing. + * bmo#1566124 - Optimize AES-GCM for ppc64le. + * bmo#1699021 - Add AES-256-GCM to HPKE. + * bmo#1698419 - ECH -10 updates. + * bmo#1692930 - Update HPKE to final version. + * bmo#1707130 - NSS should use modern algorithms in PKCS#12 files by default. + * bmo#1703936 - New coverity/cpp scanner errors. + * bmo#1697303 - NSS needs to update it's csp clearing to FIPS 180-3 standards. + * bmo#1702663 - Need to support RSA PSS with Hashing PKCS #11 Mechanisms. + * bmo#1705119 - Deadlock when using GCM and non-thread safe tokens. +- refreshed patches +- Firefox 90.0 requires NSS 3.66 + +------------------------------------------------------------------- +Thu May 27 17:24:41 UTC 2021 - Andreas Stieger + +- update to NSS 3.64 + * bmo#1705286 - Properly detect mips64. + * bmo#1687164 - Introduce NSS_DISABLE_CRYPTO_VSX and + disable_crypto_vsx. + * bmo#1698320 - replace __builtin_cpu_supports("vsx") with + ppc_crypto_support() for clang. + * bmo#1613235 - Add POWER ChaCha20 stream cipher vector + acceleration. + +------------------------------------------------------------------- +Sun Apr 18 07:32:55 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.63.1 + * no upstream release notes for 3.63.1 (yet) + Fixed in 3.63 + * bmo#1697380 - Make a clang-format run on top of helpful contributions. + * bmo#1683520 - ECCKiila P384, change syntax of nested structs + initialization to prevent build isses with GCC 4.8. + * bmo#1683520 - [lib/freebl/ecl] P-384: allow zero scalars in dual + scalar multiplication. + * bmo#1683520 - ECCKiila P521, change syntax of nested structs + initialization to prevent build isses with GCC 4.8. + * bmo#1683520 - [lib/freebl/ecl] P-521: allow zero scalars in dual + scalar multiplication. + * bmo#1696800 - HACL* update March 2021 - c95ab70fcb2bc21025d8845281bc4bc8987ca683. + * bmo#1694214 - tstclnt can't enable middlebox compat mode. 
+ * bmo#1694392 - NSS does not work with PKCS #11 modules not supporting + profiles. + * bmo#1685880 - Minor fix to prevent unused variable on early return. + * bmo#1685880 - Fix for the gcc compiler version 7 to support setenv + with nss build. + * bmo#1693217 - Increase nssckbi.h version number for March 2021 batch + of root CA changes, CA list version 2.48. + * bmo#1692094 - Set email distrust after to 21-03-01 for Camerfirma's + 'Chambers of Commerce' and 'Global Chambersign' roots. + * bmo#1618407 - Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER. + * bmo#1693173 - Add GlobalSign R45, E45, R46, and E46 root certs to NSS. + * bmo#1683738 - Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS root cert to NSS. + * bmo#1686854 - Remove GeoTrust PCA-G2 and VeriSign Universal root certs + from NSS. + * bmo#1687822 - Turn off Websites trust bit for the “Staat der + Nederlanden Root CA - G3” root cert in NSS. + * bmo#1692094 - Turn off Websites Trust Bit for 'Chambers of Commerce + Root - 2008' and 'Global Chambersign Root - 2008’. + * bmo#1694291 - Tracing fixes for ECH. 
+- required for Firefox 88 + +------------------------------------------------------------------- +Tue Mar 16 14:10:43 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.62 + * bmo#1688374 - Fix parallel build NSS-3.61 with make + * bmo#1682044 - pkix_Build_GatherCerts() + pkix_CacheCert_Add() + can corrupt "cachedCertTable" + * bmo#1690583 - Fix CH padding extension size calculation + * bmo#1690421 - Adjust 3.62 ABI report formatting for new libabigail + * bmo#1690421 - Install packaged libabigail in docker-builds image + * bmo#1689228 - Minor ECH -09 fixes for interop testing, fuzzing + * bmo#1674819 - Fixup a51fae403328, enum type may be signed + * bmo#1681585 - Add ECH support to selfserv + * bmo#1681585 - Update ECH to Draft-09 + * bmo#1678398 - Add Export/Import functions for HPKE context + * bmo#1678398 - Update HPKE to draft-07 +- required for Firefox 87 + +------------------------------------------------------------------- +Sun Feb 28 12:01:32 UTC 2021 - Sasi Olin + +- Add nss-btrfs-sqlite.patch to address bmo#1690232 + +------------------------------------------------------------------- +Sun Feb 21 14:46:47 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.61 + * required for Firefox 86 + * bmo#1682071 - Fix issue with IKE Quick mode deriving incorrect key + values under certain conditions. + * bmo#1684300 - Fix default PBE iteration count when NSS is compiled + with NSS_DISABLE_DBM. + * bmo#1651411 - Improve constant-timeness in RSA operations. + * bmo#1677207 - Upgrade Google Test version to latest release. + * bmo#1654332 - Add aarch64-make target to nss-try. + +------------------------------------------------------------------- +Sun Jan 24 09:55:03 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.60.1 + Notable changes in NSS 3.60: + * TLS 1.3 Encrypted Client Hello (draft-ietf-tls-esni-08) support + has been added, replacing the previous ESNI (draft-ietf-tls-esni-01) + implementation. See bmo#1654332 for more information. 
+ * December 2020 batch of Root CA changes, builtins library updated + to version 2.46. See bmo#1678189, bmo#1678166, and bmo#1670769 + for more information. +- removed obsolete ppc-old-abi-v3.patch + +------------------------------------------------------------------- +Sun Dec 27 10:46:57 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.59.1 + * bmo#1679290 - Fix potential deadlock with certain third-party + PKCS11 modules + +------------------------------------------------------------------- +Tue Dec 1 12:22:57 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.59 + Notable changes + * Exported two existing functions from libnss: + CERT_AddCertToListHeadWithData and CERT_AddCertToListTailWithData + Bugfixes + * bmo#1607449 - Lock cert->nssCertificate to prevent a potential data race + * bmo#1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA + * bmo#1663661 - Guard against NULL token in nssSlot_IsTokenPresent + * bmo#1670835 - Support enabling and disabling signatures via Crypto Policy + * bmo#1672291 - Resolve libpkix OCSP failures on SHA1 self-signed + root certs when SHA1 signatures are disabled. + * bmo#1644209 - Fix broken SelectedCipherSuiteReplacer filter to + solve some test intermittents + * bmo#1672703 - Tolerate the first CCS in TLS 1.3 to fix a regression in + our CVE-2020-25648 fix that broke purple-discord + (boo#1179382) + * bmo#1666891 - Support key wrap/unwrap with RSA-OAEP + * bmo#1667989 - Fix gyp linking on Solaris + * bmo#1668123 - Export CERT_AddCertToListHeadWithData and + CERT_AddCertToListTailWithData from libnss + * bmo#1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA + * bmo#1663091 - Remove unnecessary assertions in the streaming + ASN.1 decoder that affected decoding certain PKCS8 + private keys when using NSS debug builds + * bmo#670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS. 
+ +------------------------------------------------------------------- +Sun Nov 15 08:17:37 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.58 + Bugs fixed: + * bmo#1641480 (CVE-2020-25648) + Tighten CCS handling for middlebox compatibility mode. + * bmo#1631890 - Add support for Hybrid Public Key Encryption + (draft-irtf-cfrg-hpke) support for TLS Encrypted Client Hello + (draft-ietf-tls-esni). + * bmo#1657255 - Add CI tests that disable SHA1/SHA2 ARM crypto + extensions. + * bmo#1668328 - Handle spaces in the Python path name when using + gyp on Windows. + * bmo#1667153 - Add PK11_ImportDataKey for data object import. + * bmo#1665715 - Pass the embedded SCT list extension (if present) + to TrustDomain::CheckRevocation instead of the notBefore value. + +------------------------------------------------------------------- +Thu Nov 12 09:00:33 UTC 2020 - Ludwig Nussel + +- install libraries in %{_libdir} (boo#1029961) + +------------------------------------------------------------------- +Mon Oct 12 15:31:33 UTC 2020 - Dominique Leuenberger + +- Fix build with RPM 4.16: error: bare words are no longer + supported, please use "...": lib64 == lib64. 
+ +------------------------------------------------------------------- +Wed Sep 30 21:06:01 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.57 + * The following CA certificates were Added: + bmo#1663049 - CN=Trustwave Global Certification Authority + SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8 + bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority + SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4 + bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority + SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097 + * The following CA certificates were Removed: + bmo#1651211 - CN=EE Certification Centre Root CA + SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76 + bmo#1656077 - O=Government Root Certification Authority; C=TW + SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3 + * Trust settings for the following CA certificates were Modified: + bmo#1653092 - CN=OISTE WISeKey Global Root GA CA + Websites (server authentication) trust bit removed. + * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes +- requires NSPR 4.29 +- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256) +- introduced _constraints due to high memory requirements especially + for LTO on Tumbleweed + +------------------------------------------------------------------- +Fri Sep 25 06:55:40 UTC 2020 - Guillaume GARDET + +- Add patch to fix build on aarch64 - boo#1176934: + * nss-freebl-fix-aarch64.patch + +------------------------------------------------------------------- +Thu Sep 17 13:57:18 UTC 2020 - Hans Petter Jansson + +- Update nss-fips-approved-crypto-non-ec.patch to match RC2 code + being moved to deprecated/. +- Remove nss-fix-dh-pkcs-derive-inverted-logic.patch. This was made + obsolete by upstream changes. 
+ +------------------------------------------------------------------- +Thu Sep 10 00:01:35 UTC 2020 - Charles Robertson + +- Modifications for NIST SP 800-56Ar3 compliance. This adds checks + and restricts Diffie-Hellman parameters in FIPS mode + (bsc#1176173). + + New patches: + * nss-fips-stricter-dh.patch + * nss-fips-kdf-self-tests.patch + +------------------------------------------------------------------- +Tue Sep 8 20:17:19 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.56 + Notable changes + * bmo#1650702 - Support SHA-1 HW acceleration on ARMv8 + * bmo#1656981 - Use MPI comba and mulq optimizations on x86-64 MacOS. + * bmo#1654142 - Add CPU feature detection for Intel SHA extension. + * bmo#1648822 - Add stricter validation of DH keys in FIPS mode. + * bmo#1656986 - Properly detect arm64 during GYP build architecture + detection. + * bmo#1652729 - Add build flag to disable RC2 and relocate to + lib/freebl/deprecated. + * bmo#1656429 - Correct RTT estimate used in 0-RTT anti-replay. + * bmo#1588941 - Send empty certificate message when scheme selection + fails. + * bmo#1652032 - Fix failure to build in Windows arm64 makefile + cross-compilation. + * bmo#1625791 - Fix deadlock issue in nssSlot_IsTokenPresent. + * bmo#1653975 - Fix 3.53 regression by setting "all" as the default + makefile target. + * bmo#1659792 - Fix broken libpkix tests with unexpired PayPal cert. + * bmo#1659814 - Fix interop.sh failures with newer tls-interop + commit and dependencies. + * bmo#1656519 - NSPR dependency updated to 4.28 +- do not hard require mozilla-nss-certs-32bit via baselibs + (boo#1176206) + +------------------------------------------------------------------- +Sat Aug 22 06:41:15 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.55 + Notable changes + * P384 and P521 elliptic curve implementations are replaced with + verifiable implementations from Fiat-Crypto [0] and ECCKiila [1]. + * PK11_FindCertInSlot is added. 
With this function, a given slot + can be queried with a DER-Encoded certificate, providing performance + and usability improvements over other mechanisms. (bmo#1649633) + * DTLS 1.3 implementation is updated to draft-38. (bmo#1647752) + Relevant Bugfixes + * bmo#1631583 (CVE-2020-6829, CVE-2020-12400) - Replace P384 and + P521 with new, verifiable implementations from Fiat-Crypto and ECCKiila. + * bmo#1649487 - Move overzealous assertion in VFY_EndWithSignature. + * bmo#1631573 (CVE-2020-12401) - Remove unnecessary scalar padding. + * bmo#1636771 (CVE-2020-12403) - Explicitly disable multi-part + ChaCha20 (which was not functioning correctly) and more strictly + enforce tag length. + * bmo#1649648 - Don't memcpy zero bytes (sanitizer fix). + * bmo#1649316 - Don't memcpy zero bytes (sanitizer fix). + * bmo#1649322 - Don't memcpy zero bytes (sanitizer fix). + * bmo#1653202 - Fix initialization bug in blapitest when compiled + with NSS_DISABLE_DEPRECATED_SEED. + * bmo#1646594 - Fix AVX2 detection in makefile builds. + * bmo#1649633 - Add PK11_FindCertInSlot to search a given slot + for a DER-encoded certificate. + * bmo#1651520 - Fix slotLock race in NSC_GetTokenInfo. + * bmo#1647752 - Update DTLS 1.3 implementation to draft-38. + * bmo#1649190 - Run cipher, sdr, and ocsp tests under standard test cycle in CI. + * bmo#1649226 - Add Wycheproof ECDSA tests. + * bmo#1637222 - Consistently enforce IV requirements for DES and 3DES. + * bmo#1067214 - Enforce minimum PKCS#1 v1.5 padding length in + RSA_CheckSignRecover. + * bmo#1646324 - Advertise PKCS#1 schemes for certificates in the + signature_algorithms extension. 
+ +------------------------------------------------------------------- +Tue Aug 11 00:39:46 UTC 2020 - Charles Robertson + +- Fix for Firefox failing in fips mode (bsc#1174697) + Updated and rebased patch nss-fips-constructor-self-tests.patch + Rebased patches: + add-relro-linker-option.patch + malloc.patch + nss-fips-constructor-self-tests.patch + nss-fips-fix-missing-nspr.patch + nss-fix-dh-pkcs-derive-inverted-logic.patch + nss-opt.patch + +------------------------------------------------------------------- +Thu Jul 23 13:31:51 UTC 2020 - Wolfgang Rosenauer + +- update to NSS 3.54 + Notable changes + * Support for TLS 1.3 external pre-shared keys (bmo#1603042). + * Use ARM Cryptography Extension for SHA256, when available + (bmo#1528113) + * The following CA certificates were Added: + bmo#1645186 - certSIGN Root CA G2. + bmo#1645174 - e-Szigno Root CA 2017. + bmo#1641716 - Microsoft ECC Root Certificate Authority 2017. + bmo#1641716 - Microsoft RSA Root Certificate Authority 2017. + * The following CA certificates were Removed: + bmo#1645199 - AddTrust Class 1 CA Root. + bmo#1645199 - AddTrust External CA Root. + bmo#1641718 - LuxTrust Global Root 2. + bmo#1639987 - Staat der Nederlanden Root CA - G2. + bmo#1618402 - Symantec Class 2 Public Primary Certification Authority - G4. + bmo#1618402 - Symantec Class 1 Public Primary Certification Authority - G4. + bmo#1618402 - VeriSign Class 3 Public Primary Certification Authority - G3. + * A number of certificates had their Email trust bit disabled. + See bmo#1618402 for a complete list. + Bugs fixed + * bmo#1528113 - Use ARM Cryptography Extension for SHA256. + * bmo#1603042 - Add TLS 1.3 external PSK support. + * bmo#1642802 - Add uint128 support for HACL* curve25519 on Windows. + * bmo#1645186 - Add "certSIGN Root CA G2" root certificate. + * bmo#1645174 - Add Microsec's "e-Szigno Root CA 2017" root certificate. + * bmo#1641716 - Add Microsoft's non-EV root certificates. 
+ * bmo1621151 - Disable email trust bit for "O=Government + Root Certification Authority; C=TW" root. + * bmo#1645199 - Remove AddTrust root certificates. + * bmo#1641718 - Remove "LuxTrust Global Root 2" root certificate. + * bmo#1639987 - Remove "Staat der Nederlanden Root CA - G2" root + certificate. + * bmo#1618402 - Remove Symantec root certificates and disable email trust + bit. + * bmo#1640516 - NSS 3.54 should depend on NSPR 4.26. + * bmo#1642146 - Fix undefined reference to `PORT_ZAlloc_stub' in seed.c. + * bmo#1642153 - Fix infinite recursion building NSS. + * bmo#1642638 - Fix fuzzing assertion crash. + * bmo#1642871 - Enable SSL_SendSessionTicket after resumption. + * bmo#1643123 - Support SSL_ExportEarlyKeyingMaterial with External PSKs. + * bmo#1643557 - Fix numerous compile warnings in NSS. + * bmo#1644774 - SSL gtests to use ClearServerCache when resetting + self-encrypt keys. + * bmo#1645479 - Don't use SECITEM_MakeItem in secutil.c. + * bmo#1646520 - Stricter enforcement of ASN.1 INTEGER encoding. + +------------------------------------------------------------------- +Mon Jun 29 10:49:17 UTC 2020 - Hans Petter Jansson + +- Expand nss-fips-fix-missing-nspr.patch to avoid spurious + initialization attempt of global RNG (bsc#1168669). + +------------------------------------------------------------------- +Thu Jun 25 21:59:23 UTC 2020 - Hans Petter Jansson + +- Add nss-fips-fix-missing-nspr.patch (bsc#1168669). 
+ +------------------------------------------------------------------- +Wed Jun 17 08:36:45 UTC 2020 - Martin Sirringhaus + +- update to NSS 3.53.1 + * CVE-2020-12402 - Use constant-time GCD and modular inversion + in MPI (bmo#1631597, bsc#1173032) + +------------------------------------------------------------------- +Tue Jun 2 06:30:54 UTC 2020 - Martin Sirringhaus + +- update to NSS 3.53 + Notable changes: + * When using the Makefiles, NSS can be built in parallel, speeding up + those builds to more similar performance as the build.sh/ninja/gyp + system. (bmo#290526) + * SEED is now moved into a new freebl directory + freebl/deprecated (Bug 1636389). SEED will be disabled by default in + a future release of NSS. At that time, users will need to set the + compile-time flag (bmo#1622033) to disable that deprecation in order + to use the algorithm. + Algorithms marked as deprecated will ultimately + be removed. + * Several root certificates in the Mozilla program now set + the CKA_NSS_SERVER_DISTRUST_AFTER attribute, which NSS consumers can + query to further refine trust decisions. (bmo#1618404, bmo#1621159) + If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp + before the SCT or NotBefore date of a certificate that builtin + issued, then clients can elect not to trust it. This attribute + provides a more graceful phase-out for certificate authorities than + complete removal from the root certificate builtin store. + + Bugs fixed + * Initialize PBE params (ASAN fix) (bmo#1640260) + * Set CKA_NSS_SERVER_DISTRUST_AFTER for Symantec root certs + (bmo#1618404) + * Set CKA_NSS_SERVER_DISTRUST_AFTER for Consorci AOC, GRCA, and SK ID + root certs (bmo#1621159) + * PPC64: Correct compilation error between VMX vs. 
VSX vector + instructions (bmo#1629414) + * Fix various compile warnings in NSS (bmo#1639033) + * Fix a null pointer in security/nss/lib/ssl/sslencode.c:67 + (bmo#1640041) + * Fix a null pointer in security/nss/lib/ssl/sslsock.c:4460 + (bmo#1640042) + * Avoid multiple definitions of SHA{256,384,512}_* symbols when linking + libfreeblpriv3.so in Firefox on ppc64le (bmo#1638289) + * Relocate deprecated SEED algorithm (bmo#1636389) + * lib/ckfw: No such file or directory. Stop. (bmo#1637083) + * Additional modular inverse test (bmo#1561331) + * Rework and cleanup gmake builds (bmo#1629553) + * Remove mkdepend and "depend" make target (bmo#1438431) + * Support parallel building of NSS when using the Makefiles (bmo#290526) + * HACL* update after changes in libintvector.h (bmo#1636206) + * Fix building NSS on Debian s390x, mips64el, and riscv64 (bmo#1636058) + * Add option to build without SEED (bmo#1622033) + +- Remove upstreamed patches nss-kremlin-ppc64le.patch + and nss-unit-test-fixes.patch + +------------------------------------------------------------------- +Tue May 26 11:30:05 UTC 2020 - Martin Sirringhaus + +- update to NSS 3.52.1 + Notable changes + * Update NSS to support PKCS#11 v3.0 (bmo#1603628) + * Support new PKCS #11 v3.0 Message Interface for AES-GCM and + ChaChaPoly (bmo#1623374) + * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from HACL* + (bmo#1612493) + * CVE-2020-12399 - Force a fixed length for DSA exponentiation + (bmo#1631576, bsc#1171978) + +- Set NSS_ENABLE_WERROR=0 in order to fix boo#1169746. + +- update to NSS 3.52: + * Update NSS to support PKCS #11 v3.0. (bmo#1603628) + Note: This change modifies the CK_GCM_PARAMS struct to include + the ulIvBits field which, prior to PKCS #11 v3.0, was + ambiguously defined and not included in the NSS definition. + If an application is recompiled with NSS 3.52+, this field + must be initialized to a value corresponding to ulIvLen. 
+ Alternatively, defining NSS_PKCS11_2_0_COMPAT will yield the + old definition. See the bug for more information. + * Support new PKCS #11 v3.0 Message Interface for AES-GCM and + ChaChaPoly (bmo#1623374). + * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from + HACL* (bmo#1612493). + * Fix unused variable 'getauxval' error on iOS compilation. + (bmo#1633498) + * Add Softoken functions for FIPS. (bmo#1630721) + * Fix problem of GYP MSVC builds not producing debug symbol files. + (bmo#1630458) + * Add IKEv1 Quick Mode KDF. (bmo#1629663) + * MPConfig calls in SSL initialize policy before NSS is initialized. + (bmo#1629661) + * Support temporary session objects in ckfw. (bmo#1629655) + * Add PKCS11 v3.0 functions to module debug logger. (bmo#1629105) + * Fix error in generation of fuzz32 docker image after updates. + (bmo#1626751) + * Fix implicit declaration of function 'getopt' error. (bmo#1625133) + * Allow building of gcm-arm32-neon on non-armv7 architectures. + (bmo#1624864) + * Fix compilation error in Firefox Android. (bmo#1624402) + * Require CK_FUNCTION_LIST structs to be packed. (bmo#1624130) + * Fix clang warning for unknown argument '-msse4'. (bmo#1624377) + * Support new PKCS #11 v3.0 Message Interface for AES-GCM and + ChaChaPoly. (bmo#1623374) + * Fix freebl_cpuid for querying Extended Features. (bmo#1623184) + * Fix argument parsing in lowhashtest. (bmo#1622555) + * Introduce NSS_DISABLE_GCM_ARM32_NEON to build on arm32 without + NEON support. (bmo#1620799) + * Add workaround option to include both DTLS and TLS versions in + DTLS supported_versions. (bmo#1619102) + * Update README: TLS 1.3 is not experimental anymore. (bmo#1619056) + * Fix UBSAN issue in ssl_ParseSessionTicket. (bmo#1618915) + * Don't assert fuzzer behavior in SSL_ParseSessionTicket. + (bmo#1618739) + * Update Delegated Credentials implementation to draft-07. 
+ (bmo#1617968) + * Update HACL* dependencies for libintvector.h (bmo#1617533) + * Add vector accelerated SHA2 for POWER 8+. (bmo#1613238) + * Integrate AVX2 ChaCha20, Poly1305, and ChaCha20Poly1305 from + HACL*. (bmo#1612493) + * Maintain PKCS11 C_GetAttributeValue semantics on attributes that + lack NSS database columns. (bmo#1612281) + * Add Wycheproof RSA test vectors. (bmo#1612260) + * broken fipstest handling of KI_len. (bmo#1608250) + * Consistently handle NULL slot/session. (bmo#1608245) + * Avoid dcache pollution from sdb_measureAccess(). (bmo#1603801) + * Update NSS to support PKCS #11 v3.0. (bmo#1603628) + * TLS 1.3 does not work in FIPS mode. (bmo#1561637) + * Fix overzealous assertion when evicting a cached sessionID or + using external cache. (bmo#1531906) + * Fix issue where testlib makefile build produced extraneous object + files. (bmo#1465613) + * Properly handle multi-block SEED ECB inputs. (bmo#1619959) + * Guard all instances of NSSCMSSignedData.signerInfo to avoid a CMS + crash (bmo#1630925) + * Name Constraints validation: CN treated as DNS name even when + syntactically invalid as DNS name (bmo#1571677) + +- update to NSS 3.51.1: + * Update Delegated Credentials implementation to draft-07 + (bmo#1617968) + * Add workaround option to include both DTLS and TLS versions in + DTLS supported_versions (bmo#1619102) + * Update README: TLS 1.3 is not experimental anymore + (bmo#1619056) + * Don't assert fuzzer behavior in SSL_ParseSessionTicket + (bmo#1618739) + * Fix UBSAN issue in ssl_ParseSessionTicket (bmo#1618915) + * Consistently handle NULL slot/session (bmo#1608245) + * broken fipstest handling of KI_len (bmo#1608250) + * Update Delegated Credentials implementation to draft-07 + (bmo#1617968) + +- Add patch nss-kremlin-ppc64le.patch to fix ppc and s390x builds + +- update to NSS 3.51 + * Updated DTLS 1.3 implementation to Draft-34. 
(bmo#1608892) + * Correct swapped PKCS11 values of CKM_AES_CMAC and + CKM_AES_CMAC_GENERAL (bmo#1611209) + * Complete integration of Wycheproof ECDH test cases (bmo#1612259) + * Check if PPC __has_include() (bmo#1614183) + * Fix a compilation error for ‘getFIPSEnv’ "defined but not used" + (bmo#1614786) + * Send DTLS version numbers in DTLS 1.3 supported_versions extension + to avoid an incompatibility. (bmo#1615208) + * SECU_ReadDERFromFile calls strstr on a string that isn't guaranteed + to be null-terminated (bmo#1538980) + * Correct a warning for comparison of integers of different signs: + 'int' and 'unsigned long' in security/nss/lib/freebl/ecl/ecp_25519.c:88 + (bmo#1561337) + * Add test for mp_int clamping (bmo#1609751) + * Don't attempt to read the fips_enabled flag on the machine unless + NSS was built with FIPS enabled (bmo#1582169) + * Fix a null pointer dereference in BLAKE2B_Update (bmo#1431940) + * Fix compiler warning in secsign.c (bmo#1617387) + * Fix a OpenBSD/arm64 compilation error: unused variable 'getauxval' + (bmo#1618400) + * Fix a crash on unaligned CMACContext.aes.keySchedule when using + AES-NI intrinsics (bmo#1610687) + +- update to NSS 3.50 + * Verified primitives from HACL* were updated, bringing performance + improvements for several platforms. + Note that Intel processors with SSE4 but without AVX are currently + unable to use the improved ChaCha20/Poly1305 due to a build issue; + such platforms will fall-back to less optimized algorithms. + See bmo#1609569 for details + * Updated DTLS 1.3 implementation to Draft-30. + See bmo#1599514 for details. + * Added NIST SP800-108 KBKDF - PKCS#11 implementation. + See bmo#1599603 for details. 
+ * Several bugfixes and minor changes + +- Disable LTO on %arm as LTO fails on neon errors + +- update to NSS 3.49.2 + Fixed bugs: + * Fix compilation problems with NEON-specific code in freebl + (bmo#1608327) + * Fix a taskcluster issue with Python 2 / Python 3 (bmo#1608895) + +- update to NSS 3.49.1 + 3.49.1 + https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49.1_release_notes + * Cache the most recent PBKDF2 password hash, to speed up repeated + SDR operations, important with the increased KDF iteration counts (bmo#1606992) + 3.49 + https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.49_release_notes + * The legacy DBM database, libnssdbm, is no longer built by default + when using gyp builds (bmo#1594933) + * several bugfixes + +- update to NSS 3.48 + https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes + Notable Changes + * TLS 1.3 is the default maximum TLS version (bmo#1573118) + * TLS extended master secret is enabled by default, where possible + (bmo#1575411) + * The master password PBE now uses 10,000 iterations by default when + using the default sql (key4.db) storage (bmo#1562671) + Certificate Authority Changes + * Added Entrust Root Certification Authority - G4 Cert (bmo#1591178) + Bugfixes +- requires NSPR 4.24 + +------------------------------------------------------------------- +Tue May 19 02:15:54 UTC 2020 - Hans Petter Jansson + +- nss-fips-aes-keywrap-post.patch: Add AES Keywrap POST. +- nss-fips-constructor-self-tests.patch: Accept EACCES in lieu + of ENOENT when trying to access /proc/sys/crypto/fips_enabled + (bsc#1170908). + +------------------------------------------------------------------- +Sun Apr 26 03:42:23 UTC 2020 - Hans Petter Jansson + +- nss-fips-constructor-self-tests.patch: Add Softoken POSTs for + new DSA and ECDSA hash-and-sign update functinos. 
+ +------------------------------------------------------------------- +Fri Apr 24 01:39:03 UTC 2020 - Hans Petter Jansson + +- nss-fips-combined-hash-sign-dsa-ecdsa.patch: Add pairwise + consistency check for CKM_SHA224_RSA_PKCS. Remove ditto checks + for CKM_RSA_PKCS, CKM_DSA and CKM_ECDSA, since these are served + by the new CKM_SHA224_RSA_PKCS, CKM_DSA_SHA224, CKM_ECDSA_SHA224 + checks. + +- nss-fips-constructor-self-tests.patch: Replace bad attempt at + unconditional nssdbm checksumming with a dlopen(), so it can be + located consistently and perform its own self-tests. + +------------------------------------------------------------------- +Tue Apr 21 13:27:47 UTC 2020 - Hans Petter Jansson + +- Add nss-fix-dh-pkcs-derive-inverted-logic.patch. This fixes an + instance of inverted logic due to a boolean being mistaken for + a SECStatus, which caused key derivation to fail when the caller + provided a valid subprime. + +------------------------------------------------------------------- +Fri Apr 17 00:59:27 UTC 2020 - Hans Petter Jansson + +- Add nss-fips-combined-hash-sign-dsa-ecdsa.patch. This implements + API mechanisms for performing DSA and ECDSA hash-and-sign + in a single call, which will be required in future FIPS cycles. + +------------------------------------------------------------------- +Wed Apr 15 23:54:45 UTC 2020 - Hans Petter Jansson + +- nss-fips-constructor-self-tests.patch: Always perform nssdbm + checksumming on softoken load, even if nssdbm itself is not + loaded. + +------------------------------------------------------------------- +Mon Apr 6 17:47:25 UTC 2020 - Hans Petter Jansson + +- nss-fips-detect-fips-mode-fixes.patch: Use secure_getenv() to + avoid PR_GetEnvSecure() being called when NSPR is unavailable, + resulting in an abort (bsc#1168669). 
+ +------------------------------------------------------------------- +Wed Mar 18 14:33:42 UTC 2020 - Hans Petter Jansson + +- Added patches related to FIPS certification: + * nss-fips-use-getrandom.patch: Use getrandom() to obtain entropy + where possible. + * nss-fips-dsa-kat.patch: Make DSA KAT FIPS compliant. + * nss-fips-pairwise-consistency-check.patch: Use FIPS compliant + hash when validating keypair. + * nss-fips-rsa-keygen-strictness.patch: Enforce FIPS requirements + on RSA key generation. + * nss-fips-cavs-keywrap.patch, + nss-fips-cavs-kas-ffc.patch, + nss-fips-cavs-kas-ecc.patch, + nss-fips-cavs-general.patch, + nss-fips-cavs-dsa-fixes.patch, + nss-fips-cavs-rsa-fixes.patch: Miscellaneous fixes to CAVS + tests. + * nss-fips-gcm-ctr.patch: Enforce FIPS limits on how much data + can be processed without rekeying. + * nss-fips-constructor-self-tests.patch: Run self tests on + library initialization in FIPS mode. + * nss-fips-approved-crypto-non-ec.patch: Disable non-compliant + algorithms in FIPS mode (hashes and the SEED cipher). + * nss-fips-zeroization.patch: Clear various temporary variables + after use. + * nss-fips-tls-allow-md5-prf.patch: Allow MD5 to be used in TLS + PRF. + * nss-fips-use-strong-random-pool.patch: Preferentially gather + entropy from /dev/random over /dev/urandom. + * nss-fips-detect-fips-mode-fixes.patch: Allow enabling FIPS mode + consistently with NSS_FIPS environment variable. + * nss-unit-test-fixes.patch: Fix argument parsing bug in + lowhashtest. 
+ +------------------------------------------------------------------- +Wed Dec 4 09:48:02 UTC 2019 - Martin Sirringhaus + +- update to NSS 3.47.1 + * CVE-2019-11745 - EncryptUpdate should use maxout, not block size + (boo#1158527) + * Fix a crash that could be caused by client certificates during startup + (bmo#1590495, bsc#1158527) + * Fix compile-time warnings from uninitialized variables in a perl script + (bmo#1589810) +- update to NSS 3.47 + * Support AES HW acceleration on ARMv8 (bmo#1152625) + * Allow per-socket run-time ordering of the cipher suites presented + in ClientHello (bmo#1267894) + * Add CMAC to FreeBL and PKCS #11 libraries (bmo#1570501) +- update to NSS 3.46.1 + * The following CA certificates were Removed: + expired Class 2 Primary root certificate + expired UTN-USERFirst-Client root certificate + expired Deutsche Telekom Root CA 2 root certificate + Swisscom Root CA 2 root certificate + * Significant improvements to AES-GCM performance on ARM + * Soft token MAC verification not constant time (bmo#1582343) + * Remove arbitrary HKDF output limit by allocating space as needed + (bmo#1577953) +- update to NSS 3.46 + * CVE-2019-17006 - Add length checks for cryptographic primitives + (bmo#1539788, bsc#1159819) + * The following CA certificates were Removed: + expired Class 2 Primary root certificate + expired UTN-USERFirst-Client root certificate + expired Deutsche Telekom Root CA 2 root certificate + Swisscom Root CA 2 root certificate + * Significant improvements to AES-GCM performance on ARM + +------------------------------------------------------------------- +Mon Jul 15 06:07:37 UTC 2019 - Martin Sirringhaus + +- update to NSS 3.45 (bsc#1141322) + * New function in pk11pub.h: PK11_FindRawCertsWithSubject + * The following CA certificates were Removed: + CN = Certinomis - Root CA (bmo#1552374) + * Implement Delegated Credentials (draft-ietf-tls-subcerts) + (bmo#1540403) + This adds a new experimental function SSL_DelegateCredential + Note: In 
3.45, selfserv does not yet support delegated + credentials (See bmo#1548360). + Note: In 3.45 the SSLChannelInfo is left unmodified, + while an upcoming change in 3.46 will set + SSLChannelInfo.authKeyBits to that of the delegated + credential for better policy enforcement + (See bmo#1563078). + * Replace ARM32 Curve25519 implementation with one from + fiat-crypto (bmo#1550579) + * Support static linking on Windows (bmo#1551129) + * Expose a function PK11_FindRawCertsWithSubject for finding + certificates with a given subject on a given slot + (bmo#1552262) + * Add IPSEC IKE support to softoken (bmo#1546229) + * Add support for the Elbrus lcc compiler (<=1.23) + (bmo#1554616) + * Expose an external clock for SSL (bmo#1543874) + This adds new experimental functions: SSL_SetTimeFunc, + SSL_CreateAntiReplayContext, SSL_SetAntiReplayContext, and + SSL_ReleaseAntiReplayContext. + The experimental function SSL_InitAntiReplay is removed. + * Various changes in response to the ongoing FIPS review + (bmo#1546477) + Note: The source package size has increased substantially + due to the new FIPS test vectors. This will likely + prompt follow-on work, but please accept our + apologies in the meantime. + +------------------------------------------------------------------- +Fri Jun 28 16:58:58 UTC 2019 - Charles Robertson + +- update to NSS 3.44.1 + * (3.44.1) now required by Firefox 68.0 + New Functionality: + * Add IPSEC IKE support to softoken (bmo#1546229) + * Many new FIPS test cases (Note: This has increased the source + archive by approximately 50 megabytes for this release.) 
+ Bugs fixed: + * Optimize away unneeded loop in mpi.c (bmo#1554336) + * More thorough input checking (bmo#1515342) + * Don't unnecessarily strip leading 0's from key material during + PKCS11 import (bmo#1540541) + * Add a SSLKEYLOGFILE enable/disable flag at build.sh + (bmo#1515236) + * Fix SECKEY_ConvertToPublicKey handling of non-RSA keys + (bmo#1473806) + * Updates to testing for FIPS validation (bmo#1546477) + * Prohibit use of RSASSA-PKCS1-v1_5 algorithms in TLS 1.3 + (bmo#1552208) + * Unbreak build on GCC < 4.3 big-endian (bmo#1551041) +- Activate -fPIE -pie during the compile + +------------------------------------------------------------------- +Fri May 24 11:59:48 UTC 2019 - Martin Sirringhaus + +- update to NSS 3.44 + * (3.44) required by Firefox 68.0 + New functionality + * Support XDG basedir specification (bmo#818686) + * HASH_GetHashOidTagByHashType - convert type HASH_HashType to + type SECOidTag + * SSL_SendCertificateRequest - allow server to request + post-handshake client authentication. To use this both peers + need to enable the SSL_ENABLE_POST_HANDSHAKE_AUTH option. + Notable changes + * The following CA certificates were added: + CN = emSign Root CA - G1 + CN = emSign ECC Root CA - G3 + CN = emSign Root CA - C1 + CN = emSign ECC Root CA - C3 + CN = Hongkong Post Root CA 3 + Bugs fixed: + * CVE-2018-18508 (bmo#1507135, bmo#1507174) + Add additional null checks to several CMS functions to fix a + rare CMS crash. 
+ * Improve Gyp build system handling (bmo#1528669, bmo#1529308) + * Reject invalid CH.legacy_version in TLS 1.3 (bmo#1490006) + * A fix for Solaris where Firefox 60 core dumps during start when + using profile from version 52 (bmo#1513913) + * Improve NSS S/MIME tests for Thunderbird (bmo#1529950, bmo#1521174) + * If Docker isn't installed, try running a local clang-format as a + fallback (bmo#1530134) + * Enable FIPS mode automatically if the system FIPS mode flag is + set (bmo#1531267) + * Add a -J option to the strsclnt command to specify + sigschemes (bmo#1528262) + * Add manual for nss-policy-check (bmo#1513909) + * Fix a deref after a null check in SECKEY_SetPublicValue (bmo#1531074) + * Properly handle ESNI with HRR (bmo#1517714) + * Expose HKDF-Expand-Label with mechanism (bmo#1529813) + * Align TLS 1.3 HKDF trace levels (bmo#1535122) + * Use getentropy on compatible versions of FreeBSD. (bmo#1530102) + +------------------------------------------------------------------- +Thu Jan 31 16:12:09 UTC 2019 - cgrobertson@suse.com + +- update to NSS 3.41.1 + * (3.41) required by Firefox 65.0 + New functionality + * Implemented EKU handling for IPsec IKE. (bmo#1252891) + * Enable half-closed states for TLS. (bmo#1423043) + * Enabled the following ciphersuites by default: (bmo#1493215) + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + TLS_RSA_WITH_AES_256_GCM_SHA384 + Notable changes + * The following CA certificates were added: + CN = Certigna Root CA + CN = GTS Root R1 + CN = GTS Root R2 + CN = GTS Root R3 + CN = GTS Root R4 + CN = UCA Global G2 Root + CN = UCA Extended Validation Root + * The following CA certificates were removed: + CN = AC Raíz Certicámara S.A. 
+ CN = Certplus Root CA G1 + CN = Certplus Root CA G2 + CN = OpenTrust Root CA G1 + CN = OpenTrust Root CA G2 + CN = OpenTrust Root CA G3 + Bugs fixed + * Reject empty supported_signature_algorithms in Certificate + Request in TLS 1.2 (bmo#1412829) + * Cache side-channel variant of the Bleichenbacher attack (bmo#1485864) + (CVE-2018-12404) + * Resend the same ticket in ClientHello after HelloRetryRequest (bmo#1481271) + * Set session_id for external resumption tokens (bmo#1493769) + * Reject CCS after handshake is complete in TLS 1.3 (bmo#1507179) + * Add additional null checks to several CMS functions to fix a rare + CMS crash. (bmo#1507135, bmo#1507174) (3.41.1) +- removed obsolete patches + nss-disable-ocsp-test.patch + +------------------------------------------------------------------- +Thu Jan 10 23:33:23 UTC 2019 - cgrobertson@suse.com + +- hmac packages inadvertently removed in last update: re-added. + (bnc#1121207) +- Added "Suggest:" for libfreebl3 and libsoftokn3 respective -hmac + packages to avoid dependency issues during updates + (bsc#1090767, bsc#1121045) + +------------------------------------------------------------------- +Thu Dec 13 18:22:56 UTC 2018 - cgrobertson@suse.com + +- update to NSS 3.40.1 + * required by Firefox 64.0 + * patch release fixes CVE-2018-12404 + Notable bug fixes + * FFDHE key exchange sometimes fails with decryption failure (bmo#1478698) + New functionality + * The draft-00 version of encrypted SNI support is implemented + * tstclnt now takes -N option to specify encrypted SNI key + Notable changes + * The mozilla::pkix library has been ported from Mozilla PSM to NSS. + This is a C++ library for building certification paths. + mozilla::pkix APIs are not exposed in the libraries NSS builds. 
+ * It is easier to build NSS on Windows in mozilla-build environments + * The following CA certificates were Removed: + CN = Visa eCommerce Root + +------------------------------------------------------------------- +Mon Oct 29 17:31:27 UTC 2018 - alarrosa@suse.com + +- update to NSS 3.39 + * required by Firefox 63.0 + Notable bug fixes + * NSS responded to an SSLv2-compatible ClientHello with a + ServerHello that had an all-zero random (CVE-2018-12384) (bmo#1483128) + New functionality + * The tstclnt and selfserv utilities added support for configuring + the enabled TLS signature schemes using the -J parameter. + * NSS will use RSA-PSS keys to authenticate in TLS. Support for + these keys is disabled by default but can be enabled using + SSL_SignatureSchemePrefSet(). + * certutil added the ability to delete an orphan private key from + an NSS key database. + * Added the nss-policy-check utility, which can be used to check + an NSS policy configuration for problems. + * A PKCS#11 URI can be used as an identifier for a PKCS#11 token. + Notable changes + * The TLS 1.3 implementation uses the final version number from + RFC 8446. + * Previous versions of NSS accepted an RSA PKCS#1 v1.5 signature + where the DigestInfo structure was missing the NULL parameter. + Starting with version 3.39, NSS requires the encoding to contain + the NULL parameter. + * The tstclnt and selfserv test utilities no longer accept the -z + parameter, as support for TLS compression was removed in a + previous NSS version. + * The CA certificates list was updated to version 2.26. 
+ * The following CA certificates were Added: + - OU = GlobalSign Root CA - R6 + - CN = OISTE WISeKey Global Root GC CA + * The following CA certificate was Removed: + - CN = ComSign + * The following CA certificates had the Websites trust bit disabled: + - CN = Certplus Root CA G1 + - CN = Certplus Root CA G2 + - CN = OpenTrust Root CA G1 + - CN = OpenTrust Root CA G2 + - CN = OpenTrust Root CA G3 + +- enable PIE support for the included binaries + +- update to NSS 3.38 + * required by Firefox 62.0 + New Functionality + * Added support for the TLS Record Size Limit Extension + * When creating a certificate request (CSR) using certutil -R, an + existing orphan private key can be reused. Parameter -k may be + used to specify the ID of an existing orphan key. The available + orphan key IDs can be displayed using command certutil -K. + * When using certutil -O to print the chain for a given certificate + nickname, the new parameter --simple-self-signed may be provided, + which can avoid ambiguous output in some scenarios. + New Functions + * SECITEM_MakeItem - Allocate and make an item with the requested contents + (secitem.h) + New Macros + * SSL_RECORD_SIZE_LIMIT - used to control the TLS Record Size Limit + Extension (in ssl.h) + Notable Changes + * Fixed CVE-2018-0495 (bmo#1464971) + * Various security fixes in the ASN.1 code + * NSS automatically enables caching for SQL database storage on + Linux, if it is located on a network filesystem that's known to + benefit from caching. + * When repeatedly importing the same certificate into an SQL database, + the existing nickname will be kept. + +- update to NSS 3.37.3 + * required by Firefox 61.0 + Notable changes: + * The TLS 1.3 implementation was updated to Draft 28. + * Added HACL* Poly1305 32-bit + * The code to support the NPN protocol has been fully removed. + * NSS allows servers now to register ALPN handling callbacks to + select a protocol. + * NSS supports opening SQL databases in read-only mode. 
+ * On Linux, some build configurations can use glibc's function + getentropy(), which uses the kernel's getrandom() function. + * The CA list was updated to version 2.24, which removed the + following CA certificates: + - CN = S-TRUST Universal Root CA + - CN = TC TrustCenter Class 3 CA II + - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5 + * Fix build on armv6/armv7 and other platforms (bmo#1459739) + +- Set USE_64 on riscv64 + +------------------------------------------------------------------- +Thu Jun 7 12:30:44 UTC 2018 - wr@rosenauer.org + +- update to NSS 3.36.4 + * required for Firefox 60.0.2 (bsc#1096515) + * Fix crash on macOS related to authentication tokens, e.g. PK11or + WebAuthn. (bmo#1461731) + Bugfixes from 3.36.2 + * Connecting to a server that was recently upgraded to TLS 1.3 + would result in a SSL_RX_MALFORMED_SERVER_HELLO error. (bmo#1462303) + * Fix a rare bug with PKCS#12 files. (bmo#1460673) +- use relro linker option (add-relro-linker-option.patch) + +------------------------------------------------------------------- +Tue Apr 24 05:58:54 UTC 2018 - wr@rosenauer.org + +- update to NSS 3.36.1 + Notable changes + * In NSS version 3.35 the iteration count in optimized builds, + which is used for password based encryption algorithm related to + encrypted PKCS#7 or PKCS#12 data, was increased to one million + iterations. That change had caused an interoperability regression + with operating systems that are limited to 600 K iterations. + NSS 3.36.1 has been changed to use the same 600 K limit. + Bugs fixed + * Certain smartcard operations could result in a deadlock. + +------------------------------------------------------------------- +Thu Mar 15 18:13:38 UTC 2018 - cgrobertson@suse.com + +- update to NSS 3.36 + New functionality + * Experimental APIs for TLS session cache handling + Notable Changes + * Replaces existing vectorized ChaCha20 code with verified + HACL* implementation. 
+- Removed patch as no longer needed: renegotiate-transitional.patch + upstream fix + +------------------------------------------------------------------- +Thu Feb 8 06:11:12 UTC 2018 - wr@rosenauer.org + +- update to NSS 3.35 + New functionality + * TLS 1.3 support has been updated to draft -23. This includes a + large number of changes since 3.34, which supported only draft + -18. See below for details. + New Types + * SSLHandshakeType - The type of a TLS handshake message. + * For the SSLSignatureScheme enum, the enumerated values + ssl_sig_rsa_pss_sha* are deprecated in response to a change in + TLS 1.3. Please use the equivalent ssl_sig_rsa_pss_rsae_sha* + for rsaEncryption keys, or ssl_sig_rsa_pss_pss_sha* for PSS keys. + Note that this release does not include support for the latter. + Notable Changes + * Previously, NSS used the DBM file format by default. Starting + with version 3.35, NSS uses the SQL file format by default. + Additional information can be found on this Fedora Linux project + page: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql + * Added formally verified implementations of non-vectorized Chacha20 + and non-vectorized Poly1305 64-bit. + * For stronger security, when creating encrypted PKCS#7 or PKCS#12 data, + the iteration count for the password based encryption algorithm + has been increased to one million iterations. Note that debug builds + will use a lower count, for better performance in test environments. + * NSS 3.30 had introduced a regression, preventing NSS from reading + some AES encrypted data, produced by older versions of NSS. + NSS 3.35 fixes this regression and restores the ability to read + affected data. 
+ * The following CA certificates were Removed:
+ OU = Security Communication EV RootCA1
+ CN = CA Disig Root R1
+ CN = DST ACES CA X6
+ Subject CN = VeriSign Class 3 Secure Server CA - G2
+ * The Websites (TLS/SSL) trust bit was turned off for the following
+ CA certificates:
+ CN = Chambers of Commerce Root
+ CN = Global Chambersign Root
+ * TLS servers are able to handle a ClientHello statelessly, if the
+ client supports TLS 1.3. If the server sends a HelloRetryRequest,
+ it is possible to discard the server socket, and make a new socket
+ to handle any subsequent ClientHello. This better enables stateless
+ server operation. (This feature is added in support of QUIC, but it
+ also has utility for DTLS 1.3 servers.)
+ * The tstclnt utility now supports DTLS, using the -P option. Note that
+ a DTLS server is also provided in tstclnt.
+ * TLS compression is no longer possible with NSS. The option can be
+ enabled, but NSS will no longer negotiate compression.
+ * The signatures of functions SSL_OptionSet, SSL_OptionGet,
+ SSL_OptionSetDefault and SSL_OptionGetDefault have been modified,
+ to take a PRIntn argument rather than PRBool. This makes it clearer,
+ that options can have values other than 0 or 1. Note this does
+ not affect ABI compatibility, because PRBool is a typedef for PRIntn.
+
+-------------------------------------------------------------------
+Tue Jan 9 12:50:19 UTC 2018 - wr@rosenauer.org
+
+- update to NSS 3.34.1
+ Changes in 3.34:
+ Notable changes
+ * The following CA certificates were Added:
+ GDCA TrustAUTH R5 ROOT
+ SSL.com Root Certification Authority RSA
+ SSL.com Root Certification Authority ECC
+ SSL.com EV Root Certification Authority RSA R2
+ SSL.com EV Root Certification Authority ECC
+ TrustCor RootCert CA-1
+ TrustCor RootCert CA-2
+ TrustCor ECA-1
+ * The following CA certificates were Removed:
+ Certum CA, O=Unizeto Sp. z o.o.
+ StartCom Certification Authority
+ StartCom Certification Authority G2
+ TÜBİTAK UEKAE Kök Sertifika Hizmet Sağlayıcısı - Sürüm 3
+ ACEDICOM Root
+ Certinomis - Autorité Racine
+ TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ PSCProcert
+ CA 沃通根证书, O=WoSign CA Limited
+ Certification Authority of WoSign
+ Certification Authority of WoSign G2
+ CA WoSign ECC Root
+ * libfreebl no longer requires SSE2 instructions
+ New functionality
+ * When listing an NSS database using certutil -L, but the database
+ hasn't yet been initialized with any non-empty or empty password,
+ the text "Database needs user init" will be included in the listing.
+ * When using certutil to set an inacceptable password in FIPS mode,
+ a correct explanation of acceptable passwords will be printed.
+ * SSLKEYLOGFILE is now supported with TLS 1.3, see bmo#1287711 for details.
+ * SSLChannelInfo has two new fields (bmo#1396525):
+ SSLNamedGroup originalKeaGroup holds the key exchange group of
+ the original handshake when the session was resumed.
+ PRBool resumed is PR_TRUE when the session is resumed and PR_FALSE
+ otherwise.
+ * RSA-PSS signatures are now supported on certificates. Certificates
+ with RSA-PSS or RSA-PKCS#1v1.5 keys can be used to create an RSA-PSS
+ signature on a certificate using the --pss-sign argument to certutil.
+ Changes in 3.34.1:
+ * The following CA certificate was Re-Added. It was removed in NSS
+ 3.34, but has been re-added with only the Email trust bit set.
+ (bmo#1418678):
+ libfreebl no longer requires SSE2 instructionsCN = Certum CA, O=Unizeto Sp. z o.o.
+ * Removed entries from certdata.txt for actively distrusted
+ certificates that have expired (bmo#1409872)
+ * The version of the CA list was set to 2.20.
+
+-------------------------------------------------------------------
+Thu Dec 7 11:13:11 UTC 2017 - dimstar@opensuse.org
+
+- Escape the usage of %{VERSION} when calling out to rpm.
+ RPM 4.14 has %{VERSION} defined as 'the main packages version'.
+
+-------------------------------------------------------------------
+Tue Oct 3 17:53:11 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.33
+ Notable changes
+ * TLS compression is no longer supported. API calls that attempt
+ to enable compression are accepted without failure. However,
+ TLS compression will remain disabled.
+ * This version of NSS uses a formally verified implementation of
+ Curve25519 on 64-bit systems.
+ * The compile time flag DISABLE_ECC has been removed.
+ * When NSS is compiled without NSS_FORCE_FIPS=1 startup checks
+ are not performed anymore.
+ * Various minor improvements and correctness fixes.
+ New functionality
+ * When listing an NSS database using certutil -L, but the database
+ hasn't yet been initialized with any non-empty or empty password,
+ the text "Database needs user init" will be included in the listing.
+ * When using certutil to set an inacceptable password in FIPS mode,
+ a correct explanation of acceptable passwords will be printed.
+ New functions
+ * CERT_FindCertByIssuerAndSNCX - a variation of existing function
+ CERT_FindCertByIssuerAndSN that accepts an additional password
+ context parameter.
+ * CERT_FindCertByNicknameOrEmailAddrCX - a variation of existing
+ function CERT_FindCertByNicknameOrEmailAddr that accepts an
+ additional password context parameter.
+ * CERT_FindCertByNicknameOrEmailAddrForUsageCX - a variation of
+ existing function CERT_FindCertByNicknameOrEmailAddrForUsage that
+ accepts an additional password context parameter.
+ * NSS_SecureMemcmpZero - check if a memory region is all zero in
+ constant time.
+ * PORT_ZAllocAligned - allocate aligned memory.
+ * PORT_ZAllocAlignedOffset - allocate aligned memory for structs.
+ * SSL_GetExperimentalAPI - access experimental APIs in libssl.
+- add patch to separate hw and sw implementations for AES and GCM
+ to avoid implicit execution of SSE2 methods if compiled for i586
+ (bmo-1400603.patch, boo#1061204)
+
+-------------------------------------------------------------------
+Fri Sep 15 13:56:36 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.32.1
+ * no upstream changelog/releasenote provided
+
+-------------------------------------------------------------------
+Tue Sep 12 09:26:03 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.32
+ Notable changes
+ * Various minor improvements and correctness fixes.
+ * The Code Signing trust bit was turned off for all included root certificates.
+ * The Websites (TLS/SSL) trust bit was turned off for the following
+ root certificates:
+ AddTrust Class 1 CA Root
+ Swisscom Root CA 2
+ * The following CA certificates were Removed:
+ AddTrust Public CA Root
+ AddTrust Qualified CA Root
+ China Internet Network Information Center EV Certificates Root
+ CNNIC ROOT
+ ComSign Secured CA
+ GeoTrust Global CA 2
+ Secure Certificate Services
+ Swisscom Root CA 1
+ Swisscom Root EV CA 2
+ Trusted Certificate Services
+ UTN-USERFirst-Hardware
+ UTN-USERFirst-Object
+- requires NSPR 4.16
+
+-------------------------------------------------------------------
+Tue Sep 12 08:56:48 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.31.1
+ * Potential deadlock when using an external PKCS#11 token (bmo#1381784)
+
+-------------------------------------------------------------------
+Sat Aug 5 13:15:09 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.31
+ New functionality
+ * Allow certificates to be specified by RFC7512 PKCS#11 URIs.
+ * Allow querying a certificate object for its temporary or permanent
+ storage status in a thread safe way.
+ New functions
+ * CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
+ certificate in a thread safe way.
+ * CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
+ certificate in a thread safe way.
+ * PK11_FindCertFromURI - find a certificate identified by the given URI.
+ * PK11_FindCertsFromURI - find a list of certificates identified by the given
+ URI.
+ * PK11_GetModuleURI - retrieve the URI of the given module.
+ * PK11_GetTokenURI - retrieve the URI of a token based on the given slot
+ information.
+ * PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
+ * PK11URI_DestroyURI - destroy a PK11URI object.
+ * PK11URI_FormatURI - format a PK11URI object to a string.
+ * PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
+ * PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
+ * PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.
+ New macros
+ * Several new macros that start with PK11URI_PATTR_ for path attributes defined
+ in RFC7512.
+ * Several new macros that start with PK11URI_QATTR_ for query attributes defined
+ in RFC7512.
+ Notable changes
+ * The APIs that set a TLS version range have been changed to trim the requested
+ range to the overlap with a systemwide crypto policy, if configured.
+ SSL_VersionRangeGetSupported can be used to query the overlap between the
+ library's supported range of TLS versions and the systemwide policy.
+ * Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a
+ failure if the requested version range wasn't fully allowed by the systemwide
+ crypto policy. They have been changed to return success, if at least one TLS
+ version overlaps between the requested range and the systemwide policy. An
+ application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to
+ query the TLS version range that was effectively activated.
+ * Corrected the encoding of Domain Name Constraints extensions created by
+ certutil.
+ * NSS supports a clean seeding mechanism for *NIX systems now using only
+ /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile
+ time.
+ * CERT_AsciiToName can handle OIDs in dotted decimal form now.
+- removed obsolete nss-fix-hash.patch
+
+-------------------------------------------------------------------
+Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.30.2
+ New Functionality
+ * In the PKCS#11 root CA module (nssckbi), CAs with positive trust
+ are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
+ set to true. Applications that need to distinguish them from other
+ other root CAs, may use the exported function PK11_HasAttributeSet.
+ * Support for callback functions that can be used to monitor SSL/TLS
+ alerts that are sent or received.
+ New Functions
+ * CERT_CompareAVA - performs a comparison of two CERTAVA structures,
+ and returns a SECComparison result.
+ * PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
+ given slot has a specific boolean attribute set.
+ * SSL_AlertReceivedCallback - register a callback function, that will
+ be called whenever an SSL/TLS alert is received
+ * SSL_AlertSentCallback - register a callback function, that will be
+ called whenever an SSL/TLS alert is sent
+ * SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
+ for use in wrapping session ticket keys, used by the server. This
+ function currently only accepts an RSA public/private key pair.
+ New Macros
+ * PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
+ cipher family identifiers corresponding to the PKCS#5 v2.1 AES
+ based encryption schemes used in the PKCS#12 support in NSS
+ * CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
+ attribute, that should be set to true, if a CA is present because
+ of it's acceptance according to the Mozilla CA Policy
+ Notable Changes
+ * The TLS server code has been enhanced to support session tickets
+ when no RSA certificate (e.g. only an ECDSA certificate) is configured.
+ * RSA-PSS signatures produced by key pairs with a modulus bit length
+ that is not a multiple of 8 are now supported.
+ * The pk12util tool now supports importing and exporting data encrypted
+ in the AES based schemes defined in PKCS#5 v2.1.
+ Root CA updates
+ * The following CA certificates were Removed
+ - O = Japanese Government, OU = ApplicationCA
+ - CN = WellsSecure Public Root Certificate Authority
+ - CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+ - CN = Microsec e-Szigno Root
+ * The following CA certificates were Added
+ - CN = D-TRUST Root CA 3 2013
+ - CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
+ * The version number of the updated root CA list has been set to 2.14
+ (bmo#1350859)
+ * Domain name constraints for one of the new CAs have been added to the
+ NSS code (bmo#1349705)
+- removed obsolete nss-bmo1320695.patch
+
+-------------------------------------------------------------------
+Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.29.5
+ * Rare crashes in the base 64 decoder and encoder were fixed.
+ (bmo#1344380)
+ * A carry over bug in the RNG was fixed.
(bmo#1345089)
+- Allow use of session tickets when there is no ticket wrapping key
+ (boo#1015499, bmo#1320695) (nss-bmo1320695.patch)
+
+-------------------------------------------------------------------
+Thu Mar 16 20:27:50 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.29.3
+ * enables TLS 1.3 by default
+- TLS 1.3 was already enabled in 3.28.x builds for openSUSE.
+ This build option was removed.
+- required for Firefox 53
+
+-------------------------------------------------------------------
+Thu Mar 16 09:11:53 UTC 2017 - rguenther@suse.com
+
+- Add nss-fix-hash.patch to fix hash computation (and build with
+ GCC 7 which complains about shifts of boolean values).
+
+-------------------------------------------------------------------
+Mon Feb 20 11:53:55 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.28.3
+ * This is a patch release to fix binary compatibility issues.
+ NSS version 3.28, 3.28.1 and 3.28.2 contained changes that were
+ in violation with the NSS compatibility promise.
+
+ ECParams, which is part of the public API of the freebl/softokn
+ parts of NSS, had been changed to include an additional attribute.
+ That size increase caused crashes or malfunctioning with applications
+ that use that data structure directly, or indirectly through
+ ECPublicKey, ECPrivateKey, NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey,
+ or potentially other data structures that reference ECParams.
+ The change has been reverted to the original state in bug
+ bmo#1334108.
+
+ SECKEYECPublicKey had been extended with a new attribute, named
+ "encoding". If an application passed type SECKEYECPublicKey to NSS
+ (as part of SECKEYPublicKey), the NSS library read the uninitialized
+ attribute. With this NSS release SECKEYECPublicKey.encoding is
+ deprecated. NSS no longer reads the attribute, and will always
+ set it to ECPoint_Undefined. See bug bmo#1340103.
+- requires NSPR >= 4.13.1
+
+-------------------------------------------------------------------
+Sun Feb 12 07:31:29 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.28.2
+ This is a stability and compatibility release. Below is a summary of
+ the changes.
+ * Fixed a NSS 3.28 regression in the signature scheme flexibility that
+ causes connectivity issues between iOS 8 clients and NSS servers
+ with ECDSA certificates (bmo#1334114)
+ * Fixed a possible crash on some Windows systems (bmo#1323150)
+ * Fixed a compatibility issue with TLS clients that do not provide a
+ list of supported key exchange groups (bmo#1330612)
+
+-------------------------------------------------------------------
+Wed Jan 18 22:00:31 UTC 2017 - wr@rosenauer.org
+
+- update to NSS 3.28.1
+ No new functionality is introduced in this release. This is a patch release to
+ update the list of root CA certificates and address a minor TLS compatibility
+ issue that some applications experienced with NSS 3.28.
+ * The following CA certificates were Removed
+ CN = Buypass Class 2 CA 1
+ CN = Root CA Generalitat Valenciana
+ OU = RSA Security 2048 V3
+ * The following CA certificates were Added
+ OU = AC RAIZ FNMT-RCM
+ CN = Amazon Root CA 1
+ CN = Amazon Root CA 2
+ CN = Amazon Root CA 3
+ CN = Amazon Root CA 4
+ CN = LuxTrust Global Root 2
+ CN = Symantec Class 1 Public Primary Certification Authority - G4
+ CN = Symantec Class 1 Public Primary Certification Authority - G6
+ CN = Symantec Class 2 Public Primary Certification Authority - G4
+ CN = Symantec Class 2 Public Primary Certification Authority - G6
+ * The version number of the updated root CA list has been set to 2.11
+ * A misleading assertion/alert has been removed when NSS tries to flush data
+ to the peer but the connection was already reset.
+- update to NSS 3.28
+ New functionality:
+ * NSS includes support for TLS 1.3 draft -18.
This includes a number
+ of improvements to TLS 1.3:
+ - The signed certificate timestamp, used in certificate
+ transparency, is supported in TLS 1.3.
+ - Key exporters for TLS 1.3 are supported. This includes the early
+ key exporter, which can be used if 0-RTT is enabled. Note that
+ there is a difference between TLS 1.3 and key exporters in older
+ versions of TLS. TLS 1.3 does not distinguish between an empty
+ context and no context.
+ - The TLS 1.3 (draft) protocol can be enabled, by defining
+ NSS_ENABLE_TLS_1_3=1 when building NSS.
+ - NSS includes support for the X25519 key exchange algorithm,
+ which is supported and enabled by default in all versions of TLS.
+ New Functions:
+ * SSL_ExportEarlyKeyingMaterial
+ * SSL_SendAdditionalKeyShares
+ * SSL_SignatureSchemePrefSet
+ * SSL_SignatureSchemePrefGet
+ Notable Changes:
+ * NSS can no longer be compiled with support for additional elliptic curves.
+ This was previously possible by replacing certain NSS source files.
+ * NSS will now detect the presence of tokens that support additional
+ elliptic curves and enable those curves for use in TLS.
+ Note that this detection has a one-off performance cost, which can be
+ avoided by using the SSL_NamedGroupConfig function to limit supported
+ groups to those that NSS provides.
+ * PKCS#11 bypass for TLS is no longer supported and has been removed.
+ * Support for "export" grade SSL/TLS cipher suites has been removed.
+ * NSS now uses the signature schemes definition in TLS 1.3.
+ This also affects TLS 1.2. NSS will now only generate signatures with the
+ combinations of hash and signature scheme that are defined in TLS 1.3,
+ even when negotiating TLS 1.2.
+ - This means that SHA-256 will only be used with P-256 ECDSA certificates,
+ SHA-384 with P-384 certificates, and SHA-512 with P-521 certificates.
+ SHA-1 is permitted (in TLS 1.2 only) with any certificate for backward
+ compatibility reasons.
+ - New functions to configure signature schemes are provided:
+ SSL_SignatureSchemePrefSet, SSL_SignatureSchemePrefGet.
+ The old SSL_SignaturePrefSet and SSL_SignaturePrefSet functions are
+ now deprecated.
+ - NSS will now no longer assume that default signature schemes are
+ supported by a peer if there was no commonly supported signature scheme.
+ * NSS will now check if RSA-PSS signing is supported by the token that holds
+ the private key prior to using it for TLS.
+ * The certificate validation code contains checks to no longer trust
+ certificates that are issued by old WoSign and StartCom CAs after
+ October 21, 2016. This is equivalent to the behavior that Mozilla will
+ release with Firefox 51.
+- update to NSS 3.27.2
+ * SSL_SetTrustAnchors leaks (bmo#1318561)
+- removed upstreamed patch
+ * nss-uninitialized.patch
+- raised the minimum softokn/freebl version to 3.28 as reported in
+ boo#1021636
+
+-------------------------------------------------------------------
+Mon Nov 14 12:35:55 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.26.2
+ * required for Firefox 50.0
+ Changes in 3.26
+ New Functionality:
+ * the selfserv test utility has been enhanced to support ALPN
+ (HTTP/1.1) and 0-RTT
+ * added support for the System-wide crypto policy available on
+ Fedora Linux see http://fedoraproject.org/wiki/Changes/CryptoPolicy
+ * introduced build flag NSS_DISABLE_LIBPKIX that allows compilation
+ of NSS without the libpkix library
+ Notable Changes:
+ * The following CA certificate was Added
+ CN = ISRG Root X1
+ * NPN is disabled and ALPN is enabled by default
+ * the NSS test suite now completes with the experimental TLS 1.3
+ code enabled
+ * several test improvements and additions, including a NIST known answer test
+ Changes in 3.26.2
+ * MD5 signature algorithms sent by the server in CertificateRequest
+ messages are now properly ignored.
Previously, with rare server
+ configurations, an MD5 signature algorithm might have been selected
+ for client authentication and caused the client to abort the
+ connection soon after.
+
+-------------------------------------------------------------------
+Mon Aug 22 13:02:08 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.25
+ New functionality:
+ * Implemented DHE key agreement for TLS 1.3
+ * Added support for ChaCha with TLS 1.3
+ * Added support for TLS 1.2 ciphersuites that use SHA384 as the PRF
+ * In previous versions, when using client authentication with TLS 1.2,
+ NSS only supported certificate_verify messages that used the same
+ signature hash algorithm as used by the PRF. This limitation has
+ been removed.
+ * Several functions have been added to the public API of the
+ NSS Cryptoki Framework.
+ New functions:
+ * NSSCKFWSlot_GetSlotID
+ * NSSCKFWSession_GetFWSlot
+ * NSSCKFWInstance_DestroySessionHandle
+ * NSSCKFWInstance_FindSessionHandle
+ Notable changes:
+ * An SSL socket can no longer be configured to allow both TLS 1.3 and SSLv3
+ * Regression fix: NSS no longer reports a failure if an application
+ attempts to disable the SSLv2 protocol.
+
+ * The list of trusted CA certificates has been updated to version 2.8
+ * The following CA certificate was Removed
+ Sonera Class1 CA
+ * The following CA certificates were Added
+ Hellenic Academic and Research Institutions RootCA 2015
+ Hellenic Academic and Research Institutions ECC RootCA 2015
+ Certplus Root CA G1
+ Certplus Root CA G2
+ OpenTrust Root CA G1
+ OpenTrust Root CA G2
+ OpenTrust Root CA G3
+
+-------------------------------------------------------------------
+Mon Aug 22 12:54:15 UTC 2016 - wr@rosenauer.org
+
+- fix build on certain toolchains (nss-uninitialized.patch)
+ jarfile.c:805:13: error: 'it' may be used uninitialized in this
+ function [-Werror=maybe-uninitialized]
+
+-------------------------------------------------------------------
+Thu Aug 4 20:28:32 UTC 2016 - wr@rosenauer.org
+
+- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236)
+
+-------------------------------------------------------------------
+Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.24
+ New functionality:
+ * NSS softoken has been updated with the latest National Institute
+ of Standards and Technology (NIST) guidance (as of 2015):
+ - Software integrity checks and POST functions are executed on
+ shared library load. These checks have been disabled by default,
+ as they can cause a performance regression. To enable these
+ checks, you must define symbol NSS_FORCE_FIPS when building NSS.
+ - Counter mode and Galois/Counter Mode (GCM) have checks to
+ prevent counter overflow.
+ - Additional CSPs are zeroed in the code.
+ - NSS softoken uses new guidance for how many Rabin-Miller tests
+ are needed to verify a prime based on prime size.
+ * NSS softoken has also been updated to allow NSS to run in FIPS
+ Level 1 (no password). This mode is triggered by setting the
+ database password to the empty string. In FIPS mode, you may move
+ from Level 1 to Level 2 (by setting an appropriate password),
+ but not the reverse.
+ * A SSL_ConfigServerCert function has been added for configuring
+ SSL/TLS server sockets with a certificate and private key. Use
+ this new function in place of SSL_ConfigSecureServer,
+ SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses,
+ and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically
+ determines the certificate type from the certificate and private key.
+ The caller is no longer required to use SSLKEAType explicitly to
+ select a "slot" into which the certificate is configured (which
+ incorrectly identifies a key agreement type rather than a certificate).
+ Separate functions for configuring Online Certificate Status Protocol
+ (OCSP) responses or Signed Certificate Timestamps are not needed,
+ since these can be added to the optional SSLExtraServerCertData struct
+ provided to SSL_ConfigServerCert. Also, partial support for RSA
+ Probabilistic Signature Scheme (RSA-PSS) certificates has been added.
+ Although these certificates can be configured, they will not be
+ used by NSS in this version.
+ New functions
+ * SSL_ConfigServerCert - Configures an SSL/TLS socket with a
+ certificate, private key, and other information.
+ * PORT_InitCheapArena - Initializes an arena that was created on
+ the stack. (See PORTCheapArenaPool.=
+ * PORT_DestroyCheapArena - Destroys an arena that was created on
+ the stack. (See PORTCheapArenaPool.)
+ New types
+ * SSLExtraServerCertData - Optionally passed as an argument to
+ SSL_ConfigServerCert. This struct contains supplementary information
+ about a certificate, such as the intended type of the certificate,
+ stapled OCSP responses, or Signed Certificate Timestamps (used for
+ certificate transparency).
+ * PORTCheapArenaPool - A stack-allocated arena pool, to be used for
+ temporary arena allocations.
+ New macros
+ * CKM_TLS12_MAC
+ * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the
+ TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used
+ only for session resumption in TLS 1.3.
+ Notable changes:
+ * Deprecate the following functions. (Applications should instead use the new
+ SSL_ConfigServerCert function.):
+ - SSL_SetStapledOCSPResponses
+ - SSL_SetSignedCertTimestamps
+ - SSL_ConfigSecureServer
+ - SSL_ConfigSecureServerWithCertChain
+ * Deprecate the NSS_FindCertKEAType function, as it reports a misleading
+ value for certificates that might be used for signing rather than
+ key exchange.
+ * Update SSLAuthType to define a larger number of authentication key types.
+ * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo.
+ Instead, applications should use the newly added attribute authType.
+ * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt.
+ * Add a shared library (libfreeblpriv3) on Linux platforms that
+ define FREEBL_LOWHASH.
+ * Remove most code related to SSL v2, including the ability to actively
+ send a SSLv2-compatible client hello. However, the server-side
+ implementation of the SSL/TLS protocol still supports processing
+ of received v2-compatible client hello messages.
+ * Disable (by default) NSS support in optimized builds for logging SSL/TLS
+ key material to a logfile if the SSLKEYLOGFILE environment variable
+ is set. To enable the functionality in optimized builds, you must define
+ the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS.
+ * Update NSS to protect it against the Cachebleed attack.
+ * Disable support for DTLS compression.
+ * Improve support for TLS 1.3. This includes support for DTLS 1.3.
+ Note that TLS 1.3 support is experimental and not suitable for
+ production use.
+- removed obsolete nss-bmo1236011.patch
+
+-------------------------------------------------------------------
+Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.23
+ New functionality:
+ * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
+ * Experimental-only support TLS 1.3 1-RTT mode (draft-11).
+ This code is not ready for production use.
+ New functions:
+ * SSL_SetDowngradeCheckVersion - Set maximum version for new
+ ServerRandom anti-downgrade mechanism. Clients that perform a
+ version downgrade (which is generally a very bad idea) call this
+ with the highest version number that they possibly support.
+ This gives them access to the version downgrade protection from
+ TLS 1.3.
+ Notable changes:
+ * The copy of SQLite shipped with NSS has been updated to version
+ 3.10.2
+ * The list of TLS extensions sent in the TLS handshake has been
+ reordered to increase compatibility of the Extended Master Secret
+ with with servers
+ * The build time environment variable NSS_ENABLE_ZLIB has been
+ renamed to NSS_SSL_ENABLE_ZLIB
+ * The build time environment variable NSS_DISABLE_CHACHAPOLY was
+ added, which can be used to prevent compilation of the
+ ChaCha20/Poly1305 code.
+ * The following CA certificates were Removed + - Staat der Nederlanden Root CA + - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado + - NetLock Kozjegyzoi (Class A) Tanusitvanykiado + - NetLock Uzleti (Class B) Tanusitvanykiado + - NetLock Expressz (Class C) Tanusitvanykiado + - VeriSign Class 1 Public PCA – G2 + - VeriSign Class 3 Public PCA + - VeriSign Class 3 Public PCA – G2 + - CA Disig + * The following CA certificates were Added + + SZAFIR ROOT CA2 + + Certum Trusted Network CA 2 + * The following CA certificate had the Email trust bit turned on + + Actalis Authentication Root CA + Security fixes: + * CVE-2016-2834: Memory safety bugs (boo#983639) + MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037 +- removed obsolete nss_gcc6_change.patch + +------------------------------------------------------------------- +Mon Apr 18 15:53:40 UTC 2016 - normand@linux.vnet.ibm.com + +- add nss_gcc6_change.patch + +------------------------------------------------------------------- +Tue Mar 15 10:25:38 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.22.3 + * required for Firefox 46.0 + * Increase compatibility of TLS extended master secret, + don't send an empty TLS extension last in the handshake + (bmo#1243641) + * Fixed a heap-based buffer overflow related to the parsing of + certain ASN.1 structures. An attacker could create a specially-crafted + certificate which, when parsed by NSS, would cause a crash or + execution of arbitrary code with the permissions of the user. 
+ (CVE-2016-1950, bmo#1245528)
+
+-------------------------------------------------------------------
+Wed Mar 9 15:42:01 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.22.2
+ New functionality:
+ * RSA-PSS signatures are now supported (bmo#1215295)
+ * Pseudorandom functions based on hashes other than SHA-1 are now supported
+ * Enforce an External Policy on NSS from a config file (bmo#1009429)
+ New functions:
+ * PK11_SignWithMechanism - an extended version PK11_Sign()
+ * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
+ * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
+ TLS extension data
+ * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
+ TLS extension data
+ New types:
+ * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
+ * Constants for several object IDs are added to SECOidTag
+ New macros:
+ * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
+ * NSS_USE_ALG_IN_SSL
+ * NSS_USE_POLICY_IN_SSL
+ * NSS_RSA_MIN_KEY_SIZE
+ * NSS_DH_MIN_KEY_SIZE
+ * NSS_DSA_MIN_KEY_SIZE
+ * NSS_TLS_VERSION_MIN_POLICY
+ * NSS_TLS_VERSION_MAX_POLICY
+ * NSS_DTLS_VERSION_MIN_POLICY
+ * NSS_DTLS_VERSION_MAX_POLICY
+ * CKP_PKCS5_PBKD2_HMAC_SHA224
+ * CKP_PKCS5_PBKD2_HMAC_SHA256
+ * CKP_PKCS5_PBKD2_HMAC_SHA384
+ * CKP_PKCS5_PBKD2_HMAC_SHA512
+ * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
+ * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
+ * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)
+ Notable changes:
+ * NSS C++ tests are built by default, requiring a C++11 compiler.
+ Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.
+ * NSS has been changed to use the PR_GetEnvSecure function that
+ was made available in NSPR 4.12
+
+-------------------------------------------------------------------
+Mon Mar 7 15:41:50 UTC 2016 - wr@rosenauer.org
+
+- update to NSS 3.21.1 (bmo#969894)
+ * required for Firefox 45.0
+ * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
+ Buffer overflow during ASN.1 decoding in NSS
+ * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
+ Use-after-free during processing of DER encoded keys in NSS
+
+-------------------------------------------------------------------
+Sun Dec 20 10:12:35 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.21
+ * required for Firefox 44.0
+ New functionality:
+ * certutil now supports a --rename option to change a nickname (bmo#1142209)
+ * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022)
+ * New info functions added for use during mid-handshake callbacks (bmo#1084669)
+ New Functions:
+ * NSS_OptionSet - sets NSS global options
+ * NSS_OptionGet - gets the current value of NSS global options
+ * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name
+ string, module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string. The module represented by the module
+ structure is not loaded. The difference with SECMOD_CreateModule is the new
+ function handles NSS configuration parameter strings.
+ * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior
+ to the handshake being completed, for use with the callbacks that are invoked
+ during the handshake
+ * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
+ for TLS
+ * SSL_SignaturePrefGet - retrieves the currently configured signature and hash
+ algorithms
+ * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that
+ can be configured with SSL_SignaturePrefSet
+ * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared
+ library string, module name string, module parameters string, NSS specific
+ parameters string, and NSS configuration parameter strings. The returned
+ strings must be freed by the caller. The difference with
+ NSS_ArgParseModuleSpec is the new function handles NSS configuration
+ parameter strings.
+ * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
+ module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string and returns a module string which the caller
+ must free when it is done. The difference with NSS_MkModuleSpec is the new
+ function handles NSS configuration parameter strings.
+ New Types:
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_MASTER_KEY_DERIVE
+ * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_KEY_AND_MAC_DERIVE
+ * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
+ * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
+ * SSLHashType - identifies a hash function
+ * SSLSignatureAndHashAlg - identifies a signature and hash function
+ * SSLPreliminaryChannelInfo - provides information about the session state
+ prior to handshake completion
+ New Macros:
+ * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum RSA key size
+ * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DH key size
+ * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DSA key size
+ * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
+ * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
+ * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
+ ECDH) cipher suites
+ * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
+ PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
+ * CKM_TLS_MAC - computes TLS Finished MAC
+ * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key
+ exchange
+ * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
+ DTLS record in a UDP packet
+ * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
+ signature and hash algorithm is available
+ * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
+ unsupported signature and hash algorithm is configured
+ * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
+ master secret is missing after having been negotiated
+ * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
+ extended master secret when previously not negotiated
+ * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended
+ master secret extension (RFC 7627)
+ * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a
+ TLS version has been selected
+ * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
+ that a TLS cipher suite has been selected
+ * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
+ preliminary information has been set
+ Notable Changes:
+ * NSS now builds with elliptic curve ciphers enabled by default (bmo#1205688)
+ * NSS now builds with warnings as errors (bmo#1182667)
+ * The following CA certificates were Removed
+ - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+ - CN = UTN-USERFirst-Network Applications
+ - CN = TC TrustCenter Universal CA III
+ - CN = A-Trust-nQual-03
+ - CN = USERTrust Legacy Secure Server CA
+ - Friendly Name: Digital Signature Trust Co. Global CA 1
+ - Friendly Name: Digital Signature Trust Co. Global CA 3
+ - CN = UTN - DATACorp SGC
+ - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Kasım 2005
+ * The following CA certificate had the Websites trust bit turned off
+ - OU = Equifax Secure Certificate Authority
+ * The following CA certificates were Added
+ - CN = Certification Authority of WoSign G2
+ - CN = CA WoSign ECC Root
+ - CN = OISTE WISeKey Global Root GB CA
+- increased the minimum level of possible mixed installations
+ (softokn3, freebl3) to 3.21
+- added nss-bmo1236011.patch to fix compiler error (bmo#1236011)
+- disabled testsuite as it currently breaks (bmo#1236340)
+
+-------------------------------------------------------------------
+Sat Dec 19 17:13:21 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.20.2 (bnc#959888)
+ * MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
+ MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
+ server signature
+
+-------------------------------------------------------------------
+Sun Oct 25 14:44:21 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.20.1 (bnc#952810)
+ * requires NSPR 4.10.10
+ * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868)
+ memory corruption issues
+
+-------------------------------------------------------------------
+Thu Sep 24 15:41:09 UTC 2015 - fstrba@suse.com
+
+- Install the static libfreebl.a that is needed in order to link
+ Sun elliptical curves provider in Java 7.
+
+-------------------------------------------------------------------
+Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.20
+ New functionality:
+ * The TLS library has been extended to support DHE ciphersuites in
+ server applications.
+ New Functions:
+ * SSL_DHEGroupPrefSet - Configure the set of allowed/enabled DHE group
+ parameters that can be used by NSS for a server socket.
+ * SSL_EnableWeakDHEPrimeGroup - Enable the use of weak DHE group
+ parameters that are smaller than the library default's minimum size.
+ New Types:
+ * SSLDHEGroupType - Enumerates the set of DHE parameters embedded in
+ NSS that can be used with function SSL_DHEGroupPrefSet.
+ New Macros:
+ * SSL_ENABLE_SERVER_DHE - A socket option user to enable or disable
+ DHE ciphersuites for a server socket.
+ Notable Changes:
+ * For backwards compatibility reasons, the server side implementation
+ of the TLS library keeps all DHE ciphersuites disabled by default.
+ They can be enabled with the new socket option SSL_ENABLE_SERVER_DHE
+ and the SSL_OptionSet or the SSL_OptionSetDefault API.
+ * The server side implementation of the TLS implementation does not
+ support session tickets when using a DHE ciphersuite (see bmo#1174677).
+ * Support for the following ciphersuites has been added:
+ - TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
+ - TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
+ - TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
+ * By default, the server side TLS implementation will use DHE
+ parameters with a size of 2048 bits when using DHE ciphersuites.
+ * NSS embeds fixed DHE parameters sized 2048, 3072, 4096, 6144 and
+ 8192 bits, which were copied from version 08 of the Internet-Draft
+ "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for
+ TLS", Appendix A.
+ * A new API SSL_DHEGroupPrefSet has been added to NSS, which allows a
+ server application to select one or multiple of the embedded DHE
+ parameters as the preferred parameters. The current implementation of
+ NSS will always use the first entry in the array that is passed as a
+ parameter to the SSL_DHEGroupPrefSet API. In future versions of the
+ TLS implementation, a TLS client might signal a preference for
+ certain DHE parameters, and the NSS TLS server side implementation
+ might select a matching entry from the set of parameters that have
+ been configured as preferred on the server side.
+ * NSS optionally supports the use of weak DHE parameters with DHE
+ ciphersuites to support legacy clients. In order to enable this
+ support, the new API SSL_EnableWeakDHEPrimeGroup must be used. Each
+ time this API is called for the first time in a process, a fresh set
+ of weak DHE parameters will be randomly created, which may take a
+ long amount of time. Please refer to the comments in the header file
+ that declares the SSL_EnableWeakDHEPrimeGroup API for additional
+ details.
+ * The size of the default PQG parameters used by certutil when
+ creating DSA keys has been increased to use 2048 bit parameters.
+ * The selfserv utility has been enhanced to support the new DHE features.
+ * NSS no longer supports C compilers that predate the ANSI C standard (C89).
+
+-------------------------------------------------------------------
+Thu Sep 24 09:38:17 UTC 2015 - wr@rosenauer.org
+
+- update to NSS 3.19.3; certstore updates only
+ * The following CA certificates were removed
+ - Buypass Class 3 CA 1
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
+ - SG TRUST SERVICES RACINE
+ - TC TrustCenter Universal CA I
+ - TC TrustCenter Class 2 CA II
+ * The following CA certificate had the Websites trust bit turned off
+ - ComSign Secured CA
+ * The following CA certificates were added
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H5
+ - TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
+ - Certinomis - Root CA
+ * The version number of the updated root CA list has been set to 2.5
+
+-------------------------------------------------------------------
+Thu Sep 24 09:31:11 UTC 2015 - fstrba@suse.com
+
+- Install blapi.h and algmac.h that are needed in order to build
+ Sun elliptical curves provider in Java 7
+
+-------------------------------------------------------------------
+Wed Jun 24 12:45:09 UTC 2015 - meissner@suse.com
+
+- as the .chk files are contained in libfreebl3 and libsoftokn
+ directly, provide the -hmac alias names to help :42 building.
+
+-------------------------------------------------------------------
+Tue Jun 23 06:00:13 UTC 2015 - wr@rosenauer.org
+
+- update to 3.19.2
+ * required for Firefox 39.0
+ * No new functionality is introduced in this release. This release
+ addresses a backwards compatibility issue with the NSS 3.19.1
+ release.
+ * In NSS 3.19.1, the minimum key sizes that the freebl cryptographic
+ implementation (part of the softoken cryptographic module used
+ by default by NSS) was willing to generate or use was increased
+ - for RSA keys, to 512 bits, and for DH keys, 1023 bits. This
+ was done as part of a security fix for Bug 1138554 / CVE-2015-4000.
+ Applications that requested or attempted to use keys smaller
+ then the minimum size would fail. However, this change in behaviour
+ unintentionally broke existing NSS applications that need to
+ generate or use such keys, via APIs such as
+ SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey.
+
+-------------------------------------------------------------------
+Sun May 31 13:22:47 UTC 2015 - wr@rosenauer.org
+
+- update to 3.19.1
+ No new functionality is introduced in this release. This patch
+ release includes a fix for the recently published logjam attack.
+ Notable Changes:
+ * The minimum strength of keys that libssl will accept for
+ finite field algorithms (RSA, Diffie-Hellman, and DSA) have
+ been increased to 1023 bits (bmo#1138554).
+ (MFSA 2015-70/CVE-2015-4000)
+ * NSS reports the bit length of keys more accurately. Thus,
+ the SECKEY_PublicKeyStrength and SECKEY_PublicKeyStrengthInBits
+ functions could report smaller values for values that have
+ leading zero values. This affects the key strength values that
+ are reported by SSL_GetChannelInfo.
+ * NSS incorrectly permits skipping of ServerKeyExchange
+ (bmo#1086145) (MFSA 2015-71/CVE-2015-2721)
+
+-------------------------------------------------------------------
+Sat May 23 07:36:27 UTC 2015 - wr@rosenauer.org
+
+- update to 3.19
+ * Firefox target release 39
+ New functionality:
+ * For some certificates, such as root CA certificates, that don't
+ embed any constraints, NSS might impose additional constraints,
+ such as name constraints. A new API has been added that allows
+ to lookup imposed constraints.
+ * It is possible to override the directory in which the NSS build
+ system will look for the sqlite library.
+ New Functions:
+ * CERT_GetImposedNameConstraints
+ Notable Changes:
+ * The SSL 3 protocol has been disabled by default.
+ * NSS now more strictly validates TLS extensions and will fail a
+ handshake that contains malformed extensions.
+ * Fixed a bug related to the ordering of TLS handshake messages.
+ * In TLS 1.2 handshakes, NSS advertises support for the SHA512
+ hash algorithm, in order to be compatible with TLS servers
+ that use certificates with a SHA512 signature.
+
+-------------------------------------------------------------------
+Thu Apr 23 06:35:27 UTC 2015 - wr@rosenauer.org
+
+- update to 3.18.1
+ * Firefox target release 38
+ * No new functionality is introduced in this release.
+ Notable Changes:
+ * The following CA certificate had the Websites and Code Signing
+ trust bits restored to their original state to allow more time
+ to develop a better transition strategy for affected sites:
+ - OU = Equifax Secure Certificate Authority
+ * The following CA certificate was removed:
+ - CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
+ * The following intermediate CA certificate has been added as
+ actively distrusted because it was mis-used to issue certificates
+ for domain names the holder did not own or control:
+ - CN=MCSHOLDING TEST, O=MCSHOLDING, C=EG
+ * The version number of the updated root CA list has been set
+ to 2.4
+
+-------------------------------------------------------------------
+Fri Apr 3 08:34:59 UTC 2015 - wr@rosenauer.org
+
+- update to 3.18
+ * Firefox target release 38
+ New functionality:
+ * When importing certificates and keys from a PKCS#12 source,
+ it's now possible to override the nicknames, prior to importing
+ them into the NSS database, using new API
+ SEC_PKCS12DecoderRenameCertNicknames.
+ * The tstclnt test utility program has new command-line options
+ -C, -D, -b and -R.
+ Use -C one, two or three times to print information about the
+ certificates received from a server, and information about the
+ locally found and trusted issuer certificates, to diagnose
+ server side configuration issues. It is possible to run tstclnt
+ without providing a database (-D). A PKCS#11 library that
+ contains root CA certificates can be loaded by tstclnt, which
+ may either be the nssckbi library provided by NSS (-b) or
+ another compatible library (-R).
+ New Functions:
+ * SEC_CheckCrlTimes
+ * SEC_GetCrlTimes
+ * SEC_PKCS12DecoderRenameCertNicknames
+ New Types:
+ * SEC_PKCS12NicknameRenameCallback
+ Notable Changes:
+ * The highest TLS protocol version enabled by default has been
+ increased from TLS 1.0 to TLS 1.2. Similarly, the highest DTLS
+ protocol version enabled by default has been increased from
+ DTLS 1.0 to DTLS 1.2.
+ * The default key size used by certutil when creating an RSA key
+ pair has been increased from 1024 bits to 2048 bits.
+ * The following CA certificates had the Websites and Code Signing
+ trust bits turned off:
+ - Equifax Secure Certificate Authority
+ - Equifax Secure Global eBusiness CA-1
+ - TC TrustCenter Class 3 CA II
+ * The following CA certificates were added:
+ - Staat der Nederlanden Root CA - G3
+ - Staat der Nederlanden EV Root CA
+ - IdenTrust Commercial Root CA 1
+ - IdenTrust Public Sector Root CA 1
+ - S-TRUST Universal Root CA
+ - Entrust Root Certification Authority - G2
+ - Entrust Root Certification Authority - EC1
+ - CFCA EV ROOT
+ * The version number of the updated root CA list has been set
+ to 2.3
+- add the changes file as source so the .src.rpm builds (used for
+ fake build time)
+
+-------------------------------------------------------------------
+Sat Jan 31 17:53:49 UTC 2015 - wr@rosenauer.org
+
+- update to 3.17.4
+ * Firefox target release 36
+ Notable Changes:
+ * bmo#1084986: If an SSL/TLS connection fails, because client and
+ server don't have any common protocol version enabled,
+ NSS has been changed to report error code
+ SSL_ERROR_UNSUPPORTED_VERSION (instead of reporting
+ SSL_ERROR_NO_CYPHER_OVERLAP).
+ * bmo#1112461: libpkix was fixed to prefer the newest certificate,
+ if multiple certificates match.
+ * bmo#1094492: fixed a memory corruption issue during failure of
+ keypair generation.
+ * bmo#1113632: fixed a failure to reload a PKCS#11 module in FIPS
+ mode.
+ * bmo#1119983: fixed interoperability of NSS server code with a
+ LibreSSL client.
+
+-------------------------------------------------------------------
+Sat Dec 6 18:27:12 UTC 2014 - wr@rosenauer.org
+
+- update to 3.17.3
+ New functionality:
+ * Support for TLS_FALLBACK_SCSV has been added to the ssltap and
+ tstclnt utilities
+ Notable Changes:
+ * The QuickDER decoder now decodes lengths robustly
+ (CVE-2014-1569)
+ * The following 1024-bit CA certificates were removed:
+ - GTE CyberTrust Global Root
+ - Thawte Server CA
+ - Thawte Premium Server CA
+ - America Online Root Certification Authority 1
+ - America Online Root Certification Authority 2
+ * The following CA certificates had the Websites and Code Signing
+ trust bits turned off:
+ - Class 3 Public Primary Certification Authority - G2
+ - Equifax Secure eBusiness CA-1
+ * The following CA certificates were added:
+ - COMODO RSA Certification Authority
+ - USERTrust RSA Certification Authority
+ - USERTrust ECC Certification Authority
+ - GlobalSign ECC Root CA - R4
+ - GlobalSign ECC Root CA - R5
+ * the version number of the updated root CA list has been set
+ to 2.2
+
+-------------------------------------------------------------------
+Thu Oct 16 19:15:27 UTC 2014 - wr@rosenauer.org
+
+- update to 3.17.2
+ Bugfix release
+ * bmo#1049435 - Importing an RSA private key fails if p < q
+ * bmo#1057161 - NSS hangs with 100% CPU on invalid EC key
+ * bmo#1078669 - certutil crashes when using the --certVersion parameter
+
+-------------------------------------------------------------------
+Tue Sep 23 21:30:16 UTC 2014 - wr@rosenauer.org
+
+- update to 3.17.1 (bnc#897890)
+ * MFSA 2014-73/CVE-2014-1568 (bmo#1064636, bmo#1069405)
+ RSA Signature Forgery in NSS
+ * Change library's signature algorithm default to SHA256
+ * Add support for draft-ietf-tls-downgrade-scsv
+ * Add clang-cl support to the NSS build system
+ * Implement TLS 1.3:
+ * Part 1. Negotiate TLS 1.3
+ * Part 2. Remove deprecated cipher suites andcompression.
+ * Add support for little-endian powerpc64
+
+-------------------------------------------------------------------
+Fri Aug 29 11:53:10 UTC 2014 - wr@rosenauer.org
+
+- update to 3.17
+ * required for Firefox 33
+ New functionality:
+ * When using ECDHE, the TLS server code may be configured to generate
+ a fresh ephemeral ECDH key for each handshake, by setting the
+ SSL_REUSE_SERVER_ECDHE_KEY socket option to PR_FALSE. The
+ SSL_REUSE_SERVER_ECDHE_KEY option defaults to PR_TRUE, which means
+ the server's ephemeral ECDH key is reused for multiple handshakes.
+ This option does not affect the TLS client code, which always
+ generates a fresh ephemeral ECDH key for each handshake.
+ New Macros
+ * SSL_REUSE_SERVER_ECDHE_KEY
+ Notable Changes:
+ * The manual pages for the certutil and pp tools have been updated to
+ document the new parameters that had been added in NSS 3.16.2.
+ * On Windows, the new build variable USE_STATIC_RTL can be used to
+ specify the static C runtime library should be used. By default the
+ dynamic C runtime library is used.
+
+-------------------------------------------------------------------
+Tue Aug 12 10:56:55 UTC 2014 - wr@rosenauer.org
+
+- update to 3.16.4 (bnc#894201)
+ * now required for Firefox 32
+ Notable Changes:
+ * The following 1024-bit root CA certificate was restored to allow more
+ time to develop a better transition strategy for affected sites. It was
+ removed in NSS 3.16.3, but discussion in the mozilla.dev.security.policy
+ forum led to the decision to keep this root included longer in order to
+ give website administrators more time to update their web servers.
+ - CN = GTE CyberTrust Global Root
+ * In NSS 3.16.3, the 1024-bit "Entrust.net Secure Server Certification
+ Authority" root CA certificate was removed. In NSS 3.16.4, a 2048-bit
+ intermediate CA certificate has been included, without explicit trust.
+ The intention is to mitigate the effects of the previous removal of the
+ 1024-bit Entrust.net root certificate, because many public Internet
+ sites still use the "USERTrust Legacy Secure Server CA" intermediate
+ certificate that is signed by the 1024-bit Entrust.net root certificate.
+ The inclusion of the intermediate certificate is a temporary measure to
+ allow those sites to function, by allowing them to find a trust path to
+ another 2048-bit root CA certificate. The temporarily included
+ intermediate certificate expires November 1, 2015.
+
+-------------------------------------------------------------------
+Sat Jul 5 12:10:36 UTC 2014 - wr@rosenauer.org
+
+- update to 3.16.3
+ * required for Firefox 32
+ New Functions:
+ * CERT_GetGeneralNameTypeFromString (This function was already added
+ in NSS 3.16.2, however, it wasn't declared in a public header file.)
+ Notable Changes:
+ * The following 1024-bit CA certificates were removed
+ - Entrust.net Secure Server Certification Authority
+ - GTE CyberTrust Global Root
+ - ValiCert Class 1 Policy Validation Authority
+ - ValiCert Class 2 Policy Validation Authority
+ - ValiCert Class 3 Policy Validation Authority
+ * Additionally, the following CA certificate was removed as
+ requested by the CA:
+ - TDC Internet Root CA
+ * The following CA certificates were added:
+ - Certification Authority of WoSign
+ - CA 沃通根证书
+ - DigiCert Assured ID Root G2
+ - DigiCert Assured ID Root G3
+ - DigiCert Global Root G2
+ - DigiCert Global Root G3
+ - DigiCert Trusted Root G4
+ - QuoVadis Root CA 1 G3
+ - QuoVadis Root CA 2 G3
+ - QuoVadis Root CA 3 G3
+ * The Trust Bits were changed for the following CA certificates
+ - Class 3 Public Primary Certification Authority
+ - Class 3 Public Primary Certification Authority
+ - Class 2 Public Primary Certification Authority - G2
+ - VeriSign Class 2 Public Primary Certification Authority - G3
+ - AC Raíz Certicámara S.A.
+ - NetLock Uzleti (Class B) Tanusitvanykiado
+ - NetLock Expressz (Class C) Tanusitvanykiado
+- changes in 3.16.2
+ New functionality:
+ * DTLS 1.2 is supported.
+ * The TLS application layer protocol negotiation (ALPN) extension
+ is also supported on the server side.
+ * RSA-OEAP is supported. Use the new PK11_PrivDecrypt and
+ PK11_PubEncrypt functions with the CKM_RSA_PKCS_OAEP mechanism.
+ * New Intel AES assembly code for 32-bit and 64-bit Windows,
+ contributed by Shay Gueron and Vlad Krasnov of Intel.
+ New Functions:
+ * CERT_AddExtensionByOID
+ * PK11_PrivDecrypt
+ * PK11_PubEncrypt
+ New Macros
+ * SSL_ERROR_NEXT_PROTOCOL_NO_CALLBACK
+ * SSL_ERROR_NEXT_PROTOCOL_NO_PROTOCOL
+ Notable Changes:
+ * The btoa command has a new command-line option -w suffix, which
+ causes the output to be wrapped in BEGIN/END lines with the
+ given suffix
+ * The certutil commands supports additionals types of subject
+ alt name extensions.
+ * The certutil command supports generic certificate extensions,
+ by loading binary data from files, which have been prepared using
+ external tools, or which have been extracted from other existing
+ certificates and dumped to file.
+ * The certutil command supports three new certificate usage specifiers.
+ * The pp command supports printing UTF-8 (-u).
+ * On Linux, NSS is built with the -ffunction-sections -fdata-sections
+ compiler flags and the --gc-sections linker flag to allow unused
+ functions to be discarded.
+
+-------------------------------------------------------------------
+Thu May 8 05:46:17 UTC 2014 - wr@rosenauer.org
+
+- update to 3.16.1
+ * required for Firefox 31
+ New functionality:
+ * Added the "ECC" flag for modutil to select the module used for
+ elliptic curve cryptography (ECC) operations.
+ New Functions:
+ * PK11_ExportDERPrivateKeyInfo/PK11_ExportPrivKeyInfo
+ exports a private key in a DER-encoded ASN.1 PrivateKeyInfo type
+ or a SECKEYPrivateKeyInfo structure. Only RSA private keys are
+ supported now.
+ * SECMOD_InternalToPubMechFlags
+ converts from NSS-internal to public representation of mechanism
+ flags
+ New Types:
+ * ssl_padding_xtn
+ the value of this enum constant changed from the experimental
+ value 35655 to the IANA-assigned value 21
+ New Macros
+ * PUBLIC_MECH_ECC_FLAG
+ a public mechanism flag for elliptic curve cryptography (ECC)
+ operations
+ * SECMOD_ECC_FLAG
+ an NSS-internal mechanism flag for elliptic curve cryptography
+ (ECC) operations. This macro has the same numeric value as
+ PUBLIC_MECH_ECC_FLAG.
+ Notable Changes:
+ * Imposed name constraints on the French government root CA ANSSI
+ (DCISS).
+
+-------------------------------------------------------------------
+Fri Mar 21 21:16:31 UTC 2014 - wr@rosenauer.org
+
+- update to 3.16
+ * required for Firefox 29
+ * bmo#903885 - (CVE-2014-1492) In a wildcard certificate, the wildcard
+ character should not be embedded within the U-label of an
+ internationalized domain name. See the last bullet point in RFC 6125,
+ Section 7.2.
+ * Supports the Linux x32 ABI. To build for the Linux x32 target, set
+ the environment variable USE_X32=1 when building NSS.
+ New Functions:
+ * NSS_CMSSignerInfo_Verify
+ New Macros
+ * TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, etc.,
+ cipher suites that were first defined in SSL 3.0 can now be referred
+ to with their official IANA names in TLS, with the TLS_ prefix.
+ Previously, they had to be referred to with their names in SSL 3.0,
+ with the SSL_ prefix.
+ Notable Changes:
+ * ECC is enabled by default. It is no longer necessary to set the
+ environment variable NSS_ENABLE_ECC=1 when building NSS. To disable
+ ECC, set the environment variable NSS_DISABLE_ECC=1 when building NSS.
+ * libpkix should not include the common name of CA as DNS names when
+ evaluating name constraints.
+ * AESKeyWrap_Decrypt should not return SECSuccess for invalid keys.
+ * Fix a memory corruption in sec_pkcs12_new_asafe.
+ * If the NSS_SDB_USE_CACHE environment variable is set, skip the runtime
+ test sdb_measureAccess.
+ * The built-in roots module has been updated to version 1.97, which
+ adds, removes, and distrusts several certificates.
+ * The atob utility has been improved to automatically ignore lines of
+ text that aren't in base64 format.
+ * The certutil utility has been improved to support creation of
+ version 1 and version 2 certificates, in addition to the existing
+ version 3 support.
+
+-------------------------------------------------------------------
+Tue Feb 25 11:31:18 UTC 2014 - wr@rosenauer.org
+
+- update to 3.15.5
+ * required for Firefox 28
+ * export FREEBL_LOWHASH to get the correct default headers
+ (bnc#865539)
+ New functionality
+ * Added support for the TLS application layer protocol negotiation
+ (ALPN) extension. Two SSL socket options, SSL_ENABLE_NPN and
+ SSL_ENABLE_ALPN, can be used to control whether NPN or ALPN (or both)
+ should be used for application layer protocol negotiation.
+ * Added the TLS padding extension. The extension type value is 35655,
+ which may change when an official extension type value is assigned
+ by IANA. NSS automatically adds the padding extension to ClientHello
+ when necessary.
+ * Added a new macro CERT_LIST_TAIL, defined in certt.h, for getting
+ the tail of a CERTCertList.
+ Notable Changes
+ * bmo#950129: Improve the OCSP fetching policy when verifying OCSP
+ responses
+ * bmo#949060: Validate the iov input argument (an array of PRIOVec
+ structures) of ssl_WriteV (called via PR_Writev). Applications should
+ still take care when converting struct iov to PRIOVec because the
+ iov_len members of the two structures have different types
+ (size_t vs. int). size_t is unsigned and may be larger than int.
+
+-------------------------------------------------------------------
+Thu Feb 20 10:55:30 UTC 2014 - aj@ajaissle.de
+
+- BuildRequire mozilla-nspr >= 4.9
+
+-------------------------------------------------------------------
+Tue Jan 7 08:39:04 UTC 2014 - wr@rosenauer.org
+
+- update to 3.15.4
+ * required for Firefox 27
+ * regular CA root store update (1.96)
+ * Reordered the cipher suites offered in SSL/TLS client hello
+ messages to match modern best practices.
+ * Improved SSL/TLS false start. In addition to enabling the
+ SSL_ENABLE_FALSE_START option, an application must now register
+ a callback using the SSL_SetCanFalseStartCallback function.
+ * When false start is enabled, libssl will sometimes return
+ unencrypted, unauthenticated data from PR_Recv
+ (CVE-2013-1740, bmo#919877)
+ * MFSA 2014-12/CVE-2014-1490/CVE-2014-1491
+ NSS ticket handling issues
+ New functionality
+ * Implemented OCSP querying using the HTTP GET method, which is
+ the new default, and will fall back to the HTTP POST method.
+ * Implemented OCSP server functionality for testing purposes
+ (httpserv utility).
+ * Support SHA-1 signatures with TLS 1.2 client authentication.
+ * Added the --empty-password command-line option to certutil,
+ to be used with -N: use an empty password when creating a new
+ database.
+ * Added the -w command-line option to pp: don't wrap long output
+ lines.
+ New functions
+ * CERT_ForcePostMethodForOCSP
+ * CERT_GetSubjectNameDigest
+ * CERT_GetSubjectPublicKeyDigest
+ * SSL_PeerCertificateChain
+ * SSL_RecommendedCanFalseStart
+ * SSL_SetCanFalseStartCallback
+ New types
+ * CERT_REV_M_FORCE_POST_METHOD_FOR_OCSP: When this flag is used,
+ libpkix will never attempt to use the HTTP GET method for OCSP
+ requests; it will always use POST.
+- removed obsolete char.patch
+
+-------------------------------------------------------------------
+Thu Dec 5 18:59:27 UTC 2013 - wr@rosenauer.org
+
+- update to 3.15.3.1 (bnc#854367)
+ * includes certstore update (1.95) (bmo#946351)
+ (explicitely distrust AC DG Tresor SSL)
+
+-------------------------------------------------------------------
+Wed Dec 4 14:40:39 CET 2013 - mls@suse.de
+
+- adapt specfile to ppc64le
+
+-------------------------------------------------------------------
+Mon Nov 11 22:11:57 UTC 2013 - wr@rosenauer.org
+
+- update to 3.15.3 (bnc#850148)
+ * CERT_VerifyCert returns SECSuccess (saying certificate is good)
+ even for bad certificates, when the CERTVerifyLog log parameter
+ is given (bmo#910438)
+ * NSS advertises TLS 1.2 ciphersuites in a TLS 1.1 ClientHello
+ (bmo#919677)
+ * fix CVE-2013-5605
+
+-------------------------------------------------------------------
+Sat Sep 28 04:20:41 UTC 2013 - crrodriguez@opensuse.org
+
+- update to 3.15.2 (bnc#842979)
+ * Support for AES-GCM ciphersuites that use the SHA-256 PRF
+ * MD2, MD4, and MD5 signatures are no longer accepted for OCSP
+ or CRLs
+ * Add PK11_CipherFinal macro
+ * sizeof() used incorrectly
+ * nssutil_ReadSecmodDB() leaks memory
+ * Allow SSL_HandshakeNegotiatedExtension to be called before
+ the handshake is finished.
+ * Deprecate the SSL cipher policy code
+ * Avoid uninitialized data read in the event of a decryption
+ failure. (CVE-2013-1739)
+
+-------------------------------------------------------------------
+Fri Jul 5 08:08:57 UTC 2013 - lnussel@suse.de
+
+- fix 32bit requirement, it's without () actually
+
+-------------------------------------------------------------------
+Wed Jul 3 11:55:58 UTC 2013 - wr@rosenauer.org
+
+- update to 3.15.1
+ * TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites
+ (RFC 5246 and RFC 5289) are supported, allowing TLS to be used
+ without MD5 and SHA-1.
+ Note the following limitations: + The hash function used in the signature for TLS 1.2 client + authentication must be the hash function of the TLS 1.2 PRF, + which is always SHA-256 in NSS 3.15.1. + AES GCM cipher suites are not yet supported. + * some bugfixes and improvements + +------------------------------------------------------------------- +Fri Jun 28 09:27:24 UTC 2013 - lnussel@suse.de + +- require libnssckbi instead of mozilla-nss-certs so p11-kit can + conflict with the latter (fate#314991) + +------------------------------------------------------------------- +Tue Jun 11 04:58:56 UTC 2013 - wr@rosenauer.org + +- update to 3.15 + * Packaging + + removed obsolete patches + * nss-disable-expired-testcerts.patch + * bug-834091.patch + * New Functionality + + Support for OCSP Stapling (RFC 6066, Certificate Status + Request) has been added for both client and server sockets. + TLS client applications may enable this via a call to + SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); + + Added function SECITEM_ReallocItemV2. It replaces function + SECITEM_ReallocItem, which is now declared as obsolete. + + Support for single-operation (eg: not multi-part) symmetric + key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. + + certutil has been updated to support creating name constraints + extensions. + * New Functions + in ssl.h + SSL_PeerStapledOCSPResponse - Returns the server's stapled + OCSP response, when used with a TLS client socket that + negotiated the status_request extension. + SSL_SetStapledOCSPResponses - Set's a stapled OCSP response + for a TLS server socket to return when clients send the + status_request extension. + in ocsp.h + CERT_PostOCSPRequest - Primarily intended for testing, permits + the sending and receiving of raw OCSP request/responses. + in secpkcs7.h + SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 + signature at a specific time other than the present time. 
+ in xconst.h + CERT_EncodeNameConstraintsExtension - Matching function for + CERT_DecodeNameConstraintsExtension, added in NSS 3.10. + in secitem.h + SECITEM_AllocArray + SECITEM_DupArray + SECITEM_FreeArray + SECITEM_ZfreeArray - Utility functions to handle the + allocation and deallocation of SECItemArrays + SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is + now obsolete. SECITEM_ReallocItemV2 better matches caller + expectations, in that it updates item->len on allocation. + For more details of the issues with SECITEM_ReallocItem, + see Bug 298649 and Bug 298938. + in pk11pub.h + PK11_Decrypt - Performs decryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + PK11_Encrypt - Performs encryption as a single PKCS#11 + operation (eg: not multi-part). This is necessary for AES-GCM. + * New Types + in secitem.h + SECItemArray - Represents a variable-length array of SECItems. + * New Macros + in ssl.h + SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure + TLS client sockets to request the certificate_status extension + (eg: OCSP stapling) when set to PR_TRUE + * Notable changes + + SECITEM_ReallocItem is now deprecated. Please consider using + SECITEM_ReallocItemV2 in all future code. + + The list of root CA certificates in the nssckbi module has + been updated. + + The default implementation of SSL_AuthCertificate has been + updated to add certificate status responses stapled by the TLS + server to the OCSP cache. 
+ * a lot of bugfixes
+
+-------------------------------------------------------------------
+Tue Apr 16 10:27:04 UTC 2013 - idonmez@suse.com
+
+- Add Source URL, see https://en.opensuse.org/SourceUrls
+
+-------------------------------------------------------------------
+Sun Mar 24 20:07:59 UTC 2013 - wr@rosenauer.org
+
+- disable tests with expired certificates
+ (nss-disable-expired-testcerts.patch)
+- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from
+ mozilla tree to fulfill Firefox 21 requirements
+ (bug-834091.patch; bmo#834091)
+
+-------------------------------------------------------------------
+Thu Feb 28 21:55:49 UTC 2013 - wr@rosenauer.org
+
+- update to 3.14.3
+ * No new major functionality is introduced in this release. This
+ release is a patch release to address CVE-2013-1620 (bmo#822365)
+ * "certutil -a" was not correctly producing ASCII output as
+ requested. (bmo#840714)
+ * NSS 3.14.2 broke compilation with older versions of sqlite that
+ lacked the SQLITE_FCNTL_TEMPFILENAME file control.
NSS 3.14.3 now + properly compiles when used with older versions of sqlite + (bmo#837799) - remove system-sqlite.patch +- add aarch64 support + +------------------------------------------------------------------- +Tue Feb 5 12:51:56 UTC 2013 - wr@rosenauer.org + +- added system-sqlite.patch (bmo#837799) + * do not depend on latest sqlite just for a #define +- enable system sqlite usage again + +------------------------------------------------------------------- +Sat Feb 2 16:05:20 UTC 2013 - wr@rosenauer.org + +- update to 3.14.2 + * required for Firefox >= 20 + * removed obsolete nssckbi update patch + * MFSA 2013-40/CVE-2013-0791 (bmo#629816) + Out-of-bounds array read in CERT_DecodeCertPackage +- disable system sqlite usage since we depend on 3.7.15 which is + not provided in any openSUSE distribution + * add nss-sqlitename.patch to avoid any name clash + +------------------------------------------------------------------- +Sun Dec 30 17:59:34 UTC 2012 - wr@rosenauer.org + +- updated CA database (nssckbi-1.93.patch) + * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) + revoke mis-issued intermediate certificates from TURKTRUST + +------------------------------------------------------------------- +Tue Dec 18 13:36:09 UTC 2012 - wr@rosenauer.org + +- update to 3.14.1 RTM + * minimal requirement for Gecko 20 + * several bugfixes + +------------------------------------------------------------------- +Thu Oct 25 12:02:22 UTC 2012 - wr@rosenauer.org + +- update to 3.14 RTM + * Support for TLS 1.1 (RFC 4346) + * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) + * Support for AES-CTR, AES-CTS, and AES-GCM + * Support for Keying Material Exporters for TLS (RFC 5705) + * Support for certificate signatures using the MD5 hash algorithm + is now disabled by default + * The NSS license has changed to MPL 2.0. Previous releases were + released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. 
For more
+ information about MPL 2.0, please see
+ http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional
+ explanation on GPL/LGPL compatibility, see security/nss/COPYING
+ in the source code.
+ * Export and DES cipher suites are disabled by default. Non-ECC
+ AES and Triple DES cipher suites are enabled by default
+- disabled OCSP testcases since they need external network
+ (nss-disable-ocsp-test.patch)
+
+-------------------------------------------------------------------
+Wed Aug 15 13:57:42 UTC 2012 - wr@rosenauer.org
+
+- update to 3.13.6 RTM
+ * root CA update
+ * other bugfixes
+
+-------------------------------------------------------------------
+Fri Jun 1 18:46:28 UTC 2012 - wr@rosenauer.org
+
+- update to 3.13.5 RTM
+
+-------------------------------------------------------------------
+Fri Apr 13 18:55:57 UTC 2012 - wr@rosenauer.org
+
+- update to 3.13.4 RTM
+ * fixed some bugs
+ * fixed cert verification regression in PKIX mode (bmo#737802)
+ introduced in 3.13.2
+
+-------------------------------------------------------------------
+Thu Feb 23 15:06:34 UTC 2012 - wr@rosenauer.org
+
+- update to 3.13.3 RTM
+ - distrust Trustwave's MITM certificates (bmo#724929)
+ - fix generic blacklisting mechanism (bmo#727204)
+
+-------------------------------------------------------------------
+Thu Feb 16 08:48:42 UTC 2012 - wr@rosenauer.org
+
+- update to 3.13.2 RTM
+ * requirement with Gecko >= 11
+- removed obsolete patches
+ * ckbi-1.88
+ * pkcs11n-header-fix.patch
+
+-------------------------------------------------------------------
+Sun Dec 18 15:59:08 UTC 2011 - adrian@suse.de
+
+- fix spec file syntax for qemu-workaround
+
+-------------------------------------------------------------------
+Mon Nov 14 10:13:17 UTC 2011 - john@redux.org.uk
+
+- Added a patch to fix errors in the pkcs11n.h header file.
+ (bmo#702090)
+
+-------------------------------------------------------------------
+Sat Nov 5 10:58:20 UTC 2011 - wolfgang@rosenauer.org
+
+- update to 3.13.1 RTM
+ * better SHA-224 support (bmo#647706)
+ * fixed a regression (causing hangs in some situations)
+ introduced in 3.13 (bmo#693228)
+- update to 3.13.0 RTM
+ * SSL 2.0 is disabled by default
+ * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
+ attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
+ enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
+ PR_FALSE to disable it.
+ * SHA-224 is supported
+ * Ported to iOS. (Requires NSPR 4.9.)
+ * Added PORT_ErrorToString and PORT_ErrorToName to return the
+ error message and symbolic name of an NSS error code
+ * Added NSS_GetVersion to return the NSS version string
+ * Added experimental support of RSA-PSS to the softoken only
+ * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
+ anymore (bmo#641052, bnc#726096)
+
+-------------------------------------------------------------------
+Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org
+
+- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753)
+- make sure NSS_NoDB_Init does not try to use wrong certificate
+ databases (CVE-2011-3640, bnc#726096, bmo#641052)
+
+-------------------------------------------------------------------
+Fri Sep 30 23:27:07 UTC 2011 - crrodriguez@opensuse.org
+
+- Workaround qemu-arm bugs.
+
+-------------------------------------------------------------------
+Fri Sep 9 05:44:15 UTC 2011 - wr@rosenauer.org
+
+- explicitely distrust/override DigiNotar certs (bmo#683261)
+ (trustdb version 1.87)
+
+-------------------------------------------------------------------
+Fri Sep 2 14:40:07 UTC 2011 - pcerny@suse.com
+
+- removed DigiNotar root certificate from trusted db
+ (bmo#682927, bnc#714931)
+
+-------------------------------------------------------------------
+Wed Aug 24 08:37:13 UTC 2011 - andrea.turrini@gmail.com
+
+- fixed typo in summary of mozilla-nss (libsoftokn3)
+
+-------------------------------------------------------------------
+Fri Aug 12 20:55:38 UTC 2011 - wr@rosenauer.org
+
+- update to 3.12.11 RTM
+ * no upstream release notes available
+
+-------------------------------------------------------------------
+Wed Jul 13 16:45:23 CEST 2011 - meissner@suse.de
+
+- Linux3.0 is the new Linux2.6 (make it build)
+
+-------------------------------------------------------------------
+Mon May 23 17:37:34 UTC 2011 - crrodriguez@opensuse.org
+
+- Do not include build dates in binaries, messes up
+ build compare
+
+-------------------------------------------------------------------
+Thu May 19 05:37:02 UTC 2011 - wr@rosenauer.org
+
+- update to 3.12.10 RTM
+ * no changes except internal release information
+
+-------------------------------------------------------------------
+Thu Apr 28 06:34:50 UTC 2011 - wr@rosenauer.org
+
+- update to 3.12.10beta1
+ * root CA changes
+ * filter certain bogus certs (bmo#642815)
+ * fix minor memory leaks
+ * other bugfixes
+
+-------------------------------------------------------------------
+Sun Jan 9 23:05:11 UTC 2011 - wr@rosenauer.org
+
+- update to 3.12.9rc0
+ * fix minor memory leaks (bmo#619268)
+ * fix crash in nss_cms_decoder_work_data (bmo#607058)
+ * fix crash in certutil (bmo#620908)
+ * handle invalid argument in JPAKE (bmo#609068)
+
+-------------------------------------------------------------------
+Thu Dec 9 15:03:00 UTC 2010 - wr@rosenauer.org
+
+- update to 3.12.9beta2
+ * J-PAKE support (API requirement for Firefox >= 4.0b8)
+
+-------------------------------------------------------------------
+Tue Nov 9 08:51:51 UTC 2010 - wr@rosenauer.org
+
+- replaced expired PayPal test certificate (fixing testsuite)
+
+-------------------------------------------------------------------
+Sat Sep 25 08:18:59 CEST 2010 - wr@rosenauer.org
+
+- update to 3.12.8 RTM release
+ * support TLS false start (needed for Firefox4) (bmo#525092)
+ * fix wildcard matching for IP addresses (bnc#637290, bmo#578697)
+ (CVE-2010-3170)
+ * bugfixes
+
+-------------------------------------------------------------------
+Fri Jul 23 21:18:30 CEST 2010 - wr@rosenauer.org
+
+- update to 3.12.7 RTM release
+ * bugfix release
+ * updated root CA list
+- removed obsolete patches
+
+-------------------------------------------------------------------
+Fri Jul 9 16:32:33 UTC 2010 - jengelh@medozas.de
+
+- Disable testsuite on SPARC. Some tests fails, probably due to
+ just bad timing/luck.
+
+-------------------------------------------------------------------
+Thu Jun 3 22:45:51 CEST 2010 - wr@rosenauer.org
+
+- Use preloaded empty system database since creating with
+ modutil leaves database in nonusable state
+
+-------------------------------------------------------------------
+Sat Apr 24 11:38:23 UTC 2010 - coolo@novell.com
+
+- buildrequire pkg-config to fix provides
+
+-------------------------------------------------------------------
+Sun Apr 4 12:19:43 CEST 2010 - wr@rosenauer.org
+
+- disabled a test using an expired cert (bmo#557071)
+
+-------------------------------------------------------------------
+Sat Mar 20 20:19:50 CET 2010 - wr@rosenauer.org
+
+- fixed builds for older dists where internal sqlite3 is used
+ (nss-sqlitename.patch was not refreshed correctly)
+- fixed baselibs.conf as is not a valid identifier
+
+-------------------------------------------------------------------
+Tue Mar 9 19:18:24 CET 2010 - wr@rosenauer.org
+
+- update to 3.12.6 RTM release
+ * added mozilla-nss-sysinit subpackage
+- change renegotiation behaviour to the old default for a
+ transition phase
+
+-------------------------------------------------------------------
+Tue Mar 9 13:08:24 CET 2010 - wr@rosenauer.org
+
+- split off libsoftokn3 subpackage to allow mixed NSS installation
+
+-------------------------------------------------------------------
+Sat Dec 26 12:42:56 CET 2009 - wr@rosenauer.org
+
+- added mozilla-nss-certs baselibs (bnc#567322)
+
+-------------------------------------------------------------------
+Fri Dec 18 13:24:16 CET 2009 - wr@rosenauer.org
+
+- split mozilla-nss-certs from main package
+- added rpmlintrc to ignore expected warnings
+- added baselibs.conf as source
+
+-------------------------------------------------------------------
+Mon Dec 14 07:56:26 CET 2009 - wr@rosenauer.org
+
+- updated builtin certs (version 1.77)
+
+-------------------------------------------------------------------
+Mon Nov 23 17:19:43 CET 2009 - wr@rosenauer.org
+
+- rebased patches to apply w/o fuzz
+
+-------------------------------------------------------------------
+Fri Aug 14 08:51:00 CEST 2009 - wr@rosenauer.org
+
+- update to 3.12.4 RTM release
+
+-------------------------------------------------------------------
+Fri Aug 7 13:10:22 CEST 2009 - wr@rosenauer.org
+
+- update to recent snapshot (20090806)
+- libnssdbm3.so has to be signed starting with 3.12.4
+
+-------------------------------------------------------------------
+Mon Aug 3 18:45:02 CEST 2009 - wr@rosenauer.org
+
+- update to NSS 3.12.4pre snapshot
+- rebased existing patches
+- enable testsuite again (was disabled accidentally before)
+
+-------------------------------------------------------------------
+Wed Jul 29 09:40:02 CEST 2009 - wr@rosenauer.org
+
+- update to NSS 3.12.3.1 (upstream use in FF 3.5.1) (bmo#504611)
+ * RNG_SystemInfoForRNG called twice by nsc_CommonInitialize
+ (bmo#489811; other changes are unrelated to Linux)
+- moved shlibsign to tools package again (as it's not needed at
+ library install time anymore)
+- use %{_libexecdir} for the tools
+
+-------------------------------------------------------------------
+Sat Jun 6 15:37:13 CEST 2009 - wr@rosenauer.org
+
+- Temporary testsuite fix for Factory (bnc#509308) (malloc.patch)
+- remove the post scriptlet which created the *.chk files and
+ use a RPM feature to create them after debuginfo stuff
+
+-------------------------------------------------------------------
+Tue Jun 2 09:41:34 CEST 2009 - wr@rosenauer.org
+
+- updated builtin root certs by updating to
+ NSS_3_12_3_WITH_CKBI_1_75_RTM tag which is supposed to be the
+ base for Firefox 3.5.0
+- PreReq coreutils in the main package already as "rm" is used
+ in its %post script
+- disable testsuite for this moment as it crashes on Factory
+ currently for an unknown reason
+
+-------------------------------------------------------------------
+Thu May 21 09:03:17 CEST 2009 - wr@rosenauer.org
+
+- renew Paypal certs to fix testsuite errors (bmo#491163)
+
+-------------------------------------------------------------------
+Mon Apr 20 14:47:43 CEST 2009 - wr@rosenauer.org
+
+- update to version 3.12.3 RTM
+ * default behaviour changed slightly but can be set up
+ backward compatible using environment variables
+ https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
+ * New Korean SEED cipher
+ * Some new functions in the nss library:
+ CERT_RFC1485_EscapeAndQuote (see cert.h)
+ CERT_CompareCerts (see cert.h)
+ CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
+ PK11_GetSymKeyHandle (see pk11pqg.h)
+ UTIL_SetForkState (see secoid.h)
+ NSS_GetAlgorithmPolicy (see secoid.h)
+ NSS_SetAlgorithmPolicy (see secoid.h)
+- created libfreebl3 subpackage and build it w/o nspr and nss deps
+- added patch to make all ASM noexecstack
+- create the softokn3 and freebl3 checksums at installation time
+ (moved shlibsign to the main package to achieve that)
+- applied upstream patch to avoid OSCP test failures (bmo#488646)
+- applied upstream patch to fix libjar crashes (bmo#485145)
+
+-------------------------------------------------------------------
+Wed Feb 4 08:46:15 CET 2009 - wr@rosenauer.org
+
+- update to version 3.12.2 RTM (with CKBI 1.73) as in FF 3.0.6
+
+-------------------------------------------------------------------
+Tue Jan 13 09:10:29 CET 2009 - wr@rosenauer.org
+
+- update to version 3.12.2rc1 (as used by FF 3.0.5)
+ * NSS is now using system zlib (bmo#302670)
+- create a system wide, sql based NSS database in /etc/pki/nssdb
+ (let previously created /etc/ssl/nssdb untouched)
+
+-------------------------------------------------------------------
+Wed Jan 7 12:34:56 CET 2009 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Oct 23 15:03:11 CDT 2008 - maw@suse.de
+
+- Review and approve changes.
+ +------------------------------------------------------------------- +Thu Aug 21 11:36:37 CEST 2008 - wr@rosenauer.org + +- run testsuite (bnc#418233) + +------------------------------------------------------------------- +Tue Jun 17 19:15:49 CEST 2008 - maw@suse.de + +- Merge changes from the build service (thanks, Wolfgang) + (bnc#400001 and SWAMP#18164). + +------------------------------------------------------------------- +Wed May 28 21:05:13 CEST 2008 - wr@rosenauer.org + +- update to 3.12.0rc4 (20080528) (featuring FF3.0) + +------------------------------------------------------------------- +Tue Apr 29 20:41:34 CEST 2008 - maw@suse.de + +- Prerequire coretools in the -tools subpackage (bnc#379540) +- Require sqlite3-devel to build. + +------------------------------------------------------------------- +Mon Apr 14 18:52:59 CEST 2008 - maw@suse.de + +- Merge some fixes from the build service's version. + +------------------------------------------------------------------- +Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de + +- added baselibs.conf file to build xxbit packages + for multilib support + +------------------------------------------------------------------- +Mon Mar 31 18:55:42 CEST 2008 - maw@suse.de + +- Undo the shared library package split, per discussion in + opensuse-packaging. + +------------------------------------------------------------------- +Mon Mar 31 14:22:17 CEST 2008 - wr@rosenauer.org + +- new snapshot still based on 3.12.0 Beta 3 (20080330) + +------------------------------------------------------------------- +Tue Mar 25 22:21:18 CET 2008 - maw@suse.de + +- Merge changes from the build service (thanks, Wolfgang) +- Update to a new snapshot of nss based on 3.12.0 Beta 2: + + Update build requirements accordingly + + Add nss-sqlitename.patch and nss-no-rpath.patch +- Split out a shared library subpackage. 
+
+-------------------------------------------------------------------
+Mon Dec 10 16:22:37 CET 2007 - rguenther@suse.de
+
+- disable use of freebl/mpi/mp_comba.c. [#346256]
+
+-------------------------------------------------------------------
+Sun Sep 16 10:27:06 CEST 2007 - coolo@suse.de
+
+- fixing errors in %post during installation
+
+-------------------------------------------------------------------
+Thu Sep 13 22:26:57 CEST 2007 - jberkman@novell.com
+
+- merge -tools package into main package
+- create system-wide nssdb for system configuration of smart cards,
+ as used by pam_pkcs11, krb5 pkinit, and others
+
+-------------------------------------------------------------------
+Thu Jul 26 20:18:38 CEST 2007 - maw@suse.de
+
+- Update to version 3.11.7 (from the build service)
+- Bug fixes.
+
+-------------------------------------------------------------------
+Mon Jun 11 11:41:27 CEST 2007 - ro@suse.de
+
+- use string[0] instead of string in char.patch
+
+-------------------------------------------------------------------
+Mon Jun 11 11:33:34 CEST 2007 - ro@suse.de
+
+- update to NSS 3.11.6 (pull in from wr from opensuse BS)
+
+-------------------------------------------------------------------
+Wed Feb 21 16:55:06 CST 2007 - maw@suse.de
+
+- Update to NSS 3.11.5 (thanks, Wolfgang)
+
+-------------------------------------------------------------------
+Sun Oct 1 23:01:38 CEST 2006 - wr@rosenauer.org
+
+- update to NSS 3.11.3
+- requires NSPR 4.6.3 (pkgconfig)
+
+-------------------------------------------------------------------
+Wed Sep 6 08:23:45 CEST 2006 - stark@suse.de
+
+- update to NSS_3_11_20060905_TAG to be in sync with
+ Gecko 1.8.1
+
+-------------------------------------------------------------------
+Mon Aug 7 13:53:55 CEST 2006 - stark@suse.de
+
+- enabled usage of ECC
+
+-------------------------------------------------------------------
+Sat Aug 5 09:50:47 CEST 2006 - stark@suse.de
+
+- update to NSS_3_11_20060731_TAG to be in sync with
+ Gecko 1.8.1
+
+-------------------------------------------------------------------
+Fri Jul 28 07:09:44 CEST 2006 - stark@suse.de
+
+- fixed usage of uninitialized pointers (uninit.patch)
+- requires NSPR 4.6.2
+
+-------------------------------------------------------------------
+Sat Jul 1 23:37:52 CEST 2006 - stark@suse.de
+
+- update to 3.11.2 RTM version
+ * ECC not enabled but defines needed symbols
+
+-------------------------------------------------------------------
+Thu Jun 8 11:45:14 CEST 2006 - stark@suse.de
+
+- update to 3.11.2 beta
+ * enabled ECC (needed since MOZILLA_1_8_BRANCH)
+
+-------------------------------------------------------------------
+Mon May 15 20:38:37 CEST 2006 - stark@suse.de
+
+- update to 3.11.1 RTM version
+ including:
+ * TLS server name indication extension support
+ * implement RFC 3546 (TLS v1.0 extensions)
+ * fixed bugs found by Coverity
+
+-------------------------------------------------------------------
+Mon Jan 30 08:34:45 CET 2006 - stark@suse.de
+
+- removed additional CA certs
+- removed zip from BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan 25 21:32:31 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Jan 11 16:15:18 CET 2006 - stark@suse.de
+
+- install nss-config executable
+
+-------------------------------------------------------------------
+Fri Dec 16 20:24:05 CET 2005 - stark@suse.de
+
+- marked libfreebl3.so noexec stack
+
+-------------------------------------------------------------------
+Fri Dec 16 09:41:15 CET 2005 - stark@suse.de
+
+- update to 3.11 RTM version
+- provide nss-config file
+- added static libs
+- moved include files to /usr/include/nss3
+- only ship a subset of the tools
+
+-------------------------------------------------------------------
+Sat Nov 26 14:54:03 CET 2005 - stark@suse.de
+
+- update to 3.11rc1
+- fixed PC file for 64bit archs
+
+-------------------------------------------------------------------
+Tue Nov 15 07:35:25 CET 2005 - stark@suse.de
+
+- update to current 3.10.2 snapshot (20051114)
+
+-------------------------------------------------------------------
+Wed Nov 2 12:17:23 CET 2005 - stark@suse.de
+
+- added tools subpackage which provides all NSS related
+ tools for managing and debugging NSS stuff
+
+-------------------------------------------------------------------
+Tue Oct 11 07:08:38 CEST 2005 - stark@suse.de
+
+- update to current 3.10.2 snapshot
+
+-------------------------------------------------------------------
+Mon Sep 26 21:59:00 CEST 2005 - stark@suse.de
+
+- prerequire the correct NSPR version
+
+-------------------------------------------------------------------
+Thu Sep 22 07:15:30 CEST 2005 - stark@suse.de
+
+- update to NSS_3_10_2_BETA1
+
+-------------------------------------------------------------------
+Tue Jul 5 15:33:18 CEST 2005 - stark@suse.de
+
+- use RPM_OPT_FLAGS
+- fixed requirements for devel package
+
+-------------------------------------------------------------------
+Wed Jun 8 09:19:59 CEST 2005 - stark@suse.de
+
+- added pkgconfig file
+- fixed permission for include directory
+- fixed compiler/abuild warning
+- included correct header files
+
+-------------------------------------------------------------------
+Mon May 9 09:34:30 CEST 2005 - stark@suse.de
+
+- update to 3.10 RTM version
+
+-------------------------------------------------------------------
+Wed Apr 27 07:52:55 CEST 2005 - stark@suse.de
+
+- don't package static libs
+- copy NSPR static libs from new location
+
+-------------------------------------------------------------------
+Thu Apr 7 09:08:22 CEST 2005 - stark@suse.de
+
+- update to 3.10beta3
+
+-------------------------------------------------------------------
+Fri Apr 1 15:55:58 CEST 2005 - stark@suse.de
+
+- don't parallelize build
+
+-------------------------------------------------------------------
+Thu Mar 31 07:39:45 CEST 2005 - stark@suse.de
+
+- fixed build on other archs
+- update to 3.10beta2
+
+-------------------------------------------------------------------
+Sat Mar 19 13:36:51 CET 2005 - stark@suse.de
+
+- update to 3.10beta1
+
+-------------------------------------------------------------------
+Tue Mar 8 09:16:59 CET 2005 - stark@suse.de
+
+- initial standalone package
+
diff --git a/mozilla-nss.spec b/mozilla-nss.spec
new file mode 100644
index 0000000..19f0677
--- /dev/null
+++ b/mozilla-nss.spec
@@ -0,0 +1,502 @@ +# +# spec file for package mozilla-nss +# +# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2006-2023 Wolfgang Rosenauer +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%global nss_softokn_fips_version 3.90 +%define NSPR_min_version 4.35 +%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) +%define nssdbdir %{_sysconfdir}/pki/nssdb +Name: mozilla-nss +Version: 3.90.1 +Release: 0 +%define underscore_version 3_90_1 +Summary: Network Security Services +License: MPL-2.0 +Group: System/Libraries +URL: https://www.mozilla.org/projects/security/pki/nss/ +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_%{underscore_version}_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-%%{version}/nss ; cd nss-%%{version}/nss ; hg up NSS_%%{underscore_version}_RTM +#Source: nss-%%{version}.tar.gz +Source1: nss.pc.in +Source3: nss-config.in +Source4: %{name}-rpmlintrc +Source5: baselibs.conf +Source6: setup-nsssysinit.sh +Source7: cert9.db +Source8: key4.db +Source9: pkcs11.txt +#Source10: PayPalEE.cert +Source11: nss-util.pc.in +Source13: nss-util-config.in +Source99: %{name}.changes +Patch1: nss-opt.patch +Patch2: system-nspr.patch +Patch3: nss-no-rpath.patch +Patch4: add-relro-linker-option.patch +Patch5: malloc.patch +Patch6: bmo-1400603.patch +Patch7: nss-sqlitename.patch +Patch9: nss-fips-use-getrandom.patch 
+Patch10: nss-fips-dsa-kat.patch +Patch11: nss-fips-pairwise-consistency-check.patch +Patch12: nss-fips-rsa-keygen-strictness.patch +Patch13: nss-fips-cavs-keywrap.patch +Patch14: nss-fips-cavs-kas-ffc.patch +Patch15: nss-fips-cavs-kas-ecc.patch +Patch16: nss-fips-gcm-ctr.patch +Patch17: nss-fips-constructor-self-tests.patch +Patch18: nss-fips-cavs-general.patch +Patch19: nss-fips-cavs-dsa-fixes.patch +Patch20: nss-fips-cavs-rsa-fixes.patch +Patch21: nss-fips-approved-crypto-non-ec.patch +Patch22: nss-fips-zeroization.patch +Patch24: nss-fips-use-strong-random-pool.patch +Patch25: nss-fips-detect-fips-mode-fixes.patch +Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch +Patch27: nss-fips-aes-keywrap-post.patch +Patch37: nss-fips-fix-missing-nspr.patch +Patch38: nss-fips-stricter-dh.patch +Patch40: nss-fips-180-3-csp-clearing.patch +Patch41: nss-fips-pbkdf-kat-compliance.patch +Patch44: nss-fips-tests-enable-fips.patch +Patch45: nss-fips-drbg-libjitter.patch +Patch46: nss-allow-slow-tests.patch +Patch47: nss-fips-pct-pubkeys.patch +Patch48: nss-fix-bmo1836925.patch +%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 +# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references +BuildRequires: gcc9-c++ +%else +BuildRequires: gcc-c++ +%endif +BuildRequires: pkgconfig +BuildRequires: pkgconfig(nspr) >= %{NSPR_min_version} +BuildRequires: pkgconfig(sqlite3) +BuildRequires: pkgconfig(zlib) +%if 0%{?sle_version} >= 150400 +BuildRequires: jitterentropy-devel +# Libjitter needs to be present before AND after the install +Requires(pre): libjitterentropy3 +Requires: libjitterentropy3 +%endif +Requires: libfreebl3 >= %{nss_softokn_fips_version} +Requires: libsoftokn3 >= %{nss_softokn_fips_version} +Requires: mozilla-nspr >= %{NSPR_min_version} +%if "%{_lib}" == "lib64" +Requires: libnssckbi.so()(64bit) +%else +Requires: libnssckbi.so +%endif +%ifnarch %sparc +%if ! 
0%{?qemu_user_space_build} +%define run_testsuite 1 +%endif +%endif + +%description +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +%package devel +Summary: Network (Netscape) Security Services development files +Group: Development/Libraries/C and C++ +Requires: libfreebl3 +Requires: libsoftokn3 +Requires: mozilla-nss = %{version}-%{release} +Requires: pkgconfig(nspr) >= %{NSPR_min_version} + +%description devel +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +%package tools +Summary: Tools for developing, debugging, and managing applications that use NSS +Group: System/Management +Requires(pre): mozilla-nss >= %{version} + +%description tools +The NSS Security Tools allow developers to test, debug, and manage +applications that use NSS. + +%package sysinit +Summary: System NSS Initialization +Group: System/Management +Requires: mozilla-nss >= %{version} +Requires(post): coreutils + +%description sysinit +Default Operation System module that manages applications loading +NSS globally on the system. This module loads the system defined +PKCS #11 modules for NSS and chains with other NSS modules to load +any system or user configured modules. 
+ +%package -n libfreebl3 +Summary: Freebl library for the Network Security Services +Group: System/Libraries +Provides: libfreebl3-hmac = %{version}-%{release} +Obsoletes: libfreebl3-hmac < %{version}-%{release} + +%description -n libfreebl3 +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +This package installs the freebl library from NSS. + +%package -n libsoftokn3 +Summary: Network Security Services Softoken Module +Group: System/Libraries +Requires: libfreebl3 = %{version}-%{release} +Provides: libsoftokn3-hmac = %{version}-%{release} +Obsoletes: libsoftokn3-hmac < %{version}-%{release} + +%description -n libsoftokn3 +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v3, +TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +Network Security Services Softoken Cryptographic Module + +%package certs +Summary: CA certificates for NSS +Group: Productivity/Networking/Security + +%description certs +This package contains the integrated CA root certificates from the +Mozilla project. 
+ +%prep +%setup -q -n nss-%{version} +cd nss +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%if 0%{?suse_version} > 1110 +%patch5 -p1 +%endif +%patch6 -p1 +%patch7 -p1 +# FIPS patches +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 +%patch37 -p1 +%patch38 -p1 +%patch40 -p1 +%patch41 -p1 +%patch44 -p1 +# Libjitter only for SLE15 SP4+ +%if 0%{?sle_version} >= 150400 +%patch45 -p1 +%endif +%patch46 -p1 +%patch47 -p1 +%patch48 -p1 + +# additional CA certificates +#cd security/nss/lib/ckfw/builtins +#cat %{SOURCE2} >> certdata.txt +#make generate + +%build +%ifarch %arm +# LTO fails on neon errors +%global _lto_cflags %{nil} +%else +%global _lto_cflags %{_lto_cflags} -ffat-lto-objects +%endif +cd nss +cat > ../obsenv.sh <= 120000 && 0%{?sle_version} < 150000 +export CC=gcc-9 +# Yes, they use both... +export CXX=g++-9 +export CCC=g++-9 +%endif +export NSS_ALLOW_SSLKEYLOGFILE=1 +export NSS_ENABLE_WERROR=0 +export NSS_NO_PKCS11_BYPASS=1 +export FREEBL_NO_DEPEND=1 +export FREEBL_LOWHASH=1 +export NSPR_INCLUDE_DIR=`nspr-config --includedir` +export NSPR_LIB_DIR=`nspr-config --libdir` +export OPT_FLAGS="%{optflags} -fno-strict-aliasing -fPIE -pie" +export LIBDIR=%{_libdir} +%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 riscv64 +export USE_64=1 +%endif +export NSS_DISABLE_GTESTS=1 +export NSS_USE_SYSTEM_SQLITE=1 +export NSS_ENABLE_FIPS_INDICATORS=1 +export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\"" +#export SQLITE_LIB_NAME=nsssqlite3 +export MAKE_FLAGS="BUILD_OPT=1" +EOF + +source ../obsenv.sh + +modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{SOURCE99}")" +DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" +TIME="\"$(date -d "${modified}" "+%%R")\"" +find . 
-name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + + +make %{?_smp_mflags} nss_build_all $MAKE_FLAGS + +%check +cd nss +# run testsuite +%if 0%{?run_testsuite} +cat > ../obstestenv.sh < %{buildroot}%{_libdir}/pkgconfig/nss.pc +sed "s:%%LIBDIR%%:%{_libdir}:g +s:%%VERSION%%:%{version}:g +s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ + %{SOURCE11} > %{buildroot}%{_libdir}/pkgconfig/nss-util.pc +# prepare nss-config file +popd +NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'` +NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | gawk '{print $3}'` +NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | gawk '{print $3}'` +cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ + > %{buildroot}/%{_bindir}/nss-config +chmod 755 %{buildroot}/%{_bindir}/nss-config +NSSUTIL_VMAJOR=`cat lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` +cat %{SOURCE13} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \ + > %{buildroot}/%{_bindir}/nss-util-config +chmod 755 %{buildroot}/%{_bindir}/nss-util-config +# setup-nsssysinfo.sh +install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/ +# create empty NSS database +#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/modutil -force -dbdir 
"sql:%{buildroot}%{nssdbdir}" -create +#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/certutil -N -d "sql:%{buildroot}%{nssdbdir}" -f /dev/null 2>&1 > /dev/null +#chmod 644 "%{buildroot}%{nssdbdir}"/* +#sed "s:%{buildroot}::g +#s/^library=$/library=libnsssysinit.so/ +#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ +# %{buildroot}%{nssdbdir}/pkcs11.txt > %{buildroot}%{nssdbdir}/pkcs11.txt.sed +# mv %{buildroot}%{nssdbdir}/pkcs11.txt{.sed,} +# copy empty NSS database +install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir} +install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir} +install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir} +# create shlib sigs after extracting debuginfo +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %__os_install_post \ + LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \ + LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \ + LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreebl3.so \ + LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \ +%{nil} + +%post -p /sbin/ldconfig +%postun -p /sbin/ldconfig +%post -n libfreebl3 -p /sbin/ldconfig +%postun -n libfreebl3 -p /sbin/ldconfig +%post -n libsoftokn3 -p /sbin/ldconfig +%postun -n libsoftokn3 -p /sbin/ldconfig + +%post sysinit +/sbin/ldconfig +# make sure the current config is enabled +%{_sbindir}/setup-nsssysinit.sh on + +%preun sysinit +if [ $1 = 0 ]; then + %{_sbindir}/setup-nsssysinit.sh off +fi + +%postun sysinit -p /sbin/ldconfig + +%files +%{_libdir}/libnss3.so +%{_libdir}/libnssutil3.so +%{_libdir}/libsmime3.so +%{_libdir}/libssl3.so +#%%{_libdir}/libnsssqlite3.so + +%files devel +%defattr(644, root, root, 755) 
+%{_includedir}/nss3/ +%{_libdir}/*.a +%{_libdir}/pkgconfig/* +%attr(755,root,root) %{_bindir}/nss-config +%attr(755,root,root) %{_bindir}/nss-util-config + +%files tools +%{_bindir}/* +%exclude %{_sbindir}/setup-nsssysinit.sh +%{_libexecdir}/nss/ +%{_mandir}/*/* +%exclude %{_bindir}/nss-config +%exclude %{_bindir}/nss-util-config + +%files sysinit +%dir %{_sysconfdir}/pki +%dir %{_sysconfdir}/pki/nssdb +%config(noreplace) %{_sysconfdir}/pki/nssdb/* +%{_libdir}/libnsssysinit.so +%{_sbindir}/setup-nsssysinit.sh + +%files -n libfreebl3 +%{_libdir}/libfreebl3.so +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.chk + +%files -n libsoftokn3 +%{_libdir}/libsoftokn3.so +%{_libdir}/libnssdbm3.so +%{_libdir}/libsoftokn3.chk +%{_libdir}/libnssdbm3.chk + +%files certs +%{_libdir}/libnssckbi.so + +%changelog diff --git a/nss-3.90.1.tar.gz b/nss-3.90.1.tar.gz new file mode 100644 index 0000000..80c47e5 --- /dev/null +++ b/nss-3.90.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:da181ea28c910c07feca1580c0944ed53f025b25f104e27df02b96661192264b +size 72212598 diff --git a/nss-allow-slow-tests.patch b/nss-allow-slow-tests.patch new file mode 100644 index 0000000..d83dcaf --- /dev/null +++ b/nss-allow-slow-tests.patch 
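Review bot: `export NSS_ALLOW_SSLKEYLOGFILE=1` in the obsenv.sh here-document builds libssl3 with SSLKEYLOGFILE support, which as far as I can tell lets any process using this NSS have its TLS session secrets written to the file named by the SSLKEYLOGFILE environment variable; for a build that also labels itself `SUSE Linux Enterprise NSS` as its FIPS module ID this deserves a justification next to the export, e.g. `# SSLKEYLOGFILE key logging is deliberately enabled (it only acts when the process itself sets the variable)`. The four shlibsign lines in `__spec_install_post` set `LD_LIBRARY_PATH=:%{buildroot}%{_libdir}`; the leading colon is an empty element, which the dynamic loader treats as the current directory, so drop it and use `LD_LIBRARY_PATH=%{buildroot}%{_libdir}`. The obsenv.sh/obstestenv.sh here-documents look garbled in this rendering (the `<< EOF` delimiters and the `%if` guarding the gcc-9 exports are missing), so the exact placement should be confirmed against the spec itself.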
@@ -0,0 +1,28 @@
+Index: nss/tests/sdr/sdr.sh
+===================================================================
+--- nss.orig/tests/sdr/sdr.sh
++++ nss/tests/sdr/sdr.sh
+@@ -146,7 +146,8 @@ sdr_main()
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+- html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression"
++ # Suse 2022-10-04: Need more time for slow build servers
++ html_msg $(( ${TIMEARRAY[0]} >= 5 )) 0 "pwdecrypt no time regression"
+ export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS
+ }
+
+Index: nss/tests/dbtests/dbtests.sh
+===================================================================
+--- nss.orig/tests/dbtests/dbtests.sh
++++ nss/tests/dbtests/dbtests.sh
+@@ -366,7 +366,8 @@ dbtest_main()
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+- test ${TIMEARRAY[0]} -lt 2
++ # Was 2, but that is too small for OBS-workers.
++ test ${TIMEARRAY[0]} -lt 6
+ ret=$?
+ html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
+ fi
diff --git a/nss-config.in b/nss-config.in
new file mode 100644
index 0000000..5ca037e
--- /dev/null
+++ b/nss-config.in
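Review bot: Both rewritten checks widen a timing regression guard by roughly five times: `html_msg $(( ${TIMEARRAY[0]} >= 5 )) 0 "pwdecrypt no time regression"` now passes any run under 5 s where the original only passed a sub-second one, and `test ${TIMEARRAY[0]} -lt 6` does the same for the certutil dump. The sdr check runs with NSS_MAX_MP_PBE_ITERATION_COUNT overridden, so its purpose appears to be catching pwdecrypt becoming slow on high iteration counts, and a 5 s ceiling will miss a regression that is merely several times slower than before. Consider keeping the upstream bound by default and applying the slack only when a builder opts in, e.g. `limit=${NSS_SLOW_BUILDER_SECONDS:-1}` followed by `html_msg $(( ${TIMEARRAY[0]} >= limit )) 0 "pwdecrypt no time regression"`. sdr_main and dbtest_main both start outside the hunk.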
@@ -0,0 +1,144 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_ssl=yes +lib_smime=yes +lib_nss=yes +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + ssl) + lib_ssl=yes + ;; + smime) + lib_smime=yes + ;; + nss) + lib_nss=yes + ;; + nssutil) + lib_nssutil=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=@exec_prefix@ +fi +if test -z "$includedir"; then + includedir=@includedir@ +fi +if test -z "$libdir"; then + libdir=@libdir@ +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_ssl"; then + libdirs="$libdirs -lssl${major_version}" + fi + if test -n "$lib_smime"; then + libdirs="$libdirs -lsmime${major_version}" + fi + if test -n "$lib_nss"; then + libdirs="$libdirs -lnss${major_version}" + fi + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + 
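Review bot: The `ssl)`, `smime)`, `nss)` and `nssutil)` cases assign `yes` to variables that are already initialised to `yes` above the loop, so naming a library on the command line never narrows the `--libs` output and all four `-l` flags are always emitted. If that is intentional, say so where the defaults are set, e.g. `# All four libraries are always linked; the ssl/smime/nss/nssutil arguments are accepted for compatibility only`; otherwise initialise them empty and turn them all on only when no library was named. The closing `echo $libdirs` and `echo -I$includedir` expand unquoted, so a `--libdir=` or `--includedir=` value containing spaces or glob characters is split or expanded before it reaches the caller. The usage() here-document appears truncated in this rendering, so its wording could not be checked.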
diff --git a/nss-fips-180-3-csp-clearing.patch b/nss-fips-180-3-csp-clearing.patch
new file mode 100644
index 0000000..5a33e0e
--- /dev/null
+++ b/nss-fips-180-3-csp-clearing.patch
@@ -0,0 +1,40 @@
+Index: nss/lib/freebl/pqg.c
+===================================================================
+--- nss.orig/lib/freebl/pqg.c
++++ nss/lib/freebl/pqg.c
+@@ -1232,6 +1232,9 @@ cleanup:
+ MP_TO_SEC_ERROR(err);
+ rv = SECFailure;
+ }
++ if (rv != SECSuccess) {
++ mp_zero(G);
++ }
+ return rv;
+ }
+
+Index: nss/lib/softoken/sftkdb.c
+===================================================================
+--- nss.orig/lib/softoken/sftkdb.c
++++ nss/lib/softoken/sftkdb.c
+@@ -1538,7 +1538,7 @@ loser:
+ PORT_ZFree(data, dataSize);
+ }
+ if (arena) {
+- PORT_FreeArena(arena, PR_FALSE);
++ PORT_FreeArena(arena, PR_TRUE);
+ }
+ return crv;
+ }
+Index: nss/lib/softoken/sftkpwd.c
+===================================================================
+--- nss.orig/lib/softoken/sftkpwd.c
++++ nss/lib/softoken/sftkpwd.c
+@@ -1459,7 +1459,7 @@ loser:
+ PORT_ZFree(newKey.data, newKey.len);
+ }
+ if (result) {
+- SECITEM_FreeItem(result, PR_TRUE);
++ SECITEM_ZfreeItem(result, PR_TRUE);
+ }
+ if (rv != SECSuccess) {
+ (*keydb->db->sdb_Abort)(keydb->db);
diff --git a/nss-fips-aes-keywrap-post.patch b/nss-fips-aes-keywrap-post.patch
new file mode 100644
index 0000000..bfa03e8
--- /dev/null
+++ b/nss-fips-aes-keywrap-post.patch
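Review bot: The patch file carries no header explaining what it does or which FIPS 140-3 requirement it serves, unlike the other FIPS patches in this commit that start with a changeset description; add a short note at the top, e.g. `# FIPS 140-3 CSP zeroization: clear the generator G when PQG generation fails in pqg.c, and zero-on-free the arena in sftkdb.c and the result item in sftkpwd.c, which appear to carry key material`. In pqg.c the new `mp_zero(G)` runs only on the failure path, which is the right place, but whether it overwrites the whole allocated digit buffer or merely resets the used-digit count depends on the mpi implementation, so that should be confirmed before relying on it as the zeroization step. All three enclosing functions start outside the hunk.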
@@ -0,0 +1,130 @@
+# HG changeset patch
+# User M. Sirringhaus
+# Date 1589854460 -7200
+# Tue May 19 04:14:20 2020 +0200
+# Node ID ce99bba6375432c55a73c1367f619dfef7c7e9fc
+# Parent 2c820431829b3e5c7e161bd0bf73b48def9d3822
+commit e78f5a6a2124ce88002796d6aaefc6232f132526
+Author: Hans Petter Jansson
+ AES Keywrap POST.
+
+
+diff --git nss/lib/freebl/fipsfreebl.c b/nss/lib/freebl/fipsfreebl.c
+index ecbe9e0..3fec612 100644
+--- nss/lib/freebl/fipsfreebl.c
++++ nss/lib/freebl/fipsfreebl.c
+@@ -113,6 +113,9 @@ DllMain(
+ #define FIPS_AES_192_KEY_SIZE 24 /* 192-bits */
+ #define FIPS_AES_256_KEY_SIZE 32 /* 256-bits */
+
++/* FIPS preprocessor directives for AES Keywrap */
++#define FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE 24 /* 192-bits */
++
+ /* FIPS preprocessor directives for message digests */
+ #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */
+
+@@ -300,6 +303,9 @@ freebl_fips_AES_PowerUpSelfTest(int aes_key_size)
+
+ static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" };
+
++ /* AES Keywrap Known Initialization Vector (64 bits) */
++ static const PRUint8 aes_key_wrap_iv[] = { "WrapparW" };
++
+ /* AES Known Ciphertext (128-bit key). */
+ static const PRUint8 aes_ecb128_known_ciphertext[] = {
+ 0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1,
+@@ -370,6 +376,25 @@ freebl_fips_AES_PowerUpSelfTest(int aes_key_size)
+
+ };
+
++ /* AES Keywrap Known Ciphertexts. 
*/
++ static const PRUint8 aes_kw128_known_ciphertext[] = {
++ 0xd7, 0xec, 0x33, 0x3a, 0x35, 0x50, 0x91, 0x4d,
++ 0x04, 0x69, 0x1f, 0xbc, 0x9b, 0x3a, 0x51, 0x9d,
++ 0xf3, 0x45, 0x01, 0xec, 0xaa, 0x43, 0x33, 0x42
++ };
++
++ static const PRUint8 aes_kw192_known_ciphertext[] = {
++ 0x18, 0x44, 0xab, 0x72, 0xbd, 0x35, 0x6c, 0x8f,
++ 0x34, 0x34, 0x2e, 0x0b, 0xb0, 0x19, 0xd3, 0x46,
++ 0x3e, 0x53, 0x4f, 0x2f, 0x43, 0xcc, 0xf5, 0x8c
++ };
++
++ static const PRUint8 aes_kw256_known_ciphertext[] = {
++ 0x3e, 0xaf, 0xf3, 0x36, 0xaf, 0xc3, 0x68, 0xab,
++ 0x5a, 0x07, 0xed, 0x64, 0x5b, 0xf8, 0x81, 0x0d,
++ 0x9e, 0x67, 0x75, 0xbd, 0x66, 0xe1, 0x52, 0xdc
++ };
++
+ const PRUint8 *aes_ecb_known_ciphertext =
+ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext;
+
+@@ -382,11 +407,15 @@ freebl_fips_AES_PowerUpSelfTest(int aes_key_size)
+ const PRUint8 *aes_cmac_known_ciphertext =
+ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext;
+
++ const PRUint8 *aes_keywrap_known_ciphertext =
++ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : aes_kw256_known_ciphertext;
++
+ /* AES variables. */
+ PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2];
+ PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2];
+ AESContext *aes_context;
+ CMACContext *cmac_context;
++ AESKeyWrapContext *aes_keywrap_context;
+ unsigned int aes_bytes_encrypted;
+ unsigned int aes_bytes_decrypted;
+ CK_NSS_GCM_PARAMS gcmParams;
+@@ -613,6 +642,52 @@ freebl_fips_AES_PowerUpSelfTest(int aes_key_size)
+ return (SECFailure);
+ }
+
++ /********************************/
++ /* AES Keywrap En/Decrypt Test. 
*/
++ /********************************/
++
++ /* Create encryption context */
++ aes_keywrap_context = AESKeyWrap_CreateContext(aes_known_key, aes_key_wrap_iv, PR_TRUE,
++ aes_key_size);
++ if (aes_keywrap_context == NULL) {
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
++ return (SECFailure);
++ }
++
++ aes_status = AESKeyWrap_Encrypt(aes_keywrap_context,
++ aes_computed_ciphertext, &aes_bytes_encrypted,
++ FIPS_AES_ENCRYPT_LENGTH * 2,
++ aes_known_plaintext, FIPS_AES_ENCRYPT_LENGTH);
++
++ AESKeyWrap_DestroyContext(aes_keywrap_context, PR_TRUE);
++
++ if ((aes_status != SECSuccess) ||
++ (aes_bytes_encrypted != FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE) ||
++ (PORT_Memcmp (aes_computed_ciphertext, aes_keywrap_known_ciphertext,
++ FIPS_AES_KEYWRAP_KNOWN_CIPHERTEXT_SIZE) != 0)) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return (SECFailure);
++ }
++
++ /* Create decryption context */
++ aes_keywrap_context = AESKeyWrap_CreateContext(aes_known_key, aes_key_wrap_iv, PR_FALSE,
++ aes_key_size);
++
++ aes_status = AESKeyWrap_Decrypt(aes_keywrap_context,
++ aes_computed_plaintext, &aes_bytes_decrypted,
++ FIPS_AES_ENCRYPT_LENGTH,
++ aes_computed_ciphertext, aes_bytes_encrypted);
++
++ AESKeyWrap_DestroyContext(aes_keywrap_context, PR_TRUE);
++
++ if ((aes_status != SECSuccess) ||
++ (aes_bytes_decrypted != FIPS_AES_ENCRYPT_LENGTH) ||
++ (PORT_Memcmp (aes_computed_plaintext, aes_known_plaintext,
++ FIPS_AES_ENCRYPT_LENGTH) != 0)) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return (SECFailure);
++ }
++
+ return (SECSuccess);
+ }
+
diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch
new file mode 100644
index 0000000..8e93085
--- /dev/null
+++ b/nss-fips-approved-crypto-non-ec.patch
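Review bot: The decryption-direction context returned by the second `AESKeyWrap_CreateContext` call is passed straight to `AESKeyWrap_Decrypt` without the NULL check that the encryption-direction context gets a few lines earlier, so an allocation failure during the power-up self-test would dereference NULL instead of failing the POST cleanly. Mirror the first check immediately after that call: `if (aes_keywrap_context == NULL) { PORT_SetError(SEC_ERROR_NO_MEMORY); return (SECFailure); }`. It would also help to record next to the `aes_kw*_known_ciphertext` tables how the known answers were produced, since the `WrapparW` IV is not the RFC 3394 default IV and the values therefore cannot be checked against the published vectors, e.g. `/* Known answers computed with aes_key_wrap_iv and aes_known_key/aes_known_plaintext; not the RFC 3394 test vectors */`. freebl_fips_AES_PowerUpSelfTest begins outside the hunk.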
@@ -0,0 +1,762 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1590413430 -7200 +# Mon May 25 15:30:30 2020 +0200 +# Node ID 2d4483f4a1259f965f32ff4c65436e92aef83be7 +# Parent 3f4d682c9a1e8b3d939c744ee249e23179db5191 +imported patch nss-fips-approved-crypto-non-ec.patch + +Index: nss/lib/freebl/deprecated/alg2268.c +=================================================================== +--- nss.orig/lib/freebl/deprecated/alg2268.c ++++ nss/lib/freebl/deprecated/alg2268.c +@@ -16,6 +16,8 @@ + #include /* for ptrdiff_t */ + #endif + ++#include "../fips.h" ++ + /* + ** RC2 symmetric block cypher + */ +@@ -119,6 +121,7 @@ static const PRUint8 S[256] = { + RC2Context * + RC2_AllocateContext(void) + { ++ IN_FIPS_RETURN(NULL); + return PORT_ZNew(RC2Context); + } + SECStatus +@@ -133,6 +136,8 @@ RC2_InitContext(RC2Context *cx, const un + #endif + PRUint8 tmpB; + ++ IN_FIPS_RETURN(SECFailure); ++ + if (!key || !cx || !len || len > (sizeof cx->B) || + efLen8 > (sizeof cx->B)) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -204,7 +209,11 @@ RC2Context * + RC2_CreateContext(const unsigned char *key, unsigned int len, + const unsigned char *iv, int mode, unsigned efLen8) + { +- RC2Context *cx = PORT_ZNew(RC2Context); ++ RC2Context *cx; ++ ++ IN_FIPS_RETURN(NULL); ++ ++ cx = PORT_ZNew(RC2Context); + if (cx) { + SECStatus rv = RC2_InitContext(cx, key, len, iv, mode, efLen8, 0); + if (rv != SECSuccess) { +@@ -456,7 +465,11 @@ RC2_Encrypt(RC2Context *cx, unsigned cha + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) + { +- SECStatus rv = SECSuccess; ++ SECStatus rv; ++ ++ IN_FIPS_RETURN(SECFailure); ++ ++ rv = SECSuccess; + if (inputLen) { + if (inputLen % RC2_BLOCK_SIZE) { + PORT_SetError(SEC_ERROR_INPUT_LEN); +@@ -490,7 +503,11 @@ RC2_Decrypt(RC2Context *cx, unsigned cha + unsigned int *outputLen, unsigned int maxOutputLen, + const unsigned char *input, unsigned int inputLen) + { +- SECStatus rv = SECSuccess; ++ 
SECStatus rv; ++ ++ IN_FIPS_RETURN(SECFailure); ++ ++ rv = SECSuccess; + if (inputLen) { + if (inputLen % RC2_BLOCK_SIZE) { + PORT_SetError(SEC_ERROR_INPUT_LEN); +Index: nss/lib/freebl/arcfour.c +=================================================================== +--- nss.orig/lib/freebl/arcfour.c ++++ nss/lib/freebl/arcfour.c +@@ -13,6 +13,7 @@ + + #include "prtypes.h" + #include "blapi.h" ++#include "fips.h" + + /* Architecture-dependent defines */ + +@@ -162,7 +163,9 @@ RC4_InitContext(RC4Context *cx, const un + RC4Context * + RC4_CreateContext(const unsigned char *key, int len) + { +- RC4Context *cx = RC4_AllocateContext(); ++ RC4Context *cx; ++ ++ cx = RC4_AllocateContext(); + if (cx) { + SECStatus rv = RC4_InitContext(cx, key, len, NULL, 0, 0, 0); + if (rv != SECSuccess) { +Index: nss/lib/freebl/deprecated/seed.c +=================================================================== +--- nss.orig/lib/freebl/deprecated/seed.c ++++ nss/lib/freebl/deprecated/seed.c +@@ -17,6 +17,8 @@ + #include "seed.h" + #include "secerr.h" + ++#include "../fips.h" ++ + static const seed_word SS[4][256] = { + { 0x2989a1a8, 0x05858184, 0x16c6d2d4, 0x13c3d3d0, + 0x14445054, 0x1d0d111c, 0x2c8ca0ac, 0x25052124, +@@ -301,6 +303,8 @@ SEED_set_key(const unsigned char rawkey[ + seed_word K0, K1, K2, K3; + seed_word t0, t1; + ++ IN_FIPS_RETURN(); ++ + char2word(rawkey, K0); + char2word(rawkey + 4, K1); + char2word(rawkey + 8, K2); +@@ -349,6 +353,8 @@ SEED_encrypt(const unsigned char s[SEED_ + seed_word L0, L1, R0, R1; + seed_word t0, t1; + ++ IN_FIPS_RETURN(); ++ + char2word(s, L0); + char2word(s + 4, L1); + char2word(s + 8, R0); +@@ -385,6 +391,8 @@ SEED_decrypt(const unsigned char s[SEED_ + seed_word L0, L1, R0, R1; + seed_word t0, t1; + ++ IN_FIPS_RETURN(); ++ + char2word(s, L0); + char2word(s + 4, L1); + char2word(s + 8, R0); +@@ -419,6 +427,8 @@ SEED_ecb_encrypt(const unsigned char *in + size_t inLen, + const SEED_KEY_SCHEDULE *ks, int enc) + { ++ IN_FIPS_RETURN(); ++ + if (enc) { + 
while (inLen > 0) { + SEED_encrypt(in, out, ks); +@@ -445,6 +455,8 @@ SEED_cbc_encrypt(const unsigned char *in + unsigned char tmp[SEED_BLOCK_SIZE]; + const unsigned char *iv = ivec; + ++ IN_FIPS_RETURN(); ++ + if (enc) { + while (len >= SEED_BLOCK_SIZE) { + for (n = 0; n < SEED_BLOCK_SIZE; ++n) { +@@ -528,6 +540,7 @@ SEED_cbc_encrypt(const unsigned char *in + SEEDContext * + SEED_AllocateContext(void) + { ++ IN_FIPS_RETURN(NULL); + return PORT_ZNew(SEEDContext); + } + +@@ -536,6 +549,8 @@ SEED_InitContext(SEEDContext *cx, const + unsigned int keylen, const unsigned char *iv, + int mode, unsigned int encrypt, unsigned int unused) + { ++ IN_FIPS_RETURN(SECFailure); ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -567,10 +582,14 @@ SEEDContext * + SEED_CreateContext(const unsigned char *key, const unsigned char *iv, + int mode, PRBool encrypt) + { +- SEEDContext *cx = PORT_ZNew(SEEDContext); +- SECStatus rv = SEED_InitContext(cx, key, SEED_KEY_LENGTH, iv, mode, +- encrypt, 0); ++ SEEDContext *cx; ++ SECStatus rv; ++ ++ IN_FIPS_RETURN(NULL); + ++ cx = PORT_ZNew(SEEDContext); ++ rv = SEED_InitContext(cx, key, SEED_KEY_LENGTH, iv, mode, ++ encrypt, 0); + if (rv != SECSuccess) { + PORT_ZFree(cx, sizeof *cx); + cx = NULL; +@@ -595,6 +614,8 @@ SEED_Encrypt(SEEDContext *cx, unsigned c + unsigned int maxOutLen, const unsigned char *in, + unsigned int inLen) + { ++ IN_FIPS_RETURN(SECFailure); ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +@@ -635,6 +656,8 @@ SEED_Decrypt(SEEDContext *cx, unsigned c + unsigned int maxOutLen, const unsigned char *in, + unsigned int inLen) + { ++ IN_FIPS_RETURN(SECFailure); ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; +Index: nss/lib/freebl/fips.h +=================================================================== +--- nss.orig/lib/freebl/fips.h ++++ nss/lib/freebl/fips.h +@@ -8,9 +8,21 @@ + #ifndef FIPS_H + #define FIPS_H + ++#include "hasht.h" 
++#include "secerr.h" ++ ++#define IN_FIPS_RETURN(rv) \ ++ do { \ ++ if (FIPS_mode_allow_tests()) { \ ++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); \ ++ return rv; \ ++ } \ ++ } while (0) ++ + int FIPS_mode(void); + int FIPS_mode_allow_tests(void); + char* FIPS_rngDev(void); ++PRBool FIPS_hashAlgApproved(HASH_HashType hashAlg); + + #endif + +Index: nss/lib/freebl/md2.c +=================================================================== +--- nss.orig/lib/freebl/md2.c ++++ nss/lib/freebl/md2.c +@@ -13,6 +13,8 @@ + + #include "blapi.h" + ++#include "fips.h" ++ + #define MD2_DIGEST_LEN 16 + #define MD2_BUFSIZE 16 + #define MD2_X_SIZE 48 /* The X array, [CV | INPUT | TMP VARS] */ +@@ -66,7 +68,9 @@ SECStatus + MD2_Hash(unsigned char *dest, const char *src) + { + unsigned int len; +- MD2Context *cx = MD2_NewContext(); ++ MD2Context *cx; ++ ++ cx = MD2_NewContext(); + if (!cx) { + PORT_SetError(PR_OUT_OF_MEMORY_ERROR); + return SECFailure; +@@ -81,7 +85,9 @@ MD2_Hash(unsigned char *dest, const char + MD2Context * + MD2_NewContext(void) + { +- MD2Context *cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context)); ++ MD2Context *cx; ++ ++ cx = (MD2Context *)PORT_ZAlloc(sizeof(MD2Context)); + if (cx == NULL) { + PORT_SetError(PR_OUT_OF_MEMORY_ERROR); + return NULL; +@@ -226,6 +232,7 @@ MD2_End(MD2Context *cx, unsigned char *d + unsigned int *digestLen, unsigned int maxDigestLen) + { + PRUint8 padStart; ++ + if (maxDigestLen < MD2_BUFSIZE) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return; +Index: nss/lib/freebl/md5.c +=================================================================== +--- nss.orig/lib/freebl/md5.c ++++ nss/lib/freebl/md5.c +@@ -15,6 +15,8 @@ + #include "blapi.h" + #include "blapii.h" + ++#include "fips.h" ++ + #define MD5_HASH_LEN 16 + #define MD5_BUFFER_SIZE 64 + #define MD5_END_BUFFER (MD5_BUFFER_SIZE - 8) +@@ -215,7 +217,9 @@ MD5Context * + MD5_NewContext(void) + { + /* no need to ZAlloc, MD5_Begin will init the context */ +- MD5Context *cx = (MD5Context 
*)PORT_Alloc(sizeof(MD5Context)); ++ MD5Context *cx; ++ ++ cx = (MD5Context *)PORT_Alloc(sizeof(MD5Context)); + if (cx == NULL) { + PORT_SetError(PR_OUT_OF_MEMORY_ERROR); + return NULL; +@@ -226,7 +230,8 @@ MD5_NewContext(void) + void + MD5_DestroyContext(MD5Context *cx, PRBool freeit) + { +- memset(cx, 0, sizeof *cx); ++ if (cx) ++ memset(cx, 0, sizeof *cx); + if (freeit) { + PORT_Free(cx); + } +Index: nss/lib/freebl/nsslowhash.c +=================================================================== +--- nss.orig/lib/freebl/nsslowhash.c ++++ nss/lib/freebl/nsslowhash.c +@@ -13,6 +13,7 @@ + #include "plhash.h" + #include "nsslowhash.h" + #include "blapii.h" ++#include "fips.h" + + struct NSSLOWInitContextStr { + int count; +@@ -99,6 +100,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext + { + NSSLOWHASHContext *context; + ++#if 0 ++ /* return with an error if unapproved hash is requested in FIPS mode */ ++ /* This is now handled by the service level indicator */ ++ if (!FIPS_hashAlgApproved(hashType)) { ++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); ++ return NULL; ++ } ++#endif ++ + if (post_failed) { + PORT_SetError(SEC_ERROR_PKCS11_DEVICE_ERROR); + return NULL; +Index: nss/lib/freebl/rawhash.c +=================================================================== +--- nss.orig/lib/freebl/rawhash.c ++++ nss/lib/freebl/rawhash.c +@@ -10,6 +10,7 @@ + #include "hasht.h" + #include "blapi.h" /* below the line */ + #include "secerr.h" ++#include "fips.h" + + static void * + null_hash_new_context(void) +@@ -146,7 +147,11 @@ const SECHashObject SECRawHashObjects[] + const SECHashObject * + HASH_GetRawHashObject(HASH_HashType hashType) + { +- if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL) { ++ /* We rely on the service level indicator for algorithm approval now, so ++ * the FIPS check here has been commented out */ ++ ++ if (hashType <= HASH_AlgNULL || hashType >= HASH_AlgTOTAL ++ /* || (!FIPS_hashAlgApproved(hashType)) */) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); 
+ return NULL; + } +Index: nss/lib/softoken/pkcs11c.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11c.c ++++ nss/lib/softoken/pkcs11c.c +@@ -4780,6 +4780,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + goto loser; + } + ++ key->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_GEN_MECHANISM, key); ++ session->lastOpWasFIPS = key->isFIPS; ++ + /* + * handle the base object stuff + */ +@@ -4794,6 +4797,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi + if (crv == CKR_OK) { + *phKey = key->handle; + } ++ + loser: + PORT_Memset(buf, 0, sizeof buf); + sftk_FreeObject(key); +@@ -5710,11 +5714,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + * created and linked. + */ + crv = sftk_handleObject(publicKey, session); +- sftk_FreeSession(session); + if (crv != CKR_OK) { + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + return crv; + } + if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { +@@ -5758,13 +5762,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + sftk_FreeObject(publicKey); + NSC_DestroyObject(hSession, privateKey->handle); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + return crv; + } + ++ publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey); ++ privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey); ++ session->lastOpWasFIPS = privateKey->isFIPS; ++ + *phPrivateKey = privateKey->handle; + *phPublicKey = publicKey->handle; + sftk_FreeObject(publicKey); + sftk_FreeObject(privateKey); ++ sftk_FreeSession(session); + + return CKR_OK; + } +@@ -7469,7 +7479,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + } else { + /* now allocate the hash contexts */ + md5 = MD5_NewContext(); +- if (md5 == NULL) { ++ if (md5 == NULL && !isTLS) { + PORT_Memset(crsrdata, 0, sizeof crsrdata); + crv = CKR_HOST_MEMORY; + break; +@@ -7858,6 
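Review bot: Moving `sftk_FreeSession(session)` from directly after `sftk_handleObject(publicKey, session)` to the individual exits of NSC_GenerateKeyPair means any `return` between the `@@ -5710` and `@@ -5758` hunks (that stretch of the function is outside this view) now leaks the session reference unless it was updated too; the visible error paths and the success path are covered, the code in between should be audited. A single cleanup label that releases the session once, as NSC_GenerateKey does with its `loser:` label in the hunk above, would make the invariant easier to keep.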
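Review bot: `if (md5 == NULL && !isTLS)` lets the TLS branch of NSC_DeriveKey continue with a NULL MD5 context, and nothing in the hunk says whether the rest of that branch touches `md5`; the companion NULL guard added to MD5_DestroyContext in this commit suggests the context is reached as NULL at least at teardown. That assumption deserves a comment on the changed line: `/* MD5 is only needed by the SSL3 PRF; the TLS path tolerates a NULL context and MD5_DestroyContext accepts NULL */`. The enclosing switch case starts before the hunk and continues after it.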
+7868,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + PORT_Assert(i <= sizeof key_block); + } + ++ session->lastOpWasFIPS = key->isFIPS; + crv = CKR_OK; + + if (0) { +Index: nss/lib/freebl/desblapi.c +=================================================================== +--- nss.orig/lib/freebl/desblapi.c ++++ nss/lib/freebl/desblapi.c +@@ -18,6 +18,8 @@ + #include + #include "secerr.h" + ++#include "fips.h" ++ + #if defined(NSS_X86_OR_X64) + /* Intel X86 CPUs do unaligned loads and stores without complaint. */ + #define COPY8B(to, from, ptr) \ +@@ -145,12 +147,14 @@ DES_InitContext(DESContext *cx, const un + unsigned int unused) + { + DESDirection opposite; ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT; + opposite = encrypt ? DES_DECRYPT : DES_ENCRYPT; ++ + switch (mode) { + case NSS_DES: /* DES ECB */ + DES_MakeSchedule(cx->ks0, key, cx->direction); +@@ -201,8 +205,11 @@ DES_InitContext(DESContext *cx, const un + DESContext * + DES_CreateContext(const BYTE *key, const BYTE *iv, int mode, PRBool encrypt) + { +- DESContext *cx = PORT_ZNew(DESContext); +- SECStatus rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); ++ DESContext *cx; ++ SECStatus rv; ++ ++ cx = PORT_ZNew(DESContext); ++ rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); + + if (rv != SECSuccess) { + PORT_ZFree(cx, sizeof *cx); +@@ -225,7 +232,6 @@ SECStatus + DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { +- + if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_ENCRYPT) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -242,7 +248,6 @@ SECStatus + DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { +- + if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_DECRYPT) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); 
+Index: nss/lib/softoken/fips_algorithms.h +=================================================================== +--- nss.orig/lib/softoken/fips_algorithms.h ++++ nss/lib/softoken/fips_algorithms.h +@@ -58,18 +58,35 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + #define RSA_FB_STEP 1 + #define RSA_LEGACY_FB_KEY 1024, 1792 /* min, max */ + #define RSA_LEGACY_FB_STEP 256 +-#define DSA_FB_KEY 2048, 4096 /* min, max */ ++#define DSA_FB_KEY 2048, 3072 /* min, max */ + #define DSA_FB_STEP 1024 +-#define DH_FB_KEY 2048, 4096 /* min, max */ ++#define DH_FB_KEY 2048, 8192 /* min, max */ + #define DH_FB_STEP 1024 + #define EC_FB_KEY 256, 521 /* min, max */ + #define EC_FB_STEP 1 /* key limits handled by special operation */ +-#define AES_FB_KEY 128, 256 ++#define AES_FB_KEY 128, 512 + #define AES_FB_STEP 64 + { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, ++#if 0 + { CKM_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS }, ++ /* Non-approved */ + { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, ++#endif ++ ++ { CKM_SHA_1_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA384_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA512_256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ ++ { CKM_SHA3_224_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA3_256_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { CKM_SHA3_384_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ { 
CKM_SHA3_512_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, ++ + /* -------------- RSA Multipart Signing Operations -------------------- */ + { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, +@@ -88,13 +105,12 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS }, + /* ------------------------- DSA Operations --------------------------- */ +- { CKM_DSA_KEY_PAIR_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_PARAMETER_GEN, { DSA_FB_KEY, CKF_KPG }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, +- { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_SGN }, DSA_FB_STEP, SFTKFIPSNone }, ++ ++ { CKM_DSA_SHA224, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA256, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA384, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ { CKM_DSA_SHA512, { DSA_FB_KEY, CKF_VERIFY }, DSA_FB_STEP, SFTKFIPSNone }, ++ + /* -------------------- Diffie Hellman Operations --------------------- */ + /* no diffie hellman yet */ + { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_FB_KEY, CKF_KPG }, DH_FB_STEP, SFTKFIPSDH }, +@@ -102,7 +118,10 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + /* -------------------- Elliptic Curve Operations --------------------- */ + { CKM_EC_KEY_PAIR_GEN, { EC_FB_KEY, CKF_KPG }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDH1_DERIVE, { EC_FB_KEY, CKF_KEA }, EC_FB_STEP, SFTKFIPSECC }, ++#if 0 ++ /* 
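Review bot: `AES_FB_KEY` is widened to `128, 512` so it can be reused by the new CKM_SHA*_KEY_GEN rows, but the same macro still sizes every CKM_AES_* row in the later hunks of this file, so the indicator now treats 320- to 512-bit keys as approved AES keys although AES only exists at 128/192/256 bits and `AES_FB_STEP 64` was chosen for that range. Keep `#define AES_FB_KEY 128, 256` and give the HMAC key-generation rows a macro of their own, for example the `112, 512` floor and ceiling this commit applies to CKM_GENERIC_SECRET_KEY_GEN further down. `CKM_RSA_PKCS_PSS` with CKF_SGN is disabled under `/* Non-approved */` while hash-bound PSS rows appear to remain below; a comment stating that only the SHA2-bound PSS mechanisms are approved would resolve the apparent contradiction for the next reader.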
Doesn't consider hash algo. Non-approved */ + { CKM_ECDSA, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, ++#endif + { CKM_ECDSA_SHA224, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA256, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, + { CKM_ECDSA_SHA384, { EC_FB_KEY, CKF_SGN }, EC_FB_STEP, SFTKFIPSECC }, +@@ -112,8 +131,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_AES_KEY_GEN, { AES_FB_KEY, CKF_GEN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_ECB, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, ++#if 0 ++ /* Non-approved */ + { CKM_AES_MAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_MAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, ++#endif + { CKM_AES_CMAC, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CMAC_GENERAL, { AES_FB_KEY, CKF_SGN }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_CBC_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, +@@ -123,8 +145,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, ++#if 0 ++ /* Not approved in FIPS mode */ + { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone }, ++#endif + /* ------------------------- Hashing Operations ----------------------- */ + { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, +@@ -139,41 +164,56 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_SHA512_HMAC, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_SHA512_HMAC_GENERAL, { 256, 512, CKF_SGN }, 1, SFTKFIPSNone }, + /* --------------------- Secret Key Operations ------------------------ */ +- { 
CKM_GENERIC_SECRET_KEY_GEN, { 8, 256, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_GENERIC_SECRET_KEY_GEN, { 112, 512, CKF_GEN }, 1, SFTKFIPSNone }, + /* ---------------------- SSL/TLS operations ------------------------- */ + { CKM_SHA224_KEY_DERIVATION, { 112, 224, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA256_KEY_DERIVATION, { 128, 256, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA384_KEY_DERIVATION, { 192, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_SHA512_KEY_DERIVATION, { 256, 512, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_TLS12_MASTER_KEY_DERIVE_DH, { DH_FB_KEY, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS12_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, +- { CKM_TLS_MAC, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MAC, { 112, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ ++ { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 8, 512, CKF_SGN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MASTER_KEY_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, { 128, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_TLS_KEY_AND_MAC_DERIVE, { 384, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, { 128, 384, CKF_KDF }, 1, SFTKFIPSNone }, ++ ++ { CKM_SSL3_PRE_MASTER_KEY_GEN, { 128, 512, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_TLS_PRE_MASTER_KEY_GEN, { 128, 512, CKF_GEN }, 1, SFTKFIPSNone }, ++ + /* sigh, is this algorithm really tested. 
ssl doesn't seem to have a + * way of turning the extension off */ + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, { 192, 1024, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH, { 192, 1024, CKF_DERIVE }, 1, SFTKFIPSNone }, + + /* ------------------------- HKDF Operations -------------------------- */ ++#if 0 ++ /* Only approved in the context of TLS 1.3 */ + { CKM_HKDF_DERIVE, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_DATA, { 8, 255 * 64 * 8, CKF_KDF }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 160, 224, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_HKDF_KEY_GEN, { 256, 512, CKF_GEN }, 128, SFTKFIPSNone }, ++#endif + /* ------------------ NIST 800-108 Key Derivations ------------------- */ +- { CKM_SP800_108_COUNTER_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_SP800_108_FEEDBACK_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 0, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_COUNTER_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_FEEDBACK_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_SP800_108_DOUBLE_PIPELINE_KDF, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_SP800_108_COUNTER_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA, { 112, CK_MAX, CKF_KDF }, 1, SFTKFIPSNone }, + /* --------------------IPSEC ----------------------- */ +- { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { 
CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_KDF }, 1, SFTKFIPSNone }, +- { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE_PRF_DERIVE, { 112, 112, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE1_PRF_DERIVE, { 112, 112, CKF_KDF }, 1, SFTKFIPSNone }, ++ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 112, 255 * 64, CKF_KDF }, 1, SFTKFIPSNone }, + /* ------------------ PBE Key Derivations ------------------- */ +- { CKM_PKCS5_PBKD2, { 1, 256, CKF_GEN }, 1, SFTKFIPSNone }, ++ { CKM_PKCS5_PBKD2, { 112, 256, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN, { 224, 224, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN, { 256, 256, CKF_GEN }, 1, SFTKFIPSNone }, + { CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN, { 384, 384, CKF_GEN }, 1, SFTKFIPSNone }, +Index: nss/lib/softoken/pkcs11u.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11u.c ++++ nss/lib/softoken/pkcs11u.c +@@ -2242,6 +2242,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE + case CKA_NSS_MESSAGE | CKA_VERIFY: + flags = CKF_MESSAGE_VERIFY; + break; ++ case CKA_KEY_GEN_MECHANISM: ++ flags = CKF_GENERATE; ++ break; ++ case CKA_KEY_PAIR_GEN_MECHANISM: ++ flags = CKF_GENERATE_KEY_PAIR; ++ break; + default: + break; + } +@@ -2462,18 +2468,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_ + if (!sftk_isFIPS(slot->slotID)) { + return PR_FALSE; + } +- if (source && !source->isFIPS) { +- return PR_FALSE; +- } + if (mech == NULL) { + return PR_FALSE; + } +- + /* now get the calculated values */ + opFlags = sftk_AttributeToFlags(op); + if (opFlags == 0) { + return PR_FALSE; + } ++ if (source && !source->isFIPS ++ && !((mech->mechanism == CKM_DSA_SHA224 ++ || mech->mechanism == CKM_DSA_SHA256 ++ || mech->mechanism == CKM_DSA_SHA384 ++ || mech->mechanism == CKM_DSA_SHA512))) { ++ return PR_FALSE; ++ } ++ ++ if (mech->mechanism == 
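Review bot: The hunk raises the minimum key size to 112 bits for CKM_TLS_MAC, the SP800-108 KDFs, the IKE PRFs and CKM_PKCS5_PBKD2, yet leaves `CKM_TLS_PRF_GENERAL, { 8, 512, CKF_SGN }` and adds `CKM_NSS_TLS_PRF_GENERAL_SHA256, { 8, 512, CKF_SGN }` with an 8-bit floor; if the 112-bit floor is the policy, both should read `{ 112, 512, CKF_SGN }`, otherwise the exception needs a comment. Disabling the four HKDF rows under `/* Only approved in the context of TLS 1.3 */` presumably makes sftk_operationIsFIPS find no entry and report TLS 1.3 key-schedule derivations as non-approved, which is the opposite of what the comment says; if that is intended, extend the comment to say that HKDF operations are always reported non-approved until a TLS-1.3-aware check exists.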
CKM_PKCS5_PBKD2) { ++ CK_PKCS5_PBKD2_PARAMS *pbkd2_params = (CK_PKCS5_PBKD2_PARAMS *) mech->pParameter; ++ ++ if (!pbkd2_params ++ || !pbkd2_params->ulPasswordLen ++ || *pbkd2_params->ulPasswordLen < 20 ++ || pbkd2_params->saltSource != CKZ_SALT_SPECIFIED ++ || pbkd2_params->ulSaltSourceDataLen < 128 / 8 ++ || pbkd2_params->iterations < 1000) { ++ return PR_FALSE; ++ } ++ } ++ + keyLength = sftk_getKeyLength(source); + + /* check against our algorithm array */ +Index: nss/lib/util/pkcs11t.h +=================================================================== +--- nss.orig/lib/util/pkcs11t.h ++++ nss/lib/util/pkcs11t.h +@@ -576,6 +576,7 @@ typedef CK_ULONG CK_JAVA_MIDP_SECURITY_D + + /* CKA_KEY_GEN_MECHANISM is new for v2.11 */ + #define CKA_KEY_GEN_MECHANISM 0x00000166UL ++#define CKA_KEY_PAIR_GEN_MECHANISM 0x00000167UL + + #define CKA_MODIFIABLE 0x00000170UL + +Index: nss/lib/softoken/pkcs11.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11.c ++++ nss/lib/softoken/pkcs11.c +@@ -534,17 +534,17 @@ static const struct mechanismList mechan + { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, +- { 48, 48, CKF_DERIVE }, ++ { 16, 48, CKF_DERIVE }, + PR_FALSE }, +- { CKM_TLS_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE }, +- { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 8, 128, CKF_DERIVE }, PR_FALSE }, ++ { CKM_TLS_MASTER_KEY_DERIVE_DH, { 48, 48, CKF_DERIVE }, PR_FALSE }, ++ { CKM_TLS12_MASTER_KEY_DERIVE_DH, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_NSS_TLS_MASTER_KEY_DERIVE_DH_SHA256, +- { 8, 128, CKF_DERIVE }, ++ { 48, 48, CKF_DERIVE }, + PR_FALSE }, + { CKM_TLS_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_TLS12_KEY_AND_MAC_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, + { CKM_NSS_TLS_KEY_AND_MAC_DERIVE_SHA256, +- { 48, 48, CKF_DERIVE }, ++ { 16, 48, CKF_DERIVE }, + 
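Review bot: The PBKDF2 branch casts `mech->pParameter` to `CK_PKCS5_PBKD2_PARAMS *` and dereferences it without confirming the parameter length; the callers added in this commit invoke sftk_operationIsFIPS after the mechanism has already been used, but as a general predicate it should guard itself with `if (!mech->pParameter || mech->ulParameterLen < sizeof(CK_PKCS5_PBKD2_PARAMS)) return PR_FALSE;` before the field checks. The exemption that lets a non-FIPS `source` key pass for CKM_DSA_SHA224..CKM_DSA_SHA512 has no comment; since only CKF_VERIFY rows remain for those mechanisms in fips_algorithms.h, `/* legacy (non-FIPS) DSA keys may still be used for signature verification */` would record the intent. The literals 20, 128 / 8 and 1000 are unnamed policy thresholds (password bytes, salt bytes, iteration floor) and would read better as named constants. sftk_operationIsFIPS starts before the hunk and continues after it.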
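Review bot: `CKA_KEY_PAIR_GEN_MECHANISM 0x00000167UL` is placed in the attribute range reserved for the PKCS#11 standard, between CKA_KEY_GEN_MECHANISM (0x166) and CKA_MODIFIABLE (0x170), so a future specification release could assign 0x167 a different meaning and silently collide. From the uses in this commit the value only serves as the `op` selector for sftk_AttributeToFlags, so it could live in NSS's vendor-defined range (`CKA_NSS` in pkcs11n.h) or be a softoken-private constant rather than a public pkcs11t.h define; at minimum mark it with `/* NSS-private: not a PKCS#11 attribute, only used as an sftk_AttributeToFlags selector */`.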
PR_FALSE }, + { CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE, + { 48, 128, CKF_DERIVE }, diff --git a/nss-fips-cavs-dsa-fixes.patch b/nss-fips-cavs-dsa-fixes.patch new file mode 100644 index 0000000..1f06a39 --- /dev/null +++ b/nss-fips-cavs-dsa-fixes.patch 
@@ -0,0 +1,206 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574237264 -3600 +# Wed Nov 20 09:07:44 2019 +0100 +# Node ID 0e904e6179d1db21965df2c405c80c3fc0258658 +# Parent 969310ea4c573aac64bf08846b8938b8fa783870 +[PATCH] 24 +From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001 +--- + nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++---- + 1 file changed, 101 insertions(+), 11 deletions(-) + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -5575,7 +5575,7 @@ loser: + void + dsa_pqggen_test(char *reqfn) + { +- char buf[800]; /* holds one line from the input REQUEST file ++ char buf[2048]; /* holds one line from the input REQUEST file + * or to the output RESPONSE file. + * 800 to hold seed = (384 public key (x2 for HEX) + */ +@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn) + PQGVerify *vfy = NULL; + unsigned int keySizeIndex = 0; + dsa_pqg_type type = FIPS186_1; ++ SECItem P = { 0, 0, 0 }; ++ SECItem Q = { 0, 0, 0 }; ++ SECItem firstseed = { 0, 0, 0 }; ++ SECItem pseed = { 0, 0, 0 }; ++ SECItem qseed = { 0, 0, 0 }; ++ SECItem index = { 0, 0, 0 }; ++ HASH_HashType hashtype = HASH_AlgNULL; + + dsareq = fopen(reqfn, "r"); + dsaresp = stdout; +@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn) + output_g = 1; + exit(1); + } else if (strncmp(&buf[1], "A.2.3", 5) == 0) { +- fprintf(stderr, "NSS only Generates G with P&Q\n"); +- exit(1); ++ type = A_2_3; ++ output_g = 1; + } else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) { + type = A_1_2_1; + output_g = 0; +@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn) + + /* [Mod = ... 
] */ + if (buf[0] == '[') { ++ int hashbits; + + if (type == FIPS186_1) { + N = 160; + if (sscanf(buf, "[mod = %d]", &L) != 1) { + goto loser; + } +- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) { ++ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) { + goto loser; ++ } else { ++ hashtype = sha_get_hashType (hashbits); + } + + fputs(buf, dsaresp); +@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn) + continue; + } + /* N = ... */ +- if (buf[0] == 'N') { ++ if (buf[0] == 'N' && type != A_2_3) { + if (strncmp(buf, "Num", 3) == 0) { + if (sscanf(buf, "Num = %d", &count) != 1) { + goto loser; +@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn) + rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES, + &pqg, &vfy); + } else { +- rv = PQG_ParamGenV2(L, N, N, &pqg, &vfy); ++ if (firstseed.data) ++ SECITEM_ZfreeItem(&firstseed, PR_FALSE); ++ ++ rv = FREEBL_Test_PQG_ParamGenV2_p(L, N, 0, &pqg, &vfy, &firstseed, hashtype); + } + if (rv != SECSuccess) { + fprintf(dsaresp, +@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn) + fprintf(dsaresp, "P = %s\n", buf); + to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len); + fprintf(dsaresp, "Q = %s\n", buf); ++ if (firstseed.data) { ++ to_hex_str(buf, firstseed.data, firstseed.len); ++ fprintf(dsaresp, "firstseed = %s\n", buf); ++ } + if (output_g) { + to_hex_str(buf, pqg->base.data, pqg->base.len); + fprintf(dsaresp, "G = %s\n", buf); +@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn) + } + fprintf(dsaresp, "%s\n", buf); + } else { +- unsigned int seedlen = vfy->seed.len / 2; +- unsigned int pgen_counter = vfy->counter >> 16; +- unsigned int qgen_counter = vfy->counter & 0xffff; ++ unsigned int seedlen = (vfy->seed.len - firstseed.len) / 2; ++ unsigned int pgen_counter = vfy->counter & 0xffff; ++ unsigned int qgen_counter = vfy->counter >> 16; + /*fprintf(dsaresp, "index = %02x\n", vfy->h.data[0]); */ +- to_hex_str(buf, vfy->seed.data, seedlen); ++ to_hex_str(buf, vfy->seed.data + 
firstseed.len, seedlen); + fprintf(dsaresp, "pseed = %s\n", buf); +- to_hex_str(buf, vfy->seed.data + seedlen, seedlen); ++ to_hex_str(buf, vfy->seed.data + firstseed.len + seedlen, seedlen); + fprintf(dsaresp, "qseed = %s\n", buf); + fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter); + fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter); +@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn) + vfy = NULL; + } + } ++ continue; ++ } ++ ++ if (parse_secitem ("P", buf, &P)) { ++ fputs(buf, dsaresp); ++ continue; ++ } ++ if (parse_secitem ("Q", buf, &Q)) { ++ fputs(buf, dsaresp); ++ continue; ++ } ++ if (parse_secitem ("firstseed", buf, &firstseed)) { ++ fputs(buf, dsaresp); ++ continue; ++ } ++ if (parse_secitem ("pseed", buf, &pseed)) { ++ fputs(buf, dsaresp); ++ continue; ++ } ++ if (parse_secitem ("qseed", buf, &qseed)) { ++ fputs(buf, dsaresp); ++ continue; ++ } ++ if (parse_secitem ("index", buf, &index) && type == A_2_3) { ++ SECStatus rv; ++ PLArenaPool *arena; ++ ++ fputs(buf, dsaresp); ++ ++ arena = PORT_NewArena (NSS_FREEBL_DEFAULT_CHUNKSIZE); ++ pqg = (PQGParams *)PORT_ArenaZAlloc(arena, sizeof(PQGParams)); ++ pqg->arena = arena; ++ ++ arena = PORT_NewArena (NSS_FREEBL_DEFAULT_CHUNKSIZE); ++ vfy = (PQGVerify *)PORT_ArenaZAlloc(arena, sizeof(PQGVerify)); ++ vfy->arena = arena; ++ ++ SECITEM_CopyItem(pqg->arena, &pqg->prime, &P); ++ SECITEM_CopyItem(pqg->arena, &pqg->subPrime, &Q); ++ ++ SECITEM_AllocItem(vfy->arena, &vfy->seed, firstseed.len + pseed.len + qseed.len); ++ memcpy (vfy->seed.data, firstseed.data, firstseed.len); ++ memcpy (vfy->seed.data + firstseed.len, pseed.data, pseed.len); ++ memcpy (vfy->seed.data + firstseed.len + pseed.len, qseed.data, qseed.len); ++ ++ SECITEM_AllocItem(vfy->arena, &vfy->h, 1); ++ vfy->h.data [0] = index.data [0]; ++ ++ rv = FREEBL_Test_PQG_ParamGenV2_p(L, N, 0, &pqg, &vfy, &firstseed, hashtype); ++ if (rv != SECSuccess) { ++ fprintf(dsaresp, ++ "ERROR: Unable to verify PQG parameters"); ++ goto loser; ++ } ++ ++ 
to_hex_str(buf, pqg->base.data, pqg->base.len); ++ fprintf(dsaresp, "G = %s\n\n", buf); + ++ PQG_DestroyParams(pqg); ++ pqg = NULL; ++ PQG_DestroyVerify(vfy); ++ vfy = NULL; + continue; + } + } + loser: + fclose(dsareq); ++ if (P.data) ++ SECITEM_ZfreeItem(&P, PR_FALSE); ++ if (Q.data) ++ SECITEM_ZfreeItem(&Q, PR_FALSE); ++ if (firstseed.data) ++ SECITEM_ZfreeItem(&firstseed, PR_FALSE); ++ if (pseed.data) ++ SECITEM_ZfreeItem(&pseed, PR_FALSE); ++ if (qseed.data) ++ SECITEM_ZfreeItem(&qseed, PR_FALSE); ++ if (index.data) ++ SECITEM_ZfreeItem(&index, PR_FALSE); + if (pqg != NULL) { + PQG_DestroyParams(pqg); + } diff --git a/nss-fips-cavs-general.patch b/nss-fips-cavs-general.patch new file mode 100644 index 0000000..d198a14 --- /dev/null +++ b/nss-fips-cavs-general.patch 
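Review bot: In the new A_2_3 branch of dsa_pqggen_test the results of `PORT_NewArena`, `PORT_ArenaZAlloc`, `SECITEM_CopyItem` and `SECITEM_AllocItem` are used unchecked, so a failed allocation dereferences NULL at `pqg->arena = arena;` instead of reaching the `loser:` cleanup; each should be followed by `if (!...) goto loser;`, freeing a freshly created arena when its first allocation fails. `vfy->h.data[0] = index.data[0]` and the copies of P and Q also assume those items were parsed on earlier lines of the request file; checking that `P.data`, `Q.data` and `index.len` are set before building the parameter set would turn a malformed file into a reported error rather than a NULL dereference. The comment on `char buf[2048]` still says "800 to hold seed" and should be updated to the new size. The inner hunks show dsa_pqggen_test only in parts; its head and the tail after `loser:` are outside them.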
@@ -0,0 +1,316 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1590413427 -7200 +# Mon May 25 15:30:27 2020 +0200 +# Node ID 969310ea4c573aac64bf08846b8938b8fa783870 +# Parent 60c5e5d73ce1177fa66d8fd6cf49d9b371ca9be4 +imported patch nss-fips-cavs-general.patch + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -5,6 +5,7 @@ + #include + #include + #include ++#include + + #include "secitem.h" + #include "blapi.h" +@@ -18,6 +19,9 @@ + #include "lowkeyi.h" + #include "softoken.h" + #include "pkcs11t.h" ++ ++#include "../../lib/freebl/fips.h" ++ + #define __PASTE(x, y) x##y + #undef CK_PKCS11_FUNCTION_INFO + #undef CK_NEED_ARG_LIST +@@ -55,6 +59,10 @@ EC_CopyParams(PLArenaPool *arena, ECPara + #define RSA_MAX_TEST_EXPONENT_BYTES 8 + #define PQG_TEST_SEED_BYTES 20 + ++SECStatus (*FREEBL_Test_PQG_ParamGenV2_p) (unsigned int L, unsigned int N, unsigned int seedBytes, ++ PQGParams **pParams, PQGVerify **pVfy, ++ SECItem *firstseed, HASH_HashType hashtype); ++ + SECStatus + hex_to_byteval(const char *c2, unsigned char *byteval) + { +@@ -168,6 +176,62 @@ from_hex_str(unsigned char *buf, unsigne + return PR_TRUE; + } + ++#if 0 ++ ++static void ++dump_secitem (FILE *out, SECItem *secitem) ++{ ++ char buf [4096]; ++ ++ to_hex_str(buf, secitem->data, secitem->len); ++ fputs (buf, out); ++} ++ ++static void ++dump_labeled_secitem (FILE *out, const char *name, SECItem *secitem) ++{ ++ fprintf (out, "%s = ", name); ++ dump_secitem (out, secitem); ++ fputs ("\n", out); ++} ++ ++#endif ++ ++static int ++parse_secitem (const char *name, const char *buf, SECItem *secitem) ++{ ++ if (!strncmp (buf, name, strlen (name))) { ++ int i, j, len; ++ ++ i = strlen (name); ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ ++ len = strspn (&buf[i], "0123456789abcdefABCDEF"); ++ if (!len) ++ return 0; ++ ++ if (secitem->data) { ++ 
SECITEM_ZfreeItem(secitem, PR_FALSE); ++ secitem->data = NULL; ++ } ++ ++ len = (len + 1) / 2; ++ SECITEM_AllocItem(NULL, secitem, len); ++ secitem->len = len; ++ ++ memset(secitem->data, 0, secitem->len); ++ for (j = 0; j < secitem->len; i += 2, j++) { ++ hex_to_byteval(&buf[i], &secitem->data[j]); ++ } ++ ++ return 1; ++ } ++ ++ return 0; ++} ++ + SECStatus + tdea_encrypt_buf( + int mode, +@@ -8915,41 +8979,6 @@ out: + } + } + +-static int +-parse_secitem (const char *name, const char *buf, SECItem *secitem) +-{ +- if (!strncmp (buf, name, strlen (name))) { +- int i, j, len; +- +- i = strlen (name); +- while (isspace(buf[i]) || buf[i] == '=') { +- i++; +- } +- +- len = strspn (&buf[i], "0123456789abcdefABCDEF"); +- if (!len) +- return 0; +- +- if (secitem->data) { +- SECITEM_ZfreeItem(secitem, PR_FALSE); +- secitem->data = NULL; +- } +- +- len = (len + 1) / 2; +- SECITEM_AllocItem(NULL, secitem, len); +- secitem->len = len; +- +- memset(secitem->data, 0, secitem->len); +- for (j = 0; j < secitem->len; i += 2, j++) { +- hex_to_byteval(&buf[i], &secitem->data[j]); +- } +- +- return 1; +- } +- +- return 0; +-} +- + void + kas_ffc_test(char *reqfn, int do_validity) + { +@@ -9372,12 +9401,34 @@ out: + free_param_specs (pspecs); + } + ++static void ++init_functions (void) ++{ ++ void *freebl_so; ++ ++ freebl_so = dlopen ("libfreeblpriv3.so", RTLD_LAZY); ++ if (freebl_so == NULL) ++ { ++ fprintf (stderr, "Failed to load libfreeblpriv3.so."); ++ exit (1); ++ } ++ ++ FREEBL_Test_PQG_ParamGenV2_p = dlsym (freebl_so, "FREEBL_Test_PQG_ParamGenV2"); ++ ++ if (FREEBL_Test_PQG_ParamGenV2_p == NULL) ++ { ++ fprintf (stderr, "Failed to bind FREEBL_TEST_PQG_ParamGenV2."); ++ exit (1); ++ } ++} ++ + int + main(int argc, char **argv) + { + if (argc < 2) + exit(-1); + ++ init_functions(); + RNG_RNGInit(); + SECOID_Init(); + +Index: nss/lib/freebl/freebl.def +=================================================================== +--- nss.orig/lib/freebl/freebl.def ++++ 
nss/lib/freebl/freebl.def +@@ -21,6 +21,7 @@ + LIBRARY freebl3 ;- + EXPORTS ;- + FREEBL_GetVector; ++FREEBL_Test_PQG_ParamGenV2; + ;+ local: + ;+ *; + ;+}; +Index: nss/lib/freebl/freebl_hash.def +=================================================================== +--- nss.orig/lib/freebl/freebl_hash.def ++++ nss/lib/freebl/freebl_hash.def +@@ -21,6 +21,7 @@ + LIBRARY freebl3 ;- + EXPORTS ;- + FREEBL_GetVector; ++FREEBL_Test_PQG_ParamGenV2; + ;+ local: + ;+ *; + ;+}; +Index: nss/lib/freebl/freebl_hash_vector.def +=================================================================== +--- nss.orig/lib/freebl/freebl_hash_vector.def ++++ nss/lib/freebl/freebl_hash_vector.def +@@ -21,6 +21,7 @@ + LIBRARY freebl3 ;- + EXPORTS ;- + FREEBL_GetVector; ++FREEBL_Test_PQG_ParamGenV2; + ;+ local: + ;+ *; + ;+}; +Index: nss/lib/freebl/pqg.c +=================================================================== +--- nss.orig/lib/freebl/pqg.c ++++ nss/lib/freebl/pqg.c +@@ -1242,7 +1242,8 @@ cleanup: + **/ + static SECStatus + pqg_ParamGen(unsigned int L, unsigned int N, pqgGenType type, +- unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy) ++ unsigned int seedBytes, PQGParams **pParams, PQGVerify **pVfy, ++ SECItem *firstseed_out, HASH_HashType hashtype) + { + unsigned int n; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */ + unsigned int seedlen; /* Per FIPS 186-3 app A.1.1.2 (was 'g' 186-1)*/ +@@ -1250,7 +1251,6 @@ pqg_ParamGen(unsigned int L, unsigned in + unsigned int offset; /* Per FIPS 186, app 2.2. 186-3 app A.1.1.2 */ + unsigned int outlen; /* Per FIPS 186-3, appendix A.1.1.2. */ + unsigned int maxCount; +- HASH_HashType hashtype = HASH_AlgNULL; + SECItem *seed; /* Per FIPS 186, app 2.2. 
186-3 app A.1.1.2 */ + PLArenaPool *arena = NULL; + PQGParams *params = NULL; +@@ -1301,7 +1301,8 @@ pqg_ParamGen(unsigned int L, unsigned in + /* fill in P Q, */ + SECITEM_TO_MPINT((*pParams)->prime, &P); + SECITEM_TO_MPINT((*pParams)->subPrime, &Q); +- hashtype = getFirstHash(L, N); ++ if (hashtype == HASH_AlgNULL) ++ hashtype = getFirstHash(L, N); + CHECK_SEC_OK(makeGfromIndex(hashtype, &P, &Q, &(*pVfy)->seed, + (*pVfy)->h.data[0], &G)); + MPINT_TO_SECITEM(&G, &(*pParams)->base, (*pParams)->arena); +@@ -1341,7 +1342,8 @@ pqg_ParamGen(unsigned int L, unsigned in + /* Select Hash and Compute lengths. */ + /* getFirstHash gives us the smallest acceptable hash for this key + * strength */ +- hashtype = getFirstHash(L, N); ++ if (hashtype == HASH_AlgNULL) ++ hashtype = getFirstHash(L, N); + outlen = HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE; + + /* Step 3: n = Ceil(L/outlen)-1; (same as n = Floor((L-1)/outlen)) */ +@@ -1543,6 +1545,10 @@ generate_G: + verify->counter = counter; + *pParams = params; + *pVfy = verify; ++ ++ if (firstseed_out) ++ SECITEM_CopyItem (NULL, firstseed_out, &firstseed); ++ + cleanup: + if (pseed.data) { + SECITEM_ZfreeItem(&pseed, PR_FALSE); +@@ -1587,7 +1593,7 @@ PQG_ParamGen(unsigned int j, PQGParams * + L = 512 + (j * 64); /* bits in P */ + seedBytes = L / 8; + return pqg_ParamGen(L, DSA1_Q_BITS, FIPS186_1_TYPE, seedBytes, +- pParams, pVfy); ++ pParams, pVfy, NULL, HASH_AlgNULL); + } + + SECStatus +@@ -1602,7 +1608,7 @@ PQG_ParamGenSeedLen(unsigned int j, unsi + } + L = 512 + (j * 64); /* bits in P */ + return pqg_ParamGen(L, DSA1_Q_BITS, FIPS186_1_TYPE, seedBytes, +- pParams, pVfy); ++ pParams, pVfy, NULL, HASH_AlgNULL); + } + + SECStatus +@@ -1620,7 +1626,26 @@ PQG_ParamGenV2(unsigned int L, unsigned + /* error code already set */ + return SECFailure; + } +- return pqg_ParamGen(L, N, FIPS186_3_ST_TYPE, seedBytes, pParams, pVfy); ++ return pqg_ParamGen(L, N, FIPS186_3_ST_TYPE, seedBytes, pParams, pVfy, NULL, HASH_AlgNULL); ++} ++ 
++SECStatus ++FREEBL_Test_PQG_ParamGenV2 (unsigned int L, unsigned int N, unsigned int seedBytes, ++ PQGParams **pParams, PQGVerify **pVfy, SECItem *firstseed_out, ++ HASH_HashType hashtype) ++{ ++ if (N == 0) { ++ N = pqg_get_default_N(L); ++ } ++ if (seedBytes == 0) { ++ /* seedBytes == L/8 for probable primes, N/8 for Shawe-Taylor Primes */ ++ seedBytes = N / 8; ++ } ++ if (pqg_validate_dsa2(L, N) != SECSuccess) { ++ /* error code already set */ ++ return SECFailure; ++ } ++ return pqg_ParamGen(L, N, FIPS186_3_ST_TYPE, seedBytes, pParams, pVfy, firstseed_out, hashtype); + } + + /* diff --git a/nss-fips-cavs-kas-ecc.patch b/nss-fips-cavs-kas-ecc.patch new file mode 100644 index 0000000..6d45fbc --- /dev/null +++ b/nss-fips-cavs-kas-ecc.patch 
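Review bot: `FREEBL_Test_PQG_ParamGenV2` is added to freebl.def, freebl_hash.def and freebl_hash_vector.def, which exports a test-only entry point from the production freebl library; unlike PQG_ParamGenV2 it lets the caller choose `hashtype`, and pqg_ParamGen now uses that value without checking it against (L, N), so a caller can drive parameter generation with a hash weaker than getFirstHash(L, N) would select. Gating the definition and the exports behind a test build flag, or rejecting `HASH_ResultLen(hashtype) * PR_BITS_PER_BYTE < N` in FREEBL_Test_PQG_ParamGenV2, would keep the module's exported surface unchanged for normal builds. In fipstest.c, `init_functions` reports neither `dlerror()` nor a newline in its failure messages and the second one misnames the symbol (`FREEBL_TEST_PQG_ParamGenV2`); `fprintf(stderr, "Failed to bind FREEBL_Test_PQG_ParamGenV2: %s\n", dlerror());` fixes all three. `parse_secitem` does not check `SECITEM_AllocItem` before `memset(secitem->data, ...)`, and `SECITEM_CopyItem(NULL, firstseed_out, &firstseed)` in pqg_ParamGen ignores failure, so a caller can see SECSuccess with an empty firstseed.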
@@ -0,0 +1,372 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574234615 -3600 +# Wed Nov 20 08:23:35 2019 +0100 +# Node ID f5cf5d16deb68e65b5dd4e799d9e8e3098400d62 +# Parent af7d3ee4e96cf685be0b95dff7aa5a1d3ab64a89 +[PATCH] 21 +From 4c27df62aa425745620f45710465b0264acacbb0 Mon Sep 17 00:00:00 2001 +--- + nss/cmd/fipstest/fipstest.c | 304 ++++++++++++++++++++++++++++++++++++ + nss/cmd/fipstest/kas.sh | 22 +++ + 2 files changed, 326 insertions(+) + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -9077,6 +9077,301 @@ out: + } + } + ++typedef struct ++{ ++ char param_name [2]; ++ ECParams *ecparams; ++ int hash_len; ++ HASH_HashType hash_type; ++} ++ParamSpec; ++ ++#define PARAM_SPECS_MAX 12 ++ ++static int ++find_free_param_spec (const ParamSpec *pspecs) ++{ ++ int i; ++ ++ for (i = 0; i < PARAM_SPECS_MAX; i++) ++ { ++ if (pspecs [i].param_name [0] == 0 ++ && pspecs [i].param_name [1] == 0) ++ return i; ++ } ++ ++ return 0; ++} ++ ++static int ++find_param_spec (const ParamSpec *pspecs, char *name) ++{ ++ int i; ++ ++ for (i = 0; i < PARAM_SPECS_MAX; i++) ++ { ++ if (pspecs [i].param_name [0] == name [0] ++ && pspecs [i].param_name [1] == name [1]) ++ return i; ++ } ++ ++ return 0; ++} ++ ++static void ++free_param_specs (ParamSpec *pspecs) ++{ ++ int i; ++ ++ for (i = 0; i < PARAM_SPECS_MAX; i++) ++ { ++ if (pspecs [i].ecparams) ++ PORT_FreeArena(pspecs [i].ecparams->arena, PR_FALSE); ++ } ++} ++ ++#define CURVE_NAME_MAX 64 ++ ++static ECParams * ++get_and_decode_nistp_params (int n) ++{ ++ char curve_name [CURVE_NAME_MAX]; ++ SECItem *encodedparams; ++ ECParams *ecparams = NULL; ++ ++ snprintf (curve_name, CURVE_NAME_MAX, "nistp%d", n); ++ ++ encodedparams = getECParams (curve_name); ++ if (!encodedparams) ++ return NULL; ++ ++ EC_DecodeParams (encodedparams, &ecparams); ++ SECITEM_FreeItem(encodedparams, PR_TRUE); ++ 
return ecparams; ++} ++ ++void ++kas_ecc_test(char *reqfn, int do_validity) ++{ ++ char buf[2048]; ++ FILE *req; /* input stream from the REQUEST file */ ++ FILE *resp; /* output stream to the RESPONSE file */ ++ ParamSpec pspecs [PARAM_SPECS_MAX]; ++ SECItem x_ephem_cavs; ++ SECItem y_ephem_cavs; ++ SECItem x_ephem_iut; ++ SECItem y_ephem_iut; ++ SECItem d_ephem_iut; ++ SECItem cavs_hash_zz; ++ SECItem publicValue; ++ int current_pspec_def = -1; ++ ++ req = fopen(reqfn, "r"); ++ resp = stdout; ++ memset(&pspecs, 0, sizeof (pspecs)); ++ memset(&x_ephem_cavs, 0, sizeof(x_ephem_cavs)); ++ memset(&y_ephem_cavs, 0, sizeof(y_ephem_cavs)); ++ memset(&x_ephem_iut, 0, sizeof(x_ephem_iut)); ++ memset(&y_ephem_iut, 0, sizeof(y_ephem_iut)); ++ memset(&d_ephem_iut, 0, sizeof(d_ephem_iut)); ++ memset(&cavs_hash_zz, 0, sizeof(cavs_hash_zz)); ++ memset(&publicValue, 0, sizeof(publicValue)); ++ ++ while (fgets(buf, sizeof buf, req) != NULL) { ++ /* [xx] or ++ * [xx - SHAxxx] or ++ * [SHA(s) supported (Used for hashing Z): SHAxxx] */ ++ if (buf[0] == '[') { ++ char tbuf [2]; ++ int num; ++ ++ if (strlen (buf) >= 4 && buf [3] == ']' ++ && sscanf(buf, "[%c%c]", &tbuf [0], &tbuf [1]) == 2) { ++ int i = current_pspec_def = find_free_param_spec (pspecs); ++ if (i < 0) ++ goto out; ++ ++ pspecs [i].param_name [0] = tbuf [0]; ++ pspecs [i].param_name [1] = tbuf [1]; ++ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ if (strlen (buf) >= 6 && buf [3] == ' ' && buf [4] == '-' ++ && sscanf(buf, "[%c%c - ", &tbuf [0], &tbuf [1]) == 2) { ++ current_pspec_def = find_param_spec (pspecs, tbuf); ++ if (current_pspec_def < 0) ++ goto out; ++ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ if (!strncmp(buf, "[Curve selected:", strlen ("[Curve selected:"))) { ++ char *p = buf + strlen ("[Curve selected:"); ++ p += strcspn (p, "0123456789"); ++ if (!*p) ++ goto out; ++ if (sscanf(p, "%d", &num) != 1) ++ goto out; ++ ++ if (current_pspec_def < 0) ++ goto out; ++ ++ pspecs [current_pspec_def].ecparams = 
get_and_decode_nistp_params (num); ++ if (!pspecs [current_pspec_def].ecparams) ++ goto out; ++ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ if (sscanf(buf, "[SHA(s) supported (Used for hashing Z): SHA%d", &num) == 1) { ++ if (current_pspec_def < 0) ++ goto out; ++ ++ pspecs [current_pspec_def].hash_len = num; ++ pspecs [current_pspec_def].hash_type = sha_get_hashType(num); ++ fputs(buf, resp); ++ continue; ++ } ++ ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("QeCAVSx", buf, &x_ephem_cavs)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("QeCAVSy", buf, &y_ephem_cavs)) { ++ fputs(buf, resp); ++ ++ if (!do_validity) { ++ SECItem ZZ; ++ unsigned char ZZ_hash_buf [1024]; ++ int field_len; ++ int len; ++ ECPrivateKey *privKey; ++ ++ field_len = (pspecs [current_pspec_def].ecparams->fieldID.size + 7) >> 3; ++ ++ if (EC_NewKey(pspecs [current_pspec_def].ecparams, &privKey) != SECSuccess) ++ goto out; ++ ++ len = privKey->publicValue.len; ++ if (len % 2 == 0) { ++ goto out; ++ } ++ len = (len - 1) / 2; ++ if (privKey->publicValue.data[0] != ++ EC_POINT_FORM_UNCOMPRESSED) { ++ goto out; ++ } ++ ++ to_hex_str(buf, &privKey->publicValue.data[1], len); ++ fprintf (resp, "QeIUTx = %s\n", buf); ++ to_hex_str(buf, &privKey->publicValue.data[1 + len], len); ++ fprintf (resp, "QeIUTy = %s\n", buf); ++ ++ SECITEM_AllocItem(NULL, &publicValue, 1 + 2 * field_len); ++ publicValue.len = 1 + 2 * field_len; ++ publicValue.data [0] = EC_POINT_FORM_UNCOMPRESSED; ++ memcpy (&publicValue.data [1], x_ephem_cavs.data + x_ephem_cavs.len - field_len, field_len); ++ memcpy (&publicValue.data [1 + field_len], y_ephem_cavs.data + y_ephem_cavs.len - field_len, field_len); ++ ++ if (ECDH_Derive (&publicValue, pspecs [current_pspec_def].ecparams, &privKey->privateValue, PR_TRUE, &ZZ) != SECSuccess) { ++ goto out; ++ } ++ ++ SECITEM_ZfreeItem(&publicValue, PR_FALSE); ++ publicValue.data = NULL; ++ ++ fips_hashBuf_zeropad(pspecs [current_pspec_def].hash_type, 
ZZ_hash_buf, ZZ.data, ZZ.len, len); ++ ++ to_hex_str(buf, ZZ_hash_buf, pspecs [current_pspec_def].hash_len / 8); ++ fprintf (resp, "HashZZ = %s\n", buf); ++ ++ PORT_FreeArena(privKey->ecParams.arena, PR_TRUE); ++ } ++ ++ continue; ++ } else if (parse_secitem ("deIUT", buf, &d_ephem_iut)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("QeIUTx", buf, &x_ephem_iut)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("QeIUTy", buf, &y_ephem_iut)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("CAVSHashZZ", buf, &cavs_hash_zz)) { ++ if (do_validity) { ++ SECItem ZZ; ++ unsigned char ZZ_hash_buf [1024]; ++ char Z_buf [1024]; ++ int field_len; ++ ++ field_len = (pspecs [current_pspec_def].ecparams->fieldID.size + 7) >> 3; ++ ++ SECITEM_AllocItem(NULL, &publicValue, 1 + 2 * field_len); ++ publicValue.len = 1 + 2 * field_len; ++ publicValue.data [0] = EC_POINT_FORM_UNCOMPRESSED; ++ memcpy (&publicValue.data [1], x_ephem_cavs.data + x_ephem_cavs.len - field_len, field_len); ++ memcpy (&publicValue.data [1 + field_len], y_ephem_cavs.data + y_ephem_cavs.len - field_len, field_len); ++ ++ if (ECDH_Derive (&publicValue, pspecs [current_pspec_def].ecparams, &d_ephem_iut, PR_TRUE, &ZZ) != SECSuccess) { ++ goto out; ++ } ++ ++ SECITEM_ZfreeItem(&publicValue, PR_FALSE); ++ publicValue.data = NULL; ++ ++ fputs(buf, resp); ++ ++ fips_hashBuf_zeropad(pspecs [current_pspec_def].hash_type, ZZ_hash_buf, ZZ.data, ZZ.len, field_len); ++ to_hex_str(Z_buf, ZZ_hash_buf, pspecs [current_pspec_def].hash_len / 8); ++ fprintf(resp, "IUTHashZZ = %s\n", Z_buf); ++ ++ fprintf(resp, "Result = %s\n", ++ (cavs_hash_zz.len == pspecs [current_pspec_def].hash_len / 8 ++ && memcmp (cavs_hash_zz.data, ZZ_hash_buf, pspecs [current_pspec_def].hash_len / 8) == 0) ? "P" : "F"); ++ } else { ++ fputs(buf, resp); ++ } ++ continue; ++ } else { ++ /* Comments, blank lines, ... 
*/ ++ fputs(buf, resp); ++ } ++ } ++ ++out: ++ fclose(req); ++ ++ if (d_ephem_iut.data) { ++ SECITEM_ZfreeItem(&d_ephem_iut, PR_FALSE); ++ } ++ if (x_ephem_iut.data) { ++ SECITEM_ZfreeItem(&x_ephem_iut, PR_FALSE); ++ } ++ if (y_ephem_iut.data) { ++ SECITEM_ZfreeItem(&y_ephem_iut, PR_FALSE); ++ } ++ if (x_ephem_cavs.data) { ++ SECITEM_ZfreeItem(&x_ephem_cavs, PR_FALSE); ++ } ++ if (y_ephem_cavs.data) { ++ SECITEM_ZfreeItem(&y_ephem_cavs, PR_FALSE); ++ } ++ if (cavs_hash_zz.data) { ++ SECITEM_ZfreeItem(&cavs_hash_zz, PR_FALSE); ++ } ++ if (publicValue.data) { ++ SECITEM_ZfreeItem(&publicValue, PR_FALSE); ++ } ++ ++ free_param_specs (pspecs); ++} ++ + int + main(int argc, char **argv) + { +@@ -9272,6 +9567,15 @@ main(int argc, char **argv) + } else { + kas_ffc_test(argv[3], PR_FALSE); + } ++ } else if (strcmp(argv[1], "kasecc") == 0) { ++ /***************/ ++ /* KAS ECC */ ++ /***************/ ++ if (strcmp(argv[2], "validity") == 0) { ++ kas_ecc_test(argv[3], PR_TRUE); ++ } else { ++ kas_ecc_test(argv[3], PR_FALSE); ++ } + } + return 0; + } +Index: nss/cmd/fipstest/kas.sh +=================================================================== +--- nss.orig/cmd/fipstest/kas.sh ++++ nss/cmd/fipstest/kas.sh +@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini + KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req + " + ++kas_requests_ecc_function=" ++KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req ++KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req ++" ++ ++kas_requests_ecc_validity=" ++KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req ++KASValidityTest_ECCEphemeralUnified_NOKC_ZZOnly_resp.req ++" ++ + if [ ${COMMAND} = "verify" ]; then + for request in $kas_requests; do + sh ./validate1.sh ${TESTDIR} $request +@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit + echo $request $response + fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response + done ++ ++for request in $kas_requests_ecc_function; do ++ response=`echo $request | 
sed -e "s/req/rsp/"` ++ echo $request $response ++ fipstest kasecc function ${REQDIR}/$request > ${RSPDIR}/$response ++done ++ ++for request in $kas_requests_ecc_validity; do ++ response=`echo $request | sed -e "s/req/rsp/"` ++ echo $request $response ++ fipstest kasecc validity ${REQDIR}/$request > ${RSPDIR}/$response ++done diff --git a/nss-fips-cavs-kas-ffc.patch b/nss-fips-cavs-kas-ffc.patch new file mode 100644 index 0000000..14f32bf --- /dev/null +++ b/nss-fips-cavs-kas-ffc.patch 
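Review bot: find_free_param_spec and find_param_spec return 0 when nothing matches, but every caller in kas_ecc_test tests `if (i < 0) goto out;`, so a full table or an unknown `[xx - SHAxxx]` header silently lands in slot 0 and its ecparams pointer is overwritten or reused; both helpers should end with `return -1;`. The derived secret `ZZ` is never released in either the function or the validity branch, so the shared secret stays in the heap until process exit; add `SECITEM_ZfreeItem(&ZZ, PR_FALSE);` after the HashZZ / IUTHashZZ output. The two memcpy calls index `x_ephem_cavs.data + x_ephem_cavs.len - field_len` (and the same for y) without checking that the parsed item is present and at least field_len bytes long, which reads before the buffer on a short or missing QeCAVSx/QeCAVSy line. `fopen(reqfn, "r")` is also not checked for NULL before fgets(); the same pattern appears in kas_ffc_test and keywrap in the next two patch files.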
@@ -0,0 +1,285 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574234297 -3600 +# Wed Nov 20 08:18:17 2019 +0100 +# Node ID af7d3ee4e96cf685be0b95dff7aa5a1d3ab64a89 +# Parent 5d6e015d1af40b5f5b990d0cf4d97932774c2a61 +[PATCH] 20 +From ac98082c3bc0c9f85213078b730980483062f25c Mon Sep 17 00:00:00 2001 +--- + nss/cmd/fipstest/fipstest.c | 194 ++++++++++++++++++++++++++++++++++++ + nss/cmd/fipstest/kas.sh | 47 +++++++++ + 2 files changed, 241 insertions(+) + create mode 100644 nss/cmd/fipstest/kas.sh + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne + return rv; + } + ++SECStatus ++fips_hashBuf_zeropad(HASH_HashType type, unsigned char *hashBuf, ++ unsigned char *msg, int len, int pad_to_len) ++{ ++ unsigned char buf [8192]; ++ ++ if (pad_to_len > 8192) ++ { ++ fprintf (stderr, "Internal buffer too small.\n"); ++ exit (1); ++ } ++ ++ if (len > pad_to_len) ++ { ++ fprintf (stderr, "Value to hash exceeds maximum length.\n"); ++ exit (1); ++ } ++ ++ memset (buf, 0, pad_to_len - len); ++ memcpy (buf + (pad_to_len - len), msg, len); ++ return fips_hashBuf (type, hashBuf, buf, pad_to_len); ++} ++ + int + fips_hashLen(HASH_HashType type) + { +@@ -8892,6 +8915,168 @@ out: + } + } + ++static int ++parse_secitem (const char *name, const char *buf, SECItem *secitem) ++{ ++ if (!strncmp (buf, name, strlen (name))) { ++ int i, j, len; ++ ++ i = strlen (name); ++ while (isspace(buf[i]) || buf[i] == '=') { ++ i++; ++ } ++ ++ len = strspn (&buf[i], "0123456789abcdefABCDEF"); ++ if (!len) ++ return 0; ++ ++ if (secitem->data) { ++ SECITEM_ZfreeItem(secitem, PR_FALSE); ++ secitem->data = NULL; ++ } ++ ++ len = (len + 1) / 2; ++ SECITEM_AllocItem(NULL, secitem, len); ++ secitem->len = len; ++ ++ memset(secitem->data, 0, secitem->len); ++ for (j = 0; j < secitem->len; i += 2, j++) { ++ 
hex_to_byteval(&buf[i], &secitem->data[j]); ++ } ++ ++ return 1; ++ } ++ ++ return 0; ++} ++ ++void ++kas_ffc_test(char *reqfn, int do_validity) ++{ ++ char buf[1024]; ++ FILE *req; /* input stream from the REQUEST file */ ++ FILE *resp; /* output stream to the RESPONSE file */ ++ PQGParams keyParams; ++ HASH_HashType hashType = HASH_AlgNULL; ++ int hashNum = 0; ++ SECItem y_ephem_cavs; ++ SECItem x_ephem_iut; ++ SECItem y_ephem_iut; ++ SECItem cavs_hash_zz; ++ ++ req = fopen(reqfn, "r"); ++ resp = stdout; ++ memset(&keyParams, 0, sizeof(keyParams)); ++ memset(&y_ephem_cavs, 0, sizeof(y_ephem_cavs)); ++ memset(&x_ephem_iut, 0, sizeof(x_ephem_iut)); ++ memset(&y_ephem_iut, 0, sizeof(y_ephem_iut)); ++ memset(&cavs_hash_zz, 0, sizeof(cavs_hash_zz)); ++ ++ while (fgets(buf, sizeof buf, req) != NULL) { ++ /* [xx] or ++ * [xx - SHAxxx] or ++ * [SHA(s) supported (Used for hashing Z): SHAxxx] */ ++ if (buf[0] == '[') { ++ unsigned char tbuf [2]; ++ ++ if (sscanf(buf, "[%c%c - SHA%d]", &tbuf [0], &tbuf [1], ++ &hashNum) != 3) { ++ fputs(buf, resp); ++ continue; ++ } ++ ++ fputs(buf, resp); ++ ++ hashType = sha_get_hashType(hashNum); ++ if (hashType == HASH_AlgNULL) { ++ fprintf(resp, "ERROR: invalid hash (SHA-%d)", hashNum); ++ goto out; ++ } ++ ++ continue; ++ } else if (parse_secitem ("YephemCAVS", buf, &y_ephem_cavs)) { ++ fputs(buf, resp); ++ ++ if (!do_validity) { ++ SECItem ZZ; ++ unsigned char ZZ_hash_buf [1024]; ++ DHParams dh_params; ++ DHPrivateKey *dh_privKey; ++ ++ dh_params.prime = keyParams.prime; ++ dh_params.base = keyParams.base; ++ ++ DH_NewKey (&dh_params, &dh_privKey); ++ DH_Derive(&y_ephem_cavs, &keyParams.prime, &dh_privKey->privateValue, &ZZ, 0); ++ ++ fips_hashBuf_zeropad(hashType, ZZ_hash_buf, ZZ.data, ZZ.len, keyParams.prime.len); ++ ++ to_hex_str(buf, dh_privKey->publicValue.data, dh_privKey->publicValue.len); ++ fprintf(resp, "YephemIUT = %s\n", buf); ++ ++ to_hex_str(buf, ZZ_hash_buf, hashNum / 8); ++ fprintf(resp, "HashZZ = %s\n", buf); ++ ++ 
PORT_FreeArena(dh_privKey->arena, PR_TRUE); ++ } ++ ++ continue; ++ } else if (parse_secitem ("XephemIUT", buf, &x_ephem_iut)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("YephemIUT", buf, &y_ephem_iut)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("CAVSHashZZ", buf, &cavs_hash_zz)) { ++ if (do_validity) { ++ SECItem ZZ; ++ unsigned char ZZ_hash_buf [1024]; ++ char Z_buf [1024]; ++ ++ DH_Derive(&y_ephem_cavs, &keyParams.prime, &x_ephem_iut, &ZZ, 0); ++ ++ fputs(buf, resp); ++ ++ to_hex_str(Z_buf, ZZ.data, ZZ.len); ++ ++ fips_hashBuf_zeropad(hashType, ZZ_hash_buf, ZZ.data, ZZ.len, keyParams.prime.len); ++ to_hex_str(Z_buf, ZZ_hash_buf, hashNum / 8); ++ fprintf(resp, "IUTHashZZ = %s\n", Z_buf); ++ ++ fprintf(resp, "Result = %s\n", ++ (cavs_hash_zz.len == hashNum / 8 && memcmp (cavs_hash_zz.data, ZZ_hash_buf, hashNum / 8) == 0) ? "P" : "F"); ++ } else { ++ fputs(buf, resp); ++ } ++ continue; ++ } else if (parse_secitem ("P", buf, &keyParams.prime)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("Q", buf, &keyParams.subPrime)) { ++ fputs(buf, resp); ++ continue; ++ } else if (parse_secitem ("G", buf, &keyParams.base)) { ++ fputs(buf, resp); ++ continue; ++ } else { ++ /* Comments, blank lines, ... 
*/ ++ fputs(buf, resp); ++ } ++ } ++ ++out: ++ fclose(req); ++ if (keyParams.prime.data) { /* P */ ++ SECITEM_ZfreeItem(&keyParams.prime, PR_FALSE); ++ } ++ if (keyParams.subPrime.data) { /* Q */ ++ SECITEM_ZfreeItem(&keyParams.subPrime, PR_FALSE); ++ } ++ if (keyParams.base.data) { /* G */ ++ SECITEM_ZfreeItem(&keyParams.base, PR_FALSE); ++ } ++} ++ + int + main(int argc, char **argv) + { +@@ -9078,6 +9263,15 @@ main(int argc, char **argv) + /* AES Keywrap */ + /***************/ + keywrap(argv[2]); ++ } else if (strcmp(argv[1], "kasffc") == 0) { ++ /***************/ ++ /* KAS FFC */ ++ /***************/ ++ if (strcmp(argv[2], "validity") == 0) { ++ kas_ffc_test(argv[3], PR_TRUE); ++ } else { ++ kas_ffc_test(argv[3], PR_FALSE); ++ } + } + return 0; + } +Index: nss/cmd/fipstest/kas.sh +=================================================================== +--- /dev/null ++++ nss/cmd/fipstest/kas.sh +@@ -0,0 +1,47 @@ ++#!/bin/sh ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# A Bourne shell script for running the NIST RNG Validation Suite ++# ++# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment ++# variables appropriately so that the fipstest command and the NSPR and NSS ++# shared libraries/DLLs are on the search path. Then run this script in the ++# directory where the REQUEST (.req) files reside. The script generates the ++# RESPONSE (.rsp) files in the same directory. 
++BASEDIR=${1-.} ++TESTDIR=${BASEDIR}/KAS ++COMMAND=${2-run} ++REQDIR=${TESTDIR}/req ++RSPDIR=${TESTDIR}/resp ++ ++kas_requests_ffc_function=" ++KASFunctionTest_FFCEphem_NOKC_ZZOnly_init.req ++KASFunctionTest_FFCEphem_NOKC_ZZOnly_resp.req ++" ++ ++kas_requests_ffc_validity=" ++KASValidityTest_FFCEphem_NOKC_ZZOnly_init.req ++KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req ++" ++ ++if [ ${COMMAND} = "verify" ]; then ++ for request in $kas_requests; do ++ sh ./validate1.sh ${TESTDIR} $request ++ done ++ exit 0 ++fi ++ ++for request in $kas_requests_ffc_function; do ++ response=`echo $request | sed -e "s/req/rsp/"` ++ echo $request $response ++ fipstest kasffc function ${REQDIR}/$request > ${RSPDIR}/$response ++done ++ ++for request in $kas_requests_ffc_validity; do ++ response=`echo $request | sed -e "s/req/rsp/"` ++ echo $request $response ++ fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response ++done diff --git a/nss-fips-cavs-keywrap.patch b/nss-fips-cavs-keywrap.patch new file mode 100644 index 0000000..b1bb0ce --- /dev/null +++ b/nss-fips-cavs-keywrap.patch 
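Review bot: In kas_ffc_test the return values of DH_NewKey and DH_Derive are ignored, so a failed derivation (for example a missing P line, which leaves keyParams.prime empty) goes on to hash and print an uninitialised `ZZ`; check both, e.g. `if (DH_Derive(&y_ephem_cavs, &keyParams.prime, &dh_privKey->privateValue, &ZZ, 0) != SECSuccess) goto out;`. As in the ECC test, `ZZ` is never zeroised or freed after hashing, so add `SECITEM_ZfreeItem(&ZZ, PR_FALSE);` in both branches. In parse_secitem the SECITEM_AllocItem result is unchecked, and an odd hex digit count makes the last hex_to_byteval call read one non-hex character past the value. In kas.sh the `verify` branch iterates over `$kas_requests`, which is never defined here (only kas_requests_ffc_function and kas_requests_ffc_validity are), so verification silently does nothing; the header comment also still says "RNG Validation Suite".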
@@ -0,0 +1,237 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574234023 -3600 +# Wed Nov 20 08:13:43 2019 +0100 +# Node ID 5d6e015d1af40b5f5b990d0cf4d97932774c2a61 +# Parent 2f570c6952d8edfc1ad9061cd3830f202eec1960 +[PATCH 1/2] 19 +From f4cbaf95fcf2519029bb3c4407b2f15aa27c94c1 Mon Sep 17 00:00:00 2001 +--- + nss/cmd/fipstest/fipstest.c | 160 ++++++++++++++++++++++++++++++++++++ + nss/cmd/fipstest/keywrap.sh | 40 +++++++++ + 2 files changed, 200 insertions(+) + create mode 100644 nss/cmd/fipstest/keywrap.sh + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -8737,6 +8737,161 @@ done: + return; + } + ++void ++keywrap (char *reqfn) ++{ ++ char buf[1024]; ++ FILE *req; /* input stream from the REQUEST file */ ++ FILE *resp; /* output stream to the RESPONSE file */ ++ int i, j; ++ AESKeyWrapContext *ctx = NULL; ++ unsigned char key_data [1024]; ++ int key_data_len = 0; ++ ++ req = fopen(reqfn, "r"); ++ resp = stdout; ++ ++ while (fgets(buf, sizeof buf, req) != NULL) { ++ /* K = ... */ ++ if (buf[0] == 'K') { ++ /* Skip to value */ ++ for (i = 1; isspace(buf[i]) || buf[i] == '='; i++) ++ ; ++ ++ if (i == 1) { ++ /* Unknown variable starting with 'K' */ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ for (j = 0; isxdigit(buf[i]) && j < sizeof key_data; i += 2, j++) { ++ hex_to_byteval(&buf[i], &key_data[j]); ++ } ++ ++ key_data_len = j; ++ ++ fputs(buf, resp); ++ continue; ++ } ++ /* C = ... */ ++ /* This means we're doing decryption */ ++ /* Make sure we don't pick up COUNT = ... 
here */ ++ else if (buf[0] == 'C' && (isspace (buf[1]) || buf[1] == '=')) { ++ unsigned char data_in [1024]; ++ unsigned char data_out [1024]; ++ unsigned int data_in_len, data_out_len; ++ ++ if (key_data_len <= 0) { ++ fprintf(resp, "ERROR: No key specified\n"); ++ goto out; ++ } ++ ++ /* Skip to value */ ++ for (i = 1; isspace(buf[i]) || buf[i] == '='; i++) ++ ; ++ ++ if (i == 1) { ++ /* Unknown variable starting with 'C' */ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ fputs(buf, resp); ++ ++ for (j = 0; isxdigit(buf[i]) && j < sizeof data_in; i += 2, j++) { ++ hex_to_byteval(&buf[i], &data_in[j]); ++ } ++ ++ data_in_len = j; ++ ++ if (ctx) { ++ AESKeyWrap_DestroyContext (ctx, PR_TRUE); ++ ctx = NULL; ++ } ++ ++ ctx = AESKeyWrap_CreateContext(key_data, NULL, PR_FALSE, key_data_len); ++ if (!ctx) { ++ fprintf(resp, "ERROR: Unable to create context\n"); ++ goto out; ++ } ++ ++ if (AESKeyWrap_Decrypt(ctx, data_out, &data_out_len, 1024, data_in, data_in_len) ++ != SECSuccess) { ++ fprintf(resp, "FAIL\n"); ++ continue; ++ } ++ ++ fputs("P = ", resp); ++ to_hex_str(buf, data_out, data_out_len); ++ fputs(buf, resp); ++ fputc('\n', resp); ++ } ++ /* P = ... 
*/ ++ /* This means we're doing encryption */ ++ else if (buf[0] == 'P') { ++ unsigned char data_in [1024]; ++ unsigned char data_out [1024]; ++ unsigned int data_in_len, data_out_len; ++ ++ if (key_data_len <= 0) { ++ fprintf(resp, "ERROR: No key specified\n"); ++ goto out; ++ } ++ ++ /* Skip to value */ ++ for (i = 1; isspace(buf[i]) || buf[i] == '='; i++) ++ ; ++ ++ if (i == 1) { ++ /* Unknown variable starting with 'P' */ ++ fputs(buf, resp); ++ continue; ++ } ++ ++ fputs(buf, resp); ++ ++ for (j = 0; isxdigit(buf[i]) && j < sizeof data_in; i += 2, j++) { ++ hex_to_byteval(&buf[i], &data_in[j]); ++ } ++ ++ data_in_len = j; ++ ++ if (ctx) { ++ AESKeyWrap_DestroyContext (ctx, PR_TRUE); ++ ctx = NULL; ++ } ++ ++ ctx = AESKeyWrap_CreateContext(key_data, NULL, PR_TRUE, key_data_len); ++ if (!ctx) { ++ fprintf(resp, "ERROR: Unable to create context\n"); ++ goto out; ++ } ++ ++ if (AESKeyWrap_Encrypt(ctx, data_out, &data_out_len, 1024, data_in, data_in_len) ++ != SECSuccess) { ++ fprintf(resp, "FAIL\n"); ++ continue; ++ } ++ ++ fputs("C = ", resp); ++ to_hex_str(buf, data_out, data_out_len); ++ fputs(buf, resp); ++ fputc('\n', resp); ++ } ++ /* Comments, blank lines, ... */ ++ else { ++ fputs(buf, resp); ++ continue; ++ } ++ } ++ ++out: ++ fclose(req); ++ if (ctx) { ++ AESKeyWrap_DestroyContext (ctx, PR_TRUE); ++ } ++} ++ + int + main(int argc, char **argv) + { +@@ -8918,6 +9073,11 @@ main(int argc, char **argv) + ikev2(argv[2]); + } else if (strcmp(argv[1], "kbkdf") == 0) { + kbkdf(argv[2]); ++ } else if (strcmp(argv[1], "keywrap") == 0) { ++ /***************/ ++ /* AES Keywrap */ ++ /***************/ ++ keywrap(argv[2]); + } + return 0; + } +Index: nss/cmd/fipstest/keywrap.sh +=================================================================== +--- /dev/null ++++ nss/cmd/fipstest/keywrap.sh +@@ -0,0 +1,40 @@ ++#!/bin/sh ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. 
If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# A Bourne shell script for running the NIST AES keywrap Algorithm Validation Suite ++# ++# Before you run the script, set your PATH, LD_LIBRARY_PATH, ... environment ++# variables appropriately so that the fipstest command and the NSPR and NSS ++# shared libraries/DLLs are on the search path. Then run this script in the ++# directory where the REQUEST (.req) files reside. The script generates the ++# RESPONSE (.rsp) files in the same directory. ++BASEDIR=${1-.} ++TESTDIR=${BASEDIR}/KeyWrap38F ++COMMAND=${2-run} ++REQDIR=${TESTDIR}/req ++RSPDIR=${TESTDIR}/resp ++ ++keywrap_requests=" ++KW_AD_128.req ++KW_AD_192.req ++KW_AD_256.req ++KW_AE_128.req ++KW_AE_192.req ++KW_AE_256.req ++" ++ ++if [ ${COMMAND} = "verify" ]; then ++ for request in $keywrap_requests; do ++ sh ./validate1.sh ${TESTDIR} $request ++ done ++ exit 0 ++fi ++ ++for request in $keywrap_requests; do ++ response=`echo $request | sed -e "s/req/rsp/"` ++ echo $request $response ++ fipstest keywrap ${REQDIR}/$request > ${RSPDIR}/$response ++done diff --git a/nss-fips-cavs-rsa-fixes.patch b/nss-fips-cavs-rsa-fixes.patch new file mode 100644 index 0000000..d065b77 --- /dev/null +++ b/nss-fips-cavs-rsa-fixes.patch 
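Review bot: In keywrap the output-buffer size passed to AESKeyWrap_Decrypt and AESKeyWrap_Encrypt is the literal `1024`, which only matches data_out by coincidence; use `sizeof data_out` in both calls so the bound follows the declaration. The hex loops call `isxdigit(buf[i])` on a plain char, which is undefined for negative values where char is signed; use `isxdigit((unsigned char)buf[i])`. key_data_len is not validated against the AES key sizes before AESKeyWrap_CreateContext; presumably the library rejects other lengths, but an explicit check would turn a silent "Unable to create context" into a clear diagnostic of a malformed K line.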
@@ -0,0 +1,33 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574237297 -3600 +# Wed Nov 20 09:08:17 2019 +0100 +# Node ID 3f4d682c9a1e8b3d939c744ee249e23179db5191 +# Parent 0e904e6179d1db21965df2c405c80c3fc0258658 +[PATCH] 25 +From 9b4636ad75add2ac09ce1844b3071785d563c275 Mon Sep 17 00:00:00 2001 +--- + nss/cmd/fipstest/fipstest.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn) + /* Output the signature */ + fputs(buf, rsaresp); + to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed); +- fprintf(rsaresp, "S = %s\n", buf); ++ fprintf(rsaresp, "S = %s\n\n", buf); + + /* Perform RSA verification with the RSA public key. */ + rv = RSA_HashCheckSign(shaOid, +@@ -9521,6 +9521,7 @@ main(int argc, char **argv) + init_functions(); + RNG_RNGInit(); + SECOID_Init(); ++ BL_Init(); + + /*************/ + /* TDEA */ diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch new file mode 100644 index 0000000..d78226b --- /dev/null +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch 
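Review bot: The added `BL_Init();` in main discards its SECStatus, so a freebl initialisation failure would only show up later as confusing per-vector errors; `if (BL_Init() != SECSuccess) { fprintf(stderr, "BL_Init failed\n"); return 1; }` makes it visible at startup. The neighbouring RNG_RNGInit and SECOID_Init calls are unchecked as well, but those are pre-existing. The `\n\n` change in rsa_siggen_test only affects response formatting.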
@@ -0,0 +1,348 @@ +From 7f3606a84f6c62b002246ee73121279e59f83437 Mon Sep 17 00:00:00 2001 +From: Hans Petter Jansson +Date: Thu, 28 May 2020 22:44:22 +0200 +Subject: [PATCH] CKM_(EC)DSA_SHAxxx mechs: Add some missing pieces. + +This includes pairwise consistency checks and entry points for +power-on self tests. +--- + cmd/lib/pk11table.c | 8 ++ + lib/pk11wrap/pk11mech.c | 8 ++ + lib/softoken/pkcs11c.c | 213 +++++++++++++++++++++++++++------------- + lib/softoken/softoken.h | 10 ++ + 4 files changed, 169 insertions(+), 70 deletions(-) + +Index: nss/cmd/lib/pk11table.c +=================================================================== +--- nss.orig/cmd/lib/pk11table.c ++++ nss/cmd/lib/pk11table.c +@@ -273,6 +273,10 @@ const Constant _consts[] = { + mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_DSA, Mechanism), + mkEntry(CKM_DSA_SHA1, Mechanism), ++ mkEntry(CKM_DSA_SHA224, Mechanism), ++ mkEntry(CKM_DSA_SHA256, Mechanism), ++ mkEntry(CKM_DSA_SHA384, Mechanism), ++ mkEntry(CKM_DSA_SHA512, Mechanism), + mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_DH_PKCS_DERIVE, Mechanism), + mkEntry(CKM_X9_42_DH_DERIVE, Mechanism), +@@ -438,6 +442,10 @@ const Constant _consts[] = { + mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism), + mkEntry(CKM_ECDSA, Mechanism), + mkEntry(CKM_ECDSA_SHA1, Mechanism), ++ mkEntry(CKM_ECDSA_SHA224, Mechanism), ++ mkEntry(CKM_ECDSA_SHA256, Mechanism), ++ mkEntry(CKM_ECDSA_SHA384, Mechanism), ++ mkEntry(CKM_ECDSA_SHA512, Mechanism), + mkEntry(CKM_ECDH1_DERIVE, Mechanism), + mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism), + mkEntry(CKM_ECMQV_DERIVE, Mechanism), +Index: nss/lib/pk11wrap/pk11mech.c +=================================================================== +--- nss.orig/lib/pk11wrap/pk11mech.c ++++ nss/lib/pk11wrap/pk11mech.c +@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, + return CKK_RSA; + case CKM_DSA: + case CKM_DSA_SHA1: ++ case CKM_DSA_SHA224: ++ case CKM_DSA_SHA256: ++ case CKM_DSA_SHA384: ++ case 
CKM_DSA_SHA512: + case CKM_DSA_KEY_PAIR_GEN: + return CKK_DSA; + case CKM_DH_PKCS_DERIVE: +@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, + return CKK_KEA; + case CKM_ECDSA: + case CKM_ECDSA_SHA1: ++ case CKM_ECDSA_SHA224: ++ case CKM_ECDSA_SHA256: ++ case CKM_ECDSA_SHA384: ++ case CKM_ECDSA_SHA512: + case CKM_EC_KEY_PAIR_GEN: /* aka CKM_ECDSA_KEY_PAIR_GEN */ + case CKM_ECDH1_DERIVE: + return CKK_EC; /* CKK_ECDSA is deprecated */ +Index: nss/lib/softoken/pkcs11c.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11c.c ++++ nss/lib/softoken/pkcs11c.c +@@ -2653,7 +2653,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig + static SECStatus + nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, + unsigned int *sigLen, unsigned int maxSigLen, +- void *dataBuf, unsigned int dataLen) ++ const void *dataBuf, unsigned int dataLen) + { + SECItem signature, digest; + SECStatus rv; +@@ -2671,6 +2671,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu + return rv; + } + ++SECStatus ++DSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, ++ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, ++ const unsigned char *hash, unsigned int hashLen) ++{ ++ SECStatus rv; ++ ++ rv = nsc_DSA_Sign_Stub(key, sig, sigLen, maxLen, hash, hashLen); ++ ++ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { ++ sftk_fatalError = PR_TRUE; ++ } ++ ++ return rv; ++} ++ + static SECStatus + nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, + void *dataBuf, unsigned int dataLen) +@@ -2688,7 +2704,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig + static SECStatus + nsc_ECDSASignStub(void *ctx, void *sigBuf, + unsigned int *sigLen, unsigned int maxSigLen, +- void *dataBuf, unsigned int dataLen) ++ const void *dataBuf, unsigned int dataLen) + { + SECItem signature, digest; + SECStatus rv; +@@ -2706,6 +2722,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu + return rv; + } + ++SECStatus ++ECDSA_HashSign(SECOidTag 
hashOid, NSSLOWKEYPrivateKey *key, ++ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, ++ const unsigned char *hash, unsigned int hashLen) ++{ ++ SECStatus rv; ++ ++ rv = nsc_ECDSASignStub(key, sig, sigLen, maxLen, hash, hashLen); ++ ++ if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) { ++ sftk_fatalError = PR_TRUE; ++ } ++ ++ return rv; ++} ++ + /* NSC_SignInit setups up the signing operations. There are three basic + * types of signing: + * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied +@@ -3575,6 +3607,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio + info->hashOid = SEC_OID_##mmm; \ + goto finish_rsa; + ++#define INIT_DSA_VFY_MECH(mmm) \ ++ case CKM_DSA_##mmm: \ ++ context->multi = PR_TRUE; \ ++ crv = sftk_doSub##mmm(context); \ ++ if (crv != CKR_OK) \ ++ break; \ ++ goto finish_dsa; ++ ++#define INIT_ECDSA_VFY_MECH(mmm) \ ++ case CKM_ECDSA_##mmm: \ ++ context->multi = PR_TRUE; \ ++ crv = sftk_doSub##mmm(context); \ ++ if (crv != CKR_OK) \ ++ break; \ ++ goto finish_ecdsa; ++ + switch (pMechanism->mechanism) { + INIT_RSA_VFY_MECH(MD5) + INIT_RSA_VFY_MECH(MD2) +@@ -4807,6 +4855,73 @@ loser: + #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ + #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ + ++static CK_RV ++pairwise_signverify_mech (CK_SESSION_HANDLE hSession, ++ SFTKObject *publicKey, SFTKObject *privateKey, ++ CK_MECHANISM mech, ++ CK_ULONG signature_length, ++ CK_ULONG pairwise_digest_length) ++{ ++ /* Variables used for Signature/Verification functions. */ ++ /* Must be at least 256 bits for DSA2 digest */ ++ unsigned char *known_digest = (unsigned char *)"Mozilla Rules the World through NSS!"; ++ unsigned char *signature; ++ CK_RV crv; ++ ++ /* Allocate space for signature data. */ ++ signature = (unsigned char *)PORT_ZAlloc(signature_length); ++ if (signature == NULL) { ++ return CKR_HOST_MEMORY; ++ } ++ ++ /* Sign the known hash using the private key. 
*/ ++ crv = NSC_SignInit(hSession, &mech, privateKey->handle); ++ if (crv != CKR_OK) { ++ PORT_Free(signature); ++ return crv; ++ } ++ ++ crv = NSC_Sign(hSession, ++ known_digest, ++ pairwise_digest_length, ++ signature, ++ &signature_length); ++ if (crv != CKR_OK) { ++ PORT_Free(signature); ++ return crv; ++ } ++ ++ /* detect trivial signing transforms */ ++ if ((signature_length >= pairwise_digest_length) && ++ (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { ++ PORT_Free(signature); ++ return CKR_DEVICE_ERROR; ++ } ++ ++ /* Verify the known hash using the public key. */ ++ crv = NSC_VerifyInit(hSession, &mech, publicKey->handle); ++ if (crv != CKR_OK) { ++ PORT_Free(signature); ++ return crv; ++ } ++ ++ crv = NSC_Verify(hSession, ++ known_digest, ++ pairwise_digest_length, ++ signature, ++ signature_length); ++ ++ /* Free signature data. */ ++ PORT_Free(signature); ++ ++ if ((crv == CKR_SIGNATURE_LEN_RANGE) || ++ (crv == CKR_SIGNATURE_INVALID)) { ++ return CKR_GENERAL_ERROR; ++ } ++ ++ return crv; ++} ++ + /* + * FIPS 140-2 pairwise consistency check utilized to validate key pair. + * +@@ -4860,8 +4975,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + + /* Variables used for Signature/Verification functions. */ + /* Must be at least 256 bits for DSA2 digest */ +- unsigned char *known_digest = (unsigned char *)"Mozilla Rules the World through NSS!"; +- unsigned char *signature; + CK_ULONG signature_length; + + if (keyType == CKK_RSA) { +@@ -5015,76 +5128,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + } + } + ++#define SIGNVERIFY_CHECK_MECH(vfymech) \ ++ mech.mechanism = vfymech; \ ++ crv = pairwise_signverify_mech (hSession, publicKey, privateKey, \ ++ mech, signature_length, pairwise_digest_length); \ ++ if (crv != CKR_OK) \ ++ return crv; ++ + if (canSignVerify) { +- /* Determine length of signature. 
*/ + switch (keyType) { + case CKK_RSA: + signature_length = modulusLen; +- mech.mechanism = CKM_RSA_PKCS; ++ SIGNVERIFY_CHECK_MECH(CKM_SHA224_RSA_PKCS) + break; + case CKK_DSA: + signature_length = DSA_MAX_SIGNATURE_LEN; + pairwise_digest_length = subPrimeLen; +- mech.mechanism = CKM_DSA; ++ SIGNVERIFY_CHECK_MECH(CKM_DSA_SHA224) + break; + case CKK_EC: + signature_length = MAX_ECKEY_LEN * 2; +- mech.mechanism = CKM_ECDSA; ++ SIGNVERIFY_CHECK_MECH(CKM_ECDSA_SHA224) + break; + default: + return CKR_DEVICE_ERROR; + } + +- /* Allocate space for signature data. */ +- signature = (unsigned char *)PORT_ZAlloc(signature_length); +- if (signature == NULL) { +- return CKR_HOST_MEMORY; +- } +- +- /* Sign the known hash using the private key. */ +- crv = NSC_SignInit(hSession, &mech, privateKey->handle); +- if (crv != CKR_OK) { +- PORT_Free(signature); +- return crv; +- } +- +- crv = NSC_Sign(hSession, +- known_digest, +- pairwise_digest_length, +- signature, +- &signature_length); +- if (crv != CKR_OK) { +- PORT_Free(signature); +- return crv; +- } +- +- /* detect trivial signing transforms */ +- if ((signature_length >= pairwise_digest_length) && +- (PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) { +- PORT_Free(signature); +- return CKR_DEVICE_ERROR; +- } +- +- /* Verify the known hash using the public key. */ +- crv = NSC_VerifyInit(hSession, &mech, publicKey->handle); +- if (crv != CKR_OK) { +- PORT_Free(signature); +- return crv; +- } +- +- crv = NSC_Verify(hSession, +- known_digest, +- pairwise_digest_length, +- signature, +- signature_length); +- +- /* Free signature data. 
*/ +- PORT_Free(signature); +- +- if ((crv == CKR_SIGNATURE_LEN_RANGE) || +- (crv == CKR_SIGNATURE_INVALID)) { +- return CKR_GENERAL_ERROR; +- } + if (crv != CKR_OK) { + return crv; + } +Index: nss/lib/softoken/softoken.h +=================================================================== +--- nss.orig/lib/softoken/softoken.h ++++ nss/lib/softoken/softoken.h +@@ -35,6 +35,16 @@ RSA_HashCheckSign(SECOidTag hashOid, NSS + const unsigned char *sig, unsigned int sigLen, + const unsigned char *hash, unsigned int hashLen); + ++extern SECStatus ++DSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, ++ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, ++ const unsigned char *hash, unsigned int hashLen); ++ ++extern SECStatus ++ECDSA_HashSign(SECOidTag hashOid, NSSLOWKEYPrivateKey *key, ++ unsigned char *sig, unsigned int *sigLen, unsigned int maxLen, ++ const unsigned char *hash, unsigned int hashLen); ++ + /* + ** Prepare a buffer for padded CBC encryption, growing to the appropriate + ** boundary, filling with the appropriate padding. diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch new file mode 100644 index 0000000..ef90750 --- /dev/null +++ b/nss-fips-constructor-self-tests.patch 
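Review bot: After the `switch (keyType)` the surviving `if (crv != CKR_OK) { return crv; }` is dead code: every case now expands `SIGNVERIFY_CHECK_MECH`, which already returns on any value other than `CKR_OK`, and the `default` case returns `CKR_DEVICE_ERROR`, so `crv` can only be `CKR_OK` when that line is reached; drop it. `SIGNVERIFY_CHECK_MECH` is a multi-statement macro expanded as a bare statement inside `case` labels, so wrap its body in `do { ... } while (0)` to keep it safe under an unbraced `if`. The enclosing function `sftk_PairwiseConsistencyCheck` starts and ends outside the hunk.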
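Review bot: `DSA_HashSign` and `ECDSA_HashSign` are declared without any comment describing their contract. The wrapper visible earlier in this patch (its name is cut off, but its parameter list matches `ECDSA_HashSign`) forwards to `nsc_ECDSASignStub` without passing `hashOid` and sets `sftk_fatalError` when the stub fails with `SEC_ERROR_LIBRARY_FAILURE`; if the DSA wrapper behaves the same, record that here, e.g. `/* Sign a precomputed hash with the softoken DSA/ECDSA stubs. hashOid mirrors RSA_HashCheckSign and, at least for ECDSA, is not used to select the hash. A SEC_ERROR_LIBRARY_FAILURE from the stub marks the token fatal (sftk_fatalError). */`.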
@@ -0,0 +1,1682 @@ +commit d4f90dd0c5e15cfd9db416207d067cc3968b3a0c +Author: Hans Petter Jansson +Date: Sun Mar 15 21:54:30 2020 +0100 + + Patch 23: nss-fips-constructor-self-tests.patch + +Index: nss/cmd/chktest/chktest.c +=================================================================== +--- nss.orig/cmd/chktest/chktest.c ++++ nss/cmd/chktest/chktest.c +@@ -38,7 +38,7 @@ main(int argc, char **argv) + } + RNG_SystemInfoForRNG(); + +- good_result = BLAPI_SHVerifyFile(argv[1]); ++ good_result = BLAPI_SHVerifyFile(argv[1], NULL); + printf("%s\n", + (good_result ? "SUCCESS" : "FAILURE")); + return (good_result) ? SECSuccess : SECFailure; +Index: nss/cmd/shlibsign/shlibsign.c +=================================================================== +--- nss.orig/cmd/shlibsign/shlibsign.c ++++ nss/cmd/shlibsign/shlibsign.c +@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct + return crv; + } + +- if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) { +- keySize = 2048; +- } else { +- keySize = 1024; ++ if (keySize == 0) { ++ if (mechInfo.ulMaxKeySize >= 2048) { ++ keySize = 2048; ++ } else { ++ keySize = 1024; ++ } + } + } + +Index: nss/lib/freebl/blapi.h +=================================================================== +--- nss.orig/lib/freebl/blapi.h ++++ nss/lib/freebl/blapi.h +@@ -1759,17 +1759,17 @@ extern void BL_Unload(void); + /************************************************************************** + * Verify a given Shared library signature * + **************************************************************************/ +-PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr); ++PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr, int *err); + + /************************************************************************** + * Verify a given filename's signature * + **************************************************************************/ +-PRBool BLAPI_SHVerifyFile(const char *shName); ++PRBool BLAPI_SHVerifyFile(const char *shName, int *err); 
+ + /************************************************************************** + * Verify Are Own Shared library signature * + **************************************************************************/ +-PRBool BLAPI_VerifySelf(const char *name); ++PRBool BLAPI_VerifySelf(const char *name, int *err); + + /*********************************************************************/ + extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); +@@ -1791,6 +1791,9 @@ extern SECStatus EC_CopyParams(PLArenaPo + */ + extern int EC_GetPointSize(const ECParams *params); + ++/* Unconditionally run the integrity check. */ ++extern void BL_FIPSRepeatIntegrityCheck(void); ++ + SEC_END_PROTOS + + #endif /* _BLAPI_H_ */ +Index: nss/lib/freebl/fips-selftest.inc +=================================================================== +--- /dev/null ++++ nss/lib/freebl/fips-selftest.inc +@@ -0,0 +1,355 @@ ++/* ++ * PKCS #11 FIPS Power-Up Self Test - common stuff. ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#ifndef FIPS_INC ++#define FIPS_INC ++ ++/* common functions used for FIPS selftests. Due to the modular design of NSS ++ * putting these into libfreebl would mean either amending the API represented ++ * by FREEBLVectorStr - which might cause problems with newer applications, or ++ * extending the API with another similar function set. Thus, to make things ++ * less complicated in the binaries, we mess up the source a bit. 
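Review bot: The new `int *err` out-parameter on `BLAPI_SHVerify`, `BLAPI_SHVerifyFile` and `BLAPI_VerifySelf` is undocumented; from the shvfy.c hunk later in this patch it is optional (may be NULL), is written only when the `.chk` file cannot be opened, with the `PORT_GetError()` value, and is left untouched on every other failure path. `fips_checkSignature` relies on exactly that to tell a missing check file (`PR_FILE_NOT_FOUND_ERROR`) from a failed verification, so the contract belongs in this header: `/* err (may be NULL): receives PORT_GetError() when the .chk file cannot be opened; not written on any other failure. */`.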
*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++ ++#include ++ ++#include "blapi.h" ++ ++#define NSS_FORCE_FIPS_ENV "NSS_FIPS" ++#define FIPS_PROC_PATH "/proc/sys/crypto/fips_enabled" ++ ++#define CHECKSUM_SUFFIX ".chk" ++ ++typedef enum fips_check_status { ++ CHECK_UNCHECKED = -1, ++ CHECK_OK = 0, ++ CHECK_FAIL, ++ CHECK_FAIL_CRYPTO, ++ CHECK_MISSING ++} fips_check_status; ++ ++/* initial value of FIPS state is -1 */ ++static int fips_state = -1; ++ ++static int fips_wanted = -1; ++ ++static int fips_is_env = 0; ++static int fips_ignore_checksums = 0; ++ ++/* debug messages are sent to stderr */ ++static void ++debug(const char *fmt,...) ++{ ++#if 0 ++ va_list args; ++ ++ va_start(args, fmt); ++ vfprintf(stderr, fmt, args); ++ va_end(args); ++ fputc('\n', stderr); ++#endif ++ return; ++} ++ ++/* Fatal messages ending with abort(); this function never returns */ ++static void __attribute__ ((__noreturn__)) ++fatal(const char *fmt,...) 
++{ ++ va_list args; ++ ++ va_start(args, fmt); ++ vfprintf(stderr, fmt, args); ++ va_end(args); ++ fputc('\n', stderr); ++ abort(); ++} ++ ++/* check whether FIPS mode is mandated by the kernel */ ++static int ++fips_isWantedProc(void) ++{ ++ int my_fips_wanted = 0; ++ int fips_fd; ++ char fips_sys = 0; ++ ++ struct stat dummy; ++ if (-1 == stat(FIPS_PROC_PATH, &dummy)) { ++ switch (errno) { ++ case ENOENT: ++ case EACCES: /* Mozilla sandboxing returns EACCES instead of ENOENT */ ++ case ENOTDIR: ++ break; ++ default: ++ fatal("Check for system-wide FIPS mode is required and %s cannot" ++ " be accessed for reason other than non-existence - aborting" ++ , FIPS_PROC_PATH); ++ break; ++ } ++ } else { ++ if (-1 == (fips_fd = open(FIPS_PROC_PATH, O_RDONLY))) { ++ fatal("Check for system-wide FIPS mode is required and %s cannot" ++ " be opened for reading - aborting" ++ , FIPS_PROC_PATH); ++ } ++ if (1 > read(fips_fd, &fips_sys, 1)) { ++ fatal("Check for system-wide FIPS mode is required and %s doesn't" ++ " return at least one character - aborting" ++ , FIPS_PROC_PATH); ++ } ++ close(fips_fd); ++ switch (fips_sys) { ++ case '0': ++ case '1': ++ my_fips_wanted = fips_sys - '0'; ++ break; ++ default: ++ fatal("Bogus character %c found in %s - aborting" ++ , fips_sys, FIPS_PROC_PATH); ++ } ++ } ++ return my_fips_wanted; ++} ++ ++/* "legacy" from lib/sysinit/nsssysinit.c */ ++static PRBool ++getFIPSEnv(void) ++{ ++ char *fipsEnv = getenv("NSS_FIPS"); ++ if (!fipsEnv) { ++ return PR_FALSE; ++ } ++ if ((strcasecmp(fipsEnv,"fips") == 0) || ++ (strcasecmp(fipsEnv,"true") == 0) || ++ (strcasecmp(fipsEnv,"on") == 0) || ++ (strcasecmp(fipsEnv,"1") == 0)) { ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ ++static PRBool ++getIgnoreChecksumsEnv(void) ++{ ++ char *checksumEnv = getenv("NSS_IGNORE_CHECKSUMS"); ++ if (!checksumEnv) { ++ return PR_FALSE; ++ } ++ if ((strcasecmp(checksumEnv,"true") == 0) || ++ (strcasecmp(checksumEnv,"on") == 0) || ++ (strcasecmp(checksumEnv,"1") == 
0)) { ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ ++static int ++fips_isWantedEnv(void) ++{ ++ return getFIPSEnv() ? 1 : 0; ++} ++ ++static int ++fips_isWanted(void) ++{ ++ int fips_requests = 0; ++#ifdef LINUX ++ fips_requests += fips_isWantedProc(); ++#endif ++ if (fips_requests < 1) ++ { ++ fips_is_env = 1; ++ fips_ignore_checksums = getIgnoreChecksumsEnv(); ++ } ++ fips_requests += fips_isWantedEnv(); ++ ++ return fips_requests < 1 ? 0 : 1; ++} ++ ++static PRBool ++fips_check_signature_external (const char *full_lib_name, int *err) ++{ ++ char *p0, *p1; ++ char *ld_path; ++ PRBool rv = PR_FALSE; ++ ++ p0 = getenv ("LD_LIBRARY_PATH"); ++ p0 = ld_path = strdup (p0 ? p0 : ""); ++ ++ for (p1 = strchr (p0, ':'); p1 && !rv; p1 = strchr (p0, ':')) ++ { ++ char *path; ++ ++ *p1 = '\0'; ++ path = malloc (strlen (p0) + strlen (full_lib_name) + 2); ++ strcpy (path, p0); ++ strcat (path, "/"); ++ strcat (path, full_lib_name); ++ ++ rv = BLAPI_SHVerifyFile (path, err); ++ ++ free (path); ++ p0 = p1 + 1; ++ } ++ ++ if (!rv) ++ { ++ char *path = malloc (strlen ("/usr/lib64/") + strlen (full_lib_name) + 1); ++ strcpy (path, "/usr/lib64/"); ++ strcat (path, full_lib_name); ++ rv = BLAPI_SHVerifyFile (path, err); ++ } ++ ++ free (ld_path); ++ return rv; ++} ++ ++/* check integrity signatures (if present) */ ++static fips_check_status ++fips_checkSignature(char *libName, PRFuncPtr addr) ++{ ++ PRBool rv; ++ fips_check_status rv_check = CHECK_UNCHECKED; ++ int l = PATH_MAX; ++ int err = 0; ++ int err_NOENT = 0; ++ char full_lib_name[PATH_MAX+1]; ++ full_lib_name[0] = '\0'; ++ ++ if (NULL == libName) { ++ err_NOENT = PR_FILE_NOT_FOUND_ERROR; ++ rv = BLAPI_VerifySelf(SHLIB_PREFIX"freebl"SHLIB_VERSION"."SHLIB_SUFFIX, &err); ++ } else { ++ err_NOENT = PR_FILE_NOT_FOUND_ERROR; ++ strncat(full_lib_name, SHLIB_PREFIX, l); ++ l -= strlen(SHLIB_PREFIX); ++ strncat(full_lib_name, libName, l); ++ l -= strlen(libName); ++ strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l); ++ l -= 
strlen(SHLIB_VERSION"."SHLIB_SUFFIX); ++ ++ if (NULL == addr) ++ rv = fips_check_signature_external (full_lib_name, &err); ++ else ++ rv = BLAPI_SHVerify(full_lib_name, addr, &err); ++ } ++ ++ if (rv) { ++ rv_check = CHECK_OK; ++ } else { ++ if (err_NOENT == err) { ++ rv_check = CHECK_MISSING; ++ } else { ++ rv_check = CHECK_FAIL; ++ } ++ } ++ ++ return rv_check; ++} ++ ++/* decide what to do depending on the results of tests and system/required FIPS ++ * mode */ ++static int ++fips_resolve(fips_check_status check, char *libName) ++{ ++ int state; ++ ++ if (fips_wanted) { ++ switch (check) { ++ case CHECK_OK: ++ debug("fips - %s: mandatory checksum ok" ++ , (libName) ? libName : "freebl"); ++ break; ++ case CHECK_FAIL: ++ fatal("fips - %s: mandatory checksum failed - aborting" ++ , (libName) ? libName : "freebl"); ++ break; ++ case CHECK_FAIL_CRYPTO: ++ fatal("fips - %s: mandatory crypto test failed - aborting" ++ , (libName) ? libName : "freebl"); ++ break; ++ case CHECK_MISSING: ++ fatal("fips - %s: mandatory checksum data missing - aborting" ++ , (libName) ? libName : "freebl"); ++ break; ++ default: ++ fatal("Fatal error: internal error at %s:%u" ++ , __FILE__, __LINE__); ++ break; ++ } ++ state = 1; ++ } else { ++ switch (check) { ++ case CHECK_OK: ++ debug("fips - %s: checksum ok" ++ , (libName) ? libName : "freebl"); ++ break; ++ case CHECK_FAIL: ++#if 0 ++ fatal("fips - %s: checksum failed - aborting" ++ , (libName) ? libName : "freebl"); ++#else ++ debug("fips - %s: checksum failed - not in FIPS mode; continuing" ++ , (libName) ? libName : "freebl"); ++#endif ++ break; ++ case CHECK_FAIL_CRYPTO: ++ fatal("fips - %s: crypto test failed - aborting" ++ , (libName) ? libName : "freebl"); ++ break; ++ case CHECK_MISSING: ++ debug("fips - %s: mandatory checksum data missing, but not required in non FIPS mode; continuing non-FIPS" ++ , (libName) ? 
libName : "freebl"); ++ break; ++ default: ++ fatal("Fatal error: internal error at %s:%u" ++ , __FILE__, __LINE__); ++ break; ++ } ++ state = 0; ++ } ++ return state; ++} ++ ++/* generic selftest ++ * libName and addr are the name of shared object to check and a function ++ * contained therein; (NULL, NULL) performs selfcheck of freebl. ++ * crypto_check is callback that performs cryptographic algorithms checks; NULL ++ * for libraries that do not implement any cryptographic algorithms per se ++ */ ++static int ++fips_initTest(char *libName, PRFuncPtr addr, fips_check_status cryptoCheck(void)) ++{ ++ fips_check_status check = CHECK_OK; ++ ++ fips_wanted = fips_isWanted(); ++ ++ if (cryptoCheck) { ++ check = cryptoCheck(); ++ debug("fips - %s: crypto check %s" ++ , (libName) ? libName : "freebl" ++ , (CHECK_OK == check) ? "ok" : "failed"); ++ } ++ ++ if (CHECK_OK == check) { ++ check = fips_checkSignature(libName, addr); ++ } ++ ++ return fips_resolve(check, libName); ++} ++ ++#endif +Index: nss/lib/freebl/fips.c +=================================================================== +--- /dev/null ++++ nss/lib/freebl/fips.c +@@ -0,0 +1,7 @@ ++/* ++ * PKCS #11 FIPS Power-Up Self Test. ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ +Index: nss/lib/freebl/fips.h +=================================================================== +--- /dev/null ++++ nss/lib/freebl/fips.h +@@ -0,0 +1,16 @@ ++/* ++ * PKCS #11 FIPS Power-Up Self Test. ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. 
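Review bot: In `fips_check_signature_external` the loop `for (p1 = strchr (p0, ':'); p1 && !rv; p1 = strchr (p0, ':'))` only visits LD_LIBRARY_PATH entries that are followed by a `':'`, so the last entry (or the only entry of a single-directory value) is never probed and the check falls straight through to the hard-coded `/usr/lib64/`, which also never matches a 32-bit install. The `strdup` and both `malloc` results are dereferenced without a NULL check, and the sized `strcpy`/`strcat` sequence is clearer as one `snprintf`; the fence below rewrites the loop to visit every entry and stop on allocation failure, leaving the fallback as it is. Elsewhere in this file, `getFIPSEnv` hard-codes `getenv("NSS_FIPS")` although `NSS_FORCE_FIPS_ENV` is defined for that purpose, and `fips_checkSignature` could build the name with a single `snprintf(full_lib_name, sizeof full_lib_name, SHLIB_PREFIX "%s" SHLIB_VERSION "." SHLIB_SUFFIX, libName)` instead of the chained `strncat`/`l -=` bookkeeping, which turns into a huge `size_t` if `l` ever goes negative. `debug()` is compiled to a no-op via `#if 0`, so in `fips_resolve` a `CHECK_FAIL` outside FIPS mode leaves no trace at all; an environment-gated stderr line would let operators notice a tampered or mis-installed `.chk` file.
```c
static PRBool
fips_check_signature_external (const char *full_lib_name, int *err)
{
    char *ld_path, *p0;
    PRBool rv = PR_FALSE;

    p0 = getenv ("LD_LIBRARY_PATH");
    p0 = ld_path = strdup (p0 ? p0 : "");

    /* Visit every ':'-separated entry, including the last one, which has no
     * terminating ':' and was previously skipped; empty entries are ignored. */
    while (p0 && !rv) {
        char *p1 = strchr (p0, ':');

        if (p1)
            *p1 = '\0';
        if (*p0 != '\0') {
            size_t len = strlen (p0) + strlen (full_lib_name) + 2;
            char *path = malloc (len);

            if (!path)
                break;
            snprintf (path, len, "%s/%s", p0, full_lib_name);
            rv = BLAPI_SHVerifyFile (path, err);
            free (path);
        }
        p0 = p1 ? p1 + 1 : NULL;
    }

    /* … unchanged: /usr/lib64/ fallback (give its malloc the same NULL check) … */

    free (ld_path);
    return rv;
}
```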
*/ ++ ++#ifndef FIPS_H ++#define FIPS_H ++ ++int FIPS_mode(void); ++int FIPS_mode_allow_tests(void); ++char* FIPS_rngDev(void); ++ ++#endif ++ +Index: nss/lib/freebl/fipsfreebl.c +=================================================================== +--- nss.orig/lib/freebl/fipsfreebl.c ++++ nss/lib/freebl/fipsfreebl.c +@@ -21,6 +21,13 @@ + + #include "ec.h" /* Required for EC */ + ++#include "fips-selftest.inc" ++ ++#include "fips.h" ++ ++#define RNG_DEV_FIPS0 "/dev/urandom" ++#define RNG_DEV_FIPS1 "/dev/random" ++ + /* + * different platforms have different ways of calling and initial entry point + * when the dll/.so is loaded. Most platforms support either a posix pragma +@@ -1998,9 +2005,8 @@ freebl_fips_RNG_PowerUpSelfTest(void) + 0x0a, 0x26, 0x21, 0xd0, 0x19, 0xcb, 0x86, 0x73, + 0x10, 0x1f, 0x60, 0xd7 + }; +- + SECStatus rng_status = SECSuccess; +- PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH]; ++ PRUint8 DSAX[DSA1_SUBPRIME_LEN]; + + /*******************************************/ + /* Run the SP 800-90 Health tests */ +@@ -2014,13 +2020,12 @@ freebl_fips_RNG_PowerUpSelfTest(void) + /*******************************************/ + /* Generate DSAX fow given Q. 
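Review bot: `lib/freebl/fips.h` uses the include guard `FIPS_H`, and the new `lib/softoken/fips.h` later in this patch uses the identical guard, so any translation unit that ends up with both — `lib/softoken/fips.c` includes `../freebl/fips-selftest.inc` and then `"fips.h"`, and would lose one set of declarations if any header on that path pulls in the freebl copy — silently drops the second header. Rename one of them, e.g. `FREEBL_FIPS_H` here and `SOFTOKEN_FIPS_H` in the softoken copy. `FIPS_hashAlgApproved`, which fipsfreebl.c defines with external linkage, has no prototype here; add `PRBool FIPS_hashAlgApproved(HASH_HashType hashAlg);`. `FIPS_rngDev` returns string literals, so its declared type should be `const char *`.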
*/ + /*******************************************/ +- + rng_status = FIPS186Change_ReduceModQForDSA(GENX, Q, DSAX); + + /* Verify DSAX to perform the RNG integrity check */ + if ((rng_status != SECSuccess) || + (PORT_Memcmp(DSAX, rng_known_DSAX, +- (FIPS_DSA_SUBPRIME_LENGTH)) != 0)) { ++ (DSA1_SUBPRIME_LEN)) != 0)) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +@@ -2028,17 +2033,19 @@ freebl_fips_RNG_PowerUpSelfTest(void) + return (SECSuccess); + } + ++#if 0 + static SECStatus + freebl_fipsSoftwareIntegrityTest(const char *libname) + { + SECStatus rv = SECSuccess; + + /* make sure that our check file signatures are OK */ +- if (!BLAPI_VerifySelf(libname)) { ++ if (!BLAPI_VerifySelf(libname, NULL)) { + rv = SECFailure; + } + return rv; + } ++#endif + + #define DO_FREEBL 1 + #define DO_REST 2 +@@ -2156,11 +2163,13 @@ static PRBool self_tests_ran = PR_FALSE; + static PRBool self_tests_freebl_success = PR_FALSE; + static PRBool self_tests_success = PR_FALSE; + ++static PRBool freebl_only = PR_FALSE; ++ + /* + * accessors for freebl + */ + PRBool +-BL_POSTRan(PRBool freebl_only) ++BL_POSTRan(PRBool my_freebl_only) + { + SECStatus rv; + /* if the freebl self tests didn't run, there is something wrong with +@@ -2173,7 +2182,7 @@ BL_POSTRan(PRBool freebl_only) + return PR_TRUE; + } + /* if we only care about the freebl tests, we are good */ +- if (freebl_only) { ++ if (my_freebl_only) { + return PR_TRUE; + } + /* run the rest of the self tests */ +@@ -2192,32 +2201,16 @@ BL_POSTRan(PRBool freebl_only) + return PR_TRUE; + } + ++#if 0 + #include "blname.c" ++#endif + +-/* +- * This function is called at dll load time, the code tha makes this +- * happen is platform specific on defined above. 
+- */ +-static void +-bl_startup_tests(void) ++/* crypto algorithms selftest wrapper */ ++static fips_check_status ++fips_checkCryptoFreebl(void) + { +- const char *libraryName; +- PRBool freebl_only = PR_FALSE; + SECStatus rv; + +- PORT_Assert(self_tests_freebl_ran == PR_FALSE); +- PORT_Assert(self_tests_success == PR_FALSE); +- self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ +- self_tests_success = PR_FALSE; /* force it just in case */ +- self_tests_freebl_success = PR_FALSE; /* force it just in case */ +- +-#ifdef FREEBL_NO_DEPEND +- rv = FREEBL_InitStubs(); +- if (rv != SECSuccess) { +- freebl_only = PR_TRUE; +- } +-#endif +- + self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ + + if (!freebl_only) { +@@ -2229,20 +2222,55 @@ bl_startup_tests(void) + /* always run the post tests */ + rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST); + if (rv != SECSuccess) { +- return; ++ return CHECK_FAIL_CRYPTO; + } + ++#if 0 ++ /* fips_initTest() does this for us by calling fips_checkSignature() */ + libraryName = getLibName(); + rv = freebl_fipsSoftwareIntegrityTest(libraryName); + if (rv != SECSuccess) { +- return; ++ return CHECK_FAIL_CRYPTO; + } ++#endif + + /* posts are happy, allow the fips module to function now */ + self_tests_freebl_success = PR_TRUE; /* we always test the freebl stuff */ + if (!freebl_only) { + self_tests_success = PR_TRUE; + } ++ ++ return CHECK_OK; ++} ++ ++/* ++ * This function is called at dll load time, the code tha makes this ++ * happen is platform specific on defined above. 
++ */ ++static void ++bl_startup_tests(void) ++{ ++ SECStatus rv; ++ ++ PORT_Assert(self_tests_freebl_ran == PR_FALSE); ++ PORT_Assert(self_tests_success == PR_FALSE); ++ PORT_Assert(fips_mode_available == PR_FALSE); ++ self_tests_freebl_ran = PR_TRUE; /* we are running the tests */ ++ self_tests_success = PR_FALSE; /* force it just in case */ ++ self_tests_freebl_success = PR_FALSE; /* force it just in case */ ++ ++ freebl_only = PR_FALSE; ++ ++#ifdef FREEBL_NO_DEPEND ++ rv = FREEBL_InitStubs(); ++ if (rv != SECSuccess) { ++ freebl_only = PR_TRUE; ++ } ++#endif ++ ++ /* Detect FIPS mode and verify checksums */ ++ fips_state = fips_initTest(NULL, NULL, fips_checkCryptoFreebl); ++ debug("FIPS mode: %i\n", FIPS_mode()); + } + + /* +@@ -2251,19 +2279,12 @@ bl_startup_tests(void) + * power on selftest failed. + */ + SECStatus +-BL_FIPSEntryOK(PRBool freebl_only, PRBool rerun) ++BL_FIPSEntryOK(PRBool my_freebl_only, PRBool rerun) + { +-#ifdef NSS_NO_INIT_SUPPORT +- /* this should only be set on platforms that can't handle one of the INIT +- * schemes. This code allows those platforms to continue to function, +- * though they don't meet the strict NIST requirements. 
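Review bot: In the rewritten `bl_startup_tests`, `SECStatus rv;` is assigned only inside `#ifdef FREEBL_NO_DEPEND`, so builds without that define get an unused-variable warning; move the declaration under the same `#ifdef`. The added `PORT_Assert(fips_mode_available == PR_FALSE)` refers to a symbol that no visible hunk of this patch introduces or declares — confirm it exists in fipsfreebl.c, otherwise debug builds fail to compile. The trailing `debug("FIPS mode: %i\n", FIPS_mode())` is a no-op because `debug()` is compiled out, but it still calls `FIPS_mode()`, which aborts via `fatal()` on an unexpected state; a comment saying that side effect is intended would help.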
If NSS_NO_INIT_SUPPORT +- * is not set, and init support has not been properly enabled, freebl +- * will always fail because of the test below +- */ ++ /* For platforms that don't support on-load constructors */ + if (!self_tests_freebl_ran) { + bl_startup_tests(); + } +-#endif + if (rerun) { + /* reset the flags */ + self_tests_freebl_ran = PR_FALSE; +@@ -2277,10 +2298,104 @@ BL_FIPSEntryOK(PRBool freebl_only, PRBoo + return SECSuccess; + } + /* standalone freebl can initialize */ +- if (freebl_only && self_tests_freebl_success) { ++ if (my_freebl_only && self_tests_freebl_success) { + return SECSuccess; + } + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } ++ ++void ++BL_FIPSRepeatIntegrityCheck(void) ++{ ++ fips_state = fips_initTest("freebl", NULL, NULL); ++ ++ if (!fips_state) ++ { ++ fatal ("fips - freebl: Integrity test re-run failed - aborting."); ++ } ++} ++ ++/* returns the FIPS mode we are running in or the one that we aspire to if the ++ * tests have not completed yet - which might happen during the crypto selftest ++ */ ++int ++FIPS_mode(void) ++{ ++ int fips; ++ ++ if (fips_wanted < 0) ++ fips_wanted = fips_isWanted (); ++ ++ /* until FIPS mode is cleared up, assume we are running in whatever is ++ * wanted by the environment */ ++ fips = (-1 != fips_state) ? fips_state : fips_wanted; ++ switch (fips) { ++ case 0: ++ case 1: ++ return fips; ++ default: ++ fatal("Fatal error: internal error at %s:%u" ++ , __FILE__, __LINE__); ++ } ++} ++ ++/* Returns the FIPS mode we are running in. If the tests have not completed yet, ++ * return FALSE. This allows testing of modules that are not allowed in FIPS ++ * mode. */ ++int ++FIPS_mode_allow_tests(void) ++{ ++ int fips; ++ ++ fips = (-1 != fips_state) ? 
fips_state : 0; ++ ++ return fips; ++} ++ ++/* returns string specifying what system RNG file to use for seeding */ ++char * ++FIPS_rngDev(void) ++{ ++ switch (FIPS_mode()) { ++ case 0: ++ return RNG_DEV_FIPS0; ++ case 1: ++ return RNG_DEV_FIPS1; ++ default: ++ fatal("Fatal error: internal error at %s:%u" ++ , __FILE__, __LINE__); ++ } ++} ++ ++/* either returns the input or aborts if in FIPS and the algorithm is not ++ * approved */ ++PRBool ++FIPS_hashAlgApproved(HASH_HashType hashAlg) ++{ ++ PRBool rv = PR_FALSE; ++ ++ switch (hashAlg) { ++ case HASH_AlgNULL: ++ case HASH_AlgSHA1: ++ case HASH_AlgSHA256: ++ case HASH_AlgSHA384: ++ case HASH_AlgSHA512: ++ case HASH_AlgSHA224: ++ rv = PR_TRUE; ++ break; ++ default: ++ /* ++ fatal("Fatal error: non-approved hash algorithm (id %i)" ++ "requested while running in FIPS mode" ++ , hashAlg); ++ */ ++ if (!FIPS_mode()) ++ rv = PR_TRUE; ++ break; ++ } ++ return rv; ++} ++ + #endif ++ +Index: nss/lib/freebl/loader.c +=================================================================== +--- nss.orig/lib/freebl/loader.c ++++ nss/lib/freebl/loader.c +@@ -95,6 +95,14 @@ BL_Init(void) + return (vector->p_BL_Init)(); + } + ++void ++BL_FIPSRepeatIntegrityCheck(void) ++{ ++ if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) ++ return; ++ (vector->p_BL_FIPSRepeatIntegrityCheck)(); ++} ++ + RSAPrivateKey * + RSA_NewKey(int keySizeInBits, SECItem *publicExponent) + { +@@ -1213,11 +1221,11 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext + } + + PRBool +-BLAPI_SHVerify(const char *name, PRFuncPtr addr) ++BLAPI_SHVerify(const char *name, PRFuncPtr addr, int *err) + { + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return PR_FALSE; +- return vector->p_BLAPI_SHVerify(name, addr); ++ return vector->p_BLAPI_SHVerify(name, addr, err); + } + + /* +@@ -1227,12 +1235,12 @@ BLAPI_SHVerify(const char *name, PRFuncP + * in freebl_LoadDSO) to p_BLAPI_VerifySelf. 
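Review bot: The comment on `FIPS_hashAlgApproved`, `either returns the input or aborts if in FIPS and the algorithm is not approved`, no longer matches the code: the `fatal()` call is commented out, so in FIPS mode a non-approved algorithm returns `PR_FALSE` and every caller must check the result; replace it with `/* PR_TRUE if hashAlg is FIPS-approved; outside FIPS mode every algorithm is accepted. Never aborts. */`. `BL_FIPSRepeatIntegrityCheck` calls `fips_initTest("freebl", NULL, NULL)`, and with a NULL `addr` `fips_checkSignature` takes the `fips_check_signature_external` route, so the re-run verifies whichever freebl shared object is found on LD_LIBRARY_PATH or under `/usr/lib64/` rather than the object actually mapped into the process; passing `(PRFuncPtr)BL_FIPSRepeatIntegrityCheck` as `addr`, as softoken/fips.c does with its own constructor, should let `BLAPI_SHVerify` resolve the loaded file instead. `FIPS_rngDev` hands out string literals through a `char *` and would be more accurately typed `const char *`.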
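Review bot: `BL_FIPSRepeatIntegrityCheck` calls `(vector->p_BL_FIPSRepeatIntegrityCheck)()` with no NULL check, and the loader.h hunk that appends that pointer at the end of `FREEBLVectorStr` does not show the `FREEBL_VERSION` bump the struct's own comment asks for. If softoken is paired with a freebl built without this patch, the pointer lies past the vector that library actually provides and the call goes through garbage; bump the version and guard the slot, `if (!vector->p_BL_FIPSRepeatIntegrityCheck) return;`, after the loader's existing length/version validation. The in-place prototype changes to `p_BLAPI_SHVerify`, `p_BLAPI_VerifySelf` and `p_BLAPI_SHVerifyFile` in the same header alter the ABI of existing slots as well, so a freebl/softoken version mismatch would call them with a different signature; that is worth a comment next to the "SUSE patch: Goes last" note.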
+ */ + PRBool +-BLAPI_VerifySelf(const char *name) ++BLAPI_VerifySelf(const char *name, int *err) + { + PORT_Assert(!name); + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return PR_FALSE; +- return vector->p_BLAPI_VerifySelf(libraryName); ++ return vector->p_BLAPI_VerifySelf(libraryName, err); + } + + /* ============== New for 3.006 =============================== */ +@@ -1836,11 +1844,11 @@ SHA224_Clone(SHA224Context *dest, SHA224 + } + + PRBool +-BLAPI_SHVerifyFile(const char *name) ++BLAPI_SHVerifyFile(const char *name, int *err) + { + if (!vector && PR_SUCCESS != freebl_RunLoaderOnce()) + return PR_FALSE; +- return vector->p_BLAPI_SHVerifyFile(name); ++ return vector->p_BLAPI_SHVerifyFile(name, err); + } + + /* === new for DSA-2 === */ +Index: nss/lib/freebl/loader.h +=================================================================== +--- nss.orig/lib/freebl/loader.h ++++ nss/lib/freebl/loader.h +@@ -299,8 +299,8 @@ struct FREEBLVectorStr { + + /* Version 3.004 came to here */ + +- PRBool (*p_BLAPI_SHVerify)(const char *name, PRFuncPtr addr); +- PRBool (*p_BLAPI_VerifySelf)(const char *name); ++ PRBool (*p_BLAPI_SHVerify)(const char *name, PRFuncPtr addr, int *err); ++ PRBool (*p_BLAPI_VerifySelf)(const char *name, int *err); + + /* Version 3.005 came to here */ + +@@ -556,7 +556,7 @@ struct FREEBLVectorStr { + SECStatus (*p_SHA224_Flatten)(SHA224Context *cx, unsigned char *space); + SHA224Context *(*p_SHA224_Resurrect)(unsigned char *space, void *arg); + void (*p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src); +- PRBool (*p_BLAPI_SHVerifyFile)(const char *name); ++ PRBool (*p_BLAPI_SHVerifyFile)(const char *name, int *err); + + /* Version 3.013 came to here */ + +@@ -834,6 +834,9 @@ struct FREEBLVectorStr { + + /* Add new function pointers at the end of this struct and bump + * FREEBL_VERSION at the beginning of this file. 
*/ ++ ++ /* SUSE patch: Goes last */ ++ void (*p_BL_FIPSRepeatIntegrityCheck)(void); + }; + + typedef struct FREEBLVectorStr FREEBLVector; +Index: nss/lib/freebl/manifest.mn +=================================================================== +--- nss.orig/lib/freebl/manifest.mn ++++ nss/lib/freebl/manifest.mn +@@ -97,6 +97,7 @@ PRIVATE_EXPORTS = \ + ecl.h \ + ecl-curve.h \ + eclt.h \ ++ fips.h \ + $(NULL) + + MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h +@@ -187,6 +188,7 @@ ALL_HDRS = \ + shsign.h \ + vis_proto.h \ + seed.h \ ++ fips.h \ + $(NULL) + + +Index: nss/lib/freebl/shvfy.c +=================================================================== +--- nss.orig/lib/freebl/shvfy.c ++++ nss/lib/freebl/shvfy.c +@@ -23,6 +23,8 @@ + + #ifndef NSS_FIPS_DISABLED + ++#undef DEBUG_SHVERIFY ++ + /* + * Most modern version of Linux support a speed optimization scheme where an + * application called prelink modifies programs and shared libraries to quickly +@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int + } + #endif + +-/* #define DEBUG_SHVERIFY 1 */ +- + static char * + mkCheckFileName(const char *libName) + { +@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item) + return SECSuccess; + } + +-static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun); ++static PRBool blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun, int *err); + + static PRBool +-blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun) ++blapi_SHVerify(const char *name, PRFuncPtr addr, PRBool self, PRBool rerun, int *err) + { + PRBool result = PR_FALSE; /* if anything goes wrong, +- * the signature does not verify */ ++ * the signature does not verify */ + /* find our shared library name */ + char *shName = PR_GetLibraryFilePathname(name, addr); + if (!shName) { + goto loser; + } +- result = blapi_SHVerifyFile(shName, self, rerun); ++ result = blapi_SHVerifyFile(shName, self, rerun, err); + + 
loser: + if (shName != NULL) { +@@ -311,25 +311,25 @@ loser: + } + + PRBool +-BLAPI_SHVerify(const char *name, PRFuncPtr addr) ++BLAPI_SHVerify(const char *name, PRFuncPtr addr, int *err) + { + PRBool rerun = PR_FALSE; + if (name && *name == BLAPI_FIPS_RERUN_FLAG) { + name++; + rerun = PR_TRUE; + } +- return blapi_SHVerify(name, addr, PR_FALSE, rerun); ++ return blapi_SHVerify(name, addr, PR_FALSE, rerun, err); + } + + PRBool +-BLAPI_SHVerifyFile(const char *shName) ++BLAPI_SHVerifyFile(const char *shName, int *err) + { + PRBool rerun = PR_FALSE; + if (shName && *shName == BLAPI_FIPS_RERUN_FLAG) { + shName++; + rerun = PR_TRUE; + } +- return blapi_SHVerifyFile(shName, PR_FALSE, rerun); ++ return blapi_SHVerifyFile(shName, PR_FALSE, rerun, err); + } + + #ifndef NSS_STRICT_INTEGRITY +@@ -432,7 +432,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + } + + static PRBool +-blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun) ++blapi_SHVerifyFile(const char *shName, PRBool self, PRBool rerun, int *err) + { + char *checkName = NULL; + PRFileDesc *checkFD = NULL; +@@ -446,7 +446,7 @@ blapi_SHVerifyFile(const char *shName, P + int pid = 0; + #endif + PRBool result = PR_FALSE; /* if anything goes wrong, +- * the signature does not verify */ ++ * the signature does not verify */ + NSSSignChkHeader header; + #ifndef NSS_STRICT_INTEGRITY + DSAPublicKey key; +@@ -473,14 +473,17 @@ blapi_SHVerifyFile(const char *shName, P + /* open the check File */ + checkFD = PR_Open(checkName, PR_RDONLY, 0); + if (checkFD == NULL) { ++ if (err) { ++ *err = PORT_GetError(); ++ } + #ifdef DEBUG_SHVERIFY +- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", +- checkName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the check file %s: (%d)\n", ++ checkName, (int)PORT_GetError()); + #endif /* DEBUG_SHVERIFY */ + goto loser; + } + +- /* read and Verify the headerthe header */ ++ /* read and Verify the header */ + bytesRead = PR_Read(checkFD, 
&header, sizeof(header)); + if (bytesRead != sizeof(header)) { + goto loser; +@@ -561,7 +564,7 @@ blapi_SHVerifyFile(const char *shName, P + goto loser; + } + +-/* open our library file */ ++ /* open our library file */ + #ifdef FREEBL_USE_PRELINK + shFD = bl_OpenUnPrelink(shName, &pid); + #else +@@ -569,8 +572,8 @@ blapi_SHVerifyFile(const char *shName, P + #endif + if (shFD == NULL) { + #ifdef DEBUG_SHVERIFY +- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", +- shName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the library file %s: (%d)\n", ++ shName, (int)PORT_GetError()); + #endif /* DEBUG_SHVERIFY */ + goto loser; + } +@@ -631,7 +634,7 @@ loser: + } + + PRBool +-BLAPI_VerifySelf(const char *name) ++BLAPI_VerifySelf(const char *name, int *err) + { + if (name == NULL) { + /* +@@ -640,7 +643,7 @@ BLAPI_VerifySelf(const char *name) + */ + return PR_TRUE; + } +- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE); ++ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, PR_FALSE, err); + } + + #else /* NSS_FIPS_DISABLED */ +@@ -656,7 +659,7 @@ BLAPI_SHVerify(const char *name, PRFuncP + return PR_FALSE; + } + PRBool +-BLAPI_VerifySelf(const char *name) ++BLAPI_VerifySelf(const char *name, int *err) + { + return PR_FALSE; + } +Index: nss/lib/softoken/fips.c +=================================================================== +--- /dev/null ++++ nss/lib/softoken/fips.c +@@ -0,0 +1,50 @@ ++#include "../freebl/fips-selftest.inc" ++ ++#include "fips.h" ++ ++#include "softoken.h" ++ ++#include ++ ++/* crypto algorithms selftest wrapper */ ++static fips_check_status ++fips_checkCryptoSoftoken(void) ++{ ++ if (CKR_OK == sftk_FIPSEntryOK(PR_FALSE)) { ++ return CHECK_OK; ++ } else { ++ return CHECK_FAIL_CRYPTO; ++ } ++ ++ return CHECK_OK; ++} ++ ++/* constructor - load-time selfchecks */ ++static void __attribute__ ((constructor)) ++fips_initTestSoftoken(void) ++{ ++ fips_state = 
fips_initTest("softokn", (PRFuncPtr)fips_initTestSoftoken, fips_checkCryptoSoftoken); ++ ++ /* The legacy DB must be checked unconditionally in FIPS mode. As an exception, ++ * this can be turned off for the build-time tests using the env var ++ * NSS_IGNORE_CHECKSUMS. This is necessary because the files cannot be ++ * located before they're installed. It only works if FIPS mode is enabled ++ * via NSS_FIPS=1, not if it's set in /proc. */ ++ ++ if (fips_state && !(fips_is_env && fips_ignore_checksums)) ++ { ++ fips_state = fips_initTest("nssdbm", (PRFuncPtr) NULL, NULL); ++ } ++ ++ return; ++} ++ ++void ++fips_repeatTestSoftoken(void) ++{ ++ fips_initTestSoftoken(); ++ if (!fips_state) ++ { ++ fatal ("fips - softokn: Integrity test re-run failed - aborting."); ++ } ++} +Index: nss/lib/softoken/fips.h +=================================================================== +--- /dev/null ++++ nss/lib/softoken/fips.h +@@ -0,0 +1,15 @@ ++#ifndef FIPS_H ++#define FIPS_H ++ ++#include "prtypes.h" ++#include "softoken.h" ++ ++SEC_BEGIN_PROTOS ++ ++CK_RV sftk_fipsPowerUpSelfTest(void); ++extern void sftk_FIPSRepeatIntegrityCheck(void); ++ ++SEC_END_PROTOS ++ ++#endif ++ +Index: nss/lib/softoken/fipstest.c +=================================================================== +--- nss.orig/lib/softoken/fipstest.c ++++ nss/lib/softoken/fipstest.c +@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void) + return (SECSuccess); + } + ++#define FIPS_DSA_TYPE siBuffer ++#define FIPS_DSA_DIGEST_LENGTH 28 /* 224-bits */ ++#define FIPS_DSA_SUBPRIME_LENGTH 28 /* 224-bits */ ++#define FIPS_DSA_SIGNATURE_LENGTH 56 /* 448-bits */ ++#define FIPS_DSA_PRIME_LENGTH 256 /* 2048-bits */ ++#define FIPS_DSA_BASE_LENGTH 256 /* 2048-bits */ ++ ++/* Similar to freebl_fips_DSA_PowerUpSelfTest, but using DSA_HashSign() */ ++static SECStatus ++sftk_fips_DSA_PowerUpSelfTest(void) ++{ ++ /* DSA Known P (2048-bits), Q (224-bits), and G (2048-bits) Values. 
*/ ++ static const PRUint8 dsa_P[] = { ++ 0xfe, 0x9f, 0xba, 0xff, 0x39, 0xa6, 0x00, 0x77, ++ 0x93, 0xfe, 0xa4, 0x58, 0x17, 0xf8, 0x37, 0x54, ++ 0x76, 0x39, 0x18, 0xcb, 0xbe, 0xca, 0x62, 0x8b, ++ 0x85, 0xbc, 0x60, 0x23, 0xf4, 0x7a, 0xb5, 0x75, ++ 0x31, 0xf4, 0x82, 0x83, 0x63, 0xc2, 0xdb, 0x8e, ++ 0x50, 0x67, 0xd6, 0xd9, 0xae, 0xa0, 0xd6, 0x13, ++ 0xc2, 0x35, 0x5b, 0x76, 0xf1, 0x00, 0x9c, 0x37, ++ 0xcb, 0x46, 0x3f, 0x6e, 0xef, 0xca, 0xff, 0xcc, ++ 0x1e, 0x15, 0xa1, 0x96, 0x70, 0x4c, 0xc9, 0x4d, ++ 0x7e, 0xde, 0x00, 0x1e, 0x76, 0x68, 0x35, 0x1c, ++ 0x31, 0x25, 0x37, 0x91, 0x98, 0x64, 0x40, 0x4c, ++ 0xf1, 0xc3, 0x0e, 0xf7, 0xf3, 0x16, 0x17, 0x79, ++ 0x7a, 0xa3, 0x11, 0x9a, 0xba, 0x72, 0x67, 0xe9, ++ 0x70, 0xd0, 0x16, 0x6a, 0x1a, 0x53, 0x4e, 0x1b, ++ 0xca, 0xb2, 0x79, 0xd8, 0x8c, 0x60, 0x53, 0xdb, ++ 0x48, 0x1c, 0x00, 0x2e, 0xd3, 0x29, 0x35, 0x14, ++ 0x6d, 0xd6, 0x23, 0x7c, 0x1c, 0xf3, 0x0d, 0x6a, ++ 0x7e, 0xb7, 0x09, 0x7d, 0xf2, 0x06, 0x29, 0x1c, ++ 0x1a, 0xdf, 0xd9, 0xe6, 0xb9, 0x2e, 0xd6, 0xb8, ++ 0xbf, 0xc5, 0xcd, 0xe7, 0xf4, 0xf9, 0x91, 0x38, ++ 0x2f, 0x61, 0xf9, 0xfe, 0xce, 0x16, 0x85, 0xc8, ++ 0xb7, 0xdd, 0x54, 0xe0, 0xa1, 0x54, 0x4f, 0xb3, ++ 0xdb, 0x72, 0xf3, 0xb9, 0xaa, 0xfe, 0x7b, 0xdd, ++ 0x5e, 0x59, 0x44, 0x6c, 0x4a, 0xfe, 0x67, 0x9b, ++ 0xcf, 0x78, 0x05, 0xd4, 0xc8, 0x98, 0xb3, 0x60, ++ 0x46, 0x44, 0x4e, 0x0b, 0xec, 0x19, 0x6c, 0xda, ++ 0xd6, 0x40, 0x3c, 0xd9, 0x96, 0xc8, 0x4a, 0x3b, ++ 0xc9, 0xb5, 0x52, 0x89, 0x2e, 0x68, 0xb9, 0xa0, ++ 0xd3, 0xbc, 0xa8, 0xd7, 0x6a, 0x7d, 0xe1, 0xf4, ++ 0x8c, 0x68, 0x3e, 0xc1, 0x5a, 0xac, 0x46, 0x6d, ++ 0xad, 0xe3, 0x89, 0x7f, 0x92, 0xa6, 0x29, 0xb2, ++ 0xc3, 0x3b, 0x20, 0x5f, 0x71, 0x00, 0x27, 0x87 ++ }; ++ ++ static const PRUint8 dsa_Q[] = { ++ 0xbc, 0xc9, 0xda, 0xca, 0xf9, 0x6b, 0xfa, 0x7e, ++ 0xbd, 0x9b, 0xfb, 0x48, 0x35, 0x1e, 0xe5, 0x8c, ++ 0x64, 0x46, 0xc7, 0x04, 0xb2, 0x44, 0x70, 0x9b, ++ 0x0a, 0x3f, 0x03, 0x01 ++ }; ++ ++ static const PRUint8 dsa_G[] = { ++ 0x5d, 0x23, 0xd1, 0xc5, 0x2e, 0x7e, 0x22, 0x3b, ++ 0x98, 
0x03, 0xc3, 0xc0, 0x9d, 0xbe, 0x8f, 0x68, ++ 0x6b, 0xd0, 0xbf, 0x72, 0x20, 0x89, 0x5c, 0x8f, ++ 0x4c, 0x8e, 0x66, 0xfe, 0x8e, 0xfc, 0x02, 0x21, ++ 0xf3, 0xea, 0xc5, 0x23, 0x96, 0x9b, 0xa4, 0x2e, ++ 0xac, 0x35, 0x9f, 0x70, 0x90, 0x79, 0xd9, 0x42, ++ 0xfa, 0x0e, 0x4c, 0x1f, 0x55, 0xcf, 0x8b, 0xb5, ++ 0x98, 0x71, 0xfa, 0xf1, 0xbc, 0xfd, 0xc7, 0x2b, ++ 0x5a, 0xa6, 0x53, 0x86, 0xf1, 0xa3, 0xd5, 0xbc, ++ 0xad, 0x08, 0x80, 0x23, 0x40, 0xea, 0xc9, 0x2f, ++ 0x58, 0xfb, 0xa9, 0xda, 0x8d, 0xc5, 0xfa, 0x46, ++ 0x0a, 0x0a, 0xe8, 0x03, 0xef, 0x04, 0x53, 0x09, ++ 0xc4, 0x7f, 0x69, 0x59, 0x68, 0xb5, 0x52, 0x91, ++ 0x3d, 0xe1, 0xbc, 0xa0, 0x6b, 0x41, 0xec, 0x07, ++ 0x0b, 0xf5, 0xf5, 0x62, 0xf5, 0xeb, 0xb7, 0x7e, ++ 0xc5, 0x32, 0x3d, 0x1e, 0x03, 0xda, 0x75, 0x24, ++ 0xb6, 0xe5, 0xb9, 0xfd, 0x36, 0x3d, 0xa4, 0xbf, ++ 0xc4, 0xee, 0x3b, 0xb5, 0x14, 0x85, 0x5c, 0x2d, ++ 0x80, 0xb2, 0x55, 0xb6, 0x70, 0x21, 0xf2, 0x94, ++ 0x63, 0xa5, 0xc2, 0x6f, 0xee, 0x34, 0x81, 0xae, ++ 0xc6, 0x0f, 0xf3, 0xef, 0xb4, 0xde, 0xa5, 0x58, ++ 0x6f, 0x57, 0xc1, 0x51, 0x0a, 0xe4, 0x4e, 0xf0, ++ 0xed, 0xee, 0x42, 0xdc, 0xff, 0x4b, 0x14, 0xa3, ++ 0xcc, 0x6e, 0xa8, 0x0c, 0x29, 0x81, 0xdb, 0xce, ++ 0x78, 0x4d, 0x43, 0xe0, 0xe1, 0x60, 0xc8, 0x3e, ++ 0x54, 0x00, 0x29, 0x20, 0x25, 0x40, 0x22, 0xac, ++ 0xfa, 0x75, 0xb1, 0x4e, 0xcc, 0x61, 0x54, 0x27, ++ 0x2c, 0x95, 0xaf, 0x4c, 0x02, 0xa7, 0x55, 0xbd, ++ 0xed, 0xe2, 0x25, 0xfc, 0xba, 0xd2, 0x5b, 0xd7, ++ 0x33, 0xa1, 0xe9, 0xb4, 0x7f, 0x7e, 0xfe, 0xbb, ++ 0xfa, 0x54, 0xce, 0x3c, 0xbc, 0xd1, 0x03, 0x50, ++ 0x9d, 0xa9, 0x38, 0x9a, 0xf8, 0x67, 0xb1, 0xa3 ++ }; ++ /* DSA Known Random Values (known random key block is 224-bits) */ ++ static const PRUint8 dsa_known_random_key_block[] = { ++ "Mozilla Rules World! Always." ++ }; ++ /* DSA Known Digest (224-bits) */ ++ static const PRUint8 dsa_known_digest[] = { "DSA Signature Digest, Longer" }; ++ ++ /* DSA variables. 
*/ ++ DSAPrivateKey *dsa_private_key; ++ SECStatus dsa_status; ++ SECItem dsa_signature_item; ++ SECItem dsa_digest_item; ++ DSAPublicKey dsa_public_key; ++ PRUint8 dsa_computed_signature[FIPS_DSA_SIGNATURE_LENGTH]; ++ static const PQGParams dsa_pqg = { ++ NULL, ++ { FIPS_DSA_TYPE, (unsigned char *)dsa_P, FIPS_DSA_PRIME_LENGTH }, ++ { FIPS_DSA_TYPE, (unsigned char *)dsa_Q, FIPS_DSA_SUBPRIME_LENGTH }, ++ { FIPS_DSA_TYPE, (unsigned char *)dsa_G, FIPS_DSA_BASE_LENGTH } ++ }; ++ NSSLOWKEYPrivateKey lowkey_priv; ++ ++ /******************************************/ ++ /* Generate a DSA public/private key pair */ ++ /******************************************/ ++ ++ /* Generate a DSA public/private key pair. */ ++ dsa_status = DSA_NewKeyFromSeed(&dsa_pqg, dsa_known_random_key_block, ++ &dsa_private_key); ++ ++ if (dsa_status != SECSuccess) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return (SECFailure); ++ } ++ ++ /* construct public key from private key. */ ++ dsa_public_key.params = dsa_private_key->params; ++ dsa_public_key.publicValue = dsa_private_key->publicValue; ++ ++ /*********************************/ ++ /* DSA pairwise consistency test */ ++ /*********************************/ ++ ++ dsa_signature_item.data = dsa_computed_signature; ++ dsa_signature_item.len = sizeof dsa_computed_signature; ++ ++ dsa_digest_item.data = (unsigned char *)dsa_known_digest; ++ dsa_digest_item.len = SHA224_LENGTH; ++ ++ /* Perform DSA signature process. 
*/ ++ lowkey_priv.u.dsa = *dsa_private_key; ++ dsa_status = DSA_HashSign (SEC_OID_SHA224, &lowkey_priv, ++ dsa_signature_item.data, &dsa_signature_item.len, ++ sizeof dsa_computed_signature, ++ dsa_digest_item.data, SHA224_LENGTH); ++ ++ /* Check that operation succeeded and that signature is different from hash */ ++ if ((dsa_status != SECSuccess) || ++ (dsa_signature_item.len != FIPS_DSA_SIGNATURE_LENGTH) || ++ (PORT_Memcmp(dsa_computed_signature, dsa_known_digest, ++ PR_MIN (FIPS_DSA_SIGNATURE_LENGTH, FIPS_DSA_DIGEST_LENGTH)) == 0)) { ++ dsa_status = SECFailure; ++ } else { ++ /* Perform DSA verification process. */ ++ dsa_status = DSA_VerifyDigest(&dsa_public_key, ++ &dsa_signature_item, ++ &dsa_digest_item); ++ } ++ ++ PORT_FreeArena(dsa_private_key->params.arena, PR_TRUE); ++ /* Don't free public key, it uses same arena as private key */ ++ ++ /* Verify DSA signature. */ ++ if (dsa_status != SECSuccess) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++ } ++ ++ return (SECSuccess); ++} ++ ++#define FIPS_ECDSA_DIGEST_LENGTH 28 /* 224-bits */ ++#define FIPS_ECDSA_SIGNATURE_LENGTH 64 /* 512-bits */ ++ ++/* Similar to freebl_fips_ECDSA_PowerUpSelfTest, but using ECDSA_HashSign() */ ++static SECStatus ++sftk_fips_ECDSA_PowerUpSelfTest(void) ++{ ++ /* EC Known curve nistp256 == ECCCurve_X9_62_PRIME_256V1 params */ ++ static const unsigned char p256_prime[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF ++ }; ++ static const unsigned char p256_a[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC ++ }; ++ static const unsigned char p256_b[] = { ++ 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, 0x76, ++ 0x98, 0x86, 
0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE, ++ 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B ++ }; ++ static const unsigned char p256_base[] = { ++ 0x04, ++ 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, 0x63, ++ 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, ++ 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, ++ 0x4F, 0xE3, 0x42, 0xE2, 0xFE, 0x1A, 0x7F, 0x9B, 0x8E, 0xE7, 0xEB, 0x4A, 0x7C, ++ 0x0F, 0x9E, 0x16, 0x2B, 0xCE, 0x33, 0x57, 0x6B, 0x31, 0x5E, 0xCE, 0xCB, 0xB6, ++ 0x40, 0x68, 0x37, 0xBF, 0x51, 0xF5 ++ }; ++ static const unsigned char p256_order[] = { ++ 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, ++ 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 ++ }; ++ static const unsigned char p256_encoding[] = { ++ 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 ++ }; ++ static ECParams ec_known_P256_Params = { ++ NULL, ec_params_named, /* arena, type */ ++ /* fieldID */ ++ { 256, ec_field_GFp, /* size and type */ ++ { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */ ++ 0, ++ 0, ++ 0 }, ++ /* curve */ ++ { /* a = curvea b = curveb */ ++ /* curve.a */ ++ { siBuffer, (unsigned char *)p256_a, sizeof(p256_a) }, ++ /* curve.b */ ++ { siBuffer, (unsigned char *)p256_b, sizeof(p256_b) }, ++ /* curve.seed */ ++ { siBuffer, NULL, 0 } }, ++ /* base = 04xy*/ ++ { siBuffer, (unsigned char *)p256_base, sizeof(p256_base) }, ++ /* order */ ++ { siBuffer, (unsigned char *)p256_order, sizeof(p256_order) }, ++ 1, /* cofactor */ ++ /* DEREncoding */ ++ { siBuffer, (unsigned char *)p256_encoding, sizeof(p256_encoding) }, ++ ECCurve_X9_62_PRIME_256V1, ++ /* curveOID */ ++ { siBuffer, (unsigned char *)(p256_encoding) + 2, sizeof(p256_encoding) - 2 }, ++ }; ++ /* ECDSA Known Seed info for curves nistp256 and nistk283 */ ++ static const PRUint8 ecdsa_Known_Seed[] = { ++ 0x6a, 0x9b, 0xf6, 0xf7, 
0xce, 0xed, 0x79, 0x11, ++ 0xf0, 0xc7, 0xc8, 0x9a, 0xa5, 0xd1, 0x57, 0xb1, ++ 0x7b, 0x5a, 0x3b, 0x76, 0x4e, 0x7b, 0x7c, 0xbc, ++ 0xf2, 0x76, 0x1c, 0x1c, 0x7f, 0xc5, 0x53, 0x2f ++ }; ++ /* ECDSA Known Digest (224-bits) */ ++ static const PRUint8 ecdsa_known_digest[] = { "ECDSA Signature Digest, Longer" }; ++ /* ECDSA variables. */ ++ ECPrivateKey *ecdsa_private_key; ++ SECStatus ecdsa_status; ++ SECItem ecdsa_signature_item; ++ SECItem ecdsa_digest_item; ++ ECPublicKey ecdsa_public_key; ++ PRUint8 ecdsa_computed_signature[2 * MAX_ECKEY_LEN]; ++ NSSLOWKEYPrivateKey lowkey_priv; ++ ++ /*********************************************/ ++ /* Generate an ECDSA public/private key pair */ ++ /*********************************************/ ++ ++ ecdsa_status = EC_NewKeyFromSeed(&ec_known_P256_Params, ++ &ecdsa_private_key, ++ ecdsa_Known_Seed, ++ sizeof (ecdsa_Known_Seed)); ++ ++ if (ecdsa_status != SECSuccess) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return (SECFailure); ++ } ++ ++ /* Construct public key from private key. */ ++ ecdsa_public_key.ecParams = ecdsa_private_key->ecParams; ++ ecdsa_public_key.publicValue = ecdsa_private_key->publicValue; ++ ++ /* Validate public key value. */ ++ ecdsa_status = EC_ValidatePublicKey(&ecdsa_public_key.ecParams, ++ &ecdsa_public_key.publicValue); ++ if (ecdsa_status != SECSuccess) { ++ goto loser; ++ } ++ ++ /***********************************/ ++ /* ECDSA pairwise consistency test */ ++ /***********************************/ ++ ++ ecdsa_signature_item.data = ecdsa_computed_signature; ++ ecdsa_signature_item.len = sizeof ecdsa_computed_signature; ++ ++ ecdsa_digest_item.data = (unsigned char *)ecdsa_known_digest; ++ ecdsa_digest_item.len = SHA224_LENGTH; ++ ++ /* Perform ECDSA signature process. 
*/ ++ lowkey_priv.u.ec = *ecdsa_private_key; ++ ecdsa_status = ECDSA_HashSign (SEC_OID_SHA224, &lowkey_priv, ++ ecdsa_signature_item.data, &ecdsa_signature_item.len, ++ sizeof ecdsa_computed_signature, ++ ecdsa_digest_item.data, SHA224_LENGTH); ++ ++ /* Check that operation succeeded and that signature is different from hash */ ++ if ((ecdsa_status != SECSuccess) || ++ (ecdsa_signature_item.len != FIPS_ECDSA_SIGNATURE_LENGTH) || ++ (PORT_Memcmp(ecdsa_computed_signature, ecdsa_known_digest, ++ PR_MIN (FIPS_ECDSA_SIGNATURE_LENGTH, FIPS_ECDSA_DIGEST_LENGTH)) == 0)) { ++ ecdsa_status = SECFailure; ++ } else { ++ /* Perform ECDSA verification process. */ ++ ecdsa_status = ECDSA_VerifyDigest(&ecdsa_public_key, ++ &ecdsa_signature_item, ++ &ecdsa_digest_item); ++ } ++ ++loser: ++ /* Free the memory for the private key arena */ ++ PORT_FreeArena(ecdsa_private_key->ecParams.arena, PR_FALSE); ++ ++ if (ecdsa_status != SECSuccess) { ++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); ++ return SECFailure; ++ } ++ ++ return (SECSuccess); ++} ++ + static PRBool sftk_self_tests_ran = PR_FALSE; + static PRBool sftk_self_tests_success = PR_FALSE; + +@@ -694,7 +1015,6 @@ void + sftk_startup_tests_with_rerun(PRBool rerun) + { + SECStatus rv; +- const char *libraryName = rerun ? BLAPI_FIPS_RERUN_FLAG_STRING SOFTOKEN_LIB_NAME : SOFTOKEN_LIB_NAME; + + PORT_Assert(!sftk_self_tests_ran); + PORT_Assert(!sftk_self_tests_success); +@@ -706,6 +1026,7 @@ sftk_startup_tests_with_rerun(PRBool rer + if (rv != SECSuccess) { + return; + } ++ + /* make sure freebl is initialized, or our RSA check + * may fail. This is normally done at freebl load time, but it's + * possible we may have shut freebl down without unloading it. 
*/ +@@ -723,12 +1044,21 @@ sftk_startup_tests_with_rerun(PRBool rer + if (rv != SECSuccess) { + return; + } +- if (!BLAPI_SHVerify(libraryName, +- (PRFuncPtr)&sftk_fips_RSA_PowerUpSelfTest)) { +- /* something is wrong with the library, fail without enabling +- * the token */ ++ ++ /* check the DSA combined functions in softoken */ ++ rv = sftk_fips_DSA_PowerUpSelfTest(); ++ if (rv != SECSuccess) { + return; + } ++ ++ /* check the ECDSA combined functions in softoken */ ++ rv = sftk_fips_ECDSA_PowerUpSelfTest(); ++ if (rv != SECSuccess) { ++ return; ++ } ++ ++ /* Checksum is done by fips_initTestSoftoken() in fips.c */ ++ + rv = sftk_fips_IKE_PowerUpSelfTests(); + if (rv != SECSuccess) { + return; +@@ -766,17 +1096,10 @@ sftk_startup_tests(void) + CK_RV + sftk_FIPSEntryOK(PRBool rerun) + { +-#ifdef NSS_NO_INIT_SUPPORT +- /* this should only be set on platforms that can't handle one of the INIT +- * schemes. This code allows those platforms to continue to function, +- * though they don't meet the strict NIST requirements. 
If NSS_NO_INIT_SUPPORT +- * is not set, and init support has not been properly enabled, softken +- * will always fail because of the test below +- */ ++ /* For platforms that don't support on-load constructors */ + if (!sftk_self_tests_ran) { + sftk_startup_tests(); + } +-#endif + if (rerun) { + sftk_self_tests_ran = PR_FALSE; + sftk_self_tests_success = PR_FALSE; +@@ -787,6 +1110,17 @@ sftk_FIPSEntryOK(PRBool rerun) + } + return CKR_OK; + } ++ ++void fips_repeatTestSoftoken(void); ++ ++void ++sftk_FIPSRepeatIntegrityCheck() ++{ ++ /* These will abort if the checksum fails in FIPS mode */ ++ BL_FIPSRepeatIntegrityCheck(); ++ fips_repeatTestSoftoken(); ++} ++ + #else + #include "pkcs11t.h" + CK_RV +Index: nss/lib/softoken/legacydb/fips.c +=================================================================== +--- /dev/null ++++ nss/lib/softoken/legacydb/fips.c +@@ -0,0 +1,25 @@ ++#include "../../freebl/fips-selftest.inc" ++ ++#include "fips.h" ++ ++/*** private per-module symbols ***/ ++ ++/* crypto algorithms selftest wrapper */ ++static fips_check_status ++fips_checkCryptoDbm(void) ++{ ++ /* no checks in dbm */ ++ return CHECK_OK; ++} ++ ++/* constructor - load-time selfchecks */ ++static void __attribute__ ((constructor)) ++fips_initTestDbm(void) ++{ ++ fips_state = fips_initTest("nssdbm", (PRFuncPtr)fips_checkCryptoDbm, NULL); ++ ++ return; ++} ++ ++/*** public per-module symbols ***/ ++ +Index: nss/lib/softoken/legacydb/fips.h +=================================================================== +--- /dev/null ++++ nss/lib/softoken/legacydb/fips.h +@@ -0,0 +1,5 @@ ++#ifndef FIPS_H ++#define FIPS_H ++ ++#endif ++ +Index: nss/lib/softoken/legacydb/lgfips.c +=================================================================== +--- nss.orig/lib/softoken/legacydb/lgfips.c ++++ nss/lib/softoken/legacydb/lgfips.c +@@ -91,7 +91,7 @@ lg_startup_tests(void) + + /* no self tests required for the legacy db, only the integrity check */ + /* check the integrity of our shared 
library */ +- if (!BLAPI_SHVerify(libraryName, (PRFuncPtr)&lg_local_function)) { ++ if (!BLAPI_SHVerify(libraryName, (PRFuncPtr)&lg_local_function, NULL)) { + /* something is wrong with the library, fail without enabling + * the fips token */ + return; +Index: nss/lib/softoken/legacydb/manifest.mn +=================================================================== +--- nss.orig/lib/softoken/legacydb/manifest.mn ++++ nss/lib/softoken/legacydb/manifest.mn +@@ -12,7 +12,7 @@ LIBRARY_NAME = nssdbm + LIBRARY_VERSION = 3 + MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def + +-DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DLG_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" ++DEFINES += -DSHLIB_SUFFIX=\"$(DLL_SUFFIX)\" -DSHLIB_PREFIX=\"$(DLL_PREFIX)\" -DLG_LIB_NAME=\"$(notdir $(SHARED_LIBRARY))\" -DSHLIB_VERSION=\"$(LIBRARY_VERSION)\" + + CSRCS = \ + dbmshim.c \ +@@ -28,5 +28,6 @@ CSRCS = \ + lowkey.c \ + pcertdb.c \ + pk11db.c \ ++ fips.c \ + $(NULL) + +Index: nss/lib/softoken/manifest.mn +=================================================================== +--- nss.orig/lib/softoken/manifest.mn ++++ nss/lib/softoken/manifest.mn +@@ -22,6 +22,7 @@ endif + EXPORTS = \ + lowkeyi.h \ + lowkeyti.h \ ++ fips.h \ + $(NULL) + + PRIVATE_EXPORTS = \ +@@ -55,6 +56,7 @@ CSRCS = \ + softkver.c \ + tlsprf.c \ + jpakesftk.c \ ++ fips.c \ + $(NULL) + + ifndef NSS_DISABLE_DBM +Index: nss/lib/softoken/softoken.h +=================================================================== +--- nss.orig/lib/softoken/softoken.h ++++ nss/lib/softoken/softoken.h +@@ -59,6 +59,9 @@ extern unsigned char *CBC_PadBuffer(PLAr + /* make sure Power-up selftests have been run. */ + extern CK_RV sftk_FIPSEntryOK(PRBool rerun); + ++/* Unconditionally run the crypto self-tests. 
*/ ++extern PRBool sftk_FIPSRunTests(); ++ + /* + ** make known fixed PKCS #11 key types to their sizes in bytes + */ +Index: nss/lib/freebl/ldvector.c +=================================================================== +--- nss.orig/lib/freebl/ldvector.c ++++ nss/lib/freebl/ldvector.c +@@ -375,9 +375,12 @@ static const struct FREEBLVectorStr vect + /* End of version 3.024 */ + ChaCha20_InitContext, + ChaCha20_CreateContext, +- ChaCha20_DestroyContext ++ ChaCha20_DestroyContext, + + /* End of version 3.025 */ ++ ++ /* SUSE patch: Goes last */ ++ BL_FIPSRepeatIntegrityCheck + }; + + const FREEBLVector* +Index: nss/lib/softoken/softokn.def +=================================================================== +--- nss.orig/lib/softoken/softokn.def ++++ nss/lib/softoken/softokn.def +@@ -34,6 +34,7 @@ NSC_GetInterfaceList; + C_GetInterface; + FC_GetInterface; + NSC_GetInterface; ++sftk_FIPSRepeatIntegrityCheck; + ;+ local: + ;+ *; + ;+}; diff --git a/nss-fips-detect-fips-mode-fixes.patch b/nss-fips-detect-fips-mode-fixes.patch new file mode 100644 index 0000000..957732a --- /dev/null +++ b/nss-fips-detect-fips-mode-fixes.patch 
@@ -0,0 +1,93 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1584305671 -3600 +# Sun Mar 15 21:54:31 2020 +0100 +# Node ID 715834d4a258c535f3abbf116d69d5e77392593b +# Parent 4ddd7d49eeed4ea32850daf41a472ccb50dee45e +commit facacdb9078693d7a4219e84f73ea7b8f977ddc2 +Author: Hans Petter Jansson + Patch 32: nss-fips-detect-fips-mode-fixes.patch + +Index: nss/lib/freebl/nsslowhash.c +=================================================================== +--- nss.orig/lib/freebl/nsslowhash.c ++++ nss/lib/freebl/nsslowhash.c +@@ -2,9 +2,13 @@ + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + ++#define _GNU_SOURCE 1 ++#include ++ + #ifdef FREEBL_NO_DEPEND + #include "stubs.h" + #endif ++ + #include "prtypes.h" + #include "prenv.h" + #include "secerr.h" +@@ -25,6 +29,23 @@ struct NSSLOWHASHContextStr { + }; + + #ifndef NSS_FIPS_DISABLED ++ ++static PRBool ++getFIPSEnv(void) ++{ ++ char *fipsEnv = secure_getenv("NSS_FIPS"); ++ if (!fipsEnv) { ++ return PR_FALSE; ++ } ++ if ((strcasecmp(fipsEnv, "fips") == 0) || ++ (strcasecmp(fipsEnv, "true") == 0) || ++ (strcasecmp(fipsEnv, "on") == 0) || ++ (strcasecmp(fipsEnv, "1") == 0)) { ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ + static int + nsslow_GetFIPSEnabled(void) + { +@@ -52,6 +73,7 @@ nsslow_GetFIPSEnabled(void) + #endif /* LINUX */ + return 1; + } ++ + #endif /* NSS_FIPS_DISABLED */ + + static NSSLOWInitContext dummyContext = { 0 }; +@@ -67,7 +89,7 @@ NSSLOW_Init(void) + #ifndef NSS_FIPS_DISABLED + /* make sure the FIPS product is installed if we are trying to + * go into FIPS mode */ +- if (nsslow_GetFIPSEnabled()) { ++ if (nsslow_GetFIPSEnabled() || getFIPSEnv()) { + if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + post_failed = PR_TRUE; +Index: nss/lib/sysinit/nsssysinit.c +=================================================================== +--- 
nss.orig/lib/sysinit/nsssysinit.c ++++ nss/lib/sysinit/nsssysinit.c +@@ -178,16 +178,16 @@ getFIPSMode(void) + f = fopen("/proc/sys/crypto/fips_enabled", "r"); + if (!f) { + /* if we don't have a proc flag, fall back to the +- * environment variable */ ++ * environment variable */ + return getFIPSEnv(); + } + + size = fread(&d, 1, 1, f); + fclose(f); + if (size != 1) +- return PR_FALSE; ++ return getFIPSEnv(); + if (d != '1') +- return PR_FALSE; ++ return getFIPSEnv(); + return PR_TRUE; + #else + return PR_FALSE; diff --git a/nss-fips-drbg-libjitter.patch b/nss-fips-drbg-libjitter.patch new file mode 100644 index 0000000..548539b --- /dev/null +++ b/nss-fips-drbg-libjitter.patch 
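Review bot: In getFIPSMode() in nsssysinit.c the two changed returns make NSS_FIPS an additive override — a missing, unreadable or '0' /proc flag now defers to the environment while a '1' flag still wins — and that asymmetry deserves a comment, e.g. `/* NSS_FIPS may turn FIPS mode on when the kernel flag is absent or off; it can never turn it off. */`. The two tail checks can also collapse to `return (size == 1 && d == '1') ? PR_TRUE : getFIPSEnv();`. In nsslowhash.c the new getFIPSEnv() relies on glibc's secure_getenv (hence the `_GNU_SOURCE` define) but sits under `#ifndef NSS_FIPS_DISABLED` only, whereas the neighbouring nsslow_GetFIPSEnabled() is visibly LINUX-conditional; consider the same guard or a comment stating the glibc dependency. The header names on the added `#include` lines appear to have been lost in rendering, so I cannot confirm that `strings.h` (for strcasecmp) is among them.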
@@ -0,0 +1,111 @@ +Index: nss/coreconf/Linux.mk +=================================================================== +--- nss.orig/coreconf/Linux.mk ++++ nss/coreconf/Linux.mk +@@ -136,7 +136,7 @@ OS_CFLAGS = $(DSO_CFLAGS) $(OS_REL_CFLA + ifeq ($(KERNEL),Linux) + OS_CFLAGS += -DLINUX -Dlinux + endif +-OS_LIBS = $(OS_PTHREAD) -ldl -lc ++OS_LIBS = $(OS_PTHREAD) -ldl -lc -ljitterentropy + + ifeq ($(OS_TARGET),Android) + OS_LIBS += -llog +Index: nss/lib/freebl/drbg.c +=================================================================== +--- nss.orig/lib/freebl/drbg.c ++++ nss/lib/freebl/drbg.c +@@ -6,6 +6,8 @@ + #include "stubs.h" + #endif + ++#include ++ + #include + + #include "prerror.h" +@@ -107,6 +109,45 @@ typedef struct RNGContextStr RNGContext; + static RNGContext *globalrng = NULL; + static RNGContext theGlobalRng; + ++/* Jitterentropy */ ++#define JITTER_FLAGS JENT_FORCE_FIPS ++static struct rand_data *jitter; ++ ++static ssize_t ++FIPS_jent_get_entropy (void *dest, ssize_t len) ++{ ++ int result = -1; ++ ++ /* Ensure that the jitterentropy generator is initialized */ ++ ++ if (!jitter) ++ { ++ if (jent_entropy_init_ex (1, JITTER_FLAGS)) ++ goto out; ++ ++ jitter = jent_entropy_collector_alloc (1, JITTER_FLAGS); ++ if (!jitter) ++ goto out; ++ } ++ ++ /* Get some entropy */ ++ ++ result = jent_read_entropy_safe (&jitter, dest, len); ++ ++out: ++ return result; ++} ++ ++static void ++FIPS_jent_deinit (void) ++{ ++ if (jitter) ++ { ++ jent_entropy_collector_free (jitter); ++ jitter = NULL; ++ } ++} ++ + /* + * The next several functions are derived from the NIST SP 800-90 + * spec. 
In these functions, an attempt was made to use names consistent +@@ -180,7 +221,7 @@ static PRCallOnceType coRNGInitEntropy; + static PRStatus + prng_initEntropy(void) + { +- size_t length; ++ ssize_t length; + PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE]; + SHA256Context ctx; + +@@ -203,8 +244,8 @@ prng_initEntropy(void) + /* For FIPS 140-2 4.9.2 continuous random number generator test, + * fetch the initial entropy from the system RNG and keep it for + * later comparison. */ +- length = RNG_SystemRNG(block, sizeof(block)); +- if (length == 0) { ++ length = FIPS_jent_get_entropy(block, sizeof(block)); ++ if (length < 1) { + coRNGInitEntropy.status = PR_FAILURE; + __sync_synchronize (); + coRNGInitEntropy.initialized = 1; +@@ -244,8 +285,8 @@ prng_getEntropy(PRUint8 *buffer, size_t + * iteratively fetch fixed sized blocks from the system and + * compare consecutive blocks. */ + while (total < requestLength) { +- size_t length = RNG_SystemRNG(block, sizeof(block)); +- if (length == 0) { ++ ssize_t length = FIPS_jent_get_entropy(block, sizeof(block)); ++ if (length < 1) { + rv = SECFailure; /* error is already set */ + goto out; + } +@@ -792,6 +833,7 @@ RNG_RNGShutdown(void) + /* clear */ + prng_freeRNGContext(globalrng); + globalrng = NULL; ++ FIPS_jent_deinit (); + /* reset the callonce struct to allow a new call to RNG_RNGInit() */ + coRNGInit = pristineCallOnce; + } diff --git a/nss-fips-dsa-kat.patch b/nss-fips-dsa-kat.patch new file mode 100644 index 0000000..e3c6503 --- /dev/null +++ b/nss-fips-dsa-kat.patch 
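Review bot: FIPS_jent_get_entropy() returns -1 on every failure path but never sets an NSS error, yet the unchanged `rv = SECFailure; /* error is already set */` line in prng_getEntropy() still assumes the replaced RNG_SystemRNG() did so; add `PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);` before `return result;` when `result < 0` so callers see a meaningful error. The new `length < 1` checks in prng_initEntropy() and prng_getEntropy() accept a short read; if jent_read_entropy_safe() can return fewer than `len` bytes, the continuous-test comparison that follows (outside the hunk) would operate on a partially filled block, so compare against the full size: `if (length != (ssize_t)sizeof(block)) {`. The lazy allocation of the static `jitter` collector has no visible synchronization; prng_initEntropy() runs under a call-once, but if prng_getEntropy() can be entered by several threads without the RNG lock, two threads may both allocate and leak a collector — a comment naming the lock that protects it would settle this. Note also that coreconf/Linux.mk appends `-ljitterentropy` to OS_LIBS for every Linux link target, not only freebl.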
@@ -0,0 +1,210 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1505605677 -7200 +# Sun Sep 17 01:47:57 2017 +0200 +# Node ID 4ae6bed68a83c01f6d2ce7a37bdb0bdb0556416f +# Parent 5e191a391c38967e49a1d005800713ccd1010b09 +[PATCH 2/6] Make DSA KAT FIPS compliant (1024 -> 2048 bit key). +From b88701933a284ba8640df66b954c04d36ee592c9 Mon Sep 17 00:00:00 2001 +--- + nss/lib/freebl/dsa.c | 2 +- + nss/lib/freebl/fipsfreebl.c | 143 +++++++++++++++++++++++++++----------------- + 2 files changed, 90 insertions(+), 55 deletions(-) + +Index: nss/lib/freebl/dsa.c +=================================================================== +--- nss.orig/lib/freebl/dsa.c ++++ nss/lib/freebl/dsa.c +@@ -536,7 +536,7 @@ DSA_SignDigest(DSAPrivateKey *key, SECIt + return rv; + } + +-/* For FIPS compliance testing. Seed must be exactly 20 bytes. */ ++/* For FIPS compliance testing. Seed must be the same size as subprime. */ + SECStatus + DSA_SignDigestWithSeed(DSAPrivateKey *key, + SECItem *signature, +Index: nss/lib/freebl/fipsfreebl.c +=================================================================== +--- nss.orig/lib/freebl/fipsfreebl.c ++++ nss/lib/freebl/fipsfreebl.c +@@ -127,11 +127,11 @@ DllMain( + + /* FIPS preprocessor directives for DSA. */ + #define FIPS_DSA_TYPE siBuffer +-#define FIPS_DSA_DIGEST_LENGTH 20 /* 160-bits */ +-#define FIPS_DSA_SUBPRIME_LENGTH 20 /* 160-bits */ +-#define FIPS_DSA_SIGNATURE_LENGTH 40 /* 320-bits */ +-#define FIPS_DSA_PRIME_LENGTH 128 /* 1024-bits */ +-#define FIPS_DSA_BASE_LENGTH 128 /* 1024-bits */ ++#define FIPS_DSA_DIGEST_LENGTH 28 /* 224-bits */ ++#define FIPS_DSA_SUBPRIME_LENGTH 28 /* 224-bits */ ++#define FIPS_DSA_SIGNATURE_LENGTH 56 /* 448-bits */ ++#define FIPS_DSA_PRIME_LENGTH 256 /* 2048-bits */ ++#define FIPS_DSA_BASE_LENGTH 256 /* 2048-bits */ + + /* FIPS preprocessor directives for RNG. 
*/ + #define FIPS_RNG_XKEY_LENGTH 32 /* 256-bits */ +@@ -1669,70 +1669,105 @@ freebl_fips_EC_PowerUpSelfTest() + static SECStatus + freebl_fips_DSA_PowerUpSelfTest(void) + { +- /* DSA Known P (1024-bits), Q (160-bits), and G (1024-bits) Values. */ ++ /* DSA Known P (2048-bits), Q (224-bits), and G (2048-bits) Values. */ + static const PRUint8 dsa_P[] = { +- 0x80, 0xb0, 0xd1, 0x9d, 0x6e, 0xa4, 0xf3, 0x28, +- 0x9f, 0x24, 0xa9, 0x8a, 0x49, 0xd0, 0x0c, 0x63, +- 0xe8, 0x59, 0x04, 0xf9, 0x89, 0x4a, 0x5e, 0xc0, +- 0x6d, 0xd2, 0x67, 0x6b, 0x37, 0x81, 0x83, 0x0c, +- 0xfe, 0x3a, 0x8a, 0xfd, 0xa0, 0x3b, 0x08, 0x91, +- 0x1c, 0xcb, 0xb5, 0x63, 0xb0, 0x1c, 0x70, 0xd0, +- 0xae, 0xe1, 0x60, 0x2e, 0x12, 0xeb, 0x54, 0xc7, +- 0xcf, 0xc6, 0xcc, 0xae, 0x97, 0x52, 0x32, 0x63, +- 0xd3, 0xeb, 0x55, 0xea, 0x2f, 0x4c, 0xd5, 0xd7, +- 0x3f, 0xda, 0xec, 0x49, 0x27, 0x0b, 0x14, 0x56, +- 0xc5, 0x09, 0xbe, 0x4d, 0x09, 0x15, 0x75, 0x2b, +- 0xa3, 0x42, 0x0d, 0x03, 0x71, 0xdf, 0x0f, 0xf4, +- 0x0e, 0xe9, 0x0c, 0x46, 0x93, 0x3d, 0x3f, 0xa6, +- 0x6c, 0xdb, 0xca, 0xe5, 0xac, 0x96, 0xc8, 0x64, +- 0x5c, 0xec, 0x4b, 0x35, 0x65, 0xfc, 0xfb, 0x5a, +- 0x1b, 0x04, 0x1b, 0xa1, 0x0e, 0xfd, 0x88, 0x15 ++ 0xfe, 0x9f, 0xba, 0xff, 0x39, 0xa6, 0x00, 0x77, ++ 0x93, 0xfe, 0xa4, 0x58, 0x17, 0xf8, 0x37, 0x54, ++ 0x76, 0x39, 0x18, 0xcb, 0xbe, 0xca, 0x62, 0x8b, ++ 0x85, 0xbc, 0x60, 0x23, 0xf4, 0x7a, 0xb5, 0x75, ++ 0x31, 0xf4, 0x82, 0x83, 0x63, 0xc2, 0xdb, 0x8e, ++ 0x50, 0x67, 0xd6, 0xd9, 0xae, 0xa0, 0xd6, 0x13, ++ 0xc2, 0x35, 0x5b, 0x76, 0xf1, 0x00, 0x9c, 0x37, ++ 0xcb, 0x46, 0x3f, 0x6e, 0xef, 0xca, 0xff, 0xcc, ++ 0x1e, 0x15, 0xa1, 0x96, 0x70, 0x4c, 0xc9, 0x4d, ++ 0x7e, 0xde, 0x00, 0x1e, 0x76, 0x68, 0x35, 0x1c, ++ 0x31, 0x25, 0x37, 0x91, 0x98, 0x64, 0x40, 0x4c, ++ 0xf1, 0xc3, 0x0e, 0xf7, 0xf3, 0x16, 0x17, 0x79, ++ 0x7a, 0xa3, 0x11, 0x9a, 0xba, 0x72, 0x67, 0xe9, ++ 0x70, 0xd0, 0x16, 0x6a, 0x1a, 0x53, 0x4e, 0x1b, ++ 0xca, 0xb2, 0x79, 0xd8, 0x8c, 0x60, 0x53, 0xdb, ++ 0x48, 0x1c, 0x00, 0x2e, 0xd3, 0x29, 0x35, 0x14, ++ 0x6d, 
0xd6, 0x23, 0x7c, 0x1c, 0xf3, 0x0d, 0x6a, ++ 0x7e, 0xb7, 0x09, 0x7d, 0xf2, 0x06, 0x29, 0x1c, ++ 0x1a, 0xdf, 0xd9, 0xe6, 0xb9, 0x2e, 0xd6, 0xb8, ++ 0xbf, 0xc5, 0xcd, 0xe7, 0xf4, 0xf9, 0x91, 0x38, ++ 0x2f, 0x61, 0xf9, 0xfe, 0xce, 0x16, 0x85, 0xc8, ++ 0xb7, 0xdd, 0x54, 0xe0, 0xa1, 0x54, 0x4f, 0xb3, ++ 0xdb, 0x72, 0xf3, 0xb9, 0xaa, 0xfe, 0x7b, 0xdd, ++ 0x5e, 0x59, 0x44, 0x6c, 0x4a, 0xfe, 0x67, 0x9b, ++ 0xcf, 0x78, 0x05, 0xd4, 0xc8, 0x98, 0xb3, 0x60, ++ 0x46, 0x44, 0x4e, 0x0b, 0xec, 0x19, 0x6c, 0xda, ++ 0xd6, 0x40, 0x3c, 0xd9, 0x96, 0xc8, 0x4a, 0x3b, ++ 0xc9, 0xb5, 0x52, 0x89, 0x2e, 0x68, 0xb9, 0xa0, ++ 0xd3, 0xbc, 0xa8, 0xd7, 0x6a, 0x7d, 0xe1, 0xf4, ++ 0x8c, 0x68, 0x3e, 0xc1, 0x5a, 0xac, 0x46, 0x6d, ++ 0xad, 0xe3, 0x89, 0x7f, 0x92, 0xa6, 0x29, 0xb2, ++ 0xc3, 0x3b, 0x20, 0x5f, 0x71, 0x00, 0x27, 0x87 + }; + + static const PRUint8 dsa_Q[] = { +- 0xad, 0x22, 0x59, 0xdf, 0xe5, 0xec, 0x4c, 0x6e, +- 0xf9, 0x43, 0xf0, 0x4b, 0x2d, 0x50, 0x51, 0xc6, +- 0x91, 0x99, 0x8b, 0xcf ++ 0xbc, 0xc9, 0xda, 0xca, 0xf9, 0x6b, 0xfa, 0x7e, ++ 0xbd, 0x9b, 0xfb, 0x48, 0x35, 0x1e, 0xe5, 0x8c, ++ 0x64, 0x46, 0xc7, 0x04, 0xb2, 0x44, 0x70, 0x9b, ++ 0x0a, 0x3f, 0x03, 0x01 + }; + + static const PRUint8 dsa_G[] = { +- 0x78, 0x6e, 0xa9, 0xd8, 0xcd, 0x4a, 0x85, 0xa4, +- 0x45, 0xb6, 0x6e, 0x5d, 0x21, 0x50, 0x61, 0xf6, +- 0x5f, 0xdf, 0x5c, 0x7a, 0xde, 0x0d, 0x19, 0xd3, +- 0xc1, 0x3b, 0x14, 0xcc, 0x8e, 0xed, 0xdb, 0x17, +- 0xb6, 0xca, 0xba, 0x86, 0xa9, 0xea, 0x51, 0x2d, +- 0xc1, 0xa9, 0x16, 0xda, 0xf8, 0x7b, 0x59, 0x8a, +- 0xdf, 0xcb, 0xa4, 0x67, 0x00, 0x44, 0xea, 0x24, +- 0x73, 0xe5, 0xcb, 0x4b, 0xaf, 0x2a, 0x31, 0x25, +- 0x22, 0x28, 0x3f, 0x16, 0x10, 0x82, 0xf7, 0xeb, +- 0x94, 0x0d, 0xdd, 0x09, 0x22, 0x14, 0x08, 0x79, +- 0xba, 0x11, 0x0b, 0xf1, 0xff, 0x2d, 0x67, 0xac, +- 0xeb, 0xb6, 0x55, 0x51, 0x69, 0x97, 0xa7, 0x25, +- 0x6b, 0x9c, 0xa0, 0x9b, 0xd5, 0x08, 0x9b, 0x27, +- 0x42, 0x1c, 0x7a, 0x69, 0x57, 0xe6, 0x2e, 0xed, +- 0xa9, 0x5b, 0x25, 0xe8, 0x1f, 0xd2, 0xed, 0x1f, +- 0xdf, 0xe7, 0x80, 0x17, 0xba, 
0x0d, 0x4d, 0x38 ++ 0x5d, 0x23, 0xd1, 0xc5, 0x2e, 0x7e, 0x22, 0x3b, ++ 0x98, 0x03, 0xc3, 0xc0, 0x9d, 0xbe, 0x8f, 0x68, ++ 0x6b, 0xd0, 0xbf, 0x72, 0x20, 0x89, 0x5c, 0x8f, ++ 0x4c, 0x8e, 0x66, 0xfe, 0x8e, 0xfc, 0x02, 0x21, ++ 0xf3, 0xea, 0xc5, 0x23, 0x96, 0x9b, 0xa4, 0x2e, ++ 0xac, 0x35, 0x9f, 0x70, 0x90, 0x79, 0xd9, 0x42, ++ 0xfa, 0x0e, 0x4c, 0x1f, 0x55, 0xcf, 0x8b, 0xb5, ++ 0x98, 0x71, 0xfa, 0xf1, 0xbc, 0xfd, 0xc7, 0x2b, ++ 0x5a, 0xa6, 0x53, 0x86, 0xf1, 0xa3, 0xd5, 0xbc, ++ 0xad, 0x08, 0x80, 0x23, 0x40, 0xea, 0xc9, 0x2f, ++ 0x58, 0xfb, 0xa9, 0xda, 0x8d, 0xc5, 0xfa, 0x46, ++ 0x0a, 0x0a, 0xe8, 0x03, 0xef, 0x04, 0x53, 0x09, ++ 0xc4, 0x7f, 0x69, 0x59, 0x68, 0xb5, 0x52, 0x91, ++ 0x3d, 0xe1, 0xbc, 0xa0, 0x6b, 0x41, 0xec, 0x07, ++ 0x0b, 0xf5, 0xf5, 0x62, 0xf5, 0xeb, 0xb7, 0x7e, ++ 0xc5, 0x32, 0x3d, 0x1e, 0x03, 0xda, 0x75, 0x24, ++ 0xb6, 0xe5, 0xb9, 0xfd, 0x36, 0x3d, 0xa4, 0xbf, ++ 0xc4, 0xee, 0x3b, 0xb5, 0x14, 0x85, 0x5c, 0x2d, ++ 0x80, 0xb2, 0x55, 0xb6, 0x70, 0x21, 0xf2, 0x94, ++ 0x63, 0xa5, 0xc2, 0x6f, 0xee, 0x34, 0x81, 0xae, ++ 0xc6, 0x0f, 0xf3, 0xef, 0xb4, 0xde, 0xa5, 0x58, ++ 0x6f, 0x57, 0xc1, 0x51, 0x0a, 0xe4, 0x4e, 0xf0, ++ 0xed, 0xee, 0x42, 0xdc, 0xff, 0x4b, 0x14, 0xa3, ++ 0xcc, 0x6e, 0xa8, 0x0c, 0x29, 0x81, 0xdb, 0xce, ++ 0x78, 0x4d, 0x43, 0xe0, 0xe1, 0x60, 0xc8, 0x3e, ++ 0x54, 0x00, 0x29, 0x20, 0x25, 0x40, 0x22, 0xac, ++ 0xfa, 0x75, 0xb1, 0x4e, 0xcc, 0x61, 0x54, 0x27, ++ 0x2c, 0x95, 0xaf, 0x4c, 0x02, 0xa7, 0x55, 0xbd, ++ 0xed, 0xe2, 0x25, 0xfc, 0xba, 0xd2, 0x5b, 0xd7, ++ 0x33, 0xa1, 0xe9, 0xb4, 0x7f, 0x7e, 0xfe, 0xbb, ++ 0xfa, 0x54, 0xce, 0x3c, 0xbc, 0xd1, 0x03, 0x50, ++ 0x9d, 0xa9, 0x38, 0x9a, 0xf8, 0x67, 0xb1, 0xa3 + }; + +- /* DSA Known Random Values (known random key block is 160-bits) */ +- /* and (known random signature block is 160-bits). */ ++ /* DSA Known Random Values (known random key block is 224-bits) */ ++ /* and (known random signature block is 224-bits). */ + static const PRUint8 dsa_known_random_key_block[] = { +- "Mozilla Rules World!" 
++ "Mozilla Rules World! Always." + }; + static const PRUint8 dsa_known_random_signature_block[] = { +- "Random DSA Signature" ++ "Random DSA Signature, Longer" + }; + +- /* DSA Known Digest (160-bits) */ +- static const PRUint8 dsa_known_digest[] = { "DSA Signature Digest" }; ++ /* DSA Known Digest (224-bits) */ ++ static const PRUint8 dsa_known_digest[] = { "DSA Signature Digest, Longer" }; + +- /* DSA Known Signature (320-bits). */ ++ /* DSA Known Signature (448-bits). */ + static const PRUint8 dsa_known_signature[] = { +- 0x25, 0x7c, 0x3a, 0x79, 0x32, 0x45, 0xb7, 0x32, +- 0x70, 0xca, 0x62, 0x63, 0x2b, 0xf6, 0x29, 0x2c, +- 0x22, 0x2a, 0x03, 0xce, 0x48, 0x15, 0x11, 0x72, +- 0x7b, 0x7e, 0xf5, 0x7a, 0xf3, 0x10, 0x3b, 0xde, +- 0x34, 0xc1, 0x9e, 0xd7, 0x27, 0x9e, 0x77, 0x38 ++ 0x27, 0x04, 0xff, 0xd5, 0x2d, 0x80, 0x32, 0xea, ++ 0xac, 0xb5, 0x8b, 0x47, 0x17, 0xb1, 0x80, 0xed, ++ 0xd6, 0x0f, 0x72, 0x75, 0xe5, 0xba, 0x08, 0xc9, ++ 0x29, 0xc8, 0xc7, 0x75, 0x84, 0x60, 0x5a, 0xe9, ++ 0x55, 0xa4, 0x1c, 0xf0, 0xe3, 0xce, 0x4c, 0x8e, ++ 0x83, 0x3e, 0x7a, 0x77, 0x56, 0x7f, 0x83, 0xad, ++ 0x68, 0x36, 0x13, 0xa9, 0xd6, 0x08, 0x1f, 0x19 + }; + + /* DSA variables. */ +@@ -1774,7 +1809,7 @@ freebl_fips_DSA_PowerUpSelfTest(void) + dsa_signature_item.len = sizeof dsa_computed_signature; + + dsa_digest_item.data = (unsigned char *)dsa_known_digest; +- dsa_digest_item.len = SHA1_LENGTH; ++ dsa_digest_item.len = SHA224_LENGTH; + + /* Perform DSA signature process. */ + dsa_status = DSA_SignDigestWithSeed(dsa_private_key, diff --git a/nss-fips-fix-missing-nspr.patch b/nss-fips-fix-missing-nspr.patch new file mode 100644 index 0000000..f4cc201 --- /dev/null +++ b/nss-fips-fix-missing-nspr.patch 
@@ -0,0 +1,123 @@ +diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c +index 3ed1751..56a1a58 100644 +--- a/lib/freebl/drbg.c ++++ b/lib/freebl/drbg.c +@@ -6,6 +6,8 @@ + #include "stubs.h" + #endif + ++#include ++ + #include "prerror.h" + #include "secerr.h" + +@@ -182,11 +184,30 @@ prng_initEntropy(void) + PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE]; + SHA256Context ctx; + ++ /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a stripped ++ * down version. This is similar to freebl_RunLoaderOnce(). */ ++ if (coRNGInitEntropy.initialized) { ++ return coRNGInitEntropy.status; ++ } ++ if (__sync_lock_test_and_set(&coRNGInitEntropy.inProgress, 1) != 0) { ++ /* Shouldn't have a lot of takers here, which is good ++ * since we don't have condition variables yet. ++ * 'initialized' only ever gets set (not cleared) so we don't ++ * need the traditional locks. */ ++ while (!coRNGInitEntropy.initialized) { ++ sleep(1); /* don't have condition variables, just give up the CPU */ ++ } ++ return coRNGInitEntropy.status; ++ } ++ + /* For FIPS 140-2 4.9.2 continuous random number generator test, + * fetch the initial entropy from the system RNG and keep it for + * later comparison. 
*/ + length = RNG_SystemRNG(block, sizeof(block)); + if (length == 0) { ++ coRNGInitEntropy.status = PR_FAILURE; ++ __sync_synchronize (); ++ coRNGInitEntropy.initialized = 1; + return PR_FAILURE; /* error is already set */ + } + PORT_Assert(length == sizeof(block)); +@@ -199,6 +220,9 @@ prng_initEntropy(void) + sizeof(globalrng->previousEntropyHash)); + PORT_Memset(block, 0, sizeof(block)); + SHA256_DestroyContext(&ctx, PR_FALSE); ++ coRNGInitEntropy.status = PR_SUCCESS; ++ __sync_synchronize (); ++ coRNGInitEntropy.initialized = 1; + return PR_SUCCESS; + } + +@@ -211,7 +235,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength) + SHA256Context ctx; + SECStatus rv = SECSuccess; + +- if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) { ++ if (prng_initEntropy () != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +@@ -564,10 +588,34 @@ prng_freeRNGContext(RNGContext *rng) + SECStatus + RNG_RNGInit(void) + { ++ /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a stripped ++ * down version. This is similar to freebl_RunLoaderOnce(). */ ++ if (coRNGInit.initialized) { ++ return coRNGInit.status; ++ } ++ if (__sync_lock_test_and_set(&coRNGInit.inProgress, 1) != 0) { ++ /* Shouldn't have a lot of takers here, which is good ++ * since we don't have condition variables yet. ++ * 'initialized' only ever gets set (not cleared) so we don't ++ * need the traditional locks. */ ++ while (!coRNGInit.initialized) { ++ sleep(1); /* don't have condition variables, just give up the CPU */ ++ } ++ return coRNGInit.status; ++ } ++ + /* Allow only one call to initialize the context */ +- PR_CallOnce(&coRNGInit, rng_init); ++ coRNGInit.status = rng_init (); ++ __sync_synchronize (); ++ coRNGInit.initialized = 1; ++ if (coRNGInit.status != PR_SUCCESS) ++ return SECFailure; ++ + /* Make sure there is a context */ +- return (globalrng != NULL) ? SECSuccess : SECFailure; ++ coRNGInit.status = (globalrng != NULL) ? 
SECSuccess : SECFailure; ++ __sync_synchronize (); ++ coRNGInit.initialized = 1; ++ return coRNGInit.status; + } + + /* +@@ -842,7 +890,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, + } + /* replicate reseed test from prng_GenerateGlobalRandomBytes */ + if (testContext.reseed_counter[0] >= RESEED_VALUE) { +- rv = prng_reseed(&testContext, NULL, 0, NULL, 0); ++ /* We need to supply the entropy so as to avoid use of global RNG */ ++ static const PRUint8 reseed_entropy[] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ }; ++ static const PRUint8 additional_input[] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ }; ++ rv = prng_reseed(&testContext, reseed_entropy, sizeof reseed_entropy, ++ additional_input, sizeof additional_input); + if (rv != SECSuccess) { + return rv; + } diff --git a/nss-fips-gcm-ctr.patch b/nss-fips-gcm-ctr.patch new file mode 100644 index 0000000..5b02258 --- /dev/null +++ b/nss-fips-gcm-ctr.patch 
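Review bot: In `RNG_RNGInit` the hand-rolled once publishes `coRNGInit.initialized = 1` twice — first right after `rng_init()` and again after the `globalrng != NULL` check — so a concurrent caller on the fast path (or one leaving the `sleep(1)` wait) can return `coRNGInit.status == PR_SUCCESS` while `globalrng` is still NULL, and the same field flips between a PRStatus and a SECStatus value along the way. Compute the final status once, publish once, and convert to SECStatus at the return; the fast-path and spin-wait `return coRNGInit.status;` lines should convert the same way. The readers also have no acquire barrier to pair with the writer's `__sync_synchronize()`: the plain load of `initialized` followed by the load of `status` may be reordered by the compiler or a weakly ordered CPU, so a `__sync_synchronize();` after observing `initialized` is needed in both functions. The same once-skeleton is duplicated in `prng_initEntropy` (whose body starts outside the hunk); a small static helper taking the `PRCallOnceType *` and a function pointer would remove the duplication.
```c
SECStatus
RNG_RNGInit(void)
{
    /* … unchanged: fast path and __sync_lock_test_and_set spin-wait … */

    /* Compute the final status first and publish 'initialized' exactly once,
     * so no racing caller can observe success while globalrng is still NULL. */
    coRNGInit.status = rng_init();
    if (coRNGInit.status == PR_SUCCESS && globalrng == NULL) {
        coRNGInit.status = PR_FAILURE;
    }
    __sync_synchronize();
    coRNGInit.initialized = 1;
    return (coRNGInit.status == PR_SUCCESS) ? SECSuccess : SECFailure;
}
```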
@@ -0,0 +1,62 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574234739 -3600 +# Wed Nov 20 08:25:39 2019 +0100 +# Node ID 5396ffb26887cc0cd42b9f12cc6c8e3dfdaf194b +# Parent f5cf5d16deb68e65b5dd4e799d9e8e3098400d62 +[PATCH] 22 +From 41dd171b242b0cb550d12760da110db7e2c21daf Mon Sep 17 00:00:00 2001 +--- + nss/lib/freebl/gcm.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +Index: nss/lib/freebl/gcm.c +=================================================================== +--- nss.orig/lib/freebl/gcm.c ++++ nss/lib/freebl/gcm.c +@@ -535,8 +535,14 @@ struct GCMContextStr { + unsigned char tagKey[MAX_BLOCK_SIZE]; + PRBool ctr_context_init; + gcmIVContext gcm_iv; ++ unsigned long long gcm_iv_bytes; + }; + ++/* NIST SP-800-38D limits the use of GCM with a single IV to 2^39 - 256 ++ * bits which translates to 2^32 - 2 128bit blocks or 2^36 - 32 bytes ++ */ ++#define MAX_GCM_BYTES_PER_IV ((1ULL << 36) - 32) ++ + SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, + unsigned int ivLen, unsigned int tagBits, + const unsigned char *aad, unsigned int aadLen); +@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u + goto loser; + } + ++ gcm->gcm_iv_bytes = MAX_GCM_BYTES_PER_IV; ++ + /* finally mix in the AAD data */ + rv = gcmHash_Reset(ghash, aad, aadLen); + if (rv != SECSuccess) { +@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig + return SECFailure; + } + ++ /* bail out if this invocation requests processing more than what is ++ * considered to be a safe limit */ ++ if (gcm->gcm_iv_bytes < (unsigned long long)inlen) { ++ PORT_SetError(SEC_ERROR_INPUT_LEN); ++ return SECFailure; ++ } ++ + tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; + if (UINT_MAX - inlen < tagBytes) { + PORT_SetError(SEC_ERROR_INPUT_LEN); +@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig + *outlen = 0; + return SECFailure; + }; ++ gcm->gcm_iv_bytes -= inlen; + *outlen += len; + return SECSuccess; + } 
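Review bot: The new `gcm_iv_bytes` field and `MAX_GCM_BYTES_PER_IV` enforce the SP 800-38D plaintext bound only in `GCM_EncryptUpdate`; leaving decryption unbounded is defensible (the limit protects the key, not the tag check) but nothing in the hunk says so, and the struct member itself carries no comment. Add `/* plaintext bytes still permitted under the current IV (SP 800-38D 5.2.1.1); reset in gcm_InitCounter, decremented by GCM_EncryptUpdate only */` at the member, and a one-line comment in GCM_DecryptUpdate that the limit is intentionally not applied there. Style: the surrounding struct uses NSPR types (`PRBool ctr_context_init`), so `PRUint64 gcm_iv_bytes;` and `(PRUint64)inlen` would match the file better than `unsigned long long`. Since the budget is only reset in `gcm_InitCounter`, a context reused across many `GCM_EncryptUpdate` calls eventually fails with SEC_ERROR_INPUT_LEN, which a caller can misread as "this buffer is too long"; a comment at the check saying the IV is exhausted and a new one must be installed would prevent that confusion.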
diff --git a/nss-fips-pairwise-consistency-check.patch b/nss-fips-pairwise-consistency-check.patch new file mode 100644 index 0000000..184c162 --- /dev/null +++ b/nss-fips-pairwise-consistency-check.patch @@ -0,0 +1,35 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574138371 -3600 +# Tue Nov 19 05:39:31 2019 +0100 +# Node ID 557f9009507c9e70941dbe39965028049e1ef5a2 +# Parent 4ae6bed68a83c01f6d2ce7a37bdb0bdb0556416f +[PATCH 07/22] 15 +From 2a162c34b7aad7399f33069cd9930fd92714861c Mon Sep 17 00:00:00 2001 +--- + nss/lib/softoken/pkcs11c.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +Index: nss/lib/softoken/pkcs11c.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11c.c ++++ nss/lib/softoken/pkcs11c.c +@@ -4800,8 +4800,8 @@ loser: + return crv; + } + +-#define PAIRWISE_DIGEST_LENGTH SHA1_LENGTH /* 160-bits */ +-#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ ++#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ ++#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ + + /* + * FIPS 140-2 pairwise consistency check utilized to validate key pair. +@@ -5749,6 +5749,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS + (PRUint32)crv); + sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); + } ++ sftk_fatalError = PR_TRUE; + } + } + diff --git a/nss-fips-pbkdf-kat-compliance.patch b/nss-fips-pbkdf-kat-compliance.patch new file mode 100644 index 0000000..68b5244 --- /dev/null +++ b/nss-fips-pbkdf-kat-compliance.patch 
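Review bot: `PAIRWISE_DIGEST_LENGTH` becomes 28 bytes while the hash mechanism the pairwise check signs with, and the `known_digest` buffer it reads from, are outside the hunk; confirm both were moved to SHA-224 as well, otherwise a 28-byte digest item built over a 20-byte SHA-1 result covers 8 bytes it should not. The retained `PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */` now sits beside a 224-bit digest and looks like a missed update; if the message length is genuinely independent of the digest size, say so: `/* length of the known plaintext; not tied to PAIRWISE_DIGEST_LENGTH */`. The added `sftk_fatalError = PR_TRUE;` puts the whole token into the FIPS error state for every non-OK crv from the pairwise check (the enclosing condition starts outside the hunk), including CKR_HOST_MEMORY from a transient allocation failure; a genuine PCT failure must be fatal, but an OOM should not permanently disable the module, so gate it: `if (crv != CKR_HOST_MEMORY) sftk_fatalError = PR_TRUE;`.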
@@ -0,0 +1,59 @@ +Index: nss/lib/softoken/lowpbe.c +=================================================================== +--- nss.orig/lib/softoken/lowpbe.c ++++ nss/lib/softoken/lowpbe.c +@@ -1756,7 +1756,7 @@ loser: + return ret_algid; + } + +-#define TEST_KEY "pbkdf test key" ++#define TEST_KEY "qrfhfgkeWKZsYyLfUddaKQKLGhwqjQhNCiAdfweKEPaRf" + SECStatus + sftk_fips_pbkdf_PowerUpSelfTests(void) + { +@@ -1766,16 +1766,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) + unsigned char iteration_count = 5; + unsigned char keyLen = 64; + char *inKeyData = TEST_KEY; +- static const unsigned char saltData[] = { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; ++ static const unsigned char saltData[] = { ++ 0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18, ++ 0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64, ++ 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B, ++ 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22 ++ }; ++ + static const unsigned char pbkdf_known_answer[] = { +- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, +- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, +- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, +- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, +- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, +- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, +- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, +- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 ++ 0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70, ++ 0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f, ++ 0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6, ++ 0x71, 0xa3, 0xc4, 0x4f, 0x1d, 0xa7, 0x8f, 0xa5, ++ 0x0c, 0x4b, 0x13, 0xce, 0x2f, 0x2b, 0x48, 0xe0, ++ 0xfc, 0x10, 0x6d, 0xf4, 0xfb, 0x71, 0x1b, 0x0e, ++ 0x33, 0x2c, 0x43, 0x43, 0xe1, 0x77, 0x16, 0xf5, ++ 0x1e, 0x96, 0xcd, 0x93, 0x21, 0xb8, 0x78, 0x32 + }; + + sftk_PBELockInit(); +@@ -1804,11 +1810,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) + * for NSSPKCS5_PBKDF2 */ + pbe_params.iter = iteration_count; + pbe_params.keyLen = keyLen; +- pbe_params.hashType = 
HASH_AlgSHA256; ++ pbe_params.hashType = HASH_AlgSHA384; + pbe_params.pbeType = NSSPKCS5_PBKDF2; + pbe_params.is2KeyDES = PR_FALSE; + + result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE); ++ + if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) || + (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) { + SECITEM_FreeItem(result, PR_TRUE); diff --git a/nss-fips-pct-pubkeys.patch b/nss-fips-pct-pubkeys.patch new file mode 100644 index 0000000..4eba5f4 --- /dev/null +++ b/nss-fips-pct-pubkeys.patch 
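Review bot: The new `pbkdf_known_answer` has no provenance: nothing records which implementation produced the 64-byte PBKDF2-HMAC-SHA-384 output for `TEST_KEY`, the 32-byte `saltData` and 5 iterations, so a reviewer cannot distinguish a transcription error from a real mismatch until the power-up self-test fails at runtime. Add a comment above the array such as `/* PBKDF2-HMAC-SHA384(TEST_KEY, saltData, iter=5, dkLen=64); regenerated independently with <tool> */` with the tool filled in, preferably one outside NSS so the KAT is not self-referential. The blank line inserted after the `nsspkcs5_ComputeKeyAndIV(...)` call is unrelated whitespace churn in a patch that otherwise only changes the test vector and should be dropped.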
@@ -0,0 +1,135 @@ +# HG changeset patch +# Parent 5786c2bb5c229b530e95e435ee0cf51314359e7b + +Index: nss/lib/softoken/pkcs11c.c +=================================================================== +--- nss.orig/lib/softoken/pkcs11c.c ++++ nss/lib/softoken/pkcs11c.c +@@ -17,6 +17,7 @@ + * In this implementation, session objects are only visible to the session + * that created or generated them. + */ ++#include "lowkeyti.h" + #include "seccomon.h" + #include "secitem.h" + #include "secport.h" +@@ -4922,6 +4923,88 @@ pairwise_signverify_mech (CK_SESSION_HAN + return crv; + } + ++/* This function regenerates a public key from a private key ++ * (not simply returning the saved public key) and compares it ++ * to the given publicKey ++ */ ++static CK_RV ++regeneratePublicKeyFromPrivateKeyAndCompare(NSSLOWKEYPrivateKey *currPrivKey, ++ NSSLOWKEYPublicKey *currPubKey) ++{ ++ NSSLOWKEYPublicKey *pubk; ++ SECItem publicValue; ++ PLArenaPool *arena; ++ ++ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); ++ if (arena == NULL) { ++ PORT_SetError(SEC_ERROR_NO_MEMORY); ++ return CKR_HOST_MEMORY; ++ } ++ ++ switch (currPrivKey->keyType) { ++ case NSSLOWKEYDHKey: ++ pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena, ++ sizeof(NSSLOWKEYPublicKey)); ++ if (pubk != NULL) { ++ SECStatus rv; ++ ++ pubk->arena = arena; ++ pubk->keyType = currPrivKey->keyType; ++ ++ // Regenerate the publicValue ++ rv = DH_Derive(&currPrivKey->u.dh.base, &currPrivKey->u.dh.prime, ++ &currPrivKey->u.dh.privateValue, &publicValue, 0); ++ if (rv != SECSuccess) { ++ break; ++ } ++ rv = SECITEM_CopyItem(arena, &pubk->u.dh.publicValue, ++ &publicValue); ++ SECITEM_ZfreeItem(&publicValue, PR_FALSE); ++ if (rv != SECSuccess) { ++ break; ++ } ++ ++ if (SECITEM_CompareItem(&pubk->u.dh.publicValue, &currPubKey->u.dh.publicValue) != SECEqual) { ++ nsslowkey_DestroyPublicKey(pubk); ++ return CKR_GENERAL_ERROR; ++ } ++ nsslowkey_DestroyPublicKey(pubk); ++ return CKR_OK; ++ } ++ break; ++ case NSSLOWKEYECKey: ++ { ++ 
ECPrivateKey *privk = NULL; ++ SECStatus rv; ++ ++ /* The "seed" is an octet stream corresponding to our private key. ++ * The new public key is derived from this + the parameters and ++ * stored in the new private key's publicValue. */ ++ rv = EC_NewKeyFromSeed (&currPrivKey->u.ec.ecParams, ++ &privk, ++ currPrivKey->u.ec.privateValue.data, ++ currPrivKey->u.ec.privateValue.len); ++ if (rv != SECSuccess) ++ break; ++ ++ /* Verify that the passed-in public value is equal to the one derived */ ++ if (SECITEM_CompareItem (&privk->publicValue, &currPubKey->u.ec.publicValue) != SECEqual) { ++ PORT_FreeArena (privk->ecParams.arena, PR_TRUE); ++ return CKR_GENERAL_ERROR; ++ } ++ ++ PORT_FreeArena (privk->ecParams.arena, PR_TRUE); ++ return CKR_OK; ++ } ++ break; ++ default: ++ break; ++ } ++ ++ PORT_FreeArena(arena, PR_TRUE); ++ return CKR_GENERAL_ERROR; ++} ++ + /* + * FIPS 140-2 pairwise consistency check utilized to validate key pair. + * +@@ -5268,6 +5351,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION + } + } + ++ // Regenerate the publicKey from the privateKey and compare it to the ++ // original publicKey ++ if (keyType == CKK_DH || keyType == CKK_EC) { ++ NSSLOWKEYPrivateKey *currPrivKey = sftk_GetPrivKey(privateKey, CKK_DH, &crv); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ if (!currPrivKey) { ++ return CKR_DEVICE_ERROR; ++ } ++ ++ NSSLOWKEYPublicKey *currPubKey = sftk_GetPubKey(publicKey, CKK_DH, &crv); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ if (!currPubKey) { ++ return CKR_DEVICE_ERROR; ++ } ++ ++ crv = regeneratePublicKeyFromPrivateKeyAndCompare(currPrivKey, currPubKey); ++ if (crv != CKR_OK) { ++ return crv; ++ } ++ } + return CKR_OK; + } + diff --git a/nss-fips-rsa-keygen-strictness.patch b/nss-fips-rsa-keygen-strictness.patch new file mode 100644 index 0000000..4f60db0 --- /dev/null +++ b/nss-fips-rsa-keygen-strictness.patch 
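Review bot: `regeneratePublicKeyFromPrivateKeyAndCompare` leaks `arena` on both EC return paths: the `NSSLOWKEYECKey` case returns `CKR_GENERAL_ERROR` and `CKR_OK` directly after freeing `privk->ecParams.arena`, but the arena allocated at the top of the function is only released after the switch, so every EC key pair generated in FIPS mode leaks one arena. In the caller, both lookups are hard-coded to `CKK_DH` even when `keyType == CKK_EC`; that only works if an earlier step already cached the low key on the object, so use the actual type: `sftk_GetPrivKey(privateKey, keyType, &crv)` and `sftk_GetPubKey(publicKey, keyType, &crv)`. The EC case below frees `arena` on every exit; `sftk_PairwiseConsistencyCheck` itself starts outside the hunk.
```c
        case NSSLOWKEYECKey: {
            ECPrivateKey *privk = NULL;
            CK_RV ret = CKR_GENERAL_ERROR;
            SECStatus rv;

            /* … unchanged: EC_NewKeyFromSeed() over currPrivKey->u.ec … */
            if (rv == SECSuccess) {
                /* The point derived from the private scalar must equal the stored public value. */
                if (SECITEM_CompareItem(&privk->publicValue,
                                        &currPubKey->u.ec.publicValue) == SECEqual) {
                    ret = CKR_OK;
                }
                PORT_FreeArena(privk->ecParams.arena, PR_TRUE);
            }
            PORT_FreeArena(arena, PR_TRUE); /* was leaked on both EC returns */
            return ret;
        }
```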
@@ -0,0 +1,244 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1584305670 -3600 +# Sun Mar 15 21:54:30 2020 +0100 +# Node ID 2f570c6952d8edfc1ad9061cd3830f202eec1960 +# Parent 557f9009507c9e70941dbe39965028049e1ef5a2 +commit 4b8c0eac6b092717157b4141c82b4d76ccdc91b3 +Author: Hans Petter Jansson + Patch 16: nss-fips-rsa-keygen-strictness.patch + +Index: nss/lib/freebl/mpi/mpprime.c +=================================================================== +--- nss.orig/lib/freebl/mpi/mpprime.c ++++ nss/lib/freebl/mpi/mpprime.c +@@ -14,6 +14,8 @@ + #include + #include + ++#include "../fips.h" ++ + #define SMALL_TABLE 0 /* determines size of hard-wired prime table */ + + #define RANDOM() rand() +@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, + } else + num_tests = 50; + ++ /* FIPS 186-4 mandates more M-R tests for probable primes generation - make ++ * sure the minimums are observed (see Appendix C, tables C.1 and C.2). ++ * For DSA this is handled in pqg_ParamGen() through the use of ++ * prime_testcount_p() and prime_testcount_q() respectively. ++ * For RSA this unfortunately seems to be the right place to prevent larger ++ * code changes. On the other hand, it seems to generally speed things up, ++ * since there are measurably less errors while calculating inverse modulo in ++ * rsa_build_from_primes(). 
++ */ ++ if (FIPS_mode()) { ++ if (nBits >= 1536) ++ i = 4; ++ else ++ i = 5; ++ if (i > num_tests) ++ num_tests = i; ++ i = 0; ++ } ++ + if (strong) + --nBits; + MP_CHECKOK(mpl_set_bit(start, nBits - 1, 1)); +Index: nss/lib/freebl/rsa.c +=================================================================== +--- nss.orig/lib/freebl/rsa.c ++++ nss/lib/freebl/rsa.c +@@ -16,11 +16,13 @@ + #include "prinit.h" + #include "blapi.h" + #include "mpi.h" ++#include "mpi-priv.h" + #include "mpprime.h" + #include "mplogic.h" + #include "secmpi.h" + #include "secitem.h" + #include "blapii.h" ++#include "fips.h" + + /* The minimal required randomness is 64 bits */ + /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */ +@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, c + err = mp_invmod(d, &phi, e); + } else { + err = mp_invmod(e, &phi, d); +- } ++ /* FIPS 186-4 (B.3.1.3.a) places additional requirements on the ++ * private exponent d: ++ * 2^(n/2) < d < lcm(p-1, q-1) = phi ++ */ ++ if (FIPS_mode() && (MP_OKAY == err)) { ++ CHECK_MPI_OK( mp_2expt(&tmp, keySizeInBits / 2) ); ++ if ((mp_cmp(d, &tmp) <= 0) || (mp_cmp(d, &phi) >= 0)) { ++ /* new set of p, q is needed for another calculation of d */ ++ err = MP_UNDEF; ++ } ++ } ++ } + } else { + err = MP_OKAY; + } +- /* Verify that phi(n) and e have no common divisors */ ++ /* Verify that phi(n) and e have no common divisors ++ * This is also the coprimality constraint from FIPS 186-4 (B.3.1.2.a) ++ */ + if (err != MP_OKAY) { + if (err == MP_UNDEF) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); +@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *p + mp_int q = { 0, 0, 0, NULL }; + mp_int e = { 0, 0, 0, NULL }; + mp_int d = { 0, 0, 0, NULL }; ++ mp_int u = { 0, 0, 0, NULL }; ++ mp_int v = { 0, 0, 0, NULL }; + int kiter; + int max_attempts; + mp_err err = MP_OKAY; +- SECStatus rv = SECSuccess; ++ SECStatus rv = SECFailure; + int prerr = 0; + RSAPrivateKey *key = NULL; + PLArenaPool *arena = 
NULL; +@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *p + PORT_SetError(SEC_ERROR_INVALID_ARGS); + goto cleanup; + } ++ ++ MP_DIGITS(&p) = 0; ++ MP_DIGITS(&q) = 0; ++ MP_DIGITS(&d) = 0; ++ MP_DIGITS(&u) = 0; ++ MP_DIGITS(&v) = 0; ++ CHECK_MPI_OK(mp_init(&p)); ++ CHECK_MPI_OK(mp_init(&q)); ++ CHECK_MPI_OK(mp_init(&d)); ++ CHECK_MPI_OK(mp_init(&u)); ++ CHECK_MPI_OK(mp_init(&v)); ++ + #ifndef NSS_FIPS_DISABLED +- /* Check that the exponent is not smaller than 65537 */ +- if (mp_cmp_d(&e, 0x10001) < 0) { +- PORT_SetError(SEC_ERROR_INVALID_ARGS); +- goto cleanup; ++ if (FIPS_mode()) { ++ /* Check that the exponent is not smaller than 65537 */ ++ if (mp_cmp_d(&e, 0x10001) < 0) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ goto cleanup; ++ } ++ ++ /* FIPS 186-4 requires 2^16 < e < 2^256 (B.3.1.1.b) */ ++ CHECK_MPI_OK( mp_2expt(&v, 256) ); ++ if (!(mp_cmp(&e, &v) < 0 )) { ++ err = MP_BADARG; ++ goto cleanup; ++ } ++ ++ /* FIPS 186-4 mandates keys to be either 2048, 3072 or 4096 bits long. ++ * We also allow a key length of 4096, since this is needed in order to ++ * pass the CAVS RSA SigGen test. */ ++ if (keySizeInBits < 2048) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ goto cleanup; ++ } + } + #endif + +@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *p + key->arena = arena; + /* length of primes p and q (in bytes) */ + primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE); +- MP_DIGITS(&p) = 0; +- MP_DIGITS(&q) = 0; +- MP_DIGITS(&d) = 0; +- CHECK_MPI_OK(mp_init(&p)); +- CHECK_MPI_OK(mp_init(&q)); +- CHECK_MPI_OK(mp_init(&d)); ++ + /* 3. 
Set the version number (PKCS1 v1.5 says it should be zero) */ + SECITEM_AllocItem(arena, &key->version, 1); + key->version.data[0] = 0; +@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *p + PORT_SetError(0); + CHECK_SEC_OK(generate_prime(&p, primeLen)); + CHECK_SEC_OK(generate_prime(&q, primeLen)); +- /* Assure p > q */ ++ /* Assure p >= q */ + /* NOTE: PKCS #1 does not require p > q, and NSS doesn't use any + * implementation optimization that requires p > q. We can remove + * this code in the future. + */ + if (mp_cmp(&p, &q) < 0) + mp_exch(&p, &q); ++ ++ /* FIPS 186-4 puts additional requirements on the primes (B.3.1.2.a-d) ++ * (n = key bit length): ++ * 1) both (p-1) and (q-1) are coprime to e (B.3.1.2.a), i.e.: ++ * gcd(p-1,e) = 1, gcd(q-1,e) = 1 ++ * this is ensured in rsa_build_from_primes(), where ++ * phi = lcm(p-1)(q-1) is tested for coprimality to e ++ * 2) magnitude constraint (B.3.1.2.b and B.3.1.2.c): ++ * both p and q are from open the interval ++ * I = ( sqrt(2) * 2^(n/2 - 1) , 2^(n/2 - 1) ) ++ * 3) minimum distance (B.3.1.2.d): abs(p-q) > 2 ^ (n/2 - 100) ++ */ ++ if (FIPS_mode()) { ++ /* 2 */ ++ /* in order not to constrain the selection too much, ++ * expand the inequality: ++ * x > 2^(1/2) * 2^(n/2 - 1) ++ * = 2^(1/2 + k) * 2^(n/2 - k - 1) ++ * = y(k) * r(k) ++ * for z(k) >= y(k) it clearly holds: ++ * x > z(k) * r(k) ++ * one suitable z(k) such that z(k)/y(k) - 1 = o(1) is ++ * ceil(y(k)) for big-enough k ++ * ceil(y(30))/y(30) - 1 < 10^-10, so lets use that ++ * 2^30.5 = 1518500249.98802484622388101120... 
++ * the magic constant is thus z(30) = 1518500250 < 2^31 ++ * ++ * Additionally, since p >= q is required above, the ++ * condtitions can be shortened to: ++ * 1518500250 * 2^(n/2 - 31) = v < q ++ * p < u = 2^(n/2 - 1) ++ */ ++ CHECK_MPI_OK( mp_2expt(&u, keySizeInBits / 2 - 31) ); ++ CHECK_MPI_OK( mp_mul_d(&u, 1518500250, &v) ); ++ CHECK_MPI_OK( mp_2expt(&u, keySizeInBits / 2) ); ++ if ((mp_cmp(&q, &v) <= 0) || (mp_cmp(&p, &u) >= 0)) { ++ prerr = SEC_ERROR_NEED_RANDOM; /* retry with different values */ ++ kiter++; ++ continue; ++ } ++ /* 3 */ ++ CHECK_MPI_OK( mp_sub(&p, &q, &u) ); ++ CHECK_MPI_OK( mp_abs(&u, &u) ); ++ CHECK_MPI_OK( mp_2expt(&v, keySizeInBits / 2 - 100) ); ++ if (mp_cmp(&u, &v) < 0) { ++ prerr = SEC_ERROR_NEED_RANDOM; /* retry with different values */ ++ kiter++; ++ continue; ++ } ++ } ++ + /* Attempt to use these primes to generate a key */ + rv = rsa_build_from_primes(&p, &q, + &e, PR_FALSE, /* needPublicExponent=false */ +@@ -374,7 +466,9 @@ cleanup: + mp_clear(&q); + mp_clear(&e); + mp_clear(&d); +- if (err) { ++ mp_clear(&u); ++ mp_clear(&v); ++ if (err != MP_OKAY) { + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } diff --git a/nss-fips-stricter-dh.patch b/nss-fips-stricter-dh.patch new file mode 100644 index 0000000..f222ea3 --- /dev/null +++ b/nss-fips-stricter-dh.patch 
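Review bot: The `#ifndef NSS_FIPS_DISABLED` block in `RSA_NewKey` now wraps the pre-existing `mp_cmp_d(&e, 0x10001) < 0` rejection inside `if (FIPS_mode())`, so a non-FIPS runtime of a FIPS-capable build newly accepts small public exponents such as e = 3 — a loosening that a patch titled "strictness" should not introduce; keep the 65537 check unconditional and put only the `2^256` and 2048-bit checks under `FIPS_mode()`. The prime-magnitude comment is wrong: `I = ( sqrt(2) * 2^(n/2 - 1) , 2^(n/2 - 1) )` is an empty interval and `p < u = 2^(n/2 - 1)` does not match the code, which correctly sets `u = 2^(n/2)`; it should read `I = [ sqrt(2) * 2^(n/2 - 1), 2^(n/2) - 1 ]` and `p < u = 2^(n/2)`. The key-length comment contradicts itself ("either 2048, 3072 or 4096 … We also allow a key length of 4096") while the code enforces only `keySizeInBits >= 2048`; state what is actually checked, e.g. `/* FIPS 186-4 lists 2048 and 3072; 4096 is also accepted (CAVS RSA SigGen). Only the lower bound is enforced here. */`. In mpprime.c the loop index `i` is borrowed as scratch for the FIPS minimum and then reset to 0, which is fragile; a dedicated `int fips_min_tests` is clearer. `RSA_NewKey` and `rsa_build_from_primes` both extend beyond the visible hunks.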
@@ -0,0 +1,52 @@ +commit 3ab80b72e85583bd727730bc5b57f91e07b89710 +Author: Hans Petter Jansson +Date: Fri Sep 4 13:41:34 2020 +0200 + + Patch 38: nss-fips-stricter-dh.patch + +Index: nss/lib/freebl/dh.c +=================================================================== +--- nss.orig/lib/freebl/dh.c ++++ nss/lib/freebl/dh.c +@@ -449,7 +449,7 @@ cleanup: + PRBool + KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) + { +- mp_int p, q, y, r; ++ mp_int p, q, y, r, psub1; + mp_err err; + int cmp = 1; /* default is false */ + if (!Y || !prime || !subPrime) { +@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S + MP_DIGITS(&q) = 0; + MP_DIGITS(&y) = 0; + MP_DIGITS(&r) = 0; ++ MP_DIGITS(&psub1) = 0; + CHECK_MPI_OK(mp_init(&p)); + CHECK_MPI_OK(mp_init(&q)); + CHECK_MPI_OK(mp_init(&y)); + CHECK_MPI_OK(mp_init(&r)); ++ CHECK_MPI_OK(mp_init(&psub1)); + SECITEM_TO_MPINT(*prime, &p); + SECITEM_TO_MPINT(*subPrime, &q); + SECITEM_TO_MPINT(*Y, &y); ++ ++ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1)); ++ ++ if (mp_cmp_d(&y, 1) <= 0 || ++ mp_cmp(&y, &psub1) >= 0) { ++ err = MP_BADARG; ++ goto cleanup; ++ } ++ + /* compute r = y**q mod p */ + CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); + /* compare to 1 */ +@@ -476,6 +487,7 @@ cleanup: + mp_clear(&q); + mp_clear(&y); + mp_clear(&r); ++ mp_clear(&psub1); + if (err) { + MP_TO_SEC_ERROR(err); + return PR_FALSE; diff --git a/nss-fips-tests-enable-fips.patch b/nss-fips-tests-enable-fips.patch new file mode 100644 index 0000000..3f53729 --- /dev/null +++ b/nss-fips-tests-enable-fips.patch 
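Review bot: The new range check in `KEA_Verify` is the SP 800-56A 5.6.2.3.1 step-1 test, but the hunk leaves it uncommented; add `/* SP 800-56A 5.6.2.3.1: reject y outside [2, p-2] before the subgroup test y^q mod p == 1 */` above the `if`. Returning `MP_BADARG` here surfaces a malformed peer value as an argument error through `MP_TO_SEC_ERROR`, while the existing subgroup failure path leaves the error unset and returns PR_FALSE; callers that only look at the return see no difference, but the asymmetry is worth a short note. This function only runs when the caller supplies `subPrime`; DH public values validated without q get no range check here, so confirm the FIPS-mode derive path always passes q.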
@@ -0,0 +1,25 @@ +Index: nss/tests/cert/cert.sh +=================================================================== +--- nss.orig/tests/cert/cert.sh ++++ nss/tests/cert/cert.sh +@@ -1350,6 +1350,11 @@ cert_stresscerts() + ############################################################################## + cert_fips() + { ++ OLD_FIPS_MODE=`echo ${NSS_FIPS}` ++ OLD_CHECKSUMS_MODE=`echo ${NSS_IGNORE_CHECKSUMS}` ++ export NSS_FIPS=1 ++ export NSS_IGNORE_CHECKSUMS=1 ++ + CERTFAILED=0 + echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" + cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" +@@ -1390,6 +1395,8 @@ MODSCRIPT + cert_log "SUCCESS: FIPS passed" + fi + ++ export NSS_FIPS=${OLD_FIPS_MODE} ++ export NSS_IGNORE_CHECKSUMS=${OLD_CHECKSUMS_MODE} + } + + ########################## cert_rsa_exponent ################################# diff --git a/nss-fips-use-getrandom.patch b/nss-fips-use-getrandom.patch new file mode 100644 index 0000000..8d2969d --- /dev/null +++ b/nss-fips-use-getrandom.patch 
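Review bot: Capturing `OLD_FIPS_MODE` through an `echo` of `${NSS_FIPS}` cannot tell "unset" from "empty", so the restore `export NSS_FIPS=${OLD_FIPS_MODE}` leaves `NSS_FIPS` and `NSS_IGNORE_CHECKSUMS` exported as empty strings for the rest of the run wherever they were previously unset, and any later test that checks for the variable's presence rather than its value sees a change. Remember whether each was set, e.g. `OLD_FIPS_SET=${NSS_FIPS+x}; OLD_FIPS_MODE=${NSS_FIPS}`, and on exit `if [ -n "$OLD_FIPS_SET" ]; then export NSS_FIPS=${OLD_FIPS_MODE}; else unset NSS_FIPS; fi` (same for `NSS_IGNORE_CHECKSUMS`); the `echo` subshell is unnecessary either way. A one-line comment that `NSS_IGNORE_CHECKSUMS=1` deliberately skips the `.chk` integrity self-test because the freshly built libraries are unsigned would also tell the next maintainer that this test does not cover the integrity check.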
@@ -0,0 +1,125 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1574137588 -3600 +# Tue Nov 19 05:26:28 2019 +0100 +# Node ID 5e191a391c38967e49a1d005800713ccd1010b09 +# Parent 92da25f8ea7d41e938858872e2b6a2fb1aa53bb2 +commit c2a88344b616c75b1873fb163491d7362a4c3e5b +Author: Hans Petter Jansson + 11 + +Index: nss/coreconf/Linux.mk +=================================================================== +--- nss.orig/coreconf/Linux.mk ++++ nss/coreconf/Linux.mk +@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro + LDFLAGS += -Wl,-z,relro + endif + ++# ++# On Linux 3.17 or later, use getrandom() to obtain entropy where possible. ++# Set NSS_USE_GETRANDOM to 0 in the environment to override this. ++# ++ifneq ($(OS_TARGET),Android) ++ifeq (3.17,$(firstword $(sort 3.17 $(OS_RELEASE)))) ++ifneq ($(NSS_USE_GETRANDOM),0) ++ DEFINES += -DNSS_USE_GETRANDOM ++endif ++endif ++endif ++ + USE_SYSTEM_ZLIB = 1 + ZLIB_LIBS = -lz + +Index: nss/lib/freebl/unix_rand.c +=================================================================== +--- nss.orig/lib/freebl/unix_rand.c ++++ nss/lib/freebl/unix_rand.c +@@ -13,6 +13,10 @@ + #include + #include + #include ++#ifdef NSS_USE_GETRANDOM ++# include ++# include ++#endif + #include + #include "secrng.h" + #include "secerr.h" +@@ -21,6 +25,43 @@ + #include "prprf.h" + #include "prenv.h" + ++#ifdef NSS_USE_GETRANDOM ++# ifndef __NR_getrandom ++# if defined __x86_64__ ++# define __NR_getrandom 318 ++# elif defined(__i386__) ++# define __NR_getrandom 355 ++# elif defined(__arm__) ++# define __NR_getrandom 384 ++# elif defined(__aarch64__) ++# define __NR_getrandom 278 ++# elif defined(__ia64__) ++# define __NR_getrandom 1339 ++# elif defined(__m68k__) ++# define __NR_getrandom 352 ++# elif defined(__s390x__) ++# define __NR_getrandom 349 ++# elif defined(__powerpc__) ++# define __NR_getrandom 359 ++# elif defined _MIPS_SIM ++# if _MIPS_SIM == _MIPS_SIM_ABI32 ++# define __NR_getrandom 4353 ++# endif ++# if _MIPS_SIM == _MIPS_SIM_NABI32 ++# define 
__NR_getrandom 6317 ++# endif ++# if _MIPS_SIM == _MIPS_SIM_ABI64 ++# define __NR_getrandom 5313 ++# endif ++# else ++# warning "__NR_getrandom unknown for your architecture" ++# endif ++# endif ++# ifndef GRND_RANDOM ++# define GRND_RANDOM 0x02 ++# endif ++#endif ++ + size_t RNG_FileUpdate(const char *fileName, size_t limit); + + /* +@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file) + size_t + RNG_SystemRNG(void *dest, size_t maxLen) + { ++#ifdef NSS_USE_GETRANDOM ++ unsigned char *buf = dest; ++ size_t inBytes = 0; ++ int ret; ++ ++ do { ++ ret = syscall(__NR_getrandom, buf + inBytes, maxLen - inBytes, 0); ++ ++ if (0 < ret) ++ inBytes += ret; ++ } while ((0 < ret || EINTR == errno || ERESTART == errno) ++ && inBytes < maxLen); ++ ++ if (inBytes != maxLen) { ++ PORT_SetError(SEC_ERROR_NEED_RANDOM); /* system RNG failed */ ++ inBytes = 0; ++ } ++ ++ return inBytes; ++#else + FILE *file; + int fd; + int bytes; +@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen) + fileBytes = 0; + } + return fileBytes; ++#endif + } diff --git a/nss-fips-use-strong-random-pool.patch b/nss-fips-use-strong-random-pool.patch new file mode 100644 index 0000000..9f80be4 --- /dev/null +++ b/nss-fips-use-strong-random-pool.patch 
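Review bot: The `#ifdef NSS_USE_GETRANDOM` path in `RNG_SystemRNG` has no runtime fallback: the decision is taken from `OS_RELEASE` in Linux.mk, which as far as I can tell is the build host's kernel version, so a binary built on a 3.17+ host but run on an older kernel, or under a seccomp filter that denies the syscall, gets ENOSYS/EPERM, `inBytes` stays 0 and every request fails with SEC_ERROR_NEED_RANDOM even though `/dev/urandom` is available. Treat ENOSYS and EPERM as "getrandom unavailable" and fall through to the existing file-based reader, which means turning the `#else` into an `#endif` placed after that decision so the reader is compiled in both configurations. The rewritten tail below shows the shape; the `/dev/urandom` loop itself is unchanged.
```c
size_t
RNG_SystemRNG(void *dest, size_t maxLen)
{
#ifdef NSS_USE_GETRANDOM
    /* … unchanged: getrandom() loop accumulating into inBytes … */
    if (inBytes == maxLen) {
        return inBytes;
    }
    if (errno != ENOSYS && errno != EPERM) {
        PORT_SetError(SEC_ERROR_NEED_RANDOM); /* system RNG failed */
        return 0;
    }
    /* getrandom() is unavailable on this kernel or blocked by a syscall
     * filter; fall through to the /dev/urandom reader below. */
#endif
    /* … unchanged: fopen("/dev/urandom") + read() loop, no longer under #else … */
}
```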
@@ -0,0 +1,52 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574240799 -3600 +# Wed Nov 20 10:06:39 2019 +0100 +# Node ID 4ddd7d49eeed4ea32850daf41a472ccb50dee45e +# Parent 0efca22bbafd7575b20461f255c46157c9321822 +[PATCH] 31 +From a7cbf64ba8ac07a4a1fdea91f39da56d86af03bf Mon Sep 17 00:00:00 2001 +--- + nss/lib/freebl/unix_rand.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +Index: nss/lib/freebl/unix_rand.c +=================================================================== +--- nss.orig/lib/freebl/unix_rand.c ++++ nss/lib/freebl/unix_rand.c +@@ -24,6 +24,7 @@ + #include "prthread.h" + #include "prprf.h" + #include "prenv.h" ++#include "fips.h" + + #ifdef NSS_USE_GETRANDOM + # ifndef __NR_getrandom +@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void) + } + + /* grab some data from system's PRNG before any other files. */ +- bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT); ++ bytes = RNG_FileUpdate(FIPS_mode() ? "/dev/random" : "/dev/urandom", SYSTEM_RNG_SEED_COUNT); + if (!bytes) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + } +@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen) + int ret; + + do { +- ret = syscall(__NR_getrandom, buf + inBytes, maxLen - inBytes, 0); ++ ret = syscall(__NR_getrandom, buf + inBytes, maxLen - inBytes, ++ FIPS_mode () ? GRND_RANDOM : 0); + + if (0 < ret) + inBytes += ret; +@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen) + size_t fileBytes = 0; + unsigned char *buffer = dest; + +- file = fopen("/dev/urandom", "r"); ++ file = fopen(FIPS_mode() ? "/dev/random" : "/dev/urandom", "r"); + if (file == NULL) { + PORT_SetError(SEC_ERROR_NEED_RANDOM); + return 0; diff --git a/nss-fips-zeroization.patch b/nss-fips-zeroization.patch new file mode 100644 index 0000000..e5e7093 --- /dev/null +++ b/nss-fips-zeroization.patch 
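Review bot: `GRND_RANDOM` and `/dev/random` add blocking without adding strength: on kernels before 5.6 they block until the legacy blocking pool's entropy estimate is satisfied, which in freshly booted VMs and containers can stall every FIPS-mode process for a long time, and since 5.6 `/dev/random` is the same CRNG as `/dev/urandom` once initialised. Plain `getrandom(..., 0)` already blocks exactly until the CRNG is seeded, which is the property a DRBG seed needs, so `FIPS_mode () ? GRND_RANDOM : 0` can simply stay `0`; if GRND_RANDOM is kept for certification reasons, record the trade-off at the call: `/* FIPS: GRND_RANDOM may block for long periods on pre-5.6 kernels; accepted for seed quality */`. The `fopen` fallback and `RNG_FileUpdate` call inherit the same blocking behaviour with no timeout, so a stalled `read()` on `/dev/random` hangs library initialisation rather than failing.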
@@ -0,0 +1,214 @@ +# HG changeset patch +# User Hans Petter Jansson +# Date 1574240665 -3600 +# Wed Nov 20 10:04:25 2019 +0100 +# Node ID 3a2cb65dc157344cdad19e8e16e9c33e36f82d96 +# Parent 2d4483f4a1259f965f32ff4c65436e92aef83be7 +[PATCH 07/10] 29 +From 76da775313bd40a1353a9d2f6cc43ebe1a287574 Mon Sep 17 00:00:00 2001 +--- + nss/lib/freebl/aeskeywrap.c | 1 + + nss/lib/freebl/cts.c | 18 +++++++++------ + nss/lib/freebl/dh.c | 4 ++++ + nss/lib/freebl/ec.c | 2 +- + nss/lib/freebl/gcm.c | 45 +++++++++++++++++++++++++++++++++---- + 5 files changed, 58 insertions(+), 12 deletions(-) + +Index: nss/lib/freebl/aeskeywrap.c +=================================================================== +--- nss.orig/lib/freebl/aeskeywrap.c ++++ nss/lib/freebl/aeskeywrap.c +@@ -102,6 +102,7 @@ AESKeyWrap_DestroyContext(AESKeyWrapCont + { + if (cx) { + AES_DestroyContext(&cx->aescx, PR_FALSE); ++ memset(cx->iv, 0, sizeof (cx->iv)); + /* memset(cx, 0, sizeof *cx); */ + if (freeit) { + PORT_Free(cx->mem); +Index: nss/lib/freebl/cts.c +=================================================================== +--- nss.orig/lib/freebl/cts.c ++++ nss/lib/freebl/cts.c +@@ -37,6 +37,7 @@ CTS_CreateContext(void *context, freeblC + void + CTS_DestroyContext(CTSContext *cts, PRBool freeit) + { ++ PORT_Memset(cts, 0, sizeof(CTSContext)); + if (freeit) { + PORT_Free(cts); + } +@@ -135,7 +136,7 @@ CTS_EncryptUpdate(CTSContext *cts, unsig + PORT_Memset(lastBlock + inlen, 0, blocksize - inlen); + rv = (*cts->cipher)(cts->context, outbuf, &tmp, maxout, lastBlock, + blocksize, blocksize); +- PORT_Memset(lastBlock, 0, blocksize); ++ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE); + if (rv == SECSuccess) { + *outlen = written + blocksize; + } else { +@@ -230,13 +231,15 @@ CTS_DecryptUpdate(CTSContext *cts, unsig + rv = (*cts->cipher)(cts->context, outbuf, outlen, maxout, inbuf, + fullblocks, blocksize); + if (rv != SECSuccess) { +- return SECFailure; ++ rv = SECFailure; ++ goto cleanup; + } + *outlen = fullblocks; /* 
AES low level doesn't set outlen */ + inbuf += fullblocks; + inlen -= fullblocks; + if (inlen == 0) { +- return SECSuccess; ++ rv = SECSuccess; ++ goto cleanup; + } + outbuf += fullblocks; + +@@ -280,9 +283,9 @@ CTS_DecryptUpdate(CTSContext *cts, unsig + rv = (*cts->cipher)(cts->context, Pn, &tmpLen, blocksize, lastBlock, + blocksize, blocksize); + if (rv != SECSuccess) { +- PORT_Memset(lastBlock, 0, blocksize); + PORT_Memset(saveout, 0, *outlen); +- return SECFailure; ++ rv = SECFailure; ++ goto cleanup; + } + /* make up for the out of order CBC decryption */ + XOR_BLOCK(Pn, Cn_2, blocksize); +@@ -297,7 +300,8 @@ CTS_DecryptUpdate(CTSContext *cts, unsig + /* clear last block. At this point last block contains Pn xor Cn_1 xor + * Cn_2, both of with an attacker would know, so we need to clear this + * buffer out */ +- PORT_Memset(lastBlock, 0, blocksize); ++cleanup: ++ PORT_Memset(lastBlock, 0, MAX_BLOCK_SIZE); + /* Cn, Cn_1, and Cn_2 have encrypted data, so no need to clear them */ +- return SECSuccess; ++ return rv; + } +Index: nss/lib/freebl/dh.c +=================================================================== +--- nss.orig/lib/freebl/dh.c ++++ nss/lib/freebl/dh.c +@@ -192,6 +192,10 @@ cleanup: + rv = SECFailure; + } + if (rv) { ++ SECITEM_ZfreeItem(&key->prime, PR_FALSE); ++ SECITEM_ZfreeItem(&key->base, PR_FALSE); ++ SECITEM_ZfreeItem(&key->publicValue, PR_FALSE); ++ SECITEM_ZfreeItem(&key->privateValue, PR_FALSE); + *privKey = NULL; + PORT_FreeArena(arena, PR_TRUE); + } +Index: nss/lib/freebl/ec.c +=================================================================== +--- nss.orig/lib/freebl/ec.c ++++ nss/lib/freebl/ec.c +@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con + ECParams *ecParams = NULL; + SECItem pointC = { siBuffer, NULL, 0 }; + int slen; /* length in bytes of a half signature (r or s) */ +- int flen; /* length in bytes of the field size */ ++ int flen = 0; /* length in bytes of the field size */ + unsigned olen; /* length in bytes 
of the base point order */ + unsigned obits; /* length in bits of the base point order */ + +Index: nss/lib/freebl/gcm.c +=================================================================== +--- nss.orig/lib/freebl/gcm.c ++++ nss/lib/freebl/gcm.c +@@ -162,6 +162,9 @@ bmul(uint64_t x, uint64_t y, uint64_t *r + + *r_high = (uint64_t)(r >> 64); + *r_low = (uint64_t)r; ++ ++ /* Zeroization */ ++ x1 = x2 = x3 = x4 = x5 = y1 = y2 = y3 = y4 = y5 = r = z = 0; + } + + SECStatus +@@ -200,6 +203,12 @@ gcm_HashMult_sftw(gcmHashContext *ghash, + } + ghash->x_low = ci_low; + ghash->x_high = ci_high; ++ ++ /* Zeroization */ ++ ci_low = ci_high = z2_low = z2_high = z0_low = z0_high = z1a_low = z1a_high = 0; ++ z_low = z_high = 0; ++ i = 0; ++ + return SECSuccess; + } + #else +@@ -239,6 +248,10 @@ bmul32(uint32_t x, uint32_t y, uint32_t + z = z0 | z1 | z2 | z3; + *r_high = (uint32_t)(z >> 32); + *r_low = (uint32_t)z; ++ ++ /* Zeroization */ ++ x0 = x1 = x2 = x3 = y0 = y1 = y2 = y3 = 0; ++ z0 = z1 = z2 = z3 = z = 0; + } + + SECStatus +@@ -324,6 +337,20 @@ gcm_HashMult_sftw32(gcmHashContext *ghas + ghash->x_high = z_high_h; + ghash->x_low = z_high_l; + } ++ ++ /* Zeroization */ ++ ci_low = ci_high = z_high_h = z_high_l = z_low_h = z_low_l = 0; ++ ++ ci_high_h = ci_high_l = ci_low_h = ci_low_l ++ = b_a_h = b_a_l = a_a_h = a_a_l = b_b_h = b_b_l ++ = a_b_h = a_b_l = b_c_h = b_c_l = a_c_h = a_c_l = c_c_h = c_c_l ++ = ci_highXlow_h = ci_highXlow_l = c_a_h = c_a_l = c_b_h = c_b_l ++ = h_high_h = h_high_l = h_low_h = h_low_l = h_highXlow_h = h_highXlow_l ++ = h_highX_xored ++ = 0; ++ ++ i = 0; ++ + return SECSuccess; + } + #endif /* HAVE_INT128_SUPPORT */ +@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig + /* verify the block */ + rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen); + if (rv != SECSuccess) { +- return SECFailure; ++ rv = SECFailure; ++ goto cleanup; + } + rv = gcm_GetTag(gcm, tag, &len, AES_BLOCK_SIZE); + if (rv != SECSuccess) { +- return SECFailure; ++ rv = 
SECFailure; ++ goto cleanup; + } + /* Don't decrypt if we can't authenticate the encrypted data! + * This assumes that if tagBits is not a multiple of 8, intag will +@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig + if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { + /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ + PORT_SetError(SEC_ERROR_BAD_DATA); +- PORT_Memset(tag, 0, sizeof(tag)); +- return SECFailure; ++ rv = SECFailure; ++ goto cleanup; + } ++cleanup: ++ tagBytes = 0; + PORT_Memset(tag, 0, sizeof(tag)); ++ intag = NULL; ++ len = 0; ++ if (rv != SECSuccess) { ++ return rv; ++ } ++ + /* finish the decryption */ + return CTR_Update(&gcm->ctr_context, outbuf, outlen, maxout, + inbuf, inlen, AES_BLOCK_SIZE); diff --git a/nss-fix-bmo1836925.patch b/nss-fix-bmo1836925.patch new file mode 100644 index 0000000..fdb744a --- /dev/null +++ b/nss-fix-bmo1836925.patch 
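Review bot: The `x1 = x2 = ... = 0;` and `i = 0;` assignments added under `/* Zeroization */` in bmul, gcm_HashMult_sftw, bmul32 and gcm_HashMult_sftw32 are dead stores to locals that leave scope on the next line, so the optimizer may drop them and they provide no zeroization guarantee; the same applies to `tagBytes = 0; intag = NULL; len = 0;` in GCM_DecryptUpdate, where only `PORT_Memset(tag, 0, sizeof(tag))` on the array does real work. In AESKeyWrap_DestroyContext the new line uses plain `memset` while every other wipe in the patch uses `PORT_Memset`; `PORT_Memset(cx->iv, 0, sizeof(cx->iv));` would be consistent, though since it runs right before the context is freed neither form is safe from dead-store elimination unless the build uses a wipe the compiler cannot elide. In the dh.c hunk the four `SECITEM_ZfreeItem(&key->...)` calls run on every failure path under `if (rv)`; if `key` can still be NULL there (its allocation is outside the hunk) they need a `key != NULL` guard, which is worth confirming against the surrounding function.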
@@ -0,0 +1,69 @@ +Index: nss/lib/freebl/Makefile +=================================================================== +--- nss.orig/lib/freebl/Makefile ++++ nss/lib/freebl/Makefile +@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null + HAVE_INT128_SUPPORT = 1 + DEFINES += -DHAVE_INT128_SUPPORT + else ifeq (1,$(CC_IS_GCC)) +- SUPPORTS_VALE_CURVE25519 = 1 + ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION)))) + HAVE_INT128_SUPPORT = 1 + DEFINES += -DHAVE_INT128_SUPPORT +@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT + DEFINES += -DKRML_VERIFIED_UINT128 + endif + +-ifdef SUPPORTS_VALE_CURVE25519 +- VERIFIED_SRCS += Hacl_Curve25519_64.c +- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM +-endif +- + ifndef NSS_DISABLE_CHACHAPOLY + ifeq ($(CPU_ARCH),x86_64) + ifndef NSS_DISABLE_AVX2 +Index: nss/lib/freebl/freebl.gyp +=================================================================== +--- nss.orig/lib/freebl/freebl.gyp ++++ nss/lib/freebl/freebl.gyp +@@ -866,12 +866,6 @@ + }], + ], + }], +- [ 'supports_vale_curve25519==1', { +- 'defines': [ +- # The Makefile does version-tests on GCC, but we're not doing that here. 
+- 'HACL_CAN_COMPILE_INLINE_ASM', +- ], +- }], + [ 'OS=="linux" or OS=="android"', { + 'conditions': [ + [ 'target_arch=="x64"', { +@@ -934,11 +928,6 @@ + 'variables': { + 'module': 'nss', + 'conditions': [ +- [ 'target_arch=="x64" and cc_is_gcc==1', { +- 'supports_vale_curve25519%': 1, +- }, { +- 'supports_vale_curve25519%': 0, +- }], + [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', { + 'have_int128_support%': 1, + }, { +Index: nss/lib/freebl/freebl_base.gypi +=================================================================== +--- nss.orig/lib/freebl/freebl_base.gypi ++++ nss/lib/freebl/freebl_base.gypi +@@ -151,11 +151,6 @@ + 'ecl/curve25519_32.c', + ], + }], +- ['supports_vale_curve25519==1', { +- 'sources': [ +- 'verified/Hacl_Curve25519_64.c', +- ], +- }], + ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', { + 'sources': [ + # Gyp does not support per-file cflags, so working around like this. diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch new file mode 100644 index 0000000..5ce6d7c --- /dev/null +++ b/nss-no-rpath.patch 
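Review bot: The patch has no header at all, so a reader must look up bmo#1836925 to learn why `SUPPORTS_VALE_CURVE25519`, the `HACL_CAN_COMPILE_INLINE_ASM` define and the `verified/Hacl_Curve25519_64.c` source are dropped from the Makefile and both gyp files; a short header at the top, such as `# bmo#1836925: stop building the Vale inline-assembly Curve25519 (Hacl_Curve25519_64.c) on x86_64/GCC; freebl uses its remaining Curve25519 sources instead`, would make the intent reviewable without leaving the file. The removal is applied consistently in the Makefile, freebl.gyp and freebl_base.gypi as far as these three hunks show; whether any other reference to `supports_vale_curve25519` remains elsewhere cannot be seen from here.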
@@ -0,0 +1,32 @@ +# HG changeset patch +# Parent 796f0564feb6df3081b8ff7cb3a0d354053b3d2c +Index: security/nss/cmd/platlibs.mk +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v +retrieving revision 1.71 + +diff --git a/cmd/platlibs.mk b/cmd/platlibs.mk +--- a/cmd/platlibs.mk ++++ b/cmd/platlibs.mk +@@ -13,19 +13,19 @@ ifeq ($(USE_64), 1) + EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64' + else + EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' + endif + endif + + ifeq ($(OS_ARCH), Linux) + ifeq ($(USE_64), 1) +-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' ++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' + else +-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' ++#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' + endif + endif + + endif # BUILD_SUN_PKG + + ifdef NSS_DISABLE_DBM + DBMLIB = $(NULL) + else diff --git a/nss-opt.patch b/nss-opt.patch new file mode 100644 index 0000000..fab20a4 --- /dev/null +++ b/nss-opt.patch @@ -0,0 +1,17 @@ +Index: nss/coreconf/Linux.mk +=================================================================== +--- nss.orig/coreconf/Linux.mk ++++ nss/coreconf/Linux.mk +@@ -114,11 +114,7 @@ LIBC_TAG = _glibc + endif + + ifdef BUILD_OPT +-ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) +- OPTIMIZER = -Os +-else +- OPTIMIZER = -O2 +-endif ++ OPTIMIZER = $(OPT_FLAGS) + ifdef MOZ_DEBUG_SYMBOLS + ifdef MOZ_DEBUG_FLAGS + OPTIMIZER += $(MOZ_DEBUG_FLAGS) diff --git a/nss-sqlitename.patch b/nss-sqlitename.patch new file mode 100644 index 0000000..d8a62a9 --- /dev/null +++ b/nss-sqlitename.patch 
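Review bot: The two `EXTRA_SHARED_LIBS += -Wl,-rpath,...` lines are commented out rather than deleted, which leaves dead text inside the `BUILD_SUN_PKG` Linux block that a later sync could re-enable by mistake; deleting the two lines (or the whole `ifeq ($(OS_ARCH), Linux)` block they live in) states the packaging intent more clearly. The header above the hunk mixes an HG `# Parent` line with CVS `RCS file`/`retrieving revision` lines that no longer correspond to anything and could be dropped.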
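Review bot: `OPTIMIZER = $(OPT_FLAGS)` replaces the `-O2`/`-Os` selection with a variable the patch never gives a default for, so a build that does not export OPT_FLAGS silently compiles NSS without optimization. `OPTIMIZER = $(if $(OPT_FLAGS),$(OPT_FLAGS),-O2)` keeps the previous default when the packaging flags are absent, and a one-line comment above it naming where OPT_FLAGS is expected to come from would help the next reader.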
@@ -0,0 +1,29 @@ +# HG changeset patch +# User M. Sirringhaus +# Date 1590407652 -7200 +# Mon May 25 13:54:12 2020 +0200 +# Node ID b1d7045b31cf4090c0b78003c77a2eb6c8c57436 +# Parent e3d3ed5e142b172289d9d4a1c7fc63dfd4359410 +Index: security/nss/lib/sqlite/manifest.mn +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v +retrieving revision 1.5 + +diff -r e3d3ed5e142b -r b1d7045b31cf lib/sqlite/manifest.mn +--- a/lib/sqlite/manifest.mn Mon Sep 18 11:24:00 2017 +0200 ++++ b/lib/sqlite/manifest.mn Mon May 25 13:54:12 2020 +0200 +@@ -6,11 +6,11 @@ + + MODULE = nss + +-LIBRARY_NAME = sqlite ++LIBRARY_NAME = nsssqlite + LIBRARY_VERSION = 3 +-MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def ++MAPFILE = $(OBJDIR)/sqlite.def + RES = $(NULL) +- ++MAPFILE_SOURCE = sqlite.def + DEFINES += -DSQLITE_THREADSAFE=1 + + PRIVATE_EXPORTS = \ diff --git a/nss-util-config.in b/nss-util-config.in new file mode 100644 index 0000000..5f4504e --- /dev/null +++ b/nss-util-config.in 
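Review bot: The HG header carries User/Date/Node lines but no description, so the reason for renaming the library to `nsssqlite` while pinning the map file to `$(OBJDIR)/sqlite.def` and adding `MAPFILE_SOURCE = sqlite.def` is only implied by the file name, presumably avoiding a name clash with the system sqlite library; if so, one description line saying exactly that would document it. It is also worth confirming that the coreconf rules in this tree honour `MAPFILE_SOURCE`, since nothing in the hunk shows where it is consumed.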
@@ -0,0 +1,118 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=@exec_prefix@ +fi +if test -z "$includedir"; then + includedir=@includedir@ +fi +if test -z "$libdir"; then + libdir=@libdir@ +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/nss-util.pc.in b/nss-util.pc.in new file mode 100644 index 0000000..c2dd036 --- /dev/null +++ b/nss-util.pc.in @@ -0,0 +1,11 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=%LIBDIR% +includedir=${prefix}/include/nss3 + +Name: NSS-UTIL +Description: Network Security Services Utility Library +Version: %VERSION% +Requires: nspr >= %NSPR_VERSION% +Libs: -lnssutil3 +Cflags: -I${includedir} 
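Review bot: Every output path is echoed unquoted (`echo $prefix`, `echo -I$includedir`, `echo $libdirs`) and `libdirs="-Wl,-rpath-link,$libdir -L$libdir"` is built from the raw `--libdir=` argument, so a prefix containing spaces or glob characters is word-split and glob-expanded before it reaches the caller; quoting them (`echo "$prefix"`, `echo "-I$includedir"`, `echo "$libdirs"`) fixes that. `--version` prints immediately inside the option loop while every other query is deferred to the end, so combined invocations print in an order that depends on argument position rather than the other queries; moving it to an `echo_version=yes` flag like the rest would be consistent. The `usage()` heredoc appears truncated in this rendering (`cat <&2`), so its text could not be reviewed.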
diff --git a/nss.pc.in b/nss.pc.in new file mode 100644 index 0000000..8db9b60 --- /dev/null +++ b/nss.pc.in @@ -0,0 +1,11 @@ +prefix=/usr +exec_prefix=${prefix} +libdir=%LIBDIR% +includedir=${prefix}/include/nss3 + +Name: NSS +Description: Network Security Services +Version: %VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %VERSION% +Libs: -lssl3 -lsmime3 -lnss3 +Cflags: -I${includedir} diff --git a/pkcs11.txt b/pkcs11.txt new file mode 100644 index 0000000..7c56fd2 --- /dev/null +++ b/pkcs11.txt @@ -0,0 +1,5 @@ +library=libnsssysinit.so +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh new file mode 100644 index 0000000..9c1727b --- /dev/null +++ b/setup-nsssysinit.sh 
@@ -0,0 +1,55 @@ +#!/bin/sh +# +# Turns on or off the nss-sysinit module db by editing the +# global PKCS #11 congiguration file. +# +# This script can be invoked by the user as super user. +# It is invoked at nss-sysinit post install time with argument on +# and at nss-sysinit pre uninstall with argument off. +# +usage() +{ + cat <&2 +fi + +# the system-wide configuration file +p11conf="/etc/pki/nssdb/pkcs11.txt" +# must exist, otherwise report it and exit with failure +if [ ! -f $p11conf ]; then + echo "Could not find ${p11conf}" + exit 1 +fi + +on="1" +case "$1" in + on | ON ) + cat ${p11conf} | \ + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on + mv ${p11conf}.on ${p11conf} + ;; + off | OFF ) + if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=libnsssysinit.so/library=/' \ + -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ + ${p11conf}.off + mv ${p11conf}.off ${p11conf} + ;; + * ) + usage 1 1>&2 + ;; +esac diff --git a/system-nspr.patch b/system-nspr.patch new file mode 100644 index 0000000..0efb0c9 --- /dev/null +++ b/system-nspr.patch @@ -0,0 +1,17 @@ +diff --git a/Makefile b/Makefile +index eb4ed1a..de9c13d 100644 +--- a/Makefile ++++ b/Makefile +@@ -48,12 +48,10 @@ include $(CORE_DEPTH)/coreconf/rules.mk + ####################################################################### + + nss_build_all: +- $(MAKE) build_nspr + $(MAKE) all + $(MAKE) latest + + nss_clean_all: +- $(MAKE) clobber_nspr + $(MAKE) clobber + + NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
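Review bot: In both the `on` and `off` branches the `mv ${p11conf}.on ${p11conf}` / `mv ${p11conf}.off ${p11conf}` runs unconditionally after the `sed` pipeline, so a failed or truncated write (full disk, I/O error) replaces the system-wide `/etc/pki/nssdb/pkcs11.txt` with a partial file; chaining the rename on the sed exit status and removing the temp file on failure avoids that. The `off` guard `if [ ! \`grep "^library=libnsssysinit" ${p11conf}\` ]` relies on unquoted command substitution, which misbehaves when grep matches more than one line; `if ! grep -q "^library=libnsssysinit" "${p11conf}"; then exit 0; fi` is the intended test. The `cat ${p11conf} | sed` pipelines can pass the file to sed directly, `on="1"` is never read, and the header comment spells "configuration" as "congiguration".
```shell
case "$1" in
  on | ON )
    sed -e 's/^library=$/library=libnsssysinit.so/' \
        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' \
        "${p11conf}" > "${p11conf}.on" \
      && mv "${p11conf}.on" "${p11conf}" \
      || { rm -f "${p11conf}.on"; exit 1; }
    ;;
  off | OFF )
    if ! grep -q "^library=libnsssysinit" "${p11conf}"; then
      exit 0
    fi
    sed -e 's/^library=libnsssysinit.so/library=/' \
        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' \
        "${p11conf}" > "${p11conf}.off" \
      && mv "${p11conf}.off" "${p11conf}" \
      || { rm -f "${p11conf}.off"; exit 1; }
    ;;
  # … unchanged: usage branch …
esac
```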