Accepting request 1071795 from mozilla:Factory
- update to NSS 3.88.1 * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types - update to NSS 3.88 * bmo#1815870 - use a different treeherder symbol for each docker image build task * bmo#1815868 - pin an older version of the ubuntu:18.04 and 20.04 docker images * bmo#1810702 - remove nested table in rst doc * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag. * bmo#1812671 - build failure while implicitly casting SECStatus to PRUInt32 * bmo#1212915 - Add check for ClientHello SID max length * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim * bmo#1790357 - ECH client - Discard resumption TLS < 1.3 Session(IDs|Tickets) if ECH configs are setup * bmo#1714245 - On HRR skip PSK incompatible with negotiated ciphersuites hash algorithm * bmo#1789410 - ECH client: Send ech_required alert on server negotiating TLS 1.2. Fixed misleading Gtest, enabled corresponding BoGo test * bmo#1771100 - Added Bogo ECH rejection test support * bmo#1771100 - Added ECH 0Rtt support to BoGo shim * bmo#1747957 - RSA OAEP Wycheproof JSON * bmo#1747957 - RSA decrypt Wycheproof JSON * bmo#1747957 - ECDSA Wycheproof JSON * bmo#1747957 - ECDH Wycheproof JSON * bmo#1747957 - PKCS#1v1.5 wycheproof json * bmo#1747957 - Use X25519 wycheproof json * bmo#1766767 - Move scripts to python3 * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz. OBS-URL: https://build.opensuse.org/request/show/1071795 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=199
This commit is contained in:
commit
1132de695b
@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/coreconf/Linux.mk
|
--- nss.orig/coreconf/Linux.mk
|
||||||
+++ nss/coreconf/Linux.mk
|
+++ nss/coreconf/Linux.mk
|
||||||
@@ -183,6 +183,12 @@ endif
|
@@ -184,6 +184,12 @@ endif
|
||||||
endif
|
endif
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
@ -2,7 +2,7 @@ Index: nss/tests/ssl/ssl.sh
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/tests/ssl/ssl.sh
|
--- nss.orig/tests/ssl/ssl.sh
|
||||||
+++ nss/tests/ssl/ssl.sh
|
+++ nss/tests/ssl/ssl.sh
|
||||||
@@ -1683,6 +1683,7 @@ ssl_run_tests()
|
@@ -1696,6 +1696,7 @@ ssl_run_tests()
|
||||||
|
|
||||||
################################# main #################################
|
################################# main #################################
|
||||||
|
|
||||||
|
@ -1,3 +1,43 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Mar 11 13:21:23 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
|
||||||
|
|
||||||
|
- update to NSS 3.88.1
|
||||||
|
* bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
|
||||||
|
- update to NSS 3.88
|
||||||
|
* bmo#1815870 - use a different treeherder symbol for each docker
|
||||||
|
image build task
|
||||||
|
* bmo#1815868 - pin an older version of the ubuntu:18.04 and
|
||||||
|
20.04 docker images
|
||||||
|
* bmo#1810702 - remove nested table in rst doc
|
||||||
|
* bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
|
||||||
|
* bmo#1812671 - build failure while implicitly casting SECStatus
|
||||||
|
to PRUInt32
|
||||||
|
* bmo#1212915 - Add check for ClientHello SID max length
|
||||||
|
* bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
|
||||||
|
* bmo#1790357 - ECH client - Discard resumption TLS < 1.3
|
||||||
|
Session(IDs|Tickets) if ECH configs are setup
|
||||||
|
* bmo#1714245 - On HRR skip PSK incompatible with negotiated
|
||||||
|
ciphersuites hash algorithm
|
||||||
|
* bmo#1789410 - ECH client: Send ech_required alert on server
|
||||||
|
negotiating TLS 1.2. Fixed misleading Gtest,
|
||||||
|
enabled corresponding BoGo test
|
||||||
|
* bmo#1771100 - Added Bogo ECH rejection test support
|
||||||
|
* bmo#1771100 - Added ECH 0Rtt support to BoGo shim
|
||||||
|
* bmo#1747957 - RSA OAEP Wycheproof JSON
|
||||||
|
* bmo#1747957 - RSA decrypt Wycheproof JSON
|
||||||
|
* bmo#1747957 - ECDSA Wycheproof JSON
|
||||||
|
* bmo#1747957 - ECDH Wycheproof JSON
|
||||||
|
* bmo#1747957 - PKCS#1v1.5 wycheproof json
|
||||||
|
* bmo#1747957 - Use X25519 wycheproof json
|
||||||
|
* bmo#1766767 - Move scripts to python3
|
||||||
|
* bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
|
||||||
|
* bmo#1805907 - Extending RSA-PSS bltest test coverage
|
||||||
|
(Adding SHA-256 and SHA-384)
|
||||||
|
* bmo#1804091 - NSS needs to move off of DSA for integrity checks
|
||||||
|
* bmo#1805815 - Add initial testing with ACVP vector sets using
|
||||||
|
acvp-rust
|
||||||
|
* bmo#1806369 - Don't clone libFuzzer, rely on clang instead
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Feb 14 23:09:39 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
|
Tue Feb 14 23:09:39 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
|
||||||
|
|
||||||
|
@ -17,14 +17,14 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
%global nss_softokn_fips_version 3.87
|
%global nss_softokn_fips_version 3.88
|
||||||
%define NSPR_min_version 4.35
|
%define NSPR_min_version 4.35
|
||||||
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
|
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
|
||||||
%define nssdbdir %{_sysconfdir}/pki/nssdb
|
%define nssdbdir %{_sysconfdir}/pki/nssdb
|
||||||
Name: mozilla-nss
|
Name: mozilla-nss
|
||||||
Version: 3.87
|
Version: 3.88.1
|
||||||
Release: 0
|
Release: 0
|
||||||
%define underscore_version 3_87
|
%define underscore_version 3_88_1
|
||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
License: MPL-2.0
|
License: MPL-2.0
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:68a1894496d3d158babc75f8a5dda3f55b7c1560573936e3b101a10fa4ac152d
|
|
||||||
size 71435408
|
|
3
nss-3.88.1.tar.gz
Normal file
3
nss-3.88.1.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:27d243edf87d1cf1bb9c861f03d387e0e9230ce5017f4308c941f558b54b3496
|
||||||
|
size 71607211
|
@ -29,7 +29,7 @@ Index: nss/lib/softoken/sftkpwd.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/sftkpwd.c
|
--- nss.orig/lib/softoken/sftkpwd.c
|
||||||
+++ nss/lib/softoken/sftkpwd.c
|
+++ nss/lib/softoken/sftkpwd.c
|
||||||
@@ -1439,7 +1439,7 @@ loser:
|
@@ -1459,7 +1459,7 @@ loser:
|
||||||
PORT_ZFree(newKey.data, newKey.len);
|
PORT_ZFree(newKey.data, newKey.len);
|
||||||
}
|
}
|
||||||
if (result) {
|
if (result) {
|
||||||
|
@ -440,7 +440,7 @@ Index: nss/lib/freebl/nsslowhash.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/nsslowhash.c
|
--- nss.orig/lib/freebl/nsslowhash.c
|
||||||
+++ nss/lib/freebl/nsslowhash.c
|
+++ nss/lib/freebl/nsslowhash.c
|
||||||
@@ -12,6 +12,7 @@
|
@@ -13,6 +13,7 @@
|
||||||
#include "plhash.h"
|
#include "plhash.h"
|
||||||
#include "nsslowhash.h"
|
#include "nsslowhash.h"
|
||||||
#include "blapii.h"
|
#include "blapii.h"
|
||||||
@ -448,7 +448,7 @@ Index: nss/lib/freebl/nsslowhash.c
|
|||||||
|
|
||||||
struct NSSLOWInitContextStr {
|
struct NSSLOWInitContextStr {
|
||||||
int count;
|
int count;
|
||||||
@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
|
@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
|
||||||
{
|
{
|
||||||
NSSLOWHASHContext *context;
|
NSSLOWHASHContext *context;
|
||||||
|
|
||||||
@ -487,7 +487,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/pkcs11c.c
|
--- nss.orig/lib/softoken/pkcs11c.c
|
||||||
+++ nss/lib/softoken/pkcs11c.c
|
+++ nss/lib/softoken/pkcs11c.c
|
||||||
@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
} else {
|
} else {
|
||||||
/* now allocate the hash contexts */
|
/* now allocate the hash contexts */
|
||||||
md5 = MD5_NewContext();
|
md5 = MD5_NewContext();
|
||||||
|
@ -10,10 +10,11 @@ From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001
|
|||||||
nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
|
nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
|
||||||
1 file changed, 101 insertions(+), 11 deletions(-)
|
1 file changed, 101 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
Index: nss/cmd/fipstest/fipstest.c
|
||||||
--- a/cmd/fipstest/fipstest.c
|
===================================================================
|
||||||
+++ b/cmd/fipstest/fipstest.c
|
--- nss.orig/cmd/fipstest/fipstest.c
|
||||||
@@ -5576,7 +5576,7 @@
|
+++ nss/cmd/fipstest/fipstest.c
|
||||||
|
@@ -5575,7 +5575,7 @@ loser:
|
||||||
void
|
void
|
||||||
dsa_pqggen_test(char *reqfn)
|
dsa_pqggen_test(char *reqfn)
|
||||||
{
|
{
|
||||||
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
* or to the output RESPONSE file.
|
* or to the output RESPONSE file.
|
||||||
* 800 to hold seed = (384 public key (x2 for HEX)
|
* 800 to hold seed = (384 public key (x2 for HEX)
|
||||||
*/
|
*/
|
||||||
@@ -5592,6 +5592,13 @@
|
@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
|
||||||
PQGVerify *vfy = NULL;
|
PQGVerify *vfy = NULL;
|
||||||
unsigned int keySizeIndex = 0;
|
unsigned int keySizeIndex = 0;
|
||||||
dsa_pqg_type type = FIPS186_1;
|
dsa_pqg_type type = FIPS186_1;
|
||||||
@ -36,7 +37,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
|
|
||||||
dsareq = fopen(reqfn, "r");
|
dsareq = fopen(reqfn, "r");
|
||||||
dsaresp = stdout;
|
dsaresp = stdout;
|
||||||
@@ -5612,8 +5619,8 @@
|
@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn)
|
||||||
output_g = 1;
|
output_g = 1;
|
||||||
exit(1);
|
exit(1);
|
||||||
} else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
|
} else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
|
||||||
@ -47,7 +48,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
} else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
|
} else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
|
||||||
type = A_1_2_1;
|
type = A_1_2_1;
|
||||||
output_g = 0;
|
output_g = 0;
|
||||||
@@ -5627,14 +5634,17 @@
|
@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn)
|
||||||
|
|
||||||
/* [Mod = ... ] */
|
/* [Mod = ... ] */
|
||||||
if (buf[0] == '[') {
|
if (buf[0] == '[') {
|
||||||
@ -59,15 +60,14 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
goto loser;
|
goto loser;
|
||||||
}
|
}
|
||||||
- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
|
- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
|
||||||
- goto loser;
|
|
||||||
+ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) {
|
+ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) {
|
||||||
+ goto loser;
|
goto loser;
|
||||||
+ } else {
|
+ } else {
|
||||||
+ hashtype = sha_get_hashType (hashbits);
|
+ hashtype = sha_get_hashType (hashbits);
|
||||||
}
|
}
|
||||||
|
|
||||||
fputs(buf, dsaresp);
|
fputs(buf, dsaresp);
|
||||||
@@ -5656,7 +5666,7 @@
|
@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
/* N = ... */
|
/* N = ... */
|
||||||
@ -76,7 +76,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
if (strncmp(buf, "Num", 3) == 0) {
|
if (strncmp(buf, "Num", 3) == 0) {
|
||||||
if (sscanf(buf, "Num = %d", &count) != 1) {
|
if (sscanf(buf, "Num = %d", &count) != 1) {
|
||||||
goto loser;
|
goto loser;
|
||||||
@@ -5671,7 +5681,10 @@
|
@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn)
|
||||||
rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
|
rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
|
||||||
&pqg, &vfy);
|
&pqg, &vfy);
|
||||||
} else {
|
} else {
|
||||||
@ -88,7 +88,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
}
|
}
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
fprintf(dsaresp,
|
fprintf(dsaresp,
|
||||||
@@ -5682,6 +5695,10 @@
|
@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn)
|
||||||
fprintf(dsaresp, "P = %s\n", buf);
|
fprintf(dsaresp, "P = %s\n", buf);
|
||||||
to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
|
to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
|
||||||
fprintf(dsaresp, "Q = %s\n", buf);
|
fprintf(dsaresp, "Q = %s\n", buf);
|
||||||
@ -99,7 +99,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
if (output_g) {
|
if (output_g) {
|
||||||
to_hex_str(buf, pqg->base.data, pqg->base.len);
|
to_hex_str(buf, pqg->base.data, pqg->base.len);
|
||||||
fprintf(dsaresp, "G = %s\n", buf);
|
fprintf(dsaresp, "G = %s\n", buf);
|
||||||
@@ -5697,13 +5714,13 @@
|
@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn)
|
||||||
}
|
}
|
||||||
fprintf(dsaresp, "%s\n", buf);
|
fprintf(dsaresp, "%s\n", buf);
|
||||||
} else {
|
} else {
|
||||||
@ -118,11 +118,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
fprintf(dsaresp, "qseed = %s\n", buf);
|
fprintf(dsaresp, "qseed = %s\n", buf);
|
||||||
fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
|
fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
|
||||||
fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
|
fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
|
||||||
@@ -5723,12 +5740,85 @@
|
@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn)
|
||||||
vfy = NULL;
|
vfy = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
-
|
|
||||||
+ continue;
|
+ continue;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
@ -180,7 +179,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
+
|
+
|
||||||
+ to_hex_str(buf, pqg->base.data, pqg->base.len);
|
+ to_hex_str(buf, pqg->base.data, pqg->base.len);
|
||||||
+ fprintf(dsaresp, "G = %s\n\n", buf);
|
+ fprintf(dsaresp, "G = %s\n\n", buf);
|
||||||
+
|
|
||||||
+ PQG_DestroyParams(pqg);
|
+ PQG_DestroyParams(pqg);
|
||||||
+ pqg = NULL;
|
+ pqg = NULL;
|
||||||
+ PQG_DestroyVerify(vfy);
|
+ PQG_DestroyVerify(vfy);
|
||||||
|
@ -102,7 +102,7 @@ Index: nss/cmd/fipstest/fipstest.c
|
|||||||
SECStatus
|
SECStatus
|
||||||
tdea_encrypt_buf(
|
tdea_encrypt_buf(
|
||||||
int mode,
|
int mode,
|
||||||
@@ -8930,41 +8994,6 @@ out:
|
@@ -8915,41 +8979,6 @@ out:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,7 +144,7 @@ Index: nss/cmd/fipstest/fipstest.c
|
|||||||
void
|
void
|
||||||
kas_ffc_test(char *reqfn, int do_validity)
|
kas_ffc_test(char *reqfn, int do_validity)
|
||||||
{
|
{
|
||||||
@@ -9387,12 +9416,34 @@ out:
|
@@ -9372,12 +9401,34 @@ out:
|
||||||
free_param_specs (pspecs);
|
free_param_specs (pspecs);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -11,10 +11,11 @@ From 4c27df62aa425745620f45710465b0264acacbb0 Mon Sep 17 00:00:00 2001
|
|||||||
nss/cmd/fipstest/kas.sh | 22 +++
|
nss/cmd/fipstest/kas.sh | 22 +++
|
||||||
2 files changed, 326 insertions(+)
|
2 files changed, 326 insertions(+)
|
||||||
|
|
||||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
Index: nss/cmd/fipstest/fipstest.c
|
||||||
--- a/cmd/fipstest/fipstest.c
|
===================================================================
|
||||||
+++ b/cmd/fipstest/fipstest.c
|
--- nss.orig/cmd/fipstest/fipstest.c
|
||||||
@@ -9092,6 +9092,301 @@
|
+++ nss/cmd/fipstest/fipstest.c
|
||||||
|
@@ -9077,6 +9077,301 @@ out:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -316,7 +317,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
@@ -9287,6 +9582,15 @@
|
@@ -9272,6 +9567,15 @@ main(int argc, char **argv)
|
||||||
} else {
|
} else {
|
||||||
kas_ffc_test(argv[3], PR_FALSE);
|
kas_ffc_test(argv[3], PR_FALSE);
|
||||||
}
|
}
|
||||||
@ -332,10 +333,11 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
|
Index: nss/cmd/fipstest/kas.sh
|
||||||
--- a/cmd/fipstest/kas.sh
|
===================================================================
|
||||||
+++ b/cmd/fipstest/kas.sh
|
--- nss.orig/cmd/fipstest/kas.sh
|
||||||
@@ -27,6 +27,16 @@
|
+++ nss/cmd/fipstest/kas.sh
|
||||||
|
@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini
|
||||||
KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
|
KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
|
||||||
"
|
"
|
||||||
|
|
||||||
@ -352,7 +354,7 @@ diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
|
|||||||
if [ ${COMMAND} = "verify" ]; then
|
if [ ${COMMAND} = "verify" ]; then
|
||||||
for request in $kas_requests; do
|
for request in $kas_requests; do
|
||||||
sh ./validate1.sh ${TESTDIR} $request
|
sh ./validate1.sh ${TESTDIR} $request
|
||||||
@@ -45,3 +55,15 @@
|
@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit
|
||||||
echo $request $response
|
echo $request $response
|
||||||
fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response
|
fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response
|
||||||
done
|
done
|
||||||
|
@ -12,10 +12,11 @@ From ac98082c3bc0c9f85213078b730980483062f25c Mon Sep 17 00:00:00 2001
|
|||||||
2 files changed, 241 insertions(+)
|
2 files changed, 241 insertions(+)
|
||||||
create mode 100644 nss/cmd/fipstest/kas.sh
|
create mode 100644 nss/cmd/fipstest/kas.sh
|
||||||
|
|
||||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
Index: nss/cmd/fipstest/fipstest.c
|
||||||
--- a/cmd/fipstest/fipstest.c
|
===================================================================
|
||||||
+++ b/cmd/fipstest/fipstest.c
|
--- nss.orig/cmd/fipstest/fipstest.c
|
||||||
@@ -2258,6 +2258,29 @@
|
+++ nss/cmd/fipstest/fipstest.c
|
||||||
|
@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -45,7 +46,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
int
|
int
|
||||||
fips_hashLen(HASH_HashType type)
|
fips_hashLen(HASH_HashType type)
|
||||||
{
|
{
|
||||||
@@ -8907,6 +8930,168 @@
|
@@ -8892,6 +8915,168 @@ out:
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -214,7 +215,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
@@ -9093,6 +9278,15 @@
|
@@ -9078,6 +9263,15 @@ main(int argc, char **argv)
|
||||||
/* AES Keywrap */
|
/* AES Keywrap */
|
||||||
/***************/
|
/***************/
|
||||||
keywrap(argv[2]);
|
keywrap(argv[2]);
|
||||||
@ -230,10 +231,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
|
Index: nss/cmd/fipstest/kas.sh
|
||||||
new file mode 100644
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/cmd/fipstest/kas.sh
|
+++ nss/cmd/fipstest/kas.sh
|
||||||
@@ -0,0 +1,47 @@
|
@@ -0,0 +1,47 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+#
|
+#
|
||||||
|
@ -12,10 +12,11 @@ From f4cbaf95fcf2519029bb3c4407b2f15aa27c94c1 Mon Sep 17 00:00:00 2001
|
|||||||
2 files changed, 200 insertions(+)
|
2 files changed, 200 insertions(+)
|
||||||
create mode 100644 nss/cmd/fipstest/keywrap.sh
|
create mode 100644 nss/cmd/fipstest/keywrap.sh
|
||||||
|
|
||||||
diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
|
Index: nss/cmd/fipstest/fipstest.c
|
||||||
--- a/cmd/fipstest/fipstest.c Sun Mar 15 21:54:30 2020 +0100
|
===================================================================
|
||||||
+++ b/cmd/fipstest/fipstest.c Wed Nov 20 08:13:43 2019 +0100
|
--- nss.orig/cmd/fipstest/fipstest.c
|
||||||
@@ -8752,6 +8752,161 @@
|
+++ nss/cmd/fipstest/fipstest.c
|
||||||
|
@@ -8737,6 +8737,161 @@ done:
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -177,7 +178,7 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
|
|||||||
int
|
int
|
||||||
main(int argc, char **argv)
|
main(int argc, char **argv)
|
||||||
{
|
{
|
||||||
@@ -8933,6 +9088,11 @@
|
@@ -8918,6 +9073,11 @@ main(int argc, char **argv)
|
||||||
ikev2(argv[2]);
|
ikev2(argv[2]);
|
||||||
} else if (strcmp(argv[1], "kbkdf") == 0) {
|
} else if (strcmp(argv[1], "kbkdf") == 0) {
|
||||||
kbkdf(argv[2]);
|
kbkdf(argv[2]);
|
||||||
@ -189,9 +190,10 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/keywrap.sh
|
Index: nss/cmd/fipstest/keywrap.sh
|
||||||
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
|
===================================================================
|
||||||
+++ b/cmd/fipstest/keywrap.sh Wed Nov 20 08:13:43 2019 +0100
|
--- /dev/null
|
||||||
|
+++ nss/cmd/fipstest/keywrap.sh
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,40 @@
|
||||||
+#!/bin/sh
|
+#!/bin/sh
|
||||||
+#
|
+#
|
||||||
|
@ -10,10 +10,11 @@ From 9b4636ad75add2ac09ce1844b3071785d563c275 Mon Sep 17 00:00:00 2001
|
|||||||
nss/cmd/fipstest/fipstest.c | 3 ++-
|
nss/cmd/fipstest/fipstest.c | 3 ++-
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
Index: nss/cmd/fipstest/fipstest.c
|
||||||
--- a/cmd/fipstest/fipstest.c
|
===================================================================
|
||||||
+++ b/cmd/fipstest/fipstest.c
|
--- nss.orig/cmd/fipstest/fipstest.c
|
||||||
@@ -6536,7 +6536,7 @@
|
+++ nss/cmd/fipstest/fipstest.c
|
||||||
|
@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn)
|
||||||
/* Output the signature */
|
/* Output the signature */
|
||||||
fputs(buf, rsaresp);
|
fputs(buf, rsaresp);
|
||||||
to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
|
to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
|
||||||
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
|
|||||||
|
|
||||||
/* Perform RSA verification with the RSA public key. */
|
/* Perform RSA verification with the RSA public key. */
|
||||||
rv = RSA_HashCheckSign(shaOid,
|
rv = RSA_HashCheckSign(shaOid,
|
||||||
@@ -9536,6 +9536,7 @@
|
@@ -9521,6 +9521,7 @@ main(int argc, char **argv)
|
||||||
init_functions();
|
init_functions();
|
||||||
RNG_RNGInit();
|
RNG_RNGInit();
|
||||||
SECOID_Init();
|
SECOID_Init();
|
||||||
|
@ -42,7 +42,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/pk11wrap/pk11mech.c
|
--- nss.orig/lib/pk11wrap/pk11mech.c
|
||||||
+++ nss/lib/pk11wrap/pk11mech.c
|
+++ nss/lib/pk11wrap/pk11mech.c
|
||||||
@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
||||||
return CKK_RSA;
|
return CKK_RSA;
|
||||||
case CKM_DSA:
|
case CKM_DSA:
|
||||||
case CKM_DSA_SHA1:
|
case CKM_DSA_SHA1:
|
||||||
@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
|
|||||||
case CKM_DSA_KEY_PAIR_GEN:
|
case CKM_DSA_KEY_PAIR_GEN:
|
||||||
return CKK_DSA;
|
return CKK_DSA;
|
||||||
case CKM_DH_PKCS_DERIVE:
|
case CKM_DH_PKCS_DERIVE:
|
||||||
@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
|
||||||
return CKK_KEA;
|
return CKK_KEA;
|
||||||
case CKM_ECDSA:
|
case CKM_ECDSA:
|
||||||
case CKM_ECDSA_SHA1:
|
case CKM_ECDSA_SHA1:
|
||||||
@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/pkcs11c.c
|
--- nss.orig/lib/softoken/pkcs11c.c
|
||||||
+++ nss/lib/softoken/pkcs11c.c
|
+++ nss/lib/softoken/pkcs11c.c
|
||||||
@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
|
@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
|
||||||
static SECStatus
|
static SECStatus
|
||||||
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
|
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
|
||||||
unsigned int *sigLen, unsigned int maxSigLen,
|
unsigned int *sigLen, unsigned int maxSigLen,
|
||||||
@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
{
|
{
|
||||||
SECItem signature, digest;
|
SECItem signature, digest;
|
||||||
SECStatus rv;
|
SECStatus rv;
|
||||||
@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
|
@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
static SECStatus
|
static SECStatus
|
||||||
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
|
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
|
||||||
void *dataBuf, unsigned int dataLen)
|
void *dataBuf, unsigned int dataLen)
|
||||||
@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
|
@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
|
||||||
static SECStatus
|
static SECStatus
|
||||||
nsc_ECDSASignStub(void *ctx, void *sigBuf,
|
nsc_ECDSASignStub(void *ctx, void *sigBuf,
|
||||||
unsigned int *sigLen, unsigned int maxSigLen,
|
unsigned int *sigLen, unsigned int maxSigLen,
|
||||||
@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
{
|
{
|
||||||
SECItem signature, digest;
|
SECItem signature, digest;
|
||||||
SECStatus rv;
|
SECStatus rv;
|
||||||
@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
|
@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
/* NSC_SignInit setups up the signing operations. There are three basic
|
/* NSC_SignInit setups up the signing operations. There are three basic
|
||||||
* types of signing:
|
* types of signing:
|
||||||
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
|
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
|
||||||
@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||||||
info->hashOid = SEC_OID_##mmm; \
|
info->hashOid = SEC_OID_##mmm; \
|
||||||
goto finish_rsa;
|
goto finish_rsa;
|
||||||
|
|
||||||
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
switch (pMechanism->mechanism) {
|
switch (pMechanism->mechanism) {
|
||||||
INIT_RSA_VFY_MECH(MD5)
|
INIT_RSA_VFY_MECH(MD5)
|
||||||
INIT_RSA_VFY_MECH(MD2)
|
INIT_RSA_VFY_MECH(MD2)
|
||||||
@@ -4825,6 +4873,73 @@ loser:
|
@@ -4829,6 +4877,73 @@ loser:
|
||||||
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
|
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
|
||||||
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
|
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
|
||||||
|
|
||||||
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
/*
|
/*
|
||||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||||
*
|
*
|
||||||
@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||||
|
|
||||||
/* Variables used for Signature/Verification functions. */
|
/* Variables used for Signature/Verification functions. */
|
||||||
/* Must be at least 256 bits for DSA2 digest */
|
/* Must be at least 256 bits for DSA2 digest */
|
||||||
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
CK_ULONG signature_length;
|
CK_ULONG signature_length;
|
||||||
|
|
||||||
if (keyType == CKK_RSA) {
|
if (keyType == CKK_RSA) {
|
||||||
@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -21,8 +21,8 @@ Index: nss/cmd/shlibsign/shlibsign.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/cmd/shlibsign/shlibsign.c
|
--- nss.orig/cmd/shlibsign/shlibsign.c
|
||||||
+++ nss/cmd/shlibsign/shlibsign.c
|
+++ nss/cmd/shlibsign/shlibsign.c
|
||||||
@@ -946,10 +946,12 @@ main(int argc, char **argv)
|
@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
|
||||||
goto cleanup;
|
return crv;
|
||||||
}
|
}
|
||||||
|
|
||||||
- if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) {
|
- if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) {
|
||||||
@ -839,7 +839,7 @@ Index: nss/lib/freebl/manifest.mn
|
|||||||
$(NULL)
|
$(NULL)
|
||||||
|
|
||||||
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
|
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
|
||||||
@@ -186,6 +187,7 @@ ALL_HDRS = \
|
@@ -187,6 +188,7 @@ ALL_HDRS = \
|
||||||
shsign.h \
|
shsign.h \
|
||||||
vis_proto.h \
|
vis_proto.h \
|
||||||
seed.h \
|
seed.h \
|
||||||
@ -851,7 +851,7 @@ Index: nss/lib/freebl/shvfy.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/shvfy.c
|
--- nss.orig/lib/freebl/shvfy.c
|
||||||
+++ nss/lib/freebl/shvfy.c
|
+++ nss/lib/freebl/shvfy.c
|
||||||
@@ -22,6 +22,8 @@
|
@@ -23,6 +23,8 @@
|
||||||
|
|
||||||
#ifndef NSS_FIPS_DISABLED
|
#ifndef NSS_FIPS_DISABLED
|
||||||
|
|
||||||
@ -860,7 +860,7 @@ Index: nss/lib/freebl/shvfy.c
|
|||||||
/*
|
/*
|
||||||
* Most modern version of Linux support a speed optimization scheme where an
|
* Most modern version of Linux support a speed optimization scheme where an
|
||||||
* application called prelink modifies programs and shared libraries to quickly
|
* application called prelink modifies programs and shared libraries to quickly
|
||||||
@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
|
@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -869,7 +869,7 @@ Index: nss/lib/freebl/shvfy.c
|
|||||||
static char *
|
static char *
|
||||||
mkCheckFileName(const char *libName)
|
mkCheckFileName(const char *libName)
|
||||||
{
|
{
|
||||||
@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item)
|
@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
|
||||||
return SECSuccess;
|
return SECSuccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -893,7 +893,7 @@ Index: nss/lib/freebl/shvfy.c
|
|||||||
|
|
||||||
loser:
|
loser:
|
||||||
if (shName != NULL) {
|
if (shName != NULL) {
|
||||||
@@ -310,19 +310,19 @@ loser:
|
@@ -311,15 +311,15 @@ loser:
|
||||||
}
|
}
|
||||||
|
|
||||||
PRBool
|
PRBool
|
||||||
@ -912,96 +912,84 @@ Index: nss/lib/freebl/shvfy.c
|
|||||||
+ return blapi_SHVerifyFile(shName, PR_FALSE, err);
|
+ return blapi_SHVerifyFile(shName, PR_FALSE, err);
|
||||||
}
|
}
|
||||||
|
|
||||||
static PRBool
|
#ifndef NSS_STRICT_INTEGRITY
|
||||||
-blapi_SHVerifyFile(const char *shName, PRBool self)
|
@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
+blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
|
}
|
||||||
{
|
|
||||||
char *checkName = NULL;
|
|
||||||
PRFileDesc *checkFD = NULL;
|
|
||||||
@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P
|
|
||||||
#endif
|
|
||||||
|
|
||||||
PRBool result = PR_FALSE; /* if anything goes wrong,
|
static PRBool
|
||||||
- * the signature does not verify */
|
- blapi_SHVerifyFile(const char *shName, PRBool self)
|
||||||
+ * the signature does not verify */
|
+ blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
|
||||||
unsigned char buf[4096];
|
{
|
||||||
unsigned char hashBuf[HASH_LENGTH_MAX];
|
char *checkName = NULL;
|
||||||
|
PRFileDesc *checkFD = NULL;
|
||||||
@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P
|
@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
/* open the check File */
|
/* open the check File */
|
||||||
checkFD = PR_Open(checkName, PR_RDONLY, 0);
|
checkFD = PR_Open(checkName, PR_RDONLY, 0);
|
||||||
if (checkFD == NULL) {
|
if (checkFD == NULL) {
|
||||||
+ if (err) {
|
+ if (err) {
|
||||||
+ *err = PORT_GetError();
|
+ *err = PORT_GetError();
|
||||||
+ }
|
+ }
|
||||||
#ifdef DEBUG_SHVERIFY
|
#ifdef DEBUG_SHVERIFY
|
||||||
- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
|
- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
|
||||||
- checkName, (int)PR_GetError(), (int)PR_GetOSError());
|
- checkName, (int)PR_GetError(), (int)PR_GetOSError());
|
||||||
+ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
|
+ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
|
||||||
+ checkName, (int)PORT_GetError());
|
+ checkName, (int)PR_GetError());
|
||||||
#endif /* DEBUG_SHVERIFY */
|
#endif /* DEBUG_SHVERIFY */
|
||||||
goto loser;
|
goto loser;
|
||||||
}
|
}
|
||||||
|
|
||||||
- /* read and Verify the headerthe header */
|
- /* read and Verify the headerthe header */
|
||||||
+ /* read and Verify the header */
|
+ /* read and Verify the header */
|
||||||
bytesRead = PR_Read(checkFD, buf, 12);
|
bytesRead = PR_Read(checkFD, &header, sizeof(header));
|
||||||
if (bytesRead != 12) {
|
if (bytesRead != sizeof(header)) {
|
||||||
goto loser;
|
goto loser;
|
||||||
@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P
|
@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
if (rv != SECSuccess) {
|
goto loser;
|
||||||
goto loser;
|
}
|
||||||
}
|
|
||||||
- /* read the siganture */
|
|
||||||
+
|
|
||||||
+ /* read the signature */
|
|
||||||
rv = readItem(checkFD, &signature);
|
|
||||||
if (rv != SECSuccess) {
|
|
||||||
goto loser;
|
|
||||||
@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
|
|
||||||
-/* open our library file */
|
-/* open our library file */
|
||||||
+ /* open our library file */
|
+ /* open our library file */
|
||||||
#ifdef FREEBL_USE_PRELINK
|
#ifdef FREEBL_USE_PRELINK
|
||||||
shFD = bl_OpenUnPrelink(shName, &pid);
|
shFD = bl_OpenUnPrelink(shName, &pid);
|
||||||
#else
|
#else
|
||||||
@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P
|
@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
#endif
|
#endif
|
||||||
if (shFD == NULL) {
|
if (shFD == NULL) {
|
||||||
#ifdef DEBUG_SHVERIFY
|
#ifdef DEBUG_SHVERIFY
|
||||||
- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
|
- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
|
||||||
- shName, (int)PR_GetError(), (int)PR_GetOSError());
|
- shName, (int)PR_GetError(), (int)PR_GetOSError());
|
||||||
+ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
|
+ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
|
||||||
+ shName, (int)PORT_GetError());
|
+ shName, (int)PR_GetError());
|
||||||
#endif /* DEBUG_SHVERIFY */
|
#endif /* DEBUG_SHVERIFY */
|
||||||
goto loser;
|
goto loser;
|
||||||
|
}
|
||||||
|
@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
}
|
}
|
||||||
|
|
||||||
- /* hash our library file with SHA1 */
|
PRBool
|
||||||
+ /* hash our library file */
|
- BLAPI_VerifySelf(const char *name)
|
||||||
hashcx = hashObj->create();
|
+ BLAPI_VerifySelf(const char *name, int *err)
|
||||||
if (hashcx == NULL) {
|
{
|
||||||
goto loser;
|
if (name == NULL) {
|
||||||
@@ -531,7 +535,7 @@ loser:
|
/*
|
||||||
}
|
@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
|
||||||
|
*/
|
||||||
|
return PR_TRUE;
|
||||||
|
}
|
||||||
|
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
|
||||||
|
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
|
||||||
|
}
|
||||||
|
|
||||||
|
#else /* NSS_FIPS_DISABLED */
|
||||||
|
@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP
|
||||||
|
return PR_FALSE;
|
||||||
|
}
|
||||||
PRBool
|
PRBool
|
||||||
-BLAPI_VerifySelf(const char *name)
|
-BLAPI_VerifySelf(const char *name)
|
||||||
+BLAPI_VerifySelf(const char *name, int *err)
|
+BLAPI_VerifySelf(const char *name, int *err)
|
||||||
{
|
{
|
||||||
if (name == NULL) {
|
return PR_FALSE;
|
||||||
/*
|
|
||||||
@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name)
|
|
||||||
*/
|
|
||||||
return PR_TRUE;
|
|
||||||
}
|
|
||||||
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
|
|
||||||
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#else /* NSS_FIPS_DISABLED */
|
|
||||||
Index: nss/lib/softoken/fips.c
|
Index: nss/lib/softoken/fips.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
@ -1066,7 +1054,7 @@ Index: nss/lib/softoken/fipstest.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/fipstest.c
|
--- nss.orig/lib/softoken/fipstest.c
|
||||||
+++ nss/lib/softoken/fipstest.c
|
+++ nss/lib/softoken/fipstest.c
|
||||||
@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
|
||||||
return (SECSuccess);
|
return (SECSuccess);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1394,7 +1382,7 @@ Index: nss/lib/softoken/fipstest.c
|
|||||||
static PRBool sftk_self_tests_ran = PR_FALSE;
|
static PRBool sftk_self_tests_ran = PR_FALSE;
|
||||||
static PRBool sftk_self_tests_success = PR_FALSE;
|
static PRBool sftk_self_tests_success = PR_FALSE;
|
||||||
|
|
||||||
@@ -693,7 +1014,6 @@ static void
|
@@ -694,7 +1015,6 @@ static void
|
||||||
sftk_startup_tests(void)
|
sftk_startup_tests(void)
|
||||||
{
|
{
|
||||||
SECStatus rv;
|
SECStatus rv;
|
||||||
@ -1402,7 +1390,7 @@ Index: nss/lib/softoken/fipstest.c
|
|||||||
|
|
||||||
PORT_Assert(!sftk_self_tests_ran);
|
PORT_Assert(!sftk_self_tests_ran);
|
||||||
PORT_Assert(!sftk_self_tests_success);
|
PORT_Assert(!sftk_self_tests_success);
|
||||||
@@ -705,6 +1025,7 @@ sftk_startup_tests(void)
|
@@ -706,6 +1026,7 @@ sftk_startup_tests(void)
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -1410,7 +1398,7 @@ Index: nss/lib/softoken/fipstest.c
|
|||||||
/* make sure freebl is initialized, or our RSA check
|
/* make sure freebl is initialized, or our RSA check
|
||||||
* may fail. This is normally done at freebl load time, but it's
|
* may fail. This is normally done at freebl load time, but it's
|
||||||
* possible we may have shut freebl down without unloading it. */
|
* possible we may have shut freebl down without unloading it. */
|
||||||
@@ -722,12 +1043,21 @@ sftk_startup_tests(void)
|
@@ -723,12 +1044,21 @@ sftk_startup_tests(void)
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -1436,7 +1424,7 @@ Index: nss/lib/softoken/fipstest.c
|
|||||||
rv = sftk_fips_IKE_PowerUpSelfTests();
|
rv = sftk_fips_IKE_PowerUpSelfTests();
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
return;
|
return;
|
||||||
@@ -759,17 +1089,11 @@ sftk_startup_tests(void)
|
@@ -760,17 +1090,11 @@ sftk_startup_tests(void)
|
||||||
CK_RV
|
CK_RV
|
||||||
sftk_FIPSEntryOK()
|
sftk_FIPSEntryOK()
|
||||||
{
|
{
|
||||||
@ -1500,7 +1488,7 @@ Index: nss/lib/softoken/legacydb/lgfips.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/legacydb/lgfips.c
|
--- nss.orig/lib/softoken/legacydb/lgfips.c
|
||||||
+++ nss/lib/softoken/legacydb/lgfips.c
|
+++ nss/lib/softoken/legacydb/lgfips.c
|
||||||
@@ -90,7 +90,7 @@ lg_startup_tests(void)
|
@@ -91,7 +91,7 @@ lg_startup_tests(void)
|
||||||
|
|
||||||
/* no self tests required for the legacy db, only the integrity check */
|
/* no self tests required for the legacy db, only the integrity check */
|
||||||
/* check the integrity of our shared library */
|
/* check the integrity of our shared library */
|
||||||
|
@ -8,10 +8,11 @@ commit facacdb9078693d7a4219e84f73ea7b8f977ddc2
|
|||||||
Author: Hans Petter Jansson <hpj@cl.no>
|
Author: Hans Petter Jansson <hpj@cl.no>
|
||||||
Patch 32: nss-fips-detect-fips-mode-fixes.patch
|
Patch 32: nss-fips-detect-fips-mode-fixes.patch
|
||||||
|
|
||||||
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
Index: nss/lib/freebl/nsslowhash.c
|
||||||
--- a/lib/freebl/nsslowhash.c
|
===================================================================
|
||||||
+++ b/lib/freebl/nsslowhash.c
|
--- nss.orig/lib/freebl/nsslowhash.c
|
||||||
@@ -2,10 +2,15 @@
|
+++ nss/lib/freebl/nsslowhash.c
|
||||||
|
@@ -2,6 +2,9 @@
|
||||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||||
|
|
||||||
@ -21,13 +22,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
|||||||
#ifdef FREEBL_NO_DEPEND
|
#ifdef FREEBL_NO_DEPEND
|
||||||
#include "stubs.h"
|
#include "stubs.h"
|
||||||
#endif
|
#endif
|
||||||
+
|
@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr {
|
||||||
#include "prtypes.h"
|
|
||||||
+#include "prenv.h"
|
|
||||||
#include "secerr.h"
|
|
||||||
#include "blapi.h"
|
|
||||||
#include "hasht.h"
|
|
||||||
@@ -24,6 +29,23 @@
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#ifndef NSS_FIPS_DISABLED
|
#ifndef NSS_FIPS_DISABLED
|
||||||
@ -51,7 +46,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
|||||||
static int
|
static int
|
||||||
nsslow_GetFIPSEnabled(void)
|
nsslow_GetFIPSEnabled(void)
|
||||||
{
|
{
|
||||||
@@ -45,6 +67,7 @@
|
@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void)
|
||||||
#endif /* LINUX */
|
#endif /* LINUX */
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -59,7 +54,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
|||||||
#endif /* NSS_FIPS_DISABLED */
|
#endif /* NSS_FIPS_DISABLED */
|
||||||
|
|
||||||
static NSSLOWInitContext dummyContext = { 0 };
|
static NSSLOWInitContext dummyContext = { 0 };
|
||||||
@@ -60,7 +83,7 @@
|
@@ -67,7 +88,7 @@ NSSLOW_Init(void)
|
||||||
#ifndef NSS_FIPS_DISABLED
|
#ifndef NSS_FIPS_DISABLED
|
||||||
/* make sure the FIPS product is installed if we are trying to
|
/* make sure the FIPS product is installed if we are trying to
|
||||||
* go into FIPS mode */
|
* go into FIPS mode */
|
||||||
@ -68,10 +63,11 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
|
|||||||
if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
|
if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
|
||||||
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
|
||||||
post_failed = PR_TRUE;
|
post_failed = PR_TRUE;
|
||||||
diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
|
Index: nss/lib/sysinit/nsssysinit.c
|
||||||
--- a/lib/sysinit/nsssysinit.c
|
===================================================================
|
||||||
+++ b/lib/sysinit/nsssysinit.c
|
--- nss.orig/lib/sysinit/nsssysinit.c
|
||||||
@@ -178,16 +178,16 @@
|
+++ nss/lib/sysinit/nsssysinit.c
|
||||||
|
@@ -178,16 +178,16 @@ getFIPSMode(void)
|
||||||
f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
f = fopen("/proc/sys/crypto/fips_enabled", "r");
|
||||||
if (!f) {
|
if (!f) {
|
||||||
/* if we don't have a proc flag, fall back to the
|
/* if we don't have a proc flag, fall back to the
|
||||||
|
@ -28,7 +28,7 @@ Index: nss/lib/freebl/fipsfreebl.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/fipsfreebl.c
|
--- nss.orig/lib/freebl/fipsfreebl.c
|
||||||
+++ nss/lib/freebl/fipsfreebl.c
|
+++ nss/lib/freebl/fipsfreebl.c
|
||||||
@@ -126,11 +126,11 @@ BOOL WINAPI DllMain(
|
@@ -127,11 +127,11 @@ DllMain(
|
||||||
|
|
||||||
/* FIPS preprocessor directives for DSA. */
|
/* FIPS preprocessor directives for DSA. */
|
||||||
#define FIPS_DSA_TYPE siBuffer
|
#define FIPS_DSA_TYPE siBuffer
|
||||||
|
@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/gcm.c
|
--- nss.orig/lib/freebl/gcm.c
|
||||||
+++ nss/lib/freebl/gcm.c
|
+++ nss/lib/freebl/gcm.c
|
||||||
@@ -532,8 +532,14 @@ struct GCMContextStr {
|
@@ -535,8 +535,14 @@ struct GCMContextStr {
|
||||||
unsigned char tagKey[MAX_BLOCK_SIZE];
|
unsigned char tagKey[MAX_BLOCK_SIZE];
|
||||||
PRBool ctr_context_init;
|
PRBool ctr_context_init;
|
||||||
gcmIVContext gcm_iv;
|
gcmIVContext gcm_iv;
|
||||||
@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
|
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
|
||||||
unsigned int ivLen, unsigned int tagBits,
|
unsigned int ivLen, unsigned int tagBits,
|
||||||
const unsigned char *aad, unsigned int aadLen);
|
const unsigned char *aad, unsigned int aadLen);
|
||||||
@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u
|
@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
|
||||||
goto loser;
|
goto loser;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
/* finally mix in the AAD data */
|
/* finally mix in the AAD data */
|
||||||
rv = gcmHash_Reset(ghash, aad, aadLen);
|
rv = gcmHash_Reset(ghash, aad, aadLen);
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
|
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
|
||||||
if (UINT_MAX - inlen < tagBytes) {
|
if (UINT_MAX - inlen < tagBytes) {
|
||||||
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
PORT_SetError(SEC_ERROR_INPUT_LEN);
|
||||||
@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
|
||||||
*outlen = 0;
|
*outlen = 0;
|
||||||
return SECFailure;
|
return SECFailure;
|
||||||
};
|
};
|
||||||
|
@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/pkcs11c.c
|
--- nss.orig/lib/softoken/pkcs11c.c
|
||||||
+++ nss/lib/softoken/pkcs11c.c
|
+++ nss/lib/softoken/pkcs11c.c
|
||||||
@@ -4822,8 +4822,8 @@ loser:
|
@@ -4826,8 +4826,8 @@ loser:
|
||||||
return crv;
|
return crv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||||
@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||||
(PRUint32)crv);
|
(PRUint32)crv);
|
||||||
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
|
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
|
||||||
}
|
}
|
||||||
|
@ -4,15 +4,11 @@ Date: Fri Sep 4 13:41:34 2020 +0200
|
|||||||
|
|
||||||
Patch 38: nss-fips-stricter-dh.patch
|
Patch 38: nss-fips-stricter-dh.patch
|
||||||
|
|
||||||
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
Index: nss/lib/freebl/dh.c
|
||||||
--- a/lib/freebl/dh.c
|
===================================================================
|
||||||
+++ b/lib/freebl/dh.c
|
--- nss.orig/lib/freebl/dh.c
|
||||||
@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
|
+++ nss/lib/freebl/dh.c
|
||||||
cleanup:
|
@@ -449,7 +449,7 @@ cleanup:
|
||||||
mp_clear(&p);
|
|
||||||
return err ? PR_FALSE : PR_TRUE;
|
|
||||||
}
|
|
||||||
|
|
||||||
PRBool
|
PRBool
|
||||||
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
|
||||||
{
|
{
|
||||||
@ -21,10 +17,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
|||||||
mp_err err;
|
mp_err err;
|
||||||
int cmp = 1; /* default is false */
|
int cmp = 1; /* default is false */
|
||||||
if (!Y || !prime || !subPrime) {
|
if (!Y || !prime || !subPrime) {
|
||||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
|
||||||
return SECFailure;
|
|
||||||
}
|
|
||||||
MP_DIGITS(&p) = 0;
|
|
||||||
MP_DIGITS(&q) = 0;
|
MP_DIGITS(&q) = 0;
|
||||||
MP_DIGITS(&y) = 0;
|
MP_DIGITS(&y) = 0;
|
||||||
MP_DIGITS(&r) = 0;
|
MP_DIGITS(&r) = 0;
|
||||||
@ -49,9 +42,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
|||||||
/* compute r = y**q mod p */
|
/* compute r = y**q mod p */
|
||||||
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
|
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
|
||||||
/* compare to 1 */
|
/* compare to 1 */
|
||||||
cmp = mp_cmp_d(&r, 1);
|
@@ -476,6 +487,7 @@ cleanup:
|
||||||
cleanup:
|
|
||||||
mp_clear(&p);
|
|
||||||
mp_clear(&q);
|
mp_clear(&q);
|
||||||
mp_clear(&y);
|
mp_clear(&y);
|
||||||
mp_clear(&r);
|
mp_clear(&r);
|
||||||
@ -59,6 +50,3 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
|
|||||||
if (err) {
|
if (err) {
|
||||||
MP_TO_SEC_ERROR(err);
|
MP_TO_SEC_ERROR(err);
|
||||||
return PR_FALSE;
|
return PR_FALSE;
|
||||||
}
|
|
||||||
return (cmp == 0) ? PR_TRUE : PR_FALSE;
|
|
||||||
}
|
|
||||||
|
@ -2,7 +2,7 @@ Index: nss/tests/cert/cert.sh
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/tests/cert/cert.sh
|
--- nss.orig/tests/cert/cert.sh
|
||||||
+++ nss/tests/cert/cert.sh
|
+++ nss/tests/cert/cert.sh
|
||||||
@@ -1353,6 +1353,11 @@ cert_stresscerts()
|
@@ -1350,6 +1350,11 @@ cert_stresscerts()
|
||||||
##############################################################################
|
##############################################################################
|
||||||
cert_fips()
|
cert_fips()
|
||||||
{
|
{
|
||||||
@ -14,7 +14,7 @@ Index: nss/tests/cert/cert.sh
|
|||||||
CERTFAILED=0
|
CERTFAILED=0
|
||||||
echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
|
echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
|
||||||
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
|
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
|
||||||
@@ -1393,6 +1398,8 @@ MODSCRIPT
|
@@ -1390,6 +1395,8 @@ MODSCRIPT
|
||||||
cert_log "SUCCESS: FIPS passed"
|
cert_log "SUCCESS: FIPS passed"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -250,7 +250,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/softoken/pkcs11c.c
|
--- nss.orig/lib/softoken/pkcs11c.c
|
||||||
+++ nss/lib/softoken/pkcs11c.c
|
+++ nss/lib/softoken/pkcs11c.c
|
||||||
@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
SFTKAttribute *att2 = NULL;
|
SFTKAttribute *att2 = NULL;
|
||||||
unsigned char *buf;
|
unsigned char *buf;
|
||||||
SHA1Context *sha;
|
SHA1Context *sha;
|
||||||
@ -259,7 +259,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
|||||||
MD2Context *md2;
|
MD2Context *md2;
|
||||||
CK_ULONG macSize;
|
CK_ULONG macSize;
|
||||||
CK_ULONG tmpKeySize;
|
CK_ULONG tmpKeySize;
|
||||||
@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||||
}
|
}
|
||||||
sftk_FreeAttribute(att2);
|
sftk_FreeAttribute(att2);
|
||||||
md5 = MD5_NewContext();
|
md5 = MD5_NewContext();
|
||||||
|
@ -12,7 +12,7 @@ Index: nss/coreconf/Linux.mk
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/coreconf/Linux.mk
|
--- nss.orig/coreconf/Linux.mk
|
||||||
+++ nss/coreconf/Linux.mk
|
+++ nss/coreconf/Linux.mk
|
||||||
@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro
|
@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro
|
||||||
LDFLAGS += -Wl,-z,relro
|
LDFLAGS += -Wl,-z,relro
|
||||||
endif
|
endif
|
||||||
|
|
||||||
@ -90,7 +90,7 @@ Index: nss/lib/freebl/unix_rand.c
|
|||||||
size_t RNG_FileUpdate(const char *fileName, size_t limit);
|
size_t RNG_FileUpdate(const char *fileName, size_t limit);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file)
|
@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file)
|
||||||
size_t
|
size_t
|
||||||
RNG_SystemRNG(void *dest, size_t maxLen)
|
RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
{
|
{
|
||||||
@ -117,7 +117,7 @@ Index: nss/lib/freebl/unix_rand.c
|
|||||||
FILE *file;
|
FILE *file;
|
||||||
int fd;
|
int fd;
|
||||||
int bytes;
|
int bytes;
|
||||||
@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
fileBytes = 0;
|
fileBytes = 0;
|
||||||
}
|
}
|
||||||
return fileBytes;
|
return fileBytes;
|
||||||
|
@ -10,9 +10,10 @@ From a7cbf64ba8ac07a4a1fdea91f39da56d86af03bf Mon Sep 17 00:00:00 2001
|
|||||||
nss/lib/freebl/unix_rand.c | 8 +++++---
|
nss/lib/freebl/unix_rand.c | 8 +++++---
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
Index: nss/lib/freebl/unix_rand.c
|
||||||
--- a/lib/freebl/unix_rand.c
|
===================================================================
|
||||||
+++ b/lib/freebl/unix_rand.c
|
--- nss.orig/lib/freebl/unix_rand.c
|
||||||
|
+++ nss/lib/freebl/unix_rand.c
|
||||||
@@ -24,6 +24,7 @@
|
@@ -24,6 +24,7 @@
|
||||||
#include "prthread.h"
|
#include "prthread.h"
|
||||||
#include "prprf.h"
|
#include "prprf.h"
|
||||||
@ -21,7 +22,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
|||||||
|
|
||||||
#ifdef NSS_USE_GETRANDOM
|
#ifdef NSS_USE_GETRANDOM
|
||||||
# ifndef __NR_getrandom
|
# ifndef __NR_getrandom
|
||||||
@@ -779,7 +780,7 @@
|
@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* grab some data from system's PRNG before any other files. */
|
/* grab some data from system's PRNG before any other files. */
|
||||||
@ -30,7 +31,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
|||||||
if (!bytes) {
|
if (!bytes) {
|
||||||
PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
PORT_SetError(SEC_ERROR_NEED_RANDOM);
|
||||||
}
|
}
|
||||||
@@ -909,7 +910,8 @@
|
@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
@ -40,7 +41,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
|
|||||||
|
|
||||||
if (0 < ret)
|
if (0 < ret)
|
||||||
inBytes += ret;
|
inBytes += ret;
|
||||||
@@ -929,7 +931,7 @@
|
@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
|
||||||
size_t fileBytes = 0;
|
size_t fileBytes = 0;
|
||||||
unsigned char *buffer = dest;
|
unsigned char *buffer = dest;
|
||||||
|
|
||||||
|
@ -92,7 +92,7 @@ Index: nss/lib/freebl/dh.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/dh.c
|
--- nss.orig/lib/freebl/dh.c
|
||||||
+++ nss/lib/freebl/dh.c
|
+++ nss/lib/freebl/dh.c
|
||||||
@@ -193,6 +193,10 @@ cleanup:
|
@@ -192,6 +192,10 @@ cleanup:
|
||||||
rv = SECFailure;
|
rv = SECFailure;
|
||||||
}
|
}
|
||||||
if (rv) {
|
if (rv) {
|
||||||
@ -107,7 +107,7 @@ Index: nss/lib/freebl/ec.c
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/lib/freebl/ec.c
|
--- nss.orig/lib/freebl/ec.c
|
||||||
+++ nss/lib/freebl/ec.c
|
+++ nss/lib/freebl/ec.c
|
||||||
@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
|
@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
|
||||||
ECParams *ecParams = NULL;
|
ECParams *ecParams = NULL;
|
||||||
SECItem pointC = { siBuffer, NULL, 0 };
|
SECItem pointC = { siBuffer, NULL, 0 };
|
||||||
int slen; /* length in bytes of a half signature (r or s) */
|
int slen; /* length in bytes of a half signature (r or s) */
|
||||||
@ -175,7 +175,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
return SECSuccess;
|
return SECSuccess;
|
||||||
}
|
}
|
||||||
#endif /* HAVE_INT128_SUPPORT */
|
#endif /* HAVE_INT128_SUPPORT */
|
||||||
@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||||
/* verify the block */
|
/* verify the block */
|
||||||
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
|
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
|
||||||
if (rv != SECSuccess) {
|
if (rv != SECSuccess) {
|
||||||
@ -191,7 +191,7 @@ Index: nss/lib/freebl/gcm.c
|
|||||||
}
|
}
|
||||||
/* Don't decrypt if we can't authenticate the encrypted data!
|
/* Don't decrypt if we can't authenticate the encrypted data!
|
||||||
* This assumes that if tagBits is not a multiple of 8, intag will
|
* This assumes that if tagBits is not a multiple of 8, intag will
|
||||||
@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
|
||||||
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
|
||||||
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
|
||||||
PORT_SetError(SEC_ERROR_BAD_DATA);
|
PORT_SetError(SEC_ERROR_BAD_DATA);
|
||||||
|
@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
|
|||||||
===================================================================
|
===================================================================
|
||||||
--- nss.orig/coreconf/Linux.mk
|
--- nss.orig/coreconf/Linux.mk
|
||||||
+++ nss/coreconf/Linux.mk
|
+++ nss/coreconf/Linux.mk
|
||||||
@@ -113,11 +113,7 @@ LIBC_TAG = _glibc
|
@@ -114,11 +114,7 @@ LIBC_TAG = _glibc
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifdef BUILD_OPT
|
ifdef BUILD_OPT
|
||||||
|
Loading…
Reference in New Issue
Block a user