From 8442248c89d15161d82c795969e3603b4adf26a476237cc1be2f7a31ca59375c Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Tue, 28 Jun 2022 06:46:22 +0000 Subject: [PATCH] - sync with current SLE * latest FIPS changes incl. testsuite fixes (enabled now) nss-fips-180-3-csp-clearing.patch nss-fips-tests-enable-fips.patch nss-fips-tests-skip.patch nss-fips-pbkdf-kat-compliance.patch - update to NSS 3.79 * bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. * bmo#1766907 - Update mercurial in clang-format docker image. * bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail. * bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. * bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots. * bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside indefinite GROUP. * bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed ECPointFormat extension alerts. * bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on unsupported ClientHello.legacy_version. * bmo#1764788 - Correct invalid record inner and outer content type alerts. * bmo#1757075 - NSS does not properly import or export pkcs12 files with large passwords and pkcs5v2 encoding. * bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle. * bmo#1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple. 
* bmo#1769302 - NSS 3.79 should depend on NSPR 4.34 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=386 --- baselibs.conf | 2 +- mozilla-nss.changes | 33 ++++++++ mozilla-nss.spec | 31 +++++--- nss-3.78.1.tar.gz | 3 - nss-3.79.tar.gz | 3 + nss-fips-180-3-csp-clearing.patch | 40 ++++++++++ nss-fips-approved-crypto-non-ec.patch | 101 +++++++++++++++++++++++- nss-fips-constructor-self-tests.patch | 109 +++++++++++++++++++++----- nss-fips-pbkdf-kat-compliance.patch | 60 ++++++++++++++ nss-fips-tests-enable-fips.patch | 25 ++++++ nss-fips-tests-skip.patch | 19 +++++ 11 files changed, 388 insertions(+), 38 deletions(-) delete mode 100644 nss-3.78.1.tar.gz create mode 100644 nss-3.79.tar.gz create mode 100644 nss-fips-180-3-csp-clearing.patch create mode 100644 nss-fips-pbkdf-kat-compliance.patch create mode 100644 nss-fips-tests-enable-fips.patch create mode 100644 nss-fips-tests-skip.patch diff --git a/baselibs.conf b/baselibs.conf index 7abe256..f1bc1c7 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,5 +1,5 @@ mozilla-nss - requires "mozilla-nspr- >= 4.32" + requires "mozilla-nspr- >= 4.34" requires "libfreebl3-" requires "libsoftokn3-" requires "libnssckbi.so" diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 727af8a..0a324b5 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Sat Jun 25 12:30:25 UTC 2022 - Wolfgang Rosenauer + +- sync with current SLE + * latest FIPS changes incl. testsuite fixes (enabled now) + nss-fips-180-3-csp-clearing.patch + nss-fips-tests-enable-fips.patch + nss-fips-tests-skip.patch + nss-fips-pbkdf-kat-compliance.patch + +------------------------------------------------------------------- +Sun Jun 12 08:57:06 UTC 2022 - Wolfgang Rosenauer + +- update to NSS 3.79 + * bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls. + * bmo#1766907 - Update mercurial in clang-format docker image. + * bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail. + * bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo. + * bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots. + * bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside + indefinite GROUP. + * bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed + ECPointFormat extension alerts. + * bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on + unsupported ClientHello.legacy_version. + * bmo#1764788 - Correct invalid record inner and outer content type alerts. + * bmo#1757075 - NSS does not properly import or export pkcs12 files + with large passwords and pkcs5v2 encoding. + * bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle. + * bmo#1767590 - Initialize pointers passed to + NSS_CMSDigestContext_FinishMultiple. + * bmo#1769302 - NSS 3.79 should depend on NSPR 4.34 + ------------------------------------------------------------------- Tue May 31 19:24:59 UTC 2022 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 7efc716..e625373 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec 
@@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.78 -%define NSPR_min_version 4.32 +%global nss_softokn_fips_version 3.79 +%define NSPR_min_version 4.34 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.78.1 +Version: 3.79 Release: 0 -%define underscore_version 3_78_1 +%define underscore_version 3_79 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -70,8 +70,12 @@ Patch24: nss-fips-use-strong-random-pool.patch Patch25: nss-fips-detect-fips-mode-fixes.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch Patch27: nss-fips-aes-keywrap-post.patch -Patch28: nss-fips-fix-missing-nspr.patch -Patch29: nss-fips-stricter-dh.patch +Patch37: nss-fips-fix-missing-nspr.patch +Patch38: nss-fips-stricter-dh.patch +Patch40: nss-fips-180-3-csp-clearing.patch +Patch41: nss-fips-pbkdf-kat-compliance.patch +Patch42: nss-fips-tests-skip.patch +Patch44: nss-fips-tests-enable-fips.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -92,8 +96,7 @@ Requires: libnssckbi.so %endif %ifnarch %sparc %if ! 0%{?qemu_user_space_build} -# disabled temporarily bmo#1236340 -%define run_testsuite 0 +%define run_testsuite 1 %endif %endif @@ -227,8 +230,12 @@ cd nss %patch25 -p1 %patch26 -p1 %patch27 -p1 -%patch28 -p1 -%patch29 -p1 +%patch37 -p1 +%patch38 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch44 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins @@ -268,6 +275,8 @@ export USE_64=1 %endif export NSS_DISABLE_GTESTS=1 export NSS_USE_SYSTEM_SQLITE=1 +export NSS_ENABLE_FIPS_INDICATORS=1 +export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\"" #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" make %{?_smp_mflags} nss_build_all $MAKE_FLAGS 
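Review bot: `NSS_FIPS_MODULE_ID` in the `@@ -268,6 +275,8 @@` hunk is built from `%{version}-%{release}`, so the identifier compiled into the library presumably changes with every rebuild, and it names SUSE Linux Enterprise although the OBS-URL shows this spec is also built in mozilla:Factory. If the string has to match a fixed module name, say so next to the export, e.g. `# FIPS module ID string; document whether it must stay stable across rebuilds`. The `@@ -92,8 +96,7 @@` hunk turns the testsuite on and drops the bmo#1236340 remark without a replacement; a one-line comment that the suite depends on nss-fips-tests-enable-fips.patch and nss-fips-tests-skip.patch would help whoever next edits the patch list.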
@@ -275,7 +284,7 @@ make %{?_smp_mflags} nss_build_all $MAKE_FLAGS %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" -export DOMSUF=" " +export DOMSUF="localdomain" export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests diff --git a/nss-3.78.1.tar.gz b/nss-3.78.1.tar.gz deleted file mode 100644 index bd4c002..0000000 --- a/nss-3.78.1.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:b6a492594366410a3f0e391a82a87657e2901415f0d386eb07672edaf0ea6cac -size 84825394 diff --git a/nss-3.79.tar.gz b/nss-3.79.tar.gz new file mode 100644 index 0000000..df13da1 --- /dev/null +++ b/nss-3.79.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:ebdf2d6a96613b6fe70ad579e9f983e0e94e0110171cfb2999db633d3394a514 +size 84830113 diff --git a/nss-fips-180-3-csp-clearing.patch b/nss-fips-180-3-csp-clearing.patch new file mode 100644 index 0000000..c0a2ee5 --- /dev/null +++ b/nss-fips-180-3-csp-clearing.patch 
@@ -0,0 +1,40 @@ +Index: nss/lib/freebl/pqg.c +=================================================================== +--- nss.orig/lib/freebl/pqg.c ++++ nss/lib/freebl/pqg.c +@@ -1232,6 +1232,9 @@ cleanup: + MP_TO_SEC_ERROR(err); + rv = SECFailure; + } ++ if (rv != SECSuccess) { ++ mp_zero(G); ++ } + return rv; + } + +Index: nss/lib/softoken/sftkdb.c +=================================================================== +--- nss.orig/lib/softoken/sftkdb.c ++++ nss/lib/softoken/sftkdb.c +@@ -1506,7 +1506,7 @@ loser: + PORT_ZFree(data, dataSize); + } + if (arena) { +- PORT_FreeArena(arena, PR_FALSE); ++ PORT_FreeArena(arena, PR_TRUE); + } + return crv; + } +Index: nss/lib/softoken/sftkpwd.c +=================================================================== +--- nss.orig/lib/softoken/sftkpwd.c ++++ nss/lib/softoken/sftkpwd.c +@@ -1439,7 +1439,7 @@ loser: + PORT_ZFree(newKey.data, newKey.len); + } + if (result) { +- SECITEM_FreeItem(result, PR_TRUE); ++ SECITEM_ZfreeItem(result, PR_TRUE); + } + if (rv != SECSuccess) { + (*keydb->db->sdb_Abort)(keydb->db); diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch index a0bee06..e239737 100644 --- a/nss-fips-approved-crypto-non-ec.patch +++ b/nss-fips-approved-crypto-non-ec.patch @@ -258,7 +258,7 @@ Index: nss/lib/freebl/fips.h =================================================================== --- nss.orig/lib/freebl/fips.h +++ nss/lib/freebl/fips.h -@@ -8,8 +8,20 @@ +@@ -8,9 +8,21 @@ #ifndef FIPS_H #define FIPS_H @@ -267,13 +267,14 @@ Index: nss/lib/freebl/fips.h + +#define IN_FIPS_RETURN(rv) \ + do { \ -+ if (FIPS_mode()) { \ ++ if (FIPS_mode_allow_tests()) { \ + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); \ + return rv; \ + } \ + } while (0) + int FIPS_mode(void); + int FIPS_mode_allow_tests(void); char* FIPS_rngDev(void); +PRBool FIPS_hashAlgApproved(HASH_HashType hashAlg); 
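Review bot: The new nss-fips-180-3-csp-clearing.patch starts directly at `Index: nss/lib/freebl/pqg.c` with no description, so nothing records which key material the three zeroization sites (`mp_zero(G)`, `PORT_FreeArena(arena, PR_TRUE)`, `SECITEM_ZfreeItem(result, PR_TRUE)`) are meant to cover or whether the list is complete. A short header above the first `Index:` line would fix that, e.g. `# Zeroize key material on the cleanup paths of pqg.c, sftkdb.c and sftkpwd.c`. The lowpbe.c self-test that appears in nss-fips-pbkdf-kat-compliance.patch still releases its derived key with `SECITEM_FreeItem(result, PR_TRUE)`, so it is worth deciding whether that buffer belongs here too. All three inner hunks show only the tail of their functions, so the rest of each cleanup path cannot be judged from this page.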
@@ -495,3 +496,99 @@ Index: nss/lib/softoken/pkcs11c.c PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; +Index: nss/lib/freebl/desblapi.c +=================================================================== +--- nss.orig/lib/freebl/desblapi.c ++++ nss/lib/freebl/desblapi.c +@@ -18,6 +18,8 @@ + #include + #include "secerr.h" + ++#include "fips.h" ++ + #if defined(NSS_X86_OR_X64) + /* Intel X86 CPUs do unaligned loads and stores without complaint. */ + #define COPY8B(to, from, ptr) \ +@@ -136,6 +138,8 @@ DES_EDE3CBCDe(DESContext *cx, BYTE *out, + DESContext * + DES_AllocateContext(void) + { ++ IN_FIPS_RETURN(NULL); ++ + return PORT_ZNew(DESContext); + } + +@@ -145,12 +149,16 @@ DES_InitContext(DESContext *cx, const un + unsigned int unused) + { + DESDirection opposite; ++ ++ IN_FIPS_RETURN(SECFailure); ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT; + opposite = encrypt ? DES_DECRYPT : DES_ENCRYPT; ++ + switch (mode) { + case NSS_DES: /* DES ECB */ + DES_MakeSchedule(cx->ks0, key, cx->direction); +@@ -201,8 +209,13 @@ DES_InitContext(DESContext *cx, const un + DESContext * + DES_CreateContext(const BYTE *key, const BYTE *iv, int mode, PRBool encrypt) + { +- DESContext *cx = PORT_ZNew(DESContext); +- SECStatus rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); ++ DESContext *cx; ++ SECStatus rv; ++ ++ IN_FIPS_RETURN(NULL); ++ ++ cx = PORT_ZNew(DESContext); ++ rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); + + if (rv != SECSuccess) { + PORT_ZFree(cx, sizeof *cx); +@@ -214,6 +227,8 @@ DES_CreateContext(const BYTE *key, const + void + DES_DestroyContext(DESContext *cx, PRBool freeit) + { ++ IN_FIPS_RETURN(); ++ + if (cx) { + memset(cx, 0, sizeof *cx); + if (freeit) +@@ -225,6 +240,7 @@ SECStatus + DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { ++ 
IN_FIPS_RETURN(SECFailure); + + if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_ENCRYPT) { +@@ -242,6 +258,7 @@ SECStatus + DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { ++ IN_FIPS_RETURN(SECFailure); + + if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_DECRYPT) { +Index: nss/lib/softoken/fips_algorithms.h +=================================================================== +--- nss.orig/lib/softoken/fips_algorithms.h ++++ nss/lib/softoken/fips_algorithms.h +@@ -111,8 +111,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, ++#if 0 ++ /* Not approved in FIPS mode */ + { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone }, ++#endif + /* ------------------------- Hashing Operations ----------------------- */ + { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index 50151f8..4afca23 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch @@ -67,7 +67,7 @@ Index: nss/lib/freebl/fips-selftest.inc =================================================================== --- /dev/null +++ nss/lib/freebl/fips-selftest.inc -@@ -0,0 +1,306 @@ +@@ -0,0 +1,355 @@ +/* + * PKCS #11 FIPS Power-Up Self Test - common stuff. + * 
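Review bot: `IN_FIPS_RETURN();` at the top of `DES_DestroyContext` makes the destructor return before `memset(cx, 0, sizeof *cx)` and the free whenever `FIPS_mode_allow_tests()` is non-zero, so a context created while the check still passed (the fipsfreebl.c hunk makes that function return 0 until the start-up tests have set `fips_state`) is later neither wiped nor released. The guard belongs on the allocate, init, encrypt and decrypt entry points only; the destroy path should stay unconditional, i.e. remove the added `IN_FIPS_RETURN();` line from `DES_DestroyContext`. As written it also calls `PORT_SetError(SEC_ERROR_INVALID_ALGORITHM)` from a void cleanup function, which can overwrite the error code the caller was about to report. Separately, the `#if 0` around the two `CKM_AES_XCBC_MAC*` entries in fips_algorithms.h would read better as a plain deletion with the reason given in the patch description.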
@@ -118,6 +118,9 @@ Index: nss/lib/freebl/fips-selftest.inc + +static int fips_wanted = -1; + ++static int fips_is_env = 0; ++static int fips_ignore_checksums = 0; ++ +/* debug messages are sent to stderr */ +static void +debug(const char *fmt,...) @@ -209,6 +212,21 @@ Index: nss/lib/freebl/fips-selftest.inc + return PR_FALSE; +} + ++static PRBool ++getIgnoreChecksumsEnv(void) ++{ ++ char *checksumEnv = getenv("NSS_IGNORE_CHECKSUMS"); ++ if (!checksumEnv) { ++ return PR_FALSE; ++ } ++ if ((strcasecmp(checksumEnv,"true") == 0) || ++ (strcasecmp(checksumEnv,"on") == 0) || ++ (strcasecmp(checksumEnv,"1") == 0)) { ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ +static int +fips_isWantedEnv(void) +{ @@ -222,10 +240,54 @@ Index: nss/lib/freebl/fips-selftest.inc +#ifdef LINUX + fips_requests += fips_isWantedProc(); +#endif ++ if (fips_requests < 1) ++ { ++ fips_is_env = 1; ++ fips_ignore_checksums = getIgnoreChecksumsEnv(); ++ } + fips_requests += fips_isWantedEnv(); ++ + return fips_requests; +} + ++static PRBool ++fips_check_signature_external (const char *full_lib_name, int *err) ++{ ++ char *p0, *p1; ++ char *ld_path; ++ PRBool rv = PR_FALSE; ++ ++ p0 = getenv ("LD_LIBRARY_PATH"); ++ p0 = ld_path = strdup (p0 ? p0 : ""); ++ ++ for (p1 = strchr (p0, ':'); p1 && !rv; p1 = strchr (p0, ':')) ++ { ++ char *path; ++ ++ *p1 = '\0'; ++ path = malloc (strlen (p0) + strlen (full_lib_name) + 2); ++ strcpy (path, p0); ++ strcat (path, "/"); ++ strcat (path, full_lib_name); ++ ++ rv = BLAPI_SHVerifyFile (path, err); ++ ++ free (path); ++ p0 = p1 + 1; ++ } ++ ++ if (!rv) ++ { ++ char *path = malloc (strlen ("/usr/lib64/") + strlen (full_lib_name) + 1); ++ strcpy (path, "/usr/lib64/"); ++ strcat (path, full_lib_name); ++ rv = BLAPI_SHVerifyFile (path, err); ++ } ++ ++ free (ld_path); ++ return rv; ++} ++ +/* check integrity signatures (if present) */ +static fips_check_status +fips_checkSignature(char *libName, PRFuncPtr addr) 
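Review bot: `fips_check_signature_external` never verifies the last (or only) `LD_LIBRARY_PATH` entry, because the loop handles only segments that end in `:`; it also uses the results of `strdup` and `malloc` unchecked and never frees the `/usr/lib64/` fallback `path`. Beyond those defects, the file that gets verified is chosen by walking an environment variable and is not necessarily the file the loader mapped, so a pass here says less about the loaded library than the `BLAPI_SHVerify(full_lib_name, addr, &err)` branch does; that limitation deserves a comment above the function. The sketch below keeps the search order, fixes the three defects and skips empty path entries instead of turning them into `/<libname>`.

```c
static PRBool
fips_check_signature_external (const char *full_lib_name, int *err)
{
    /* … unchanged: declarations of p0, p1, ld_path, rv … */

    p0 = getenv ("LD_LIBRARY_PATH");
    ld_path = strdup (p0 ? p0 : "");
    if (!ld_path)
        return PR_FALSE;

    /* Visit every entry, including the last one, which has no trailing ':'. */
    for (p0 = ld_path; p0 && !rv; p0 = p1 ? p1 + 1 : NULL)
    {
        char *path;

        p1 = strchr (p0, ':');
        if (p1)
            *p1 = '\0';
        if (*p0 == '\0')
            continue; /* empty entry: no directory to prepend */

        path = malloc (strlen (p0) + strlen (full_lib_name) + 2);
        if (!path)
            break;
        /* … unchanged: strcpy/strcat of p0, "/" and full_lib_name … */
        rv = BLAPI_SHVerifyFile (path, err);
        free (path);
    }

    if (!rv)
    {
        char *path = malloc (strlen ("/usr/lib64/") + strlen (full_lib_name) + 1);
        if (path)
        {
            /* … unchanged: build "/usr/lib64/" + full_lib_name and verify … */
            free (path);
        }
    }

    free (ld_path);
    return rv;
}
```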
@@ -249,24 +311,11 @@ Index: nss/lib/freebl/fips-selftest.inc + l -= strlen(libName); + strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l); + l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX); -+#if 1 -+ if (NULL == addr) { -+ char full_path [PATH_MAX+1]; + -+ full_path [0] = '\0'; -+ l = PATH_MAX; -+ strncat (full_path, "/usr/lib64/", l); -+ l -= strlen ("/usr/lib64/"); -+ strncat (full_path, full_lib_name, l); -+ l -= strlen (full_lib_name); -+ -+ rv = BLAPI_SHVerifyFile(full_path, &err); -+ } ++ if (NULL == addr) ++ rv = fips_check_signature_external (full_lib_name, &err); + else + rv = BLAPI_SHVerify(full_lib_name, addr, &err); -+#else -+ rv = 1; -+#endif + } + + if (rv) { @@ -390,7 +439,7 @@ Index: nss/lib/freebl/fips.h =================================================================== --- /dev/null +++ nss/lib/freebl/fips.h -@@ -0,0 +1,15 @@ +@@ -0,0 +1,16 @@ +/* + * PKCS #11 FIPS Power-Up Self Test. + * @@ -402,6 +451,7 @@ Index: nss/lib/freebl/fips.h +#define FIPS_H + +int FIPS_mode(void); ++int FIPS_mode_allow_tests(void); +char* FIPS_rngDev(void); + +#endif @@ -591,7 +641,7 @@ Index: nss/lib/freebl/fipsfreebl.c } /* -@@ -2251,28 +2279,91 @@ bl_startup_tests(void) +@@ -2251,28 +2279,104 @@ bl_startup_tests(void) * power on selftest failed. */ SECStatus @@ -648,6 +698,19 @@ Index: nss/lib/freebl/fipsfreebl.c + } +} + ++/* Returns the FIPS mode we are running in. If the tests have not completed yet, ++ * return FALSE. This allows testing of modules that are not allowed in FIPS ++ * mode. */ ++int ++FIPS_mode_allow_tests(void) ++{ ++ int fips; ++ ++ fips = (-1 != fips_state) ? fips_state : 0; ++ ++ return fips; ++} ++ +/* returns string specifying what system RNG file to use for seeding */ +char * +FIPS_rngDev(void) @@ -943,7 +1006,7 @@ Index: nss/lib/softoken/fips.c =================================================================== 
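Review bot: `FIPS_mode_allow_tests()` in the `@@ -648,6 +698,19 @@` hunk returns 0 for every caller while `fips_state` is still -1, not only for the self-test code, so each `IN_FIPS_RETURN` site (switched to this function in nss-fips-approved-crypto-non-ec.patch) treats "not decided yet" the same as "FIPS off". Whether any other path can reach freebl before the start-up tests have set `fips_state` depends on code outside this hunk, but if one can, the non-approved algorithms stay available on it. The comment should state that limit explicitly, e.g. `/* NOTE: returns 0 until fips_state is set; do not use this as the FIPS-mode indicator. */`. The local variable is not needed either: `return (-1 != fips_state) ? fips_state : 0;`.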
--- /dev/null +++ nss/lib/softoken/fips.c -@@ -0,0 +1,36 @@ +@@ -0,0 +1,40 @@ +#include "../freebl/fips-selftest.inc" + +#include "fips.h" @@ -971,9 +1034,13 @@ Index: nss/lib/softoken/fips.c +{ + fips_state = fips_initTest("softokn", (PRFuncPtr)fips_initTestSoftoken, fips_checkCryptoSoftoken); + -+ /* The legacy DB must be checked unconditionally in FIPS mode. */ ++ /* The legacy DB must be checked unconditionally in FIPS mode. As an exception, ++ * this can be turned off for the build-time tests using the env var ++ * NSS_IGNORE_CHECKSUMS. This is necessary because the files cannot be ++ * located before they're installed. It only works if FIPS mode is enabled ++ * via NSS_FIPS=1, not if it's set in /proc. */ + -+ if (fips_state) ++ if (fips_state && !(fips_is_env && fips_ignore_checksums)) + { + fips_state = fips_initTest("nssdbm", (PRFuncPtr) NULL, NULL); + } diff --git a/nss-fips-pbkdf-kat-compliance.patch b/nss-fips-pbkdf-kat-compliance.patch new file mode 100644 index 0000000..e09155b --- /dev/null +++ b/nss-fips-pbkdf-kat-compliance.patch 
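Review bot: The `!(fips_is_env && fips_ignore_checksums)` condition in `@@ -971,9 +1034,13 @@` puts a test-only exception into the shipped library: when FIPS mode is requested through `NSS_FIPS=1` and the /proc flag is off, setting `NSS_IGNORE_CHECKSUMS` skips the nssdbm integrity check at run time. The added comment gives the build-time reason, but the decision is taken from the process environment on every start. Consider compiling the exception in only for the testsuite build, e.g. by wrapping the `getIgnoreChecksumsEnv()` call in fips-selftest.inc in a build-time macro (`#ifdef NSS_FIPS_TESTSUITE_BUILD`, a placeholder name), or at least report through the existing `debug()` helper whenever the check is skipped so the condition is visible in logs.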
@@ -0,0 +1,60 @@
+Index: nss/lib/softoken/lowpbe.c
+===================================================================
+--- nss.orig/lib/softoken/lowpbe.c
++++ nss/lib/softoken/lowpbe.c
+@@ -1745,7 +1745,7 @@ loser:
+ return ret_algid;
+ }
+
+-#define TEST_KEY "pbkdf test key"
++#define TEST_KEY "qrfhfgkeWKZsYyLfUddaKQKLGhwqjQhNCiAdfweKEPaRf"
+ SECStatus
+ sftk_fips_pbkdf_PowerUpSelfTests(void)
+ {
+@@ -1755,17 +1755,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+ unsigned char iteration_count = 5;
+ unsigned char keyLen = 64;
+ char *inKeyData = TEST_KEY;
+- static const unsigned char saltData[] =
+- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
++ static const unsigned char saltData[] = {
++ 0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18,
++ 0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64,
++ 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B,
++ 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22
++ };
++
+ static const unsigned char pbkdf_known_answer[] = {
+- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
+- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
+- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
+- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
+- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
+- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
+- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
+- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
++ 0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70,
++ 0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f,
++ 0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6,
++ 0x71, 0xa3, 0xc4, 0x4f, 0x1d, 0xa7, 0x8f, 0xa5,
++ 0x0c, 0x4b, 0x13, 0xce, 0x2f, 0x2b, 0x48, 0xe0,
++ 0xfc, 0x10, 0x6d, 0xf4, 0xfb, 0x71, 0x1b, 0x0e,
++ 0x33, 0x2c, 0x43, 0x43, 0xe1, 0x77, 0x16, 0xf5,
++ 0x1e, 0x96, 0xcd, 0x93, 0x21, 0xb8, 0x78, 0x32
+ };
+
+ sftk_PBELockInit();
+@@ -1794,11 +1799,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
+ * for NSSPKCS5_PBKDF2 */
+ pbe_params.iter = iteration_count;
+ pbe_params.keyLen = keyLen;
+- pbe_params.hashType = HASH_AlgSHA256;
++ pbe_params.hashType = HASH_AlgSHA384;
+ pbe_params.pbeType = NSSPKCS5_PBKDF2;
+ pbe_params.is2KeyDES = PR_FALSE;
+
+ result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE);
++
+ if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) ||
+ (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) {
+ SECITEM_FreeItem(result, PR_TRUE);
diff --git a/nss-fips-tests-enable-fips.patch b/nss-fips-tests-enable-fips.patch
new file mode 100644
index 0000000..65dfad5
--- /dev/null
+++ b/nss-fips-tests-enable-fips.patch
@@ -0,0 +1,25 @@
+Index: nss/tests/cert/cert.sh
+===================================================================
+--- nss.orig/tests/cert/cert.sh
++++ nss/tests/cert/cert.sh
+@@ -1353,6 +1353,11 @@ cert_stresscerts()
+ ##############################################################################
+ cert_fips()
+ {
++ OLD_FIPS_MODE=`echo ${NSS_FIPS}`
++ OLD_CHECKSUMS_MODE=`echo ${NSS_IGNORE_CHECKSUMS}`
++ export NSS_FIPS=1
++ export NSS_IGNORE_CHECKSUMS=1
++
+ CERTFAILED=0
+ echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
+ cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
+@@ -1393,6 +1398,8 @@ MODSCRIPT
+ cert_log "SUCCESS: FIPS passed"
+ fi
+
++ export NSS_FIPS=${OLD_FIPS_MODE}
++ export NSS_IGNORE_CHECKSUMS=${OLD_CHECKSUMS_MODE}
+ }
+
+ ########################## cert_rsa_exponent #################################
diff --git a/nss-fips-tests-skip.patch b/nss-fips-tests-skip.patch
new file mode 100644
index 0000000..7661085
--- /dev/null
+++ b/nss-fips-tests-skip.patch
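Review bot: The replacement test vector in nss-fips-pbkdf-kat-compliance.patch (new `TEST_KEY`, 32-byte `saltData`, `HASH_AlgSHA384`, new `pbkdf_known_answer`) carries no record of how the expected output was produced, so a later reader cannot tell whether it was checked against an independent PBKDF2 implementation or generated by NSS itself. A comment above `pbkdf_known_answer` stating the parameters and the source would close that gap, e.g. `/* PBKDF2 with SHA-384, 5 iterations, 64-byte output; expected value generated with <tool and version> */`. `iteration_count` stays at 5 in the context lines; if the rule this patch is meant to satisfy also sets a minimum iteration count, that should be confirmed. The body of `sftk_fips_pbkdf_PowerUpSelfTests` continues outside the inner hunks.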
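Review bot: In the cert.sh change, saving with `` OLD_FIPS_MODE=`echo ${NSS_FIPS}` `` and restoring with `export NSS_FIPS=${OLD_FIPS_MODE}` turns a previously unset variable into one that is exported as an empty string, and the same holds for `NSS_IGNORE_CHECKSUMS`, so every test that runs after `cert_fips` inherits both. The restore should unset when the saved value was empty, e.g. `[ -n "${OLD_FIPS_MODE}" ] && export NSS_FIPS=${OLD_FIPS_MODE} || unset NSS_FIPS`, and likewise for the checksum variable. Because `NSS_IGNORE_CHECKSUMS=1` switches off an integrity check, a comment at that export saying it is needed only because the libraries are not installed yet when the suite runs would keep it from being copied elsewhere.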
@@ -0,0 +1,19 @@
+Index: nss/tests/lowhash/lowhash.sh
+===================================================================
+--- nss.orig/tests/lowhash/lowhash.sh
++++ nss/tests/lowhash/lowhash.sh
+@@ -61,11 +61,13 @@ lowhash_test()
+ ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then
+ echo "freebl lowhash not supported in this plaform."
+ else
+- TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
++ TESTS_FIPS_0="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
++ TESTS_FIPS_1="SHA224 SHA256 SHA384 SHA512"
+ OLD_MODE=`echo ${NSS_FIPS}`
+ for fips_mode in 0 1; do
+ echo "lowhashtest with fips mode=${fips_mode}"
+ export NSS_FIPS=${fips_mode}
++ eval TESTS=\${TESTS_FIPS_${fips_mode}}
+ for TEST in ${TESTS}
+ do
+ echo "lowhashtest ${TEST}"
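Review bot: `eval TESTS=\${TESTS_FIPS_${fips_mode}}` is safe only because `fips_mode` comes from the literal list `0 1`; a `case` selects the list without `eval` and keeps working if the loop values ever come from somewhere else: `case ${fips_mode} in 0) TESTS=${TESTS_FIPS_0} ;; *) TESTS=${TESTS_FIPS_1} ;; esac`. The patch also gives no reason why MD5 and SHA1 are left out of `TESTS_FIPS_1` (presumably they are refused in FIPS mode); a one-line comment next to the two lists should say so. The loop body continues past the end of the inner hunk.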