- sync with current SLE

* latest FIPS changes incl. testsuite fixes (enabled now)
    nss-fips-180-3-csp-clearing.patch
    nss-fips-tests-enable-fips.patch
    nss-fips-tests-skip.patch
    nss-fips-pbkdf-kat-compliance.patch

- update to NSS 3.79
  * bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
  * bmo#1766907 - Update mercurial in clang-format docker image.
  * bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
  * bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
  * bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
  * bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside
                  indefinite GROUP.
  * bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed
                  ECPointFormat extension alerts.
  * bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on
                  unsupported ClientHello.legacy_version.
  * bmo#1764788 - Correct invalid record inner and outer content type alerts.
  * bmo#1757075 - NSS does not properly import or export pkcs12 files
                  with large passwords and pkcs5v2 encoding.
  * bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
  * bmo#1767590 - Initialize pointers passed to
                  NSS_CMSDigestContext_FinishMultiple.
  * bmo#1769302 - NSS 3.79 should depend on NSPR 4.34

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=386
Wolfgang Rosenauer 2022-06-28 06:46:22 +00:00 committed by Git OBS Bridge
parent 8ce8182c65
commit 8442248c89
11 changed files with 388 additions and 38 deletions


@ -1,5 +1,5 @@
mozilla-nss
requires "mozilla-nspr-<targettype> >= 4.32"
requires "mozilla-nspr-<targettype> >= 4.34"
requires "libfreebl3-<targettype>"
requires "libsoftokn3-<targettype>"
requires "libnssckbi.so"


@ -1,3 +1,36 @@
-------------------------------------------------------------------
Sat Jun 25 12:30:25 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
- sync with current SLE
* latest FIPS changes incl. testsuite fixes (enabled now)
nss-fips-180-3-csp-clearing.patch
nss-fips-tests-enable-fips.patch
nss-fips-tests-skip.patch
nss-fips-pbkdf-kat-compliance.patch
-------------------------------------------------------------------
Sun Jun 12 08:57:06 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.79
* bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
* bmo#1766907 - Update mercurial in clang-format docker image.
* bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
* bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
* bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
* bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside
indefinite GROUP.
* bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed
ECPointFormat extension alerts.
* bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on
unsupported ClientHello.legacy_version.
* bmo#1764788 - Correct invalid record inner and outer content type alerts.
* bmo#1757075 - NSS does not properly import or export pkcs12 files
with large passwords and pkcs5v2 encoding.
* bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
* bmo#1767590 - Initialize pointers passed to
NSS_CMSDigestContext_FinishMultiple.
* bmo#1769302 - NSS 3.79 should depend on NSPR 4.34
-------------------------------------------------------------------
Tue May 31 19:24:59 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>


@ -17,14 +17,14 @@
#
%global nss_softokn_fips_version 3.78
%define NSPR_min_version 4.32
%global nss_softokn_fips_version 3.79
%define NSPR_min_version 4.34
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss
Version: 3.78.1
Version: 3.79
Release: 0
%define underscore_version 3_78_1
%define underscore_version 3_79
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@ -70,8 +70,12 @@ Patch24: nss-fips-use-strong-random-pool.patch
Patch25: nss-fips-detect-fips-mode-fixes.patch
Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch27: nss-fips-aes-keywrap-post.patch
Patch28: nss-fips-fix-missing-nspr.patch
Patch29: nss-fips-stricter-dh.patch
Patch37: nss-fips-fix-missing-nspr.patch
Patch38: nss-fips-stricter-dh.patch
Patch40: nss-fips-180-3-csp-clearing.patch
Patch41: nss-fips-pbkdf-kat-compliance.patch
Patch42: nss-fips-tests-skip.patch
Patch44: nss-fips-tests-enable-fips.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@ -92,8 +96,7 @@ Requires: libnssckbi.so
%endif
%ifnarch %sparc
%if ! 0%{?qemu_user_space_build}
# disabled temporarily bmo#1236340
%define run_testsuite 0
%define run_testsuite 1
%endif
%endif
@ -227,8 +230,12 @@ cd nss
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch28 -p1
%patch29 -p1
%patch37 -p1
%patch38 -p1
%patch40 -p1
%patch41 -p1
%patch42 -p1
%patch44 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
@ -268,6 +275,8 @@ export USE_64=1
%endif
export NSS_DISABLE_GTESTS=1
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ENABLE_FIPS_INDICATORS=1
export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\""
#export SQLITE_LIB_NAME=nsssqlite3
MAKE_FLAGS="BUILD_OPT=1"
make %{?_smp_mflags} nss_build_all $MAKE_FLAGS
@ -275,7 +284,7 @@ make %{?_smp_mflags} nss_build_all $MAKE_FLAGS
%if 0%{?run_testsuite}
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF=" "
export DOMSUF="localdomain"
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
cd tests
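Review bot: `NSS_FIPS_MODULE_ID` is exported unconditionally and embeds `%{release}`, so every build of this spec, including non-SLE targets and plain rebuilds, identifies itself as "SUSE Linux Enterprise NSS" with an identifier that changes per rebuild. If the string is meant to name one specific validated module, that looks unintended. Consider guarding the export the way the spec already guards SLE-only settings, e.g. `%if 0%{?sle_version}` … `%endif`. A comment above the two new exports would also help, such as `# FIPS indicators: module ID string reported to callers`. How the NSS build consumes either variable is not visible in this section.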


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b6a492594366410a3f0e391a82a87657e2901415f0d386eb07672edaf0ea6cac
size 84825394

3
nss-3.79.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ebdf2d6a96613b6fe70ad579e9f983e0e94e0110171cfb2999db633d3394a514
size 84830113


@ -0,0 +1,40 @@
Index: nss/lib/freebl/pqg.c
===================================================================
--- nss.orig/lib/freebl/pqg.c
+++ nss/lib/freebl/pqg.c
@@ -1232,6 +1232,9 @@ cleanup:
MP_TO_SEC_ERROR(err);
rv = SECFailure;
}
+ if (rv != SECSuccess) {
+ mp_zero(G);
+ }
return rv;
}
Index: nss/lib/softoken/sftkdb.c
===================================================================
--- nss.orig/lib/softoken/sftkdb.c
+++ nss/lib/softoken/sftkdb.c
@@ -1506,7 +1506,7 @@ loser:
PORT_ZFree(data, dataSize);
}
if (arena) {
- PORT_FreeArena(arena, PR_FALSE);
+ PORT_FreeArena(arena, PR_TRUE);
}
return crv;
}
Index: nss/lib/softoken/sftkpwd.c
===================================================================
--- nss.orig/lib/softoken/sftkpwd.c
+++ nss/lib/softoken/sftkpwd.c
@@ -1439,7 +1439,7 @@ loser:
PORT_ZFree(newKey.data, newKey.len);
}
if (result) {
- SECITEM_FreeItem(result, PR_TRUE);
+ SECITEM_ZfreeItem(result, PR_TRUE);
}
if (rv != SECSuccess) {
(*keydb->db->sdb_Abort)(keydb->db);


@ -258,7 +258,7 @@ Index: nss/lib/freebl/fips.h
===================================================================
--- nss.orig/lib/freebl/fips.h
+++ nss/lib/freebl/fips.h
@@ -8,8 +8,20 @@
@@ -8,9 +8,21 @@
#ifndef FIPS_H
#define FIPS_H
@ -267,13 +267,14 @@ Index: nss/lib/freebl/fips.h
+
+#define IN_FIPS_RETURN(rv) \
+ do { \
+ if (FIPS_mode()) { \
+ if (FIPS_mode_allow_tests()) { \
+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); \
+ return rv; \
+ } \
+ } while (0)
+
int FIPS_mode(void);
int FIPS_mode_allow_tests(void);
char* FIPS_rngDev(void);
+PRBool FIPS_hashAlgApproved(HASH_HashType hashAlg);
@ -495,3 +496,99 @@ Index: nss/lib/softoken/pkcs11c.c
PORT_Memset(crsrdata, 0, sizeof crsrdata);
crv = CKR_HOST_MEMORY;
break;
Index: nss/lib/freebl/desblapi.c
===================================================================
--- nss.orig/lib/freebl/desblapi.c
+++ nss/lib/freebl/desblapi.c
@@ -18,6 +18,8 @@
#include <stddef.h>
#include "secerr.h"
+#include "fips.h"
+
#if defined(NSS_X86_OR_X64)
/* Intel X86 CPUs do unaligned loads and stores without complaint. */
#define COPY8B(to, from, ptr) \
@@ -136,6 +138,8 @@ DES_EDE3CBCDe(DESContext *cx, BYTE *out,
DESContext *
DES_AllocateContext(void)
{
+ IN_FIPS_RETURN(NULL);
+
return PORT_ZNew(DESContext);
}
@@ -145,12 +149,16 @@ DES_InitContext(DESContext *cx, const un
unsigned int unused)
{
DESDirection opposite;
+
+ IN_FIPS_RETURN(SECFailure);
+
if (!cx) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT;
opposite = encrypt ? DES_DECRYPT : DES_ENCRYPT;
+
switch (mode) {
case NSS_DES: /* DES ECB */
DES_MakeSchedule(cx->ks0, key, cx->direction);
@@ -201,8 +209,13 @@ DES_InitContext(DESContext *cx, const un
DESContext *
DES_CreateContext(const BYTE *key, const BYTE *iv, int mode, PRBool encrypt)
{
- DESContext *cx = PORT_ZNew(DESContext);
- SECStatus rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0);
+ DESContext *cx;
+ SECStatus rv;
+
+ IN_FIPS_RETURN(NULL);
+
+ cx = PORT_ZNew(DESContext);
+ rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0);
if (rv != SECSuccess) {
PORT_ZFree(cx, sizeof *cx);
@@ -214,6 +227,8 @@ DES_CreateContext(const BYTE *key, const
void
DES_DestroyContext(DESContext *cx, PRBool freeit)
{
+ IN_FIPS_RETURN();
+
if (cx) {
memset(cx, 0, sizeof *cx);
if (freeit)
@@ -225,6 +240,7 @@ SECStatus
DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
{
+ IN_FIPS_RETURN(SECFailure);
if ((inLen % 8) != 0 || maxOutLen < inLen || !cx ||
cx->direction != DES_ENCRYPT) {
@@ -242,6 +258,7 @@ SECStatus
DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen,
unsigned int maxOutLen, const BYTE *in, unsigned int inLen)
{
+ IN_FIPS_RETURN(SECFailure);
if ((inLen % 8) != 0 || maxOutLen < inLen || !cx ||
cx->direction != DES_DECRYPT) {
Index: nss/lib/softoken/fips_algorithms.h
===================================================================
--- nss.orig/lib/softoken/fips_algorithms.h
+++ nss/lib/softoken/fips_algorithms.h
@@ -111,8 +111,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
{ CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
{ CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone },
+#if 0
+ /* Not approved in FIPS mode */
{ CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone },
{ CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone },
+#endif
/* ------------------------- Hashing Operations ----------------------- */
{ CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone },
{ CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone },
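Review bot: The guard added to `DES_DestroyContext` returns before the `memset` and the free whenever `FIPS_mode_allow_tests()` is non-zero, so a context that already exists at that point keeps its key schedule in memory and is never released. Because `FIPS_mode_allow_tests()` reports 0 until the self-tests have finished, a context created in that window may later reach the destructor with the guard active. Teardown should not depend on algorithm policy: drop the `IN_FIPS_RETURN();` line from `DES_DestroyContext` and keep the guards on the allocate, init, create, encrypt and decrypt entry points. The destructor's body continues outside the hunk.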


@ -67,7 +67,7 @@ Index: nss/lib/freebl/fips-selftest.inc
===================================================================
--- /dev/null
+++ nss/lib/freebl/fips-selftest.inc
@@ -0,0 +1,306 @@
@@ -0,0 +1,355 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test - common stuff.
+ *
@ -118,6 +118,9 @@ Index: nss/lib/freebl/fips-selftest.inc
+
+static int fips_wanted = -1;
+
+static int fips_is_env = 0;
+static int fips_ignore_checksums = 0;
+
+/* debug messages are sent to stderr */
+static void
+debug(const char *fmt,...)
@ -209,6 +212,21 @@ Index: nss/lib/freebl/fips-selftest.inc
+ return PR_FALSE;
+}
+
+static PRBool
+getIgnoreChecksumsEnv(void)
+{
+ char *checksumEnv = getenv("NSS_IGNORE_CHECKSUMS");
+ if (!checksumEnv) {
+ return PR_FALSE;
+ }
+ if ((strcasecmp(checksumEnv,"true") == 0) ||
+ (strcasecmp(checksumEnv,"on") == 0) ||
+ (strcasecmp(checksumEnv,"1") == 0)) {
+ return PR_TRUE;
+ }
+ return PR_FALSE;
+}
+
+static int
+fips_isWantedEnv(void)
+{
@ -222,10 +240,54 @@ Index: nss/lib/freebl/fips-selftest.inc
+#ifdef LINUX
+ fips_requests += fips_isWantedProc();
+#endif
+ if (fips_requests < 1)
+ {
+ fips_is_env = 1;
+ fips_ignore_checksums = getIgnoreChecksumsEnv();
+ }
+ fips_requests += fips_isWantedEnv();
+
+ return fips_requests;
+}
+
+static PRBool
+fips_check_signature_external (const char *full_lib_name, int *err)
+{
+ char *p0, *p1;
+ char *ld_path;
+ PRBool rv = PR_FALSE;
+
+ p0 = getenv ("LD_LIBRARY_PATH");
+ p0 = ld_path = strdup (p0 ? p0 : "");
+
+ for (p1 = strchr (p0, ':'); p1 && !rv; p1 = strchr (p0, ':'))
+ {
+ char *path;
+
+ *p1 = '\0';
+ path = malloc (strlen (p0) + strlen (full_lib_name) + 2);
+ strcpy (path, p0);
+ strcat (path, "/");
+ strcat (path, full_lib_name);
+
+ rv = BLAPI_SHVerifyFile (path, err);
+
+ free (path);
+ p0 = p1 + 1;
+ }
+
+ if (!rv)
+ {
+ char *path = malloc (strlen ("/usr/lib64/") + strlen (full_lib_name) + 1);
+ strcpy (path, "/usr/lib64/");
+ strcat (path, full_lib_name);
+ rv = BLAPI_SHVerifyFile (path, err);
+ }
+
+ free (ld_path);
+ return rv;
+}
+
+/* check integrity signatures (if present) */
+static fips_check_status
+fips_checkSignature(char *libName, PRFuncPtr addr)
@ -249,24 +311,11 @@ Index: nss/lib/freebl/fips-selftest.inc
+ l -= strlen(libName);
+ strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l);
+ l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX);
+#if 1
+ if (NULL == addr) {
+ char full_path [PATH_MAX+1];
+
+ full_path [0] = '\0';
+ l = PATH_MAX;
+ strncat (full_path, "/usr/lib64/", l);
+ l -= strlen ("/usr/lib64/");
+ strncat (full_path, full_lib_name, l);
+ l -= strlen (full_lib_name);
+
+ rv = BLAPI_SHVerifyFile(full_path, &err);
+ }
+ if (NULL == addr)
+ rv = fips_check_signature_external (full_lib_name, &err);
+ else
+ rv = BLAPI_SHVerify(full_lib_name, addr, &err);
+#else
+ rv = 1;
+#endif
+ }
+
+ if (rv) {
@ -390,7 +439,7 @@ Index: nss/lib/freebl/fips.h
===================================================================
--- /dev/null
+++ nss/lib/freebl/fips.h
@@ -0,0 +1,15 @@
@@ -0,0 +1,16 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
+ *
@ -402,6 +451,7 @@ Index: nss/lib/freebl/fips.h
+#define FIPS_H
+
+int FIPS_mode(void);
+int FIPS_mode_allow_tests(void);
+char* FIPS_rngDev(void);
+
+#endif
@ -591,7 +641,7 @@ Index: nss/lib/freebl/fipsfreebl.c
}
/*
@@ -2251,28 +2279,91 @@ bl_startup_tests(void)
@@ -2251,28 +2279,104 @@ bl_startup_tests(void)
* power on selftest failed.
*/
SECStatus
@ -648,6 +698,19 @@ Index: nss/lib/freebl/fipsfreebl.c
+ }
+}
+
+/* Returns the FIPS mode we are running in. If the tests have not completed yet,
+ * return FALSE. This allows testing of modules that are not allowed in FIPS
+ * mode. */
+int
+FIPS_mode_allow_tests(void)
+{
+ int fips;
+
+ fips = (-1 != fips_state) ? fips_state : 0;
+
+ return fips;
+}
+
+/* returns string specifying what system RNG file to use for seeding */
+char *
+FIPS_rngDev(void)
@ -943,7 +1006,7 @@ Index: nss/lib/softoken/fips.c
===================================================================
--- /dev/null
+++ nss/lib/softoken/fips.c
@@ -0,0 +1,36 @@
@@ -0,0 +1,40 @@
+#include "../freebl/fips-selftest.inc"
+
+#include "fips.h"
@ -971,9 +1034,13 @@ Index: nss/lib/softoken/fips.c
+{
+ fips_state = fips_initTest("softokn", (PRFuncPtr)fips_initTestSoftoken, fips_checkCryptoSoftoken);
+
+ /* The legacy DB must be checked unconditionally in FIPS mode. */
+ /* The legacy DB must be checked unconditionally in FIPS mode. As an exception,
+ * this can be turned off for the build-time tests using the env var
+ * NSS_IGNORE_CHECKSUMS. This is necessary because the files cannot be
+ * located before they're installed. It only works if FIPS mode is enabled
+ * via NSS_FIPS=1, not if it's set in /proc. */
+
+ if (fips_state)
+ if (fips_state && !(fips_is_env && fips_ignore_checksums))
+ {
+ fips_state = fips_initTest("nssdbm", (PRFuncPtr) NULL, NULL);
+ }
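Review bot: `fips_check_signature_external` has several path-handling defects. The `strchr` loop only visits entries that are followed by `:`, so the last (or only) `LD_LIBRARY_PATH` entry is never tried. The results of `strdup` and `malloc` are used unchecked, and the buffer for the `/usr/lib64/` fallback is never freed. Separately, the function accepts the first candidate that verifies, which is not necessarily the file the loader actually maps; a comment stating that assumption would help the next reader. The rewrite below keeps the search order and the fallback, and skips empty entries.

```c
/* Verify DIR/FULL_LIB_NAME; returns PR_FALSE on allocation failure. */
static PRBool
fips_verify_in_dir (const char *dir, const char *full_lib_name, int *err)
{
    PRBool rv;
    char *path = malloc (strlen (dir) + strlen (full_lib_name) + 2);

    if (!path)
        return PR_FALSE;
    strcpy (path, dir);
    strcat (path, "/");
    strcat (path, full_lib_name);
    rv = BLAPI_SHVerifyFile (path, err);
    free (path);
    return rv;
}

static PRBool
fips_check_signature_external (const char *full_lib_name, int *err)
{
    const char *env = getenv ("LD_LIBRARY_PATH");
    char *ld_path = strdup (env ? env : "");
    char *dir, *next;
    PRBool rv = PR_FALSE;

    if (!ld_path)
        return PR_FALSE;

    /* Visit every entry, including the last one, which has no trailing ':'.
     * NOTE: the first candidate that verifies is accepted; this assumes it is
     * the same file the loader resolves. */
    for (dir = ld_path; dir && !rv; dir = next)
    {
        char *sep = strchr (dir, ':');

        next = sep ? sep + 1 : NULL;
        if (sep)
            *sep = '\0';
        if (*dir != '\0')
            rv = fips_verify_in_dir (dir, full_lib_name, err);
    }

    if (!rv)
        rv = fips_verify_in_dir ("/usr/lib64", full_lib_name, err);

    free (ld_path);
    return rv;
}
```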


@ -0,0 +1,60 @@
Index: nss/lib/softoken/lowpbe.c
===================================================================
--- nss.orig/lib/softoken/lowpbe.c
+++ nss/lib/softoken/lowpbe.c
@@ -1745,7 +1745,7 @@ loser:
return ret_algid;
}
-#define TEST_KEY "pbkdf test key"
+#define TEST_KEY "qrfhfgkeWKZsYyLfUddaKQKLGhwqjQhNCiAdfweKEPaRf"
SECStatus
sftk_fips_pbkdf_PowerUpSelfTests(void)
{
@@ -1755,17 +1755,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
unsigned char iteration_count = 5;
unsigned char keyLen = 64;
char *inKeyData = TEST_KEY;
- static const unsigned char saltData[] =
- { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 };
+ static const unsigned char saltData[] = {
+ 0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18,
+ 0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64,
+ 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B,
+ 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22
+ };
+
static const unsigned char pbkdf_known_answer[] = {
- 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29,
- 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c,
- 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37,
- 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90,
- 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa,
- 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1,
- 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66,
- 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5
+ 0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70,
+ 0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f,
+ 0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6,
+ 0x71, 0xa3, 0xc4, 0x4f, 0x1d, 0xa7, 0x8f, 0xa5,
+ 0x0c, 0x4b, 0x13, 0xce, 0x2f, 0x2b, 0x48, 0xe0,
+ 0xfc, 0x10, 0x6d, 0xf4, 0xfb, 0x71, 0x1b, 0x0e,
+ 0x33, 0x2c, 0x43, 0x43, 0xe1, 0x77, 0x16, 0xf5,
+ 0x1e, 0x96, 0xcd, 0x93, 0x21, 0xb8, 0x78, 0x32
};
sftk_PBELockInit();
@@ -1794,11 +1799,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void)
* for NSSPKCS5_PBKDF2 */
pbe_params.iter = iteration_count;
pbe_params.keyLen = keyLen;
- pbe_params.hashType = HASH_AlgSHA256;
+ pbe_params.hashType = HASH_AlgSHA384;
pbe_params.pbeType = NSSPKCS5_PBKDF2;
pbe_params.is2KeyDES = PR_FALSE;
result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE);
+
if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) ||
(PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) {
SECITEM_FreeItem(result, PR_TRUE);
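Review bot: The replacement password, salt and `pbkdf_known_answer` bytes arrive with no record of where the vector comes from or which requirement set the new sizes, so whoever next touches `iteration_count`, `keyLen` or `hashType` cannot regenerate or independently check the expected output. Add a comment above `TEST_KEY` along the lines of `/* PBKDF2-HMAC-SHA384 KAT: TEST_KEY password, 32-byte salt, 5 iterations, 64-byte output; regenerate pbkdf_known_answer if any of these change */`, together with the reference that motivated the change. The failure branch also still frees the derived key with `SECITEM_FreeItem(result, PR_TRUE)`, while the CSP-clearing patch in this same commit switches a comparable buffer to `SECITEM_ZfreeItem`; using the zeroizing variant here would keep the two consistent. The body of `sftk_fips_pbkdf_PowerUpSelfTests` continues outside these hunks.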


@ -0,0 +1,25 @@
Index: nss/tests/cert/cert.sh
===================================================================
--- nss.orig/tests/cert/cert.sh
+++ nss/tests/cert/cert.sh
@@ -1353,6 +1353,11 @@ cert_stresscerts()
##############################################################################
cert_fips()
{
+ OLD_FIPS_MODE=`echo ${NSS_FIPS}`
+ OLD_CHECKSUMS_MODE=`echo ${NSS_IGNORE_CHECKSUMS}`
+ export NSS_FIPS=1
+ export NSS_IGNORE_CHECKSUMS=1
+
CERTFAILED=0
echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
@@ -1393,6 +1398,8 @@ MODSCRIPT
cert_log "SUCCESS: FIPS passed"
fi
+ export NSS_FIPS=${OLD_FIPS_MODE}
+ export NSS_IGNORE_CHECKSUMS=${OLD_CHECKSUMS_MODE}
}
########################## cert_rsa_exponent #################################
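Review bot: The save/restore around `cert_fips` turns an unset `NSS_FIPS` or `NSS_IGNORE_CHECKSUMS` into an exported empty variable, and the restore only runs if control reaches the last lines of the function. An early return in the part of `cert_fips` outside these hunks would leave `NSS_IGNORE_CHECKSUMS=1` exported for the tests that follow. According to the comment this commit adds in softoken/fips.c, that setting skips the legacy-DB checksum check when FIPS mode comes from `NSS_FIPS`. Restore with an explicit unset, e.g. `if [ -n "${OLD_CHECKSUMS_MODE}" ]; then export NSS_IGNORE_CHECKSUMS="${OLD_CHECKSUMS_MODE}"; else unset NSS_IGNORE_CHECKSUMS; fi`, and do the same for `NSS_FIPS`. Capture the old values with a plain `OLD_FIPS_MODE="${NSS_FIPS}"` rather than through a backtick `echo`.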

19
nss-fips-tests-skip.patch Normal file

@ -0,0 +1,19 @@
Index: nss/tests/lowhash/lowhash.sh
===================================================================
--- nss.orig/tests/lowhash/lowhash.sh
+++ nss/tests/lowhash/lowhash.sh
@@ -61,11 +61,13 @@ lowhash_test()
! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then
echo "freebl lowhash not supported in this plaform."
else
- TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ TESTS_FIPS_0="MD5 SHA1 SHA224 SHA256 SHA384 SHA512"
+ TESTS_FIPS_1="SHA224 SHA256 SHA384 SHA512"
OLD_MODE=`echo ${NSS_FIPS}`
for fips_mode in 0 1; do
echo "lowhashtest with fips mode=${fips_mode}"
export NSS_FIPS=${fips_mode}
+ eval TESTS=\${TESTS_FIPS_${fips_mode}}
for TEST in ${TESTS}
do
echo "lowhashtest ${TEST}"
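Review bot: `eval TESTS=\${TESTS_FIPS_${fips_mode}}` builds a variable name at run time, which is safe only because `fips_mode` comes from the literal list `0 1`. A `case` makes the same selection without eval: `case ${fips_mode} in 0) TESTS=${TESTS_FIPS_0} ;; 1) TESTS=${TESTS_FIPS_1} ;; esac`. A one-line comment saying why MD5 and SHA1 are left out of the FIPS list would also help, e.g. `# MD5 and SHA1 are not run with NSS_FIPS=1`. The loop body continues outside the hunk.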