Accepting request 1198722 from mozilla:Factory
OBS-URL: https://build.opensuse.org/request/show/1198722 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=221
This commit is contained in:
commit
907ca87dbe
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 13 07:08:55 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||||
|
||||
- update to NSS 3.103
|
||||
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
|
||||
* bmo#1899542: Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
|
||||
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
|
||||
* bmo#1903783: Adjust libFuzzer size limits
|
||||
* bmo#1899542: Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
|
||||
* bmo#1899542: Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION
|
||||
- Add nss-reproducible-builds.patch to make the rpms reproducible,
|
||||
by using a hardcoded, static key to generate the checksums (*.chk-files)
|
||||
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
|
||||
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Aug 2 08:04:51 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||||
|
||||
|
@ -17,15 +17,15 @@
|
||||
#
|
||||
|
||||
|
||||
%global nss_softokn_fips_version 3.102.1
|
||||
%global nss_softokn_fips_version 3.103
|
||||
%define NSPR_min_version 4.35
|
||||
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
|
||||
%define nssdbdir %{_sysconfdir}/pki/nssdb
|
||||
%global crypto_policies_version 20210218
|
||||
Name: mozilla-nss
|
||||
Version: 3.102.1
|
||||
Version: 3.103
|
||||
Release: 0
|
||||
%define underscore_version 3_102_1
|
||||
%define underscore_version 3_103
|
||||
Summary: Network Security Services
|
||||
License: MPL-2.0
|
||||
Group: System/Libraries
|
||||
@ -83,6 +83,7 @@ Patch49: nss-allow-slow-tests-s390x.patch
|
||||
Patch50: nss-fips-bsc1223724.patch
|
||||
Patch51: nss-fips-aes-gcm-restrict.patch
|
||||
Patch52: nss-fips-safe-memset.patch
|
||||
Patch53: nss-reproducible-builds.patch
|
||||
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
|
||||
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
|
||||
BuildRequires: gcc9-c++
|
||||
@ -253,6 +254,7 @@ cd nss
|
||||
# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
|
||||
%patch -P 52 -p1
|
||||
%endif
|
||||
%patch -P 53 -p1
|
||||
|
||||
# additional CA certificates
|
||||
#cd security/nss/lib/ckfw/builtins
|
||||
@ -459,15 +461,15 @@ install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
|
||||
install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
|
||||
install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
|
||||
install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
|
||||
# create shlib sigs after extracting debuginfo
|
||||
# create shlib sigs after extracting debuginfo with a hard-coded key to produce reproducible checksums, using the same key that openssl uses.
|
||||
%define __spec_install_post \
|
||||
%{?__debug_package:%{__debug_install_post}} \
|
||||
%{__arch_install_post} \
|
||||
%__os_install_post \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreebl3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libsoftokn3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libnssdbm3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreebl3.so \
|
||||
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
|
||||
%{nil}
|
||||
|
||||
%post -p /sbin/ldconfig
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:54982d3587e41579c94f2036ba084438b073f8456bbd873b7a942c057e9737cc
|
||||
size 76460182
|
3
nss-3.103.tar.gz
Normal file
3
nss-3.103.tar.gz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:7b4ab657f772dc7520c46e8d481940b292dcfc6a4c90150a7c26672384cee962
|
||||
size 76470174
|
@ -2,7 +2,7 @@ Index: nss/lib/softoken/sftkmessage.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/sftkmessage.c
|
||||
+++ nss/lib/softoken/sftkmessage.c
|
||||
@@ -151,6 +151,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
|
||||
@@ -183,6 +183,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
|
||||
if (crv != CKR_OK)
|
||||
return crv;
|
||||
|
||||
|
@ -349,9 +349,9 @@ Index: nss/lib/freebl/rawhash.c
|
||||
#include "secerr.h"
|
||||
+#include "fips.h"
|
||||
|
||||
static void *
|
||||
null_hash_new_context(void)
|
||||
@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[]
|
||||
#define RawHashBase(ctxtype, mmm) \
|
||||
static void * \
|
||||
@@ -236,7 +237,11 @@ const SECHashObject SECRawHashObjects[]
|
||||
const SECHashObject *
|
||||
HASH_GetRawHashObject(HASH_HashType hashType)
|
||||
{
|
||||
@ -368,7 +368,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -452,7 +452,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
@@ -538,7 +538,7 @@ sftk_InitGeneric(SFTKSession *session, C
|
||||
context->blockSize = 0;
|
||||
context->maxLen = 0;
|
||||
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
|
||||
@ -377,7 +377,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
*contextPtr = context;
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -4877,6 +4877,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
@@ -4989,6 +4989,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
goto loser;
|
||||
}
|
||||
|
||||
@ -388,7 +388,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
/*
|
||||
* handle the base object stuff
|
||||
*/
|
||||
@@ -4891,6 +4895,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
@@ -5003,6 +5007,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
|
||||
if (crv == CKR_OK) {
|
||||
*phKey = key->handle;
|
||||
}
|
||||
@ -396,7 +396,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
loser:
|
||||
PORT_Memset(buf, 0, sizeof buf);
|
||||
sftk_FreeObject(key);
|
||||
@@ -5318,7 +5323,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -5432,7 +5437,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
|
||||
int i;
|
||||
SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
|
||||
@ -405,7 +405,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
|
||||
/* RSA */
|
||||
int public_modulus_bits = 0;
|
||||
@@ -5921,11 +5926,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -6036,11 +6041,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
* created and linked.
|
||||
*/
|
||||
crv = sftk_handleObject(publicKey, session);
|
||||
@ -418,7 +418,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
return crv;
|
||||
}
|
||||
if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
|
||||
@@ -5969,13 +5974,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -6084,13 +6089,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
sftk_FreeObject(publicKey);
|
||||
NSC_DestroyObject(hSession, privateKey->handle);
|
||||
sftk_FreeObject(privateKey);
|
||||
@ -438,7 +438,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
|
||||
return CKR_OK;
|
||||
}
|
||||
@@ -7167,6 +7178,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7282,6 +7293,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
return CKR_TEMPLATE_INCONSISTENT;
|
||||
}
|
||||
|
||||
@ -453,7 +453,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
/* sourceKey is NULL if we are called from the POST, skip the
|
||||
* sensitiveCheck */
|
||||
if (sourceKey != NULL) {
|
||||
@@ -7215,7 +7234,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7330,7 +7349,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
mech.pParameter = params;
|
||||
mech.ulParameterLen = sizeof(*params);
|
||||
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
|
||||
@ -463,7 +463,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
}
|
||||
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
|
||||
if (saltKey_att == NULL) {
|
||||
@@ -7257,7 +7277,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
@@ -7372,7 +7392,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
|
||||
/* HKDF-Expand */
|
||||
if (!params->bExpand) {
|
||||
okm = prk;
|
||||
@ -472,7 +472,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
} else {
|
||||
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
|
||||
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
|
||||
@@ -7480,7 +7500,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -7595,7 +7615,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
return CKR_KEY_HANDLE_INVALID;
|
||||
}
|
||||
}
|
||||
@ -482,7 +482,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
|
||||
switch (mechanism) {
|
||||
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
|
||||
@@ -7681,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -7796,7 +7817,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
} else {
|
||||
/* now allocate the hash contexts */
|
||||
md5 = MD5_NewContext();
|
||||
@ -491,7 +491,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
PORT_Memset(crsrdata, 0, sizeof crsrdata);
|
||||
crv = CKR_HOST_MEMORY;
|
||||
break;
|
||||
@@ -8070,6 +8091,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
@@ -8185,6 +8206,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
|
||||
PORT_Assert(i <= sizeof key_block);
|
||||
}
|
||||
|
||||
@ -820,7 +820,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11u.c
|
||||
+++ nss/lib/softoken/pkcs11u.c
|
||||
@@ -2248,6 +2248,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
|
||||
@@ -2251,6 +2251,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
|
||||
case CKA_NSS_MESSAGE | CKA_VERIFY:
|
||||
flags = CKF_MESSAGE_VERIFY;
|
||||
break;
|
||||
@ -833,7 +833,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2324,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
@@ -2327,7 +2333,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
|
||||
static int
|
||||
sftk_getKeyLength(SFTKObject *source)
|
||||
{
|
||||
@ -842,7 +842,16 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
CK_ATTRIBUTE_TYPE keyAttribute;
|
||||
CK_ULONG keyLength = 0;
|
||||
SFTKAttribute *attribute;
|
||||
@@ -2386,14 +2392,55 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
@@ -2347,7 +2353,7 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
* key length is CKA_VALUE, which is the default */
|
||||
keyType = CKK_INVALID_KEY_TYPE;
|
||||
}
|
||||
- if (keyType == CKK_EC) {
|
||||
+ if (keyType == CKK_EC || keyType == CKK_EC_MONTGOMERY) {
|
||||
SECOidTag curve = sftk_quickGetECCCurveOid(source);
|
||||
switch (curve) {
|
||||
case SEC_OID_CURVE25519:
|
||||
@@ -2389,14 +2395,55 @@ sftk_getKeyLength(SFTKObject *source)
|
||||
return keyLength;
|
||||
}
|
||||
|
||||
@ -899,7 +908,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
switch (mechInfo->special) {
|
||||
case SFTKFIPSDH: {
|
||||
SECItem dhPrime;
|
||||
@@ -2409,10 +2456,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2412,10 +2459,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
}
|
||||
case SFTKFIPSNone:
|
||||
return PR_FALSE;
|
||||
@ -929,7 +938,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
case SFTKFIPSAEAD: {
|
||||
if (mech->ulParameterLen == 0) {
|
||||
/* AEAD ciphers are only in FIPS mode if we are using the
|
||||
@@ -2440,11 +2504,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2443,11 +2507,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
if (hashObj == NULL) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
@ -974,7 +983,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
default:
|
||||
break;
|
||||
}
|
||||
@@ -2455,7 +2552,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
@@ -2458,7 +2555,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
|
||||
|
||||
PRBool
|
||||
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
|
||||
@ -983,7 +992,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
{
|
||||
#ifndef NSS_HAS_FIPS_INDICATORS
|
||||
return PR_FALSE;
|
||||
@@ -2468,18 +2565,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
@@ -2471,18 +2568,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
if (!sftk_isFIPS(slot->slotID)) {
|
||||
return PR_FALSE;
|
||||
}
|
||||
@ -1023,7 +1032,7 @@ Index: nss/lib/softoken/pkcs11u.c
|
||||
keyLength = sftk_getKeyLength(source);
|
||||
|
||||
/* check against our algorithm array */
|
||||
@@ -2487,13 +2601,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
@@ -2490,13 +2604,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
|
||||
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
|
||||
/* if we match the number of records exactly, then we are an
|
||||
* approved algorithm in the approved mode with an approved key */
|
||||
@ -1061,7 +1070,7 @@ Index: nss/lib/softoken/pkcs11.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11.c
|
||||
+++ nss/lib/softoken/pkcs11.c
|
||||
@@ -573,17 +573,17 @@ static const struct mechanismList mechan
|
||||
@@ -574,17 +574,17 @@ static const struct mechanismList mechan
|
||||
{ CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
|
||||
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,
|
||||
|
@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -2744,6 +2744,38 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
|
||||
@@ -2848,6 +2848,38 @@ nsc_EDDSASignStub(void *ctx, unsigned ch
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -107,7 +107,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
/* NSC_SignInit setups up the signing operations. There are three basic
|
||||
* types of signing:
|
||||
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
|
||||
@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||||
@@ -3755,6 +3787,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
|
||||
info->hashOid = SEC_OID_##mmm; \
|
||||
goto finish_rsa;
|
||||
|
||||
@ -130,7 +130,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
switch (pMechanism->mechanism) {
|
||||
INIT_RSA_VFY_MECH(MD5)
|
||||
INIT_RSA_VFY_MECH(MD2)
|
||||
@@ -4905,6 +4953,73 @@ loser:
|
||||
@@ -5017,6 +5065,73 @@ loser:
|
||||
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
|
||||
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
|
||||
|
||||
@ -204,7 +204,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
/*
|
||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||
*
|
||||
@@ -4958,8 +5073,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
@@ -5071,8 +5186,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
|
||||
/* Variables used for Signature/Verification functions. */
|
||||
/* Must be at least 256 bits for DSA2 digest */
|
||||
@ -213,7 +213,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
CK_ULONG signature_length;
|
||||
|
||||
if (keyType == CKK_RSA) {
|
||||
@@ -5113,80 +5226,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
@@ -5226,80 +5339,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
|
||||
|
||||
/*********************************************************************/
|
||||
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
|
||||
@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl
|
||||
*/
|
||||
extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
|
||||
@@ -1944,6 +1944,9 @@ extern SECStatus ED_DerivePublicKey(cons
|
||||
|
||||
extern SECStatus X25519_DerivePublicKey(SECItem *privateKey, SECItem *publicKey);
|
||||
|
||||
+/* Unconditionally run the integrity check. */
|
||||
+extern void BL_FIPSRepeatIntegrityCheck(void);
|
||||
@ -910,7 +910,7 @@ Index: nss/lib/freebl/loader.h
|
||||
|
||||
/* Version 3.013 came to here */
|
||||
|
||||
@@ -927,6 +927,9 @@ struct FREEBLVectorStr {
|
||||
@@ -930,6 +930,9 @@ struct FREEBLVectorStr {
|
||||
|
||||
/* Add new function pointers at the end of this struct and bump
|
||||
* FREEBL_VERSION at the beginning of this file. */
|
||||
@ -1541,10 +1541,10 @@ Index: nss/lib/freebl/ldvector.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/ldvector.c
|
||||
+++ nss/lib/freebl/ldvector.c
|
||||
@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect
|
||||
ED_VerifyMessage,
|
||||
ED_DerivePublicKey,
|
||||
/* End of version 3.028 */
|
||||
@@ -446,6 +446,9 @@ static const struct FREEBLVectorStr vect
|
||||
|
||||
X25519_DerivePublicKey,
|
||||
/* End of version 3.029 */
|
||||
+
|
||||
+ /* SUSE patch: Goes last */
|
||||
+ BL_FIPSRepeatIntegrityCheck
|
||||
|
@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -4897,8 +4897,8 @@ loser:
|
||||
@@ -5009,8 +5009,8 @@ loser:
|
||||
return crv;
|
||||
}
|
||||
|
||||
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
|
||||
/*
|
||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||
@@ -5960,6 +5960,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
@@ -6075,6 +6075,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
|
||||
(PRUint32)crv);
|
||||
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
|
||||
}
|
||||
|
@ -5,7 +5,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
===================================================================
|
||||
--- nss.orig/lib/softoken/pkcs11c.c
|
||||
+++ nss/lib/softoken/pkcs11c.c
|
||||
@@ -5020,6 +5020,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
|
||||
@@ -5132,6 +5132,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
|
||||
return crv;
|
||||
}
|
||||
|
||||
@ -94,7 +94,7 @@ Index: nss/lib/softoken/pkcs11c.c
|
||||
/*
|
||||
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
|
||||
*
|
||||
@@ -5370,6 +5452,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
@@ -5484,6 +5566,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
|
||||
}
|
||||
}
|
||||
|
||||
|
229
nss-reproducible-builds.patch
Normal file
229
nss-reproducible-builds.patch
Normal file
@ -0,0 +1,229 @@
|
||||
commit cef712e9a49502e669535675c9900b61751ac02b
|
||||
Author: Martin Sirringhaus <martin.sirringhaus@suse.com>
|
||||
Date: Mon Jul 29 23:22:41 2024 +0000
|
||||
|
||||
Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=nss-reviewers,rrelyea)
|
||||
|
||||
Differential Revision: https://phabricator.services.mozilla.com/D217282
|
||||
|
||||
Index: nss/cmd/shlibsign/Makefile
|
||||
===================================================================
|
||||
--- nss.orig/cmd/shlibsign/Makefile
|
||||
+++ nss/cmd/shlibsign/Makefile
|
||||
@@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
|
||||
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
|
||||
#######################################################################
|
||||
|
||||
-ifeq ($(OS_ARCH), WINNT)
|
||||
-
|
||||
-EXTRA_LIBS += \
|
||||
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
|
||||
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
|
||||
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
|
||||
- $(NULL)
|
||||
-
|
||||
-else
|
||||
-
|
||||
-EXTRA_SHARED_LIBS += \
|
||||
- -L$(NSPR_LIB_DIR) \
|
||||
- -lplc4 \
|
||||
- -lplds4 \
|
||||
- -lnspr4 \
|
||||
- $(NULL)
|
||||
-
|
||||
-endif
|
||||
-
|
||||
+include ../platlibs.mk
|
||||
|
||||
# sign any and all shared libraries that contain the word freebl
|
||||
ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
|
||||
Index: nss/cmd/shlibsign/shlibsign.c
|
||||
===================================================================
|
||||
--- nss.orig/cmd/shlibsign/shlibsign.c
|
||||
+++ nss/cmd/shlibsign/shlibsign.c
|
||||
@@ -55,6 +55,10 @@
|
||||
/* nss headers for definition of HASH_HashType */
|
||||
#include "hasht.h"
|
||||
|
||||
+#include "basicutil.h"
|
||||
+#include "secitem.h"
|
||||
+
|
||||
+
|
||||
CK_BBOOL cktrue = CK_TRUE;
|
||||
CK_BBOOL ckfalse = CK_FALSE;
|
||||
static PRBool verbose = PR_FALSE;
|
||||
@@ -111,7 +115,7 @@ usage(const char *program_name)
|
||||
PR_fprintf(debug_out,
|
||||
"Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
|
||||
" [-F] [-p pwd] -[P dbprefix ] [-t hash]"
|
||||
- " [-D] [-k keysize] [-c]"
|
||||
+ " [-D] [-k keysize] [-c] [-K key]"
|
||||
"-i shared_library_name\n",
|
||||
program_name);
|
||||
PR_fprintf(debug_out, "Valid Hashes: ");
|
||||
@@ -136,6 +140,7 @@ long_usage(const char *program_name)
|
||||
PR_fprintf(debug_out, "\t-t <hash> Hash for HMAC/or DSA\n");
|
||||
PR_fprintf(debug_out, "\t-D Sign with DSA rather than HMAC\n");
|
||||
PR_fprintf(debug_out, "\t-k <keysize> size of the DSA key\n");
|
||||
+ PR_fprintf(debug_out, "\t-K <key> key-material to use for hmac (hex-string, without leading 0x)\n");
|
||||
PR_fprintf(debug_out, "\t-c Use compatible versions for old NSS\n");
|
||||
PR_fprintf(debug_out, "\t-P <prefix> database prefix\n");
|
||||
PR_fprintf(debug_out, "\t-f <file> password File : echo pw > file \n");
|
||||
@@ -1069,7 +1074,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
|
||||
|
||||
CK_RV
|
||||
shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
|
||||
- CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd,
|
||||
+ CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd,
|
||||
PRFileDesc *ofd, const HashTable *hash)
|
||||
{
|
||||
CK_MECHANISM hmacMech = { 0, NULL, 0 };
|
||||
@@ -1100,40 +1105,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunc
|
||||
"Internal error:Could find sha256 entry in table.\n");
|
||||
}
|
||||
|
||||
- hmacKeyTemplate[0].type = CKA_TOKEN;
|
||||
- hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
|
||||
- hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
|
||||
- hmacKeyTemplate[1].type = CKA_PRIVATE;
|
||||
- hmacKeyTemplate[1].pValue = &cktrue;
|
||||
- hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
|
||||
- hmacKeyTemplate[2].type = CKA_SENSITIVE;
|
||||
- hmacKeyTemplate[2].pValue = &ckfalse;
|
||||
- hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
|
||||
- hmacKeyTemplate[3].type = CKA_SIGN;
|
||||
- hmacKeyTemplate[3].pValue = &cktrue;
|
||||
- hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
|
||||
- hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||||
- hmacKeyTemplate[4].pValue = &ckfalse;
|
||||
- hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
|
||||
- hmacKeyTemplate[5].type = CKA_VALUE_LEN;
|
||||
- hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
|
||||
- hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
|
||||
- hmacKeyTemplate[6].type = CKA_KEY_TYPE;
|
||||
- hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
|
||||
- hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
|
||||
- hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
|
||||
- hmacMech.mechanism = hash->hmac;
|
||||
+ if (key == NULL) {
|
||||
+ hmacKeyTemplate[0].type = CKA_TOKEN;
|
||||
+ hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
|
||||
+ hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
|
||||
+ hmacKeyTemplate[1].type = CKA_PRIVATE;
|
||||
+ hmacKeyTemplate[1].pValue = &cktrue;
|
||||
+ hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
|
||||
+ hmacKeyTemplate[2].type = CKA_SENSITIVE;
|
||||
+ hmacKeyTemplate[2].pValue = &ckfalse;
|
||||
+ hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
|
||||
+ hmacKeyTemplate[3].type = CKA_SIGN;
|
||||
+ hmacKeyTemplate[3].pValue = &cktrue;
|
||||
+ hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
|
||||
+ hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
|
||||
+ hmacKeyTemplate[4].pValue = &ckfalse;
|
||||
+ hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
|
||||
+ hmacKeyTemplate[5].type = CKA_VALUE_LEN;
|
||||
+ hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
|
||||
+ hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
|
||||
+ hmacKeyTemplate[6].type = CKA_KEY_TYPE;
|
||||
+ hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
|
||||
+ hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
|
||||
+ hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
|
||||
+
|
||||
+ /* Generate a DSA key pair */
|
||||
+ logIt("Generate an HMAC key ... \n");
|
||||
+ crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
|
||||
+ hmacKeyTemplate,
|
||||
+ PR_ARRAY_SIZE(hmacKeyTemplate),
|
||||
+ &hHMACKey);
|
||||
+ } else {
|
||||
+ SECItem keyitem = { 0 };
|
||||
+ if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) {
|
||||
+ pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv);
|
||||
+ return crv;
|
||||
+ }
|
||||
+
|
||||
+ CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY;
|
||||
+ CK_ATTRIBUTE hmacKeyObject[] = {
|
||||
+ {
|
||||
+ .type = CKA_CLASS,
|
||||
+ .pValue = &secret_key_obj_class,
|
||||
+ .ulValueLen = sizeof(CK_OBJECT_CLASS),
|
||||
+ },
|
||||
+ {
|
||||
+ .type = CKA_KEY_TYPE,
|
||||
+ .pValue = (void *)&hash->keyType,
|
||||
+ .ulValueLen = sizeof(hash->keyType),
|
||||
+ },
|
||||
+ {
|
||||
+ .type = CKA_VALUE,
|
||||
+ .pValue = keyitem.data,
|
||||
+ .ulValueLen = keyitem.len,
|
||||
+ },
|
||||
+ {
|
||||
+ .type = CKA_SIGN,
|
||||
+ .pValue = &cktrue,
|
||||
+ .ulValueLen = sizeof(cktrue),
|
||||
+ },
|
||||
+ };
|
||||
+ logIt("Using static HMAC key ... \n");
|
||||
+ crv = pFunctionList->C_CreateObject(hRwSession,
|
||||
+ hmacKeyObject,
|
||||
+ PR_ARRAY_SIZE(hmacKeyObject),
|
||||
+ &hHMACKey);
|
||||
+ }
|
||||
|
||||
- /* Generate a DSA key pair */
|
||||
- logIt("Generate an HMAC key ... \n");
|
||||
- crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
|
||||
- hmacKeyTemplate,
|
||||
- PR_ARRAY_SIZE(hmacKeyTemplate),
|
||||
- &hHMACKey);
|
||||
if (crv != CKR_OK) {
|
||||
pk11error("HMAC key generation failed", crv);
|
||||
return crv;
|
||||
}
|
||||
+ hmacMech.mechanism = hash->hmac;
|
||||
|
||||
/* compute the digest */
|
||||
memset(sign, 0, sizeof(sign));
|
||||
@@ -1258,6 +1301,7 @@ main(int argc, char **argv)
|
||||
static PRBool useDSA = PR_FALSE;
|
||||
PRBool successful = PR_FALSE;
|
||||
const HashTable *hash = NULL;
|
||||
+ char *key = NULL;
|
||||
|
||||
#ifdef USES_LINKS
|
||||
int ret;
|
||||
@@ -1281,7 +1325,7 @@ main(int argc, char **argv)
|
||||
|
||||
program_name = strrchr(argv[0], '/');
|
||||
program_name = program_name ? (program_name + 1) : argv[0];
|
||||
- optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc");
|
||||
+ optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc");
|
||||
if (optstate == NULL) {
|
||||
lperror("PL_CreateOptState failed");
|
||||
return 1;
|
||||
@@ -1331,6 +1375,14 @@ main(int argc, char **argv)
|
||||
keySize = atoi(optstate->value);
|
||||
break;
|
||||
|
||||
+ case 'K':
|
||||
+ if (!optstate->value) {
|
||||
+ PL_DestroyOptState(optstate);
|
||||
+ usage(program_name);
|
||||
+ }
|
||||
+ key = PL_strdup(optstate->value);
|
||||
+ break;
|
||||
+
|
||||
case 'f':
|
||||
if (!optstate->value) {
|
||||
PL_DestroyOptState(optstate);
|
||||
@@ -1569,7 +1621,7 @@ main(int argc, char **argv)
|
||||
keySize, ifd, ofd, hash);
|
||||
} else {
|
||||
crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession,
|
||||
- keySize, ifd, ofd, hash);
|
||||
+ keySize, key, ifd, ofd, hash);
|
||||
}
|
||||
if (crv == CKR_INTERNAL_OUT_FAILURE) {
|
||||
lperror(output_file);
|
Loading…
Reference in New Issue
Block a user