pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=408

Browse Source
This commit is contained in:
Wolfgang Rosenauer 2023-03-13 08:10:43 +00:00 committed by Git OBS Bridge
parent 0524eebc24
commit 9ad7a5b5cd
23 changed files with 188 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
add-relro-linker-option.patch
View File

@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -183,6 +183,12 @@ endif
@@ -184,6 +184,12 @@ endif
endif
endif

2
malloc.patch
View File

@ -2,7 +2,7 @@ Index: nss/tests/ssl/ssl.sh
===================================================================
--- nss.orig/tests/ssl/ssl.sh
+++ nss/tests/ssl/ssl.sh
@@ -1683,6 +1683,7 @@ ssl_run_tests()
@@ -1696,6 +1696,7 @@ ssl_run_tests()
################################# main #################################

2
nss-fips-180-3-csp-clearing.patch
View File

@ -29,7 +29,7 @@ Index: nss/lib/softoken/sftkpwd.c
===================================================================
--- nss.orig/lib/softoken/sftkpwd.c
+++ nss/lib/softoken/sftkpwd.c
@@ -1439,7 +1439,7 @@ loser:
@@ -1459,7 +1459,7 @@ loser:
PORT_ZFree(newKey.data, newKey.len);
}
if (result) {

6
nss-fips-approved-crypto-non-ec.patch
View File

@ -440,7 +440,7 @@ Index: nss/lib/freebl/nsslowhash.c
===================================================================
--- nss.orig/lib/freebl/nsslowhash.c
+++ nss/lib/freebl/nsslowhash.c
@@ -12,6 +12,7 @@
@@ -13,6 +13,7 @@
#include "plhash.h"
#include "nsslowhash.h"
#include "blapii.h"
@ -448,7 +448,7 @@ Index: nss/lib/freebl/nsslowhash.c
struct NSSLOWInitContextStr {
int count;
@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
{
NSSLOWHASHContext *context;
@ -487,7 +487,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();

31
nss-fips-cavs-dsa-fixes.patch
View File

@ -10,10 +10,11 @@ From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001
nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
1 file changed, 101 insertions(+), 11 deletions(-)
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -5576,7 +5576,7 @@
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -5575,7 +5575,7 @@ loser:
void
dsa_pqggen_test(char *reqfn)
{
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
* or to the output RESPONSE file.
* 800 to hold seed = (384 public key (x2 for HEX)
*/
@@ -5592,6 +5592,13 @@
@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
PQGVerify *vfy = NULL;
unsigned int keySizeIndex = 0;
dsa_pqg_type type = FIPS186_1;
@ -36,7 +37,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
dsareq = fopen(reqfn, "r");
dsaresp = stdout;
@@ -5612,8 +5619,8 @@
@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn)
output_g = 1;
exit(1);
} else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
@ -47,7 +48,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
} else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
type = A_1_2_1;
output_g = 0;
@@ -5627,14 +5634,17 @@
@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn)
/* [Mod = ... ] */
if (buf[0] == '[') {
@ -59,15 +60,14 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
goto loser;
}
- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
- goto loser;
+ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) {
+ goto loser;
goto loser;
+ } else {
+ hashtype = sha_get_hashType (hashbits);
}
fputs(buf, dsaresp);
@@ -5656,7 +5666,7 @@
@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn)
continue;
}
/* N = ... */
@ -76,7 +76,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
if (strncmp(buf, "Num", 3) == 0) {
if (sscanf(buf, "Num = %d", &count) != 1) {
goto loser;
@@ -5671,7 +5681,10 @@
@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn)
rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES,
&pqg, &vfy);
} else {
@ -88,7 +88,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
}
if (rv != SECSuccess) {
fprintf(dsaresp,
@@ -5682,6 +5695,10 @@
@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn)
fprintf(dsaresp, "P = %s\n", buf);
to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
fprintf(dsaresp, "Q = %s\n", buf);
@ -99,7 +99,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
if (output_g) {
to_hex_str(buf, pqg->base.data, pqg->base.len);
fprintf(dsaresp, "G = %s\n", buf);
@@ -5697,13 +5714,13 @@
@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn)
}
fprintf(dsaresp, "%s\n", buf);
} else {
@ -118,11 +118,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
fprintf(dsaresp, "qseed = %s\n", buf);
fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
@@ -5723,12 +5740,85 @@
@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn)
vfy = NULL;
}
}
-
+ continue;
+ }
+
@ -180,7 +179,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
+
+ to_hex_str(buf, pqg->base.data, pqg->base.len);
+ fprintf(dsaresp, "G = %s\n\n", buf);
+
+ PQG_DestroyParams(pqg);
+ pqg = NULL;
+ PQG_DestroyVerify(vfy);

4
nss-fips-cavs-general.patch
View File

@ -102,7 +102,7 @@ Index: nss/cmd/fipstest/fipstest.c
SECStatus
tdea_encrypt_buf(
int mode,
@@ -8930,41 +8994,6 @@ out:
@@ -8915,41 +8979,6 @@ out:
}
}
@ -144,7 +144,7 @@ Index: nss/cmd/fipstest/fipstest.c
void
kas_ffc_test(char *reqfn, int do_validity)
{
@@ -9387,12 +9416,34 @@ out:
@@ -9372,12 +9401,34 @@ out:
free_param_specs (pspecs);
}

22
nss-fips-cavs-kas-ecc.patch
View File

@ -11,10 +11,11 @@ From 4c27df62aa425745620f45710465b0264acacbb0 Mon Sep 17 00:00:00 2001
nss/cmd/fipstest/kas.sh | 22 +++
2 files changed, 326 insertions(+)
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -9092,6 +9092,301 @@
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -9077,6 +9077,301 @@ out:
}
}
@ -316,7 +317,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
int
main(int argc, char **argv)
{
@@ -9287,6 +9582,15 @@
@@ -9272,6 +9567,15 @@ main(int argc, char **argv)
} else {
kas_ffc_test(argv[3], PR_FALSE);
}
@ -332,10 +333,11 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
}
return 0;
}
diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
--- a/cmd/fipstest/kas.sh
+++ b/cmd/fipstest/kas.sh
@@ -27,6 +27,16 @@
Index: nss/cmd/fipstest/kas.sh
===================================================================
--- nss.orig/cmd/fipstest/kas.sh
+++ nss/cmd/fipstest/kas.sh
@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini
KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
"
@ -352,7 +354,7 @@ diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
if [ ${COMMAND} = "verify" ]; then
for request in $kas_requests; do
sh ./validate1.sh ${TESTDIR} $request
@@ -45,3 +55,15 @@
@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit
echo $request $response
fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response
done

19
nss-fips-cavs-kas-ffc.patch
View File

@ -12,10 +12,11 @@ From ac98082c3bc0c9f85213078b730980483062f25c Mon Sep 17 00:00:00 2001
2 files changed, 241 insertions(+)
create mode 100644 nss/cmd/fipstest/kas.sh
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -2258,6 +2258,29 @@
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne
return rv;
}
@ -45,7 +46,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
int
fips_hashLen(HASH_HashType type)
{
@@ -8907,6 +8930,168 @@
@@ -8892,6 +8915,168 @@ out:
}
}
@ -214,7 +215,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
int
main(int argc, char **argv)
{
@@ -9093,6 +9278,15 @@
@@ -9078,6 +9263,15 @@ main(int argc, char **argv)
/* AES Keywrap */
/***************/
keywrap(argv[2]);
@ -230,10 +231,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
}
return 0;
}
diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
new file mode 100644
Index: nss/cmd/fipstest/kas.sh
===================================================================
--- /dev/null
+++ b/cmd/fipstest/kas.sh
+++ nss/cmd/fipstest/kas.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+#

18
nss-fips-cavs-keywrap.patch
View File

@ -12,10 +12,11 @@ From f4cbaf95fcf2519029bb3c4407b2f15aa27c94c1 Mon Sep 17 00:00:00 2001
2 files changed, 200 insertions(+)
create mode 100644 nss/cmd/fipstest/keywrap.sh
diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c Sun Mar 15 21:54:30 2020 +0100
+++ b/cmd/fipstest/fipstest.c Wed Nov 20 08:13:43 2019 +0100
@@ -8752,6 +8752,161 @@
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -8737,6 +8737,161 @@ done:
return;
}
@ -177,7 +178,7 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
int
main(int argc, char **argv)
{
@@ -8933,6 +9088,11 @@
@@ -8918,6 +9073,11 @@ main(int argc, char **argv)
ikev2(argv[2]);
} else if (strcmp(argv[1], "kbkdf") == 0) {
kbkdf(argv[2]);
@ -189,9 +190,10 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
}
return 0;
}
diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/keywrap.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/cmd/fipstest/keywrap.sh Wed Nov 20 08:13:43 2019 +0100
Index: nss/cmd/fipstest/keywrap.sh
===================================================================
--- /dev/null
+++ nss/cmd/fipstest/keywrap.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#

11
nss-fips-cavs-rsa-fixes.patch
View File

@ -10,10 +10,11 @@ From 9b4636ad75add2ac09ce1844b3071785d563c275 Mon Sep 17 00:00:00 2001
nss/cmd/fipstest/fipstest.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -6536,7 +6536,7 @@
Index: nss/cmd/fipstest/fipstest.c
===================================================================
--- nss.orig/cmd/fipstest/fipstest.c
+++ nss/cmd/fipstest/fipstest.c
@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn)
/* Output the signature */
fputs(buf, rsaresp);
to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
/* Perform RSA verification with the RSA public key. */
rv = RSA_HashCheckSign(shaOid,
@@ -9536,6 +9536,7 @@
@@ -9521,6 +9521,7 @@ main(int argc, char **argv)
init_functions();
RNG_RNGInit();
SECOID_Init();

20
nss-fips-combined-hash-sign-dsa-ecdsa.patch
View File

@ -42,7 +42,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
===================================================================
--- nss.orig/lib/pk11wrap/pk11mech.c
+++ nss/lib/pk11wrap/pk11mech.c
@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
return CKK_RSA;
case CKM_DSA:
case CKM_DSA_SHA1:
@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
case CKM_DSA_KEY_PAIR_GEN:
return CKK_DSA;
case CKM_DH_PKCS_DERIVE:
@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
return CKK_KEA;
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
static SECStatus
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c
{
SECItem signature, digest;
SECStatus rv;
@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
return rv;
}
@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
static SECStatus
nsc_ECDSASignStub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c
{
SECItem signature, digest;
SECStatus rv;
@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
return rv;
}
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
info->hashOid = SEC_OID_##mmm; \
goto finish_rsa;
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (pMechanism->mechanism) {
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
@@ -4825,6 +4873,73 @@ loser:
@@ -4829,6 +4877,73 @@ loser:
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* Variables used for Signature/Verification functions. */
/* Must be at least 256 bits for DSA2 digest */
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
CK_ULONG signature_length;
if (keyType == CKK_RSA) {
@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}

154
nss-fips-constructor-self-tests.patch
View File

@ -21,8 +21,8 @@ Index: nss/cmd/shlibsign/shlibsign.c
===================================================================
--- nss.orig/cmd/shlibsign/shlibsign.c
+++ nss/cmd/shlibsign/shlibsign.c
@@ -946,10 +946,12 @@ main(int argc, char **argv)
goto cleanup;
@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
return crv;
}
- if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) {
@ -839,7 +839,7 @@ Index: nss/lib/freebl/manifest.mn
$(NULL)
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
@@ -186,6 +187,7 @@ ALL_HDRS = \
@@ -187,6 +188,7 @@ ALL_HDRS = \
shsign.h \
vis_proto.h \
seed.h \
@ -851,7 +851,7 @@ Index: nss/lib/freebl/shvfy.c
===================================================================
--- nss.orig/lib/freebl/shvfy.c
+++ nss/lib/freebl/shvfy.c
@@ -22,6 +22,8 @@
@@ -23,6 +23,8 @@
#ifndef NSS_FIPS_DISABLED
@ -860,7 +860,7 @@ Index: nss/lib/freebl/shvfy.c
/*
* Most modern version of Linux support a speed optimization scheme where an
* application called prelink modifies programs and shared libraries to quickly
@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
}
#endif
@ -869,7 +869,7 @@ Index: nss/lib/freebl/shvfy.c
static char *
mkCheckFileName(const char *libName)
{
@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item)
@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
return SECSuccess;
}
@ -893,7 +893,7 @@ Index: nss/lib/freebl/shvfy.c
loser:
if (shName != NULL) {
@@ -310,19 +310,19 @@ loser:
@@ -311,15 +311,15 @@ loser:
}
PRBool
@ -912,96 +912,84 @@ Index: nss/lib/freebl/shvfy.c
+ return blapi_SHVerifyFile(shName, PR_FALSE, err);
}
static PRBool
-blapi_SHVerifyFile(const char *shName, PRBool self)
+blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
{
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P
#endif
#ifndef NSS_STRICT_INTEGRITY
@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
}
PRBool result = PR_FALSE; /* if anything goes wrong,
- * the signature does not verify */
+ * the signature does not verify */
unsigned char buf[4096];
unsigned char hashBuf[HASH_LENGTH_MAX];
@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P
/* open the check File */
checkFD = PR_Open(checkName, PR_RDONLY, 0);
if (checkFD == NULL) {
+ if (err) {
+ *err = PORT_GetError();
+ }
static PRBool
- blapi_SHVerifyFile(const char *shName, PRBool self)
+ blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
{
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
/* open the check File */
checkFD = PR_Open(checkName, PR_RDONLY, 0);
if (checkFD == NULL) {
+ if (err) {
+ *err = PORT_GetError();
+ }
#ifdef DEBUG_SHVERIFY
- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
- checkName, (int)PR_GetError(), (int)PR_GetOSError());
+ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
+ checkName, (int)PORT_GetError());
- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
- checkName, (int)PR_GetError(), (int)PR_GetOSError());
+ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
+ checkName, (int)PR_GetError());
#endif /* DEBUG_SHVERIFY */
goto loser;
}
goto loser;
}
- /* read and Verify the headerthe header */
+ /* read and Verify the header */
bytesRead = PR_Read(checkFD, buf, 12);
if (bytesRead != 12) {
goto loser;
@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P
if (rv != SECSuccess) {
goto loser;
}
- /* read the siganture */
+
+ /* read the signature */
rv = readItem(checkFD, &signature);
if (rv != SECSuccess) {
goto loser;
@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P
goto loser;
}
- /* read and Verify the headerthe header */
+ /* read and Verify the header */
bytesRead = PR_Read(checkFD, &header, sizeof(header));
if (bytesRead != sizeof(header)) {
goto loser;
@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
goto loser;
}
-/* open our library file */
+ /* open our library file */
#ifdef FREEBL_USE_PRELINK
shFD = bl_OpenUnPrelink(shName, &pid);
shFD = bl_OpenUnPrelink(shName, &pid);
#else
@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P
@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
#endif
if (shFD == NULL) {
if (shFD == NULL) {
#ifdef DEBUG_SHVERIFY
- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
- shName, (int)PR_GetError(), (int)PR_GetOSError());
+ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
+ shName, (int)PORT_GetError());
- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
- shName, (int)PR_GetError(), (int)PR_GetOSError());
+ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
+ shName, (int)PR_GetError());
#endif /* DEBUG_SHVERIFY */
goto loser;
goto loser;
}
@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
}
- /* hash our library file with SHA1 */
+ /* hash our library file */
hashcx = hashObj->create();
if (hashcx == NULL) {
goto loser;
@@ -531,7 +535,7 @@ loser:
}
PRBool
- BLAPI_VerifySelf(const char *name)
+ BLAPI_VerifySelf(const char *name, int *err)
{
if (name == NULL) {
/*
@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
*/
return PR_TRUE;
}
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
}
#else /* NSS_FIPS_DISABLED */
@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP
return PR_FALSE;
}
PRBool
-BLAPI_VerifySelf(const char *name)
+BLAPI_VerifySelf(const char *name, int *err)
{
if (name == NULL) {
/*
@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name)
*/
return PR_TRUE;
}
- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
return PR_FALSE;
}
#else /* NSS_FIPS_DISABLED */
Index: nss/lib/softoken/fips.c
===================================================================
--- /dev/null
@ -1066,7 +1054,7 @@ Index: nss/lib/softoken/fipstest.c
===================================================================
--- nss.orig/lib/softoken/fipstest.c
+++ nss/lib/softoken/fipstest.c
@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
return (SECSuccess);
}
@ -1394,7 +1382,7 @@ Index: nss/lib/softoken/fipstest.c
static PRBool sftk_self_tests_ran = PR_FALSE;
static PRBool sftk_self_tests_success = PR_FALSE;
@@ -693,7 +1014,6 @@ static void
@@ -694,7 +1015,6 @@ static void
sftk_startup_tests(void)
{
SECStatus rv;
@ -1402,7 +1390,7 @@ Index: nss/lib/softoken/fipstest.c
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
@@ -705,6 +1025,7 @@ sftk_startup_tests(void)
@@ -706,6 +1026,7 @@ sftk_startup_tests(void)
if (rv != SECSuccess) {
return;
}
@ -1410,7 +1398,7 @@ Index: nss/lib/softoken/fipstest.c
/* make sure freebl is initialized, or our RSA check
* may fail. This is normally done at freebl load time, but it's
* possible we may have shut freebl down without unloading it. */
@@ -722,12 +1043,21 @@ sftk_startup_tests(void)
@@ -723,12 +1044,21 @@ sftk_startup_tests(void)
if (rv != SECSuccess) {
return;
}
@ -1436,7 +1424,7 @@ Index: nss/lib/softoken/fipstest.c
rv = sftk_fips_IKE_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
@@ -759,17 +1089,11 @@ sftk_startup_tests(void)
@@ -760,17 +1090,11 @@ sftk_startup_tests(void)
CK_RV
sftk_FIPSEntryOK()
{
@ -1500,7 +1488,7 @@ Index: nss/lib/softoken/legacydb/lgfips.c
===================================================================
--- nss.orig/lib/softoken/legacydb/lgfips.c
+++ nss/lib/softoken/legacydb/lgfips.c
@@ -90,7 +90,7 @@ lg_startup_tests(void)
@@ -91,7 +91,7 @@ lg_startup_tests(void)
/* no self tests required for the legacy db, only the integrity check */
/* check the integrity of our shared library */

30
nss-fips-detect-fips-mode-fixes.patch
View File

@ -8,10 +8,11 @@ commit facacdb9078693d7a4219e84f73ea7b8f977ddc2
Author: Hans Petter Jansson <hpj@cl.no>
Patch 32: nss-fips-detect-fips-mode-fixes.patch
diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
--- a/lib/freebl/nsslowhash.c
+++ b/lib/freebl/nsslowhash.c
@@ -2,10 +2,15 @@
Index: nss/lib/freebl/nsslowhash.c
===================================================================
--- nss.orig/lib/freebl/nsslowhash.c
+++ nss/lib/freebl/nsslowhash.c
@@ -2,6 +2,9 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@ -21,13 +22,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
+
#include "prtypes.h"
+#include "prenv.h"
#include "secerr.h"
#include "blapi.h"
#include "hasht.h"
@@ -24,6 +29,23 @@
@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr {
};
#ifndef NSS_FIPS_DISABLED
@ -51,7 +46,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
static int
nsslow_GetFIPSEnabled(void)
{
@@ -45,6 +67,7 @@
@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void)
#endif /* LINUX */
return 1;
}
@ -59,7 +54,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
#endif /* NSS_FIPS_DISABLED */
static NSSLOWInitContext dummyContext = { 0 };
@@ -60,7 +83,7 @@
@@ -67,7 +88,7 @@ NSSLOW_Init(void)
#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
@ -68,10 +63,11 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
post_failed = PR_TRUE;
diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
--- a/lib/sysinit/nsssysinit.c
+++ b/lib/sysinit/nsssysinit.c
@@ -178,16 +178,16 @@
Index: nss/lib/sysinit/nsssysinit.c
===================================================================
--- nss.orig/lib/sysinit/nsssysinit.c
+++ nss/lib/sysinit/nsssysinit.c
@@ -178,16 +178,16 @@ getFIPSMode(void)
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (!f) {
/* if we don't have a proc flag, fall back to the

2
nss-fips-dsa-kat.patch
View File

@ -28,7 +28,7 @@ Index: nss/lib/freebl/fipsfreebl.c
===================================================================
--- nss.orig/lib/freebl/fipsfreebl.c
+++ nss/lib/freebl/fipsfreebl.c
@@ -126,11 +126,11 @@ BOOL WINAPI DllMain(
@@ -127,11 +127,11 @@ DllMain(
/* FIPS preprocessor directives for DSA. */
#define FIPS_DSA_TYPE siBuffer

8
nss-fips-gcm-ctr.patch
View File

@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
@@ -532,8 +532,14 @@ struct GCMContextStr {
@@ -535,8 +535,14 @@ struct GCMContextStr {
unsigned char tagKey[MAX_BLOCK_SIZE];
PRBool ctr_context_init;
gcmIVContext gcm_iv;
@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
unsigned int ivLen, unsigned int tagBits,
const unsigned char *aad, unsigned int aadLen);
@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u
@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c
/* finally mix in the AAD data */
rv = gcmHash_Reset(ghash, aad, aadLen);
if (rv != SECSuccess) {
@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
return SECFailure;
}
@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
if (UINT_MAX - inlen < tagBytes) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
*outlen = 0;
return SECFailure;
};

4
nss-fips-pairwise-consistency-check.patch
View File

@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4822,8 +4822,8 @@ loser:
@@ -4826,8 +4826,8 @@ loser:
return crv;
}
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
}

26
nss-fips-stricter-dh.patch
View File

@ -4,15 +4,11 @@ Date: Fri Sep 4 13:41:34 2020 +0200
Patch 38: nss-fips-stricter-dh.patch
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
cleanup:
mp_clear(&p);
return err ? PR_FALSE : PR_TRUE;
}
Index: nss/lib/freebl/dh.c
===================================================================
--- nss.orig/lib/freebl/dh.c
+++ nss/lib/freebl/dh.c
@@ -449,7 +449,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{
@ -21,10 +17,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
mp_err err;
int cmp = 1; /* default is false */
if (!Y || !prime || !subPrime) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
MP_DIGITS(&p) = 0;
@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
MP_DIGITS(&q) = 0;
MP_DIGITS(&y) = 0;
MP_DIGITS(&r) = 0;
@ -49,9 +42,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
/* compute r = y**q mod p */
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
/* compare to 1 */
cmp = mp_cmp_d(&r, 1);
cleanup:
mp_clear(&p);
@@ -476,6 +487,7 @@ cleanup:
mp_clear(&q);
mp_clear(&y);
mp_clear(&r);
@ -59,6 +50,3 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
if (err) {
MP_TO_SEC_ERROR(err);
return PR_FALSE;
}
return (cmp == 0) ? PR_TRUE : PR_FALSE;
}

4
nss-fips-tests-enable-fips.patch
View File

@ -2,7 +2,7 @@ Index: nss/tests/cert/cert.sh
===================================================================
--- nss.orig/tests/cert/cert.sh
+++ nss/tests/cert/cert.sh
@@ -1353,6 +1353,11 @@ cert_stresscerts()
@@ -1350,6 +1350,11 @@ cert_stresscerts()
##############################################################################
cert_fips()
{
@ -14,7 +14,7 @@ Index: nss/tests/cert/cert.sh
CERTFAILED=0
echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
@@ -1393,6 +1398,8 @@ MODSCRIPT
@@ -1390,6 +1395,8 @@ MODSCRIPT
cert_log "SUCCESS: FIPS passed"
fi

4
nss-fips-tls-allow-md5-prf.patch
View File

@ -250,7 +250,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
SFTKAttribute *att2 = NULL;
unsigned char *buf;
SHA1Context *sha;
@ -259,7 +259,7 @@ Index: nss/lib/softoken/pkcs11c.c
MD2Context *md2;
CK_ULONG macSize;
CK_ULONG tmpKeySize;
@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
sftk_FreeAttribute(att2);
md5 = MD5_NewContext();

6
nss-fips-use-getrandom.patch
View File

@ -12,7 +12,7 @@ Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro
@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro
LDFLAGS += -Wl,-z,relro
endif
@ -90,7 +90,7 @@ Index: nss/lib/freebl/unix_rand.c
size_t RNG_FileUpdate(const char *fileName, size_t limit);
/*
@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file)
@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file)
size_t
RNG_SystemRNG(void *dest, size_t maxLen)
{
@ -117,7 +117,7 @@ Index: nss/lib/freebl/unix_rand.c
FILE *file;
int fd;
int bytes;
@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
fileBytes = 0;
}
return fileBytes;

13
nss-fips-use-strong-random-pool.patch
View File

@ -10,9 +10,10 @@ From a7cbf64ba8ac07a4a1fdea91f39da56d86af03bf Mon Sep 17 00:00:00 2001
nss/lib/freebl/unix_rand.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
--- a/lib/freebl/unix_rand.c
+++ b/lib/freebl/unix_rand.c
Index: nss/lib/freebl/unix_rand.c
===================================================================
--- nss.orig/lib/freebl/unix_rand.c
+++ nss/lib/freebl/unix_rand.c
@@ -24,6 +24,7 @@
#include "prthread.h"
#include "prprf.h"
@ -21,7 +22,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
#ifdef NSS_USE_GETRANDOM
# ifndef __NR_getrandom
@@ -779,7 +780,7 @@
@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void)
}
/* grab some data from system's PRNG before any other files. */
@ -30,7 +31,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
if (!bytes) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
}
@@ -909,7 +910,8 @@
@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen)
int ret;
do {
@ -40,7 +41,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
if (0 < ret)
inBytes += ret;
@@ -929,7 +931,7 @@
@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
size_t fileBytes = 0;
unsigned char *buffer = dest;

8
nss-fips-zeroization.patch
View File

@ -92,7 +92,7 @@ Index: nss/lib/freebl/dh.c
===================================================================
--- nss.orig/lib/freebl/dh.c
+++ nss/lib/freebl/dh.c
@@ -193,6 +193,10 @@ cleanup:
@@ -192,6 +192,10 @@ cleanup:
rv = SECFailure;
}
if (rv) {
@ -107,7 +107,7 @@ Index: nss/lib/freebl/ec.c
===================================================================
--- nss.orig/lib/freebl/ec.c
+++ nss/lib/freebl/ec.c
@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
ECParams *ecParams = NULL;
SECItem pointC = { siBuffer, NULL, 0 };
int slen; /* length in bytes of a half signature (r or s) */
@ -175,7 +175,7 @@ Index: nss/lib/freebl/gcm.c
return SECSuccess;
}
#endif /* HAVE_INT128_SUPPORT */
@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
/* verify the block */
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
if (rv != SECSuccess) {
@ -191,7 +191,7 @@ Index: nss/lib/freebl/gcm.c
}
/* Don't decrypt if we can't authenticate the encrypted data!
* This assumes that if tagBits is not a multiple of 8, intag will
@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
PORT_SetError(SEC_ERROR_BAD_DATA);

2
nss-opt.patch
View File

@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
@@ -113,11 +113,7 @@ LIBC_TAG = _glibc
@@ -114,11 +114,7 @@ LIBC_TAG = _glibc
endif
ifdef BUILD_OPT