diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch index e42e547..1455430 100644 --- a/add-relro-linker-option.patch +++ b/add-relro-linker-option.patch @@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk =================================================================== --- nss.orig/coreconf/Linux.mk +++ nss/coreconf/Linux.mk -@@ -183,6 +183,12 @@ endif +@@ -184,6 +184,12 @@ endif endif endif diff --git a/malloc.patch b/malloc.patch index e1097e0..601a52b 100644 --- a/malloc.patch +++ b/malloc.patch @@ -2,7 +2,7 @@ Index: nss/tests/ssl/ssl.sh =================================================================== --- nss.orig/tests/ssl/ssl.sh +++ nss/tests/ssl/ssl.sh -@@ -1683,6 +1683,7 @@ ssl_run_tests() +@@ -1696,6 +1696,7 @@ ssl_run_tests() ################################# main ################################# diff --git a/nss-fips-180-3-csp-clearing.patch b/nss-fips-180-3-csp-clearing.patch index c0a2ee5..f4be260 100644 --- a/nss-fips-180-3-csp-clearing.patch +++ b/nss-fips-180-3-csp-clearing.patch @@ -29,7 +29,7 @@ Index: nss/lib/softoken/sftkpwd.c =================================================================== --- nss.orig/lib/softoken/sftkpwd.c +++ nss/lib/softoken/sftkpwd.c -@@ -1439,7 +1439,7 @@ loser: +@@ -1459,7 +1459,7 @@ loser: PORT_ZFree(newKey.data, newKey.len); } if (result) { diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch index e239737..8686578 100644 --- a/nss-fips-approved-crypto-non-ec.patch +++ b/nss-fips-approved-crypto-non-ec.patch @@ -440,7 +440,7 @@ Index: nss/lib/freebl/nsslowhash.c =================================================================== --- nss.orig/lib/freebl/nsslowhash.c +++ nss/lib/freebl/nsslowhash.c -@@ -12,6 +12,7 @@ +@@ -13,6 +13,7 @@ #include "plhash.h" #include "nsslowhash.h" #include "blapii.h" @@ -448,7 +448,7 @@ Index: nss/lib/freebl/nsslowhash.c struct NSSLOWInitContextStr { int count; -@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext +@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext { NSSLOWHASHContext *context; @@ -487,7 +487,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); diff --git a/nss-fips-cavs-dsa-fixes.patch b/nss-fips-cavs-dsa-fixes.patch index 1a922ba..655b3dc 100644 --- a/nss-fips-cavs-dsa-fixes.patch +++ b/nss-fips-cavs-dsa-fixes.patch @@ -10,10 +10,11 @@ From ef2620b770082c77dbbbccae2e773157897b005d Mon Sep 17 00:00:00 2001 nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++---- 1 file changed, 101 insertions(+), 11 deletions(-) -diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c ---- a/cmd/fipstest/fipstest.c -+++ b/cmd/fipstest/fipstest.c -@@ -5576,7 +5576,7 @@ +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -5575,7 +5575,7 @@ loser: void dsa_pqggen_test(char *reqfn) { @@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c * or to the output RESPONSE file. * 800 to hold seed = (384 public key (x2 for HEX) */ -@@ -5592,6 +5592,13 @@ +@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn) PQGVerify *vfy = NULL; unsigned int keySizeIndex = 0; dsa_pqg_type type = FIPS186_1; @@ -36,7 +37,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c dsareq = fopen(reqfn, "r"); dsaresp = stdout; -@@ -5612,8 +5619,8 @@ +@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn) output_g = 1; exit(1); } else if (strncmp(&buf[1], "A.2.3", 5) == 0) { @@ -47,7 +48,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c } else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) { type = A_1_2_1; output_g = 0; -@@ -5627,14 +5634,17 @@ +@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn) /* [Mod = ... ] */ if (buf[0] == '[') { @@ -59,15 +60,14 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c goto loser; } - } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) { -- goto loser; + } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N, &hashbits) != 3) { -+ goto loser; + goto loser; + } else { + hashtype = sha_get_hashType (hashbits); } fputs(buf, dsaresp); -@@ -5656,7 +5666,7 @@ +@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn) continue; } /* N = ... */ @@ -76,7 +76,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c if (strncmp(buf, "Num", 3) == 0) { if (sscanf(buf, "Num = %d", &count) != 1) { goto loser; -@@ -5671,7 +5681,10 @@ +@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn) rv = PQG_ParamGenSeedLen(keySizeIndex, PQG_TEST_SEED_BYTES, &pqg, &vfy); } else { @@ -88,7 +88,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c } if (rv != SECSuccess) { fprintf(dsaresp, -@@ -5682,6 +5695,10 @@ +@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn) fprintf(dsaresp, "P = %s\n", buf); to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len); fprintf(dsaresp, "Q = %s\n", buf); @@ -99,7 +99,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c if (output_g) { to_hex_str(buf, pqg->base.data, pqg->base.len); fprintf(dsaresp, "G = %s\n", buf); -@@ -5697,13 +5714,13 @@ +@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn) } fprintf(dsaresp, "%s\n", buf); } else { @@ -118,11 +118,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c fprintf(dsaresp, "qseed = %s\n", buf); fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter); fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter); -@@ -5723,12 +5740,85 @@ +@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn) vfy = NULL; } } -- + continue; + } + @@ -180,7 +179,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c + + to_hex_str(buf, pqg->base.data, pqg->base.len); + fprintf(dsaresp, "G = %s\n\n", buf); -+ + + PQG_DestroyParams(pqg); + pqg = NULL; + PQG_DestroyVerify(vfy); diff --git a/nss-fips-cavs-general.patch b/nss-fips-cavs-general.patch index 717a797..e5cb75c 100644 --- a/nss-fips-cavs-general.patch +++ b/nss-fips-cavs-general.patch @@ -102,7 +102,7 @@ Index: nss/cmd/fipstest/fipstest.c SECStatus tdea_encrypt_buf( int mode, -@@ -8930,41 +8994,6 @@ out: +@@ -8915,41 +8979,6 @@ out: } } @@ -144,7 +144,7 @@ Index: nss/cmd/fipstest/fipstest.c void kas_ffc_test(char *reqfn, int do_validity) { -@@ -9387,12 +9416,34 @@ out: +@@ -9372,12 +9401,34 @@ out: free_param_specs (pspecs); } diff --git a/nss-fips-cavs-kas-ecc.patch b/nss-fips-cavs-kas-ecc.patch index d0662ee..c52f0de 100644 --- a/nss-fips-cavs-kas-ecc.patch +++ b/nss-fips-cavs-kas-ecc.patch @@ -11,10 +11,11 @@ From 4c27df62aa425745620f45710465b0264acacbb0 Mon Sep 17 00:00:00 2001 nss/cmd/fipstest/kas.sh | 22 +++ 2 files changed, 326 insertions(+) -diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c ---- a/cmd/fipstest/fipstest.c -+++ b/cmd/fipstest/fipstest.c -@@ -9092,6 +9092,301 @@ +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -9077,6 +9077,301 @@ out: } } @@ -316,7 +317,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c int main(int argc, char **argv) { -@@ -9287,6 +9582,15 @@ +@@ -9272,6 +9567,15 @@ main(int argc, char **argv) } else { kas_ffc_test(argv[3], PR_FALSE); } @@ -332,10 +333,11 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c } return 0; } -diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh ---- a/cmd/fipstest/kas.sh -+++ b/cmd/fipstest/kas.sh -@@ -27,6 +27,16 @@ +Index: nss/cmd/fipstest/kas.sh +=================================================================== +--- nss.orig/cmd/fipstest/kas.sh ++++ nss/cmd/fipstest/kas.sh +@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req " @@ -352,7 +354,7 @@ diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh if [ ${COMMAND} = "verify" ]; then for request in $kas_requests; do sh ./validate1.sh ${TESTDIR} $request -@@ -45,3 +55,15 @@ +@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit echo $request $response fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response done diff --git a/nss-fips-cavs-kas-ffc.patch b/nss-fips-cavs-kas-ffc.patch index da305be..82deb05 100644 --- a/nss-fips-cavs-kas-ffc.patch +++ b/nss-fips-cavs-kas-ffc.patch @@ -12,10 +12,11 @@ From ac98082c3bc0c9f85213078b730980483062f25c Mon Sep 17 00:00:00 2001 2 files changed, 241 insertions(+) create mode 100644 nss/cmd/fipstest/kas.sh -diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c ---- a/cmd/fipstest/fipstest.c -+++ b/cmd/fipstest/fipstest.c -@@ -2258,6 +2258,29 @@ +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne return rv; } @@ -45,7 +46,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c int fips_hashLen(HASH_HashType type) { -@@ -8907,6 +8930,168 @@ +@@ -8892,6 +8915,168 @@ out: } } @@ -214,7 +215,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c int main(int argc, char **argv) { -@@ -9093,6 +9278,15 @@ +@@ -9078,6 +9263,15 @@ main(int argc, char **argv) /* AES Keywrap */ /***************/ keywrap(argv[2]); @@ -230,10 +231,10 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c } return 0; } -diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh -new file mode 100644 +Index: nss/cmd/fipstest/kas.sh +=================================================================== --- /dev/null -+++ b/cmd/fipstest/kas.sh ++++ nss/cmd/fipstest/kas.sh @@ -0,0 +1,47 @@ +#!/bin/sh +# diff --git a/nss-fips-cavs-keywrap.patch b/nss-fips-cavs-keywrap.patch index 47b709a..c02dc76 100644 --- a/nss-fips-cavs-keywrap.patch +++ b/nss-fips-cavs-keywrap.patch @@ -12,10 +12,11 @@ From f4cbaf95fcf2519029bb3c4407b2f15aa27c94c1 Mon Sep 17 00:00:00 2001 2 files changed, 200 insertions(+) create mode 100644 nss/cmd/fipstest/keywrap.sh -diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c ---- a/cmd/fipstest/fipstest.c Sun Mar 15 21:54:30 2020 +0100 -+++ b/cmd/fipstest/fipstest.c Wed Nov 20 08:13:43 2019 +0100 -@@ -8752,6 +8752,161 @@ +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -8737,6 +8737,161 @@ done: return; } @@ -177,7 +178,7 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c int main(int argc, char **argv) { -@@ -8933,6 +9088,11 @@ +@@ -8918,6 +9073,11 @@ main(int argc, char **argv) ikev2(argv[2]); } else if (strcmp(argv[1], "kbkdf") == 0) { kbkdf(argv[2]); @@ -189,9 +190,10 @@ diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c } return 0; } -diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/keywrap.sh ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/cmd/fipstest/keywrap.sh Wed Nov 20 08:13:43 2019 +0100 +Index: nss/cmd/fipstest/keywrap.sh +=================================================================== +--- /dev/null ++++ nss/cmd/fipstest/keywrap.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# diff --git a/nss-fips-cavs-rsa-fixes.patch b/nss-fips-cavs-rsa-fixes.patch index 77c85b0..3369208 100644 --- a/nss-fips-cavs-rsa-fixes.patch +++ b/nss-fips-cavs-rsa-fixes.patch @@ -10,10 +10,11 @@ From 9b4636ad75add2ac09ce1844b3071785d563c275 Mon Sep 17 00:00:00 2001 nss/cmd/fipstest/fipstest.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c ---- a/cmd/fipstest/fipstest.c -+++ b/cmd/fipstest/fipstest.c -@@ -6536,7 +6536,7 @@ +Index: nss/cmd/fipstest/fipstest.c +=================================================================== +--- nss.orig/cmd/fipstest/fipstest.c ++++ nss/cmd/fipstest/fipstest.c +@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn) /* Output the signature */ fputs(buf, rsaresp); to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed); @@ -22,7 +23,7 @@ diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c /* Perform RSA verification with the RSA public key. */ rv = RSA_HashCheckSign(shaOid, -@@ -9536,6 +9536,7 @@ +@@ -9521,6 +9521,7 @@ main(int argc, char **argv) init_functions(); RNG_RNGInit(); SECOID_Init(); diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch index 0af95c6..1bfaef6 100644 --- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -42,7 +42,7 @@ Index: nss/lib/pk11wrap/pk11mech.c =================================================================== --- nss.orig/lib/pk11wrap/pk11mech.c +++ nss/lib/pk11wrap/pk11mech.c -@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_RSA; case CKM_DSA: case CKM_DSA_SHA1: @@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c case CKM_DSA_KEY_PAIR_GEN: return CKK_DSA; case CKM_DH_PKCS_DERIVE: -@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_KEA; case CKM_ECDSA: case CKM_ECDSA_SHA1: @@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4825,6 +4873,73 @@ loser: +@@ -4829,6 +4877,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index 4afca23..5be667b 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch @@ -21,8 +21,8 @@ Index: nss/cmd/shlibsign/shlibsign.c =================================================================== --- nss.orig/cmd/shlibsign/shlibsign.c +++ nss/cmd/shlibsign/shlibsign.c -@@ -946,10 +946,12 @@ main(int argc, char **argv) - goto cleanup; +@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct + return crv; } - if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) { @@ -839,7 +839,7 @@ Index: nss/lib/freebl/manifest.mn $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h -@@ -186,6 +187,7 @@ ALL_HDRS = \ +@@ -187,6 +188,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ @@ -851,7 +851,7 @@ Index: nss/lib/freebl/shvfy.c =================================================================== --- nss.orig/lib/freebl/shvfy.c +++ nss/lib/freebl/shvfy.c -@@ -22,6 +22,8 @@ +@@ -23,6 +23,8 @@ #ifndef NSS_FIPS_DISABLED @@ -860,7 +860,7 @@ Index: nss/lib/freebl/shvfy.c /* * Most modern version of Linux support a speed optimization scheme where an * application called prelink modifies programs and shared libraries to quickly -@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int +@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int } #endif @@ -869,7 +869,7 @@ Index: nss/lib/freebl/shvfy.c static char * mkCheckFileName(const char *libName) { -@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item) +@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item) return SECSuccess; } @@ -893,7 +893,7 @@ Index: nss/lib/freebl/shvfy.c loser: if (shName != NULL) { -@@ -310,19 +310,19 @@ loser: +@@ -311,15 +311,15 @@ loser: } PRBool @@ -912,96 +912,84 @@ Index: nss/lib/freebl/shvfy.c + return blapi_SHVerifyFile(shName, PR_FALSE, err); } - static PRBool --blapi_SHVerifyFile(const char *shName, PRBool self) -+blapi_SHVerifyFile(const char *shName, PRBool self, int *err) - { - char *checkName = NULL; - PRFileDesc *checkFD = NULL; -@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P - #endif + #ifndef NSS_STRICT_INTEGRITY +@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + } - PRBool result = PR_FALSE; /* if anything goes wrong, -- * the signature does not verify */ -+ * the signature does not verify */ - unsigned char buf[4096]; - unsigned char hashBuf[HASH_LENGTH_MAX]; - -@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P - /* open the check File */ - checkFD = PR_Open(checkName, PR_RDONLY, 0); - if (checkFD == NULL) { -+ if (err) { -+ *err = PORT_GetError(); -+ } + static PRBool +- blapi_SHVerifyFile(const char *shName, PRBool self) ++ blapi_SHVerifyFile(const char *shName, PRBool self, int *err) + { + char *checkName = NULL; + PRFileDesc *checkFD = NULL; +@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + /* open the check File */ + checkFD = PR_Open(checkName, PR_RDONLY, 0); + if (checkFD == NULL) { ++ if (err) { ++ *err = PORT_GetError(); ++ } #ifdef DEBUG_SHVERIFY -- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", -- checkName, (int)PR_GetError(), (int)PR_GetOSError()); -+ fprintf(stderr, "Failed to open the check file %s: (%d)\n", -+ checkName, (int)PORT_GetError()); +- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n", +- checkName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the check file %s: (%d)\n", ++ checkName, (int)PR_GetError()); #endif /* DEBUG_SHVERIFY */ - goto loser; - } + goto loser; + } -- /* read and Verify the headerthe header */ -+ /* read and Verify the header */ - bytesRead = PR_Read(checkFD, buf, 12); - if (bytesRead != 12) { - goto loser; -@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P - if (rv != SECSuccess) { - goto loser; - } -- /* read the siganture */ -+ -+ /* read the signature */ - rv = readItem(checkFD, &signature); - if (rv != SECSuccess) { - goto loser; -@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P - goto loser; - } +- /* read and Verify the headerthe header */ ++ /* read and Verify the header */ + bytesRead = PR_Read(checkFD, &header, sizeof(header)); + if (bytesRead != sizeof(header)) { + goto loser; +@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + goto loser; + } -/* open our library file */ + /* open our library file */ #ifdef FREEBL_USE_PRELINK - shFD = bl_OpenUnPrelink(shName, &pid); + shFD = bl_OpenUnPrelink(shName, &pid); #else -@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P +@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD #endif - if (shFD == NULL) { + if (shFD == NULL) { #ifdef DEBUG_SHVERIFY -- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", -- shName, (int)PR_GetError(), (int)PR_GetOSError()); -+ fprintf(stderr, "Failed to open the library file %s: (%d)\n", -+ shName, (int)PORT_GetError()); +- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n", +- shName, (int)PR_GetError(), (int)PR_GetOSError()); ++ fprintf(stderr, "Failed to open the library file %s: (%d)\n", ++ shName, (int)PR_GetError()); #endif /* DEBUG_SHVERIFY */ - goto loser; + goto loser; + } +@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD } -- /* hash our library file with SHA1 */ -+ /* hash our library file */ - hashcx = hashObj->create(); - if (hashcx == NULL) { - goto loser; -@@ -531,7 +535,7 @@ loser: - } + PRBool +- BLAPI_VerifySelf(const char *name) ++ BLAPI_VerifySelf(const char *name, int *err) + { + if (name == NULL) { + /* +@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD + */ + return PR_TRUE; + } +- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE); ++ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err); + } + #else /* NSS_FIPS_DISABLED */ +@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP + return PR_FALSE; + } PRBool -BLAPI_VerifySelf(const char *name) +BLAPI_VerifySelf(const char *name, int *err) { - if (name == NULL) { - /* -@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name) - */ - return PR_TRUE; - } -- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE); -+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err); + return PR_FALSE; } - - #else /* NSS_FIPS_DISABLED */ Index: nss/lib/softoken/fips.c =================================================================== --- /dev/null @@ -1066,7 +1054,7 @@ Index: nss/lib/softoken/fipstest.c =================================================================== --- nss.orig/lib/softoken/fipstest.c +++ nss/lib/softoken/fipstest.c -@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void) +@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void) return (SECSuccess); } @@ -1394,7 +1382,7 @@ Index: nss/lib/softoken/fipstest.c static PRBool sftk_self_tests_ran = PR_FALSE; static PRBool sftk_self_tests_success = PR_FALSE; -@@ -693,7 +1014,6 @@ static void +@@ -694,7 +1015,6 @@ static void sftk_startup_tests(void) { SECStatus rv; @@ -1402,7 +1390,7 @@ Index: nss/lib/softoken/fipstest.c PORT_Assert(!sftk_self_tests_ran); PORT_Assert(!sftk_self_tests_success); -@@ -705,6 +1025,7 @@ sftk_startup_tests(void) +@@ -706,6 +1026,7 @@ sftk_startup_tests(void) if (rv != SECSuccess) { return; } @@ -1410,7 +1398,7 @@ Index: nss/lib/softoken/fipstest.c /* make sure freebl is initialized, or our RSA check * may fail. This is normally done at freebl load time, but it's * possible we may have shut freebl down without unloading it. */ -@@ -722,12 +1043,21 @@ sftk_startup_tests(void) +@@ -723,12 +1044,21 @@ sftk_startup_tests(void) if (rv != SECSuccess) { return; } @@ -1436,7 +1424,7 @@ Index: nss/lib/softoken/fipstest.c rv = sftk_fips_IKE_PowerUpSelfTests(); if (rv != SECSuccess) { return; -@@ -759,17 +1089,11 @@ sftk_startup_tests(void) +@@ -760,17 +1090,11 @@ sftk_startup_tests(void) CK_RV sftk_FIPSEntryOK() { @@ -1500,7 +1488,7 @@ Index: nss/lib/softoken/legacydb/lgfips.c =================================================================== --- nss.orig/lib/softoken/legacydb/lgfips.c +++ nss/lib/softoken/legacydb/lgfips.c -@@ -90,7 +90,7 @@ lg_startup_tests(void) +@@ -91,7 +91,7 @@ lg_startup_tests(void) /* no self tests required for the legacy db, only the integrity check */ /* check the integrity of our shared library */ diff --git a/nss-fips-detect-fips-mode-fixes.patch b/nss-fips-detect-fips-mode-fixes.patch index 9b84ca7..c2edcf4 100644 --- a/nss-fips-detect-fips-mode-fixes.patch +++ b/nss-fips-detect-fips-mode-fixes.patch @@ -8,10 +8,11 @@ commit facacdb9078693d7a4219e84f73ea7b8f977ddc2 Author: Hans Petter Jansson Patch 32: nss-fips-detect-fips-mode-fixes.patch -diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c ---- a/lib/freebl/nsslowhash.c -+++ b/lib/freebl/nsslowhash.c -@@ -2,10 +2,15 @@ +Index: nss/lib/freebl/nsslowhash.c +=================================================================== +--- nss.orig/lib/freebl/nsslowhash.c ++++ nss/lib/freebl/nsslowhash.c +@@ -2,6 +2,9 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ @@ -21,13 +22,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c #ifdef FREEBL_NO_DEPEND #include "stubs.h" #endif -+ - #include "prtypes.h" -+#include "prenv.h" - #include "secerr.h" - #include "blapi.h" - #include "hasht.h" -@@ -24,6 +29,23 @@ +@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr { }; #ifndef NSS_FIPS_DISABLED @@ -51,7 +46,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c static int nsslow_GetFIPSEnabled(void) { -@@ -45,6 +67,7 @@ +@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void) #endif /* LINUX */ return 1; } @@ -59,7 +54,7 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c #endif /* NSS_FIPS_DISABLED */ static NSSLOWInitContext dummyContext = { 0 }; -@@ -60,7 +83,7 @@ +@@ -67,7 +88,7 @@ NSSLOW_Init(void) #ifndef NSS_FIPS_DISABLED /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ @@ -68,10 +63,11 @@ diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); post_failed = PR_TRUE; -diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c ---- a/lib/sysinit/nsssysinit.c -+++ b/lib/sysinit/nsssysinit.c -@@ -178,16 +178,16 @@ +Index: nss/lib/sysinit/nsssysinit.c +=================================================================== +--- nss.orig/lib/sysinit/nsssysinit.c ++++ nss/lib/sysinit/nsssysinit.c +@@ -178,16 +178,16 @@ getFIPSMode(void) f = fopen("/proc/sys/crypto/fips_enabled", "r"); if (!f) { /* if we don't have a proc flag, fall back to the diff --git a/nss-fips-dsa-kat.patch b/nss-fips-dsa-kat.patch index a4a15fd..90029e0 100644 --- a/nss-fips-dsa-kat.patch +++ b/nss-fips-dsa-kat.patch @@ -28,7 +28,7 @@ Index: nss/lib/freebl/fipsfreebl.c =================================================================== --- nss.orig/lib/freebl/fipsfreebl.c +++ nss/lib/freebl/fipsfreebl.c -@@ -126,11 +126,11 @@ BOOL WINAPI DllMain( +@@ -127,11 +127,11 @@ DllMain( /* FIPS preprocessor directives for DSA. */ #define FIPS_DSA_TYPE siBuffer diff --git a/nss-fips-gcm-ctr.patch b/nss-fips-gcm-ctr.patch index a6f7088..8c266d4 100644 --- a/nss-fips-gcm-ctr.patch +++ b/nss-fips-gcm-ctr.patch @@ -14,7 +14,7 @@ Index: nss/lib/freebl/gcm.c =================================================================== --- nss.orig/lib/freebl/gcm.c +++ nss/lib/freebl/gcm.c -@@ -532,8 +532,14 @@ struct GCMContextStr { +@@ -535,8 +535,14 @@ struct GCMContextStr { unsigned char tagKey[MAX_BLOCK_SIZE]; PRBool ctr_context_init; gcmIVContext gcm_iv; @@ -29,7 +29,7 @@ Index: nss/lib/freebl/gcm.c SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv, unsigned int ivLen, unsigned int tagBits, const unsigned char *aad, unsigned int aadLen); -@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u +@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u goto loser; } @@ -38,7 +38,7 @@ Index: nss/lib/freebl/gcm.c /* finally mix in the AAD data */ rv = gcmHash_Reset(ghash, aad, aadLen); if (rv != SECSuccess) { -@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig +@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig return SECFailure; } @@ -52,7 +52,7 @@ Index: nss/lib/freebl/gcm.c tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE; if (UINT_MAX - inlen < tagBytes) { PORT_SetError(SEC_ERROR_INPUT_LEN); -@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig +@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig *outlen = 0; return SECFailure; }; diff --git a/nss-fips-pairwise-consistency-check.patch b/nss-fips-pairwise-consistency-check.patch index 9b7dea3..205c757 100644 --- a/nss-fips-pairwise-consistency-check.patch +++ b/nss-fips-pairwise-consistency-check.patch @@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4822,8 +4822,8 @@ loser: +@@ -4826,8 +4826,8 @@ loser: return crv; } @@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } diff --git a/nss-fips-stricter-dh.patch b/nss-fips-stricter-dh.patch index 66af4e1..9a17d9d 100644 --- a/nss-fips-stricter-dh.patch +++ b/nss-fips-stricter-dh.patch @@ -4,15 +4,11 @@ Date: Fri Sep 4 13:41:34 2020 +0200 Patch 38: nss-fips-stricter-dh.patch -diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c ---- a/lib/freebl/dh.c -+++ b/lib/freebl/dh.c -@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime) - cleanup: - mp_clear(&p); - return err ? PR_FALSE : PR_TRUE; - } - +Index: nss/lib/freebl/dh.c +=================================================================== +--- nss.orig/lib/freebl/dh.c ++++ nss/lib/freebl/dh.c +@@ -449,7 +449,7 @@ cleanup: PRBool KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime) { @@ -21,10 +17,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c mp_err err; int cmp = 1; /* default is false */ if (!Y || !prime || !subPrime) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; - } - MP_DIGITS(&p) = 0; +@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S MP_DIGITS(&q) = 0; MP_DIGITS(&y) = 0; MP_DIGITS(&r) = 0; @@ -49,9 +42,7 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c /* compute r = y**q mod p */ CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r)); /* compare to 1 */ - cmp = mp_cmp_d(&r, 1); - cleanup: - mp_clear(&p); +@@ -476,6 +487,7 @@ cleanup: mp_clear(&q); mp_clear(&y); mp_clear(&r); @@ -59,6 +50,3 @@ diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c if (err) { MP_TO_SEC_ERROR(err); return PR_FALSE; - } - return (cmp == 0) ? PR_TRUE : PR_FALSE; - } diff --git a/nss-fips-tests-enable-fips.patch b/nss-fips-tests-enable-fips.patch index 65dfad5..c790913 100644 --- a/nss-fips-tests-enable-fips.patch +++ b/nss-fips-tests-enable-fips.patch @@ -2,7 +2,7 @@ Index: nss/tests/cert/cert.sh =================================================================== --- nss.orig/tests/cert/cert.sh +++ nss/tests/cert/cert.sh -@@ -1353,6 +1353,11 @@ cert_stresscerts() +@@ -1350,6 +1350,11 @@ cert_stresscerts() ############################################################################## cert_fips() { @@ -14,7 +14,7 @@ Index: nss/tests/cert/cert.sh CERTFAILED=0 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" -@@ -1393,6 +1398,8 @@ MODSCRIPT +@@ -1390,6 +1395,8 @@ MODSCRIPT cert_log "SUCCESS: FIPS passed" fi diff --git a/nss-fips-tls-allow-md5-prf.patch b/nss-fips-tls-allow-md5-prf.patch index 77304c2..2d2aed0 100644 --- a/nss-fips-tls-allow-md5-prf.patch +++ b/nss-fips-tls-allow-md5-prf.patch @@ -250,7 +250,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession SFTKAttribute *att2 = NULL; unsigned char *buf; SHA1Context *sha; @@ -259,7 +259,7 @@ Index: nss/lib/softoken/pkcs11c.c MD2Context *md2; CK_ULONG macSize; CK_ULONG tmpKeySize; -@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } sftk_FreeAttribute(att2); md5 = MD5_NewContext(); diff --git a/nss-fips-use-getrandom.patch b/nss-fips-use-getrandom.patch index 62f3769..53651aa 100644 --- a/nss-fips-use-getrandom.patch +++ b/nss-fips-use-getrandom.patch @@ -12,7 +12,7 @@ Index: nss/coreconf/Linux.mk =================================================================== --- nss.orig/coreconf/Linux.mk +++ nss/coreconf/Linux.mk -@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro +@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro LDFLAGS += -Wl,-z,relro endif @@ -90,7 +90,7 @@ Index: nss/lib/freebl/unix_rand.c size_t RNG_FileUpdate(const char *fileName, size_t limit); /* -@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file) +@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file) size_t RNG_SystemRNG(void *dest, size_t maxLen) { @@ -117,7 +117,7 @@ Index: nss/lib/freebl/unix_rand.c FILE *file; int fd; int bytes; -@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen) +@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen) fileBytes = 0; } return fileBytes; diff --git a/nss-fips-use-strong-random-pool.patch b/nss-fips-use-strong-random-pool.patch index 88be129..3efb4d3 100644 --- a/nss-fips-use-strong-random-pool.patch +++ b/nss-fips-use-strong-random-pool.patch @@ -10,9 +10,10 @@ From a7cbf64ba8ac07a4a1fdea91f39da56d86af03bf Mon Sep 17 00:00:00 2001 nss/lib/freebl/unix_rand.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) -diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c ---- a/lib/freebl/unix_rand.c -+++ b/lib/freebl/unix_rand.c +Index: nss/lib/freebl/unix_rand.c +=================================================================== +--- nss.orig/lib/freebl/unix_rand.c ++++ nss/lib/freebl/unix_rand.c @@ -24,6 +24,7 @@ #include "prthread.h" #include "prprf.h" @@ -21,7 +22,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c #ifdef NSS_USE_GETRANDOM # ifndef __NR_getrandom -@@ -779,7 +780,7 @@ +@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void) } /* grab some data from system's PRNG before any other files. */ @@ -30,7 +31,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c if (!bytes) { PORT_SetError(SEC_ERROR_NEED_RANDOM); } -@@ -909,7 +910,8 @@ +@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen) int ret; do { @@ -40,7 +41,7 @@ diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c if (0 < ret) inBytes += ret; -@@ -929,7 +931,7 @@ +@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen) size_t fileBytes = 0; unsigned char *buffer = dest; diff --git a/nss-fips-zeroization.patch b/nss-fips-zeroization.patch index b8be926..bff8d6d 100644 --- a/nss-fips-zeroization.patch +++ b/nss-fips-zeroization.patch @@ -92,7 +92,7 @@ Index: nss/lib/freebl/dh.c =================================================================== --- nss.orig/lib/freebl/dh.c +++ nss/lib/freebl/dh.c -@@ -193,6 +193,10 @@ cleanup: +@@ -192,6 +192,10 @@ cleanup: rv = SECFailure; } if (rv) { @@ -107,7 +107,7 @@ Index: nss/lib/freebl/ec.c =================================================================== --- nss.orig/lib/freebl/ec.c +++ nss/lib/freebl/ec.c -@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con +@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con ECParams *ecParams = NULL; SECItem pointC = { siBuffer, NULL, 0 }; int slen; /* length in bytes of a half signature (r or s) */ @@ -175,7 +175,7 @@ Index: nss/lib/freebl/gcm.c return SECSuccess; } #endif /* HAVE_INT128_SUPPORT */ -@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig +@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig /* verify the block */ rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen); if (rv != SECSuccess) { @@ -191,7 +191,7 @@ Index: nss/lib/freebl/gcm.c } /* Don't decrypt if we can't authenticate the encrypted data! * This assumes that if tagBits is not a multiple of 8, intag will -@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig +@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) { /* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */ PORT_SetError(SEC_ERROR_BAD_DATA); diff --git a/nss-opt.patch b/nss-opt.patch index 7b048ff..8e1a1e1 100644 --- a/nss-opt.patch +++ b/nss-opt.patch @@ -2,7 +2,7 @@ Index: nss/coreconf/Linux.mk =================================================================== --- nss.orig/coreconf/Linux.mk +++ nss/coreconf/Linux.mk -@@ -113,11 +113,7 @@ LIBC_TAG = _glibc +@@ -114,11 +114,7 @@ LIBC_TAG = _glibc endif ifdef BUILD_OPT