pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

- update to NSS 3.57

Browse Source 
* The following CA certificates were Added:
    bmo#1663049 - CN=Trustwave Global Certification Authority
        SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
    bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
        SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
    bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
        SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
  * The following CA certificates were Removed:
    bmo#1651211 - CN=EE Certification Centre Root CA
        SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
    bmo#1656077 - O=Government Root Certification Authority; C=TW
        SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
  * Trust settings for the following CA certificates were Modified:
    bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
        Websites (server authentication) trust bit removed.
  * https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially
  for LTO on Tumbleweed

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=337
This commit is contained in:
Wolfgang Rosenauer 2020-10-07 08:15:55 +00:00 committed by Git OBS Bridge
parent e43a7b9e4b
commit f6aa3fb9fb
10 changed files with 531 additions and 247 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
_constraints Normal file
View File

@ -0,0 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<constraints>
<hardware>
<disk>
<size unit="G">10</size>
</disk>
<memory>
<size unit="M">2500</size>
</memory>
</hardware>
</constraints>

2
baselibs.conf
View File

@ -1,5 +1,5 @@
mozilla-nss
requires "mozilla-nspr-<targettype> >= 4.25"
requires "mozilla-nspr-<targettype> >= 4.29"
requires "libfreebl3-<targettype>"
requires "libsoftokn3-<targettype>"
requires "libnssckbi.so"

25
mozilla-nss.changes
View File

@ -1,3 +1,28 @@
-------------------------------------------------------------------
Wed Sep 30 21:06:01 UTC 2020 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.57
* The following CA certificates were Added:
bmo#1663049 - CN=Trustwave Global Certification Authority
SHA-256 Fingerprint: 97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
SHA-256 Fingerprint: 945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
SHA-256 Fingerprint: 55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
* The following CA certificates were Removed:
bmo#1651211 - CN=EE Certification Centre Root CA
SHA-256 Fingerprint: 3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
bmo#1656077 - O=Government Root Certification Authority; C=TW
SHA-256 Fingerprint: 7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
* Trust settings for the following CA certificates were Modified:
bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
Websites (server authentication) trust bit removed.
* https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
- requires NSPR 4.29
- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
- introduced _constraints due to high memory requirements especially
for LTO on Tumbleweed
-------------------------------------------------------------------
Fri Sep 25 06:55:40 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>

63
mozilla-nss.spec
View File

@ -17,14 +17,14 @@
#
%global nss_softokn_fips_version 3.56
%define NSPR_min_version 4.28
%global nss_softokn_fips_version 3.57
%define NSPR_min_version 4.29
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss
Version: 3.56
Version: 3.57
Release: 0
%define underscore_version 3_56
%define underscore_version 3_57
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@ -50,26 +50,25 @@ Patch5: malloc.patch
Patch6: bmo-1400603.patch
Patch7: nss-sqlitename.patch
Patch8: ppc-old-abi-v3.patch
Patch11: nss-fips-use-getrandom.patch
Patch13: nss-fips-dsa-kat.patch
Patch15: nss-fips-pairwise-consistency-check.patch
Patch16: nss-fips-rsa-keygen-strictness.patch
Patch19: nss-fips-cavs-keywrap.patch
Patch20: nss-fips-cavs-kas-ffc.patch
Patch21: nss-fips-cavs-kas-ecc.patch
Patch22: nss-fips-gcm-ctr.patch
Patch23: nss-fips-constructor-self-tests.patch
Patch24: nss-fips-cavs-general.patch
Patch25: nss-fips-cavs-dsa-fixes.patch
Patch26: nss-fips-cavs-rsa-fixes.patch
Patch27: nss-fips-approved-crypto-non-ec.patch
Patch29: nss-fips-zeroization.patch
Patch30: nss-fips-tls-allow-md5-prf.patch
Patch31: nss-fips-use-strong-random-pool.patch
Patch32: nss-fips-detect-fips-mode-fixes.patch
Patch34: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch36: nss-fips-aes-keywrap-post.patch
Patch37: nss-freebl-fix-aarch64.patch
Patch9: nss-fips-use-getrandom.patch
Patch10: nss-fips-dsa-kat.patch
Patch11: nss-fips-pairwise-consistency-check.patch
Patch12: nss-fips-rsa-keygen-strictness.patch
Patch13: nss-fips-cavs-keywrap.patch
Patch14: nss-fips-cavs-kas-ffc.patch
Patch15: nss-fips-cavs-kas-ecc.patch
Patch16: nss-fips-gcm-ctr.patch
Patch17: nss-fips-constructor-self-tests.patch
Patch18: nss-fips-cavs-general.patch
Patch19: nss-fips-cavs-dsa-fixes.patch
Patch20: nss-fips-cavs-rsa-fixes.patch
Patch21: nss-fips-approved-crypto-non-ec.patch
Patch22: nss-fips-zeroization.patch
Patch23: nss-fips-tls-allow-md5-prf.patch
Patch24: nss-fips-use-strong-random-pool.patch
Patch25: nss-fips-detect-fips-mode-fixes.patch
Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch27: nss-fips-aes-keywrap-post.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@ -206,12 +205,17 @@ cd nss
%patch6 -p1
%patch7 -p1
%patch8 -p1
# FIPS patches
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1
%patch19 -p1
%patch20 -p1
%patch21 -p1
@ -221,15 +225,6 @@ cd nss
%patch25 -p1
%patch26 -p1
%patch27 -p1
%patch29 -p1
%patch30 -p1
%patch31 -p1
%patch32 -p1
%patch34 -p1
%patch36 -p1
# Freebl
%patch37 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins

3
nss-3.56.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f875e0e8ed3b5ce92d675be4a55aa25a8c1199789a4a01f69b5f2327e2048e9c
size 81706176

3
nss-3.57.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:55a86c01be860381d64bb4e5b94eb198df9b0f098a8af0e58c014df398bdc382
size 81712830

60
nss-fips-aes-keywrap-post.patch
View File

@ -3,7 +3,7 @@
# Date 1589854460 -7200
# Tue May 19 04:14:20 2020 +0200
# Node ID ce99bba6375432c55a73c1367f619dfef7c7e9fc
# Parent 2b4f407fb1f8824fed4df9c4c3f15a2493e71677
# Parent 2c820431829b3e5c7e161bd0bf73b48def9d3822
commit e78f5a6a2124ce88002796d6aaefc6232f132526
Author: Hans Petter Jansson <hpj@cl.no>
AES Keywrap POST.
@ -11,7 +11,12 @@ Author: Hans Petter Jansson <hpj@cl.no>
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -110,6 +110,9 @@
@@ -107,16 +107,19 @@ BOOL WINAPI DllMain(
#define FIPS_AES_BLOCK_SIZE 16 /* 128-bits */
#define FIPS_AES_ENCRYPT_LENGTH 16 /* 128-bits */
#define FIPS_AES_DECRYPT_LENGTH 16 /* 128-bits */
#define FIPS_AES_CMAC_LENGTH 16 /* 128-bits */
#define FIPS_AES_128_KEY_SIZE 16 /* 128-bits */
#define FIPS_AES_192_KEY_SIZE 24 /* 192-bits */
#define FIPS_AES_256_KEY_SIZE 32 /* 256-bits */
@ -21,7 +26,17 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
/* FIPS preprocessor directives for message digests */
#define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */
@@ -299,6 +302,9 @@
/* FIPS preprocessor directives for RSA. */
#define FIPS_RSA_TYPE siBuffer
#define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3 /* 24-bits */
#define FIPS_RSA_PRIVATE_VERSION_LENGTH 1 /* 8-bits */
#define FIPS_RSA_MESSAGE_LENGTH 256 /* 2048-bits */
@@ -296,16 +299,19 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
static const PRUint8 aes_cbc_known_initialization_vector[] =
{ "SecurityytiruceS" };
/* AES Known Plaintext (128-bits). (blocksize is 128-bits) */
static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" };
static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" };
@ -31,8 +46,18 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
/* AES Known Ciphertext (128-bit key). */
static const PRUint8 aes_ecb128_known_ciphertext[] = {
0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1,
@@ -353,6 +359,25 @@
0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1
0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47
};
static const PRUint8 aes_cbc128_known_ciphertext[] = {
0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63,
@@ -366,33 +372,56 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
};
static const PRUint8 aes_cmac256_known_ciphertext[] = {
0xc1, 0x26, 0x69, 0x32, 0x51, 0x13, 0x65, 0xac,
0x71, 0x23, 0xe4, 0xe7, 0xb9, 0x0c, 0x88, 0x9f
};
+ /* AES Keywrap Known Ciphertexts. */
@ -57,10 +82,15 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
const PRUint8 *aes_ecb_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : aes_ecb256_known_ciphertext;
@@ -362,10 +387,14 @@
const PRUint8 *aes_cbc_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext : aes_cbc256_known_ciphertext;
const PRUint8 *aes_gcm_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext : aes_gcm256_known_ciphertext;
const PRUint8 *aes_cmac_known_ciphertext =
(aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext;
+ const PRUint8 *aes_keywrap_known_ciphertext =
+ (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : aes_kw256_known_ciphertext;
+
@ -68,11 +98,22 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2];
PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2];
AESContext *aes_context;
CMACContext *cmac_context;
+ AESKeyWrapContext *aes_keywrap_context;
unsigned int aes_bytes_encrypted;
unsigned int aes_bytes_decrypted;
CK_NSS_GCM_PARAMS gcmParams;
@@ -554,6 +583,52 @@
SECStatus aes_status;
/*check if aes_key_size is 128, 192, or 256 bits */
if ((aes_key_size != FIPS_AES_128_KEY_SIZE) &&
(aes_key_size != FIPS_AES_192_KEY_SIZE) &&
@@ -609,16 +638,62 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
if ((aes_status != SECSuccess) ||
(aes_bytes_encrypted != FIPS_AES_CMAC_LENGTH) ||
(PORT_Memcmp(aes_computed_ciphertext, aes_cmac_known_ciphertext,
FIPS_AES_CMAC_LENGTH) != 0)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return (SECFailure);
}
@ -125,3 +166,8 @@ diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
return (SECSuccess);
}
/* Known Hash Message (512-bits). Used for all hashes (incl. SHA-N [N>1]). */
static const PRUint8 known_hash_message[] = {
"The test message for the MD2, MD5, and SHA-1 hashing algorithms."
};

505
nss-fips-constructor-self-tests.patch
View File

@ -4,10 +4,15 @@ Date: Sun Mar 15 21:54:30 2020 +0100
Patch 23: nss-fips-constructor-self-tests.patch
diff -r 3a9a84eee4a2 cmd/chktest/chktest.c
--- a/cmd/chktest/chktest.c Wed Nov 20 08:25:39 2019 +0100
+++ b/cmd/chktest/chktest.c Fri May 29 09:13:35 2020 +0200
@@ -38,7 +38,7 @@
diff --git a/cmd/chktest/chktest.c b/cmd/chktest/chktest.c
--- a/cmd/chktest/chktest.c
+++ b/cmd/chktest/chktest.c
@@ -33,13 +33,13 @@ main(int argc, char **argv)
}
rv = BL_Init();
if (rv != SECSuccess) {
SECU_PrintPRandOSError("");
return -1;
}
RNG_SystemInfoForRNG();
@ -16,10 +21,16 @@ diff -r 3a9a84eee4a2 cmd/chktest/chktest.c
printf("%s\n",
(good_result ? "SUCCESS" : "FAILURE"));
return (good_result) ? SECSuccess : SECFailure;
diff -r 3a9a84eee4a2 cmd/shlibsign/shlibsign.c
--- a/cmd/shlibsign/shlibsign.c Wed Nov 20 08:25:39 2019 +0100
+++ b/cmd/shlibsign/shlibsign.c Fri May 29 09:13:35 2020 +0200
@@ -946,10 +946,12 @@
}
diff --git a/cmd/shlibsign/shlibsign.c b/cmd/shlibsign/shlibsign.c
--- a/cmd/shlibsign/shlibsign.c
+++ b/cmd/shlibsign/shlibsign.c
@@ -941,20 +941,22 @@ main(int argc, char **argv)
if (keySize && (mechInfo.ulMaxKeySize < keySize)) {
PR_fprintf(PR_STDERR,
"token doesn't support DSA2 (Max key size=%d)\n",
mechInfo.ulMaxKeySize);
goto cleanup;
}
@ -36,10 +47,20 @@ diff -r 3a9a84eee4a2 cmd/shlibsign/shlibsign.c
}
}
diff -r 3a9a84eee4a2 lib/freebl/blapi.h
--- a/lib/freebl/blapi.h Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/blapi.h Fri May 29 09:13:35 2020 +0200
@@ -1736,17 +1736,17 @@
/* DSA key init */
if (keySize == 1024) {
dsaPubKeyTemplate[0].type = CKA_PRIME;
dsaPubKeyTemplate[0].pValue = (CK_VOID_PTR)&prime;
dsaPubKeyTemplate[0].ulValueLen = sizeof(prime);
diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h
--- a/lib/freebl/blapi.h
+++ b/lib/freebl/blapi.h
@@ -1734,27 +1734,27 @@ extern void PQG_DestroyVerify(PQGVerify
extern void BL_Cleanup(void);
/* unload freebl shared library from memory */
extern void BL_Unload(void);
/**************************************************************************
* Verify a given Shared library signature *
**************************************************************************/
@ -60,9 +81,15 @@ diff -r 3a9a84eee4a2 lib/freebl/blapi.h
/*********************************************************************/
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
diff -r 3a9a84eee4a2 lib/freebl/fips-selftest.inc
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/freebl/fips-selftest.inc Fri May 29 09:13:35 2020 +0200
extern void BL_SetForkState(PRBool forked);
/*
** pepare an ECParam structure from DEREncoded params
diff --git a/lib/freebl/fips-selftest.inc b/lib/freebl/fips-selftest.inc
new file mode 100644
--- /dev/null
+++ b/lib/freebl/fips-selftest.inc
@@ -0,0 +1,293 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test - common stuff.
@ -357,9 +384,10 @@ diff -r 3a9a84eee4a2 lib/freebl/fips-selftest.inc
+}
+
+#endif
diff -r 3a9a84eee4a2 lib/freebl/fips.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/freebl/fips.c Fri May 29 09:13:35 2020 +0200
diff --git a/lib/freebl/fips.c b/lib/freebl/fips.c
new file mode 100644
--- /dev/null
+++ b/lib/freebl/fips.c
@@ -0,0 +1,7 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
@ -368,9 +396,10 @@ diff -r 3a9a84eee4a2 lib/freebl/fips.c
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
diff -r 3a9a84eee4a2 lib/freebl/fips.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/freebl/fips.h Fri May 29 09:13:35 2020 +0200
diff --git a/lib/freebl/fips.h b/lib/freebl/fips.h
new file mode 100644
--- /dev/null
+++ b/lib/freebl/fips.h
@@ -0,0 +1,15 @@
+/*
+ * PKCS #11 FIPS Power-Up Self Test.
@ -387,10 +416,15 @@ diff -r 3a9a84eee4a2 lib/freebl/fips.h
+
+#endif
+
diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
--- a/lib/freebl/fipsfreebl.c Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/fipsfreebl.c Fri May 29 09:13:35 2020 +0200
@@ -20,6 +20,13 @@
diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -16,16 +16,23 @@
#include "secerr.h"
#include "prtypes.h"
#include "secitem.h"
#include "pkcs11t.h"
#include "cmac.h"
#include "ec.h" /* Required for EC */
@ -404,7 +438,17 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
/*
* different platforms have different ways of calling and initial entry point
* when the dll/.so is loaded. Most platforms support either a posix pragma
@@ -1774,9 +1781,8 @@
* or the GCC attribute. Some platforms suppor a pre-defined name, and some
* platforms have a link line way of invoking this function.
*/
/* The pragma */
@@ -1993,57 +2000,57 @@ freebl_fips_RNG_PowerUpSelfTest(void)
0x3f, 0xf7, 0x0c, 0xcd, 0xa6, 0xca, 0xbf, 0xce,
0x84, 0x0e, 0xb6, 0xf1, 0x0d, 0xbe, 0xa9, 0xa3
};
static const PRUint8 rng_known_DSAX[] = {
0x7a, 0x86, 0xf1, 0x7f, 0xbd, 0x4e, 0x6e, 0xd9,
0x0a, 0x26, 0x21, 0xd0, 0x19, 0xcb, 0x86, 0x73,
0x10, 0x1f, 0x60, 0xd7
};
@ -415,7 +459,13 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
/*******************************************/
/* Run the SP 800-90 Health tests */
@@ -1790,13 +1796,12 @@
/*******************************************/
rng_status = PRNGTEST_RunHealthTests();
if (rng_status != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
/*******************************************/
/* Generate DSAX fow given Q. */
/*******************************************/
@ -430,7 +480,7 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure;
}
@@ -1804,17 +1809,19 @@
return (SECSuccess);
}
@ -451,7 +501,17 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
#define DO_FREEBL 1
#define DO_REST 2
@@ -1926,11 +1933,13 @@
static SECStatus
freebl_fipsPowerUpSelfTest(unsigned int tests)
{
SECStatus rv;
@@ -2151,34 +2158,36 @@ freebl_fipsPowerUpSelfTest(unsigned int
* to prevent the softoken function pointer table from operating until the
* libraries are loaded and we try to use them.
*/
static PRBool self_tests_freebl_ran = PR_FALSE;
static PRBool self_tests_ran = PR_FALSE;
static PRBool self_tests_freebl_success = PR_FALSE;
static PRBool self_tests_success = PR_FALSE;
@ -466,7 +526,12 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
{
SECStatus rv;
/* if the freebl self tests didn't run, there is something wrong with
@@ -1943,7 +1952,7 @@
* our on load tests */
if (!self_tests_freebl_ran) {
return PR_FALSE;
}
/* if all the self tests have run, we are good */
if (self_tests_ran) {
return PR_TRUE;
}
/* if we only care about the freebl tests, we are good */
@ -475,7 +540,17 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
return PR_TRUE;
}
/* run the rest of the self tests */
@@ -1962,31 +1971,15 @@
/* We could get there if freebl was loaded without the rest of the support
* libraries, but now we want to use more than just a standalone freebl.
* This requires the other libraries to be loaded.
* If they are now loaded, Try to run the rest of the selftests,
* otherwise fail (disabling access to these algorithms) */
@@ -2187,92 +2196,174 @@ BL_POSTRan(PRBool freebl_only)
RNG_RNGInit(); /* required by RSA */
rv = freebl_fipsPowerUpSelfTest(DO_REST);
if (rv == SECSuccess) {
self_tests_success = PR_TRUE;
}
return PR_TRUE;
}
@ -514,7 +589,12 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
self_tests_freebl_ran = PR_TRUE; /* we are running the tests */
@@ -1999,20 +1992,55 @@
if (!freebl_only) {
self_tests_ran = PR_TRUE; /* we're running all the tests */
BL_Init(); /* needs to be called before RSA can be used */
RNG_RNGInit();
}
/* always run the post tests */
rv = freebl_fipsPowerUpSelfTest(freebl_only ? DO_FREEBL : DO_FREEBL | DO_REST);
if (rv != SECSuccess) {
@ -572,7 +652,8 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
}
/*
@@ -2021,28 +2049,91 @@
* this is called from the freebl init entry points that controll access to
* all other freebl functions. This prevents freebl from operating if our
* power on selftest failed.
*/
SECStatus
@ -674,10 +755,15 @@ diff -r 3a9a84eee4a2 lib/freebl/fipsfreebl.c
+}
+
#endif
diff -r 3a9a84eee4a2 lib/freebl/loader.c
--- a/lib/freebl/loader.c Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/loader.c Fri May 29 09:13:35 2020 +0200
@@ -1189,11 +1189,11 @@
diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c
--- a/lib/freebl/loader.c
+++ b/lib/freebl/loader.c
@@ -1208,36 +1208,36 @@ AESKeyWrap_DecryptKWP(AESKeyWrapContext
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return SECFailure;
return vector->p_AESKeyWrap_DecryptKWP(cx, output, outputLen, maxOutputLen,
input, inputLen);
}
PRBool
@ -691,7 +777,9 @@ diff -r 3a9a84eee4a2 lib/freebl/loader.c
}
/*
@@ -1203,12 +1203,12 @@
* The Caller is expected to pass NULL as the name, which will
* trigger the p_BLAPI_VerifySelf() to return 'TRUE'. Pass the real
* name of the shared library we loaded (the static libraryName set
* in freebl_LoadDSO) to p_BLAPI_VerifySelf.
*/
PRBool
@ -706,7 +794,17 @@ diff -r 3a9a84eee4a2 lib/freebl/loader.c
}
/* ============== New for 3.006 =============================== */
@@ -1804,11 +1804,11 @@
SECStatus
EC_NewKey(ECParams *params, ECPrivateKey **privKey)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
@@ -1831,21 +1831,21 @@ void
SHA224_Clone(SHA224Context *dest, SHA224Context *src)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
return;
(vector->p_SHA224_Clone)(dest, src);
}
PRBool
@ -720,10 +818,20 @@ diff -r 3a9a84eee4a2 lib/freebl/loader.c
}
/* === new for DSA-2 === */
diff -r 3a9a84eee4a2 lib/freebl/loader.h
--- a/lib/freebl/loader.h Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/loader.h Fri May 29 09:13:35 2020 +0200
@@ -299,8 +299,8 @@
SECStatus
PQG_ParamGenV2(unsigned int L, unsigned int N, unsigned int seedBytes,
PQGParams **pParams, PQGVerify **pVfy)
{
if (!vector && PR_SUCCESS != freebl_RunLoaderOnce())
diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h
--- a/lib/freebl/loader.h
+++ b/lib/freebl/loader.h
@@ -294,18 +294,18 @@ struct FREEBLVectorStr {
SECStatus (*p_AESKeyWrap_Decrypt)(AESKeyWrapContext *cx,
unsigned char *output,
unsigned int *outputLen, unsigned int maxOutputLen,
const unsigned char *input, unsigned int inputLen);
/* Version 3.004 came to here */
@ -734,7 +842,17 @@ diff -r 3a9a84eee4a2 lib/freebl/loader.h
/* Version 3.005 came to here */
@@ -556,7 +556,7 @@
SECStatus (*p_EC_NewKey)(ECParams *params,
ECPrivateKey **privKey);
SECStatus (*p_EC_NewKeyFromSeed)(ECParams *params,
ECPrivateKey **privKey,
@@ -551,17 +551,17 @@ struct FREEBLVectorStr {
SECStatus (*p_SHA224_HashBuf)(unsigned char *dest, const unsigned char *src,
PRUint32 src_length);
SECStatus (*p_SHA224_Hash)(unsigned char *dest, const char *src);
void (*p_SHA224_TraceState)(SHA224Context *cx);
unsigned int (*p_SHA224_FlattenSize)(SHA224Context *cx);
SECStatus (*p_SHA224_Flatten)(SHA224Context *cx, unsigned char *space);
SHA224Context *(*p_SHA224_Resurrect)(unsigned char *space, void *arg);
void (*p_SHA224_Clone)(SHA224Context *dest, SHA224Context *src);
@ -743,10 +861,20 @@ diff -r 3a9a84eee4a2 lib/freebl/loader.h
/* Version 3.013 came to here */
diff -r 3a9a84eee4a2 lib/freebl/manifest.mn
--- a/lib/freebl/manifest.mn Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/manifest.mn Fri May 29 09:13:35 2020 +0200
@@ -97,6 +97,7 @@
SECStatus (*p_PQG_ParamGenV2)(unsigned int L, unsigned int N,
unsigned int seedBytes,
PQGParams **pParams, PQGVerify **pVfy);
SECStatus (*p_PRNGTEST_RunHealthTests)(void);
diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn
--- a/lib/freebl/manifest.mn
+++ b/lib/freebl/manifest.mn
@@ -92,16 +92,17 @@ PRIVATE_EXPORTS = \
chacha20poly1305.h \
hmacct.h \
secmpi.h \
secrng.h \
ec.h \
ecl.h \
ecl-curve.h \
eclt.h \
@ -754,7 +882,17 @@ diff -r 3a9a84eee4a2 lib/freebl/manifest.mn
$(NULL)
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
@@ -179,6 +180,7 @@
MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h
ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \
@@ -181,16 +182,17 @@ ALL_HDRS = \
rijndael.h \
camellia.h \
secmpi.h \
sha_fast.h \
sha256.h \
shsign.h \
vis_proto.h \
seed.h \
@ -762,10 +900,20 @@ diff -r 3a9a84eee4a2 lib/freebl/manifest.mn
$(NULL)
diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
--- a/lib/freebl/shvfy.c Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/freebl/shvfy.c Fri May 29 09:13:35 2020 +0200
@@ -21,6 +21,8 @@
ifdef AES_GEN_VAL
DEFINES += -DRIJNDAEL_GENERATE_VALUES
else
ifdef AES_GEN_VAL_M
DEFINES += -DRIJNDAEL_GENERATE_VALUES_MACRO
diff --git a/lib/freebl/shvfy.c b/lib/freebl/shvfy.c
--- a/lib/freebl/shvfy.c
+++ b/lib/freebl/shvfy.c
@@ -16,16 +16,18 @@
#include "stdio.h"
#include "prmem.h"
#include "hasht.h"
#include "pqg.h"
#include "blapii.h"
#ifndef NSS_FIPS_DISABLED
@ -774,7 +922,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
/*
* Most modern version of Linux support a speed optimization scheme where an
* application called prelink modifies programs and shared libraries to quickly
@@ -230,8 +232,6 @@
* load if they fit into an already designed address space. In short, prelink
* scans the list of programs and libraries on your system, assigns them a
* predefined space in the the address space, then provides the fixups to the
* library.
@@ -225,18 +227,16 @@ bl_CloseUnPrelink(PRFileDesc *file, int
PR_Close(file);
/* reap the child */
if (pid) {
waitpid(pid, NULL, 0);
}
}
#endif
@ -783,7 +941,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
static char *
mkCheckFileName(const char *libName)
{
@@ -286,19 +286,19 @@
int ln_len = PORT_Strlen(libName);
int index = ln_len + 1 - sizeof("." SHLIB_SUFFIX);
char *output = PORT_Alloc(ln_len + sizeof(SGN_SUFFIX));
if (!output) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -281,52 +281,52 @@ readItem(PRFileDesc *fd, SECItem *item)
PORT_Free(item->data);
item->data = NULL;
item->len = 0;
return SECFailure;
}
return SECSuccess;
}
@ -807,7 +975,10 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
loser:
if (shName != NULL) {
@@ -309,19 +309,19 @@
PR_Free(shName);
}
return result;
}
PRBool
@ -832,7 +1003,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
{
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
@@ -339,7 +339,7 @@
PRFileDesc *shFD = NULL;
void *hashcx = NULL;
const SECHashObject *hashObj = NULL;
SECItem signature = { 0, NULL, 0 };
SECItem hash;
@@ -334,17 +334,17 @@ blapi_SHVerifyFile(const char *shName, P
SECStatus rv;
DSAPublicKey key;
int count;
#ifdef FREEBL_USE_PRELINK
int pid = 0;
#endif
PRBool result = PR_FALSE; /* if anything goes wrong,
@ -841,7 +1022,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
unsigned char buf[4096];
unsigned char hashBuf[HASH_LENGTH_MAX];
@@ -366,14 +366,17 @@
PORT_Memset(&key, 0, sizeof(key));
hash.data = hashBuf;
hash.len = sizeof(hashBuf);
/* If our integrity check was never ran or failed, fail any other
@@ -361,24 +361,27 @@ blapi_SHVerifyFile(const char *shName, P
checkName = mkCheckFileName(shName);
if (!checkName) {
goto loser;
}
/* open the check File */
checkFD = PR_Open(checkName, PR_RDONLY, 0);
if (checkFD == NULL) {
@ -862,7 +1053,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
bytesRead = PR_Read(checkFD, buf, 12);
if (bytesRead != 12) {
goto loser;
@@ -414,7 +417,8 @@
}
if ((buf[0] != NSS_SIGN_CHK_MAGIC1) || (buf[1] != NSS_SIGN_CHK_MAGIC2)) {
goto loser;
}
if ((buf[2] != NSS_SIGN_CHK_MAJOR_VERSION) ||
@@ -409,46 +412,47 @@ blapi_SHVerifyFile(const char *shName, P
rv = readItem(checkFD, &key.params.base);
if (rv != SECSuccess) {
goto loser;
}
rv = readItem(checkFD, &key.publicValue);
if (rv != SECSuccess) {
goto loser;
}
@ -872,7 +1073,14 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
rv = readItem(checkFD, &signature);
if (rv != SECSuccess) {
goto loser;
@@ -429,7 +433,7 @@
}
/* done with the check file */
PR_Close(checkFD);
checkFD = NULL;
hashObj = HASH_GetRawHashObject(PQG_GetHashType(&key.params));
if (hashObj == NULL) {
goto loser;
}
@ -881,7 +1089,7 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
#ifdef FREEBL_USE_PRELINK
shFD = bl_OpenUnPrelink(shName, &pid);
#else
@@ -437,13 +441,13 @@
shFD = PR_Open(shName, PR_RDONLY, 0);
#endif
if (shFD == NULL) {
#ifdef DEBUG_SHVERIFY
@ -898,7 +1106,17 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
hashcx = hashObj->create();
if (hashcx == NULL) {
goto loser;
@@ -528,7 +532,7 @@
}
hashObj->begin(hashcx);
count = 0;
while ((bytesRead = PR_Read(shFD, buf, sizeof(buf))) > 0) {
@@ -523,26 +527,26 @@ loser:
if (key.publicValue.data != NULL) {
PORT_Free(key.publicValue.data);
}
return result;
}
PRBool
@ -907,7 +1125,8 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
{
if (name == NULL) {
/*
@@ -537,7 +541,7 @@
* If name is NULL, freebl is statically linked into softoken.
* softoken will call BLAPI_SHVerify next to verify itself.
*/
return PR_TRUE;
}
@ -916,9 +1135,15 @@ diff -r 3a9a84eee4a2 lib/freebl/shvfy.c
}
#else /* NSS_FIPS_DISABLED */
diff -r 3a9a84eee4a2 lib/softoken/fips.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/softoken/fips.c Fri May 29 09:13:35 2020 +0200
PRBool
BLAPI_SHVerifyFile(const char *shName)
{
return PR_FALSE;
diff --git a/lib/softoken/fips.c b/lib/softoken/fips.c
new file mode 100644
--- /dev/null
+++ b/lib/softoken/fips.c
@@ -0,0 +1,33 @@
+#include "../freebl/fips-selftest.inc"
+
@ -953,9 +1178,10 @@ diff -r 3a9a84eee4a2 lib/softoken/fips.c
+
+ return;
+}
diff -r 3a9a84eee4a2 lib/softoken/fips.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/softoken/fips.h Fri May 29 09:13:35 2020 +0200
diff --git a/lib/softoken/fips.h b/lib/softoken/fips.h
new file mode 100644
--- /dev/null
+++ b/lib/softoken/fips.h
@@ -0,0 +1,10 @@
+#ifndef FIPS_H
+#define FIPS_H
@ -967,11 +1193,16 @@ diff -r 3a9a84eee4a2 lib/softoken/fips.h
+
+#endif
+
diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
--- a/lib/softoken/fipstest.c Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/softoken/fipstest.c Fri May 29 09:13:35 2020 +0200
@@ -581,6 +581,327 @@
return (SECFailure);
diff --git a/lib/softoken/fipstest.c b/lib/softoken/fipstest.c
--- a/lib/softoken/fipstest.c
+++ b/lib/softoken/fipstest.c
@@ -677,39 +677,360 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return (SECFailure);
}
#endif
return (SECSuccess);
}
+#define FIPS_DSA_TYPE siBuffer
@ -1298,7 +1529,11 @@ diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
static PRBool sftk_self_tests_ran = PR_FALSE;
static PRBool sftk_self_tests_success = PR_FALSE;
@@ -592,7 +913,6 @@
/*
* This function is called at dll load time, the code tha makes this
* happen is platform specific on defined above.
*/
static void
sftk_startup_tests(void)
{
SECStatus rv;
@ -1306,7 +1541,11 @@ diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
@@ -604,6 +924,7 @@
sftk_self_tests_ran = PR_TRUE;
sftk_self_tests_success = PR_FALSE; /* just in case */
/* need to initiallize the oid library before the RSA tests */
rv = SECOID_Init();
if (rv != SECSuccess) {
return;
}
@ -1314,7 +1553,17 @@ diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
/* make sure freebl is initialized, or our RSA check
* may fail. This is normally done at freebl load time, but it's
* possible we may have shut freebl down without unloading it. */
@@ -621,12 +942,21 @@
rv = BL_Init();
if (rv != SECSuccess) {
return;
}
@@ -717,22 +1038,31 @@ sftk_startup_tests(void)
if (rv != SECSuccess) {
return;
}
/* check the RSA combined functions in softoken */
rv = sftk_fips_RSA_PowerUpSelfTest();
if (rv != SECSuccess) {
return;
}
@ -1340,7 +1589,17 @@ diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
rv = sftk_fips_IKE_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
@@ -642,17 +972,11 @@
}
rv = sftk_fips_SP800_108_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
@@ -754,27 +1084,21 @@ sftk_startup_tests(void)
/*
* this is called from nsc_Common_Initizialize entry points that gates access
* to * all other pkcs11 functions. This prevents softoken operation if our
* power on selftest failed.
*/
CK_RV
sftk_FIPSEntryOK()
{
@ -1360,9 +1619,15 @@ diff -r 3a9a84eee4a2 lib/softoken/fipstest.c
if (!sftk_self_tests_success) {
return CKR_DEVICE_ERROR;
}
diff -r 3a9a84eee4a2 lib/softoken/legacydb/fips.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/softoken/legacydb/fips.c Fri May 29 09:13:35 2020 +0200
return CKR_OK;
}
#else
#include "pkcs11t.h"
CK_RV
diff --git a/lib/softoken/legacydb/fips.c b/lib/softoken/legacydb/fips.c
new file mode 100644
--- /dev/null
+++ b/lib/softoken/legacydb/fips.c
@@ -0,0 +1,25 @@
+#include "../../freebl/fips-selftest.inc"
+
@ -1389,19 +1654,25 @@ diff -r 3a9a84eee4a2 lib/softoken/legacydb/fips.c
+
+/*** public per-module symbols ***/
+
diff -r 3a9a84eee4a2 lib/softoken/legacydb/fips.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/softoken/legacydb/fips.h Fri May 29 09:13:35 2020 +0200
diff --git a/lib/softoken/legacydb/fips.h b/lib/softoken/legacydb/fips.h
new file mode 100644
--- /dev/null
+++ b/lib/softoken/legacydb/fips.h
@@ -0,0 +1,5 @@
+#ifndef FIPS_H
+#define FIPS_H
+
+#endif
+
diff -r 3a9a84eee4a2 lib/softoken/legacydb/lgfips.c
--- a/lib/softoken/legacydb/lgfips.c Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/softoken/legacydb/lgfips.c Fri May 29 09:13:35 2020 +0200
@@ -90,7 +90,7 @@
diff --git a/lib/softoken/legacydb/lgfips.c b/lib/softoken/legacydb/lgfips.c
--- a/lib/softoken/legacydb/lgfips.c
+++ b/lib/softoken/legacydb/lgfips.c
@@ -85,17 +85,17 @@ lg_startup_tests(void)
PORT_Assert(!lg_self_tests_ran);
PORT_Assert(!lg_self_tests_success);
lg_self_tests_ran = PR_TRUE;
lg_self_tests_success = PR_FALSE; /* just in case */
/* no self tests required for the legacy db, only the integrity check */
/* check the integrity of our shared library */
@ -1410,10 +1681,20 @@ diff -r 3a9a84eee4a2 lib/softoken/legacydb/lgfips.c
/* something is wrong with the library, fail without enabling
* the fips token */
return;
diff -r 3a9a84eee4a2 lib/softoken/legacydb/manifest.mn
--- a/lib/softoken/legacydb/manifest.mn Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/softoken/legacydb/manifest.mn Fri May 29 09:13:35 2020 +0200
@@ -12,7 +12,7 @@
}
/* FIPS product has been installed and is functioning, allow
* the module to operate in fips mode */
lg_self_tests_success = PR_TRUE;
}
diff --git a/lib/softoken/legacydb/manifest.mn b/lib/softoken/legacydb/manifest.mn
--- a/lib/softoken/legacydb/manifest.mn
+++ b/lib/softoken/legacydb/manifest.mn
@@ -7,26 +7,27 @@ CORE_DEPTH = ../../..
MODULE = nss
REQUIRES = dbm
LIBRARY_NAME = nssdbm
LIBRARY_VERSION = 3
MAPFILE = $(OBJDIR)/$(LIBRARY_NAME).def
@ -1422,17 +1703,30 @@ diff -r 3a9a84eee4a2 lib/softoken/legacydb/manifest.mn
CSRCS = \
dbmshim.c \
@@ -28,5 +28,6 @@
keydb.c \
lgattr.c \
lgcreate.c \
lgdestroy.c \
lgfind.c \
lgfips.c \
lginit.c \
lgutil.c \
lowcert.c \
lowkey.c \
pcertdb.c \
pk11db.c \
+ fips.c \
$(NULL)
diff -r 3a9a84eee4a2 lib/softoken/manifest.mn
--- a/lib/softoken/manifest.mn Wed Nov 20 08:25:39 2019 +0100
+++ b/lib/softoken/manifest.mn Fri May 29 09:13:35 2020 +0200
@@ -29,6 +29,7 @@
diff --git a/lib/softoken/manifest.mn b/lib/softoken/manifest.mn
--- a/lib/softoken/manifest.mn
+++ b/lib/softoken/manifest.mn
@@ -26,16 +26,17 @@ EXPORTS = \
PRIVATE_EXPORTS = \
pkcs11ni.h \
softoken.h \
softoknt.h \
softkver.h \
sdb.h \
sftkdbt.h \
@ -1440,7 +1734,17 @@ diff -r 3a9a84eee4a2 lib/softoken/manifest.mn
$(NULL)
CSRCS = \
@@ -52,6 +53,7 @@
fipsaudt.c \
fipstest.c \
fipstokn.c \
kbkdf.c \
lowkey.c \
@@ -50,16 +51,17 @@ CSRCS = \
sftkhmac.c \
sftkike.c \
sftkmessage.c \
sftkpars.c \
sftkpwd.c \
softkver.c \
tlsprf.c \
jpakesftk.c \
@ -1448,3 +1752,8 @@ diff -r 3a9a84eee4a2 lib/softoken/manifest.mn
$(NULL)
ifndef NSS_DISABLE_DBM
PRIVATE_EXPORTS += lgglue.h
CSRCS += lgglue.c
endif
ifdef SQLITE_UNSAFE_THREADS

86
nss-freebl-fix-aarch64.patch
View File

@ -1,86 +0,0 @@
diff --git a/lib/freebl/Makefile b/lib/freebl/Makefile
--- a/lib/freebl/Makefile
+++ b/lib/freebl/Makefile
@@ -114,31 +114,47 @@ ifeq (,$(filter-out i386 x386 x86 x86_64
$(OBJDIR)/gcm-x86.o: CFLAGS += -mpclmul -maes
$(OBJDIR)/aes-x86.o: CFLAGS += -mpclmul -maes
ifneq (,$(USE_64)$(USE_X32))
DEFINES += -DNSS_X64
else
DEFINES += -DNSS_X86
endif
endif
-ifdef NS_USE_GCC
ifeq ($(CPU_ARCH),aarch64)
- DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
- EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha1-armv8.c sha256-armv8.c
-endif
+ ifdef CC_IS_CLANG
+ DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+ EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha1-armv8.c sha256-armv8.c
+ else ifeq (1,$(CC_IS_GCC))
+ # GCC versions older than 4.9 don't support ARM AES. The check
+ # is done in two parts, first allows "major.minor" == "4.9",
+ # and then rejects any major versions prior to 5. Note that
+ # there has been no GCC 4.10, as it was renamed to GCC 5.
+ ifneq (,$(filter 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
+ DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+ EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha1-armv8.c sha256-armv8.c
+ endif
+ ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
+ DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+ EXTRA_SRCS += aes-armv8.c gcm-aarch64.c sha1-armv8.c sha256-armv8.c
+ endif
+ endif
endif
ifeq ($(CPU_ARCH),arm)
ifndef NSS_DISABLE_ARM32_NEON
EXTRA_SRCS += gcm-arm32-neon.c
endif
ifdef CC_IS_CLANG
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
else ifeq (1,$(CC_IS_GCC))
- # Old compiler doesn't support ARM AES.
+ # GCC versions older than 4.9 don't support ARM AES. The check
+ # is done in two parts, first allows "major.minor" == "4.9",
+ # and then rejects any major versions prior to 5. Note that
+ # there has been no GCC 4.10, as it was renamed to GCC 5.
ifneq (,$(filter 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
endif
ifeq (,$(filter 0 1 2 3 4,$(word 1,$(GCC_VERSION))))
DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
EXTRA_SRCS += aes-armv8.c sha1-armv8.c sha256-armv8.c
endif
@@ -723,24 +739,22 @@ USES_SOFTFLOAT_ABI := $(shell $(CC) -o -
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
$(OBJDIR)/$(PROG_PREFIX)sha1-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
$(OBJDIR)/$(PROG_PREFIX)sha256-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a -mfpu=crypto-neon-fp-armv8$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
ifndef NSS_DISABLE_ARM32_NEON
$(OBJDIR)/$(PROG_PREFIX)gcm-arm32-neon$(OBJ_SUFFIX): CFLAGS += -mfpu=neon$(if $(USES_SOFTFLOAT_ABI), -mfloat-abi=softfp)
endif
endif
-ifdef NS_USE_GCC
ifeq ($(CPU_ARCH),aarch64)
$(OBJDIR)/$(PROG_PREFIX)aes-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)gcm-aarch64$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)sha1-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
$(OBJDIR)/$(PROG_PREFIX)sha256-armv8$(OBJ_SUFFIX): CFLAGS += -march=armv8-a+crypto
endif
-endif
ifeq ($(CPU_ARCH),ppc)
ifndef NSS_DISABLE_ALTIVEC
$(OBJDIR)/$(PROG_PREFIX)gcm-ppc$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx
$(OBJDIR)/$(PROG_PREFIX)gcm$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx
$(OBJDIR)/$(PROG_PREFIX)rijndael$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx
$(OBJDIR)/$(PROG_PREFIX)sha512$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx \
-funroll-loops -fpeel-loops

20
nss-opt.patch
View File

@ -1,19 +1,8 @@
# HG changeset patch
# Parent 33317adf00d6bc6c3e3499e4b32fca6b899c4b77
Index: security/coreconf/Linux.mk
===================================================================
RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
retrieving revision 1.45.2.1
diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
index 956f0e4..b3a352a 100644
--- a/coreconf/Linux.mk
+++ b/coreconf/Linux.mk
@@ -102,21 +102,17 @@ endif
endif
ifneq ($(OS_TARGET),Android)
LIBC_TAG = _glibc
@@ -108,11 +108,7 @@ LIBC_TAG = _glibc
endif
ifdef BUILD_OPT
@ -26,8 +15,3 @@ diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
ifdef MOZ_DEBUG_SYMBOLS
ifdef MOZ_DEBUG_FLAGS
OPTIMIZER += $(MOZ_DEBUG_FLAGS)
else
OPTIMIZER += -gdwarf-2
endif
endif
endif