rpm/mozilla-nss
SHA256
1
0
Fork 0
forked from pool/mozilla-nss
Code Pull Requests Activity

Accepting request 1198722 from mozilla:Factory

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1198722
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=221
This commit is contained in:
Ana Guerrero 2024-09-05 13:46:20 +00:00 committed by Git OBS Bridge
commit 907ca87dbe
11 changed files with 309 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
mozilla-nss.changes
View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Aug 13 07:08:55 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.103
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
* bmo#1899542: Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
* bmo#1903783: Adjust libFuzzer size limits
* bmo#1899542: Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542: Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).
-------------------------------------------------------------------
Fri Aug 2 08:04:51 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>

18
mozilla-nss.spec
View File

@ -17,15 +17,15 @@
#
%global nss_softokn_fips_version 3.102.1
%global nss_softokn_fips_version 3.103
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
%global crypto_policies_version 20210218
Name: mozilla-nss
Version: 3.102.1
Version: 3.103
Release: 0
%define underscore_version 3_102_1
%define underscore_version 3_103
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@ -83,6 +83,7 @@ Patch49: nss-allow-slow-tests-s390x.patch
Patch50: nss-fips-bsc1223724.patch
Patch51: nss-fips-aes-gcm-restrict.patch
Patch52: nss-fips-safe-memset.patch
Patch53: nss-reproducible-builds.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@ -253,6 +254,7 @@ cd nss
# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
%patch -P 52 -p1
%endif
%patch -P 53 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
@ -459,15 +461,15 @@ install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
# create shlib sigs after extracting debuginfo
# create shlib sigs after extracting debuginfo with a hard-coded key to produce reproducible checksums, using the same key that openssl uses.
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%__os_install_post \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreebl3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreebl3.so \
LD_LIBRARY_PATH=:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -K f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 -i %{buildroot}/%{_libdir}/libfreeblpriv3.so \
%{nil}
%post -p /sbin/ldconfig

3
nss-3.102.1.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:54982d3587e41579c94f2036ba084438b073f8456bbd873b7a942c057e9737cc
size 76460182

3
nss-3.103.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7b4ab657f772dc7520c46e8d481940b292dcfc6a4c90150a7c26672384cee962
size 76470174

2
nss-fips-aes-gcm-restrict.patch
View File

@ -2,7 +2,7 @@ Index: nss/lib/softoken/sftkmessage.c
===================================================================
--- nss.orig/lib/softoken/sftkmessage.c
+++ nss/lib/softoken/sftkmessage.c
@@ -151,6 +151,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
@@ -183,6 +183,37 @@ sftk_CryptMessage(CK_SESSION_HANDLE hSes
if (crv != CKR_OK)
return crv;

57
nss-fips-approved-crypto-non-ec.patch
View File

@ -349,9 +349,9 @@ Index: nss/lib/freebl/rawhash.c
#include "secerr.h"
+#include "fips.h"
static void *
null_hash_new_context(void)
@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[]
#define RawHashBase(ctxtype, mmm) \
static void * \
@@ -236,7 +237,11 @@ const SECHashObject SECRawHashObjects[]
const SECHashObject *
HASH_GetRawHashObject(HASH_HashType hashType)
{
@ -368,7 +368,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -452,7 +452,7 @@ sftk_InitGeneric(SFTKSession *session, C
@@ -538,7 +538,7 @@ sftk_InitGeneric(SFTKSession *session, C
context->blockSize = 0;
context->maxLen = 0;
context->isFIPS = sftk_operationIsFIPS(session->slot, pMechanism,
@ -377,7 +377,7 @@ Index: nss/lib/softoken/pkcs11c.c
*contextPtr = context;
return CKR_OK;
}
@@ -4877,6 +4877,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4989,6 +4989,10 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
goto loser;
}
@ -388,7 +388,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* handle the base object stuff
*/
@@ -4891,6 +4895,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -5003,6 +5007,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK) {
*phKey = key->handle;
}
@ -396,7 +396,7 @@ Index: nss/lib/softoken/pkcs11c.c
loser:
PORT_Memset(buf, 0, sizeof buf);
sftk_FreeObject(key);
@@ -5318,7 +5323,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5432,7 +5437,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
CK_OBJECT_CLASS privClass = CKO_PRIVATE_KEY;
int i;
SFTKSlot *slot = sftk_SlotFromSessionHandle(hSession);
@ -405,7 +405,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* RSA */
int public_modulus_bits = 0;
@@ -5921,11 +5926,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6036,11 +6041,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -418,7 +418,7 @@ Index: nss/lib/softoken/pkcs11c.c
return crv;
}
if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
@@ -5969,13 +5974,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6084,13 +6089,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@ -438,7 +438,7 @@ Index: nss/lib/softoken/pkcs11c.c
return CKR_OK;
}
@@ -7167,6 +7178,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7282,6 +7293,14 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
return CKR_TEMPLATE_INCONSISTENT;
}
@ -453,7 +453,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* sourceKey is NULL if we are called from the POST, skip the
* sensitiveCheck */
if (sourceKey != NULL) {
@@ -7215,7 +7234,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7330,7 +7349,8 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
mech.pParameter = params;
mech.ulParameterLen = sizeof(*params);
key->isFIPS = sftk_operationIsFIPS(saltKey->slot, &mech,
@ -463,7 +463,7 @@ Index: nss/lib/softoken/pkcs11c.c
}
saltKey_att = sftk_FindAttribute(saltKey, CKA_VALUE);
if (saltKey_att == NULL) {
@@ -7257,7 +7277,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
@@ -7372,7 +7392,7 @@ sftk_HKDF(CK_HKDF_PARAMS_PTR params, CK_
/* HKDF-Expand */
if (!params->bExpand) {
okm = prk;
@ -472,7 +472,7 @@ Index: nss/lib/softoken/pkcs11c.c
} else {
/* T(1) = HMAC-Hash(prk, "" | info | 0x01)
* T(n) = HMAC-Hash(prk, T(n-1) | info | n
@@ -7480,7 +7500,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7595,7 +7615,8 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
return CKR_KEY_HANDLE_INVALID;
}
}
@ -482,7 +482,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (mechanism) {
/* get a public key from a private key. nsslowkey_ConvertToPublickey()
@@ -7681,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7796,7 +7817,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();
@ -491,7 +491,7 @@ Index: nss/lib/softoken/pkcs11c.c
PORT_Memset(crsrdata, 0, sizeof crsrdata);
crv = CKR_HOST_MEMORY;
break;
@@ -8070,6 +8091,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -8185,6 +8206,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
PORT_Assert(i <= sizeof key_block);
}
@ -820,7 +820,7 @@ Index: nss/lib/softoken/pkcs11u.c
===================================================================
--- nss.orig/lib/softoken/pkcs11u.c
+++ nss/lib/softoken/pkcs11u.c
@@ -2248,6 +2248,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
@@ -2251,6 +2251,12 @@ sftk_AttributeToFlags(CK_ATTRIBUTE_TYPE
case CKA_NSS_MESSAGE | CKA_VERIFY:
flags = CKF_MESSAGE_VERIFY;
break;
@ -833,7 +833,7 @@ Index: nss/lib/softoken/pkcs11u.c
default:
break;
}
@@ -2324,7 +2330,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
@@ -2327,7 +2333,7 @@ sftk_quickGetECCCurveOid(SFTKObject *sou
static int
sftk_getKeyLength(SFTKObject *source)
{
@ -842,7 +842,16 @@ Index: nss/lib/softoken/pkcs11u.c
CK_ATTRIBUTE_TYPE keyAttribute;
CK_ULONG keyLength = 0;
SFTKAttribute *attribute;
@@ -2386,14 +2392,55 @@ sftk_getKeyLength(SFTKObject *source)
@@ -2347,7 +2353,7 @@ sftk_getKeyLength(SFTKObject *source)
* key length is CKA_VALUE, which is the default */
keyType = CKK_INVALID_KEY_TYPE;
}
- if (keyType == CKK_EC) {
+ if (keyType == CKK_EC || keyType == CKK_EC_MONTGOMERY) {
SECOidTag curve = sftk_quickGetECCCurveOid(source);
switch (curve) {
case SEC_OID_CURVE25519:
@@ -2389,14 +2395,55 @@ sftk_getKeyLength(SFTKObject *source)
return keyLength;
}
@ -899,7 +908,7 @@ Index: nss/lib/softoken/pkcs11u.c
switch (mechInfo->special) {
case SFTKFIPSDH: {
SECItem dhPrime;
@@ -2409,10 +2456,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2412,10 +2459,27 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
case SFTKFIPSNone:
return PR_FALSE;
@ -929,7 +938,7 @@ Index: nss/lib/softoken/pkcs11u.c
case SFTKFIPSAEAD: {
if (mech->ulParameterLen == 0) {
/* AEAD ciphers are only in FIPS mode if we are using the
@@ -2440,11 +2504,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2443,11 +2507,44 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
if (hashObj == NULL) {
return PR_FALSE;
}
@ -974,7 +983,7 @@ Index: nss/lib/softoken/pkcs11u.c
default:
break;
}
@@ -2455,7 +2552,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
@@ -2458,7 +2555,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
PRBool
sftk_operationIsFIPS(SFTKSlot *slot, CK_MECHANISM *mech, CK_ATTRIBUTE_TYPE op,
@ -983,7 +992,7 @@ Index: nss/lib/softoken/pkcs11u.c
{
#ifndef NSS_HAS_FIPS_INDICATORS
return PR_FALSE;
@@ -2468,18 +2565,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2471,18 +2568,35 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
if (!sftk_isFIPS(slot->slotID)) {
return PR_FALSE;
}
@ -1023,7 +1032,7 @@ Index: nss/lib/softoken/pkcs11u.c
keyLength = sftk_getKeyLength(source);
/* check against our algorithm array */
@@ -2487,13 +2601,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
@@ -2490,13 +2604,15 @@ sftk_operationIsFIPS(SFTKSlot *slot, CK_
SFTKFIPSAlgorithmList *mechs = &sftk_fips_mechs[i];
/* if we match the number of records exactly, then we are an
* approved algorithm in the approved mode with an approved key */
@ -1061,7 +1070,7 @@ Index: nss/lib/softoken/pkcs11.c
===================================================================
--- nss.orig/lib/softoken/pkcs11.c
+++ nss/lib/softoken/pkcs11.c
@@ -573,17 +573,17 @@ static const struct mechanismList mechan
@@ -574,17 +574,17 @@ static const struct mechanismList mechan
{ CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,

12
nss-fips-combined-hash-sign-dsa-ecdsa.patch
View File

@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -2744,6 +2744,38 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
@@ -2848,6 +2848,38 @@ nsc_EDDSASignStub(void *ctx, unsigned ch
return rv;
}
@ -107,8 +107,8 @@ Index: nss/lib/softoken/pkcs11c.c
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
info->hashOid = SEC_OID_##mmm; \
@@ -3755,6 +3787,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
info->hashOid = SEC_OID_##mmm; \
goto finish_rsa;
+#define INIT_DSA_VFY_MECH(mmm) \
@ -130,7 +130,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (pMechanism->mechanism) {
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
@@ -4905,6 +4953,73 @@ loser:
@@ -5017,6 +5065,73 @@ loser:
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
@ -204,7 +204,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
@@ -4958,8 +5073,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5071,8 +5186,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* Variables used for Signature/Verification functions. */
/* Must be at least 256 bits for DSA2 digest */
@ -213,7 +213,7 @@ Index: nss/lib/softoken/pkcs11c.c
CK_ULONG signature_length;
if (keyType == CKK_RSA) {
@@ -5113,80 +5226,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5226,80 +5339,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}

16
nss-fips-constructor-self-tests.patch
View File

@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
/*********************************************************************/
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl
*/
extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
@@ -1944,6 +1944,9 @@ extern SECStatus ED_DerivePublicKey(cons
extern SECStatus X25519_DerivePublicKey(SECItem *privateKey, SECItem *publicKey);
+/* Unconditionally run the integrity check. */
+extern void BL_FIPSRepeatIntegrityCheck(void);
@ -910,7 +910,7 @@ Index: nss/lib/freebl/loader.h
/* Version 3.013 came to here */
@@ -927,6 +927,9 @@ struct FREEBLVectorStr {
@@ -930,6 +930,9 @@ struct FREEBLVectorStr {
/* Add new function pointers at the end of this struct and bump
* FREEBL_VERSION at the beginning of this file. */
@ -1541,10 +1541,10 @@ Index: nss/lib/freebl/ldvector.c
===================================================================
--- nss.orig/lib/freebl/ldvector.c
+++ nss/lib/freebl/ldvector.c
@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect
ED_VerifyMessage,
ED_DerivePublicKey,
/* End of version 3.028 */
@@ -446,6 +446,9 @@ static const struct FREEBLVectorStr vect
X25519_DerivePublicKey,
/* End of version 3.029 */
+
+ /* SUSE patch: Goes last */
+ BL_FIPSRepeatIntegrityCheck

4
nss-fips-pairwise-consistency-check.patch
View File

@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4897,8 +4897,8 @@ loser:
@@ -5009,8 +5009,8 @@ loser:
return crv;
}
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
@@ -5960,6 +5960,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -6075,6 +6075,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
}

4
nss-fips-pct-pubkeys.patch
View File

@ -5,7 +5,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -5020,6 +5020,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
@@ -5132,6 +5132,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
return crv;
}
@ -94,7 +94,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
@@ -5370,6 +5452,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5484,6 +5566,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}

229
nss-reproducible-builds.patch Normal file
View File

@ -0,0 +1,229 @@
commit cef712e9a49502e669535675c9900b61751ac02b
Author: Martin Sirringhaus <martin.sirringhaus@suse.com>
Date: Mon Jul 29 23:22:41 2024 +0000
Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=nss-reviewers,rrelyea)
Differential Revision: https://phabricator.services.mozilla.com/D217282
Index: nss/cmd/shlibsign/Makefile
===================================================================
--- nss.orig/cmd/shlibsign/Makefile
+++ nss/cmd/shlibsign/Makefile
@@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
- $(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
- -L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
- -lnspr4 \
- $(NULL)
-
-endif
-
+include ../platlibs.mk
# sign any and all shared libraries that contain the word freebl
ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
Index: nss/cmd/shlibsign/shlibsign.c
===================================================================
--- nss.orig/cmd/shlibsign/shlibsign.c
+++ nss/cmd/shlibsign/shlibsign.c
@@ -55,6 +55,10 @@
/* nss headers for definition of HASH_HashType */
#include "hasht.h"
+#include "basicutil.h"
+#include "secitem.h"
+
+
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
static PRBool verbose = PR_FALSE;
@@ -111,7 +115,7 @@ usage(const char *program_name)
PR_fprintf(debug_out,
"Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
" [-F] [-p pwd] -[P dbprefix ] [-t hash]"
- " [-D] [-k keysize] [-c]"
+ " [-D] [-k keysize] [-c] [-K key]"
"-i shared_library_name\n",
program_name);
PR_fprintf(debug_out, "Valid Hashes: ");
@@ -136,6 +140,7 @@ long_usage(const char *program_name)
PR_fprintf(debug_out, "\t-t <hash> Hash for HMAC/or DSA\n");
PR_fprintf(debug_out, "\t-D Sign with DSA rather than HMAC\n");
PR_fprintf(debug_out, "\t-k <keysize> size of the DSA key\n");
+ PR_fprintf(debug_out, "\t-K <key> key-material to use for hmac (hex-string, without leading 0x)\n");
PR_fprintf(debug_out, "\t-c Use compatible versions for old NSS\n");
PR_fprintf(debug_out, "\t-P <prefix> database prefix\n");
PR_fprintf(debug_out, "\t-f <file> password File : echo pw > file \n");
@@ -1069,7 +1074,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
CK_RV
shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
- CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd,
+ CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd,
PRFileDesc *ofd, const HashTable *hash)
{
CK_MECHANISM hmacMech = { 0, NULL, 0 };
@@ -1100,40 +1105,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunc
"Internal error:Could find sha256 entry in table.\n");
}
- hmacKeyTemplate[0].type = CKA_TOKEN;
- hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
- hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[1].type = CKA_PRIVATE;
- hmacKeyTemplate[1].pValue = &cktrue;
- hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[2].type = CKA_SENSITIVE;
- hmacKeyTemplate[2].pValue = &ckfalse;
- hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[3].type = CKA_SIGN;
- hmacKeyTemplate[3].pValue = &cktrue;
- hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
- hmacKeyTemplate[4].pValue = &ckfalse;
- hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[5].type = CKA_VALUE_LEN;
- hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
- hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
- hmacKeyTemplate[6].type = CKA_KEY_TYPE;
- hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
- hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
- hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
- hmacMech.mechanism = hash->hmac;
+ if (key == NULL) {
+ hmacKeyTemplate[0].type = CKA_TOKEN;
+ hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
+ hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[1].type = CKA_PRIVATE;
+ hmacKeyTemplate[1].pValue = &cktrue;
+ hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[2].type = CKA_SENSITIVE;
+ hmacKeyTemplate[2].pValue = &ckfalse;
+ hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[3].type = CKA_SIGN;
+ hmacKeyTemplate[3].pValue = &cktrue;
+ hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
+ hmacKeyTemplate[4].pValue = &ckfalse;
+ hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[5].type = CKA_VALUE_LEN;
+ hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
+ hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
+ hmacKeyTemplate[6].type = CKA_KEY_TYPE;
+ hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
+ hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
+ hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
+
+ /* Generate a DSA key pair */
+ logIt("Generate an HMAC key ... \n");
+ crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
+ hmacKeyTemplate,
+ PR_ARRAY_SIZE(hmacKeyTemplate),
+ &hHMACKey);
+ } else {
+ SECItem keyitem = { 0 };
+ if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) {
+ pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv);
+ return crv;
+ }
+
+ CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY;
+ CK_ATTRIBUTE hmacKeyObject[] = {
+ {
+ .type = CKA_CLASS,
+ .pValue = &secret_key_obj_class,
+ .ulValueLen = sizeof(CK_OBJECT_CLASS),
+ },
+ {
+ .type = CKA_KEY_TYPE,
+ .pValue = (void *)&hash->keyType,
+ .ulValueLen = sizeof(hash->keyType),
+ },
+ {
+ .type = CKA_VALUE,
+ .pValue = keyitem.data,
+ .ulValueLen = keyitem.len,
+ },
+ {
+ .type = CKA_SIGN,
+ .pValue = &cktrue,
+ .ulValueLen = sizeof(cktrue),
+ },
+ };
+ logIt("Using static HMAC key ... \n");
+ crv = pFunctionList->C_CreateObject(hRwSession,
+ hmacKeyObject,
+ PR_ARRAY_SIZE(hmacKeyObject),
+ &hHMACKey);
+ }
- /* Generate a DSA key pair */
- logIt("Generate an HMAC key ... \n");
- crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
- hmacKeyTemplate,
- PR_ARRAY_SIZE(hmacKeyTemplate),
- &hHMACKey);
if (crv != CKR_OK) {
pk11error("HMAC key generation failed", crv);
return crv;
}
+ hmacMech.mechanism = hash->hmac;
/* compute the digest */
memset(sign, 0, sizeof(sign));
@@ -1258,6 +1301,7 @@ main(int argc, char **argv)
static PRBool useDSA = PR_FALSE;
PRBool successful = PR_FALSE;
const HashTable *hash = NULL;
+ char *key = NULL;
#ifdef USES_LINKS
int ret;
@@ -1281,7 +1325,7 @@ main(int argc, char **argv)
program_name = strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
- optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc");
+ optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc");
if (optstate == NULL) {
lperror("PL_CreateOptState failed");
return 1;
@@ -1331,6 +1375,14 @@ main(int argc, char **argv)
keySize = atoi(optstate->value);
break;
+ case 'K':
+ if (!optstate->value) {
+ PL_DestroyOptState(optstate);
+ usage(program_name);
+ }
+ key = PL_strdup(optstate->value);
+ break;
+
case 'f':
if (!optstate->value) {
PL_DestroyOptState(optstate);
@@ -1569,7 +1621,7 @@ main(int argc, char **argv)
keySize, ifd, ofd, hash);
} else {
crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession,
- keySize, ifd, ofd, hash);
+ keySize, key, ifd, ofd, hash);
}
if (crv == CKR_INTERNAL_OUT_FAILURE) {
lperror(output_file);