From 63548643a100333c2f0852ffd05cbb4372967114 Mon Sep 17 00:00:00 2001 From: Renbo Date: Tue, 24 Dec 2024 10:27:19 +0800 Subject: [PATCH 1/3] [BA] update to nss-3.101.0-11.src.rpm to #IBDA2O update to nss-3.101.0-11.src.rpm Signed-off-by: Renbo --- fips_algorithms.h | 2 + nss-3.101-allow-fips-rsa-oaep.patch | 20 ++++++++++ nss-3.101-fips-check-ec25519-size.patch | 12 ++++++ nss-3.101-fix-shlibsign-fips.patch | 12 ++++++ nss-3.90-ppc_no_init.patch | 29 ++++++++++++++ nss-add-sw.patch | 50 ------------------------- nss.spec | 26 +++++++++---- 7 files changed, 93 insertions(+), 58 deletions(-) create mode 100644 nss-3.101-allow-fips-rsa-oaep.patch create mode 100644 nss-3.101-fips-check-ec25519-size.patch create mode 100644 nss-3.101-fix-shlibsign-fips.patch delete mode 100644 nss-add-sw.patch diff --git a/fips_algorithms.h b/fips_algorithms.h index 30f8688..8fc6ad7 100644 --- a/fips_algorithms.h +++ b/fips_algorithms.h @@ -20,6 +20,7 @@ typedef enum { SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ + SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */ } SFTKFIPSSpecialClass; /* set according to your security policy */ @@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define AES_FB_KEY 128, 256 #define AES_FB_STEP 64 { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP }, /* -------------- RSA Multipart Signing Operations -------------------- */ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, diff --git a/nss-3.101-allow-fips-rsa-oaep.patch b/nss-3.101-allow-fips-rsa-oaep.patch new file mode 100644 index 0000000..151643e --- /dev/null +++ b/nss-3.101-allow-fips-rsa-oaep.patch 
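Review bot: Nothing in fips_algorithms.h records that the new `SFTKFIPSRSAOAEP` class, and the `CKM_RSA_PKCS_OAEP` row added in the second hunk, depend on the `case SFTKFIPSRSAOAEP` handler that nss-3.101-allow-fips-rsa-oaep.patch adds to sftk_handleSpecial. If the header is copied into softoken without that patch applied, the row would reach the `default: break;` arm shown in the patch, and what that arm returns is not visible on this page. I would extend the enum comment to name the handler, e.g. `/* OAEP hash and MGF hash must match and be FIPS approved; checked in sftk_handleSpecial() */`.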
@@ -0,0 +1,20 @@
+diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
++++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
+@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ }
+ }
+ return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
++ case SFTKFIPSRSAOAEP:;
++ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
++ mech->pParameter;
++
++ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
++ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
++ /* message hash and mask generation function must be the same */
++ if (hash_pad != hash_msg) return PR_FALSE;
++
++ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
+ default:
+ break;
+ }
diff --git a/nss-3.101-fips-check-ec25519-size.patch b/nss-3.101-fips-check-ec25519-size.patch
new file mode 100644
index 0000000..e9957f8
--- /dev/null
+++ b/nss-3.101-fips-check-ec25519-size.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+ * key length is CKA_VALUE, which is the default */
+ keyType = CKK_INVALID_KEY_TYPE;
+ }
+- if (keyType == CKK_EC) {
++ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+ SECOidTag curve = sftk_quickGetECCCurveOid(source);
+ switch (curve) {
+ case SEC_OID_CURVE25519:
diff --git a/nss-3.101-fix-shlibsign-fips.patch b/nss-3.101-fix-shlibsign-fips.patch
new file mode 100644
index 0000000..70e83f5
--- /dev/null
+++ b/nss-3.101-fix-shlibsign-fips.patch
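Review bot: In the `case SFTKFIPSRSAOAEP` arm added to sftk_handleSpecial, `mech->pParameter` is cast to `CK_RSA_PKCS_OAEP_PARAMS *` and dereferenced with no check that it is non-NULL or that the parameter length matches the structure. The mechanism parameter is supplied by the PKCS #11 caller, so a missing or short parameter would be dereferenced before the FIPS decision is made, unless a check outside this hunk already rejects it. I would add `if (rsaoaep == NULL || mech->ulParameterLen != sizeof(*rsaoaep)) return PR_FALSE;` before the first `sftk_GetHashTypeFromMechanism` call. It is also worth confirming that this helper maps the MGF identifiers held in `rsaoaep->mgf` and not only hash mechanisms, since the equality test relies on it. sftk_handleSpecial starts and ends outside the hunk.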
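Review bot: The widened condition in sftk_getKeyLength sends `CKK_EC_EDWARDS` and `CKK_EC_MONTGOMERY` keys into the curve switch, but the only case visible in the hunk is `SEC_OID_CURVE25519`. If the switch has no case for the curve OID that an Edwards key carries, those keys take whatever the default path returns, which may not be the length the FIPS table is compared against; the rest of the switch is outside the hunk, so this needs checking against the full function. A short comment above the condition would record the intent, e.g. `/* Edwards and Montgomery keys are sized by curve as well, so the FIPS key-length check sees them */`.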
@@ -0,0 +1,12 @@ +diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c +--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700 ++++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700 +@@ -1426,7 +1426,7 @@ main(int argc, char **argv) + } else { + /* NON FIPS mode == C_GetFunctionList */ + pC_GetFunctionList = (CK_C_GetFunctionList) +- PR_FindFunctionSymbol(lib, "C_GetFunctionList"); ++ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList"); + } + assert(pC_GetFunctionList != NULL); + if (!pC_GetFunctionList) { diff --git a/nss-3.90-ppc_no_init.patch b/nss-3.90-ppc_no_init.patch index 134955a..75ee08e 100644 --- a/nss-3.90-ppc_no_init.patch +++ b/nss-3.90-ppc_no_init.patch @@ -34,3 +34,32 @@ diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile ####################################################################### +diff -up ./lib/softoken/legacydb/Makefile.ppc_no_init ./lib/softoken/legacydb/Makefile +--- ./lib/softoken/legacydb/Makefile.ppc_no_init 2024-11-12 11:51:16.535343581 +0100 ++++ ./lib/softoken/legacydb/Makefile 2024-11-12 12:09:58.968187800 +0100 +@@ -23,16 +23,17 @@ include $(CORE_DEPTH)/coreconf/config.mk + ifdef NSS_NO_INIT_SUPPORT + DEFINES += -DNSS_NO_INIT_SUPPORT + endif +-ifeq ($(OS_TARGET),Linux) +-ifeq ($(CPU_ARCH),ppc) +-ifdef USE_64 +- DEFINES += -DNSS_NO_INIT_SUPPORT +-endif # USE_64 +-endif # ppc +-else # !Linux ++#ifeq ($(OS_TARGET),Linux) ++#ifeq ($(CPU_ARCH),ppc) ++#ifdef USE_64 ++# DEFINES += -DNSS_NO_INIT_SUPPORT ++#endif # USE_64 ++#endif # ppc ++#else # !Linux ++ifneq ($(OS_TARGET),Linux) + # turn off no init support everywhere for now + DEFINES += -DNSS_NO_INIT_SUPPORT +-endif # Linux ++endif # !Linux + + ####################################################################### + # (4) Include "local" platform-dependent assignments (OPTIONAL). # diff --git a/nss-add-sw.patch b/nss-add-sw.patch deleted file mode 100644 index 45dda38..0000000 
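Review bot: The comment `/* NON FIPS mode == C_GetFunctionList */` directly above the changed lookup in shlibsign's main() is now wrong, because that branch resolves `NSC_GetFunctionList`. It should be updated to something like `/* NON FIPS mode == NSC_GetFunctionList; C_GetFunctionList may return the FIPS table when the system is in FIPS mode */`, with the second half confirmed against softoken, since that reason is inferred from the changelog entry and is not shown in the hunk. main() continues outside the hunk.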
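Review bot: The legacydb Makefile change keeps the old ppc64 conditional as seven commented-out lines instead of deleting it, which leaves dead build logic that has to be carried through every rebase of nss-3.90-ppc_no_init.patch. Removing the `#ifeq`/`#ifdef`/`#endif`/`#else` lines and keeping only the new `ifneq ($(OS_TARGET),Linux)` block gives the same build result. A one-line comment stating why Linux ppc64 no longer gets `-DNSS_NO_INIT_SUPPORT` for legacydb would record an intent that currently lives only in the spec changelog.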
--- a/nss-add-sw.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 43f5d373ecd297761a6c4b94ec0495266830f465 Mon Sep 17 00:00:00 2001 -From: wxiat -Date: Tue, 27 Jun 2023 16:43:45 +0800 -Subject: [PATCH] add sw - -Signed-off-by: wxiat ---- - coreconf/Linux.mk | 5 +++++ - lib/dbm/include/mcom_db.h | 2 +- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk -index 891086d..ee34ae3 100644 ---- a/coreconf/Linux.mk -+++ b/coreconf/Linux.mk -@@ -65,6 +65,10 @@ ifeq ($(OS_TEST),alpha) - OS_REL_CFLAGS = -D_ALPHA_ - CPU_ARCH = alpha - else -+ifeq ($(OS_TEST),sw_64) -+ OS_REL_CFLAGS = -D_SW_64_ -+ CPU_ARCH = sw_64 -+else - ifeq ($(OS_TEST),x86_64) - ifeq ($(USE_64),1) - CPU_ARCH = x86_64 -@@ -107,6 +111,7 @@ endif - endif - endif - endif -+endif - - - ifneq ($(OS_TARGET),Android) -diff --git a/lib/dbm/include/mcom_db.h b/lib/dbm/include/mcom_db.h -index e961dd1..e8cea2d 100644 ---- a/lib/dbm/include/mcom_db.h -+++ b/lib/dbm/include/mcom_db.h -@@ -126,7 +126,7 @@ typedef PRUint32 uint32; - #include - #endif - --#ifdef __alpha -+#if defined __alpha || defined __sw_64 - #ifndef WIN32 - #else - /* Alpha NT */ --- -2.31.1 - diff --git a/nss.spec b/nss.spec index 0d65d6b..a5f86d6 100644 --- a/nss.spec +++ b/nss.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %global nspr_build_version 4.35.0-1 %global nspr_release -1 %global nspr_version 4.35.0 @@ -12,7 +11,7 @@ # The timestamp of our downstream manual pages, e.g., nss-config.1 %global manual_date "Nov 13 2013" -%bcond_with tests +%bcond_without tests # Produce .chk files for the final stripped binaries # @@ -64,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 7%{anolis_release}%{?dist} +Release: 11%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} 
@@ -202,11 +201,13 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=676100 Patch85: nss-3.101-fix-cms-abi-break.patch Patch86: nss-3.101-long-pwd-fix.patch +Patch87: nss-3.101-fix-shlibsign-fips.patch +Patch88: nss-3.101-fips-check-ec25519-size.patch +Patch89: nss-3.101-allow-fips-rsa-oaep.patch #revert patches Patch300: nss-3.101-default-libpkix.patch -Patch1000: nss-add-sw.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -338,7 +339,6 @@ Header and library files for doing development with Network Security Services. pushd nss %autopatch -M 299 -p1 %patch -P 300 -p1 -R -%patch -P 1000 -p1 popd # copy the fips_algorithms.h for this release @@ -355,6 +355,7 @@ cp %{SOURCE30} nss/lib/softoken/ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; %build + export FREEBL_NO_DEPEND=1 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets @@ -1001,9 +1002,18 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog -* Wed Sep 18 2024 Zhao Hang - 3.101.0-7.0.1 -- disable unit test -- cherry-pick `add sw patch #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`. (nijie@wxiat.com) +* Tue Nov 12 2024 Frantisek Krenzelok - 3.101.0-11 +- don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-10 +- Allow RSA-OAEP in FIPS mode + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-9 +- Add SEC_OID_CURVE25519 to FIPS checks. +- This will mark algorithm using it as FIPS unapproved. + +* Mon Nov 4 2024 Bob Relyea - 3.101.0-8 +- fix shlibsign to work when the system is in FIPS mode. * Wed Sep 4 2024 Bob Relyea - 3.101.0-7 - fix cms abi breakage -- Gitee From 68b3f00066a7673634fa6c09fd932555228393b2 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Tue, 10 Oct 2023 10:54:50 +0800 Subject: [PATCH 2/3] disable unit test Signed-off-by: Zhao Hang --- nss.spec | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
diff --git a/nss.spec b/nss.spec index a5f86d6..d76297b 100644 --- a/nss.spec +++ b/nss.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %global nspr_build_version 4.35.0-1 %global nspr_release -1 %global nspr_version 4.35.0 @@ -11,7 +12,7 @@ # The timestamp of our downstream manual pages, e.g., nss-config.1 %global manual_date "Nov 13 2013" -%bcond_without tests +%bcond_with tests # Produce .chk files for the final stripped binaries # @@ -63,7 +64,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 11%{?dist} +Release: 11%{anolis_release}%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -1002,6 +1003,9 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Tue Dec 24 2024 Zhao Hang - 3.101.0-11.0.1 +- disable unit test + * Tue Nov 12 2024 Frantisek Krenzelok - 3.101.0-11 - don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems -- Gitee From f53394eb480dfb4576ba243832484ba7926c94e4 Mon Sep 17 00:00:00 2001 From: wxiat Date: Tue, 27 Jun 2023 16:47:34 +0800 Subject: [PATCH 3/3] cherry-pick `add sw patch #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`. Signed-off-by: wxiat Signed-off-by: Weisson --- nss-add-sw.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ nss.spec | 4 +++- 2 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 nss-add-sw.patch diff --git a/nss-add-sw.patch b/nss-add-sw.patch new file mode 100644 index 0000000..45dda38 --- /dev/null +++ b/nss-add-sw.patch 
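Review bot: The NSS test suite ends up disabled by default (`%bcond_with tests`) for a release that, in the first patch of this series, picks up three FIPS-related source patches (RSA-OAEP, Curve25519 key size, shlibsign). The commit message and changelog say only "disable unit test", so nothing records why the suite is off or when it can be turned back on. I would add a comment above the line, e.g. `# tests disabled downstream because <reason>; build with --with tests to run them`, and run the suite at least once against this release before shipping it.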
@@ -0,0 +1,50 @@ +From 43f5d373ecd297761a6c4b94ec0495266830f465 Mon Sep 17 00:00:00 2001 +From: wxiat +Date: Tue, 27 Jun 2023 16:43:45 +0800 +Subject: [PATCH] add sw + +Signed-off-by: wxiat +--- + coreconf/Linux.mk | 5 +++++ + lib/dbm/include/mcom_db.h | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk +index 891086d..ee34ae3 100644 +--- a/coreconf/Linux.mk ++++ b/coreconf/Linux.mk +@@ -65,6 +65,10 @@ ifeq ($(OS_TEST),alpha) + OS_REL_CFLAGS = -D_ALPHA_ + CPU_ARCH = alpha + else ++ifeq ($(OS_TEST),sw_64) ++ OS_REL_CFLAGS = -D_SW_64_ ++ CPU_ARCH = sw_64 ++else + ifeq ($(OS_TEST),x86_64) + ifeq ($(USE_64),1) + CPU_ARCH = x86_64 +@@ -107,6 +111,7 @@ endif + endif + endif + endif ++endif + + + ifneq ($(OS_TARGET),Android) +diff --git a/lib/dbm/include/mcom_db.h b/lib/dbm/include/mcom_db.h +index e961dd1..e8cea2d 100644 +--- a/lib/dbm/include/mcom_db.h ++++ b/lib/dbm/include/mcom_db.h +@@ -126,7 +126,7 @@ typedef PRUint32 uint32; + #include + #endif + +-#ifdef __alpha ++#if defined __alpha || defined __sw_64 + #ifndef WIN32 + #else + /* Alpha NT */ +-- +2.31.1 + diff --git a/nss.spec b/nss.spec index d76297b..c296ec8 100644 --- a/nss.spec +++ b/nss.spec @@ -209,6 +209,7 @@ Patch89: nss-3.101-allow-fips-rsa-oaep.patch #revert patches Patch300: nss-3.101-default-libpkix.patch +Patch1000: nss-add-sw.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -340,6 +341,7 @@ Header and library files for doing development with Network Security Services. pushd nss %autopatch -M 299 -p1 %patch -P 300 -p1 -R +%patch -P 1000 -p1 popd # copy the fips_algorithms.h for this release @@ -356,7 +358,6 @@ cp %{SOURCE30} nss/lib/softoken/ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; %build - export FREEBL_NO_DEPEND=1 # Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets 
@@ -1005,6 +1006,7 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog * Tue Dec 24 2024 Zhao Hang - 3.101.0-11.0.1 - disable unit test +- cherry-pick `add sw patch #ce8dbcf775a1bf3d6bd0d5de53d3688e7caa00db`. (nijie@wxiat.com) * Tue Nov 12 2024 Frantisek Krenzelok - 3.101.0-11 - don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems -- Gitee