import nss-3.101.0-10.el9_2

i9c changed/i9c/nss-3.101.0-10.el9_2
MSVSphere Packaging Team 1 day ago
parent b979e5f1cc
commit 38527bff69
Signed by: sys_gitsync
GPG Key ID: B2B0B9F29E528FE8

@ -20,6 +20,7 @@ typedef enum {
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
} SFTKFIPSSpecialClass; } SFTKFIPSSpecialClass;
/* set according to your security policy */ /* set according to your security policy */
@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
#define AES_FB_KEY 128, 256 #define AES_FB_KEY 128, 256
#define AES_FB_STEP 64 #define AES_FB_STEP 64
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
/* -------------- RSA Multipart Signing Operations -------------------- */ /* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },

@ -0,0 +1,20 @@
diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
+++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
}
return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
+ case SFTKFIPSRSAOAEP:;
+ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
+ mech->pParameter;
+
+ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
+ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
+ /* message hash and mask generation function must be the same */
+ if (hash_pad != hash_msg) return PR_FALSE;
+
+ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
default:
break;
}

@ -0,0 +1,12 @@
diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
+++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
* key length is CKA_VALUE, which is the default */
keyType = CKK_INVALID_KEY_TYPE;
}
- if (keyType == CKK_EC) {
+ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
SECOidTag curve = sftk_quickGetECCCurveOid(source);
switch (curve) {
case SEC_OID_CURVE25519:

@ -0,0 +1,12 @@
diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700
+++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700
@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
} else {
/* NON FIPS mode == C_GetFunctionList */
pC_GetFunctionList = (CK_C_GetFunctionList)
- PR_FindFunctionSymbol(lib, "C_GetFunctionList");
+ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
}
assert(pC_GetFunctionList != NULL);
if (!pC_GetFunctionList) {

@ -21,7 +21,6 @@ Options:
Dynamic Libraries: Dynamic Libraries:
softokn3 - Requires full dynamic linking softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check) freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked Dymamically linked
EOF EOF
exit $1 exit $1

@ -7,5 +7,5 @@ Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION% Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 Libs: -L${libdir} -lfreebl3 -lsoftokn3
Cflags: -I${includedir} Cflags: -I${includedir}

@ -1,6 +1,6 @@
%global nss_version 3.101.0 %global nss_version 3.101.0
%global nspr_version 4.35.0 %global nspr_version 4.35.0
%global baserelease 7 %global baserelease 10
%global nss_release %baserelease %global nss_release %baserelease
# NOTE: To avoid NVR clashes of nspr* packages: # NOTE: To avoid NVR clashes of nspr* packages:
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
@ -199,6 +199,9 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100 # https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch Patch86: nss-3.101-long-pwd-fix.patch
Patch87: nss-3.101-fix-shlibsign-fips.patch
Patch88: nss-3.101-fips-check-ec25519-size.patch
Patch89: nss-3.101-allow-fips-rsa-oaep.patch
Patch100: nspr-config-pc.patch Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch Patch101: nspr-gcc-atomics.patch
@ -1200,6 +1203,17 @@ update-crypto-policies &> /dev/null || :
%changelog %changelog
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-10
- Allow RSA-OAEP in FIPS mode
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
- Add SEC_OID_CURVE25519 to FIPS checks.
- This will mark algorithms using it as FIPS unapproved.
* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
- fix shlibsign in FIPS mode
- remove dbm from pkgconfig
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7 * Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage - fix cms abi breakage
- fix long password issue on pbmac encodings - fix long password issue on pbmac encodings

Loading…
Cancel
Save