diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h index af90b78..7c48656 100644 --- a/SOURCES/fips_algorithms.h +++ b/SOURCES/fips_algorithms.h @@ -20,6 +20,7 @@ typedef enum { SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ + SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */ } SFTKFIPSSpecialClass; /* set according to your security policy */ @@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define AES_FB_KEY 128, 256 #define AES_FB_STEP 64 { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP }, /* -------------- RSA Multipart Signing Operations -------------------- */ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, diff --git a/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch new file mode 100644 index 0000000..151643e --- /dev/null +++ b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch 
@@ -0,0 +1,20 @@
+diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
++++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
+@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
+ }
+ }
+ return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
++ case SFTKFIPSRSAOAEP:;
++ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
++ mech->pParameter;
++
++ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
++ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
++ /* message hash and mask generation function must be the same */
++ if (hash_pad != hash_msg) return PR_FALSE;
++
++ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
+ default:
+ break;
+ }
diff --git a/SOURCES/nss-3.101-fips-check-ec25519-size.patch b/SOURCES/nss-3.101-fips-check-ec25519-size.patch
new file mode 100644
index 0000000..e9957f8
--- /dev/null
+++ b/SOURCES/nss-3.101-fips-check-ec25519-size.patch
@@ -0,0 +1,12 @@
+diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
+--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
++++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
+@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
+ * key length is CKA_VALUE, which is the default */
+ keyType = CKK_INVALID_KEY_TYPE;
+ }
+- if (keyType == CKK_EC) {
++ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
+ SECOidTag curve = sftk_quickGetECCCurveOid(source);
+ switch (curve) {
+ case SEC_OID_CURVE25519:
diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in
index c7abe29..6ad7335 100644
--- a/SOURCES/nss-softokn-config.in
+++ b/SOURCES/nss-softokn-config.in
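Review bot: In the `SFTKFIPSRSAOAEP` case added to sftk_handleSpecial (nss-3.101-allow-fips-rsa-oaep.patch), `mech->pParameter` is cast and then dereferenced via `rsaoaep->hashAlg` and `rsaoaep->mgf`, with no check visible in the hunk that the pointer is non-NULL or that the parameter length matches the struct. The function starts and ends outside the hunk, so earlier validation cannot be ruled out; but if this FIPS-indicator path can run before the OAEP parameters are validated, a NULL or undersized caller-supplied parameter would crash the process or be read past its end. A guard ahead of the first dereference would report the operation as unapproved instead: `if (mech->pParameter == NULL || mech->ulParameterLen != sizeof(CK_RSA_PKCS_OAEP_PARAMS)) return PR_FALSE;`. Wrapping the case body in braces would also scope the three declarations more cleanly than the empty statement in `case SFTKFIPSRSAOAEP:;`.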
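Review bot: The widened condition in sftk_getKeyLength (nss-3.101-fips-check-ec25519-size.patch) sends CKK_EC_EDWARDS and CKK_EC_MONTGOMERY keys into a switch whose only visible arm is `case SEC_OID_CURVE25519:`; the rest of the switch is outside the hunk. Edwards keys presumably carry a different curve OID than the Montgomery one, so it is worth confirming that they reach an explicit case rather than whatever the default path computes, since per the changelog this length drives the FIPS approved/unapproved marking. A comment above the condition, for example `/* EC, Edwards and Montgomery keys all derive their length from the curve OID */`, would record the intent for the next maintainer of this downstream patch.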
@@ -21,7 +21,6 @@ Options: Dynamic Libraries: softokn3 - Requires full dynamic linking freebl3 - for internal use only (and glibc for self-integrity check) - nssdbm3 - for internal use only Dymamically linked EOF exit $1 diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in index 022ebbf..7487341 100644 --- a/SOURCES/nss-softokn.pc.in +++ b/SOURCES/nss-softokn.pc.in @@ -7,5 +7,5 @@ Name: NSS-SOFTOKN Description: Network Security Services Softoken PKCS #11 Module Version: %SOFTOKEN_VERSION% Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% -Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 +Libs: -L${libdir} -lfreebl3 -lsoftokn3 Cflags: -I${includedir} diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 3ed7ec4..09c8596 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -3,7 +3,7 @@ # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 9 +%global baserelease 13 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. @@ -191,11 +191,15 @@ Patch85: nss-3.101-fix-cms-abi-break.patch Patch86: nss-3.101-long-pwd-fix.patch Patch87: nss-3.101-fix-cavs-test.patch Patch88: nss-3.101-fix-shlibsign-fips.patch +Patch89: nss-3.101-fips-check-ec25519-size.patch # RHEL-10 specific Patch90: nss-3.101-disable_dsa.patch Patch91: nss-3.101-replace-xyber_with-mlkem.patch +# Allow rsa-oaep in fips mode +Patch95: nss-3.101-allow-fips-rsa-oaep.patch + # NSS reverse patches Patch300: nss-3.79-distrusted-certs.patch @@ -407,7 +411,7 @@ pushd nspr_build %ifarch i686 x86_64 sed -i '/^PR_MD_ASFILES/d' config/autoconf.mk %endif -make +%{make_build} date +"%e %B %Y" | tr -d '\n' > date.xml echo -n %{nspr_version} > version.xml 
@@ -503,8 +507,8 @@ export POLICY_FILE="nss.config" export POLICY_PATH="/etc/crypto-policies/back-ends" -%{__make} -C ./nss all -%{__make} -C ./nss latest +%{make_build} -C ./nss all +%{make_build} -C ./nss latest # build the man pages clean pushd ./nss @@ -1170,6 +1174,20 @@ fi %changelog +* Mon Nov 18 2024 Frantisek Krenzelok - 3.101.0-13 +- fix the "Allow RSA-OAEP in FIPS mode" patch for the declaration after switch statement +- fix changelog message for 3.101.0-11 + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-12 +- Allow RSA-OAEP in FIPS mode + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-11 +- Add SEC_OID_CURVE25519 to FIPS checks. +- This will mark algorithm using it as FIPS unapproved. + +* Mon Nov 4 2024 Bob Relyea - 3.101.0-10 +- remove dbm references in pkconfig + * Fri Nov 1 2024 Bob Relyea - 3.101.0-9 - Add ml-kem support and remove xyber support - Fix shlibsign when the system is in FIPS mode