diff --git a/SOURCES/fips_algorithms.h b/SOURCES/fips_algorithms.h index 30f8688..8fc6ad7 100644 --- a/SOURCES/fips_algorithms.h +++ b/SOURCES/fips_algorithms.h @@ -20,6 +20,7 @@ typedef enum { SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ + SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */ } SFTKFIPSSpecialClass; /* set according to your security policy */ @@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = { #define AES_FB_KEY 128, 256 #define AES_FB_STEP 64 { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, + { CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP }, /* -------------- RSA Multipart Signing Operations -------------------- */ { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, diff --git a/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch new file mode 100644 index 0000000..151643e --- /dev/null +++ b/SOURCES/nss-3.101-allow-fips-rsa-oaep.patch @@ -0,0 +1,20 @@ +diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200 ++++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200 +@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME + } + } + return sftk_checkKeyLength(targetKeyLength, 112, 512, 1); ++ case SFTKFIPSRSAOAEP:; ++ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *) ++ mech->pParameter; ++ ++ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg); ++ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf); ++ /* message hash and mask generation function must be the same */ ++ if (hash_pad != hash_msg) return PR_FALSE; ++ ++ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE); + default: + break; + } diff --git a/SOURCES/nss-3.101-fips-check-ec25519-size.patch b/SOURCES/nss-3.101-fips-check-ec25519-size.patch new file mode 100644 index 0000000..e9957f8 --- /dev/null +++ b/SOURCES/nss-3.101-fips-check-ec25519-size.patch @@ -0,0 +1,12 @@ +diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c +--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100 ++++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100 +@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source) + * key length is CKA_VALUE, which is the default */ + keyType = CKK_INVALID_KEY_TYPE; + } +- if (keyType == CKK_EC) { ++ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) { + SECOidTag curve = sftk_quickGetECCCurveOid(source); + switch (curve) { + case SEC_OID_CURVE25519: diff --git a/SOURCES/nss-3.101-fix-shlibsign-fips.patch b/SOURCES/nss-3.101-fix-shlibsign-fips.patch new file mode 100644 index 0000000..70e83f5 --- /dev/null +++ b/SOURCES/nss-3.101-fix-shlibsign-fips.patch @@ -0,0 +1,12 @@ +diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c +--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700 ++++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700 +@@ -1426,7 +1426,7 @@ main(int argc, char **argv) + } else { + /* NON FIPS mode == C_GetFunctionList */ + pC_GetFunctionList = (CK_C_GetFunctionList) +- PR_FindFunctionSymbol(lib, "C_GetFunctionList"); ++ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList"); + } + assert(pC_GetFunctionList != NULL); + if (!pC_GetFunctionList) { diff --git a/SOURCES/nss-3.90-ppc_no_init.patch b/SOURCES/nss-3.90-ppc_no_init.patch index 134955a..75ee08e 100644 --- a/SOURCES/nss-3.90-ppc_no_init.patch +++ b/SOURCES/nss-3.90-ppc_no_init.patch @@ -34,3 +34,32 @@ diff -up ./lib/softoken/Makefile.ppc_no_init ./lib/softoken/Makefile ####################################################################### +diff -up ./lib/softoken/legacydb/Makefile.ppc_no_init ./lib/softoken/legacydb/Makefile +--- ./lib/softoken/legacydb/Makefile.ppc_no_init 2024-11-12 11:51:16.535343581 +0100 ++++ ./lib/softoken/legacydb/Makefile 2024-11-12 12:09:58.968187800 +0100 +@@ -23,16 +23,17 @@ include $(CORE_DEPTH)/coreconf/config.mk + ifdef NSS_NO_INIT_SUPPORT + DEFINES += -DNSS_NO_INIT_SUPPORT + endif +-ifeq ($(OS_TARGET),Linux) +-ifeq ($(CPU_ARCH),ppc) +-ifdef USE_64 +- DEFINES += -DNSS_NO_INIT_SUPPORT +-endif # USE_64 +-endif # ppc +-else # !Linux ++#ifeq ($(OS_TARGET),Linux) ++#ifeq ($(CPU_ARCH),ppc) ++#ifdef USE_64 ++# DEFINES += -DNSS_NO_INIT_SUPPORT ++#endif # USE_64 ++#endif # ppc ++#else # !Linux ++ifneq ($(OS_TARGET),Linux) + # turn off no init support everywhere for now + DEFINES += -DNSS_NO_INIT_SUPPORT +-endif # Linux ++endif # !Linux + + ####################################################################### + # (4) Include "local" platform-dependent assignments (OPTIONAL). # diff --git a/SPECS/nss.spec b/SPECS/nss.spec index fb7926b..a5f86d6 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -63,7 +63,7 @@ print(string.sub(hash, 0, 16)) Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 7%{?dist} +Release: 11%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version}%{nspr_release} @@ -201,6 +201,9 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch # https://bugzilla.mozilla.org/show_bug.cgi?id=676100 Patch85: nss-3.101-fix-cms-abi-break.patch Patch86: nss-3.101-long-pwd-fix.patch +Patch87: nss-3.101-fix-shlibsign-fips.patch +Patch88: nss-3.101-fips-check-ec25519-size.patch +Patch89: nss-3.101-allow-fips-rsa-oaep.patch #revert patches Patch300: nss-3.101-default-libpkix.patch @@ -999,6 +1002,19 @@ update-crypto-policies --no-reload &> /dev/null || : %changelog +* Tue Nov 12 2024 Frantisek Krenzelok - 3.101.0-11 +- don't define -DNSS_NO_INIT_SUPPORT for legacydb on pcc systems + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-10 +- Allow RSA-OAEP in FIPS mode + +* Mon Nov 11 2024 Frantisek Krenzelok - 3.101.0-9 +- Add SEC_OID_CURVE25519 to FIPS checks. +- This will mark algorithm using it as FIPS unapproved. + +* Mon Nov 4 2024 Bob Relyea - 3.101.0-8 +- fix shlibsign to work when the system is in FIPS mode. + * Wed Sep 4 2024 Bob Relyea - 3.101.0-7 - fix cms abi breakage - fix long password issue on pbmac encodings