Compare commits
24 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
364a86cc8f | ||
|
4a5cdbbdb2 | ||
|
f1e37f35f8 | ||
|
c0b78bc53d | ||
|
c3571bbb3d | ||
|
b8de59e750 | ||
|
7e331e9268 | ||
|
219dd2513d | ||
|
3b655a2e4d | ||
|
81985bfb96 | ||
|
71cc95f92d | ||
|
1c0d77a6bb | ||
|
7007c4d430 | ||
|
eab1ac8862 | ||
|
ed198c7587 | ||
|
0102258016 | ||
|
74e1e8c297 | ||
|
b7b17c0e1f | ||
|
3c59bd0f5a | ||
|
f767d63b1b | ||
|
79de609de6 | ||
|
cf10cdf089 | ||
|
64e05e396d | ||
|
4d56a6c3a1 |
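--- a/.gitignore
+++ b/.gitignore
@@ -37,3 +37,12 @@ TestUser51.cert
 /nss-3.43.tar.gz
 /nss-3.44.tar.gz
 /nss-3.44.1.tar.gz
+/nss-3.46.tar.gz
+/nss-3.46.1.tar.gz
+/nss-3.47.tar.gz
+/nss-3.47.1.tar.gz
+/nss-3.48.tar.gz
+/nss-3.49.tar.gz
+/nss-3.49.2.tar.gz
+/nss-3.50.tar.gz
+/nss-3.51.tar.gz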
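--- a/nss-3.47-ike-fix.patch
+++ b/nss-3.47-ike-fix.patch
@@ -0,0 +1,22 @@
+diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800
++++ ./lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800
+@@ -330,7 +330,7 @@ static const struct mechanismList mechan
+{ CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+{ CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+{ CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
+- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
++ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+{ CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+/* ------------------------- Camellia Operations --------------------- */
+{ CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+@@ -518,7 +518,8 @@ static const struct mechanismList mechan
+/* --------------------IPSEC ----------------------- */
+{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
++ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
++ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+};
+static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+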
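Review bot: The first inner hunk changes the size pair advertised for `CKM_AES_XCBC_MAC_96` from `{ 16, 16 }` to `{ 12, 12 }`, and nothing in the patch says what the two numbers mean for a MAC mechanism. The neighbouring AES entries use `{ 16, 32 }`, which reads as a key-size range in bytes, so 12 looks like the truncated MAC length rather than a key length. If callers use this table to validate key sizes, the entry would presumably misreport what the mechanism accepts. Add a comment on that line in `pkcs11.c`, for example `/* sizes here are MAC output length, not key length */`, if that is what is intended, and confirm against the code that consumes the table, which is outside this hunk.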
@ -1,155 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Daiki Ueno <dueno@redhat.com>
|
|
||||||
# Date 1562162181 -7200
|
|
||||||
# Wed Jul 03 15:56:21 2019 +0200
|
|
||||||
# Node ID 88feab2a3e5e4b00b1626d59a0d3ecef93cafb92
|
|
||||||
# Parent b5d3f574967f8c5c705dab15682b0e16fac3e4be
|
|
||||||
tests: ensure CAVS test dirs are created
|
|
||||||
|
|
||||||
diff --git a/tests/fips/cavs_scripts/aes.sh b/tests/fips/cavs_scripts/aes.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/aes.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/aes.sh
|
|
||||||
@@ -83,6 +83,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $cbc_kat_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/aesgcm.sh b/tests/fips/cavs_scripts/aesgcm.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/aesgcm.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/aesgcm.sh
|
|
||||||
@@ -56,6 +56,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $gcm_decrypt_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/dsa.sh b/tests/fips/cavs_scripts/dsa.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/dsa.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/dsa.sh
|
|
||||||
@@ -59,6 +59,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
request=KeyPair.req
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/ecdsa.sh b/tests/fips/cavs_scripts/ecdsa.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/ecdsa.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/ecdsa.sh
|
|
||||||
@@ -50,6 +50,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
request=KeyPair.req
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/hmac.sh b/tests/fips/cavs_scripts/hmac.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/hmac.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/hmac.sh
|
|
||||||
@@ -31,6 +31,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
done
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
+
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $hmac_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/ike.sh b/tests/fips/cavs_scripts/ike.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/ike.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/ike.sh
|
|
||||||
@@ -33,6 +33,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
request=ikev1_dsa.req
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/kas.sh b/tests/fips/cavs_scripts/kas.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/kas.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/kas.sh
|
|
||||||
@@ -68,6 +68,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
request=KASFunctionTest_ECCEphemeralUnified_NOKC_ZZOnly_init.req
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/rng.sh b/tests/fips/cavs_scripts/rng.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/rng.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/rng.sh
|
|
||||||
@@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
done
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
+
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $drbg_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/rsa.sh b/tests/fips/cavs_scripts/rsa.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/rsa.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/rsa.sh
|
|
||||||
@@ -38,6 +38,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
request=SigGen15_186-3.req
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/sha.sh b/tests/fips/cavs_scripts/sha.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/sha.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/sha.sh
|
|
||||||
@@ -51,6 +51,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $sha_ShortMsg_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/tdea.sh b/tests/fips/cavs_scripts/tdea.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/tdea.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/tdea.sh
|
|
||||||
@@ -77,6 +77,8 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $cbc_kat_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
||||||
diff --git a/tests/fips/cavs_scripts/tls.sh b/tests/fips/cavs_scripts/tls.sh
|
|
||||||
--- a/tests/fips/cavs_scripts/tls.sh
|
|
||||||
+++ b/tests/fips/cavs_scripts/tls.sh
|
|
||||||
@@ -30,6 +30,9 @@ if [ ${COMMAND} = "verify" ]; then
|
|
||||||
done
|
|
||||||
exit $result
|
|
||||||
fi
|
|
||||||
+
|
|
||||||
+test -d "${RSPDIR}" || mkdir "${RSPDIR}"
|
|
||||||
+
|
|
||||||
for request in $tls_requests; do
|
|
||||||
response=`echo $request | sed -e "s/req/rsp/"`
|
|
||||||
echo $request $response
|
|
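--- a/nss-kremlin-ppc64le.patch
+++ b/nss-kremlin-ppc64le.patch
@@ -0,0 +1,30 @@
+Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+@@ -56,7 +56,9 @@ typedef const char *Prims_string;
+#include <emmintrin.h>
+typedef __m128i FStar_UInt128_uint128;
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++ defined(__s390x__))
+typedef unsigned __int128 FStar_UInt128_uint128;
+#else
+typedef struct FStar_UInt128_uint128_s {
+Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+===================================================================
+--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+@@ -25,7 +25,9 @@
+#include "LowStar_Endianness.h"
+
+#if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
++ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
++ defined(__s390x__))
+
+/* GCC + using native unsigned __int128 support */
+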
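Review bot: The added condition enables native `unsigned __int128` on `__s390x__` as well as on little-endian ppc64, but the patch name and the spec comment mention only ppc64le. The powerpc branch is gated on `__LITTLE_ENDIAN__` while the s390x branch has no endianness gate, and the page gives no reason for the difference. Because these headers sit under `lib/freebl/verified/`, add a comment above the condition such as `/* native __int128 also enabled downstream for ppc64le and s390x */`, and state in the patch header how the two added targets were tested. The same three-line condition is duplicated in `types.h` and `fstar_uint128_gcc64.h`, so the comment should also say that the two copies must stay identical.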
@ -1,35 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Daiki Ueno <dueno@redhat.com>
|
|
||||||
# Date 1557150127 -7200
|
|
||||||
# Mon May 06 15:42:07 2019 +0200
|
|
||||||
# Node ID 438ac983bda9ec7944990d22a37877e9111caa90
|
|
||||||
# Parent b018f3e84d87cce99a1fd81feeecb31123058687
|
|
||||||
pk11slot: reference module from slot for finalization
|
|
||||||
|
|
||||||
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
|
|
||||||
--- a/lib/pk11wrap/pk11slot.c
|
|
||||||
+++ b/lib/pk11wrap/pk11slot.c
|
|
||||||
@@ -1439,6 +1439,11 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
|
|
||||||
slot->slotID = slotID;
|
|
||||||
slot->isThreadSafe = mod->isThreadSafe;
|
|
||||||
slot->hasRSAInfo = PR_FALSE;
|
|
||||||
+ slot->module = mod; /* NOTE: we don't make a reference here because
|
|
||||||
+ * modules have references to their slots. This
|
|
||||||
+ * works because modules keep implicit references
|
|
||||||
+ * from their slots, and won't unload and disappear
|
|
||||||
+ * until all their slots have been freed */
|
|
||||||
|
|
||||||
if (PK11_GETTAB(slot)->C_GetSlotInfo(slotID, &slotInfo) != CKR_OK) {
|
|
||||||
slot->disabled = PR_TRUE;
|
|
||||||
@@ -1448,11 +1453,6 @@ PK11_InitSlot(SECMODModule *mod, CK_SLOT
|
|
||||||
|
|
||||||
/* test to make sure claimed mechanism work */
|
|
||||||
slot->needTest = mod->internal ? PR_FALSE : PR_TRUE;
|
|
||||||
- slot->module = mod; /* NOTE: we don't make a reference here because
|
|
||||||
- * modules have references to their slots. This
|
|
||||||
- * works because modules keep implicit references
|
|
||||||
- * from their slots, and won't unload and disappear
|
|
||||||
- * until all their slots have been freed */
|
|
||||||
(void)PK11_MakeString(NULL, slot->slot_name,
|
|
||||||
(char *)slotInfo.slotDescription, sizeof(slotInfo.slotDescription));
|
|
||||||
slot->isHW = (PRBool)((slotInfo.flags & CKF_HW_SLOT) == CKF_HW_SLOT);
|
|
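--- a/nss-signtool-format.patch
+++ b/nss-signtool-format.patch
@@ -0,0 +1,94 @@
+diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
+--- a/cmd/modutil/install.c
++++ b/cmd/modutil/install.c
+@@ -825,17 +825,20 @@ rm_dash_r(char *path)
+
+dir = PR_OpenDir(path);
+if (!dir) {
+return -1;
+}
+
+/* Recursively delete all entries in the directory */
+while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+- sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++ PR_CloseDir(dir);
++ return -1;
++ }
+if (rm_dash_r(filename)) {
+PR_CloseDir(dir);
+return -1;
+}
+}
+
+if (PR_CloseDir(dir) != PR_SUCCESS) {
+return -1;
+diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
+--- a/cmd/signtool/util.c
++++ b/cmd/signtool/util.c
+@@ -132,17 +132,20 @@ rm_dash_r(char *path)
+if (!dir) {
+PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
+errorCount++;
+return -1;
+}
+
+/* Recursively delete all entries in the directory */
+while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
+- sprintf(filename, "%s/%s", path, entry->name);
++ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
++ errorCount++;
++ return -1;
++ }
+if (rm_dash_r(filename))
+return -1;
+}
+
+if (PR_CloseDir(dir) != PR_SUCCESS) {
+PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
+errorCount++;
+return -1;
+diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
+--- a/lib/libpkix/pkix/util/pkix_list.c
++++ b/lib/libpkix/pkix/util/pkix_list.c
+@@ -1530,17 +1530,17 @@ cleanup:
+*/
+PKIX_Error *
+PKIX_List_SetItem(
+PKIX_List *list,
+PKIX_UInt32 index,
+PKIX_PL_Object *item,
+void *plContext)
+{
+- PKIX_List *element;
++ PKIX_List *element = NULL;
+
+PKIX_ENTER(LIST, "PKIX_List_SetItem");
+PKIX_NULLCHECK_ONE(list);
+
+if (list->immutable){
+PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
+}
+
+diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
++++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+@@ -102,17 +102,17 @@ cleanup:
+*/
+static PKIX_Error *
+pkix_pl_OID_Equals(
+PKIX_PL_Object *first,
+PKIX_PL_Object *second,
+PKIX_Boolean *pResult,
+void *plContext)
+{
+- PKIX_Int32 cmpResult;
++ PKIX_Int32 cmpResult = 0;
+
+PKIX_ENTER(OID, "pkix_pl_OID_Equals");
+PKIX_NULLCHECK_THREE(first, second, pResult);
+
+PKIX_CHECK(pkix_pl_OID_Comparator
+(first, second, &cmpResult, plContext),
+PKIX_OIDCOMPARATORFAILED);
+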
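Review bot: In the `cmd/signtool/util.c` hunk the new truncation branch returns without closing `dir`, whereas the matching branch in `cmd/modutil/install.c` calls `PR_CloseDir(dir);` first, so every refused over-long path leaks a directory handle. Add `PR_CloseDir(dir);` before that `return -1;`, and a `PR_fprintf(errorFD, ...)` message like the other failure paths in the function so the refusal is visible to the user. The unchanged `if (rm_dash_r(filename)) return -1;` just below has the same leak. In both files `snprintf` returns `int` and is compared directly with `sizeof(filename)`; a negative return is rejected only through the unsigned conversion, so storing the result and testing `n < 0 || (size_t)n >= sizeof(filename)` states the intent. Both `rm_dash_r` bodies start and end outside the hunks.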
@ -1,27 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Daiki Ueno <dueno@redhat.com>
|
|
||||||
# Date 1558341826 -7200
|
|
||||||
# Mon May 20 10:43:46 2019 +0200
|
|
||||||
# Node ID b447f0046807b718d2928d0e33313620d38a287a
|
|
||||||
# Parent 02ea5f29ac3c1f1c6e6eb4b655afd9b4fc075a9e
|
|
||||||
tests: skip TLS 1.3 tests under FIPS mode
|
|
||||||
|
|
||||||
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
|
|
||||||
--- a/tests/ssl/ssl.sh
|
|
||||||
+++ b/tests/ssl/ssl.sh
|
|
||||||
@@ -393,6 +393,15 @@ ssl_auth()
|
|
||||||
echo "${testname}" | grep "TLS 1.3" > /dev/null
|
|
||||||
TLS13=$?
|
|
||||||
|
|
||||||
+ # Currently TLS 1.3 tests are known to fail under FIPS mode,
|
|
||||||
+ # because HKDF is implemented using the PKCS #11 functions
|
|
||||||
+ # prohibited under FIPS mode.
|
|
||||||
+ if [ "${TLS13}" -eq 0 ] && \
|
|
||||||
+ [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
|
|
||||||
+ echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
||||||
+ continue
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
|
|
||||||
echo "$SCRIPTNAME: skipping $testname (non-FIPS only)"
|
|
||||||
elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
|
|
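--- a/nss-tls13-default.patch
+++ b/nss-tls13-default.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.tls13-default 2020-01-27 10:21:44.930830558 +0100
++++ nss/lib/ssl/sslsock.c 2020-01-27 10:21:47.419852229 +0100
+@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
+*/
+static SSLVersionRange versions_defaults_stream = {
+SSL_LIBRARY_VERSION_TLS_1_0,
+- SSL_LIBRARY_VERSION_TLS_1_3
++ SSL_LIBRARY_VERSION_TLS_1_2
+};
+
+static SSLVersionRange versions_defaults_datagram = {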
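Review bot: Lowering the stream default maximum to `SSL_LIBRARY_VERSION_TLS_1_2` turns TLS 1.3 off for every application that relies on the library defaults, not only in FIPS mode, which is the only reason the spec comment gives. The patch carries no explanation of its own, and the minimum stays at `SSL_LIBRARY_VERSION_TLS_1_0`. Add a comment above the changed line such as `/* downstream: TLS 1.3 kept off by default until HKDF is usable through PKCS #11 in FIPS mode (reverts upstream bug 1573118) */`, so the downgrade is not mistaken for an upstream default. The condition for dropping the patch should be stated too. Whether system policy re-enables TLS 1.3 for non-FIPS users is not visible here and should be confirmed. The initializer of `versions_defaults_datagram` continues outside the hunk.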
74
nss.spec
@ -1,5 +1,5 @@
|
|||||||
%global nspr_version 4.21.0
|
%global nspr_version 4.25.0
|
||||||
%global nss_version 3.44.1
|
%global nss_version 3.51.0
|
||||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||||
%global saved_files_dir %{_libdir}/nss/saved
|
%global saved_files_dir %{_libdir}/nss/saved
|
||||||
%global dracutlibdir %{_prefix}/lib/dracut
|
%global dracutlibdir %{_prefix}/lib/dracut
|
||||||
@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: %{nss_version}
|
Version: %{nss_version}
|
||||||
Release: 2%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Requires: nspr >= %{nspr_version}
|
Requires: nspr >= %{nspr_version}
|
||||||
@ -93,8 +93,6 @@ Source28: nss-p11-kit.config
|
|||||||
|
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||||
Patch2: nss-539183.patch
|
Patch2: nss-539183.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1549382
|
|
||||||
Patch3: nss-module-leak.patch
|
|
||||||
# This patch uses the GCC -iquote option documented at
|
# This patch uses the GCC -iquote option documented at
|
||||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||||
# to give the in-tree headers a higher priority over the system headers,
|
# to give the in-tree headers a higher priority over the system headers,
|
||||||
@ -107,9 +105,16 @@ Patch3: nss-module-leak.patch
|
|||||||
# Once the buildroot aha been bootstrapped the patch may be removed
|
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||||
# but it doesn't hurt to keep it.
|
# but it doesn't hurt to keep it.
|
||||||
Patch4: iquote.patch
|
Patch4: iquote.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1552767
|
# add missing ike mechanism to softoken
|
||||||
Patch5: nss-skip-tls13-fips.patch
|
Patch10: nss-3.47-ike-fix.patch
|
||||||
Patch6: nss-cavs-tests.patch
|
# To revert the upstream change:
|
||||||
|
# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
|
||||||
|
# as it still doesn't work under FIPS mode because of missing HKDF
|
||||||
|
# support in PKCS #11.
|
||||||
|
Patch11: nss-tls13-default.patch
|
||||||
|
Patch12: nss-signtool-format.patch
|
||||||
|
# https://github.com/FStarLang/kremlin/issues/166
|
||||||
|
Patch13: nss-kremlin-ppc64le.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -557,7 +562,7 @@ do
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Copy some freebl include files we also want
|
# Copy some freebl include files we also want
|
||||||
for file in blapi.h alghmac.h
|
for file in blapi.h alghmac.h cmac.h
|
||||||
do
|
do
|
||||||
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
||||||
done
|
done
|
||||||
@ -850,6 +855,7 @@ update-crypto-policies &> /dev/null || :
|
|||||||
%{_includedir}/nss3/blapi.h
|
%{_includedir}/nss3/blapi.h
|
||||||
%{_includedir}/nss3/blapit.h
|
%{_includedir}/nss3/blapit.h
|
||||||
%{_includedir}/nss3/alghmac.h
|
%{_includedir}/nss3/alghmac.h
|
||||||
|
%{_includedir}/nss3/cmac.h
|
||||||
%{_includedir}/nss3/lowkeyi.h
|
%{_includedir}/nss3/lowkeyi.h
|
||||||
%{_includedir}/nss3/lowkeyti.h
|
%{_includedir}/nss3/lowkeyti.h
|
||||||
|
|
||||||
@ -874,6 +880,56 @@ update-crypto-policies &> /dev/null || :
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Apr 7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
|
||||||
|
- Update to NSS 3.51
|
||||||
|
|
||||||
|
* Thu Mar 5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
|
||||||
|
- Apply CMAC fixes from upstream
|
||||||
|
|
||||||
|
* Mon Feb 17 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-1
|
||||||
|
- Update to NSS 3.50
|
||||||
|
|
||||||
|
* Mon Jan 27 2020 Daiki Ueno <dueno@redhat.com> - 3.49.2-1
|
||||||
|
- Update to NSS 3.49.2
|
||||||
|
- Don't enable TLS 1.3 by default (#1794814)
|
||||||
|
|
||||||
|
* Fri Jan 10 2020 Daiki Ueno <dueno@redhat.com> - 3.49.0-1
|
||||||
|
- Update to NSS 3.49
|
||||||
|
- Fix build on armv7hl with the patch proposed in upstream
|
||||||
|
|
||||||
|
* Fri Jan 3 2020 Daiki Ueno <dueno@redhat.com> - 3.48.0-1
|
||||||
|
- Update to NSS 3.48
|
||||||
|
|
||||||
|
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-4
|
||||||
|
- Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value
|
||||||
|
|
||||||
|
* Tue Dec 3 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-3
|
||||||
|
- Update nss-3.47-certdb-temp-cert.patch to the final version
|
||||||
|
|
||||||
|
* Thu Nov 28 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-2
|
||||||
|
- Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617)
|
||||||
|
|
||||||
|
* Fri Nov 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.1-1
|
||||||
|
- Update to NSS 3.47.1
|
||||||
|
|
||||||
|
* Thu Nov 7 2019 Bob Relyea <rrelyea@redhat.com> - 3.47.0-3
|
||||||
|
- Include ike mechanism fix
|
||||||
|
|
||||||
|
* Wed Oct 23 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-2
|
||||||
|
- Install cmac.h required by blapi.h (#1764513)
|
||||||
|
|
||||||
|
* Tue Oct 22 2019 Daiki Ueno <dueno@redhat.com> - 3.47.0-1
|
||||||
|
- Update to NSS 3.47
|
||||||
|
|
||||||
|
* Mon Oct 21 2019 Daiki Ueno <dueno@redhat.com> - 3.46.1-1
|
||||||
|
- Update to NSS 3.46.1
|
||||||
|
|
||||||
|
* Wed Sep 4 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-2
|
||||||
|
- Rebuild with NSPR 4.22
|
||||||
|
|
||||||
|
* Tue Sep 3 2019 Daiki Ueno <dueno@redhat.com> - 3.46.0-2
|
||||||
|
- Update to NSS 3.46
|
||||||
|
|
||||||
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.44.1-2
|
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 3.44.1-2
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
|
||||||
|
|
||||||
|
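Review bot: `Patch10: nss-3.47-ike-fix.patch` and `Patch12: nss-signtool-format.patch` are added without an upstream reference, while the neighbouring patches name a bug or issue URL. Add a line such as `# Upstream: <upstream-bug-url>` above each so it is clear when they can be dropped; Patch12 currently has no comment at all. In the new changelog entries, the Sep 3 2019 "Update to NSS 3.46" and the Sep 4 2019 "Rebuild with NSPR 4.22" entries both carry `3.46.0-2`, so the earlier one was presumably meant to be `3.46.0-1`.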
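--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
+SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd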