Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2022-06-29 16:00:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Wed Jun 29 16:00:24 2022 rev:190 rq:985447 version:3.79 Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2022-06-01 17:34:40.518741744 +0200 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.1548/mozilla-nss.changes 2022-06-29 16:00:27.256544133 +0200 
@@ -1,0 +2,33 @@
+Sat Jun 25 12:30:25 UTC 2022 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- sync with current SLE
+ * latest FIPS changes incl. testsuite fixes (enabled now)
+ nss-fips-180-3-csp-clearing.patch
+ nss-fips-tests-enable-fips.patch
+ nss-fips-tests-skip.patch
+ nss-fips-pbkdf-kat-compliance.patch
+
+-------------------------------------------------------------------
+Sun Jun 12 08:57:06 UTC 2022 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- update to NSS 3.79
+ * bmo#205717 - Use PK11_GetSlotInfo instead of raw C_GetSlotInfo calls.
+ * bmo#1766907 - Update mercurial in clang-format docker image.
+ * bmo#1454072 - Use of uninitialized pointer in lg_init after alloc fail.
+ * bmo#1769295 - selfserv and tstclnt should use PR_GetPrefLoopbackAddrInfo.
+ * bmo#1753315 - Add SECMOD_LockedModuleHasRemovableSlots.
+ * bmo#1387919 - Fix secasn1d parsing of indefinite SEQUENCE inside
+ indefinite GROUP.
+ * bmo#1765753 - Added RFC8422 compliant TLS <= 1.2 undefined/compressed
+ ECPointFormat extension alerts.
+ * bmo#1765753 - TLS 1.3 Server: Send protocol_version alert on
+ unsupported ClientHello.legacy_version.
+ * bmo#1764788 - Correct invalid record inner and outer content type alerts.
+ * bmo#1757075 - NSS does not properly import or export pkcs12 files
+ with large passwords and pkcs5v2 encoding.
+ * bmo#1766978 - improve error handling after nssCKFWInstance_CreateObjectHandle.
+ * bmo#1767590 - Initialize pointers passed to
+ NSS_CMSDigestContext_FinishMultiple.
+ * bmo#1769302 - NSS 3.79 should depend on NSPR 4.34 + +------------------------------------------------------------------- Old: ---- nss-3.78.1.tar.gz New: ---- nss-3.79.tar.gz nss-fips-180-3-csp-clearing.patch nss-fips-pbkdf-kat-compliance.patch nss-fips-tests-enable-fips.patch nss-fips-tests-skip.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.t11LAR/_old 2022-06-29 16:00:30.004548272 +0200 +++ /var/tmp/diff_new_pack.t11LAR/_new 2022-06-29 16:00:30.008548279 +0200 @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.78 -%define NSPR_min_version 4.32 +%global nss_softokn_fips_version 3.79 +%define NSPR_min_version 4.34 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.78.1 +Version: 3.79 Release: 0 -%define underscore_version 3_78_1 +%define underscore_version 3_79 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -70,8 +70,12 @@ Patch25: nss-fips-detect-fips-mode-fixes.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch Patch27: nss-fips-aes-keywrap-post.patch -Patch28: nss-fips-fix-missing-nspr.patch -Patch29: nss-fips-stricter-dh.patch +Patch37: nss-fips-fix-missing-nspr.patch +Patch38: nss-fips-stricter-dh.patch +Patch40: nss-fips-180-3-csp-clearing.patch +Patch41: nss-fips-pbkdf-kat-compliance.patch +Patch42: nss-fips-tests-skip.patch +Patch44: nss-fips-tests-enable-fips.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -92,8 +96,7 @@ %endif %ifnarch %sparc %if ! 0%{?qemu_user_space_build} -# disabled temporarily bmo#1236340 -%define run_testsuite 0 +%define run_testsuite 1 %endif %endif 
@@ -227,8 +230,12 @@ %patch25 -p1 %patch26 -p1 %patch27 -p1 -%patch28 -p1 -%patch29 -p1 +%patch37 -p1 +%patch38 -p1 +%patch40 -p1 +%patch41 -p1 +%patch42 -p1 +%patch44 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins @@ -268,6 +275,8 @@ %endif export NSS_DISABLE_GTESTS=1 export NSS_USE_SYSTEM_SQLITE=1 +export NSS_ENABLE_FIPS_INDICATORS=1 +export NSS_FIPS_MODULE_ID="\"SUSE Linux Enterprise NSS %{version}-%{release}\"" #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" make %{?_smp_mflags} nss_build_all $MAKE_FLAGS @@ -275,7 +284,7 @@ %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" -export DOMSUF=" " +export DOMSUF="localdomain" export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.t11LAR/_old 2022-06-29 16:00:30.096548412 +0200 +++ /var/tmp/diff_new_pack.t11LAR/_new 2022-06-29 16:00:30.100548417 +0200 @@ -1,5 +1,5 @@ mozilla-nss - requires "mozilla-nspr-<targettype> >= 4.32" + requires "mozilla-nspr-<targettype> >= 4.34" requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "libnssckbi.so" ++++++ nss-3.78.1.tar.gz -> nss-3.79.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.78.1.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.1548/nss-3.79.tar.gz differ: char 5, line 1 ++++++ nss-fips-180-3-csp-clearing.patch ++++++ Index: nss/lib/freebl/pqg.c =================================================================== --- nss.orig/lib/freebl/pqg.c +++ nss/lib/freebl/pqg.c @@ -1232,6 +1232,9 @@ cleanup: MP_TO_SEC_ERROR(err); rv = SECFailure; } + if (rv != SECSuccess) { + mp_zero(G); + } return rv; } Index: nss/lib/softoken/sftkdb.c =================================================================== --- nss.orig/lib/softoken/sftkdb.c +++ nss/lib/softoken/sftkdb.c 
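Review bot: The new `export NSS_FIPS_MODULE_ID=...` in the build section hard-codes the product name "SUSE Linux Enterprise", although this spec is being checked in to openSUSE:Factory, so Factory builds would presumably identify themselves under the SLE module name as well. If that string ends up in a module identifier that applications or auditors can read, it should come from a distribution macro or be set only under an `%if 0%{?sle_version}` conditional like the one already used for the gcc9 BuildRequires. The two new exports also have no comment; something like `# FIPS service indicators and module ID, synced from the SLE package` above them would record why they are here. The escaped inner quotes depend on how the NSS makefiles pass the value to the compiler, which is not visible in this hunk.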
@@ -1506,7 +1506,7 @@ loser: PORT_ZFree(data, dataSize); } if (arena) { - PORT_FreeArena(arena, PR_FALSE); + PORT_FreeArena(arena, PR_TRUE); } return crv; } Index: nss/lib/softoken/sftkpwd.c =================================================================== --- nss.orig/lib/softoken/sftkpwd.c +++ nss/lib/softoken/sftkpwd.c @@ -1439,7 +1439,7 @@ loser: PORT_ZFree(newKey.data, newKey.len); } if (result) { - SECITEM_FreeItem(result, PR_TRUE); + SECITEM_ZfreeItem(result, PR_TRUE); } if (rv != SECSuccess) { (*keydb->db->sdb_Abort)(keydb->db); ++++++ nss-fips-approved-crypto-non-ec.patch ++++++ --- /var/tmp/diff_new_pack.t11LAR/_old 2022-06-29 16:00:30.196548562 +0200 +++ /var/tmp/diff_new_pack.t11LAR/_new 2022-06-29 16:00:30.200548568 +0200 @@ -258,7 +258,7 @@ =================================================================== --- nss.orig/lib/freebl/fips.h +++ nss/lib/freebl/fips.h -@@ -8,8 +8,20 @@ +@@ -8,9 +8,21 @@ #ifndef FIPS_H #define FIPS_H @@ -267,13 +267,14 @@ + +#define IN_FIPS_RETURN(rv) \ + do { \ -+ if (FIPS_mode()) { \ ++ if (FIPS_mode_allow_tests()) { \ + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); \ + return rv; \ + } \ + } while (0) + int FIPS_mode(void); + int FIPS_mode_allow_tests(void); char* FIPS_rngDev(void); +PRBool FIPS_hashAlgApproved(HASH_HashType hashAlg); 
@@ -495,4 +496,100 @@ PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; +Index: nss/lib/freebl/desblapi.c +=================================================================== +--- nss.orig/lib/freebl/desblapi.c ++++ nss/lib/freebl/desblapi.c +@@ -18,6 +18,8 @@ + #include <stddef.h> + #include "secerr.h" + ++#include "fips.h" ++ + #if defined(NSS_X86_OR_X64) + /* Intel X86 CPUs do unaligned loads and stores without complaint. */ + #define COPY8B(to, from, ptr) \ +@@ -136,6 +138,8 @@ DES_EDE3CBCDe(DESContext *cx, BYTE *out, + DESContext * + DES_AllocateContext(void) + { ++ IN_FIPS_RETURN(NULL); ++ + return PORT_ZNew(DESContext); + } + +@@ -145,12 +149,16 @@ DES_InitContext(DESContext *cx, const un + unsigned int unused) + { + DESDirection opposite; ++ ++ IN_FIPS_RETURN(SECFailure); ++ + if (!cx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + cx->direction = encrypt ? DES_ENCRYPT : DES_DECRYPT; + opposite = encrypt ? DES_DECRYPT : DES_ENCRYPT; ++ + switch (mode) { + case NSS_DES: /* DES ECB */ + DES_MakeSchedule(cx->ks0, key, cx->direction); +@@ -201,8 +209,13 @@ DES_InitContext(DESContext *cx, const un + DESContext * + DES_CreateContext(const BYTE *key, const BYTE *iv, int mode, PRBool encrypt) + { +- DESContext *cx = PORT_ZNew(DESContext); +- SECStatus rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); ++ DESContext *cx; ++ SECStatus rv; ++ ++ IN_FIPS_RETURN(NULL); ++ ++ cx = PORT_ZNew(DESContext); ++ rv = DES_InitContext(cx, key, 0, iv, mode, encrypt, 0); + + if (rv != SECSuccess) { + PORT_ZFree(cx, sizeof *cx); +@@ -214,6 +227,8 @@ DES_CreateContext(const BYTE *key, const + void + DES_DestroyContext(DESContext *cx, PRBool freeit) + { ++ IN_FIPS_RETURN(); ++ + if (cx) { + memset(cx, 0, sizeof *cx); + if (freeit) +@@ -225,6 +240,7 @@ SECStatus + DES_Encrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { ++ IN_FIPS_RETURN(SECFailure); + + if ((inLen 
% 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_ENCRYPT) { +@@ -242,6 +258,7 @@ SECStatus + DES_Decrypt(DESContext *cx, BYTE *out, unsigned int *outLen, + unsigned int maxOutLen, const BYTE *in, unsigned int inLen) + { ++ IN_FIPS_RETURN(SECFailure); + + if ((inLen % 8) != 0 || maxOutLen < inLen || !cx || + cx->direction != DES_DECRYPT) { +Index: nss/lib/softoken/fips_algorithms.h +=================================================================== +--- nss.orig/lib/softoken/fips_algorithms.h ++++ nss/lib/softoken/fips_algorithms.h +@@ -111,8 +111,11 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] + { CKM_AES_KEY_WRAP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_PAD, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, + { CKM_AES_KEY_WRAP_KWP, { AES_FB_KEY, CKF_ENC }, AES_FB_STEP, SFTKFIPSNone }, ++#if 0 ++ /* Not approved in FIPS mode */ + { CKM_AES_XCBC_MAC_96, { 96, 96, CKF_SGN }, 1, SFTKFIPSNone }, + { CKM_AES_XCBC_MAC, { 128, 128, CKF_SGN }, 1, SFTKFIPSNone }, ++#endif + /* ------------------------- Hashing Operations ----------------------- */ + { CKM_SHA224, { 0, 0, CKF_HSH }, 1, SFTKFIPSNone }, + { CKM_SHA224_HMAC, { 112, 224, CKF_SGN }, 1, SFTKFIPSNone }, ++++++ nss-fips-constructor-self-tests.patch ++++++ --- /var/tmp/diff_new_pack.t11LAR/_old 2022-06-29 16:00:30.228548611 +0200 +++ /var/tmp/diff_new_pack.t11LAR/_new 2022-06-29 16:00:30.232548616 +0200 @@ -67,7 +67,7 @@ =================================================================== --- /dev/null +++ nss/lib/freebl/fips-selftest.inc -@@ -0,0 +1,306 @@ +@@ -0,0 +1,355 @@ +/* + * PKCS #11 FIPS Power-Up Self Test - common stuff. + * @@ -118,6 +118,9 @@ + +static int fips_wanted = -1; + ++static int fips_is_env = 0; ++static int fips_ignore_checksums = 0; ++ +/* debug messages are sent to stderr */ +static void +debug(const char *fmt,...) 
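Review bot: The `IN_FIPS_RETURN();` added at the top of `DES_DestroyContext` in desblapi.c makes the function return before `memset(cx, 0, sizeof *cx)` and the free, so a context that exists while FIPS mode is active is neither zeroised nor released. The macro now tests `FIPS_mode_allow_tests()`, which per its comment in the companion self-test patch reports 0 until the power-up tests have finished, so a context created in that window could later reach this early return; whether that ordering actually occurs is not visible on this page. Teardown should not be gated on the FIPS state: dropping that one line from `DES_DestroyContext` keeps the key schedule cleared, which is also the goal of the CSP-clearing patch in this same commit. The call also passes an empty macro argument, which only works because the function is void, and it sets `SEC_ERROR_INVALID_ALGORITHM` on a destroy path where callers are unlikely to check the error.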
@@ -209,6 +212,21 @@ + return PR_FALSE; +} + ++static PRBool ++getIgnoreChecksumsEnv(void) ++{ ++ char *checksumEnv = getenv("NSS_IGNORE_CHECKSUMS"); ++ if (!checksumEnv) { ++ return PR_FALSE; ++ } ++ if ((strcasecmp(checksumEnv,"true") == 0) || ++ (strcasecmp(checksumEnv,"on") == 0) || ++ (strcasecmp(checksumEnv,"1") == 0)) { ++ return PR_TRUE; ++ } ++ return PR_FALSE; ++} ++ +static int +fips_isWantedEnv(void) +{ @@ -222,10 +240,54 @@ +#ifdef LINUX + fips_requests += fips_isWantedProc(); +#endif ++ if (fips_requests < 1) ++ { ++ fips_is_env = 1; ++ fips_ignore_checksums = getIgnoreChecksumsEnv(); ++ } + fips_requests += fips_isWantedEnv(); ++ + return fips_requests; +} + ++static PRBool ++fips_check_signature_external (const char *full_lib_name, int *err) ++{ ++ char *p0, *p1; ++ char *ld_path; ++ PRBool rv = PR_FALSE; ++ ++ p0 = getenv ("LD_LIBRARY_PATH"); ++ p0 = ld_path = strdup (p0 ? p0 : ""); ++ ++ for (p1 = strchr (p0, ':'); p1 && !rv; p1 = strchr (p0, ':')) ++ { ++ char *path; ++ ++ *p1 = '\0'; ++ path = malloc (strlen (p0) + strlen (full_lib_name) + 2); ++ strcpy (path, p0); ++ strcat (path, "/"); ++ strcat (path, full_lib_name); ++ ++ rv = BLAPI_SHVerifyFile (path, err); ++ ++ free (path); ++ p0 = p1 + 1; ++ } ++ ++ if (!rv) ++ { ++ char *path = malloc (strlen ("/usr/lib64/") + strlen (full_lib_name) + 1); ++ strcpy (path, "/usr/lib64/"); ++ strcat (path, full_lib_name); ++ rv = BLAPI_SHVerifyFile (path, err); ++ } ++ ++ free (ld_path); ++ return rv; ++} ++ +/* check integrity signatures (if present) */ +static fips_check_status +fips_checkSignature(char *libName, PRFuncPtr addr) 
@@ -249,24 +311,11 @@ + l -= strlen(libName); + strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l); + l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX); -+#if 1 -+ if (NULL == addr) { -+ char full_path [PATH_MAX+1]; -+ -+ full_path [0] = '\0'; -+ l = PATH_MAX; -+ strncat (full_path, "/usr/lib64/", l); -+ l -= strlen ("/usr/lib64/"); -+ strncat (full_path, full_lib_name, l); -+ l -= strlen (full_lib_name); + -+ rv = BLAPI_SHVerifyFile(full_path, &err); -+ } ++ if (NULL == addr) ++ rv = fips_check_signature_external (full_lib_name, &err); + else + rv = BLAPI_SHVerify(full_lib_name, addr, &err); -+#else -+ rv = 1; -+#endif + } + + if (rv) { @@ -390,7 +439,7 @@ =================================================================== --- /dev/null +++ nss/lib/freebl/fips.h -@@ -0,0 +1,15 @@ +@@ -0,0 +1,16 @@ +/* + * PKCS #11 FIPS Power-Up Self Test. + * @@ -402,6 +451,7 @@ +#define FIPS_H + +int FIPS_mode(void); ++int FIPS_mode_allow_tests(void); +char* FIPS_rngDev(void); + +#endif @@ -591,7 +641,7 @@ } /* -@@ -2251,28 +2279,91 @@ bl_startup_tests(void) +@@ -2251,28 +2279,104 @@ bl_startup_tests(void) * power on selftest failed. */ SECStatus @@ -648,6 +698,19 @@ + } +} + ++/* Returns the FIPS mode we are running in. If the tests have not completed yet, ++ * return FALSE. This allows testing of modules that are not allowed in FIPS ++ * mode. */ ++int ++FIPS_mode_allow_tests(void) ++{ ++ int fips; ++ ++ fips = (-1 != fips_state) ? fips_state : 0; ++ ++ return fips; ++} ++ +/* returns string specifying what system RNG file to use for seeding */ +char * +FIPS_rngDev(void) @@ -943,7 +1006,7 @@ =================================================================== --- /dev/null +++ nss/lib/softoken/fips.c -@@ -0,0 +1,36 @@ +@@ -0,0 +1,40 @@ +#include "../freebl/fips-selftest.inc" + +#include "fips.h" 
@@ -971,9 +1034,13 @@ +{ + fips_state = fips_initTest("softokn", (PRFuncPtr)fips_initTestSoftoken, fips_checkCryptoSoftoken); + -+ /* The legacy DB must be checked unconditionally in FIPS mode. */ ++ /* The legacy DB must be checked unconditionally in FIPS mode. As an exception, ++ * this can be turned off for the build-time tests using the env var ++ * NSS_IGNORE_CHECKSUMS. This is necessary because the files cannot be ++ * located before they're installed. It only works if FIPS mode is enabled ++ * via NSS_FIPS=1, not if it's set in /proc. */ + -+ if (fips_state) ++ if (fips_state && !(fips_is_env && fips_ignore_checksums)) + { + fips_state = fips_initTest("nssdbm", (PRFuncPtr) NULL, NULL); + } ++++++ nss-fips-pbkdf-kat-compliance.patch ++++++ Index: nss/lib/softoken/lowpbe.c =================================================================== --- nss.orig/lib/softoken/lowpbe.c +++ nss/lib/softoken/lowpbe.c @@ -1745,7 +1745,7 @@ loser: return ret_algid; } -#define TEST_KEY "pbkdf test key" +#define TEST_KEY "qrfhfgkeWKZsYyLfUddaKQKLGhwqjQhNCiAdfweKEPaRf" SECStatus sftk_fips_pbkdf_PowerUpSelfTests(void) { 
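Review bot: The new condition `if (fips_state && !(fips_is_env && fips_ignore_checksums))` in softoken/fips.c lets an environment variable switch off the nssdbm integrity check in the shipped library, not only in the build-time test run that the comment describes. The override applies only when FIPS mode was requested through the environment rather than /proc, which bounds the impact. It is still read with plain `getenv` in `getIgnoreChecksumsEnv()`, so any process environment that sets `NSS_FIPS=1` and `NSS_IGNORE_CHECKSUMS=1` gets FIPS mode without that check, and nothing is reported. Consider compiling the override in only for the test build, or at least reading it with `secure_getenv("NSS_IGNORE_CHECKSUMS")` so privileged programs ignore it, and emit a `debug()` message when the check is skipped. The enclosing function starts outside this hunk.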
@@ -1755,17 +1755,22 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) unsigned char iteration_count = 5; unsigned char keyLen = 64; char *inKeyData = TEST_KEY; - static const unsigned char saltData[] = - { 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; + static const unsigned char saltData[] = { + 0x11, 0x39, 0x93, 0x54, 0x1C, 0xDD, 0xD7, 0x18, + 0x2F, 0x4A, 0xC1, 0x14, 0x03, 0x7A, 0x0B, 0x64, + 0x48, 0x99, 0xF4, 0x6D, 0xB7, 0x48, 0xE3, 0x3B, + 0x91, 0xBF, 0x65, 0xA9, 0x26, 0x83, 0xE8, 0x22 + }; + static const unsigned char pbkdf_known_answer[] = { - 0x31, 0xf0, 0xe5, 0x39, 0x9f, 0x39, 0xb9, 0x29, - 0x68, 0xac, 0xf2, 0xe9, 0x53, 0x9b, 0xb4, 0x9c, - 0x28, 0x59, 0x8b, 0x5c, 0xd8, 0xd4, 0x02, 0x37, - 0x18, 0x22, 0xc1, 0x92, 0xd0, 0xfa, 0x72, 0x90, - 0x2c, 0x8d, 0x19, 0xd4, 0x56, 0xfb, 0x16, 0xfa, - 0x8d, 0x5c, 0x06, 0x33, 0xd1, 0x5f, 0x17, 0xb1, - 0x22, 0xd9, 0x9c, 0xaf, 0x5e, 0x3f, 0xf3, 0x66, - 0xc6, 0x14, 0xfe, 0x83, 0xfa, 0x1a, 0x2a, 0xc5 + 0x44, 0xd2, 0xae, 0x2d, 0x45, 0xb9, 0x42, 0x70, + 0xcb, 0x3e, 0x40, 0xc5, 0xcf, 0x36, 0x9b, 0x5f, + 0xfc, 0x64, 0xb1, 0x10, 0x18, 0x4d, 0xd8, 0xb6, + 0x71, 0xa3, 0xc4, 0x4f, 0x1d, 0xa7, 0x8f, 0xa5, + 0x0c, 0x4b, 0x13, 0xce, 0x2f, 0x2b, 0x48, 0xe0, + 0xfc, 0x10, 0x6d, 0xf4, 0xfb, 0x71, 0x1b, 0x0e, + 0x33, 0x2c, 0x43, 0x43, 0xe1, 0x77, 0x16, 0xf5, + 0x1e, 0x96, 0xcd, 0x93, 0x21, 0xb8, 0x78, 0x32 }; sftk_PBELockInit(); 
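Review bot: The replacement `saltData` and `pbkdf_known_answer` arrays in `sftk_fips_pbkdf_PowerUpSelfTests` carry no comment saying how the expected output was produced, and the value can only match once `hashType` becomes `HASH_AlgSHA384` in the following hunk. A short comment above `pbkdf_known_answer` would let a reviewer regenerate the vector independently, for example `/* PBKDF2 with SHA-384, password TEST_KEY, the 32-byte salt above, 5 iterations, 64-byte output */`, adjusted to the derivation actually used. The same comment could record which compliance requirement drove the longer password and salt, since `iteration_count` stays at 5 in the context lines. The function body continues outside this hunk.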
@@ -1794,11 +1799,12 @@ sftk_fips_pbkdf_PowerUpSelfTests(void) * for NSSPKCS5_PBKDF2 */ pbe_params.iter = iteration_count; pbe_params.keyLen = keyLen; - pbe_params.hashType = HASH_AlgSHA256; + pbe_params.hashType = HASH_AlgSHA384; pbe_params.pbeType = NSSPKCS5_PBKDF2; pbe_params.is2KeyDES = PR_FALSE; result = nsspkcs5_ComputeKeyAndIV(&pbe_params, &inKey, NULL, PR_FALSE); + if ((result == NULL) || (result->len != sizeof(pbkdf_known_answer)) || (PORT_Memcmp(result->data, pbkdf_known_answer, sizeof(pbkdf_known_answer)) != 0)) { SECITEM_FreeItem(result, PR_TRUE); ++++++ nss-fips-tests-enable-fips.patch ++++++ Index: nss/tests/cert/cert.sh =================================================================== --- nss.orig/tests/cert/cert.sh +++ nss/tests/cert/cert.sh @@ -1353,6 +1353,11 @@ cert_stresscerts() ############################################################################## cert_fips() { + OLD_FIPS_MODE=`echo ${NSS_FIPS}` + OLD_CHECKSUMS_MODE=`echo ${NSS_IGNORE_CHECKSUMS}` + export NSS_FIPS=1 + export NSS_IGNORE_CHECKSUMS=1 + CERTFAILED=0 echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates ==============" cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}" @@ -1393,6 +1398,8 @@ MODSCRIPT cert_log "SUCCESS: FIPS passed" fi + export NSS_FIPS=${OLD_FIPS_MODE} + export NSS_IGNORE_CHECKSUMS=${OLD_CHECKSUMS_MODE} } ########################## cert_rsa_exponent ################################# ++++++ nss-fips-tests-skip.patch ++++++ Index: nss/tests/lowhash/lowhash.sh =================================================================== --- nss.orig/tests/lowhash/lowhash.sh +++ nss/tests/lowhash/lowhash.sh 
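Review bot: `cert_fips` in cert.sh restores `NSS_FIPS` and `NSS_IGNORE_CHECKSUMS` only on its last two lines, so any earlier exit from the function would leave both exported for the tests that follow; the body between the two hunks is not shown here. Because `NSS_IGNORE_CHECKSUMS=1` turns off an integrity check, leaking it into later test stages would silently weaken them. A comment at the top of the function saying why the override is needed would help, e.g. `# FIPS mode via env; checksums cannot be located before install`. The restore also leaves the variables set but empty when they were unset on entry, which `[ -n "${OLD_FIPS_MODE}" ] || unset NSS_FIPS` after the export would correct. The save can be written `OLD_FIPS_MODE=${NSS_FIPS}` without the backtick-echo subshell.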
@@ -61,11 +61,13 @@ lowhash_test() ! -f ${BINDIR}/lowhashtest${PROG_SUFFIX} ]; then echo "freebl lowhash not supported in this plaform." else - TESTS="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" + TESTS_FIPS_0="MD5 SHA1 SHA224 SHA256 SHA384 SHA512" + TESTS_FIPS_1="SHA224 SHA256 SHA384 SHA512" OLD_MODE=`echo ${NSS_FIPS}` for fips_mode in 0 1; do echo "lowhashtest with fips mode=${fips_mode}" export NSS_FIPS=${fips_mode} + eval TESTS=\${TESTS_FIPS_${fips_mode}} for TEST in ${TESTS} do echo "lowhashtest ${TEST}"
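Review bot: In FIPS mode the loop in `lowhash_test` now simply skips MD5 and SHA1 through `TESTS_FIPS_1`, so nothing in this test asserts that those digests are actually refused when `NSS_FIPS=1`. If the patched freebl is meant to reject them, a negative check that runs `lowhashtest` for the skipped names and expects a non-zero exit would catch a regression that re-enables them. `eval TESTS=\${TESTS_FIPS_${fips_mode}}` is safe only because `fips_mode` comes from the literal list `0 1`; a comment saying so, or a `case "${fips_mode}" in` selection, would keep a later edit from feeding other input to `eval`. The function continues outside this hunk.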