Bug 960241

Summary: Enable ECC in nss and freebl [rhel-5.10.0]
Product: Red Hat Enterprise Linux 5 Reporter: Elio Maldonado Batiz <emaldona>
Component: nssAssignee: Elio Maldonado Batiz <emaldona>
Status: CLOSED ERRATA QA Contact: Alicja Kario <hkario>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.10CC: amarecek, arubin, fweimer, hkario, rrelyea, sforsber
Target Milestone: rcKeywords: EasyFix
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.14.3-18.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 960193 Environment:
Last Closed: 2013-09-30 22:43:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 960193, 990223, 1002964    
Bug Blocks: 960208    
Attachments:
Description Flags
changes to support ecc in patch format
rrelyea: review+
ecc limited to suite b -- libraries
rrelyea: review+
ecc limited to suite b -- test scripts
rrelyea: review+
ecc limited to suite b -- spec file
rrelyea: review-
ecc limited to suite -- spec file changes in patch form
rrelyea: review+
ecc limited to suite b - ssl part - from upstream bug 857882 patches
rrelyea: review+
ecc limited to suite b - freebl/softoken part - from upstream bug 857882 patches
none
synch. up freebl with what we have on nss-softokn freebl for rhel-6.5 none

Description Elio Maldonado Batiz 2013-05-06 18:50:09 UTC 
+++ This bug was initially created as a clone of Bug #960193 +++

Description of problem:
The nss ECC code from upstream has traditionally beenstripped off to remove ecc and this code  needs to be included from now on. ECC will be supported on RHEL-6.5 and will also be part of the planned FIPS-140 revalidation.

Version-Release number of selected component (if applicable): 
6.5

How reproducible:
Always


Steps to Reproduce:
Unpack the upstream source tar ball and the one we use for the build and compare them as follows:
1. Download the upstrem sources from 
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-3.14.3.tar.gz
2. rhpk clone nss --branch rhel-6.5; cd nss
3. cd nss; rhpkg sources
4. mkdir -p compare/upstream
5. mkdir -p compare/downstream
6. cd upstream; tar xzf ${PATH_TO}/nss-3.14.3.tar.gz
7. cd ../downstream; tar xjf ${PATH_TO}/nss-3.14.3-stripped.tar.bz
  (the embedded "-stripped" in the name is a clue
8. cd ..
9. Use you favorite diffing tool
   meld upstram downstream fora visual display or diff to save a textual file

Actual results:
downtream/nss-3.14.3mozilla/security/nss/freebl 
is missing the ecc related sources
which are present on
upntream/nss-3.14.3/mozilla/security/nss/freebl

Expected results:
downtream's contents is identical upstream's

A similar compare can be done using the nss-softokn package.

Additional info: 
1) This needs fixing on both the nss and nss-softoken packages.
2) This needs fixinf on rhel-5.10 also. We will do a FIPS=140 reval of nss for rhel-6.5 and a vendor affirmation on rhel-5.10 whic requires that the code inside the crypto boundary be the same on 5.10 as it is on 6.5.

--- Additional comment from Elio Maldonado Batiz on 2013-05-06 12:39:37 EDT ---

Created attachment 744260 [details]
Required changes for ecc in patch format
Comment 1 Elio Maldonado Batiz 2013-05-06 18:51:40 UTC 
Created attachment 744291 [details]
changes to support ecc in patch format
Comment 2 Bob Relyea 2013-05-07 22:12:37 UTC 
Comment on attachment 744291 [details]
changes to support ecc in patch format

r+ Note: you haven't requested any acks...
Comment 3 RHEL Program Management 2013-05-07 22:18:34 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 8 Elio Maldonado Batiz 2013-05-18 22:20:12 UTC 
Created attachment 749766 [details]
ecc limited to suite b -- libraries
Comment 9 Elio Maldonado Batiz 2013-05-18 22:21:30 UTC 
Created attachment 749767 [details]
ecc limited to suite b -- test scripts
Comment 10 Elio Maldonado Batiz 2013-05-18 22:24:55 UTC 
Created attachment 749768 [details]
ecc limited to suite b -- spec file
Comment 11 Bob Relyea 2013-05-20 17:20:17 UTC 
Comment on attachment 749766 [details]
ecc limited to suite b -- libraries

r+ rrelyea
Comment 12 Bob Relyea 2013-05-20 17:21:18 UTC 
Comment on attachment 749767 [details]
ecc limited to suite b -- test scripts

r+ rrelyea
Comment 13 Bob Relyea 2013-05-20 17:22:56 UTC 
Comment on attachment 749768 [details]
ecc limited to suite b -- spec file

r-

You are still missing some SSL updates.
Also there is a patch to softoken that fixes how it reports it's ECC key length.


bob
Comment 14 Bob Relyea 2013-05-20 17:28:33 UTC 
Elio, the missing patch can be found in this upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=857882
Comment 15 Bob Relyea 2013-05-20 17:29:19 UTC 
Comment on attachment 749768 [details]
ecc limited to suite b -- spec file

oops, said the right thing in the comment, but did the wrong thing in the review.
Comment 16 Elio Maldonado Batiz 2013-05-21 18:32:33 UTC 
Created attachment 751340 [details]
ecc limited to suite  -- spec file changes in patch form
Comment 17 Elio Maldonado Batiz 2013-05-21 18:40:42 UTC 
Created attachment 751343 [details]
ecc limited to suite b - ssl part - from upstream bug 857882 patches
Comment 18 Bob Relyea 2013-05-21 22:13:28 UTC 
Comment on attachment 751343 [details]
ecc limited to suite b - ssl part - from upstream bug 857882 patches

r+ rrelyea
Comment 19 Bob Relyea 2013-05-21 22:14:15 UTC 
Comment on attachment 751340 [details]
ecc limited to suite  -- spec file changes in patch form

r+ rrelyea
Comment 20 Elio Maldonado Batiz 2013-05-21 22:40:54 UTC 
Created attachment 751441 [details]
ecc limited to suite b - freebl/softoken part - from upstream bug 857882 patches
Comment 23 Elio Maldonado Batiz 2013-07-30 19:02:10 UTC 
*** Bug 990223 has been marked as a duplicate of this bug. ***
Comment 24 Elio Maldonado Batiz 2013-08-01 21:07:35 UTC 
Created attachment 781776 [details]
synch. up freebl with what we have on nss-softokn freebl for rhel-6.5


On 08/01/2013 01:59 PM, Elio Maldonado wrote:
> The differences that I found. softoken is the same, freebl is not.
>
> -Elio
>
> ----- Forwarded Message -----
> From: "Elio Maldonado Batiz" <emaldona>
> To: "Elio Maldonado Batiz" <emaldona>
> Sent: Thursday, August 1, 2013 11:43:00 AM
> Subject: freebl mismatch rhel 5.10 versus 6.5
>
> Fix this on rhel-5.10. Softoken is okay but freebl isn't.
>
> Elio
OK, this patch should be added to rhel-5:

/mozilla/security/nss/lib/freebl/gcm.c.aesgcm5
--- nss/rhel-5.10/nss-3.14.3/mozilla/security/nss/lib/freebl/gcm.c.aesgcm5        2012-10-10 16:36:27.000000000 -0700
+++ nss-softokn/rhel-6.5/nss-softokn-3.14.3/mozilla/security/nss/lib/freebl/gcm.c.aesgcm5        2013-07-30 12:06:29.000000000 -0700
@@ -453,7 +453,9 @@
       * we can hash it */
      if (ghash->bufLen) {
          unsigned int needed = PR_MIN(len, blocksize - ghash->bufLen);
-        PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed);
+        if (needed != 0) {
+            PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed);
+        }
          buf += needed;
          len -= needed;
          ghash->bufLen += needed;
@@ -814,7 +816,7 @@
  
      /* get the authentication block */
      if (inlen < tagBytes) {
-        PORT_SetError(SEC_ERROR_INVALID_ARGS);
+        PORT_SetError(SEC_ERROR_INPUT_LEN);
          return SECFailure;
      }


r+ rrelyea.
Comment 25 Elio Maldonado Batiz 2013-08-05 18:30:45 UTC 
I had to cleanup the nss.spec file to avoild unnecessary patching of upperl level code that does not need compiling on phase 2 as we pick up the freeb/softoken related binary that we alreaday built on phase 1. The crypto-bounday boundary as well as code outside of it has not changed at all. As mentioned in the changelog, the spec file is now cleaner and should be easier to maintain.
Comment 26 Elio Maldonado Batiz 2013-08-05 23:19:39 UTC 
Going back to the nss-3.14.3-18.el5 build. The rpmdiff tools found some errors in the last -19 build. Some patches became unapplied in the nss side of the tree that shouln't have.  

I have rolled back the last change set and git is now at it's previous state. This is the safest course of action at this time. We can always do that spec file cleanup later, at a more appropriate time.
Comment 29 errata-xmlrpc 2013-09-30 22:43:13 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1318.html