Bug 960208 - Enable ECC in nss-softoken [rhel-6.5.0]
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss-softokn
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 6.5
Assigned To: Elio Maldonado Batiz
QA Contact: Hubert Kario
Depends On: 960193 960241 990223 1002964
Blocks: RHEL65FIPS140
Reported: 2013-05-06 13:05 EDT by Elio Maldonado Batiz
Modified: 2013-11-21 01:14 EST
Fixed In Version: nss-softokn-3.14.3-5.el6
Doc Type: Bug Fix
Clone Of: 960193
Last Closed: 2013-11-21 01:14:28 EST
Type: Bug
Attachments
1. changes to support ecc in patch form (2.56 KB, patch), 2013-05-06 13:13 EDT, Elio Maldonado Batiz. Flags: rrelyea: review+
2. limit ecc to suite b and deal with key sizes (2.08 KB, patch), 2013-05-22 17:20 EDT, Elio Maldonado Batiz. Flags: none
3. spec file changes for ecc in patch format (4.60 KB, patch), 2013-05-22 17:25 EDT, Elio Maldonado Batiz. Flags: none
4. limit the ecc support to suite-b only and deal with key sizes (2.14 KB, patch), 2013-06-20 14:22 EDT, Elio Maldonado Batiz. Flags: rrelyea: review+


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1558 normal SHIPPED_LIVE nss and nspr bug fix and enhancement update 2013-11-20 19:40:48 EST

Description Elio Maldonado Batiz 2013-05-06 13:05:18 EDT
+++ This bug was initially created as a clone of Bug #960193 +++

Description of problem:
The nss ECC code from upstream has traditionally been stripped off to remove ecc and this code needs to be included from now on. ECC will be supported on RHEL-6.5 and will also be part of the planned FIPS-140 revalidation.

Version-Release number of selected component (if applicable): 
6.5

How reproducible:
Always


Steps to Reproduce:
Unpack the upstream source tar ball and the one we use for the build and compare them as follows:
1. Download the upstream sources from 
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-3.14.3.tar.gz
2. rhpkg clone nss --branch rhel-6.5; cd nss
3. cd nss; rhpkg sources
4. mkdir -p compare/upstream
5. mkdir -p compare/downstream
6. cd upstream; tar xzf ${PATH_TO}/nss-3.14.3.tar.gz
7. cd ../downstream; tar xjf ${PATH_TO}/nss-3.14.3-stripped.tar.bz
  (the embedded "-stripped" in the name is a clue)
8. cd ..
9. Use your favorite diffing tool
   meld upstream downstream for a visual display, or diff to save a textual file

Actual results:
downstream/nss-3.14.3/mozilla/security/nss/freebl 
is missing the ecc related sources
which are present on
upstream/nss-3.14.3/mozilla/security/nss/freebl

Expected results:
downstream's contents are identical to upstream's

A similar compare can be done using the nss-softokn package.

Additional info: 
1) This needs fixing on both the nss and nss-softokn packages.
2) This needs fixing on rhel-5.10 also. We will do a FIPS-140 reval of nss for rhel-6.5 and a vendor affirmation on rhel-5.10 which requires that the code inside the crypto boundary be the same on 5.10 as it is on 6.5.

--- Additional comment from Elio Maldonado Batiz on 2013-05-06 12:39:37 EDT ---

Created attachment 744260 [details]
Required changes for ecc in patch format
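
The tree comparison from the steps to reproduce, scripted so the result is a list of paths rather than a visual diff. This is an added example, not part of the bug report; the function names and the small trees built by `make_sample_trees` are constructed for illustration and do not reflect the real tarball contents.

```shell
#!/bin/sh
# Added example (not from the bug report): compare an unpacked upstream source
# tree with an unpacked downstream ("-stripped") tree.

# list_files DIR: regular files under DIR, relative paths, byte-sorted.
list_files() {
    ( cd "$1" && find . -type f | LC_ALL=C sort )
}

# missing_downstream UP DOWN: paths present in UP but absent from DOWN.
missing_downstream() {
    md_up=$(mktemp) && md_down=$(mktemp) || return 1
    list_files "$1" > "$md_up"
    list_files "$2" > "$md_down"
    LC_ALL=C comm -23 "$md_up" "$md_down"   # lines unique to the upstream list
    rm -f "$md_up" "$md_down"
}

# changed_in_both UP DOWN: paths present in both trees whose bytes differ.
changed_in_both() {
    list_files "$1" | while IFS= read -r cb_path; do
        [ -f "$2/$cb_path" ] || continue
        cmp -s "$1/$cb_path" "$2/$cb_path" || printf '%s\n' "$cb_path"
    done
}

# make_sample_trees ROOT: build small constructed trees for a dry run.
# File names and contents are stand-ins, not the real tarball contents.
make_sample_trees() {
    ms_sub=nss-3.14.3/mozilla/security/nss/freebl
    mkdir -p "$1/upstream/$ms_sub/ecl" "$1/downstream/$ms_sub"
    echo 'int sha;' > "$1/upstream/$ms_sub/sha512.c"
    echo 'int sha;' > "$1/downstream/$ms_sub/sha512.c"
    echo 'ECC=1'    > "$1/upstream/$ms_sub/manifest.mn"
    echo 'ECC=0'    > "$1/downstream/$ms_sub/manifest.mn"
    echo 'int ec;'  > "$1/upstream/$ms_sub/ec.c"
    echo 'int ecl;' > "$1/upstream/$ms_sub/ecl/ecl.c"
}

# Stand-alone use: script.sh compare/upstream compare/downstream
if [ "$#" -eq 2 ]; then
    echo "== only upstream ==";   missing_downstream "$1" "$2"
    echo "== content differs =="; changed_in_both "$1" "$2"
fi
```

The second list matters as much as the first: a stripped tarball can also carry edited build files, which a file-presence check alone would not show.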
Comment 1 Elio Maldonado Batiz 2013-05-06 13:13:54 EDT
Created attachment 744266 [details]
changes to support ecc in patch form
Comment 3 Bob Relyea 2013-05-06 14:08:23 EDT
Comment on attachment 744266 [details]
changes to support ecc in patch form

r+ rrelyea
Comment 4 Elio Maldonado Batiz 2013-05-22 17:20:27 EDT
Created attachment 751909 [details]
limit ecc to suite b and deal with key sizes

freebl / softoken portion of the upstream bug 857882. This is identical to the nss patch already applied for RHEL-5.10
Comment 5 Elio Maldonado Batiz 2013-05-22 17:25:39 EDT
Created attachment 751910 [details]
spec file changes for ecc in patch format
Comment 9 Elio Maldonado Batiz 2013-06-20 14:22:40 EDT
Created attachment 763559 [details]
limit the ecc support to suite-b only and deal with key sizes

This is the one I actually applied. The old one this obsoletes had _BITS missing from the macro names.
Comment 10 Bob Relyea 2013-06-20 14:39:24 EDT
Comment on attachment 763559 [details]
limit the ecc support to suite-b only and deal with key sizes

r+ rrelyea

Yup, this is the one you need.
Comment 14 Hubert Kario 2013-09-13 07:38:52 EDT
When trying to run selfserv I get an error:

selfserv: PR_SetFDInheritable returned error -5987:
Invalid function argument

that is using:
nspr-4.10.0-1.el6.x86_64
nss-softokn-freebl-3.14.3-6.el6.x86_64
nss-util-devel-3.15.1-2.el6.i686
nss-softokn-fips-3.14.3-6.el6.i686
nss-util-devel-3.15.1-2.el6.x86_64
nss-debuginfo-3.15.1-3.el6.x86_64
nss-softokn-freebl-devel-3.14.3-6.el6.i686
nss-3.15.1-3.el6.i686
nss-tools-3.15.1-3.el6.i686
nss-util-3.15.1-2.el6.x86_64
nspr-devel-4.10.0-1.el6.i686
nss-softokn-3.14.3-6.el6.x86_64
nss-sysinit-3.15.1-3.el6.x86_64
nss-softokn-freebl-fips-3.14.3-6.el6.i686
nss-softokn-devel-3.14.3-6.el6.x86_64
nss-softokn-fips-3.14.3-6.el6.x86_64
nss-softokn-freebl-fips-3.14.3-6.el6.x86_64
nspr-devel-4.10.0-1.el6.x86_64
nss-softokn-debuginfo-3.14.3-6.el6.x86_64
nspr-debuginfo-4.10.0-1.el6.x86_64
nss-softokn-freebl-3.14.3-6.el6.i686
nss-softokn-3.14.3-6.el6.i686
nss-devel-3.15.1-3.el6.i686
nss-pkcs11-devel-3.15.1-3.el6.i686
nss-devel-3.15.1-3.el6.x86_64
nss-sysinit-3.15.1-3.el6.i686
nspr-4.10.0-1.el6.i686
nss-3.15.1-3.el6.x86_64
nss-softokn-freebl-devel-3.14.3-6.el6.x86_64
nss-tools-3.15.1-3.el6.x86_64
nss-util-debuginfo-3.15.1-2.el6.x86_64
nss-util-3.15.1-2.el6.i686
nss-softokn-devel-3.14.3-6.el6.i686
nss-pkcs11-devel-3.15.1-3.el6.x86_64
Comment 16 errata-xmlrpc 2013-11-21 01:14:28 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1558.html
