Red Hat Bugzilla – Bug 960208
Enable ECC in nss-softoken [rhel-6.5.0]
Last modified: 2013-11-21 01:14:28 EST
+++ This bug was initially created as a clone of Bug #960193 +++

Description of problem:
The nss ECC code from upstream has traditionally been stripped off to remove ecc and this code needs to be included from now on. ECC will be supported on RHEL-6.5 and will also be part of the planned FIPS-140 revalidation.

Version-Release number of selected component (if applicable):
6.5

How reproducible:
Always

Steps to Reproduce:
Unpack the upstream source tar ball and the one we use for the build and compare them as follows:
1. Download the upstream sources from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-3.14.3.tar.gz
2. rhpkg clone nss --branch rhel-6.5; cd nss
3. cd nss; rhpkg sources
4. mkdir -p compare/upstream
5. mkdir -p compare/downstream
6. cd upstream; tar xzf ${PATH_TO}/nss-3.14.3.tar.gz
7. cd ../downstream; tar xjf ${PATH_TO}/nss-3.14.3-stripped.tar.bz (the embedded "-stripped" in the name is a clue)
8. cd ..
9. Use your favorite diffing tool, meld upstream downstream for a visual display or diff to save a textual file

Actual results:
downstream/nss-3.14.3/mozilla/security/nss/freebl is missing the ecc related sources which are present on upstream/nss-3.14.3/mozilla/security/nss/freebl

Expected results:
downstream's contents are identical to upstream's

A similar compare can be done using the nss-softokn package.

Additional info:
1) This needs fixing on both the nss and nss-softoken packages.
2) This needs fixing on rhel-5.10 also. We will do a FIPS-140 reval of nss for rhel-6.5 and a vendor affirmation on rhel-5.10 which requires that the code inside the crypto boundary be the same on 5.10 as it is on 6.5.

--- Additional comment from Elio Maldonado Batiz on 2013-05-06 12:39:37 EDT ---
Created attachment 744260 [details]
Required changes for ecc in patch format
Created attachment 744266 [details] changes to support ecc in patch form
Comment on attachment 744266 [details] changes to support ecc in patch form
r+ rrelyea
Created attachment 751909 [details] limit ecc to suite b and deal with key sizes
freebl / softoken portion of the upstream bug 857882. This is identical to the nss patch already applied for RHEL-5.10
Created attachment 751910 [details] spec file changes for ecc in patch format
Created attachment 763559 [details] limit the ecc support to suite-b only and deal with key sizes
This is the one I actually applied. The old one this obsoletes had _BITS missing from the macro names.
Comment on attachment 763559 [details] limit the ecc support to suite-b only and deal with key sizes
r+ rrelyea
Yup, this is the one you need.
When trying to run selfserv I get error:
selfserv: PR_SetFDInheritable returned error -5987: Invalid function argument
that is using:
nspr-4.10.0-1.el6.x86_64
nss-softokn-freebl-3.14.3-6.el6.x86_64
nss-util-devel-3.15.1-2.el6.i686
nss-softokn-fips-3.14.3-6.el6.i686
nss-util-devel-3.15.1-2.el6.x86_64
nss-debuginfo-3.15.1-3.el6.x86_64
nss-softokn-freebl-devel-3.14.3-6.el6.i686
nss-3.15.1-3.el6.i686
nss-tools-3.15.1-3.el6.i686
nss-util-3.15.1-2.el6.x86_64
nspr-devel-4.10.0-1.el6.i686
nss-softokn-3.14.3-6.el6.x86_64
nss-sysinit-3.15.1-3.el6.x86_64
nss-softokn-freebl-fips-3.14.3-6.el6.i686
nss-softokn-devel-3.14.3-6.el6.x86_64
nss-softokn-fips-3.14.3-6.el6.x86_64
nss-softokn-freebl-fips-3.14.3-6.el6.x86_64
nspr-devel-4.10.0-1.el6.x86_64
nss-softokn-debuginfo-3.14.3-6.el6.x86_64
nspr-debuginfo-4.10.0-1.el6.x86_64
nss-softokn-freebl-3.14.3-6.el6.i686
nss-softokn-3.14.3-6.el6.i686
nss-devel-3.15.1-3.el6.i686
nss-pkcs11-devel-3.15.1-3.el6.i686
nss-devel-3.15.1-3.el6.x86_64
nss-sysinit-3.15.1-3.el6.i686
nspr-4.10.0-1.el6.i686
nss-3.15.1-3.el6.x86_64
nss-softokn-freebl-devel-3.14.3-6.el6.x86_64
nss-tools-3.15.1-3.el6.x86_64
nss-util-debuginfo-3.15.1-2.el6.x86_64
nss-util-3.15.1-2.el6.i686
nss-softokn-devel-3.14.3-6.el6.i686
nss-pkcs11-devel-3.15.1-3.el6.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1558.html