+++ This bug was initially created as a clone of Bug #960193 +++ Description of problem: The nss ECC code from upstream has traditionally beenstripped off to remove ecc and this code needs to be included from now on. ECC will be supported on RHEL-6.5 and will also be part of the planned FIPS-140 revalidation. Version-Release number of selected component (if applicable): 6.5 How reproducible: Always Steps to Reproduce: Unpack the upstream source tar ball and the one we use for the build and compare them as follows: 1. Download the upstrem sources from https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_14_3_RTM/src/nss-3.14.3.tar.gz 2. rhpk clone nss --branch rhel-6.5; cd nss 3. cd nss; rhpkg sources 4. mkdir -p compare/upstream 5. mkdir -p compare/downstream 6. cd upstream; tar xzf ${PATH_TO}/nss-3.14.3.tar.gz 7. cd ../downstream; tar xjf ${PATH_TO}/nss-3.14.3-stripped.tar.bz (the embedded "-stripped" in the name is a clue 8. cd .. 9. Use you favorite diffing tool meld upstram downstream fora visual display or diff to save a textual file Actual results: downtream/nss-3.14.3mozilla/security/nss/freebl is missing the ecc related sources which are present on upntream/nss-3.14.3/mozilla/security/nss/freebl Expected results: downtream's contents is identical upstream's A similar compare can be done using the nss-softokn package. Additional info: 1) This needs fixing on both the nss and nss-softoken packages. 2) This needs fixinf on rhel-5.10 also. We will do a FIPS=140 reval of nss for rhel-6.5 and a vendor affirmation on rhel-5.10 whic requires that the code inside the crypto boundary be the same on 5.10 as it is on 6.5. --- Additional comment from Elio Maldonado Batiz on 2013-05-06 12:39:37 EDT --- Created attachment 744260 [details] Required changes for ecc in patch format
Created attachment 744291 [details] changes to support ecc in patch format
Comment on attachment 744291 [details] changes to support ecc in patch format r+ Note: you haven't requested any acks...
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Created attachment 749766 [details] ecc limited to suite b -- libraries
Created attachment 749767 [details] ecc limited to suite b -- test scripts
Created attachment 749768 [details] ecc limited to suite b -- spec file
Comment on attachment 749766 [details] ecc limited to suite b -- libraries r+ rrelyea
Comment on attachment 749767 [details] ecc limited to suite b -- test scripts r+ rrelyea
Comment on attachment 749768 [details] ecc limited to suite b -- spec file r- You are still missing some SSL updates. Also there is a patch to softoken that fixes how it reports it's ECC key length. bob
Elio, the missing patch can be found in this upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=857882
Comment on attachment 749768 [details] ecc limited to suite b -- spec file oops, said the right thing in the comment, but did the wrong thing in the review.
Created attachment 751340 [details] ecc limited to suite -- spec file changes in patch form
Created attachment 751343 [details] ecc limited to suite b - ssl part - from upstream bug 857882 patches
Comment on attachment 751343 [details] ecc limited to suite b - ssl part - from upstream bug 857882 patches r+ rrelyea
Comment on attachment 751340 [details] ecc limited to suite -- spec file changes in patch form r+ rrelyea
Created attachment 751441 [details] ecc limited to suite b - freebl/softoken part - from upstream bug 857882 patches
*** Bug 990223 has been marked as a duplicate of this bug. ***
Created attachment 781776 [details] synch. up freebl with what we have on nss-softokn freebl for rhel-6.5 On 08/01/2013 01:59 PM, Elio Maldonado wrote: > The differences that I found. softoken is the same, freebl is not. > > -Elio > > ----- Forwarded Message ----- > From: "Elio Maldonado Batiz" <emaldona> > To: "Elio Maldonado Batiz" <emaldona> > Sent: Thursday, August 1, 2013 11:43:00 AM > Subject: freebl mismatch rhel 5.10 versus 6.5 > > Fix this on rhel-5.10. Softoken is okay but freebl isn't. > > Elio OK, this patch should be added to rhel-5: /mozilla/security/nss/lib/freebl/gcm.c.aesgcm5 --- nss/rhel-5.10/nss-3.14.3/mozilla/security/nss/lib/freebl/gcm.c.aesgcm5 2012-10-10 16:36:27.000000000 -0700 +++ nss-softokn/rhel-6.5/nss-softokn-3.14.3/mozilla/security/nss/lib/freebl/gcm.c.aesgcm5 2013-07-30 12:06:29.000000000 -0700 @@ -453,7 +453,9 @@ * we can hash it */ if (ghash->bufLen) { unsigned int needed = PR_MIN(len, blocksize - ghash->bufLen); - PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed); + if (needed != 0) { + PORT_Memcpy(ghash->buffer+ghash->bufLen, buf, needed); + } buf += needed; len -= needed; ghash->bufLen += needed; @@ -814,7 +816,7 @@ /* get the authentication block */ if (inlen < tagBytes) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); + PORT_SetError(SEC_ERROR_INPUT_LEN); return SECFailure; } r+ rrelyea.
I had to cleanup the nss.spec file to avoild unnecessary patching of upperl level code that does not need compiling on phase 2 as we pick up the freeb/softoken related binary that we alreaday built on phase 1. The crypto-bounday boundary as well as code outside of it has not changed at all. As mentioned in the changelog, the spec file is now cleaner and should be easier to maintain.
Going back to the nss-3.14.3-18.el5 build. The rpmdiff tools found some errors in the last -19 build. Some patches became unapplied in the nss side of the tree that shouln't have. I have rolled back the last change set and git is now at it's previous state. This is the safest course of action at this time. We can always do that spec file cleanup later, at a more appropriate time.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1318.html