building SLES 12 RPM for nss-3.95, missing BL_FIPSRepeatIntegrityCheck()


Brian Reichert

Nov 28, 2023, 4:41:57 PM
to dev-tec...@lists.mozilla.org
I successfully built NSS 3.93 for SLES 12 several weeks ago.

I'm now trying to build NSS 3.95, and am running into challenges.

Among them:

ldvector.c:435:5: error: 'BL_FIPSRepeatIntegrityCheck' undeclared here (not in a function)
435 | BL_FIPSRepeatIntegrityCheck
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
../../coreconf/rules.mk:292: recipe for target
'Linux4.12_x86_64_gcc-9_glibc_PTH_64_OPT.OBJ/Linux_SINGLE_SHLIB/ldvector.o' failed

When I paw through the source, I see this in ./nss/lib/freebl/blapi.h:

/* Unconditionally run the integrity check. */
extern void BL_FIPSRepeatIntegrityCheck(void);

What would provide this function?

--
Brian Reichert <reic...@numachi.com>
BSD admin/developer at large

Martin Sirringhaus

Nov 29, 2023, 2:08:40 AM
to dev-tec...@mozilla.org
Hi Brian,

> I successfully built NSS 3.93 for SLES 12 several weeks ago.

Glad it worked out!

> I'm now trying to build NSS 3.95, and am running into challenges.
>
> Among them:
>
> ldvector.c:435:5: error: 'BL_FIPSRepeatIntegrityCheck' undeclared here (not in a function)
> 435 | BL_FIPSRepeatIntegrityCheck
> | ^~~~~~~~~~~~~~~~~~~~~~~~~~~
> ../../coreconf/rules.mk:292: recipe for target
> 'Linux4.12_x86_64_gcc-9_glibc_PTH_64_OPT.OBJ/Linux_SINGLE_SHLIB/ldvector.o' failed
>
> When I paw through the source, I see this in ./nss/lib/freebl/blapi.h:
>
> /* Unconditionally run the integrity check. */
> extern void BL_FIPSRepeatIntegrityCheck(void);
>
> What would provide this function?

Our FIPS patches, or more specifically nss-fips-constructor-self-tests.patch

I'm not sure if you really want to continue with the whole set of
FIPS patches we have.
You can find the patches rebased to at least 3.94 here:
https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss

But I would suggest you simply do not apply them at all if you are not
after a FIPS certification.
They are currently kept alive only in a minimal-effort kind of way for
newer NSS versions. They should only be used for the ESR version of NSS.

Cheers,
Martin
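
A small script that answers Brian's question mechanically (which patch adds the definition of a symbol the compiler reports as undeclared), added here as an example and not code from the thread, from NSS or from the openSUSE package; the patch file names and diff bodies in `make_sample_patches` are constructed, modelled on the blapi.h prototype quoted above.

```shell
# Added example, not code from the thread or from NSS/openSUSE. Given a symbol
# the compiler reports as undeclared, report which patch in a directory adds a
# definition for it. Heuristic: an added ('+') diff line containing "SYMBOL("
# that does not end in ';' is a definition; prototypes and calls end in ';' and
# a bare table entry like ldvector.c's "BL_FIPSRepeatIntegrityCheck," has no '('.
find_symbol_provider() {
    sym="$1"
    dir="$2"
    rc=1
    for p in "$dir"/*.patch; do
        [ -f "$p" ] || continue
        if grep -E '^\+[^+]' "$p" \
            | grep -E "[^A-Za-z0-9_]${sym}[[:space:]]*\(" \
            | grep -v -E ';[[:space:]]*$' \
            | grep -q .; then
            basename "$p"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample patches (hypothetical names and bodies, modelled on the
# blapi.h prototype quoted in the thread) for trying the function out.
make_sample_patches() {
    cat > "$1/nss-fips-header.patch" <<'EOF'
--- a/lib/freebl/blapi.h
+++ b/lib/freebl/blapi.h
@@ -1,0 +2,2 @@
+/* Unconditionally run the integrity check. */
+extern void BL_FIPSRepeatIntegrityCheck(void);
EOF
    cat > "$1/nss-fips-ldvector.patch" <<'EOF'
--- a/lib/freebl/ldvector.c
+++ b/lib/freebl/ldvector.c
@@ -434,0 +435,1 @@
+    BL_FIPSRepeatIntegrityCheck,
EOF
    cat > "$1/nss-fips-constructor-self-tests.patch" <<'EOF'
--- a/lib/freebl/fipsfreebl.c
+++ b/lib/freebl/fipsfreebl.c
@@ -1,0 +2,5 @@
+void
+BL_FIPSRepeatIntegrityCheck(void)
+{
+    /* placeholder body; the real patch runs the FIPS integrity check here */
+}
EOF
}
```

Against a real checkout, run `find_symbol_provider BL_FIPSRepeatIntegrityCheck /path/to/patches`; it prints the patch names that define the symbol and exits non-zero when none does.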

Brian Reichert

Nov 29, 2023, 5:14:15 PM
to Martin Sirringhaus, dev-tec...@mozilla.org
On Wed, Nov 29, 2023 at 08:08:34AM +0100, Martin Sirringhaus wrote:
> But I would suggest you simply do not apply them at all if you are not
> after a FIPS certification.
> They are currently kept alive only in a minimal-effort kind of way for
> newer NSS versions. They should only be used for the ESR version of NSS.

Thanks for your advice. I was able to port the patches I have, and
they seem to apply cleanly.

I'm bombing out on three tests, however. They all seem to have this
same flavor of error:

cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (12) - FAILED
cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 12
cert.sh: Setting invalid database password in FIPS mode
--------------------------
certutil -W -d /home/breichert/rpmbuild/mozilla-nss/BUILD/nss-3.95/tests_results/security/localhost.1/fips -f ../tests.fipspw -@ ../tests.fipsbadpw
Failed to change password.
certutil: Could not set password for the slot: SEC_ERROR_INVALID_PASSWORD: Password entered is invalid. Please pick a different one.

Is it possible these are due to my mismanaging the patches? Or is
this a known issue with this release?

> Cheers,
> Martin

Martin Sirringhaus

Nov 30, 2023, 1:42:07 AM
to Brian Reichert, dev-tec...@mozilla.org
> I'm bombing out on three tests, however. They all seem to have this
> same flavor of error:
>
> cert.sh: #291: Enable FIPS mode on database for FIPS PUB 140 Test Certificate (12) - FAILED
> cert.sh ERROR: Enable FIPS mode on database for FIPS PUB 140 Test Certificate failed 12
> cert.sh: Setting invalid database password in FIPS mode
> --------------------------
> certutil -W -d /home/breichert/rpmbuild/mozilla-nss/BUILD/nss-3.95/tests_results/security/localhost.1/fips -f ../tests.fipspw -@ ../tests.fipsbadpw
> Failed to change password.
> certutil: Could not set password for the slot: SEC_ERROR_INVALID_PASSWORD: Password entered is invalid. Please pick a different one.
>
> Is it possible these are due to my mismanaging the patches? Or is
> this a known issue with this release?

Do you have this patch as well?
https://build.opensuse.org/package/view_file/mozilla:Factory/mozilla-nss/nss-fips-test.patch?expand=1

That should fix those 3 failing tests.
We are currently still discussing whether this behavior is according to
the FIPS specification or not. But it's not a big deal, and that patch
should fix it for now.

Cheers,
Martin

Brian Reichert

Nov 30, 2023, 1:19:48 PM
to Martin Sirringhaus, Brian Reichert, dev-tec...@mozilla.org
On Thu, Nov 30, 2023 at 07:41:44AM +0100, Martin Sirringhaus wrote:
> Do you have this patch as well?
> https://build.opensuse.org/package/view_file/mozilla:Factory/mozilla-nss/nss-fips-test.patch?expand=1
>
> That should fix those 3 failing tests.

I did not; I have incorporated it, and now all tests complete.

Took forever, though:

breichert@sles12breichert:~/rpmbuild/mozilla-nss> time rpmbuild --buildroot $PWD/BUILDROOT \
> --clean \
> --define "_topdir $PWD" \
> -bb SPECS/mozilla-nss.spec >& build.log; echo $?

real 105m26.864s
user 102m31.711s
sys 3m42.582s
0

I appreciate the guidance in this!

> We are currently still discussing whether this behavior is according to
> the FIPS specification or not. But it's not a big deal, and that patch
> should fix it for now.
>
> Cheers,
> Martin
