Update patch to latest FIPS fixes

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=472
2025-03-05 19:49:24 +00:00 · 2025-03-05 19:49:24 +00:00 · 57b6c777a1
commit 57b6c777a1
parent 99b17fbdca
2 changed files with 27 additions and 3 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Mar  5 10:17:10 UTC 2025 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Updated nss-fips-approved-crypto-non-ec.patch to not pass in
+  bad targetKeyLength parameters when checking for FIPS approval
+  after keygen. This was causing false rejections.
+
+- Updated nss-fips-approved-crypto-non-ec.patch to approve
+  RSA signature verification  mechanisms with PKCS padding and
+  legacy moduli (bsc#1222834).
+
 -------------------------------------------------------------------
 Sun Mar  2 09:04:20 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/nss-fips-approved-crypto-non-ec.patch
+++ b/nss-fips-approved-crypto-non-ec.patch
@ -426,8 +426,8 @@ Index: nss/lib/softoken/pkcs11c.c
         return crv;
     }
 
-+    publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, bitSize);
-+    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, bitSize);
+    publicKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, publicKey, 0);
+    privateKey->isFIPS = sftk_operationIsFIPS(slot, pMechanism, CKA_KEY_PAIR_GEN_MECHANISM, privateKey, 0);
 +    session->lastOpWasFIPS = privateKey->isFIPS;
 +
     *phPrivateKey = privateKey->handle;
@ -636,7 +636,20 @@ Index: nss/lib/softoken/fips_algorithms.h
     /* -------------- RSA Multipart Signing Operations -------------------- */
     { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
     { CKM_SHA256_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
-@@ -88,21 +116,33 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
+@@ -79,30 +107,42 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[]
+     { CKM_SHA256_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+     { CKM_SHA384_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+     { CKM_SHA512_RSA_PKCS_PSS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSRSAPSS },
+-    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+-    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+-    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+-    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+    { CKM_SHA224_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA256_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA384_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+    { CKM_SHA512_RSA_PKCS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSNone },
+     { CKM_SHA224_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
+     { CKM_SHA256_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
     { CKM_SHA384_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
     { CKM_SHA512_RSA_PKCS_PSS, { RSA_LEGACY_FB_KEY, CKF_VERIFY }, RSA_LEGACY_FB_STEP, SFTKFIPSRSAPSS },
     /* ------------------------- DSA Operations --------------------------- */