- update to NSS 3.86

* bmo#1803190 - conscious language removal in NSS * bmo#1794506 - Set nssckbi version number to 2.60 * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and CKA_NSS_EMAIL_DISTRUST_AFTER for 3 TrustCor Root Certificates * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS * bmo#1797559 - Remove EC-ACC root cert from NSS * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS * bmo#1794495 - Remove Network Solutions Certificate Authority * bmo#1802331 - compress docker image artifact with zstd * bmo#1799315 - Migrate nss from AWS to GCP * bmo#1800989 - Enable static builds in the CI * bmo#1765759 - Removing SAW docker from the NSS build system * bmo#1783231 - Initialising variables in the rsa blinding code * bmo#320582 - Implementation of the double-signing of the message for ECDSA * bmo#1783231 - Adding exponent blinding for RSA. OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=403
2023-01-15 21:31:50 +00:00 · 2023-01-15 21:31:50 +00:00 · 8f950e8007
commit 8f950e8007
parent d1813b37b2
5 changed files with 41 additions and 17 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Sun Jan 15 20:25:25 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.86
+  * bmo#1803190 - conscious language removal in NSS
+  * bmo#1794506 - Set nssckbi version number to 2.60
+  * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and
+                  CKA_NSS_EMAIL_DISTRUST_AFTER for 3
+                  TrustCor Root Certificates
+  * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS
+  * bmo#1797559 - Remove EC-ACC root cert from NSS
+  * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS
+  * bmo#1794495 - Remove Network Solutions Certificate Authority
+  * bmo#1802331 - compress docker image artifact with zstd
+  * bmo#1799315 - Migrate nss from AWS to GCP
+  * bmo#1800989 - Enable static builds in the CI
+  * bmo#1765759 - Removing SAW docker from the NSS build system
+  * bmo#1783231 - Initialising variables in the rsa blinding code
+  * bmo#320582 - Implementation of the double-signing of the message
+                 for ECDSA
+  * bmo#1783231 - Adding exponent blinding for RSA.
+
 -------------------------------------------------------------------
 Mon Dec  5 13:32:45 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -1,8 +1,8 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2022 SUSE LLC
-# Copyright (c) 2006-2022 Wolfgang Rosenauer
+# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2006-2023 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -17,14 +17,14 @@
 #


-%global nss_softokn_fips_version 3.85
+%global nss_softokn_fips_version 3.86
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.85
+Version:        3.86
 Release:        0
-%define underscore_version 3_85
+%define underscore_version 3_86
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
--- a/nss-3.85.tar.gz
+++ b/nss-3.85.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:afd9d64510b1154debbd6cab3571e9ff64a3373898e03483e4c85cdada13d297
-size 84717969
--- a/nss-3.86.tar.gz
+++ b/nss-3.86.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3f385fc686476bbba811035fa6821b542475d55747b18c20c221d4d66573b975
+size 71423531
--- a/nss-fips-rsa-keygen-strictness.patch
+++ b/nss-fips-rsa-keygen-strictness.patch
@ -9,6 +9,7 @@ Author: Hans Petter Jansson <hpj@cl.no>
    Patch 16: nss-fips-rsa-keygen-strictness.patch

 diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c
+index b757150..41d08b1 100644
 --- a/lib/freebl/mpi/mpprime.c
 +++ b/lib/freebl/mpi/mpprime.c
@@ -14,6 +14,8 @@
@ -20,7 +21,7 @@ diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c
 #define SMALL_TABLE 0 /* determines size of hard-wired prime table */
 
 #define RANDOM() rand()
-@@ -451,6 +453,25 @@
+@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, mp_size nBits, mp_size strong, mpp_rand
     } else
         num_tests = 50;
 
@ -47,6 +48,7 @@ diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c
         --nBits;
     MP_CHECKOK(mpl_set_bit(start, nBits - 1, 1));
 diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
+index 2b8a3bf..8d40d11 100644
 --- a/lib/freebl/rsa.c
 +++ b/lib/freebl/rsa.c
@@ -16,11 +16,13 @@
@ -61,9 +63,9 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
 #include "blapii.h"
 +#include "fips.h"
 
- /*
- ** Number of times to attempt to generate a prime (p or q) from a random
-@@ -143,11 +145,24 @@
+ /* The minimal required randomness is 64 bits */
+ /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */
+@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, const mp_int *q,
             err = mp_invmod(d, &phi, e);
         } else {
             err = mp_invmod(e, &phi, d);
@ -90,7 +92,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
     if (err != MP_OKAY) {
         if (err == MP_UNDEF) {
             PORT_SetError(SEC_ERROR_NEED_RANDOM);
-@@ -280,10 +295,12 @@
+@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
     mp_int q = { 0, 0, 0, NULL };
     mp_int e = { 0, 0, 0, NULL };
     mp_int d = { 0, 0, 0, NULL };
@ -104,7 +106,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
     int prerr = 0;
     RSAPrivateKey *key = NULL;
     PLArenaPool *arena = NULL;
-@@ -301,11 +318,40 @@
+@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         goto cleanup;
     }
@ -149,7 +151,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
     }
 #endif
 
-@@ -323,12 +369,7 @@
+@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
     key->arena = arena;
     /* length of primes p and q (in bytes) */
     primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE);
@ -163,7 +165,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
     /* 3.  Set the version number (PKCS1 v1.5 says it should be zero) */
     SECITEM_AllocItem(arena, &key->version, 1);
     key->version.data[0] = 0;
-@@ -339,13 +380,64 @@
+@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent)
         PORT_SetError(0);
         CHECK_SEC_OK(generate_prime(&p, primeLen));
         CHECK_SEC_OK(generate_prime(&q, primeLen));
@ -229,7 +231,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c
         /* Attempt to use these primes to generate a key */
         rv = rsa_build_from_primes(&p, &q,
                                    &e, PR_FALSE, /* needPublicExponent=false */
-@@ -368,7 +460,9 @@
+@@ -374,7 +466,9 @@ cleanup:
     mp_clear(&q);
     mp_clear(&e);
     mp_clear(&d);