pool/mozilla-nss
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1120733 from mozilla:Factory

Browse Source 
- update to NSS 3.94
  * bmo#1853737 - Updated code and commit ID for HACL*
  * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
                  current NSS
  * bmo#1827303 - Softoken C_ calls should use system FIPS setting
                  to select NSC_ or FC_ variants
  * bmo#1774659 - NSS needs a database tool that can dump the low level
                  representation of the database
  * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
  * bmo#1852179 - avoid implicit conversion for ByteString
  * bmo#1818766 - update rust version for acvp docker
  * bmo#1852011 - Moving the init function of the mpi_ints before
                  clean-up in ec.c
  * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
  * bmo#1840510 - Add ACVP test vectors to the repository
  * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
  * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test

  * bmo#1849471 - Update zlib in NSS to 1.3.
  * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
  * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).

OBS-URL: https://build.opensuse.org/request/show/1120733
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=209
This commit is contained in:
Ana Guerrero 2023-10-29 18:39:28 +00:00 committed by Git OBS Bridge
commit ae2cd5c9a0
11 changed files with 79 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
mozilla-nss.changes
View File

@ -1,10 +1,33 @@
-------------------------------------------------------------------
Tue Oct 24 06:44:18 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.94
* bmo#1853737 - Updated code and commit ID for HACL*
* bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
current NSS
* bmo#1827303 - Softoken C_ calls should use system FIPS setting
to select NSC_ or FC_ variants
* bmo#1774659 - NSS needs a database tool that can dump the low level
representation of the database
* bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
* bmo#1852179 - avoid implicit conversion for ByteString
* bmo#1818766 - update rust version for acvp docker
* bmo#1852011 - Moving the init function of the mpi_ints before
clean-up in ec.c
* bmo#1615555 - P-256 ECDH and ECDSA from HACL*
* bmo#1840510 - Add ACVP test vectors to the repository
* bmo#1849077 - Stop relying on std::basic_string<uint8_t>
* bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
- rebased patches
- added nss-fips-test.patch to fix broken test
-------------------------------------------------------------------
Tue Sep 5 10:48:46 UTC 2023 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to NSS 3.93:
+ bmo#1849471 - Update zlib in NSS to 1.3.
+ bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
+ bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
* bmo#1849471 - Update zlib in NSS to 1.3.
* bmo#1848183 - softoken: iterate hashUpdate calls for long inputs.
* bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980).
- Rebase nss-fips-pct-pubkeys.patch.
-------------------------------------------------------------------

8
mozilla-nss.spec
View File

@ -17,14 +17,14 @@
#
%global nss_softokn_fips_version 3.93
%global nss_softokn_fips_version 3.94
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss
Version: 3.93
Version: 3.94
Release: 0
%define underscore_version 3_93
%define underscore_version 3_94
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@ -77,6 +77,7 @@ Patch44: nss-fips-tests-enable-fips.patch
Patch45: nss-fips-drbg-libjitter.patch
Patch46: nss-allow-slow-tests.patch
Patch47: nss-fips-pct-pubkeys.patch
Patch48: nss-fips-test.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@ -231,6 +232,7 @@ cd nss
%endif
%patch46 -p1
%patch47 -p1
%patch48 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins

3
nss-3.93.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:15f54bb72048eb105f8c0e936a04b899e74c3db9a19bbc1e00acee2af9476a8a
size 72281331

3
nss-3.94.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:463ae180ee9e5ee9e3ad4f629326657e236780cc865572a930a16520abad9dd8
size 76580364

16
nss-fips-approved-crypto-non-ec.patch
View File

@ -324,7 +324,7 @@ Index: nss/lib/freebl/nsslowhash.c
struct NSSLOWInitContextStr {
int count;
@@ -99,6 +100,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
@@ -69,6 +70,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
{
NSSLOWHASHContext *context;
@ -369,7 +369,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4821,6 +4821,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
goto loser;
}
@ -379,7 +379,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* handle the base object stuff
*/
@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
@@ -4835,6 +4838,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
if (crv == CKR_OK) {
*phKey = key->handle;
}
@ -387,7 +387,7 @@ Index: nss/lib/softoken/pkcs11c.c
loser:
PORT_Memset(buf, 0, sizeof buf);
sftk_FreeObject(key);
@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5751,11 +5755,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
* created and linked.
*/
crv = sftk_handleObject(publicKey, session);
@ -400,7 +400,7 @@ Index: nss/lib/softoken/pkcs11c.c
return crv;
}
if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5799,13 +5803,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
sftk_FreeObject(publicKey);
NSC_DestroyObject(hSession, privateKey->handle);
sftk_FreeObject(privateKey);
@ -420,7 +420,7 @@ Index: nss/lib/softoken/pkcs11c.c
return CKR_OK;
}
@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7510,7 +7520,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();
@ -429,7 +429,7 @@ Index: nss/lib/softoken/pkcs11c.c
PORT_Memset(crsrdata, 0, sizeof crsrdata);
crv = CKR_HOST_MEMORY;
break;
@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
@@ -7899,6 +7909,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
PORT_Assert(i <= sizeof key_block);
}
@ -737,7 +737,7 @@ Index: nss/lib/softoken/pkcs11.c
===================================================================
--- nss.orig/lib/softoken/pkcs11.c
+++ nss/lib/softoken/pkcs11.c
@@ -546,17 +546,17 @@ static const struct mechanismList mechan
@@ -557,17 +557,17 @@ static const struct mechanismList mechan
{ CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
{ CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,

16
nss-fips-combined-hash-sign-dsa-ecdsa.patch
View File

@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
static SECStatus
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c
{
SECItem signature, digest;
SECStatus rv;
@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
return rv;
}
@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
static SECStatus
nsc_ECDSASignStub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c
{
SECItem signature, digest;
SECStatus rv;
@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
return rv;
}
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
@@ -3612,6 +3644,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
info->hashOid = SEC_OID_##mmm; \
goto finish_rsa;
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
switch (pMechanism->mechanism) {
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
@@ -4819,6 +4867,73 @@ loser:
@@ -4848,6 +4896,73 @@ loser:
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -4901,8 +5016,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* Variables used for Signature/Verification functions. */
/* Must be at least 256 bits for DSA2 digest */
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
CK_ULONG signature_length;
if (keyType == CKK_RSA) {
@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
@@ -5056,76 +5169,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}

4
nss-fips-constructor-self-tests.patch
View File

@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
/*********************************************************************/
extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo
@@ -1896,6 +1896,9 @@ extern int EC_GetPointSize(const ECParam
*/
extern int EC_GetPointSize(const ECParams *params);
extern int EC_GetScalarSize(const ECParams *params);
+/* Unconditionally run the integrity check. */
+extern void BL_FIPSRepeatIntegrityCheck(void);

25
nss-fips-detect-fips-mode-fixes.patch
View File

@ -26,11 +26,10 @@ Index: nss/lib/freebl/nsslowhash.c
#include "prtypes.h"
#include "prenv.h"
#include "secerr.h"
@@ -25,6 +29,23 @@ struct NSSLOWHASHContextStr {
};
@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr {
static NSSLOWInitContext dummyContext = { 0 };
static PRBool post_failed = PR_TRUE;
#ifndef NSS_FIPS_DISABLED
+
+static PRBool
+getFIPSEnv(void)
+{
@ -47,23 +46,15 @@ Index: nss/lib/freebl/nsslowhash.c
+ return PR_FALSE;
+}
+
static int
nsslow_GetFIPSEnabled(void)
NSSLOWInitContext *
NSSLOW_Init(void)
{
@@ -52,6 +73,7 @@ nsslow_GetFIPSEnabled(void)
#endif /* LINUX */
return 1;
}
+
#endif /* NSS_FIPS_DISABLED */
static NSSLOWInitContext dummyContext = { 0 };
@@ -67,7 +89,7 @@ NSSLOW_Init(void)
@@ -37,7 +57,7 @@ NSSLOW_Init(void)
#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
- if (nsslow_GetFIPSEnabled()) {
+ if (nsslow_GetFIPSEnabled() || getFIPSEnv()) {
- if (NSS_GetSystemFIPSEnabled()) {
+ if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) {
if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
post_failed = PR_TRUE;

4
nss-fips-pairwise-consistency-check.patch
View File

@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4812,8 +4812,8 @@ loser:
@@ -4841,8 +4841,8 @@ loser:
return crv;
}
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
@@ -5790,6 +5790,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
}

15
nss-fips-test.patch Normal file
View File

@ -0,0 +1,15 @@
Index: nss/tests/cert/cert.sh
===================================================================
--- nss.orig/tests/cert/cert.sh
+++ nss/tests/cert/cert.sh
@@ -1367,8 +1367,8 @@ cert_fips()
echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------"
CU_ACTION="Enable FIPS mode on database for ${CERTNAME}"
- echo "modutil -dbdir ${PROFILEDIR} -fips true "
- ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT
+ echo "modutil -dbdir ${PROFILEDIR} -chkfips true "
+ ${BINDIR}/modutil -dbdir ${PROFILEDIR} -chkfips true 2>&1 <<MODSCRIPT
y
MODSCRIPT
RET=$?

4
nss-fips-zeroization.patch
View File

@ -107,8 +107,8 @@ Index: nss/lib/freebl/ec.c
===================================================================
--- nss.orig/lib/freebl/ec.c
+++ nss/lib/freebl/ec.c
@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
ECParams *ecParams = NULL;
@@ -1049,7 +1049,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
mp_int n;
SECItem pointC = { siBuffer, NULL, 0 };
int slen; /* length in bytes of a half signature (r or s) */
- int flen; /* length in bytes of the field size */