From 2c5bd7ba1570c12ced632991bf582020b7f94861a15121664b1b5ff394cb6acf Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Fri, 27 Oct 2023 07:13:16 +0000 Subject: [PATCH] - update to NSS 3.94 * bmo#1853737 - Updated code and commit ID for HACL* * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with current NSS * bmo#1827303 - Softoken C_ calls should use system FIPS setting to select NSC_ or FC_ variants * bmo#1774659 - NSS needs a database tool that can dump the low level representation of the database * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp * bmo#1852179 - avoid implicit conversion for ByteString * bmo#1818766 - update rust version for acvp docker * bmo#1852011 - Moving the init function of the mpi_ints before clean-up in ec.c * bmo#1615555 - P-256 ECDH and ECDSA from HACL* * bmo#1840510 - Add ACVP test vectors to the repository * bmo#1849077 - Stop relying on std::basic_string * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp - rebased patches - added nss-fips-test.patch to fix broken test * bmo#1849471 - Update zlib in NSS to 1.3. * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=428 --- mozilla-nss.changes | 29 ++++++++++++++++++--- mozilla-nss.spec | 8 +++--- nss-3.93.tar.gz | 3 --- nss-3.94.tar.gz | 3 +++ nss-fips-approved-crypto-non-ec.patch | 16 ++++++------ nss-fips-combined-hash-sign-dsa-ecdsa.patch | 16 ++++++------ nss-fips-constructor-self-tests.patch | 4 +-- nss-fips-detect-fips-mode-fixes.patch | 25 ++++++------------ nss-fips-pairwise-consistency-check.patch | 4 +-- nss-fips-test.patch | 15 +++++++++++ nss-fips-zeroization.patch | 4 +-- 11 files changed, 79 insertions(+), 48 deletions(-) delete mode 100644 nss-3.93.tar.gz create mode 100644 nss-3.94.tar.gz create mode 100644 nss-fips-test.patch diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 61a38c3..2037194 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,10 +1,33 @@ +------------------------------------------------------------------- +Tue Oct 24 06:44:18 UTC 2023 - Wolfgang Rosenauer + +- update to NSS 3.94 + * bmo#1853737 - Updated code and commit ID for HACL* + * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with + current NSS + * bmo#1827303 - Softoken C_ calls should use system FIPS setting + to select NSC_ or FC_ variants + * bmo#1774659 - NSS needs a database tool that can dump the low level + representation of the database + * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp + * bmo#1852179 - avoid implicit conversion for ByteString + * bmo#1818766 - update rust version for acvp docker + * bmo#1852011 - Moving the init function of the mpi_ints before + clean-up in ec.c + * bmo#1615555 - P-256 ECDH and ECDSA from HACL* + * bmo#1840510 - Add ACVP test vectors to the repository + * bmo#1849077 - Stop relying on std::basic_string + * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp +- rebased patches +- added nss-fips-test.patch to fix broken test + ------------------------------------------------------------------- Tue Sep 5 10:48:46 UTC 2023 - Dominique Leuenberger - Update to NSS 3.93: - + bmo#1849471 - Update zlib in NSS to 1.3. - + bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. - + bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). + * bmo#1849471 - Update zlib in NSS to 1.3. + * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. + * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). - Rebase nss-fips-pct-pubkeys.patch. ------------------------------------------------------------------- diff --git a/mozilla-nss.spec b/mozilla-nss.spec index eef93d4..d37f6f2 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.93 +%global nss_softokn_fips_version 3.94 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.93 +Version: 3.94 Release: 0 -%define underscore_version 3_93 +%define underscore_version 3_94 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -77,6 +77,7 @@ Patch44: nss-fips-tests-enable-fips.patch Patch45: nss-fips-drbg-libjitter.patch Patch46: nss-allow-slow-tests.patch Patch47: nss-fips-pct-pubkeys.patch +Patch48: nss-fips-test.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -231,6 +232,7 @@ cd nss %endif %patch46 -p1 %patch47 -p1 +%patch48 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-3.93.tar.gz b/nss-3.93.tar.gz deleted file mode 100644 index cf59aa2..0000000 --- a/nss-3.93.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:15f54bb72048eb105f8c0e936a04b899e74c3db9a19bbc1e00acee2af9476a8a -size 72281331 diff --git a/nss-3.94.tar.gz b/nss-3.94.tar.gz new file mode 100644 index 0000000..da0fccf --- /dev/null +++ b/nss-3.94.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:463ae180ee9e5ee9e3ad4f629326657e236780cc865572a930a16520abad9dd8 +size 76580364 diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch index 21663cc..31adbce 100644 --- a/nss-fips-approved-crypto-non-ec.patch +++ b/nss-fips-approved-crypto-non-ec.patch @@ -324,7 +324,7 @@ Index: nss/lib/freebl/nsslowhash.c struct NSSLOWInitContextStr { int count; -@@ -99,6 +100,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext +@@ -69,6 +70,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext { NSSLOWHASHContext *context; @@ -369,7 +369,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4821,6 +4821,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi goto loser; } @@ -379,7 +379,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * handle the base object stuff */ -@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4835,6 +4838,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi if (crv == CKR_OK) { *phKey = key->handle; } @@ -387,7 +387,7 @@ Index: nss/lib/softoken/pkcs11c.c loser: PORT_Memset(buf, 0, sizeof buf); sftk_FreeObject(key); -@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5751,11 +5755,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS * created and linked. */ crv = sftk_handleObject(publicKey, session); @@ -400,7 +400,7 @@ Index: nss/lib/softoken/pkcs11c.c return crv; } if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { -@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5799,13 +5803,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); sftk_FreeObject(privateKey); @@ -420,7 +420,7 @@ Index: nss/lib/softoken/pkcs11c.c return CKR_OK; } -@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7510,7 +7520,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); @@ -429,7 +429,7 @@ Index: nss/lib/softoken/pkcs11c.c PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; -@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7899,6 +7909,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession PORT_Assert(i <= sizeof key_block); } @@ -737,7 +737,7 @@ Index: nss/lib/softoken/pkcs11.c =================================================================== --- nss.orig/lib/softoken/pkcs11.c +++ nss/lib/softoken/pkcs11.c -@@ -546,17 +546,17 @@ static const struct mechanismList mechan +@@ -557,17 +557,17 @@ static const struct mechanismList mechan { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch index 9427ed1..a205c25 100644 --- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3612,6 +3644,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4819,6 +4867,73 @@ loser: +@@ -4848,6 +4896,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4901,8 +5016,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5056,76 +5169,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index d21f823..9de6923 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch @@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo +@@ -1896,6 +1896,9 @@ extern int EC_GetPointSize(const ECParam */ - extern int EC_GetPointSize(const ECParams *params); + extern int EC_GetScalarSize(const ECParams *params); +/* Unconditionally run the integrity check. */ +extern void BL_FIPSRepeatIntegrityCheck(void); diff --git a/nss-fips-detect-fips-mode-fixes.patch b/nss-fips-detect-fips-mode-fixes.patch index c91a750..1f1d31a 100644 --- a/nss-fips-detect-fips-mode-fixes.patch +++ b/nss-fips-detect-fips-mode-fixes.patch @@ -26,11 +26,10 @@ Index: nss/lib/freebl/nsslowhash.c #include "prtypes.h" #include "prenv.h" #include "secerr.h" -@@ -25,6 +29,23 @@ struct NSSLOWHASHContextStr { - }; +@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr { + static NSSLOWInitContext dummyContext = { 0 }; + static PRBool post_failed = PR_TRUE; - #ifndef NSS_FIPS_DISABLED -+ +static PRBool +getFIPSEnv(void) +{ @@ -47,23 +46,15 @@ Index: nss/lib/freebl/nsslowhash.c + return PR_FALSE; +} + - static int - nsslow_GetFIPSEnabled(void) + NSSLOWInitContext * + NSSLOW_Init(void) { -@@ -52,6 +73,7 @@ nsslow_GetFIPSEnabled(void) - #endif /* LINUX */ - return 1; - } -+ - #endif /* NSS_FIPS_DISABLED */ - - static NSSLOWInitContext dummyContext = { 0 }; -@@ -67,7 +89,7 @@ NSSLOW_Init(void) +@@ -37,7 +57,7 @@ NSSLOW_Init(void) #ifndef NSS_FIPS_DISABLED /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ -- if (nsslow_GetFIPSEnabled()) { -+ if (nsslow_GetFIPSEnabled() || getFIPSEnv()) { +- if (NSS_GetSystemFIPSEnabled()) { ++ if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) { if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); post_failed = PR_TRUE; diff --git a/nss-fips-pairwise-consistency-check.patch b/nss-fips-pairwise-consistency-check.patch index cbe461f..c68c9dd 100644 --- a/nss-fips-pairwise-consistency-check.patch +++ b/nss-fips-pairwise-consistency-check.patch @@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4812,8 +4812,8 @@ loser: +@@ -4841,8 +4841,8 @@ loser: return crv; } @@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5790,6 +5790,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } diff --git a/nss-fips-test.patch b/nss-fips-test.patch new file mode 100644 index 0000000..321b4ea --- /dev/null +++ b/nss-fips-test.patch @@ -0,0 +1,15 @@ +Index: nss/tests/cert/cert.sh +=================================================================== +--- nss.orig/tests/cert/cert.sh ++++ nss/tests/cert/cert.sh +@@ -1367,8 +1367,8 @@ cert_fips() + + echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" + CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" +- echo "modutil -dbdir ${PROFILEDIR} -fips true " +- ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <&1 <