- update to NSS 3.91

* bmo#1837431 - Implementation of the HW support check for ADX instruction * bmo#1836925 - Removing the support of Curve25519 * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData * bmo#1839327 - Adding args to enable-legacy-db build * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit default trust flags" * bmo#1837617 - Initialize flags in slot structures * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow * bmo#1829112 - Followup Fixes * bmo#1784253 - avoid processing unexpected inputs by checking for m_exptmod base sign * bmo#1826652 - add a limit check on order_k to avoid infinite loop * bmo#1834851 - Update HACL* to commit 5f6051d2 * bmo#1753026 - add SHA3 to cryptohi and softoken * bmo#1753026 - HACL SHA3 * bmo#1836781 - Disabling ASM C25519 for A but X86_64 - removed upstreamed patch nss-fix-bmo1836925.patch OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=422
2023-08-01 07:55:11 +00:00 · 2023-08-01 07:55:11 +00:00 · bf9b62ea10
commit bf9b62ea10
parent 34e601a718
11 changed files with 57 additions and 111 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Sat Jul 29 11:50:48 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- update to NSS 3.91
+  * bmo#1837431 - Implementation of the HW support check for ADX instruction
+  * bmo#1836925 - Removing the support of Curve25519
+  * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
+  * bmo#1839327 - Adding args to enable-legacy-db build
+  * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
+                  default trust flags"
+  * bmo#1837617 - Initialize flags in slot structures
+  * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
+  * bmo#1829112 - Followup Fixes
+  * bmo#1784253 - avoid processing unexpected inputs by checking for
+                  m_exptmod base sign
+  * bmo#1826652 - add a limit check on order_k to avoid infinite loop
+  * bmo#1834851 - Update HACL* to commit 5f6051d2
+  * bmo#1753026 - add SHA3 to cryptohi and softoken
+  * bmo#1753026 - HACL SHA3
+  * bmo#1836781 - Disabling ASM C25519 for A but X86_64
+- removed upstreamed patch nss-fix-bmo1836925.patch
+
 -------------------------------------------------------------------
 Fri Jul 28 16:29:26 UTC 2023 - Dirk Stoecker <opensuse@dstoecker.de>

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -17,14 +17,14 @@
 #


-%global nss_softokn_fips_version 3.90
+%global nss_softokn_fips_version 3.91
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.90
+Version:        3.91
 Release:        0
-%define underscore_version 3_90
+%define underscore_version 3_91
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@ -77,7 +77,6 @@ Patch44:        nss-fips-tests-enable-fips.patch
 Patch45:        nss-fips-drbg-libjitter.patch
 Patch46:        nss-allow-slow-tests.patch
 Patch47:        nss-fips-pct-pubkeys.patch
-Patch48:        nss-fix-bmo1836925.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@ -232,7 +231,6 @@ cd nss
 %endif
 %patch46 -p1
 %patch47 -p1
-%patch48 -p1

 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
--- a/nss-3.90.tar.gz
+++ b/nss-3.90.tar.gz
--- a/nss-3.91.tar.gz
+++ b/nss-3.91.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84bd46376df17118c55f6d73d30fd93a0af21296c66e7690471547e5898fc4b3
+size 72267945
--- a/nss-allow-slow-tests.patch
+++ b/nss-allow-slow-tests.patch
@ -20,8 +20,8 @@ Index: nss/tests/dbtests/dbtests.sh
       RARRAY=($dtime)
       TIMEARRAY=(${RARRAY[1]//./ })
       echo "${TIMEARRAY[0]} seconds"
-      test ${TIMEARRAY[0]} -lt 2
-+      # Was 2, but that is too small for OBS-workers.
+-      test ${TIMEARRAY[0]} -lt 5
+      # Was 5, but that is too small for OBS-workers.
 +      test ${TIMEARRAY[0]} -lt 6
       ret=$?
       html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
--- a/nss-fips-approved-crypto-non-ec.patch
+++ b/nss-fips-approved-crypto-non-ec.patch
@ -352,7 +352,7 @@ Index: nss/lib/freebl/rawhash.c
 
 static void *
 null_hash_new_context(void)
-@@ -146,7 +147,11 @@ const SECHashObject SECRawHashObjects[]
+@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[]
 const SECHashObject *
 HASH_GetRawHashObject(HASH_HashType hashType)
 {
@ -369,7 +369,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -4780,6 +4780,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
         goto loser;
     }
 
@ -379,7 +379,7 @@ Index: nss/lib/softoken/pkcs11c.c
     /*
      * handle the base object stuff
      */
-@@ -4794,6 +4797,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
+@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi
     if (crv == CKR_OK) {
         *phKey = key->handle;
     }
@ -387,7 +387,7 @@ Index: nss/lib/softoken/pkcs11c.c
 loser:
     PORT_Memset(buf, 0, sizeof buf);
     sftk_FreeObject(key);
-@@ -5710,11 +5714,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
      * created and linked.
      */
     crv = sftk_handleObject(publicKey, session);
@ -400,7 +400,7 @@ Index: nss/lib/softoken/pkcs11c.c
         return crv;
     }
     if (sftk_isTrue(privateKey, CKA_SENSITIVE)) {
-@@ -5758,13 +5762,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
         sftk_FreeObject(publicKey);
         NSC_DestroyObject(hSession, privateKey->handle);
         sftk_FreeObject(privateKey);
@ -420,7 +420,7 @@ Index: nss/lib/softoken/pkcs11c.c
 
     return CKR_OK;
 }
-@@ -7469,7 +7479,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             } else {
                 /* now allocate the hash contexts */
                 md5 = MD5_NewContext();
@ -429,7 +429,7 @@ Index: nss/lib/softoken/pkcs11c.c
                     PORT_Memset(crsrdata, 0, sizeof crsrdata);
                     crv = CKR_HOST_MEMORY;
                     break;
-@@ -7858,6 +7868,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                 PORT_Assert(i <= sizeof key_block);
             }
 
@ -737,7 +737,7 @@ Index: nss/lib/softoken/pkcs11.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11.c
 +++ nss/lib/softoken/pkcs11.c
-@@ -534,17 +534,17 @@ static const struct mechanismList mechan
+@@ -546,17 +546,17 @@ static const struct mechanismList mechan
     { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
     { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE },
     { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256,
--- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch
+++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch
@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -2653,7 +2653,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
 static SECStatus
 nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c
 {
     SECItem signature, digest;
     SECStatus rv;
-@@ -2671,6 +2671,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     return rv;
 }
 
@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
-@@ -2688,7 +2704,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
+@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
 static SECStatus
 nsc_ECDSASignStub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c
 {
     SECItem signature, digest;
     SECStatus rv;
-@@ -2706,6 +2722,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
+@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
     return rv;
 }
 
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3575,6 +3607,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
         info->hashOid = SEC_OID_##mmm;                    \
         goto finish_rsa;
 
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
     switch (pMechanism->mechanism) {
         INIT_RSA_VFY_MECH(MD5)
         INIT_RSA_VFY_MECH(MD2)
-@@ -4807,6 +4855,73 @@ loser:
+@@ -4819,6 +4867,73 @@ loser:
 #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
 #define PAIRWISE_MESSAGE_LENGTH 20           /* 160-bits */
 
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -4860,8 +4975,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
 
     /* Variables used for Signature/Verification functions. */
     /* Must be at least 256 bits for DSA2 digest */
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
     CK_ULONG signature_length;
 
     if (keyType == CKK_RSA) {
-@@ -5015,76 +5128,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
 
--- a/nss-fips-constructor-self-tests.patch
+++ b/nss-fips-constructor-self-tests.patch
@ -42,7 +42,7 @@ Index: nss/lib/freebl/blapi.h
 ===================================================================
 --- nss.orig/lib/freebl/blapi.h
 +++ nss/lib/freebl/blapi.h
-@@ -1759,17 +1759,17 @@ extern void BL_Unload(void);
+@@ -1859,17 +1859,17 @@ extern void BL_Unload(void);
 /**************************************************************************
  *  Verify a given Shared library signature                               *
  **************************************************************************/
@ -63,7 +63,7 @@ Index: nss/lib/freebl/blapi.h
 
 /*********************************************************************/
 extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
-@@ -1791,6 +1791,9 @@ extern SECStatus EC_CopyParams(PLArenaPo
+@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo
  */
 extern int EC_GetPointSize(const ECParams *params);
 
@ -865,7 +865,7 @@ Index: nss/lib/freebl/loader.h
 
     /* Version 3.013 came to here */
 
-@@ -834,6 +834,9 @@ struct FREEBLVectorStr {
+@@ -912,6 +912,9 @@ struct FREEBLVectorStr {
 
     /* Add new function pointers at the end of this struct and bump
      * FREEBL_VERSION at the beginning of this file. */
@ -887,7 +887,7 @@ Index: nss/lib/freebl/manifest.mn
 	$(NULL)
 
 MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-@@ -187,6 +188,7 @@ ALL_HDRS =  \
+@@ -189,6 +190,7 @@ ALL_HDRS =  \
 	shsign.h \
 	vis_proto.h \
 	seed.h \
@ -1654,15 +1654,10 @@ Index: nss/lib/freebl/ldvector.c
 ===================================================================
 --- nss.orig/lib/freebl/ldvector.c
 +++ nss/lib/freebl/ldvector.c
-@@ -375,9 +375,12 @@ static const struct FREEBLVectorStr vect
-     /* End of version 3.024 */
-     ChaCha20_InitContext,
-     ChaCha20_CreateContext,
-    ChaCha20_DestroyContext
-+    ChaCha20_DestroyContext,
+@@ -432,6 +432,8 @@ static const struct FREEBLVectorStr vect
+     SHAKE_256_Hash,
 
-     /* End of version 3.025 */
-+
+     /* End of version 3.026 */
 +    /* SUSE patch: Goes last */
 +    BL_FIPSRepeatIntegrityCheck
 };
--- a/nss-fips-pairwise-consistency-check.patch
+++ b/nss-fips-pairwise-consistency-check.patch
@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -4800,8 +4800,8 @@ loser:
+@@ -4812,8 +4812,8 @@ loser:
     return crv;
 }
 
@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c
 
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
-@@ -5749,6 +5749,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
                             (PRUint32)crv);
                 sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg);
             }
--- a/nss-fips-pct-pubkeys.patch
+++ b/nss-fips-pct-pubkeys.patch
@ -13,7 +13,7 @@ Index: nss/lib/softoken/pkcs11c.c
 #include "seccomon.h"
 #include "secitem.h"
 #include "secport.h"
-@@ -4922,6 +4923,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
+@@ -4934,6 +4935,88 @@ pairwise_signverify_mech (CK_SESSION_HAN
     return crv;
 }
 
@ -102,7 +102,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -5268,6 +5351,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5280,6 +5363,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
 
--- a/nss-fix-bmo1836925.patch
+++ b/nss-fix-bmo1836925.patch
@ -1,69 +0,0 @@
-Index: nss/lib/freebl/Makefile
-===================================================================
--- nss.orig/lib/freebl/Makefile
-+++ nss/lib/freebl/Makefile
-@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-     else ifeq (1,$(CC_IS_GCC))
-        SUPPORTS_VALE_CURVE25519 = 1
-         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT
-     DEFINES += -DKRML_VERIFIED_UINT128
- endif
- 
-ifdef SUPPORTS_VALE_CURVE25519
-    VERIFIED_SRCS += Hacl_Curve25519_64.c
-    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
-endif
-
- ifndef NSS_DISABLE_CHACHAPOLY
-     ifeq ($(CPU_ARCH),x86_64)
-         ifndef NSS_DISABLE_AVX2
-Index: nss/lib/freebl/freebl.gyp
-===================================================================
--- nss.orig/lib/freebl/freebl.gyp
-+++ nss/lib/freebl/freebl.gyp
-@@ -866,12 +866,6 @@
-           }],
-         ],
-       }],
-      [ 'supports_vale_curve25519==1', {
-        'defines': [
-          # The Makefile does version-tests on GCC, but we're not doing that here.
-          'HACL_CAN_COMPILE_INLINE_ASM',
-        ],
-      }],
-       [ 'OS=="linux" or OS=="android"', {
-         'conditions': [
-           [ 'target_arch=="x64"', {
-@@ -934,11 +928,6 @@
-   'variables': {
-     'module': 'nss',
-     'conditions': [
-      [ 'target_arch=="x64" and cc_is_gcc==1', {
-        'supports_vale_curve25519%': 1,
-      }, {
-        'supports_vale_curve25519%': 0,
-      }],
-       [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
-         'have_int128_support%': 1,
-       }, {
-Index: nss/lib/freebl/freebl_base.gypi
-===================================================================
--- nss.orig/lib/freebl/freebl_base.gypi
-+++ nss/lib/freebl/freebl_base.gypi
-@@ -151,11 +151,6 @@
-         'ecl/curve25519_32.c',
-       ],
-     }],
-    ['supports_vale_curve25519==1', {
-      'sources': [
-        'verified/Hacl_Curve25519_64.c',
-      ],
-    }],
-     ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
-       'sources': [
-         # Gyp does not support per-file cflags, so working around like this.