From bf9b62ea10f009e489e2efc430fcae07f1a6ef46762fb909a5e80ab291305e1e Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Tue, 1 Aug 2023 07:55:11 +0000 Subject: [PATCH] - update to NSS 3.91 * bmo#1837431 - Implementation of the HW support check for ADX instruction * bmo#1836925 - Removing the support of Curve25519 * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData * bmo#1839327 - Adding args to enable-legacy-db build * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit default trust flags" * bmo#1837617 - Initialize flags in slot structures * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow * bmo#1829112 - Followup Fixes * bmo#1784253 - avoid processing unexpected inputs by checking for m_exptmod base sign * bmo#1826652 - add a limit check on order_k to avoid infinite loop * bmo#1834851 - Update HACL* to commit 5f6051d2 * bmo#1753026 - add SHA3 to cryptohi and softoken * bmo#1753026 - HACL SHA3 * bmo#1836781 - Disabling ASM C25519 for A but X86_64 - removed upstreamed patch nss-fix-bmo1836925.patch OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=422 --- mozilla-nss.changes | 22 +++++++ mozilla-nss.spec | 8 +-- nss-3.90.tar.gz | 3 - nss-3.91.tar.gz | 3 + nss-allow-slow-tests.patch | 4 +- nss-fips-approved-crypto-non-ec.patch | 16 ++--- nss-fips-combined-hash-sign-dsa-ecdsa.patch | 16 ++--- nss-fips-constructor-self-tests.patch | 19 +++--- nss-fips-pairwise-consistency-check.patch | 4 +- nss-fips-pct-pubkeys.patch | 4 +- nss-fix-bmo1836925.patch | 69 --------------------- 11 files changed, 57 insertions(+), 111 deletions(-) delete mode 100644 nss-3.90.tar.gz create mode 100644 nss-3.91.tar.gz delete mode 100644 nss-fix-bmo1836925.patch diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 1d43c35..8b5fbdb 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes 
@@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Sat Jul 29 11:50:48 UTC 2023 - Wolfgang Rosenauer + +- update to NSS 3.91 + * bmo#1837431 - Implementation of the HW support check for ADX instruction + * bmo#1836925 - Removing the support of Curve25519 + * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData + * bmo#1839327 - Adding args to enable-legacy-db build + * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit + default trust flags" + * bmo#1837617 - Initialize flags in slot structures + * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow + * bmo#1829112 - Followup Fixes + * bmo#1784253 - avoid processing unexpected inputs by checking for + m_exptmod base sign + * bmo#1826652 - add a limit check on order_k to avoid infinite loop + * bmo#1834851 - Update HACL* to commit 5f6051d2 + * bmo#1753026 - add SHA3 to cryptohi and softoken + * bmo#1753026 - HACL SHA3 + * bmo#1836781 - Disabling ASM C25519 for A but X86_64 +- removed upstreamed patch nss-fix-bmo1836925.patch + ------------------------------------------------------------------- Fri Jul 28 16:29:26 UTC 2023 - Dirk Stoecker diff --git a/mozilla-nss.spec b/mozilla-nss.spec index f52d433..0595516 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.90 +%global nss_softokn_fips_version 3.91 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.90 +Version: 3.91 Release: 0 -%define underscore_version 3_90 +%define underscore_version 3_91 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries 
@@ -77,7 +77,6 @@ Patch44: nss-fips-tests-enable-fips.patch Patch45: nss-fips-drbg-libjitter.patch Patch46: nss-allow-slow-tests.patch Patch47: nss-fips-pct-pubkeys.patch -Patch48: nss-fix-bmo1836925.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -232,7 +231,6 @@ cd nss %endif %patch46 -p1 %patch47 -p1 -%patch48 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-3.90.tar.gz b/nss-3.90.tar.gz deleted file mode 100644 index b601bed..0000000 --- a/nss-3.90.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9acd6534c41d8ead19fca6fcb3fffed2f9f09c437c3d79fee6a4ee668aaa93b6 -size 72211928 diff --git a/nss-3.91.tar.gz b/nss-3.91.tar.gz new file mode 100644 index 0000000..40d52ec --- /dev/null +++ b/nss-3.91.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84bd46376df17118c55f6d73d30fd93a0af21296c66e7690471547e5898fc4b3 +size 72267945 diff --git a/nss-allow-slow-tests.patch b/nss-allow-slow-tests.patch index 6378fdf..ec550ef 100644 --- a/nss-allow-slow-tests.patch +++ b/nss-allow-slow-tests.patch @@ -20,8 +20,8 @@ Index: nss/tests/dbtests/dbtests.sh RARRAY=($dtime) TIMEARRAY=(${RARRAY[1]//./ }) echo "${TIMEARRAY[0]} seconds" -- test ${TIMEARRAY[0]} -lt 2 -+ # Was 2, but that is too small for OBS-workers. +- test ${TIMEARRAY[0]} -lt 5 ++ # Was 5, but that is too small for OBS-workers. + test ${TIMEARRAY[0]} -lt 6 ret=$? html_msg ${ret} 0 "certutil dump keys with explicit default trust flags" diff --git a/nss-fips-approved-crypto-non-ec.patch b/nss-fips-approved-crypto-non-ec.patch index 9965cdc..21663cc 100644 --- a/nss-fips-approved-crypto-non-ec.patch +++ b/nss-fips-approved-crypto-non-ec.patch 
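Review bot: The relaxed bound in the dbtests.sh hunk is now only one second above the value it replaces (`-lt 5` becomes `-lt 6`), whereas before this refresh the same patch moved it from 2 to 6. The comment `# Was 5, but that is too small for OBS-workers.` no longer explains why 6 is the right figure. Consider recording the observed worst case, e.g. `# Upstream allows 5 s; slow OBS workers have needed up to <N> s.`, or dropping the patch if upstream's 5 is enough. Only whole seconds are compared, because `TIMEARRAY[0]` is the part of the timing before the decimal point.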
@@ -352,7 +352,7 @@ Index: nss/lib/freebl/rawhash.c static void * null_hash_new_context(void) -@@ -146,7 +147,11 @@ const SECHashObject SECRawHashObjects[] +@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[] const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType) { @@ -369,7 +369,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4780,6 +4780,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi goto loser; } @@ -379,7 +379,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * handle the base object stuff */ -@@ -4794,6 +4797,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi if (crv == CKR_OK) { *phKey = key->handle; } @@ -387,7 +387,7 @@ Index: nss/lib/softoken/pkcs11c.c loser: PORT_Memset(buf, 0, sizeof buf); sftk_FreeObject(key); -@@ -5710,11 +5714,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS * created and linked. */ crv = sftk_handleObject(publicKey, session); @@ -400,7 +400,7 @@ Index: nss/lib/softoken/pkcs11c.c return crv; } if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { -@@ -5758,13 +5762,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); sftk_FreeObject(privateKey); @@ -420,7 +420,7 @@ Index: nss/lib/softoken/pkcs11c.c return CKR_OK; } -@@ -7469,7 +7479,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); 
@@ -429,7 +429,7 @@ Index: nss/lib/softoken/pkcs11c.c PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; -@@ -7858,6 +7868,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession PORT_Assert(i <= sizeof key_block); } @@ -737,7 +737,7 @@ Index: nss/lib/softoken/pkcs11.c =================================================================== --- nss.orig/lib/softoken/pkcs11.c +++ nss/lib/softoken/pkcs11.c -@@ -534,17 +534,17 @@ static const struct mechanismList mechan +@@ -546,17 +546,17 @@ static const struct mechanismList mechan { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch index e3d7a61..9427ed1 100644 --- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -68,7 +68,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2653,7 +2653,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2671,6 +2671,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } 
@@ -100,7 +100,7 @@ Index: nss/lib/softoken/pkcs11c.c static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2688,7 +2704,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ Index: nss/lib/softoken/pkcs11c.c { SECItem signature, digest; SECStatus rv; -@@ -2706,6 +2722,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3575,6 +3607,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4807,6 +4855,73 @@ loser: +@@ -4819,6 +4867,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4860,8 +4975,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5015,76 +5128,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } 
diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index c2a2198..d21f823 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch @@ -42,7 +42,7 @@ Index: nss/lib/freebl/blapi.h =================================================================== --- nss.orig/lib/freebl/blapi.h +++ nss/lib/freebl/blapi.h -@@ -1759,17 +1759,17 @@ extern void BL_Unload(void); +@@ -1859,17 +1859,17 @@ extern void BL_Unload(void); /************************************************************************** * Verify a given Shared library signature * **************************************************************************/ @@ -63,7 +63,7 @@ Index: nss/lib/freebl/blapi.h /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1791,6 +1791,9 @@ extern SECStatus EC_CopyParams(PLArenaPo +@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo */ extern int EC_GetPointSize(const ECParams *params); @@ -865,7 +865,7 @@ Index: nss/lib/freebl/loader.h /* Version 3.013 came to here */ -@@ -834,6 +834,9 @@ struct FREEBLVectorStr { +@@ -912,6 +912,9 @@ struct FREEBLVectorStr { /* Add new function pointers at the end of this struct and bump * FREEBL_VERSION at the beginning of this file. */ @@ -887,7 +887,7 @@ Index: nss/lib/freebl/manifest.mn $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h -@@ -187,6 +188,7 @@ ALL_HDRS = \ +@@ -189,6 +190,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ 
@@ -1654,15 +1654,10 @@ Index: nss/lib/freebl/ldvector.c =================================================================== --- nss.orig/lib/freebl/ldvector.c +++ nss/lib/freebl/ldvector.c -@@ -375,9 +375,12 @@ static const struct FREEBLVectorStr vect - /* End of version 3.024 */ - ChaCha20_InitContext, - ChaCha20_CreateContext, -- ChaCha20_DestroyContext -+ ChaCha20_DestroyContext, +@@ -432,6 +432,8 @@ static const struct FREEBLVectorStr vect + SHAKE_256_Hash, - /* End of version 3.025 */ -+ + /* End of version 3.026 */ + /* SUSE patch: Goes last */ + BL_FIPSRepeatIntegrityCheck }; diff --git a/nss-fips-pairwise-consistency-check.patch b/nss-fips-pairwise-consistency-check.patch index bdb1a9f..cbe461f 100644 --- a/nss-fips-pairwise-consistency-check.patch +++ b/nss-fips-pairwise-consistency-check.patch @@ -14,7 +14,7 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4800,8 +4800,8 @@ loser: +@@ -4812,8 +4812,8 @@ loser: return crv; } @@ -25,7 +25,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5749,6 +5749,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } diff --git a/nss-fips-pct-pubkeys.patch b/nss-fips-pct-pubkeys.patch index 4b76701..79dea5a 100644 --- a/nss-fips-pct-pubkeys.patch +++ b/nss-fips-pct-pubkeys.patch @@ -13,7 +13,7 @@ Index: nss/lib/softoken/pkcs11c.c #include "seccomon.h" #include "secitem.h" #include "secport.h" -@@ -4922,6 +4923,88 @@ pairwise_signverify_mech (CK_SESSION_HAN +@@ -4934,6 +4935,88 @@ pairwise_signverify_mech (CK_SESSION_HAN return crv; } 
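Review bot: In the ldvector.c hunk the SUSE-only entry `BL_FIPSRepeatIntegrityCheck` now sits directly after upstream's `/* End of version 3.026 */` marker, so its slot in the `vector` table moves whenever upstream appends entries (before this refresh it followed 3.025). A freebl built with this patch and a loader built from a different NSS revision would disagree about what lives at that offset. The refreshed loader.h hunk keeps the upstream comment asking to bump FREEBL_VERSION when pointers are added, but no version bump is visible in the hunks shown here. It is worth confirming that the loader.h side of the patch is refreshed in lockstep and that the loader's vector version/length check (presumably present, not visible here) rejects a table without the extra slot. A comment such as `/* SUSE patch: must stay last; keep in sync with FREEBLVectorStr in loader.h */` would record the constraint; the initializer itself starts outside the hunk.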
@@ -102,7 +102,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -5268,6 +5351,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5280,6 +5363,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } diff --git a/nss-fix-bmo1836925.patch b/nss-fix-bmo1836925.patch deleted file mode 100644 index 71cc9e1..0000000 --- a/nss-fix-bmo1836925.patch +++ /dev/null 
@@ -1,69 +0,0 @@
-Index: nss/lib/freebl/Makefile
-===================================================================
---- nss.orig/lib/freebl/Makefile
-+++ nss/lib/freebl/Makefile
-@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
- HAVE_INT128_SUPPORT = 1
- DEFINES += -DHAVE_INT128_SUPPORT
- else ifeq (1,$(CC_IS_GCC))
-- SUPPORTS_VALE_CURVE25519 = 1
- ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
- HAVE_INT128_SUPPORT = 1
- DEFINES += -DHAVE_INT128_SUPPORT
-@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT
- DEFINES += -DKRML_VERIFIED_UINT128
- endif
-
--ifdef SUPPORTS_VALE_CURVE25519
-- VERIFIED_SRCS += Hacl_Curve25519_64.c
-- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
--endif
--
- ifndef NSS_DISABLE_CHACHAPOLY
- ifeq ($(CPU_ARCH),x86_64)
- ifndef NSS_DISABLE_AVX2
-Index: nss/lib/freebl/freebl.gyp
-===================================================================
---- nss.orig/lib/freebl/freebl.gyp
-+++ nss/lib/freebl/freebl.gyp
-@@ -866,12 +866,6 @@
- }],
- ],
- }],
-- [ 'supports_vale_curve25519==1', {
-- 'defines': [
-- # The Makefile does version-tests on GCC, but we're not doing that here.
-- 'HACL_CAN_COMPILE_INLINE_ASM',
-- ],
-- }],
- [ 'OS=="linux" or OS=="android"', {
- 'conditions': [
- [ 'target_arch=="x64"', {
-@@ -934,11 +928,6 @@
- 'variables': {
- 'module': 'nss',
- 'conditions': [
-- [ 'target_arch=="x64" and cc_is_gcc==1', {
-- 'supports_vale_curve25519%': 1,
-- }, {
-- 'supports_vale_curve25519%': 0,
-- }],
- [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
- 'have_int128_support%': 1,
- }, {
-Index: nss/lib/freebl/freebl_base.gypi
-===================================================================
---- nss.orig/lib/freebl/freebl_base.gypi
-+++ nss/lib/freebl/freebl_base.gypi
-@@ -151,11 +151,6 @@
- 'ecl/curve25519_32.c',
- ],
- }],
-- ['supports_vale_curve25519==1', {
-- 'sources': [
-- 'verified/Hacl_Curve25519_64.c',
-- ],
-- }],
- ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
- 'sources': [
- # Gyp does not support per-file cflags, so working around like this.