Accepting request 1164588 from home:MSirringhaus:branches:mozilla:Factory

- update to NSS 3.99 * Removing check for message len in ed25519 (bmo#1325335) * add ed25519 to SECU_ecName2params. (bmo#1884276) * add EdDSA wycheproof tests. (bmo#1325335) * nss/lib layer code for EDDSA. (bmo#1325335) * Adding EdDSA implementation. (bmo#1325335) * Exporting Certificate Compression types (bmo#1881027) * Updating ACVP docker to rust 1.74 (bmo#1880857) * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) OBS-URL: https://build.opensuse.org/request/show/1164588 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=444
2024-04-20 18:30:58 +00:00 · 2024-04-20 18:30:58 +00:00 · d7ce7e3b03
commit d7ce7e3b03
parent d8a343069d
6 changed files with 51 additions and 31 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Apr  4 11:20:08 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- update to NSS 3.99
+  * Removing check for message len in ed25519 (bmo#1325335)
+  * add ed25519 to SECU_ecName2params. (bmo#1884276)
+  * add EdDSA wycheproof tests. (bmo#1325335)
+  * nss/lib layer code for EDDSA. (bmo#1325335)
+  * Adding EdDSA implementation. (bmo#1325335)
+  * Exporting Certificate Compression types (bmo#1881027)
+  * Updating ACVP docker to rust 1.74 (bmo#1880857)
+  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
+  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
+
 -------------------------------------------------------------------
 Sat Mar 16 21:39:31 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -17,15 +17,15 @@
 #


-%global nss_softokn_fips_version 3.98
+%global nss_softokn_fips_version 3.99
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 %global crypto_policies_version 20210118
 Name:           mozilla-nss
-Version:        3.98
+Version:        3.99
 Release:        0
-%define underscore_version 3_98
+%define underscore_version 3_99
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
--- a/nss-3.98.tar.gz
+++ b/nss-3.98.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce
-size 76685475
--- a/nss-3.99.tar.gz
+++ b/nss-3.99.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cd5c2c8406a376686e6fa4b9c2de38aa280bea07bf927c0d521ba07c88b09bd
+size 76753982
--- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch
+++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch
@ -16,7 +16,7 @@ Index: nss/cmd/lib/pk11table.c
 ===================================================================
 --- nss.orig/cmd/lib/pk11table.c
 +++ nss/cmd/lib/pk11table.c
-@@ -273,6 +273,10 @@ const Constant _consts[] = {
+@@ -274,6 +274,10 @@ const Constant _consts[] = {
     mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism),
     mkEntry(CKM_DSA, Mechanism),
     mkEntry(CKM_DSA_SHA1, Mechanism),
@ -27,7 +27,7 @@ Index: nss/cmd/lib/pk11table.c
     mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism),
     mkEntry(CKM_DH_PKCS_DERIVE, Mechanism),
     mkEntry(CKM_X9_42_DH_DERIVE, Mechanism),
-@@ -438,6 +442,10 @@ const Constant _consts[] = {
+@@ -439,6 +443,10 @@ const Constant _consts[] = {
     mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism),
     mkEntry(CKM_ECDSA, Mechanism),
     mkEntry(CKM_ECDSA_SHA1, Mechanism),
@ -37,12 +37,12 @@ Index: nss/cmd/lib/pk11table.c
 +    mkEntry(CKM_ECDSA_SHA512, Mechanism),
     mkEntry(CKM_ECDH1_DERIVE, Mechanism),
     mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
-     mkEntry(CKM_ECMQV_DERIVE, Mechanism),
+     mkEntry(CKM_EC_EDWARDS_KEY_PAIR_GEN, Mechanism),
 Index: nss/lib/pk11wrap/pk11mech.c
 ===================================================================
 --- nss.orig/lib/pk11wrap/pk11mech.c
 +++ nss/lib/pk11wrap/pk11mech.c
-@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -377,6 +377,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
             return CKK_RSA;
         case CKM_DSA:
         case CKM_DSA_SHA1:
@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
         case CKM_DSA_KEY_PAIR_GEN:
             return CKK_DSA;
         case CKM_DH_PKCS_DERIVE:
-@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -387,6 +391,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
             return CKK_KEA;
         case CKM_ECDSA:
         case CKM_ECDSA_SHA1:
@ -68,16 +68,16 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -2681,7 +2681,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
 static SECStatus
 nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
 {
-     SECItem signature, digest;
-     SECStatus rv;
-@@ -2699,6 +2699,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
+@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     return rv;
 }
 
@ -100,16 +100,16 @@ Index: nss/lib/softoken/pkcs11c.c
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
-@@ -2716,7 +2732,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
+@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
 static SECStatus
 nsc_ECDSASignStub(void *ctx, void *sigBuf,
                   unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
 {
-     SECItem signature, digest;
-     SECStatus rv;
-@@ -2734,6 +2750,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
+     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
+     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
+@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
     return rv;
 }
 
@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3614,6 +3646,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
         info->hashOid = SEC_OID_##mmm;                    \
         goto finish_rsa;
 
@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
     switch (pMechanism->mechanism) {
         INIT_RSA_VFY_MECH(MD5)
         INIT_RSA_VFY_MECH(MD2)
-@@ -4850,6 +4898,73 @@ loser:
+@@ -4904,6 +4952,73 @@ loser:
 #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
 #define PAIRWISE_MESSAGE_LENGTH 20           /* 160-bits */
 
@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
 /*
  * FIPS 140-2 pairwise consistency check utilized to validate key pair.
  *
-@@ -4903,8 +5018,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
 
     /* Variables used for Signature/Verification functions. */
     /* Must be at least 256 bits for DSA2 digest */
@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
     CK_ULONG signature_length;
 
     if (keyType == CKK_RSA) {
-@@ -5058,76 +5171,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
         }
     }
 
@ -268,6 +268,11 @@ Index: nss/lib/softoken/pkcs11c.c
 -                mech.mechanism = CKM_ECDSA;
 +                SIGNVERIFY_CHECK_MECH(CKM_ECDSA_SHA224)
                 break;
+             case CKK_EC_EDWARDS:
+                 signature_length = ED25519_SIGN_LEN;
+-                mech.mechanism = CKM_EDDSA;
+                SIGNVERIFY_CHECK_MECH(CKM_EDDSA)
+                 break;
             default:
                 return CKR_DEVICE_ERROR;
         }
--- a/nss-fips-constructor-self-tests.patch
+++ b/nss-fips-constructor-self-tests.patch
@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
 
 /*********************************************************************/
 extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
-@@ -1921,6 +1921,9 @@ extern SECStatus Kyber_Encapsulate(Kyber
+@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl
  */
- extern SECStatus Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *ciphertext, SECItem *secret);
+ extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
 
 +/* Unconditionally run the integrity check. */
 +extern void BL_FIPSRepeatIntegrityCheck(void);
@ -839,7 +839,7 @@ Index: nss/lib/freebl/loader.h
 
     /* Version 3.013 came to here */
 
-@@ -920,6 +920,9 @@ struct FREEBLVectorStr {
+@@ -927,6 +927,9 @@ struct FREEBLVectorStr {
 
     /* Add new function pointers at the end of this struct and bump
      * FREEBL_VERSION at the beginning of this file. */
@ -861,7 +861,7 @@ Index: nss/lib/freebl/manifest.mn
 	$(NULL)
 
 MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-@@ -197,6 +198,7 @@ ALL_HDRS =  \
+@@ -198,6 +199,7 @@ ALL_HDRS =  \
 	shsign.h \
 	vis_proto.h \
 	seed.h \
@ -1628,10 +1628,11 @@ Index: nss/lib/freebl/ldvector.c
 ===================================================================
 --- nss.orig/lib/freebl/ldvector.c
 +++ nss/lib/freebl/ldvector.c
-@@ -438,6 +438,8 @@ static const struct FREEBLVectorStr vect
-     Kyber_Decapsulate,
- 
-     /* End of version 3.027 */
+@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect
+     ED_VerifyMessage,
+     ED_DerivePublicKey,
+     /* End of version 3.028 */
+    
 +    /* SUSE patch: Goes last */
 +    BL_FIPSRepeatIntegrityCheck
 };