diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 4093a06..f2ca034 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Apr 4 11:20:08 UTC 2024 - Martin Sirringhaus + +- update to NSS 3.99 + * Removing check for message len in ed25519 (bmo#1325335) + * add ed25519 to SECU_ecName2params. (bmo#1884276) + * add EdDSA wycheproof tests. (bmo#1325335) + * nss/lib layer code for EDDSA. (bmo#1325335) + * Adding EdDSA implementation. (bmo#1325335) + * Exporting Certificate Compression types (bmo#1881027) + * Updating ACVP docker to rust 1.74 (bmo#1880857) + * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) + * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) + ------------------------------------------------------------------- Sat Mar 16 21:39:31 UTC 2024 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index bc0a0c9..49582a7 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,15 +17,15 @@ # -%global nss_softokn_fips_version 3.98 +%global nss_softokn_fips_version 3.99 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb %global crypto_policies_version 20210118 Name: mozilla-nss -Version: 3.98 +Version: 3.99 Release: 0 -%define underscore_version 3_98 +%define underscore_version 3_99 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries diff --git a/nss-3.98.tar.gz b/nss-3.98.tar.gz deleted file mode 100644 index 964b8aa..0000000 --- a/nss-3.98.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce -size 76685475 diff --git a/nss-3.99.tar.gz b/nss-3.99.tar.gz new file mode 100644 index 0000000..82a08c3 --- /dev/null +++ b/nss-3.99.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5cd5c2c8406a376686e6fa4b9c2de38aa280bea07bf927c0d521ba07c88b09bd +size 76753982 diff --git a/nss-fips-combined-hash-sign-dsa-ecdsa.patch b/nss-fips-combined-hash-sign-dsa-ecdsa.patch index 729480b..e96b4f0 100644 --- a/nss-fips-combined-hash-sign-dsa-ecdsa.patch +++ b/nss-fips-combined-hash-sign-dsa-ecdsa.patch @@ -16,7 +16,7 @@ Index: nss/cmd/lib/pk11table.c =================================================================== --- nss.orig/cmd/lib/pk11table.c +++ nss/cmd/lib/pk11table.c -@@ -273,6 +273,10 @@ const Constant _consts[] = { +@@ -274,6 +274,10 @@ const Constant _consts[] = { mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_DSA, Mechanism), mkEntry(CKM_DSA_SHA1, Mechanism), @@ -27,7 +27,7 @@ Index: nss/cmd/lib/pk11table.c mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_DH_PKCS_DERIVE, Mechanism), mkEntry(CKM_X9_42_DH_DERIVE, Mechanism), -@@ -438,6 +442,10 @@ const Constant _consts[] = { +@@ -439,6 +443,10 @@ const Constant _consts[] = { mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_ECDSA, Mechanism), mkEntry(CKM_ECDSA_SHA1, Mechanism), @@ -37,12 +37,12 @@ Index: nss/cmd/lib/pk11table.c + mkEntry(CKM_ECDSA_SHA512, Mechanism), mkEntry(CKM_ECDH1_DERIVE, Mechanism), mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism), - mkEntry(CKM_ECMQV_DERIVE, Mechanism), + mkEntry(CKM_EC_EDWARDS_KEY_PAIR_GEN, Mechanism), Index: nss/lib/pk11wrap/pk11mech.c =================================================================== --- nss.orig/lib/pk11wrap/pk11mech.c +++ nss/lib/pk11wrap/pk11mech.c -@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -377,6 +377,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_RSA; case CKM_DSA: case CKM_DSA_SHA1: @@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c case CKM_DSA_KEY_PAIR_GEN: return CKK_DSA; case CKM_DH_PKCS_DERIVE: -@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -387,6 +391,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_KEA; case CKM_ECDSA: case CKM_ECDSA_SHA1: @@ -68,16 +68,16 @@ Index: nss/lib/softoken/pkcs11c.c =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2681,7 +2681,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, - void *dataBuf, unsigned int dataLen) + const void *dataBuf, unsigned int dataLen) { - SECItem signature, digest; - SECStatus rv; -@@ -2699,6 +2699,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu + NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx; + SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen }; +@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,16 +100,16 @@ Index: nss/lib/softoken/pkcs11c.c static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2716,7 +2732,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, - void *dataBuf, unsigned int dataLen) + const void *dataBuf, unsigned int dataLen) { - SECItem signature, digest; - SECStatus rv; -@@ -2734,6 +2750,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu + NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx; + SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen }; +@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3614,6 +3646,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4850,6 +4898,73 @@ loser: +@@ -4904,6 +4952,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4903,8 +5018,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5058,76 +5171,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } @@ -268,6 +268,11 @@ Index: nss/lib/softoken/pkcs11c.c - mech.mechanism = CKM_ECDSA; + SIGNVERIFY_CHECK_MECH(CKM_ECDSA_SHA224) break; + case CKK_EC_EDWARDS: + signature_length = ED25519_SIGN_LEN; +- mech.mechanism = CKM_EDDSA; ++ SIGNVERIFY_CHECK_MECH(CKM_EDDSA) + break; default: return CKR_DEVICE_ERROR; } diff --git a/nss-fips-constructor-self-tests.patch b/nss-fips-constructor-self-tests.patch index 0e3c60e..45ef426 100644 --- a/nss-fips-constructor-self-tests.patch +++ b/nss-fips-constructor-self-tests.patch @@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1921,6 +1921,9 @@ extern SECStatus Kyber_Encapsulate(Kyber +@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl */ - extern SECStatus Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *ciphertext, SECItem *secret); + extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey); +/* Unconditionally run the integrity check. */ +extern void BL_FIPSRepeatIntegrityCheck(void); @@ -839,7 +839,7 @@ Index: nss/lib/freebl/loader.h /* Version 3.013 came to here */ -@@ -920,6 +920,9 @@ struct FREEBLVectorStr { +@@ -927,6 +927,9 @@ struct FREEBLVectorStr { /* Add new function pointers at the end of this struct and bump * FREEBL_VERSION at the beginning of this file. */ @@ -861,7 +861,7 @@ Index: nss/lib/freebl/manifest.mn $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h -@@ -197,6 +198,7 @@ ALL_HDRS = \ +@@ -198,6 +199,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ @@ -1628,10 +1628,11 @@ Index: nss/lib/freebl/ldvector.c =================================================================== --- nss.orig/lib/freebl/ldvector.c +++ nss/lib/freebl/ldvector.c -@@ -438,6 +438,8 @@ static const struct FREEBLVectorStr vect - Kyber_Decapsulate, - - /* End of version 3.027 */ +@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect + ED_VerifyMessage, + ED_DerivePublicKey, + /* End of version 3.028 */ ++ + /* SUSE patch: Goes last */ + BL_FIPSRepeatIntegrityCheck };