Accepting request 1164588 from home:MSirringhaus:branches:mozilla:Factory

- update to NSS 3.99
  * Removing check for message len in ed25519 (bmo#1325335)
  * add ed25519 to SECU_ecName2params. (bmo#1884276)
  * add EdDSA wycheproof tests. (bmo#1325335)
  * nss/lib layer code for EDDSA. (bmo#1325335)
  * Adding EdDSA implementation. (bmo#1325335)
  * Exporting Certificate Compression types (bmo#1881027)
  * Updating ACVP docker to rust 1.74 (bmo#1880857)
  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)

OBS-URL: https://build.opensuse.org/request/show/1164588
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=444

mozilla-nss.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Apr  4 11:20:08 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- update to NSS 3.99
+  * Removing check for message len in ed25519 (bmo#1325335)
+  * add ed25519 to SECU_ecName2params. (bmo#1884276)
+  * add EdDSA wycheproof tests. (bmo#1325335)
+  * nss/lib layer code for EDDSA. (bmo#1325335)
+  * Adding EdDSA implementation. (bmo#1325335)
+  * Exporting Certificate Compression types (bmo#1881027)
+  * Updating ACVP docker to rust 1.74 (bmo#1880857)
+  * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335)
+  * Add NSS_CMSRecipient_IsSupported. (bmo#1877730)
+
 -------------------------------------------------------------------
 Sat Mar 16 21:39:31 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
 

mozilla-nss.spec

@@ -17,15 +17,15 @@
 #
 
 
-%global nss_softokn_fips_version 3.98
+%global nss_softokn_fips_version 3.99
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 %global crypto_policies_version 20210118
 Name:           mozilla-nss
-Version:        3.98
+Version:        3.99
 Release:        0
-%define underscore_version 3_98
+%define underscore_version 3_99
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries

nss-3.98.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f549cc33d35c0601674bfacf7c6ad683c187595eb4125b423238d3e9aa4209ce
-size 76685475

nss-3.99.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5cd5c2c8406a376686e6fa4b9c2de38aa280bea07bf927c0d521ba07c88b09bd
+size 76753982

nss-fips-combined-hash-sign-dsa-ecdsa.patch

@@ -16,7 +16,7 @@ Index: nss/cmd/lib/pk11table.c
 ===================================================================
 --- nss.orig/cmd/lib/pk11table.c
 +++ nss/cmd/lib/pk11table.c
-@@ -273,6 +273,10 @@ const Constant _consts[] = {
+@@ -274,6 +274,10 @@ const Constant _consts[] = {
      mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism),
      mkEntry(CKM_DSA, Mechanism),
      mkEntry(CKM_DSA_SHA1, Mechanism),
@@ -27,7 +27,7 @@ Index: nss/cmd/lib/pk11table.c
      mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism),
      mkEntry(CKM_DH_PKCS_DERIVE, Mechanism),
      mkEntry(CKM_X9_42_DH_DERIVE, Mechanism),
-@@ -438,6 +442,10 @@ const Constant _consts[] = {
+@@ -439,6 +443,10 @@ const Constant _consts[] = {
      mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism),
      mkEntry(CKM_ECDSA, Mechanism),
      mkEntry(CKM_ECDSA_SHA1, Mechanism),
@@ -37,12 +37,12 @@ Index: nss/cmd/lib/pk11table.c
 +    mkEntry(CKM_ECDSA_SHA512, Mechanism),
      mkEntry(CKM_ECDH1_DERIVE, Mechanism),
      mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism),
-     mkEntry(CKM_ECMQV_DERIVE, Mechanism),
+     mkEntry(CKM_EC_EDWARDS_KEY_PAIR_GEN, Mechanism),
 Index: nss/lib/pk11wrap/pk11mech.c
 ===================================================================
 --- nss.orig/lib/pk11wrap/pk11mech.c
 +++ nss/lib/pk11wrap/pk11mech.c
-@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -377,6 +377,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
              return CKK_RSA;
          case CKM_DSA:
          case CKM_DSA_SHA1:
@@ -53,7 +53,7 @@ Index: nss/lib/pk11wrap/pk11mech.c
          case CKM_DSA_KEY_PAIR_GEN:
              return CKK_DSA;
          case CKM_DH_PKCS_DERIVE:
-@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -387,6 +391,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
              return CKK_KEA;
          case CKM_ECDSA:
          case CKM_ECDSA_SHA1:
@@ -68,16 +68,16 @@ Index: nss/lib/softoken/pkcs11c.c
 ===================================================================
 --- nss.orig/lib/softoken/pkcs11c.c
 +++ nss/lib/softoken/pkcs11c.c
-@@ -2681,7 +2681,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
  static SECStatus
  nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
                    unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
  {
-     SECItem signature, digest;
+     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
-     SECStatus rv;
+     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
-@@ -2699,6 +2699,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
      return rv;
  }
  
@@ -100,16 +100,16 @@ Index: nss/lib/softoken/pkcs11c.c
  static SECStatus
  nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                      void *dataBuf, unsigned int dataLen)
-@@ -2716,7 +2732,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
+@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
  static SECStatus
  nsc_ECDSASignStub(void *ctx, void *sigBuf,
                    unsigned int *sigLen, unsigned int maxSigLen,
 -                  void *dataBuf, unsigned int dataLen)
 +                  const void *dataBuf, unsigned int dataLen)
  {
-     SECItem signature, digest;
+     NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx;
-     SECStatus rv;
+     SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen };
-@@ -2734,6 +2750,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
+@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu
      return rv;
  }
  
@@ -132,7 +132,7 @@ Index: nss/lib/softoken/pkcs11c.c
  /* NSC_SignInit setups up the signing operations. There are three basic
   * types of signing:
   *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3614,6 +3646,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
          info->hashOid = SEC_OID_##mmm;                    \
          goto finish_rsa;
  
@@ -155,7 +155,7 @@ Index: nss/lib/softoken/pkcs11c.c
      switch (pMechanism->mechanism) {
          INIT_RSA_VFY_MECH(MD5)
          INIT_RSA_VFY_MECH(MD2)
-@@ -4850,6 +4898,73 @@ loser:
+@@ -4904,6 +4952,73 @@ loser:
  #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
  #define PAIRWISE_MESSAGE_LENGTH 20           /* 160-bits */
  
@@ -229,7 +229,7 @@ Index: nss/lib/softoken/pkcs11c.c
  /*
   * FIPS 140-2 pairwise consistency check utilized to validate key pair.
   *
-@@ -4903,8 +5018,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
  
      /* Variables used for Signature/Verification functions. */
      /* Must be at least 256 bits for DSA2 digest */
@@ -238,7 +238,7 @@ Index: nss/lib/softoken/pkcs11c.c
      CK_ULONG signature_length;
  
      if (keyType == CKK_RSA) {
-@@ -5058,76 +5171,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
          }
      }
  
@@ -268,6 +268,11 @@ Index: nss/lib/softoken/pkcs11c.c
 -                mech.mechanism = CKM_ECDSA;
 +                SIGNVERIFY_CHECK_MECH(CKM_ECDSA_SHA224)
                  break;
+             case CKK_EC_EDWARDS:
+                 signature_length = ED25519_SIGN_LEN;
+-                mech.mechanism = CKM_EDDSA;
++                SIGNVERIFY_CHECK_MECH(CKM_EDDSA)
+                 break;
              default:
                  return CKR_DEVICE_ERROR;
          }

nss-fips-constructor-self-tests.patch

@@ -63,9 +63,9 @@ Index: nss/lib/freebl/blapi.h
  
  /*********************************************************************/
  extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType);
-@@ -1921,6 +1921,9 @@ extern SECStatus Kyber_Encapsulate(Kyber
+@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl
   */
- extern SECStatus Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *ciphertext, SECItem *secret);
+ extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey);
  
 +/* Unconditionally run the integrity check. */
 +extern void BL_FIPSRepeatIntegrityCheck(void);
@@ -839,7 +839,7 @@ Index: nss/lib/freebl/loader.h
  
      /* Version 3.013 came to here */
  
-@@ -920,6 +920,9 @@ struct FREEBLVectorStr {
+@@ -927,6 +927,9 @@ struct FREEBLVectorStr {
  
      /* Add new function pointers at the end of this struct and bump
       * FREEBL_VERSION at the beginning of this file. */
@@ -861,7 +861,7 @@ Index: nss/lib/freebl/manifest.mn
  	$(NULL)
  
  MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
-@@ -197,6 +198,7 @@ ALL_HDRS =  \
+@@ -198,6 +199,7 @@ ALL_HDRS =  \
  	shsign.h \
  	vis_proto.h \
  	seed.h \
@@ -1628,10 +1628,11 @@ Index: nss/lib/freebl/ldvector.c
 ===================================================================
 --- nss.orig/lib/freebl/ldvector.c
 +++ nss/lib/freebl/ldvector.c
-@@ -438,6 +438,8 @@ static const struct FREEBLVectorStr vect
+@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect
-     Kyber_Decapsulate,
+     ED_VerifyMessage,
- 
+     ED_DerivePublicKey,
-     /* End of version 3.027 */
+     /* End of version 3.028 */
++    
 +    /* SUSE patch: Goes last */
 +    BL_FIPSRepeatIntegrityCheck
  };