diff --git a/mozilla-nss.changes b/mozilla-nss.changes index eefe421..9bb7723 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Sun Jan 15 20:25:25 UTC 2023 - Wolfgang Rosenauer + +- update to NSS 3.86 + * bmo#1803190 - conscious language removal in NSS + * bmo#1794506 - Set nssckbi version number to 2.60 + * bmo#1803453 - Set CKA_NSS_SERVER_DISTRUST_AFTER and + CKA_NSS_EMAIL_DISTRUST_AFTER for 3 + TrustCor Root Certificates + * bmo#1799038 - Remove Staat der Nederlanden EV Root CA from NSS + * bmo#1797559 - Remove EC-ACC root cert from NSS + * bmo#1794507 - Remove SwissSign Platinum CA - G2 from NSS + * bmo#1794495 - Remove Network Solutions Certificate Authority + * bmo#1802331 - compress docker image artifact with zstd + * bmo#1799315 - Migrate nss from AWS to GCP + * bmo#1800989 - Enable static builds in the CI + * bmo#1765759 - Removing SAW docker from the NSS build system + * bmo#1783231 - Initialising variables in the rsa blinding code + * bmo#320582 - Implementation of the double-signing of the message + for ECDSA + * bmo#1783231 - Adding exponent blinding for RSA. + ------------------------------------------------------------------- Mon Dec 5 13:32:45 UTC 2022 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index c34b680..c83e5c6 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -1,8 +1,8 @@ # # spec file for package mozilla-nss # -# Copyright (c) 2022 SUSE LLC -# Copyright (c) 2006-2022 Wolfgang Rosenauer +# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2006-2023 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.85 +%global nss_softokn_fips_version 3.86 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.85 +Version: 3.86 Release: 0 -%define underscore_version 3_85 +%define underscore_version 3_86 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries diff --git a/nss-3.85.tar.gz b/nss-3.85.tar.gz deleted file mode 100644 index b8b7ed0..0000000 --- a/nss-3.85.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:afd9d64510b1154debbd6cab3571e9ff64a3373898e03483e4c85cdada13d297 -size 84717969 diff --git a/nss-3.86.tar.gz b/nss-3.86.tar.gz new file mode 100644 index 0000000..ad97f90 --- /dev/null +++ b/nss-3.86.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3f385fc686476bbba811035fa6821b542475d55747b18c20c221d4d66573b975 +size 71423531 diff --git a/nss-fips-rsa-keygen-strictness.patch b/nss-fips-rsa-keygen-strictness.patch index 220817b..ce99316 100644 --- a/nss-fips-rsa-keygen-strictness.patch +++ b/nss-fips-rsa-keygen-strictness.patch @@ -9,6 +9,7 @@ Author: Hans Petter Jansson Patch 16: nss-fips-rsa-keygen-strictness.patch diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c +index b757150..41d08b1 100644 --- a/lib/freebl/mpi/mpprime.c +++ b/lib/freebl/mpi/mpprime.c @@ -14,6 +14,8 @@ @@ -20,7 +21,7 @@ diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c #define SMALL_TABLE 0 /* determines size of hard-wired prime table */ #define RANDOM() rand() -@@ -451,6 +453,25 @@ +@@ -465,6 +467,25 @@ mpp_make_prime_ext_random(mp_int *start, mp_size nBits, mp_size strong, mpp_rand } else num_tests = 50; @@ -47,6 +48,7 @@ diff --git a/lib/freebl/mpi/mpprime.c b/lib/freebl/mpi/mpprime.c --nBits; MP_CHECKOK(mpl_set_bit(start, nBits - 1, 1)); diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c +index 2b8a3bf..8d40d11 100644 --- a/lib/freebl/rsa.c +++ b/lib/freebl/rsa.c @@ -16,11 +16,13 @@ @@ -61,9 +63,9 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c #include "blapii.h" +#include "fips.h" - /* - ** Number of times to attempt to generate a prime (p or q) from a random -@@ -143,11 +145,24 @@ + /* The minimal required randomness is 64 bits */ + /* EXP_BLINDING_RANDOMNESS_LEN is the length of the randomness in mp_digits */ +@@ -149,11 +151,24 @@ rsa_build_from_primes(const mp_int *p, const mp_int *q, err = mp_invmod(d, &phi, e); } else { err = mp_invmod(e, &phi, d); @@ -90,7 +92,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c if (err != MP_OKAY) { if (err == MP_UNDEF) { PORT_SetError(SEC_ERROR_NEED_RANDOM); -@@ -280,10 +295,12 @@ +@@ -286,10 +301,12 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) mp_int q = { 0, 0, 0, NULL }; mp_int e = { 0, 0, 0, NULL }; mp_int d = { 0, 0, 0, NULL }; @@ -104,7 +106,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c int prerr = 0; RSAPrivateKey *key = NULL; PLArenaPool *arena = NULL; -@@ -301,11 +318,40 @@ +@@ -307,11 +324,40 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) PORT_SetError(SEC_ERROR_INVALID_ARGS); goto cleanup; } @@ -149,7 +151,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c } #endif -@@ -323,12 +369,7 @@ +@@ -329,12 +375,7 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) key->arena = arena; /* length of primes p and q (in bytes) */ primeLen = keySizeInBits / (2 * PR_BITS_PER_BYTE); @@ -163,7 +165,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c /* 3. Set the version number (PKCS1 v1.5 says it should be zero) */ SECITEM_AllocItem(arena, &key->version, 1); key->version.data[0] = 0; -@@ -339,13 +380,64 @@ +@@ -345,13 +386,64 @@ RSA_NewKey(int keySizeInBits, SECItem *publicExponent) PORT_SetError(0); CHECK_SEC_OK(generate_prime(&p, primeLen)); CHECK_SEC_OK(generate_prime(&q, primeLen)); @@ -229,7 +231,7 @@ diff --git a/lib/freebl/rsa.c b/lib/freebl/rsa.c /* Attempt to use these primes to generate a key */ rv = rsa_build_from_primes(&p, &q, &e, PR_FALSE, /* needPublicExponent=false */ -@@ -368,7 +460,9 @@ +@@ -374,7 +466,9 @@ cleanup: mp_clear(&q); mp_clear(&e); mp_clear(&d);