Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2023-10-29 19:39:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new.17445 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Sun Oct 29 19:39:28 2023 rev:209 rq:1120733 version:3.94 Changes: --------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2023-09-06 18:57:10.425378073 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.17445/mozilla-nss.changes 2023-10-29 19:39:30.374368879 +0100
@@ -1,0 +2,23 @@
+Tue Oct 24 06:44:18 UTC 2023 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- update to NSS 3.94
+ * bmo#1853737 - Updated code and commit ID for HACL*
+ * bmo#1840510 - update ACVP fuzzed test vector: refuzzed with
+ current NSS
+ * bmo#1827303 - Softoken C_ calls should use system FIPS setting
+ to select NSC_ or FC_ variants
+ * bmo#1774659 - NSS needs a database tool that can dump the low level
+ representation of the database
+ * bmo#1852179 - declare string literals using char in pkixnames_tests.cpp
+ * bmo#1852179 - avoid implicit conversion for ByteString
+ * bmo#1818766 - update rust version for acvp docker
+ * bmo#1852011 - Moving the init function of the mpi_ints before
+ clean-up in ec.c
+ * bmo#1615555 - P-256 ECDH and ECDSA from HACL*
+ * bmo#1840510 - Add ACVP test vectors to the repository
+ * bmo#1849077 - Stop relying on std::basic_string<uint8_t>
+ * bmo#1847845 - Transpose the PPC_ABI check from Makefile to gyp
+- rebased patches
+- added nss-fips-test.patch to fix broken test
+
+-------------------------------------------------------------------
@@ -5,3 +28,3 @@ - + bmo#1849471 - Update zlib in NSS to 1.3. - + bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. - + bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). + * bmo#1849471 - Update zlib in NSS to 1.3. + * bmo#1848183 - softoken: iterate hashUpdate calls for long inputs. + * bmo#1813401 - regenerate NameConstraints test certificates (boo#1214980). Old: ---- nss-3.93.tar.gz New: ---- nss-3.94.tar.gz nss-fips-test.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.650597210 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.654597355 +0100 @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.93 +%global nss_softokn_fips_version 3.94 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.93 +Version: 3.94 Release: 0 -%define underscore_version 3_93 +%define underscore_version 3_94 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -77,6 +77,7 @@ Patch45: nss-fips-drbg-libjitter.patch Patch46: nss-allow-slow-tests.patch Patch47: nss-fips-pct-pubkeys.patch +Patch48: nss-fips-test.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ 
@@ -231,6 +232,7 @@ %endif %patch46 -p1 %patch47 -p1 +%patch48 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins ++++++ nss-3.93.tar.gz -> nss-3.94.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.93.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.17445/nss-3.94.tar.gz differ: char 5, line 1 ++++++ nss-fips-approved-crypto-non-ec.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.786602157 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.786602157 +0100 @@ -324,7 +324,7 @@ struct NSSLOWInitContextStr { int count; -@@ -99,6 +100,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext +@@ -69,6 +70,15 @@ NSSLOWHASH_NewContext(NSSLOWInitContext { NSSLOWHASHContext *context; @@ -369,7 +369,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4821,6 +4821,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi goto loser; } @@ -379,7 +379,7 @@ /* * handle the base object stuff */ -@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4835,6 +4838,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi if (crv == CKR_OK) { *phKey = key->handle; } @@ -387,7 +387,7 @@ loser: PORT_Memset(buf, 0, sizeof buf); sftk_FreeObject(key); -@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5751,11 +5755,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS * created and linked. */ crv = sftk_handleObject(publicKey, session); @@ -400,7 +400,7 @@ return crv; } if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { -@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5799,13 +5803,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); sftk_FreeObject(privateKey); 
@@ -420,7 +420,7 @@ return CKR_OK; } -@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7510,7 +7520,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); @@ -429,7 +429,7 @@ PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; -@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7899,6 +7909,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession PORT_Assert(i <= sizeof key_block); } @@ -737,7 +737,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11.c +++ nss/lib/softoken/pkcs11.c -@@ -546,17 +546,17 @@ static const struct mechanismList mechan +@@ -557,17 +557,17 @@ static const struct mechanismList mechan { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, ++++++ nss-fips-combined-hash-sign-dsa-ecdsa.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.810603030 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.814603176 +0100 @@ -68,7 +68,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ { SECItem signature, digest; SECStatus rv; -@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } 
@@ -100,7 +100,7 @@ static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ { SECItem signature, digest; SECStatus rv; -@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3612,6 +3644,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4819,6 +4867,73 @@ loser: +@@ -4848,6 +4896,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4901,8 +5016,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5056,76 +5169,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } ++++++ nss-fips-constructor-self-tests.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.822603467 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.826603613 +0100 
@@ -63,9 +63,9 @@ /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo +@@ -1896,6 +1896,9 @@ extern int EC_GetPointSize(const ECParam */ - extern int EC_GetPointSize(const ECParams *params); + extern int EC_GetScalarSize(const ECParams *params); +/* Unconditionally run the integrity check. */ +extern void BL_FIPSRepeatIntegrityCheck(void); ++++++ nss-fips-detect-fips-mode-fixes.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.838604049 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.842604195 +0100 @@ -26,11 +26,10 @@ #include "prtypes.h" #include "prenv.h" #include "secerr.h" -@@ -25,6 +29,23 @@ struct NSSLOWHASHContextStr { - }; +@@ -27,6 +31,22 @@ struct NSSLOWHASHContextStr { + static NSSLOWInitContext dummyContext = { 0 }; + static PRBool post_failed = PR_TRUE; - #ifndef NSS_FIPS_DISABLED -+ +static PRBool +getFIPSEnv(void) +{ 
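Review bot: In the rebased nss-fips-detect-fips-mode-fixes.patch the added `getFIPSEnv()` definition now follows `static PRBool post_failed = PR_TRUE;` directly, and the `#ifndef NSS_FIPS_DISABLED` line that preceded it in the old patch is gone from the visible context, while its only visible caller in the next hunk, `if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) {`, still sits under `#ifndef NSS_FIPS_DISABLED`. If that reading of the context is right, a build with `NSS_FIPS_DISABLED` defined carries an unused static function, which is a warning and a build failure wherever warnings are treated as errors; wrapping the definition in `#ifndef NSS_FIPS_DISABLED` and `#endif` keeps it in step with the call site. The body of `getFIPSEnv()` falls between the two hunks and is not visible here. A short comment above it should name the environment variable it reads and state that, because of the `||`, the variable can only add the FIPS entry check on top of the system setting and never suppress it.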
@@ -47,23 +46,15 @@ + return PR_FALSE; +} + - static int - nsslow_GetFIPSEnabled(void) + NSSLOWInitContext * + NSSLOW_Init(void) { -@@ -52,6 +73,7 @@ nsslow_GetFIPSEnabled(void) - #endif /* LINUX */ - return 1; - } -+ - #endif /* NSS_FIPS_DISABLED */ - - static NSSLOWInitContext dummyContext = { 0 }; -@@ -67,7 +89,7 @@ NSSLOW_Init(void) +@@ -37,7 +57,7 @@ NSSLOW_Init(void) #ifndef NSS_FIPS_DISABLED /* make sure the FIPS product is installed if we are trying to * go into FIPS mode */ -- if (nsslow_GetFIPSEnabled()) { -+ if (nsslow_GetFIPSEnabled() || getFIPSEnv()) { +- if (NSS_GetSystemFIPSEnabled()) { ++ if (NSS_GetSystemFIPSEnabled() || getFIPSEnv()) { if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) { PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); post_failed = PR_TRUE; ++++++ nss-fips-pairwise-consistency-check.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.858604776 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.862604922 +0100 @@ -14,7 +14,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4812,8 +4812,8 @@ loser: +@@ -4841,8 +4841,8 @@ loser: return crv; } @@ -25,7 +25,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5790,6 +5790,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } ++++++ nss-fips-test.patch ++++++ Index: nss/tests/cert/cert.sh =================================================================== --- nss.orig/tests/cert/cert.sh +++ nss/tests/cert/cert.sh 
@@ -1367,8 +1367,8 @@ cert_fips() echo "$SCRIPTNAME: Enable FIPS mode on database -----------------------" CU_ACTION="Enable FIPS mode on database for ${CERTNAME}" - echo "modutil -dbdir ${PROFILEDIR} -fips true " - ${BINDIR}/modutil -dbdir ${PROFILEDIR} -fips true 2>&1 <<MODSCRIPT + echo "modutil -dbdir ${PROFILEDIR} -chkfips true " + ${BINDIR}/modutil -dbdir ${PROFILEDIR} -chkfips true 2>&1 <<MODSCRIPT y MODSCRIPT RET=$? ++++++ nss-fips-zeroization.patch ++++++ --- /var/tmp/diff_new_pack.UkGHCE/_old 2023-10-29 19:39:36.898606232 +0100 +++ /var/tmp/diff_new_pack.UkGHCE/_new 2023-10-29 19:39:36.902606377 +0100 @@ -107,8 +107,8 @@ =================================================================== --- nss.orig/lib/freebl/ec.c +++ nss/lib/freebl/ec.c -@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con - ECParams *ecParams = NULL; +@@ -1049,7 +1049,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con + mp_int n; SECItem pointC = { siBuffer, NULL, 0 }; int slen; /* length in bytes of a half signature (r or s) */ - int flen; /* length in bytes of the field size */
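Review bot: The step in nss-fips-test.patch still announces itself as "Enable FIPS mode on database" in both the `echo` banner and `CU_ACTION`, but the command it runs is now `modutil -dbdir ${PROFILEDIR} -chkfips true`, which verifies the FIPS state instead of switching the database into FIPS mode. Unless something outside this hunk enables FIPS on `${PROFILEDIR}`, the later FIPS tests depend on the state the database already has, and a failure here is reported under a label that no longer matches the action. Rename the label, for example `CU_ACTION="Check FIPS mode on database for ${CERTNAME}"`, and add a comment above the call saying why the check replaces the enable, since the changelog only says "fix broken test". The `y` fed through the `MODSCRIPT` here-document looks like a leftover answer to the `-fips true` confirmation prompt and is probably no longer needed. cert_fips() begins and ends outside the hunk.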