Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2024-04-24 15:13:06 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new.1880 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Wed Apr 24 15:13:06 2024 rev:216 rq:1169404 version:3.99 Changes: -------- --- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2024-03-25 21:07:18.515222325 +0100 +++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.1880/mozilla-nss.changes 2024-04-24 15:13:10.886592046 +0200 @@ -1,0 +2,14 @@ +Thu Apr 4 11:20:08 UTC 2024 - Martin Sirringhaus <[email protected]> + +- update to NSS 3.99 + * Removing check for message len in ed25519 (bmo#1325335) + * add ed25519 to SECU_ecName2params. (bmo#1884276) + * add EdDSA wycheproof tests. (bmo#1325335) + * nss/lib layer code for EDDSA. (bmo#1325335) + * Adding EdDSA implementation. (bmo#1325335) + * Exporting Certificate Compression types (bmo#1881027) + * Updating ACVP docker to rust 1.74 (bmo#1880857) + * Updating HACL* to 0f136f28935822579c244f287e1d2a1908a7e552 (bmo#1325335) + * Add NSS_CMSRecipient_IsSupported. (bmo#1877730) + +------------------------------------------------------------------- Old: ---- nss-3.98.tar.gz New: ---- nss-3.99.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ --- /var/tmp/diff_new_pack.OB02Nw/_old 2024-04-24 15:13:16.398789563 +0200 +++ /var/tmp/diff_new_pack.OB02Nw/_new 2024-04-24 15:13:16.402789706 +0200 @@ -17,15 +17,15 @@ # -%global nss_softokn_fips_version 3.98 +%global nss_softokn_fips_version 3.99 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb %global crypto_policies_version 20210118 Name: mozilla-nss -Version: 3.98 +Version: 3.99 Release: 0 -%define underscore_version 3_98 +%define underscore_version 3_99 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries ++++++ nss-3.98.tar.gz -> nss-3.99.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.98.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.1880/nss-3.99.tar.gz differ: char 5, line 1 ++++++ nss-fips-combined-hash-sign-dsa-ecdsa.patch ++++++ --- /var/tmp/diff_new_pack.OB02Nw/_old 2024-04-24 15:13:16.634798019 +0200 +++ /var/tmp/diff_new_pack.OB02Nw/_new 2024-04-24 15:13:16.642798306 +0200 @@ -16,7 +16,7 @@ =================================================================== --- nss.orig/cmd/lib/pk11table.c +++ nss/cmd/lib/pk11table.c -@@ -273,6 +273,10 @@ const Constant _consts[] = { +@@ -274,6 +274,10 @@ const Constant _consts[] = { mkEntry(CKM_DSA_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_DSA, Mechanism), mkEntry(CKM_DSA_SHA1, Mechanism), @@ -27,7 +27,7 @@ mkEntry(CKM_DH_PKCS_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_DH_PKCS_DERIVE, Mechanism), mkEntry(CKM_X9_42_DH_DERIVE, Mechanism), -@@ -438,6 +442,10 @@ const Constant _consts[] = { +@@ -439,6 +443,10 @@ const Constant _consts[] = { mkEntry(CKM_EC_KEY_PAIR_GEN, Mechanism), mkEntry(CKM_ECDSA, Mechanism), mkEntry(CKM_ECDSA_SHA1, Mechanism), @@ -37,12 +37,12 @@ + mkEntry(CKM_ECDSA_SHA512, Mechanism), mkEntry(CKM_ECDH1_DERIVE, Mechanism), mkEntry(CKM_ECDH1_COFACTOR_DERIVE, Mechanism), - mkEntry(CKM_ECMQV_DERIVE, Mechanism), + mkEntry(CKM_EC_EDWARDS_KEY_PAIR_GEN, Mechanism), Index: nss/lib/pk11wrap/pk11mech.c =================================================================== --- nss.orig/lib/pk11wrap/pk11mech.c +++ nss/lib/pk11wrap/pk11mech.c -@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -377,6 +377,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_RSA; case CKM_DSA: case CKM_DSA_SHA1: @@ -53,7 +53,7 @@ case CKM_DSA_KEY_PAIR_GEN: return CKK_DSA; case CKM_DH_PKCS_DERIVE: -@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, +@@ -387,6 +391,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type, return CKK_KEA; case CKM_ECDSA: case CKM_ECDSA_SHA1: @@ -68,16 +68,16 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2681,7 +2681,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2677,7 +2677,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, - void *dataBuf, unsigned int dataLen) + const void *dataBuf, unsigned int dataLen) { - SECItem signature, digest; - SECStatus rv; -@@ -2699,6 +2699,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu + NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx; + SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen }; +@@ -2690,6 +2690,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,16 +100,16 @@ static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2716,7 +2732,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2703,7 +2719,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, - void *dataBuf, unsigned int dataLen) + const void *dataBuf, unsigned int dataLen) { - SECItem signature, digest; - SECStatus rv; -@@ -2734,6 +2750,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu + NSSLOWKEYPrivateKey *key = (NSSLOWKEYPrivateKey *)ctx; + SECItem signature = { siBuffer, (unsigned char *)sigBuf, maxSigLen }; +@@ -2744,6 +2760,22 @@ nsc_EDDSASignStub(void *ctx, void *sigBu return rv; } @@ -132,7 +132,7 @@ /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3614,6 +3646,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3647,6 +3679,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4850,6 +4898,73 @@ loser: +@@ -4904,6 +4952,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4903,8 +5018,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4957,8 +5072,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5058,76 +5171,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5112,80 +5225,36 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } @@ -268,6 +268,11 @@ - mech.mechanism = CKM_ECDSA; + SIGNVERIFY_CHECK_MECH(CKM_ECDSA_SHA224) break; + case CKK_EC_EDWARDS: + signature_length = ED25519_SIGN_LEN; +- mech.mechanism = CKM_EDDSA; ++ SIGNVERIFY_CHECK_MECH(CKM_EDDSA) + break; default: return CKR_DEVICE_ERROR; } ++++++ nss-fips-constructor-self-tests.patch ++++++ --- /var/tmp/diff_new_pack.OB02Nw/_old 2024-04-24 15:13:16.662799023 +0200 +++ /var/tmp/diff_new_pack.OB02Nw/_new 2024-04-24 15:13:16.666799167 +0200 @@ -63,9 +63,9 @@ /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1921,6 +1921,9 @@ extern SECStatus Kyber_Encapsulate(Kyber +@@ -1942,6 +1942,9 @@ extern SECStatus ED_VerifyMessage(ECPubl */ - extern SECStatus Kyber_Decapsulate(KyberParams params, const SECItem *privKey, const SECItem *ciphertext, SECItem *secret); + extern SECStatus ED_DerivePublicKey(const SECItem *privateKey, SECItem *publicKey); +/* Unconditionally run the integrity check. */ +extern void BL_FIPSRepeatIntegrityCheck(void); @@ -839,7 +839,7 @@ /* Version 3.013 came to here */ -@@ -920,6 +920,9 @@ struct FREEBLVectorStr { +@@ -927,6 +927,9 @@ struct FREEBLVectorStr { /* Add new function pointers at the end of this struct and bump * FREEBL_VERSION at the beginning of this file. */ @@ -861,7 +861,7 @@ $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h -@@ -197,6 +198,7 @@ ALL_HDRS = \ +@@ -198,6 +199,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ @@ -1628,10 +1628,11 @@ =================================================================== --- nss.orig/lib/freebl/ldvector.c +++ nss/lib/freebl/ldvector.c -@@ -438,6 +438,8 @@ static const struct FREEBLVectorStr vect - Kyber_Decapsulate, - - /* End of version 3.027 */ +@@ -443,6 +443,9 @@ static const struct FREEBLVectorStr vect + ED_VerifyMessage, + ED_DerivePublicKey, + /* End of version 3.028 */ ++ + /* SUSE patch: Goes last */ + BL_FIPSRepeatIntegrityCheck };
