Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:Factory 
checked in at 2020-10-10 19:00:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
 and      /work/SRC/openSUSE:Factory/.mozilla-nss.new.4249 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mozilla-nss"

Sat Oct 10 19:00:34 2020 rev:164 rq:840031 version:3.57

Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes  2020-09-29 
18:59:04.053574082 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.4249/mozilla-nss.changes        
2020-10-10 19:00:44.512375606 +0200
@@ -1,0 +2,25 @@
+Wed Sep 30 21:06:01 UTC 2020 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- update to NSS 3.57
+  * The following CA certificates were Added:
+    bmo#1663049 - CN=Trustwave Global Certification Authority
+        SHA-256 Fingerprint: 
97552015F5DDFC3C8788C006944555408894450084F100867086BC1A2BB58DC8
+    bmo#1663049 - CN=Trustwave Global ECC P256 Certification Authority
+        SHA-256 Fingerprint: 
945BBC825EA554F489D1FD51A73DDF2EA624AC7019A05205225C22A78CCFA8B4
+    bmo#1663049 - CN=Trustwave Global ECC P384 Certification Authority
+        SHA-256 Fingerprint: 
55903859C8C0C3EBB8759ECE4E2557225FF5758BBD38EBD48276601E1BD58097
+  * The following CA certificates were Removed:
+    bmo#1651211 - CN=EE Certification Centre Root CA
+        SHA-256 Fingerprint: 
3E84BA4342908516E77573C0992F0979CA084E4685681FF195CCBA8A229B8A76
+    bmo#1656077 - O=Government Root Certification Authority; C=TW
+        SHA-256 Fingerprint: 
7600295EEFE85B9E1FD624DB76062AAAAE59818A54D2774CD4C0B2C01131E1B3
+  * Trust settings for the following CA certificates were Modified:
+    bmo#1653092 - CN=OISTE WISeKey Global Root GA CA
+        Websites (server authentication) trust bit removed.
+  * 
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.57_release_notes
+- requires NSPR 4.29
+- removed obsolete nss-freebl-fix-aarch64.patch (bmo#1659256)
+- introduced _constraints due to high memory requirements especially
+  for LTO on Tumbleweed
+
+-------------------------------------------------------------------

Old:
----
  nss-3.56.tar.gz
  nss-freebl-fix-aarch64.patch

New:
----
  _constraints
  nss-3.57.tar.gz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.EBWkdT/_old  2020-10-10 19:00:51.380379016 +0200
+++ /var/tmp/diff_new_pack.EBWkdT/_new  2020-10-10 19:00:51.384379018 +0200
@@ -17,14 +17,14 @@
 #
 
 
-%global nss_softokn_fips_version 3.56
-%define NSPR_min_version 4.28
+%global nss_softokn_fips_version 3.57
+%define NSPR_min_version 4.29
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.56
+Version:        3.57
 Release:        0
-%define underscore_version 3_56
+%define underscore_version 3_57
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -50,26 +50,25 @@
 Patch6:         bmo-1400603.patch
 Patch7:         nss-sqlitename.patch
 Patch8:         ppc-old-abi-v3.patch
-Patch11:        nss-fips-use-getrandom.patch
-Patch13:        nss-fips-dsa-kat.patch
-Patch15:        nss-fips-pairwise-consistency-check.patch
-Patch16:        nss-fips-rsa-keygen-strictness.patch
-Patch19:        nss-fips-cavs-keywrap.patch
-Patch20:        nss-fips-cavs-kas-ffc.patch
-Patch21:        nss-fips-cavs-kas-ecc.patch
-Patch22:        nss-fips-gcm-ctr.patch
-Patch23:        nss-fips-constructor-self-tests.patch
-Patch24:        nss-fips-cavs-general.patch
-Patch25:        nss-fips-cavs-dsa-fixes.patch
-Patch26:        nss-fips-cavs-rsa-fixes.patch
-Patch27:        nss-fips-approved-crypto-non-ec.patch
-Patch29:        nss-fips-zeroization.patch
-Patch30:        nss-fips-tls-allow-md5-prf.patch
-Patch31:        nss-fips-use-strong-random-pool.patch
-Patch32:        nss-fips-detect-fips-mode-fixes.patch
-Patch34:        nss-fips-combined-hash-sign-dsa-ecdsa.patch
-Patch36:        nss-fips-aes-keywrap-post.patch
-Patch37:        nss-freebl-fix-aarch64.patch
+Patch9:         nss-fips-use-getrandom.patch
+Patch10:        nss-fips-dsa-kat.patch
+Patch11:        nss-fips-pairwise-consistency-check.patch
+Patch12:        nss-fips-rsa-keygen-strictness.patch
+Patch13:        nss-fips-cavs-keywrap.patch
+Patch14:        nss-fips-cavs-kas-ffc.patch
+Patch15:        nss-fips-cavs-kas-ecc.patch
+Patch16:        nss-fips-gcm-ctr.patch
+Patch17:        nss-fips-constructor-self-tests.patch
+Patch18:        nss-fips-cavs-general.patch
+Patch19:        nss-fips-cavs-dsa-fixes.patch
+Patch20:        nss-fips-cavs-rsa-fixes.patch
+Patch21:        nss-fips-approved-crypto-non-ec.patch
+Patch22:        nss-fips-zeroization.patch
+Patch23:        nss-fips-tls-allow-md5-prf.patch
+Patch24:        nss-fips-use-strong-random-pool.patch
+Patch25:        nss-fips-detect-fips-mode-fixes.patch
+Patch26:        nss-fips-combined-hash-sign-dsa-ecdsa.patch
+Patch27:        nss-fips-aes-keywrap-post.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@@ -206,12 +205,17 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-
 # FIPS patches
+%patch9 -p1
+%patch10 -p1
 %patch11 -p1
+%patch12 -p1
 %patch13 -p1
+%patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
+%patch18 -p1
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
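Review bot: The `%patchN -p1` list in this %prep hunk has to be renumbered by hand in lockstep with the `PatchN:` declarations, and nothing here ties the two together. The older rpm releases this spec still builds against do not flag a declared patch that is never applied, so a missed number would silently drop a FIPS patch such as `nss-fips-zeroization.patch` or `nss-fips-constructor-self-tests.patch` from the build. `%patch22` to `%patch24` appear in neither hunk and are presumably in the unchanged lines between them; that is worth confirming against the full spec. If every declared patch is meant to be applied unconditionally, replacing the list with `%autopatch -p1` (or `%autosetup -p1`) removes the manual bookkeeping. The %prep section starts and ends outside this hunk.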
@@ -221,15 +225,6 @@
 %patch25 -p1
 %patch26 -p1
 %patch27 -p1
-%patch29 -p1
-%patch30 -p1
-%patch31 -p1
-%patch32 -p1
-%patch34 -p1
-%patch36 -p1
-
-# Freebl
-%patch37 -p1
 
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins

++++++ _constraints ++++++
<?xml version="1.0" encoding="UTF-8"?>
<constraints>
  <hardware>
    <disk>
      <size unit="G">5</size>
    </disk>
    <memory>
      <size unit="G">6</size>
    </memory>
  </hardware>
</constraints>
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.EBWkdT/_old  2020-10-10 19:00:51.464379057 +0200
+++ /var/tmp/diff_new_pack.EBWkdT/_new  2020-10-10 19:00:51.464379057 +0200
@@ -1,5 +1,5 @@
 mozilla-nss
-  requires "mozilla-nspr-<targettype> >= 4.25"
+  requires "mozilla-nspr-<targettype> >= 4.29"
   requires "libfreebl3-<targettype>"
   requires "libsoftokn3-<targettype>"
   requires "libnssckbi.so"



++++++ nss-3.56.tar.gz -> nss-3.57.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.56.tar.gz 
/work/SRC/openSUSE:Factory/.mozilla-nss.new.4249/nss-3.57.tar.gz differ: char 
5, line 1

++++++ nss-fips-aes-keywrap-post.patch ++++++
--- /var/tmp/diff_new_pack.EBWkdT/_old  2020-10-10 19:00:51.556379103 +0200
+++ /var/tmp/diff_new_pack.EBWkdT/_new  2020-10-10 19:00:51.556379103 +0200
@@ -3,7 +3,7 @@
 # Date 1589854460 -7200
 #      Tue May 19 04:14:20 2020 +0200
 # Node ID ce99bba6375432c55a73c1367f619dfef7c7e9fc
-# Parent  2b4f407fb1f8824fed4df9c4c3f15a2493e71677
+# Parent  2c820431829b3e5c7e161bd0bf73b48def9d3822
 commit e78f5a6a2124ce88002796d6aaefc6232f132526
 Author: Hans Petter Jansson <h...@cl.no>
     AES Keywrap POST.
@@ -11,7 +11,12 @@
 diff --git a/lib/freebl/fipsfreebl.c b/lib/freebl/fipsfreebl.c
 --- a/lib/freebl/fipsfreebl.c
 +++ b/lib/freebl/fipsfreebl.c
-@@ -110,6 +110,9 @@
+@@ -107,16 +107,19 @@ BOOL WINAPI DllMain(
+ #define FIPS_AES_BLOCK_SIZE 16     /* 128-bits */
+ #define FIPS_AES_ENCRYPT_LENGTH 16 /* 128-bits */
+ #define FIPS_AES_DECRYPT_LENGTH 16 /* 128-bits */
+ #define FIPS_AES_CMAC_LENGTH 16    /* 128-bits */
+ #define FIPS_AES_128_KEY_SIZE 16   /* 128-bits */
  #define FIPS_AES_192_KEY_SIZE 24   /* 192-bits */
  #define FIPS_AES_256_KEY_SIZE 32   /* 256-bits */
  
@@ -21,7 +26,17 @@
  /* FIPS preprocessor directives for message digests             */
  #define FIPS_KNOWN_HASH_MESSAGE_LENGTH 64 /* 512-bits */
  
-@@ -299,6 +302,9 @@
+ /* FIPS preprocessor directives for RSA.                         */
+ #define FIPS_RSA_TYPE siBuffer
+ #define FIPS_RSA_PUBLIC_EXPONENT_LENGTH 3    /*   24-bits */
+ #define FIPS_RSA_PRIVATE_VERSION_LENGTH 1    /*    8-bits */
+ #define FIPS_RSA_MESSAGE_LENGTH 256          /* 2048-bits */
+@@ -296,16 +299,19 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
+     static const PRUint8 aes_cbc_known_initialization_vector[] =
+         { "SecurityytiruceS" };
+ 
+     /* AES Known Plaintext (128-bits). (blocksize is 128-bits) */
+     static const PRUint8 aes_known_plaintext[] = { "NetscapeepacsteN" };
  
      static const PRUint8 aes_gcm_known_aad[] = { "MozillaallizoM" };
  
@@ -31,8 +46,18 @@
      /* AES Known Ciphertext (128-bit key). */
      static const PRUint8 aes_ecb128_known_ciphertext[] = {
          0x3c, 0xa5, 0x96, 0xf3, 0x34, 0x6a, 0x96, 0xc1,
-@@ -353,6 +359,25 @@
-         0xf4, 0xb0, 0xc1, 0x8c, 0x86, 0x51, 0xf5, 0xa1
+         0x03, 0x88, 0x16, 0x7b, 0x20, 0xbf, 0x35, 0x47
+     };
+ 
+     static const PRUint8 aes_cbc128_known_ciphertext[] = {
+         0xcf, 0x15, 0x1d, 0x4f, 0x96, 0xe4, 0x4f, 0x63,
+@@ -366,33 +372,56 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
+     };
+ 
+     static const PRUint8 aes_cmac256_known_ciphertext[] = {
+         0xc1, 0x26, 0x69, 0x32, 0x51, 0x13, 0x65, 0xac,
+         0x71, 0x23, 0xe4, 0xe7, 0xb9, 0x0c, 0x88, 0x9f
+ 
      };
  
 +    /* AES Keywrap Known Ciphertexts. */
@@ -57,10 +82,15 @@
      const PRUint8 *aes_ecb_known_ciphertext =
          (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_ecb128_known_ciphertext 
: (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_ecb192_known_ciphertext : 
aes_ecb256_known_ciphertext;
  
-@@ -362,10 +387,14 @@
+     const PRUint8 *aes_cbc_known_ciphertext =
+         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_cbc128_known_ciphertext 
: (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_cbc192_known_ciphertext : 
aes_cbc256_known_ciphertext;
+ 
      const PRUint8 *aes_gcm_known_ciphertext =
          (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_gcm128_known_ciphertext 
: (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_gcm192_known_ciphertext : 
aes_gcm256_known_ciphertext;
  
+     const PRUint8 *aes_cmac_known_ciphertext =
+         (aes_key_size == FIPS_AES_128_KEY_SIZE) ? 
aes_cmac128_known_ciphertext : (aes_key_size == FIPS_AES_192_KEY_SIZE) ? 
aes_cmac192_known_ciphertext : aes_cmac256_known_ciphertext;
+ 
 +    const PRUint8 *aes_keywrap_known_ciphertext =
 +        (aes_key_size == FIPS_AES_128_KEY_SIZE) ? aes_kw128_known_ciphertext 
: (aes_key_size == FIPS_AES_192_KEY_SIZE) ? aes_kw192_known_ciphertext : 
aes_kw256_known_ciphertext;
 +
@@ -68,11 +98,22 @@
      PRUint8 aes_computed_ciphertext[FIPS_AES_ENCRYPT_LENGTH * 2];
      PRUint8 aes_computed_plaintext[FIPS_AES_DECRYPT_LENGTH * 2];
      AESContext *aes_context;
+     CMACContext *cmac_context;
 +    AESKeyWrapContext *aes_keywrap_context;
      unsigned int aes_bytes_encrypted;
      unsigned int aes_bytes_decrypted;
      CK_NSS_GCM_PARAMS gcmParams;
-@@ -554,6 +583,52 @@
+     SECStatus aes_status;
+ 
+     /*check if aes_key_size is 128, 192, or 256 bits */
+     if ((aes_key_size != FIPS_AES_128_KEY_SIZE) &&
+         (aes_key_size != FIPS_AES_192_KEY_SIZE) &&
+@@ -609,16 +638,62 @@ freebl_fips_AES_PowerUpSelfTest(int aes_
+     if ((aes_status != SECSuccess) ||
+         (aes_bytes_encrypted != FIPS_AES_CMAC_LENGTH) ||
+         (PORT_Memcmp(aes_computed_ciphertext, aes_cmac_known_ciphertext,
+                      FIPS_AES_CMAC_LENGTH) != 0)) {
+         PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
          return (SECFailure);
      }
  
@@ -125,3 +166,8 @@
      return (SECSuccess);
  }
  
+ /* Known Hash Message (512-bits).  Used for all hashes (incl. SHA-N [N>1]). */
+ static const PRUint8 known_hash_message[] = {
+     "The test message for the MD2, MD5, and SHA-1 hashing algorithms."
+ };
+ 

++++++ nss-fips-constructor-self-tests.patch ++++++
++++ 838 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/mozilla-nss/nss-fips-constructor-self-tests.patch
++++ and 
/work/SRC/openSUSE:Factory/.mozilla-nss.new.4249/nss-fips-constructor-self-tests.patch

++++++ nss-opt.patch ++++++
--- /var/tmp/diff_new_pack.EBWkdT/_old  2020-10-10 19:00:51.640379145 +0200
+++ /var/tmp/diff_new_pack.EBWkdT/_new  2020-10-10 19:00:51.640379145 +0200
@@ -1,19 +1,8 @@
-# HG changeset patch
-# Parent  33317adf00d6bc6c3e3499e4b32fca6b899c4b77
-Index: security/coreconf/Linux.mk
-===================================================================
-RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
-retrieving revision 1.45.2.1
-
 diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk
+index 956f0e4..b3a352a 100644
 --- a/coreconf/Linux.mk
 +++ b/coreconf/Linux.mk
-@@ -102,21 +102,17 @@ endif
- endif
- 
- 
- ifneq ($(OS_TARGET),Android)
- LIBC_TAG              = _glibc
+@@ -108,11 +108,7 @@ LIBC_TAG          = _glibc
  endif
  
  ifdef BUILD_OPT
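Review bot: After this refresh nss-opt.patch starts directly at `diff --git` with no header at all, so the file no longer records where the change came from or why the package overrides the optimizer settings in `coreconf/Linux.mk`. For a crypto library, build-flag changes should be traceable; a one-line tag at the top, in the usual form `# PATCH-FIX-OPENSUSE nss-opt.patch -- <reason the BUILD_OPT flags are changed>`, would cover it. The body of the inner `ifdef BUILD_OPT` hunk is elided between the two outer hunks, so the exact flag change cannot be judged from here.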
@@ -26,8 +15,3 @@
  ifdef MOZ_DEBUG_SYMBOLS
        ifdef MOZ_DEBUG_FLAGS
                OPTIMIZER += $(MOZ_DEBUG_FLAGS)
-       else
-               OPTIMIZER += -gdwarf-2
-       endif
- endif
- endif

