Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package mozilla-nss for openSUSE:Factory
checked in at 2023-03-15 18:53:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
and /work/SRC/openSUSE:Factory/.mozilla-nss.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss"
Wed Mar 15 18:53:39 2023 rev:199 rq:1071795 version:3.88.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2023-02-16
16:55:04.346511363 +0100
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.31432/mozilla-nss.changes
2023-03-15 18:53:48.276159002 +0100
@@ -1,0 +2,40 @@
+Sat Mar 11 13:21:23 UTC 2023 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- update to NSS 3.88.1
+ * bmo#1804640 - improve handling of unknown PKCS#12 safe bag types
+- update to NSS 3.88
+ * bmo#1815870 - use a different treeherder symbol for each docker
+ image build task
+ * bmo#1815868 - pin an older version of the ubuntu:18.04 and
+ 20.04 docker images
+ * bmo#1810702 - remove nested table in rst doc
+ * bmo#1815246 - Export NSS_CMSSignerInfo_GetDigestAlgTag.
+ * bmo#1812671 - build failure while implicitly casting SECStatus
+ to PRUInt32
+ * bmo#1212915 - Add check for ClientHello SID max length
+ * bmo#1771100 - Added EarlyData ALPN test support to BoGo shim
+ * bmo#1790357 - ECH client - Discard resumption TLS < 1.3
+ Session(IDs|Tickets) if ECH configs are setup
+ * bmo#1714245 - On HRR skip PSK incompatible with negotiated
+ ciphersuites hash algorithm
+ * bmo#1789410 - ECH client: Send ech_required alert on server
+ negotiating TLS 1.2. Fixed misleading Gtest,
+ enabled corresponding BoGo test
+ * bmo#1771100 - Added Bogo ECH rejection test support
+ * bmo#1771100 - Added ECH 0Rtt support to BoGo shim
+ * bmo#1747957 - RSA OAEP Wycheproof JSON
+ * bmo#1747957 - RSA decrypt Wycheproof JSON
+ * bmo#1747957 - ECDSA Wycheproof JSON
+ * bmo#1747957 - ECDH Wycheproof JSON
+ * bmo#1747957 - PKCS#1v1.5 wycheproof json
+ * bmo#1747957 - Use X25519 wycheproof json
+ * bmo#1766767 - Move scripts to python3
+ * bmo#1809627 - Properly link FuzzingEngine for oss-fuzz.
+ * bmo#1805907 - Extending RSA-PSS bltest test coverage
+ (Adding SHA-256 and SHA-384)
+ * bmo#1804091 - NSS needs to move off of DSA for integrity checks
+ * bmo#1805815 - Add initial testing with ACVP vector sets using
+ acvp-rust
+ * bmo#1806369 - Don't clone libFuzzer, rely on clang instead
+
+-------------------------------------------------------------------
Old:
----
nss-3.87.tar.gz
New:
----
nss-3.88.1.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.484176066 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.488176087 +0100
@@ -17,14 +17,14 @@
#
-%global nss_softokn_fips_version 3.87
+%global nss_softokn_fips_version 3.88
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss
-Version: 3.87
+Version: 3.88.1
Release: 0
-%define underscore_version 3_87
+%define underscore_version 3_88_1
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
++++++ add-relro-linker-option.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.556176449 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.580176577 +0100
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
-@@ -183,6 +183,12 @@ endif
+@@ -184,6 +184,12 @@ endif
endif
endif
++++++ malloc.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.624176811 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.628176832 +0100
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/tests/ssl/ssl.sh
+++ nss/tests/ssl/ssl.sh
-@@ -1683,6 +1683,7 @@ ssl_run_tests()
+@@ -1696,6 +1696,7 @@ ssl_run_tests()
################################# main #################################
++++++ nss-3.87.tar.gz -> nss-3.88.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.87.tar.gz
/work/SRC/openSUSE:Factory/.mozilla-nss.new.31432/nss-3.88.1.tar.gz differ:
char 5, line 1
++++++ nss-fips-180-3-csp-clearing.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.680177109 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.684177130 +0100
@@ -29,7 +29,7 @@
===================================================================
--- nss.orig/lib/softoken/sftkpwd.c
+++ nss/lib/softoken/sftkpwd.c
-@@ -1439,7 +1439,7 @@ loser:
+@@ -1459,7 +1459,7 @@ loser:
PORT_ZFree(newKey.data, newKey.len);
}
if (result) {
++++++ nss-fips-approved-crypto-non-ec.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.696177194 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.700177215 +0100
@@ -440,7 +440,7 @@
===================================================================
--- nss.orig/lib/freebl/nsslowhash.c
+++ nss/lib/freebl/nsslowhash.c
-@@ -12,6 +12,7 @@
+@@ -13,6 +13,7 @@
#include "plhash.h"
#include "nsslowhash.h"
#include "blapii.h"
@@ -448,7 +448,7 @@
struct NSSLOWInitContextStr {
int count;
-@@ -92,6 +93,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
+@@ -99,6 +100,12 @@ NSSLOWHASH_NewContext(NSSLOWInitContext
{
NSSLOWHASHContext *context;
@@ -487,7 +487,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -7491,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7495,7 +7495,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
} else {
/* now allocate the hash contexts */
md5 = MD5_NewContext();
++++++ nss-fips-cavs-dsa-fixes.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.712177279 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.716177301 +0100
@@ -10,10 +10,11 @@
nss/cmd/fipstest/fipstest.c | 112 ++++++++++++++++++++++++++++++++----
1 file changed, 101 insertions(+), 11 deletions(-)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
---- a/cmd/fipstest/fipstest.c
-+++ b/cmd/fipstest/fipstest.c
-@@ -5576,7 +5576,7 @@
+Index: nss/cmd/fipstest/fipstest.c
+===================================================================
+--- nss.orig/cmd/fipstest/fipstest.c
++++ nss/cmd/fipstest/fipstest.c
+@@ -5575,7 +5575,7 @@ loser:
void
dsa_pqggen_test(char *reqfn)
{
@@ -22,7 +23,7 @@
* or to the output RESPONSE file.
* 800 to hold seed = (384 public key (x2 for HEX)
*/
-@@ -5592,6 +5592,13 @@
+@@ -5591,6 +5591,13 @@ dsa_pqggen_test(char *reqfn)
PQGVerify *vfy = NULL;
unsigned int keySizeIndex = 0;
dsa_pqg_type type = FIPS186_1;
@@ -36,7 +37,7 @@
dsareq = fopen(reqfn, "r");
dsaresp = stdout;
-@@ -5612,8 +5619,8 @@
+@@ -5611,8 +5618,8 @@ dsa_pqggen_test(char *reqfn)
output_g = 1;
exit(1);
} else if (strncmp(&buf[1], "A.2.3", 5) == 0) {
@@ -47,7 +48,7 @@
} else if (strncmp(&buf[1], "A.1.2.1", 7) == 0) {
type = A_1_2_1;
output_g = 0;
-@@ -5627,14 +5634,17 @@
+@@ -5626,14 +5633,17 @@ dsa_pqggen_test(char *reqfn)
/* [Mod = ... ] */
if (buf[0] == '[') {
@@ -59,15 +60,14 @@
goto loser;
}
- } else if (sscanf(buf, "[mod = L=%d, N=%d", &L, &N) != 2) {
-- goto loser;
+ } else if (sscanf(buf, "[mod = L=%d, N=%d, SHA-%d", &L, &N,
&hashbits) != 3) {
-+ goto loser;
+ goto loser;
+ } else {
+ hashtype = sha_get_hashType (hashbits);
}
fputs(buf, dsaresp);
-@@ -5656,7 +5666,7 @@
+@@ -5655,7 +5665,7 @@ dsa_pqggen_test(char *reqfn)
continue;
}
/* N = ... */
@@ -76,7 +76,7 @@
if (strncmp(buf, "Num", 3) == 0) {
if (sscanf(buf, "Num = %d", &count) != 1) {
goto loser;
-@@ -5671,7 +5681,10 @@
+@@ -5670,7 +5680,10 @@ dsa_pqggen_test(char *reqfn)
rv = PQG_ParamGenSeedLen(keySizeIndex,
PQG_TEST_SEED_BYTES,
&pqg, &vfy);
} else {
@@ -88,7 +88,7 @@
}
if (rv != SECSuccess) {
fprintf(dsaresp,
-@@ -5682,6 +5695,10 @@
+@@ -5681,6 +5694,10 @@ dsa_pqggen_test(char *reqfn)
fprintf(dsaresp, "P = %s\n", buf);
to_hex_str(buf, pqg->subPrime.data, pqg->subPrime.len);
fprintf(dsaresp, "Q = %s\n", buf);
@@ -99,7 +99,7 @@
if (output_g) {
to_hex_str(buf, pqg->base.data, pqg->base.len);
fprintf(dsaresp, "G = %s\n", buf);
-@@ -5697,13 +5714,13 @@
+@@ -5696,13 +5713,13 @@ dsa_pqggen_test(char *reqfn)
}
fprintf(dsaresp, "%s\n", buf);
} else {
@@ -118,11 +118,10 @@
fprintf(dsaresp, "qseed = %s\n", buf);
fprintf(dsaresp, "pgen_counter = %d\n", pgen_counter);
fprintf(dsaresp, "qgen_counter = %d\n", qgen_counter);
-@@ -5723,12 +5740,85 @@
+@@ -5722,12 +5739,85 @@ dsa_pqggen_test(char *reqfn)
vfy = NULL;
}
}
--
+ continue;
+ }
+
@@ -180,7 +179,7 @@
+
+ to_hex_str(buf, pqg->base.data, pqg->base.len);
+ fprintf(dsaresp, "G = %s\n\n", buf);
-+
+
+ PQG_DestroyParams(pqg);
+ pqg = NULL;
+ PQG_DestroyVerify(vfy);
++++++ nss-fips-cavs-general.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.728177364 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.728177364 +0100
@@ -102,7 +102,7 @@
SECStatus
tdea_encrypt_buf(
int mode,
-@@ -8930,41 +8994,6 @@ out:
+@@ -8915,41 +8979,6 @@ out:
}
}
@@ -144,7 +144,7 @@
void
kas_ffc_test(char *reqfn, int do_validity)
{
-@@ -9387,12 +9416,34 @@ out:
+@@ -9372,12 +9401,34 @@ out:
free_param_specs (pspecs);
}
++++++ nss-fips-cavs-kas-ecc.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.740177428 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.744177449 +0100
@@ -11,10 +11,11 @@
nss/cmd/fipstest/kas.sh | 22 +++
2 files changed, 326 insertions(+)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
---- a/cmd/fipstest/fipstest.c
-+++ b/cmd/fipstest/fipstest.c
-@@ -9092,6 +9092,301 @@
+Index: nss/cmd/fipstest/fipstest.c
+===================================================================
+--- nss.orig/cmd/fipstest/fipstest.c
++++ nss/cmd/fipstest/fipstest.c
+@@ -9077,6 +9077,301 @@ out:
}
}
@@ -316,7 +317,7 @@
int
main(int argc, char **argv)
{
-@@ -9287,6 +9582,15 @@
+@@ -9272,6 +9567,15 @@ main(int argc, char **argv)
} else {
kas_ffc_test(argv[3], PR_FALSE);
}
@@ -332,10 +333,11 @@
}
return 0;
}
-diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
---- a/cmd/fipstest/kas.sh
-+++ b/cmd/fipstest/kas.sh
-@@ -27,6 +27,16 @@
+Index: nss/cmd/fipstest/kas.sh
+===================================================================
+--- nss.orig/cmd/fipstest/kas.sh
++++ nss/cmd/fipstest/kas.sh
+@@ -27,6 +27,16 @@ KASValidityTest_FFCEphem_NOKC_ZZOnly_ini
KASValidityTest_FFCEphem_NOKC_ZZOnly_resp.req
"
@@ -352,7 +354,7 @@
if [ ${COMMAND} = "verify" ]; then
for request in $kas_requests; do
sh ./validate1.sh ${TESTDIR} $request
-@@ -45,3 +55,15 @@
+@@ -45,3 +55,15 @@ for request in $kas_requests_ffc_validit
echo $request $response
fipstest kasffc validity ${REQDIR}/$request > ${RSPDIR}/$response
done
++++++ nss-fips-cavs-kas-ffc.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.756177513 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.776177620 +0100
@@ -12,10 +12,11 @@
2 files changed, 241 insertions(+)
create mode 100644 nss/cmd/fipstest/kas.sh
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
---- a/cmd/fipstest/fipstest.c
-+++ b/cmd/fipstest/fipstest.c
-@@ -2258,6 +2258,29 @@
+Index: nss/cmd/fipstest/fipstest.c
+===================================================================
+--- nss.orig/cmd/fipstest/fipstest.c
++++ nss/cmd/fipstest/fipstest.c
+@@ -2257,6 +2257,29 @@ fips_hashBuf(HASH_HashType type, unsigne
return rv;
}
@@ -45,7 +46,7 @@
int
fips_hashLen(HASH_HashType type)
{
-@@ -8907,6 +8930,168 @@
+@@ -8892,6 +8915,168 @@ out:
}
}
@@ -214,7 +215,7 @@
int
main(int argc, char **argv)
{
-@@ -9093,6 +9278,15 @@
+@@ -9078,6 +9263,15 @@ main(int argc, char **argv)
/* AES Keywrap */
/***************/
keywrap(argv[2]);
@@ -230,10 +231,10 @@
}
return 0;
}
-diff --git a/cmd/fipstest/kas.sh b/cmd/fipstest/kas.sh
-new file mode 100644
+Index: nss/cmd/fipstest/kas.sh
+===================================================================
--- /dev/null
-+++ b/cmd/fipstest/kas.sh
++++ nss/cmd/fipstest/kas.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+#
++++++ nss-fips-cavs-keywrap.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.792177704 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.792177704 +0100
@@ -12,10 +12,11 @@
2 files changed, 200 insertions(+)
create mode 100644 nss/cmd/fipstest/keywrap.sh
-diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/fipstest.c
---- a/cmd/fipstest/fipstest.c Sun Mar 15 21:54:30 2020 +0100
-+++ b/cmd/fipstest/fipstest.c Wed Nov 20 08:13:43 2019 +0100
-@@ -8752,6 +8752,161 @@
+Index: nss/cmd/fipstest/fipstest.c
+===================================================================
+--- nss.orig/cmd/fipstest/fipstest.c
++++ nss/cmd/fipstest/fipstest.c
+@@ -8737,6 +8737,161 @@ done:
return;
}
@@ -177,7 +178,7 @@
int
main(int argc, char **argv)
{
-@@ -8933,6 +9088,11 @@
+@@ -8918,6 +9073,11 @@ main(int argc, char **argv)
ikev2(argv[2]);
} else if (strcmp(argv[1], "kbkdf") == 0) {
kbkdf(argv[2]);
@@ -189,9 +190,10 @@
}
return 0;
}
-diff -r 2f570c6952d8 -r 5d6e015d1af4 cmd/fipstest/keywrap.sh
---- /dev/null Thu Jan 01 00:00:00 1970 +0000
-+++ b/cmd/fipstest/keywrap.sh Wed Nov 20 08:13:43 2019 +0100
+Index: nss/cmd/fipstest/keywrap.sh
+===================================================================
+--- /dev/null
++++ nss/cmd/fipstest/keywrap.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#
++++++ nss-fips-cavs-rsa-fixes.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.804177768 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.808177790 +0100
@@ -10,10 +10,11 @@
nss/cmd/fipstest/fipstest.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/cmd/fipstest/fipstest.c b/cmd/fipstest/fipstest.c
---- a/cmd/fipstest/fipstest.c
-+++ b/cmd/fipstest/fipstest.c
-@@ -6536,7 +6536,7 @@
+Index: nss/cmd/fipstest/fipstest.c
+===================================================================
+--- nss.orig/cmd/fipstest/fipstest.c
++++ nss/cmd/fipstest/fipstest.c
+@@ -6535,7 +6535,7 @@ rsa_siggen_test(char *reqfn)
/* Output the signature */
fputs(buf, rsaresp);
to_hex_str(buf, rsa_computed_signature, rsa_bytes_signed);
@@ -22,7 +23,7 @@
/* Perform RSA verification with the RSA public key. */
rv = RSA_HashCheckSign(shaOid,
-@@ -9536,6 +9536,7 @@
+@@ -9521,6 +9521,7 @@ main(int argc, char **argv)
init_functions();
RNG_RNGInit();
SECOID_Init();
++++++ nss-fips-combined-hash-sign-dsa-ecdsa.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.816177832 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.820177854 +0100
@@ -42,7 +42,7 @@
===================================================================
--- nss.orig/lib/pk11wrap/pk11mech.c
+++ nss/lib/pk11wrap/pk11mech.c
-@@ -376,6 +376,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -375,6 +375,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
return CKK_RSA;
case CKM_DSA:
case CKM_DSA_SHA1:
@@ -53,7 +53,7 @@
case CKM_DSA_KEY_PAIR_GEN:
return CKK_DSA;
case CKM_DH_PKCS_DERIVE:
-@@ -386,6 +390,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
+@@ -385,6 +389,10 @@ PK11_GetKeyType(CK_MECHANISM_TYPE type,
return CKK_KEA;
case CKM_ECDSA:
case CKM_ECDSA_SHA1:
@@ -68,7 +68,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -2675,7 +2675,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
+@@ -2679,7 +2679,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig
static SECStatus
nsc_DSA_Sign_Stub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@@ -77,7 +77,7 @@
{
SECItem signature, digest;
SECStatus rv;
-@@ -2693,6 +2693,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
+@@ -2697,6 +2697,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
return rv;
}
@@ -100,7 +100,7 @@
static SECStatus
nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
void *dataBuf, unsigned int dataLen)
-@@ -2710,7 +2726,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
+@@ -2714,7 +2730,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig
static SECStatus
nsc_ECDSASignStub(void *ctx, void *sigBuf,
unsigned int *sigLen, unsigned int maxSigLen,
@@ -109,7 +109,7 @@
{
SECItem signature, digest;
SECStatus rv;
-@@ -2728,6 +2744,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
+@@ -2732,6 +2748,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
return rv;
}
@@ -132,7 +132,7 @@
/* NSC_SignInit setups up the signing operations. There are three basic
* types of signing:
* (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
-@@ -3597,6 +3629,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
+@@ -3601,6 +3633,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
info->hashOid = SEC_OID_##mmm; \
goto finish_rsa;
@@ -155,7 +155,7 @@
switch (pMechanism->mechanism) {
INIT_RSA_VFY_MECH(MD5)
INIT_RSA_VFY_MECH(MD2)
-@@ -4825,6 +4873,73 @@ loser:
+@@ -4829,6 +4877,73 @@ loser:
#define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */
#define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */
@@ -229,7 +229,7 @@
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
*
-@@ -4878,8 +4993,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -4882,8 +4997,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
/* Variables used for Signature/Verification functions. */
/* Must be at least 256 bits for DSA2 digest */
@@ -238,7 +238,7 @@
CK_ULONG signature_length;
if (keyType == CKK_RSA) {
-@@ -5033,76 +5146,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
+@@ -5037,76 +5150,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
}
}
++++++ nss-fips-constructor-self-tests.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.832177918 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.836177938 +0100
@@ -21,8 +21,8 @@
===================================================================
--- nss.orig/cmd/shlibsign/shlibsign.c
+++ nss/cmd/shlibsign/shlibsign.c
-@@ -946,10 +946,12 @@ main(int argc, char **argv)
- goto cleanup;
+@@ -814,10 +814,12 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
+ return crv;
}
- if ((keySize == 0) && mechInfo.ulMaxKeySize >= 2048) {
@@ -839,7 +839,7 @@
$(NULL)
MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h
mp_gf2m.h
-@@ -186,6 +187,7 @@ ALL_HDRS = \
+@@ -187,6 +188,7 @@ ALL_HDRS = \
shsign.h \
vis_proto.h \
seed.h \
@@ -851,7 +851,7 @@
===================================================================
--- nss.orig/lib/freebl/shvfy.c
+++ nss/lib/freebl/shvfy.c
-@@ -22,6 +22,8 @@
+@@ -23,6 +23,8 @@
#ifndef NSS_FIPS_DISABLED
@@ -860,7 +860,7 @@
/*
* Most modern version of Linux support a speed optimization scheme where an
* application called prelink modifies programs and shared libraries to
quickly
-@@ -231,8 +233,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
+@@ -232,8 +234,6 @@ bl_CloseUnPrelink(PRFileDesc *file, int
}
#endif
@@ -869,7 +869,7 @@
static char *
mkCheckFileName(const char *libName)
{
-@@ -287,19 +287,19 @@ readItem(PRFileDesc *fd, SECItem *item)
+@@ -288,19 +288,19 @@ readItem(PRFileDesc *fd, SECItem *item)
return SECSuccess;
}
@@ -893,7 +893,7 @@
loser:
if (shName != NULL) {
-@@ -310,19 +310,19 @@ loser:
+@@ -311,15 +311,15 @@ loser:
}
PRBool
@@ -912,96 +912,84 @@
+ return blapi_SHVerifyFile(shName, PR_FALSE, err);
}
- static PRBool
--blapi_SHVerifyFile(const char *shName, PRBool self)
-+blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
- {
- char *checkName = NULL;
- PRFileDesc *checkFD = NULL;
-@@ -340,7 +340,7 @@ blapi_SHVerifyFile(const char *shName, P
- #endif
-
- PRBool result = PR_FALSE; /* if anything goes wrong,
-- * the signature does not verify */
-+ * the signature does not verify */
- unsigned char buf[4096];
- unsigned char hashBuf[HASH_LENGTH_MAX];
+ #ifndef NSS_STRICT_INTEGRITY
+@@ -421,7 +421,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
+ }
-@@ -367,14 +367,17 @@ blapi_SHVerifyFile(const char *shName, P
- /* open the check File */
- checkFD = PR_Open(checkName, PR_RDONLY, 0);
- if (checkFD == NULL) {
-+ if (err) {
-+ *err = PORT_GetError();
-+ }
+ static PRBool
+- blapi_SHVerifyFile(const char *shName, PRBool self)
++ blapi_SHVerifyFile(const char *shName, PRBool self, int *err)
+ {
+ char *checkName = NULL;
+ PRFileDesc *checkFD = NULL;
+@@ -462,14 +462,17 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
+ /* open the check File */
+ checkFD = PR_Open(checkName, PR_RDONLY, 0);
+ if (checkFD == NULL) {
++ if (err) {
++ *err = PORT_GetError();
++ }
#ifdef DEBUG_SHVERIFY
-- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
-- checkName, (int)PR_GetError(), (int)PR_GetOSError());
-+ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
-+ checkName, (int)PORT_GetError());
+- fprintf(stderr, "Failed to open the check file %s: (%d, %d)\n",
+- checkName, (int)PR_GetError(), (int)PR_GetOSError());
++ fprintf(stderr, "Failed to open the check file %s: (%d)\n",
++ checkName, (int)PR_GetError());
#endif /* DEBUG_SHVERIFY */
- goto loser;
- }
+ goto loser;
+ }
-- /* read and Verify the headerthe header */
-+ /* read and Verify the header */
- bytesRead = PR_Read(checkFD, buf, 12);
- if (bytesRead != 12) {
- goto loser;
-@@ -415,7 +418,8 @@ blapi_SHVerifyFile(const char *shName, P
- if (rv != SECSuccess) {
- goto loser;
- }
-- /* read the siganture */
-+
-+ /* read the signature */
- rv = readItem(checkFD, &signature);
- if (rv != SECSuccess) {
- goto loser;
-@@ -430,7 +434,7 @@ blapi_SHVerifyFile(const char *shName, P
- goto loser;
- }
+- /* read and Verify the headerthe header */
++ /* read and Verify the header */
+ bytesRead = PR_Read(checkFD, &header, sizeof(header));
+ if (bytesRead != sizeof(header)) {
+ goto loser;
+@@ -550,7 +553,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
+ goto loser;
+ }
-/* open our library file */
+ /* open our library file */
#ifdef FREEBL_USE_PRELINK
- shFD = bl_OpenUnPrelink(shName, &pid);
+ shFD = bl_OpenUnPrelink(shName, &pid);
#else
-@@ -438,13 +442,13 @@ blapi_SHVerifyFile(const char *shName, P
+@@ -558,8 +561,8 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
#endif
- if (shFD == NULL) {
+ if (shFD == NULL) {
#ifdef DEBUG_SHVERIFY
-- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
-- shName, (int)PR_GetError(), (int)PR_GetOSError());
-+ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
-+ shName, (int)PORT_GetError());
+- fprintf(stderr, "Failed to open the library file %s: (%d, %d)\n",
+- shName, (int)PR_GetError(), (int)PR_GetOSError());
++ fprintf(stderr, "Failed to open the library file %s: (%d)\n",
++ shName, (int)PR_GetError());
#endif /* DEBUG_SHVERIFY */
- goto loser;
+ goto loser;
+ }
+@@ -620,7 +623,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
}
-- /* hash our library file with SHA1 */
-+ /* hash our library file */
- hashcx = hashObj->create();
- if (hashcx == NULL) {
- goto loser;
-@@ -531,7 +535,7 @@ loser:
- }
+ PRBool
+- BLAPI_VerifySelf(const char *name)
++ BLAPI_VerifySelf(const char *name, int *err)
+ {
+ if (name == NULL) {
+ /*
+@@ -629,7 +632,7 @@ blapi_SHVerifyHMACCheck(PRFileDesc *shFD
+ */
+ return PR_TRUE;
+ }
+- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
++ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
+ }
+ #else /* NSS_FIPS_DISABLED */
+@@ -645,7 +648,7 @@ BLAPI_SHVerify(const char *name, PRFuncP
+ return PR_FALSE;
+ }
PRBool
-BLAPI_VerifySelf(const char *name)
+BLAPI_VerifySelf(const char *name, int *err)
{
- if (name == NULL) {
- /*
-@@ -540,7 +544,7 @@ BLAPI_VerifySelf(const char *name)
- */
- return PR_TRUE;
- }
-- return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE);
-+ return blapi_SHVerify(name, (PRFuncPtr)decodeInt, PR_TRUE, err);
+ return PR_FALSE;
}
-
- #else /* NSS_FIPS_DISABLED */
Index: nss/lib/softoken/fips.c
===================================================================
--- /dev/null
@@ -1066,7 +1054,7 @@
===================================================================
--- nss.orig/lib/softoken/fipstest.c
+++ nss/lib/softoken/fipstest.c
-@@ -682,6 +682,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
+@@ -683,6 +683,327 @@ sftk_fips_HKDF_PowerUpSelfTest(void)
return (SECSuccess);
}
@@ -1394,7 +1382,7 @@
static PRBool sftk_self_tests_ran = PR_FALSE;
static PRBool sftk_self_tests_success = PR_FALSE;
-@@ -693,7 +1014,6 @@ static void
+@@ -694,7 +1015,6 @@ static void
sftk_startup_tests(void)
{
SECStatus rv;
@@ -1402,7 +1390,7 @@
PORT_Assert(!sftk_self_tests_ran);
PORT_Assert(!sftk_self_tests_success);
-@@ -705,6 +1025,7 @@ sftk_startup_tests(void)
+@@ -706,6 +1026,7 @@ sftk_startup_tests(void)
if (rv != SECSuccess) {
return;
}
@@ -1410,7 +1398,7 @@
/* make sure freebl is initialized, or our RSA check
* may fail. This is normally done at freebl load time, but it's
* possible we may have shut freebl down without unloading it. */
-@@ -722,12 +1043,21 @@ sftk_startup_tests(void)
+@@ -723,12 +1044,21 @@ sftk_startup_tests(void)
if (rv != SECSuccess) {
return;
}
@@ -1436,7 +1424,7 @@
rv = sftk_fips_IKE_PowerUpSelfTests();
if (rv != SECSuccess) {
return;
-@@ -759,17 +1089,11 @@ sftk_startup_tests(void)
+@@ -760,17 +1090,11 @@ sftk_startup_tests(void)
CK_RV
sftk_FIPSEntryOK()
{
@@ -1500,7 +1488,7 @@
===================================================================
--- nss.orig/lib/softoken/legacydb/lgfips.c
+++ nss/lib/softoken/legacydb/lgfips.c
-@@ -90,7 +90,7 @@ lg_startup_tests(void)
+@@ -91,7 +91,7 @@ lg_startup_tests(void)
/* no self tests required for the legacy db, only the integrity check */
/* check the integrity of our shared library */
++++++ nss-fips-detect-fips-mode-fixes.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.848178002 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.848178002 +0100
@@ -8,10 +8,11 @@
Author: Hans Petter Jansson <h...@cl.no>
Patch 32: nss-fips-detect-fips-mode-fixes.patch
-diff --git a/lib/freebl/nsslowhash.c b/lib/freebl/nsslowhash.c
---- a/lib/freebl/nsslowhash.c
-+++ b/lib/freebl/nsslowhash.c
-@@ -2,10 +2,15 @@
+Index: nss/lib/freebl/nsslowhash.c
+===================================================================
+--- nss.orig/lib/freebl/nsslowhash.c
++++ nss/lib/freebl/nsslowhash.c
+@@ -2,6 +2,9 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
@@ -21,13 +22,7 @@
#ifdef FREEBL_NO_DEPEND
#include "stubs.h"
#endif
-+
- #include "prtypes.h"
-+#include "prenv.h"
- #include "secerr.h"
- #include "blapi.h"
- #include "hasht.h"
-@@ -24,6 +29,23 @@
+@@ -25,6 +28,23 @@ struct NSSLOWHASHContextStr {
};
#ifndef NSS_FIPS_DISABLED
@@ -51,7 +46,7 @@
static int
nsslow_GetFIPSEnabled(void)
{
-@@ -45,6 +67,7 @@
+@@ -52,6 +72,7 @@ nsslow_GetFIPSEnabled(void)
#endif /* LINUX */
return 1;
}
@@ -59,7 +54,7 @@
#endif /* NSS_FIPS_DISABLED */
static NSSLOWInitContext dummyContext = { 0 };
-@@ -60,7 +83,7 @@
+@@ -67,7 +88,7 @@ NSSLOW_Init(void)
#ifndef NSS_FIPS_DISABLED
/* make sure the FIPS product is installed if we are trying to
* go into FIPS mode */
@@ -68,10 +63,11 @@
if (BL_FIPSEntryOK(PR_TRUE) != SECSuccess) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
post_failed = PR_TRUE;
-diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c
---- a/lib/sysinit/nsssysinit.c
-+++ b/lib/sysinit/nsssysinit.c
-@@ -178,16 +178,16 @@
+Index: nss/lib/sysinit/nsssysinit.c
+===================================================================
+--- nss.orig/lib/sysinit/nsssysinit.c
++++ nss/lib/sysinit/nsssysinit.c
+@@ -178,16 +178,16 @@ getFIPSMode(void)
f = fopen("/proc/sys/crypto/fips_enabled", "r");
if (!f) {
/* if we don't have a proc flag, fall back to the
++++++ nss-fips-dsa-kat.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.860178066 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.864178087 +0100
@@ -28,7 +28,7 @@
===================================================================
--- nss.orig/lib/freebl/fipsfreebl.c
+++ nss/lib/freebl/fipsfreebl.c
-@@ -126,11 +126,11 @@ BOOL WINAPI DllMain(
+@@ -127,11 +127,11 @@ DllMain(
/* FIPS preprocessor directives for DSA. */
#define FIPS_DSA_TYPE siBuffer
++++++ nss-fips-gcm-ctr.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.876178151 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.880178172 +0100
@@ -14,7 +14,7 @@
===================================================================
--- nss.orig/lib/freebl/gcm.c
+++ nss/lib/freebl/gcm.c
-@@ -532,8 +532,14 @@ struct GCMContextStr {
+@@ -535,8 +535,14 @@ struct GCMContextStr {
unsigned char tagKey[MAX_BLOCK_SIZE];
PRBool ctr_context_init;
gcmIVContext gcm_iv;
@@ -29,7 +29,7 @@
SECStatus gcm_InitCounter(GCMContext *gcm, const unsigned char *iv,
unsigned int ivLen, unsigned int tagBits,
const unsigned char *aad, unsigned int aadLen);
-@@ -673,6 +679,8 @@ gcm_InitCounter(GCMContext *gcm, const u
+@@ -676,6 +682,8 @@ gcm_InitCounter(GCMContext *gcm, const u
goto loser;
}
@@ -38,7 +38,7 @@
/* finally mix in the AAD data */
rv = gcmHash_Reset(ghash, aad, aadLen);
if (rv != SECSuccess) {
-@@ -774,6 +782,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -777,6 +785,13 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
return SECFailure;
}
@@ -52,7 +52,7 @@
tagBytes = (gcm->tagBits + (PR_BITS_PER_BYTE - 1)) / PR_BITS_PER_BYTE;
if (UINT_MAX - inlen < tagBytes) {
PORT_SetError(SEC_ERROR_INPUT_LEN);
-@@ -802,6 +817,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
+@@ -805,6 +820,7 @@ GCM_EncryptUpdate(GCMContext *gcm, unsig
*outlen = 0;
return SECFailure;
};
++++++ nss-fips-pairwise-consistency-check.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.888178215 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.892178237 +0100
@@ -14,7 +14,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -4822,8 +4822,8 @@ loser:
+@@ -4826,8 +4826,8 @@ loser:
return crv;
}
@@ -25,7 +25,7 @@
/*
* FIPS 140-2 pairwise consistency check utilized to validate key pair.
-@@ -5771,6 +5771,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+@@ -5775,6 +5775,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
(PRUint32)crv);
sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST,
msg);
}
++++++ nss-fips-stricter-dh.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.912178343 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.916178364 +0100
@@ -4,15 +4,11 @@
Patch 38: nss-fips-stricter-dh.patch
-diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
---- a/lib/freebl/dh.c
-+++ b/lib/freebl/dh.c
-@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
- cleanup:
- mp_clear(&p);
- return err ? PR_FALSE : PR_TRUE;
- }
-
+Index: nss/lib/freebl/dh.c
+===================================================================
+--- nss.orig/lib/freebl/dh.c
++++ nss/lib/freebl/dh.c
+@@ -449,7 +449,7 @@ cleanup:
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{
@@ -21,10 +17,7 @@
mp_err err;
int cmp = 1; /* default is false */
if (!Y || !prime || !subPrime) {
- PORT_SetError(SEC_ERROR_INVALID_ARGS);
- return SECFailure;
- }
- MP_DIGITS(&p) = 0;
+@@ -460,13 +460,24 @@ KEA_Verify(SECItem *Y, SECItem *prime, S
MP_DIGITS(&q) = 0;
MP_DIGITS(&y) = 0;
MP_DIGITS(&r) = 0;
@@ -49,9 +42,7 @@
/* compute r = y**q mod p */
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
/* compare to 1 */
- cmp = mp_cmp_d(&r, 1);
- cleanup:
- mp_clear(&p);
+@@ -476,6 +487,7 @@ cleanup:
mp_clear(&q);
mp_clear(&y);
mp_clear(&r);
@@ -59,7 +50,4 @@
if (err) {
MP_TO_SEC_ERROR(err);
return PR_FALSE;
- }
- return (cmp == 0) ? PR_TRUE : PR_FALSE;
- }
++++++ nss-fips-tests-enable-fips.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.928178428 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.932178449 +0100
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/tests/cert/cert.sh
+++ nss/tests/cert/cert.sh
-@@ -1353,6 +1353,11 @@ cert_stresscerts()
+@@ -1350,6 +1350,11 @@ cert_stresscerts()
##############################################################################
cert_fips()
{
@@ -14,7 +14,7 @@
CERTFAILED=0
echo "$SCRIPTNAME: Creating FIPS 140 DSA Certificates =============="
cert_init_cert "${FIPSDIR}" "FIPS PUB 140 Test Certificate" 1000 "${D_FIPS}"
-@@ -1393,6 +1398,8 @@ MODSCRIPT
+@@ -1390,6 +1395,8 @@ MODSCRIPT
cert_log "SUCCESS: FIPS passed"
fi
++++++ nss-fips-tls-allow-md5-prf.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.948178535 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.948178535 +0100
@@ -250,7 +250,7 @@
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
-@@ -7158,7 +7158,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7162,7 +7162,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
SFTKAttribute *att2 = NULL;
unsigned char *buf;
SHA1Context *sha;
@@ -259,7 +259,7 @@
MD2Context *md2;
CK_ULONG macSize;
CK_ULONG tmpKeySize;
-@@ -7698,7 +7698,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+@@ -7702,7 +7702,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
}
sftk_FreeAttribute(att2);
md5 = MD5_NewContext();
++++++ nss-fips-use-getrandom.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.960178598 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.964178619 +0100
@@ -12,7 +12,7 @@
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
-@@ -189,6 +189,18 @@ DSO_LDOPTS+=-Wl,-z,relro
+@@ -190,6 +190,18 @@ DSO_LDOPTS+=-Wl,-z,relro
LDFLAGS += -Wl,-z,relro
endif
@@ -90,7 +90,7 @@
size_t RNG_FileUpdate(const char *fileName, size_t limit);
/*
-@@ -862,6 +903,26 @@ ReadFileOK(char *dir, char *file)
+@@ -775,6 +816,26 @@ ReadFileOK(char *dir, char *file)
size_t
RNG_SystemRNG(void *dest, size_t maxLen)
{
@@ -117,7 +117,7 @@
FILE *file;
int fd;
int bytes;
-@@ -895,4 +956,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
+@@ -808,4 +869,5 @@ RNG_SystemRNG(void *dest, size_t maxLen)
fileBytes = 0;
}
return fileBytes;
++++++ nss-fips-use-strong-random-pool.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:51.972178662 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:51.992178768 +0100
@@ -10,9 +10,10 @@
nss/lib/freebl/unix_rand.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
-diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
---- a/lib/freebl/unix_rand.c
-+++ b/lib/freebl/unix_rand.c
+Index: nss/lib/freebl/unix_rand.c
+===================================================================
+--- nss.orig/lib/freebl/unix_rand.c
++++ nss/lib/freebl/unix_rand.c
@@ -24,6 +24,7 @@
#include "prthread.h"
#include "prprf.h"
@@ -21,7 +22,7 @@
#ifdef NSS_USE_GETRANDOM
# ifndef __NR_getrandom
-@@ -779,7 +780,7 @@
+@@ -692,7 +693,7 @@ RNG_SystemInfoForRNG(void)
}
/* grab some data from system's PRNG before any other files. */
@@ -30,7 +31,7 @@
if (!bytes) {
PORT_SetError(SEC_ERROR_NEED_RANDOM);
}
-@@ -909,7 +910,8 @@
+@@ -822,7 +823,8 @@ RNG_SystemRNG(void *dest, size_t maxLen)
int ret;
do {
@@ -40,7 +41,7 @@
if (0 < ret)
inBytes += ret;
-@@ -929,7 +931,7 @@
+@@ -842,7 +844,7 @@ RNG_SystemRNG(void *dest, size_t maxLen)
size_t fileBytes = 0;
unsigned char *buffer = dest;
++++++ nss-fips-zeroization.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:52.008178854 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:52.008178854 +0100
@@ -92,7 +92,7 @@
===================================================================
--- nss.orig/lib/freebl/dh.c
+++ nss/lib/freebl/dh.c
-@@ -193,6 +193,10 @@ cleanup:
+@@ -192,6 +192,10 @@ cleanup:
rv = SECFailure;
}
if (rv) {
@@ -107,7 +107,7 @@
===================================================================
--- nss.orig/lib/freebl/ec.c
+++ nss/lib/freebl/ec.c
-@@ -943,7 +943,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
+@@ -974,7 +974,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
ECParams *ecParams = NULL;
SECItem pointC = { siBuffer, NULL, 0 };
int slen; /* length in bytes of a half signature (r or s) */
@@ -175,7 +175,7 @@
return SECSuccess;
}
#endif /* HAVE_INT128_SUPPORT */
-@@ -867,11 +894,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
+@@ -870,11 +897,13 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
/* verify the block */
rv = gcmHash_Update(gcm->ghash_context, inbuf, inlen);
if (rv != SECSuccess) {
@@ -191,7 +191,7 @@
}
/* Don't decrypt if we can't authenticate the encrypted data!
* This assumes that if tagBits is not a multiple of 8, intag will
-@@ -879,10 +908,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
+@@ -882,10 +911,18 @@ GCM_DecryptUpdate(GCMContext *gcm, unsig
if (NSS_SecureMemcmp(tag, intag, tagBytes) != 0) {
/* force a CKR_ENCRYPTED_DATA_INVALID error at in softoken */
PORT_SetError(SEC_ERROR_BAD_DATA);
++++++ nss-opt.patch ++++++
--- /var/tmp/diff_new_pack.HMIrwN/_old 2023-03-15 18:53:52.024178938 +0100
+++ /var/tmp/diff_new_pack.HMIrwN/_new 2023-03-15 18:53:52.028178960 +0100
@@ -2,7 +2,7 @@
===================================================================
--- nss.orig/coreconf/Linux.mk
+++ nss/coreconf/Linux.mk
-@@ -113,11 +113,7 @@ LIBC_TAG = _glibc
+@@ -114,11 +114,7 @@ LIBC_TAG = _glibc
endif
ifdef BUILD_OPT
