Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozilla-nss for openSUSE:Factory checked in at 2023-08-02 16:48:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old) and /work/SRC/openSUSE:Factory/.mozilla-nss.new.22712 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss" Wed Aug 2 16:48:09 2023 rev:206 rq:1101639 version:3.91 Changes: --------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes 2023-07-30 20:57:36.555161732 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.22712/mozilla-nss.changes 2023-08-02 16:48:24.392606749 +0200
@@ -1,0 +2,22 @@
+Sat Jul 29 11:50:48 UTC 2023 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- update to NSS 3.91
+ * bmo#1837431 - Implementation of the HW support check for ADX instruction
+ * bmo#1836925 - Removing the support of Curve25519
+ * bmo#1839795 - Fix comment about the addition of ticketSupportsEarlyData
+ * bmo#1839327 - Adding args to enable-legacy-db build
+ * bmo#1835357 - dbtests.sh failure in "certutil dump keys with explicit
+ default trust flags"
+ * bmo#1837617 - Initialize flags in slot structures
+ * bmo#1835425 - Improve the length check of RSA input to avoid heap overflow
+ * bmo#1829112 - Followup Fixes
+ * bmo#1784253 - avoid processing unexpected inputs by checking for
+ m_exptmod base sign
+ * bmo#1826652 - add a limit check on order_k to avoid infinite loop
+ * bmo#1834851 - Update HACL* to commit 5f6051d2
+ * bmo#1753026 - add SHA3 to cryptohi and softoken
+ * bmo#1753026 - HACL SHA3
+ * bmo#1836781 - Disabling ASM C25519 for A but X86_64
+- removed upstreamed patch nss-fix-bmo1836925.patch
+
+-------------------------------------------------------------------
Old: ---- nss-3.90.tar.gz nss-fix-bmo1836925.patch New: ---- nss-3.91.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:27.768627284 +0200
+++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:27.776627333 +0200
@@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.90 +%global nss_softokn_fips_version 3.91 %define NSPR_min_version 4.35 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.90 +Version: 3.91 Release: 0 -%define underscore_version 3_90 +%define underscore_version 3_91 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -77,7 +77,6 @@ Patch45: nss-fips-drbg-libjitter.patch Patch46: nss-allow-slow-tests.patch Patch47: nss-fips-pct-pubkeys.patch -Patch48: nss-fix-bmo1836925.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -232,7 +231,6 @@ %endif %patch46 -p1 %patch47 -p1 -%patch48 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins ++++++ nss-3.90.tar.gz -> nss-3.91.tar.gz ++++++ /work/SRC/openSUSE:Factory/mozilla-nss/nss-3.90.tar.gz /work/SRC/openSUSE:Factory/.mozilla-nss.new.22712/nss-3.91.tar.gz differ: char 5, line 1 ++++++ nss-allow-slow-tests.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:27.936628306 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:27.940628331 +0200 @@ -20,8 +20,8 @@ RARRAY=($dtime) TIMEARRAY=(${RARRAY[1]//./ }) echo "${TIMEARRAY[0]} seconds" -- test ${TIMEARRAY[0]} -lt 2 -+ # Was 2, but that is too small for OBS-workers. +- test ${TIMEARRAY[0]} -lt 5 ++ # Was 5, but that is too small for OBS-workers. + test ${TIMEARRAY[0]} -lt 6 ret=$? html_msg ${ret} 0 "certutil dump keys with explicit default trust flags" ++++++ nss-fips-approved-crypto-non-ec.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:27.968628501 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:27.972628525 +0200 
@@ -352,7 +352,7 @@ static void * null_hash_new_context(void) -@@ -146,7 +147,11 @@ const SECHashObject SECRawHashObjects[] +@@ -190,7 +191,11 @@ const SECHashObject SECRawHashObjects[] const SECHashObject * HASH_GetRawHashObject(HASH_HashType hashType) { @@ -369,7 +369,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4780,6 +4780,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4792,6 +4792,9 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi goto loser; } @@ -379,7 +379,7 @@ /* * handle the base object stuff */ -@@ -4794,6 +4797,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi +@@ -4806,6 +4809,7 @@ NSC_GenerateKey(CK_SESSION_HANDLE hSessi if (crv == CKR_OK) { *phKey = key->handle; } @@ -387,7 +387,7 @@ loser: PORT_Memset(buf, 0, sizeof buf); sftk_FreeObject(key); -@@ -5710,11 +5714,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5722,11 +5726,11 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS * created and linked. */ crv = sftk_handleObject(publicKey, session); @@ -400,7 +400,7 @@ return crv; } if (sftk_isTrue(privateKey, CKA_SENSITIVE)) { -@@ -5758,13 +5762,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5770,13 +5774,19 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS sftk_FreeObject(publicKey); NSC_DestroyObject(hSession, privateKey->handle); sftk_FreeObject(privateKey); @@ -420,7 +420,7 @@ return CKR_OK; } -@@ -7469,7 +7479,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7481,7 +7491,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession } else { /* now allocate the hash contexts */ md5 = MD5_NewContext(); @@ -429,7 +429,7 @@ PORT_Memset(crsrdata, 0, sizeof crsrdata); crv = CKR_HOST_MEMORY; break; -@@ -7858,6 +7868,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession +@@ -7870,6 +7880,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession PORT_Assert(i <= sizeof key_block); } 
@@ -737,7 +737,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11.c +++ nss/lib/softoken/pkcs11.c -@@ -534,17 +534,17 @@ static const struct mechanismList mechan +@@ -546,17 +546,17 @@ static const struct mechanismList mechan { CKM_TLS_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_TLS12_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, { CKM_NSS_TLS_MASTER_KEY_DERIVE_SHA256, ++++++ nss-fips-combined-hash-sign-dsa-ecdsa.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:28.004628720 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:28.008628744 +0200 @@ -68,7 +68,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -2653,7 +2653,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig +@@ -2657,7 +2657,7 @@ nsc_DSA_Verify_Stub(void *ctx, void *sig static SECStatus nsc_DSA_Sign_Stub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -77,7 +77,7 @@ { SECItem signature, digest; SECStatus rv; -@@ -2671,6 +2671,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu +@@ -2675,6 +2675,22 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu return rv; } @@ -100,7 +100,7 @@ static SECStatus nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen, void *dataBuf, unsigned int dataLen) -@@ -2688,7 +2704,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig +@@ -2692,7 +2708,7 @@ nsc_ECDSAVerifyStub(void *ctx, void *sig static SECStatus nsc_ECDSASignStub(void *ctx, void *sigBuf, unsigned int *sigLen, unsigned int maxSigLen, @@ -109,7 +109,7 @@ { SECItem signature, digest; SECStatus rv; -@@ -2706,6 +2722,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu +@@ -2710,6 +2726,22 @@ nsc_ECDSASignStub(void *ctx, void *sigBu return rv; } 
@@ -132,7 +132,7 @@ /* NSC_SignInit setups up the signing operations. There are three basic * types of signing: * (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied -@@ -3575,6 +3607,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio +@@ -3583,6 +3615,22 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio info->hashOid = SEC_OID_##mmm; \ goto finish_rsa; @@ -155,7 +155,7 @@ switch (pMechanism->mechanism) { INIT_RSA_VFY_MECH(MD5) INIT_RSA_VFY_MECH(MD2) -@@ -4807,6 +4855,73 @@ loser: +@@ -4819,6 +4867,73 @@ loser: #define PAIRWISE_DIGEST_LENGTH SHA224_LENGTH /* 224-bits */ #define PAIRWISE_MESSAGE_LENGTH 20 /* 160-bits */ @@ -229,7 +229,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -4860,8 +4975,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -4872,8 +4987,6 @@ sftk_PairwiseConsistencyCheck(CK_SESSION /* Variables used for Signature/Verification functions. */ /* Must be at least 256 bits for DSA2 digest */ @@ -238,7 +238,7 @@ CK_ULONG signature_length; if (keyType == CKK_RSA) { -@@ -5015,76 +5128,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5027,76 +5140,32 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } } ++++++ nss-fips-constructor-self-tests.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:28.020628817 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:28.028628866 +0200 @@ -42,7 +42,7 @@ =================================================================== --- nss.orig/lib/freebl/blapi.h +++ nss/lib/freebl/blapi.h -@@ -1759,17 +1759,17 @@ extern void BL_Unload(void); +@@ -1859,17 +1859,17 @@ extern void BL_Unload(void); /************************************************************************** * Verify a given Shared library signature * **************************************************************************/ 
@@ -63,7 +63,7 @@ /*********************************************************************/ extern const SECHashObject *HASH_GetRawHashObject(HASH_HashType hashType); -@@ -1791,6 +1791,9 @@ extern SECStatus EC_CopyParams(PLArenaPo +@@ -1891,6 +1891,9 @@ extern SECStatus EC_CopyParams(PLArenaPo */ extern int EC_GetPointSize(const ECParams *params); @@ -865,7 +865,7 @@ /* Version 3.013 came to here */ -@@ -834,6 +834,9 @@ struct FREEBLVectorStr { +@@ -912,6 +912,9 @@ struct FREEBLVectorStr { /* Add new function pointers at the end of this struct and bump * FREEBL_VERSION at the beginning of this file. */ @@ -887,7 +887,7 @@ $(NULL) MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h -@@ -187,6 +188,7 @@ ALL_HDRS = \ +@@ -189,6 +190,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ @@ -1654,15 +1654,10 @@ =================================================================== --- nss.orig/lib/freebl/ldvector.c +++ nss/lib/freebl/ldvector.c -@@ -375,9 +375,12 @@ static const struct FREEBLVectorStr vect - /* End of version 3.024 */ - ChaCha20_InitContext, - ChaCha20_CreateContext, -- ChaCha20_DestroyContext -+ ChaCha20_DestroyContext, +@@ -432,6 +432,8 @@ static const struct FREEBLVectorStr vect + SHAKE_256_Hash, - /* End of version 3.025 */ -+ + /* End of version 3.026 */ + /* SUSE patch: Goes last */ + BL_FIPSRepeatIntegrityCheck }; ++++++ nss-fips-pairwise-consistency-check.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:28.056629036 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:28.060629061 +0200 @@ -14,7 +14,7 @@ =================================================================== --- nss.orig/lib/softoken/pkcs11c.c +++ nss/lib/softoken/pkcs11c.c -@@ -4800,8 +4800,8 @@ loser: +@@ -4812,8 +4812,8 @@ loser: return crv; } 
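Review bot: In the lib/freebl/ldvector.c hunk of nss-fips-constructor-self-tests.patch, `BL_FIPSRepeatIntegrityCheck` is appended as a downstream-only last slot of the `FREEBLVectorStr` initializer, and this refresh shows that slot moving from after `ChaCha20_DestroyContext` (end of version 3.025) to after `SHAKE_256_Hash` (end of version 3.026). The comment in the `struct FREEBLVectorStr` hunk earlier in the same patch asks for a `FREEBL_VERSION` bump whenever a pointer is added, and nothing visible here shows the patch doing that, so a softoken built against the older layout could presumably still load the new freebl and reach a SHA3/SHAKE entry where it expects the FIPS integrity re-check. I would state the constraint next to the entry, e.g. `/* SUSE patch: goes last; slot index shifts whenever upstream extends the vector, so freebl and softoken must come from the same build */`, and confirm that the package dependencies enforce that pairing. The initializer starts outside the hunk.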
@@ -25,7 +25,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. -@@ -5749,6 +5749,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS +@@ -5761,6 +5761,7 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS (PRUint32)crv); sftk_LogAuditMessage(NSS_AUDIT_ERROR, NSS_AUDIT_SELF_TEST, msg); } ++++++ nss-fips-pct-pubkeys.patch ++++++ --- /var/tmp/diff_new_pack.5qHAvm/_old 2023-08-02 16:48:28.072629134 +0200 +++ /var/tmp/diff_new_pack.5qHAvm/_new 2023-08-02 16:48:28.076629158 +0200 @@ -13,7 +13,7 @@ #include "seccomon.h" #include "secitem.h" #include "secport.h" -@@ -4922,6 +4923,88 @@ pairwise_signverify_mech (CK_SESSION_HAN +@@ -4934,6 +4935,88 @@ pairwise_signverify_mech (CK_SESSION_HAN return crv; } @@ -102,7 +102,7 @@ /* * FIPS 140-2 pairwise consistency check utilized to validate key pair. * -@@ -5268,6 +5351,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION +@@ -5280,6 +5363,30 @@ sftk_PairwiseConsistencyCheck(CK_SESSION } }