PR#56: Update NSS to 3.95.0 - rpms/nss

rpms / nss

#56 Update NSS to 3.95.0

Merged 5 months ago by fkrenzel. Opened 5 months ago by fkrenzel.

rpms/ fkrenzel/nss f38 into f38

Krenzelok Frantisek • 5 months ago

f61e0ac

.gitignore

file modified

		`@@ -85,3 +85,4 @@`
		`/nss-3.92-with-nspr-4.35.tar.gz`
		`/nss-3.93-with-nspr-4.35.tar.gz`
		`/nss-3.94-with-nspr-4.35.tar.gz`
		`+ /nss-3.95-with-nspr-4.35.tar.gz`

nss-3.94-fix-ec-encoding.patch

file removed

-107

		`@@ -1,107 +0,0 @@`
		`- diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h`
		`- --- a/lib/freebl/blapit.h`
		`- +++ b/lib/freebl/blapit.h`
		`- @@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate`
		`- */`
		`-`
		`- /*`
		`- ** The ECParams data structures can encode elliptic curve`
		`- ** parameters for both GFp and GF2m curves.`
		`- */`
		`-`
		`- typedef enum { ec_params_explicit,`
		`- - ec_params_named`
		`- + ec_params_named,`
		`- + ec_params_edwards_named`
		`- } ECParamsType;`
		`-`
		`- typedef enum { ec_field_GFp = 1,`
		`- ec_field_GF2m,`
		`- ec_field_plain`
		`- } ECFieldType;`
		`-`
		`- struct ECFieldIDStr {`
		`- diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c`
		`- --- a/lib/freebl/ecdecode.c`
		`- +++ b/lib/freebl/ecdecode.c`
		`- @@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const`
		`- * (the NIST P-521 curve)`
		`- */`
		`- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1,`
		`- ec_field_GFp, params));`
		`- break;`
		`-`
		`- case SEC_OID_CURVE25519:`
		`- /* Populate params for Curve25519 */`
		`- + params->type = ec_params_edwards_named;`
		`- CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,`
		`- ec_field_plain,`
		`- params));`
		`- break;`
		`-`
		`- default:`
		`- break;`
		`- };`
		`- diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c`
		`- --- a/lib/softoken/pkcs11.c`
		`- +++ b/lib/softoken/pkcs11.c`
		`- @@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE`
		`- /* special note: We can't just use the first byte to distinguish`
		`- * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING.`
		`- * Both are 0x04. */`
		`-`
		`- /* Handle the non-DER encoded case.`
		`- * Some curves are always pressumed to be non-DER.`
		`- */`
		`- if (pubKey->u.ec.publicValue.len == keyLen &&`
		`- - (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain \|\|`
		`- + (pubKey->u.ec.ecParams.type == ec_params_edwards_named \|\|`
		`- pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {`
		`- break; /* key was not DER encoded, no need to unwrap */`
		`- }`
		`-`
		`- /* handle the encoded case */`
		`- if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&`
		`- pubKey->u.ec.publicValue.len > keyLen) {`
		`- SECItem publicValue;`
		`- @@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE`
		`- SEC_ASN1_GET(SEC_OctetStringTemplate),`
		`- &pubKey->u.ec.publicValue);`
		`- /* nope, didn't decode correctly */`
		`- if ((rv != SECSuccess) \|\| (publicValue.len != keyLen)) {`
		`- crv = CKR_ATTRIBUTE_VALUE_INVALID;`
		`- break;`
		`- }`
		`- /* we don't handle compressed points except in the case of ECCurve25519 */`
		`- - if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&`
		`- + if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) &&`
		`- (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {`
		`- crv = CKR_ATTRIBUTE_VALUE_INVALID;`
		`- break;`
		`- }`
		`- /* replace our previous with the decoded key */`
		`- pubKey->u.ec.publicValue = publicValue;`
		`- break;`
		`- }`
		`- diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c`
		`- --- a/lib/softoken/pkcs11c.c`
		`- +++ b/lib/softoken/pkcs11c.c`
		`- @@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS`
		`- sftk_fatalError = PR_TRUE;`
		`- }`
		`- PORT_FreeArena(ecParams->arena, PR_TRUE);`
		`- crv = sftk_MapCryptError(PORT_GetError());`
		`- break;`
		`- }`
		`-`
		`- if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") \|\|`
		`- - ecParams->fieldID.type == ec_field_plain) {`
		`- + ecParams->type == ec_params_edwards_named) {`
		`- PORT_FreeArena(ecParams->arena, PR_TRUE);`
		`- crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,`
		`- sftk_item_expand(&ecPriv->publicValue));`
		`- } else {`
		`- PORT_FreeArena(ecParams->arena, PR_TRUE);`
		`- SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,`
		`- &ecPriv->publicValue,`
		`- SEC_ASN1_GET(SEC_OctetStringTemplate));`

nss.spec

file modified

+6 -6

		`@@ -1,13 +1,13 @@`
		`%global nspr_version 4.35.0`
		`- %global nss_version 3.94.0`
		`+ %global nss_version 3.95.0`
		`# NOTE: To avoid NVR clashes of nspr* packages:`
		`# - reset %%{nspr_release} to 1, when updating %%{nspr_version}`
		`# - increment %%{nspr_version}, when updating the NSS part only`
		`- %global baserelease 2`
		`+ %global baserelease 1`
		`%global nss_release %baserelease`
		`# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when`
		`# release number between nss and nspr are different.`
		`- %global nspr_release %[%baserelease+10]`
		`+ %global nspr_release %[%baserelease+12]`
		`# only need to update this as we added new`
		`# algorithms under nss policy control`
		`%global crypto_policies_version 20210118`
		`@@ -132,9 +132,6 @@`
		`# fedora disabled dbm by default`
		`Patch40: nss-no-dbm-man-page.patch`

		`- # https://bugzilla.mozilla.org/show_bug.cgi?id=1861265`
		`- Patch50: nss-3.94-fix-ec-encoding.patch`
		`-`
		`Patch100: nspr-config-pc.patch`
		`Patch101: nspr-gcc-atomics.patch`

		`@@ -1088,6 +1085,9 @@`


		`%changelog`
		`+ * Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1`
		`+ - Update NSS to 3.95.0`
		`+`
		`* Thu Oct 26 2023 Bob Relyea <rrelyea#redhat.com> - 3.94.0-2`
		`- binary compatibility issue with HACL ECC 256 patch.`

sources

file modified

+1 -1

		`@@ -1,3 +1,3 @@`
		`SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06`
		`SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7`
		`- SHA512 (nss-3.94-with-nspr-4.35.tar.gz) = 121180c80c635b0e3e9fa5d44297107d4c5da84879210e81da0f799a48e9ed1ea43e5c28d5cb53fd65218678b94b5db282b7ed0ee96482caa01493c39ed93c27`
		`+ SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd`