diff --git a/.gitignore b/.gitignore index 61e1690..3f34bb5 100644 --- a/.gitignore +++ b/.gitignore @@ -85,3 +85,4 @@ TestUser51.cert /nss-3.92-with-nspr-4.35.tar.gz /nss-3.93-with-nspr-4.35.tar.gz /nss-3.94-with-nspr-4.35.tar.gz +/nss-3.95-with-nspr-4.35.tar.gz diff --git a/nss-3.94-fix-ec-encoding.patch b/nss-3.94-fix-ec-encoding.patch deleted file mode 100644 index f4361c9..0000000 --- a/nss-3.94-fix-ec-encoding.patch +++ /dev/null @@ -1,107 +0,0 @@ -diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h ---- a/lib/freebl/blapit.h -+++ b/lib/freebl/blapit.h -@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate - */ - - /* - ** The ECParams data structures can encode elliptic curve - ** parameters for both GFp and GF2m curves. - */ - - typedef enum { ec_params_explicit, -- ec_params_named -+ ec_params_named, -+ ec_params_edwards_named - } ECParamsType; - - typedef enum { ec_field_GFp = 1, - ec_field_GF2m, - ec_field_plain - } ECFieldType; - - struct ECFieldIDStr { -diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c ---- a/lib/freebl/ecdecode.c -+++ b/lib/freebl/ecdecode.c -@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const - * (the NIST P-521 curve) - */ - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1, - ec_field_GFp, params)); - break; - - case SEC_OID_CURVE25519: - /* Populate params for Curve25519 */ -+ params->type = ec_params_edwards_named; - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, - ec_field_plain, - params)); - break; - - default: - break; - }; -diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c ---- a/lib/softoken/pkcs11.c -+++ b/lib/softoken/pkcs11.c -@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE - /* special note: We can't just use the first byte to distinguish - * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING. - * Both are 0x04. */ - - /* Handle the non-DER encoded case. - * Some curves are always pressumed to be non-DER. - */ - if (pubKey->u.ec.publicValue.len == keyLen && -- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain || -+ (pubKey->u.ec.ecParams.type == ec_params_edwards_named || - pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) { - break; /* key was not DER encoded, no need to unwrap */ - } - - /* handle the encoded case */ - if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) && - pubKey->u.ec.publicValue.len > keyLen) { - SECItem publicValue; -@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE - SEC_ASN1_GET(SEC_OctetStringTemplate), - &pubKey->u.ec.publicValue); - /* nope, didn't decode correctly */ - if ((rv != SECSuccess) || (publicValue.len != keyLen)) { - crv = CKR_ATTRIBUTE_VALUE_INVALID; - break; - } - /* we don't handle compressed points except in the case of ECCurve25519 */ -- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) && -+ if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) && - (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) { - crv = CKR_ATTRIBUTE_VALUE_INVALID; - break; - } - /* replace our previous with the decoded key */ - pubKey->u.ec.publicValue = publicValue; - break; - } -diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c ---- a/lib/softoken/pkcs11c.c -+++ b/lib/softoken/pkcs11c.c -@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS - sftk_fatalError = PR_TRUE; - } - PORT_FreeArena(ecParams->arena, PR_TRUE); - crv = sftk_MapCryptError(PORT_GetError()); - break; - } - - if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") || -- ecParams->fieldID.type == ec_field_plain) { -+ ecParams->type == ec_params_edwards_named) { - PORT_FreeArena(ecParams->arena, PR_TRUE); - crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT, - sftk_item_expand(&ecPriv->publicValue)); - } else { - PORT_FreeArena(ecParams->arena, PR_TRUE); - SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL, - &ecPriv->publicValue, - SEC_ASN1_GET(SEC_OctetStringTemplate)); diff --git a/nss.spec b/nss.spec index 43412fa..e7bb6ec 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.35.0 -%global nss_version 3.94.0 +%global nss_version 3.95.0 # NOTE: To avoid NVR clashes of nspr* packages: # - reset %%{nspr_release} to 1, when updating %%{nspr_version} # - increment %%{nspr_version}, when updating the NSS part only -%global baserelease 2 +%global baserelease 1 %global nss_release %baserelease # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # release number between nss and nspr are different. -%global nspr_release %[%baserelease+13] +%global nspr_release %[%baserelease+15] # only need to update this as we added new # algorithms under nss policy control %global crypto_policies_version 20210118 @@ -131,8 +131,6 @@ Patch4: iquote.patch Patch12: nss-signtool-format.patch # fedora disabled dbm by default Patch40: nss-no-dbm-man-page.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265 -Patch50: nss-3.94-fix-ec-encoding.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -1086,6 +1084,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon Nov 27 2023 Frantisek Krenzelok - 3.95.0-1 +- Update NSS to 3.95.0 + * Wed Oct 25 2023 Frantisek Krenzelok - 3.94.0-2 - revert HACL 256 code to fix binary compatibility issue. diff --git a/sources b/sources index fa784d4..0a41301 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 -SHA512 (nss-3.94-with-nspr-4.35.tar.gz) = 121180c80c635b0e3e9fa5d44297107d4c5da84879210e81da0f799a48e9ed1ea43e5c28d5cb53fd65218678b94b5db282b7ed0ee96482caa01493c39ed93c27 +SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd