rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update NSS to 3.95.0

Browse Source 
- remove nss-3.94-fix-ec-encoding.patch (upstreamed)
This commit is contained in:
Krenzelok Frantisek 2023-11-27 12:25:31 +01:00
parent b40f26ee71
commit 7a963c96b2
4 changed files with 8 additions and 113 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -85,3 +85,4 @@ TestUser51.cert
/nss-3.92-with-nspr-4.35.tar.gz
/nss-3.93-with-nspr-4.35.tar.gz
/nss-3.94-with-nspr-4.35.tar.gz
/nss-3.95-with-nspr-4.35.tar.gz

107
nss-3.94-fix-ec-encoding.patch
View File

@ -1,107 +0,0 @@
diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
--- a/lib/freebl/blapit.h
+++ b/lib/freebl/blapit.h
@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate
*/
/*
** The ECParams data structures can encode elliptic curve
** parameters for both GFp and GF2m curves.
*/
typedef enum { ec_params_explicit,
- ec_params_named
+ ec_params_named,
+ ec_params_edwards_named
} ECParamsType;
typedef enum { ec_field_GFp = 1,
ec_field_GF2m,
ec_field_plain
} ECFieldType;
struct ECFieldIDStr {
diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c
--- a/lib/freebl/ecdecode.c
+++ b/lib/freebl/ecdecode.c
@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const
* (the NIST P-521 curve)
*/
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1,
ec_field_GFp, params));
break;
case SEC_OID_CURVE25519:
/* Populate params for Curve25519 */
+ params->type = ec_params_edwards_named;
CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
ec_field_plain,
params));
break;
default:
break;
};
diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
/* special note: We can't just use the first byte to distinguish
* between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING.
* Both are 0x04. */
/* Handle the non-DER encoded case.
* Some curves are always pressumed to be non-DER.
*/
if (pubKey->u.ec.publicValue.len == keyLen &&
- (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
+ (pubKey->u.ec.ecParams.type == ec_params_edwards_named ||
pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
break; /* key was not DER encoded, no need to unwrap */
}
/* handle the encoded case */
if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&
pubKey->u.ec.publicValue.len > keyLen) {
SECItem publicValue;
@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
SEC_ASN1_GET(SEC_OctetStringTemplate),
&pubKey->u.ec.publicValue);
/* nope, didn't decode correctly */
if ((rv != SECSuccess) || (publicValue.len != keyLen)) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
/* we don't handle compressed points except in the case of ECCurve25519 */
- if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
+ if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) &&
(publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
crv = CKR_ATTRIBUTE_VALUE_INVALID;
break;
}
/* replace our previous with the decoded key */
pubKey->u.ec.publicValue = publicValue;
break;
}
diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
sftk_fatalError = PR_TRUE;
}
PORT_FreeArena(ecParams->arena, PR_TRUE);
crv = sftk_MapCryptError(PORT_GetError());
break;
}
if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
- ecParams->fieldID.type == ec_field_plain) {
+ ecParams->type == ec_params_edwards_named) {
PORT_FreeArena(ecParams->arena, PR_TRUE);
crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
sftk_item_expand(&ecPriv->publicValue));
} else {
PORT_FreeArena(ecParams->arena, PR_TRUE);
SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
&ecPriv->publicValue,
SEC_ASN1_GET(SEC_OctetStringTemplate));

11
nss.spec
View File

@ -1,13 +1,13 @@
%global nspr_version 4.35.0
%global nss_version 3.94.0
%global nss_version 3.95.0
# NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 2
%global baserelease 1
%global nss_release %baserelease
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different.
%global nspr_release %[%baserelease+13]
%global nspr_release %[%baserelease+15]
# only need to update this as we added new
# algorithms under nss policy control
%global crypto_policies_version 20210118
@ -131,8 +131,6 @@ Patch4: iquote.patch
Patch12: nss-signtool-format.patch
# fedora disabled dbm by default
Patch40: nss-no-dbm-man-page.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265
Patch50: nss-3.94-fix-ec-encoding.patch
Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch
@ -1086,6 +1084,9 @@ update-crypto-policies &> /dev/null || :
%changelog
* Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1
- Update NSS to 3.95.0
* Wed Oct 25 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-2
- revert HACL 256 code to fix binary compatibility issue.

2
sources
View File

@ -1,3 +1,3 @@
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (nss-3.94-with-nspr-4.35.tar.gz) = 121180c80c635b0e3e9fa5d44297107d4c5da84879210e81da0f799a48e9ed1ea43e5c28d5cb53fd65218678b94b5db282b7ed0ee96482caa01493c39ed93c27
SHA512 (nss-3.95-with-nspr-4.35.tar.gz) = 8394a0381db5b5d7f975f5057e0578909901244616ccaca694c1932fd9428e651a52bbf3f30e4d993e692538a603a57df1eae5e9badda3a1291d35836ab02ecd