diff --git a/Feature-nss-support-SM2-signature-algorithm.patch b/Feature-nss-support-SM2-signature-algorithm.patch index 6b1c7c99cca06d8dd6f24ba6d4ca3f3c3aa5d1f6..89bc63b8aa6c81466bf2853766be76aa0220bef0 100644 --- a/Feature-nss-support-SM2-signature-algorithm.patch +++ b/Feature-nss-support-SM2-signature-algorithm.patch @@ -5,22 +5,6 @@ Subject: [PATCH 4/4] nss support SM2 signature algorithm Co-authored-by: godcansee Signed-off-by: Huaxin Lu ---- - lib/cryptohi/cryptohi.h | 2 ++ - lib/cryptohi/seckey.c | 3 +++ - lib/cryptohi/secsign.c | 43 +++++++++++++++++++++++++++++++++++++ - lib/cryptohi/secvfy.c | 5 +++++ - lib/freebl/ec.c | 5 ++++- - lib/freebl/ecdecode.c | 5 ++++- - lib/freebl/ecl/ecl-curve.h | 33 ++++++++++++++++++++++++++++ - lib/freebl/ecl/ecl-exp.h | 1 + - lib/freebl/freebl_base.gypi | 1 + - lib/freebl/manifest.mn | 2 ++ - lib/nss/nss.def | 6 ++++++ - lib/util/pkcs11n.h | 2 ++ - lib/util/secoid.c | 4 ++++ - lib/util/secoidt.h | 2 ++ - 14 files changed, 112 insertions(+), 2 deletions(-) diff --git a/lib/cryptohi/cryptohi.h b/lib/cryptohi/cryptohi.h index 7b66f0b..4f99ef9 100644 @@ -36,10 +20,10 @@ index 7b66f0b..4f99ef9 100644 #endif /* _CRYPTOHI_H_ */ diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c -index fa13bc3..4bcd43e 100644 +index 656609e..6a230e1 100644 --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c -@@ -520,6 +520,7 @@ seckey_GetKeyType(SECOidTag tag) +@@ -519,6 +519,7 @@ seckey_GetKeyType(SECOidTag tag) keyType = dhKey; break; case SEC_OID_ANSIX962_EC_PUBLIC_KEY: @@ -47,7 +31,7 @@ index fa13bc3..4bcd43e 100644 keyType = ecKey; break; /* accommodate applications that hand us a signature type when they -@@ -776,6 +777,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams) +@@ -775,6 +776,7 @@ SECKEY_ECParamsToKeySize(const SECItem *encodedParams) case SEC_OID_SECG_EC_SECP256K1: case SEC_OID_ANSIX962_EC_PRIME256V1: @@ -55,7 +39,7 @@ index fa13bc3..4bcd43e 100644 return 256; case SEC_OID_ANSIX962_EC_C2PNB272W1: -@@ -924,6 +926,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) +@@ -923,6 +925,7 @@ SECKEY_ECParamsToBasePointOrderLen(const SECItem *encodedParams) case SEC_OID_SECG_EC_SECP256K1: case SEC_OID_ANSIX962_EC_PRIME256V1: @@ -64,10 +48,10 @@ index fa13bc3..4bcd43e 100644 case SEC_OID_ANSIX962_EC_C2PNB272W1: diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c -index c46b2b1..90be1d1 100644 +index 8779904..8a12b25 100644 --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c -@@ -861,3 +861,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena, +@@ -882,3 +882,46 @@ SEC_CreateSignatureAlgorithmParameters(PLArenaPool *arena, return result; } } @@ -115,7 +99,7 @@ index c46b2b1..90be1d1 100644 + return SECSuccess; +} diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c -index 1754584..1d75bdf 100644 +index 8c9dc2d..981cb0d 100644 --- a/lib/cryptohi/secvfy.c +++ b/lib/cryptohi/secvfy.c @@ -288,6 +288,8 @@ sec_GetEncAlgFromSigAlg(SECOidTag sigAlg) @@ -138,7 +122,7 @@ index 1754584..1d75bdf 100644 case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: default: diff --git a/lib/freebl/ec.c b/lib/freebl/ec.c -index 73a625a..bf2aea7 100644 +index 5bf7d81..2b8e321 100644 --- a/lib/freebl/ec.c +++ b/lib/freebl/ec.c @@ -15,6 +15,7 @@ @@ -148,8 +132,8 @@ index 73a625a..bf2aea7 100644 +#include "sm2.h" #define EC_DOUBLECHECK PR_FALSE - -@@ -907,7 +908,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) + +@@ -988,7 +989,9 @@ ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest) goto cleanup; /* Generate ECDSA signature with the specified k value */ @@ -161,14 +145,13 @@ index 73a625a..bf2aea7 100644 cleanup: if (kBytes) { diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c -index 652ad42..4c090d2 100644 +index bd31eb0..29f41c9 100644 --- a/lib/freebl/ecdecode.c +++ b/lib/freebl/ecdecode.c -@@ -179,7 +179,10 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, - CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519, ec_field_plain, +@@ -181,6 +181,10 @@ EC_FillParams(PLArenaPool *arena, const SECItem *encodedParams, params)); break; -- + + case SEC_OID_SM2: + /* Populate params for Curve SM2 */ + CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_sm2p256v1, ec_field_plain, @@ -177,10 +160,10 @@ index 652ad42..4c090d2 100644 break; }; diff --git a/lib/freebl/ecl/ecl-curve.h b/lib/freebl/ecl/ecl-curve.h -index fc8003f..e64fe4d 100644 +index dec3ce3..b525ba5 100644 --- a/lib/freebl/ecl/ecl-curve.h +++ b/lib/freebl/ecl/ecl-curve.h -@@ -206,6 +206,38 @@ static const ECCurveBytes ecCurve_25519 = { +@@ -178,6 +178,38 @@ static const ECCurveBytes ecCurve_25519 = { KU_KEY_AGREEMENT }; @@ -219,7 +202,7 @@ index fc8003f..e64fe4d 100644 /* mapping between ECCurveName enum and pointers to ECCurveParams */ static const ECCurveBytes *ecCurve_map[] = { NULL, /* ECCurve_noName */ -@@ -267,6 +299,7 @@ static const ECCurveBytes *ecCurve_map[] = { +@@ -239,6 +271,7 @@ static const ECCurveBytes *ecCurve_map[] = { NULL, /* ECCurve_WTLS_8 */ NULL, /* ECCurve_WTLS_9 */ &ecCurve_25519, /* ECCurve25519 */ @@ -240,10 +223,10 @@ index 44adb8a..d071fc9 100644 ECCurve_pastLastCurve } ECCurveName; diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi -index 85a569f..253ce8d 100644 +index 920d613..e6094a9 100644 --- a/lib/freebl/freebl_base.gypi +++ b/lib/freebl/freebl_base.gypi -@@ -59,6 +59,7 @@ +@@ -61,6 +61,7 @@ 'sha_fast.c', 'shvfy.c', 'sm3.c', @@ -252,10 +235,10 @@ index 85a569f..253ce8d 100644 'tlsprfalg.c', 'secmpi.c', diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn -index fd3218d..2dbf7c9 100644 +index 3214369..f321f67 100644 --- a/lib/freebl/manifest.mn +++ b/lib/freebl/manifest.mn -@@ -158,6 +158,7 @@ CSRCS = \ +@@ -161,6 +161,7 @@ CSRCS = \ $(LOWHASH_SRCS) \ $(EXTRA_SRCS) \ sm3.c \ @@ -263,7 +246,7 @@ index fd3218d..2dbf7c9 100644 $(NULL) ifndef NSS_DISABLE_DEPRECATED_SEED -@@ -188,6 +189,7 @@ ALL_HDRS = \ +@@ -191,6 +192,7 @@ ALL_HDRS = \ vis_proto.h \ seed.h \ sm3.h \ @@ -272,10 +255,10 @@ index fd3218d..2dbf7c9 100644 diff --git a/lib/nss/nss.def b/lib/nss/nss.def -index e87395b..2bc4965 100644 +index 35850ca..4d778e5 100644 --- a/lib/nss/nss.def +++ b/lib/nss/nss.def -@@ -1238,3 +1238,9 @@ PK11_SlotGetLastFIPSStatus; +@@ -1253,3 +1253,9 @@ SECMOD_LockedModuleHasRemovableSlots; ;+ local: ;+ *; ;+}; @@ -286,10 +269,10 @@ index e87395b..2bc4965 100644 +;+ *; +;+}; diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h -index 9bb704c..f195077 100644 +index 5027847..31a0807 100644 --- a/lib/util/pkcs11n.h +++ b/lib/util/pkcs11n.h -@@ -252,6 +252,8 @@ +@@ -260,6 +260,8 @@ /* SM algorithm (to be proposed to PKCS #11) */ #define CKM_NSS_SM3 (CKM_NSS + 45) @@ -299,10 +282,10 @@ index 9bb704c..f195077 100644 /* diff --git a/lib/util/secoid.c b/lib/util/secoid.c -index 3091d99..f5f2b12 100644 +index 2060429..e97eead 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c -@@ -606,6 +606,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 +@@ -616,6 +616,8 @@ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 * 1.2.156.197.1.401 */ CONST_OID sm3[] = { 0x2A, 0x81, 0x1C, 0xCF, 0x55, 0x01, 0x83, 0x11 }; @@ -311,28 +294,25 @@ index 3091d99..f5f2b12 100644 #define OI(x) \ { \ -@@ -1801,6 +1803,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { - "IPsec User", +@@ -1812,6 +1814,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION), + OD(sm2, SEC_OID_SM2, "SM2", CKM_NSS_SM2, INVALID_CERT_EXTENSION), + OD(sm2_with_sm3, SEC_OID_SM2_WITH_SM3, "SM2_WITH_SM3", CKM_NSS_SM2_WITH_SM3, INVALID_CERT_EXTENSION), - }; - /* PRIVATE EXTENDED SECOID Table + OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION), + OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h -index 984b7fb..fe49661 100644 +index b6a98a2..b60f74e 100644 --- a/lib/util/secoidt.h +++ b/lib/util/secoidt.h -@@ -503,6 +503,8 @@ typedef enum { - SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, +@@ -513,6 +513,8 @@ typedef enum { + SEC_OID_HMAC_SHA3_512 = 371, - SEC_OID_SM3 = 364, -+ SEC_OID_SM2 = 365, -+ SEC_OID_SM2_WITH_SM3 = 366, + SEC_OID_SM3 = 372, ++ SEC_OID_SM2 = 373, ++ SEC_OID_SM2_WITH_SM3 = 374, SEC_OID_TOTAL } SECOidTag; --- -2.33.0 - diff --git a/Feature-nss-support-SM3-digest-algorithm.patch b/Feature-nss-support-SM3-digest-algorithm.patch index 2584f5216d2ccc59d8b6dd27714a3f95bf2e7ddc..658b82393115e8713be91ef143e19ea6346f3957 100644 --- a/Feature-nss-support-SM3-digest-algorithm.patch +++ b/Feature-nss-support-SM3-digest-algorithm.patch @@ -5,32 +5,9 @@ Subject: [PATCH 2/4] nss support SM3 digest algorithm Co-authored-by: godcansee Signed-off-by: Huaxin Lu ---- - lib/cryptohi/sechash.c | 19 ++++++++ - lib/freebl/blapi.h | 18 ++++++++ - lib/freebl/blapit.h | 4 ++ - lib/freebl/freebl_base.gypi | 1 + - lib/freebl/ldvector.c | 13 +++++- - lib/freebl/loader.c | 91 +++++++++++++++++++++++++++++++++++++ - lib/freebl/loader.h | 14 ++++++ - lib/freebl/manifest.mn | 2 + - lib/freebl/rawhash.c | 12 +++++ - lib/pk11wrap/pk11pars.c | 2 + - lib/pk11wrap/pk11slot.c | 11 ++++- - lib/pk11wrap/secmod.h | 1 + - lib/softoken/pkcs11.c | 1 + - lib/softoken/pkcs11c.c | 2 + - lib/util/hasht.h | 2 + - lib/util/pkcs11n.h | 4 ++ - lib/util/secoid.c | 6 +++ - lib/util/secoidt.h | 2 + - lib/util/utilmodt.h | 1 + - lib/util/utilpars.c | 1 + - lib/util/utilparst.h | 2 +- - 21 files changed, 205 insertions(+), 4 deletions(-) diff --git a/lib/cryptohi/sechash.c b/lib/cryptohi/sechash.c -index 474fdff..7c4cdbf 100644 +index 5c592df..b288145 100644 --- a/lib/cryptohi/sechash.c +++ b/lib/cryptohi/sechash.c @@ -85,6 +85,12 @@ sha512_NewContext(void) @@ -43,10 +20,10 @@ index 474fdff..7c4cdbf 100644 + return (void *)PK11_CreateDigestContext(SEC_OID_SM3); +} + - const SECHashObject SECHashObjects[] = { - { 0, - (void *(*)(void))null_hash_new_context, -@@ -166,6 +172,16 @@ const SECHashObject SECHashObjects[] = { + static void * + sha3_224_NewContext(void) + { +@@ -190,6 +196,16 @@ const SECHashObject SECHashObjects[] = { PK11_DigestFinal, SHA224_BLOCK_LENGTH, HASH_AlgSHA224 }, @@ -60,26 +37,26 @@ index 474fdff..7c4cdbf 100644 + PK11_DigestFinal, + SM3_BLOCK_LENGTH, + HASH_AlgSM3 }, - }; - - const SECHashObject * -@@ -201,6 +217,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid) + { SHA3_224_LENGTH, + (void *(*)(void))sha3_224_NewContext, + (void *(*)(void *))PK11_CloneContext, +@@ -265,6 +281,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashOid) case SEC_OID_SHA512: ht = HASH_AlgSHA512; break; + case SEC_OID_SM3: + ht = HASH_AlgSM3; + break; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + case SEC_OID_SHA3_224: + ht = HASH_AlgSHA3_224; break; diff --git a/lib/freebl/blapi.h b/lib/freebl/blapi.h -index 94fd802..d53c196 100644 +index b8bc4d3..a06544e 100644 --- a/lib/freebl/blapi.h +++ b/lib/freebl/blapi.h -@@ -1484,6 +1484,24 @@ extern SECStatus SHA384_Flatten(SHA384Context *cx, unsigned char *space); - extern SHA384Context *SHA384_Resurrect(unsigned char *space, void *arg); - extern void SHA384_Clone(SHA384Context *dest, SHA384Context *src); +@@ -1584,6 +1584,24 @@ extern SECStatus SHAKE_256_HashBuf(unsigned char *dest, unsigned int dest_len, + const unsigned char *src, PRUint32 src_length); + extern SECStatus SHAKE_256_Hash(unsigned char *dest, unsigned int dest_len, const char *src); +/******************************************/ + @@ -103,46 +80,46 @@ index 94fd802..d53c196 100644 * implement TLS 1.0 Pseudo Random Function (PRF) and TLS P_hash function */ diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h -index 0054e17..2d400ec 100644 +index 8cba3ec..cbd6b79 100644 --- a/lib/freebl/blapit.h +++ b/lib/freebl/blapit.h -@@ -98,6 +98,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); - #define SHA384_LENGTH 48 /* bytes */ - #define SHA512_LENGTH 64 /* bytes */ +@@ -102,6 +102,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); + #define SHA3_384_LENGTH 48 /* bytes */ + #define SHA3_512_LENGTH 64 /* bytes */ #define BLAKE2B512_LENGTH 64 /* Bytes */ +#define SM3_LENGTH 32 /* bytes */ #define HASH_LENGTH_MAX SHA512_LENGTH /* -@@ -112,6 +113,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); - #define SHA384_BLOCK_LENGTH 128 /* bytes */ - #define SHA512_BLOCK_LENGTH 128 /* bytes */ - #define BLAKE2B_BLOCK_LENGTH 128 /* Bytes */ +@@ -120,6 +121,7 @@ typedef int __BLAPI_DEPRECATED __attribute__((deprecated)); + #define SHA3_384_BLOCK_LENGTH 104 /* bytes */ + #define SHA3_512_BLOCK_LENGTH 72 /* bytes */ + #define BLAKE2B_BLOCK_LENGTH 128 /* Bytes */ +#define SM3_BLOCK_LENGTH 64 /* bytes */ - #define HASH_BLOCK_LENGTH_MAX SHA512_BLOCK_LENGTH + #define HASH_BLOCK_LENGTH_MAX SHA3_224_BLOCK_LENGTH #define AES_BLOCK_SIZE 16 /* bytes */ -@@ -243,6 +245,7 @@ struct MD5ContextStr; +@@ -255,6 +257,7 @@ struct MD5ContextStr; struct SHA1ContextStr; struct SHA256ContextStr; struct SHA512ContextStr; +struct SM3ContextStr; + struct SHA3ContextStr; + struct SHAKEContextStr; struct AESKeyWrapContextStr; - struct SEEDContextStr; - struct ChaCha20ContextStr; -@@ -264,6 +267,7 @@ typedef struct SHA256ContextStr SHA224Context; +@@ -278,6 +281,7 @@ typedef struct SHA256ContextStr SHA224Context; typedef struct SHA512ContextStr SHA512Context; /* SHA384Context is really a SHA512ContextStr. This is not a mistake. */ typedef struct SHA512ContextStr SHA384Context; +typedef struct SM3ContextStr SM3Context; - typedef struct AESKeyWrapContextStr AESKeyWrapContext; - typedef struct SEEDContextStr SEEDContext; - typedef struct ChaCha20ContextStr ChaCha20Context; + /* All SHA3_*Contexts are the same. This is not a mistake. */ + typedef struct SHA3ContextStr SHA3_224Context; + typedef struct SHA3ContextStr SHA3_256Context; diff --git a/lib/freebl/freebl_base.gypi b/lib/freebl/freebl_base.gypi -index 34b6b3c..8f64046 100644 +index d2e16f2..920d613 100644 --- a/lib/freebl/freebl_base.gypi +++ b/lib/freebl/freebl_base.gypi -@@ -58,6 +58,7 @@ +@@ -60,6 +60,7 @@ 'rsapkcs.c', 'sha_fast.c', 'shvfy.c', @@ -151,17 +128,13 @@ index 34b6b3c..8f64046 100644 'tlsprfalg.c', 'secmpi.c', diff --git a/lib/freebl/ldvector.c b/lib/freebl/ldvector.c -index 6f4bd6a..143584b 100644 +index ff0a5f8..bf41759 100644 --- a/lib/freebl/ldvector.c +++ b/lib/freebl/ldvector.c -@@ -375,9 +375,20 @@ static const struct FREEBLVectorStr vector = { - /* End of version 3.024 */ - ChaCha20_InitContext, - ChaCha20_CreateContext, -- ChaCha20_DestroyContext -+ ChaCha20_DestroyContext, +@@ -379,6 +379,18 @@ static const struct FREEBLVectorStr vector = { /* End of version 3.025 */ + + SM3_NewContext, + SM3_DestroyContext, + SM3_Begin, @@ -172,19 +145,19 @@ index 6f4bd6a..143584b 100644 + SM3_TraceState, + SM3_FlattenSize, + SM3_Flatten, -+ SM3_Resurrect - }; - - const FREEBLVector* ++ SM3_Resurrect, ++ + SHA3_224_NewContext, + SHA3_224_DestroyContext, + SHA3_224_FlattenSize, diff --git a/lib/freebl/loader.c b/lib/freebl/loader.c -index 692a883..dc3a37e 100644 +index c44343f..8e4b542 100644 --- a/lib/freebl/loader.c +++ b/lib/freebl/loader.c -@@ -2446,3 +2446,94 @@ CMAC_Destroy(CMACContext *ctx, PRBool free_it) - return; +@@ -2447,6 +2447,96 @@ CMAC_Destroy(CMACContext *ctx, PRBool free_it) (vector->p_CMAC_Destroy)(ctx, free_it); } -+ + +SECStatus +SM3_Hash(unsigned char *dest, const char *src) +{ @@ -275,8 +248,11 @@ index 692a883..dc3a37e 100644 + return (vector->p_SM3_Resurrect)(space, arg); +} + + /* ============== New for 3.0026 =============================== */ + + SHA3_224Context * diff --git a/lib/freebl/loader.h b/lib/freebl/loader.h -index eb3046d..f67595e 100644 +index cab96ba..b949e9f 100644 --- a/lib/freebl/loader.h +++ b/lib/freebl/loader.h @@ -831,6 +831,20 @@ struct FREEBLVectorStr { @@ -298,13 +274,13 @@ index eb3046d..f67595e 100644 + SECStatus (*p_SM3_Flatten)(SM3Context *cx, unsigned char *space); + SM3Context *(*p_SM3_Resurrect)(unsigned char *space, void *arg); - /* Add new function pointers at the end of this struct and bump - * FREEBL_VERSION at the beginning of this file. */ + SHA3_224Context *(*p_SHA3_224_NewContext)(void); + void (*p_SHA3_224_DestroyContext)(SHA3_224Context *cx, PRBool freeit); diff --git a/lib/freebl/manifest.mn b/lib/freebl/manifest.mn -index 9dac210..fd3218d 100644 +index 6ac8fcd..3214369 100644 --- a/lib/freebl/manifest.mn +++ b/lib/freebl/manifest.mn -@@ -157,6 +157,7 @@ CSRCS = \ +@@ -160,6 +160,7 @@ CSRCS = \ $(STUBS_SRCS) \ $(LOWHASH_SRCS) \ $(EXTRA_SRCS) \ @@ -312,7 +288,7 @@ index 9dac210..fd3218d 100644 $(NULL) ifndef NSS_DISABLE_DEPRECATED_SEED -@@ -186,6 +187,7 @@ ALL_HDRS = \ +@@ -189,6 +190,7 @@ ALL_HDRS = \ shsign.h \ vis_proto.h \ seed.h \ @@ -321,14 +297,14 @@ index 9dac210..fd3218d 100644 diff --git a/lib/freebl/rawhash.c b/lib/freebl/rawhash.c -index 551727b..c74cbbc 100644 +index 07a34cf..0e4e2e3 100644 --- a/lib/freebl/rawhash.c +++ b/lib/freebl/rawhash.c -@@ -141,6 +141,18 @@ const SECHashObject SECRawHashObjects[] = { +@@ -141,6 +141,17 @@ const SECHashObject SECRawHashObjects[] = { HASH_AlgSHA224, (void (*)(void *, unsigned char *, unsigned int *, unsigned int))SHA224_EndRaw }, -+ { SM3_LENGTH, ++ { SM3_LENGTH, + (void *(*)(void))SM3_NewContext, + (void *(*)(void *))null_hash_clone_context, + (void (*)(void *, PRBool))SM3_DestroyContext, @@ -338,16 +314,15 @@ index 551727b..c74cbbc 100644 + unsigned int))SM3_End, + SM3_BLOCK_LENGTH, + HASH_AlgSM3, -+ NULL /* end_raw */ -+ }, - }; - - const SECHashObject * ++ NULL }, + { SHA3_224_LENGTH, + (void *(*)(void))SHA3_224_NewContext, + (void *(*)(void *))null_hash_clone_context, diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c -index 23e5af3..c127309 100644 +index 0243a93..5c4408e 100644 --- a/lib/pk11wrap/pk11pars.c +++ b/lib/pk11wrap/pk11pars.c -@@ -338,6 +338,8 @@ static const oidValDef hashOptList[] = { +@@ -342,6 +342,8 @@ static const oidValDef hashOptList[] = { { CIPHER_NAME("SHA384"), SEC_OID_SHA384, NSS_USE_ALG_IN_SSL_KX | NSS_USE_ALG_IN_SIGNATURE }, { CIPHER_NAME("SHA512"), SEC_OID_SHA512, @@ -357,7 +332,7 @@ index 23e5af3..c127309 100644 }; diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c -index c320019..41a326b 100644 +index fb05ba6..e29cb26 100644 --- a/lib/pk11wrap/pk11slot.c +++ b/lib/pk11wrap/pk11slot.c @@ -51,6 +51,7 @@ const PK11DefaultArrayEntry PK11_DefaultArray[] = { @@ -378,7 +353,7 @@ index c320019..41a326b 100644 /************************************************************ * Generic Slot List and Slot List element manipulations -@@ -838,6 +840,7 @@ PK11_InitSlotLists(void) +@@ -848,6 +850,7 @@ PK11_InitSlotLists(void) pk11_InitSlotListStatic(&pk11_randomSlotList); pk11_InitSlotListStatic(&pk11_sha256SlotList); pk11_InitSlotListStatic(&pk11_sha512SlotList); @@ -386,7 +361,7 @@ index c320019..41a326b 100644 return SECSuccess; } -@@ -864,6 +867,7 @@ PK11_DestroySlotLists(void) +@@ -874,6 +877,7 @@ PK11_DestroySlotLists(void) pk11_FreeSlotListStatic(&pk11_randomSlotList); pk11_FreeSlotListStatic(&pk11_sha256SlotList); pk11_FreeSlotListStatic(&pk11_sha512SlotList); @@ -394,7 +369,7 @@ index c320019..41a326b 100644 return; } -@@ -911,6 +915,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type) +@@ -925,6 +929,8 @@ PK11_GetSlotList(CK_MECHANISM_TYPE type) return &pk11_md5SlotList; case CKM_MD2: return &pk11_md2SlotList; @@ -403,7 +378,7 @@ index c320019..41a326b 100644 case CKM_RC2_ECB: case CKM_RC2_CBC: return &pk11_rc2SlotList; -@@ -2362,7 +2368,8 @@ PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, +@@ -2385,7 +2391,8 @@ PK11_GetBestSlotMultipleWithAttributes(CK_MECHANISM_TYPE *type, (type[i] != CKM_SHA384) && (type[i] != CKM_SHA512) && (type[i] != CKM_MD5) && @@ -414,7 +389,7 @@ index c320019..41a326b 100644 break; } diff --git a/lib/pk11wrap/secmod.h b/lib/pk11wrap/secmod.h -index fcc7707..dbc58e8 100644 +index 53181f0..5ebc86f 100644 --- a/lib/pk11wrap/secmod.h +++ b/lib/pk11wrap/secmod.h @@ -29,6 +29,7 @@ @@ -426,10 +401,10 @@ index fcc7707..dbc58e8 100644 #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c -index 3f49333..323b2e2 100644 +index 8e7872f..75985ab 100644 --- a/lib/softoken/pkcs11.c +++ b/lib/softoken/pkcs11.c -@@ -452,6 +452,7 @@ static const struct mechanismList mechanisms[] = { +@@ -475,6 +475,7 @@ static const struct mechanismList mechanisms[] = { { CKM_NSS_TLS_PRF_GENERAL_SHA256, { 0, 512, CKF_SN_VR }, PR_FALSE }, @@ -438,43 +413,43 @@ index 3f49333..323b2e2 100644 { CKM_HKDF_DERIVE, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE }, { CKM_HKDF_DATA, { 1, 255 * 64, CKF_DERIVE }, PR_TRUE }, diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c -index 201a0c7..813f4d7 100644 +index f99f114..4a1e44b 100644 --- a/lib/softoken/pkcs11c.c +++ b/lib/softoken/pkcs11c.c -@@ -1939,6 +1939,8 @@ NSC_DigestInit(CK_SESSION_HANDLE hSession, - INIT_MECH(SHA256) - INIT_MECH(SHA384) - INIT_MECH(SHA512) +@@ -1919,6 +1919,8 @@ NSC_DigestInit(CK_SESSION_HANDLE hSession, + INIT_MECH(SHA3_256) + INIT_MECH(SHA3_384) + INIT_MECH(SHA3_512) +#define CKM_SM3 CKM_NSS_SM3 + INIT_MECH(SM3) default: crv = CKR_MECHANISM_INVALID; diff --git a/lib/util/hasht.h b/lib/util/hasht.h -index 536d34c..556c6ba 100644 +index b70b94f..26506c3 100644 --- a/lib/util/hasht.h +++ b/lib/util/hasht.h -@@ -24,6 +24,7 @@ typedef enum { - HASH_AlgSHA384 = 5, - HASH_AlgSHA512 = 6, - HASH_AlgSHA224 = 7, -+ HASH_AlgSM3 = 8, +@@ -28,6 +28,7 @@ typedef enum { + HASH_AlgSHA3_256 = 9, + HASH_AlgSHA3_384 = 10, + HASH_AlgSHA3_512 = 11, ++ HASH_AlgSM3 = 12, HASH_AlgTOTAL } HASH_HashType; -@@ -37,6 +38,7 @@ typedef enum { - #define SHA256_LENGTH 32 - #define SHA384_LENGTH 48 - #define SHA512_LENGTH 64 +@@ -45,6 +46,7 @@ typedef enum { + #define SHA3_256_LENGTH 32 + #define SHA3_384_LENGTH 48 + #define SHA3_512_LENGTH 64 +#define SM3_LENGTH 32 #define HASH_LENGTH_MAX SHA512_LENGTH /* diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h -index 9a8126a..9bb704c 100644 +index cb76720..5027847 100644 --- a/lib/util/pkcs11n.h +++ b/lib/util/pkcs11n.h -@@ -250,6 +250,10 @@ +@@ -258,6 +258,10 @@ #define CKM_NSS_SP800_108_FEEDBACK_KDF_DERIVE_DATA (CKM_NSS + 43) #define CKM_NSS_SP800_108_DOUBLE_PIPELINE_KDF_DERIVE_DATA (CKM_NSS + 44) @@ -486,10 +461,10 @@ index 9a8126a..9bb704c 100644 * HISTORICAL: * Do not attempt to use these. They are only used by NSS's internal diff --git a/lib/util/secoid.c b/lib/util/secoid.c -index b10f859..3091d99 100644 +index 5026d4b..2060429 100644 --- a/lib/util/secoid.c +++ b/lib/util/secoid.c -@@ -602,6 +602,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; +@@ -612,6 +612,11 @@ CONST_OID evIncorporationCountry[] = { EV_NAME_ATTRIBUTE, 3 }; */ CONST_OID curve25519[] = { 0x2B, 0x06, 0x01, 0x04, 0x01, 0xDA, 0x47, 0x0F, 0x01 }; @@ -501,23 +476,24 @@ index b10f859..3091d99 100644 #define OI(x) \ { \ siDEROID, (unsigned char *)x, sizeof x \ -@@ -1795,6 +1800,7 @@ const static SECOidData oids[SEC_OID_TOTAL] = { - SEC_OID_EXT_KEY_USAGE_IPSEC_USER, +@@ -1806,6 +1811,8 @@ const static SECOidData oids[SEC_OID_TOTAL] = { "IPsec User", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), -+ OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION), - }; - /* PRIVATE EXTENDED SECOID Table ++ OD(sm3, SEC_OID_SM3, "SM3", CKM_NSS_SM3, INVALID_CERT_EXTENSION), ++ + OD(sha3_224, SEC_OID_SHA3_224, "SHA3-224", CKM_SHA3_224, INVALID_CERT_EXTENSION), + OD(sha3_256, SEC_OID_SHA3_256, "SHA3-256", CKM_SHA3_256, INVALID_CERT_EXTENSION), + OD(sha3_384, SEC_OID_SHA3_384, "SHA3-384", CKM_SHA3_384, INVALID_CERT_EXTENSION), diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h -index 2b7eb21..984b7fb 100644 +index 788bed0..b6a98a2 100644 --- a/lib/util/secoidt.h +++ b/lib/util/secoidt.h -@@ -502,6 +502,8 @@ typedef enum { - SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362, - SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, +@@ -512,6 +512,8 @@ typedef enum { + SEC_OID_HMAC_SHA3_384 = 370, + SEC_OID_HMAC_SHA3_512 = 371, -+ SEC_OID_SM3 = 364, ++ SEC_OID_SM3 = 372, + SEC_OID_TOTAL } SECOidTag; @@ -535,7 +511,7 @@ index e1555f3..cc927dd 100644 #define SECMOD_RESERVED_FLAG 0X08000000L #define SECMOD_FRIENDLY_FLAG 0x10000000L diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c -index c248aa6..56ede24 100644 +index dd3d232..97c6fe2 100644 --- a/lib/util/utilpars.c +++ b/lib/util/utilpars.c @@ -607,6 +607,7 @@ static struct nssutilArgSlotFlagTable nssutil_argSlotFlagTable[] = { @@ -559,6 +535,3 @@ index 5dda090..7a4c9f7 100644 #define NSSUTIL_DEFAULT_CIPHER_ORDER 0 #define NSSUTIL_DEFAULT_TRUST_ORDER 50 --- -2.33.0 - diff --git a/nss-3.89.tar.gz b/nss-3.94.tar.gz similarity index 80% rename from nss-3.89.tar.gz rename to nss-3.94.tar.gz index 2d4f8ea2195a653e591816d4511ac606860ebf58..89103e0b223c891d341e423d285a1b1644f3145d 100644 Binary files a/nss-3.89.tar.gz and b/nss-3.94.tar.gz differ diff --git a/nss-config b/nss-config index 2a8dc69a3c9b5eef53a063de606f0ac2190e64f0..5c5cd7e0ae4153e01ae183d5458c8ff989c82348 100644 --- a/nss-config +++ b/nss-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=89 +minor_version=94 patch_version=0 usage() diff --git a/nss-softokn-config b/nss-softokn-config index c6a4019dfbb4fa0f3004e195012aaea771a9a679..8422c7985f71ee72b2e53b5e7b80df054c2166c8 100644 --- a/nss-softokn-config +++ b/nss-softokn-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=89 +minor_version=94 patch_version=0 usage() diff --git a/nss-softokn.pc b/nss-softokn.pc index cdbc180db4d8f849440181d7a9796df091bf0fc4..339222a13b38a875a25e4cb56b3a40cf9e0123cb 100644 --- a/nss-softokn.pc +++ b/nss-softokn.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-SOFTOKN Description: Network Security Services Softoken PKCS #11 Module -Version: 3.89 -Requires: nspr >= 4.35.0, nss-util >= 3.89 +Version: 394 +Requires: nspr >= 4.35.0, nss-util >= 3.94 Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 Cflags: -I${includedir} diff --git a/nss-util-config b/nss-util-config index ef82ba7249ab00274717764d80342ae2b0351dce..4726a838282ffc1b5a455d85be39518ff0d0794b 100644 --- a/nss-util-config +++ b/nss-util-config @@ -3,7 +3,7 @@ prefix=/usr major_version=3 -minor_version=89 +minor_version=94 patch_version=0 usage() diff --git a/nss-util.pc b/nss-util.pc index 9db43ee0bacaa031767fc20ccee25a98a11f7da3..86515d236577eb832b5d67ff984528576f48784d 100644 --- a/nss-util.pc +++ b/nss-util.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS-UTIL Description: Network Security Services Utility Library -Version: 3.89 +Version: 3.94 Requires: nspr >= 4.35.0 Libs: -L${libdir} -lnssutil3 Cflags: -I${includedir} diff --git a/nss.pc b/nss.pc index b8ce884e93195ca796e408be0368954c590bb26c..ff03a70c82e37e0a20a8dc464bfdf52379b337f1 100644 --- a/nss.pc +++ b/nss.pc @@ -5,7 +5,7 @@ includedir=/usr/include/nss3 Name: NSS Description: Network Security Services -Version: 3.89 -Requires: nspr >= 4.35.0, nss-util >= 3.89 +Version: 3.94 +Requires: nspr >= 4.35.0, nss-util >= 3.94 Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 Cflags: -I${includedir} diff --git a/nss.spec b/nss.spec index 210d27ea7474ae6c9741da219d4a8afaefb3c66d..d98cae8c0c8d065bfca289d68e86df59e587fee9 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,7 @@ %global nspr_version 4.35.0 -%global nss_version 3.89.0 -%global nss_archive_version 3.89 +%global nss_version 3.94 +%global nss_ver 3_94 +%global nss_archive_version 3.94 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" @@ -14,18 +15,18 @@ Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 2 +Release: 1 License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Provides: nss-system-init Requires: nspr >= %{nspr_version} nss-util >= %{nss_version} nss-softokn%{_isa} >= %{nss_version} -Requires: p11-kit-trust crypto-policies +Requires: p11-kit-trust crypto-policies Requires(post): coreutils, sed BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-devel -BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++ +BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++ obsoletes: nss-sysinit < %{version}-%{release} -Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_89_RTM/src/%{name}-%{nss_archive_version}.tar.gz +Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_%{nss_ver}_RTM/src/%{name}-%{nss_archive_version}.tar.gz Source1: nss-util.pc Source2: nss-util-config Source3: nss-softokn.pc @@ -42,7 +43,7 @@ Source16: setup-nsssysinit.sh # Feature: support sm2 and sm3 Patch9000: Feature-nss-add-implement-of-SM3-digest-algorithm.patch -Patch9001: Feature-nss-add-implement-of-SM2-signature-algorithm.patch +Patch9001: Feature-nss-add-implement-of-SM2-signature-algorithm.patch Patch9002: Feature-nss-support-SM3-digest-algorithm.patch Patch9003: Feature-nss-support-SM2-signature-algorithm.patch Patch9004: Feature-nss-fix-the-certificate-resolution-in-sm2.patch @@ -556,6 +557,9 @@ update-crypto-policies &>/dev/null||: %doc %{_mandir}/man* %changelog +* Mon Nov 20 2023 Jingwiw - 3.94-1 +- update version to 3.94 + * Tue Sep 12 2023 jinlun - 3.89.0-2 - fix the certificate resolution in sm2