From 37a76edc6b1ee71e24d5ab1fd287d4c3e764f069166413d49c384873e1e67d1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 22 Jul 2024 17:40:18 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main mozilla-nss revision 0900df218e8c303ee76645feb113c57d
---
mozilla-nss.changes | 25 +++++++++++++-
mozilla-nss.spec | 13 ++++----
nss-3.90.2.tar.gz | 3 --
nss-3.90.3.tar.gz | 3 ++
nss-fips-bsc1223724.patch | 19 +++++++++++
nss-fix-bmo1836925.patch | 69 ---------------------------------------
6 files changed, 53 insertions(+), 79 deletions(-)
delete mode 100644 nss-3.90.2.tar.gz
create mode 100644 nss-3.90.3.tar.gz
create mode 100644 nss-fips-bsc1223724.patch
delete mode 100644 nss-fix-bmo1836925.patch
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 4203c94..2d235ed 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@@ -1,9 +1,32 @@ +------------------------------------------------------------------- +Wed Jul 10 06:29:05 UTC 2024 - Martin Sirringhaus + +- update to NSS 3.90.3 + * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME. + * bmo#1748105 - clean up escape handling. + * bmo#1895032 - remove redundant AllocItem implementation. + * bmo#1836925 - Disable ASM support for Curve25519. + * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64. +- remove upstreamed nss-fix-bmo1836925.patch + +------------------------------------------------------------------- +Fri May 24 08:12:08 UTC 2024 - Martin Sirringhaus + +- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox + when using FIPS-mode (bsc#1223724). + +------------------------------------------------------------------- +Tue Feb 27 17:48:42 UTC 2024 - Charles Robertson + +- Added "Provides: nss" so other RPMs that require 'nss' can + be installed (jira PED-6358). + ------------------------------------------------------------------- Mon Feb 19 07:03:50 UTC 2024 - Martin Sirringhaus - update to NSS 3.90.2 * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA - decryption in TLS. + decryption in TLS. (bsc#1216198) * bmo#1867408 - add a defensive check for large ssl_DefSend return values. diff --git a/mozilla-nss.spec b/mozilla-nss.spec index bf586ad..24a6c29 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -1,8 +1,8 @@ # # spec file for package mozilla-nss # -# Copyright (c) 2023 SUSE LLC -# Copyright (c) 2006-2023 Wolfgang Rosenauer +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2006-2024 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -22,9 +22,9 @@ %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.90.2 +Version: 3.90.3 Release: 0 -%define underscore_version 3_90_2 +%define underscore_version 3_90_3 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -77,7 +77,7 @@ Patch44: nss-fips-tests-enable-fips.patch Patch45: nss-fips-drbg-libjitter.patch Patch46: nss-allow-slow-tests.patch Patch47: nss-fips-pct-pubkeys.patch -Patch48: nss-fix-bmo1836925.patch +Patch49: nss-fips-bsc1223724.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -102,6 +102,7 @@ Requires: libnssckbi.so()(64bit) %else Requires: libnssckbi.so %endif +Provides: nss = %{version} %ifnarch %sparc %if ! 0%{?qemu_user_space_build} %define run_testsuite 1 @@ -232,7 +233,7 @@ cd nss %endif %patch46 -p1 %patch47 -p1 -%patch48 -p1 +%patch49 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-3.90.2.tar.gz b/nss-3.90.2.tar.gz deleted file mode 100644 index 7b06601..0000000 --- a/nss-3.90.2.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:20bc31bd6c38820fd2e44b5734c1630ed823a1535b5ec60af1e61fbb31592a65 -size 72215444 diff --git a/nss-3.90.3.tar.gz b/nss-3.90.3.tar.gz new file mode 100644 index 0000000..d7f986a --- /dev/null +++ b/nss-3.90.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1f9607d46aa77ee38088003fd464b17b52dd2fae56fe28bdb864a201040c8690 +size 72215217 diff --git a/nss-fips-bsc1223724.patch b/nss-fips-bsc1223724.patch new file mode 100644 index 0000000..df58c57 --- /dev/null +++ b/nss-fips-bsc1223724.patch 
@@ -0,0 +1,19 @@
+Index: nss/lib/pk11wrap/pk11skey.c
+===================================================================
+--- nss.orig/lib/pk11wrap/pk11skey.c
++++ nss/lib/pk11wrap/pk11skey.c
+@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
+ CK_OBJECT_HANDLE handle;
+ PK11GenericObject *genObject;
+
++ // Using HTTP3, Firefox runs via neqo that doesn't log in before calling into
++ // this function. So we try to log in here (and ignore failures) in case of FIPS.
++ // Also, no need to also load certificates, we only create a new object and we
++ // have to be logged in for that.
++ if (PK11_IsFIPS()) {
++ PK11_Authenticate(slot, PR_FALSE, wincx);
++ }
++
+ genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE);
+ if (genObject == NULL) {
+ return NULL;
diff --git a/nss-fix-bmo1836925.patch b/nss-fix-bmo1836925.patch
deleted file mode 100644
index 71cc9e1..0000000
--- a/nss-fix-bmo1836925.patch
+++ /dev/null
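Review bot: The result of `PK11_Authenticate(slot, PR_FALSE, wincx)` in the added `if (PK11_IsFIPS())` block of nss-fips-bsc1223724.patch is discarded, so a failed or cancelled login only shows up later as a NULL from `PK11_CreateGenericObject`, with whatever error code that call happens to set. If ignoring the failure is intended, as the comment says, make that explicit with `(void)PK11_Authenticate(slot, PR_FALSE, wincx);` and state in the comment that the object creation below is expected to fail when the token stays logged out. The comment should also record that this call can presumably reach the application's password callback through `wincx`, so a key import arriving from the HTTP/3 path may now prompt the user in FIPS mode. PK11_ImportDataKey begins and ends outside the hunk, so how `wincx` is obtained and how callers treat a NULL return is not visible here.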
@@ -1,69 +0,0 @@ -Index: nss/lib/freebl/Makefile -=================================================================== ---- nss.orig/lib/freebl/Makefile -+++ nss/lib/freebl/Makefile -@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null - HAVE_INT128_SUPPORT = 1 - DEFINES += -DHAVE_INT128_SUPPORT - else ifeq (1,$(CC_IS_GCC)) -- SUPPORTS_VALE_CURVE25519 = 1 - ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION)))) - HAVE_INT128_SUPPORT = 1 - DEFINES += -DHAVE_INT128_SUPPORT -@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT - DEFINES += -DKRML_VERIFIED_UINT128 - endif - --ifdef SUPPORTS_VALE_CURVE25519 -- VERIFIED_SRCS += Hacl_Curve25519_64.c -- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM --endif -- - ifndef NSS_DISABLE_CHACHAPOLY - ifeq ($(CPU_ARCH),x86_64) - ifndef NSS_DISABLE_AVX2 -Index: nss/lib/freebl/freebl.gyp -=================================================================== ---- nss.orig/lib/freebl/freebl.gyp -+++ nss/lib/freebl/freebl.gyp -@@ -866,12 +866,6 @@ - }], - ], - }], -- [ 'supports_vale_curve25519==1', { -- 'defines': [ -- # The Makefile does version-tests on GCC, but we're not doing that here. 
-- 'HACL_CAN_COMPILE_INLINE_ASM', -- ], -- }], - [ 'OS=="linux" or OS=="android"', { - 'conditions': [ - [ 'target_arch=="x64"', { -@@ -934,11 +928,6 @@ - 'variables': { - 'module': 'nss', - 'conditions': [ -- [ 'target_arch=="x64" and cc_is_gcc==1', { -- 'supports_vale_curve25519%': 1, -- }, { -- 'supports_vale_curve25519%': 0, -- }], - [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', { - 'have_int128_support%': 1, - }, { -Index: nss/lib/freebl/freebl_base.gypi -=================================================================== ---- nss.orig/lib/freebl/freebl_base.gypi -+++ nss/lib/freebl/freebl_base.gypi -@@ -151,11 +151,6 @@ - 'ecl/curve25519_32.c', - ], - }], -- ['supports_vale_curve25519==1', { -- 'sources': [ -- 'verified/Hacl_Curve25519_64.c', -- ], -- }], - ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', { - 'sources': [ - # Gyp does not support per-file cflags, so working around like this.