Sync from SUSE:SLFO:Main mozilla-nss revision 0900df218e8c303ee76645feb113c57d

This commit is contained in:
Adrian Schröter 2024-07-22 17:40:18 +02:00
parent 346317dfad
commit 37a76edc6b
6 changed files with 53 additions and 79 deletions

View File

@ -1,9 +1,32 @@
-------------------------------------------------------------------
Wed Jul 10 06:29:05 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.90.3
* bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
* bmo#1748105 - clean up escape handling.
* bmo#1895032 - remove redundant AllocItem implementation.
* bmo#1836925 - Disable ASM support for Curve25519.
* bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64.
- remove upstreamed nss-fix-bmo1836925.patch
-------------------------------------------------------------------
Fri May 24 08:12:08 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
when using FIPS-mode (bsc#1223724).
-------------------------------------------------------------------
Tue Feb 27 17:48:42 UTC 2024 - Charles Robertson <cgrobertson@suse.com>
- Added "Provides: nss" so other RPMs that require 'nss' can
be installed (jira PED-6358).
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Feb 19 07:03:50 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com> Mon Feb 19 07:03:50 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.90.2 - update to NSS 3.90.2
* bmo#1780432 - (CVE-2023-5388) Timing attack against RSA * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
decryption in TLS. decryption in TLS. (bsc#1216198)
* bmo#1867408 - add a defensive check for large ssl_DefSend * bmo#1867408 - add a defensive check for large ssl_DefSend
return values. return values.

View File

@ -1,8 +1,8 @@
# #
# spec file for package mozilla-nss # spec file for package mozilla-nss
# #
# Copyright (c) 2023 SUSE LLC # Copyright (c) 2024 SUSE LLC
# Copyright (c) 2006-2023 Wolfgang Rosenauer # Copyright (c) 2006-2024 Wolfgang Rosenauer
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -22,9 +22,9 @@
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb %define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss Name: mozilla-nss
Version: 3.90.2 Version: 3.90.3
Release: 0 Release: 0
%define underscore_version 3_90_2 %define underscore_version 3_90_3
Summary: Network Security Services Summary: Network Security Services
License: MPL-2.0 License: MPL-2.0
Group: System/Libraries Group: System/Libraries
@ -77,7 +77,7 @@ Patch44: nss-fips-tests-enable-fips.patch
Patch45: nss-fips-drbg-libjitter.patch Patch45: nss-fips-drbg-libjitter.patch
Patch46: nss-allow-slow-tests.patch Patch46: nss-allow-slow-tests.patch
Patch47: nss-fips-pct-pubkeys.patch Patch47: nss-fips-pct-pubkeys.patch
Patch48: nss-fix-bmo1836925.patch Patch49: nss-fips-bsc1223724.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++ BuildRequires: gcc9-c++
@ -102,6 +102,7 @@ Requires: libnssckbi.so()(64bit)
%else %else
Requires: libnssckbi.so Requires: libnssckbi.so
%endif %endif
Provides: nss = %{version}
%ifnarch %sparc %ifnarch %sparc
%if ! 0%{?qemu_user_space_build} %if ! 0%{?qemu_user_space_build}
%define run_testsuite 1 %define run_testsuite 1
@ -232,7 +233,7 @@ cd nss
%endif %endif
%patch46 -p1 %patch46 -p1
%patch47 -p1 %patch47 -p1
%patch48 -p1 %patch49 -p1
# additional CA certificates # additional CA certificates
#cd security/nss/lib/ckfw/builtins #cd security/nss/lib/ckfw/builtins

BIN
nss-3.90.2.tar.gz (Stored with Git LFS)

Binary file not shown.

BIN
nss-3.90.3.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

19
nss-fips-bsc1223724.patch Normal file
View File

@ -0,0 +1,19 @@
Index: nss/lib/pk11wrap/pk11skey.c
===================================================================
--- nss.orig/lib/pk11wrap/pk11skey.c
+++ nss/lib/pk11wrap/pk11skey.c
@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
CK_OBJECT_HANDLE handle;
PK11GenericObject *genObject;
+ // Using HTTP3, Firefox runs via neqo that doesn't log in before calling into
+ // this function. So we try to log in here (and ignore failures) in case of FIPS.
+ // Also, no need to also load certificates, we only create a new object and we
+ // have to be logged in for that.
+ if (PK11_IsFIPS()) {
+ PK11_Authenticate(slot, PR_FALSE, wincx);
+ }
+
genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE);
if (genObject == NULL) {
return NULL;

View File

@ -1,69 +0,0 @@
Index: nss/lib/freebl/Makefile
===================================================================
--- nss.orig/lib/freebl/Makefile
+++ nss/lib/freebl/Makefile
@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
else ifeq (1,$(CC_IS_GCC))
- SUPPORTS_VALE_CURVE25519 = 1
ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
HAVE_INT128_SUPPORT = 1
DEFINES += -DHAVE_INT128_SUPPORT
@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT
DEFINES += -DKRML_VERIFIED_UINT128
endif
-ifdef SUPPORTS_VALE_CURVE25519
- VERIFIED_SRCS += Hacl_Curve25519_64.c
- DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
-endif
-
ifndef NSS_DISABLE_CHACHAPOLY
ifeq ($(CPU_ARCH),x86_64)
ifndef NSS_DISABLE_AVX2
Index: nss/lib/freebl/freebl.gyp
===================================================================
--- nss.orig/lib/freebl/freebl.gyp
+++ nss/lib/freebl/freebl.gyp
@@ -866,12 +866,6 @@
}],
],
}],
- [ 'supports_vale_curve25519==1', {
- 'defines': [
- # The Makefile does version-tests on GCC, but we're not doing that here.
- 'HACL_CAN_COMPILE_INLINE_ASM',
- ],
- }],
[ 'OS=="linux" or OS=="android"', {
'conditions': [
[ 'target_arch=="x64"', {
@@ -934,11 +928,6 @@
'variables': {
'module': 'nss',
'conditions': [
- [ 'target_arch=="x64" and cc_is_gcc==1', {
- 'supports_vale_curve25519%': 1,
- }, {
- 'supports_vale_curve25519%': 0,
- }],
[ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
'have_int128_support%': 1,
}, {
Index: nss/lib/freebl/freebl_base.gypi
===================================================================
--- nss.orig/lib/freebl/freebl_base.gypi
+++ nss/lib/freebl/freebl_base.gypi
@@ -151,11 +151,6 @@
'ecl/curve25519_32.c',
],
}],
- ['supports_vale_curve25519==1', {
- 'sources': [
- 'verified/Hacl_Curve25519_64.c',
- ],
- }],
['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
'sources': [
# Gyp does not support per-file cflags, so working around like this.