Sync from SUSE:SLFO:Main mozilla-nss revision 0900df218e8c303ee76645feb113c57d

2024-07-22 17:40:18 +02:00 · 2024-07-22 17:40:18 +02:00 · 37a76edc6b
commit 37a76edc6b
parent 346317dfad
6 changed files with 53 additions and 79 deletions
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,9 +1,32 @@
+-------------------------------------------------------------------
+Wed Jul 10 06:29:05 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- update to NSS 3.90.3
+  * bmo#1901080 - GLOBALTRUST 2020: Set Distrust After for TLS and S/MIME.
+  * bmo#1748105 - clean up escape handling.
+  * bmo#1895032 - remove redundant AllocItem implementation.
+  * bmo#1836925 - Disable ASM support for Curve25519.
+  * bmo#1836781 - Disable ASM support for Curve25519 for all but X86_64. 
+- remove upstreamed nss-fix-bmo1836925.patch
+
+-------------------------------------------------------------------
+Fri May 24 08:12:08 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
+
+- Adding nss-fips-bsc1223724.patch to fix startup crash of Firefox
+  when using FIPS-mode (bsc#1223724).
+ 
+-------------------------------------------------------------------
+Tue Feb 27 17:48:42 UTC 2024 - Charles Robertson <cgrobertson@suse.com>
+
+- Added "Provides: nss" so other RPMs that require 'nss' can
+  be installed (jira PED-6358).
+
 -------------------------------------------------------------------
 Mon Feb 19 07:03:50 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>

 - update to NSS 3.90.2
  * bmo#1780432 - (CVE-2023-5388) Timing attack against RSA
-     decryption in TLS.
+     decryption in TLS. (bsc#1216198)
  * bmo#1867408 - add a defensive check for large ssl_DefSend
     return values.

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -1,8 +1,8 @@
 #
 # spec file for package mozilla-nss
 #
-# Copyright (c) 2023 SUSE LLC
-# Copyright (c) 2006-2023 Wolfgang Rosenauer
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2006-2024 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -22,9 +22,9 @@
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.90.2
+Version:        3.90.3
 Release:        0
-%define underscore_version 3_90_2
+%define underscore_version 3_90_3
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@ -77,7 +77,7 @@ Patch44:        nss-fips-tests-enable-fips.patch
 Patch45:        nss-fips-drbg-libjitter.patch
 Patch46:        nss-allow-slow-tests.patch
 Patch47:        nss-fips-pct-pubkeys.patch
-Patch48:        nss-fix-bmo1836925.patch
+Patch49:        nss-fips-bsc1223724.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@ -102,6 +102,7 @@ Requires:       libnssckbi.so()(64bit)
 %else
 Requires:       libnssckbi.so
 %endif
+Provides:       nss = %{version}
 %ifnarch %sparc
 %if ! 0%{?qemu_user_space_build}
 %define run_testsuite 1
@ -232,7 +233,7 @@ cd nss
 %endif
 %patch46 -p1
 %patch47 -p1
-%patch48 -p1
+%patch49 -p1

 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
--- a/nss-3.90.2.tar.gz
+++ b/nss-3.90.2.tar.gz
--- a/nss-3.90.3.tar.gz
+++ b/nss-3.90.3.tar.gz
--- a/nss-fips-bsc1223724.patch
+++ b/nss-fips-bsc1223724.patch
@ -0,0 +1,19 @@
+Index: nss/lib/pk11wrap/pk11skey.c
+===================================================================
+--- nss.orig/lib/pk11wrap/pk11skey.c
+++ nss/lib/pk11wrap/pk11skey.c
+@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
+     CK_OBJECT_HANDLE handle;
+     PK11GenericObject *genObject;
+ 
+    // Using HTTP3, Firefox runs via neqo that doesn't log in before calling into
+    // this function. So we try to log in here (and ignore failures) in case of FIPS.
+    // Also, no need to also load certificates, we only create a new object and we
+    // have to be logged in for that.
+    if (PK11_IsFIPS()) {
+        PK11_Authenticate(slot, PR_FALSE, wincx);
+    }
+
+     genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE);
+     if (genObject == NULL) {
+         return NULL;
--- a/nss-fix-bmo1836925.patch
+++ b/nss-fix-bmo1836925.patch
@ -1,69 +0,0 @@
-Index: nss/lib/freebl/Makefile
-===================================================================
--- nss.orig/lib/freebl/Makefile
-+++ nss/lib/freebl/Makefile
-@@ -568,7 +568,6 @@ ifneq ($(shell $(CC) -? 2>&1 >/dev/null
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-     else ifeq (1,$(CC_IS_GCC))
-        SUPPORTS_VALE_CURVE25519 = 1
-         ifneq (,$(filter 4.6 4.7 4.8 4.9,$(word 1,$(GCC_VERSION)).$(word 2,$(GCC_VERSION))))
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
-@@ -593,11 +592,6 @@ ifndef HAVE_INT128_SUPPORT
-     DEFINES += -DKRML_VERIFIED_UINT128
- endif
- 
-ifdef SUPPORTS_VALE_CURVE25519
-    VERIFIED_SRCS += Hacl_Curve25519_64.c
-    DEFINES += -DHACL_CAN_COMPILE_INLINE_ASM
-endif
-
- ifndef NSS_DISABLE_CHACHAPOLY
-     ifeq ($(CPU_ARCH),x86_64)
-         ifndef NSS_DISABLE_AVX2
-Index: nss/lib/freebl/freebl.gyp
-===================================================================
--- nss.orig/lib/freebl/freebl.gyp
-+++ nss/lib/freebl/freebl.gyp
-@@ -866,12 +866,6 @@
-           }],
-         ],
-       }],
-      [ 'supports_vale_curve25519==1', {
-        'defines': [
-          # The Makefile does version-tests on GCC, but we're not doing that here.
-          'HACL_CAN_COMPILE_INLINE_ASM',
-        ],
-      }],
-       [ 'OS=="linux" or OS=="android"', {
-         'conditions': [
-           [ 'target_arch=="x64"', {
-@@ -934,11 +928,6 @@
-   'variables': {
-     'module': 'nss',
-     'conditions': [
-      [ 'target_arch=="x64" and cc_is_gcc==1', {
-        'supports_vale_curve25519%': 1,
-      }, {
-        'supports_vale_curve25519%': 0,
-      }],
-       [ 'target_arch=="x64" or target_arch=="arm64" or target_arch=="aarch64"', {
-         'have_int128_support%': 1,
-       }, {
-Index: nss/lib/freebl/freebl_base.gypi
-===================================================================
--- nss.orig/lib/freebl/freebl_base.gypi
-+++ nss/lib/freebl/freebl_base.gypi
-@@ -151,11 +151,6 @@
-         'ecl/curve25519_32.c',
-       ],
-     }],
-    ['supports_vale_curve25519==1', {
-      'sources': [
-        'verified/Hacl_Curve25519_64.c',
-      ],
-    }],
-     ['(target_arch!="ppc64" and target_arch!="ppc64le") or disable_altivec==1', {
-       'sources': [
-         # Gyp does not support per-file cflags, so working around like this.