From 05db00320536ec68747204ccdf2c0100f8ca85afb8653cbd9e0b24ba075434b0 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Sun, 31 Jul 2016 10:48:39 +0000 Subject: [PATCH 1/2] - update to NSS 3.24 New functionality: * NSS softoken has been updated with the latest National Institute of Standards and Technology (NIST) guidance (as of 2015): - Software integrity checks and POST functions are executed on shared library load. These checks have been disabled by default, as they can cause a performance regression. To enable these checks, you must define symbol NSS_FORCE_FIPS when building NSS. - Counter mode and Galois/Counter Mode (GCM) have checks to prevent counter overflow. - Additional CSPs are zeroed in the code. - NSS softoken uses new guidance for how many Rabin-Miller tests are needed to verify a prime based on prime size. * NSS softoken has also been updated to allow NSS to run in FIPS Level 1 (no password). This mode is triggered by setting the database password to the empty string. In FIPS mode, you may move from Level 1 to Level 2 (by setting an appropriate password), but not the reverse. * A SSL_ConfigServerCert function has been added for configuring SSL/TLS server sockets with a certificate and private key. Use this new function in place of SSL_ConfigSecureServer, SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically determines the certificate type from the certificate and private key. The caller is no longer required to use SSLKEAType explicitly to select a "slot" into which the certificate is configured (which incorrectly identifies a key agreement type rather than a certificate). Separate functions for configuring Online Certificate Status Protocol (OCSP) responses or Signed Certificate Timestamps are not needed, since these can be added to the optional SSLExtraServerCertData struct OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=216 --- mozilla-nss.changes | 88 ++++++++++++++++++++++++++++++++++++++++++++ mozilla-nss.spec | 12 +++--- nss-3.23.tar.gz | 3 -- nss-3.24.tar.gz | 3 ++ nss-bmo1236011.patch | 22 ----------- 5 files changed, 98 insertions(+), 30 deletions(-) delete mode 100644 nss-3.23.tar.gz create mode 100644 nss-3.24.tar.gz delete mode 100644 nss-bmo1236011.patch diff --git a/mozilla-nss.changes b/mozilla-nss.changes index 38b4416..d5d3ee0 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,91 @@ +------------------------------------------------------------------- +Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.24 + New functionality: + * NSS softoken has been updated with the latest National Institute + of Standards and Technology (NIST) guidance (as of 2015): + - Software integrity checks and POST functions are executed on + shared library load. These checks have been disabled by default, + as they can cause a performance regression. To enable these + checks, you must define symbol NSS_FORCE_FIPS when building NSS. + - Counter mode and Galois/Counter Mode (GCM) have checks to + prevent counter overflow. + - Additional CSPs are zeroed in the code. + - NSS softoken uses new guidance for how many Rabin-Miller tests + are needed to verify a prime based on prime size. + * NSS softoken has also been updated to allow NSS to run in FIPS + Level 1 (no password). This mode is triggered by setting the + database password to the empty string. In FIPS mode, you may move + from Level 1 to Level 2 (by setting an appropriate password), + but not the reverse. + * A SSL_ConfigServerCert function has been added for configuring + SSL/TLS server sockets with a certificate and private key. Use + this new function in place of SSL_ConfigSecureServer, + SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, + and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically + determines the certificate type from the certificate and private key. + The caller is no longer required to use SSLKEAType explicitly to + select a "slot" into which the certificate is configured (which + incorrectly identifies a key agreement type rather than a certificate). + Separate functions for configuring Online Certificate Status Protocol + (OCSP) responses or Signed Certificate Timestamps are not needed, + since these can be added to the optional SSLExtraServerCertData struct + provided to SSL_ConfigServerCert. Also, partial support for RSA + Probabilistic Signature Scheme (RSA-PSS) certificates has been added. + Although these certificates can be configured, they will not be + used by NSS in this version. + New functions + * SSL_ConfigServerCert - Configures an SSL/TLS socket with a + certificate, private key, and other information. + * PORT_InitCheapArena - Initializes an arena that was created on + the stack. (See PORTCheapArenaPool.= + * PORT_DestroyCheapArena - Destroys an arena that was created on + the stack. (See PORTCheapArenaPool.) + New types + * SSLExtraServerCertData - Optionally passed as an argument to + SSL_ConfigServerCert. This struct contains supplementary information + about a certificate, such as the intended type of the certificate, + stapled OCSP responses, or Signed Certificate Timestamps (used for + certificate transparency). + * PORTCheapArenaPool - A stack-allocated arena pool, to be used for + temporary arena allocations. + New macros + * CKM_TLS12_MAC + * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used + only for session resumption in TLS 1.3. + Notable changes: + * Deprecate the following functions. (Applications should instead use the new + SSL_ConfigServerCert function.): + - SSL_SetStapledOCSPResponses + - SSL_SetSignedCertTimestamps + - SSL_ConfigSecureServer + - SSL_ConfigSecureServerWithCertChain + * Deprecate the NSS_FindCertKEAType function, as it reports a misleading + value for certificates that might be used for signing rather than + key exchange. + * Update SSLAuthType to define a larger number of authentication key types. + * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo. + Instead, applications should use the newly added attribute authType. + * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt. + * Add a shared library (libfreeblpriv3) on Linux platforms that + define FREEBL_LOWHASH. + * Remove most code related to SSL v2, including the ability to actively + send a SSLv2-compatible client hello. However, the server-side + implementation of the SSL/TLS protocol still supports processing + of received v2-compatible client hello messages. + * Disable (by default) NSS support in optimized builds for logging SSL/TLS + key material to a logfile if the SSLKEYLOGFILE environment variable + is set. To enable the functionality in optimized builds, you must define + the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS. + * Update NSS to protect it against the Cachebleed attack. + * Disable support for DTLS compression. + * Improve support for TLS 1.3. This includes support for DTLS 1.3. + Note that TLS 1.3 support is experimental and not suitable for + production use. +- removed obsolete nss-bmo1236011.patch + ------------------------------------------------------------------- Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 11b0801..11d839a 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.12 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel -Version: 3.23 +Version: 3.24 Release: 0 # bug437293 %ifarch ppc64 @@ -36,8 +36,8 @@ Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ -Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz -# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM +Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz +# hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in @@ -56,7 +56,6 @@ Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch -Patch9: nss-bmo1236011.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} @@ -177,7 +176,6 @@ cd nss %endif %patch7 -p1 %patch8 -p1 -%patch9 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt @@ -249,6 +247,8 @@ cp -L lib/libnss3.so \ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ + lib/libfreeblpriv3.so \ + lib/libfreeblpriv3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} @@ -388,6 +388,8 @@ rm -rf $RPM_BUILD_ROOT %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk +/%{_lib}/libfreeblpriv3.so +/%{_lib}/libfreeblpriv3.chk %files -n libsoftokn3 %defattr(-, root, root) diff --git a/nss-3.23.tar.gz b/nss-3.23.tar.gz deleted file mode 100644 index f61c991..0000000 --- a/nss-3.23.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf -size 7467001 diff --git a/nss-3.24.tar.gz b/nss-3.24.tar.gz new file mode 100644 index 0000000..94ac2cc --- /dev/null +++ b/nss-3.24.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2f0841492f91cca473b73dec6cab9cf765a485e032d48d2e8ae7261e54c419ed +size 7307782 diff --git a/nss-bmo1236011.patch b/nss-bmo1236011.patch deleted file mode 100644 index 0bf3ad4..0000000 --- a/nss-bmo1236011.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h ---- a/cmd/modutil/install-ds.h -+++ b/cmd/modutil/install-ds.h -@@ -238,17 +238,17 @@ struct Pk11Install_Info_str { - int numPlatforms; - Pk11Install_PlatformName *forwardCompatible; - int numForwardCompatible; - }; - - Pk11Install_Info* - Pk11Install_Info_new(); - void --Pk11Install_Info_init(); -+Pk11Install_Info_init(Pk11Install_Info* _this); - void - Pk11Install_Info_delete(Pk11Install_Info* _this); - /*// Returns NULL for success, error message if parse error.*/ - char* - Pk11Install_Info_Generate(Pk11Install_Info* _this, - const Pk11Install_ValueList *list); - /*// Returns NULL if there is no matching platform*/ - Pk11Install_Platform* From 10edbe58e976f04558041bce4cde0348b09e46dfdc6cd0a50703488fbe2329e6 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Fri, 5 Aug 2016 05:48:45 +0000 Subject: [PATCH 2/2] - also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=217 --- mozilla-nss.changes | 5 +++++ mozilla-nss.spec | 1 + 2 files changed, 6 insertions(+) diff --git a/mozilla-nss.changes b/mozilla-nss.changes index d5d3ee0..34c92b3 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Thu Aug 4 20:28:32 UTC 2016 - wr@rosenauer.org + +- also sign libfreeblpriv3.so to allow FIPS mode again (boo#992236) + ------------------------------------------------------------------- Sat Jul 30 08:53:02 UTC 2016 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 11d839a..743594d 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -325,6 +325,7 @@ install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ + LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \ %{nil} %post -p /sbin/ldconfig