Accepting request 916736 from mozilla:Factory

version required for upcoming FF92
- Update to NSS 3.69.1
  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
                            on private components with AES_CBC
  NSS 3.69
  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
  * bmo#1720226 - integrity checks in key4.db not happening on private
                  components with AES_CBC (backed out again)
  * bmo#1720235 - SSL handling of signature algorithms ignores
                  environmental invalid algorithms.
  * bmo#1721476 - sqlite 3.34 changed its open semantics, causing
                  nss failures.
                  (removed obsolete nss-btrfs-sqlite.patch)
  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
                  details in all.sh reports.
  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
  * bmo#1720232 - SQLite calls could timeout in starvation situations.
  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE

OBS-URL: https://build.opensuse.org/request/show/916736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=178
Dominique Leuenberger 2021-09-07 19:13:41 +00:00 committed by Git OBS Bridge
commit 5a83f92434
8 changed files with 156 additions and 38 deletions


@ -1,3 +1,29 @@
-------------------------------------------------------------------
Fri Sep 3 09:10:56 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
- Update to NSS 3.69.1
* bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
* bmo#1720226 (Backout) - integrity checks in key4.db not happening
on private components with AES_CBC
NSS 3.69
* bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
* bmo#1720226 - integrity checks in key4.db not happening on private
components with AES_CBC (backed out again)
* bmo#1720235 - SSL handling of signature algorithms ignores
environmental invalid algorithms.
* bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
nss failures.
(removed obsolete nss-btrfs-sqlite.patch)
* bmo#1720230 - Gtest update changed the gtest reports, losing gtest
details in all.sh reports.
* bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
* bmo#1720232 - SQLite calls could timeout in starvation situations.
* bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
* bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
* bmo#1720227 - NSS using a tempdir to measure sql performance not active
- add nss-fips-stricter-dh.patch
- updated existing patches with latest SLE
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Aug 18 12:41:56 UTC 2021 - Hans Petter Jansson <hpj@suse.com> Wed Aug 18 12:41:56 UTC 2021 - Hans Petter Jansson <hpj@suse.com>


@ -17,14 +17,14 @@
# #
%global nss_softokn_fips_version 3.68 %global nss_softokn_fips_version 3.69
%define NSPR_min_version 4.32 %define NSPR_min_version 4.32
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb %define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss Name: mozilla-nss
Version: 3.68 Version: 3.69.1
Release: 0 Release: 0
%define underscore_version 3_68 %define underscore_version 3_69_1
Summary: Network Security Services Summary: Network Security Services
License: MPL-2.0 License: MPL-2.0
Group: System/Libraries Group: System/Libraries
@ -68,8 +68,8 @@ Patch24: nss-fips-use-strong-random-pool.patch
Patch25: nss-fips-detect-fips-mode-fixes.patch Patch25: nss-fips-detect-fips-mode-fixes.patch
Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch27: nss-fips-aes-keywrap-post.patch Patch27: nss-fips-aes-keywrap-post.patch
Patch28: nss-btrfs-sqlite.patch Patch28: nss-fips-fix-missing-nspr.patch
Patch29: nss-fips-fix-missing-nspr.patch Patch29: nss-fips-stricter-dh.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++ BuildRequires: gcc9-c++
@ -226,7 +226,7 @@ cd nss
%patch26 -p1 %patch26 -p1
%patch27 -p1 %patch27 -p1
%patch28 -p1 %patch28 -p1
%patch29 -p2 %patch29 -p1
# additional CA certificates # additional CA certificates
#cd security/nss/lib/ckfw/builtins #cd security/nss/lib/ckfw/builtins


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c402b32cac83034ec1c3d826ef4306cd14a066d7d9a6f4c30d82b3bc043c725b
size 82405833

nss-3.69.1.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bbdbd248c25e2faf498edbdd2ffd5896b54cfa35bd2e450813b491f805c754e0
size 82426679


@ -1,18 +0,0 @@
diff -up ./lib/softoken/sdb.c.orig ./lib/softoken/sdb.c
--- ./lib/softoken/sdb.c.orig 2020-12-11 22:49:26.961726193 -0500
+++ ./lib/softoken/sdb.c 2020-12-11 23:01:30.739122494 -0500
@@ -690,8 +690,14 @@ sdb_openDB(const char *name, sqlite3 **s
openFlags = SQLITE_OPEN_READONLY;
} else {
openFlags = SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE;
+ /* btrfs and sqlite seem to incorrectly open readwrite.
+ * when the file is readonly explicitly reject that issue here */
+ if ((_NSSUTIL_Access(name, PR_ACCESS_EXISTS) == PR_SUCCESS) && (_NSSUTIL_Access(name, PR_ACCESS_WRITE_OK) != PR_SUCCESS)) {
+ return SQLITE_READONLY;
+ }
}
+
/* Requires SQLite 3.5.0 or newer. */
sqlerr = sqlite3_open_v2(name, sqlDB, openFlags, NULL);
if (sqlerr != SQLITE_OK) {


@ -67,7 +67,7 @@ Index: nss/lib/freebl/fips-selftest.inc
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ nss/lib/freebl/fips-selftest.inc +++ nss/lib/freebl/fips-selftest.inc
@@ -0,0 +1,296 @@ @@ -0,0 +1,306 @@
+/* +/*
+ * PKCS #11 FIPS Power-Up Self Test - common stuff. + * PKCS #11 FIPS Power-Up Self Test - common stuff.
+ * + *
@ -250,8 +250,18 @@ Index: nss/lib/freebl/fips-selftest.inc
+ strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l); + strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l);
+ l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX); + l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX);
+#if 1 +#if 1
+ if (NULL == addr) + if (NULL == addr) {
+ rv = BLAPI_SHVerifyFile(full_lib_name, &err); + char full_path [PATH_MAX+1];
+
+ full_path [0] = '\0';
+ l = PATH_MAX;
+ strncat (full_path, "/usr/lib64/", l);
+ l -= strlen ("/usr/lib64/");
+ strncat (full_path, full_lib_name, l);
+ l -= strlen (full_lib_name);
+
+ rv = BLAPI_SHVerifyFile(full_path, &err);
+ }
+ else + else
+ rv = BLAPI_SHVerify(full_lib_name, addr, &err); + rv = BLAPI_SHVerify(full_lib_name, addr, &err);
+#else +#else
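Review bot: The new `NULL == addr` branch builds the path from a hard-coded `/usr/lib64/` prefix, so the FIPS integrity self-test verifies whatever file sits there, which may not be the library that was actually loaded. On a target that installs the library under another directory, the check would presumably fail or cover a different file, so the prefix should come from the build's libdir or from the loaded object's own path. The two `strncat` calls can also truncate silently, and `l -= strlen (full_lib_name);` can wrap if `l` is unsigned (its declaration is outside the hunk). A checked `int n = snprintf(full_path, sizeof full_path, "/usr/lib64/%s", full_lib_name);` followed by `if (n < 0 || (size_t)n >= sizeof full_path)` failing the self-test would reject an over-long name instead of verifying a truncated path. The enclosing function starts and ends outside the hunk.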


@ -1,7 +1,7 @@
diff --git a/nss/lib/freebl/drbg.c b/nss/lib/freebl/drbg.c diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
index 3ed1751..65fee9a 100644 index 3ed1751..56a1a58 100644
--- a/nss/lib/freebl/drbg.c --- a/lib/freebl/drbg.c
+++ b/nss/lib/freebl/drbg.c +++ b/lib/freebl/drbg.c
@@ -6,6 +6,8 @@ @@ -6,6 +6,8 @@
#include "stubs.h" #include "stubs.h"
#endif #endif
@ -42,18 +42,17 @@ index 3ed1751..65fee9a 100644
return PR_FAILURE; /* error is already set */ return PR_FAILURE; /* error is already set */
} }
PORT_Assert(length == sizeof(block)); PORT_Assert(length == sizeof(block));
@@ -199,6 +220,10 @@ prng_initEntropy(void) @@ -199,6 +220,9 @@ prng_initEntropy(void)
sizeof(globalrng->previousEntropyHash)); sizeof(globalrng->previousEntropyHash));
PORT_Memset(block, 0, sizeof(block)); PORT_Memset(block, 0, sizeof(block));
SHA256_DestroyContext(&ctx, PR_FALSE); SHA256_DestroyContext(&ctx, PR_FALSE);
+
+ coRNGInitEntropy.status = PR_SUCCESS; + coRNGInitEntropy.status = PR_SUCCESS;
+ __sync_synchronize (); + __sync_synchronize ();
+ coRNGInitEntropy.initialized = 1; + coRNGInitEntropy.initialized = 1;
return PR_SUCCESS; return PR_SUCCESS;
} }
@@ -211,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength) @@ -211,7 +235,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
SHA256Context ctx; SHA256Context ctx;
SECStatus rv = SECSuccess; SECStatus rv = SECSuccess;
@ -62,7 +61,44 @@ index 3ed1751..65fee9a 100644
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
return SECFailure; return SECFailure;
} }
@@ -842,7 +867,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, @@ -564,10 +588,34 @@ prng_freeRNGContext(RNGContext *rng)
SECStatus
RNG_RNGInit(void)
{
+ /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a stripped
+ * down version. This is similar to freebl_RunLoaderOnce(). */
+ if (coRNGInit.initialized) {
+ return coRNGInit.status;
+ }
+ if (__sync_lock_test_and_set(&coRNGInit.inProgress, 1) != 0) {
+ /* Shouldn't have a lot of takers here, which is good
+ * since we don't have condition variables yet.
+ * 'initialized' only ever gets set (not cleared) so we don't
+ * need the traditional locks. */
+ while (!coRNGInit.initialized) {
+ sleep(1); /* don't have condition variables, just give up the CPU */
+ }
+ return coRNGInit.status;
+ }
+
/* Allow only one call to initialize the context */
- PR_CallOnce(&coRNGInit, rng_init);
+ coRNGInit.status = rng_init ();
+ __sync_synchronize ();
+ coRNGInit.initialized = 1;
+ if (coRNGInit.status != PR_SUCCESS)
+ return SECFailure;
+
/* Make sure there is a context */
- return (globalrng != NULL) ? SECSuccess : SECFailure;
+ coRNGInit.status = (globalrng != NULL) ? SECSuccess : SECFailure;
+ __sync_synchronize ();
+ coRNGInit.initialized = 1;
+ return coRNGInit.status;
}
/*
@@ -842,7 +890,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
} }
/* replicate reseed test from prng_GenerateGlobalRandomBytes */ /* replicate reseed test from prng_GenerateGlobalRandomBytes */
if (testContext.reseed_counter[0] >= RESEED_VALUE) { if (testContext.reseed_counter[0] >= RESEED_VALUE) {
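Review bot: In the new `RNG_RNGInit` body, `coRNGInit.initialized = 1` is published right after `rng_init ()` returns, before the `globalrng != NULL` result is stored. A concurrent caller on the fast path or in the `sleep(1)` wait loop can therefore return the intermediate status, which is a PRStatus read back as a SECStatus. Computing the final result into a local and publishing it once removes both that window and the second, redundant `initialized = 1` store. The readers of `initialized` also have no barrier pairing with the writer's `__sync_synchronize ()`; whether that is safe depends on how the flag is declared, which is outside the hunk. The wait loop deserves a comment that a waiter can stall for up to a second during RNG start-up.

```c
    /* … unchanged: fast path and inProgress wait loop … */

    /* Compute the final result first, then publish it exactly once. */
    SECStatus rv = (rng_init() == PR_SUCCESS && globalrng != NULL)
                       ? SECSuccess
                       : SECFailure;
    coRNGInit.status = rv;
    __sync_synchronize();
    coRNGInit.initialized = 1;
    return rv;
```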


@ -0,0 +1,64 @@
commit 3ab80b72e85583bd727730bc5b57f91e07b89710
Author: Hans Petter Jansson <hpj@cl.no>
Date: Fri Sep 4 13:41:34 2020 +0200
Patch 38: nss-fips-stricter-dh.patch
diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
cleanup:
mp_clear(&p);
return err ? PR_FALSE : PR_TRUE;
}
PRBool
KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
{
- mp_int p, q, y, r;
+ mp_int p, q, y, r, psub1;
mp_err err;
int cmp = 1; /* default is false */
if (!Y || !prime || !subPrime) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
MP_DIGITS(&p) = 0;
MP_DIGITS(&q) = 0;
MP_DIGITS(&y) = 0;
MP_DIGITS(&r) = 0;
+ MP_DIGITS(&psub1) = 0;
CHECK_MPI_OK(mp_init(&p));
CHECK_MPI_OK(mp_init(&q));
CHECK_MPI_OK(mp_init(&y));
CHECK_MPI_OK(mp_init(&r));
+ CHECK_MPI_OK(mp_init(&psub1));
SECITEM_TO_MPINT(*prime, &p);
SECITEM_TO_MPINT(*subPrime, &q);
SECITEM_TO_MPINT(*Y, &y);
+
+ CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
+
+ if (mp_cmp_d(&y, 1) <= 0 ||
+ mp_cmp(&y, &psub1) >= 0) {
+ err = MP_BADARG;
+ goto cleanup;
+ }
+
/* compute r = y**q mod p */
CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
/* compare to 1 */
cmp = mp_cmp_d(&r, 1);
cleanup:
mp_clear(&p);
mp_clear(&q);
mp_clear(&y);
mp_clear(&r);
+ mp_clear(&psub1);
if (err) {
MP_TO_SEC_ERROR(err);
return PR_FALSE;
}
return (cmp == 0) ? PR_TRUE : PR_FALSE;
}
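Review bot: The NULL-argument guard at the top of `KEA_Verify` still does `return SECFailure;` from a function declared `PRBool`, and SECFailure is a nonzero SECStatus value. A caller that tests the result as a boolean would therefore treat invalid arguments as a successful verification, so the guard should `return PR_FALSE;` while this patch is tightening the function. Those lines are unchanged context in the patch, so this is a follow-up rather than a regression. The new range check would also benefit from a short comment, for example `/* reject Y <= 1 and Y >= p-1: trivial public values */`. The patch header calls itself "Patch 38" while the spec file registers it as `Patch29`, which is worth aligning.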