pool/mozilla-nss
SHA256
12
0
Fork 1
Code Issues Pull Requests Activity

Accepting request 1204527 from mozilla:Factory

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1204527
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=222
This commit is contained in:
Ana Guerrero
2024-09-30 13:34:33 +00:00
committed by Git OBS Bridge
parent 907ca87dbe cd8891d66e
commit cd9be57a4a
6 changed files with 62 additions and 246 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
mozilla-nss.changes
View File

@@ -1,14 +1,61 @@
-------------------------------------------------------------------
Sun Sep 29 10:12:09 UTC 2024 - ecsos <ecsos@opensuse.org>
- Fix build error under Leap by rebasing nss-fips-safe-memset.patch.
-------------------------------------------------------------------
Sat Sep 28 11:12:23 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.104
* bmo#1910071 - Copy original corpus to heap-allocated buffer
* bmo#1910079 - Fix min ssl version for DTLS client fuzzer
* bmo#1908990 - Remove OS2 support just like we did on NSPR
* bmo#1910605 - clang-format NSS improvements
* bmo#1902078 - Adding basicutil.h to use HexString2SECItem function
* bmo#1908990 - removing dirent.c from build
* bmo#1902078 - Allow handing in keymaterial to shlibsign to make
the output reproducible
* bmo#1908990 - remove nec4.3, sunos4, riscos and SNI references
* bmo#1908990 - remove other old OS (BSDI, old HP UX, NCR,
openunix, sco, unixware or reliantUnix
* bmo#1908990 - remove mentions of WIN95
* bmo#1908990 - remove mentions of WIN16
* bmo#1913750 - More explicit directory naming
* bmo#1913755 - Add more options to TLS server fuzz target
* bmo#1913675 - Add more options to TLS client fuzz target
* bmo#1835240 - Use OSS-Fuzz corpus in NSS CI
* bmo#1908012 - set nssckbi version number to 2.70.
* bmo#1914499 - Remove Email Trust bit from ACCVRAIZ1 root cert.
* bmo#1908009 - Remove Email Trust bit from certSIGN ROOT CA.
* bmo#1908006 - Add Cybertrust Japan Roots to NSS.
* bmo#1908004 - Add Taiwan CA Roots to NSS.
* bmo#1911354 - remove search by decoded serial in
nssToken_FindCertificateByIssuerAndSerialNumber
* bmo#1913132 - Fix tstclnt CI build failure
* bmo#1913047 - vfyserv: ensure peer cert chain is in db for
CERT_VerifyCertificateNow
* bmo#1912427 - Enable all supported protocol versions for UDP
* bmo#1910361 - Actually use random PSK hash type
* bmo#1911576 - Initialize NSS DB once
* bmo#1910361 - Additional ECH cipher suites and PSK hash types
* bmo#1903604 - Automate corpus file generation for TLS client Fuzzer
* bmo#1910364 - Fix crash with UNSAFE_FUZZER_MODE
* bmo#1910605 - clang-format shlibsign.c
- remove obsolete nss-reproducible-builds.patch
-------------------------------------------------------------------
Tue Aug 13 07:08:55 UTC 2024 - Martin Sirringhaus <martin.sirringhaus@suse.com>
- update to NSS 3.103
* bmo#1908623 - move list size check after lock acquisition in sftk_PutObjectToList.
* bmo#1899542: Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_POST_HANDSHAKE_AUTH,
* bmo#1909638 - Follow-up to fix test for presence of file nspr.patch.
* bmo#1903783: Adjust libFuzzer size limits
* bmo#1899542: Add fuzzing support for SSL_SetCertificateCompressionAlgorithm, SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542: Add fuzzing support for SSL_ENABLE_GREASE and SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
* bmo#1903783 - Adjust libFuzzer size limits
* bmo#1899542 - Add fuzzing support for SSL_SetCertificateCompressionAlgorithm,
SSL_SetClientEchConfigs, SSL_VersionRangeSet and SSL_AddExternalPsk
* bmo#1899542 - Add fuzzing support for SSL_ENABLE_GREASE and
SSL_ENABLE_CH_EXTENSION_PERMUTATION
- Add nss-reproducible-builds.patch to make the rpms reproducible,
by using a hardcoded, static key to generate the checksums (*.chk-files)
- Updated nss-fips-approved-crypto-non-ec.patch to enforce
approved curves with the CKK_EC_MONTGOMERY key type (bsc#1224113).

8
mozilla-nss.spec
View File

@@ -17,15 +17,15 @@
#
%global nss_softokn_fips_version 3.103
%global nss_softokn_fips_version 3.104
%define NSPR_min_version 4.35
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
%global crypto_policies_version 20210218
Name: mozilla-nss
Version: 3.103
Version: 3.104
Release: 0
%define underscore_version 3_103
%define underscore_version 3_104
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
@@ -83,7 +83,6 @@ Patch49: nss-allow-slow-tests-s390x.patch
Patch50: nss-fips-bsc1223724.patch
Patch51: nss-fips-aes-gcm-restrict.patch
Patch52: nss-fips-safe-memset.patch
Patch53: nss-reproducible-builds.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
@@ -254,7 +253,6 @@ cd nss
# glibc on SLE-12 is too old and doesn't have explicit_bzero yet.
%patch -P 52 -p1
%endif
%patch -P 53 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins

3
nss-3.103.tar.gz
View File

@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:7b4ab657f772dc7520c46e8d481940b292dcfc6a4c90150a7c26672384cee962
size 76470174

3
nss-3.104.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e2763223622d1e76b98a43030873856f248af0a41b03b2fa2ca06a91bc50ac8e
size 76468542

8
nss-fips-safe-memset.patch
View File

@@ -277,7 +277,7 @@ Index: nss/lib/freebl/rijndael.c
===================================================================
--- nss.orig/lib/freebl/rijndael.c
+++ nss/lib/freebl/rijndael.c
@@ -1114,7 +1114,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
@@ -1251,7 +1251,7 @@ AES_DestroyContext(AESContext *cx, PRBoo
cx->worker_cx = NULL;
cx->destroy = NULL;
}
@@ -445,7 +445,7 @@ Index: nss/lib/softoken/pkcs11c.c
===================================================================
--- nss.orig/lib/softoken/pkcs11c.c
+++ nss/lib/softoken/pkcs11c.c
@@ -4994,7 +4994,7 @@ pairwise_signverify_mech (CK_SESSION_HAN
@@ -5105,7 +5105,7 @@ pairwise_signverify_mech (CK_SESSION_HAN
if ((signature_length >= pairwise_digest_length) &&
(PORT_Memcmp(known_digest, signature + (signature_length - pairwise_digest_length), pairwise_digest_length) == 0)) {
PORT_Free(signature);
@@ -468,8 +468,8 @@ Index: nss/lib/util/secport.h
#include <string.h>
#include <stddef.h>
#include <stdlib.h>
@@ -182,6 +185,39 @@ SEC_END_PROTOS
#endif /*SUNOS4*/
@@ -178,6 +181,39 @@ SEC_END_PROTOS
#define PORT_Memmove memmove
#define PORT_Memset memset
+/* there are cases where the compiler optimizes away our attempt to clear

229
nss-reproducible-builds.patch
View File

@@ -1,229 +0,0 @@
commit cef712e9a49502e669535675c9900b61751ac02b
Author: Martin Sirringhaus <martin.sirringhaus@suse.com>
Date: Mon Jul 29 23:22:41 2024 +0000
Bug 1902078 - Allow handing in keymaterial to shlibsign to make the output reproducible (r=nss-reviewers,rrelyea)
Differential Revision: https://phabricator.services.mozilla.com/D217282
Index: nss/cmd/shlibsign/Makefile
===================================================================
--- nss.orig/cmd/shlibsign/Makefile
+++ nss/cmd/shlibsign/Makefile
@@ -24,25 +24,7 @@ include $(CORE_DEPTH)/coreconf/config.mk
# (4) Include "local" platform-dependent assignments (OPTIONAL). #
#######################################################################
-ifeq ($(OS_ARCH), WINNT)
-
-EXTRA_LIBS += \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plc4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)plds4.$(LIB_SUFFIX) \
- $(NSPR_LIB_DIR)/$(NSPR31_LIB_PREFIX)nspr4.$(LIB_SUFFIX) \
- $(NULL)
-
-else
-
-EXTRA_SHARED_LIBS += \
- -L$(NSPR_LIB_DIR) \
- -lplc4 \
- -lplds4 \
- -lnspr4 \
- $(NULL)
-
-endif
-
+include ../platlibs.mk
# sign any and all shared libraries that contain the word freebl
ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
Index: nss/cmd/shlibsign/shlibsign.c
===================================================================
--- nss.orig/cmd/shlibsign/shlibsign.c
+++ nss/cmd/shlibsign/shlibsign.c
@@ -55,6 +55,10 @@
/* nss headers for definition of HASH_HashType */
#include "hasht.h"
+#include "basicutil.h"
+#include "secitem.h"
+
+
CK_BBOOL cktrue = CK_TRUE;
CK_BBOOL ckfalse = CK_FALSE;
static PRBool verbose = PR_FALSE;
@@ -111,7 +115,7 @@ usage(const char *program_name)
PR_fprintf(debug_out,
"Usage: %s [-v] [-V] [-o outfile] [-d dbdir] [-f pwfile]\n"
" [-F] [-p pwd] -[P dbprefix ] [-t hash]"
- " [-D] [-k keysize] [-c]"
+ " [-D] [-k keysize] [-c] [-K key]"
"-i shared_library_name\n",
program_name);
PR_fprintf(debug_out, "Valid Hashes: ");
@@ -136,6 +140,7 @@ long_usage(const char *program_name)
PR_fprintf(debug_out, "\t-t <hash> Hash for HMAC/or DSA\n");
PR_fprintf(debug_out, "\t-D Sign with DSA rather than HMAC\n");
PR_fprintf(debug_out, "\t-k <keysize> size of the DSA key\n");
+ PR_fprintf(debug_out, "\t-K <key> key-material to use for hmac (hex-string, without leading 0x)\n");
PR_fprintf(debug_out, "\t-c Use compatible versions for old NSS\n");
PR_fprintf(debug_out, "\t-P <prefix> database prefix\n");
PR_fprintf(debug_out, "\t-f <file> password File : echo pw > file \n");
@@ -1069,7 +1074,7 @@ shlibSignDSA(CK_FUNCTION_LIST_PTR pFunct
CK_RV
shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunctionList, CK_SLOT_ID slot,
- CK_SESSION_HANDLE hRwSession, int keySize, PRFileDesc *ifd,
+ CK_SESSION_HANDLE hRwSession, int keySize, char* key, PRFileDesc *ifd,
PRFileDesc *ofd, const HashTable *hash)
{
CK_MECHANISM hmacMech = { 0, NULL, 0 };
@@ -1100,40 +1105,78 @@ shlibSignHMAC(CK_FUNCTION_LIST_PTR pFunc
"Internal error:Could find sha256 entry in table.\n");
}
- hmacKeyTemplate[0].type = CKA_TOKEN;
- hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
- hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[1].type = CKA_PRIVATE;
- hmacKeyTemplate[1].pValue = &cktrue;
- hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[2].type = CKA_SENSITIVE;
- hmacKeyTemplate[2].pValue = &ckfalse;
- hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[3].type = CKA_SIGN;
- hmacKeyTemplate[3].pValue = &cktrue;
- hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
- hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
- hmacKeyTemplate[4].pValue = &ckfalse;
- hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
- hmacKeyTemplate[5].type = CKA_VALUE_LEN;
- hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
- hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
- hmacKeyTemplate[6].type = CKA_KEY_TYPE;
- hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
- hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
- hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
- hmacMech.mechanism = hash->hmac;
+ if (key == NULL) {
+ hmacKeyTemplate[0].type = CKA_TOKEN;
+ hmacKeyTemplate[0].pValue = &ckfalse; /* session object */
+ hmacKeyTemplate[0].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[1].type = CKA_PRIVATE;
+ hmacKeyTemplate[1].pValue = &cktrue;
+ hmacKeyTemplate[1].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[2].type = CKA_SENSITIVE;
+ hmacKeyTemplate[2].pValue = &ckfalse;
+ hmacKeyTemplate[2].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[3].type = CKA_SIGN;
+ hmacKeyTemplate[3].pValue = &cktrue;
+ hmacKeyTemplate[3].ulValueLen = sizeof(cktrue);
+ hmacKeyTemplate[4].type = CKA_EXTRACTABLE;
+ hmacKeyTemplate[4].pValue = &ckfalse;
+ hmacKeyTemplate[4].ulValueLen = sizeof(ckfalse);
+ hmacKeyTemplate[5].type = CKA_VALUE_LEN;
+ hmacKeyTemplate[5].pValue = (void *)&hash->hashLength;
+ hmacKeyTemplate[5].ulValueLen = sizeof(hash->hashLength);
+ hmacKeyTemplate[6].type = CKA_KEY_TYPE;
+ hmacKeyTemplate[6].pValue = (void *)&hash->keyType;
+ hmacKeyTemplate[6].ulValueLen = sizeof(hash->keyType);
+ hmacKeyGenMech.mechanism = CKM_GENERIC_SECRET_KEY_GEN;
+
+ /* Generate a DSA key pair */
+ logIt("Generate an HMAC key ... \n");
+ crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
+ hmacKeyTemplate,
+ PR_ARRAY_SIZE(hmacKeyTemplate),
+ &hHMACKey);
+ } else {
+ SECItem keyitem = { 0 };
+ if (SECU_HexString2SECItem(NULL, &keyitem, key) == NULL) {
+ pk11error("Reading HMAC key from commandline failed. Not a valid hex-key.", crv);
+ return crv;
+ }
+
+ CK_OBJECT_CLASS secret_key_obj_class = CKO_SECRET_KEY;
+ CK_ATTRIBUTE hmacKeyObject[] = {
+ {
+ .type = CKA_CLASS,
+ .pValue = &secret_key_obj_class,
+ .ulValueLen = sizeof(CK_OBJECT_CLASS),
+ },
+ {
+ .type = CKA_KEY_TYPE,
+ .pValue = (void *)&hash->keyType,
+ .ulValueLen = sizeof(hash->keyType),
+ },
+ {
+ .type = CKA_VALUE,
+ .pValue = keyitem.data,
+ .ulValueLen = keyitem.len,
+ },
+ {
+ .type = CKA_SIGN,
+ .pValue = &cktrue,
+ .ulValueLen = sizeof(cktrue),
+ },
+ };
+ logIt("Using static HMAC key ... \n");
+ crv = pFunctionList->C_CreateObject(hRwSession,
+ hmacKeyObject,
+ PR_ARRAY_SIZE(hmacKeyObject),
+ &hHMACKey);
+ }
- /* Generate a DSA key pair */
- logIt("Generate an HMAC key ... \n");
- crv = pFunctionList->C_GenerateKey(hRwSession, &hmacKeyGenMech,
- hmacKeyTemplate,
- PR_ARRAY_SIZE(hmacKeyTemplate),
- &hHMACKey);
if (crv != CKR_OK) {
pk11error("HMAC key generation failed", crv);
return crv;
}
+ hmacMech.mechanism = hash->hmac;
/* compute the digest */
memset(sign, 0, sizeof(sign));
@@ -1258,6 +1301,7 @@ main(int argc, char **argv)
static PRBool useDSA = PR_FALSE;
PRBool successful = PR_FALSE;
const HashTable *hash = NULL;
+ char *key = NULL;
#ifdef USES_LINKS
int ret;
@@ -1281,7 +1325,7 @@ main(int argc, char **argv)
program_name = strrchr(argv[0], '/');
program_name = program_name ? (program_name + 1) : argv[0];
- optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:p:P:vVs:t:Dc");
+ optstate = PL_CreateOptState(argc, argv, "i:o:f:Fd:hH?k:K:p:P:vVs:t:Dc");
if (optstate == NULL) {
lperror("PL_CreateOptState failed");
return 1;
@@ -1331,6 +1375,14 @@ main(int argc, char **argv)
keySize = atoi(optstate->value);
break;
+ case 'K':
+ if (!optstate->value) {
+ PL_DestroyOptState(optstate);
+ usage(program_name);
+ }
+ key = PL_strdup(optstate->value);
+ break;
+
case 'f':
if (!optstate->value) {
PL_DestroyOptState(optstate);
@@ -1569,7 +1621,7 @@ main(int argc, char **argv)
keySize, ifd, ofd, hash);
} else {
crv = shlibSignHMAC(pFunctionList, pSlotList[slotIndex], hRwSession,
- keySize, ifd, ofd, hash);
+ keySize, key, ifd, ofd, hash);
}
if (crv == CKR_INTERNAL_OUT_FAILURE) {
lperror(output_file);