diff --git a/mozilla-nss.changes b/mozilla-nss.changes index da3f765..544d4db 100644 --- a/mozilla-nss.changes +++ b/mozilla-nss.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Thu Aug 5 15:21:31 UTC 2021 - Wolfgang Rosenauer + +- update to NSS 3.68 + * bmo#1713562 - Fix test leak. + * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. + * bmo#1693206 - Implement PKCS8 export of ECDSA keys. + * bmo#1712883 - DTLS 1.3 draft-43. + * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. + * bmo#1713562 - Validate ECH public names. + * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. +- required by Firefox 91.0 +- added nss-fips-fix-missing-nspr.patch (via SLE sync) + ------------------------------------------------------------------- Sat Jul 10 08:50:18 UTC 2021 - Wolfgang Rosenauer diff --git a/mozilla-nss.spec b/mozilla-nss.spec index 4f3963a..e3e4f2a 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -17,14 +17,14 @@ # -%global nss_softokn_fips_version 3.66 -%define NSPR_min_version 4.31 +%global nss_softokn_fips_version 3.68 +%define NSPR_min_version 4.32 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr) %define nssdbdir %{_sysconfdir}/pki/nssdb Name: mozilla-nss -Version: 3.66 +Version: 3.68 Release: 0 -%define underscore_version 3_66 +%define underscore_version 3_68 Summary: Network Security Services License: MPL-2.0 Group: System/Libraries @@ -69,6 +69,7 @@ Patch25: nss-fips-detect-fips-mode-fixes.patch Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch Patch27: nss-fips-aes-keywrap-post.patch Patch28: nss-btrfs-sqlite.patch +Patch37: nss-fips-fix-missing-nspr.patch %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references BuildRequires: gcc9-c++ @@ -225,6 +226,7 @@ cd nss %patch26 -p1 %patch27 -p1 %patch28 -p1 +%patch37 -p2 # additional CA certificates #cd security/nss/lib/ckfw/builtins diff --git a/nss-3.66.tar.gz b/nss-3.66.tar.gz deleted file mode 100644 index 8ec8401..0000000 --- a/nss-3.66.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:89a79e3a756cf0ac9ba645f4d4c0fc58d4133134401fb0b6c8a74c420bb4cdc9 -size 82401896 diff --git a/nss-3.68.tar.gz b/nss-3.68.tar.gz new file mode 100644 index 0000000..0e8592f --- /dev/null +++ b/nss-3.68.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c402b32cac83034ec1c3d826ef4306cd14a066d7d9a6f4c30d82b3bc043c725b +size 82405833 diff --git a/nss-fips-fix-missing-nspr.patch b/nss-fips-fix-missing-nspr.patch new file mode 100644 index 0000000..34fa196 --- /dev/null +++ b/nss-fips-fix-missing-nspr.patch @@ -0,0 +1,87 @@ +diff --git a/nss/lib/freebl/drbg.c b/nss/lib/freebl/drbg.c +index 3ed1751..65fee9a 100644 +--- a/nss/lib/freebl/drbg.c ++++ b/nss/lib/freebl/drbg.c +@@ -6,6 +6,8 @@ + #include "stubs.h" + #endif + ++#include ++ + #include "prerror.h" + #include "secerr.h" + +@@ -182,11 +184,30 @@ prng_initEntropy(void) + PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE]; + SHA256Context ctx; + ++ /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a stripped ++ * down version. This is similar to freebl_RunLoaderOnce(). */ ++ if (coRNGInitEntropy.initialized) { ++ return coRNGInitEntropy.status; ++ } ++ if (__sync_lock_test_and_set(&coRNGInitEntropy.inProgress, 1) != 0) { ++ /* Shouldn't have a lot of takers here, which is good ++ * since we don't have condition variables yet. ++ * 'initialized' only ever gets set (not cleared) so we don't ++ * need the traditional locks. */ ++ while (!coRNGInitEntropy.initialized) { ++ sleep(1); /* don't have condition variables, just give up the CPU */ ++ } ++ return coRNGInitEntropy.status; ++ } ++ + /* For FIPS 140-2 4.9.2 continuous random number generator test, + * fetch the initial entropy from the system RNG and keep it for + * later comparison. */ + length = RNG_SystemRNG(block, sizeof(block)); + if (length == 0) { ++ coRNGInitEntropy.status = PR_FAILURE; ++ __sync_synchronize (); ++ coRNGInitEntropy.initialized = 1; + return PR_FAILURE; /* error is already set */ + } + PORT_Assert(length == sizeof(block)); +@@ -199,6 +220,10 @@ prng_initEntropy(void) + sizeof(globalrng->previousEntropyHash)); + PORT_Memset(block, 0, sizeof(block)); + SHA256_DestroyContext(&ctx, PR_FALSE); ++ ++ coRNGInitEntropy.status = PR_SUCCESS; ++ __sync_synchronize (); ++ coRNGInitEntropy.initialized = 1; + return PR_SUCCESS; + } + +@@ -211,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength) + SHA256Context ctx; + SECStatus rv = SECSuccess; + +- if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) { ++ if (prng_initEntropy () != PR_SUCCESS) { + PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); + return SECFailure; + } +@@ -842,7 +867,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len, + } + /* replicate reseed test from prng_GenerateGlobalRandomBytes */ + if (testContext.reseed_counter[0] >= RESEED_VALUE) { +- rv = prng_reseed(&testContext, NULL, 0, NULL, 0); ++ /* We need to supply the entropy so as to avoid use of global RNG */ ++ static const PRUint8 reseed_entropy[] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ }; ++ static const PRUint8 additional_input[] = { ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, ++ }; ++ rv = prng_reseed(&testContext, reseed_entropy, sizeof reseed_entropy, ++ additional_input, sizeof additional_input); + if (rv != SECSuccess) { + return rv; + }