Accepting request 910950 from mozilla:Factory
- update to NSS 3.68 * bmo#1713562 - Fix test leak. * bmo#1717452 - NSS 3.68 should depend on NSPR 4.32. * bmo#1693206 - Implement PKCS8 export of ECDSA keys. * bmo#1712883 - DTLS 1.3 draft-43. * bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension. * bmo#1713562 - Validate ECH public names. * bmo#1717610 - Add function to get seconds from epoch from pkix::Time. - required by Firefox 91.0 - added nss-fips-fix-missing-nspr.patch (via SLE sync) OBS-URL: https://build.opensuse.org/request/show/910950 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=176
commit
e0a827349c
@ -1,3 +1,17 @@
-------------------------------------------------------------------
Thu Aug 5 15:21:31 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
- update to NSS 3.68
* bmo#1713562 - Fix test leak.
* bmo#1717452 - NSS 3.68 should depend on NSPR 4.32.
* bmo#1693206 - Implement PKCS8 export of ECDSA keys.
* bmo#1712883 - DTLS 1.3 draft-43.
* bmo#1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
* bmo#1713562 - Validate ECH public names.
* bmo#1717610 - Add function to get seconds from epoch from pkix::Time.
- required by Firefox 91.0
- added nss-fips-fix-missing-nspr.patch (via SLE sync)
-------------------------------------------------------------------
-------------------------------------------------------------------
Sat Jul 10 08:50:18 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
Sat Jul 10 08:50:18 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
@ -17,14 +17,14 @@
#
#
%global nss_softokn_fips_version 3.66
%global nss_softokn_fips_version 3.68
%define NSPR_min_version 4.31
%define NSPR_min_version 4.32
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
%define nssdbdir %{_sysconfdir}/pki/nssdb
%define nssdbdir %{_sysconfdir}/pki/nssdb
Name: mozilla-nss
Name: mozilla-nss
Version: 3.66
Version: 3.68
Release: 0
Release: 0
%define underscore_version 3_66
%define underscore_version 3_68
Summary: Network Security Services
Summary: Network Security Services
License: MPL-2.0
License: MPL-2.0
Group: System/Libraries
Group: System/Libraries
@ -69,6 +69,7 @@ Patch25: nss-fips-detect-fips-mode-fixes.patch
Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch26: nss-fips-combined-hash-sign-dsa-ecdsa.patch
Patch27: nss-fips-aes-keywrap-post.patch
Patch27: nss-fips-aes-keywrap-post.patch
Patch28: nss-btrfs-sqlite.patch
Patch28: nss-btrfs-sqlite.patch
Patch37: nss-fips-fix-missing-nspr.patch
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
# aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
BuildRequires: gcc9-c++
BuildRequires: gcc9-c++
@ -225,6 +226,7 @@ cd nss
%patch26 -p1
%patch26 -p1
%patch27 -p1
%patch27 -p1
%patch28 -p1
%patch28 -p1
%patch37 -p2
# additional CA certificates
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cd security/nss/lib/ckfw/builtins
@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:89a79e3a756cf0ac9ba645f4d4c0fc58d4133134401fb0b6c8a74c420bb4cdc9
size 82401896
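--- a/nss-3.68.tar.gz
+++ b/nss-3.68.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c402b32cac83034ec1c3d826ef4306cd14a066d7d9a6f4c30d82b3bc043c725b
+size 82405833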
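--- a/nss-fips-fix-missing-nspr.patch
+++ b/nss-fips-fix-missing-nspr.patch
@@ -0,0 +1,87 @@
+diff --git a/nss/lib/freebl/drbg.c b/nss/lib/freebl/drbg.c
+index 3ed1751..65fee9a 100644
+--- a/nss/lib/freebl/drbg.c
++++ b/nss/lib/freebl/drbg.c
+@@ -6,6 +6,8 @@
+#include "stubs.h"
+#endif
+
++#include <unistd.h>
++
+#include "prerror.h"
+#include "secerr.h"
+
+@@ -182,11 +184,30 @@ prng_initEntropy(void)
+PRUint8 block[PRNG_ENTROPY_BLOCK_SIZE];
+SHA256Context ctx;
+
++ /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a stripped
++ * down version. This is similar to freebl_RunLoaderOnce(). */
++ if (coRNGInitEntropy.initialized) {
++ return coRNGInitEntropy.status;
++ }
++ if (__sync_lock_test_and_set(&coRNGInitEntropy.inProgress, 1) != 0) {
++ /* Shouldn't have a lot of takers here, which is good
++ * since we don't have condition variables yet.
++ * 'initialized' only ever gets set (not cleared) so we don't
++ * need the traditional locks. */
++ while (!coRNGInitEntropy.initialized) {
++ sleep(1); /* don't have condition variables, just give up the CPU */
++ }
++ return coRNGInitEntropy.status;
++ }
++
+/* For FIPS 140-2 4.9.2 continuous random number generator test,
+* fetch the initial entropy from the system RNG and keep it for
+* later comparison. */
+length = RNG_SystemRNG(block, sizeof(block));
+if (length == 0) {
++ coRNGInitEntropy.status = PR_FAILURE;
++ __sync_synchronize ();
++ coRNGInitEntropy.initialized = 1;
+return PR_FAILURE; /* error is already set */
+}
+PORT_Assert(length == sizeof(block));
+@@ -199,6 +220,10 @@ prng_initEntropy(void)
+sizeof(globalrng->previousEntropyHash));
+PORT_Memset(block, 0, sizeof(block));
+SHA256_DestroyContext(&ctx, PR_FALSE);
++
++ coRNGInitEntropy.status = PR_SUCCESS;
++ __sync_synchronize ();
++ coRNGInitEntropy.initialized = 1;
+return PR_SUCCESS;
+}
+
+@@ -211,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+SHA256Context ctx;
+SECStatus rv = SECSuccess;
+
+- if (PR_CallOnce(&coRNGInitEntropy, prng_initEntropy) != PR_SUCCESS) {
++ if (prng_initEntropy () != PR_SUCCESS) {
+PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+return SECFailure;
+}
+@@ -842,7 +867,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+}
+/* replicate reseed test from prng_GenerateGlobalRandomBytes */
+if (testContext.reseed_counter[0] >= RESEED_VALUE) {
+- rv = prng_reseed(&testContext, NULL, 0, NULL, 0);
++ /* We need to supply the entropy so as to avoid use of global RNG */
++ static const PRUint8 reseed_entropy[] = {
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ };
++ static const PRUint8 additional_input[] = {
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
++ };
++ rv = prng_reseed(&testContext, reseed_entropy, sizeof reseed_entropy,
++ additional_input, sizeof additional_input);
+if (rv != SECSuccess) {
+return rv;
+}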