Hello community,

here is the log from the commit of package mozilla-nss for openSUSE:Factory 
checked in at 2021-09-07 21:13:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mozilla-nss (Old)
 and      /work/SRC/openSUSE:Factory/.mozilla-nss.new.1899 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "mozilla-nss"

Tue Sep  7 21:13:41 2021 rev:178 rq:916736 version:3.69.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/mozilla-nss/mozilla-nss.changes  2021-08-24 
10:54:29.860350761 +0200
+++ /work/SRC/openSUSE:Factory/.mozilla-nss.new.1899/mozilla-nss.changes        
2021-09-07 21:13:44.656746212 +0200
@@ -1,0 +2,26 @@
+Fri Sep  3 09:10:56 UTC 2021 - Wolfgang Rosenauer <[email protected]>
+
+- Update to NSS 3.69.1
+  * bmo#1722613 (Backout) - Disable DTLS 1.0 and 1.1 by default
+  * bmo#1720226 (Backout) - integrity checks in key4.db not happening
+                            on private components with AES_CBC
+  NSS 3.69
+  * bmo#1722613 - Disable DTLS 1.0 and 1.1 by default (backed out again)
+  * bmo#1720226 - integrity checks in key4.db not happening on private
+                  components with AES_CBC (backed out again)
+  * bmo#1720235 - SSL handling of signature algorithms ignores
+                  environmental invalid algorithms.
+  * bmo#1721476 - sqlite 3.34 changed it's open semantics, causing
+                  nss failures.
+                  (removed obsolete nss-btrfs-sqlite.patch)
+  * bmo#1720230 - Gtest update changed the gtest reports, losing gtest
+                  details in all.sh reports.
+  * bmo#1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
+  * bmo#1720232 - SQLite calls could timeout in starvation situations.
+  * bmo#1720225 - Coverity/cpp scanner errors found in nss 3.67
+  * bmo#1709817 - Import the NSS documentation from MDN in nss/doc.
+  * bmo#1720227 - NSS using a tempdir to measure sql performance not active
+- add nss-fips-stricter-dh.patch
+- updated existing patches with latest SLE
+
+-------------------------------------------------------------------

Old:
----
  nss-3.68.tar.gz
  nss-btrfs-sqlite.patch

New:
----
  nss-3.69.1.tar.gz
  nss-fips-stricter-dh.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ mozilla-nss.spec ++++++
--- /var/tmp/diff_new_pack.u5yjcS/_old  2021-09-07 21:13:47.352749471 +0200
+++ /var/tmp/diff_new_pack.u5yjcS/_new  2021-09-07 21:13:47.352749471 +0200
@@ -17,14 +17,14 @@
 #
 
 
-%global nss_softokn_fips_version 3.68
+%global nss_softokn_fips_version 3.69
 %define NSPR_min_version 4.32
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 Name:           mozilla-nss
-Version:        3.68
+Version:        3.69.1
 Release:        0
-%define underscore_version 3_68
+%define underscore_version 3_69_1
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -68,8 +68,8 @@
 Patch25:        nss-fips-detect-fips-mode-fixes.patch
 Patch26:        nss-fips-combined-hash-sign-dsa-ecdsa.patch
 Patch27:        nss-fips-aes-keywrap-post.patch
-Patch28:        nss-btrfs-sqlite.patch
-Patch29:        nss-fips-fix-missing-nspr.patch
+Patch28:        nss-fips-fix-missing-nspr.patch
+Patch29:        nss-fips-stricter-dh.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@@ -226,7 +226,7 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
-%patch29 -p2
+%patch29 -p1
 
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins



++++++ nss-3.68.tar.gz -> nss-3.69.1.tar.gz ++++++
/work/SRC/openSUSE:Factory/mozilla-nss/nss-3.68.tar.gz 
/work/SRC/openSUSE:Factory/.mozilla-nss.new.1899/nss-3.69.1.tar.gz differ: char 
5, line 1

++++++ nss-fips-constructor-self-tests.patch ++++++
--- /var/tmp/diff_new_pack.u5yjcS/_old  2021-09-07 21:13:47.524749679 +0200
+++ /var/tmp/diff_new_pack.u5yjcS/_new  2021-09-07 21:13:47.524749679 +0200
@@ -67,7 +67,7 @@
 ===================================================================
 --- /dev/null
 +++ nss/lib/freebl/fips-selftest.inc
-@@ -0,0 +1,296 @@
+@@ -0,0 +1,306 @@
 +/*
 + * PKCS #11 FIPS Power-Up Self Test - common stuff.
 + *
@@ -250,8 +250,18 @@
 +      strncat(full_lib_name, SHLIB_VERSION"."SHLIB_SUFFIX, l);
 +      l -= strlen(SHLIB_VERSION"."SHLIB_SUFFIX);
 +#if 1
-+      if (NULL == addr)
-+              rv = BLAPI_SHVerifyFile(full_lib_name, &err);
++      if (NULL == addr) {
++              char full_path [PATH_MAX+1];
++
++              full_path [0] = '\0';
++              l = PATH_MAX;
++              strncat (full_path, "/usr/lib64/", l);
++              l -= strlen ("/usr/lib64/");
++              strncat (full_path, full_lib_name, l);
++              l -= strlen (full_lib_name);
++
++              rv = BLAPI_SHVerifyFile(full_path, &err);
++      }
 +      else
 +              rv = BLAPI_SHVerify(full_lib_name, addr, &err);
 +#else
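Review bot: The new NULL-addr branch runs the integrity check against a literal `/usr/lib64/` prefix joined to full_lib_name instead of the path of the object the loader actually mapped, so on any other library layout (32-bit, alternate prefix, a test or staging build) BLAPI_SHVerifyFile either fails spuriously or, worse, verifies a file that is not the code executing the self-test. The path should come from the loader-resolved location of the running object, or at minimum from a build-time libdir substituted by the spec, rather than a hard-coded string. The `l -= strlen (full_lib_name);` bookkeeping after the second strncat is not used within the hunk and, if `l` is unsigned and full_lib_name exceeds the remaining room, wraps around — I cannot confirm `l`'s type from here. Until the path is derived properly, a comment such as `/* addr unknown: fall back to the installed path; this must be the same object the loader mapped or the check is meaningless */` would at least make the assumption explicit. The enclosing function starts and ends outside the hunk.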

++++++ nss-fips-fix-missing-nspr.patch ++++++
--- /var/tmp/diff_new_pack.u5yjcS/_old  2021-09-07 21:13:47.536749693 +0200
+++ /var/tmp/diff_new_pack.u5yjcS/_new  2021-09-07 21:13:47.536749693 +0200
@@ -1,7 +1,7 @@
-diff --git a/nss/lib/freebl/drbg.c b/nss/lib/freebl/drbg.c
-index 3ed1751..65fee9a 100644
---- a/nss/lib/freebl/drbg.c
-+++ b/nss/lib/freebl/drbg.c
+diff --git a/lib/freebl/drbg.c b/lib/freebl/drbg.c
+index 3ed1751..56a1a58 100644
+--- a/lib/freebl/drbg.c
++++ b/lib/freebl/drbg.c
 @@ -6,6 +6,8 @@
  #include "stubs.h"
  #endif
@@ -42,18 +42,17 @@
          return PR_FAILURE; /* error is already set */
      }
      PORT_Assert(length == sizeof(block));
-@@ -199,6 +220,10 @@ prng_initEntropy(void)
+@@ -199,6 +220,9 @@ prng_initEntropy(void)
                 sizeof(globalrng->previousEntropyHash));
      PORT_Memset(block, 0, sizeof(block));
      SHA256_DestroyContext(&ctx, PR_FALSE);
-+
 +    coRNGInitEntropy.status = PR_SUCCESS;
 +    __sync_synchronize ();
 +    coRNGInitEntropy.initialized = 1;
      return PR_SUCCESS;
  }
  
-@@ -211,7 +236,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
+@@ -211,7 +235,7 @@ prng_getEntropy(PRUint8 *buffer, size_t requestLength)
      SHA256Context ctx;
      SECStatus rv = SECSuccess;
  
@@ -62,7 +61,44 @@
          PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
          return SECFailure;
      }
-@@ -842,7 +867,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+@@ -564,10 +588,34 @@ prng_freeRNGContext(RNGContext *rng)
+ SECStatus
+ RNG_RNGInit(void)
+ {
++    /* Don't have NSPR, so can't use the real PR_CallOnce. Implement a 
stripped
++     * down version. This is similar to freebl_RunLoaderOnce(). */
++    if (coRNGInit.initialized) {
++        return coRNGInit.status;
++    }
++    if (__sync_lock_test_and_set(&coRNGInit.inProgress, 1) != 0) {
++        /* Shouldn't have a lot of takers here, which is good
++         * since we don't have condition variables yet.
++         * 'initialized' only ever gets set (not cleared) so we don't
++         * need the traditional locks. */
++        while (!coRNGInit.initialized) {
++            sleep(1); /* don't have condition variables, just give up the CPU 
*/
++        }
++        return coRNGInit.status;
++    }
++
+     /* Allow only one call to initialize the context */
+-    PR_CallOnce(&coRNGInit, rng_init);
++    coRNGInit.status = rng_init ();
++    __sync_synchronize ();
++    coRNGInit.initialized = 1;
++    if (coRNGInit.status != PR_SUCCESS)
++        return SECFailure;
++
+     /* Make sure there is a context */
+-    return (globalrng != NULL) ? SECSuccess : SECFailure;
++    coRNGInit.status = (globalrng != NULL) ? SECSuccess : SECFailure;
++    __sync_synchronize ();
++    coRNGInit.initialized = 1;
++    return coRNGInit.status;
+ }
+ 
+ /*
+@@ -842,7 +890,21 @@ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
      }
      /* replicate reseed test from prng_GenerateGlobalRandomBytes */
      if (testContext.reseed_counter[0] >= RESEED_VALUE) {
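Review bot: The fast path `if (coRNGInit.initialized) { return coRNGInit.status; }` and the `while (!coRNGInit.initialized)` loop read the flag with no barrier on the reader side, while the writer publishes with `__sync_synchronize()` only; on weakly ordered CPUs a caller can observe initialized == 1 and still read a stale `status` or `globalrng`, so add `__sync_synchronize();` after each read that sees the flag set, before the two `return coRNGInit.status;` lines. `coRNGInit.status` is first assigned the PRStatus from `rng_init ()` and later a SECStatus, and `initialized` is published twice (after rng_init and again after the globalrng check); the two enums are numerically identical for success and failure as far as I can tell, but a reader released by the first publish returns before the globalrng result is reflected, so computing the final status once and publishing once would be clearer. The same hand-rolled once pattern is used for coRNGInitEntropy in the previous hunk and would need the same reader-side barrier there.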

++++++ nss-fips-stricter-dh.patch ++++++
commit 3ab80b72e85583bd727730bc5b57f91e07b89710
Author: Hans Petter Jansson <[email protected]>
Date:   Fri Sep 4 13:41:34 2020 +0200

    Patch 38: nss-fips-stricter-dh.patch

diff --git a/lib/freebl/dh.c b/lib/freebl/dh.c
--- a/lib/freebl/dh.c
+++ b/lib/freebl/dh.c
@@ -445,41 +445,53 @@ KEA_PrimeCheck(SECItem *prime)
 cleanup:
     mp_clear(&p);
     return err ? PR_FALSE : PR_TRUE;
 }
 
 PRBool
 KEA_Verify(SECItem *Y, SECItem *prime, SECItem *subPrime)
 {
-    mp_int p, q, y, r;
+    mp_int p, q, y, r, psub1;
     mp_err err;
     int cmp = 1; /* default is false */
     if (!Y || !prime || !subPrime) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     MP_DIGITS(&p) = 0;
     MP_DIGITS(&q) = 0;
     MP_DIGITS(&y) = 0;
     MP_DIGITS(&r) = 0;
+    MP_DIGITS(&psub1) = 0;
     CHECK_MPI_OK(mp_init(&p));
     CHECK_MPI_OK(mp_init(&q));
     CHECK_MPI_OK(mp_init(&y));
     CHECK_MPI_OK(mp_init(&r));
+    CHECK_MPI_OK(mp_init(&psub1));
     SECITEM_TO_MPINT(*prime, &p);
     SECITEM_TO_MPINT(*subPrime, &q);
     SECITEM_TO_MPINT(*Y, &y);
+
+    CHECK_MPI_OK(mp_sub_d(&p, 1, &psub1));
+
+    if (mp_cmp_d(&y, 1) <= 0 ||
+        mp_cmp(&y, &psub1) >= 0) {
+        err = MP_BADARG;
+        goto cleanup;
+    }
+
     /* compute r = y**q mod p */
     CHECK_MPI_OK(mp_exptmod(&y, &q, &p, &r));
     /* compare to 1 */
     cmp = mp_cmp_d(&r, 1);
 cleanup:
     mp_clear(&p);
     mp_clear(&q);
     mp_clear(&y);
     mp_clear(&r);
+    mp_clear(&psub1);
     if (err) {
         MP_TO_SEC_ERROR(err);
         return PR_FALSE;
     }
     return (cmp == 0) ? PR_TRUE : PR_FALSE;
 }
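Review bot: The new range check in KEA_Verify (`mp_cmp_d(&y, 1) <= 0 || mp_cmp(&y, &psub1) >= 0`) carries no comment saying which requirement it implements, and a maintainer of this FIPS patch should not have to reverse-engineer it. I would add above the `if`: `/* SP 800-56A partial public-key validation: require 2 <= y <= p-2 before the subgroup test r = y^q mod p; y = 1 trivially satisfies y^q == 1 and would otherwise be accepted. */`. Note that the rejection surfaces as MP_BADARG through MP_TO_SEC_ERROR, which presumably reports an invalid-argument error rather than a bad-key error to callers; that is worth stating in the same comment if it is intended.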
