Resolves: rhbz#2064360

Rebase nss to 3.79, nspr to 4.34 for Firefox 102 ESR

.gitignore

@@ -65,3 +65,5 @@ TestUser51.cert
 /nspr-4.31.tar.gz
 /nspr-4.32.tar.gz
 /nss-3.71.tar.gz
+/nss-3.79.tar.gz
+/nspr-4.34.tar.gz

gating.yaml

@@ -6,3 +6,4 @@ rules:
   - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
   - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
   - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
+  - !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.nss.streamspreadprevent}

nss.spec

@@ -1,12 +1,13 @@
-%global nspr_version 4.32.0
+%global nss_version 3.79.0
+%global nspr_version 4.34.0
+%global baserelease 1
+%global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
-# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
-# - increment %%{nspr_version}, when updating the NSS part only
-# - put the nss_release number here next to nspr, as they both
-#   need to be updated on a given release
-%global nss_release 7
-%global nspr_release %[ %nss_release+2]
-%global nss_version 3.71.0
+# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
+# release number between nss and nspr are different.
+# when a new nspr is released with nss, reset nspr_release to baserelease.
+# for each new nss relase with the same nspr, change increment n by one.
+%global nspr_release %baserelease
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -56,6 +57,21 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
            string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
 }
 
+# This is taken from gnutls.spec
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/nss.spec")
+for i, p in ipairs(patches) do
+   files = files.." "..p
+end
+for i, p in ipairs(sources) do
+   files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
@@ -110,14 +126,12 @@ Source22:         pkcs11.txt.xml
 Source24:         cert9.db.xml
 Source26:         key4.db.xml
 Source28:         nss-p11-kit.config
-Source30:         PayPalEE.cert
+#Source30:         PayPalEE.cert
 
 
 Source100:        nspr-%{nspr_archive_version}.tar.gz
 Source101:        nspr-config.xml
 
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-3.71-ipv6-fix.patch
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -141,17 +155,10 @@ Patch32:          nss-disable-md5.patch
 Patch33:          nss-no-dbm-man-page.patch
 %endif
 
-# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1729550
-Patch50:          nss-3.71-fips-module-name.patch
-# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
-Patch60:          nss-3.67-cve-2021-43527.patch
-Patch70:          nss-3.67-cve-2021-43527-test.patch
 # not upstreamable patch...
 Patch80:          nss-3.71-fix-lto-gtests.patch
 # camellia pkcs12 docs.
 patch85:          nss-3.71-camellia-pkcs12-doc.patch
-# fix issue with long passwords in pkcs12
-patch90:          nss-3.75-fix-pkcs12-passwords.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
@@ -313,7 +320,7 @@ Header files for doing development with the Netscape Portable Runtime.
 %setup -q -T -b 0 -n %{name}-%{nss_archive_version}
 mv ../nspr-%{nspr_archive_version}/nspr .
 cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
-%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+#%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
 
 %patch100 -p0 -b .flags
 pushd nspr
@@ -389,24 +396,10 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 
 # FIPS related defines
 export NSS_FORCE_FIPS=1
-export NSS_FIPS_VERSION="%{name}\ %{version}-$(date +%Y%m%d)"
-%if %{defined rhel}
-%if %{defined centos}
-  export NSS_FIPS_MODULE_ID="Centos\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
-%else
-if grep "Red Hat" /etc/system-release; then
-  export NSS_FIPS_MODULE_ID="Red\ Hat\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}"
-else
-  export NSS_FIPS_MODULE_ID="Generic\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
-fi
-%endif
-%else
-%if %{defined fedora}
-  export NSS_FIPS_MODULE_ID="Fedora\ %fedora\ ${NSS_FIPS_VERSION}\ unvalidated"
-%else
-  export NSS_FIPS_MODULE_ID="Generic\ Linux\ ${NSS_FIPS_VERSION}\ unvalidated"
-%endif
-%endif
+export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
+export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
+export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
 
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@@ -433,6 +426,7 @@ export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 
 export NSPR_INCLUDE_DIR=$PWD/dist/include/nspr
+export NSPR_LIB_DIR=$PWD/dist/lib
 
 export NSS_USE_SYSTEM_SQLITE=1
 
@@ -601,6 +595,15 @@ export USE_64=1
 
 # End -- copied from the build section
 
+# copy the nspr libraries into the NSS object directory so we use the
+# newly compiled nspr binaries in our test rather than the build root
+# versions
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+for i in ./dist/lib/*.so
+do
+   cp $i ./dist/${LOBJDIR}/lib
+done
+
 # This is necessary because the test suite tests algorithms that are
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
@@ -624,9 +627,9 @@ if [ $SPACEISBAD -ne 0 ]; then
   echo "error: filenames containing space are not supported (xargs)"
   exit 1
 fi
-MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
-RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
-DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+export MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND
+export RANDSERV=selfserv_${MYRAND}; echo $RANDSERV
+export DISTBINDIR=./dist/${LOBJDIR}/bin
 pushd "$DISTBINDIR"
 ln -s selfserv $RANDSERV
 popd
@@ -685,6 +688,25 @@ for f in nspr-config; do
 done
 popd
 
+# Begin -- copied from the build section
+# this is needed to make sure LOBJDIR is correct
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# get the objdir value from the test make file
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+
 # There is no make install target so we'll do it ourselves.
 
 mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
@@ -713,7 +735,7 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
-  install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 755 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Install the empty NSS db files
@@ -732,19 +754,19 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.tx
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
-  install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+  install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 
 # Copy the binaries we ship as unsupported
 for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain
 do
-  install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+  install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 
 # Copy the include files we want
@@ -762,7 +784,7 @@ done
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 
 # Copy the template files we want
@@ -1107,6 +1129,11 @@ update-crypto-policies &> /dev/null || :
 
 
 %changelog
+* Wed Jun 1 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
+- update to NSS 3.79
+- update to NSPR 4.34
+- change FIPS Modulename to conform with our final module standard
+
 * Wed Feb 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-7
 - Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
   on long passwords.

sources

@@ -1,5 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (nspr-4.32.tar.gz) = da9b65b374783d20a2e589211b411816d899e296e91175d376e59df1919144c1808c155a234d6ceefdf7b8ae8f47cec98d92a5aa3150a579513251860e50dcb7
-SHA512 (nss-3.71.tar.gz) = a4a724dc4e8677965b6245ea2309790d31ec7719658e2b349eb67c9008082132c76277340d15e4fdd8d2fe1f560ae6803fb038d023c3dfd2e3772fa3b77720e2
-SHA512 (PayPalEE.cert) = 72088243a1917a709f14b67703d643f91bf14624b7461a49c13ead5ea141ff8b96cea29992db6a3ea4087756729fbb3df976b343820d5e702bcaf2b99c7c31be
+SHA512 (nspr-4.34.tar.gz) = 4cfac886c14cf7df4c4b79fa1c3bc92e1b14260c9c3018fa2562060d62fecb4e66c0b4e8f7edf4f4823def784a919d99dde88a89674f0cd8a644310b0569ead4
+SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d