From 347b7343a56c7a413a3a43dc805e5fa079ac19d6 Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Thu, 2 Jun 2022 11:14:49 -0700
Subject: [PATCH] Resolves: rhbz#2064360 Rebase nss to 3.79, nspr to 4.34 for Firefox 102 ESR
---
 .gitignore | 2 +
 gating.yaml | 1 +
 nss.spec | 117 ++++++++++++++++++++++++++++++++--------------------
 sources | 5 +--
 4 files changed, 77 insertions(+), 48 deletions(-)
diff --git a/.gitignore b/.gitignore
index d31b100..89bd7d5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -65,3 +65,5 @@ TestUser51.cert
 /nspr-4.31.tar.gz
 /nspr-4.32.tar.gz
 /nss-3.71.tar.gz
+/nss-3.79.tar.gz
+/nspr-4.34.tar.gz
diff --git a/gating.yaml b/gating.yaml
index c604380..c0d595e 100644
--- a/gating.yaml
+++ b/gating.yaml
@@ -6,3 +6,4 @@ rules:
 - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
 - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
 - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.userspace-fips-mode.functional}
+ - !PassingTestCaseRule {test_case_name: manual.sst_security_crypto.nss.streamspreadprevent}
diff --git a/nss.spec b/nss.spec
index 755fc2b..3acd0e0 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,12 +1,13 @@
-%global nspr_version 4.32.0
+%global nss_version 3.79.0
+%global nspr_version 4.34.0
+%global baserelease 1
+%global nss_release %baserelease
 # NOTE: To avoid NVR clashes of nspr* packages:
-# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
-# - increment %%{nspr_version}, when updating the NSS part only
-# - put the nss_release number here next to nspr, as they both
-# need to be updated on a given release
-%global nss_release 7
-%global nspr_release %[ %nss_release+2]
-%global nss_version 3.71.0
+# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
+# release number between nss and nspr are different.
+# when a new nspr is released with nss, reset nspr_release to baserelease.
+# for each new nss relase with the same nspr, change increment n by one.
+%global nspr_release %baserelease
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -56,6 +57,21 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
 }
+# This is taken from gnutls.spec
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/nss.spec")
+for i, p in ipairs(patches) do
+ files = files.." "..p
+end
+for i, p in ipairs(sources) do
+ files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
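Review bot: The new release-offset comment has a typo (`relase`) and its last sentence, `change increment n by one`, is garbled; `# for each new nss release with the same nspr, increment n by one.` says what is meant. It also points the maintainer at `%%[%%baserelease+n]` while the line beneath it sets `%global nspr_release %baserelease` and `nss_release` is now always `%baserelease`, so the nspr line is the only place the two releases can ever differ. A sentence such as `# nss_release always equals baserelease; only nspr_release ever carries an offset` would make the scheme obvious to the next person rebasing.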
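Review bot: The digest `srpmhash` feeds into `NSS_FIPS_VERSION` can silently be wrong: a `cat` error for an unreadable input is lost in the pipe, `sha256sum` hashes whatever bytes arrived and still prints a well-formed digest, and the `sha256sum:close()` status is discarded, so a build where `%_specdir/nss.spec` or one of the sources is missing ends up with a different FIPS module ID than the koji build and no warning. The file list is also spliced unquoted into a shell command, so a path containing a space changes what is hashed (the paths come from the spec itself, so this is a robustness rather than an injection concern). The rewrite below checks that every input can be opened before hashing, validates the digest shape before printing, uses `_` for the unused loop index and starts `string.sub` at 1 (0 is clamped to 1 in Lua anyway). Whether `close()` would even report a non-zero exit depends on which Lua rpm was built against (5.1 does not), so the digest check is the guard that works everywhere.
```lua
%define srpmhash() %{lua:
local inputs = { rpm.expand("%_specdir/nss.spec") }
for _, p in ipairs(patches) do inputs[#inputs + 1] = p end
for _, p in ipairs(sources) do inputs[#inputs + 1] = p end
for _, p in ipairs(inputs) do
  -- refuse to hash a partial stream: a missing input would otherwise still
  -- produce a well-formed digest and therefore a different FIPS module ID
  assert(io.open(p, "rb"), "srpmhash: cannot read " .. p):close()
end
local files = table.concat(inputs, " ")
local sha256sum = assert(io.popen("cat " .. files .. " | sha256sum"))
local hash = sha256sum:read("*a")
sha256sum:close()
-- sha256sum prints "<64 hex digits>  -"; anything else means it failed
local hex = hash and hash:match("^[0-9a-f]+")
assert(hex and #hex == 64, "srpmhash: sha256sum failed")
print(hex:sub(1, 16))
}
```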
@@ -110,14 +126,12 @@ Source22: pkcs11.txt.xml
 Source24: cert9.db.xml
 Source26: key4.db.xml
 Source28: nss-p11-kit.config
-Source30: PayPalEE.cert
+#Source30: PayPalEE.cert
 Source100: nspr-%{nspr_archive_version}.tar.gz
 Source101: nspr-config.xml
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2: nss-3.71-ipv6-fix.patch
 # This patch uses the GCC -iquote option documented at
 # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
 # to give the in-tree headers a higher priority over the system headers,
@@ -141,17 +155,10 @@ Patch32: nss-disable-md5.patch
 Patch33: nss-no-dbm-man-page.patch
 %endif
-# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1729550
-Patch50: nss-3.71-fips-module-name.patch
-# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
-Patch60: nss-3.67-cve-2021-43527.patch
-Patch70: nss-3.67-cve-2021-43527-test.patch
 # not upstreamable patch...
 Patch80: nss-3.71-fix-lto-gtests.patch
 # camellia pkcs12 docs.
 patch85: nss-3.71-camellia-pkcs12-doc.patch
-# fix issue with long passwords in pkcs12
-patch90: nss-3.75-fix-pkcs12-passwords.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -313,7 +320,7 @@ Header files for doing development with the Netscape Portable Runtime.
 %setup -q -T -b 0 -n %{name}-%{nss_archive_version}
 mv ../nspr-%{nspr_archive_version}/nspr .
 cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
-%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+#%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
 %patch100 -p0 -b .flags
 pushd nspr
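Review bot: rpm expands macros in comment lines, so the commented-out `#%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs` in the %prep hunk still expands `%{__cp}` and the now-undefined `%{SOURCE30}`, and rpmbuild reports a "Macro expanded in comment" warning for it; the release-offset comment at the top of nss.spec doubles its percent signs for exactly this reason. Either drop the line together with `#Source30: PayPalEE.cert` from the first hunk, or spell it `#%%{__cp} %%{SOURCE30} -f ./nss/tests/libpkix/certs` and add a word on why the libpkix cert is no longer staged. The dropped `Patch2`, `Patch50`, `Patch60`, `Patch70` and `patch90` entries presumably still have their .patch files in the repository, since the diffstat lists only four files; removing them in the same commit keeps the tree matching the spec.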
@@ -389,24 +396,10 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 # FIPS related defines
 export NSS_FORCE_FIPS=1
-export NSS_FIPS_VERSION="%{name}\ %{version}-$(date +%Y%m%d)"
-%if %{defined rhel}
-%if %{defined centos}
- export NSS_FIPS_MODULE_ID="Centos\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
-%else
-if grep "Red Hat" /etc/system-release; then
- export NSS_FIPS_MODULE_ID="Red\ Hat\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}"
-else
- export NSS_FIPS_MODULE_ID="Generic\ Enterprise\ Linux\ %rhel\ ${NSS_FIPS_VERSION}\ unvalidated"
-fi
-%endif
-%else
-%if %{defined fedora}
- export NSS_FIPS_MODULE_ID="Fedora\ %fedora\ ${NSS_FIPS_VERSION}\ unvalidated"
-%else
- export NSS_FIPS_MODULE_ID="Generic\ Linux\ ${NSS_FIPS_VERSION}\ unvalidated"
-%endif
-%endif
+export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}"
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g')
+export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}"
+export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}"
 # Enable compiler optimizations and disable debugging code
 export BUILD_OPT=1
@@ -433,6 +426,7 @@ export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
 export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
 export NSPR_INCLUDE_DIR=$PWD/dist/include/nspr
+export NSPR_LIB_DIR=$PWD/dist/lib
 export NSS_USE_SYSTEM_SQLITE=1
@@ -601,6 +595,15 @@ export USE_64=1
 # End -- copied from the build section
+# copy the nspr libraries into the NSS object directory so we use the
+# newly compiled nspr binaries in our test rather than the build root
+# versions
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+for i in ./dist/lib/*.so
+do
+ cp $i ./dist/${LOBJDIR}/lib
+done
+
 # This is necessary because the test suite tests algorithms that are
 # disabled by the system policy.
 export NSS_IGNORE_SYSTEM_POLICY=1
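Review bot: `NSS_FIPS_MODULE_ID` is built from `OS_NAME` and `OS_VERSION_ID` without checking that the `eval` actually set them, so a build root whose /etc/os-release lacks `VERSION_ID` (optional in that format) or cannot be read produces an ID like `\ nss\ 3.79.0-<srpmhash>` and the build carries on. Adding `: "${OS_NAME:?NAME missing from /etc/os-release}" "${OS_VERSION_ID:?VERSION_ID missing from /etc/os-release}"` right after the `eval` line makes that fail at once. rpm also collapses `%%` to `%`, so the shell sees `${OS_VERSION_ID%.*}` (shortest-suffix strip); that is fine for `9.0`-style values, but `%%%%.*` is the spelling if longest-match was intended. The removed block tagged Fedora, CentOS and generic builds as `unvalidated` while the new ID carries only the distribution name; if that distinction is still wanted it needs a line here, and either way a comment saying that this format is the "final module standard" named in the changelog would help the next reader.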
@@ -624,9 +627,9 @@ if [ $SPACEISBAD -ne 0 ]; then
 echo "error: filenames containing space are not supported (xargs)"
 exit 1
 fi
-MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
-RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
-DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+export MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND
+export RANDSERV=selfserv_${MYRAND}; echo $RANDSERV
+export DISTBINDIR=./dist/${LOBJDIR}/bin
 pushd "$DISTBINDIR"
 ln -s selfserv $RANDSERV
 popd
@@ -685,6 +688,25 @@ for f in nspr-config; do
 done
 popd
+# Begin -- copied from the build section
+# this is needed to make sure LOBJDIR is correct
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+export NSS_DISABLE_PPC_GHASH=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+# End -- copied from the build section
+
+# get the objdir value from the test make file
+export LOBJDIR=`make -s -C ./nss/tests/common objdir_name`
+
 # There is no make install target so we'll do it ourselves.
 mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3
@@ -713,7 +735,7 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
 do
- install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+ install -p -m 755 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Install the empty NSS db files
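Review bot: `LOBJDIR` in %install is recomputed from a hand-copied subset of the build environment (`FREEBL_NO_DEPEND`, `BUILD_OPT`, `NSS_DISABLE_PPC_GHASH`, `USE_64`), and nothing verifies that `dist/${LOBJDIR}` exists before the `install` lines in the next hunk and the two after it use it; if %build later gains another variable that changes the objdir name, the install step dies on the first library with an unhelpful "No such file" instead of naming the cause. Right after the export add `test -d "./dist/${LOBJDIR:?objdir_name not found}/lib" || { echo "LOBJDIR=$LOBJDIR does not match the build tree" >&2; exit 1; }`; the copy of this derivation in %check (the hunk that copies the NSPR .so files) deserves the same check. Longer term the shared exports belong in one place, for example a `%global` holding the common environment that %build, %check and %install all expand, so the three sections cannot drift apart.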
@@ -732,19 +754,19 @@ install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.tx
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
- install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+ install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Copy the binaries we want
 for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
- install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+ install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 # Copy the binaries we ship as unsupported
 for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt validation vfyserv vfychain
 do
- install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+ install -p -m 755 dist/${LOBJDIR}/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 # Copy the include files we want
@@ -762,7 +784,7 @@ done
 # Copy the static freebl library
 for file in libfreebl.a
 do
-install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+install -p -m 644 dist/${LOBJDIR}/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Copy the template files we want
@@ -1107,6 +1129,11 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Wed Jun 1 2022 Bob Relyea - 3.79.0-1
+- update to NSS 3.79
+- update to NSPR 4.34
+- change FIPS Modulename to conform with our final module standard
+
 * Wed Feb 16 2022 Bob Relyea - 3.71.0-7
 - Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures on long passwords.
diff --git a/sources b/sources
index 78b1575..a96c9b9 100644
--- a/sources
+++ b/sources
@@ -1,5 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
-SHA512 (nspr-4.32.tar.gz) = da9b65b374783d20a2e589211b411816d899e296e91175d376e59df1919144c1808c155a234d6ceefdf7b8ae8f47cec98d92a5aa3150a579513251860e50dcb7
-SHA512 (nss-3.71.tar.gz) = a4a724dc4e8677965b6245ea2309790d31ec7719658e2b349eb67c9008082132c76277340d15e4fdd8d2fe1f560ae6803fb038d023c3dfd2e3772fa3b77720e2
-SHA512 (PayPalEE.cert) = 72088243a1917a709f14b67703d643f91bf14624b7461a49c13ead5ea141ff8b96cea29992db6a3ea4087756729fbb3df976b343820d5e702bcaf2b99c7c31be
+SHA512 (nspr-4.34.tar.gz) = 4cfac886c14cf7df4c4b79fa1c3bc92e1b14260c9c3018fa2562060d62fecb4e66c0b4e8f7edf4f4823def784a919d99dde88a89674f0cd8a644310b0569ead4
+SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d