Commit Graph

64 Commits

Author SHA1 Message Date
Krenzelok Frantisek
4f1878c47a Resolves: RHEL-32161
Allow for shorter ecdsa signatures by padding them to full length
2024-04-10 20:02:23 +02:00
Robert Relyea
f628c7a792 Related: RHEL-16653
Fix ECC parameter DERwrapping that was broken by the minerva fixes.
2024-01-24 08:49:08 -08:00
Robert Relyea
19e3cdb28c Resolves: RHEL-16653
CVE-2023-6135 nss: vulnerable to Minerva side-channel information leak
 - Pick up validated constant time implementations of p256, p384, and p521
   from upsream
 - More Fips indicator changes
2024-01-20 08:01:55 -08:00
Robert Relyea
78737bcfaa Resolves: RHEL-17216
Incorporate Lab FIPS review requests.
2023-12-05 09:30:31 -08:00
Robert Relyea
b604fc6eb5 Resolves: RHEL-15134
CVE-2023-5388
nss: timing attack against RSA decryption.
Make the final blinding multmod constant time.
2023-11-21 10:45:17 -08:00
Robert Relyea
2fef3aa45f Resolves: rhbz#2229399
- add indicator for pbkdf
- fix ems policy bug
2023-08-05 10:43:46 -07:00
Stanislav Zidek
ac0b8ce8dd Disable separate reporting of interop tests
Otherwise, we would have to enumerate all the test plans
in `gating.yaml`. Without separate reporting, we could
simply use `osci.brew-build.tier0.functional`.

Related: rhbz#2209764
2023-07-13 11:31:29 +02:00
Frantisek Krenzelok
b5cdb03af2
Increase the release number
Related: rhbz#2211937

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
2023-06-29 14:49:43 +02:00
Frantisek Krenzelok
6bbfd9e4ef
Add dist tag to packages version
Related: rhbz#2211937

Packages lacked dist tag in their version tag after the
92cf70d

move `%patch<num>` from deprecate format to `%patch -P<num>`

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>
2023-06-28 17:06:00 +02:00
Robert Relyea
92cf70d178 Resolves: rhbz#2211937
Rebase NSS to 3.90 for Firefox 115 ESR
Includes NSPR 4.35
2023-06-22 08:21:33 +02:00
Alexander Sosedkin
f2db67545b delete tests/
The test directory seems to be inherited from Fedora.
The only test in there has become outdated.

Related: rhbz#2209764
2023-05-25 16:50:18 +02:00
Peter Leitmann
9bb1bef019 Add new interop rpm-tmt-tests 2023-05-25 09:24:59 +00:00
Bob Relyea
7391e8d0cd Resolves: rhbz#2179385
Make DH parameter processing in FIPS mode more strict.
Fix memory leak in dh keygen.
2023-03-22 09:38:23 -07:00
Bob Relyea
2ed3d453e9 Related: rhbz#2174613
Fix regression issue in FIPS mode. We need to return a non-locking return
code if the user supplied DH parameters are invalid, rather than a blocking
code we return if the underlying NSS math engine blows up.
2023-03-16 12:53:52 -07:00
Bob Relyea
fe16df6b41 Related: rhbz#2176630 rhbz#2153473 rhbz#2174613
Sync nss.spec with rhel-9.0.0 branch to match versioning.
2023-03-15 10:36:00 -07:00
Bob Relyea
67466513bc Resolves: rhbz#2176630 rhbz#2153473 rhbz#2174613
Fix CVE 2023-0767
Fix FIPS review comments.
2023-03-11 11:19:28 -08:00
Bob Relyea
f445964895 Resolves: rhbz#2004545 rhbz#2122714
- Update fips_algorithms.h to match the final FIPS requirements
    - Disable delegated credentials
2022-09-08 08:56:38 -07:00
Bob Relyea
dcbd11ce7c Resolves: rhbz#2091905
- remove OAEP from the fips indicator list
2022-08-24 15:28:58 -07:00
Bob Relyea
cba98b139c Resolves: rhbz#2091905
- More FIPS changes for FIPS 140-3
    -   drbg seeding fixes
    -   fips indicator fixes
- Fix regressions in pkcs12.
2022-08-24 08:17:30 -07:00
Bob Relyea
09dd8eef9a Resolves: rhbz#2104703
- more complete fix for the client auth crash
2022-07-07 09:34:21 -07:00
Bob Relyea
590eee18a6 Related: rhbz#2097816
- increase the pbe cache size
- remove debugging print from certmonder patch
2022-06-22 13:59:47 -07:00
Bob Relyea
aef9d0723d Resolves: rhbz#2091905 rhbz#2098489
- mark rsa 1023 as FIPS, reject RSA key sizes less than 1023.
- allow applications to rerun the POST arbitrarily (that is after dlopen).
2022-06-21 12:21:13 -07:00
Bob Relyea
e6c0644902 Resolves: rhbz#2064360
- resolve more regressions. selfserv no longer handles IPV4 when configured for IPV6.
2022-06-14 18:50:06 -07:00
Bob Relyea
4d2d68aab9 Resolves: rhbz#2064360
- Fix test case regressions in rebase
2022-06-13 15:25:32 -07:00
Bob Relyea
328433776d Resolves: rhbz#2064360
- fix coverity issues
 - add dbtool
2022-06-10 16:51:19 -07:00
Bob Relyea
347b7343a5 Resolves: rhbz#2064360
Rebase nss to 3.79, nspr to 4.34 for Firefox 102 ESR
2022-06-02 11:14:49 -07:00
Bob Relyea
abcefb3fa4 Resolves: rhbz#2041832
openssl pkcs12 unable to process nss pk12util generated pkcs12 file if its password length is >= 64 chars
2022-02-16 12:55:59 -08:00
Bob Relyea
fd0aecc80b Resolves: rhbz#2039862 rhbz#1986987
Turn on lto (fixing gtests issue with lto)
Fix pkcs12 man page to include changes made in that command.
2022-01-27 08:09:17 -08:00
Robert Relyea
8857078930 Related: rhbz#2033309 2022-01-14 22:06:25 +00:00
Bob Relyea
79eaf96146 Resolves: rhbz#2033309
Remove old db files and man pages
2022-01-11 14:20:39 -08:00
Bob Relyea
34e9500654 Resolves: rhbz#2025362
Fix CVE 2021-43527
2021-12-01 11:54:49 -08:00
Bob Relyea
af61b61e84 Related: rhbz#2008320
- Fix typo that prevented the validation program from building.
- add the validation program to nss-tools.
- Fix issue with NSS_FIPS_MODULE_ID where it wasn't detecting builds on RHEL9
2021-10-19 20:11:17 -07:00
Bob Relyea
c9c633332d Resolves: rhbz#2008320
Rebase to NSS 3.71: (changes since NSS 3.67)

    Network Security Services (NSS) 3.71 was released on 30 September 2021.

    The HG tag is NSS_3_71_RTM. This version of NSS requires NSPR 4.32 or newer.

    NSS 3.71 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_71_RTM/src/>

    Changes:
    - Bug 1717716 - Set nssckbi version number to 2.52.
    - Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
    - Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
    - Bug 1717707 - Add HARICA Client ECC Root CA 2021.
    - Bug 1717707 - Add HARICA Client RSA Root CA 2021.
    - Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
    - Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
    - Bug 1728394 - Add TunTrust Root CA certificate to NSS.
    -------------------------------------

    Network Security Services (NSS) 3.70 was released on 4 September 2021.

    The HG tag is NSS_3_70_RTM. This version of NSS requires NSPR 4.32 or newer.

    NSS 3.70 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_70_RTM/src/>

    Changes:
       - Documentation: release notes for NSS 3.70.
       - Documentation: release notes for NSS 3.69.1.
       - Bug 1726022 - Update test case to verify fix.
       - Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
       - Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
       - Formatting for lib/util
       - Bug 1681975 - Avoid using a lookup table in nssb64d.
       - Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
       - Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
       - Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
       - Bug 1726022 - Cache additional PBE entries.
       - Bug 1709750 - Read HPKE vectors from official JSON.
       - Documentation: update for NSS 3.69 release.

    Network Security Services (NSS) 3.69 was released on 5 August 2021.

    The HG tag is NSS_3_69_RTM. NSS 3.69 requires NSPR 4.32 or newer.

    NSS 3.69 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_69_RTM/src/>

    Bugs fixed:
       - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
       - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
       - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
       - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
       - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
       - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
       - Bug 1720232 - SQLite calls could timeout in starvation situations.
       - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
       - Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
       - Bug 1720227 - NSS using a tempdir to measure sql performance not active

    Network Security Services (NSS) 3.68 ESR was released on 8 July 2021.

    The HG tag is NSS_3_68_RTM. NSS 3.68 requires NSPR 4.32 or newer.

    NSS 3.68 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_68_RTM/src/>

    Bugs fixed:
       -  Bug 1713562 - Fix test leak.
       -  Bug 1717452 - NSS 3.68 should depend on NSPR 4.32.
       -  Bug 1693206 - Implement PKCS8 export of ECDSA keys.
       -  Bug 1712883 - DTLS 1.3 draft-43.
       -  Bug 1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
       -  Bug 1713562 - Validate ECH public names.
       -  Bug 1717610 - Add function to get seconds from epoch from pkix::Time.
2021-10-06 12:09:11 -07:00
Bob Relyea
55f8cd2e51 Related: rhbz#1972928
Rebuild for gating
2021-08-25 08:46:15 -07:00
Bob Relyea
bcabd96a47 Related: rhbz#1972928
Add gating.yaml
2021-08-20 10:57:03 -07:00
Bob Relyea
9a9e0681ed Related: rhbz#1972928
Update nspr for firefox 92
2021-08-19 13:06:04 -07:00
Florian Weimer
6098d94e9d Change release number to correct cross-package dependencies (#1991688)
Related: #1991688
2021-08-12 15:01:01 +02:00
Florian Weimer
ec42b367dc Change release number to correct cross-package dependencies (#1991688)
Related: #1991688
2021-08-12 10:54:57 +02:00
Florian Weimer
4b70a03790 Change release number to correct cross-package dependencies (#1991688)
Related: #1991688
2021-08-12 07:18:54 +02:00
Mohan Boddu
1fded96fc7 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 22:34:19 +00:00
Bob Relyea
449fc4a03c Related: rhbz#1972928
- fix relro support in nspr part of build
2021-07-08 15:19:14 -07:00
Bob Relyea
5a8798b5da Related: rhbz#1933778
sigh, bump nspr release number
2021-07-07 12:58:28 -07:00
Bob Relyea
ceb4bbe240 Resolves: rhbz#1933778
Fix incorrect ssl alerts on signature algorithms.
2021-07-07 12:06:28 -07:00
Bob Relyea
b6e19ee8f1 Related: rhbz#1978038
Bump the nspr build number.
2021-07-02 08:08:22 -07:00
Bob Relyea
66eacfa6fd Related: rhbz#1978038
Sigh fix LDFlags to make nspr happy...
2021-07-01 15:54:34 -07:00
Bob Relyea
8e1aafaab1 Resolves: rhbz#1978038
Allow NSS to use databases which have been updated from dbm to sql
on an unpacked version of nss. (prevented pesign from working).
2021-07-01 15:12:42 -07:00
Bob Relyea
4c08989645 Related: rhbz#1972928
- only include nspr man pages in nspr-devel
2021-06-22 19:37:34 -07:00
Bob Relyea
fed7d55f1a Resolves: rhbz#1972928
Rebase nss to 3.67
2021-06-21 10:17:18 -07:00
Bob Relyea
af6d77e2b5 Related: rhbz1926367
Fix incorrect patch file
2021-04-16 18:13:49 -07:00
Bob Relyea
88a947fc0b Resolves: rhbz#1926367
Restore RHEL-8 patch to prevent MD5 and MD4 hash operations
2021-04-16 14:12:00 -07:00