From 047dc3ed4ec91978b02b32d814f698de000dfc6a Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 11 May 2020 18:21:55 +0200 Subject: [PATCH 1/3] Update to NSS 3.52 --- .gitignore | 1 + nss-3.47-ike-fix.patch | 22 ---------------------- nss-kremlin-ppc64le.patch | 30 ------------------------------ nss-tls13-default.patch | 12 ------------ nss.spec | 16 +++++----------- sources | 2 +- 6 files changed, 7 insertions(+), 76 deletions(-) delete mode 100644 nss-3.47-ike-fix.patch delete mode 100644 nss-kremlin-ppc64le.patch delete mode 100644 nss-tls13-default.patch diff --git a/.gitignore b/.gitignore index ef6528b..3cbf5bc 100644 --- a/.gitignore +++ b/.gitignore @@ -48,3 +48,4 @@ TestUser51.cert /nss-3.50.tar.gz /nss-3.51.tar.gz /nss-3.51.1.tar.gz +/nss-3.52.tar.gz diff --git a/nss-3.47-ike-fix.patch b/nss-3.47-ike-fix.patch deleted file mode 100644 index 2de0aee..0000000 --- a/nss-3.47-ike-fix.patch +++ /dev/null 
@@ -1,22 +0,0 @@ -diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c ---- ./lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800 -+++ ./lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800 -@@ -330,7 +330,7 @@ static const struct mechanismList mechan - { CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE }, - { CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE }, - { CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE }, -- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE }, -+ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE }, - { CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE }, - /* ------------------------- Camellia Operations --------------------- */ - { CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE }, -@@ -518,7 +518,8 @@ static const struct mechanismList mechan - /* --------------------IPSEC ----------------------- */ - { CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }, - { CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, -- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE } -+ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }, -+ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE } - }; - static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]); - diff --git a/nss-kremlin-ppc64le.patch b/nss-kremlin-ppc64le.patch deleted file mode 100644 index d4e9d89..0000000 --- a/nss-kremlin-ppc64le.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h -=================================================================== ---- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h -+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h -@@ -56,7 +56,9 @@ typedef const char *Prims_string; - #include - typedef __m128i FStar_UInt128_uint128; - #elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \ -- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__)) -+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \ -+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ -+ defined(__s390x__)) - typedef unsigned __int128 FStar_UInt128_uint128; - #else - typedef struct FStar_UInt128_uint128_s { -Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h -=================================================================== ---- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h -+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h -@@ -25,7 +25,9 @@ - #include "LowStar_Endianness.h" - - #if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \ -- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__)) -+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \ -+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ -+ defined(__s390x__)) - - /* GCC + using native unsigned __int128 support */ - diff --git a/nss-tls13-default.patch b/nss-tls13-default.patch deleted file mode 100644 index ffdca50..0000000 --- a/nss-tls13-default.patch +++ /dev/null 
@@ -1,12 +0,0 @@ -diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.tls13-default 2020-01-27 10:21:44.930830558 +0100 -+++ nss/lib/ssl/sslsock.c 2020-01-27 10:21:47.419852229 +0100 -@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = { - */ - static SSLVersionRange versions_defaults_stream = { - SSL_LIBRARY_VERSION_TLS_1_0, -- SSL_LIBRARY_VERSION_TLS_1_3 -+ SSL_LIBRARY_VERSION_TLS_1_2 - }; - - static SSLVersionRange versions_defaults_datagram = { diff --git a/nss.spec b/nss.spec index b83944f..8a0c2ba 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.25.0 -%global nss_version 3.51.1 +%global nss_version 3.52.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 2%{?dist} +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -106,16 +106,7 @@ Patch2: nss-539183.patch # Once the buildroot aha been bootstrapped the patch may be removed # but it doesn't hurt to keep it. Patch4: iquote.patch -# add missing ike mechanism to softoken -Patch10: nss-3.47-ike-fix.patch -# To revert the upstream change: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118 -# as it still doesn't work under FIPS mode because of missing HKDF -# support in PKCS #11. -Patch11: nss-tls13-default.patch Patch12: nss-signtool-format.patch -# https://github.com/FStarLang/kremlin/issues/166 -Patch13: nss-kremlin-ppc64le.patch %description Network Security Services (NSS) is a set of libraries designed to 
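Review bot: Dropping `Patch11: nss-tls13-default.patch` restores the upstream default maximum TLS version of 1.3 for every consumer of the distro library (the deleted patch pinned `versions_defaults_stream` to `SSL_LIBRARY_VERSION_TLS_1_2`), a behaviour change that neither the commit description nor the `- Update to NSS 3.52` changelog entry mentions. The removed spec comment said the revert was kept because FIPS mode had no HKDF support in PKCS #11; if 3.52 resolves that, or the revert is deliberately abandoned, the reason belongs in the commit description and as a %changelog line such as `- Drop nss-tls13-default.patch; TLS 1.3 is the default maximum again`. `Patch10: nss-3.47-ike-fix.patch` is presumably upstream in 3.52 (the CKM_AES_XCBC_MAC_96 length fix and the CKM_NSS_IKE1_APP_B_PRF_DERIVE table entry), but nothing here says so; a one-line changelog note per dropped patch lets an IPsec/FIPS user check that the softoken mechanism table did not regress. The removal of `Patch13` is undone by the next patch in this series and needs no separate note.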
@@ -894,6 +885,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Mon May 11 2020 Daiki Ueno - 3.52.0-1 +- Update to NSS 3.52 + * Sat Apr 25 2020 Daiki Ueno - 3.51.1-2 - Temporarily revert DBM disablement for kernel build failure (#1827902) diff --git a/sources b/sources index 8464526..2f019bb 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 -SHA512 (nss-3.51.1.tar.gz) = 1878780886cc330489a14a60ee5cb67b174f3167d020db256eacdce079652ef8af65813914cd0fb5684457053fa27acc9bff72d0713fbea28795613ca45a6d46 +SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6 From 26f93fa193ff06d976a34e573d93b6a89e43c920 Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 11 May 2020 18:38:26 +0200 Subject: [PATCH 2/3] Restore nss-kremlin-ppc64le.patch --- nss-kremlin-ppc64le.patch | 31 +++++++++++++++++++++++++++++++ nss.spec | 2 ++ 2 files changed, 33 insertions(+) create mode 100644 nss-kremlin-ppc64le.patch diff --git a/nss-kremlin-ppc64le.patch b/nss-kremlin-ppc64le.patch new file mode 100644 index 0000000..b5f4700 --- /dev/null +++ b/nss-kremlin-ppc64le.patch 
@@ -0,0 +1,31 @@ +Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h +=================================================================== +--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h ++++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h +@@ -56,9 +56,10 @@ typedef const char *Prims_string; + !defined(__clang__) + #include + typedef __m128i FStar_UInt128_uint128; +-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \ ++#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \ + (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \ +- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__))) ++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ ++ defined(__s390x__)) + typedef unsigned __int128 FStar_UInt128_uint128; + #elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__) + typedef __uint128_t FStar_UInt128_uint128; +Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h +=================================================================== +--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h ++++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h +@@ -26,7 +26,8 @@ + + #if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \ + (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \ +- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__))) ++ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \ ++ defined(__s390x__)) + + /* GCC + using native unsigned __int128 support */ + diff --git a/nss.spec b/nss.spec index 8a0c2ba..fe76971 100644 --- a/nss.spec +++ b/nss.spec 
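Review bot: The restored patch's only functional change is adding `defined(__s390x__)` to the native `unsigned __int128` condition — the context lines already contain the `(defined(__powerpc64__) && defined(__LITTLE_ENDIAN__))` clause, so 3.52 covers ppc64le upstream — yet the file keeps the name nss-kremlin-ppc64le.patch and the spec comment added in the nss.spec hunk that follows, `# https://github.com/FStarLang/kremlin/issues/166`, still points at the ppc64le issue. The spec comment should state the real scope so the next rebase can tell when it is droppable, e.g. `# Use native unsigned __int128 in the verified kremlin code on s390x; the ppc64le part is upstream since 3.52`. The types.h hunk also removes and re-adds an `#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \` line that reads identically here, which looks like a whitespace-only change and is noise in a patch that will be carried for a while. Since this switches which FStar_UInt128 implementation the verified primitives under lib/freebl/verified use on s390x, the s390x build is where the freebl self-tests need to run before the change is trusted.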
@@ -107,6 +107,8 @@ Patch2: nss-539183.patch # but it doesn't hurt to keep it. Patch4: iquote.patch Patch12: nss-signtool-format.patch +# https://github.com/FStarLang/kremlin/issues/166 +Patch13: nss-kremlin-ppc64le.patch %description Network Security Services (NSS) is a set of libraries designed to From 614f823eb30b6ac0f0c6ea54ac9b5d26cd0f9cfe Mon Sep 17 00:00:00 2001 From: Bob Relyea Date: Wed, 13 May 2020 16:02:36 -0700 Subject: [PATCH 3/3] Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled. --- nss-gcm-param-default-pkcs11v2.patch | 21 +++++++++++++++++++++ nss.spec | 10 +++++++++- 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 nss-gcm-param-default-pkcs11v2.patch diff --git a/nss-gcm-param-default-pkcs11v2.patch b/nss-gcm-param-default-pkcs11v2.patch new file mode 100644 index 0000000..2d6cba8 --- /dev/null +++ b/nss-gcm-param-default-pkcs11v2.patch @@ -0,0 +1,21 @@ +diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h +--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700 ++++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700 +@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS { + typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR; + + /* deprecated #defines. Drop in future NSS releases */ +-#ifdef NSS_PKCS11_2_0_COMPAT ++#ifndef NSS_PKCS11_3_0_STRICT + + /* defines that were changed between NSS's PKCS #11 and the Oasis headers */ + #define CKF_EC_FP CKF_EC_F_P +@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_ + #define CKT_NETSCAPE_VALID CKT_NSS_VALID + #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR + #else +-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */ ++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */ + typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS; + typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR; + #endif diff --git a/nss.spec b/nss.spec index fe76971..d7d288f 100644 --- a/nss.spec 
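Review bot: Replacing `#ifdef NSS_PKCS11_2_0_COMPAT` with `#ifndef NSS_PKCS11_3_0_STRICT` changes what `CK_GCM_PARAMS` means for every program built against the Fedora nss headers, not only for NSS itself: code written for upstream 3.52, which gets `CK_GCM_PARAMS_V3` by default, is compiled here against `CK_NSS_GCM_PARAMS` unless it defines a macro that exists only in this downstream patch. The two typedefs presumably describe different layouts (that is the reason the compat switch exists), so a caller and a token disagreeing about them is a memory-safety problem rather than a compile error; whether softoken in 3.52 disambiguates by parameter length is not visible here and should be confirmed before this is relied on. The patched header should document the switch next to the new `#ifndef`, e.g. `/* Fedora < 34 / RHEL < 9: keep the CK_NSS_GCM_PARAMS layout by default; define NSS_PKCS11_3_0_STRICT for upstream's PKCS #11 v3.0 CK_GCM_PARAMS */`. The same explanation belongs above `Patch20` in the nss.spec hunk later in this patch, where the nested `%if 0%{?fedora} < 34` / `%if 0%{?rhel} < 9` guard says nothing about what it delays or when it is meant to be dropped.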
+++ b/nss.spec @@ -44,7 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -109,6 +109,11 @@ Patch4: iquote.patch Patch12: nss-signtool-format.patch # https://github.com/FStarLang/kremlin/issues/166 Patch13: nss-kremlin-ppc64le.patch +%if 0%{?fedora} < 34 +%if 0%{?rhel} < 9 +Patch20: nss-gcm-param-default-pkcs11v2.patch +%endif +%endif %description Network Security Services (NSS) is a set of libraries designed to @@ -887,6 +892,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed May 13 2020 Bob Relyea - 3.52.0-2 +- Delay CK_GCM_PARAMS semantics until fedora 34 + * Mon May 11 2020 Daiki Ueno - 3.52.0-1 - Update to NSS 3.52