Compare commits


No commits in common. 'c10-beta' and 'c9' have entirely different histories.
c10-beta ... c9

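--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 SOURCES/blank-cert9.db
 SOURCES/blank-key4.db
-SOURCES/nss-3.101-with-nspr-4.35.tar.gz
+SOURCES/nspr-4.35.tar.gz
+SOURCES/nss-3.101.tar.gz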

@ -1,3 +1,4 @@
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
592ea337ee2504efb09a21a4593cc1f19e4477c2 SOURCES/nss-3.101-with-nspr-4.35.tar.gz 71267859a581d61fea8d7d36c25f716750271cac SOURCES/nspr-4.35.tar.gz
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz

@ -20,6 +20,7 @@ typedef enum {
SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */ SFTKFIPSChkHash, /* make sure the base hash of KDF functions is FIPS */
SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */ SFTKFIPSChkHashTls, /* make sure the base hash of TLS KDF functions is FIPS */
SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */ SFTKFIPSChkHashSp800, /* make sure the base hash of SP-800-108 KDF functions is FIPS */
SFTKFIPSRSAOAEP, /* make sure that both hashes use the same FIPS compliant algorithm */
} SFTKFIPSSpecialClass; } SFTKFIPSSpecialClass;
/* set according to your security policy */ /* set according to your security policy */
@ -79,6 +80,7 @@ SFTKFIPSAlgorithmList sftk_fips_mechs[] = {
#define AES_FB_KEY 128, 256 #define AES_FB_KEY 128, 256
#define AES_FB_STEP 64 #define AES_FB_STEP 64
{ CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_RSA_PKCS_KEY_PAIR_GEN, { RSA_FB_KEY, CKF_KPG }, RSA_FB_STEP, SFTKFIPSNone },
{ CKM_RSA_PKCS_OAEP, { RSA_FB_KEY, CKF_ENC }, RSA_FB_STEP, SFTKFIPSRSAOAEP },
/* -------------- RSA Multipart Signing Operations -------------------- */ /* -------------- RSA Multipart Signing Operations -------------------- */
{ CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone }, { CKM_SHA224_RSA_PKCS, { RSA_FB_KEY, CKF_SGN }, RSA_FB_STEP, SFTKFIPSNone },
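Review bot: The comment on the new `SFTKFIPSRSAOAEP` enumerator says "both hashes" without naming them, and the `CKM_RSA_PKCS_OAEP` table entry below gives no hint either, so a reader of the header alone cannot tell what the special class checks. Suggest `/* RSA-OAEP: the OAEP hash (hashAlg) and the MGF1 hash (mgf) must be the same FIPS-approved algorithm */` on the enumerator. The entry reuses `RSA_FB_KEY` / `RSA_FB_STEP`, so the RSA key-size floor applies to OAEP exactly as to the signing mechanisms; a one-line note next to the entry would make that explicit, since it is the only RSA encryption mechanism visible in this list.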

@ -0,0 +1,20 @@
diff -up ./lib/softoken/pkcs11u.c.fipsrsaoaep ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fipsrsaoaep 2024-10-24 09:27:17.971673855 +0200
+++ ./lib/softoken/pkcs11u.c 2024-10-24 09:23:35.006352872 +0200
@@ -2565,6 +2565,16 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME
}
}
return sftk_checkKeyLength(targetKeyLength, 112, 512, 1);
+ case SFTKFIPSRSAOAEP:;
+ CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)
+ mech->pParameter;
+
+ HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
+ HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
+ /* message hash and mask generation function must be the same */
+ if (hash_pad != hash_msg) return PR_FALSE;
+
+ return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
default:
break;
}
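Review bot: The new `SFTKFIPSRSAOAEP` case casts and dereferences `mech->pParameter` without checking that it is non-NULL and that `mech->ulParameterLen` covers a `CK_RSA_PKCS_OAEP_PARAMS`, so a caller that supplies a missing or truncated parameter block reaches the FIPS check through an invalid read instead of a clean `PR_FALSE`. The `case ...:;` empty-statement trick and the single-line `if (hash_pad != hash_msg) return PR_FALSE;` also depart from the braced clang-format style of the surrounding code; a braced case body avoids both. The `mgf` lookup assumes `sftk_GetHashTypeFromMechanism` accepts `CKG_MGF1_*` values, which this hunk does not show — worth a comment if that is the case. `sftk_handleSpecial` starts and ends outside the hunk.
```c
        case SFTKFIPSRSAOAEP: {
            CK_RSA_PKCS_OAEP_PARAMS *rsaoaep = (CK_RSA_PKCS_OAEP_PARAMS *)mech->pParameter;
            /* reject a missing or short parameter block before reading it */
            if (rsaoaep == NULL || mech->ulParameterLen < sizeof(*rsaoaep)) {
                return PR_FALSE;
            }
            HASH_HashType hash_msg = sftk_GetHashTypeFromMechanism(rsaoaep->hashAlg);
            HASH_HashType hash_pad = sftk_GetHashTypeFromMechanism(rsaoaep->mgf);
            /* the OAEP hash and the MGF1 hash must be the same algorithm */
            if (hash_pad != hash_msg) {
                return PR_FALSE;
            }
            return sftk_checkFIPSHash(rsaoaep->hashAlg, PR_FALSE, PR_FALSE);
        }
```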


@ -0,0 +1,14 @@
diff -up ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default ./cmd/pk12util/pk12util.c
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.773248450 -0700
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
}
}
}
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
- if (PK11_IsFIPS()) {
- hash = SEC_OID_HMAC_SHA256;
- }
if (pk12util.options[opt_Mac].activated) {
char *hashString = pk12util.options[opt_Mac].arg;
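Review bot: Deleting the FIPS-mode `hash = SEC_OID_HMAC_SHA256` default leaves no comment saying what MAC `pk12util` now uses in FIPS mode or why, so the next reader sees only that a FIPS-specific default vanished; the fallback default itself is outside the hunk. Suggest a one-line note where the block was, e.g. `/* no FIPS-specific MAC default: the MAC is chosen via the opt_Mac option (see nss-3.101-el9-restore-old-pkcs12-default.patch) */`. If the fallback is the legacy SHA-1 PKCS#12 MAC — which I cannot confirm from this hunk — the package changelog should tell FIPS users to pass the MAC option explicitly to get the SHA-256 encoding they previously got by default. `main` continues outside the hunk.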

@ -0,0 +1,12 @@
diff -up ./lib/softoken/pkcs11u.c.fips_check_curver25519 ./lib/softoken/pkcs11u.c
--- ./lib/softoken/pkcs11u.c.fips_check_curver25519 2024-11-11 11:24:25.186654635 +0100
+++ ./lib/softoken/pkcs11u.c 2024-11-07 10:26:03.806562274 +0100
@@ -2356,7 +2356,7 @@ sftk_getKeyLength(SFTKObject *source)
* key length is CKA_VALUE, which is the default */
keyType = CKK_INVALID_KEY_TYPE;
}
- if (keyType == CKK_EC) {
+ if (keyType == CKK_EC || keyType == CKK_EC_EDWARDS || keyType == CKK_EC_MONTGOMERY) {
SECOidTag curve = sftk_quickGetECCCurveOid(source);
switch (curve) {
case SEC_OID_CURVE25519:
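Review bot: The widened condition routes `CKK_EC_EDWARDS` and `CKK_EC_MONTGOMERY` keys through the same `sftk_quickGetECCCurveOid` switch, but only the `SEC_OID_CURVE25519` arm is visible; if Edwards keys report a distinct curve OID (for example a dedicated Ed25519 OID), they would fall through to the default arm, which is outside the hunk. Worth a comment above the `if` stating which OIDs the switch is expected to handle for the two new key types, e.g. `/* Montgomery and Edwards keys resolve their curve through the same OID lookup and must be sized here too */`, plus a FIPS size test with an Ed25519 key if none exists. `sftk_getKeyLength` continues outside the hunk.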

@ -1,12 +0,0 @@
diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs 2024-09-12 14:39:41.421586862 -0700
+++ ./tests/fips/cavs_scripts/validate1.sh 2024-09-12 14:39:55.036747283 -0700
@@ -21,7 +21,7 @@ name=`basename $request .req`
echo ">>>>> $name"
sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
# if we didn't generate any output, flag that as an error
-size=`sum /tmp/y1 | awk '{ print $NF }'`
+size=`sum /tmp/y1 | awk '{ print $1 }'`
if [ $size -eq 0 ]; then
echo "${TESTDIR}/resp/${name}.rsp: empty"
exit 1;

@ -0,0 +1,12 @@
diff -up ./cmd/shlibsign/shlibsign.c.shlibsign ./cmd/shlibsign/shlibsign.c
--- ./cmd/shlibsign/shlibsign.c.shlibsign 2024-06-07 09:26:03.000000000 -0700
+++ ./cmd/shlibsign/shlibsign.c 2024-10-31 10:49:28.637449054 -0700
@@ -1426,7 +1426,7 @@ main(int argc, char **argv)
} else {
/* NON FIPS mode == C_GetFunctionList */
pC_GetFunctionList = (CK_C_GetFunctionList)
- PR_FindFunctionSymbol(lib, "C_GetFunctionList");
+ PR_FindFunctionSymbol(lib, "NSC_GetFunctionList");
}
assert(pC_GetFunctionList != NULL);
if (!pC_GetFunctionList) {
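Review bot: The comment on the line above the change still reads `/* NON FIPS mode == C_GetFunctionList */` while the code now resolves `NSC_GetFunctionList`, so the comment contradicts the lookup it annotates. Suggest `/* NON FIPS mode: use NSC_GetFunctionList; C_GetFunctionList yields the FIPS table in this build */` — the second clause is my inference from `NSS_FORCE_FIPS=1` being exported in the spec elsewhere in this compare, so confirm it before wording the comment that way. `main` continues outside the hunk.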

@ -0,0 +1,83 @@
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
static PRBool
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
{
+#ifdef notdef
PRUint32 policy;
SECStatus rv;
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
return PR_TRUE;
}
return PR_FALSE;
+#else
+ return PR_TRUE;
+#endif
}
PRBool
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
PRBool
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
{
+#ifdef notdef
PRUint32 policyFlags;
/* some S/MIME algs map to the same underlying KEA mechanism,
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
return PR_FALSE;
}
+#endif
return PR_TRUE;
}
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
return PR_FAILURE;
}
+#ifdef notdef
/* At initialization time, we need to set up the defaults. We first
* look to see if the system or application has set up certain algorithms
* by policy. If they have set up values by policy we'll only allow those
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
PORT_Free(tags);
tags = NULL;
}
+#else
+ /* just initialize the old maps */
+ rv = SECSuccess;
+ tagCount = 0;
+#endif
if ((rv != SECSuccess) || (tagCount == 0)) {
/* No algorithms have been enabled by policy (either by the system
* or by the application, we then will use the traditional default
diff -up ./tests/smime/smime.sh.no_p12_smime_policy ./tests/smime/smime.sh
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 11:26:00.303836075 -0700
+++ ./tests/smime/smime.sh 2024-07-17 11:26:00.334836451 -0700
@@ -872,6 +872,6 @@ smime_init
smime_main
smime_data_tb
smime_p7
-smime_policy
+#smime_policy
smime_cleanup
diff -up ./tests/tools/tools.sh.no_p12_smime_policy ./tests/tools/tools.sh
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 11:26:00.304836087 -0700
+++ ./tests/tools/tools.sh 2024-07-17 11:26:00.334836451 -0700
@@ -585,7 +585,7 @@ tools_p12()
tools_p12_import_old_files
tools_p12_import_pbmac1_samples
tools_p12_import_rsa_pss_private_key
- tools_p12_policy
+ #tools_p12_policy
}
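Review bot: The `#ifdef notdef` stubs make `sec_PKCS12Allowed` and `smime_allowed_by_policy` return `PR_TRUE` unconditionally with no comment explaining why the system crypto policy is bypassed for PKCS#12 and S/MIME, so a later maintainer cannot tell a deliberate compatibility decision from a debugging leftover, and every algorithm the policy disallows becomes usable on these two paths. Suggest a comment at each stub, e.g. `/* Algorithm policy enforcement for PKCS#12 and S/MIME is intentionally disabled in this build (nss-3.101-no-p12-smime-policy.patch); any algorithm the library supports is allowed here. */` — presumably a RHEL 9 compatibility choice, which the patch header should state rather than leave implicit. Commenting out `smime_policy` and `tools_p12_policy` in the test scripts hides the skip instead of recording it; a guarded call with an echo naming the reason would keep the test list honest. `smime_init_once` continues outside its hunk.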
############################## tools_sign ##############################

@ -0,0 +1,104 @@
diff -up ./lib/certhigh/certvfypkix.c.revert_libpkix ./lib/certhigh/certvfypkix.c
--- ./lib/certhigh/certvfypkix.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/certhigh/certvfypkix.c 2024-07-05 13:18:34.285174699 -0700
@@ -39,7 +39,7 @@ pkix_pl_lifecycle_ObjectTableUpdate(int
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-static PRBool usePKIXValidationEngine = PR_TRUE;
+static PRBool usePKIXValidationEngine = PR_FALSE;
#endif /* NSS_DISABLE_LIBPKIX */
/*
diff -up ./lib/nss/nssinit.c.revert_libpkix ./lib/nss/nssinit.c
--- ./lib/nss/nssinit.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/nss/nssinit.c 2024-07-05 13:18:34.285174699 -0700
@@ -764,9 +764,9 @@ nss_Init(const char *configdir, const ch
if (pkixError != NULL) {
goto loser;
} else {
- char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
+ char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
if (ev && ev[0]) {
- CERT_SetUsePKIXForValidation(PR_FALSE);
+ CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
#endif /* NSS_DISABLE_LIBPKIX */
diff -up ./tests/all.sh.revert_libpkix ./tests/all.sh
--- ./tests/all.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/all.sh 2024-07-05 13:18:34.285174699 -0700
@@ -143,9 +143,6 @@ run_cycle_standard()
{
TEST_MODE=STANDARD
- NSS_DISABLE_LIBPKIX_VERIFY="1"
- export NSS_DISABLE_LIBPKIX_VERIFY
-
TESTS="${ALL_TESTS}"
TESTS_SKIP="libpkix pkits"
@@ -153,8 +150,6 @@ run_cycle_standard()
export NSS_DEFAULT_DB_TYPE
run_tests
-
- unset NSS_DISABLE_LIBPKIX_VERIFY
}
############################ run_cycle_pkix ############################
@@ -172,6 +167,9 @@ run_cycle_pkix()
mkdir -p "${HOSTDIR}"
init_directories
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
+
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
diff -up ./tests/common/init.sh.revert_libpkix ./tests/common/init.sh
--- ./tests/common/init.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/common/init.sh 2024-07-05 13:18:34.285174699 -0700
@@ -140,8 +140,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
echo "export NSS_DEFAULT_DB_TYPE"
- echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
- echo "export NSS_DISABLE_PKIX_VERIFY"
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
+ echo "export NSS_ENABLE_PKIX_VERIFY"
echo "init_directories"
}
diff -up ./tests/ssl/ssl.sh.revert_libpkix ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.revert_libpkix 2024-07-05 13:18:34.267174492 -0700
+++ ./tests/ssl/ssl.sh 2024-07-05 13:23:15.295402481 -0700
@@ -971,8 +971,9 @@ ssl_policy_pkix_ocsp()
return 0
fi
- PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
- unset NSS_DISABLE_LIBPKIX_VERIFY
+ PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
testname=""
@@ -997,10 +998,12 @@ ssl_policy_pkix_ocsp()
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
- if [ "{PKIX_SAVE}" != "unset" ]; then
- export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
+ if [ "${PKIX_SAVE}" = "unset" ]; then
+ unset NSS_ENABLE_PKIX_VERIFY
+ else
+ NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
+ export NSS_ENABLE_PKIX_VERIFY
fi
-
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
html "</TABLE><BR>"
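Review bot: In the `tests/all.sh` hunk, `run_cycle_pkix` now exports `NSS_ENABLE_PKIX_VERIFY=1` but the hunk adds no matching `unset`, whereas the `unset NSS_DISABLE_LIBPKIX_VERIFY` it removes from `run_cycle_standard` shows the previous code did clean up after itself; any cycle run after `run_cycle_pkix` in the same shell would inherit the PKIX engine unless the function's tail, which is outside the hunk, unsets it. Suggest mirroring what the `ssl.sh` hunk in this same patch does — save, set, then restore — or at minimum `unset NSS_ENABLE_PKIX_VERIFY` at the end of `run_cycle_pkix`. The `ssl.sh` hunk also fixes the old `"{PKIX_SAVE}"` test that was missing its `$`, which deserves a line in the patch description since it changes test behavior independently of the default flip.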

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

@ -21,7 +21,6 @@ Options:
Dynamic Libraries: Dynamic Libraries:
softokn3 - Requires full dynamic linking softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check) freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked Dymamically linked
EOF EOF
exit $1 exit $1

@ -7,5 +7,5 @@ Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION% Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 Libs: -L${libdir} -lfreebl3 -lsoftokn3
Cflags: -I${includedir} Cflags: -I${includedir}

@ -1,16 +1,16 @@
%global nss_version 3.101.0 %global nss_version 3.101.0
%global nspr_version 4.35.0 %global nspr_version 4.35.0
# NOTE: To avoid NVR clashes of nspr* packages: %global baserelease 10
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 7
%global nss_release %baserelease %global nss_release %baserelease
# NOTE: To avoid NVR clashes of nspr* packages:
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different. # release number between nss and nspr are different.
%global nspr_release %[%baserelease+21] # when a new nspr is released with nss, reset nspr_release to baserelease.
# for each new nss relase with the same nspr, change increment n by one.
%global nspr_release %[%baserelease+7]
# only need to update this as we added new # only need to update this as we added new
# algorithms under nss policy control # algorithms under nss policy control
%global crypto_policies_version 20240522 %global crypto_policies_version 20210118
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved %global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut %global dracutlibdir %{_prefix}/lib/dracut
@ -57,8 +57,6 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_"))) string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
} }
%global nss_nspr_archive nss-%{nss_archive_version}-with-nspr-%{nspr_archive_version}
# This is taken from gnutls.spec # This is taken from gnutls.spec
%define srpmhash() %{lua: %define srpmhash() %{lua:
local files = rpm.expand("%_specdir/nss.spec") local files = rpm.expand("%_specdir/nss.spec")
@ -78,7 +76,7 @@ Summary: Network Security Services
Name: nss Name: nss
Version: %{nss_version} Version: %{nss_version}
Release: %{nss_release}%{?dist} Release: %{nss_release}%{?dist}
License: MPL-2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/ URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version} Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_version} Requires: nss-util >= %{nss_version}
@ -86,6 +84,7 @@ Requires: nss-util >= %{nss_version}
Requires: nss-softokn%{_isa} >= %{nss_version} Requires: nss-softokn%{_isa} >= %{nss_version}
Requires: nss-system-init Requires: nss-system-init
Requires: p11-kit-trust Requires: p11-kit-trust
Requires: /usr/bin/update-crypto-policies
Requires: crypto-policies >= %{crypto_policies_version} Requires: crypto-policies >= %{crypto_policies_version}
# for shlibsign # for shlibsign
BuildRequires: make BuildRequires: make
@ -98,7 +97,7 @@ BuildRequires: psmisc
BuildRequires: perl-interpreter BuildRequires: perl-interpreter
BuildRequires: gcc-c++ BuildRequires: gcc-c++
Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{nss_nspr_archive}.tar.gz Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
Source1: nss-util.pc.in Source1: nss-util.pc.in
Source2: nss-util-config.in Source2: nss-util-config.in
Source3: nss-softokn.pc.in Source3: nss-softokn.pc.in
@ -118,18 +117,22 @@ Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh Source16: setup-nsssysinit.sh
Source20: nss-config.xml Source20: nss-config.xml
Source21: setup-nsssysinit.xml Source21: setup-nsssysinit.xml
Source22: pkcs11.txt.xml
Source24: cert9.db.xml
Source26: key4.db.xml
%if %{with dbm} %if %{with dbm}
Source23: cert8.db.xml Source23: cert8.db.xml
Source25: key3.db.xml Source25: key3.db.xml
Source27: secmod.db.xml Source27: secmod.db.xml
%endif %endif
Source22: pkcs11.txt.xml
Source24: cert9.db.xml
Source26: key4.db.xml
Source28: nss-p11-kit.config
# fips algorithms are tied to the red hat validation, others # fips algorithms are tied to the red hat validation, others
# will have their own validation # will have their own validation
Source30: fips_algorithms.h Source30: fips_algorithms.h
#Source50: NameConstraints_Certs.tar
Source100: nspr-%{nspr_archive_version}.tar.gz
Source101: nspr-config.xml Source101: nspr-config.xml
# This patch uses the GCC -iquote option documented at # This patch uses the GCC -iquote option documented at
@ -142,19 +145,22 @@ Source101: nspr-config.xml
# changes. # changes.
# #
# Once the buildroot has been bootstrapped the patch may be removed # Once the buildroot has been bootstrapped the patch may be removed
# but it doesn't hurt to keep it. # but it doesn't hurt to keep it
Patch4: iquote.patch Patch4: iquote.patch
Patch12: nss-signtool-format.patch Patch12: nss-signtool-format.patch
Patch20: nss-3.101-extend-db-dump-time.patch Patch20: nss-3.101-extend-db-dump-time.patch
Patch21: nss-3.101-enable-sdb-tests.patch Patch21: nss-3.101-enable-sdb-tests.patch
# connect our shared library to the build root loader flags (needed for -relro) # connect our shared library to the build root loader flags (needed for -relro)
Patch31: nss-dso-ldflags.patch Patch31: nss-dso-ldflags.patch
# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
Patch32: nss-3.101-disable-md5.patch Patch32: nss-3.101-disable-md5.patch
# rhel10 disabled dbm by default # dbm is disabled on RHEL9, make the man pages reflect that
%if %{with dbm}
%else
Patch33: nss-no-dbm-man-page.patch Patch33: nss-no-dbm-man-page.patch
%endif
# not upstreamable patch... # not upstreamable patch...
# WARNING: Need to make this patch work before checking!!! $$$$@@@
Patch34: nss-3.71-fix-lto-gtests.patch Patch34: nss-3.71-fix-lto-gtests.patch
# camellia pkcs12 docs. # camellia pkcs12 docs.
Patch35: nss-3.71-camellia-pkcs12-doc.patch Patch35: nss-3.71-camellia-pkcs12-doc.patch
@ -169,6 +175,8 @@ Patch50: nss-3.79-fips.patch
Patch51: nss-3.101-fips-review.patches Patch51: nss-3.101-fips-review.patches
Patch52: nss-3.90-pbkdf2-indicator.patch Patch52: nss-3.90-pbkdf2-indicator.patch
Patch53: nss-3.101-skip-ocsp-if-not-connected.patch Patch53: nss-3.101-skip-ocsp-if-not-connected.patch
# dont upstream, must be after patch53 (sigh)
Patch54: nss-3.101-revert-libpkix-default.patch
# ems policy. needs to upstream # ems policy. needs to upstream
Patch60: nss-3.101-add-ems-policy.patch Patch60: nss-3.101-add-ems-policy.patch
@ -181,6 +189,8 @@ Patch75: nss-3.90-ppc_no_init.patch
Patch76: nss-3.101-enable-kyber-policy.patch Patch76: nss-3.101-enable-kyber-policy.patch
Patch77: nss-3.101-fix-rsa-policy-test.patch Patch77: nss-3.101-fix-rsa-policy-test.patch
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
Patch79: nss-3.101-el9-restore-old-pkcs12-default.patch
Patch80: nss-3.101-no-p12-smime-policy.patch
Patch81: nss-3.101-fix-missing-size-checks.patch Patch81: nss-3.101-fix-missing-size-checks.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691 # https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Patch82: nss-3.101-chacha-timing-fix.patch Patch82: nss-3.101-chacha-timing-fix.patch
@ -189,13 +199,9 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100 # https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch Patch86: nss-3.101-long-pwd-fix.patch
Patch87: nss-3.101-fix-cavs-test.patch Patch87: nss-3.101-fix-shlibsign-fips.patch
Patch88: nss-3.101-fips-check-ec25519-size.patch
# RHEL-10 specific Patch89: nss-3.101-allow-fips-rsa-oaep.patch
Patch90: nss-3.101-disable_dsa.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
Patch100: nspr-config-pc.patch Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch Patch101: nspr-gcc-atomics.patch
@ -203,6 +209,11 @@ Patch101: nspr-gcc-atomics.patch
Patch110: nspr-4.34-fix-coverity-loop-issue.patch Patch110: nspr-4.34-fix-coverity-loop-issue.patch
Patch120: nspr-4.34-server-passive.patch Patch120: nspr-4.34-server-passive.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
%description %description
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and support cross-platform development of security-enabled client and
@ -212,7 +223,7 @@ v3 certificates, and other security standards.
%package tools %package tools
Summary: Tools for the Network Security Services Summary: Tools for the Network Security Services
Requires: %{name}%{?_isa} = %{nss_version}-%{release} Requires: %{name}%{?_isa} = %{nss_version}-%{nss_release}%{dist}
%description tools %description tools
Network Security Services (NSS) is a set of libraries designed to Network Security Services (NSS) is a set of libraries designed to
@ -229,7 +240,7 @@ Summary: System NSS Initialization
# providing nss-system-init without version so that it can # providing nss-system-init without version so that it can
# be replaced by a better one, e.g. supplied by the os vendor # be replaced by a better one, e.g. supplied by the os vendor
Provides: nss-system-init Provides: nss-system-init
Requires: nss%{?_isa} = %{nss_version}-%{release} Requires: nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires(post): coreutils, sed Requires(post): coreutils, sed
%description sysinit %description sysinit
@ -240,8 +251,8 @@ any system or user configured modules.
%package devel %package devel
Summary: Development libraries for Network Security Services Summary: Development libraries for Network Security Services
Provides: nss-static = %{nss_version}-%{release} Provides: nss-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss%{?_isa} = %{nss_version}-%{release} Requires: nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss-util-devel Requires: nss-util-devel
Requires: nss-softokn-devel Requires: nss-softokn-devel
Requires: nspr-devel >= %{nspr_version} Requires: nspr-devel >= %{nspr_version}
@ -254,9 +265,9 @@ Header and Library files for doing development with Network Security Services.
%package pkcs11-devel %package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Provides: nss-pkcs11-devel-static = %{nss_version}-%{release} Provides: nss-pkcs11-devel-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss-devel = %{nss_version}-%{release} Requires: nss-devel = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl-devel = %{nss_version}-%{release} Requires: nss-softokn-freebl-devel = %{nss_version}-%{nss_release}%{dist}
%description pkcs11-devel %description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS Library files for developing PKCS #11 modules using basic NSS
@ -272,7 +283,7 @@ Utilities for Network Security Services and the Softoken module
%package util-devel %package util-devel
Summary: Development libraries for Network Security Services Utilities Summary: Development libraries for Network Security Services Utilities
Requires: nss-util%{?_isa} = %{nss_version}-%{release} Requires: nss-util%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nspr-devel >= %{nspr_version} Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig Requires: pkgconfig
@ -283,8 +294,8 @@ Header and library files for doing development with Network Security Services.
%package softokn %package softokn
Summary: Network Security Services Softoken Module Summary: Network Security Services Softoken Module
Requires: nspr >= %{nspr_version} Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_version}-%{release} Requires: nss-util >= %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{release} Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{nss_release}%{dist}
%description softokn %description softokn
Network Security Services Softoken Cryptographic Module Network Security Services Softoken Cryptographic Module
@ -305,8 +316,8 @@ Install the nss-softokn-freebl package if you need the freebl library.
%package softokn-freebl-devel %package softokn-freebl-devel
Summary: Header and Library files for doing development with the Freebl library for NSS Summary: Header and Library files for doing development with the Freebl library for NSS
Provides: nss-softokn-freebl-static = %{nss_version}-%{release} Provides: nss-softokn-freebl-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{release} Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{nss_release}%{dist}
%description softokn-freebl-devel %description softokn-freebl-devel
NSS Softoken Cryptographic Module Freebl Library Development Tools NSS Softoken Cryptographic Module Freebl Library Development Tools
@ -317,10 +328,10 @@ Developers should rely only on the officially supported NSS public API.
%package softokn-devel %package softokn-devel
Summary: Development libraries for Network Security Services Summary: Development libraries for Network Security Services
Requires: nss-softokn%{?_isa} = %{nss_version}-%{release} Requires: nss-softokn%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{release} Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nspr-devel >= %{nspr_version} Requires: nspr-devel >= %{nspr_version}
Requires: nss-util-devel >= %{nss_version}-%{release} Requires: nss-util-devel >= %{nss_version}-%{nss_release}%{dist}
Requires: pkgconfig Requires: pkgconfig
%description softokn-devel %description softokn-devel
@ -330,7 +341,7 @@ Header and library files for doing development with Network Security Services.
Summary: Netscape Portable Runtime Summary: Netscape Portable Runtime
Version: %{nspr_version} Version: %{nspr_version}
Release: %{nspr_release}%{?dist} Release: %{nspr_release}%{?dist}
License: MPL-2.0 License: MPLv2.0
URL: http://www.mozilla.org/projects/nspr/ URL: http://www.mozilla.org/projects/nspr/
Conflicts: filesystem < 3 Conflicts: filesystem < 3
BuildRequires: gcc BuildRequires: gcc
@ -353,8 +364,12 @@ Conflicts: filesystem < 3
%description -n nspr-devel %description -n nspr-devel
Header files for doing development with the Netscape Portable Runtime. Header files for doing development with the Netscape Portable Runtime.
%prep %prep
%setup -q -T -b 100 -n nspr-%{nspr_archive_version}
%setup -q -T -b 0 -n %{name}-%{nss_archive_version} %setup -q -T -b 0 -n %{name}-%{nss_archive_version}
mv ../nspr-%{nspr_archive_version}/nspr .
cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
%patch -P 100 -p0 -b .flags %patch -P 100 -p0 -b .flags
@ -362,8 +377,10 @@ pushd nspr
%autopatch -p 1 -m 101 -M 299 %autopatch -p 1 -m 101 -M 299
popd popd
pushd nss pushd nss
%autopatch -p1 -M 99 %autopatch -p1 -M 99
#%%patch -P 400 -p1 -b .backup
# sigh it would be nice if autopatch supported -R # sigh it would be nice if autopatch supported -R
%patch -P 300 -R -p1 %patch -P 300 -R -p1
popd popd
@ -373,6 +390,11 @@ popd
# each vendors claim in their own FIPS certification # each vendors claim in their own FIPS certification
cp %{SOURCE30} nss/lib/softoken/ cp %{SOURCE30} nss/lib/softoken/
#update expired test certs
#pushd nss
#tar xvf %{SOURCE50}
#popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \; find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
@ -385,6 +407,8 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
# adjustment in the NSS build process. # adjustment in the NSS build process.
mkdir -p nspr_build mkdir -p nspr_build
pushd nspr_build pushd nspr_build
export LDFLAGS="$RPM_LD_FLAGS"
export CFLAGS="$RPM_OPT_FLAGS"
../nspr/configure \ ../nspr/configure \
--prefix=%{_prefix} \ --prefix=%{_prefix} \
--libdir=%{_libdir} \ --libdir=%{_libdir} \
@ -434,10 +458,6 @@ popd
# uncomment if the iquote patch is activated # uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1 export IN_TREE_FREEBL_HEADERS_FIRST=1
# deprication
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
# FIPS related defines # FIPS related defines
export NSS_FORCE_FIPS=1 export NSS_FORCE_FIPS=1
export NSS_FIPS_VERSION="%{name}\ %{nss_version}-%{srpmhash}" export NSS_FIPS_VERSION="%{name}\ %{nss_version}-%{srpmhash}"
@ -467,8 +487,6 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
# Similarly, but for gcc-11 # Similarly, but for gcc-11
export XCFLAGS="$XCFLAGS -Wno-array-parameter" export XCFLAGS="$XCFLAGS -Wno-array-parameter"
export LDFLAGS=$RPM_LD_FLAGS
export DSO_LDFLAGS=$RPM_LD_FLAGS export DSO_LDFLAGS=$RPM_LD_FLAGS
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
@ -500,7 +518,6 @@ export POLICY_FILE="nss.config"
# location of the policy file # location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends" export POLICY_PATH="/etc/crypto-policies/back-ends"
%{__make} -C ./nss all %{__make} -C ./nss all
%{__make} -C ./nss latest %{__make} -C ./nss latest
@ -597,20 +614,22 @@ date +"%e %B %Y" | tr -d '\n' > date.xml
echo -n %{nss_version} > version.xml echo -n %{nss_version} > version.xml
# configuration files and setup script # configuration files and setup script
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do
cp ${m} .
done
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do
xmlto man ${m}
done
%if %{with dbm} %if %{with dbm}
%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27} # nss dbm databases
%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do
%else
%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
%global dbfiles cert9.db key4.db pkcs11.txt
%endif
for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
cp ${m} . cp ${m} .
done done
%global configFiles nss-config setup-nsssysinit for m in cert8.db.xml key3.db.xml secmod.db.xml; do
for m in %{configFiles} %{dbfiles}; do xmlto man ${m}
xmlto man ${m}.xml
done done
%endif
%check %check
@ -634,9 +653,6 @@ popd
export FREEBL_NO_DEPEND=1 export FREEBL_NO_DEPEND=1
export BUILD_OPT=1 export BUILD_OPT=1
export NSS_DISABLE_PPC_GHASH=1
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
%ifnarch noarch %ifnarch noarch
%if 0%{__isa_bits} == 64 %if 0%{__isa_bits} == 64
@ -659,6 +675,10 @@ done
# disabled by the system policy. # disabled by the system policy.
export NSS_IGNORE_SYSTEM_POLICY=1 export NSS_IGNORE_SYSTEM_POLICY=1
%ifarch i686 ppcle64
export NSS_DB_DUMP_TIME=10
%endif
# enable the following line to force a test failure # enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f # find ./nss -name \*.chk | xargs rm -f
@ -769,6 +789,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir} mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir} mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir} mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%if %{defined rhel} %if %{defined rhel}
# not needed for rhel and its derivatives only fedora # not needed for rhel and its derivatives only fedora
%else %else
@ -857,11 +878,11 @@ install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir
ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
# Copy the man pages for scripts # Copy the man pages for scripts
for f in %{configFiles}; do for f in nss-config setup-nsssysinit; do
install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done done
# Copy the man pages for the nss tools # Copy the man pages for the nss tools
for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done done
%if %{defined rhel} %if %{defined rhel}
@ -870,10 +891,19 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
%endif %endif
# Copy the man pages for the nss databases # Copy the man pages for the configuration files
for f in %{dbfiles}; do for f in pkcs11.txt cert9.db key4.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done done
# Copy the man pages for the nss dbm databases
%if %{with dbm}
for f in cert8.db key3.db secmod.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
%endif
# Copy the crypto-policies configuration file
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 %triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet # Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@ -894,6 +924,9 @@ if test $1 -eq 2; then
fi fi
%endif %endif
%posttrans
update-crypto-policies &> /dev/null || :
%files %files
%{!?_licensedir:%global license %%doc} %{!?_licensedir:%global license %%doc}
@ -910,6 +943,7 @@ fi
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
%if %{with dbm} %if %{with dbm}
%doc %{_mandir}/man5/cert8.db.5* %doc %{_mandir}/man5/cert8.db.5*
%doc %{_mandir}/man5/key3.db.5* %doc %{_mandir}/man5/key3.db.5*
@ -955,6 +989,7 @@ fi
%doc %{_mandir}/man1/cmsutil.1* %doc %{_mandir}/man1/cmsutil.1*
%doc %{_mandir}/man1/crlutil.1* %doc %{_mandir}/man1/crlutil.1*
%doc %{_mandir}/man1/modutil.1* %doc %{_mandir}/man1/modutil.1*
%doc %{_mandir}/man1/nss-policy-check.1*
%doc %{_mandir}/man1/pk12util.1* %doc %{_mandir}/man1/pk12util.1*
%doc %{_mandir}/man1/signver.1* %doc %{_mandir}/man1/signver.1*
# unsupported tools # unsupported tools
@ -1057,8 +1092,8 @@ fi
%{_includedir}/nss3/base64.h %{_includedir}/nss3/base64.h
%{_includedir}/nss3/ciferfam.h %{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h %{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/hasht.h %{_includedir}/nss3/hasht.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/nssb64.h %{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h %{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsshash.h %{_includedir}/nss3/nsshash.h
@ -1168,6 +1203,17 @@ fi
%changelog %changelog
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-10
- Allow RSA-OAEP in FIPS mode
* Mon Nov 11 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.101.0-9
- Add SEC_OID_CURVE25519 to FIPS checks.
- This will mark algorithms using it as FIPS unapproved.
* Mon Nov 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-8
- fix shlibsign in FIPS mode
- remove dbm from pkgconfig
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7 * Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage - fix cms abi breakage
- fix long password issue on pbmac encodings - fix long password issue on pbmac encodings
@ -1176,159 +1222,187 @@ fi
- fix param encoding in pkcs12 pbamac encoding - fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient - add support for certificate compression in selfserv and tstclient
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5 * Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
- Fix missing and inaccurate key length checks - Fix missing and inaccurate key length checks
- Fix chacha timing issue - Fix chacha timing issue
* Thu Jul 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-4 * Tue Jul 16 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
- Fix MD-5 decode issue in pkcs #12 - Fix MD-5 decode issue in pkcs #12
- turn off policy processing for pkcs12 and smime
- restore the rhel9 pkcs12 defaults for pk12util
* Mon Jul 15 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3 * Tue Jun 11 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Add FIPS 140-3 defines to sec file - Rebase to NSS 3.101
- restore ppc init support
* Fri Jul 12 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2 * Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
- Fix spec to deal with annocheck failures - Allow for shorter ecdsa signatures by padding them to full length
* Tue Jun 25 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1 * Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
- Update NSS to 3.101.0 - Fix ecc DER wrapping.
- Pick up RHEL FIPS and other patches
- Turn off SEED and DSA
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.97.0-2 * Tue Jan 9 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
- Bump release for June 2024 mass rebuild - Pick up validated constant time implementations of p256, p384, and p521
from upsream
- More Fips indicator changes
* Sun Jan 28 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1 * Wed Nov 22 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
- Update NSS to 3.97.0 - FIPS review changes
- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
- update the indicators for this release
- allow hashing of longer than int32 values in a single PKCS #11 call.
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-3 * Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Fix expired certs in tests
- Fix CVE-2023-5388
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-2 * Fri Aug 4 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - add indicator for pbkdf
- fix ems policy bug
* Thu Dec 21 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.96.1-1 * Thu Jun 29 2023 frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-2
- Update NSS to 3.96.1 - fix release number
* Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1 * Wed Jun 28 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Update NSS to 3.95.0 - fix missing dist tag in packages version
- move from deprecate %%patch format
* Wed Oct 25 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-2 * Mon Jun 12 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
- revert HACL 256 code to fix binary compatibility issue. - Rebase to NSS-3.90
- Rebase to NSPR-3.35
- fix incorrect version values in the NSS spec file for FIPS
* Wed Oct 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-1 * Fri Mar 17 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-18
- Update NSS to 3.94.0 - fix memory leak, add generator test in FIPS mode.
* Thu Sep 07 2023 Bob Relyea <rrelyea@redhat.com> - 3.93.0-2 * Thu Mar 16 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-17
- Update License field to SPDX. - fix consistency return errors. We shouldn't lock the FIPS
token if the application asked for invalid DH parameters on
on keygen.
* Thu Aug 31 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.93.0-1 * Mon Mar 13 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-16
- Update NSS to 3.93.0 - Add check for RSA PSS Salt required by FIPS
- Update fips_algorithms.sh according to the review.
* Tue Aug 1 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.92.0-1 * Thu Mar 2 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-15
- Update NSS to 3.92.0 - Fix CVE-2023-0767
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.91.0-2 * Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - Update fips_algorithms.h to match the final FIPS requirements
- Disable delegated credentials
* Tue Jul 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.91.0-1 * Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-13
- Update NSS to 3.91.0 - remove OAEP from the FIPS indicators
* Tue Jun 6 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1 * Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-12
- Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 & - only turn off rand changes on all non-fips kernels
https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1 * Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
- Update %%patch syntax - only turn off rand changes on ppc64le at build-test time.
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1 * Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
- Update NSS to 3.90.0 - turn off rand changes on ppc64le
* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1 * Sun Aug 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
- combine nss and nspr source togeather - FIPS 140-3 changes
* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1 * Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
- replace %{version} with %{nss_version} as it version can be overiden. - fix encoding issue with NULL passwords
* Fri Mar 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1 * Thu Jul 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
- Update NSS to 3.89.0 - more complete fix for cert auth regression crash
* Fri Feb 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.88.1-1 * Wed Jun 22 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
- Update NSS to 3.88.1 - Remove debugging printf from a patch
- increase the pbe cache size to handle reusing the same token key.
* Tue Jan 24 2023 Bob Relyea - 3.87.0-2 * Mon Jun 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
- Fix rebuild errors - FIPS 140-3 changes
- Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject
signature keys by policy
- Allow applications to retrigger selftests on demand.
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.87.0-2 * Tue Jun 14 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - server passive fix
* Tue Jan 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.87.0-1 * Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
- Update NSS to 3.87 & remove unused patches - fix regressions in test suite
* Thu Nov 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.85.0-1 * Mon Jun 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
- update to NSS 3.83 - fix nspr coverify issues.
* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.83.0-1 * Wed Jun 1 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
- update to NSS 3.83 - update to NSS 3.79
- update to NSPR 4.35 - update to NSPR 4.34
- change FIPS Modulename to conform with our final module standard
* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-2 * Wed Feb 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-7
- add dbtool - Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
on long passwords.
* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1 * Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
- udpate to NSS 3.81 - update pkcs12 documentation to include camellia
- turn on lto
* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2 * Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
- Fix crash when getting client cert and there is none in the database. - remove old dbm files from the build
* Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1 * Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
- Update to NSS 3.79 - Fix CVE-2021-43527
- Update to NSPR 4.34
* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1 * Tue Oct 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
- Update to 3.77 - make sure validation is built
- fix syntax on FIPS module name
* Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1 * Tue Oct 5 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
- Update to 3.75 - rebase to NSS-3.71
- fix PayPal expiration issue
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.73.0-2 * Wed Aug 25 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - rebuild to clear gating.yaml test
* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1 * Thu Aug 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-12
- Update to 3.73 - pick up nspr 3.2 for Firefox 92
- includes CVE 2021-43527
* Mon Oct 4 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1 * Thu Aug 12 2021 Florian Weimer <fweimer@redhat.com> - 3.67.0-11
- Update to 3.71 - Change release number to correct cross-package dependencies (#1991688)
* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-2 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- turn on lto - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 8 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-8
- fix relro support in nspr part of build
* Tue Jul 6 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
- fix ssl alert regressions
* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-1 * Fri Jul 2 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-6
- Update to 3.69 - bump the nspr release number
- Update to NSPR 4.31
* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4 * Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
- switch to baserelease so rpmdev-bumpspec will work next time - fix error when trying to read keys from updated databases when updated
from unpatched versions of NSS (like on fedora or upstream).
- fix spelling of LD_OPTFLAGS which prevents relro from working.
* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3 * Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
- rpmdev-bumpspec doesn't work correctly with nss/nspr. Fixup version numbers - update nspr man page files to only pick up nspr man pages
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.67.0-2 * Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - Update NSS to 3.67
- Update NSPR to 2.31
- pick up rhel coverity patches which have not yet been pushed upstream.
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1 * Fri Apr 16 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-3
- Update to 3.67 - prevent MD5 from being enabled even with the environment variables
- Update to NSPR 2.31 and policy. This mirrors the rhel8 semantics.
- add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.65.0-1 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.63.0-2
- Update to 3.65 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
- update nss-tools manages to remove references to dbm
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1 * Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
- Update to 3.63 - Update NSS to 3.62
- Update to NSPR 2.30 - Update NSPR to 2.30
- Remove old dbm files and man pages
* Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1 * Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1
- Update to 3.62 - Update to 3.62
