NSS: Bump to 3.101

nss/mozilla-nss.spec

@@ -17,15 +17,14 @@
 #
 
 
-%global nss_softokn_fips_version 3.100
+%global nss_softokn_fips_version 3.101
 %define NSPR_min_version 4.35
 %define nspr_ver %(rpm -q --queryformat '%%{VERSION}' mozilla-nspr)
 %define nssdbdir %{_sysconfdir}/pki/nssdb
-%global crypto_policies_version 20210118
 Name:           mozilla-nss
-Version:        3.100
+Version:        3.101
 Release:        0
-%define underscore_version 3_100
+%define underscore_version 3_101
 Summary:        Network Security Services
 License:        MPL-2.0
 Group:          System/Libraries
@@ -80,6 +79,7 @@ Patch46:        nss-allow-slow-tests.patch
 Patch47:        nss-fips-pct-pubkeys.patch
 Patch48:        nss-fips-test.patch
 Patch49:        nss-allow-slow-tests-s390x.patch
+Patch50:        nss-fips-bsc1223724.patch
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
 # aarch64 + gcc4.8 fails to build on SLE-12 due to undefined references
 BuildRequires:  gcc9-c++
@@ -107,6 +107,7 @@ Requires:       libnssckbi.so()(64bit)
 %else
 Requires:       libnssckbi.so
 %endif
+Provides:       nss = %{version}
 %ifnarch %sparc
 %if ! 0%{?qemu_user_space_build}
 %define run_testsuite 1
@@ -242,6 +243,7 @@ cd nss
 # slow test on s390x, permit more time
 %patch -P 49 -p1
 %endif
+%patch -P 50 -p1
 
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins

nss/nss-fips-bsc1223724.patch

@@ -0,0 +1,19 @@
+Index: nss/lib/pk11wrap/pk11skey.c
+===================================================================
+--- nss.orig/lib/pk11wrap/pk11skey.c
++++ nss/lib/pk11wrap/pk11skey.c
+@@ -520,6 +520,14 @@ PK11_ImportDataKey(PK11SlotInfo *slot, C
+     CK_OBJECT_HANDLE handle;
+     PK11GenericObject *genObject;
+
++    // Using HTTP3, Firefox runs via neqo that doesn't log in before calling into
++    // this function. So we try to log in here (and ignore failures) in case of FIPS.
++    // Also, no need to also load certificates, we only create a new object and we
++    // have to be logged in for that.
++    if (PK11_IsFIPS()) {
++        PK11_Authenticate(slot, PR_FALSE, wincx);
++    }
++
+     genObject = PK11_CreateGenericObject(slot, template, PR_ARRAY_SIZE(template), PR_FALSE);
+     if (genObject == NULL) {
+         return NULL;

nss/nss-fips-constructor-self-tests.patch

@@ -1326,7 +1326,7 @@ Index: nss/lib/softoken/fipstest.c
 +    static ECParams ec_known_P256_Params = {
 +        NULL, ec_params_named,                                               /* arena, type */
 +                                                                             /* fieldID */
-+        { 256, ec_field_GFp,                                                 /* size and type */
++        { 256, ec_field_plain,                                               /* size and type */
 +          { { siBuffer, (unsigned char *)p256_prime, sizeof(p256_prime) } }, /* u.prime */
 +          0,
 +          0,

nss/nss-fips-zeroization.patch

@@ -103,19 +103,6 @@ Index: nss/lib/freebl/dh.c
          *privKey = NULL;
          PORT_FreeArena(arena, PR_TRUE);
      }
-Index: nss/lib/freebl/ec.c
-===================================================================
---- nss.orig/lib/freebl/ec.c
-+++ nss/lib/freebl/ec.c
-@@ -1121,7 +1121,7 @@ ECDSA_VerifyDigest(ECPublicKey *key, con
-     mp_int n;
-     SECItem pointC = { siBuffer, NULL, 0 };
-     int slen;       /* length in bytes of a half signature (r or s) */
--    int flen;       /* length in bytes of the field size */
-+    int flen = 0;   /* length in bytes of the field size */
-     unsigned olen;  /* length in bytes of the base point order */
-     unsigned obits; /* length in bits  of the base point order */
-
 Index: nss/lib/freebl/gcm.c
 ===================================================================
 --- nss.orig/lib/freebl/gcm.c