From 031e90195c7f003249860ac4841662ab372dc5c8 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Apr 25 2016 11:14:31 +0000 Subject: import nss-softokn-3.16.2.3-14.2.el7_2
---
diff --git a/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch b/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch
index 58be595..d215993 100644
--- a/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch
+++ b/SOURCES/nss-softokn-3.16-tls12-mechanisms.patch
@@ -70,7 +70,7 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
 + break;
 + }
 + tls12_mac_params = (CK_TLS12_MAC_PARAMS *)pMechanism->pParameter;
-+ if (tls12_mac_params->prfHashMechanism == CKM_TLS_PRF) {
++ if (tls12_mac_params->prfMechanism == CKM_TLS_PRF) {
 + /* The TLS 1.0 and 1.1 PRF */
 + tlsPrfHash = HASH_AlgNULL;
 + if (tls12_mac_params->ulMacLength != 12) {
@@ -80,7 +80,7 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
 + } else {
 + /* The hash function for the TLS 1.2 PRF */
 + tlsPrfHash =
-+ GetHashTypeFromMechanism(tls12_mac_params->prfHashMechanism);
++ GetHashTypeFromMechanism(tls12_mac_params->prfMechanism);
 + if (tlsPrfHash == HASH_AlgNULL ||
 + tls12_mac_params->ulMacLength < 12) {
 + crv = CKR_MECHANISM_PARAM_INVALID;
@@ -360,6 +360,18 @@ diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
 diff --git a/lib/softoken/pkcs11i.h b/lib/softoken/pkcs11i.h
 --- a/lib/softoken/pkcs11i.h
 +++ b/lib/softoken/pkcs11i.h
+@@ -25,6 +25,11 @@
+ * the expense of space.
+ */
+
++
++/* Was present in older nss-util, is missing in newer. Definition required to build. */
++#define CKM_TLS12_MAC 0x000003E5
++
++
+ /*
+ * The attribute allocation strategy is static allocation:
+ * Attributes are pre-allocated as part of the session object and used from
 @@ -733,13 +733,14 @@ void sftk_MACConstantTime_DestroyContext
 /****************************************
 * implement TLS Pseudo Random Function (PRF)
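Review bot: The `#define CKM_TLS12_MAC 0x000003E5` added to lib/softoken/pkcs11i.h in the last hunk of this file is unconditional and keeps a private copy of a PKCS #11 mechanism number. If an nss-util header on the include path defines the same name, the compiler will report a redefinition, and if the values differ softoken would be built against a number its callers may not share. I would guard it as `#ifndef CKM_TLS12_MAC` / `#define CKM_TLS12_MAC 0x000003E5` / `#endif`. The comment should also name the nss-util release that dropped the constant and the identifier that replaced it, so the value can be checked against that header.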
diff --git a/SOURCES/skip-check-fork-in_GetFunctionList.patch b/SOURCES/skip-check-fork-in_GetFunctionList.patch
new file mode 100644
index 0000000..5c980af
--- /dev/null
+++ b/SOURCES/skip-check-fork-in_GetFunctionList.patch
@@ -0,0 +1,21 @@
+diff -up ./mozilla/security/nss/lib/softoken/pkcs11.c.nocheckfork ./mozilla/security/nss/lib/softoken/pkcs11.c
+--- ./mozilla/security/nss/lib/softoken/pkcs11.c.nocheckfork 2014-03-11 15:07:08.279347367 -0700
++++ ./mozilla/security/nss/lib/softoken/pkcs11.c 2014-03-11 15:08:42.773414078 -0700
+@@ -2130,8 +2130,6 @@ sftk_IsWeakKey(unsigned char *key,CK_KEY
+ /* return the function list */
+ CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+ {
+- CHECK_FORK();
+-
+ *pFunctionList = (CK_FUNCTION_LIST_PTR) &sftk_funcList;
+ return CKR_OK;
+ }
+@@ -2139,8 +2137,6 @@ CK_RV NSC_GetFunctionList(CK_FUNCTION_LI
+ /* return the function list */
+ CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
+ {
+- CHECK_FORK();
+-
+ return NSC_GetFunctionList(pFunctionList);
+ }
+
diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec
index 86a4147..de94e49 100644
--- a/SPECS/nss-softokn.spec
+++ b/SPECS/nss-softokn.spec
@@ -1,6 +1,7 @@
 %global nspr_version 4.10.8
 %global nss_name nss
-%global nss_util_version 3.19.1
+%global nss_util_version 3.21.0
+%global nss_util_build -2.2
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
 %global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/
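Review bot: The new SOURCES/skip-check-fork-in_GetFunctionList.patch removes `CHECK_FORK();` from both NSC_GetFunctionList and C_GetFunctionList but leaves no comment in pkcs11.c saying why these two entry points are exempt from fork detection. From the visible lines both functions only return the address of the static `sftk_funcList`, which is presumably why skipping the check is safe. That reasoning belongs next to the code, e.g. `/* No CHECK_FORK() here: this only returns the static function table and touches no token state. */`. Separately, NSC_GetFunctionList still writes through `pFunctionList` unchecked; `if (pFunctionList == NULL) return CKR_ARGUMENTS_BAD;` before the assignment would cover a NULL argument.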
@@ -31,16 +32,16 @@ Summary: Network Security Services Softoken Module Name: nss-softokn Version: 3.16.2.3 -Release: 13%{?dist} +Release: 14.2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries Requires: nspr >= %{nspr_version} -Requires: nss-util >= %{nss_util_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: nspr-devel >= %{nspr_version} -BuildRequires: nss-util-devel >= %{nss_util_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} BuildRequires: sqlite-devel BuildRequires: zlib-devel BuildRequires: pkgconfig @@ -81,6 +82,8 @@ Patch10: iquote.patch Patch11: nss-softokn-allow-level1.patch Patch12: additional-covscan-fixes.patch Patch13: nss-softokn-3.16-tls12-mechanisms.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455 Patch14: nss-softokn-3.16-sha384-key-derive.patch # Patch related to CVE-2015-2730 @@ -90,6 +93,7 @@ Patch102: CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch # FIPS update +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1181814 Patch80: nss-softokn-3.16-fips-post.patch Patch81: nss-softokn-3.16-fips.patch Patch82: nss-softokn-3.16-fips-rem-old-test.patch 
@@ -107,8 +111,11 @@ Patch202: nss-softokn-fix-error-handling.patch Patch203: nss-softokn-3.16-freebl_dyload.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1113632 Patch204: limit-create-fipscheck.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455 Patch205: nss-softokn-3.16-tls12-mechanisms-fipstest.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=1053437 +Patch206: skip-check-fork-in_GetFunctionList.patch %description Network Security Services Softoken Cryptographic Module @@ -145,10 +152,10 @@ Group: Development/Libraries Requires: nss-softokn%{?_isa} = %{version}-%{release} Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} Requires: nspr-devel >= %{nspr_version} -Requires: nss-util-devel >= %{nss_util_version} +Requires: nss-util-devel >= %{nss_util_version}%{nss_util_build} Requires: pkgconfig BuildRequires: nspr-devel >= %{nspr_version} -BuildRequires: nss-util-devel >= %{nss_util_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} # require nss at least the version when we split via subpackages %description devel @@ -182,6 +189,8 @@ Header and library files for doing development with Network Security Services. %patch203 -p0 -b .freebl-dyload %patch204 -p0 -b .limit_create_fips_check %patch205 -p0 -b .1212106 +# https://bugzilla.redhat.com/show_bug.cgi?id=1053437 +%patch206 -p3 -b .skipcheckfork %patch12 -p0 -b .1154764extras pushd nss %patch13 -p1 -b .1212106 @@ -240,10 +249,12 @@ export NSSUTIL_LIB_DIR=%{_libdir} NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE -%if %{__isa_bits} == 64 +%ifnarch noarch +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif # uncomment if the iquote patch is activated export IN_TREE_FREEBL_HEADERS_FIRST=1 
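Review bot: In the hunk at `@@ -240,10 +249,12 @@` the new test `%if 0%{__isa_bits} == 64` prefixes the macro with `0` but does not use the conditional form, so the prefix gives no protection. If `__isa_bits` is undefined, rpm leaves the text unexpanded and the `%if` expression cannot be parsed. The usual idiom is `%if 0%{?__isa_bits} == 64`, which evaluates to `0 == 64` when the macro is missing. The same line appears in the hunk at `@@ -308,10 +319,12 @@`. The added `%ifnarch noarch` wrapper presumably covers the case that prompted the change, but the `?` form makes the guard hold without it.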
@@ -308,10 +319,12 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%if %{__isa_bits} == 64 +%ifnarch noarch +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif # to test for the last tool built correctly export NSS_BUILD_SOFTOKEN_ONLY=1 @@ -495,20 +508,27 @@ done %{_includedir}/nss3/shsign.h %changelog -* Fri Aug 07 2015 Elio Maldonado - 3.16.2.3-13 +* Fri Apr 15 2016 Kai Engert - 3.16.2.3-14.2 +- Adjust for a renamed variable in newer nss-util, require a compatible nss-util version. + +* Mon Apr 11 2016 Kai Engert - 3.16.2.3-14.1 +- Pick up a bugfix related to fork(), to avoid a regression with NSS 3.21 + +* Fri Aug 07 2015 Elio Maldonado - 3.16.2.3-14 - Pick up upstream freebl patch for CVE-2015-2730 - Check for P == Q or P ==-Q before adding P and Q +* Thu Jul 16 2015 Elio Maldonado - 3.16.2.3-13 +- Add links to filed upstream bugs to better track patches in spec file + * Wed Jun 24 2015 Elio Maldonado - 3.16.2.3-12 - Bump nss_util_version to 3.19.1 * Fri May 29 2015 Robert Relyea - 3.16.2.3-11 - Make sure we have enough space for generating keyblocks for ciphers with HMAC_SHA384 (TLS). -- Resolves: Bug 1216909 - Need to support SHA384 TLS cipher suites * Wed Apr 29 2015 Elio Maldonado - 3.16.2.3-10 - Use the TLS 1.2 mechanisms for PKCS #11 added for V2.40 -- Resolves: Bug 1216909 - Need to support SHA384 TLS cipher suites * Mon Feb 02 2015 Tomáš Mráz - 3.16.2.3-9 - add configuration file for dracut to add the nss-softokn module by default