diff --git a/.nss-softokn.metadata b/.nss-softokn.metadata
index 70a1be7..fdaff3b 100644
--- a/.nss-softokn.metadata
+++ b/.nss-softokn.metadata
@@ -1 +1 @@
-60f4ab43e34fc5af4b7607fa924576bc01a9061c SOURCES/nss-softokn-3.15.2.tar.bz2
+34c16520e458a5e12ef31428e8b63998a6a0071b SOURCES/nss-softokn-3.15.4.tar.gz
diff --git a/SOURCES/build-nss-softoken-only.patch b/SOURCES/build-nss-softoken-only.patch
index 5f1b271..1ac89d6 100644
--- a/SOURCES/build-nss-softoken-only.patch
+++ b/SOURCES/build-nss-softoken-only.patch
@@ -6,7 +6,7 @@ diff -up nss/lib/Makefile.softokenonly nss/lib/Makefile
 SOFTOKEN_SRCDIR =
 else
 +ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
-+UTIL_SRCDIR =util
++UTIL_SRCDIR =
 +FREEBL_SRCDIR = freebl
 +SOFTOKEN_SRCDIR = softoken
 # default is to include all
diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch
index a7c2212..3d1aa60 100644
--- a/SOURCES/iquote.patch
+++ b/SOURCES/iquote.patch
@@ -23,3 +23,15 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
 endif
 ifndef NSS_LIB_DIR
+diff -up ./nss/lib/softoken/Makefile.iquote ./nss/lib/softoken/Makefile
+--- ./nss/lib/softoken/Makefile.iquote 2014-01-06 20:35:19.931937299 -0800
++++ ./nss/lib/softoken/Makefile 2014-01-06 20:36:15.336390664 -0800
+@@ -42,6 +42,8 @@ ifdef NSS_DISABLE_DBM
+ DIRS=
+ endif
+
++INCLUDES += -iquote $(DIST)/../private/nss
++
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL). #
+ #######################################################################
diff --git a/SOURCES/nss-softokn-allow-level1.patch b/SOURCES/nss-softokn-allow-level1.patch
new file mode 100644
index 0000000..859f912
--- /dev/null
+++ b/SOURCES/nss-softokn-allow-level1.patch
@@ -0,0 +1,42 @@
+diff -up ./nss/lib/softoken/fipstokn.c.allow_level1 ./nss/lib/softoken/fipstokn.c
+--- ./nss/lib/softoken/fipstokn.c.allow_level1 2013-10-11 11:47:31.265670032 -0700
++++ ./nss/lib/softoken/fipstokn.c 2013-10-11 11:58:12.730655827 -0700
+@@ -97,6 +97,7 @@ libaudit_init(void)
+ * ******************** Password Utilities *******************************
+ */
+ static PRBool isLoggedIn = PR_FALSE;
++static PRBool isLevel2 = PR_TRUE;
+ PRBool sftk_fatalError = PR_FALSE;
+
+ /*
+@@ -197,7 +198,7 @@ static CK_RV sftk_newPinCheck(CK_CHAR_PT
+ static CK_RV sftk_fipsCheck(void) {
+ if (sftk_fatalError)
+ return CKR_DEVICE_ERROR;
+- if (!isLoggedIn)
++ if (isLevel2 && !isLoggedIn)
+ return CKR_USER_NOT_LOGGED_IN;
+ return CKR_OK;
+ }
+@@ -498,6 +499,7 @@ CK_RV FC_Initialize(CK_VOID_PTR pReserve
+ return crv;
+ }
+ nsf_init = PR_TRUE;
++ isLevel2 = PR_TRUE; /* assume level 2 unless we learn otherwise */
+
+ return CKR_OK;
+ }
+@@ -552,8 +554,11 @@ CK_RV FC_GetSlotInfo(CK_SLOT_ID slotID,
+ CHECK_FORK();
+
+ crv = NSC_GetTokenInfo(slotID,pInfo);
+- if (crv == CKR_OK)
+- pInfo->flags |= CKF_LOGIN_REQUIRED;
++ if (crv == CKR_OK) {
++ if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) {
++ isLevel2 = PR_FALSE;
++ }
++ }
+ return crv;
+
+ }
diff --git a/SOURCES/nss-split-softokn.sh b/SOURCES/nss-split-softokn.sh
index cd2878a..9a43dad 100755
--- a/SOURCES/nss-split-softokn.sh
+++ b/SOURCES/nss-split-softokn.sh
@@ -2,8 +2,8 @@
 #
 # Splits NSS into nss-util and nss-softokn
 # Takes as command line input the version of nss
-# and assumes that a file nss-${nss_version}-stripped.tar.bz2
-# exits in the current directory
+# and assumes that a file nss-${nss_version}.tar.gz
+# exists in the current directory
 set -e
@@ -16,9 +16,9 @@ fi
 export name=nss
 export version=$1
-echo "Extracting ${name}-${version}.tar.bz2"
+echo "Extracting ${name}-${version}.tar.gz"
-tar -xjf ${name}-${version}.tar.bz2
+tar -xzf ${name}-${version}.tar.gz
 # the directory will be named ${name}-${version}
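Review bot: In the last fipstokn.c hunk of nss-softokn-allow-level1.patch, `isLevel2` is cleared for the whole module whenever `NSC_GetTokenInfo` reports any slot without `CKF_LOGIN_REQUIRED`, and nothing in the patch sets it back to `PR_TRUE` short of another `FC_Initialize`. Because `sftk_fipsCheck` now returns `CKR_OK` without a login once the flag is false, a token-info query on one password-less slot relaxes the check for every caller of that function, and it stays relaxed if a password is set afterwards. Consider scoping the test to the FIPS key slot, `if (slotID == FIPS_SLOT_ID && (pInfo->flags & CKF_LOGIN_REQUIRED) == 0)`, and re-evaluating the flag where the PIN is initialised or changed. The flag is a plain static written from a query path, so its behaviour under concurrent callers should be confirmed; the enclosing functions continue outside the hunks shown.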
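Review bot: The `tar -xzf ${name}-${version}.tar.gz` step in the second nss-split-softokn.sh hunk now unpacks the upstream archive directly, and nothing visible in the hunk checks that file against a published digest or signature before it is repackaged as the softokn tarball. A verification step ahead of the extraction, for example `sha256sum -c <CHECKSUM_FILE>` (placeholder name) with the checksum taken from a trusted source, would keep a corrupted or substituted download out of the split source. The expansions here and in the `tar -czf` line of the later `@@ -81,20 +81,20 @@` hunk are also unquoted although `version` comes from `$1`; `tar -xzf "${name}-${version}.tar.gz"` is the safer form. The script body continues outside these hunks, so a check may already exist elsewhere.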
@@ -81,20 +81,20 @@ cp -a ${nss_source_dir}/nss/cmd/lib ${WORK}/${softokn_dir}/nss/cmd/lib
 cp -a ${nss_source_dir}/nss/cmd/lowhashtest ${WORK}/${softokn_dir}/nss/cmd/lowhashtest
 cp -a ${nss_source_dir}/nss/cmd/shlibsign ${WORK}/${softokn_dir}/nss/cmd/shlibsign
-# plus common and crypto from nss/tests
+# plus common, crypto, and lowhash from nss/tests
 mkdir ${WORK}/${softokn_dir}/nss/tests
 topFilesT=`find ${nss_source_dir}/nss/tests/ -maxdepth 1 -mindepth 1 -type f`
 for f in $topFilesT; do
 cp -p $f ${WORK}/${softokn_dir}/nss/tests/
 done
-keepers="cipher common"
+keepers="cipher common lowhash"
 for t in $keepers; do
 cp -a ${nss_source_dir}/nss/tests/$t ${WORK}/${softokn_dir}/nss/tests/$t
 done
 pushd ${WORK}
 # the compressed tar ball for nss-softokn
-tar -cjf ../${name}-softokn-${version}.tar.bz2 ${softokn_dir}
+tar -czf ../${name}-softokn-${version}.tar.gz ${softokn_dir}
 popd
 # cleanup after ourselves
diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec
index d54d99f..df9b187 100644
--- a/SPECS/nss-softokn.spec
+++ b/SPECS/nss-softokn.spec
@@ -1,6 +1,6 @@
-%global nspr_version 4.10
+%global nspr_version 4.10.2
 %global nss_name nss
-%global nss_util_version 3.15.2
+%global nss_util_version 3.15.4
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global saved_files_dir %{_libdir}/nss/saved
@@ -24,7 +24,7 @@ Summary: Network Security Services Softoken Module
 Name: nss-softokn
-Version: 3.15.2
+Version: 3.15.4
 Release: 2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
@@ -42,16 +42,16 @@ BuildRequires: gawk
 BuildRequires: psmisc
 BuildRequires: perl
-Source0: %{name}-%{version}.tar.bz2
-# The nss-softokn tar ball is a subset of nss-{version}.tar.bz2.
+Source0: %{name}-%{version}.tar.gz
+# The nss-softokn tar ball is a subset of nss-{version}.tar.gz.
 # We use the nss-split-softokn.sh script to keep only what we need
-# via via nss-split-util.sh ${version}
+# via via nss-split-softokn.sh ${version}
 # Detailed Steps:
 # rhpkg clone nss-softokn
 # cd nss-softokn
 # Split off nss-softokn out of the full nss source tar ball:
 # sh ./nss-split-softokn.sh ${version}
-# A file named {name}-{version}.tar.bz2 should appear
+# A file named {name}-{version}.tar.gz should appear
 # which is ready for uploading to the lookaside cache.
 Source1: nss-split-softokn.sh
 Source2: nss-softokn.pc.in
@@ -71,6 +71,7 @@ Patch9: nss-versus-softoken-tests.patch
 # NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
 # Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it.
 Patch10: iquote.patch
+Patch11: nss-softokn-allow-level1.patch
 %description
 Network Security Services Softoken Cryptographic Module
@@ -125,6 +126,7 @@ Header and library files for doing development with Network Security Services.
 %patch9 -p0 -b .cryptotests
 # activate if needed when doing a major update with new apis
 %patch10 -p0 -b .iquote
+%patch11 -p0 -b .allow_level1
 %build
@@ -245,7 +247,7 @@ export USE_64
 # to test for the last tool built correctly
 export NSS_BUILD_SOFTOKEN_ONLY=1
-# let the tests know that freebl supprts ecc
+# let the tests know that freebl supports ecc
 export NSS_ENABLE_ECC=1
 # End -- copied from the build section
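Review bot: `Patch11: nss-softokn-allow-level1.patch` in the `@@ -71,6 +71,7 @@` hunk is added without the explanatory comment that the neighbouring `Patch10` carries, although it changes when the FIPS token enforces login. A line such as `# Allow FIPS Level 1 operation when the nss db has no password (Bug 852023)` above it would let a later rebase judge whether the patch is still needed. The bug number is the one quoted in the changelog entry of this same commit.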
@@ -388,6 +390,28 @@ done
 %{_includedir}/nss3/shsign.h
 %changelog
+* Fri Jan 24 2014 Daniel Mach - 3.15.4-2
+- Mass rebuild 2014-01-24
+
+* Sun Jan 19 2014 Elio Maldonado - 3.15.3-4
+- Rebase to nss-3.15.4
+- Resolves: Bug 1054457 - CVE-2013-1740
+- Update softokn splitting script to oparate on the upstream pristine source
+- Using the .gz archives directly, not repackaging as .bz2 ones
+- Avoid unneeded manual steps that could introduce errors
+- Update the iquote and build softoken only patches on account of the rebase
+
+* Sun Jan 19 2014 Elio Maldonado - 3.15.3-3
+- Fix to allow level 1 fips mode if the db has no password
+- Resolves: Bug 852023 - FIPS mode detection does not work
+
+* Fri Dec 27 2013 Daniel Mach - 3.15.3-2
+- Mass rebuild 2013-12-27
+
+* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1
+- Rebase to NSS_3_15_3_RTM
+- Related: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741
+
 * Tue Oct 29 2013 Elio Maldonado - 3.15.2-2
 - Resolves: rhbz#1020395 - Allow Level 1 FIPS mode if the nss db has no password