diff --git a/.gitignore b/.gitignore index 8764b3f..0e92371 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/nss-softokn-3.16.2.tar.gz +SOURCES/nss-softokn-3.16.2.3.tar.gz diff --git a/.nss-softokn.metadata b/.nss-softokn.metadata index c363d24..4226477 100644 --- a/.nss-softokn.metadata +++ b/.nss-softokn.metadata @@ -1 +1 @@ -a35640b6fd1de5e59e70c3ebfe34d532d1aeec0e SOURCES/nss-softokn-3.16.2.tar.gz +93048a6f84e161d641f77498ac27ca93d63dd584 SOURCES/nss-softokn-3.16.2.3.tar.gz diff --git a/SOURCES/cve-2014-1568-softokn.patch b/SOURCES/cve-2014-1568-softokn.patch deleted file mode 100644 index f754782..0000000 --- a/SOURCES/cve-2014-1568-softokn.patch +++ /dev/null @@ -1,138 +0,0 @@ - -# HG changeset patch -# User Kai Engert -# Date 1411493325 -7200 -# Node ID 4e90910ad2f9741978820ec2314b12a504d78c4e -# Parent ad411fb64046d987272043f311ca477022c6fef4 -Fix bug 1064636, patch part 3, r=rrelyea - -diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c ---- a/lib/softoken/pkcs11c.c -+++ b/lib/softoken/pkcs11c.c -@@ -18,16 +18,17 @@ - * that created or generated them. - */ - #include "seccomon.h" - #include "secitem.h" - #include "secport.h" - #include "blapi.h" - #include "pkcs11.h" - #include "pkcs11i.h" -+#include "pkcs1sig.h" - #include "lowkeyi.h" - #include "secder.h" - #include "secdig.h" - #include "lowpbe.h" /* We do PBE below */ - #include "pkcs11t.h" - #include "secoid.h" - #include "alghmac.h" - #include "softoken.h" -@@ -2851,75 +2852,52 @@ sftk_hashCheckSign(SFTKHashVerifyInfo *i - return SECFailure; - } - - return RSA_HashCheckSign(info->hashOid, info->key, sig, sigLen, digest, - digestLen); - } - - SECStatus --RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key, -+RSA_HashCheckSign(SECOidTag digestOid, NSSLOWKEYPublicKey *key, - const unsigned char *sig, unsigned int sigLen, -- const unsigned char *hash, unsigned int hashLen) -+ const unsigned char *digestData, unsigned int digestLen) - { -- SECItem it; -- SGNDigestInfo *di = NULL; -- SECStatus rv = SECSuccess; -- -- it.data = NULL; -- it.len = nsslowkey_PublicModulusLen(key); -- if (!it.len) { -- goto loser; -- } -- -- it.data = (unsigned char *)PORT_Alloc(it.len); -- if (it.data == NULL) { -- goto loser; -- } -- -+ unsigned char *pkcs1DigestInfoData; -+ SECItem pkcs1DigestInfo; -+ SECItem digest; -+ unsigned int bufferSize; -+ SECStatus rv; -+ -+ /* pkcs1DigestInfo.data must be less than key->u.rsa.modulus.len */ -+ bufferSize = key->u.rsa.modulus.len; -+ pkcs1DigestInfoData = PORT_ZAlloc(bufferSize); -+ if (!pkcs1DigestInfoData) { -+ PORT_SetError(SEC_ERROR_NO_MEMORY); -+ return SECFailure; -+ } -+ -+ pkcs1DigestInfo.data = pkcs1DigestInfoData; -+ pkcs1DigestInfo.len = bufferSize; -+ - /* decrypt the block */ -- rv = RSA_CheckSignRecover(&key->u.rsa, it.data, &it.len, it.len, sig, -- sigLen); -+ rv = RSA_CheckSignRecover(&key->u.rsa, pkcs1DigestInfo.data, -+ &pkcs1DigestInfo.len, pkcs1DigestInfo.len, -+ sig, sigLen); - if (rv != SECSuccess) { -- goto loser; -- } -- -- di = SGN_DecodeDigestInfo(&it); -- if (di == NULL) { -- goto loser; -- } -- if (di->digest.len != hashLen) { -- goto loser; -- } -- -- /* make sure the tag is OK */ -- if (SECOID_GetAlgorithmTag(&di->digestAlgorithm) != hashOid) { -- goto loser; -- } -- /* make sure the "parameters" are not too bogus. */ -- if (di->digestAlgorithm.parameters.len > 2) { -- goto loser; -- } -- /* Now check the signature */ -- if (PORT_Memcmp(hash, di->digest.data, di->digest.len) == 0) { -- goto done; -- } -- -- loser: -- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -- rv = SECFailure; -- -- done: -- if (it.data != NULL) { -- PORT_Free(it.data); -- } -- if (di != NULL) { -- SGN_DestroyDigestInfo(di); -- } -- -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ } else { -+ digest.data = (PRUint8*) digestData; -+ digest.len = digestLen; -+ rv = _SGN_VerifyPKCS1DigestInfo( -+ digestOid, &digest, &pkcs1DigestInfo, -+ PR_TRUE /*XXX: unsafeAllowMissingParameters*/); -+ } -+ -+ PORT_Free(pkcs1DigestInfoData); - return rv; - } - - static SECStatus - sftk_RSACheckSign(NSSLOWKEYPublicKey *key, const unsigned char *sig, - unsigned int sigLen, const unsigned char *digest, - unsigned int digestLen) - { - diff --git a/SOURCES/nss-versus-softoken-tests.patch b/SOURCES/nss-versus-softoken-tests.patch deleted file mode 100644 index 40b1808..0000000 --- a/SOURCES/nss-versus-softoken-tests.patch +++ /dev/null @@ -1,42 +0,0 @@ -diff -up nss/tests/all.sh.cryptotests nss/tests/all.sh ---- nss/tests/all.sh.cryptotests 2013-05-28 14:43:24.000000000 -0700 -+++ nss/tests/all.sh 2013-06-17 11:11:49.626902227 -0700 -@@ -299,9 +299,13 @@ fi - # created, we check for modutil to know whether the build - # is complete. If a new file is created after that, the - # following test for modutil should check for that instead. -- --if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \ -- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then -+# Except when building softoken only where shlibsign is the last one built. -+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" -eq "1" ]; then -+ LAST_BUILT=shlibsign || modutil -+else -+ LAST_BUILT=modutil -+fi -+if [ ! -x ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} ]; then - echo "Build Incomplete. Aborting test." >> ${LOGFILE} - html_head "Testing Initialization" - Exit "Checking for build" -diff -up nss/tests/cipher/cipher.sh.cryptotests nss/tests/cipher/cipher.sh ---- nss/tests/cipher/cipher.sh.cryptotests 2013-05-28 14:43:24.000000000 -0700 -+++ nss/tests/cipher/cipher.sh 2013-06-17 11:10:18.946049972 -0700 -@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${ - return 0 - fi - cipher_init --cipher_main --cipher_gcm -+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then -+ echo "Skipping cipher_gcm because this is a softoken only build" -+ cipher_main -+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then -+ echo "Skipping cipher_main because this an nss without softoken build" -+ cipher_gcm -+else -+ # default is to run both -+ cipher_init -+ cipher_main -+ cipher_gcm -+fi - cipher_cleanup diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec index 586c466..461278f 100644 --- a/SPECS/nss-softokn.spec +++ b/SPECS/nss-softokn.spec @@ -1,6 +1,6 @@ %global nspr_version 4.10.6 %global nss_name nss -%global nss_util_version 3.16.2 +%global nss_util_version 3.16.2.3 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved @@ -24,8 +24,8 @@ Summary: Network Security Services Softoken Module Name: nss-softokn -Version: 3.16.2 -Release: 2%{?dist} +Version: 3.16.2.3 +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -61,8 +61,6 @@ Patch1: build-nss-softoken-only.patch # Build only the softoken and freebl related tools Patch8: softoken-minimal-test-dependencies.patch # Select the tests to run based on the type of build -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 -Patch9: nss-versus-softoken-tests.patch # This patch uses the gcc-iquote dir option documented at # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options # to place the in-tree directories at the head of the list on list of directories @@ -72,8 +70,7 @@ Patch9: nss-versus-softoken-tests.patch # Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it. Patch10: iquote.patch Patch11: nss-softokn-allow-level1.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1064636 -Patch12: cve-2014-1568-softokn.patch + %description Network Security Services Softoken Cryptographic Module @@ -126,11 +123,8 @@ Header and library files for doing development with Network Security Services. %patch1 -p0 -b .softokenonly %patch8 -p0 -b .crypto # activate if needed when doing a major update with new apis -%patch10 -p0 -b .iquote +#%patch10 -p0 -b .iquote %patch11 -p0 -b .allow_level1 -pushd nss -%patch12 -p1 -b .cve_2014-1568 -popd %build @@ -238,6 +232,10 @@ chmod 755 ./dist/pkgconfig/nss-softokn-config %check +if [ ${DISABLETEST:-0} -eq 1 ]; then + echo "testing disabled" + exit 0 +fi # Begin -- copied from the build section FREEBL_NO_DEPEND=1 @@ -268,28 +266,50 @@ if [ $SPACEISBAD -ne 0 ]; then fi rm -rf ./tests_results -cd ./nss/tests/ +pushd ./nss/tests/ # all.sh is the test suite script # only run cipher tests for nss-softokn %global nss_cycles "standard" -%global nss_tests "cipher" +%global nss_tests "cipher lowhash" %global nss_ssl_tests " " %global nss_ssl_run " " HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh -cd ../../../../ +popd -TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || : -# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm +# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. +killall $RANDSERV || : + +TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then + echo "okay: test suite detected no failures" +else +# test suite is failing on arm and has for a while let's run the test suite but make it non fatal on arm %ifnarch %{arm} -if [ $TEST_FAILURES -ne 0 ]; then - echo "error: test suite returned failure(s)" - exit 1 + if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then + # while a situation in which grep return status is 0 and it doesn't output + # anything shouldn't happen, set the default to something that is + # obviously wrong (-1) + echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" + exit 1 + else + if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then + echo "error: grep has not found log file" + exit 1 + else + echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" + exit 1 + fi + fi +%endif fi echo "test suite completed" -%endif %install @@ -394,6 +414,9 @@ done %{_includedir}/nss3/shsign.h %changelog +* Wed Nov 19 2014 Elio Maldonado - 3.16.2-3 +- Resolves: Bug 1165525 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + * Tue Sep 23 2014 Elio Maldonado - 3.16.2-3 - Resolves: Bug 1145433 - CVE-2014-1568