From 4f9f00995d8bd76e5c0c6ee6f34d1b0f3921faa3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 05 2023 13:54:00 +0000
Subject: import nss-util-3.90.0-1.el7_9
---
diff --git a/.gitignore b/.gitignore
index 2e53166..1348edd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/nss-util-3.79.tar.gz
+SOURCES/nss-util-3.90.tar.gz
diff --git a/.nss-util.metadata b/.nss-util.metadata
index c6cd5fa..9995ff3 100644
--- a/.nss-util.metadata
+++ b/.nss-util.metadata
@@ -1 +1 @@
-d44dc17b9aa14ded8d35689b49223b4576af9a87 SOURCES/nss-util-3.79.tar.gz
+3da034265fae0aceb70113f02b56f17325a3ebbf SOURCES/nss-util-3.90.tar.gz
diff --git a/SOURCES/nss-util-3.79-fips.patch b/SOURCES/nss-util-3.79-fips.patch
new file mode 100644
index 0000000..6aae9d5
--- /dev/null
+++ b/SOURCES/nss-util-3.79-fips.patch
@@ -0,0 +1,22 @@
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -58,16 +58,18 @@
+ /*
+ * NSS-defined certificate types
+ *
+ */
+ #define CKC_NSS (CKC_VENDOR_DEFINED | NSSCK_VENDOR_NSS)
+
+ /* FAKE PKCS #11 defines */
+ #define CKA_DIGEST 0x81000000L
++#define CKA_NSS_GENERATE 0x81000001L
++#define CKA_NSS_GENERATE_KEY_PAIR 0x81000002L
+ #define CKA_NSS_MESSAGE 0x82000000L
+ #define CKA_NSS_MESSAGE_MASK 0xff000000L
+ #define CKA_FLAGS_ONLY 0 /* CKA_CLASS */
+
+ /*
+ * NSS-defined object attributes
+ *
+ */
diff --git a/SOURCES/nss-util-3.90-add-ems-policy.patch b/SOURCES/nss-util-3.90-add-ems-policy.patch
new file mode 100644
index 0000000..ef6863e
--- /dev/null
+++ b/SOURCES/nss-util-3.90-add-ems-policy.patch
@@ -0,0 +1,37 @@ +diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c +--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700 ++++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700 +@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT + SEC_OID_EXT_KEY_USAGE_IPSEC_USER, + "IPsec User", + CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* we need it for the policy code. */ ++ ODE(SEC_OID_PRIVATE_1, ++ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + }; + + /* PRIVATE EXTENDED SECOID Table +@@ -2095,6 +2100,8 @@ SECOID_Init(void) + + /* turn off NSS_USE_POLICY_IN_SSL by default */ + xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL; ++ /* turn off TLS REQUIRE EMS by default */ ++ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0; + + envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT"); + if (envVal) +diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h +--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700 ++++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700 +@@ -501,6 +501,9 @@ typedef enum { + SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361, + SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362, + SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363, ++ /* this will change upstream. for now apps shouldn't use it */ ++ /* give it an obscure name here */ ++ SEC_OID_PRIVATE_1 = 372, + + SEC_OID_TOTAL + } SECOidTag; diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec index ec33a82..541546b 100644 --- a/SPECS/nss-util.spec +++ b/SPECS/nss-util.spec @@ -1,7 +1,7 @@ -%global nspr_version 4.34.0 +%global nspr_version 4.35.0 # adjust to the very latest build needed %global nspr_build_version -1 -%global nss_util_version 3.79.0 +%global nss_util_version 3.90.0 # The upstream omits the trailing ".0", while we need it for # consistency with the pkg-config version: 
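Review bot: `SEC_OID_PRIVATE_1 = 372` in the secoidt.h hunk skips tag values 364–371, while the matching `ODE(SEC_OID_PRIVATE_1, ...)` entry in secoid.c is appended directly after the "IPsec User" entry of `oids[SEC_OID_TOTAL]`. If that initializer is positional and the table is indexed by tag, as `xOids[SEC_OID_PRIVATE_1]` in `SECOID_Init` suggests, the entry's position and its tag would disagree and slot 372 would be left zero-initialised; the `ODE` macro and the lookup code are outside the hunk, so this needs confirming against the full file. A comment next to the enum value should state how the gap is meant to be handled, for example `/* 364-371 are left unassigned here; oids[] needs matching placeholder entries */`. Separately, `notPolicyFlags = ~0` sits next to a line that uses a named flag; a comment saying that the EMS requirement is therefore off unless policy explicitly enables it would make the security default clear to whoever rebases this patch.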
@@ -57,6 +57,10 @@ Patch10: nss-util-disable-md5.patch # For compatibility reasons, we stick with the old PKCS #11 2.40 # definition of CK_GCM_PARAMS: Patch11: nss-util-gcm-param-default-pkcs11v2.patch +Patch60: nss-util-3.79-fips.patch +#ems policy. needs to upstream +Patch70: nss-util-3.90-add-ems-policy.patch + %description @@ -78,13 +82,15 @@ Header and library files for doing development with Network Security Services. %prep %setup -q -n %{name}-%{nss_util_archive_version} -%patch2 -p0 -b .prtypes -%patch7 -p0 -b .include_prtypes -%patch8 -p1 -b .tls12_mechs +%patch -P2 -p0 -b .prtypes +%patch -P7 -p0 -b .include_prtypes +%patch -P8 -p1 -b .tls12_mechs pushd nss -%patch9 -p1 -R -b .sql-default -%patch10 -p1 -b .disable-md5 -%patch11 -p1 -b .pkcs11v2 +%patch -P9 -p1 -R -b .sql-default +%patch -P10 -p1 -b .disable-md5 +%patch -P11 -p1 -b .pkcs11v2 +%patch -P60 -p1 -b .fips +%patch -P70 -p1 -b .ems popd @@ -264,6 +270,10 @@ done %{_includedir}/nss3/templates/templates.c %changelog +* Tue Jun 20 2023 Bob Relyea - 3.90.0-1 +- Rebase to NSS 3.90 +- Replace deprecate %patchN syntax + * Thu Jun 2 2022 Bob Relyea - 3.79.0-1 - Rebase to NSS 3.79
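Review bot: `Patch60: nss-util-3.79-fips.patch` is added without the explanatory comment its neighbours carry, and its file name still says 3.79 although it is applied to the 3.90 tree. A line such as `# FIPS: adds the CKA_NSS_GENERATE and CKA_NSS_GENERATE_KEY_PAIR pseudo-attributes to pkcs11n.h` above it would tell a maintainer what the patch does. The `#ems policy. needs to upstream` comment above Patch70 could also say that the patch introduces a provisional OID tag (`SEC_OID_PRIVATE_1`) whose name is expected to change, so the patch gets revisited on the next rebase.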