diff --git a/.gitignore b/.gitignore index a5df990..a046fce 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/nss-util-3.44.tar.gz +SOURCES/nss-util-3.53.1.tar.gz diff --git a/.nss-util.metadata b/.nss-util.metadata index 1aba32d..0c829fd 100644 --- a/.nss-util.metadata +++ b/.nss-util.metadata @@ -1 +1 @@ -0082a63b26f7cf067441ef6de90a1af9cc4e4e21 SOURCES/nss-util-3.44.tar.gz +bf561dd7132a2b3345deb1c574237397f26ff65e SOURCES/nss-util-3.53.1.tar.gz diff --git a/SOURCES/nss-split-util.sh b/SOURCES/nss-split-util.sh index b56debe..ac023d3 100755 --- a/SOURCES/nss-split-util.sh +++ b/SOURCES/nss-split-util.sh @@ -58,7 +58,6 @@ cp ${nss_source_dir}/nss/cmd/platrules.mk ${UTIL_WORK}/${util_dir}/nss/cmd mkdir ${UTIL_WORK}/${util_dir}/nss/lib # copy some files at the top and the util subdirectory recursively cp ${nss_source_dir}/nss/lib/Makefile ${UTIL_WORK}/${util_dir}/nss/lib -cp ${nss_source_dir}/nss/lib/manifest.mn ${UTIL_WORK}/${util_dir}/nss/lib cp -a ${nss_source_dir}/nss/lib/util ${UTIL_WORK}/${util_dir}/nss/lib/util pushd ${UTIL_WORK} # the compressed tar ball for nss-util diff --git a/SOURCES/nss-util-3.19.1-tls12-mechanisms.patch b/SOURCES/nss-util-3.19.1-tls12-mechanisms.patch index b631dbe..ed06926 100644 --- a/SOURCES/nss-util-3.19.1-tls12-mechanisms.patch +++ b/SOURCES/nss-util-3.19.1-tls12-mechanisms.patch @@ -1,14 +1,14 @@ diff -up ./nss/lib/util/pkcs11t.h.tls12_mechs ./nss/lib/util/pkcs11t.h ---- ./nss/lib/util/pkcs11t.h.tls12_mechs 2017-01-13 16:33:12.199107708 +0100 -+++ ./nss/lib/util/pkcs11t.h 2017-01-13 16:34:12.479625017 +0100 -@@ -1650,6 +1650,10 @@ typedef struct CK_TLS_MAC_PARAMS { +--- ./nss/lib/util/pkcs11t.h.tls12_mechs 2020-07-21 10:29:05.662324870 +0200 ++++ ./nss/lib/util/pkcs11t.h 2020-07-21 10:29:46.368025862 +0200 +@@ -992,6 +992,10 @@ typedef CK_ULONG CK_MECHANISM_TYPE; - typedef CK_TLS_MAC_PARAMS CK_PTR CK_TLS_MAC_PARAMS_PTR; + #define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0UL +/* aliases for compatibility with prior release */ +#define CK_TLS12_MAC_PARAMS CK_TLS_MAC_PARAMS +#define CK_TLS12_MAC_PARAMS_PTR CK_TLS_MAC_PARAMS_PTR + - /* WTLS is new for version 2.20 */ - typedef struct CK_WTLS_RANDOM_DATA { - CK_BYTE_PTR pClientRandom; + /* WTLS mechanisms are new for v2.20 */ + #define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0UL + #define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1UL diff --git a/SOURCES/nss-util-3.44-handle-malformed-ecdh.patch b/SOURCES/nss-util-3.44-handle-malformed-ecdh.patch deleted file mode 100644 index 083cecf..0000000 --- a/SOURCES/nss-util-3.44-handle-malformed-ecdh.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/lib/util/quickder.c b/lib/util/quickder.c ---- a/lib/util/quickder.c -+++ b/lib/util/quickder.c -@@ -757,6 +757,13 @@ - } - - case SEC_ASN1_BIT_STRING: { -+ /* Can't be 8 or more spare bits, or any spare bits -+ * if there are no octets. */ -+ if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) { -+ PORT_SetError(SEC_ERROR_BAD_DER); -+ rv = SECFailure; -+ break; -+ } - /* change the length in the SECItem to be the number - of bits */ - temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7); - - diff --git a/SOURCES/nss-util-disable-md5.patch b/SOURCES/nss-util-disable-md5.patch new file mode 100644 index 0000000..45e312a --- /dev/null +++ b/SOURCES/nss-util-disable-md5.patch @@ -0,0 +1,23 @@ +diff -r 699541a7793b lib/util/secoid.c +--- a/lib/util/secoid.c Tue Jun 16 23:03:22 2020 +0000 ++++ b/lib/util/secoid.c Thu Jun 25 14:33:09 2020 +0200 +@@ -2042,6 +2042,19 @@ + int i; + + for (i = 1; i < SEC_OID_TOTAL; i++) { ++ switch (i) { ++ case SEC_OID_MD2: ++ case SEC_OID_MD4: ++ case SEC_OID_MD5: ++ case SEC_OID_PKCS1_MD2_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS1_MD4_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: ++ case SEC_OID_PKCS5_PBE_WITH_MD2_AND_DES_CBC: ++ case SEC_OID_PKCS5_PBE_WITH_MD5_AND_DES_CBC: ++ continue; ++ default: ++ break; ++ } + if (oids[i].desc && strstr(arg, oids[i].desc)) { + xOids[i].notPolicyFlags = notEnable | + (xOids[i].notPolicyFlags & ~(DEF_FLAGS)); diff --git a/SOURCES/nss-util-fix-public-key-from-priv.patch b/SOURCES/nss-util-fix-public-key-from-priv.patch deleted file mode 100644 index 820c508..0000000 --- a/SOURCES/nss-util-fix-public-key-from-priv.patch +++ /dev/null @@ -1,31 +0,0 @@ -diff -up ./nss/lib/util/pkcs11n.h.pub_priv_mech ./nss/lib/util/pkcs11n.h ---- ./nss/lib/util/pkcs11n.h.pub_priv_mech 2019-06-05 09:59:18.446315784 -0700 -+++ ./nss/lib/util/pkcs11n.h 2019-06-05 10:15:13.388806330 -0700 -@@ -152,11 +152,6 @@ - #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) - #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) - --/* IKE mechanism (to be proposed to PKCS #11 */ --#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7) --#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8) --#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9) --#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10) - - /* J-PAKE round 1 key generation mechanisms. - * -@@ -238,6 +233,15 @@ - - #define CKM_NSS_CHACHA20_CTR (CKM_NSS + 33) - -+/* IKE mechanism (to be proposed to PKCS #11 */ -+#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 34) -+#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 35) -+#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 36) -+#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 37) -+ -+/* Derive a public key from a bare private key */ -+#define CKM_NSS_PUB_FROM_PRIV (CKM_NSS + 40) -+ - /* - * HISTORICAL: - * Do not attempt to use these. They are only used by NETSCAPE's internal diff --git a/SOURCES/nss-util-gcm-param-default-pkcs11v2.patch b/SOURCES/nss-util-gcm-param-default-pkcs11v2.patch new file mode 100644 index 0000000..2d6cba8 --- /dev/null +++ b/SOURCES/nss-util-gcm-param-default-pkcs11v2.patch @@ -0,0 +1,21 @@ +diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h +--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700 ++++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700 +@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS { + typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR; + + /* deprecated #defines. Drop in future NSS releases */ +-#ifdef NSS_PKCS11_2_0_COMPAT ++#ifndef NSS_PKCS11_3_0_STRICT + + /* defines that were changed between NSS's PKCS #11 and the Oasis headers */ + #define CKF_EC_FP CKF_EC_F_P +@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_ + #define CKT_NETSCAPE_VALID CKT_NSS_VALID + #define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR + #else +-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */ ++/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */ + typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS; + typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR; + #endif diff --git a/SOURCES/nss-util-ike-patch.patch b/SOURCES/nss-util-ike-patch.patch deleted file mode 100644 index 0c38bfa..0000000 --- a/SOURCES/nss-util-ike-patch.patch +++ /dev/null @@ -1,131 +0,0 @@ -diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h ---- a/lib/util/pkcs11n.h -+++ b/lib/util/pkcs11n.h -@@ -147,16 +147,22 @@ - #define CKM_NSS_AES_KEY_WRAP_PAD (CKM_NSS + 2) - - /* HKDF key derivation mechanisms. See CK_NSS_HKDFParams for documentation. */ - #define CKM_NSS_HKDF_SHA1 (CKM_NSS + 3) - #define CKM_NSS_HKDF_SHA256 (CKM_NSS + 4) - #define CKM_NSS_HKDF_SHA384 (CKM_NSS + 5) - #define CKM_NSS_HKDF_SHA512 (CKM_NSS + 6) - -+/* IKE mechanism (to be proposed to PKCS #11 */ -+#define CKM_NSS_IKE_PRF_PLUS_DERIVE (CKM_NSS + 7) -+#define CKM_NSS_IKE_PRF_DERIVE (CKM_NSS + 8) -+#define CKM_NSS_IKE1_PRF_DERIVE (CKM_NSS + 9) -+#define CKM_NSS_IKE1_APP_B_PRF_DERIVE (CKM_NSS + 10) -+ - /* J-PAKE round 1 key generation mechanisms. - * - * Required template attributes: CKA_PRIME, CKA_SUBPRIME, CKA_BASE, - * CKA_NSS_JPAKE_SIGNERID - * Output key type: CKK_NSS_JPAKE_ROUND1 - * Output key class: CKO_PRIVATE_KEY - * Parameter type: CK_NSS_JPAKERound1Params - * -@@ -337,16 +343,82 @@ typedef struct CK_NSS_HKDFParams { - CK_BYTE_PTR pSalt; - CK_ULONG ulSaltLen; - CK_BBOOL bExpand; - CK_BYTE_PTR pInfo; - CK_ULONG ulInfoLen; - } CK_NSS_HKDFParams; - - /* -+ * CK_NSS_IKE_PRF_PLUS_PARAMS is a structure that provides the parameters to -+ * the CKM_NSS_IKE_PRF_PLUS_DERIVE mechanism. -+ * The fields of the structure have the following meanings: -+ * prfMechanism underlying MAC mechanism used to generate the prf. -+ * bHasSeedKey hSeed key is present. -+ * hSeedKey optional seed from key -+ * pSeedData optional seed from data. -+ * ulSeedDataLen length of optional seed data. -+ * If no seed data is present this value is NULL. -+ */ -+typedef struct CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS { -+ CK_MECHANISM_TYPE prfMechanism; -+ CK_BBOOL bHasSeedKey; -+ CK_OBJECT_HANDLE hSeedKey; -+ CK_BYTE_PTR pSeedData; -+ CK_ULONG ulSeedDataLen; -+} CK_NSS_IKE_PRF_PLUS_DERIVE_PARAMS; -+ -+/* CK_NSS_IKE_PRF_DERIVE_PARAMS is a structure that provides the parameters to -+ * the CKM_NSS_IKE_PRF_DERIVE mechanism. -+ * -+ * The fields of the structure have the following meanings: -+ * prfMechanism underlying MAC mechanism used to generate the prf. -+ * bRekey hNewKey is present. -+ * pNi Ni value -+ * ulNiLen length of Ni -+ * pNr Nr value -+ * ulNrLen length of Nr -+ * hNewKey New key value to drive the rekey. -+ */ -+typedef struct CK_NSS_IKE_PRF_DERIVE_PARAMS { -+ CK_MECHANISM_TYPE prfMechanism; -+ CK_BBOOL bDataAsKey; -+ CK_BBOOL bRekey; -+ CK_BYTE_PTR pNi; -+ CK_ULONG ulNiLen; -+ CK_BYTE_PTR pNr; -+ CK_ULONG ulNrLen; -+ CK_OBJECT_HANDLE hNewKey; -+} CK_NSS_IKE_PRF_DERIVE_PARAMS; -+ -+/* CK_NSS_IKE1_PRF_DERIVE_PARAMS is a structure that provides the parameters -+ * to the CKM_NSS_IKE_PRF_DERIVE mechanism. -+ * -+ * The fields of the structure have the following meanings: -+ * prfMechanism underlying MAC mechanism used to generate the prf. -+ * bRekey hNewKey is present. -+ * pCKYi CKYi value -+ * ulCKYiLen length of CKYi -+ * pCKYr CKYr value -+ * ulCKYrLen length of CKYr -+ * hNewKey New key value to drive the rekey. -+ */ -+typedef struct CK_NSS_IKE1_PRF_DERIVE_PARAMS { -+ CK_MECHANISM_TYPE prfMechanism; -+ CK_BBOOL bHasPrevKey; -+ CK_OBJECT_HANDLE hKeygxy; -+ CK_OBJECT_HANDLE hPrevKey; -+ CK_BYTE_PTR pCKYi; -+ CK_ULONG ulCKYiLen; -+ CK_BYTE_PTR pCKYr; -+ CK_ULONG ulCKYrLen; -+ CK_BYTE keyNumber; -+} CK_NSS_IKE1_PRF_DERIVE_PARAMS; -+ -+/* - * Parameter for the TLS extended master secret key derivation mechanisms: - * - * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE - * * CKM_NSS_TLS_EXTENDED_MASTER_KEY_DERIVE_DH - * - * For the TLS 1.2 PRF, the prfHashMechanism parameter determines the hash - * function used. For earlier versions of the PRF, set the prfHashMechanism - * value to CKM_TLS_PRF. -diff --git a/lib/util/pkcs11t.h b/lib/util/pkcs11t.h ---- a/lib/util/pkcs11t.h -+++ b/lib/util/pkcs11t.h -@@ -877,16 +877,18 @@ typedef CK_ULONG CK_MECHANISM_TYPE; - #define CKM_AES_MAC_GENERAL 0x00001084 - #define CKM_AES_CBC_PAD 0x00001085 - /* new for v2.20 amendment 3 */ - #define CKM_AES_CTR 0x00001086 - /* new for v2.30 */ - #define CKM_AES_GCM 0x00001087 - #define CKM_AES_CCM 0x00001088 - #define CKM_AES_CTS 0x00001089 -+#define CKM_AES_XCBC_MAC 0x0000108C -+#define CKM_AES_XCBC_MAC_96 0x0000108D - - /* BlowFish and TwoFish are new for v2.20 */ - #define CKM_BLOWFISH_KEY_GEN 0x00001090 - #define CKM_BLOWFISH_CBC 0x00001091 - #define CKM_TWOFISH_KEY_GEN 0x00001092 - #define CKM_TWOFISH_CBC 0x00001093 - - /* Camellia is proposed for v2.20 Amendment 3 */ diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec index 276e83a..00a0eaf 100644 --- a/SPECS/nss-util.spec +++ b/SPECS/nss-util.spec @@ -1,7 +1,7 @@ -%global nspr_version 4.21.0 +%global nspr_version 4.25.0 # adjust to the very latest build needed %global nspr_build_version -1 -%global nss_util_version 3.44.0 +%global nss_util_version 3.53.1 # The upstream omits the trailing ".0", while we need it for # consistency with the pkg-config version: @@ -14,7 +14,7 @@ rpm.define(string.format("nss_util_archive_version %s", Summary: Network Security Services Utilities Library Name: nss-util Version: %{nss_util_version} -Release: 4%{?dist} +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -51,12 +51,12 @@ Patch8: nss-util-3.19.1-tls12-mechanisms.patch # To revert the change in: # https://bugzilla.mozilla.org/show_bug.cgi?id=1377940 Patch9: nss-util-sql-default.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1546229 -Patch10: nss-util-ike-patch.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1473806 -Patch11: nss-util-fix-public-key-from-priv.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1515342 -Patch12: nss-util-3.44-handle-malformed-ecdh.patch +# Local patch: disable MD5 (also MD2 and MD4) completely +# https://bugzilla.redhat.com/show_bug.cgi?id=1849938 +Patch10: nss-util-disable-md5.patch +# For compatibility reasons, we stick with the old PKCS #11 2.40 +# definition of CK_GCM_PARAMS: +Patch11: nss-util-gcm-param-default-pkcs11v2.patch %description @@ -83,11 +83,8 @@ Header and library files for doing development with Network Security Services. %patch8 -p1 -b .tls12_mechs pushd nss %patch9 -p1 -R -b .sql-default -%patch10 -p1 -b .ike_mechs -popd -%patch11 -p1 -b .pub_priv_mechs -pushd nss -%patch12 -p1 -b .handle-malformed-ecdh +%patch10 -p1 -b .disable-md5 +%patch11 -p1 -b .pkcs11v2 popd @@ -103,6 +100,12 @@ export BUILD_OPT # Generate symbolic info for debuggers XCFLAGS=$RPM_OPT_FLAGS + +# -std=c99 is the default since 3.48, which causes that some functions +# (e.g., putenv) are not declared under older glibc (<= 2.19), without +# explicitly set feature test macros: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1590972 +XCFLAGS+=" -D_SVID_SOURCE" export XCFLAGS PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 @@ -133,8 +136,8 @@ export USE_64 %endif # make util -%{__make} -C ./nss/coreconf -%{__make} -C ./nss +%{__make} -C ./nss all +%{__make} -C ./nss latest # Set up our package file %{__mkdir_p} ./dist/pkgconfig @@ -261,6 +264,9 @@ done %{_includedir}/nss3/templates/templates.c %changelog +* Mon Jul 20 2020 Daiki Ueno - 3.53.1-1 +- Rebase to NSS 3.53.1 + * Thu Dec 5 2019 Bob Relyea - 3.44.0-4 - Fix segfault on empty or malformed ecdh keys (#1777712)