diff --git a/SOURCES/nss-util-mozilla-ca-policy.patch b/SOURCES/nss-util-mozilla-ca-policy.patch
new file mode 100644
index 0000000..de662f2
--- /dev/null
+++ b/SOURCES/nss-util-mozilla-ca-policy.patch
@@ -0,0 +1,20 @@
+# HG changeset patch
+# User Kai Engert
+# Date 1486667455 -3600
+# Thu Feb 09 20:10:55 2017 +0100
+# Node ID 29858a467f45b3964c7403ab4e41daf5c5bc18ad
+# Parent 867f6176020d098a5c069bf43f06ef5c68e4c3cd
+Bug 1334976, use a new attribute in the builtins root CA list, to distinguish between Mozilla policy CAs and other CAs, code changes, r=rrelyea
+
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -93,6 +93,8 @@
+ #define CKA_NSS_JPAKE_X2 (CKA_NSS + 32)
+ #define CKA_NSS_JPAKE_X2S (CKA_NSS + 33)
+
++#define CKA_NSS_MOZILLA_CA_POLICY (CKA_NSS + 34)
++
+ /*
+ * Trust attributes:
+ *
diff --git a/SOURCES/nss-util-pkcs12.patch b/SOURCES/nss-util-pkcs12.patch
new file mode 100644
index 0000000..c5994b3
--- /dev/null
+++ b/SOURCES/nss-util-pkcs12.patch
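Review bot: The new `CKA_NSS_MOZILLA_CA_POLICY` define added to lib/util/pkcs11n.h by nss-util-mozilla-ca-policy.patch has no comment, so its meaning is recorded only in the changeset message. A one-line comment above it, for example `/* set on builtin root CA objects that belong to the Mozilla CA policy list */`, would tell a consumer what the attribute marks. Code that reads it for a trust decision should presumably treat a missing attribute as "not a Mozilla policy CA", since a builtins module built without the matching change would not carry it; that is inferred from the message and worth stating in the comment if it holds.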
@@ -0,0 +1,45 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1481829086 -3600
+# Thu Dec 15 20:11:26 2016 +0100
+# Node ID 6d66c2c24e4d9d1ad12a7065c55ef1c9fe143057
+# Parent 35ecce23718136f99ca9537007481b4774c57e68
+Bug 1268143 - pk12util can't import PKCS#12 files with SHA-256 MAC, r=rrelyea
+
+diff --git a/lib/util/pkcs11n.h b/lib/util/pkcs11n.h
+--- a/lib/util/pkcs11n.h
++++ b/lib/util/pkcs11n.h
+@@ -222,6 +222,12 @@
+ #define CKM_NSS_CHACHA20_KEY_GEN (CKM_NSS + 27)
+ #define CKM_NSS_CHACHA20_POLY1305 (CKM_NSS + 28)
+
++/* Additional PKCS #12 PBE algorithms defined in v1.1 */
++#define CKM_NSS_PKCS12_PBE_SHA224_HMAC_KEY_GEN (CKM_NSS + 29)
++#define CKM_NSS_PKCS12_PBE_SHA256_HMAC_KEY_GEN (CKM_NSS + 30)
++#define CKM_NSS_PKCS12_PBE_SHA384_HMAC_KEY_GEN (CKM_NSS + 31)
++#define CKM_NSS_PKCS12_PBE_SHA512_HMAC_KEY_GEN (CKM_NSS + 32)
++
+ /*
+ * HISTORICAL:
+ * Do not attempt to use these. They are only used by NETSCAPE's internal
+# HG changeset patch
+# User Daiki Ueno
+# Date 1485768835 -3600
+# Mon Jan 30 10:33:55 2017 +0100
+# Node ID 09d1a0757431fa52ae025138da654c698141971b
+# Parent 806c3106536feea0827ec54729a52b5cbac8a496
+Bug 1268141 - pk12util can't import PKCS#12 files encrypted with AES-128-CBC, r=rrelyea
+
+diff --git a/lib/util/ciferfam.h b/lib/util/ciferfam.h
+--- a/lib/util/ciferfam.h
++++ b/lib/util/ciferfam.h
+@@ -52,6 +52,9 @@
+ #define PKCS12_RC4_128 (CIPHER_FAMILYID_PKCS12 | 0012)
+ #define PKCS12_DES_56 (CIPHER_FAMILYID_PKCS12 | 0021)
+ #define PKCS12_DES_EDE3_168 (CIPHER_FAMILYID_PKCS12 | 0022)
++#define PKCS12_AES_CBC_128 (CIPHER_FAMILYID_PKCS12 | 0031)
++#define PKCS12_AES_CBC_192 (CIPHER_FAMILYID_PKCS12 | 0032)
++#define PKCS12_AES_CBC_256 (CIPHER_FAMILYID_PKCS12 | 0033)
+
+ /* SMIME version numbers are negative, to avoid colliding with SSL versions */
+ #define SMIME_LIBRARY_VERSION_1_0 -0x0100
diff --git a/SOURCES/nss-util-policy-double-newline.patch b/SOURCES/nss-util-policy-double-newline.patch
new file mode 100644
index 0000000..c627990
--- /dev/null
+++ b/SOURCES/nss-util-policy-double-newline.patch
@@ -0,0 +1,68 @@
+diff --git a/lib/util/utilmod.c b/lib/util/utilmod.c
+--- a/lib/util/utilmod.c
++++ b/lib/util/utilmod.c
+@@ -227,20 +227,25 @@ nssutil_ReadSecmodDB(const char *appName
+ * the following loop takes line separated config lines and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+ moduleString = NULL; /* current concatenated string */
+ internal = PR_FALSE; /* is this an internal module */
+ skipParams = PR_FALSE; /* did we find an override parameter block*/
+ paramsValue = NULL; /* the current parameter block value */
+- while (fgets(line, sizeof(line), fd) != NULL) {
+- int len = PORT_Strlen(line);
++ do {
++ int len;
++
++ if (fgets(line, sizeof(line), fd) == NULL) {
++ goto endloop;
++ }
+
+ /* remove the ending newline */
++ len = PORT_Strlen(line);
+ if (len && line[len - 1] == '\n') {
+ len--;
+ line[len] = 0;
+ }
+ if (*line == '#') {
+ continue;
+ }
+ if (*line != 0) {
+@@ -339,16 +344,17 @@ nssutil_ReadSecmodDB(const char *appName
+ }
+ }
+ continue;
+ }
+ if ((moduleString == NULL) || (*moduleString == 0)) {
+ continue;
+ }
+
++ endloop:
+ /*
+ * if we are here, we have found a complete stanza. Now write out
+ * any param section we may have found.
+ */
+ if (paramsValue) {
+ /* we had an override */
+ if (!skipParams) {
+ moduleString = nssutil_DupnCat(moduleString, " parameters=", 12);
+@@ -374,17 +380,17 @@ nssutil_ReadSecmodDB(const char *appName
+ moduleList[0] = moduleString;
+ } else {
+ moduleList[moduleCount] = moduleString;
+ moduleCount++;
+ }
+ moduleString = NULL;
+ internal = PR_FALSE;
+ skipParams = PR_FALSE;
+- }
++ } while (!feof(fd));
+
+ if (moduleString) {
+ PORT_Free(moduleString);
+ moduleString = NULL;
+ }
+ done:
+ /* if we couldn't open a pkcs11 database, look for the old one */
+ if (fd == NULL) {
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index e930077..51c76ef 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
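Review bot: In nssutil_ReadSecmodDB (nss-util-policy-double-newline.patch), the new `goto endloop` taken when `fgets` returns NULL lands below the `(moduleString == NULL) || (*moduleString == 0)` guard, so the end-of-file pass runs the stanza write-out and reaches `moduleList[moduleCount] = moduleString; moduleCount++;` even when no stanza is pending. Unless the lines between the second and third inner hunks (not shown) prevent it, a file that already ended its last stanza with a blank line appears to append a NULL entry and bump the count; placing `endloop:` above that guard rather than below it would send the end-of-file pass through the same check. Separately, `fgets` also returns NULL on a read error, where `feof(fd)` stays false, so the loop would keep iterating; `} while (!feof(fd) && !ferror(fd));` bounds it. The function body starts and ends outside the hunks.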
@@ -5,7 +5,7 @@ Summary: Network Security Services Utilities Library Name: nss-util Version: 3.28.4 -Release: 1.0%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -39,6 +39,13 @@ Patch7: pkcs1sig-include-prtypes.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089 Patch8: nss-util-3.19.1-tls12-mechanisms.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1334976 +Patch9: nss-util-mozilla-ca-policy.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268143 +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1268141 +Patch10: nss-util-pkcs12.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1319856 +Patch11: nss-util-policy-double-newline.patch %description Utilities for Network Security Services and the Softoken module @@ -62,6 +69,11 @@ Header and library files for doing development with Network Security Services. %patch2 -p0 -b .prtypes %patch7 -p0 -b .include_prtypes %patch8 -p1 -b .tls12_mechs +pushd nss +%patch9 -p1 -b .mozilla_ca_policy +%patch10 -p1 -b .pkcs12 +%patch11 -p1 -b .policy_double_newline +popd %build @@ -233,8 +245,17 @@ done %{_includedir}/nss3/templates/templates.c %changelog -* Fri Apr 7 2017 Daiki Ueno - 3.28.4-1.0 -- Rebase to nss-3.28.4 to accommodate base64 encoding issue +* Mon May 15 2017 Daiki Ueno - 3.28.4-3 +- Backport patch to allow empty line at the end of policy file + +* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2 +- Rebase to nss-3.28.4 + +* Thu Mar 9 2017 Daiki Ueno - 3.28.3-3 +- Backport necessary constant definitions + +* Thu Mar 2 2017 Daiki Ueno - 3.28.3-2 +- Rebase to nss-3.28.3 * Fri Feb 17 2017 Daiki Ueno - 3.28.2-1.1 - Prevent ABI incompatibility of SECKEYECPublicKey structure 
@@ -244,9 +265,6 @@ done - Remove upstreamed build-nss-util-only.patch - Package new header eccutil.h -* Wed Nov 02 2016 Kai Engert - 3.21.3-1.1 -- rebuild - * Mon Oct 24 2016 Daiki Ueno - 3.21.3-1 - Rebase to nss-3.21.3 - Remove patch for CVE-2016-1950, which is included in the release