From 76478bf24365fb02edaee0b6c3973ab8e40db3ca Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sep 26 2022 14:24:42 +0000 Subject: import nss-3.79.0-4.el7_9 --- diff --git a/.gitignore b/.gitignore index 4f7cff8..4befa78 100644 --- a/.gitignore +++ b/.gitignore @@ -1,9 +1,6 @@ -SOURCES/PayPalEE.cert -SOURCES/PayPalICA.cert -SOURCES/TestOldCA.p12 SOURCES/blank-cert8.db SOURCES/blank-cert9.db SOURCES/blank-key3.db SOURCES/blank-key4.db SOURCES/blank-secmod.db -SOURCES/nss-3.67.tar.gz +SOURCES/nss-3.79.tar.gz diff --git a/.nss.metadata b/.nss.metadata index d284a79..b374a5a 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -1,9 +1,6 @@ -bc5c03643bfa1a5ea8519b8e7e2d7d5e30abea30 SOURCES/PayPalEE.cert -7e2f3a4f8fe8fa8a5730aeca029696637e986f3f SOURCES/PayPalICA.cert -706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db -9cccf98f0476905c0d863a6b2cb08a1955482241 SOURCES/nss-3.67.tar.gz +3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz diff --git a/SOURCES/NameConstraints.ipaca.cert b/SOURCES/NameConstraints.ipaca.cert deleted file mode 100644 index 4a451f3..0000000 Binary files a/SOURCES/NameConstraints.ipaca.cert and /dev/null differ diff --git a/SOURCES/NameConstraints.ocsp1.cert b/SOURCES/NameConstraints.ocsp1.cert deleted file mode 100644 index 817faaf..0000000 Binary files a/SOURCES/NameConstraints.ocsp1.cert and /dev/null differ diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert deleted file mode 100644 index dae0196..0000000 Binary files a/SOURCES/PayPalRootCA.cert and /dev/null differ diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert deleted file mode 100644 index 929b793..0000000 Binary files a/SOURCES/TestCA.ca.cert and /dev/null differ diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert deleted file mode 100644 index ed71727..0000000 Binary files a/SOURCES/TestUser50.cert and /dev/null differ diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert deleted file mode 100644 index 1b45db2..0000000 Binary files a/SOURCES/TestUser51.cert and /dev/null differ diff --git a/SOURCES/nss-3.53-fix-private_key_mac.patch b/SOURCES/nss-3.53-fix-private_key_mac.patch deleted file mode 100644 index 60df7d5..0000000 --- a/SOURCES/nss-3.53-fix-private_key_mac.patch +++ /dev/null @@ -1,104 +0,0 @@ -diff --git a/lib/softoken/sftkpwd.c b/lib/softoken/sftkpwd.c ---- a/lib/softoken/sftkpwd.c -+++ b/lib/softoken/sftkpwd.c -@@ -277,17 +277,19 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha - *plain = nsspkcs5_CipherData(cipherValue.param, passKey, &cipherValue.value, - PR_FALSE, NULL); - if (*plain == NULL) { - rv = SECFailure; - goto loser; - } - - /* If we are using aes 256, we need to check authentication as well.*/ -- if ((type != CKT_INVALID_TYPE) && (cipherValue.alg == SEC_OID_AES_256_CBC)) { -+ if ((type != CKT_INVALID_TYPE) && -+ (cipherValue.alg == SEC_OID_PKCS5_PBES2) && -+ (cipherValue.param->encAlg == SEC_OID_AES_256_CBC)) { - SECItem signature; - unsigned char signData[SDB_MAX_META_DATA_LEN]; - - /* if we get here from the old legacy db, there is clearly an - * error, don't return the plaintext */ - if (handle == NULL) { - rv = SECFailure; - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); -@@ -299,17 +301,27 @@ sftkdb_DecryptAttribute(SFTKDBHandle *ha - rv = sftkdb_GetAttributeSignature(handle, handle, id, type, - &signature); - if (rv != SECSuccess) { - goto loser; - } - rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, type, - *plain, &signature); - if (rv != SECSuccess) { -- goto loser; -+ /* handle a bug where old versions of NSS misfiled the signature -+ * attribute on password update */ -+ id |= SFTK_KEYDB_TYPE|SFTK_TOKEN_TYPE; -+ signature.len = sizeof(signData); -+ rv = sftkdb_GetAttributeSignature(handle, handle, id, type, -+ &signature); -+ if (rv != SECSuccess) { -+ goto loser; -+ } -+ rv = sftkdb_VerifyAttribute(handle, passKey, CK_INVALID_HANDLE, -+ type, *plain, &signature); - } - } - - loser: - if (cipherValue.param) { - nsspkcs5_DestroyPBEParameter(cipherValue.param); - } - if (cipherValue.arena) { -@@ -1186,16 +1198,17 @@ sftk_updateEncrypted(PLArenaPool *arena, - }; - const CK_ULONG privAttrCount = sizeof(privAttrTypes) / sizeof(privAttrTypes[0]); - - // We don't know what attributes this object has, so we update them one at a - // time. - unsigned int i; - for (i = 0; i < privAttrCount; i++) { - // Read the old attribute in the clear. -+ CK_OBJECT_HANDLE sdbId = id & SFTK_OBJ_ID_MASK; - CK_ATTRIBUTE privAttr = { privAttrTypes[i], NULL, 0 }; - CK_RV crv = sftkdb_GetAttributeValue(keydb, id, &privAttr, 1); - if (crv != CKR_OK) { - continue; - } - if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { - continue; - } -@@ -1210,30 +1223,29 @@ sftk_updateEncrypted(PLArenaPool *arena, - if ((privAttr.ulValueLen == -1) || (privAttr.ulValueLen == 0)) { - return CKR_GENERAL_ERROR; - } - SECItem plainText; - SECItem *result; - plainText.data = privAttr.pValue; - plainText.len = privAttr.ulValueLen; - if (sftkdb_EncryptAttribute(arena, keydb, keydb->db, newKey, -- iterationCount, id, privAttr.type, -+ iterationCount, sdbId, privAttr.type, - &plainText, &result) != SECSuccess) { - return CKR_GENERAL_ERROR; - } - privAttr.pValue = result->data; - privAttr.ulValueLen = result->len; - // Clear sensitive data. - PORT_Memset(plainText.data, 0, plainText.len); - - // Write the newly encrypted attributes out directly. -- CK_OBJECT_HANDLE newId = id & SFTK_OBJ_ID_MASK; - keydb->newKey = newKey; - keydb->newDefaultIterationCount = iterationCount; -- crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, newId, &privAttr, 1); -+ crv = (*keydb->db->sdb_SetAttributeValue)(keydb->db, sdbId, &privAttr, 1); - keydb->newKey = NULL; - if (crv != CKR_OK) { - return crv; - } - } - - return CKR_OK; - } diff --git a/SOURCES/nss-3.66-no-combo-tests.patch b/SOURCES/nss-3.66-no-combo-tests.patch deleted file mode 100644 index 32f7c35..0000000 --- a/SOURCES/nss-3.66-no-combo-tests.patch +++ /dev/null @@ -1,217 +0,0 @@ -diff -up ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft ./gtests/freebl_gtest/rsa_unittest.cc ---- ./gtests/freebl_gtest/rsa_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/freebl_gtest/rsa_unittest.cc 2021-06-11 19:06:57.778552974 +0000 -@@ -9,6 +9,7 @@ - - #include "blapi.h" - #include "secitem.h" -+#include "prenv.h" - - template - struct ScopedDelete { -@@ -76,6 +77,13 @@ TEST_F(RSATest, DecryptBlockTestErrors) - in_small, sizeof(in_small)); - EXPECT_EQ(SECFailure, rv); - -+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env) { -+ std::cerr << "Skipping RSA blapi DecryptBlockTestErrors because of" -+ << " semantic differences between old and new softoken." -+ << std::endl; -+ } -+ - uint8_t in[256] = {0}; - // This should fail because the padding checks will fail, - // however, mitigations for Bleichenbacher attacks transform failures -diff -up ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_ike_unittest.cc ---- ./gtests/pk11_gtest/pk11_ike_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/pk11_gtest/pk11_ike_unittest.cc 2021-06-11 19:41:20.381137781 +0000 -@@ -12,8 +12,10 @@ - #include "pk11pub.h" - #include "secerr.h" - #include "sechash.h" -+#include "hasht.h" - #include "util.h" - #include "databuffer.h" -+#include "prenv.h" - - #include "testvectors/ike-sha1-vectors.h" - #include "testvectors/ike-sha256-vectors.h" -@@ -23,6 +25,24 @@ - - namespace nss_test { - -+unsigned mech_to_size(CK_MECHANISM_TYPE mech) { -+ switch (mech) { -+ case CKM_SHA_1_HMAC: -+ return SHA1_LENGTH; -+ case CKM_SHA256_HMAC: -+ return SHA256_LENGTH; -+ case CKM_SHA384_HMAC: -+ return SHA384_LENGTH; -+ case CKM_SHA512_HMAC: -+ return SHA512_LENGTH; -+ case CKM_AES_XCBC_MAC: -+ return AES_BLOCK_SIZE; -+ default: -+ break; -+ } -+ return 0; -+} -+ - class Pkcs11IkeTest : public ::testing::TestWithParam< - std::tuple> { - protected: -@@ -59,6 +79,7 @@ class Pkcs11IkeTest : public ::testing:: - ScopedPK11SymKey gxy_key = nullptr; - ScopedPK11SymKey prev_key = nullptr; - ScopedPK11SymKey ikm = ImportKey(ikm_item); -+ unsigned hashsize = mech_to_size(prf_mech); - - // IKE_PRF structure (used in cases 1, 2 and 3) - CK_NSS_IKE_PRF_DERIVE_PARAMS nss_ike_prf_params = { -@@ -148,6 +169,14 @@ class Pkcs11IkeTest : public ::testing:: - ScopedPK11SymKey okm = ScopedPK11SymKey( - PK11_Derive(ikm.get(), derive_mech, ¶ms_item, - CKM_GENERIC_SECRET_KEY_GEN, CKA_DERIVE, vec.size)); -+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env && (derive_mech == CKM_NSS_IKE1_APP_B_PRF_DERIVE) && -+ (vec.size <= hashsize)) { -+ std::cerr << "Skipping Test #" << std::to_string(vec.id) -+ << ". Old tokens process APP B Prf for small keys incorrectly" -+ << std::endl; -+ return; -+ } - if (vec.valid) { - ASSERT_NE(nullptr, okm.get()) << msg; - ASSERT_EQ(SECSuccess, PK11_ExtractKeyValue(okm.get())) << msg; -diff -up ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc ---- ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/pk11_gtest/pk11_rsaencrypt_unittest.cc 2021-06-11 19:06:57.779552981 +0000 -@@ -14,6 +14,7 @@ - #include "nss_scoped_ptrs.h" - #include "pk11pub.h" - #include "databuffer.h" -+#include "prenv.h" - - #include "testvectors/rsa_pkcs1_2048_test-vectors.h" - #include "testvectors/rsa_pkcs1_3072_test-vectors.h" -@@ -45,6 +46,14 @@ class RsaDecryptWycheproofTest - rv = PK11_PrivDecryptPKCS1(priv_key.get(), decrypted.data(), &decrypted_len, - decrypted.size(), vec.ct.data(), vec.ct.size()); - -+ // semantics changed since the old softken -+ char *env = PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env && vec.valid && (rv == SECFailure)) { -+ std::cerr << "Skipping Decrypt test. Old softoken failed on bad data," -+ << "New softoken generates fake data" << std::endl; -+ return; -+ } -+ - if (vec.valid) { - EXPECT_EQ(SECSuccess, rv); - decrypted.resize(decrypted_len); -diff -up ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc ---- ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/pk11_gtest/pk11_rsaoaep_unittest.cc 2021-06-11 19:06:57.780552988 +0000 -@@ -13,6 +13,7 @@ - #include "nss.h" - #include "nss_scoped_ptrs.h" - #include "pk11pub.h" -+#include "prenv.h" - - #include "testvectors/rsa_oaep_2048_sha1_mgf1sha1-vectors.h" - #include "testvectors/rsa_oaep_2048_sha256_mgf1sha1-vectors.h" -@@ -161,6 +162,12 @@ TEST(Pkcs11RsaOaepTest, TestOaepWrapUnwr - rv = PK11_ExtractKeyValue(to_wrap.get()); - ASSERT_EQ(rv, SECSuccess); - -+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env) { -+ std::cerr << "Skipping OAEP test, not supported in old softoken\n"; -+ return; -+ } -+ - // References owned by PKCS#11 layer; no need to scope and free. - SECItem* expectedItem = PK11_GetKeyData(to_wrap.get()); - -diff -up ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc ---- ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/pk11_gtest/pk11_rsapkcs1_unittest.cc 2021-06-11 19:06:57.781552995 +0000 -@@ -16,6 +16,7 @@ - #include "secerr.h" - #include "sechash.h" - #include "pk11_signature_test.h" -+#include "prenv.h" - - #include "testvectors/rsa_signature_2048_sha224-vectors.h" - #include "testvectors/rsa_signature_2048_sha256-vectors.h" -@@ -175,6 +176,13 @@ TEST(RsaPkcs1Test, Pkcs1MinimumPadding) - SECItem hash_item = {siBuffer, toUcharPtr(hash.data()), - static_cast(hash.len())}; - SECItem sig_item = {siBuffer, toUcharPtr(sig.data()), sig_len}; -+ -+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env) { -+ std::cerr << "Skipping pkcs1 padding test, not supported in old softoken\n"; -+ return; -+ } -+ - rv = VFY_VerifyDigestDirect(&hash_item, short_pub.get(), &sig_item, - SEC_OID_PKCS1_RSA_ENCRYPTION, SEC_OID_SHA512, - nullptr); -diff -up ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft ./gtests/pk11_gtest/pk11_signature_test.cc ---- ./gtests/pk11_gtest/pk11_signature_test.cc.oldsoft 2021-05-28 09:50:43.000000000 +0000 -+++ ./gtests/pk11_gtest/pk11_signature_test.cc 2021-06-11 19:06:57.781552995 +0000 -@@ -4,6 +4,7 @@ - - #include - #include "nss.h" -+#include "prenv.h" - #include "pk11pub.h" - #include "sechash.h" - #include "prerror.h" -@@ -77,6 +78,25 @@ bool Pk11SignatureTest::SignData(ScopedS - EXPECT_LT(0, (int)sigLen); - sig->Allocate(static_cast(sigLen)); - -+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env != NULL) { -+ std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_ -+ << ", no token support.\n"; -+ DataBuffer hash; -+ if (!ComputeHash(data, &hash)) { -+ ADD_FAILURE() << "Failed to compute hash"; -+ return false; -+ } -+ if (!SignHashedData(privKey, hash, sig)) { -+ ADD_FAILURE() << "Failed to sign hashed data"; -+ return false; -+ } -+ -+ return true; -+ } else { -+ std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n"; -+ } -+ - // test the hash and verify interface */ - PK11Context* context = PK11_CreateContextByPrivKey( - combo_, CKA_SIGN, privKey.get(), parameters()); -@@ -160,6 +180,17 @@ void Pk11SignatureTest::Verify(const Pkc - EXPECT_EQ(rv, valid ? SECSuccess : SECFailure); - } - -+ /* old softokens don't understand all the new combo mechanism. */ -+ /* skip it */ -+ char *env=PR_GetEnvSecure("NSS_OLD_SOFTOKEN"); -+ if (env != NULL) { -+ std::cerr << "Skipping combo mechanism 0x" << std::hex << combo_ -+ << ", no token support.\n"; -+ return; -+ } else { -+ std::cerr << "PR_GetEnvSecure(\"NSS_OLD_SOFTOKEN\") return null!!!\n"; -+ } -+ - // test the hash and verify interface */ - PK11Context* context = PK11_CreateContextByPubKey( - combo_, CKA_VERIFY, pubKey.get(), parameters(), NULL); diff --git a/SOURCES/nss-3.66-no-small-primes.patch b/SOURCES/nss-3.66-no-small-primes.patch deleted file mode 100644 index 31be316..0000000 --- a/SOURCES/nss-3.66-no-small-primes.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff -up ./gtests/softoken_gtest/softoken_dh_vectors.h.orig ./gtests/softoken_gtest/softoken_dh_vectors.h ---- ./gtests/softoken_gtest/softoken_dh_vectors.h.orig 2021-06-02 16:57:50.557008790 -0700 -+++ ./gtests/softoken_gtest/softoken_dh_vectors.h 2021-06-02 16:59:52.781735096 -0700 -@@ -2872,7 +2872,7 @@ static const DhTestVector DH_TEST_VECTOR - {siBuffer, (unsigned char *)g2, sizeof(g2)}, - {siBuffer, NULL, 0}, - {siBuffer, NULL, 0}, -- IKE_APPROVED, -+ SAFE_PRIME, - CLASS_1536}, - {"IKE 2048", - {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)}, -@@ -2952,7 +2952,7 @@ static const DhTestVector DH_TEST_VECTOR - {siBuffer, (unsigned char *)sub2_prime_ike_1536, - sizeof(sub2_prime_ike_1536)}, - {siBuffer, NULL, 0}, -- IKE_APPROVED, -+ SAFE_PRIME, - CLASS_1536}, - {"IKE 2048 with subprime", - {siBuffer, (unsigned char *)prime_ike_2048, sizeof(prime_ike_2048)}, -diff -up ./lib/softoken/pkcs11c.c.orig ./lib/softoken/pkcs11c.c ---- ./lib/softoken/pkcs11c.c.orig 2021-05-28 02:50:43.000000000 -0700 -+++ ./lib/softoken/pkcs11c.c 2021-06-02 16:52:01.196932757 -0700 -@@ -5193,7 +5193,7 @@ sftk_PairwiseConsistencyCheck(CK_SESSION - /* subprime not supplied, In this case look it up. - * This only works with approved primes, but in FIPS mode - * that's the only kine of prime that will get here */ -- subPrimePtr = sftk_VerifyDH_Prime(&prime); -+ subPrimePtr = sftk_VerifyDH_Prime(&prime,isFIPS); - if (subPrimePtr == NULL) { - crv = CKR_GENERAL_ERROR; - goto done; -@@ -8351,7 +8351,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession - - /* if the prime is an approved prime, we can skip all the other - * checks. */ -- subPrime = sftk_VerifyDH_Prime(&dhPrime); -+ subPrime = sftk_VerifyDH_Prime(&dhPrime,isFIPS); - if (subPrime == NULL) { - SECItem dhSubPrime; - /* If the caller set the subprime value, it means that -diff -up ./lib/softoken/pkcs11i.h.orig ./lib/softoken/pkcs11i.h ---- ./lib/softoken/pkcs11i.h.orig 2021-06-02 16:52:01.196932757 -0700 -+++ ./lib/softoken/pkcs11i.h 2021-06-02 16:52:54.281248207 -0700 -@@ -946,7 +946,7 @@ char **NSC_ModuleDBFunc(unsigned long fu - /* dh verify functions */ - /* verify that dhPrime matches one of our known primes, and if so return - * it's subprime value */ --const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime); -+const SECItem *sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS); - /* check if dhSubPrime claims dhPrime is a safe prime. */ - SECStatus sftk_IsSafePrime(SECItem *dhPrime, SECItem *dhSubPrime, PRBool *isSafe); - /* map an operation Attribute to a Mechanism flag */ -diff -up ./lib/softoken/pkcs11u.c.orig ./lib/softoken/pkcs11u.c ---- ./lib/softoken/pkcs11u.c.orig 2021-06-02 16:54:23.387777705 -0700 -+++ ./lib/softoken/pkcs11u.c 2021-06-02 16:54:51.012941866 -0700 -@@ -2312,7 +2312,7 @@ sftk_handleSpecial(SFTKSlot *slot, CK_ME - if (crv != CKR_OK) { - return PR_FALSE; - } -- dhSubPrime = sftk_VerifyDH_Prime(&dhPrime); -+ dhSubPrime = sftk_VerifyDH_Prime(&dhPrime, PR_TRUE); - SECITEM_ZfreeItem(&dhPrime, PR_FALSE); - return (dhSubPrime) ? PR_TRUE : PR_FALSE; - } -diff -up ./lib/softoken/sftkdhverify.c.orig ./lib/softoken/sftkdhverify.c ---- ./lib/softoken/sftkdhverify.c.orig 2021-05-28 02:50:43.000000000 -0700 -+++ ./lib/softoken/sftkdhverify.c 2021-06-02 16:52:01.196932757 -0700 -@@ -1171,11 +1171,15 @@ static const SECItem subprime_tls_8192 = - * verify that dhPrime matches one of our known primes - */ - const SECItem * --sftk_VerifyDH_Prime(SECItem *dhPrime) -+sftk_VerifyDH_Prime(SECItem *dhPrime, PRBool isFIPS) - { - /* use the length to decide which primes to check */ - switch (dhPrime->len) { - case 1536 / PR_BITS_PER_BYTE: -+ /* don't accept 1536 bit primes in FIPS mode */ -+ if (isFIPS) { -+ break; -+ } - if (PORT_Memcmp(dhPrime->data, prime_ike_1536, - sizeof(prime_ike_1536)) == 0) { - return &subprime_ike_1536; diff --git a/SOURCES/nss-3.67-cve-2021-43527-test.patch b/SOURCES/nss-3.67-cve-2021-43527-test.patch deleted file mode 100644 index 51cb8e0..0000000 --- a/SOURCES/nss-3.67-cve-2021-43527-test.patch +++ /dev/null @@ -1,325 +0,0 @@ -diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt -new file mode 100644 ---- /dev/null -+++ b/tests/cert/Leaf-bogus-dsa.crt -@@ -0,0 +1,143 @@ -+-----BEGIN CERTIFICATE----- -+MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl -+RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw -+WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0 -+dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq -+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq -+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq -+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 -+u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM -+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM -+zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM -+zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d -+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d -+3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG -+ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u -+7u7u7u7uAoIIAQD///////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+//////////////////////////////////////////////////////////////// -+/////////////////////////////////////////////////////////w== -+-----END CERTIFICATE----- -diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt -new file mode 100644 ---- /dev/null -+++ b/tests/cert/Leaf-bogus-rsa-pss.crt -@@ -0,0 +1,126 @@ -+-----BEGIN CERTIFICATE----- -+MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI -+AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x -+EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw -+MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE -+AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE -+RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G -+CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL -+CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV -+VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU= -+-----END CERTIFICATE----- -diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh ---- a/tests/cert/cert.sh -+++ b/tests/cert/cert.sh -@@ -114,16 +114,28 @@ certu() - cert_log "ERROR: ${CU_ACTION} failed $RET" - else - html_passed "${CU_ACTION}" - fi - - return $RET - } - -+cert_test_vfy() -+{ -+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------" -+ echo " vfychain -a Leaf-bogus-dsa.crt" -+ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt -+ html_msg $? 1 "Verify large dsa signature" -+ echo "$SCRIPTNAME: Verify large rsa pss signature --------------" -+ echo " vfychain -a Leaf-bogus-rsa-pss.crt" -+ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt -+ html_msg $? 1 "Verify large rsa pss signature" -+} -+ - ################################ crlu ################################# - # local shell function to call crlutil, also: writes action and options to - # stdout, sets variable RET and writes results to the html file results - ######################################################################## - crlu() - { - echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" - -@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then - else - echo "$SCRIPTNAME: Skipping CRL Tests" - fi - - if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then - cert_stresscerts - fi - -+cert_test_vfy -+ - cert_iopr_setup - - cert_cleanup diff --git a/SOURCES/nss-3.67-cve-2021-43527.patch b/SOURCES/nss-3.67-cve-2021-43527.patch deleted file mode 100644 index 8fc81d3..0000000 --- a/SOURCES/nss-3.67-cve-2021-43527.patch +++ /dev/null @@ -1,279 +0,0 @@ -diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c ---- a/lib/cryptohi/secvfy.c -+++ b/lib/cryptohi/secvfy.c -@@ -164,6 +164,37 @@ - PR_FALSE /*XXX: unsafeAllowMissingParameters*/); - } - -+static unsigned int -+checkedSignatureLen(const SECKEYPublicKey *pubk) -+{ -+ unsigned int sigLen = SECKEY_SignatureLen(pubk); -+ if (sigLen == 0) { -+ /* Error set by SECKEY_SignatureLen */ -+ return sigLen; -+ } -+ unsigned int maxSigLen; -+ switch (pubk->keyType) { -+ case rsaKey: -+ case rsaPssKey: -+ maxSigLen = (RSA_MAX_MODULUS_BITS + 7) / 8; -+ break; -+ case dsaKey: -+ maxSigLen = DSA_MAX_SIGNATURE_LEN; -+ break; -+ case ecKey: -+ maxSigLen = 2 * MAX_ECKEY_LEN; -+ break; -+ default: -+ PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); -+ return 0; -+ } -+ if (sigLen > maxSigLen) { -+ PORT_SetError(SEC_ERROR_INVALID_KEY); -+ return 0; -+ } -+ return sigLen; -+} -+ - /* - * decode the ECDSA or DSA signature from it's DER wrapping. - * The unwrapped/raw signature is placed in the buffer pointed -@@ -174,38 +205,38 @@ - unsigned int len) - { - SECItem *dsasig = NULL; /* also used for ECDSA */ -- SECStatus rv = SECSuccess; - -- if ((algid != SEC_OID_ANSIX9_DSA_SIGNATURE) && -- (algid != SEC_OID_ANSIX962_EC_PUBLIC_KEY)) { -- if (sig->len != len) { -- PORT_SetError(SEC_ERROR_BAD_DER); -- return SECFailure; -+ /* Safety: Ensure algId is as expected and that signature size is within maxmimums */ -+ if (algid == SEC_OID_ANSIX9_DSA_SIGNATURE) { -+ if (len > DSA_MAX_SIGNATURE_LEN) { -+ goto loser; - } -- -- PORT_Memcpy(dsig, sig->data, sig->len); -- return SECSuccess; -+ } else if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { -+ if (len > MAX_ECKEY_LEN * 2) { -+ goto loser; -+ } -+ } else { -+ goto loser; - } - -- if (algid == SEC_OID_ANSIX962_EC_PUBLIC_KEY) { -- if (len > MAX_ECKEY_LEN * 2) { -- PORT_SetError(SEC_ERROR_BAD_DER); -- return SECFailure; -- } -+ /* Decode and pad to length */ -+ dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); -+ if (dsasig == NULL) { -+ goto loser; - } -- dsasig = DSAU_DecodeDerSigToLen((SECItem *)sig, len); -- -- if ((dsasig == NULL) || (dsasig->len != len)) { -- rv = SECFailure; -- } else { -- PORT_Memcpy(dsig, dsasig->data, dsasig->len); -+ if (dsasig->len != len) { -+ SECITEM_FreeItem(dsasig, PR_TRUE); -+ goto loser; - } - -- if (dsasig != NULL) -- SECITEM_FreeItem(dsasig, PR_TRUE); -- if (rv == SECFailure) -- PORT_SetError(SEC_ERROR_BAD_DER); -- return rv; -+ PORT_Memcpy(dsig, dsasig->data, len); -+ SECITEM_FreeItem(dsasig, PR_TRUE); -+ -+ return SECSuccess; -+ -+loser: -+ PORT_SetError(SEC_ERROR_BAD_DER); -+ return SECFailure; - } - - const SEC_ASN1Template hashParameterTemplate[] = -@@ -281,7 +312,7 @@ - sec_DecodeSigAlg(const SECKEYPublicKey *key, SECOidTag sigAlg, - const SECItem *param, SECOidTag *encalgp, SECOidTag *hashalg) - { -- int len; -+ unsigned int len; - PLArenaPool *arena; - SECStatus rv; - SECItem oid; -@@ -466,48 +497,52 @@ - cx->pkcs1RSADigestInfo = NULL; - rv = SECSuccess; - if (sig) { -- switch (type) { -- case rsaKey: -- rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, -- &cx->pkcs1RSADigestInfo, -- &cx->pkcs1RSADigestInfoLen, -- cx->key, -- sig, wincx); -- break; -- case rsaPssKey: -- sigLen = SECKEY_SignatureLen(key); -- if (sigLen == 0) { -- /* error set by SECKEY_SignatureLen */ -- rv = SECFailure; -+ rv = SECFailure; -+ if (type == rsaKey) { -+ rv = recoverPKCS1DigestInfo(hashAlg, &cx->hashAlg, -+ &cx->pkcs1RSADigestInfo, -+ &cx->pkcs1RSADigestInfoLen, -+ cx->key, -+ sig, wincx); -+ } else { -+ sigLen = checkedSignatureLen(key); -+ /* Check signature length is within limits */ -+ if (sigLen == 0) { -+ /* error set by checkedSignatureLen */ -+ rv = SECFailure; -+ goto loser; -+ } -+ if (sigLen > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ goto loser; -+ } -+ switch (type) { -+ case rsaPssKey: -+ if (sig->len != sigLen) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ rv = SECFailure; -+ goto loser; -+ } -+ PORT_Memcpy(cx->u.buffer, sig->data, sigLen); -+ rv = SECSuccess; - break; -- } -- if (sig->len != sigLen) { -- PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ case ecKey: -+ case dsaKey: -+ /* decodeECorDSASignature will check sigLen == sig->len after padding */ -+ rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); -+ break; -+ default: -+ /* Unreachable */ - rv = SECFailure; -- break; -- } -- PORT_Memcpy(cx->u.buffer, sig->data, sigLen); -- break; -- case dsaKey: -- case ecKey: -- sigLen = SECKEY_SignatureLen(key); -- if (sigLen == 0) { -- /* error set by SECKEY_SignatureLen */ -- rv = SECFailure; -- break; -- } -- rv = decodeECorDSASignature(encAlg, sig, cx->u.buffer, sigLen); -- break; -- default: -- rv = SECFailure; -- PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG); -- break; -+ goto loser; -+ } -+ } -+ if (rv != SECSuccess) { -+ goto loser; - } - } - -- if (rv) -- goto loser; -- - /* check hash alg again, RSA may have changed it.*/ - if (HASH_GetHashTypeByOidTag(cx->hashAlg) == HASH_AlgNULL) { - /* error set by HASH_GetHashTypeByOidTag */ -@@ -650,11 +685,16 @@ - switch (cx->key->keyType) { - case ecKey: - case dsaKey: -- dsasig.data = cx->u.buffer; -- dsasig.len = SECKEY_SignatureLen(cx->key); -+ dsasig.len = checkedSignatureLen(cx->key); - if (dsasig.len == 0) { - return SECFailure; - } -+ if (dsasig.len > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -+ return SECFailure; -+ } -+ dsasig.data = cx->u.buffer; -+ - if (sig) { - rv = decodeECorDSASignature(cx->encAlg, sig, dsasig.data, - dsasig.len); -@@ -686,8 +726,13 @@ - } - - rsasig.data = cx->u.buffer; -- rsasig.len = SECKEY_SignatureLen(cx->key); -+ rsasig.len = checkedSignatureLen(cx->key); - if (rsasig.len == 0) { -+ /* Error set by checkedSignatureLen */ -+ return SECFailure; -+ } -+ if (rsasig.len > sizeof(cx->u)) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - return SECFailure; - } - if (sig) { -@@ -749,7 +794,6 @@ - SECStatus rv; - VFYContext *cx; - SECItem dsasig; /* also used for ECDSA */ -- - rv = SECFailure; - - cx = vfy_CreateContext(key, sig, encAlg, hashAlg, NULL, wincx); -@@ -757,19 +801,25 @@ - switch (key->keyType) { - case rsaKey: - rv = verifyPKCS1DigestInfo(cx, digest); -+ /* Error (if any) set by verifyPKCS1DigestInfo */ - break; -- case dsaKey: - case ecKey: -+ case dsaKey: - dsasig.data = cx->u.buffer; -- dsasig.len = SECKEY_SignatureLen(cx->key); -+ dsasig.len = checkedSignatureLen(cx->key); - if (dsasig.len == 0) { -+ /* Error set by checkedSignatureLen */ -+ rv = SECFailure; - break; - } -- if (PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx) != -- SECSuccess) { -+ if (dsasig.len > sizeof(cx->u)) { - PORT_SetError(SEC_ERROR_BAD_SIGNATURE); -- } else { -- rv = SECSuccess; -+ rv = SECFailure; -+ break; -+ } -+ rv = PK11_Verify(cx->key, &dsasig, (SECItem *)digest, cx->wincx); -+ if (rv != SECSuccess) { -+ PORT_SetError(SEC_ERROR_BAD_SIGNATURE); - } - break; - default: - diff --git a/SOURCES/nss-3.67-fix-pkcs12-policy.patch b/SOURCES/nss-3.67-fix-pkcs12-policy.patch deleted file mode 100644 index 26912a5..0000000 --- a/SOURCES/nss-3.67-fix-pkcs12-policy.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff -up ./lib/pkcs12/p12plcy.c.policy_enable_fix ./lib/pkcs12/p12plcy.c ---- ./lib/pkcs12/p12plcy.c.policy_enable_fix 2021-09-21 15:58:46.013861285 -0700 -+++ ./lib/pkcs12/p12plcy.c 2021-09-21 15:59:06.440987853 -0700 -@@ -85,17 +85,12 @@ SECStatus - SEC_PKCS12EnableCipher(long which, int on) - { - int i; -- SECStatus rv; - PRUint32 set = on ? NSS_USE_ALG_IN_PKCS12 : 0; - PRUint32 clear = on ? 0 : NSS_USE_ALG_IN_PKCS12; - - for (i = 0; pkcs12SuiteMaps[i].suite != 0L; i++) { - if (pkcs12SuiteMaps[i].suite == (unsigned long)which) { -- rv = NSS_SetAlgorithmPolicy(pkcs12SuiteMaps[i].algTag, set, clear); -- /* could fail if the policy has been locked */ -- if (rv != SECSuccess) { -- return rv; -- } -+ return NSS_SetAlgorithmPolicy(pkcs12SuiteMaps[i].algTag, set, clear); - } - } - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); diff --git a/SOURCES/nss-3.67-fix-sdb-timeout.patch b/SOURCES/nss-3.67-fix-sdb-timeout.patch deleted file mode 100644 index 120cb5b..0000000 --- a/SOURCES/nss-3.67-fix-sdb-timeout.patch +++ /dev/null @@ -1,63 +0,0 @@ -diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c ---- a/lib/softoken/sdb.c -+++ b/lib/softoken/sdb.c -@@ -1519,16 +1519,18 @@ sdb_Begin(SDB *sdb) - - sqlerr = sqlite3_prepare_v2(sqlDB, BEGIN_CMD, -1, &stmt, NULL); - - do { - sqlerr = sqlite3_step(stmt); - if (sqlerr == SQLITE_BUSY) { - PR_Sleep(SDB_BUSY_RETRY_TIME); - } -+ /* don't retry BEGIN transaction*/ -+ retry = 0; - } while (!sdb_done(sqlerr, &retry)); - - if (stmt) { - sqlite3_reset(stmt); - sqlite3_finalize(stmt); - } - - loser: -diff --git a/lib/softoken/sftkdb.c b/lib/softoken/sftkdb.c ---- a/lib/softoken/sftkdb.c -+++ b/lib/softoken/sftkdb.c -@@ -1521,17 +1521,17 @@ sftkdb_DestroyObject(SFTKDBHandle *handl - if (handle == NULL) { - return CKR_TOKEN_WRITE_PROTECTED; - } - db = SFTK_GET_SDB(handle); - objectID &= SFTK_OBJ_ID_MASK; - - crv = (*db->sdb_Begin)(db); - if (crv != CKR_OK) { -- goto loser; -+ return crv; - } - crv = (*db->sdb_DestroyObject)(db, objectID); - if (crv != CKR_OK) { - goto loser; - } - /* if the database supports meta data, delete any old signatures - * that we may have added */ - if ((db->sdb_flags & SDB_HAS_META) == SDB_HAS_META) { -@@ -2456,17 +2456,17 @@ sftkdb_Update(SFTKDBHandle *handle, SECI - return CKR_OK; - } - /* - * put the whole update under a transaction. This allows us to handle - * any possible race conditions between with the updateID check. - */ - crv = (*handle->db->sdb_Begin)(handle->db); - if (crv != CKR_OK) { -- goto loser; -+ return crv; - } - inTransaction = PR_TRUE; - - /* some one else has already updated this db */ - if (sftkdb_hasUpdate(sftkdb_TypeString(handle), - handle->db, handle->updateID)) { - crv = CKR_OK; - goto done; diff --git a/SOURCES/nss-3.67-fix-ssl-alerts.patch b/SOURCES/nss-3.67-fix-ssl-alerts.patch deleted file mode 100644 index 10cdaf5..0000000 --- a/SOURCES/nss-3.67-fix-ssl-alerts.patch +++ /dev/null @@ -1,122 +0,0 @@ -diff -up ./lib/ssl/ssl3con.c.alert-fix ./lib/ssl/ssl3con.c ---- ./lib/ssl/ssl3con.c.alert-fix 2021-06-10 05:33:12.000000000 -0700 -+++ ./lib/ssl/ssl3con.c 2021-07-06 17:08:25.894018521 -0700 -@@ -4319,7 +4319,11 @@ ssl_SignatureSchemeValid(SSLSignatureSch - if (!ssl_IsSupportedSignatureScheme(scheme)) { - return PR_FALSE; - } -- if (!ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) { -+ /* if we are purposefully passed SEC_OID_UNKOWN, it means -+ * we not checking the scheme against a potential key, so skip -+ * the call */ -+ if ((spkiOid != SEC_OID_UNKNOWN) && -+ !ssl_SignatureSchemeMatchesSpkiOid(scheme, spkiOid)) { - return PR_FALSE; - } - if (isTls13) { -@@ -4517,7 +4521,8 @@ ssl_CheckSignatureSchemeConsistency(sslS - } - - /* Verify that the signature scheme matches the signing key. */ -- if (!ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) { -+ if ((spkiOid == SEC_OID_UNKNOWN) || -+ !ssl_SignatureSchemeValid(scheme, spkiOid, isTLS13)) { - PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); - return SECFailure; - } -@@ -4533,6 +4538,7 @@ ssl_CheckSignatureSchemeConsistency(sslS - PRBool - ssl_IsSupportedSignatureScheme(SSLSignatureScheme scheme) - { -+ PRBool isSupported = PR_FALSE; - switch (scheme) { - case ssl_sig_rsa_pkcs1_sha1: - case ssl_sig_rsa_pkcs1_sha256: -@@ -4552,7 +4558,8 @@ ssl_IsSupportedSignatureScheme(SSLSignat - case ssl_sig_dsa_sha384: - case ssl_sig_dsa_sha512: - case ssl_sig_ecdsa_sha1: -- return PR_TRUE; -+ isSupported = PR_TRUE; -+ break; - - case ssl_sig_rsa_pkcs1_sha1md5: - case ssl_sig_none: -@@ -4560,7 +4567,19 @@ ssl_IsSupportedSignatureScheme(SSLSignat - case ssl_sig_ed448: - return PR_FALSE; - } -- return PR_FALSE; -+ if (isSupported) { -+ SECOidTag hashOID = ssl3_HashTypeToOID(ssl_SignatureSchemeToHashType(scheme)); -+ PRUint32 policy; -+ const PRUint32 sigSchemePolicy= -+ NSS_USE_ALG_IN_SSL_KX|NSS_USE_ALG_IN_SIGNATURE; -+ /* check hash policy */ -+ if ((NSS_GetAlgorithmPolicy(hashOID, &policy) == SECSuccess) && -+ ((policy & sigSchemePolicy) != sigSchemePolicy)) { -+ return PR_FALSE; -+ } -+ /* check algorithm policy */ -+ } -+ return isSupported; - } - - PRBool -@@ -6533,6 +6552,9 @@ ssl_PickSignatureScheme(sslSocket *ss, - } - - spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm); -+ if (spkiOid == SEC_OID_UNKNOWN) { -+ goto loser; -+ } - - /* Now we have to search based on the key type. Go through our preferred - * schemes in order and find the first that can be used. */ -@@ -6547,6 +6569,7 @@ ssl_PickSignatureScheme(sslSocket *ss, - } - } - -+loser: - PORT_SetError(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); - return SECFailure; - } -@@ -7700,7 +7723,8 @@ ssl_ParseSignatureSchemes(const sslSocke - PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); - return SECFailure; - } -- if (ssl_IsSupportedSignatureScheme((SSLSignatureScheme)tmp)) { -+ if (ssl_SignatureSchemeValid((SSLSignatureScheme)tmp, SEC_OID_UNKNOWN, -+ (PRBool)ss->version >= SSL_LIBRARY_VERSION_TLS_1_3)) {; - schemes[numSupported++] = (SSLSignatureScheme)tmp; - } - } -@@ -10286,7 +10310,12 @@ ssl3_HandleCertificateVerify(sslSocket * - PORT_Assert(ss->ssl3.hs.hashType == handshake_hash_record); - rv = ssl_ConsumeSignatureScheme(ss, &b, &length, &sigScheme); - if (rv != SECSuccess) { -- goto loser; /* malformed or unsupported. */ -+ errCode = PORT_GetError(); -+ /* unsupported == illegal_parameter, others == handshake_failure. */ -+ if (errCode == SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM) { -+ desc = illegal_parameter; -+ } -+ goto alert_loser; - } - rv = ssl_CheckSignatureSchemeConsistency( - ss, sigScheme, &ss->sec.peerCert->subjectPublicKeyInfo); -diff -up ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix ./gtests/ssl_gtest/ssl_extension_unittest.cc ---- ./gtests/ssl_gtest/ssl_extension_unittest.cc.alert-fix 2021-07-07 11:32:11.634376932 -0700 -+++ ./gtests/ssl_gtest/ssl_extension_unittest.cc 2021-07-07 11:33:30.595841110 -0700 -@@ -428,7 +428,10 @@ TEST_P(TlsExtensionTest12Plus, Signature - } - - TEST_P(TlsExtensionTest12Plus, SignatureAlgorithmsTrailingData) { -- const uint8_t val[] = {0x00, 0x02, 0x04, 0x01, 0x00}; // sha-256, rsa -+ // make sure the test uses an algorithm that is legal for -+ // tls 1.3 (or tls 1.3 will through and illegalParameter -+ // instead of a decode error) -+ const uint8_t val[] = {0x00, 0x02, 0x08, 0x09, 0x00}; // sha-256, rsa-pss-pss - DataBuffer extension(val, sizeof(val)); - ClientHelloErrorTest(std::make_shared( - client_, ssl_signature_algorithms_xtn, extension)); diff --git a/SOURCES/nss-3.79-distrusted-certs.patch b/SOURCES/nss-3.79-distrusted-certs.patch new file mode 100644 index 0000000..14a5b0c --- /dev/null +++ b/SOURCES/nss-3.79-distrusted-certs.patch @@ -0,0 +1,375 @@ +# HG changeset patch +# User John M. Schanck +# Date 1648094761 0 +# Thu Mar 24 04:06:01 2022 +0000 +# Node ID b722e523d66297fe4bc1fac0ebb06203138eccbb +# Parent 853b64626b19a46f41f4ba9c684490dc15923c94 +Bug 1751305 - Remove expired explicitly distrusted certificates from certdata.txt. r=KathleenWilson + +Differential Revision: https://phabricator.services.mozilla.com/D141919 + +diff --git a/lib/ckfw/builtins/certdata.txt b/lib/ckfw/builtins/certdata.txt +--- a/lib/ckfw/builtins/certdata.txt ++++ b/lib/ckfw/builtins/certdata.txt +@@ -7663,197 +7663,16 @@ CKA_SERIAL_NUMBER MULTILINE_OCTAL + \377\377 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" +-# +-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL +-# Serial Number: 268435455 (0xfffffff) +-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL +-# Not Valid Before: Wed May 12 08:51:39 2010 +-# Not Valid After : Mon Mar 23 09:50:05 2020 +-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C +-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 +-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 +-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 +-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 +-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 +-\156\151\163\141\164\151\145\040\055\040\107\062 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 +-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 +-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 +-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 +-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 +-\156\151\163\141\164\151\145\040\055\040\107\062 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\004\017\377\377\377 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\006\225\060\202\004\175\240\003\002\001\002\002\004\017 +-\377\377\377\060\015\006\011\052\206\110\206\367\015\001\001\013 +-\005\000\060\132\061\013\060\011\006\003\125\004\006\023\002\116 +-\114\061\027\060\025\006\003\125\004\012\014\016\104\151\147\151 +-\116\157\164\141\162\040\102\056\126\056\061\062\060\060\006\003 +-\125\004\003\014\051\104\151\147\151\116\157\164\141\162\040\120 +-\113\111\157\166\145\162\150\145\151\144\040\103\101\040\117\162 +-\147\141\156\151\163\141\164\151\145\040\055\040\107\062\060\036 +-\027\015\061\060\060\065\061\062\060\070\065\061\063\071\132\027 +-\015\062\060\060\063\062\063\060\071\065\060\060\065\132\060\132 +-\061\013\060\011\006\003\125\004\006\023\002\116\114\061\027\060 +-\025\006\003\125\004\012\014\016\104\151\147\151\116\157\164\141 +-\162\040\102\056\126\056\061\062\060\060\006\003\125\004\003\014 +-\051\104\151\147\151\116\157\164\141\162\040\120\113\111\157\166 +-\145\162\150\145\151\144\040\103\101\040\117\162\147\141\156\151 +-\163\141\164\151\145\040\055\040\107\062\060\202\002\042\060\015 +-\006\011\052\206\110\206\367\015\001\001\001\005\000\003\202\002 +-\017\000\060\202\002\012\002\202\002\001\000\261\023\031\017\047 +-\346\154\324\125\206\113\320\354\211\212\105\221\170\254\107\275 +-\107\053\344\374\105\353\117\264\046\163\133\067\323\303\177\366 +-\343\336\327\243\370\055\150\305\010\076\113\224\326\344\207\045 +-\066\153\204\265\030\164\363\050\130\163\057\233\152\317\274\004 +-\036\366\336\335\257\374\113\252\365\333\146\142\045\001\045\202 +-\336\362\227\132\020\156\335\135\251\042\261\004\251\043\163\072 +-\370\161\255\035\317\204\104\353\107\321\257\155\310\174\050\253 +-\307\362\067\172\164\137\137\305\002\024\212\243\132\343\033\154 +-\001\343\135\216\331\150\326\364\011\033\062\334\221\265\054\365 +-\040\353\214\003\155\046\111\270\223\304\205\135\330\322\233\257 +-\126\152\314\005\063\314\240\102\236\064\125\104\234\153\240\324 +-\022\320\053\124\315\267\211\015\345\366\353\350\373\205\001\063 +-\117\172\153\361\235\162\063\226\016\367\262\204\245\245\047\304 +-\047\361\121\163\051\167\272\147\156\376\114\334\264\342\241\241 +-\201\057\071\111\215\103\070\023\316\320\245\134\302\207\072\000 +-\147\145\102\043\361\066\131\012\035\243\121\310\274\243\224\052 +-\061\337\343\074\362\235\032\074\004\260\357\261\012\060\023\163 +-\266\327\363\243\114\001\165\024\205\170\300\327\212\071\130\205 +-\120\372\056\346\305\276\317\213\077\257\217\066\324\045\011\055 +-\322\017\254\162\223\362\277\213\324\120\263\371\025\120\233\231 +-\365\024\331\373\213\221\243\062\046\046\240\370\337\073\140\201 +-\206\203\171\133\053\353\023\075\051\072\301\155\335\275\236\216 +-\207\326\112\256\064\227\005\356\024\246\366\334\070\176\112\351 +-\044\124\007\075\227\150\067\106\153\015\307\250\041\257\023\124 +-\344\011\152\361\115\106\012\311\135\373\233\117\275\336\373\267 +-\124\313\270\070\234\247\071\373\152\055\300\173\215\253\245\247 +-\127\354\112\222\212\063\305\341\040\134\163\330\220\222\053\200 +-\325\017\206\030\151\174\071\117\204\206\274\367\114\133\363\325 +-\264\312\240\302\360\067\042\312\171\122\037\123\346\252\363\220 +-\260\073\335\362\050\375\254\353\305\006\044\240\311\324\057\017 +-\130\375\265\236\354\017\317\262\131\320\242\004\172\070\152\256 +-\162\373\275\360\045\142\224\011\247\005\013\002\003\001\000\001 +-\243\202\001\141\060\202\001\135\060\110\006\003\125\035\040\004 +-\101\060\077\060\075\006\004\125\035\040\000\060\065\060\063\006 +-\010\053\006\001\005\005\007\002\001\026\047\150\164\164\160\072 +-\057\057\167\167\167\056\144\151\147\151\156\157\164\141\162\056 +-\156\154\057\143\160\163\057\160\153\151\157\166\145\162\150\145 +-\151\144\060\017\006\003\125\035\023\001\001\377\004\005\060\003 +-\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003 +-\002\001\006\060\201\205\006\003\125\035\043\004\176\060\174\200 +-\024\071\020\213\111\222\134\333\141\022\040\315\111\235\032\216 +-\332\234\147\100\271\241\136\244\134\060\132\061\013\060\011\006 +-\003\125\004\006\023\002\116\114\061\036\060\034\006\003\125\004 +-\012\014\025\123\164\141\141\164\040\144\145\162\040\116\145\144 +-\145\162\154\141\156\144\145\156\061\053\060\051\006\003\125\004 +-\003\014\042\123\164\141\141\164\040\144\145\162\040\116\145\144 +-\145\162\154\141\156\144\145\156\040\122\157\157\164\040\103\101 +-\040\055\040\107\062\202\004\000\230\226\364\060\111\006\003\125 +-\035\037\004\102\060\100\060\076\240\074\240\072\206\070\150\164 +-\164\160\072\057\057\143\162\154\056\160\153\151\157\166\145\162 +-\150\145\151\144\056\156\154\057\104\157\155\117\162\147\141\156 +-\151\163\141\164\151\145\114\141\164\145\163\164\103\122\114\055 +-\107\062\056\143\162\154\060\035\006\003\125\035\016\004\026\004 +-\024\274\135\224\073\331\253\173\003\045\163\141\302\333\055\356 +-\374\253\217\145\241\060\015\006\011\052\206\110\206\367\015\001 +-\001\013\005\000\003\202\002\001\000\217\374\055\114\267\331\055 +-\325\037\275\357\313\364\267\150\027\165\235\116\325\367\335\234 +-\361\052\046\355\237\242\266\034\003\325\123\263\354\010\317\064 +-\342\343\303\364\265\026\057\310\303\276\327\323\163\253\000\066 +-\371\032\112\176\326\143\351\136\106\272\245\266\216\025\267\243 +-\052\330\103\035\357\135\310\037\201\205\263\213\367\377\074\364 +-\331\364\106\010\077\234\274\035\240\331\250\114\315\045\122\116 +-\012\261\040\367\037\351\103\331\124\106\201\023\232\300\136\164 +-\154\052\230\062\352\374\167\273\015\245\242\061\230\042\176\174 +-\174\347\332\244\255\354\267\056\032\031\161\370\110\120\332\103 +-\217\054\204\335\301\100\047\343\265\360\025\116\226\324\370\134 +-\343\206\051\106\053\327\073\007\353\070\177\310\206\127\227\323 +-\357\052\063\304\027\120\325\144\151\153\053\153\105\136\135\057 +-\027\312\132\116\317\303\327\071\074\365\073\237\106\271\233\347 +-\016\111\227\235\326\325\343\033\017\352\217\001\116\232\023\224 +-\131\012\002\007\110\113\032\140\253\177\117\355\013\330\125\015 +-\150\157\125\234\151\145\025\102\354\300\334\335\154\254\303\026 +-\316\013\035\126\233\244\304\304\322\056\340\017\342\104\047\053 +-\120\151\244\334\142\350\212\041\051\102\154\314\000\072\226\166 +-\233\357\100\300\244\136\167\204\062\154\046\052\071\146\256\135 +-\343\271\271\262\054\150\037\036\232\220\003\071\360\252\263\244 +-\314\111\213\030\064\351\067\311\173\051\307\204\174\157\104\025 +-\057\354\141\131\004\311\105\313\242\326\122\242\174\177\051\222 +-\326\112\305\213\102\250\324\376\352\330\307\207\043\030\344\235 +-\172\175\163\100\122\230\240\256\156\343\005\077\005\017\340\245 +-\306\155\115\355\203\067\210\234\307\363\334\102\232\152\266\327 +-\041\111\066\167\362\357\030\117\305\160\331\236\351\336\267\053 +-\213\364\274\176\050\337\015\100\311\205\134\256\235\305\061\377 +-\320\134\016\265\250\176\360\351\057\272\257\210\256\345\265\321 +-\130\245\257\234\161\247\051\001\220\203\151\067\202\005\272\374 +-\011\301\010\156\214\170\073\303\063\002\200\077\104\205\010\035 +-\337\125\126\010\255\054\205\055\135\261\003\341\256\252\164\305 +-\244\363\116\272\067\230\173\202\271 +-END +- +-# Trust for Certificate "Explicitly Distrusted DigiNotar PKIoverheid G2" +-# Issuer: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL +-# Serial Number: 268435455 (0xfffffff) +-# Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL +-# Not Valid Before: Wed May 12 08:51:39 2010 +-# Not Valid After : Mon Mar 23 09:50:05 2020 +-# Fingerprint (MD5): 2E:61:A2:D1:78:CE:EE:BF:59:33:B0:23:14:0F:94:1C +-# Fingerprint (SHA1): D5:F2:57:A9:BF:2D:D0:3F:8B:46:57:F9:2B:C9:A4:C6:92:E1:42:42 +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "Explicitly Distrusted DigiNotar PKIoverheid G2" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\325\362\127\251\277\055\320\077\213\106\127\371\053\311\244\306 +-\222\341\102\102 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\056\141\242\321\170\316\356\277\131\063\260\043\024\017\224\034 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\132\061\013\060\011\006\003\125\004\006\023\002\116\114\061 +-\027\060\025\006\003\125\004\012\014\016\104\151\147\151\116\157 +-\164\141\162\040\102\056\126\056\061\062\060\060\006\003\125\004 +-\003\014\051\104\151\147\151\116\157\164\141\162\040\120\113\111 +-\157\166\145\162\150\145\151\144\040\103\101\040\117\162\147\141 +-\156\151\163\141\164\151\145\040\055\040\107\062 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\004\017\377\377\377 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "Security Communication RootCA2" + # + # Issuer: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP + # Serial Number: 0 (0x0) + # Subject: OU=Security Communication RootCA2,O="SECOM Trust Systems CO.,LTD.",C=JP + # Not Valid Before: Fri May 29 05:00:39 2009 + # Not Valid After : Tue May 29 05:00:39 2029 + # Fingerprint (SHA-256): 51:3B:2C:EC:B8:10:D4:CD:E5:DD:85:39:1A:DF:C6:C2:DD:60:D8:7B:B7:36:D2:B5:21:48:4A:A4:7A:0E:BE:F6 +@@ -8337,78 +8156,16 @@ END + CKA_SERIAL_NUMBER MULTILINE_OCTAL + \002\001\000 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +-# Explicitly Distrust "MITM subCA 1 issued by Trustwave", Bug 724929 +-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US +-# Serial Number: 1800000005 (0x6b49d205) +-# Not Before: Apr 7 15:37:15 2011 GMT +-# Not After : Apr 4 15:37:15 2021 GMT +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "MITM subCA 1 issued by Trustwave" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 +-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 +-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 +-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 +-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 +-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 +-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 +-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 +-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 +-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 +-\100\164\162\165\163\164\167\141\166\145\056\143\157\155 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\004\153\111\322\005 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# Explicitly Distrust "MITM subCA 2 issued by Trustwave", Bug 724929 +-# Issuer: E=ca@trustwave.com,CN="Trustwave Organization Issuing CA, Level 2",O="Trustwave Holdings, Inc.",L=Chicago,ST=Illinois,C=US +-# Serial Number: 1800000006 (0x6b49d206) +-# Not Before: Apr 18 21:09:30 2011 GMT +-# Not After : Apr 15 21:09:30 2021 GMT +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "MITM subCA 2 issued by Trustwave" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\253\061\013\060\011\006\003\125\004\006\023\002\125\123 +-\061\021\060\017\006\003\125\004\010\023\010\111\154\154\151\156 +-\157\151\163\061\020\060\016\006\003\125\004\007\023\007\103\150 +-\151\143\141\147\157\061\041\060\037\006\003\125\004\012\023\030 +-\124\162\165\163\164\167\141\166\145\040\110\157\154\144\151\156 +-\147\163\054\040\111\156\143\056\061\063\060\061\006\003\125\004 +-\003\023\052\124\162\165\163\164\167\141\166\145\040\117\162\147 +-\141\156\151\172\141\164\151\157\156\040\111\163\163\165\151\156 +-\147\040\103\101\054\040\114\145\166\145\154\040\062\061\037\060 +-\035\006\011\052\206\110\206\367\015\001\011\001\026\020\143\141 +-\100\164\162\165\163\164\167\141\166\145\056\143\157\155 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\004\153\111\322\006 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- + # + # Certificate "Actalis Authentication Root CA" + # + # Issuer: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT + # Serial Number:57:0a:11:97:42:c4:e3:cc + # Subject: CN=Actalis Authentication Root CA,O=Actalis S.p.A./03358520967,L=Milan,C=IT + # Not Valid Before: Thu Sep 22 11:22:02 2011 + # Not Valid After : Sun Sep 22 11:22:02 2030 +@@ -9042,84 +8799,16 @@ END + CKA_SERIAL_NUMBER MULTILINE_OCTAL + \002\001\001 + END + CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + +-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 1", Bug 825022 +-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri +-# Serial Number: 2087 (0x827) +-# Subject: CN=*.EGO.GOV.TR,OU=EGO BILGI ISLEM,O=EGO,L=ANKARA,ST=ANKARA,C=TR +-# Not Valid Before: Mon Aug 08 07:07:51 2011 +-# Not Valid After : Tue Jul 06 07:07:51 2021 +-# Fingerprint (MD5): F8:F5:25:FF:0C:31:CF:85:E1:0C:86:17:C1:CE:1F:8E +-# Fingerprint (SHA1): C6:9F:28:C8:25:13:9E:65:A6:46:C4:34:AC:A5:A1:D2:00:29:5D:B1 +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 1" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 +-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 +-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 +-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 +-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 +-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 +-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 +-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 +-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 +-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 +-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\002\010\047 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# Explicitly Distrust "TURKTRUST Mis-issued Intermediate CA 2", Bug 825022 +-# Issuer: O=T..RKTRUST Bilgi ..leti..im ve Bili..im G..venli..i Hizmetleri A...,C=TR,CN=T..RKTRUST Elektronik Sunucu Sertifikas.. Hizmetleri +-# Serial Number: 2148 (0x864) +-# Subject: E=ileti@kktcmerkezbankasi.org,CN=e-islem.kktcmerkezbankasi.org,O=KKTC Merkez Bankasi,L=Lefkosa,ST=Lefkosa,C=TR +-# Not Valid Before: Mon Aug 08 07:07:51 2011 +-# Not Valid After : Thu Aug 05 07:07:51 2021 +-# Fingerprint (MD5): BF:C3:EC:AD:0F:42:4F:B4:B5:38:DB:35:BF:AD:84:A2 +-# Fingerprint (SHA1): F9:2B:E5:26:6C:C0:5D:B2:DC:0D:C3:F2:DC:74:E0:2D:EF:D9:49:CB +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "TURKTRUST Mis-issued Intermediate CA 2" +-CKA_ISSUER MULTILINE_OCTAL +-\060\201\254\061\075\060\073\006\003\125\004\003\014\064\124\303 +-\234\122\113\124\122\125\123\124\040\105\154\145\153\164\162\157 +-\156\151\153\040\123\165\156\165\143\165\040\123\145\162\164\151 +-\146\151\153\141\163\304\261\040\110\151\172\155\145\164\154\145 +-\162\151\061\013\060\011\006\003\125\004\006\023\002\124\122\061 +-\136\060\134\006\003\125\004\012\014\125\124\303\234\122\113\124 +-\122\125\123\124\040\102\151\154\147\151\040\304\260\154\145\164 +-\151\305\237\151\155\040\166\145\040\102\151\154\151\305\237\151 +-\155\040\107\303\274\166\145\156\154\151\304\237\151\040\110\151 +-\172\155\145\164\154\145\162\151\040\101\056\305\236\056\040\050 +-\143\051\040\113\141\163\304\261\155\040\040\062\060\060\065 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\002\010\144 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- + # + # Certificate "D-TRUST Root Class 3 CA 2 2009" + # + # Issuer: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE + # Serial Number: 623603 (0x983f3) + # Subject: CN=D-TRUST Root Class 3 CA 2 2009,O=D-Trust GmbH,C=DE + # Not Valid Before: Thu Nov 05 08:35:58 2009 + # Not Valid After : Mon Nov 05 08:35:58 2029 diff --git a/SOURCES/nss-3.79-fix-client-cert-crash.patch b/SOURCES/nss-3.79-fix-client-cert-crash.patch new file mode 100644 index 0000000..2d752e4 --- /dev/null +++ b/SOURCES/nss-3.79-fix-client-cert-crash.patch @@ -0,0 +1,23 @@ +diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c +--- a/lib/ssl/authcert.c ++++ b/lib/ssl/authcert.c +@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg, + + /* otherwise look through the cache based on usage + * if chosenNickname is set, we ignore the expiration date */ + if (certList == NULL) { + certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), + certUsageSSLClient, + PR_FALSE, chosenNickName == NULL, + pw_arg); ++ if (certList == NULL) { ++ return SECFailure; ++ } + /* filter only the certs that meet the nickname requirements */ + if (chosenNickName) { + rv = CERT_FilterCertListByNickname(certList, chosenNickName, + pw_arg); + } else { + int nnames = 0; + char **names = ssl_DistNamesToStrings(caNames, &nnames); + rv = CERT_FilterCertListByCANames(certList, nnames, names, diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch new file mode 100644 index 0000000..1195e5c --- /dev/null +++ b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch @@ -0,0 +1,21 @@ +diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c +--- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700 ++++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700 +@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre + if (zeroTerm) { + /* unicode adds two nulls at the end */ + if (toUnicode) { +- if ((dest->len >= 2) && +- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { ++ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) { + /* we've already allocated space for these new NULLs */ + PORT_Assert(dest->len + 2 <= bufferSize); + dest->len += 2; + dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; + } + /* ascii/utf-8 adds just 1 */ +- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) { ++ } else if (!dest->len || dest->data[dest->len - 1]) { + PORT_Assert(dest->len + 1 <= bufferSize); + dest->len++; + dest->data[dest->len - 1] = 0; diff --git a/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch b/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch new file mode 100644 index 0000000..845dc6e --- /dev/null +++ b/SOURCES/nss-3.79-r7-remove-explicit-ipv4.patch @@ -0,0 +1,258 @@ +diff -up ./tests/ssl/ssl.sh.remove-explicit-ipv4 ./tests/ssl/ssl.sh +--- ./tests/ssl/ssl.sh.remove-explicit-ipv4 2022-06-08 19:00:03.508875175 -0700 ++++ ./tests/ssl/ssl.sh 2022-06-08 19:02:17.230744026 -0700 +@@ -86,6 +86,8 @@ ssl_init() + NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} + nss_ssl_run="stapling signed_cert_timestamps cov auth dtls scheme exporter" + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} ++ IPVER=${NSS_CLIENT_IPVER} ++ + + # Test case files + if [ "${NSS_NO_SSL2}" = "1" ]; then +@@ -180,16 +182,16 @@ wait_for_selfserv() + { + #verbose="-v" + echo "trying to connect to selfserv at `date`" +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" +- ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ ++ ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + sleep 5 + echo "retrying to connect to selfserv at `date`" + echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" + echo " -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE}" +- ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ ++ ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then + if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then +@@ -395,11 +397,11 @@ ssl_cov() + + + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -451,11 +453,11 @@ ssl_cov_rsa_pss() + + echo "$SCRIPTNAME: running $testname (RSA-PSS) ----------------------------" + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -504,10 +506,10 @@ ssl_auth() + fi + start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} $verbose ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -552,10 +554,10 @@ ssl_stapling_sub() + + start_selfserv + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -c v -T -O -F -M 1 -V ssl3:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -596,10 +598,10 @@ ssl_stapling_stress() + echo "${testname}" + start_selfserv + +- echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" ++ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \\" + echo " -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" +- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ ++ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} ${CLIENT_OPTIONS} -w nss \ + -c 1000 -V ssl3:tls1.2 -N -T $verbose ${HOSTADDR} + ret=$? + +@@ -662,10 +664,10 @@ ssl_signed_cert_timestamps() + + # Since we don't have server-side support, this test only covers advertising the + # extension in the client hello. +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.0:tls1.2 ${CLIENT_PW} < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -721,10 +723,10 @@ ssl_stress() + dbdir=${P_R_CLIENTDIR} + fi + +- echo "strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" ++ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \\" + echo " -V ssl3:tls1.2 $verbose ${HOSTADDR}" + echo "strsclnt started at `date`" +- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ ++ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} -d ${dbdir} ${CLIENT_OPTIONS} -w nss $cparam \ + -V ssl3:tls1.2 $verbose ${HOSTADDR} + ret=$? + echo "strsclnt completed at `date`" +@@ -813,10 +815,10 @@ ssl_crl_ssl() + cparam=`echo $_cparam | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` + start_selfserv `echo "$sparam" | sed -e 's;\([^\\]\)_;\1 ;g' -e 's;\\\\_;_;g'` + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -908,11 +910,11 @@ ssl_policy() + policy=`echo ${policy} | sed -e 's;_; ;g'` + setup_policy "$policy" ${P_R_CLIENTDIR} + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c ${param} -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -1090,12 +1092,12 @@ ssl_policy_selfserv() + VMAX="tls1.2" + + # Try to connect to the server with a ciphersuite using RSA in key exchange +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} \\" + echo " -f -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE}" + + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null + RET_EXP=254 +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -c d -V ${VMIN}:${VMAX} ${CLIENT_OPTIONS} -f \ + -d ${P_R_CLIENTDIR} $verbose -w nss < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + RET=$? +@@ -1180,7 +1182,7 @@ load_group_crl() { + fi + echo "================= Reloading ${eccomment}CRL for group $grpBegin - $grpEnd =============" + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix}" + echo "Request:" + echo "GET crl://${SERVERDIR}/root.crl_${grpBegin}-${grpEnd}${ecsuffix}" +@@ -1193,7 +1195,7 @@ GET crl://${SERVERDIR}/root.crl_${grpBeg + + _EOF_REQUEST_ + +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f \ + -d ${R_CLIENTDIR} $verbose -V ssl3:tls1.2 -w nss -n TestUser${UNREVOKED_CERT_GRP_1}${ecsuffix} \ + >${OUTFILE_TMP} 2>&1 < ${REQF} + +@@ -1281,10 +1283,10 @@ ssl_crl_cache() + cparam=`echo $_cparam | sed -e 's;\([^\]\)_;\1 ;g' -e 's;\\_;_;g' -e "s/TestUser/$USER_NICKNAME/g" ` + + echo "Server Args: $SERV_ARG" +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${R_CLIENTDIR} $verbose \\" + echo " ${cparam} < ${REQUEST_FILE}" + rm ${TMP}/$HOST.tmp.$$ 2>/dev/null +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${cparam} \ + -d ${R_CLIENTDIR} $verbose < ${REQUEST_FILE} \ + >${TMP}/$HOST.tmp.$$ 2>&1 + ret=$? +@@ -1349,19 +1351,19 @@ ssl_dtls() + + echo "${testname}" + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \\" + echo " -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss < ${REQUEST_FILE} &" + +- (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ ++ (sleep 2; cat ${REQUEST_FILE}) | ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${SERVER_OPTIONS} \ + -d ${P_R_SERVERDIR} $verbose -U -V tls1.1:tls1.2 -P server -n ${HOSTADDR} -w nss 2>&1 & + + PID=$! + + sleep 1 + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \\" + echo " -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE}" +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -U -V tls1.1:tls1.2 -P client -Q ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + html_msg $ret $value "${testname}" \ +@@ -1388,9 +1390,9 @@ ssl_scheme() + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE}" +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't +@@ -1428,9 +1430,9 @@ ssl_scheme_stress() + + start_selfserv -V tls1.2:tls1.2 -J "$sscheme" + +- echo "strsclnt -4 -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "strsclnt ${IPVER} -q -p ${PORT} -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE}" +- ${PROFTOOL} ${BINDIR}/strsclnt -4 -q -p ${PORT} ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/strsclnt ${IPVER} -q -p ${PORT} ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -J "$cscheme" ${HOSTADDR} ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 + ret=$? + # If both schemes include just one option and those options don't +@@ -1467,9 +1469,9 @@ ssl_exporter() + for exporter in "${exporters[@]}"; do + start_selfserv -V tls1.2:tls1.2 -x "$exporter" + +- echo "tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" ++ echo "tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} $verbose ${CLIENT_OPTIONS} \\" + echo " -V tls1.2:tls1.2 -x $exporter ${CLIENT_PW} < ${REQUEST_FILE}" +- ${PROFTOOL} ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ ++ ${PROFTOOL} ${BINDIR}/tstclnt ${IPVER} -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ + -d ${P_R_CLIENTDIR} $verbose -V tls1.2:tls1.2 -x "$exporter" ${CLIENT_PW} < ${REQUEST_FILE} 2>&1 > client.out + kill_selfserv + diff <(LC_ALL=C grep -A1 "^ *Keying Material:" server.out) \ diff --git a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch new file mode 100644 index 0000000..004ea51 --- /dev/null +++ b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch @@ -0,0 +1,14 @@ +diff -up ./tests/sdr/sdr.sh.skip ./tests/sdr/sdr.sh +--- ./tests/sdr/sdr.sh.skip 2022-06-11 09:52:05.037086587 -0700 ++++ ./tests/sdr/sdr.sh 2022-06-11 09:52:16.825162027 -0700 +@@ -146,7 +146,10 @@ sdr_main() + RARRAY=($dtime) + TIMEARRAY=(${RARRAY[1]//./ }) + echo "${TIMEARRAY[0]} seconds" ++ # allow an environment variable to skip the test ++ if [ "${NSS_SKIP_PWDECRYPT_TIME}" != "true" ]; then + html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression" ++ fi + export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS + } + diff --git a/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch b/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch new file mode 100644 index 0000000..4451ea3 --- /dev/null +++ b/SOURCES/nss-3.79-ssl2-compatible-client-hello.patch @@ -0,0 +1,12 @@ +diff -up ./lib/ssl/sslsock.c.ssl2hello ./lib/ssl/sslsock.c +--- ./lib/ssl/sslsock.c.ssl2hello 2022-06-08 18:56:58.420672624 -0700 ++++ ./lib/ssl/sslsock.c 2022-06-08 18:58:37.801318314 -0700 +@@ -90,7 +90,7 @@ static sslOptions ssl_defaults = { + .enableDtls13VersionCompat = PR_FALSE, + .enableDtlsShortHeader = PR_FALSE, + .enableHelloDowngradeCheck = PR_TRUE, +- .enableV2CompatibleHello = PR_FALSE, ++ .enableV2CompatibleHello = PR_TRUE, + .enablePostHandshakeAuth = PR_FALSE, + .suppressEndOfEarlyData = PR_FALSE, + .enableTls13GreaseEch = PR_FALSE, diff --git a/SOURCES/nss-3.79-version-range.patch b/SOURCES/nss-3.79-version-range.patch new file mode 100644 index 0000000..f131883 --- /dev/null +++ b/SOURCES/nss-3.79-version-range.patch @@ -0,0 +1,14 @@ +diff -up ./lib/ssl/sslsock.c.version-range ./lib/ssl/sslsock.c +--- ./lib/ssl/sslsock.c.version-range 2022-06-08 18:47:18.882918821 -0700 ++++ ./lib/ssl/sslsock.c 2022-06-08 18:55:05.555939293 -0700 +@@ -102,8 +102,8 @@ static sslOptions ssl_defaults = { + * default range of enabled SSL/TLS protocols + */ + static SSLVersionRange versions_defaults_stream = { +- SSL_LIBRARY_VERSION_TLS_1_2, +- SSL_LIBRARY_VERSION_TLS_1_3 ++ SSL_LIBRARY_VERSION_3_0, ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + static SSLVersionRange versions_defaults_datagram = { diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch deleted file mode 100644 index f5db089..0000000 --- a/SOURCES/nss-539183.patch +++ /dev/null @@ -1,44 +0,0 @@ -diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c ---- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200 -+++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200 -@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; - PRSocketOptionData opt; - -- addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); -+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); -+ } - -- listen_sock = PR_NewTCPSocket(); -+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); - if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); -+ errExit("PR_OpenTCPSocket error"); - } - - opt.option = PR_SockOpt_Nonblocking; -diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c ---- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200 -+++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200 -@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port - PRNetAddr addr; - PRSocketOptionData opt; - -- addr.inet.family = PR_AF_INET; -- addr.inet.ip = PR_INADDR_ANY; -- addr.inet.port = PR_htons(port); -+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { -+ errExit("PR_SetNetAddr"); -+ } - -- listen_sock = PR_NewTCPSocket(); -+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); - if (listen_sock == NULL) { -- errExit("PR_NewTCPSocket"); -+ errExit("PR_OpenTCPSocket error"); - } - - opt.option = PR_SockOpt_Nonblocking; diff --git a/SOURCES/nss-ssl2-compatible-client-hello.patch b/SOURCES/nss-ssl2-compatible-client-hello.patch deleted file mode 100644 index ec013e2..0000000 --- a/SOURCES/nss-ssl2-compatible-client-hello.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ./lib/ssl/sslsock.c.ssl2hello ./lib/ssl/sslsock.c ---- ./lib/ssl/sslsock.c.ssl2hello 2021-06-03 15:39:52.237945867 -0700 -+++ ./lib/ssl/sslsock.c 2021-06-03 15:43:21.746203666 -0700 -@@ -90,7 +90,7 @@ static sslOptions ssl_defaults = { - .enableDtls13VersionCompat = PR_FALSE, - .enableDtlsShortHeader = PR_FALSE, - .enableHelloDowngradeCheck = PR_FALSE, -- .enableV2CompatibleHello = PR_FALSE, -+ .enableV2CompatibleHello = PR_TRUE, - .enablePostHandshakeAuth = PR_FALSE, - .suppressEndOfEarlyData = PR_FALSE, - .enableTls13GreaseEch = PR_FALSE, diff --git a/SOURCES/nss-version-range.patch b/SOURCES/nss-version-range.patch deleted file mode 100644 index 4693e96..0000000 --- a/SOURCES/nss-version-range.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up nss/lib/ssl/sslsock.c.version-range nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.version-range 2020-07-30 08:20:35.811375910 +0200 -+++ nss/lib/ssl/sslsock.c 2020-07-30 08:21:02.132188806 +0200 -@@ -98,8 +98,8 @@ static sslOptions ssl_defaults = { - * default range of enabled SSL/TLS protocols - */ - static SSLVersionRange versions_defaults_stream = { -- SSL_LIBRARY_VERSION_TLS_1_0, -- SSL_LIBRARY_VERSION_TLS_1_3 -+ SSL_LIBRARY_VERSION_3_0, -+ SSL_LIBRARY_VERSION_TLS_1_2 - }; - - static SSLVersionRange versions_defaults_datagram = { diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 8310009..1efc0f7 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,14 +1,14 @@ -%global nspr_version 4.31.0 -%global nss_util_version 3.67.0 +%global nspr_version 4.34.0 +%global nss_util_version 3.79.0 %global nss_util_build -1 # adjust to the version that gets submitted for FIPS validation # Attention: Separate softokn versions for build and runtime. -%global nss_softokn_version 3.67.0 +%global nss_softokn_version 3.79.0 %global runtime_required_softokn_build_version -1 # Building NSS doesn't require the same version of softokn built for runtime. -%global nss_softokn_build_version 3.53.1 -%global build_required_softokn_build_version -2 -%global nss_version 3.67.0 +%global nss_softokn_build_version 3.67.0 +%global build_required_softokn_build_version -1 +%global nss_version 3.79.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv" @@ -37,6 +37,7 @@ rpm.define(string.format("nss_archive_version %s", #% define nss_ckbi_suffix .with.ckbi.1.93 %bcond_without tests +%bcond_with gtests Summary: Network Security Services Name: nss @@ -87,10 +88,6 @@ Source6: blank-cert9.db Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh -Source10: PayPalEE.cert -Source17: TestCA.ca.cert -Source18: TestUser50.cert -Source19: TestUser51.cert Source20: nss-config.xml Source21: setup-nsssysinit.xml Source22: pkcs11.txt.xml @@ -99,16 +96,11 @@ Source24: cert9.db.xml Source25: key3.db.xml Source26: key4.db.xml Source27: secmod.db.xml -Source30: PayPalRootCA.cert -Source31: PayPalICA.cert Source32: nss-rhel7.config -Source33: TestOldCA.p12 -Source34: NameConstraints.ocsp1.cert -Source35: NameConstraints.ipaca.cert Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch -Patch16: nss-539183.patch +#Patch16: nss-539183.patch # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator @@ -130,7 +122,7 @@ Patch56: p-ignore-setpolicy.patch Patch62: nss-fix-deadlock-squash.patch # In RHEL-7, we still disable TLS 1.3 by default, and set SSL 3.0 as # the hard minimum -Patch100: nss-version-range.patch +Patch100: nss-3.79-version-range.patch Patch108: nss-sni-c-v-fix.patch Patch123: nss-skip-util-gtest.patch Patch126: nss-reorder-cipher-suites.patch @@ -149,18 +141,16 @@ Patch141: nss-sysinit-getenv.patch # To revert the change in: # https://bugzilla.mozilla.org/show_bug.cgi?id=818686 Patch148: nss-sysinit-userdb.patch -# Disable nss-sysinit test which is sorely to test the above change +# Disable nss-sysinit test which is solely to test the above change Patch149: nss-skip-sysinit-gtests.patch # Enable SSLv2 compatible ClientHello, disabled in the change: # https://bugzilla.mozilla.org/show_bug.cgi?id=1483128 -Patch150: nss-ssl2-compatible-client-hello.patch +Patch150: nss-3.79-ssl2-compatible-client-hello.patch # For backward compatibility: make -V "ssl3:" continue working, while # the minimum version is clamped to tls1.0 Patch152: nss-version-range-set.patch # CAVS testing should be done in nss-softkn package Patch156: nss-skip-cavs-tests.patch -# no upsteam bug yet -Patch157: nss-3.53-fix-private_key_mac.patch # To revert the testing portion of the change: # https://bugzilla.mozilla.org/show_bug.cgi?id=1594933 Patch158: nss-sql-default-tests.patch @@ -168,27 +158,22 @@ Patch158: nss-sql-default-tests.patch Patch159: nss-disable-dc.patch # restore defaults when creating pkcs12 files Patch160:nss-3.66-restore-old-pkcs12-default.patch +# disable tests that don't work in the brew environment +# because we can't reference external servers. +Patch161: nss-3.66-disable-external-host-test.patch +# keep expired distrusted certs +Patch162: nss-3.79-distrusted-certs.patch +#----------------------------------- + +# remove when nss-softokn is 3.79 during builds +Patch200: nss-3.79-skip-pwdecrypt-time.patch # patches that just need to be upstreamed -# https://bugzilla.mozilla.org/show_bug.cgi?id=1662738 -Patch200: nss-3.66-no-small-primes.patch -# no bug number -Patch201: nss-3.67-fix-sdb-timeout.patch -# no bug number -Patch202: nss-3.67-fix-ssl-alerts.patch -# no bug number -Patch203: nss-3.67-fix-pkcs12-policy.patch - -# disable tests that don't work with the 3.53 softoken -# so builds can complete. -Patch300: nss-3.66-no-combo-tests.patch +Patch300: nss-3.79-r7-remove-explicit-ipv4.patch +Patch301: nss-3.79-fix-client-cert-crash.patch +Patch302: nss-3.79-pkcs12-fix-null-password.patch -# disable tests that don't work in the brew environment -# because we can't reference external servers. -Patch301: nss-3.66-disable-external-host-test.patch -Patch400: nss-3.67-cve-2021-43527.patch -Patch401: nss-3.67-cve-2021-43527-test.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -259,19 +244,10 @@ low level services. %prep %setup -q -n %{name}-%{nss_archive_version} -%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE33} -f ./nss/tests/tools -%{__cp} %{SOURCE34} -f ./nss/tests/libpkix/certs -%{__cp} %{SOURCE35} -f ./nss/tests/libpkix/certs %patch2 -p0 -b .relro %patch3 -p0 -b .transitional -%patch16 -p0 -b .539183 +#%patch16 -p0 -b .539183 %patch40 -p0 -b .noocsptest %patch47 -p0 -b .templates %patch50 -p0 -b .iquote @@ -297,19 +273,17 @@ pushd nss %patch150 -p1 -b .ssl2hello %patch152 -p1 -b .version-range-set %patch156 -p1 -b .skip-cavs -%patch157 -p1 -b .privkey-mac %patch128 -R -p1 -b .sql-man-page %patch158 -p1 -b .sql-default-tests %patch159 -p1 -b .dc %patch160 -p1 -b .restore-pkcs12-defaults -%patch200 -p1 -b .no-small-primes -%patch201 -p1 -b .fix-sdb-timeout -%patch202 -p1 -b .fix-ssl-alerts -%patch203 -p1 -b .fix-pkcs12-policy -%patch300 -p1 -b .oldsoft -%patch301 -p1 -b .brew -%patch400 -p1 -b .cve-2021-43527 -%patch401 -p1 -b .cve-2021-43527-test +%patch161 -p1 -b .brew +%patch162 -R -p1 -b .distrusted-certs + +%patch200 -p1 -b .skip-pwdecrypt-time +%patch300 -p1 -b .remove-explicit-ipv4 +%patch301 -p1 -b .client-cert-crash +%patch302 -p1 -b .fix-pkcs12-null popd ######################################################### @@ -428,6 +402,11 @@ export POLICY_PATH="/etc/pki/nss-legacy" %{__mkdir_p} ./dist/private/nss %{__mv} ./nss/verref.h ./dist/private/nss/verref.h +# gtests require a newer version of g++ than we have natively on rhel 7.9 +# first build nss proper with our native tools +%if %{without gtests} +export NSS_DISABLE_GTESTS=1 +%endif %{__make} -C ./nss all %{__make} -C ./nss latest @@ -532,6 +511,10 @@ export USE_64 export NSS_BLTEST_NOT_AVAILABLE=1 export NSS_FORCE_FIPS=1 +export NSS_FIPS_VERSION="%{name}\ %{version}-%{srpmhash}" +eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release | sed -e 's/ /\\ /g') +export FIPS_MODULE_OS="$OS_NAME\ ${OS_VERSION_ID%%.*}" +export NSS_FIPS_MODULE_ID="${FIPS_MODULE_OS}\ ${NSS_FIPS_VERSION}" # needed for the fips mangling test export SOFTOKEN_LIB_DIR=%{_libdir} @@ -544,6 +527,7 @@ export GTESTFILTER='-TlsConnectTest.DisallowSSLv3HelloWithTLSv13Enabled' # This is necessary because the test suite tests algorithms that are # disabled by the system policy. export NSS_IGNORE_SYSTEM_POLICY=1 +export NSS_SKIP_PWDECRYPT_TIME="true" # enable the following line to force a test failure # find ./nss -name \*.chk | xargs rm -f @@ -589,11 +573,15 @@ export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 7, the default db is sql, but we want # standard to test dbm, or upgradedb will fail %global nss_full_cycles "standard pkix upgradedb sharedb threadunsafe" %global nss_cycles "standard pkix upgradedb sharedb" -%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" -%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" +%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" %ifarch x86_64 %global nss_cycles "standard pkix upgradedb sharedb threadunsafe" %endif +%if %{with gtests} +%global nss_full_tests "%{nss_full_tests} gtests ssl_gtests" +%global nss_tests "%{nss_tests} ssl_gtests" +%endif # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # @@ -605,11 +593,14 @@ export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 7, the default db is sql, but we want # Temporarily disabling tests for s390 %ifarch s390 %global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec gtests" +%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec" %endif %ifarch s390x %global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec gtests" +%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec" +%endif +%if %{with gtests} +%global nss_tests "%{nss_tests} gtests" %endif # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr soft=$(rpm -q nss-softokn) @@ -718,7 +709,7 @@ do done # Copy the binaries we ship as unsupported -for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain +for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain validation do %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} done @@ -855,6 +846,7 @@ fi %{unsupported_tools_directory}/strsclnt %{unsupported_tools_directory}/symkeyutil %{unsupported_tools_directory}/tstclnt +%{unsupported_tools_directory}/validation %{unsupported_tools_directory}/vfyserv %{unsupported_tools_directory}/vfychain # instead of %%{_mandir}/man*/* let's list them explicitely @@ -950,6 +942,19 @@ fi %changelog +* Thu Jul 21 2022 Bob Relyea - 3.79.0-4 +- fix regression for pkcs12. + +* Wed Jul 6 2022 Bob Relyea - 3.79.0-3 +- fix crash in curl. better fix for the regression below + +* Sat Jun 11 2022 Bob Relyea - 3.79.0-2 +- fix regressions found in test suite + +* Wed Jun 8 2022 Bob Relyea - 3.79.0-1 +- Rebase to NSS 3.79 +- Set FIPS Module ID + * Thu Nov 18 2021 Bob Relyea - 3.67.0-4 - fix CVE-2021-43527