diff --git a/.gitignore b/.gitignore
index fb97387..51984f5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 SOURCES/PayPalEE.cert
+SOURCES/PayPalICA.cert
 SOURCES/blank-cert8.db
 SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ SOURCES/cert8.db.xml
 SOURCES/cert9.db.xml
 SOURCES/key3.db.xml
 SOURCES/key4.db.xml
-SOURCES/nss-3.16.2.3.tar.gz
+SOURCES/nss-3.18.0.tar.gz
 SOURCES/nss-config.xml
 SOURCES/nss-pem-20140125.tar.bz2
 SOURCES/secmod.db.xml
diff --git a/.nss.metadata b/.nss.metadata
index b2fbd5a..f1cb2d2 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,4 +1,5 @@
-084be8769682236828d8e9dc55901e53e8eb8432 SOURCES/PayPalEE.cert
+86cf4eb313dda4bd86a6d096ecc5aee07ee5e124 SOURCES/PayPalEE.cert
+a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert
 d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
@@ -8,7 +9,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml
 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml
 af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml
-264abc5af31eab16e2245e33a71f77cc7aae5c39 SOURCES/nss-3.16.2.3.tar.gz
+38889e39147cf4d6ccd46dbb28f24ee69b2033c1 SOURCES/nss-3.18.0.tar.gz
 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml
 66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2
 ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml
diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
index efbbfe8..07a7eb1 100644
--- a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
+++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch
@@ -14,18 +14,18 @@ 
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk +DEFINES += -DNSS_NO_SSL2 +endif + + # Allow build-time configuration of TLS 1.3 (Experimental) + ifdef NSS_ENABLE_TLS_1_3 + DEFINES += -DNSS_ENABLE_TLS_1_3 + endif + ifdef NSS_NO_PKCS11_BYPASS DEFINES += -DNO_PKCS11_BYPASS else - CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) - - EXTRA_LIBS += \ - $(CRYPTOLIB) \ - $(NULL) diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c -@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +@@ -650,16 +650,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; @@ -39,8 +39,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ + } -+ break; -+ ss->opt.enableSSL2 = on; +#else if (IS_DTLS(ss)) { if (on) { @@ -50,7 +48,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; } ss->opt.enableSSL2 = on; -@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +@@ -667,52 +673,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; @@ -79,7 +77,6 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c + if (on) { + PORT_SetError(SSL_ERROR_SSL2_DISABLED); + rv = SECFailure; /* not allowed */ -+ break; + } +#else if (IS_DTLS(ss)) { @@ -101,27 +98,45 @@ 
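Review bot: In the `@@ -39,8 +39,6 @@` hunk the `NSS_NO_SSL2` arm of the option that ends in `ss->opt.enableSSL2 = on;` keeps `rv = SECFailure; /* not allowed */` for `on` but drops the `break` that used to follow it; if the shared `ss->opt.enableSSL2 = on;` line after the `#endif` is still reached (the `#endif` is outside the hunk, so this is inferred from the `@@ -50,7 +48,7 @@` context), a rejected request still writes the flag while `SSL_OptionSet` reports failure. Consider placing `rv = SECFailure; /* not allowed */` and a `break;` together inside the `if (on)` block, or guarding the assignment, so a failed call leaves the option untouched. The `@@ -79,7 +77,6 @@` hunk removes a `break` of the same shape for the next option and should be checked the same way. The enclosing `SSL_OptionSet` switch starts and ends outside these hunks.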
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c break; case SSL_NO_STEP_DOWN: - ss->opt.noStepDown = on; -@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt - - if (rv != SECSuccess) { - return rv; - } - - if (ssl_IsRemovedCipherSuite(which)) { - rv = SECSuccess; - } else if (SSL_IS_SSL2_CIPHER(which)) { +#ifdef NSS_NO_SSL2 -+ rv = SSL_ERROR_SSL2_DISABLED; ++ if (!on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } +#else - rv = ssl2_SetPolicy(which, policy); + ss->opt.noStepDown = on; + if (on) + SSL_DisableExportCipherSuites(fd); +#endif /* NSS_NO_SSL2 */ - } else { - rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); + break; + + case SSL_BYPASS_PKCS11: + if (ss->handshakeBegun) { + PORT_SetError(PR_INVALID_STATE_ERROR); + rv = SECFailure; + } else { + if (PR_FALSE != on) { +@@ -1127,16 +1148,23 @@ SSL_OptionSetDefault(PRInt32 which, PRBo } - return rv; + return SECSuccess; } - SECStatus - SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy) - + /* function tells us if the cipher suite is one that we no longer support. */ + static PRBool + ssl_IsRemovedCipherSuite(PRInt32 suite) + { ++#ifdef NSS_NO_SSL2 ++ /* both ssl2 and export cipher suites disabled */ ++ if (SSL_IS_SSL2_CIPHER(suite)) ++ return PR_TRUE; ++ if (SSL_IsExportCipherSuite(suite)) ++ return PR_TRUE; ++#endif /* NSS_NO_SSL2_NO_EXPORT */ + switch (suite) { + case SSL_FORTEZZA_DMS_WITH_NULL_SHA: + case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: + case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: + return PR_TRUE; + default: + return PR_FALSE; + } diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch index c8a0ce0..6ed54ef 100644 --- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -1,7 +1,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh --- a/tests/ssl/ssl.sh 
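Review bot: In the new `ssl_IsRemovedCipherSuite` hunk the guard opens with `#ifdef NSS_NO_SSL2` but closes with `#endif /* NSS_NO_SSL2_NO_EXPORT */`, a macro name that appears nowhere else in the patch; the closing comment should name the macro actually tested, `#endif /* NSS_NO_SSL2 */`. The `SSL_NO_STEP_DOWN` arm above it now rejects `on == PR_FALSE` with `SSL_ERROR_SSL2_DISABLED`, an error named for SSL2 rather than for export-suite step-down; if no dedicated error code exists, a comment such as `/* export suites are compiled out together with SSL2, so step-down cannot be turned back on */` would explain the reuse. Both enclosing functions (the `SSL_OptionSet` switch and `ssl_IsRemovedCipherSuite`) extend beyond the hunk, and the old-side context suggests the cipher-policy setters return `SECSuccess` for suites this helper now reports as removed, so the silent no-op for SSL2/export requests may be worth stating in the `/* both ssl2 and export cipher suites disabled */` comment.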
+++ b/tests/ssl/ssl.sh -@@ -57,18 +57,23 @@ ssl_init() +@@ -57,19 +57,23 @@ ssl_init() fi PORT=${PORT-8443} @@ -11,14 +11,15 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt -+ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ -+ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \ -+ || ${QADIR}/ssl/sslcov.txt - SSLAUTH=${QADIR}/ssl/sslauth.txt -+ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \ -+ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \ -+ || ${QADIR}/ssl/sslstress.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt +- SSLAUTH=${QADIR}/ssl/sslauth.txt +- SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ if [ "${NSS_NO_SSL2}" = "1" ]; then ++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt ++ else ++ SSLCOV=${QADIR}/ssl/sslcov.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ fi REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files @@ -26,7 +27,8 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh SERVERPID=${TMP}/tests_pid.$$ R_SERVERPID=../tests_pid.$$ -@@ -115,17 +120,21 @@ is_selfserv_alive() + +@@ -115,17 +119,21 @@ is_selfserv_alive() if [ "${OS_ARCH}" = "WINNT" ] && \ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then PID=${SHELL_SERVERPID} @@ -35,7 +37,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" -+ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then ++ if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then + echo "No server to kill" + else kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" @@ -48,7 +50,7 @@ 
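Review bot: The new guard `if [[ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]]; then` in the `@@ -35,7 +37,7 @@` hunk of `is_selfserv_alive` mixes `[[` with single-bracket `]` and `[`; bash rejects the stray `]` inside `[[ … ]]`, and a POSIX `sh` (which the surrounding `[ … ]` tests suggest the script targets) has no `[[` at all, so the branch does not run as written. `${EXP}` and `${SSL2}` are also unquoted, so an empty value leaves `-n` without an operand and the test misfires. Suggested line: `if [ "${NSS_NO_SSL2}" = "1" ] && [ -n "${EXP}" -o -n "${SSL2}" ]; then`. The function body continues outside the hunk.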
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() -@@ -138,17 +147,21 @@ wait_for_selfserv() +@@ -138,17 +146,21 @@ wait_for_selfserv() if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" @@ -70,7 +72,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## -@@ -273,16 +286,19 @@ ssl_cov() +@@ -273,16 +285,19 @@ ssl_cov() exec < ${SSLCOV} while read ectype testmax param testname do diff --git a/SOURCES/Bug-1174527-fixsegfault.patch b/SOURCES/Bug-1174527-fixsegfault.patch deleted file mode 100644 index ff24334..0000000 --- a/SOURCES/Bug-1174527-fixsegfault.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c ---- a/lib/pkcs12/p12local.c -+++ b/lib/pkcs12/p12local.c -@@ -923,17 +923,18 @@ sec_pkcs12_convert_item_to_unicode(PLAre - if(!arena) { - PORT_Free(dest->data); - dest->data = NULL; - dest->len = 0; - } - return PR_FALSE; - } - -- if((dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) { -+ if ((dest->len >= 2) && -+ (dest->data[dest->len-1] || dest->data[dest->len-2]) && zeroTerm) { - if(dest->len + 2 > 3 * src->len) { - if(arena) { - dest->data = (unsigned char*)PORT_ArenaGrow(arena, - dest->data, dest->len, - dest->len + 2); - } else { - dest->data = (unsigned char*)PORT_Realloc(dest->data, - dest->len + 2); diff --git a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch b/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch deleted file mode 100644 index d3e0f21..0000000 --- a/SOURCES/Crash-in-stan_GetCERTCertificate-rhbz1094468.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c ---- a/lib/pki/pki3hack.c -+++ b/lib/pki/pki3hack.c -@@ -849,18 +849,21 @@ fill_CERTCertificateFields(NSSCertificat - } - - static CERTCertificate * - stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate) - { - nssDecodedCert *dc = NULL; - CERTCertificate *cc = NULL; - CERTCertTrust certTrust; -+ nssPKIObject *object = &c->object; - -- nssPKIObject_Lock(&c->object); -+ /* make sure object does not go away until we finish */ -+ nssPKIObject_AddRef(object); -+ nssPKIObject_Lock(object); - - dc = c->decoding; - if (!dc) { - dc = nssDecodedPKIXCertificate_Create(NULL, &c->encoding); - if (!dc) { - goto loser; - } - cc = (CERTCertificate *)dc->data; -@@ -898,17 +901,18 @@ stan_GetCERTCertificate(NSSCertificate * - trust = nssTrust_GetCERTCertTrustForCert(c, cc); - - CERT_LockCertTrust(cc); - cc->trust = trust; - CERT_UnlockCertTrust(cc); - } - - loser: -- nssPKIObject_Unlock(&c->object); -+ nssPKIObject_Unlock(object); -+ nssPKIObject_Destroy(object); - return cc; - } - - NSS_IMPLEMENT CERTCertificate * - STAN_ForceCERTCertificateUpdate(NSSCertificate *c) - { - if (c->decoding) { - return stan_GetCERTCertificate(c, PR_TRUE); -@@ -1265,16 +1269,17 @@ done: - */ - static PRStatus - DeleteCertTrustMatchingSlot(PK11SlotInfo *pk11slot, nssPKIObject *tObject) - { - int numNotDestroyed = 0; /* the ones skipped plus the failures */ - int failureCount = 0; /* actual deletion failures by devices */ - int index; - -+ nssPKIObject_AddRef(tObject); - nssPKIObject_Lock(tObject); - /* Keep going even if a module fails to delete. 
*/ - for (index = 0; index < tObject->numInstances; index++) { - nssCryptokiObject *instance = tObject->instances[index]; - if (!instance) { - continue; - } - -@@ -1298,16 +1303,17 @@ DeleteCertTrustMatchingSlot(PK11SlotInfo - if (numNotDestroyed == 0) { - nss_ZFreeIf(tObject->instances); - tObject->numInstances = 0; - } else { - tObject->numInstances = numNotDestroyed; - } - - nssPKIObject_Unlock(tObject); -+ nssPKIObject_Destroy(tObject); - - return failureCount == 0 ? PR_SUCCESS : PR_FAILURE; - } - - /* - ** Delete trust objects matching the slot of the given certificate. - ** Returns an error if any device fails to delete. - */ -@@ -1324,30 +1330,32 @@ STAN_DeleteCertTrustMatchingSlot(NSSCert - int i; - - /* Iterate through the cert and trust object instances looking for - * those with matching pk11 slots to delete. Even if some device - * can't delete we keep going. Keeping a status variable for the - * loop so that once it's failed the other gets set. - */ - NSSRWLock_LockRead(td->tokensLock); -+ nssPKIObject_AddRef(cobject); - nssPKIObject_Lock(cobject); - for (i = 0; i < cobject->numInstances; i++) { - nssCryptokiObject *cInstance = cobject->instances[i]; - if (cInstance && !PK11_IsReadOnly(cInstance->token->pk11slot)) { - PRStatus status; - if (!tobject->numInstances || !tobject->instances) continue; - status = DeleteCertTrustMatchingSlot(cInstance->token->pk11slot, tobject); - if (status == PR_FAILURE) { - /* set the outer one but keep going */ - nssrv = PR_FAILURE; - } - } - } - nssPKIObject_Unlock(cobject); -+ nssPKIObject_Destroy(cobject); - NSSRWLock_UnlockRead(td->tokensLock); - return nssrv; - } - - /* CERT_TraversePermCertsForSubject */ - NSS_IMPLEMENT PRStatus - nssTrustDomain_TraverseCertificatesBySubject ( - NSSTrustDomain *td, -diff --git a/lib/pki/tdcache.c b/lib/pki/tdcache.c ---- a/lib/pki/tdcache.c -+++ b/lib/pki/tdcache.c -@@ -386,16 +386,17 @@ struct token_cert_dtor { - - static void - remove_token_certs(const void *k, void *v, void *a) - 
{ - NSSCertificate *c = (NSSCertificate *)k; - nssPKIObject *object = &c->object; - struct token_cert_dtor *dtor = a; - PRUint32 i; -+ nssPKIObject_AddRef(object); - nssPKIObject_Lock(object); - for (i=0; inumInstances; i++) { - if (object->instances[i]->token == dtor->token) { - nssCryptokiObject_Destroy(object->instances[i]); - object->instances[i] = object->instances[object->numInstances-1]; - object->instances[object->numInstances-1] = NULL; - object->numInstances--; - dtor->certs[dtor->numCerts++] = c; -@@ -404,16 +405,17 @@ remove_token_certs(const void *k, void * - dtor->certs = nss_ZREALLOCARRAY(dtor->certs, - NSSCertificate *, - dtor->arrSize); - } - break; - } - } - nssPKIObject_Unlock(object); -+ nssPKIObject_Destroy(object); - return; - } - - /* - * Remove all certs for the given token from the cache. This is - * needed if the token is removed. - */ - NSS_IMPLEMENT PRStatus diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert new file mode 100644 index 0000000..dae0196 Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ diff --git a/SOURCES/certutil-man-supply-missing-options.patch b/SOURCES/certutil-man-supply-missing-options.patch deleted file mode 100644 index 14bf738..0000000 --- a/SOURCES/certutil-man-supply-missing-options.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -diff -up ./nss/doc/certutil.xml.missing_options ./nss/doc/certutil.xml ---- ./nss/doc/certutil.xml.missing_options 2014-11-25 10:14:22.068846717 -0800 -+++ ./nss/doc/certutil.xml 2014-11-25 10:17:49.810974243 -0800 -@@ -204,6 +204,11 @@ If this option is not used, the validity - - - -+ --dump-ext-val OID -+ For single cert, print binary DER encoding of extension OID. -+ -+ -+ - -e - Check a certificate's signature during the process of validating a certificate. - -@@ -214,6 +219,26 @@ If this option is not used, the validity - - - -+ --extGeneric OID:critical-flag:filename[,OID:critical-flag:filename]... -+ -+ -+Add one or multiple extensions that certutil cannot encode yet, by loading their encodings from external files. -+ -+ -+ -+OID (example): 1.2.3.4 -+ -+ -+critical-flag: critical or not-critical -+ -+ -+filename: full path to a file containing an encoded extension -+ -+ -+ -+ -+ -+ - -f password-file - Specify a file that will automatically supply the password to include in a certificate - or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent -@@ -376,6 +401,15 @@ of the attribute codes: - V (as an SSL server) - - -+L (as an SSL CA) -+ -+ -+A (as Any CA) -+ -+ -+Y (Verify CA) -+ -+ - S (as an email signer) - - -@@ -649,6 +683,17 @@ of the attribute codes: - - - -+ --extSAN type:name[,type:name]... -+ -+Create a Subject Alt Name extension with one or multiple names. -+ -+ -+-type: directory, dn, dns, edi, ediparty, email, ip, ipaddr, other, registerid, rfc822, uri, x400, x400addr -+ -+ -+ -+ -+ - --empty-password - Use empty password when creating new certificate database with -N. - diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch deleted file mode 100644 index ec7d6c8..0000000 --- a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h ---- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800 -+++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800 -@@ -116,11 +116,16 @@ struct CRLDPCacheStr { - #else - PRLock* lock; - #endif -- CERTCertificate* issuer; /* issuer cert -- XXX there may be multiple issuer certs, -- with different validity dates. Also -- need to deal with SKID/AKID . See -- bugzilla 217387, 233118 */ -+ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference -+ to the actual cert so the trust can be -+ updated on the cert automatically. -+ XXX there may be multiple issuer certs, -+ with different validity dates. Also -+ need to deal with SKID/AKID . See -+ bugzilla 217387, 233118 */ -+ -+ CERTCertDBHandle *dbHandle; -+ - SECItem* subject; /* DER of issuer subject */ - SECItem* distributionPoint; /* DER of distribution point. This may be - NULL when distribution points aren't -@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr { - NSSRWLock* lock; - CRLDPCache** dps; - PLHashTable* distributionpoints; -- CERTCertificate* issuer; -+ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */ - #endif - }; - -diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c ---- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800 -+++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800 -@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa - PORT_Free(cache->crls); - } - /* destroy the cert */ -- if (cache->issuer) -+ if (cache->issuerDERCert) - { -- CERT_DestroyCertificate(cache->issuer); -+ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE); - } - /* free the subject */ - if (cache->subject) -@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC - else - { - SECStatus signstatus = SECFailure; -- if (cache->issuer) -+ if (cache->issuerDERCert) - { -- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate, 
-+ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle, -+ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE); -+ -+ if (issuer) { -+ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate, - wincx); -+ CERT_DestroyCertificate(issuer); -+ } - } - if (SECSuccess != signstatus) - { -- if (!cache->issuer) -+ if (!cache->issuerDERCert) - { - /* we tried to verify without an issuer cert . This is - because this CRL came through a call to SEC_FindCrlByName. -@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL - } - - /* add issuer certificate if it was previously unavailable */ -- if (issuer && (NULL == cache->issuer) && -+ if (issuer && (NULL == cache->issuerDERCert) && - (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN))) - { - /* if we didn't have a valid issuer cert yet, but we do now. add it */ - DPCache_LockWrite(); -- if (!cache->issuer) -+ if (!cache->issuerDERCert) - { - dirty = PR_TRUE; -- cache->issuer = CERT_DupCertificate(issuer); -+ cache->dbHandle = issuer->dbhandle; -+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); - } - DPCache_UnlockWrite(); - } -@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL - SEC_FindCrlByName, or through manual insertion, rather than through a - certificate verification (CERT_CheckCRL) */ - -- if (cache->issuer && vfdate ) -+ if (cache->issuerDERCert && vfdate ) - { - mustunlock = PR_FALSE; - /* re-process all unverified CRLs */ -@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac - } - if (issuer) - { -- cache->issuer = CERT_DupCertificate(issuer); -+ cache->dbHandle = issuer->dbhandle; -+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); - } - cache->distributionPoint = SECITEM_DupItem(dp); - cache->subject = SECITEM_DupItem(subject); -diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh ---- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800 -+++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800 
-@@ -974,6 +974,7 @@ check_ocsp() - OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") - OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/") - -+ echo "Cert = ${CERT_NICK}.cert" - echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" - tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 - return $? diff --git a/SOURCES/expired-cert.patch b/SOURCES/expired-cert.patch new file mode 100644 index 0000000..2754190 --- /dev/null +++ b/SOURCES/expired-cert.patch @@ -0,0 +1,28 @@ +diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg +--- a/tests/chains/scenarios/realcerts.cfg ++++ b/tests/chains/scenarios/realcerts.cfg +@@ -16,14 +16,14 @@ import BrAirWaysBadSig:x: + + verify TestUser50:x + result pass + + verify TestUser51:x + result pass + + verify PayPalEE:x +- policy OID.2.16.840.1.113733.1.7.23.6 ++ policy OID.2.16.840.1.114412.1.1 + result pass + + verify BrAirWaysBadSig:x + result fail + +diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst +--- a/tests/libpkix/vfychain_test.lst ++++ b/tests/libpkix/vfychain_test.lst +@@ -1,4 +1,4 @@ + # Status | Leaf Cert | Policies | Others(undef) + 0 TestUser50 undef + 0 TestUser51 undef +-0 PayPalEE OID.2.16.840.1.113733.1.7.23.6 ++0 PayPalEE OID.2.16.840.1.114412.1.1 diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index ba9cb71..6e03b38 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch 
@@ -9,6 +9,18 @@ diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile ####################################################################### +diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile +--- ./nss/cmd/certutil/Makefile.iquote 2015-03-25 15:52:30.276938803 -0700 ++++ ./nss/cmd/certutil/Makefile 2015-03-25 15:53:53.044536721 -0700 +@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + + ####################################################################### diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile --- ./nss/cmd/httpserv/Makefile.iquote 2014-01-18 11:33:15.058108851 -0800 +++ ./nss/cmd/httpserv/Makefile 2014-01-18 11:34:08.913478276 -0800 diff --git a/SOURCES/nss-3.16-tcache-race.patch b/SOURCES/nss-3.16-tcache-race.patch deleted file mode 100644 index 8bbb329..0000000 --- a/SOURCES/nss-3.16-tcache-race.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -diff -up ./nss/lib/pki/tdcache.c.race ./nss/lib/pki/tdcache.c ---- ./nss/lib/pki/tdcache.c.race 2014-12-18 15:39:42.975354956 -0800 -+++ ./nss/lib/pki/tdcache.c 2014-12-18 15:42:33.934201074 -0800 -@@ -399,6 +399,8 @@ remove_token_certs(const void *k, void * - object->instances[i] = object->instances[object->numInstances-1]; - object->instances[object->numInstances-1] = NULL; - object->numInstances--; -+ /* make sure id doesn't disappear on us before we finish */ -+ nssPKIObject_AddRef(object); - dtor->certs[dtor->numCerts++] = c; - if (dtor->numCerts == dtor->arrSize) { - dtor->arrSize *= 2; -@@ -441,13 +443,15 @@ nssTrustDomain_RemoveTokenCertsFromCache - for (i=0; iobject.numInstances == 0) { - nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); -+ nssPKIObject_Destroy(&dtor.certs[i]->object); - dtor.certs[i] = NULL; /* skip this cert in the second for loop */ -- } -+ } - } - PZ_Unlock(td->cache->lock); - for (i=0; iobject); - } - } - nss_ZFreeIf(dtor.certs); diff --git a/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch new file mode 100644 index 0000000..3e95d9b --- /dev/null +++ b/SOURCES/nss-3.18.1-ca-2.3-to-2.4.patch 
@@ -0,0 +1,326 @@ +diff -up ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 ./nss/lib/ckfw/builtins/certdata.txt +--- ./nss/lib/ckfw/builtins/certdata.txt.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100 ++++ ./nss/lib/ckfw/builtins/certdata.txt 2015-04-23 18:49:24.536940322 +0200 +@@ -187,9 +187,9 @@ END + CKA_SERIAL_NUMBER MULTILINE_OCTAL + \002\004\065\336\364\317 + END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements." +@@ -17341,149 +17341,6 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_ + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE + + # +-# Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" +-# +-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR +-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5 +-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR +-# Not Valid Before: Thu Jan 04 11:32:48 2007 +-# Not Valid After : Wed Jan 04 11:32:48 2017 +-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B +-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34 +-CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" +-CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 +-CKA_SUBJECT MULTILINE_OCTAL +-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 +-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 
+-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 +-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 +-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 +-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 +-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 +-\141\171\151\143\151\163\151 +-END +-CKA_ID UTF8 "0" +-CKA_ISSUER MULTILINE_OCTAL +-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 +-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 +-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 +-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 +-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 +-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 +-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 +-\141\171\151\143\151\163\151 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333 +-\254\265 +-END +-CKA_VALUE MULTILINE_OCTAL +-\060\202\003\266\060\202\002\236\240\003\002\001\002\002\020\104 +-\231\215\074\300\003\047\275\234\166\225\271\352\333\254\265\060 +-\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\165 +-\061\013\060\011\006\003\125\004\006\023\002\124\122\061\050\060 +-\046\006\003\125\004\012\023\037\105\154\145\153\164\162\157\156 +-\151\153\040\102\151\154\147\151\040\107\165\166\145\156\154\151 +-\147\151\040\101\056\123\056\061\074\060\072\006\003\125\004\003 +-\023\063\145\055\107\165\166\145\156\040\113\157\153\040\105\154 +-\145\153\164\162\157\156\151\153\040\123\145\162\164\151\146\151 +-\153\141\040\110\151\172\155\145\164\040\123\141\147\154\141\171 +-\151\143\151\163\151\060\036\027\015\060\067\060\061\060\064\061 +-\061\063\062\064\070\132\027\015\061\067\060\061\060\064\061\061 +-\063\062\064\070\132\060\165\061\013\060\011\006\003\125\004\006 
+-\023\002\124\122\061\050\060\046\006\003\125\004\012\023\037\105 +-\154\145\153\164\162\157\156\151\153\040\102\151\154\147\151\040 +-\107\165\166\145\156\154\151\147\151\040\101\056\123\056\061\074 +-\060\072\006\003\125\004\003\023\063\145\055\107\165\166\145\156 +-\040\113\157\153\040\105\154\145\153\164\162\157\156\151\153\040 +-\123\145\162\164\151\146\151\153\141\040\110\151\172\155\145\164 +-\040\123\141\147\154\141\171\151\143\151\163\151\060\202\001\042 +-\060\015\006\011\052\206\110\206\367\015\001\001\001\005\000\003 +-\202\001\017\000\060\202\001\012\002\202\001\001\000\303\022\040 +-\236\260\136\000\145\215\116\106\273\200\134\351\054\006\227\325 +-\363\162\311\160\271\347\113\145\200\301\113\276\176\074\327\124 +-\061\224\336\325\022\272\123\026\002\352\130\143\357\133\330\363 +-\355\052\032\252\161\110\243\334\020\055\137\137\353\134\113\234 +-\226\010\102\045\050\021\314\212\132\142\001\120\325\353\011\123 +-\057\370\303\217\376\263\374\375\235\242\343\137\175\276\355\013 +-\340\140\353\151\354\063\355\330\215\373\022\111\203\000\311\213 +-\227\214\073\163\052\062\263\022\367\271\115\362\364\115\155\307 +-\346\326\046\067\010\362\331\375\153\134\243\345\110\134\130\274 +-\102\276\003\132\201\272\034\065\014\000\323\365\043\176\161\060 +-\010\046\070\334\045\021\107\055\363\272\043\020\245\277\274\002 +-\367\103\136\307\376\260\067\120\231\173\017\223\316\346\103\054 +-\303\176\015\362\034\103\146\140\313\141\061\107\207\243\117\256 +-\275\126\154\114\274\274\370\005\312\144\364\351\064\241\054\265 +-\163\341\302\076\350\310\311\064\045\010\134\363\355\246\307\224 +-\237\255\210\103\045\327\341\071\140\376\254\071\131\002\003\001 +-\000\001\243\102\060\100\060\016\006\003\125\035\017\001\001\377 +-\004\004\003\002\001\006\060\017\006\003\125\035\023\001\001\377 +-\004\005\060\003\001\001\377\060\035\006\003\125\035\016\004\026 +-\004\024\237\356\104\263\224\325\372\221\117\056\331\125\232\004 
+-\126\333\055\304\333\245\060\015\006\011\052\206\110\206\367\015 +-\001\001\005\005\000\003\202\001\001\000\177\137\271\123\133\143 +-\075\165\062\347\372\304\164\032\313\106\337\106\151\034\122\317 +-\252\117\302\150\353\377\200\251\121\350\075\142\167\211\075\012 +-\165\071\361\156\135\027\207\157\150\005\301\224\154\331\135\337 +-\332\262\131\313\245\020\212\312\314\071\315\237\353\116\336\122 +-\377\014\360\364\222\251\362\154\123\253\233\322\107\240\037\164 +-\367\233\232\361\057\025\237\172\144\060\030\007\074\052\017\147 +-\312\374\017\211\141\235\145\245\074\345\274\023\133\010\333\343 +-\377\355\273\006\273\152\006\261\172\117\145\306\202\375\036\234 +-\213\265\015\356\110\273\270\275\252\010\264\373\243\174\313\237 +-\315\220\166\134\206\226\170\127\012\146\371\130\032\235\375\227 +-\051\140\336\021\246\220\034\031\034\356\001\226\042\064\064\056 +-\221\371\267\304\047\321\173\346\277\373\200\104\132\026\345\353 +-\340\324\012\070\274\344\221\343\325\353\134\301\254\337\033\152 +-\174\236\345\165\322\266\227\207\333\314\207\053\103\072\204\010 +-\257\253\074\333\367\074\146\061\206\260\235\123\171\355\370\043 +-\336\102\343\055\202\361\017\345\372\227 +-END +- +-# Trust for Certificate "E-Guven Kok Elektronik Sertifika Hizmet Saglayicisi" +-# Issuer: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR +-# Serial Number:44:99:8d:3c:c0:03:27:bd:9c:76:95:b9:ea:db:ac:b5 +-# Subject: CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi,O=Elektronik Bilgi Guvenligi A.S.,C=TR +-# Not Valid Before: Thu Jan 04 11:32:48 2007 +-# Not Valid After : Wed Jan 04 11:32:48 2017 +-# Fingerprint (MD5): 3D:41:29:CB:1E:AA:11:74:CD:5D:B0:62:AF:B0:43:5B +-# Fingerprint (SHA1): DD:E1:D2:A9:01:80:2E:1D:87:5E:84:B3:80:7E:4B:B1:FD:99:41:34 +-CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST +-CKA_TOKEN CK_BBOOL CK_TRUE +-CKA_PRIVATE CK_BBOOL CK_FALSE +-CKA_MODIFIABLE CK_BBOOL CK_FALSE +-CKA_LABEL UTF8 "E-Guven Kok Elektronik Sertifika Hizmet 
Saglayicisi" +-CKA_CERT_SHA1_HASH MULTILINE_OCTAL +-\335\341\322\251\001\200\056\035\207\136\204\263\200\176\113\261 +-\375\231\101\064 +-END +-CKA_CERT_MD5_HASH MULTILINE_OCTAL +-\075\101\051\313\036\252\021\164\315\135\260\142\257\260\103\133 +-END +-CKA_ISSUER MULTILINE_OCTAL +-\060\165\061\013\060\011\006\003\125\004\006\023\002\124\122\061 +-\050\060\046\006\003\125\004\012\023\037\105\154\145\153\164\162 +-\157\156\151\153\040\102\151\154\147\151\040\107\165\166\145\156 +-\154\151\147\151\040\101\056\123\056\061\074\060\072\006\003\125 +-\004\003\023\063\145\055\107\165\166\145\156\040\113\157\153\040 +-\105\154\145\153\164\162\157\156\151\153\040\123\145\162\164\151 +-\146\151\153\141\040\110\151\172\155\145\164\040\123\141\147\154 +-\141\171\151\143\151\163\151 +-END +-CKA_SERIAL_NUMBER MULTILINE_OCTAL +-\002\020\104\231\215\074\300\003\047\275\234\166\225\271\352\333 +-\254\265 +-END +-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR +-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST +-CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +- +-# + # Certificate "GlobalSign Root CA - R3" + # + # Issuer: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3 +@@ -31590,3 +31447,146 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_T + CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST + CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE ++ ++# ++# Certificate "Explicitly Distrusted MCSHOLDING CA" ++# ++# Issuer: CN=CNNIC ROOT,O=CNNIC,C=CN ++# Serial Number: 1228079246 (0x4933008e) ++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG ++# Not Valid Before: Thu Mar 19 06:20:09 2015 ++# Not Valid After : Fri Apr 03 06:20:09 2015 ++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61 ++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76 
++CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA" ++CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509 ++CKA_SUBJECT MULTILINE_OCTAL ++\060\074\061\013\060\011\006\003\125\004\006\023\002\105\107\061 ++\023\060\021\006\003\125\004\012\014\012\115\103\123\110\117\114 ++\104\111\116\107\061\030\060\026\006\003\125\004\003\014\017\115 ++\103\123\110\117\114\104\111\116\107\040\124\105\123\124 ++END ++CKA_ID UTF8 "0" ++CKA_ISSUER MULTILINE_OCTAL ++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 ++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 ++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 ++\122\117\117\124 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\111\063\000\216 ++END ++CKA_VALUE MULTILINE_OCTAL ++\060\202\004\222\060\202\003\172\240\003\002\001\002\002\004\111 ++\063\000\216\060\015\006\011\052\206\110\206\367\015\001\001\013 ++\005\000\060\062\061\013\060\011\006\003\125\004\006\023\002\103 ++\116\061\016\060\014\006\003\125\004\012\023\005\103\116\116\111 ++\103\061\023\060\021\006\003\125\004\003\023\012\103\116\116\111 ++\103\040\122\117\117\124\060\036\027\015\061\065\060\063\061\071 ++\060\066\062\060\060\071\132\027\015\061\065\060\064\060\063\060 ++\066\062\060\060\071\132\060\074\061\013\060\011\006\003\125\004 ++\006\023\002\105\107\061\023\060\021\006\003\125\004\012\014\012 ++\115\103\123\110\117\114\104\111\116\107\061\030\060\026\006\003 ++\125\004\003\014\017\115\103\123\110\117\114\104\111\116\107\040 ++\124\105\123\124\060\202\001\042\060\015\006\011\052\206\110\206 ++\367\015\001\001\001\005\000\003\202\001\017\000\060\202\001\012 ++\002\202\001\001\000\245\371\165\014\006\256\356\014\021\315\226 ++\063\115\153\316\300\112\014\075\135\353\322\113\011\177\347\107 ++\054\254\161\000\371\010\257\064\361\243\152\307\374\346\253\316 
++\320\276\312\315\052\230\230\271\320\216\063\111\007\141\040\321 ++\132\064\316\203\024\006\171\216\032\277\333\344\240\070\072\356 ++\224\271\243\240\130\072\211\024\254\140\076\003\324\307\315\073 ++\034\260\232\210\032\111\020\251\260\262\375\345\350\341\004\342 ++\352\202\155\376\014\121\105\221\255\165\042\256\377\117\220\013 ++\300\123\145\167\076\036\302\126\265\066\306\326\205\314\016\203 ++\032\063\037\166\231\133\053\227\053\213\327\321\024\025\114\235 ++\131\327\200\057\244\242\205\325\210\066\002\140\125\312\130\337 ++\223\374\112\142\007\226\323\304\372\277\215\001\047\227\057\246 ++\134\164\361\072\102\156\135\171\024\060\061\032\074\331\262\127 ++\115\340\270\077\017\151\061\242\235\145\231\331\326\061\207\265 ++\230\046\337\360\313\273\025\300\044\023\142\122\032\153\313\105 ++\007\227\343\304\224\136\311\015\107\054\351\317\351\364\217\376 ++\065\341\062\347\061\002\003\001\000\001\243\202\001\244\060\202 ++\001\240\060\166\006\010\053\006\001\005\005\007\001\001\004\152 ++\060\150\060\051\006\010\053\006\001\005\005\007\060\001\206\035 ++\150\164\164\160\072\057\057\157\143\163\160\143\156\156\151\143 ++\162\157\157\164\056\143\156\156\151\143\056\143\156\060\073\006 ++\010\053\006\001\005\005\007\060\002\206\057\150\164\164\160\072 ++\057\057\167\167\167\056\143\156\156\151\143\056\143\156\057\144 ++\157\167\156\154\157\141\144\057\143\145\162\164\057\103\116\116 ++\111\103\122\117\117\124\056\143\145\162\060\037\006\003\125\035 ++\043\004\030\060\026\200\024\145\362\061\255\052\367\367\335\122 ++\226\012\307\002\301\016\357\246\325\073\021\060\017\006\003\125 ++\035\023\001\001\377\004\005\060\003\001\001\377\060\077\006\003 ++\125\035\040\004\070\060\066\060\064\006\012\053\006\001\004\001 ++\201\351\014\001\006\060\046\060\044\006\010\053\006\001\005\005 ++\007\002\001\026\030\150\164\164\160\072\057\057\167\167\167\056 ++\143\156\156\151\143\056\143\156\057\143\160\163\057\060\201\206 
++\006\003\125\035\037\004\177\060\175\060\102\240\100\240\076\244 ++\074\060\072\061\013\060\011\006\003\125\004\006\023\002\103\116 ++\061\016\060\014\006\003\125\004\012\014\005\103\116\116\111\103 ++\061\014\060\012\006\003\125\004\013\014\003\143\162\154\061\015 ++\060\013\006\003\125\004\003\014\004\143\162\154\061\060\067\240 ++\065\240\063\206\061\150\164\164\160\072\057\057\143\162\154\056 ++\143\156\156\151\143\056\143\156\057\144\157\167\156\154\157\141 ++\144\057\162\157\157\164\163\150\141\062\143\162\154\057\103\122 ++\114\061\056\143\162\154\060\013\006\003\125\035\017\004\004\003 ++\002\001\006\060\035\006\003\125\035\016\004\026\004\024\104\244 ++\211\253\024\137\075\157\040\074\252\174\372\031\256\364\110\140 ++\005\265\060\015\006\011\052\206\110\206\367\015\001\001\013\005 ++\000\003\202\001\001\000\134\264\365\123\233\117\271\340\204\211 ++\061\276\236\056\352\236\041\113\245\217\155\241\246\363\057\110 ++\353\351\333\255\036\061\200\320\171\073\020\357\232\044\367\223 ++\033\065\363\032\302\307\302\054\012\177\157\133\361\137\163\221 ++\004\373\015\171\015\351\032\006\326\203\375\116\140\235\154\222 ++\103\114\352\144\230\104\253\327\373\107\320\257\037\144\114\342 ++\335\167\150\026\302\054\241\240\201\227\000\102\037\176\040\170 ++\350\306\120\035\013\177\025\223\131\130\100\024\204\360\247\220 ++\153\066\005\147\352\177\042\155\273\321\245\046\115\263\060\244 ++\130\324\133\265\032\214\120\214\270\015\341\240\007\263\017\130 ++\316\327\005\265\175\065\171\157\242\333\014\000\052\150\044\214 ++\176\234\301\166\111\272\174\146\021\336\362\107\316\376\320\316 ++\125\276\010\332\362\171\046\052\025\071\316\153\030\246\337\330 ++\207\050\231\224\016\055\150\241\232\316\122\066\234\053\354\264 ++\150\263\154\025\254\313\160\102\362\304\101\245\310\374\041\170 ++\123\167\062\040\251\041\114\162\342\323\262\311\166\033\030\130 ++\102\013\102\222\263\344 ++END ++ ++# Distrust "Explicitly Distrusted MCSHOLDING CA" ++# Issuer: CN=CNNIC 
ROOT,O=CNNIC,C=CN ++# Serial Number: 1228079246 (0x4933008e) ++# Subject: CN=MCSHOLDING TEST,O=MCSHOLDING,C=EG ++# Not Valid Before: Thu Mar 19 06:20:09 2015 ++# Not Valid After : Fri Apr 03 06:20:09 2015 ++# Fingerprint (SHA-256): 27:40:D9:56:B1:12:7B:79:1A:A1:B3:CC:64:4A:4D:BE:DB:A7:61:86:A2:36:38:B9:51:02:35:1A:83:4E:A8:61 ++# Fingerprint (SHA1): E1:F3:59:1E:76:98:65:C4:E4:47:AC:C3:7E:AF:C9:E2:BF:E4:C5:76 ++CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST ++CKA_TOKEN CK_BBOOL CK_TRUE ++CKA_PRIVATE CK_BBOOL CK_FALSE ++CKA_MODIFIABLE CK_BBOOL CK_FALSE ++CKA_LABEL UTF8 "Explicitly Distrusted MCSHOLDING CA" ++CKA_CERT_SHA1_HASH MULTILINE_OCTAL ++\341\363\131\036\166\230\145\304\344\107\254\303\176\257\311\342 ++\277\344\305\166 ++END ++CKA_CERT_MD5_HASH MULTILINE_OCTAL ++\366\212\253\024\076\326\060\045\267\111\015\167\205\160\231\313 ++END ++CKA_ISSUER MULTILINE_OCTAL ++\060\062\061\013\060\011\006\003\125\004\006\023\002\103\116\061 ++\016\060\014\006\003\125\004\012\023\005\103\116\116\111\103\061 ++\023\060\021\006\003\125\004\003\023\012\103\116\116\111\103\040 ++\122\117\117\124 ++END ++CKA_SERIAL_NUMBER MULTILINE_OCTAL ++\002\004\111\063\000\216 ++END ++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED ++CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE +diff -up ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 ./nss/lib/ckfw/builtins/nssckbi.h +--- ./nss/lib/ckfw/builtins/nssckbi.h.pre-ca-2.4 2015-03-17 00:03:37.000000000 +0100 ++++ ./nss/lib/ckfw/builtins/nssckbi.h 2015-04-23 18:49:24.575939481 +0200 +@@ -45,8 +45,8 @@ + * of the comment in the CK_VERSION type definition. 
+ */
+ #define NSS_BUILTINS_LIBRARY_VERSION_MAJOR 2
+-#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 3
+-#define NSS_BUILTINS_LIBRARY_VERSION "2.3"
++#define NSS_BUILTINS_LIBRARY_VERSION_MINOR 4
++#define NSS_BUILTINS_LIBRARY_VERSION "2.4"
+
+ /* These version numbers detail the semantic changes to the ckfw engine. */
+ #define NSS_BUILTINS_HARDWARE_VERSION_MAJOR 1
diff --git a/SOURCES/nss-646045.patch b/SOURCES/nss-646045.patch
index 33b80fe..765f25e 100644
--- a/SOURCES/nss-646045.patch
+++ b/SOURCES/nss-646045.patch
@@ -1,34 +1,34 @@ -diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh ---- nss/tests/dbtests/dbtests.sh.646045 2013-04-04 13:31:55.000000000 -0700 -+++ nss/tests/dbtests/dbtests.sh 2013-04-04 15:57:46.298127149 -0700 -@@ -168,6 +168,9 @@ dbtest_main() +diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh +--- a/tests/dbtests/dbtests.sh ++++ b/tests/dbtests/dbtests.sh +@@ -165,28 +165,28 @@ dbtest_main() + # opens immediately see the files are readonly. As a + # workaround we open the files once first. (Bug 185074) + if [ "${OS_ARCH}" = "Darwin" ]; then cat $RONLY_DIR/* > /dev/null fi -+ # skipping the next two tests when user is root, -+ # otherwise they would fail due to rooty powers -+ if [[ $EUID -ne 0 ]] then - ${BINDIR}/dbtest -d $RONLY_DIR + # skipping the next two tests when user is root, + # otherwise they would fail due to rooty powers +- if [ $UID -ne 0 ]; then ++ if [[ $UID -ne 0 ]]; then + ${BINDIR}/dbtest -d $RONLY_DIR ret=$? if [ $ret -ne 46 ]; then -@@ -175,6 +178,10 @@ dbtest_main() + html_failed "Dbtest r/w succeeded in a readonly directory $ret" else html_passed "Dbtest r/w didn't work in an readonly dir $ret" fi -+ else -+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root" -+ fi -+ if [[ $EUID -ne 0 ]] then - ${BINDIR}/certutil -D -n "TestUser" -d . + else + html_passed "Skipping Dbtest r/w in a readonly dir because user is root" + fi +- if [ $UID -ne 0 ]; then ++ if [[ $UID -ne 0 ]]; then + ${BINDIR}/certutil -D -n "TestUser" -d . ret=$? 
if [ $ret -ne 255 ]; then -@@ -182,6 +189,9 @@ dbtest_main() + html_failed "Certutil succeeded in deleting a cert in a readonly directory $ret" else - html_passed "Certutil didn't work in an readonly dir $ret" + html_passed "Certutil didn't work in an readonly dir $ret" fi -+ else -+ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root" -+ fi - - Echo "test opening the database ronly in a readonly directory" - + else diff --git a/SOURCES/nss-revert-tls-version-defaults.patch b/SOURCES/nss-revert-tls-version-defaults.patch new file mode 100644 index 0000000..f24e91c --- /dev/null +++ b/SOURCES/nss-revert-tls-version-defaults.patch @@ -0,0 +1,37 @@ + +# HG changeset patch +# User Martin Thomson +# Date 1425582301 -3600 +# Node ID 3c8e2b57803654f9cc74a37132d72fd0b8a59db5 +# Parent ad602a80ac1013dcd8b7508e0f8474d81e447d4a +Bug 1083900, Enable TLS 1.2 in the default NSS configuration, r=rrelyea + +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = { + PR_FALSE /* enableFallbackSCSV */ + }; + + /* + * default range of enabled SSL/TLS protocols + */ + static SSLVersionRange versions_defaults_stream = { + SSL_LIBRARY_VERSION_3_0, +- SSL_LIBRARY_VERSION_TLS_1_0 ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + static SSLVersionRange versions_defaults_datagram = { + SSL_LIBRARY_VERSION_TLS_1_1, +- SSL_LIBRARY_VERSION_TLS_1_1 ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + #define VERSIONS_DEFAULTS(variant) \ + (variant == ssl_variant_stream ? &versions_defaults_stream : \ + &versions_defaults_datagram) + + sslSessionIDLookupFunc ssl_sid_lookup; + sslSessionIDCacheFunc ssl_sid_cache; + diff --git a/SOURCES/p-1083360.patch b/SOURCES/p-1083360.patch deleted file mode 100644 index ed8c3d4..0000000 --- a/SOURCES/p-1083360.patch +++ /dev/null 
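Review bot: Both root checks this patch now carries, `if [[ $UID -ne 0 ]]; then`, test the real UID, while the "rooty powers" that let `${BINDIR}/dbtest -d $RONLY_DIR` and `${BINDIR}/certutil -D -n "TestUser" -d .` succeed in a read-only directory come from the effective UID; the previous revision of this patch used `$EUID`. A process whose real UID is non-zero but whose effective UID is 0 would run both tests and report spurious failures, so `if [[ $EUID -ne 0 ]]; then` is the more accurate guard for what the comment describes. The dbtest_main function being patched continues outside the hunk.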
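Review bot: The new patch file's own header says "Enable TLS 1.2 in the default NSS configuration", but the spec applies it reversed (`%patch98 -p1 -R -b .keep_tls_default`, in the %prep hunk further down), so the effective result is that `versions_defaults_stream` keeps `SSL_LIBRARY_VERSION_TLS_1_0` and `versions_defaults_datagram` keeps `SSL_LIBRARY_VERSION_TLS_1_1` as the default maximum, and presumably only callers that set an explicit range through SSL_VersionRangeSet negotiate TLS 1.2. The spec records the intent (`# attention, reverting patch98, keep -R`), but nothing in the patch file itself does, so a future rebase that re-imports it from upstream can silently apply it forwards. A line in the patch preamble such as `# NOTE: applied with -R by nss.spec to keep the default TLS version range unchanged on RHEL 7.1 (see changelog 3.18.0-2.2)` would keep the security-relevant decision next to the code it affects. The same point applies to the %prep hunk that adds the -R line.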
@@ -1,142 +0,0 @@ -diff --git a/cmd/ssltap/ssltap.c b/cmd/ssltap/ssltap.c ---- a/cmd/ssltap/ssltap.c -+++ b/cmd/ssltap/ssltap.c -@@ -398,16 +398,17 @@ const char * V2CipherString(int cs_int) - case 0x000098: cs_str = "TLS/DH-RSA/SEED-CBC/SHA"; break; - case 0x000099: cs_str = "TLS/DHE-DSS/SEED-CBC/SHA"; break; - case 0x00009A: cs_str = "TLS/DHE-RSA/SEED-CBC/SHA"; break; - case 0x00009B: cs_str = "TLS/DH-ANON/SEED-CBC/SHA"; break; - case 0x00009C: cs_str = "TLS/RSA/AES128-GCM/SHA256"; break; - case 0x00009E: cs_str = "TLS/DHE-RSA/AES128-GCM/SHA256"; break; - - case 0x0000FF: cs_str = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"; break; -+ case 0x005600: cs_str = "TLS_FALLBACK_SCSV"; break; - - case 0x00C001: cs_str = "TLS/ECDH-ECDSA/NULL/SHA"; break; - case 0x00C002: cs_str = "TLS/ECDH-ECDSA/RC4-128/SHA"; break; - case 0x00C003: cs_str = "TLS/ECDH-ECDSA/3DES-EDE-CBC/SHA"; break; - case 0x00C004: cs_str = "TLS/ECDH-ECDSA/AES128-CBC/SHA"; break; - case 0x00C005: cs_str = "TLS/ECDH-ECDSA/AES256-CBC/SHA"; break; - case 0x00C006: cs_str = "TLS/ECDHE-ECDSA/NULL/SHA"; break; - case 0x00C007: cs_str = "TLS/ECDHE-ECDSA/RC4-128/SHA"; break; -diff --git a/cmd/tstclnt/tstclnt.c b/cmd/tstclnt/tstclnt.c ---- a/cmd/tstclnt/tstclnt.c -+++ b/cmd/tstclnt/tstclnt.c -@@ -175,17 +175,17 @@ handshakeCallback(PRFileDesc *fd, void * - } - } - - static void PrintUsageHeader(const char *progName) - { - fprintf(stderr, - "Usage: %s -h host [-a 1st_hs_name ] [-a 2nd_hs_name ] [-p port]\n" - "[-d certdir] [-n nickname] [-Bafosvx] [-c ciphers] [-Y]\n" -- "[-V [min-version]:[max-version]] [-T]\n" -+ "[-V [min-version]:[max-version]] [-K] [-T]\n" - "[-r N] [-w passwd] [-W pwfile] [-q [-t seconds]]\n", - progName); - } - - static void PrintParameterUsage(void) - { - fprintf(stderr, "%-20s Send different SNI name. 
1st_hs_name - at first\n" - "%-20s handshake, 2nd_hs_name - at second handshake.\n" -@@ -201,16 +201,17 @@ static void PrintParameterUsage(void) - fprintf(stderr, - "%-20s Bypass PKCS11 layer for SSL encryption and MACing.\n", "-B"); - fprintf(stderr, - "%-20s Restricts the set of enabled SSL/TLS protocols versions.\n" - "%-20s All versions are enabled by default.\n" - "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n" - "%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n", - "-V [min]:[max]", "", "", ""); -+ fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K"); - fprintf(stderr, "%-20s Prints only payload data. Skips HTTP header.\n", "-S"); - fprintf(stderr, "%-20s Client speaks first. \n", "-f"); - fprintf(stderr, "%-20s Use synchronous certificate validation " - "(required for SSL2)\n", "-O"); - fprintf(stderr, "%-20s Override bad server cert. Make it OK.\n", "-o"); - fprintf(stderr, "%-20s Disable SSL socket locking.\n", "-s"); - fprintf(stderr, "%-20s Verbose progress reporting.\n", "-v"); - fprintf(stderr, "%-20s Use export policy.\n", "-x"); -@@ -802,16 +803,17 @@ int main(int argc, char **argv) - PRBool enableSSL2 = PR_TRUE; - int bypassPKCS11 = 0; - int disableLocking = 0; - int useExportPolicy = 0; - int enableSessionTickets = 0; - int enableCompression = 0; - int enableFalseStart = 0; - int enableCertStatus = 0; -+ int forceFallbackSCSV = 0; - PRSocketOptionData opt; - PRNetAddr addr; - PRPollDesc pollset[2]; - PRBool allowIPv4 = PR_TRUE; - PRBool allowIPv6 = PR_TRUE; - PRBool pingServerFirst = PR_FALSE; - int pingTimeoutSeconds = -1; - PRBool clientSpeaksFirst = PR_FALSE; -@@ -847,17 +849,17 @@ int main(int argc, char **argv) - if (sec > 0) { - maxInterval = PR_SecondsToInterval(sec); - } - } - - SSL_VersionRangeGetSupported(ssl_variant_stream, &enabledVersions); - - optstate = PL_CreateOptState(argc, argv, -- "46BFM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz"); -+ "46BFKM:OSTV:W:Ya:c:d:fgh:m:n:op:qr:st:uvw:xz"); - while ((optstatus 
= PL_GetNextOpt(optstate)) == PL_OPT_OK) { - switch (optstate->option) { - case '?': - default : Usage(progName); break; - - case '4': allowIPv6 = PR_FALSE; if (!allowIPv4) Usage(progName); break; - case '6': allowIPv4 = PR_FALSE; if (!allowIPv6) Usage(progName); break; - -@@ -869,16 +871,18 @@ int main(int argc, char **argv) - } - serverCertAuth.testFreshStatusFromSideChannel = PR_TRUE; - break; - - case 'I': /* reserved for OCSP multi-stapling */ break; - - case 'O': serverCertAuth.shouldPause = PR_FALSE; break; - -+ case 'K': forceFallbackSCSV = PR_TRUE; break; -+ - case 'M': switch (atoi(optstate->value)) { - case 1: - serverCertAuth.allowOCSPSideChannelData = PR_TRUE; - serverCertAuth.allowCRLSideChannelData = PR_FALSE; - break; - case 2: - serverCertAuth.allowOCSPSideChannelData = PR_FALSE; - serverCertAuth.allowCRLSideChannelData = PR_TRUE; -@@ -1213,16 +1216,24 @@ int main(int argc, char **argv) - - /* enable false start. */ - rv = SSL_OptionSet(s, SSL_ENABLE_FALSE_START, enableFalseStart); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling false start"); - return 1; - } - -+ if (forceFallbackSCSV) { -+ rv = SSL_OptionSet(s, SSL_ENABLE_FALLBACK_SCSV, PR_TRUE); -+ if (rv != SECSuccess) { -+ SECU_PrintError(progName, "error forcing fallback scsv"); -+ return 1; -+ } -+ } -+ - /* enable cert status (OCSP stapling). */ - rv = SSL_OptionSet(s, SSL_ENABLE_OCSP_STAPLING, enableCertStatus); - if (rv != SECSuccess) { - SECU_PrintError(progName, "error enabling cert status (OCSP stapling)"); - return 1; - } - - SSL_SetPKCS11PinArg(s, &pwdata); diff --git a/SOURCES/syntaxfix.patch b/SOURCES/syntaxfix.patch new file mode 100644 index 0000000..91603a4 --- /dev/null +++ b/SOURCES/syntaxfix.patch 
@@ -0,0 +1,22 @@
+diff --git a/tests/all.sh b/tests/all.sh
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -297,17 +297,17 @@ fi
+
+ # NOTE:
+ # Since in make at the top level, modutil is the last file
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the
+ # following test for modutil should check for that instead.
+ # Exception: when building softoken only, shlibsign is the
+ # last file created.
+-if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
+ LAST_FILE_BUILT=shlibsign
+ else
+ LAST_FILE_BUILT=modutil
+ fi
+
+ if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then
+ echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+ html_head "Testing Initialization"
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 0a233c4..e7ec2d8 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
@@ -1,5 +1,5 @@
-%global nspr_version 4.10.6
-%global nss_util_version 3.16.2.3
+%global nspr_version 4.10.8
+%global nss_util_version 3.18.0
 # adjust to the version that gets submitted for FIPS validation
 %global nss_softokn_fips_version 3.16.2
 %global nss_softokn_version 3.16.2.3
@@ -20,8 +20,8 @@
 Summary: Network Security Services
 Name: nss
-Version: 3.16.2.3
-Release: 5%{?dist}
+Version: 3.18.0
+Release: 2.2%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -71,6 +71,8 @@ Source24: cert9.db.xml
 Source25: key3.db.xml
 Source26: key4.db.xml
 Source27: secmod.db.xml
+Source30: PayPalRootCA.cert
+Source31: PayPalICA.cert
 Patch2: add-relro-linker-option.patch
 Patch3: renegotiate-transitional.patch
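Review bot: The quoting fix stops at `${NSS_BUILD_SOFTOKEN_ONLY}`; the context line a few lines below, `if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then`, has the same unquoted expansion and would misparse in the same way if any of those variables were empty or contained whitespace. Quoting it as `if [ ! -f "${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX}" ]; then` in the same patch keeps the fix consistent. The surrounding all.sh logic continues outside the hunk.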
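Review bot: `Source30: PayPalRootCA.cert` is declared here and copied into ./nss/tests/libpkix/certs in the %prep hunk, but nothing in this diff shows where that file comes from; if it is not already present in SOURCES/, %prep fails at `%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs`. Worth confirming the file is tracked, and the changelog line "Replace expired PayPal test certificate that breaks the build" could name the certificates it actually replaces.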
@@ -98,18 +100,14 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
 Patch55: enable-fips-when-system-is-in-fips-mode.patch
 # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
 Patch56: p-ignore-setpolicy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
-Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch64: Crash-in-stan_GetCERTCertificate-rhbz1094468.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083360
-# support TLS_FALLBACK_SCSV in tstclnt and ssltap
-Patch88: p-1083360.patch
-Patch89: certutil-man-supply-missing-options.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1111901
-Patch90: Bug-1174527-fixsegfault.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1050069
-Patch91: nss-3.16-tcache-race.patch
+# Update the root CA list to 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+Patch91: nss-3.18.1-ca-2.3-to-2.4.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
+Patch95: expired-cert.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1153994
+Patch96: syntaxfix.patch
+# Patch to keep the TLS protocol versions that are enabled by default
+Patch98: nss-revert-tls-version-defaults.patch
 %description
 Network Security Services (NSS) is a set of libraries designed to
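Review bot: The `Patch91:` tag changes meaning inside this commit: the removed line bound it to nss-3.16-tcache-race.patch and the added line binds it to nss-3.18.1-ca-2.3-to-2.4.patch, with `%patch91 -p0 -b .race` becoming `%patch91 -p1 -b .pre-ca-2.4` in the %prep hunk. Reusing a number for an unrelated patch makes diffs against the previous release misleading; `Patch97: nss-3.18.1-ca-2.3-to-2.4.patch` (97 is unused between 96 and 98) keeps the numbering monotonic. The six dropped patches (62, 64, 88, 89, 90 and the old 91) are presumably included upstream in 3.18, but no comment or changelog line says so; a one-line note to that effect would let a reviewer verify that none of those fixes regressed.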
@@ -184,13 +182,17 @@ low level services.
 %{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
 %{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs
+%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs
 %setup -q -T -D -n %{name}-%{version} -a 12
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-%patch18 -p0 -b .646045
+pushd nss
+%patch18 -p1 -b .646045
+popd
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 %patch40 -p0 -b .noocsptest
@@ -203,16 +205,13 @@ pushd nss
 popd
 %patch55 -p0 -b .852023
 %patch56 -p0 -b .1026677
-%patch62 -p0 -b .1034409
+%patch91 -p1 -b .pre-ca-2.4
 pushd nss
-%patch64 -p1 -b .1094468
-%patch88 -p1 -b .support_tls_fallback_scsv
+%patch95 -p1 -b .renewed_paypal_cert
+%patch96 -p1 -b .syntax_fix
+# attention, reverting patch98, keep -R
+%patch98 -p1 -R -b .keep_tls_default
 popd
-%patch89 -p0 -b .missing_options
-
 pushd nss
-%patch90 -p1 -b .1174527
-popd
-%patch91 -p0 -b .race
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -457,7 +456,7 @@ pushd ./nss/tests/ # don't need to run all the tests when testing packaging # nss_cycles: standard pkix upgradedb sharedb -nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" +%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress #
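Review bot: `%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"` stores the double quotes as part of the macro body, so every `%{nss_tests}` expansion carries them; that is fine where the old `nss_tests="..."` shell assignment stood (an expansion like `NSS_TESTS=%{nss_tests}` still yields one quoted word) but breaks if the macro is expanded inside another quoted string. The consuming line is outside this hunk, so confirm which form it expects, or drop the quotes from the macro and quote at the use site.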
@@ -537,7 +536,7 @@ done
 %{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 %{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
 %{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
-
+
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
@@ -793,6 +792,21 @@ fi
 %changelog
+* Tue Apr 28 2015 Kai Engert - 3.18.0-2.2
+- On RHEL 7.1 keep the TLS version defaults unchanged.
+
+* Thu Apr 23 2015 Kai Engert - 3.18.0-2.1
+- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)
+
+* Fri Apr 17 2015 Elio Maldonado - 3.18.0-2
+- Update and reenable nss-646045.patch on account of the rebase
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+
+* Tue Apr 14 2015 Elio Maldonado - 3.18.0-1
+- Resolves: Bug 1211371 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1]
+- Fix shell syntax error on nss/tests/all.sh
+- Replace expired PayPal test certificate that breaks the build
+
 * Mon Jan 19 2015 Elio Maldonado - 3.16.2.3-5
 - Reverse the sense of a test in patch to fix pk12util segfault
 - Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files