diff --git a/.gitignore b/.gitignore index 7286e8d..9f715bd 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,7 @@ SOURCES/cert8.db.xml SOURCES/cert9.db.xml SOURCES/key3.db.xml SOURCES/key4.db.xml -SOURCES/nss-3.34.0.tar.gz +SOURCES/nss-3.36.0.tar.gz SOURCES/nss-config.xml SOURCES/secmod.db.xml SOURCES/setup-nsssysinit.xml diff --git a/.nss.metadata b/.nss.metadata index 7b7738a..43619b7 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -10,7 +10,7 @@ bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db 7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml 24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml -01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz +e9d8137e035efed17bd0ca12db497dbeff9b828e SOURCES/nss-3.36.0.tar.gz 2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch index 40e3e6d..96569b2 100644 --- a/SOURCES/Bug-1001841-disable-sslv2-tests.patch +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -1,10 +1,11 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh ---- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-09-20 08:47:27.000000000 +0200 -+++ nss/tests/ssl/ssl.sh 2017-10-06 16:19:10.812108552 +0200 -@@ -69,8 +69,14 @@ ssl_init() - +--- nss/tests/ssl/ssl.sh.disableSSL2tests 2018-03-05 16:58:32.000000000 +0100 ++++ nss/tests/ssl/ssl.sh 2018-03-09 17:24:07.047568191 +0100 +@@ -68,9 +68,14 @@ ssl_init() + NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} + # Test case files - SSLCOV=${QADIR}/ssl/sslcov.txt +- SSLCOV=${QADIR}/ssl/sslcov.txt + if [ "${NSS_NO_SSL2}" = "1" ]; then + SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt + SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt @@ -17,7 +18,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh SSLPOLICY=${QADIR}/ssl/sslpolicy.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat -@@ -128,7 +134,11 @@ is_selfserv_alive() +@@ -128,7 +133,11 @@ is_selfserv_alive() fi echo "kill -0 ${PID} >/dev/null 2>/dev/null" @@ -29,7 +30,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh echo "selfserv with PID ${PID} found at `date`" } -@@ -152,7 +162,11 @@ wait_for_selfserv() +@@ -152,7 +161,11 @@ wait_for_selfserv() ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} if [ $? -ne 0 ]; then @@ -41,7 +42,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh fi fi is_selfserv_alive -@@ -275,7 +289,7 @@ ssl_cov() +@@ -275,7 +288,7 @@ ssl_cov() start_selfserv # Launch the server VMIN="ssl3" @@ -50,7 +51,7 @@ diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh ignore_blank_lines ${SSLCOV} | \ while read ectype testmax param testname -@@ -283,6 +297,12 @@ ssl_cov() +@@ -283,6 +296,12 @@ ssl_cov() echo "${testname}" | grep "EXPORT" > /dev/null EXP=$? diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch index 72c0cb4..dde5dcb 100644 --- a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch +++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch @@ -1,7 +1,7 @@ diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c ---- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 -+++ nss/lib/pk11wrap/pk11pars.c 2017-01-13 17:04:52.968903200 +0100 -@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar +--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2018-03-09 17:24:39.815838810 +0100 +@@ -671,6 +671,10 @@ SECMOD_CreateModuleEx(const char *librar mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); @@ -13,9 +13,9 @@ diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/li slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c ---- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 -+++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:06:24.171723872 +0100 -@@ -94,6 +94,26 @@ SECMOD_Shutdown() +--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2018-03-09 17:25:46.804347730 +0100 +@@ -95,6 +95,26 @@ SECMOD_Shutdown() return SECSuccess; } @@ -42,7 +42,7 @@ diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/li /* * retrieve the internal module */ -@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char * +@@ -428,7 +448,7 @@ SECMOD_DeleteInternalModule(const char * SECMODModuleList **mlpp; SECStatus rv = SECFailure; @@ -51,18 +51,18 @@ diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/li PORT_SetError(SEC_ERROR_MODULE_STUCK); return rv; } -@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis - PRBool - SECMOD_CanDeleteInternalModule(void) - { +@@ -963,7 +983,7 @@ SECMOD_CanDeleteInternalModule(void) + #ifdef NSS_FIPS_DISABLED + return PR_FALSE; + #else - return (PRBool)(pendingModule == NULL); + return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); + #endif } - /* diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h ---- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 -+++ nss/lib/pk11wrap/secmodi.h 2017-01-13 17:07:08.897624098 +0100 +--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2018-03-05 16:58:32.000000000 +0100 ++++ nss/lib/pk11wrap/secmodi.h 2018-03-09 17:24:39.816838788 +0100 @@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, SECItem **param, SECItem *pwd, PRBool faulty3DES); diff --git a/SOURCES/nss-certutil-suppress-password.patch b/SOURCES/nss-certutil-suppress-password.patch deleted file mode 100644 index 985ac21..0000000 --- a/SOURCES/nss-certutil-suppress-password.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1513770602 -3600 -# Wed Dec 20 12:50:02 2017 +0100 -# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b -# Parent 5a14f42384eb22b67e0465949c03555eff41e4af -Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea - -diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c ---- a/cmd/certutil/certutil.c -+++ b/cmd/certutil/certutil.c -@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB - certutil.commands[cmd_CreateAndAddCert].activated || - certutil.commands[cmd_AddCert].activated || - certutil.commands[cmd_AddEmailCert].activated) { -- if (PK11_NeedUserInit(slot)) { -+ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { - char *password = NULL; - /* fetch the password from the command line or the file - * if no password is supplied, initialize the password to NULL */ diff --git a/SOURCES/nss-devslot-reinsert.patch b/SOURCES/nss-devslot-reinsert.patch new file mode 100644 index 0000000..f68a81a --- /dev/null +++ b/SOURCES/nss-devslot-reinsert.patch @@ -0,0 +1,95 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1521731296 -3600 +# Thu Mar 22 16:08:16 2018 +0100 +# Node ID 6ae3ab8a1e7b4161f3f8eee90db7a745acced408 +# Parent dedf5290c679153e5b3555ba9c711fe62323c156 +Bug 1447628, devslot: avoid deadlock when re-inserting a token, r=rrelyea + +diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c +--- a/lib/dev/devslot.c ++++ b/lib/dev/devslot.c +@@ -96,10 +96,16 @@ nssSlot_ResetDelay( + } + + static PRBool +-within_token_delay_period(const NSSSlot *slot) ++token_status_checked(const NSSSlot *slot) + { + PRIntervalTime time; + int lastPingState = slot->lastTokenPingState; ++ /* When called from the same thread, that means ++ * nssSlot_IsTokenPresent() is called recursively through ++ * nssSlot_Refresh(). Return immediately in that case. */ ++ if (slot->isPresentThread == PR_GetCurrentThread()) { ++ return PR_TRUE; ++ } + /* Set the delay time for checking the token presence */ + if (s_token_delay_time == 0) { + s_token_delay_time = PR_SecondsToInterval(NSSSLOT_TOKEN_DELAY_TIME); +@@ -130,7 +136,7 @@ nssSlot_IsTokenPresent( + + /* avoid repeated calls to check token status within set interval */ + PZ_Lock(slot->isPresentLock); +- if (within_token_delay_period(slot)) { ++ if (token_status_checked(slot)) { + CK_FLAGS ckFlags = slot->ckFlags; + PZ_Unlock(slot->isPresentLock); + return ((ckFlags & CKF_TOKEN_PRESENT) != 0); +@@ -146,12 +152,12 @@ nssSlot_IsTokenPresent( + + /* set up condition so only one thread is active in this part of the code at a time */ + PZ_Lock(slot->isPresentLock); +- while (slot->inIsPresent) { ++ while (slot->isPresentThread) { + PR_WaitCondVar(slot->isPresentCondition, 0); + } + /* if we were one of multiple threads here, the first thread will have + * given us the answer, no need to make more queries of the token. */ +- if (within_token_delay_period(slot)) { ++ if (token_status_checked(slot)) { + CK_FLAGS ckFlags = slot->ckFlags; + PZ_Unlock(slot->isPresentLock); + return ((ckFlags & CKF_TOKEN_PRESENT) != 0); +@@ -159,7 +165,7 @@ nssSlot_IsTokenPresent( + /* this is the winning thread, block all others until we've determined + * if the token is present and that it needs initialization. */ + slot->lastTokenPingState = nssSlotLastPingState_Update; +- slot->inIsPresent = PR_TRUE; ++ slot->isPresentThread = PR_GetCurrentThread(); + + PZ_Unlock(slot->isPresentLock); + +@@ -257,7 +263,7 @@ done: + slot->lastTokenPingTime = PR_IntervalNow(); + slot->lastTokenPingState = nssSlotLastPingState_Valid; + } +- slot->inIsPresent = PR_FALSE; ++ slot->isPresentThread = NULL; + PR_NotifyAllCondVar(slot->isPresentCondition); + PZ_Unlock(slot->isPresentLock); + return isPresent; +diff --git a/lib/dev/devt.h b/lib/dev/devt.h +--- a/lib/dev/devt.h ++++ b/lib/dev/devt.h +@@ -92,7 +92,7 @@ struct NSSSlotStr { + PK11SlotInfo *pk11slot; + PZLock *isPresentLock; + PRCondVar *isPresentCondition; +- PRBool inIsPresent; ++ PRThread *isPresentThread; + }; + + struct nssSessionStr { +diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c +--- a/lib/pk11wrap/dev3hack.c ++++ b/lib/pk11wrap/dev3hack.c +@@ -122,7 +122,7 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD + rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; + rvSlot->isPresentLock = PZ_NewLock(nssiLockOther); + rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock); +- rvSlot->inIsPresent = PR_FALSE; ++ rvSlot->isPresentThread = NULL; + rvSlot->lastTokenPingState = nssSlotLastPingState_Reset; + return rvSlot; + } diff --git a/SOURCES/nss-increase-pkcs12-iterations.patch b/SOURCES/nss-increase-pkcs12-iterations.patch deleted file mode 100644 index 72fedd4..0000000 --- a/SOURCES/nss-increase-pkcs12-iterations.patch +++ /dev/null @@ -1,26 +0,0 @@ -# HG changeset patch -# User Kai Engert -# Date 1511356939 -3600 -# Wed Nov 22 14:22:19 2017 +0100 -# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1 -# Parent 6a27e4b4c92c8c3694132b75a1a54c23688789bd -Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer - -diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c ---- a/lib/pkcs7/p7create.c -+++ b/lib/pkcs7/p7create.c -@@ -18,7 +18,13 @@ - #include "secder.h" - #include "secpkcs5.h" - --const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */ -+const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */ -+#ifdef DEBUG -+ 10000 -+#else -+ 1000000 -+#endif -+ ; - - static SECStatus - sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp, diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch deleted file mode 100644 index 9c85f74..0000000 --- a/SOURCES/nss-is-token-present-race.patch +++ /dev/null @@ -1,191 +0,0 @@ -# HG changeset patch -# User Robert Relyea -# Date 1516007838 -3600 -# Mon Jan 15 10:17:18 2018 +0100 -# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670 -# Parent db32ef3be38eb06a91babbcbb48285284d704dbd -Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi - -diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c ---- a/lib/dev/devslot.c -+++ b/lib/dev/devslot.c -@@ -33,6 +33,8 @@ nssSlot_Destroy( - if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) { - PK11_FreeSlot(slot->pk11slot); - PZ_DestroyLock(slot->base.lock); -+ PZ_DestroyCondVar(slot->isPresentCondition); -+ PZ_DestroyLock(slot->isPresentLock); - return nssArena_Destroy(slot->base.arena); - } - } -@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent( - nssSession *session; - CK_SLOT_INFO slotInfo; - void *epv; -+ PRBool isPresent = PR_FALSE; -+ - /* permanent slots are always present unless they're disabled */ - if (nssSlot_IsPermanent(slot)) { - return !PK11_IsDisabled(slot->pk11slot); - } -+ - /* avoid repeated calls to check token status within set interval */ -+ PZ_Lock(slot->isPresentLock); - if (within_token_delay_period(slot)) { -- return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0); -+ CK_FLAGS ckFlags = slot->ckFlags; -+ PZ_Unlock(slot->isPresentLock); -+ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); - } -+ PZ_Unlock(slot->isPresentLock); - -- /* First obtain the slot info */ -+ /* First obtain the slot epv before we set up the condition -+ * variable, so we can just return if we couldn't get it. */ - epv = slot->epv; - if (!epv) { - return PR_FALSE; - } -+ -+ /* set up condition so only one thread is active in this part of the code at a time */ -+ PZ_Lock(slot->isPresentLock); -+ while (slot->inIsPresent) { -+ PR_WaitCondVar(slot->isPresentCondition, 0); -+ } -+ /* if we were one of multiple threads here, the first thread will have -+ * given us the answer, no need to make more queries of the token. */ -+ if (within_token_delay_period(slot)) { -+ CK_FLAGS ckFlags = slot->ckFlags; -+ PZ_Unlock(slot->isPresentLock); -+ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); -+ } -+ /* this is the winning thread, block all others until we've determined -+ * if the token is present and that it needs initialization. */ -+ slot->inIsPresent = PR_TRUE; -+ PZ_Unlock(slot->isPresentLock); -+ - nssSlot_EnterMonitor(slot); - ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo); - nssSlot_ExitMonitor(slot); - if (ckrv != CKR_OK) { - slot->token->base.name[0] = 0; /* XXX */ -- slot->lastTokenPing = PR_IntervalNow(); -- return PR_FALSE; -+ isPresent = PR_FALSE; -+ goto done; - } - slot->ckFlags = slotInfo.flags; - /* check for the presence of the token */ - if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) { - if (!slot->token) { - /* token was never present */ -- slot->lastTokenPing = PR_IntervalNow(); -- return PR_FALSE; -+ isPresent = PR_FALSE; -+ goto done; - } - session = nssToken_GetDefaultSession(slot->token); - if (session) { -@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent( - slot->token->base.name[0] = 0; /* XXX */ - /* clear the token cache */ - nssToken_Remove(slot->token); -- slot->lastTokenPing = PR_IntervalNow(); -- return PR_FALSE; -+ isPresent = PR_FALSE; -+ goto done; - } - /* token is present, use the session info to determine if the card - * has been removed and reinserted. - */ - session = nssToken_GetDefaultSession(slot->token); - if (session) { -- PRBool isPresent = PR_FALSE; -+ PRBool tokenRemoved; - nssSession_EnterMonitor(session); - if (session->handle != CK_INVALID_SESSION) { - CK_SESSION_INFO sessionInfo; -@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent( - session->handle = CK_INVALID_SESSION; - } - } -- isPresent = session->handle != CK_INVALID_SESSION; -+ tokenRemoved = (session->handle == CK_INVALID_SESSION); - nssSession_ExitMonitor(session); - /* token not removed, finished */ -- if (isPresent) { -- slot->lastTokenPing = PR_IntervalNow(); -- return PR_TRUE; -+ if (!tokenRemoved) { -+ isPresent = PR_TRUE; -+ goto done; - } - } - /* the token has been removed, and reinserted, or the slot contains -@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent( - nssToken_Remove(slot->token); - /* token has been removed, need to refresh with new session */ - nssrv = nssSlot_Refresh(slot); -+ isPresent = PR_TRUE; - if (nssrv != PR_SUCCESS) { - slot->token->base.name[0] = 0; /* XXX */ - slot->ckFlags &= ~CKF_TOKEN_PRESENT; -- /* TODO: insert a barrier here to avoid reordering of the assingments */ -- slot->lastTokenPing = PR_IntervalNow(); -- return PR_FALSE; -+ isPresent = PR_FALSE; - } -+done: -+ /* Once we've set up the condition variable, -+ * Before returning, it's necessary to: -+ * 1) Set the lastTokenPing time so that any other threads waiting on this -+ * initialization and any future calls within the initialization window -+ * return the just-computed status. -+ * 2) Indicate we're complete, waking up all other threads that may still -+ * be waiting on initialization can progress. -+ */ -+ PZ_Lock(slot->isPresentLock); - slot->lastTokenPing = PR_IntervalNow(); -- return PR_TRUE; -+ slot->inIsPresent = PR_FALSE; -+ PR_NotifyAllCondVar(slot->isPresentCondition); -+ PZ_Unlock(slot->isPresentLock); -+ return isPresent; - } - - NSS_IMPLEMENT void * -@@ -229,7 +269,7 @@ nssSlot_GetToken( - - if (nssSlot_IsTokenPresent(slot)) { - /* Even if a token should be present, check `slot->token` too as it -- * might be gone already. This would happen mostly on shutdown. */ -+ * might be gone already. This would happen mostly on shutdown. */ - nssSlot_EnterMonitor(slot); - if (slot->token) - rvToken = nssToken_AddRef(slot->token); -diff --git a/lib/dev/devt.h b/lib/dev/devt.h ---- a/lib/dev/devt.h -+++ b/lib/dev/devt.h -@@ -81,6 +81,9 @@ struct NSSSlotStr { - PZLock *lock; - void *epv; - PK11SlotInfo *pk11slot; -+ PZLock *isPresentLock; -+ PRCondVar *isPresentCondition; -+ PRBool inIsPresent; - }; - - struct nssSessionStr { -diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c ---- a/lib/pk11wrap/dev3hack.c -+++ b/lib/pk11wrap/dev3hack.c -@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD - /* Grab the slot name from the PKCS#11 fixed-length buffer */ - rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena); - rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; -+ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther); -+ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock); -+ rvSlot->inIsPresent = PR_FALSE; - return rvSlot; - } - diff --git a/SOURCES/nss-lockcert-api-change.patch b/SOURCES/nss-lockcert-api-change.patch new file mode 100644 index 0000000..0eba9a4 --- /dev/null +++ b/SOURCES/nss-lockcert-api-change.patch @@ -0,0 +1,68 @@ +# HG changeset patch +# User Franziskus Kiefer +# Date 1486546862 -3600 +# Wed Feb 08 10:41:02 2017 +0100 +# Node ID 896e3eb3a79933a51886949c7adb67ef37b721c0 +# Parent a8d77070526320ad0edc7ba164ce97f10c4f7d94 +Bug 1278965 - tsan race in CERTCertificate, r=wtc,ttaubert + +diff --git a/lib/certdb/cert.h b/lib/certdb/cert.h +--- a/lib/certdb/cert.h ++++ b/lib/certdb/cert.h +@@ -1405,24 +1405,11 @@ void CERT_SetStatusConfig(CERTCertDBHand + void CERT_LockCertRefCount(CERTCertificate *cert); + + /* +- * Free the cert reference count lock ++ * Release the cert reference count lock + */ + void CERT_UnlockCertRefCount(CERTCertificate *cert); + + /* +- * Acquire the cert trust lock +- * There is currently one global lock for all certs, but I'm putting a cert +- * arg here so that it will be easy to make it per-cert in the future if +- * that turns out to be necessary. +- */ +-void CERT_LockCertTrust(const CERTCertificate *cert); +- +-/* +- * Free the cert trust lock +- */ +-void CERT_UnlockCertTrust(const CERTCertificate *cert); +- +-/* + * Digest the cert's subject public key using the specified algorithm. + * NOTE: this digests the value of the BIT STRING subjectPublicKey (excluding + * the tag, length, and number of unused bits) rather than the whole +diff --git a/lib/certdb/certi.h b/lib/certdb/certi.h +--- a/lib/certdb/certi.h ++++ b/lib/certdb/certi.h +@@ -378,14 +378,27 @@ PRUint32 cert_CountDNSPatterns(CERTGener + SECStatus cert_CheckLeafTrust(CERTCertificate* cert, SECCertUsage usage, + unsigned int* failedFlags, PRBool* isTrusted); + + /* + * Acquire the cert temp/perm lock + */ + void CERT_LockCertTempPerm(const CERTCertificate* cert); + + /* + * Release the temp/perm lock + */ + void CERT_UnlockCertTempPerm(const CERTCertificate* cert); + ++/* ++ * Acquire the cert trust lock ++ * There is currently one global lock for all certs, but I'm putting a cert ++ * arg here so that it will be easy to make it per-cert in the future if ++ * that turns out to be necessary. ++ */ ++void CERT_LockCertTrust(const CERTCertificate* cert); ++ ++/* ++ * Release the cert trust lock ++ */ ++void CERT_UnlockCertTrust(const CERTCertificate* cert); ++ + #endif /* _CERTI_H_ */ diff --git a/SOURCES/nss-modutil-skip-changepw-fips.patch b/SOURCES/nss-modutil-skip-changepw-fips.patch new file mode 100644 index 0000000..9ed2983 --- /dev/null +++ b/SOURCES/nss-modutil-skip-changepw-fips.patch @@ -0,0 +1,22 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1523546409 -7200 +# Thu Apr 12 17:20:09 2018 +0200 +# Node ID 919e116728f29263c17ec31716ac2bd04c10e9ca +# Parent 2eefd697d661efb82a77c84d893e6fbceefdf458 +Bug 1453408, modutil -changepw fails in FIPS mode if password is an empty string + +diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c +--- a/cmd/modutil/pk11.c ++++ b/cmd/modutil/pk11.c +@@ -764,6 +764,10 @@ ChangePW(char *tokenName, char *pwFile, + ret = CHANGEPW_FAILED_ERR; + goto loser; + } ++ } else if (PK11_IsFIPS() && *newpw == '\0' && PK11_CheckUserPassword(slot, newpw) == SECSuccess) { ++ /* Workaround to suppress harmless error in FIPS mode: ++ * When explicitly setting empty password while the old ++ * password is also empty, skip */ + } else { + if (PK11_ChangePW(slot, oldpw, newpw) != SECSuccess) { + PR_fprintf(PR_STDERR, errStrings[CHANGEPW_FAILED_ERR], tokenName); diff --git a/SOURCES/nss-modutil-suppress-password.patch b/SOURCES/nss-modutil-suppress-password.patch deleted file mode 100644 index 160f995..0000000 --- a/SOURCES/nss-modutil-suppress-password.patch +++ /dev/null @@ -1,20 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1510244757 -3600 -# Thu Nov 09 17:25:57 2017 +0100 -# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24 -# Parent 54be8a4501d454b2b7454e4a44ea013738e0b693 -Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie - -diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c ---- a/cmd/modutil/pk11.c -+++ b/cmd/modutil/pk11.c -@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile, - ret = BAD_PW_ERR; - goto loser; - } -- } else { -+ } else if (PK11_NeedLogin(slot)) { - for (matching = PR_FALSE; !matching;) { - oldpw = SECU_GetPasswordString(NULL, "Enter old password: "); - if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) { diff --git a/SOURCES/nss-pk12util-faulty-aes.patch b/SOURCES/nss-pk12util-faulty-aes.patch deleted file mode 100644 index c6d22cc..0000000 --- a/SOURCES/nss-pk12util-faulty-aes.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 0615bf4ad6c7e07cc1b7dee4bded01fe8974ad0b Mon Sep 17 00:00:00 2001 -From: Daiki Ueno -Date: Wed, 27 Sep 2017 11:11:10 +0200 -Subject: [PATCH] pk11wrap: Add backward compatibility with faulty PBES2 AES - schemes - ---- - lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c -index bea9333f6..5f68f399e 100644 ---- a/lib/pk11wrap/pk11pbe.c -+++ b/lib/pk11wrap/pk11pbe.c -@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) - cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); - - if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { -- length = sec_pkcs5v2_aes_key_length(cipherAlg); -+ /* Previously, the PKCS#12 files created with the old NSS -+ * releases encoded the maximum key size of AES (that is 32) -+ * in the keyLength field of PBKDF2-params. That resulted in -+ * always performing AES-256 even if AES-128-CBC or -+ * AES-192-CBC is specified in the encryptionScheme field of -+ * PBES2-params. This is wrong, but for compatibility reasons, -+ * check the keyLength field and use the value if it is 32. -+ */ -+ if (p5_param.keyLength.data != NULL) { -+ length = DER_GetInteger(&p5_param.keyLength); -+ } -+ /* If the keyLength field is present and contains a value -+ * other than 32, that means the file is created outside of -+ * NSS, which we don't care about. Note that the following -+ * also handles the case when the field is absent. */ -+ if (length != 32) { -+ length = sec_pkcs5v2_aes_key_length(cipherAlg); -+ } - } else if (p5_param.keyLength.data != NULL) { - length = DER_GetInteger(&p5_param.keyLength); - } else { --- -2.13.5 - diff --git a/SOURCES/nss-pkcs12-iterations-limit.patch b/SOURCES/nss-pkcs12-iterations-limit.patch new file mode 100644 index 0000000..8b035b8 --- /dev/null +++ b/SOURCES/nss-pkcs12-iterations-limit.patch @@ -0,0 +1,24 @@ +# HG changeset patch +# User J.C. Jones +# Date 1521824312 25200 +# Fri Mar 23 09:58:32 2018 -0700 +# Branch NSS_3_36_BRANCH +# Node ID ba3f1cc8a8e644ee6f8a763624d97e987816304d +# Parent 2355c9e3bba477c947a09a2fe8b1ed8971fab1cb +Bug 1278071 - Limit iterations for PKCS #12 export for Windows r=kaie + +Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds +or less. So for compatibility's sake, let's limit there, too. + +diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c +--- a/lib/pkcs7/p7create.c ++++ b/lib/pkcs7/p7create.c +@@ -22,7 +22,7 @@ const int NSS_PBE_DEFAULT_ITERATION_COUN + #ifdef DEBUG + 10000 + #else +- 1000000 ++ 600000 + #endif + ; + diff --git a/SOURCES/nss-pss-fixes.patch b/SOURCES/nss-pss-fixes.patch deleted file mode 100644 index 964e792..0000000 --- a/SOURCES/nss-pss-fixes.patch +++ /dev/null @@ -1,649 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1510136005 -3600 -# Wed Nov 08 11:13:25 2017 +0100 -# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62 -# Parent d515199921dd703087f7e0e03eb71058a015934d -Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt - -Reviewers: mt, rrelyea - -Reviewed By: mt - -Bug #: 1415171 - -Differential Revision: https://phabricator.services.mozilla.com/D202 - -diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c ---- a/cmd/lib/secutil.c -+++ b/cmd/lib/secutil.c -@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte - SECU_Indent(out, level + 1); - fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); - } else { -- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1); -+ SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); - } - } else { - SECU_Indent(out, level + 1); -diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c ---- a/lib/cryptohi/seckey.c -+++ b/lib/cryptohi/seckey.c -@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ - mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ - } - -- rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); -- if (rv != SECSuccess) { -- return rv; -+ if (params->saltLength.data) { -+ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); -+ if (rv != SECSuccess) { -+ return rv; -+ } -+ } else { -+ saltLength = 20; /* default, 20 */ - } - mech->sLen = saltLength; - -diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c ---- a/lib/cryptohi/secsign.c -+++ b/lib/cryptohi/secsign.c -@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * - SECKEYRSAPSSParams pssParams; - int modBytes, hashLength; - unsigned long saltLength; -+ PRBool defaultSHA1 = PR_FALSE; - SECStatus rv; - - if (key->keyType != rsaKey && key->keyType != rsaPssKey) { -@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * - if (rv != SECSuccess) { - return NULL; - } -+ defaultSHA1 = PR_TRUE; - } - - if (pssParams.trailerField.data) { -@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool * - /* Determine the hash algorithm to use, based on hashAlgTag and - * pssParams.hashAlg; there are four cases */ - if (hashAlgTag != SEC_OID_UNKNOWN) { -+ SECOidTag tag = SEC_OID_UNKNOWN; -+ - if (pssParams.hashAlg) { -- if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) { -- PORT_SetError(SEC_ERROR_INVALID_ARGS); -- return NULL; -- } -+ tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); -+ } else if (defaultSHA1) { -+ tag = SEC_OID_SHA1; -+ } -+ -+ if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return NULL; - } - } else if (hashAlgTag == SEC_OID_UNKNOWN) { - if (pssParams.hashAlg) { - hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); -+ } else if (defaultSHA1) { -+ hashAlgTag = SEC_OID_SHA1; - } else { - /* Find a suitable hash algorithm based on the NIST recommendation */ - if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ -@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool * - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); - return NULL; - } -+ } else if (defaultSHA1) { -+ if (hashAlgTag != SEC_OID_SHA1) { -+ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); -+ return NULL; -+ } - } - - hashLength = HASH_ResultLenByOidTag(hashAlgTag); -@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool * - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return NULL; - } -+ } else if (defaultSHA1) { -+ saltLength = 20; - } - - /* Fill in the parameters */ -diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh ---- a/tests/cert/cert.sh -+++ b/tests/cert/cert.sh -@@ -516,6 +516,9 @@ cert_all_CA() - cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 - rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert - -+ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" -+ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 -+ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert - - # - # Create EC version of TestCA -@@ -2054,7 +2057,7 @@ check_sign_algo() - { - certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ - sed -n '/^ *Data:/,/^$/{ --/^ Signature Algorithm/,/^ *Salt Length/s/^ //p -+/^ Signature Algorithm/,/^ *Salt length/s/^ //p - }' > ${TMP}/signalgo.txt - - diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt -@@ -2088,6 +2091,12 @@ cert_test_rsapss() - CU_ACTION="Verify RSA-PSS CA Cert" - certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" - -+ CU_ACTION="Import RSA-PSS CA Cert (SHA1)" -+ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -+ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 -+ -+ CERTSERIAL=200 -+ - # Subject certificate: RSA - # Issuer certificate: RSA - # Signature: RSA-PSS (explicit, with --pss-sign) -@@ -2098,7 +2107,7 @@ cert_test_rsapss() - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \ -+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig - Hash algorithm: SHA-256 - Mask algorithm: PKCS #1 MGF1 Mask Generation Function - Mask hash algorithm: SHA-256 -- Salt Length: 32 (0x20) -+ Salt length: 32 (0x20) - EOF - check_sign_algo - -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ - # Subject certificate: RSA - # Issuer certificate: RSA - # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) -@@ -2127,7 +2138,7 @@ EOF - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \ -+ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig - Hash algorithm: SHA-512 - Mask algorithm: PKCS #1 MGF1 Mask Generation Function - Mask hash algorithm: SHA-512 -- Salt Length: 64 (0x40) -+ Salt length: 64 (0x40) - EOF - check_sign_algo - -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ - # Subject certificate: RSA - # Issuer certificate: RSA-PSS - # Signature: RSA-PSS -@@ -2156,7 +2169,69 @@ EOF - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \ -+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 -+ -+ CU_ACTION="Import $CERTNAME's Cert" -+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -+ -i "${CERTNAME}.cert" 2>&1 -+ -+ CU_ACTION="Verify $CERTNAME's Cert" -+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" -+ cat > ${TMP}/signalgo.exp <&1 -+ -+ CU_ACTION="Sign ${CERTNAME}'s Request" -+ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 -+ -+ CU_ACTION="Import $CERTNAME's Cert" -+ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -+ -i "${CERTNAME}.cert" 2>&1 -+ -+ CU_ACTION="Verify $CERTNAME's Cert" -+ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" -+ cat > ${TMP}/signalgo.exp <&1 -+ -+ CU_ACTION="Sign ${CERTNAME}'s Request" -+ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig - Hash algorithm: SHA-256 - Mask algorithm: PKCS #1 MGF1 Mask Generation Function - Mask hash algorithm: SHA-256 -- Salt Length: 32 (0x20) -+ Salt length: 32 (0x20) - EOF - check_sign_algo - -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ - # Subject certificate: RSA-PSS -- # Issuer certificate: RSA -- # Signature: RSA-PSS (explicit, with --pss-sign) -- CERTNAME="TestUser-rsa-pss4" -+ # Issuer certificate: RSA-PSS -+ # Signature: RSA-PSS (implicit, without --pss-sign) -+ CERTNAME="TestUser-rsa-pss6" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \ -+ # Sign without --pss-sign nor -Z option -+ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig - Hash algorithm: SHA-256 - Mask algorithm: PKCS #1 MGF1 Mask Generation Function - Mask hash algorithm: SHA-256 -- Salt Length: 32 (0x20) -+ Salt length: 32 (0x20) - EOF - check_sign_algo - -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ - # Subject certificate: RSA-PSS - # Issuer certificate: RSA-PSS -- # Signature: RSA-PSS (explicit, with --pss-sign) -- CERTNAME="TestUser-rsa-pss5" -+ # Signature: RSA-PSS (with conflicting hash algorithm) -+ CERTNAME="TestUser-rsa-pss7" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" - certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \ -+ RETEXPECTED=255 -+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 -+ RETEXPECTED=0 -+ -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ -+ # Subject certificate: RSA-PSS -+ # Issuer certificate: RSA-PSS -+ # Signature: RSA-PSS (with compatible hash algorithm) -+ CERTNAME="TestUser-rsa-pss8" -+ -+ CU_ACTION="Generate Cert Request for $CERTNAME" -+ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 -+ -+ CU_ACTION="Sign ${CERTNAME}'s Request" -+ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig - Hash algorithm: SHA-256 - Mask algorithm: PKCS #1 MGF1 Mask Generation Function - Mask hash algorithm: SHA-256 -- Salt Length: 32 (0x20) -+ Salt length: 32 (0x20) - EOF - check_sign_algo - -- # Subject certificate: RSA-PSS -- # Issuer certificate: RSA-PSS -- # Signature: RSA-PSS (implicit, without --pss-sign) -- CERTNAME="TestUser-rsa-pss6" -+ CERTSERIAL=`expr $CERTSERIAL + 1` -+ -+ # Subject certificate: RSA -+ # Issuer certificate: RSA -+ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) -+ CERTNAME="TestUser-rsa-pss9" - - CU_ACTION="Generate Cert Request for $CERTNAME" - CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 -+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \ -+ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2255,39 +2354,27 @@ EOF - cat > ${TMP}/signalgo.exp <&1 -+ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 - - CU_ACTION="Sign ${CERTNAME}'s Request" -- RETEXPECTED=255 -- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \ -- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 -- RETEXPECTED=0 -- -- # Subject certificate: RSA-PSS -- # Issuer certificate: RSA-PSS -- # Signature: RSA-PSS (with compatible hash algorithm) -- CERTNAME="TestUser-rsa-pss8" -- -- CU_ACTION="Generate Cert Request for $CERTNAME" -- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" -- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 -- -- CU_ACTION="Sign ${CERTNAME}'s Request" -- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \ -+ # Sign without --pss-sign nor -Z option -+ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ - -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 - - CU_ACTION="Import $CERTNAME's Cert" -@@ -2299,12 +2386,29 @@ EOF - cat > ${TMP}/signalgo.exp <&1 -+ -+ CU_ACTION="Sign ${CERTNAME}'s Request" -+ RETEXPECTED=255 -+ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ -+ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 -+ RETEXPECTED=0 - } - - ############################## cert_cleanup ############################ -# HG changeset patch -# User Daiki Ueno -# Date 1514884761 -3600 -# Tue Jan 02 10:19:21 2018 +0100 -# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af -# Parent e577b1df8dabb31466cebad07fdbe0883290bede -Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt - -Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm. - -Reviewers: mt - -Reviewed By: mt - -Bug #: 1423557 - -Differential Revision: https://phabricator.services.mozilla.com/D322 - -diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c ---- a/lib/cryptohi/seckey.c -+++ b/lib/cryptohi/seckey.c -@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t - return CKM_SHA384; - case SEC_OID_SHA256: - return CKM_SHA256; -+ case SEC_OID_SHA224: -+ return CKM_SHA224; -+ case SEC_OID_SHA1: -+ return CKM_SHA_1; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); -- /* fallthrough */ -- case SEC_OID_SHA1: -- break; -+ return CKM_INVALID_MECHANISM; - } -- return CKM_SHA_1; - } - - static CK_RSA_PKCS_MGF_TYPE -@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag) - return CKG_MGF1_SHA384; - case SEC_OID_SHA256: - return CKG_MGF1_SHA256; -+ case SEC_OID_SHA224: -+ return CKG_MGF1_SHA224; -+ case SEC_OID_SHA1: -+ return CKG_MGF1_SHA1; - default: - PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); -- /* fallthrough */ -- case SEC_OID_SHA1: -- break; -+ return 0; - } -- return CKG_MGF1_SHA1; - } - - SECStatus -@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ - SECStatus rv = SECSuccess; - SECOidTag hashAlgTag; - unsigned long saltLength; -+ unsigned long trailerField; - - PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); - -@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ - hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */ - } - mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag); -+ if (mech->hashAlg == CKM_INVALID_MECHANISM) { -+ return SECFailure; -+ } - - if (params->maskAlg) { - SECAlgorithmID maskHashAlg; -@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ - } - maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg); - mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag); -+ if (mech->mgf == 0) { -+ return SECFailure; -+ } - } else { - mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ - } -@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ - } - mech->sLen = saltLength; - -+ if (params->trailerField.data) { -+ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField); -+ if (rv != SECSuccess) { -+ return rv; -+ } -+ if (trailerField != 1) { -+ /* the value must be 1, which represents the trailer field -+ * with hexadecimal value 0xBC */ -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ } -+ - return rv; - } -diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt -new file mode 100644 ---- /dev/null -+++ b/tests/cert/TestCA-bogus-rsa-pss1.crt -@@ -0,0 +1,26 @@ -+-----BEGIN CERTIFICATE----- -+MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA -+oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ -+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp -+biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB -+IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa -+GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp -+Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO -+U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl -+ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG -+CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB -+AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX -+yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo -+SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK -+xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07 -+/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK -+Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC -+BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow -+OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA -+ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8 -+HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba -+nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh -+pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA -+hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh -+uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA= -+-----END CERTIFICATE----- -diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt -new file mode 100644 ---- /dev/null -+++ b/tests/cert/TestCA-bogus-rsa-pss2.crt -@@ -0,0 +1,24 @@ -+-----BEGIN CERTIFICATE----- -+MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh -+GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT -+MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw -+EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT -+IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2 -+NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH -+Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T -+UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3 -+DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6 -+7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x -+Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj -+sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa -+eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu -+aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg -+hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E -+BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN -+AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY -+fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D -+difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+ -+4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2 -+g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT -+0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ== -+-----END CERTIFICATE----- -diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh ---- a/tests/cert/cert.sh -+++ b/tests/cert/cert.sh -@@ -2095,6 +2095,20 @@ cert_test_rsapss() - certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ - -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 - -+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" -+ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 -+ RETEXPECTED=255 -+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 -+ RETEXPECTED=0 -+ -+ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" -+ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ -+ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 -+ RETEXPECTED=255 -+ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 -+ RETEXPECTED=0 -+ - CERTSERIAL=200 - - # Subject certificate: RSA diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch index 7a75e50..0675959 100644 --- a/SOURCES/nss-reorder-cipher-suites-gtests.patch +++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch @@ -1,7 +1,7 @@ diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc ---- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2017-09-20 08:47:27.000000000 +0200 -+++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2017-10-06 16:41:39.223713982 +0200 -@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 +--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2018-03-05 16:58:32.000000000 +0100 ++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2018-03-09 17:29:32.985313219 +0100 +@@ -231,7 +231,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519. @@ -12,7 +12,7 @@ diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests return ssl_grp_ec_secp384r1; } return ssl_grp_ec_curve25519; -@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P( +@@ -870,20 +872,24 @@ INSTANTIATE_TEST_CASE_P( ::testing::Values(TlsAgent::kServerEcdsa256), ::testing::Values(ssl_auth_ecdsa), ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256))); @@ -39,9 +39,9 @@ diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests INSTANTIATE_TEST_CASE_P( SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration, ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, -@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P( +@@ -892,4 +898,5 @@ INSTANTIATE_TEST_CASE_P( TlsAgent::kServerEcdsa384), ::testing::Values(ssl_auth_ecdsa), ::testing::Values(ssl_sig_ecdsa_sha1))); +#endif - } + } // namespace nss_test diff --git a/SOURCES/nss-sql-default.patch b/SOURCES/nss-sql-default.patch new file mode 100644 index 0000000..fd39778 --- /dev/null +++ b/SOURCES/nss-sql-default.patch @@ -0,0 +1,42 @@ +# HG changeset patch +# User Kai Engert +# Date 1511548994 -3600 +# Fri Nov 24 19:43:14 2017 +0100 +# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4 +# Parent 807662e6ba57db5be05036511ac8634466ed473f +Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer + +--- a/tests/all.sh ++++ b/tests/all.sh +@@ -111,6 +111,8 @@ RUN_FIPS="" + ######################################################################## + run_tests() + { ++ echo "Running test cycle: ${TEST_MODE} ----------------------" ++ echo "List of tests that will be executed: ${TESTS}" + for TEST in ${TESTS} + do + # NOTE: the spaces are important. If you don't include +@@ -172,8 +174,9 @@ run_cycle_pkix() + NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"` + export -n NSS_SSL_RUN + +- # use the default format ++ # use the default format. (unset for the shell, export -n for binaries) + export -n NSS_DEFAULT_DB_TYPE ++ unset NSS_DEFAULT_DB_TYPE + + run_tests + } +diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh +--- a/tests/merge/merge.sh ++++ b/tests/merge/merge.sh +@@ -98,7 +98,7 @@ merge_init() + # are dbm databases. + if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then + save=${NSS_DEFAULT_DB_TYPE} +- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE ++ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE + fi + + certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE} diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch index ca92f83..5e3dbc7 100644 --- a/SOURCES/renegotiate-transitional.patch +++ b/SOURCES/renegotiate-transitional.patch @@ -1,12 +1,12 @@ diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.transitional 2016-08-15 17:57:58.146879056 +0200 -+++ nss/lib/ssl/sslsock.c 2016-08-15 17:58:02.365758224 +0200 -@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = { - PR_FALSE, /* noLocks */ - PR_FALSE, /* enableSessionTickets */ - PR_FALSE, /* enableDeflate */ -- 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: transitional) */ - PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ - PR_TRUE, /* cbcRandomIV */ +--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 17:21:52.593560971 +0100 ++++ nss/lib/ssl/sslsock.c 2018-03-09 17:22:21.096926523 +0100 +@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = { + .noLocks = PR_FALSE, + .enableSessionTickets = PR_FALSE, + .enableDeflate = PR_FALSE, +- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, ++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL, + .requireSafeNegotiation = PR_FALSE, + .enableFalseStart = PR_FALSE, + .cbcRandomIV = PR_TRUE, diff --git a/SPECS/nss.spec b/SPECS/nss.spec index ad8821b..984a6fe 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,9 +1,9 @@ -%global nspr_version 4.17.0 -%global nss_util_version 3.34.0 +%global nspr_version 4.19.0 +%global nss_util_version 3.36.0 %global nss_util_build -1 # adjust to the version that gets submitted for FIPS validation -%global nss_softokn_fips_version 3.34.0 -%global nss_softokn_version 3.34.0 +%global nss_softokn_fips_version 3.36.0 +%global nss_softokn_version 3.36.0 # Attention: Separate softokn versions for build and runtime. %global runtime_required_softokn_build_version -1 # Building NSS doesn't require the same version of softokn built for runtime. @@ -26,8 +26,8 @@ Summary: Network Security Services Name: nss -Version: 3.34.0 -Release: 4%{?dist} +Version: 3.36.0 +Release: 5%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -123,24 +123,21 @@ Patch130: nss-reorder-cipher-suites-gtests.patch Patch131: nss-disable-tls13-gtests.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 Patch135: nss-check-policy-file.patch +# To revert the change in: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1377940 +Patch136: nss-sql-default.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1278071 +Patch137: nss-pkcs12-iterations-limit.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1447628 +Patch138: nss-devslot-reinsert.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1453408 +Patch139: nss-modutil-skip-changepw-fips.patch # Work around for yum # https://bugzilla.redhat.com/show_bug.cgi?id=1469526 Patch141: nss-sysinit-getenv.patch - -# Patches backported from 3.35: -# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265 -Patch144: nss-pk12util-faulty-aes.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071 -Patch145: nss-increase-pkcs12-iterations.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847 -Patch146: nss-modutil-suppress-password.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361 -Patch147: nss-certutil-suppress-password.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557 -# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171 -Patch148: nss-pss-fixes.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373 -Patch149: nss-is-token-present-race.patch +# To revert the change in: +# https://hg.mozilla.org/projects/nss/rev/896e3eb3a799 +Patch142: nss-lockcert-api-change.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -244,13 +241,12 @@ pushd nss %patch130 -p1 -b .reorder-cipher-suites-gtests %patch131 -p1 -b .disable-tls13-gtests %patch135 -p1 -b .check_policy_file +%patch136 -p1 -R -b .sql-default +%patch137 -p1 -b .pkcs12-iterations-limit +%patch138 -p1 -b .devslot-reinsert +%patch139 -p1 -b .modutil-skip-changepw-fips %patch141 -p1 -b .sysinit-getenv -%patch144 -p1 -b .pk12util-faulty-aes -%patch145 -p1 -b .increase-pkcs12-iterations -%patch146 -p1 -b .suppress-modutil-password -%patch147 -p1 -b .suppress-certutil-password -%patch148 -p1 -b .pss-fixes -%patch149 -p1 -b .is-token-present-race +%patch142 -p1 -R -b .lockcert-api-change popd ######################################################### @@ -357,6 +353,8 @@ export NSS_BLTEST_NOT_AVAILABLE=1 export NSS_DISABLE_TLS_1_3=1 +export NSS_FORCE_FIPS=1 + %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm @@ -849,6 +847,24 @@ fi %changelog +* Wed Apr 18 2018 Daiki Ueno - 3.36.0-5 +- Restore CERT_LockCertTrust and CERT_UnlockCertTrust back in cert.h + +* Fri Apr 13 2018 Daiki Ueno - 3.36.0-4 +- Work around modutil -changepw error if the old and new passwords are + both empty in FIPS mode + +* Tue Mar 27 2018 Daiki Ueno - 3.36.0-3 +- Decrease the iteration count of PKCS#12 for compatibility with Windows +- Fix deadlock when a token is re-inserted while a client process is running + +* Mon Mar 12 2018 Daiki Ueno - 3.36.0-2 +- Set NSS_FORCE_FIPS=1 in %%build +- Revert the changes to tests assuming the default DB type + +* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1 +- Rebase to NSS 3.36 + * Mon Jan 15 2018 Daiki Ueno - 3.34.0-4 - Re-enable nss-is-token-present-race.patch