diff --git a/.nss.metadata b/.nss.metadata index d4c0feb..ccb2c1e 100644 --- a/.nss.metadata +++ b/.nss.metadata @@ -1,11 +1,11 @@ +66f2060c35f4e97bdfa163e8bd7cb2ef5e8125d8 SOURCES/nss-pem-20140125.tar.bz2 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db 1a4738a7fcc0bca303b47e9a24739637a9ab6640 SOURCES/TestCA.ca.cert d63e287dc5d012993221373fe14a8e1dac5eaff7 SOURCES/TestUser51.cert d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db -69c70f63ccf23ca0761e77085fd1970211cdab1e SOURCES/nss-3.15.2.tar.bz2 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db -59f95324bb4fad179498bf1ddce2ceb0ee245356 SOURCES/nss-pem-20130405.tar.bz2 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db 4019f0c1959c2b7102d470821e917e9c02551010 SOURCES/TestUser50.cert 21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert +c164fac83fcbaff010786767e2a858ca23a89a5b SOURCES/nss-3.15.4.tar.gz diff --git a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch deleted file mode 100644 index 36fbd9d..0000000 --- a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch +++ /dev/null @@ -1,406 +0,0 @@ -From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001 -From: Elio Maldonado -Date: Sat, 9 Feb 2013 17:11:00 -0500 -Subject: [PATCH] Sync up with upstream softokn changes - -- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux -- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 -- It now compiles with the NSS_3_14_3_BETA1 source ---- - mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++------------------- - 1 files changed, 82 insertions(+), 256 deletions(-) - -diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c -index 5ac4f39..3780d30 100644 ---- a/nss/lib/ckfw/pem/rsawrapr.c -+++ b/nss/lib/ckfw/pem/rsawrapr.c -@@ -46,6 +46,7 @@ - #include "sechash.h" - #include "base.h" - -+#include "lowkeyi.h" - #include "secerr.h" - - #define RSA_BLOCK_MIN_PAD_LEN 8 -@@ -54,9 +55,8 @@ - #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff - #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 - --#define OAEP_SALT_LEN 8 --#define OAEP_PAD_LEN 8 --#define OAEP_PAD_OCTET 0x00 -+/* Needed for RSA-PSS functions */ -+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; - - #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ - -@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) - return 0; - } - --static SHA1Context *SHA1_CloneContext(SHA1Context * original) --{ -- SHA1Context *clone = NULL; -- unsigned char *pBuf; -- int sha1ContextSize = SHA1_FlattenSize(original); -- SECStatus frv; -- unsigned char buf[FLAT_BUFSIZE]; -- -- PORT_Assert(sizeof buf >= sha1ContextSize); -- if (sizeof buf >= sha1ContextSize) { -- pBuf = buf; -- } else { -- pBuf = nss_ZAlloc(NULL, sha1ContextSize); -- if (!pBuf) -- goto done; -- } -- -- frv = SHA1_Flatten(original, pBuf); -- if (frv == SECSuccess) { -- clone = SHA1_Resurrect(pBuf, NULL); -- memset(pBuf, 0, sha1ContextSize); -- } -- done: -- if (pBuf != buf) -- nss_ZFreeIf(pBuf); -- return clone; -+/* Constant time comparison of a single byte. -+ * Returns 1 iff a == b, otherwise returns 0. -+ * Note: For ranges of bytes, use constantTimeCompare. -+ */ -+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { -+ unsigned char c = ~(a - b | b - a); -+ c >>= 7; -+ return c; - } - --/* -- * Modify data by XORing it with a special hash of salt. -+/* Constant time comparison of a range of bytes. -+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise -+ * returns 0. - */ --static SECStatus --oaep_xor_with_h1(unsigned char *data, unsigned int datalen, -- unsigned char *salt, unsigned int saltlen) --{ -- SHA1Context *sha1cx; -- unsigned char *dp, *dataend; -- unsigned char end_octet; -- -- sha1cx = SHA1_NewContext(); -- if (sha1cx == NULL) { -- return SECFailure; -- } -- -- /* -- * Get a hash of salt started; we will use it several times, -- * adding in a different end octet (x00, x01, x02, ...). -- */ -- SHA1_Begin(sha1cx); -- SHA1_Update(sha1cx, salt, saltlen); -- end_octet = 0; -- -- dp = data; -- dataend = data + datalen; -- -- while (dp < dataend) { -- SHA1Context *sha1cx_h1; -- unsigned int sha1len, sha1off; -- unsigned char sha1[SHA1_LENGTH]; -- -- /* -- * Create hash of (salt || end_octet) -- */ -- sha1cx_h1 = SHA1_CloneContext(sha1cx); -- SHA1_Update(sha1cx_h1, &end_octet, 1); -- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1)); -- SHA1_DestroyContext(sha1cx_h1, PR_TRUE); -- PORT_Assert(sha1len == SHA1_LENGTH); -- -- /* -- * XOR that hash with the data. -- * When we have fewer than SHA1_LENGTH octets of data -- * left to xor, use just the low-order ones of the hash. -- */ -- sha1off = 0; -- if ((dataend - dp) < SHA1_LENGTH) -- sha1off = SHA1_LENGTH - (dataend - dp); -- while (sha1off < SHA1_LENGTH) -- *dp++ ^= sha1[sha1off++]; -- -- /* -- * Bump for next hash chunk. -- */ -- end_octet++; -- } -- -- SHA1_DestroyContext(sha1cx, PR_TRUE); -- return SECSuccess; -+static unsigned char constantTimeCompare(const unsigned char *a, -+ const unsigned char *b, -+ unsigned int len) { -+ unsigned char tmp = 0; -+ unsigned int i; -+ for (i = 0; i < len; ++i, ++a, ++b) -+ tmp |= *a ^ *b; -+ return constantTimeEQ8(0x00, tmp); - } - --/* -- * Modify salt by XORing it with a special hash of data. -+/* Constant time conditional. -+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is -+ * not 0 or 1. - */ --static SECStatus --oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen, -- unsigned char *data, unsigned int datalen) -+static unsigned int constantTimeCondition(unsigned int c, -+ unsigned int a, -+ unsigned int b) - { -- unsigned char sha1[SHA1_LENGTH]; -- unsigned char *psalt, *psha1, *saltend; -- SECStatus rv; -- -- /* -- * Create a hash of data. -- */ -- rv = SHA1_HashBuf(sha1, data, datalen); -- if (rv != SECSuccess) { -- return rv; -- } -- -- /* -- * XOR the low-order octets of that hash with salt. -- */ -- PORT_Assert(saltlen <= SHA1_LENGTH); -- saltend = salt + saltlen; -- psalt = salt; -- psha1 = sha1 + SHA1_LENGTH - saltlen; -- while (psalt < saltend) { -- *psalt++ ^= *psha1++; -- } -- -- return SECSuccess; -+ return (~(c - 1) & a) | ((c - 1) & b); - } - - /* -@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - unsigned char *block; - unsigned char *bp; - int padLen; -- int i; -+ int i, j; - SECStatus rv; - - block = (unsigned char *) nss_ZAlloc(NULL, modulusLen); -@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - */ - case RSA_BlockPublic: - -- /* -- * 0x00 || BT || Pad || 0x00 || ActualData -- * 1 1 padLen 1 data->len -- * Pad is all non-zero random bytes. -- */ -- padLen = modulusLen - data->len - 3; -- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); -- if (padLen < RSA_BLOCK_MIN_PAD_LEN) { -- nss_ZFreeIf(block); -- return NULL; -- } -- for (i = 0; i < padLen; i++) { -- /* Pad with non-zero random data. */ -- do { -- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1); -- } while (rv == SECSuccess -- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET); -- if (rv != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- } -- bp += padLen; -- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; -- nsslibc_memcpy(bp, data->data, data->len); -- -- break; -- -- /* -- * Blocks intended for public-key operation, using -- * Optimal Asymmetric Encryption Padding (OAEP). -- */ -- case RSA_BlockOAEP: -- /* -- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) -- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] -- * -- * where: -- * PaddedData is "Pad1 || ActualData [|| Pad2]" -- * Salt is random data. -- * Pad1 is all zeros. -- * Pad2, if present, is random data. -- * (The "modified" fields are all the same length as the original -- * unmodified values; they are just xor'd with other values.) -- * -- * Modified1 is an XOR of PaddedData with a special octet -- * string constructed of iterated hashing of Salt (see below). -- * Modified2 is an XOR of Salt with the low-order octets of -- * the hash of Modified1 (see farther below ;-). -- * -- * Whew! -- */ -- -- -- /* -- * Salt -- */ -- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); -- if (rv != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- bp += OAEP_SALT_LEN; -- -- /* -- * Pad1 -- */ -- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); -- bp += OAEP_PAD_LEN; -- -- /* -- * Data -- */ -- nsslibc_memcpy(bp, data->data, data->len); -- bp += data->len; -- -- /* -- * Pad2 -- */ -- if (bp < (block + modulusLen)) { -- rv = RNG_GenerateGlobalRandomBytes(bp, -- block - bp + modulusLen); -- if (rv != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- } -- -- /* -- * Now we have the following: -- * 0x00 || BT || Salt || PaddedData -- * (From this point on, "Pad1 || Data [|| Pad2]" is treated -- * as the one entity PaddedData.) -- * -- * We need to turn PaddedData into Modified1. -- */ -- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, -- modulusLen - 2 - OAEP_SALT_LEN, -- block + 2, OAEP_SALT_LEN) != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- -- /* -- * Now we have: -- * 0x00 || BT || Salt || Modified1(PaddedData) -- * -- * The remaining task is to turn Salt into Modified2. -- */ -- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, -- block + 2 + OAEP_SALT_LEN, -- modulusLen - 2 - OAEP_SALT_LEN) != -- SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- -- break; -+ /* -+ * 0x00 || BT || Pad || 0x00 || ActualData -+ * 1 1 padLen 1 data->len -+ * Pad is all non-zero random bytes. -+ * -+ * Build the block left to right. -+ * Fill the entire block from Pad to the end with random bytes. -+ * Use the bytes after Pad as a supply of extra random bytes from -+ * which to find replacements for the zero bytes in Pad. -+ * If we need more than that, refill the bytes after Pad with -+ * new random bytes as necessary. -+ */ -+ padLen = modulusLen - (data->len + 3); -+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); -+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) { -+ nss_ZFreeIf (block); -+ return NULL; -+ } -+ j = modulusLen - 2; -+ rv = RNG_GenerateGlobalRandomBytes(bp, j); -+ if (rv == SECSuccess) { -+ for (i = 0; i < padLen; ) { -+ unsigned char repl; -+ /* Pad with non-zero random data. */ -+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) { -+ ++i; -+ continue; -+ } -+ if (j <= padLen) { -+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen, -+ modulusLen - (2 + padLen)); -+ if (rv != SECSuccess) -+ break; -+ j = modulusLen - 2; -+ } -+ do { -+ repl = bp[--j]; -+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen); -+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) { -+ bp[i++] = repl; -+ } -+ } -+ } -+ if (rv != SECSuccess) { -+ /*sftk_fatalError = PR_TRUE;*/ -+ nss_ZFreeIf (block); -+ return NULL; -+ } -+ bp += padLen; -+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; -+ nsslibc_memcpy(bp, data->data, data->len); -+ break; - - default: - PORT_Assert(0); -@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, - - break; - -- case RSA_BlockOAEP: -- /* -- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) -- * -- * The "2" below is the first octet + the second octet. -- * (The other fields do not contain the clear values, but are -- * the same length as the clear values.) -- */ -- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN -- + OAEP_PAD_LEN))); -- -- result->data = rsa_FormatOneBlock(modulusLen, blockType, data); -- if (result->data == NULL) { -- result->len = 0; -- return SECFailure; -- } -- result->len = modulusLen; -- -- break; -- - case RSA_BlockRaw: - /* - * Pad || ActualData --- -1.7.1 - diff --git a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch deleted file mode 100644 index 6f0e88c..0000000 --- a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch +++ /dev/null @@ -1,44 +0,0 @@ ---- nss/lib/ckfw/pem/psession.c -+++ nss/lib/ckfw/pem/psession.c -@@ -230,6 +230,7 @@ pem_mdSession_Login - unsigned int len = 0; - NSSLOWKEYPrivateKey *lpk = NULL; - PLArenaPool *arena; -+ SECItem plain; - int i; - - fwSlot = NSSCKFWToken_GetFWSlot(fwToken); -@@ -306,23 +321,27 @@ pem_mdSession_Login - lpk->keyType = NSSLOWKEYRSAKey; - prepare_low_rsa_priv_key_for_asn1(lpk); - -- nss_ZFreeIf(io->u.key.key.privateKey->data); -- io->u.key.key.privateKey->len = len - output[len - 1]; -- io->u.key.key.privateKey->data = -- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); -- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); - - /* Decode the resulting blob and see if it is a decodable DER that fits - * our private key template. If so we declare success and move on. If not - * then we return an error. - */ -+ memset(&plain, 0, sizeof(plain)); -+ plain.data = output; -+ plain.len = len - output[len - 1]; - rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate, -- io->u.key.key.privateKey); -+ &plain); - pem_DestroyPrivateKey(lpk); - arena = NULL; - if (rv != SECSuccess) - goto loser; - -+ nss_ZFreeIf(io->u.key.key.privateKey->data); -+ io->u.key.key.privateKey->len = len - output[len - 1]; -+ io->u.key.key.privateKey->data = -+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); -+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); -+ - rv = CKR_OK; - - loser: diff --git a/SOURCES/disable-ocsp-stapling-tests.patch b/SOURCES/disable-ocsp-stapling-tests.patch deleted file mode 100644 index df27c0e..0000000 --- a/SOURCES/disable-ocsp-stapling-tests.patch +++ /dev/null @@ -1,9 +0,0 @@ -diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh ---- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700 -+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700 -@@ -115,4 +115,4 @@ ocsp_stapling() - ################## main ################################################# - ocsp_init - ocsp_iopr_run --ocsp_stapling -+#ocsp_stapling diff --git a/SOURCES/document-certutil-email-option.patch b/SOURCES/document-certutil-email-option.patch deleted file mode 100644 index b9ca7e1..0000000 --- a/SOURCES/document-certutil-email-option.patch +++ /dev/null @@ -1,25 +0,0 @@ -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -204,16 +204,21 @@ If this option is not used, the validity - - - - -e - Check a certificate's signature during the process of validating a certificate. - - - -+ --email email-address -+ Specify the email address, used with the -L command option to print a single named certificate. -+ -+ -+ - -f password-file - Specify a file that will automatically supply the password to include in a certificate - or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent - unauthorized access to this file. - - - - -g keysize diff --git a/SOURCES/dont-disable-internal-module.patch b/SOURCES/dont-disable-internal-module.patch new file mode 100644 index 0000000..5d71643 --- /dev/null +++ b/SOURCES/dont-disable-internal-module.patch @@ -0,0 +1,39 @@ +diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c +--- ./nss/cmd/modutil/pk11.c.1056036 2014-02-24 15:49:00.802754246 -0800 ++++ ./nss/cmd/modutil/pk11.c 2014-02-24 15:49:00.806754285 -0800 +@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo + PK11_GetSlotName(slot), "enabled"); + } + } else { ++ if (module->internal) { ++ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR], ++ "disable", PK11_GetSlotName(slot)); ++ rv = ENABLE_FAILED_ERR; ++ goto loser; ++ } + if(! PK11_UserDisableSlot(slot)) { + PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR], + "disable", PK11_GetSlotName(slot)); +diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml +--- ./nss/doc/modutil.xml.1056036 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/doc/modutil.xml 2014-02-24 15:49:00.806754285 -0800 +@@ -86,7 +86,7 @@ + + + -disable modulename +- Disable all slots on the named module. Use the argument to disable a specific slot. ++ Disable all slots on the named module. Use the argument to disable a specific slot.The internal NSS PKCS #11 module cannot be disabled. + + + +diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c +--- ./nss/lib/dev/devtoken.c.1056036 2014-02-24 15:55:16.687529925 -0800 ++++ ./nss/lib/dev/devtoken.c 2014-02-24 15:56:15.720143547 -0800 +@@ -1438,6 +1438,7 @@ nssToken_IsPresent ( + NSSToken *token + ) + { ++ if (token == NULL) return PR_FALSE; + return nssSlot_IsTokenPresent(token->slot); + } + diff --git a/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch new file mode 100644 index 0000000..ec7d6c8 --- /dev/null +++ b/SOURCES/dont-hold-issuer-cert-handles-in-crl-cache.patch @@ -0,0 +1,123 @@ +diff -up ./nss/lib/certdb/certi.h.1034409 ./nss/lib/certdb/certi.h +--- ./nss/lib/certdb/certi.h.1034409 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/certdb/certi.h 2014-02-20 08:46:10.345136599 -0800 +@@ -116,11 +116,16 @@ struct CRLDPCacheStr { + #else + PRLock* lock; + #endif +- CERTCertificate* issuer; /* issuer cert +- XXX there may be multiple issuer certs, +- with different validity dates. Also +- need to deal with SKID/AKID . See +- bugzilla 217387, 233118 */ ++ SECItem *issuerDERCert; /* issuer DER cert. Don't hold a reference ++ to the actual cert so the trust can be ++ updated on the cert automatically. ++ XXX there may be multiple issuer certs, ++ with different validity dates. Also ++ need to deal with SKID/AKID . See ++ bugzilla 217387, 233118 */ ++ ++ CERTCertDBHandle *dbHandle; ++ + SECItem* subject; /* DER of issuer subject */ + SECItem* distributionPoint; /* DER of distribution point. This may be + NULL when distribution points aren't +@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr { + NSSRWLock* lock; + CRLDPCache** dps; + PLHashTable* distributionpoints; +- CERTCertificate* issuer; ++ CERTCertificate* issuer; /* This should be the DER Cert, not a cert handle */ + #endif + }; + +diff -up ./nss/lib/certdb/crl.c.1034409 ./nss/lib/certdb/crl.c +--- ./nss/lib/certdb/crl.c.1034409 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/certdb/crl.c 2014-02-20 08:49:30.835466687 -0800 +@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa + PORT_Free(cache->crls); + } + /* destroy the cert */ +- if (cache->issuer) ++ if (cache->issuerDERCert) + { +- CERT_DestroyCertificate(cache->issuer); ++ SECITEM_FreeItem(cache->issuerDERCert, PR_TRUE); + } + /* free the subject */ + if (cache->subject) +@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC + else + { + SECStatus signstatus = SECFailure; +- if (cache->issuer) ++ if (cache->issuerDERCert) + { +- signstatus = CERT_VerifyCRL(crlobject->crl, cache->issuer, vfdate, ++ CERTCertificate *issuer = CERT_NewTempCertificate(cache->dbHandle, ++ cache->issuerDERCert, NULL, PR_FALSE, PR_TRUE); ++ ++ if (issuer) { ++ signstatus = CERT_VerifyCRL(crlobject->crl, issuer, vfdate, + wincx); ++ CERT_DestroyCertificate(issuer); ++ } + } + if (SECSuccess != signstatus) + { +- if (!cache->issuer) ++ if (!cache->issuerDERCert) + { + /* we tried to verify without an issuer cert . This is + because this CRL came through a call to SEC_FindCrlByName. +@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL + } + + /* add issuer certificate if it was previously unavailable */ +- if (issuer && (NULL == cache->issuer) && ++ if (issuer && (NULL == cache->issuerDERCert) && + (SECSuccess == CERT_CheckCertUsage(issuer, KU_CRL_SIGN))) + { + /* if we didn't have a valid issuer cert yet, but we do now. add it */ + DPCache_LockWrite(); +- if (!cache->issuer) ++ if (!cache->issuerDERCert) + { + dirty = PR_TRUE; +- cache->issuer = CERT_DupCertificate(issuer); ++ cache->dbHandle = issuer->dbhandle; ++ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); + } + DPCache_UnlockWrite(); + } +@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL + SEC_FindCrlByName, or through manual insertion, rather than through a + certificate verification (CERT_CheckCRL) */ + +- if (cache->issuer && vfdate ) ++ if (cache->issuerDERCert && vfdate ) + { + mustunlock = PR_FALSE; + /* re-process all unverified CRLs */ +@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac + } + if (issuer) + { +- cache->issuer = CERT_DupCertificate(issuer); ++ cache->dbHandle = issuer->dbhandle; ++ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert); + } + cache->distributionPoint = SECITEM_DupItem(dp); + cache->subject = SECITEM_DupItem(subject); +diff -up ./nss/tests/chains/chains.sh.1034409 ./nss/tests/chains/chains.sh +--- ./nss/tests/chains/chains.sh.1034409 2014-02-20 08:16:34.867686934 -0800 ++++ ./nss/tests/chains/chains.sh 2014-02-20 08:34:35.149603340 -0800 +@@ -974,6 +974,7 @@ check_ocsp() + OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//") + OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/") + ++ echo "Cert = ${CERT_NICK}.cert" + echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20" + tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20 + return $? diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index 3df4927..9fb7772 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch @@ -1,6 +1,6 @@ -diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ---- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700 -+++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700 +diff -up ./nss/cmd/bltest/Makefile.iquote ./nss/cmd/bltest/Makefile +--- ./nss/cmd/bltest/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/cmd/bltest/Makefile 2014-01-18 11:31:32.277404478 -0800 @@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -9,9 +9,22 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ####################################################################### -diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ---- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700 -+++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700 +diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile +--- ./nss/cmd/httpserv/Makefile.iquote 2014-01-18 11:33:15.058108851 -0800 ++++ ./nss/cmd/httpserv/Makefile 2014-01-18 11:34:08.913478276 -0800 +@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile +--- ./nss/cmd/lib/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/cmd/lib/Makefile 2014-01-18 11:31:32.309404697 -0800 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -22,9 +35,9 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk ---- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700 -+++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700 +diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk +--- ./nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/coreconf/location.mk 2014-01-18 11:31:32.309404697 -0800 @@ -45,6 +45,10 @@ endif ifdef NSS_INCLUDE_DIR @@ -36,9 +49,9 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk endif ifndef NSS_LIB_DIR -diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ---- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700 -+++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700 +diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile +--- ./nss/lib/certhigh/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/certhigh/Makefile 2014-01-18 11:31:32.310404704 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -48,9 +61,9 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ---- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700 -+++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700 +diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile +--- ./nss/lib/cryptohi/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/cryptohi/Makefile 2014-01-18 11:31:32.310404704 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -60,3 +73,29 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile +--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/libpkix/pkix/checker/Makefile 2014-01-18 11:31:32.310404704 -0800 +@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile +--- ./nss/lib/nss/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ ./nss/lib/nss/Makefile 2014-01-18 11:31:32.310404704 -0800 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff --git a/SOURCES/nss-ecc-list-3.15.3.patch b/SOURCES/nss-ecc-list-3.15.3.patch new file mode 100644 index 0000000..6f86258 --- /dev/null +++ b/SOURCES/nss-ecc-list-3.15.3.patch @@ -0,0 +1,239 @@ +diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c +--- ./nss/cmd/modutil/pk11.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800 ++++ ./nss/cmd/modutil/pk11.c 2013-12-20 10:29:01.540726233 -0800 +@@ -7,12 +7,9 @@ + */ + + #include "modutil.h" +-/* #include "secmodti.h" */ ++#include "secmodi.h" + #include "pk11func.h" + +-static PK11DefaultArrayEntry *pk11_DefaultArray = NULL; +-static int pk11_DefaultArraySize = 0; +- + /************************************************************************* + * + * F i p s M o d e +@@ -110,32 +107,11 @@ ChkFipsMode(char *arg) + + typedef struct { + const char *name; +- const unsigned long mask; ++ unsigned long mask; + } MaskString; + +-static const MaskString mechanismStrings[] = { +- {"RSA", PUBLIC_MECH_RSA_FLAG}, +- {"DSA", PUBLIC_MECH_DSA_FLAG}, +- {"RC2", PUBLIC_MECH_RC2_FLAG}, +- {"RC4", PUBLIC_MECH_RC4_FLAG}, +- {"RC5", PUBLIC_MECH_RC5_FLAG}, +- {"DES", PUBLIC_MECH_DES_FLAG}, +- {"DH", PUBLIC_MECH_DH_FLAG}, +- {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG}, +- {"SHA1", PUBLIC_MECH_SHA1_FLAG}, +- {"MD5", PUBLIC_MECH_MD5_FLAG}, +- {"MD2", PUBLIC_MECH_MD2_FLAG}, +- {"SSL", PUBLIC_MECH_SSL_FLAG}, +- {"TLS", PUBLIC_MECH_TLS_FLAG}, +- {"AES", PUBLIC_MECH_AES_FLAG}, +- {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG}, +- {"SHA256", PUBLIC_MECH_SHA256_FLAG}, +- {"SHA512", PUBLIC_MECH_SHA512_FLAG}, +- {"RANDOM", PUBLIC_MECH_RANDOM_FLAG}, +- {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG} +-}; +-static const int numMechanismStrings = +- sizeof(mechanismStrings) / sizeof(mechanismStrings[0]); ++static MaskString *mechanismStrings = NULL; ++static int numMechanismStrings = 0; + + static const MaskString cipherStrings[] = { + {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG} +@@ -143,10 +119,83 @@ static const MaskString cipherStrings[] + static const int numCipherStrings = + sizeof(cipherStrings) / sizeof(cipherStrings[0]); + ++static PK11DefaultArrayEntry *pk11_DefaultArray = NULL; ++static int pk11_DefaultArraySize = 0; ++ ++ + /* Maximum length of a colon-separated list of all the strings in an + * array. */ + #define MAX_STRING_LIST_LEN 240 /* or less */ + ++/* ++** The same as SECMOD_InternaltoPubMechFlags ++** from nss/lib/pk11wrap/pk11util.c wich is a ++** private export and not visible to us ++*/ ++static unsigned long ++InternaltoPubMechFlags(unsigned long internalFlags) ++{ ++ unsigned long publicFlags = internalFlags; ++ ++ if (internalFlags & SECMOD_RANDOM_FLAG) { ++ publicFlags &= ~SECMOD_RANDOM_FLAG; ++ publicFlags |= PUBLIC_MECH_RANDOM_FLAG; ++ } ++ return publicFlags; ++} ++ ++ ++Error ++loadMechanismList(void) ++{ ++ int i; ++ ++ if (pk11_DefaultArray == NULL) { ++ pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); ++ if (pk11_DefaultArray == NULL) { ++ /* should assert. This shouldn't happen */ ++ return UNSPECIFIED_ERR; ++ } ++ } ++ if (mechanismStrings != NULL) { ++ PR_Free(mechanismStrings); ++ } ++ ++ /* build the mechanismStrings array */ ++ mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) ); ++ if (mechanismStrings == NULL) { ++ return OUT_OF_MEM_ERR; ++ } ++ numMechanismStrings = pk11_DefaultArraySize; ++ for (i = 0; i < numMechanismStrings; i++) { ++ char *name = pk11_DefaultArray[i].name; ++ unsigned long flag = pk11_DefaultArray[i].flag; ++ /* map new name to old */ ++ switch (flag) { ++ case SECMOD_FORTEZZA_FLAG: ++ name = "FORTEZZA"; ++ break; ++ case SECMOD_SHA1_FLAG: ++ name = "SHA1"; ++ break; ++ case SECMOD_CAMELLIA_FLAG: ++ name = "CAMELLIA"; ++ break; ++ case SECMOD_RANDOM_FLAG: ++ name = "RANDOM"; ++ break; ++ case SECMOD_FRIENDLY_FLAG: ++ name = "FRIENDLY"; ++ break; ++ default: ++ break; ++ } ++ mechanismStrings[i].name = name; ++ mechanismStrings[i].mask = InternaltoPubMechFlags(flag); ++ } ++ return SUCCESS; ++} ++ + /************************************************************************ + * + * g e t F l a g s F r o m S t r i n g +@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil + unsigned long ciphers; + unsigned long mechanisms; + SECStatus status; ++ Error rv; ++ ++ rv = loadMechanismList(); ++ if (rv != SUCCESS) { ++ return rv; ++ } + + mechanisms = + getFlagsFromString(mechanismString, mechanismStrings, +@@ -493,6 +548,11 @@ ListModule(char *moduleName) + return SUCCESS; + } + ++ rv = loadMechanismList(); ++ if (rv != SUCCESS) { ++ return rv; ++ } ++ + module = SECMOD_FindModule(moduleName); + if(!module) { + PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); +@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char + SECMODModule *module = NULL; + PK11SlotInfo *slot; + int s, i; +- unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings, +- numMechanismStrings); ++ unsigned long mechFlags; + PRBool found = PR_FALSE; +- Error errcode = UNSPECIFIED_ERR; ++ Error errcode; + +- if (pk11_DefaultArray == NULL) { +- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); +- if (pk11_DefaultArray == NULL) { +- /* should assert. This shouldn't happen */ +- goto loser; +- } ++ errcode = loadMechanismList(); ++ if (errcode != SUCCESS) { ++ return errcode; + } ++ errcode = UNSPECIFIED_ERR; + ++ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, ++ numMechanismStrings); + mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); + + module = SECMOD_FindModule(moduleName); +@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha + SECMODModule * module = NULL; + PK11SlotInfo *slot; + int s, i; +- unsigned long mechFlags = getFlagsFromString(mechanisms, +- mechanismStrings, numMechanismStrings); ++ unsigned long mechFlags; + PRBool found = PR_FALSE; + Error rv; + +- if (pk11_DefaultArray == NULL) { +- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); +- if (pk11_DefaultArray == NULL) { +- /* should assert. This shouldn't happen */ +- rv = UNSPECIFIED_ERR; +- goto loser; +- } ++ rv = loadMechanismList(); ++ if (rv != SUCCESS) { ++ return rv; + } + ++ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, ++ numMechanismStrings); + mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); + + module = SECMOD_FindModule(moduleName); +diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c +--- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800 ++++ ./nss/lib/pk11wrap/pk11slot.c 2013-12-20 10:29:55.756109883 -0800 +@@ -32,6 +32,7 @@ + PK11DefaultArrayEntry PK11_DefaultArray[] = { + { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, + { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, ++ { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, + { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, + { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, + { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, +diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h +--- ./nss/lib/pk11wrap/secmod.h.ecc-lists 2013-11-09 09:23:30.000000000 -0800 ++++ ./nss/lib/pk11wrap/secmod.h 2013-12-20 10:26:20.881585723 -0800 +@@ -28,6 +28,7 @@ + #define PUBLIC_MECH_SHA512_FLAG 0x00008000ul + #define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul + #define PUBLIC_MECH_SEED_FLAG 0x00020000ul ++#define PUBLIC_MECH_ECC_FLAG 0x00040000ul + + #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul + #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml index bca4bfa..5b9827f 100644 --- a/SOURCES/setup-nsssysinit.xml +++ b/SOURCES/setup-nsssysinit.xml @@ -55,7 +55,7 @@ - count + returns whether nss-syinit is enabled or not. @@ -67,13 +67,13 @@ The following example will query for the status of nss-sysinit: - /usr/bin/setup-nsssysinit --status + /usr/bin/setup-nsssysinit status The following example, when run as superuser, will turn on nss-sysinit: - /usr/bin/setup-nsssysinit --on + /usr/bin/setup-nsssysinit on @@ -81,7 +81,7 @@ Files - /usr/sbin/setup-nsssysinit + /usr/bin/setup-nsssysinit diff --git a/SPECS/nss.spec b/SPECS/nss.spec index fffec65..0dc3202 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -1,7 +1,7 @@ -%global nspr_version 4.10 -%global nss_util_version 3.15.2 -%global nss_softokn_fips_version 3.12.9 -%global nss_softokn_version 3.15.2 +%global nspr_version 4.10.2 +%global nss_util_version 3.15.4 +%global nss_softokn_fips_version 3.13.4 +%global nss_softokn_version 3.15.4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -19,8 +19,8 @@ Summary: Network Security Services Name: nss -Version: 3.15.2 -Release: 8%{?dist} +Version: 3.15.4 +Release: 6%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -47,7 +47,7 @@ BuildRequires: perl %{!?nss_ckbi_suffix:%define full_nss_version %{version}} %{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}} -Source0: %{name}-%{full_nss_version}.tar.bz2 +Source0: %{name}-%{full_nss_version}.tar.gz Source1: nss.pc.in Source2: nss-config.in Source3: blank-cert8.db @@ -58,7 +58,7 @@ Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh Source10: PayPalEE.cert -Source12: %{name}-pem-20130405.tar.bz2 +Source12: %{name}-pem-20140125.tar.bz2 Source17: TestCA.ca.cert Source18: TestUser50.cert Source19: TestUser51.cert @@ -81,25 +81,29 @@ Patch18: nss-646045.patch Patch25: nsspem-use-system-freebl.patch # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch -Patch44: 0001-sync-up-with-upstream-softokn-changes.patch -Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch -# The ocsp stapling tests currently require access to the -# kuix.de test server but koji forbids outbount connections -Patch46: disable-ocsp-stapling-tests.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 Patch48: nss-versus-softoken-tests.patch # TODO remove when we switch to building nss without softoken Patch49: nss-skip-bltest-and-fipstest.patch +# This patch uses the gcc-iquote dir option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to place the in-tree directories at the head of the list of list of directories +# to be searched for for header files. This ensures a build even when system +# headers are older. Such is the case when starting an update with API changes or even private export changes. +# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. Patch50: iquote.patch Patch52: Bug-1001841-disable-sslv2-libssl.patch Patch53: Bug-1001841-disable-sslv2-tests.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001 -Patch54: document-certutil-email-option.patch Patch55: enable-fips-when-system-is-in-fips-mode.patch # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677 Patch56: p-ignore-setpolicy.patch +Patch61: nss-ecc-list-3.15.3.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684 +Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673 +Patch63: dont-disable-internal-module.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -184,22 +188,19 @@ low level services. # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl %patch40 -p0 -b .noocsptest -%patch44 -p1 -b .syncupwithupstream -%patch45 -p0 -b .notrash -%patch46 -p0 -b .skipoutbound %patch47 -p0 -b .templates %patch48 -p0 -b .crypto %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote %patch52 -p0 -b .disableSSL2 %patch53 -p0 -b .disableSSL2 -pushd nss -%patch54 -p1 -b .948495 -popd %patch55 -p0 -b .852023 pushd nss %patch56 -p1 -b .1026677 popd +%patch61 -p0 -b .ecc-lists +%patch62 -p0 -b .1034409 +%patch63 -p0 -b .1056036 ######################################################### # Higher-level libraries and test tools need access to @@ -542,7 +543,7 @@ done %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config # Copy the pkcs #11 configuration script %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh -# install a symbolic link top it, without the ".sh" suffix, +# install a symbolic link to it, without the ".sh" suffix, # that matches the man page documentation ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit @@ -602,17 +603,17 @@ fi /sbin/ldconfig %posttrans -# An earlier version of this package had an incorrect %postun script (3.14.3-9). -# (The incorrect %postun always called "update-alternatives --remove", +# An earlier version of this package had an incorrect %%postun script (3.14.3-9). +# (The incorrect %%postun always called "update-alternatives --remove", # because it incorrectly assumed that test -f returns false for symbolic links.) # The only possible remedy to fix the mistake that "always removes on upgrade" -# made by the older %postun script, is to repair it in %posttrans of the new package. +# made by the older %%postun script, is to repair it in %%posttrans of the new package. # Strategy: -# %posttrans is never called when uninstalling. -# %posttrans is only called when installing or upgrading a package. -# Because %posttrans is the very last action of a package install, -# %{_libdir}/libnssckbi.so must exist. -# If it does not, it's the result of the incorrect removal from a broken %postun. +# %%posttrans is never called when uninstalling. +# %%posttrans is only called when installing or upgrading a package. +# Because %%posttrans is the very last action of a package install, +# %%{_libdir}/libnssckbi.so must exist. +# If it does not, it's the result of the incorrect removal from a broken %%postun. # In this case, we repeat installation of the alternatives link. if ! test -e %{_libdir}/libnssckbi.so; then %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ @@ -632,20 +633,19 @@ fi %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db -%attr(0644,root,root) %doc /usr/share/man/man5/* +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt %attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %files sysinit %defattr(-,root,root) %{_libdir}/libnsssysinit.so -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt -%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %{_bindir}/setup-nsssysinit.sh # symbolic link to setup-nsssysinit.sh %{_bindir}/setup-nsssysinit @@ -672,7 +672,7 @@ fi %{unsupported_tools_directory}/tstclnt %{unsupported_tools_directory}/vfyserv %{unsupported_tools_directory}/vfychain -# instead of %{_mandir}/man*/* let's list them explicitely +# instead of %%{_mandir}/man*/* let's list them explicitely # supported tools %attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz %attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz @@ -763,6 +763,81 @@ fi %changelog +* Mon Mar 03 2014 Elio Maldonado - 3.15.4-6 +- Disallow disabling the internal module +- Resolves: Bug 1056036 - nss segfaults with opencryptoki module + +* Thu Feb 20 2014 Elio Maldonado - 3.15.4-5 +- Pick up a fix from rhel-6 and fix an rpm conflict +- Don't hold issuer cert handles in crl cache +- Resolves: Bug 1034409 - deadlock in trust domain and object lock +- Move nss shared db files to the main package +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4 +- Update pem sources to latest from nss-pem upstream +- Pick up pem module fixes verified on RHEL and applied upstream +- Remove no loger needed pem patches on acccount on this update +- Add comments documenting the iquote.patch +- Resolves: Bug 1054457 - CVE-2013-1740 + +* Sun Jan 26 2014 Elio Maldonado - 3.15.4-3 +- Remove spurious man5 wildcard entry as all manpages are listed by name +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Fri Jan 24 2014 Daniel Mach - 3.15.4-2 +- Mass rebuild 2014-01-24 + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-9 +- Rebase to nss-3.15.4 +- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue +- Remove no longer needed patches for manpages that were applied upstream +- Remove no longer needed patch to disable ocsp stapling tests +- Update iquote.patch on account of upstream changes +- Update and rename patch to pem/rsawrapr.c on account of upstream changes +- Use the pristine upstream sources for nss without repackaging +- Avoid unneeded manual step which may introduce errors + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-8 +- Fix the spec file to apply the nss ecc list patch for bug 752980 +- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc + +* Fri Jan 17 2014 Elio Maldonado - 3.15.3-7 +- Move several nss-sysinit manpages tar archives to the %%files +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Fri Jan 17 2014 Elio Maldonado - 3.15.3-6 +- Fix a coverity scan compile time warning for the pem module +- Resolves: Bug 1002271 - NSS pem module should not require unique base file names + +* Wed Jan 15 2014 Elio Maldonado - 3.15.3-5 +- Resolves: Bug 1002271 - NSS pem module should not require unique base file names + +* Thu Jan 09 2014 Elio Maldonado - 3.15.3-4 +- Improve pluggable ECC support for ECDSA +- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package + +* Fri Dec 27 2013 Daniel Mach - 3.15.3-3 +- Mass rebuild 2013-12-27 + +* Thu Dec 12 2013 Elio Maldonado - 3.15.3-2 +- Revoke trust in one mis-issued anssi certificate +- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0] + +* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 + +* Wed Nov 13 2013 Elio Maldonado - 3.15.2-10 +- Fix path to script and remove -- from some options in nss-sysinit man page +- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws + +* Tue Nov 12 2013 Elio Maldonado - 3.15.2-9 +- Fix certutil man page options names to be consistent with help +- Resolves: rhbz#948495 - man page scan results for nss +- Remove incorrect count argument in status description in nss-sysinit man page +- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions + * Wed Nov 06 2013 Elio Maldonado - 3.15.2-8 - Fix patch for disabling ssl2 in ssl to correctly set error code - Fix syntax error reported in the build.log even tough it succeeds