diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7286e8d --- /dev/null +++ b/.gitignore @@ -0,0 +1,16 @@ +SOURCES/PayPalEE.cert +SOURCES/PayPalICA.cert +SOURCES/TestOldCA.p12 +SOURCES/blank-cert8.db +SOURCES/blank-cert9.db +SOURCES/blank-key3.db +SOURCES/blank-key4.db +SOURCES/blank-secmod.db +SOURCES/cert8.db.xml +SOURCES/cert9.db.xml +SOURCES/key3.db.xml +SOURCES/key4.db.xml +SOURCES/nss-3.34.0.tar.gz +SOURCES/nss-config.xml +SOURCES/secmod.db.xml +SOURCES/setup-nsssysinit.xml diff --git a/.nss.metadata b/.nss.metadata new file mode 100644 index 0000000..7b7738a --- /dev/null +++ b/.nss.metadata @@ -0,0 +1,16 @@ +83025bf9062b026aae49ef8775c6432507159bca SOURCES/PayPalEE.cert +a031c46782e6e6c662c2c87c76da9aa62ccabd8e SOURCES/PayPalICA.cert +706c3f929a1e7eca473be12fcd92620709fdada6 SOURCES/TestOldCA.p12 +d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db +b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db +7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db +f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db +bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db +6a43a6788fff0f2a967051209adbd354fad4c346 SOURCES/cert8.db.xml +7cbb7841b1aefe52534704bf2a4358bfea1aa477 SOURCES/cert9.db.xml +24c123810543ff0f6848647d6d910744e275fb01 SOURCES/key3.db.xml +af51b16a56fda1f7525a0eed3ecbdcbb4133be0c SOURCES/key4.db.xml +01388dc47540744bb4b3c32cd8b77f1e770c4661 SOURCES/nss-3.34.0.tar.gz +2905c9b06e7e686c9e3c0b5736a218766d4ae4c2 SOURCES/nss-config.xml +ca9ebf79c1437169a02527c18b1e3909943c4be9 SOURCES/secmod.db.xml +bcbe05281b38d843273f91ae3f9f19f70c7d97b3 SOURCES/setup-nsssysinit.xml diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch new file mode 100644 index 0000000..527b312 --- /dev/null +++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch @@ -0,0 +1,26 @@ +diff -up nss/lib/ssl/config.mk.disableSSL2libssl nss/lib/ssl/config.mk +--- nss/lib/ssl/config.mk.disableSSL2libssl 2017-01-04 15:24:24.000000000 +0100 ++++ nss/lib/ssl/config.mk 2017-01-16 10:53:47.629894929 +0100 +@@ -69,3 +69,8 @@ endif + ifdef NSS_DISABLE_TLS_1_3 + DEFINES += -DNSS_DISABLE_TLS_1_3 + endif ++ ++ifdef NSS_NO_SSL2 ++DEFINES += -DNSS_NO_SSL2 ++endif ++ +diff -up nss/lib/ssl/sslsock.c.disableSSL2libssl nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.disableSSL2libssl 2017-01-16 10:53:47.615895344 +0100 ++++ nss/lib/ssl/sslsock.c 2017-01-16 10:54:16.088051233 +0100 +@@ -1221,6 +1221,10 @@ SSL_OptionSetDefault(PRInt32 which, PRBo + static PRBool + ssl_IsRemovedCipherSuite(PRInt32 suite) + { ++#ifdef NSS_NO_SSL2 ++ if (SSL_IS_SSL2_CIPHER(suite)) ++ return PR_TRUE; ++#endif /* NSS_NO_SSL2 */ + switch (suite) { + case SSL_FORTEZZA_DMS_WITH_NULL_SHA: + case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch new file mode 100644 index 0000000..40e3e6d --- /dev/null +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -0,0 +1,65 @@ +diff -up nss/tests/ssl/ssl.sh.disableSSL2tests nss/tests/ssl/ssl.sh +--- nss/tests/ssl/ssl.sh.disableSSL2tests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/tests/ssl/ssl.sh 2017-10-06 16:19:10.812108552 +0200 +@@ -69,8 +69,14 @@ ssl_init() + + # Test case files + SSLCOV=${QADIR}/ssl/sslcov.txt ++ if [ "${NSS_NO_SSL2}" = "1" ]; then ++ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt ++ else ++ SSLCOV=${QADIR}/ssl/sslcov.txt ++ SSLSTRESS=${QADIR}/ssl/sslstress.txt ++ fi + SSLAUTH=${QADIR}/ssl/sslauth.txt +- SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt + REQUEST_FILE=${QADIR}/ssl/sslreq.dat + +@@ -128,7 +134,11 @@ is_selfserv_alive() + fi + + echo "kill -0 ${PID} >/dev/null 2>/dev/null" ++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then ++ echo "No server to kill" ++ else + kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" ++ fi + + echo "selfserv with PID ${PID} found at `date`" + } +@@ -152,7 +162,11 @@ wait_for_selfserv() + ${BINDIR}/tstclnt -4 -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ + -d ${P_R_CLIENTDIR} $verbose < ${REQUEST_FILE} + if [ $? -ne 0 ]; then ++ if [ "${NSS_NO_SSL2}" = "1" ] && [[ ${EXP} -eq 0 || ${SSL2} -eq 0 ]]; then ++ html_passed "Server never started" ++ else + html_failed "Waiting for Server" ++ fi + fi + fi + is_selfserv_alive +@@ -275,7 +289,7 @@ ssl_cov() + start_selfserv # Launch the server + + VMIN="ssl3" +- VMAX="tls1.1" ++ VMAX="tls1.2" + + ignore_blank_lines ${SSLCOV} | \ + while read ectype testmax param testname +@@ -283,6 +297,12 @@ ssl_cov() + echo "${testname}" | grep "EXPORT" > /dev/null + EXP=$? + ++ # skip export tests ++ if [ ${EXP} -eq 0 ]; then ++ echo "export test skipped" ++ continue ++ fi ++ + if [ "$ectype" = "ECC" ] ; then + echo "$SCRIPTNAME: skipping $testname (ECC only)" + else diff --git a/SOURCES/PayPalRootCA.cert b/SOURCES/PayPalRootCA.cert new file mode 100644 index 0000000..dae0196 Binary files /dev/null and b/SOURCES/PayPalRootCA.cert differ diff --git a/SOURCES/TestCA.ca.cert b/SOURCES/TestCA.ca.cert new file mode 100644 index 0000000..929b793 Binary files /dev/null and b/SOURCES/TestCA.ca.cert differ diff --git a/SOURCES/TestUser50.cert b/SOURCES/TestUser50.cert new file mode 100644 index 0000000..ed71727 Binary files /dev/null and b/SOURCES/TestUser50.cert differ diff --git a/SOURCES/TestUser51.cert b/SOURCES/TestUser51.cert new file mode 100644 index 0000000..1b45db2 Binary files /dev/null and b/SOURCES/TestUser51.cert differ diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch new file mode 100644 index 0000000..7ab9db1 --- /dev/null +++ b/SOURCES/add-relro-linker-option.patch @@ -0,0 +1,16 @@ +diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk +--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700 ++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700 +@@ -174,6 +174,12 @@ endif + endif + endif + ++# harden DSOs/executables a bit against exploits ++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE)))) ++DSO_LDOPTS+=-Wl,-z,relro ++LDFLAGS += -Wl,-z,relro ++endif ++ + USE_SYSTEM_ZLIB = 1 + ZLIB_LIBS = -lz + diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch new file mode 100644 index 0000000..72c0cb4 --- /dev/null +++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch @@ -0,0 +1,79 @@ +diff -up nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2017-01-13 17:04:52.968903200 +0100 +@@ -672,6 +672,10 @@ SECMOD_CreateModuleEx(const char *librar + + mod->internal = NSSUTIL_ArgHasFlag("flags", "internal", nssc); + mod->isFIPS = NSSUTIL_ArgHasFlag("flags", "FIPS", nssc); ++ /* if the system FIPS mode is enabled, force FIPS to be on */ ++ if (SECMOD_GetSystemFIPSEnabled()) { ++ mod->isFIPS = PR_TRUE; ++ } + mod->isCritical = NSSUTIL_ArgHasFlag("flags", "critical", nssc); + slotParams = NSSUTIL_ArgGetParamValue("slotParams", nssc); + mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena, slotParams, +diff -up nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/pk11util.c 2017-01-13 17:06:24.171723872 +0100 +@@ -94,6 +94,26 @@ SECMOD_Shutdown() + return SECSuccess; + } + ++int SECMOD_GetSystemFIPSEnabled(void) { ++#ifdef LINUX ++ FILE *f; ++ char d; ++ size_t size; ++ ++ f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (!f) ++ return 0; ++ ++ size = fread(&d, 1, 1, f); ++ fclose(f); ++ if (size != 1) ++ return 0; ++ if (d == '1') ++ return 1; ++#endif ++ return 0; ++} ++ + /* + * retrieve the internal module + */ +@@ -427,7 +447,7 @@ SECMOD_DeleteInternalModule(const char * + SECMODModuleList **mlpp; + SECStatus rv = SECFailure; + +- if (pendingModule) { ++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) { + PORT_SetError(SEC_ERROR_MODULE_STUCK); + return rv; + } +@@ -902,7 +922,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis + PRBool + SECMOD_CanDeleteInternalModule(void) + { +- return (PRBool)(pendingModule == NULL); ++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); + } + + /* +diff -up nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode nss/lib/pk11wrap/secmodi.h +--- nss/lib/pk11wrap/secmodi.h.852023_enable_fips_when_in_fips_mode 2017-01-13 17:01:05.278296965 +0100 ++++ nss/lib/pk11wrap/secmodi.h 2017-01-13 17:07:08.897624098 +0100 +@@ -115,6 +115,13 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd + CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, + SECItem **param, SECItem *pwd, PRBool faulty3DES); + ++/* Get the state of the system FIPS mode */ ++/* NSS uses this to force FIPS mode if the system bit is on. Applications which ++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or ++ * from FIPS mode will automatically be told that they can't swith out of FIPS ++ * mode */ ++int SECMOD_GetSystemFIPSEnabled(); ++ + extern void pk11sdr_Init(void); + extern void pk11sdr_Shutdown(void); + diff --git a/SOURCES/fix-min-library-version-in-SSLVersionRange.patch b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch new file mode 100644 index 0000000..00facbf --- /dev/null +++ b/SOURCES/fix-min-library-version-in-SSLVersionRange.patch @@ -0,0 +1,12 @@ +diff -up ./lib/ssl/sslsock.c.1171318 ./lib/ssl/sslsock.c +--- ./lib/ssl/sslsock.c.1171318 2016-02-04 10:57:08.489310227 -0800 ++++ ./lib/ssl/sslsock.c 2016-02-04 11:02:59.290818001 -0800 +@@ -92,7 +92,7 @@ static sslOptions ssl_defaults = { + * default range of enabled SSL/TLS protocols + */ + static SSLVersionRange versions_defaults_stream = { +- SSL_LIBRARY_VERSION_TLS_1_0, ++ SSL_LIBRARY_VERSION_3_0, + SSL_LIBRARY_VERSION_TLS_1_2 + }; + diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch new file mode 100644 index 0000000..4908c00 --- /dev/null +++ b/SOURCES/iquote.patch @@ -0,0 +1,228 @@ +diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile +--- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile +--- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile +--- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile +--- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile +--- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200 ++++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile +--- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile +--- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200 +@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile +--- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile +--- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + ####################################################################### + + #include ../platlibs.mk ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile +--- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + ####################################################################### + + #include ../platlibs.mk ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk +--- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200 +@@ -45,6 +45,10 @@ endif + + ifdef NSS_INCLUDE_DIR + INCLUDES += -I$(NSS_INCLUDE_DIR) ++ ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss ++ INCLUDES += -iquote $(DIST)/../private/nss ++ endif + endif + + ifndef NSS_LIB_DIR +diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile +--- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200 +@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile +--- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile +--- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile +--- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile +--- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile +--- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200 ++++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200 +@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile +--- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 ++++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200 +@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss + + + ####################################################################### diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch new file mode 100644 index 0000000..3347ee9 --- /dev/null +++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch @@ -0,0 +1,11 @@ +diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios +--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700 ++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700 +@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg + realcerts.cfg + dsa.cfg + revoc.cfg +-ocsp.cfg + crldp.cfg + trustanchors.cfg + nameconstraints.cfg diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch new file mode 100644 index 0000000..f5db089 --- /dev/null +++ b/SOURCES/nss-539183.patch @@ -0,0 +1,44 @@ +diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c +--- nss/cmd/httpserv/httpserv.c.539183 2016-08-15 17:58:41.756630037 +0200 ++++ nss/cmd/httpserv/httpserv.c 2016-08-15 18:04:13.559131620 +0200 +@@ -976,13 +976,13 @@ getBoundListenSocket(unsigned short port + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; +diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c +--- nss/cmd/selfserv/selfserv.c.539183 2016-08-15 17:58:41.756630037 +0200 ++++ nss/cmd/selfserv/selfserv.c 2016-08-15 18:05:11.027487891 +0200 +@@ -1731,13 +1731,13 @@ getBoundListenSocket(unsigned short port + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; diff --git a/SOURCES/nss-certutil-suppress-password.patch b/SOURCES/nss-certutil-suppress-password.patch new file mode 100644 index 0000000..985ac21 --- /dev/null +++ b/SOURCES/nss-certutil-suppress-password.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1513770602 -3600 +# Wed Dec 20 12:50:02 2017 +0100 +# Node ID 29b2a346746fb03316cf97c8c7b0837b714c255b +# Parent 5a14f42384eb22b67e0465949c03555eff41e4af +Bug 1426361, certutil: check CKF_LOGIN_REQUIRED as well as CKF_USER_PIN_INITIALIZED, r=rrelyea + +diff --git a/cmd/certutil/certutil.c b/cmd/certutil/certutil.c +--- a/cmd/certutil/certutil.c ++++ b/cmd/certutil/certutil.c +@@ -3171,7 +3171,7 @@ certutil_main(int argc, char **argv, PRB + certutil.commands[cmd_CreateAndAddCert].activated || + certutil.commands[cmd_AddCert].activated || + certutil.commands[cmd_AddEmailCert].activated) { +- if (PK11_NeedUserInit(slot)) { ++ if (PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { + char *password = NULL; + /* fetch the password from the command line or the file + * if no password is supplied, initialize the password to NULL */ diff --git a/SOURCES/nss-check-policy-file.patch b/SOURCES/nss-check-policy-file.patch new file mode 100644 index 0000000..898ffef --- /dev/null +++ b/SOURCES/nss-check-policy-file.patch @@ -0,0 +1,49 @@ +diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-02-28 10:49:53.811343156 +0100 ++++ nss/lib/pk11wrap/pk11pars.c 2017-02-28 10:59:41.178647490 +0100 +@@ -109,6 +109,7 @@ secmod_NewModule(void) + *other flags are set */ + #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02 + #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04 ++#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08 + + /* private flags for internal (field in SECMODModule). */ + /* The meaing of these flags is as follows: +@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar + if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) { + flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB; + } ++ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) { ++ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY; ++ } + /* additional moduleDB flags could be added here in the future */ + mod->isModuleDB = (PRBool)flags; + } +@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule + } + + PRBool ++secmod_PolicyOnly(SECMODModule *mod) ++{ ++ char flags = (char) mod->isModuleDB; ++ ++ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE; ++} ++ ++PRBool + secmod_IsInternalKeySlot(SECMODModule *mod) + { + char flags = (char)mod->internal; +@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM + if (!module) { + goto loser; + } ++ ++ /* a policy only stanza doesn't actually get 'loaded'. policy has already ++ * been parsed as a side effect of the CreateModuleEx call */ ++ if (secmod_PolicyOnly(module)) { ++ return module; ++ } + if (parent) { + module->parent = SECMOD_ReferenceModule(parent); + if (module->internal && secmod_IsInternalKeySlot(parent)) { diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in new file mode 100644 index 0000000..f8f893e --- /dev/null +++ b/SOURCES/nss-config.in @@ -0,0 +1,145 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_ssl=yes +lib_smime=yes +lib_nss=yes +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + ssl) + lib_ssl=yes + ;; + smime) + lib_smime=yes + ;; + nss) + lib_nss=yes + ;; + nssutil) + lib_nssutil=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_ssl"; then + libdirs="$libdirs -lssl${major_version}" + fi + if test -n "$lib_smime"; then + libdirs="$libdirs -lsmime${major_version}" + fi + if test -n "$lib_nss"; then + libdirs="$libdirs -lnss${major_version}" + fi + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/SOURCES/nss-disable-cipher-suites.patch b/SOURCES/nss-disable-cipher-suites.patch new file mode 100644 index 0000000..b593479 --- /dev/null +++ b/SOURCES/nss-disable-cipher-suites.patch @@ -0,0 +1,27 @@ +diff -up nss/lib/ssl/ssl3con.c.disable-cipher-suites nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.disable-cipher-suites 2017-04-26 11:53:57.980039632 +0200 ++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:55:56.374264466 +0200 +@@ -97,7 +97,10 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 is disabled by default. ++ * The GCM variant is preferred for new applications. ++ */ ++ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -106,7 +109,10 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ /* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is disabled by default. ++ * The GCM variant is preferred for new applications. ++ */ ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, diff --git a/SOURCES/nss-disable-tls13-gtests.patch b/SOURCES/nss-disable-tls13-gtests.patch new file mode 100644 index 0000000..cc7b661 --- /dev/null +++ b/SOURCES/nss-disable-tls13-gtests.patch @@ -0,0 +1,12 @@ +diff -up nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests nss/gtests/ssl_gtest/ssl_skip_unittest.cc +--- nss/gtests/ssl_gtest/ssl_skip_unittest.cc.disable-tls13-gtests 2017-10-16 17:13:51.798825185 +0200 ++++ nss/gtests/ssl_gtest/ssl_skip_unittest.cc 2017-10-16 17:14:08.238496409 +0200 +@@ -234,6 +234,8 @@ INSTANTIATE_TEST_CASE_P( + INSTANTIATE_TEST_CASE_P(SkipVariants, TlsSkipTest, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, + TlsConnectTestBase::kTlsV11V12)); ++#if 0 + INSTANTIATE_TEST_CASE_P(Skip13Variants, Tls13SkipTest, + TlsConnectTestBase::kTlsVariantsAll); ++#endif + } // namespace nss_test diff --git a/SOURCES/nss-enable-cipher-suites.patch b/SOURCES/nss-enable-cipher-suites.patch new file mode 100644 index 0000000..0e6aabd --- /dev/null +++ b/SOURCES/nss-enable-cipher-suites.patch @@ -0,0 +1,39 @@ +diff -up nss/lib/ssl/ssl3con.c.enable-cipher-suites nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.enable-cipher-suites 2017-02-20 16:32:39.464067010 +0100 ++++ nss/lib/ssl/ssl3con.c 2017-02-20 16:37:00.506731989 +0100 +@@ -91,7 +91,7 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi + /* clang-format off */ + static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { + /* cipher_suite policy enabled isPresent */ +- { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +@@ -102,7 +102,7 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +@@ -113,7 +113,7 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +@@ -140,7 +140,7 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, diff --git a/SOURCES/nss-fix-deadlock-squash.patch b/SOURCES/nss-fix-deadlock-squash.patch new file mode 100644 index 0000000..c8222c7 --- /dev/null +++ b/SOURCES/nss-fix-deadlock-squash.patch @@ -0,0 +1,112 @@ +diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c +--- nss/lib/pki/tdcache.c.fix_deadlock 2017-01-13 17:10:36.055530248 +0100 ++++ nss/lib/pki/tdcache.c 2017-01-13 17:14:04.015338438 +0100 +@@ -374,13 +374,19 @@ struct token_cert_dtor { + PRUint32 numCerts, arrSize; + }; + +-static void +-remove_token_certs(const void *k, void *v, void *a) ++static void cert_iter(const void *k, void *v, void *a) + { ++ nssList *certList = (nssList *)a; + NSSCertificate *c = (NSSCertificate *)k; ++ nssList_Add(certList, nssCertificate_AddRef(c)); ++} ++ ++static void ++remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) ++{ + nssPKIObject *object = &c->object; +- struct token_cert_dtor *dtor = a; + PRUint32 i; ++ + nssPKIObject_AddRef(object); + nssPKIObject_Lock(object); + for (i = 0; i < object->numInstances; i++) { +@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache + NSSCertificate **certs; + PRUint32 i, arrSize = 10; + struct token_cert_dtor dtor; ++ nssList *certList; ++ PRStatus nspr_rv = PR_FAILURE; ++ nssListIterator *iter; ++ NSSCertificate *c; ++ + certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); + if (!certs) { + return PR_FAILURE; +@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache + dtor.certs = certs; + dtor.numCerts = 0; + dtor.arrSize = arrSize; ++ ++ certList = nssList_Create(NULL, PR_FALSE); ++ if (!certList) { ++ goto loser; ++ } ++ /* fetch the list of certs in the cache */ ++ PZ_Lock(td->cache->lock); ++ nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList); ++ PZ_Unlock(td->cache->lock); ++ ++ /* find the certs that match this token without olding the td cache lock */ ++ iter=nssList_CreateIterator(certList); ++ if (!iter) { ++ goto loser; ++ } ++ for (c = (NSSCertificate *)nssListIterator_Start(iter); ++ c != (NSSCertificate *)NULL; ++ c = (NSSCertificate *)nssListIterator_Next(iter)) { ++ remove_token_certs( c, &dtor); ++ } ++ nssListIterator_Finish(iter); ++ nssListIterator_Destroy(iter); ++ nssList_Destroy(certList); ++ certList = NULL; ++ ++ /* now remove theose certs attached to this token */ + PZ_Lock(td->cache->lock); +- nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor); + for (i = 0; i < dtor.numCerts; i++) { + if (dtor.certs[i]->object.numInstances == 0) { + nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]); +@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache + } + } + PZ_Unlock(td->cache->lock); ++ ++ /* clean up */ + for (i = 0; i < dtor.numCerts; i++) { + if (dtor.certs[i]) { + STAN_ForceCERTCertificateUpdate(dtor.certs[i]); + nssCertificate_Destroy(dtor.certs[i]); + } + } ++ ++ nspr_rv = PR_SUCCESS; ++loser: ++ if (certList) { ++ nssList_Destroy(certList); ++ } + nss_ZFreeIf(dtor.certs); +- return PR_SUCCESS; ++ return nspr_rv; + } + + NSS_IMPLEMENT PRStatus +@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache( + return rvCert; + } + +-static void +-cert_iter(const void *k, void *v, void *a) +-{ +- nssList *certList = (nssList *)a; +- NSSCertificate *c = (NSSCertificate *)k; +- nssList_Add(certList, nssCertificate_AddRef(c)); +-} +- + NSS_EXTERN NSSCertificate ** + nssTrustDomain_GetCertsFromCache( + NSSTrustDomain *td, diff --git a/SOURCES/nss-increase-pkcs12-iterations.patch b/SOURCES/nss-increase-pkcs12-iterations.patch new file mode 100644 index 0000000..72fedd4 --- /dev/null +++ b/SOURCES/nss-increase-pkcs12-iterations.patch @@ -0,0 +1,26 @@ +# HG changeset patch +# User Kai Engert +# Date 1511356939 -3600 +# Wed Nov 22 14:22:19 2017 +0100 +# Node ID 93109d4cbedd397f5e75a2096257f9842a0ac5a1 +# Parent 6a27e4b4c92c8c3694132b75a1a54c23688789bd +Bug 1278071, increase number of iterations for export to PKCS #12, r=fkiefer + +diff --git a/lib/pkcs7/p7create.c b/lib/pkcs7/p7create.c +--- a/lib/pkcs7/p7create.c ++++ b/lib/pkcs7/p7create.c +@@ -18,7 +18,13 @@ + #include "secder.h" + #include "secpkcs5.h" + +-const int NSS_PBE_DEFAULT_ITERATION_COUNT = 100000; /* used in p12e.c too */ ++const int NSS_PBE_DEFAULT_ITERATION_COUNT = /* used in p12e.c too */ ++#ifdef DEBUG ++ 10000 ++#else ++ 1000000 ++#endif ++ ; + + static SECStatus + sec_pkcs7_init_content_info(SEC_PKCS7ContentInfo *cinfo, PLArenaPool *poolp, diff --git a/SOURCES/nss-is-token-present-race.patch b/SOURCES/nss-is-token-present-race.patch new file mode 100644 index 0000000..9c85f74 --- /dev/null +++ b/SOURCES/nss-is-token-present-race.patch @@ -0,0 +1,191 @@ +# HG changeset patch +# User Robert Relyea +# Date 1516007838 -3600 +# Mon Jan 15 10:17:18 2018 +0100 +# Node ID 33d9c969cd6548c335ce43fa8909b96ef323f670 +# Parent db32ef3be38eb06a91babbcbb48285284d704dbd +Bug 1054373, Crash in PK11_DoesMechanism due to race condition, r=rsleevi + +diff --git a/lib/dev/devslot.c b/lib/dev/devslot.c +--- a/lib/dev/devslot.c ++++ b/lib/dev/devslot.c +@@ -33,6 +33,8 @@ nssSlot_Destroy( + if (PR_ATOMIC_DECREMENT(&slot->base.refCount) == 0) { + PK11_FreeSlot(slot->pk11slot); + PZ_DestroyLock(slot->base.lock); ++ PZ_DestroyCondVar(slot->isPresentCondition); ++ PZ_DestroyLock(slot->isPresentLock); + return nssArena_Destroy(slot->base.arena); + } + } +@@ -117,35 +119,61 @@ nssSlot_IsTokenPresent( + nssSession *session; + CK_SLOT_INFO slotInfo; + void *epv; ++ PRBool isPresent = PR_FALSE; ++ + /* permanent slots are always present unless they're disabled */ + if (nssSlot_IsPermanent(slot)) { + return !PK11_IsDisabled(slot->pk11slot); + } ++ + /* avoid repeated calls to check token status within set interval */ ++ PZ_Lock(slot->isPresentLock); + if (within_token_delay_period(slot)) { +- return ((slot->ckFlags & CKF_TOKEN_PRESENT) != 0); ++ CK_FLAGS ckFlags = slot->ckFlags; ++ PZ_Unlock(slot->isPresentLock); ++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); + } ++ PZ_Unlock(slot->isPresentLock); + +- /* First obtain the slot info */ ++ /* First obtain the slot epv before we set up the condition ++ * variable, so we can just return if we couldn't get it. */ + epv = slot->epv; + if (!epv) { + return PR_FALSE; + } ++ ++ /* set up condition so only one thread is active in this part of the code at a time */ ++ PZ_Lock(slot->isPresentLock); ++ while (slot->inIsPresent) { ++ PR_WaitCondVar(slot->isPresentCondition, 0); ++ } ++ /* if we were one of multiple threads here, the first thread will have ++ * given us the answer, no need to make more queries of the token. */ ++ if (within_token_delay_period(slot)) { ++ CK_FLAGS ckFlags = slot->ckFlags; ++ PZ_Unlock(slot->isPresentLock); ++ return ((ckFlags & CKF_TOKEN_PRESENT) != 0); ++ } ++ /* this is the winning thread, block all others until we've determined ++ * if the token is present and that it needs initialization. */ ++ slot->inIsPresent = PR_TRUE; ++ PZ_Unlock(slot->isPresentLock); ++ + nssSlot_EnterMonitor(slot); + ckrv = CKAPI(epv)->C_GetSlotInfo(slot->slotID, &slotInfo); + nssSlot_ExitMonitor(slot); + if (ckrv != CKR_OK) { + slot->token->base.name[0] = 0; /* XXX */ +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; + } + slot->ckFlags = slotInfo.flags; + /* check for the presence of the token */ + if ((slot->ckFlags & CKF_TOKEN_PRESENT) == 0) { + if (!slot->token) { + /* token was never present */ +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; + } + session = nssToken_GetDefaultSession(slot->token); + if (session) { +@@ -167,15 +195,15 @@ nssSlot_IsTokenPresent( + slot->token->base.name[0] = 0; /* XXX */ + /* clear the token cache */ + nssToken_Remove(slot->token); +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; ++ goto done; + } + /* token is present, use the session info to determine if the card + * has been removed and reinserted. + */ + session = nssToken_GetDefaultSession(slot->token); + if (session) { +- PRBool isPresent = PR_FALSE; ++ PRBool tokenRemoved; + nssSession_EnterMonitor(session); + if (session->handle != CK_INVALID_SESSION) { + CK_SESSION_INFO sessionInfo; +@@ -187,12 +215,12 @@ nssSlot_IsTokenPresent( + session->handle = CK_INVALID_SESSION; + } + } +- isPresent = session->handle != CK_INVALID_SESSION; ++ tokenRemoved = (session->handle == CK_INVALID_SESSION); + nssSession_ExitMonitor(session); + /* token not removed, finished */ +- if (isPresent) { +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_TRUE; ++ if (!tokenRemoved) { ++ isPresent = PR_TRUE; ++ goto done; + } + } + /* the token has been removed, and reinserted, or the slot contains +@@ -203,15 +231,27 @@ nssSlot_IsTokenPresent( + nssToken_Remove(slot->token); + /* token has been removed, need to refresh with new session */ + nssrv = nssSlot_Refresh(slot); ++ isPresent = PR_TRUE; + if (nssrv != PR_SUCCESS) { + slot->token->base.name[0] = 0; /* XXX */ + slot->ckFlags &= ~CKF_TOKEN_PRESENT; +- /* TODO: insert a barrier here to avoid reordering of the assingments */ +- slot->lastTokenPing = PR_IntervalNow(); +- return PR_FALSE; ++ isPresent = PR_FALSE; + } ++done: ++ /* Once we've set up the condition variable, ++ * Before returning, it's necessary to: ++ * 1) Set the lastTokenPing time so that any other threads waiting on this ++ * initialization and any future calls within the initialization window ++ * return the just-computed status. ++ * 2) Indicate we're complete, waking up all other threads that may still ++ * be waiting on initialization can progress. ++ */ ++ PZ_Lock(slot->isPresentLock); + slot->lastTokenPing = PR_IntervalNow(); +- return PR_TRUE; ++ slot->inIsPresent = PR_FALSE; ++ PR_NotifyAllCondVar(slot->isPresentCondition); ++ PZ_Unlock(slot->isPresentLock); ++ return isPresent; + } + + NSS_IMPLEMENT void * +@@ -229,7 +269,7 @@ nssSlot_GetToken( + + if (nssSlot_IsTokenPresent(slot)) { + /* Even if a token should be present, check `slot->token` too as it +- * might be gone already. This would happen mostly on shutdown. */ ++ * might be gone already. This would happen mostly on shutdown. */ + nssSlot_EnterMonitor(slot); + if (slot->token) + rvToken = nssToken_AddRef(slot->token); +diff --git a/lib/dev/devt.h b/lib/dev/devt.h +--- a/lib/dev/devt.h ++++ b/lib/dev/devt.h +@@ -81,6 +81,9 @@ struct NSSSlotStr { + PZLock *lock; + void *epv; + PK11SlotInfo *pk11slot; ++ PZLock *isPresentLock; ++ PRCondVar *isPresentCondition; ++ PRBool inIsPresent; + }; + + struct nssSessionStr { +diff --git a/lib/pk11wrap/dev3hack.c b/lib/pk11wrap/dev3hack.c +--- a/lib/pk11wrap/dev3hack.c ++++ b/lib/pk11wrap/dev3hack.c +@@ -120,6 +120,9 @@ nssSlot_CreateFromPK11SlotInfo(NSSTrustD + /* Grab the slot name from the PKCS#11 fixed-length buffer */ + rvSlot->base.name = nssUTF8_Duplicate(nss3slot->slot_name, td->arena); + rvSlot->lock = (nss3slot->isThreadSafe) ? NULL : nss3slot->sessionLock; ++ rvSlot->isPresentLock = PZ_NewLock(nssiLockOther); ++ rvSlot->isPresentCondition = PR_NewCondVar(rvSlot->isPresentLock); ++ rvSlot->inIsPresent = PR_FALSE; + return rvSlot; + } + diff --git a/SOURCES/nss-modutil-suppress-password.patch b/SOURCES/nss-modutil-suppress-password.patch new file mode 100644 index 0000000..160f995 --- /dev/null +++ b/SOURCES/nss-modutil-suppress-password.patch @@ -0,0 +1,20 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1510244757 -3600 +# Thu Nov 09 17:25:57 2017 +0100 +# Node ID 523734e69b5cdd7c2c9047e705e858da352a3b24 +# Parent 54be8a4501d454b2b7454e4a44ea013738e0b693 +Bug 1415847, modutil: Suppress unnecessary password prompt, r=kaie + +diff --git a/cmd/modutil/pk11.c b/cmd/modutil/pk11.c +--- a/cmd/modutil/pk11.c ++++ b/cmd/modutil/pk11.c +@@ -728,7 +728,7 @@ ChangePW(char *tokenName, char *pwFile, + ret = BAD_PW_ERR; + goto loser; + } +- } else { ++ } else if (PK11_NeedLogin(slot)) { + for (matching = PR_FALSE; !matching;) { + oldpw = SECU_GetPasswordString(NULL, "Enter old password: "); + if (PK11_CheckUserPassword(slot, oldpw) == SECSuccess) { diff --git a/SOURCES/nss-pk12util-faulty-aes.patch b/SOURCES/nss-pk12util-faulty-aes.patch new file mode 100644 index 0000000..c6d22cc --- /dev/null +++ b/SOURCES/nss-pk12util-faulty-aes.patch @@ -0,0 +1,43 @@ +From 0615bf4ad6c7e07cc1b7dee4bded01fe8974ad0b Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Wed, 27 Sep 2017 11:11:10 +0200 +Subject: [PATCH] pk11wrap: Add backward compatibility with faulty PBES2 AES + schemes + +--- + lib/pk11wrap/pk11pbe.c | 19 ++++++++++++++++++- + 1 file changed, 18 insertions(+), 1 deletion(-) + +diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c +index bea9333f6..5f68f399e 100644 +--- a/lib/pk11wrap/pk11pbe.c ++++ b/lib/pk11wrap/pk11pbe.c +@@ -367,7 +367,24 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId) + cipherAlg = SECOID_GetAlgorithmTag(cipherAlgId); + + if (sec_pkcs5_is_algorithm_v2_aes_algorithm(cipherAlg)) { +- length = sec_pkcs5v2_aes_key_length(cipherAlg); ++ /* Previously, the PKCS#12 files created with the old NSS ++ * releases encoded the maximum key size of AES (that is 32) ++ * in the keyLength field of PBKDF2-params. That resulted in ++ * always performing AES-256 even if AES-128-CBC or ++ * AES-192-CBC is specified in the encryptionScheme field of ++ * PBES2-params. This is wrong, but for compatibility reasons, ++ * check the keyLength field and use the value if it is 32. ++ */ ++ if (p5_param.keyLength.data != NULL) { ++ length = DER_GetInteger(&p5_param.keyLength); ++ } ++ /* If the keyLength field is present and contains a value ++ * other than 32, that means the file is created outside of ++ * NSS, which we don't care about. Note that the following ++ * also handles the case when the field is absent. */ ++ if (length != 32) { ++ length = sec_pkcs5v2_aes_key_length(cipherAlg); ++ } + } else if (p5_param.keyLength.data != NULL) { + length = DER_GetInteger(&p5_param.keyLength); + } else { +-- +2.13.5 + diff --git a/SOURCES/nss-pss-fixes.patch b/SOURCES/nss-pss-fixes.patch new file mode 100644 index 0000000..964e792 --- /dev/null +++ b/SOURCES/nss-pss-fixes.patch @@ -0,0 +1,649 @@ +# HG changeset patch +# User Daiki Ueno +# Date 1510136005 -3600 +# Wed Nov 08 11:13:25 2017 +0100 +# Node ID 6da6e699fa02bbf1763acba4176f994c6a5ddf62 +# Parent d515199921dd703087f7e0e03eb71058a015934d +Bug 1415171, Fix handling of default RSA-PSS parameters, r=mt + +Reviewers: mt, rrelyea + +Reviewed By: mt + +Bug #: 1415171 + +Differential Revision: https://phabricator.services.mozilla.com/D202 + +diff --git a/cmd/lib/secutil.c b/cmd/lib/secutil.c +--- a/cmd/lib/secutil.c ++++ b/cmd/lib/secutil.c +@@ -1192,7 +1192,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte + SECU_Indent(out, level + 1); + fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20); + } else { +- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level + 1); ++ SECU_PrintInteger(out, ¶m.saltLength, "Salt length", level + 1); + } + } else { + SECU_Indent(out, level + 1); +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -2056,9 +2056,13 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ + } + +- rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); +- if (rv != SECSuccess) { +- return rv; ++ if (params->saltLength.data) { ++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->saltLength, &saltLength); ++ if (rv != SECSuccess) { ++ return rv; ++ } ++ } else { ++ saltLength = 20; /* default, 20 */ + } + mech->sLen = saltLength; + +diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c +--- a/lib/cryptohi/secsign.c ++++ b/lib/cryptohi/secsign.c +@@ -610,6 +610,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * + SECKEYRSAPSSParams pssParams; + int modBytes, hashLength; + unsigned long saltLength; ++ PRBool defaultSHA1 = PR_FALSE; + SECStatus rv; + + if (key->keyType != rsaKey && key->keyType != rsaPssKey) { +@@ -631,6 +632,7 @@ sec_CreateRSAPSSParameters(PLArenaPool * + if (rv != SECSuccess) { + return NULL; + } ++ defaultSHA1 = PR_TRUE; + } + + if (pssParams.trailerField.data) { +@@ -652,15 +654,23 @@ sec_CreateRSAPSSParameters(PLArenaPool * + /* Determine the hash algorithm to use, based on hashAlgTag and + * pssParams.hashAlg; there are four cases */ + if (hashAlgTag != SEC_OID_UNKNOWN) { ++ SECOidTag tag = SEC_OID_UNKNOWN; ++ + if (pssParams.hashAlg) { +- if (SECOID_GetAlgorithmTag(pssParams.hashAlg) != hashAlgTag) { +- PORT_SetError(SEC_ERROR_INVALID_ARGS); +- return NULL; +- } ++ tag = SECOID_GetAlgorithmTag(pssParams.hashAlg); ++ } else if (defaultSHA1) { ++ tag = SEC_OID_SHA1; ++ } ++ ++ if (tag != SEC_OID_UNKNOWN && tag != hashAlgTag) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return NULL; + } + } else if (hashAlgTag == SEC_OID_UNKNOWN) { + if (pssParams.hashAlg) { + hashAlgTag = SECOID_GetAlgorithmTag(pssParams.hashAlg); ++ } else if (defaultSHA1) { ++ hashAlgTag = SEC_OID_SHA1; + } else { + /* Find a suitable hash algorithm based on the NIST recommendation */ + if (modBytes <= 384) { /* 128, in NIST 800-57, Part 1 */ +@@ -709,6 +719,11 @@ sec_CreateRSAPSSParameters(PLArenaPool * + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); + return NULL; + } ++ } else if (defaultSHA1) { ++ if (hashAlgTag != SEC_OID_SHA1) { ++ PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); ++ return NULL; ++ } + } + + hashLength = HASH_ResultLenByOidTag(hashAlgTag); +@@ -725,6 +740,8 @@ sec_CreateRSAPSSParameters(PLArenaPool * + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return NULL; + } ++ } else if (defaultSHA1) { ++ saltLength = 20; + } + + /* Fill in the parameters */ +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -516,6 +516,9 @@ cert_all_CA() + cert_rsa_pss_CA $CADIR TestCA-rsa-pss -x "CTu,CTu,CTu" ${D_CA} "1" SHA256 + rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert + ++ ALL_CU_SUBJECT="CN=NSS Test CA (RSA-PSS-SHA1), O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ cert_rsa_pss_CA $CADIR TestCA-rsa-pss-sha1 -x "CTu,CTu,CTu" ${D_CA} "1" SHA1 ++ rm $CLIENT_CADIR/rsapssroot.cert $SERVER_CADIR/rsapssroot.cert + + # + # Create EC version of TestCA +@@ -2054,7 +2057,7 @@ check_sign_algo() + { + certu -L -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" | \ + sed -n '/^ *Data:/,/^$/{ +-/^ Signature Algorithm/,/^ *Salt Length/s/^ //p ++/^ Signature Algorithm/,/^ *Salt length/s/^ //p + }' > ${TMP}/signalgo.txt + + diff ${TMP}/signalgo.exp ${TMP}/signalgo.txt +@@ -2088,6 +2091,12 @@ cert_test_rsapss() + CU_ACTION="Verify RSA-PSS CA Cert" + certu -V -u L -e -n "TestCA-rsa-pss" -d "${PROFILEDIR}" -f "${R_PWFILE}" + ++ CU_ACTION="Import RSA-PSS CA Cert (SHA1)" ++ certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 ++ ++ CERTSERIAL=200 ++ + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explicit, with --pss-sign) +@@ -2098,7 +2107,7 @@ cert_test_rsapss() + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -m 200 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2113,10 +2122,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA + # Issuer certificate: RSA + # Signature: RSA-PSS (explict, with --pss-sign -Z SHA512) +@@ -2127,7 +2138,7 @@ EOF + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -Z SHA512 -m 201 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2142,10 +2153,12 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-512 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-512 +- Salt Length: 64 (0x40) ++ Salt length: 64 (0x40) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA + # Issuer certificate: RSA-PSS + # Signature: RSA-PSS +@@ -2156,7 +2169,69 @@ EOF + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" -m 202 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's Cert" ++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${CERTNAME}.cert" 2>&1 ++ ++ CU_ACTION="Verify $CERTNAME's Cert" ++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" ++ cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ ++ CU_ACTION="Import $CERTNAME's Cert" ++ certu -A -n "$CERTNAME" -t ",," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${CERTNAME}.cert" 2>&1 ++ ++ CU_ACTION="Verify $CERTNAME's Cert" ++ certu -V -u V -e -n "$CERTNAME" -d "${PROFILEDIR}" -f "${R_PWFILE}" ++ cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA-rsa-pss" --pss-sign -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2171,21 +2246,24 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA-PSS +- # Issuer certificate: RSA +- # Signature: RSA-PSS (explicit, with --pss-sign) +- CERTNAME="TestUser-rsa-pss4" ++ # Issuer certificate: RSA-PSS ++ # Signature: RSA-PSS (implicit, without --pss-sign) ++ CERTNAME="TestUser-rsa-pss6" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA" --pss-sign -m 203 -v 60 -d "${P_R_CADIR}" \ ++ # Sign without --pss-sign nor -Z option ++ certu -C -c "TestCA-rsa-pss" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2200,21 +2278,40 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ + # Subject certificate: RSA-PSS + # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (explicit, with --pss-sign) +- CERTNAME="TestUser-rsa-pss5" ++ # Signature: RSA-PSS (with conflicting hash algorithm) ++ CERTNAME="TestUser-rsa-pss7" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" + certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" --pss-sign -m 204 -v 60 -d "${P_R_CADIR}" \ ++ RETEXPECTED=255 ++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ RETEXPECTED=0 ++ ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ ++ # Subject certificate: RSA-PSS ++ # Issuer certificate: RSA-PSS ++ # Signature: RSA-PSS (with compatible hash algorithm) ++ CERTNAME="TestUser-rsa-pss8" ++ ++ CU_ACTION="Generate Cert Request for $CERTNAME" ++ CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2229,21 +2326,23 @@ Signature Algorithm: PKCS #1 RSA-PSS Sig + Hash algorithm: SHA-256 + Mask algorithm: PKCS #1 MGF1 Mask Generation Function + Mask hash algorithm: SHA-256 +- Salt Length: 32 (0x20) ++ Salt length: 32 (0x20) + EOF + check_sign_algo + +- # Subject certificate: RSA-PSS +- # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (implicit, without --pss-sign) +- CERTNAME="TestUser-rsa-pss6" ++ CERTSERIAL=`expr $CERTSERIAL + 1` ++ ++ # Subject certificate: RSA ++ # Issuer certificate: RSA ++ # Signature: RSA-PSS (explict, with --pss-sign -Z SHA1) ++ CERTNAME="TestUser-rsa-pss9" + + CU_ACTION="Generate Cert Request for $CERTNAME" + CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" +- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" -m 205 -v 60 -d "${P_R_CADIR}" \ ++ certu -C -c "TestCA" --pss-sign -Z SHA1 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2255,39 +2354,27 @@ EOF + cat > ${TMP}/signalgo.exp <&1 ++ certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -o req 2>&1 + + CU_ACTION="Sign ${CERTNAME}'s Request" +- RETEXPECTED=255 +- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA512 -m 206 -v 60 -d "${P_R_CADIR}" \ +- -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 +- RETEXPECTED=0 +- +- # Subject certificate: RSA-PSS +- # Issuer certificate: RSA-PSS +- # Signature: RSA-PSS (with compatible hash algorithm) +- CERTNAME="TestUser-rsa-pss8" +- +- CU_ACTION="Generate Cert Request for $CERTNAME" +- CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US" +- certu -R -d "${PROFILEDIR}" -f "${R_PWFILE}" -z "${R_NOISE_FILE}" --pss -o req 2>&1 +- +- CU_ACTION="Sign ${CERTNAME}'s Request" +- certu -C -c "TestCA-rsa-pss" --pss-sign -Z SHA256 -m 207 -v 60 -d "${P_R_CADIR}" \ ++ # Sign without --pss-sign nor -Z option ++ certu -C -c "TestCA-rsa-pss-sha1" -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ + -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 + + CU_ACTION="Import $CERTNAME's Cert" +@@ -2299,12 +2386,29 @@ EOF + cat > ${TMP}/signalgo.exp <&1 ++ ++ CU_ACTION="Sign ${CERTNAME}'s Request" ++ RETEXPECTED=255 ++ certu -C -c "TestCA-rsa-pss-sha1" --pss-sign -Z SHA256 -m "${CERTSERIAL}" -v 60 -d "${P_R_CADIR}" \ ++ -i req -o "${CERTNAME}.cert" -f "${R_PWFILE}" "$1" 2>&1 ++ RETEXPECTED=0 + } + + ############################## cert_cleanup ############################ +# HG changeset patch +# User Daiki Ueno +# Date 1514884761 -3600 +# Tue Jan 02 10:19:21 2018 +0100 +# Node ID 5a14f42384eb22b67e0465949c03555eff41e4af +# Parent e577b1df8dabb31466cebad07fdbe0883290bede +Bug 1423557, cryptohi: make RSA-PSS parameter check stricter, r=mt + +Summary: This adds a check on unsupported hash/mask algorithms and invalid trailer field, when converting SECKEYRSAPSSParams to CK_RSA_PKCS_PSS_PARAMS for both signing and verification. It also add missing support for SHA224 as underlying hash algorithm. + +Reviewers: mt + +Reviewed By: mt + +Bug #: 1423557 + +Differential Revision: https://phabricator.services.mozilla.com/D322 + +diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c +--- a/lib/cryptohi/seckey.c ++++ b/lib/cryptohi/seckey.c +@@ -1984,13 +1984,14 @@ sec_GetHashMechanismByOidTag(SECOidTag t + return CKM_SHA384; + case SEC_OID_SHA256: + return CKM_SHA256; ++ case SEC_OID_SHA224: ++ return CKM_SHA224; ++ case SEC_OID_SHA1: ++ return CKM_SHA_1; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); +- /* fallthrough */ +- case SEC_OID_SHA1: +- break; ++ return CKM_INVALID_MECHANISM; + } +- return CKM_SHA_1; + } + + static CK_RSA_PKCS_MGF_TYPE +@@ -2003,13 +2004,14 @@ sec_GetMgfTypeByOidTag(SECOidTag tag) + return CKG_MGF1_SHA384; + case SEC_OID_SHA256: + return CKG_MGF1_SHA256; ++ case SEC_OID_SHA224: ++ return CKG_MGF1_SHA224; ++ case SEC_OID_SHA1: ++ return CKG_MGF1_SHA1; + default: + PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); +- /* fallthrough */ +- case SEC_OID_SHA1: +- break; ++ return 0; + } +- return CKG_MGF1_SHA1; + } + + SECStatus +@@ -2019,6 +2021,7 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + SECStatus rv = SECSuccess; + SECOidTag hashAlgTag; + unsigned long saltLength; ++ unsigned long trailerField; + + PORT_Memset(mech, 0, sizeof(CK_RSA_PKCS_PSS_PARAMS)); + +@@ -2028,6 +2031,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + hashAlgTag = SEC_OID_SHA1; /* default, SHA-1 */ + } + mech->hashAlg = sec_GetHashMechanismByOidTag(hashAlgTag); ++ if (mech->hashAlg == CKM_INVALID_MECHANISM) { ++ return SECFailure; ++ } + + if (params->maskAlg) { + SECAlgorithmID maskHashAlg; +@@ -2050,6 +2056,9 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + } + maskHashAlgTag = SECOID_GetAlgorithmTag(&maskHashAlg); + mech->mgf = sec_GetMgfTypeByOidTag(maskHashAlgTag); ++ if (mech->mgf == 0) { ++ return SECFailure; ++ } + } else { + mech->mgf = CKG_MGF1_SHA1; /* default, MGF1 with SHA-1 */ + } +@@ -2064,5 +2073,18 @@ sec_RSAPSSParamsToMechanism(CK_RSA_PKCS_ + } + mech->sLen = saltLength; + ++ if (params->trailerField.data) { ++ rv = SEC_ASN1DecodeInteger((SECItem *)¶ms->trailerField, &trailerField); ++ if (rv != SECSuccess) { ++ return rv; ++ } ++ if (trailerField != 1) { ++ /* the value must be 1, which represents the trailer field ++ * with hexadecimal value 0xBC */ ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return SECFailure; ++ } ++ } ++ + return rv; + } +diff --git a/tests/cert/TestCA-bogus-rsa-pss1.crt b/tests/cert/TestCA-bogus-rsa-pss1.crt +new file mode 100644 +--- /dev/null ++++ b/tests/cert/TestCA-bogus-rsa-pss1.crt +@@ -0,0 +1,26 @@ ++-----BEGIN CERTIFICATE----- ++MIIEbDCCAxqgAwIBAgIBATBHBgkqhkiG9w0BAQowOqAPMA0GCWCGSAFlAwQCAQUA ++oRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUAogMCASCjBAICEmcwgYMxCzAJ ++BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFp ++biBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxMzAxBgNVBAMTKk5TUyBUZXN0IENB ++IChSU0EtUFNTIGludmFsaWQgdHJhaWxlckZpZWxkKTAgFw0xNzEyMDcxMjU3NDBa ++GA8yMDY3MTIwNzEyNTc0MFowgYMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxp ++Zm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBO ++U1MxMzAxBgNVBAMTKk5TUyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgdHJhaWxl ++ckZpZWxkKTCCAVwwRwYJKoZIhvcNAQEKMDqgDzANBglghkgBZQMEAgEFAKEcMBoG ++CSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEgowQCAhJnA4IBDwAwggEKAoIB ++AQDgkKJk+PoFpESak7kMQ0w147/xilUZCG7hDGG2uuGTbX8jqy9N9pxzB9sJjgJX ++yYND0XEmrUQ2Memmy8jufhXML5DekW1tr3Gi2L3VivbIReJZfXk1xDMvNbB/Gjjo ++SoPyu8C4hnevjgMlmqG3KdMkB+eN6PnBG64YFyki3vnLO5iTNHEBTgFYo0gTX4uK ++xl0hLtiDL+4K5l7BwVgxZwQF6uHoHjrjjlhkzR0FwjjqR8U0pH20Pb6IlRsFMv07 ++/1GHf+jm34pKb/1ZNzAbiKxYv7YAQUWEZ7e/GSXgA6gbTpV9ueiLkVucUeXN/mXK ++Tqb4zivi5FaSGVl8SJnqsJXJAgMBAAGjOTA3MBQGCWCGSAGG+EIBAQEB/wQEAwIC ++BDAPBgNVHRMECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwICBDBHBgkqhkiG9w0BAQow ++OqAPMA0GCWCGSAFlAwQCAQUAoRwwGgYJKoZIhvcNAQEIMA0GCWCGSAFlAwQCAQUA ++ogMCASCjBAICEmcDggEBAJht9t9p/dlhJtx7ShDvUXyq8N4tCoGKdREM83K/jlW8 ++HxdHOz5PuvZx+UMlaUtqZVIriSCnRtEWkoSo0hWmcv1rp80it2G1zLfLPYdyrPba ++nQmE1iFb69Wr9dwrX7o/CII+WHQgoIGeFGntZ8YRZTe5+JeiGAlAyZCqUKbl9lhh ++pCpf1YYxb3VI8mAGVi0jwabWBEbInGBZYH9HP0nK7/Tflk6UY3f4h4Fbkk5D4WZA ++hFfkebx6Wh90QGiKQhp4/N+dYira8bKvWqqn0VqwzBoJBU/RmMaJVpwqFFvcaUJh ++uEKUPeQbqkYvj1WJYmy4ettVwi4OZU50+kCaRQhMsFA= ++-----END CERTIFICATE----- +diff --git a/tests/cert/TestCA-bogus-rsa-pss2.crt b/tests/cert/TestCA-bogus-rsa-pss2.crt +new file mode 100644 +--- /dev/null ++++ b/tests/cert/TestCA-bogus-rsa-pss2.crt +@@ -0,0 +1,24 @@ ++-----BEGIN CERTIFICATE----- ++MIIEFzCCAs2gAwIBAgIBATA/BgkqhkiG9w0BAQowMqAOMAwGCCqGSIb3DQIFBQCh ++GzAZBgkqhkiG9w0BAQgwDAYIKoZIhvcNAgUFAKIDAgEgMH4xCzAJBgNVBAYTAlVT ++MRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRIw ++EAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5TUyBUZXN0IENBIChSU0EtUFNT ++IGludmFsaWQgaGFzaEFsZykwIBcNMTcxMjA3MTQwNjQ0WhgPMjA2ODAxMDcxNDA2 ++NDRaMH4xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQH ++Ew1Nb3VudGFpbiBWaWV3MRIwEAYDVQQKEwlCT0dVUyBOU1MxLjAsBgNVBAMTJU5T ++UyBUZXN0IENBIChSU0EtUFNTIGludmFsaWQgaGFzaEFsZykwggEgMAsGCSqGSIb3 ++DQEBCgOCAQ8AMIIBCgKCAQEAtDXA73yTOgs8zVYNMCtuQ9a07UgbfeQbjHp3pkF6 ++7rsC/Q28mrLh+zLkht5e7qU/Qf/8a2ZkcYhPOBAjCzjgIXOdE2lsWvdVujOJLR0x ++Fesd3hDLRmL6f6momc+j1/Tw3bKyZinaeJ9BFRv9c94SayB3QUe+6+TNJKASwlhj ++sx6mUsND+h3DkuL77gi7hIUpUXfFSwa+zM69VLhIu+/WRZfG8gfKkCAIGUC3WYJa ++eU1HgQKfVSXW0ok4ototXWEe9ohU+Z1tO9LJStcY8mMpig7EU9zbpObhG46Sykfu ++aKsubB9J+gFgwP5Tb85tRYT6SbHeHR6U/N8GBrKdRcomWwIDAQABozwwOjAUBglg ++hkgBhvhCAQEBAf8EBAMCAgQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E ++BAMCAgQwPwYJKoZIhvcNAQEKMDKgDjAMBggqhkiG9w0CBQUAoRswGQYJKoZIhvcN ++AQEIMAwGCCqGSIb3DQIFBQCiAwIBIAOCAQEAjeemeTxh2xrMUJ6Z5Yn2nH2FbcPY ++fTHJcdfXjfNBkrMl5pe2/lk0JyNuACTuTYFCxdWNRL1coN//h9DSUbF3dpF1ex6D ++difo+6PwxkO2aPVGPYw4DSivt4SFbn5dKGgVqBQfnmNK7p/iT91AcErg/grRrNL+ ++4jeT0UiRjQYeX9xKJArv+ocIidNpQL3QYxXuBLZxVC92Af69ol7WG8QBRLnFi1p2 ++g6q8hOHqOfB29qnsSo3PkI1yuShOl50tRLbNgyotEfZdk1N3oXvapoBsm/jlcdCT ++0aKelCSQYYAfyl5PKCpa1lgBm7zfcHSDStMhEEFu/fbnJhqO9g9znj3STQ== ++-----END CERTIFICATE----- +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -2095,6 +2095,20 @@ cert_test_rsapss() + certu -A -n "TestCA-rsa-pss-sha1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ + -i "${R_CADIR}/TestCA-rsa-pss-sha1.ca.cert" 2>&1 + ++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid trailerField)" ++ certu -A -n "TestCA-bogus-rsa-pss1" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss1.crt" 2>&1 ++ RETEXPECTED=255 ++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss1 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 ++ RETEXPECTED=0 ++ ++ CU_ACTION="Import Bogus RSA-PSS CA Cert (invalid hashAlg)" ++ certu -A -n "TestCA-bogus-rsa-pss2" -t "C,," -d "${PROFILEDIR}" -f "${R_PWFILE}" \ ++ -i "${QADIR}/cert/TestCA-bogus-rsa-pss2.crt" 2>&1 ++ RETEXPECTED=255 ++ certu -V -b 1712101010Z -n TestCA-bogus-rsa-pss2 -u L -e -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1 ++ RETEXPECTED=0 ++ + CERTSERIAL=200 + + # Subject certificate: RSA diff --git a/SOURCES/nss-reorder-cipher-suites-gtests.patch b/SOURCES/nss-reorder-cipher-suites-gtests.patch new file mode 100644 index 0000000..7a75e50 --- /dev/null +++ b/SOURCES/nss-reorder-cipher-suites-gtests.patch @@ -0,0 +1,47 @@ +diff -up nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests nss/gtests/ssl_gtest/ssl_auth_unittest.cc +--- nss/gtests/ssl_gtest/ssl_auth_unittest.cc.reorder-cipher-suites-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/ssl_gtest/ssl_auth_unittest.cc 2017-10-06 16:41:39.223713982 +0200 +@@ -222,7 +222,9 @@ static SSLNamedGroup NamedGroupForEcdsa3 + // NSS tries to match the group size to the symmetric cipher. In TLS 1.1 and + // 1.0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is the highest priority suite, so + // we use P-384. With TLS 1.2 on we pick AES-128 GCM so use x25519. +- if (version <= SSL_LIBRARY_VERSION_TLS_1_1) { ++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ++ // a higher priority than AES-128 GCM. ++ if (version <= SSL_LIBRARY_VERSION_TLS_1_2) { + return ssl_grp_ec_secp384r1; + } + return ssl_grp_ec_curve25519; +@@ -806,20 +808,24 @@ INSTANTIATE_TEST_CASE_P( + ::testing::Values(TlsAgent::kServerEcdsa256), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp256r1_sha256))); ++ // FIXME: In RHEL, we assign TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ++ // a higher priority than AES-128 GCM, and that causes the following ++ // 3 TLS 1.2 tests to fail. + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaP384, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +- TlsConnectTestBase::kTlsV12Plus, ++ TlsConnectTestBase::kTlsV13, + ::testing::Values(TlsAgent::kServerEcdsa384), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp384r1_sha384))); + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaP521, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +- TlsConnectTestBase::kTlsV12Plus, ++ TlsConnectTestBase::kTlsV13, + ::testing::Values(TlsAgent::kServerEcdsa521), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_secp521r1_sha512))); ++#if 0 + INSTANTIATE_TEST_CASE_P( + SignatureSchemeEcdsaSha1, TlsSignatureSchemeConfiguration, + ::testing::Combine(TlsConnectTestBase::kTlsVariantsAll, +@@ -828,4 +834,5 @@ INSTANTIATE_TEST_CASE_P( + TlsAgent::kServerEcdsa384), + ::testing::Values(ssl_auth_ecdsa), + ::testing::Values(ssl_sig_ecdsa_sha1))); ++#endif + } diff --git a/SOURCES/nss-reorder-cipher-suites.patch b/SOURCES/nss-reorder-cipher-suites.patch new file mode 100644 index 0000000..9806190 --- /dev/null +++ b/SOURCES/nss-reorder-cipher-suites.patch @@ -0,0 +1,234 @@ +diff -up nss/lib/ssl/ssl3con.c.reorder-cipher-suites nss/lib/ssl/ssl3con.c +--- nss/lib/ssl/ssl3con.c.reorder-cipher-suites 2017-04-26 11:47:33.690047402 +0200 ++++ nss/lib/ssl/ssl3con.c 2017-04-26 11:51:51.103013632 +0200 +@@ -91,54 +91,44 @@ PRBool ssl_IsRsaPssSignatureScheme(SSLSi + /* clang-format off */ + static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { + /* cipher_suite policy enabled isPresent */ +- /* Special TLS 1.3 suites. */ +- { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, +- { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, +- { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, +- +- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around +- * bug 946147. +- */ + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- ++ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- + { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -147,27 +137,21 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- +- /* RSA */ +- { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_SEED_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_RSA_WITH_RC4_128_MD5, SSL_ALLOWED, PR_TRUE, PR_FALSE}, +- +- /* 56-bit DES "domestic" cipher suites */ + { TLS_DHE_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_DSS_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_DES_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +- +- /* ciphersuites with no encryption */ + { TLS_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDH_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, +@@ -175,6 +159,9 @@ static ssl3CipherSuiteCfg cipherSuites[s + { TLS_RSA_WITH_NULL_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_NULL_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_RSA_WITH_NULL_MD5, SSL_ALLOWED, PR_FALSE, PR_FALSE}, ++ { TLS_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, ++ { TLS_CHACHA20_POLY1305_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE }, ++ { TLS_AES_256_GCM_SHA384, SSL_ALLOWED, PR_TRUE, PR_FALSE }, + }; + /* clang-format on */ + +diff -up nss/lib/ssl/sslenum.c.reorder-cipher-suites nss/lib/ssl/sslenum.c +--- nss/lib/ssl/sslenum.c.reorder-cipher-suites 2017-04-26 11:46:50.215066457 +0200 ++++ nss/lib/ssl/sslenum.c 2017-04-26 11:47:09.362617638 +0200 +@@ -55,53 +55,44 @@ + * the third one. + */ + const PRUint16 SSL_ImplementedCiphers[] = { +- TLS_AES_128_GCM_SHA256, +- TLS_CHACHA20_POLY1305_SHA256, +- TLS_AES_256_GCM_SHA384, +- +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, +- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, +- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, +- /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before +- * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147. +- */ + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, ++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, ++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, ++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, ++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, ++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, +- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, +- ++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, ++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA, ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA, ++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, ++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, ++ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, ++ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, + TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA, + TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, + TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA, +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA, +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, +- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, +- TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, + TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA, + TLS_DHE_DSS_WITH_RC4_128_SHA, +- + TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, +@@ -110,26 +101,21 @@ const PRUint16 SSL_ImplementedCiphers[] + TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDH_ECDSA_WITH_RC4_128_SHA, + TLS_ECDH_RSA_WITH_RC4_128_SHA, +- +- TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, +- TLS_RSA_WITH_AES_128_CBC_SHA, +- TLS_RSA_WITH_AES_128_CBC_SHA256, +- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA256, + TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, ++ TLS_RSA_WITH_AES_128_GCM_SHA256, ++ TLS_RSA_WITH_AES_128_CBC_SHA, ++ TLS_RSA_WITH_AES_128_CBC_SHA256, ++ TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, + TLS_RSA_WITH_SEED_CBC_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_MD5, +- +- /* 56-bit DES "domestic" cipher suites */ + TLS_DHE_RSA_WITH_DES_CBC_SHA, + TLS_DHE_DSS_WITH_DES_CBC_SHA, + TLS_RSA_WITH_DES_CBC_SHA, +- +- /* ciphersuites with no encryption */ + TLS_ECDHE_ECDSA_WITH_NULL_SHA, + TLS_ECDHE_RSA_WITH_NULL_SHA, + TLS_ECDH_RSA_WITH_NULL_SHA, +@@ -137,6 +123,9 @@ const PRUint16 SSL_ImplementedCiphers[] + TLS_RSA_WITH_NULL_SHA, + TLS_RSA_WITH_NULL_SHA256, + TLS_RSA_WITH_NULL_MD5, ++ TLS_AES_128_GCM_SHA256, ++ TLS_CHACHA20_POLY1305_SHA256, ++ TLS_AES_256_GCM_SHA384, + + 0 + }; diff --git a/SOURCES/nss-rhel7.config b/SOURCES/nss-rhel7.config new file mode 100644 index 0000000..be6d690 --- /dev/null +++ b/SOURCES/nss-rhel7.config @@ -0,0 +1,7 @@ +# To re-enable legacy algorithms, edit this file +# Note that the last empty line in this file must be preserved +library= +name=Policy +NSS=flags=policyOnly,moduleDB +config="disallow=md5 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023" + diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch new file mode 100644 index 0000000..7d55d10 --- /dev/null +++ b/SOURCES/nss-skip-bltest-and-fipstest.patch @@ -0,0 +1,15 @@ +diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile +--- nss/cmd/Makefile.skipthem 2017-01-13 16:41:04.117486801 +0100 ++++ nss/cmd/Makefile 2017-01-13 16:42:31.396335957 +0100 +@@ -19,7 +19,11 @@ BLTEST_SRCDIR = + ECPERF_SRCDIR = + FREEBL_ECTEST_SRCDIR = + FIPSTEST_SRCDIR = ++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) ++SHLIBSIGN_SRCDIR = shlibsign ++else + SHLIBSIGN_SRCDIR = ++endif + else + BLTEST_SRCDIR = bltest + ECPERF_SRCDIR = ecperf diff --git a/SOURCES/nss-skip-util-gtest.patch b/SOURCES/nss-skip-util-gtest.patch new file mode 100644 index 0000000..02bf308 --- /dev/null +++ b/SOURCES/nss-skip-util-gtest.patch @@ -0,0 +1,33 @@ +diff -up nss/gtests/manifest.mn.skip-util-gtests nss/gtests/manifest.mn +--- nss/gtests/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/manifest.mn 2017-10-19 11:02:27.773910909 +0200 +@@ -32,6 +32,5 @@ endif + + DIRS = \ + $(LIB_SRCDIRS) \ +- $(UTIL_SRCDIRS) \ + $(NSS_SRCDIRS) \ + $(NULL) +diff -up nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests nss/gtests/ssl_gtest/manifest.mn +--- nss/gtests/ssl_gtest/manifest.mn.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/gtests/ssl_gtest/manifest.mn 2017-10-19 11:02:27.773910909 +0200 +@@ -58,6 +58,7 @@ PROGRAM = ssl_gtest + EXTRA_LIBS += \ + $(DIST)/lib/$(LIB_PREFIX)gtest.$(LIB_SUFFIX) \ + $(DIST)/lib/$(LIB_PREFIX)cpputil.$(LIB_SUFFIX) \ ++ -lsoftokn3 + $(NULL) + + USE_STATIC_LIBS = 1 +diff -up nss/tests/gtests/gtests.sh.skip-util-gtests nss/tests/gtests/gtests.sh +--- nss/tests/gtests/gtests.sh.skip-util-gtests 2017-09-20 08:47:27.000000000 +0200 ++++ nss/tests/gtests/gtests.sh 2017-10-19 11:03:57.473976538 +0200 +@@ -83,7 +83,7 @@ gtest_cleanup() + } + + ################## main ################################################# +-GTESTS="prng_gtest certhigh_gtest certdb_gtest der_gtest pk11_gtest util_gtest freebl_gtest softoken_gtest blake2b_gtest" ++GTESTS="certhigh_gtest certdb_gtest der_gtest pk11_gtest softoken_gtest" + SOURCE_DIR="$PWD"/../.. + gtest_init $0 + gtest_start diff --git a/SOURCES/nss-sni-c-v-fix.patch b/SOURCES/nss-sni-c-v-fix.patch new file mode 100644 index 0000000..cc52515 --- /dev/null +++ b/SOURCES/nss-sni-c-v-fix.patch @@ -0,0 +1,21 @@ +diff -up nss/tests/ssl/sslauth.txt.sni_c_v_fix nss/tests/ssl/sslauth.txt +--- nss/tests/ssl/sslauth.txt.sni_c_v_fix 2017-04-05 14:23:56.000000000 +0200 ++++ nss/tests/ssl/sslauth.txt 2017-06-02 10:22:27.457072785 +0200 +@@ -64,13 +64,13 @@ + # + # SNI Tests + # +- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI ++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert +- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI ++ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser SSL3 Server hello response without SNI + SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions +- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser TLS Server hello response without SNI ++ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser TLS Server hello response without SNI + SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI +- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS ++ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS + SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:tls1.2_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert diff --git a/SOURCES/nss-sysinit-getenv.patch b/SOURCES/nss-sysinit-getenv.patch new file mode 100644 index 0000000..d3f47bc --- /dev/null +++ b/SOURCES/nss-sysinit-getenv.patch @@ -0,0 +1,57 @@ +diff --git a/lib/sysinit/nsssysinit.c b/lib/sysinit/nsssysinit.c +--- a/lib/sysinit/nsssysinit.c ++++ b/lib/sysinit/nsssysinit.c +@@ -1,11 +1,15 @@ + /* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#define _GNU_SOURCE 1 ++#include ++ + #include "seccomon.h" + #include "prio.h" + #include "prprf.h" + #include "plhash.h" + #include "prenv.h" + + /* + * The following provides a default example for operating systems to set up +@@ -37,17 +41,17 @@ testdir(char *dir) + return S_ISDIR(buf.st_mode); + } + + #define NSS_USER_PATH1 "/.pki" + #define NSS_USER_PATH2 "/nssdb" + static char * + getUserDB(void) + { +- char *userdir = PR_GetEnvSecure("HOME"); ++ char *userdir = secure_getenv("HOME"); + char *nssdir = NULL; + + if (userdir == NULL) { + return NULL; + } + + nssdir = PORT_Alloc(strlen(userdir) + sizeof(NSS_USER_PATH1) + sizeof(NSS_USER_PATH2)); + if (nssdir == NULL) { +@@ -129,17 +133,17 @@ userCanModifySystemDB() + #else + #error "Need to write getUserDB, SystemDB, userIsRoot, and userCanModifySystemDB functions" + #endif + #endif + + static PRBool + getFIPSEnv(void) + { +- char *fipsEnv = PR_GetEnvSecure("NSS_FIPS"); ++ char *fipsEnv = secure_getenv("NSS_FIPS"); + if (!fipsEnv) { + return PR_FALSE; + } + if ((strcasecmp(fipsEnv, "fips") == 0) || + (strcasecmp(fipsEnv, "true") == 0) || + (strcasecmp(fipsEnv, "on") == 0) || + (strcasecmp(fipsEnv, "1") == 0)) { + return PR_TRUE; diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in new file mode 100644 index 0000000..69823cb --- /dev/null +++ b/SOURCES/nss.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS +Description: Network Security Services +Version: %NSS_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 +Cflags: -I${includedir} diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch new file mode 100644 index 0000000..7334c80 --- /dev/null +++ b/SOURCES/p-ignore-setpolicy.patch @@ -0,0 +1,25 @@ +diff -up nss/lib/ssl/sslsock.c.1026677_ignore_set_policy nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.1026677_ignore_set_policy 2017-01-13 17:10:36.049530395 +0100 ++++ nss/lib/ssl/sslsock.c 2017-01-13 17:10:36.053530297 +0100 +@@ -1391,7 +1391,6 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3 + SECStatus + NSS_SetDomesticPolicy(void) + { +- SECStatus status = SECSuccess; + const PRUint16 *cipher; + SECStatus rv; + PRUint32 policy; +@@ -1403,11 +1402,9 @@ NSS_SetDomesticPolicy(void) + } + + for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { +- status = SSL_SetPolicy(*cipher, SSL_ALLOWED); +- if (status != SECSuccess) +- break; ++ (void) SSL_SetPolicy(*cipher, SSL_ALLOWED); + } +- return status; ++ return SECSuccess; + } + + SECStatus diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml new file mode 100644 index 0000000..d30e469 --- /dev/null +++ b/SOURCES/pkcs11.txt.xml @@ -0,0 +1,56 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + pkcs11.txt + 5 + + + + pkcs11.txt + NSS PKCS #11 module configuration file + + + + Description + +The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules. + + +For full documentation visit PKCS #11 Module Specs. + + + + + Files + /etc/pki/nssdb/pkcs11.txt + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch new file mode 100644 index 0000000..ca92f83 --- /dev/null +++ b/SOURCES/renegotiate-transitional.patch @@ -0,0 +1,12 @@ +diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.transitional 2016-08-15 17:57:58.146879056 +0200 ++++ nss/lib/ssl/sslsock.c 2016-08-15 17:58:02.365758224 +0200 +@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: transitional) */ + PR_FALSE, /* requireSafeNegotiation */ + PR_FALSE, /* enableFalseStart */ + PR_TRUE, /* cbcRandomIV */ diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh new file mode 100755 index 0000000..8e1f5f7 --- /dev/null +++ b/SOURCES/setup-nsssysinit.sh @@ -0,0 +1,68 @@ +#!/bin/sh +# +# Turns on or off the nss-sysinit module db by editing the +# global PKCS #11 congiguration file. Displays the status. +# +# This script can be invoked by the user as super user. +# It is invoked at nss-sysinit post install time with argument on. +# +usage() +{ + cat <&2 +fi + +# the system-wide configuration file +p11conf="/etc/pki/nssdb/pkcs11.txt" +# must exist, otherwise report it and exit with failure +if [ ! -f $p11conf ]; then + echo "Could not find ${p11conf}" + exit 1 +fi + +# check if nsssysinit is currently enabled or disabled +sysinit_enabled() +{ + grep -q '^library=libnsssysinit' ${p11conf} +} + +umask 022 +case "$1" in + on | ON ) + if sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on + mv ${p11conf}.on ${p11conf} + ;; + off | OFF ) + if ! sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=libnsssysinit.so/library=/' \ + -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ + ${p11conf}.off + mv ${p11conf}.off ${p11conf} + ;; + status ) + echo -n 'NSS sysinit is ' + sysinit_enabled && echo 'enabled' || echo 'disabled' + ;; + * ) + usage 1 1>&2 + ;; +esac diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt new file mode 100644 index 0000000..c2f5704 --- /dev/null +++ b/SOURCES/system-pkcs11.txt @@ -0,0 +1,5 @@ +library=libnsssysinit.so +name=NSS Internal PKCS #11 Module +parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' +NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) + diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch new file mode 100644 index 0000000..649b548 --- /dev/null +++ b/SOURCES/utilwrap-include-templates.patch @@ -0,0 +1,14 @@ +diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk +--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700 ++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700 +@@ -3,6 +3,10 @@ + # License, v. 2.0. If a copy of the MPL was not distributed with this + # file, You can obtain one at http://mozilla.org/MPL/2.0/. + ++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) ++INCLUDES += -I/usr/include/nss3/templates ++#endif ++ + # can't do this in manifest.mn because OS_TARGET isn't defined there. + ifeq (,$(filter-out WIN%,$(OS_TARGET))) + diff --git a/SPECS/nss.spec b/SPECS/nss.spec new file mode 100644 index 0000000..ad8821b --- /dev/null +++ b/SPECS/nss.spec @@ -0,0 +1,2145 @@ +%global nspr_version 4.17.0 +%global nss_util_version 3.34.0 +%global nss_util_build -1 +# adjust to the version that gets submitted for FIPS validation +%global nss_softokn_fips_version 3.34.0 +%global nss_softokn_version 3.34.0 +# Attention: Separate softokn versions for build and runtime. +%global runtime_required_softokn_build_version -1 +# Building NSS doesn't require the same version of softokn built for runtime. +%global build_required_softokn_build_version -1 + +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" + +# solution taken from icedtea-web.spec +%define multilib_arches ppc64 s390x sparc64 x86_64 +%ifarch %{multilib_arches} +%define alt_ckbi libnssckbi.so.%{_arch} +%else +%define alt_ckbi libnssckbi.so +%endif + +# Define if using a source archive like "nss-version.with.ckbi.version". +# To "disable", add "#" to start of line, AND a space after "%". +#% define nss_ckbi_suffix .with.ckbi.1.93 + +Summary: Network Security Services +Name: nss +Version: 3.34.0 +Release: 4%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} +# TODO: revert to same version as nss once we are done with the merge +Requires: nss-softokn%{_isa} >= %{nss_softokn_version}%{runtime_required_softokn_build_version} +Requires: nss-system-init +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= %{nspr_version} +# TODO: revert to same version as nss once we are done with the merge +# Using '>=' but on RHEL the requires should be '=' +BuildRequires: nss-softokn-devel >= %{nss_softokn_version}%{build_required_softokn_build_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +BuildRequires: sqlite-devel +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl + +# nss-pem used to be bundled with the nss package on Fedora -- make sure that +# programs relying on that continue to work until they are fixed to require +# nss-pem instead. Once all of them are fixed, the following line can be +# removed. See https://bugzilla.redhat.com/1346806 for details. +Requires: nss-pem%{?_isa} + +%if %{defined nss_ckbi_suffix} +%define full_nss_version %{version}%{nss_ckbi_suffix} +%else +%define full_nss_version %{version} +%endif + +Source0: %{name}-%{full_nss_version}.tar.gz +Source1: nss.pc.in +Source2: nss-config.in +Source3: blank-cert8.db +Source4: blank-key3.db +Source5: blank-secmod.db +Source6: blank-cert9.db +Source7: blank-key4.db +Source8: system-pkcs11.txt +Source9: setup-nsssysinit.sh +Source10: PayPalEE.cert +Source17: TestCA.ca.cert +Source18: TestUser50.cert +Source19: TestUser51.cert +Source20: nss-config.xml +Source21: setup-nsssysinit.xml +Source22: pkcs11.txt.xml +Source23: cert8.db.xml +Source24: cert9.db.xml +Source25: key3.db.xml +Source26: key4.db.xml +Source27: secmod.db.xml +Source30: PayPalRootCA.cert +Source31: PayPalICA.cert +Source32: nss-rhel7.config +Source33: TestOldCA.p12 + +Patch2: add-relro-linker-option.patch +Patch3: renegotiate-transitional.patch +Patch16: nss-539183.patch +# TODO: Remove this patch when the ocsp test are fixed +Patch40: nss-3.14.0.0-disble-ocsp-test.patch +# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator +Patch47: utilwrap-include-templates.patch +# TODO remove when we switch to building nss without softoken +Patch49: nss-skip-bltest-and-fipstest.patch +# This patch uses the gcc-iquote dir option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to place the in-tree directories at the head of the list of list of directories +# to be searched for for header files. This ensures a build even when system +# headers are older. Such is the case when starting an update with API changes or even private export changes. +# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. +Patch50: iquote.patch +Patch52: Bug-1001841-disable-sslv2-libssl.patch +Patch53: Bug-1001841-disable-sslv2-tests.patch +Patch55: enable-fips-when-system-is-in-fips-mode.patch +# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677 +Patch56: p-ignore-setpolicy.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144 +Patch62: nss-fix-deadlock-squash.patch +Patch100: fix-min-library-version-in-SSLVersionRange.patch +Patch108: nss-sni-c-v-fix.patch +Patch123: nss-skip-util-gtest.patch +Patch126: nss-reorder-cipher-suites.patch +Patch127: nss-disable-cipher-suites.patch +Patch128: nss-enable-cipher-suites.patch +Patch130: nss-reorder-cipher-suites-gtests.patch +Patch131: nss-disable-tls13-gtests.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520 +Patch135: nss-check-policy-file.patch +# Work around for yum +# https://bugzilla.redhat.com/show_bug.cgi?id=1469526 +Patch141: nss-sysinit-getenv.patch + +# Patches backported from 3.35: +# https://bugzilla.mozilla.org/show_bug.cgi?id=1416265 +Patch144: nss-pk12util-faulty-aes.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1278071 +Patch145: nss-increase-pkcs12-iterations.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1415847 +Patch146: nss-modutil-suppress-password.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1426361 +Patch147: nss-certutil-suppress-password.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1423557 +# https://bugzilla.mozilla.org/show_bug.cgi?id=1415171 +Patch148: nss-pss-fixes.patch +# https://bugzilla.mozilla.org/show_bug.cgi?id=1054373 +Patch149: nss-is-token-present-race.patch + +%description +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +%package tools +Summary: Tools for the Network Security Services +Group: System Environment/Base +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +Install the nss-tools package if you need command-line tools to +manipulate the NSS certificate and key database. + +%package sysinit +Summary: System NSS Initialization +Group: System Environment/Base +# providing nss-system-init without version so that it can +# be replaced by a better one, e.g. supplied by the os vendor +Provides: nss-system-init +Requires: nss = %{version}-%{release} +Requires(post): coreutils, sed + +%description sysinit +Default Operating System module that manages applications loading +NSS globally on the system. This module loads the system defined +PKCS #11 modules for NSS and chains with other NSS modules to load +any system or user configured modules. + +%package devel +Summary: Development libraries for Network Security Services +Group: Development/Libraries +Provides: nss-static = %{version}-%{release} +Requires: nss = %{version}-%{release} +Requires: nss-util-devel +Requires: nss-softokn-devel +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig +BuildRequires: xmlto + +%description devel +Header and Library files for doing development with Network Security Services. + + +%package pkcs11-devel +Summary: Development libraries for PKCS #11 (Cryptoki) using NSS +Group: Development/Libraries +Provides: nss-pkcs11-devel-static = %{version}-%{release} +Requires: nss-devel = %{version}-%{release} +# TODO: revert to using nss_softokn_version once we are done with +# the merge into to new rhel git repo +# For RHEL we should have '=' instead of '>=' +Requires: nss-softokn-freebl-devel >= %{nss_softokn_version} + +%description pkcs11-devel +Library files for developing PKCS #11 modules using basic NSS +low level services. + + +%prep +%setup -q +%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE31} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE33} -f ./nss/tests/tools +%setup -q -T -D -n %{name}-%{version} + +%patch2 -p0 -b .relro +%patch3 -p0 -b .transitional +%patch16 -p0 -b .539183 +%patch40 -p0 -b .noocsptest +%patch47 -p0 -b .templates +%patch49 -p0 -b .skipthem +%patch50 -p0 -b .iquote +pushd nss +%patch52 -p1 -b .disableSSL2libssl +%patch53 -p1 -b .disableSSL2tests +%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode +%patch56 -p1 -b .1026677_ignore_set_policy +%patch62 -p1 -b .fix_deadlock +%patch100 -p0 -b .1171318 +popd +%patch108 -p0 -b .sni_c_v_fix +pushd nss +%patch123 -p1 -b .skip-util-gtests +%patch126 -p1 -b .reorder-cipher-suites +%patch127 -p1 -b .disable-cipher-suites +%patch128 -p1 -b .enable-cipher-suites +%patch130 -p1 -b .reorder-cipher-suites-gtests +%patch131 -p1 -b .disable-tls13-gtests +%patch135 -p1 -b .check_policy_file +%patch141 -p1 -b .sysinit-getenv +%patch144 -p1 -b .pk12util-faulty-aes +%patch145 -p1 -b .increase-pkcs12-iterations +%patch146 -p1 -b .suppress-modutil-password +%patch147 -p1 -b .suppress-certutil-password +%patch148 -p1 -b .pss-fixes +%patch149 -p1 -b .is-token-present-race +popd + +######################################################### +# Higher-level libraries and test tools need access to +# module-private headers from util, freebl, and softoken +# until fixed upstream we must copy some headers locally +######################################################### + +# Copying these header until the upstream bug is accepted +# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 +%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf +%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf + +# Before removing util directory we must save verref.h +# as it will be needed later during the build phase. +%{__mv} ./nss/lib/util/verref.h ./nss/verref.h + +##### Remove util/freebl/softoken and low level tools +######## Remove freebl, softoken and util +%{__rm} -rf ./nss/lib/freebl +%{__rm} -rf ./nss/lib/softoken +%{__rm} -rf ./nss/lib/util +######## Remove nss-softokn test tools as we already ran +# the cipher test suite as part of the nss-softokn build +%{__rm} -rf ./nss/cmd/bltest +%{__rm} -rf ./nss/cmd/fipstest +%{__rm} -rf ./nss/cmd/rsaperf_low + +pushd nss/tests/ssl +# Create versions of sslcov.txt and sslstress.txt that disable tests +# for SSL2 and EXPORT ciphers. +cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt +cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt +popd + +%build + +export NSS_NO_SSL2=1 + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +# Enable compiler optimizations and disable debugging code +export BUILD_OPT=1 + +# Uncomment to disable optimizations +# RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g' -e 's/ -Wp,-D_FORTIFY_SOURCE=2//g'` +# export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS + +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=%{_libdir} + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR + +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} + +export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` +export FREEBL_LIB_DIR=%{_libdir} +export USE_SYSTEM_FREEBL=1 +# FIXME choose one or the other style and submit a patch upstream +# wtc has suggested using NSS_USE_SYSTEM_FREEBL +export NSS_USE_SYSTEM_FREEBL=1 + +export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn` + +export SOFTOKEN_LIB_DIR=%{_libdir} +# use the system ones +export USE_SYSTEM_NSSUTIL=1 +export USE_SYSTEM_SOFTOKEN=1 + +# tell the upstream build system what we are doing +export NSS_BUILD_WITHOUT_SOFTOKEN=1 + +NSS_USE_SYSTEM_SQLITE=1 +export NSS_USE_SYSTEM_SQLITE + +export NSS_ALLOW_SSLKEYLOGFILE=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +##### phase 2: build the rest of nss +export NSS_BLTEST_NOT_AVAILABLE=1 + +export NSS_DISABLE_TLS_1_3=1 + +%{__make} -C ./nss/coreconf +%{__make} -C ./nss/lib/dbm + +# Set the policy file location +# if set NSS will always check for the policy file and load if it exists +export POLICY_FILE="nss-rhel7.config" +# location of the policy file +export POLICY_PATH="/etc/pki/nss-legacy" + +# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c +# need nss/lib/util/verref.h which is exported privately, +# copy the one we saved during prep so it they can find it. +%{__mkdir_p} ./dist/private/nss +%{__mv} ./nss/verref.h ./dist/private/nss/verref.h + +%{__make} -C ./nss +unset NSS_BLTEST_NOT_AVAILABLE + +# build the man pages clean +pushd ./nss +%{__make} clean_docs build_docs +popd + +# and copy them to the dist directory for %%install to find them +%{__mkdir_p} ./dist/doc/nroff +%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff + +# Set up our package file +# The nspr_version and nss_{util|softokn}_version globals used +# here match the ones nss has for its Requires. +# Using the current %%{nss_softokn_version} for fedora again +%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSS_VERSION%%,%{version},g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + ./dist/pkgconfig/nss.pc + +NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` +NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` +NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` + +export NSS_VMAJOR +export NSS_VMINOR +export NSS_VPATCH + +%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ + > ./dist/pkgconfig/nss-config + +chmod 755 ./dist/pkgconfig/nss-config + +%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh +chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh + +%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ + +date +"%e %B %Y" | tr -d '\n' > date.xml +echo -n %{version} > version.xml + +# configuration files and setup script +for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do + cp ${m} . +done +for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do + xmlto man ${m} +done + +# nss databases considered to be configuration files +for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do + cp ${m} . +done +for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do + xmlto man ${m} +done + + +%check +if [ ${DISABLETEST:-0} -eq 1 ]; then + echo "testing disabled" + exit 0 +fi + +# Begin -- copied from the build section + +# inform the ssl test scripts that SSL2 is disabled +export NSS_NO_SSL2=1 + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +export BUILD_OPT=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +export NSS_BLTEST_NOT_AVAILABLE=1 + +export NSS_DISABLE_TLS_1_3=1 + +export NSS_FORCE_FIPS=1 + +# needed for the fips mangling test +export SOFTOKEN_LIB_DIR=%{_libdir} + +# End -- copied from the build section + +# enable the following line to force a test failure +# find ./nss -name \*.chk | xargs rm -f + +# Run test suite. +# In order to support multiple concurrent executions of the test suite +# (caused by concurrent RPM builds) on a single host, +# we'll use a random port. Also, we want to clean up any stuck +# selfserv processes. If process name "selfserv" is used everywhere, +# we can't simply do a "killall selfserv", because it could disturb +# concurrent builds. Therefore we'll do a search and replace and use +# a different process name. +# Using xargs doesn't mix well with spaces in filenames, in order to +# avoid weird quoting we'll require that no spaces are being used. + +SPACEISBAD=`find ./nss/tests | grep -c ' '` ||: +if [ $SPACEISBAD -ne 0 ]; then + echo "error: filenames containing space are not supported (xargs)" + exit 1 +fi +MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||: +RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||: +DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||: +pushd `pwd` +cd $DISTBINDIR +ln -s selfserv $RANDSERV +popd +# man perlrun, man perlrequick +# replace word-occurrences of selfserv with selfserv_$MYRAND +find ./nss/tests -type f |\ + grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\ + grep -vw CVS |xargs grep -lw selfserv |\ + xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||: + +killall $RANDSERV || : + +rm -rf ./tests_results +pushd ./nss/tests/ +# all.sh is the test suite script + +# don't need to run all the tests when testing packaging +# nss_cycles: standard pkix upgradedb sharedb +%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr +# nss_ssl_run: cov auth stress +# +# Uncomment these lines if you need to temporarily +# disable some test suites for faster test builds +# global nss_ssl_tests "normal_fips" +# global nss_ssl_run "cov auth" + +# Temporarily disabling ssl stress tests for s390 +%ifarch s390 +%global nss_ssl_run "cov auth" +%endif + +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh + +popd + +# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. +killall $RANDSERV || : + +TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then + echo "okay: test suite detected no failures" +else + %ifarch %{arm} + : + # do nothing on arm where the test suite is failing and has been + # for while, do run the test suite but make it non fatal on arm + %else + if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then + # while a situation in which grep return status is 0 and it doesn't output + # anything shouldn't happen, set the default to something that is + # obviously wrong (-1) + echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" + exit 1 + else + if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then + echo "error: grep has not found log file" + exit 1 + else + echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" + exit 1 + fi + fi +%endif +fi +echo "test suite completed" + +%install + +%{__rm} -rf $RPM_BUILD_ROOT + +# There is no make install target so we'll do it ourselves. + +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig + +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 +mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 + +touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so +%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so + +# Copy the binary libraries we want +for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so +do + %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Install the empty NSS db files +# Legacy db +%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb +%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db +%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db +%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db +# Shared db +%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db +%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db +%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt + +# Copy the development libraries we want +for file in libcrmf.a libnssb.a libnssckfw.a +do + %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the binaries we want +for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap +do + %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir} +done + +# Copy the binaries we ship as unsupported +for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain +do + %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} +done + +# Copy the include files we want +for file in dist/public/nss/*.h +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the template files we want +for file in dist/private/nss/nssck.api +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +done + +# Copy the package configuration files +%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config +# Copy the pkcs #11 configuration script +%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +# install a symbolic link to it, without the ".sh" suffix, +# that matches the man page documentation +ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit + +# Copy the man pages for scripts +for f in nss-config setup-nsssysinit; do + install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 +done +# Copy the man pages for the nss tools +for f in "%{allTools}"; do + install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 +done +# Copy the man pages for the configuration files +for f in pkcs11.txt; do + install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 +done +# Copy the man pages for the nss databases +for f in cert8.db cert9.db key3.db key4.db secmod.db; do + install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 +done + +%{__mkdir_p} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy +%{__install} -p -m 644 %{SOURCE32} $RPM_BUILD_ROOT%{_sysconfdir}/pki/nss-legacy/nss-rhel7.config + +%clean +%{__rm} -rf $RPM_BUILD_ROOT + +%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3 +# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet +# from previous versions of nss.spec +/usr/bin/setup-nsssysinit.sh on + +%post +# If we upgrade, and the shared filename is a regular file, then we must +# remove it, before we can install the alternatives symbolic link. +if [ $1 -gt 1 ] ; then + # when upgrading or downgrading + if ! test -L %{_libdir}/libnssckbi.so; then + rm -f %{_libdir}/libnssckbi.so + fi +fi +# Install the symbolic link +# FYI: Certain other packages use alternatives --set to enforce that the first +# installed package is preferred. We don't do that. Highest priority wins. +%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \ + %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10 +/sbin/ldconfig + +%postun +if [ $1 -eq 0 ] ; then + # package removal + %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so +else + # upgrade or downgrade + # If the new installed package uses a regular file (not a symblic link), + # then cleanup the alternatives link. + if ! test -L %{_libdir}/libnssckbi.so; then + %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so + fi +fi +/sbin/ldconfig + + +%files +%defattr(-,root,root) +%{_libdir}/libnss3.so +%{_libdir}/libssl3.so +%{_libdir}/libsmime3.so +%ghost %{_libdir}/libnssckbi.so +%{_libdir}/nss/libnssckbi.so +%dir %{_sysconfdir}/pki/nssdb +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db +%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt +%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz +%dir %{_sysconfdir}/pki/nss-legacy +%config(noreplace) %{_sysconfdir}/pki/nss-legacy/nss-rhel7.config + +%files sysinit +%defattr(-,root,root) +%{_libdir}/libnsssysinit.so +%{_bindir}/setup-nsssysinit.sh +# symbolic link to setup-nsssysinit.sh +%{_bindir}/setup-nsssysinit +%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz + +%files tools +%defattr(-,root,root) +%{_bindir}/certutil +%{_bindir}/cmsutil +%{_bindir}/crlutil +%{_bindir}/modutil +%{_bindir}/pk12util +%{_bindir}/signtool +%{_bindir}/signver +%{_bindir}/ssltap +%{unsupported_tools_directory}/atob +%{unsupported_tools_directory}/btoa +%{unsupported_tools_directory}/derdump +%{unsupported_tools_directory}/listsuites +%{unsupported_tools_directory}/ocspclnt +%{unsupported_tools_directory}/pp +%{unsupported_tools_directory}/selfserv +%{unsupported_tools_directory}/strsclnt +%{unsupported_tools_directory}/symkeyutil +%{unsupported_tools_directory}/tstclnt +%{unsupported_tools_directory}/vfyserv +%{unsupported_tools_directory}/vfychain +# instead of %%{_mandir}/man*/* let's list them explicitely +# supported tools +%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz +# unsupported tools +%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz +%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz + +%files devel +%defattr(-,root,root) +%{_libdir}/libcrmf.a +%{_libdir}/pkgconfig/nss.pc +%{_bindir}/nss-config +%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz + +%dir %{_includedir}/nss3 +%{_includedir}/nss3/cert.h +%{_includedir}/nss3/certdb.h +%{_includedir}/nss3/certt.h +%{_includedir}/nss3/cmmf.h +%{_includedir}/nss3/cmmft.h +%{_includedir}/nss3/cms.h +%{_includedir}/nss3/cmsreclist.h +%{_includedir}/nss3/cmst.h +%{_includedir}/nss3/crmf.h +%{_includedir}/nss3/crmft.h +%{_includedir}/nss3/cryptohi.h +%{_includedir}/nss3/cryptoht.h +%{_includedir}/nss3/sechash.h +%{_includedir}/nss3/jar-ds.h +%{_includedir}/nss3/jar.h +%{_includedir}/nss3/jarfile.h +%{_includedir}/nss3/key.h +%{_includedir}/nss3/keyhi.h +%{_includedir}/nss3/keyt.h +%{_includedir}/nss3/keythi.h +%{_includedir}/nss3/nss.h +%{_includedir}/nss3/nssckbi.h +%{_includedir}/nss3/ocsp.h +%{_includedir}/nss3/ocspt.h +%{_includedir}/nss3/p12.h +%{_includedir}/nss3/p12plcy.h +%{_includedir}/nss3/p12t.h +%{_includedir}/nss3/pk11func.h +%{_includedir}/nss3/pk11pqg.h +%{_includedir}/nss3/pk11priv.h +%{_includedir}/nss3/pk11pub.h +%{_includedir}/nss3/pk11sdr.h +%{_includedir}/nss3/pkcs12.h +%{_includedir}/nss3/pkcs12t.h +%{_includedir}/nss3/pkcs7t.h +%{_includedir}/nss3/preenc.h +%{_includedir}/nss3/secmime.h +%{_includedir}/nss3/secmod.h +%{_includedir}/nss3/secmodt.h +%{_includedir}/nss3/secpkcs5.h +%{_includedir}/nss3/secpkcs7.h +%{_includedir}/nss3/smime.h +%{_includedir}/nss3/ssl.h +%{_includedir}/nss3/sslerr.h +%{_includedir}/nss3/sslexp.h +%{_includedir}/nss3/sslproto.h +%{_includedir}/nss3/sslt.h + + +%files pkcs11-devel +%defattr(-, root, root) +%{_includedir}/nss3/nssbase.h +%{_includedir}/nss3/nssbaset.h +%{_includedir}/nss3/nssckepv.h +%{_includedir}/nss3/nssckft.h +%{_includedir}/nss3/nssckfw.h +%{_includedir}/nss3/nssckfwc.h +%{_includedir}/nss3/nssckfwt.h +%{_includedir}/nss3/nssckg.h +%{_includedir}/nss3/nssckmdt.h +%{_includedir}/nss3/nssckt.h +%{_includedir}/nss3/templates/nssck.api +%{_libdir}/libnssb.a +%{_libdir}/libnssckfw.a + + +%changelog +* Mon Jan 15 2018 Daiki Ueno - 3.34.0-4 +- Re-enable nss-is-token-present-race.patch + +* Fri Jan 5 2018 Daiki Ueno - 3.34.0-3 +- Temporarily disable nss-is-token-present-race.patch + +* Thu Jan 4 2018 Daiki Ueno - 3.34.0-2 +- Backport necessary changes from 3.35 + +* Fri Nov 24 2017 Daiki Ueno - 3.34.0-1 +- Rebase to NSS 3.34 + +* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1 +- Rebase to NSS 3.34.BETA1 + +* Wed Oct 25 2017 Daiki Ueno - 3.33.0-3 +- Disable TLS 1.3 + +* Wed Oct 18 2017 Daiki Ueno - 3.33.0-2 +- Enable TLS 1.3 + +* Mon Oct 16 2017 Daiki Ueno - 3.33.0-1 +- Rebase to NSS 3.33 +- Disable TLS 1.3, temporarily disable failing gtests (Skip13Variants) +- Temporarily disable race.patch and nss-3.16-token-init-race.patch, + which causes a deadlock in newly added test cases +- Remove upstreamed patches: moz-1320932.patch, + nss-tstclnt-optspec.patch, + nss-1334976-1336487-1345083-ca-2.14.patch, nss-alert-handler.patch, + nss-tools-sha256-default.patch, nss-is-token-present-race.patch, + nss-pk12util.patch, nss-ssl3gthr.patch, and nss-transcript.patch + +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-14 +- Add backward compatibility to pk12util regarding faulty PBES2 AES encryption + +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-13 +- Update iquote.patch to prefer nss.h from the source + +* Mon Oct 16 2017 Daiki Ueno - 3.28.4-12 +- Add backward compatibility to pk12util regarding password encoding + +* Thu Aug 10 2017 Daiki Ueno - 3.28.4-11 +- Backport patch to simplify transcript calculation for CertificateVerify +- Enable TLS 1.3 and RSA-PSS +- Disable some upstream tests failing due to downstream ciphersuites changes + +* Thu Jul 13 2017 Daiki Ueno - 3.28.4-10 +- Work around yum crash due to new NSPR symbol being used in nss-sysinit, + patch by Kai Engert + +* Fri Jun 2 2017 Daiki Ueno - 3.28.4-9 +- Fix typo in nss-sni-c-v-fix.patch + +* Fri May 5 2017 Kai Engert - 3.28.4-8 +- Include CKBI 2.14 and updated CA constraints from NSS 3.28.5 + +* Fri May 5 2017 Daiki Ueno - 3.28.4-7 +- Update nss-pk12util.patch to include fix from mozbz#1353724. + +* Wed May 3 2017 Daiki Ueno - 3.28.4-6 +- Update nss-alert-handler.patch with the upstream fix from mozbz#1360207. + +* Fri Apr 28 2017 Daiki Ueno - 3.28.4-5 +- Fix zero-length record treatment for stream ciphers and SSLv2 + +* Thu Apr 27 2017 Daiki Ueno - 3.28.4-4 +- Correctly set policy file location when building + +* Wed Apr 26 2017 Daiki Ueno - 3.28.4-3 +- Reorder ChaCha20-Poly1305 cipher suites, as suggested in: + https://bugzilla.redhat.com/show_bug.cgi?id=1373158#c9 + +* Thu Apr 20 2017 Daiki Ueno - 3.28.4-2 +- Rebase to NSS 3.28.4 +- Update nss-pk12util.patch with backport of mozbz#1353325 + +* Thu Mar 16 2017 Daiki Ueno - 3.28.3-5 +- Switch default hash algorithm used by tools from SHA-1 to SHA-256 +- Avoid race condition in nssSlot_IsTokenPresent() +- Enable SHA-2 and AES in pk12util +- Disable RSA-PSS for now + +* Fri Mar 10 2017 Daiki Ueno - 3.28.3-4 +- Utilize CKA_NSS_MOZILLA_CA_POLICY attribute, patch by Kai Engert +- Backport changes adding SSL alert callbacks from upstream +- Add nss-check-policy-file.patch from Fedora +- Install policy config in /etc/pki/nss-legacy/nss-rhel7.config + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-3 +- Make sure 32bit nss-pem always be installed with 32bit nss in + multlib environment, patch by Kamil Dudka +- Enable new algorithms supported by the new nss-softokn + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2 +- Rebase to NSS 3.28.3 +- Bump required version of nss-softokn + +* Wed Feb 15 2017 Daiki Ueno - 3.28.2-3 +- Remove %%nss_cycles setting, which was also mistakenly added +- Re-enable BUILD_OPT, mistakenly disabled in the previous build +- Prevent ABI incompatibilty of SECKEYECPublicKey +- Disable TLS_ECDHE_{RSA,ECDSA}_WITH_AES_128_CBC_SHA256 by default +- Enable 4 AES_256_GCM_SHA384 ciphersuites, enabled by the downstream + patch in the previous release +- Fix crash with tstclnt -W +- Always enable gtests for supported features +- Add patch to fix bash syntax error in tests/ssl.sh +- Build with support for SSLKEYLOGFILE +- Disable the use of RSA-PSS with SSL/TLS + +* Tue Feb 14 2017 Daiki Ueno - 3.28.2-2 +- Decouple nss-pem from the nss package +- Resolves: #1316546 + +* Mon Feb 13 2017 Daiki Ueno - 3.28.2-1.1 +- Remove mistakenly added R: nss-pem + +* Fri Feb 10 2017 Daiki Ueno - 3.28.2-1.0 +- Rebase to NSS 3.28.2 +- Remove NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITE_B setting, which + is no-op now +- Enable gtests when requested +- Remove nss-646045.patch and fix-nss-test-filtering.patch, which are + not necessary +- Remove sslauth-no-v2.patch and + nss-sslstress-txt-ssl3-lower-value-in-range.patch, as SSLv2 is + already disabled in upstream +- Remove ssl-server-min-key-sizes.patch, as we decided to support DH + key size greater than 1023 bits +- Remove local patches for SHA384 cipher suites (now supported in + upstream): dhe-sha384-dss-support.patch, + client_auth_for_sha384_prf_support.patch, + nss-fix-client-auth-init-hashes.patch, nss-map-oid-to-hashalg.patch, + nss-enable-384-cipher-tests.patch, nss-fix-signature-and-hash.patch, + fix-allowed-sig-alg.patch, tests-extra.patch +- Remove upstreamed patches: rh1238290.patch, + fix-reuse-of-session-cache-entry.patch, flexible-certverify.patch, + call-restartmodules-in-nssinit.patch + +* Wed Oct 26 2016 Daiki Ueno - 3.21.3-1 +- Rebase to NSS 3.21.3 +- Resolves: #1383887 + +* Thu Jun 30 2016 Kai Engert - 3.21.0-17 +- remove additional false duplicates from sha384 downstream patches + +* Tue Jun 28 2016 Kai Engert - 3.21.0-16 +- enable ssl_gtests (without extended master secret tests), Bug 1298692 +- call SECMOD_RestartModules in nss_Init, Bug 1317691 + +* Fri Jun 17 2016 Kai Engert - 3.21.0-15 +- escape all percent characters in all changelog comments + +* Fri Jun 17 2016 Kai Engert - 3.21.0-14 +- Support TLS 1.2 certificate_verify hashes other than PRF, + backported fix from NSS 3.25 (upstream bug 1179338). + +* Mon May 23 2016 Elio Maldonado - 3.21.0-13 +- Fix reuse of session cache entry +- Resolves: Bug 1241172 - Certificate verification fails with multiple https urls + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-12 +- Fix a flaw in %%check for nss not building on arm +- Resolves: Bug 1200856 + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-11 +- Cleanup: Remove unnecessary %%posttrans script from nss.spec +- Resolves: Bug 1174201 + +* Wed Apr 20 2016 Elio Maldonado - 3.21.0-10 +- Merge fixes from the rhel-7.2 branch +- Fix a bogus %%changelog entry +- Resolves: Bug 1297941 + +* Fri Apr 15 2016 Kai Engert - 3.21.0-9 +- Rebuild to require the latest nss-util build and nss-softokn build. + +* Mon Apr 11 2016 Kai Engert - 3.21.0-8 +- Update the minimum nss-softokn build required at runtime. + +* Mon Apr 04 2016 Elio Maldonado - 3.21.0-7 +- Delete duplicates from one table + +* Tue Mar 29 2016 Kai Engert - 3.21.0-6 +- Fix missing support for sha384/dsa in certificate_request + +* Wed Mar 23 2016 Kai Engert - 3.21.0-5 +- Merge fixes from the rhel-7.2 branch +- Fix the SigAlgs sent in certificate_request +- Ensure all ssl.sh tests are executed +- Update sslauth test patch to run additional tests + +* Fri Feb 26 2016 Elio Maldonado - 3.21.0-2 +- Fix sha384 support and testing patches + +* Wed Feb 17 2016 Elio Maldonado - 3.21.0-1 +- Rebase to NSS-3.21 + +* Tue Dec 15 2015 Elio Maldonado - 3.19.1-19 +- Prevent TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol +- Fix a mockbuild reported bad %%if condition when using the __isa_bits macro instead of list of 64-bit architectures +- Change the test to %%if 0%%{__isa_bits} == 64 as required for building the srpm which is noarch +- Resolves: Bug 1289884 + +* Wed Oct 21 2015 Kai Engert - 3.19.1-18 +- Rebuild against updated NSPR + +* Thu Sep 03 2015 Elio Maldonado - 3.19.1-17 +- Change the required_softokn_build_version back to -13 +- Ensure we use nss-softokn-3.16.2.3-13.el7_1 + +* Thu Sep 03 2015 Elio Maldonado - 3.19.1-16 +- Fix check for public key size of DSA certificates +- Use size of prime P not the size of dsa.publicValue + +* Mon Aug 31 2015 Elio Maldonado - 3.19.1-15 +- Reorder the cipher suites and enable two more by default + +* Sun Aug 30 2015 Elio Maldonado - 3.19.1-14 +- Update the required_softokn_build_version to -14 +- Add references to bugs filed upstream for new patches +- Merge ocsp stapling and sslauth sni tests patches into one + +* Sat Aug 29 2015 Elio Maldonado - 3.19.1-13 +- Reorder the cipher suites and enable two more by default +- Fix some of the ssauth sni and ocsp stapling tests + +* Thu Aug 27 2015 Elio Maldonado - 3.19.1-12 +- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers +- Enable ECDSA cipher suites by default, a subset of the ones requested + +* Wed Aug 26 2015 Elio Maldonado - 3.19.1-11 +- Support TLS > 1.0 by support while still allowing to connect to SSL3 only servers + +* Mon Aug 17 2015 Elio Maldonado - 3.19.1-10 +- Fix to correctly report integrity mechanism for TLS_RSA_WITH_AES_256_GCM_SHA384 + +* Mon Aug 10 2015 Elio Maldonado - 3.19.1-9 +- Fix checks to skip ssl2/export cipher suites tests to not skip needed tests +- Fix libssl ssl2/export disabling patch to handle NULL cipher cases +- Enable additional cipher suites by default + +* Thu Jul 16 2015 Elio Maldonado - 3.19.1-8 +- Add links to filed upstream bugs to better track patches in spec file + +* Tue Jul 07 2015 Elio Maldonado - 3.19.1-7 +- Package listsuites as part of the unsupported tools + +* Thu Jul 02 2015 Elio Maldonado - 3.19.1-6 +- Bump the release tag + +* Mon Jun 29 2015 Kai Engert - 3.19.1-5 +- Incremental patches to fix SSL/TLS test suite execution, + fix the earlier SHA384 patch, and inform clients to use SHA384 with + certificate_verify if required by NSS. + +* Thu Jun 18 2015 Elio Maldonado - 3.19.1-4 +- Add support for sha384 tls cipher suites +- Add support for server-side hde key exchange +- Add support for DSS+SHA256 ciphersuites + +* Wed Jun 10 2015 Elio Maldonado - 3.19.1-3 +- Reenable a patch that had been mistakenly disabled + +* Wed Jun 10 2015 Elio Maldonado - 3.19.1-2 +- Build against nss-softokn-3.16.2.3-9 + +* Fri Jun 05 2015 Elio Maldonado - 3.19.1-1 +- Rebase to nss-3.19.1 +- Resolves: Bug 1228913 - Rebase to nss-3.19.1 for CVE-2015-4000 [RHEL-7.1] + +* Tue Apr 28 2015 Kai Engert - 3.18.0-6 +- Backport mozbz#1155922 to support SHA512 signatures with TLS 1.2 + +* Thu Apr 23 2015 Kai Engert - 3.18.0-5 +- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1) + +* Fri Apr 17 2015 Elio Maldonado - 3.18.0-4 +- Update and reeneable nss-646045.patch on account of the rebase +- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] + +* Tue Apr 14 2015 Elio Maldonado - 3.18.0-3 +- Fix shell syntax error on nss/tests/all.sh +- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] + +* Fri Apr 10 2015 Elio Maldonado - 3.18.0-2 +- Replace expired PayPal test certificate that breaks the build +- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] + +* Mon Mar 30 2015 Elio Maldonado - 3.18.0-1 +- Resolves: Bug 1200898 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL7.1] + +* Mon Jan 19 2015 Elio Maldonado - 3.16.2.3-5 +- Reverse the sense of a test in patch to fix pk12util segfault +- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files + +* Thu Jan 08 2015 Elio Maldonado - 3.16.2.3-4 +- Fix race condition +- Resolves: Bug 1094468 - 389-ds-base server reported crash in stan_GetCERTCertificate +- under the replication replay failure condition + +* Wed Jan 07 2015 Elio Maldonado - 3.16.2.3-3 +- Resolves: Bug 1174527 - Segfault in pk12util when using -l option with certain .p12 files + +* Tue Nov 25 2014 Elio Maldonado - 3.16.2.3-2 +- Restore patch for certutil man page +- supply missing options descriptions +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + +* Thu Nov 13 2014 Elio Maldonado - 3.16.2-10 +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 +- Support TLS_FALLBACK_SCSV in tstclnt and ssltap + +* Mon Sep 29 2014 Elio Maldonado - 3.16.2-9 +- Resolves: Bug 1145434 - CVE-2014-1568 +- Using a release number higher than on rhel-7.0 branch + +* Mon Aug 11 2014 Elio Maldonado - 3.16.2-4 +- Fix crash in stan_GetCERTCertificate +- Resolves: Bug 1094468 + +* Tue Aug 05 2014 Elio Maldonado 3.16.2-3 +- Generic 32/64 bit platform detection (fix ppc64le build) +- Resolves: Bug 1125619 - nss fails to build on arch: ppc64le (missing dependencies) +- Fix contributed by Peter Robinson + +* Fri Aug 01 2014 Elio Maldonado - 3.16.2-2 +- Fix libssl and test patches that disable ssl2 support +- Resolves: Bug 1123435 +- Replace expired PayPal test certificate with current one + +* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1 +- Rebase to nss-3.16.2 +- Resolves: Bug 1103252 - Rebase RHEL 7.1 to at least NSS 3.16.1 (FF 31) +- Fix test failure detection in the %%check section +- Move removal of unwanted source directories to the end of the %%prep section +- Update various patches on account of the rebase +- Remove unused patches rendered obsolete by the rebase + +* Mon Mar 03 2014 Elio Maldonado - 3.15.4-6 +- Disallow disabling the internal module +- Resolves: Bug 1056036 - nss segfaults with opencryptoki module + +* Thu Feb 20 2014 Elio Maldonado - 3.15.4-5 +- Pick up a fix from rhel-6 and fix an rpm conflict +- Don't hold issuer cert handles in crl cache +- Resolves: Bug 1034409 - deadlock in trust domain and object lock +- Move nss shared db files to the main package +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Mon Jan 27 2014 Elio Maldonado - 3.15.4-4 +- Update pem sources to latest from nss-pem upstream +- Pick up pem module fixes verified on RHEL and applied upstream +- Remove no loger needed pem patches on acccount on this update +- Add comments documenting the iquote.patch +- Resolves: Bug 1054457 - CVE-2013-1740 + +* Sun Jan 26 2014 Elio Maldonado - 3.15.4-3 +- Remove spurious man5 wildcard entry as all manpages are listed by name +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Fri Jan 24 2014 Daniel Mach - 3.15.4-2 +- Mass rebuild 2014-01-24 + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-9 +- Rebase to nss-3.15.4 +- Resolves: Bug 1054457 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue +- Remove no longer needed patches for manpages that were applied upstream +- Remove no longer needed patch to disable ocsp stapling tests +- Update iquote.patch on account of upstream changes +- Update and rename patch to pem/rsawrapr.c on account of upstream changes +- Use the pristine upstream sources for nss without repackaging +- Avoid unneeded manual step which may introduce errors + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-8 +- Fix the spec file to apply the nss ecc list patch for bug 752980 +- Resolves: Bug 752980 - Support ECDSA algorithm in the nss package via puggable ecc + +* Fri Jan 17 2014 Elio Maldonado - 3.15.3-7 +- Move several nss-sysinit manpages tar archives to the %%files +- Resolves: Bug 1050163 - Same files in two packages create rpm conflict + +* Fri Jan 17 2014 Elio Maldonado - 3.15.3-6 +- Fix a coverity scan compile time warning for the pem module +- Resolves: Bug 1002271 - NSS pem module should not require unique base file names + +* Wed Jan 15 2014 Elio Maldonado - 3.15.3-5 +- Resolves: Bug 1002271 - NSS pem module should not require unique base file names + +* Thu Jan 09 2014 Elio Maldonado - 3.15.3-4 +- Improve pluggable ECC support for ECDSA +- Resolves: Bug 752980 - [7.0 FEAT] Support ECDSA algorithm in the nss package + +* Fri Dec 27 2013 Daniel Mach - 3.15.3-3 +- Mass rebuild 2013-12-27 + +* Thu Dec 12 2013 Elio Maldonado - 3.15.3-2 +- Revoke trust in one mis-issued anssi certificate +- Resolves: Bug 1040284 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) [rhel-7.0] + +* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Resolves: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 + +* Wed Nov 13 2013 Elio Maldonado - 3.15.2-10 +- Fix path to script and remove -- from some options in nss-sysinit man page +- Resolves: rhbz#982723 - man page of nss-sysinit worong path and other flaws + +* Tue Nov 12 2013 Elio Maldonado - 3.15.2-9 +- Fix certutil man page options names to be consistent with help +- Resolves: rhbz#948495 - man page scan results for nss +- Remove incorrect count argument in status description in nss-sysinit man page +- Resolves: rhbz#982723 - man page of nss-sysinit incorrect option descriptions + +* Wed Nov 06 2013 Elio Maldonado - 3.15.2-8 +- Fix patch for disabling ssl2 in ssl to correctly set error code +- Fix syntax error reported in the build.log even tough it succeeds +- Add patch top ignore setpolicy result +- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites +- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails + +* Sun Nov 03 2013 Elio Maldonado - 3.15.2-7 +- Fix bash syntax error in patch for disabling ssl2 tests +- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites + +* Sat Nov 02 2013 Elio Maldonado - 3.15.2-6 +- Fix errors in ssl disabling patches for both library and tests +- Add s390x to the multilib_arches definition used for alt_ckbi +- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites + +* Thu Oct 31 2013 Elio Maldonado - 3.15.2-5 +- Fix errors in nss-sysinit manpage options descriptions +- Resolves: rhbz#982723 + +* Tue Oct 29 2013 Elio Maldonado - 3.15.2-4 +- Enable fips when system is in fips mode +- Resolves: rhbz#852023 - FIPS mode detection does not work + +* Tue Oct 29 2013 Elio Maldonado - 3.15.2-3 +- Remove unused and obsoleted patches +- Related: rhbz#1012656 + +* Mon Oct 28 2013 Elio Maldonado - 3.15.2-2 +- Add description of the certutil's --email option to it's manpage +- Resolves: rhbz#Bug 948495 - Man page scan results for nss + +* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1 +- Rebase to nss-3.15.2 +- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL + +* Fri Oct 11 2013 Elio Maldonado - 3.15.1-4 +- Install symlink to nss-sysinit.sh without the .sh suffix +- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script + +* Tue Oct 08 2013 Elio Maldonado - 3.15.1-3 +- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites + +* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2 +- Add upstream bug URL for a patch subitted upstream and remove obsolete script + +* Wed Jul 24 2013 Elio Maldonado - 3.15.1-2 +- Update to NSS_3_15_1_RTM +- Apply various fixes to the man pages and add new ones +- Enable the iquote.patch to access newly introduced types +- Add man page for pkcs11.txt configuration file and cert and key databases +- Add missing option descriptions for {cert|cms|crl}util +- Resolves: rhbz#948495 - Man page scan results for nss +- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit + +* Tue Jul 02 2013 Elio Maldonado - 3.15-6 +- Use the unstripped source tar ball + +* Wed Jun 19 2013 Elio Maldonado - 3.15-5 +- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts +- Resolves: rhbz#606020 - nss security tools lack man pages + +* Tue Jun 18 2013 emaldona - 3.15-4 +- Build nss without softoken or util sources in the tree +- Resolves: rhbz#689918 + +* Mon Jun 17 2013 emaldona - 3.15-3 +- Update ssl-cbc-random-iv-by-default.patch + +* Sun Jun 16 2013 Elio Maldonado - 3.15-2 +- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config + +* Sat Jun 15 2013 Elio Maldonado - 3.15-1 +- Update to NSS_3_15_RTM + +* Tue May 14 2013 Elio Maldonado - 3.14.3-13.0 +- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch + +* Fri Apr 19 2013 Kai Engert - 3.14.3-12.0 +- Add upstream patch to fix rhbz#872761 + +* Sun Mar 24 2013 Kai Engert - 3.14.3-11 +- Update expired test certificates (fixed in upstream bug 852781) + +* Fri Mar 08 2013 Kai Engert - 3.14.3-10 +- Fix incorrect post/postun scripts. Fix broken links in posttrans. + +* Wed Mar 06 2013 Kai Engert - 3.14.3-9 +- Configure libnssckbi.so to use the alternatives system + in order to prepare for a drop in replacement. + +* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 +- Update to NSS_3_14_3_RTM +- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3 +- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack +- Resolves: rhbz#896651 - PEM module trashes private keys if login fails +- Resolves: rhbz#909775 - specfile support for AArch64 +- Resolves: rhbz#910584 - certutil -a does not produce ASCII output + +* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2 +- Allow building nss against older system sqlite + +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + +* Wed Jan 02 2013 Kai Engert - 3.14.1-3 +- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM + +* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2 +- Require nspr >= 4.9.4 +- Fix changelog invalid dates + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + +* Wed Dec 12 2012 Elio Maldonado - 3.14-12 +- Bug 879978 - Install the nssck.api header template where mod_revocator can access it +- Install nssck.api in /usr/includes/nss3/templates + +* Tue Nov 27 2012 Elio Maldonado - 3.14-11 +- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it +- Install nssck.api in /usr/includes/nss3 + +* Mon Nov 19 2012 Elio Maldonado - 3.14-10 +- Bug 870864 - Add support in NSS for Secure Boot + +* Sat Nov 10 2012 Elio Maldonado - 3.14-9 +- Disable bypass code at build time and return failure on attempts to enable at runtime +- Bug 806588 - Disable SSL PKCS #11 bypass at build time + +* Sun Nov 04 2012 Elio Maldonado - 3.14-8 +- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs +- Bug 872124 - nss-3.14 breaks fedpkg new-sources +- Fix should be considered preliminary since the patch may change upon upstream approval + +* Thu Nov 01 2012 Elio Maldonado - 3.14-7 +- Add a dummy source file for testing /preventing fedpkg breakage +- Helps test the fedpkg new-sources and upload commands for breakage by nss updates +- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources + +* Thu Nov 01 2012 Elio Maldonado - 3.14-6 +- Fix a previous unwanted merge from f18 +- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while +- Keeping the patch disabled while we are still in rawhide and +- State in comment that patch is needed for both stable and beta branches +- Update .gitignore to download only the new sources + +* Wed Oct 31 2012 Elio Maldonado - 3.14-5 +- Fix the spec file so sechash.h gets installed +- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14 + +* Sat Oct 27 2012 Elio Maldonado - 3.14-4 +- Update the license to MPLv2.0 + +* Wed Oct 24 2012 Elio Maldonado - 3.14-3 +- Use only -f when removing unwanted headers + +* Tue Oct 23 2012 Elio Maldonado - 3.14-2 +- Add secmodt.h to the headers installed by nss-devel +- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14 + +* Mon Oct 22 2012 Elio Maldonado - 3.14-1 +- Update to NSS_3_14_RTM + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1 +- Update to NSS_3_14_RC1 +- update nss-589636.patch to apply to httpdserv +- turn off ocsp tests for now +- remove no longer needed patches +- remove headers shipped by nss-util + +* Fri Oct 05 2012 Kai Engert - 3.13.6-1 +- Update to NSS_3_13_6_RTM + +* Mon Aug 27 2012 Elio Maldonado - 3.13.5-8 +- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 +- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load +- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer +- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix + +* Mon Aug 13 2012 Elio Maldonado - 3.13.5-7 +- Fix pluggable ecc support + +* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Sun Jul 01 2012 Elio Maldonado - 3.13.5-5 +- Fix checkin comment to prevent unwanted expansions of percents + +* Sun Jul 01 2012 Elio Maldonado - 3.13.5-4 +- Resolves: Bug 830410 - Missing Requires %%{?_isa} +- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools +- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib +- Enable sha224 portion of powerup selftest when running test suites +- Require nspr 4.9.1 + +* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3 +- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in + +* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2 +- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in + +* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1 +- Update to NSS_3_13_5_RTM + +* Fri Apr 13 2012 Elio Maldonado - 3.13.4-3 +- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3 + +* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2 +- Resolves: Bug 805723 - Library needs partial RELRO support added +- Patch coreconf/Linux.mk as done on RHEL 6.2 + +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4_RTM +- Update the nss-pem source archive to the latest version +- Remove no longer needed patches +- Resolves: Bug 806043 - use pem files interchangeably in a single process +- Resolves: Bug 806051 - PEM various flaws detected by Coverity +- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name + +* Wed Mar 21 2012 Elio Maldonado - 3.13.3-4 +- Resolves: Bug 805723 - Library needs partial RELRO support added + +* Fri Mar 09 2012 Elio Maldonado - 3.13.3-3 +- Cleanup of the spec file +- Add references to the upstream bugs +- Fix typo in Summary for sysinit + +* Thu Mar 08 2012 Elio Maldonado - 3.13.3-2 +- Pick up fixes from RHEL +- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync +- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update +- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections + +* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1 +- Update to NSS_3_13_3_RTM + +* Mon Jan 30 2012 Tom Callaway - 3.13.1-13 +- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals + +* Thu Jan 26 2012 Elio Maldonado - 3.13.1-12 +- Resolves: Bug 784672 - nss should protect against being called before nss_Init + +* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Jan 06 2012 Elio Maldonado - 3.13.1-11 +- Deactivate a patch currently meant for stable branches only + +* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10 +- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity +- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request + +* Tue Dec 13 2011 elio maldonado - 3.13.1-9 +- Revert to using current nss_softokn_version +- Patch to deal with lack of sha224 is no longer needed + +* Tue Dec 13 2011 Elio Maldonado - 3.13.1-8 +- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV + +* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7 +- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS +- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y +- Only patch blapitest for the lack of sha224 on system freebl +- Completed the patch to make pem link against system freebl + +* Mon Dec 05 2011 Elio Maldonado - 3.13.1-6 +- Removed unwanted /usr/include/nss3 in front of the normal cflags include path +- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible + +* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5 +- Statically link the pem module against system freebl found in buildroot +- Disabling sha224-related powerup selftest until we update softokn +- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support + +* Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4 +- Rebuild with nss-softokn from 3.12 in the buildroot +- Allows the pem module to statically link against 3.12.x freebl +- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo +- Build will be temprarily placed on buildroot override but not pushed in bodhi + +* Fri Nov 04 2011 Elio Maldonado - 3.13.1-2 +- Fix broken dependencies by updating the nss-util and nss-softokn versions + +* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1 +- Update to NSS_3_13_1_RTM +- Update builtin certs to those from NSSCKBI_1_88_RTM + +* Sat Oct 15 2011 Elio Maldonado - 3.13-1 +- Update to NSS_3_13_RTM + +* Sat Oct 08 2011 Elio Maldonado - 3.13-0.1.rc0.1 +- Update to NSS_3_13_RC0 + +* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3 +- Fix attempt to free initilized pointer (#717338) +- Fix leak on pem_CreateObject when given non-existing file name (#734760) +- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410) + +* Tue Sep 06 2011 Kai Engert - 3.12.11-2 +- Update builtins certs to those from NSSCKBI_1_87_RTM + +* Tue Aug 09 2011 Elio Maldonado - 3.12.11-1 +- Update to NSS_3_12_11_RTM + +* Sat Jul 23 2011 Elio Maldonado - 3.12.10-6 +- Indicate the provenance of stripped source tarball (#688015) + +* Mon Jun 27 2011 Michael Schwendt - 3.12.10-5 +- Provide virtual -static package to meet guidelines (#609612). + +* Fri Jun 10 2011 Elio Maldonado - 3.12.10-4 +- Enable pluggable ecc support (#712556) +- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045) + +* Fri May 20 2011 Dennis Gilmore - 3.12.10-3 +- make the testsuite non fatal on arm arches + +* Tue May 17 2011 Elio Maldonado - 3.12.10-2 +- Fix crmf hard-coded maximum size for wrapped private keys (#703656) + +* Fri May 06 2011 Elio Maldonado - 3.12.10-1 +- Update to NSS_3_12_10_RTM + +* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1 +- Update to NSS_3_12_10_BETA1 + +* Mon Apr 11 2011 Elio Maldonado - 3.12.9-15 +- Implement PEM logging using NSPR's own (#695011) + +* Wed Mar 23 2011 Elio Maldonado - 3.12.9-14 +- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM + +* Thu Feb 24 2011 Elio Maldonado - 3.12.9-13 +- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183) + +* Fri Feb 18 2011 Elio Maldonado - 3.12.9-12 +- Add a missing requires for pkcs11-devel (#675196) + +* Tue Feb 15 2011 Elio Maldonado - 3.12.9-11 +- Run the test suites in the check section (#677809) + +* Thu Feb 10 2011 Elio Maldonado - 3.12.9-10 +- Fix cms headers to not use c++ reserved words (#676036) +- Reenabling Bug 499444 patches +- Fix to swap internal key slot on fips mode switches + +* Tue Feb 08 2011 Elio Maldonado - 3.12.9-9 +- Revert patches for 499444 until all c++ reserved words are found and extirpated + +* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Feb 08 2011 Elio Maldonado - 3.12.9-7 +- Fix cms header to not use c++ reserved word (#676036) +- Reenable patches for bug 499444 + +* Tue Feb 08 2011 Christopher Aillon - 3.12.9-6 +- Revert patches for 499444 as they use a C++ reserved word and + cause compilation of Firefox to fail + +* Fri Feb 04 2011 Elio Maldonado - 3.12.9-5 +- Fix the earlier infinite recursion patch (#499444) +- Remove a header that now nss-softokn-freebl-devel ships + +* Tue Feb 01 2011 Elio Maldonado - 3.12.9-4 +- Fix infinite recursion when encoding NSS enveloped/digested data (#499444) + +* Mon Jan 31 2011 Elio Maldonado - 3.12.9-3 +- Update the cacert trust patch per upstream review requests (#633043) + +* Wed Jan 19 2011 Elio Maldonado - 3.12.9-2 +- Fix to honor the user's cert trust preferences (#633043) +- Remove obsoleted patch + +* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 +- Update to 3.12.9 + +* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2 +- Rebuilt according to fedora pre-release package naming guidelines + +* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1 +- Update to NSS_3_12_9_BETA2 +- Fix libpnsspem crash when cacert dir contains other directories (#642433) + +* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1 +- Update to NSS_3_12_9_BETA1 + +* Thu Nov 25 2010 Elio Maldonado - 3.12.8-9 +- Update pem source tar with fixes for 614532 and 596674 +- Remove no longer needed patches + +* Fri Nov 05 2010 Elio Maldonado - 3.12.8-8 +- Update PayPalEE.cert test certificate which had expired + +* Sun Oct 31 2010 Elio Maldonado - 3.12.8-7 +- Tell rpm not to verify md5, size, and modtime of configurations file + +* Mon Oct 18 2010 Elio Maldonado - 3.12.8-6 +- Fix certificates trust order (#643134) +- Apply nss-sysinit-userdb-first.patch last + +* Wed Oct 06 2010 Elio Maldonado - 3.12.8-5 +- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248) + +* Tue Oct 05 2010 Elio Maldonado - 3.12.8-4 +- Fix invalid %%postun scriptlet (#639248) + +* Wed Sep 29 2010 Elio Maldonado - 3.12.8-3 +- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787) +- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801) + +* Mon Sep 27 2010 Elio Maldonado - 3.12.8-2 +- Add posttrans scriptlet (#636787) + +* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 +- Update to 3.12.8 +- Prevent disabling of nss-sysinit on package upgrade (#636787) +- Create pkcs11.txt with correct permissions regardless of umask (#636792) +- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801) +- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612) + +* Sat Sep 18 2010 Elio Maldonado - 3.12.7.99.4-1 +- NSS 3.12.8 RC0 + +* Sun Sep 05 2010 Elio Maldonado - 3.12.7.99.3-2 +- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3 + +* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1 +- NSS 3.12.8 Beta3 +- Fix unclosed comment in renegotiate-transitional.patch + +* Sat Aug 28 2010 Elio Maldonado - 3.12.7-3 +- Change BuildRequries to available version of nss-util-devel + +* Sat Aug 28 2010 Elio Maldonado - 3.12.7-2 +- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch +- Add comments regarding an unversioned provides which triggers rpmlint warning +- Build requires nss-softokn-devel >= 3.12.7 + +* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1 +- Update to 3.12.7 + +* Sat Aug 14 2010 Elio Maldonado - 3.12.6-12 +- Apply the patches to fix rhbz#614532 + +* Mon Aug 09 2010 Elio Maldonado - 3.12.6-11 +- Removed pem sourecs as they are in the cache + +* Mon Aug 09 2010 Elio Maldonado - 3.12.6-10 +- Add support for PKCS#8 encoded PEM RSA private key files (#614532) + +* Sat Jul 31 2010 Elio Maldonado - 3.12.6-9 +- Fix nsssysinit to return userdb ahead of systemdb (#603313) + +* Tue Jun 08 2010 Dennis Gilmore - 3.12.6-8 +- Require and BuildRequire >= the listed version not = + +* Tue Jun 08 2010 Elio Maldonado - 3.12.6-7 +- Require nss-softoken 3.12.6 + +* Sun Jun 06 2010 Elio Maldonado - 3.12.6-6 +- Fix SIGSEGV within CreateObject (#596674) + +* Mon Apr 12 2010 Elio Maldonado - 3.12.6-5 +- Update pem source tar to pick up the following bug fixes: +- PEM - Allow collect objects to search through all objects +- PEM - Make CopyObject return a new shallow copy +- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv + +* Wed Apr 07 2010 Elio Maldonado - 3.12.6-4 +- Update the test cert in the setup phase + +* Wed Apr 07 2010 Elio Maldonado - 3.12.6-3 +- Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071) +- Update PayPalEE test cert with unexpired one (#580207) + +* Thu Mar 18 2010 Elio Maldonado - 3.12.6-2 +- Fix ns.spec to not require nss-softokn (#575001) + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.2 +- rebuilt with all tests enabled + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.1 +- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period +- Disabling ssl tests suites until bug 539183 is resolved + +* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1 +- Update to 3.12.6 +- Reactivate all tests +- Patch tools to validate command line options arguments + +* Mon Jan 25 2010 Elio Maldonado - 3.12.5-8 +- Fix curl related regression and general patch code clean up + +* Wed Jan 13 2010 Elio Maldonado - 3.12.5-5 +- retagging + +* Tue Jan 12 2010 Elio Maldonado - 3.12.5-1.1 +- Fix SIGSEGV on call of NSS_Initialize (#553638) + +* Wed Jan 06 2010 Elio Maldonado - 3.12.5-1.13.2 +- New version of patch to allow root to modify ystem database (#547860) + +* Thu Dec 31 2009 Elio Maldonado - 3.12.5-1.13.1 +- Temporarily disabling the ssl tests + +* Sat Dec 26 2009 Elio Maldonado - 3.12.5-1.13 +- Fix nsssysinit to allow root to modify the nss system database (#547860) + +* Fri Dec 25 2009 Elio Maldonado - 3.12.5-1.11 +- Fix an error introduced when adapting the patch for rhbz #546211 + +* Sat Dec 19 2009 Elio maldonado - 3.12.5-1.9 +- Remove left over trace statements from nsssysinit patching + +* Fri Dec 18 2009 Elio Maldonado - 3.12.5-2.7 +- Fix a misconstructed patch + +* Thu Dec 17 2009 Elio Maldonado - 3.12.5-1.6 +- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221) +- Fix spec so sysinit requires coreutils for post install scriplet (#547067) +- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387) + +* Thu Dec 10 2009 Elio Maldonado - 3.12.5-1.5 +- Fix nsssysinit to set the default flags on the crypto module (#545779) +- Remove redundant header from the pem module + +* Wed Dec 09 2009 Elio Maldonado - 3.12.5-1.1 +- Remove unneeded patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1.1 +- Retagging to include missing patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1 +- Update to 3.12.5 +- Patch to allow ssl/tls clients to interoperate with servers that require renogiation + +* Fri Nov 20 2009 Elio Maldonado - 3.12.4-14.1 +- Retagging + +* Tue Oct 20 2009 Elio Maldonado - 3.12.4-13.1 +- Require nss-softoken of same architecture as nss (#527867) +- Merge setup-nsssysinit.sh improvements from F-12 (#527051) + +* Sat Oct 03 2009 Elio Maldonado - 3.12.4-13 +- User no longer prompted for a password when listing keys an empty system db (#527048) +- Fix setup-nsssysinit to handle more general formats (#527051) + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-12 +- Fix syntax error in setup-nsssysinit.sh + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-11 +- Fix sysinit to be under mozilla/security/nss/lib + +* Sat Sep 26 2009 Elio Maldonado - 3.12.4-10 +- Add nss-sysinit activation/deactivation script + +* Fri Sep 18 2009 Elio Maldonado - 3.12.4-8 +- Restoring nssutil and -rpath-link to nss-config for now - 522477 + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-6 +- Installing shared libraries to %%{_libdir} + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-5 +- Retagging to pick up new sources + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-4 +- Update pem enabling source tar with latest fixes (509705, 51209) + +* Sun Sep 06 2009 Elio Maldonado - 3.12.4-3 +- PEM module implements memory management for internal objects - 509705 +- PEM module doesn't crash when processing malformed key files - 512019 + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-2 +- Remove symbolic links to shared libraries from devel - 521155 +- No rpath-link in nss-softokn-config + +* Tue Sep 01 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 + +* Mon Aug 31 2009 Elio Maldonado - 3.12.3.99.3-30 +- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766 +- Fixed requires and buildrequires as per recommendations in spec file review + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-29 +- Restoring patches 2 and 7 as we still compile all sources +- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-28 +- restore require sqlite + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-27 +- Don't require sqlite for nss + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-26 +- Ensure versions in the requires match those used when creating nss.pc + +* Fri Aug 28 2009 Elio Maldonado - 3.12.3.99.3-25 +- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn +- Add a temprary hack to nss.pc.in to unblock builds + +* Fri Aug 28 2009 Warren Togami - 3.12.3.99.3-24 +- caolan's nss.pc patch + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-23 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-22 +- Fix nss-config not to include nssutil +- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +- disabling all tests while we investigate a buffer overflow bug + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +- disabling some tests while we investigate a buffer overflow bug - 519766 + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-19 +- remove patches that are now in nss-softokn and +- remove spurious exec-permissions for nss.pc per rpmlint +- single requires line in nss.pc.in + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-18 +- Fix BuildRequires: nss-softokn-devel release number + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-16 +- cleanups for softokn + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-15 +- remove the softokn subpackages + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-14 +- don install the nss-util pkgconfig bits + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-13 +- remove from -devel the 3 headers that ship in nss-util-devel + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-12 +- kill off the nss-util nss-util-devel subpackages + +* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11 +- split off nss-softokn and nss-util as subpackages with their own rpms +- first phase of splitting nss-softokn and nss-util as their own packages + +* Thu Aug 20 2009 Elio Maldonado - 3.12.3.99.3-10 +- must install libnssutil3.since nss-util is untagged at the moment +- preserve time stamps when installing various files + +* Thu Aug 20 2009 Dennis Gilmore - 3.12.3.99.3-9 +- dont install libnssutil3.so since its now in nss-util + +* Thu Aug 06 2009 Elio Maldonado - 3.12.3.99.3-7.1 +- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild + +* Sat Jul 25 2009 Fedora Release Engineering - 3.12.3.99.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-6 +- removed two patch files which are no longer needed and fixed previous change log number +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-5 +- updated pem module incorporates various patches +- fix off-by-one error when computing size to reduce memory leak. (483855) +- fix data type to work on x86_64 systems. (429175) +- fix various memory leaks and free internal objects on module unload. (501080) +- fix to not clone internal objects in collect_objects(). (501118) +- fix to not bypass initialization if module arguments are omitted. (501058) +- fix numerous gcc warnings. (500815) +- fix to support arbitrarily long password while loading a private key. (500180) +- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) +* Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 +- add patch for bug 502133 upstream bug 496997 +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-3 +- rebuild with higher release number for upgrade sanity +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-2 +- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75 +* Thu May 07 2009 Kai Engert - 3.12.3-7 +- re-enable test suite +- add patch for upstream bug 488646 and add newer paypal + certs in order to make the test suite pass +* Wed May 06 2009 Kai Engert - 3.12.3-4 +- add conflicts info in order to fix bug 499436 +* Tue Apr 14 2009 Kai Engert - 3.12.3-3 +- ship .chk files instead of running shlibsign at install time +- include .chk file in softokn-freebl subpackage +- add patch for upstream nss bug 488350 +* Tue Apr 14 2009 Kai Engert - 3.12.3-2 +- Update to NSS 3.12.3 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-7 +- temporarily disable the test suite because of bug 494266 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-6 +- fix softokn-freebl dependency for multilib (bug 494122) +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-5 +- introduce separate nss-softokn-freebl package +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-4 +- disable execstack when building freebl +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-3 +- add upstream patch to fix bug 483855 +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-2 +- build nspr-less freebl library +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-1 +- Update to NSS_3_12_3_BETA4 + +* Wed Feb 25 2009 Fedora Release Engineering - 3.12.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Oct 22 2008 Kai Engert - 3.12.2.0-3 +- update to NSS_3_12_2_RC1 +- use system zlib +* Tue Sep 30 2008 Dennis Gilmore - 3.12.1.1-4 +- add sparc64 to the list of 64 bit arches + +* Wed Sep 24 2008 Kai Engert - 3.12.1.1-3 +- bug 456847, move pkgconfig requirement to devel package +* Fri Sep 05 2008 Kai Engert - 3.12.1.1-2 +- Update to NSS_3_12_1_RC2 +* Fri Aug 22 2008 Kai Engert - 3.12.1.0-2 +- NSS 3.12.1 RC1 +* Fri Aug 15 2008 Kai Engert - 3.12.0.3-7 +- fix bug bug 429175 in libpem module +* Tue Aug 05 2008 Kai Engert - 3.12.0.3-6 +- bug 456847, add Requires: pkgconfig +* Tue Jun 24 2008 Kai Engert - 3.12.0.3-3 +- nss package should own /etc/prelink.conf.d folder, rhbz#452062 +- use upstream patch to fix test suite abort +* Mon Jun 02 2008 Kai Engert - 3.12.0.3-2 +- Update to NSS_3_12_RC4 +* Mon Apr 14 2008 Kai Engert - 3.12.0.1-1 +- Update to NSS_3_12_RC2 +* Thu Mar 20 2008 Jesse Keating - 3.11.99.5-2 +- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache. +* Mon Mar 17 2008 Kai Engert - 3.11.99.5-1 +- Update to NSS_3_12_BETA3 +* Fri Feb 22 2008 Kai Engert - 3.11.99.4-1 +- NSS 3.12 Beta 2 +- Use /usr/lib{64} as devel libdir, create symbolic links. +* Sat Feb 16 2008 Kai Engert - 3.11.99.3-6 +- Apply upstream patch for bug 417664, enable test suite on pcc. +* Fri Feb 15 2008 Kai Engert - 3.11.99.3-5 +- Support concurrent runs of the test suite on a single build host. +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-4 +- disable test suite on ppc +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-3 +- disable test suite on ppc64 + +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-2 +- Build against gcc 4.3.0, use workaround for bug 432146 +- Run the test suite after the build and abort on failures. + +* Thu Jan 24 2008 Kai Engert - 3.11.99.3-1 +* NSS 3.12 Beta 1 + +* Mon Jan 07 2008 Kai Engert - 3.11.99.2b-3 +- move .so files to /lib + +* Wed Dec 12 2007 Kai Engert - 3.11.99.2b-2 +- NSS 3.12 alpha 2b + +* Mon Dec 03 2007 Kai Engert - 3.11.99.2-2 +- upstream patches to avoid calling netstat for random data + +* Wed Nov 07 2007 Kai Engert - 3.11.99.2-1 +- NSS 3.12 alpha 2 + +* Wed Oct 10 2007 Kai Engert - 3.11.7-10 +- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist + our signed libraries and protect them from modification. + +* Thu Sep 06 2007 Rob Crittenden - 3.11.7-9 +- Fix off-by-one error in the PEM module + +* Thu Sep 06 2007 Kai Engert - 3.11.7-8 +- fix a C++ mode compilation error + +* Wed Sep 05 2007 Bob Relyea - 3.11.7-7 +- Add 3.12 ckfw and libnsspem + +* Tue Aug 28 2007 Kai Engert - 3.11.7-6 +- Updated license tag + +* Wed Jul 11 2007 Kai Engert - 3.11.7-5 +- Ensure the workaround for mozilla bug 51429 really get's built. + +* Mon Jun 18 2007 Kai Engert - 3.11.7-4 +- Better approach to ship freebl/softokn based on 3.11.5 +- Remove link time dependency on softokn + +* Sun Jun 10 2007 Kai Engert - 3.11.7-3 +- Fix unowned directories, rhbz#233890 + +* Fri Jun 01 2007 Kai Engert - 3.11.7-2 +- Update to 3.11.7, but freebl/softokn remain at 3.11.5. +- Use a workaround to avoid mozilla bug 51429. + +* Fri Mar 02 2007 Kai Engert - 3.11.5-2 +- Fix rhbz#230545, failure to enable FIPS mode +- Fix rhbz#220542, make NSS more tolerant of resets when in the + middle of prompting for a user password. + +* Sat Feb 24 2007 Kai Engert - 3.11.5-1 +- Update to 3.11.5 +- This update fixes two security vulnerabilities with SSL 2 +- Do not use -rpath link option +- Added several unsupported tools to tools package + +* Tue Jan 9 2007 Bob Relyea - 3.11.4-4 +- disable ECC, cleanout dead code + +* Tue Nov 28 2006 Kai Engert - 3.11.4-1 +- Update to 3.11.4 + +* Thu Sep 14 2006 Kai Engert - 3.11.3-2 +- Revert the attempt to require latest NSPR, as it is not yet available + in the build infrastructure. + +* Thu Sep 14 2006 Kai Engert - 3.11.3-1 +- Update to 3.11.3 + +* Thu Aug 03 2006 Kai Engert - 3.11.2-2 +- Add /etc/pki/nssdb + +* Wed Jul 12 2006 Jesse Keating - 3.11.2-1.1 +- rebuild + +* Fri Jun 30 2006 Kai Engert - 3.11.2-1 +- Update to 3.11.2 +- Enable executable bit on shared libs, also fixes debug info. + +* Wed Jun 14 2006 Kai Engert - 3.11.1-2 +- Enable Elliptic Curve Cryptography (ECC) + +* Fri May 26 2006 Kai Engert - 3.11.1-1 +- Update to 3.11.1 +- Include upstream patch to limit curves + +* Wed Feb 15 2006 Kai Engert - 3.11-4 +- add --noexecstack when compiling assembler on x86_64 + +* Fri Feb 10 2006 Jesse Keating - 3.11-3.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.11-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Jan 19 2006 Ray Strode 3.11-3 +- rebuild + +* Fri Dec 16 2005 Christopher Aillon 3.11-2 +- Update file list for the devel packages + +* Thu Dec 15 2005 Christopher Aillon 3.11-1 +- Update to 3.11 + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs.2 +- Add patch to allow building on ppc* +- Update the pkgconfig file to Require nspr + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs +- Initial import into Fedora Core, based on a CVS snapshot of + the NSS_3_11_RTM tag +- Fix up the pkcs11-devel subpackage to contain the proper headers +- Build with RPM_OPT_FLAGS +- No need to have rpath of /usr/lib in the pc file + +* Thu Dec 15 2005 Kai Engert +- Adressed review comments by Wan-Teh Chang, Bob Relyea, + Christopher Aillon. + +* Sat Jul 9 2005 Rob Crittenden 3.10-1 +- Initial build