diff --git a/.gitignore b/.gitignore
index 4befa78..eda990c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,4 @@ SOURCES/blank-cert9.db
 SOURCES/blank-key3.db
 SOURCES/blank-key4.db
 SOURCES/blank-secmod.db
-SOURCES/nss-3.79.tar.gz
+SOURCES/nss-3.90.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index b374a5a..f78c944 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -3,4 +3,4 @@ b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
 7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
 bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
-3719dd97c8ec9cb04aa61e6aca41b129b4adc004 SOURCES/nss-3.79.tar.gz
+1e7d2f16655281cfb2972688af1605e0de302481 SOURCES/nss-3.90.tar.gz
diff --git a/SOURCES/cve-2023-0767.patch b/SOURCES/cve-2023-0767.patch
deleted file mode 100644
index fc5d4fa..0000000
--- a/SOURCES/cve-2023-0767.patch
+++ /dev/null
@@ -1,92 +0,0 @@ -diff --git a/lib/pkcs12/p12d.c b/lib/pkcs12/p12d.c ---- a/lib/pkcs12/p12d.c -+++ b/lib/pkcs12/p12d.c -@@ -335,35 +335,42 @@ - sec_PKCS12SafeContentsContext *safeContentsCtx = - (sec_PKCS12SafeContentsContext *)arg; - SEC_PKCS12DecoderContext *p12dcx; - SECStatus rv; - -- /* make sure that we are not skipping the current safeBag, -- * and that there are no errors. If so, just return rather -- * than continuing to process. -- */ -- if (!safeContentsCtx || !safeContentsCtx->p12dcx || -- safeContentsCtx->p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ if (!safeContentsCtx || !safeContentsCtx->p12dcx || !safeContentsCtx->currentSafeBagA1Dcx) { - return; - } - p12dcx = safeContentsCtx->p12dcx; - -+ /* make sure that there are no errors and we are not skipping the current safeBag */ -+ if (p12dcx->error || safeContentsCtx->skipCurrentSafeBag) { -+ goto loser; -+ } -+ - rv = SEC_ASN1DecoderUpdate(safeContentsCtx->currentSafeBagA1Dcx, data, len); - if (rv != SECSuccess) { - p12dcx->errorValue = PORT_GetError(); -+ p12dcx->error = PR_TRUE; -+ goto loser; -+ } -+ -+ /* The update may have set safeContentsCtx->skipCurrentSafeBag, and we -+ * may not get another opportunity to clean up the decoder context. -+ */ -+ if (safeContentsCtx->skipCurrentSafeBag) { - goto loser; - } - - return; - - loser: -- /* set the error, and finish the decoder context. because there -+ /* Finish the decoder context. Because there - * is not a way of returning an error message, it may be worth - * while to do a check higher up and finish any decoding contexts - * that are still open. 
- */ -- p12dcx->error = PR_TRUE; - SEC_ASN1DecoderFinish(safeContentsCtx->currentSafeBagA1Dcx); - safeContentsCtx->currentSafeBagA1Dcx = NULL; - return; - } - -diff --git a/lib/pkcs12/p12t.h b/lib/pkcs12/p12t.h ---- a/lib/pkcs12/p12t.h -+++ b/lib/pkcs12/p12t.h -@@ -71,10 +71,11 @@ - SECKEYEncryptedPrivateKeyInfo *pkcs8ShroudedKeyBag; - sec_PKCS12CertBag *certBag; - sec_PKCS12CRLBag *crlBag; - sec_PKCS12SecretBag *secretBag; - sec_PKCS12SafeContents *safeContents; -+ SECItem *unknownBag; - } safeBagContent; - - sec_PKCS12Attribute **attribs; - - /* used locally */ -diff --git a/lib/pkcs12/p12tmpl.c b/lib/pkcs12/p12tmpl.c ---- a/lib/pkcs12/p12tmpl.c -+++ b/lib/pkcs12/p12tmpl.c -@@ -28,16 +28,16 @@ - - safeBag = (sec_PKCS12SafeBag *)src_or_dest; - - oiddata = SECOID_FindOID(&safeBag->safeBagType); - if (oiddata == NULL) { -- return SEC_ASN1_GET(SEC_AnyTemplate); -+ return SEC_ASN1_GET(SEC_PointerToAnyTemplate); - } - - switch (oiddata->offset) { - default: -- theTemplate = SEC_ASN1_GET(SEC_AnyTemplate); -+ theTemplate = SEC_ASN1_GET(SEC_PointerToAnyTemplate); - break; - case SEC_OID_PKCS12_V1_KEY_BAG_ID: - theTemplate = SEC_ASN1_GET(SECKEY_PointerToPrivateKeyInfoTemplate); - break; - case SEC_OID_PKCS12_V1_CERT_BAG_ID: - diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch index 4908c00..6e4adcd 100644 --- a/SOURCES/iquote.patch +++ b/SOURCES/iquote.patch 
@@ -1,228 +1,13 @@ -diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile ---- ./nss/cmd/certutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/certutil/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/httpserv/Makefile.iquote ./nss/cmd/httpserv/Makefile ---- ./nss/cmd/httpserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/httpserv/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile ---- ./nss/cmd/lib/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/lib/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile ---- ./nss/cmd/modutil/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/modutil/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/pk12util/Makefile.iquote ./nss/cmd/pk12util/Makefile ---- ./nss/cmd/pk12util/Makefile.iquote 2017-09-21 16:41:23.158209761 +0200 -+++ ./nss/cmd/pk12util/Makefile 2017-09-21 16:41:44.298730232 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile ---- ./nss/cmd/selfserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/selfserv/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile ---- ./nss/cmd/ssltap/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/ssltap/Makefile 2017-09-21 16:39:08.680260103 +0200 -@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile ---- ./nss/cmd/strsclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/strsclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile ---- ./nss/cmd/tstclnt/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/tstclnt/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - ####################################################################### - - #include ../platlibs.mk -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile ---- ./nss/cmd/vfyserv/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/cmd/vfyserv/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - ####################################################################### - - #include ../platlibs.mk -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk ---- ./nss/coreconf/location.mk.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/coreconf/location.mk 2017-09-21 16:39:08.681260081 +0200 -@@ -45,6 +45,10 @@ endif - - ifdef NSS_INCLUDE_DIR - INCLUDES += -I$(NSS_INCLUDE_DIR) -+ ifdef IN_TREE_FREEBL_HEADERS_FIRST -+ INCLUDES += -iquote $(DIST)/../public/nss -+ INCLUDES += -iquote $(DIST)/../private/nss -+ endif +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200 ++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200 +@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME + SQLITE_LIB_NAME = sqlite3 endif - ifndef NSS_LIB_DIR -diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile ---- ./nss/gtests/ssl_gtest/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/gtests/ssl_gtest/Makefile 2017-09-21 16:39:08.682260058 +0200 -@@ -53,6 +53,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile ---- ./nss/lib/certhigh/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/certhigh/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile ---- ./nss/lib/cryptohi/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/cryptohi/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/libpkix/pkix/checker/Makefile.iquote ./nss/lib/libpkix/pkix/checker/Makefile ---- ./nss/lib/libpkix/pkix/checker/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/libpkix/pkix/checker/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../private/nss -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). 
# -diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile ---- ./nss/lib/nss/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/nss/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/pkcs12/Makefile.iquote ./nss/lib/pkcs12/Makefile ---- ./nss/lib/pkcs12/Makefile.iquote 2017-09-21 16:39:49.616331555 +0200 -+++ ./nss/lib/pkcs12/Makefile 2017-09-21 16:40:16.286726596 +0200 -@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -- -+INCLUDES += -iquote $(DIST)/../public/nss -+INCLUDES += -iquote $(DIST)/../private/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile ---- ./nss/lib/ssl/Makefile.iquote 2017-04-05 14:23:56.000000000 +0200 -+++ ./nss/lib/ssl/Makefile 2017-09-21 16:39:08.681260081 +0200 -@@ -56,6 +56,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../public/nss - - - ####################################################################### ++# Prefer in-tree headers over system headers ++ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss ++endif ++ + MK_LOCATION = included 
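Review bot: The in-tree header preference in the new coreconf/location.mk lines now depends entirely on `IN_TREE_FREEBL_HEADERS_FIRST` being defined, and nothing in this hunk shows where the build sets it. The per-directory `INCLUDES += -iquote ...` lines this patch used to add to the cmd/ and lib/ Makefiles were unconditional, so a build that leaves the variable unset may resolve quoted includes to installed NSS/freebl headers that do not match the 3.90 sources. I would state the requirement next to the block, e.g. `# NOTE: the spec must export IN_TREE_FREEBL_HEADERS_FIRST=1; without it no -iquote path is added`, and confirm the spec file (not visible here) still sets it.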
diff --git a/SOURCES/nss-3.67-cve-2021-43527-test.patch b/SOURCES/nss-3.67-cve-2021-43527-test.patch
new file mode 100644
index 0000000..51cb8e0
--- /dev/null
+++ b/SOURCES/nss-3.67-cve-2021-43527-test.patch
@@ -0,0 +1,325 @@ +diff --git a/tests/cert/Leaf-bogus-dsa.crt b/tests/cert/Leaf-bogus-dsa.crt +new file mode 100644 +--- /dev/null ++++ b/tests/cert/Leaf-bogus-dsa.crt +@@ -0,0 +1,143 @@ ++-----BEGIN CERTIFICATE----- ++MIIaZzCCCkWgAwIBAgIBATALBgcqhkjOOAQDBQAwMTEvMC0GA1UEAxMmZGVjb2Rl ++RUNvckRTQVNpZ25hdHVyZS10ZXN0Q2FzZS90YXZpc28wHhcNMjEwMTAxMDAwMDAw ++WhcNNDEwMTAxMDAwMDAwWjAxMS8wLQYDVQQDEyZkZWNvZGVFQ29yRFNBU2lnbmF0 ++dXJlLXRlc3RDYXNlL3RhdmlzbzCCCaYwggkaBgcqhkjOOAQBMIIJDQKBgQCqqqqq ++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq ++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq ++qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqgKCCAEAu7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 
++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7 ++u7u7u7u7u7u7u7u7u7u7u7sCgYEAzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM ++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM ++zMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzMzM ++zMzMzMwDgYUAAoGB3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d ++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d ++3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3dMAkG 
++ByqGSM44BAMDghAPADCCEAoCgggBAO7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u 
++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u ++7u7u7u7uAoIIAQD///////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// 
++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++//////////////////////////////////////////////////////////////// ++/////////////////////////////////////////////////////////w== ++-----END CERTIFICATE----- +diff --git a/tests/cert/Leaf-bogus-rsa-pss.crt b/tests/cert/Leaf-bogus-rsa-pss.crt +new file mode 
100644 +--- /dev/null ++++ b/tests/cert/Leaf-bogus-rsa-pss.crt +@@ -0,0 +1,126 @@ ++-----BEGIN CERTIFICATE----- ++MIIXODCCC/WgAwIBAgIBAjApBgkqhkiG9w0BAQowHKACMAChETAPBQAwCwYJYIZI ++AWUDBAIBogMCASAwNzEgMB4GCSqGSIb3DQEJARYRdGF2aXNvQGdvb2dsZS5jb20x ++EzARBgNVBAMTCmJ1ZzE3Mzc0NzAwHhcNMjAwMTAxMDAwMDAwWhcNNDAwMTAxMDAw ++MDAwWjA3MSAwHgYJKoZIhvcNAQkBFhF0YXZpc29AZ29vZ2xlLmNvbTETMBEGA1UE ++AxMKYnVnMTczNzQ3MDCCCywwDQYJKoZIhvcNAQEBBQADggsZADCCCxQCggsLAMRE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE 
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE 
++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERE ++RERERERERERERERERERERERERERERERERERERERERERERERERERERQIDAQABMC4G ++CSqGSIb3DQEBCjAhoRowGAYJKoZIhvcNAQEIMAsGCSqGSIb3DQEBCqIDAgEgA4IL ++CwAAxVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV 
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV 
++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV ++VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVU= ++-----END CERTIFICATE----- +diff --git a/tests/cert/cert.sh b/tests/cert/cert.sh +--- a/tests/cert/cert.sh ++++ b/tests/cert/cert.sh +@@ -114,16 +114,28 @@ certu() + cert_log "ERROR: ${CU_ACTION} failed $RET" + else + html_passed "${CU_ACTION}" + fi + + return $RET + } + ++cert_test_vfy() ++{ ++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------" ++ echo " vfychain -a Leaf-bogus-dsa.crt" ++ vfychain -a ${QADIR}/cert/Leaf-bogus-dsa.crt ++ html_msg $? 1 "Verify large dsa signature" ++ echo "$SCRIPTNAME: Verify large rsa pss signature --------------" ++ echo " vfychain -a Leaf-bogus-rsa-pss.crt" ++ vfychain -a ${QADIR}/cert/Leaf-bogus-rsa-pss.crt ++ html_msg $? 1 "Verify large rsa pss signature" ++} ++ + ################################ crlu ################################# + # local shell function to call crlutil, also: writes action and options to + # stdout, sets variable RET and writes results to the html file results + ######################################################################## + crlu() + { + echo "$SCRIPTNAME: ${CU_ACTION} --------------------------" + +@@ -2640,11 +2652,13 @@ if [ -z "$NSS_TEST_DISABLE_CRL" ] ; then + else + echo "$SCRIPTNAME: Skipping CRL Tests" + fi + + if [ -n "$DO_DIST_ST" -a "$DO_DIST_ST" = "TRUE" ] ; then + cert_stresscerts + fi + ++cert_test_vfy ++ + cert_iopr_setup + + cert_cleanup 
diff --git a/SOURCES/nss-3.79-fix-client-cert-crash.patch b/SOURCES/nss-3.79-fix-client-cert-crash.patch deleted file mode 100644 index 2d752e4..0000000 --- a/SOURCES/nss-3.79-fix-client-cert-crash.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c ---- a/lib/ssl/authcert.c -+++ b/lib/ssl/authcert.c -@@ -201,16 +201,19 @@ NSS_GetClientAuthData(void *arg, - - /* otherwise look through the cache based on usage - * if chosenNickname is set, we ignore the expiration date */ - if (certList == NULL) { - certList = CERT_FindUserCertsByUsage(CERT_GetDefaultCertDB(), - certUsageSSLClient, - PR_FALSE, chosenNickName == NULL, - pw_arg); -+ if (certList == NULL) { -+ return SECFailure; -+ } - /* filter only the certs that meet the nickname requirements */ - if (chosenNickName) { - rv = CERT_FilterCertListByNickname(certList, chosenNickName, - pw_arg); - } else { - int nnames = 0; - char **names = ssl_DistNamesToStrings(caNames, &nnames); - rv = CERT_FilterCertListByCANames(certList, nnames, names, diff --git a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch b/SOURCES/nss-3.79-pkcs12-fix-null-password.patch deleted file mode 100644 index 1195e5c..0000000 --- a/SOURCES/nss-3.79-pkcs12-fix-null-password.patch +++ /dev/null 
@@ -1,21 +0,0 @@ -diff -up ./lib/pkcs12/p12local.c.fix_null_password ./lib/pkcs12/p12local.c ---- ./lib/pkcs12/p12local.c.fix_null_password 2022-07-20 14:15:45.081009438 -0700 -+++ ./lib/pkcs12/p12local.c 2022-07-20 14:19:40.856546963 -0700 -@@ -968,15 +968,14 @@ sec_pkcs12_convert_item_to_unicode(PLAre - if (zeroTerm) { - /* unicode adds two nulls at the end */ - if (toUnicode) { -- if ((dest->len >= 2) && -- (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { -+ if ((dest->len < 2) || dest->data[dest->len - 1] || dest->data[dest->len - 2]) { - /* we've already allocated space for these new NULLs */ - PORT_Assert(dest->len + 2 <= bufferSize); - dest->len += 2; - dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; - } - /* ascii/utf-8 adds just 1 */ -- } else if ((dest->len >= 1) && dest->data[dest->len - 1]) { -+ } else if (!dest->len || dest->data[dest->len - 1]) { - PORT_Assert(dest->len + 1 <= bufferSize); - dest->len++; - dest->data[dest->len - 1] = 0; diff --git a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch b/SOURCES/nss-3.79-skip-pwdecrypt-time.patch deleted file mode 100644 index 004ea51..0000000 --- a/SOURCES/nss-3.79-skip-pwdecrypt-time.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -up ./tests/sdr/sdr.sh.skip ./tests/sdr/sdr.sh ---- ./tests/sdr/sdr.sh.skip 2022-06-11 09:52:05.037086587 -0700 -+++ ./tests/sdr/sdr.sh 2022-06-11 09:52:16.825162027 -0700 -@@ -146,7 +146,10 @@ sdr_main() - RARRAY=($dtime) - TIMEARRAY=(${RARRAY[1]//./ }) - echo "${TIMEARRAY[0]} seconds" -+ # allow an environment variable to skip the test -+ if [ "${NSS_SKIP_PWDECRYPT_TIME}" != "true" ]; then - html_msg ${TIMEARRAY[0]} 0 "pwdecrypt no time regression" -+ fi - export NSS_MAX_MP_PBE_ITERATION_COUNT=$OLD_MAX_PBE_ITERATIONS - } - diff --git a/SOURCES/nss-3.90-add-ems-policy.patch b/SOURCES/nss-3.90-add-ems-policy.patch new file mode 100644 index 0000000..18739d9 --- /dev/null +++ b/SOURCES/nss-3.90-add-ems-policy.patch 
@@ -0,0 +1,104 @@
+diff -up ./lib/pk11wrap/pk11pars.c.add_ems_policy ./lib/pk11wrap/pk11pars.c
+--- ./lib/pk11wrap/pk11pars.c.add_ems_policy 2023-06-12 15:37:49.292905411 -0700
++++ ./lib/pk11wrap/pk11pars.c 2023-06-12 17:18:35.129938514 -0700
+@@ -389,6 +389,8 @@ static const oidValDef kxOptList[] = {
+ { CIPHER_NAME("ECDHE-RSA"), SEC_OID_TLS_ECDHE_RSA, NSS_USE_ALG_IN_SSL_KX },
+ { CIPHER_NAME("ECDH-ECDSA"), SEC_OID_TLS_ECDH_ECDSA, NSS_USE_ALG_IN_SSL_KX },
+ { CIPHER_NAME("ECDH-RSA"), SEC_OID_TLS_ECDH_RSA, NSS_USE_ALG_IN_SSL_KX },
++ /* not really a key exchange, but it's the closest fit */
++ { CIPHER_NAME("TLS-REQUIRE-EMS"), SEC_OID_TLS_REQUIRE_EMS, NSS_USE_ALG_IN_SSL_KX },
+ };
+
+ static const oidValDef signOptList[] = {
+diff -up ./lib/pk11wrap/secmodti.h.add_ems_policy ./lib/pk11wrap/secmodti.h
+--- ./lib/pk11wrap/secmodti.h.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
++++ ./lib/pk11wrap/secmodti.h 2023-06-12 17:18:35.129938514 -0700
+@@ -202,4 +202,10 @@ struct PK11GenericObjectStr {
+ /* This mask includes all CK_FLAGs with an equivalent CKA_ attribute. */
+ #define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL
+
++/* this oid value could change values if it's added after other new
++ * upstream oids. We protect applications by hiding the define in a private
++ * header file that only NSS sees.
Currently it's only available through
++ * the policy code */
++#define SEC_OID_TLS_REQUIRE_EMS SEC_OID_PRIVATE_1
++
+ #endif /* _SECMODTI_H_ */
+diff -up ./lib/ssl/ssl3con.c.add_ems_policy ./lib/ssl/ssl3con.c
+--- ./lib/ssl/ssl3con.c.add_ems_policy 2023-06-04 01:42:53.000000000 -0700
++++ ./lib/ssl/ssl3con.c 2023-06-12 17:18:35.130938525 -0700
+@@ -36,6 +36,7 @@
+ #include "pk11func.h"
+ #include "secmod.h"
+ #include "blapi.h"
++#include "secmodti.h" /* until SEC_OID_TLS_REQUIRE_EMS is upstream */
+
+ #include
+
+@@ -3480,6 +3481,29 @@ ssl3_ComputeMasterSecretInt(sslSocket *s
+ CK_TLS12_MASTER_KEY_DERIVE_PARAMS master_params;
+ unsigned int master_params_len;
+
++ /* if we are using TLS and we aren't using the extended master secret,
++ * and SEC_OID_TLS_REQUIRE_EMS policy is true, fail. The caller will
++ * send and alert (eventually). In the RSA Server case, the alert
++ * won't happen until Finish time because the upper level code
++ * can't tell a difference between this failure and an RSA decrypt
++ * failure, so it will proceed with a faux key */
++ if (isTLS) {
++ PRUint32 policy;
++ SECStatus rv;
++
++ /* first fetch the policy for this algorithm */
++ rv = NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy);
++ /* we only look at the policy if we can fetch it.
*/
++ if (rv == SECSuccess) {
++ if (policy & NSS_USE_ALG_IN_SSL_KX) {
++ /* just set the error, we don't want to map any errors
++ * set by NSS_GetAlgorithmPolicy here */
++ PORT_SetError(SSL_ERROR_UNSUPPORTED_VERSION);
++ return SECFailure;
++ }
++ }
++ }
++
+ if (isTLS12) {
+ if (isDH)
+ master_derive = CKM_TLS12_MASTER_KEY_DERIVE_DH;
+diff -up ./lib/util/secoid.c.add_ems_policy ./lib/util/secoid.c
+--- ./lib/util/secoid.c.add_ems_policy 2023-06-12 15:37:49.293905422 -0700
++++ ./lib/util/secoid.c 2023-06-12 17:20:29.498142775 -0700
+@@ -1795,6 +1795,11 @@ const static SECOidData oids[SEC_OID_TOT
+ SEC_OID_EXT_KEY_USAGE_IPSEC_USER,
+ "IPsec User",
+ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++
++ /* this will change upstream. for now apps shouldn't use it */
++ /* we need it for the policy code. */
++ ODE(SEC_OID_PRIVATE_1,
++ "TLS Require EMS", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ };
+
+ /* PRIVATE EXTENDED SECOID Table
+@@ -2095,6 +2100,8 @@ SECOID_Init(void)
+
+ /* turn off NSS_USE_POLICY_IN_SSL by default */
+ xOids[SEC_OID_APPLY_SSL_POLICY].notPolicyFlags = NSS_USE_POLICY_IN_SSL;
++ /* turn off TLS REQUIRE EMS by default */
++ xOids[SEC_OID_PRIVATE_1].notPolicyFlags = ~0;
+
+ envVal = PR_GetEnvSecure("NSS_HASH_ALG_SUPPORT");
+ if (envVal)
+diff -up ./lib/util/secoidt.h.add_ems_policy ./lib/util/secoidt.h
+--- ./lib/util/secoidt.h.add_ems_policy 2023-06-12 17:18:35.131938535 -0700
++++ ./lib/util/secoidt.h 2023-06-12 17:21:49.675987022 -0700
+@@ -501,6 +501,9 @@ typedef enum {
+ SEC_OID_EXT_KEY_USAGE_IPSEC_END = 361,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_TUNNEL = 362,
+ SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363,
++ /* this will change upstream. for now apps shouldn't use it */
++ /* give it an obscure name here */
++ SEC_OID_PRIVATE_1 = 372,
+
+ SEC_OID_TOTAL
+ } SECOidTag;
diff --git a/SOURCES/nss-3.90-certutil-dump-speed.patch b/SOURCES/nss-3.90-certutil-dump-speed.patch
new file mode 100644
index 0000000..81566c3
--- /dev/null
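Review bot: The check added to ssl3_ComputeMasterSecretInt fails open: when `NSS_GetAlgorithmPolicy(SEC_OID_TLS_REQUIRE_EMS, &policy)` returns anything other than SECSuccess, the "require EMS" policy is skipped silently. For a policy meant to forbid non-EMS key derivation I would also reject on a failed lookup, `if (rv != SECSuccess || (policy & NSS_USE_ALG_IN_SSL_KX)) {`, or extend the comment to say why skipping is safe. `SSL_ERROR_UNSUPPORTED_VERSION` points an operator at protocol versions rather than at the missing extension, and the hunk's own comment concedes that an RSA server only fails at Finished, so a check where the extension is negotiated would fail earlier and more clearly. Separately, the secoid.c and secoidt.h hunks add the entry directly after `SEC_OID_EXT_KEY_USAGE_IPSEC_USER = 363` while numbering it 372; if `oids[]` is filled positionally (its definition is outside the hunk) the entry would land at index 364, which is worth confirming. The body of ssl3_ComputeMasterSecretInt continues outside the hunk.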
+++ b/SOURCES/nss-3.90-certutil-dump-speed.patch
@@ -0,0 +1,17 @@
+diff -up ./tests/dbtests/dbtests.sh.handle_time ./tests/dbtests/dbtests.sh
+--- ./tests/dbtests/dbtests.sh.handle_time 2023-07-29 14:39:51.907864604 -0700
++++ ./tests/dbtests/dbtests.sh 2023-07-29 14:40:58.268377159 -0700
+@@ -362,11 +362,12 @@ dbtest_main()
+ dtime=$(time -p (certutil -K -d ${BIG_DIR} -f ${R_PWFILE}) 2>&1 1>/dev/null)
+ echo "------------- time ----------------------"
+ echo $dtime
++ expected_time=${NSS_EXPECTED_TIME-2}
+ # now parse the real time to make sure it's subsecond
+ RARRAY=($dtime)
+ TIMEARRAY=(${RARRAY[1]//./ })
+ echo "${TIMEARRAY[0]} seconds"
+- test ${TIMEARRAY[0]} -lt 2
++ test ${TIMEARRAY[0]} -lt ${expected_time}
+ ret=$?
+ html_msg ${ret} 0 "certutil dump keys with explicit default trust flags"
+ fi
diff --git a/SOURCES/nss-3.90-disable-ech.patch b/SOURCES/nss-3.90-disable-ech.patch
new file mode 100644
index 0000000..eee8c39
--- /dev/null
+++ b/SOURCES/nss-3.90-disable-ech.patch
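Review bot: `${NSS_EXPECTED_TIME-2}` falls back to 2 only when the variable is unset, so an exported but empty NSS_EXPECTED_TIME turns the later comparison into `test N -lt` with a missing operand, and the resulting error is reported as a failed timing test. I would write `expected_time=${NSS_EXPECTED_TIME:-2}` and quote both operands, `test "${TIMEARRAY[0]}" -lt "${expected_time}"`. The context comment "make sure it's subsecond" no longer describes the check once the limit is configurable, and could become `# parse the real time and compare it with the allowed limit`. dbtest_main starts and ends outside the hunk.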
@@ -0,0 +1,96 @@
+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
+--- a/lib/ssl/sslsock.c
++++ b/lib/ssl/sslsock.c
+@@ -4394,62 +4394,82 @@ ssl_ClearPRCList(PRCList *list, void (*f
+ }
+ PORT_Free(cursor);
+ }
+ }
+
+ SECStatus
+ SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss) {
+ return SECFailure;
+ }
+ ss->opt.enableTls13GreaseEch = enabled;
+ return SECSuccess;
++#else
++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++ return SECFailure;
++#endif
+ }
+
+ SECStatus
+ SSLExp_SetTls13GreaseEchSize(PRFileDesc *fd, PRUint8 size)
+ {
++#ifdef notdef
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss || size == 0) {
+ return SECFailure;
+ }
+ ssl_Get1stHandshakeLock(ss);
+ ssl_GetSSL3HandshakeLock(ss);
+
+ ss->ssl3.hs.greaseEchSize = size;
+
+ ssl_ReleaseSSL3HandshakeLock(ss);
+ ssl_Release1stHandshakeLock(ss);
+
+ return SECSuccess;
++#else
++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++ return SECFailure;
++#endif
+ }
+
+ SECStatus
+ SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss) {
+ return SECFailure;
+ }
+ ss->opt.enableTls13BackendEch = enabled;
+ return SECSuccess;
++#else
++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++ return SECFailure;
++#endif
+ }
+
+ SECStatus
+ SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled)
+ {
++#ifdef notdef
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss) {
+ return SECFailure;
+ }
+ ss->opt.callExtensionWriterOnEchInner = enabled;
+ return SECSuccess;
++#else
++ PORT_SetError(SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API);
++ return SECFailure;
++#endif
+ }
+
+ SECStatus
+ SSLExp_SetDtls13VersionWorkaround(PRFileDesc *fd, PRBool enabled)
+ {
+ sslSocket *ss = ssl_FindSocket(fd);
+ if (!ss) {
+ return SECFailure;
+diff -up ./gtests/ssl_gtest/manifest.mn.disable_ech ./gtests/ssl_gtest/manifest.mn
+---
./gtests/ssl_gtest/manifest.mn.disable_ech 2023-06-21 19:02:02.160400997 +0200
++++ ./gtests/ssl_gtest/manifest.mn 2023-06-21 19:02:18.226618324 +0200
+@@ -57,7 +57,6 @@ CPPSRCS = \
+ tls_filter.cc \
+ tls_protect.cc \
+ tls_psk_unittest.cc \
+- tls_ech_unittest.cc \
+ $(SSLKEYLOGFILE_FILES) \
+ $(NULL)
diff --git a/SOURCES/nss-3.90-no-dbm-25519.patch b/SOURCES/nss-3.90-no-dbm-25519.patch
new file mode 100644
index 0000000..3c7c614
--- /dev/null
+++ b/SOURCES/nss-3.90-no-dbm-25519.patch
@@ -0,0 +1,18 @@
+diff -up ./tests/ec/ectest.sh.no_dbm_25519 ./tests/ec/ectest.sh
+--- ./tests/ec/ectest.sh.no_dbm_25519 2023-07-26 10:12:29.531147406 -0700
++++ ./tests/ec/ectest.sh 2023-07-26 10:12:39.547245445 -0700
+@@ -46,11 +46,13 @@ ectest_genkeydb_test()
+ return $?
+ fi
+ curves=( \
+- "curve25519" \
+ "secp256r1" \
+ "secp384r1" \
+ "secp521r1" \
+ )
++ if [ "${NSS_DEFAULT_DB_TYPE}" = "sql" ] ; then
++ curves=( "curve25519" "${curves[@]}" )
++ fi
+ for curve in "${curves[@]}"; do
+ echo "Test $curve key generation using certutil ..."
+ certutil -G -d "${HOSTDIR}" -k ec -q $curve -f "${R_PWFILE}" -z ${NOISE_FILE}
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
index 2ed4f53..cc28bbe 100644
--- a/SPECS/nss.spec
+++ b/SPECS/nss.spec
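Review bot: The four ECH setters in sslsock.c are compiled out with `#ifdef notdef`, a macro nothing in the hunk defines and that gives no reason for the stubs, so a later rebase can easily lose track of why they exist. I would put one comment above the first stub, for example `/* ECH is disabled in this build (<tracking bug placeholder>); the setters report SSL_ERROR_UNSUPPORTED_EXPERIMENTAL_API */`. Dropping `tls_ech_unittest.cc` from manifest.mn also leaves no test that pins the new failure return, so an upstream change that re-enables any of these paths would pass unnoticed. Only the toggles in this file are stubbed; whether the ECH config entry points defined elsewhere (`SSLExp_SetClientEchConfigs`, `SSLExp_SetServerEchConfigs`) remain callable is not visible here and should be confirmed against the intent of disabling ECH.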
@@ -1,14 +1,14 @@ -%global nspr_version 4.34.0 -%global nss_util_version 3.79.0 +%global nspr_version 4.35.0 +%global nss_util_version 3.90.0 %global nss_util_build -1 # adjust to the version that gets submitted for FIPS validation # Attention: Separate softokn versions for build and runtime. -%global nss_softokn_version 3.79.0 +%global nss_softokn_version 3.90.0 %global runtime_required_softokn_build_version -1 # Building NSS doesn't require the same version of softokn built for runtime. -%global nss_softokn_build_version 3.67.0 +%global nss_softokn_build_version 3.90.0 %global build_required_softokn_build_version -1 -%global nss_version 3.79.0 +%global nss_version 3.90.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil nss-policy-check pk12util pp signtool signver ssltap vfychain vfyserv" @@ -42,7 +42,7 @@ rpm.define(string.format("nss_archive_version %s", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 5%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries 
@@ -163,20 +163,22 @@ Patch160:nss-3.66-restore-old-pkcs12-default.patch Patch161: nss-3.66-disable-external-host-test.patch # keep expired distrusted certs Patch162: nss-3.79-distrusted-certs.patch -#----------------------------------- -# cve 2023-0767, remove on rebase to nss 3.88.1 or later -# https://bugzilla.mozilla.org/show_bug.cgi?id=1804640 -Patch170: cve-2023-0767.patch +# already upstream patches to deal with curve 25519 +Patch163: nss-3.90-no-dbm-25519.patch +# already upstream - increases certutil timeout for slower machines +# https://bugzilla.mozilla.org/show_bug.cgi?id=1835357 +Patch164: nss-3.90-certutil-dump-speed.patch +# restore test patch that has not been upstreamed +Patch165: nss-3.67-cve-2021-43527-test.patch +# disable ech +Patch166: nss-3.90-disable-ech.patch -# remove when nss-softokn is 3.79 during builds -Patch200: nss-3.79-skip-pwdecrypt-time.patch # patches that just need to be upstreamed Patch300: nss-3.79-r7-remove-explicit-ipv4.patch -Patch301: nss-3.79-fix-client-cert-crash.patch -Patch302: nss-3.79-pkcs12-fix-null-password.patch - +#ems policy. needs to upstream +Patch301: nss-3.90-add-ems-policy.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -282,12 +284,13 @@ pushd nss %patch160 -p1 -b .restore-pkcs12-defaults %patch161 -p1 -b .brew %patch162 -R -p1 -b .distrusted-certs -%patch170 -p1 -b .cve-2023-0767 +%patch163 -p1 -b .no-dbm-25519 +%patch164 -p1 -b .certutil-dump-speed +%patch165 -p1 -b .cve-2021-43527-test +%patch166 -p1 -b .disable-ech -%patch200 -p1 -b .skip-pwdecrypt-time %patch300 -p1 -b .remove-explicit-ipv4 -%patch301 -p1 -b .client-cert-crash -%patch302 -p1 -b .fix-pkcs12-null +%patch301 -p1 -b .ems popd ######################################################### 
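Review bot: Patch301 (`nss-3.79-fix-client-cert-crash.patch`) and Patch302 (`nss-3.79-pkcs12-fix-null-password.patch`) are dropped in the patch list without any note of where those fixes went, unlike Patch170, whose removed comment stated the upstream version that makes it redundant. Both were listed under "patches that just need to be upstreamed", so presumably they landed before 3.90, but that should be recorded. I would add a line such as `# nss-3.79-fix-client-cert-crash and nss-3.79-pkcs12-fix-null-password dropped: fixed upstream in <upstream bug ids>` next to the new Patch301, and mention it in the changelog entry. The matching `%patch301`/`%patch302` removals in the following hunk have the same gap.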
@@ -392,6 +395,9 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1 ##### phase 2: build the rest of nss export NSS_BLTEST_NOT_AVAILABLE=1 +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + export NSS_FORCE_FIPS=1 # Set the policy file location @@ -575,17 +581,20 @@ pushd ./nss/tests/ # don't need to run all the tests when testing packaging export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 7, the default db is sql, but we want # standard to test dbm, or upgradedb will fail +%ifnarch x86_64 +export NSS_EXPECTED_TIME=8 +%endif +%if %{with gtests} +%define do_gtests gtests +%define do_ssl_gtests ssl_gtests +%endif %global nss_full_cycles "standard pkix upgradedb sharedb threadunsafe" %global nss_cycles "standard pkix upgradedb sharedb" -%global nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" -%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec" +%define nss_full_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec %{do_gtests} %{do_ssl_gtests}" +%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec %{do_gtests} %{do_ssl_gtests}" %ifarch x86_64 %global nss_cycles "standard pkix upgradedb sharedb threadunsafe" %endif -%if %{with gtests} -%global nss_full_tests "%{nss_full_tests} gtests ssl_gtests" -%global nss_tests "%{nss_tests} ssl_gtests" -%endif # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # 
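Review bot: The added comment `# uncomment if the iquote patch is activated` sits above an `export IN_TREE_FREEBL_HEADERS_FIRST=1` that is not commented out, so comment and code disagree about whether the setting is active. The hunk header shows the same export already present earlier in the build section, so this one may be redundant as well as mislabelled. Either drop the added lines or reword the comment to match, for example `# needed while the iquote patch is applied`.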
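Review bot: `%{do_gtests}` and `%{do_ssl_gtests}` are defined only inside `%if %{with gtests}`, yet `nss_full_tests` and `nss_tests` reference them unconditionally; with gtests disabled, rpm leaves an undefined macro unexpanded and the literal text `%{do_gtests}` ends up in the test list passed to the suite. The conditional form avoids that: `%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec %{?do_gtests} %{?do_ssl_gtests}"`, and likewise for `nss_full_tests`. The s390 and s390x lines in the next hunk use `%{do_gtests}` the same way. It is also unclear why `nss_full_tests` switched from `%global` to `%define` while `nss_tests` did not; a short comment would help if the lazy expansion is intended.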
@@ -597,15 +606,13 @@ export NSS_DEFAULT_DB_TYPE=dbm #in RHEL 7, the default db is sql, but we want # Temporarily disabling tests for s390 %ifarch s390 %global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec" +%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec%{do_gtests}" %endif %ifarch s390x %global nss_ssl_run "cov auth" -%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec" -%endif -%if %{with gtests} -%global nss_tests "%{nss_tests} gtests" +%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec%{do_gtests}" %endif + # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr soft=$(rpm -q nss-softokn) soft_minor=${soft:14:2} @@ -946,6 +953,15 @@ fi %changelog +* Mon Aug 7 2023 Bob Relyea - 3.90.0-2 +- fix EMS bug +- disbale ECH +- fix gtests in spec file +- restore missing test case + +* Wed Jun 21 2023 Bob Relyea - 3.90.0-1 +- Rebase to NSS 3.90 + * Wed Mar 8 2023 Bob Relyea - 3.79.0-5 - fix CVE-2023-0767
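Review bot: In the s390 and s390x overrides the list ends in `ec%{do_gtests}` with no separating space, so with gtests enabled it expands to `ecgtests`, which names neither test and drops both from the run. A space restores the two entries: `%global nss_tests "libpkix cert dbtests tools sdr crmf smime ocsp merge pkits ec %{?do_gtests}"`. Because the `%if %{with gtests}` append that used to follow is removed in this hunk, nothing else adds gtests on these architectures.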