diff --git a/.gitignore b/.gitignore index abf5f25..b5ff2c8 100644 --- a/.gitignore +++ b/.gitignore @@ -1,8 +1,8 @@ -nss-3.13.3-stripped.tar.bz2 -nss-pem-20101125.tar.bz2 blank-cert8.db blank-key3.db blank-secmod.db blank-cert9.db blank-key4.db PayPalEE.cert +/nss-3.13.4-stripped.tar.bz2 +/nss-pem-20120402.tar.bz2 diff --git a/0001-Bug-695011-PEM-logging.patch b/0001-Bug-695011-PEM-logging.patch deleted file mode 100644 index 2693d7c..0000000 --- a/0001-Bug-695011-PEM-logging.patch +++ /dev/null @@ -1,107 +0,0 @@ -From 5c61cdba435096ee6e65cee4dc9a473430643c07 Mon Sep 17 00:00:00 2001 -From: Elio Maldonado -Date: Tue, 12 Apr 2011 09:31:48 -0700 -Subject: [PATCH] Bug 695011 PEM logging - -Use NSPR logging facilities for PEM logging to fix a segmenation violation -caused when user cannot for write a log file created by root ---- - mozilla/security/nss/lib/ckfw/pem/ckpem.h | 7 ++++- - mozilla/security/nss/lib/ckfw/pem/util.c | 30 ++++++++++++++++------------ - 2 files changed, 22 insertions(+), 15 deletions(-) - -diff --git a/mozilla/security/nss/lib/ckfw/pem/ckpem.h b/mozilla/security/nss/lib/ckfw/pem/ckpem.h -index 839d40b..720525e 100644 ---- a/mozilla/security/nss/lib/ckfw/pem/ckpem.h -+++ b/mozilla/security/nss/lib/ckfw/pem/ckpem.h -@@ -1,3 +1,6 @@ -+#ifndef CKPEM_H -+#define CKPEM_H -+ - #include "nssckmdt.h" - #include "nssckfw.h" - #include "ckfwtm.h" -@@ -254,8 +257,8 @@ unsigned int pem_PrivateModulusLen(pemLOWKEYPrivateKey *privk); - /* ptoken.c */ - NSSCKMDToken * pem_NewToken(NSSCKFWInstance *fwInstance, CK_RV *pError); - -+/* util.c */ - void open_log(); --void close_log(); - void plog(const char *fmt, ...); - --#define PEM_H 1 -+#endif /* CKPEM_H */ -diff --git a/mozilla/security/nss/lib/ckfw/pem/util.c b/mozilla/security/nss/lib/ckfw/pem/util.c -index 853f418..fafb924 100644 ---- a/mozilla/security/nss/lib/ckfw/pem/util.c -+++ b/mozilla/security/nss/lib/ckfw/pem/util.c -@@ -41,6 +41,7 @@ - #include "prtime.h" - #include "prlong.h" - #include "prerror.h" -+#include "prlog.h" - #include "prprf.h" - #include "plgetopt.h" - #include "prenv.h" -@@ -51,6 +52,9 @@ - #include "cryptohi.h" - #include "secpkcs7.h" - #include "secerr.h" -+ -+#include "ckpem.h" -+ - #include - - #define CHUNK_SIZE 512 -@@ -267,34 +271,34 @@ ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii, - return -1; - } - --FILE *plogfile; -+#ifdef DEBUG -+#define LOGGING_BUFFER_SIZE 400 -+#define PEM_DEFAULT_LOG_FILE "/tmp/pkcs11.log" -+static const char *pemLogModuleName = "PEM"; -+static PRLogModuleInfo* pemLogModule; -+#endif - - void open_log() - { - #ifdef DEBUG -- plogfile = fopen("/tmp/pkcs11.log", "a"); --#endif -+ const char *nsprLogFile = PR_GetEnv("NSPR_LOG_FILE"); - -- return; --} -+ pemLogModule = PR_NewLogModule(pemLogModuleName); - --void close_log() --{ --#ifdef DEBUG -- fclose(plogfile); -+ (void) PR_SetLogFile(nsprLogFile ? nsprLogFile : PEM_DEFAULT_LOG_FILE); -+ /* If false, the log file will remain what it was before */ - #endif -- return; - } - - void plog(const char *fmt, ...) - { - #ifdef DEBUG -+ char buf[LOGGING_BUFFER_SIZE]; - va_list ap; - - va_start(ap, fmt); -- vfprintf(plogfile, fmt, ap); -+ PR_vsnprintf(buf, sizeof(buf), fmt, ap); - va_end(ap); -- -- fflush(plogfile); -+ PR_LOG(pemLogModule, PR_LOG_DEBUG, ("%s", buf)); - #endif - } --- -1.7.4.2 - diff --git a/0001-libnsspem-rhbz-734760.patch b/0001-libnsspem-rhbz-734760.patch deleted file mode 100644 index 45b4024..0000000 --- a/0001-libnsspem-rhbz-734760.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 ./mozilla/security/nss/lib/ckfw/pem/pobject.c ---- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.734760 2011-09-10 10:21:38.819248564 -0700 -+++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:28:47.970083785 -0700 -@@ -1117,7 +1117,7 @@ pem_CreateObject - - nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); - if (nobjs < 1) -- return (NSSCKMDObject *) NULL; -+ goto loser; - - objid = -1; - /* Brute force: find the id of the key, if any, in this slot */ -@@ -1176,7 +1176,7 @@ pem_CreateObject - - nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */); - if (nobjs < 1) -- return (NSSCKMDObject *) NULL; -+ goto loser; - - certDER.len = 0; /* in case there is no equivalent cert */ - certDER.data = NULL; diff --git a/Bug-800676-nss-workaround-for-freebl-bug-that-causes-openswan-to-drop-connections.patch b/Bug-800676-nss-workaround-for-freebl-bug-that-causes-openswan-to-drop-connections.patch deleted file mode 100644 index 88b1004..0000000 --- a/Bug-800676-nss-workaround-for-freebl-bug-that-causes-openswan-to-drop-connections.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff -up ./mozilla/security/nss/lib/pk11wrap/pk11skey.c.800676 ./mozilla/security/nss/lib/pk11wrap/pk11skey.c ---- ./mozilla/security/nss/lib/pk11wrap/pk11skey.c.800676 2012-03-07 18:29:16.679551532 -0800 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11skey.c 2012-03-07 18:29:42.338733488 -0800 -@@ -1664,7 +1664,10 @@ PK11_PubDerive(SECKEYPrivateKey *privKey - - keyType = PK11_GetKeyType(target,keySize); - key_size = keySize; -- symKey->size = keySize; -+ /* There's a bug in FreeBL where this size is treated as a max. -+ * if we are using softoken, Don't set that size value here, but -+ * set it to zero we we will query softoken for the size */ -+ symKey->size = slot->isInternal ? 0 : keySize; - if (key_size == 0) templateCount--; - - mechanism.mechanism = derive; diff --git a/nss.spec b/nss.spec index 49915fa..5443482 100644 --- a/nss.spec +++ b/nss.spec @@ -1,13 +1,13 @@ %global nspr_version 4.9 -%global nss_util_version 3.13.3 +%global nss_util_version 3.13.4 %global nss_softokn_fips_version 3.12.9 -%global nss_softokn_version 3.13.3 +%global nss_softokn_version 3.13.4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools Summary: Network Security Services Name: nss -Version: 3.13.3 -Release: 4%{?dist} +Version: 3.13.4 +Release: 1%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -52,24 +52,18 @@ Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh Source10: PayPalEE.cert -Source12: %{name}-pem-20101125.tar.bz2 +Source12: %{name}-pem-20120402.tar.bz2 Patch3: renegotiate-transitional.patch Patch6: nss-enable-pem.patch -Patch7: nsspem-642433.patch -Patch8: 0001-Bug-695011-PEM-logging.patch Patch16: nss-539183.patch Patch18: nss-646045.patch -Patch20: nsspem-createobject-initialize-pointer.patch -Patch21: 0001-libnsspem-rhbz-734760.patch -Patch22: nsspem-init-inform-not-thread-safe.patch -# must statically link pem against the 3.12.x system freebl in the buildroot +# must statically link pem against the freebl in the buildroot +# Needed only when freebl on tree has newe APIS Patch25: nsspem-use-system-freebl.patch # don't compile the fipstest application Patch26: nofipstest.patch -# include this patch in the upstream pem review -Patch28: nsspem-bz754771.patch -# This patch is currently meant for f16 and f15 only, and f17 now +# This patch is currently meant for stable branches Patch29: nss-ssl-cbc-random-iv-off-by-default.patch # upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734492 @@ -84,12 +78,6 @@ Patch32: Bug-800674-Unable-to-contact-LDAP-Server-during-winsync.patch # upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734492 Patch33: Bug-800682-Qpid-AMQP-daemon-fails-to-load-after-nss-update.patch -# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=734441 -Patch34: Bug-800676-nss-workaround-for-freebl-bug-that-causes-openswan-to-drop-connections.patch - -# Activate when verified in RHEL -# Patch55: Bug-746632-pem_CreateObject-mem-leak-on-non-existing-file-name.patch - %description Network Security Services (NSS) is a set of libraries designed to @@ -165,24 +153,17 @@ low level services. %patch3 -p0 -b .transitional %patch6 -p0 -b .libpem -%patch7 -p0 -b .642433 -%patch8 -p1 -b .695011 %patch16 -p0 -b .539183 %patch18 -p0 -b .646045 -%patch20 -p1 -b .717338 -%patch21 -p1 -b .734760 -%patch22 -p0 -b .736410 -# link pem against buildroot's 3.12 freebl +# link pem against buildroot's freebl, esential wen mixing and matching %patch25 -p0 -b .systemfreebl %patch26 -p0 -b .nofipstest -%patch28 -p0 -b .754771 -# activate only if requested for f17 -#%patch29 -p0 -b .770682 +# activate only if requested for this branch +%patch29 -p0 -b .770682 %patch30 -p0 -b .784672 %patch31 -p0 -b .gcc47 %patch32 -p0 -b .800674 %patch33 -p0 -b .800682 -%patch34 -p0 -b .800676 %build @@ -601,6 +582,14 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4_RTM +- Update the nss-pem source archive to the latest version +- Remove no longer needed patches +- Resolves: Bug 806043 - use pem files interchangeably in a single process +- Resolves: Bug 806051 - PEM various flaws detected by Coverity +- Resolves: Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name + * Wed Mar 21 2012 Elio Maldonado - 3.13.3-4 - Resolves: Bug 805723 - Library needs partial RELRO support added diff --git a/nsspem-642433.patch b/nsspem-642433.patch deleted file mode 100644 index 710919b..0000000 --- a/nsspem-642433.patch +++ /dev/null @@ -1,52 +0,0 @@ -diff -up ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 ./mozilla/security/nss/lib/ckfw/pem/util.c ---- ./mozilla/security/nss/lib/ckfw/pem/util.c.642433 2010-11-25 10:49:27.000000000 -0800 -+++ ./mozilla/security/nss/lib/ckfw/pem/util.c 2010-12-08 08:02:02.618304926 -0800 -@@ -96,9 +96,6 @@ static SECItem *AllocItem(SECItem * item - return (result); - - loser: -- if (result != NULL) { -- SECITEM_FreeItem(result, (item == NULL) ? PR_TRUE : PR_FALSE); -- } - return (NULL); - } - -@@ -110,7 +107,7 @@ static SECStatus FileToItem(SECItem * ds - - prStatus = PR_GetOpenFileInfo(src, &info); - -- if (prStatus != PR_SUCCESS) { -+ if (prStatus != PR_SUCCESS || info.type == PR_FILE_DIRECTORY) { - return SECFailure; - } - -@@ -126,8 +123,7 @@ static SECStatus FileToItem(SECItem * ds - - return SECSuccess; - loser: -- SECITEM_FreeItem(dst, PR_FALSE); -- nss_ZFreeIf(dst); -+ nss_ZFreeIf(dst->data); - return SECFailure; - } - -@@ -153,6 +149,10 @@ ReadDERFromFile(SECItem *** derlist, cha - - /* Read in ascii data */ - rv = FileToItem(&filedata, inFile); -+ if (rv != SECSuccess) { -+ PR_Close(inFile); -+ return -1; -+ } - asc = (char *) filedata.data; - if (!asc) { - PR_Close(inFile); -@@ -252,7 +252,7 @@ ReadDERFromFile(SECItem *** derlist, cha - } else { - /* Read in binary der */ - rv = FileToItem(der, inFile); -- if (rv) { -+ if (rv != SECSuccess) { - PR_Close(inFile); - return -1; - } diff --git a/nsspem-bz754771.patch b/nsspem-bz754771.patch deleted file mode 100644 index 1e64a42..0000000 --- a/nsspem-bz754771.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff -up ./mozilla/security/nss/lib/ckfw/pem/pinst.c.754771 ./mozilla/security/nss/lib/ckfw/pem/pinst.c ---- ./mozilla/security/nss/lib/ckfw/pem/pinst.c.754771 2011-12-12 09:38:51.839104295 -0800 -+++ ./mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-12-12 09:44:40.437096761 -0800 -@@ -350,6 +350,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla - if (io == NULL) - return NULL; - -+ /* initialize pointers to functions */ -+ pem_CreateMDObject(NULL, io, NULL); -+ - io->gobjIndex = count; - - /* add object to global array */ diff --git a/nsspem-createobject-initialize-pointer.patch b/nsspem-createobject-initialize-pointer.patch deleted file mode 100644 index cdfdea3..0000000 --- a/nsspem-createobject-initialize-pointer.patch +++ /dev/null @@ -1,11 +0,0 @@ -diff -up ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 ./mozilla/security/nss/lib/ckfw/pem/pobject.c ---- ./mozilla/security/nss/lib/ckfw/pem/pobject.c.717338 2010-11-25 10:49:27.000000000 -0800 -+++ ./mozilla/security/nss/lib/ckfw/pem/pobject.c 2011-09-10 10:16:58.752726964 -0700 -@@ -1179,6 +1179,7 @@ pem_CreateObject - return (NSSCKMDObject *) NULL; - - certDER.len = 0; /* in case there is no equivalent cert */ -+ certDER.data = NULL; - - objid = -1; - for (i = 0; i < pem_nobjs; i++) { diff --git a/nsspem-init-inform-not-thread-safe.patch b/nsspem-init-inform-not-thread-safe.patch deleted file mode 100644 index 2df4fbe..0000000 --- a/nsspem-init-inform-not-thread-safe.patch +++ /dev/null @@ -1,129 +0,0 @@ ---- mozilla/security/nss/lib/ckfw/pem/pinst.c.736410 2010-11-25 11:51:52.000000000 -0800 -+++ mozilla/security/nss/lib/ckfw/pem/pinst.c 2011-09-13 16:59:49.325215540 -0700 -@@ -364,39 +364,37 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objCla - size += PEM_ITEM_CHUNK; - } - gobj[count] = io; - count++; - pem_nobjs++; - - io->refCount ++; - return io; - } - - CK_RV - AddCertificate(char *certfile, char *keyfile, PRBool cacert, - CK_SLOT_ID slotID) - { - pemInternalObject *o; -- SECItem certDER; - CK_RV error = 0; - int objid, i; - int nobjs = 0; - SECItem **objs = NULL; - char *ivstring = NULL; - int cipher; - -- certDER.data = NULL; - nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); - if (nobjs <= 0) { - nss_ZFreeIf(objs); - return CKR_GENERAL_ERROR; - } - - /* For now load as many certs as are in the file for CAs only */ - if (cacert) { - for (i = 0; i < nobjs; i++) { - char nickname[1024]; - objid = pem_nobjs + 1; - - snprintf(nickname, 1024, "%s - %d", certfile, i); - - o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL, -@@ -456,72 +454,76 @@ AddCertificate(char *certfile, char *key - loser: - nss_ZFreeIf(objs); - nss_ZFreeIf(o); - return error; - } - - CK_RV - pem_Initialize - ( - NSSCKMDInstance * mdInstance, - NSSCKFWInstance * fwInstance, - NSSUTF8 * configurationData - ) - { - CK_RV rv; -- /* parse the initialization string and initialize CRLInstances */ -+ /* parse the initialization string */ - char **certstrings = NULL; -+ char *modparms = NULL; - PRInt32 numcerts = 0; - PRBool status, error = PR_FALSE; - int i; -+ CK_C_INITIALIZE_ARGS_PTR modArgs = NULL; -+ -+ if (!fwInstance) return CKR_ARGUMENTS_BAD; -+ -+ modArgs = NSSCKFWInstance_GetInitArgs(fwInstance); -+ if (modArgs && -+ ((modArgs->flags & CKF_OS_LOCKING_OK) || (modArgs->CreateMutex != 0))) { -+ return CKR_CANT_LOCK; -+ } - - if (pemInitialized) { - return CKR_OK; - } -+ - RNG_RNGInit(); - - open_log(); - - plog("pem_Initialize\n"); - -- unsigned char *modparms = NULL; -- if (!fwInstance) { -- return CKR_ARGUMENTS_BAD; -- } -- -- CK_C_INITIALIZE_ARGS_PTR modArgs = -- NSSCKFWInstance_GetInitArgs(fwInstance); - if (!modArgs || !modArgs->LibraryParameters) { - goto done; - } -- modparms = (unsigned char *) modArgs->LibraryParameters; -+ modparms = (char *) modArgs->LibraryParameters; - plog("Initialized with %s\n", modparms); - - /* - * The initialization string format is a space-delimited file of - * pairs of paths which are delimited by a semi-colon. The first - * entry of the pair is the path to the certificate file. The - * second is the path to the key file. - * - * CA certificates do not need the semi-colon. - * - * Example: - * /etc/certs/server.pem;/etc/certs/server.key /etc/certs/ca.pem - * - */ - status = -- pem_ParseString((const char *) modparms, ' ', &numcerts, -+ pem_ParseString(modparms, ' ', &numcerts, - &certstrings); - if (status == PR_FALSE) { - return CKR_ARGUMENTS_BAD; - } - - for (i = 0; i < numcerts && error != PR_TRUE; i++) { - char *cert = certstrings[i]; - PRInt32 attrcount = 0; - char **certattrs = NULL; - status = pem_ParseString(cert, ';', &attrcount, &certattrs); - if (status == PR_FALSE) { - error = PR_TRUE; - break; - } - diff --git a/sources b/sources index e9123b8..58481cf 100644 --- a/sources +++ b/sources @@ -1,8 +1,8 @@ -3d211ab803585d449f94e67cbeca8502 nss-3.13.3-stripped.tar.bz2 -e63cddf74c07f0d818d1052ecc6fbb1f nss-pem-20101125.tar.bz2 a5ae49867124ac75f029a9a33af31bad blank-cert8.db 9315689bbd9f28ceebd47894f99fccbd blank-key3.db 73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert +d19159b7f91b94afaf7fa78bba006c13 nss-pem-20120402.tar.bz2 +74bbd7b520179c2e226a021fba8ff365 nss-3.13.4-stripped.tar.bz2