Merge branch 'f17' into f16

- Update nss to NSS_3_14_2_RTM
2013-02-07 20:49:30 -08:00 · 2013-02-07 20:49:30 -08:00 · 33b06304b4
parent 3f9e1f6945 f48ddc9b79
commit 33b06304b4
7 changed files with 62 additions and 191 deletions
--- a/.gitignore
+++ b/.gitignore
@ -6,4 +6,4 @@ blank-key4.db
 PayPalEE.cert
 /nss-pem-20120811.tar.bz2
 /dummy-sources-for-testing
-/nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2
+/nss-3.14.2-stripped.tar.bz2
--- a/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
+++ b/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
@ -1,168 +0,0 @@
-diff -up ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 ./mozilla/security/nss/cmd/certcgi/ca_form.html
--- ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864	2012-03-20 07:46:53.000000000 -0700
-+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html	2012-11-19 21:32:32.568415831 -0800
-@@ -167,6 +167,7 @@
-     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
-     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
-     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
-+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
-     </tr>
-     <tr>
-     <td>
-diff -up ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 ./mozilla/security/nss/cmd/certcgi/certcgi.c
--- ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864	2012-04-29 05:52:04.000000000 -0700
-+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c	2012-11-19 21:32:32.569415846 -0800
-@@ -21,6 +21,7 @@
- #include "pk11pqg.h"
- #include "certxutl.h"
- #include "nss.h"
-+#include "secutil.h"
- 
- 
- /* #define TEST           1 */
-@@ -33,6 +34,8 @@
- 
- static char *progName;
- 
-+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
-+
- typedef struct PairStr Pair;
- 
- struct PairStr {
-@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da
-     if( SECSuccess != rv ) goto loser;
-   }
- 
-+  if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
-+    SECU_RegisterDynamicOids();
-+  }
-+
-   if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
-     rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
-     if( SECSuccess != rv ) goto loser;
-diff -up ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864	2012-03-20 07:46:53.000000000 -0700
-+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html	2012-11-19 21:32:32.570415861 -0800
-@@ -34,6 +34,7 @@
-     <input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
-     <input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
-     <input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
-+    <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
-     </tr>
-     <tr>
-     <td>
-diff -up ./mozilla/security/nss/cmd/certutil/certext.c.870864 ./mozilla/security/nss/cmd/certutil/certext.c
--- ./mozilla/security/nss/cmd/certutil/certext.c.870864	2012-03-20 07:46:54.000000000 -0700
-+++ ./mozilla/security/nss/cmd/certutil/certext.c	2012-11-19 21:32:32.571415876 -0800
-@@ -18,6 +18,9 @@
- #endif
- 
- #include "secutil.h"
-+/* #include "secoidt.h" */ /* For when we update nss */
-+
-+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
- 
- #if defined(XP_UNIX)
- #include <unistd.h>
-@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
-                               "timeStamp",
-                               "ocspResponder",
-                               "stepUp",
-+                              "msCodeSigning",
-                               NULL};
- 
- static SECStatus 
-@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
-         case 6:
-             rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
-             break;
-+        case 7:
-+            rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
-+            break;
-         default:
-             goto endloop;
-         }
-diff -up ./mozilla/security/nss/cmd/certutil/certutil.c.870864 ./mozilla/security/nss/cmd/certutil/certutil.c
--- ./mozilla/security/nss/cmd/certutil/certutil.c.870864	2012-03-20 07:46:54.000000000 -0700
-+++ ./mozilla/security/nss/cmd/certutil/certutil.c	2012-11-19 21:32:32.573415906 -0800
-@@ -46,6 +46,8 @@
- 
- char *progName;
- 
-+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
-+
- static CERTCertificateRequest *
- GetCertRequest(PRFileDesc *inFile, PRBool ascii)
- {
-@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con
-               "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
-               "%-20s \"stepUp\", \"critical\"\n",
-         "   -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
-+              "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
-     FPS "%-20s Create an email subject alt name extension\n",
-         "   -7 emailAddrs");
-     FPS "%-20s Create an dns subject alt name extension\n",
-diff -up ./mozilla/security/nss/cmd/lib/moreoids.c.870864 ./mozilla/security/nss/cmd/lib/moreoids.c
--- ./mozilla/security/nss/cmd/lib/moreoids.c.870864	2012-03-20 07:46:59.000000000 -0700
-+++ ./mozilla/security/nss/cmd/lib/moreoids.c	2012-11-19 21:36:23.782925556 -0800
-@@ -41,6 +41,18 @@ OIDT  mKPSCL[]	= { MICROSOFT, 20, 2, 2 }
- OIDT  mNTPN []	= { MICROSOFT, 20, 2, 3 }; /* NT Principal Name        */
- OIDT  mCASRV[]	= { MICROSOFT, 21, 1    }; /* CertServ CA version      */
- 
-+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
-+
-+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
-+/* { 1.3.6.1.4.1.311 } */
-+static const unsigned char msExtendedKeyUsageCodeSigning[] =
-+        { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1  };
-+
-+static const SECOidData microsoftAuthenticodeSigning_Entry =
-+        { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
-+        "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
-+        INVALID_CERT_EXTENSION };
-+
- /* AOL OIDs     (1 3 6 1 4 1 1066 ... )   */
- #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
- 
-@@ -127,6 +139,18 @@ static const SECOidData oids[] = {
- 
- static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
- 
-+/* register the oid if we haven't already */
-+void
-+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
-+{
-+    if (*data == SEC_OID_UNKNOWN) {
-+        /* AddEntry does the right thing if someone else has already
-+         * added the oid. (that is return that oid tag) */
-+        *data = SECOID_AddEntry(src);
-+    }
-+}
-+
-+
- SECStatus
- SECU_RegisterDynamicOids(void)
- {
-@@ -144,5 +168,10 @@ SECU_RegisterDynamicOids(void)
- #endif
- 	}
-     }
-+
-+    /* Fetch and register the oid on behalf of the tools. */
-+    SECU_cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
-+	&microsoftAuthenticodeSigning_Entry);
-+
-     return rv;
- }
-diff -up ./mozilla/security/nss/cmd/lib/secutil.h.870864 ./mozilla/security/nss/cmd/lib/secutil.h
--- ./mozilla/security/nss/cmd/lib/secutil.h.870864	2012-09-27 10:13:33.000000000 -0700
-+++ ./mozilla/security/nss/cmd/lib/secutil.h	2012-11-19 21:32:32.575415936 -0800
-@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o
- 
- extern char *SECU_SECModDBName(void);
- 
-+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
-+
- extern SECStatus SECU_RegisterDynamicOids(void);
- 
- /* Identifies hash algorithm tag by its string representation. */
--- a/allow-building-nss-against-older-sqlite.patch
+++ b/allow-building-nss-against-older-sqlite.patch
@ -0,0 +1,20 @@
+Index: ./mozilla/security/nss/lib/softoken/sdb.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sdb.c,v
+retrieving revision 1.30
+retrieving revision 1.31
+diff -u -p -r1.30 -r1.31
+--- ./mozilla/security/nss/lib/softoken/sdb.c	16 Jan 2013 18:13:25 -0000	1.30
+++ ./mozilla/security/nss/lib/softoken/sdb.c	4 Feb 2013 19:58:20 -0000	1.31
+@@ -254,6 +254,11 @@ sdb_getFallbackTempDir(void)
+ #error "sdb_getFallbackTempDir not implemented"
+ #endif
+ 
+#ifndef SQLITE_FCNTL_TEMPFILENAME
+/* SQLITE_FCNTL_TEMPFILENAME was added in SQLite 3.7.15 */
+#define SQLITE_FCNTL_TEMPFILENAME 16
+#endif
+
+ static char *
+ sdb_getTempDir(sqlite3 *sqlDB)
+ {
--- a/nss-3.14.0.0-disble-ocsp-test.patch
+++ b/nss-3.14.0.0-disble-ocsp-test.patch
@ -1,9 +1,10 @@
-diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test	2012-10-12 09:30:07.264987000 -0700
-+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios	2012-10-12 09:34:55.653123000 -0700
-@@ -49,5 +49,4 @@ bridgewithpolicyextensionandmapping.cfg
+diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
+--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest	2013-01-06 19:56:15.000000000 -0800
+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios	2013-02-01 08:38:28.140615299 -0800
+@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
 realcerts.cfg
 dsa.cfg
 revoc.cfg
 -ocsp.cfg
 crldp.cfg
+ trustanchors.cfg
--- a/nss-ssl-cbc-random-iv-off-by-default.patch
+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
@ -1,6 +1,6 @@
-diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.770682	2012-11-01 11:10:54.107504267 -0700
-+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2012-11-01 11:07:36.758464814 -0700
+diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
+--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff	2013-02-01 10:14:36.960458329 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c	2013-02-01 10:17:16.532265855 -0800
@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
     3,          /* enableRenegotiation (default: transitional) */
     PR_FALSE,   /* requireSafeNegotiation */
@ -10,3 +10,16 @@ diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/
 };
 
 /*
+@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
+ 	                PR_TRUE));
+ 	}
+ 	ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+-	if (ev && ev[0] == '0') {
+-	    ssl_defaults.cbcRandomIV = PR_FALSE;
+-	    SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+	if (ev && ev[0] == '1') {
+	    ssl_defaults.cbcRandomIV = PR_TRUE;
+	    SSL_TRACE(("SSL: cbcRandomIV set to 1"));
+ 	}
+     }
+ #endif /* NSS_HAVE_GETENV */
--- a/nss.spec
+++ b/nss.spec
@ -1,17 +1,17 @@
-%global nspr_version 4.9.4
-%global nss_util_version 3.14
+%global nspr_version 4.9.5
+%global nss_util_version 3.14.2
 %global nss_softokn_fips_version 3.12.9
-%global nss_softokn_version 3.14
+%global nss_softokn_version 3.14.2
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools

 # Define if using a source archive like "nss-version.with.ckbi.version".
 # To "disable", add "#" to start of line, AND a space after "%".
-%define nss_ckbi_suffix .with.ckbi.1.93
+#% define nss_ckbi_suffix .with.ckbi.1.93

 Summary:          Network Security Services
 Name:             nss
-Version:          3.14.1
-Release:          3%{?dist}
+Version:          3.14.2
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@ -68,7 +68,7 @@ Patch6:           nss-enable-pem.patch
 Patch16:          nss-539183.patch
 Patch18:          nss-646045.patch
 # must statically link pem against the freebl in the buildroot
-# Needed only when freebl on tree has newe APIS
+# Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
 # This patch is currently meant for stable branches
 Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
@ -76,11 +76,9 @@ Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
 Patch39:          nss-ssl-enforce-no-pkcs11-bypass.path
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
-
-# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890
-Patch42:          0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
-
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919
 Patch43:          no-softoken-freebl-tests.patch
+Patch44: allow-building-nss-against-older-sqlite.patch

 %description
 Network Security Services (NSS) is a set of libraries designed to
@ -158,14 +156,15 @@ low level services.
 %patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
 %patch18 -p0 -b .646045
-# link pem against buildroot's freebl, esential wen mixing and matching
+# link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
 # activate for stable and beta branches
-%patch29 -p0 -b .770682
+%patch29 -p0 -b .cbcrandomivoff
 %patch39 -p1 -b .nobypass
 %patch40 -p1 -b .noocsptest
-%patch42 -p0 -b .870864
 %patch43 -p0 -b .nosoftokentests
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=837799
+%patch44 -p0 -b .oldersqlite

 %build

@ -611,6 +610,12 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h


 %changelog
+* Mon Feb 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
 * Wed Jan 02 2013 Kai Engert <kaie@redhat.com> - 3.14.1-3
 - Update to NSS_3_14_1_WITH_CKBI_1_93_RTM

--- a/2
+++ b/2
@ -6,4 +6,4 @@ a5ae49867124ac75f029a9a33af31bad  blank-cert8.db
 bf47cecad861efa77d1488ad4a73cb5b  PayPalEE.cert
 2a06bf7b815d1a666cc3587b895506ce  nss-pem-20120811.tar.bz2
 0be54f196b5da7e9008eb13a71bc2cb0  dummy-sources-for-testing
-331910e63d3ff5ff3acb845ba44dcf56  nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2
+828c6949bd348684b15237f8796f54c1  nss-3.14.2-stripped.tar.bz2