From 3792f608873eed9a11c51ce47e1599915a5afe60 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 24 Jun 2016 14:13:59 -0700 Subject: [PATCH] Rebase to NSS 3.15 - Remove three patches obsolted by the rebase and updated two - Temporarily not building the ecperf tool - ecperef requires freebl/ec.h and ecl-curve.h and the latter - causes compile failure because it requires that - NSS_ECC_MORE_THAN_SUITE_B not be defined yet this is - required for nss builds to allow external pkcs #11 providers - to support curves beyond suite-b, such restriction only applies - to the internal crypto module --- .gitignore | 2 +- mozbz1277569backport.patch | 102 ------------------ nss-enable-pem.patch | 12 --- nss-skip-bltest-and-fipstest.patch | 22 ++-- nss-skip-ecperf.patch | 11 ++ nss.spec | 31 ++++-- nsspem-use-system-freebl.patch | 80 -------------- renegotiate-transitional.patch | 22 ++-- ...8-enable-ecc-3des-ciphers-by-default.patch | 23 ++-- sources | 2 +- 10 files changed, 71 insertions(+), 236 deletions(-) delete mode 100644 mozbz1277569backport.patch delete mode 100644 nss-enable-pem.patch create mode 100644 nss-skip-ecperf.patch delete mode 100644 nsspem-use-system-freebl.patch diff --git a/.gitignore b/.gitignore index 019d5b5..fb51e43 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,4 @@ TestUser50.cert TestUser51.cert /PayPalRootCA.cert /PayPalICA.cert -/nss-3.24.0.tar.gz +/nss-3.25.0.tar.gz diff --git a/mozbz1277569backport.patch b/mozbz1277569backport.patch deleted file mode 100644 index 8a38ac9..0000000 --- a/mozbz1277569backport.patch +++ /dev/null 
@@ -1,102 +0,0 @@ ---- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700 -+++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700 -@@ -675,16 +675,28 @@ - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ - } - break; - } - ssl_EnableSSL3(&ss->vrange, on); - break; - -+ case SSL_ENABLE_SSL2: -+ case SSL_V2_COMPATIBLE_HELLO: -+ /* We no longer support SSL v2. -+ * However, if an old application requests to disable SSL v2, -+ * we shouldn't fail. -+ */ -+ if (on) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ rv = SECFailure; -+ } -+ break; -+ - case SSL_NO_CACHE: - ss->opt.noCache = on; - break; - - case SSL_ENABLE_FDX: - if (on && ss->opt.noLocks) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; -@@ -856,16 +868,20 @@ - on = ss->opt.handshakeAsServer; - break; - case SSL_ENABLE_TLS: - on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0; - break; - case SSL_ENABLE_SSL3: - on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0; - break; -+ case SSL_ENABLE_SSL2: -+ case SSL_V2_COMPATIBLE_HELLO: -+ on = PR_FALSE; -+ break; - case SSL_NO_CACHE: - on = ss->opt.noCache; - break; - case SSL_ENABLE_FDX: - on = ss->opt.fdx; - break; - case SSL_ROLLBACK_DETECTION: - on = ss->opt.detectRollBack; -@@ -967,16 +983,20 @@ - on = ssl_defaults.handshakeAsServer; - break; - case SSL_ENABLE_TLS: - on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0; - break; - case SSL_ENABLE_SSL3: - on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0; - break; -+ case SSL_ENABLE_SSL2: -+ case SSL_V2_COMPATIBLE_HELLO: -+ on = PR_FALSE; -+ break; - case SSL_NO_CACHE: - on = ssl_defaults.noCache; - break; - case SSL_ENABLE_FDX: - on = ssl_defaults.fdx; - break; - case SSL_ROLLBACK_DETECTION: - on = ssl_defaults.detectRollBack; -@@ -1100,16 +1120,28 @@ - case SSL_ENABLE_TLS: - ssl_EnableTLS(&versions_defaults_stream, on); - break; - - case SSL_ENABLE_SSL3: - ssl_EnableSSL3(&versions_defaults_stream, on); - break; - -+ case 
SSL_ENABLE_SSL2: -+ case SSL_V2_COMPATIBLE_HELLO: -+ /* We no longer support SSL v2. -+ * However, if an old application requests to disable SSL v2, -+ * we shouldn't fail. -+ */ -+ if (on) { -+ PORT_SetError(SEC_ERROR_INVALID_ARGS); -+ return SECFailure; -+ } -+ break; -+ - case SSL_NO_CACHE: - ssl_defaults.noCache = on; - break; - - case SSL_ENABLE_FDX: - if (on && ssl_defaults.noLocks) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - return SECFailure; diff --git a/nss-enable-pem.patch b/nss-enable-pem.patch deleted file mode 100644 index 723039a..0000000 --- a/nss-enable-pem.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn ---- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700 -+++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700 -@@ -5,7 +5,7 @@ - - CORE_DEPTH = ../.. - --DIRS = builtins -+DIRS = builtins pem - - PRIVATE_EXPORTS = \ - ck.h \ diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch index 7d2427b..1dadf60 100644 --- a/nss-skip-bltest-and-fipstest.patch +++ b/nss-skip-bltest-and-fipstest.patch @@ -1,17 +1,15 @@ -diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile ---- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700 -+++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700 -@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS - DIRS += libpkix - endif - --ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) -+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) +diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile +--- ./nss/cmd/Makefile.skipem 2016-06-24 10:10:38.143165159 -0700 ++++ ./nss/cmd/Makefile 2016-06-24 10:13:08.566457400 -0700 +@@ -17,7 +17,11 @@ endif + ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) BLTEST_SRCDIR = --FIPSTEST_SRCDIR = --SHLIBSIGN_SRCDIR = -+FIPSTEST_SRCDIR = + FIPSTEST_SRCDIR = ++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) +SHLIBSIGN_SRCDIR = shlibsign ++else + SHLIBSIGN_SRCDIR = ++endif else BLTEST_SRCDIR = bltest FIPSTEST_SRCDIR = fipstest 
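Review bot: The refreshed nested patch names two different files in its header: the `diff -up` line says `./nss/cmd/Makefile.skipthem` while the `---` line says `./nss/cmd/Makefile.skipem`, and the new nss-skip-ecperf.patch has the same mismatch (`manifest.mn.skip_ecperf` vs `manifest.mn.noecperf`); `patch -p0` reads only the `---`/`+++` lines so both still apply, but the headers should agree so the files can be regenerated with `diff -up` as written. The new inner block also reads inverted at first sight, because a variable named `NSS_BLTEST_NOT_AVAILABLE` is what selects `SHLIBSIGN_SRCDIR = shlibsign` inside the `NSS_BUILD_WITHOUT_SOFTOKEN` branch; a comment above the inner `ifeq`, e.g. `# downstream: NSS_BLTEST_NOT_AVAILABLE=1 keeps building shlibsign even when softoken is not built`, would make that intent explicit. The inner counts (`-17,7 +17,11`) match the four added lines, so the hunk itself looks consistent.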
diff --git a/nss-skip-ecperf.patch b/nss-skip-ecperf.patch
new file mode 100644
index 0000000..1f747ba
--- /dev/null
+++ b/nss-skip-ecperf.patch
@@ -0,0 +1,11 @@
+diff -up ./nss/cmd/manifest.mn.skip_ecperf ./nss/cmd/manifest.mn
+--- ./nss/cmd/manifest.mn.noecperf 2016-06-24 08:04:53.891106841 -0700
++++ ./nss/cmd/manifest.mn 2016-06-24 08:06:57.186887403 -0700
+@@ -42,7 +42,6 @@ NSS_SRCDIRS = \
+ dbtest \
+ derdump \
+ digest \
+- ecperf \
+ httpserv \
+ listsuites \
+ makepqg \
diff --git a/nss.spec b/nss.spec
index 5a9d72f..c8f134a 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,6 +1,6 @@
 %global nspr_version 4.12.0 -%global nss_util_version 3.24.0 -%global nss_softokn_version 3.24.0 +%global nss_util_version 3.25.0 +%global nss_softokn_version 3.25.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
@@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.24.0 +Version: 3.25.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 3%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries
@@ -94,14 +94,14 @@ Patch50: iquote.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # TODO: file a bug usptream Patch59: nss-check-policy-file.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569 -Patch61: mozbz1277569backport.patch # TODO: file a bug usptream Patch62: nss-skip-util-gtest.patch # TODO: file a bug usptream when enough tests are run Patch63: tests-check-policy-file.patch # TODO: file a bug usptream when enough tests are run Patch64: tests-data-adjust-for-policy.patch +# TODO: file a bug upstream +Patch70: nss-skip-ecperf.patch %description Network Security Services (NSS) is a set of libraries designed to 
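Review bot: The new `Patch70: nss-skip-ecperf.patch` is annotated only with `# TODO: file a bug upstream`, the same wording as Patch59/62/63/64, so the spec does not say what is skipped or why; the reason (ecperf needs freebl/ec.h and ecl-curve.h, which clash with NSS_ECC_MORE_THAN_SUITE_B) lives only in the commit message. Suggest `# TODO: file a bug upstream; ecperf needs freebl/ec.h and ecl/ecl-curve.h, see the note in %prep` next to Patch70. Separately, the commit subject says "Rebase to NSS 3.15" while every version string in these hunks and in sources is 3.25.0, which looks like a typo in the subject.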
@@ -185,11 +185,12 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch59 -p1 -b .check_policy_file -%patch61 -p1 -b .compatibility -%patch62 -p0 -b .skip_util_gtest +#%patch62 -p0 -b .skip_util_gtest %patch63 -p1 -b .check_policy %patch64 -p1 -b .expected_result popd +# temporary +%patch70 -p0 -b .skip_ecperf ######################################################### # Higher-level libraries and test tools need access to @@ -197,10 +198,13 @@ popd # until fixed upstream we must copy some headers locally ######################################################### -# Copying these header until the upstream bug is accepted +# Copying these headers until the upstream bug is accepted # Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207 %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf +# TODO: similar problem as descrived above +# ./nss/lib/freebl/ec.h, ./nss/lib/freebl/ecl/ecl-curve.h +# the last one requires that NSS_ECC_MORE_THAN_SUITE_B not be defined # Before removing util directory we must save verref.h # as it will be needed later during the build phase. @@ -230,6 +234,8 @@ popd %build +# TODO: remove this when we solve the problems +export NSS_DISABLE_GTESTS=1 NSS_NO_PKCS11_BYPASS=1 export NSS_NO_PKCS11_BYPASS @@ -457,7 +463,9 @@ pushd ./nss/tests/ # don't need to run all the tests when testing packaging # nss_cycles: standard pkix upgradedb sharedb -%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" +# the full list from all.sh is: +# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" +%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests" # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # 
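Review bot: `#%patch62 -p0 -b .skip_util_gtest` disables the patch with a bare `#`, but rpm expands macros in spec comment lines too, so the conventional safe form is `#%%patch62 -p0 -b .skip_util_gtest`. Whether the rpmbuild in use would actually apply a `%patch` from inside a comment I cannot confirm from this diff, but the doubled percent removes the question. The new `# temporary` above `%patch70 -p0 -b .skip_ecperf` would be more useful as `# temporary: until ecperf builds again without freebl/ec.h and ecl-curve.h (Patch70)`.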
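Review bot: The new comment in the header-copy section misspells `descrived`; suggest `# TODO: similar problem as described above`. The two lines that follow name ec.h and ecl-curve.h but no `%{__cp}` follows them, so a reader may look for copy commands that are not there; adding `# (not copied: ecperf is skipped by Patch70 instead)` states the intent.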
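Review bot: `export NSS_DISABLE_GTESTS=1` in %build turns off building the gtests, yet the `%define nss_tests` line in the next hunk adds `gtests ssl_gtests` to the cycles run under %check; one of the two looks stale, and whether the harness skips or fails those cycles when nothing was built is not visible here. Either drop `gtests ssl_gtests` from nss_tests while the disable stays, or remove the export, and say which in the comment. The same line also assigns `NSS_NO_PKCS11_BYPASS=1` right before the pre-existing `export NSS_NO_PKCS11_BYPASS`, so that setting is now declared twice; folding it into one line keeps the bypass setting in a single place. `# TODO: remove this when we solve the problems` should name the problem it works around, since the commit message only explains the ecperf one.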
@@ -802,6 +810,9 @@ fi %changelog +* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2 +- Rebase to nss 3.25 + * Thu Jun 16 2016 Kamil Dudka - 3.24.0-3 - decouple nss-pem from the nss package (#1347336) diff --git a/nsspem-use-system-freebl.patch b/nsspem-use-system-freebl.patch deleted file mode 100644 index 115b49c..0000000 --- a/nsspem-use-system-freebl.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk ---- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700 -@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m - # are specifed as dependencies within rules.mk. - # - -+ -+EXTRA_LIBS += \ -+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ -+ $(NULL) -+ - TARGETS = $(SHARED_LIBRARY) - LIBRARY = - IMPORT_LIBRARY = -@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS) - MKSHLIB += -R '$$ORIGIN' - endif - -+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and -+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil -+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf. -+ifdef USE_SYSTEM_NSSUTIL -+OS_LIBS += $(NSSUTIL_LIBS) -+else -+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX) -+EXTRA_LIBS += $(NSSUTIL_LIBS) -+endif -+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and -+# FREEBL_LIBS to the linker command-line arguments for the system nssutil -+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf. 
-+ifdef USE_SYSTEM_FREEBL -+OS_LIBS += $(FREEBL_LIBS) -+else -+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX) -+EXTRA_LIBS += $(FREEBL_LIBS) -+endif -+ -diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile ---- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700 -@@ -43,8 +43,7 @@ include config.mk - EXTRA_LIBS = \ - $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \ - $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \ -- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ -- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \ -+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \ - $(NULL) - - # can't do this in manifest.mn because OS_TARGET isn't defined there. -@@ -56,6 +55,9 @@ EXTRA_LIBS += \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ -+ -L$(NSSUTIL_LIB_DIR) \ -+ -lnssutil3 \ -+ -lfreebl3 - $(NULL) - else - EXTRA_SHARED_LIBS += \ -@@ -74,6 +76,9 @@ EXTRA_LIBS += \ - -lplc4 \ - -lplds4 \ - -lnspr4 \ -+ -L$(NSSUTIL_LIB_DIR) \ -+ -lnssutil3 \ -+ -lfreebl3 \ - $(NULL) - endif - -diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn ---- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700 -+++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700 -@@ -65,4 +65,4 @@ REQUIRES = nspr - - LIBRARY_NAME = nsspem - --#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3 diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index ce444e1..73b366b 100644 --- a/renegotiate-transitional.patch +++ b/renegotiate-transitional.patch 
@@ -1,12 +1,12 @@ diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c ---- ./nss/lib/ssl/sslsock.c.transitional 2016-03-05 08:54:13.871412639 -0800 -+++ ./nss/lib/ssl/sslsock.c 2016-03-05 09:00:27.721889811 -0800 -@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = { - PR_FALSE, /* noLocks */ - PR_FALSE, /* enableSessionTickets */ - PR_FALSE, /* enableDeflate */ -- 2, /* enableRenegotiation (default: requires extension) */ -+ 3, /* enableRenegotiation (default: transitional) */ - PR_FALSE, /* requireSafeNegotiation */ - PR_FALSE, /* enableFalseStart */ - PR_TRUE, /* cbcRandomIV */ +--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400 ++++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400 +@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = { + PR_FALSE, /* noLocks */ + PR_FALSE, /* enableSessionTickets */ + PR_FALSE, /* enableDeflate */ +- 2, /* enableRenegotiation (default: requires extension) */ ++ 3, /* enableRenegotiation (default: transitional) */ + PR_FALSE, /* requireSafeNegotiation */ + PR_FALSE, /* enableFalseStart */ + PR_TRUE, /* cbcRandomIV */ diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch index 69ad4db..455c747 100644 --- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch +++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch 
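Review bot: The refreshed patch still moves the `enableRenegotiation` default in `ssl_defaults` from `2` (`requires extension`) to `3` (`transitional`), and the file has no header saying why the downstream default is looser than upstream; a refresh is the right moment to record that. Suggest a line above `diff -up`, which `patch` ignores, such as `# Fedora keeps transitional renegotiation as the default; see [bug reference placeholder]`. The hunk header moving from `-77,7` to `-72,7` and the unchanged neighbouring fields are consistent with a plain rebase, but whether `3` still maps to the transitional mode in 3.25 is not verifiable from this diff and is worth checking against the `SSL_RENEGOTIATE_*` values in ssl.h.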
@@ -1,14 +1,23 @@ -diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c ---- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700 -+++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700 -@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s +--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400 ++++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400 +@@ -118,18 +118,18 @@ + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, ++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - #endif /* NSS_DISABLE_ECC */ + + { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, + { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE}, + { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE}, + { 
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/sources b/sources
index a7af001..4fcbfc9 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
 73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
-2a3ffd2f46b60ecc116ac086343a537a nss-3.24.0.tar.gz
+950263d15d1f055605bfb6e634a1a019 nss-3.25.0.tar.gz
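Review bot: The refreshed patch removes its `diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c` line without adding one back, unlike the other patch files in this commit which keep theirs; `patch -p0` does not need it, but it records how the file was produced and should be restored above the `---` line for consistency. On substance the patch still turns `TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` on by default, with the rationale present only as the bug number in the file name; now that the surrounding context shows AES-GCM and CHACHA20 suites enabled by default, a short header in the patch stating the compatibility requirement that keeps 3DES on and the condition for dropping it would help the next rebase decide whether to keep carrying it. The inner context also no longer includes the `#endif /* NSS_DISABLE_ECC */` line, so the hunk no longer shows where the ECC block ends; that is fine for applying but worth knowing when it is next refreshed. The hunk ends here and `cipherSuites[]` continues past it.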