diff --git a/dummy-sources-for-testing b/dummy-sources-for-testing
deleted file mode 100644
index 59ba8d6..0000000
--- a/dummy-sources-for-testing
+++ /dev/null
@@ -1,2 +0,0 @@
-Dummy source file that we by uploading it lets us verify that nss builds
-do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang.
diff --git a/nss-ssl-enforce-no-pkcs11-bypass.path b/nss-ssl-enforce-no-pkcs11-bypass.path
deleted file mode 100644
index 3c99446..0000000
--- a/nss-ssl-enforce-no-pkcs11-bypass.path
+++ /dev/null
@@ -1,16 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.nobypass 2013-05-30 22:23:37.305583715 -0700
-+++ nss/lib/ssl/sslsock.c 2013-05-30 22:23:37.311583762 -0700
-@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo
- static PRStatus SSL_BypassSetup(void)
- {
- #ifdef NO_PKCS11_BYPASS
-- /* Guarantee binary compatibility */
-- return PR_SUCCESS;
-+ /* No need in our case to guarantee binary compatibility and
-+ * we can safely return failure as we have never supported it
-+ */
-+ return PR_FAILURE;
- #else
- return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
- #endif
diff --git a/nss.spec b/nss.spec
index 46e36fb..90909de 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name: nss
 Version: 3.21.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Group: System Environment/Libraries
@@ -70,7 +70,10 @@ Source27: secmod.db.xml Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=402712 Patch6: nss-enable-pem.patch +# Below reference applies to most pem module related patches +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 Patch16: nss-539183.patch # must statically link pem against the freebl in the buildroot # Needed only when freebl on tree has new APIS @@ -96,11 +99,11 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # As of nss-3.21 we compile NSS with -Werror. -# See https://bugzilla.mozilla.org/show_bug.cgi?id=1182667 +# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667 # This requires a cleanup of the PEM module as we have it here. -# TODO: submit a variant to the interim nss-pem upstream project -# Note that the submission will be quite different from this patch -# as a cleanup there is already in progress there. +# TODO: submit a patch to the interim nss-pem upstream project +# The submission will be very different from this patch as +# cleanup there is already in progress there. Patch59: pem-compile-with-Werror.patch %description @@ -292,10 +295,12 @@ export NSS_USE_SYSTEM_SQLITE # TODO: Investigate as there may be a better solution export NSS_DISABLE_GTESTS=1 -%if %{__isa_bits} == 64 +%ifnarch noarch +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif # uncomment if the iquote patch is activated export IN_TREE_FREEBL_HEADERS_FIRST=1 @@ -403,10 +408,12 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%if %{__isa_bits} == 64 +%ifnarch noarch +%if 0%{__isa_bits} == 64 USE_64=1 export USE_64 %endif +%endif export NSS_BLTEST_NOT_AVAILABLE=1 
@@ -821,6 +828,9 @@ fi %changelog +* Sun Nov 15 2015 Elio Maldonado - 3.21.0-3 +- Add references to bugs filed upstream + * Fri Nov 13 2015 Elio Maldonado Batiz - 3.21.1-2 - Update to NSS 3.21 - Package listsuites as part of the unsupported tools set diff --git a/pem-compile-with-Werror.patch b/pem-compile-with-Werror.patch index 7307dca..392d74a 100644 --- a/pem-compile-with-Werror.patch +++ b/pem-compile-with-Werror.patch 
@@ -1,114 +1,93 @@ diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h --- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-12 06:59:07.831377167 -0800 -@@ -233,7 +233,7 @@ struct pemLOWKEYPrivateKeyStr { ++++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800 +@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr { }; typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey; --SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly); -+int ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly, SECStatus *pError); ++/* NOTE: Discrepancy with the the way callers use of the return value as a count ++ * Fix this when we sync. up with the cleanup work being done at nss-pem project. ++ */ + SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly); const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type); void pem_PopulateModulusExponent(pemInternalObject *io); - NSSCKMDObject * pem_CreateObject(NSSCKFWInstance *fwInstance, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_RV *pError); diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c --- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-12 06:59:07.831377167 -0800 -@@ -466,15 +466,17 @@ AddCertificate(char *certfile, char *key - { - pemInternalObject *o; - CK_RV error = 0; -+ SECStatus status; - int objid, i; - int nobjs = 0; - SECItem **objs = NULL; ++++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800 +@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key char *ivstring = NULL; int cipher; - nobjs = ReadDERFromFile(&objs, 
certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); -+ nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */, &status); ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int (a count) and the declaration as a SECStatus. */ ++ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); if (nobjs <= 0) { nss_ZFreeIf(objs); -+ /* TODO: map the status to a CK_RV error */ return CKR_GENERAL_ERROR; - } - -@@ -513,12 +515,14 @@ AddCertificate(char *certfile, char *key - o = NULL; - +@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key if (keyfile) { /* add the private key */ -+ SECStatus status; SECItem **keyobjs = NULL; int kobjs = 0; ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int and the declaration as a SECStatus. */ kobjs = - ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, -- &ivstring, PR_FALSE); -+ &ivstring, PR_FALSE, &status); +- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, ++ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher, + &ivstring, PR_FALSE); if (kobjs < 1) { -+ /* TODO: map the status to an error */ error = CKR_GENERAL_ERROR; - goto loser; - } diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c --- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-12 06:59:07.831377167 -0800 -@@ -630,6 +630,8 @@ pem_DestroyInternalObject ++++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800 +@@ -630,6 +630,11 @@ pem_DestroyInternalObject if (io->u.key.ivstring) free(io->u.key.ivstring); break; + case pemAll: ++ /* pemAll is not used, keep the compiler happy ++ * TODO: investigate a proper solution ++ */ + return; } if (NULL != gobj) -@@ -1044,7 +1046,7 @@ pem_CreateObject +@@ -1044,7 +1049,9 @@ pem_CreateObject int nobjs = 0; int i; int objid; -- pemToken *token; 
-+ /*pemToken *token = NULL;*/ ++#if 0 + pemToken *token; ++#endif int cipher; char *ivstring = NULL; pemInternalObject *listObj = NULL; -@@ -1073,7 +1075,7 @@ pem_CreateObject +@@ -1073,7 +1080,9 @@ pem_CreateObject } slotID = nssCKFWSlot_GetSlotID(fwSlot); -- token = (pemToken *) mdToken->etc; -+ /*token = (pemToken *) mdToken->etc;*/ ++#if 0 + token = (pemToken *) mdToken->etc; ++#endif /* * only create keys and certs. -@@ -1114,7 +1116,10 @@ pem_CreateObject +@@ -1114,7 +1123,11 @@ pem_CreateObject } if (objClass == CKO_CERTIFICATE) { - nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); -+ SECStatus status; -+ nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, -+ PR_TRUE /* certs only */, &status); -+ /* TODO: How do we map status to *pError */ - if (nobjs < 1) - goto loser; - -@@ -1156,11 +1161,14 @@ pem_CreateObject - } else if (objClass == CKO_PRIVATE_KEY) { - /* Brute force: find the id of the certificate, if any, in this slot */ - int i; -+ SECStatus status; - SECItem certDER; - CK_SESSION_HANDLE hSession; - PRBool added; - -- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */); -+ nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, -+ PR_FALSE /* keys only */, &status); -+ /* TODO: How do we map status to *pError? */ ++ /* TODO: Fix discrepancy between our usage of the return value as ++ * as an int and the declaration as a SECStatus. Typecasting as a ++ * temporary workaround. 
++ */ ++ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */); if (nobjs < 1) goto loser; diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c --- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-12 06:59:07.831377167 -0800 ++++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800 @@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey return 0; } 
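Review bot: The `(int) ReadDERFromFile(...)` casts added at the call sites in pinst.c and pobject.c silence -Werror but still pass an object count through a `SECStatus` enum, so the callers' `nobjs <= 0` and `kobjs < 1` checks depend on how the compiler represents that enum. The util.c hunk later in this patch changes the definition from `int` to `SECStatus` to match ckpem.h. Going the other way would remove the mismatch with no casts and no caller changes: declare `int ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);` in ckpem.h and leave the util.c definition as `int`. AddCertificate and pem_CreateObject both start and end outside the hunks shown, so this is based on the visible call sites only.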
@@ -128,64 +107,40 @@ diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrap * Format one block of data for public/private key encryption using diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c --- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800 -+++ ./nss/lib/ckfw/pem/util.c 2015-11-12 06:59:07.831377167 -0800 -@@ -58,7 +58,7 @@ - #include ++++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800 +@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds + return SECFailure; + } - #define CHUNK_SIZE 512 --#define PUT_Object(obj,err) \ -+#define PUT_Object(obj,pErr) \ - { \ - if (count >= size) { \ - *derlist = *derlist ? \ -@@ -67,7 +67,7 @@ - nss_ZNEWARRAY(NULL, SECItem *, \ - (size+CHUNK_SIZE) ) ; \ - if ((SECItem **)NULL == *derlist) { \ -- err = CKR_HOST_MEMORY; \ -+ *pErr = CKR_HOST_MEMORY; \ - goto loser; \ - } \ - size += CHUNK_SIZE; \ -@@ -133,19 +133,20 @@ static SECStatus FileToItem(SECItem * ds - - int +-int ++/* FIX: Returns a SECStatus yet callers take result as a count */ ++SECStatus ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii, -- int *cipher, char **ivstring, PRBool certsonly) -+ int *cipher, char **ivstring, PRBool certsonly, SECStatus *pError) + int *cipher, char **ivstring, PRBool certsonly) { - SECStatus rv; - PRFileDesc *inFile; - int count = 0, size = 0; - SECItem *der = NULL; -- int error; - SECItem filedata; - char *c, *iv; - - inFile = PR_Open(filename, PR_RDONLY, 0); -- if (!inFile) -+ if (!inFile) { -+ *pError = SECFailure; - return -1; -+ } - - if (ascii) { - /* First convert ascii to binary */ -@@ -237,7 +238,7 @@ ReadDERFromFile(SECItem *** derlist, cha +@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha goto loser; } if ((certsonly && !key) || (!certsonly && key)) { -- PUT_Object(der, error); -+ PUT_Object(der, pError); ++ error = CKR_OK; + PUT_Object(der, error); ++ if (error != CKR_OK) { ++ free(der); ++ goto 
loser; ++ } } else { free(der->data); free(der); -@@ -255,7 +256,7 @@ ReadDERFromFile(SECItem *** derlist, cha +@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha } /* NOTE: This code path has never been tested. */ -- PUT_Object(der, error); -+ PUT_Object(der, pError); ++ error = CKR_OK; + PUT_Object(der, error); ++ if (error != CKR_OK) { ++ free(der); ++ goto loser; ++ } } nss_ZFreeIf(filedata.data);
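Review bot: The `if (error != CKR_OK)` blocks added after both `PUT_Object(der, error);` calls in ReadDERFromFile look unreachable. The macro body visible in the removed lines of the previous patch revision assigns `CKR_HOST_MEMORY` and then does `goto loser` itself, so on allocation failure control never reaches the new check and the `free(der)` there never runs. If the intent is to release the item on that path, the cleanup belongs at `loser` (or the macro has to stop jumping), and it should mirror the `else` branch, which frees `der->data` before `der`. If `error = CKR_OK;` and the check are only there to quiet the set-but-unused warning, a comment such as `/* error is only written by PUT_Object, which jumps to loser on failure */` would say so without suggesting a cleanup that cannot execute. The body of ReadDERFromFile, including `loser`, continues outside the hunk.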