Merge branch 'f24' into f23
commit
45e747b60f
|
@ -7,7 +7,7 @@ PayPalEE.cert
|
|||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/nss-pem-20140125.tar.bz2
|
||||
/nss-pem-20160308.tar.bz2
|
||||
/PayPalRootCA.cert
|
||||
/PayPalICA.cert
|
||||
/nss-3.23.0.tar.gz
|
||||
|
|
28
nss.spec
28
nss.spec
|
@ -21,7 +21,7 @@ Name: nss
|
|||
Version: 3.23.0
|
||||
# for Rawhide, please always use release >= 2
|
||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||
Release: 1.0%{?dist}
|
||||
Release: 1.1%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
|
@ -58,7 +58,7 @@ Source6: blank-cert9.db
|
|||
Source7: blank-key4.db
|
||||
Source8: system-pkcs11.txt
|
||||
Source9: setup-nsssysinit.sh
|
||||
Source12: %{name}-pem-20140125.tar.bz2
|
||||
Source12: %{name}-pem-20160308.tar.bz2
|
||||
Source20: nss-config.xml
|
||||
Source21: setup-nsssysinit.xml
|
||||
Source22: pkcs11.txt.xml
|
||||
|
@ -98,13 +98,6 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
|
|||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||
|
||||
# As of nss-3.21 we compile NSS with -Werror.
|
||||
# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
|
||||
# This requires a cleanup of the PEM module as we have it here.
|
||||
# TODO: submit a patch to the interim nss-pem upstream project
|
||||
# The submission will be very different from this patch as
|
||||
# cleanup there is already in progress there.
|
||||
Patch59: pem-compile-with-Werror.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -194,7 +187,6 @@ popd
|
|||
%patch54 -p0 -b .ssl2_off
|
||||
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
|
||||
%patch58 -p0 -b .1185708_3des
|
||||
%patch59 -p0 -b .compile_Werror
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -823,6 +815,10 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Mar 10 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.1
|
||||
- Update pem sources to latest from nss-pem upstream
|
||||
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
|
||||
|
||||
* Sun Mar 06 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-1.0
|
||||
- Rebase to NSS 3.23.0
|
||||
|
||||
|
@ -914,7 +910,7 @@ fi
|
|||
- Backing out from disabling ssl2 until the patches are fixed
|
||||
|
||||
* Mon Feb 09 2015 Elio Maldonado <emaldona@redhat.com> - 3.17.4-2
|
||||
- Disable SSL2 support at build time
|
||||
- Disable SSL2 support at build time
|
||||
- Fix syntax errors in various shell scripts
|
||||
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
|
||||
|
||||
|
@ -1164,7 +1160,7 @@ fi
|
|||
- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
|
||||
- Bug 872124 - nss-3.14 breaks fedpkg new-sources
|
||||
- Fix should be considered preliminary since the patch may change upon upstream approval
|
||||
|
||||
|
||||
* Thu Nov 01 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
|
||||
- Add a dummy source file for testing /preventing fedpkg breakage
|
||||
- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
|
||||
|
@ -1207,7 +1203,7 @@ fi
|
|||
* Mon Aug 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
|
||||
- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
|
||||
- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
|
||||
- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
|
||||
- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
|
||||
- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
|
||||
|
||||
* Mon Aug 13 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-7
|
||||
|
@ -1448,7 +1444,7 @@ fi
|
|||
* Thu Sep 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
|
||||
- Update to 3.12.8
|
||||
- Prevent disabling of nss-sysinit on package upgrade (#636787)
|
||||
- Create pkcs11.txt with correct permissions regardless of umask (#636792)
|
||||
- Create pkcs11.txt with correct permissions regardless of umask (#636792)
|
||||
- Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
|
||||
- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
|
||||
|
||||
|
@ -1708,7 +1704,7 @@ fi
|
|||
- fix to not clone internal objects in collect_objects(). (501118)
|
||||
- fix to not bypass initialization if module arguments are omitted. (501058)
|
||||
- fix numerous gcc warnings. (500815)
|
||||
- fix to support arbitrarily long password while loading a private key. (500180)
|
||||
- fix to support arbitrarily long password while loading a private key. (500180)
|
||||
- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
|
||||
* Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
|
||||
- add patch for bug 502133 upstream bug 496997
|
||||
|
@ -1836,7 +1832,7 @@ fi
|
|||
|
||||
* Fri Mar 02 2007 Kai Engert <kengert@redhat.com> - 3.11.5-2
|
||||
- Fix rhbz#230545, failure to enable FIPS mode
|
||||
- Fix rhbz#220542, make NSS more tolerant of resets when in the
|
||||
- Fix rhbz#220542, make NSS more tolerant of resets when in the
|
||||
middle of prompting for a user password.
|
||||
|
||||
* Sat Feb 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
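Review bot: `Source12: %{name}-pem-20160308.tar.bz2` identifies the new PEM module snapshot only by date, with no URL or upstream commit recorded in the spec, so the tarball that carries the fix for Bug 1300652 cannot be reproduced or compared against upstream from this file alone. A comment above that line such as `# nss-pem upstream snapshot, commit <UPSTREAM_COMMIT_ID>, generated with <COMMAND>` would make the provenance checkable. The same update drops `Patch59` (pem-compile-with-Werror.patch), which added the `error != CKR_OK` checks after `PUT_Object` in `ReadDERFromFile`. Presumably the new snapshot carries equivalent handling, but that is not visible on this page and is worth confirming against the new tarball.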
|
||||
|
|
|
@ -1,146 +0,0 @@
|
|||
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
|
||||
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
|
||||
};
|
||||
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
|
||||
|
||||
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
|
||||
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
|
||||
+ */
|
||||
SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
|
||||
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
|
||||
void pem_PopulateModulusExponent(pemInternalObject *io);
|
||||
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
|
||||
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800
|
||||
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
|
||||
char *ivstring = NULL;
|
||||
int cipher;
|
||||
|
||||
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int (a count) and the declaration as a SECStatus. */
|
||||
+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs <= 0) {
|
||||
nss_ZFreeIf(objs);
|
||||
return CKR_GENERAL_ERROR;
|
||||
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
|
||||
if (keyfile) { /* add the private key */
|
||||
SECItem **keyobjs = NULL;
|
||||
int kobjs = 0;
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. */
|
||||
kobjs =
|
||||
- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
|
||||
&ivstring, PR_FALSE);
|
||||
if (kobjs < 1) {
|
||||
error = CKR_GENERAL_ERROR;
|
||||
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
|
||||
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
|
||||
if (io->u.key.ivstring)
|
||||
free(io->u.key.ivstring);
|
||||
break;
|
||||
+ case pemAll:
|
||||
+ /* pemAll is not used, keep the compiler happy
|
||||
+ * TODO: investigate a proper solution
|
||||
+ */
|
||||
+ return;
|
||||
}
|
||||
|
||||
if (NULL != gobj)
|
||||
@@ -1044,7 +1049,9 @@ pem_CreateObject
|
||||
int nobjs = 0;
|
||||
int i;
|
||||
int objid;
|
||||
+#if 0
|
||||
pemToken *token;
|
||||
+#endif
|
||||
int cipher;
|
||||
char *ivstring = NULL;
|
||||
pemInternalObject *listObj = NULL;
|
||||
@@ -1073,7 +1080,9 @@ pem_CreateObject
|
||||
}
|
||||
slotID = nssCKFWSlot_GetSlotID(fwSlot);
|
||||
|
||||
+#if 0
|
||||
token = (pemToken *) mdToken->etc;
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* only create keys and certs.
|
||||
@@ -1114,7 +1123,11 @@ pem_CreateObject
|
||||
}
|
||||
|
||||
if (objClass == CKO_CERTIFICATE) {
|
||||
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
+ /* TODO: Fix discrepancy between our usage of the return value as
|
||||
+ * as an int and the declaration as a SECStatus. Typecasting as a
|
||||
+ * temporary workaround.
|
||||
+ */
|
||||
+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
|
||||
if (nobjs < 1)
|
||||
goto loser;
|
||||
|
||||
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
|
||||
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800
|
||||
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
|
||||
return 0;
|
||||
}
|
||||
|
||||
+/* unused functions */
|
||||
+#if 0
|
||||
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
|
||||
{
|
||||
SHA1Context *clone = NULL;
|
||||
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
|
||||
|
||||
return SECSuccess;
|
||||
}
|
||||
+#endif /* unused functions */
|
||||
|
||||
/*
|
||||
* Format one block of data for public/private key encryption using
|
||||
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
|
||||
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
|
||||
+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800
|
||||
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
|
||||
return SECFailure;
|
||||
}
|
||||
|
||||
-int
|
||||
+/* FIX: Returns a SECStatus yet callers take result as a count */
|
||||
+SECStatus
|
||||
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
|
||||
int *cipher, char **ivstring, PRBool certsonly)
|
||||
{
|
||||
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
goto loser;
|
||||
}
|
||||
if ((certsonly && !key) || (!certsonly && key)) {
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
} else {
|
||||
free(der->data);
|
||||
free(der);
|
||||
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
|
||||
}
|
||||
|
||||
/* NOTE: This code path has never been tested. */
|
||||
+ error = CKR_OK;
|
||||
PUT_Object(der, error);
|
||||
+ if (error != CKR_OK) {
|
||||
+ free(der);
|
||||
+ goto loser;
|
||||
+ }
|
||||
}
|
||||
|
||||
nss_ZFreeIf(filedata.data);
|
2
sources
2
sources
|
@ -3,5 +3,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
|||
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
|
||||
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
|
||||
4d8e770b105483e365f3327d883dd229 nss-pem-20160308.tar.bz2
|
||||
574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
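Review bot: The new `nss-pem-20160308.tar.bz2` entry is pinned only by an MD5 digest, like the other lines in this file. MD5 is not collision-resistant, so it detects accidental corruption but is a weak guard against a substituted tarball. If the dist-git tooling for this branch accepts the `SHA512 (file) = digest` form, uploading the new source in that form would give a stronger integrity check on the security fix this snapshot delivers.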
|
||||
|
|