Merge branch 'f18' into f17
- Update to nss-3.14.1
This commit is contained in:
commit
4729bb6f26
2
.gitignore
vendored
2
.gitignore
vendored
@ -5,5 +5,5 @@ blank-cert9.db
|
||||
blank-key4.db
|
||||
PayPalEE.cert
|
||||
/nss-pem-20120811.tar.bz2
|
||||
/nss-3.14-stripped.tar.bz2
|
||||
/dummy-sources-for-testing
|
||||
/nss-3.14.1-stripped.tar.bz2
|
||||
|
@ -1,393 +0,0 @@
|
||||
Index: ./mozilla/security/nss/lib/cryptohi/keythi.h
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/keythi.h,v
|
||||
retrieving revision 1.17
|
||||
diff -u -p -r1.17 keythi.h
|
||||
--- ./mozilla/security/nss/lib/cryptohi/keythi.h 16 May 2012 12:34:15 -0000 1.17
|
||||
+++ ./mozilla/security/nss/lib/cryptohi/keythi.h 2 Nov 2012 18:09:53 -0000
|
||||
@@ -214,7 +214,12 @@ typedef struct SECKEYPublicKeyStr SECKEY
|
||||
#define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \
|
||||
(0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
|
||||
(0 != (key->staticflags & SECKEY_##attribute)) : \
|
||||
- PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute)
|
||||
+ PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, PR_FALSE)
|
||||
+
|
||||
+#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key,attribute, haslock) \
|
||||
+ (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \
|
||||
+ (0 != (key->staticflags & SECKEY_##attribute)) : \
|
||||
+ PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, haslock)
|
||||
|
||||
/*
|
||||
** A generic key structure
|
||||
Index: ./mozilla/security/nss/lib/cryptohi/seckey.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v
|
||||
retrieving revision 1.68
|
||||
diff -u -p -r1.68 seckey.c
|
||||
--- ./mozilla/security/nss/lib/cryptohi/seckey.c 25 Jun 2012 21:48:39 -0000 1.68
|
||||
+++ ./mozilla/security/nss/lib/cryptohi/seckey.c 2 Nov 2012 18:09:53 -0000
|
||||
@@ -1918,7 +1918,7 @@ loser:
|
||||
}
|
||||
|
||||
#define SECKEY_CacheAttribute(key, attribute) \
|
||||
- if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute)) { \
|
||||
+ if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \
|
||||
key->staticflags |= SECKEY_##attribute; \
|
||||
} else { \
|
||||
key->staticflags &= (~SECKEY_##attribute); \
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11akey.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v
|
||||
retrieving revision 1.36
|
||||
diff -u -p -r1.36 pk11akey.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11akey.c 25 Apr 2012 14:50:04 -0000 1.36
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11akey.c 2 Nov 2012 18:09:54 -0000
|
||||
@@ -740,7 +740,7 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key
|
||||
CK_KEY_TYPE pk11Type = CKK_RSA;
|
||||
|
||||
pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE);
|
||||
- isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN);
|
||||
+ isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN,PR_FALSE);
|
||||
switch (pk11Type) {
|
||||
case CKK_RSA: keyType = rsaKey; break;
|
||||
case CKK_DSA: keyType = dsaKey; break;
|
||||
@@ -754,7 +754,7 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key
|
||||
|
||||
/* if the key is private, make sure we are authenticated to the
|
||||
* token before we try to use it */
|
||||
- isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE);
|
||||
+ isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE,PR_FALSE);
|
||||
if (isPrivate) {
|
||||
rv = PK11_Authenticate(slot, PR_TRUE, wincx);
|
||||
if (rv != SECSuccess) {
|
||||
@@ -1432,7 +1432,7 @@ PK11_GenerateKeyPairWithOpFlags(PK11Slot
|
||||
|
||||
/* set the ID to the public key so we can find it again */
|
||||
cka_id = pk11_MakeIDFromPublicKey(*pubKey);
|
||||
- pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN);
|
||||
+ pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN,PR_FALSE);
|
||||
|
||||
PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len);
|
||||
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11auth.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11auth.c,v
|
||||
retrieving revision 1.16
|
||||
diff -u -p -r1.16 pk11auth.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11auth.c 16 May 2012 12:34:19 -0000 1.16
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11auth.c 2 Nov 2012 18:09:54 -0000
|
||||
@@ -45,8 +45,9 @@ static struct PK11GlobalStruct {
|
||||
* Check the user's password. Log into the card if it's correct.
|
||||
* succeed if the user is already logged in.
|
||||
*/
|
||||
-SECStatus
|
||||
-pk11_CheckPassword(PK11SlotInfo *slot,char *pw,PRBool contextSpecific)
|
||||
+static SECStatus
|
||||
+pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
||||
+ char *pw, PRBool alreadyLocked, PRBool contextSpecific)
|
||||
{
|
||||
int len = 0;
|
||||
CK_RV crv;
|
||||
@@ -66,13 +67,13 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch
|
||||
}
|
||||
|
||||
do {
|
||||
- PK11_EnterSlotMonitor(slot);
|
||||
- crv = PK11_GETTAB(slot)->C_Login(slot->session,
|
||||
+ if (!alreadyLocked) PK11_EnterSlotMonitor(slot);
|
||||
+ crv = PK11_GETTAB(slot)->C_Login(session,
|
||||
contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER,
|
||||
(unsigned char *)pw,len);
|
||||
slot->lastLoginCheck = 0;
|
||||
mustRetry = PR_FALSE;
|
||||
- PK11_ExitSlotMonitor(slot);
|
||||
+ if (!alreadyLocked) PK11_ExitSlotMonitor(slot);
|
||||
switch (crv) {
|
||||
/* if we're already logged in, we're good to go */
|
||||
case CKR_OK:
|
||||
@@ -91,10 +92,19 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch
|
||||
* if the token is still there. */
|
||||
case CKR_SESSION_HANDLE_INVALID:
|
||||
case CKR_SESSION_CLOSED:
|
||||
+ if (session != slot->session) {
|
||||
+ /* don't bother retrying, we were in a middle of an operation,
|
||||
+ * which is now lost. Just fail. */
|
||||
+ PORT_SetError(PK11_MapError(crv));
|
||||
+ rv = SECFailure;
|
||||
+ break;
|
||||
+ }
|
||||
if (retry++ == 0) {
|
||||
rv = PK11_InitToken(slot,PR_FALSE);
|
||||
if (rv == SECSuccess) {
|
||||
if (slot->session != CK_INVALID_SESSION) {
|
||||
+ session = slot->session; /* we should have
|
||||
+ * a new session now */
|
||||
mustRetry = PR_TRUE;
|
||||
} else {
|
||||
PORT_SetError(PK11_MapError(crv));
|
||||
@@ -242,7 +252,8 @@ PK11_HandlePasswordCheck(PK11SlotInfo *s
|
||||
NeedAuth = PR_TRUE;
|
||||
}
|
||||
}
|
||||
- if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx,PR_FALSE);
|
||||
+ if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE,
|
||||
+ wincx, PR_FALSE, PR_FALSE);
|
||||
}
|
||||
|
||||
void
|
||||
@@ -301,7 +312,8 @@ pk11_LoginStillRequired(PK11SlotInfo *sl
|
||||
SECStatus
|
||||
PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) {
|
||||
if (pk11_LoginStillRequired(slot,wincx)) {
|
||||
- return PK11_DoPassword(slot,loadCerts,wincx,PR_FALSE);
|
||||
+ return PK11_DoPassword(slot, slot->session, loadCerts, wincx,
|
||||
+ PR_FALSE, PR_FALSE);
|
||||
}
|
||||
return SECSuccess;
|
||||
}
|
||||
@@ -532,7 +544,8 @@ PK11_SetIsLoggedInFunc(PK11IsLoggedInFun
|
||||
* of the PKCS 11 module.
|
||||
*/
|
||||
SECStatus
|
||||
-PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx,
|
||||
+PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
||||
+ PRBool loadCerts, void *wincx, PRBool alreadyLocked,
|
||||
PRBool contextSpecific)
|
||||
{
|
||||
SECStatus rv = SECFailure;
|
||||
@@ -602,7 +615,8 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBo
|
||||
break;
|
||||
}
|
||||
}
|
||||
- rv = pk11_CheckPassword(slot,password,contextSpecific);
|
||||
+ rv = pk11_CheckPassword(slot, session, password,
|
||||
+ alreadyLocked, contextSpecific);
|
||||
PORT_Memset(password, 0, PORT_Strlen(password));
|
||||
PORT_Free(password);
|
||||
if (rv != SECWouldBlock) break;
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11merge.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11merge.c,v
|
||||
retrieving revision 1.10
|
||||
diff -u -p -r1.10 pk11merge.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11merge.c 25 Apr 2012 14:50:05 -0000 1.10
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11merge.c 2 Nov 2012 18:09:54 -0000
|
||||
@@ -169,15 +169,15 @@ pk11_getPrivateKeyUsage(PK11SlotInfo *sl
|
||||
{
|
||||
unsigned int usage = 0;
|
||||
|
||||
- if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP) ||
|
||||
- PK11_HasAttributeSet(slot,id, CKA_DECRYPT))) {
|
||||
+ if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP,PR_FALSE) ||
|
||||
+ PK11_HasAttributeSet(slot,id, CKA_DECRYPT,PR_FALSE))) {
|
||||
usage |= KU_KEY_ENCIPHERMENT;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) {
|
||||
usage |= KU_KEY_AGREEMENT;
|
||||
}
|
||||
- if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER) ||
|
||||
- PK11_HasAttributeSet(slot, id, CKA_SIGN))) {
|
||||
+ if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE) ||
|
||||
+ PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE))) {
|
||||
usage |= KU_DIGITAL_SIGNATURE;
|
||||
}
|
||||
return usage;
|
||||
@@ -373,31 +373,31 @@ pk11_getSecretKeyFlags(PK11SlotInfo *slo
|
||||
{
|
||||
CK_FLAGS flags = 0;
|
||||
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP, PR_FALSE)) {
|
||||
flags |= CKF_UNWRAP;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_WRAP)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_WRAP, PR_FALSE)) {
|
||||
flags |= CKF_WRAP;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT, PR_FALSE)) {
|
||||
flags |= CKF_ENCRYPT;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT, PR_FALSE)) {
|
||||
flags |= CKF_DECRYPT;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) {
|
||||
flags |= CKF_DERIVE;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_SIGN)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE)) {
|
||||
flags |= CKF_SIGN;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE)) {
|
||||
flags |= CKF_SIGN_RECOVER;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_VERIFY)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_VERIFY, PR_FALSE)) {
|
||||
flags |= CKF_VERIFY;
|
||||
}
|
||||
- if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER)) {
|
||||
+ if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER, PR_FALSE)) {
|
||||
flags |= CKF_VERIFY_RECOVER;
|
||||
}
|
||||
return flags;
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11obj.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11obj.c,v
|
||||
retrieving revision 1.27
|
||||
diff -u -p -r1.27 pk11obj.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11obj.c 29 Jun 2012 17:46:25 -0000 1.27
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11obj.c 2 Nov 2012 18:09:54 -0000
|
||||
@@ -146,7 +146,7 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl
|
||||
*/
|
||||
CK_BBOOL
|
||||
PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id,
|
||||
- CK_ATTRIBUTE_TYPE type )
|
||||
+ CK_ATTRIBUTE_TYPE type, PRBool haslock )
|
||||
{
|
||||
CK_BBOOL ckvalue = CK_FALSE;
|
||||
CK_ATTRIBUTE theTemplate;
|
||||
@@ -156,10 +156,10 @@ PK11_HasAttributeSet( PK11SlotInfo *slot
|
||||
PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) );
|
||||
|
||||
/* Retrieve attribute value. */
|
||||
- PK11_EnterSlotMonitor(slot);
|
||||
+ if (!haslock) PK11_EnterSlotMonitor(slot);
|
||||
crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id,
|
||||
&theTemplate, 1 );
|
||||
- PK11_ExitSlotMonitor(slot);
|
||||
+ if (!haslock) PK11_ExitSlotMonitor(slot);
|
||||
if( crv != CKR_OK ) {
|
||||
PORT_SetError( PK11_MapError( crv ) );
|
||||
return CK_FALSE;
|
||||
@@ -254,7 +254,7 @@ PK11_GetAttributes(PRArenaPool *arena,PK
|
||||
PRBool
|
||||
PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle)
|
||||
{
|
||||
- return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN);
|
||||
+ return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE);
|
||||
}
|
||||
|
||||
char *
|
||||
@@ -735,6 +735,7 @@ PK11_Sign(SECKEYPrivateKey *key, SECItem
|
||||
CK_MECHANISM mech = {0, NULL, 0 };
|
||||
PRBool owner = PR_TRUE;
|
||||
CK_SESSION_HANDLE session;
|
||||
+ PRBool haslock = PR_FALSE;
|
||||
CK_ULONG len;
|
||||
CK_RV crv;
|
||||
|
||||
@@ -745,24 +746,27 @@ PK11_Sign(SECKEYPrivateKey *key, SECItem
|
||||
}
|
||||
|
||||
session = pk11_GetNewSession(slot,&owner);
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
|
||||
+ haslock = (!owner || !(slot->isThreadSafe));
|
||||
+ if (haslock) PK11_EnterSlotMonitor(slot);
|
||||
crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID);
|
||||
if (crv != CKR_OK) {
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
|
||||
+ if (haslock) PK11_ExitSlotMonitor(slot);
|
||||
pk11_CloseSession(slot,session,owner);
|
||||
PORT_SetError( PK11_MapError(crv) );
|
||||
return SECFailure;
|
||||
}
|
||||
- /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then
|
||||
- * do C_Login with CKU_CONTEXT_SPECIFIC
|
||||
- * between C_SignInit and C_Sign */
|
||||
- if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
|
||||
- PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
|
||||
- }
|
||||
+
|
||||
+ /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then
|
||||
+ * do C_Login with CKU_CONTEXT_SPECIFIC
|
||||
+ * between C_SignInit and C_Sign */
|
||||
+ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
|
||||
+ PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
|
||||
+ }
|
||||
+
|
||||
len = sig->len;
|
||||
crv = PK11_GETTAB(slot)->C_Sign(session,hash->data,
|
||||
hash->len, sig->data, &len);
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
|
||||
+ if (haslock) PK11_ExitSlotMonitor(slot);
|
||||
pk11_CloseSession(slot,session,owner);
|
||||
sig->len = len;
|
||||
if (crv != CKR_OK) {
|
||||
@@ -788,6 +792,7 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *ke
|
||||
CK_ULONG out = maxLen;
|
||||
PRBool owner = PR_TRUE;
|
||||
CK_SESSION_HANDLE session;
|
||||
+ PRBool haslock = PR_FALSE;
|
||||
CK_RV crv;
|
||||
|
||||
if (key->keyType != rsaKey) {
|
||||
@@ -803,23 +808,26 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *ke
|
||||
PK11_HandlePasswordCheck(slot, key->wincx);
|
||||
}
|
||||
session = pk11_GetNewSession(slot,&owner);
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot);
|
||||
+ haslock = (!owner || !(slot->isThreadSafe));
|
||||
+ if (haslock) PK11_EnterSlotMonitor(slot);
|
||||
crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID);
|
||||
if (crv != CKR_OK) {
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
|
||||
+ if (haslock) PK11_ExitSlotMonitor(slot);
|
||||
pk11_CloseSession(slot,session,owner);
|
||||
PORT_SetError( PK11_MapError(crv) );
|
||||
return SECFailure;
|
||||
}
|
||||
- /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then
|
||||
- * do C_Login with CKU_CONTEXT_SPECIFIC
|
||||
- * between C_DecryptInit and C_Decrypt */
|
||||
- /* But see note above about servers */
|
||||
- if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) {
|
||||
- PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE);
|
||||
- }
|
||||
+
|
||||
+ /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then
|
||||
+ * do C_Login with CKU_CONTEXT_SPECIFIC
|
||||
+ * between C_DecryptInit and C_Decrypt
|
||||
+ * ... But see note above about servers */
|
||||
+ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) {
|
||||
+ PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE);
|
||||
+ }
|
||||
+
|
||||
crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out);
|
||||
- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot);
|
||||
+ if (haslock) PK11_ExitSlotMonitor(slot);
|
||||
pk11_CloseSession(slot,session,owner);
|
||||
*outLen = out;
|
||||
if (crv != CKR_OK) {
|
||||
Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v
|
||||
retrieving revision 1.18
|
||||
diff -u -p -r1.18 pk11priv.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 16 May 2012 12:34:20 -0000 1.18
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2 Nov 2012 18:09:55 -0000
|
||||
@@ -59,8 +59,9 @@ void PK11_CleanKeyList(PK11SlotInfo *slo
|
||||
/************************************************************
|
||||
* Slot Password Management
|
||||
************************************************************/
|
||||
-SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx,
|
||||
- PRBool contextSpecific);
|
||||
+SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session,
|
||||
+ PRBool loadCerts, void *wincx, PRBool alreadyLocked,
|
||||
+ PRBool contextSpecific);
|
||||
SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw);
|
||||
void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx);
|
||||
void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func);
|
||||
@@ -121,7 +122,8 @@ CK_OBJECT_HANDLE PK11_MatchItem(PK11Slot
|
||||
CK_OBJECT_CLASS o_class);
|
||||
CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot,
|
||||
CK_OBJECT_HANDLE id,
|
||||
- CK_ATTRIBUTE_TYPE type );
|
||||
+ CK_ATTRIBUTE_TYPE type,
|
||||
+ PRBool haslock );
|
||||
CK_RV PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot,
|
||||
CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count);
|
||||
int PK11_NumberCertsForCertSubject(CERTCertificate *cert);
|
39
no-softoken-freebl-tests.patch
Normal file
39
no-softoken-freebl-tests.patch
Normal file
@ -0,0 +1,39 @@
|
||||
diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile
|
||||
--- ./mozilla/security/nss/cmd/Makefile.nosoftokentests 2012-12-22 14:06:13.193304912 -0800
|
||||
+++ ./mozilla/security/nss/cmd/Makefile 2012-12-22 14:10:04.942248630 -0800
|
||||
@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS
|
||||
DIRS += libpkix
|
||||
endif
|
||||
|
||||
+# nss-softoken only tests
|
||||
+BLTEST_SRCDIR=
|
||||
+FIPSTEST_SRCDIR=
|
||||
+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
|
||||
+BLTEST_SRCDIR=bltest # Add the bltest directory to DIRS.
|
||||
+FIPSTEST_SRCDIR=fipstest # Add the fipstest directory to DIRS.
|
||||
+endif
|
||||
+
|
||||
LOWHASHTEST_SRCDIR=
|
||||
ifeq ($(FREEBL_LOWHASH),1)
|
||||
LOWHASHTEST_SRCDIR = lowhashtest # Add the lowhashtest directory to DIRS.
|
||||
diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn
|
||||
--- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests 2012-12-22 14:06:35.191293837 -0800
|
||||
+++ ./mozilla/security/nss/cmd/manifest.mn 2012-12-22 14:11:22.342263467 -0800
|
||||
@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm
|
||||
DIRS = lib \
|
||||
addbuiltin \
|
||||
atob \
|
||||
- bltest \
|
||||
+ $(BLTEST_SRCDIR) \
|
||||
btoa \
|
||||
certcgi \
|
||||
certutil \
|
||||
@@ -23,7 +23,7 @@ DIRS = lib \
|
||||
derdump \
|
||||
digest \
|
||||
httpserv \
|
||||
- fipstest \
|
||||
+ $(FIPSTEST_SRCDIR) \
|
||||
$(LOWHASHTEST_SRCDIR) \
|
||||
listsuites \
|
||||
makepqg \
|
@ -10,16 +10,3 @@ diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -2833,9 +2833,9 @@ ssl_SetDefaultsFromEnvironment(void)
|
||||
PR_TRUE));
|
||||
}
|
||||
ev = getenv("NSS_SSL_CBC_RANDOM_IV");
|
||||
- if (ev && ev[0] == '0') {
|
||||
- ssl_defaults.cbcRandomIV = PR_FALSE;
|
||||
- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
|
||||
+ if (ev && ev[0] == '1') {
|
||||
+ ssl_defaults.cbcRandomIV = PR_TRUE;
|
||||
+ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
|
||||
}
|
||||
}
|
||||
#endif /* NSS_HAVE_GETENV */
|
||||
|
61
nss.spec
61
nss.spec
@ -1,4 +1,4 @@
|
||||
%global nspr_version 4.9.2
|
||||
%global nspr_version 4.9.4
|
||||
%global nss_util_version 3.14
|
||||
%global nss_softokn_fips_version 3.12.9
|
||||
%global nss_softokn_version 3.14
|
||||
@ -6,8 +6,8 @@
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.14
|
||||
Release: 7%{?dist}
|
||||
Version: 3.14.1
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
@ -69,11 +69,11 @@ Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
|
||||
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=357025
|
||||
Patch41: Bug-872124-fix-pk11wrap-locking.patch
|
||||
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890
|
||||
Patch42: 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
|
||||
|
||||
Patch43: no-softoken-freebl-tests.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
support cross-platform development of security-enabled client and
|
||||
@ -150,14 +150,14 @@ low level services.
|
||||
%patch6 -p0 -b .libpem
|
||||
%patch16 -p0 -b .539183
|
||||
%patch18 -p0 -b .646045
|
||||
# link pem against buildroot's freebl, esential wen mixing and matching
|
||||
# link pem against buildroot's freebl, essential when mixing and matching
|
||||
%patch25 -p0 -b .systemfreebl
|
||||
# activate for stable and beta branches
|
||||
%patch29 -p0 -b .770682
|
||||
%patch39 -p1 -b .nobypass
|
||||
%patch40 -p1 -b .noocsptest
|
||||
%patch41 -p0 -b .872124
|
||||
%patch42 -p0 -b .870864
|
||||
%patch43 -p0 -b .nosoftokentests
|
||||
|
||||
%build
|
||||
|
||||
@ -282,6 +282,8 @@ chmod 755 ./mozilla/dist/pkgconfig/nss-config
|
||||
%{__cat} %{SOURCE9} > ./mozilla/dist/pkgconfig/setup-nsssysinit.sh
|
||||
chmod 755 ./mozilla/dist/pkgconfig/setup-nsssysinit.sh
|
||||
|
||||
%{__cp} ./mozilla/security/nss/lib/ckfw/nssck.api ./mozilla/dist/private/nss/
|
||||
|
||||
%check
|
||||
|
||||
# Begin -- copied from the build section
|
||||
@ -370,6 +372,7 @@ echo "test suite completed"
|
||||
# There is no make install target so we'll do it ourselves.
|
||||
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
|
||||
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
|
||||
@ -416,6 +419,12 @@ do
|
||||
%{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
||||
done
|
||||
|
||||
# Copy the template files we want
|
||||
for file in mozilla/dist/private/nss/nssck.api
|
||||
do
|
||||
%{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
|
||||
done
|
||||
|
||||
# Copy the package configuration files
|
||||
%{__install} -p -m 644 ./mozilla/dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
|
||||
%{__install} -p -m 755 ./mozilla/dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
|
||||
@ -588,11 +597,27 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
%{_includedir}/nss3/nssckg.h
|
||||
%{_includedir}/nss3/nssckmdt.h
|
||||
%{_includedir}/nss3/nssckt.h
|
||||
%{_includedir}/nss3/templates/nssck.api
|
||||
%{_libdir}/libnssb.a
|
||||
%{_libdir}/libnssckfw.a
|
||||
|
||||
|
||||
%changelog
|
||||
* Sat Dec 22 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-2
|
||||
- Require nspr >= 4.9.4
|
||||
- Fix changelog invalid dates
|
||||
|
||||
* Mon Dec 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.14.1-1
|
||||
- Update to NSS_3_14_1_RTM
|
||||
|
||||
* Wed Dec 12 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-12
|
||||
- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
|
||||
- Install nssck.api in /usr/includes/nss3/templates
|
||||
|
||||
* Tue Nov 27 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-11
|
||||
- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
|
||||
- Install nssck.api in /usr/includes/nss3
|
||||
|
||||
* Mon Nov 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.14-7
|
||||
- Bug 870864 - Add support in NSS for Secure Boot
|
||||
|
||||
@ -789,7 +814,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-14
|
||||
- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
|
||||
|
||||
* Wed Feb 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-13
|
||||
* Thu Feb 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-13
|
||||
- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
|
||||
|
||||
* Fri Feb 18 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.9-12
|
||||
@ -854,7 +879,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
* Sun Oct 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-7
|
||||
- Tell rpm not to verify md5, size, and modtime of configurations file
|
||||
|
||||
* Wed Oct 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-6
|
||||
* Mon Oct 18 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-6
|
||||
- Fix certificates trust order (#643134)
|
||||
- Apply nss-sysinit-userdb-first.patch last
|
||||
|
||||
@ -908,7 +933,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
* Mon Aug 09 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-10
|
||||
- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
|
||||
|
||||
* Fri Jul 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-9
|
||||
* Sat Jul 31 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-9
|
||||
- Fix nsssysinit to return userdb ahead of systemdb (#603313)
|
||||
|
||||
* Tue Jun 08 2010 Dennis Gilmore <dennis@ausil.us> - 3.12.6-8
|
||||
@ -920,7 +945,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
* Sun Jun 06 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-6
|
||||
- Fix SIGSEGV within CreateObject (#596674)
|
||||
|
||||
* Sat Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
|
||||
* Mon Apr 12 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-5
|
||||
- Update pem source tar to pick up the following bug fixes:
|
||||
- PEM - Allow collect objects to search through all objects
|
||||
- PEM - Make CopyObject return a new shallow copy
|
||||
@ -1001,7 +1026,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
- Require nss-softoken of same architecture as nss (#527867)
|
||||
- Merge setup-nsssysinit.sh improvements from F-12 (#527051)
|
||||
|
||||
* Mon Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
|
||||
* Sat Oct 03 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-13
|
||||
- User no longer prompted for a password when listing keys an empty system db (#527048)
|
||||
- Fix setup-nsssysinit to handle more general formats (#527051)
|
||||
|
||||
@ -1075,13 +1100,13 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
- Fix nss-config not to include nssutil
|
||||
- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite
|
||||
|
||||
* Wed Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-21
|
||||
* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-21
|
||||
- disabling all tests while we investigate a buffer overflow bug
|
||||
|
||||
* Wed Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-20
|
||||
* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-20
|
||||
- disabling some tests while we investigate a buffer overflow bug - 519766
|
||||
|
||||
* Wed Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-19
|
||||
* Thu Aug 27 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.3.99.3-19
|
||||
- remove patches that are now in nss-softokn and
|
||||
- remove spurious exec-permissions for nss.pc per rpmlint
|
||||
- single requires line in nss.pc.in
|
||||
@ -1118,7 +1143,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
* Thu Aug 20 2009 Dennis Gilmore <dennis@ausil.us> - 3.12.3.99.3-9
|
||||
- dont install libnssutil3.so since its now in nss-util
|
||||
|
||||
* Sat Aug 06 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-7.1
|
||||
* Thu Aug 06 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-7.1
|
||||
- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild
|
||||
|
||||
* Sat Jul 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.12.3.99.3-7
|
||||
@ -1136,7 +1161,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
- fix numerous gcc warnings. (500815)
|
||||
- fix to support arbitrarily long password while loading a private key. (500180)
|
||||
- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191)
|
||||
* Fri Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
|
||||
* Mon Jun 08 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-4
|
||||
- add patch for bug 502133 upstream bug 496997
|
||||
* Fri Jun 05 2009 Kai Engert <kaie@redhat.com> - 3.12.3.99.3-3
|
||||
- rebuild with higher release number for upgrade sanity
|
||||
@ -1334,5 +1359,5 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
||||
- Adressed review comments by Wan-Teh Chang, Bob Relyea,
|
||||
Christopher Aillon.
|
||||
|
||||
* Tue Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
|
||||
* Sat Jul 9 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
|
||||
- Initial build
|
||||
|
4
sources
4
sources
@ -5,5 +5,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
||||
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
|
||||
bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert
|
||||
2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2
|
||||
2844d502638ac84097d5a9affa6d1c3a nss-3.14-stripped.tar.bz2
|
||||
1eda5a1b9b9ab00476203d0df303297c dummy-sources-for-testing
|
||||
0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing
|
||||
78b4c196af29ef5e7851447029f947c0 nss-3.14.1-stripped.tar.bz2
|
||||
|
Loading…
Reference in New Issue
Block a user