From d613d7be536eb67e1874f50140556e8db0537b59 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 31 May 2016 10:09:08 -0700 Subject: [PATCH 1/5] Update nss_tests with some of the new gtests from upstream --- nss.spec | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nss.spec b/nss.spec index fb4d010..22906d5 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.24.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.0%{?dist} +Release: 1.1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -446,7 +446,7 @@ pushd ./nss/tests/ # don't need to run all the tests when testing packaging # nss_cycles: standard pkix upgradedb sharedb -%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains" +%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains pk11_gtests der_gtests" # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr # nss_ssl_run: cov auth stress # @@ -793,6 +793,9 @@ fi %changelog +* Tue May 31 2016 Elio Maldonado - 3.24.0-1.1 +- Update nss_tests with some of the new gtests from upstream + * Fri May 28 2016 Elio Maldonado - 3.24.0-1.0 - Rebase to NSS 3.24.0 From 98bf48efa87d1fab4be88ef2b2db42468ebb4456 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Thu, 2 Jun 2016 14:02:11 -0700 Subject: [PATCH 2/5] Allow application requests to disable SSL v2 to succeed - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails - Update existing patch to apply it a cleaner way --- mozbz1277569backport.patch | 102 +++++++++++++++++++++++++++++++++++++ nss-skip-util-gtest.patch | 6 +-- nss.spec | 10 +++- 3 files changed, 113 insertions(+), 5 deletions(-) create mode 100644 mozbz1277569backport.patch 
diff --git a/mozbz1277569backport.patch b/mozbz1277569backport.patch
new file mode 100644
index 0000000..8a38ac9
--- /dev/null
+++ b/mozbz1277569backport.patch
@@ -0,0 +1,102 @@
+--- ./lib/ssl/sslsock.c.compatibility 2016-06-02 10:59:07.188831825 -0700
++++ ./lib/ssl/sslsock.c 2016-06-02 10:59:07.205831404 -0700
+@@ -675,16 +675,28 @@
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure; /* not allowed */
+ }
+ break;
+ }
+ ssl_EnableSSL3(&ss->vrange, on);
+ break;
+
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ /* We no longer support SSL v2.
++ * However, if an old application requests to disable SSL v2,
++ * we shouldn't fail.
++ */
++ if (on) {
++ PORT_SetError(SEC_ERROR_INVALID_ARGS);
++ rv = SECFailure;
++ }
++ break;
++
+ case SSL_NO_CACHE:
+ ss->opt.noCache = on;
+ break;
+
+ case SSL_ENABLE_FDX:
+ if (on && ss->opt.noLocks) {
+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
+ rv = SECFailure;
+@@ -856,16 +868,20 @@
+ on = ss->opt.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = ss->vrange.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = ss->vrange.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ss->opt.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ss->opt.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ss->opt.detectRollBack;
+@@ -967,16 +983,20 @@
+ on = ssl_defaults.handshakeAsServer;
+ break;
+ case SSL_ENABLE_TLS:
+ on = versions_defaults_stream.max >= SSL_LIBRARY_VERSION_TLS_1_0;
+ break;
+ case SSL_ENABLE_SSL3:
+ on = versions_defaults_stream.min == SSL_LIBRARY_VERSION_3_0;
+ break;
++ case SSL_ENABLE_SSL2:
++ case SSL_V2_COMPATIBLE_HELLO:
++ on = PR_FALSE;
++ break;
+ case SSL_NO_CACHE:
+ on = ssl_defaults.noCache;
+ break;
+ case SSL_ENABLE_FDX:
+ on = ssl_defaults.fdx;
+ break;
+ case SSL_ROLLBACK_DETECTION:
+ on = ssl_defaults.detectRollBack;
+@@ -1100,16 +1120,28 @@
+ case SSL_ENABLE_TLS:
+ ssl_EnableTLS(&versions_defaults_stream, on);
+ break;
+
+ case SSL_ENABLE_SSL3:
+ ssl_EnableSSL3(&versions_defaults_stream, on);
+ break;
+
++ case
SSL_ENABLE_SSL2: ++ case SSL_V2_COMPATIBLE_HELLO: ++ /* We no longer support SSL v2. ++ * However, if an old application requests to disable SSL v2, ++ * we shouldn't fail. ++ */ ++ if (on) { ++ PORT_SetError(SEC_ERROR_INVALID_ARGS); ++ return SECFailure; ++ } ++ break; ++ + case SSL_NO_CACHE: + ssl_defaults.noCache = on; + break; + + case SSL_ENABLE_FDX: + if (on && ssl_defaults.noLocks) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch index 80a785e..cb36160 100644 --- a/nss-skip-util-gtest.patch +++ b/nss-skip-util-gtest.patch @@ -1,6 +1,6 @@ -diff -up ./nss/external_tests/manifest.mn.skip_util_gtest ./nss/external_tests/manifest.mn ---- ./nss/external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 -+++ ./nss/external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 +diff -up ./external_tests/manifest.mn.skip_util_gtest ./external_tests/manifest.mn +--- ./external_tests/manifest.mn.skip_util_gtest 2016-05-21 21:34:56.156346633 -0700 ++++ ./external_tests/manifest.mn 2016-05-21 21:35:23.408854282 -0700 @@ -8,7 +8,6 @@ DEPTH = .. DIRS = \ google_test \ diff --git a/nss.spec b/nss.spec index 22906d5..06cc5b2 100644 --- a/nss.spec +++ b/nss.spec @@ -96,7 +96,8 @@ Patch55: skip_stress_TLS_RC4_128_with_MD5.patch Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Patch60: nss-pem-unitialized-vars.path Patch61: nss-skip-util-gtest.patch - +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569 +Patch62: mozbz1277569backport.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -183,8 +184,9 @@ low level services. %patch58 -p0 -b .1185708_3des pushd nss %patch60 -p1 -b .unitialized_vars -popd %patch61 -p0 -b .skip_util_gtest +%patch62 -p1 -b .compatibility +popd ######################################################### # Higher-level libraries and test tools need access to 
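Review bot: The new patch file carries no provenance of its own: its header lines `+--- ./lib/ssl/sslsock.c.compatibility …` / `++++ ./lib/ssl/sslsock.c …` record only a local backup suffix and timestamps, so the upstream origin is recoverable only from the `# Upstream:` comment this commit adds to nss.spec. Add a one-line preamble above the `---` line, e.g. `Backport of upstream mozilla bug 1277569: requests to turn SSL_ENABLE_SSL2 / SSL_V2_COMPATIBLE_HELLO off succeed, requests to turn them on fail with SEC_ERROR_INVALID_ARGS`, and a `diff -up ./lib/ssl/sslsock.c.compatibility ./lib/ssl/sslsock.c` line to match the format nss-skip-util-gtest.patch already uses, so the patch can be audited and retired at the next rebase. The four nested hunks themselves follow their neighbours' conventions (`rv = SECFailure` in the first, `return SECFailure` in the last, `on = PR_FALSE` in the two that read options back), so the behaviour looks right. The enclosing switch statements start and end outside every nested hunk, so the default branches they fall through to are not visible here.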
@@ -793,6 +795,10 @@ fi %changelog +* Thu Jun 02 2016 Elio Maldonado - 3.24.0-1.2 +- Allow application requests to disable SSL v2 to succeed +- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails + * Tue May 31 2016 Elio Maldonado - 3.24.0-1.1 - Update nss_tests with some of the new gtests from upstream From cd48e5fca6fa3187bfd58779e5992a7f9824b8d4 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Thu, 2 Jun 2016 15:05:58 -0700 Subject: [PATCH 3/5] Fix the release tag --- nss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index 06cc5b2..2a0f8ce 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.24.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.1%{?dist} +Release: 1.2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries From ad02ded6f4548b0d71e5312b96d1aa5c76e529f4 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Thu, 9 Jun 2016 15:24:19 -0700 Subject: [PATCH 4/5] Restore optimized build support for logging SSL/TLS key material to logfile - Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support - Fix a bogus date --- nss-allow-keylogfile-in-opt-builds.patch | 26 ++++++++++++++++++++++++ nss.spec | 11 ++++++++-- 2 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 nss-allow-keylogfile-in-opt-builds.patch diff --git a/nss-allow-keylogfile-in-opt-builds.patch b/nss-allow-keylogfile-in-opt-builds.patch new file mode 100644 index 0000000..aad8448 --- /dev/null +++ b/nss-allow-keylogfile-in-opt-builds.patch 
@@ -0,0 +1,26 @@ +--- ./lib/ssl/Makefile.allow_keylogfile 2016-06-08 21:54:29.504328764 -0700 ++++ ./lib/ssl/Makefile 2016-06-08 22:03:57.061313047 -0700 +@@ -34,19 +34,20 @@ + else + ifeq ($(OS_TARGET),OS2) + CSRCS += os2_err.c + else + CSRCS += unix_err.c + endif + endif + +-# Enable key logging by default in debug builds, but not opt builds. +-# Logging still needs to be enabled at runtime through env vars. +-NSS_ALLOW_SSLKEYLOGFILE ?= $(if $(BUILD_OPT),0,1) ++# For Fedora stable branch compatibility, i.e f23 and f22 ++# Enable key logging by default in debug builds and opt builds. ++# Logging doesn't need to be enabled at runtime through env vars. ++NSS_ALLOW_SSLKEYLOGFILE = 1 + ifeq (1,$(NSS_ALLOW_SSLKEYLOGFILE)) + DEFINES += -DNSS_ALLOW_SSLKEYLOGFILE=1 + endif + + ####################################################################### + # (5) Execute "global" rules. (OPTIONAL) # + ####################################################################### + diff --git a/nss.spec b/nss.spec index 2a0f8ce..30ce560 100644 --- a/nss.spec +++ b/nss.spec @@ -21,7 +21,7 @@ Name: nss Version: 3.24.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.2%{?dist} +Release: 1.3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -98,6 +98,8 @@ Patch60: nss-pem-unitialized-vars.path Patch61: nss-skip-util-gtest.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1277569 Patch62: mozbz1277569backport.patch +# Local: for stable branch compatibility +Patch63: nss-allow-keylogfile-in-opt-builds.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -186,6 +188,7 @@ pushd nss %patch60 -p1 -b .unitialized_vars %patch61 -p0 -b .skip_util_gtest %patch62 -p1 -b .compatibility +%patch63 -p1 -b .allow_keylogfile popd ######################################################### 
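Review bot: The replacement comment `+# Logging doesn't need to be enabled at runtime through env vars.` is not supported by the change: the hunk only forces `NSS_ALLOW_SSLKEYLOGFILE = 1`, which adds `-DNSS_ALLOW_SSLKEYLOGFILE=1` to DEFINES, and a Makefile-only change cannot alter the runtime gate the removed line described, so that sentence should stay, e.g. `# Logging still needs to be enabled at runtime through the SSLKEYLOGFILE env var.` Switching `?=` to `=` also drops the build-time override the upstream line had; `NSS_ALLOW_SSLKEYLOGFILE ?= 1` changes the default while still letting a packager or CI build turn the feature back off. Because this compiles session-key export into the optimized libssl3 that every consumer links, the `# Local: for stable branch compatibility` comment on Patch63 in nss.spec should state in one line that the capability is opt-in and environment-triggered, so a reader of the spec can assess the exposure without opening the patch.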
@@ -795,6 +798,10 @@ fi
 %changelog
+* Thu Jun 09 2016 Elio Maldonado - 3.24.0-1.1
+- Restore optimized build support for logging SSL/TLS key material to logfile
+- Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support
+
 * Thu Jun 02 2016 Elio Maldonado - 3.24.0-1.2
 - Allow application requests to disable SSL v2 to succeed
 - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
@@ -802,7 +809,7 @@ fi
 * Tue May 31 2016 Elio Maldonado - 3.24.0-1.1
 - Update nss_tests with some of the new gtests from upstream
-* Fri May 28 2016 Elio Maldonado - 3.24.0-1.0
+* Sat May 28 2016 Elio Maldonado - 3.24.0-1.0
 - Rebase to NSS 3.24.0
 * Thu Mar 10 2016 Elio Maldonado - 3.23.0-1.1
From bf75a70375a6e91c5b656566f333fe764c071398 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Thu, 9 Jun 2016 15:32:12 -0700
Subject: [PATCH 5/5] Fix the release in changelog
---
 nss.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nss.spec b/nss.spec
index 30ce560..8e6c2c3 100644
--- a/nss.spec
+++ b/nss.spec
@@ -798,7 +798,7 @@ fi
 %changelog
-* Thu Jun 09 2016 Elio Maldonado - 3.24.0-1.1
+* Thu Jun 09 2016 Elio Maldonado - 3.24.0-1.3
 - Restore optimized build support for logging SSL/TLS key material to logfile
 - Resolves: Bug - 1343289 - Update to nss 3.24 removes sslkeylogfile support