From 569d439b916be4a54f4cb507ecbcb780a6165ab6 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 7 Jan 2014 13:48:44 -0800 Subject: [PATCH] Update two patches due to upstream changes - Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken - Update iquote.patch on account of upstream changes - Resolves: Bug 1049229 - nss-3.15.4 is available --- ...ync-up-with-upstream-softokn-changes.patch | 681 ++++++++++++++++-- iquote.patch | 59 +- nss.spec | 2 + 3 files changed, 686 insertions(+), 56 deletions(-) diff --git a/0001-sync-up-with-upstream-softokn-changes.patch b/0001-sync-up-with-upstream-softokn-changes.patch index 36fbd9d..8733b49 100644 --- a/0001-sync-up-with-upstream-softokn-changes.patch +++ b/0001-sync-up-with-upstream-softokn-changes.patch @@ -1,40 +1,64 @@ -From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001 -From: Elio Maldonado -Date: Sat, 9 Feb 2013 17:11:00 -0500 -Subject: [PATCH] Sync up with upstream softokn changes - -- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux -- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 -- It now compiles with the NSS_3_14_3_BETA1 source ---- - mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++------------------- - 1 files changed, 82 insertions(+), 256 deletions(-) - -diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c -index 5ac4f39..3780d30 100644 ---- a/nss/lib/ckfw/pem/rsawrapr.c -+++ b/nss/lib/ckfw/pem/rsawrapr.c -@@ -46,6 +46,7 @@ - #include "sechash.h" - #include "base.h" +diff -up ./nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream ./nss/lib/ckfw/pem/rsawrapr.c +--- ./nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream 2013-12-26 14:21:08.000000000 -0800 ++++ ./nss/lib/ckfw/pem/rsawrapr.c 2014-01-07 13:26:43.350502692 -0800 +@@ -1,5 +1,10 @@ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ + /* +- * PKCS#1 encoding and decoding functions. ++ RSA PKCS#1 v2.1 (RFC 3447) encoding and decoding functions. ++ + * This file is believed to contain no code licensed from other parties. + * + * ***** BEGIN LICENSE BLOCK ***** +@@ -42,21 +47,38 @@ -+#include "lowkeyi.h" + #include "ckpem.h" + #include "blapi.h" ++#include "secitem.h" ++/*#include "blapii.h"*/ ++/* + #include "softoken.h" + #include "sechash.h" +-#include "base.h" +- ++#include "base.h"#include "lowkeyi.h" ++*/ #include "secerr.h" #define RSA_BLOCK_MIN_PAD_LEN 8 -@@ -54,9 +55,8 @@ + #define RSA_BLOCK_FIRST_OCTET 0x00 +-#define RSA_BLOCK_PRIVATE0_PAD_OCTET 0x00 #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 -#define OAEP_SALT_LEN 8 -#define OAEP_PAD_LEN 8 -#define OAEP_PAD_OCTET 0x00 ++/* ++ * RSA block types ++ * ++ * The actual values are important -- they are fixed, *not* arbitrary. ++ * The explicit value assignments are not needed (because C would give ++ * us those same values anyway) but are included as a reminder... ++ */ ++typedef enum { ++ RSA_BlockUnused = 0, /* unused */ ++ RSA_BlockPrivate = 1, /* pad for a private-key operation */ ++ RSA_BlockPublic = 2, /* pad for a public-key operation */ ++ RSA_BlockRaw = 4, /* simply justify the block appropriately */ ++ RSA_BlockTotal ++} RSA_BlockType; ++ ++ +/* Needed for RSA-PSS functions */ +static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ -@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) +@@ -78,141 +100,62 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey return 0; } @@ -69,7 +93,7 @@ index 5ac4f39..3780d30 100644 + * Note: For ranges of bytes, use constantTimeCompare. + */ +static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { -+ unsigned char c = ~(a - b | b - a); ++ unsigned char c = ~((a - b) | (b - a)); + c >>= 7; + return c; } @@ -182,13 +206,30 @@ index 5ac4f39..3780d30 100644 - while (psalt < saltend) { - *psalt++ ^= *psha1++; - } -- -- return SECSuccess; + return (~(c - 1) & a) | ((c - 1) & b); ++} + +- return SECSuccess; ++static unsigned int ++rsa_modulusLen(SECItem * modulus) ++{ ++ unsigned char byteZero = modulus->data[0]; ++ unsigned int modLen = modulus->len - !byteZero; ++ return modLen; } /* -@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, + * Format one block of data for public/private key encryption using + * the rules defined in PKCS #1. + */ +-static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, +- RSA_BlockType blockType, +- SECItem * data) ++static unsigned char * ++rsa_FormatOneBlock(unsigned modulusLen, ++ RSA_BlockType blockType, ++ SECItem * data) + { unsigned char *block; unsigned char *bp; int padLen; @@ -197,10 +238,49 @@ index 5ac4f39..3780d30 100644 SECStatus rv; block = (unsigned char *) nss_ZAlloc(NULL, modulusLen); -@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - */ - case RSA_BlockPublic: +@@ -223,18 +166,17 @@ static unsigned char *rsa_FormatOneBlock + /* + * All RSA blocks start with two octets: +- * 0x00 || BlockType ++ * 0x00 || BlockType + */ + *bp++ = RSA_BLOCK_FIRST_OCTET; + *bp++ = (unsigned char) blockType; + + switch (blockType) { + +- /* +- * Blocks intended for private-key operation. +- */ +- case RSA_BlockPrivate0: /* essentially unused */ +- case RSA_BlockPrivate: /* preferred method */ ++ /* ++ * Blocks intended for private-key operation. ++ */ ++ case RSA_BlockPrivate: /* preferred method */ + /* + * 0x00 || BT || Pad || 0x00 || ActualData + * 1 1 padLen 1 data->len +@@ -246,138 +188,69 @@ static unsigned char *rsa_FormatOneBlock + nss_ZFreeIf(block); + return NULL; + } +- nsslibc_memset(bp, +- blockType == RSA_BlockPrivate0 +- ? RSA_BLOCK_PRIVATE0_PAD_OCTET +- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); ++ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); + bp += padLen; + *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; + nsslibc_memcpy(bp, data->data, data->len); + break; + +- /* +- * Blocks intended for public-key operation. +- */ +- case RSA_BlockPublic: +- - /* - * 0x00 || BT || Pad || 0x00 || ActualData - * 1 1 padLen 1 data->len @@ -319,6 +399,11 @@ index 5ac4f39..3780d30 100644 - } - - break; ++ /* ++ * Blocks intended for public-key operation. ++ */ ++ case RSA_BlockPublic: ++ + /* + * 0x00 || BT || Pad || 0x00 || ActualData + * 1 1 padLen 1 data->len @@ -374,20 +459,44 @@ index 5ac4f39..3780d30 100644 default: PORT_Assert(0); -@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, +@@ -389,54 +262,21 @@ static unsigned char *rsa_FormatOneBlock + } - break; - -- case RSA_BlockOAEP: -- /* -- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) -- * -- * The "2" below is the first octet + the second octet. -- * (The other fields do not contain the clear values, but are -- * the same length as the clear values.) -- */ -- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN -- + OAEP_PAD_LEN))); + static SECStatus +-rsa_FormatBlock(SECItem * result, unsigned modulusLen, +- RSA_BlockType blockType, SECItem * data) ++rsa_FormatBlock(SECItem * result, ++ unsigned modulusLen, ++ RSA_BlockType blockType, ++ SECItem * data) + { +- /* +- * XXX For now assume that the data length fits in a single +- * XXX encryption block; the ASSERTs below force this. +- * XXX To fix it, each case will have to loop over chunks whose +- * XXX lengths satisfy the assertions, until all data is handled. +- * XXX (Unless RSA has more to say about how to handle data +- * XXX which does not fit in a single encryption block?) +- * XXX And I do not know what the result is supposed to be, +- * XXX so the interface to this function may need to change +- * XXX to allow for returning multiple blocks, if they are +- * XXX not wanted simply concatenated one after the other. +- */ +- + switch (blockType) { +- case RSA_BlockPrivate0: +- case RSA_BlockPrivate: +- case RSA_BlockPublic: ++ case RSA_BlockPrivate: ++ case RSA_BlockPublic: + /* + * 0x00 || BT || Pad || 0x00 || ActualData + * + * The "3" below is the first octet + the second octet + the 0x00 + * octet that always comes just before the ActualData. + */ +- PORT_Assert(data->len <= +- (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); - - result->data = rsa_FormatOneBlock(modulusLen, blockType, data); - if (result->data == NULL) { @@ -398,9 +507,489 @@ index 5ac4f39..3780d30 100644 - - break; - - case RSA_BlockRaw: +- case RSA_BlockOAEP: +- /* +- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) +- * +- * The "2" below is the first octet + the second octet. +- * (The other fields do not contain the clear values, but are +- * the same length as the clear values.) +- */ +- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN +- + OAEP_PAD_LEN))); ++ PORT_Assert(data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); + + result->data = rsa_FormatOneBlock(modulusLen, blockType, data); + if (result->data == NULL) { +@@ -447,7 +287,7 @@ rsa_FormatBlock(SECItem * result, unsign + + break; + +- case RSA_BlockRaw: ++ case RSA_BlockRaw: /* * Pad || ActualData --- -1.7.1 - + * Pad is zeros. The application is responsible for recovering +@@ -476,36 +316,34 @@ rsa_FormatBlock(SECItem * result, unsign + SECStatus + pem_RSA_Sign(pemLOWKEYPrivateKey * key, + unsigned char *output, +- unsigned int *output_len, ++ unsigned int *outputLen, + unsigned int maxOutputLen, +- unsigned char *input, unsigned int input_len) ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv = SECSuccess; +- unsigned int modulus_len = pem_PrivateModulusLen(key); ++ unsigned int modulusLen = pem_PrivateModulusLen(key); + SECItem formatted; + SECItem unformatted; + +- if (maxOutputLen < modulus_len) ++ if (maxOutputLen < modulusLen) + return SECFailure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + return SECFailure; + +- unformatted.len = input_len; ++ unformatted.len = inputLen; + unformatted.data = input; + formatted.data = NULL; +- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPrivate, ++ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPrivate, + &unformatted); + if (rv != SECSuccess) + goto done; + + rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, + formatted.data); +- *output_len = modulus_len; ++ *outputLen = modulusLen; + +- goto done; +- +- done: ++done: + if (formatted.data != NULL) + nss_ZFreeIf(formatted.data); + return rv; +@@ -515,17 +353,17 @@ pem_RSA_Sign(pemLOWKEYPrivateKey * key, + /* XXX Doesn't set error code */ + SECStatus + RSA_CheckSign(NSSLOWKEYPublicKey * key, +- unsigned char *sign, +- unsigned int sign_len, ++ unsigned char *sig, ++ unsigned int sigLen, + unsigned char *hash, unsigned int hash_len) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + unsigned int i; + unsigned char *buffer; + +- modulus_len = pem_PublicModulusLen(key); +- if (sign_len != modulus_len) ++ modulusLen = pem_PublicModulusLen(key); ++ if (sigLen != modulusLen) + goto failure; + /* + * 0x00 || BT || Pad || 0x00 || ActualData +@@ -533,17 +371,17 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, + * The "3" below is the first octet + the second octet + the 0x00 + * octet that always comes just before the ActualData. + */ +- if (hash_len > modulus_len - (3 + RSA_BLOCK_MIN_PAD_LEN)) ++ if (hash_len > modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); ++ buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); + if (!buffer) + goto failure; + +- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); ++ rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); + if (rv != SECSuccess) + goto loser; + +@@ -552,7 +390,7 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, + */ + if (buffer[0] != 0 || buffer[1] != 1) + goto loser; +- for (i = 2; i < modulus_len - hash_len - 1; i++) { ++ for (i = 2; i < modulusLen - hash_len - 1; i++) { + if (buffer[i] != 0xff) + goto loser; + } +@@ -562,7 +400,7 @@ RSA_CheckSign(NSSLOWKEYPublicKey * key, + /* + * make sure we get the same results + */ +- if (memcmp(buffer + modulus_len - hash_len, hash, hash_len) != 0) ++ if (memcmp(buffer + modulusLen - hash_len, hash, hash_len) != 0) + goto loser; + + nss_ZFreeIf(buffer); +@@ -579,25 +417,25 @@ SECStatus + RSA_CheckSignRecover(NSSLOWKEYPublicKey * key, + unsigned char *data, + unsigned int *data_len, +- unsigned int max_output_len, +- unsigned char *sign, unsigned int sign_len) ++ unsigned int maxOutputLen, ++ unsigned char *sig, unsigned int sigLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + unsigned int i; + unsigned char *buffer; + +- if (sign_len != modulus_len) ++ if (sigLen != modulusLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); ++ buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); + if (!buffer) + goto failure; + +- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); ++ rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); + if (rv != SECSuccess) + goto loser; + *data_len = 0; +@@ -607,9 +445,9 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey + */ + if (buffer[0] != 0 || buffer[1] != 1) + goto loser; +- for (i = 2; i < modulus_len; i++) { ++ for (i = 2; i < modulusLen; i++) { + if (buffer[i] == 0) { +- *data_len = modulus_len - i - 1; ++ *data_len = modulusLen - i - 1; + break; + } + if (buffer[i] != 0xff) +@@ -617,13 +455,13 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey + } + if (*data_len == 0) + goto loser; +- if (*data_len > max_output_len) ++ if (*data_len > maxOutputLen) + goto loser; + + /* + * make sure we get the same results + */ +- nsslibc_memcpy(data, buffer + modulus_len - *data_len, *data_len); ++ nsslibc_memcpy(data, buffer + modulusLen - *data_len, *data_len); + + nss_ZFreeIf(buffer); + return SECSuccess; +@@ -638,26 +476,26 @@ RSA_CheckSignRecover(NSSLOWKEYPublicKey + SECStatus + RSA_EncryptBlock(NSSLOWKEYPublicKey * key, + unsigned char *output, +- unsigned int *output_len, +- unsigned int max_output_len, +- unsigned char *input, unsigned int input_len) ++ unsigned int *outputLen, ++ unsigned int maxOutputLen, ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + SECItem formatted; + SECItem unformatted; + + formatted.data = NULL; +- if (max_output_len < modulus_len) ++ if (maxOutputLen < modulusLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- unformatted.len = input_len; ++ unformatted.len = inputLen; + unformatted.data = input; + formatted.data = NULL; +- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockPublic, ++ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockPublic, + &unformatted); + if (rv != SECSuccess) + goto failure; +@@ -667,7 +505,7 @@ RSA_EncryptBlock(NSSLOWKEYPublicKey * ke + goto failure; + + nss_ZFreeIf(formatted.data); +- *output_len = modulus_len; ++ *outputLen = modulusLen; + return SECSuccess; + + failure: +@@ -681,22 +519,22 @@ RSA_EncryptBlock(NSSLOWKEYPublicKey * ke + SECStatus + pem_RSA_DecryptBlock(pemLOWKEYPrivateKey * key, + unsigned char *output, +- unsigned int *output_len, +- unsigned int max_output_len, +- unsigned char *input, unsigned int input_len) ++ unsigned int *outputLen, ++ unsigned int maxOutputLen, ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PrivateModulusLen(key); ++ unsigned int modulusLen = pem_PrivateModulusLen(key); + unsigned int i; + unsigned char *buffer; + + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; +- if (input_len != modulus_len) ++ if (inputLen != modulusLen) + goto failure; + +- buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); ++ buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); + if (!buffer) + goto failure; + +@@ -707,19 +545,19 @@ pem_RSA_DecryptBlock(pemLOWKEYPrivateKey + + if (buffer[0] != 0 || buffer[1] != 2) + goto loser; +- *output_len = 0; +- for (i = 2; i < modulus_len; i++) { ++ *outputLen = 0; ++ for (i = 2; i < modulusLen; i++) { + if (buffer[i] == 0) { +- *output_len = modulus_len - i - 1; ++ *outputLen = modulusLen - i - 1; + break; + } + } +- if (*output_len == 0) ++ if (*outputLen == 0) + goto loser; +- if (*output_len > max_output_len) ++ if (*outputLen > maxOutputLen) + goto loser; + +- nsslibc_memcpy(output, buffer + modulus_len - *output_len, *output_len); ++ nsslibc_memcpy(output, buffer + modulusLen - *outputLen, *outputLen); + + nss_ZFreeIf(buffer); + return SECSuccess; +@@ -739,32 +577,32 @@ pem_RSA_DecryptBlock(pemLOWKEYPrivateKey + SECStatus + pem_RSA_SignRaw(pemLOWKEYPrivateKey * key, + unsigned char *output, +- unsigned int *output_len, ++ unsigned int *outputLen, + unsigned int maxOutputLen, +- unsigned char *input, unsigned int input_len) ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv = SECSuccess; +- unsigned int modulus_len = pem_PrivateModulusLen(key); ++ unsigned int modulusLen = pem_PrivateModulusLen(key); + SECItem formatted; + SECItem unformatted; + +- if (maxOutputLen < modulus_len) ++ if (maxOutputLen < modulusLen) + return SECFailure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + return SECFailure; + +- unformatted.len = input_len; ++ unformatted.len = inputLen; + unformatted.data = input; + formatted.data = NULL; +- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, ++ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, + &unformatted); + if (rv != SECSuccess) + goto done; + + rv = RSA_PrivateKeyOpDoubleChecked(&key->u.rsa, output, + formatted.data); +- *output_len = modulus_len; ++ *outputLen = modulusLen; + + done: + if (formatted.data != NULL) +@@ -775,27 +613,27 @@ pem_RSA_SignRaw(pemLOWKEYPrivateKey * ke + /* XXX Doesn't set error code */ + SECStatus + RSA_CheckSignRaw(NSSLOWKEYPublicKey * key, +- unsigned char *sign, +- unsigned int sign_len, ++ unsigned char *sig, ++ unsigned int sigLen, + unsigned char *hash, unsigned int hash_len) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + unsigned char *buffer; + +- if (sign_len != modulus_len) ++ if (sigLen != modulusLen) + goto failure; +- if (hash_len > modulus_len) ++ if (hash_len > modulusLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- buffer = (unsigned char *) nss_ZAlloc(NULL, modulus_len + 1); ++ buffer = (unsigned char *) nss_ZAlloc(NULL, modulusLen + 1); + if (!buffer) + goto failure; + +- rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sign); ++ rv = RSA_PublicKeyOp(&key->u.rsa, buffer, sig); + if (rv != SECSuccess) + goto loser; + +@@ -803,7 +641,7 @@ RSA_CheckSignRaw(NSSLOWKEYPublicKey * ke + * make sure we get the same results + */ + /* NOTE: should we verify the leading zeros? */ +- if (memcmp(buffer + (modulus_len - hash_len), hash, hash_len) != ++ if (memcmp(buffer + (modulusLen - hash_len), hash, hash_len) != + 0) + goto loser; + +@@ -821,25 +659,25 @@ SECStatus + RSA_CheckSignRecoverRaw(NSSLOWKEYPublicKey * key, + unsigned char *data, + unsigned int *data_len, +- unsigned int max_output_len, +- unsigned char *sign, unsigned int sign_len) ++ unsigned int maxOutputLen, ++ unsigned char *sig, unsigned int sigLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + +- if (sign_len != modulus_len) ++ if (sigLen != modulusLen) + goto failure; +- if (max_output_len < modulus_len) ++ if (maxOutputLen < modulusLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- rv = RSA_PublicKeyOp(&key->u.rsa, data, sign); ++ rv = RSA_PublicKeyOp(&key->u.rsa, data, sig); + if (rv != SECSuccess) + goto failure; + +- *data_len = modulus_len; ++ *data_len = modulusLen; + return SECSuccess; + + failure: +@@ -851,26 +689,26 @@ RSA_CheckSignRecoverRaw(NSSLOWKEYPublicK + SECStatus + RSA_EncryptRaw(NSSLOWKEYPublicKey * key, + unsigned char *output, +- unsigned int *output_len, +- unsigned int max_output_len, +- unsigned char *input, unsigned int input_len) ++ unsigned int *outputLen, ++ unsigned int maxOutputLen, ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PublicModulusLen(key); ++ unsigned int modulusLen = pem_PublicModulusLen(key); + SECItem formatted; + SECItem unformatted; + + formatted.data = NULL; +- if (max_output_len < modulus_len) ++ if (maxOutputLen < modulusLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; + +- unformatted.len = input_len; ++ unformatted.len = inputLen; + unformatted.data = input; + formatted.data = NULL; +- rv = rsa_FormatBlock(&formatted, modulus_len, RSA_BlockRaw, ++ rv = rsa_FormatBlock(&formatted, modulusLen, RSA_BlockRaw, + &unformatted); + if (rv != SECSuccess) + goto failure; +@@ -880,7 +718,7 @@ RSA_EncryptRaw(NSSLOWKEYPublicKey * key, + goto failure; + + nss_ZFreeIf(formatted.data); +- *output_len = modulus_len; ++ *outputLen = modulusLen; + return SECSuccess; + + failure: +@@ -893,21 +731,21 @@ RSA_EncryptRaw(NSSLOWKEYPublicKey * key, + SECStatus + pem_RSA_DecryptRaw(pemLOWKEYPrivateKey * key, + unsigned char *output, +- unsigned int *output_len, +- unsigned int max_output_len, +- unsigned char *input, unsigned int input_len) ++ unsigned int *outputLen, ++ unsigned int maxOutputLen, ++ unsigned char *input, unsigned int inputLen) + { + SECStatus rv; +- unsigned int modulus_len = pem_PrivateModulusLen(key); ++ unsigned int modulusLen = pem_PrivateModulusLen(key); + +- if (modulus_len <= 0) ++ if (modulusLen <= 0) + goto failure; +- if (modulus_len > max_output_len) ++ if (modulusLen > maxOutputLen) + goto failure; + PORT_Assert(key->keyType == pemLOWKEYRSAKey); + if (key->keyType != pemLOWKEYRSAKey) + goto failure; +- if (input_len != modulus_len) ++ if (inputLen != modulusLen) + goto failure; + + rv = RSA_PrivateKeyOp(&key->u.rsa, output, input); +@@ -915,7 +753,7 @@ pem_RSA_DecryptRaw(pemLOWKEYPrivateKey * + goto failure; + } + +- *output_len = modulus_len; ++ *outputLen = modulusLen; + return SECSuccess; + + failure: diff --git a/iquote.patch b/iquote.patch index 3df4927..40fe5e0 100644 --- a/iquote.patch +++ b/iquote.patch @@ -1,6 +1,6 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ---- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700 -+++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700 +--- nss/cmd/bltest/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/cmd/bltest/Makefile 2014-01-07 13:30:04.465429623 -0800 @@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -9,9 +9,22 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ####################################################################### +diff -up nss/cmd/httpserv/Makefile.iquote nss/cmd/httpserv/Makefile +--- nss/cmd/httpserv/Makefile.iquote 2014-01-07 13:34:00.859358160 -0800 ++++ nss/cmd/httpserv/Makefile 2014-01-07 13:35:06.100212103 -0800 +@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ---- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700 -+++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700 +--- nss/cmd/lib/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/cmd/lib/Makefile 2014-01-07 13:30:04.465429623 -0800 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -23,8 +36,8 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk ---- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700 -+++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700 +--- nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/coreconf/location.mk 2014-01-07 13:30:04.465429623 -0800 @@ -45,6 +45,10 @@ endif ifdef NSS_INCLUDE_DIR @@ -37,8 +50,8 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk ifndef NSS_LIB_DIR diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ---- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700 -+++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700 +--- nss/lib/certhigh/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/lib/certhigh/Makefile 2014-01-07 13:30:04.466429634 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -49,8 +62,8 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ---- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700 -+++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700 +--- nss/lib/cryptohi/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/lib/cryptohi/Makefile 2014-01-07 13:30:04.466429634 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -60,3 +73,29 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/lib/libpkix/pkix/checker/Makefile.iquote nss/lib/libpkix/pkix/checker/Makefile +--- nss/lib/libpkix/pkix/checker/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/lib/libpkix/pkix/checker/Makefile 2014-01-07 13:30:04.466429634 -0800 +@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile +--- nss/lib/nss/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800 ++++ nss/lib/nss/Makefile 2014-01-07 13:30:04.466429634 -0800 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff --git a/nss.spec b/nss.spec index 74606cb..cb1057b 100644 --- a/nss.spec +++ b/nss.spec @@ -739,6 +739,8 @@ fi - Resolves: Bug 1049229 - nss-3.15.4 is available - Update pem sources to latest from the interim upstream for pem - Remove no longer needed patches +- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken +- Update iquote.patch on account of upstream changes * Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1 - Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)