diff --git a/.gitignore b/.gitignore
index 1d6796a..a948d04 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,5 +5,5 @@ blank-cert9.db
 blank-key4.db
 PayPalEE.cert
 /nss-pem-20120811.tar.bz2
-/nss-3.14-stripped.tar.bz2
 /dummy-sources-for-testing
+/nss-3.14.1-stripped.tar.bz2
diff --git a/Bug-872124-fix-pk11wrap-locking.patch b/Bug-872124-fix-pk11wrap-locking.patch
deleted file mode 100644
index 7c7893b..0000000
--- a/Bug-872124-fix-pk11wrap-locking.patch
+++ /dev/null
@@ -1,393 +0,0 @@ -Index: ./mozilla/security/nss/lib/cryptohi/keythi.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/keythi.h,v -retrieving revision 1.17 -diff -u -p -r1.17 keythi.h ---- ./mozilla/security/nss/lib/cryptohi/keythi.h 16 May 2012 12:34:15 -0000 1.17 -+++ ./mozilla/security/nss/lib/cryptohi/keythi.h 2 Nov 2012 18:09:53 -0000 -@@ -214,7 +214,12 @@ typedef struct SECKEYPublicKeyStr SECKEY - #define SECKEY_HAS_ATTRIBUTE_SET(key,attribute) \ - (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \ - (0 != (key->staticflags & SECKEY_##attribute)) : \ -- PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute) -+ PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, PR_FALSE) -+ -+#define SECKEY_HAS_ATTRIBUTE_SET_LOCK(key,attribute, haslock) \ -+ (0 != (key->staticflags & SECKEY_Attributes_Cached)) ? \ -+ (0 != (key->staticflags & SECKEY_##attribute)) : \ -+ PK11_HasAttributeSet(key->pkcs11Slot,key->pkcs11ID,attribute, haslock) - - /* - ** A generic key structure -Index: ./mozilla/security/nss/lib/cryptohi/seckey.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/cryptohi/seckey.c,v -retrieving revision 1.68 -diff -u -p -r1.68 seckey.c ---- ./mozilla/security/nss/lib/cryptohi/seckey.c 25 Jun 2012 21:48:39 -0000 1.68 -+++ ./mozilla/security/nss/lib/cryptohi/seckey.c 2 Nov 2012 18:09:53 -0000 -@@ -1918,7 +1918,7 @@ loser: - } - - #define SECKEY_CacheAttribute(key, attribute) \ -- if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute)) { \ -+ if (CK_TRUE == PK11_HasAttributeSet(key->pkcs11Slot, key->pkcs11ID, attribute, PR_FALSE)) { \ - key->staticflags |= SECKEY_##attribute; \ - } else { \ - key->staticflags &= (~SECKEY_##attribute); \ -Index: ./mozilla/security/nss/lib/pk11wrap/pk11akey.c -=================================================================== -RCS file: 
/cvsroot/mozilla/security/nss/lib/pk11wrap/pk11akey.c,v -retrieving revision 1.36 -diff -u -p -r1.36 pk11akey.c ---- ./mozilla/security/nss/lib/pk11wrap/pk11akey.c 25 Apr 2012 14:50:04 -0000 1.36 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11akey.c 2 Nov 2012 18:09:54 -0000 -@@ -740,7 +740,7 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key - CK_KEY_TYPE pk11Type = CKK_RSA; - - pk11Type = PK11_ReadULongAttribute(slot,privID,CKA_KEY_TYPE); -- isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN); -+ isTemp = (PRBool)!PK11_HasAttributeSet(slot,privID,CKA_TOKEN,PR_FALSE); - switch (pk11Type) { - case CKK_RSA: keyType = rsaKey; break; - case CKK_DSA: keyType = dsaKey; break; -@@ -754,7 +754,7 @@ PK11_MakePrivKey(PK11SlotInfo *slot, Key - - /* if the key is private, make sure we are authenticated to the - * token before we try to use it */ -- isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE); -+ isPrivate = (PRBool)PK11_HasAttributeSet(slot,privID,CKA_PRIVATE,PR_FALSE); - if (isPrivate) { - rv = PK11_Authenticate(slot, PR_TRUE, wincx); - if (rv != SECSuccess) { -@@ -1432,7 +1432,7 @@ PK11_GenerateKeyPairWithOpFlags(PK11Slot - - /* set the ID to the public key so we can find it again */ - cka_id = pk11_MakeIDFromPublicKey(*pubKey); -- pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN); -+ pubIsToken = (PRBool)PK11_HasAttributeSet(slot,pubID, CKA_TOKEN,PR_FALSE); - - PK11_SETATTRS(&setTemplate, CKA_ID, cka_id->data, cka_id->len); - -Index: ./mozilla/security/nss/lib/pk11wrap/pk11auth.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11auth.c,v -retrieving revision 1.16 -diff -u -p -r1.16 pk11auth.c ---- ./mozilla/security/nss/lib/pk11wrap/pk11auth.c 16 May 2012 12:34:19 -0000 1.16 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11auth.c 2 Nov 2012 18:09:54 -0000 -@@ -45,8 +45,9 @@ static struct PK11GlobalStruct { - * Check the user's password. 
Log into the card if it's correct. - * succeed if the user is already logged in. - */ --SECStatus --pk11_CheckPassword(PK11SlotInfo *slot,char *pw,PRBool contextSpecific) -+static SECStatus -+pk11_CheckPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, -+ char *pw, PRBool alreadyLocked, PRBool contextSpecific) - { - int len = 0; - CK_RV crv; -@@ -66,13 +67,13 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch - } - - do { -- PK11_EnterSlotMonitor(slot); -- crv = PK11_GETTAB(slot)->C_Login(slot->session, -+ if (!alreadyLocked) PK11_EnterSlotMonitor(slot); -+ crv = PK11_GETTAB(slot)->C_Login(session, - contextSpecific ? CKU_CONTEXT_SPECIFIC : CKU_USER, - (unsigned char *)pw,len); - slot->lastLoginCheck = 0; - mustRetry = PR_FALSE; -- PK11_ExitSlotMonitor(slot); -+ if (!alreadyLocked) PK11_ExitSlotMonitor(slot); - switch (crv) { - /* if we're already logged in, we're good to go */ - case CKR_OK: -@@ -91,10 +92,19 @@ pk11_CheckPassword(PK11SlotInfo *slot,ch - * if the token is still there. */ - case CKR_SESSION_HANDLE_INVALID: - case CKR_SESSION_CLOSED: -+ if (session != slot->session) { -+ /* don't bother retrying, we were in a middle of an operation, -+ * which is now lost. Just fail. 
*/ -+ PORT_SetError(PK11_MapError(crv)); -+ rv = SECFailure; -+ break; -+ } - if (retry++ == 0) { - rv = PK11_InitToken(slot,PR_FALSE); - if (rv == SECSuccess) { - if (slot->session != CK_INVALID_SESSION) { -+ session = slot->session; /* we should have -+ * a new session now */ - mustRetry = PR_TRUE; - } else { - PORT_SetError(PK11_MapError(crv)); -@@ -242,7 +252,8 @@ PK11_HandlePasswordCheck(PK11SlotInfo *s - NeedAuth = PR_TRUE; - } - } -- if (NeedAuth) PK11_DoPassword(slot,PR_TRUE,wincx,PR_FALSE); -+ if (NeedAuth) PK11_DoPassword(slot, slot->session, PR_TRUE, -+ wincx, PR_FALSE, PR_FALSE); - } - - void -@@ -301,7 +312,8 @@ pk11_LoginStillRequired(PK11SlotInfo *sl - SECStatus - PK11_Authenticate(PK11SlotInfo *slot, PRBool loadCerts, void *wincx) { - if (pk11_LoginStillRequired(slot,wincx)) { -- return PK11_DoPassword(slot,loadCerts,wincx,PR_FALSE); -+ return PK11_DoPassword(slot, slot->session, loadCerts, wincx, -+ PR_FALSE, PR_FALSE); - } - return SECSuccess; - } -@@ -532,7 +544,8 @@ PK11_SetIsLoggedInFunc(PK11IsLoggedInFun - * of the PKCS 11 module. 
- */ - SECStatus --PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx, -+PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, -+ PRBool loadCerts, void *wincx, PRBool alreadyLocked, - PRBool contextSpecific) - { - SECStatus rv = SECFailure; -@@ -602,7 +615,8 @@ PK11_DoPassword(PK11SlotInfo *slot, PRBo - break; - } - } -- rv = pk11_CheckPassword(slot,password,contextSpecific); -+ rv = pk11_CheckPassword(slot, session, password, -+ alreadyLocked, contextSpecific); - PORT_Memset(password, 0, PORT_Strlen(password)); - PORT_Free(password); - if (rv != SECWouldBlock) break; -Index: ./mozilla/security/nss/lib/pk11wrap/pk11merge.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11merge.c,v -retrieving revision 1.10 -diff -u -p -r1.10 pk11merge.c ---- ./mozilla/security/nss/lib/pk11wrap/pk11merge.c 25 Apr 2012 14:50:05 -0000 1.10 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11merge.c 2 Nov 2012 18:09:54 -0000 -@@ -169,15 +169,15 @@ pk11_getPrivateKeyUsage(PK11SlotInfo *sl - { - unsigned int usage = 0; - -- if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP) || -- PK11_HasAttributeSet(slot,id, CKA_DECRYPT))) { -+ if ((PK11_HasAttributeSet(slot, id, CKA_UNWRAP,PR_FALSE) || -+ PK11_HasAttributeSet(slot,id, CKA_DECRYPT,PR_FALSE))) { - usage |= KU_KEY_ENCIPHERMENT; - } -- if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) { - usage |= KU_KEY_AGREEMENT; - } -- if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER) || -- PK11_HasAttributeSet(slot, id, CKA_SIGN))) { -+ if ((PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE) || -+ PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE))) { - usage |= KU_DIGITAL_SIGNATURE; - } - return usage; -@@ -373,31 +373,31 @@ pk11_getSecretKeyFlags(PK11SlotInfo *slo - { - CK_FLAGS flags = 0; - -- if (PK11_HasAttributeSet(slot, id, CKA_UNWRAP)) { -+ if (PK11_HasAttributeSet(slot, id, 
CKA_UNWRAP, PR_FALSE)) { - flags |= CKF_UNWRAP; - } -- if (PK11_HasAttributeSet(slot, id, CKA_WRAP)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_WRAP, PR_FALSE)) { - flags |= CKF_WRAP; - } -- if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_ENCRYPT, PR_FALSE)) { - flags |= CKF_ENCRYPT; - } -- if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_DECRYPT, PR_FALSE)) { - flags |= CKF_DECRYPT; - } -- if (PK11_HasAttributeSet(slot, id, CKA_DERIVE)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_DERIVE, PR_FALSE)) { - flags |= CKF_DERIVE; - } -- if (PK11_HasAttributeSet(slot, id, CKA_SIGN)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_SIGN, PR_FALSE)) { - flags |= CKF_SIGN; - } -- if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_SIGN_RECOVER, PR_FALSE)) { - flags |= CKF_SIGN_RECOVER; - } -- if (PK11_HasAttributeSet(slot, id, CKA_VERIFY)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_VERIFY, PR_FALSE)) { - flags |= CKF_VERIFY; - } -- if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER)) { -+ if (PK11_HasAttributeSet(slot, id, CKA_VERIFY_RECOVER, PR_FALSE)) { - flags |= CKF_VERIFY_RECOVER; - } - return flags; -Index: ./mozilla/security/nss/lib/pk11wrap/pk11obj.c -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11obj.c,v -retrieving revision 1.27 -diff -u -p -r1.27 pk11obj.c ---- ./mozilla/security/nss/lib/pk11wrap/pk11obj.c 29 Jun 2012 17:46:25 -0000 1.27 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11obj.c 2 Nov 2012 18:09:54 -0000 -@@ -146,7 +146,7 @@ PK11_ReadULongAttribute(PK11SlotInfo *sl - */ - CK_BBOOL - PK11_HasAttributeSet( PK11SlotInfo *slot, CK_OBJECT_HANDLE id, -- CK_ATTRIBUTE_TYPE type ) -+ CK_ATTRIBUTE_TYPE type, PRBool haslock ) - { - CK_BBOOL ckvalue = CK_FALSE; - CK_ATTRIBUTE theTemplate; -@@ -156,10 +156,10 @@ PK11_HasAttributeSet( PK11SlotInfo *slot - 
PK11_SETATTRS( &theTemplate, type, &ckvalue, sizeof( CK_BBOOL ) ); - - /* Retrieve attribute value. */ -- PK11_EnterSlotMonitor(slot); -+ if (!haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB( slot )->C_GetAttributeValue( slot->session, id, - &theTemplate, 1 ); -- PK11_ExitSlotMonitor(slot); -+ if (!haslock) PK11_ExitSlotMonitor(slot); - if( crv != CKR_OK ) { - PORT_SetError( PK11_MapError( crv ) ); - return CK_FALSE; -@@ -254,7 +254,7 @@ PK11_GetAttributes(PRArenaPool *arena,PK - PRBool - PK11_IsPermObject(PK11SlotInfo *slot, CK_OBJECT_HANDLE handle) - { -- return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN); -+ return (PRBool) PK11_HasAttributeSet(slot, handle, CKA_TOKEN, PR_FALSE); - } - - char * -@@ -735,6 +735,7 @@ PK11_Sign(SECKEYPrivateKey *key, SECItem - CK_MECHANISM mech = {0, NULL, 0 }; - PRBool owner = PR_TRUE; - CK_SESSION_HANDLE session; -+ PRBool haslock = PR_FALSE; - CK_ULONG len; - CK_RV crv; - -@@ -745,24 +746,27 @@ PK11_Sign(SECKEYPrivateKey *key, SECItem - } - - session = pk11_GetNewSession(slot,&owner); -- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); -+ haslock = (!owner || !(slot->isThreadSafe)); -+ if (haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_SignInit(session,&mech,key->pkcs11ID); - if (crv != CKR_OK) { -- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); -+ if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; - } -- /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then -- * do C_Login with CKU_CONTEXT_SPECIFIC -- * between C_SignInit and C_Sign */ -- if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) { -- PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE); -- } -+ -+ /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then -+ * do C_Login with CKU_CONTEXT_SPECIFIC -+ * between C_SignInit and C_Sign */ -+ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, 
haslock)) { -+ PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); -+ } -+ - len = sig->len; - crv = PK11_GETTAB(slot)->C_Sign(session,hash->data, - hash->len, sig->data, &len); -- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); -+ if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - sig->len = len; - if (crv != CKR_OK) { -@@ -788,6 +792,7 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *ke - CK_ULONG out = maxLen; - PRBool owner = PR_TRUE; - CK_SESSION_HANDLE session; -+ PRBool haslock = PR_FALSE; - CK_RV crv; - - if (key->keyType != rsaKey) { -@@ -803,23 +808,26 @@ pk11_PrivDecryptRaw(SECKEYPrivateKey *ke - PK11_HandlePasswordCheck(slot, key->wincx); - } - session = pk11_GetNewSession(slot,&owner); -- if (!owner || !(slot->isThreadSafe)) PK11_EnterSlotMonitor(slot); -+ haslock = (!owner || !(slot->isThreadSafe)); -+ if (haslock) PK11_EnterSlotMonitor(slot); - crv = PK11_GETTAB(slot)->C_DecryptInit(session, mech, key->pkcs11ID); - if (crv != CKR_OK) { -- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); -+ if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - PORT_SetError( PK11_MapError(crv) ); - return SECFailure; - } -- /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then -- * do C_Login with CKU_CONTEXT_SPECIFIC -- * between C_DecryptInit and C_Decrypt */ -- /* But see note above about servers */ -- if (SECKEY_HAS_ATTRIBUTE_SET(key,CKA_ALWAYS_AUTHENTICATE)) { -- PK11_DoPassword(slot, PR_FALSE, key->wincx, PR_TRUE); -- } -+ -+ /* PKCS11 2.20 says if CKA_ALWAYS_AUTHENTICATE then -+ * do C_Login with CKU_CONTEXT_SPECIFIC -+ * between C_DecryptInit and C_Decrypt -+ * ... 
But see note above about servers */ -+ if (SECKEY_HAS_ATTRIBUTE_SET_LOCK(key, CKA_ALWAYS_AUTHENTICATE, haslock)) { -+ PK11_DoPassword(slot, session, PR_FALSE, key->wincx, haslock, PR_TRUE); -+ } -+ - crv = PK11_GETTAB(slot)->C_Decrypt(session,enc, encLen, data, &out); -- if (!owner || !(slot->isThreadSafe)) PK11_ExitSlotMonitor(slot); -+ if (haslock) PK11_ExitSlotMonitor(slot); - pk11_CloseSession(slot,session,owner); - *outLen = out; - if (crv != CKR_OK) { -Index: ./mozilla/security/nss/lib/pk11wrap/pk11priv.h -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11priv.h,v -retrieving revision 1.18 -diff -u -p -r1.18 pk11priv.h ---- ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 16 May 2012 12:34:20 -0000 1.18 -+++ ./mozilla/security/nss/lib/pk11wrap/pk11priv.h 2 Nov 2012 18:09:55 -0000 -@@ -59,8 +59,9 @@ void PK11_CleanKeyList(PK11SlotInfo *slo - /************************************************************ - * Slot Password Management - ************************************************************/ --SECStatus PK11_DoPassword(PK11SlotInfo *slot, PRBool loadCerts, void *wincx, -- PRBool contextSpecific); -+SECStatus PK11_DoPassword(PK11SlotInfo *slot, CK_SESSION_HANDLE session, -+ PRBool loadCerts, void *wincx, PRBool alreadyLocked, -+ PRBool contextSpecific); - SECStatus PK11_VerifyPW(PK11SlotInfo *slot,char *pw); - void PK11_HandlePasswordCheck(PK11SlotInfo *slot,void *wincx); - void PK11_SetVerifyPasswordFunc(PK11VerifyPasswordFunc func); -@@ -121,7 +122,8 @@ CK_OBJECT_HANDLE PK11_MatchItem(PK11Slot - CK_OBJECT_CLASS o_class); - CK_BBOOL PK11_HasAttributeSet( PK11SlotInfo *slot, - CK_OBJECT_HANDLE id, -- CK_ATTRIBUTE_TYPE type ); -+ CK_ATTRIBUTE_TYPE type, -+ PRBool haslock ); - CK_RV PK11_GetAttributes(PLArenaPool *arena,PK11SlotInfo *slot, - CK_OBJECT_HANDLE obj,CK_ATTRIBUTE *attr, int count); - int PK11_NumberCertsForCertSubject(CERTCertificate *cert); 
diff --git a/no-softoken-freebl-tests.patch b/no-softoken-freebl-tests.patch new file mode 100644 index 0000000..356678d --- /dev/null +++ b/no-softoken-freebl-tests.patch @@ -0,0 +1,39 @@ +diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile +--- ./mozilla/security/nss/cmd/Makefile.nosoftokentests 2012-12-22 14:06:13.193304912 -0800 ++++ ./mozilla/security/nss/cmd/Makefile 2012-12-22 14:10:04.942248630 -0800 +@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS + DIRS += libpkix + endif + ++# nss-softoken only tests ++BLTEST_SRCDIR= ++FIPSTEST_SRCDIR= ++ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1) ++BLTEST_SRCDIR=bltest # Add the bltest directory to DIRS. ++FIPSTEST_SRCDIR=fipstest # Add the fipstest directory to DIRS. ++endif ++ + LOWHASHTEST_SRCDIR= + ifeq ($(FREEBL_LOWHASH),1) + LOWHASHTEST_SRCDIR = lowhashtest # Add the lowhashtest directory to DIRS. +diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn +--- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests 2012-12-22 14:06:35.191293837 -0800 ++++ ./mozilla/security/nss/cmd/manifest.mn 2012-12-22 14:11:22.342263467 -0800 +@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm + DIRS = lib \ + addbuiltin \ + atob \ +- bltest \ ++ $(BLTEST_SRCDIR) \ + btoa \ + certcgi \ + certutil \ +@@ -23,7 +23,7 @@ DIRS = lib \ + derdump \ + digest \ + httpserv \ +- fipstest \ ++ $(FIPSTEST_SRCDIR) \ + $(LOWHASHTEST_SRCDIR) \ + listsuites \ + makepqg \ diff --git a/nss.spec b/nss.spec index 6957a5f..d74c8e6 100644 --- a/nss.spec +++ b/nss.spec @@ -1,4 +1,4 @@ -%global nspr_version 4.9.2 +%global nspr_version 4.9.4 %global nss_util_version 3.14 %global nss_softokn_fips_version 3.12.9 %global nss_softokn_version 3.14 @@ -6,8 +6,8 @@ Summary: Network Security Services Name: nss -Version: 3.14 -Release: 12%{?dist} +Version: 3.14.1 +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries 
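Review bot: Nothing visible in this commit sets `NSS_BUILD_SOFTOKEN_ONLY`, so after the added `ifeq` block in cmd/Makefile the `bltest` and `fipstest` directories appear to drop out of the nss build entirely. If the spec's test run still includes the cipher or FIPS cycles, they would fail or be skipped for lack of those binaries, so it is worth confirming that the test list excludes them and that the nss-softokn package builds and runs them instead. The patch file would benefit from a short header saying so, e.g. `# bltest and fipstest exercise freebl/softoken; build them only in nss-softokn`. As a style point, the trailing comments after `BLTEST_SRCDIR=bltest` and `FIPSTEST_SRCDIR=fipstest` copy the existing `LOWHASHTEST_SRCDIR` line, but in make the whitespace before `#` becomes part of the value; it is harmless in `DIRS`, though a comment on its own line avoids it.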
@@ -69,11 +69,11 @@ Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch -# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=357025 -Patch41: Bug-872124-fix-pk11wrap-locking.patch # upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890 Patch42: 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch +Patch43: no-softoken-freebl-tests.patch + %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled client and @@ -150,14 +150,14 @@ low level services. %patch6 -p0 -b .libpem %patch16 -p0 -b .539183 %patch18 -p0 -b .646045 -# link pem against buildroot's freebl, esential wen mixing and matching +# link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl # activate for stable and beta branches %patch29 -p0 -b .770682 %patch39 -p1 -b .nobypass %patch40 -p1 -b .noocsptest -%patch41 -p0 -b .872124 %patch42 -p0 -b .870864 +%patch43 -p0 -b .nosoftokentests %build @@ -603,6 +603,13 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2 +- Require nspr >= 4.9.4 +- Fix changelog invalid dates + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + * Wed Dec 12 2012 Elio Maldonado - 3.14-12 - Bug 879978 - Install the nssck.api header template where mod_revocator can access it - Install nssck.api in /usr/includes/nss3/templates @@ -819,7 +826,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Wed Mar 23 2011 Elio Maldonado - 3.12.9-14 - Update to NSS_3.12.9_WITH_CKBI_1_82_RTM -* Wed Feb 24 2011 Elio Maldonado - 3.12.9-13 +* Thu Feb 24 2011 Elio Maldonado - 3.12.9-13 - Short-term fix for ssl test suites hangs on ipv6 type connections (#539183) * Fri Feb 18 2011 Elio Maldonado - 3.12.9-12 
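Review bot: `Patch41` (the pk11wrap locking fix around `C_Login` for `CKA_ALWAYS_AUTHENTICATE` keys) is dropped in the `@@ -69,11 +69,11 @@` hunk, and its `%patch41` line in the `@@ -150,14 +150,14 @@` hunk, but neither the spec nor the new changelog entries in the `@@ -603,6 +603,13 @@` hunk say why. Presumably the fix is contained in NSS_3_14_1_RTM; that should be confirmed against the upstream bug and recorded, e.g. `- Remove Bug-872124-fix-pk11wrap-locking.patch, fixed upstream in 3.14.1` (wording to be verified). `Patch43` is also added without the `# upstream:` or explanatory comment its neighbours carry; a line such as `# Build bltest and fipstest only in nss-softokn` above it, plus a matching changelog line, would document the change.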
@@ -884,7 +891,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Sun Oct 31 2010 Elio Maldonado - 3.12.8-7 - Tell rpm not to verify md5, size, and modtime of configurations file -* Wed Oct 18 2010 Elio Maldonado - 3.12.8-6 +* Mon Oct 18 2010 Elio Maldonado - 3.12.8-6 - Fix certificates trust order (#643134) - Apply nss-sysinit-userdb-first.patch last @@ -938,7 +945,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Mon Aug 09 2010 Elio Maldonado - 3.12.6-10 - Add support for PKCS#8 encoded PEM RSA private key files (#614532) -* Fri Jul 31 2010 Elio Maldonado - 3.12.6-9 +* Sat Jul 31 2010 Elio Maldonado - 3.12.6-9 - Fix nsssysinit to return userdb ahead of systemdb (#603313) * Tue Jun 08 2010 Dennis Gilmore - 3.12.6-8 @@ -950,7 +957,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Sun Jun 06 2010 Elio Maldonado - 3.12.6-6 - Fix SIGSEGV within CreateObject (#596674) -* Sat Apr 12 2010 Elio Maldonado - 3.12.6-5 +* Mon Apr 12 2010 Elio Maldonado - 3.12.6-5 - Update pem source tar to pick up the following bug fixes: - PEM - Allow collect objects to search through all objects - PEM - Make CopyObject return a new shallow copy @@ -1031,7 +1038,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h - Require nss-softoken of same architecture as nss (#527867) - Merge setup-nsssysinit.sh improvements from F-12 (#527051) -* Mon Oct 03 2009 Elio Maldonado - 3.12.4-13 +* Sat Oct 03 2009 Elio Maldonado - 3.12.4-13 - User no longer prompted for a password when listing keys an empty system db (#527048) - Fix setup-nsssysinit to handle more general formats (#527051) 
@@ -1105,13 +1112,13 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h - Fix nss-config not to include nssutil - Add BuildRequires on nss-softokn and nss-util since build also runs the test suite -* Wed Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 - disabling all tests while we investigate a buffer overflow bug -* Wed Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 - disabling some tests while we investigate a buffer overflow bug - 519766 -* Wed Aug 27 2009 Elio Maldonado - 3.12.3.99.3-19 +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-19 - remove patches that are now in nss-softokn and - remove spurious exec-permissions for nss.pc per rpmlint - single requires line in nss.pc.in @@ -1148,7 +1155,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h * Thu Aug 20 2009 Dennis Gilmore - 3.12.3.99.3-9 - dont install libnssutil3.so since its now in nss-util -* Sat Aug 06 2009 Elio Maldonado - 3.12.3.99.3-7.1 +* Thu Aug 06 2009 Elio Maldonado - 3.12.3.99.3-7.1 - Fix spec file problems uncovered by Fedora_12_Mass_Rebuild * Sat Jul 25 2009 Fedora Release Engineering - 3.12.3.99.3-7 @@ -1166,7 +1173,7 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h - fix numerous gcc warnings. (500815) - fix to support arbitrarily long password while loading a private key. (500180) - fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) -* Fri Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 +* Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 - add patch for bug 502133 upstream bug 496997 * Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-3 - rebuild with higher release number for upgrade sanity @@ -1364,5 +1371,5 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h - Adressed review comments by Wan-Teh Chang, Bob Relyea, Christopher Aillon. -* Tue Jul 9 2005 Rob Crittenden 3.10-1 +* Sat Jul 9 2005 Rob Crittenden 3.10-1 - Initial build 
diff --git a/sources b/sources
index 6b775e9..5e6526f 100644
--- a/sources
+++ b/sources
@@ -5,5 +5,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
 bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert
 2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2
-2844d502638ac84097d5a9affa6d1c3a nss-3.14-stripped.tar.bz2
 0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing
+78b4c196af29ef5e7851447029f947c0 nss-3.14.1-stripped.tar.bz2