rpms
/
nss
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to NSS 3.21 

- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
This commit is contained in:
Elio Maldonado 2015-11-16 09:58:28 -08:00
parent 2a9943d7d9
commit 76c2979b60
6 changed files with 208 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -10,4 +10,4 @@ TestUser51.cert
/nss-pem-20140125.tar.bz2
/PayPalRootCA.cert
/PayPalICA.cert
/nss-3.20.1.tar.gz
/nss-3.21.0.tar.gz

12
iquote.patch
View File

@ -173,3 +173,15 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile
--- nss/lib/ssl/Makefile.iquote 2015-11-13 09:23:41.653738563 -0800
+++ nss/lib/ssl/Makefile 2015-11-13 09:25:25.121415348 -0800
@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #

26
nss-539183.patch
View File

@ -1,11 +1,9 @@
diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
--- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700
@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
diff -up ./nss/cmd/httpserv/httpserv.c.539183 ./nss/cmd/httpserv/httpserv.c
--- ./nss/cmd/httpserv/httpserv.c.539183 2015-11-08 21:12:59.000000000 -0800
+++ ./nss/cmd/httpserv/httpserv.c 2015-11-12 13:28:01.574855325 -0800
@@ -938,13 +938,13 @@ getBoundListenSocket(unsigned short port
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -15,9 +13,6 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
@ -25,14 +20,12 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
}
opt.option = PR_SockOpt_Nonblocking;
diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
--- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700
@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
diff -up ./nss/cmd/selfserv/selfserv.c.539183 ./nss/cmd/selfserv/selfserv.c
--- ./nss/cmd/selfserv/selfserv.c.539183 2015-11-08 21:12:59.000000000 -0800
+++ ./nss/cmd/selfserv/selfserv.c 2015-11-12 13:26:40.498345875 -0800
@@ -1707,13 +1707,13 @@ getBoundListenSocket(unsigned short port
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -42,9 +35,6 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");

54
nss.spec
View File

@ -18,7 +18,7 @@
Summary: Network Security Services
Name: nss
Version: 3.20.1
Version: 3.21.0
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 1.0%{?dist}
@ -92,15 +92,17 @@ Patch52: disableSSL2libssl.patch
Patch53: disableSSL2tests.patch
Patch54: tstclnt-ssl2-off-by-default.patch
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# As of nss-3.21 we compile NSS with -Werror.
# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
# This requires a cleanup of the PEM module as we have it here.
# TODO: submit a patch to the interim nss-pem upstream project
# The submission will be very different from this patch as
# cleanup there is already in progress there.
Patch59: pem-compile-with-Werror.patch
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
@ -188,11 +190,8 @@ pushd nss
popd
%patch54 -p0 -b .ssl2_off
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
%patch56 -p1 -b .ocsp_sni
pushd nss
%patch57 -p1 -b .1185708
popd
%patch58 -p0 -b .1185708_3des
%patch59 -p0 -b .compile_Werror
#########################################################
# Higher-level libraries and test tools need access to
@ -210,6 +209,10 @@ done
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
# Before removing util directory we must save verref.h
# as it will be needed later during the build phase.
%{__mv} ./nss/lib/util/verref.h ./nss/verref.h
##### Remove util/freebl/softoken and low level tools
######## Remove freebl, softoken and util
%{__rm} -rf ./nss/lib/freebl
@ -285,10 +288,16 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
# external tests are causing build problems because they access ssl internal types
# TODO: Investigate as there may be a better solution
export NSS_DISABLE_GTESTS=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
%endif
%endif
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
@ -301,6 +310,13 @@ export NSS_ECC_MORE_THAN_SUITE_B
export NSS_BLTEST_NOT_AVAILABLE=1
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/lib/util/verref.h which is which is exported privately,
# copy the one we saved during prep so it they can find it.
%{__mkdir_p} ./dist/private/nss
%{__mv} ./nss/verref.h ./dist/private/nss/verref.h
%{__make} -C ./nss
unset NSS_BLTEST_NOT_AVAILABLE
@ -389,10 +405,12 @@ export FREEBL_NO_DEPEND
BUILD_OPT=1
export BUILD_OPT
%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
%ifnarch noarch
%if 0%{__isa_bits} == 64
USE_64=1
export USE_64
%endif
%endif
export NSS_BLTEST_NOT_AVAILABLE=1
@ -551,7 +569,7 @@ do
done
# Copy the binaries we ship as unsupported
for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
do
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
@ -702,6 +720,7 @@ fi
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/listsuites
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
@ -806,6 +825,13 @@ fi
%changelog
* Mon Nov 16 2015 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1.0
- Update to NSS 3.21
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
* Mon Nov 02 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-1.0
- Update to NSS 3.20.1

146
pem-compile-with-Werror.patch Normal file
View File

@ -0,0 +1,146 @@
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-13 12:07:29.219887390 -0800
@@ -233,6 +233,9 @@ struct pemLOWKEYPrivateKeyStr {
};
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
+/* NOTE: Discrepancy with the the way callers use of the return value as a count
+ * Fix this when we sync. up with the cleanup work being done at nss-pem project.
+ */
SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
void pem_PopulateModulusExponent(pemInternalObject *io);
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-13 12:07:29.219887390 -0800
@@ -472,7 +472,9 @@ AddCertificate(char *certfile, char *key
char *ivstring = NULL;
int cipher;
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+ /* TODO: Fix discrepancy between our usage of the return value as
+ * as an int (a count) and the declaration as a SECStatus. */
+ nobjs = (int) ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
if (nobjs <= 0) {
nss_ZFreeIf(objs);
return CKR_GENERAL_ERROR;
@@ -515,8 +517,10 @@ AddCertificate(char *certfile, char *key
if (keyfile) { /* add the private key */
SECItem **keyobjs = NULL;
int kobjs = 0;
+ /* TODO: Fix discrepancy between our usage of the return value as
+ * as an int and the declaration as a SECStatus. */
kobjs =
- ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
+ (int) ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
&ivstring, PR_FALSE);
if (kobjs < 1) {
error = CKR_GENERAL_ERROR;
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-13 12:07:29.220887368 -0800
@@ -630,6 +630,11 @@ pem_DestroyInternalObject
if (io->u.key.ivstring)
free(io->u.key.ivstring);
break;
+ case pemAll:
+ /* pemAll is not used, keep the compiler happy
+ * TODO: investigate a proper solution
+ */
+ return;
}
if (NULL != gobj)
@@ -1044,7 +1049,9 @@ pem_CreateObject
int nobjs = 0;
int i;
int objid;
+#if 0
pemToken *token;
+#endif
int cipher;
char *ivstring = NULL;
pemInternalObject *listObj = NULL;
@@ -1073,7 +1080,9 @@ pem_CreateObject
}
slotID = nssCKFWSlot_GetSlotID(fwSlot);
+#if 0
token = (pemToken *) mdToken->etc;
+#endif
/*
* only create keys and certs.
@@ -1114,7 +1123,11 @@ pem_CreateObject
}
if (objClass == CKO_CERTIFICATE) {
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+ /* TODO: Fix discrepancy between our usage of the return value as
+ * as an int and the declaration as a SECStatus. Typecasting as a
+ * temporary workaround.
+ */
+ nobjs = (int) ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
if (nobjs < 1)
goto loser;
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-13 12:07:29.220887368 -0800
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
return 0;
}
+/* unused functions */
+#if 0
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
{
SHA1Context *clone = NULL;
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
return SECSuccess;
}
+#endif /* unused functions */
/*
* Format one block of data for public/private key encryption using
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/util.c 2015-11-13 12:22:52.282196306 -0800
@@ -131,7 +131,8 @@ static SECStatus FileToItem(SECItem * ds
return SECFailure;
}
-int
+/* FIX: Returns a SECStatus yet callers take result as a count */
+SECStatus
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
int *cipher, char **ivstring, PRBool certsonly)
{
@@ -237,7 +238,12 @@ ReadDERFromFile(SECItem *** derlist, cha
goto loser;
}
if ((certsonly && !key) || (!certsonly && key)) {
+ error = CKR_OK;
PUT_Object(der, error);
+ if (error != CKR_OK) {
+ free(der);
+ goto loser;
+ }
} else {
free(der->data);
free(der);
@@ -255,7 +261,12 @@ ReadDERFromFile(SECItem *** derlist, cha
}
/* NOTE: This code path has never been tested. */
+ error = CKR_OK;
PUT_Object(der, error);
+ if (error != CKR_OK) {
+ free(der);
+ goto loser;
+ }
}
nss_ZFreeIf(filedata.data);

2
sources
View File

@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
c285ef92de0031cb0a8caa60d396d618 nss-3.20.1.tar.gz
f53ffa490133d29ff930fa4b29bade90 nss-3.21.0.tar.gz