Merge branch 'private-emaldona-upstream-experiment' into private-emaldona-crypto-policy-work

Elio Maldonado 2016-06-25 08:37:06 -07:00
commit 82cee71d15
2 changed files with 93 additions and 20 deletions


@ -5,7 +5,7 @@
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
# uncomment to make nss ignore the system policy file
#%global nss_ignore_system_policy 1
%global nss_ignore_system_policy 1
# solution taken from icedtea-web.spec
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
@ -75,8 +75,6 @@ Source24: cert9.db.xml
Source25: key3.db.xml
Source26: key4.db.xml
Source27: secmod.db.xml
# needs to be updated as we rebase and the system crypto policies evolve
Source28: adjust4policy.txt
Patch2: add-relro-linker-option.patch
Patch3: renegotiate-transitional.patch
@ -100,14 +98,19 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch59: nss-check-policy-file.patch
# TODO: file a bug usptream
# Upstream commit that caused problems with gtests
# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
Patch62: nss-skip-util-gtest.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch63: tests-check-policy-file.patch
# TODO: Under test and could be merged with nss-check-policy-file.patch
Patch64: nss-conditionally-ignore-system-policy.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
Patch65: tests-data-adjust-for-policy.patch
# TODO: file a bug upstream
Patch70: nss-skip-ecperf.patch
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
@ -192,7 +195,6 @@ pushd nss
#%patch62 -p0 -b .skip_util_gtest
%patch63 -p1 -b .check_policy
%patch64 -p0 -b .ignore_system_policy
#%patch65 -p1 -b .expected_result
popd
# temporary
%patch70 -p0 -b .skip_ecperf
@ -315,6 +317,12 @@ export POLICY_PATH="/etc/crypto-policies/back-ends"
# to keep nss from loading the policy file
%if %{nss_ignore_system_policy}
export NSS_IGNORE_SYSTEM_POLICY=1
%else
# system policy is enforced
pushd nss
# change some sslauth.txt entries to expect failure when enforcing policy
patch -p1 -b .expected_result < %{PATCH65}
popd
%endif
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
@ -423,27 +431,13 @@ export NSS_BLTEST_NOT_AVAILABLE=1
# needed for the fips mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}
# inform tests we kept nss from loading the policy file
# tests need to know we kept nss from loading the policy file
%if %{nss_ignore_system_policy}
export NSS_IGNORE_SYSTEM_POLICY=1
%endif
# End -- copied from the build section
# ****************************************************************
# Patching the test data here is more upstream friendly and
# eventually should be incorporated into what ssl.sh init does.
%if %{nss_ignore_system_policy}
# no need to patch the test data
%else
# expected results on some sslauth tests depend on whether
# the system crypto policy is being enforced or not.
pushd nss
patch -p1 < %{SOURCE28}
popd
%endif
# ****************************************************************
# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f
@ -485,9 +479,9 @@ pushd ./nss/tests/
# don't need to run all the tests when testing packaging
# nss_cycles: standard pkix upgradedb sharedb
# TODO: Add ssl_gtests when we rebase to nss-3.25 or higher
# the full list from all.sh is:
# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# TODO: Add ssl_gtests when we rebase to nss-3.25
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
# nss_ssl_run: cov auth stress
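Review bot: `%global nss_ignore_system_policy 1` in the first hunk is now the committed default, yet the comment kept above it, `# uncomment to make nss ignore the system policy file`, together with the still-commented copy of the same line, describes the opposite state. Because every `%if %{nss_ignore_system_policy}` branch in the later hunks then exports `NSS_IGNORE_SYSTEM_POLICY=1` and skips the sslauth expectation patch, %check no longer exercises the policy-enforcement path that Patch59 and Patch63 introduce; if that is deliberate for this experimental branch, say so next to the macro. I would drop the commented-out line and replace the comment with `# 1: %check runs with NSS_IGNORE_SYSTEM_POLICY=1 and skips the sslauth expectation patch; set to 0 to test against the system crypto policy`. Patch64's content is not in this diff, so it is worth confirming that the variable is honoured only by the build and test harness and not by the installed libraries, where a runtime opt-out from the system policy would be an unintended bypass.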


@ -0,0 +1,79 @@
diff -up ./tests/ssl/sslauth.txt.expect_other ./tests/ssl/sslauth.txt
--- ./tests/ssl/sslauth.txt.expect_other 2016-06-04 12:39:37.866869160 -0700
+++ ./tests/ssl/sslauth.txt 2016-06-04 16:00:45.007632304 -0700
@@ -9,17 +9,17 @@
# ECC value params params
# ------- ------ ------ ------ ---------------
noECC 0 -r -w_nss_-n_none TLS Request don't require client auth (client does not provide auth)
- noECC 0 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
+ noECC 1 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)
noECC 0 -r -w_nss_-n_TestUser TLS Request don't require client auth (client auth)
- noECC 254 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
- noECC 254 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
+ noECC 1 -r_-r -w_nss_-n_none TLS Require client auth (client does not provide auth)
+ noECC 1 -r_-r -w_bogus_-n_TestUser TLS Require client auth (bad password)
noECC 0 -r_-r -w_nss_-n_TestUser_ TLS Require client auth (client auth)
- noECC 254 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
- noECC 254 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
- noECC 254 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
- noECC 254 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
+ noECC 1 -r -V_:ssl3_-w_nss_-n_none SSL3 Request don't require client auth (client does not provide auth)
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth (bad password)
+ noECC 1 -r -V_:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth (client auth)
+ noECC 1 -r_-r -V_:ssl3_-w_nss_-n_none SSL3 Require client auth (client does not provide auth)
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth (bad password)
+ noECC 1 -r_-r -V_:ssl3_-n_TestUser_-w_nss SSL3 Require client auth (client auth)
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_none TLS Request don't require client auth on 2nd hs (client does not provide auth)
noECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser TLS Request don't require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser TLS Request don't require client auth on 2nd hs (client auth)
@@ -32,9 +32,9 @@
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_none TLS 1.0 Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser TLS 1.0 Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser TLS 1.0 Require client auth on 2nd hs (client auth)
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
- noECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Request don't require client auth on 2nd hs (client does not provide auth)
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Request don't require client auth on 2nd hs (bad password)
+ noECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Request don't require client auth on 2nd hs (client auth)
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-w_nss_-n_none SSL3 Require client auth on 2nd hs (client does not provide auth)
noECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_bogus SSL3 Require client auth on 2nd hs (bad password)
noECC 0 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser_-w_nss SSL3 Require client auth on 2nd hs (client auth)
@@ -43,11 +43,11 @@
#
ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)
ECC 0 -r -w_nss_-n_TestUser-ec TLS Request don't require client auth (EC) (client auth)
- ECC 254 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
+ ECC 1 -r_-r -w_bogus_-n_TestUser-ec TLS Require client auth (EC) (bad password)
ECC 0 -r_-r -w_nss_-n_TestUser-ec_ TLS Require client auth (EC) (client auth)
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth (EC) (bad password)
ECC 0 -r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth (EC) (client auth)
- ECC 254 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
+ ECC 1 -r_-r -V_:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth (EC) (bad password)
ECC 0 -r_-r -V_:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth (EC) (client auth)
ECC 0 -r_-r_-r -V_ssl3:_-w_bogus_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r -V_ssl3:_-w_nss_-n_TestUser-ec TLS Request don't require client auth on 2nd hs (EC) (client auth)
@@ -57,17 +57,17 @@
ECC 0 -r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec TLS 1.0 Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -V_ssl3:tls1.0_-w_bogus_-n_TestUser-ec TLS 1.0 Require client auth on 2nd hs (EC) (bad password)
ECC 0 -r_-r_-r_-r -V_ssl3:tls1.0_-w_nss_-n_TestUser-ec_ TLS 1.0 Require client auth on 2nd hs (EC) (client auth)
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
- ECC 254 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Request don't require client auth on 2nd hs (EC) (bad password)
+ ECC 1 -r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Request don't require client auth on 2nd hs (EC) (client auth)
ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_bogus SSL3 Require client auth on 2nd hs (EC) (bad password)
- ECC 254 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
+ ECC 1 -r_-r_-r_-r -V_ssl3:ssl3_-n_TestUser-ec_-w_nss SSL3 Require client auth on 2nd hs (EC) (client auth)
#
# SNI Tests
#
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
- SNI 254 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
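Review bot: The expectation on the new line `+ noECC 1 -r -w_bogus_-n_TestUser TLS Request don't require client auth (bad password)` changes from 0 to 1, while the parallel EC row two hunks later, `ECC 0 -r -w_bogus_-n_TestUser-ec TLS Request don't require client auth (EC) (bad password)`, is left at 0, and every other edit in this file is a 254-to-1 change on an SSL3 or require-client-auth row. Either that one row was edited by mistake, or the RSA request-only/bad-password case really does fail under the enforced policy for a reason the EC case does not share; if the latter, a sentence in the patch header saying why would keep the next rebase from reverting it. The file also carries no description above the `diff -up` line; a short header stating which policy state these expectations assume (the spec appears to apply this patch only in its enforced-policy branch) would make it self-describing.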