Update to 3.12.5
parent
6a5ec0e38b
commit
9d98fbfa61
|
@ -1,2 +1,2 @@
|
|||
nss-3.12.4-stripped.tar.bz2
|
||||
nss-3.12.5-stripped.tar.bz2
|
||||
nss-pem-20090907.tar.bz2
|
||||
|
|
|
@ -0,0 +1,23 @@
|
|||
Index: mozilla/security/nss/lib/ssl/ssl3con.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
|
||||
retrieving revision 1.121
|
||||
diff -u -p -r1.121 ssl3con.c
|
||||
--- mozilla/security/nss/lib/ssl/ssl3con.c 12 Nov 2009 05:08:27 -0000 1.121
|
||||
+++ mozilla/security/nss/lib/ssl/ssl3con.c 20 Nov 2009 19:36:30 -0000
|
||||
@@ -4004,6 +4004,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
|
||||
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
|
||||
return SECFailure;
|
||||
}
|
||||
+ /*
|
||||
if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
|
||||
ssl_GetXmitBufLock(ss);
|
||||
rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
|
||||
@@ -4011,6 +4012,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
|
||||
PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
|
||||
return SECFailure;
|
||||
}
|
||||
+ */
|
||||
|
||||
if (sid) {
|
||||
ss->sec.uncache(sid);
|
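Review bot: The added `/*` … `*/` pair disables the whole `ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER` branch of `ssl3_HandleHelloRequest`, so a client configured to never renegotiate no longer answers a HelloRequest with the `no_renegotiation` warning and instead falls through to the `if (sid)` path. The rest of the function is outside the hunk, but that path presumably continues into a new handshake. Because this ships in the update that the spec changelog ties to CVE-2009-3555, the patch should state why the policy is relaxed, for example `/* Downstream, bug <ID>: HelloRequest is still honoured under SSL_RENEGOTIATE_NEVER; drop once peers support safe renegotiation */`. Prefer `#if 0` … `#endif` over a block comment so that a comment inside the disabled lines cannot end it early; one line of the branch falls between the two hunks and is not shown, so check it for a `*/`.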
159
newargs.patch
159
newargs.patch
|
@ -1,159 +0,0 @@
|
|||
Index: mozilla/security/nss/lib/pk11wrap/pk11pars.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pars.c,v
|
||||
retrieving revision 1.21
|
||||
diff -u -p -r1.21 pk11pars.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 12 Nov 2005 00:14:25 -0000 1.21
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 1 Sep 2009 21:55:18 -0000
|
||||
@@ -107,6 +107,41 @@ secmod_NewModule(void)
|
||||
|
||||
}
|
||||
|
||||
+/* private flags. */
|
||||
+/* The meaing of these flags is as follows:
|
||||
+ *
|
||||
+ * SECMOD_FLAG_IS_MODULE_DB - This is a module that accesses the database of
|
||||
+ * other modules to load. Module DBs are loadable modules that tells
|
||||
+ * NSS which PKCS #11 modules to load and when. These module DBs are
|
||||
+ * chainable. That is, one module DB can load another one. NSS system init
|
||||
+ * design takes advantage of this feature. In system NSS, a fixed system
|
||||
+ * module DB loads the system defined libraries, then chains out to the
|
||||
+ * traditional module DBs to load any system or user configured modules
|
||||
+ * (like smart cards). This bit is the same as the already existing meaning
|
||||
+ * of isModuleDB = PR_TRUE. None of the other flags should be set if this
|
||||
+ * flag isn't on.
|
||||
+ *
|
||||
+ * SECMOD_FLAG_SKIP_FIRST - This flag tells NSS to skip the first
|
||||
+ * PKCS #11 module presented by a module DB. This allows the OS to load a
|
||||
+ * softoken from the system module, then ask the existing module DB code to
|
||||
+ * load the other PKCS #11 modules in that module DB (skipping it's request
|
||||
+ * to load softoken). This gives the system init finer control over the
|
||||
+ * configuration of that softoken module.
|
||||
+ *
|
||||
+ * SECMOD_FLAG_DEFAULT_MODDB - This flag allows system init to mark a
|
||||
+ * different module DB as the 'default' module DB (the one in which
|
||||
+ * 'Add module' changes will go). Without this flag NSS takes the first
|
||||
+ * module as the default Module DB, but in system NSS, that first module
|
||||
+ * is the system module, which is likely read only (at least to the user).
|
||||
+ * This allows system NSS to delegate those changes to the user's module DB,
|
||||
+ * preserving the user's ability to load new PKCS #11 modules (which only
|
||||
+ * affect him), from existing applications like Firefox.
|
||||
+ */
|
||||
+#define SECMOD_FLAG_IS_MODULE_DB 0x01 /* must be set if any of the other flags
|
||||
+ * are set */
|
||||
+#define SECMOD_FLAG_SKIP_FIRST 0x02
|
||||
+#define SECMOD_FLAG_DEFAULT_MODDB 0x04
|
||||
+
|
||||
/*
|
||||
* for 3.4 we continue to use the old SECMODModule structure
|
||||
*/
|
||||
@@ -137,15 +172,33 @@ SECMOD_CreateModule(const char *library,
|
||||
if (slotParams) PORT_Free(slotParams);
|
||||
/* new field */
|
||||
mod->trustOrder = secmod_argReadLong("trustOrder",nssc,
|
||||
- SECMOD_DEFAULT_TRUST_ORDER,NULL);
|
||||
+ SECMOD_DEFAULT_TRUST_ORDER,NULL);
|
||||
/* new field */
|
||||
mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
|
||||
- SECMOD_DEFAULT_CIPHER_ORDER,NULL);
|
||||
+ SECMOD_DEFAULT_CIPHER_ORDER,NULL);
|
||||
/* new field */
|
||||
mod->isModuleDB = secmod_argHasFlag("flags","moduleDB",nssc);
|
||||
mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
|
||||
if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
|
||||
|
||||
+ /* we need more bits, but we also want to preserve binary compatibility
|
||||
+ * so we overload the isModuleDB PRBool with additional flags.
|
||||
+ * These flags are only valid if mod->isModuleDB is already set.
|
||||
+ * NOTE: this depends on the fact that PRBool is at least a char on
|
||||
+ * all platforms. These flags are only valid if moduleDB is set, so
|
||||
+ * code checking if (mod->isModuleDB) will continue to work correctly. */
|
||||
+ if (mod->isModuleDB) {
|
||||
+ char flags = SECMOD_FLAG_IS_MODULE_DB;
|
||||
+ if (secmod_argHasFlag("flags","skipFirst",nssc)) {
|
||||
+ flags |= SECMOD_FLAG_SKIP_FIRST;
|
||||
+ }
|
||||
+ if (secmod_argHasFlag("flags","defaultModDB",nssc)) {
|
||||
+ flags |= SECMOD_FLAG_DEFAULT_MODDB;
|
||||
+ }
|
||||
+ /* additional moduleDB flags could be added here in the future */
|
||||
+ mod->isModuleDB = (PRBool) flags;
|
||||
+ }
|
||||
+
|
||||
ciphers = secmod_argGetParamValue("ciphers",nssc);
|
||||
secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
|
||||
if (ciphers) PORT_Free(ciphers);
|
||||
@@ -155,6 +208,22 @@ SECMOD_CreateModule(const char *library,
|
||||
return mod;
|
||||
}
|
||||
|
||||
+PRBool
|
||||
+SECMOD_GetSkipFirstFlag(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_SKIP_FIRST) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
+PRBool
|
||||
+SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
|
||||
+{
|
||||
+ char flags = (char) mod->isModuleDB;
|
||||
+
|
||||
+ return (flags & SECMOD_FLAG_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
|
||||
+}
|
||||
+
|
||||
static char *
|
||||
secmod_mkModuleSpec(SECMODModule * module)
|
||||
{
|
||||
@@ -333,7 +402,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
|
||||
if (moduleSpecList) {
|
||||
char **index;
|
||||
|
||||
- for (index = moduleSpecList; *index; index++) {
|
||||
+ index = moduleSpecList;
|
||||
+ if (*index && SECMOD_GetSkipFirstFlag(module)) {
|
||||
+ index++;
|
||||
+ }
|
||||
+
|
||||
+ for (; *index; index++) {
|
||||
SECMODModule *child;
|
||||
child = SECMOD_LoadModule(*index,module,PR_TRUE);
|
||||
if (!child) break;
|
||||
Index: mozilla/security/nss/lib/pk11wrap/pk11util.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11util.c,v
|
||||
retrieving revision 1.55
|
||||
diff -u -p -r1.55 pk11util.c
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c 30 Jul 2009 00:29:35 -0000 1.55
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 1 Sep 2009 21:55:18 -0000
|
||||
@@ -179,7 +179,10 @@ SECMOD_AddModuleToList(SECMODModule *new
|
||||
SECStatus
|
||||
SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule)
|
||||
{
|
||||
- if (defaultDBModule == NULL) {
|
||||
+ if (defaultDBModule && SECMOD_GetDefaultModDBFlag(newModule)) {
|
||||
+ SECMOD_DestroyModule(defaultDBModule);
|
||||
+ defaultDBModule = SECMOD_ReferenceModule(newModule);
|
||||
+ } else if (defaultDBModule == NULL) {
|
||||
defaultDBModule = SECMOD_ReferenceModule(newModule);
|
||||
}
|
||||
return secmod_AddModuleToList(&modulesDB,newModule);
|
||||
Index: mozilla/security/nss/lib/pk11wrap/secmod.h
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/secmod.h,v
|
||||
retrieving revision 1.26
|
||||
diff -u -p -r1.26 secmod.h
|
||||
--- ./mozilla/security/nss/lib/pk11wrap/secmod.h 17 Dec 2008 06:09:16 -0000 1.26
|
||||
+++ ./mozilla/security/nss/lib/pk11wrap/secmod.h 1 Sep 2009 21:55:18 -0000
|
||||
@@ -151,6 +151,10 @@ extern PK11SlotInfo *SECMOD_FindSlot(SEC
|
||||
/* of modType has been installed */
|
||||
PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
|
||||
|
||||
+/* accessors */
|
||||
+PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod);
|
||||
+PRBool SECMOD_GetDefaultModDBFlag(SECMODModule *mod);
|
||||
+
|
||||
/* Functions used to convert between internal & public representation
|
||||
* of Mechanism Flags and Cipher Enable Flags */
|
||||
extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);
|
|
@ -0,0 +1,38 @@
|
|||
Index: mozilla/security/nss/lib/manifest.mn
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/manifest.mn,v
|
||||
retrieving revision 1.20
|
||||
diff -u -p -r1.20 manifest.mn
|
||||
--- mozilla/security/nss/lib/manifest.mn 7 Nov 2009 05:57:41 -0000 1.20
|
||||
+++ mozilla/security/nss/lib/manifest.mn 4 Dec 2009 02:27:20 -0000
|
||||
@@ -56,6 +56,7 @@ DIRS = util freebl softoken \
|
||||
pkcs12 pkcs7 smime \
|
||||
crmf jar \
|
||||
ckfw \
|
||||
+ sysinit \
|
||||
$(NULL)
|
||||
|
||||
# fortcrypt is no longer built
|
||||
Index: mozilla/security/nss/lib/nss/nssinit.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/nss/nssinit.c,v
|
||||
retrieving revision 1.103
|
||||
diff -u -p -r1.103 nssinit.c
|
||||
--- mozilla/security/nss/lib/nss/nssinit.c 29 Oct 2009 21:33:10 -0000 1.103
|
||||
+++ mozilla/security/nss/lib/nss/nssinit.c 4 Dec 2009 01:25:06 -0000
|
||||
@@ -52,6 +52,7 @@
|
||||
#include "secoid.h"
|
||||
#include "nss.h"
|
||||
#include "pk11func.h"
|
||||
+#include "pk11priv.h"
|
||||
#include "secerr.h"
|
||||
#include "nssbase.h"
|
||||
#include "pkixt.h"
|
||||
@@ -64,6 +65,7 @@
|
||||
#include "ocspti.h"
|
||||
#include "ocspi.h"
|
||||
|
||||
+
|
||||
/*
|
||||
* On Windows nss3.dll needs to export the symbol 'mktemp' to be
|
||||
* fully backward compatible with the nss3.dll in NSS 3.2.x and
|
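Review bot: In the nssinit.c part of this patch the only changes are `#include "pk11priv.h"` and one blank line added after `#include "ocspi.h"`, so nothing visible in the file uses the new private header. If the declaration it is needed for comes from another patch in the series, say so in a comment on the include; otherwise drop both nssinit.c hunks and keep only the `sysinit \` addition to `DIRS` in manifest.mn. The whitespace-only hunk in particular adds nothing and makes the patch harder to rebase onto later nssinit.c revisions.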
28
nss.spec
28
nss.spec
|
@ -1,21 +1,23 @@
|
|||
%global nspr_version 4.8
|
||||
%global nss_util_version 3.12.4
|
||||
%global nss_util_version 3.12.5
|
||||
%global nss_softokn_version 3.12.4
|
||||
%global nss_softokn_fips_version 3.12.4
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.12.4
|
||||
Release: 15%{?dist}
|
||||
Version: 3.12.5
|
||||
Release: 1%{?dist}.2
|
||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Group: System Environment/Libraries
|
||||
Requires: nspr >= %{nspr_version}
|
||||
Requires: nss-util >= %{nss_util_version}
|
||||
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
||||
Requires: nss-softokn%{_isa} = %{nss_softokn_fips_version}
|
||||
Requires: nss-system-init
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
BuildRequires: nspr-devel >= %{nspr_version}
|
||||
BuildRequires: nss-softokn-devel >= %{version}
|
||||
BuildRequires: nss-softokn-devel = %{nss_softokn_version}
|
||||
BuildRequires: nss-util-devel >= %{nss_util_version}
|
||||
BuildRequires: sqlite-devel
|
||||
BuildRequires: zlib-devel
|
||||
|
@ -39,8 +41,8 @@ Source12: %{name}-pem-20090907.tar.bz2
|
|||
|
||||
Patch2: nss-nolocalsql.patch
|
||||
Patch6: nss-enable-pem.patch
|
||||
Patch7: newargs.patch
|
||||
Patch8: sysinit.patch
|
||||
Patch7: 533125-ammend.patch
|
||||
Patch8: nss-sysinit.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -68,7 +70,7 @@ manipulate the NSS certificate and key database.
|
|||
%package sysinit
|
||||
Summary: System NSS Initilization
|
||||
Group: System Environment/Base
|
||||
Provides: nss-sysinit = %{version}-%{release}
|
||||
Provides: nss-system-init
|
||||
Requires: nss = %{version}-%{release}
|
||||
|
||||
%description sysinit
|
||||
|
@ -106,7 +108,7 @@ low level services.
|
|||
|
||||
%patch2 -p0
|
||||
%patch6 -p0 -b .libpem
|
||||
%patch7 -p0 -b .newargs
|
||||
%patch7 -p0 -b .533125
|
||||
%patch8 -p0 -b .sysinit
|
||||
|
||||
%build
|
||||
|
@ -137,8 +139,8 @@ export NSPR_LIB_DIR
|
|||
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
|
||||
NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss-util | sed 's/-L//'`
|
||||
|
||||
export NSS_INCLUDE_DIR
|
||||
export NSS_LIB_DIR
|
||||
#export NSS_INCLUDE_DIR
|
||||
#export NSS_LIB_DIR
|
||||
|
||||
%ifarch x86_64 ppc64 ia64 s390x sparc64
|
||||
USE_64=1
|
||||
|
@ -469,6 +471,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Dec 04 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.2
|
||||
- Update to 3.12.5
|
||||
- CVE-2009-3555 TLS: MITM attacks via session renegotiation
|
||||
|
||||
* Mon Oct 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-15
|
||||
- Require nss-softoken of same arch as nss (#527867)
|
||||
|
||||
|
|
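Review bot: The new `%changelog` entry records `CVE-2009-3555 TLS: MITM attacks via session renegotiation` but says nothing about `Patch7: 533125-ammend.patch`, which appears to be the ssl3con.c patch added in this commit that comments out the client-side `SSL_RENEGOTIATE_NEVER` check. Anyone auditing this build for renegotiation handling has to open the patch to learn that, so add a comment above the Patch7 line such as `# Relaxes the SSL_RENEGOTIATE_NEVER check in ssl3_HandleHelloRequest, see bug <ID>` and a matching changelog line. The entry's date `Thu Dec 04 2009` also looks wrong, since 4 December 2009 was a Friday, which rpm reports as a bogus date. The `#export NSS_INCLUDE_DIR` and `#export NSS_LIB_DIR` lines appear to replace the live exports and are better deleted than left commented out.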
2
sources
2
sources
|
@ -1,2 +1,2 @@
|
|||
954834f7b173bdab366a19880c671c39 nss-3.12.4-stripped.tar.bz2
|
||||
51c5958153b6c01fada2e74cedc66835 nss-3.12.5-stripped.tar.bz2
|
||||
895ef804e11c14868e86df80c2dd9b66 nss-pem-20090907.tar.bz2
|
||||
|
|
1492
sysinit.patch
1492
sysinit.patch
File diff suppressed because it is too large