rpms
/
nss
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update to 3.12.5

This commit is contained in:
Elio Maldonado 2009-12-04 16:23:46 +00:00
parent 6a5ec0e38b
commit 9d98fbfa61
7 changed files with 80 additions and 1664 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.cvsignore
View File

@ -1,2 +1,2 @@
nss-3.12.4-stripped.tar.bz2
nss-3.12.5-stripped.tar.bz2
nss-pem-20090907.tar.bz2

23
533125-ammend.patch Executable file
View File

@ -0,0 +1,23 @@
Index: mozilla/security/nss/lib/ssl/ssl3con.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/ssl/ssl3con.c,v
retrieving revision 1.121
diff -u -p -r1.121 ssl3con.c
--- mozilla/security/nss/lib/ssl/ssl3con.c 12 Nov 2009 05:08:27 -0000 1.121
+++ mozilla/security/nss/lib/ssl/ssl3con.c 20 Nov 2009 19:36:30 -0000
@@ -4004,6 +4004,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
PORT_SetError(SSL_ERROR_RX_UNEXPECTED_HELLO_REQUEST);
return SECFailure;
}
+ /*
if (ss->opt.enableRenegotiation == SSL_RENEGOTIATE_NEVER) {
ssl_GetXmitBufLock(ss);
rv = SSL3_SendAlert(ss, alert_warning, no_renegotiation);
@@ -4011,6 +4012,7 @@ ssl3_HandleHelloRequest(sslSocket *ss)
PORT_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED);
return SECFailure;
}
+ */
if (sid) {
ss->sec.uncache(sid);

159
newargs.patch
View File

@ -1,159 +0,0 @@
Index: mozilla/security/nss/lib/pk11wrap/pk11pars.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11pars.c,v
retrieving revision 1.21
diff -u -p -r1.21 pk11pars.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 12 Nov 2005 00:14:25 -0000 1.21
+++ ./mozilla/security/nss/lib/pk11wrap/pk11pars.c 1 Sep 2009 21:55:18 -0000
@@ -107,6 +107,41 @@ secmod_NewModule(void)
}
+/* private flags. */
+/* The meaing of these flags is as follows:
+ *
+ * SECMOD_FLAG_IS_MODULE_DB - This is a module that accesses the database of
+ * other modules to load. Module DBs are loadable modules that tells
+ * NSS which PKCS #11 modules to load and when. These module DBs are
+ * chainable. That is, one module DB can load another one. NSS system init
+ * design takes advantage of this feature. In system NSS, a fixed system
+ * module DB loads the system defined libraries, then chains out to the
+ * traditional module DBs to load any system or user configured modules
+ * (like smart cards). This bit is the same as the already existing meaning
+ * of isModuleDB = PR_TRUE. None of the other flags should be set if this
+ * flag isn't on.
+ *
+ * SECMOD_FLAG_SKIP_FIRST - This flag tells NSS to skip the first
+ * PKCS #11 module presented by a module DB. This allows the OS to load a
+ * softoken from the system module, then ask the existing module DB code to
+ * load the other PKCS #11 modules in that module DB (skipping it's request
+ * to load softoken). This gives the system init finer control over the
+ * configuration of that softoken module.
+ *
+ * SECMOD_FLAG_DEFAULT_MODDB - This flag allows system init to mark a
+ * different module DB as the 'default' module DB (the one in which
+ * 'Add module' changes will go). Without this flag NSS takes the first
+ * module as the default Module DB, but in system NSS, that first module
+ * is the system module, which is likely read only (at least to the user).
+ * This allows system NSS to delegate those changes to the user's module DB,
+ * preserving the user's ability to load new PKCS #11 modules (which only
+ * affect him), from existing applications like Firefox.
+ */
+#define SECMOD_FLAG_IS_MODULE_DB 0x01 /* must be set if any of the other flags
+ * are set */
+#define SECMOD_FLAG_SKIP_FIRST 0x02
+#define SECMOD_FLAG_DEFAULT_MODDB 0x04
+
/*
* for 3.4 we continue to use the old SECMODModule structure
*/
@@ -137,15 +172,33 @@ SECMOD_CreateModule(const char *library,
if (slotParams) PORT_Free(slotParams);
/* new field */
mod->trustOrder = secmod_argReadLong("trustOrder",nssc,
- SECMOD_DEFAULT_TRUST_ORDER,NULL);
+ SECMOD_DEFAULT_TRUST_ORDER,NULL);
/* new field */
mod->cipherOrder = secmod_argReadLong("cipherOrder",nssc,
- SECMOD_DEFAULT_CIPHER_ORDER,NULL);
+ SECMOD_DEFAULT_CIPHER_ORDER,NULL);
/* new field */
mod->isModuleDB = secmod_argHasFlag("flags","moduleDB",nssc);
mod->moduleDBOnly = secmod_argHasFlag("flags","moduleDBOnly",nssc);
if (mod->moduleDBOnly) mod->isModuleDB = PR_TRUE;
+ /* we need more bits, but we also want to preserve binary compatibility
+ * so we overload the isModuleDB PRBool with additional flags.
+ * These flags are only valid if mod->isModuleDB is already set.
+ * NOTE: this depends on the fact that PRBool is at least a char on
+ * all platforms. These flags are only valid if moduleDB is set, so
+ * code checking if (mod->isModuleDB) will continue to work correctly. */
+ if (mod->isModuleDB) {
+ char flags = SECMOD_FLAG_IS_MODULE_DB;
+ if (secmod_argHasFlag("flags","skipFirst",nssc)) {
+ flags |= SECMOD_FLAG_SKIP_FIRST;
+ }
+ if (secmod_argHasFlag("flags","defaultModDB",nssc)) {
+ flags |= SECMOD_FLAG_DEFAULT_MODDB;
+ }
+ /* additional moduleDB flags could be added here in the future */
+ mod->isModuleDB = (PRBool) flags;
+ }
+
ciphers = secmod_argGetParamValue("ciphers",nssc);
secmod_argSetNewCipherFlags(&mod->ssl[0],ciphers);
if (ciphers) PORT_Free(ciphers);
@@ -155,6 +208,22 @@ SECMOD_CreateModule(const char *library,
return mod;
}
+PRBool
+SECMOD_GetSkipFirstFlag(SECMODModule *mod)
+{
+ char flags = (char) mod->isModuleDB;
+
+ return (flags & SECMOD_FLAG_SKIP_FIRST) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
+SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+{
+ char flags = (char) mod->isModuleDB;
+
+ return (flags & SECMOD_FLAG_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
+}
+
static char *
secmod_mkModuleSpec(SECMODModule * module)
{
@@ -333,7 +402,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
if (moduleSpecList) {
char **index;
- for (index = moduleSpecList; *index; index++) {
+ index = moduleSpecList;
+ if (*index && SECMOD_GetSkipFirstFlag(module)) {
+ index++;
+ }
+
+ for (; *index; index++) {
SECMODModule *child;
child = SECMOD_LoadModule(*index,module,PR_TRUE);
if (!child) break;
Index: mozilla/security/nss/lib/pk11wrap/pk11util.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11util.c,v
retrieving revision 1.55
diff -u -p -r1.55 pk11util.c
--- ./mozilla/security/nss/lib/pk11wrap/pk11util.c 30 Jul 2009 00:29:35 -0000 1.55
+++ ./mozilla/security/nss/lib/pk11wrap/pk11util.c 1 Sep 2009 21:55:18 -0000
@@ -179,7 +179,10 @@ SECMOD_AddModuleToList(SECMODModule *new
SECStatus
SECMOD_AddModuleToDBOnlyList(SECMODModule *newModule)
{
- if (defaultDBModule == NULL) {
+ if (defaultDBModule && SECMOD_GetDefaultModDBFlag(newModule)) {
+ SECMOD_DestroyModule(defaultDBModule);
+ defaultDBModule = SECMOD_ReferenceModule(newModule);
+ } else if (defaultDBModule == NULL) {
defaultDBModule = SECMOD_ReferenceModule(newModule);
}
return secmod_AddModuleToList(&modulesDB,newModule);
Index: mozilla/security/nss/lib/pk11wrap/secmod.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/secmod.h,v
retrieving revision 1.26
diff -u -p -r1.26 secmod.h
--- ./mozilla/security/nss/lib/pk11wrap/secmod.h 17 Dec 2008 06:09:16 -0000 1.26
+++ ./mozilla/security/nss/lib/pk11wrap/secmod.h 1 Sep 2009 21:55:18 -0000
@@ -151,6 +151,10 @@ extern PK11SlotInfo *SECMOD_FindSlot(SEC
/* of modType has been installed */
PRBool SECMOD_IsModulePresent( unsigned long int pubCipherEnableFlags );
+/* accessors */
+PRBool SECMOD_GetSkipFirstFlag(SECMODModule *mod);
+PRBool SECMOD_GetDefaultModDBFlag(SECMODModule *mod);
+
/* Functions used to convert between internal & public representation
* of Mechanism Flags and Cipher Enable Flags */
extern unsigned long SECMOD_PubMechFlagstoInternal(unsigned long publicFlags);

38
nss-sysinit.patch Executable file
View File

@ -0,0 +1,38 @@
Index: mozilla/security/nss/lib/manifest.mn
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/manifest.mn,v
retrieving revision 1.20
diff -u -p -r1.20 manifest.mn
--- mozilla/security/nss/lib/manifest.mn 7 Nov 2009 05:57:41 -0000 1.20
+++ mozilla/security/nss/lib/manifest.mn 4 Dec 2009 02:27:20 -0000
@@ -56,6 +56,7 @@ DIRS = util freebl softoken \
pkcs12 pkcs7 smime \
crmf jar \
ckfw \
+ sysinit \
$(NULL)
# fortcrypt is no longer built
Index: mozilla/security/nss/lib/nss/nssinit.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/nss/nssinit.c,v
retrieving revision 1.103
diff -u -p -r1.103 nssinit.c
--- mozilla/security/nss/lib/nss/nssinit.c 29 Oct 2009 21:33:10 -0000 1.103
+++ mozilla/security/nss/lib/nss/nssinit.c 4 Dec 2009 01:25:06 -0000
@@ -52,6 +52,7 @@
#include "secoid.h"
#include "nss.h"
#include "pk11func.h"
+#include "pk11priv.h"
#include "secerr.h"
#include "nssbase.h"
#include "pkixt.h"
@@ -64,6 +65,7 @@
#include "ocspti.h"
#include "ocspi.h"
+
/*
* On Windows nss3.dll needs to export the symbol 'mktemp' to be
* fully backward compatible with the nss3.dll in NSS 3.2.x and

28
nss.spec
View File

@ -1,21 +1,23 @@
%global nspr_version 4.8
%global nss_util_version 3.12.4
%global nss_util_version 3.12.5
%global nss_softokn_version 3.12.4
%global nss_softokn_fips_version 3.12.4
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
Summary: Network Security Services
Name: nss
Version: 3.12.4
Release: 15%{?dist}
Version: 3.12.5
Release: 1%{?dist}.2
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_util_version}
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
Requires: nss-softokn%{_isa} = %{nss_softokn_fips_version}
Requires: nss-system-init
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= %{nspr_version}
BuildRequires: nss-softokn-devel >= %{version}
BuildRequires: nss-softokn-devel = %{nss_softokn_version}
BuildRequires: nss-util-devel >= %{nss_util_version}
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
@ -39,8 +41,8 @@ Source12: %{name}-pem-20090907.tar.bz2
Patch2: nss-nolocalsql.patch
Patch6: nss-enable-pem.patch
Patch7: newargs.patch
Patch8: sysinit.patch
Patch7: 533125-ammend.patch
Patch8: nss-sysinit.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -68,7 +70,7 @@ manipulate the NSS certificate and key database.
%package sysinit
Summary: System NSS Initilization
Group: System Environment/Base
Provides: nss-sysinit = %{version}-%{release}
Provides: nss-system-init
Requires: nss = %{version}-%{release}
%description sysinit
@ -106,7 +108,7 @@ low level services.
%patch2 -p0
%patch6 -p0 -b .libpem
%patch7 -p0 -b .newargs
%patch7 -p0 -b .533125
%patch8 -p0 -b .sysinit
%build
@ -137,8 +139,8 @@ export NSPR_LIB_DIR
NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss-util | sed 's/-L//'`
export NSS_INCLUDE_DIR
export NSS_LIB_DIR
#export NSS_INCLUDE_DIR
#export NSS_LIB_DIR
%ifarch x86_64 ppc64 ia64 s390x sparc64
USE_64=1
@ -469,6 +471,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog
* Thu Dec 04 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.5-1.2
- Update to 3.12.5
- CVE-2009-3555 TLS: MITM attacks via session renegotiation
* Mon Oct 26 2009 Elio Maldonado<emaldona@redhat.com> - 3.12.4-15
- Require nss-softoken of same arch as nss (#527867)

2
sources
View File

@ -1,2 +1,2 @@
954834f7b173bdab366a19880c671c39 nss-3.12.4-stripped.tar.bz2
51c5958153b6c01fada2e74cedc66835 nss-3.12.5-stripped.tar.bz2
895ef804e11c14868e86df80c2dd9b66 nss-pem-20090907.tar.bz2

1492
sysinit.patch
View File

File diff suppressed because it is too large Load Diff