From bf043713d104dced0cdfb1bd79dbafe90187df01 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 1 Oct 2013 14:16:46 -0700 Subject: [PATCH 1/6] Ammend the merge from master by keeping the nss-ssl-cbc-random-iv-off-by-default.patch enabled --- nss.spec | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nss.spec b/nss.spec index 819cc68..3dd00ef 100644 --- a/nss.spec +++ b/nss.spec @@ -93,7 +93,7 @@ Patch18: nss-646045.patch # Needed only when freebl on tree has new APIS Patch25: nsspem-use-system-freebl.patch # This patch is currently meant for stable branches -# Patch29: nss-ssl-cbc-random-iv-off-by-default.patch +Patch29: nss-ssl-cbc-random-iv-off-by-default.patch # Prevent users from trying to enable ssl pkcs11 bypass # Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed @@ -194,7 +194,7 @@ low level services. # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl # activate for stable and beta branches -# %%patch29 -p0 -b .cbcrandomivoff +%patch29 -p0 -b .cbcrandomivoff # %%patch39 -p0 -b .nobypass %patch40 -p0 -b .noocsptest %patch44 -p1 -b .syncupwithupstream @@ -758,6 +758,7 @@ fi * Thu Sep 26 2013 Elio Maldonado - 3.15.2-1 - Update to NSS_3_15_2_RTM - Update iquote.patch on account of modified prototype on cert.h installed by nss-devel +- Keep the nss-ssl-cbc-random-iv-off-by-default.patch enabled * Wed Aug 28 2013 Elio Maldonado - 3.15.1-7 - Update pem sources to pick up a patch applied upstream which a faulty merge had missed From 1bb4981176b259ac69f40cbcdf2e54efd75e9068 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 18 Oct 2013 11:58:26 -0700 Subject: [PATCH 2/6] Disable application of the nss-ssl-cbc-random-iv-off-by-default.patch - Resolves: rhbz#1020420 - Turn on the fix for BEAST by default [CVE-2011-3389] --- nss.spec | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/nss.spec b/nss.spec index 3dd00ef..7595e9b 100644 --- a/nss.spec +++ b/nss.spec @@ -20,7 +20,7 @@ Summary: Network Security Services Name: nss Version: 3.15.2 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -93,7 +93,7 @@ Patch18: nss-646045.patch # Needed only when freebl on tree has new APIS Patch25: nsspem-use-system-freebl.patch # This patch is currently meant for stable branches -Patch29: nss-ssl-cbc-random-iv-off-by-default.patch +# Patch29: nss-ssl-cbc-random-iv-off-by-default.patch # Prevent users from trying to enable ssl pkcs11 bypass # Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed @@ -105,7 +105,7 @@ Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch Patch46: disable-ocsp-stapling-tests.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch -# TODO submit this patch upstream +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 Patch48: nss-versus-softoken-tests.patch # TODO remove when we switch to building nss without softoken Patch49: nss-skip-bltest-and-fipstest.patch @@ -193,8 +193,8 @@ low level services. %patch18 -p0 -b .646045 # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl -# activate for stable and beta branches -%patch29 -p0 -b .cbcrandomivoff +# activate for stable and beta branches, disabled for f20 +# %%patch29 -p0 -b .cbcrandomivoff # %%patch39 -p0 -b .nobypass %patch40 -p0 -b .noocsptest %patch44 -p1 -b .syncupwithupstream @@ -755,6 +755,10 @@ fi %changelog +* Fri Oct 18 2013 Elio Maldonado - 3.15.2-2 +- Disable the nss-ssl-cbc-random-iv-off-by-default.patch +- Resolves: rhbz#1020420 - Turn on the fix for BEAST by default [CVE-2011-3389] + * Thu Sep 26 2013 Elio Maldonado - 3.15.2-1 - Update to NSS_3_15_2_RTM - Update iquote.patch on account of modified prototype on cert.h installed by nss-devel From d61e6dba7bad8125d96a65cb624201efa5fc3bae Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sun, 27 Oct 2013 09:45:10 -0700 Subject: [PATCH 3/6] Use the full pristine sources from upstream - Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird --- .gitignore | 2 +- mozilla-crypto-strip.sh | 128 ---------------------------------------- nss.spec | 19 ++---- sources | 2 +- 4 files changed, 7 insertions(+), 144 deletions(-) delete mode 100755 mozilla-crypto-strip.sh diff --git a/.gitignore b/.gitignore index 370b654..25fde7a 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,4 @@ TestCA.ca.cert TestUser50.cert TestUser51.cert /nss-pem-20130828.tar.bz2 -/nss-3.15.2-stripped.tar.bz2 +/nss-3.15.2.tar.gz diff --git a/mozilla-crypto-strip.sh b/mozilla-crypto-strip.sh deleted file mode 100755 index 56b00a8..0000000 --- a/mozilla-crypto-strip.sh +++ /dev/null @@ -1,128 +0,0 @@ -#!/bin/sh -set -e - -if test -z $1 -then - echo "usage: $0 " - exit -fi - -ORIGDIR=`pwd` -WORKDIR=nss_ecc_strip_working_dir -EXTENSION=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\2#'` -BASE=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\1#'` -COMPRESS="" - -if test "x$EXTENSION" = "x.tar.bz2" || test "x$EXTENSION" = "x.tbz2" -then - COMPRESS="j" -fi - -if test "x$EXTENSION" = "x.tar.gz" || test "x$EXTENSION" = "x.tgz" -then - COMPRESS="z" -fi - -if test "x$COMPRESS" = "x" -then - echo "unable to process, input file $1 has unsupported extension" - exit -fi - -echo "== extension is $EXTENSION - ok" -echo "== new extension will be $JEXTENSION" -echo "== cleaning old workdir $WORKDIR" - -rm -rf $WORKDIR -mkdir $WORKDIR - -echo "== extracting input archive $1" -tar -x -$COMPRESS -C $WORKDIR -f $1 - -echo "changing into $WORKDIR" -pushd $WORKDIR - -DIRCOUNT=`ls -1 | wc -l` -if test $DIRCOUNT -ne 1 -then - echo "unable to process, $1 contains more than one toplevel directory" - exit -fi - -TOPDIR=`ls -1` -if test "x$TOPDIR" != "xnss" -then - # try to deal with a single additional subdirectory above "nss" - echo "== skipping toplevel directory $TOPDIR" - cd $TOPDIR -fi - -DIRCOUNT=`ls -1 | wc -l` -if test $DIRCOUNT -ne 1 -then - echo "unable to process, $1 contains more than one second level directory" - exit -fi - -SINGLEDIR=`ls -1` -if test "x$SINGLEDIR" != "xnss" -then - echo "unable to process, first or second level directory is not nss" - exit -fi - -echo "== input archive accepted, now processing" - -REALFREEBLDIR=nss/lib/freebl -FREEBLDIR=./$REALFREEBLDIR - -rm -rf ./nss/cmd/ecperf - -mv ${FREEBLDIR}/ecl/ecl-exp.h ${FREEBLDIR}/save -rm -rf ${FREEBLDIR}/ecl/tests -rm -rf ${FREEBLDIR}/ecl/CVS -for i in ${FREEBLDIR}/ecl/* ; do -echo clobbering $i - > $i -done -mv ${FREEBLDIR}/save ${FREEBLDIR}/ecl/ecl-exp.h - -for j in ${FREEBLDIR}/ec.*; do - echo unifdef $j - cat $j | \ - awk 'BEGIN {ech=1; prt=0;} \ - /^#[ \t]*ifdef.*NSS_ENABLE_ECC/ {ech--; next;} \ - /^#[ \t]*if/ {if(ech < 1) ech--;} \ - {if(ech>0) {;print $0};} \ - /^#[ \t]*endif/ {if(ech < 1) ech++;} \ - {if (prt && (ech<=0)) {;print $0}; } \ - {if (ech>0) {prt=0;} } \ - /^#[ \t]*else/ {if (ech == 0) prt=1;}' > $j.hobbled && \ - mv $j.hobbled $j -done - -echo "== returning to original directory" -popd - -JCOMPRESS=j -JEXTENSION=.tar.bz2 -NEWARCHIVE=$BASE-stripped$JEXTENSION -echo "== finally producing new archive $NEWARCHIVE" -tar -c -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $TOPDIR - -echo "== all done, listing of old and new archive:" -ls -l $1 -ls -l $NEWARCHIVE - -LISTING_DIR="" -if test "x$TOPDIR" != "xmozilla" -then - LISTING_DIR="$TOPDIR/$REALFREEBLDIR/ecl" -else - LISTING_DIR="$REALFREEBLDIR/ecl" -fi - -echo "== FYI, producing listing of stripped dir in new archive" -tar -t -v -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $LISTING_DIR - - diff --git a/nss.spec b/nss.spec index 7595e9b..3fd8c96 100644 --- a/nss.spec +++ b/nss.spec @@ -47,20 +47,7 @@ BuildRequires: perl %{!?nss_ckbi_suffix:%define full_nss_version %{version}} %{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}} -Source0: %{name}-%{full_nss_version}-stripped.tar.bz2 - -# The stripped tar ball is a subset of the upstream sources with -# patent-encumbered cryptographic algorithms removed. -# Use this script to remove them and create the stripped archive. -# 1. Download the sources nss-{version}.tar.gz found within -# http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ -# in a subdirectory named NSS_${major}_${minor}_${maint}_RTM/src -# 2. In the download directory execute -# ./mozilla-crypto-strip.sh ${name}-${version}.tar.gz -# to produce ${name}-${version}-stripped.tar.bz2 -# for uploading to the lookaside cache. -Source100: mozilla-crypto-strip.sh - +Source0: %{name}-%{full_nss_version}.tar.gz Source1: nss.pc.in Source2: nss-config.in Source3: blank-cert8.db @@ -755,6 +742,10 @@ fi %changelog +* Sun Oct 27 2013 Elio Maldonado - 3.15.2-3 +- Use the full pristine sources from upstream +- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird + * Fri Oct 18 2013 Elio Maldonado - 3.15.2-2 - Disable the nss-ssl-cbc-random-iv-off-by-default.patch - Resolves: rhbz#1020420 - Turn on the fix for BEAST by default [CVE-2011-3389] diff --git a/sources b/sources index c14d054..2a414c9 100644 --- a/sources +++ b/sources @@ -8,4 +8,4 @@ f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2 -b402f7062b1c0c0ee9d0f223d03b4d6a nss-3.15.2-stripped.tar.bz2 +154223568f9734c76c164b46c774450c nss-3.15.2.tar.gz From c0d31ae1d8b3931d085dc16f196a3ff26570d7e1 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sun, 27 Oct 2013 10:43:24 -0700 Subject: [PATCH 4/6] Use the full pristine sources from upstream - Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird --- nss.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index 3fd8c96..29ae9a4 100644 --- a/nss.spec +++ b/nss.spec @@ -20,7 +20,7 @@ Summary: Network Security Services Name: nss Version: 3.15.2 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries From 346792254e01b69d4d237e2606a91254cd5bf314 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 3 Dec 2013 08:27:21 -0800 Subject: [PATCH 5/6] Install symlink to setup-nsssysinit.sh, without suffix, to match manpage documentation --- nss.spec | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/nss.spec b/nss.spec index 2f9fea9..77462fc 100644 --- a/nss.spec +++ b/nss.spec @@ -20,7 +20,7 @@ Summary: Network Security Services Name: nss Version: 3.15.3 -Release: 1%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -528,6 +528,10 @@ done %{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config # Copy the pkcs #11 configuration script %{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +# install a symbolic link to it, without the ".sh" suffix, +# that matches the man page documentation +ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit + # Copy the man pages for scripts for f in nss-config setup-nsssysinit; do install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 @@ -629,6 +633,8 @@ fi %attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %{_bindir}/setup-nsssysinit.sh +# symbolic link to setup-nsssysinit.sh +%{_bindir}/setup-nsssysinit %attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz %files tools @@ -743,6 +749,9 @@ fi %changelog +* Tue Dec 03 2013 Elio Maldonado - 3.15.3-2 +- Install symlink to setup-nsssysinit.sh, without suffix, to match manpage + * Sun Nov 24 2013 Elio Maldonado - 3.15.3-1 - Update to NSS_3_15_3_RTM - Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws From a0fd8d95019854d1f6d1430ec14a2972232f35c0 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Wed, 18 Dec 2013 07:59:15 -0800 Subject: [PATCH 6/6] Remove unused patch --- manpages-fixes.patch | 209 ------------------------------------------- 1 file changed, 209 deletions(-) delete mode 100644 manpages-fixes.patch diff --git a/manpages-fixes.patch b/manpages-fixes.patch deleted file mode 100644 index dd419b9..0000000 --- a/manpages-fixes.patch +++ /dev/null @@ -1,209 +0,0 @@ -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -634,16 +634,37 @@ of the attribute codes: - - - - --extSKID - Add the Subject Key ID extension to the certificate. X.509 certificate extensions are described in RFC 5280. - - - -+ --extNC -+ Add a Name Constraint extension to the certificate. X.509 certificate extensions are described in RFC 5280. -+ -+ -+ -+ --keyAttrFlags attrflags -+ -+PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} -+ -+ -+ -+ --keyFlagsOn opflags -+ --keyFlagsOff opflags -+ -+PKCS #11 key Operation Flags. -+Comma separated list of one or more of the following: -+{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} -+ -+ -+ -+ - --source-dir certdir - Identify the certificate database directory to upgrade. - - - - --source-prefix certdir - Give the prefix of the certificate and key databases to upgrade. - -@@ -795,17 +816,17 @@ JyBVgFqDXRYSyTBNw1DrxUU/3GvWA/ngjAwHEv0C - XRzPORlC2WY3gkk7vmlsLvYpyecNazAi/NAwVnU/66HOsaoVFWE+gBQo99UrN2yk - 0BiK/GMFlLm5dXQROgA9ZKKyFdI0LIXtf6SbAgMBAAGjMzAxMBEGCWCGSAGG+EIB - AQQEAwIHADAMBgNVHRMEBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B - AQUFAAOBgQA6chkzkACN281d1jKMrc+RHG2UMaQyxiteaLVZO+Ro1nnRUvseDf09 - XKYFwPMJjWCihVku6bw/ihZfuMHhxK22Nue6inNQ6eDu7WmrqL8z3iUrQwxs+WiF - ob2rb8XRVVJkzXdXxlk4uo3UtNvw8sAz7sWD71qxKaIHU5q49zijfg== - -----END CERTIFICATE----- - --For a humam-readable display -+For a human-readable display - $ certutil -L -d sql:$HOME/nssdb -n my-ca-cert - Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3650 (0xe42) - Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption - Issuer: "CN=Example CA" - Validity: -diff --git a/doc/cmsutil.xml b/doc/cmsutil.xml ---- a/doc/cmsutil.xml -+++ b/doc/cmsutil.xml -@@ -84,19 +84,26 @@ The options and arguments for the cmsuti - - -S - Sign a message. - - - - - Arguments -- Option arguments modify an action and are lowercase. -+ Option arguments modify an action. - - -+ -b -+ -+ Decode a batch of files named in infile. -+ -+ -+ -+ - -c content - - Use this detached content (decode only). - - - - - -d dbdir -@@ -108,37 +115,58 @@ The options and arguments for the cmsuti - - -e envfile - - Specify a file containing an enveloped message for a set of recipients to which you would like to send an encrypted message. If this is the first encrypted message for that set of recipients, a new enveloped message will be created that you can then use for future messages (encrypt only). - - - - -+ -f pwfile -+ -+ Use password file to set password on all PKCS#11 tokens. -+ -+ -+ -+ - -G - - Include a signing time attribute (sign only). - - -- -+ -+ -+ -H hash -+ -+ Use specified hash algorithm (default:SHA1). -+ -+ -+ - - -h num - - Generate email headers with info about CMS message (decode only). - - - - - -i infile - - Use infile as a source of data (default is stdin). - - - - -+ -k -+ -+ Keep decoded encryption certs in permanent cert db. -+ -+ -+ -+ - -N nickname - - Specify nickname of certificate to sign with (sign only). - - - - - -n -@@ -188,16 +216,23 @@ For certificates-only message, list of c - - -u certusage - - Set type of cert usage (default is certUsageEmailSigner). - - - - -+ -v -+ -+ Print debugging information. -+ -+ -+ -+ - -Y ekprefnick - - Specify an encryption key preference by nickname. - - - - - -diff --git a/doc/crlutil.xml b/doc/crlutil.xml ---- a/doc/crlutil.xml -+++ b/doc/crlutil.xml -@@ -261,16 +261,30 @@ Specify type of CRL. possible types are: - -u url - - - Specify the url. - - - - -+ -+ -w pwd-string -+ -+ Provide db password in command line. -+ -+ -+ -+ -+ -Z algorithm -+ -+ Specify the hash algorithm to use for signing the CRL. -+ -+ -+ - - - - - CRL Generation script syntax - CRL generation script file has the following syntax: - - * Line with comments should have # as a first symbol of a line