From a25fc1174362f994a107555b50a980774ba22166 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Sat, 25 Jan 2014 10:57:37 -0800
Subject: [PATCH] Update pem sources to latest from nss-pem upstream
- Update picks up pem fixes verified on RHEL and applied upstream
- Fix a problem where same files in two rpms created rpm conflict
- Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1050163
- Move some nss-sysinit manpages tar archives to the %files the
- All man pages are listed by name so there shouldn't be wildcard inclusion
- Add support for ppc64le, Resolves: Bug 1052545
---
 .gitignore | 2 +-
 ...-3.15.4-changes-in-freebl-and-softok.patch | 196 ------------------
 nss.spec | 27 ++-
 sources | 2 +-
 4 files changed, 18 insertions(+), 209 deletions(-)
 delete mode 100644 0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
diff --git a/.gitignore b/.gitignore
index 8c5fa50..acdcd65 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,5 +7,5 @@ PayPalEE.cert
 TestCA.ca.cert
 TestUser50.cert
 TestUser51.cert
-/nss-pem-20131226.tar.bz2
+/nss-pem-20140125.tar.bz2
 /nss-3.15.4.tar.gz
diff --git a/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch b/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
deleted file mode 100644
index 53ab4c1..0000000
--- a/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
+++ /dev/null
@@ -1,196 +0,0 @@ -From 67aaa70fb0e889ff7dd3668561bfb002dd83e018 Mon Sep 17 00:00:00 2001 -From: Elio Maldonado -Date: Wed, 8 Jan 2014 10:02:19 -0800 -Subject: [PATCH 39/39] Sync up with nss-3.15.4 changes in freebl and softoken - -- Remove RSA_BlockOAEP cases which aren't used by the pem module after all -- Copied the private RSA_BlockType data structure from freebl/pkcss11.c -- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c -- per Mozilla Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl -- https://bugzilla.mozilla.org/show_bug.cgi?id=836019 ---- - mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 133 ++++----------------------- - 1 file changed, 16 insertions(+), 117 deletions(-) - -diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c -index 5ac4f39..103eeda 100644 ---- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c -+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c -@@ -60,6 +60,21 @@ - - #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ - -+/* -+ * RSA block types -+ * -+ * The actual values are important -- they are fixed, *not* arbitrary. -+ * The explicit value assignments are not needed (because C would give -+ * us those same values anyway) but are included as a reminder... -+ */ -+typedef enum { -+ RSA_BlockUnused = 0, /* unused */ -+ RSA_BlockPrivate = 1, /* pad for a private-key operation */ -+ RSA_BlockPublic = 2, /* pad for a public-key operation */ -+ RSA_BlockRaw = 4, /* simply justify the block appropriately */ -+ RSA_BlockTotal -+} RSA_BlockType; -+ - unsigned - pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) - { -@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - /* - * Blocks intended for private-key operation. 
- */ -- case RSA_BlockPrivate0: /* essentially unused */ - case RSA_BlockPrivate: /* preferred method */ - /* - * 0x00 || BT || Pad || 0x00 || ActualData -@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - nss_ZFreeIf(block); - return NULL; - } -- nsslibc_memset(bp, -- blockType == RSA_BlockPrivate0 -- ? RSA_BLOCK_PRIVATE0_PAD_OCTET -- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); -+ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); - bp += padLen; - *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; - nsslibc_memcpy(bp, data->data, data->len); -@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, - - break; - -- /* -- * Blocks intended for public-key operation, using -- * Optimal Asymmetric Encryption Padding (OAEP). -- */ -- case RSA_BlockOAEP: -- /* -- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) -- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] -- * -- * where: -- * PaddedData is "Pad1 || ActualData [|| Pad2]" -- * Salt is random data. -- * Pad1 is all zeros. -- * Pad2, if present, is random data. -- * (The "modified" fields are all the same length as the original -- * unmodified values; they are just xor'd with other values.) -- * -- * Modified1 is an XOR of PaddedData with a special octet -- * string constructed of iterated hashing of Salt (see below). -- * Modified2 is an XOR of Salt with the low-order octets of -- * the hash of Modified1 (see farther below ;-). -- * -- * Whew! 
-- */ -- -- -- /* -- * Salt -- */ -- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); -- if (rv != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- bp += OAEP_SALT_LEN; -- -- /* -- * Pad1 -- */ -- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); -- bp += OAEP_PAD_LEN; -- -- /* -- * Data -- */ -- nsslibc_memcpy(bp, data->data, data->len); -- bp += data->len; -- -- /* -- * Pad2 -- */ -- if (bp < (block + modulusLen)) { -- rv = RNG_GenerateGlobalRandomBytes(bp, -- block - bp + modulusLen); -- if (rv != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- } -- -- /* -- * Now we have the following: -- * 0x00 || BT || Salt || PaddedData -- * (From this point on, "Pad1 || Data [|| Pad2]" is treated -- * as the one entity PaddedData.) -- * -- * We need to turn PaddedData into Modified1. -- */ -- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, -- modulusLen - 2 - OAEP_SALT_LEN, -- block + 2, OAEP_SALT_LEN) != SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- -- /* -- * Now we have: -- * 0x00 || BT || Salt || Modified1(PaddedData) -- * -- * The remaining task is to turn Salt into Modified2. -- */ -- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, -- block + 2 + OAEP_SALT_LEN, -- modulusLen - 2 - OAEP_SALT_LEN) != -- SECSuccess) { -- nss_ZFreeIf(block); -- return NULL; -- } -- -- break; -- - default: - PORT_Assert(0); - nss_ZFreeIf(block); -@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, - */ - - switch (blockType) { -- case RSA_BlockPrivate0: - case RSA_BlockPrivate: - case RSA_BlockPublic: - /* -@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, - - break; - -- case RSA_BlockOAEP: -- /* -- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) -- * -- * The "2" below is the first octet + the second octet. -- * (The other fields do not contain the clear values, but are -- * the same length as the clear values.) 
-- */ -- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN -- + OAEP_PAD_LEN))); -- -- result->data = rsa_FormatOneBlock(modulusLen, blockType, data); -- if (result->data == NULL) { -- result->len = 0; -- return SECFailure; -- } -- result->len = modulusLen; -- -- break; -- - case RSA_BlockRaw: - /* - * Pad || ActualData --- -1.8.4.2 - diff --git a/nss.spec b/nss.spec index 955acc9..8c12c55 100644 --- a/nss.spec +++ b/nss.spec @@ -5,7 +5,7 @@ %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" # solution taken from icedtea-web.spec -%define multilib_arches ppc64 sparc64 x86_64 +%define multilib_arches ppc64 sparc64 x86_64 ppc64le %ifarch %{multilib_arches} %define alt_ckbi libnssckbi.so.%{_arch} %else @@ -19,7 +19,7 @@ Summary: Network Security Services Name: nss Version: 3.15.4 -Release: 2%{?dist} +Release: 3%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -57,7 +57,7 @@ Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh Source10: PayPalEE.cert -Source12: %{name}-pem-20131226.tar.bz2 +Source12: %{name}-pem-20140125.tar.bz2 Source17: TestCA.ca.cert Source18: TestUser50.cert Source19: TestUser51.cert @@ -80,7 +80,6 @@ Patch18: nss-646045.patch Patch25: nsspem-use-system-freebl.patch # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch -Patch44: 0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 
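Review bot: `Source12: %{name}-pem-20140125.tar.bz2` names a dated snapshot with no URL and no upstream commit, so the only thing in this patch that pins the tarball's content is the 32-hex-digit (MD5-sized) digest in the `sources` hunk. A comment above the line would make the snapshot traceable, for example `# nss-pem upstream snapshot, commit <UPSTREAM_COMMIT_ID> from <UPSTREAM_REPO_URL>`. The `Patch44` removal in the next hunk (@@ -80,7 +80,6) is only safe if that snapshot already carries the rsawrapr.c sync with nss-3.15.4 that the deleted patch provided. Neither the spec nor the new changelog entry says so, and it is worth stating in one of them.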
@@ -172,7 +171,6 @@ low level services. # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl %patch40 -p0 -b .noocsptest -%patch44 -p3 -b .syncupwithupstream %patch47 -p0 -b .templates %patch48 -p0 -b .crypto %patch49 -p0 -b .skipthem @@ -250,7 +248,7 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le USE_64=1 export USE_64 %endif @@ -364,7 +362,7 @@ export FREEBL_NO_DEPEND BUILD_OPT=1 export BUILD_OPT -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le USE_64=1 export USE_64 %endif @@ -600,10 +598,12 @@ fi %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db -%attr(0644,root,root) %doc /usr/share/man/man5/* %attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz %attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz +%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %files sysinit %defattr(-,root,root) 
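Review bot: The 64-bit arch list in `%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le` is spelled out twice, in the @@ -250,7 +248,7 hunk and again in the @@ -364,7 +362,7 hunk, and had to be edited in both. With that duplication, a future arch addition can miss one copy and leave that part of the build without `USE_64=1`. Defining the list once next to `multilib_arches`, e.g. `%global arches_64 x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le`, and writing `%ifarch %{arches_64}` in both places would keep them in step; the spec already uses this form in `%ifarch %{multilib_arches}`. The build sections these lines belong to begin and end outside the hunks.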
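Review bot: The three entries added in the @@ -600,10 +598,12 hunk hard-code both the man directory and the compression suffix, e.g. `%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz`. Writing `%{_mandir}/man5/cert9.db.5*` (and likewise for `key4.db` and `pkcs11.txt`) would match how the neighbouring lines use `%{_sysconfdir}`, and would not depend on how the build root compresses man pages. With the `man5/*` wildcard removed, any man5 page that is installed but not listed is no longer picked up. Depending on the unpackaged-files policy, it will either fail the build or be silently left out, so the install section should be checked against these six names. The `%files` section this hunk edits starts outside the hunk.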
@@ -611,9 +611,6 @@ fi %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt -%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz %{_bindir}/setup-nsssysinit.sh # symbolic link to setup-nsssysinit.sh %{_bindir}/setup-nsssysinit @@ -731,6 +728,14 @@ fi %changelog +* Sat Jan 25 2014 Elio Maldonado - 3.15.4-3 +- Update pem sources to latest from nss-pem upstream +- Pick up pem fixes verified on RHEL and applied upstream +- Fix a problem where same files in two rpms created rpm conflict +- Move some nss-sysinit manpages tar archives to the %%files the +- All man pages are listed by name so there shouldn't be wildcard inclusion +- Add support for ppc64le, Resolves: Bug 1052545 + * Mon Jan 20 2014 Peter Robinson 3.15.4-2 - ARM tests pass so remove ARM conditional diff --git a/sources b/sources index 17a8fc5..5e4569d 100644 --- a/sources +++ b/sources @@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert -cb247307632f7673b32c71009ba7b660 nss-pem-20131226.tar.bz2 +b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2 74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz