Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
- Resolves: Bug 1049229 - nss-3.15.4 is available - Resolves: Bug 1054456 - CVE-2013-1740 - Update pem sources to latest from the interim upstream for pem - Remove no longer needed patches - Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken - Update iquote.patch on account of upstream changes - Add comments documenting the iquote patch - Selective merge from master and f20
This commit is contained in:
parent
c129cf0bc3
commit
a7a248594c
|
@ -7,5 +7,5 @@ PayPalEE.cert
|
|||
TestCA.ca.cert
|
||||
TestUser50.cert
|
||||
TestUser51.cert
|
||||
/nss-pem-20130828.tar.bz2
|
||||
/nss-3.15.3.1.tar.gz
|
||||
/nss-pem-20131226.tar.bz2
|
||||
/nss-3.15.4.tar.gz
|
||||
|
|
|
@ -1,406 +0,0 @@
|
|||
From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
|
||||
From: Elio Maldonado <emaldona@redhat.com>
|
||||
Date: Sat, 9 Feb 2013 17:11:00 -0500
|
||||
Subject: [PATCH] Sync up with upstream softokn changes
|
||||
|
||||
- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
|
||||
- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
|
||||
- It now compiles with the NSS_3_14_3_BETA1 source
|
||||
---
|
||||
mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
|
||||
1 files changed, 82 insertions(+), 256 deletions(-)
|
||||
|
||||
diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
|
||||
index 5ac4f39..3780d30 100644
|
||||
--- a/nss/lib/ckfw/pem/rsawrapr.c
|
||||
+++ b/nss/lib/ckfw/pem/rsawrapr.c
|
||||
@@ -46,6 +46,7 @@
|
||||
#include "sechash.h"
|
||||
#include "base.h"
|
||||
|
||||
+#include "lowkeyi.h"
|
||||
#include "secerr.h"
|
||||
|
||||
#define RSA_BLOCK_MIN_PAD_LEN 8
|
||||
@@ -54,9 +55,8 @@
|
||||
#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
|
||||
#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
|
||||
|
||||
-#define OAEP_SALT_LEN 8
|
||||
-#define OAEP_PAD_LEN 8
|
||||
-#define OAEP_PAD_OCTET 0x00
|
||||
+/* Needed for RSA-PSS functions */
|
||||
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
|
||||
|
||||
#define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
|
||||
|
||||
@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
|
||||
-{
|
||||
- SHA1Context *clone = NULL;
|
||||
- unsigned char *pBuf;
|
||||
- int sha1ContextSize = SHA1_FlattenSize(original);
|
||||
- SECStatus frv;
|
||||
- unsigned char buf[FLAT_BUFSIZE];
|
||||
-
|
||||
- PORT_Assert(sizeof buf >= sha1ContextSize);
|
||||
- if (sizeof buf >= sha1ContextSize) {
|
||||
- pBuf = buf;
|
||||
- } else {
|
||||
- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
|
||||
- if (!pBuf)
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- frv = SHA1_Flatten(original, pBuf);
|
||||
- if (frv == SECSuccess) {
|
||||
- clone = SHA1_Resurrect(pBuf, NULL);
|
||||
- memset(pBuf, 0, sha1ContextSize);
|
||||
- }
|
||||
- done:
|
||||
- if (pBuf != buf)
|
||||
- nss_ZFreeIf(pBuf);
|
||||
- return clone;
|
||||
+/* Constant time comparison of a single byte.
|
||||
+ * Returns 1 iff a == b, otherwise returns 0.
|
||||
+ * Note: For ranges of bytes, use constantTimeCompare.
|
||||
+ */
|
||||
+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
|
||||
+ unsigned char c = ~(a - b | b - a);
|
||||
+ c >>= 7;
|
||||
+ return c;
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Modify data by XORing it with a special hash of salt.
|
||||
+/* Constant time comparison of a range of bytes.
|
||||
+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
|
||||
+ * returns 0.
|
||||
*/
|
||||
-static SECStatus
|
||||
-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
|
||||
- unsigned char *salt, unsigned int saltlen)
|
||||
-{
|
||||
- SHA1Context *sha1cx;
|
||||
- unsigned char *dp, *dataend;
|
||||
- unsigned char end_octet;
|
||||
-
|
||||
- sha1cx = SHA1_NewContext();
|
||||
- if (sha1cx == NULL) {
|
||||
- return SECFailure;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Get a hash of salt started; we will use it several times,
|
||||
- * adding in a different end octet (x00, x01, x02, ...).
|
||||
- */
|
||||
- SHA1_Begin(sha1cx);
|
||||
- SHA1_Update(sha1cx, salt, saltlen);
|
||||
- end_octet = 0;
|
||||
-
|
||||
- dp = data;
|
||||
- dataend = data + datalen;
|
||||
-
|
||||
- while (dp < dataend) {
|
||||
- SHA1Context *sha1cx_h1;
|
||||
- unsigned int sha1len, sha1off;
|
||||
- unsigned char sha1[SHA1_LENGTH];
|
||||
-
|
||||
- /*
|
||||
- * Create hash of (salt || end_octet)
|
||||
- */
|
||||
- sha1cx_h1 = SHA1_CloneContext(sha1cx);
|
||||
- SHA1_Update(sha1cx_h1, &end_octet, 1);
|
||||
- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
|
||||
- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
|
||||
- PORT_Assert(sha1len == SHA1_LENGTH);
|
||||
-
|
||||
- /*
|
||||
- * XOR that hash with the data.
|
||||
- * When we have fewer than SHA1_LENGTH octets of data
|
||||
- * left to xor, use just the low-order ones of the hash.
|
||||
- */
|
||||
- sha1off = 0;
|
||||
- if ((dataend - dp) < SHA1_LENGTH)
|
||||
- sha1off = SHA1_LENGTH - (dataend - dp);
|
||||
- while (sha1off < SHA1_LENGTH)
|
||||
- *dp++ ^= sha1[sha1off++];
|
||||
-
|
||||
- /*
|
||||
- * Bump for next hash chunk.
|
||||
- */
|
||||
- end_octet++;
|
||||
- }
|
||||
-
|
||||
- SHA1_DestroyContext(sha1cx, PR_TRUE);
|
||||
- return SECSuccess;
|
||||
+static unsigned char constantTimeCompare(const unsigned char *a,
|
||||
+ const unsigned char *b,
|
||||
+ unsigned int len) {
|
||||
+ unsigned char tmp = 0;
|
||||
+ unsigned int i;
|
||||
+ for (i = 0; i < len; ++i, ++a, ++b)
|
||||
+ tmp |= *a ^ *b;
|
||||
+ return constantTimeEQ8(0x00, tmp);
|
||||
}
|
||||
|
||||
-/*
|
||||
- * Modify salt by XORing it with a special hash of data.
|
||||
+/* Constant time conditional.
|
||||
+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
|
||||
+ * not 0 or 1.
|
||||
*/
|
||||
-static SECStatus
|
||||
-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
|
||||
- unsigned char *data, unsigned int datalen)
|
||||
+static unsigned int constantTimeCondition(unsigned int c,
|
||||
+ unsigned int a,
|
||||
+ unsigned int b)
|
||||
{
|
||||
- unsigned char sha1[SHA1_LENGTH];
|
||||
- unsigned char *psalt, *psha1, *saltend;
|
||||
- SECStatus rv;
|
||||
-
|
||||
- /*
|
||||
- * Create a hash of data.
|
||||
- */
|
||||
- rv = SHA1_HashBuf(sha1, data, datalen);
|
||||
- if (rv != SECSuccess) {
|
||||
- return rv;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * XOR the low-order octets of that hash with salt.
|
||||
- */
|
||||
- PORT_Assert(saltlen <= SHA1_LENGTH);
|
||||
- saltend = salt + saltlen;
|
||||
- psalt = salt;
|
||||
- psha1 = sha1 + SHA1_LENGTH - saltlen;
|
||||
- while (psalt < saltend) {
|
||||
- *psalt++ ^= *psha1++;
|
||||
- }
|
||||
-
|
||||
- return SECSuccess;
|
||||
+ return (~(c - 1) & a) | ((c - 1) & b);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
|
||||
unsigned char *block;
|
||||
unsigned char *bp;
|
||||
int padLen;
|
||||
- int i;
|
||||
+ int i, j;
|
||||
SECStatus rv;
|
||||
|
||||
block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
|
||||
@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
|
||||
*/
|
||||
case RSA_BlockPublic:
|
||||
|
||||
- /*
|
||||
- * 0x00 || BT || Pad || 0x00 || ActualData
|
||||
- * 1 1 padLen 1 data->len
|
||||
- * Pad is all non-zero random bytes.
|
||||
- */
|
||||
- padLen = modulusLen - data->len - 3;
|
||||
- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
|
||||
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
- for (i = 0; i < padLen; i++) {
|
||||
- /* Pad with non-zero random data. */
|
||||
- do {
|
||||
- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
|
||||
- } while (rv == SECSuccess
|
||||
- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
|
||||
- if (rv != SECSuccess) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
- }
|
||||
- bp += padLen;
|
||||
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
|
||||
- nsslibc_memcpy(bp, data->data, data->len);
|
||||
-
|
||||
- break;
|
||||
-
|
||||
- /*
|
||||
- * Blocks intended for public-key operation, using
|
||||
- * Optimal Asymmetric Encryption Padding (OAEP).
|
||||
- */
|
||||
- case RSA_BlockOAEP:
|
||||
- /*
|
||||
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
|
||||
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
|
||||
- *
|
||||
- * where:
|
||||
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
|
||||
- * Salt is random data.
|
||||
- * Pad1 is all zeros.
|
||||
- * Pad2, if present, is random data.
|
||||
- * (The "modified" fields are all the same length as the original
|
||||
- * unmodified values; they are just xor'd with other values.)
|
||||
- *
|
||||
- * Modified1 is an XOR of PaddedData with a special octet
|
||||
- * string constructed of iterated hashing of Salt (see below).
|
||||
- * Modified2 is an XOR of Salt with the low-order octets of
|
||||
- * the hash of Modified1 (see farther below ;-).
|
||||
- *
|
||||
- * Whew!
|
||||
- */
|
||||
-
|
||||
-
|
||||
- /*
|
||||
- * Salt
|
||||
- */
|
||||
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
|
||||
- if (rv != SECSuccess) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
- bp += OAEP_SALT_LEN;
|
||||
-
|
||||
- /*
|
||||
- * Pad1
|
||||
- */
|
||||
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
|
||||
- bp += OAEP_PAD_LEN;
|
||||
-
|
||||
- /*
|
||||
- * Data
|
||||
- */
|
||||
- nsslibc_memcpy(bp, data->data, data->len);
|
||||
- bp += data->len;
|
||||
-
|
||||
- /*
|
||||
- * Pad2
|
||||
- */
|
||||
- if (bp < (block + modulusLen)) {
|
||||
- rv = RNG_GenerateGlobalRandomBytes(bp,
|
||||
- block - bp + modulusLen);
|
||||
- if (rv != SECSuccess) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Now we have the following:
|
||||
- * 0x00 || BT || Salt || PaddedData
|
||||
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
|
||||
- * as the one entity PaddedData.)
|
||||
- *
|
||||
- * We need to turn PaddedData into Modified1.
|
||||
- */
|
||||
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
|
||||
- modulusLen - 2 - OAEP_SALT_LEN,
|
||||
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- /*
|
||||
- * Now we have:
|
||||
- * 0x00 || BT || Salt || Modified1(PaddedData)
|
||||
- *
|
||||
- * The remaining task is to turn Salt into Modified2.
|
||||
- */
|
||||
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
|
||||
- block + 2 + OAEP_SALT_LEN,
|
||||
- modulusLen - 2 - OAEP_SALT_LEN) !=
|
||||
- SECSuccess) {
|
||||
- nss_ZFreeIf(block);
|
||||
- return NULL;
|
||||
- }
|
||||
-
|
||||
- break;
|
||||
+ /*
|
||||
+ * 0x00 || BT || Pad || 0x00 || ActualData
|
||||
+ * 1 1 padLen 1 data->len
|
||||
+ * Pad is all non-zero random bytes.
|
||||
+ *
|
||||
+ * Build the block left to right.
|
||||
+ * Fill the entire block from Pad to the end with random bytes.
|
||||
+ * Use the bytes after Pad as a supply of extra random bytes from
|
||||
+ * which to find replacements for the zero bytes in Pad.
|
||||
+ * If we need more than that, refill the bytes after Pad with
|
||||
+ * new random bytes as necessary.
|
||||
+ */
|
||||
+ padLen = modulusLen - (data->len + 3);
|
||||
+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
|
||||
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
|
||||
+ nss_ZFreeIf (block);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ j = modulusLen - 2;
|
||||
+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
|
||||
+ if (rv == SECSuccess) {
|
||||
+ for (i = 0; i < padLen; ) {
|
||||
+ unsigned char repl;
|
||||
+ /* Pad with non-zero random data. */
|
||||
+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
|
||||
+ ++i;
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (j <= padLen) {
|
||||
+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
|
||||
+ modulusLen - (2 + padLen));
|
||||
+ if (rv != SECSuccess)
|
||||
+ break;
|
||||
+ j = modulusLen - 2;
|
||||
+ }
|
||||
+ do {
|
||||
+ repl = bp[--j];
|
||||
+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
|
||||
+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
|
||||
+ bp[i++] = repl;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ if (rv != SECSuccess) {
|
||||
+ /*sftk_fatalError = PR_TRUE;*/
|
||||
+ nss_ZFreeIf (block);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ bp += padLen;
|
||||
+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
|
||||
+ nsslibc_memcpy(bp, data->data, data->len);
|
||||
+ break;
|
||||
|
||||
default:
|
||||
PORT_Assert(0);
|
||||
@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
|
||||
|
||||
break;
|
||||
|
||||
- case RSA_BlockOAEP:
|
||||
- /*
|
||||
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
|
||||
- *
|
||||
- * The "2" below is the first octet + the second octet.
|
||||
- * (The other fields do not contain the clear values, but are
|
||||
- * the same length as the clear values.)
|
||||
- */
|
||||
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
|
||||
- + OAEP_PAD_LEN)));
|
||||
-
|
||||
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
|
||||
- if (result->data == NULL) {
|
||||
- result->len = 0;
|
||||
- return SECFailure;
|
||||
- }
|
||||
- result->len = modulusLen;
|
||||
-
|
||||
- break;
|
||||
-
|
||||
case RSA_BlockRaw:
|
||||
/*
|
||||
* Pad || ActualData
|
||||
--
|
||||
1.7.1
|
||||
|
|
@ -1,44 +0,0 @@
|
|||
--- nss/lib/ckfw/pem/psession.c
|
||||
+++ nss/lib/ckfw/pem/psession.c
|
||||
@@ -230,6 +230,7 @@ pem_mdSession_Login
|
||||
unsigned int len = 0;
|
||||
NSSLOWKEYPrivateKey *lpk = NULL;
|
||||
PLArenaPool *arena;
|
||||
+ SECItem plain;
|
||||
int i;
|
||||
|
||||
fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
|
||||
@@ -306,23 +321,27 @@ pem_mdSession_Login
|
||||
lpk->keyType = NSSLOWKEYRSAKey;
|
||||
prepare_low_rsa_priv_key_for_asn1(lpk);
|
||||
|
||||
- nss_ZFreeIf(io->u.key.key.privateKey->data);
|
||||
- io->u.key.key.privateKey->len = len - output[len - 1];
|
||||
- io->u.key.key.privateKey->data =
|
||||
- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
|
||||
- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
|
||||
|
||||
/* Decode the resulting blob and see if it is a decodable DER that fits
|
||||
* our private key template. If so we declare success and move on. If not
|
||||
* then we return an error.
|
||||
*/
|
||||
+ memset(&plain, 0, sizeof(plain));
|
||||
+ plain.data = output;
|
||||
+ plain.len = len - output[len - 1];
|
||||
rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
|
||||
- io->u.key.key.privateKey);
|
||||
+ &plain);
|
||||
pem_DestroyPrivateKey(lpk);
|
||||
arena = NULL;
|
||||
if (rv != SECSuccess)
|
||||
goto loser;
|
||||
|
||||
+ nss_ZFreeIf(io->u.key.key.privateKey->data);
|
||||
+ io->u.key.key.privateKey->len = len - output[len - 1];
|
||||
+ io->u.key.key.privateKey->data =
|
||||
+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
|
||||
+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
|
||||
+
|
||||
rv = CKR_OK;
|
||||
|
||||
loser:
|
|
@ -1,24 +0,0 @@
|
|||
diff --git a/doc/certutil.xml b/doc/certutil.xml
|
||||
--- a/doc/certutil.xml
|
||||
+++ b/doc/certutil.xml
|
||||
@@ -655,18 +655,18 @@ of the attribute codes:
|
||||
|
||||
<varlistentry>
|
||||
<term>--keyAttrFlags attrflags</term>
|
||||
<listitem><para>
|
||||
PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
- <term>--keyFlagsOn opflags</term>
|
||||
- <term>--keyFlagsOff opflags</term>
|
||||
+ <term>--keyOpFlagsOn opflags</term>
|
||||
+ <term>--keyOpFlagsOff opflags</term>
|
||||
<listitem><para>
|
||||
PKCS #11 key Operation Flags.
|
||||
Comma separated list of one or more of the following:
|
||||
{token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
|
@ -1,9 +0,0 @@
|
|||
diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
|
||||
--- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700
|
||||
+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700
|
||||
@@ -115,4 +115,4 @@ ocsp_stapling()
|
||||
################## main #################################################
|
||||
ocsp_init
|
||||
ocsp_iopr_run
|
||||
-ocsp_stapling
|
||||
+#ocsp_stapling
|
|
@ -1,25 +0,0 @@
|
|||
diff --git a/doc/certutil.xml b/doc/certutil.xml
|
||||
--- a/doc/certutil.xml
|
||||
+++ b/doc/certutil.xml
|
||||
@@ -204,16 +204,21 @@ If this option is not used, the validity
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-e </term>
|
||||
<listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term>--email email-address</term>
|
||||
+ <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term>-f password-file</term>
|
||||
<listitem><para>Specify a file that will automatically supply the password to include in a certificate
|
||||
or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
|
||||
unauthorized access to this file.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>-g keysize</term>
|
32
iquote.patch
32
iquote.patch
|
@ -1,6 +1,6 @@
|
|||
diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
|
||||
--- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700
|
||||
+++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700
|
||||
--- nss/cmd/bltest/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/cmd/bltest/Makefile 2014-01-07 13:30:04.465429623 -0800
|
||||
@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
@ -10,8 +10,8 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
|
|||
|
||||
#######################################################################
|
||||
diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
|
||||
--- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700
|
||||
+++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700
|
||||
--- nss/cmd/lib/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/cmd/lib/Makefile 2014-01-07 13:30:04.465429623 -0800
|
||||
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
@ -23,8 +23,8 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
|
|||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
||||
--- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700
|
||||
+++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700
|
||||
--- nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/coreconf/location.mk 2014-01-07 13:30:04.465429623 -0800
|
||||
@@ -45,6 +45,10 @@ endif
|
||||
|
||||
ifdef NSS_INCLUDE_DIR
|
||||
|
@ -37,8 +37,8 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
|||
|
||||
ifndef NSS_LIB_DIR
|
||||
diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
|
||||
--- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700
|
||||
+++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700
|
||||
--- nss/lib/certhigh/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/lib/certhigh/Makefile 2014-01-07 13:30:04.466429634 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
@ -49,8 +49,8 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
|
|||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
|
||||
--- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700
|
||||
+++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700
|
||||
--- nss/lib/cryptohi/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/lib/cryptohi/Makefile 2014-01-07 13:30:04.466429634 -0800
|
||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
@ -60,3 +60,15 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
|
|||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
--- nss/lib/nss/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
|
||||
+++ nss/lib/nss/Makefile 2014-01-07 13:30:04.466429634 -0800
|
||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
||||
# (6) Execute "component" rules. (OPTIONAL) #
|
||||
#######################################################################
|
||||
|
||||
-
|
||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
||||
|
||||
#######################################################################
|
||||
# (7) Execute "local" rules. (OPTIONAL). #
|
||||
|
|
44
nss.spec
44
nss.spec
|
@ -1,7 +1,6 @@
|
|||
%global nspr_version 4.10.2
|
||||
%global nss_util_version 3.15.3
|
||||
%global nss_softokn_fips_version 3.13.5
|
||||
%global nss_softokn_version 3.15.3
|
||||
%global nss_util_version 3.15.4
|
||||
%global nss_softokn_version 3.15.4
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
@ -19,7 +18,7 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.15.3.1
|
||||
Version: 3.15.4
|
||||
Release: 1%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
|
@ -58,7 +57,7 @@ Source7: blank-key4.db
|
|||
Source8: system-pkcs11.txt
|
||||
Source9: setup-nsssysinit.sh
|
||||
Source10: PayPalEE.cert
|
||||
Source12: %{name}-pem-20130828.tar.bz2
|
||||
Source12: %{name}-pem-20131226.tar.bz2
|
||||
Source17: TestCA.ca.cert
|
||||
Source18: TestUser50.cert
|
||||
Source19: TestUser51.cert
|
||||
|
@ -83,22 +82,20 @@ Patch25: nsspem-use-system-freebl.patch
|
|||
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
|
||||
# TODO: Remove this patch when the ocsp test are fixed
|
||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
|
||||
Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
|
||||
# The ocsp stapling tests currently require access to the
|
||||
# kuix.de test server but koji forbids outbount connections
|
||||
Patch46: disable-ocsp-stapling-tests.patch
|
||||
Patch44: 0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
|
||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||
Patch47: utilwrap-include-templates.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
|
||||
Patch48: nss-versus-softoken-tests.patch
|
||||
# TODO remove when we switch to building nss without softoken
|
||||
Patch49: nss-skip-bltest-and-fipstest.patch
|
||||
# This patch uses the gcc-iquote dir option documented at
|
||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||
# to place the in-tree directories at the head of the list of list of directories
|
||||
# to be searched for for header files. This ensures a build even when system
|
||||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
|
||||
Patch54: document-certutil-email-option.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677
|
||||
Patch57: certutil_keyOpFlagsFix.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
|
@ -185,17 +182,11 @@ low level services.
|
|||
# activate for stable branches
|
||||
%patch29 -p0 -b .cbcrandomivoff
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch44 -p1 -b .syncupwithupstream
|
||||
%patch45 -p0 -b .notrash
|
||||
%patch46 -p0 -b .skipoutbound
|
||||
%patch44 -p3 -b .syncupwithupstream
|
||||
%patch47 -p0 -b .templates
|
||||
%patch48 -p0 -b .crypto
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
pushd nss
|
||||
%patch54 -p1 -b .948495
|
||||
%patch57 -p1 -b .948495
|
||||
popd
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
@ -753,6 +744,17 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-1
|
||||
- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
|
||||
- Resolves: Bug 1049229 - nss-3.15.4 is available
|
||||
- Resolves: Bug 1054456 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
|
||||
- Update pem sources to latest from the interim upstream for pem
|
||||
- Remove no longer needed patches
|
||||
- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
|
||||
- Update iquote.patch on account of upstream changes
|
||||
- Add comments documenting the iquote patch
|
||||
- Selective merge from master and f20
|
||||
|
||||
* Wed Dec 18 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
|
||||
- Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
|
||||
- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
|
||||
|
|
4
sources
4
sources
|
@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
|||
f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
|
||||
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
|
||||
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
|
||||
e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2
|
||||
1d444fffdb1f890a000003b50295b5aa nss-3.15.3.1.tar.gz
|
||||
cb247307632f7673b32c71009ba7b660 nss-pem-20131226.tar.bz2
|
||||
74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz
|
||||
|
|
Loading…
Reference in New Issue