From aae9602c0159cdbcdf262235488eb5213ce238ac Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Tue, 7 Jan 2014 06:13:53 -0800 Subject: [PATCH] Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM) - Resolves: Bug 1049229 - nss-3.15.4 is available - Update pem sources to latest from the interim upstream for pem - Remove no longer needed patches --- .gitignore | 4 +- ...-pem-dont-trash-keys-on-failed-login.patch | 44 ------------------- certutil_keyOpFlagsFix.patch | 24 ---------- disable-ocsp-stapling-tests.patch | 9 ---- document-certutil-email-option.patch | 25 ----------- nss.spec | 29 +++++------- sources | 4 +- 7 files changed, 14 insertions(+), 125 deletions(-) delete mode 100644 Bug-896651-pem-dont-trash-keys-on-failed-login.patch delete mode 100644 certutil_keyOpFlagsFix.patch delete mode 100644 disable-ocsp-stapling-tests.patch delete mode 100644 document-certutil-email-option.patch diff --git a/.gitignore b/.gitignore index 6773720..8c5fa50 100644 --- a/.gitignore +++ b/.gitignore @@ -7,5 +7,5 @@ PayPalEE.cert TestCA.ca.cert TestUser50.cert TestUser51.cert -/nss-pem-20130828.tar.bz2 -/nss-3.15.3.1.tar.gz +/nss-pem-20131226.tar.bz2 +/nss-3.15.4.tar.gz diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch deleted file mode 100644 index 6f0e88c..0000000 --- a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch +++ /dev/null 
@@ -1,44 +0,0 @@ ---- nss/lib/ckfw/pem/psession.c -+++ nss/lib/ckfw/pem/psession.c -@@ -230,6 +230,7 @@ pem_mdSession_Login - unsigned int len = 0; - NSSLOWKEYPrivateKey *lpk = NULL; - PLArenaPool *arena; -+ SECItem plain; - int i; - - fwSlot = NSSCKFWToken_GetFWSlot(fwToken); -@@ -306,23 +321,27 @@ pem_mdSession_Login - lpk->keyType = NSSLOWKEYRSAKey; - prepare_low_rsa_priv_key_for_asn1(lpk); - -- nss_ZFreeIf(io->u.key.key.privateKey->data); -- io->u.key.key.privateKey->len = len - output[len - 1]; -- io->u.key.key.privateKey->data = -- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); -- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); - - /* Decode the resulting blob and see if it is a decodable DER that fits - * our private key template. If so we declare success and move on. If not - * then we return an error. - */ -+ memset(&plain, 0, sizeof(plain)); -+ plain.data = output; -+ plain.len = len - output[len - 1]; - rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate, -- io->u.key.key.privateKey); -+ &plain); - pem_DestroyPrivateKey(lpk); - arena = NULL; - if (rv != SECSuccess) - goto loser; - -+ nss_ZFreeIf(io->u.key.key.privateKey->data); -+ io->u.key.key.privateKey->len = len - output[len - 1]; -+ io->u.key.key.privateKey->data = -+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); -+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); -+ - rv = CKR_OK; - - loser: diff --git a/certutil_keyOpFlagsFix.patch b/certutil_keyOpFlagsFix.patch deleted file mode 100644 index 94724ff..0000000 --- a/certutil_keyOpFlagsFix.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -655,18 +655,18 @@ of the attribute codes: - - - --keyAttrFlags attrflags - - PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} - - - -- --keyFlagsOn opflags -- --keyFlagsOff opflags -+ --keyOpFlagsOn opflags -+ --keyOpFlagsOff opflags - - PKCS #11 key Operation Flags. - Comma separated list of one or more of the following: - {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable} - - - - diff --git a/disable-ocsp-stapling-tests.patch b/disable-ocsp-stapling-tests.patch deleted file mode 100644 index df27c0e..0000000 --- a/disable-ocsp-stapling-tests.patch +++ /dev/null @@ -1,9 +0,0 @@ -diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh ---- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700 -+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700 -@@ -115,4 +115,4 @@ ocsp_stapling() - ################## main ################################################# - ocsp_init - ocsp_iopr_run --ocsp_stapling -+#ocsp_stapling diff --git a/document-certutil-email-option.patch b/document-certutil-email-option.patch deleted file mode 100644 index b9ca7e1..0000000 --- a/document-certutil-email-option.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -diff --git a/doc/certutil.xml b/doc/certutil.xml ---- a/doc/certutil.xml -+++ b/doc/certutil.xml -@@ -204,16 +204,21 @@ If this option is not used, the validity - - - - -e - Check a certificate's signature during the process of validating a certificate. - - - -+ --email email-address -+ Specify the email address, used with the -L command option to print a single named certificate. -+ -+ -+ - -f password-file - Specify a file that will automatically supply the password to include in a certificate - or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent - unauthorized access to this file. - - - - -g keysize diff --git a/nss.spec b/nss.spec index f33fe5f..74606cb 100644 --- a/nss.spec +++ b/nss.spec @@ -1,7 +1,6 @@ %global nspr_version 4.10.2 -%global nss_util_version 3.15.3 -%global nss_softokn_fips_version 3.13.5 -%global nss_softokn_version 3.15.3 +%global nss_util_version 3.15.4 +%global nss_softokn_version 3.15.4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" @@ -19,7 +18,7 @@ Summary: Network Security Services Name: nss -Version: 3.15.3.1 +Version: 3.15.4 Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ @@ -58,7 +57,7 @@ Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh Source10: PayPalEE.cert -Source12: %{name}-pem-20130828.tar.bz2 +Source12: %{name}-pem-20131226.tar.bz2 Source17: TestCA.ca.cert Source18: TestUser50.cert Source19: TestUser51.cert 
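Review bot: The first nss.spec hunk deletes `%global nss_softokn_fips_version 3.13.5`, but no other hunk in this patch touches a use of that macro, so either it was already unused or a `%{nss_softokn_fips_version}` reference is still present elsewhere in the spec. An undefined macro is left unexpanded by rpm, so a leftover reference in a dependency line would carry the literal macro text instead of a version. Grepping the spec for the macro name before merging would settle it. If the removal is deliberate, a changelog entry such as `- Drop unused nss_softokn_fips_version macro` would record why the separate softokn version floor is gone.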
@@ -82,10 +81,6 @@ Patch25: nsspem-use-system-freebl.patch # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch Patch44: 0001-sync-up-with-upstream-softokn-changes.patch -Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch -# The ocsp stapling tests currently require access to the -# kuix.de test server but koji forbids outbount connections -Patch46: disable-ocsp-stapling-tests.patch # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator Patch47: utilwrap-include-templates.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 @@ -93,10 +88,6 @@ Patch48: nss-versus-softoken-tests.patch # TODO remove when we switch to building nss without softoken Patch49: nss-skip-bltest-and-fipstest.patch Patch50: iquote.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001 -Patch54: document-certutil-email-option.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677 -Patch57: certutil_keyOpFlagsFix.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -182,16 +173,10 @@ low level services. %patch25 -p0 -b .systemfreebl %patch40 -p0 -b .noocsptest %patch44 -p1 -b .syncupwithupstream -%patch45 -p0 -b .notrash -%patch46 -p0 -b .skipoutbound %patch47 -p0 -b .templates %patch48 -p0 -b .crypto %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote -pushd nss -%patch54 -p1 -b .948495 -%patch57 -p1 -b .948495 -popd ######################################################### # Higher-level libraries and test tools need access to 
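Review bot: Patch45 and Patch46 are dropped in this hunk, and their `%patch45`/`%patch46` lines in the later %prep hunk, with only "Remove no longer needed patches" as justification, yet the two carry different risk. Patch45 changed pem_mdSession_Login in psession.c so that the stored private key is replaced only after the decrypted blob decodes successfully; dropping it is safe only if nss-pem-20131226 already contains that change, which nothing in this patch shows. Patch46 commented out `ocsp_stapling` because, per the deleted spec comment, those tests need the kuix.de server and koji forbids outbound connections, so unless 3.15.4 changed ocsp.sh the test phase may attempt network access again. I would give the reason per patch in the changelog, for example `- Drop Bug-896651 pem patch, included in nss-pem-20131226` once that has been verified, and `- Drop disable-ocsp-stapling-tests.patch, <reason>`.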
@@ -749,6 +734,12 @@ fi %changelog +* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1 +- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM) +- Resolves: Bug 1049229 - nss-3.15.4 is available +- Update pem sources to latest from the interim upstream for pem +- Remove no longer needed patches + * Wed Dec 11 2013 Elio Maldonado - 3.15.3.1-1 - Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM) - Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117) diff --git a/sources b/sources index ab0b3d0..17a8fc5 100644 --- a/sources +++ b/sources @@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert -e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2 -1d444fffdb1f890a000003b50295b5aa nss-3.15.3.1.tar.gz +cb247307632f7673b32c71009ba7b660 nss-pem-20131226.tar.bz2 +74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz