From c7e445694f7c7ac87aeb9038a78d04e68b9e017f Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Tue, 2 Jul 2019 12:55:10 +0200
Subject: [PATCH] Update to NSS 3.44.1
---
 .gitignore | 1 +
 STAGE2-nss | 68 ----------
 nss.spec | 7 +-
 sources | 2 +-
 .../Makefile | 64 ---------
 .../PURPOSE | 4 -
 .../runtest.sh | 125 ------------------
 tests/tests.yml | 12 --
 8 files changed, 7 insertions(+), 276 deletions(-)
 delete mode 100644 STAGE2-nss
 delete mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
 delete mode 100644 tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
 delete mode 100755 tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
 delete mode 100644 tests/tests.yml
diff --git a/.gitignore b/.gitignore
index 75a333c..23a0c00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -36,3 +36,4 @@ TestUser51.cert
 /nss-3.42.1.tar.gz
 /nss-3.43.tar.gz
 /nss-3.44.tar.gz
+/nss-3.44.1.tar.gz
diff --git a/STAGE2-nss b/STAGE2-nss
deleted file mode 100644
index 3d43b92..0000000
--- a/STAGE2-nss
+++ /dev/null
@@ -1,68 +0,0 @@ -#requires nspr -#requires perl -#requires nss-util -#requires nss-softokn - -mcd $BUILDDIR/nss - -export BUILD_OPT=1 -export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 -export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 -export NSPR_INCLUDE_DIR=/usr/include/nspr -export NSPR_LIB_DIR=/usr/lib${SUFFIX} -export NSS_USE_SYSTEM_SQLITE=1 -export NSS_BUILD_WITHOUT_SOFTOKEN=1 -export USE_SYSTEM_SOFTOKEN=1 -export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX} -export NSSUTIL_INCLUDE_DIR=/usr/include/nss3 -export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX} -export USE_SYSTEM_NSSUTIL=1 -export FREEBL_INCLUDE_DIR=/usr/include/nss3 -export FREEBL_LIB_DIR=/usr/lib${SUFFIX} -export USE_SYSTEM_FREEBL=1 -export NSS_USE_SYSTEM_FREEBL=1 -export FREEBL_NO_DEPEND=1 -export IN_TREE_FREEBL_HEADERS_FIRST=1 -export NSS_BLTEST_NOT_AVAILABLE=1 -export NSS_NO_SSL2_NO_EXPORT=1 -export NSS_ECC_MORE_THAN_SUITE_B=1 -export NSS_NO_PKCS11_BYPASS=1 -#export NSDISTMODE="copy" - -if [ "$SUFFIX" = "64" ]; then - USE_64=1 - export USE_64 -fi - -(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/) - -make -C $SRC/nss-3.*/nss/coreconf -make -C $SRC/nss-3.*/nss/lib/dbm - -# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c -# need nss/verref.h which is exported privately, move it to where it can be found. 
-(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/) - -make -C $SRC/nss-3.*/nss -cd $SRC/nss-3.*/nss/coreconf -make install -cd $SRC/nss-3.*/nss/lib/dbm -make install -cd $SRC/nss-3.*/nss -make install -# Copy the binary libraries we want -NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so" -# BOZO: temporarily disable FIPS140 support -#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk" -NSSLIBCHKS="" -# END BOZO -cd $SRC/nss-3.* -for file in $NSSLIBS $NSSLIBCHKS -do - install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/ -done -# Copy the include files we want -for file in $SRC/nss-*/dist/public/nss/*.h -do - install -p -m 644 $file /usr/include/nss3/ -done diff --git a/nss.spec b/nss.spec index 73f67cc..e93d51b 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.21.0 -%global nss_version 3.44.0 +%global nss_version 3.44.1 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -43,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 2%{?dist} +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -873,6 +873,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Tue Jul 2 2019 Daiki Ueno - 3.44.1-1 +- Update to NSS 3.44.1 + * Mon May 20 2019 Daiki Ueno - 3.44.0-2 - Skip TLS 1.3 tests under FIPS mode diff --git a/sources b/sources index 0483fb0..53b9c62 100644 --- a/sources +++ b/sources 
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.44.tar.gz) = c4d7343a66f91c5888a121e266d1f1471da798a21d608a29caf598a828725e4bf9ea7411a105b23335f20bd7c12788dad567922ceeaebeb0c98fbf9bbe4006f7
+SHA512 (nss-3.44.1.tar.gz) = eb8777701a25b54377026633b6bf284e4c62308012058355f348a7c57525afe96db74a07de41ba01754e316a7dff06689de527359a5474ed7ab606779c4cf169
diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile b/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
deleted file mode 100644
index ea65d87..0000000
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
+++ /dev/null
@@ -1,64 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when -# Description: NSS tools should not use SHA1 by default when -# Author: Hubert Kario -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2016 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Hubert Kario " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA) - @echo "Type: Regression" >> $(METADATA) - @echo "TestTime: 10m" >> $(METADATA) - @echo "RunFor: nss openssl" >> $(METADATA) - @echo "Requires: nss nss-tools openssl" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE b/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE deleted file mode 100644 index 7caf493..0000000 --- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE +++ /dev/null @@ -1,4 +0,0 @@ -PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when -Description: NSS tools should not use SHA1 by default when -Author: Hubert Kario -Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates diff --git a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh b/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh deleted file mode 100755 index 8290d92..0000000 
--- a/tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
+++ /dev/null
@@ -1,125 +0,0 @@ -#!/bin/bash -# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when -# Description: NSS tools should not use SHA1 by default when -# Author: Hubert Kario -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2016 Red Hat, Inc. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -# Include Beaker environment -. /usr/share/beakerlib/beakerlib.sh || exit 1 - -PACKAGE="nss" -PACKAGES="nss openssl" -DBDIR="nssdb" - -rlJournalStart - rlPhaseStartSetup - rlAssertRpm --all - rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory" - rlRun "pushd $TmpDir" - rlRun "mkdir nssdb" - rlRun "certutil -N -d $DBDIR --empty-password" - rlLogInfo "Create a JAR file" - rlRun "mkdir java-dir" - rlRun "pushd java-dir" - rlRun "mkdir META-INF mypackage" - rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF" - rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class" - #rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class" - rlRun "popd" - #rlRun "mv java-dir/package.jar ." 
- rlPhaseEnd - - rlPhaseStartTest "Self signing certificates" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise" - rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Signing certificates" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime" - rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "Certificate request" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "mkdir srv2db" - rlRun "certutil -d srv2db -N --empty-password" - rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise" - rlRun -s "openssl req -noout -text -in srv2.req" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" - rlRun -s "openssl x509 -in srv2.crt -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "rm -rf srv2db" - rlPhaseEnd - - rlPhaseStartTest "Certificate request with SHA1" - rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null" - rlRun "mkdir srv2db" - rlRun "certutil -d srv2db -N --empty-password" - rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1" - rlRun -s "openssl req 
-noout -text -in srv2.req" - rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG" - rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt" - rlRun -s "openssl x509 -in srv2.crt -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG" - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlRun "rm -rf srv2db" - rlPhaseEnd - - rlPhaseStartTest "Signing CMS messages" - rlRun "echo 'This is a document' > document.txt" - rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms" - rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print" - rlAssertGrep "algorithm: sha256" $rlRun_LOG - rlAssertNotGrep "algorithm: sha1" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartTest "CRL signing" - rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script" - rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script" - rlRun "echo addext crlNumber 0 1245 >>script" - rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script" - rlRun "echo addext reasonCode 0 0 >>script" - rlRun "cat script" - rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl" - rlRun -s "openssl crl -in ca.crl -inform der -noout -text" - rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG - rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG - rlPhaseEnd - - rlPhaseStartCleanup - rlRun "popd" - rlRun "rm -r $TmpDir" 0 "Removing tmp directory" - rlPhaseEnd -rlJournalPrintText -rlJournalEnd diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index df64aa2..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -# This first play always runs on the local staging system -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - tests: - - NSS-tools-should-not-use-SHA1-by-default-when - required_packages: - - nss-tools - - nss