From ebcf6b047ea2bf1d19ec9ed918f4b2e25d037766 Mon Sep 17 00:00:00 2001
From: Bob Relyea
Date: Thu, 21 Jul 2022 12:39:13 -0700
Subject: [PATCH] Rebase to NSS 3.81
---
 .gitignore | 1 +
 nss-3.79-fix-client-cert-crash.patch | 23 +++++++++++++++++++++++
 nss.spec | 11 +++++++++--
 sources | 2 +-
 4 files changed, 34 insertions(+), 3 deletions(-)
 create mode 100644 nss-3.79-fix-client-cert-crash.patch
diff --git a/.gitignore b/.gitignore
index 88af042..e492b18 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,4 @@ TestUser51.cert
 /nss-3.77.tar.gz
 /nss-3.79.tar.gz
 /nspr-4.34.tar.gz
+/nss-3.81.tar.gz
diff --git a/nss-3.79-fix-client-cert-crash.patch b/nss-3.79-fix-client-cert-crash.patch
new file mode 100644
index 0000000..5f80fdc
--- /dev/null
+++ b/nss-3.79-fix-client-cert-crash.patch
@@ -0,0 +1,23 @@
+diff --git a/lib/ssl/authcert.c b/lib/ssl/authcert.c
+--- a/lib/ssl/authcert.c
++++ b/lib/ssl/authcert.c
+@@ -212,17 +212,17 @@ NSS_GetClientAuthData(void *arg,
+ pw_arg);
+ } else {
+ int nnames = 0;
+ char **names = ssl_DistNamesToStrings(caNames, &nnames);
+ rv = CERT_FilterCertListByCANames(certList, nnames, names,
+ certUsageSSLClient);
+ ssl_FreeDistNamesStrings(names, nnames);
+ }
+- if ((rv != SECSuccess) || CERT_LIST_EMPTY(certList)) {
++ if ((rv != SECSuccess) || (certList && CERT_LIST_EMPTY(certList))) {
+ CERT_DestroyCertList(certList);
+ certList = NULL;
+ }
+ }
+ if (certList == NULL) {
+ /* no user certs meeting the nickname/usage requirements found */
+ return SECFailure;
+ }
+
diff --git a/nss.spec b/nss.spec
index abb3d79..58f4218 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,5 +1,5 @@
 %global nspr_version 4.34.0
-%global nss_version 3.79.0
+%global nss_version 3.81.0
 # NOTE: To avoid NVR clashes of nspr* packages:
 # - reset %%{nspr_release} to 1, when updating %%{nspr_version}
 # - increment %%{nspr_version}, when updating the NSS part only
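Review bot: The added `certList &&` test in the nested lib/ssl/authcert.c hunk only keeps CERT_LIST_EMPTY away from a NULL list; when `rv != SECSuccess` the block still calls `CERT_DestroyCertList(certList)` with whatever certList holds, and the `CERT_FilterCertListByCANames(certList, ...)` call a few lines earlier also runs before any NULL test. Whether those two callees accept a NULL list is not visible here, so the crash fix depends on behaviour outside the hunk. Hoisting the test makes the cleanup block self-contained: `if (certList && ((rv != SECSuccess) || CERT_LIST_EMPTY(certList))) {`, which leaves a NULL certList untouched for the `certList == NULL` failure return below. NSS_GetClientAuthData starts and ends outside the hunk.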
@@ -7,7 +7,7 @@
 %global nss_release %baserelease
 # use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
 # release number between nss and nspr are different.
-%global nspr_release %baserelease
+%global nspr_release [%baserelease+1]
 # only need to update this as we added new
 # algorithms under nss policy control
 %global crypto_policies_version 20210118
@@ -130,6 +130,9 @@ Patch4: iquote.patch
 Patch12: nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40: nss-no-dbm-man-page.patch
+
+# upstream bug https://bugzilla.mozilla.org/show_bug.cgi?id=1774654
+Patch50: nss-3.79-fix-client-cert-crash.patch
 Patch100: nspr-config-pc.patch
 Patch101: nspr-gcc-atomics.patch
@@ -1087,6 +1090,10 @@ update-crypto-policies &> /dev/null || :
 %changelog
+* Thu Jun 21 2022 Bob Relyea - 3.81.0-1
+ - udpate to NSS 3.81
+- Fix crash when getting client cert and there is none in the database.
+
 * Tue May 31 2022 Bob Relyea - 3.79.0-1
 - Update to NSS 3.79
 - Update to NSPR 4.34
diff --git a/sources b/sources
index a96c9b9..8b30724 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
 SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (nspr-4.34.tar.gz) = 4cfac886c14cf7df4c4b79fa1c3bc92e1b14260c9c3018fa2562060d62fecb4e66c0b4e8f7edf4f4823def784a919d99dde88a89674f0cd8a644310b0569ead4
-SHA512 (nss-3.79.tar.gz) = d3311da3bd0e6907760390221c1307a63d84dd8ad9b85dbfdbf59fe4678341c9856b6f93235731999a1236c98dc0ac66d2dc023eb439cb696f73509dae70c41d
+SHA512 (nss-3.81.tar.gz) = 206faa29ff9fc9c70f85cbb86690b55bd11003a1a5b1d49f5f3731fdd1221690f957a17d912ee5272505afb938968327f4532ae8f5d2d77e6e13370768229747
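Review bot: The new `%global nspr_release [%baserelease+1]` line in the nss.spec hunk at -7,7 has no `%` in front of the bracket, while the comment directly above it prescribes the `%[...]` expression form (written escaped there as `%%[%%baserelease+n]`). As shown, rpm would presumably expand only `%baserelease` and keep the brackets and `+1` as literal text in the NSPR release string, so the intended offset is never computed. If this is not an artifact of how the page was rendered, the line should read `%global nspr_release %[%baserelease+1]`.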