Compare commits

...

276 Commits
f17 ... master

Author SHA1 Message Date
Bob Relyea
614f823eb3 Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled. 2020-05-13 16:02:36 -07:00
Daiki Ueno
26f93fa193 Restore nss-kremlin-ppc64le.patch 2020-05-11 18:38:26 +02:00
Daiki Ueno
047dc3ed4e Update to NSS 3.52 2020-05-11 18:21:55 +02:00
Daiki Ueno
fc0174ead1 Temporarily revert DBM disablement for kernel build failure (#1827902) 2020-04-25 17:16:02 +02:00
Daiki Ueno
3c018618ca Fix the last change 2020-04-20 15:57:28 +02:00
Daiki Ueno
65271d923d Enable conditional builds on DBM 2020-04-20 14:47:27 +02:00
Daiki Ueno
9ae0f0b9e1 Update to NSS 3.51.1
Also disable building DBM backend
2020-04-20 14:24:47 +02:00
Daiki Ueno
2b122e4485 Update to NSS 3.51 2020-04-07 11:18:10 +02:00
Tom Stellard
507a1cebf0 Use __make macro to invoke make
Using the %__make macro makes it possible for an alternative buildroot
to inject its own flags into the make invocation.  This makes it easier
to do trial rebuilds of fedora using different compilers or different
compiler flags.
2020-03-27 15:39:49 +00:00
Daiki Ueno
7f30e21d0f Apply CMAC fixes from upstream 2020-03-05 09:57:34 +01:00
Daiki Ueno
aa7d80b11e Fix build with s390x, due to bundled kremlin source 2020-03-03 16:16:52 +01:00
Daiki Ueno
f512836b78 Fix build on ppc64le, due to bundled kremlin source 2020-02-17 14:30:50 +01:00
Daiki Ueno
58ca69fcaf Update to NSS 3.50 2020-02-17 13:46:37 +01:00
Daiki Ueno
bd89f2ce5c Fix build with gcc 10 2020-02-14 14:28:21 +01:00
Daiki Ueno
9e1e74ca17 Ignore false-positive compiler warnings with gcc 10 2020-02-14 12:07:57 +01:00
Daiki Ueno
37c40ebd3d Update nss-libpkix-maybe-uninitialized.patch 2020-02-14 11:42:12 +01:00
Daiki Ueno
656c979c95 Suppress compiler warning (treated as fatal) in libpkix 2020-02-14 10:48:31 +01:00
Fedora Release Engineering
0b17c92d39 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 19:15:25 +00:00
Daiki Ueno
3c27dc2471 Revert "pass %{_smp_mflags} to make to speed up the build"
This reverts commit 6e689ce0cb.

This still has a race condition and causes the build fail.
2020-01-27 11:07:50 +01:00
Daiki Ueno
36505c331d Update to NSS 3.49.2 2020-01-27 10:24:30 +01:00
Kamil Dudka
6e689ce0cb pass %{_smp_mflags} to make to speed up the build
I tried an uncached build of nss on Fedora 30 VM with 8 CPU cores
and the build time was reduced with this patch from 540 s to 250 s
of wall-clock time.
2020-01-24 11:17:23 +01:00
Daiki Ueno
703a4f9a95 Remove leftover debug command in %build 2020-01-11 09:02:36 +01:00
Daiki Ueno
1e2f8acd14 Fix build on armv7hl with the patch proposed in upstream 2020-01-10 17:26:33 +01:00
Daiki Ueno
74b268dbd9 Update to NSS 3.49 2020-01-10 10:35:28 +01:00
Daiki Ueno
541296170e Update to NSS 3.48 2020-01-03 10:59:30 +01:00
Daiki Ueno
f3ad534c37 Update nss-3.47-certdb-temp-cert.patch 2019-12-04 10:20:43 +01:00
Daiki Ueno
a8a8d020bf Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value 2019-12-03 15:51:55 +01:00
Daiki Ueno
704f2e22d6 Update nss-3.47-certdb-temp-cert.patch to the final version 2019-12-03 09:31:24 +01:00
Daiki Ueno
4f639ad73c Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617) 2019-11-28 16:13:41 +01:00
Daiki Ueno
8c9ed11be4 Update to NSS 3.47.1 2019-11-22 18:01:14 +01:00
Bob Relyea
115989f50d Correct change log error so it doesn't propogate to the next patch 2019-11-06 09:16:51 -08:00
Bob Relyea
2ec4745f30 Resolves: rhbz#1768652
NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.
2019-11-04 13:51:40 -08:00
Daiki Ueno
626f1941fd Install cmac.h required by blapi.h (#1764513) 2019-10-23 10:44:14 +02:00
Daiki Ueno
16706fe38d Update to NSS 3.47 2019-10-22 15:22:45 +02:00
Daiki Ueno
d86af7693a Update to NSS 3.46.1 2019-10-21 13:39:30 +02:00
Daiki Ueno
fa84af3e06 Require NSPR 4.22 2019-09-04 06:31:23 +02:00
Daiki Ueno
2f14d11d0d Update to NSS 3.46 2019-09-03 09:42:24 +02:00
Daiki Ueno
3f3c20ae17 Update to NSS 3.45 2019-08-29 15:38:15 +02:00
Fedora Release Engineering
326f5d0c9a - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 22:36:13 +00:00
Daiki Ueno
c5b7db61f4 Fix CAVS testdir creation 2019-07-03 15:59:50 +02:00
Daiki Ueno
7b734a0c80 Restore files removed by the previous commit 2019-07-02 12:57:50 +02:00
Daiki Ueno
c7e445694f Update to NSS 3.44.1 2019-07-02 12:55:10 +02:00
Daiki Ueno
3ea5d2fb0e Skip TLS 1.3 tests under FIPS mode 2019-05-20 11:09:19 +02:00
Daiki Ueno
4567b678cc Update to NSS 3.44 2019-05-17 13:03:12 +02:00
Daiki Ueno
141e716639 Fix PKCS#11 module leak if C_GetSlotInfo() failed 2019-05-06 18:33:40 +02:00
Elio Maldonado
5deb5dd362 Update nspr_version to 4.21.0 and remove obsolete comment 2019-03-26 08:25:09 -07:00
Daiki Ueno
d3f6891026 Update to NSS 3.43 2019-03-21 10:33:02 +01:00
Daiki Ueno
df8d75ac51 Update to NSS 3.42.1 2019-02-11 13:01:36 +01:00
Daiki Ueno
b3b17b08a0 Update to NSS 3.42 2019-02-08 11:31:29 +01:00
Daiki Ueno
455711f1df Simplify test failure detection in %check
There is the same logic in the upstream script:
https://hg.mozilla.org/projects/nss/file/tip/tests/common/cleanup.sh#l56
2019-02-08 10:59:35 +01:00
Fedora Release Engineering
0e03f768ab - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 16:32:50 +00:00
Daiki Ueno
e5e5a75933 Rebuild with recent changes
- Remove prelink.conf as prelink was removed in F24, suggested by
  Harald Reindl
- Use quilt for %%autopatch
- Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
- Silence %%post/%%postun scriptlets, suggested by Ian Collier
2019-01-11 11:53:52 +01:00
Daiki Ueno
431c940fc5 Silence %post/%postun scriptlets
Suggested by Ian Collier in:
https://bugzilla.redhat.com/show_bug.cgi?id=1665053
2019-01-11 10:05:53 +01:00
Daiki Ueno
41b9b6b6a1 Make nss-sysinit require arch-specific nss package
Suggested by Igor Gnatenko in:
https://bugzilla.redhat.com/show_bug.cgi?id=1663136
2019-01-09 13:08:49 +01:00
Daiki Ueno
f572eae5ce Use quilt for %autopatch 2018-12-19 16:28:50 +01:00
Daiki Ueno
b250b65666 Remove prelink.conf as prelink was removed in F24
Suggested by Harald Reindl in:
https://bugzilla.redhat.com/show_bug.cgi?id=1659674
2018-12-18 16:22:25 +01:00
Daiki Ueno
5221baae09 Fix the last commit 2018-12-10 16:17:16 +01:00
Daiki Ueno
cab16c0490 Revert "Switch to gyp buildsystem"
It turned out that libpkix cannot be enabled in gyp build.

This reverts commit 390eaefc52.
2018-12-10 15:36:58 +01:00
Daiki Ueno
af46412ffe Partially revert 7bdb9fac17 2018-12-10 12:49:17 +01:00
Daiki Ueno
e557c2c2a1 Update to NSS 3.41 2018-12-10 10:45:52 +01:00
Daiki Ueno
8be7f95db1 Stop using the custom versioning scheme 2018-12-10 10:39:33 +01:00
Daiki Ueno
7bdb9fac17 Minor cleanup of spec
- expand %%allTools as it is used only once
- remove unnecessary pushd/popd
2018-12-10 10:39:14 +01:00
Daiki Ueno
71d6df3266 Use %%autopatch 2018-12-06 13:51:04 +01:00
Daiki Ueno
390eaefc52 Switch to gyp buildsystem 2018-12-06 13:48:33 +01:00
Daiki Ueno
4b42d21883 Remove unnecessary patches 2018-12-06 10:23:36 +01:00
Daiki Ueno
ec4d144b47 Update to NSS 3.40.1 2018-12-06 10:12:42 +01:00
Daiki Ueno
705e2b3229 Fix Source0 URL 2018-11-27 14:56:16 +01:00
Daiki Ueno
26c062714a Modernize spec file
Suggested by Robert-André Mauchin in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3JTN2YN3HM47UKSVTSANB4MO4UJDJPF5/
2018-11-19 15:47:27 +01:00
Daiki Ueno
c29d479b7f Consolidate nss-util, nss-softokn, and nss into a single package 2018-11-14 10:00:13 +01:00
Daiki Ueno
18c140b4c2 Fix FTBFS with expired test certs 2018-11-14 09:58:06 +01:00
Daiki Ueno
bdf4e9ddaf Fix LDFLAGS injection when creating DSO 2018-09-13 16:15:14 +02:00
Daiki Ueno
93c1de8b0d Allow SSLKEYLOGFILE 2018-09-03 14:00:45 +02:00
Daiki Ueno
db341dd2e0 Update to NSS 3.39 2018-09-03 13:55:21 +02:00
Kai Engert
89b8b47d46 Backport upstream addition of nss-policy-check utility, rhbz#1428746 2018-07-20 16:09:32 +02:00
Fedora Release Engineering
e4c3da9da7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 14:31:25 +00:00
Jason Tibbitts
137780ff5d Remove needless use of %defattr 2018-07-10 02:12:27 -05:00
Daiki Ueno
6f4f615c05 Install crypto-policies configuration file for p11-kit-proxy 2018-07-03 13:31:49 +02:00
Daiki Ueno
2b3aa61f20 Update to NSS 3.38 2018-07-02 16:10:47 +02:00
Daiki Ueno
3b822a7262 Backport fix for handling DTLS application_data before handshake 2018-06-06 11:18:51 +02:00
Daiki Ueno
8d5d06f814 Drop more tests failing intermittently 2018-06-06 10:17:29 +02:00
Daiki Ueno
26f23aeeb6 Disable tests failing intermittently 2018-06-05 16:40:58 +02:00
Daiki Ueno
dfa19ec931 Update to NSS 3.37.3 2018-06-05 13:52:07 +02:00
Daiki Ueno
e874285f92 Temporarily disable AlertBeforeServerHello test on all archtectures 2018-06-04 09:46:39 +02:00
Daiki Ueno
abfbe95c8d Temporarily disable AlertBeforeServerHello test on s390x and aarch64 2018-06-01 17:13:57 +02:00
Daiki Ueno
e42c9742c4 Update to NSS 3.37.1 2018-05-28 17:25:42 +02:00
Kai Engert
93dca340cd add missing file nss-moz1458518.patch 2018-05-02 16:08:29 +02:00
Kai Engert
a24d6b1353 Upstream patch to keep nicknames stable on repeated certificate import into SQL DB, mozbz#1458518 2018-05-02 16:01:40 +02:00
Daiki Ueno
418745fdce Update to NSS 3.36.1 2018-04-11 12:41:21 +02:00
Daiki Ueno
03874d1272 Fix partial injection of LDFLAGS 2018-03-12 15:20:53 +01:00
Daiki Ueno
2007524db8 Remove obsolete Conflicts 2018-03-12 15:04:04 +01:00
Daiki Ueno
67567fd852 Remove nss-3.14.0.0-disble-ocsp-test.patch 2018-03-12 15:03:33 +01:00
Daiki Ueno
2eadf22a1d Make test failure detection robuster 2018-03-09 15:38:51 +01:00
Daiki Ueno
3edcb8bd09 Update to NSS 3.36.0 2018-03-09 13:59:41 +01:00
Igor Gnatenko
b33603605a
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 09:16:55 +01:00
Igor Gnatenko
7504d3f5b2 Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-13 23:55:40 +01:00
Fedora Release Engineering
51a16f5968 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 08:28:30 +00:00
Kai Engert
1689d12cbb Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check. 2018-02-01 14:26:39 +01:00
Kai Engert
0a70bce56d Fix a compiler error with gcc 8, mozbz#1434070 2018-01-29 22:58:11 +01:00
Kai Engert
ccf407af47 Stop pulling in nss-pem automatically, packages that need it should depend on it, rhbz#1539401 2018-01-29 19:03:50 +01:00
Daiki Ueno
08f152ebf9 Update to NSS 3.35.0 2018-01-23 14:38:31 +01:00
Daiki Ueno
bd239c046a Update to NSS 3.34.0 2017-11-14 14:20:29 +01:00
Daiki Ueno
6d15c06123 Fix nss-pem requirement on multilib 2017-11-10 15:13:21 +01:00
Kai Engert
423cf344b1 fix test script 2017-11-08 14:53:14 +01:00
Kai Engert
cd77ff2c17 Update tests to be compatible with default NSS DB changed to sql (the default was changed in the nss-util package). 2017-11-07 14:13:10 +01:00
Kai Engert
c4dce982fc rhbz#1505487, backport upstream fixes required for rhbz#1496560 2017-10-24 14:05:16 +02:00
Serhii Turivny
24e850cb0b Add CI tests using the standard test interface 2017-10-24 11:38:00 +03:00
Daiki Ueno
06c6c5b05b Forcibly run FIPS tests, and install new header file 2017-10-03 15:41:34 +02:00
Daiki Ueno
8a8a89e2ed Update to NSS 3.33.0 2017-10-03 10:18:40 +02:00
Daiki Ueno
c6bdcf333a Update to NSS 3.32.1 2017-09-15 14:21:47 +02:00
Daiki Ueno
3e4febd5a1 Prefer in-tree headers over system headers
See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6
2017-09-06 14:38:46 +02:00
Kai Engert
61169569b1 NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449 2017-08-23 19:41:28 +02:00
Daiki Ueno
2d62c98a25 Don't build util_gtest 2017-08-08 12:47:53 +02:00
Daiki Ueno
7ae9f54af6 Update to NSS 3.32.0 2017-08-07 13:58:01 +02:00
Fedora Release Engineering
3bbfdef75c - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 2017-08-03 04:07:03 +00:00
Fedora Release Engineering
7a90b2748d - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 01:18:19 +00:00
Daiki Ueno
943827bba4 Fix the previous commit 2017-07-19 18:34:50 +02:00
Daiki Ueno
82b3129713 Fix the previous commit for deprecating signtool
signtool.1 must be installed even if it is unsupported
2017-07-19 15:39:19 +02:00
Daiki Ueno
4b45ae6d65 Backport mozbz#1381784 to avoid deadlock in dnf 2017-07-18 13:18:15 +02:00
Daiki Ueno
314afd2133 Move signtool to %%_libdir/nss/unsupported-tools 2017-07-13 16:16:30 +02:00
Petr Písař
b2ceaeb648 perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:42:33 +02:00
Daiki Ueno
5ed56146a2 Rebase to NSS 3.31.0 2017-06-21 17:41:09 +02:00
Daiki Ueno
4a49c5748c Enable gtests 2017-06-02 15:18:09 +02:00
Daiki Ueno
405310c946 Rebase to NSS 3.30.2 2017-04-24 09:50:22 +02:00
Kai Engert
cd8db2917d Backport upstream mozbz#1328318 to support crypto policy FUTURE. 2017-03-30 11:54:51 +02:00
Daiki Ueno
17cd27bdca Revert workaround for pkgconf transition
This reverts commit 70bf1cefc1.
2017-03-21 12:37:13 +01:00
Daiki Ueno
b6664ebb77 Update to NSS 3.30.0 2017-03-21 12:20:45 +01:00
Kai Engert
8b601d64b2 Backport mozbz#1334976 and mozbz#1336487. 2017-03-02 13:44:16 +01:00
Daiki Ueno
65a4d20cc7 Update to NSS 3.29.1 2017-02-17 15:32:15 +01:00
Daiki Ueno
07c729494a Disable TLS 1.3 again 2017-02-09 10:13:07 +01:00
Daiki Ueno
73106743c1 Update to NSS 3.29.0 2017-02-08 16:33:58 +01:00
Daiki Ueno
70bf1cefc1 Work around pkgconfig -> pkgconf transition issue 2017-01-23 14:41:48 +01:00
Daiki Ueno
877f068e97 Temporarily remove Conflicts: for icecat 2017-01-23 14:15:36 +01:00
Daiki Ueno
82e9983e43 Disable TLS 1.3 again
Also add Conflicts for old Mozilla apps
2017-01-20 17:41:36 +01:00
Daiki Ueno
c6535e87bd Add "Conflicts" with older firefox 2017-01-17 12:49:10 +01:00
Daiki Ueno
8b6e6cc656 Fix incorrect version requirement for nss-util/nss-softokn 2017-01-13 09:41:31 +01:00
Daiki Ueno
9168316fa8 Update to NSS 3.28.1 2017-01-06 14:35:27 +01:00
Daiki Ueno
1df1edced7 Update to 3.27.2 2016-11-30 15:35:31 +01:00
Daiki Ueno
f52ebc585d Revert the previous fix for RSA-PSS and use the upstream fix instead 2016-11-15 16:27:37 +01:00
Kai Engert
387bb6b467 Disable the use of RSA-PSS with SSL/TLS. #1383809 2016-11-02 14:19:58 +01:00
Daiki Ueno
74f302809f Disable TLS 1.3 by default 2016-10-02 07:12:26 +02:00
Daiki Ueno
ddcac56c2e Update to NSS 3.27.0 2016-09-29 13:52:40 +02:00
Daiki Ueno
e0be40e6f7 Add explanation about NSS_IGNORE_SYSTEM_POLICY=1 2016-08-19 10:33:21 +02:00
Daiki Ueno
351f464ed1 Update to NSS 3.26.0 2016-08-10 14:46:53 +02:00
Elio Maldonado
7854e70d7e Incorporate more changes requested in upstream review and commited upstream (#1157720)
- still keeping two separate patches
2016-07-14 10:41:00 -07:00
Elio Maldonado
ff192a931a Incorporate some changes requested in upstream review and commited upstream (#1157720) 2016-07-13 17:44:26 -07:00
Elio Maldonado
270f23d149 Implement changes requested in upstream review and pushed upstream (#1157720)
- merge the two policy related patches
2016-07-12 20:25:49 -07:00
Elio Maldonado
e666a29edf Add support for conditionally ignoring the system policy (#1157720)
- Remove unneeded test scripts patches in order to run more tests
- Remove unneeded test data modifications from the spec file
2016-07-01 18:22:06 -07:00
Elio Maldonado
68e30820ed Add a reference to bug filed upstream 2016-06-28 09:33:42 -07:00
Elio Maldonado
ef6c2f08e7 Remove obsolete patch and spurious lines from the spec file (#1347336) 2016-06-28 07:47:13 -07:00
Elio Maldonado
e51bf1ce38 Cleanup spec file and patches and add references to bugs filed upstream 2016-06-26 15:03:12 -07:00
Elio Maldonado
3792f60887 Rebase to NSS 3.15
- Remove three patches obsolted by the rebase and updated two
- Temporarily not building the ecperf tool
- ecperef requires freebl/ec.h and ecl-curve.h and the latter
- causes compile failure because it requires that
- NSS_ECC_MORE_THAN_SUITE_B not be defined yet this is
- required for nss builds to allow external pkcs #11 providers
- to support curves beyond suite-b, such restriction only applies
- to the internal crypto module
2016-06-24 14:13:59 -07:00
Kai Engert
1911d47990 Bug 1347336, decouple nss-pem from the nss package, patch contributed by Kamil Dudka 2016-06-22 15:20:39 +02:00
Elio Maldonado
f5c6a9ac04 Apply the patch that was last introduced
- Renumber and reorder some of the patches
- Resolves: Bug 1342158
2016-06-03 08:40:01 -07:00
Elio Maldonado
85c6e70f3c Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
2016-06-02 13:47:29 -07:00
Elio Maldonado
c460de4d23 Rebase to NSS 3.24.0
- Restore setting the policy file location
- Make ssl tests scripts aware of policy
- Ajust tests data expected result for policy
2016-05-29 10:14:36 -07:00
Elio Maldonado
29b52f2caf Bootstrap build to rebase to NSS 3.24.0
- Temporarily not setting the policy file location
2016-05-25 19:55:49 -07:00
Elio Maldonado
fc09930b4d Update nss_util_version and nss_softoken_version to 3.24.0
- Resolves: Bug 1336849 - nss-3.24 is available
2016-05-24 06:49:40 -07:00
Elio Maldonado
3648d70a92 Update to NSS 3.24.0
- Resolves: Bug 1336849 - nss-3.24 is available
- Update patches on account of the rebase
- Remove unused patches un account of the rebase
- Patch pem module to compile with wrning for unitilaized variables treated as errors
- Patch to skip some of the gtests as they use private calls and need to statically link with libnssutil.a
- TODO: bring this up with the external_tests framework developers upstream
2016-05-23 18:10:46 -07:00
Elio Maldonado
2e6c8d6f71 Change POLICY_FILE to "nss.config" 2016-05-12 12:04:57 -07:00
Elio Maldonado
299e9058d1 Change POLICY_FILE to "nss.cfg" 2016-04-22 08:25:14 -07:00
Elio Maldonado
21d9cd13e1 Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
- Regenerate the check policy patch with hg to provide more context
- the nss-util portion included though not applied here but in nss-util
- todo: file bug upstream once we have done some testing
2016-04-20 08:49:00 -07:00
Elio Maldonado
b9c9bc550c Fix typo in the last %changelog entry 2016-04-14 14:16:05 -07:00
Elio Maldonado
ea86d5898c Load policy file if /etc/pki/nssdb/policy.cfg exists
- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy
2016-03-24 15:18:49 -07:00
Elio Maldonado
b22cf46b7c Remove unused patch rendered obsolete by pem update 2016-03-08 15:41:14 -08:00
Elio Maldonado
2a45956d5b Update pem sources to latest from nss-pem upstream
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
- Fixes memory leak on failed ASN1 decoding of RSA keys with rebase
- https://git.fedorahosted.org/cgit/nss-pem.git
2016-03-08 06:47:48 -08:00
Elio Maldonado
e4343992f0 Rebase to NSS 3.23 2016-03-05 12:42:26 -08:00
Elio Maldonado
c0f6099656 Requite nss and nss-softokn version 3.22.2 2016-02-27 16:45:41 -08:00
Elio Maldonado
69c688f3b5 Rebase to NSS 3.22.2
- Resolves: Bug 1304135 - nss-3.22.2 is available
2016-02-26 21:59:01 -08:00
Elio Maldonado
fe44847276 Fix ssl2/exp test disabling to run all the required tests 2016-02-22 20:49:28 -08:00
Elio Maldonado
c281a339e1 Rebase to NSS 3.22.1
- Bug 1304135 - nss-3.22.1 is available
2016-02-21 11:30:52 -08:00
Elio Maldonado
317de01a4d Update .gitignore as part of updating to nss 3.22 2016-02-08 13:47:18 -08:00
Elio Maldonado
5953345108 Update to NSS 3.22 2016-02-08 07:57:39 -08:00
Fedora Release Engineering
f7ddea92df - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 10:56:52 +00:00
Elio Maldonado
5fe1656484 Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
- Use %define when specifying the nss_tests to run
2016-01-15 11:12:08 -08:00
Elio Maldonado
0483a01742 Add 64-bit MIPS to multilib arches
- Patch contributed by Michal Toman <michal.toman@gmail.com>
- Resolves: Bug 1294878 - Add 64-bit MIPS to multilib_arches
2015-12-31 08:11:54 -08:00
Jaromir Capik
65e0fbe683 Copy verref.h to the right dir in the STAGE2 recipe 2015-12-15 14:26:29 +01:00
Elio Maldonado
337a03cdd8 Fix style of commit message 2015-11-20 14:56:41 -08:00
Elio Maldonado
34058a2a6e Update %{nss_util_version} and %{nss_softokn_version} to 3.21.0
- Bug 1284095 - all https fails with sec_error_no_token
2015-11-20 14:39:49 -08:00
Elio Maldonado
66122a0ff7 Add references to bugs filed upstream 2015-11-15 10:51:54 -08:00
Elio Maldonado
03da09b383 Enclose the _isa_bits check inside a %ifnarch noarch ... %endif one 2015-11-14 14:49:57 -08:00
Elio Maldonado
69b02be530 Change the test to %if 0%{__isa_bits} == 64 as required in fedora
- As done in the patch contributed by Marcin Juszkiewicz <mjuszkiewicz@redhat.com>
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit architectures
2015-11-14 11:32:57 -08:00
Elio Maldonado
0a91ce3fe8 Complete the commits to update to NSS 3.21
- Add files missed in previous commit as they weren't staged
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
2015-11-13 18:03:07 -08:00
Elio Maldonado
c13e32fe80 Update to NSS 3.21
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
2015-11-13 17:53:10 -08:00
Jaromir Capik
81b37a0f74 Adding STAGE2 bootstrap recipe 2015-11-04 17:48:00 +01:00
Elio Maldonado
75207789dc Update to NSS 3.20.1 2015-10-31 08:55:27 -07:00
Elio Maldonado
82653be6b2 Enable ECC cipher-suites by default [hrbz#1185708]
- Split the enabling patch in two for easier maintenance
- Remove unused patches rendered obsolete by prior rebase
2015-09-30 11:34:48 -07:00
Elio Maldonado
ae64727ebb Enable ECC cipher-suites by default [hrbz#1185708]
- Implement corrections requested in code review
2015-09-16 09:25:43 -07:00
Elio Maldonado
a046ce773a Enable ECC cipher-suites by default [hrbz#1185708] 2015-09-15 16:21:10 -07:00
Elio Maldonado
17f536942a - Fix patches that disable ssl2 and export cipher suites support
- Fix libssl patch that disables ssl2 & export cipher suites not disable RSA_WITH_NULL ciphers
- Fix syntax erros in patch to skip ssl2 and export cipher suite tests to only skip what;s needed
- Turn ssl2 off by default in the tstclnt tool
- Disable ssl stress tests containing TLS RC4 128 with MD5
- Resolves: Bug 1263005
2015-09-14 18:15:13 -07:00
Elio Maldonado
b10f7b1f18 Fix the version number in last %%changelog entry to be NSS 3.20 2015-08-20 15:15:28 -07:00
Elio Maldonado
c4f83dca30 Update to NSS 3.120 2015-08-20 13:50:06 -07:00
Elio Maldonado
8b92dbf50e Update to NSS 3.19.3
- Resolves: Bug 1251624 - nss-3.19.3 is available
2015-08-07 21:13:01 -07:00
Elio Maldonado
f35af25385 Create on the fly versions of sslcov.txt and sslstress.txt that disable tests for SSL2 and EXPORT ciphers
- Enhancement from Kai Engert already used on RHEL-7
2015-06-26 14:53:21 -07:00
Kai Engert
0779a363b4 Update to NSS 3.19.2 2015-06-17 21:15:31 +02:00
Kai Engert
3a7ef4801d Update to NSS 3.19.1 2015-05-28 22:28:05 +02:00
Kai Engert
c0a0ca5eb2 forgot to udpate sources/gitignore 2015-05-19 21:23:31 +02:00
Kai Engert
856e33f728 Update to NSS 3.19 2015-05-19 21:07:35 +02:00
Kai Engert
a58533f703 Replace expired test certificates, upstream bug 1151037 2015-05-15 16:23:25 +02:00
Elio Maldonado
f59c0d1275 Update to nss-3.18.0
- Resolves: Bug 1203689 - nss-3.18 is available
2015-03-19 09:52:30 -07:00
Elio Maldonado
9b7199b3db Disable export suites and SSL2 support at build time
- Fix syntax errors in various shell scripts
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
2015-03-03 14:35:20 -08:00
Till Maas
fa80ce0efb Rebuilt for Fedora 23 Change
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
2015-02-21 22:27:31 +01:00
Elio Maldonado
8687a87da5 Commented out the export NSS_NO_SSL2=1 line to not disable ssl2
- Backing out from disabling ssl2 until the patches are fixed
2015-02-09 17:52:50 -08:00
Elio Maldonado
8cfb70a447 Disable SSL2 support at build time
- Fix syntax errors in various shell scripts
- Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites
2015-02-08 18:30:17 -08:00
Elio Maldonado
8c142e52fe Update to nss-3.17.4
- remove a patch rendered obsolete by the rebase
2015-01-28 17:23:35 -08:00
Ville Skyttä
c70e45537d Own the %{_datadir}/doc/nss-tools dir
https://bugzilla.redhat.com/show_bug.cgi?id=1185573
2015-01-27 13:16:42 +02:00
Elio Maldonado
62096f81c3 Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
- Install pp man page in %{_datadir}/doc/nss-tools/pp.1
- Use %{_mandir} instead of /usr/share/man as more generic
2014-12-16 07:43:44 -08:00
Elio Maldonado
a60e3001fe Install pp man page in alternative location
- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
2014-12-15 08:26:07 -08:00
Elio Maldonado
a7df0838aa Update to nss-3.17.3
- Resolves: Bug 1171012 - nss-3.17.3 is available
2014-12-05 07:32:38 -08:00
Elio Maldonado
3e2a0ea4de Resolves: Bug 994599 - Enable TLS 1.2 by default 2014-10-16 16:36:18 -07:00
Elio Maldonado
1765d80a6c Update to nss-3.17.2 2014-10-12 09:06:05 -07:00
Kai Engert
0ac07fb221 - Update to nss-3.17.1
- Add a mechanism to skip test suite execution during development work
2014-09-25 02:12:48 +02:00
Kevin Fenzi
64ca89cbe4 Rebuild for rpm bug 1131960 2014-08-21 11:48:33 -06:00
Elio Maldonado
3e02cae346 Update to nss-3.17.0
- Update the iquote.patch on account of the rebase
2014-08-19 10:38:45 -07:00
Peter Robinson
db7f9bfa50 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild 2014-08-17 12:21:01 +00:00
Elio Maldonado
eaa519320e Replace expired PayPal test cert with current one to prevent build failure
- Using the new cert checked in upstream
- See https://hg.mozilla.org/projects/nss/rev/756ccadf33b3
2014-07-30 11:48:10 -07:00
Tom Callaway
8025e7be74 fix license handling 2014-07-18 18:52:34 -04:00
Elio Maldonado
fd6a1f2171 Update to nss-3.16.2
- Resolves: Bug 1114319 - nss-3.16.2 is available
- Remove no longer needed patch
2014-06-29 10:50:40 -07:00
Elio Maldonado
60816050f2 Remove unwanted source directories at the end of %prep so it truly does it
- Skip the cipher suite already run as part of the nss-softokn build
- Brings spec file fixes already approved and applied on rhel-6.6
2014-06-15 10:28:18 -07:00
Dennis Gilmore
296fce6af9 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild 2014-06-07 10:09:47 -05:00
Jaromir Capik
f94fcb299b Replacing ppc64 and ppc64le with the power64 macro
- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
2014-05-12 20:09:13 +02:00
Elio Maldonado
4d04992e9a Update to nss-3.16.1
- Update the iquote patch on account of the rebase
- Improve error detection in the %section
- Resolves: Bug 1094702 - nss-3.16.1 is available
2014-05-06 09:32:26 -07:00
Elio Maldonado
37a942df5c Require nspr-4.10.4 2014-03-19 08:45:26 -07:00
Elio Maldonado
0834927548 Update to nss-3.16.0
- Cleanup the copying of the tools man pages
- Update the iquote.patch on account of the rebase
2014-03-18 17:27:02 -07:00
Elio Maldonado
8b13702a67 Restore requiring nss_softokn_version >= 3.15.5 2014-03-04 07:33:25 -08:00
Elio Maldonado
4f24d9e6c9 Remove reference to a patch that we aren't yet ready to apply. 2014-02-23 19:02:24 -08:00
Elio Maldonado
23d7297fce Temporarily requiring only nss_softokn_version >= 3.15.4
- This until a koji build environment prprobmem which that causes i686 nss-softokn builds
- to fail is resolved
- nss-softokn-3.15.5 has the same code as nss-softokn-3.15.4
2014-02-23 18:55:11 -08:00
Elio Maldonado
9b8380a073 Update to nss-3.15.5
- Fix location of sharedb files and their manpages
- Move cert9.db, key4.db, and pkcs11.txt to the main package
- Move nss-sysinit manpages tar archives to the main package
- Resolves: Bug 1066877 - nss-3.15.5 is available
- Resolves: Bug 1067091 - Move sharedb files to the %files section
2014-02-19 13:28:37 -08:00
Elio Maldonado
4c076bc0cd Revert previous change that moved some sysinit manpages
- Restore nss-sysinit manpages tar archives to %files sysinit
- Removing spurious wildcard entry was the only change needed
2014-02-06 15:33:20 -08:00
Elio Maldonado
4fb9d07b7f Add explanatory comments for iquote.patch as was done on f20
- The reason for this running patch is far from obvious.
- Helps code reviwers as the patch sometimes needs updating
- when doing rebases to nss that introduce new functions.
2014-01-27 07:51:27 -08:00
Elio Maldonado
a25fc11743 Update pem sources to latest from nss-pem upstream
- Update picks up pem fixes verified on RHEL and applied upstream
- Fix a problem where same files in two rpms created rpm conflict
- Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1050163
- Move some nss-sysinit manpages tar archives to the %files the
- All man pages are listed by name so there shouldn't be wildcard inclusion
- Add support for ppc64le, Resolves: Bug 1052545
2014-01-25 10:57:37 -08:00
Peter Robinson
5d65d327f1 ARM tests pass so remove ARM conditional 2014-01-20 18:48:37 +00:00
Elio Maldonado
301ed12356 Remove unneeded sections from the patch 2014-01-10 15:19:35 -08:00
Elio Maldonado
7285eaab48 Regenerated pem patch to be suitable for submission to interim upstream pem 2014-01-08 10:24:30 -08:00
Elio Maldonado
d2ef6540b5 Sync up with changes made upstream for freebl and softoken
- Reduce the patch to its bare minumum
- Remove RSA_BlockOAEP cases which aren't used by the pem module after all
- Copied the private RSA_BlockType data structure from freebl/pkcss11.c that needed here
- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c
- https://bugzilla.mozilla.org/show_bug.cgi?id=836019
- Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl
2014-01-08 09:08:35 -08:00
Elio Maldonado
569d439b91 Update two patches due to upstream changes
- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
- Update iquote.patch on account of upstream changes
- Resolves: Bug 1049229 - nss-3.15.4 is available
2014-01-07 13:48:44 -08:00
Elio Maldonado
aae9602c01 Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
- Resolves: Bug 1049229 - nss-3.15.4 is available
- Update pem sources to latest from the interim upstream for pem
- Remove no longer needed patches
2014-01-07 06:13:53 -08:00
Elio Maldonado
6ab230bb01 Remove unused patches 2013-12-18 08:00:55 -08:00
Elio Maldonado
b5567867a7 - Resolves: Bug 1040192 - nss-3.15.3.1 is available 2013-12-11 10:41:54 -08:00
Elio Maldonado
4f6555074f Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
- Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA
2013-117)
2013-12-11 08:37:47 -08:00
Elio Maldonado
f37654e052 Bump the release tag 2013-12-03 14:12:35 -08:00
Elio Maldonado
49e209f91d Install symlink to setup-nsssysinit.sh, without the ".sh" suffix, that matches the man page documentation 2013-11-26 14:15:45 -08:00
Elio Maldonado
67a7a21b0e Update to NSS_3_15_3_RTM
- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
- Fix option descriptions for setup-nsssysinit manpage
- Fix man page of nss-sysinit wrong path and other flaws
- Document email option for certutil manpage
- Remove unused patches
2013-11-26 10:36:24 -08:00
Elio Maldonado
129e66ef0e Remove unused script mozilla-crypto-strip.sh 2013-11-24 14:22:43 -08:00
Elio Maldonado
658733b0d3 Bump the minimum required verion of nss-util and nss-softokn to 3.15.3 2013-11-23 21:06:02 -08:00
Elio Maldonado
db7fe53123 Update to NSS_3_15_3_RTM
- Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
- Fix option descriptions for setup-nsssysinit manpage
2013-11-23 20:47:19 -08:00
Elio Maldonado
a6a13f1a66 Bump the release tag 2013-10-27 11:04:28 -07:00
Elio Maldonado
4b2b74e5e0 Revert one change from last commit to preserve full nss pluggable ecc supprt 2013-10-27 11:00:35 -07:00
Elio Maldonado
74d9e91174 Remove obsolete NSS_ECC_MORE_THAN_SUITE_B=1 export. It has no effect. 2013-10-23 11:38:39 -07:00
Elio Maldonado
306dd778f4 Use the full sources from upstream
- Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
2013-10-23 09:53:20 -07:00
Elio Maldonado
9b70717281 - Update to NSS_3_15_2_RTM
- Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
- On CERT_GetKeyType a const qualifier was added to the input parameter and this we must include
- the cert.h from the build tree intead of the one in system/buildroot which is not up to date yet
2013-09-27 11:32:01 -07:00
Elio Maldonado
8f6f357e88 Update to NSS_3_15_2_RTM 2013-09-27 09:50:45 -07:00
Elio Maldonado
33f25f5720 Fix the release tag to be Release: 7%{?dist} 2013-08-28 15:08:50 -07:00
Elio Maldonado
da85237ace Update pem sources to pick up a patch applied upstream which a faulty merge had missed
- The pem module should not require unique file basenames
2013-08-28 12:59:23 -07:00
Elio Maldonado
2285997461 Upload a new pem source tar ball with a fix to a relative patch 2013-08-27 21:39:03 -07:00
Elio Maldonado
1c902d0023 Fix the version of nss-pem source tar ball to use 2013-08-27 21:17:53 -07:00
Elio Maldonado
2c648570aa Update pem sources to the latest from interim upstream 2013-08-27 21:08:54 -07:00
Elio Maldonado
b4e6e308a6 Resolves: rhbz#996639 - Minor bugs in nss man pages
- Fix some typos and improve description and see also sections
2013-08-19 11:56:32 -07:00
Elio Maldonado
5761e30a94 Cleanup spec file to address most rpmlint errors and warnings
- Using double percent symbols to fix macro-in-comment warnings
- Ignore unversioned-explicit-provides nss-system-init per spec comments
- Ignore invalid-url Source0 as it comes from the git lookaside cache
- Ignore invalid-url Source12 as it comes from the git lookaside cache
2013-08-11 12:16:20 -07:00
Elio Maldonado
3888f3b230 Add man page for pkcs11.txt configuration file and cert and key databases
- Resolves: rhbz#985114 - Provide man pages for the nss configuration files
2013-07-25 14:21:44 -07:00
Elio Maldonado
8ae46fa97f Fix errors in the man pages
- Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
- Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
2013-07-19 10:42:57 -07:00
Elio Maldonado
fdb9637677 Fix nss-3.14.0.0-disble-ocsp-test.patch
- it was disabling the wrong test, dsa instead of ocsp
2013-07-02 16:15:12 -07:00
Elio Maldonado
cf4a750103 Update to NSS_3_15_1_RTM
- Enable the iquote.patch to access newly introduced types
- New types and constants added to sslprot.h, sslerr.h, and sslt.h require thhe in-tree headers to be picked up first
2013-07-02 15:15:25 -07:00
Elio Maldonado
8943f1ad54 Update to NSS_3_15_RTM 2013-07-02 13:44:44 -07:00
Elio Maldonado
efdced7007 Revert "Reenable patches required for compatibility on stable fedora branches"
This reverts commit 65efb2c2f3.
That commit wasn't untended for this branch
2013-06-23 19:39:13 -07:00
Elio Maldonado
65efb2c2f3 Reenable patches required for compatibility on stable fedora branches
- Reenable nss-ssl-enforce-no-pkcs11-bypass.path
- Renable nss-ssl-cbc-random-iv-off-by-default.patch
2013-06-23 19:00:21 -07:00
Elio Maldonado
b8273ce04c Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
- Resolves: rhbz#606020 - nss security tools lack man pages
2013-06-19 20:32:27 -07:00
Elio Maldonado
e36079dd45 Build nss without softoken or util sources in the tree
- Resolves: rhbz#689918
2013-06-18 17:45:38 -07:00
Elio Maldonado
41e94360c9 Update ssl-cbc-random-iv-by-default.patch
- Added a missing comma
2013-06-17 16:23:06 -07:00
Elio Maldonado
2f66633263 Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
- These were blank in nss-config causing build failures on client paclages
- Reported by Martin Stransky when a xulrunner build failed
2013-06-16 10:07:11 -07:00
Elio Maldonado
f6ec57311f Update to NSS_3_15_RTM 2013-06-15 12:48:12 -07:00
Elio Maldonado
2249db62a6 Fix incorrect path that hid failed test from view
- Add ocsp to the test suites to run but ...
- Temporarily disable the ocsp stapling tests
- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
2013-04-24 18:46:52 -07:00
Elio Maldonado
30056fd35c Update nss-pem-20130405.tar.bz2 to the git lookaside cache 2013-04-09 16:22:42 -07:00
Elio Maldonado
2a8c1318ea Update to NSS_3_15_BETA1
- Update spec file, patches, and helper scripts on account of a shallower source tree
- Update the pem sources also to adjust to the sallower source for nss
2013-04-09 16:14:36 -07:00
Kai Engert
59b5d52d9e * Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12
- Update expired test certificates (fixed in upstream bug 852781)
2013-03-24 00:28:39 +01:00
Kai Engert
21e8668243 * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10
- Fix incorrect post/postun scripts. Fix broken links in posttrans.
2013-03-08 23:34:55 +01:00
Kai Engert
7b5d7ea05f * Wed Mar 06 2013 Kai Engert <kaie@redhat.com> - 3.14.3-9
- Configure libnssckbi.so to use the alternatives system
  in order to prepare for a drop in replacement.
2013-03-06 00:49:27 +01:00
40 changed files with 2665 additions and 1189 deletions

48
.gitignore vendored
View File

@ -4,6 +4,48 @@ blank-secmod.db
blank-cert9.db
blank-key4.db
PayPalEE.cert
/nss-pem-20120811.tar.bz2
/dummy-sources-for-testing
/nss-3.14.3-stripped.tar.bz2
TestCA.ca.cert
TestUser50.cert
TestUser51.cert
/PayPalRootCA.cert
/PayPalICA.cert
/nss-3.25.0.tar.gz
/nss-3.26.0.tar.gz
/nss-3.27.0.tar.gz
/nss-3.27.2.tar.gz
/nss-3.28.1.tar.gz
/nss-3.29.0.tar.gz
/nss-3.29.1.tar.gz
/nss-3.30.0.tar.gz
/nss-3.30.2.tar.gz
/nss-3.31.0.tar.gz
/nss-3.32.0.tar.gz
/nss-3.32.1.tar.gz
/nss-3.33.0.tar.gz
/nss-3.34.0.tar.gz
/nss-3.35.0.tar.gz
/nss-3.36.0.tar.gz
/nss-3.36.1.tar.gz
/nss-3.37.1.tar.gz
/nss-3.37.3.tar.gz
/nss-3.38.0.tar.gz
/nss-3.39.tar.gz
/nss-3.40.1.tar.gz
/nss-3.41.tar.gz
/nss-3.42.tar.gz
/nss-3.42.1.tar.gz
/nss-3.43.tar.gz
/nss-3.44.tar.gz
/nss-3.44.1.tar.gz
/nss-3.45.tar.gz
/nss-3.46.tar.gz
/nss-3.46.1.tar.gz
/nss-3.47.tar.gz
/nss-3.47.1.tar.gz
/nss-3.48.tar.gz
/nss-3.49.tar.gz
/nss-3.49.2.tar.gz
/nss-3.50.tar.gz
/nss-3.51.tar.gz
/nss-3.51.1.tar.gz
/nss-3.52.tar.gz

View File

@ -1,406 +0,0 @@
From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Sat, 9 Feb 2013 17:11:00 -0500
Subject: [PATCH] Sync up with upstream softokn changes
- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
- It now compiles with the NSS_3_14_3_BETA1 source
---
mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
1 files changed, 82 insertions(+), 256 deletions(-)
diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
index 5ac4f39..3780d30 100644
--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
@@ -46,6 +46,7 @@
#include "sechash.h"
#include "base.h"
+#include "lowkeyi.h"
#include "secerr.h"
#define RSA_BLOCK_MIN_PAD_LEN 8
@@ -54,9 +55,8 @@
#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-#define OAEP_SALT_LEN 8
-#define OAEP_PAD_LEN 8
-#define OAEP_PAD_OCTET 0x00
+/* Needed for RSA-PSS functions */
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
#define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
return 0;
}
-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
-{
- SHA1Context *clone = NULL;
- unsigned char *pBuf;
- int sha1ContextSize = SHA1_FlattenSize(original);
- SECStatus frv;
- unsigned char buf[FLAT_BUFSIZE];
-
- PORT_Assert(sizeof buf >= sha1ContextSize);
- if (sizeof buf >= sha1ContextSize) {
- pBuf = buf;
- } else {
- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
- if (!pBuf)
- goto done;
- }
-
- frv = SHA1_Flatten(original, pBuf);
- if (frv == SECSuccess) {
- clone = SHA1_Resurrect(pBuf, NULL);
- memset(pBuf, 0, sha1ContextSize);
- }
- done:
- if (pBuf != buf)
- nss_ZFreeIf(pBuf);
- return clone;
+/* Constant time comparison of a single byte.
+ * Returns 1 iff a == b, otherwise returns 0.
+ * Note: For ranges of bytes, use constantTimeCompare.
+ */
+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
+ unsigned char c = ~(a - b | b - a);
+ c >>= 7;
+ return c;
}
-/*
- * Modify data by XORing it with a special hash of salt.
+/* Constant time comparison of a range of bytes.
+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
+ * returns 0.
*/
-static SECStatus
-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
- unsigned char *salt, unsigned int saltlen)
-{
- SHA1Context *sha1cx;
- unsigned char *dp, *dataend;
- unsigned char end_octet;
-
- sha1cx = SHA1_NewContext();
- if (sha1cx == NULL) {
- return SECFailure;
- }
-
- /*
- * Get a hash of salt started; we will use it several times,
- * adding in a different end octet (x00, x01, x02, ...).
- */
- SHA1_Begin(sha1cx);
- SHA1_Update(sha1cx, salt, saltlen);
- end_octet = 0;
-
- dp = data;
- dataend = data + datalen;
-
- while (dp < dataend) {
- SHA1Context *sha1cx_h1;
- unsigned int sha1len, sha1off;
- unsigned char sha1[SHA1_LENGTH];
-
- /*
- * Create hash of (salt || end_octet)
- */
- sha1cx_h1 = SHA1_CloneContext(sha1cx);
- SHA1_Update(sha1cx_h1, &end_octet, 1);
- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
- PORT_Assert(sha1len == SHA1_LENGTH);
-
- /*
- * XOR that hash with the data.
- * When we have fewer than SHA1_LENGTH octets of data
- * left to xor, use just the low-order ones of the hash.
- */
- sha1off = 0;
- if ((dataend - dp) < SHA1_LENGTH)
- sha1off = SHA1_LENGTH - (dataend - dp);
- while (sha1off < SHA1_LENGTH)
- *dp++ ^= sha1[sha1off++];
-
- /*
- * Bump for next hash chunk.
- */
- end_octet++;
- }
-
- SHA1_DestroyContext(sha1cx, PR_TRUE);
- return SECSuccess;
+static unsigned char constantTimeCompare(const unsigned char *a,
+ const unsigned char *b,
+ unsigned int len) {
+ unsigned char tmp = 0;
+ unsigned int i;
+ for (i = 0; i < len; ++i, ++a, ++b)
+ tmp |= *a ^ *b;
+ return constantTimeEQ8(0x00, tmp);
}
-/*
- * Modify salt by XORing it with a special hash of data.
+/* Constant time conditional.
+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
+ * not 0 or 1.
*/
-static SECStatus
-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
- unsigned char *data, unsigned int datalen)
+static unsigned int constantTimeCondition(unsigned int c,
+ unsigned int a,
+ unsigned int b)
{
- unsigned char sha1[SHA1_LENGTH];
- unsigned char *psalt, *psha1, *saltend;
- SECStatus rv;
-
- /*
- * Create a hash of data.
- */
- rv = SHA1_HashBuf(sha1, data, datalen);
- if (rv != SECSuccess) {
- return rv;
- }
-
- /*
- * XOR the low-order octets of that hash with salt.
- */
- PORT_Assert(saltlen <= SHA1_LENGTH);
- saltend = salt + saltlen;
- psalt = salt;
- psha1 = sha1 + SHA1_LENGTH - saltlen;
- while (psalt < saltend) {
- *psalt++ ^= *psha1++;
- }
-
- return SECSuccess;
+ return (~(c - 1) & a) | ((c - 1) & b);
}
/*
@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
unsigned char *block;
unsigned char *bp;
int padLen;
- int i;
+ int i, j;
SECStatus rv;
block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
*/
case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is all non-zero random bytes.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- nss_ZFreeIf(block);
- return NULL;
- }
- for (i = 0; i < padLen; i++) {
- /* Pad with non-zero random data. */
- do {
- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
- } while (rv == SECSuccess
- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- nsslibc_memcpy(bp, data->data, data->len);
-
- break;
-
- /*
- * Blocks intended for public-key operation, using
- * Optimal Asymmetric Encryption Padding (OAEP).
- */
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
- *
- * where:
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
- * Salt is random data.
- * Pad1 is all zeros.
- * Pad2, if present, is random data.
- * (The "modified" fields are all the same length as the original
- * unmodified values; they are just xor'd with other values.)
- *
- * Modified1 is an XOR of PaddedData with a special octet
- * string constructed of iterated hashing of Salt (see below).
- * Modified2 is an XOR of Salt with the low-order octets of
- * the hash of Modified1 (see farther below ;-).
- *
- * Whew!
- */
-
-
- /*
- * Salt
- */
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- bp += OAEP_SALT_LEN;
-
- /*
- * Pad1
- */
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
- bp += OAEP_PAD_LEN;
-
- /*
- * Data
- */
- nsslibc_memcpy(bp, data->data, data->len);
- bp += data->len;
-
- /*
- * Pad2
- */
- if (bp < (block + modulusLen)) {
- rv = RNG_GenerateGlobalRandomBytes(bp,
- block - bp + modulusLen);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
-
- /*
- * Now we have the following:
- * 0x00 || BT || Salt || PaddedData
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
- * as the one entity PaddedData.)
- *
- * We need to turn PaddedData into Modified1.
- */
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN,
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- /*
- * Now we have:
- * 0x00 || BT || Salt || Modified1(PaddedData)
- *
- * The remaining task is to turn Salt into Modified2.
- */
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
- block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN) !=
- SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- break;
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ * 1 1 padLen 1 data->len
+ * Pad is all non-zero random bytes.
+ *
+ * Build the block left to right.
+ * Fill the entire block from Pad to the end with random bytes.
+ * Use the bytes after Pad as a supply of extra random bytes from
+ * which to find replacements for the zero bytes in Pad.
+ * If we need more than that, refill the bytes after Pad with
+ * new random bytes as necessary.
+ */
+ padLen = modulusLen - (data->len + 3);
+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+ nss_ZFreeIf (block);
+ return NULL;
+ }
+ j = modulusLen - 2;
+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
+ if (rv == SECSuccess) {
+ for (i = 0; i < padLen; ) {
+ unsigned char repl;
+ /* Pad with non-zero random data. */
+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+ ++i;
+ continue;
+ }
+ if (j <= padLen) {
+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
+ modulusLen - (2 + padLen));
+ if (rv != SECSuccess)
+ break;
+ j = modulusLen - 2;
+ }
+ do {
+ repl = bp[--j];
+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
+ bp[i++] = repl;
+ }
+ }
+ }
+ if (rv != SECSuccess) {
+ /*sftk_fatalError = PR_TRUE;*/
+ nss_ZFreeIf (block);
+ return NULL;
+ }
+ bp += padLen;
+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+ nsslibc_memcpy(bp, data->data, data->len);
+ break;
default:
PORT_Assert(0);
@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
break;
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
- *
- * The "2" below is the first octet + the second octet.
- * (The other fields do not contain the clear values, but are
- * the same length as the clear values.)
- */
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
- + OAEP_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
case RSA_BlockRaw:
/*
* Pad || ActualData
--
1.7.1

View File

@ -1,44 +0,0 @@
--- mozilla/security/nss/lib/ckfw/pem/psession.c
+++ mozilla/security/nss/lib/ckfw/pem/psession.c
@@ -230,6 +230,7 @@ pem_mdSession_Login
unsigned int len = 0;
NSSLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
+ SECItem plain;
int i;
fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
@@ -306,23 +321,27 @@ pem_mdSession_Login
lpk->keyType = NSSLOWKEYRSAKey;
prepare_low_rsa_priv_key_for_asn1(lpk);
- nss_ZFreeIf(io->u.key.key.privateKey->data);
- io->u.key.key.privateKey->len = len - output[len - 1];
- io->u.key.key.privateKey->data =
- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
/* Decode the resulting blob and see if it is a decodable DER that fits
* our private key template. If so we declare success and move on. If not
* then we return an error.
*/
+ memset(&plain, 0, sizeof(plain));
+ plain.data = output;
+ plain.len = len - output[len - 1];
rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- io->u.key.key.privateKey);
+ &plain);
pem_DestroyPrivateKey(lpk);
arena = NULL;
if (rv != SECSuccess)
goto loser;
+ nss_ZFreeIf(io->u.key.key.privateKey->data);
+ io->u.key.key.privateKey->len = len - output[len - 1];
+ io->u.key.key.privateKey->data =
+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+
rv = CKR_OK;
loser:

68
STAGE2-nss Normal file
View File

@ -0,0 +1,68 @@
#requires nspr
#requires perl
#requires nss-util
#requires nss-softokn
mcd $BUILDDIR/nss
export BUILD_OPT=1
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSPR_LIB_DIR=/usr/lib${SUFFIX}
export NSS_USE_SYSTEM_SQLITE=1
export NSS_BUILD_WITHOUT_SOFTOKEN=1
export USE_SYSTEM_SOFTOKEN=1
export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_NSSUTIL=1
export FREEBL_INCLUDE_DIR=/usr/include/nss3
export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_FREEBL=1
export NSS_USE_SYSTEM_FREEBL=1
export FREEBL_NO_DEPEND=1
export IN_TREE_FREEBL_HEADERS_FIRST=1
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_NO_SSL2_NO_EXPORT=1
export NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_NO_PKCS11_BYPASS=1
#export NSDISTMODE="copy"
if [ "$SUFFIX" = "64" ]; then
USE_64=1
export USE_64
fi
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
make -C $SRC/nss-3.*/nss/coreconf
make -C $SRC/nss-3.*/nss/lib/dbm
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/verref.h which is exported privately, move it to where it can be found.
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
make -C $SRC/nss-3.*/nss
cd $SRC/nss-3.*/nss/coreconf
make install
cd $SRC/nss-3.*/nss/lib/dbm
make install
cd $SRC/nss-3.*/nss
make install
# Copy the binary libraries we want
NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
# BOZO: temporarily disable FIPS140 support
#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
NSSLIBCHKS=""
# END BOZO
cd $SRC/nss-3.*
for file in $NSSLIBS $NSSLIBCHKS
do
install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
done
# Copy the include files we want
for file in $SRC/nss-*/dist/public/nss/*.h
do
install -p -m 644 $file /usr/include/nss3/
done

View File

@ -1,16 +0,0 @@
diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
--- mozilla/security/coreconf/Linux.mk.relro 2010-08-12 18:32:29.000000000 -0700
+++ mozilla/security/coreconf/Linux.mk 2011-09-27 16:12:22.234743170 -0700
@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
endif
endif
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS += -Wl,-z,relro
+endif
+
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz

59
cert8.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert8.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert8.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert8.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
cert9.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert9.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert9.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert9.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

13
iquote.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
SQLITE_LIB_NAME = sqlite3
endif
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
MK_LOCATION = included

59
key3.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key3.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key3.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key3.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
key4.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key4.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key4.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key4.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
<para>This key database is the sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

View File

@ -1,128 +0,0 @@
#!/bin/sh
set -e
if test -z $1
then
echo "usage: $0 <input-tarball>"
exit
fi
ORIGDIR=`pwd`
WORKDIR=nss_ecc_strip_working_dir
EXTENSION=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\2#'`
BASE=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\1#'`
COMPRESS=""
if test "x$EXTENSION" = "x.tar.bz2" || test "x$EXTENSION" = "x.tbz2"
then
COMPRESS="j"
fi
if test "x$EXTENSION" = "x.tar.gz" || test "x$EXTENSION" = "x.tgz"
then
COMPRESS="z"
fi
if test "x$COMPRESS" = "x"
then
echo "unable to process, input file $1 has unsupported extension"
exit
fi
echo "== extension is $EXTENSION - ok"
echo "== new extension will be $JEXTENSION"
echo "== cleaning old workdir $WORKDIR"
rm -rf $WORKDIR
mkdir $WORKDIR
echo "== extracting input archive $1"
tar -x -$COMPRESS -C $WORKDIR -f $1
echo "changing into $WORKDIR"
pushd $WORKDIR
DIRCOUNT=`ls -1 | wc -l`
if test $DIRCOUNT -ne 1
then
echo "unable to process, $1 contains more than one toplevel directory"
exit
fi
TOPDIR=`ls -1`
if test "x$TOPDIR" != "xmozilla"
then
# try to deal with a single additional subdirectory above "mozilla"
echo "== skipping toplevel directory $TOPDIR"
cd $TOPDIR
fi
DIRCOUNT=`ls -1 | wc -l`
if test $DIRCOUNT -ne 1
then
echo "unable to process, $1 contains more than one second level directory"
exit
fi
SINGLEDIR=`ls -1`
if test "x$SINGLEDIR" != "xmozilla"
then
echo "unable to process, first or second level directory is not mozilla"
exit
fi
echo "== input archive accepted, now processing"
REALFREEBLDIR=mozilla/security/nss/lib/freebl
FREEBLDIR=./$REALFREEBLDIR
rm -rf ./mozilla/security/nss/cmd/ecperf
mv ${FREEBLDIR}/ecl/ecl-exp.h ${FREEBLDIR}/save
rm -rf ${FREEBLDIR}/ecl/tests
rm -rf ${FREEBLDIR}/ecl/CVS
for i in ${FREEBLDIR}/ecl/* ; do
echo clobbering $i
> $i
done
mv ${FREEBLDIR}/save ${FREEBLDIR}/ecl/ecl-exp.h
for j in ${FREEBLDIR}/ec.*; do
echo unifdef $j
cat $j | \
awk 'BEGIN {ech=1; prt=0;} \
/^#[ \t]*ifdef.*NSS_ENABLE_ECC/ {ech--; next;} \
/^#[ \t]*if/ {if(ech < 1) ech--;} \
{if(ech>0) {;print $0};} \
/^#[ \t]*endif/ {if(ech < 1) ech++;} \
{if (prt && (ech<=0)) {;print $0}; } \
{if (ech>0) {prt=0;} } \
/^#[ \t]*else/ {if (ech == 0) prt=1;}' > $j.hobbled && \
mv $j.hobbled $j
done
echo "== returning to original directory"
popd
JCOMPRESS=j
JEXTENSION=.tar.bz2
NEWARCHIVE=$BASE-stripped$JEXTENSION
echo "== finally producing new archive $NEWARCHIVE"
tar -c -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $TOPDIR
echo "== all done, listing of old and new archive:"
ls -l $1
ls -l $NEWARCHIVE
LISTING_DIR=""
if test "x$TOPDIR" != "xmozilla"
then
LISTING_DIR="$TOPDIR/$REALFREEBLDIR/ecl"
else
LISTING_DIR="$REALFREEBLDIR/ecl"
fi
echo "== FYI, producing listing of stripped dir in new archive"
tar -t -v -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $LISTING_DIR

View File

@ -1,39 +0,0 @@
diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile
--- ./mozilla/security/nss/cmd/Makefile.nosoftokentests 2012-12-22 14:06:13.193304912 -0800
+++ ./mozilla/security/nss/cmd/Makefile 2012-12-22 14:10:04.942248630 -0800
@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS
DIRS += libpkix
endif
+# nss-softoken only tests
+BLTEST_SRCDIR=
+FIPSTEST_SRCDIR=
+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+BLTEST_SRCDIR=bltest # Add the bltest directory to DIRS.
+FIPSTEST_SRCDIR=fipstest # Add the fipstest directory to DIRS.
+endif
+
LOWHASHTEST_SRCDIR=
ifeq ($(FREEBL_LOWHASH),1)
LOWHASHTEST_SRCDIR = lowhashtest # Add the lowhashtest directory to DIRS.
diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn
--- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests 2012-12-22 14:06:35.191293837 -0800
+++ ./mozilla/security/nss/cmd/manifest.mn 2012-12-22 14:11:22.342263467 -0800
@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm
DIRS = lib \
addbuiltin \
atob \
- bltest \
+ $(BLTEST_SRCDIR) \
btoa \
certcgi \
certutil \
@@ -23,7 +23,7 @@ DIRS = lib \
derdump \
digest \
httpserv \
- fipstest \
+ $(FIPSTEST_SRCDIR) \
$(LOWHASHTEST_SRCDIR) \
listsuites \
makepqg \

View File

@ -1,10 +0,0 @@
diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest 2013-01-06 19:56:15.000000000 -0800
+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2013-02-01 08:38:28.140615299 -0800
@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg

View File

@ -1,62 +1,62 @@
Index: ./mozilla/security/nss/cmd/httpserv/httpserv.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/httpserv/httpserv.c,v
retrieving revision 1.1
diff -u -p -r1.1 httpserv.c
--- ./mozilla/security/nss/cmd/httpserv/httpserv.c 28 Jun 2012 11:11:06 -0000 1.1
+++ ./mozilla/security/nss/cmd/httpserv/httpserv.c 21 Oct 2012 22:22:10 -0000
@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
PRNetAddr addr;
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSockett");
}
opt.option = PR_SockOpt_Nonblocking;
Index: ./mozilla/security/nss/cmd/selfserv/selfserv.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v
retrieving revision 1.102
diff -u -p -r1.102 selfserv.c
--- ./mozilla/security/nss/cmd/selfserv/selfserv.c 27 Sep 2012 17:13:34 -0000 1.102
+++ ./mozilla/security/nss/cmd/selfserv/selfserv.c 21 Oct 2012 22:22:10 -0000
@@ -1483,14 +1483,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
PRNetAddr addr;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

View File

@ -1,34 +0,0 @@
diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/security/nss/tests/dbtests/dbtests.sh
--- ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot 2011-04-06 09:56:07.207701000 -0700
+++ ./mozilla/security/nss/tests/dbtests/dbtests.sh 2011-04-06 10:19:54.159552000 -0700
@@ -201,6 +201,9 @@ dbtest_main()
cat $RONLY_DIR/* > /dev/null
fi
+ # skipping the next two tests when user is root,
+ # otherwise they would fail due to rooty powers
+ if [[ $EUID -ne 0 ]] then
${BINDIR}/dbtest -d $RONLY_DIR
ret=$?
if [ $ret -ne 46 ]; then
@@ -208,6 +211,10 @@ dbtest_main()
else
html_passed "Dbtest r/w didn't work in an readonly dir $ret"
fi
+ else
+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+ fi
+ if [[ $EUID -ne 0 ]] then
${BINDIR}/certutil -D -n "TestUser" -d .
ret=$?
if [ $ret -ne 255 ]; then
@@ -215,6 +222,9 @@ dbtest_main()
else
html_passed "Certutil didn't work in an readonly dir $ret"
fi
+ else
+ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root"
+ fi
Echo "test opening the database ronly in a readonly directory"

132
nss-config.xml Normal file
View File

@ -0,0 +1,132 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nss-config">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>nss-config</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nss-config</refname>
<refpurpose>Return meta information about nss libraries</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nss-config</command>
<arg><option>--prefix</option></arg>
<arg><option>--exec-prefix</option></arg>
<arg><option>--includedir</option></arg>
<arg><option>--libs</option></arg>
<arg><option>--cflags</option></arg>
<arg><option>--libdir</option></arg>
<arg><option>--version</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nss-config</command> is a shell scrip
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--prefix</option></term>
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix</option></term>
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--version</option></term>
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libdir</option></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for both include path and linkage flags:
<programlisting>
/usr/bin/nss-config --cflags --libs
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/nss-config</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

View File

@ -1,12 +0,0 @@
diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem 2008-08-05 16:34:23.000000000 -0700
+++ ./mozilla/security/nss/lib/ckfw/manifest.mn 2008-08-05 16:34:30.000000000 -0700
@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
CORE_DEPTH = ../../..
-DIRS = builtins
+DIRS = builtins pem
PRIVATE_EXPORTS = \
ck.h \

View File

@ -0,0 +1,21 @@
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
/* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
+#ifndef NSS_PKCS11_3_0_STRICT
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
#define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
#else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
#endif

31
nss-kremlin-ppc64le.patch Normal file
View File

@ -0,0 +1,31 @@
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
!defined(__clang__)
#include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
typedef unsigned __int128 FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
typedef __uint128_t FStar_UInt128_uint128;
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -26,7 +26,8 @@
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
/* GCC + using native unsigned __int128 support */

4
nss-p11-kit.config Normal file
View File

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

94
nss-signtool-format.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
if (!dir) {
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
errorCount++;
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ errorCount++;
+ return -1;
+ }
if (rm_dash_r(filename))
return -1;
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
errorCount++;
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

116
nss-softokn-config.in Normal file
View File

@ -0,0 +1,116 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

View File

@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
nss-softokn-dracut.conf Normal file
View File

@ -0,0 +1,3 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

11
nss-softokn.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

View File

@ -1,25 +0,0 @@
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-02-01 10:14:36.960458329 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2013-02-01 10:17:16.532265855 -0800
@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
- PR_TRUE /* cbcRandomIV */
+ PR_FALSE /* cbcRandomIV */ /* defaults to off for compatibility */
};
/*
@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
PR_TRUE));
}
ev = getenv("NSS_SSL_CBC_RANDOM_IV");
- if (ev && ev[0] == '0') {
- ssl_defaults.cbcRandomIV = PR_FALSE;
- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+ if (ev && ev[0] == '1') {
+ ssl_defaults.cbcRandomIV = PR_TRUE;
+ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
}
}
#endif /* NSS_HAVE_GETENV */

View File

@ -1,15 +0,0 @@
diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass 2012-10-07 15:12:25.455307540 -0700
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-10-07 15:21:27.229346754 -0700
@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
static PRStatus SSL_BypassSetup(void)
{
#ifdef NO_PKCS11_BYPASS
- /* Guarantee binary compatibility */
- return PR_SUCCESS;
+ /* We can safely return failure as we have never supported it */
+ return PR_FALSE;
#else
return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
#endif

118
nss-util-config.in Normal file
View File

@ -0,0 +1,118 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
nss-util.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: %NSSUTIL_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

1577
nss.spec

File diff suppressed because it is too large Load Diff

View File

@ -1,93 +0,0 @@
diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk
--- ./mozilla/security/coreconf/Linux.mk.sytemfreebl 2011-12-03 22:07:23.924156119 -0800
+++ ./mozilla/security/coreconf/Linux.mk 2011-12-03 22:08:28.322328345 -0800
@@ -182,6 +182,9 @@ endif
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz
+USE_SYSTEM_FREEBL = 1
+FREEBL_LIBS = -lfreebl3
+
# The -rpath '$$ORIGIN' linker option instructs this library to search for its
# dependencies in the same directory where it resides.
ifeq ($(BUILD_SUN_PKG), 1)
diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security/nss/lib/ckfw/pem/config.mk
--- ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/config.mk 2011-06-21 18:20:04.484985568 -0700
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
# are specifed as dependencies within rules.mk.
#
+
+EXTRA_LIBS += \
+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+
TARGETS = $(SHARED_LIBRARY)
LIBRARY =
IMPORT_LIBRARY =
@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
MKSHLIB += -R '$$ORIGIN'
endif
+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_NSSUTIL
+OS_LIBS += $(NSSUTIL_LIBS)
+else
+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(NSSUTIL_LIBS)
+endif
+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_FREEBL
+OS_LIBS += $(FREEBL_LIBS)
+else
+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(FREEBL_LIBS)
+endif
+
diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/nss/lib/ckfw/pem/Makefile
--- ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/Makefile 2011-06-21 18:25:25.959136920 -0700
@@ -43,8 +43,7 @@ include config.mk
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
$(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
@@ -56,6 +55,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3
$(NULL)
else
EXTRA_SHARED_LIBS += \
@@ -74,6 +76,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3 \
$(NULL)
endif
diff -up ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras ./mozilla/security/nss/lib/ckfw/pem/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/manifest.mn 2011-06-21 18:20:04.485985661 -0700
@@ -65,4 +65,4 @@ REQUIRES = nspr
LIBRARY_NAME = nsspem
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

56
pkcs11.txt.xml Normal file
View File

@ -0,0 +1,56 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pkcs11.txt">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>pkcs11.txt</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>pkcs11.txt</refname>
<refpurpose>NSS PKCS #11 module configuration file</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para>
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
</para>
<para>
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

View File

@ -1,12 +0,0 @@
diff -up mozilla/security/nss/lib/ssl/sslsock.c.transitional mozilla/security/nss/lib/ssl/sslsock.c
--- mozilla/security/nss/lib/ssl/sslsock.c.transitional 2011-10-06 10:37:47.156659000 -0700
+++ mozilla/security/nss/lib/ssl/sslsock.c 2011-10-06 10:38:32.276704000 -0700
@@ -182,7 +182,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE /* cbcRandomIV */

63
secmod.db.xml Normal file
View File

@ -0,0 +1,63 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="secmod.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>secmod.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmod.db</refname>
<refpurpose>Legacy NSS security modules database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
</para>
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
</para>
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

106
setup-nsssysinit.xml Normal file
View File

@ -0,0 +1,106 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="setup-nsssysinit">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>setup-nsssysinit</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>setup-nsssysinit</refname>
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>setup-nsssysinit</command>
<arg><option>on</option></arg>
<arg><option>off</option></arg>
<arg><option>status</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>on</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>off</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>status</option></term>
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for the status of nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit status
</programlisting>
</para>
<para>The following example, when run as superuser, will turn on nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit on
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

15
sources
View File

@ -1,9 +1,6 @@
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert
2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2
0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing
43be35fcc852361748b59ba8ecd2e239 nss-3.14.3-stripped.tar.bz2
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

View File

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: nss openssl" >> $(METADATA)
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,4 @@
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
Description: NSS tools should not use SHA1 by default when
Author: Hubert Kario <hkario@redhat.com>
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

View File

@ -0,0 +1,125 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="nss"
PACKAGES="nss openssl"
DBDIR="nssdb"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm --all
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "mkdir nssdb"
rlRun "certutil -N -d $DBDIR --empty-password"
rlLogInfo "Create a JAR file"
rlRun "mkdir java-dir"
rlRun "pushd java-dir"
rlRun "mkdir META-INF mypackage"
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
rlRun "popd"
#rlRun "mv java-dir/package.jar ."
rlPhaseEnd
rlPhaseStartTest "Self signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Certificate request"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Certificate request with SHA1"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Signing CMS messages"
rlRun "echo 'This is a document' > document.txt"
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
rlAssertGrep "algorithm: sha256" $rlRun_LOG
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "CRL signing"
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
rlRun "echo addext crlNumber 0 1245 >>script"
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
rlRun "echo addext reasonCode 0 0 >>script"
rlRun "cat script"
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

12
tests/tests.yml Normal file
View File

@ -0,0 +1,12 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- NSS-tools-should-not-use-SHA1-by-default-when
required_packages:
- nss-tools
- nss