Compare commits

...

93 Commits
f28 ... master

Author SHA1 Message Date
Bob Relyea
614f823eb3 Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled. 2020-05-13 16:02:36 -07:00
Daiki Ueno
26f93fa193 Restore nss-kremlin-ppc64le.patch 2020-05-11 18:38:26 +02:00
Daiki Ueno
047dc3ed4e Update to NSS 3.52 2020-05-11 18:21:55 +02:00
Daiki Ueno
fc0174ead1 Temporarily revert DBM disablement for kernel build failure (#1827902) 2020-04-25 17:16:02 +02:00
Daiki Ueno
3c018618ca Fix the last change 2020-04-20 15:57:28 +02:00
Daiki Ueno
65271d923d Enable conditional builds on DBM 2020-04-20 14:47:27 +02:00
Daiki Ueno
9ae0f0b9e1 Update to NSS 3.51.1
Also disable building DBM backend
2020-04-20 14:24:47 +02:00
Daiki Ueno
2b122e4485 Update to NSS 3.51 2020-04-07 11:18:10 +02:00
Tom Stellard
507a1cebf0 Use __make macro to invoke make
Using the %__make macro makes it possible for an alternative buildroot
to inject its own flags into the make invocation.  This makes it easier
to do trial rebuilds of fedora using different compilers or different
compiler flags.
2020-03-27 15:39:49 +00:00
Daiki Ueno
7f30e21d0f Apply CMAC fixes from upstream 2020-03-05 09:57:34 +01:00
Daiki Ueno
aa7d80b11e Fix build with s390x, due to bundled kremlin source 2020-03-03 16:16:52 +01:00
Daiki Ueno
f512836b78 Fix build on ppc64le, due to bundled kremlin source 2020-02-17 14:30:50 +01:00
Daiki Ueno
58ca69fcaf Update to NSS 3.50 2020-02-17 13:46:37 +01:00
Daiki Ueno
bd89f2ce5c Fix build with gcc 10 2020-02-14 14:28:21 +01:00
Daiki Ueno
9e1e74ca17 Ignore false-positive compiler warnings with gcc 10 2020-02-14 12:07:57 +01:00
Daiki Ueno
37c40ebd3d Update nss-libpkix-maybe-uninitialized.patch 2020-02-14 11:42:12 +01:00
Daiki Ueno
656c979c95 Suppress compiler warning (treated as fatal) in libpkix 2020-02-14 10:48:31 +01:00
Fedora Release Engineering
0b17c92d39 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 19:15:25 +00:00
Daiki Ueno
3c27dc2471 Revert "pass %{_smp_mflags} to make to speed up the build"
This reverts commit 6e689ce0cb.

This still has a race condition and causes the build fail.
2020-01-27 11:07:50 +01:00
Daiki Ueno
36505c331d Update to NSS 3.49.2 2020-01-27 10:24:30 +01:00
Kamil Dudka
6e689ce0cb pass %{_smp_mflags} to make to speed up the build
I tried an uncached build of nss on Fedora 30 VM with 8 CPU cores
and the build time was reduced with this patch from 540 s to 250 s
of wall-clock time.
2020-01-24 11:17:23 +01:00
Daiki Ueno
703a4f9a95 Remove leftover debug command in %build 2020-01-11 09:02:36 +01:00
Daiki Ueno
1e2f8acd14 Fix build on armv7hl with the patch proposed in upstream 2020-01-10 17:26:33 +01:00
Daiki Ueno
74b268dbd9 Update to NSS 3.49 2020-01-10 10:35:28 +01:00
Daiki Ueno
541296170e Update to NSS 3.48 2020-01-03 10:59:30 +01:00
Daiki Ueno
f3ad534c37 Update nss-3.47-certdb-temp-cert.patch 2019-12-04 10:20:43 +01:00
Daiki Ueno
a8a8d020bf Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value 2019-12-03 15:51:55 +01:00
Daiki Ueno
704f2e22d6 Update nss-3.47-certdb-temp-cert.patch to the final version 2019-12-03 09:31:24 +01:00
Daiki Ueno
4f639ad73c Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617) 2019-11-28 16:13:41 +01:00
Daiki Ueno
8c9ed11be4 Update to NSS 3.47.1 2019-11-22 18:01:14 +01:00
Bob Relyea
115989f50d Correct change log error so it doesn't propogate to the next patch 2019-11-06 09:16:51 -08:00
Bob Relyea
2ec4745f30 Resolves: rhbz#1768652
NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.
2019-11-04 13:51:40 -08:00
Daiki Ueno
626f1941fd Install cmac.h required by blapi.h (#1764513) 2019-10-23 10:44:14 +02:00
Daiki Ueno
16706fe38d Update to NSS 3.47 2019-10-22 15:22:45 +02:00
Daiki Ueno
d86af7693a Update to NSS 3.46.1 2019-10-21 13:39:30 +02:00
Daiki Ueno
fa84af3e06 Require NSPR 4.22 2019-09-04 06:31:23 +02:00
Daiki Ueno
2f14d11d0d Update to NSS 3.46 2019-09-03 09:42:24 +02:00
Daiki Ueno
3f3c20ae17 Update to NSS 3.45 2019-08-29 15:38:15 +02:00
Fedora Release Engineering
326f5d0c9a - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 22:36:13 +00:00
Daiki Ueno
c5b7db61f4 Fix CAVS testdir creation 2019-07-03 15:59:50 +02:00
Daiki Ueno
7b734a0c80 Restore files removed by the previous commit 2019-07-02 12:57:50 +02:00
Daiki Ueno
c7e445694f Update to NSS 3.44.1 2019-07-02 12:55:10 +02:00
Daiki Ueno
3ea5d2fb0e Skip TLS 1.3 tests under FIPS mode 2019-05-20 11:09:19 +02:00
Daiki Ueno
4567b678cc Update to NSS 3.44 2019-05-17 13:03:12 +02:00
Daiki Ueno
141e716639 Fix PKCS#11 module leak if C_GetSlotInfo() failed 2019-05-06 18:33:40 +02:00
Elio Maldonado
5deb5dd362 Update nspr_version to 4.21.0 and remove obsolete comment 2019-03-26 08:25:09 -07:00
Daiki Ueno
d3f6891026 Update to NSS 3.43 2019-03-21 10:33:02 +01:00
Daiki Ueno
df8d75ac51 Update to NSS 3.42.1 2019-02-11 13:01:36 +01:00
Daiki Ueno
b3b17b08a0 Update to NSS 3.42 2019-02-08 11:31:29 +01:00
Daiki Ueno
455711f1df Simplify test failure detection in %check
There is the same logic in the upstream script:
https://hg.mozilla.org/projects/nss/file/tip/tests/common/cleanup.sh#l56
2019-02-08 10:59:35 +01:00
Fedora Release Engineering
0e03f768ab - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 16:32:50 +00:00
Daiki Ueno
e5e5a75933 Rebuild with recent changes
- Remove prelink.conf as prelink was removed in F24, suggested by
  Harald Reindl
- Use quilt for %%autopatch
- Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
- Silence %%post/%%postun scriptlets, suggested by Ian Collier
2019-01-11 11:53:52 +01:00
Daiki Ueno
431c940fc5 Silence %post/%postun scriptlets
Suggested by Ian Collier in:
https://bugzilla.redhat.com/show_bug.cgi?id=1665053
2019-01-11 10:05:53 +01:00
Daiki Ueno
41b9b6b6a1 Make nss-sysinit require arch-specific nss package
Suggested by Igor Gnatenko in:
https://bugzilla.redhat.com/show_bug.cgi?id=1663136
2019-01-09 13:08:49 +01:00
Daiki Ueno
f572eae5ce Use quilt for %autopatch 2018-12-19 16:28:50 +01:00
Daiki Ueno
b250b65666 Remove prelink.conf as prelink was removed in F24
Suggested by Harald Reindl in:
https://bugzilla.redhat.com/show_bug.cgi?id=1659674
2018-12-18 16:22:25 +01:00
Daiki Ueno
5221baae09 Fix the last commit 2018-12-10 16:17:16 +01:00
Daiki Ueno
cab16c0490 Revert "Switch to gyp buildsystem"
It turned out that libpkix cannot be enabled in gyp build.

This reverts commit 390eaefc52.
2018-12-10 15:36:58 +01:00
Daiki Ueno
af46412ffe Partially revert 7bdb9fac17 2018-12-10 12:49:17 +01:00
Daiki Ueno
e557c2c2a1 Update to NSS 3.41 2018-12-10 10:45:52 +01:00
Daiki Ueno
8be7f95db1 Stop using the custom versioning scheme 2018-12-10 10:39:33 +01:00
Daiki Ueno
7bdb9fac17 Minor cleanup of spec
- expand %%allTools as it is used only once
- remove unnecessary pushd/popd
2018-12-10 10:39:14 +01:00
Daiki Ueno
71d6df3266 Use %%autopatch 2018-12-06 13:51:04 +01:00
Daiki Ueno
390eaefc52 Switch to gyp buildsystem 2018-12-06 13:48:33 +01:00
Daiki Ueno
4b42d21883 Remove unnecessary patches 2018-12-06 10:23:36 +01:00
Daiki Ueno
ec4d144b47 Update to NSS 3.40.1 2018-12-06 10:12:42 +01:00
Daiki Ueno
705e2b3229 Fix Source0 URL 2018-11-27 14:56:16 +01:00
Daiki Ueno
26c062714a Modernize spec file
Suggested by Robert-André Mauchin in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3JTN2YN3HM47UKSVTSANB4MO4UJDJPF5/
2018-11-19 15:47:27 +01:00
Daiki Ueno
c29d479b7f Consolidate nss-util, nss-softokn, and nss into a single package 2018-11-14 10:00:13 +01:00
Daiki Ueno
18c140b4c2 Fix FTBFS with expired test certs 2018-11-14 09:58:06 +01:00
Daiki Ueno
bdf4e9ddaf Fix LDFLAGS injection when creating DSO 2018-09-13 16:15:14 +02:00
Daiki Ueno
93c1de8b0d Allow SSLKEYLOGFILE 2018-09-03 14:00:45 +02:00
Daiki Ueno
db341dd2e0 Update to NSS 3.39 2018-09-03 13:55:21 +02:00
Kai Engert
89b8b47d46 Backport upstream addition of nss-policy-check utility, rhbz#1428746 2018-07-20 16:09:32 +02:00
Fedora Release Engineering
e4c3da9da7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 14:31:25 +00:00
Jason Tibbitts
137780ff5d Remove needless use of %defattr 2018-07-10 02:12:27 -05:00
Daiki Ueno
6f4f615c05 Install crypto-policies configuration file for p11-kit-proxy 2018-07-03 13:31:49 +02:00
Daiki Ueno
2b3aa61f20 Update to NSS 3.38 2018-07-02 16:10:47 +02:00
Daiki Ueno
3b822a7262 Backport fix for handling DTLS application_data before handshake 2018-06-06 11:18:51 +02:00
Daiki Ueno
8d5d06f814 Drop more tests failing intermittently 2018-06-06 10:17:29 +02:00
Daiki Ueno
26f23aeeb6 Disable tests failing intermittently 2018-06-05 16:40:58 +02:00
Daiki Ueno
dfa19ec931 Update to NSS 3.37.3 2018-06-05 13:52:07 +02:00
Daiki Ueno
e874285f92 Temporarily disable AlertBeforeServerHello test on all archtectures 2018-06-04 09:46:39 +02:00
Daiki Ueno
abfbe95c8d Temporarily disable AlertBeforeServerHello test on s390x and aarch64 2018-06-01 17:13:57 +02:00
Daiki Ueno
e42c9742c4 Update to NSS 3.37.1 2018-05-28 17:25:42 +02:00
Kai Engert
93dca340cd add missing file nss-moz1458518.patch 2018-05-02 16:08:29 +02:00
Kai Engert
a24d6b1353 Upstream patch to keep nicknames stable on repeated certificate import into SQL DB, mozbz#1458518 2018-05-02 16:01:40 +02:00
Daiki Ueno
418745fdce Update to NSS 3.36.1 2018-04-11 12:41:21 +02:00
Daiki Ueno
03874d1272 Fix partial injection of LDFLAGS 2018-03-12 15:20:53 +01:00
Daiki Ueno
2007524db8 Remove obsolete Conflicts 2018-03-12 15:04:04 +01:00
Daiki Ueno
67567fd852 Remove nss-3.14.0.0-disble-ocsp-test.patch 2018-03-12 15:03:33 +01:00
Daiki Ueno
2eadf22a1d Make test failure detection robuster 2018-03-09 15:38:51 +01:00
Daiki Ueno
3edcb8bd09 Update to NSS 3.36.0 2018-03-09 13:59:41 +01:00
23 changed files with 1064 additions and 499 deletions

25
.gitignore vendored
View File

@ -24,3 +24,28 @@ TestUser51.cert
/nss-3.33.0.tar.gz
/nss-3.34.0.tar.gz
/nss-3.35.0.tar.gz
/nss-3.36.0.tar.gz
/nss-3.36.1.tar.gz
/nss-3.37.1.tar.gz
/nss-3.37.3.tar.gz
/nss-3.38.0.tar.gz
/nss-3.39.tar.gz
/nss-3.40.1.tar.gz
/nss-3.41.tar.gz
/nss-3.42.tar.gz
/nss-3.42.1.tar.gz
/nss-3.43.tar.gz
/nss-3.44.tar.gz
/nss-3.44.1.tar.gz
/nss-3.45.tar.gz
/nss-3.46.tar.gz
/nss-3.46.1.tar.gz
/nss-3.47.tar.gz
/nss-3.47.1.tar.gz
/nss-3.48.tar.gz
/nss-3.49.tar.gz
/nss-3.49.2.tar.gz
/nss-3.50.tar.gz
/nss-3.51.tar.gz
/nss-3.51.1.tar.gz
/nss-3.52.tar.gz

View File

@ -1,16 +0,0 @@
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
@@ -174,6 +174,12 @@ endif
endif
endif
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS += -Wl,-z,relro
+endif
+
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz

View File

@ -1,11 +0,0 @@
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg
nameconstraints.cfg

View File

@ -1,5 +1,5 @@
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
@ -29,8 +29,8 @@
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{

View File

@ -1,49 +0,0 @@
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
@@ -109,6 +109,7 @@ secmod_NewModule(void)
*other flags are set */
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
/* private flags for internal (field in SECMODModule). */
/* The meaing of these flags is as follows:
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
}
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
+ }
/* additional moduleDB flags could be added here in the future */
mod->isModuleDB = (PRBool)flags;
}
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
}
PRBool
+secmod_PolicyOnly(SECMODModule *mod)
+{
+ char flags = (char) mod->isModuleDB;
+
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
+}
+
+PRBool
secmod_IsInternalKeySlot(SECMODModule *mod)
{
char flags = (char)mod->internal;
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
if (!module) {
goto loser;
}
+
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
+ * been parsed as a side effect of the CreateModuleEx call */
+ if (secmod_PolicyOnly(module)) {
+ return module;
+ }
if (parent) {
module->parent = SECMOD_ReferenceModule(parent);
if (module->internal && secmod_IsInternalKeySlot(parent)) {

View File

@ -0,0 +1,21 @@
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
/* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
+#ifndef NSS_PKCS11_3_0_STRICT
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
#define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
#else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
#endif

31
nss-kremlin-ppc64le.patch Normal file
View File

@ -0,0 +1,31 @@
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
!defined(__clang__)
#include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
typedef unsigned __int128 FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
typedef __uint128_t FStar_UInt128_uint128;
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -26,7 +26,8 @@
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
/* GCC + using native unsigned __int128 support */

4
nss-p11-kit.config Normal file
View File

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

94
nss-signtool-format.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
if (!dir) {
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
errorCount++;
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ errorCount++;
+ return -1;
+ }
if (rm_dash_r(filename))
return -1;
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
errorCount++;
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

View File

@ -1,15 +0,0 @@
diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100
+++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100
@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
ECPERF_SRCDIR =
FREEBL_ECTEST_SRCDIR =
FIPSTEST_SRCDIR =
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+SHLIBSIGN_SRCDIR = shlibsign
+else
SHLIBSIGN_SRCDIR =
+endif
else
BLTEST_SRCDIR = bltest
ECPERF_SRCDIR = ecperf

View File

@ -1,10 +0,0 @@
diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
--- nss/gtests/manifest.mn.skip_util_gtest 2017-08-08 12:45:57.598801125 +0200
+++ nss/gtests/manifest.mn 2017-08-08 12:46:59.682419852 +0200
@@ -31,6 +31,5 @@ endif
DIRS = \
$(LIB_SRCDIRS) \
- $(UTIL_SRCDIRS) \
$(NSS_SRCDIRS) \
$(NULL)

116
nss-softokn-config.in Normal file
View File

@ -0,0 +1,116 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

View File

@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
nss-softokn-dracut.conf Normal file
View File

@ -0,0 +1,3 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

11
nss-softokn.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

118
nss-util-config.in Normal file
View File

@ -0,0 +1,118 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
nss-util.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: %NSSUTIL_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

893
nss.spec

File diff suppressed because it is too large Load Diff

View File

@ -1,12 +0,0 @@
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */

View File

@ -1,23 +0,0 @@
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
@@ -118,18 +118,18 @@
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},

View File

@ -1,56 +0,0 @@
diff -up ./nss/cmd/signtool/sign.c.org ./nss/cmd/signtool/sign.c
--- ./nss/cmd/signtool/sign.c.org 2018-01-18 15:19:59.000000000 +0100
+++ ./nss/cmd/signtool/sign.c 2018-01-29 22:46:32.599450048 +0100
@@ -83,7 +83,12 @@ SignArchive(char *tree, char *keyName, c
/* rsa/dsa to zip */
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
: "rsa"));
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+ tree);
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* Loop through all files & subdirectories, add to archive */
@@ -93,12 +98,22 @@ SignArchive(char *tree, char *keyName, c
}
/* mf to zip */
strcpy(tempfn, "META-INF/manifest.mf");
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+ tree);
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* sf to zip */
sprintf(tempfn, "META-INF/%s.sf", base);
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+ tree);
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
/* Add the rsa/dsa file to the zip archive normally */
@@ -106,7 +121,12 @@ SignArchive(char *tree, char *keyName, c
/* rsa/dsa to zip */
sprintf(tempfn, "META-INF/%s.%s", base, (keyType == dsaKey ? "dsa"
: "rsa"));
- sprintf(fullfn, "%s/%s", tree, tempfn);
+ if (snprintf(fullfn, FNSIZE, "%s/%s", tree, tempfn) >= FNSIZE) {
+ PR_fprintf(errorFD, "buffer overflow, the tree \"%s\" was NOT SUCCESSFULLY SIGNED\n",
+ tree);
+ errorCount++;
+ exit(ERRX);
+ }
JzipAdd(fullfn, tempfn, zipfile, compression_level);
}

View File

@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.35.0.tar.gz) = a9865fd11d8b2ab83b57b1b50fe6f0d3a6d936f7ae4d0817e9dd1bf3e5182ff7f26ebc21fe7490c3dea2b792e4e4302af876ac70750e8e1f4da6bb710fd3002e
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

View File

@ -1,14 +0,0 @@
diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
@@ -3,6 +3,10 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+INCLUDES += -I/usr/include/nss3/templates
+#endif
+
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))