Compare commits
16 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
8717d6f440 | ||
|
f002359684 | ||
|
5c8d0c9dc8 | ||
|
322fc2fe6a | ||
|
8f809a2ad3 | ||
|
5fa4ca6305 | ||
|
b85b8ae15c | ||
|
de815a3b94 | ||
|
fbe7ee8ba4 | ||
|
1aa83c28c1 | ||
|
4151e80088 | ||
|
09bd50715f | ||
|
da4d943b09 | ||
|
f4e07c6887 | ||
|
b3e4df57b7 | ||
|
2b0c47748c |
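--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,11 @@ TestUser51.cert
 /nss-3.30.2.tar.gz
 /nss-3.31.0.tar.gz
 /nss-3.32.0.tar.gz
+/nss-3.33.0.tar.gz
+/nss-3.34.0.tar.gz
+/nss-3.35.0.tar.gz
+/nss-3.36.0.tar.gz
+/nss-3.36.1.tar.gz
+/nss-3.37.3.tar.gz
+/nss-3.38.0.tar.gz
+/nss-3.39.tar.gz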
220
iquote.patch
220
iquote.patch
@ -1,211 +1,13 @@
|
|||||||
diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile
|
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
|
||||||
--- ./nss/cmd/certcgi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
|
||||||
+++ ./nss/cmd/certcgi/Makefile 2016-03-05 12:04:06.216474144 -0800
|
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
|
||||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
SQLITE_LIB_NAME = sqlite3
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile
|
|
||||||
--- ./nss/cmd/certutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/certutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
|
||||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
|
|
||||||
--- ./nss/cmd/lib/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/lib/Makefile 2016-03-05 12:04:06.216474144 -0800
|
|
||||||
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
|
|
||||||
--- ./nss/cmd/modutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/modutil/Makefile 2016-03-05 12:04:06.216474144 -0800
|
|
||||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
|
|
||||||
--- ./nss/cmd/selfserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/selfserv/Makefile 2016-03-05 12:04:06.216474144 -0800
|
|
||||||
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
|
|
||||||
--- ./nss/cmd/ssltap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/ssltap/Makefile 2016-03-05 12:04:06.216474144 -0800
|
|
||||||
@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
|
|
||||||
--- ./nss/cmd/strsclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/strsclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
|
|
||||||
--- ./nss/cmd/tstclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/tstclnt/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
#include ../platlibs.mk
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
|
|
||||||
--- ./nss/cmd/vfyserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/cmd/vfyserv/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
#include ../platlibs.mk
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
|
|
||||||
--- ./nss/coreconf/location.mk.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/coreconf/location.mk 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -45,6 +45,10 @@ endif
|
|
||||||
|
|
||||||
ifdef NSS_INCLUDE_DIR
|
|
||||||
INCLUDES += -I$(NSS_INCLUDE_DIR)
|
|
||||||
+ ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
|
||||||
+ INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+ INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
+ endif
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifndef NSS_LIB_DIR
|
+# Prefer in-tree headers over system headers
|
||||||
diff -up ./nss/gtests/pk11_gtest/Makefile.iquote ./nss/gtests/pk11_gtest/Makefile
|
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
|
||||||
--- ./nss/gtests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
|
||||||
+++ ./nss/gtests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800
|
+endif
|
||||||
@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
+
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
MK_LOCATION = included
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/gtests/ssl_gtest/Makefile.iquote ./nss/gtests/ssl_gtest/Makefile
|
|
||||||
--- ./nss/gtests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/gtests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800
|
|
||||||
@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile
|
|
||||||
--- ./nss/lib/certhigh/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/lib/certhigh/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile
|
|
||||||
--- ./nss/lib/cryptohi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/lib/cryptohi/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile
|
|
||||||
--- ./nss/lib/nss/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/lib/nss/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
+INCLUDES += -iquote $(DIST)/../private/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile
|
|
||||||
--- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/lib/pk11wrap/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile
|
|
||||||
--- ./nss/lib/ssl/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800
|
|
||||||
+++ ./nss/lib/ssl/Makefile 2016-03-05 12:04:06.217474124 -0800
|
|
||||||
@@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
|
|
||||||
# (6) Execute "component" rules. (OPTIONAL) #
|
|
||||||
#######################################################################
|
|
||||||
|
|
||||||
-
|
|
||||||
+INCLUDES += -iquote $(DIST)/../public/nss
|
|
||||||
|
|
||||||
#######################################################################
|
|
||||||
# (7) Execute "local" rules. (OPTIONAL). #
|
|
||||||
|
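Review bot: The rewritten patch makes the two `-iquote` additions conditional on `ifdef IN_TREE_FREEBL_HEADERS_FIRST` (new side of the location.mk hunk), and no nss.spec hunk visible on this page exports that variable — the %build hunks add `NSS_FORCE_FIPS` and `LDFLAGS` only. If the spec does not set it elsewhere, Patch50 is a no-op and the in-tree public/private headers no longer take priority over older system headers, which is the reason the spec comment gives for carrying the patch; either export it in %build next to `FREEBL_NO_DEPEND` or drop the guard. The comment on the new side could name the switch so the dependency is visible from the patch itself: `# Prefer in-tree headers over system headers (only when IN_TREE_FREEBL_HEADERS_FIRST is set)`.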
@ -1,11 +0,0 @@
|
|||||||
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
|
|
||||||
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
|
|
||||||
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
|
|
||||||
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
|
|
||||||
realcerts.cfg
|
|
||||||
dsa.cfg
|
|
||||||
revoc.cfg
|
|
||||||
-ocsp.cfg
|
|
||||||
crldp.cfg
|
|
||||||
trustanchors.cfg
|
|
||||||
nameconstraints.cfg
|
|
@ -1,49 +0,0 @@
|
|||||||
diff -up nss/lib/pk11wrap/pk11pars.c.check_policy_file nss/lib/pk11wrap/pk11pars.c
|
|
||||||
--- nss/lib/pk11wrap/pk11pars.c.check_policy_file 2017-01-06 13:21:47.002952050 +0100
|
|
||||||
+++ nss/lib/pk11wrap/pk11pars.c 2017-01-06 13:28:18.972536334 +0100
|
|
||||||
@@ -109,6 +109,7 @@ secmod_NewModule(void)
|
|
||||||
*other flags are set */
|
|
||||||
#define SECMOD_FLAG_MODULE_DB_SKIP_FIRST 0x02
|
|
||||||
#define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
|
|
||||||
+#define SECMOD_FLAG_MODULE_DB_POLICY_ONLY 0x08
|
|
||||||
|
|
||||||
/* private flags for internal (field in SECMODModule). */
|
|
||||||
/* The meaing of these flags is as follows:
|
|
||||||
@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
|
|
||||||
if (NSSUTIL_ArgHasFlag("flags", "defaultModDB", nssc)) {
|
|
||||||
flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
|
|
||||||
}
|
|
||||||
+ if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
|
|
||||||
+ flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
|
|
||||||
+ }
|
|
||||||
/* additional moduleDB flags could be added here in the future */
|
|
||||||
mod->isModuleDB = (PRBool)flags;
|
|
||||||
}
|
|
||||||
@@ -744,6 +748,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
|
|
||||||
}
|
|
||||||
|
|
||||||
PRBool
|
|
||||||
+secmod_PolicyOnly(SECMODModule *mod)
|
|
||||||
+{
|
|
||||||
+ char flags = (char) mod->isModuleDB;
|
|
||||||
+
|
|
||||||
+ return (flags & SECMOD_FLAG_MODULE_DB_POLICY_ONLY) ? PR_TRUE : PR_FALSE;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+PRBool
|
|
||||||
secmod_IsInternalKeySlot(SECMODModule *mod)
|
|
||||||
{
|
|
||||||
char flags = (char)mod->internal;
|
|
||||||
@@ -1661,6 +1673,12 @@ SECMOD_LoadModule(char *modulespec, SECM
|
|
||||||
if (!module) {
|
|
||||||
goto loser;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ /* a policy only stanza doesn't actually get 'loaded'. policy has already
|
|
||||||
+ * been parsed as a side effect of the CreateModuleEx call */
|
|
||||||
+ if (secmod_PolicyOnly(module)) {
|
|
||||||
+ return module;
|
|
||||||
+ }
|
|
||||||
if (parent) {
|
|
||||||
module->parent = SECMOD_ReferenceModule(parent);
|
|
||||||
if (module->internal && secmod_IsInternalKeySlot(parent)) {
|
|
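--- /dev/null
+++ b/nss-load-policy-file.patch
@@ -0,0 +1,79 @@
+# HG changeset patch
+# User David Woodhouse <David.Woodhouse@intel.com>
+# Date 1529655250 -7200
+# Fri Jun 22 10:14:10 2018 +0200
+# Node ID d99e54ca9b6df33025ee9a196b8b942428bbff91
+# Parent 1a13c19d7fab53fd62786e05d6546a4abf66e48d
+Bug 1296263 - Fix loading of PKCS#11 modules from system policy file, r=rrelyea
+
+We currently load the policy file after calling
+STAN_LoadDefaultNSS3TrustDomain(), which causes problems because any
+tokens in the newly-added modules don't get initialised.
+
+Move it up by a few lines and fix up the indentation while we're at it.
+
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
++++ b/lib/nss/nssinit.c
+@@ -702,6 +702,30 @@ nss_Init(const char *configdir, const ch
+if (SECOID_Init() != SECSuccess) {
+goto loser;
+}
++#ifdef POLICY_FILE
++ /* Load the system crypto policy file if it exists,
++ * unless the NSS_IGNORE_SYSTEM_POLICY environment
++ * variable has been set to 1. */
++ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
++ SECMODModule *module = SECMOD_LoadModule(
++ "name=\"Policy File\" "
++ "parameters=\"configdir='sql:" POLICY_PATH "' "
++ "secmod='" POLICY_FILE "' "
++ "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
++ "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
++ parent, PR_TRUE);
++ if (module) {
++ PRBool isLoaded = module->loaded;
++ SECMOD_DestroyModule(module);
++ if (!isLoaded) {
++ goto loser;
++ }
++ }
++ }
++ }
++#endif
+if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
+goto loser;
+}
+@@ -730,30 +754,6 @@ nss_Init(const char *configdir, const ch
+}
+}
+}
+-#ifdef POLICY_FILE
+- /* Load the system crypto policy file if it exists,
+- * unless the NSS_IGNORE_SYSTEM_POLICY environment
+- * variable has been set to 1. */
+- ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+- if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
+- SECMODModule *module = SECMOD_LoadModule(
+- "name=\"Policy File\" "
+- "parameters=\"configdir='sql:" POLICY_PATH "' "
+- "secmod='" POLICY_FILE "' "
+- "flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
+- "NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
+- parent, PR_TRUE);
+- if (module) {
+- PRBool isLoaded = module->loaded;
+- SECMOD_DestroyModule(module);
+- if (!isLoaded) {
+- goto loser;
+- }
+- }
+- }
+- }
+-#endif
+pk11sdr_Init();
+cert_CreateSubjectKeyIDHashTable();
+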
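Review bot: Nothing in the nss.spec hunks on this page wires this new patch in: the patch-list hunk ends with `Patch63: nss-sql-default.patch` and the %prep hunk ends with `%patch63 -p1 -R -b .sql-default` followed by `popd`, so unless a `PatchNN:` declaration and a matching `%patchNN -p1` inside the `pushd nss` block exist outside the shown hunks, the policy-file ordering fix never reaches the build. The test run keeps `export NSS_IGNORE_SYSTEM_POLICY=1` (context in the %check hunk), so an unapplied patch would most likely go unnoticed by %check. The patch body itself is a verbatim move of the `#ifdef POLICY_FILE` block ahead of `STAN_LoadDefaultNSS3TrustDomain()`, as the commit message states; its `a/lib/nss/nssinit.c` paths mean it has to be applied with `-p1` from inside the `pushd nss` block like Patch62 and Patch63.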
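--- /dev/null
+++ b/nss-p11-kit.config
@@ -0,0 +1,4 @@
+name=p11-kit-proxy
+library=p11-kit-proxy.so
+
+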
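Review bot: The module spec names `p11-kit-proxy.so` by bare soname with no path, so the library that actually gets loaded is resolved by the dynamic loader of whichever process initialises NSS rather than by this file; that is the usual p11-kit arrangement, but it should be stated next to the `SourceN:` line that ships this file, and no nss.spec hunk on this page adds such a line or installs the file (the visible Source hunk shows only Source0–Source3), so confirm that wiring exists outside the shown hunks. The `Requires: p11-kit-trust` added in the spec covers the trust module, while the proxy library presumably comes from the main p11-kit package, which no visible hunk requires. The two trailing blank lines look unintended.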
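--- /dev/null
+++ b/nss-sql-default.patch
@@ -0,0 +1,42 @@
+# HG changeset patch
+# User Kai Engert <kaie@kuix.de>
+# Date 1511548994 -3600
+# Fri Nov 24 19:43:14 2017 +0100
+# Node ID b0658ed367633e505d38c0c0f63b801ddbbb21a4
+# Parent 807662e6ba57db5be05036511ac8634466ed473f
+Bug 1377940, Change NSS default storage file format (currently DBM), when no prefix is given, to SQL, r=rrelyea, r=fkiefer
+
+--- a/tests/all.sh
++++ b/tests/all.sh
+@@ -111,6 +111,8 @@ RUN_FIPS=""
+########################################################################
+run_tests()
+{
++ echo "Running test cycle: ${TEST_MODE} ----------------------"
++ echo "List of tests that will be executed: ${TESTS}"
+for TEST in ${TESTS}
+do
+# NOTE: the spaces are important. If you don't include
+@@ -172,8 +174,9 @@ run_cycle_pkix()
+NSS_SSL_TESTS=`echo "${NSS_SSL_TESTS}" | sed -e "s/normal//g" -e "s/fips//g" -e "s/_//g"`
+export -n NSS_SSL_RUN
+
+- # use the default format
++ # use the default format. (unset for the shell, export -n for binaries)
+export -n NSS_DEFAULT_DB_TYPE
++ unset NSS_DEFAULT_DB_TYPE
+
+run_tests
+}
+diff --git a/tests/merge/merge.sh b/tests/merge/merge.sh
+--- a/tests/merge/merge.sh
++++ b/tests/merge/merge.sh
+@@ -98,7 +98,7 @@ merge_init()
+# are dbm databases.
+if [ "${TEST_MODE}" = "UPGRADE_DB" ]; then
+save=${NSS_DEFAULT_DB_TYPE}
+- NSS_DEFAULT_DB_TYPE= ; export NSS_DEFAULT_DB_TYPE
++ NSS_DEFAULT_DB_TYPE=dbm ; export NSS_DEFAULT_DB_TYPE
+fi
+
+certutil -N -d ${CONFLICT1DIR} -f ${R_PWFILE}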
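Review bot: The spec applies this file with `%patch63 -p1 -R -b .sql-default`, i.e. in reverse, but neither the patch nor the bare `Patch63:` line says so, and the file carries only the tests/ hunks of Bug 1377940 (the all.sh echo lines, `unset NSS_DEFAULT_DB_TYPE`, and the `NSS_DEFAULT_DB_TYPE=dbm` upgrade case in merge.sh), not the library-side change the commit title describes. Reversing it therefore only rewinds the test harness; if the intent is to keep DBM as the packaged default, that is not what this patch achieves, so confirm the intent and record it above the Patch line, e.g. `# Reverse-applied (-R in %prep): undo the test-harness changes from upstream Bug 1377940`. Minor: the first file section starts at `--- a/tests/all.sh` with no `diff --git` line, unlike the merge.sh section; patch(1) accepts that, but it is inconsistent within the file.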
160
nss.spec
160
nss.spec
@ -1,27 +1,24 @@
|
|||||||
%global nspr_version 4.16.0
|
%global nspr_version 4.20.0
|
||||||
%global nss_util_version 3.32.0
|
%global nss_util_version 3.39.0
|
||||||
%global nss_softokn_version 3.32.0
|
%global nss_softokn_version 3.39.0
|
||||||
|
%global nss_version 3.39.0
|
||||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
|
||||||
|
|
||||||
# solution taken from icedtea-web.spec
|
# The upstream omits the trailing ".0", while we need it for
|
||||||
%define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
|
# consistency with the pkg-config version:
|
||||||
%ifarch %{multilib_arches}
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1578106
|
||||||
%define alt_ckbi libnssckbi.so.%{_arch}
|
%{lua:
|
||||||
%else
|
rpm.define(string.format("nss_archive_version %s",
|
||||||
%define alt_ckbi libnssckbi.so
|
string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1")))
|
||||||
%endif
|
}
|
||||||
|
|
||||||
# Define if using a source archive like "nss-version.with.ckbi.version".
|
|
||||||
# To "disable", add "#" to start of line, AND a space after "%".
|
|
||||||
#% define nss_ckbi_suffix .with.ckbi.1.93
|
|
||||||
|
|
||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: 3.32.0
|
Version: %{nss_version}
|
||||||
# for Rawhide, please always use release >= 2
|
# for Rawhide, please always use release >= 2
|
||||||
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
|
||||||
Release: 2%{?dist}
|
Release: 1.0%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -30,9 +27,7 @@ Requires: nss-util >= %{nss_util_version}
|
|||||||
# TODO: revert to same version as nss once we are done with the merge
|
# TODO: revert to same version as nss once we are done with the merge
|
||||||
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
Requires: nss-softokn%{_isa} >= %{nss_softokn_version}
|
||||||
Requires: nss-system-init
|
Requires: nss-system-init
|
||||||
Requires(post): %{_sbindir}/update-alternatives
|
Requires: p11-kit-trust
|
||||||
Requires(postun): %{_sbindir}/update-alternatives
|
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
||||||
BuildRequires: nspr-devel >= %{nspr_version}
|
BuildRequires: nspr-devel >= %{nspr_version}
|
||||||
# TODO: revert to same version as nss once we are done with the merge
|
# TODO: revert to same version as nss once we are done with the merge
|
||||||
# Using '>=' but on RHEL the requires should be '='
|
# Using '>=' but on RHEL the requires should be '='
|
||||||
@ -44,12 +39,13 @@ BuildRequires: pkgconfig
|
|||||||
BuildRequires: gawk
|
BuildRequires: gawk
|
||||||
BuildRequires: psmisc
|
BuildRequires: psmisc
|
||||||
BuildRequires: perl-interpreter
|
BuildRequires: perl-interpreter
|
||||||
|
BuildRequires: gcc-c++
|
||||||
|
|
||||||
# nss-pem used to be bundled with the nss package on Fedora -- make sure that
|
# nss-pem used to be bundled with the nss package on Fedora -- make sure that
|
||||||
# programs relying on that continue to work until they are fixed to require
|
# programs relying on that continue to work until they are fixed to require
|
||||||
# nss-pem instead. Once all of them are fixed, the following line can be
|
# nss-pem instead. Once all of them are fixed, the following line can be
|
||||||
# removed. See https://bugzilla.redhat.com/1346806 for details.
|
# removed. See https://bugzilla.redhat.com/1346806 for details.
|
||||||
Requires: nss-pem
|
Requires: nss-pem%{?_isa}
|
||||||
|
|
||||||
# NSS 3.28.1 introduced a curve, that is smaller than a check in old
|
# NSS 3.28.1 introduced a curve, that is smaller than a check in old
|
||||||
# Mozilla code allows.
|
# Mozilla code allows.
|
||||||
@ -64,13 +60,7 @@ Conflicts: seamonkey < 2.46-2
|
|||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1414987
|
||||||
# Conflicts: icecat < 45.5.1-5
|
# Conflicts: icecat < 45.5.1-5
|
||||||
|
|
||||||
%if %{defined nss_ckbi_suffix}
|
Source0: %{name}-%{nss_archive_version}.tar.gz
|
||||||
%define full_nss_version %{version}%{nss_ckbi_suffix}
|
|
||||||
%else
|
|
||||||
%define full_nss_version %{version}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Source0: %{name}-%{full_nss_version}.tar.gz
|
|
||||||
Source1: nss.pc.in
|
Source1: nss.pc.in
|
||||||
Source2: nss-config.in
|
Source2: nss-config.in
|
||||||
Source3: blank-cert8.db
|
Source3: blank-cert8.db
|
||||||
@ -93,24 +83,26 @@ Patch2: add-relro-linker-option.patch
|
|||||||
Patch3: renegotiate-transitional.patch
|
Patch3: renegotiate-transitional.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
||||||
Patch16: nss-539183.patch
|
Patch16: nss-539183.patch
|
||||||
# TODO: Remove this patch when the ocsp test are fixed
|
|
||||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
|
||||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||||
Patch47: utilwrap-include-templates.patch
|
Patch47: utilwrap-include-templates.patch
|
||||||
# TODO remove when we switch to building nss without softoken
|
# TODO remove when we switch to building nss without softoken
|
||||||
Patch49: nss-skip-bltest-and-fipstest.patch
|
Patch49: nss-skip-bltest-and-fipstest.patch
|
||||||
# This patch uses the gcc-iquote dir option documented at
|
# This patch uses the GCC -iquote option documented at
|
||||||
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
||||||
# to place the in-tree directories at the head of the list of list of directories
|
# to give the in-tree headers a higher priority over the system headers,
|
||||||
# to be searched for for header files. This ensures a build even when system
|
# when they are included through the quote form (#include "file.h").
|
||||||
# headers are older. Such is the case when starting an update with API changes or even private export changes.
|
#
|
||||||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
# This ensures a build even when system headers are older. Such is the
|
||||||
|
# case when starting an update with API changes or even private export
|
||||||
|
# changes.
|
||||||
|
#
|
||||||
|
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||||
|
# but it doesn't hurt to keep it.
|
||||||
Patch50: iquote.patch
|
Patch50: iquote.patch
|
||||||
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
||||||
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
|
||||||
Patch59: nss-check-policy-file.patch
|
|
||||||
Patch62: nss-skip-util-gtest.patch
|
Patch62: nss-skip-util-gtest.patch
|
||||||
|
Patch63: nss-sql-default.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Network Security Services (NSS) is a set of libraries designed to
|
Network Security Services (NSS) is a set of libraries designed to
|
||||||
@ -180,20 +172,18 @@ low level services.
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q -n %{name}-%{nss_archive_version}
|
||||||
%setup -q -T -D -n %{name}-%{version}
|
|
||||||
|
|
||||||
%patch2 -p0 -b .relro
|
%patch2 -p0 -b .relro
|
||||||
%patch3 -p0 -b .transitional
|
%patch3 -p0 -b .transitional
|
||||||
%patch16 -p0 -b .539183
|
%patch16 -p0 -b .539183
|
||||||
%patch40 -p0 -b .noocsptest
|
|
||||||
%patch47 -p0 -b .templates
|
%patch47 -p0 -b .templates
|
||||||
%patch49 -p0 -b .skipthem
|
%patch49 -p0 -b .skipthem
|
||||||
%patch50 -p0 -b .iquote
|
%patch50 -p0 -b .iquote
|
||||||
%patch58 -p0 -b .1185708_3des
|
%patch58 -p0 -b .1185708_3des
|
||||||
pushd nss
|
pushd nss
|
||||||
%patch59 -p1 -b .check_policy_file
|
|
||||||
%patch62 -p1 -b .skip_util_gtest
|
%patch62 -p1 -b .skip_util_gtest
|
||||||
|
%patch63 -p1 -R -b .sql-default
|
||||||
popd
|
popd
|
||||||
|
|
||||||
#########################################################
|
#########################################################
|
||||||
@ -225,12 +215,12 @@ popd
|
|||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
NSS_NO_PKCS11_BYPASS=1
|
|
||||||
export NSS_NO_PKCS11_BYPASS
|
|
||||||
|
|
||||||
FREEBL_NO_DEPEND=1
|
FREEBL_NO_DEPEND=1
|
||||||
export FREEBL_NO_DEPEND
|
export FREEBL_NO_DEPEND
|
||||||
|
|
||||||
|
NSS_FORCE_FIPS=1
|
||||||
|
export NSS_FORCE_FIPS
|
||||||
|
|
||||||
# Enable compiler optimizations and disable debugging code
|
# Enable compiler optimizations and disable debugging code
|
||||||
export BUILD_OPT=1
|
export BUILD_OPT=1
|
||||||
|
|
||||||
@ -242,6 +232,9 @@ export BUILD_OPT=1
|
|||||||
XCFLAGS=$RPM_OPT_FLAGS
|
XCFLAGS=$RPM_OPT_FLAGS
|
||||||
export XCFLAGS
|
export XCFLAGS
|
||||||
|
|
||||||
|
LDFLAGS=$RPM_LD_FLAGS
|
||||||
|
export LDFLAGS
|
||||||
|
|
||||||
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
|
||||||
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
|
||||||
|
|
||||||
@ -407,6 +400,8 @@ export SOFTOKEN_LIB_DIR=%{_libdir}
|
|||||||
# disabled by the system policy.
|
# disabled by the system policy.
|
||||||
export NSS_IGNORE_SYSTEM_POLICY=1
|
export NSS_IGNORE_SYSTEM_POLICY=1
|
||||||
|
|
||||||
|
export NSS_FORCE_FIPS=1
|
||||||
|
|
||||||
# enable the following line to force a test failure
|
# enable the following line to force a test failure
|
||||||
# find ./nss -name \*.chk | xargs rm -f
|
# find ./nss -name \*.chk | xargs rm -f
|
||||||
|
|
||||||
@ -477,7 +472,7 @@ popd
|
|||||||
killall $RANDSERV || :
|
killall $RANDSERV || :
|
||||||
|
|
||||||
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
|
if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
|
||||||
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
|
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
|
||||||
else
|
else
|
||||||
TEST_FAILURES=0
|
TEST_FAILURES=0
|
||||||
GREP_EXIT_STATUS=1
|
GREP_EXIT_STATUS=1
|
||||||
@ -526,9 +521,6 @@ echo "test suite completed"
|
|||||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
||||||
|
|
||||||
touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
|
|
||||||
%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
|
|
||||||
|
|
||||||
# Copy the binary libraries we want
|
# Copy the binary libraries we want
|
||||||
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||||
do
|
do
|
||||||
@ -553,7 +545,7 @@ do
|
|||||||
done
|
done
|
||||||
|
|
||||||
# Copy the binaries we want
|
# Copy the binaries we want
|
||||||
for file in certutil cmsutil crlutil modutil pk12util signver ssltap
|
for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
|
||||||
do
|
do
|
||||||
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
|
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
|
||||||
done
|
done
|
||||||
@ -608,42 +600,15 @@ for f in cert8.db cert9.db key3.db key4.db secmod.db; do
|
|||||||
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
|
||||||
done
|
done
|
||||||
|
|
||||||
%clean
|
|
||||||
%{__rm} -rf $RPM_BUILD_ROOT
|
|
||||||
|
|
||||||
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
|
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
|
||||||
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
|
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
|
||||||
# from previous versions of nss.spec
|
# from previous versions of nss.spec
|
||||||
/usr/bin/setup-nsssysinit.sh on
|
/usr/bin/setup-nsssysinit.sh on
|
||||||
|
|
||||||
%post
|
%post
|
||||||
# If we upgrade, and the shared filename is a regular file, then we must
|
|
||||||
# remove it, before we can install the alternatives symbolic link.
|
|
||||||
if [ $1 -gt 1 ] ; then
|
|
||||||
# when upgrading or downgrading
|
|
||||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
|
||||||
rm -f %{_libdir}/libnssckbi.so
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
# Install the symbolic link
|
|
||||||
# FYI: Certain other packages use alternatives --set to enforce that the first
|
|
||||||
# installed package is preferred. We don't do that. Highest priority wins.
|
|
||||||
%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
|
|
||||||
%{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
|
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
if [ $1 -eq 0 ] ; then
|
|
||||||
# package removal
|
|
||||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
|
||||||
else
|
|
||||||
# upgrade or downgrade
|
|
||||||
# If the new installed package uses a regular file (not a symblic link),
|
|
||||||
# then cleanup the alternatives link.
|
|
||||||
if ! test -L %{_libdir}/libnssckbi.so; then
|
|
||||||
%{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
/sbin/ldconfig
|
/sbin/ldconfig
|
||||||
|
|
||||||
|
|
||||||
@ -654,8 +619,6 @@ fi
|
|||||||
%{_libdir}/libnss3.so
|
%{_libdir}/libnss3.so
|
||||||
%{_libdir}/libssl3.so
|
%{_libdir}/libssl3.so
|
||||||
%{_libdir}/libsmime3.so
|
%{_libdir}/libsmime3.so
|
||||||
%ghost %{_libdir}/libnssckbi.so
|
|
||||||
%{_libdir}/nss/libnssckbi.so
|
|
||||||
%dir %{_sysconfdir}/pki/nssdb
|
%dir %{_sysconfdir}/pki/nssdb
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||||
@ -684,6 +647,7 @@ fi
|
|||||||
%{_bindir}/cmsutil
|
%{_bindir}/cmsutil
|
||||||
%{_bindir}/crlutil
|
%{_bindir}/crlutil
|
||||||
%{_bindir}/modutil
|
%{_bindir}/modutil
|
||||||
|
%{_bindir}/nss-policy-check
|
||||||
%{_bindir}/pk12util
|
%{_bindir}/pk12util
|
||||||
%{_bindir}/signver
|
%{_bindir}/signver
|
||||||
%{_bindir}/ssltap
|
%{_bindir}/ssltap
|
||||||
@ -773,6 +737,7 @@ fi
|
|||||||
%{_includedir}/nss3/smime.h
|
%{_includedir}/nss3/smime.h
|
||||||
%{_includedir}/nss3/ssl.h
|
%{_includedir}/nss3/ssl.h
|
||||||
%{_includedir}/nss3/sslerr.h
|
%{_includedir}/nss3/sslerr.h
|
||||||
|
%{_includedir}/nss3/sslexp.h
|
||||||
%{_includedir}/nss3/sslproto.h
|
%{_includedir}/nss3/sslproto.h
|
||||||
%{_includedir}/nss3/sslt.h
|
%{_includedir}/nss3/sslt.h
|
||||||
|
|
||||||
@ -795,6 +760,47 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 3 2018 Daiki Ueno <dueno@redhat.com> - 3.39.0-1.0
|
||||||
|
- Update to NSS 3.39
|
||||||
|
- Use the upstream tarball as it is (rhbz#1578106)
|
||||||
|
|
||||||
|
* Tue Jul 3 2018 Daiki Ueno <dueno@redhat.com> - 3.38.0-1.0
|
||||||
|
- Update to NSS 3.38
|
||||||
|
|
||||||
|
* Tue Jun 5 2018 Daiki Ueno <dueno@redhat.com> - 3.37.3-1.0
|
||||||
|
- Update to NSS 3.37.3
|
||||||
|
|
||||||
|
* Thu Apr 19 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
|
||||||
|
- Update to NSS 3.36.1
|
||||||
|
|
||||||
|
* Fri Mar 9 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1.0
|
||||||
|
- Update to NSS 3.36.0
|
||||||
|
- Add gcc-c++ to BuildRequires (C++ is needed for gtests)
|
||||||
|
- Make test failure detection robuster
|
||||||
|
- Enable test on s390x again
|
||||||
|
|
||||||
|
* Mon Feb 12 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.1
|
||||||
|
- Temporarily ignore test failures on F27 s390x
|
||||||
|
|
||||||
|
* Wed Feb 7 2018 Daiki Ueno <dueno@redhat.com> - 3.35.0-1.0
|
||||||
|
- Update to NSS 3.35.0
|
||||||
|
|
||||||
|
* Tue Nov 14 2017 Daiki Ueno <dueno@redhat.com> - 3.34.0-1.0
|
||||||
|
- Update to NSS 3.34.0
|
||||||
|
|
||||||
|
* Fri Nov 10 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.1
|
||||||
|
- Make sure 32bit nss-pem always be installed with 32bit nss in
|
||||||
|
multlib environment, patch by Kamil Dudka
|
||||||
|
|
||||||
|
* Tue Oct 3 2017 Daiki Ueno <dueno@redhat.com> - 3.33.0-1.0
|
||||||
|
- Update to NSS 3.33.0
|
||||||
|
|
||||||
|
* Tue Oct 3 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.1
|
||||||
|
- Update iquote.patch to really prefer in-tree headers over system headers
|
||||||
|
|
||||||
|
* Fri Sep 15 2017 Daiki Ueno <dueno@redhat.com> - 3.32.1-1.0
|
||||||
|
- Update to NSS 3.32.1
|
||||||
|
|
||||||
* Mon Aug 7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-2
|
* Mon Aug 7 2017 Daiki Ueno <dueno@redhat.com> - 3.32.0-2
|
||||||
- Update to NSS 3.32.0
|
- Update to NSS 3.32.0
|
||||||
|
|
||||||
|
@ -1,12 +1,12 @@
|
|||||||
diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
|
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
|
||||||
--- ./nss/lib/ssl/sslsock.c.transitional 2016-06-23 21:03:16.316480089 -0400
|
--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
|
||||||
+++ ./nss/lib/ssl/sslsock.c 2016-06-23 21:08:07.290202477 -0400
|
+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
|
||||||
@@ -72,7 +72,7 @@ static sslOptions ssl_defaults = {
|
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
|
||||||
PR_FALSE, /* noLocks */
|
.noLocks = PR_FALSE,
|
||||||
PR_FALSE, /* enableSessionTickets */
|
.enableSessionTickets = PR_FALSE,
|
||||||
PR_FALSE, /* enableDeflate */
|
.enableDeflate = PR_FALSE,
|
||||||
- 2, /* enableRenegotiation (default: requires extension) */
|
- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
|
||||||
+ 3, /* enableRenegotiation (default: transitional) */
|
+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
|
||||||
PR_FALSE, /* requireSafeNegotiation */
|
.requireSafeNegotiation = PR_FALSE,
|
||||||
PR_FALSE, /* enableFalseStart */
|
.enableFalseStart = PR_FALSE,
|
||||||
PR_TRUE, /* cbcRandomIV */
|
.cbcRandomIV = PR_TRUE,
|
||||||
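Review bot: The refreshed hunk keeps the downstream default `.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,` in place of upstream's `SSL_RENEGOTIATE_REQUIRES_XTN`, but the patch still carries no explanation of why the distribution diverges. In NSS's ssl.h, SSL_RENEGOTIATE_TRANSITIONAL refuses unsafe renegotiation on server sockets only and still lets client sockets renegotiate with peers that lack the RFC 5746 extension, so it is a deliberately weaker client-side default that upstream documents as intended for a transition period. A short header comment in the patch file stating the rationale and the condition under which the patch can be dropped would let future refreshes re-evaluate it instead of carrying it forward mechanically. The file header for this section is not visible on the page, so the patch's name is inferred from the `.transitional` suffix.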
|
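--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.32.0.tar.gz) = c2947b7e12ab840bba1c591255d037a0c838bc1b36bd7ea00a94c447bf0e95fe4415da284c172acd8c04e3c0d583fcbc900a523230f42558c93692bfde5ba500
+SHA512 (nss-3.39.tar.gz) = 16358c2d8660ca301410b1d39b2eae64fe2ebbbfab797872410e5fcc67f802ef48f4e362edeecb0591626c77013537019094a6a5dfc8d24487b6b6e54564da8f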
|
64
tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
Normal file
64
tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
# Description: NSS tools should not use SHA1 by default when
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
export TESTVERSION=1.0
|
||||||
|
|
||||||
|
BUILT_FILES=
|
||||||
|
|
||||||
|
FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
||||||
|
|
||||||
|
.PHONY: all install download clean
|
||||||
|
|
||||||
|
run: $(FILES) build
|
||||||
|
./runtest.sh
|
||||||
|
|
||||||
|
build: $(BUILT_FILES)
|
||||||
|
test -x runtest.sh || chmod a+x runtest.sh
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -f *~ $(BUILT_FILES)
|
||||||
|
|
||||||
|
|
||||||
|
include /usr/share/rhts/lib/rhts-make.include
|
||||||
|
|
||||||
|
$(METADATA): Makefile
|
||||||
|
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
|
||||||
|
@echo "Name: $(TEST)" >> $(METADATA)
|
||||||
|
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
||||||
|
@echo "Path: $(TEST_DIR)" >> $(METADATA)
|
||||||
|
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
|
||||||
|
@echo "Type: Regression" >> $(METADATA)
|
||||||
|
@echo "TestTime: 10m" >> $(METADATA)
|
||||||
|
@echo "RunFor: nss openssl" >> $(METADATA)
|
||||||
|
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
|
||||||
|
@echo "Priority: Normal" >> $(METADATA)
|
||||||
|
@echo "License: GPLv2" >> $(METADATA)
|
||||||
|
@echo "Confidential: no" >> $(METADATA)
|
||||||
|
@echo "Destructive: no" >> $(METADATA)
|
||||||
|
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
||||||
|
|
||||||
|
rhts-lint $(METADATA)
|
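Review bot: `.PHONY: all install download clean` names three targets this Makefile never defines and omits `run` and `build`, which it does define and which create no file of that name, so a stray file called `build` or `run` in the test directory would make those targets appear up to date. Change it to `.PHONY: all install download clean run build` (the extra names may well be defined by the included rhts-make.include, which is not visible here). `FILES=$(METADATA) runtest.sh Makefile PURPOSE` also references `$(METADATA)` before the include that presumably sets it; that only works because `=` is recursive, so a comment such as `# METADATA comes from rhts-make.include; keep this a recursive (=) assignment` would stop the next maintainer from "fixing" it to `:=`.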
@ -0,0 +1,4 @@
|
|||||||
|
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
Description: NSS tools should not use SHA1 by default when
|
||||||
|
Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates
|
125
tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
Executable file
125
tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
Executable file
@ -0,0 +1,125 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
# Description: NSS tools should not use SHA1 by default when
|
||||||
|
# Author: Hubert Kario <hkario@redhat.com>
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
#
|
||||||
|
# Copyright (c) 2016 Red Hat, Inc.
|
||||||
|
#
|
||||||
|
# This copyrighted material is made available to anyone wishing
|
||||||
|
# to use, modify, copy, or redistribute it subject to the terms
|
||||||
|
# and conditions of the GNU General Public License version 2.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be
|
||||||
|
# useful, but WITHOUT ANY WARRANTY; without even the implied
|
||||||
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||||
|
# PURPOSE. See the GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public
|
||||||
|
# License along with this program; if not, write to the Free
|
||||||
|
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
||||||
|
# Boston, MA 02110-1301, USA.
|
||||||
|
#
|
||||||
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
# Include Beaker environment
|
||||||
|
. /usr/share/beakerlib/beakerlib.sh || exit 1
|
||||||
|
|
||||||
|
PACKAGE="nss"
|
||||||
|
PACKAGES="nss openssl"
|
||||||
|
DBDIR="nssdb"
|
||||||
|
|
||||||
|
rlJournalStart
|
||||||
|
rlPhaseStartSetup
|
||||||
|
rlAssertRpm --all
|
||||||
|
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
||||||
|
rlRun "pushd $TmpDir"
|
||||||
|
rlRun "mkdir nssdb"
|
||||||
|
rlRun "certutil -N -d $DBDIR --empty-password"
|
||||||
|
rlLogInfo "Create a JAR file"
|
||||||
|
rlRun "mkdir java-dir"
|
||||||
|
rlRun "pushd java-dir"
|
||||||
|
rlRun "mkdir META-INF mypackage"
|
||||||
|
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
|
||||||
|
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
|
||||||
|
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
|
||||||
|
rlRun "popd"
|
||||||
|
#rlRun "mv java-dir/package.jar ."
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Self signing certificates"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
|
||||||
|
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Signing certificates"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
|
||||||
|
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Certificate request"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "mkdir srv2db"
|
||||||
|
rlRun "certutil -d srv2db -N --empty-password"
|
||||||
|
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
|
||||||
|
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||||
|
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "rm -rf srv2db"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Certificate request with SHA1"
|
||||||
|
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
|
||||||
|
rlRun "mkdir srv2db"
|
||||||
|
rlRun "certutil -d srv2db -N --empty-password"
|
||||||
|
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
|
||||||
|
rlRun -s "openssl req -noout -text -in srv2.req"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
|
||||||
|
rlRun -s "openssl x509 -in srv2.crt -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlRun "rm -rf srv2db"
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "Signing CMS messages"
|
||||||
|
rlRun "echo 'This is a document' > document.txt"
|
||||||
|
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
|
||||||
|
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
|
||||||
|
rlAssertGrep "algorithm: sha256" $rlRun_LOG
|
||||||
|
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartTest "CRL signing"
|
||||||
|
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
|
||||||
|
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
|
||||||
|
rlRun "echo addext crlNumber 0 1245 >>script"
|
||||||
|
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
|
||||||
|
rlRun "echo addext reasonCode 0 0 >>script"
|
||||||
|
rlRun "cat script"
|
||||||
|
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
|
||||||
|
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
|
||||||
|
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
|
||||||
|
rlPhaseEnd
|
||||||
|
|
||||||
|
rlPhaseStartCleanup
|
||||||
|
rlRun "popd"
|
||||||
|
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
||||||
|
rlPhaseEnd
|
||||||
|
rlJournalPrintText
|
||||||
|
rlJournalEnd
|
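Review bot: The `rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"` step, and the matching one for 'server', report only the exit status of `openssl`, so a certutil failure such as a missing nickname is not caught by rlRun itself and surfaces only indirectly through the later rlAssertGrep on an empty log. Splitting the step keeps both statuses visible: `rlRun "certutil -d $DBDIR -L -n 'CA' -a > ca.pem"` followed by `rlRun -s "openssl x509 -noout -text -in ca.pem"`. Separately, every `rlAssertNotGrep` passes `$rlRun_LOG` unquoted while the neighbouring `rlAssertGrep` calls quote it; quoting it consistently avoids word-splitting should the log path ever contain spaces.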
12
tests/tests.yml
Normal file
12
tests/tests.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
# This first play always runs on the local staging system
|
||||||
|
- hosts: localhost
|
||||||
|
roles:
|
||||||
|
- role: standard-test-beakerlib
|
||||||
|
tags:
|
||||||
|
- classic
|
||||||
|
tests:
|
||||||
|
- NSS-tools-should-not-use-SHA1-by-default-when
|
||||||
|
required_packages:
|
||||||
|
- nss-tools
|
||||||
|
- nss
|
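Review bot: `required_packages` lists only `nss-tools` and `nss`, yet runtest.sh in the same commit pipes every certificate, request, CRL and CMS object into `openssl` for inspection, and the test's Makefile metadata declares `Requires: nss nss-tools openssl`. On a minimal staging system the openssl binary may be absent, in which case every phase fails at the `openssl` call rather than on the NSS default being tested. Add `- openssl` under `required_packages` so the YAML agrees with the Makefile.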