Compare commits

...

2 Commits

Author SHA1 Message Date
Elio Maldonado 2c53d31ef2 Consolidated the three pem module patches into one patch.
- Rename the surving patch to better reflect it's purpose
- This is still a work in progress to be cleaned up further and sent for review
2015-11-12 07:45:00 -08:00
Elio Maldonado b8a1e688a8 Update to NSS 3.21
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
- This is still a work in progress to be cleaned up and submitted for review
2015-11-11 20:44:30 -08:00
5 changed files with 229 additions and 22 deletions

2
.gitignore vendored
View File

@ -10,4 +10,4 @@ TestUser51.cert
/nss-pem-20140125.tar.bz2
/PayPalRootCA.cert
/PayPalICA.cert
/nss-3.20.1.tar.gz
/nss-3.21.0.tar.gz

View File

@ -5,7 +5,7 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
+ /*PRUint16 socketDomain = PR_AF_INET;*/
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -16,7 +16,7 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ ; /*socketDomain = PR_AF_INET_SDP;*/
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
@ -32,7 +32,7 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
+ /*PRUint16 socketDomain = PR_AF_INET;*/
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -43,7 +43,7 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ ; /*socketDomain = PR_AF_INET_SDP;*/
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {

View File

@ -18,7 +18,7 @@
Summary: Network Security Services
Name: nss
Version: 3.20.1
Version: 3.21.0
# for Rawhide, please always use release >= 2
# for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
Release: 2%{?dist}
@ -92,14 +92,13 @@ Patch52: disableSSL2libssl.patch
Patch53: disableSSL2tests.patch
Patch54: tstclnt-ssl2-off-by-default.patch
Patch55: skip_stress_TLS_RC4_128_with_MD5.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1009429
# See https://hg.mozilla.org/projects/nss/raw-rev/dc7bb2f8cc50
Patch56: ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
Patch57: rhbz1185708-enable-ecc-ciphers-by-default.patch
# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# TODO: submit to the interim usptream project
# As of nss-3.21 we compile NSS with -Werror per upstream
# see: https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
# which requires quite a bit of clean up of the PEM module
Patch59: pem-compile-with-Werror.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@ -188,11 +187,8 @@ pushd nss
popd
%patch54 -p0 -b .ssl2_off
%patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
%patch56 -p1 -b .ocsp_sni
pushd nss
%patch57 -p1 -b .1185708
popd
%patch58 -p0 -b .1185708_3des
%patch59 -p0 -b .compile_Werror
#########################################################
# Higher-level libraries and test tools need access to
@ -210,6 +206,17 @@ done
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
# TODO: bring this up with nss upstream
# nssinit.c needs verref.h from nss/lib/util
# copy it locally so it it can find it
%{__cp} ./nss/lib/util/verref.h ./nss/lib/nss/
# ./nss/lib/ssl/sslcon.c needs it also
%{__cp} ./nss/lib/util/verref.h ./nss/lib/ssl/
# and so does smimeutil.c
%{__cp} ./nss/lib/util/verref.h ./nss/lib/smime/
# yet another one, for binst.c
%{__cp} ./nss/lib/util/verref.h ./nss/lib/ckfw/builtins/
##### Remove util/freebl/softoken and low level tools
######## Remove freebl, softoken and util
%{__rm} -rf ./nss/lib/freebl
@ -285,7 +292,11 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
# external tests are causing build problems because they access ssl internal types
# TODO: Investigate as there may be a better solution
export NSS_DISABLE_GTESTS=1
%if %{__isa_bits} == 64
USE_64=1
export USE_64
%endif
@ -389,7 +400,7 @@ export FREEBL_NO_DEPEND
BUILD_OPT=1
export BUILD_OPT
%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
%if %{__isa_bits} == 64
USE_64=1
export USE_64
%endif
@ -551,7 +562,7 @@ do
done
# Copy the binaries we ship as unsupported
for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
for file in atob btoa derdump listsuites ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
do
%{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
@ -702,6 +713,7 @@ fi
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/listsuites
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
@ -806,8 +818,12 @@ fi
%changelog
* Fri Oct 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.1-2
- Update to NSS 3.20.1
* Thu Nov 12 2015 Elio Maldonado Batiz <emaldona@redhat.com> - 3.21.1-2
- Update to NSS 3.21
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
* Wed Sep 30 2015 Elio Maldonado <emaldona@redhat.com> - 3.20.0-6
- Enable ECC cipher-suites by default [hrbz#1185708]

View File

@ -0,0 +1,191 @@
diff -up ./nss/lib/ckfw/pem/ckpem.h.compile_Werror ./nss/lib/ckfw/pem/ckpem.h
--- ./nss/lib/ckfw/pem/ckpem.h.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/ckpem.h 2015-11-12 06:59:07.831377167 -0800
@@ -233,7 +233,7 @@ struct pemLOWKEYPrivateKeyStr {
};
typedef struct pemLOWKEYPrivateKeyStr pemLOWKEYPrivateKey;
-SECStatus ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly);
+int ReadDERFromFile(SECItem ***derlist, char *filename, PRBool ascii, int *cipher, char **ivstring, PRBool certsonly, SECStatus *pError);
const NSSItem * pem_FetchAttribute ( pemInternalObject *io, CK_ATTRIBUTE_TYPE type);
void pem_PopulateModulusExponent(pemInternalObject *io);
NSSCKMDObject * pem_CreateObject(NSSCKFWInstance *fwInstance, NSSCKFWSession *fwSession, NSSCKMDToken *mdToken, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulAttributeCount, CK_RV *pError);
diff -up ./nss/lib/ckfw/pem/pinst.c.compile_Werror ./nss/lib/ckfw/pem/pinst.c
--- ./nss/lib/ckfw/pem/pinst.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pinst.c 2015-11-12 06:59:07.831377167 -0800
@@ -466,15 +466,17 @@ AddCertificate(char *certfile, char *key
{
pemInternalObject *o;
CK_RV error = 0;
+ SECStatus status;
int objid, i;
int nobjs = 0;
SECItem **objs = NULL;
char *ivstring = NULL;
int cipher;
- nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+ nobjs = ReadDERFromFile(&objs, certfile, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */, &status);
if (nobjs <= 0) {
nss_ZFreeIf(objs);
+ /* TODO: map the status to a CK_RV error */
return CKR_GENERAL_ERROR;
}
@@ -513,12 +515,14 @@ AddCertificate(char *certfile, char *key
o = NULL;
if (keyfile) { /* add the private key */
+ SECStatus status;
SECItem **keyobjs = NULL;
int kobjs = 0;
kobjs =
ReadDERFromFile(&keyobjs, keyfile, PR_TRUE, &cipher,
- &ivstring, PR_FALSE);
+ &ivstring, PR_FALSE, &status);
if (kobjs < 1) {
+ /* TODO: map the status to an error */
error = CKR_GENERAL_ERROR;
goto loser;
}
diff -up ./nss/lib/ckfw/pem/pobject.c.compile_Werror ./nss/lib/ckfw/pem/pobject.c
--- ./nss/lib/ckfw/pem/pobject.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/pobject.c 2015-11-12 06:59:07.831377167 -0800
@@ -630,6 +630,8 @@ pem_DestroyInternalObject
if (io->u.key.ivstring)
free(io->u.key.ivstring);
break;
+ case pemAll:
+ return;
}
if (NULL != gobj)
@@ -1044,7 +1046,7 @@ pem_CreateObject
int nobjs = 0;
int i;
int objid;
- pemToken *token;
+ /*pemToken *token = NULL;*/
int cipher;
char *ivstring = NULL;
pemInternalObject *listObj = NULL;
@@ -1073,7 +1075,7 @@ pem_CreateObject
}
slotID = nssCKFWSlot_GetSlotID(fwSlot);
- token = (pemToken *) mdToken->etc;
+ /*token = (pemToken *) mdToken->etc;*/
/*
* only create keys and certs.
@@ -1114,7 +1116,10 @@ pem_CreateObject
}
if (objClass == CKO_CERTIFICATE) {
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_TRUE /* certs only */);
+ SECStatus status;
+ nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring,
+ PR_TRUE /* certs only */, &status);
+ /* TODO: How do we map status to *pError */
if (nobjs < 1)
goto loser;
@@ -1156,11 +1161,14 @@ pem_CreateObject
} else if (objClass == CKO_PRIVATE_KEY) {
/* Brute force: find the id of the certificate, if any, in this slot */
int i;
+ SECStatus status;
SECItem certDER;
CK_SESSION_HANDLE hSession;
PRBool added;
- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */);
+ nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring,
+ PR_FALSE /* keys only */, &status);
+ /* TODO: How do we map status to *pError */
if (nobjs < 1)
goto loser;
diff -up ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror ./nss/lib/ckfw/pem/rsawrapr.c
--- ./nss/lib/ckfw/pem/rsawrapr.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/rsawrapr.c 2015-11-12 06:59:07.831377167 -0800
@@ -93,6 +93,8 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey
return 0;
}
+/* unused functions */
+#if 0
static SHA1Context *SHA1_CloneContext(SHA1Context * original)
{
SHA1Context *clone = NULL;
@@ -215,6 +217,7 @@ oaep_xor_with_h2(unsigned char *salt, un
return SECSuccess;
}
+#endif /* unused functions */
/*
* Format one block of data for public/private key encryption using
diff -up ./nss/lib/ckfw/pem/util.c.compile_Werror ./nss/lib/ckfw/pem/util.c
--- ./nss/lib/ckfw/pem/util.c.compile_Werror 2014-01-23 06:28:18.000000000 -0800
+++ ./nss/lib/ckfw/pem/util.c 2015-11-12 06:59:07.831377167 -0800
@@ -58,7 +58,7 @@
#include <stdarg.h>
#define CHUNK_SIZE 512
-#define PUT_Object(obj,err) \
+#define PUT_Object(obj,pErr) \
{ \
if (count >= size) { \
*derlist = *derlist ? \
@@ -67,7 +67,7 @@
nss_ZNEWARRAY(NULL, SECItem *, \
(size+CHUNK_SIZE) ) ; \
if ((SECItem **)NULL == *derlist) { \
- err = CKR_HOST_MEMORY; \
+ *pErr = CKR_HOST_MEMORY; \
goto loser; \
} \
size += CHUNK_SIZE; \
@@ -133,19 +133,20 @@ static SECStatus FileToItem(SECItem * ds
int
ReadDERFromFile(SECItem *** derlist, char *filename, PRBool ascii,
- int *cipher, char **ivstring, PRBool certsonly)
+ int *cipher, char **ivstring, PRBool certsonly, SECStatus *pError)
{
SECStatus rv;
PRFileDesc *inFile;
int count = 0, size = 0;
SECItem *der = NULL;
- int error;
SECItem filedata;
char *c, *iv;
inFile = PR_Open(filename, PR_RDONLY, 0);
- if (!inFile)
+ if (!inFile) {
+ *pError = SECFailure;
return -1;
+ }
if (ascii) {
/* First convert ascii to binary */
@@ -237,7 +238,7 @@ ReadDERFromFile(SECItem *** derlist, cha
goto loser;
}
if ((certsonly && !key) || (!certsonly && key)) {
- PUT_Object(der, error);
+ PUT_Object(der, pError);
} else {
free(der->data);
free(der);
@@ -255,7 +256,7 @@ ReadDERFromFile(SECItem *** derlist, cha
}
/* NOTE: This code path has never been tested. */
- PUT_Object(der, error);
+ PUT_Object(der, pError);
}
nss_ZFreeIf(filedata.data);

View File

@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
c285ef92de0031cb0a8caa60d396d618 nss-3.20.1.tar.gz
f53ffa490133d29ff930fa4b29bade90 nss-3.21.0.tar.gz