rpms
/
nss
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: rpms:master
Branches Tags
rpms:master
rpms:main-riscv64
rpms:f38-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f38
rpms:f37-riscv64
rpms:f35
rpms:f33-riscv64
rpms:f33
rpms:master-riscv64
rpms:f30
rpms:f31
rpms:f32
rpms:f29
rpms:f28
rpms:private-subpackage
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:private-emaldona-crypto-policy-work
rpms:private-emaldona-upstream-experiment
rpms:private-rebase-work-fedora-rawhide
rpms:f22
rpms:private-nss-rebasework4fedora
rpms:f21
rpms:private-emaldona-rhbz1279912
rpms:private-emaldona-rhbz1009429
rpms:f20
rpms:private-disableSSL2ForF22
rpms:f19
rpms:private-emaldona-bz987189
rpms:private-disableSSL2OnFedora
rpms:private-emaldona-rebase-pem-for-rawhide
rpms:private_pem_cleanup
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:f13
rpms:f12
rpms:f11
rpms:f9
rpms:f10
rpms:f7
rpms:f8
rpms:nss-3_12_6-8_fc14
rpms:nss-3_12_6-7_fc14
rpms:nss-3_12_6-7_fc13
rpms:nss-3_12_6-7_fc12
rpms:nss-3_12_6-6_fc14
rpms:nss-3_12_6-6_fc13
rpms:nss-3_12_6-5_fc12
rpms:nss-3_12_6-5_fc13
rpms:nss-3_12_6-5_fc14
rpms:nss-3_12_6-4_fc12
rpms:nss-3_12_6-4_fc13
rpms:nss-3_12_6-3_fc13
rpms:nss-3_12_6-4_fc14
rpms:nss-3_12_6-3_fc12
rpms:nss-3_12_6-3_fc14
rpms:nss-3_12_6-2_fc12
rpms:nss-3_12_6-2_fc13
rpms:nss-3_12_6-2_fc14
rpms:nss-3_12_6-1_2_fc11
rpms:nss-3_12_6-1_2_fc12
rpms:nss-3_12_6-1_2_fc13
rpms:nss-3_12_6-1_2_fc14
rpms:nss-3_12_6-1_1_fc11
rpms:nss-3_12_6-1_1_fc12
rpms:nss-3_12_6-1_1_fc13
rpms:nss-3_12_6-1_1_fc14
rpms:nss-3_12_6-1_fc14
rpms:nss-3_12_5-9_fc13
rpms:F-13-split
rpms:F-13-start
rpms:nss-3_12_5-8_fc12
rpms:nss-3_12_5-7_fc12
rpms:nss-3_12_5-5_fc13
rpms:nss-3_12_5-4_1_fc12
rpms:nss-3_12_5-3_1_fc11
rpms:nss-3_12_5-3_fc11
rpms:nss-3_12_5-2_fc11
rpms:nss-3_12_5-2_fc12
rpms:nss-3_12_5-1_fc12_14
rpms:nss-3_12_5-1_fc13_13_2
rpms:nss-3_12_5-1_fc12_12_1
rpms:nss-3_12_5-1_fc13_13_1
rpms:nss-3_12_5-1_fc13_13
rpms:nss-3_12_5-1_fc12_12
rpms:nss-3_12_5-1_fc13_11
rpms:nss-3_12_5-1_fc12_10
rpms:nss-3_12_5-1_fc13_9
rpms:nss-3_12_5-1_fc12_8
rpms:nss-3_12_5-1_fc13_7
rpms:nss-3_12_5-1_fc13_6
rpms:nss-3_12_5-1_fc12_5
rpms:nss-3_12_5-1_fc13_4
rpms:nss-3_12_5-1_fc11_3
rpms:nss-3_12_5-1_fc12_2
rpms:nss-3_12_5-1_fc13_1
rpms:nss-3_12_5-1_fc13
rpms:nss-3_12_4-17_fc13
rpms:nss-3_12_4-15_fc12
rpms:nss-3_12_4-13_1_fc13
rpms:nss-3_12_4-14_fc12
rpms:nss-3_12_4-13_fc13
rpms:nss-3_12_4-12_fc12
rpms:F-12-split
rpms:F-12-start
rpms:nss-3_12_4-11_fc12
rpms:nss-3_12_4-10_fc12
rpms:nss-3_12_4-9_fc12
rpms:nss-3_12_3_99_3-2_10_6_fc10
rpms:nss-3_12_4-3_fc11
rpms:nss-3_12_3_99_3-2_10_5_fc10
rpms:nss-3_12_4-2_fc11
rpms:nss-3_12_4-8_fc12
rpms:nss-3_12_4-7_fc12
rpms:nss-3_12_4-6_fc12
rpms:nss-3_12_4-1_fc11
rpms:nss-3_12_4-5_fc12
rpms:nss-3_12_4-4_fc12
rpms:nss-3_12_4-3_fc12
rpms:nss-3_12_4-2_fc12
rpms:nss-3_12_4-1_fc12
rpms:nss-3_12_3_99_3-30_fc12
rpms:nss-3_12_3_99_3-29_fc12
rpms:nss-3_12_3_99_3-28_fc12
rpms:nss-3_12_3_99_3-27_fc12
rpms:nss-3_12_3_99_3-26_fc12
rpms:nss-3_12_3_99_3-25_fc12
rpms:nss-3_12_3_99_3-24_fc12
rpms:nss-3_12_3_99_3-23_fc12
rpms:nss-3_12_3_99_3-22_fc12
rpms:nss-3_12_3_99_3-21_fc12
rpms:nss-3_12_3_99_3-20_fc12
rpms:nss-3_12_3_99_3-19_fc12
rpms:nss-3_12_3_99_3-18_fc12
rpms:nss-3_12_3_99_3-17_fc12
rpms:nss-3_12_3_99_3-16_fc12
rpms:nss-3_12_3_99_3-15_fc12
rpms:nss-3_12_3_99_3-14_fc12
rpms:nss-3_12_3_99_3-13_fc12
rpms:nss-3_12_3_99_3-12_fc12
rpms:nss-3_12_3_99_3-11_fc12
rpms:nss-3_12_3_99_3-10_fc12
rpms:nss-3_12_3_99_3-9_fc12
rpms:nss-3_12_3_99_3-8_fc12
rpms:nss-3_12_3_99_3-7_1_fc12
rpms:nss-3_12_3_99_3-2_11_4_fc11
rpms:nss-3_12_3_99_3-7_fc12
rpms:nss-3_12_3_99_3-2_10_4_fc10
rpms:nss-3_12_3_99_3-2_10_3_fc10
rpms:nss-3_12_3_99_3-2_11_3_fc11
rpms:nss-3_12_3_99_3-6_fc12
rpms:nss-3_12_3_99_3-5_fc12
rpms:nss-3_12_3_99_3-2_11_2_fc11
rpms:nss-3_12_3_99_3-4_fc12
rpms:nss-3_12_3_99_3-2_9_2_fc9
rpms:nss-3_12_3_99_3-2_10_2_fc10
rpms:nss-3_12_3_99_3-3_fc12
rpms:nss-3_12_3_99_3-2_11_1_fc11
rpms:nss-3_12_3_99_3-2_10_1_fc10
rpms:nss-3_12_3_99_3-2_9_1_fc9
rpms:nss-3_12_3_99_3-2_fc9
rpms:nss-3_12_3_99_3-2_fc10
rpms:nss-3_12_3_99_3-2_fc11
rpms:nss-3_12_3_99_3-1_fc9
rpms:nss-3_12_3_99_3-1_fc10
rpms:nss-3_12_3_99_3-1_fc11
rpms:nss-3_12_3_99_3-2_fc12
rpms:nss-3_12_3-4_fc11
rpms:nss-3_12_3-7_fc12
rpms:nss-3_12_3-6_fc12
rpms:nss-3_12_3-5_fc12
rpms:nss-3_12_3-4_fc12
rpms:nss-3_12_3-3_fc11
rpms:F-11-split
rpms:F-11-start
rpms:nss-3_12_3-2_fc11
rpms:nss-3_12_2_99_3-7_fc11
rpms:nss-3_12_2_99_3-6_fc11
rpms:nss-3_12_2_99_3-5_fc11
rpms:nss-3_12_2_99_3-4_fc11
rpms:nss-3_12_2_0-3_fc9
rpms:nss-3_12_2_0-5_fc10
rpms:nss-3_12_2_99_3-3_fc11
rpms:nss-3_12_2_99_3-2_fc11
rpms:nss-3_12_2_99_3-1_fc11
rpms:nss-3_12_2_0-4_fc11
rpms:nss-3_12_2_0-4_fc10
rpms:nss-3_12_2_0-2_fc9
rpms:nss-3_12_2_0-1_1_fc9
rpms:nss-3_12_2_0-1_1_fc8
rpms:nss-3_12_2_0-1_fc8
rpms:nss-3_12_1_1-2_fc8
rpms:nss-3_12_1_1-5_fc9
rpms:nss-3_12_2_0-3_fc10
rpms:F-10-split
rpms:F-10-start
rpms:nss-3_12_2_0-2_fc10
rpms:nss-3_12_1_1-4_fc10
rpms:nss-3_12_1_1-4_fc9
rpms:nss-3_12_1_1-3_fc10
rpms:nss-3_12_1_1-2_fc10
rpms:nss-3_12_1_1-1_fc8
rpms:nss-3_12_1_1-1_fc9
rpms:nss-3_12_1_0-1_fc8
rpms:nss-3_12_1_0-1_fc9
rpms:nss-3_12_1_0-2_fc10
rpms:nss-3_12_0_3-0_9_2_fc9
rpms:nss-3_12_0_3-0_8_3_fc8
rpms:nss-3_12_0_3-7_fc10
rpms:nss-3_12_0_3-6_fc10
rpms:nss-3_12_0_3-5_fc10
rpms:nss-3_12_0_3-4_fc10
rpms:nss-3_12_0_3-0_8_2_fc8
rpms:nss-3_12_0_3-3_fc10
rpms:nss-3_12_0_3-0_8_1_fc8
rpms:nss-3_12_0_3-2_fc10
rpms:nss-3_12_0_3-0_9_1_fc9
rpms:nss-3_11_9-0_7_1_fc7
rpms:nss-3_12_0_1-1_fc9
rpms:F-9-split
rpms:F-9-start
rpms:nss-3_11_99_5-2_fc9
rpms:nss-3_11_99_5-1_fc9
rpms:nss-3_11_99_4-1_fc9
rpms:nss-3_11_99_3-6_fc9
rpms:nss-3_11_99_3-5_fc9
rpms:nss-3_11_99_3-4_fc9
rpms:nss-3_11_99_3-3_fc9
rpms:nss-3_11_99_3-2_fc9
rpms:nss-3_11_99_3-1_fc9
rpms:nss-3_11_99_2b-3_fc9
rpms:nss-3_11_99_2b-2_fc9
rpms:nss-3_11_99_2-2_fc9
rpms:nss-3_11_99_2-1_fc9
rpms:F-8-split
rpms:F-8-start
rpms:nss-3_11_7-10_fc8
rpms:nss-3_11_7-9_fc8
rpms:nss-3_11_7-8_fc8
rpms:nss-3_11_7-7_fc8
rpms:nss-3_11_7-6_fc8
rpms:nss-3_11_7-0_7_2_fc7
rpms:nss-3_11_7-5_fc8
rpms:nss-3_11_7-0_7_1_fc7
rpms:nss-3_11_7-4_fc8
rpms:nss-3_11_7-3_fc8
rpms:nss-3_11_7-2_fc8
rpms:nss-3_11_5-2_fc7
rpms:F-7-split
rpms:F-7-start
rpms:RHPKI-8_0-RHEL5-split
rpms:nss-3_11_5-1_fc7
rpms:nss-3_11_4-5_fc7
rpms:nss-3_11_4-1
rpms:nss-3_11_3-2
rpms:FC-6-split
rpms:nss-3_11_3-1
rpms:nss-3_11_2-2
rpms:nss-3_11_2-1_1
rpms:nss-3_11_2-1
rpms:nss-3_11_1-2
rpms:nss-3_11_1-1
rpms:nss-3_11-4
rpms:FC-5-split
rpms:nss-3_11-3_2
rpms:nss-3_11-3_1
rpms:nss-3_11-3
rpms:nss-3_11-2
rpms:nss-3_11-1
rpms:nss-3_11-0_cvs_2
rpms:nss-3_11-0
rpms:setup-new-module
..
compare: rpms:f17
Branches Tags
rpms:main-riscv64
rpms:f38-riscv64
rpms:f36
rpms:f37
rpms:main
rpms:rawhide
rpms:f38
rpms:f37-riscv64
rpms:f35
rpms:f33-riscv64
rpms:f33
rpms:master-riscv64
rpms:master
rpms:f30
rpms:f31
rpms:f32
rpms:f29
rpms:f28
rpms:private-subpackage
rpms:f27
rpms:f26
rpms:f25
rpms:f24
rpms:f23
rpms:private-emaldona-crypto-policy-work
rpms:private-emaldona-upstream-experiment
rpms:private-rebase-work-fedora-rawhide
rpms:f22
rpms:private-nss-rebasework4fedora
rpms:f21
rpms:private-emaldona-rhbz1279912
rpms:private-emaldona-rhbz1009429
rpms:f20
rpms:private-disableSSL2ForF22
rpms:f19
rpms:private-emaldona-bz987189
rpms:private-disableSSL2OnFedora
rpms:private-emaldona-rebase-pem-for-rawhide
rpms:private_pem_cleanup
rpms:f18
rpms:f17
rpms:f16
rpms:f15
rpms:f14
rpms:f13
rpms:f12
rpms:f11
rpms:f9
rpms:f10
rpms:f7
rpms:f8
rpms:nss-3_12_6-8_fc14
rpms:nss-3_12_6-7_fc14
rpms:nss-3_12_6-7_fc13
rpms:nss-3_12_6-7_fc12
rpms:nss-3_12_6-6_fc14
rpms:nss-3_12_6-6_fc13
rpms:nss-3_12_6-5_fc12
rpms:nss-3_12_6-5_fc13
rpms:nss-3_12_6-5_fc14
rpms:nss-3_12_6-4_fc12
rpms:nss-3_12_6-4_fc13
rpms:nss-3_12_6-3_fc13
rpms:nss-3_12_6-4_fc14
rpms:nss-3_12_6-3_fc12
rpms:nss-3_12_6-3_fc14
rpms:nss-3_12_6-2_fc12
rpms:nss-3_12_6-2_fc13
rpms:nss-3_12_6-2_fc14
rpms:nss-3_12_6-1_2_fc11
rpms:nss-3_12_6-1_2_fc12
rpms:nss-3_12_6-1_2_fc13
rpms:nss-3_12_6-1_2_fc14
rpms:nss-3_12_6-1_1_fc11
rpms:nss-3_12_6-1_1_fc12
rpms:nss-3_12_6-1_1_fc13
rpms:nss-3_12_6-1_1_fc14
rpms:nss-3_12_6-1_fc14
rpms:nss-3_12_5-9_fc13
rpms:F-13-split
rpms:F-13-start
rpms:nss-3_12_5-8_fc12
rpms:nss-3_12_5-7_fc12
rpms:nss-3_12_5-5_fc13
rpms:nss-3_12_5-4_1_fc12
rpms:nss-3_12_5-3_1_fc11
rpms:nss-3_12_5-3_fc11
rpms:nss-3_12_5-2_fc11
rpms:nss-3_12_5-2_fc12
rpms:nss-3_12_5-1_fc12_14
rpms:nss-3_12_5-1_fc13_13_2
rpms:nss-3_12_5-1_fc12_12_1
rpms:nss-3_12_5-1_fc13_13_1
rpms:nss-3_12_5-1_fc13_13
rpms:nss-3_12_5-1_fc12_12
rpms:nss-3_12_5-1_fc13_11
rpms:nss-3_12_5-1_fc12_10
rpms:nss-3_12_5-1_fc13_9
rpms:nss-3_12_5-1_fc12_8
rpms:nss-3_12_5-1_fc13_7
rpms:nss-3_12_5-1_fc13_6
rpms:nss-3_12_5-1_fc12_5
rpms:nss-3_12_5-1_fc13_4
rpms:nss-3_12_5-1_fc11_3
rpms:nss-3_12_5-1_fc12_2
rpms:nss-3_12_5-1_fc13_1
rpms:nss-3_12_5-1_fc13
rpms:nss-3_12_4-17_fc13
rpms:nss-3_12_4-15_fc12
rpms:nss-3_12_4-13_1_fc13
rpms:nss-3_12_4-14_fc12
rpms:nss-3_12_4-13_fc13
rpms:nss-3_12_4-12_fc12
rpms:F-12-split
rpms:F-12-start
rpms:nss-3_12_4-11_fc12
rpms:nss-3_12_4-10_fc12
rpms:nss-3_12_4-9_fc12
rpms:nss-3_12_3_99_3-2_10_6_fc10
rpms:nss-3_12_4-3_fc11
rpms:nss-3_12_3_99_3-2_10_5_fc10
rpms:nss-3_12_4-2_fc11
rpms:nss-3_12_4-8_fc12
rpms:nss-3_12_4-7_fc12
rpms:nss-3_12_4-6_fc12
rpms:nss-3_12_4-1_fc11
rpms:nss-3_12_4-5_fc12
rpms:nss-3_12_4-4_fc12
rpms:nss-3_12_4-3_fc12
rpms:nss-3_12_4-2_fc12
rpms:nss-3_12_4-1_fc12
rpms:nss-3_12_3_99_3-30_fc12
rpms:nss-3_12_3_99_3-29_fc12
rpms:nss-3_12_3_99_3-28_fc12
rpms:nss-3_12_3_99_3-27_fc12
rpms:nss-3_12_3_99_3-26_fc12
rpms:nss-3_12_3_99_3-25_fc12
rpms:nss-3_12_3_99_3-24_fc12
rpms:nss-3_12_3_99_3-23_fc12
rpms:nss-3_12_3_99_3-22_fc12
rpms:nss-3_12_3_99_3-21_fc12
rpms:nss-3_12_3_99_3-20_fc12
rpms:nss-3_12_3_99_3-19_fc12
rpms:nss-3_12_3_99_3-18_fc12
rpms:nss-3_12_3_99_3-17_fc12
rpms:nss-3_12_3_99_3-16_fc12
rpms:nss-3_12_3_99_3-15_fc12
rpms:nss-3_12_3_99_3-14_fc12
rpms:nss-3_12_3_99_3-13_fc12
rpms:nss-3_12_3_99_3-12_fc12
rpms:nss-3_12_3_99_3-11_fc12
rpms:nss-3_12_3_99_3-10_fc12
rpms:nss-3_12_3_99_3-9_fc12
rpms:nss-3_12_3_99_3-8_fc12
rpms:nss-3_12_3_99_3-7_1_fc12
rpms:nss-3_12_3_99_3-2_11_4_fc11
rpms:nss-3_12_3_99_3-7_fc12
rpms:nss-3_12_3_99_3-2_10_4_fc10
rpms:nss-3_12_3_99_3-2_10_3_fc10
rpms:nss-3_12_3_99_3-2_11_3_fc11
rpms:nss-3_12_3_99_3-6_fc12
rpms:nss-3_12_3_99_3-5_fc12
rpms:nss-3_12_3_99_3-2_11_2_fc11
rpms:nss-3_12_3_99_3-4_fc12
rpms:nss-3_12_3_99_3-2_9_2_fc9
rpms:nss-3_12_3_99_3-2_10_2_fc10
rpms:nss-3_12_3_99_3-3_fc12
rpms:nss-3_12_3_99_3-2_11_1_fc11
rpms:nss-3_12_3_99_3-2_10_1_fc10
rpms:nss-3_12_3_99_3-2_9_1_fc9
rpms:nss-3_12_3_99_3-2_fc9
rpms:nss-3_12_3_99_3-2_fc10
rpms:nss-3_12_3_99_3-2_fc11
rpms:nss-3_12_3_99_3-1_fc9
rpms:nss-3_12_3_99_3-1_fc10
rpms:nss-3_12_3_99_3-1_fc11
rpms:nss-3_12_3_99_3-2_fc12
rpms:nss-3_12_3-4_fc11
rpms:nss-3_12_3-7_fc12
rpms:nss-3_12_3-6_fc12
rpms:nss-3_12_3-5_fc12
rpms:nss-3_12_3-4_fc12
rpms:nss-3_12_3-3_fc11
rpms:F-11-split
rpms:F-11-start
rpms:nss-3_12_3-2_fc11
rpms:nss-3_12_2_99_3-7_fc11
rpms:nss-3_12_2_99_3-6_fc11
rpms:nss-3_12_2_99_3-5_fc11
rpms:nss-3_12_2_99_3-4_fc11
rpms:nss-3_12_2_0-3_fc9
rpms:nss-3_12_2_0-5_fc10
rpms:nss-3_12_2_99_3-3_fc11
rpms:nss-3_12_2_99_3-2_fc11
rpms:nss-3_12_2_99_3-1_fc11
rpms:nss-3_12_2_0-4_fc11
rpms:nss-3_12_2_0-4_fc10
rpms:nss-3_12_2_0-2_fc9
rpms:nss-3_12_2_0-1_1_fc9
rpms:nss-3_12_2_0-1_1_fc8
rpms:nss-3_12_2_0-1_fc8
rpms:nss-3_12_1_1-2_fc8
rpms:nss-3_12_1_1-5_fc9
rpms:nss-3_12_2_0-3_fc10
rpms:F-10-split
rpms:F-10-start
rpms:nss-3_12_2_0-2_fc10
rpms:nss-3_12_1_1-4_fc10
rpms:nss-3_12_1_1-4_fc9
rpms:nss-3_12_1_1-3_fc10
rpms:nss-3_12_1_1-2_fc10
rpms:nss-3_12_1_1-1_fc8
rpms:nss-3_12_1_1-1_fc9
rpms:nss-3_12_1_0-1_fc8
rpms:nss-3_12_1_0-1_fc9
rpms:nss-3_12_1_0-2_fc10
rpms:nss-3_12_0_3-0_9_2_fc9
rpms:nss-3_12_0_3-0_8_3_fc8
rpms:nss-3_12_0_3-7_fc10
rpms:nss-3_12_0_3-6_fc10
rpms:nss-3_12_0_3-5_fc10
rpms:nss-3_12_0_3-4_fc10
rpms:nss-3_12_0_3-0_8_2_fc8
rpms:nss-3_12_0_3-3_fc10
rpms:nss-3_12_0_3-0_8_1_fc8
rpms:nss-3_12_0_3-2_fc10
rpms:nss-3_12_0_3-0_9_1_fc9
rpms:nss-3_11_9-0_7_1_fc7
rpms:nss-3_12_0_1-1_fc9
rpms:F-9-split
rpms:F-9-start
rpms:nss-3_11_99_5-2_fc9
rpms:nss-3_11_99_5-1_fc9
rpms:nss-3_11_99_4-1_fc9
rpms:nss-3_11_99_3-6_fc9
rpms:nss-3_11_99_3-5_fc9
rpms:nss-3_11_99_3-4_fc9
rpms:nss-3_11_99_3-3_fc9
rpms:nss-3_11_99_3-2_fc9
rpms:nss-3_11_99_3-1_fc9
rpms:nss-3_11_99_2b-3_fc9
rpms:nss-3_11_99_2b-2_fc9
rpms:nss-3_11_99_2-2_fc9
rpms:nss-3_11_99_2-1_fc9
rpms:F-8-split
rpms:F-8-start
rpms:nss-3_11_7-10_fc8
rpms:nss-3_11_7-9_fc8
rpms:nss-3_11_7-8_fc8
rpms:nss-3_11_7-7_fc8
rpms:nss-3_11_7-6_fc8
rpms:nss-3_11_7-0_7_2_fc7
rpms:nss-3_11_7-5_fc8
rpms:nss-3_11_7-0_7_1_fc7
rpms:nss-3_11_7-4_fc8
rpms:nss-3_11_7-3_fc8
rpms:nss-3_11_7-2_fc8
rpms:nss-3_11_5-2_fc7
rpms:F-7-split
rpms:F-7-start
rpms:RHPKI-8_0-RHEL5-split
rpms:nss-3_11_5-1_fc7
rpms:nss-3_11_4-5_fc7
rpms:nss-3_11_4-1
rpms:nss-3_11_3-2
rpms:FC-6-split
rpms:nss-3_11_3-1
rpms:nss-3_11_2-2
rpms:nss-3_11_2-1_1
rpms:nss-3_11_2-1
rpms:nss-3_11_1-2
rpms:nss-3_11_1-1
rpms:nss-3_11-4
rpms:FC-5-split
rpms:nss-3_11-3_2
rpms:nss-3_11-3_1
rpms:nss-3_11-3
rpms:nss-3_11-2
rpms:nss-3_11-1
rpms:nss-3_11-0_cvs_2
rpms:nss-3_11-0
rpms:setup-new-module

39 Commits
master ... f17

Author SHA1 Message Date
Kai Engert 18a3415a0e - Update expired test certificates (fixed in upstream bug 852781) 2013-04-22 16:13:57 +02:00
Kai Engert 688aef2fc2 * Mon Apr 22 2013 Kai Engert <kaie@redhat.com> - 3.14.3-2 
- Add upstream patch to fix rhbz#872761
 2013-04-22 15:35:31 +02:00
Elio Maldonado 11c34a11a8 Merge branch 'f18' into f17 
- Update to NSS_3_14_3_RTM
 2013-02-23 10:35:23 -08:00
Elio Maldonado 10de960df7 Merge branch 'master' into f18 
- Update to NSS_3_14_RTM
 2013-02-22 10:41:35 -08:00
Elio Maldonado a7508f6a97 Update to NSS_3_14_3_RTM 
- cherry-pick from master to keep the nss-cbc-random-iv-off-by-by-default patch enabled
- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
- Resolves: rhbz#909775 - specfile support for AArch64
- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
- Resolves: rhbz#896651 - PEM module trashes private keys if login fails,
  patch contributed by Nalin Dahyabhai
 2013-02-19 18:12:05 -08:00
Elio Maldonado f48ddc9b79 Merge branch 'f18' into f17 
- Update to NSS_3_14_2_RTM
 2013-02-05 11:17:02 -08:00
Elio Maldonado 966b5e412f Merge branch 'master' into f18 2013-02-04 15:43:44 -08:00
Elio Maldonado cc8dc4398b Don't try to apply path 42 that was removed. 2013-02-03 19:29:42 -08:00
Elio Maldonado 9b0bed55b9 Merge branch 'master' into f18 
Update to NSS_3_14_2_RTM
 2013-02-01 16:57:32 -08:00
Kai Engert 37e12fb581 - Update to NSS_3_14_1_WITH_CKBI_1_93_RTM 2013-01-03 19:16:40 +01:00
Kai Engert fb479754a0 - Update to NSS_3_14_1_WITH_CKBI_1_93_RTM 2013-01-03 19:15:31 +01:00
Elio Maldonado 4729bb6f26 Merge branch 'f18' into f17 
- Update to nss-3.14.1
 2012-12-23 17:38:55 -08:00
Elio Maldonado 57fe405127 Merge branch 'master' into f18 
- Update to NSS_3_14_1_RTM
 2012-12-22 19:18:43 -08:00
Elio Maldonado 9c95ae5deb Merge branch 'master' into f18 2012-12-11 21:58:01 -08:00
Elio Maldonado c5c74121b2 Fix the first hunk so it does what's intended 
- Remove the second hunk so it applies, patch compliens it a previously appled change
- Must investigate why the second part seems to be applied already
 2012-11-28 12:59:48 -08:00
Elio Maldonado c3296995e7 - Reenable patch 29 which is required for stable branches 2012-11-28 11:28:37 -08:00
Elio Maldonado 7f564e02e5 Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it 
- Install nssck.api in /usr/includes/nss3
- cherry-pick merge from master
 2012-11-28 10:38:08 -08:00
Elio Maldonado aec3543d41 Update nss-ssl-cbc-random-iv-off-by-default.patch to account for code upstream code changes 2012-11-23 18:10:26 -08:00
Elio Maldonado b712fb8528 Merge branch 'f18' into f17 
- Update to NSS_3_14_RTM
- Update the license to MPLv2.0
- Bug 870864 - Add support in NSS for Secure Boot
- Bug 871882 - Update the spec file to install sechash.h and also secmodt.h
- Bug 806588 - Disable SSL PKCS #11 bypass at build time and return failure on attempts to enable it at runtime
- Bug 872124 - nss-3.14 breaks fedpkg new-sources - fix pk11wrap locking to prevent 'fedpkg new-sources' and 'fedpkg update' hangs
- Add a dummy source file for testing /preventing fedpkg breakage
- Enable patch to set NSS_SSL_CBC_RANDOM_IV to 1 by default
- Use only -f when removing unwanted headers
- Update nss-589636.patch to apply to httpdserv
- turn off ocsp tests for now
- update various patches on account of upstream source updates
- remove no longer needed patches
 2012-11-23 15:18:13 -08:00
Elio Maldonado 2b57162ae4 Bug 870864 - Add support in NSS for Secure Boot 
- manually merged from master
 2012-11-20 11:16:56 -08:00
Elio Maldonado 7234e68237 Disable bypass code at build time and return failure on attempts to enable at runtime 
- Bug 806588 - Disable SSL PKCS #11 bypass at build time
 2012-11-09 18:52:20 -08:00
Elio Maldonado 0a8619f20d Cherry pick changes from master to fix the build 
- Use Bug-872124-fix-pk11wrap-locking.patch as it is master
- Fix the apply to use -p 0 so it applies cleanly
- Update the changelog date
 2012-11-05 11:06:59 -08:00
Elio Maldonado b285bf571f Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs 
- Bug 872124 - nss-3.14 breaks fedpkg new-sources
- Preliminary fix as patch could change as a result of upstream review
- Renamed the patch file to refer to the correct bug number
 2012-11-04 22:11:09 -08:00
Elio Maldonado 4c9923e854 For scratch build only to test a patch under review 
- Bug 87838 - nss 3.14 breaks fedpkg new-sources
 2012-11-04 12:16:08 -08:00
Elio Maldonado 2fd69995be Add a dummy source file for testing/preventing fedpkg breakage 
- Facilitates testing fedpkg new-sources and upload commands for breakage such as hangs
- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
 2012-11-01 22:23:23 -04:00
Elio Maldonado 304de980b9 Reenable patch to set NSS_SSL_CBC_RANDOM_IV to 1 by default 
- Update the patch to account for the new sources
- Resolves Bug 872124 - nss 3.14 breaks fedpkg new-sources
 2012-11-01 11:16:11 -07:00
Elio Maldonado c061043780 Truly reactivate the patch this time 
- Change the comment to # activate for stable and beta branches
 2012-11-01 10:56:19 -07:00
Elio Maldonado 5ae182f707 Reenable patch to set NSS_SSL_CBC_RANDOM_IV to 1 by default 
- Bug 872124 - nss 3.14 breaks fedpkg new-sources
 2012-11-01 09:48:47 -07:00
Elio Maldonado ae47611986 Fix the spec file so sechash.h gets installed 
- Bug 871882 - missing header: sechash.h in nss 3.14
 2012-10-31 12:40:02 -07:00
Elio Maldonado 7430fa825a Merge branch 'master' into f18 
- Update to NSS_3_14_RTM
- Update the license to MPLv2.0
- Use only -f when removing unwanted headers
- Add secmodt.h to the headers installed by nss-devel
- update nss-589636.patch to apply to httpdserv
- turn off ocsp tests for now
- remove no longer needed patches
- remove secmodt.h now installed by nss-util
 2012-10-27 14:38:50 -04:00
Kai Engert b30891583b * Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1 
- Update to NSS_3_13_6_RTM
 2012-10-06 00:33:02 +02:00
Kai Engert ed2b41da22 * Fri Oct 05 2012 Kai Engert <kaie@redhat.com> - 3.13.6-1 
- Update to NSS_3_13_6_RTM
 2012-10-06 00:25:40 +02:00
Elio Maldonado 9b32b99c51 Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 
- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
- Seletive merge from master
 2012-08-31 17:38:45 -07:00
Elio Maldonado Batiz 4dd8f88a7c Merge branch 'master' into f18 2012-08-28 09:06:29 -07:00
Elio Maldonado 9c6e20fa86 Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 
- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
 2012-08-27 17:17:16 -07:00
Elio Maldonado 10d6713229 Fix pluggable ecc support 
- Build nss in three phases
- Phase 1: build softoken, freebl, and util with NSS_ENABLE_ECC unset
- Phase 2: build the rest of nss (muinus bltest and fipstest) with NSS_ENABLE_ECC and NSS_ECC_MORE_THAN_SUITEB set
- Phase 3: build bltest and fipstest with NSS_ENABLE_ECC unset as in phsae 1
- Seletive merge from f18
 2012-08-13 16:25:21 -07:00
Elio Maldonado 1ca4396f92 Update to NSS_3_13_5_RTM 
- Resolves: Bug 830410 - Missing Requires %{?_isa}
- Use Requires: %{name}%{?_isa} = %{version}-%{release} on tools
- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
- Enable sha224 portion of powerup selftest when running test suites
- Require nspr 4.9.1
- Selective merge from master
 2012-07-01 11:12:23 -07:00
Elio Maldonado 1bdf396693 Keep patch 29 active 2012-04-25 16:48:19 -07:00
Elio Maldonado 724ae96e85 Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3 
- Fix conributed by Kamil Dudka
 2012-04-25 16:45:50 -07:00
41 changed files with 1272 additions and 2686 deletions
Show Stats Expand all files Collapse all files

45
.gitignore vendored
View File

@ -7,45 +7,6 @@ PayPalEE.cert
TestCA.ca.cert
TestUser50.cert
TestUser51.cert
/PayPalRootCA.cert
/PayPalICA.cert
/nss-3.25.0.tar.gz
/nss-3.26.0.tar.gz
/nss-3.27.0.tar.gz
/nss-3.27.2.tar.gz
/nss-3.28.1.tar.gz
/nss-3.29.0.tar.gz
/nss-3.29.1.tar.gz
/nss-3.30.0.tar.gz
/nss-3.30.2.tar.gz
/nss-3.31.0.tar.gz
/nss-3.32.0.tar.gz
/nss-3.32.1.tar.gz
/nss-3.33.0.tar.gz
/nss-3.34.0.tar.gz
/nss-3.35.0.tar.gz
/nss-3.36.0.tar.gz
/nss-3.36.1.tar.gz
/nss-3.37.1.tar.gz
/nss-3.37.3.tar.gz
/nss-3.38.0.tar.gz
/nss-3.39.tar.gz
/nss-3.40.1.tar.gz
/nss-3.41.tar.gz
/nss-3.42.tar.gz
/nss-3.42.1.tar.gz
/nss-3.43.tar.gz
/nss-3.44.tar.gz
/nss-3.44.1.tar.gz
/nss-3.45.tar.gz
/nss-3.46.tar.gz
/nss-3.46.1.tar.gz
/nss-3.47.tar.gz
/nss-3.47.1.tar.gz
/nss-3.48.tar.gz
/nss-3.49.tar.gz
/nss-3.49.2.tar.gz
/nss-3.50.tar.gz
/nss-3.51.tar.gz
/nss-3.51.1.tar.gz
/nss-3.52.tar.gz
/nss-pem-20120811.tar.bz2
/dummy-sources-for-testing
/nss-3.14.3-stripped.tar.bz2

406
0001-sync-up-with-upstream-softokn-changes.patch Normal file
View File

@ -0,0 +1,406 @@
From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Sat, 9 Feb 2013 17:11:00 -0500
Subject: [PATCH] Sync up with upstream softokn changes
- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
- It now compiles with the NSS_3_14_3_BETA1 source
---
mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
1 files changed, 82 insertions(+), 256 deletions(-)
diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
index 5ac4f39..3780d30 100644
--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
@@ -46,6 +46,7 @@
#include "sechash.h"
#include "base.h"
+#include "lowkeyi.h"
#include "secerr.h"
#define RSA_BLOCK_MIN_PAD_LEN 8
@@ -54,9 +55,8 @@
#define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
#define RSA_BLOCK_AFTER_PAD_OCTET 0x00
-#define OAEP_SALT_LEN 8
-#define OAEP_PAD_LEN 8
-#define OAEP_PAD_OCTET 0x00
+/* Needed for RSA-PSS functions */
+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
#define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
return 0;
}
-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
-{
- SHA1Context *clone = NULL;
- unsigned char *pBuf;
- int sha1ContextSize = SHA1_FlattenSize(original);
- SECStatus frv;
- unsigned char buf[FLAT_BUFSIZE];
-
- PORT_Assert(sizeof buf >= sha1ContextSize);
- if (sizeof buf >= sha1ContextSize) {
- pBuf = buf;
- } else {
- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
- if (!pBuf)
- goto done;
- }
-
- frv = SHA1_Flatten(original, pBuf);
- if (frv == SECSuccess) {
- clone = SHA1_Resurrect(pBuf, NULL);
- memset(pBuf, 0, sha1ContextSize);
- }
- done:
- if (pBuf != buf)
- nss_ZFreeIf(pBuf);
- return clone;
+/* Constant time comparison of a single byte.
+ * Returns 1 iff a == b, otherwise returns 0.
+ * Note: For ranges of bytes, use constantTimeCompare.
+ */
+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
+ unsigned char c = ~(a - b | b - a);
+ c >>= 7;
+ return c;
}
-/*
- * Modify data by XORing it with a special hash of salt.
+/* Constant time comparison of a range of bytes.
+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
+ * returns 0.
*/
-static SECStatus
-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
- unsigned char *salt, unsigned int saltlen)
-{
- SHA1Context *sha1cx;
- unsigned char *dp, *dataend;
- unsigned char end_octet;
-
- sha1cx = SHA1_NewContext();
- if (sha1cx == NULL) {
- return SECFailure;
- }
-
- /*
- * Get a hash of salt started; we will use it several times,
- * adding in a different end octet (x00, x01, x02, ...).
- */
- SHA1_Begin(sha1cx);
- SHA1_Update(sha1cx, salt, saltlen);
- end_octet = 0;
-
- dp = data;
- dataend = data + datalen;
-
- while (dp < dataend) {
- SHA1Context *sha1cx_h1;
- unsigned int sha1len, sha1off;
- unsigned char sha1[SHA1_LENGTH];
-
- /*
- * Create hash of (salt || end_octet)
- */
- sha1cx_h1 = SHA1_CloneContext(sha1cx);
- SHA1_Update(sha1cx_h1, &end_octet, 1);
- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
- PORT_Assert(sha1len == SHA1_LENGTH);
-
- /*
- * XOR that hash with the data.
- * When we have fewer than SHA1_LENGTH octets of data
- * left to xor, use just the low-order ones of the hash.
- */
- sha1off = 0;
- if ((dataend - dp) < SHA1_LENGTH)
- sha1off = SHA1_LENGTH - (dataend - dp);
- while (sha1off < SHA1_LENGTH)
- *dp++ ^= sha1[sha1off++];
-
- /*
- * Bump for next hash chunk.
- */
- end_octet++;
- }
-
- SHA1_DestroyContext(sha1cx, PR_TRUE);
- return SECSuccess;
+static unsigned char constantTimeCompare(const unsigned char *a,
+ const unsigned char *b,
+ unsigned int len) {
+ unsigned char tmp = 0;
+ unsigned int i;
+ for (i = 0; i < len; ++i, ++a, ++b)
+ tmp |= *a ^ *b;
+ return constantTimeEQ8(0x00, tmp);
}
-/*
- * Modify salt by XORing it with a special hash of data.
+/* Constant time conditional.
+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
+ * not 0 or 1.
*/
-static SECStatus
-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
- unsigned char *data, unsigned int datalen)
+static unsigned int constantTimeCondition(unsigned int c,
+ unsigned int a,
+ unsigned int b)
{
- unsigned char sha1[SHA1_LENGTH];
- unsigned char *psalt, *psha1, *saltend;
- SECStatus rv;
-
- /*
- * Create a hash of data.
- */
- rv = SHA1_HashBuf(sha1, data, datalen);
- if (rv != SECSuccess) {
- return rv;
- }
-
- /*
- * XOR the low-order octets of that hash with salt.
- */
- PORT_Assert(saltlen <= SHA1_LENGTH);
- saltend = salt + saltlen;
- psalt = salt;
- psha1 = sha1 + SHA1_LENGTH - saltlen;
- while (psalt < saltend) {
- *psalt++ ^= *psha1++;
- }
-
- return SECSuccess;
+ return (~(c - 1) & a) | ((c - 1) & b);
}
/*
@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
unsigned char *block;
unsigned char *bp;
int padLen;
- int i;
+ int i, j;
SECStatus rv;
block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
*/
case RSA_BlockPublic:
- /*
- * 0x00 || BT || Pad || 0x00 || ActualData
- * 1 1 padLen 1 data->len
- * Pad is all non-zero random bytes.
- */
- padLen = modulusLen - data->len - 3;
- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
- nss_ZFreeIf(block);
- return NULL;
- }
- for (i = 0; i < padLen; i++) {
- /* Pad with non-zero random data. */
- do {
- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
- } while (rv == SECSuccess
- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
- bp += padLen;
- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
- nsslibc_memcpy(bp, data->data, data->len);
-
- break;
-
- /*
- * Blocks intended for public-key operation, using
- * Optimal Asymmetric Encryption Padding (OAEP).
- */
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
- *
- * where:
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
- * Salt is random data.
- * Pad1 is all zeros.
- * Pad2, if present, is random data.
- * (The "modified" fields are all the same length as the original
- * unmodified values; they are just xor'd with other values.)
- *
- * Modified1 is an XOR of PaddedData with a special octet
- * string constructed of iterated hashing of Salt (see below).
- * Modified2 is an XOR of Salt with the low-order octets of
- * the hash of Modified1 (see farther below ;-).
- *
- * Whew!
- */
-
-
- /*
- * Salt
- */
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- bp += OAEP_SALT_LEN;
-
- /*
- * Pad1
- */
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
- bp += OAEP_PAD_LEN;
-
- /*
- * Data
- */
- nsslibc_memcpy(bp, data->data, data->len);
- bp += data->len;
-
- /*
- * Pad2
- */
- if (bp < (block + modulusLen)) {
- rv = RNG_GenerateGlobalRandomBytes(bp,
- block - bp + modulusLen);
- if (rv != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
- }
-
- /*
- * Now we have the following:
- * 0x00 || BT || Salt || PaddedData
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
- * as the one entity PaddedData.)
- *
- * We need to turn PaddedData into Modified1.
- */
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN,
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- /*
- * Now we have:
- * 0x00 || BT || Salt || Modified1(PaddedData)
- *
- * The remaining task is to turn Salt into Modified2.
- */
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
- block + 2 + OAEP_SALT_LEN,
- modulusLen - 2 - OAEP_SALT_LEN) !=
- SECSuccess) {
- nss_ZFreeIf(block);
- return NULL;
- }
-
- break;
+ /*
+ * 0x00 || BT || Pad || 0x00 || ActualData
+ * 1 1 padLen 1 data->len
+ * Pad is all non-zero random bytes.
+ *
+ * Build the block left to right.
+ * Fill the entire block from Pad to the end with random bytes.
+ * Use the bytes after Pad as a supply of extra random bytes from
+ * which to find replacements for the zero bytes in Pad.
+ * If we need more than that, refill the bytes after Pad with
+ * new random bytes as necessary.
+ */
+ padLen = modulusLen - (data->len + 3);
+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+ nss_ZFreeIf (block);
+ return NULL;
+ }
+ j = modulusLen - 2;
+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
+ if (rv == SECSuccess) {
+ for (i = 0; i < padLen; ) {
+ unsigned char repl;
+ /* Pad with non-zero random data. */
+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
+ ++i;
+ continue;
+ }
+ if (j <= padLen) {
+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
+ modulusLen - (2 + padLen));
+ if (rv != SECSuccess)
+ break;
+ j = modulusLen - 2;
+ }
+ do {
+ repl = bp[--j];
+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
+ bp[i++] = repl;
+ }
+ }
+ }
+ if (rv != SECSuccess) {
+ /*sftk_fatalError = PR_TRUE;*/
+ nss_ZFreeIf (block);
+ return NULL;
+ }
+ bp += padLen;
+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+ nsslibc_memcpy(bp, data->data, data->len);
+ break;
default:
PORT_Assert(0);
@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
break;
- case RSA_BlockOAEP:
- /*
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
- *
- * The "2" below is the first octet + the second octet.
- * (The other fields do not contain the clear values, but are
- * the same length as the clear values.)
- */
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
- + OAEP_PAD_LEN)));
-
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
- if (result->data == NULL) {
- result->len = 0;
- return SECFailure;
- }
- result->len = modulusLen;
-
- break;
-
case RSA_BlockRaw:
/*
* Pad || ActualData
--
1.7.1

44
Bug-896651-pem-dont-trash-keys-on-failed-login.patch Normal file
View File

@ -0,0 +1,44 @@
--- mozilla/security/nss/lib/ckfw/pem/psession.c
+++ mozilla/security/nss/lib/ckfw/pem/psession.c
@@ -230,6 +230,7 @@ pem_mdSession_Login
unsigned int len = 0;
NSSLOWKEYPrivateKey *lpk = NULL;
PLArenaPool *arena;
+ SECItem plain;
int i;
fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
@@ -306,23 +321,27 @@ pem_mdSession_Login
lpk->keyType = NSSLOWKEYRSAKey;
prepare_low_rsa_priv_key_for_asn1(lpk);
- nss_ZFreeIf(io->u.key.key.privateKey->data);
- io->u.key.key.privateKey->len = len - output[len - 1];
- io->u.key.key.privateKey->data =
- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
/* Decode the resulting blob and see if it is a decodable DER that fits
* our private key template. If so we declare success and move on. If not
* then we return an error.
*/
+ memset(&plain, 0, sizeof(plain));
+ plain.data = output;
+ plain.len = len - output[len - 1];
rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
- io->u.key.key.privateKey);
+ &plain);
pem_DestroyPrivateKey(lpk);
arena = NULL;
if (rv != SECSuccess)
goto loser;
+ nss_ZFreeIf(io->u.key.key.privateKey->data);
+ io->u.key.key.privateKey->len = len - output[len - 1];
+ io->u.key.key.privateKey->data =
+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+
rv = CKR_OK;
loser:

68
STAGE2-nss
View File

@ -1,68 +0,0 @@
#requires nspr
#requires perl
#requires nss-util
#requires nss-softokn
mcd $BUILDDIR/nss
export BUILD_OPT=1
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export NSPR_INCLUDE_DIR=/usr/include/nspr
export NSPR_LIB_DIR=/usr/lib${SUFFIX}
export NSS_USE_SYSTEM_SQLITE=1
export NSS_BUILD_WITHOUT_SOFTOKEN=1
export USE_SYSTEM_SOFTOKEN=1
export SOFTOKEN_LIB_DIR=/usr/lib${SUFFIX}
export NSSUTIL_INCLUDE_DIR=/usr/include/nss3
export NSSUTIL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_NSSUTIL=1
export FREEBL_INCLUDE_DIR=/usr/include/nss3
export FREEBL_LIB_DIR=/usr/lib${SUFFIX}
export USE_SYSTEM_FREEBL=1
export NSS_USE_SYSTEM_FREEBL=1
export FREEBL_NO_DEPEND=1
export IN_TREE_FREEBL_HEADERS_FIRST=1
export NSS_BLTEST_NOT_AVAILABLE=1
export NSS_NO_SSL2_NO_EXPORT=1
export NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_NO_PKCS11_BYPASS=1
#export NSDISTMODE="copy"
if [ "$SUFFIX" = "64" ]; then
USE_64=1
export USE_64
fi
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp nss/lib/ckfw/nssck.api dist/private/nss/)
make -C $SRC/nss-3.*/nss/coreconf
make -C $SRC/nss-3.*/nss/lib/dbm
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/verref.h which is exported privately, move it to where it can be found.
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
make -C $SRC/nss-3.*/nss
cd $SRC/nss-3.*/nss/coreconf
make install
cd $SRC/nss-3.*/nss/lib/dbm
make install
cd $SRC/nss-3.*/nss
make install
# Copy the binary libraries we want
NSSLIBS="libnss3.so libnssckbi.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so"
# BOZO: temporarily disable FIPS140 support
#NSSLIBCHKS="libnssdbm3.chk libfreebl3.chk libsoftokn3.chk"
NSSLIBCHKS=""
# END BOZO
cd $SRC/nss-3.*
for file in $NSSLIBS $NSSLIBCHKS
do
install -p -m 755 dist/*.OBJ/lib/$file /usr/lib${SUFFIX}/
done
# Copy the include files we want
for file in $SRC/nss-*/dist/public/nss/*.h
do
install -p -m 644 $file /usr/include/nss3/
done

16
add-relro-linker-option.patch Normal file
View File

@ -0,0 +1,16 @@
diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
--- mozilla/security/coreconf/Linux.mk.relro 2010-08-12 18:32:29.000000000 -0700
+++ mozilla/security/coreconf/Linux.mk 2011-09-27 16:12:22.234743170 -0700
@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
endif
endif
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS += -Wl,-z,relro
+endif
+
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz

59
cert8.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert8.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert8.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert8.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
cert9.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert9.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert9.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert9.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

13
iquote.patch
View File

@ -1,13 +0,0 @@
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
SQLITE_LIB_NAME = sqlite3
endif
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
MK_LOCATION = included

59
key3.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key3.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key3.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key3.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
key4.db.xml
View File

@ -1,59 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key4.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key4.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key4.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
<para>This key database is the sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

128
mozilla-crypto-strip.sh Executable file
View File

@ -0,0 +1,128 @@
#!/bin/sh
set -e
if test -z $1
then
echo "usage: $0 <input-tarball>"
exit
fi
ORIGDIR=`pwd`
WORKDIR=nss_ecc_strip_working_dir
EXTENSION=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\2#'`
BASE=`echo $1 | sed -r 's#^(.*)(.tar.bz2|.tbz2|.tar.gz|.tgz)$#\1#'`
COMPRESS=""
if test "x$EXTENSION" = "x.tar.bz2" || test "x$EXTENSION" = "x.tbz2"
then
COMPRESS="j"
fi
if test "x$EXTENSION" = "x.tar.gz" || test "x$EXTENSION" = "x.tgz"
then
COMPRESS="z"
fi
if test "x$COMPRESS" = "x"
then
echo "unable to process, input file $1 has unsupported extension"
exit
fi
echo "== extension is $EXTENSION - ok"
echo "== new extension will be $JEXTENSION"
echo "== cleaning old workdir $WORKDIR"
rm -rf $WORKDIR
mkdir $WORKDIR
echo "== extracting input archive $1"
tar -x -$COMPRESS -C $WORKDIR -f $1
echo "changing into $WORKDIR"
pushd $WORKDIR
DIRCOUNT=`ls -1 | wc -l`
if test $DIRCOUNT -ne 1
then
echo "unable to process, $1 contains more than one toplevel directory"
exit
fi
TOPDIR=`ls -1`
if test "x$TOPDIR" != "xmozilla"
then
# try to deal with a single additional subdirectory above "mozilla"
echo "== skipping toplevel directory $TOPDIR"
cd $TOPDIR
fi
DIRCOUNT=`ls -1 | wc -l`
if test $DIRCOUNT -ne 1
then
echo "unable to process, $1 contains more than one second level directory"
exit
fi
SINGLEDIR=`ls -1`
if test "x$SINGLEDIR" != "xmozilla"
then
echo "unable to process, first or second level directory is not mozilla"
exit
fi
echo "== input archive accepted, now processing"
REALFREEBLDIR=mozilla/security/nss/lib/freebl
FREEBLDIR=./$REALFREEBLDIR
rm -rf ./mozilla/security/nss/cmd/ecperf
mv ${FREEBLDIR}/ecl/ecl-exp.h ${FREEBLDIR}/save
rm -rf ${FREEBLDIR}/ecl/tests
rm -rf ${FREEBLDIR}/ecl/CVS
for i in ${FREEBLDIR}/ecl/* ; do
echo clobbering $i
> $i
done
mv ${FREEBLDIR}/save ${FREEBLDIR}/ecl/ecl-exp.h
for j in ${FREEBLDIR}/ec.*; do
echo unifdef $j
cat $j | \
awk 'BEGIN {ech=1; prt=0;} \
/^#[ \t]*ifdef.*NSS_ENABLE_ECC/ {ech--; next;} \
/^#[ \t]*if/ {if(ech < 1) ech--;} \
{if(ech>0) {;print $0};} \
/^#[ \t]*endif/ {if(ech < 1) ech++;} \
{if (prt && (ech<=0)) {;print $0}; } \
{if (ech>0) {prt=0;} } \
/^#[ \t]*else/ {if (ech == 0) prt=1;}' > $j.hobbled && \
mv $j.hobbled $j
done
echo "== returning to original directory"
popd
JCOMPRESS=j
JEXTENSION=.tar.bz2
NEWARCHIVE=$BASE-stripped$JEXTENSION
echo "== finally producing new archive $NEWARCHIVE"
tar -c -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $TOPDIR
echo "== all done, listing of old and new archive:"
ls -l $1
ls -l $NEWARCHIVE
LISTING_DIR=""
if test "x$TOPDIR" != "xmozilla"
then
LISTING_DIR="$TOPDIR/$REALFREEBLDIR/ecl"
else
LISTING_DIR="$REALFREEBLDIR/ecl"
fi
echo "== FYI, producing listing of stripped dir in new archive"
tar -t -v -$JCOMPRESS -C $WORKDIR -f $NEWARCHIVE $LISTING_DIR

39
no-softoken-freebl-tests.patch Normal file
View File

@ -0,0 +1,39 @@
diff -up ./mozilla/security/nss/cmd/Makefile.nosoftokentests ./mozilla/security/nss/cmd/Makefile
--- ./mozilla/security/nss/cmd/Makefile.nosoftokentests 2012-12-22 14:06:13.193304912 -0800
+++ ./mozilla/security/nss/cmd/Makefile 2012-12-22 14:10:04.942248630 -0800
@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS
DIRS += libpkix
endif
+# nss-softoken only tests
+BLTEST_SRCDIR=
+FIPSTEST_SRCDIR=
+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1)
+BLTEST_SRCDIR=bltest # Add the bltest directory to DIRS.
+FIPSTEST_SRCDIR=fipstest # Add the fipstest directory to DIRS.
+endif
+
LOWHASHTEST_SRCDIR=
ifeq ($(FREEBL_LOWHASH),1)
LOWHASHTEST_SRCDIR = lowhashtest # Add the lowhashtest directory to DIRS.
diff -up ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests ./mozilla/security/nss/cmd/manifest.mn
--- ./mozilla/security/nss/cmd/manifest.mn.nosoftokentests 2012-12-22 14:06:35.191293837 -0800
+++ ./mozilla/security/nss/cmd/manifest.mn 2012-12-22 14:11:22.342263467 -0800
@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm
DIRS = lib \
addbuiltin \
atob \
- bltest \
+ $(BLTEST_SRCDIR) \
btoa \
certcgi \
certutil \
@@ -23,7 +23,7 @@ DIRS = lib \
derdump \
digest \
httpserv \
- fipstest \
+ $(FIPSTEST_SRCDIR) \
$(LOWHASHTEST_SRCDIR) \
listsuites \
makepqg \

10
nss-3.14.0.0-disble-ocsp-test.patch Normal file
View File

@ -0,0 +1,10 @@
diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest 2013-01-06 19:56:15.000000000 -0800
+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2013-02-01 08:38:28.140615299 -0800
@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg

74
nss-539183.patch
View File

@ -1,62 +1,62 @@
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
Index: ./mozilla/security/nss/cmd/httpserv/httpserv.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/httpserv/httpserv.c,v
retrieving revision 1.1
diff -u -p -r1.1 httpserv.c
--- ./mozilla/security/nss/cmd/httpserv/httpserv.c 28 Jun 2012 11:11:06 -0000 1.1
+++ ./mozilla/security/nss/cmd/httpserv/httpserv.c 21 Oct 2012 22:22:10 -0000
@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSockett");
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
Index: ./mozilla/security/nss/cmd/selfserv/selfserv.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v
retrieving revision 1.102
diff -u -p -r1.102 selfserv.c
--- ./mozilla/security/nss/cmd/selfserv/selfserv.c 27 Sep 2012 17:13:34 -0000 1.102
+++ ./mozilla/security/nss/cmd/selfserv/selfserv.c 21 Oct 2012 22:22:10 -0000
@@ -1483,14 +1483,18 @@ getBoundListenSocket(unsigned short port
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

34
nss-646045.patch Normal file
View File

@ -0,0 +1,34 @@
diff -up ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot ./mozilla/security/nss/tests/dbtests/dbtests.sh
--- ./mozilla/security/nss/tests/dbtests/dbtests.sh.noroot 2011-04-06 09:56:07.207701000 -0700
+++ ./mozilla/security/nss/tests/dbtests/dbtests.sh 2011-04-06 10:19:54.159552000 -0700
@@ -201,6 +201,9 @@ dbtest_main()
cat $RONLY_DIR/* > /dev/null
fi
+ # skipping the next two tests when user is root,
+ # otherwise they would fail due to rooty powers
+ if [[ $EUID -ne 0 ]] then
${BINDIR}/dbtest -d $RONLY_DIR
ret=$?
if [ $ret -ne 46 ]; then
@@ -208,6 +211,10 @@ dbtest_main()
else
html_passed "Dbtest r/w didn't work in an readonly dir $ret"
fi
+ else
+ html_passed "Skipping Dbtest r/w in a readonly dir because user is root"
+ fi
+ if [[ $EUID -ne 0 ]] then
${BINDIR}/certutil -D -n "TestUser" -d .
ret=$?
if [ $ret -ne 255 ]; then
@@ -215,6 +222,9 @@ dbtest_main()
else
html_passed "Certutil didn't work in an readonly dir $ret"
fi
+ else
+ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root"
+ fi
Echo "test opening the database ronly in a readonly directory"

58
nss-872761.patch Normal file
View File

@ -0,0 +1,58 @@
Index: mozilla/security/nss/cmd/lib/secutil.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/lib/secutil.c,v
retrieving revision 1.126
diff -u -u -r1.126 secutil.c
--- mozilla/security/nss/cmd/lib/secutil.c 7 Jan 2013 04:11:49 -0000 1.126
+++ mozilla/security/nss/cmd/lib/secutil.c 19 Apr 2013 22:43:02 -0000
@@ -504,6 +504,8 @@
/* Read in ascii data */
rv = SECU_FileToItem(&filedata, inFile);
+ if (rv != SECSuccess)
+ return rv;
asc = (char *)filedata.data;
if (!asc) {
fprintf(stderr, "unable to read data from input file\n");
@@ -519,20 +521,28 @@
body = PORT_Strchr(asc, '\r'); /* maybe this is a MAC file */
if (body)
trailer = strstr(++body, "-----END");
- if (trailer != NULL) {
+ if (trailer != NULL)
*trailer = '\0';
- } else {
+ if (!body || !trailer) {
fprintf(stderr, "input has header but no trailer\n");
PORT_Free(filedata.data);
return SECFailure;
}
} else {
- body = asc;
+ /* need one additional byte for zero terminator */
+ rv = SECITEM_ReallocItem(NULL, &filedata, filedata.len, filedata.len+1);
+ if (rv != SECSuccess) {
+ PORT_Free(filedata.data);
+ return rv;
+ }
+ filedata.len = filedata.len+1;
+ body = (char*)filedata.data;
+ body[filedata.len-1] = '\0';
}
/* Convert to binary */
rv = ATOB_ConvertAsciiToItem(der, body);
- if (rv) {
+ if (rv != SECSuccess) {
fprintf(stderr, "error converting ascii to binary (%s)\n",
SECU_Strerror(PORT_GetError()));
PORT_Free(filedata.data);
@@ -543,7 +553,7 @@
} else {
/* Read in binary der */
rv = SECU_FileToItem(der, inFile);
- if (rv) {
+ if (rv != SECSuccess) {
fprintf(stderr, "error converting der (%s)\n",
SECU_Strerror(PORT_GetError()));
return SECFailure;

132
nss-config.xml
View File

@ -1,132 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nss-config">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>nss-config</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nss-config</refname>
<refpurpose>Return meta information about nss libraries</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nss-config</command>
<arg><option>--prefix</option></arg>
<arg><option>--exec-prefix</option></arg>
<arg><option>--includedir</option></arg>
<arg><option>--libs</option></arg>
<arg><option>--cflags</option></arg>
<arg><option>--libdir</option></arg>
<arg><option>--version</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nss-config</command> is a shell scrip
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--prefix</option></term>
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix</option></term>
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--version</option></term>
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libdir</option></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for both include path and linkage flags:
<programlisting>
/usr/bin/nss-config --cflags --libs
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/nss-config</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

12
nss-enable-pem.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem ./mozilla/security/nss/lib/ckfw/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/manifest.mn.prepem 2008-08-05 16:34:23.000000000 -0700
+++ ./mozilla/security/nss/lib/ckfw/manifest.mn 2008-08-05 16:34:30.000000000 -0700
@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife
CORE_DEPTH = ../../..
-DIRS = builtins
+DIRS = builtins pem
PRIVATE_EXPORTS = \
ck.h \

21
nss-gcm-param-default-pkcs11v2.patch
View File

@ -1,21 +0,0 @@
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
/* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
+#ifndef NSS_PKCS11_3_0_STRICT
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
#define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
#else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
#endif

31
nss-kremlin-ppc64le.patch
View File

@ -1,31 +0,0 @@
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
!defined(__clang__)
#include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
typedef unsigned __int128 FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
typedef __uint128_t FStar_UInt128_uint128;
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -26,7 +26,8 @@
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
/* GCC + using native unsigned __int128 support */

4
nss-p11-kit.config
View File

@ -1,4 +0,0 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

94
nss-signtool-format.patch
View File

@ -1,94 +0,0 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
if (!dir) {
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
errorCount++;
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ errorCount++;
+ return -1;
+ }
if (rm_dash_r(filename))
return -1;
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
errorCount++;
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

116
nss-softokn-config.in
View File

@ -1,116 +0,0 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

18
nss-softokn-dracut-module-setup.sh
View File

@ -1,18 +0,0 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
nss-softokn-dracut.conf
View File

@ -1,3 +0,0 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

11
nss-softokn.pc.in
View File

@ -1,11 +0,0 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

25
nss-ssl-cbc-random-iv-off-by-default.patch Normal file
View File

@ -0,0 +1,25 @@
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-02-01 10:14:36.960458329 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2013-02-01 10:17:16.532265855 -0800
@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
- PR_TRUE /* cbcRandomIV */
+ PR_FALSE /* cbcRandomIV */ /* defaults to off for compatibility */
};
/*
@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
PR_TRUE));
}
ev = getenv("NSS_SSL_CBC_RANDOM_IV");
- if (ev && ev[0] == '0') {
- ssl_defaults.cbcRandomIV = PR_FALSE;
- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+ if (ev && ev[0] == '1') {
+ ssl_defaults.cbcRandomIV = PR_TRUE;
+ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
}
}
#endif /* NSS_HAVE_GETENV */

15
nss-ssl-enforce-no-pkcs11-bypass.path Normal file
View File

@ -0,0 +1,15 @@
diff -up ./mozilla/security/nss/lib/ssl/derive.c.nobypass ./mozilla/security/nss/lib/ssl/derive.c
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.nobypass 2012-10-07 15:12:25.455307540 -0700
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-10-07 15:21:27.229346754 -0700
@@ -547,8 +547,8 @@ static PRStatus SSL_BypassRegisterShutdo
static PRStatus SSL_BypassSetup(void)
{
#ifdef NO_PKCS11_BYPASS
- /* Guarantee binary compatibility */
- return PR_SUCCESS;
+ /* We can safely return failure as we have never supported it */
+ return PR_FALSE;
#else
return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
#endif

118
nss-util-config.in
View File

@ -1,118 +0,0 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
nss-util.pc.in
View File

@ -1,11 +0,0 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: %NSSUTIL_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

1623
nss.spec
View File

File diff suppressed because it is too large Load Diff

93
nsspem-use-system-freebl.patch Normal file
View File

@ -0,0 +1,93 @@
diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk
--- ./mozilla/security/coreconf/Linux.mk.sytemfreebl 2011-12-03 22:07:23.924156119 -0800
+++ ./mozilla/security/coreconf/Linux.mk 2011-12-03 22:08:28.322328345 -0800
@@ -182,6 +182,9 @@ endif
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz
+USE_SYSTEM_FREEBL = 1
+FREEBL_LIBS = -lfreebl3
+
# The -rpath '$$ORIGIN' linker option instructs this library to search for its
# dependencies in the same directory where it resides.
ifeq ($(BUILD_SUN_PKG), 1)
diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security/nss/lib/ckfw/pem/config.mk
--- ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/config.mk 2011-06-21 18:20:04.484985568 -0700
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
# are specifed as dependencies within rules.mk.
#
+
+EXTRA_LIBS += \
+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+
TARGETS = $(SHARED_LIBRARY)
LIBRARY =
IMPORT_LIBRARY =
@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
MKSHLIB += -R '$$ORIGIN'
endif
+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_NSSUTIL
+OS_LIBS += $(NSSUTIL_LIBS)
+else
+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(NSSUTIL_LIBS)
+endif
+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_FREEBL
+OS_LIBS += $(FREEBL_LIBS)
+else
+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(FREEBL_LIBS)
+endif
+
diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/nss/lib/ckfw/pem/Makefile
--- ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/Makefile 2011-06-21 18:25:25.959136920 -0700
@@ -43,8 +43,7 @@ include config.mk
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
$(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
@@ -56,6 +55,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3
$(NULL)
else
EXTRA_SHARED_LIBS += \
@@ -74,6 +76,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3 \
$(NULL)
endif
diff -up ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras ./mozilla/security/nss/lib/ckfw/pem/manifest.mn
--- ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras 2010-11-25 10:01:17.000000000 -0800
+++ ./mozilla/security/nss/lib/ckfw/pem/manifest.mn 2011-06-21 18:20:04.485985661 -0700
@@ -65,4 +65,4 @@ REQUIRES = nspr
LIBRARY_NAME = nsspem
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

56
pkcs11.txt.xml
View File

@ -1,56 +0,0 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pkcs11.txt">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>pkcs11.txt</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>pkcs11.txt</refname>
<refpurpose>NSS PKCS #11 module configuration file</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para>
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
</para>
<para>
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

12
renegotiate-transitional.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up mozilla/security/nss/lib/ssl/sslsock.c.transitional mozilla/security/nss/lib/ssl/sslsock.c
--- mozilla/security/nss/lib/ssl/sslsock.c.transitional 2011-10-06 10:37:47.156659000 -0700
+++ mozilla/security/nss/lib/ssl/sslsock.c 2011-10-06 10:38:32.276704000 -0700
@@ -182,7 +182,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE /* cbcRandomIV */

63
secmod.db.xml
View File

@ -1,63 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="secmod.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>secmod.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmod.db</refname>
<refpurpose>Legacy NSS security modules database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
</para>
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
</para>
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

106
setup-nsssysinit.xml
View File

@ -1,106 +0,0 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="setup-nsssysinit">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>setup-nsssysinit</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>setup-nsssysinit</refname>
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>setup-nsssysinit</command>
<arg><option>on</option></arg>
<arg><option>off</option></arg>
<arg><option>status</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>on</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>off</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>status</option></term>
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for the status of nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit status
</programlisting>
</para>
<para>The following example, when run as superuser, will turn on nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit on
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

18
sources
View File

@ -1,6 +1,12 @@
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
838b7b6e0c3563059f6e77d149666448 PayPalEE.cert
f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2
0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing
43be35fcc852361748b59ba8ecd2e239 nss-3.14.3-stripped.tar.bz2

64
tests/NSS-tools-should-not-use-SHA1-by-default-when/Makefile
View File

@ -1,64 +0,0 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: nss openssl" >> $(METADATA)
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

4
tests/NSS-tools-should-not-use-SHA1-by-default-when/PURPOSE
View File

@ -1,4 +0,0 @@
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
Description: NSS tools should not use SHA1 by default when
Author: Hubert Kario <hkario@redhat.com>
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

125
tests/NSS-tools-should-not-use-SHA1-by-default-when/runtest.sh
View File

@ -1,125 +0,0 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="nss"
PACKAGES="nss openssl"
DBDIR="nssdb"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm --all
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "mkdir nssdb"
rlRun "certutil -N -d $DBDIR --empty-password"
rlLogInfo "Create a JAR file"
rlRun "mkdir java-dir"
rlRun "pushd java-dir"
rlRun "mkdir META-INF mypackage"
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
rlRun "popd"
#rlRun "mv java-dir/package.jar ."
rlPhaseEnd
rlPhaseStartTest "Self signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Certificate request"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Certificate request with SHA1"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Signing CMS messages"
rlRun "echo 'This is a document' > document.txt"
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
rlAssertGrep "algorithm: sha256" $rlRun_LOG
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "CRL signing"
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
rlRun "echo addext crlNumber 0 1245 >>script"
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
rlRun "echo addext reasonCode 0 0 >>script"
rlRun "cat script"
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

12
tests/tests.yml
View File

@ -1,12 +0,0 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- NSS-tools-should-not-use-SHA1-by-default-when
required_packages:
- nss-tools
- nss