Compare commits
5 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
c0aab7ef6e | ||
|
c978a38ac1 | ||
|
c4cbb434e3 | ||
|
81a5e0c7a1 | ||
|
fd620ffab3 |
2
.gitignore
vendored
@ -47,5 +47,3 @@ TestUser51.cert
|
||||
/nss-3.49.2.tar.gz
|
||||
/nss-3.50.tar.gz
|
||||
/nss-3.51.tar.gz
|
||||
/nss-3.51.1.tar.gz
|
||||
/nss-3.52.tar.gz
|
||||
|
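--- a/nss-3.47-ike-fix.patch
+++ b/nss-3.47-ike-fix.patch
@@ -0,0 +1,22 @@
+diff -up ./lib/softoken/pkcs11.c.ike_fix ./lib/softoken/pkcs11.c
+--- ./lib/softoken/pkcs11.c.ike_fix 2019-11-04 10:15:08.022176945 -0800
++++ ./lib/softoken/pkcs11.c 2019-11-04 10:17:35.396733750 -0800
+@@ -330,7 +330,7 @@ static const struct mechanismList mechan
+{ CKM_AES_CTS, { 16, 32, CKF_EN_DE }, PR_TRUE },
+{ CKM_AES_CTR, { 16, 32, CKF_EN_DE }, PR_TRUE },
+{ CKM_AES_GCM, { 16, 32, CKF_EN_DE }, PR_TRUE },
+- { CKM_AES_XCBC_MAC_96, { 16, 16, CKF_SN_VR }, PR_TRUE },
++ { CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE },
+{ CKM_AES_XCBC_MAC, { 16, 16, CKF_SN_VR }, PR_TRUE },
+/* ------------------------- Camellia Operations --------------------- */
+{ CKM_CAMELLIA_KEY_GEN, { 16, 32, CKF_GENERATE }, PR_TRUE },
+@@ -518,7 +518,8 @@ static const struct mechanismList mechan
+/* --------------------IPSEC ----------------------- */
+{ CKM_NSS_IKE_PRF_PLUS_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE },
+{ CKM_NSS_IKE_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
+- { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE }
++ { CKM_NSS_IKE1_PRF_DERIVE, { 8, 64, CKF_DERIVE }, PR_TRUE },
++ { CKM_NSS_IKE1_APP_B_PRF_DERIVE, { 8, 255 * 64, CKF_DERIVE }, PR_TRUE }
+};
+static const CK_ULONG mechanismCount = sizeof(mechanisms) / sizeof(mechanisms[0]);
+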
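Review bot: The changed row `{ CKM_AES_XCBC_MAC_96, { 12, 12, CKF_SN_VR }, PR_TRUE }` puts 12 where the neighbouring rows carry what look like key-size bounds (`CKM_AES_XCBC_MAC` stays at `{ 16, 16, ... }`, the other AES rows at `{ 16, 32, ... }`). Twelve bytes matches the 96-bit truncated MAC output rather than any AES key length, so this looks like the tag length written into the key-size fields. If a consumer really depends on that value the row needs a comment saying so, otherwise it should stay `{ 16, 16, CKF_SN_VR }`. The nss.spec comment for this patch ("add missing ike mechanism to softoken") only describes the new `CKM_NSS_IKE1_APP_B_PRF_DERIVE` row and does not mention this second change. The `mechanisms[]` table begins outside the hunk, so how these two fields are consumed cannot be confirmed from here.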
@ -1,21 +0,0 @@
|
||||
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
|
||||
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
|
||||
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
|
||||
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
|
||||
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
|
||||
|
||||
/* deprecated #defines. Drop in future NSS releases */
|
||||
-#ifdef NSS_PKCS11_2_0_COMPAT
|
||||
+#ifndef NSS_PKCS11_3_0_STRICT
|
||||
|
||||
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
|
||||
#define CKF_EC_FP CKF_EC_F_P
|
||||
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
|
||||
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
|
||||
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
|
||||
#else
|
||||
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
|
||||
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
|
||||
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
|
||||
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
|
||||
#endif
|
@ -2,28 +2,27 @@ Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
|
||||
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
|
||||
!defined(__clang__)
|
||||
@@ -56,7 +56,9 @@ typedef const char *Prims_string;
|
||||
#include <emmintrin.h>
|
||||
typedef __m128i FStar_UInt128_uint128;
|
||||
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
|
||||
+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
typedef unsigned __int128 FStar_UInt128_uint128;
|
||||
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
|
||||
typedef __uint128_t FStar_UInt128_uint128;
|
||||
#else
|
||||
typedef struct FStar_UInt128_uint128_s {
|
||||
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
===================================================================
|
||||
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
|
||||
@@ -26,7 +26,8 @@
|
||||
@@ -25,7 +25,9 @@
|
||||
#include "LowStar_Endianness.h"
|
||||
|
||||
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
|
||||
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
|
||||
#if !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
|
||||
- (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__))
|
||||
+ (defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
|
||||
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
|
||||
+ defined(__s390x__))
|
||||
|
||||
|
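--- a/nss-tls13-default.patch
+++ b/nss-tls13-default.patch
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.tls13-default nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.tls13-default 2020-01-27 10:21:44.930830558 +0100
++++ nss/lib/ssl/sslsock.c 2020-01-27 10:21:47.419852229 +0100
+@@ -97,7 +97,7 @@ static sslOptions ssl_defaults = {
+*/
+static SSLVersionRange versions_defaults_stream = {
+SSL_LIBRARY_VERSION_TLS_1_0,
+- SSL_LIBRARY_VERSION_TLS_1_3
++ SSL_LIBRARY_VERSION_TLS_1_2
+};
+
+static SSLVersionRange versions_defaults_datagram = {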
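Review bot: Setting the upper bound of `versions_defaults_stream` to `SSL_LIBRARY_VERSION_TLS_1_2` appears to take TLS 1.3 out of the library defaults for every stream-socket caller, while the only rationale on the page (the nss.spec comment about missing HKDF support in PKCS #11 under FIPS mode) is specific to FIPS. The patched file itself gets no explanation, so I would extend the comment block that ends just above the initializer with something like `/* Downstream: max capped at TLS 1.2 until HKDF is usable through PKCS #11 in FIPS mode (bugzilla.mozilla.org 1573118) */`, so the cap has a visible removal condition. Whether the system crypto-policy file can still raise the maximum on non-FIPS hosts is not visible from this hunk and is worth confirming. The `versions_defaults_datagram` initializer continues outside the hunk.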
52
nss.spec
@ -1,5 +1,5 @@
|
||||
%global nspr_version 4.25.0
|
||||
%global nss_version 3.52.0
|
||||
%global nss_version 3.51.0
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global saved_files_dir %{_libdir}/nss/saved
|
||||
%global dracutlibdir %{_prefix}/lib/dracut
|
||||
@ -7,7 +7,6 @@
|
||||
%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
|
||||
|
||||
%bcond_without tests
|
||||
%bcond_without dbm
|
||||
|
||||
# Produce .chk files for the final stripped binaries
|
||||
#
|
||||
@ -25,7 +24,7 @@
|
||||
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
|
||||
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
|
||||
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
|
||||
%{?with_dbm:$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so} \
|
||||
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
|
||||
%{nil}
|
||||
|
||||
# The upstream omits the trailing ".0", while we need it for
|
||||
@ -44,7 +43,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: %{nss_version}
|
||||
Release: 2%{?dist}
|
||||
Release: 1%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
Requires: nspr >= %{nspr_version}
|
||||
@ -106,14 +105,16 @@ Patch2: nss-539183.patch
|
||||
# Once the buildroot aha been bootstrapped the patch may be removed
|
||||
# but it doesn't hurt to keep it.
|
||||
Patch4: iquote.patch
|
||||
# add missing ike mechanism to softoken
|
||||
Patch10: nss-3.47-ike-fix.patch
|
||||
# To revert the upstream change:
|
||||
# https://bugzilla.mozilla.org/show_bug.cgi?id=1573118
|
||||
# as it still doesn't work under FIPS mode because of missing HKDF
|
||||
# support in PKCS #11.
|
||||
Patch11: nss-tls13-default.patch
|
||||
Patch12: nss-signtool-format.patch
|
||||
# https://github.com/FStarLang/kremlin/issues/166
|
||||
Patch13: nss-kremlin-ppc64le.patch
|
||||
%if 0%{?fedora} < 34
|
||||
%if 0%{?rhel} < 9
|
||||
Patch20: nss-gcm-param-default-pkcs11v2.patch
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
@ -295,19 +296,14 @@ export NSS_USE_SYSTEM_SQLITE=1
|
||||
|
||||
export NSS_ALLOW_SSLKEYLOGFILE=1
|
||||
|
||||
%if %{with dbm}
|
||||
%else
|
||||
export NSS_DISABLE_DBM=1
|
||||
%endif
|
||||
|
||||
%ifnarch noarch
|
||||
%if 0%{__isa_bits} == 64
|
||||
export USE_64=1
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%{__make} -C ./nss/coreconf
|
||||
%{__make} -C ./nss/lib/dbm
|
||||
make -C ./nss/coreconf
|
||||
make -C ./nss/lib/dbm
|
||||
|
||||
# Set the policy file location
|
||||
# if set NSS will always check for the policy file and load if it exists
|
||||
@ -315,11 +311,11 @@ export POLICY_FILE="nss.config"
|
||||
# location of the policy file
|
||||
export POLICY_PATH="/etc/crypto-policies/back-ends"
|
||||
|
||||
%{__make} -C ./nss
|
||||
make -C ./nss
|
||||
|
||||
# build the man pages clean
|
||||
pushd ./nss
|
||||
%{__make} clean_docs build_docs
|
||||
make clean_docs build_docs
|
||||
popd
|
||||
|
||||
# and copy them to the dist directory for %%install to find them
|
||||
@ -531,7 +527,7 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
|
||||
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
|
||||
|
||||
# Copy the binary libraries we want
|
||||
for file in libnssutil3.so libsoftokn3.so %{?with_dbm:libnssdbm3.so} libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
|
||||
do
|
||||
install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
||||
done
|
||||
@ -834,10 +830,8 @@ update-crypto-policies &> /dev/null || :
|
||||
%{_includedir}/nss3/templates/templates.c
|
||||
|
||||
%files softokn
|
||||
%if %{with dbm}
|
||||
%{_libdir}/libnssdbm3.so
|
||||
%{_libdir}/libnssdbm3.chk
|
||||
%endif
|
||||
%{_libdir}/libsoftokn3.so
|
||||
%{_libdir}/libsoftokn3.chk
|
||||
# shared with nss-tools
|
||||
@ -892,25 +886,9 @@ update-crypto-policies &> /dev/null || :
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed May 13 2020 Bob Relyea <rrelyea@redhat.com> - 3.52.0-2
|
||||
- Delay CK_GCM_PARAMS semantics until fedora 34
|
||||
|
||||
* Mon May 11 2020 Daiki Ueno <dueno@redhat.com> - 3.52.0-1
|
||||
- Update to NSS 3.52
|
||||
|
||||
* Sat Apr 25 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-2
|
||||
- Temporarily revert DBM disablement for kernel build failure (#1827902)
|
||||
|
||||
* Mon Apr 20 2020 Daiki Ueno <dueno@redhat.com> - 3.51.1-1
|
||||
- Update to NSS 3.51.1
|
||||
- Disable building DBM backend
|
||||
|
||||
* Tue Apr 7 2020 Daiki Ueno <dueno@redhat.com> - 3.51.0-1
|
||||
- Update to NSS 3.51
|
||||
|
||||
* Thu Mar 26 2020 Tom Stellard <tstellar@redhat.com> - 3.50.0-3
|
||||
- Use __make macro to invoke make
|
||||
|
||||
* Thu Mar 5 2020 Daiki Ueno <dueno@redhat.com> - 3.50.0-2
|
||||
- Apply CMAC fixes from upstream
|
||||
|
||||
|
2
sources
@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
|
||||
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
|
||||
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
|
||||
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
|
||||
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6
|
||||
SHA512 (nss-3.51.tar.gz) = 9c894b1ea41449b000750a7b3a89fcb43dfc3d0d4d6dcc0dc288bc73996f76f1ee1ede927a8aecae6d4a07f9f3d3e3a042c6a60cf06e27e0cdc004fce2e510fd
|
||||
|