Compare commits

...

183 Commits

Author SHA1 Message Date
Bob Relyea
614f823eb3 Delay new CK_GCM_PARAMS semantics until fedora 34 unless explicitly enabled. 2020-05-13 16:02:36 -07:00
Daiki Ueno
26f93fa193 Restore nss-kremlin-ppc64le.patch 2020-05-11 18:38:26 +02:00
Daiki Ueno
047dc3ed4e Update to NSS 3.52 2020-05-11 18:21:55 +02:00
Daiki Ueno
fc0174ead1 Temporarily revert DBM disablement for kernel build failure (#1827902) 2020-04-25 17:16:02 +02:00
Daiki Ueno
3c018618ca Fix the last change 2020-04-20 15:57:28 +02:00
Daiki Ueno
65271d923d Enable conditional builds on DBM 2020-04-20 14:47:27 +02:00
Daiki Ueno
9ae0f0b9e1 Update to NSS 3.51.1
Also disable building DBM backend
2020-04-20 14:24:47 +02:00
Daiki Ueno
2b122e4485 Update to NSS 3.51 2020-04-07 11:18:10 +02:00
Tom Stellard
507a1cebf0 Use __make macro to invoke make
Using the %__make macro makes it possible for an alternative buildroot
to inject its own flags into the make invocation.  This makes it easier
to do trial rebuilds of fedora using different compilers or different
compiler flags.
2020-03-27 15:39:49 +00:00
Daiki Ueno
7f30e21d0f Apply CMAC fixes from upstream 2020-03-05 09:57:34 +01:00
Daiki Ueno
aa7d80b11e Fix build with s390x, due to bundled kremlin source 2020-03-03 16:16:52 +01:00
Daiki Ueno
f512836b78 Fix build on ppc64le, due to bundled kremlin source 2020-02-17 14:30:50 +01:00
Daiki Ueno
58ca69fcaf Update to NSS 3.50 2020-02-17 13:46:37 +01:00
Daiki Ueno
bd89f2ce5c Fix build with gcc 10 2020-02-14 14:28:21 +01:00
Daiki Ueno
9e1e74ca17 Ignore false-positive compiler warnings with gcc 10 2020-02-14 12:07:57 +01:00
Daiki Ueno
37c40ebd3d Update nss-libpkix-maybe-uninitialized.patch 2020-02-14 11:42:12 +01:00
Daiki Ueno
656c979c95 Suppress compiler warning (treated as fatal) in libpkix 2020-02-14 10:48:31 +01:00
Fedora Release Engineering
0b17c92d39 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2020-01-29 19:15:25 +00:00
Daiki Ueno
3c27dc2471 Revert "pass %{_smp_mflags} to make to speed up the build"
This reverts commit 6e689ce0cb.

This still has a race condition and causes the build fail.
2020-01-27 11:07:50 +01:00
Daiki Ueno
36505c331d Update to NSS 3.49.2 2020-01-27 10:24:30 +01:00
Kamil Dudka
6e689ce0cb pass %{_smp_mflags} to make to speed up the build
I tried an uncached build of nss on Fedora 30 VM with 8 CPU cores
and the build time was reduced with this patch from 540 s to 250 s
of wall-clock time.
2020-01-24 11:17:23 +01:00
Daiki Ueno
703a4f9a95 Remove leftover debug command in %build 2020-01-11 09:02:36 +01:00
Daiki Ueno
1e2f8acd14 Fix build on armv7hl with the patch proposed in upstream 2020-01-10 17:26:33 +01:00
Daiki Ueno
74b268dbd9 Update to NSS 3.49 2020-01-10 10:35:28 +01:00
Daiki Ueno
541296170e Update to NSS 3.48 2020-01-03 10:59:30 +01:00
Daiki Ueno
f3ad534c37 Update nss-3.47-certdb-temp-cert.patch 2019-12-04 10:20:43 +01:00
Daiki Ueno
a8a8d020bf Update nss-3.47-certdb-temp-cert.patch to avoid setting empty trust value 2019-12-03 15:51:55 +01:00
Daiki Ueno
704f2e22d6 Update nss-3.47-certdb-temp-cert.patch to the final version 2019-12-03 09:31:24 +01:00
Daiki Ueno
4f639ad73c Fix intermittent SEC_ERROR_UNKNOWN_ISSUER (#1752303, #1648617) 2019-11-28 16:13:41 +01:00
Daiki Ueno
8c9ed11be4 Update to NSS 3.47.1 2019-11-22 18:01:14 +01:00
Bob Relyea
115989f50d Correct change log error so it doesn't propogate to the next patch 2019-11-06 09:16:51 -08:00
Bob Relyea
2ec4745f30 Resolves: rhbz#1768652
NSS softoken does not include CKM_NSS_IKE1_APP_B_PRF_DERIVE in it's mechanism list, causing libreswan to crash.
2019-11-04 13:51:40 -08:00
Daiki Ueno
626f1941fd Install cmac.h required by blapi.h (#1764513) 2019-10-23 10:44:14 +02:00
Daiki Ueno
16706fe38d Update to NSS 3.47 2019-10-22 15:22:45 +02:00
Daiki Ueno
d86af7693a Update to NSS 3.46.1 2019-10-21 13:39:30 +02:00
Daiki Ueno
fa84af3e06 Require NSPR 4.22 2019-09-04 06:31:23 +02:00
Daiki Ueno
2f14d11d0d Update to NSS 3.46 2019-09-03 09:42:24 +02:00
Daiki Ueno
3f3c20ae17 Update to NSS 3.45 2019-08-29 15:38:15 +02:00
Fedora Release Engineering
326f5d0c9a - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-07-25 22:36:13 +00:00
Daiki Ueno
c5b7db61f4 Fix CAVS testdir creation 2019-07-03 15:59:50 +02:00
Daiki Ueno
7b734a0c80 Restore files removed by the previous commit 2019-07-02 12:57:50 +02:00
Daiki Ueno
c7e445694f Update to NSS 3.44.1 2019-07-02 12:55:10 +02:00
Daiki Ueno
3ea5d2fb0e Skip TLS 1.3 tests under FIPS mode 2019-05-20 11:09:19 +02:00
Daiki Ueno
4567b678cc Update to NSS 3.44 2019-05-17 13:03:12 +02:00
Daiki Ueno
141e716639 Fix PKCS#11 module leak if C_GetSlotInfo() failed 2019-05-06 18:33:40 +02:00
Elio Maldonado
5deb5dd362 Update nspr_version to 4.21.0 and remove obsolete comment 2019-03-26 08:25:09 -07:00
Daiki Ueno
d3f6891026 Update to NSS 3.43 2019-03-21 10:33:02 +01:00
Daiki Ueno
df8d75ac51 Update to NSS 3.42.1 2019-02-11 13:01:36 +01:00
Daiki Ueno
b3b17b08a0 Update to NSS 3.42 2019-02-08 11:31:29 +01:00
Daiki Ueno
455711f1df Simplify test failure detection in %check
There is the same logic in the upstream script:
https://hg.mozilla.org/projects/nss/file/tip/tests/common/cleanup.sh#l56
2019-02-08 10:59:35 +01:00
Fedora Release Engineering
0e03f768ab - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2019-02-01 16:32:50 +00:00
Daiki Ueno
e5e5a75933 Rebuild with recent changes
- Remove prelink.conf as prelink was removed in F24, suggested by
  Harald Reindl
- Use quilt for %%autopatch
- Make sysinit require arch-dependent nss, suggested by Igor Gnatenko
- Silence %%post/%%postun scriptlets, suggested by Ian Collier
2019-01-11 11:53:52 +01:00
Daiki Ueno
431c940fc5 Silence %post/%postun scriptlets
Suggested by Ian Collier in:
https://bugzilla.redhat.com/show_bug.cgi?id=1665053
2019-01-11 10:05:53 +01:00
Daiki Ueno
41b9b6b6a1 Make nss-sysinit require arch-specific nss package
Suggested by Igor Gnatenko in:
https://bugzilla.redhat.com/show_bug.cgi?id=1663136
2019-01-09 13:08:49 +01:00
Daiki Ueno
f572eae5ce Use quilt for %autopatch 2018-12-19 16:28:50 +01:00
Daiki Ueno
b250b65666 Remove prelink.conf as prelink was removed in F24
Suggested by Harald Reindl in:
https://bugzilla.redhat.com/show_bug.cgi?id=1659674
2018-12-18 16:22:25 +01:00
Daiki Ueno
5221baae09 Fix the last commit 2018-12-10 16:17:16 +01:00
Daiki Ueno
cab16c0490 Revert "Switch to gyp buildsystem"
It turned out that libpkix cannot be enabled in gyp build.

This reverts commit 390eaefc52.
2018-12-10 15:36:58 +01:00
Daiki Ueno
af46412ffe Partially revert 7bdb9fac17 2018-12-10 12:49:17 +01:00
Daiki Ueno
e557c2c2a1 Update to NSS 3.41 2018-12-10 10:45:52 +01:00
Daiki Ueno
8be7f95db1 Stop using the custom versioning scheme 2018-12-10 10:39:33 +01:00
Daiki Ueno
7bdb9fac17 Minor cleanup of spec
- expand %%allTools as it is used only once
- remove unnecessary pushd/popd
2018-12-10 10:39:14 +01:00
Daiki Ueno
71d6df3266 Use %%autopatch 2018-12-06 13:51:04 +01:00
Daiki Ueno
390eaefc52 Switch to gyp buildsystem 2018-12-06 13:48:33 +01:00
Daiki Ueno
4b42d21883 Remove unnecessary patches 2018-12-06 10:23:36 +01:00
Daiki Ueno
ec4d144b47 Update to NSS 3.40.1 2018-12-06 10:12:42 +01:00
Daiki Ueno
705e2b3229 Fix Source0 URL 2018-11-27 14:56:16 +01:00
Daiki Ueno
26c062714a Modernize spec file
Suggested by Robert-André Mauchin in:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/3JTN2YN3HM47UKSVTSANB4MO4UJDJPF5/
2018-11-19 15:47:27 +01:00
Daiki Ueno
c29d479b7f Consolidate nss-util, nss-softokn, and nss into a single package 2018-11-14 10:00:13 +01:00
Daiki Ueno
18c140b4c2 Fix FTBFS with expired test certs 2018-11-14 09:58:06 +01:00
Daiki Ueno
bdf4e9ddaf Fix LDFLAGS injection when creating DSO 2018-09-13 16:15:14 +02:00
Daiki Ueno
93c1de8b0d Allow SSLKEYLOGFILE 2018-09-03 14:00:45 +02:00
Daiki Ueno
db341dd2e0 Update to NSS 3.39 2018-09-03 13:55:21 +02:00
Kai Engert
89b8b47d46 Backport upstream addition of nss-policy-check utility, rhbz#1428746 2018-07-20 16:09:32 +02:00
Fedora Release Engineering
e4c3da9da7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-07-13 14:31:25 +00:00
Jason Tibbitts
137780ff5d Remove needless use of %defattr 2018-07-10 02:12:27 -05:00
Daiki Ueno
6f4f615c05 Install crypto-policies configuration file for p11-kit-proxy 2018-07-03 13:31:49 +02:00
Daiki Ueno
2b3aa61f20 Update to NSS 3.38 2018-07-02 16:10:47 +02:00
Daiki Ueno
3b822a7262 Backport fix for handling DTLS application_data before handshake 2018-06-06 11:18:51 +02:00
Daiki Ueno
8d5d06f814 Drop more tests failing intermittently 2018-06-06 10:17:29 +02:00
Daiki Ueno
26f23aeeb6 Disable tests failing intermittently 2018-06-05 16:40:58 +02:00
Daiki Ueno
dfa19ec931 Update to NSS 3.37.3 2018-06-05 13:52:07 +02:00
Daiki Ueno
e874285f92 Temporarily disable AlertBeforeServerHello test on all archtectures 2018-06-04 09:46:39 +02:00
Daiki Ueno
abfbe95c8d Temporarily disable AlertBeforeServerHello test on s390x and aarch64 2018-06-01 17:13:57 +02:00
Daiki Ueno
e42c9742c4 Update to NSS 3.37.1 2018-05-28 17:25:42 +02:00
Kai Engert
93dca340cd add missing file nss-moz1458518.patch 2018-05-02 16:08:29 +02:00
Kai Engert
a24d6b1353 Upstream patch to keep nicknames stable on repeated certificate import into SQL DB, mozbz#1458518 2018-05-02 16:01:40 +02:00
Daiki Ueno
418745fdce Update to NSS 3.36.1 2018-04-11 12:41:21 +02:00
Daiki Ueno
03874d1272 Fix partial injection of LDFLAGS 2018-03-12 15:20:53 +01:00
Daiki Ueno
2007524db8 Remove obsolete Conflicts 2018-03-12 15:04:04 +01:00
Daiki Ueno
67567fd852 Remove nss-3.14.0.0-disble-ocsp-test.patch 2018-03-12 15:03:33 +01:00
Daiki Ueno
2eadf22a1d Make test failure detection robuster 2018-03-09 15:38:51 +01:00
Daiki Ueno
3edcb8bd09 Update to NSS 3.36.0 2018-03-09 13:59:41 +01:00
Igor Gnatenko
b33603605a
Remove %clean section
None of currently supported distributions need that.
Last one was EL5 which is EOL for a while.

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-14 09:16:55 +01:00
Igor Gnatenko
7504d3f5b2 Remove BuildRoot definition
None of currently supported distributions need that.
It was needed last for EL5 which is EOL now

Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-13 23:55:40 +01:00
Fedora Release Engineering
51a16f5968 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-08 08:28:30 +00:00
Kai Engert
1689d12cbb Set NSS_FORCE_FIPS=1 at %%build time, and remove from %%check. 2018-02-01 14:26:39 +01:00
Kai Engert
0a70bce56d Fix a compiler error with gcc 8, mozbz#1434070 2018-01-29 22:58:11 +01:00
Kai Engert
ccf407af47 Stop pulling in nss-pem automatically, packages that need it should depend on it, rhbz#1539401 2018-01-29 19:03:50 +01:00
Daiki Ueno
08f152ebf9 Update to NSS 3.35.0 2018-01-23 14:38:31 +01:00
Daiki Ueno
bd239c046a Update to NSS 3.34.0 2017-11-14 14:20:29 +01:00
Daiki Ueno
6d15c06123 Fix nss-pem requirement on multilib 2017-11-10 15:13:21 +01:00
Kai Engert
423cf344b1 fix test script 2017-11-08 14:53:14 +01:00
Kai Engert
cd77ff2c17 Update tests to be compatible with default NSS DB changed to sql (the default was changed in the nss-util package). 2017-11-07 14:13:10 +01:00
Kai Engert
c4dce982fc rhbz#1505487, backport upstream fixes required for rhbz#1496560 2017-10-24 14:05:16 +02:00
Serhii Turivny
24e850cb0b Add CI tests using the standard test interface 2017-10-24 11:38:00 +03:00
Daiki Ueno
06c6c5b05b Forcibly run FIPS tests, and install new header file 2017-10-03 15:41:34 +02:00
Daiki Ueno
8a8a89e2ed Update to NSS 3.33.0 2017-10-03 10:18:40 +02:00
Daiki Ueno
c6bdcf333a Update to NSS 3.32.1 2017-09-15 14:21:47 +02:00
Daiki Ueno
3e4febd5a1 Prefer in-tree headers over system headers
See https://bugzilla.redhat.com/show_bug.cgi?id=1422046#c6
2017-09-06 14:38:46 +02:00
Kai Engert
61169569b1 NSS libnssckbi.so has already been obsoleted by p11-kit-trust, rhbz#1484449 2017-08-23 19:41:28 +02:00
Daiki Ueno
2d62c98a25 Don't build util_gtest 2017-08-08 12:47:53 +02:00
Daiki Ueno
7ae9f54af6 Update to NSS 3.32.0 2017-08-07 13:58:01 +02:00
Fedora Release Engineering
3bbfdef75c - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 2017-08-03 04:07:03 +00:00
Fedora Release Engineering
7a90b2748d - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 01:18:19 +00:00
Daiki Ueno
943827bba4 Fix the previous commit 2017-07-19 18:34:50 +02:00
Daiki Ueno
82b3129713 Fix the previous commit for deprecating signtool
signtool.1 must be installed even if it is unsupported
2017-07-19 15:39:19 +02:00
Daiki Ueno
4b45ae6d65 Backport mozbz#1381784 to avoid deadlock in dnf 2017-07-18 13:18:15 +02:00
Daiki Ueno
314afd2133 Move signtool to %%_libdir/nss/unsupported-tools 2017-07-13 16:16:30 +02:00
Petr Písař
b2ceaeb648 perl dependency renamed to perl-interpreter <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules> 2017-07-12 14:42:33 +02:00
Daiki Ueno
5ed56146a2 Rebase to NSS 3.31.0 2017-06-21 17:41:09 +02:00
Daiki Ueno
4a49c5748c Enable gtests 2017-06-02 15:18:09 +02:00
Daiki Ueno
405310c946 Rebase to NSS 3.30.2 2017-04-24 09:50:22 +02:00
Kai Engert
cd8db2917d Backport upstream mozbz#1328318 to support crypto policy FUTURE. 2017-03-30 11:54:51 +02:00
Daiki Ueno
17cd27bdca Revert workaround for pkgconf transition
This reverts commit 70bf1cefc1.
2017-03-21 12:37:13 +01:00
Daiki Ueno
b6664ebb77 Update to NSS 3.30.0 2017-03-21 12:20:45 +01:00
Kai Engert
8b601d64b2 Backport mozbz#1334976 and mozbz#1336487. 2017-03-02 13:44:16 +01:00
Daiki Ueno
65a4d20cc7 Update to NSS 3.29.1 2017-02-17 15:32:15 +01:00
Daiki Ueno
07c729494a Disable TLS 1.3 again 2017-02-09 10:13:07 +01:00
Daiki Ueno
73106743c1 Update to NSS 3.29.0 2017-02-08 16:33:58 +01:00
Daiki Ueno
70bf1cefc1 Work around pkgconfig -> pkgconf transition issue 2017-01-23 14:41:48 +01:00
Daiki Ueno
877f068e97 Temporarily remove Conflicts: for icecat 2017-01-23 14:15:36 +01:00
Daiki Ueno
82e9983e43 Disable TLS 1.3 again
Also add Conflicts for old Mozilla apps
2017-01-20 17:41:36 +01:00
Daiki Ueno
c6535e87bd Add "Conflicts" with older firefox 2017-01-17 12:49:10 +01:00
Daiki Ueno
8b6e6cc656 Fix incorrect version requirement for nss-util/nss-softokn 2017-01-13 09:41:31 +01:00
Daiki Ueno
9168316fa8 Update to NSS 3.28.1 2017-01-06 14:35:27 +01:00
Daiki Ueno
1df1edced7 Update to 3.27.2 2016-11-30 15:35:31 +01:00
Daiki Ueno
f52ebc585d Revert the previous fix for RSA-PSS and use the upstream fix instead 2016-11-15 16:27:37 +01:00
Kai Engert
387bb6b467 Disable the use of RSA-PSS with SSL/TLS. #1383809 2016-11-02 14:19:58 +01:00
Daiki Ueno
74f302809f Disable TLS 1.3 by default 2016-10-02 07:12:26 +02:00
Daiki Ueno
ddcac56c2e Update to NSS 3.27.0 2016-09-29 13:52:40 +02:00
Daiki Ueno
e0be40e6f7 Add explanation about NSS_IGNORE_SYSTEM_POLICY=1 2016-08-19 10:33:21 +02:00
Daiki Ueno
351f464ed1 Update to NSS 3.26.0 2016-08-10 14:46:53 +02:00
Elio Maldonado
7854e70d7e Incorporate more changes requested in upstream review and commited upstream (#1157720)
- still keeping two separate patches
2016-07-14 10:41:00 -07:00
Elio Maldonado
ff192a931a Incorporate some changes requested in upstream review and commited upstream (#1157720) 2016-07-13 17:44:26 -07:00
Elio Maldonado
270f23d149 Implement changes requested in upstream review and pushed upstream (#1157720)
- merge the two policy related patches
2016-07-12 20:25:49 -07:00
Elio Maldonado
e666a29edf Add support for conditionally ignoring the system policy (#1157720)
- Remove unneeded test scripts patches in order to run more tests
- Remove unneeded test data modifications from the spec file
2016-07-01 18:22:06 -07:00
Elio Maldonado
68e30820ed Add a reference to bug filed upstream 2016-06-28 09:33:42 -07:00
Elio Maldonado
ef6c2f08e7 Remove obsolete patch and spurious lines from the spec file (#1347336) 2016-06-28 07:47:13 -07:00
Elio Maldonado
e51bf1ce38 Cleanup spec file and patches and add references to bugs filed upstream 2016-06-26 15:03:12 -07:00
Elio Maldonado
3792f60887 Rebase to NSS 3.15
- Remove three patches obsolted by the rebase and updated two
- Temporarily not building the ecperf tool
- ecperef requires freebl/ec.h and ecl-curve.h and the latter
- causes compile failure because it requires that
- NSS_ECC_MORE_THAN_SUITE_B not be defined yet this is
- required for nss builds to allow external pkcs #11 providers
- to support curves beyond suite-b, such restriction only applies
- to the internal crypto module
2016-06-24 14:13:59 -07:00
Kai Engert
1911d47990 Bug 1347336, decouple nss-pem from the nss package, patch contributed by Kamil Dudka 2016-06-22 15:20:39 +02:00
Elio Maldonado
f5c6a9ac04 Apply the patch that was last introduced
- Renumber and reorder some of the patches
- Resolves: Bug 1342158
2016-06-03 08:40:01 -07:00
Elio Maldonado
85c6e70f3c Allow application requests to disable SSL v2 to succeed
- Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails
2016-06-02 13:47:29 -07:00
Elio Maldonado
c460de4d23 Rebase to NSS 3.24.0
- Restore setting the policy file location
- Make ssl tests scripts aware of policy
- Ajust tests data expected result for policy
2016-05-29 10:14:36 -07:00
Elio Maldonado
29b52f2caf Bootstrap build to rebase to NSS 3.24.0
- Temporarily not setting the policy file location
2016-05-25 19:55:49 -07:00
Elio Maldonado
fc09930b4d Update nss_util_version and nss_softoken_version to 3.24.0
- Resolves: Bug 1336849 - nss-3.24 is available
2016-05-24 06:49:40 -07:00
Elio Maldonado
3648d70a92 Update to NSS 3.24.0
- Resolves: Bug 1336849 - nss-3.24 is available
- Update patches on account of the rebase
- Remove unused patches un account of the rebase
- Patch pem module to compile with wrning for unitilaized variables treated as errors
- Patch to skip some of the gtests as they use private calls and need to statically link with libnssutil.a
- TODO: bring this up with the external_tests framework developers upstream
2016-05-23 18:10:46 -07:00
Elio Maldonado
2e6c8d6f71 Change POLICY_FILE to "nss.config" 2016-05-12 12:04:57 -07:00
Elio Maldonado
299e9058d1 Change POLICY_FILE to "nss.cfg" 2016-04-22 08:25:14 -07:00
Elio Maldonado
21d9cd13e1 Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
- Regenerate the check policy patch with hg to provide more context
- the nss-util portion included though not applied here but in nss-util
- todo: file bug upstream once we have done some testing
2016-04-20 08:49:00 -07:00
Elio Maldonado
b9c9bc550c Fix typo in the last %changelog entry 2016-04-14 14:16:05 -07:00
Elio Maldonado
ea86d5898c Load policy file if /etc/pki/nssdb/policy.cfg exists
- Resolves: Bug 1157720 - NSS should enforce the system-wide crypto policy
2016-03-24 15:18:49 -07:00
Elio Maldonado
b22cf46b7c Remove unused patch rendered obsolete by pem update 2016-03-08 15:41:14 -08:00
Elio Maldonado
2a45956d5b Update pem sources to latest from nss-pem upstream
- Resolves: Bug 1300652 - [PEM] insufficient input validity checking while loading a private key
- Fixes memory leak on failed ASN1 decoding of RSA keys with rebase
- https://git.fedorahosted.org/cgit/nss-pem.git
2016-03-08 06:47:48 -08:00
Elio Maldonado
e4343992f0 Rebase to NSS 3.23 2016-03-05 12:42:26 -08:00
Elio Maldonado
c0f6099656 Requite nss and nss-softokn version 3.22.2 2016-02-27 16:45:41 -08:00
Elio Maldonado
69c688f3b5 Rebase to NSS 3.22.2
- Resolves: Bug 1304135 - nss-3.22.2 is available
2016-02-26 21:59:01 -08:00
Elio Maldonado
fe44847276 Fix ssl2/exp test disabling to run all the required tests 2016-02-22 20:49:28 -08:00
Elio Maldonado
c281a339e1 Rebase to NSS 3.22.1
- Bug 1304135 - nss-3.22.1 is available
2016-02-21 11:30:52 -08:00
Elio Maldonado
317de01a4d Update .gitignore as part of updating to nss 3.22 2016-02-08 13:47:18 -08:00
Elio Maldonado
5953345108 Update to NSS 3.22 2016-02-08 07:57:39 -08:00
Fedora Release Engineering
f7ddea92df - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild 2016-02-04 10:56:52 +00:00
Elio Maldonado
5fe1656484 Resolves: Bug 1299040 - Enable ssl_gtests upstream test suite
- Remove 'export NSS_DISABLE_GTESTS=1' go ssl_gtests are built
- Use %define when specifying the nss_tests to run
2016-01-15 11:12:08 -08:00
Elio Maldonado
0483a01742 Add 64-bit MIPS to multilib arches
- Patch contributed by Michal Toman <michal.toman@gmail.com>
- Resolves: Bug 1294878 - Add 64-bit MIPS to multilib_arches
2015-12-31 08:11:54 -08:00
Jaromir Capik
65e0fbe683 Copy verref.h to the right dir in the STAGE2 recipe 2015-12-15 14:26:29 +01:00
Elio Maldonado
337a03cdd8 Fix style of commit message 2015-11-20 14:56:41 -08:00
Elio Maldonado
34058a2a6e Update %{nss_util_version} and %{nss_softokn_version} to 3.21.0
- Bug 1284095 - all https fails with sec_error_no_token
2015-11-20 14:39:49 -08:00
Elio Maldonado
66122a0ff7 Add references to bugs filed upstream 2015-11-15 10:51:54 -08:00
Elio Maldonado
03da09b383 Enclose the _isa_bits check inside a %ifnarch noarch ... %endif one 2015-11-14 14:49:57 -08:00
Elio Maldonado
69b02be530 Change the test to %if 0%{__isa_bits} == 64 as required in fedora
- As done in the patch contributed by Marcin Juszkiewicz <mjuszkiewicz@redhat.com>
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit architectures
2015-11-14 11:32:57 -08:00
Elio Maldonado
0a91ce3fe8 Complete the commits to update to NSS 3.21
- Add files missed in previous commit as they weren't staged
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
2015-11-13 18:03:07 -08:00
Elio Maldonado
c13e32fe80 Update to NSS 3.21
- Package listsuites as part of the unsupported tools set
- Resolves: Bug 1279912 - nss-3.21 is available
- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit
- Resolves: Bug 1280032 - Package listsuites as part of the nss unsupported tools set
2015-11-13 17:53:10 -08:00
36 changed files with 1633 additions and 1233 deletions

42
.gitignore vendored
View File

@ -7,7 +7,45 @@ PayPalEE.cert
TestCA.ca.cert
TestUser50.cert
TestUser51.cert
/nss-pem-20140125.tar.bz2
/PayPalRootCA.cert
/PayPalICA.cert
/nss-3.20.1.tar.gz
/nss-3.25.0.tar.gz
/nss-3.26.0.tar.gz
/nss-3.27.0.tar.gz
/nss-3.27.2.tar.gz
/nss-3.28.1.tar.gz
/nss-3.29.0.tar.gz
/nss-3.29.1.tar.gz
/nss-3.30.0.tar.gz
/nss-3.30.2.tar.gz
/nss-3.31.0.tar.gz
/nss-3.32.0.tar.gz
/nss-3.32.1.tar.gz
/nss-3.33.0.tar.gz
/nss-3.34.0.tar.gz
/nss-3.35.0.tar.gz
/nss-3.36.0.tar.gz
/nss-3.36.1.tar.gz
/nss-3.37.1.tar.gz
/nss-3.37.3.tar.gz
/nss-3.38.0.tar.gz
/nss-3.39.tar.gz
/nss-3.40.1.tar.gz
/nss-3.41.tar.gz
/nss-3.42.tar.gz
/nss-3.42.1.tar.gz
/nss-3.43.tar.gz
/nss-3.44.tar.gz
/nss-3.44.1.tar.gz
/nss-3.45.tar.gz
/nss-3.46.tar.gz
/nss-3.46.1.tar.gz
/nss-3.47.tar.gz
/nss-3.47.1.tar.gz
/nss-3.48.tar.gz
/nss-3.49.tar.gz
/nss-3.49.2.tar.gz
/nss-3.50.tar.gz
/nss-3.51.tar.gz
/nss-3.51.1.tar.gz
/nss-3.52.tar.gz

View File

@ -38,6 +38,11 @@ fi
make -C $SRC/nss-3.*/nss/coreconf
make -C $SRC/nss-3.*/nss/lib/dbm
# nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
# need nss/verref.h which is exported privately, move it to where it can be found.
(cd $SRC/nss-3.* && mkdir -p dist/private/nss && cp -a nss/verref.h dist/private/nss/)
make -C $SRC/nss-3.*/nss
cd $SRC/nss-3.*/nss/coreconf
make install

View File

@ -1,16 +0,0 @@
diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk
--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700
+++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700
@@ -174,6 +174,12 @@ endif
endif
endif
+# harden DSOs/executables a bit against exploits
+ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
+DSO_LDOPTS+=-Wl,-z,relro
+LDFLAGS += -Wl,-z,relro
+endif
+
USE_SYSTEM_ZLIB = 1
ZLIB_LIBS = -lz

View File

@ -1,151 +0,0 @@
diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
--- a/lib/ssl/config.mk
+++ b/lib/ssl/config.mk
@@ -2,16 +2,20 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
ifdef NISCC_TEST
DEFINES += -DNISCC_TEST
endif
+ifdef NSS_NO_SSL2_NO_EXPORT
+DEFINES += -DNSS_NO_SSL2_NO_EXPORT
+endif
+
# Allow build-time configuration of TLS 1.3 (Experimental)
ifdef NSS_ENABLE_TLS_1_3
DEFINES += -DNSS_ENABLE_TLS_1_3
endif
ifdef NSS_NO_PKCS11_BYPASS
DEFINES += -DNO_PKCS11_BYPASS
else
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -674,16 +674,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0;
}
break;
case SSL_ENABLE_SSL2:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure; /* not allowed */
}
break;
}
ss->opt.enableSSL2 = on;
@@ -691,52 +697,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
ss->opt.v2CompatibleHello = on;
}
ss->preferredCipher = NULL;
if (ss->cipherSpecs) {
PORT_Free(ss->cipherSpecs);
ss->cipherSpecs = NULL;
ss->sizeCipherSpecs = 0;
}
+#endif /* NSS_NO_SSL2_NO_EXPORT */
break;
case SSL_NO_CACHE:
ss->opt.noCache = on;
break;
case SSL_ENABLE_FDX:
if (on && ss->opt.noLocks) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure;
}
ss->opt.fdx = on;
break;
case SSL_V2_COMPATIBLE_HELLO:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+ if (on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
if (IS_DTLS(ss)) {
if (on) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
rv = SECFailure; /* not allowed */
}
break;
}
ss->opt.v2CompatibleHello = on;
if (!on) {
ss->opt.enableSSL2 = on;
}
+#endif /* NSS_NO_SSL2_NO_EXPORT */
break;
case SSL_ROLLBACK_DETECTION:
ss->opt.detectRollBack = on;
break;
case SSL_NO_STEP_DOWN:
+#ifdef NSS_NO_SSL2_NO_EXPORT
+ if (!on) {
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
+ rv = SECFailure; /* not allowed */
+ }
+#else
ss->opt.noStepDown = on;
if (on)
SSL_DisableExportCipherSuites(fd);
+#endif /* NSS_NO_SSL2_NO_EXPORT */
break;
case SSL_BYPASS_PKCS11:
if (ss->handshakeBegun) {
PORT_SetError(PR_INVALID_STATE_ERROR);
rv = SECFailure;
} else {
if (PR_FALSE != on) {
@@ -1163,16 +1184,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo
}
return SECSuccess;
}
/* function tells us if the cipher suite is one that we no longer support. */
static PRBool
ssl_IsRemovedCipherSuite(PRInt32 suite)
{
+#ifdef NSS_NO_SSL2_NO_EXPORT
+ /* both ssl2 and export cipher suites disabled */
+ if (SSL_IS_SSL2_CIPHER(suite))
+ return PR_TRUE;
+ if (SSL_IsExportCipherSuite(suite)) {
+ SSLCipherSuiteInfo csdef;
+ if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess) {
+ /* failure to retrieve info, disable */
+ return PR_TRUE;
+ }
+ if (csdef.symCipher != ssl_calg_null) {
+ /* disable all except NULL ciphersuites */
+ return PR_TRUE;
+ }
+ }
+#endif /* NSS_NO_SSL2_NO_EXPORT */
switch (suite) {
case SSL_FORTEZZA_DMS_WITH_NULL_SHA:
case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA:
case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA:
return PR_TRUE;
default:
return PR_FALSE;
}

View File

@ -1,127 +0,0 @@
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -57,19 +57,24 @@ ssl_init()
fi
PORT=${PORT-8443}
NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal}
nss_ssl_run="stapling cov auth stress"
NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run}
# Test case files
- SSLCOV=${QADIR}/ssl/sslcov.txt
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ]; then
+ SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
+ else
+ SSLCOV=${QADIR}/ssl/sslcov.txt
+ SSLSTRESS=${QADIR}/ssl/sslstress.txt
+ fi
SSLAUTH=${QADIR}/ssl/sslauth.txt
- SSLSTRESS=${QADIR}/ssl/sslstress.txt
REQUEST_FILE=${QADIR}/ssl/sslreq.dat
#temparary files
SERVEROUTFILE=${TMP}/tests_server.$$
SERVERPID=${TMP}/tests_pid.$$
R_SERVERPID=../tests_pid.$$
@@ -115,17 +120,21 @@ is_selfserv_alive()
if [ "${OS_ARCH}" = "WINNT" ] && \
[ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then
PID=${SHELL_SERVERPID}
else
PID=`cat ${SERVERPID}`
fi
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+ echo "No server to kill"
+ else
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable"
+ fi
echo "selfserv with PID ${PID} found at `date`"
}
########################### wait_for_selfserv ##########################
# local shell function to wait until selfserver is running and initialized
########################################################################
wait_for_selfserv()
@@ -138,17 +147,21 @@ wait_for_selfserv()
if [ $? -ne 0 ]; then
sleep 5
echo "retrying to connect to selfserv at `date`"
echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\"
echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}"
${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \
-d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}
if [ $? -ne 0 ]; then
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 -o ${SSL2} -eq 0 ]; then
+ html_passed "Server never started"
+ else
html_failed "Waiting for Server"
+ fi
fi
fi
is_selfserv_alive
}
########################### kill_selfserv ##############################
# local shell function to kill the selfserver after the tests are done
########################################################################
@@ -209,25 +222,26 @@ start_selfserv()
ECC_OPTIONS=""
fi
if [ "$1" = "mixed" ]; then
ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
fi
echo "selfserv starting at `date`"
echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
echo " ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
- echo " $verbose -H 1 &"
+ echo " $verbose -H 1 -V ssl3: &"
if [ ${fileout} -eq 1 ]; then
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
- > ${SERVEROUTFILE} 2>&1 &
+ -V ssl3:> ${SERVEROUTFILE} 2>&1 &
RET=$?
else
${PROFTOOL} ${BINDIR}/selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \
- ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 &
+ ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID} $verbose -H 1 \
+ -V ssl3: &
RET=$?
fi
# The PID $! returned by the MKS or Cygwin shell is not the PID of
# the real background process, but rather the PID of a helper
# process (sh.exe). MKS's kill command has a bug: invoking kill
# on the helper process does not terminate the real background
# process. Our workaround has been to have selfserv save its PID
@@ -274,16 +288,22 @@ ssl_cov()
exec < ${SSLCOV}
while read ectype testmax param testname
do
echo "${testname}" | grep "EXPORT" > /dev/null
EXP=$?
echo "${testname}" | grep "SSL2" > /dev/null
SSL2=$?
+ # skip export and ssl2 tests when build has disabled SSL2
+ if [ "${NSS_NO_SSL2_NO_EXPORT}" = "1" ] && [ ${EXP} -eq 0 || ${SSL2} -eq 0 ]; then
+ echo "yyy exp/ssl2 test skipped: (NSS_NO_SSL2,EXP,SSL2)=(${NSS_NO_SSL2},${EXP},${SSL2})"
+ continue
+ fi
+
if [ "${SSL2}" -eq 0 ] ; then
# We cannot use asynchronous cert verification with SSL2
SSL2_FLAGS=-O
VMIN="ssl2"
else
# Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by
# default in libssl but it is enabled by default in tstclnt; we want
# to test the libssl default whenever possible.

View File

@ -1,2 +0,0 @@
Dummy source file that we by uploading it lets us verify that nss builds
do not cause the 'fedpkg upload' or 'fedpg new-sources' commands to hang.

View File

@ -1,175 +1,13 @@
diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
--- nss/cmd/bltest/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/bltest/Makefile 2014-05-06 07:15:41.173387799 -0700
@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile
--- nss/cmd/certcgi/Makefile.iquote 2014-08-19 10:18:35.713017904 -0700
+++ nss/cmd/certcgi/Makefile 2014-08-19 10:19:36.106528087 -0700
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile
--- nss/cmd/certutil/Makefile.iquote 2014-08-19 10:23:39.697585905 -0700
+++ nss/cmd/certutil/Makefile 2014-08-19 10:24:31.060019803 -0700
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
--- nss/cmd/lib/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/lib/Makefile 2014-05-06 07:15:41.174387806 -0700
@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../private/nss
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/modutil/Makefile.iquote nss/cmd/modutil/Makefile
--- nss/cmd/modutil/Makefile.iquote 2014-05-06 07:34:30.055124213 -0700
+++ nss/cmd/modutil/Makefile 2014-05-06 07:35:36.016602770 -0700
@@ -41,6 +41,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
diff -up nss/cmd/selfserv/Makefile.iquote nss/cmd/selfserv/Makefile
--- nss/cmd/selfserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/selfserv/Makefile 2014-05-06 07:15:41.175387813 -0700
@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/ssltap/Makefile.iquote nss/cmd/ssltap/Makefile
--- nss/cmd/ssltap/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/ssltap/Makefile 2014-05-06 07:15:41.176387820 -0700
@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../private/nss
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/strsclnt/Makefile.iquote nss/cmd/strsclnt/Makefile
--- nss/cmd/strsclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/strsclnt/Makefile 2014-05-06 07:15:41.177387827 -0700
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/tstclnt/Makefile.iquote nss/cmd/tstclnt/Makefile
--- nss/cmd/tstclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/tstclnt/Makefile 2014-05-06 07:15:41.178387834 -0700
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
#include ../platlibs.mk
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/cmd/vfyserv/Makefile.iquote nss/cmd/vfyserv/Makefile
--- nss/cmd/vfyserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/cmd/vfyserv/Makefile 2014-05-06 07:15:41.179387841 -0700
@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
#include ../platlibs.mk
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/coreconf/location.mk 2014-05-06 07:15:41.180387848 -0700
@@ -45,6 +45,10 @@ endif
ifdef NSS_INCLUDE_DIR
INCLUDES += -I$(NSS_INCLUDE_DIR)
+ ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss
+ INCLUDES += -iquote $(DIST)/../private/nss
+ endif
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
SQLITE_LIB_NAME = sqlite3
endif
ifndef NSS_LIB_DIR
diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
--- nss/lib/certhigh/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/lib/certhigh/Makefile 2014-05-06 07:15:41.181387855 -0700
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
--- nss/lib/cryptohi/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/lib/cryptohi/Makefile 2014-05-06 07:15:41.182387862 -0700
@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
--- nss/lib/nss/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
+++ nss/lib/nss/Makefile 2014-05-06 07:15:41.183387869 -0700
@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
# (6) Execute "component" rules. (OPTIONAL) #
#######################################################################
-
+INCLUDES += -iquote $(DIST)/../public/nss
+INCLUDES += -iquote $(DIST)/../private/nss
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
MK_LOCATION = included

View File

@ -1,11 +0,0 @@
diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios
--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700
+++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700
@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg
nameconstraints.cfg

View File

@ -1,11 +1,13 @@
diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
--- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700
@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port
--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -15,24 +17,28 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
+ errExit("PR_OpenTCPSockett");
}
opt.option = PR_SockOpt_Nonblocking;
diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
--- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700
@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
+ PRUint16 socketDomain = PR_AF_INET;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
@ -42,9 +48,6 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
+ }
- listen_sock = PR_NewTCPSocket();
+ if (PR_GetEnv("NSS_USE_SDP")) {
+ socketDomain = PR_AF_INET_SDP;
+ }
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
@ -52,3 +55,8 @@ diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

View File

@ -1,12 +0,0 @@
diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
+++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
@@ -5,7 +5,7 @@
CORE_DEPTH = ../..
-DIRS = builtins
+DIRS = builtins pem
PRIVATE_EXPORTS = \
ck.h \

View File

@ -0,0 +1,21 @@
diff -up ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 ./lib/util/pkcs11n.h
--- ./lib/util/pkcs11n.h.aes_gcm_pkcs11_v2 2020-05-13 13:44:11.312405744 -0700
+++ ./lib/util/pkcs11n.h 2020-05-13 13:45:23.951723660 -0700
@@ -605,7 +605,7 @@ typedef struct CK_NSS_GCM_PARAMS {
typedef CK_NSS_GCM_PARAMS CK_PTR CK_NSS_GCM_PARAMS_PTR;
/* deprecated #defines. Drop in future NSS releases */
-#ifdef NSS_PKCS11_2_0_COMPAT
+#ifndef NSS_PKCS11_3_0_STRICT
/* defines that were changed between NSS's PKCS #11 and the Oasis headers */
#define CKF_EC_FP CKF_EC_F_P
@@ -664,7 +664,7 @@ typedef CK_NSS_GCM_PARAMS CK_PTR CK_GCM_
#define CKT_NETSCAPE_VALID CKT_NSS_VALID
#define CKT_NETSCAPE_VALID_DELEGATOR CKT_NSS_VALID_DELEGATOR
#else
-/* use the new CK_GCM_PARAMS if NSS_PKCS11_2_0_COMPAT is not defined */
+/* use the new CK_GCM_PARAMS if NSS_PKCS11_3_0_STRICT is defined */
typedef struct CK_GCM_PARAMS_V3 CK_GCM_PARAMS;
typedef CK_GCM_PARAMS_V3 CK_PTR CK_GCM_PARAMS_PTR;
#endif

31
nss-kremlin-ppc64le.patch Normal file
View File

@ -0,0 +1,31 @@
Index: nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
+++ nss/lib/freebl/verified/kremlin/include/kremlin/internal/types.h
@@ -56,9 +56,10 @@ typedef const char *Prims_string;
!defined(__clang__)
#include <emmintrin.h>
typedef __m128i FStar_UInt128_uint128;
-#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
+#elif !defined(KRML_VERIFIED_UINT128) && !defined(_MSC_VER) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
typedef unsigned __int128 FStar_UInt128_uint128;
#elif !defined(KRML_VERIFIED_UINT128) && defined(_MSC_VER) && defined(__clang__)
typedef __uint128_t FStar_UInt128_uint128;
Index: nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
===================================================================
--- nss.orig/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
+++ nss/lib/freebl/verified/kremlin/kremlib/dist/minimal/fstar_uint128_gcc64.h
@@ -26,7 +26,8 @@
#if !defined(KRML_VERIFIED_UINT128) && (!defined(_MSC_VER) || defined(__clang__)) && \
(defined(__x86_64__) || defined(__x86_64) || defined(__aarch64__) || \
- (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)))
+ (defined(__powerpc64__) && defined(__LITTLE_ENDIAN__)) || \
+ defined(__s390x__))
/* GCC + using native unsigned __int128 support */

4
nss-p11-kit.config Normal file
View File

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

94
nss-signtool-format.patch Normal file
View File

@ -0,0 +1,94 @@
diff --git a/cmd/modutil/install.c b/cmd/modutil/install.c
--- a/cmd/modutil/install.c
+++ b/cmd/modutil/install.c
@@ -825,17 +825,20 @@ rm_dash_r(char *path)
dir = PR_OpenDir(path);
if (!dir) {
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ PR_CloseDir(dir);
+ return -1;
+ }
if (rm_dash_r(filename)) {
PR_CloseDir(dir);
return -1;
}
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
return -1;
diff --git a/cmd/signtool/util.c b/cmd/signtool/util.c
--- a/cmd/signtool/util.c
+++ b/cmd/signtool/util.c
@@ -132,17 +132,20 @@ rm_dash_r(char *path)
if (!dir) {
PR_fprintf(errorFD, "Error: Unable to open directory %s.\n", path);
errorCount++;
return -1;
}
/* Recursively delete all entries in the directory */
while ((entry = PR_ReadDir(dir, PR_SKIP_BOTH)) != NULL) {
- sprintf(filename, "%s/%s", path, entry->name);
+ if (snprintf(filename, sizeof(filename), "%s/%s", path, entry->name) >= sizeof(filename)) {
+ errorCount++;
+ return -1;
+ }
if (rm_dash_r(filename))
return -1;
}
if (PR_CloseDir(dir) != PR_SUCCESS) {
PR_fprintf(errorFD, "Error: Could not close %s.\n", path);
errorCount++;
return -1;
diff --git a/lib/libpkix/pkix/util/pkix_list.c b/lib/libpkix/pkix/util/pkix_list.c
--- a/lib/libpkix/pkix/util/pkix_list.c
+++ b/lib/libpkix/pkix/util/pkix_list.c
@@ -1530,17 +1530,17 @@ cleanup:
*/
PKIX_Error *
PKIX_List_SetItem(
PKIX_List *list,
PKIX_UInt32 index,
PKIX_PL_Object *item,
void *plContext)
{
- PKIX_List *element;
+ PKIX_List *element = NULL;
PKIX_ENTER(LIST, "PKIX_List_SetItem");
PKIX_NULLCHECK_ONE(list);
if (list->immutable){
PKIX_ERROR(PKIX_OPERATIONNOTPERMITTEDONIMMUTABLELIST);
}
diff --git a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
--- a/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
+++ b/lib/libpkix/pkix_pl_nss/system/pkix_pl_oid.c
@@ -102,17 +102,17 @@ cleanup:
*/
static PKIX_Error *
pkix_pl_OID_Equals(
PKIX_PL_Object *first,
PKIX_PL_Object *second,
PKIX_Boolean *pResult,
void *plContext)
{
- PKIX_Int32 cmpResult;
+ PKIX_Int32 cmpResult = 0;
PKIX_ENTER(OID, "pkix_pl_OID_Equals");
PKIX_NULLCHECK_THREE(first, second, pResult);
PKIX_CHECK(pkix_pl_OID_Comparator
(first, second, &cmpResult, plContext),
PKIX_OIDCOMPARATORFAILED);

View File

@ -1,17 +0,0 @@
diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
+++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
DIRS += libpkix
endif
-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
BLTEST_SRCDIR =
-FIPSTEST_SRCDIR =
-SHLIBSIGN_SRCDIR =
+FIPSTEST_SRCDIR =
+SHLIBSIGN_SRCDIR = shlibsign
else
BLTEST_SRCDIR = bltest
FIPSTEST_SRCDIR = fipstest

116
nss-softokn-config.in Normal file
View File

@ -0,0 +1,116 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

View File

@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
nss-softokn-dracut.conf Normal file
View File

@ -0,0 +1,3 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

11
nss-softokn.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: %SOFTOKEN_VERSION%
Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

View File

@ -1,16 +0,0 @@
diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.nobypass 2013-05-30 22:23:37.305583715 -0700
+++ nss/lib/ssl/sslsock.c 2013-05-30 22:23:37.311583762 -0700
@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo
static PRStatus SSL_BypassSetup(void)
{
#ifdef NO_PKCS11_BYPASS
- /* Guarantee binary compatibility */
- return PR_SUCCESS;
+ /* No need in our case to guarantee binary compatibility and
+ * we can safely return failure as we have never supported it
+ */
+ return PR_FAILURE;
#else
return PR_CallOnce(&setupBypassOnce, &SSL_BypassRegisterShutdown);
#endif

118
nss-util-config.in Normal file
View File

@ -0,0 +1,118 @@
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
nss-util.pc.in Normal file
View File

@ -0,0 +1,11 @@
prefix=%prefix%
exec_prefix=%exec_prefix%
libdir=%libdir%
includedir=%includedir%
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: %NSSUTIL_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

1280
nss.spec

File diff suppressed because it is too large Load Diff

View File

@ -1,80 +0,0 @@
diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
--- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700
@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
# are specifed as dependencies within rules.mk.
#
+
+EXTRA_LIBS += \
+ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+
TARGETS = $(SHARED_LIBRARY)
LIBRARY =
IMPORT_LIBRARY =
@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
MKSHLIB += -R '$$ORIGIN'
endif
+# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
+# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_NSSUTIL
+OS_LIBS += $(NSSUTIL_LIBS)
+else
+NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(NSSUTIL_LIBS)
+endif
+# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
+# FREEBL_LIBS to the linker command-line arguments for the system nssutil
+# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
+ifdef USE_SYSTEM_FREEBL
+OS_LIBS += $(FREEBL_LIBS)
+else
+FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
+EXTRA_LIBS += $(FREEBL_LIBS)
+endif
+
diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
--- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700
@@ -43,8 +43,7 @@ include config.mk
EXTRA_LIBS = \
$(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
+ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
$(NULL)
# can't do this in manifest.mn because OS_TARGET isn't defined there.
@@ -56,6 +55,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3
$(NULL)
else
EXTRA_SHARED_LIBS += \
@@ -74,6 +76,9 @@ EXTRA_LIBS += \
-lplc4 \
-lplds4 \
-lnspr4 \
+ -L$(NSSUTIL_LIB_DIR) \
+ -lnssutil3 \
+ -lfreebl3 \
$(NULL)
endif
diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
--- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700
+++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700
@@ -65,4 +65,4 @@ REQUIRES = nspr
LIBRARY_NAME = nsspem
-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
+EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3

View File

@ -1,38 +0,0 @@
diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt
--- ./nss/tests/ssl/sslauth.txt.ocsp_sni 2015-05-28 10:50:45.000000000 -0700
+++ ./nss/tests/ssl/sslauth.txt 2015-08-30 08:49:22.025299419 -0700
@@ -65,12 +65,12 @@
# SNI Tests
#
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI
- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions
SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI
- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI
SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS
+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert
diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh
--- ./nss/tests/ssl/ssl.sh.ocsp_sni 2015-08-30 08:49:21.905301105 -0700
+++ ./nss/tests/ssl/ssl.sh 2015-08-30 08:49:22.017299531 -0700
@@ -457,10 +457,10 @@ ssl_stapling_sub()
start_selfserv
echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\"
- echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
+ echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}"
rm ${TMP}/$HOST.tmp.$$ 2>/dev/null
${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \
- -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
+ -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \
>${TMP}/$HOST.tmp.$$ 2>&1
ret=$?
cat ${TMP}/$HOST.tmp.$$

View File

@ -1,12 +0,0 @@
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700
+++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700
@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */

View File

@ -1,14 +0,0 @@
diff -up ./nss/lib/ssl/ssl3con.c.1185708_3des ./nss/lib/ssl/ssl3con.c
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2015-09-29 16:24:18.717593591 -0700
+++ ./nss/lib/ssl/ssl3con.c 2015-09-29 16:25:22.672879926 -0700
@@ -101,8 +101,8 @@ static ssl3CipherSuiteCfg cipherSuites[s
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */

View File

@ -1,39 +0,0 @@
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
*
* Important: See bug 946147 before enabling, reordering, or adding any cipher
* suites to this list.
*/
static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
/* cipher_suite policy enabled isPresent */
#ifndef NSS_DISABLE_ECC
- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
/* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
* bug 946147.
*/
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
#endif /* NSS_DISABLE_ECC */
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},

View File

@ -1,52 +0,0 @@
diff -up ./nss/tests/ssl/sslstress.txt.skip ./nss/tests/ssl/sslstress.txt
--- ./nss/tests/ssl/sslstress.txt.skip 2015-09-11 21:48:21.763187957 -0700
+++ ./nss/tests/ssl/sslstress.txt 2015-09-11 21:50:10.516514535 -0700
@@ -8,29 +8,29 @@
# Enable return server client Test Case name
# ECC value params params
# ------- ------ ------ ------ ---------------
- noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
- noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
- noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
- noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
- noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
- noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
- noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
- SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
+# noECC 0 _ -c_1000_-C_A Stress SSL2 RC4 128 with MD5
+# noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5
+# noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5
+# noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start)
+# noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket)
+# noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression)
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression)
+# noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start)
+# SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI)
#
# add client auth versions here...
#
- noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
- noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
- noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
- noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
- noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
- noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
- SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
- SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
+# noECC 0 -r_-r -c_100_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with MD5 (no reuse, client auth)
+# noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth)
+# noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth)
+# noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth)
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth)
+# noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start)
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth)
+# noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start)
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host)
+# SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host)
#
# ############################ ECC ciphers ############################

13
sources
View File

@ -1,7 +1,6 @@
a5ae49867124ac75f029a9a33af31bad blank-cert8.db
9315689bbd9f28ceebd47894f99fccbd blank-key3.db
73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
c285ef92de0031cb0a8caa60d396d618 nss-3.20.1.tar.gz
SHA512 (blank-cert8.db) = ac131d15708c5f1b5e467831f919f4fc4ba13b60a4bb5fe260c845fa9afcd899a588d21ed52060abaa1bbb29f2b53af8b495d28407183cb03aff1974f95f1d3d
SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403fda3e3d4e7757838061ae56ccf5aac335cb54f254f0a9e6e9c0dd5920b4155a39264525b06
SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
SHA512 (nss-3.52.tar.gz) = a45baf38717bceda03c292b2c01def680a24a846327e17d36044a85e30ed40c68220c78c0a2c3025c11778ee58f5d5eb0fff1b4cd274b95c408fb59e394e62c6

View File

@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/CoreOS/nss/Regression/NSS-tools-should-not-use-SHA1-by-default-when
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Hubert Kario <hkario@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: NSS tools should not use SHA1 by default when" >> $(METADATA)
@echo "Type: Regression" >> $(METADATA)
@echo "TestTime: 10m" >> $(METADATA)
@echo "RunFor: nss openssl" >> $(METADATA)
@echo "Requires: nss nss-tools openssl" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)

View File

@ -0,0 +1,4 @@
PURPOSE of NSS-tools-should-not-use-SHA1-by-default-when
Description: NSS tools should not use SHA1 by default when
Author: Hubert Kario <hkario@redhat.com>
Summary: NSS tools should not use SHA1 by default when generating digital signatures/certificates

View File

@ -0,0 +1,125 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of NSS-tools-should-not-use-SHA1-by-default-when
# Description: NSS tools should not use SHA1 by default when
# Author: Hubert Kario <hkario@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2016 Red Hat, Inc.
#
# This copyrighted material is made available to anyone wishing
# to use, modify, copy, or redistribute it subject to the terms
# and conditions of the GNU General Public License version 2.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public
# License along with this program; if not, write to the Free
# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
# Boston, MA 02110-1301, USA.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Include Beaker environment
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="nss"
PACKAGES="nss openssl"
DBDIR="nssdb"
rlJournalStart
rlPhaseStartSetup
rlAssertRpm --all
rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
rlRun "pushd $TmpDir"
rlRun "mkdir nssdb"
rlRun "certutil -N -d $DBDIR --empty-password"
rlLogInfo "Create a JAR file"
rlRun "mkdir java-dir"
rlRun "pushd java-dir"
rlRun "mkdir META-INF mypackage"
rlRun "echo 'Main-Class: mypackage/MyMainFile' > META-INF/MANIFEST.MF"
rlRun "echo 'Those are not the droids you are looking for' > mypackage/MyMainFile.class"
#rlRun "jar -cfe package.jar mypackage/MyMainFile mypackage/MyMainFile.class"
rlRun "popd"
#rlRun "mv java-dir/package.jar ."
rlPhaseEnd
rlPhaseStartTest "Self signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'CA' -t 'cTC,cTC,cTC' -s 'CN=CA' -x -z noise"
rlRun -s "certutil -d $DBDIR -L -n 'CA' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Signing certificates"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "certutil -d $DBDIR -S -n 'server' -t 'u,u,u' -s 'CN=server.example.com' -c 'CA' -z noise --nsCertType sslClient,sslServer,objectSigning,smime"
rlRun -s "certutil -d $DBDIR -L -n 'server' -a | openssl x509 -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "Certificate request"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Certificate request with SHA1"
rlRun "dd if=/dev/urandom of=noise bs=1 count=32 >/dev/null"
rlRun "mkdir srv2db"
rlRun "certutil -d srv2db -N --empty-password"
rlRun "certutil -d srv2db -R -s CN=www.example.com -o srv2.req -a -z noise -Z SHA1"
rlRun -s "openssl req -noout -text -in srv2.req"
rlAssertGrep "Signature Algorithm: sha1WithRSAEncryption" "$rlRun_LOG"
rlRun "certutil -d $DBDIR -C -c 'CA' -i srv2.req -a -o srv2.crt"
rlRun -s "openssl x509 -in srv2.crt -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" "$rlRun_LOG"
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlRun "rm -rf srv2db"
rlPhaseEnd
rlPhaseStartTest "Signing CMS messages"
rlRun "echo 'This is a document' > document.txt"
rlRun "cmsutil -S -d $DBDIR -N 'server' -i document.txt -o document.cms"
rlRun -s "openssl cms -in document.cms -inform der -noout -cmsout -print"
rlAssertGrep "algorithm: sha256" $rlRun_LOG
rlAssertNotGrep "algorithm: sha1" $rlRun_LOG
rlPhaseEnd
rlPhaseStartTest "CRL signing"
rlRun "echo $(date --utc +update=%Y%m%d%H%M%SZ) > script"
rlRun "echo $(date -d 'next week' --utc +nextupdate=%Y%m%d%H%M%SZ) >> script"
rlRun "echo addext crlNumber 0 1245 >>script"
rlRun "echo addcert 12 $(date -d 'yesterday' --utc +%Y%m%d%H%M%SZ) >>script"
rlRun "echo addext reasonCode 0 0 >>script"
rlRun "cat script"
rlRun "crlutil -G -c script -d $DBDIR -n CA -o ca.crl"
rlRun -s "openssl crl -in ca.crl -inform der -noout -text"
rlAssertGrep "Signature Algorithm: sha256WithRSAEncryption" $rlRun_LOG
rlAssertNotGrep "Signature Algorithm: sha1WithRSAEncryption" $rlRun_LOG
rlPhaseEnd
rlPhaseStartCleanup
rlRun "popd"
rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd

12
tests/tests.yml Normal file
View File

@ -0,0 +1,12 @@
---
# This first play always runs on the local staging system
- hosts: localhost
roles:
- role: standard-test-beakerlib
tags:
- classic
tests:
- NSS-tools-should-not-use-SHA1-by-default-when
required_packages:
- nss-tools
- nss

View File

@ -1,21 +0,0 @@
diff -up ./nss/cmd/tstclnt/tstclnt.c.ssl2_off ./nss/cmd/tstclnt/tstclnt.c
--- ./nss/cmd/tstclnt/tstclnt.c.ssl2_off 2015-08-07 11:12:13.000000000 -0700
+++ ./nss/cmd/tstclnt/tstclnt.c 2015-09-11 20:08:34.771859950 -0700
@@ -212,7 +212,7 @@ static void PrintParameterUsage(void)
fprintf(stderr,
"%-20s Restricts the set of enabled SSL/TLS protocols versions.\n"
"%-20s All versions are enabled by default.\n"
- "%-20s Possible values for min/max: ssl2 ssl3 tls1.0 tls1.1 tls1.2\n"
+ "%-20s Possible values for min/max: ssl3 tls1.0 tls1.1 tls1.2\n"
"%-20s Example: \"-V ssl3:\" enables SSL 3 and newer.\n",
"-V [min]:[max]", "", "", "");
fprintf(stderr, "%-20s Send TLS_FALLBACK_SCSV\n", "-K");
@@ -911,7 +911,7 @@ int main(int argc, char **argv)
int npds;
int override = 0;
SSLVersionRange enabledVersions;
- PRBool enableSSL2 = PR_TRUE;
+ PRBool enableSSL2 = PR_FALSE;
int bypassPKCS11 = 0;
int disableLocking = 0;
int useExportPolicy = 0;

View File

@ -1,14 +0,0 @@
diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
@@ -3,6 +3,10 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+INCLUDES += -I/usr/include/nss3/templates
+#endif
+
# can't do this in manifest.mn because OS_TARGET isn't defined there.
ifeq (,$(filter-out WIN%,$(OS_TARGET)))