From 543ae9ce8395f67331102252c46d2f4286284181 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Mon, 12 Dec 2011 15:42:30 -0800
Subject: [PATCH] - Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
- Only patch blapitest for the lack of sha224 on system freebl
- Completed the patch to make pem link against system freebl
---
 nosha224.patch | 545 +--------------------------------
 nss.spec | 8 +-
 nsspem-use-system-freebl.patch | 80 +++++
 3 files changed, 101 insertions(+), 532 deletions(-)
diff --git a/nosha224.patch b/nosha224.patch
index bd9d351..186f7dc 100644
--- a/nosha224.patch
+++ b/nosha224.patch
@@ -1,24 +1,6 @@
-diff -up ./mozilla/security/coreconf/Linux.mk.nosha224 ./mozilla/security/coreconf/Linux.mk
---- ./mozilla/security/coreconf/Linux.mk.nosha224 2011-12-04 22:03:47.295609957 -0800
-+++ ./mozilla/security/coreconf/Linux.mk 2011-12-04 22:03:47.301609957 -0800
-@@ -188,6 +188,14 @@ NSSUTIL_LIBS = -lnssutil3
- USE_SYSTEM_FREEBL = 1
- FREEBL_LIBS = -lfreebl3
- 
-+#
-+# Don't compile code that requires SHA224 if it isn't avilable
-+# Such is the case when system freebl/softokn is the 3.12 one
-+#
-+ifdef NO_SHA224_AVAILABLE
-+CFLAGS+=-DNO_SHA224_AVAILABLE
-+endif
-+
- # The -rpath '$$ORIGIN' linker option instructs this library to search for its
- # dependencies in the same directory where it resides.
- ifeq ($(BUILD_SUN_PKG), 1)
 diff -up ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 ./mozilla/security/nss/cmd/bltest/blapitest.c
 --- ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 2011-09-16 12:16:50.000000000 -0700
-+++ ./mozilla/security/nss/cmd/bltest/blapitest.c 2011-12-04 22:03:47.302609957 -0800
++++ ./mozilla/security/nss/cmd/bltest/blapitest.c 2011-12-10 11:45:11.346011408 -0800
 @@ -686,7 +686,9 @@ typedef enum {
      bltestMD2, /* Hash algorithms */
      bltestMD5, /* . */
@@ -91,520 +73,21 @@ diff -up ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 ./mozilla/securi case bltestSHA256: case bltestSHA384: case bltestSHA512: -diff -up ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224 ./mozilla/security/nss/cmd/chktest/chktest.c ---- ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224 2010-12-06 09:22:49.000000000 -0800 -+++ ./mozilla/security/nss/cmd/chktest/chktest.c 2011-12-04 22:03:47.304609957 -0800 -@@ -41,6 +41,10 @@ - #include "blapi.h" - #include "secutil.h" +diff -up ./mozilla/security/nss/cmd/bltest/Makefile.nosha224 ./mozilla/security/nss/cmd/bltest/Makefile +--- ./mozilla/security/nss/cmd/bltest/Makefile.nosha224 2011-12-10 11:52:27.321001376 -0800 ++++ ./mozilla/security/nss/cmd/bltest/Makefile 2011-12-10 11:56:07.580996325 -0800 +@@ -62,6 +62,11 @@ include $(CORE_DEPTH)/coreconf/config.mk -+#ifdef NO_SHA224_AVAILABLE -+PRBool BLAPI_SHVerifyFile(const char *shName); -+#endif + include ../platlibs.mk + ++# Don't compile code that requires SHA224 if it isn't avilable ++# Such is the case when system freebl/softokn is the 3.12 one ++# ++CFLAGS+=-DNO_SHA224_AVAILABLE + - static int Usage() - { - fprintf(stderr, "Usage: chktest \n"); -diff -up ./mozilla/security/nss/cmd/lib/secutil.c.nosha224 ./mozilla/security/nss/cmd/lib/secutil.c ---- ./mozilla/security/nss/cmd/lib/secutil.c.nosha224 2011-10-22 07:35:41.000000000 -0700 -+++ ./mozilla/security/nss/cmd/lib/secutil.c 2011-12-04 22:03:47.305609957 -0800 -@@ -86,6 +86,14 @@ static char consoleName[] = { - #include "nssutil.h" - #include "ssl.h" - -+/* Defined in ./mozilla/dist/public/nss/certdb.h which was included -+ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h -+ * but invisible here for some reason -+ */ -+#ifndef CERTDB_TERMINAL_RECORD -+#define CERTDB_TERMINAL_RECORD (1<<0) -+#endif -+ - - void - SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) 
-@@ -1509,6 +1517,8 @@ const SEC_ASN1Template secuPBEV2Params[] - { 0 } - }; - -+/* if no sha224 then no psapss either */ -+#ifndef NO_SHA224_AVAILABLE - void - secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) - { -@@ -1572,6 +1582,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte - } - PORT_FreeArena(pool, PR_FALSE); - } -+#endif - - void - secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) -@@ -1684,10 +1695,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo - return; - } - -+#ifndef NO_SHA224_AVAILABLE - if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { - secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1); - return; - } -+#endif - - if (a->parameters.len == 0 - || (a->parameters.len == 2 -@@ -3763,8 +3776,10 @@ SECU_StringToSignatureAlgTag(const char - hashAlgTag = SEC_OID_MD5; - } else if (!PL_strcmp(alg, "SHA1")) { - hashAlgTag = SEC_OID_SHA1; -+#ifndef NO_SHA224_AVAILABLE - } else if (!PL_strcmp(alg, "SHA224")) { - hashAlgTag = SEC_OID_SHA224; -+#endif - } else if (!PL_strcmp(alg, "SHA256")) { - hashAlgTag = SEC_OID_SHA256; - } else if (!PL_strcmp(alg, "SHA384")) { -diff -up ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224 ./mozilla/security/nss/cmd/pk11mode/pk11mode.c ---- ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224 2011-12-04 22:07:27.230604899 -0800 -+++ ./mozilla/security/nss/cmd/pk11mode/pk11mode.c 2011-12-04 22:10:06.365601241 -0800 -@@ -883,21 +883,27 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR - - mech_str digestMechs[] = { - {CKM_SHA_1, "CKM_SHA_1 "}, -+#ifndef NO_SHA224_AVAILABLE - {CKM_SHA224, "CKM_SHA224"}, -+#endif - {CKM_SHA256, "CKM_SHA256"}, - {CKM_SHA384, "CKM_SHA384"}, - {CKM_SHA512, "CKM_SHA512"} - }; - mech_str hmacMechs[] = { - {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, -+#ifndef NO_SHA224_AVAILABLE - {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"}, -+#endif - {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"}, - {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"}, - {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"} - }; - mech_str 
sigRSAMechs[] = { - {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, -+#ifndef NO_SHA224_AVAILABLE - {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"}, -+#endif - {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"}, - {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"}, - {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"} -diff -up ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224 ./mozilla/security/nss/lib/cryptohi/sechash.c ---- ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224 2011-06-21 15:47:54.000000000 -0700 -+++ ./mozilla/security/nss/lib/cryptohi/sechash.c 2011-12-04 22:03:47.306609957 -0800 -@@ -91,10 +91,12 @@ sha1_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA1); - } - -+#ifndef NO_SHA224_AVAILABLE - static void * - sha224_NewContext(void) { - return (void *) PK11_CreateDigestContext(SEC_OID_SHA224); - } -+#endif - - static void * - sha256_NewContext(void) { -@@ -189,6 +191,7 @@ const SECHashObject SECHashObjects[] = { - SHA512_BLOCK_LENGTH, - HASH_AlgSHA512 - }, -+#ifndef NO_SHA224_AVAILABLE - { SHA224_LENGTH, - (void * (*)(void)) sha224_NewContext, - (void * (*)(void *)) PK11_CloneContext, -@@ -200,6 +203,7 @@ const SECHashObject SECHashObjects[] = { - SHA224_BLOCK_LENGTH, - HASH_AlgSHA224 - }, -+#endif - }; - - const SECHashObject * -@@ -217,7 +221,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashO - case SEC_OID_MD2: ht = HASH_AlgMD2; break; - case SEC_OID_MD5: ht = HASH_AlgMD5; break; - case SEC_OID_SHA1: ht = HASH_AlgSHA1; break; -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_SHA224: ht = HASH_AlgSHA224; break; -+#endif - case SEC_OID_SHA256: ht = HASH_AlgSHA256; break; - case SEC_OID_SHA384: ht = HASH_AlgSHA384; break; - case SEC_OID_SHA512: ht = HASH_AlgSHA512; break; -@@ -237,7 +243,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag - /* no oid exists for HMAC_MD2 */ - /* NSS does not define a oid for HMAC_MD4 */ - case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break; -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; 
break; -+#endif - case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break; - case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break; - case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break; -@@ -257,7 +265,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag - /* no oid exists for HMAC_MD2 */ - /* NSS does not define a oid for HMAC_MD4 */ - case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break; -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break; -+#endif - case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break; - case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break; - case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break; -diff -up ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224 ./mozilla/security/nss/lib/cryptohi/seckey.c ---- ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224 2011-10-22 07:35:42.000000000 -0700 -+++ ./mozilla/security/nss/lib/cryptohi/seckey.c 2011-12-04 22:03:47.307609957 -0800 -@@ -550,7 +550,9 @@ seckey_GetKeyType (SECOidTag tag) { - * should be handing us a cipher type */ - case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: -+#endif - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: -diff -up ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224 ./mozilla/security/nss/lib/cryptohi/secvfy.c ---- ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224 2011-10-22 07:35:42.000000000 -0700 -+++ ./mozilla/security/nss/lib/cryptohi/secvfy.c 2011-12-04 22:03:47.307609957 -0800 -@@ -240,11 +240,12 @@ sec_DecodeSigAlg(const SECKEYPublicKey * - case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: - *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ - break; -- -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: 
- *hashalg = SEC_OID_SHA224; - break; -+#endif - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - *hashalg = SEC_OID_SHA256; -@@ -279,8 +280,10 @@ sec_DecodeSigAlg(const SECKEYPublicKey * - len = SECKEY_PublicKeyStrength(key); - if (len < 28) { /* 28 bytes == 224 bits */ - *hashalg = SEC_OID_SHA1; -+#ifndef NO_SHA224_AVAILABLE - } else if (len < 32) { /* 32 bytes == 256 bits */ - *hashalg = SEC_OID_SHA224; -+#endif - } else if (len < 48) { /* 48 bytes == 384 bits */ - *hashalg = SEC_OID_SHA256; - } else if (len < 64) { /* 48 bytes == 512 bits */ -@@ -325,7 +328,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey * - case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: - case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: - case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: -+#endif - case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: - case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: -@@ -347,7 +352,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey * - *encalg = SEC_OID_MISSI_DSS; - break; - case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: -+#ifndef NO_SHA224_AVAILABLE - case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: -+#endif - case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: - case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: -diff -up ./mozilla/security/nss/lib/freebl/blapi.h.nosha224 ./mozilla/security/nss/lib/freebl/blapi.h ---- ./mozilla/security/nss/lib/freebl/blapi.h.nosha224 2011-10-04 15:05:53.000000000 -0700 -+++ ./mozilla/security/nss/lib/freebl/blapi.h 2011-12-04 22:03:47.308609957 -0800 -@@ -1088,7 +1088,7 @@ extern SHA1Context * SHA1_Resurrect(unsi - extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src); - - /******************************************/ -- -+#ifndef NO_SHA224_AVAILABLE - extern SHA224Context *SHA224_NewContext(void); - extern void SHA224_DestroyContext(SHA224Context 
*cx, PRBool freeit); - extern void SHA224_Begin(SHA224Context *cx); -@@ -1104,6 +1104,7 @@ extern unsigned int SHA224_FlattenSize(S - extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space); - extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg); - extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src); -+#endif - - /******************************************/ - -diff -up ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224 ./mozilla/security/nss/lib/freebl/ldvector.c ---- ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224 2011-10-04 15:05:53.000000000 -0700 -+++ ./mozilla/security/nss/lib/freebl/ldvector.c 2011-12-04 22:03:47.309609957 -0800 -@@ -270,7 +270,7 @@ static const struct FREEBLVectorStr vect - JPAKE_Verify, - JPAKE_Round2, - JPAKE_Final, -- -+#ifndef NO_SHA224_AVAILABLE - /* End of Version 3.012 */ - - TLS_P_hash, -@@ -287,7 +287,7 @@ static const struct FREEBLVectorStr vect - SHA224_Resurrect, - SHA224_Clone, - BLAPI_SHVerifyFile -- -+#endif - /* End of Version 3.013 */ - }; - -diff -up ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224 ./mozilla/security/nss/lib/freebl/nsslowhash.c ---- ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224 2010-09-09 17:42:36.000000000 -0700 -+++ ./mozilla/security/nss/lib/freebl/nsslowhash.c 2011-12-04 22:03:47.309609957 -0800 -@@ -128,14 +128,14 @@ freebl_fips_SHA_PowerUpSelfTest( void ) - 0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b, - 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, - 0xe0,0x68,0x47,0x7a}; -- -+#ifndef NO_SHA224_AVAILABLE - /* SHA-224 Known Digest Message (224-bits). */ - static const PRUint8 sha224_known_digest[] = { - 0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, - 0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8, - 0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64, - 0x9a,0xb8,0x98,0x4e}; -- -+#endif - /* SHA-256 Known Digest Message (256-bits). 
*/ - static const PRUint8 sha256_known_digest[] = { - 0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61, -@@ -178,7 +178,7 @@ freebl_fips_SHA_PowerUpSelfTest( void ) - ( PORT_Memcmp( sha_computed_digest, sha1_known_digest, - SHA1_LENGTH ) != 0 ) ) - return( CKR_DEVICE_ERROR ); -- -+#ifndef NO_SHA224_AVAILABLE - /***************************************************/ - /* SHA-224 Single-Round Known Answer Hashing Test. */ - /***************************************************/ -@@ -190,7 +190,7 @@ freebl_fips_SHA_PowerUpSelfTest( void ) - ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, - SHA224_LENGTH ) != 0 ) ) - return( CKR_DEVICE_ERROR ); -- -+#endif - /***************************************************/ - /* SHA-256 Single-Round Known Answer Hashing Test. */ - /***************************************************/ -diff -up ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224 ./mozilla/security/nss/lib/freebl/rawhash.c ---- ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224 2010-08-17 22:55:47.000000000 -0700 -+++ ./mozilla/security/nss/lib/freebl/rawhash.c 2011-12-04 22:03:47.309609957 -0800 -@@ -155,6 +155,7 @@ const SECHashObject SECRawHashObjects[] - SHA512_BLOCK_LENGTH, - HASH_AlgSHA512 - }, -+#ifndef NO_SHA224_AVAILABLE - { SHA224_LENGTH, - (void * (*)(void)) SHA224_NewContext, - (void * (*)(void *)) null_hash_clone_context, -@@ -166,6 +167,7 @@ const SECHashObject SECRawHashObjects[] - SHA224_BLOCK_LENGTH, - HASH_AlgSHA224 - }, -+#endif - }; - - const SECHashObject * -diff -up ./mozilla/security/nss/lib/freebl/sha512.c.nosha224 ./mozilla/security/nss/lib/freebl/sha512.c ---- ./mozilla/security/nss/lib/freebl/sha512.c.nosha224 2011-09-14 10:48:03.000000000 -0700 -+++ ./mozilla/security/nss/lib/freebl/sha512.c 2011-12-04 22:03:47.310609957 -0800 -@@ -544,6 +544,7 @@ void SHA256_Clone(SHA256Context *dest, S - memcpy(dest, src, sizeof *dest); - } - -+#ifndef NO_SHA224_AVAILABLE - /* ============= SHA224 implementation ================================== */ - - 
/* SHA-224 initial hash values */ -@@ -630,7 +631,7 @@ void SHA224_Clone(SHA224Context *dest, S - { - SHA256_Clone(dest, src); - } -- -+#endif - - /* ======= SHA512 and SHA384 common constants and defines ================= */ - -diff -up ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224 ./mozilla/security/nss/lib/softoken/fipstest.c ---- ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224 2011-03-29 08:12:43.000000000 -0700 -+++ ./mozilla/security/nss/lib/softoken/fipstest.c 2011-12-04 22:03:47.311609956 -0800 -@@ -865,12 +865,14 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) - 0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, - 0x5d, 0x0e, 0x1e, 0x11}; - -+#ifndef NO_SHA224_AVAILABLE - /* known SHA224 hmac (28 bytes) */ - static const PRUint8 known_SHA224_hmac[] = { - 0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, - 0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8, - 0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64, - 0x9a, 0xb8, 0x98, 0x4e}; -+#endif - - /* known SHA256 hmac (32 bytes) */ - static const PRUint8 known_SHA256_hmac[] = { -@@ -922,6 +924,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) - /* HMAC SHA-224 Single-Round Known Answer Test. */ - /***************************************************/ - -+#ifndef NO_SHA224_AVAILABLE - hmac_status = sftk_fips_HMAC(hmac_computed, - HMAC_known_secret_key, - HMAC_known_secret_key_length, -@@ -933,6 +936,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) - ( PORT_Memcmp( hmac_computed, known_SHA224_hmac, - SHA224_LENGTH ) != 0 ) ) - return( CKR_DEVICE_ERROR ); -+#endif - - /***************************************************/ - /* HMAC SHA-256 Single-Round Known Answer Test. */ -@@ -994,12 +998,14 @@ sftk_fips_SHA_PowerUpSelfTest( void ) - 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, - 0xe0,0x68,0x47,0x7a}; - -+#ifndef NO_SHA224_AVAILABLE - /* SHA-224 Known Digest Message (224-bits). 
*/ - static const PRUint8 sha224_known_digest[] = { - 0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f, - 0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f, - 0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f, - 0x8e,0x08,0xe5,0xcb}; -+#endif - - /* SHA-256 Known Digest Message (256-bits). */ - static const PRUint8 sha256_known_digest[] = { -@@ -1048,6 +1054,7 @@ sftk_fips_SHA_PowerUpSelfTest( void ) - /* SHA-224 Single-Round Known Answer Hashing Test. */ - /***************************************************/ - -+#ifndef NO_SHA224_AVAILABLE - sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message, - FIPS_KNOWN_HASH_MESSAGE_LENGTH ); - -@@ -1055,6 +1062,7 @@ sftk_fips_SHA_PowerUpSelfTest( void ) - ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, - SHA224_LENGTH ) != 0 ) ) - return( CKR_DEVICE_ERROR ); -+#endif - - /***************************************************/ - /* SHA-256 Single-Round Known Answer Hashing Test. */ -diff -up ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11c.c ---- ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224 2011-09-21 11:49:16.000000000 -0700 -+++ ./mozilla/security/nss/lib/softoken/pkcs11c.c 2011-12-04 22:03:47.313609956 -0800 -@@ -1316,7 +1316,9 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE h - INIT_MECH(CKM_MD2, MD2) - INIT_MECH(CKM_MD5, MD5) - INIT_MECH(CKM_SHA_1, SHA1) -+#ifndef NO_SHA224_AVAILABLE - INIT_MECH(CKM_SHA224, SHA224) -+#endif - INIT_MECH(CKM_SHA256, SHA256) - INIT_MECH(CKM_SHA384, SHA384) - INIT_MECH(CKM_SHA512, SHA512) -@@ -1440,7 +1442,9 @@ sftk_doSub ## mmm(SFTKSessionContext *co - DOSUB(MD2) - DOSUB(MD5) - DOSUB(SHA1) -+#ifndef NO_SHA224_AVAILABLE - DOSUB(SHA224) -+#endif - DOSUB(SHA256) - DOSUB(SHA384) - DOSUB(SHA512) -@@ -2013,7 +2017,9 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSe - INIT_RSA_SIGN_MECH(MD5) - INIT_RSA_SIGN_MECH(MD2) - INIT_RSA_SIGN_MECH(SHA1) -+#ifndef NO_SHA224_AVAILABLE - INIT_RSA_SIGN_MECH(SHA224) -+#endif - INIT_RSA_SIGN_MECH(SHA256) - 
INIT_RSA_SIGN_MECH(SHA384) - INIT_RSA_SIGN_MECH(SHA512) -@@ -2131,7 +2137,9 @@ finish_rsa: - - INIT_HMAC_MECH(MD2) - INIT_HMAC_MECH(MD5) -+#ifndef NO_SHA224_AVAILABLE - INIT_HMAC_MECH(SHA224) -+#endif - INIT_HMAC_MECH(SHA256) - INIT_HMAC_MECH(SHA384) - INIT_HMAC_MECH(SHA512) -@@ -2529,7 +2537,9 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE h - INIT_RSA_VFY_MECH(MD5) - INIT_RSA_VFY_MECH(MD2) - INIT_RSA_VFY_MECH(SHA1) -+#ifndef NO_SHA224_AVAILABLE - INIT_RSA_VFY_MECH(SHA224) -+#endif - INIT_RSA_VFY_MECH(SHA256) - INIT_RSA_VFY_MECH(SHA384) - INIT_RSA_VFY_MECH(SHA512) -@@ -2626,7 +2636,9 @@ finish_rsa: - - INIT_HMAC_MECH(MD2) - INIT_HMAC_MECH(MD5) -+#ifndef NO_SHA224_AVAILABLE - INIT_HMAC_MECH(SHA224) -+#endif - INIT_HMAC_MECH(SHA256) - INIT_HMAC_MECH(SHA384) - INIT_HMAC_MECH(SHA512) -diff -up ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11.c ---- ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224 2011-01-21 16:12:04.000000000 -0800 -+++ ./mozilla/security/nss/lib/softoken/pkcs11.c 2011-12-04 22:03:47.316609956 -0800 -@@ -311,8 +311,10 @@ static const struct mechanismList mechan - CKF_SN_VR}, PR_TRUE}, - {CKM_SHA1_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, - CKF_SN_VR}, PR_TRUE}, -+#ifndef NO_SHA224_AVAILABLE - {CKM_SHA224_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, - CKF_SN_VR}, PR_TRUE}, -+#endif - {CKM_SHA256_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, - CKF_SN_VR}, PR_TRUE}, - {CKM_SHA384_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, -@@ -401,9 +403,11 @@ static const struct mechanismList mechan - {CKM_SHA_1, {0, 0, CKF_DIGEST}, PR_FALSE}, - {CKM_SHA_1_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, - {CKM_SHA_1_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, -+#ifndef NO_SHA224_AVAILABLE - {CKM_SHA224, {0, 0, CKF_DIGEST}, PR_FALSE}, - {CKM_SHA224_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, - {CKM_SHA224_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, -+#endif - {CKM_SHA256, {0, 0, CKF_DIGEST}, PR_FALSE}, - {CKM_SHA256_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, - 
{CKM_SHA256_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, -diff -up ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224 ./mozilla/security/nss/lib/softoken/rsawrapr.c ---- ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224 2011-10-22 07:35:43.000000000 -0700 -+++ ./mozilla/security/nss/lib/softoken/rsawrapr.c 2011-12-04 22:03:47.316609956 -0800 -@@ -1173,9 +1173,11 @@ GetHashTypeFromMechanism(CK_MECHANISM_TY - case CKM_SHA_1: - case CKG_MGF1_SHA1: - return HASH_AlgSHA1; -+#ifndef NO_SHA224_AVAILABLE - case CKM_SHA224: - case CKG_MGF1_SHA224: - return HASH_AlgSHA224; -+#endif - case CKM_SHA256: - case CKG_MGF1_SHA256: - return HASH_AlgSHA256; + #EXTRA_SHARED_LIBS += \ + # -L/usr/lib \ + # -lposix4 \ diff -up ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224 ./mozilla/security/nss/tests/cipher/cipher.txt --- ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224 2010-08-17 22:57:05.000000000 -0700 +++ ./mozilla/security/nss/tests/cipher/cipher.txt 2011-12-04 22:03:47.317609956 -0800 diff --git a/nss.spec b/nss.spec index 954ec76..d6b9646 100644 --- a/nss.spec +++ b/nss.spec @@ -7,7 +7,7 @@ Summary: Network Security Services Name: nss Version: 3.13.1 -Release: 6%{?dist} +Release: 7%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -574,6 +574,12 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7 +- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS +- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y +- Only patch blapitest for the lack of sha224 on system freebl +- Completed the patch to make pem link against system freebl + * Mon Dec 05 2011 Elio Maldonado - 3.13.1-6 - Removed unwanted /usr/include/nss3 in front of the normal cflags include path - Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible 
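Review bot: The `CFLAGS+=-DNO_SHA224_AVAILABLE` added to cmd/bltest/Makefile is unconditional, whereas the Linux.mk block this commit removes only set it under `ifdef NO_SHA224_AVAILABLE`; hard-wiring the define means bltest's SHA-224 known-answer paths stay compiled out even on a host whose freebl/softokn does provide SHA224, so that digest is silently never exercised by the test tool. If the intent is to track the installed softokn rather than assume 3.12 forever, keep the guard around the define — `ifdef NO_SHA224_AVAILABLE` / `CFLAGS += -DNO_SHA224_AVAILABLE` / `endif` — and have the spec set the variable. The added comment also carries the typo `avilable` (should be `available`). The hunk is mostly the removal of the old per-file guards, so this applies only to its added Makefile lines.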
diff --git a/nsspem-use-system-freebl.patch b/nsspem-use-system-freebl.patch
index 6bcd9d6..f85fa3e 100644
--- a/nsspem-use-system-freebl.patch
+++ b/nsspem-use-system-freebl.patch
@@ -11,3 +11,83 @@ diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/cor
 # The -rpath '$$ORIGIN' linker option instructs this library to search for its
 # dependencies in the same directory where it resides.
 ifeq ($(BUILD_SUN_PKG), 1)
+diff -up ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras ./mozilla/security/nss/lib/ckfw/pem/config.mk
+--- ./mozilla/security/nss/lib/ckfw/pem/config.mk.extras 2010-11-25 10:01:17.000000000 -0800
++++ ./mozilla/security/nss/lib/ckfw/pem/config.mk 2011-06-21 18:20:04.484985568 -0700
+@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
+ # are specifed as dependencies within rules.mk.
+ #
+ 
++
++EXTRA_LIBS += \
++ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
++ $(NULL)
++
+ TARGETS = $(SHARED_LIBRARY)
+ LIBRARY =
+ IMPORT_LIBRARY =
+@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
+ MKSHLIB += -R '$$ORIGIN'
+ endif
+ 
++# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
++# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_NSSUTIL
++OS_LIBS += $(NSSUTIL_LIBS)
++else
++NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(NSSUTIL_LIBS)
++endif
++# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
++# FREEBL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_FREEBL
++OS_LIBS += $(FREEBL_LIBS)
++else
++FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(FREEBL_LIBS)
++endif
++
+diff -up ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras ./mozilla/security/nss/lib/ckfw/pem/Makefile
+--- ./mozilla/security/nss/lib/ckfw/pem/Makefile.extras 2010-11-25 10:01:17.000000000 -0800
++++ ./mozilla/security/nss/lib/ckfw/pem/Makefile 2011-06-21 18:25:25.959136920 -0700
+@@ -43,8 +43,7 @@ include config.mk
+ EXTRA_LIBS = \
+ $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
++ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+ 
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+@@ -56,6 +55,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3
+ $(NULL)
+ else
+ EXTRA_SHARED_LIBS += \
+@@ -74,6 +76,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3 \
+ $(NULL)
+ endif
+ 
+diff -up ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras ./mozilla/security/nss/lib/ckfw/pem/manifest.mn
+--- ./mozilla/security/nss/lib/ckfw/pem/manifest.mn.extras 2010-11-25 10:01:17.000000000 -0800
++++ ./mozilla/security/nss/lib/ckfw/pem/manifest.mn 2011-06-21 18:20:04.485985661 -0700
+@@ -65,4 +65,4 @@ REQUIRES = nspr
+ 
+ LIBRARY_NAME = nsspem
+ 
+-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
++EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
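Review bot: In the `@@ -56,6 +55,9 @@` block of pem/Makefile the added `-lfreebl3` has no trailing `\`, so the continuation ends there and the `$(NULL)` that follows becomes a stray tab-indented line, while the parallel `@@ -74,6 +76,9 @@` block keeps `-lfreebl3 \`; GNU make happens to ignore the empty expansion, but the two blocks should agree: `	-lfreebl3 \`. The new comment above `ifdef USE_SYSTEM_FREEBL` in config.mk says "linker command-line arguments for the system nssutil" where it means freebl — a copy-paste slip in the very block that decides whether pem links the host's freebl, which is the point of the bug being fixed. pem/Makefile still opens with `EXTRA_LIBS = \` after `include config.mk` (per the hunk's function context), which appears to discard the `EXTRA_LIBS +=` additions config.mk gains in this patch; if so the `$(SOFTOKEN_LIB_DIR)` freebl line and the non-system fallbacks are dead and only the Makefile's own list takes effect. Four different directory variables — `$(SOFTOKEN_LIB_DIR)`, `$(FREEBL_LIB_DIR)`, `$(NSSUTIL_LIB_DIR)`, `$(NSS_LIB_DIR)` — are consumed across config.mk, Makefile and manifest.mn and none is defined here, so the link depends entirely on the spec exporting every one of them; a short comment naming where they are expected to come from would help the next packager.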