From 74b268dbd97ef78636af3b307d9893d36a4a78eb Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Fri, 10 Jan 2020 10:35:28 +0100 Subject: [PATCH] Update to NSS 3.49 --- .gitignore | 1 + nss-3.47-certdb-temp-cert.patch | 63 --------------------------------- nss.spec | 7 ++-- sources | 2 +- 4 files changed, 6 insertions(+), 67 deletions(-) delete mode 100644 nss-3.47-certdb-temp-cert.patch diff --git a/.gitignore b/.gitignore index 7b095ce..0f864ee 100644 --- a/.gitignore +++ b/.gitignore @@ -43,3 +43,4 @@ TestUser51.cert /nss-3.47.tar.gz /nss-3.47.1.tar.gz /nss-3.48.tar.gz +/nss-3.49.tar.gz diff --git a/nss-3.47-certdb-temp-cert.patch b/nss-3.47-certdb-temp-cert.patch deleted file mode 100644 index 0c37c0f..0000000 --- a/nss-3.47-certdb-temp-cert.patch +++ /dev/null @@ -1,63 +0,0 @@ -# HG changeset patch -# User Daiki Ueno -# Date 1575450841 -3600 -# Wed Dec 04 10:14:01 2019 +0100 -# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2 -# Parent d64102b76a437f24d98a20480dcc9f1655143e7c -Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards - -Summary: -When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs. - -This change makes it properly roll up the trust information, if a temp cert doesn't have trust information. - -Reviewers: rrelyea, keeler - -Reviewed By: rrelyea - -Subscribers: reviewbot, heftig - -Bug #: 1593167 - -Differential Revision: https://phabricator.services.mozilla.com/D54726 - -diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c ---- a/lib/pki/pki3hack.c -+++ b/lib/pki/pki3hack.c -@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate * - } - if (!cc->nssCertificate || forceUpdate) { - fill_CERTCertificateFields(c, cc, forceUpdate); -- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess && -- !c->object.cryptoContext) { -- /* if it's a perm cert, it might have been stored before the -- * trust, so look for the trust again. But a temp cert can be -- * ignored. -- */ -- CERTCertTrust *trust = NULL; -- trust = nssTrust_GetCERTCertTrustForCert(c, cc); -+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) { -+ CERTCertTrust *trust; -+ if (!c->object.cryptoContext) { -+ /* If it's a perm cert, it might have been stored before the -+ * trust, so look for the trust again. -+ */ -+ trust = nssTrust_GetCERTCertTrustForCert(c, cc); -+ } else { -+ /* If it's a temp cert, it might have been stored before the -+ * builtin trust module is loaded, so look for the trust -+ * again, but don't set the empty trust if it is not found. -+ */ -+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c); -+ if (!t) { -+ goto loser; -+ } -+ trust = cert_trust_from_stan_trust(t, cc->arena); -+ nssTrust_Destroy(t); -+ if (!trust) { -+ goto loser; -+ } -+ } - - CERT_LockCertTrust(cc); - cc->trust = trust; diff --git a/nss.spec b/nss.spec index 45e5490..8a7a756 100644 --- a/nss.spec +++ b/nss.spec @@ -1,5 +1,5 @@ %global nspr_version 4.24.0 -%global nss_version 3.48.0 +%global nss_version 3.49.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global saved_files_dir %{_libdir}/nss/saved %global dracutlibdir %{_prefix}/lib/dracut @@ -107,8 +107,6 @@ Patch2: nss-539183.patch Patch4: iquote.patch # add missing ike mechanism to softoken Patch10: nss-3.47-ike-fix.patch -# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167 -Patch11: nss-3.47-certdb-temp-cert.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -874,6 +872,9 @@ update-crypto-policies &> /dev/null || : %changelog +* Fri Jan 10 2020 Daiki Ueno - 3.49.0-1 +- Update to NSS 3.49 + * Fri Jan 3 2020 Daiki Ueno - 3.48.0-1 - Update to NSS 3.48 diff --git a/sources b/sources index 2e36a5d..b9615c6 100644 --- a/sources +++ b/sources @@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310 -SHA512 (nss-3.48.tar.gz) = 71aefe323501dd8d750ed36606554f2e67ecb2bca85b55bc798d5dfc3a47f3d454348ca950971aaaafb16f6d847c098d2b1c40d40b50380e0c2540ed1b9a9e9a +SHA512 (nss-3.49.tar.gz) = 7d8df73a2e585585a7cb3f887af3f933854984479531b3dd30316873bdd92c130e2fadb54e7b3b1f0b10675b1bce09112ef39860d74ef6f0df7b57bf430bd072