rpms/nss
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to NSS_3_14_2_RTM

Browse Source 
- Update the minimum requred versiobs of nspr, nss-util, and nss-softokn
- Remove patch obsoleted by the update and update others
- Restore missing second half of the cbc random iv by default patch
- Restore the freebl tests patch until we build without nsssoftoken
This commit is contained in:
Elio Maldonado 2013-02-01 11:24:15 -08:00
parent ca00551ea7
commit 830ee96f85
6 changed files with 38 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -6,4 +6,4 @@ blank-key4.db
PayPalEE.cert
/nss-pem-20120811.tar.bz2
/dummy-sources-for-testing
/nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2
/nss-3.14.2-stripped.tar.bz2

168
0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
View File

@ -1,168 +0,0 @@
diff -up ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 ./mozilla/security/nss/cmd/certcgi/ca_form.html
--- ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 2012-03-20 07:46:53.000000000 -0700
+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html 2012-11-19 21:32:32.568415831 -0800
@@ -167,6 +167,7 @@
<input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
<input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
<input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
</tr>
<tr>
<td>
diff -up ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 ./mozilla/security/nss/cmd/certcgi/certcgi.c
--- ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 2012-04-29 05:52:04.000000000 -0700
+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c 2012-11-19 21:32:32.569415846 -0800
@@ -21,6 +21,7 @@
#include "pk11pqg.h"
#include "certxutl.h"
#include "nss.h"
+#include "secutil.h"
/* #define TEST 1 */
@@ -33,6 +34,8 @@
static char *progName;
+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
+
typedef struct PairStr Pair;
struct PairStr {
@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da
if( SECSuccess != rv ) goto loser;
}
+ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) {
+ SECU_RegisterDynamicOids();
+ }
+
if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) {
rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH);
if( SECSuccess != rv ) goto loser;
diff -up ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html
--- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 2012-03-20 07:46:53.000000000 -0700
+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 2012-11-19 21:32:32.570415861 -0800
@@ -34,6 +34,7 @@
<input type="checkbox" name="extKeyUsage-timeStamp"> Timestamp</P>
<input type="checkbox" name="extKeyUsage-ocspResponder"> OCSP Responder</P>
<input type="checkbox" name="extKeyUsage-NS-govtApproved"> Step-up</P>
+ <input type="checkbox" name="extKeyUsage-msCodeSign"> Microsoft Code Signing</P>
</tr>
<tr>
<td>
diff -up ./mozilla/security/nss/cmd/certutil/certext.c.870864 ./mozilla/security/nss/cmd/certutil/certext.c
--- ./mozilla/security/nss/cmd/certutil/certext.c.870864 2012-03-20 07:46:54.000000000 -0700
+++ ./mozilla/security/nss/cmd/certutil/certext.c 2012-11-19 21:32:32.571415876 -0800
@@ -18,6 +18,9 @@
#endif
#include "secutil.h"
+/* #include "secoidt.h" */ /* For when we update nss */
+
+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
#if defined(XP_UNIX)
#include <unistd.h>
@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut
"timeStamp",
"ocspResponder",
"stepUp",
+ "msCodeSigning",
NULL};
static SECStatus
@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c
case 6:
rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED);
break;
+ case 7:
+ rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING);
+ break;
default:
goto endloop;
}
diff -up ./mozilla/security/nss/cmd/certutil/certutil.c.870864 ./mozilla/security/nss/cmd/certutil/certutil.c
--- ./mozilla/security/nss/cmd/certutil/certutil.c.870864 2012-03-20 07:46:54.000000000 -0700
+++ ./mozilla/security/nss/cmd/certutil/certutil.c 2012-11-19 21:32:32.573415906 -0800
@@ -46,6 +46,8 @@
char *progName;
+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING;
+
static CERTCertificateRequest *
GetCertRequest(PRFileDesc *inFile, PRBool ascii)
{
@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con
"%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n"
"%-20s \"stepUp\", \"critical\"\n",
" -6 | --extKeyUsage keyword,keyword,...", "", "", "", "");
+ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n",
FPS "%-20s Create an email subject alt name extension\n",
" -7 emailAddrs");
FPS "%-20s Create an dns subject alt name extension\n",
diff -up ./mozilla/security/nss/cmd/lib/moreoids.c.870864 ./mozilla/security/nss/cmd/lib/moreoids.c
--- ./mozilla/security/nss/cmd/lib/moreoids.c.870864 2012-03-20 07:46:59.000000000 -0700
+++ ./mozilla/security/nss/cmd/lib/moreoids.c 2012-11-19 21:36:23.782925556 -0800
@@ -41,6 +41,18 @@ OIDT mKPSCL[] = { MICROSOFT, 20, 2, 2 }
OIDT mNTPN [] = { MICROSOFT, 20, 2, 3 }; /* NT Principal Name */
OIDT mCASRV[] = { MICROSOFT, 21, 1 }; /* CertServ CA version */
+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) }
+
+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN;
+/* { 1.3.6.1.4.1.311 } */
+static const unsigned char msExtendedKeyUsageCodeSigning[] =
+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 };
+
+static const SECOidData microsoftAuthenticodeSigning_Entry =
+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN,
+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM,
+ INVALID_CERT_EXTENSION };
+
/* AOL OIDs (1 3 6 1 4 1 1066 ... ) */
#define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A
@@ -127,6 +139,18 @@ static const SECOidData oids[] = {
static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]);
+/* register the oid if we haven't already */
+void
+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src)
+{
+ if (*data == SEC_OID_UNKNOWN) {
+ /* AddEntry does the right thing if someone else has already
+ * added the oid. (that is return that oid tag) */
+ *data = SECOID_AddEntry(src);
+ }
+}
+
+
SECStatus
SECU_RegisterDynamicOids(void)
{
@@ -144,5 +168,10 @@ SECU_RegisterDynamicOids(void)
#endif
}
}
+
+ /* Fetch and register the oid on behalf of the tools. */
+ SECU_cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING,
+ &microsoftAuthenticodeSigning_Entry);
+
return rv;
}
diff -up ./mozilla/security/nss/cmd/lib/secutil.h.870864 ./mozilla/security/nss/cmd/lib/secutil.h
--- ./mozilla/security/nss/cmd/lib/secutil.h.870864 2012-09-27 10:13:33.000000000 -0700
+++ ./mozilla/security/nss/cmd/lib/secutil.h 2012-11-19 21:32:32.575415936 -0800
@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o
extern char *SECU_SECModDBName(void);
+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src);
+
extern SECStatus SECU_RegisterDynamicOids(void);
/* Identifies hash algorithm tag by its string representation. */

9
nss-3.14.0.0-disble-ocsp-test.patch
View File

@ -1,9 +1,10 @@
diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test 2012-10-12 09:30:07.264987000 -0700
+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2012-10-12 09:34:55.653123000 -0700
@@ -49,5 +49,4 @@ bridgewithpolicyextensionandmapping.cfg
diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios
--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest 2013-01-06 19:56:15.000000000 -0800
+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2013-02-01 08:38:28.140615299 -0800
@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg

19
nss-ssl-cbc-random-iv-off-by-default.patch
View File

@ -1,6 +1,6 @@
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.770682 2012-11-01 11:10:54.107504267 -0700
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-11-01 11:07:36.758464814 -0700
diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c
--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-02-01 10:14:36.960458329 -0800
+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2013-02-01 10:17:16.532265855 -0800
@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = {
3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
@ -10,3 +10,16 @@ diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/
};
/*
@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void)
PR_TRUE));
}
ev = getenv("NSS_SSL_CBC_RANDOM_IV");
- if (ev && ev[0] == '0') {
- ssl_defaults.cbcRandomIV = PR_FALSE;
- SSL_TRACE(("SSL: cbcRandomIV set to 0"));
+ if (ev && ev[0] == '1') {
+ ssl_defaults.cbcRandomIV = PR_TRUE;
+ SSL_TRACE(("SSL: cbcRandomIV set to 1"));
}
}
#endif /* NSS_HAVE_GETENV */

30
nss.spec
View File

@ -1,17 +1,17 @@
%global nspr_version 4.9.4
%global nss_util_version 3.14
%global nspr_version 4.9.5
%global nss_util_version 3.14.2
%global nss_softokn_fips_version 3.12.9
%global nss_softokn_version 3.14
%global nss_softokn_version 3.14.2
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
# Define if using a source archive like "nss-version.with.ckbi.version".
# To "disable", add "#" to start of line, AND a space after "%".
%define nss_ckbi_suffix .with.ckbi.1.93
#% define nss_ckbi_suffix .with.ckbi.1.93
Summary: Network Security Services
Name: nss
Version: 3.14.1
Release: 3%{?dist}
Version: 3.14.2
Release: 1%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
@ -68,7 +68,7 @@ Patch6: nss-enable-pem.patch
Patch16: nss-539183.patch
Patch18: nss-646045.patch
# must statically link pem against the freebl in the buildroot
# Needed only when freebl on tree has newe APIS
# Needed only when freebl on tree has new APIS
Patch25: nsspem-use-system-freebl.patch
# This patch is currently meant for stable branches
Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
@ -76,10 +76,8 @@ Patch29: nss-ssl-cbc-random-iv-off-by-default.patch
Patch39: nss-ssl-enforce-no-pkcs11-bypass.path
# TODO: Remove this patch when the ocsp test are fixed
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890
Patch42: 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919
# Keeping it disabled until further view upstream
Patch43: no-softoken-freebl-tests.patch
%description
@ -161,11 +159,10 @@ low level services.
# link pem against buildroot's freebl, essential when mixing and matching
%patch25 -p0 -b .systemfreebl
# activate for stable and beta branches
#%patch29 -p0 -b .770682
#%patch29 -p0 -b .cbcrandomivoff
%patch39 -p1 -b .nobypass
%patch40 -p1 -b .noocsptest
%patch42 -p0 -b .870864
%patch43 -p0 -b .nosoftokentests
#%patch40 -p1 -b .noocsptest
#%patch43 -p0 -b .nosoftokentests
%build
@ -611,6 +608,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
%changelog
* Fri Feb 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.2-1
- Update to NSS_3_14_2_RTM
* Wed Jan 02 2013 Kai Engert <kaie@redhat.com> - 3.14.1-3
- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM

2
sources
View File

@ -6,4 +6,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert
2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2
0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing
331910e63d3ff5ff3acb845ba44dcf56 nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2
828c6949bd348684b15237f8796f54c1 nss-3.14.2-stripped.tar.bz2