From 830ee96f85b9db9e685925b5f7aeb9fecaa99322 Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Fri, 1 Feb 2013 11:24:15 -0800 Subject: [PATCH] Update to NSS_3_14_2_RTM - Update the minimum requred versiobs of nspr, nss-util, and nss-softokn - Remove patch obsoleted by the update and update others - Restore missing second half of the cbc random iv by default patch - Restore the freebl tests patch until we build without nsssoftoken --- .gitignore | 2 +- ...-usage-for-MS-Authenticode-Code-Sign.patch | 168 ------------------ nss-3.14.0.0-disble-ocsp-test.patch | 9 +- nss-ssl-cbc-random-iv-off-by-default.patch | 19 +- nss.spec | 30 ++-- sources | 2 +- 6 files changed, 38 insertions(+), 192 deletions(-) delete mode 100644 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch diff --git a/.gitignore b/.gitignore index 6c7c806..ecfc729 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,4 @@ blank-key4.db PayPalEE.cert /nss-pem-20120811.tar.bz2 /dummy-sources-for-testing -/nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2 +/nss-3.14.2-stripped.tar.bz2 diff --git a/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch b/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch deleted file mode 100644 index d3a3ac6..0000000 --- a/0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch +++ /dev/null @@ -1,168 +0,0 @@ -diff -up ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 ./mozilla/security/nss/cmd/certcgi/ca_form.html ---- ./mozilla/security/nss/cmd/certcgi/ca_form.html.870864 2012-03-20 07:46:53.000000000 -0700 -+++ ./mozilla/security/nss/cmd/certcgi/ca_form.html 2012-11-19 21:32:32.568415831 -0800 -@@ -167,6 +167,7 @@ - Timestamp

- OCSP Responder

- Step-up

-+ Microsoft Code Signing

- - - -diff -up ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 ./mozilla/security/nss/cmd/certcgi/certcgi.c ---- ./mozilla/security/nss/cmd/certcgi/certcgi.c.870864 2012-04-29 05:52:04.000000000 -0700 -+++ ./mozilla/security/nss/cmd/certcgi/certcgi.c 2012-11-19 21:32:32.569415846 -0800 -@@ -21,6 +21,7 @@ - #include "pk11pqg.h" - #include "certxutl.h" - #include "nss.h" -+#include "secutil.h" - - - /* #define TEST 1 */ -@@ -33,6 +34,8 @@ - - static char *progName; - -+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING; -+ - typedef struct PairStr Pair; - - struct PairStr { -@@ -819,6 +822,10 @@ AddExtKeyUsage(void *extHandle, Pair *da - if( SECSuccess != rv ) goto loser; - } - -+ if( find_field_bool(data, "extKeyUsage-msCodeSign", PR_TRUE) ) { -+ SECU_RegisterDynamicOids(); -+ } -+ - if( find_field_bool(data, "extKeyUsage-clientAuth", PR_TRUE) ) { - rv = AddOidToSequence(os, SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH); - if( SECSuccess != rv ) goto loser; -diff -up ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html ---- ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html.870864 2012-03-20 07:46:53.000000000 -0700 -+++ ./mozilla/security/nss/cmd/certcgi/stnd_ext_form.html 2012-11-19 21:32:32.570415861 -0800 -@@ -34,6 +34,7 @@ - Timestamp

- OCSP Responder

- Step-up

-+ Microsoft Code Signing

- - - -diff -up ./mozilla/security/nss/cmd/certutil/certext.c.870864 ./mozilla/security/nss/cmd/certutil/certext.c ---- ./mozilla/security/nss/cmd/certutil/certext.c.870864 2012-03-20 07:46:54.000000000 -0700 -+++ ./mozilla/security/nss/cmd/certutil/certext.c 2012-11-19 21:32:32.571415876 -0800 -@@ -18,6 +18,9 @@ - #endif - - #include "secutil.h" -+/* #include "secoidt.h" */ /* For when we update nss */ -+ -+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING; - - #if defined(XP_UNIX) - #include -@@ -483,6 +486,7 @@ extKeyUsageKeyWordArray[] = { "serverAut - "timeStamp", - "ocspResponder", - "stepUp", -+ "msCodeSigning", - NULL}; - - static SECStatus -@@ -554,6 +558,9 @@ AddExtKeyUsage (void *extHandle, const c - case 6: - rv = AddOidToSequence(os, SEC_OID_NS_KEY_USAGE_GOVT_APPROVED); - break; -+ case 7: -+ rv = AddOidToSequence(os, szOID_KP_CTL_USAGE_SIGNING); -+ break; - default: - goto endloop; - } -diff -up ./mozilla/security/nss/cmd/certutil/certutil.c.870864 ./mozilla/security/nss/cmd/certutil/certutil.c ---- ./mozilla/security/nss/cmd/certutil/certutil.c.870864 2012-03-20 07:46:54.000000000 -0700 -+++ ./mozilla/security/nss/cmd/certutil/certutil.c 2012-11-19 21:32:32.573415906 -0800 -@@ -46,6 +46,8 @@ - - char *progName; - -+extern SECOidTag szOID_KP_CTL_USAGE_SIGNING; -+ - static CERTCertificateRequest * - GetCertRequest(PRFileDesc *inFile, PRBool ascii) - { -@@ -1145,6 +1147,7 @@ static void luC(enum usage_level ul, con - "%-20s \"emailProtection\", \"timeStamp\",\"ocspResponder\",\n" - "%-20s \"stepUp\", \"critical\"\n", - " -6 | --extKeyUsage keyword,keyword,...", "", "", "", ""); -+ "%-20s \"stepUp\", \"msCodeSign\", \"critical\"\n", - FPS "%-20s Create an email subject alt name extension\n", - " -7 emailAddrs"); - FPS "%-20s Create an dns subject alt name extension\n", -diff -up ./mozilla/security/nss/cmd/lib/moreoids.c.870864 ./mozilla/security/nss/cmd/lib/moreoids.c ---- ./mozilla/security/nss/cmd/lib/moreoids.c.870864 2012-03-20 07:46:59.000000000 -0700 -+++ ./mozilla/security/nss/cmd/lib/moreoids.c 2012-11-19 21:36:23.782925556 -0800 -@@ -41,6 +41,18 @@ OIDT mKPSCL[] = { MICROSOFT, 20, 2, 2 } - OIDT mNTPN [] = { MICROSOFT, 20, 2, 3 }; /* NT Principal Name */ - OIDT mCASRV[] = { MICROSOFT, 21, 1 }; /* CertServ CA version */ - -+#define _TO_ITEM(x) {siDEROID, (unsigned char *)(x), sizeof(x) } -+ -+SECOidTag szOID_KP_CTL_USAGE_SIGNING = SEC_OID_UNKNOWN; -+/* { 1.3.6.1.4.1.311 } */ -+static const unsigned char msExtendedKeyUsageCodeSigning[] = -+ { 0x2b, 0x6, 0x1, 0x4, 0x1, 0x82, 0x37, 0xa, 3, 1 }; -+ -+static const SECOidData microsoftAuthenticodeSigning_Entry = -+ { _TO_ITEM(msExtendedKeyUsageCodeSigning), SEC_OID_UNKNOWN, -+ "Microsoft Authenticode Signing", CKM_INVALID_MECHANISM, -+ INVALID_CERT_EXTENSION }; -+ - /* AOL OIDs (1 3 6 1 4 1 1066 ... ) */ - #define AOL 0x2B, 0x06, 0x01, 0x04, 0x01, 0x88, 0x2A - -@@ -127,6 +139,18 @@ static const SECOidData oids[] = { - - static const unsigned int numOids = (sizeof oids) / (sizeof oids[0]); - -+/* register the oid if we haven't already */ -+void -+SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src) -+{ -+ if (*data == SEC_OID_UNKNOWN) { -+ /* AddEntry does the right thing if someone else has already -+ * added the oid. (that is return that oid tag) */ -+ *data = SECOID_AddEntry(src); -+ } -+} -+ -+ - SECStatus - SECU_RegisterDynamicOids(void) - { -@@ -144,5 +168,10 @@ SECU_RegisterDynamicOids(void) - #endif - } - } -+ -+ /* Fetch and register the oid on behalf of the tools. */ -+ SECU_cert_fetchOID(&szOID_KP_CTL_USAGE_SIGNING, -+ µsoftAuthenticodeSigning_Entry); -+ - return rv; - } -diff -up ./mozilla/security/nss/cmd/lib/secutil.h.870864 ./mozilla/security/nss/cmd/lib/secutil.h ---- ./mozilla/security/nss/cmd/lib/secutil.h.870864 2012-09-27 10:13:33.000000000 -0700 -+++ ./mozilla/security/nss/cmd/lib/secutil.h 2012-11-19 21:32:32.575415936 -0800 -@@ -293,6 +293,8 @@ extern SECStatus DER_PrettyPrint(FILE *o - - extern char *SECU_SECModDBName(void); - -+extern void SECU_cert_fetchOID(SECOidTag *data, const SECOidData *src); -+ - extern SECStatus SECU_RegisterDynamicOids(void); - - /* Identifies hash algorithm tag by its string representation. */ diff --git a/nss-3.14.0.0-disble-ocsp-test.patch b/nss-3.14.0.0-disble-ocsp-test.patch index df4e692..393d3ab 100644 --- a/nss-3.14.0.0-disble-ocsp-test.patch +++ b/nss-3.14.0.0-disble-ocsp-test.patch @@ -1,9 +1,10 @@ -diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test ./mozilla/security/nss/tests/chains/scenarios/scenarios ---- ./mozilla/security/nss/tests/chains/scenarios/scenarios.disable_ocsp_test 2012-10-12 09:30:07.264987000 -0700 -+++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2012-10-12 09:34:55.653123000 -0700 -@@ -49,5 +49,4 @@ bridgewithpolicyextensionandmapping.cfg +diff -up ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest ./mozilla/security/nss/tests/chains/scenarios/scenarios +--- ./mozilla/security/nss/tests/chains/scenarios/scenarios.noocsptest 2013-01-06 19:56:15.000000000 -0800 ++++ ./mozilla/security/nss/tests/chains/scenarios/scenarios 2013-02-01 08:38:28.140615299 -0800 +@@ -50,6 +50,5 @@ bridgewithpolicyextensionandmapping.cfg realcerts.cfg dsa.cfg revoc.cfg -ocsp.cfg crldp.cfg + trustanchors.cfg diff --git a/nss-ssl-cbc-random-iv-off-by-default.patch b/nss-ssl-cbc-random-iv-off-by-default.patch index 2678580..8b0f73c 100644 --- a/nss-ssl-cbc-random-iv-off-by-default.patch +++ b/nss-ssl-cbc-random-iv-off-by-default.patch @@ -1,6 +1,6 @@ -diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/lib/ssl/sslsock.c ---- ./mozilla/security/nss/lib/ssl/sslsock.c.770682 2012-11-01 11:10:54.107504267 -0700 -+++ ./mozilla/security/nss/lib/ssl/sslsock.c 2012-11-01 11:07:36.758464814 -0700 +diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff ./mozilla/security/nss/lib/ssl/sslsock.c +--- ./mozilla/security/nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-02-01 10:14:36.960458329 -0800 ++++ ./mozilla/security/nss/lib/ssl/sslsock.c 2013-02-01 10:17:16.532265855 -0800 @@ -153,7 +153,7 @@ static sslOptions ssl_defaults = { 3, /* enableRenegotiation (default: transitional) */ PR_FALSE, /* requireSafeNegotiation */ @@ -10,3 +10,16 @@ diff -up ./mozilla/security/nss/lib/ssl/sslsock.c.770682 ./mozilla/security/nss/ }; /* +@@ -2837,9 +2837,9 @@ ssl_SetDefaultsFromEnvironment(void) + PR_TRUE)); + } + ev = getenv("NSS_SSL_CBC_RANDOM_IV"); +- if (ev && ev[0] == '0') { +- ssl_defaults.cbcRandomIV = PR_FALSE; +- SSL_TRACE(("SSL: cbcRandomIV set to 0")); ++ if (ev && ev[0] == '1') { ++ ssl_defaults.cbcRandomIV = PR_TRUE; ++ SSL_TRACE(("SSL: cbcRandomIV set to 1")); + } + } + #endif /* NSS_HAVE_GETENV */ diff --git a/nss.spec b/nss.spec index 1862906..cdb5193 100644 --- a/nss.spec +++ b/nss.spec @@ -1,17 +1,17 @@ -%global nspr_version 4.9.4 -%global nss_util_version 3.14 +%global nspr_version 4.9.5 +%global nss_util_version 3.14.2 %global nss_softokn_fips_version 3.12.9 -%global nss_softokn_version 3.14 +%global nss_softokn_version 3.14.2 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools # Define if using a source archive like "nss-version.with.ckbi.version". # To "disable", add "#" to start of line, AND a space after "%". -%define nss_ckbi_suffix .with.ckbi.1.93 +#% define nss_ckbi_suffix .with.ckbi.1.93 Summary: Network Security Services Name: nss -Version: 3.14.1 -Release: 3%{?dist} +Version: 3.14.2 +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -68,7 +68,7 @@ Patch6: nss-enable-pem.patch Patch16: nss-539183.patch Patch18: nss-646045.patch # must statically link pem against the freebl in the buildroot -# Needed only when freebl on tree has newe APIS +# Needed only when freebl on tree has new APIS Patch25: nsspem-use-system-freebl.patch # This patch is currently meant for stable branches Patch29: nss-ssl-cbc-random-iv-off-by-default.patch @@ -76,10 +76,8 @@ Patch29: nss-ssl-cbc-random-iv-off-by-default.patch Patch39: nss-ssl-enforce-no-pkcs11-bypass.path # TODO: Remove this patch when the ocsp test are fixed Patch40: nss-3.14.0.0-disble-ocsp-test.patch - -# upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=807890 -Patch42: 0001-Add-extended-key-usage-for-MS-Authenticode-Code-Sign.patch - +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919 +# Keeping it disabled until further view upstream Patch43: no-softoken-freebl-tests.patch %description @@ -161,11 +159,10 @@ low level services. # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl # activate for stable and beta branches -#%patch29 -p0 -b .770682 +#%patch29 -p0 -b .cbcrandomivoff %patch39 -p1 -b .nobypass -%patch40 -p1 -b .noocsptest -%patch42 -p0 -b .870864 -%patch43 -p0 -b .nosoftokentests +#%patch40 -p1 -b .noocsptest +#%patch43 -p0 -b .nosoftokentests %build @@ -611,6 +608,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + * Wed Jan 02 2013 Kai Engert - 3.14.1-3 - Update to NSS_3_14_1_WITH_CKBI_1_93_RTM diff --git a/sources b/sources index fa53974..d9ecc95 100644 --- a/sources +++ b/sources @@ -6,4 +6,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db bf47cecad861efa77d1488ad4a73cb5b PayPalEE.cert 2a06bf7b815d1a666cc3587b895506ce nss-pem-20120811.tar.bz2 0be54f196b5da7e9008eb13a71bc2cb0 dummy-sources-for-testing -331910e63d3ff5ff3acb845ba44dcf56 nss-3.14.1.with.ckbi.1.93-stripped.tar.bz2 +828c6949bd348684b15237f8796f54c1 nss-3.14.2-stripped.tar.bz2