From 962a77507e2b51bc9c3c5c786228139d57f1edcf Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 1 Mar 2022 06:27:23 -0500
Subject: [PATCH] import nss-3.71.0-7.el9

---
 .gitignore | 4 +-
 .nss.metadata | 4 +-
 SOURCES/cert8.db.xml | 59 -----
 SOURCES/key3.db.xml | 59 -----
 SOURCES/nss-3.71-camellia-pkcs12-doc.patch | 20 ++
 SOURCES/nss-3.71-fix-lto-gtests.patch | 36 +++
 SOURCES/nss-3.75-fix-pkcs12-passwords.patch | 257 ++++++++++++++++++++
 SOURCES/secmod.db.xml | 63 -----
 SPECS/nss.spec | 60 ++++-
 9 files changed, 362 insertions(+), 200 deletions(-)
 delete mode 100644 SOURCES/cert8.db.xml
 delete mode 100644 SOURCES/key3.db.xml
 create mode 100644 SOURCES/nss-3.71-camellia-pkcs12-doc.patch
 create mode 100644 SOURCES/nss-3.71-fix-lto-gtests.patch
 create mode 100644 SOURCES/nss-3.75-fix-pkcs12-passwords.patch
 delete mode 100644 SOURCES/secmod.db.xml

diff --git a/.gitignore b/.gitignore
index 7c7da43..d651e6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,5 @@
-SOURCES/blank-cert8.db
+SOURCES/PayPalEE.cert
 SOURCES/blank-cert9.db
-SOURCES/blank-key3.db
 SOURCES/blank-key4.db
-SOURCES/blank-secmod.db
 SOURCES/nspr-4.32.tar.gz
 SOURCES/nss-3.71.tar.gz
diff --git a/.nss.metadata b/.nss.metadata
index 345574c..2aedeb3 100644
--- a/.nss.metadata
+++ b/.nss.metadata
@@ -1,7 +1,5 @@
-d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db
+5c92efcd23ae5dc57c4f0a3903d662365bca008c SOURCES/PayPalEE.cert
 b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
-7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db
 f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
-bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db
 28e05ef5cbe6e7cde239d3cdcccabf571ec73f69 SOURCES/nspr-4.32.tar.gz
 b60e3e0a2765d4009347e08dc9792a4dc4aded03 SOURCES/nss-3.71.tar.gz
diff --git a/SOURCES/cert8.db.xml b/SOURCES/cert8.db.xml
deleted file mode 100644
index e82948d..0000000
--- a/SOURCES/cert8.db.xml
+++ /dev/null
@@ -1,59 +0,0 @@ - - - -]> - - - - - &date; - Network Security Services - nss - &version; - - - - cert8.db - 5 - - - - cert8.db - Legacy NSS certificate database - - - - Description - cert8.db is an NSS certificate database. - This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access. - - - - - Files - /etc/pki/nssdb/cert8.db - - - - See also - cert9.db(5), key4.db(5), pkcs11.txt(5), - - - - Authors - The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. - Authors: Elio Maldonado <emaldona@redhat.com>. - - - - - LICENSE - Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. - - - - - - diff --git a/SOURCES/key3.db.xml b/SOURCES/key3.db.xml deleted file mode 100644 index 444d7aa..0000000 --- a/SOURCES/key3.db.xml +++ /dev/null @@ -1,59 +0,0 @@ - - - -]> - - - - - &date; - Network Security Services - nss - &version; - - - - key3.db - 5 - - - - key3.db - Legacy NSS certificate database - - - - Description - key3.db is an NSS certificate database. - This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access. - - - - - Files - /etc/pki/nssdb/key3.db - - - - See also - cert9.db(5), key4.db(5), pkcs11.txt(5), - - - - Authors - The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. - Authors: Elio Maldonado <emaldona@redhat.com>. - - - - - LICENSE - Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. - - - - - - 
diff --git a/SOURCES/nss-3.71-camellia-pkcs12-doc.patch b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch new file mode 100644 index 0000000..f14b5a9 --- /dev/null +++ b/SOURCES/nss-3.71-camellia-pkcs12-doc.patch 
@@ -0,0 +1,20 @@ +diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml +--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800 ++++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800 +@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre + + + Password Encryption +- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. ++ PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option. + The private key is always protected with strong encryption by default. + Several types of ciphers are supported. + +@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre + + + PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC") ++ PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC") + + + diff --git a/SOURCES/nss-3.71-fix-lto-gtests.patch b/SOURCES/nss-3.71-fix-lto-gtests.patch new file mode 100644 index 0000000..462e8ad --- /dev/null 
+++ b/SOURCES/nss-3.71-fix-lto-gtests.patch @@ -0,0 +1,36 @@ +diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc +--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc ++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc +@@ -8,23 +8,32 @@ + + #include "prtime.h" + #include "secerr.h" + #include "ssl.h" + + #include "gtest_utils.h" + #include "tls_agent.h" + #include "tls_connect.h" ++#define LTO + + namespace nss_test { + ++#ifndef LTO ++// sigh this construction breaks LTO + const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256; + const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048; + const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048; + const std::string kDCId = TlsAgent::kServerEcdsa256; ++#else ++#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256 ++#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048 ++#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048 ++#define kDCId TlsAgent::kServerEcdsa256 ++#endif + const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256; + const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */; + + static void CheckPreliminaryPeerDelegCred( + const std::shared_ptr& client, bool expected, + PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) { + EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth)); + EXPECT_EQ(expected, client->pre_info().peerDelegCred); diff --git a/SOURCES/nss-3.75-fix-pkcs12-passwords.patch b/SOURCES/nss-3.75-fix-pkcs12-passwords.patch new file mode 100644 index 0000000..fffe693 --- /dev/null +++ b/SOURCES/nss-3.75-fix-pkcs12-passwords.patch 
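Review bot: The unconditional `+#define LTO` added at the top of tls_subcerts_unittest.cc makes the `#ifndef LTO` branch that keeps the `const std::string` definitions unreachable, so the patch ships dead code, and a macro named plainly `LTO` is generic enough to collide with a toolchain or build define. Either drop the `#ifndef` half and keep only the four `#define k...` lines, or leave `LTO` undefined in the source and set it from the build only when link-time optimisation is actually on. The comment `// sigh this construction breaks LTO` would help a later reader more if it named the symptom (a link or test failure, presumably tied to static initialisation across translation units — worth confirming) rather than the mood. CheckPreliminaryPeerDelegCred's body continues outside the hunk.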
@@ -0,0 +1,257 @@ +diff --git a/cmd/pk12util/pk12util.c b/cmd/pk12util/pk12util.c +--- a/cmd/pk12util/pk12util.c ++++ b/cmd/pk12util/pk12util.c +@@ -660,16 +660,27 @@ P12U_ExportPKCS12Object(char *nn, char * + } + + /* Password to use for PKCS12 file. */ + pwitem = P12U_GetP12FilePassword(PR_TRUE, p12FilePw); + if (!pwitem) { + goto loser; + } + ++ /* we are passing UTF8, drop the NULL in the normal password value. ++ * UCS2 conversion will add it back if necessary. This only affects ++ * password > Blocksize of the Hash function and pkcs5v2 pbe (if password ++ * <=Blocksize then the password is zero padded anyway, so an extra NULL ++ * at the end has not effect). This is allows us to work with openssl and ++ * gnutls. Older versions of NSS already fail to decrypt long passwords ++ * in this case, so we aren't breaking anyone with this code */ ++ if ((pwitem->len > 1) && (!pwitem->data[pwitem->len-1])) { ++ pwitem->len--; ++ } ++ + p12cxt = p12u_InitContext(PR_FALSE, outfile); + if (!p12cxt) { + SECU_PrintError(progName, "Initialization failed: %s", outfile); + pk12uErrno = PK12UERR_INIT_FILE; + goto loser; + } + + if (certlist) { +diff --git a/lib/pkcs12/p12local.c b/lib/pkcs12/p12local.c +--- a/lib/pkcs12/p12local.c ++++ b/lib/pkcs12/p12local.c +@@ -903,31 +903,35 @@ sec_pkcs12_find_object(SEC_PKCS12SafeCon + i++; + } + } + + PORT_SetError(SEC_ERROR_PKCS12_UNABLE_TO_LOCATE_OBJECT_BY_NAME); + return NULL; + } + +-/* this function converts a password to unicode and encures that the +- * required double 0 byte be placed at the end of the string ++/* this function converts a password to unicode and ensures that the ++ * required double 0 byte be placed at the end of the string (if zeroTerm ++ * is set), or the 0 bytes at the end are dropped (if zeroTerm is not set). 
+ */ + PRBool + sec_pkcs12_convert_item_to_unicode(PLArenaPool *arena, SECItem *dest, + SECItem *src, PRBool zeroTerm, + PRBool asciiConvert, PRBool toUnicode) + { + PRBool success = PR_FALSE; ++ int bufferSize; ++ + if (!src || !dest) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return PR_FALSE; + } + +- dest->len = src->len * 3 + 2; ++ bufferSize = src->len * 3 + 2; ++ dest->len = bufferSize; + if (arena) { + dest->data = (unsigned char *)PORT_ArenaZAlloc(arena, dest->len); + } else { + dest->data = (unsigned char *)PORT_ZAlloc(dest->len); + } + + if (!dest->data) { + dest->len = 0; +@@ -951,34 +955,44 @@ sec_pkcs12_convert_item_to_unicode(PLAre + if (!arena) { + PORT_Free(dest->data); + dest->data = NULL; + dest->len = 0; + } + return PR_FALSE; + } + +- if ((dest->len >= 2) && +- (dest->data[dest->len - 1] || dest->data[dest->len - 2]) && zeroTerm) { +- if (dest->len + 2 > 3 * src->len) { +- if (arena) { +- dest->data = (unsigned char *)PORT_ArenaGrow(arena, +- dest->data, dest->len, +- dest->len + 2); +- } else { +- dest->data = (unsigned char *)PORT_Realloc(dest->data, +- dest->len + 2); ++ /* in some cases we need to add NULL terminations and in others ++ * we need to drop null terminations */ ++ if (zeroTerm) { ++ /* unicode adds two nulls a the end */ ++ if (toUnicode) { ++ if ((dest->len >= 2) && ++ (dest->data[dest->len - 1] || dest->data[dest->len - 2])) { ++ /* we've already allocated space for these new NULLs */ ++ PORT_Assert(dest->len + 2 <= bufferSize); ++ dest->len += 2; ++ dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; + } +- +- if (!dest->data) { +- return PR_FALSE; ++ /* ascii/utf-8 adds just 1 */ ++ } else if ((dest->len >= 1) && dest->data[dest->len-1]) { ++ PORT_Assert(dest->len + 1 <= bufferSize); ++ dest->len ++; ++ dest->data[dest->len-1] = 0; ++ } ++ } else { ++ /* handle the drop case, no need to do any allocations here. 
*/ ++ if (toUnicode) { ++ while ((dest->len >=2) && !dest->data[dest->len - 1] && ++ !dest->data[dest->len - 2]) { ++ dest->len -= 2; + } ++ } else while (dest->len && !dest->data[dest->len-1]) { ++ dest->len--; + } +- dest->len += 2; +- dest->data[dest->len - 1] = dest->data[dest->len - 2] = 0; + } + + return PR_TRUE; + } + + PRBool + sec_pkcs12_is_pkcs12_pbe_algorithm(SECOidTag algorithm) + { +@@ -1006,27 +1020,28 @@ sec_pkcs12_is_pkcs12_pbe_algorithm(SECOi + } + } + + /* this function decodes a password from Unicode if necessary, + * according to the PBE algorithm. + * + * we assume that the pwitem is already encoded in Unicode by the + * caller. if the encryption scheme is not the one defined in PKCS +- * #12, decode the pwitem back into UTF-8. */ ++ * #12, decode the pwitem back into UTF-8. NOTE: UTF-8 strings are ++ * used in the PRF without the trailing NULL */ + PRBool + sec_pkcs12_decode_password(PLArenaPool *arena, + SECItem *result, + SECOidTag algorithm, + const SECItem *pwitem) + { + if (!sec_pkcs12_is_pkcs12_pbe_algorithm(algorithm)) + return sec_pkcs12_convert_item_to_unicode(arena, result, + (SECItem *)pwitem, +- PR_TRUE, PR_FALSE, PR_FALSE); ++ PR_FALSE, PR_FALSE, PR_FALSE); + + return SECITEM_CopyItem(arena, result, pwitem) == SECSuccess; + } + + /* this function encodes a password into Unicode if necessary, + * according to the PBE algorithm. + * + * we assume that the pwitem holds a raw password. 
if the encryption +diff --git a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -78,25 +78,27 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + + CERT_EXTENSIONS_DIR=${HOSTDIR}/cert_extensions + STAPLINGDIR=${HOSTDIR}/stapling + NOLOGINDIR=${HOSTDIR}/nologin + SSLGTESTDIR=${HOSTDIR}/ssl_gtests + GTESTDIR=${HOSTDIR}/gtests + + PWFILE=${HOSTDIR}/tests.pw ++ LONGPWFILE=${HOSTDIR}/tests.longpw + EMPTY_FILE=${HOSTDIR}/tests_empty + NOISE_FILE=${HOSTDIR}/tests_noise + CORELIST_FILE=${HOSTDIR}/clist + + FIPSPWFILE=${HOSTDIR}/tests.fipspw + FIPSBADPWFILE=${HOSTDIR}/tests.fipsbadpw + FIPSP12PWFILE=${HOSTDIR}/tests.fipsp12pw + + echo nss > ${PWFILE} ++ echo "nss123456789012345678901234567890123456789012345678901234567890_" > ${LONGPWFILE} + echo > ${EMPTY_FILE} + echo "fIps140" > ${FIPSPWFILE} + echo "fips104" > ${FIPSBADPWFILE} + echo "pKcs12fips140" > ${FIPSP12PWFILE} + + noise + + P_SERVER_CADIR=${SERVER_CADIR} +@@ -656,16 +658,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + P_R_NOLOGINDIR="multiaccess:${D_NOLOGIN}" + P_R_EXT_SERVERDIR="multiaccess:${D_EXT_SERVER}" + P_R_EXT_CLIENTDIR="multiaccess:${D_EXT_CLIENT}" + P_R_IMPLICIT_INIT_DIR="multiaccess:${D_IMPLICIT_INIT}" + P_R_RSAPSSDIR="multiaccess:${D_RSAPSS}" + fi + + R_PWFILE=../tests.pw ++ R_LONGPWFILE=../tests.longpw + R_EMPTY_FILE=../tests_empty + R_NOISE_FILE=../tests_noise + + R_FIPSPWFILE=../tests.fipspw + R_FIPSBADPWFILE=../tests.fipsbadpw + R_FIPSP12PWFILE=../tests.fipsp12pw + + trap "Exit $0 Signal_caught" 2 3 +diff --git a/tests/tools/tools.sh b/tests/tools/tools.sh +--- a/tests/tools/tools.sh ++++ b/tests/tools/tools.sh +@@ -382,16 +382,40 @@ tools_p12_export_list_import_with_defaul + check_tmpfile + + echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------" + echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}" + ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1 + ret=$? 
+ html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)" + check_tmpfile ++ ++ echo "$SCRIPTNAME: Exporting Alice's email EC cert & key with long pw------" ++ echo "pk12util -o Alice-ec-long.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\" ++ echo " -w ${R_LONGPWFILE}" ++ ${BINDIR}/pk12util -o Alice-ec-long.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \ ++ -w ${R_LONGPWFILE} 2>&1 ++ ret=$? ++ html_msg $ret 0 "Exporting Alice's email EC cert & key with long pw (pk12util -o)" ++ check_tmpfile ++ verify_p12 Alice-ec-long.p12 "default" "default" "default" ++ ++ echo "$SCRIPTNAME: Importing Alice's email EC cert & key with long pw-----" ++ echo "pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE}" ++ ${BINDIR}/pk12util -i Alice-ec-long.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_LONGPWFILE} 2>&1 ++ ret=$? ++ html_msg $ret 0 "Importing Alice's email EC cert & key with long pw (pk12util -i)" ++ check_tmpfile ++ ++ echo "$SCRIPTNAME: Listing Alice's pk12 EC file with long pw ------------" ++ echo "pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE}" ++ ${BINDIR}/pk12util -l Alice-ec-long.p12 -w ${R_LONGPWFILE} 2>&1 ++ ret=$? ++ html_msg $ret 0 "Listing Alice's pk12 EC file with long pw (pk12util -l)" ++ check_tmpfile + } + + tools_p12_import_old_files() + { + echo "$SCRIPTNAME: Importing PKCS#12 files created with older NSS --------------" + echo "pk12util -i TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}" + ${BINDIR}/pk12util -i ${TOOLSDIR}/data/TestOldCA.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1 + ret=$? diff --git a/SOURCES/secmod.db.xml b/SOURCES/secmod.db.xml deleted file mode 100644 index afc9dce..0000000 --- a/SOURCES/secmod.db.xml +++ /dev/null 
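Review bot: In sec_pkcs12_convert_item_to_unicode the new `int bufferSize` is compared with `dest->len`, the unsigned `len` of a SECItem, in both `PORT_Assert(dest->len + 2 <= bufferSize)` and `PORT_Assert(dest->len + 1 <= bufferSize)`; declare it `unsigned int bufferSize;` so the asserts are not signed/unsigned comparisons. In the non-`zeroTerm` path the `toUnicode` loop strips every trailing 00 00 pair and the byte path strips every trailing 0, so a password consisting only of NULs leaves `dest` empty — if that is intended a one-line comment saying so would save the next reader a detour, otherwise stop after the first terminator. The new pk12util.c comment has slips worth fixing while here: `has not effect` → `has no effect`, `This is allows us` → `This allows us`, and in p12local.c `adds two nulls a the end` → `at the end`. sec_pkcs12_decode_password and the tools.sh function whose name the hunk header truncates extend outside the hunk.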
@@ -1,63 +0,0 @@ - - - -]> - - - - - &date; - Network Security Services - nss - &version; - - - - secmod.db - 5 - - - - secmod.db - Legacy NSS security modules database - - - - Description - secmod.db is an NSS security modules database. - The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface. - - The command line utility modutil is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens. - - For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases. - - - - - Files - /etc/pki/nssdb/secmod.db - - - - See also - modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5) - - - - Authors - The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. - Authors: Elio Maldonado <emaldona@redhat.com>. - - - - - LICENSE - Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. - - - - - - diff --git a/SPECS/nss.spec b/SPECS/nss.spec index 19777dc..755fc2b 100644 --- a/SPECS/nss.spec +++ b/SPECS/nss.spec @@ -4,7 +4,7 @@ # - increment %%{nspr_version}, when updating the NSS part only # - put the nss_release number here next to nspr, as they both # need to be updated on a given release -%global nss_release 3 +%global nss_release 7 %global nspr_release %[ %nss_release+2] %global nss_version 3.71.0 # only need to update this as we added new 
@@ -90,22 +90,28 @@ Source6: nss-softokn-dracut-module-setup.sh Source7: nss-softokn-dracut.conf Source8: nss.pc.in Source9: nss-config.in +%if %{with dbm} Source10: blank-cert8.db Source11: blank-key3.db Source12: blank-secmod.db +%endif Source13: blank-cert9.db Source14: blank-key4.db Source15: system-pkcs11.txt Source16: setup-nsssysinit.sh Source20: nss-config.xml Source21: setup-nsssysinit.xml -Source22: pkcs11.txt.xml +%if %{with dbm} Source23: cert8.db.xml -Source24: cert9.db.xml Source25: key3.db.xml -Source26: key4.db.xml Source27: secmod.db.xml +%endif +Source22: pkcs11.txt.xml +Source24: cert9.db.xml +Source26: key4.db.xml Source28: nss-p11-kit.config +Source30: PayPalEE.cert + Source100: nspr-%{nspr_archive_version}.tar.gz Source101: nspr-config.xml @@ -140,6 +146,12 @@ Patch50: nss-3.71-fips-module-name.patch # upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470 Patch60: nss-3.67-cve-2021-43527.patch Patch70: nss-3.67-cve-2021-43527-test.patch +# not upstreamable patch... +Patch80: nss-3.71-fix-lto-gtests.patch +# camellia pkcs12 docs. +patch85: nss-3.71-camellia-pkcs12-doc.patch +# fix issue with long passwords in pkcs12 +patch90: nss-3.75-fix-pkcs12-passwords.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -301,6 +313,7 @@ Header files for doing development with the Netscape Portable Runtime. %setup -q -T -b 0 -n %{name}-%{nss_archive_version} mv ../nspr-%{nspr_archive_version}/nspr . cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in +%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs %patch100 -p0 -b .flags pushd nspr @@ -361,7 +374,7 @@ popd # Build NSS # # This package fails its testsuite with LTO. Disable LTO for now -%global _lto_cflags %{nil} +#%%global _lto_cflags %%{nil} #export FREEBL_NO_DEPEND=1 
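Review bot: Source10–Source12 and Source23/Source25/Source27 are kept under the new `%if %{with dbm}` guard, but this same commit deletes cert8.db.xml, key3.db.xml and secmod.db.xml from SOURCES and drops blank-cert8.db, blank-key3.db and blank-secmod.db from .nss.metadata, so a build with dbm enabled would fail at source resolution rather than being switched off cleanly. If the dbm bcond is permanently off on this branch (not visible here), the guarded lines are dead and can simply go; otherwise the files need to stay in the lookaside. `Source30: PayPalEE.cert` also arrives with no changelog entry and no comment saying what consumes it — presumably the libpkix tests, given the `%{__cp} %{SOURCE30} -f ./nss/tests/libpkix/certs` line in `%setup`; a one-line comment above the tag would make that explicit.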
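Review bot: `patch85:` and `patch90:` use a lowercase tag while `Patch80:` and every neighbouring line use `Patch`; rpm accepts both, but it reads as two different tags, so write `Patch85:` and `Patch90:`. No `%patch80`, `%patch85` or `%patch90` application lines appear anywhere in this diff — the `%setup` hunk only adds the `%{__cp} %{SOURCE30}` copy — so unless they are applied in a hunk not shown, the three patches are declared but never applied and the changelog claims about LTO and long PKCS#12 passwords would not hold for the built package. The `# not upstreamable patch...` comment would also be more useful if it said why, e.g. that it hard-codes `#define LTO` in a test source.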
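Review bot: Commenting out `%global _lto_cflags %{nil}` re-enables LTO but leaves the line above it, `# This package fails its testsuite with LTO. Disable LTO for now`, untouched, so the comment now contradicts the code. Either delete the stale comment together with the commented-out global, or reword it to say that LTO is enabled and that nss-3.71-fix-lto-gtests.patch is what lets the gtests pass under it.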
@@ -540,20 +553,22 @@ date +"%e %B %Y" | tr -d '\n' > date.xml echo -n %{nss_version} > version.xml # configuration files and setup script -for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do +for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do cp ${m} . done -for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do +for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do xmlto man ${m} done -# nss databases considered to be configuration files -for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do +%if %{with dbm} +# nss dbm databases +for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do cp ${m} . done -for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do +for m in cert8.db.xml key3.db.xml secmod.db.xml; do xmlto man ${m} done +%endif %check @@ -704,9 +719,11 @@ done # Install the empty NSS db files # Legacy db mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb +%if %{with dbm} install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db +%endif # Shared db install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db 
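Review bot: In the `@@ -704,9 +719,11 @@` hunk the `# Legacy db` comment now sits above the unguarded `mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb`, which the shared-db installs below also rely on, while the three legacy `install` lines moved inside `%if %{with dbm}`; move the comment inside the guard, or retitle it (e.g. `# NSS db directory`), so the directory creation is not read as dbm-only.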
@@ -782,13 +799,15 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tool %endif # Copy the man pages for the configuration files -for f in pkcs11.txt; do +for f in pkcs11.txt cert9.db key4.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done -# Copy the man pages for the nss databases -for f in cert8.db cert9.db key3.db key4.db secmod.db; do +# Copy the man pages for the nss dbm databases +%if %{with dbm} +for f in cert8.db key3.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done +%endif # Copy the crypto-policies configuration file install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d @@ -823,16 +842,20 @@ update-crypto-policies &> /dev/null || : %{_libdir}/libssl3.so %{_libdir}/libsmime3.so %dir %{_sysconfdir}/pki/nssdb +%if %{with dbm} %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db +%endif %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config +%if %{with dbm} %doc %{_mandir}/man5/cert8.db.5* %doc %{_mandir}/man5/key3.db.5* %doc %{_mandir}/man5/secmod.db.5* +%endif %doc %{_mandir}/man5/cert9.db.5* %doc %{_mandir}/man5/key4.db.5* %doc %{_mandir}/man5/pkcs11.txt.5* 
@@ -1084,6 +1107,17 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Feb 16 2022 Bob Relyea - 3.71.0-7 +- Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures + on long passwords. + +* Wed Jan 26 2022 Bob Relyea - 3.71.0-6 +- update pkcs12 documentation to include camellia +- turn on lto + +* Wed Jan 12 2022 Bob Relyea - 3.71.0-5 +- remove old dbm files from the build + * Wed Dec 1 2021 Bob Relyea - 3.71.0-2 - Fix CVE-2021-43527