Update pem sources to latest from nss-pem upstream
- Update picks up pem fixes verified on RHEL and applied upstream - Fix a problem where same files in two rpms created rpm conflict - Reported at https://bugzilla.redhat.com/show_bug.cgi?id=1050163 - Move some nss-sysinit manpages tar archives to the %files the - All man pages are listed by name so there shouldn't be wildcard inclusion - Add support for ppc64le, Resolves: Bug 1052545
parent
5d65d327f1
commit
a25fc11743
2
.gitignore
vendored
@ -7,5 +7,5 @@ PayPalEE.cert
|
|||||||
TestCA.ca.cert
|
TestCA.ca.cert
|
||||||
TestUser50.cert
|
TestUser50.cert
|
||||||
TestUser51.cert
|
TestUser51.cert
|
||||||
/nss-pem-20131226.tar.bz2
|
/nss-pem-20140125.tar.bz2
|
||||||
/nss-3.15.4.tar.gz
|
/nss-3.15.4.tar.gz
|
||||||
|
@ -1,196 +0,0 @@
|
|||||||
From 67aaa70fb0e889ff7dd3668561bfb002dd83e018 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Elio Maldonado <emaldona@redhat.com>
|
|
||||||
Date: Wed, 8 Jan 2014 10:02:19 -0800
|
|
||||||
Subject: [PATCH 39/39] Sync up with nss-3.15.4 changes in freebl and softoken
|
|
||||||
|
|
||||||
- Remove RSA_BlockOAEP cases which aren't used by the pem module after all
|
|
||||||
- Copied the private RSA_BlockType data structure from freebl/pkcss11.c
|
|
||||||
- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c
|
|
||||||
- per Mozilla Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl
|
|
||||||
- https://bugzilla.mozilla.org/show_bug.cgi?id=836019
|
|
||||||
---
|
|
||||||
mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 133 ++++-----------------------
|
|
||||||
1 file changed, 16 insertions(+), 117 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
|
|
||||||
index 5ac4f39..103eeda 100644
|
|
||||||
--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
|
|
||||||
+++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
|
|
||||||
@@ -60,6 +60,21 @@
|
|
||||||
|
|
||||||
#define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
|
|
||||||
|
|
||||||
+/*
|
|
||||||
+ * RSA block types
|
|
||||||
+ *
|
|
||||||
+ * The actual values are important -- they are fixed, *not* arbitrary.
|
|
||||||
+ * The explicit value assignments are not needed (because C would give
|
|
||||||
+ * us those same values anyway) but are included as a reminder...
|
|
||||||
+ */
|
|
||||||
+typedef enum {
|
|
||||||
+ RSA_BlockUnused = 0, /* unused */
|
|
||||||
+ RSA_BlockPrivate = 1, /* pad for a private-key operation */
|
|
||||||
+ RSA_BlockPublic = 2, /* pad for a public-key operation */
|
|
||||||
+ RSA_BlockRaw = 4, /* simply justify the block appropriately */
|
|
||||||
+ RSA_BlockTotal
|
|
||||||
+} RSA_BlockType;
|
|
||||||
+
|
|
||||||
unsigned
|
|
||||||
pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
|
|
||||||
{
|
|
||||||
@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
|
|
||||||
/*
|
|
||||||
* Blocks intended for private-key operation.
|
|
||||||
*/
|
|
||||||
- case RSA_BlockPrivate0: /* essentially unused */
|
|
||||||
case RSA_BlockPrivate: /* preferred method */
|
|
||||||
/*
|
|
||||||
* 0x00 || BT || Pad || 0x00 || ActualData
|
|
||||||
@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
|
|
||||||
nss_ZFreeIf(block);
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
- nsslibc_memset(bp,
|
|
||||||
- blockType == RSA_BlockPrivate0
|
|
||||||
- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
|
|
||||||
- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
|
|
||||||
+ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
|
|
||||||
bp += padLen;
|
|
||||||
*bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
|
|
||||||
nsslibc_memcpy(bp, data->data, data->len);
|
|
||||||
@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
|
|
||||||
|
|
||||||
break;
|
|
||||||
|
|
||||||
- /*
|
|
||||||
- * Blocks intended for public-key operation, using
|
|
||||||
- * Optimal Asymmetric Encryption Padding (OAEP).
|
|
||||||
- */
|
|
||||||
- case RSA_BlockOAEP:
|
|
||||||
- /*
|
|
||||||
- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
|
|
||||||
- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
|
|
||||||
- *
|
|
||||||
- * where:
|
|
||||||
- * PaddedData is "Pad1 || ActualData [|| Pad2]"
|
|
||||||
- * Salt is random data.
|
|
||||||
- * Pad1 is all zeros.
|
|
||||||
- * Pad2, if present, is random data.
|
|
||||||
- * (The "modified" fields are all the same length as the original
|
|
||||||
- * unmodified values; they are just xor'd with other values.)
|
|
||||||
- *
|
|
||||||
- * Modified1 is an XOR of PaddedData with a special octet
|
|
||||||
- * string constructed of iterated hashing of Salt (see below).
|
|
||||||
- * Modified2 is an XOR of Salt with the low-order octets of
|
|
||||||
- * the hash of Modified1 (see farther below ;-).
|
|
||||||
- *
|
|
||||||
- * Whew!
|
|
||||||
- */
|
|
||||||
-
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Salt
|
|
||||||
- */
|
|
||||||
- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- nss_ZFreeIf(block);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
- bp += OAEP_SALT_LEN;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Pad1
|
|
||||||
- */
|
|
||||||
- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
|
|
||||||
- bp += OAEP_PAD_LEN;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Data
|
|
||||||
- */
|
|
||||||
- nsslibc_memcpy(bp, data->data, data->len);
|
|
||||||
- bp += data->len;
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Pad2
|
|
||||||
- */
|
|
||||||
- if (bp < (block + modulusLen)) {
|
|
||||||
- rv = RNG_GenerateGlobalRandomBytes(bp,
|
|
||||||
- block - bp + modulusLen);
|
|
||||||
- if (rv != SECSuccess) {
|
|
||||||
- nss_ZFreeIf(block);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Now we have the following:
|
|
||||||
- * 0x00 || BT || Salt || PaddedData
|
|
||||||
- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
|
|
||||||
- * as the one entity PaddedData.)
|
|
||||||
- *
|
|
||||||
- * We need to turn PaddedData into Modified1.
|
|
||||||
- */
|
|
||||||
- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
|
|
||||||
- modulusLen - 2 - OAEP_SALT_LEN,
|
|
||||||
- block + 2, OAEP_SALT_LEN) != SECSuccess) {
|
|
||||||
- nss_ZFreeIf(block);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- /*
|
|
||||||
- * Now we have:
|
|
||||||
- * 0x00 || BT || Salt || Modified1(PaddedData)
|
|
||||||
- *
|
|
||||||
- * The remaining task is to turn Salt into Modified2.
|
|
||||||
- */
|
|
||||||
- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
|
|
||||||
- block + 2 + OAEP_SALT_LEN,
|
|
||||||
- modulusLen - 2 - OAEP_SALT_LEN) !=
|
|
||||||
- SECSuccess) {
|
|
||||||
- nss_ZFreeIf(block);
|
|
||||||
- return NULL;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- break;
|
|
||||||
-
|
|
||||||
default:
|
|
||||||
PORT_Assert(0);
|
|
||||||
nss_ZFreeIf(block);
|
|
||||||
@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
|
|
||||||
*/
|
|
||||||
|
|
||||||
switch (blockType) {
|
|
||||||
- case RSA_BlockPrivate0:
|
|
||||||
case RSA_BlockPrivate:
|
|
||||||
case RSA_BlockPublic:
|
|
||||||
/*
|
|
||||||
@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
|
|
||||||
|
|
||||||
break;
|
|
||||||
|
|
||||||
- case RSA_BlockOAEP:
|
|
||||||
- /*
|
|
||||||
- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
|
|
||||||
- *
|
|
||||||
- * The "2" below is the first octet + the second octet.
|
|
||||||
- * (The other fields do not contain the clear values, but are
|
|
||||||
- * the same length as the clear values.)
|
|
||||||
- */
|
|
||||||
- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
|
|
||||||
- + OAEP_PAD_LEN)));
|
|
||||||
-
|
|
||||||
- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
|
|
||||||
- if (result->data == NULL) {
|
|
||||||
- result->len = 0;
|
|
||||||
- return SECFailure;
|
|
||||||
- }
|
|
||||||
- result->len = modulusLen;
|
|
||||||
-
|
|
||||||
- break;
|
|
||||||
-
|
|
||||||
case RSA_BlockRaw:
|
|
||||||
/*
|
|
||||||
* Pad || ActualData
|
|
||||||
--
|
|
||||||
1.8.4.2
|
|
||||||
|
|
27
nss.spec
@ -5,7 +5,7 @@
|
|||||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
||||||
|
|
||||||
# solution taken from icedtea-web.spec
|
# solution taken from icedtea-web.spec
|
||||||
%define multilib_arches ppc64 sparc64 x86_64
|
%define multilib_arches ppc64 sparc64 x86_64 ppc64le
|
||||||
%ifarch %{multilib_arches}
|
%ifarch %{multilib_arches}
|
||||||
%define alt_ckbi libnssckbi.so.%{_arch}
|
%define alt_ckbi libnssckbi.so.%{_arch}
|
||||||
%else
|
%else
|
||||||
@ -19,7 +19,7 @@
|
|||||||
Summary: Network Security Services
|
Summary: Network Security Services
|
||||||
Name: nss
|
Name: nss
|
||||||
Version: 3.15.4
|
Version: 3.15.4
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
@ -57,7 +57,7 @@ Source7: blank-key4.db
|
|||||||
Source8: system-pkcs11.txt
|
Source8: system-pkcs11.txt
|
||||||
Source9: setup-nsssysinit.sh
|
Source9: setup-nsssysinit.sh
|
||||||
Source10: PayPalEE.cert
|
Source10: PayPalEE.cert
|
||||||
Source12: %{name}-pem-20131226.tar.bz2
|
Source12: %{name}-pem-20140125.tar.bz2
|
||||||
Source17: TestCA.ca.cert
|
Source17: TestCA.ca.cert
|
||||||
Source18: TestUser50.cert
|
Source18: TestUser50.cert
|
||||||
Source19: TestUser51.cert
|
Source19: TestUser51.cert
|
||||||
@ -80,7 +80,6 @@ Patch18: nss-646045.patch
|
|||||||
Patch25: nsspem-use-system-freebl.patch
|
Patch25: nsspem-use-system-freebl.patch
|
||||||
# TODO: Remove this patch when the ocsp test are fixed
|
# TODO: Remove this patch when the ocsp test are fixed
|
||||||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||||
Patch44: 0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
|
|
||||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||||
Patch47: utilwrap-include-templates.patch
|
Patch47: utilwrap-include-templates.patch
|
||||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
|
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
|
||||||
@ -172,7 +171,6 @@ low level services.
|
|||||||
# link pem against buildroot's freebl, essential when mixing and matching
|
# link pem against buildroot's freebl, essential when mixing and matching
|
||||||
%patch25 -p0 -b .systemfreebl
|
%patch25 -p0 -b .systemfreebl
|
||||||
%patch40 -p0 -b .noocsptest
|
%patch40 -p0 -b .noocsptest
|
||||||
%patch44 -p3 -b .syncupwithupstream
|
|
||||||
%patch47 -p0 -b .templates
|
%patch47 -p0 -b .templates
|
||||||
%patch48 -p0 -b .crypto
|
%patch48 -p0 -b .crypto
|
||||||
%patch49 -p0 -b .skipthem
|
%patch49 -p0 -b .skipthem
|
||||||
@ -250,7 +248,7 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
|
|||||||
NSS_USE_SYSTEM_SQLITE=1
|
NSS_USE_SYSTEM_SQLITE=1
|
||||||
export NSS_USE_SYSTEM_SQLITE
|
export NSS_USE_SYSTEM_SQLITE
|
||||||
|
|
||||||
%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
|
%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le
|
||||||
USE_64=1
|
USE_64=1
|
||||||
export USE_64
|
export USE_64
|
||||||
%endif
|
%endif
|
||||||
@ -364,7 +362,7 @@ export FREEBL_NO_DEPEND
|
|||||||
BUILD_OPT=1
|
BUILD_OPT=1
|
||||||
export BUILD_OPT
|
export BUILD_OPT
|
||||||
|
|
||||||
%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
|
%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 ppc64le
|
||||||
USE_64=1
|
USE_64=1
|
||||||
export USE_64
|
export USE_64
|
||||||
%endif
|
%endif
|
||||||
@ -600,10 +598,12 @@ fi
|
|||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/*
|
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
|
%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
|
%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
|
%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
|
||||||
|
%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
|
||||||
|
%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
|
||||||
|
%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
|
||||||
|
|
||||||
%files sysinit
|
%files sysinit
|
||||||
%defattr(-,root,root)
|
%defattr(-,root,root)
|
||||||
@ -611,9 +611,6 @@ fi
|
|||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
|
||||||
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
|
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
|
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
|
|
||||||
%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
|
|
||||||
%{_bindir}/setup-nsssysinit.sh
|
%{_bindir}/setup-nsssysinit.sh
|
||||||
# symbolic link to setup-nsssysinit.sh
|
# symbolic link to setup-nsssysinit.sh
|
||||||
%{_bindir}/setup-nsssysinit
|
%{_bindir}/setup-nsssysinit
|
||||||
@ -731,6 +728,14 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Jan 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
|
||||||
|
- Update pem sources to latest from nss-pem upstream
|
||||||
|
- Pick up pem fixes verified on RHEL and applied upstream
|
||||||
|
- Fix a problem where same files in two rpms created rpm conflict
|
||||||
|
- Move some nss-sysinit manpages tar archives to the %%files the
|
||||||
|
- All man pages are listed by name so there shouldn't be wildcard inclusion
|
||||||
|
- Add support for ppc64le, Resolves: Bug 1052545
|
||||||
|
|
||||||
* Mon Jan 20 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.15.4-2
|
* Mon Jan 20 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.15.4-2
|
||||||
- ARM tests pass so remove ARM conditional
|
- ARM tests pass so remove ARM conditional
|
||||||
|
|
||||||
|
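Review bot: Dropping `Patch44` and its `%patch44 -p3 -b .syncupwithupstream` line in the same change that bumps `Source12` to `%{name}-pem-20140125.tar.bz2` leaves no record in the spec of where the new snapshot came from, or that it already carries the freebl/softoken sync the patch provided (the `RSA_BlockType` enum and the removal of the `RSA_BlockOAEP` cases in `rsawrapr.c`). Presumably the 20140125 tarball includes those changes, but that cannot be confirmed from this page, and the only integrity pin visible is the 32-hex-digit digest in `sources`. I would add a comment above `Source12`, for example `# nss-pem snapshot of <UPSTREAM_REPO_URL> at commit <COMMIT_ID>; includes the former Patch44 sync (Mozilla bug 836019)`, so the tarball can be regenerated and compared. The changelog line `Move some nss-sysinit manpages tar archives to the %%files the` is also truncated and should name the %files list that `cert9.db.5.gz`, `key4.db.5.gz` and `pkcs11.txt.5.gz` moved to.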
2
sources
@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
|
|||||||
f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
|
f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
|
||||||
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
|
1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
|
||||||
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
|
ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
|
||||||
cb247307632f7673b32c71009ba7b660 nss-pem-20131226.tar.bz2
|
b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
|
||||||
74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz
|
74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz
|
||||||
|