From cb85c9e1da2a8cf2b34adeeb01c7b4c14979b4bf Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Sun, 4 Dec 2011 23:08:24 -0800 Subject: [PATCH] - Bug 750376 Enable updating nss to 3.13.x while keeping nss-softokn at 3.12.9 - Statically link the pem module against system freebl found in buildroot - Disable sha224-related powerup selftest until we update softokn - Disable sha224 and rsapss tests which nss-softokn 3.12.x doesn't support - nss-softokn 3.12.9 was submitted for FIPS 140 minor revalidation --- nofipstest.patch | 19 + nosha224.patch | 618 +++++++++++++++++++++++++++++++++ nss.spec | 39 ++- nsspem-use-system-freebl.patch | 16 + terminalrecord.patch | 90 +++++ 5 files changed, 774 insertions(+), 8 deletions(-) create mode 100644 nofipstest.patch create mode 100644 nosha224.patch create mode 100644 nsspem-use-system-freebl.patch create mode 100644 terminalrecord.patch diff --git a/nofipstest.patch b/nofipstest.patch new file mode 100644 index 0000000..5f711be --- /dev/null +++ b/nofipstest.patch @@ -0,0 +1,19 @@ +diff -up ./mozilla/security/nss/cmd/manifest.mn.nofipstest ./mozilla/security/nss/cmd/manifest.mn +--- ./mozilla/security/nss/cmd/manifest.mn.nofipstest 2011-12-03 22:54:40.969914919 -0800 ++++ ./mozilla/security/nss/cmd/manifest.mn 2011-12-03 22:55:12.348505822 -0800 +@@ -54,7 +54,6 @@ DIRS = lib \ + dbtest \ + derdump \ + digest \ +- fipstest \ + makepqg \ + multinit \ + ocspclnt \ +@@ -84,6 +83,7 @@ DIRS = lib \ + $(NULL) + + TEMPORARILY_DONT_BUILD = \ ++ fipstest \ + $(NULL) + + # rsaperf \ diff --git a/nosha224.patch b/nosha224.patch new file mode 100644 index 0000000..bd9d351 --- /dev/null +++ b/nosha224.patch @@ -0,0 +1,618 @@ +diff -up ./mozilla/security/coreconf/Linux.mk.nosha224 ./mozilla/security/coreconf/Linux.mk +--- ./mozilla/security/coreconf/Linux.mk.nosha224 2011-12-04 22:03:47.295609957 -0800 ++++ ./mozilla/security/coreconf/Linux.mk 2011-12-04 22:03:47.301609957 -0800 +@@ -188,6 +188,14 @@ NSSUTIL_LIBS = -lnssutil3 + USE_SYSTEM_FREEBL = 1 + FREEBL_LIBS = -lfreebl3 + ++# ++# Don't compile code that requires SHA224 if it isn't avilable ++# Such is the case when system freebl/softokn is the 3.12 one ++# ++ifdef NO_SHA224_AVAILABLE ++CFLAGS+=-DNO_SHA224_AVAILABLE ++endif ++ + # The -rpath '$$ORIGIN' linker option instructs this library to search for its + # dependencies in the same directory where it resides. + ifeq ($(BUILD_SUN_PKG), 1) +diff -up ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 ./mozilla/security/nss/cmd/bltest/blapitest.c +--- ./mozilla/security/nss/cmd/bltest/blapitest.c.nosha224 2011-09-16 12:16:50.000000000 -0700 ++++ ./mozilla/security/nss/cmd/bltest/blapitest.c 2011-12-04 22:03:47.302609957 -0800 +@@ -686,7 +686,9 @@ typedef enum { + bltestMD2, /* Hash algorithms */ + bltestMD5, /* . */ + bltestSHA1, /* . */ ++#ifndef NO_SHA224_AVAILABLE + bltestSHA224, /* . */ ++#endif + bltestSHA256, /* . */ + bltestSHA384, /* . */ + bltestSHA512, /* . */ +@@ -721,7 +723,9 @@ static char *mode_strings[] = + "md2", + "md5", + "sha1", ++#ifndef NO_SHA224_AVAILABLE + "sha224", ++#endif + "sha256", + "sha384", + "sha512", +@@ -1761,6 +1765,7 @@ finish: + return rv; + } + ++#ifndef NO_SHA224_AVAILABLE + SECStatus + SHA224_restart(unsigned char *dest, const unsigned char *src, uint32 src_length) + { +@@ -1800,6 +1805,7 @@ finish: + SHA224_DestroyContext(cx, PR_TRUE); + return rv; + } ++#endif + + SECStatus + SHA256_restart(unsigned char *dest, const unsigned char *src, uint32 src_length) +@@ -2093,6 +2099,7 @@ cipherInit(bltestCipherInfo *cipherInfo, + cipherInfo->cipher.hashCipher = (restart) ? sha1_restart : SHA1_HashBuf; + return SECSuccess; + break; ++#ifndef NO_SHA224_AVAILABLE + case bltestSHA224: + restart = cipherInfo->params.hash.restart; + SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf, +@@ -2100,6 +2107,7 @@ cipherInit(bltestCipherInfo *cipherInfo, + cipherInfo->cipher.hashCipher = (restart) ? SHA224_restart + : SHA224_HashBuf; + return SECSuccess; ++#endif + break; + case bltestSHA256: + restart = cipherInfo->params.hash.restart; +@@ -2542,7 +2550,9 @@ cipherFinish(bltestCipherInfo *cipherInf + case bltestMD2: /* hash contexts are ephemeral */ + case bltestMD5: + case bltestSHA1: ++#ifndef NO_SHA224_AVAILABLE + case bltestSHA224: ++#endif + case bltestSHA256: + case bltestSHA384: + case bltestSHA512: +@@ -2896,7 +2906,9 @@ get_params(PRArenaPool *arena, bltestPar + case bltestMD2: + case bltestMD5: + case bltestSHA1: ++#ifndef NO_SHA224_AVAILABLE + case bltestSHA224: ++#endif + case bltestSHA256: + case bltestSHA384: + case bltestSHA512: +diff -up ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224 ./mozilla/security/nss/cmd/chktest/chktest.c +--- ./mozilla/security/nss/cmd/chktest/chktest.c.nosha224 2010-12-06 09:22:49.000000000 -0800 ++++ ./mozilla/security/nss/cmd/chktest/chktest.c 2011-12-04 22:03:47.304609957 -0800 +@@ -41,6 +41,10 @@ + #include "blapi.h" + #include "secutil.h" + ++#ifdef NO_SHA224_AVAILABLE ++PRBool BLAPI_SHVerifyFile(const char *shName); ++#endif ++ + static int Usage() + { + fprintf(stderr, "Usage: chktest \n"); +diff -up ./mozilla/security/nss/cmd/lib/secutil.c.nosha224 ./mozilla/security/nss/cmd/lib/secutil.c +--- ./mozilla/security/nss/cmd/lib/secutil.c.nosha224 2011-10-22 07:35:41.000000000 -0700 ++++ ./mozilla/security/nss/cmd/lib/secutil.c 2011-12-04 22:03:47.305609957 -0800 +@@ -86,6 +86,14 @@ static char consoleName[] = { + #include "nssutil.h" + #include "ssl.h" + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + + void + SECU_PrintErrMsg(FILE *out, int level, char *progName, char *msg, ...) +@@ -1509,6 +1517,8 @@ const SEC_ASN1Template secuPBEV2Params[] + { 0 } + }; + ++/* if no sha224 then no psapss either */ ++#ifndef NO_SHA224_AVAILABLE + void + secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level) + { +@@ -1572,6 +1582,7 @@ secu_PrintRSAPSSParams(FILE *out, SECIte + } + PORT_FreeArena(pool, PR_FALSE); + } ++#endif + + void + secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level) +@@ -1684,10 +1695,12 @@ SECU_PrintAlgorithmID(FILE *out, SECAlgo + return; + } + ++#ifndef NO_SHA224_AVAILABLE + if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) { + secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1); + return; + } ++#endif + + if (a->parameters.len == 0 + || (a->parameters.len == 2 +@@ -3763,8 +3776,10 @@ SECU_StringToSignatureAlgTag(const char + hashAlgTag = SEC_OID_MD5; + } else if (!PL_strcmp(alg, "SHA1")) { + hashAlgTag = SEC_OID_SHA1; ++#ifndef NO_SHA224_AVAILABLE + } else if (!PL_strcmp(alg, "SHA224")) { + hashAlgTag = SEC_OID_SHA224; ++#endif + } else if (!PL_strcmp(alg, "SHA256")) { + hashAlgTag = SEC_OID_SHA256; + } else if (!PL_strcmp(alg, "SHA384")) { +diff -up ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224 ./mozilla/security/nss/cmd/pk11mode/pk11mode.c +--- ./mozilla/security/nss/cmd/pk11mode/pk11mode.c.nosha224 2011-12-04 22:07:27.230604899 -0800 ++++ ./mozilla/security/nss/cmd/pk11mode/pk11mode.c 2011-12-04 22:10:06.365601241 -0800 +@@ -883,21 +883,27 @@ CK_RV PKM_KeyTests(CK_FUNCTION_LIST_PTR + + mech_str digestMechs[] = { + {CKM_SHA_1, "CKM_SHA_1 "}, ++#ifndef NO_SHA224_AVAILABLE + {CKM_SHA224, "CKM_SHA224"}, ++#endif + {CKM_SHA256, "CKM_SHA256"}, + {CKM_SHA384, "CKM_SHA384"}, + {CKM_SHA512, "CKM_SHA512"} + }; + mech_str hmacMechs[] = { + {CKM_SHA_1_HMAC, "CKM_SHA_1_HMAC"}, ++#ifndef NO_SHA224_AVAILABLE + {CKM_SHA224_HMAC, "CKM_SHA224_HMAC"}, ++#endif + {CKM_SHA256_HMAC, "CKM_SHA256_HMAC"}, + {CKM_SHA384_HMAC, "CKM_SHA384_HMAC"}, + {CKM_SHA512_HMAC, "CKM_SHA512_HMAC"} + }; + mech_str sigRSAMechs[] = { + {CKM_SHA1_RSA_PKCS, "CKM_SHA1_RSA_PKCS"}, ++#ifndef NO_SHA224_AVAILABLE + {CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"}, ++#endif + {CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"}, + {CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"}, + {CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"} +diff -up ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224 ./mozilla/security/nss/lib/cryptohi/sechash.c +--- ./mozilla/security/nss/lib/cryptohi/sechash.c.nosha224 2011-06-21 15:47:54.000000000 -0700 ++++ ./mozilla/security/nss/lib/cryptohi/sechash.c 2011-12-04 22:03:47.306609957 -0800 +@@ -91,10 +91,12 @@ sha1_NewContext(void) { + return (void *) PK11_CreateDigestContext(SEC_OID_SHA1); + } + ++#ifndef NO_SHA224_AVAILABLE + static void * + sha224_NewContext(void) { + return (void *) PK11_CreateDigestContext(SEC_OID_SHA224); + } ++#endif + + static void * + sha256_NewContext(void) { +@@ -189,6 +191,7 @@ const SECHashObject SECHashObjects[] = { + SHA512_BLOCK_LENGTH, + HASH_AlgSHA512 + }, ++#ifndef NO_SHA224_AVAILABLE + { SHA224_LENGTH, + (void * (*)(void)) sha224_NewContext, + (void * (*)(void *)) PK11_CloneContext, +@@ -200,6 +203,7 @@ const SECHashObject SECHashObjects[] = { + SHA224_BLOCK_LENGTH, + HASH_AlgSHA224 + }, ++#endif + }; + + const SECHashObject * +@@ -217,7 +221,9 @@ HASH_GetHashTypeByOidTag(SECOidTag hashO + case SEC_OID_MD2: ht = HASH_AlgMD2; break; + case SEC_OID_MD5: ht = HASH_AlgMD5; break; + case SEC_OID_SHA1: ht = HASH_AlgSHA1; break; ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_SHA224: ht = HASH_AlgSHA224; break; ++#endif + case SEC_OID_SHA256: ht = HASH_AlgSHA256; break; + case SEC_OID_SHA384: ht = HASH_AlgSHA384; break; + case SEC_OID_SHA512: ht = HASH_AlgSHA512; break; +@@ -237,7 +243,9 @@ HASH_GetHashOidTagByHMACOidTag(SECOidTag + /* no oid exists for HMAC_MD2 */ + /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_HMAC_SHA1: hashOid = SEC_OID_SHA1; break; ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_HMAC_SHA224: hashOid = SEC_OID_SHA224; break; ++#endif + case SEC_OID_HMAC_SHA256: hashOid = SEC_OID_SHA256; break; + case SEC_OID_HMAC_SHA384: hashOid = SEC_OID_SHA384; break; + case SEC_OID_HMAC_SHA512: hashOid = SEC_OID_SHA512; break; +@@ -257,7 +265,9 @@ HASH_GetHMACOidTagByHashOidTag(SECOidTag + /* no oid exists for HMAC_MD2 */ + /* NSS does not define a oid for HMAC_MD4 */ + case SEC_OID_SHA1: hmacOid = SEC_OID_HMAC_SHA1; break; ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_SHA224: hmacOid = SEC_OID_HMAC_SHA224; break; ++#endif + case SEC_OID_SHA256: hmacOid = SEC_OID_HMAC_SHA256; break; + case SEC_OID_SHA384: hmacOid = SEC_OID_HMAC_SHA384; break; + case SEC_OID_SHA512: hmacOid = SEC_OID_HMAC_SHA512; break; +diff -up ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224 ./mozilla/security/nss/lib/cryptohi/seckey.c +--- ./mozilla/security/nss/lib/cryptohi/seckey.c.nosha224 2011-10-22 07:35:42.000000000 -0700 ++++ ./mozilla/security/nss/lib/cryptohi/seckey.c 2011-12-04 22:03:47.307609957 -0800 +@@ -550,7 +550,9 @@ seckey_GetKeyType (SECOidTag tag) { + * should be handing us a cipher type */ + case SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: ++#endif + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: +diff -up ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224 ./mozilla/security/nss/lib/cryptohi/secvfy.c +--- ./mozilla/security/nss/lib/cryptohi/secvfy.c.nosha224 2011-10-22 07:35:42.000000000 -0700 ++++ ./mozilla/security/nss/lib/cryptohi/secvfy.c 2011-12-04 22:03:47.307609957 -0800 +@@ -240,11 +240,12 @@ sec_DecodeSigAlg(const SECKEYPublicKey * + case SEC_OID_PKCS1_RSA_PSS_SIGNATURE: + *hashalg = SEC_OID_UNKNOWN; /* get it from the RSA signature */ + break; +- ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_SHA224; + break; ++#endif + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + *hashalg = SEC_OID_SHA256; +@@ -279,8 +280,10 @@ sec_DecodeSigAlg(const SECKEYPublicKey * + len = SECKEY_PublicKeyStrength(key); + if (len < 28) { /* 28 bytes == 224 bits */ + *hashalg = SEC_OID_SHA1; ++#ifndef NO_SHA224_AVAILABLE + } else if (len < 32) { /* 32 bytes == 256 bits */ + *hashalg = SEC_OID_SHA224; ++#endif + } else if (len < 48) { /* 48 bytes == 384 bits */ + *hashalg = SEC_OID_SHA256; + } else if (len < 64) { /* 48 bytes == 512 bits */ +@@ -325,7 +328,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey * + case SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION: + case SEC_OID_ISO_SHA_WITH_RSA_SIGNATURE: + case SEC_OID_ISO_SHA1_WITH_RSA_SIGNATURE: ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_PKCS1_SHA224_WITH_RSA_ENCRYPTION: ++#endif + case SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION: + case SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION: +@@ -347,7 +352,9 @@ sec_DecodeSigAlg(const SECKEYPublicKey * + *encalg = SEC_OID_MISSI_DSS; + break; + case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: ++#ifndef NO_SHA224_AVAILABLE + case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: ++#endif + case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: + case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: +diff -up ./mozilla/security/nss/lib/freebl/blapi.h.nosha224 ./mozilla/security/nss/lib/freebl/blapi.h +--- ./mozilla/security/nss/lib/freebl/blapi.h.nosha224 2011-10-04 15:05:53.000000000 -0700 ++++ ./mozilla/security/nss/lib/freebl/blapi.h 2011-12-04 22:03:47.308609957 -0800 +@@ -1088,7 +1088,7 @@ extern SHA1Context * SHA1_Resurrect(unsi + extern void SHA1_Clone(SHA1Context *dest, SHA1Context *src); + + /******************************************/ +- ++#ifndef NO_SHA224_AVAILABLE + extern SHA224Context *SHA224_NewContext(void); + extern void SHA224_DestroyContext(SHA224Context *cx, PRBool freeit); + extern void SHA224_Begin(SHA224Context *cx); +@@ -1104,6 +1104,7 @@ extern unsigned int SHA224_FlattenSize(S + extern SECStatus SHA224_Flatten(SHA224Context *cx,unsigned char *space); + extern SHA224Context * SHA224_Resurrect(unsigned char *space, void *arg); + extern void SHA224_Clone(SHA224Context *dest, SHA224Context *src); ++#endif + + /******************************************/ + +diff -up ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224 ./mozilla/security/nss/lib/freebl/ldvector.c +--- ./mozilla/security/nss/lib/freebl/ldvector.c.nosha224 2011-10-04 15:05:53.000000000 -0700 ++++ ./mozilla/security/nss/lib/freebl/ldvector.c 2011-12-04 22:03:47.309609957 -0800 +@@ -270,7 +270,7 @@ static const struct FREEBLVectorStr vect + JPAKE_Verify, + JPAKE_Round2, + JPAKE_Final, +- ++#ifndef NO_SHA224_AVAILABLE + /* End of Version 3.012 */ + + TLS_P_hash, +@@ -287,7 +287,7 @@ static const struct FREEBLVectorStr vect + SHA224_Resurrect, + SHA224_Clone, + BLAPI_SHVerifyFile +- ++#endif + /* End of Version 3.013 */ + }; + +diff -up ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224 ./mozilla/security/nss/lib/freebl/nsslowhash.c +--- ./mozilla/security/nss/lib/freebl/nsslowhash.c.nosha224 2010-09-09 17:42:36.000000000 -0700 ++++ ./mozilla/security/nss/lib/freebl/nsslowhash.c 2011-12-04 22:03:47.309609957 -0800 +@@ -128,14 +128,14 @@ freebl_fips_SHA_PowerUpSelfTest( void ) + 0x0a,0x6d,0x07,0xba,0x1e,0xbd,0x8a,0x1b, + 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, + 0xe0,0x68,0x47,0x7a}; +- ++#ifndef NO_SHA224_AVAILABLE + /* SHA-224 Known Digest Message (224-bits). */ + static const PRUint8 sha224_known_digest[] = { + 0x1c,0xc3,0x06,0x8e,0xce,0x37,0x68,0xfb, + 0x1a,0x82,0x4a,0xbe,0x2b,0x00,0x51,0xf8, + 0x9d,0xb6,0xe0,0x90,0x0d,0x00,0xc9,0x64, + 0x9a,0xb8,0x98,0x4e}; +- ++#endif + /* SHA-256 Known Digest Message (256-bits). */ + static const PRUint8 sha256_known_digest[] = { + 0x38,0xa9,0xc1,0xf0,0x35,0xf6,0x5d,0x61, +@@ -178,7 +178,7 @@ freebl_fips_SHA_PowerUpSelfTest( void ) + ( PORT_Memcmp( sha_computed_digest, sha1_known_digest, + SHA1_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); +- ++#ifndef NO_SHA224_AVAILABLE + /***************************************************/ + /* SHA-224 Single-Round Known Answer Hashing Test. */ + /***************************************************/ +@@ -190,7 +190,7 @@ freebl_fips_SHA_PowerUpSelfTest( void ) + ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); +- ++#endif + /***************************************************/ + /* SHA-256 Single-Round Known Answer Hashing Test. */ + /***************************************************/ +diff -up ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224 ./mozilla/security/nss/lib/freebl/rawhash.c +--- ./mozilla/security/nss/lib/freebl/rawhash.c.nosha224 2010-08-17 22:55:47.000000000 -0700 ++++ ./mozilla/security/nss/lib/freebl/rawhash.c 2011-12-04 22:03:47.309609957 -0800 +@@ -155,6 +155,7 @@ const SECHashObject SECRawHashObjects[] + SHA512_BLOCK_LENGTH, + HASH_AlgSHA512 + }, ++#ifndef NO_SHA224_AVAILABLE + { SHA224_LENGTH, + (void * (*)(void)) SHA224_NewContext, + (void * (*)(void *)) null_hash_clone_context, +@@ -166,6 +167,7 @@ const SECHashObject SECRawHashObjects[] + SHA224_BLOCK_LENGTH, + HASH_AlgSHA224 + }, ++#endif + }; + + const SECHashObject * +diff -up ./mozilla/security/nss/lib/freebl/sha512.c.nosha224 ./mozilla/security/nss/lib/freebl/sha512.c +--- ./mozilla/security/nss/lib/freebl/sha512.c.nosha224 2011-09-14 10:48:03.000000000 -0700 ++++ ./mozilla/security/nss/lib/freebl/sha512.c 2011-12-04 22:03:47.310609957 -0800 +@@ -544,6 +544,7 @@ void SHA256_Clone(SHA256Context *dest, S + memcpy(dest, src, sizeof *dest); + } + ++#ifndef NO_SHA224_AVAILABLE + /* ============= SHA224 implementation ================================== */ + + /* SHA-224 initial hash values */ +@@ -630,7 +631,7 @@ void SHA224_Clone(SHA224Context *dest, S + { + SHA256_Clone(dest, src); + } +- ++#endif + + /* ======= SHA512 and SHA384 common constants and defines ================= */ + +diff -up ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224 ./mozilla/security/nss/lib/softoken/fipstest.c +--- ./mozilla/security/nss/lib/softoken/fipstest.c.nosha224 2011-03-29 08:12:43.000000000 -0700 ++++ ./mozilla/security/nss/lib/softoken/fipstest.c 2011-12-04 22:03:47.311609956 -0800 +@@ -865,12 +865,14 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) + 0x3b, 0x57, 0x1d, 0x61, 0xe7, 0xb8, 0x84, 0x1e, + 0x5d, 0x0e, 0x1e, 0x11}; + ++#ifndef NO_SHA224_AVAILABLE + /* known SHA224 hmac (28 bytes) */ + static const PRUint8 known_SHA224_hmac[] = { + 0x1c, 0xc3, 0x06, 0x8e, 0xce, 0x37, 0x68, 0xfb, + 0x1a, 0x82, 0x4a, 0xbe, 0x2b, 0x00, 0x51, 0xf8, + 0x9d, 0xb6, 0xe0, 0x90, 0x0d, 0x00, 0xc9, 0x64, + 0x9a, 0xb8, 0x98, 0x4e}; ++#endif + + /* known SHA256 hmac (32 bytes) */ + static const PRUint8 known_SHA256_hmac[] = { +@@ -922,6 +924,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) + /* HMAC SHA-224 Single-Round Known Answer Test. */ + /***************************************************/ + ++#ifndef NO_SHA224_AVAILABLE + hmac_status = sftk_fips_HMAC(hmac_computed, + HMAC_known_secret_key, + HMAC_known_secret_key_length, +@@ -933,6 +936,7 @@ sftk_fips_HMAC_PowerUpSelfTest( void ) + ( PORT_Memcmp( hmac_computed, known_SHA224_hmac, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); ++#endif + + /***************************************************/ + /* HMAC SHA-256 Single-Round Known Answer Test. */ +@@ -994,12 +998,14 @@ sftk_fips_SHA_PowerUpSelfTest( void ) + 0x72,0xf6,0xc7,0x22,0xf1,0x27,0x9f,0xf0, + 0xe0,0x68,0x47,0x7a}; + ++#ifndef NO_SHA224_AVAILABLE + /* SHA-224 Known Digest Message (224-bits). */ + static const PRUint8 sha224_known_digest[] = { + 0x89,0x5e,0x7f,0xfd,0x0e,0xd8,0x35,0x6f, + 0x64,0x6d,0xf2,0xde,0x5e,0xed,0xa6,0x7f, + 0x29,0xd1,0x12,0x73,0x42,0x84,0x95,0x4f, + 0x8e,0x08,0xe5,0xcb}; ++#endif + + /* SHA-256 Known Digest Message (256-bits). */ + static const PRUint8 sha256_known_digest[] = { +@@ -1048,6 +1054,7 @@ sftk_fips_SHA_PowerUpSelfTest( void ) + /* SHA-224 Single-Round Known Answer Hashing Test. */ + /***************************************************/ + ++#ifndef NO_SHA224_AVAILABLE + sha_status = SHA224_HashBuf( sha_computed_digest, known_hash_message, + FIPS_KNOWN_HASH_MESSAGE_LENGTH ); + +@@ -1055,6 +1062,7 @@ sftk_fips_SHA_PowerUpSelfTest( void ) + ( PORT_Memcmp( sha_computed_digest, sha224_known_digest, + SHA224_LENGTH ) != 0 ) ) + return( CKR_DEVICE_ERROR ); ++#endif + + /***************************************************/ + /* SHA-256 Single-Round Known Answer Hashing Test. */ +diff -up ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11c.c +--- ./mozilla/security/nss/lib/softoken/pkcs11c.c.nosha224 2011-09-21 11:49:16.000000000 -0700 ++++ ./mozilla/security/nss/lib/softoken/pkcs11c.c 2011-12-04 22:03:47.313609956 -0800 +@@ -1316,7 +1316,9 @@ CK_RV NSC_DigestInit(CK_SESSION_HANDLE h + INIT_MECH(CKM_MD2, MD2) + INIT_MECH(CKM_MD5, MD5) + INIT_MECH(CKM_SHA_1, SHA1) ++#ifndef NO_SHA224_AVAILABLE + INIT_MECH(CKM_SHA224, SHA224) ++#endif + INIT_MECH(CKM_SHA256, SHA256) + INIT_MECH(CKM_SHA384, SHA384) + INIT_MECH(CKM_SHA512, SHA512) +@@ -1440,7 +1442,9 @@ sftk_doSub ## mmm(SFTKSessionContext *co + DOSUB(MD2) + DOSUB(MD5) + DOSUB(SHA1) ++#ifndef NO_SHA224_AVAILABLE + DOSUB(SHA224) ++#endif + DOSUB(SHA256) + DOSUB(SHA384) + DOSUB(SHA512) +@@ -2013,7 +2017,9 @@ CK_RV NSC_SignInit(CK_SESSION_HANDLE hSe + INIT_RSA_SIGN_MECH(MD5) + INIT_RSA_SIGN_MECH(MD2) + INIT_RSA_SIGN_MECH(SHA1) ++#ifndef NO_SHA224_AVAILABLE + INIT_RSA_SIGN_MECH(SHA224) ++#endif + INIT_RSA_SIGN_MECH(SHA256) + INIT_RSA_SIGN_MECH(SHA384) + INIT_RSA_SIGN_MECH(SHA512) +@@ -2131,7 +2137,9 @@ finish_rsa: + + INIT_HMAC_MECH(MD2) + INIT_HMAC_MECH(MD5) ++#ifndef NO_SHA224_AVAILABLE + INIT_HMAC_MECH(SHA224) ++#endif + INIT_HMAC_MECH(SHA256) + INIT_HMAC_MECH(SHA384) + INIT_HMAC_MECH(SHA512) +@@ -2529,7 +2537,9 @@ CK_RV NSC_VerifyInit(CK_SESSION_HANDLE h + INIT_RSA_VFY_MECH(MD5) + INIT_RSA_VFY_MECH(MD2) + INIT_RSA_VFY_MECH(SHA1) ++#ifndef NO_SHA224_AVAILABLE + INIT_RSA_VFY_MECH(SHA224) ++#endif + INIT_RSA_VFY_MECH(SHA256) + INIT_RSA_VFY_MECH(SHA384) + INIT_RSA_VFY_MECH(SHA512) +@@ -2626,7 +2636,9 @@ finish_rsa: + + INIT_HMAC_MECH(MD2) + INIT_HMAC_MECH(MD5) ++#ifndef NO_SHA224_AVAILABLE + INIT_HMAC_MECH(SHA224) ++#endif + INIT_HMAC_MECH(SHA256) + INIT_HMAC_MECH(SHA384) + INIT_HMAC_MECH(SHA512) +diff -up ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224 ./mozilla/security/nss/lib/softoken/pkcs11.c +--- ./mozilla/security/nss/lib/softoken/pkcs11.c.nosha224 2011-01-21 16:12:04.000000000 -0800 ++++ ./mozilla/security/nss/lib/softoken/pkcs11.c 2011-12-04 22:03:47.316609956 -0800 +@@ -311,8 +311,10 @@ static const struct mechanismList mechan + CKF_SN_VR}, PR_TRUE}, + {CKM_SHA1_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_SN_VR}, PR_TRUE}, ++#ifndef NO_SHA224_AVAILABLE + {CKM_SHA224_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_SN_VR}, PR_TRUE}, ++#endif + {CKM_SHA256_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, + CKF_SN_VR}, PR_TRUE}, + {CKM_SHA384_RSA_PKCS, {RSA_MIN_MODULUS_BITS,CK_MAX, +@@ -401,9 +403,11 @@ static const struct mechanismList mechan + {CKM_SHA_1, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA_1_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA_1_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, ++#ifndef NO_SHA224_AVAILABLE + {CKM_SHA224, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA224_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA224_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, ++#endif + {CKM_SHA256, {0, 0, CKF_DIGEST}, PR_FALSE}, + {CKM_SHA256_HMAC, {1, 128, CKF_SN_VR}, PR_TRUE}, + {CKM_SHA256_HMAC_GENERAL, {1, 128, CKF_SN_VR}, PR_TRUE}, +diff -up ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224 ./mozilla/security/nss/lib/softoken/rsawrapr.c +--- ./mozilla/security/nss/lib/softoken/rsawrapr.c.nosha224 2011-10-22 07:35:43.000000000 -0700 ++++ ./mozilla/security/nss/lib/softoken/rsawrapr.c 2011-12-04 22:03:47.316609956 -0800 +@@ -1173,9 +1173,11 @@ GetHashTypeFromMechanism(CK_MECHANISM_TY + case CKM_SHA_1: + case CKG_MGF1_SHA1: + return HASH_AlgSHA1; ++#ifndef NO_SHA224_AVAILABLE + case CKM_SHA224: + case CKG_MGF1_SHA224: + return HASH_AlgSHA224; ++#endif + case CKM_SHA256: + case CKG_MGF1_SHA256: + return HASH_AlgSHA256; +diff -up ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224 ./mozilla/security/nss/tests/cipher/cipher.txt +--- ./mozilla/security/nss/tests/cipher/cipher.txt.nosha224 2010-08-17 22:57:05.000000000 -0700 ++++ ./mozilla/security/nss/tests/cipher/cipher.txt 2011-12-04 22:03:47.317609956 -0800 +@@ -73,7 +73,6 @@ + 0 md2_-H MD2_Hash + 0 md5_-H MD5_Hash + 0 sha1_-H SHA1_Hash +- 0 sha224_-H SHA224_Hash + 0 sha256_-H SHA256_Hash + 0 sha384_-H SHA384_Hash + 0 sha512_-H SHA512_Hash diff --git a/nss.spec b/nss.spec index de91aee..8d0595c 100644 --- a/nss.spec +++ b/nss.spec @@ -7,7 +7,7 @@ Summary: Network Security Services Name: nss Version: 3.13.1 -Release: 4%{?dist} +Release: 5%{?dist} License: MPLv1.1 or GPLv2+ or LGPLv2+ URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -64,8 +64,14 @@ Patch20: nsspem-createobject-initialize-pointer.patch Patch21: 0001-libnsspem-rhbz-734760.patch Patch22: nsspem-init-inform-not-thread-safe.patch Patch23: nss-ckbi-1.88.rtm.patch -# Remove this patch which belongs in nss-util -#Patch24: gnuc-minor-def-fix.patch +# must statically link pem against the 3.12.x system freebl in the buildroot +Patch25: nsspem-use-system-freebl.patch +# don't compile the fipstest application +Patch26: nofipstest.patch +# sha224 isn't available we use 3.12 softokn +Patch27: nosha224.patch +# Get rid of it as soon as we can +Patch28: terminalrecord.patch %description @@ -150,8 +156,11 @@ low level services. %patch21 -p1 -b .734760 %patch22 -p0 -b .736410 %patch23 -p0 -b .ckbi188 -# TODO: Reemove this patch which is now in nss-util -#%patch24 -p1 -b .gnuc-minor +# link pem against buildroot's 3.12 freebl +%patch25 -p0 -b .systemfreebl +%patch26 -p0 -b .nofipstest +%patch27 -p0 -b .nosha224 +%patch28 -p0 -b .terminalrecord %build @@ -178,13 +187,20 @@ export PKG_CONFIG_ALLOW_SYSTEM_LIBS export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` -NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` +NSPR_LIB_DIR=%{_libdir} export NSPR_INCLUDE_DIR export NSPR_LIB_DIR NSS_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` -NSS_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nss-util | sed 's/-L//'` + +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} +export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` +export FREEBL_LIB_DIR=%{_libdir} +export USE_SYSTEM_FREEBL=1 +# prevents running the sha224 portion of the powerup selftest when testing +export NO_SHA224_AVAILABLE=1 NSS_USE_SYSTEM_SQLITE=1 export NSS_USE_SYSTEM_SQLITE @@ -221,6 +237,9 @@ export NSS_ECC_MORE_THAN_SUITE_B # Set up our package file # The nspr_version and nss_{util|softokn}_version globals used # here match the ones nss has for its Requires. +# TODO: using %%{nss_softokn_fips_version} for rhel +# but for fefora we will revert to nss_softokn_version after +# the merge is completed %{__mkdir_p} ./mozilla/dist/pkgconfig %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ -e "s,%%prefix%%,%{_prefix},g" \ @@ -229,7 +248,7 @@ export NSS_ECC_MORE_THAN_SUITE_B -e "s,%%NSS_VERSION%%,%{version},g" \ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ - -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_fips_version},g" > \ ./mozilla/dist/pkgconfig/nss.pc NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` @@ -562,6 +581,10 @@ rm -rf $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h %changelog +* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5 +- Statically link the pem module against system freebl found in buildroot +- Disabling sha224-related powerup selftest until we update softokn + * Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4 - Rebuild with nss-softokn from 3.12 in the buildroot - Allows the pem module to statically link against 3.12.x freebl diff --git a/nsspem-use-system-freebl.patch b/nsspem-use-system-freebl.patch new file mode 100644 index 0000000..a8dbdc7 --- /dev/null +++ b/nsspem-use-system-freebl.patch @@ -0,0 +1,16 @@ +diff -up ./mozilla/security/coreconf/Linux.mk.sytemfreebl ./mozilla/security/coreconf/Linux.mk +--- ./mozilla/security/coreconf/Linux.mk.sytemfreebl 2011-12-03 22:07:23.924156119 -0800 ++++ ./mozilla/security/coreconf/Linux.mk 2011-12-03 22:08:28.322328345 -0800 +@@ -182,6 +182,12 @@ endif + USE_SYSTEM_ZLIB = 1 + ZLIB_LIBS = -lz + ++USE_SYSTEM_NSSUTIL = 1 ++NSSUTIL_LIBS = -lnssutil3 ++ ++USE_SYSTEM_FREEBL = 1 ++FREEBL_LIBS = -lfreebl3 ++ + # The -rpath '$$ORIGIN' linker option instructs this library to search for its + # dependencies in the same directory where it resides. + ifeq ($(BUILD_SUN_PKG), 1) diff --git a/terminalrecord.patch b/terminalrecord.patch new file mode 100644 index 0000000..42cf932 --- /dev/null +++ b/terminalrecord.patch @@ -0,0 +1,90 @@ +diff -up ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c.terminalrecord ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c +--- ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c.terminalrecord 2011-12-04 21:15:47.660672521 -0800 ++++ ./mozilla/security/nss/cmd/addbuiltin/addbuiltin.c 2011-12-04 21:16:39.491674974 -0800 +@@ -52,6 +52,14 @@ + #include + #endif + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + void dumpbytes(unsigned char *buf, int len) + { + int i; +diff -up ./mozilla/security/nss/lib/certhigh/certvfy.c.terminalrecord ./mozilla/security/nss/lib/certhigh/certvfy.c +--- ./mozilla/security/nss/lib/certhigh/certvfy.c.terminalrecord 2011-09-13 17:28:47.000000000 -0700 ++++ ./mozilla/security/nss/lib/certhigh/certvfy.c 2011-12-04 21:14:01.683678605 -0800 +@@ -56,6 +56,14 @@ + #include "pki3hack.h" + #include "base.h" + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + /* + * Check the validity times of a certificate + */ +diff -up ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c.terminalrecord ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c +--- ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c.terminalrecord 2011-09-14 16:16:16.000000000 -0700 ++++ ./mozilla/security/nss/lib/libpkix/pkix_pl_nss/pki/pkix_pl_cert.c 2011-12-04 21:14:01.684678605 -0800 +@@ -43,6 +43,14 @@ + + #include "pkix_pl_cert.h" + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + extern PKIX_PL_HashTable *cachedCertSigTable; + + /* --Private-Cert-Functions------------------------------------- */ +diff -up ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c.terminalrecord ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c +--- ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c.terminalrecord 2011-04-12 17:10:26.000000000 -0700 ++++ ./mozilla/security/nss/lib/pk11wrap/pk11nobj.c 2011-12-04 21:14:01.685678605 -0800 +@@ -62,6 +62,14 @@ + #include "pki.h" + #include "pkim.h" + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + extern const NSSError NSS_ERROR_NOT_FOUND; + + CK_TRUST +diff -up ./mozilla/security/nss/lib/pki/pki3hack.c.terminalrecord ./mozilla/security/nss/lib/pki/pki3hack.c +--- ./mozilla/security/nss/lib/pki/pki3hack.c.terminalrecord 2011-04-12 17:10:26.000000000 -0700 ++++ ./mozilla/security/nss/lib/pki/pki3hack.c 2011-12-04 21:14:01.686678605 -0800 +@@ -76,6 +76,14 @@ static const char CVS_ID[] = "@(#) $RCSf + #include "secmod.h" + #include "nssrwlk.h" + ++/* Defined in ./mozilla/dist/public/nss/certdb.h which was included ++ * and also in ./mozilla/security/nss/lib/softoken/legacydb/pcertt.h ++ * but invisible here for some reason ++ */ ++#ifndef CERTDB_TERMINAL_RECORD ++#define CERTDB_TERMINAL_RECORD (1<<0) ++#endif ++ + NSSTrustDomain *g_default_trust_domain = NULL; + + NSSCryptoContext *g_default_crypto_context = NULL;