Resolves: rhbz#2039862 rhbz#1986987
Turn on lto (fixing gtests issue with lto) Fix pkcs12 man page to include changes made in that command.
This commit is contained in:
Bob Relyea
parent
8857078930
commit
fd0aecc80b
|
|
@ -0,0 +1,20 @@
|
|||
diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
|
||||
--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
|
||||
+++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
|
||||
@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
|
||||
<refsection id="encryption">
|
||||
<title>Password Encryption</title>
|
||||
- <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
+ <para>PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify <userinput>"NONE"</userinput> as the argument of the <option>-C</option> option.</para>
|
||||
<para>The private key is always protected with strong encryption by default.</para>
|
||||
<para>Several types of ciphers are supported.</para>
|
||||
<variablelist>
|
||||
@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
|
||||
<listitem>
|
||||
<itemizedlist>
|
||||
<listitem><para>PBES2 with AES-CBC-Pad as underlying encryption scheme (<userinput>"AES-128-CBC"</userinput>, <userinput>"AES-192-CBC"</userinput>, and <userinput>"AES-256-CBC"</userinput>)</para></listitem>
|
||||
+ <listitem><para>PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme (<userinput>"CAMELLIA-128-CBC"</userinput>, <userinput>"CAMELLIA-192-CBC"</userinput>, and <userinput>"CAMELLIA-256-CBC"</userinput>)</para></listitem>
|
||||
</itemizedlist>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
|
@ -0,0 +1,36 @@
|
|||
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
+++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
|
||||
@@ -8,23 +8,32 @@
|
||||
|
||||
#include "prtime.h"
|
||||
#include "secerr.h"
|
||||
#include "ssl.h"
|
||||
|
||||
#include "gtest_utils.h"
|
||||
#include "tls_agent.h"
|
||||
#include "tls_connect.h"
|
||||
+#define LTO
|
||||
|
||||
namespace nss_test {
|
||||
|
||||
+#ifndef LTO
|
||||
+// sigh this construction breaks LTO
|
||||
const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
|
||||
const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
|
||||
const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
|
||||
const std::string kDCId = TlsAgent::kServerEcdsa256;
|
||||
+#else
|
||||
+#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
|
||||
+#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
|
||||
+#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
|
||||
+#define kDCId TlsAgent::kServerEcdsa256
|
||||
+#endif
|
||||
const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
|
||||
const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
|
||||
|
||||
static void CheckPreliminaryPeerDelegCred(
|
||||
const std::shared_ptr<TlsAgent>& client, bool expected,
|
||||
PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
|
||||
EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
|
||||
EXPECT_EQ(expected, client->pre_info().peerDelegCred);
|
||||
12
nss.spec
12
nss.spec
|
|
@ -4,7 +4,7 @@
|
|||
# - increment %%{nspr_version}, when updating the NSS part only
|
||||
# - put the nss_release number here next to nspr, as they both
|
||||
# need to be updated on a given release
|
||||
%global nss_release 5
|
||||
%global nss_release 6
|
||||
%global nspr_release %[ %nss_release+2]
|
||||
%global nss_version 3.71.0
|
||||
# only need to update this as we added new
|
||||
|
|
@ -146,6 +146,10 @@ Patch50: nss-3.71-fips-module-name.patch
|
|||
# upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470
|
||||
Patch60: nss-3.67-cve-2021-43527.patch
|
||||
Patch70: nss-3.67-cve-2021-43527-test.patch
|
||||
# not upstreamable patch...
|
||||
Patch80: nss-3.71-fix-lto-gtests.patch
|
||||
# camellia pkcs12 docs.
|
||||
patch85: nss-3.71-camellia-pkcs12-doc.patch
|
||||
|
||||
Patch100: nspr-config-pc.patch
|
||||
Patch101: nspr-gcc-atomics.patch
|
||||
|
|
@ -368,7 +372,7 @@ popd
|
|||
# Build NSS
|
||||
#
|
||||
# This package fails its testsuite with LTO. Disable LTO for now
|
||||
%global _lto_cflags %{nil}
|
||||
#%%global _lto_cflags %%{nil}
|
||||
|
||||
#export FREEBL_NO_DEPEND=1
|
||||
|
||||
|
|
@ -1101,6 +1105,10 @@ update-crypto-policies &> /dev/null || :
|
|||
|
||||
|
||||
%changelog
|
||||
* Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
|
||||
- update pkcs12 documentation to include camellia
|
||||
- turn on lto
|
||||
|
||||
* Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
|
||||
- remove old dbm files from the build
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue