diff --git a/nss-3.71-camellia-pkcs12-doc.patch b/nss-3.71-camellia-pkcs12-doc.patch
new file mode 100644
index 0000000..f14b5a9
--- /dev/null
+++ b/nss-3.71-camellia-pkcs12-doc.patch
@@ -0,0 +1,20 @@
+diff -up ./doc/pk12util.xml.camellia ./doc/pk12util.xml
+--- ./doc/pk12util.xml.camellia 2022-01-26 09:46:39.794919455 -0800
++++ ./doc/pk12util.xml 2022-01-26 09:54:58.277019760 -0800
+@@ -317,7 +317,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ Password Encryption
+- PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using PKCS #12 SHA-1 and 3-key triple DES for private key encryption. When not in FIPS mode, PKCS #12 SHA-1 and 40-bit RC4 is used for certificate encryption. When in FIPS mode, there is no certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
++ PKCS #12 provides for not only the protection of the private keys but also the certificate and meta-data associated with the keys. Password-based encryption is used to protect private keys on export to a PKCS #12 file and, optionally, the associated certificates. If no algorithm is specified, the tool defaults to using AES-256-CBC for private key encryption and AES-128-CBC for certificate encryption. If certificate encryption is not wanted, specify "NONE" as the argument of the option.
+ The private key is always protected with strong encryption by default.
+ Several types of ciphers are supported.
+
+@@ -327,6 +327,7 @@ Certificate Friendly Name: Thawte Fre
+
+
+ PBES2 with AES-CBC-Pad as underlying encryption scheme ("AES-128-CBC", "AES-192-CBC", and "AES-256-CBC")
++ PBES2 with CAMELLIA-CBC-Pad as underlying encryption scheme ("CAMELLIA-128-CBC", "CAMELLIA-192-CBC", and "CAMELLIA-256-CBC")
+
+
+
diff --git a/nss-3.71-fix-lto-gtests.patch b/nss-3.71-fix-lto-gtests.patch
new file mode 100644
index 0000000..462e8ad
--- /dev/null
+++ b/nss-3.71-fix-lto-gtests.patch
@@ -0,0 +1,36 @@
+diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+--- a/gtests/ssl_gtest/tls_subcerts_unittest.cc
++++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc
+@@ -8,23 +8,32 @@
+
+ #include "prtime.h"
+ #include "secerr.h"
+ #include "ssl.h"
+
+ #include "gtest_utils.h"
+ #include "tls_agent.h"
+ #include "tls_connect.h"
++#define LTO
+
+ namespace nss_test {
+
++#ifndef LTO
++// sigh this construction breaks LTO
+ const std::string kEcdsaDelegatorId = TlsAgent::kDelegatorEcdsa256;
+ const std::string kRsaeDelegatorId = TlsAgent::kDelegatorRsae2048;
+ const std::string kPssDelegatorId = TlsAgent::kDelegatorRsaPss2048;
+ const std::string kDCId = TlsAgent::kServerEcdsa256;
++#else
++#define kEcdsaDelegatorId TlsAgent::kDelegatorEcdsa256
++#define kRsaeDelegatorId TlsAgent::kDelegatorRsae2048
++#define kPssDelegatorId TlsAgent::kDelegatorRsaPss2048
++#define kDCId TlsAgent::kServerEcdsa256
++#endif
+ const SSLSignatureScheme kDCScheme = ssl_sig_ecdsa_secp256r1_sha256;
+ const PRUint32 kDCValidFor = 60 * 60 * 24 * 7 /* 1 week (seconds) */;
+
+ static void CheckPreliminaryPeerDelegCred(
+ const std::shared_ptr& client, bool expected,
+ PRUint32 key_bits = 0, SSLSignatureScheme sig_scheme = ssl_sig_none) {
+ EXPECT_NE(0U, (client->pre_info().valuesSet & ssl_preinfo_peer_auth));
+ EXPECT_EQ(expected, client->pre_info().peerDelegCred);
diff --git a/nss.spec b/nss.spec
index 6da4d8c..3d83be6 100644
--- a/nss.spec
+++ b/nss.spec
@@ -4,7 +4,7 @@
 # - increment %%{nspr_version}, when updating the NSS part only
 # - put the nss_release number here next to nspr, as they both
 # need to be updated on a given release
-%global nss_release 5
+%global nss_release 6
 %global nspr_release %[ %nss_release+2]
 %global nss_version 3.71.0
 # only need to update this as we added new
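Review bot: In nss-3.71-fix-lto-gtests.patch the added `#define LTO` is unconditional, so the `#ifndef LTO` branch holding the four `const std::string` definitions is dead code and every build takes the macro branch. The replacement macros (`kDCId` and the three delegator ids) are not confined to `namespace nss_test` and textually rewrite every later use of those names in the file, which is harder to reason about than a typed constant. The comment `// sigh this construction breaks LTO` does not say what breaks; presumably the copies are dynamically initialised from `TlsAgent` statics defined in another translation unit, whose relative initialisation order is unspecified. If that is the cause, say so in the comment and consider binding references instead of defining macros, e.g. `const std::string& kDCId = TlsAgent::kServerEcdsa256;`, assuming those members are `std::string` objects. The namespace and `CheckPreliminaryPeerDelegCred` continue past the end of the hunk.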
@@ -146,6 +146,10 @@ Patch50: nss-3.71-fips-module-name.patch # upstream bug https://buzilla.mozilla.org/show_bug.cgi?id=1737470 Patch60: nss-3.67-cve-2021-43527.patch Patch70: nss-3.67-cve-2021-43527-test.patch +# not upstreamable patch... +Patch80: nss-3.71-fix-lto-gtests.patch +# camellia pkcs12 docs. +patch85: nss-3.71-camellia-pkcs12-doc.patch Patch100: nspr-config-pc.patch Patch101: nspr-gcc-atomics.patch @@ -368,7 +372,7 @@ popd # Build NSS # # This package fails its testsuite with LTO. Disable LTO for now -%global _lto_cflags %{nil} +#%%global _lto_cflags %%{nil} #export FREEBL_NO_DEPEND=1 @@ -1101,6 +1105,10 @@ update-crypto-policies &> /dev/null || : %changelog +* Wed Jan 26 2022 Bob Relyea - 3.71.0-6 +- update pkcs12 documentation to include camellia +- turn on lto + * Wed Jan 12 2022 Bob Relyea - 3.71.0-5 - remove old dbm files from the build
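Review bot: In the `@@ -146,6 +146,10 @@` hunk the new tag is spelled `patch85:` while every neighbouring tag is `PatchNN:`; rpm should accept either case, but it is better written `Patch85: nss-3.71-camellia-pkcs12-doc.patch` so it matches the file and anything that searches for the capitalised form. The comment `# not upstreamable patch...` gives no reason, and for a crypto library a later reviewer needs one, e.g. `# test-only workaround for gtest string constants under LTO; not upstreamable`. No `%prep` change is visible in this diff, so whether Patch80 and Patch85 are actually applied depends on how the spec applies patches outside these hunks, which is worth confirming.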
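Review bot: In the `@@ -368,7 +372,7 @@` hunk the context comment `# This package fails its testsuite with LTO. Disable LTO for now` is left in place above the now commented-out `%global _lto_cflags %{nil}`, so the spec says the opposite of what it does. Replace the pair with a comment that records the new state, e.g. `# LTO enabled; gtest failure worked around by nss-3.71-fix-lto-gtests.patch`, and drop the dead `#%%global` line. The only LTO-related fix in this commit is in a test file, so the changelog entry `- turn on lto` would be more useful if it stated that the full test suite passed on an LTO build, since that result is the evidence that the library itself behaves the same.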