Accepting request 91345 from mozilla:Factory

OBS-URL: https://build.opensuse.org/request/show/91345 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=63
2011-11-16 16:19:33 +00:00 · 2011-11-16 16:19:33 +00:00 · 5bcc54305e
commit 5bcc54305e
parent 763f240ade 7b17b9dfbc
8 changed files with 136 additions and 3494 deletions
--- a/ckbi-1_88.patch
+++ b/ckbi-1_88.patch
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Mon Nov 14 10:13:17 UTC 2011 - john@redux.org.uk
+
+- Added a patch to fix errors in the pkcs11n.h header file.
+  (bmo#702090)
+
+-------------------------------------------------------------------
+Sat Nov  5 10:58:20 UTC 2011 - wolfgang@rosenauer.org
+
+- update to 3.13.1 RTM
+  * better SHA-224 support (bmo#647706)
+  * fixed a regression (causing hangs in some situations)
+    introduced in 3.13 (bmo#693228)
+- update to 3.13.0 RTM
+  * SSL 2.0 is disabled by default
+  * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
+    attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
+    enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
+    PR_FALSE to disable it.
+  * SHA-224 is supported
+  * Ported to iOS. (Requires NSPR 4.9.)
+  * Added PORT_ErrorToString and PORT_ErrorToName to return the
+    error message and symbolic name of an NSS error code
+  * Added NSS_GetVersion to return the NSS version string
+  * Added experimental support of RSA-PSS to the softoken only
+  * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
+    anymore (bmo#641052, bnc#726096)
+
 -------------------------------------------------------------------
 Sat Nov  5 10:47:51 UTC 2011 - wr@rosenauer.org

--- a/mozilla-nss.spec
+++ b/mozilla-nss.spec
@ -29,8 +29,8 @@ BuildRequires:  sqlite-devel
 BuildRequires:  sqlite3-devel
 %endif
 License:        MPLv1.1 or GPLv2+ or LGPLv2.1+
-Version:        3.12.11
-Release:        6
+Version:        3.13.1
+Release:        2
 # bug437293
 %ifarch ppc64
 Obsoletes:      mozilla-nss-64bit
@ -57,7 +57,7 @@ Patch5:         nss-no-rpath.patch
 Patch6:         renegotiate-transitional.patch
 Patch9:         malloc.patch
 Patch10:        ckbi-1_88.patch
-Patch11:        nss-3.12.11_CVE-2011-3640.patch
+Patch11:        pkcs11n-header-fix.patch
 %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
 PreReq:         mozilla-nspr >= %nspr_ver
 PreReq:         libfreebl3 >= %{nss_softokn_fips_version}
@ -189,7 +189,6 @@ TIME="\"$(date -d "${modified}" "+%%R")\""
 find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +

 cd mozilla/security/nss
-#cp %SOURCE10 tests/libpkix/certs/PayPalEE.cert
 export FREEBL_NO_DEPEND=1
 export NSPR_INCLUDE_DIR=`nspr-config --includedir`
 export NSPR_LIB_DIR=`nspr-config --libdir`
--- a/nss-3.12.11.tar.bz2
+++ b/nss-3.12.11.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:222dc325ff07c34190bc4a35ed06b06dd90675b624f851909be2a018d61a9a7d
-size 4618894
--- a/nss-3.12.11_CVE-2011-3640.patch
+++ b/nss-3.12.11_CVE-2011-3640.patch
@ -1,141 +0,0 @@
-Index: security/nss/lib/softoken/sftkmod.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
-retrieving revision 1.7
-diff -u -p -r1.7 sftkmod.c
--- security/nss/lib/softoken/sftkmod.c	11 Jun 2009 06:28:07 -0000	1.7
-+++ security/nss/lib/softoken/sftkmod.c	5 Nov 2011 11:55:24 -0000
-@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
-     char *sep;
- 
-     sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
-#ifdef WINDOWS
-+#ifdef _WIN32
-     if (!sep) {
-	sep = PORT_Strrchr(dirPath,'/');
-+	/* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
-+	sep = PORT_Strrchr(dirPath,'\\');
-     }
- #endif
-     if (sep) {
-	*(sep)=0;
-+	*sep = 0;
-+	file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
-+    } else {
-+	file = PR_smprintf("%s", filename);
-     }
-    file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
-     PORT_Free(dirPath);
-     return file;
- }
-@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
-     char *paramsValue=NULL;
-     PRBool failed = PR_TRUE;
- 
-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
-+    if ((dbname != NULL) &&
-+		((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
- 	return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
-     }
- 
-     moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
-     if (moduleList == NULL) return NULL;
- 
-+    if (dbname == NULL) {
-+	goto return_default;
-+    }
-+
-     /* do we really want to use streams here */
-     fd = fopen(dbname, "r");
-     if (fd == NULL) goto done;
-@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
- 	moduleString = NULL;
-     }
- done:
-    /* if we couldn't open a pkcs11 database, look for the old one */
-+    /* If we couldn't open a pkcs11 database, look for the old one.
-+     * This is necessary to maintain the semantics of the transition from
-+     * old to new DB's. If there is an old DB and not new DB, we will
-+     * automatically use the old DB. If the DB was opened read/write, we
-+     * create a new db and upgrade it from the old one. */
-     if (fd == NULL) {
- 	char *olddbname = sftk_getOldSecmodName(dbname,filename);
- 	PRStatus status;
-@@ -462,6 +474,8 @@ bail:
- 	    PR_smprintf_free(olddbname);
- 	}
-     }
-+
-+return_default:
- 	
-     if (!moduleList[0]) {
- 	char * newParams;
-@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
- 			const char *filename, const char *dbname, 
- 			char **moduleSpecList, PRBool rw)
- {
-    if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
-+    if ((dbname != NULL) &&
-+		((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
- 	return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname, 
- 					  moduleSpecList, rw);
-     }
-@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
-     PRBool skip = PR_FALSE;
-     PRBool found = PR_FALSE;
- 
-+    if (dbname == NULL) {
-+	return SECFailure;
-+    }
-+
-     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
- 	return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
-     }
-@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
-     char *block = NULL;
-     PRBool libFound = PR_FALSE;
- 
-+    if (dbname == NULL) {
-+	return SECFailure;
-+    }
-+
-     if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
- 	return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
-     }
-Index: security/nss/lib/softoken/sftkpars.c
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
-retrieving revision 1.11
-diff -u -p -r1.11 sftkpars.c
--- security/nss/lib/softoken/sftkpars.c	18 Jun 2010 04:09:27 -0000	1.11
-+++ security/nss/lib/softoken/sftkpars.c	5 Nov 2011 11:55:24 -0000
-@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType 
-     char *value = NULL;
-     char *save_params = param;
-     const char *lconfigdir;
-+    PRBool noModDB = PR_FALSE;
-     param = sftk_argStrip(param);
- 	
- 
-@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType 
- 
-    if (sftk_argHasFlag("flags","noModDB",save_params)) {
- 	/* there isn't a module db, don't load the legacy support */
-+	noModDB = PR_TRUE;
- 	*dbType = SDB_SQL;
-+	PORT_Free(*filename);
-+	*filename = NULL;
-         *rw = PR_FALSE;
-    }
- 
-@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType 
- 	secmodName="pkcs11.txt";
-    }
- 
-   if (lconfigdir) {
-+   if (noModDB) {
-+	value = NULL;
-+   } else if (lconfigdir && lconfigdir[0] != '\0') {
- 	value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
-    } else {
- 	value = PR_smprintf("%s",secmodName);
--- a/nss-3.13.1.tar.bz2
+++ b/nss-3.13.1.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:05cab982801cf24b9ae00643a30073d3bc94c182a2085f10311f8110412c9ad8
+size 4639723
--- a/pkcs11n-header-fix.patch
+++ b/pkcs11n-header-fix.patch
@ -0,0 +1,43 @@
+diff -r -U 10 nss-3.13.1.orig/mozilla/security/nss/lib/util/pkcs11n.h nss-3.13.1/mozilla/security/nss/lib/util/pkcs11n.h
+--- security/nss/lib/util/pkcs11n.h	2011-11-14 09:53:46.703144803 +0000
+++ security/nss/lib/util/pkcs11n.h	2011-11-14 09:59:07.226273312 +0000
+@@ -339,37 +339,37 @@
+  * to cache resolution data.
+  */
+ #define CKT_NSS_VALID_DELEGATOR    (CKT_NSS + 11)
+ 
+ 
+ /*
+  * old definitions. They still exist, but the plain meaning of the
+  * labels have never been accurate to what was really implemented.
+  * The new labels correctly reflect what the values effectively mean.
+  */
+-#if __GNUC__ > 3
+#if defined(__GNUC__) && (__GNUC__ > 3)
+ /* make GCC warn when we use these #defines */
+ /*
+  *  This is really painful because GCC doesn't allow us to mark random
+  *  #defines as deprecated. We can only mark the following:
+  *      functions, variables, and types.
+  *  const variables will create extra storage for everyone including this
+  *       header file, so it's undesirable.
+  *  functions could be inlined to prevent storage creation, but will fail
+  *       when constant values are expected (like switch statements).
+  *  enum types do not seem to pay attention to the deprecated attribute.
+  *
+  *  That leaves typedefs. We declare new types that we then deprecate, then
+  *  cast the resulting value to the deprecated type in the #define, thus
+  *  producting the warning when the #define is used.
+  */
+-#if (__GNUC__  == 4) && (__GNUC_MINOR < 5)
+#if (__GNUC__  == 4) && (__GNUC_MINOR__ < 5)
+ /* The mac doesn't like the friendlier deprecate messages. I'm assuming this
+  * is a gcc version issue rather than mac or ppc specific */
+ typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated));
+ typedef CK_TRUST __CKT_NSS_VALID __attribute__ ((deprecated));
+ typedef CK_TRUST __CKT_NSS_MUST_VERIFY __attribute__((deprecated));
+ #else
+ /* when possible, get a full deprecation warning. This works on gcc 4.5
+  * it may work on earlier versions of gcc */
+ typedef CK_TRUST __CKT_NSS_UNTRUSTED __attribute__((deprecated
+     ("CKT_NSS_UNTRUSTED really means CKT_NSS_MUST_VERIFY_TRUST")));
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -1,11 +1,14 @@
 Index: security/nss/lib/ssl/sslsock.c
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
-retrieving revision 1.67.2.1
-diff -u -p -r1.67.2.1 sslsock.c
--- security/nss/lib/ssl/sslsock.c	31 Jul 2010 04:33:52 -0000	1.67.2.1
-+++ security/nss/lib/ssl/sslsock.c	5 Aug 2010 07:38:13 -0000
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+retrieving revision 1.75
+diff -u -p -6 -r1.75 sslsock.c
+--- security/nss/lib/ssl/sslsock.c	22 Oct 2011 16:45:40 -0000	1.75
+++ security/nss/lib/ssl/sslsock.c	24 Oct 2011 12:52:25 -0000
+@@ -178,13 +178,13 @@ static sslOptions ssl_defaults = {
+     PR_TRUE,	/* detectRollBack     */
+     PR_FALSE,   /* noStepDown         */
+     PR_FALSE,   /* bypassPKCS11       */
     PR_FALSE,   /* noLocks            */
     PR_FALSE,   /* enableSessionTickets */
     PR_FALSE,   /* enableDeflate      */
@ -13,4 +16,7 @@ diff -u -p -r1.67.2.1 sslsock.c
 +    3,          /* enableRenegotiation (default: transitional) */
     PR_FALSE,   /* requireSafeNegotiation */
     PR_FALSE,   /* enableFalseStart   */
+     PR_TRUE     /* cbcRandomIV        */
 };
+ 
+ sslSessionIDLookupFunc  ssl_sid_lookup;