- update to NSS 3.30.2
  New Functionality
  * In the PKCS#11 root CA module (nssckbi), CAs with positive trust
    are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
    set to true. Applications that need to distinguish them from
    other root CAs, may use the exported function PK11_HasAttributeSet.
  * Support for callback functions that can be used to monitor SSL/TLS
    alerts that are sent or received.
  New Functions
  * CERT_CompareAVA - performs a comparison of two CERTAVA structures,
    and returns a SECComparison result.
  * PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
    given slot has a specific boolean attribute set.
  * SSL_AlertReceivedCallback - register a callback function, that will
    be called whenever an SSL/TLS alert is received
  * SSL_AlertSentCallback - register a callback function, that will be
    called whenever an SSL/TLS alert is sent
  * SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
    for use in wrapping session ticket keys, used by the server. This
    function currently only accepts an RSA public/private key pair.
  New Macros
  * PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
    cipher family identifiers corresponding to the PKCS#5 v2.1 AES
    based encryption schemes used in the PKCS#12 support in NSS
  * CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
    attribute, that should be set to true, if a CA is present because
    of its acceptance according to the Mozilla CA Policy
  Notable Changes
  * The TLS server code has been enhanced to support session tickets
    when no RSA certificate (e.g. only an ECDSA certificate) is configured.

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=241
parent 607f63b358
commit 8a54093a7b
@ -1,3 +1,55 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org
|
||||||
|
|
||||||
|
- update to NSS 3.30.2
|
||||||
|
New Functionality
|
||||||
|
* In the PKCS#11 root CA module (nssckbi), CAs with positive trust
|
||||||
|
are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
|
||||||
|
set to true. Applications that need to distinguish them from other
|
||||||
|
other root CAs, may use the exported function PK11_HasAttributeSet.
|
||||||
|
* Support for callback functions that can be used to monitor SSL/TLS
|
||||||
|
alerts that are sent or received.
|
||||||
|
New Functions
|
||||||
|
* CERT_CompareAVA - performs a comparison of two CERTAVA structures,
|
||||||
|
and returns a SECComparison result.
|
||||||
|
* PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
|
||||||
|
given slot has a specific boolean attribute set.
|
||||||
|
* SSL_AlertReceivedCallback - register a callback function, that will
|
||||||
|
be called whenever an SSL/TLS alert is received
|
||||||
|
* SSL_AlertSentCallback - register a callback function, that will be
|
||||||
|
called whenever an SSL/TLS alert is sent
|
||||||
|
* SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
|
||||||
|
for use in wrapping session ticket keys, used by the server. This
|
||||||
|
function currently only accepts an RSA public/private key pair.
|
||||||
|
New Macros
|
||||||
|
* PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
|
||||||
|
cipher family identifiers corresponding to the PKCS#5 v2.1 AES
|
||||||
|
based encryption schemes used in the PKCS#12 support in NSS
|
||||||
|
* CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
|
||||||
|
attribute, that should be set to true, if a CA is present because
|
||||||
|
of it's acceptance according to the Mozilla CA Policy
|
||||||
|
Notable Changes
|
||||||
|
* The TLS server code has been enhanced to support session tickets
|
||||||
|
when no RSA certificate (e.g. only an ECDSA certificate) is configured.
|
||||||
|
* RSA-PSS signatures produced by key pairs with a modulus bit length
|
||||||
|
that is not a multiple of 8 are now supported.
|
||||||
|
* The pk12util tool now supports importing and exporting data encrypted
|
||||||
|
in the AES based schemes defined in PKCS#5 v2.1.
|
||||||
|
Root CA updates
|
||||||
|
* The following CA certificates were Removed
|
||||||
|
- O = Japanese Government, OU = ApplicationCA
|
||||||
|
- CN = WellsSecure Public Root Certificate Authority
|
||||||
|
- CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
|
||||||
|
- CN = Microsec e-Szigno Root
|
||||||
|
* The following CA certificates were Added
|
||||||
|
- CN = D-TRUST Root CA 3 2013
|
||||||
|
- CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
|
||||||
|
* The version number of the updated root CA list has been set to 2.14
|
||||||
|
(bmo#1350859)
|
||||||
|
* Domain name constraints for one of the new CAs have been added to the
|
||||||
|
NSS code (bmo#1349705)
|
||||||
|
- removed obsolete nss-bmo1320695.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
|
Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
|
||||||
|
|
||||||
|
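Review bot: the new changelog entry documents the upstream release notes and the dropped patch, but none of the packaging changes made in the same commit: the mozilla-nspr-devel floor moving from 4.13.1 to 4.14, the devel Group change, the $RPM_BUILD_ROOT to %{buildroot} conversion and the removed %clean section. Add at least a line for the nspr requirement bump, since it affects anyone rebuilding the package. The copied release text also carries "other other root CAs" and "it's acceptance", which are worth correcting in the changelog.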
@ -21,11 +21,11 @@
|
|||||||
|
|
||||||
Name: mozilla-nss
|
Name: mozilla-nss
|
||||||
BuildRequires: gcc-c++
|
BuildRequires: gcc-c++
|
||||||
BuildRequires: mozilla-nspr-devel >= 4.13.1
|
BuildRequires: mozilla-nspr-devel >= 4.14
|
||||||
BuildRequires: pkg-config
|
BuildRequires: pkg-config
|
||||||
BuildRequires: sqlite-devel
|
BuildRequires: sqlite-devel
|
||||||
BuildRequires: zlib-devel
|
BuildRequires: zlib-devel
|
||||||
Version: 3.29.5
|
Version: 3.30.2
|
||||||
Release: 0
|
Release: 0
|
||||||
# bug437293
|
# bug437293
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
@ -36,8 +36,8 @@ Summary: Network Security Services
|
|||||||
License: MPL-2.0
|
License: MPL-2.0
|
||||||
Group: System/Libraries
|
Group: System/Libraries
|
||||||
Url: http://www.mozilla.org/projects/security/pki/nss/
|
Url: http://www.mozilla.org/projects/security/pki/nss/
|
||||||
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz
|
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz
|
||||||
# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM
|
# hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM
|
||||||
#Source: nss-%{version}.tar.gz
|
#Source: nss-%{version}.tar.gz
|
||||||
Source1: nss.pc.in
|
Source1: nss.pc.in
|
||||||
Source3: nss-config.in
|
Source3: nss-config.in
|
||||||
@ -57,7 +57,6 @@ Patch5: malloc.patch
|
|||||||
Patch6: nss-disable-ocsp-test.patch
|
Patch6: nss-disable-ocsp-test.patch
|
||||||
Patch7: nss-sqlitename.patch
|
Patch7: nss-sqlitename.patch
|
||||||
Patch8: nss-fix-hash.patch
|
Patch8: nss-fix-hash.patch
|
||||||
Patch9: nss-bmo1320695.patch
|
|
||||||
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
|
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
|
||||||
PreReq: mozilla-nspr >= %nspr_ver
|
PreReq: mozilla-nspr >= %nspr_ver
|
||||||
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
|
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
|
||||||
@ -86,10 +85,10 @@ certificates, and other security standards.
|
|||||||
|
|
||||||
%package devel
|
%package devel
|
||||||
Summary: Network (Netscape) Security Services development files
|
Summary: Network (Netscape) Security Services development files
|
||||||
Group: Development/Libraries/Other
|
Group: Development/Libraries/C and C++
|
||||||
Requires: libfreebl3
|
Requires: libfreebl3
|
||||||
Requires: libsoftokn3
|
Requires: libsoftokn3
|
||||||
Requires: mozilla-nspr-devel >= 4.13.1
|
Requires: mozilla-nspr-devel >= 4.14
|
||||||
Requires: mozilla-nss = %{version}-%{release}
|
Requires: mozilla-nss = %{version}-%{release}
|
||||||
# bug437293
|
# bug437293
|
||||||
%ifarch ppc64
|
%ifarch ppc64
|
||||||
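Review bot: the nspr floor in "Requires: mozilla-nspr-devel >= 4.14" is a second hard-coded copy of the value in the BuildRequires line changed near the top of the spec. Define the minimum nspr version once as a macro and use it in both places, so the next bump cannot leave the build-time and install-time requirements out of step. The Group change in this hunk is unrelated to the version update and should be mentioned in the changelog.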
@ -179,7 +178,6 @@ cd nss
|
|||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
|
||||||
# additional CA certificates
|
# additional CA certificates
|
||||||
#cd security/nss/lib/ckfw/builtins
|
#cd security/nss/lib/ckfw/builtins
|
||||||
#cat %{SOURCE2} >> certdata.txt
|
#cat %{SOURCE2} >> certdata.txt
|
||||||
@ -196,7 +194,7 @@ export FREEBL_NO_DEPEND=1
|
|||||||
export FREEBL_LOWHASH=1
|
export FREEBL_LOWHASH=1
|
||||||
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
|
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
|
||||||
export NSPR_LIB_DIR=`nspr-config --libdir`
|
export NSPR_LIB_DIR=`nspr-config --libdir`
|
||||||
export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
|
export OPT_FLAGS="%{optflags} -fno-strict-aliasing"
|
||||||
export LIBDIR=%{_libdir}
|
export LIBDIR=%{_libdir}
|
||||||
%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64
|
%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64
|
||||||
export USE_64=1
|
export USE_64=1
|
||||||
@ -222,20 +220,20 @@ fi
|
|||||||
|
|
||||||
%install
|
%install
|
||||||
cd nss
|
cd nss
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_libdir}
|
mkdir -p %{buildroot}%{_libdir}
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss
|
mkdir -p %{buildroot}%{_libexecdir}/nss
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3
|
mkdir -p %{buildroot}%{_includedir}/nss3
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_bindir}
|
mkdir -p %{buildroot}%{_bindir}
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
|
mkdir -p %{buildroot}%{_sbindir}
|
||||||
mkdir -p $RPM_BUILD_ROOT/%{_lib}
|
mkdir -p %{buildroot}/%{_lib}
|
||||||
mkdir -p $RPM_BUILD_ROOT%{nssdbdir}
|
mkdir -p %{buildroot}%{nssdbdir}
|
||||||
pushd ../dist/Linux*
|
pushd ../dist/Linux*
|
||||||
# copy headers
|
# copy headers
|
||||||
cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
|
cp -rL ../public/nss/*.h %{buildroot}%{_includedir}/nss3
|
||||||
# copy some freebl include files we also want
|
# copy some freebl include files we also want
|
||||||
for file in blapi.h alghmac.h
|
for file in blapi.h alghmac.h
|
||||||
do
|
do
|
||||||
cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
cp -L ../private/nss/$file %{buildroot}/%{_includedir}/nss3
|
||||||
done
|
done
|
||||||
# copy dynamic libs
|
# copy dynamic libs
|
||||||
cp -L lib/libnss3.so \
|
cp -L lib/libnss3.so \
|
||||||
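Review bot: in the freebl header loop the destination is written "%{buildroot}/%{_includedir}/nss3", while the header copy just above it uses "%{buildroot}%{_includedir}/nss3". %{_includedir} is already an absolute path, so the extra slash produces a "//" path; it is harmless, but since every one of these lines is being rewritten anyway, drop the slash so the two copies match. "%{buildroot}/%{_lib}" is different and should keep its slash, because %{_lib} is a relative name.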
@ -248,20 +246,20 @@ cp -L lib/libnss3.so \
|
|||||||
lib/libsoftokn3.so \
|
lib/libsoftokn3.so \
|
||||||
lib/libsoftokn3.chk \
|
lib/libsoftokn3.chk \
|
||||||
lib/libssl3.so \
|
lib/libssl3.so \
|
||||||
$RPM_BUILD_ROOT%{_libdir}
|
%{buildroot}%{_libdir}
|
||||||
cp -L lib/libfreebl3.so \
|
cp -L lib/libfreebl3.so \
|
||||||
lib/libfreebl3.chk \
|
lib/libfreebl3.chk \
|
||||||
lib/libfreeblpriv3.so \
|
lib/libfreeblpriv3.so \
|
||||||
lib/libfreeblpriv3.chk \
|
lib/libfreeblpriv3.chk \
|
||||||
$RPM_BUILD_ROOT/%{_lib}
|
%{buildroot}/%{_lib}
|
||||||
#cp -L lib/libnsssqlite3.so \
|
#cp -L lib/libnsssqlite3.so \
|
||||||
# $RPM_BUILD_ROOT%{_libdir}
|
# %{buildroot}%{_libdir}
|
||||||
# copy static libs
|
# copy static libs
|
||||||
cp -L lib/libcrmf.a \
|
cp -L lib/libcrmf.a \
|
||||||
lib/libfreebl.a \
|
lib/libfreebl.a \
|
||||||
lib/libnssb.a \
|
lib/libnssb.a \
|
||||||
lib/libnssckfw.a \
|
lib/libnssckfw.a \
|
||||||
$RPM_BUILD_ROOT%{_libdir}
|
%{buildroot}%{_libdir}
|
||||||
# copy tools
|
# copy tools
|
||||||
cp -L bin/certutil \
|
cp -L bin/certutil \
|
||||||
bin/cmsutil \
|
bin/cmsutil \
|
||||||
@ -271,7 +269,7 @@ cp -L bin/certutil \
|
|||||||
bin/signtool \
|
bin/signtool \
|
||||||
bin/signver \
|
bin/signver \
|
||||||
bin/ssltap \
|
bin/ssltap \
|
||||||
$RPM_BUILD_ROOT%{_bindir}
|
%{buildroot}%{_bindir}
|
||||||
# copy unsupported tools
|
# copy unsupported tools
|
||||||
cp -L bin/atob \
|
cp -L bin/atob \
|
||||||
bin/btoa \
|
bin/btoa \
|
||||||
@ -285,13 +283,13 @@ cp -L bin/atob \
|
|||||||
bin/tstclnt \
|
bin/tstclnt \
|
||||||
bin/vfyserv \
|
bin/vfyserv \
|
||||||
bin/vfychain \
|
bin/vfychain \
|
||||||
$RPM_BUILD_ROOT%{_libexecdir}/nss
|
%{buildroot}%{_libexecdir}/nss
|
||||||
# prepare pkgconfig file
|
# prepare pkgconfig file
|
||||||
mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/
|
mkdir -p %{buildroot}%{_libdir}/pkgconfig/
|
||||||
sed "s:%%LIBDIR%%:%{_libdir}:g
|
sed "s:%%LIBDIR%%:%{_libdir}:g
|
||||||
s:%%VERSION%%:%{version}:g
|
s:%%VERSION%%:%{version}:g
|
||||||
s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
|
s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
|
||||||
%{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc
|
%{SOURCE1} > %{buildroot}%{_libdir}/pkgconfig/nss.pc
|
||||||
# prepare nss-config file
|
# prepare nss-config file
|
||||||
popd
|
popd
|
||||||
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'`
|
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'`
|
||||||
@ -304,32 +302,32 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
|
|||||||
-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
|
-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
|
||||||
-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
|
-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
|
||||||
-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
|
-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
|
||||||
> $RPM_BUILD_ROOT/%{_bindir}/nss-config
|
> %{buildroot}/%{_bindir}/nss-config
|
||||||
chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
|
chmod 755 %{buildroot}/%{_bindir}/nss-config
|
||||||
# setup-nsssysinfo.sh
|
# setup-nsssysinfo.sh
|
||||||
install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/
|
install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
|
||||||
# create empty NSS database
|
# create empty NSS database
|
||||||
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create
|
#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/modutil -force -dbdir "sql:%{buildroot}%{nssdbdir}" -create
|
||||||
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null
|
#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/certutil -N -d "sql:%{buildroot}%{nssdbdir}" -f /dev/null 2>&1 > /dev/null
|
||||||
#chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/*
|
#chmod 644 "%{buildroot}%{nssdbdir}"/*
|
||||||
#sed "s:%{buildroot}::g
|
#sed "s:%{buildroot}::g
|
||||||
#s/^library=$/library=libnsssysinit.so/
|
#s/^library=$/library=libnsssysinit.so/
|
||||||
#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \
|
#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \
|
||||||
# $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed
|
# %{buildroot}%{nssdbdir}/pkcs11.txt > %{buildroot}%{nssdbdir}/pkcs11.txt.sed
|
||||||
# mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,}
|
# mv %{buildroot}%{nssdbdir}/pkcs11.txt{.sed,}
|
||||||
# copy empty NSS database
|
# copy empty NSS database
|
||||||
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir}
|
install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
|
||||||
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir}
|
install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
|
||||||
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir}
|
install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
|
||||||
# create shlib sigs after extracting debuginfo
|
# create shlib sigs after extracting debuginfo
|
||||||
%define __spec_install_post \
|
%define __spec_install_post \
|
||||||
%{?__debug_package:%{__debug_install_post}} \
|
%{?__debug_package:%{__debug_install_post}} \
|
||||||
%{__arch_install_post} \
|
%{__arch_install_post} \
|
||||||
%{__os_install_post} \
|
%{__os_install_post} \
|
||||||
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
|
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
|
||||||
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
|
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
|
||||||
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
|
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreebl3.so \
|
||||||
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \
|
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreeblpriv3.so \
|
||||||
%{nil}
|
%{nil}
|
||||||
|
|
||||||
%post -p /sbin/ldconfig
|
%post -p /sbin/ldconfig
|
||||||
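Review bot: the commented-out certutil line still ends in "2>&1 > /dev/null", which points stderr at the original stdout before stdout is discarded, so errors would still be printed if the line were ever re-enabled. Either write it as "> /dev/null 2>&1" or, preferably, delete the dead modutil/certutil/sed block instead of converting it to %{buildroot}. The nss-config lines in the same hunk also use "%{buildroot}/%{_bindir}" with a redundant slash.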
@ -356,9 +354,6 @@ fi
|
|||||||
|
|
||||||
%postun sysinit -p /sbin/ldconfig
|
%postun sysinit -p /sbin/ldconfig
|
||||||
|
|
||||||
%clean
|
|
||||||
rm -rf $RPM_BUILD_ROOT
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%defattr(-, root, root)
|
%defattr(-, root, root)
|
||||||
%{_libdir}/libnss3.so
|
%{_libdir}/libnss3.so
|
||||||
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985
|
|
||||||
size 7480246
|
|
3
nss-3.30.2.tar.gz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24
|
||||||
|
size 9499119
|
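Review bot: nothing in this commit shows the new tarball being verified against upstream. The LFS pointer pins a sha256 locally and the size grows from 7480246 to 9499119 bytes, but the spec has no signature or checksum step for Source. Record in the commit message or changelog that the oid was compared with the checksum upstream publishes for NSS_3_30_2_RTM, so a later reviewer can tell the pinned hash from an unchecked download.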
@ -1,67 +0,0 @@
|
|||||||
# HG changeset patch
|
|
||||||
# User Daiki Ueno <dueno@redhat.com>
|
|
||||||
# Date 1481108447 -3600
|
|
||||||
# Wed Dec 07 12:00:47 2016 +0100
|
|
||||||
# Branch wip/dueno/ec-session-ticket
|
|
||||||
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
|
|
||||||
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
|
|
||||||
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
|
|
||||||
|
|
||||||
When session ticket is used and wrapping key pair (for caching
|
|
||||||
generated keys at server side) is not available, disable caching
|
|
||||||
instead of returning an error.
|
|
||||||
|
|
||||||
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
|
|
||||||
--- a/lib/ssl/ssl3exthandle.c
|
|
||||||
+++ b/lib/ssl/ssl3exthandle.c
|
|
||||||
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
|
|
||||||
sslSocket *ss = (sslSocket *)data;
|
|
||||||
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
|
|
||||||
const sslServerCert *sc;
|
|
||||||
- SECKEYPrivateKey *svrPrivKey;
|
|
||||||
- SECKEYPublicKey *svrPubKey;
|
|
||||||
+ SECKEYPrivateKey *svrPrivKey = NULL;
|
|
||||||
+ SECKEYPublicKey *svrPubKey = NULL;
|
|
||||||
|
|
||||||
sc = ssl_FindServerCert(ss, &certType);
|
|
||||||
if (!sc || !sc->serverKeyPair) {
|
|
||||||
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
|
|
||||||
SSL_GETPID(), ss->fd));
|
|
||||||
- goto loser;
|
|
||||||
- }
|
|
||||||
- svrPrivKey = sc->serverKeyPair->privKey;
|
|
||||||
- svrPubKey = sc->serverKeyPair->pubKey;
|
|
||||||
- if (svrPrivKey == NULL || svrPubKey == NULL) {
|
|
||||||
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
|
|
||||||
- SSL_GETPID(), ss->fd));
|
|
||||||
- goto loser;
|
|
||||||
+ } else {
|
|
||||||
+ svrPrivKey = sc->serverKeyPair->privKey;
|
|
||||||
+ svrPubKey = sc->serverKeyPair->pubKey;
|
|
||||||
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
|
|
||||||
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
|
|
||||||
+ SSL_GETPID(), ss->fd));
|
|
||||||
+ svrPrivKey = NULL;
|
|
||||||
+ svrPubKey = NULL;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Get a copy of the session keys from shared memory. */
|
|
||||||
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
|
|
||||||
--- a/lib/ssl/sslsnce.c
|
|
||||||
+++ b/lib/ssl/sslsnce.c
|
|
||||||
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
|
|
||||||
PRBool keysGenerated = PR_FALSE;
|
|
||||||
cacheDesc *cache = &globalCache;
|
|
||||||
|
|
||||||
- if (!cache->cacheMem) {
|
|
||||||
- /* cache is uninitialized. Generate keys and return them
|
|
||||||
- * without caching. */
|
|
||||||
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
|
|
||||||
+ /* Generated keys cannot be cached, because:
|
|
||||||
+ * - the cache is not initialized, or
|
|
||||||
+ * - key pairs to wrap them are not available
|
|
||||||
+ * Generate keys and return them without caching. */
|
|
||||||
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
|
|
||||||
}
|
|
||||||
|
|
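Review bot: dropping nss-bmo1320695.patch is only safe if 3.30.2 carries the same behaviour, and the commit gives no upstream reference for that. The deleted patch made ssl3_GenerateSessionTicketKeys continue with NULL keys instead of "goto loser" and made ssl_GetSessionTicketKeys return uncached keys when "!svrPrivKey || !svrPubKey"; the Notable Changes item about session tickets without an RSA certificate looks like the matching upstream change. Cite bmo#1320695 on the "removed obsolete" changelog line and confirm that an ECDSA-only server still issues session tickets after the update.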