Accepting request 492757 from mozilla:Factory

Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/492757
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=126
Dominique Leuenberger 2017-05-06 16:26:16 +00:00 committed by Git OBS Bridge
commit e3b4251412
5 changed files with 94 additions and 114 deletions

@ -1,3 +1,55 @@
-------------------------------------------------------------------
Wed Apr 26 21:30:30 UTC 2017 - wr@rosenauer.org
- update to NSS 3.30.2
New Functionality
* In the PKCS#11 root CA module (nssckbi), CAs with positive trust
are marked with a new boolean attribute, CKA_NSS_MOZILLA_CA_POLICY,
set to true. Applications that need to distinguish them from other
other root CAs, may use the exported function PK11_HasAttributeSet.
* Support for callback functions that can be used to monitor SSL/TLS
alerts that are sent or received.
New Functions
* CERT_CompareAVA - performs a comparison of two CERTAVA structures,
and returns a SECComparison result.
* PK11_HasAttributeSet - allows to check if a PKCS#11 object in a
given slot has a specific boolean attribute set.
* SSL_AlertReceivedCallback - register a callback function, that will
be called whenever an SSL/TLS alert is received
* SSL_AlertSentCallback - register a callback function, that will be
called whenever an SSL/TLS alert is sent
* SSL_SetSessionTicketKeyPair - configures an asymmetric key pair,
for use in wrapping session ticket keys, used by the server. This
function currently only accepts an RSA public/private key pair.
New Macros
* PKCS12_AES_CBC_128, PKCS12_AES_CBC_192, PKCS12_AES_CBC_256
cipher family identifiers corresponding to the PKCS#5 v2.1 AES
based encryption schemes used in the PKCS#12 support in NSS
* CKA_NSS_MOZILLA_CA_POLICY - identifier for a boolean PKCS#11
attribute, that should be set to true, if a CA is present because
of it's acceptance according to the Mozilla CA Policy
Notable Changes
* The TLS server code has been enhanced to support session tickets
when no RSA certificate (e.g. only an ECDSA certificate) is configured.
* RSA-PSS signatures produced by key pairs with a modulus bit length
that is not a multiple of 8 are now supported.
* The pk12util tool now supports importing and exporting data encrypted
in the AES based schemes defined in PKCS#5 v2.1.
Root CA updates
* The following CA certificates were Removed
- O = Japanese Government, OU = ApplicationCA
- CN = WellsSecure Public Root Certificate Authority
- CN = TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6
- CN = Microsec e-Szigno Root
* The following CA certificates were Added
- CN = D-TRUST Root CA 3 2013
- CN = TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
* The version number of the updated root CA list has been set to 2.14
(bmo#1350859)
* Domain name constraints for one of the new CAs have been added to the
NSS code (bmo#1349705)
- removed obsolete nss-bmo1320695.patch
-------------------------------------------------------------------
Wed Apr 12 21:21:38 UTC 2017 - wr@rosenauer.org
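Review bot: the new 3.30.2 changelog entry carries a few wording slips that will be shipped in the package changelog: "other other root CAs" under New Functionality repeats a word, and "because of it's acceptance" under New Macros should read "its". The root CA section also capitalizes "Removed" and "Added" mid-sentence. Suggest fixing these in the .changes text before the next submission.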

@ -21,11 +21,11 @@
Name: mozilla-nss
BuildRequires: gcc-c++
BuildRequires: mozilla-nspr-devel >= 4.13.1
BuildRequires: mozilla-nspr-devel >= 4.14
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.29.5
Version: 3.30.2
Release: 0
# bug437293
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_29_5_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.29.5/nss ; cd nss-3.29.5/nss ; hg up NSS_3_29_5_RTM
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_30_2_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.30.2/nss ; cd nss-3.30.2/nss ; hg up NSS_3_30_2_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
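Review bot: the release tag in the Source URL (NSS_3_30_2_RTM) and the version in the hg clone comment below it (nss-3.30.2, NSS_3_30_2_RTM) are typed out by hand, while the tarball name on the same line uses %{version}. Every update therefore has to touch the Version tag and these two lines together, and a missed one leaves the Source URL pointing at the previous release directory. Suggest deriving the underscore form of the tag from %{version} in a macro and using it in the URL.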
@ -57,7 +57,6 @@ Patch5: malloc.patch
Patch6: nss-disable-ocsp-test.patch
Patch7: nss-sqlitename.patch
Patch8: nss-fix-hash.patch
Patch9: nss-bmo1320695.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
@ -86,10 +85,10 @@ certificates, and other security standards.
%package devel
Summary: Network (Netscape) Security Services development files
Group: Development/Libraries/Other
Group: Development/Libraries/C and C++
Requires: libfreebl3
Requires: libsoftokn3
Requires: mozilla-nspr-devel >= 4.13.1
Requires: mozilla-nspr-devel >= 4.14
Requires: mozilla-nss = %{version}-%{release}
# bug437293
%ifarch ppc64
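Review bot: the minimum NSPR version is written out a second time here, in the devel subpackage's "Requires: mozilla-nspr-devel >= 4.14", after the same bump from 4.13.1 to 4.14 in the main BuildRequires. A single macro holding the minimum version, used in both places, would keep the build-time and install-time requirements from drifting apart on a later update.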
@ -179,7 +178,6 @@ cd nss
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt
@ -196,7 +194,7 @@ export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
export NSPR_LIB_DIR=`nspr-config --libdir`
export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export OPT_FLAGS="%{optflags} -fno-strict-aliasing"
export LIBDIR=%{_libdir}
%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64
export USE_64=1
@ -222,20 +220,20 @@ fi
%install
cd nss
mkdir -p $RPM_BUILD_ROOT%{_libdir}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss
mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT%{nssdbdir}
mkdir -p %{buildroot}%{_libdir}
mkdir -p %{buildroot}%{_libexecdir}/nss
mkdir -p %{buildroot}%{_includedir}/nss3
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_sbindir}
mkdir -p %{buildroot}/%{_lib}
mkdir -p %{buildroot}%{nssdbdir}
pushd ../dist/Linux*
# copy headers
cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
cp -rL ../public/nss/*.h %{buildroot}%{_includedir}/nss3
# copy some freebl include files we also want
for file in blapi.h alghmac.h
do
cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
cp -L ../private/nss/$file %{buildroot}/%{_includedir}/nss3
done
# copy dynamic libs
cp -L lib/libnss3.so \
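Review bot: in the header copy loop the destination is written "%{buildroot}/%{_includedir}/nss3", with a slash between the two macros, while the line just above it uses "%{buildroot}%{_includedir}/nss3". The extra slash was carried over from the $RPM_BUILD_ROOT form and is harmless, but since every path in this section is being rewritten anyway, this is the moment to make them consistent. The "$file" argument in the same cp line is also unquoted.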
@ -248,20 +246,20 @@ cp -L lib/libnss3.so \
lib/libsoftokn3.so \
lib/libsoftokn3.chk \
lib/libssl3.so \
$RPM_BUILD_ROOT%{_libdir}
%{buildroot}%{_libdir}
cp -L lib/libfreebl3.so \
lib/libfreebl3.chk \
lib/libfreeblpriv3.so \
lib/libfreeblpriv3.chk \
$RPM_BUILD_ROOT/%{_lib}
%{buildroot}/%{_lib}
#cp -L lib/libnsssqlite3.so \
# $RPM_BUILD_ROOT%{_libdir}
# %{buildroot}%{_libdir}
# copy static libs
cp -L lib/libcrmf.a \
lib/libfreebl.a \
lib/libnssb.a \
lib/libnssckfw.a \
$RPM_BUILD_ROOT%{_libdir}
%{buildroot}%{_libdir}
# copy tools
cp -L bin/certutil \
bin/cmsutil \
@ -271,7 +269,7 @@ cp -L bin/certutil \
bin/signtool \
bin/signver \
bin/ssltap \
$RPM_BUILD_ROOT%{_bindir}
%{buildroot}%{_bindir}
# copy unsupported tools
cp -L bin/atob \
bin/btoa \
@ -285,13 +283,13 @@ cp -L bin/atob \
bin/tstclnt \
bin/vfyserv \
bin/vfychain \
$RPM_BUILD_ROOT%{_libexecdir}/nss
%{buildroot}%{_libexecdir}/nss
# prepare pkgconfig file
mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/
mkdir -p %{buildroot}%{_libdir}/pkgconfig/
sed "s:%%LIBDIR%%:%{_libdir}:g
s:%%VERSION%%:%{version}:g
s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
%{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc
%{SOURCE1} > %{buildroot}%{_libdir}/pkgconfig/nss.pc
# prepare nss-config file
popd
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'`
@ -304,32 +302,32 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
> $RPM_BUILD_ROOT/%{_bindir}/nss-config
chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
> %{buildroot}/%{_bindir}/nss-config
chmod 755 %{buildroot}/%{_bindir}/nss-config
# setup-nsssysinfo.sh
install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/
install -m 744 %{SOURCE6} %{buildroot}%{_sbindir}/
# create empty NSS database
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null
#chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/*
#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/modutil -force -dbdir "sql:%{buildroot}%{nssdbdir}" -create
#LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_bindir}/certutil -N -d "sql:%{buildroot}%{nssdbdir}" -f /dev/null 2>&1 > /dev/null
#chmod 644 "%{buildroot}%{nssdbdir}"/*
#sed "s:%{buildroot}::g
#s/^library=$/library=libnsssysinit.so/
#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \
# $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed
# mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,}
# %{buildroot}%{nssdbdir}/pkcs11.txt > %{buildroot}%{nssdbdir}/pkcs11.txt.sed
# mv %{buildroot}%{nssdbdir}/pkcs11.txt{.sed,}
# copy empty NSS database
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir}
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir}
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir}
install -m 644 %{SOURCE7} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE8} %{buildroot}%{nssdbdir}
install -m 644 %{SOURCE9} %{buildroot}%{nssdbdir}
# create shlib sigs after extracting debuginfo
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreeblpriv3.so \
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreebl3.so \
LD_LIBRARY_PATH=%{buildroot}/%{_lib}:%{buildroot}%{_libdir} %{buildroot}%{_libexecdir}/nss/shlibsign -i %{buildroot}/%{_lib}/libfreeblpriv3.so \
%{nil}
%post -p /sbin/ldconfig
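Review bot: the commented-out block under "# create empty NSS database" (the modutil, certutil, chmod and sed lines) was converted to %{buildroot} along with the live code, although the database files are installed from %{SOURCE7}, %{SOURCE8} and %{SOURCE9} a few lines further down. Suggest dropping the dead block instead of maintaining it. If it stays as reference, the certutil line's `-f /dev/null 2>&1 > /dev/null` discards only stdout; `> /dev/null 2>&1` is the order that silences both streams.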
@ -356,9 +354,6 @@ fi
%postun sysinit -p /sbin/ldconfig
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-, root, root)
%{_libdir}/libnss3.so

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5df483b73535d726207483f6349df23fe56aee83382b94b13298aec2e254d985
size 7480246

nss-3.30.2.tar.gz Normal file
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0d4a77ff26bcee79fa8afe0125e0df6ae9e798b6b36782fa29e28febf7cfce24
size 9499119
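Review bot: the sha256 oid in this new LFS pointer is the only integrity record for nss-3.30.2.tar.gz visible in the commit, and the request was accepted from an automatic submission. The oid should be compared against the checksum published with the upstream release before the tarball is trusted, and the result noted in the request. The size also grows from 7480246 to 9499119 bytes relative to the pointer removed above, which is worth a quick look at the archive contents.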

@ -1,67 +0,0 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1481108447 -3600
# Wed Dec 07 12:00:47 2016 +0100
# Branch wip/dueno/ec-session-ticket
# Node ID 86c3a4cb4eb55f50f80904796f0664e11d9b5d73
# Parent 5796201e791e6cbffc3615cb0c894cf1b0fc09a1
Bug 1320695 - Using SessionTicket extension along with any ECDHE-ECDSA ciphersuite renders selfserv unusable
When session ticket is used and wrapping key pair (for caching
generated keys at server side) is not available, disable caching
instead of returning an error.
diff --git a/lib/ssl/ssl3exthandle.c b/lib/ssl/ssl3exthandle.c
--- a/lib/ssl/ssl3exthandle.c
+++ b/lib/ssl/ssl3exthandle.c
@@ -99,21 +99,22 @@ ssl3_GenerateSessionTicketKeys(void *dat
sslSocket *ss = (sslSocket *)data;
sslServerCertType certType = { ssl_auth_rsa_decrypt, NULL };
const sslServerCert *sc;
- SECKEYPrivateKey *svrPrivKey;
- SECKEYPublicKey *svrPubKey;
+ SECKEYPrivateKey *svrPrivKey = NULL;
+ SECKEYPublicKey *svrPubKey = NULL;
sc = ssl_FindServerCert(ss, &certType);
if (!sc || !sc->serverKeyPair) {
SSL_DBG(("%d: SSL[%d]: No ssl_auth_rsa_decrypt cert and key pair",
SSL_GETPID(), ss->fd));
- goto loser;
- }
- svrPrivKey = sc->serverKeyPair->privKey;
- svrPubKey = sc->serverKeyPair->pubKey;
- if (svrPrivKey == NULL || svrPubKey == NULL) {
- SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
- SSL_GETPID(), ss->fd));
- goto loser;
+ } else {
+ svrPrivKey = sc->serverKeyPair->privKey;
+ svrPubKey = sc->serverKeyPair->pubKey;
+ if (svrPrivKey == NULL || svrPubKey == NULL) {
+ SSL_DBG(("%d: SSL[%d]: Pub or priv key(s) is NULL.",
+ SSL_GETPID(), ss->fd));
+ svrPrivKey = NULL;
+ svrPubKey = NULL;
+ }
}
/* Get a copy of the session keys from shared memory. */
diff --git a/lib/ssl/sslsnce.c b/lib/ssl/sslsnce.c
--- a/lib/ssl/sslsnce.c
+++ b/lib/ssl/sslsnce.c
@@ -1831,9 +1831,11 @@ ssl_GetSessionTicketKeys(SECKEYPrivateKe
PRBool keysGenerated = PR_FALSE;
cacheDesc *cache = &globalCache;
- if (!cache->cacheMem) {
- /* cache is uninitialized. Generate keys and return them
- * without caching. */
+ if (!cache->cacheMem || !svrPrivKey || !svrPubKey) {
+ /* Generated keys cannot be cached, because:
+ * - the cache is not initialized, or
+ * - key pairs to wrap them are not available
+ * Generate keys and return them without caching. */
return GenerateTicketKeys(pwArg, keyName, aesKey, macKey);
}
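Review bot: deleting nss-bmo1320695.patch is only safe if the 3.30.2 tarball already contains the fix for Bug 1320695, and the commit does not say so beyond "removed obsolete nss-bmo1320695.patch". The Notable Changes item in the same changelog entry ("support session tickets when no RSA certificate ... is configured") matches this patch's subject, so the removal looks right. Suggest wording the changelog line as fixed upstream so the reason is on record. Note for anyone testing the update: the behaviour this patch introduced, per its own comment, is to generate ticket keys and return them without caching when no wrapping key pair is available, so a server with only an ECDSA certificate should be part of the regression check.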