- update to NSS 3.23

New functionality:
  * ChaCha20/Poly1305 cipher and TLS cipher suites now supported
  * Experimental-only support for TLS 1.3 1-RTT mode (draft-11).
    This code is not ready for production use.
  New functions:
  * SSL_SetDowngradeCheckVersion - Set maximum version for new
    ServerRandom anti-downgrade mechanism. Clients that perform a
    version downgrade (which is generally a very bad idea) call this
    with the highest version number that they possibly support.
    This gives them access to the version downgrade protection from
    TLS 1.3.
  Notable changes:
  * The copy of SQLite shipped with NSS has been updated to version
    3.10.2
  * The list of TLS extensions sent in the TLS handshake has been
    reordered to increase compatibility of the Extended Master Secret
    with servers
  * The build time environment variable NSS_ENABLE_ZLIB has been
    renamed to NSS_SSL_ENABLE_ZLIB
  * The build time environment variable NSS_DISABLE_CHACHAPOLY was
    added, which can be used to prevent compilation of the
    ChaCha20/Poly1305 code.
  * The following CA certificates were Removed
    - Staat der Nederlanden Root CA
    - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
    - NetLock Kozjegyzoi (Class A) Tanusitvanykiado
    - NetLock Uzleti (Class B) Tanusitvanykiado
    - NetLock Expressz (Class C) Tanusitvanykiado
    - VeriSign Class 1 Public PCA – G2

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=212
Wolfgang Rosenauer 2016-05-26 20:20:47 +00:00 committed by Git OBS Bridge
parent fb6ae8911f
commit f2c3469da1
6 changed files with 76 additions and 369 deletions


@ -1,3 +1,52 @@
-------------------------------------------------------------------
Thu May 26 05:59:03 UTC 2016 - wr@rosenauer.org
- update to NSS 3.23
New functionality:
* ChaCha20/Poly1305 cipher and TLS cipher suites now supported
* Experimental-only support TLS 1.3 1-RTT mode (draft-11).
This code is not ready for production use.
New functions:
* SSL_SetDowngradeCheckVersion - Set maximum version for new
ServerRandom anti-downgrade mechanism. Clients that perform a
version downgrade (which is generally a very bad idea) call this
with the highest version number that they possibly support.
This gives them access to the version downgrade protection from
TLS 1.3.
Notable changes:
* The copy of SQLite shipped with NSS has been updated to version
3.10.2
* The list of TLS extensions sent in the TLS handshake has been
reordered to increase compatibility of the Extended Master Secret
with with servers
* The build time environment variable NSS_ENABLE_ZLIB has been
renamed to NSS_SSL_ENABLE_ZLIB
* The build time environment variable NSS_DISABLE_CHACHAPOLY was
added, which can be used to prevent compilation of the
ChaCha20/Poly1305 code.
* The following CA certificates were Removed
- Staat der Nederlanden Root CA
- NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
- NetLock Kozjegyzoi (Class A) Tanusitvanykiado
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
- VeriSign Class 1 Public PCA G2
- VeriSign Class 3 Public PCA
- VeriSign Class 3 Public PCA G2
- CA Disig
* The following CA certificates were Added
+ SZAFIR ROOT CA2
+ Certum Trusted Network CA 2
* The following CA certificate had the Email trust bit turned on
+ Actalis Authentication Root CA
Security fixes:
* Fixed a heap-based buffer overflow related to the parsing of
certain ASN.1 structures. An attacker could create a specially-crafted
certificate which, when parsed by NSS, would cause a crash or
execution of arbitrary code with the permissions of the user.
(CVE-2016-1950, bmo#1245528)
- removed obsolete nss_gcc6_change.patch
-------------------------------------------------------------------
Mon Apr 18 15:53:40 UTC 2016 - normand@linux.vnet.ibm.com
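Review bot: The "Extended Master Secret" item under Notable changes ends in "with with servers"; drop the doubled word before it lands in the package changelog. The Security fixes entry (CVE-2016-1950, bmo#1245528) is the only CVE reference in this update, yet the commit message stops at the CA removals and never mentions it, so anyone triaging from the commit log alone will not see that this bump is security relevant. Carry the CVE line into the commit message as well.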


@ -2,7 +2,7 @@
# spec file for package mozilla-nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2006-2015 Wolfgang Rosenauer
# Copyright (c) 2006-2016 Wolfgang Rosenauer
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -25,7 +25,7 @@ BuildRequires: mozilla-nspr-devel >= 4.12
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.22.3
Version: 3.23
Release: 0
# bug437293
%ifarch ppc64
@ -36,8 +36,8 @@ Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.22.3/nss ; cd nss-3.22.3/nss ; hg up NSS_3_22_3_RTM
Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_23_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.23/nss ; cd nss-3.23/nss ; hg up NSS_3_23_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
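Review bot: The Source URL and the hg comment hard-code the release tag (NSS_3_23_RTM, nss-3.23) while the tarball name uses %{version}, so every bump has to change the Version field and these two lines in step. Deriving the tag from %{version} through a macro would leave a single place to edit and remove the chance of fetching a tarball from a directory that does not match the declared version. The Url context line is also still plain http:// while Source uses https; worth checking whether the project page is reachable over https.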
@ -57,7 +57,7 @@ Patch6: malloc.patch
Patch7: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch
Patch9: nss-bmo1236011.patch
Patch10: nss_gcc6_change.patch
#Patch10: nss_gcc6_change.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
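Review bot: Patch10 is only commented out here (#Patch10: nss_gcc6_change.patch), while the changelog says the patch was removed, the %patch10 line is dropped from %prep, and the patch file itself is deleted in this same commit. A commented-out Patch tag that points at a file no longer in the package is dead text; delete the line instead of commenting it.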
@ -179,7 +179,6 @@ cd nss
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:03be288e20c19a032403318cc819529229aafdf6d50bc77b682e33a3241f9b97
size 6981457

nss-3.23.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:94b383e31c9671e9dfcca81084a8a813817e8f05a57f54533509b318d26e11cf
size 7467001
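Review bot: The new pointer pins nss-3.23.tar.gz by sha256 and size, but nothing in the visible changes ties that digest to what upstream published for NSS_3_23_RTM. Before accepting, compare the oid against upstream's checksum for the release and note in the review how the tarball was obtained (direct download from the Source URL or the hg checkout named in the spec comment), since the two can produce different archives.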


@ -1,350 +0,0 @@
From: Michel Normand <normand@linux.vnet.ibm.com>
Subject: nss gcc6 change
Date: Mon, 18 Apr 2016 19:11:03 +0200
nss changes required to avoid build error with gcc6 like:
===
[ 58s] h_page.c: In function 'new_lseek':
[ 58s] h_page.c:117:8: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
[ 58s] if(offset < 1)
[ 58s] ^~
[ 58s] h_page.c:120:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
[ 58s] cur_pos = lseek(fd, 0, SEEK_CUR);
[ 58s] ^~~~~~~
===
Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com>
---
cmd/bltest/blapitest.c | 4 +--
cmd/vfychain/vfychain.c | 3 +-
lib/dbm/src/h_page.c | 55 +++++++++++++++++++++-----------------------
lib/dbm/src/hash.c | 60 ++++++++++++++++++++++++------------------------
4 files changed, 61 insertions(+), 61 deletions(-)
Index: nss/lib/dbm/src/h_page.c
===================================================================
--- nss.orig/lib/dbm/src/h_page.c
+++ nss/lib/dbm/src/h_page.c
@@ -112,26 +112,25 @@ long new_lseek(int fd, long offset, int
long end_pos=0;
long seek_pos=0;
- if(origin == SEEK_CUR)
- {
- if(offset < 1)
- return(lseek(fd, offset, SEEK_CUR));
+ if (origin == SEEK_CUR) {
+ if (offset < 1)
+ return(lseek(fd, offset, SEEK_CUR));
- cur_pos = lseek(fd, 0, SEEK_CUR);
+ cur_pos = lseek(fd, 0, SEEK_CUR);
+
+ if (cur_pos < 0)
+ return(cur_pos);
+ }
- if(cur_pos < 0)
- return(cur_pos);
- }
-
end_pos = lseek(fd, 0, SEEK_END);
- if(end_pos < 0)
+ if (end_pos < 0)
return(end_pos);
- if(origin == SEEK_SET)
+ if (origin == SEEK_SET)
seek_pos = offset;
- else if(origin == SEEK_CUR)
+ else if (origin == SEEK_CUR)
seek_pos = cur_pos + offset;
- else if(origin == SEEK_END)
+ else if (origin == SEEK_END)
seek_pos = end_pos + offset;
else
{
@@ -143,7 +142,7 @@ long new_lseek(int fd, long offset, int
* end of the file. We don't need
* to do anything special except the seek.
*/
- if(seek_pos <= end_pos)
+ if (seek_pos <= end_pos)
return(lseek(fd, seek_pos, SEEK_SET));
/* the seek position is beyond the end of the
@@ -161,7 +160,7 @@ long new_lseek(int fd, long offset, int
memset(buffer, 0, 1024);
while(len > 0)
{
- if(write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0)
+ if (write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0)
return(-1);
len -= 1024;
}
@@ -245,10 +244,10 @@ __delpair(HTAB *hashp, BUFHEAD *bufp, in
* Once we know dst_offset is < BSIZE, we can subtract it from BSIZE
* to get an upper bound on length.
*/
- if(dst_offset > (uint32)hashp->BSIZE)
+ if (dst_offset > (uint32)hashp->BSIZE)
return(DATABASE_CORRUPTED_ERROR);
- if(length > (uint32)(hashp->BSIZE - dst_offset))
+ if (length > (uint32)(hashp->BSIZE - dst_offset))
return(DATABASE_CORRUPTED_ERROR);
memmove(dst, src, length);
@@ -324,7 +323,7 @@ __split_page(HTAB *hashp, uint32 obucket
* off. If it is then the database has
* been corrupted.
*/
- if(ino[n] > off)
+ if (ino[n] > off)
return(DATABASE_CORRUPTED_ERROR);
key.size = off - ino[n];
@@ -355,7 +354,7 @@ __split_page(HTAB *hashp, uint32 obucket
* wrong. LJM
*/
tmp_uint16_array = (uint16*)np;
- if(!PAIRFITS(tmp_uint16_array, &key, &val))
+ if (!PAIRFITS(tmp_uint16_array, &key, &val))
return(DATABASE_CORRUPTED_ERROR);
putpair(np, &key, &val);
@@ -440,7 +439,7 @@ ugly_split(HTAB *hashp, uint32 obucket,
*/
loop_detection++;
- if(loop_detection > MAX_UGLY_SPLIT_LOOPS)
+ if (loop_detection > MAX_UGLY_SPLIT_LOOPS)
return DATABASE_CORRUPTED_ERROR;
if (ino[2] < REAL_KEY && ino[2] != OVFLPAGE) {
@@ -736,7 +735,7 @@ __get_page(HTAB *hashp,
* the maximum number of entries
* in the array
*/
- if((unsigned)max > (size / sizeof(uint16)))
+ if ((unsigned)max > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
/* do the byte order swap
@@ -749,7 +748,7 @@ __get_page(HTAB *hashp,
/* check the validity of the page here
* (after doing byte order swaping if necessary)
*/
- if(!is_bitmap && bp[0] != 0)
+ if (!is_bitmap && bp[0] != 0)
{
uint16 num_keys = bp[0];
uint16 offset;
@@ -760,11 +759,11 @@ __get_page(HTAB *hashp,
* bp[0] is too large (larger than the whole
* page) then the page is corrupted
*/
- if(bp[0] > (size / sizeof(uint16)))
+ if (bp[0] > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
/* bound free space */
- if(FREESPACE(bp) > size)
+ if (FREESPACE(bp) > size)
return(DATABASE_CORRUPTED_ERROR);
/* check each key and data offset to make
@@ -776,10 +775,10 @@ __get_page(HTAB *hashp,
for(i=1 ; i <= num_keys; i+=2)
{
/* ignore overflow pages etc. */
- if(bp[i+1] >= REAL_KEY)
+ if (bp[i+1] >= REAL_KEY)
{
- if(bp[i] > offset || bp[i+1] > bp[i])
+ if (bp[i] > offset || bp[i+1] > bp[i])
return(DATABASE_CORRUPTED_ERROR);
offset = bp[i+1];
@@ -832,7 +831,7 @@ __put_page(HTAB *hashp, char *p, uint32
* the maximum number of entries
* in the array
*/
- if((unsigned)max > (size / sizeof(uint16)))
+ if ((unsigned)max > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
for (i = 0; i <= max; i++)
@@ -1091,7 +1090,7 @@ __free_ovflpage(HTAB *hashp, BUFHEAD *ob
uint32 bit_address, free_page, free_bit;
uint16 ndx;
- if(!obufp || !obufp->addr)
+ if (!obufp || !obufp->addr)
return;
addr = obufp->addr;
Index: nss/lib/dbm/src/hash.c
===================================================================
--- nss.orig/lib/dbm/src/hash.c
+++ nss/lib/dbm/src/hash.c
@@ -154,7 +154,7 @@ __hash_open(const char *file, int flags,
return NULL;
}
hashp->fp = NO_FILE;
- if(file)
+ if (file)
hashp->filename = strdup(file);
/*
@@ -172,7 +172,7 @@ __hash_open(const char *file, int flags,
errno = 0; /* Just in case someone looks at errno */
new_table = 1;
}
- else if(statbuf.st_mtime && statbuf.st_size == 0)
+ else if (statbuf.st_mtime && statbuf.st_size == 0)
{
/* check for a zero length file and delete it
* if it exists
@@ -288,7 +288,7 @@ hash_close(DB *dbp)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
retval = hdestroy(hashp);
@@ -304,7 +304,7 @@ static int hash_fd(const DB *dbp)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
if (hashp->fp == -1) {
@@ -480,7 +480,7 @@ hdestroy(HTAB *hashp)
if (hashp->fp != -1)
(void)close(hashp->fp);
- if(hashp->filename) {
+ if (hashp->filename) {
#if defined(_WIN32) || defined(_WINDOWS) || defined(XP_OS2)
if (hashp->is_temp)
(void)unlink(hashp->filename);
@@ -578,7 +578,7 @@ hash_sync(const DB *dbp, uint flags)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
if (!hashp->save_file)
@@ -670,7 +670,7 @@ hash_get(
rv = hash_access(hashp, HASH_GET, (DBT *)key, data);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -707,7 +707,7 @@ hash_put(
rv = hash_access(hashp, flag == R_NOOVERWRITE ?
HASH_PUTNEW : HASH_PUT, (DBT *)key, (DBT *)data);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -741,7 +741,7 @@ hash_delete(
}
rv = hash_access(hashp, HASH_DELETE, (DBT *)key, NULL);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -802,27 +802,27 @@ hash_access(
ndx += 2;
} else if (bp[1] == OVFLPAGE) {
- /* database corruption: overflow loop detection */
- if(last_overflow_page_no == (int32)*bp)
- return (DATABASE_CORRUPTED_ERROR);
-
- last_overflow_page_no = *bp;
-
- rbufp = __get_buf(hashp, *bp, rbufp, 0);
- if (!rbufp) {
- save_bufp->flags &= ~BUF_PIN;
- return (DBM_ERROR);
- }
-
- ovfl_loop_count++;
- if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
- return (DATABASE_CORRUPTED_ERROR);
-
- /* FOR LOOP INIT */
- bp = (uint16 *)rbufp->page;
- n = *bp++;
- ndx = 1;
- off = hashp->BSIZE;
+ /* database corruption: overflow loop detection */
+ if (last_overflow_page_no == (int32)*bp)
+ return (DATABASE_CORRUPTED_ERROR);
+
+ last_overflow_page_no = *bp;
+
+ rbufp = __get_buf(hashp, *bp, rbufp, 0);
+ if (!rbufp) {
+ save_bufp->flags &= ~BUF_PIN;
+ return (DBM_ERROR);
+ }
+
+ ovfl_loop_count++;
+ if (ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
+ return (DATABASE_CORRUPTED_ERROR);
+
+ /* FOR LOOP INIT */
+ bp = (uint16 *)rbufp->page;
+ n = *bp++;
+ ndx = 1;
+ off = hashp->BSIZE;
} else if (bp[1] < REAL_KEY) {
if ((ndx =
__find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0)
Index: nss/cmd/bltest/blapitest.c
===================================================================
--- nss.orig/cmd/bltest/blapitest.c
+++ nss/cmd/bltest/blapitest.c
@@ -1571,8 +1571,8 @@ bltest_seed_init(bltestCipherInfo *ciphe
cipherInfo->cipher.symmkeyCipher = seed_Encrypt;
else
cipherInfo->cipher.symmkeyCipher = seed_Decrypt;
-
- return SECSuccess;
+
+ return SECSuccess;
}
SECStatus
Index: nss/cmd/vfychain/vfychain.c
===================================================================
--- nss.orig/cmd/vfychain/vfychain.c
+++ nss/cmd/vfychain/vfychain.c
@@ -439,7 +439,8 @@ main(int argc, char *argv[], char *envp[
case 0 : /* positional parameter */ goto breakout;
case 'a' : isAscii = PR_TRUE; break;
case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
- if (secStatus != SECSuccess) Usage(progName); break;
+ if (secStatus != SECSuccess) Usage(progName);
+ break;
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break;
case 'f' : certFetching = PR_TRUE; break;
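Review bot: The changelog calls this patch obsolete without saying why. Its hunks only re-indent and re-wrap code (new_lseek in h_page.c, the OVFLPAGE branch of hash_access in hash.c, the return in bltest_seed_init, the 'b' case in vfychain.c) to satisfy gcc6's -Werror=misleading-indentation, so dropping it is safe only if the 3.23 sources build cleanly with gcc6 on their own. State that in the changelog entry, or keep a rebased version of the patch if they do not.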


@ -1,13 +1,22 @@
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index e6b2387..87fbe1d 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: requires extension) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */
@@ -72,17 +72,17 @@ static sslOptions ssl_defaults = {
PR_FALSE,
/* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */
PR_TRUE, /* detectRollBack */
PR_FALSE, /* noStepDown */
PR_FALSE, /* bypassPKCS11 */
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: requires extension) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */
PR_FALSE, /* enableOCSPStapling */
PR_TRUE, /* enableNPN */
PR_FALSE, /* enableALPN */
PR_TRUE, /* reuseServerECDHEKey */
PR_FALSE, /* enableFallbackSCSV */
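Review bot: On the changed line the value becomes 3 but the trailing comment still reads "(default: requires extension)", which describes the old value 2. In ssl.h, 2 is SSL_RENEGOTIATE_REQUIRES_XTN and 3 is SSL_RENEGOTIATE_TRANSITIONAL, so this carried patch relaxes the default renegotiation policy while the comment claims the stricter one. Use the symbolic constant in place of the bare number, correct the comment to match, and add a description to the patch explaining why the distribution default differs from upstream, since the visible part starts directly at the diff --git line with no rationale.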