- update to 3.13.1 RTM
* better SHA-224 support (bmo#647706) * fixed a regression (causing hangs in some situations) introduced in 3.13 (bmo#693228) - update to 3.13.0 RTM * SSL 2.0 is disabled by default * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to PR_FALSE to disable it. * SHA-224 is supported * Ported to iOS. (Requires NSPR 4.9.) * Added PORT_ErrorToString and PORT_ErrorToName to return the error message and symbolic name of an NSS error code * Added NSS_GetVersion to return the NSS version string * Added experimental support of RSA-PSS to the softoken only * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/mozilla-nss?expand=0&rev=89
parent
7a675fbd45
commit
f7efd48411
3389
ckbi-1_88.patch
File diff suppressed because it is too large
@ -1,3 +1,25 @@
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 5 10:58:20 UTC 2011 - wolfgang@rosenauer.org
|
||||
|
||||
- update to 3.13.1 RTM
|
||||
* better SHA-224 support (bmo#647706)
|
||||
* fixed a regression (causing hangs in some situations)
|
||||
introduced in 3.13 (bmo#693228)
|
||||
- update to 3.13.0 RTM
|
||||
* SSL 2.0 is disabled by default
|
||||
* A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext
|
||||
attack demonstrated by Rizzo and Duong (CVE-2011-3389) is
|
||||
enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to
|
||||
PR_FALSE to disable it.
|
||||
* SHA-224 is supported
|
||||
* Ported to iOS. (Requires NSPR 4.9.)
|
||||
* Added PORT_ErrorToString and PORT_ErrorToName to return the
|
||||
error message and symbolic name of an NSS error code
|
||||
* Added NSS_GetVersion to return the NSS version string
|
||||
* Added experimental support of RSA-PSS to the softoken only
|
||||
* NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db
|
||||
anymore (bmo#641052, bnc#726096)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Sat Nov 5 10:47:51 UTC 2011 - wr@rosenauer.org
|
||||
|
||||
|
@ -29,8 +29,8 @@ BuildRequires: sqlite-devel
|
||||
BuildRequires: sqlite3-devel
|
||||
%endif
|
||||
License: MPLv1.1 or GPLv2+ or LGPLv2.1+
|
||||
Version: 3.12.11
|
||||
Release: 6
|
||||
Version: 3.13.1
|
||||
Release: 2
|
||||
# bug437293
|
||||
%ifarch ppc64
|
||||
Obsoletes: mozilla-nss-64bit
|
||||
@ -57,7 +57,6 @@ Patch5: nss-no-rpath.patch
|
||||
Patch6: renegotiate-transitional.patch
|
||||
Patch9: malloc.patch
|
||||
Patch10: ckbi-1_88.patch
|
||||
Patch11: nss-3.12.11_CVE-2011-3640.patch
|
||||
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
|
||||
PreReq: mozilla-nspr >= %nspr_ver
|
||||
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
|
||||
@ -176,7 +175,6 @@ cd mozilla
|
||||
%patch9
|
||||
%endif
|
||||
%patch10 -p1
|
||||
%patch11
|
||||
# additional CA certificates
|
||||
#cd security/nss/lib/ckfw/builtins
|
||||
#cat %{SOURCE2} >> certdata.txt
|
||||
@ -189,7 +187,6 @@ TIME="\"$(date -d "${modified}" "+%%R")\""
|
||||
find . -name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
|
||||
|
||||
cd mozilla/security/nss
|
||||
#cp %SOURCE10 tests/libpkix/certs/PayPalEE.cert
|
||||
export FREEBL_NO_DEPEND=1
|
||||
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
|
||||
export NSPR_LIB_DIR=`nspr-config --libdir`
|
||||
|
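Review bot: Dropping `Patch11: nss-3.12.11_CVE-2011-3640.patch` and its `%patch11` line removes a security fix from the build, and neither the spec nor the new changelog entry records that removal or names CVE-2011-3640. The changelog item `NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db anymore (bmo#641052, bnc#726096)` looks like the upstream equivalent, but that is inferred from its wording rather than stated. I would add a changelog line such as `- removed obsolete nss-3.12.11_CVE-2011-3640.patch (CVE-2011-3640 fixed upstream)` after confirming that the 3.13.1 sources contain the `dbname == NULL` guards and the `noModDB` handling that the deleted patch carried.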
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:222dc325ff07c34190bc4a35ed06b06dd90675b624f851909be2a018d61a9a7d
|
||||
size 4618894
|
@ -1,141 +0,0 @@
|
||||
Index: security/nss/lib/softoken/sftkmod.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkmod.c,v
|
||||
retrieving revision 1.7
|
||||
diff -u -p -r1.7 sftkmod.c
|
||||
--- security/nss/lib/softoken/sftkmod.c 11 Jun 2009 06:28:07 -0000 1.7
|
||||
+++ security/nss/lib/softoken/sftkmod.c 5 Nov 2011 11:55:24 -0000
|
||||
@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
|
||||
char *sep;
|
||||
|
||||
sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
|
||||
-#ifdef WINDOWS
|
||||
+#ifdef _WIN32
|
||||
if (!sep) {
|
||||
- sep = PORT_Strrchr(dirPath,'/');
|
||||
+ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
|
||||
+ sep = PORT_Strrchr(dirPath,'\\');
|
||||
}
|
||||
#endif
|
||||
if (sep) {
|
||||
- *(sep)=0;
|
||||
+ *sep = 0;
|
||||
+ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
|
||||
+ } else {
|
||||
+ file = PR_smprintf("%s", filename);
|
||||
}
|
||||
- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
|
||||
PORT_Free(dirPath);
|
||||
return file;
|
||||
}
|
||||
@@ -242,13 +245,18 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
|
||||
char *paramsValue=NULL;
|
||||
PRBool failed = PR_TRUE;
|
||||
|
||||
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
|
||||
+ if ((dbname != NULL) &&
|
||||
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
|
||||
return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
|
||||
}
|
||||
|
||||
moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
|
||||
if (moduleList == NULL) return NULL;
|
||||
|
||||
+ if (dbname == NULL) {
|
||||
+ goto return_default;
|
||||
+ }
|
||||
+
|
||||
/* do we really want to use streams here */
|
||||
fd = fopen(dbname, "r");
|
||||
if (fd == NULL) goto done;
|
||||
@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
|
||||
moduleString = NULL;
|
||||
}
|
||||
done:
|
||||
- /* if we couldn't open a pkcs11 database, look for the old one */
|
||||
+ /* If we couldn't open a pkcs11 database, look for the old one.
|
||||
+ * This is necessary to maintain the semantics of the transition from
|
||||
+ * old to new DB's. If there is an old DB and not new DB, we will
|
||||
+ * automatically use the old DB. If the DB was opened read/write, we
|
||||
+ * create a new db and upgrade it from the old one. */
|
||||
if (fd == NULL) {
|
||||
char *olddbname = sftk_getOldSecmodName(dbname,filename);
|
||||
PRStatus status;
|
||||
@@ -462,6 +474,8 @@ bail:
|
||||
PR_smprintf_free(olddbname);
|
||||
}
|
||||
}
|
||||
+
|
||||
+return_default:
|
||||
|
||||
if (!moduleList[0]) {
|
||||
char * newParams;
|
||||
@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
|
||||
const char *filename, const char *dbname,
|
||||
char **moduleSpecList, PRBool rw)
|
||||
{
|
||||
- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
|
||||
+ if ((dbname != NULL) &&
|
||||
+ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
|
||||
return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
|
||||
moduleSpecList, rw);
|
||||
}
|
||||
@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
|
||||
PRBool skip = PR_FALSE;
|
||||
PRBool found = PR_FALSE;
|
||||
|
||||
+ if (dbname == NULL) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
|
||||
return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
|
||||
}
|
||||
@@ -668,6 +687,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
|
||||
char *block = NULL;
|
||||
PRBool libFound = PR_FALSE;
|
||||
|
||||
+ if (dbname == NULL) {
|
||||
+ return SECFailure;
|
||||
+ }
|
||||
+
|
||||
if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
|
||||
return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
|
||||
}
|
||||
Index: security/nss/lib/softoken/sftkpars.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/sftkpars.c,v
|
||||
retrieving revision 1.11
|
||||
diff -u -p -r1.11 sftkpars.c
|
||||
--- security/nss/lib/softoken/sftkpars.c 18 Jun 2010 04:09:27 -0000 1.11
|
||||
+++ security/nss/lib/softoken/sftkpars.c 5 Nov 2011 11:55:24 -0000
|
||||
@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
|
||||
char *value = NULL;
|
||||
char *save_params = param;
|
||||
const char *lconfigdir;
|
||||
+ PRBool noModDB = PR_FALSE;
|
||||
param = sftk_argStrip(param);
|
||||
|
||||
|
||||
@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
|
||||
|
||||
if (sftk_argHasFlag("flags","noModDB",save_params)) {
|
||||
/* there isn't a module db, don't load the legacy support */
|
||||
+ noModDB = PR_TRUE;
|
||||
*dbType = SDB_SQL;
|
||||
+ PORT_Free(*filename);
|
||||
+ *filename = NULL;
|
||||
*rw = PR_FALSE;
|
||||
}
|
||||
|
||||
@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
|
||||
secmodName="pkcs11.txt";
|
||||
}
|
||||
|
||||
- if (lconfigdir) {
|
||||
+ if (noModDB) {
|
||||
+ value = NULL;
|
||||
+ } else if (lconfigdir && lconfigdir[0] != '\0') {
|
||||
value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
|
||||
} else {
|
||||
value = PR_smprintf("%s",secmodName);
|
3
nss-3.13.1.tar.bz2
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:05cab982801cf24b9ae00643a30073d3bc94c182a2085f10311f8110412c9ad8
|
||||
size 4639723
|
@ -1,11 +1,14 @@
|
||||
Index: security/nss/lib/ssl/sslsock.c
|
||||
===================================================================
|
||||
RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v
|
||||
retrieving revision 1.67.2.1
|
||||
diff -u -p -r1.67.2.1 sslsock.c
|
||||
--- security/nss/lib/ssl/sslsock.c 31 Jul 2010 04:33:52 -0000 1.67.2.1
|
||||
+++ security/nss/lib/ssl/sslsock.c 5 Aug 2010 07:38:13 -0000
|
||||
@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
|
||||
retrieving revision 1.75
|
||||
diff -u -p -6 -r1.75 sslsock.c
|
||||
--- security/nss/lib/ssl/sslsock.c 22 Oct 2011 16:45:40 -0000 1.75
|
||||
+++ security/nss/lib/ssl/sslsock.c 24 Oct 2011 12:52:25 -0000
|
||||
@@ -178,13 +178,13 @@ static sslOptions ssl_defaults = {
|
||||
PR_TRUE, /* detectRollBack */
|
||||
PR_FALSE, /* noStepDown */
|
||||
PR_FALSE, /* bypassPKCS11 */
|
||||
PR_FALSE, /* noLocks */
|
||||
PR_FALSE, /* enableSessionTickets */
|
||||
PR_FALSE, /* enableDeflate */
|
||||
@ -13,4 +16,7 @@ diff -u -p -r1.67.2.1 sslsock.c
|
||||
+ 3, /* enableRenegotiation (default: transitional) */
|
||||
PR_FALSE, /* requireSafeNegotiation */
|
||||
PR_FALSE, /* enableFalseStart */
|
||||
PR_TRUE /* cbcRandomIV */
|
||||
};
|
||||
|
||||
sslSessionIDLookupFunc ssl_sid_lookup;
|
||||
|
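Review bot: The refreshed hunk still hard-codes `3, /* enableRenegotiation (default: transitional) */` in `ssl_defaults` without explaining why the package overrides the upstream default; the line it replaces lies outside the visible hunk, so the upstream value cannot be read from this page. Transitional mode lets NSS clients complete handshakes with servers that do not send the RFC 5746 renegotiation extension, so this is a deliberate relaxation that deserves a stated rationale. I would add a short header at the top of the patch file (presumably renegotiate-transitional.patch, per `Patch6` in the spec) giving the reason and the condition for dropping it, and write the value as `SSL_RENEGOTIATE_TRANSITIONAL, /* enableRenegotiation */` so the intent does not rest on a magic number. The initializer is positional and `ssl_defaults` begins above the hunk, so each NSS update that adds a field, as `cbcRandomIV` did here, needs this patch re-checked rather than applied with fuzz.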