commit afa263357ba8710651a59f27027ca82caf6384f5 Author: overweight <5324761+overweight@user.noreply.gitee.com> Date: Mon Sep 30 11:10:05 2019 -0400 Package init diff --git a/Bug-1412829-reject-empty-supported_signature_algorit.patch b/Bug-1412829-reject-empty-supported_signature_algorit.patch new file mode 100644 index 0000000..33e847d --- /dev/null +++ b/Bug-1412829-reject-empty-supported_signature_algorit.patch 
@@ -0,0 +1,114 @@ +From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001 +From: Daiki Ueno +Date: Thu, 22 Nov 2018 10:55:20 +0100 +Subject: [PATCH 441/489] Bug 1412829, reject empty + supported_signature_algorithms in CR in TLS 1.2, + r=mt + +Summary: This basically reverts bug 1335069 to align with RFC 5246. + +Reviewers: mt + +Reviewed By: mt + +Bug #: 1412829 + +Differential Revision: https://phabricator.services.mozilla.com/D12563 + +--HG-- +extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4 +--- + gtests/nss_bogo_shim/config.json | 3 ++- + gtests/ssl_gtest/ssl_auth_unittest.cc | 15 +++++---------- + lib/ssl/ssl3con.c | 17 +++++++++-------- + 3 files changed, 16 insertions(+), 19 deletions(-) + +diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json +index 66f55d3..5c7a2e3 100644 +--- a/gtests/nss_bogo_shim/config.json ++++ b/gtests/nss_bogo_shim/config.json +@@ -64,7 +64,8 @@ + "RequireAnyClientCertificate-TLS1*":"Bug 1339387", + "SendExtensionOnClientCertificate-TLS13":"Bug 1339392", + "ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear", +- "P224-Server":"NSS doesn't support P-224" ++ "P224-Server":"NSS doesn't support P-224", ++ "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty." 
+ }, + "ErrorMap" : { + ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP", +diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc +index 93a8c54..3a52ac2 100644 +--- a/gtests/ssl_gtest/ssl_auth_unittest.cc ++++ b/gtests/ssl_gtest/ssl_auth_unittest.cc +@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter { + } + }; + +-// Check that we fall back to SHA-1 when the server doesn't provide any ++// Check that we send an alert when the server doesn't provide any + // supported_signature_algorithms in the CertificateRequest message. +-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) { ++TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) { + EnsureTlsSetup(); + MakeTlsFilter(server_); + auto capture_cert_verify = MakeTlsFilter( +@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) { + client_->SetupClientAuth(); + server_->RequestClientAuth(true); + +- ConnectExpectAlert(server_, kTlsAlertDecryptError); +- +- // We're expecting a bad signature here because we tampered with a handshake +- // message (CertReq). Previously, without the SHA-1 fallback, we would've +- // seen a malformed record alert. 
+- server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE); +- client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT); ++ ConnectExpectAlert(client_, kTlsAlertHandshakeFailure); + +- CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024); ++ server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT); ++ client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM); + } + + static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = { +diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c +index d7e8452..225f4f6 100644 +--- a/lib/ssl/ssl3con.c ++++ b/lib/ssl/ssl3con.c +@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes, + + PORT_Assert(pubKey); + +- if (!isTLS13 && numSchemes == 0) { +- /* If the server didn't provide any signature algorithms +- * then let's assume they support SHA-1. */ +- rv = ssl_PickFallbackSignatureScheme(ss, pubKey); +- SECKEY_DestroyPublicKey(pubKey); +- return rv; ++ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) { ++ /* We should have already checked that a signature scheme was ++ * listed in the request. */ ++ PORT_Assert(schemes && numSchemes > 0); + } + +- PORT_Assert(schemes && numSchemes > 0); +- + if (!isTLS13 && + (SECKEY_GetPublicKeyType(pubKey) == rsaKey || + SECKEY_GetPublicKeyType(pubKey) == dsaKey) && +@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length) + PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST); + goto loser; /* malformed, alert has been sent */ + } ++ if (signatureSchemeCount == 0) { ++ errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM; ++ desc = handshake_failure; ++ goto alert_loser; ++ } + } + + rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list); +-- +1.7.12.4 + diff --git a/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch b/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch new file mode 100644 index 0000000..54c3c7a --- /dev/null 
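Review bot: The guard left in ssl_PickClientSignatureScheme is a PORT_Assert only, so in release builds a zero-length scheme list reaching it is no longer handled locally, and the comment `/* We should have already checked that a signature scheme was listed in the request. */` does not say where; name the place, e.g. `/* ssl3_HandleCertificateRequest rejects an empty supported_signature_algorithms for TLS 1.2 with SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM, so the list is non-empty here. */`. The new `signatureSchemeCount == 0` check in ssl3_HandleCertificateRequest sits inside an enclosing if whose condition is outside the hunk, so whether it covers every TLS 1.2 path cannot be confirmed from here. Both functions start and end outside the hunk.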
+++ b/Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch 
@@ -0,0 +1,216 @@ +From 3b2d7d955f1baca00129454eddbe8fb5117c4fef Mon Sep 17 00:00:00 2001 +From: "J.C. Jones" +Date: Mon, 14 Jan 2019 10:35:25 -0700 +Subject: [PATCH 458/489] Bug 1507135 - Add additional null checks to CMS + message functions r=mt + +Differential review: https://phabricator.services.mozilla.com//D16488 + +--HG-- +extra : rebase_source : 31028021bec842d521d70c5200edb6ea8461fa23 +--- + lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 59 insertions(+), 10 deletions(-) + +diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c +index 27d1256..f41a432 100644 +--- a/lib/smime/cmsmessage.c ++++ b/lib/smime/cmsmessage.c +@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) + + if (poolp == NULL) { + poolp = PORT_NewArena(1024); /* XXX what is right value? */ +- if (poolp == NULL) ++ if (poolp == NULL) { + return NULL; ++ } + poolp_is_ours = PR_TRUE; + } + +@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) + if (mark) { + PORT_ArenaRelease(poolp, mark); + } +- } else ++ } else { + PORT_FreeArena(poolp, PR_FALSE); ++ } + return NULL; + } + +@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp) + cmsg->poolp_is_ours = poolp_is_ours; + cmsg->refCount = 1; + +- if (mark) ++ if (mark) { + PORT_ArenaUnmark(poolp, mark); ++ } + + return cmsg; + } +@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, + NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg, + SECAlgorithmID **detached_digestalgs, SECItem **detached_digests) + { +- if (pwfn) ++ if (cmsg == NULL) { ++ return; ++ } ++ if (pwfn) { + PK11_SetPasswordFunc(pwfn); ++ } ++ + cmsg->pwfn_arg = pwfn_arg; + cmsg->decrypt_key_cb = decrypt_key_cb; + cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg; +@@ -89,18 +97,21 @@ void + NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) + { + PORT_Assert(cmsg->refCount > 0); +- if (cmsg->refCount <= 0) /* oops */ ++ if (cmsg->refCount <= 0) { /* oops */ + return; ++ } + + 
cmsg->refCount--; /* thread safety? */ +- if (cmsg->refCount > 0) ++ if (cmsg->refCount > 0) { + return; ++ } + + NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo)); + + /* if poolp is not NULL, cmsg is the owner of its arena */ +- if (cmsg->poolp_is_ours) ++ if (cmsg->poolp_is_ours) { + PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */ ++ } + } + + /* +@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) + NSSCMSMessage * + NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) + { +- if (cmsg == NULL) ++ if (cmsg == NULL) { + return NULL; ++ } + + PORT_Assert(cmsg->refCount > 0); + +@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg) + PLArenaPool * + NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + return cmsg->poolp; + } + +@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg) + NSSCMSContentInfo * + NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + return &(cmsg->contentInfo); + } + +@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg) + SECItem * + NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + /* this is a shortcut */ + NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg); + SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo); +@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg) + int count = 0; + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return 0; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) { + count++; +@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n) + int count = 0; + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return NULL; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -200,6 
+232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg) + { + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* descend into CMS message */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg) + { + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { +@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg) + { + NSSCMSContentInfo *cinfo; + ++ if (cmsg == NULL) { ++ return PR_FALSE; ++ } ++ + /* walk down the chain of contentinfos */ + for (cinfo = &(cmsg->contentInfo); cinfo != NULL; + cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) { + switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) { + case SEC_OID_PKCS7_SIGNED_DATA: +- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) ++ if (cinfo->content.signedData == NULL) { ++ return PR_FALSE; ++ } ++ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) { + return PR_TRUE; ++ } + break; + default: + /* callback here for generic wrappers? */ +@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen) + { + SECItem *item = NULL; + +- if (cmsg == NULL) ++ if (cmsg == NULL) { + return PR_TRUE; ++ } + + item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg)); + +-- +1.7.12.4 + diff --git a/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch b/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch new file mode 100644 index 0000000..8380069 --- /dev/null +++ b/Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch 
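Review bot: The new NULL guards in NSS_CMSMessage_SetEncodingParams and the getters (GetArena, GetContentInfo, GetContent, ContentLevelCount, ContentLevel) return silently, so a caller passing NULL gets NULL or 0 back with no error code and the bug is hidden rather than reported; add `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before each such `return`. NSS_CMSMessage_GetContent now checks cmsg and then calls NSS_CMSMessage_GetContentInfo, which checks it again in the same patch; harmless, but one of the two checks could go. The `/* thread safety? */` question on `cmsg->refCount--` in NSS_CMSMessage_Destroy is left open while the surrounding lines are touched; if the refcount is never shared across threads, say so in that comment.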
@@ -0,0 +1,319 @@ +From 03d1823087e93e38485bf4fef0020fb0653ea616 Mon Sep 17 00:00:00 2001 +From: "J.C. Jones" +Date: Fri, 11 Jan 2019 22:33:16 -0700 +Subject: [PATCH 459/489] Bug 1507174 - Add additional null checks to other + CMS functions r=mt + +Differential review: https://phabricator.services.mozilla.com//D16383 + +--HG-- +extra : rebase_source : b5a87375965bbef9cd93e0ee936134631b597009 +--- + lib/smime/cmscinfo.c | 92 +++++++++++++++++++++++++++++++++++++++++++------- + lib/smime/cmsdigdata.c | 4 ++- + lib/smime/cmsencdata.c | 4 ++- + lib/smime/cmsenvdata.c | 5 +++ + lib/smime/cmsmessage.c | 3 ++ + lib/smime/cmsudf.c | 2 +- + 6 files changed, 95 insertions(+), 15 deletions(-) + +diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c +index 08db662..453ccaa 100644 +--- a/lib/smime/cmscinfo.c ++++ b/lib/smime/cmscinfo.c +@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo) + { + SECOidTag kind; + ++ if (cinfo == NULL) { ++ return; ++ } ++ + kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + switch (kind) { + case SEC_OID_PKCS7_ENVELOPED_DATA: +@@ -86,6 +90,11 @@ NSSCMSContentInfo * + NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo) + { + NSSCMSContentInfo *ccinfo = NULL; ++ ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + switch (tag) { + case SEC_OID_PKCS7_SIGNED_DATA: +@@ -127,6 +136,9 @@ SECStatus + NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = NSS_CMSContentInfo_Private_Init(cinfo); + if (rv != SECSuccess) { +@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + SECOidTag type, void *ptr) + { + SECStatus rv; ++ if (cinfo == NULL || cmsg == NULL) { ++ return SECFailure; ++ } + + cinfo->contentTypeTag = SECOID_FindOIDByTag(type); +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo->contentTypeTag == 
NULL) { + return SECFailure; ++ } + + /* do not copy the oid, just create a reference */ + rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid)); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; ++ } + + cinfo->content.pointer = ptr; + +@@ -185,8 +202,9 @@ SECStatus + NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo, + SECItem *data, PRBool detached) + { +- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) ++ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) { + return SECFailure; ++ } + if (detached) { + cinfo->rawContent = NULL; + } +@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn + void * + NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + SECOidTag tag = cinfo->contentTypeTag + ? cinfo->contentTypeTag->offset + : SEC_OID_UNKNOWN; +@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo) + SECOidTag tag; + SECItem *pItem = NULL; + ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo); + if (NSS_CMSType_IsData(tag)) { + pItem = cinfo->content.data; +@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo) + SECOidTag + NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return SEC_OID_UNKNOWN; ++ } ++ + if (cinfo->contentTypeTag == NULL) + cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType)); + +@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo) + SECItem * + NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) + { +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ ++ if (cinfo->contentTypeTag == NULL) { + cinfo->contentTypeTag = 
SECOID_FindOID(&(cinfo->contentType)); ++ } + +- if (cinfo->contentTypeTag == NULL) ++ if (cinfo->contentTypeTag == NULL) { + return NULL; ++ } + + return &(cinfo->contentTypeTag->oid); + } +@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo) + SECOidTag + NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) + { +- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) ++ if (cinfo == NULL) { ++ return SEC_OID_UNKNOWN; ++ } ++ ++ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) { + cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg)); ++ } + + return cinfo->contentEncAlgTag; + } +@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo) + SECAlgorithmID * + NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return NULL; ++ } ++ + return &(cinfo->contentEncAlg); + } + +@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo + SECOidTag bulkalgtag, SECItem *parameters, int keysize) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; ++ } + cinfo->keysize = keysize; + return SECSuccess; + } +@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin + SECAlgorithmID *algid, int keysize) + { + SECStatus rv; ++ if (cinfo == NULL) { ++ return SECFailure; ++ } + + rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid); +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return SECFailure; +- if (keysize >= 0) ++ } ++ if (keysize >= 0) { + cinfo->keysize = keysize; ++ } + return SECSuccess; + } + + void + NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey) + { +- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); +- cinfo->keysize = 
PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); ++ if (cinfo == NULL) { ++ return; ++ } ++ ++ if (bulkkey == NULL) { ++ cinfo->bulkkey = NULL; ++ cinfo->keysize = 0; ++ } else { ++ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey); ++ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg)); ++ } + } + + PK11SymKey * + NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) + { +- if (cinfo->bulkkey == NULL) ++ if (cinfo == NULL || cinfo->bulkkey == NULL) { + return NULL; ++ } + + return PK11_ReferenceSymKey(cinfo->bulkkey); + } +@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo) + int + NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo) + { ++ if (cinfo == NULL) { ++ return 0; ++ } ++ + return cinfo->keysize; + } +diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c +index 9ea2270..a249686 100644 +--- a/lib/smime/cmsdigdata.c ++++ b/lib/smime/cmsdigdata.c +@@ -56,7 +56,9 @@ void + NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd) + { + /* everything's in a pool, so don't worry about the storage */ +- NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); ++ if (digd != NULL) { ++ NSS_CMSContentInfo_Destroy(&(digd->contentInfo)); ++ } + return; + } + +diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c +index d2fc335..f2a2746 100644 +--- a/lib/smime/cmsencdata.c ++++ b/lib/smime/cmsencdata.c +@@ -87,7 +87,9 @@ void + NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd) + { + /* everything's in a pool, so don't worry about the storage */ +- NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); ++ if (encd != NULL) { ++ NSS_CMSContentInfo_Destroy(&(encd->contentInfo)); ++ } + return; + } + +diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c +index d5d5c41..95b3fb9 100644 +--- a/lib/smime/cmsenvdata.c ++++ b/lib/smime/cmsenvdata.c +@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd) + poolp = envd->cmsg->poolp; + cinfo = &(envd->contentInfo); 
+ ++ if (cinfo == NULL) { ++ PORT_SetError(SEC_ERROR_BAD_DATA); ++ goto loser; ++ } ++ + recipientinfos = envd->recipientInfos; + if (recipientinfos == NULL) { + PORT_SetError(SEC_ERROR_BAD_DATA); +diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c +index f41a432..366b71a 100644 +--- a/lib/smime/cmsmessage.c ++++ b/lib/smime/cmsmessage.c +@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg, + void + NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg) + { ++ if (cmsg == NULL) ++ return; ++ + PORT_Assert(cmsg->refCount > 0); + if (cmsg->refCount <= 0) { /* oops */ + return; +diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c +index 3ef4268..5c8a81e 100644 +--- a/lib/smime/cmsudf.c ++++ b/lib/smime/cmsudf.c +@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd) + { + const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type); + +- if (typeInfo && typeInfo->destroy) { ++ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) { + (*typeInfo->destroy)(gd); + } + } +-- +1.7.12.4 + diff --git a/PayPalEE.cert b/PayPalEE.cert new file mode 100644 index 0000000..aef4086 Binary files /dev/null and b/PayPalEE.cert differ diff --git a/PayPalICA.cert b/PayPalICA.cert new file mode 100644 index 0000000..dd14c1b Binary files /dev/null and b/PayPalICA.cert differ diff --git a/blank-cert8.db b/blank-cert8.db new file mode 100644 index 0000000..ac40a33 Binary files /dev/null and b/blank-cert8.db differ diff --git a/blank-cert9.db b/blank-cert9.db new file mode 100644 index 0000000..1763264 Binary files /dev/null and b/blank-cert9.db differ diff --git a/blank-key3.db b/blank-key3.db new file mode 100644 index 0000000..31e3975 Binary files /dev/null and b/blank-key3.db differ diff --git a/blank-key4.db b/blank-key4.db new file mode 100644 index 0000000..6bd60cb Binary files /dev/null and b/blank-key4.db differ 
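Review bot: In cmsenvdata.c the added `if (cinfo == NULL)` after `cinfo = &(envd->contentInfo);` can never be true — the address of a struct member is non-NULL whenever envd is, and envd was already dereferenced on the preceding `poolp = envd->cmsg->poolp;` line — so the check is dead code and guards nothing; the useful guard is `if (envd == NULL || envd->cmsg == NULL) { PORT_SetError(SEC_ERROR_BAD_DATA); goto loser; }` placed before those two assignments (the function starts outside the hunk). The SECFailure returns added in cmscinfo.c (SetDontStream, SetContent, SetContentEncAlg, SetContentEncAlgID) set no error code; add `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before them so callers can tell a bad argument from any other failure. The new guard in NSS_CMSMessage_Destroy is the one unbraced `if` in a patch series that otherwise braces every body.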
diff --git a/blank-secmod.db b/blank-secmod.db new file mode 100644 index 0000000..9a02807 Binary files /dev/null and b/blank-secmod.db differ diff --git a/cert8.db.xml b/cert8.db.xml new file mode 100644 index 0000000..e82948d --- /dev/null +++ b/cert8.db.xml @@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + cert8.db + 5 + + + + cert8.db + Legacy NSS certificate database + + + + Description + cert8.db is an NSS certificate database. + This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/cert8.db + + + + See also + cert9.db(5), key4.db(5), pkcs11.txt(5), + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/cert9.db.xml b/cert9.db.xml new file mode 100644 index 0000000..815d3f9 --- /dev/null +++ b/cert9.db.xml 
@@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + cert9.db + 5 + + + + cert9.db + NSS certificate database + + + + Description + cert9.db is an NSS certificate database. + This certificate database is the sqlite-based shared database with support for concurrent access. + + + + + Files + /etc/pki/nssdb/cert9.db + + + + See also + pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/iquote.patch b/iquote.patch new file mode 100644 index 0000000..6e4adcd --- /dev/null +++ b/iquote.patch @@ -0,0 +1,13 @@ +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200 ++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200 +@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME + SQLITE_LIB_NAME = sqlite3 + endif + ++# Prefer in-tree headers over system headers ++ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss ++endif ++ + MK_LOCATION = included diff --git a/key3.db.xml b/key3.db.xml new file mode 100644 index 0000000..444d7aa --- /dev/null +++ b/key3.db.xml 
@@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + key3.db + 5 + + + + key3.db + Legacy NSS certificate database + + + + Description + key3.db is an NSS certificate database. + This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/key3.db + + + + See also + cert9.db(5), key4.db(5), pkcs11.txt(5), + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/key4.db.xml b/key4.db.xml new file mode 100644 index 0000000..9b65f41 --- /dev/null +++ b/key4.db.xml @@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + key4.db + 5 + + + + key4.db + NSS certificate database + + + + Description + key4.db is an NSS key database. + This key database is the sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/key4.db + + + + See also + pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/nss-3.40.1.tar.gz b/nss-3.40.1.tar.gz new file mode 100644 index 0000000..f736adf Binary files /dev/null and b/nss-3.40.1.tar.gz differ 
diff --git a/nss-539183.patch b/nss-539183.patch new file mode 100644 index 0000000..eda3249 --- /dev/null +++ b/nss-539183.patch 
@@ -0,0 +1,62 @@ +--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 ++++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 +@@ -953,23 +953,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSockett"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); +--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 ++++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 +@@ -1711,23 +1711,23 @@ + getBoundListenSocket(unsigned short port) + { + PRFileDesc *listen_sock; + int listenQueueDepth = 5 + (2 * maxThreads); + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; + opt.value.non_blocking = PR_FALSE; + prStatus = PR_SetSocketOption(listen_sock, &opt); + if (prStatus < 0) { + PR_Close(listen_sock); + 
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); diff --git a/nss-config b/nss-config new file mode 100644 index 0000000..d22bbaa --- /dev/null +++ b/nss-config 
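Review bot: The error string in httpserv.c's new failure branch is misspelled, `errExit("PR_OpenTCPSockett");`, and differs from the selfserv.c counterpart `errExit("PR_OpenTCPSocket error");`; use one text in both, e.g. `errExit("PR_OpenTCPSocket");`. Switching the listener to `PR_OpenTCPSocket(PR_AF_INET6)` bound with `PR_IpAddrAny` presumably relies on the platform's dual-stack default (IPV6_V6ONLY off) to keep accepting IPv4 clients; a one-line comment stating that assumption above the `PR_SetNetAddr` call would help whoever ports this. getBoundListenSocket continues past the end of the hunk in both files.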
@@ -0,0 +1,145 @@ +#!/bin/sh + +prefix=/usr + +major_version=3 +minor_version=40 +patch_version=1 + +usage() +{ + cat <&2 +fi + +lib_ssl=yes +lib_smime=yes +lib_nss=yes +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + ssl) + lib_ssl=yes + ;; + smime) + lib_smime=yes + ;; + nss) + lib_nss=yes + ;; + nssutil) + lib_nssutil=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_ssl"; then + libdirs="$libdirs -lssl${major_version}" + fi + if test -n "$lib_smime"; then + libdirs="$libdirs -lsmime${major_version}" + fi + if test -n "$lib_nss"; then + libdirs="$libdirs -lnss${major_version}" + fi + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo 
$libdirs +fi + diff --git a/nss-config.xml b/nss-config.xml new file mode 100644 index 0000000..f9518c9 --- /dev/null +++ b/nss-config.xml @@ -0,0 +1,132 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + nss-config + 1 + + + + nss-config + Return meta information about nss libraries + + + + + nss-config + + + + + + + + + + + + Description + + nss-config is a shell scrip + tool which can be used to obtain gcc options for building client pacakges of nspt. + + + + + Options + + + + + Returns the top level system directory under which the nss libraries are installed. + + + + + returns the top level system directory under which any nss binaries would be installed. + + + + count + returns the path to the directory were the nss libraries are installed. + + + + + returns the upstream version of nss in the form major_version-minor_version-patch_version. + + + + + returns the compiler linking flags. + + + + + returns the compiler include flags. + + + + + returns the path to the directory were the nss libraries are installed. + + + + + + + Examples + + The following example will query for both include path and linkage flags: + + + /usr/bin/nss-config --cflags --libs + + + + + + + + + Files + + /usr/bin/nss-config + + + + + See also + pkg-config(1) + + + + Authors + The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/nss-p11-kit.config b/nss-p11-kit.config new file mode 100644 index 0000000..0ebf073 --- /dev/null +++ b/nss-p11-kit.config @@ -0,0 +1,4 @@ +name=p11-kit-proxy +library=p11-kit-proxy.so + + diff --git a/nss-softokn-config b/nss-softokn-config new file mode 100644 index 0000000..137dcdb --- /dev/null 
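Review bot: The `ssl`, `smime`, `nss` and `nssutil` arguments in nss-config can never narrow the `--libs` output, because `lib_ssl`, `lib_smime`, `lib_nss` and `lib_nssutil` are all preset to `yes` before the argument loop and the `test -n` checks therefore always pass; if linking all four by default is intended, a comment on those assignments saying so would stop readers from "fixing" it, otherwise initialise them empty. Expansions are also unquoted: `echo $prefix`, `echo -I$includedir` and `libdirs="-Wl,-rpath-link,$libdir -L$libdir"` should quote their variables. The `usage()` heredoc appears truncated in this listing (`cat <&2`), so its body could not be reviewed.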
+++ b/nss-softokn-config @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=/usr + +major_version=3 +minor_version=40 +patch_version=1 + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..010ec18 --- /dev/null +++ b/nss-softokn-dracut-module-setup.sh 
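Review bot: `--libs` in nss-softokn-config prints only `-Wl,-rpath-link,$libdir -L$libdir` and no `-l` flags, while the nss-softokn.pc added in this same commit lists `-lfreebl3 -lnssdbm3 -lsoftokn3`; if omitting them is deliberate (softoken is presumably loaded at runtime as a PKCS #11 module rather than linked), say so in a comment above the `--libs` branch, otherwise the two outputs disagree. As in nss-config, `echo $prefix` and `echo -I$includedir` should quote their expansions.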
@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+install() {
+ local _dir
+
+ inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+ libfreebl3.so
+}
diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf
new file mode 100644
index 0000000..2d9232e
--- /dev/null
+++ b/nss-softokn-dracut.conf
@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "
diff --git a/nss-softokn-prelink.conf b/nss-softokn-prelink.conf
new file mode 100644
index 0000000..1f7b405
--- /dev/null
+++ b/nss-softokn-prelink.conf
@@ -0,0 +1,8 @@
+-b /lib{,64}/libfreeblpriv3.so
+-b /lib{,64}/libfreebl3.so
+-b /lib{,64}/libsoftokn3.so
+-b /lib{,64}/libnssdbm3.so
+-b /usr/lib{,64}/libfreeblpriv3.so
+-b /usr/lib{,64}/libfreebl3.so
+-b /usr/lib{,64}/libsoftokn3.so
+-b /usr/lib{,64}/libnssdbm3.so
diff --git a/nss-softokn.pc b/nss-softokn.pc
new file mode 100644
index 0000000..5ba0c99
--- /dev/null
+++ b/nss-softokn.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=/usr
+libdir=/usr/lib64
+includedir=/usr/include/nss3
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: 3.40.1
+Requires: nspr >= 4.20.0, nss-util >= 3.40.1
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/nss-tests-paypal-certs-v2.patch b/nss-tests-paypal-certs-v2.patch
new file mode 100644
index 0000000..8f37f8c
--- /dev/null
+++ b/nss-tests-paypal-certs-v2.patch
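Review bot: `local _dir` in `install()` is declared and never used; drop it. If it was meant to drive a per-directory loop around the `inst_libdir_file` call, that loop is missing, so as written the declaration only suggests logic that does not exist.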
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Daiki Ueno
+# Date 1541595734 -3600
+# Wed Nov 07 14:02:14 2018 +0100
+# Node ID 19fd907784e38a5febb54588353368af91b12551
+# Parent 3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
+Bug 1505317, update PayPal test certs
+
+diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
+--- a/tests/chains/scenarios/realcerts.cfg
++++ b/tests/chains/scenarios/realcerts.cfg
+@@ -21,7 +21,7 @@ verify TestUser51:x
+ result pass
+ 
+ verify PayPalEE:x
+- policy OID.2.16.840.1.114412.1.1
++ policy OID.2.16.840.1.114412.2.1
+ result pass
+ 
+ verify BrAirWaysBadSig:x
+diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
+--- a/tests/libpkix/vfychain_test.lst
++++ b/tests/libpkix/vfychain_test.lst
+@@ -1,4 +1,4 @@
+ # Status | Leaf Cert | Policies | Others(undef)
+ 0 TestUser50 undef
+ 0 TestUser51 undef
+-0 PayPalEE OID.2.16.840.1.114412.1.1
++0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/nss-util-config b/nss-util-config
new file mode 100644
index 0000000..ce51cc5
--- /dev/null
+++ b/nss-util-config
@@ -0,0 +1,118 @@
+#!/bin/sh
+
+prefix=/usr
+
+major_version=3
+minor_version=40
+patch_version=1
+
+usage()
+{
+ cat <&2
+fi
+
+lib_nssutil=yes
+
+while test $# -gt 0; do
+ case "$1" in
+ -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+ *) optarg= ;;
+ esac
+
+ case $1 in
+ --prefix=*)
+ prefix=$optarg
+ ;;
+ --prefix)
+ echo_prefix=yes
+ ;;
+ --exec-prefix=*)
+ exec_prefix=$optarg
+ ;;
+ --exec-prefix)
+ echo_exec_prefix=yes
+ ;;
+ --includedir=*)
+ includedir=$optarg
+ ;;
+ --includedir)
+ echo_includedir=yes
+ ;;
+ --libdir=*)
+ libdir=$optarg
+ ;;
+ --libdir)
+ echo_libdir=yes
+ ;;
+ --version)
+ echo ${major_version}.${minor_version}.${patch_version}
+ ;;
+ --cflags)
+ echo_cflags=yes
+ ;;
+ --libs)
+ echo_libs=yes
+ ;;
+ *)
+ usage 1 1>&2
+ ;;
+ esac
+ shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+ exec_prefix=`pkg-config --variable=exec_prefix nss-util`
+fi
+if test -z "$includedir"; then
+ includedir=`pkg-config --variable=includedir nss-util`
+fi
+if test -z "$libdir"; then
+ libdir=`pkg-config --variable=libdir nss-util`
+fi
+
+if test "$echo_prefix" = "yes"; then
+ echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+ echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+ echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+ echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+ echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+ libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+ if test -n "$lib_nssutil"; then
+ libdirs="$libdirs -lnssutil${major_version}"
+ fi
+ echo $libdirs
+fi
+
diff --git a/nss-util.pc b/nss-util.pc
new file mode 100644
index 0000000..c9616e0
--- /dev/null
+++ b/nss-util.pc
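Review bot: `lib_nssutil=yes` is assigned unconditionally before the option loop and nothing ever clears it, so the `if test -n "$lib_nssutil"` guard in the `--libs` branch is always true and `-lnssutil${major_version}` is always appended. Either drop the guard and append unconditionally, or add an option that controls the variable; as written the conditional suggests a switch that does not exist.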
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=/usr
+libdir=/usr/lib64
+includedir=/usr/include/nss3
+
+Name: NSS-UTIL
+Description: Network Security Services Utility Library
+Version: 3.40.1
+Requires: nspr >= 4.20.0
+Libs: -L${libdir} -lnssutil3
+Cflags: -I${includedir}
diff --git a/nss.pc b/nss.pc
new file mode 100644
index 0000000..a82990a
--- /dev/null
+++ b/nss.pc
@@ -0,0 +1,11 @@
+prefix=/usr
+exec_prefix=/usr
+libdir=/usr/lib64
+includedir=/usr/include/nss3
+
+Name: NSS
+Description: Network Security Services
+Version: 3.40.1
+Requires: nspr >= 4.20.0, nss-util >= 3.40.1
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/nss.spec b/nss.spec
new file mode 100644
index 0000000..d4d0993
--- /dev/null
+++ b/nss.spec
@@ -0,0 +1,644 @@
+%global nspr_version 4.20.0
+%global nss_version 3.40.1
+%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
+
+%global dracutlibdir %{_prefix}/lib/dracut
+%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
+%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
+
+Summary: Network Security Services
+Name: nss
+Version: %{nss_version}
+Release: 4
+License: MPLv2.0
+URL: http://www.mozilla.org/projects/security/pki/nss/
+Provides: nss-system-init
+Requires: nspr >= %{nspr_version} nss-util >= %{nss_version} nss-softokn%{_isa} >= %{nss_version}
+Requires: p11-kit-trust crypto-policies nss-help
+Requires(post): coreutils, sed
+BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-devel
+BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++
+obsoletes: nss-sysinit
+
+Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_40_1_RTM/src/%{name}-%{nss_version}.tar.gz
+Source1: nss-util.pc
+Source2: nss-util-config
+Source3: nss-softokn.pc
+Source4: nss-softokn-config
+Source5: nss-softokn-prelink.conf
+Source6: nss-softokn-dracut-module-setup.sh
+Source7: nss-softokn-dracut.conf
+Source8: nss.pc
+Source9: nss-config
+Source10: blank-cert8.db
+Source11: blank-key3.db
+Source12: blank-secmod.db
+Source13: blank-cert9.db
+Source14: blank-key4.db
+Source15: system-pkcs11.txt
+Source16: setup-nsssysinit.sh
+Source20: nss-config.xml
+Source21: setup-nsssysinit.xml
+Source22: pkcs11.txt.xml
+Source23: cert8.db.xml
+Source24: cert9.db.xml
+Source25: key3.db.xml
+Source26: key4.db.xml
+Source27: secmod.db.xml
+Source28: nss-p11-kit.config
+Source29: PayPalICA.cert
+Source30: PayPalEE.cert
+
+Patch1: renegotiate-transitional.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
+Patch2: nss-539183.patch
+# This patch uses the GCC -iquote option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+Patch3: iquote.patch
+# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1185708
+Patch4: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
+Patch5: nss-tests-paypal-certs-v2.patch
+
+Patch9000: Bug-1412829-reject-empty-supported_signature_algorit.patch
+Patch9001: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
+Patch9002: Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch
+
+%description
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled client and
+server applications. Applications built with NSS can support SSL v2
+and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
+v3 certificates, and other security standards.
+
+%package devel
+Summary: Network Security Services development files
+Provides: nss-static = %{version}-%{release}
+Provides: nss-pkcs11-devel-static = %{version}-%{release}
+Requires: nss%{?_isa} = %{version}-%{release}
+Requires: nss-util-devel nss-softokn-devel nspr-devel >= %{nspr_version} pkgconf
+Requires: nss-softokn-devel = %{version}-%{release}
+BuildRequires: xmlto
+obsoletes: nss-pkcs11-devel
+
+%description devel
+Header and Library files for doing development with Network Security Services.
+
+%package util
+Summary: Network Security Services Utilities Library
+Requires: nspr >= %{nspr_version} nss-help
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Provides: nss-tools = %{version}-%{release}
+obsoletes: nss-tools
+
+%description util
+Utilities for Network Security Services and the Softoken module
+manipulate the NSS certificate and key database.
+
+%package util-devel
+Summary: Development libraries for Network Security Services Utilities
+Requires: nss-util%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: pkgconf
+
+%description util-devel
+Header and library files for doing development with Network Security Services.
+
+%package softokn
+Summary: Network Security Services Softoken and Freebl library Module
+Requires: nspr >= %{nspr_version}
+Requires: nss-util >= %{version}-%{release}
+Provides: nss-softokn-freebl
+Conflicts: prelink < 0.4.3
+Conflicts: filesystem < 3
+obsoletes: nss-softokn-freebl
+
+%description softokn
+Network Security Services Softoken and Freebl Cryptographic Module
+
+%package softokn-devel
+Summary: Header and Library files for doing development with the Freebl library for NSS
+Provides: nss-softokn-freebl-static = %{version}-%{release}
+Provides: nss-softokn-freebl-devel
+Requires: nss-softokn%{?_isa} = %{version}-%{release}
+Requires: nspr-devel >= %{nspr_version}
+Requires: nss-util-devel >= %{version}-%{release}
+Requires: pkgconf
+BuildRequires: nspr-devel >= %{nspr_version}
+obsoletes: nss-softokn-freebl-devel
+
+%description softokn-devel
+NSS Softoken Cryptographic Module and Freebl Library Development Tools
+This package supports special needs of some PKCS #11 module developers and
+is otherwise considered private to NSS. As such, the programming interfaces
+may change and the usual NSS binary compatibility commitments do not apply.
+Developers should rely only on the officially supported NSS public API.
+
+%package help
+Summary: help document for NSS
+Requires: man-db
+
+%description help
+Help document for NSS
+
+%prep
+%setup -q -n %{name}-%{nss_version}
+
+%patch1 -p0 -b .transitional
+%patch2 -p0 -b .539183
+%patch3 -p0 -b .iquote
+%patch4 -p0 -b .1185708_3des
+pushd nss
+%patch5 -p1 -b .paypal-certs
+%patch9000 -p1
+%patch9001 -p1
+%patch9002 -p1
+cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
+popd
+
+%build
+
+export NSS_FORCE_FIPS=1
+# Enable compiler optimizations and disable debugging code
+
+export BUILD_OPT=1
+# Uncomment to disable optimizations
+#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
+#export RPM_OPT_FLAGS
+
+# Generate symbolic info for debuggers
+export XCFLAGS=$RPM_OPT_FLAGS
+export LDFLAGS=$RPM_LD_FLAGS
+export DSO_LDOPTS=$RPM_LD_FLAGS
+
+# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
+# copied to dist and the rpm install phase can find it
+# This due of the upstream changes to fix
+# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
+export FREEBL_LOWHASH=1
+# uncomment if the iquote patch is activated
+export IN_TREE_FREEBL_HEADERS_FIRST=1
+
+export FREEBL_NO_DEPEND=1
+
+export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
+export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
+
+export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
+export NSPR_LIB_DIR=%{_libdir}
+
+export NSS_USE_SYSTEM_SQLITE=1
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+##### phase 2: build the rest of nss
+make -C ./nss/coreconf
+make -C ./nss/lib/dbm
+
+# Set the policy file location
+# if set NSS will always check for the policy file and load if it exists
+export POLICY_FILE="nss.config"
+# location of the policy file
+export POLICY_PATH="/etc/crypto-policies/back-ends"
+
+make -C ./nss
+
+# build the man pages clean
+pushd ./nss
+make clean_docs build_docs
+popd
+
+# and copy them to the dist directory for %%install to find them
+mkdir -p ./dist/docs/nroff
+cp ./nss/doc/nroff/* ./dist/docs/nroff
+
+# Set up our package files
+mkdir -p ./dist/pkgconfig
+for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE16}; do
+ cp ${m} ./dist/pkgconfig
+ chmod 755 ./dist/pkgconfig/*
+done
+
+NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
+NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
+NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
+
+SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
+SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
+SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
+
+NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
+NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
+NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
+
+cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
+
+date +"%e %B %Y" | tr -d '\n' > date.xml
+echo -n %{version} > version.xml
+
+# configuration files and setup script
+for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
+ cp ${m} .
+done
+for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
+ xmlto man ${m}
+done
+
+# nss databases considered to be configuration files
+for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
+ cp ${m} .
+done
+for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
+ xmlto man ${m}
+done
+
+
+%check
+
+export FREEBL_NO_DEPEND=1
+
+export BUILD_OPT=1
+
+%ifnarch noarch
+%if 0%{__isa_bits} == 64
+export USE_64=1
+%endif
+%endif
+
+export NSS_IGNORE_SYSTEM_POLICY=1
+
+# Run test suite.
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd ./nss/tests/
+
+# the full list from all.sh is:
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+# nss_ssl_run: cov auth stapling stress
+#
+# disable some test suites for faster test builds
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+
+popd
+
+killall $RANDSERV || :
+
+TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+fi
+echo "test suite completed"
+
+%install
+
+mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+mkdir -p $RPM_BUILD_ROOT/%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+mkdir -p $RPM_BUILD_ROOT/%{_libdir}/nss/saved
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
+mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
+mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+
+install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
+install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
+install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
+# Install the empty NSS db files
+# Legacy db
+install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the binary libraries we want
+for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a libfreebl.a
+do
+ install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h
+do
+ install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the template files we want
+for file in dist/private/nss/templates.c dist/private/nss/nssck.api
+do
+ install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
+install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
+install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in "%{allTools}"; do
+ install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+# Copy the crypto-policies configuration file
+install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
+
+/usr/bin/setup-nsssysinit.sh on
+$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so
+$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so
+$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so
+$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so
+
+%post
+update-crypto-policies
+
+%postun
+update-crypto-policies
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/*
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
+%{_libdir}/libnsssysinit.so
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+
+%files devel
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert*.h
+%{_includedir}/nss3/cm*.h
+%{_includedir}/nss3/cr*.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key*.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11*.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl*.h
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssck*.h
+%{_includedir}/nss3/templates/nssck.api
+
+%files util
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libnssutil3.so
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/nss-policy-check
+%{_bindir}/pk12util
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+
+%files util-devel
+%{_libdir}/pkgconfig/nss-util.pc
+%{_bindir}/nss-util-config
+
+# co-owned with nss
+%dir %{_includedir}/nss3
+# these are marked as public export in nss/lib/util/manifest.mk
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
+%{_includedir}/nss3/pkcs1sig.h
+%{_includedir}/nss3/pkcs11*.h
+%{_includedir}/nss3/portreg.h
+%{_includedir}/nss3/secasn1.h
+%{_includedir}/nss3/secasn1t.h
+%{_includedir}/nss3/seccomon.h
+%{_includedir}/nss3/secder.h
+%{_includedir}/nss3/secdert.h
+%{_includedir}/nss3/secdig.h
+%{_includedir}/nss3/secdigt.h
+%{_includedir}/nss3/secerr.h
+%{_includedir}/nss3/secitem.h
+%{_includedir}/nss3/secoid.h
+%{_includedir}/nss3/secoidt.h
+%{_includedir}/nss3/secport.h
+%{_includedir}/nss3/util*.h
+%{_includedir}/nss3/templates/templates.c
+
+%files softokn
+%{!?_licensedir:%global license %%doc}
+%license nss/COPYING
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
+%dir %{_sysconfdir}/prelink.conf.d/
+%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
+%dir %{dracut_modules_dir}
+%{dracut_modules_dir}/module-setup.sh
+%{dracut_conf_dir}/50-nss-softokn.conf
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libsoftokn3.chk
+%dir %{_libdir}/nss
+%dir %{_libdir}/nss/saved
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-devel
+%{_libdir}/libfreebl.a
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_bindir}/nss-softokn-config
+# co-owned with nss
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/ecl-exp.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
+
+%files help
+%doc %{_mandir}/man5/cert8.db.5*
+%doc %{_mandir}/man5/key3.db.5*
+%doc %{_mandir}/man5/secmod.db.5*
+%doc %{_mandir}/man5/cert9.db.5*
+%doc %{_mandir}/man5/key4.db.5*
+%doc %{_mandir}/man5/pkcs11.txt.5*
+%doc %{_mandir}/man1/setup-nsssysinit.1*
+%doc %{_mandir}/man1/certutil.1*
+%doc %{_mandir}/man1/cmsutil.1*
+%doc %{_mandir}/man1/crlutil.1*
+%doc %{_mandir}/man1/modutil.1*
+%doc %{_mandir}/man1/pk12util.1*
+%doc %{_mandir}/man1/signver.1*
+%doc %{_mandir}/man1/derdump.1*
+%doc %{_mandir}/man1/signtool.1*
+%doc %{_mandir}/man1/pp.1*
+%doc %{_mandir}/man1/ssltap.1*
+%doc %{_mandir}/man1/vfychain.1*
+%doc %{_mandir}/man1/vfyserv.1*
+%doc %{_mandir}/man1/nss-config.1*
+
+
+%changelog
+* Tue Sep 24 2019 openEuler Buildteam - 3.40.1-4
+- update requires for help
+
+* Mon Sep 23 2019 openEuler Buildteam - 3.40.1-3
+- Rebuild
+
+* Wed Sep 20 2019 openEuler Buildteam - 3.40.1-2
+- Package init
diff --git a/pkcs11.txt.xml b/pkcs11.txt.xml
new file mode 100644
index 0000000..d30e469
--- /dev/null
+++ b/pkcs11.txt.xml
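Review bot: The `%install` step runs `/usr/bin/setup-nsssysinit.sh on` (just before the `shlibsign` calls), which edits the build host's `/etc/pki/nssdb/pkcs11.txt` rather than the copy installed a few lines earlier under `$RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt` — the script hard-codes `p11conf="/etc/pki/nssdb/pkcs11.txt"` and takes no target argument. If the intent is to ship the sysinit module enabled, pre-enable it in `system-pkcs11.txt` or invoke the script from a `%post` of the package that owns the file; as written it mutates host state during a build (and fails the build where the script is absent from the chroot) while leaving the packaged file untouched. Separately, `%post` and `%postun` both call `update-crypto-policies`, but only `coreutils, sed` are in `Requires(post):` and there is no `Requires(postun):` at all, so crypto-policies is not guaranteed to be present when either scriptlet runs; `Requires(post): crypto-policies` and `Requires(postun): crypto-policies`, or guarding the call with `|| :`, would close that gap.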
@@ -0,0 +1,56 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + pkcs11.txt + 5 + + + + pkcs11.txt + NSS PKCS #11 module configuration file + + + + Description + +The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules. + + +For full documentation visit PKCS #11 Module Specs. + + + + + Files + /etc/pki/nssdb/pkcs11.txt + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch new file mode 100644 index 0000000..d3aa3bd --- /dev/null +++ b/renegotiate-transitional.patch @@ -0,0 +1,12 @@ +diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c +--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100 ++++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100 +@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = { + .noLocks = PR_FALSE, + .enableSessionTickets = PR_FALSE, + .enableDeflate = PR_FALSE, +- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN, ++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL, + .requireSafeNegotiation = PR_FALSE, + .enableFalseStart = PR_FALSE, + .cbcRandomIV = PR_TRUE, diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch new file mode 100644 index 0000000..455c747 --- /dev/null +++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch 
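Review bot: The new default `.enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL` relaxes `SSL_RENEGOTIATE_REQUIRES_XTN` so that, per the NSS definition of that value, client sockets may still renegotiate with peers that do not send the RFC 5746 secure-renegotiation extension while only server-side unsafe renegotiation stays blocked. That is a distribution-wide weakening of a library default rather than a fix, and unlike Patch2–Patch5 the spec carries no bug reference or rationale for `Patch1:`, so nobody can tell when it is safe to drop. A comment above `Patch1:` of the form `# <ticket reference>: allow client renegotiation with servers lacking the RFC 5746 extension; drop once <condition>` (placeholders to be filled by the packager) would make the trade-off reviewable.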
@@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
++++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ 
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/secmod.db.xml b/secmod.db.xml
new file mode 100644
index 0000000..afc9dce
--- /dev/null
+++ b/secmod.db.xml
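Review bot: The two `TLS_ECDHE_*_WITH_3DES_EDE_CBC_SHA` rows flip their enabled-by-default flag from `PR_FALSE` to `PR_TRUE`, re-enabling a 64-bit-block cipher in the compiled-in default suite list for every consumer of the system libssl3. Because the spec builds with `POLICY_FILE="nss.config"` under `/etc/crypto-policies/back-ends`, the effective suite list is normally decided by crypto-policies at runtime, which makes this compile-time change redundant where the policy file is present and a silent widening where it is not (a missing policy file, or `NSS_IGNORE_SYSTEM_POLICY=1` as the spec itself sets in `%check`). The spec cites only rhbz 1185708 for this; a comment next to `Patch4:` stating why the compile-time default is still needed alongside crypto-policies, and under what condition it is dropped, would keep it from being carried forward by default.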
@@ -0,0 +1,63 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + secmod.db + 5 + + + + secmod.db + Legacy NSS security modules database + + + + Description + secmod.db is an NSS security modules database. + The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface. + + The command line utility modutil is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens. + + For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases. + + + + + Files + /etc/pki/nssdb/secmod.db + + + + See also + modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh new file mode 100755 index 0000000..8e1f5f7 --- /dev/null +++ b/setup-nsssysinit.sh 
@@ -0,0 +1,68 @@
+#!/bin/sh
+#
+# Turns on or off the nss-sysinit module db by editing the
+# global PKCS #11 congiguration file. Displays the status.
+#
+# This script can be invoked by the user as super user.
+# It is invoked at nss-sysinit post install time with argument on.
+#
+usage()
+{
+ cat <&2
+fi
+
+# the system-wide configuration file
+p11conf="/etc/pki/nssdb/pkcs11.txt"
+# must exist, otherwise report it and exit with failure
+if [ ! -f $p11conf ]; then
+ echo "Could not find ${p11conf}"
+ exit 1
+fi
+
+# check if nsssysinit is currently enabled or disabled
+sysinit_enabled()
+{
+ grep -q '^library=libnsssysinit' ${p11conf}
+}
+
+umask 022
+case "$1" in
+ on | ON )
+ if sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=$/library=libnsssysinit.so/' \
+ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
+ ${p11conf}.on
+ mv ${p11conf}.on ${p11conf}
+ ;;
+ off | OFF )
+ if ! sysinit_enabled; then
+ exit 0
+ fi
+ cat ${p11conf} | \
+ sed -e 's/^library=libnsssysinit.so/library=/' \
+ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
+ ${p11conf}.off
+ mv ${p11conf}.off ${p11conf}
+ ;;
+ status )
+ echo -n 'NSS sysinit is '
+ sysinit_enabled && echo 'enabled' || echo 'disabled'
+ ;;
+ * )
+ usage 1 1>&2
+ ;;
+esac
diff --git a/setup-nsssysinit.xml b/setup-nsssysinit.xml
new file mode 100644
index 0000000..5b9827f
--- /dev/null
+++ b/setup-nsssysinit.xml
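Review bot: In both the `on` and `off` branches the `mv` runs unconditionally after the sed pipeline, so a sed failure or a short write to `${p11conf}.on` still replaces the live `/etc/pki/nssdb/pkcs11.txt` with a truncated file; chain the two steps, `sed -e ... "${p11conf}" > "${p11conf}.on" && mv "${p11conf}.on" "${p11conf}"` (likewise for `.off`), which also removes the needless `cat |`. The temporary file is created under the script's `umask 022`, so any mode or ownership the original `pkcs11.txt` carried is not preserved across the `mv`; copying the original's mode onto the temporary file before the rename would keep it. `echo -n` is not portable under `#!/bin/sh`; `printf 'NSS sysinit is '` is. The `usage()` body is garbled in this view (the heredoc text is missing), so it could not be reviewed here.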
@@ -0,0 +1,106 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + setup-nsssysinit + 1 + + + + setup-nsssysinit + Query or enable the nss-sysinit module + + + + + setup-nsssysinit + + + + + + + + Description + setup-nsssysinit is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. + Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on. + + + + + Options + + + + + Turn on nss-sysinit. + + + + + Turn on nss-sysinit. + + + + + returns whether nss-syinit is enabled or not. + + + + + + + Examples + + The following example will query for the status of nss-sysinit: + + /usr/bin/setup-nsssysinit status + + + + The following example, when run as superuser, will turn on nss-sysinit: + + /usr/bin/setup-nsssysinit on + + + + + + + Files + /usr/bin/setup-nsssysinit + + + + See also + pkg-config(1) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/system-pkcs11.txt b/system-pkcs11.txt new file mode 100644 index 0000000..c2f5704 --- /dev/null +++ b/system-pkcs11.txt 
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+