packages/nss
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Package init

Browse Source
This commit is contained in:
overweight 2019-09-30 11:10:05 -04:00
commit afa263357b
37 changed files with 2543 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
Bug-1412829-reject-empty-supported_signature_algorit.patch Normal file
View File

@ -0,0 +1,114 @@
From 96728bb2bc55246d2bb3d98e4c1ab4b5b58a5c41 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Thu, 22 Nov 2018 10:55:20 +0100
Subject: [PATCH 441/489] Bug 1412829, reject empty
supported_signature_algorithms in CR in TLS 1.2,
r=mt
Summary: This basically reverts bug 1335069 to align with RFC 5246.
Reviewers: mt
Reviewed By: mt
Bug #: 1412829
Differential Revision: https://phabricator.services.mozilla.com/D12563
--HG--
extra : amend_source : a87f98603e14841654948c7664dbde26ebaf04e4
---
gtests/nss_bogo_shim/config.json | 3 ++-
gtests/ssl_gtest/ssl_auth_unittest.cc | 15 +++++----------
lib/ssl/ssl3con.c | 17 +++++++++--------
3 files changed, 16 insertions(+), 19 deletions(-)
diff --git a/gtests/nss_bogo_shim/config.json b/gtests/nss_bogo_shim/config.json
index 66f55d3..5c7a2e3 100644
--- a/gtests/nss_bogo_shim/config.json
+++ b/gtests/nss_bogo_shim/config.json
@@ -64,7 +64,8 @@
"RequireAnyClientCertificate-TLS1*":"Bug 1339387",
"SendExtensionOnClientCertificate-TLS13":"Bug 1339392",
"ALPNClient-Mismatch-TLS13":"NSS sends alerts in response to errors in protected handshake messages in the clear",
- "P224-Server":"NSS doesn't support P-224"
+ "P224-Server":"NSS doesn't support P-224",
+ "ClientAuth-SHA1-Fallback*":"Boring wants us to fall back to SHA-1 if supported_signature_algorithms in CR is empty."
},
"ErrorMap" : {
":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:":"SSL_ERROR_NO_CYPHER_OVERLAP",
diff --git a/gtests/ssl_gtest/ssl_auth_unittest.cc b/gtests/ssl_gtest/ssl_auth_unittest.cc
index 93a8c54..3a52ac2 100644
--- a/gtests/ssl_gtest/ssl_auth_unittest.cc
+++ b/gtests/ssl_gtest/ssl_auth_unittest.cc
@@ -386,9 +386,9 @@ class TlsZeroCertificateRequestSigAlgsFilter : public TlsHandshakeFilter {
}
};
-// Check that we fall back to SHA-1 when the server doesn't provide any
+// Check that we send an alert when the server doesn't provide any
// supported_signature_algorithms in the CertificateRequest message.
-TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
+TEST_P(TlsConnectTls12, ClientAuthNoSigAlgs) {
EnsureTlsSetup();
MakeTlsFilter<TlsZeroCertificateRequestSigAlgsFilter>(server_);
auto capture_cert_verify = MakeTlsFilter<TlsHandshakeRecorder>(
@@ -396,15 +396,10 @@ TEST_P(TlsConnectTls12, ClientAuthNoSigAlgsFallback) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
- ConnectExpectAlert(server_, kTlsAlertDecryptError);
-
- // We're expecting a bad signature here because we tampered with a handshake
- // message (CertReq). Previously, without the SHA-1 fallback, we would've
- // seen a malformed record alert.
- server_->CheckErrorCode(SEC_ERROR_BAD_SIGNATURE);
- client_->CheckErrorCode(SSL_ERROR_DECRYPT_ERROR_ALERT);
+ ConnectExpectAlert(client_, kTlsAlertHandshakeFailure);
- CheckSigScheme(capture_cert_verify, 0, server_, ssl_sig_rsa_pkcs1_sha1, 1024);
+ server_->CheckErrorCode(SSL_ERROR_HANDSHAKE_FAILURE_ALERT);
+ client_->CheckErrorCode(SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM);
}
static const SSLSignatureScheme kSignatureSchemeEcdsaSha384[] = {
diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c
index d7e8452..225f4f6 100644
--- a/lib/ssl/ssl3con.c
+++ b/lib/ssl/ssl3con.c
@@ -6171,16 +6171,12 @@ ssl_PickClientSignatureScheme(sslSocket *ss, const SSLSignatureScheme *schemes,
PORT_Assert(pubKey);
- if (!isTLS13 && numSchemes == 0) {
- /* If the server didn't provide any signature algorithms
- * then let's assume they support SHA-1. */
- rv = ssl_PickFallbackSignatureScheme(ss, pubKey);
- SECKEY_DestroyPublicKey(pubKey);
- return rv;
+ if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_2) {
+ /* We should have already checked that a signature scheme was
+ * listed in the request. */
+ PORT_Assert(schemes && numSchemes > 0);
}
- PORT_Assert(schemes && numSchemes > 0);
-
if (!isTLS13 &&
(SECKEY_GetPublicKeyType(pubKey) == rsaKey ||
SECKEY_GetPublicKeyType(pubKey) == dsaKey) &&
@@ -7331,6 +7327,11 @@ ssl3_HandleCertificateRequest(sslSocket *ss, PRUint8 *b, PRUint32 length)
PORT_SetError(SSL_ERROR_RX_MALFORMED_CERT_REQUEST);
goto loser; /* malformed, alert has been sent */
}
+ if (signatureSchemeCount == 0) {
+ errCode = SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ desc = handshake_failure;
+ goto alert_loser;
+ }
}
rv = ssl3_ParseCertificateRequestCAs(ss, &b, &length, &ca_list);
--
1.7.12.4

216
Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch Normal file
View File

@ -0,0 +1,216 @@
From 3b2d7d955f1baca00129454eddbe8fb5117c4fef Mon Sep 17 00:00:00 2001
From: "J.C. Jones" <jjones@mozilla.com>
Date: Mon, 14 Jan 2019 10:35:25 -0700
Subject: [PATCH 458/489] Bug 1507135 - Add additional null checks to CMS
message functions r=mt
Differential review: https://phabricator.services.mozilla.com//D16488
--HG--
extra : rebase_source : 31028021bec842d521d70c5200edb6ea8461fa23
---
lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 59 insertions(+), 10 deletions(-)
diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
index 27d1256..f41a432 100644
--- a/lib/smime/cmsmessage.c
+++ b/lib/smime/cmsmessage.c
@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
if (poolp == NULL) {
poolp = PORT_NewArena(1024); /* XXX what is right value? */
- if (poolp == NULL)
+ if (poolp == NULL) {
return NULL;
+ }
poolp_is_ours = PR_TRUE;
}
@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
if (mark) {
PORT_ArenaRelease(poolp, mark);
}
- } else
+ } else {
PORT_FreeArena(poolp, PR_FALSE);
+ }
return NULL;
}
@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
cmsg->poolp_is_ours = poolp_is_ours;
cmsg->refCount = 1;
- if (mark)
+ if (mark) {
PORT_ArenaUnmark(poolp, mark);
+ }
return cmsg;
}
@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
{
- if (pwfn)
+ if (cmsg == NULL) {
+ return;
+ }
+ if (pwfn) {
PK11_SetPasswordFunc(pwfn);
+ }
+
cmsg->pwfn_arg = pwfn_arg;
cmsg->decrypt_key_cb = decrypt_key_cb;
cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
@@ -89,18 +97,21 @@ void
NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
{
PORT_Assert(cmsg->refCount > 0);
- if (cmsg->refCount <= 0) /* oops */
+ if (cmsg->refCount <= 0) { /* oops */
return;
+ }
cmsg->refCount--; /* thread safety? */
- if (cmsg->refCount > 0)
+ if (cmsg->refCount > 0) {
return;
+ }
NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
/* if poolp is not NULL, cmsg is the owner of its arena */
- if (cmsg->poolp_is_ours)
+ if (cmsg->poolp_is_ours) {
PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */
+ }
}
/*
@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
NSSCMSMessage *
NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
{
- if (cmsg == NULL)
+ if (cmsg == NULL) {
return NULL;
+ }
PORT_Assert(cmsg->refCount > 0);
@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
PLArenaPool *
NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
return cmsg->poolp;
}
@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
NSSCMSContentInfo *
NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
return &(cmsg->contentInfo);
}
@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
SECItem *
NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
/* this is a shortcut */
NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
int count = 0;
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return 0;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) {
count++;
@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
int count = 0;
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return NULL;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -200,6 +232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* descend into CMS message */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
{
NSSCMSContentInfo *cinfo;
+ if (cmsg == NULL) {
+ return PR_FALSE;
+ }
+
/* walk down the chain of contentinfos */
for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
case SEC_OID_PKCS7_SIGNED_DATA:
- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
+ if (cinfo->content.signedData == NULL) {
+ return PR_FALSE;
+ }
+ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) {
return PR_TRUE;
+ }
break;
default:
/* callback here for generic wrappers? */
@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
{
SECItem *item = NULL;
- if (cmsg == NULL)
+ if (cmsg == NULL) {
return PR_TRUE;
+ }
item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
--
1.7.12.4

319
Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch Normal file
View File

@ -0,0 +1,319 @@
From 03d1823087e93e38485bf4fef0020fb0653ea616 Mon Sep 17 00:00:00 2001
From: "J.C. Jones" <jjones@mozilla.com>
Date: Fri, 11 Jan 2019 22:33:16 -0700
Subject: [PATCH 459/489] Bug 1507174 - Add additional null checks to other
CMS functions r=mt
Differential review: https://phabricator.services.mozilla.com//D16383
--HG--
extra : rebase_source : b5a87375965bbef9cd93e0ee936134631b597009
---
lib/smime/cmscinfo.c | 92 +++++++++++++++++++++++++++++++++++++++++++-------
lib/smime/cmsdigdata.c | 4 ++-
lib/smime/cmsencdata.c | 4 ++-
lib/smime/cmsenvdata.c | 5 +++
lib/smime/cmsmessage.c | 3 ++
lib/smime/cmsudf.c | 2 +-
6 files changed, 95 insertions(+), 15 deletions(-)
diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c
index 08db662..453ccaa 100644
--- a/lib/smime/cmscinfo.c
+++ b/lib/smime/cmscinfo.c
@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
{
SECOidTag kind;
+ if (cinfo == NULL) {
+ return;
+ }
+
kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (kind) {
case SEC_OID_PKCS7_ENVELOPED_DATA:
@@ -86,6 +90,11 @@ NSSCMSContentInfo *
NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
{
NSSCMSContentInfo *ccinfo = NULL;
+
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
switch (tag) {
case SEC_OID_PKCS7_SIGNED_DATA:
@@ -127,6 +136,9 @@ SECStatus
NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = NSS_CMSContentInfo_Private_Init(cinfo);
if (rv != SECSuccess) {
@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
SECOidTag type, void *ptr)
{
SECStatus rv;
+ if (cinfo == NULL || cmsg == NULL) {
+ return SECFailure;
+ }
cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo->contentTypeTag == NULL) {
return SECFailure;
+ }
/* do not copy the oid, just create a reference */
rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
+ }
cinfo->content.pointer = ptr;
@@ -185,8 +202,9 @@ SECStatus
NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
SECItem *data, PRBool detached)
{
- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
+ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) {
return SECFailure;
+ }
if (detached) {
cinfo->rawContent = NULL;
}
@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
void *
NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
SECOidTag tag = cinfo->contentTypeTag
? cinfo->contentTypeTag->offset
: SEC_OID_UNKNOWN;
@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
SECOidTag tag;
SECItem *pItem = NULL;
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
if (NSS_CMSType_IsData(tag)) {
pItem = cinfo->content.data;
@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
SECOidTag
NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+
if (cinfo->contentTypeTag == NULL)
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
SECItem *
NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
{
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
+ if (cinfo->contentTypeTag == NULL) {
cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+ }
- if (cinfo->contentTypeTag == NULL)
+ if (cinfo->contentTypeTag == NULL) {
return NULL;
+ }
return &(cinfo->contentTypeTag->oid);
}
@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
SECOidTag
NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
{
- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
+ if (cinfo == NULL) {
+ return SEC_OID_UNKNOWN;
+ }
+
+ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) {
cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
+ }
return cinfo->contentEncAlgTag;
}
@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
SECAlgorithmID *
NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return NULL;
+ }
+
return &(cinfo->contentEncAlg);
}
@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo
SECOidTag bulkalgtag, SECItem *parameters, int keysize)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
+ }
cinfo->keysize = keysize;
return SECSuccess;
}
@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
SECAlgorithmID *algid, int keysize)
{
SECStatus rv;
+ if (cinfo == NULL) {
+ return SECFailure;
+ }
rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
- if (rv != SECSuccess)
+ if (rv != SECSuccess) {
return SECFailure;
- if (keysize >= 0)
+ }
+ if (keysize >= 0) {
cinfo->keysize = keysize;
+ }
return SECSuccess;
}
void
NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
{
- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
- cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+ if (cinfo == NULL) {
+ return;
+ }
+
+ if (bulkkey == NULL) {
+ cinfo->bulkkey = NULL;
+ cinfo->keysize = 0;
+ } else {
+ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
+ }
}
PK11SymKey *
NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
{
- if (cinfo->bulkkey == NULL)
+ if (cinfo == NULL || cinfo->bulkkey == NULL) {
return NULL;
+ }
return PK11_ReferenceSymKey(cinfo->bulkkey);
}
@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
int
NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
{
+ if (cinfo == NULL) {
+ return 0;
+ }
+
return cinfo->keysize;
}
diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c
index 9ea2270..a249686 100644
--- a/lib/smime/cmsdigdata.c
+++ b/lib/smime/cmsdigdata.c
@@ -56,7 +56,9 @@ void
NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
{
/* everything's in a pool, so don't worry about the storage */
- NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+ if (digd != NULL) {
+ NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
+ }
return;
}
diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c
index d2fc335..f2a2746 100644
--- a/lib/smime/cmsencdata.c
+++ b/lib/smime/cmsencdata.c
@@ -87,7 +87,9 @@ void
NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
{
/* everything's in a pool, so don't worry about the storage */
- NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+ if (encd != NULL) {
+ NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
+ }
return;
}
diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c
index d5d5c41..95b3fb9 100644
--- a/lib/smime/cmsenvdata.c
+++ b/lib/smime/cmsenvdata.c
@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
poolp = envd->cmsg->poolp;
cinfo = &(envd->contentInfo);
+ if (cinfo == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+ goto loser;
+ }
+
recipientinfos = envd->recipientInfos;
if (recipientinfos == NULL) {
PORT_SetError(SEC_ERROR_BAD_DATA);
diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
index f41a432..366b71a 100644
--- a/lib/smime/cmsmessage.c
+++ b/lib/smime/cmsmessage.c
@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
void
NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
{
+ if (cmsg == NULL)
+ return;
+
PORT_Assert(cmsg->refCount > 0);
if (cmsg->refCount <= 0) { /* oops */
return;
diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c
index 3ef4268..5c8a81e 100644
--- a/lib/smime/cmsudf.c
+++ b/lib/smime/cmsudf.c
@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
{
const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
- if (typeInfo && typeInfo->destroy) {
+ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) {
(*typeInfo->destroy)(gd);
}
}
--
1.7.12.4

BIN
PayPalEE.cert Normal file
View File

Binary file not shown.

BIN
PayPalICA.cert Normal file
View File

Binary file not shown.

BIN
blank-cert8.db Normal file
View File

Binary file not shown.

BIN
blank-cert9.db Normal file
View File

Binary file not shown.

BIN
blank-key3.db Normal file
View File

Binary file not shown.

BIN
blank-key4.db Normal file
View File

Binary file not shown.

BIN
blank-secmod.db Normal file
View File

Binary file not shown.

59
cert8.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert8.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert8.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert8.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert8.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert8.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
cert9.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="cert9.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>cert9.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>cert9.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>cert9.db</emphasis> is an NSS certificate database.</para>
<para>This certificate database is the sqlite-based shared database with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/cert9.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

13
iquote.patch Normal file
View File

@ -0,0 +1,13 @@
diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
SQLITE_LIB_NAME = sqlite3
endif
+# Prefer in-tree headers over system headers
+ifdef IN_TREE_FREEBL_HEADERS_FIRST
+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
+endif
+
MK_LOCATION = included

59
key3.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key3.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key3.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key3.db</refname>
<refpurpose>Legacy NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key3.db</emphasis> is an NSS certificate database.</para>
<para>This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key3.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>cert9.db(5), key4.db(5), pkcs11.txt(5), </para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

59
key4.db.xml Normal file
View File

@ -0,0 +1,59 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="key4.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>key4.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>key4.db</refname>
<refpurpose>NSS certificate database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>key4.db</emphasis> is an NSS key database.</para>
<para>This key database is the sqlite-based shared database format with support for concurrent access.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/key4.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

BIN
nss-3.40.1.tar.gz Normal file
View File

Binary file not shown.

62
nss-539183.patch Normal file
View File

@ -0,0 +1,62 @@
--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
@@ -953,23 +953,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSockett");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
@@ -1711,23 +1711,23 @@
getBoundListenSocket(unsigned short port)
{
PRFileDesc *listen_sock;
int listenQueueDepth = 5 + (2 * maxThreads);
PRStatus prStatus;
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
- errExit("PR_NewTCPSocket");
+ errExit("PR_OpenTCPSocket error");
}
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;
prStatus = PR_SetSocketOption(listen_sock, &opt);
if (prStatus < 0) {
PR_Close(listen_sock);
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");

145
nss-config Normal file
View File

@ -0,0 +1,145 @@
#!/bin/sh
prefix=/usr
major_version=3
minor_version=40
patch_version=1
usage()
{
cat <<EOF
Usage: nss-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nss
nssutil
ssl
smime
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_ssl=yes
lib_smime=yes
lib_nss=yes
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
ssl)
lib_ssl=yes
;;
smime)
lib_smime=yes
;;
nss)
lib_nss=yes
;;
nssutil)
lib_nssutil=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_ssl"; then
libdirs="$libdirs -lssl${major_version}"
fi
if test -n "$lib_smime"; then
libdirs="$libdirs -lsmime${major_version}"
fi
if test -n "$lib_nss"; then
libdirs="$libdirs -lnss${major_version}"
fi
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

132
nss-config.xml Normal file
View File

@ -0,0 +1,132 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="nss-config">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>nss-config</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>nss-config</refname>
<refpurpose>Return meta information about nss libraries</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>nss-config</command>
<arg><option>--prefix</option></arg>
<arg><option>--exec-prefix</option></arg>
<arg><option>--includedir</option></arg>
<arg><option>--libs</option></arg>
<arg><option>--cflags</option></arg>
<arg><option>--libdir</option></arg>
<arg><option>--version</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>nss-config</command> is a shell scrip
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--prefix</option></term>
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--exec-prefix</option></term>
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--version</option></term>
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libs</option></term>
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--cflags</option></term>
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--libdir</option></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for both include path and linkage flags:
<programlisting>
/usr/bin/nss-config --cflags --libs
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/nss-config</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>
Authors: Elio Maldonado &lt;emaldona@redhat.com>.
</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

4
nss-p11-kit.config Normal file
View File

@ -0,0 +1,4 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

116
nss-softokn-config Normal file
View File

@ -0,0 +1,116 @@
#!/bin/sh
prefix=/usr
major_version=3
minor_version=40
patch_version=1
usage()
{
cat <<EOF
Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
softokn3 - Requires full dynamic linking
freebl3 - for internal use only (and glibc for self-integrity check)
nssdbm3 - for internal use only
Dymamically linked
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-softokn`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-softokn`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
echo $libdirs
fi

18
nss-softokn-dracut-module-setup.sh Normal file
View File

@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
check() {
return 255
}
depends() {
return 0
}
install() {
local _dir
inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
libfreebl3.so
}

3
nss-softokn-dracut.conf Normal file
View File

@ -0,0 +1,3 @@
# turn on nss-softokn module
add_dracutmodules+=" nss-softokn "

8
nss-softokn-prelink.conf Normal file
View File

@ -0,0 +1,8 @@
-b /lib{,64}/libfreeblpriv3.so
-b /lib{,64}/libfreebl3.so
-b /lib{,64}/libsoftokn3.so
-b /lib{,64}/libnssdbm3.so
-b /usr/lib{,64}/libfreeblpriv3.so
-b /usr/lib{,64}/libfreebl3.so
-b /usr/lib{,64}/libsoftokn3.so
-b /usr/lib{,64}/libnssdbm3.so

11
nss-softokn.pc Normal file
View File

@ -0,0 +1,11 @@
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib64
includedir=/usr/include/nss3
Name: NSS-SOFTOKN
Description: Network Security Services Softoken PKCS #11 Module
Version: 3.40.1
Requires: nspr >= 4.20.0, nss-util >= 3.40.1
Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
Cflags: -I${includedir}

29
nss-tests-paypal-certs-v2.patch Normal file
View File

@ -0,0 +1,29 @@
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1541595734 -3600
# Wed Nov 07 14:02:14 2018 +0100
# Node ID 19fd907784e38a5febb54588353368af91b12551
# Parent 3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
Bug 1505317, update PayPal test certs
diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
--- a/tests/chains/scenarios/realcerts.cfg
+++ b/tests/chains/scenarios/realcerts.cfg
@@ -21,7 +21,7 @@ verify TestUser51:x
result pass
verify PayPalEE:x
- policy OID.2.16.840.1.114412.1.1
+ policy OID.2.16.840.1.114412.2.1
result pass
verify BrAirWaysBadSig:x
diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
--- a/tests/libpkix/vfychain_test.lst
+++ b/tests/libpkix/vfychain_test.lst
@@ -1,4 +1,4 @@
# Status | Leaf Cert | Policies | Others(undef)
0 TestUser50 undef
0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
+0 PayPalEE OID.2.16.840.1.114412.2.1

118
nss-util-config Normal file
View File

@ -0,0 +1,118 @@
#!/bin/sh
prefix=/usr
major_version=3
minor_version=40
patch_version=1
usage()
{
cat <<EOF
Usage: nss-util-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nssutil
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=`pkg-config --variable=exec_prefix nss-util`
fi
if test -z "$includedir"; then
includedir=`pkg-config --variable=includedir nss-util`
fi
if test -z "$libdir"; then
libdir=`pkg-config --variable=libdir nss-util`
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi

11
nss-util.pc Normal file
View File

@ -0,0 +1,11 @@
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib64
includedir=/usr/include/nss3
Name: NSS-UTIL
Description: Network Security Services Utility Library
Version: 3.40.1
Requires: nspr >= 4.20.0
Libs: -L${libdir} -lnssutil3
Cflags: -I${includedir}

11
nss.pc Normal file
View File

@ -0,0 +1,11 @@
prefix=/usr
exec_prefix=/usr
libdir=/usr/lib64
includedir=/usr/include/nss3
Name: NSS
Description: Network Security Services
Version: 3.40.1
Requires: nspr >= 4.20.0, nss-util >= 3.40.1
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
Cflags: -I${includedir}

644
nss.spec Normal file
View File

@ -0,0 +1,644 @@
%global nspr_version 4.20.0
%global nss_version 3.40.1
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
%global dracutlibdir %{_prefix}/lib/dracut
%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/
%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d
Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: 4
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Provides: nss-system-init
Requires: nspr >= %{nspr_version} nss-util >= %{nss_version} nss-softokn%{_isa} >= %{nss_version}
Requires: p11-kit-trust crypto-policies nss-help
Requires(post): coreutils, sed
BuildRequires: nspr-devel >= %{nspr_version} nss-softokn sqlite-devel zlib-devel
BuildRequires: pkgconf gawk psmisc perl-interpreter gcc-c++
obsoletes: nss-sysinit
Source0: https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_40_1_RTM/src/%{name}-%{nss_version}.tar.gz
Source1: nss-util.pc
Source2: nss-util-config
Source3: nss-softokn.pc
Source4: nss-softokn-config
Source5: nss-softokn-prelink.conf
Source6: nss-softokn-dracut-module-setup.sh
Source7: nss-softokn-dracut.conf
Source8: nss.pc
Source9: nss-config
Source10: blank-cert8.db
Source11: blank-key3.db
Source12: blank-secmod.db
Source13: blank-cert9.db
Source14: blank-key4.db
Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh
Source20: nss-config.xml
Source21: setup-nsssysinit.xml
Source22: pkcs11.txt.xml
Source23: cert8.db.xml
Source24: cert9.db.xml
Source25: key3.db.xml
Source26: key4.db.xml
Source27: secmod.db.xml
Source28: nss-p11-kit.config
Source29: PayPalICA.cert
Source30: PayPalEE.cert
Patch1: renegotiate-transitional.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
Patch2: nss-539183.patch
# This patch uses the GCC -iquote option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to give the in-tree headers a higher priority over the system headers,
# when they are included through the quote form (#include "file.h").
Patch3: iquote.patch
# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1185708
Patch4: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
Patch5: nss-tests-paypal-certs-v2.patch
Patch9000: Bug-1412829-reject-empty-supported_signature_algorit.patch
Patch9001: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
Patch9002: Bug-1507174-Add-additional-null-checks-to-other-CMS-.patch
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.
%package devel
Summary: Network Security Services development files
Provides: nss-static = %{version}-%{release}
Provides: nss-pkcs11-devel-static = %{version}-%{release}
Requires: nss%{?_isa} = %{version}-%{release}
Requires: nss-util-devel nss-softokn-devel nspr-devel >= %{nspr_version} pkgconf
Requires: nss-softokn-devel = %{version}-%{release}
BuildRequires: xmlto
obsoletes: nss-pkcs11-devel
%description devel
Header and Library files for doing development with Network Security Services.
%package util
Summary: Network Security Services Utilities Library
Requires: nspr >= %{nspr_version} nss-help
Requires: %{name}%{?_isa} = %{version}-%{release}
Provides: nss-tools = %{version}-%{release}
obsoletes: nss-tools
%description util
Utilities for Network Security Services and the Softoken module
manipulate the NSS certificate and key database.
%package util-devel
Summary: Development libraries for Network Security Services Utilities
Requires: nss-util%{?_isa} = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconf
%description util-devel
Header and library files for doing development with Network Security Services.
%package softokn
Summary: Network Security Services Softoken and Freebl library Module
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{version}-%{release}
Provides: nss-softokn-freebl
Conflicts: prelink < 0.4.3
Conflicts: filesystem < 3
obsoletes: nss-softokn-freebl
%description softokn
Network Security Services Softoken and Freebl Cryptographic Module
%package softokn-devel
Summary: Header and Library files for doing development with the Freebl library for NSS
Provides: nss-softokn-freebl-static = %{version}-%{release}
Provides: nss-softokn-freebl-devel
Requires: nss-softokn%{?_isa} = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: nss-util-devel >= %{version}-%{release}
Requires: pkgconf
BuildRequires: nspr-devel >= %{nspr_version}
obsoletes: nss-softokn-freebl-devel
%description softokn-devel
NSS Softoken Cryptographic Module and Freebl Library Development Tools
This package supports special needs of some PKCS #11 module developers and
is otherwise considered private to NSS. As such, the programming interfaces
may change and the usual NSS binary compatibility commitments do not apply.
Developers should rely only on the officially supported NSS public API.
%package help
Summary: help document for NSS
Requires: man-db
%description help
Help document for NSS
%prep
%setup -q -n %{name}-%{nss_version}
%patch1 -p0 -b .transitional
%patch2 -p0 -b .539183
%patch3 -p0 -b .iquote
%patch4 -p0 -b .1185708_3des
pushd nss
%patch5 -p1 -b .paypal-certs
%patch9000 -p1
%patch9001 -p1
%patch9002 -p1
cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
popd
%build
export NSS_FORCE_FIPS=1
# Enable compiler optimizations and disable debugging code
export BUILD_OPT=1
# Uncomment to disable optimizations
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
#export RPM_OPT_FLAGS
# Generate symbolic info for debuggers
export XCFLAGS=$RPM_OPT_FLAGS
export LDFLAGS=$RPM_LD_FLAGS
export DSO_LDOPTS=$RPM_LD_FLAGS
# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets
# copied to dist and the rpm install phase can find it
# This due of the upstream changes to fix
# https://bugzilla.mozilla.org/show_bug.cgi?id=717906
export FREEBL_LOWHASH=1
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
export FREEBL_NO_DEPEND=1
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1
export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
export NSPR_LIB_DIR=%{_libdir}
export NSS_USE_SYSTEM_SQLITE=1
export NSS_ALLOW_SSLKEYLOGFILE=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
export USE_64=1
%endif
%endif
##### phase 2: build the rest of nss
make -C ./nss/coreconf
make -C ./nss/lib/dbm
# Set the policy file location
# if set NSS will always check for the policy file and load if it exists
export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
make -C ./nss
# build the man pages clean
pushd ./nss
make clean_docs build_docs
popd
# and copy them to the dist directory for %%install to find them
mkdir -p ./dist/docs/nroff
cp ./nss/doc/nroff/* ./dist/docs/nroff
# Set up our package files
mkdir -p ./dist/pkgconfig
for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE16}; do
cp ${m} ./dist/pkgconfig
chmod 755 ./dist/pkgconfig/*
done
NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'`
NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'`
NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'`
SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'`
SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'`
SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'`
NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`
cp ./nss/lib/ckfw/nssck.api ./dist/private/nss/
date +"%e %B %Y" | tr -d '\n' > date.xml
echo -n %{version} > version.xml
# configuration files and setup script
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do
cp ${m} .
done
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do
xmlto man ${m}
done
# nss databases considered to be configuration files
for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do
cp ${m} .
done
for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do
xmlto man ${m}
done
%check
export FREEBL_NO_DEPEND=1
export BUILD_OPT=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
export USE_64=1
%endif
%endif
export NSS_IGNORE_SYSTEM_POLICY=1
# Run test suite.
SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
echo "error: filenames containing space are not supported (xargs)"
exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
cd $DISTBINDIR
ln -s selfserv $RANDSERV
popd
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./nss/tests -type f |\
grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
grep -vw CVS |xargs grep -lw selfserv |\
xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
killall $RANDSERV || :
rm -rf ./tests_results
pushd ./nss/tests/
# the full list from all.sh is:
%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
# nss_ssl_run: cov auth stapling stress
#
# disable some test suites for faster test builds
# % define nss_ssl_tests "normal_fips"
# % define nss_ssl_run "cov"
HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
popd
killall $RANDSERV || :
TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
echo "okay: test suite detected no failures"
else
if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
# while a situation in which grep return status is 0 and it doesn't output
# anything shouldn't happen, set the default to something that is
# obviously wrong (-1)
echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
exit 1
else
if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
echo "error: grep has not found log file"
exit 1
else
echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
exit 1
fi
fi
fi
echo "test suite completed"
%install
mkdir -p $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
mkdir -p $RPM_BUILD_ROOT/%{_bindir}
mkdir -p $RPM_BUILD_ROOT/%{unsupported_tools_directory}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/nss/saved
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
# Install the empty NSS db files
# Legacy db
install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
install -p -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
# Shared db
install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
# Copy the binary libraries we want
for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
do
install -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a libfreebl.a
do
install -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done
# Copy the binaries we want
for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
do
install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done
# Copy the binaries we ship as unsupported
for file in bltest ecperf fbectest fipstest shlibsign atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain
do
install -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done
# Copy the include files we want
for file in dist/public/nss/*.h
do
install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
# Copy some freebl include files we also want
for file in blapi.h alghmac.h
do
install -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
# Copy the template files we want
for file in dist/private/nss/templates.c dist/private/nss/nssck.api
do
install -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
done
# Copy the package configuration files
install -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
install -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config
install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
# Copy the pkcs #11 configuration script
install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
# install a symbolic link to it, without the ".sh" suffix,
ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
# Copy the man pages for scripts
for f in nss-config setup-nsssysinit; do
install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
# Copy the man pages for the nss tools
for f in "%{allTools}"; do
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
# Copy the man pages for the configuration files
for f in pkcs11.txt; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
# Copy the man pages for the nss databases
for f in cert8.db cert9.db key3.db key4.db secmod.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
# Copy the crypto-policies configuration file
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
/usr/bin/setup-nsssysinit.sh on
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so
%post
update-crypto-policies
%postun
update-crypto-policies
%files
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libnss3.so
%{_libdir}/libssl3.so
%{_libdir}/libsmime3.so
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/*
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
%{_libdir}/libnsssysinit.so
%{_bindir}/setup-nsssysinit.sh
# symbolic link to setup-nsssysinit.sh
%{_bindir}/setup-nsssysinit
%files devel
%{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config
%{_libdir}/libnssb.a
%{_libdir}/libnssckfw.a
%dir %{_includedir}/nss3
%{_includedir}/nss3/cert*.h
%{_includedir}/nss3/cm*.h
%{_includedir}/nss3/cr*.h
%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/jar-ds.h
%{_includedir}/nss3/jar.h
%{_includedir}/nss3/jarfile.h
%{_includedir}/nss3/key*.h
%{_includedir}/nss3/nss.h
%{_includedir}/nss3/ocsp.h
%{_includedir}/nss3/ocspt.h
%{_includedir}/nss3/p12.h
%{_includedir}/nss3/p12plcy.h
%{_includedir}/nss3/p12t.h
%{_includedir}/nss3/pk11*.h
%{_includedir}/nss3/pkcs12.h
%{_includedir}/nss3/pkcs12t.h
%{_includedir}/nss3/pkcs7t.h
%{_includedir}/nss3/preenc.h
%{_includedir}/nss3/secmime.h
%{_includedir}/nss3/secmod.h
%{_includedir}/nss3/secmodt.h
%{_includedir}/nss3/secpkcs5.h
%{_includedir}/nss3/secpkcs7.h
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl*.h
%{_includedir}/nss3/nssbase.h
%{_includedir}/nss3/nssbaset.h
%{_includedir}/nss3/nssck*.h
%{_includedir}/nss3/templates/nssck.api
%files util
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libnssutil3.so
%{_bindir}/certutil
%{_bindir}/cmsutil
%{_bindir}/crlutil
%{_bindir}/modutil
%{_bindir}/nss-policy-check
%{_bindir}/pk12util
%{_bindir}/signver
%{_bindir}/ssltap
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/listsuites
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
%{unsupported_tools_directory}/signtool
%{unsupported_tools_directory}/strsclnt
%{unsupported_tools_directory}/symkeyutil
%{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain
%files util-devel
%{_libdir}/pkgconfig/nss-util.pc
%{_bindir}/nss-util-config
# co-owned with nss
%dir %{_includedir}/nss3
# these are marked as public export in nss/lib/util/manifest.mk
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/pkcs11*.h
%{_includedir}/nss3/portreg.h
%{_includedir}/nss3/secasn1.h
%{_includedir}/nss3/secasn1t.h
%{_includedir}/nss3/seccomon.h
%{_includedir}/nss3/secder.h
%{_includedir}/nss3/secdert.h
%{_includedir}/nss3/secdig.h
%{_includedir}/nss3/secdigt.h
%{_includedir}/nss3/secerr.h
%{_includedir}/nss3/secitem.h
%{_includedir}/nss3/secoid.h
%{_includedir}/nss3/secoidt.h
%{_includedir}/nss3/secport.h
%{_includedir}/nss3/util*.h
%{_includedir}/nss3/templates/templates.c
%files softokn
%{!?_licensedir:%global license %%doc}
%license nss/COPYING
%{_libdir}/libfreebl3.so
%{_libdir}/libfreebl3.chk
%{_libdir}/libfreeblpriv3.so
%{_libdir}/libfreeblpriv3.chk
%dir %{_sysconfdir}/prelink.conf.d/
%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
%dir %{dracut_modules_dir}
%{dracut_modules_dir}/module-setup.sh
%{dracut_conf_dir}/50-nss-softokn.conf
%{_libdir}/libnssdbm3.so
%{_libdir}/libnssdbm3.chk
%{_libdir}/libsoftokn3.so
%{_libdir}/libsoftokn3.chk
%dir %{_libdir}/nss
%dir %{_libdir}/nss/saved
%dir %{unsupported_tools_directory}
%{unsupported_tools_directory}/bltest
%{unsupported_tools_directory}/ecperf
%{unsupported_tools_directory}/fbectest
%{unsupported_tools_directory}/fipstest
%{unsupported_tools_directory}/shlibsign
%files softokn-devel
%{_libdir}/libfreebl.a
%{_includedir}/nss3/blapi.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/alghmac.h
%{_includedir}/nss3/lowkeyi.h
%{_includedir}/nss3/lowkeyti.h
%{_libdir}/pkgconfig/nss-softokn.pc
%{_bindir}/nss-softokn-config
# co-owned with nss
%dir %{_includedir}/nss3
%{_includedir}/nss3/ecl-exp.h
%{_includedir}/nss3/nsslowhash.h
%{_includedir}/nss3/shsign.h
%files help
%doc %{_mandir}/man5/cert8.db.5*
%doc %{_mandir}/man5/key3.db.5*
%doc %{_mandir}/man5/secmod.db.5*
%doc %{_mandir}/man5/cert9.db.5*
%doc %{_mandir}/man5/key4.db.5*
%doc %{_mandir}/man5/pkcs11.txt.5*
%doc %{_mandir}/man1/setup-nsssysinit.1*
%doc %{_mandir}/man1/certutil.1*
%doc %{_mandir}/man1/cmsutil.1*
%doc %{_mandir}/man1/crlutil.1*
%doc %{_mandir}/man1/modutil.1*
%doc %{_mandir}/man1/pk12util.1*
%doc %{_mandir}/man1/signver.1*
%doc %{_mandir}/man1/derdump.1*
%doc %{_mandir}/man1/signtool.1*
%doc %{_mandir}/man1/pp.1*
%doc %{_mandir}/man1/ssltap.1*
%doc %{_mandir}/man1/vfychain.1*
%doc %{_mandir}/man1/vfyserv.1*
%doc %{_mandir}/man1/nss-config.1*
%changelog
* Tue Sep 24 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-4
- update requires for help
* Mon Sep 23 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-3
- Rebuild
* Wed Sep 20 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-2
- Package init

56
pkcs11.txt.xml Normal file
View File

@ -0,0 +1,56 @@
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="pkcs11.txt">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>pkcs11.txt</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>pkcs11.txt</refname>
<refpurpose>NSS PKCS #11 module configuration file</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para>
The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules.
</para>
<para>
For full documentation visit <ulink url="https://developer.mozilla.org/en-US/docs/PKCS11_Module_Specs">PKCS #11 Module Specs</ulink>.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/pkcs11.txt</filename></para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

12
renegotiate-transitional.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
.noLocks = PR_FALSE,
.enableSessionTickets = PR_FALSE,
.enableDeflate = PR_FALSE,
- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
.requireSafeNegotiation = PR_FALSE,
.enableFalseStart = PR_FALSE,
.cbcRandomIV = PR_TRUE,

23
rhbz1185708-enable-ecc-3des-ciphers-by-default.patch Normal file
View File

@ -0,0 +1,23 @@
--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
@@ -118,18 +118,18 @@
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
{ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
{ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},

63
secmod.db.xml Normal file
View File

@ -0,0 +1,63 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="secmod.db">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>secmod.db</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>secmod.db</refname>
<refpurpose>Legacy NSS security modules database</refpurpose>
</refnamediv>
<refsection id="description">
<title>Description</title>
<para><emphasis>secmod.db</emphasis> is an NSS security modules database.</para>
<para>The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface.
</para>
<para>The command line utility <emphasis>modutil</emphasis> is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens.
</para>
<para>For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases.
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/etc/pki/nssdb/secmod.db</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

68
setup-nsssysinit.sh Executable file
View File

@ -0,0 +1,68 @@
#!/bin/sh
#
# Turns on or off the nss-sysinit module db by editing the
# global PKCS #11 congiguration file. Displays the status.
#
# This script can be invoked by the user as super user.
# It is invoked at nss-sysinit post install time with argument on.
#
usage()
{
cat <<EOF
Usage: setup-nsssysinit [on|off]
on - turns on nsssysinit
off - turns off nsssysinit
status - reports whether nsssysinit is turned on or off
EOF
exit $1
}
# validate
if [ $# -eq 0 ]; then
usage 1 1>&2
fi
# the system-wide configuration file
p11conf="/etc/pki/nssdb/pkcs11.txt"
# must exist, otherwise report it and exit with failure
if [ ! -f $p11conf ]; then
echo "Could not find ${p11conf}"
exit 1
fi
# check if nsssysinit is currently enabled or disabled
sysinit_enabled()
{
grep -q '^library=libnsssysinit' ${p11conf}
}
umask 022
case "$1" in
on | ON )
if sysinit_enabled; then
exit 0
fi
cat ${p11conf} | \
sed -e 's/^library=$/library=libnsssysinit.so/' \
-e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
${p11conf}.on
mv ${p11conf}.on ${p11conf}
;;
off | OFF )
if ! sysinit_enabled; then
exit 0
fi
cat ${p11conf} | \
sed -e 's/^library=libnsssysinit.so/library=/' \
-e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
${p11conf}.off
mv ${p11conf}.off ${p11conf}
;;
status )
echo -n 'NSS sysinit is '
sysinit_enabled && echo 'enabled' || echo 'disabled'
;;
* )
usage 1 1>&2
;;
esac

106
setup-nsssysinit.xml Normal file
View File

@ -0,0 +1,106 @@
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
]>
<refentry id="setup-nsssysinit">
<refentryinfo>
<date>&date;</date>
<title>Network Security Services</title>
<productname>nss</productname>
<productnumber>&version;</productnumber>
</refentryinfo>
<refmeta>
<refentrytitle>setup-nsssysinit</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>setup-nsssysinit</refname>
<refpurpose>Query or enable the nss-sysinit module</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>setup-nsssysinit</command>
<arg><option>on</option></arg>
<arg><option>off</option></arg>
<arg><option>status</option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsection id="description">
<title>Description</title>
<para><command>setup-nsssysinit</command> is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. </para>
<para>Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on.
</para>
</refsection>
<refsection>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>on</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>off</option></term>
<listitem><simpara>Turn on nss-sysinit.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>status</option></term>
<listitem><simpara>returns whether nss-syinit is enabled or not.</simpara></listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection>
<title>Examples</title>
<para>The following example will query for the status of nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit status
</programlisting>
</para>
<para>The following example, when run as superuser, will turn on nss-sysinit:
<programlisting>
/usr/bin/setup-nsssysinit on
</programlisting>
</para>
</refsection>
<refsection>
<title>Files</title>
<para><filename>/usr/bin/setup-nsssysinit</filename></para>
</refsection>
<refsection>
<title>See also</title>
<para>pkg-config(1)</para>
</refsection>
<refsection id="authors">
<title>Authors</title>
<para>The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
<para>Authors: Elio Maldonado &lt;emaldona@redhat.com>.</para>
</refsection>
<!-- don't change -->
<refsection id="license">
<title>LICENSE</title>
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
</para>
</refsection>
</refentry>

5
system-pkcs11.txt Normal file
View File

@ -0,0 +1,5 @@
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})