Red Hat Bugzilla – Attachment 849543 Details for
Bug 1049229
nss-3.15.4 is available
[patch]
All changes - for completeness, hard on the eyes
changes4rebaseAll.patch (text/plain), 33.10 KB, created by
Elio Maldonado Batiz
on 2014-01-13 19:08:14 UTC
Description:
All changes - for completeness, hard on the eyes
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2014-01-13 19:08:14 UTC
Size:
33.10 KB
>diff --git a/.gitignore b/.gitignore
>index 6773720..8c5fa50 100644
>--- a/.gitignore
>+++ b/.gitignore
>@@ -7,5 +7,5 @@ PayPalEE.cert
> TestCA.ca.cert
> TestUser50.cert
> TestUser51.cert
>-/nss-pem-20130828.tar.bz2
>-/nss-3.15.3.1.tar.gz
>+/nss-pem-20131226.tar.bz2
>+/nss-3.15.4.tar.gz
>diff --git a/0001-sync-up-with-upstream-softokn-changes.patch b/0001-sync-up-with-upstream-softokn-changes.patch
>deleted file mode 100644
>index 36fbd9d..0000000
>--- a/0001-sync-up-with-upstream-softokn-changes.patch
>+++ /dev/null
>@@ -1,406 +0,0 @@
>-From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
>-From: Elio Maldonado <emaldona@redhat.com>
>-Date: Sat, 9 Feb 2013 17:11:00 -0500
>-Subject: [PATCH] Sync up with upstream softokn changes
>-
>-- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
>-- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
>-- It now compiles with the NSS_3_14_3_BETA1 source
>----
>- mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
>- 1 files changed, 82 insertions(+), 256 deletions(-)
>-
>-diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
>-index 5ac4f39..3780d30 100644
>---- a/nss/lib/ckfw/pem/rsawrapr.c
>-+++ b/nss/lib/ckfw/pem/rsawrapr.c
>-@@ -46,6 +46,7 @@
>- #include "sechash.h"
>- #include "base.h"
>-
>-+#include "lowkeyi.h"
>- #include "secerr.h"
>-
>- #define RSA_BLOCK_MIN_PAD_LEN 8
>-@@ -54,9 +55,8 @@
>- #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
>- #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
>-
>--#define OAEP_SALT_LEN 8
>--#define OAEP_PAD_LEN 8
>--#define OAEP_PAD_OCTET 0x00
>-+/* Needed for RSA-PSS functions */
>-+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
>-
>- #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context.
*/
>-
>-@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
>- return 0;
>- }
>-
>--static SHA1Context *SHA1_CloneContext(SHA1Context * original)
>--{
>-- SHA1Context *clone = NULL;
>-- unsigned char *pBuf;
>-- int sha1ContextSize = SHA1_FlattenSize(original);
>-- SECStatus frv;
>-- unsigned char buf[FLAT_BUFSIZE];
>--
>-- PORT_Assert(sizeof buf >= sha1ContextSize);
>-- if (sizeof buf >= sha1ContextSize) {
>-- pBuf = buf;
>-- } else {
>-- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
>-- if (!pBuf)
>-- goto done;
>-- }
>--
>-- frv = SHA1_Flatten(original, pBuf);
>-- if (frv == SECSuccess) {
>-- clone = SHA1_Resurrect(pBuf, NULL);
>-- memset(pBuf, 0, sha1ContextSize);
>-- }
>-- done:
>-- if (pBuf != buf)
>-- nss_ZFreeIf(pBuf);
>-- return clone;
>-+/* Constant time comparison of a single byte.
>-+ * Returns 1 iff a == b, otherwise returns 0.
>-+ * Note: For ranges of bytes, use constantTimeCompare.
>-+ */
>-+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
>-+ unsigned char c = ~(a - b | b - a);
>-+ c >>= 7;
>-+ return c;
>- }
>-
>--/*
>-- * Modify data by XORing it with a special hash of salt.
>-+/* Constant time comparison of a range of bytes.
>-+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
>-+ * returns 0.
>- */
>--static SECStatus
>--oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
>-- unsigned char *salt, unsigned int saltlen)
>--{
>-- SHA1Context *sha1cx;
>-- unsigned char *dp, *dataend;
>-- unsigned char end_octet;
>--
>-- sha1cx = SHA1_NewContext();
>-- if (sha1cx == NULL) {
>-- return SECFailure;
>-- }
>--
>-- /*
>-- * Get a hash of salt started; we will use it several times,
>-- * adding in a different end octet (x00, x01, x02, ...).
>-- */
>-- SHA1_Begin(sha1cx);
>-- SHA1_Update(sha1cx, salt, saltlen);
>-- end_octet = 0;
>--
>-- dp = data;
>-- dataend = data + datalen;
>--
>-- while (dp < dataend) {
>-- SHA1Context *sha1cx_h1;
>-- unsigned int sha1len, sha1off;
>-- unsigned char sha1[SHA1_LENGTH];
>--
>-- /*
>-- * Create hash of (salt || end_octet)
>-- */
>-- sha1cx_h1 = SHA1_CloneContext(sha1cx);
>-- SHA1_Update(sha1cx_h1, &end_octet, 1);
>-- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
>-- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
>-- PORT_Assert(sha1len == SHA1_LENGTH);
>--
>-- /*
>-- * XOR that hash with the data.
>-- * When we have fewer than SHA1_LENGTH octets of data
>-- * left to xor, use just the low-order ones of the hash.
>-- */
>-- sha1off = 0;
>-- if ((dataend - dp) < SHA1_LENGTH)
>-- sha1off = SHA1_LENGTH - (dataend - dp);
>-- while (sha1off < SHA1_LENGTH)
>-- *dp++ ^= sha1[sha1off++];
>--
>-- /*
>-- * Bump for next hash chunk.
>-- */
>-- end_octet++;
>-- }
>--
>-- SHA1_DestroyContext(sha1cx, PR_TRUE);
>-- return SECSuccess;
>-+static unsigned char constantTimeCompare(const unsigned char *a,
>-+ const unsigned char *b,
>-+ unsigned int len) {
>-+ unsigned char tmp = 0;
>-+ unsigned int i;
>-+ for (i = 0; i < len; ++i, ++a, ++b)
>-+ tmp |= *a ^ *b;
>-+ return constantTimeEQ8(0x00, tmp);
>- }
>-
>--/*
>-- * Modify salt by XORing it with a special hash of data.
>-+/* Constant time conditional.
>-+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
>-+ * not 0 or 1.
>- */
>--static SECStatus
>--oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
>-- unsigned char *data, unsigned int datalen)
>-+static unsigned int constantTimeCondition(unsigned int c,
>-+ unsigned int a,
>-+ unsigned int b)
>- {
>-- unsigned char sha1[SHA1_LENGTH];
>-- unsigned char *psalt, *psha1, *saltend;
>-- SECStatus rv;
>--
>-- /*
>-- * Create a hash of data.
>-- */
>-- rv = SHA1_HashBuf(sha1, data, datalen);
>-- if (rv != SECSuccess) {
>-- return rv;
>-- }
>--
>-- /*
>-- * XOR the low-order octets of that hash with salt.
>-- */
>-- PORT_Assert(saltlen <= SHA1_LENGTH);
>-- saltend = salt + saltlen;
>-- psalt = salt;
>-- psha1 = sha1 + SHA1_LENGTH - saltlen;
>-- while (psalt < saltend) {
>-- *psalt++ ^= *psha1++;
>-- }
>--
>-- return SECSuccess;
>-+ return (~(c - 1) & a) | ((c - 1) & b);
>- }
>-
>- /*
>-@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>- unsigned char *block;
>- unsigned char *bp;
>- int padLen;
>-- int i;
>-+ int i, j;
>- SECStatus rv;
>-
>- block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
>-@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>- */
>- case RSA_BlockPublic:
>-
>-- /*
>-- * 0x00 || BT || Pad || 0x00 || ActualData
>-- * 1 1 padLen 1 data->len
>-- * Pad is all non-zero random bytes.
>-- */
>-- padLen = modulusLen - data->len - 3;
>-- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
>-- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- for (i = 0; i < padLen; i++) {
>-- /* Pad with non-zero random data. */
>-- do {
>-- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
>-- } while (rv == SECSuccess
>-- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
>-- if (rv != SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- }
>-- bp += padLen;
>-- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>-- nsslibc_memcpy(bp, data->data, data->len);
>--
>-- break;
>--
>-- /*
>-- * Blocks intended for public-key operation, using
>-- * Optimal Asymmetric Encryption Padding (OAEP).
>-- */
>-- case RSA_BlockOAEP:
>-- /*
>-- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
>-- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
>-- *
>-- * where:
>-- * PaddedData is "Pad1 || ActualData [|| Pad2]"
>-- * Salt is random data.
>-- * Pad1 is all zeros.
>-- * Pad2, if present, is random data.
>-- * (The "modified" fields are all the same length as the original
>-- * unmodified values; they are just xor'd with other values.)
>-- *
>-- * Modified1 is an XOR of PaddedData with a special octet
>-- * string constructed of iterated hashing of Salt (see below).
>-- * Modified2 is an XOR of Salt with the low-order octets of
>-- * the hash of Modified1 (see farther below ;-).
>-- *
>-- * Whew!
>-- */
>--
>--
>-- /*
>-- * Salt
>-- */
>-- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
>-- if (rv != SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- bp += OAEP_SALT_LEN;
>--
>-- /*
>-- * Pad1
>-- */
>-- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
>-- bp += OAEP_PAD_LEN;
>--
>-- /*
>-- * Data
>-- */
>-- nsslibc_memcpy(bp, data->data, data->len);
>-- bp += data->len;
>--
>-- /*
>-- * Pad2
>-- */
>-- if (bp < (block + modulusLen)) {
>-- rv = RNG_GenerateGlobalRandomBytes(bp,
>-- block - bp + modulusLen);
>-- if (rv != SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- }
>--
>-- /*
>-- * Now we have the following:
>-- * 0x00 || BT || Salt || PaddedData
>-- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
>-- * as the one entity PaddedData.)
>-- *
>-- * We need to turn PaddedData into Modified1.
>-- */
>-- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
>-- modulusLen - 2 - OAEP_SALT_LEN,
>-- block + 2, OAEP_SALT_LEN) != SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>--
>-- /*
>-- * Now we have:
>-- * 0x00 || BT || Salt || Modified1(PaddedData)
>-- *
>-- * The remaining task is to turn Salt into Modified2.
>-- */
>-- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
>-- block + 2 + OAEP_SALT_LEN,
>-- modulusLen - 2 - OAEP_SALT_LEN) !=
>-- SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>--
>-- break;
>-+ /*
>-+ * 0x00 || BT || Pad || 0x00 || ActualData
>-+ * 1 1 padLen 1 data->len
>-+ * Pad is all non-zero random bytes.
>-+ *
>-+ * Build the block left to right.
>-+ * Fill the entire block from Pad to the end with random bytes.
>-+ * Use the bytes after Pad as a supply of extra random bytes from
>-+ * which to find replacements for the zero bytes in Pad.
>-+ * If we need more than that, refill the bytes after Pad with
>-+ * new random bytes as necessary.
>-+ */
>-+ padLen = modulusLen - (data->len + 3);
>-+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
>-+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
>-+ nss_ZFreeIf (block);
>-+ return NULL;
>-+ }
>-+ j = modulusLen - 2;
>-+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
>-+ if (rv == SECSuccess) {
>-+ for (i = 0; i < padLen; ) {
>-+ unsigned char repl;
>-+ /* Pad with non-zero random data. */
>-+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
>-+ ++i;
>-+ continue;
>-+ }
>-+ if (j <= padLen) {
>-+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
>-+ modulusLen - (2 + padLen));
>-+ if (rv != SECSuccess)
>-+ break;
>-+ j = modulusLen - 2;
>-+ }
>-+ do {
>-+ repl = bp[--j];
>-+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
>-+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
>-+ bp[i++] = repl;
>-+ }
>-+ }
>-+ }
>-+ if (rv != SECSuccess) {
>-+ /*sftk_fatalError = PR_TRUE;*/
>-+ nss_ZFreeIf (block);
>-+ return NULL;
>-+ }
>-+ bp += padLen;
>-+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>-+ nsslibc_memcpy(bp, data->data, data->len);
>-+ break;
>-
>- default:
>- PORT_Assert(0);
>-@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
>-
>- break;
>-
>-- case RSA_BlockOAEP:
>-- /*
>-- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
>-- *
>-- * The "2" below is the first octet + the second octet.
>-- * (The other fields do not contain the clear values, but are
>-- * the same length as the clear values.)
>-- */
>-- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
>-- + OAEP_PAD_LEN)));
>--
>-- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
>-- if (result->data == NULL) {
>-- result->len = 0;
>-- return SECFailure;
>-- }
>-- result->len = modulusLen;
>--
>-- break;
>--
>- case RSA_BlockRaw:
>- /*
>- * Pad || ActualData
>---
>-1.7.1
>-
>diff --git a/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch b/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
>new file mode 100644
>index 0000000..53ab4c1
>--- /dev/null
>+++ b/0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
>@@ -0,0 +1,196 @@
>+From 67aaa70fb0e889ff7dd3668561bfb002dd83e018 Mon Sep 17 00:00:00 2001
>+From: Elio Maldonado <emaldona@redhat.com>
>+Date: Wed, 8 Jan 2014 10:02:19 -0800
>+Subject: [PATCH 39/39] Sync up with nss-3.15.4 changes in freebl and softoken
>+
>+- Remove RSA_BlockOAEP cases which aren't used by the pem module after all
>+- Copied the private RSA_BlockType data structure from freebl/pkcss11.c
>+- Upstream removed softoken/rsawrapr.c and moved the code to freebl/pkcs11.c
>+- per Mozilla Bug 836019 - Move RSA-PKCS#1, RSA-PSS, and RSA-OAEP into freebl
>+- https://bugzilla.mozilla.org/show_bug.cgi?id=836019
>+---
>+ mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 133 ++++-----------------------
>+ 1 file changed, 16 insertions(+), 117 deletions(-)
>+
>+diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
>+index 5ac4f39..103eeda 100644
>+--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
>++++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
>+@@ -60,6 +60,21 @@
>+
>+ #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
>+
>++/*
>++ * RSA block types
>++ *
>++ * The actual values are important -- they are fixed, *not* arbitrary.
>++ * The explicit value assignments are not needed (because C would give
>++ * us those same values anyway) but are included as a reminder...
>++ */
>++typedef enum {
>++ RSA_BlockUnused = 0, /* unused */
>++ RSA_BlockPrivate = 1, /* pad for a private-key operation */
>++ RSA_BlockPublic = 2, /* pad for a public-key operation */
>++ RSA_BlockRaw = 4, /* simply justify the block appropriately */
>++ RSA_BlockTotal
>++} RSA_BlockType;
>++
>+ unsigned
>+ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
>+ {
>+@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>+ /*
>+ * Blocks intended for private-key operation.
>+ */
>+- case RSA_BlockPrivate0: /* essentially unused */
>+ case RSA_BlockPrivate: /* preferred method */
>+ /*
>+ * 0x00 || BT || Pad || 0x00 || ActualData
>+@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>+ nss_ZFreeIf(block);
>+ return NULL;
>+ }
>+- nsslibc_memset(bp,
>+- blockType == RSA_BlockPrivate0
>+- ? RSA_BLOCK_PRIVATE0_PAD_OCTET
>+- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
>++ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
>+ bp += padLen;
>+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>+ nsslibc_memcpy(bp, data->data, data->len);
>+@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>+
>+ break;
>+
>+- /*
>+- * Blocks intended for public-key operation, using
>+- * Optimal Asymmetric Encryption Padding (OAEP).
>+- */
>+- case RSA_BlockOAEP:
>+- /*
>+- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
>+- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
>+- *
>+- * where:
>+- * PaddedData is "Pad1 || ActualData [|| Pad2]"
>+- * Salt is random data.
>+- * Pad1 is all zeros.
>+- * Pad2, if present, is random data.
>+- * (The "modified" fields are all the same length as the original
>+- * unmodified values; they are just xor'd with other values.)
>+- *
>+- * Modified1 is an XOR of PaddedData with a special octet
>+- * string constructed of iterated hashing of Salt (see below).
>+- * Modified2 is an XOR of Salt with the low-order octets of
>+- * the hash of Modified1 (see farther below ;-).
>+- *
>+- * Whew!
>+- */
>+-
>+-
>+- /*
>+- * Salt
>+- */
>+- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
>+- if (rv != SECSuccess) {
>+- nss_ZFreeIf(block);
>+- return NULL;
>+- }
>+- bp += OAEP_SALT_LEN;
>+-
>+- /*
>+- * Pad1
>+- */
>+- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
>+- bp += OAEP_PAD_LEN;
>+-
>+- /*
>+- * Data
>+- */
>+- nsslibc_memcpy(bp, data->data, data->len);
>+- bp += data->len;
>+-
>+- /*
>+- * Pad2
>+- */
>+- if (bp < (block + modulusLen)) {
>+- rv = RNG_GenerateGlobalRandomBytes(bp,
>+- block - bp + modulusLen);
>+- if (rv != SECSuccess) {
>+- nss_ZFreeIf(block);
>+- return NULL;
>+- }
>+- }
>+-
>+- /*
>+- * Now we have the following:
>+- * 0x00 || BT || Salt || PaddedData
>+- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
>+- * as the one entity PaddedData.)
>+- *
>+- * We need to turn PaddedData into Modified1.
>+- */
>+- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
>+- modulusLen - 2 - OAEP_SALT_LEN,
>+- block + 2, OAEP_SALT_LEN) != SECSuccess) {
>+- nss_ZFreeIf(block);
>+- return NULL;
>+- }
>+-
>+- /*
>+- * Now we have:
>+- * 0x00 || BT || Salt || Modified1(PaddedData)
>+- *
>+- * The remaining task is to turn Salt into Modified2.
>+- */
>+- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
>+- block + 2 + OAEP_SALT_LEN,
>+- modulusLen - 2 - OAEP_SALT_LEN) !=
>+- SECSuccess) {
>+- nss_ZFreeIf(block);
>+- return NULL;
>+- }
>+-
>+- break;
>+-
>+ default:
>+ PORT_Assert(0);
>+ nss_ZFreeIf(block);
>+@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
>+ */
>+
>+ switch (blockType) {
>+- case RSA_BlockPrivate0:
>+ case RSA_BlockPrivate:
>+ case RSA_BlockPublic:
>+ /*
>+@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
>+
>+ break;
>+
>+- case RSA_BlockOAEP:
>+- /*
>+- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
>+- *
>+- * The "2" below is the first octet + the second octet.
>+- * (The other fields do not contain the clear values, but are
>+- * the same length as the clear values.)
>+- */
>+- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
>+- + OAEP_PAD_LEN)));
>+-
>+- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
>+- if (result->data == NULL) {
>+- result->len = 0;
>+- return SECFailure;
>+- }
>+- result->len = modulusLen;
>+-
>+- break;
>+-
>+ case RSA_BlockRaw:
>+ /*
>+ * Pad || ActualData
>+--
>+1.8.4.2
>+
>diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
>deleted file mode 100644
>index 6f0e88c..0000000
>--- a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
>+++ /dev/null
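Review bot: The OAEP helpers are left orphaned by this patch: the hunk at -288,97 removes the only visible calls to `oaep_xor_with_h1` and `oaep_xor_with_h2`, but no hunk touches pre-image lines 66–232, where the deleted 0001 patch (same pre-image, `index 5ac4f39`) shows those functions, `SHA1_CloneContext` and the `OAEP_*` macros. Dead padding code in a crypto module is better deleted in the same patch than left behind as unused statics. The 0001 patch also carried constant-time helpers and a rewritten `RSA_BlockPublic` padding loop that 0039 does not reapply; the commit message should say whether that is intentional. On the copied enum, a comment like `/* Copied from NSS 3.15.4 freebl; values must match upstream */` would make later drift checkable.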
>@@ -1,44 +0,0 @@
>---- nss/lib/ckfw/pem/psession.c
>-+++ nss/lib/ckfw/pem/psession.c
>-@@ -230,6 +230,7 @@ pem_mdSession_Login
>- unsigned int len = 0;
>- NSSLOWKEYPrivateKey *lpk = NULL;
>- PLArenaPool *arena;
>-+ SECItem plain;
>- int i;
>-
>- fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
>-@@ -306,23 +321,27 @@ pem_mdSession_Login
>- lpk->keyType = NSSLOWKEYRSAKey;
>- prepare_low_rsa_priv_key_for_asn1(lpk);
>-
>-- nss_ZFreeIf(io->u.key.key.privateKey->data);
>-- io->u.key.key.privateKey->len = len - output[len - 1];
>-- io->u.key.key.privateKey->data =
>-- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
>-- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
>-
>- /* Decode the resulting blob and see if it is a decodable DER that fits
>- * our private key template. If so we declare success and move on. If not
>- * then we return an error.
>- */
>-+ memset(&plain, 0, sizeof(plain));
>-+ plain.data = output;
>-+ plain.len = len - output[len - 1];
>- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
>-- io->u.key.key.privateKey);
>-+ &plain);
>- pem_DestroyPrivateKey(lpk);
>- arena = NULL;
>- if (rv != SECSuccess)
>- goto loser;
>-
>-+ nss_ZFreeIf(io->u.key.key.privateKey->data);
>-+ io->u.key.key.privateKey->len = len - output[len - 1];
>-+ io->u.key.key.privateKey->data =
>-+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
>-+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
>-+
>- rv = CKR_OK;
>-
>- loser:
>diff --git a/certutil_keyOpFlagsFix.patch b/certutil_keyOpFlagsFix.patch
>deleted file mode 100644
>index 94724ff..0000000
>--- a/certutil_keyOpFlagsFix.patch
>+++ /dev/null
>@@ -1,24 +0,0 @@
>-diff --git a/doc/certutil.xml b/doc/certutil.xml
>---- a/doc/certutil.xml
>-+++ b/doc/certutil.xml
>-@@ -655,18 +655,18 @@ of the attribute codes:
>-
>- <varlistentry>
>- <term>--keyAttrFlags attrflags</term>
>- <listitem><para>
>- PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>-- <term>--keyFlagsOn opflags</term>
>-- <term>--keyFlagsOff opflags</term>
>-+ <term>--keyOpFlagsOn opflags</term>
>-+ <term>--keyOpFlagsOff opflags</term>
>- <listitem><para>
>- PKCS #11 key Operation Flags.
>- Comma separated list of one or more of the following:
>- {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}
>- </para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>diff --git a/disable-ocsp-stapling-tests.patch b/disable-ocsp-stapling-tests.patch
>deleted file mode 100644
>index df27c0e..0000000
>--- a/disable-ocsp-stapling-tests.patch
>+++ /dev/null
>@@ -1,9 +0,0 @@
>-diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
>---- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700
>-+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700
>-@@ -115,4 +115,4 @@ ocsp_stapling()
>- ################## main #################################################
>- ocsp_init
>- ocsp_iopr_run
>--ocsp_stapling
>-+#ocsp_stapling
>diff --git a/document-certutil-email-option.patch b/document-certutil-email-option.patch
>deleted file mode 100644
>index b9ca7e1..0000000
>--- a/document-certutil-email-option.patch
>+++ /dev/null
>@@ -1,25 +0,0 @@
>-diff --git a/doc/certutil.xml b/doc/certutil.xml
>---- a/doc/certutil.xml
>-+++ b/doc/certutil.xml
>-@@ -204,16 +204,21 @@ If this option is not used, the validity
>- </varlistentry>
>-
>- <varlistentry>
>- <term>-e </term>
>- <listitem><para>Check a certificate's signature during the process of validating a certificate.</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>-+ <term>--email email-address</term>
>-+ <listitem><para>Specify the email address, used with the -L command option to print a single named certificate.</para></listitem>
>-+ </varlistentry>
>-+
>-+ <varlistentry>
>- <term>-f password-file</term>
>- <listitem><para>Specify a file that will automatically supply the password to include in a certificate
>- or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
>- unauthorized access to this file.</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>- <term>-g keysize</term>
>diff --git a/iquote.patch b/iquote.patch
>index 3df4927..90e7914 100644
>--- a/iquote.patch
>+++ b/iquote.patch
>@@ -1,6 +1,6 @@
> diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
>---- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700
>-+++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700
>+--- nss/cmd/bltest/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/cmd/bltest/Makefile 2014-01-07 13:30:04.465429623 -0800
> @@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
> # (6) Execute "component" rules. (OPTIONAL) #
> #######################################################################
>@@ -10,8 +10,8 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
>
> #######################################################################
> diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
>---- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700
>-+++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700
>+--- nss/cmd/lib/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/cmd/lib/Makefile 2014-01-07 13:30:04.465429623 -0800
> @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
> # (6) Execute "component" rules. (OPTIONAL) #
> #######################################################################
>@@ -23,8 +23,8 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
> #######################################################################
> # (7) Execute "local" rules. (OPTIONAL). #
> diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
>---- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700
>-+++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700
>+--- nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/coreconf/location.mk 2014-01-07 13:30:04.465429623 -0800
> @@ -45,6 +45,10 @@ endif
>
> ifdef NSS_INCLUDE_DIR
>@@ -37,8 +37,8 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
>
> ifndef NSS_LIB_DIR
> diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
>---- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700
>-+++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700
>+--- nss/lib/certhigh/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/lib/certhigh/Makefile 2014-01-07 13:30:04.466429634 -0800
> @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
> # (6) Execute "component" rules. (OPTIONAL) #
> #######################################################################
>@@ -49,8 +49,8 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
> #######################################################################
> # (7) Execute "local" rules. (OPTIONAL). #
> diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
>---- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700
>-+++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700
>+--- nss/lib/cryptohi/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/lib/cryptohi/Makefile 2014-01-07 13:30:04.466429634 -0800
> @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
> # (6) Execute "component" rules. (OPTIONAL) #
> #######################################################################
>@@ -60,3 +60,15 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
>
> #######################################################################
> # (7) Execute "local" rules. (OPTIONAL). #
>+--- nss/lib/nss/Makefile.iquote 2014-01-03 11:59:10.000000000 -0800
>++++ nss/lib/nss/Makefile 2014-01-07 13:30:04.466429634 -0800
>+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>diff --git a/nss.spec b/nss.spec
>index f33fe5f..23baa3f 100644
>--- a/nss.spec
>+++ b/nss.spec
>@@ -1,7 +1,6 @@
> %global nspr_version 4.10.2
>-%global nss_util_version 3.15.3
>-%global nss_softokn_fips_version 3.13.5
>-%global nss_softokn_version 3.15.3
>+%global nss_util_version 3.15.4
>+%global nss_softokn_version 3.15.4
> %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
> %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
>
>@@ -19,7 +18,7 @@
>
> Summary: Network Security Services
> Name: nss
>-Version: 3.15.3.1
>+Version: 3.15.4
> Release: 1%{?dist}
> License: MPLv2.0
> URL: http://www.mozilla.org/projects/security/pki/nss/
>@@ -58,7 +57,7 @@ Source7: blank-key4.db
> Source8: system-pkcs11.txt
> Source9: setup-nsssysinit.sh
> Source10: PayPalEE.cert
>-Source12: %{name}-pem-20130828.tar.bz2
>+Source12: %{name}-pem-20131226.tar.bz2
> Source17: TestCA.ca.cert
> Source18: TestUser50.cert
> Source19: TestUser51.cert
>@@ -81,11 +80,7 @@ Patch18: nss-646045.patch
> Patch25: nsspem-use-system-freebl.patch
> # TODO: Remove this patch when the ocsp test are fixed
> Patch40: nss-3.14.0.0-disble-ocsp-test.patch
>-Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
>-Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
>-# The ocsp stapling tests currently require access to the
>-# kuix.de test server but koji forbids outbount connections
>-Patch46: disable-ocsp-stapling-tests.patch
>+Patch44: 0039-Sync-up-with-nss-3.15.4-changes-in-freebl-and-softok.patch
> # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
> Patch47: utilwrap-include-templates.patch
> # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
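Review bot: Dropping `Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch` is only safe if the nss-pem-20131226 tarball already contains that fix, and nothing visible in this change shows that it does. The removed patch deferred overwriting `io->u.key.key.privateKey` until after `SEC_QuickDERDecodeItem` succeeds, so a failed login does not destroy the loaded key. Once verified, I would record it next to `Source12` with a comment such as `# pem-20131226 includes the fix for Bug 896651`, or keep the patch if the fix is not in the new tarball. The same question applies to the matching `%patch45` removal in the `%prep` hunk at -181,17.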
>@@ -93,10 +88,6 @@ Patch48: nss-versus-softoken-tests.patch
> # TODO remove when we switch to building nss without softoken
> Patch49: nss-skip-bltest-and-fipstest.patch
> Patch50: iquote.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
>-Patch54: document-certutil-email-option.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=937677
>-Patch57: certutil_keyOpFlagsFix.patch
>
> %description
> Network Security Services (NSS) is a set of libraries designed to
>@@ -181,17 +172,11 @@ low level services.
> # link pem against buildroot's freebl, essential when mixing and matching
> %patch25 -p0 -b .systemfreebl
> %patch40 -p0 -b .noocsptest
>-%patch44 -p1 -b .syncupwithupstream
>-%patch45 -p0 -b .notrash
>-%patch46 -p0 -b .skipoutbound
>+%patch44 -p3 -b .syncupwithupstream
> %patch47 -p0 -b .templates
> %patch48 -p0 -b .crypto
> %patch49 -p0 -b .skipthem
> %patch50 -p0 -b .iquote
>-pushd nss
>-%patch54 -p1 -b .948495
>-%patch57 -p1 -b .948495
>-popd
>
> #########################################################
> # Higher-level libraries and test tools need access to
>@@ -749,6 +734,14 @@ fi
>
>
> %changelog
>+* Tue Jan 07 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-1
>+- Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
>+- Resolves: Bug 1049229 - nss-3.15.4 is available
>+- Update pem sources to latest from the interim upstream for pem
>+- Remove no longer needed patches
>+- Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
>+- Update iquote.patch on account of upstream changes
>+
> * Wed Dec 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
> - Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
> - Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
>diff --git a/sources b/sources
>index ab0b3d0..17a8fc5 100644
>--- a/sources
>+++ b/sources
>@@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
> f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
> 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
> ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
>-e82dd2b9520f9d0f5d101e7710d59656 nss-pem-20130828.tar.bz2
>-1d444fffdb1f890a000003b50295b5aa nss-3.15.3.1.tar.gz
>+cb247307632f7673b32c71009ba7b660 nss-pem-20131226.tar.bz2
>+74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz