Red Hat Bugzilla – Attachment 898509 Details for
Bug 1099619
Rebase nss in RHEL 6.6 to NSS 3.16.1 (anticipated minimum version for FF 31)
[patch]
all changes to rebase nss to nss-3.16.1
bz1099619nss.patch (text/plain), 44.96 KB, created by
Elio Maldonado Batiz
on 2014-05-22 23:23:06 UTC
Description:
all changes to rebase nss to nss-3.16.1
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2014-05-22 23:23:06 UTC
Size:
44.96 KB
>diff --git a/.gitignore b/.gitignore
>index 3f13fac..6f006fe 100644
>--- a/.gitignore
>+++ b/.gitignore
>@@ -8,4 +8,4 @@ TestCA.ca.cert
> TestUser50.cert
> TestUser51.cert
> /nss-pem-20130405.tar.bz2
>-/nss-3.15.3.tar.bz2
>+/nss-3.16.1.tar.bz2
>diff --git a/0001-sync-up-with-upstream-softokn-changes.patch b/0001-sync-up-with-upstream-softokn-changes.patch
>index 36fbd9d..baea8c0 100644
>--- a/0001-sync-up-with-upstream-softokn-changes.patch
>+++ b/0001-sync-up-with-upstream-softokn-changes.patch
>@@ -1,234 +1,52 @@
>-From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
>-From: Elio Maldonado <emaldona@redhat.com>
>-Date: Sat, 9 Feb 2013 17:11:00 -0500
>-Subject: [PATCH] Sync up with upstream softokn changes
>-
>-- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
>-- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
>-- It now compiles with the NSS_3_14_3_BETA1 source
>----
>- mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
>- 1 files changed, 82 insertions(+), 256 deletions(-)
>-
>-diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c
>-index 5ac4f39..3780d30 100644
>---- a/nss/lib/ckfw/pem/rsawrapr.c
>-+++ b/nss/lib/ckfw/pem/rsawrapr.c
>-@@ -46,6 +46,7 @@
>- #include "sechash.h"
>- #include "base.h"
>-
>-+#include "lowkeyi.h"
>- #include "secerr.h"
>-
>- #define RSA_BLOCK_MIN_PAD_LEN 8
>-@@ -54,9 +55,8 @@
>- #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
>- #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
>-
>--#define OAEP_SALT_LEN 8
>--#define OAEP_PAD_LEN 8
>--#define OAEP_PAD_OCTET 0x00
>-+/* Needed for RSA-PSS functions */
>-+static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
>+diff -up nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream nss/lib/ckfw/pem/rsawrapr.c
>+--- nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream 2012-08-11 09:06:59.000000000 -0700
>++++ nss/lib/ckfw/pem/rsawrapr.c 2014-05-21 08:27:54.198521465 -0700
>+@@ -60,6 +60,21 @@
>
> #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context.
*/
>
>-@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
>- return 0;
>- }
>-
>--static SHA1Context *SHA1_CloneContext(SHA1Context * original)
>--{
>-- SHA1Context *clone = NULL;
>-- unsigned char *pBuf;
>-- int sha1ContextSize = SHA1_FlattenSize(original);
>-- SECStatus frv;
>-- unsigned char buf[FLAT_BUFSIZE];
>--
>-- PORT_Assert(sizeof buf >= sha1ContextSize);
>-- if (sizeof buf >= sha1ContextSize) {
>-- pBuf = buf;
>-- } else {
>-- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
>-- if (!pBuf)
>-- goto done;
>-- }
>--
>-- frv = SHA1_Flatten(original, pBuf);
>-- if (frv == SECSuccess) {
>-- clone = SHA1_Resurrect(pBuf, NULL);
>-- memset(pBuf, 0, sha1ContextSize);
>-- }
>-- done:
>-- if (pBuf != buf)
>-- nss_ZFreeIf(pBuf);
>-- return clone;
>-+/* Constant time comparison of a single byte.
>-+ * Returns 1 iff a == b, otherwise returns 0.
>-+ * Note: For ranges of bytes, use constantTimeCompare.
>++/*
>++ * RSA block types
>++ *
>++ * The actual values are important -- they are fixed, *not* arbitrary.
>++ * The explicit value assignments are not needed (because C would give
>++ * us those same values anyway) but are included as a reminder...
> + */
>-+static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
>-+ unsigned char c = ~(a - b | b - a);
>-+ c >>= 7;
>-+ return c;
>- }
>-
>--/*
>-- * Modify data by XORing it with a special hash of salt.
>-+/* Constant time comparison of a range of bytes.
>-+ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
>-+ * returns 0.
>- */
>--static SECStatus
>--oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
>-- unsigned char *salt, unsigned int saltlen)
>--{
>-- SHA1Context *sha1cx;
>-- unsigned char *dp, *dataend;
>-- unsigned char end_octet;
>--
>-- sha1cx = SHA1_NewContext();
>-- if (sha1cx == NULL) {
>-- return SECFailure;
>-- }
>--
>-- /*
>-- * Get a hash of salt started; we will use it several times,
>-- * adding in a different end octet (x00, x01, x02, ...).
>-- */
>-- SHA1_Begin(sha1cx);
>-- SHA1_Update(sha1cx, salt, saltlen);
>-- end_octet = 0;
>--
>-- dp = data;
>-- dataend = data + datalen;
>--
>-- while (dp < dataend) {
>-- SHA1Context *sha1cx_h1;
>-- unsigned int sha1len, sha1off;
>-- unsigned char sha1[SHA1_LENGTH];
>--
>-- /*
>-- * Create hash of (salt || end_octet)
>-- */
>-- sha1cx_h1 = SHA1_CloneContext(sha1cx);
>-- SHA1_Update(sha1cx_h1, &end_octet, 1);
>-- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
>-- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
>-- PORT_Assert(sha1len == SHA1_LENGTH);
>--
>-- /*
>-- * XOR that hash with the data.
>-- * When we have fewer than SHA1_LENGTH octets of data
>-- * left to xor, use just the low-order ones of the hash.
>-- */
>-- sha1off = 0;
>-- if ((dataend - dp) < SHA1_LENGTH)
>-- sha1off = SHA1_LENGTH - (dataend - dp);
>-- while (sha1off < SHA1_LENGTH)
>-- *dp++ ^= sha1[sha1off++];
>--
>-- /*
>-- * Bump for next hash chunk.
>-- */
>-- end_octet++;
>-- }
>--
>-- SHA1_DestroyContext(sha1cx, PR_TRUE);
>-- return SECSuccess;
>-+static unsigned char constantTimeCompare(const unsigned char *a,
>-+ const unsigned char *b,
>-+ unsigned int len) {
>-+ unsigned char tmp = 0;
>-+ unsigned int i;
>-+ for (i = 0; i < len; ++i, ++a, ++b)
>-+ tmp |= *a ^ *b;
>-+ return constantTimeEQ8(0x00, tmp);
>- }
>-
>--/*
>-- * Modify salt by XORing it with a special hash of data.
>-+/* Constant time conditional.
>-+ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
>-+ * not 0 or 1.
>- */
>--static SECStatus
>--oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
>-- unsigned char *data, unsigned int datalen)
>-+static unsigned int constantTimeCondition(unsigned int c,
>-+ unsigned int a,
>-+ unsigned int b)
>++typedef enum {
>++ RSA_BlockUnused = 0, /* unused */
>++ RSA_BlockPrivate = 1, /* pad for a private-key operation */
>++ RSA_BlockPublic = 2, /* pad for a public-key operation */
>++ RSA_BlockRaw = 4, /* simply justify the block appropriately */
>++ RSA_BlockTotal
>++} RSA_BlockType;
>++
>+ unsigned
>+ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
> {
>-- unsigned char sha1[SHA1_LENGTH];
>-- unsigned char *psalt, *psha1, *saltend;
>-- SECStatus rv;
>--
>-- /*
>-- * Create a hash of data.
>-- */
>-- rv = SHA1_HashBuf(sha1, data, datalen);
>-- if (rv != SECSuccess) {
>-- return rv;
>-- }
>--
>-- /*
>-- * XOR the low-order octets of that hash with salt.
>-- */
>-- PORT_Assert(saltlen <= SHA1_LENGTH);
>-- saltend = salt + saltlen;
>-- psalt = salt;
>-- psha1 = sha1 + SHA1_LENGTH - saltlen;
>-- while (psalt < saltend) {
>-- *psalt++ ^= *psha1++;
>-- }
>--
>-- return SECSuccess;
>-+ return (~(c - 1) & a) | ((c - 1) & b);
>- }
>-
>- /*
>-@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>- unsigned char *block;
>- unsigned char *bp;
>- int padLen;
>-- int i;
>-+ int i, j;
>- SECStatus rv;
>-
>- block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
>-@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
>+@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock
>+ /*
>+ * Blocks intended for private-key operation.
> */
>- case RSA_BlockPublic:
>+- case RSA_BlockPrivate0: /* essentially unused */
>+ case RSA_BlockPrivate: /* preferred method */
>+ /*
>+ * 0x00 || BT || Pad || 0x00 || ActualData
>+@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock
>+ nss_ZFreeIf(block);
>+ return NULL;
>+ }
>+- nsslibc_memset(bp,
>+- blockType == RSA_BlockPrivate0
>+- ?
RSA_BLOCK_PRIVATE0_PAD_OCTET
>+- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
>++ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen);
>+ bp += padLen;
>+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>+ nsslibc_memcpy(bp, data->data, data->len);
>+@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock
>+
>+ break;
>
>-- /*
>-- * 0x00 || BT || Pad || 0x00 || ActualData
>-- * 1 1 padLen 1 data->len
>-- * Pad is all non-zero random bytes.
>-- */
>-- padLen = modulusLen - data->len - 3;
>-- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
>-- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- for (i = 0; i < padLen; i++) {
>-- /* Pad with non-zero random data. */
>-- do {
>-- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
>-- } while (rv == SECSuccess
>-- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
>-- if (rv != SECSuccess) {
>-- nss_ZFreeIf(block);
>-- return NULL;
>-- }
>-- }
>-- bp += padLen;
>-- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>-- nsslibc_memcpy(bp, data->data, data->len);
>--
>-- break;
>--
> - /*
> - * Blocks intended for public-key operation, using
> - * Optimal Asymmetric Encryption Padding (OAEP).
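Review bot: The comment on the new `RSA_BlockType` enum is stale: it says the explicit value assignments "are not needed (because C would give us those same values anyway)", but the enum now skips 3, so implicit numbering would give `RSA_BlockRaw` the value 3 instead of 4, and `RSA_BlockTotal` evaluates to 5 rather than a member count. Since the same comment stresses that the values are fixed, I would reword it to something like `/* Values are fixed; 3 is deliberately unassigned, so the explicit assignments are required. */` and either drop `RSA_BlockTotal` or note that it is not a count. Presumably 3 belonged to the OAEP block type whose handling this patch removes, but that definition is not visible in the hunk.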
>@@ -319,62 +137,19 @@ index 5ac4f39..3780d30 100644
> - }
> -
> - break;
>-+ /*
>-+ * 0x00 || BT || Pad || 0x00 || ActualData
>-+ * 1 1 padLen 1 data->len
>-+ * Pad is all non-zero random bytes.
>-+ *
>-+ * Build the block left to right.
>-+ * Fill the entire block from Pad to the end with random bytes.
>-+ * Use the bytes after Pad as a supply of extra random bytes from
>-+ * which to find replacements for the zero bytes in Pad.
>-+ * If we need more than that, refill the bytes after Pad with
>-+ * new random bytes as necessary.
>-+ */
>-+ padLen = modulusLen - (data->len + 3);
>-+ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
>-+ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
>-+ nss_ZFreeIf (block);
>-+ return NULL;
>-+ }
>-+ j = modulusLen - 2;
>-+ rv = RNG_GenerateGlobalRandomBytes(bp, j);
>-+ if (rv == SECSuccess) {
>-+ for (i = 0; i < padLen; ) {
>-+ unsigned char repl;
>-+ /* Pad with non-zero random data. */
>-+ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
>-+ ++i;
>-+ continue;
>-+ }
>-+ if (j <= padLen) {
>-+ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
>-+ modulusLen - (2 + padLen));
>-+ if (rv != SECSuccess)
>-+ break;
>-+ j = modulusLen - 2;
>-+ }
>-+ do {
>-+ repl = bp[--j];
>-+ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
>-+ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
>-+ bp[i++] = repl;
>-+ }
>-+ }
>-+ }
>-+ if (rv != SECSuccess) {
>-+ /*sftk_fatalError = PR_TRUE;*/
>-+ nss_ZFreeIf (block);
>-+ return NULL;
>-+ }
>-+ bp += padLen;
>-+ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
>-+ nsslibc_memcpy(bp, data->data, data->len);
>-+ break;
>-
>+-
> default:
> PORT_Assert(0);
>-@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
>+ nss_ZFreeIf(block);
>+@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsign
>+ */
>+
>+ switch (blockType) {
>+- case RSA_BlockPrivate0:
>+ case RSA_BlockPrivate:
>+ case RSA_BlockPublic:
>+ /*
>+@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsign
>
> break;
> >@@ -401,6 +176,3 @@ index 5ac4f39..3780d30 100644 > case RSA_BlockRaw: > /* > * Pad || ActualData >--- >-1.7.1 >- >diff --git a/Bug-961659-dont-hold-issuer-cert-handles-in-crl-cache.patch b/Bug-961659-dont-hold-issuer-cert-handles-in-crl-cache.patch >index 66c2ee4..286fa62 100644 >--- a/Bug-961659-dont-hold-issuer-cert-handles-in-crl-cache.patch >+++ b/Bug-961659-dont-hold-issuer-cert-handles-in-crl-cache.patch >@@ -1,7 +1,7 @@ > diff -up ./nss/lib/certdb/certi.h.961659 ./nss/lib/certdb/certi.h >---- ./nss/lib/certdb/certi.h.961659 2012-12-06 09:56:57.000000000 -0800 >-+++ ./nss/lib/certdb/certi.h 2013-08-12 18:30:23.000000000 -0700 >-@@ -118,11 +118,16 @@ struct CRLDPCacheStr { >+--- ./nss/lib/certdb/certi.h.961659 2014-05-20 15:15:44.022129698 -0700 >++++ ./nss/lib/certdb/certi.h 2014-05-20 15:26:20.824632711 -0700 >+@@ -116,11 +116,16 @@ struct CRLDPCacheStr { > #else > PRLock* lock; > #endif >@@ -23,7 +23,7 @@ diff -up ./nss/lib/certdb/certi.h.961659 ./nss/lib/certdb/certi.h > SECItem* subject; /* DER of issuer subject */ > SECItem* distributionPoint; /* DER of distribution point. This may be > NULL when distribution points aren't >-@@ -174,7 +179,7 @@ struct CRLIssuerCacheStr { >+@@ -172,7 +177,7 @@ struct CRLIssuerCacheStr { > NSSRWLock* lock; > CRLDPCache** dps; > PLHashTable* distributionpoints; >@@ -33,9 +33,9 @@ diff -up ./nss/lib/certdb/certi.h.961659 ./nss/lib/certdb/certi.h > }; > > diff -up ./nss/lib/certdb/crl.c.961659 ./nss/lib/certdb/crl.c >---- ./nss/lib/certdb/crl.c.961659 2012-04-25 07:49:26.000000000 -0700 >-+++ ./nss/lib/certdb/crl.c 2013-08-12 18:14:30.000000000 -0700 >-@@ -1125,9 +1125,9 @@ static SECStatus DPCache_Destroy(CRLDPCa >+--- ./nss/lib/certdb/crl.c.961659 2014-05-20 15:16:18.149317402 -0700 >++++ ./nss/lib/certdb/crl.c 2014-05-20 15:39:24.729944955 -0700 >+@@ -1123,9 +1123,9 @@ static SECStatus DPCache_Destroy(CRLDPCa > PORT_Free(cache->crls); > } > /* destroy the cert */ 
>@@ -47,7 +47,7 @@ diff -up ./nss/lib/certdb/crl.c.961659 ./nss/lib/certdb/crl.c
> }
> /* free the subject */
> if (cache->subject)
>-@@ -1573,14 +1573,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
>+@@ -1571,14 +1571,20 @@ static SECStatus CachedCrl_Verify(CRLDPC
> else
> {
> SECStatus signstatus = SECFailure;
>@@ -71,7 +71,7 @@ diff -up ./nss/lib/certdb/crl.c.961659 ./nss/lib/certdb/crl.c
> {
> /* we tried to verify without an issuer cert . This is
> because this CRL came through a call to SEC_FindCrlByName.
>-@@ -1927,15 +1933,16 @@ static SECStatus DPCache_GetUpToDate(CRL
>+@@ -1925,15 +1931,16 @@ static SECStatus DPCache_GetUpToDate(CRL
> }
>
> /* add issuer certificate if it was previously unavailable */
>@@ -86,39 +86,38 @@ diff -up ./nss/lib/certdb/crl.c.961659 ./nss/lib/certdb/crl.c
> {
> dirty = PR_TRUE;
> - cache->issuer = CERT_DupCertificate(issuer);
>-+ cache->dbHandle = issuer->dbhandle;
>-+ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
>++ cache->dbHandle = issuer->dbhandle;
>++ cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
> }
> DPCache_UnlockWrite();
> }
>-@@ -1946,7 +1953,7 @@ static SECStatus DPCache_GetUpToDate(CRL
>+@@ -1944,7 +1951,7 @@ static SECStatus DPCache_GetUpToDate(CRL
> SEC_FindCrlByName, or through manual insertion, rather than through a
> certificate verification (CERT_CheckCRL) */
>
> - if (cache->issuer && vfdate )
>-+ if (cache->issuerDERCert && vfdate )
>++ if (cache->issuerDERCert && vfdate)
> {
> mustunlock = PR_FALSE;
> /* re-process all unverified CRLs */
>-@@ -2203,7 +2210,8 @@ static SECStatus DPCache_Create(CRLDPCac
>+@@ -2201,7 +2208,8 @@ static SECStatus DPCache_Create(CRLDPCac
> }
> if (issuer)
> {
> - cache->issuer = CERT_DupCertificate(issuer);
>-+ cache->dbHandle = issuer->dbhandle;
>++ cache->dbHandle = issuer->dbhandle;
> + cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);
> }
> cache->distributionPoint = SECITEM_DupItem(dp);
> cache->subject = SECITEM_DupItem(subject);
> diff -up ./nss/tests/chains/chains.sh.961659 ./nss/tests/chains/chains.sh
>---- ./nss/tests/chains/chains.sh.961659 2013-01-09 09:47:50.000000000 -0800
>-+++ ./nss/tests/chains/chains.sh 2013-08-12 18:14:30.000000000 -0700
>-@@ -921,6 +921,8 @@ check_ocsp()
>- OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
>- OCSP_PORT=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:.*:\([0-9]*\)\"/\1/")
>+--- ./nss/tests/chains/chains.sh.961659 2014-05-20 15:17:40.308769346 -0700
>++++ ./nss/tests/chains/chains.sh 2014-05-20 15:20:07.461578867 -0700
>+@@ -974,6 +974,7 @@ check_ocsp()
>+ OCSP_HOST=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI |
 sed "s/.*:\/\///" | sed "s/:.*//")
>+ OCSP_PORT=$(${BINDIR}/pp -w -t certificate -i ${CERT_FILE} | grep URI | sed "s/^.*:.*:\/\/.*:\([0-9]*\).*$/\1/")
>
> + echo "Cert = ${CERT_NICK}.cert"
>-+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
>+ echo "tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20"
> tstclnt -h ${OCSP_HOST} -p ${OCSP_PORT} -q -t 20
> return $?
>- }
>diff --git a/add-missing-option-descriptions.patch b/add-missing-option-descriptions.patch
>deleted file mode 100644
>index 3238ce0..0000000
>--- a/add-missing-option-descriptions.patch
>+++ /dev/null
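Review bot: In the refreshed crl.c hunks for `DPCache_GetUpToDate` and `DPCache_Create`, `cache->issuerDERCert = SECITEM_DupItem(&issuer->derCert);` is stored without a NULL check in the visible lines, while `cache->dbHandle` is set unconditionally next to it. If the copy fails, the later `if (cache->issuerDERCert && vfdate)` guard would skip re-processing of the unverified CRLs without surfacing any error. Both functions continue outside the hunk, so a check may exist there; if it does not, I would fail the create when the dup returns NULL, or at least add a comment at the assignment saying how a NULL `issuerDERCert` is expected to be handled by later calls.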
>@@ -1,37 +0,0 @@
>-diff -up ./nss/doc/certutil.xml.documentoptions ./nss/doc/certutil.xml
>---- ./nss/doc/certutil.xml.documentoptions 2014-02-12 12:22:13.060177721 -0800
>-+++ ./nss/doc/certutil.xml 2014-02-12 12:22:35.820344345 -0800
>-@@ -209,6 +209,11 @@ If this option is not used, the validity
>- </varlistentry>
>-
>- <varlistentry>
>-+ <term>--email email-address</term>
>-+ <listitem><para>Specify the email address of a certificate to list. Used with the -L command option.</para></listitem>
>-+ </varlistentry>
>-+
>-+ <varlistentry>
>- <term>-f password-file</term>
>- <listitem><para>Specify a file that will automatically supply the password to include in a certificate
>- or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent
>-@@ -644,14 +649,19 @@ of the attribute codes:
>- </varlistentry>
>-
>- <varlistentry>
>-+ <term>--empty-password</term>
>-+ <listitem><para>Use empty password when creating new certificate database with -N.</para></listitem>
>-+ </varlistentry>
>-+
>-+ <varlistentry>
>- <term>--keyAttrFlags attrflags</term>
>- <listitem><para>
>- PKCS #11 key Attributes. Comma separated list of key attribute flags, selected from the following list of choices: {token | session} {public | private} {sensitive | insensitive} {modifiable | unmodifiable} {extractable | unextractable}</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>-- <term>--keyFlagsOn opflags</term>
>-- <term>--keyFlagsOff opflags</term>
>-+ <term>--keyOpFlagsOn opflags</term>
>-+ <term>--keyOpFlagsOff opflags</term>
>- <listitem><para>
>- PKCS #11 key Operation Flags.
>- Comma separated list of one or more of the following:
>diff --git a/disable-ocsp-stapling-tests.patch b/disable-ocsp-stapling-tests.patch
>deleted file mode 100644
>index df27c0e..0000000
>--- a/disable-ocsp-stapling-tests.patch
>+++ /dev/null
>@@ -1,9 +0,0 @@
>-diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh
>---- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700
>-+++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700
>-@@ -115,4 +115,4 @@ ocsp_stapling()
>- ################## main #################################################
>- ocsp_init
>- ocsp_iopr_run
>--ocsp_stapling
>-+#ocsp_stapling
>diff --git a/dont-disable-internal-module.patch b/dont-disable-internal-module.patch
>deleted file mode 100644
>index 5d71643..0000000
>--- a/dont-disable-internal-module.patch
>+++ /dev/null
>@@ -1,39 +0,0 @@
>-diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c
>---- ./nss/cmd/modutil/pk11.c.1056036 2014-02-24 15:49:00.802754246 -0800
>-+++ ./nss/cmd/modutil/pk11.c 2014-02-24 15:49:00.806754285 -0800
>-@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo
>- PK11_GetSlotName(slot), "enabled");
>- }
>- } else {
>-+ if (module->internal) {
>-+ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
>-+ "disable", PK11_GetSlotName(slot));
>-+ rv = ENABLE_FAILED_ERR;
>-+ goto loser;
>-+ }
>- if(! PK11_UserDisableSlot(slot)) {
>- PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
>- "disable", PK11_GetSlotName(slot));
>-diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml
>---- ./nss/doc/modutil.xml.1056036 2014-01-03 11:59:10.000000000 -0800
>-+++ ./nss/doc/modutil.xml 2014-02-24 15:49:00.806754285 -0800
>-@@ -86,7 +86,7 @@
>-
>- <varlistentry>
>- <term>-disable modulename</term>
>-- <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
>-+ <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para><para>The internal NSS PKCS #11 module cannot be disabled.</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>-diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c
>---- ./nss/lib/dev/devtoken.c.1056036 2014-02-24 15:55:16.687529925 -0800
>-+++ ./nss/lib/dev/devtoken.c 2014-02-24 15:56:15.720143547 -0800
>-@@ -1438,6 +1438,7 @@ nssToken_IsPresent (
>- NSSToken *token
>- )
>- {
>-+ if (token == NULL) return PR_FALSE;
>- return nssSlot_IsTokenPresent(token->slot);
>- }
>-
>diff --git a/iquote.patch b/iquote.patch
>index 3f91e64..d0bc5ba 100644
>--- a/iquote.patch
>+++ b/iquote.patch
>@@ -9,6 +9,19 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
>
>
> #######################################################################
>+diff -up nss/cmd/httpserv/Makefile.iquote nss/cmd/httpserv/Makefile
>+--- nss/cmd/httpserv/Makefile.iquote 2014-05-20 21:44:36.847686293 -0700
>++++ nss/cmd/httpserv/Makefile 2014-05-20 21:46:04.579274782 -0700
>+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../private/nss
>++INCLUDES += -iquote $(DIST)/../public/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
> diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
> --- nss/cmd/lib/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700
> +++ nss/cmd/lib/Makefile 2013-08-26 18:39:49.000000000 -0700
>@@ -22,6 +35,81 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile
>
> #######################################################################
> # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/cmd/modutil/Makefile.iquote nss/cmd/modutil/Makefile
>+--- nss/cmd/modutil/Makefile.iquote 2014-05-21 07:52:19.406333284 -0700
>++++ nss/cmd/modutil/Makefile 2014-05-21 07:53:05.612816698 -0700
>+@@ -41,7 +41,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/cmd/selfserv/Makefile.iquote nss/cmd/selfserv/Makefile
>+--- nss/cmd/selfserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/cmd/selfserv/Makefile 2014-05-20 21:41:16.185342526 -0700
>+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/cmd/ssltap/Makefile.iquote nss/cmd/ssltap/Makefile
>+--- nss/cmd/ssltap/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/cmd/ssltap/Makefile 2014-05-20 21:41:16.185342526 -0700
>+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../private/nss
>++INCLUDES += -iquote $(DIST)/../public/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL).
#
>+diff -up nss/cmd/strsclnt/Makefile.iquote nss/cmd/strsclnt/Makefile
>+--- nss/cmd/strsclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/cmd/strsclnt/Makefile 2014-05-20 21:41:16.186342541 -0700
>+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/cmd/tstclnt/Makefile.iquote nss/cmd/tstclnt/Makefile
>+--- nss/cmd/tstclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/cmd/tstclnt/Makefile 2014-05-20 21:41:16.186342541 -0700
>+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ #######################################################################
>+
>+ #include ../platlibs.mk
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/cmd/vfyserv/Makefile.iquote nss/cmd/vfyserv/Makefile
>+--- nss/cmd/vfyserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/cmd/vfyserv/Makefile 2014-05-20 21:41:16.187342556 -0700
>+@@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ #######################################################################
>+
>+ #include ../platlibs.mk
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL).
#
> diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
> --- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700
> +++ nss/coreconf/location.mk 2013-08-26 18:39:49.000000000 -0700
>@@ -36,16 +124,53 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
> endif
>
> ifndef NSS_LIB_DIR
>-diff -up nss/lib/certhigh/config.mk.iquote nss/lib/certhigh/config.mk
> diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile
>---- nss/lib/certhigh/Makefile.iquote 2013-08-26 18:47:33.000000000 -0700
>-+++ nss/lib/certhigh/Makefile 2013-08-26 18:47:54.000000000 -0700
>-@@ -38,6 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+--- nss/lib/certhigh/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/lib/certhigh/Makefile 2014-05-20 21:41:16.188342572 -0700
>+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile
>+--- nss/lib/cryptohi/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/lib/cryptohi/Makefile 2014-05-20 21:41:16.188342572 -0700
>+@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/lib/libpkix/pkix/checker/Makefile.iquote nss/lib/libpkix/pkix/checker/Makefile
>+--- nss/lib/libpkix/pkix/checker/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/lib/libpkix/pkix/checker/Makefile 2014-05-20 21:41:16.188342572 -0700
>+@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
> # (6) Execute "component" rules.
(OPTIONAL) #
> #######################################################################
>
>-
> +INCLUDES += -iquote $(DIST)/../private/nss
> +INCLUDES += -iquote $(DIST)/../public/nss
>
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile
>+--- nss/lib/nss/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ nss/lib/nss/Makefile 2014-05-20 21:41:16.189342588 -0700
>+@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>
> #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>diff --git a/manfixes.patch b/manfixes.patch
>index 832658f..8fe4491 100644
>--- a/manfixes.patch
>+++ b/manfixes.patch
>@@ -15,24 +15,6 @@ diff -up ./nss/doc/certutil.xml.cleanup ./nss/doc/certutil.xml
> </listitem>
> </varlistentry>
>
>-@@ -222,7 +222,7 @@ If this option is not used, the validity
>-
>- <varlistentry>
>- <term>-g keysize</term>
>-- <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 8192 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
>-+ <listitem><para>Set a key size to use when generating new public and private key pairs. The minimum is 512 bits and the maximum is 16384 bits. The default is 1024 bits. Any size between the minimum and maximum is allowed.</para></listitem>
>- </varlistentry>
>-
>-
>-@@ -360,7 +360,7 @@ of the attribute codes:
>- <para>
>- The attribute codes for the categories are separated by commas, and the entire set of attributes enclosed by quotation marks. For example:
>- </para>
>--<para><command>-t "TCu,Cu,Tuw"</command></para>
>-+<para><command>-t "TCu,Cu,Tu"</command></para>
>- <para>
>- Use the -L option to see a list of the current certificates and trust attributes in a certificate database. </para></listitem>
>- </varlistentry>
> @@ -432,11 +432,11 @@ of the attribute codes:
>
> <varlistentry>
>diff --git a/nss-ecc-list-3.15.3.patch b/nss-ecc-list-3.15.3.patch
>deleted file mode 100644
>index 6f86258..0000000
>--- a/nss-ecc-list-3.15.3.patch
>+++ /dev/null
>@@ -1,239 +0,0 @@
>-diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c
>---- ./nss/cmd/modutil/pk11.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800
>-+++ ./nss/cmd/modutil/pk11.c 2013-12-20 10:29:01.540726233 -0800
>-@@ -7,12 +7,9 @@
>- */
>-
>- #include "modutil.h"
>--/* #include "secmodti.h" */
>-+#include "secmodi.h"
>- #include "pk11func.h"
>-
>--static PK11DefaultArrayEntry *pk11_DefaultArray = NULL;
>--static int pk11_DefaultArraySize = 0;
>--
>- /*************************************************************************
>- *
>- * F i p s M o d e
>-@@ -110,32 +107,11 @@ ChkFipsMode(char *arg)
>-
>- typedef struct {
>- const char *name;
>-- const unsigned long mask;
>-+ unsigned long mask;
>- } MaskString;
>-
>--static const MaskString mechanismStrings[] = {
>-- {"RSA", PUBLIC_MECH_RSA_FLAG},
>-- {"DSA", PUBLIC_MECH_DSA_FLAG},
>-- {"RC2", PUBLIC_MECH_RC2_FLAG},
>-- {"RC4", PUBLIC_MECH_RC4_FLAG},
>-- {"RC5", PUBLIC_MECH_RC5_FLAG},
>-- {"DES", PUBLIC_MECH_DES_FLAG},
>-- {"DH", PUBLIC_MECH_DH_FLAG},
>-- {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG},
>-- {"SHA1", PUBLIC_MECH_SHA1_FLAG},
>-- {"MD5", PUBLIC_MECH_MD5_FLAG},
>-- {"MD2", PUBLIC_MECH_MD2_FLAG},
>-- {"SSL", PUBLIC_MECH_SSL_FLAG},
>-- {"TLS", PUBLIC_MECH_TLS_FLAG},
>-- {"AES", PUBLIC_MECH_AES_FLAG},
>-- {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG},
>-- {"SHA256", PUBLIC_MECH_SHA256_FLAG},
>-- {"SHA512", PUBLIC_MECH_SHA512_FLAG},
>-- {"RANDOM", PUBLIC_MECH_RANDOM_FLAG},
>-- {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG}
>--};
>--static const int numMechanismStrings =
>-- sizeof(mechanismStrings) / sizeof(mechanismStrings[0]);
>-+static MaskString *mechanismStrings = NULL;
>-+static int numMechanismStrings = 0;
>-
>- static const MaskString cipherStrings[] = {
>- {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG}
>-@@ -143,10 +119,83 @@ static const MaskString cipherStrings[]
>- static const int numCipherStrings =
>- sizeof(cipherStrings) / sizeof(cipherStrings[0]);
>-
>-+static PK11DefaultArrayEntry
*pk11_DefaultArray = NULL; >-+static int pk11_DefaultArraySize = 0; >-+ >-+ >- /* Maximum length of a colon-separated list of all the strings in an >- * array. */ >- #define MAX_STRING_LIST_LEN 240 /* or less */ >- >-+/* >-+** The same as SECMOD_InternaltoPubMechFlags >-+** from nss/lib/pk11wrap/pk11util.c wich is a >-+** private export and not visible to us >-+*/ >-+static unsigned long >-+InternaltoPubMechFlags(unsigned long internalFlags) >-+{ >-+ unsigned long publicFlags = internalFlags; >-+ >-+ if (internalFlags & SECMOD_RANDOM_FLAG) { >-+ publicFlags &= ~SECMOD_RANDOM_FLAG; >-+ publicFlags |= PUBLIC_MECH_RANDOM_FLAG; >-+ } >-+ return publicFlags; >-+} >-+ >-+ >-+Error >-+loadMechanismList(void) >-+{ >-+ int i; >-+ >-+ if (pk11_DefaultArray == NULL) { >-+ pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-+ if (pk11_DefaultArray == NULL) { >-+ /* should assert. This shouldn't happen */ >-+ return UNSPECIFIED_ERR; >-+ } >-+ } >-+ if (mechanismStrings != NULL) { >-+ PR_Free(mechanismStrings); >-+ } >-+ >-+ /* build the mechanismStrings array */ >-+ mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) ); >-+ if (mechanismStrings == NULL) { >-+ return OUT_OF_MEM_ERR; >-+ } >-+ numMechanismStrings = pk11_DefaultArraySize; >-+ for (i = 0; i < numMechanismStrings; i++) { >-+ char *name = pk11_DefaultArray[i].name; >-+ unsigned long flag = pk11_DefaultArray[i].flag; >-+ /* map new name to old */ >-+ switch (flag) { >-+ case SECMOD_FORTEZZA_FLAG: >-+ name = "FORTEZZA"; >-+ break; >-+ case SECMOD_SHA1_FLAG: >-+ name = "SHA1"; >-+ break; >-+ case SECMOD_CAMELLIA_FLAG: >-+ name = "CAMELLIA"; >-+ break; >-+ case SECMOD_RANDOM_FLAG: >-+ name = "RANDOM"; >-+ break; >-+ case SECMOD_FRIENDLY_FLAG: >-+ name = "FRIENDLY"; >-+ break; >-+ default: >-+ break; >-+ } >-+ mechanismStrings[i].name = name; >-+ mechanismStrings[i].mask = InternaltoPubMechFlags(flag); >-+ } >-+ return SUCCESS; >-+} >-+ >- 
/************************************************************************ >- * >- * g e t F l a g s F r o m S t r i n g >-@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil >- unsigned long ciphers; >- unsigned long mechanisms; >- SECStatus status; >-+ Error rv; >-+ >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >-+ } >- >- mechanisms = >- getFlagsFromString(mechanismString, mechanismStrings, >-@@ -493,6 +548,11 @@ ListModule(char *moduleName) >- return SUCCESS; >- } >- >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >-+ } >-+ >- module = SECMOD_FindModule(moduleName); >- if(!module) { >- PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); >-@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char >- SECMODModule *module = NULL; >- PK11SlotInfo *slot; >- int s, i; >-- unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-- numMechanismStrings); >-+ unsigned long mechFlags; >- PRBool found = PR_FALSE; >-- Error errcode = UNSPECIFIED_ERR; >-+ Error errcode; >- >-- if (pk11_DefaultArray == NULL) { >-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-- if (pk11_DefaultArray == NULL) { >-- /* should assert. 
This shouldn't happen */ >-- goto loser; >-- } >-+ errcode = loadMechanismList(); >-+ if (errcode != SUCCESS) { >-+ return errcode; >- } >-+ errcode = UNSPECIFIED_ERR; >- >-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-+ numMechanismStrings); >- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); >- >- module = SECMOD_FindModule(moduleName); >-@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha >- SECMODModule * module = NULL; >- PK11SlotInfo *slot; >- int s, i; >-- unsigned long mechFlags = getFlagsFromString(mechanisms, >-- mechanismStrings, numMechanismStrings); >-+ unsigned long mechFlags; >- PRBool found = PR_FALSE; >- Error rv; >- >-- if (pk11_DefaultArray == NULL) { >-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-- if (pk11_DefaultArray == NULL) { >-- /* should assert. This shouldn't happen */ >-- rv = UNSPECIFIED_ERR; >-- goto loser; >-- } >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >- } >- >-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-+ numMechanismStrings); >- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); >- >- module = SECMOD_FindModule(moduleName); >-diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c >---- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800 >-+++ ./nss/lib/pk11wrap/pk11slot.c 2013-12-20 10:29:55.756109883 -0800 >-@@ -32,6 +32,7 @@ >- PK11DefaultArrayEntry PK11_DefaultArray[] = { >- { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, >- { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, >-+ { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, >- { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, >- { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, >- { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, >-diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h >---- ./nss/lib/pk11wrap/secmod.h.ecc-lists 2013-11-09 09:23:30.000000000 -0800 >-+++ ./nss/lib/pk11wrap/secmod.h 2013-12-20 10:26:20.881585723 -0800 >-@@ -28,6 +28,7 @@ 
>- #define PUBLIC_MECH_SHA512_FLAG 0x00008000ul
>- #define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul
>- #define PUBLIC_MECH_SEED_FLAG 0x00020000ul
>-+#define PUBLIC_MECH_ECC_FLAG 0x00040000ul
>-
>- #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
>- #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
>diff --git a/nss-ssl-cbc-random-iv-off-by-default.patch b/nss-ssl-cbc-random-iv-off-by-default.patch
>index fd0988e..76eb1a9 100644
>--- a/nss-ssl-cbc-random-iv-off-by-default.patch
>+++ b/nss-ssl-cbc-random-iv-off-by-default.patch
>@@ -1,16 +1,16 @@
> diff -up nss/lib/ssl/sslsock.c.cbcrandomivoff nss/lib/ssl/sslsock.c
>---- nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-05-30 22:20:52.181292812 -0700
>-+++ nss/lib/ssl/sslsock.c 2013-05-30 22:20:52.194292913 -0700
>-@@ -152,7 +152,7 @@ static sslOptions ssl_defaults = {
>+--- nss/lib/ssl/sslsock.c.cbcrandomivoff 2014-05-20 14:46:57.256630822 -0700
>++++ nss/lib/ssl/sslsock.c 2014-05-20 14:50:02.124647777 -0700
>+@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
> 3, /* enableRenegotiation (default: transitional) */
> PR_FALSE, /* requireSafeNegotiation */
> PR_FALSE, /* enableFalseStart */
> - PR_TRUE, /* cbcRandomIV */
>-+ PR_FALSE, /* cbcRandomIV */ /* defaults to off for compatibility */
>- PR_FALSE /* enableOCSPStapling */
>- };
>-
>-@@ -2906,9 +2906,9 @@ ssl_SetDefaultsFromEnvironment(void)
>++ PR_FALSE, /* cbcRandomIV */ /* defaults to off for compatibility */
>+ PR_FALSE, /* enableOCSPStapling */
>+ PR_TRUE, /* enableNPN */
>+ PR_FALSE /* enableALPN */
>+@@ -2883,9 +2883,9 @@ ssl_SetDefaultsFromEnvironment(void)
> PR_TRUE));
> }
> ev = getenv("NSS_SSL_CBC_RANDOM_IV");
>diff --git a/nss-util-ecc-list-3.15.3.patch b/nss-util-ecc-list-3.15.3.patch
>deleted file mode 100644
>index 288dbf2..0000000
>--- a/nss-util-ecc-list-3.15.3.patch
>+++ /dev/null
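Review bot: The refreshed hunk for nss/lib/ssl/sslsock.c in nss-ssl-cbc-random-iv-off-by-default.patch keeps `cbcRandomIV` at `PR_FALSE` in `ssl_defaults`, and the only rationale recorded is the inline `/* defaults to off for compatibility */`. This option is the record-splitting countermeasure for the predictable-IV weakness of CBC cipher suites in SSL 3.0 and TLS 1.0, so shipping it off is a security-relevant default that the comment should state, e.g. `/* cbcRandomIV: off for compatibility; SSL3/TLS1.0 CBC IV mitigation stays disabled unless NSS_SSL_CBC_RANDOM_IV turns it on */`. The `getenv("NSS_SSL_CBC_RANDOM_IV")` handling at the end of the hunk continues outside it, so the values it accepts are not visible here and should be confirmed before documenting the override. The `ssl_defaults` initializer itself starts and ends outside the hunk.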
>@@ -1,16 +0,0 @@
>-diff -up ./nss/lib/util/utilmodt.h.ecc_list ./nss/lib/util/utilmodt.h
>---- ./nss/lib/util/utilmodt.h.ecc_list 2013-12-04 10:19:17.393804242 -0800
>-+++ ./nss/lib/util/utilmodt.h 2013-12-04 10:22:28.541804170 -0800
>-@@ -23,10 +23,11 @@
>- #define SECMOD_SSL_FLAG 0x00000800L
>- #define SECMOD_TLS_FLAG 0x00001000L
>- #define SECMOD_AES_FLAG 0x00002000L
>--#define SECMOD_SHA256_FLAG 0x00004000L
>-+#define SECMOD_SHA256_FLAG 0x00004000L /* also for SHA224 */
>- #define SECMOD_SHA512_FLAG 0x00008000L /* also for SHA384 */
>- #define SECMOD_CAMELLIA_FLAG 0x00010000L /* = PUBLIC_MECH_CAMELLIA_FLAG */
>- #define SECMOD_SEED_FLAG 0x00020000L
>-+#define SECMOD_ECC_FLAG 0x00040000L
>- /* reserved bit for future, do not use */
>- #define SECMOD_RESERVED_FLAG 0X08000000L
>- #define SECMOD_FRIENDLY_FLAG 0x10000000L
>diff --git a/nss.spec b/nss.spec
>index d1ac9bc..55c33bd 100644
>--- a/nss.spec
>+++ b/nss.spec
>@@ -1,5 +1,5 @@
>-%global nspr_version 4.10.2
>-%global nss_util_version 3.15.3
>+%global nspr_version 4.10.5
>+%global nss_util_version 3.16.1
> %global nss_softokn_fips_version 3.14.3
> %global nss_softokn_version 3.14.3
> %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
>@@ -15,8 +15,8 @@
>
> Summary: Network Security Services
> Name: nss
>-Version: 3.15.3
>-Release: 12%{?dist}
>+Version: 3.16.1
>+Release: 1%{?dist}
> License: MPLv2.0
> URL: http://www.mozilla.org/projects/security/pki/nss/
> Group: System Environment/Libraries
>@@ -71,9 +71,6 @@ Patch40: nss-3.14.0.0-disble-ocsp-test.patch
> Patch41: p-disable-md5-590364-reversed.patch
> Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
> Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
>-# The ocsp stapling tests currently require access to the
>-# kuix.de test server but koji forbids outbount connections
>-Patch46: disable-ocsp-stapling-tests.patch
> # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
> # will be needed when we try to build nss as requested on rhbz#689919
> Patch47: utilwrap-include-templates.patch
>@@ -107,13 +104,6 @@ Patch58: revoking-trust-in-one-anssi-certificate.patch
> Patch59: 0001-RHBZ-895339.patch
> Patch64: 0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch
>
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001
>-# Remove this patch whwn we update to nss-3.15.4 or higher
>-Patch65: add-missing-option-descriptions.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977869
>-Patch66: nss-ecc-list-3.15.3.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673
>-Patch68: dont-disable-internal-module.patch
> # Local patch to deal with current older version of softoken/freebl
> Patch69: define-uint32.patch
> # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1007126
>@@ -206,27 +196,20 @@ low level services.
> %patch29 -p0 -b .cbcrandomivoff
> %patch40 -p0 -b .noocsptest
> %patch41 -p0 -b .md5okay
>-%patch44 -p1 -b .syncupwithupstream
>+%patch44 -p0 -b .syncupwithupstream
> # activate when approved
> #%patch45 -p0 -b .notrash
>-%patch46 -p0 -b .skipoutbound
> %patch47 -p0 -b .templates
> %patch48 -p0 -b .crypto
> %patch49 -p0 -b .skipthem
> %patch50 -p0 -b .iquote
> %patch51 -p1 -b .702083
> %patch60 -p0 -b .961659
>-%patch61 -p1 -b .990631
>+#%patch61 -p1 -b .990631
> %patch62 -p1 -b .deadlock
>-%patch63 -p0 -b .hw_comp
>-pushd nss
>-%patch58 -p1 -b .1042686
>-popd
>+#%patch63 -p0 -b .hw_comp
> %patch59 -p3 -b .895339
> %patch64 -p1 -b .895339
>-%patch65 -p1 -b .606022
>-%patch66 -p0 -b .ecc-lists
>-%patch68 -p0 -b .1059176
> %patch69 -p0 -b .uint32
> %patch70 -p0 -b .cleanup
>
>@@ -345,8 +328,6 @@ unset NSS_BLTEST_NOT_AVAILABLE
> # build the man pages clean
> pushd ./nss
> %{__make} clean_docs build_docs
>-# workaround until bug 1096478 is resolved
>-patch -b ./doc/nroff/certutil.1 $RPM_SOURCE_DIR/indentation.patch
> popd
>
> # and copy them to the dist directory for %%install to find them
>@@ -754,10 +735,9 @@ fi
>
>
> %changelog
>-* Wed May 21 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-12
>-- Apply man pages fixes requested on Bug 606022
>-- Using temporary workaround until bug 1096478 is approved and fixed
>-- Resolves: Bug 606022 - nss security tools lack man pages
>+* Thu May 22 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-1
>+- Update to nss-3.16.1
>+- Resolves: Bug 1099619 - Rebase nss in RHEL 6.6 to NSS 3.16.1
>
> * Mon Apr 21 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-11
> - Resolves: Bug 689919 - build without any softoken or util sources in the tree
>diff --git a/sources b/sources
>index de384a8..197a5f6 100644
>--- a/sources
>+++ b/sources
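Review bot: In the %prep hunk of nss.spec (`@@ -206,27 +196,20 @@`), `%patch61` and `%patch63` are commented out and the `pushd nss` / `%patch58 -p1 -b .1042686` / `popd` block is dropped with no reason recorded, while the header of the `@@ -107,13 +104,6 @@` hunk still shows `Patch58: revoking-trust-in-one-anssi-certificate.patch` declared. Patch58 is a certificate-distrust change, so the spec should say that the rebased source already carries it (presumably it does, but that is not visible here) rather than leave it silently unapplied. I would add a comment above each disabled line, e.g. `# patch58 (ANSSI certificate distrust): included upstream as of <version>, no longer applied`, and extend the new `%changelog` entry with the patches dropped or disabled by the rebase. If patches 58, 61 and 63 are obsolete, removing their `PatchNN:` declarations as well would keep the declarations and %prep in step.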
>@@ -8,4 +8,4 @@ f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
> 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
> ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
> 8b9cf94e7ed23586ab3f618366b6acb6 nss-pem-20130405.tar.bz2
>-2b7f607b709dc8319050f95e9ee28036 nss-3.15.3.tar.bz2
>+b459ca2d0536aca73aa5961a54683f65 nss-3.16.1.tar.bz2
Flags:
rrelyea
: review+