Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 908712 Details for
Bug 1002205
PEM module trashes private keys if login fails
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
all changes to update pem source tar ball and get rid of old pem patches
pemupdate.patch (text/plain), 27.54 KB, created by
Elio Maldonado Batiz
on 2014-06-13 22:33:34 UTC
(
hide
)
Description:
all changes to update pem source tar ball and get rid of old pem patches
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2014-06-13 22:33:34 UTC
Size:
27.54 KB
patch
obsolete
>diff --git a/.gitignore b/.gitignore >index 6f006fe..648bc4b 100644 >--- a/.gitignore >+++ b/.gitignore >@@ -7,5 +7,5 @@ PayPalEE.cert > TestCA.ca.cert > TestUser50.cert > TestUser51.cert >-/nss-pem-20130405.tar.bz2 >+/nss-pem-20140125.tar.bz2 > /nss-3.16.1.tar.bz2 >diff --git a/0001-RHBZ-895339.patch b/0001-RHBZ-895339.patch >deleted file mode 100644 >index 0863650..0000000 >--- a/0001-RHBZ-895339.patch >+++ /dev/null >@@ -1,153 +0,0 @@ >-From b7535f93e8cddb41c6a63bc66ff7f2dd315a4e5f Mon Sep 17 00:00:00 2001 >-From: Kamil Dudka <kdudka@redhat.com> >-Date: Mon, 29 Apr 2013 15:54:20 +0200 >-Subject: [PATCH] RHBZ#895339 - experimental fix for testing purposes >- >---- >- mozilla/security/nss/lib/ckfw/pem/ckpem.h | 2 +- >- mozilla/security/nss/lib/ckfw/pem/pinst.c | 16 +++++++++++----- >- mozilla/security/nss/lib/ckfw/pem/pobject.c | 12 +++++++----- >- 3 files changed, 19 insertions(+), 11 deletions(-) >- >-diff --git a/mozilla/security/nss/lib/ckfw/pem/ckpem.h b/mozilla/security/nss/lib/ckfw/pem/ckpem.h >-index 839d40b..3cda549 100644 >---- a/mozilla/security/nss/lib/ckfw/pem/ckpem.h >-+++ b/mozilla/security/nss/lib/ckfw/pem/ckpem.h >-@@ -243,7 +243,7 @@ PRBool pem_FreeParsedStrings(PRInt32 numStrings, char** instrings); >- pemInternalObject * >- AddObjectIfNeeded(CK_OBJECT_CLASS objClass, pemObjectType type, >- SECItem *certDER, SECItem *keyDER, char *filename, int objid, >-- CK_SLOT_ID slotID); >-+ CK_SLOT_ID slotID, PRBool *pAdded); >- >- void pem_DestroyInternalObject (pemInternalObject *io); >- >-diff --git a/mozilla/security/nss/lib/ckfw/pem/pinst.c b/mozilla/security/nss/lib/ckfw/pem/pinst.c >-index 7e286c8..b84caff 100644 >---- a/mozilla/security/nss/lib/ckfw/pem/pinst.c >-+++ b/mozilla/security/nss/lib/ckfw/pem/pinst.c >-@@ -313,7 +313,7 @@ pemInternalObject * >- AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- pemObjectType type, SECItem * certDER, >- SECItem * keyDER, char *filename, >-- int objid, CK_SLOT_ID slotID) >-+ int objid, CK_SLOT_ID slotID, PRBool *pAdded) >- { >- int i; >- >-@@ -324,6 +324,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- else >- nickname = filename; >- >-+ if (pAdded) >-+ *pAdded = PR_FALSE; >-+ >- /* first look for the object in gobj, it might be already there */ >- for (i = 0; i < pem_nobjs; i++) { >- if (NULL == gobj[i]) >-@@ -368,6 +371,9 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- count++; >- pem_nobjs++; >- >-+ if (pAdded) >-+ *pAdded = PR_TRUE; >-+ >- io->refCount ++; >- return io; >- } >-@@ -401,7 +407,7 @@ AddCertificate(char *certfile, char *keyfile, PRBool cacert, >- snprintf(nickname, 1024, "%s - %d", certfile, i); >- >- o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[i], NULL, >-- nickname, 0, slotID); >-+ nickname, 0, slotID, NULL); >- if (o == NULL) { >- error = CKR_GENERAL_ERROR; >- goto loser; >-@@ -412,7 +418,7 @@ AddCertificate(char *certfile, char *keyfile, PRBool cacert, >- >- /* Add the CA trust object */ >- o = AddObjectIfNeeded(CKO_NETSCAPE_TRUST, pemTrust, objs[i], NULL, >-- nickname, 0, slotID); >-+ nickname, 0, slotID, NULL); >- if (o == NULL) { >- error = CKR_GENERAL_ERROR; >- goto loser; >-@@ -421,7 +427,7 @@ AddCertificate(char *certfile, char *keyfile, PRBool cacert, >- } else { >- objid = pem_nobjs + 1; >- o = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, objs[0], NULL, certfile, >-- objid, slotID); >-+ objid, slotID, NULL); >- if (o == NULL) { >- error = CKR_GENERAL_ERROR; >- goto loser; >-@@ -443,7 +449,7 @@ AddCertificate(char *certfile, char *keyfile, PRBool cacert, >- goto loser; >- } >- o = AddObjectIfNeeded(CKO_PRIVATE_KEY, pemBareKey, objs[0], >-- keyobjs[0], certfile, objid, slotID); >-+ keyobjs[0], certfile, objid, slotID, NULL); >- if (o == NULL) { >- error = CKR_GENERAL_ERROR; >- goto loser; >-diff --git a/mozilla/security/nss/lib/ckfw/pem/pobject.c b/mozilla/security/nss/lib/ckfw/pem/pobject.c >-index 2665de1..be93bd7 100644 >---- a/mozilla/security/nss/lib/ckfw/pem/pobject.c >-+++ b/mozilla/security/nss/lib/ckfw/pem/pobject.c >-@@ -1133,7 +1133,7 @@ pem_CreateObject >- APPEND_LIST_ITEM(listItem); >- listItem->io = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, >- derlist[c], NULL, nickname, 0, >-- slotID); >-+ slotID, NULL); >- if (listItem->io == NULL) >- goto loser; >- >-@@ -1141,14 +1141,14 @@ pem_CreateObject >- APPEND_LIST_ITEM(listItem); >- listItem->io = AddObjectIfNeeded(CKO_NETSCAPE_TRUST, pemTrust, >- derlist[c], NULL, nickname, 0, >-- slotID); >-+ slotID, NULL); >- if (listItem->io == NULL) >- goto loser; >- } >- } else { >- listItem->io = AddObjectIfNeeded(CKO_CERTIFICATE, pemCert, >- derlist[0], NULL, filename, objid, >-- slotID); >-+ slotID, NULL); >- if (listItem->io == NULL) >- goto loser; >- } >-@@ -1157,6 +1157,7 @@ pem_CreateObject >- int i; >- SECItem certDER; >- CK_SESSION_HANDLE hSession; >-+ PRBool added; >- >- nobjs = ReadDERFromFile(&derlist, filename, PR_TRUE, &cipher, &ivstring, PR_FALSE /* keys only */); >- if (nobjs < 1) >-@@ -1184,7 +1185,8 @@ pem_CreateObject >- objid = pem_nobjs + 1; >- >- listItem->io = AddObjectIfNeeded(CKO_PRIVATE_KEY, pemBareKey, &certDER, >-- derlist[0], filename, objid, slotID); >-+ derlist[0], filename, objid, slotID, >-+ &added); >- if (listItem->io == NULL) >- goto loser; >- >-@@ -1195,7 +1197,7 @@ pem_CreateObject >- /* If the key was encrypted then free the session to make it appear that >- * the token was removed so we can force a login. >- */ >-- if (cipher) { >-+ if (cipher && added) { >- /* FIXME: Why 1.0s? Is it enough? Isn't it too much? >- * What about e.g. 3.14s? */ >- PRIntervalTime onesec = PR_SecondsToInterval(1); >--- >-1.7.1 >- >diff --git a/0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch b/0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch >deleted file mode 100644 >index 12beff5..0000000 >--- a/0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch >+++ /dev/null >@@ -1,67 +0,0 @@ >-From 76d83bb76a391e4adc86947e870adbc0081720e9 Mon Sep 17 00:00:00 2001 >-From: Kamil Dudka <kdudka@redhat.com> >-Date: Mon, 20 Jan 2014 18:25:37 +0100 >-Subject: [PATCH v2] pinst: make derEncodingsMatch() work with encrypted keys >- >---- >- nss/lib/ckfw/pem/ckpem.h | 1 + >- nss/lib/ckfw/pem/pinst.c | 11 ++++++++++- >- nss/lib/ckfw/pem/pobject.c | 1 + >- 3 files changed, 12 insertions(+), 1 deletions(-) >- >-diff --git a/nss/lib/ckfw/pem/ckpem.h b/nss/lib/ckfw/pem/ckpem.h >-index 3f8312e..2a47c75 100644 >---- a/nss/lib/ckfw/pem/ckpem.h >-+++ b/nss/lib/ckfw/pem/ckpem.h >-@@ -53,6 +53,7 @@ struct pemKeyParamsStr { >- NSSItem coefficient; >- unsigned char publicExponentData[sizeof(CK_ULONG)]; >- SECItem *privateKey; >-+ SECItem *privateKeyOrig; /* deep copy of privateKey until decrypted */ >- void *pubKey; >- }; >- typedef struct pemKeyParamsStr pemKeyParams; >-diff --git a/nss/lib/ckfw/pem/pinst.c b/nss/lib/ckfw/pem/pinst.c >-index 9ecdbae..813810c 100644 >---- a/nss/lib/ckfw/pem/pinst.c >-+++ b/nss/lib/ckfw/pem/pinst.c >-@@ -303,6 +303,15 @@ CreateObject(CK_OBJECT_CLASS objClass, >- nss_ZFreeIf(o->u.key.key.privateKey); >- goto fail; >- } >-+ >-+ /* store deep copy of original key DER so we can compare it later on */ >-+ o->u.key.key.privateKeyOrig = SECITEM_DupItem(keyDER); >-+ if (o->u.key.key.privateKeyOrig == NULL) { >-+ nss_ZFreeIf(o->u.key.key.privateKey->data); >-+ nss_ZFreeIf(o->u.key.key.privateKey); >-+ goto fail; >-+ } >-+ >- o->u.key.key.privateKey->len = keyDER->len; >- nsslibc_memcpy(o->u.key.key.privateKey->data, keyDER->data, >- keyDER->len); >-@@ -340,7 +349,7 @@ derEncodingsMatch(CK_OBJECT_CLASS objClass, pemInternalObject * obj, >- break; >- >- case CKO_PRIVATE_KEY: >-- result = SECITEM_CompareItem(obj->u.key.key.privateKey, keyDER); >-+ result = SECITEM_CompareItem(obj->u.key.key.privateKeyOrig, keyDER); >- break; >- >- default: >-diff --git a/nss/lib/ckfw/pem/pobject.c b/nss/lib/ckfw/pem/pobject.c >-index 3a45778..48f72d0 100644 >---- a/nss/lib/ckfw/pem/pobject.c >-+++ b/nss/lib/ckfw/pem/pobject.c >-@@ -609,6 +609,7 @@ pem_DestroyInternalObject >- } >- break; >- case pemBareKey: >-+ SECITEM_FreeItem(io->u.key.key.privateKeyOrig, PR_TRUE); >- nss_ZFreeIf(io->u.key.key.coefficient.data); >- nss_ZFreeIf(io->u.key.key.exponent2.data); >- nss_ZFreeIf(io->u.key.key.exponent1.data); >--- >-1.7.1 >- >diff --git a/0001-sync-up-with-upstream-softokn-changes.patch b/0001-sync-up-with-upstream-softokn-changes.patch >deleted file mode 100644 >index baea8c0..0000000 >--- a/0001-sync-up-with-upstream-softokn-changes.patch >+++ /dev/null >@@ -1,178 +0,0 @@ >-diff -up nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream nss/lib/ckfw/pem/rsawrapr.c >---- nss/lib/ckfw/pem/rsawrapr.c.syncupwithupstream 2012-08-11 09:06:59.000000000 -0700 >-+++ nss/lib/ckfw/pem/rsawrapr.c 2014-05-21 08:27:54.198521465 -0700 >-@@ -60,6 +60,21 @@ >- >- #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ >- >-+/* >-+ * RSA block types >-+ * >-+ * The actual values are important -- they are fixed, *not* arbitrary. >-+ * The explicit value assignments are not needed (because C would give >-+ * us those same values anyway) but are included as a reminder... >-+ */ >-+typedef enum { >-+ RSA_BlockUnused = 0, /* unused */ >-+ RSA_BlockPrivate = 1, /* pad for a private-key operation */ >-+ RSA_BlockPublic = 2, /* pad for a public-key operation */ >-+ RSA_BlockRaw = 4, /* simply justify the block appropriately */ >-+ RSA_BlockTotal >-+} RSA_BlockType; >-+ >- unsigned >- pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) >- { >-@@ -233,7 +248,6 @@ static unsigned char *rsa_FormatOneBlock >- /* >- * Blocks intended for private-key operation. >- */ >-- case RSA_BlockPrivate0: /* essentially unused */ >- case RSA_BlockPrivate: /* preferred method */ >- /* >- * 0x00 || BT || Pad || 0x00 || ActualData >-@@ -246,10 +260,7 @@ static unsigned char *rsa_FormatOneBlock >- nss_ZFreeIf(block); >- return NULL; >- } >-- nsslibc_memset(bp, >-- blockType == RSA_BlockPrivate0 >-- ? RSA_BLOCK_PRIVATE0_PAD_OCTET >-- : RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); >-+ nsslibc_memset(bp, RSA_BLOCK_PRIVATE_PAD_OCTET, padLen); >- bp += padLen; >- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; >- nsslibc_memcpy(bp, data->data, data->len); >-@@ -288,97 +299,6 @@ static unsigned char *rsa_FormatOneBlock >- >- break; >- >-- /* >-- * Blocks intended for public-key operation, using >-- * Optimal Asymmetric Encryption Padding (OAEP). >-- */ >-- case RSA_BlockOAEP: >-- /* >-- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) >-- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] >-- * >-- * where: >-- * PaddedData is "Pad1 || ActualData [|| Pad2]" >-- * Salt is random data. >-- * Pad1 is all zeros. >-- * Pad2, if present, is random data. >-- * (The "modified" fields are all the same length as the original >-- * unmodified values; they are just xor'd with other values.) >-- * >-- * Modified1 is an XOR of PaddedData with a special octet >-- * string constructed of iterated hashing of Salt (see below). >-- * Modified2 is an XOR of Salt with the low-order octets of >-- * the hash of Modified1 (see farther below ;-). >-- * >-- * Whew! >-- */ >-- >-- >-- /* >-- * Salt >-- */ >-- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); >-- if (rv != SECSuccess) { >-- nss_ZFreeIf(block); >-- return NULL; >-- } >-- bp += OAEP_SALT_LEN; >-- >-- /* >-- * Pad1 >-- */ >-- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); >-- bp += OAEP_PAD_LEN; >-- >-- /* >-- * Data >-- */ >-- nsslibc_memcpy(bp, data->data, data->len); >-- bp += data->len; >-- >-- /* >-- * Pad2 >-- */ >-- if (bp < (block + modulusLen)) { >-- rv = RNG_GenerateGlobalRandomBytes(bp, >-- block - bp + modulusLen); >-- if (rv != SECSuccess) { >-- nss_ZFreeIf(block); >-- return NULL; >-- } >-- } >-- >-- /* >-- * Now we have the following: >-- * 0x00 || BT || Salt || PaddedData >-- * (From this point on, "Pad1 || Data [|| Pad2]" is treated >-- * as the one entity PaddedData.) >-- * >-- * We need to turn PaddedData into Modified1. >-- */ >-- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, >-- modulusLen - 2 - OAEP_SALT_LEN, >-- block + 2, OAEP_SALT_LEN) != SECSuccess) { >-- nss_ZFreeIf(block); >-- return NULL; >-- } >-- >-- /* >-- * Now we have: >-- * 0x00 || BT || Salt || Modified1(PaddedData) >-- * >-- * The remaining task is to turn Salt into Modified2. >-- */ >-- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, >-- block + 2 + OAEP_SALT_LEN, >-- modulusLen - 2 - OAEP_SALT_LEN) != >-- SECSuccess) { >-- nss_ZFreeIf(block); >-- return NULL; >-- } >-- >-- break; >-- >- default: >- PORT_Assert(0); >- nss_ZFreeIf(block); >-@@ -406,7 +326,6 @@ rsa_FormatBlock(SECItem * result, unsign >- */ >- >- switch (blockType) { >-- case RSA_BlockPrivate0: >- case RSA_BlockPrivate: >- case RSA_BlockPublic: >- /* >-@@ -427,26 +346,6 @@ rsa_FormatBlock(SECItem * result, unsign >- >- break; >- >-- case RSA_BlockOAEP: >-- /* >-- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) >-- * >-- * The "2" below is the first octet + the second octet. >-- * (The other fields do not contain the clear values, but are >-- * the same length as the clear values.) >-- */ >-- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN >-- + OAEP_PAD_LEN))); >-- >-- result->data = rsa_FormatOneBlock(modulusLen, blockType, data); >-- if (result->data == NULL) { >-- result->len = 0; >-- return SECFailure; >-- } >-- result->len = modulusLen; >-- >-- break; >-- >- case RSA_BlockRaw: >- /* >- * Pad || ActualData >diff --git a/Bug-702083-dont-require-unique-file-basenames.patch b/Bug-702083-dont-require-unique-file-basenames.patch >deleted file mode 100644 >index 5b4a4da..0000000 >--- a/Bug-702083-dont-require-unique-file-basenames.patch >+++ /dev/null >@@ -1,183 +0,0 @@ >-From d0a744d6e0bce077bf9b9d6019c55a6336a53c47 Mon Sep 17 00:00:00 2001 >-From: Kamil Dudka <kdudka@redhat.com> >-Date: Tue, 28 May 2013 10:37:29 +0000 >-Subject: pinst: assignObjectID() - a new helper function >- >---- >-diff --git a/nss/lib/ckfw/pem/pinst.c b/nss/lib/ckfw/pem/pinst.c >-index 9c8682a..ee29296 100644 >---- a/nss/lib/ckfw/pem/pinst.c >-+++ b/nss/lib/ckfw/pem/pinst.c >-@@ -182,6 +182,23 @@ GetCertFields(unsigned char *cert, int cert_length, >- return SECSuccess; >- } >- >-+static CK_RV >-+assignObjectID(pemInternalObject *o, int objid) >-+{ >-+ char id[16]; >-+ int len; >-+ >-+ sprintf(id, "%d", objid); >-+ len = strlen(id) + 1; /* zero terminate */ >-+ o->id.size = len; >-+ o->id.data = nss_ZAlloc(NULL, len); >-+ if (o->id.data == NULL) >-+ return CKR_HOST_MEMORY; >-+ >-+ nsslibc_memcpy(o->id.data, id, len); >-+ return CKR_OK; >-+} >-+ >- static pemInternalObject * >- CreateObject(CK_OBJECT_CLASS objClass, >- pemObjectType type, SECItem * certDER, >-@@ -195,9 +212,7 @@ CreateObject(CK_OBJECT_CLASS objClass, >- SECItem derSN; >- SECItem valid; >- SECItem subjkey; >-- char id[16]; >- char *nickname; >-- int len; >- >- o = nss_ZNEW(NULL, pemInternalObject); >- if ((pemInternalObject *) NULL == o) { >-@@ -231,13 +246,8 @@ CreateObject(CK_OBJECT_CLASS objClass, >- goto fail; >- strcpy(o->nickname, nickname); >- >-- sprintf(id, "%d", objid); >-- len = strlen(id) + 1; /* zero terminate */ >-- o->id.data = (void *) nss_ZAlloc(NULL, len); >-- if (o->id.data == NULL) >-+ if (CKR_OK != assignObjectID(o, objid)) >- goto fail; >-- (void) nsslibc_memcpy(o->id.data, id, len); >-- o->id.size = len; >- >- o->objClass = objClass; >- o->type = type; >--- >-cgit v0.9.2 >-From 6822e94ef82bc83b3b259c4bdc7e28d54971eb33 Mon Sep 17 00:00:00 2001 >-From: Kamil Dudka <kdudka@redhat.com> >-Date: Tue, 28 May 2013 10:41:22 +0000 >-Subject: pinst: allow to share private keys by client certs >- >-https://bugzilla.redhat.com/883620#c15 >---- >-diff --git a/nss/lib/ckfw/pem/pinst.c b/nss/lib/ckfw/pem/pinst.c >-index ee29296..2f6b5d2 100644 >---- a/nss/lib/ckfw/pem/pinst.c >-+++ b/nss/lib/ckfw/pem/pinst.c >-@@ -324,6 +324,28 @@ fail: >- return NULL; >- } >- >-+static CK_RV >-+LinkSharedKeyObject(int oldKeyIdx, int newKeyIdx) >-+{ >-+ int i; >-+ for (i = 0; i < pem_nobjs; i++) { >-+ CK_RV rv; >-+ const pemInternalObject *obj = gobj[i]; >-+ if (NULL == obj) >-+ continue; >-+ >-+ if (atoi(obj->id.data) != oldKeyIdx) >-+ continue; >-+ >-+ nss_ZFreeIf(obj->id.data); >-+ rv = assignObjectID(obj, newKeyIdx); >-+ if (CKR_OK != rv) >-+ return rv; >-+ } >-+ >-+ return CKR_OK; >-+} >-+ >- pemInternalObject * >- AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- pemObjectType type, SECItem * certDER, >-@@ -353,6 +375,13 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- #endif >- && (0 == strcmp(gobj[i]->nickname, nickname))) { >- >-+ /* While adding a client certificate we (wrongly?) assumed that the >-+ * key object will follow right after the cert object. However, if >-+ * the key object is shared by multiple client certificates, such >-+ * an assumption does not hold. We have to update the references. >-+ */ >-+ LinkSharedKeyObject(pem_nobjs, i); >-+ >- plog("AddObjectIfNeeded: re-using internal object #%i\n", i); >- gobj[i]->refCount ++; >- return gobj[i]; >--- >-cgit v0.9.2 >-From 570c5a036e6f97e70cf22b47e6a45c35c3425376 Mon Sep 17 00:00:00 2001 >-From: Kamil Dudka <kdudka@redhat.com> >-Date: Tue, 24 Jul 2012 10:02:29 +0000 >-Subject: pinst: compare DER instead of nicknames in AddObjectIfNeeded() >- >-https://bugzilla.redhat.com/702083 >---- >-diff --git a/nss/lib/ckfw/pem/pinst.c b/nss/lib/ckfw/pem/pinst.c >-index 2f6b5d2..13d3b88 100644 >---- a/nss/lib/ckfw/pem/pinst.c >-+++ b/nss/lib/ckfw/pem/pinst.c >-@@ -324,6 +324,33 @@ fail: >- return NULL; >- } >- >-+/* Compare the DER encoding of the internal object against those >-+ * of the provided certDER or keyDER according to its objClass. >-+ */ >-+static PRBool >-+derEncodingsMatch(CK_OBJECT_CLASS objClass, pemInternalObject * obj, >-+ SECItem * certDER, SECItem * keyDER) >-+{ >-+ SECComparison result; >-+ >-+ switch (objClass) { >-+ case CKO_CERTIFICATE: >-+ case CKO_NETSCAPE_TRUST: >-+ result = SECITEM_CompareItem(obj->derCert, certDER); >-+ break; >-+ >-+ case CKO_PRIVATE_KEY: >-+ result = SECITEM_CompareItem(obj->u.key.key.privateKey, keyDER); >-+ break; >-+ >-+ default: >-+ /* unhandled object class */ >-+ return PR_FALSE; >-+ } >-+ >-+ return SECEqual == result; >-+} >-+ >- static CK_RV >- LinkSharedKeyObject(int oldKeyIdx, int newKeyIdx) >- { >-@@ -366,14 +393,13 @@ AddObjectIfNeeded(CK_OBJECT_CLASS objClass, >- if (NULL == gobj[i]) >- continue; >- >-+ /* Comparing DER encodings is dependable and frees the PEM module >-+ * from having to require clients to provide unique nicknames. >-+ */ >- if ((gobj[i]->objClass == objClass) >- && (gobj[i]->type == type) >- && (gobj[i]->slotID == slotID) >--#if 0 >-- /* FIXME: is it safe to return object with different objid? */ >-- && (atoi(gobj[i]->id.data) == objid) >--#endif >-- && (0 == strcmp(gobj[i]->nickname, nickname))) { >-+ && derEncodingsMatch(objClass, gobj[i], certDER, keyDER)) { >- >- /* While adding a client certificate we (wrongly?) assumed that the >- * key object will follow right after the cert object. However, if >--- >-cgit v0.9.2 >diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch >deleted file mode 100644 >index 6f0e88c..0000000 >--- a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch >+++ /dev/null >@@ -1,44 +0,0 @@ >---- nss/lib/ckfw/pem/psession.c >-+++ nss/lib/ckfw/pem/psession.c >-@@ -230,6 +230,7 @@ pem_mdSession_Login >- unsigned int len = 0; >- NSSLOWKEYPrivateKey *lpk = NULL; >- PLArenaPool *arena; >-+ SECItem plain; >- int i; >- >- fwSlot = NSSCKFWToken_GetFWSlot(fwToken); >-@@ -306,23 +321,27 @@ pem_mdSession_Login >- lpk->keyType = NSSLOWKEYRSAKey; >- prepare_low_rsa_priv_key_for_asn1(lpk); >- >-- nss_ZFreeIf(io->u.key.key.privateKey->data); >-- io->u.key.key.privateKey->len = len - output[len - 1]; >-- io->u.key.key.privateKey->data = >-- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); >-- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); >- >- /* Decode the resulting blob and see if it is a decodable DER that fits >- * our private key template. If so we declare success and move on. If not >- * then we return an error. >- */ >-+ memset(&plain, 0, sizeof(plain)); >-+ plain.data = output; >-+ plain.len = len - output[len - 1]; >- rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate, >-- io->u.key.key.privateKey); >-+ &plain); >- pem_DestroyPrivateKey(lpk); >- arena = NULL; >- if (rv != SECSuccess) >- goto loser; >- >-+ nss_ZFreeIf(io->u.key.key.privateKey->data); >-+ io->u.key.key.privateKey->len = len - output[len - 1]; >-+ io->u.key.key.privateKey->data = >-+ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); >-+ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); >-+ >- rv = CKR_OK; >- >- loser: >diff --git a/nss.spec b/nss.spec >index bda660d..392b08d 100644 >--- a/nss.spec >+++ b/nss.spec >@@ -16,7 +16,7 @@ > Summary: Network Security Services > Name: nss > Version: 3.16.1 >-Release: 5%{?dist} >+Release: 6%{?dist} > License: MPLv2.0 > URL: http://www.mozilla.org/projects/security/pki/nss/ > Group: System Environment/Libraries >@@ -50,7 +50,7 @@ Source7: blank-key4.db > Source8: system-pkcs11.txt > Source9: setup-nsssysinit.sh > Source10: PayPalEE.cert >-Source12: %{name}-pem-20130405.tar.bz2 >+Source12: %{name}-pem-20140125.tar.bz2 > Source17: TestCA.ca.cert > Source18: TestUser50.cert > Source19: TestUser51.cert >@@ -68,8 +68,6 @@ Patch29: nss-ssl-cbc-random-iv-off-by-default.patch > # TODO: Remove this patch when the ocsp test are fixed > Patch40: nss-3.14.0.0-disble-ocsp-test.patch > Patch41: p-disable-md5-590364-reversed.patch >-Patch44: 0001-sync-up-with-upstream-softokn-changes.patch >-Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch > # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator > # will be needed when we try to build nss as requested on rhbz#689919 > Patch47: utilwrap-include-templates.patch >@@ -84,21 +82,12 @@ Patch49: nss-skip-bltest-and-fipstest.patch > # headers are older. Such is the case when starting an update with API changes or even private export changes. > # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. > Patch50: iquote.patch >-# >-# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=d0a744d6 >-# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=6822e94e >-# Upstream: https://git.fedorahosted.org/cgit/nss-pem.git/commit/?id=570c5a03 >-# >-# Concatenation of the above three patches >-Patch51: Bug-702083-dont-require-unique-file-basenames.patch > # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684 > Patch60: Bug-961659-dont-hold-issuer-cert-handles-in-crl-cache.patch > # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144 > Patch62: nss-fix-deadlock-squash.patch > # Disable hw gcm on RHEL5-based build environments where older OS lacks support > Patch63: disable_hw_gcm.patch >-Patch59: 0001-RHBZ-895339.patch >-Patch64: 0001-pinst-make-derEncodingsMatch-work-with-encrypted-key.patch > > # Local patch to deal with current older version of softoken/freebl > Patch69: define-uint32.patch >@@ -192,19 +181,13 @@ low level services. > %patch29 -p0 -b .cbcrandomivoff > %patch40 -p0 -b .noocsptest > %patch41 -p0 -b .md5okay >-%patch44 -p0 -b .syncupwithupstream >-# activate when approved >-%patch45 -p0 -b .notrash > %patch47 -p0 -b .templates > %patch48 -p0 -b .crypto > %patch49 -p0 -b .skipthem > %patch50 -p0 -b .iquote >-%patch51 -p1 -b .702083 > %patch60 -p0 -b .961659 > %patch62 -p1 -b .deadlock > #%patch63 -p0 -b .hw_comp >-%patch59 -p3 -b .895339 >-%patch64 -p1 -b .895339 > %patch69 -p0 -b .uint32 > %patch70 -p0 -b .cleanup > >@@ -731,6 +714,10 @@ fi > > > %changelog >+* Fri Jun 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-6 >+- Update pem sources to the same ones used on rhel-7 >+- Remove no longer needed patches on account of this update >+ > * Tue Jun 10 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-5 > - Move removal of directories to the end of the %%prep section > - Resolves: Bug 689919 - build without any softoken or util sources in the tree >diff --git a/sources b/sources >index 197a5f6..1e131ed 100644 >--- a/sources >+++ b/sources >@@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db > f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert > 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert > ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert >-8b9cf94e7ed23586ab3f618366b6acb6 nss-pem-20130405.tar.bz2 >+b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2 > b459ca2d0536aca73aa5961a54683f65 nss-3.16.1.tar.bz2
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=908712">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Flags:
rrelyea
: review+
Actions:
View
|
Diff
Attachments on
bug 1002205
: 908712 |
908713