Red Hat Bugzilla – Attachment 923334 Details for
Bug 1124659
Rebase RHEL 7.0.Z to at least NSS 3.16.1 (FF 31)
[patch]
all changes needed for rebase to nss-3.16.2 - in patch format
allchanges4rebase.patch (text/plain), 48.02 KB, created by
Elio Maldonado Batiz
on 2014-08-01 15:05:59 UTC
Description:
all changes neded for rebase to nss-3.16.2 - in patch format
Filename:
MIME Type:
Creator:
Elio Maldonado Batiz
Created:
2014-08-01 15:05:59 UTC
Size:
48.02 KB
patch
obsolete
>diff --git a/.gitignore b/.gitignore
>index acdcd65..d357569 100644
>--- a/.gitignore
>+++ b/.gitignore
>@@ -8,4 +8,4 @@ TestCA.ca.cert
> TestUser50.cert
> TestUser51.cert
> /nss-pem-20140125.tar.bz2
>-/nss-3.15.4.tar.gz
>+/nss-3.16.2.tar.gz
>diff --git a/Bug-1001841-disable-sslv2-libssl.patch b/Bug-1001841-disable-sslv2-libssl.patch
>index a9bc128..efbbfe8 100644
>--- a/Bug-1001841-disable-sslv2-libssl.patch
>+++ b/Bug-1001841-disable-sslv2-libssl.patch
>@@ -1,7 +1,12 @@
>-diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
>---- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
>-+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
>-@@ -7,6 +7,10 @@ ifdef NISCC_TEST
>+diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk
>+--- a/lib/ssl/config.mk
>++++ b/lib/ssl/config.mk
>+@@ -2,16 +2,20 @@
>+ # This Source Code Form is subject to the terms of the Mozilla Public
>+ # License, v. 2.0. If a copy of the MPL was not distributed with this
>+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
>+
>+ ifdef NISCC_TEST
> DEFINES += -DNISCC_TEST
> endif
>
>@@ -12,64 +17,111 @@ diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
> ifdef NSS_NO_PKCS11_BYPASS
> DEFINES += -DNO_PKCS11_BYPASS
> else
>-diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
>---- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800
>-+++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800
>-@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>- break;
>+ CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
>+
>+ EXTRA_LIBS += \
>+ $(CRYPTOLIB) \
>+ $(NULL)
>+diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
>+--- a/lib/ssl/sslsock.c
>++++ b/lib/ssl/sslsock.c
>+@@ -649,16 +649,24 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>+ if (ss->cipherSpecs) {
>+ PORT_Free(ss->cipherSpecs);
>+ ss->cipherSpecs = NULL;
>+ ss->sizeCipherSpecs = 0;
>+ }
>+ break;
>
> case SSL_ENABLE_SSL2:
> +#ifdef NSS_NO_SSL2
>-+ if (on) {
>-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
>-+ rv = SECFailure; /* not allowed */
>-+ }
>-+ break;
>-+ ss->opt.enableSSL2 = on;
>++ if (on) {
>++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
>++ rv = SECFailure; /* not allowed */
>++ }
>++ break;
>++ ss->opt.enableSSL2 = on;
> +#else
> if (IS_DTLS(ss)) {
>- if (on) {
>- PORT_SetError(SEC_ERROR_INVALID_ARGS);
>-@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>- if (on) {
>- ss->opt.v2CompatibleHello = on;
>- }
>-+#endif
>- ss->preferredCipher = NULL;
>- if (ss->cipherSpecs) {
>- PORT_Free(ss->cipherSpecs);
>-@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>- break;
>+ if (on) {
>+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
>+ rv = SECFailure; /* not allowed */
>+ }
>+ break;
>+ }
>+ ss->opt.enableSSL2 = on;
>+@@ -666,42 +674,51 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>+ ss->opt.v2CompatibleHello = on;
>+ }
>+ ss->preferredCipher = NULL;
>+ if (ss->cipherSpecs) {
>+ PORT_Free(ss->cipherSpecs);
>+ ss->cipherSpecs = NULL;
>+ ss->sizeCipherSpecs = 0;
>+ }
>++#endif /* NSS_NO_SSL2 */
>+
break;
>+
>+ case SSL_NO_CACHE:
>+ ss->opt.noCache = on;
>+ break;
>+
>+ case SSL_ENABLE_FDX:
>+ if (on && ss->opt.noLocks) {
>+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
>+ rv = SECFailure;
>+ }
>+ ss->opt.fdx = on;
>+ break;
>
> case SSL_V2_COMPATIBLE_HELLO:
> +#ifdef NSS_NO_SSL2
>-+ if (on) {
>-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
>-+ rv = SECFailure; /* not allowed */
>-+ break;
>-+ }
>++ if (on) {
>++ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
>++ rv = SECFailure; /* not allowed */
>++ break;
>++ }
> +#else
> if (IS_DTLS(ss)) {
>- if (on) {
>- PORT_SetError(SEC_ERROR_INVALID_ARGS);
>-@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
>- }
>- break;
>- }
>-+#endif
>- ss->opt.v2CompatibleHello = on;
>- if (!on) {
>- ss->opt.enableSSL2 = on;
>-@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
>+ if (on) {
>+ PORT_SetError(SEC_ERROR_INVALID_ARGS);
>+ rv = SECFailure; /* not allowed */
>+ }
>+ break;
>+ }
>+ ss->opt.v2CompatibleHello = on;
>+ if (!on) {
>+ ss->opt.enableSSL2 = on;
>+ }
>++#endif /* NSS_NO_SSL2 */
>+ break;
>+
>+ case SSL_ROLLBACK_DETECTION:
>+ ss->opt.detectRollBack = on;
>+ break;
>+
>+ case SSL_NO_STEP_DOWN:
>+ ss->opt.noStepDown = on;
>+@@ -1155,17 +1172,21 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
>+
>+ if (rv != SECSuccess) {
>+ return rv;
>+ }
>+
> if (ssl_IsRemovedCipherSuite(which)) {
>- rv = SECSuccess;
>+ rv = SECSuccess;
> } else if (SSL_IS_SSL2_CIPHER(which)) {
> +#ifdef NSS_NO_SSL2
>-+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
>-+ rv = SECFailure; /* not allowed */
>++ rv = SSL_ERROR_SSL2_DISABLED;
> +#else
>- rv = ssl2_SetPolicy(which, policy);
>-+#endif
>+ rv = ssl2_SetPolicy(which, policy);
>++#endif /* NSS_NO_SSL2 */
> } else {
>- rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
>+ rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
> }
>+ return rv;
>+ }
>+
>+ SECStatus
>+ SSL_CipherPolicyGet(PRInt32 which, PRInt32 *oPolicy)
>+
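Review bot: In the regenerated SSL_CipherPolicySet section, the NSS_NO_SSL2 branch now reads `rv = SSL_ERROR_SSL2_DISABLED;`, which stores an error code in a SECStatus and no longer calls PORT_SetError, so a caller that compares against `SECFailure` or reads PORT_GetError() will not see why an SSL2 cipher policy was refused. The previous revision of this patch had `PORT_SetError(SSL_ERROR_SSL2_DISABLED);` followed by `rv = SECFailure; /* not allowed */`, and the SSL_OptionSet cases in the same hunk still use that form; the branch should be restored to it. A smaller point: `ss->opt.enableSSL2 = on;` after the `break;` in the NSS_NO_SSL2 branch of `case SSL_ENABLE_SSL2:` is unreachable and can be dropped. Both functions start and end outside the lines shown, so this is based on the visible context only.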
>diff --git a/Bug-1001841-disable-sslv2-tests.patch b/Bug-1001841-disable-sslv2-tests.patch
>index bf0adcb..c8a0ce0 100644
>--- a/Bug-1001841-disable-sslv2-tests.patch
>+++ b/Bug-1001841-disable-sslv2-tests.patch
>@@ -1,13 +1,289 @@ >-diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh >---- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700 >-+++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800 >-@@ -278,6 +278,9 @@ ssl_cov() >+diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh >+--- a/tests/ssl/ssl.sh >++++ b/tests/ssl/ssl.sh >+@@ -57,18 +57,23 @@ ssl_init() >+ fi >+ >+ PORT=${PORT-8443} >+ NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} >+ nss_ssl_run="stapling cov auth stress" >+ NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} >+ >+ # Test case files >+- SSLCOV=${QADIR}/ssl/sslcov.txt >++ SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ >++ && ${QADIR}/ssl/sslcov.noSSL2orExport.txt \ >++ || ${QADIR}/ssl/sslcov.txt >+ SSLAUTH=${QADIR}/ssl/sslauth.txt >++ SSLSTRESS=[ "${NSS_NO_SSL2}" = "1" ] \ >++ && ${QADIR}/ssl/sslstress.noSSL2orExport.txt \ >++ || ${QADIR}/ssl/sslstress.txt >+ SSLSTRESS=${QADIR}/ssl/sslstress.txt >+ REQUEST_FILE=${QADIR}/ssl/sslreq.dat >+ >+ #temparary files >+ SERVEROUTFILE=${TMP}/tests_server.$$ >+ SERVERPID=${TMP}/tests_pid.$$ >+ >+ R_SERVERPID=../tests_pid.$$ >+@@ -115,17 +120,21 @@ is_selfserv_alive() >+ if [ "${OS_ARCH}" = "WINNT" ] && \ >+ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then >+ PID=${SHELL_SERVERPID} >+ else >+ PID=`cat ${SERVERPID}` >+ fi >+ >+ echo "kill -0 ${PID} >/dev/null 2>/dev/null" >++ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then >++ echo "No server to kill" >++ else >+ kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - selfserv process not detectable" >++ fi >+ >+ echo "selfserv with PID ${PID} found at `date`" >+ } >+ >+ ########################### wait_for_selfserv ########################## >+ # local shell function to wait until selfserver is running and initialized >+ ######################################################################## >+ wait_for_selfserv() >+@@ -138,17 +147,21 @@ wait_for_selfserv() >+ if [ $? 
-ne 0 ]; then >+ sleep 5 >+ echo "retrying to connect to selfserv at `date`" >+ echo "tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \\" >+ echo " -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE}" >+ ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} ${CLIENT_OPTIONS} -q \ >+ -d ${P_R_CLIENTDIR} -v < ${REQUEST_FILE} >+ if [ $? -ne 0 ]; then >++ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then >++ html_passed "Server never started" >++ else >+ html_failed "Waiting for Server" >++ fi >+ fi >+ fi >+ is_selfserv_alive >+ } >+ >+ ########################### kill_selfserv ############################## >+ # local shell function to kill the selfserver after the tests are done >+ ######################################################################## >+@@ -273,16 +286,19 @@ ssl_cov() >+ exec < ${SSLCOV} >+ while read ectype testmax param testname >+ do >+ echo "${testname}" | grep "EXPORT" > /dev/null >+ EXP=$? > echo "${testname}" | grep "SSL2" > /dev/null > SSL2=$? > > + # skip export and ssl2 tests when build has disabled SSL2 >-+ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue >++ [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ] && continue > + > if [ "${SSL2}" -eq 0 ] ; then > # We cannot use asynchronous cert verification with SSL2 > SSL2_FLAGS=-O >+ VMIN="ssl2" >+ else >+ # Do not enable SSL2 for non-SSL2-specific tests. SSL2 is disabled by >+ # default in libssl but it is enabled by default in tstclnt; we want >+ # to test the libssl default whenever possible. >+diff --git a/tests/ssl/sslcov.noSSL2orExport.txt b/tests/ssl/sslcov.noSSL2orExport.txt >+new file mode 100644 >+--- /dev/null >++++ b/tests/ssl/sslcov.noSSL2orExport.txt >+@@ -0,0 +1,134 @@ >++# This Source Code Form is subject to the terms of the Mozilla Public >++# License, v. 2.0. If a copy of the MPL was not distributed with this >++# file, You can obtain one at http://mozilla.org/MPL/2.0/. 
>++# >++# This file enables test coverage of the various SSL ciphers >++# >++# NOTE: SSL2 ciphers are independent of whether TLS is enabled or not. We >++# mix up the enable functions so we can tests boths paths. >++# >++# Enable Enable Cipher Test Name >++# EC TLS >++# >++# >++ noECC SSL3 c SSL3_RSA_WITH_RC4_128_MD5 >++ noECC SSL3 d SSL3_RSA_WITH_3DES_EDE_CBC_SHA >++ noECC SSL3 e SSL3_RSA_WITH_DES_CBC_SHA >++ noECC SSL3 i SSL3_RSA_WITH_NULL_MD5 >++ noECC SSL3 j SSL3_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >++ noECC SSL3 k SSL3_RSA_FIPS_WITH_DES_CBC_SHA >++ noECC SSL3 n SSL3_RSA_WITH_RC4_128_SHA >++ noECC SSL3 v SSL3_RSA_WITH_AES_128_CBC_SHA >++ noECC SSL3 y SSL3_RSA_WITH_AES_256_CBC_SHA >++ noECC SSL3 z SSL3_RSA_WITH_NULL_SHA >++# noECC SSL3 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA >++# noECC SSL3 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA >++# >++ noECC TLS10 c TLS_RSA_WITH_RC4_128_MD5 >++ noECC TLS10 d TLS_RSA_WITH_3DES_EDE_CBC_SHA >++ noECC TLS10 e TLS_RSA_WITH_DES_CBC_SHA >++ noECC TLS10 i TLS_RSA_WITH_NULL_MD5 >++ noECC TLS10 j TLS_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >++ noECC TLS10 k TLS_RSA_FIPS_WITH_DES_CBC_SHA >++ noECC TLS10 n TLS_RSA_WITH_RC4_128_SHA >++ noECC TLS10 v TLS_RSA_WITH_AES_128_CBC_SHA >++ noECC TLS10 y TLS_RSA_WITH_AES_256_CBC_SHA >++ noECC TLS10 z TLS_RSA_WITH_NULL_SHA >++# noECC TLS10 :0041 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA >++# noECC TLS10 :0084 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA >++# >++# >++ noECC TLS11 c TLS11_RSA_WITH_RC4_128_MD5 >++ noECC TLS11 d TLS11_RSA_WITH_3DES_EDE_CBC_SHA >++ noECC TLS11 e TLS11_RSA_WITH_DES_CBC_SHA >++ noECC TLS11 i TLS11_RSA_WITH_NULL_MD5 >++ noECC TLS11 j TLS11_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >++ noECC TLS11 k TLS11_RSA_FIPS_WITH_DES_CBC_SHA >++ noECC TLS11 n TLS11_RSA_WITH_RC4_128_SHA >++ noECC TLS11 v TLS11_RSA_WITH_AES_128_CBC_SHA >++ noECC TLS11 y TLS11_RSA_WITH_AES_256_CBC_SHA >++ noECC TLS11 z TLS11_RSA_WITH_NULL_SHA >++# >++ noECC TLS12 c TLS12_RSA_WITH_RC4_128_MD5 >++ noECC TLS12 d TLS12_RSA_WITH_3DES_EDE_CBC_SHA >++ 
noECC TLS12 e TLS12_RSA_WITH_DES_CBC_SHA >++ noECC TLS12 i TLS12_RSA_WITH_NULL_MD5 >++ noECC TLS12 j TLS12_RSA_FIPS_WITH_3DES_EDE_CBC_SHA >++ noECC TLS12 k TLS12_RSA_FIPS_WITH_DES_CBC_SHA >++ noECC TLS12 n TLS12_RSA_WITH_RC4_128_SHA >++ noECC TLS12 v TLS12_RSA_WITH_AES_128_CBC_SHA >++ noECC TLS12 y TLS12_RSA_WITH_AES_256_CBC_SHA >++ noECC TLS12 z TLS12_RSA_WITH_NULL_SHA >++ noECC TLS12 :003B TLS12_RSA_WITH_NULL_SHA256 >++ noECC TLS12 :003C TLS12_RSA_WITH_AES_128_CBC_SHA256 >++ noECC TLS12 :003D TLS12_RSA_WITH_AES_256_CBC_SHA256 >++ noECC TLS12 :009C TLS12_RSA_WITH_AES_128_GCM_SHA256 >++# >++# ECC ciphers (TLS) >++# >++ ECC TLS10 :C001 TLS_ECDH_ECDSA_WITH_NULL_SHA >++ ECC TLS10 :C002 TLS_ECDH_ECDSA_WITH_RC4_128_SHA >++ ECC TLS10 :C003 TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS10 :C004 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS10 :C005 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS10 :C006 TLS_ECDHE_ECDSA_WITH_NULL_SHA >++ ECC TLS10 :C007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA >++ ECC TLS10 :C008 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS10 :C009 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS10 :C00A TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS10 :C00B TLS_ECDH_RSA_WITH_NULL_SHA >++ ECC TLS10 :C00C TLS_ECDH_RSA_WITH_RC4_128_SHA >++ ECC TLS10 :C00D TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS10 :C00E TLS_ECDH_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS10 :C00F TLS_ECDH_RSA_WITH_AES_256_CBC_SHA >++ ECC TLS10 :C010 TLS_ECDHE_RSA_WITH_NULL_SHA >++ ECC TLS10 :C011 TLS_ECDHE_RSA_WITH_RC4_128_SHA >++ ECC TLS10 :C012 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS10 :C013 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS10 :C014 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA >++# >++ ECC TLS11 :C001 TLS11_ECDH_ECDSA_WITH_NULL_SHA >++ ECC TLS11 :C002 TLS11_ECDH_ECDSA_WITH_RC4_128_SHA >++ ECC TLS11 :C003 TLS11_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS11 :C004 TLS11_ECDH_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS11 :C005 TLS11_ECDH_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS11 :C006 
TLS11_ECDHE_ECDSA_WITH_NULL_SHA >++ ECC TLS11 :C007 TLS11_ECDHE_ECDSA_WITH_RC4_128_SHA >++ ECC TLS11 :C008 TLS11_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS11 :C009 TLS11_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS11 :C00A TLS11_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS11 :C00B TLS11_ECDH_RSA_WITH_NULL_SHA >++ ECC TLS11 :C00C TLS11_ECDH_RSA_WITH_RC4_128_SHA >++ ECC TLS11 :C00D TLS11_ECDH_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS11 :C00E TLS11_ECDH_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS11 :C00F TLS11_ECDH_RSA_WITH_AES_256_CBC_SHA >++ ECC TLS11 :C010 TLS11_ECDHE_RSA_WITH_NULL_SHA >++ ECC TLS11 :C011 TLS11_ECDHE_RSA_WITH_RC4_128_SHA >++ ECC TLS11 :C012 TLS11_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS11 :C013 TLS11_ECDHE_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS11 :C014 TLS11_ECDHE_RSA_WITH_AES_256_CBC_SHA >++# >++ ECC TLS12 :C001 TLS12_ECDH_ECDSA_WITH_NULL_SHA >++ ECC TLS12 :C002 TLS12_ECDH_ECDSA_WITH_RC4_128_SHA >++ ECC TLS12 :C003 TLS12_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS12 :C004 TLS12_ECDH_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS12 :C005 TLS12_ECDH_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS12 :C006 TLS12_ECDHE_ECDSA_WITH_NULL_SHA >++ ECC TLS12 :C007 TLS12_ECDHE_ECDSA_WITH_RC4_128_SHA >++ ECC TLS12 :C008 TLS12_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS12 :C009 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA >++ ECC TLS12 :C00A TLS12_ECDHE_ECDSA_WITH_AES_256_CBC_SHA >++ ECC TLS12 :C00B TLS12_ECDH_RSA_WITH_NULL_SHA >++ ECC TLS12 :C00C TLS12_ECDH_RSA_WITH_RC4_128_SHA >++ ECC TLS12 :C00D TLS12_ECDH_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS12 :C00E TLS12_ECDH_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS12 :C00F TLS12_ECDH_RSA_WITH_AES_256_CBC_SHA >++ ECC TLS12 :C010 TLS12_ECDHE_RSA_WITH_NULL_SHA >++ ECC TLS12 :C011 TLS12_ECDHE_RSA_WITH_RC4_128_SHA >++ ECC TLS12 :C012 TLS12_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA >++ ECC TLS12 :C013 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA >++ ECC TLS12 :C014 TLS12_ECDHE_RSA_WITH_AES_256_CBC_SHA >++ ECC TLS12 :C023 TLS12_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 >++ ECC 
TLS12 :C027 TLS12_ECDHE_RSA_WITH_AES_128_CBC_SHA256 >++ ECC TLS12 :C02B TLS12_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 >++ ECC TLS12 :C02F TLS12_ECDHE_RSA_WITH_AES_128_GCM_SHA256 >+diff --git a/tests/ssl/sslstress.noSSL2orExport.txt b/tests/ssl/sslstress.noSSL2orExport.txt >+new file mode 100644 >+--- /dev/null >++++ b/tests/ssl/sslstress.noSSL2orExport.txt >+@@ -0,0 +1,53 @@ >++# This Source Code Form is subject to the terms of the Mozilla Public >++# License, v. 2.0. If a copy of the MPL was not distributed with this >++# file, You can obtain one at http://mozilla.org/MPL/2.0/. >++# >++# This file defines the stress tests for SSL/TLS. >++# >++# expected >++# Enable return server client Test Case name >++# ECC value params params >++# ------- ------ ------ ------ --------------- >++ noECC 0 _ -c_1000_-C_c_-V_:ssl3 Stress SSL3 RC4 128 with MD5 >++ noECC 0 _ -c_1000_-C_c Stress TLS RC4 128 with MD5 >++ noECC 0 _ -c_1000_-C_c_-g Stress TLS RC4 128 with MD5 (false start) >++ noECC 0 -u -V_ssl3:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket) >++ noECC 0 -z -V_ssl3:_-c_1000_-C_c_-z Stress TLS RC4 128 with MD5 (compression) >++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression) >++ noECC 0 -u_-z -V_ssl3:_-c_1000_-C_c_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, false start) >++ SNI 0 -u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI) >++ >++# >++# add client auth versions here... 
>++# >++ noECC 0 -r_-r -c_100_-C_c_-V_:ssl3_-N_-n_TestUser Stress SSL3 RC4 128 with MD5 (no reuse, client auth) >++ noECC 0 -r_-r -c_100_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (no reuse, client auth) >++ noECC 0 -r_-r_-u -V_ssl3:_-c_100_-C_c_-n_TestUser_-u Stress TLS RC4 128 with MD5 (session ticket, client auth) >++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z Stress TLS RC4 128 with MD5 (compression, client auth) >++ noECC 0 -r_-r_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-z_-g Stress TLS RC4 128 with MD5 (compression, client auth, false start) >++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z Stress TLS RC4 128 with MD5 (session ticket, compression, client auth) >++ noECC 0 -r_-r_-u_-z -V_ssl3:_-c_100_-C_c_-n_TestUser_-u_-z_-g Stress TLS RC4 128 with MD5 (session ticket, compression, client auth, false start) >++ SNI 0 -r_-r_-u_-a_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, default virt host) >++ SNI 0 -r_-r_-u_-a_Host-sni.Dom_-k_Host-sni.Dom -V_tls1.0:_-c_1000_-C_c_-u_-a_Host-sni.Dom Stress TLS RC4 128 with MD5 (session ticket, SNI, client auth, change virt host) >++ >++# >++# ############################ ECC ciphers ############################ >++# >++ ECC 0 -c_:C009 -V_ssl3:_-c_100_-C_:C009_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse) >++ ECC 0 -c_:C023 -V_ssl3:_-c_100_-C_:C023_-N Stress TLS ECDHE-ECDSA AES 128 CBC with SHA256 (no reuse) >++ ECC 0 -c_:C02B -V_ssl3:_-c_100_-C_:C02B_-N Stress TLS ECDHE-ECDSA AES 128 GCM (no reuse) >++ ECC 0 -c_:C004 -V_ssl3:_-c_100_-C_:C004_-N Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse) >++ ECC 0 -c_:C00E -V_ssl3:_-c_100_-C_:C00E_-N Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse) >++ ECC 0 -c_:C013 -V_ssl3:_-c_1000_-C_:C013 Stress TLS ECDHE-RSA AES 128 CBC with SHA >++ ECC 0 -c_:C027 -V_ssl3:_-c_1000_-C_:C027 Stress TLS ECDHE-RSA AES 128 CBC with SHA256 >++ ECC 0 -c_:C02F -V_ssl3:_-c_1000_-C_:C02F Stress TLS ECDHE-RSA 
AES 128 GCM >++ ECC 0 -c_:C004_-u -V_ssl3:_-c_1000_-C_:C004_-u Stress TLS ECDH-ECDSA AES 128 CBC with SHA (session ticket) >++# >++# add client auth versions here... >++# >++ ECC 0 -r_-r_-c_:C009 -V_ssl3:_-c_10_-C_:C009_-N_-n_TestUser-ec Stress TLS ECDHE-ECDSA AES 128 CBC with SHA (no reuse, client auth) >++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA (client auth) >++ ECC 0 -r_-r_-c_:C004 -V_ssl3:_-c_10_-C_:C004_-N_-n_TestUser-ec Stress TLS ECDH-ECDSA AES 128 CBC with SHA (no reuse, client auth) >++ ECC 0 -r_-r_-c_:C00E -V_ssl3:_-c_10_-C_:C00E_-N_-n_TestUser-ecmixed Stress TLS ECDH-RSA AES 128 CBC with SHA (no reuse, client auth) >++ ECC 0 -r_-r_-c_:C013 -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec Stress TLS ECDHE-RSA AES 128 CBC with SHA(client auth) >++ ECC 0 -r_-r_-c_:C013_-u -V_ssl3:_-c_100_-C_:C013_-n_TestUser-ec_-u Stress TLS ECDHE-RSA AES 128 CBC with SHA(session ticket, client auth) >diff --git a/Free-dangling-reference.patch b/Free-dangling-reference.patch >deleted file mode 100644 >index b2d3554..0000000 >--- a/Free-dangling-reference.patch >+++ /dev/null 
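Review bot: The new `ssl_init` lines of the form `SSLCOV=[ "${NSS_NO_SSL2}" = "1" ] \ && … || …` are not a conditional assignment: as written the shell takes `SSLCOV=[` as an environment prefix for a command, so SSLCOV is never set in the script, and the new SSLSTRESS line is overwritten anyway by the unchanged `SSLSTRESS=${QADIR}/ssl/sslstress.txt` that follows it. The guard `[ -n ${EXP} -o -n ${SSL2} ]` added in `is_selfserv_alive`, `wait_for_selfserv` and `ssl_cov` is always true, because EXP and SSL2 hold grep exit statuses and are never empty; with NSS_NO_SSL2=1 every coverage case hits `continue` and a server that failed to start is recorded through `html_passed "Server never started"`, so the run can report success without having exercised any cipher suite. The block added to `is_selfserv_alive` also ends in `; then` with no leading `if`. Select the case files with a real `if`, compare the statuses numerically, and keep `html_failed` for a server that does not come up; a sketch of the first two changes follows.

```shell
  # Test case files
  if [ "${NSS_NO_SSL2}" = "1" ]; then
      SSLCOV=${QADIR}/ssl/sslcov.noSSL2orExport.txt
      SSLSTRESS=${QADIR}/ssl/sslstress.noSSL2orExport.txt
  else
      SSLCOV=${QADIR}/ssl/sslcov.txt
      SSLSTRESS=${QADIR}/ssl/sslstress.txt
  fi
  SSLAUTH=${QADIR}/ssl/sslauth.txt
  # … unchanged: REQUEST_FILE, temporary files, is_selfserv_alive, wait_for_selfserv …

    # in ssl_cov(): skip export and ssl2 tests when build has disabled SSL2
    if [ "${NSS_NO_SSL2}" = "1" ] && [ "${EXP}" -eq 0 -o "${SSL2}" -eq 0 ]; then
        continue
    fi
```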
>@@ -1,29 +0,0 @@
>-diff --git a/lib/pk11wrap/pk11cert.c b/lib/pk11wrap/pk11cert.c
>---- a/lib/pk11wrap/pk11cert.c
>-+++ b/lib/pk11wrap/pk11cert.c
>-@@ -976,18 +976,25 @@ PK11_ImportCert(PK11SlotInfo *slot, CERT
>- cert->istemp = PR_FALSE;
>- cert->isperm = PR_TRUE;
>- }
>-
>- /* add the new instance to the cert, force an update of the
>- * CERTCertificate, and finish
>- */
>- nssPKIObject_AddInstance(&c->object, certobj);
>-+ /* nssTrustDomain_AddCertsToCache may release a reference to 'c' and
>-+ * replace 'c' by a different value. So we add a reference to 'c' to
>-+ * prevent 'c' from being destroyed. */
>-+ nssCertificate_AddRef(c);
>- nssTrustDomain_AddCertsToCache(STAN_GetDefaultTrustDomain(), &c, 1);
>-+ /* XXX should we pass the original value of 'c' to
>-+ * STAN_ForceCERTCertificateUpdate? */
>- (void)STAN_ForceCERTCertificateUpdate(c);
>-+ nssCertificate_Destroy(c);
>- SECITEM_FreeItem(keyID,PR_TRUE);
>- return SECSuccess;
>- loser:
>- CERT_MapStanError();
>- SECITEM_FreeItem(keyID,PR_TRUE);
>- if (PORT_GetError() != SEC_ERROR_TOKEN_NOT_LOGGED_IN) {
>- PORT_SetError(SEC_ERROR_ADDING_CERT);
>- }
>diff --git a/dont-disable-internal-module.patch b/dont-disable-internal-module.patch
>deleted file mode 100644
>index 5d71643..0000000
>--- a/dont-disable-internal-module.patch
>+++ /dev/null
>@@ -1,39 +0,0 @@
>-diff -up ./nss/cmd/modutil/pk11.c.1056036 ./nss/cmd/modutil/pk11.c
>---- ./nss/cmd/modutil/pk11.c.1056036 2014-02-24 15:49:00.802754246 -0800
>-+++ ./nss/cmd/modutil/pk11.c 2014-02-24 15:49:00.806754285 -0800
>-@@ -826,6 +826,12 @@ EnableModule(char *moduleName, char *slo
>- PK11_GetSlotName(slot), "enabled");
>- }
>- } else {
>-+ if (module->internal) {
>-+ PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
>-+ "disable", PK11_GetSlotName(slot));
>-+ rv = ENABLE_FAILED_ERR;
>-+ goto loser;
>-+ }
>- if(! PK11_UserDisableSlot(slot)) {
>- PR_fprintf(PR_STDERR, errStrings[ENABLE_FAILED_ERR],
>- "disable", PK11_GetSlotName(slot));
>-diff -up ./nss/doc/modutil.xml.1056036 ./nss/doc/modutil.xml
>---- ./nss/doc/modutil.xml.1056036 2014-01-03 11:59:10.000000000 -0800
>-+++ ./nss/doc/modutil.xml 2014-02-24 15:49:00.806754285 -0800
>-@@ -86,7 +86,7 @@
>-
>- <varlistentry>
>- <term>-disable modulename</term>
>-- <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para></listitem>
>-+ <listitem><para>Disable all slots on the named module. Use the <option>-slot</option> argument to disable a specific slot.</para><para>The internal NSS PKCS #11 module cannot be disabled.</para></listitem>
>- </varlistentry>
>-
>- <varlistentry>
>-diff -up ./nss/lib/dev/devtoken.c.1056036 ./nss/lib/dev/devtoken.c
>---- ./nss/lib/dev/devtoken.c.1056036 2014-02-24 15:55:16.687529925 -0800
>-+++ ./nss/lib/dev/devtoken.c 2014-02-24 15:56:15.720143547 -0800
>-@@ -1438,6 +1438,7 @@ nssToken_IsPresent (
>- NSSToken *token
>- )
>- {
>-+ if (token == NULL) return PR_FALSE;
>- return nssSlot_IsTokenPresent(token->slot);
>- }
>-
>diff --git a/iquote.patch b/iquote.patch
>index 9fb7772..ba9cb71 100644
>--- a/iquote.patch
>+++ b/iquote.patch
>@@ -35,6 +35,82 @@ diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile
>
> #######################################################################
> # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile
>+--- ./nss/cmd/modutil/Makefile.iquote 2014-05-31 11:14:36.880951209 -0700
>++++ ./nss/cmd/modutil/Makefile 2014-05-31 11:15:13.423253804 -0700
>+@@ -41,7 +41,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile
>+--- ./nss/cmd/selfserv/Makefile.iquote 2014-05-31 10:41:33.790380931 -0700
>++++ ./nss/cmd/selfserv/Makefile 2014-05-31 10:42:12.319696191 -0700
>+@@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile
>+--- ./nss/cmd/ssltap/Makefile.iquote 2014-05-31 10:46:19.661718435 -0700
>++++ ./nss/cmd/ssltap/Makefile 2014-05-31 10:47:11.269140037 -0700
>+@@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules.
(OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile
>+--- ./nss/cmd/strsclnt/Makefile.iquote 2014-05-31 10:51:00.833015089 -0700
>++++ ./nss/cmd/strsclnt/Makefile 2014-05-31 10:51:30.397255298 -0700
>+@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (6) Execute "component" rules. (OPTIONAL) #
>+ #######################################################################
>+
>+-
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>+
>+ #######################################################################
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile
>+--- ./nss/cmd/tstclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700
>++++ ./nss/cmd/tstclnt/Makefile 2014-05-31 10:57:43.740326022 -0700
>+@@ -42,5 +42,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (7) Execute "local" rules. (OPTIONAL). #
>+ #######################################################################
>+
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>++
>+ include ../platrules.mk
>+
>+diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile
>+--- ./nss/cmd/vfyserv/Makefile.iquote 2014-05-31 11:00:19.522669067 -0700
>++++ ./nss/cmd/vfyserv/Makefile 2014-05-31 11:00:42.954870502 -0700
>+@@ -42,5 +42,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk
>+ # (7) Execute "local" rules. (OPTIONAL).
#
>+ #######################################################################
>+
>++INCLUDES += -iquote $(DIST)/../public/nss
>++INCLUDES += -iquote $(DIST)/../private/nss
>++
>+ include ../platrules.mk
>+
> diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk
> --- ./nss/coreconf/location.mk.iquote 2014-01-03 11:59:10.000000000 -0800
> +++ ./nss/coreconf/location.mk 2014-01-18 11:31:32.309404697 -0800
>diff --git a/nss-ecc-list-3.15.3.patch b/nss-ecc-list-3.15.3.patch
>deleted file mode 100644
>index 6f86258..0000000
>--- a/nss-ecc-list-3.15.3.patch
>+++ /dev/null
>@@ -1,239 +0,0 @@ >-diff -up ./nss/cmd/modutil/pk11.c.ecc-lists ./nss/cmd/modutil/pk11.c >---- ./nss/cmd/modutil/pk11.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800 >-+++ ./nss/cmd/modutil/pk11.c 2013-12-20 10:29:01.540726233 -0800 >-@@ -7,12 +7,9 @@ >- */ >- >- #include "modutil.h" >--/* #include "secmodti.h" */ >-+#include "secmodi.h" >- #include "pk11func.h" >- >--static PK11DefaultArrayEntry *pk11_DefaultArray = NULL; >--static int pk11_DefaultArraySize = 0; >-- >- /************************************************************************* >- * >- * F i p s M o d e >-@@ -110,32 +107,11 @@ ChkFipsMode(char *arg) >- >- typedef struct { >- const char *name; >-- const unsigned long mask; >-+ unsigned long mask; >- } MaskString; >- >--static const MaskString mechanismStrings[] = { >-- {"RSA", PUBLIC_MECH_RSA_FLAG}, >-- {"DSA", PUBLIC_MECH_DSA_FLAG}, >-- {"RC2", PUBLIC_MECH_RC2_FLAG}, >-- {"RC4", PUBLIC_MECH_RC4_FLAG}, >-- {"RC5", PUBLIC_MECH_RC5_FLAG}, >-- {"DES", PUBLIC_MECH_DES_FLAG}, >-- {"DH", PUBLIC_MECH_DH_FLAG}, >-- {"FORTEZZA", PUBLIC_MECH_FORTEZZA_FLAG}, >-- {"SHA1", PUBLIC_MECH_SHA1_FLAG}, >-- {"MD5", PUBLIC_MECH_MD5_FLAG}, >-- {"MD2", PUBLIC_MECH_MD2_FLAG}, >-- {"SSL", PUBLIC_MECH_SSL_FLAG}, >-- {"TLS", PUBLIC_MECH_TLS_FLAG}, >-- {"AES", PUBLIC_MECH_AES_FLAG}, >-- {"CAMELLIA", PUBLIC_MECH_CAMELLIA_FLAG}, >-- {"SHA256", PUBLIC_MECH_SHA256_FLAG}, >-- {"SHA512", PUBLIC_MECH_SHA512_FLAG}, >-- {"RANDOM", PUBLIC_MECH_RANDOM_FLAG}, >-- {"FRIENDLY", PUBLIC_MECH_FRIENDLY_FLAG} >--}; >--static const int numMechanismStrings = >-- sizeof(mechanismStrings) / sizeof(mechanismStrings[0]); >-+static MaskString *mechanismStrings = NULL; >-+static int numMechanismStrings = 0; >- >- static const MaskString cipherStrings[] = { >- {"FORTEZZA", PUBLIC_CIPHER_FORTEZZA_FLAG} >-@@ -143,10 +119,83 @@ static const MaskString cipherStrings[] >- static const int numCipherStrings = >- sizeof(cipherStrings) / sizeof(cipherStrings[0]); >- >-+static PK11DefaultArrayEntry 
*pk11_DefaultArray = NULL; >-+static int pk11_DefaultArraySize = 0; >-+ >-+ >- /* Maximum length of a colon-separated list of all the strings in an >- * array. */ >- #define MAX_STRING_LIST_LEN 240 /* or less */ >- >-+/* >-+** The same as SECMOD_InternaltoPubMechFlags >-+** from nss/lib/pk11wrap/pk11util.c wich is a >-+** private export and not visible to us >-+*/ >-+static unsigned long >-+InternaltoPubMechFlags(unsigned long internalFlags) >-+{ >-+ unsigned long publicFlags = internalFlags; >-+ >-+ if (internalFlags & SECMOD_RANDOM_FLAG) { >-+ publicFlags &= ~SECMOD_RANDOM_FLAG; >-+ publicFlags |= PUBLIC_MECH_RANDOM_FLAG; >-+ } >-+ return publicFlags; >-+} >-+ >-+ >-+Error >-+loadMechanismList(void) >-+{ >-+ int i; >-+ >-+ if (pk11_DefaultArray == NULL) { >-+ pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-+ if (pk11_DefaultArray == NULL) { >-+ /* should assert. This shouldn't happen */ >-+ return UNSPECIFIED_ERR; >-+ } >-+ } >-+ if (mechanismStrings != NULL) { >-+ PR_Free(mechanismStrings); >-+ } >-+ >-+ /* build the mechanismStrings array */ >-+ mechanismStrings = PR_Malloc( pk11_DefaultArraySize*sizeof(MaskString) ); >-+ if (mechanismStrings == NULL) { >-+ return OUT_OF_MEM_ERR; >-+ } >-+ numMechanismStrings = pk11_DefaultArraySize; >-+ for (i = 0; i < numMechanismStrings; i++) { >-+ char *name = pk11_DefaultArray[i].name; >-+ unsigned long flag = pk11_DefaultArray[i].flag; >-+ /* map new name to old */ >-+ switch (flag) { >-+ case SECMOD_FORTEZZA_FLAG: >-+ name = "FORTEZZA"; >-+ break; >-+ case SECMOD_SHA1_FLAG: >-+ name = "SHA1"; >-+ break; >-+ case SECMOD_CAMELLIA_FLAG: >-+ name = "CAMELLIA"; >-+ break; >-+ case SECMOD_RANDOM_FLAG: >-+ name = "RANDOM"; >-+ break; >-+ case SECMOD_FRIENDLY_FLAG: >-+ name = "FRIENDLY"; >-+ break; >-+ default: >-+ break; >-+ } >-+ mechanismStrings[i].name = name; >-+ mechanismStrings[i].mask = InternaltoPubMechFlags(flag); >-+ } >-+ return SUCCESS; >-+} >-+ >- 
/************************************************************************ >- * >- * g e t F l a g s F r o m S t r i n g >-@@ -244,6 +293,12 @@ AddModule(char *moduleName, char *libFil >- unsigned long ciphers; >- unsigned long mechanisms; >- SECStatus status; >-+ Error rv; >-+ >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >-+ } >- >- mechanisms = >- getFlagsFromString(mechanismString, mechanismStrings, >-@@ -493,6 +548,11 @@ ListModule(char *moduleName) >- return SUCCESS; >- } >- >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >-+ } >-+ >- module = SECMOD_FindModule(moduleName); >- if(!module) { >- PR_fprintf(PR_STDERR, errStrings[NO_SUCH_MODULE_ERR], moduleName); >-@@ -811,19 +871,18 @@ SetDefaultModule(char *moduleName, char >- SECMODModule *module = NULL; >- PK11SlotInfo *slot; >- int s, i; >-- unsigned long mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-- numMechanismStrings); >-+ unsigned long mechFlags; >- PRBool found = PR_FALSE; >-- Error errcode = UNSPECIFIED_ERR; >-+ Error errcode; >- >-- if (pk11_DefaultArray == NULL) { >-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-- if (pk11_DefaultArray == NULL) { >-- /* should assert. 
This shouldn't happen */ >-- goto loser; >-- } >-+ errcode = loadMechanismList(); >-+ if (errcode != SUCCESS) { >-+ return errcode; >- } >-+ errcode = UNSPECIFIED_ERR; >- >-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-+ numMechanismStrings); >- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); >- >- module = SECMOD_FindModule(moduleName); >-@@ -889,20 +948,17 @@ UnsetDefaultModule(char *moduleName, cha >- SECMODModule * module = NULL; >- PK11SlotInfo *slot; >- int s, i; >-- unsigned long mechFlags = getFlagsFromString(mechanisms, >-- mechanismStrings, numMechanismStrings); >-+ unsigned long mechFlags; >- PRBool found = PR_FALSE; >- Error rv; >- >-- if (pk11_DefaultArray == NULL) { >-- pk11_DefaultArray = PK11_GetDefaultArray(&pk11_DefaultArraySize); >-- if (pk11_DefaultArray == NULL) { >-- /* should assert. This shouldn't happen */ >-- rv = UNSPECIFIED_ERR; >-- goto loser; >-- } >-+ rv = loadMechanismList(); >-+ if (rv != SUCCESS) { >-+ return rv; >- } >- >-+ mechFlags = getFlagsFromString(mechanisms, mechanismStrings, >-+ numMechanismStrings); >- mechFlags = SECMOD_PubMechFlagstoInternal(mechFlags); >- >- module = SECMOD_FindModule(moduleName); >-diff -up ./nss/lib/pk11wrap/pk11slot.c.ecc-lists ./nss/lib/pk11wrap/pk11slot.c >---- ./nss/lib/pk11wrap/pk11slot.c.ecc-lists 2013-11-09 09:23:30.000000000 -0800 >-+++ ./nss/lib/pk11wrap/pk11slot.c 2013-12-20 10:29:55.756109883 -0800 >-@@ -32,6 +32,7 @@ >- PK11DefaultArrayEntry PK11_DefaultArray[] = { >- { "RSA", SECMOD_RSA_FLAG, CKM_RSA_PKCS }, >- { "DSA", SECMOD_DSA_FLAG, CKM_DSA }, >-+ { "ECC", SECMOD_ECC_FLAG, CKM_ECDSA }, >- { "DH", SECMOD_DH_FLAG, CKM_DH_PKCS_DERIVE }, >- { "RC2", SECMOD_RC2_FLAG, CKM_RC2_CBC }, >- { "RC4", SECMOD_RC4_FLAG, CKM_RC4 }, >-diff -up ./nss/lib/pk11wrap/secmod.h.ecc-lists ./nss/lib/pk11wrap/secmod.h >---- ./nss/lib/pk11wrap/secmod.h.ecc-lists 2013-11-09 09:23:30.000000000 -0800 >-+++ ./nss/lib/pk11wrap/secmod.h 2013-12-20 10:26:20.881585723 -0800 >-@@ -28,6 +28,7 @@ 
>- #define PUBLIC_MECH_SHA512_FLAG 0x00008000ul
>- #define PUBLIC_MECH_CAMELLIA_FLAG 0x00010000ul
>- #define PUBLIC_MECH_SEED_FLAG 0x00020000ul
>-+#define PUBLIC_MECH_ECC_FLAG 0x00040000ul
>-
>- #define PUBLIC_MECH_RANDOM_FLAG 0x08000000ul
>- #define PUBLIC_MECH_FRIENDLY_FLAG 0x10000000ul
>diff --git a/nss-versus-softoken-tests.patch b/nss-versus-softoken-tests.patch
>deleted file mode 100644
>index e77487d..0000000
>--- a/nss-versus-softoken-tests.patch
>+++ /dev/null
>@@ -1,38 +0,0 @@
>-diff -up nss/tests/all.sh.crypto nss/tests/all.sh
>---- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
>-+++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
>-@@ -299,9 +299,10 @@ fi
>- # created, we check for modutil to know whether the build
>- # is complete. If a new file is created after that, the
>- # following test for modutil should check for that instead.
>-+# Except when building softoken only where shlibsign is the last one built.
>-+export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
>-
>--if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
>-- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
>-+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
>- echo "Build Incomplete. Aborting test." >> ${LOGFILE}
>- html_head "Testing Initialization"
>- Exit "Checking for build"
>-diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
>---- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
>-+++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
>-@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
>- return 0
>- fi
>- cipher_init
>--cipher_main
>--cipher_gcm
>-+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
>-+ echo "Skipping cipher_gcm because this is a softoken only build"
>-+ cipher_main
>-+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
>-+ echo "Skipping cipher_main because this an nss without softoken build"
>-+ cipher_gcm
>-+else
>-+ # default is to run both
>-+ cipher_init
>-+ cipher_main
>-+ cipher_gcm
>-+fi
>- cipher_cleanup
>diff --git a/nss.spec b/nss.spec
>index e5acc89..ec3ec94 100644
>--- a/nss.spec
>+++ b/nss.spec
>@@ -1,7 +1,8 @@
>-%global nspr_version 4.10.2
>-%global nss_util_version 3.15.4
>-%global nss_softokn_fips_version 3.13.4
>-%global nss_softokn_version 3.15.4
>+%global nspr_version 4.10.6
>+%global nss_util_version 3.16.2
>+# adjust to the version that gets submitted for FIPS validation
>+%global nss_softokn_fips_version 3.16.2
>+%global nss_softokn_version 3.16.2
> %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
> %global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
>
>@@ -19,8 +20,8 @@
>
> Summary: Network Security Services
> Name: nss
>-Version: 3.15.4
>-Release: 7%{?dist}
>+Version: 3.16.2
>+Release: 1%{?dist}
> License: MPLv2.0
> URL: http://www.mozilla.org/projects/security/pki/nss/
> Group: System Environment/Libraries
>@@ -83,8 +84,6 @@ Patch25: nsspem-use-system-freebl.patch
> Patch40: nss-3.14.0.0-disble-ocsp-test.patch
> # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
> Patch47: utilwrap-include-templates.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
>-Patch48: nss-versus-softoken-tests.patch
> # TODO remove when we switch to building nss without softoken
> Patch49: nss-skip-bltest-and-fipstest.patch
> # This patch uses the gcc-iquote dir option documented at
>@@ -99,14 +98,8 @@ Patch53: Bug-1001841-disable-sslv2-tests.patch
> Patch55: enable-fips-when-system-is-in-fips-mode.patch
> # rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
> Patch56: p-ignore-setpolicy.patch
>-Patch61: nss-ecc-list-3.15.3.patch
> # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=921684
> Patch62: dont-hold-issuer-cert-handles-in-crl-cache.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=977673
>-Patch63: dont-disable-internal-module.patch
>-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=963150
>-# Remove when we update to nss-3.16.2
>-Patch72: Free-dangling-reference.patch
>
> %description
> Network Security Services (NSS) is a set of libraries designed to
>@@ -192,21 +185,15 @@ low level services.
> %patch25 -p0 -b .systemfreebl
> %patch40 -p0 -b .noocsptest
> %patch47 -p0 -b .templates
>-%patch48 -p0 -b .crypto
> %patch49 -p0 -b .skipthem
> %patch50 -p0 -b .iquote
>-%patch52 -p0 -b .disableSSL2
>-%patch53 -p0 -b .disableSSL2
>-%patch55 -p0 -b .852023
> pushd nss
>-%patch56 -p1 -b .1026677
>+%patch52 -p1 -b .disableSSL2libssl
>+%patch53 -p1 -b .disableSSL2tests
> popd
>-%patch61 -p0 -b .ecc-lists
>+%patch55 -p0 -b .852023
>+%patch56 -p0 -b .1026677
> %patch62 -p0 -b .1034409
>-%patch63 -p0 -b .1056036
>-pushd nss
>-%patch72 -p1 -b .dangling
>-popd
>
> #########################################################
> # Higher-level libraries and test tools need access to
>@@ -224,6 +211,16 @@ done
> %{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
> %{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
>
>+##### Remove util/freebl/softoken and low level tools
>+######## Remove freebl, softoken and util
>+%{__rm} -rf ./nss/lib/freebl
>+%{__rm} -rf ./nss/lib/softoken
>+%{__rm} -rf ./nss/lib/util
>+######## Remove nss-softokn test tools as we already ran
>+# the cipher test suite as part of the nss-softokn build
>+%{__rm} -rf ./nss/cmd/bltest
>+%{__rm} -rf ./nss/cmd/fipstest
>+%{__rm} -rf ./nss/cmd/rsaperf_low
>
> %build
>
>@@ -290,17 +287,6 @@ export USE_64
> # uncomment if the iquote patch is activated
> export IN_TREE_FREEBL_HEADERS_FIRST=1
>
>-##### phase 1: remove util/freebl/softoken and low level tools
>-#
>-######## Remove freebl, softoken and util
>-%{__rm} -rf ./mozilla/security/nss/lib/freebl
>-%{__rm} -rf ./mozilla/security/nss/lib/softoken
>-%{__rm} -rf ./mozilla/security/nss/lib/util
>-######## Remove nss-softokn test tools
>-%{__rm} -rf ./mozilla/security/nss/cmd/bltest
>-%{__rm} -rf ./mozilla/security/nss/cmd/fipstest
>-%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low
>-
> ##### phase 2: build the rest of nss
> # nss supports pluggable ecc
> NSS_ENABLE_ECC=1
>@@ -319,10 +305,9 @@ pushd ./nss
> %{__make} clean_docs build_docs
> popd
>
>-# and copy them here
>-for m in "%{allTools}"; do
>- cp ./nss/doc/nroff/${m}.1 .
>-done
>+# and copy them to the dist directory for %%install to find them
>+%{__mkdir_p} ./dist/doc/nroff
>+%{__cp} ./nss/doc/nroff/* ./dist/doc/nroff
>
> # Set up our package file
> # The nspr_version and nss_{util|softokn}_version globals used
>@@ -384,7 +369,7 @@ done
>
>
> %check
>-if [ $DISABLETEST -eq 1 ]; then
>+if [ ${DISABLETEST:-0} -eq 1 ]; then
> echo "testing disabled"
> exit 0
> fi
>@@ -448,12 +433,12 @@ find ./nss/tests -type f |\
> killall $RANDSERV || :
>
> rm -rf ./tests_results
>-cd ./nss/tests/
>+pushd ./nss/tests/
> # all.sh is the test suite script
>
> # don't need to run all the tests when testing packaging
> # nss_cycles: standard pkix upgradedb sharedb
>-nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
>+nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
> # nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
> # nss_ssl_run: cov auth stress
> #
>@@ -464,19 +449,39 @@ nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge
>
> HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
>
>-cd ../../
>+popd
>
>+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
>+# Grep exits with status greater than 1 if an error ocurred.
>+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
>+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
>+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
> killall $RANDSERV || :
>
>-TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || :
>-# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
>+TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
>+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
>+ echo "okay: test suite detected no failures"
>+else
>+# test suite is failing on arm and has for a while let's run the test suite but make it non fatal on arm
> %ifnarch %{arm}
>-if [ $TEST_FAILURES -ne 0 ]; then
>- echo "error: test suite returned failure(s)"
>- exit 1
>+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
>+ # while a situation in which grep return status is 0 and it doesn't output
>+ # anything shouldn't happen, set the default to something that is
>+ # obviously wrong (-1)
>+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
>+ exit 1
>+ else
>+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
>+ echo "error: grep has not found log file"
>+ exit 1
>+ else
>+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
>+ exit 1
>+ fi
>+ fi
>+%endif
> fi
> echo "test suite completed"
>-%endif
>
> %install
>
>@@ -559,7 +564,7 @@ for f in nss-config setup-nsssysinit; do
> done
> # Copy the man pages for the nss tools
> for f in "%{allTools}"; do
>- install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
>+ install -c -m 644 ./dist/doc/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
> done
> # Copy the man pages for the configuration files
> for f in pkcs11.txt; do
>@@ -769,6 +774,16 @@ fi
>
>
> %changelog
>+* Fri Aug 01 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
>+- Rebase to nss-3.16.2
>+- Resolves: Bug 1124659 - Rebase RHEL 7 to at least NSS 3.16.1 (FF 31)
>+- Fix test failure detection in the %%check section
>+- Move removal of unwanted source directories to the end of the %%prep section
>+- Update various patches on account of the rebase
>+- Remove unused patches rendered obsolete by the rebase
>+- Fix libssl and test patches that disable ssl2 support
>+- Replace expired PayPal test certificate that breaks the build
>+
> * Fri Jul 04 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-7
> - Fix race-condition in certificate validation
> - Resolves: Bug 1116201
>diff --git a/p-ignore-setpolicy.patch b/p-ignore-setpolicy.patch
>index c6632b3..741781d 100644
>--- a/p-ignore-setpolicy.patch
>+++ b/p-ignore-setpolicy.patch
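Review bot: The new `else` branch in the `%check` hunk of nss.spec (`@@ -464,19 +449,39 @@`) is left holding only a comment on ARM, because everything else in it sits between `%ifnarch %{arm}` and `%endif`; a shell `else` followed directly by `fi` is a syntax error, so an ARM build would abort in `%check` rather than treat test failures as non-fatal. Put a command ahead of the conditional, for example `echo "warning: test failures or grep error (grep status ${GREP_EXIT_STATUS:-0})"` on the line right after `else`. On ARM the same branch also lets a grep exit status above 1 pass, so a run that never produced `output.log` would still print "test suite completed"; the missing-log check is worth keeping outside the `%ifnarch` block.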
>@@ -1,31 +1,17 @@
>-diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
>---- a/lib/ssl/sslsock.c
>-+++ b/lib/ssl/sslsock.c
>-@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3
>- rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled);
>- }
>- return rv;
>- }
>-
>- SECStatus
>- NSS_SetDomesticPolicy(void)
>- {
>-- SECStatus status = SECSuccess;
>+diff -up ./nsslib/ssl/sslsock.c.1026677 ./nsslib/ssl/sslsock.c
>+--- ./nss/lib/ssl/sslsock.c.1026677 2014-07-05 08:56:37.137268923 -0700
>++++ ./nss/lib/ssl/sslsock.c 2014-07-05 09:01:20.149518959 -0700
>+@@ -1315,11 +1315,9 @@ NSS_SetDomesticPolicy(void)
> const PRUint16 *cipher;
>
> for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) {
>-- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
>-- if (status != SECSuccess)
>-- break;
>-+ SSL_SetPolicy(*cipher, SSL_ALLOWED);
>+- status = SSL_SetPolicy(*cipher, SSL_ALLOWED);
>+- if (status != SECSuccess)
>+- break;
>++ SSL_SetPolicy(*cipher, SSL_ALLOWED);
> }
> - return status;
> + return SECSuccess;
> }
>
> SECStatus
>- NSS_SetExportPolicy(void)
>- {
>- return NSS_SetDomesticPolicy();
>- }
>-
>diff --git a/sources b/sources
>index 5e4569d..c23aece 100644
>--- a/sources
>+++ b/sources
>@@ -3,9 +3,9 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
> 73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db
> 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
> 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
>-838b7b6e0c3563059f6e77d149666448 PayPalEE.cert
>+c9fefa97dc184a5857f12d938517ed81 PayPalEE.cert
> f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert
> 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert
> ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert
> b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
>-74738d89615665e3547dc2c0602ab0e6 nss-3.15.4.tar.gz
>+afc6789c9d805db5be1e5f3c533394f1 nss-3.16.2.tar.gz
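Review bot: The refreshed p-ignore-setpolicy.patch (`@@ -1,31 +1,17 @@`) still makes `NSS_SetDomesticPolicy` discard the result of `SSL_SetPolicy` and always return `SECSuccess`, with nothing in the patched code saying why, so a caller cannot tell when a cipher suite's policy was not applied. A one-line comment above the call, e.g. `/* rhbz#1026677: SSL_SetPolicy failures are deliberately ignored here */`, would record the intent for the next rebase. The new inner hunk starts at `const PRUint16 *cipher;`, whereas the previous version of the patch also removed `SECStatus status = SECSuccess;`; if that declaration is still present in 3.16.2 it is now left unused, which cannot be confirmed here because the function begins above the hunk. The `diff -up` line also spells the path `./nsslib/ssl/sslsock.c`, unlike the `---`/`+++` lines.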