Hello community,

here is the log from the commit of package mozilla-nss.1536 for openSUSE:12.2:Update checked in at 2013-04-05 13:59:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/mozilla-nss.1536 (Old)
 and /work/SRC/openSUSE:12.2:Update/.mozilla-nss.1536.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss.1536", Maintainer is "" Changes: -------- New Changes file: --- /dev/null 2013-04-05 00:01:41.916011506 +0200 +++ /work/SRC/openSUSE:12.2:Update/.mozilla-nss.1536.new/mozilla-nss.changes 2013-04-05 13:59:22.000000000 +0200 
@@ -0,0 +1,659 @@ +------------------------------------------------------------------- +Sun Mar 24 20:07:59 UTC 2013 - [email protected] + +- disable tests with expired certificates + (nss-disable-expired-testcerts.patch) +- add SEC_PKCS7VerifyDetachedSignatureAtTime using patch from + mozilla tree to fulfill Firefox 21 requirements + (bug-834091.patch; bmo#834091) + +------------------------------------------------------------------- +Thu Feb 28 21:55:49 UTC 2013 - [email protected] + +- update to 3.14.3 + * No new major functionality is introduced in this release. This + release is a patch release to address CVE-2013-1620 (bmo#822365) + * "certutil -a" was not correctly producing ASCII output as + requested. (bmo#840714) + * NSS 3.14.2 broke compilation with older versions of sqlite that + lacked the SQLITE_FCNTL_TEMPFILENAME file control. NSS 3.14.3 now + properly compiles when used with older versions of sqlite + (bmo#837799) - remove system-sqlite.patch +- add aarch64 support + +------------------------------------------------------------------- +Tue Feb 5 12:51:56 UTC 2013 - [email protected] + +- added system-sqlite.patch (bmo#837799) + * do not depend on latest sqlite just for a #define +- enable system sqlite usage again + +------------------------------------------------------------------- +Sat Feb 2 16:05:20 UTC 2013 - [email protected] + +- update to 3.14.2 + * required for Firefox >= 20 + * removed obsolete nssckbi update patch + * MFSA 2013-40/CVE-2013-0791 (bmo#629816) + Out-of-bounds array read in CERT_DecodeCertPackage +- disable system sqlite usage since we depend on 3.7.15 which is + not provided in any openSUSE distribution + * add nss-sqlitename.patch to avoid any name clash + +------------------------------------------------------------------- +Sun Dec 30 17:59:34 UTC 2012 - [email protected] + +- updated CA database (nssckbi-1.93.patch) + * MFSA 2013-20/CVE-2013-0743 (bmo#825022, bnc#796628) + revoke mis-issued intermediate certificates from 
TURKTRUST + +------------------------------------------------------------------- +Tue Dec 18 13:36:09 UTC 2012 - [email protected] + +- update to 3.14.1 RTM + * minimal requirement for Gecko 20 + * several bugfixes + +------------------------------------------------------------------- +Thu Oct 25 12:02:22 UTC 2012 - [email protected] + +- update to 3.14 RTM + * Support for TLS 1.1 (RFC 4346) + * Experimental support for DTLS 1.0 (RFC 4347) and DTLS-SRTP (RFC 5764) + * Support for AES-CTR, AES-CTS, and AES-GCM + * Support for Keying Material Exporters for TLS (RFC 5705) + * Support for certificate signatures using the MD5 hash algorithm + is now disabled by default + * The NSS license has changed to MPL 2.0. Previous releases were + released under a MPL 1.1/GPL 2.0/LGPL 2.1 tri-license. For more + information about MPL 2.0, please see + http://www.mozilla.org/MPL/2.0/FAQ.html. For an additional + explanation on GPL/LGPL compatibility, see security/nss/COPYING + in the source code. + * Export and DES cipher suites are disabled by default. 
Non-ECC + AES and Triple DES cipher suites are enabled by default +- disabled OCSP testcases since they need external network + (nss-disable-ocsp-test.patch) + +------------------------------------------------------------------- +Wed Aug 15 13:57:42 UTC 2012 - [email protected] + +- update to 3.13.6 RTM + * root CA update + * other bugfixes + +------------------------------------------------------------------- +Fri Jun 1 18:46:28 UTC 2012 - [email protected] + +- update to 3.13.5 RTM + +------------------------------------------------------------------- +Fri Apr 13 18:55:57 UTC 2012 - [email protected] + +- update to 3.13.4 RTM + * fixed some bugs + * fixed cert verification regression in PKIX mode (bmo#737802) + introduced in 3.13.2 + +------------------------------------------------------------------- +Thu Feb 23 15:06:34 UTC 2012 - [email protected] + +- update to 3.13.3 RTM + - distrust Trustwave's MITM certificates (bmo#724929) + - fix generic blacklisting mechanism (bmo#727204) + +------------------------------------------------------------------- +Thu Feb 16 08:48:42 UTC 2012 - [email protected] + +- update to 3.13.2 RTM + * requirement with Gecko >= 11 +- removed obsolete patches + * ckbi-1.88 + * pkcs11n-header-fix.patch + +------------------------------------------------------------------- +Sun Dec 18 15:59:08 UTC 2011 - [email protected] + +- fix spec file syntax for qemu-workaround + +------------------------------------------------------------------- +Mon Nov 14 10:13:17 UTC 2011 - [email protected] + +- Added a patch to fix errors in the pkcs11n.h header file. 
+ (bmo#702090) + +------------------------------------------------------------------- +Sat Nov 5 10:58:20 UTC 2011 - [email protected] + +- update to 3.13.1 RTM + * better SHA-224 support (bmo#647706) + * fixed a regression (causing hangs in some situations) + introduced in 3.13 (bmo#693228) +- update to 3.13.0 RTM + * SSL 2.0 is disabled by default + * A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext + attack demonstrated by Rizzo and Duong (CVE-2011-3389) is + enabled by default. Set the SSL_CBC_RANDOM_IV SSL option to + PR_FALSE to disable it. + * SHA-224 is supported + * Ported to iOS. (Requires NSPR 4.9.) + * Added PORT_ErrorToString and PORT_ErrorToName to return the + error message and symbolic name of an NSS error code + * Added NSS_GetVersion to return the NSS version string + * Added experimental support of RSA-PSS to the softoken only + * NSS_NoDB_Init does not try to open /pkcs11.txt and /secmod.db + anymore (bmo#641052, bnc#726096) + +------------------------------------------------------------------- +Sat Nov 5 10:47:51 UTC 2011 - [email protected] + +- explicitely distrust DigiCert Sdn. Bhd (bnc#728520, bmo#698753) +- make sure NSS_NoDB_Init does not try to use wrong certificate + databases (CVE-2011-3640, bnc#726096, bmo#641052) + +------------------------------------------------------------------- +Fri Sep 30 23:27:07 UTC 2011 - [email protected] + +- Workaround qemu-arm bugs. 
+ +------------------------------------------------------------------- +Fri Sep 9 05:44:15 UTC 2011 - [email protected] + +- explicitely distrust/override DigiNotar certs (bmo#683261) + (trustdb version 1.87) + +------------------------------------------------------------------- +Fri Sep 2 14:40:07 UTC 2011 - [email protected] + +- removed DigiNotar root certificate from trusted db + (bmo#682927, bnc#714931) + +------------------------------------------------------------------- +Wed Aug 24 08:37:13 UTC 2011 - [email protected] + +- fixed typo in summary of mozilla-nss (libsoftokn3) + +------------------------------------------------------------------- +Fri Aug 12 20:55:38 UTC 2011 - [email protected] + +- update to 3.12.11 RTM + * no upstream release notes available + +------------------------------------------------------------------- +Wed Jul 13 16:45:23 CEST 2011 - [email protected] + +- Linux3.0 is the new Linux2.6 (make it build) + +------------------------------------------------------------------- +Mon May 23 17:37:34 UTC 2011 - [email protected] + +- Do not include build dates in binaries, messes up + build compare + +------------------------------------------------------------------- +Thu May 19 05:37:02 UTC 2011 - [email protected] + +- update to 3.12.10 RTM + * no changes except internal release information ++++ 462 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.mozilla-nss.1536.new/mozilla-nss.changes New: ---- baselibs.conf bug-834091.patch cert9.db char.patch key4.db malloc.patch mozilla-nss-rpmlintrc mozilla-nss.changes mozilla-nss.spec nss-3.14.3.tar.bz2 nss-config.in nss-disable-expired-testcerts.patch nss-disable-ocsp-test.patch nss-no-rpath.patch nss-opt.patch nss-sqlitename.patch nss.pc.in pkcs11.txt renegotiate-transitional.patch setup-nsssysinit.sh system-nspr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ 
# # spec file for package mozilla-nss # # Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2006-2013 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # %global nss_softokn_fips_version 3.12.4 Name: mozilla-nss BuildRequires: gcc-c++ BuildRequires: mozilla-nspr-devel BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel Version: 3.14.3 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit %endif # Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ # cvs -d :pserver:[email protected]:/cvsroot co -r <RTM_TAG> NSS Source: nss-%{version}.tar.bz2 Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc Source5: baselibs.conf Source6: setup-nsssysinit.sh Source7: cert9.db Source8: key4.db Source9: pkcs11.txt #Source10: PayPalEE.cert Patch1: nss-opt.patch Patch2: system-nspr.patch Patch3: char.patch Patch4: nss-no-rpath.patch Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch Patch9: nss-disable-expired-testcerts.patch Patch10: bug-834091.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libsoftokn3 >= %{nss_softokn_fips_version} Requires: 
mozilla-nss-certs BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %ifnarch %sparc %if ! 0%{?qemu_user_space_build} %define run_testsuite 1 %endif %endif %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package devel Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: libfreebl3 Requires: libsoftokn3 Requires: mozilla-nspr-devel Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit %endif %description devel Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package tools Summary: Tools for developing, debugging, and managing applications that use NSS Group: System/Management PreReq: mozilla-nss >= %{version} %description tools The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. %package sysinit Summary: System NSS Initialization Group: System/Management Requires: mozilla-nss >= %{version} Requires(post): coreutils %description sysinit Default Operation System module that manages applications loading NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules. 
%package -n libfreebl3 Summary: Freebl library for the Network Security Services Group: System/Libraries %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This package installs the freebl library from NSS. %package -n libsoftokn3 Summary: Network Security Services Softoken Module Group: System/Libraries Requires: libfreebl3 = %{version}-%{release} %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. Network Security Services Softoken Cryptographic Module %package certs Summary: CA certificates for NSS Group: Productivity/Networking/Security %description certs This package contains the integrated CA root certificates from the Mozilla project. %prep %setup -n nss-%{version} -q cd mozilla %patch1 %patch2 %patch3 %patch4 %patch5 %if %suse_version > 1110 %patch6 %endif %patch7 %patch8 %patch9 %patch10 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{_sourcedir}/%{name}.changes")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" find . 
-name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + cd mozilla/security/nss export FREEBL_NO_DEPEND=1 export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export LIBDIR=%{_libdir} %ifarch x86_64 s390x ppc64 ia64 aarch64 export USE_64=1 %endif export NSS_USE_SYSTEM_SQLITE=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1 NSS_ENABLE_ECC=1" make nss_build_all $MAKE_FLAGS # run testsuite %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" export DOMSUF=" " export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests ./all.sh if grep "FAILED" ../../../tests_results/security/localhost.1/output.log ; then echo "Testsuite FAILED" exit 1 fi %endif %install mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{nssdbdir} pushd mozilla/dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 # copy dynamic libs cp -L lib/libnss3.so \ lib/libnssdbm3.so \ lib/libnssdbm3.chk \ lib/libnssutil3.so \ lib/libnssckbi.so \ lib/libnsssysinit.so \ lib/libsmime3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ lib/libssl3.so \ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} # copy static libs cp -L lib/libcrmf.a \ lib/libnssb.a \ lib/libnssckfw.a \ $RPM_BUILD_ROOT%{_libdir} # copy tools cp -L bin/certutil \ bin/cmsutil \ bin/crlutil \ bin/modutil \ bin/pk12util \ bin/signtool \ bin/signver \ bin/ssltap \ $RPM_BUILD_ROOT%{_bindir} # copy unsupported tools cp -L bin/atob \ bin/btoa \ bin/derdump \ bin/ocspclnt \ bin/pp \ bin/selfserv \ bin/shlibsign \ bin/strsclnt \ bin/symkeyutil \ bin/tstclnt \ bin/vfyserv \ 
bin/vfychain \ $RPM_BUILD_ROOT%{_libexecdir}/nss # prepare pkgconfig file mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ sed "s:%%LIBDIR%%:%{_libdir}:g s:%%VERSION%%:%{version}:g s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd NSS_VMAJOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMINOR=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VPATCH=`cat mozilla/security/nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config # setup-nsssysinfo.sh install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ # create empty NSS database #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null #chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* #sed "s:%{buildroot}::g #s/^library=$/library=libnsssysinit.so/ #/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ # $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed # mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # copy empty NSS database install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} # create shlib sigs after extracting debuginfo %define __spec_install_post \ 
%{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ %{nil} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %post -n libfreebl3 -p /sbin/ldconfig %postun -n libfreebl3 -p /sbin/ldconfig %post -n libsoftokn3 -p /sbin/ldconfig %postun -n libsoftokn3 -p /sbin/ldconfig %post sysinit /sbin/ldconfig # make sure the current config is enabled %{_sbindir}/setup-nsssysinit.sh on %preun sysinit if [ $1 = 0 ]; then %{_sbindir}/setup-nsssysinit.sh off fi %postun sysinit -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) %{_libdir}/libnss3.so %{_libdir}/libnssutil3.so %{_libdir}/libsmime3.so %{_libdir}/libssl3.so #%{_libdir}/libnsssqlite3.so %files devel %defattr(644, root, root, 755) %{_includedir}/nss3/ %{_libdir}/*.a %{_libdir}/pkgconfig/* %attr(755,root,root) %{_bindir}/nss-config %files tools %defattr(-, root, root) %{_bindir}/* %exclude %{_sbindir}/setup-nsssysinit.sh %{_libexecdir}/nss/ %exclude %{_bindir}/nss-config %files sysinit %defattr(-, root, root) %dir %{_sysconfdir}/pki %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %{_sysconfdir}/pki/nssdb/* %{_libdir}/libnsssysinit.so %{_sbindir}/setup-nsssysinit.sh %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk %files -n libsoftokn3 %defattr(-, root, root) %{_libdir}/libsoftokn3.so %{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %files certs %defattr(-, root, root) %{_libdir}/libnssckbi.so %changelog ++++++ baselibs.conf 
++++++ mozilla-nss requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "mozilla-nss-certs-<targettype>" libsoftokn3 requires "libfreebl3-<targettype> = <version>" +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 +/lib/libfreebl3.chk mozilla-nss-sysinit mozilla-nss-certs ++++++ bug-834091.patch ++++++ Index: security/nss/lib/pkcs7/p7decode.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/p7decode.c,v retrieving revision 1.31 diff -u -8 -p -r1.31 p7decode.c --- security/nss/lib/pkcs7/p7decode.c 12 Dec 2012 19:25:36 -0000 1.31 +++ security/nss/lib/pkcs7/p7decode.c 25 Jan 2013 23:22:54 -0000 @@ -1276,17 +1276,18 @@ SEC_PKCS7ContentIsSigned(SEC_PKCS7Conten * there should be NO authenticatedAttributes (signerinfo->authAttr should * be NULL). */ static PRBool sec_pkcs7_verify_signature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, - PRBool keepcerts) + PRBool keepcerts, + PRTime atTime) { SECAlgorithmID **digestalgs, *bulkid; const SECItem *digest; SECItem **digests; SECItem **rawcerts; CERTSignedCrl **crls; SEC_PKCS7SignerInfo **signerinfos, *signerinfo; CERTCertificate *cert, **certs; @@ -1294,17 +1295,18 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont CERTCertDBHandle *certdb, *defaultdb; SECOidTag encTag,digestTag; HASH_HashType found_type; int i, certcount; SECKEYPublicKey *publickey; SECItem *content_type; PK11SymKey *sigkey; SECItem *encoded_stime; - int64 stime; + PRTime stime; + PRTime verificationTime; SECStatus rv; /* * Everything needed in order to "goto done" safely. */ goodsig = PR_FALSE; certcount = 0; cert = NULL; 
@@ -1431,18 +1433,20 @@ sec_pkcs7_verify_signature(SEC_PKCS7Cont /* * XXX This uses the signing time, if available. Additionally, we * might want to, if there is no signing time, get the message time * from the mail header itself, and use that. That would require * a change to our interface though, and for S/MIME callers to pass * in a time (and for non-S/MIME callers to pass in nothing, or * maybe make them pass in the current time, always?). */ + verificationTime = atTime ? atTime + : (encoded_stime ? stime : PR_Now()); if (CERT_VerifyCert (certdb, cert, PR_TRUE, certusage, - encoded_stime != NULL ? stime : PR_Now(), + verificationTime, cinfo->pwfn_arg, NULL) != SECSuccess) { /* * XXX Give the user an option to check the signature anyway? * If we want to do this, need to give a way to leave and display * some dialog and get the answer and come back through (or do * the rest of what we do below elsewhere, maybe by putting it * in a function that we call below and could call from a dialog @@ -1752,17 +1756,17 @@ done: * into our local database. */ PRBool SEC_PKCS7VerifySignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, PRBool keepcerts) { return sec_pkcs7_verify_signature (cinfo, certusage, - NULL, HASH_AlgNULL, keepcerts); + NULL, HASH_AlgNULL, keepcerts, 0); } /* * SEC_PKCS7VerifyDetachedSignature * Look at a PKCS7 contentInfo and check if the signature matches * a passed-in digest (calculated, supposedly, from detached contents). * The verification checks that the signing cert is valid and trusted * for the purpose specified by "certusage". 
@@ -1774,19 +1778,44 @@ PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, PRBool keepcerts) { return sec_pkcs7_verify_signature (cinfo, certusage, detached_digest, digest_type, - keepcerts); + keepcerts, 0); } +/* + * SEC_PKCS7VerifyDetachedSignatureAtTime + * Look at a PKCS7 contentInfo and check if the signature matches + * a passed-in digest (calculated, supposedly, from detached contents). + * The verification checks that the signing cert is valid and trusted + * for the purpose specified by "certusage" at time "atTime" + * if "atTime" is non-zero, or at the current time (as returned by + * PR_Now) otherwise. + */ +PRBool +SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts, + PRTime atTime) +{ + if (!atTime) { + atTime = PR_Now(); + } + + return sec_pkcs7_verify_signature (cinfo, certusage, + detached_digest, digest_type, + keepcerts, atTime); +} /* * Return the asked-for portion of the name of the signer of a PKCS7 * signed object. * * Returns a pointer to allocated memory, which must be freed. * A NULL return value is an error. */ 
@@ -1839,17 +1868,17 @@ sec_pkcs7_get_signer_cert_info(SEC_PKCS7 */ if (signercert == NULL) { /* * The cert usage does not matter in this case, because we do not * actually care about the verification itself, but we have to pick * some valid usage to pass in. */ (void) sec_pkcs7_verify_signature (cinfo, certUsageEmailSigner, - NULL, HASH_AlgNULL, PR_FALSE); + NULL, HASH_AlgNULL, PR_FALSE, 0); signercert = signerinfos[0]->cert; if (signercert == NULL) return NULL; } switch (selector) { case sec_common_name: container = CERT_GetCommonName (&signercert->subject); Index: security/nss/lib/pkcs7/secpkcs7.h =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/pkcs7/secpkcs7.h,v retrieving revision 1.10 diff -u -8 -p -r1.10 secpkcs7.h --- security/nss/lib/pkcs7/secpkcs7.h 27 Nov 2012 22:48:08 -0000 1.10 +++ security/nss/lib/pkcs7/secpkcs7.h 25 Jan 2013 23:22:54 -0000 
@@ -128,16 +128,33 @@ extern PRBool SEC_PKCS7VerifySignature(S * into our local database. */ extern PRBool SEC_PKCS7VerifyDetachedSignature(SEC_PKCS7ContentInfo *cinfo, SECCertUsage certusage, const SECItem *detached_digest, HASH_HashType digest_type, PRBool keepcerts); + +/* + * SEC_PKCS7VerifyDetachedSignatureAtTime + * Look at a PKCS7 contentInfo and check if the signature matches + * a passed-in digest (calculated, supposedly, from detached contents). + * The verification checks that the signing cert is valid and trusted + * for the purpose specified by "certusage" at time "atTime" + * if "atTime" is non-zero, or at the current time (as returned by + * PR_Now) otherwise. + */ +extern PRBool SEC_PKCS7VerifyDetachedSignatureAtTime(SEC_PKCS7ContentInfo *cinfo, + SECCertUsage certusage, + const SECItem *detached_digest, + HASH_HashType digest_type, + PRBool keepcerts, + PRTime atTime); + /* * SEC_PKCS7GetSignerCommonName, SEC_PKCS7GetSignerEmailAddress * The passed-in contentInfo is espected to be Signed, and these * functions return the specified portion of the full signer name. * * Returns a pointer to allocated memory, which must be freed. * A NULL return value is an error. */ Index: security/nss/lib/smime/smime.def =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/smime/smime.def,v retrieving revision 1.39 diff -u -8 -p -r1.39 smime.def --- security/nss/lib/smime/smime.def 25 Apr 2012 14:50:09 -0000 1.39 +++ security/nss/lib/smime/smime.def 25 Jan 2013 23:22:54 -0000 
@@ -262,8 +262,14 @@ NSS_Get_NSS_PointerToCMSGenericWrapperDa ;+ *; ;+}; ;+NSS_3.13 { # NSS 3.13 release ;+ global: NSSSMIME_GetVersion; ;+ local: ;+ *; ;+}; +;+NSS_3.14.3 { # NSS 3.14.3 release +;+ global: +SEC_PKCS7VerifyDetachedSignatureAtTime; +;+ local: +;+ *; +;+}; ++++++ char.patch ++++++ Index: security/nss/cmd/modutil/install-ds.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/modutil/install-ds.c,v retrieving revision 1.2 diff -u -p -6 -r1.2 install-ds.c --- security/nss/cmd/modutil/install-ds.c 25 Apr 2004 15:02:47 -0000 1.2 +++ security/nss/cmd/modutil/install-ds.c 5 Feb 2007 06:57:38 -0000 @@ -249,13 +249,13 @@ Pk11Install_File_Generate(Pk11Install_Fi if(!subval || (subval->type != STRING_VALUE)){ errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS], _this->jarPath); goto loser; } _this->permissions = (int) strtol(subval->string, &endp, 8); - if(*endp != '\0' || subval->string == "\0") { + if(*endp != '\0' || subval->string[0] == '\0') { errStr = PR_smprintf(errString[BOGUS_FILE_PERMISSIONS], _this->jarPath); goto loser; } gotPerms = PR_TRUE; Pk11Install_ListIter_delete(subiter); ++++++ malloc.patch ++++++ Index: security/nss/tests/ssl/ssl.sh =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v retrieving revision 1.100 diff -u -r1.100 ssl.sh --- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100 +++ security/nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 
@@ -974,6 +974,7 @@ ################################# main ################################# +unset MALLOC_CHECK_ ssl_init ssl_run_tests ssl_cleanup ++++++ mozilla-nss-rpmlintrc ++++++ addFilter("shlib-policy-name-error") addFilter("shlib-policy-missing-lib") addFilter("shlib-policy-missing-suffix") addFilter("shlib-unversioned-lib") addFilter("shlib-fixed-dependency") ++++++ nss-config.in ++++++ #!/bin/sh prefix=@prefix@ major_version=@MOD_MAJOR_VERSION@ minor_version=@MOD_MINOR_VERSION@ patch_version=@MOD_PATCH_VERSION@ usage() { cat <<EOF Usage: nss-config [OPTIONS] [LIBRARIES] Options: [--prefix[=DIR]] [--exec-prefix[=DIR]] [--includedir[=DIR]] [--libdir[=DIR]] [--version] [--libs] [--cflags] Dynamic Libraries: nss ssl smime EOF exit $1 } if test $# -eq 0; then usage 1 1>&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) echo ${major_version}.${minor_version}.${patch_version} ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=@exec_prefix@ fi if test -z "$includedir"; then includedir=@includedir@ fi if test -z "$libdir"; then libdir=@libdir@ fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo $exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo 
-I$includedir fi if test "$echo_libs" = "yes"; then libdirs="-Wl,-rpath-link,$libdir -L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl${major_version}" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime${major_version}" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss${major_version}" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil${major_version}" fi echo $libdirs fi ++++++ nss-disable-expired-testcerts.patch ++++++ Index: security/nss/tests/chains/scenarios/realcerts.cfg =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/realcerts.cfg,v retrieving revision 1.4 diff -u -r1.4 realcerts.cfg --- security/nss/tests/chains/scenarios/realcerts.cfg 20 Mar 2012 14:47:29 -0000 1.4 +++ security/nss/tests/chains/scenarios/realcerts.cfg 3 Apr 2013 07:39:49 -0000 @@ -14,15 +14,15 @@ import PayPalEE:x: import BrAirWaysBadSig:x: -verify TestUser50:x - result pass +#verify TestUser50:x +# result pass -verify TestUser51:x - result pass +#verify TestUser51:x +# result pass -verify PayPalEE:x - policy OID.2.16.840.1.113733.1.7.23.6 - result pass +#verify PayPalEE:x +# policy OID.2.16.840.1.113733.1.7.23.6 +# result pass verify BrAirWaysBadSig:x result fail ++++++ nss-disable-ocsp-test.patch ++++++ Index: security/nss/tests/chains/scenarios/scenarios =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/scenarios,v retrieving revision 1.10 diff -u -r1.10 scenarios --- security/nss/tests/chains/scenarios/scenarios 7 Jan 2013 03:56:15 -0000 1.10 +++ security/nss/tests/chains/scenarios/scenarios 28 Jan 2013 18:11:16 -0000 
@@ -50,6 +50,5 @@ realcerts.cfg dsa.cfg revoc.cfg -ocsp.cfg crldp.cfg trustanchors.cfg ++++++ nss-no-rpath.patch ++++++ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v retrieving revision 1.71 diff -u -p -6 -r1.71 platlibs.mk --- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 +++ security/nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 @@ -15,15 +15,15 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif endif ifeq ($(OS_ARCH), Linux) ifeq ($(USE_64), 1) -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' else -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' endif endif endif # BUILD_SUN_PKG ifdef NSS_DISABLE_DBM ++++++ nss-opt.patch ++++++ Index: security/coreconf/Linux.mk =================================================================== RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v retrieving revision 1.45.2.1 diff -u -r1.45.2.1 Linux.mk --- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1 +++ security/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 
@@ -112,11 +112,7 @@ endif ifdef BUILD_OPT -ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) - OPTIMIZER = -Os -else - OPTIMIZER = -O2 -endif + OPTIMIZER = $(OPT_FLAGS) ifdef MOZ_DEBUG_SYMBOLS ifdef MOZ_DEBUG_FLAGS OPTIMIZER += $(MOZ_DEBUG_FLAGS) ++++++ nss-sqlitename.patch ++++++ Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v retrieving revision 1.5 diff -u -r1.5 manifest.mn --- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5 +++ security/nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 @@ -6,9 +6,10 @@ MODULE = nss -LIBRARY_NAME = sqlite +LIBRARY_NAME = nsssqlite LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/sqlite.def +MAPFILE_SOURCE = sqlite.def DEFINES += -DSQLITE_THREADSAFE=1 EXPORTS = \ ++++++ nss.pc.in ++++++ prefix=/usr exec_prefix=${prefix} libdir=%LIBDIR% includedir=${prefix}/include/nss3 Name: NSS Description: Network Security Services Version: %VERSION% Requires: nspr >= %NSPR_VERSION% Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3 Cflags: -I${includedir} ++++++ pkcs11.txt ++++++ library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) ++++++ renegotiate-transitional.patch ++++++ Index: security/nss/lib/ssl/sslsock.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslsock.c,v retrieving revision 1.96 diff -u -p -6 -r1.96 sslsock.c --- security/nss/lib/ssl/sslsock.c 24 Sep 2012 23:57:42 -0000 1.96 +++ security/nss/lib/ssl/sslsock.c 25 Oct 2012 12:08:56 -0000 
@@ -147,13 +147,13 @@ static sslOptions ssl_defaults = { PR_TRUE, /* detectRollBack */ PR_FALSE, /* noStepDown */ PR_FALSE, /* bypassPKCS11 */ PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ + 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE /* cbcRandomIV */ }; /* ++++++ setup-nsssysinit.sh ++++++ #!/bin/sh # # Turns on or off the nss-sysinit module db by editing the # global PKCS #11 congiguration file. # # This script can be invoked by the user as super user. # It is invoked at nss-sysinit post install time with argument on # and at nss-sysinit pre uninstall with argument off. # usage() { cat <<EOF Usage: setup-nsssysinit [on|off] on - turns on nsssysinit off - turns off nsssysinit EOF exit $1 } # validate if test $# -eq 0; then usage 1 1>&2 fi # the system-wide configuration file p11conf="/etc/pki/nssdb/pkcs11.txt" # must exist, otherwise report it and exit with failure if [ ! -f $p11conf ]; then echo "Could not find ${p11conf}" exit 1 fi on="1" case "$1" in on | ON ) cat ${p11conf} | \ sed -e 's/^library=$/library=libnsssysinit.so/' \ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ ${p11conf}.on mv ${p11conf}.on ${p11conf} ;; off | OFF ) if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then exit 0 fi cat ${p11conf} | \ sed -e 's/^library=libnsssysinit.so/library=/' \ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ ${p11conf}.off mv ${p11conf}.off ${p11conf} ;; * ) usage 1 1>&2 ;; esac ++++++ system-nspr.patch ++++++ Index: security/nss/Makefile =================================================================== RCS file: /cvsroot/mozilla/security/nss/Makefile,v retrieving revision 1.36 diff -u -p -r1.36 Makefile --- security/nss/Makefile 2 Dec 2008 23:24:39 -0000 1.36 +++ security/nss/Makefile 23 Nov 2009 16:19:04 -0000 
@@ -78,7 +78,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### -nss_build_all: build_coreconf build_nspr build_dbm all +nss_build_all: build_coreconf build_dbm all nss_clean_all: clobber_coreconf clobber_nspr clobber_dbm clobber
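Review bot: The added `unset MALLOC_CHECK_` directly before `ssl_init` in the `@@ -974,6 +974,7 @@` hunk drops any glibc heap consistency checking the build environment had enabled for the whole SSL test run, and the patch gives no reason for it. If one specific test binary trips the checker, scope the unset to that invocation and add a comment naming the failure, so heap errors elsewhere in `ssl_run_tests` are still caught.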
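Review bot: In nss-disable-expired-testcerts.patch, commenting out all three `verify ... result pass` blocks (TestUser50, TestUser51, PayPalEE) leaves `verify BrAirWaysBadSig:x` with `result fail` as the only verification visible in this hunk, so the scenario can no longer tell a working verifier from one that rejects every chain. The PayPalEE block was also the one that exercised `policy OID.2.16.840.1.113733.1.7.23.6`, and `import PayPalEE:x:` is still performed with nothing consuming it. Prefer refreshing the test certificates; if the blocks must stay disabled, add a comment in realcerts.cfg with the reason so they are re-enabled later.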
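Review bot: In nss-disable-ocsp-test.patch, removing `ocsp.cfg` from the scenarios list takes the OCSP chain tests out of the package build without any reason recorded in the patch. Add a header comment stating why the scenario cannot run in this build (and the upstream bug, if one exists), so the loss of revocation-checking coverage is a documented decision rather than a silent one.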
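Review bot: In nss-opt.patch, `OPTIMIZER = $(OPT_FLAGS)` has no fallback, so a `BUILD_OPT` build where `OPT_FLAGS` is unset gets an empty `OPTIMIZER` instead of the previous `-O2`. The hunk also drops the `ALLOW_OPT_CODE_SIZE`/`OPT_CODE_SIZE` switch to `-Os` without comment. Suggest keeping a default, for example `OPT_FLAGS ?= -O2` ahead of the assignment, and noting in the patch header that the flags are expected to come from the spec file.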
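Review bot: In renegotiate-transitional.patch, the `ssl_defaults` entry changes from `2` to `3` but the trailing comment still reads `/* enableRenegotiation (default: requires extension) */`, which now describes the old value. Use the named constant `SSL_RENEGOTIATE_TRANSITIONAL` instead of the bare `3` and update the comment. Since this relaxes the library-wide default for every application linked against the package while `requireSafeNegotiation` stays `PR_FALSE`, the reason for shipping the transitional mode belongs in the patch header too.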
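Review bot: In setup-nsssysinit.sh, both branches pipe `sed` into `${p11conf}.on` or `${p11conf}.off` and then `mv` that file over `/etc/pki/nssdb/pkcs11.txt` without checking that `sed` succeeded, so a failed or interrupted run can replace the system-wide PKCS #11 configuration with an empty or truncated file. Chain the steps (`sed ... > tmp && mv tmp "$p11conf"`) and quote the variable expansions. The off branch's `[ ! \`grep ...\` ]` test is fragile for the same quoting reason; `grep -q` with a direct exit-status test is the safer form. The `on="1"` assignment is unused and can go.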
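Review bot: In system-nspr.patch, `build_nspr` is removed from `nss_build_all` but `nss_clean_all` on the next line still lists `clobber_nspr`, so the clean target continues to reach for an NSPR tree this build no longer uses. Drop `clobber_nspr` from `nss_clean_all` in the same hunk to keep the two targets consistent.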
