[nss-softokn/f16] - Downgrading to 3.12.9 for a merge into new RHEL git repo - Disabling the test suite temporarily -
Elio Maldonado
emaldonado at fedoraproject.org
Fri Dec 2 22:11:59 UTC 2011
commit 14256fc91e217ae54b8e8894191b67df31fb4912
Author: Elio Maldonado <emaldona at redhat.com>
Date: Fri Dec 2 14:11:02 2011 -0800
- Downgrading to 3.12.9 for a merge into new RHEL git repo
- Disabling the test suite temporarily
- Add this build to the buildroot for a limited time only
- Do not push it to update-testing
- This build matches nss-softokn 3.12.9 from RHEL 6.2
- This is the softokn submitted for a minor FIPS 140 revalidation
.gitignore | 1 +
add-relro-linker-option.patch | 16 +
drbg.patch | 481 +++++++++++++++++++
linux3.patch | 31 ++
nss-softokn-3.12.4-fips-fix.patch | 11 +
nss-softokn-3.12.4-prelink.patch | 32 +-
nss-softokn-710298.patch | 14 +
nss-softokn-748524.patch | 157 ++++++
nss-softokn.spec | 68 ++-
softoken-minimal-test-dependencies.patch | 774 ++++++++++++++++++++++--------
sources | 1 +
11 files changed, 1365 insertions(+), 221 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 2c62a64..8cffd6d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
+nss-softokn-3.12.9-stripped.tar.bz2
nss-softokn-3.13.1-stripped.tar.bz2
diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch
new file mode 100644
index 0000000..05758f7
--- /dev/null
+++ b/add-relro-linker-option.patch
@@ -0,0 +1,16 @@
+diff -up mozilla/security/coreconf/Linux.mk.relro mozilla/security/coreconf/Linux.mk
+--- mozilla/security/coreconf/Linux.mk.relro 2010-08-12 18:32:29.000000000 -0700
++++ mozilla/security/coreconf/Linux.mk 2011-09-27 16:12:22.234743170 -0700
+@@ -179,6 +179,12 @@ FREEBL_NO_DEPEND = 1
+ endif
+ endif
+
++# harden DSOs/executables a bit against exploits
++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))
++DSO_LDOPTS+=-Wl,-z,relro
++LDFLAGS += -Wl,-z,relro
++endif
++
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
+
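Review bot: The added `-Wl,-z,relro` in the new `ifeq` block gives only partial RELRO, because the lazily bound part of the GOT stays writable unless `-z now` is passed as well. If the start-up cost of eager binding is acceptable for these libraries, consider `DSO_LDOPTS += -Wl,-z,relro -Wl,-z,now` and the same for `LDFLAGS`. The guard compares release strings through `$(sort ...)`, which orders them lexically, so confirm it still selects this block for every `OS_RELEASE` value the build hosts report. A skipped block drops the hardening without any message.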
diff --git a/drbg.patch b/drbg.patch
new file mode 100644
index 0000000..9f120d1
--- /dev/null
+++ b/drbg.patch
@@ -0,0 +1,481 @@
+Index: ./mozilla/security/nss/lib/freebl/drbg.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/freebl/drbg.c,v
+retrieving revision 1.9
+diff -u -p -r1.9 drbg.c
+--- ./mozilla/security/nss/lib/freebl/drbg.c 10 Jun 2009 03:24:01 -0000 1.9
++++ ./mozilla/security/nss/lib/freebl/drbg.c 24 Oct 2011 23:59:03 -0000
+@@ -67,7 +67,6 @@ static const PRInt64 PRNG_MAX_ADDITIONAL
+ * PRNG_MAX_ADDITIONAL_BYTES
+ */
+
+-
+ /* RESEED_COUNT is how many calls to the prng before we need to reseed
+ * under normal NIST rules, you must return an error. In the NSS case, we
+ * self-reseed with RNG_SystemRNG(). Count can be a large number. For code
+@@ -192,8 +191,14 @@ prng_Hash_df(PRUint8 *requested_bytes, u
+ * normal operation, NSS calculates them all together in a single call.
+ */
+ static SECStatus
+-prng_instantiate(RNGContext *rng, PRUint8 *bytes, unsigned int len)
++prng_instantiate(RNGContext *rng, const PRUint8 *bytes, unsigned int len)
+ {
++ if (len < PRNG_SEEDLEN) {
++ /* if the seedlen is to small, it's probably because we failed to get
++ * enough random data */
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
+ prng_Hash_df(V(rng), VSize(rng), bytes, len, NULL, 0);
+ rng->V_type = prngCGenerateType;
+ prng_Hash_df(rng->C,sizeof rng->C,rng->V_Data,sizeof rng->V_Data,NULL,0);
+@@ -209,8 +214,7 @@ prng_instantiate(RNGContext *rng, PRUint
+ *
+ * If entropy is NULL, it is fetched from the noise generator.
+ */
+-static
+-SECStatus
++static SECStatus
+ prng_reseed(RNGContext *rng, const PRUint8 *entropy, unsigned int entropy_len,
+ const PRUint8 *additional_input, unsigned int additional_input_len)
+ {
+@@ -233,6 +237,12 @@ prng_reseed(RNGContext *rng, const PRUin
+ PORT_Memcpy(&noise[sizeof rng->V_Data],entropy, entropy_len);
+ }
+
++ if (entropy_len < 256/PR_BITS_PER_BYTE) {
++ /* noise == &noiseData[0] at this point, so nothing to free */
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
++
+ rng->V_type = prngReseedType;
+ PORT_Memcpy(noise, rng->V_Data, sizeof rng->V_Data);
+ prng_Hash_df(V(rng), VSize(rng), noise, (sizeof rng->V_Data) + entropy_len,
+@@ -249,6 +259,29 @@ prng_reseed(RNGContext *rng, const PRUin
+ return SECSuccess;
+ }
+
++SECStatus PRNGTEST_RunHealthTests();
++
++/*
++ * SP 800-90 requires we rerun our health tests on reseed
++ */
++static SECStatus
++prng_reseed_test(RNGContext *rng, const PRUint8 *entropy,
++ unsigned int entropy_len, const PRUint8 *additional_input,
++ unsigned int additional_input_len)
++{
++ SECStatus rv;
++
++ /* do health checks in FIPS mode */
++ rv = PRNGTEST_RunHealthTests();
++ if (rv != SECSuccess) {
++ /* error set by PRNGTEST_RunHealTests() */
++ rng->isValid = PR_FALSE;
++ return SECFailure;
++ }
++ return prng_reseed(rng, entropy, entropy_len,
++ additional_input, additional_input_len);
++}
++
+ /*
+ * build some fast inline functions for adding.
+ */
+@@ -380,6 +413,8 @@ static PRStatus rng_init(void)
+ {
+ PRUint8 bytes[PRNG_SEEDLEN*2]; /* entropy + nonce */
+ unsigned int numBytes;
++ SECStatus rv = SECSuccess;
++
+ if (globalrng == NULL) {
+ /* bytes needs to have enough space to hold
+ * a SHA256 hash value. Blow up at compile time if this isn't true */
+@@ -403,9 +438,9 @@ static PRStatus rng_init(void)
+ * prng_instantiate gets a new clean state, we want to mix
+ * any previous entropy we may have collected */
+ if (V(globalrng)[0] == 0) {
+- prng_instantiate(globalrng, bytes, numBytes);
++ rv = prng_instantiate(globalrng, bytes, numBytes);
+ } else {
+- prng_reseed(globalrng, bytes, numBytes, NULL, 0);
++ rv = prng_reseed_test(globalrng, bytes, numBytes, NULL, 0);
+ }
+ memset(bytes, 0, numBytes);
+ } else {
+@@ -414,6 +449,10 @@ static PRStatus rng_init(void)
+ globalrng = NULL;
+ return PR_FAILURE;
+ }
++
++ if (rv != SECSuccess) {
++ return PR_FAILURE;
++ }
+ /* the RNG is in a valid state */
+ globalrng->isValid = PR_TRUE;
+
+@@ -520,7 +559,7 @@ RNG_RandomUpdate(const void *data, size_
+ /* if we're passed more than our additionalDataCache, simply
+ * call reseed with that data */
+ if (bytes > sizeof (globalrng->additionalDataCache)) {
+- rv = prng_reseed(globalrng, NULL, 0, data, (unsigned int) bytes);
++ rv = prng_reseed_test(globalrng, NULL, 0, data, (unsigned int) bytes);
+ /* if we aren't going to fill or overflow the buffer, just cache it */
+ } else if (bytes < ((sizeof globalrng->additionalDataCache)
+ - globalrng->additionalAvail)) {
+@@ -545,7 +584,8 @@ RNG_RandomUpdate(const void *data, size_
+ bytes -= bufRemain;
+ }
+ /* reseed from buffer */
+- rv = prng_reseed(globalrng, NULL, 0, globalrng->additionalDataCache,
++ rv = prng_reseed_test(globalrng, NULL, 0,
++ globalrng->additionalDataCache,
+ sizeof globalrng->additionalDataCache);
+
+ /* copy the rest into the cache */
+@@ -584,7 +624,7 @@ prng_GenerateGlobalRandomBytes(RNGContex
+ * don't produce any data.
+ */
+ if (rng->reseed_counter[0] >= RESEED_VALUE) {
+- rv = prng_reseed(rng, NULL, 0, NULL, 0);
++ rv = prng_reseed_test(rng, NULL, 0, NULL, 0);
+ PZ_Unlock(rng->lock);
+ if (rv != SECSuccess) {
+ return rv;
+@@ -641,7 +681,7 @@ RNG_RNGShutdown(void)
+ PORT_Assert(globalrng != NULL);
+ if (globalrng == NULL) {
+ /* Should set a "not initialized" error code. */
+- PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return;
+ }
+ /* clear */
+@@ -669,9 +709,17 @@ PRNGTEST_Instantiate(const PRUint8 *entr
+ const PRUint8 *personal_string, unsigned int ps_len)
+ {
+ int bytes_len = entropy_len + nonce_len + ps_len;
+- PRUint8 *bytes = PORT_Alloc(bytes_len);
++ PRUint8 *bytes = NULL;
++ SECStatus rv;
+
++ if (entropy_len < 256/PR_BITS_PER_BYTE) {
++ PORT_SetError(SEC_ERROR_NEED_RANDOM);
++ return SECFailure;
++ }
++
++ bytes = PORT_Alloc(bytes_len);
+ if (bytes == NULL) {
++ PORT_SetError(SEC_ERROR_NO_MEMORY);
+ return SECFailure;
+ }
+ /* concatenate the various inputs, internally NSS only instantiates with
+@@ -687,9 +735,12 @@ PRNGTEST_Instantiate(const PRUint8 *entr
+ } else {
+ PORT_Assert(ps_len == 0);
+ }
+- prng_instantiate(&testContext, bytes, bytes_len);
+- testContext.isValid = PR_TRUE;
++ rv = prng_instantiate(&testContext, bytes, bytes_len);
+ PORT_ZFree(bytes, bytes_len);
++ if (rv == SECFailure) {
++ return SECFailure;
++ }
++ testContext.isValid = PR_TRUE;
+ return SECSuccess;
+ }
+
+@@ -701,6 +752,13 @@ PRNGTEST_Reseed(const PRUint8 *entropy,
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
++ /* This magic input tells us to set the reseed count to it's max count,
++ * so we can simulate PRNGTEST_Generate reaching max reseed count */
++ if ((entropy == NULL) && (entropy_len == 0) &&
++ (additional == NULL) && (additional_len == 0)) {
++ testContext.reseed_counter[0] = RESEED_VALUE;
++ return SECSuccess;
++ }
+ return prng_reseed(&testContext, entropy, entropy_len, additional,
+ additional_len);
+
+@@ -710,10 +768,18 @@ SECStatus
+ PRNGTEST_Generate(PRUint8 *bytes, unsigned int bytes_len,
+ const PRUint8 *additional, unsigned int additional_len)
+ {
++ SECStatus rv;
+ if (!testContext.isValid) {
+ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
+ return SECFailure;
+ }
++ /* replicate reseed test from prng_GenerateGlobalRandomBytes */
++ if (testContext.reseed_counter[0] >= RESEED_VALUE) {
++ rv = prng_reseed(&testContext, NULL, 0, NULL, 0);
++ if (rv != SECSuccess) {
++ return rv;
++ }
++ }
+ return prng_generateNewBytes(&testContext, bytes, bytes_len,
+ additional, additional_len);
+
+@@ -722,8 +788,165 @@ PRNGTEST_Generate(PRUint8 *bytes, unsign
+ SECStatus
+ PRNGTEST_Uninstantiate()
+ {
++ if (!testContext.isValid) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
+ PORT_Memset(&testContext, 0, sizeof testContext);
+ return SECSuccess;
+ }
+
++SECStatus
++PRNGTEST_RunHealthTests()
++{
++ static const PRUint8 entropy[] = {
++ 0x8e,0x9c,0x0d,0x25,0x75,0x22,0x04,0xf9,
++ 0xc5,0x79,0x10,0x8b,0x23,0x79,0x37,0x14,
++ 0x9f,0x2c,0xc7,0x0b,0x39,0xf8,0xee,0xef,
++ 0x95,0x0c,0x97,0x59,0xfc,0x0a,0x85,0x41,
++ 0x76,0x9d,0x6d,0x67,0x00,0x4e,0x19,0x12,
++ 0x02,0x16,0x53,0xea,0xf2,0x73,0xd7,0xd6,
++ 0x7f,0x7e,0xc8,0xae,0x9c,0x09,0x99,0x7d,
++ 0xbb,0x9e,0x48,0x7f,0xbb,0x96,0x46,0xb3,
++ 0x03,0x75,0xf8,0xc8,0x69,0x45,0x3f,0x97,
++ 0x5e,0x2e,0x48,0xe1,0x5d,0x58,0x97,0x4c };
++ static const PRUint8 rng_known_result[] = {
++ 0x16,0xe1,0x8c,0x57,0x21,0xd8,0xf1,0x7e,
++ 0x5a,0xa0,0x16,0x0b,0x7e,0xa6,0x25,0xb4,
++ 0x24,0x19,0xdb,0x54,0xfa,0x35,0x13,0x66,
++ 0xbb,0xaa,0x2a,0x1b,0x22,0x33,0x2e,0x4a,
++ 0x14,0x07,0x9d,0x52,0xfc,0x73,0x61,0x48,
++ 0xac,0xc1,0x22,0xfc,0xa4,0xfc,0xac,0xa4,
++ 0xdb,0xda,0x5b,0x27,0x33,0xc4,0xb3 };
++ static const PRUint8 reseed_entropy[] = {
++ 0xc6,0x0b,0x0a,0x30,0x67,0x07,0xf4,0xe2,
++ 0x24,0xa7,0x51,0x6f,0x5f,0x85,0x3e,0x5d,
++ 0x67,0x97,0xb8,0x3b,0x30,0x9c,0x7a,0xb1,
++ 0x52,0xc6,0x1b,0xc9,0x46,0xa8,0x62,0x79 };
++ static const PRUint8 additional_input[] = {
++ 0x86,0x82,0x28,0x98,0xe7,0xcb,0x01,0x14,
++ 0xae,0x87,0x4b,0x1d,0x99,0x1b,0xc7,0x41,
++ 0x33,0xff,0x33,0x66,0x40,0x95,0x54,0xc6,
++ 0x67,0x4d,0x40,0x2a,0x1f,0xf9,0xeb,0x65 };
++ static const PRUint8 rng_reseed_result[] = {
++ 0x02,0x0c,0xc6,0x17,0x86,0x49,0xba,0xc4,
++ 0x7b,0x71,0x35,0x05,0xf0,0xdb,0x4a,0xc2,
++ 0x2c,0x38,0xc1,0xa4,0x42,0xe5,0x46,0x4a,
++ 0x7d,0xf0,0xbe,0x47,0x88,0xb8,0x0e,0xc6,
++ 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96,
++ 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61,
++ 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 };
++ static const PRUint8 rng_no_reseed_result[] = {
++ 0xc4,0x40,0x41,0x8c,0xbf,0x2f,0x70,0x23,
++ 0x88,0xf2,0x7b,0x30,0xc3,0xca,0x1e,0xf3,
++ 0xef,0x53,0x81,0x5d,0x30,0xed,0x4c,0xf1,
++ 0xff,0x89,0xa5,0xee,0x92,0xf8,0xc0,0x0f,
++ 0x88,0x53,0xdf,0xb6,0x76,0xf0,0xaa,0xd3,
++ 0x2e,0x1d,0x64,0x37,0x3e,0xe8,0x4a,0x02,
++ 0xff,0x0a,0x7f,0xe5,0xe9,0x2b,0x6d };
++
++ SECStatus rng_status = SECSuccess;
++ PR_STATIC_ASSERT(sizeof(rng_known_result) >= sizeof(rng_reseed_result));
++ PRUint8 result[sizeof(rng_known_result)];
++
++ /********************************************/
++ /* First test instantiate error path. */
++ /* In this case we supply enough entropy, */
++ /* but not enough seed. This will trigger */
++ /* the code that checks for a entropy */
++ /* source failure. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, 256/PR_BITS_PER_BYTE,
++ NULL, 0, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* we failed with the proper error code, we can continue */
+
++ /********************************************/
++ /* Generate random bytes with a known seed. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy,
++ NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNGTEST_Instantiate */
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Generate(result, sizeof rng_known_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ ( PORT_Memcmp( result, rng_known_result,
++ sizeof rng_known_result ) != 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Reseed(reseed_entropy, sizeof reseed_entropy,
++ additional_input, sizeof additional_input);
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNG_Reseed */
++ PRNGTEST_Uninstantiate();
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ ( PORT_Memcmp( result, rng_reseed_result,
++ sizeof rng_reseed_result ) != 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* This magic forces the reseed count to it's max count, so we can see if
++ * PRNGTEST_Generate will actually when it reaches it's count */
++ rng_status = PRNGTEST_Reseed(NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ /* Error set by PRNG_Reseed */
++ return SECFailure;
++ }
++ /* This generate should now reseed */
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ /* NOTE we fail if the result is equal to the no_reseed_result.
++ * no_reseed_result is the value we would have gotten if we didn't
++ * do an automatic reseed in PRNGTEST_Generate */
++ ( PORT_Memcmp( result, rng_no_reseed_result,
++ sizeof rng_no_reseed_result ) == 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ /* make sure reseed fails when we don't supply enough entropy */
++ rng_status = PRNGTEST_Reseed(reseed_entropy, 4, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PRNGTEST_Uninstantiate();
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status != SECSuccess) {
++ /* Error set by PRNG_Uninstantiate */
++ return rng_status;
++ }
++ /* make sure uninstantiate fails if the contest is not initiated (also tests
++ * if the context was cleared in the previous Uninstantiate) */
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status == SECSuccess) {
++ PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
++ return SECFailure;
++ }
++ if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) {
++ return rng_status;
++ }
++
++ return SECSuccess;
++}
+Index: ./mozilla/security/nss/lib/softoken/fipstest.c
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/lib/softoken/fipstest.c,v
+retrieving revision 1.27
+diff -u -p -r1.27 fipstest.c
+--- ./mozilla/security/nss/lib/softoken/fipstest.c 19 Jun 2009 23:05:48 -0000 1.27
++++ ./mozilla/security/nss/lib/softoken/fipstest.c 24 Oct 2011 23:59:05 -0000
+@@ -1963,6 +1963,15 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ 0x25,0x2b,0x1d,0x13,0xef,0xa6,0x87,0x96,
+ 0xa3,0x7d,0x5b,0x80,0xc2,0x38,0x76,0x61,
+ 0xc7,0x80,0x5d,0x0f,0x05,0x76,0x85 };
++ static const PRUint8 rng_no_reseed_result[] = {
++ 0xc4,0x40,0x41,0x8c,0xbf,0x2f,0x70,0x23,
++ 0x88,0xf2,0x7b,0x30,0xc3,0xca,0x1e,0xf3,
++ 0xef,0x53,0x81,0x5d,0x30,0xed,0x4c,0xf1,
++ 0xff,0x89,0xa5,0xee,0x92,0xf8,0xc0,0x0f,
++ 0x88,0x53,0xdf,0xb6,0x76,0xf0,0xaa,0xd3,
++ 0x2e,0x1d,0x64,0x37,0x3e,0xe8,0x4a,0x02,
++ 0xff,0x0a,0x7f,0xe5,0xe9,0x2b,0x6d };
++
+ static const PRUint8 Q[] = {
+ 0x85,0x89,0x9c,0x77,0xa3,0x79,0xff,0x1a,
+ 0x86,0x6f,0x2f,0x3e,0x2e,0xf9,0x8c,0x9c,
+@@ -1986,6 +1995,23 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ PRUint8 DSAX[FIPS_DSA_SUBPRIME_LENGTH];
+
+ /********************************************/
++ /* First test instantiate error path. */
++ /* In this case we supply enough entropy, */
++ /* but not enough seed. This will trigger */
++ /* the code that checks for a entropy */
++ /* source failure. */
++ /********************************************/
++ rng_status = PRNGTEST_Instantiate(entropy, 256/PR_BITS_PER_BYTE,
++ NULL, 0, NULL, 0);
++ if (rng_status == SECSuccess) {
++ return (CKR_DEVICE_ERROR);
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ return (CKR_DEVICE_ERROR);
++ }
++ /* we failed with the proper error code, we can continue */
++
++ /********************************************/
+ /* Generate random bytes with a known seed. */
+ /********************************************/
+ rng_status = PRNGTEST_Instantiate(entropy, sizeof entropy,
+@@ -2013,10 +2039,47 @@ sftk_fips_RNG_PowerUpSelfTest( void )
+ PRNGTEST_Uninstantiate();
+ return ( CKR_DEVICE_ERROR );
+ }
++ /* This magic forces the reseed count to it's max count, so we can see if
++ * PRNGTEST_Generate will actually when it reaches it's count */
++ rng_status = PRNGTEST_Reseed(NULL, 0, NULL, 0);
++ if (rng_status != SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ /* This generate should now reseed */
++ rng_status = PRNGTEST_Generate(result, sizeof rng_reseed_result, NULL, 0);
++ if ( ( rng_status != SECSuccess) ||
++ /* NOTE we fail if the result is equal to the no_reseed_result.
++ * no_reseed_result is the value we would have gotten if we didn't
++ * do an automatic reseed in PRNGTEST_Generate */
++ ( PORT_Memcmp( result, rng_no_reseed_result,
++ sizeof rng_no_reseed_result ) == 0 ) ) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ /* make sure reseed fails when we don't supply enough entropy */
++ rng_status = PRNGTEST_Reseed(reseed_entropy, 4, NULL, 0);
++ if (rng_status == SECSuccess) {
++ PRNGTEST_Uninstantiate();
++ return ( CKR_DEVICE_ERROR );
++ }
++ if (PORT_GetError() != SEC_ERROR_NEED_RANDOM) {
++ PRNGTEST_Uninstantiate();
++ return (CKR_DEVICE_ERROR);
++ }
+ rng_status = PRNGTEST_Uninstantiate();
+ if (rng_status != SECSuccess) {
+ return ( CKR_DEVICE_ERROR );
+ }
++ /* make sure uninstantiate fails if the contest is not initiated (also tests
++ * if the context was cleared in the previous Uninstantiate) */
++ rng_status = PRNGTEST_Uninstantiate();
++ if (rng_status == SECSuccess) {
++ return ( CKR_DEVICE_ERROR );
++ }
++ if (PORT_GetError() != SEC_ERROR_LIBRARY_FAILURE) {
++ return ( CKR_DEVICE_ERROR );
++ }
+
+ /*******************************************/
+ /* Generate DSAX fow given Q. */
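Review bot: In the drbg.c part, the new `if (rv != SECSuccess) { return PR_FAILURE; }` in rng_init leaves `globalrng` pointing at the context, while the failure branch directly above it resets `globalrng = NULL` before returning. Presumably later callers are stopped because `isValid` is never set on this path, but that is not visible here, so either tear the state down the same way as the sibling branch or add a comment stating why it is kept. Separately, RNG_RNGShutdown now sets `SEC_ERROR_NO_MEMORY` under a comment that asks for a "not initialized" code, which will mislead anyone diagnosing a shutdown-before-init call. Both function bodies start and end outside the hunks shown.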
diff --git a/linux3.patch b/linux3.patch
new file mode 100644
index 0000000..c09ed08
--- /dev/null
+++ b/linux3.patch
@@ -0,0 +1,31 @@
+diff -up ./mozilla/security/coreconf/config.mk.linux3 ./mozilla/security/coreconf/config.mk
+--- ./mozilla/security/coreconf/config.mk.linux3 2011-12-02 08:55:14.583384570 -0800
++++ ./mozilla/security/coreconf/config.mk 2011-12-02 08:55:46.116383662 -0800
+@@ -63,7 +63,7 @@ endif
+ #######################################################################
+
+ TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
+- AIX RISCOS WINNT WIN95 WINCE
++ AIX RISCOS WINNT WIN95 WINCE Linux
+
+ ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
+ include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
+diff -up ./mozilla/security/coreconf/Linux.mk.linux3 ./mozilla/security/coreconf/Linux.mk
+--- ./mozilla/security/coreconf/Linux.mk.linux3 2011-12-02 08:53:47.271386407 -0800
++++ ./mozilla/security/coreconf/Linux.mk 2011-12-02 08:54:48.356384973 -0800
+@@ -198,3 +198,15 @@ RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/pr
+ endif
+ endif
+
++OS_REL_CFLAGS += -DLINUX2_1
++MKSHLIB = $(CC) $(DSO_LDOPTS) -Wl,-soname -Wl,$(@:$(OBJDIR)/%.so=%.so) $(RPATH)
++
++ifdef MAPFILE
++ MKSHLIB += -Wl,--version-script,$(MAPFILE)
++endif
++PROCESS_MAP_FILE = grep -v ';-' $< | \
++ sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
++
++ifeq ($(OS_RELEASE),2.4)
++DEFINES += -DNO_FORK_CHECK
++endif
diff --git a/nss-softokn-3.12.4-fips-fix.patch b/nss-softokn-3.12.4-fips-fix.patch
new file mode 100644
index 0000000..05ae9cb
--- /dev/null
+++ b/nss-softokn-3.12.4-fips-fix.patch
@@ -0,0 +1,11 @@
+--- ./mozilla/security/nss/lib/freebl/nsslowhash.c 2010-05-08 18:02:39.592248982 +0300
++++ ./mozilla/security/nss/lib/freebl/nsslowhash.c.fix 2010-05-08 18:01:45.564454513 +0300
+@@ -275,7 +275,7 @@ static int nsslow_GetFIPSEnabled(void) {
+
+ f = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (!f)
+- return 1;
++ return 0;
+
+ size = fread(&d, 1, 1, f);
+ fclose(f);
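Review bot: Returning 0 when `fopen("/proc/sys/crypto/fips_enabled", "r")` fails makes every open failure read as "FIPS mode off", not only the case of a kernel that lacks the flag. A process that cannot read the file for another reason (access denied by a confinement policy, descriptor exhaustion) would then silently skip FIPS behaviour on a host that has it enabled. Consider treating only a missing file as disabled, e.g. `if (!f) return (errno == ENOENT) ? 0 : 1;`, with a comment recording the decision. The rest of nsslow_GetFIPSEnabled, including how the `fread` result is checked, is outside the hunk.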
diff --git a/nss-softokn-3.12.4-prelink.patch b/nss-softokn-3.12.4-prelink.patch
index ed187e8..5f2e46f 100644
--- a/nss-softokn-3.12.4-prelink.patch
+++ b/nss-softokn-3.12.4-prelink.patch
@@ -1,6 +1,6 @@
diff -up ./mozilla/security/nss/lib/freebl/Makefile.prelink ./mozilla/security/nss/lib/freebl/Makefile
---- ./mozilla/security/nss/lib/freebl/Makefile.prelink 2011-10-12 09:47:04.956000000 -0700
-+++ ./mozilla/security/nss/lib/freebl/Makefile 2011-10-12 09:47:55.040002000 -0700
+--- ./mozilla/security/nss/lib/freebl/Makefile.prelink 2010-09-04 14:13:58.846327263 -0700
++++ ./mozilla/security/nss/lib/freebl/Makefile 2010-09-04 14:15:11.544326993 -0700
@@ -82,6 +82,12 @@ ifeq ($(FREEBL_NO_DEPEND),1)
else
MAPFILE_SOURCE = freebl.def
@@ -15,8 +15,8 @@ diff -up ./mozilla/security/nss/lib/freebl/Makefile.prelink ./mozilla/security/n
# NSS_X64 means the target is a 64-bits x64 CPU architecture
# NSS_X86_OR_X64 means the target is either x86 or x64
diff -up ./mozilla/security/nss/lib/freebl/shvfy.c.prelink ./mozilla/security/nss/lib/freebl/shvfy.c
---- ./mozilla/security/nss/lib/freebl/shvfy.c.prelink 2011-10-12 09:48:46.966000000 -0700
-+++ ./mozilla/security/nss/lib/freebl/shvfy.c 2011-10-12 09:50:16.017002000 -0700
+--- ./mozilla/security/nss/lib/freebl/shvfy.c.prelink 2010-09-04 14:16:01.518326988 -0700
++++ ./mozilla/security/nss/lib/freebl/shvfy.c 2010-09-04 14:25:44.770326384 -0700
@@ -48,6 +48,168 @@
#include "stdio.h"
#include "prmem.h"
@@ -221,9 +221,9 @@ diff -up ./mozilla/security/nss/lib/freebl/shvfy.c.prelink ./mozilla/security/ns
SHA1_End(hashcx, hash.data, &hash.len, hash.len);
diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/nss/lib/freebl/stubs.c
---- ./mozilla/security/nss/lib/freebl/stubs.c.prelink 2011-03-30 11:39:44.000000000 -0700
-+++ ./mozilla/security/nss/lib/freebl/stubs.c 2011-10-12 09:46:24.737000000 -0700
-@@ -70,6 +70,7 @@
+--- ./mozilla/security/nss/lib/freebl/stubs.c.prelink 2010-09-04 14:26:27.454327120 -0700
++++ ./mozilla/security/nss/lib/freebl/stubs.c 2010-09-04 14:31:56.778327428 -0700
+@@ -69,6 +69,7 @@
#include <secport.h>
#include <secitem.h>
#include <blapi.h>
@@ -231,8 +231,8 @@ diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/ns
#define FREEBL_NO_WEAK 1
-@@ -162,6 +163,8 @@ STUB_DECLARE(PRStatus,PR_NotifyCondVar,(
- STUB_DECLARE(PRStatus,PR_NotifyAllCondVar,(PRCondVar *cvar));
+@@ -157,6 +158,8 @@ STUB_DECLARE(void,PR_Lock,(PRLock *lock)
+ STUB_DECLARE(PRLock *,PR_NewLock,(void));
STUB_DECLARE(PRFileDesc *,PR_Open,(const char *name, PRIntn flags,
PRIntn mode));
+STUB_DECLARE(PRFileDesc *,PR_ImportFile,(PROsfd osfd));
@@ -240,7 +240,7 @@ diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/ns
STUB_DECLARE(PRInt32,PR_Read,(PRFileDesc *fd, void *buf, PRInt32 amount));
STUB_DECLARE(PROffset32,PR_Seek,(PRFileDesc *fd, PROffset32 offset,
PRSeekWhence whence));
-@@ -303,6 +306,34 @@ PR_Open_stub(const char *name, PRIntn fl
+@@ -295,6 +298,34 @@ PR_Open_stub(const char *name, PRIntn fl
return (PRFileDesc *)lfd;
}
@@ -275,7 +275,7 @@ diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/ns
extern PRStatus
PR_Close_stub(PRFileDesc *fd)
{
-@@ -549,6 +580,8 @@ freebl_InitNSPR(void *lib)
+@@ -492,6 +523,8 @@ freebl_InitNSPR(void *lib)
{
STUB_FETCH_FUNCTION(PR_Free);
STUB_FETCH_FUNCTION(PR_Open);
@@ -285,11 +285,11 @@ diff -up ./mozilla/security/nss/lib/freebl/stubs.c.prelink ./mozilla/security/ns
STUB_FETCH_FUNCTION(PR_Read);
STUB_FETCH_FUNCTION(PR_Seek);
diff -up ./mozilla/security/nss/lib/freebl/stubs.h.prelink ./mozilla/security/nss/lib/freebl/stubs.h
---- ./mozilla/security/nss/lib/freebl/stubs.h.prelink 2011-03-30 11:39:44.000000000 -0700
-+++ ./mozilla/security/nss/lib/freebl/stubs.h 2011-10-12 09:46:24.740001000 -0700
-@@ -84,6 +84,8 @@
- #define PR_NotifyCondVar PR_NotifyCondVar_stub
- #define PR_NotifyAllCondVar PR_NotifyAllCondVar_stub
+--- ./mozilla/security/nss/lib/freebl/stubs.h.prelink 2010-09-04 14:26:41.822327256 -0700
++++ ./mozilla/security/nss/lib/freebl/stubs.h 2010-09-04 14:32:53.498540767 -0700
+@@ -78,6 +78,8 @@
+ #define PR_Lock PR_Lock_stub
+ #define PR_NewLock PR_NewLock_stub
#define PR_Open PR_Open_stub
+#define PR_ImportFile PR_ImportFile_stub
+#define PR_ImportPipe PR_ImportPipe_stub
diff --git a/nss-softokn-710298.patch b/nss-softokn-710298.patch
new file mode 100644
index 0000000..d847b3f
--- /dev/null
+++ b/nss-softokn-710298.patch
@@ -0,0 +1,14 @@
+diff -up ./mozilla/security/nss/lib/freebl/intel-aes.s.710298 ./mozilla/security/nss/lib/freebl/intel-aes.s
+--- ./mozilla/security/nss/lib/freebl/intel-aes.s.710298 2011-06-14 16:12:37.167353550 -0700
++++ ./mozilla/security/nss/lib/freebl/intel-aes.s 2011-06-14 16:14:14.870654107 -0700
+@@ -1654,8 +1654,8 @@ intel_aes_decrypt_cbc_256:
+ .byte 0x66,0x41,0x0f,0x38,0xdf,0xc8 /* aesdeclast %xmm8, %xmm1 */
+ movdqu 112(%rdi), %xmm8
+ pxor %xmm0, %xmm1
+- movdqu %xmm1, (%rsi, %rax)
+- movdqu (%r8, %rax), %xmm0
++ movdqu (%r8, %rax), %xmm0 /* fetch the IV before we store the block */
++ movdqu %xmm1, (%rsi, %rax) /* in case input buf = output buf */
+ addq $16, %rax
+ cmpq %rax, %r9
+ jne 4b
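Review bot: Only one loop of `intel_aes_decrypt_cbc_256` is reordered here, so as far as the hunk shows the `input buf = output buf` case is fixed for this loop alone. The 128- and 192-bit CBC decrypt routines, and any other block loop in the 256-bit routine, are outside the hunk and should be checked for the same store-before-load order. Since this build disables the test suite, a known-answer CBC decrypt test run with identical input and output buffers for each key size is the check to have in place before relying on the fix.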
diff --git a/nss-softokn-748524.patch b/nss-softokn-748524.patch
new file mode 100644
index 0000000..78e0939
--- /dev/null
+++ b/nss-softokn-748524.patch
@@ -0,0 +1,157 @@
+diff -up ./mozilla/security/nss/lib/softoken/sftkmod.c.748524 ./mozilla/security/nss/lib/softoken/sftkmod.c
+--- ./mozilla/security/nss/lib/softoken/sftkmod.c.748524 2011-10-24 10:38:11.144474083 -0700
++++ ./mozilla/security/nss/lib/softoken/sftkmod.c 2011-10-24 10:46:35.482664611 -0700
+@@ -179,15 +179,18 @@ char *sftk_getOldSecmodName(const char *
+ char *sep;
+
+ sep = PORT_Strrchr(dirPath,*PATH_SEPARATOR);
+-#ifdef WINDOWS
++#ifdef _WIN32
+ if (!sep) {
+- sep = PORT_Strrchr(dirPath,'/');
++ /* pkcs11i.h defines PATH_SEPARATOR as "/" for all platforms. */
++ sep = PORT_Strrchr(dirPath,'\\');
+ }
+ #endif
+ if (sep) {
+- *(sep)=0;
++ *sep = 0;
++ file = PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
++ } else {
++ file = PR_smprintf("%s", filename);
+ }
+- file= PR_smprintf("%s"PATH_SEPARATOR"%s", dirPath, filename);
+ PORT_Free(dirPath);
+ return file;
+ }
+@@ -242,19 +245,24 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ char *paramsValue=NULL;
+ PRBool failed = PR_TRUE;
+
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReadSecmodDB(appName, filename, dbname, params, rw);
+ }
+
+ moduleList = (char **) PORT_ZAlloc(useCount*sizeof(char **));
+ if (moduleList == NULL) return NULL;
+
++ if (dbname == NULL) {
++ goto return_default;
++ }
++
+ /* do we really want to use streams here */
+ fd = fopen(dbname, "r");
+ if (fd == NULL) goto done;
+
+ /*
+- * the following loop takes line separated config lines and colapses
++ * the following loop takes line separated config lines and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+@@ -405,7 +413,11 @@ sftkdb_ReadSecmodDB(SDBType dbType, cons
+ moduleString = NULL;
+ }
+ done:
+- /* if we couldn't open a pkcs11 database, look for the old one */
++ /* If we couldn't open a pkcs11 database, look for the old one.
++ * This is necessary to maintain the semantics of the transition from
++ * old to new DB's. If there is an old DB and not new DB, we will
++ * automatically use the old DB. If the DB was opened read/write, we
++ * create a new db and upgrade it from the old one. */
+ if (fd == NULL) {
+ char *olddbname = sftk_getOldSecmodName(dbname,filename);
+ PRStatus status;
+@@ -462,6 +474,8 @@ bail:
+ PR_smprintf_free(olddbname);
+ }
+ }
++
++return_default:
+
+ if (!moduleList[0]) {
+ char * newParams;
+@@ -515,7 +529,8 @@ sftkdb_ReleaseSecmodDBData(SDBType dbTyp
+ const char *filename, const char *dbname,
+ char **moduleSpecList, PRBool rw)
+ {
+- if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
++ if ((dbname != NULL) &&
++ ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS))) {
+ return sftkdbCall_ReleaseSecmodDBData(appName, filename, dbname,
+ moduleSpecList, rw);
+ }
+@@ -546,6 +561,10 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+ PRBool skip = PR_FALSE;
+ PRBool found = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_DeleteSecmodDB(appName, filename, dbname, args, rw);
+ }
+@@ -579,7 +598,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+
+
+ /*
+- * the following loop takes line separated config files and colapses
++ * the following loop takes line separated config files and collapses
+ * the lines to a single string, escaping and quoting as necessary.
+ */
+ /* loop state variables */
+@@ -638,6 +657,7 @@ sftkdb_DeleteSecmodDB(SDBType dbType, co
+ PORT_Free(dbname2);
+ PORT_Free(lib);
+ PORT_Free(name);
++ PORT_Free(block);
+ return SECSuccess;
+
+ loser:
+@@ -668,6 +688,10 @@ sftkdb_AddSecmodDB(SDBType dbType, const
+ char *block = NULL;
+ PRBool libFound = PR_FALSE;
+
++ if (dbname == NULL) {
++ return SECFailure;
++ }
++
+ if ((dbType == SDB_LEGACY) || (dbType == SDB_MULTIACCESS)) {
+ return sftkdbCall_AddSecmodDB(appName, filename, dbname, module, rw);
+ }
+diff -up ./mozilla/security/nss/lib/softoken/sftkpars.c.748524 ./mozilla/security/nss/lib/softoken/sftkpars.c
+--- ./mozilla/security/nss/lib/softoken/sftkpars.c.748524 2011-10-24 10:39:21.697662167 -0700
++++ ./mozilla/security/nss/lib/softoken/sftkpars.c 2011-10-24 10:48:03.369411295 -0700
+@@ -607,6 +607,7 @@ sftk_getSecmodName(char *param, SDBType
+ char *value = NULL;
+ char *save_params = param;
+ const char *lconfigdir;
++ PRBool noModDB = PR_FALSE;
+ param = sftk_argStrip(param);
+
+
+@@ -631,7 +632,10 @@ sftk_getSecmodName(char *param, SDBType
+
+ if (sftk_argHasFlag("flags","noModDB",save_params)) {
+ /* there isn't a module db, don't load the legacy support */
++ noModDB = PR_TRUE;
+ *dbType = SDB_SQL;
++ PORT_Free(*filename);
++ *filename = NULL;
+ *rw = PR_FALSE;
+ }
+
+@@ -640,7 +644,9 @@ sftk_getSecmodName(char *param, SDBType
+ secmodName="pkcs11.txt";
+ }
+
+- if (lconfigdir) {
++ if (noModDB) {
++ value = NULL;
++ } else if (lconfigdir && lconfigdir[0] != '\0') {
+ value = PR_smprintf("%s" PATH_SEPARATOR "%s",lconfigdir,secmodName);
+ } else {
+ value = PR_smprintf("%s",secmodName);
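Review bot: The new `dbname == NULL` guards in sftkdb_DeleteSecmodDB and sftkdb_AddSecmodDB return `SECFailure` without setting an error code, so a caller that reads `PORT_GetError()` sees whatever an earlier call left behind. Adding `PORT_SetError(SEC_ERROR_INVALID_ARGS);` before each `return SECFailure;` would make the failure diagnosable. In sftk_getSecmodName the noModDB path now returns NULL and sets `*filename = NULL`, and only the sftkmod.c entry points touched by this patch are visibly guarded against that. A comment such as `/* noModDB: callers must accept a NULL secmod name and filename */` would record the new contract. All of these function bodies extend beyond the hunks.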
diff --git a/nss-softokn.spec b/nss-softokn.spec
index cabc35b..74375b0 100644
--- a/nss-softokn.spec
+++ b/nss-softokn.spec
@@ -16,7 +16,7 @@
Summary: Network Security Services Softoken Module
Name: nss-softokn
-Version: 3.13.1
+Version: 3.12.9
Release: 1%{?dist}
License: MPLv1.1 or GPLv2+ or LGPLv2+
URL: http://www.mozilla.org/projects/security/pki/nss/
@@ -49,10 +49,24 @@ Source1: nss-split-softokn.sh
Source2: nss-softokn.pc.in
Source3: nss-softokn-config.in
-# FIPS 140 -- update this patch as we rebase nss
-# and remov it once it has been included upstream
+Patch1: add-relro-linker-option.patch
+# FIPS 140 remove these two patches once we rebase and
+# can pick up the fixes from upstream
Patch2: nss-softokn-3.12.4-prelink.patch
-Patch4: softoken-minimal-test-dependencies.patch
+Patch3: nss-softokn-3.12.4-fips-fix.patch
+Patch4: nss-softokn-710298.patch
+# Add drbg tests for FIPS validation, patch from upstream
+# see: https://bugzilla.mozilla.org/show_bug.cgi?id=695571
+# Remove this patch when we rebase to nss 3.13.2
+Patch5: drbg.patch
+# Backported from upstream nss 3.13
+# See: https://bugzilla.mozilla.org/show_bug.cgi?id=641052
+# Remove this patch when we rebase to nss 3.13.2
+Patch6: nss-softokn-748524.patch
+Patch7: linux3.patch
+
+#Uncomment when we are ready to enable testing
+#Patch8: softoken-minimal-test-dependencies.patch
%description
Network Security Services Softoken Cryptographic Module
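Review bot: Two of the added patch entries carry no provenance: `Patch1: add-relro-linker-option.patch` and `Patch7: linux3.patch` have no comment saying where they come from or when they can be dropped, unlike Patch5 and Patch6. The comment `# FIPS 140 remove these two patches once we rebase` now sits above three entries (Patch2, Patch3, Patch4), so it is unclear which two it means. For a module submitted for FIPS revalidation I would give every patch a one-line origin comment, e.g. `# Patch7: <purpose of linux3.patch> - see <bug URL>`, and reword the FIPS comment to name the patches it covers.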
@@ -102,9 +116,17 @@ Header and Library files for doing development with Network Security Services.
%prep
%setup -q
+%patch1 -p0 -b .relro
%patch2 -p0 -b .prelink
-%patch4 -p0 -b .onlycrypto
+%patch3 -p0 -b .fipsfix
+%patch4 -p0 -b .710298
+%patch5 -p0 -b .747053
+%patch6 -p0 -b .748524
+%patch7 -p0 -b .linux3
+# FIXME uncomment when we are ready to
+# resume testing of part of the build
+#%patch8 -p0 -b .crypto
%build
@@ -138,11 +160,8 @@ NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'`
export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR
-NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
-NSSUTIL_LIB_DIR=%{_libdir}
-
-export NSSUTIL_INCLUDE_DIR
-export NSSUTIL_LIB_DIR
+export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'`
+export NSSUTIL_LIB_DIR=%{_libdir}
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
@@ -226,7 +245,7 @@ if [ $SPACEISBAD -ne 0 ]; then
fi
rm -rf ./mozilla/tests_results
-cd ./mozilla/security/nss/tests/
+#cd ./mozilla/security/nss/tests/
# all.sh is the test suite script
# only run cipher tests for nss-softokn
@@ -235,11 +254,11 @@ cd ./mozilla/security/nss/tests/
%global nss_ssl_tests " "
%global nss_ssl_run " "
-HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+#HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
-cd ../../../../
+#cd ../../../../
-killall $RANDSERV || :
+#killall $RANDSERV || :
TEST_FAILURES=`grep -c FAILED ./mozilla/tests_results/security/localhost.1/output.log` || :
# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
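Review bot: With the `./all.sh` line commented out, the `TEST_FAILURES=` line that stays behind greps a log under `./mozilla/tests_results`, which the previous hunk's context has just removed with `rm -rf`. The count therefore comes back empty and `|| :` hides the grep error. Whatever pass/fail check follows (it is outside this hunk) then has nothing to act on, so the build presumably reports success for a crypto module on which no cipher test ran. I would make the skip explicit rather than commenting lines out: wrap the test run and the result check in a spec conditional such as `%if 0%{?run_testsuite}` … `%endif` (macro name is only an example) and add `echo "test suite disabled for this build"` so the build log records it.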
@@ -374,12 +393,33 @@ done
%{_includedir}/nss3/shsign.h
%changelog
+* Wed Nov 23 2011 Elio Maldonado Batiz <emaldona at redhat.com> - 3.12.9-1.test.1
+- Downgrading to 3.12.9 for a merge into new RHEL git repo
+- This build is for the buildroot for a limited time only
+- Do not not push it to update-testing
+
* Tue Nov 08 2011 Elio Maldonado <emaldona at redhat.com> - 3.13.1-1
- Update to NSS_3_13_1_RTM
* Wed Oct 12 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-6
- Fix failure to switch nss-softokn to FIPS mode (#745571)
+* Tue Oct 11 2011 Elio Maldonado <emaldona at redhat.com> - 3.13-0.1.rc0.3
+- Update to NSS_3_13_RC0 post bootstrapping
+- Don't incude util in sources for the lookaside cache
+- Reenable building the fipstest tool
+- Restore full cli argument parsing in the sectool library
+
+* Sun Oct 09 2011 Elio Maldonado <emaldona at redhat.com> - 3.13-0.1.rc0.2
+- Update to NSS_3_13_RC0 bootstrapping the system phase 2
+- Reenable the cipher test suite
+
+* Sat Oct 08 2011 Elio Maldonado <emaldona at redhat.com> - 3.13-0.rc0.1
+- Update to NSS_3_13_RC0
+
+* Thu Sep 8 2011 Ville Skyttä <ville.skytta at iki.fi> - 3.12.11-3
+- Avoid %%post/un shell invocations and dependencies.
+
* Wed Aug 17 2011 Elio Maldonado <emaldona at redhat.com> - 3.12.10-5
- rebuilt as recommended to deal with an rpm 4.9.1 issue
diff --git a/softoken-minimal-test-dependencies.patch b/softoken-minimal-test-dependencies.patch
index 2587801..27f0750 100644
--- a/softoken-minimal-test-dependencies.patch
+++ b/softoken-minimal-test-dependencies.patch
@@ -1,21 +1,7 @@
-diff -up ./mozilla/security/nss/cmd/lib/manifest.mn.onlycrypto ./mozilla/security/nss/cmd/lib/manifest.mn
---- ./mozilla/security/nss/cmd/lib/manifest.mn.onlycrypto 2009-03-30 16:40:51.000000000 -0700
-+++ ./mozilla/security/nss/cmd/lib/manifest.mn 2011-05-30 16:01:57.511062081 -0700
-@@ -36,7 +36,7 @@
- # ***** END LICENSE BLOCK *****
- CORE_DEPTH = ../../..
-
--LIBRARY_NAME = sectool
-+LIBRARY_NAME = sectoolcrypto
-
- # MODULE public and private header directories are implicitly REQUIRED.
- MODULE = nss
-@@ -46,17 +46,11 @@ DEFINES = -DNSPR20
- PRIVATE_EXPORTS = secutil.h \
- NSPRerrs.h \
- SECerrs.h \
-- SSLerrs.h \
- pk11table.h \
+diff -up mozilla/security/nss/cmd/lib/manifest.mn.crypto mozilla/security/nss/cmd/lib/manifest.mn
+--- mozilla/security/nss/cmd/lib/manifest.mn.crypto 2011-09-16 12:16:50.000000000 -0700
++++ mozilla/security/nss/cmd/lib/manifest.mn 2011-10-11 10:40:37.259477337 -0700
+@@ -48,11 +48,6 @@ PRIVATE_EXPORTS = secutil.h \
$(NULL)
CSRCS = secutil.c \
@@ -23,30 +9,13 @@ diff -up ./mozilla/security/nss/cmd/lib/manifest.mn.onlycrypto ./mozilla/securit
- derprint.c \
- moreoids.c \
- pppolicy.c \
- secerror.c \
- ffs.c \
pk11table.c \
$(NULL)
-diff -up ./mozilla/security/nss/cmd/lib/secerror.c.onlycrypto ./mozilla/security/nss/cmd/lib/secerror.c
---- ./mozilla/security/nss/cmd/lib/secerror.c.onlycrypto 2004-04-25 08:02:46.000000000 -0700
-+++ ./mozilla/security/nss/cmd/lib/secerror.c 2011-05-30 16:01:57.512062097 -0700
-@@ -46,12 +46,10 @@ typedef struct tuple_str tuple_str;
- #define ER3(a,b,c) {a, c},
-
- #include "secerr.h"
--#include "sslerr.h"
-
- const tuple_str errStrings[] = {
-
- /* keep this list in asceding order of error numbers */
--#include "SSLerrs.h"
- #include "SECerrs.h"
- #include "NSPRerrs.h"
-
-diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/nss/cmd/lib/secutil.c
---- ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto 2011-01-27 19:02:00.000000000 -0800
-+++ ./mozilla/security/nss/cmd/lib/secutil.c 2011-05-30 16:01:57.515062142 -0700
+diff -up mozilla/security/nss/cmd/lib/secutil.c.crypto mozilla/security/nss/cmd/lib/secutil.c
+--- mozilla/security/nss/cmd/lib/secutil.c.crypto 2011-09-16 12:16:50.000000000 -0700
++++ mozilla/security/nss/cmd/lib/secutil.c 2011-10-11 11:04:17.699269836 -0700
@@ -48,10 +48,7 @@
#include "prenv.h"
#include "prnetdb.h"
@@ -58,7 +27,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
#include <stdarg.h>
#if !defined(_WIN32_WCE)
#include <sys/stat.h>
-@@ -62,15 +59,11 @@
+@@ -62,29 +59,9 @@
#include <unistd.h>
#endif
@@ -71,22 +40,43 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-#include "pk11func.h"
#include "secoid.h"
-+extern long DER_GetInteger(SECItem *src);
-+
-+/*
- static char consoleName[] = {
- #ifdef XP_UNIX
- "/dev/tty"
-@@ -82,7 +75,7 @@ static char consoleName[] = {
- #endif
- #endif
- };
+-static char consoleName[] = {
+-#ifdef XP_UNIX
+- "/dev/tty"
+-#else
+-#ifdef XP_OS2
+- "\\DEV\\CON"
+-#else
+- "CON:"
+-#endif
+-#endif
+-};
-
-+*/
+-#include "nssutil.h"
+-#include "ssl.h"
++extern long DER_GetInteger(SECItem *src);
+
- char *
- SECU_GetString(int16 error_number)
-@@ -157,436 +150,6 @@ secu_ClearPassword(char *p)
+ void
+@@ -92,7 +69,7 @@ SECU_PrintErrMsg(FILE *out, int level, c
+ {
+ va_list args;
+ PRErrorCode err = PORT_GetError();
+- const char * errString = SECU_Strerror(err);
++ const char * errString = PORT_ErrorToString(err);
+
+ va_start(args, msg);
+
+@@ -112,7 +89,7 @@ SECU_PrintError(char *progName, char *ms
+ {
+ va_list args;
+ PRErrorCode err = PORT_GetError();
+- const char * errString = SECU_Strerror(err);
++ const char * errString = PORT_ErrorToString(err);
+
+ va_start(args, msg);
+
+@@ -151,436 +128,6 @@ secu_ClearPassword(char *p)
}
}
@@ -523,7 +513,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
SECStatus
secu_StdinToItem(SECItem *dst)
-@@ -709,64 +272,6 @@ loser:
+@@ -703,64 +250,6 @@ loser:
return SECFailure;
}
@@ -588,7 +578,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
#define INDENT_MULT 4
void
-@@ -981,2414 +486,74 @@ SECU_PrintInteger(FILE *out, SECItem *i,
+@@ -975,2464 +464,86 @@ SECU_PrintInteger(FILE *out, SECItem *i,
}
static void
@@ -597,7 +587,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
{
- int column;
- unsigned int i;
-
+-
- if ( m ) {
- SECU_Indent(out, level); fprintf(out, "%s: ", m);
- column = (level * INDENT_MULT) + strlen(m) + 2;
@@ -617,7 +607,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-
- fprintf(out,"%c", printable[val]); column++;
- }
--
+
- fprintf(out, "\""); column++;
- if (column != level*INDENT_MULT || column > 76) {
- secu_Newline(out);
@@ -702,13 +692,14 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
+ curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
+ SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
}
--
++}
++#endif /* NSS_ENABLE_ECC */
+
- if (m != NULL)
- fprintf(out, "\n");
--
+
- PORT_Free(timeString);
- }
-+#endif /* NSS_ENABLE_ECC */
+-}
-/*
- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
@@ -717,16 +708,28 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- */
-void
-SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level)
--{
++#if defined(DEBUG) || defined(FORCE_PR_ASSERT)
++/* Returns true iff a[i].flag has a duplicate in a[i+1 : count-1] */
++static PRBool HasShortDuplicate(int i, secuCommandFlag *a, int count)
+ {
- int64 time;
- SECStatus rv;
-
- rv = DER_UTCTimeToTime(&time, t);
- if (rv != SECSuccess)
- return;
--
++ char target = a[i].flag;
++ int j;
+
- secu_PrintTime(out, time, m, level);
--}
++ /* duplicate '\0' flags are okay, they are used with long forms */
++ for (j = i+1; j < count; j++) {
++ if (a[j].flag && a[j].flag == target) {
++ return PR_TRUE;
++ }
++ }
++ return PR_FALSE;
+ }
-/*
- * Format and print the Generalized Time "t". If the tag message "m"
@@ -735,35 +738,36 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- */
-void
-SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m, int level)
-+SECStatus
-+SECU_ParseCommandLine(int argc, char **argv, char *progName,
-+ const secuCommand *cmd)
++/* Returns true iff a[i].longform has a duplicate in a[i+1 : count-1] */
++static PRBool HasLongDuplicate(int i, secuCommandFlag *a, int count)
{
- int64 time;
- SECStatus rv;
-
--
++ int j;
++ char *target = a[i].longform;
+
- rv = DER_GeneralizedTimeToTime(&time, t);
- if (rv != SECSuccess)
- return;
-+ PRBool found;
-+ PLOptState *optstate;
-+ PLOptStatus status;
-+ char *optstring;
-+ PLLongOpt *longopts = NULL;
-+ int i, j;
-+ int lcmd = 0, lopt = 0;
++ if (!target)
++ return PR_FALSE;
- secu_PrintTime(out, time, m, level);
--}
-+ PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands));
-+ PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions));
++ for (j = i+1; j < count; j++) {
++ if (a[j].longform && strcmp(a[j].longform, target) == 0) {
++ return PR_TRUE;
++ }
++ }
++ return PR_FALSE;
+ }
-/*
- * Format and print the UTC or Generalized Time "t". If the tag message
- * "m" is not NULL, do indent formatting based on "level" and add a newline
- * afterward; otherwise just print the formatted time string only.
-- */
++/* Returns true iff a has no short or long form duplicates
+ */
-void
-SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level)
-{
@@ -1166,6 +1170,70 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-};
-
-void
+-secu_PrintRSAPSSParams(FILE *out, SECItem *value, char *m, int level)
+-{
+- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+- SECStatus rv;
+- SECKEYRSAPSSParams param;
+- SECAlgorithmID maskHashAlg;
+-
+- if (m) {
+- SECU_Indent(out, level);
+- fprintf (out, "%s:\n", m);
+- }
+-
+- if (!pool) {
+- SECU_Indent(out, level);
+- fprintf(out, "Out of memory\n");
+- return;
+- }
+-
+- PORT_Memset(¶m, 0, sizeof param);
+-
+- rv = SEC_QuickDERDecodeItem(pool, ¶m,
+- SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate),
+- value);
+- if (rv == SECSuccess) {
+- if (!param.hashAlg) {
+- SECU_Indent(out, level+1);
+- fprintf(out, "Hash algorithm: default, SHA-1\n");
+- } else {
+- SECU_PrintObjectID(out, ¶m.hashAlg->algorithm,
+- "Hash algorithm", level+1);
+- }
+- if (!param.maskAlg) {
+- SECU_Indent(out, level+1);
+- fprintf(out, "Mask algorithm: default, MGF1\n");
+- SECU_Indent(out, level+1);
+- fprintf(out, "Mask hash algorithm: default, SHA-1\n");
+- } else {
+- SECU_PrintObjectID(out, ¶m.maskAlg->algorithm,
+- "Mask algorithm", level+1);
+- rv = SEC_QuickDERDecodeItem(pool, &maskHashAlg,
+- SEC_ASN1_GET(SECOID_AlgorithmIDTemplate),
+- ¶m.maskAlg->parameters);
+- if (rv == SECSuccess) {
+- SECU_PrintObjectID(out, &maskHashAlg.algorithm,
+- "Mask hash algorithm", level+1);
+- } else {
+- SECU_Indent(out, level+1);
+- fprintf(out, "Invalid mask generation algorithm parameters\n");
+- }
+- }
+- if (!param.saltLength.data) {
+- SECU_Indent(out, level+1);
+- fprintf(out, "Salt length: default, %i (0x%2X)\n", 20, 20);
+- } else {
+- SECU_PrintInteger(out, ¶m.saltLength, "Salt Length", level+1);
+- }
+- } else {
+- SECU_Indent(out, level+1);
+- fprintf(out, "Invalid RSA-PSS parameters\n");
+- }
+- PORT_FreeArena(pool, PR_FALSE);
+-}
+-
+-void
-secu_PrintKDF2Params(FILE *out, SECItem *value, char *m, int level)
-{
- PRArenaPool *pool = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
@@ -1275,7 +1343,11 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- }
- return;
- }
--
+-
+- if (algtag == SEC_OID_PKCS1_RSA_PSS_SIGNATURE) {
+- secu_PrintRSAPSSParams(out, &a->parameters, "Parameters", level+1);
+- return;
+- }
-
- if (a->parameters.len == 0
- || (a->parameters.len == 2
@@ -2034,7 +2106,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- if (!(flags & CERTDB_TRUSTED_CA) &&
- !(flags & CERTDB_TRUSTED_CLIENT_CA))
- PORT_Strcat(trusts, "c");
-- if (flags & CERTDB_VALID_PEER)
+- if (flags & CERTDB_TERMINAL_RECORD)
- if (!(flags & CERTDB_TRUSTED))
- PORT_Strcat(trusts, "p");
- if (flags & CERTDB_TRUSTED_CA)
@@ -2859,8 +2931,8 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-void
-printFlags(FILE *out, unsigned int flags, int level)
-{
-- if ( flags & CERTDB_VALID_PEER ) {
-- SECU_Indent(out, level); fprintf(out, "Valid Peer\n");
+- if ( flags & CERTDB_TERMINAL_RECORD ) {
+- SECU_Indent(out, level); fprintf(out, "Terminal Record\n");
- }
- if ( flags & CERTDB_TRUSTED ) {
- SECU_Indent(out, level); fprintf(out, "Trusted\n");
@@ -2900,6 +2972,29 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- printFlags(out, trust->objectSigningFlags, level+2);
-}
-
+-int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level)
+-{
+- PRArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+- CERTName *name;
+- int rv = SEC_ERROR_NO_MEMORY;
+-
+- if (!arena)
+- return rv;
+-
+- name = PORT_ArenaZNew(arena, CERTName);
+- if (!name)
+- goto loser;
+-
+- rv = SEC_ASN1DecodeItem(arena, name, SEC_ASN1_GET(CERT_NameTemplate), der);
+- if (rv)
+- goto loser;
+-
+- SECU_PrintName(out, name, m, level);
+-loser:
+- PORT_FreeArena(arena, PR_FALSE);
+- return rv;
+-}
+-
-int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
- int level, SECU_PPFunc inner)
-{
@@ -2931,7 +3026,6 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-loser:
- PORT_FreeArena(arena, PR_FALSE);
- return rv;
--
-}
-
-SECStatus
@@ -2999,85 +3093,11 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-/* Returns true iff a has no short or long form duplicates
- */
-PRBool HasNoDuplicates(secuCommandFlag *a, int count)
--{
-- int i;
--
-- for (i = 0; i < count; i++) {
-- if (a[i].flag && HasShortDuplicate(i, a, count)) {
-- return PR_FALSE;
-- }
-- if (a[i].longform && HasLongDuplicate(i, a, count)) {
-- return PR_FALSE;
-- }
-- }
-- return PR_TRUE;
--}
--#endif
--
--SECStatus
--SECU_ParseCommandLine(int argc, char **argv, char *progName,
-- const secuCommand *cmd)
--{
-- PRBool found;
-- PLOptState *optstate;
-- PLOptStatus status;
-- char *optstring;
-- PLLongOpt *longopts = NULL;
-- int i, j;
-- int lcmd = 0, lopt = 0;
--
-- PR_ASSERT(HasNoDuplicates(cmd->commands, cmd->numCommands));
-- PR_ASSERT(HasNoDuplicates(cmd->options, cmd->numOptions));
--
-- optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1);
-- if (optstring == NULL)
-- return SECFailure;
--
-- j = 0;
-- for (i=0; i<cmd->numCommands; i++) {
-- if (cmd->commands[i].flag) /* single character option ? */
-- optstring[j++] = cmd->commands[i].flag;
-- if (cmd->commands[i].longform)
-- lcmd++;
-+ optstring = (char *)PORT_Alloc(cmd->numCommands + 2*cmd->numOptions+1);
-+ if (optstring == NULL)
-+ return SECFailure;
-+
-+ j = 0;
-+ for (i=0; i<cmd->numCommands; i++) {
-+ if (cmd->commands[i].flag) /* single character option ? */
-+ optstring[j++] = cmd->commands[i].flag;
-+ if (cmd->commands[i].longform)
-+ lcmd++;
- }
- for (i=0; i<cmd->numOptions; i++) {
- if (cmd->options[i].flag) {
-@@ -3560,24 +725,6 @@ SECU_ErrorStringRaw(int16 err)
- sprintf(SECUErrorBuf, "Untrusted certificate");
- else if (err == SEC_ERROR_UNTRUSTED_ISSUER)
- sprintf(SECUErrorBuf, "Untrusted issuer");
-- else if (err == SSL_ERROR_BAD_CERTIFICATE)
-- sprintf(SECUErrorBuf, "Bad certificate");
-- else if (err == SSL_ERROR_BAD_CLIENT)
-- sprintf(SECUErrorBuf, "Bad client");
-- else if (err == SSL_ERROR_BAD_SERVER)
-- sprintf(SECUErrorBuf, "Bad server");
-- else if (err == SSL_ERROR_EXPORT_ONLY_SERVER)
-- sprintf(SECUErrorBuf, "Export only server");
-- else if (err == SSL_ERROR_NO_CERTIFICATE)
-- sprintf(SECUErrorBuf, "No certificate");
-- else if (err == SSL_ERROR_NO_CYPHER_OVERLAP)
-- sprintf(SECUErrorBuf, "No cypher overlap");
-- else if (err == SSL_ERROR_UNSUPPORTED_CERTIFICATE_TYPE)
-- sprintf(SECUErrorBuf, "Unsupported certificate type");
-- else if (err == SSL_ERROR_UNSUPPORTED_VERSION)
-- sprintf(SECUErrorBuf, "Unsupported version");
-- else if (err == SSL_ERROR_US_ONLY_SERVER)
-- sprintf(SECUErrorBuf, "U.S. only server");
- else if (err == PR_IO_ERROR)
- sprintf(SECUErrorBuf, "I/O error");
-
-@@ -3644,144 +791,6 @@ SECU_PrintPRandOSError(char *progName)
++PRBool HasNoDuplicates(secuCommandFlag *a, int count)
+ {
+ int i;
+
+@@ -3611,144 +722,6 @@ SECU_PrintPRandOSError(char *progName)
}
@@ -3149,8 +3169,8 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- }
- }
- }
-- fprintf(outfile," ERROR %ld: %s\n", node->error,
-- SECU_Strerror(node->error));
+- fprintf(outfile, " ERROR %ld: %s\n", node->error,
+- SECU_Strerror(node->error));
- errstr = NULL;
- switch (node->error) {
- case SEC_ERROR_INADEQUATE_KEY_USAGE:
@@ -3222,7 +3242,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
SECOidTag
SECU_StringToSignatureAlgTag(const char *alg)
{
-@@ -3808,300 +817,6 @@ SECU_StringToSignatureAlgTag(const char
+@@ -3775,298 +748,6 @@ SECU_StringToSignatureAlgTag(const char
}
@@ -3398,15 +3418,13 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
- if (rv) goto loser;
-
- /* Fill out SignedData object */
-- PORT_Memset(sd, 0, sizeof(sd));
+- PORT_Memset(sd, 0, sizeof(*sd));
- sd->data.data = buf;
- sd->data.len = len;
- sd->signature.data = it.data;
- sd->signature.len = it.len << 3; /* convert to bit string */
-- if (!sd->signatureAlgorithm.parameters.data) {
-- rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0);
-- if (rv) goto loser;
-- }
+- rv = SECOID_SetAlgorithmID(arena, &sd->signatureAlgorithm, algID, 0);
+- if (rv) goto loser;
-
- return rv;
-
@@ -3523,7 +3541,7 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
/* Caller ensures that dst is at least item->len*2+1 bytes long */
void
SECU_SECItemToHex(const SECItem * item, char * dst)
-@@ -4165,39 +880,3 @@ SECU_SECItemHexStringToBinary(SECItem* s
+@@ -4130,39 +811,3 @@ SECU_SECItemHexStringToBinary(SECItem* s
return SECSuccess;
}
@@ -3563,10 +3581,387 @@ diff -up ./mozilla/security/nss/cmd/lib/secutil.c.onlycrypto ./mozilla/security/
-}
-
-
-diff -up ./mozilla/security/nss/cmd/manifest.mn.onlycrypto ./mozilla/security/nss/cmd/manifest.mn
---- ./mozilla/security/nss/cmd/manifest.mn.onlycrypto 2009-11-06 21:57:40.000000000 -0800
-+++ ./mozilla/security/nss/cmd/manifest.mn 2011-05-30 16:01:57.516062157 -0700
-@@ -41,45 +41,8 @@ DEPTH = ../..
+diff -up mozilla/security/nss/cmd/lib/secutil.h.crypto mozilla/security/nss/cmd/lib/secutil.h
+--- mozilla/security/nss/cmd/lib/secutil.h.crypto 2011-09-16 12:16:50.000000000 -0700
++++ mozilla/security/nss/cmd/lib/secutil.h 2011-10-11 10:40:37.266477442 -0700
+@@ -38,7 +38,10 @@
+
+ #include "seccomon.h"
+ #include "secitem.h"
++#include "secoid.h"
++#include "secoidt.h"
+ #include "secport.h"
++#include "key.h"
+ #include "prerror.h"
+ #include "base64.h"
+ #include "key.h"
+@@ -47,109 +50,6 @@
+ #include "secder.h"
+ #include <stdio.h>
+
+-#define SEC_CT_PRIVATE_KEY "private-key"
+-#define SEC_CT_PUBLIC_KEY "public-key"
+-#define SEC_CT_CERTIFICATE "certificate"
+-#define SEC_CT_CERTIFICATE_REQUEST "certificate-request"
+-#define SEC_CT_PKCS7 "pkcs7"
+-#define SEC_CT_CRL "crl"
+-#define SEC_CT_NAME "name"
+-
+-#define NS_CERTREQ_HEADER "-----BEGIN NEW CERTIFICATE REQUEST-----"
+-#define NS_CERTREQ_TRAILER "-----END NEW CERTIFICATE REQUEST-----"
+-
+-#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
+-#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
+-
+-#define NS_CRL_HEADER "-----BEGIN CRL-----"
+-#define NS_CRL_TRAILER "-----END CRL-----"
+-
+-#define SECU_Strerror PORT_ErrorToString
+-
+-#ifdef SECUTIL_NEW
+-typedef int (*SECU_PPFunc)(PRFileDesc *out, SECItem *item,
+- char *msg, int level);
+-#else
+-typedef int (*SECU_PPFunc)(FILE *out, SECItem *item, char *msg, int level);
+-#endif
+-
+-typedef struct {
+- enum {
+- PW_NONE = 0,
+- PW_FROMFILE = 1,
+- PW_PLAINTEXT = 2,
+- PW_EXTERNAL = 3
+- } source;
+- char *data;
+-} secuPWData;
+-
+-/*
+-** Change a password on a token, or initialize a token with a password
+-** if it does not already have one.
+-** Use passwd to send the password in plaintext, pwFile to specify a
+-** file containing the password, or NULL for both to prompt the user.
+-*/
+-SECStatus SECU_ChangePW(PK11SlotInfo *slot, char *passwd, char *pwFile);
+-
+-/*
+-** Change a password on a token, or initialize a token with a password
+-** if it does not already have one.
+-** In this function, you can specify both the old and new passwords
+-** as either a string or file. NOTE: any you don't specify will
+-** be prompted for
+-*/
+-SECStatus SECU_ChangePW2(PK11SlotInfo *slot, char *oldPass, char *newPass,
+- char *oldPwFile, char *newPwFile);
+-
+-/* These were stolen from the old sec.h... */
+-/*
+-** Check a password for legitimacy. Passwords must be at least 8
+-** characters long and contain one non-alphabetic. Return DSTrue if the
+-** password is ok, DSFalse otherwise.
+-*/
+-extern PRBool SEC_CheckPassword(char *password);
+-
+-/*
+-** Blind check of a password. Complement to SEC_CheckPassword which
+-** ignores length and content type, just retuning DSTrue is the password
+-** exists, DSFalse if NULL
+-*/
+-extern PRBool SEC_BlindCheckPassword(char *password);
+-
+-/*
+-** Get a password.
+-** First prompt with "msg" on "out", then read the password from "in".
+-** The password is then checked using "chkpw".
+-*/
+-extern char *SEC_GetPassword(FILE *in, FILE *out, char *msg,
+- PRBool (*chkpw)(char *));
+-
+-char *SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg);
+-
+-char *SECU_GetPasswordString(void *arg, char *prompt);
+-
+-/*
+-** Write a dongle password.
+-** Uses MD5 to hash constant system data (hostname, etc.), and then
+-** creates RC4 key to encrypt a password "pw" into a file "fd".
+-*/
+-extern SECStatus SEC_WriteDongleFile(int fd, char *pw);
+-
+-/*
+-** Get a dongle password.
+-** Uses MD5 to hash constant system data (hostname, etc.), and then
+-** creates RC4 key to decrypt and return a password from file "fd".
+-*/
+-extern char *SEC_ReadDongleFile(int fd);
+-
+-
+-/* End stolen headers */
+-
+-/* Just sticks the two strings together with a / if needed */
+-char *SECU_AppendFilenameToDir(char *dir, char *filename);
+-
+-/* Returns result of getenv("SSL_DIR") or NULL */
+-extern char *SECU_DefaultSSLDir(void);
+
+ /*
+ ** Should be called once during initialization to set the default
+@@ -159,14 +59,6 @@ extern char *SECU_DefaultSSLDir(void);
+ */
+ extern char *SECU_ConfigDirectory(const char* base);
+
+-/*
+-** Basic callback function for SSL_GetClientAuthDataHook
+-*/
+-extern int
+-SECU_GetClientAuthData(void *arg, PRFileDesc *fd,
+- struct CERTDistNamesStr *caNames,
+- struct CERTCertificateStr **pRetCert,
+- struct SECKEYPrivateKeyStr **pRetKey);
+
+ /* print out an error message */
+ extern void SECU_PrintError(char *progName, char *msg, ...);
+@@ -174,99 +66,22 @@ extern void SECU_PrintError(char *progNa
+ /* print out a system error message */
+ extern void SECU_PrintSystemError(char *progName, char *msg, ...);
+
+-/* revalidate the cert and print information about cert verification
+- * failure at time == now */
+-extern void
+-SECU_printCertProblems(FILE *outfile, CERTCertDBHandle *handle,
+- CERTCertificate *cert, PRBool checksig,
+- SECCertificateUsage certUsage, void *pinArg, PRBool verbose);
+-
+-/* revalidate the cert and print information about cert verification
+- * failure at specified time */
+-extern void
+-SECU_printCertProblemsOnDate(FILE *outfile, CERTCertDBHandle *handle,
+- CERTCertificate *cert, PRBool checksig, SECCertificateUsage certUsage,
+- void *pinArg, PRBool verbose, PRTime datetime);
+-
+-/* print out CERTVerifyLog info. */
+-extern void
+-SECU_displayVerifyLog(FILE *outfile, CERTVerifyLog *log,
+- PRBool verbose);
+-
+ /* Read the contents of a file into a SECItem */
+ extern SECStatus SECU_FileToItem(SECItem *dst, PRFileDesc *src);
+ extern SECStatus SECU_TextFileToItem(SECItem *dst, PRFileDesc *src);
+
+-/* Read in a DER from a file, may be ascii */
+-extern SECStatus
+-SECU_ReadDERFromFile(SECItem *der, PRFileDesc *inFile, PRBool ascii);
+-
+ /* Indent based on "level" */
+ extern void SECU_Indent(FILE *out, int level);
+
+ /* Print integer value and hex */
+ extern void SECU_PrintInteger(FILE *out, SECItem *i, char *m, int level);
+
+-/* Print ObjectIdentifier symbolically */
+-extern SECOidTag SECU_PrintObjectID(FILE *out, SECItem *oid, char *m, int level);
+-
+-/* Print AlgorithmIdentifier symbolically */
+-extern void SECU_PrintAlgorithmID(FILE *out, SECAlgorithmID *a, char *m,
+- int level);
+-
+ /* Print SECItem as hex */
+ extern void SECU_PrintAsHex(FILE *out, SECItem *i, const char *m, int level);
+
+ /* dump a buffer in hex and ASCII */
+ extern void SECU_PrintBuf(FILE *out, const char *msg, const void *vp, int len);
+
+-/*
+- * Format and print the UTC Time "t". If the tag message "m" is not NULL,
+- * do indent formatting based on "level" and add a newline afterward;
+- * otherwise just print the formatted time string only.
+- */
+-extern void SECU_PrintUTCTime(FILE *out, SECItem *t, char *m, int level);
+-
+-/*
+- * Format and print the Generalized Time "t". If the tag message "m"
+- * is not NULL, * do indent formatting based on "level" and add a newline
+- * afterward; otherwise just print the formatted time string only.
+- */
+-extern void SECU_PrintGeneralizedTime(FILE *out, SECItem *t, char *m,
+- int level);
+-
+-/*
+- * Format and print the UTC or Generalized Time "t". If the tag message
+- * "m" is not NULL, do indent formatting based on "level" and add a newline
+- * afterward; otherwise just print the formatted time string only.
+- */
+-extern void SECU_PrintTimeChoice(FILE *out, SECItem *t, char *m, int level);
+-
+-/* callback for listing certs through pkcs11 */
+-extern SECStatus SECU_PrintCertNickname(CERTCertListNode* cert, void *data);
+-
+-/* Dump all certificate nicknames in a database */
+-extern SECStatus
+-SECU_PrintCertificateNames(CERTCertDBHandle *handle, PRFileDesc* out,
+- PRBool sortByName, PRBool sortByTrust);
+-
+-/* See if nickname already in database. Return 1 true, 0 false, -1 error */
+-int SECU_CheckCertNameExists(CERTCertDBHandle *handle, char *nickname);
+-
+-/* Dump contents of cert req */
+-extern int SECU_PrintCertificateRequest(FILE *out, SECItem *der, char *m,
+- int level);
+-
+-/* Dump contents of certificate */
+-extern int SECU_PrintCertificate(FILE *out, SECItem *der, char *m, int level);
+-
+-/* Dump contents of a DER certificate name (issuer or subject) */
+-extern int SECU_PrintDERName(FILE *out, SECItem *der, const char *m, int level);
+-
+-/* print trust flags on a cert */
+-extern void SECU_PrintTrustFlags(FILE *out, CERTCertTrust *trust, char *m,
+- int level);
+-
+ /* Dump contents of an RSA public key */
+ extern int SECU_PrintRSAPublicKey(FILE *out, SECItem *der, char *m, int level);
+
+@@ -282,52 +97,9 @@ extern int SECU_PrintPrivateKey(FILE *ou
+ extern int SECU_PrintFingerprints(FILE *out, SECItem *derCert, char *m,
+ int level);
+
+-/* Pretty-print any PKCS7 thing */
+-extern int SECU_PrintPKCS7ContentInfo(FILE *out, SECItem *der, char *m,
+- int level);
+-
+ /* Init PKCS11 stuff */
+ extern SECStatus SECU_PKCS11Init(PRBool readOnly);
+
+-/* Dump contents of signed data */
+-extern int SECU_PrintSignedData(FILE *out, SECItem *der, const char *m,
+- int level, SECU_PPFunc inner);
+-
+-/* Print cert data and its trust flags */
+-extern SECStatus SEC_PrintCertificateAndTrust(CERTCertificate *cert,
+- const char *label,
+- CERTCertTrust *trust);
+-
+-extern int SECU_PrintCrl(FILE *out, SECItem *der, char *m, int level);
+-
+-extern void
+-SECU_PrintCRLInfo(FILE *out, CERTCrl *crl, char *m, int level);
+-
+-extern void SECU_PrintString(FILE *out, SECItem *si, char *m, int level);
+-extern void SECU_PrintAny(FILE *out, SECItem *i, char *m, int level);
+-
+-extern void SECU_PrintPolicy(FILE *out, SECItem *value, char *msg, int level);
+-extern void SECU_PrintPrivKeyUsagePeriodExtension(FILE *out, SECItem *value,
+- char *msg, int level);
+-
+-extern void SECU_PrintExtensions(FILE *out, CERTCertExtension **extensions,
+- char *msg, int level);
+-
+-extern void SECU_PrintName(FILE *out, CERTName *name, const char *msg,
+- int level);
+-extern void SECU_PrintRDN(FILE *out, CERTRDN *rdn, const char *msg, int level);
+-
+-#ifdef SECU_GetPassword
+-/* Convert a High public Key to a Low public Key */
+-extern SECKEYLowPublicKey *SECU_ConvHighToLow(SECKEYPublicKey *pubHighKey);
+-#endif
+-
+-extern char *SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg);
+-
+-extern SECStatus DER_PrettyPrint(FILE *out, SECItem *it, PRBool raw);
+-
+-extern char *SECU_SECModDBName(void);
+-
+ extern void SECU_PrintPRandOSError(char *progName);
+
+ extern SECStatus SECU_RegisterDynamicOids(void);
+@@ -335,70 +107,6 @@ extern SECStatus SECU_RegisterDynamicOid
+ /* Identifies hash algorithm tag by its string representation. */
+ extern SECOidTag SECU_StringToSignatureAlgTag(const char *alg);
+
+-/* Store CRL in output file or pk11 db. Also
+- * encodes with base64 and exports to file if ascii flag is set
+- * and file is not NULL. */
+-extern SECStatus SECU_StoreCRL(PK11SlotInfo *slot, SECItem *derCrl,
+- PRFileDesc *outFile, PRBool ascii, char *url);
+-
+-
+-/*
+-** DER sign a single block of data using private key encryption and the
+-** MD5 hashing algorithm. This routine first computes a digital signature
+-** using SEC_SignData, then wraps it with an CERTSignedData and then der
+-** encodes the result.
+-** "arena" is the memory arena to use to allocate data from
+-** "sd" returned CERTSignedData
+-** "result" the final der encoded data (memory is allocated)
+-** "buf" the input data to sign
+-** "len" the amount of data to sign
+-** "pk" the private key to encrypt with
+-*/
+-extern SECStatus SECU_DerSignDataCRL(PRArenaPool *arena, CERTSignedData *sd,
+- unsigned char *buf, int len,
+- SECKEYPrivateKey *pk, SECOidTag algID);
+-
+-typedef enum {
+- noKeyFound = 1,
+- noSignatureMatch = 2,
+- failToEncode = 3,
+- failToSign = 4,
+- noMem = 5
+-} SignAndEncodeFuncExitStat;
+-
+-extern SECStatus
+-SECU_SignAndEncodeCRL(CERTCertificate *issuer, CERTSignedCrl *signCrl,
+- SECOidTag hashAlgTag, SignAndEncodeFuncExitStat *resCode);
+-
+-extern SECStatus
+-SECU_CopyCRL(PRArenaPool *destArena, CERTCrl *destCrl, CERTCrl *srcCrl);
+-
+-/*
+-** Finds the crl Authority Key Id extension. Returns NULL if no such extension
+-** was found.
+-*/
+-CERTAuthKeyID *
+-SECU_FindCRLAuthKeyIDExten (PRArenaPool *arena, CERTSignedCrl *crl);
+-
+-/*
+- * Find the issuer of a crl. Cert usage should be checked before signing a crl.
+- */
+-CERTCertificate *
+-SECU_FindCrlIssuer(CERTCertDBHandle *dbHandle, SECItem* subject,
+- CERTAuthKeyID* id, PRTime validTime);
+-
+-
+-/* call back function used in encoding of an extension. Called from
+- * SECU_EncodeAndAddExtensionValue */
+-typedef SECStatus (* EXTEN_EXT_VALUE_ENCODER) (PRArenaPool *extHandleArena,
+- void *value, SECItem *encodedValue);
+-
+-/* Encodes and adds extensions to the CRL or CRL entries. */
+-SECStatus
+-SECU_EncodeAndAddExtensionValue(PRArenaPool *arena, void *extHandle,
+- void *value, PRBool criticality, int extenType,
+- EXTEN_EXT_VALUE_ENCODER EncodeValueFn);
+-
+ /* Caller ensures that dst is at least item->len*2+1 bytes long */
+ void
+ SECU_SECItemToHex(const SECItem * item, char * dst);
+@@ -452,13 +160,6 @@ void printflags(char *trusts, unsigned i
+ extern int ffs(unsigned int i);
+ #endif
+
+-/* Finds certificate by searching it in the DB or by examinig file
+- * in the local directory. */
+-CERTCertificate*
+-SECU_FindCertByNicknameOrFilename(CERTCertDBHandle *handle,
+- char *name, PRBool ascii,
+- void *pwarg);
+ #include "secerr.h"
+-#include "sslerr.h"
+
+ #endif /* _SEC_UTIL_H_ */
+diff -up mozilla/security/nss/cmd/manifest.mn.crypto mozilla/security/nss/cmd/manifest.mn
+--- mozilla/security/nss/cmd/manifest.mn.crypto 2010-12-06 09:22:48.000000000 -0800
++++ mozilla/security/nss/cmd/manifest.mn 2011-10-11 11:30:54.592692661 -0700
+@@ -41,46 +41,9 @@ DEPTH = ../..
REQUIRES = nss nspr libdbm
DIRS = lib \
@@ -3577,6 +3972,7 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.onlycrypto ./mozilla/security/ns
- certcgi \
- certutil \
- checkcert \
+- chktest \
- crlutil \
- crmftest \
- dbtest \
@@ -3599,6 +3995,7 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.onlycrypto ./mozilla/security/ns
- selfserv \
- signtool \
- signver \
++ fipstest \
shlibsign \
- smimetools \
- ssltap \
@@ -3612,9 +4009,9 @@ diff -up ./mozilla/security/nss/cmd/manifest.mn.onlycrypto ./mozilla/security/ns
$(NULL)
TEMPORARILY_DONT_BUILD = \
-diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/nss/cmd/platlibs.mk
---- ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto 2010-06-11 17:58:33.000000000 -0700
-+++ ./mozilla/security/nss/cmd/platlibs.mk 2011-05-30 16:01:57.517062173 -0700
+diff -up mozilla/security/nss/cmd/platlibs.mk.crypto mozilla/security/nss/cmd/platlibs.mk
+--- mozilla/security/nss/cmd/platlibs.mk.crypto 2010-06-11 17:58:33.000000000 -0700
++++ mozilla/security/nss/cmd/platlibs.mk 2011-10-11 10:40:37.319478239 -0700
@@ -92,44 +92,13 @@ DEFINES += -DNSS_USE_STATIC_LIBS
# $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX)
@@ -3641,14 +4038,13 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/ns
- $(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)cryptohi.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
-+ $(DIST)/lib/$(LIB_PREFIX)sectoolcrypto.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
$(CRYPTOLIB) \
- $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
@@ -3669,7 +4065,7 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/ns
- $(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nss.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)ssl.$(LIB_SUFFIX) \
-- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pkcs12.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pkcs7.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
@@ -3678,7 +4074,6 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/ns
- $(DIST)/lib/$(LIB_PREFIX)certhi.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)pk11wrap.$(LIB_SUFFIX) \
-+ $(DIST)/lib/$(LIB_PREFIX)sectoolcrypto.$(LIB_SUFFIX) \
$(DIST)/lib/$(LIB_PREFIX)softokn.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)certdb.$(LIB_SUFFIX) \
- $(DIST)/lib/$(LIB_PREFIX)nsspki.$(LIB_SUFFIX) \
@@ -3693,12 +4088,9 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/ns
$(NULL)
ifeq ($(OS_ARCH), AIX)
-@@ -197,11 +145,8 @@ ifeq (,$(filter-out WINNT WINCE,$(OS_ARC
-
- # $(PROGRAM) has explicit dependencies on $(EXTRA_LIBS)
+@@ -199,9 +147,6 @@ ifeq (,$(filter-out WINNT WINCE,$(OS_ARC
EXTRA_LIBS += \
-- $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
-+ $(DIST)/lib/$(LIB_PREFIX)sectoolcrypto.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)sectool.$(LIB_SUFFIX) \
$(DIST)/lib/$(IMPORT_LIB_PREFIX)nssutil3$(IMPORT_LIB_SUFFIX) \
- $(DIST)/lib/$(IMPORT_LIB_PREFIX)smime3$(IMPORT_LIB_SUFFIX) \
- $(DIST)/lib/$(IMPORT_LIB_PREFIX)ssl3$(IMPORT_LIB_SUFFIX) \
@@ -3716,9 +4108,9 @@ diff -up ./mozilla/security/nss/cmd/platlibs.mk.onlycrypto ./mozilla/security/ns
-L$(NSSUTIL_LIB_DIR) \
-lnssutil3 \
-L$(NSPR_LIB_DIR) \
-diff -up ./mozilla/security/nss/tests/all.sh.onlycrypto ./mozilla/security/nss/tests/all.sh
---- ./mozilla/security/nss/tests/all.sh.onlycrypto 2010-01-29 11:58:40.000000000 -0800
-+++ ./mozilla/security/nss/tests/all.sh 2011-05-30 16:06:11.613049500 -0700
+diff -up mozilla/security/nss/tests/all.sh.crypto mozilla/security/nss/tests/all.sh
+--- mozilla/security/nss/tests/all.sh.crypto 2010-01-29 11:58:40.000000000 -0800
++++ mozilla/security/nss/tests/all.sh 2011-10-11 11:06:41.884531933 -0700
@@ -303,18 +303,18 @@ run_cycles()
############################## main code ###############################
diff --git a/sources b/sources
index ce78c5c..0d198e9 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
+13b1d1dbf81765c137809d332a29aa0d nss-softokn-3.12.9-stripped.tar.bz2
3daa76bcd96fa425dc7efaab6989faa5 nss-softokn-3.13.1-stripped.tar.bz2
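Review bot: The added `sources` entry pins nss-softokn-3.12.9-stripped.tar.bz2 with a 32-hex-digit digest, which is MD5 length, and MD5 is not collision resistant, so it is a weak integrity pin for a source tarball; the existing 3.13.1 line has the same form. The file name suggests a locally stripped repack, so there is presumably no upstream checksum to cross-check, and this line would be the only integrity record for a build the commit message describes as submitted for a FIPS 140 revalidation. If the lookaside tooling in use accepts a stronger entry, I would record one, for example `SHA512 (nss-softokn-3.12.9-stripped.tar.bz2) = <sha512-of-tarball>` (placeholder digest). Otherwise, document how the stripped tarball is regenerated from the upstream release so the digest can be reproduced independently.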