[nss] Add pem module fix, spec file support for AArch64 and document additional fix
Elio Maldonado
emaldonado at fedoraproject.org
Sat Feb 16 23:19:02 UTC 2013
commit 0370142fd086abf9380906f92f622206d869dfa7
Author: Elio Maldonado <emaldona at redhat.com>
Date: Sat Feb 16 15:02:25 2013 -0800
Add pem module fix, spec file support for AArch64 and document additional fix
- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
- Resolves: rhbz#909775 - specfile support for AArch64
- Resolves: rhbz#910584 - certutil -a does not produce ASCII output, upstream fix
...96651-pem-dont-trash-keys-on-failed-login.patch | 44 ++++++++++++++++++++
nss.spec | 9 +++-
2 files changed, 51 insertions(+), 2 deletions(-)
---
diff --git a/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
new file mode 100644
index 0000000..c7a301f
--- /dev/null
+++ b/Bug-896651-pem-dont-trash-keys-on-failed-login.patch
@@ -0,0 +1,44 @@
+--- mozilla/security/nss/lib/ckfw/pem/psession.c
++++ mozilla/security/nss/lib/ckfw/pem/psession.c
+@@ -230,6 +230,7 @@ pem_mdSession_Login
+ unsigned int len = 0;
+ NSSLOWKEYPrivateKey *lpk = NULL;
+ PLArenaPool *arena;
++ SECItem plain;
+ int i;
+
+ fwSlot = NSSCKFWToken_GetFWSlot(fwToken);
+@@ -306,23 +321,27 @@ pem_mdSession_Login
+ lpk->keyType = NSSLOWKEYRSAKey;
+ prepare_low_rsa_priv_key_for_asn1(lpk);
+
+- nss_ZFreeIf(io->u.key.key.privateKey->data);
+- io->u.key.key.privateKey->len = len - output[len - 1];
+- io->u.key.key.privateKey->data =
+- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
+- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
+
+ /* Decode the resulting blob and see if it is a decodable DER that fits
+ * our private key template. If so we declare success and move on. If not
+ * then we return an error.
+ */
++ memset(&plain, 0, sizeof(plain));
++ plain.data = output;
++ plain.len = len - output[len - 1];
+ rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate,
+- io->u.key.key.privateKey);
++ &plain);
+ pem_DestroyPrivateKey(lpk);
+ arena = NULL;
+ if (rv != SECSuccess)
+ goto loser;
+
++ nss_ZFreeIf(io->u.key.key.privateKey->data);
++ io->u.key.key.privateKey->len = len - output[len - 1];
++ io->u.key.key.privateKey->data =
++ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len);
++ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]);
++
+ rv = CKR_OK;
+
+ loser:
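Review bot: The padding byte `output[len - 1]` is still used unchecked in `plain.len = len - output[len - 1];`, and after a failed login the decrypted buffer is arbitrary. Because `len` is declared `unsigned int`, a padding value larger than `len` wraps to a huge length that is then handed to `SEC_QuickDERDecodeItem`, and `len == 0` would index before the buffer. A guard ahead of that assignment, such as `if (len == 0 || output[len - 1] == 0 || output[len - 1] > len)`, should fail the login with whatever error code and cleanup the rest of `pem_mdSession_Login` expects. The moved copy block also frees `privateKey->data` before the `nss_ZAlloc` result is checked, so an allocation failure would still lose the key and `memcpy` into NULL; allocating first, swapping only on success and reusing `plain.len` would close that. The function starts and ends outside these hunks, so how `len` and `output` are produced is not visible here.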
diff --git a/nss.spec b/nss.spec
index 2df2406..5993ca8 100644
--- a/nss.spec
+++ b/nss.spec
@@ -79,6 +79,7 @@ Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=835919
Patch43: no-softoken-freebl-tests.patch
Patch44: 0001-sync-up-with-upstream-softokn-changes.patch
+Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch
%description
Network Security Services (NSS) is a set of libraries designed to
@@ -164,6 +165,7 @@ low level services.
%patch40 -p1 -b .noocsptest
%patch43 -p0 -b .nosoftokentests
%patch44 -p1 -b .syncupwithupstream
+%patch45 -p0 -b .notrash
%build
@@ -204,7 +206,7 @@ export USE_SYSTEM_FREEBL=1
NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
-%ifarch x86_64 ppc64 ia64 s390x sparc64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
USE_64=1
export USE_64
%endif
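Review bot: The 64-bit architecture list `x86_64 ppc64 ia64 s390x sparc64 aarch64` is now maintained in two separate `%ifarch` lines, here and in the following hunk after `BUILD_OPT`, so every new port has to be added in both places. Defining it once near the top of the spec, for example `%global nss_64bit_arches x86_64 ppc64 ia64 s390x sparc64 aarch64`, and using `%ifarch %{nss_64bit_arches}` at both sites would keep the two builds from drifting apart.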
@@ -299,7 +301,7 @@ export FREEBL_NO_DEPEND
BUILD_OPT=1
export BUILD_OPT
-%ifarch x86_64 ppc64 ia64 s390x sparc64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
USE_64=1
export USE_64
%endif
@@ -612,6 +614,9 @@ rm -f $RPM_BUILD_ROOT/%{_includedir}/nss3/nsslowhash.h
* Fri Feb 15 2013 Elio Maldonado <emaldona at redhat.com> - 3.14.3-1
- Update to NSS_3_14_3_RTM
- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
* Mon Feb 04 2013 Elio Maldonado <emaldona at redhat.com> - 3.14.2-2
- Allow building nss against older system sqlite