Re: nss package ready for testing
On 2016-12-21 21:29:35, Antoine Beaupré wrote:
> Hi,
>
> I finally got around to finishing the work I started back in November:
> updating the nss package in wheezy, again.
>
> Packages are available here, only for armel unfortunately, but source is
> there so it can be recompiled properly. As usual:
>
> https://people.debian.org/~anarcat/debian/wheezy-lts/
The binary packages in the above URL are correct, but the source package
wasn't properly rebuilt and, obviously, the debdiff was also incorrect.
Here's a more up-to-date debdiff:
diff -Nru nss-3.26/debian/changelog nss-3.26.2/debian/changelog
--- nss-3.26/debian/changelog 2016-11-30 15:25:52.000000000 -0500
+++ nss-3.26.2/debian/changelog 2016-11-30 15:09:36.000000000 -0500
@@ -1,3 +1,25 @@
+nss (2:3.26.2-1+deb7u1) UNRELEASED; urgency=high
+
+ [ Antoine Beaupré ]
+ * Non-maintainer upload by the LTS Security Team.
+ * New upstream release to fix CVE-2016-9074
+ * CVE-2016-9074: existing mitigation of timing side-channel attacks
+ insufficient
+ * also includes a fix for aborted client connexions with MD5 algorithm
+ selection
+ * remove weird debian/changelog.n file from previous upload
+
+ [ Raphaël Hertzog ]
+ * Run upstream test suite (cf #806639).
+ * Add autopkgtest (cf #806207).
+ * Force use of gcc-4.7 and g++-4.7 to fix FTBFS on arm*.
+ * Update nss/tests/libpkix/certs/PayPal*.cert to work-around
+ the fact that the former certificates have expired. Also
+ update the expected OID through
+ debian/patches/replace_expired_paypal_cert.patch.
+
+ -- Antoine Beaupré <anarcat@debian.org> Wed, 30 Nov 2016 15:09:36 -0500
+
nss (2:3.26-1+debu7u1) wheezy-security; urgency=medium
* New upstream release. Closes: #583651.
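Review bot: The new entry's distribution is `UNRELEASED` (first `+` line of the hunk); it has to become `wheezy-security` before the upload, since a .changes file carrying `Distribution: UNRELEASED` is not accepted by the archive. Two smaller points in the same entry: the two CVE-2016-9074 bullets repeat each other and can be folded into one ("New upstream release to fix CVE-2016-9074: existing mitigation of timing side-channel attacks insufficient"), and "connexions" should read "connections". The unchanged context line below shows the previous version string as `2:3.26-1+debu7u1` (a typo for `deb7u1`); the new `2:3.26.2-1+deb7u1` still sorts after it because the upstream part 3.26.2 is newer than 3.26, so no version tweak is needed, but it would help future readers to mention the typo in the entry.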
diff -Nru nss-3.26/debian/changelog.n nss-3.26.2/debian/changelog.n
--- nss-3.26/debian/changelog.n 2016-11-30 15:26:06.000000000 -0500
+++ nss-3.26.2/debian/changelog.n 1969-12-31 19:00:00.000000000 -0500
@@ -1,839 +0,0 @@
-nss (2:3.26-1+debu8u1) jessie-security; urgency=medium
-
- * New upstream release. Closes: #583651.
- * Remove SPI CA certificate.
- * Remove transitional compatibility kludge for renegotiation handling.
- * Update watch file and Vcs URLs, and the symbols file from unstable.
-
- -- Florian Weimer <fw@deneb.enyo.de> Mon, 03 Oct 2016 21:17:21 +0200
-
-nss (2:3.17.2-1.1+deb8u2) jessie; urgency=medium
-
- [ Andrew Ayer ]
- * Apply upstream patch (99_prefer_stronger_cert_chains.patch) to fix
- certificate chain generation to prefer stronger/newer certificates
- over weaker/older certs. Closes: #774195.
-
- -- Christoph Egger <christoph@debian.org> Sat, 15 Aug 2015 12:40:31 +0200
-
-nss (2:3.17.2-1.1+deb8u1) jessie-security; urgency=high
-
- * Non-maintainer upload by the Security Team.
- * Add 99_CVE-2015-2721.patch patch.
- CVE-2015-2721: NSS incorrectly permits skipping of ServerKeyExchange.
- * Add 100_CVE-2015-2730.patch patch.
- CVE-2015-2730: ECDSA signature validation fails to handle some
- signatures correctly.
-
- -- Salvatore Bonaccorso <carnil@debian.org> Tue, 11 Aug 2015 19:37:12 +0200
-
-nss (2:3.17.2-1.1) unstable; urgency=medium
-
- * Non-maintainer upload.
- * Fix CVE-2014-1569. Closes: #773625.
-
- -- Matt Kraai <kraai@debian.org> Sun, 21 Dec 2014 19:46:52 -0800
-
-nss (2:3.17.2-1) unstable; urgency=medium
-
- * New upstream release.
-
- -- Mike Hommey <glandium@debian.org> Sat, 18 Oct 2014 13:22:04 +0900
-
-nss (2:3.17.1-1) unstable; urgency=high
-
- * New upstream release.
- - Fixes CVE-2014-1568.
- - Add support for ppc64el, with a non-broken patch. Closes: #745757.
- * debian/libnss3.symbols: Add NSSUTIL_3.17.1 symbol versions.
-
- -- Mike Hommey <glandium@debian.org> Wed, 24 Sep 2014 22:16:32 +0900
-
-nss (2:3.17-1) unstable; urgency=medium
-
- * New upstream release.
- * nss/coreconf/Linux.mk: Actually add support for ppc64el. Closes: #745757.
-
- -- Mike Hommey <glandium@debian.org> Sun, 24 Aug 2014 08:41:37 +0900
-
-nss (2:3.16.3-1.1) unstable; urgency=low
-
- * Non-maintainer upload to delayed.
- * Add support for ppc64el. Closes: #745757
-
- -- Andreas Barth <aba@ayous.org> Mon, 18 Aug 2014 20:01:00 +0000
-
-nss (2:3.16.3-1) unstable; urgency=medium
-
- * New upstream release.
- * debian/libnss3.symbols: Add NSS_3.16.2 symbol versions.
-
- -- Mike Hommey <glandium@debian.org> Sun, 13 Jul 2014 09:24:12 +0900
-
-nss (2:3.16.1-1) unstable; urgency=medium
-
- * New upstream release.
- * debian/libnss3.symbols: Add NSS_3.16.1 symbol versions.
-
- -- Mike Hommey <glandium@debian.org> Sat, 07 Jun 2014 17:24:57 +0900
-
-nss (2:3.16-1) unstable; urgency=medium
-
- * New upstream release.
- * debian/libnss3.symbols: Add NSS_3.16 symbol versions.
- * nss/lib/ckfw/builtins/certdata.txt: Remove CACert root certificates.
-
- -- Mike Hommey <glandium@debian.org> Fri, 21 Mar 2014 08:10:24 +0900
-
-nss (2:3.15.4-2) unstable; urgency=high
-
- * Upstream release 3.15.4 fixed MFSA-2014-12, also known as CVE-2014-1490
- and CVE-2014-1491. Bumping urgency as such.
- * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules:
- Revert changes from 2:3.15.4-1. Reopens: #537866, Closes: #735329, #736061.
-
- -- Mike Hommey <glandium@debian.org> Wed, 05 Feb 2014 16:26:06 +0900
-
-nss (2:3.15.4-1) unstable; urgency=low
-
- * New upstream release.
- * Acknowledge NMU.
- * debian/rules: Avoid long one-liner with semi-colons.
- * debian/patches/*: Refresh patches.
- * debian/copyright: Update. Closes: #730428.
- * debian/control, debian/libnss3-nssdb.*, debian/pkcs11.txt, debian/rules:
- Add shared cert and key databases. Thanks Timo Aaltonen. Closes: #537866.
- * debian/rules: Use DEB_HOST_ARCH instead of DEB_BUILD_ARCH.
- * debian/control: Mark libnss3-dev as Multi-Arch: same. Thanks Shawn
- Landden. Closes: #682925.
- * debian/libnss3.symbols: Add NSS_3.15.4 symbol versions.
-
- -- Mike Hommey <glandium@debian.org> Mon, 13 Jan 2014 10:46:04 +0900
-
-nss (2:3.15.3.1-1.1) unstable; urgency=low
-
- * Non-Maintainer Upload
- - ship extra NSS utilities (Closes: #701141)
-
- -- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sat, 04 Jan 2014 11:34:41 -0500
-
-nss (2:3.15.3.1-1) unstable; urgency=high
-
- * New upstream release.
- - Distrusts AC DG Tresor SSL CA.
-
- -- Mike Hommey <glandium@debian.org> Sun, 15 Dec 2013 10:09:48 +0900
-
-nss (2:3.15.3-1) unstable; urgency=high
-
- * New upstream release.
- - Fixes CVE-2013-1741, CVE-2013-5605, CVE-2013-5606.
-
- -- Mike Hommey <glandium@debian.org> Sat, 16 Nov 2013 08:50:45 +0900
-
-nss (2:3.15.2-1) unstable; urgency=low
-
- * New upstream release.
- - Fixes CVE-2013-1739. Closes: #726473.
-
- -- Mike Hommey <glandium@debian.org> Mon, 21 Oct 2013 08:05:24 +0900
-
-nss (2:3.15.1-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/*: Refresh patches.
- * debian/patches/lower-dhe-priority.patch: Removed, as it was only necessary
- for Iceweasel 3.5, which is long gone.
-
- -- Mike Hommey <glandium@debian.org> Mon, 05 Aug 2013 14:41:14 +0900
-
-nss (2:3.15-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/*: Refresh patches and removed unused ones.
- * debian/rules: Adjusted to the new source layout.
- * debian/libnss3.symbols: Add NSS*_3.15 symbol versions.
- * debian/control: Bump nspr build dependency.
-
- -- Mike Hommey <glandium@debian.org> Sat, 15 Jun 2013 19:23:12 +0900
-
-nss (2:3.14.3-1) unstable; urgency=high
-
- * New upstream release.
- - Fixes TLS timing attack (luck 13). Closes: #699888.
- * debian/libnss3.symbols: Add NSS_3.14.3 symbol version.
- * debian/control: Unbump sqlite3 build dependency, 3.14.3 lifted the need
- for sqlite 3.7.15.
-
- -- Mike Hommey <glandium@debian.org> Sun, 17 Mar 2013 15:01:06 +0100
-
-nss (2:3.14.2-1) unstable; urgency=low
-
- * New upstream release.
- * debian/control: Bump sqlite3 build dependency.
- * debian/rules: Avoid installing freebl, softokn, nssckbi and nssdbm in two
- places.
- * debian/libnss3-1d.lintian-overrides.in: Stop preprocessing, it has nothing
- to preprocess anymore.
- * debian/libnss3.lintian-overrides.in: Fix not to contain a reference to the
- libnss3-1d package.
-
- -- Mike Hommey <glandium@debian.org> Fri, 15 Feb 2013 10:06:59 +0100
-
-nss (2:3.14.1.with.ckbi.1.93-1) unstable; urgency=low
-
- * New upstream release.
- - Explicitly distrust two intermediate CA certificates mis-issued by
- TURKTRUST.
- * debian/patches/95_add_spi+cacert_ca_certs.patch: Refreshed.
-
- -- Mike Hommey <glandium@debian.org> Fri, 04 Jan 2013 11:16:33 +0100
-
-nss (2:3.14.1-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches: Removed patches applied upstream, and refreshed
- the others.
- * debian/libnss3.symbols: Updated for new symbols.
-
- -- Mike Hommey <glandium@debian.org> Sun, 23 Dec 2012 17:40:21 +0100
-
-nss (2:3.14-2) unstable; urgency=low
-
- * debian/nss-config.in: Fix nss-config when version is in the x.y form
- instead of x.y.z.
-
- -- Mike Hommey <glandium@debian.org> Fri, 07 Dec 2012 17:07:05 +0100
-
-nss (2:3.14-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches: Removed patches applied upstream, and refreshed
- the others.
- * debian/libnss3.symbols: Updated for new symbols.
-
- -- Mike Hommey <glandium@debian.org> Thu, 01 Nov 2012 10:37:39 +0100
-
-nss (2:3.13.6-1) unstable; urgency=low
-
- * New upstream release.
- * debian/rules: Use xz compression for binary packages.
- Thanks Ansgar Burchardt. Closes: #683835.
-
- -- Mike Hommey <glandium@debian.org> Fri, 31 Aug 2012 09:56:53 +0200
-
-nss (2:3.13.5-1) unstable; urgency=low
-
- * New upstream release.
-
- -- Mike Hommey <glandium@debian.org> Fri, 15 Jun 2012 09:40:00 +0200
-
-nss (2:3.13.4-3) unstable; urgency=low
-
- * debian/rules: Skip epoch when getting upstream version number.
-
- -- Mike Hommey <glandium@debian.org> Sun, 20 May 2012 07:36:11 +0200
-
-nss (2:3.13.4-2) unstable; urgency=low
-
- * debian/control, debian/libnss3*, debian/rules,
- mozilla/security/coreconf/*, mozilla/security/nss/lib/*/manifest.mn:
- Move to unversioned library. ABI compatibility is ensured upstream, and
- the SO version, if it needed a change at any time, would be a change in
- the library name. There is no reason to keep making compatibility more
- difficult with other distros and upstream binary releases. While previous
- versions were one-way compatible (binaries built against other distros or
- upstream nspr could work on Debian), this approach works both ways.
- * debian/control:
- - Bump Standards-Version to 3.9.3.0. No changes required.
- - Force to build against libnspr4-dev >= 2:4.9
- * Removed unapplied patches.
- * Adding an epoch to match the old libnss3 package that used to be in
- the Debian archive.
-
- -- Mike Hommey <glandium@debian.org> Thu, 17 May 2012 09:45:36 +0200
-
-nss (3.13.4-1) unstable; urgency=low
-
- * New upstream release.
- - Changed __GNUC_MINOR__ use in pkcs11n.h. Closes: #650319.
- * mozilla/security/nss/cmd/certcgi/certcgi.c,
- mozilla/security/nss/cmd/digest/digest.c,
- mozilla/security/nss/cmd/signver/pk7print.c: Import patch from Moritz
- Muehlenhoff for hardened format strings.
- * debian/make.mk, debian/rules, debian/control: Enable hardening.
- Closes: #657325.
- * debian/libnss3-1d.lintian-overrides.in, debian/rules: Use wildcards in
- lintian override. Closes: #670013.
- * debian/compat, debian/control: Bump debian/compat to 9. This has the
- effect of using build-id for debug files, thus Closes: #670015.
- * debian/libnss3-1d.symbols: Add symbols for /usr/lib/nss/ libraries.
-
- -- Mike Hommey <glandium@debian.org> Sun, 29 Apr 2012 09:48:58 +0200
-
-nss (3.13.3-1) unstable; urgency=low
-
- * New upstream release.
- * debian/libnss3-1d.symbols: Updated to fit new upstream.
-
- -- Mike Hommey <glandium@debian.org> Fri, 24 Feb 2012 09:56:10 +0100
-
-nss (3.13.2~beta1-3) experimental; urgency=low
-
- * debian/libnss3-1d.symbols: Fix symbol version for the symbol added in
- -2.
-
- -- Mike Hommey <glandium@debian.org> Fri, 23 Dec 2011 19:20:23 +0100
-
-nss (3.13.2~beta1-2) experimental; urgency=low
-
- * mozilla/security/nss/lib/ssl/*,
- mozilla/security/nss/cmd/tstclnt/tstclnt.c,
- mozilla/security/nss/tests/ssl/ssl.sh: Apply patches from bz#542832,
- required for Iceweasel 11.
- * debian/libnss3-1d.symbols: Add corresponding symbol.
-
- -- Mike Hommey <glandium@debian.org> Fri, 23 Dec 2011 17:54:03 +0100
-
-nss (3.13.2~beta1-1) experimental; urgency=low
-
- * New upstream snapshot, picked from NSS_3_13_2_BETA1 cvs tag.
- * debian/libnss3-1d.symbols: Add NSS 3.13.2 symbols.
-
- -- Mike Hommey <glandium@debian.org> Fri, 23 Dec 2011 16:22:05 +0100
-
-nss (3.13.1.with.ckbi.1.88-1) unstable; urgency=low
-
- * New upstream release.
- - Distrusts malaysian Digicert Sdn. Bhd CA certificate.
- - Addresses CVE-2011-3640 (Untrusted search path vulnerability).
- Closes: #647614.
- * debian/patches/*: Refreshed patches.
- * debian/libnss3-1d.symbols: Add NSS 3.13 symbols.
-
- -- Mike Hommey <glandium@debian.org> Sat, 05 Nov 2011 17:05:26 +0100
-
-nss (3.12.11-3) unstable; urgency=high
-
- * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
- Explicitely distrust various DigiNotar CAs:
- - DigiNotar Root CA
- - DigiNotar Services 1024 CA
- - DigiNotar Cyber CA
- - DigiNotar Cyber CA 2nd
- - DigiNotar PKIoverheid
- - DigiNotar PKIoverheid G2
-
- -- Mike Hommey <glandium@debian.org> Sat, 03 Sep 2011 09:33:28 +0200
-
-nss (3.12.11-2) unstable; urgency=high
-
- * mozilla/security/nss/lib/ckfw/builtins/certdata.*:
- Remove DigiNotar Root CA.
-
- -- Mike Hommey <glandium@debian.org> Wed, 31 Aug 2011 08:49:00 +0200
-
-nss (3.12.11-1) unstable; urgency=low
-
- * New upstream release.
- * mozilla/security/nss/lib/ckfw/builtins/certdata.*,
- * mozilla/security/coreconf/{config,Linux}.mk: Refreshed.
- * debian/copyright: Update dbm license according to that in the source.
- Closes: #624310
-
- -- Mike Hommey <glandium@debian.org> Fri, 12 Aug 2011 12:45:08 +0200
-
-nss (3.12.10-3) unstable; urgency=low
-
- * debian/nss-config.in, debian/nss.pc.in, debian/rules: Return the multiarch
- path in nss-config and nss.pc.
-
- -- Mike Hommey <glandium@debian.org> Thu, 21 Jul 2011 18:08:48 +0200
-
-nss (3.12.10-2) unstable; urgency=low
-
- * debian/control, debian/libnss3-1d.dirs,
- debian/libnss3-1d.lintian-overrides.in, debian/libnss3-dev.dirs,
- debian/libnss3-1d.links.in, debian/libnss3-dev.links.in,
- debian/rules: Switch to multi-arch while keeping backports easy.
- Closes: #497088.
-
- -- Mike Hommey <glandium@debian.org> Mon, 04 Jul 2011 11:24:18 +0200
-
-nss (3.12.10-1) unstable; urgency=low
-
- * New upstream release.
- * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
- * debian/control: Build depend on libnspr4-dev >= 4.8.8.
- * debian/libnss3-1d.symbols: Add new symbol version.
-
- -- Mike Hommey <glandium@debian.org> Wed, 25 May 2011 10:20:59 +0200
-
-nss (3.12.9.with.ckbi.1.82-1) unstable; urgency=low
-
- * New upstream release.
- - Marks fraudulent Comodo certificates as untrusted.
- * mozilla/security/nss/lib/ckfw/builtins/certdata.*: Refreshed.
-
- -- Mike Hommey <glandium@debian.org> Thu, 24 Mar 2011 16:37:46 +0100
-
-nss (3.12.9-2) unstable; urgency=low
-
- * Upload to unstable.
- * debian/rules: Fallback to DEB_BUILD_ARCH when dpkg-architecture does't
- support DEB_BUILD_ARCH_BITS.
- * debian/control: Lower build depends on dpkg-dev to (>= 1.13.19), which
- was the previous value.
- * mozilla/security/nss/lib/freebl/unix_rand.c: We don't need to prevent
- using netstat for entropy seeding. The seeding will stop before netstat
- if it could get data from /dev/urandom.
- * mozilla/security/coreconf/Linux.mk: We shouldn't need to special case
- mips64 anymore.
- * mozilla/security/nss/cmd/shlibsign/Makefile, debian/rules: Don't rely
- on patching the source to not create .chk files during build.
-
- -- Mike Hommey <glandium@debian.org> Sun, 06 Mar 2011 09:58:41 +0100
-
-nss (3.12.9-1) experimental; urgency=low
-
- * New upstream release.
-
- -- Mike Hommey <glandium@debian.org> Sat, 15 Jan 2011 11:33:35 +0100
-
-nss (3.12.9~beta2-1) experimental; urgency=low
-
- * New upstream snapshot, picked from NSS_3_12_9_BETA2 cvs tag.
- * debian/patches/*: Refresh patches.
- * debian/libnss3-1d.symbols: Add new symbol versions.
- * debian/rules: Bump shlibs.
-
- -- Mike Hommey <glandium@debian.org> Fri, 17 Dec 2010 15:01:31 +0100
-
-nss (3.12.8-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/*: Refresh patches.
- * debian/patches/series:
- + lower-dhe-priority.patch: Upstream patch from bz#583337 to lower DHE
- priority. Closes: #592315.
-
- -- Mike Hommey <glandium@debian.org> Thu, 07 Oct 2010 08:50:48 +0200
-
-nss (3.12.8~b2-1) experimental; urgency=low
-
- * New upstream snapshot, picked from NSS_3_12_8_BETA2 cvs tag.
- * debian/patches/*: Refresh patches.
-
- -- Mike Hommey <glandium@debian.org> Mon, 23 Aug 2010 18:11:12 +0200
-
-nss (3.12.7-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/*: Refresh patches.
- * debian/control:
- - Bump Standards-Version to 3.9.1.0.
- - Build depend on libnspr4-dev >= 4.8.6.
- * debian/libnss3-1d.symbols: Simplify symbols file and add new symbols.
- * debian/rules: Bump shlibs.
-
- -- Mike Hommey <glandium@debian.org> Fri, 06 Aug 2010 13:55:14 +0200
-
-nss (3.12.6-3) unstable; urgency=low
-
- * debian/rules:
- + Sign libnssdbm3.so. Closes: #588806.
- + Test that the FIPS mode can be properly enabled during build.
- * debian/control:
- + Remove conflicts with very old packages.
- + Bump Standards-Version to 3.9.0.0.
-
- -- Mike Hommey <glandium@debian.org> Mon, 12 Jul 2010 15:12:24 +0200
-
-nss (3.12.6-2) unstable; urgency=low
-
- * debian/patches/series:
- + 00_ckbi_1.79.patch: New patch to update CKBI to 1.79.
- + 95_add_spi+cacert_ca_certs.patch: Refreshed against CKBI 1.79.
-
- -- Mike Hommey <glandium@debian.org> Fri, 09 Apr 2010 10:45:01 +0200
-
-nss (3.12.6-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/*: Refresh patches.
- * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new
- symbols and bump shlibs.
- * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch,
- debian/patches/series: Enable transitional scheme for ssl renegotiation.
- Closes: #561918.
- * debian/control:
- + Bump Standards-Version to 3.8.4.0.
- + Drop libnss3-1d dependency on dpkg. The versions it didn't really like
- were between oldstable and stable.
- + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and
- libnss3-tools to be installed at the same time.
- + Add ${misc:Depends} to libnss3-1d-dbg dependencies.
- * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os.
- * debian/rules, debian/control, debian/compat: Simplify debian/rules by
- using dh.
-
- -- Mike Hommey <glandium@debian.org> Wed, 17 Mar 2010 20:33:32 +0100
-
-nss (3.12.5-2) unstable; urgency=low
-
- * debian/control:
- + Remove build dependency on autotools-dev, we don't use it.
- + libnss3-dev depends on libnspr4-dev >= 4.6.6-1. 4.6.6-1 was the first
- version where the pkg-config file was nspr.pc instead of
- xulrunner-nspr.pc. Closes: #567134.
- * debian/patches/96_NSS_VersionCheck.patch, debian/patches/series:
- Remove runtime check of NSPR version in NSS_VersionCheck, which seems to
- be pointless. Closes: #567136.
-
- -- Mike Hommey <glandium@debian.org> Thu, 28 Jan 2010 12:12:35 +0100
-
-nss (3.12.5-1) unstable; urgency=low
-
- * New upstream release.
- * debian/copyright: Modify with new location for the embedded copy of zlib.
- * debian/patches/*:
- + Adapt patches to new upstream.
- + Switch to quilt format
- * debian/source/format: Switch to 3.0 (quilt) format.
- * debian/rules, debian/control: Stop using dpatch.
- * debian/patches/38_intel_aes_executable_stack.patch: Removed. An upstream
- change in version 3.12.4 obsoleted it.
- * debian/rules:
- + Remove DEB_{BUILD,HOST}_* variables, they are not used.
- + Use DEB_BUILD_ARCH_BITS to determine whether to build with USE_64 or not.
- + Ship more tools in libnss3-tools. Closes: #526267.
- + Work around gcc 4.4 bug on powerpc with -Os.
- + Force non parallel build. There are too many race conditions in the
- build system to support parallel builds. Closes: #536248.
- + Bump shlibs.
- * debian/control:
- + Bump Standards-Version to 3.8.3.0.
- + Build-depend on dpkg-dev (>= 1.15.4) for DEB_BUILD_ARCH_BITS.
- + Stricter dependency between libnss3-dev and libnss3-1d.
- * debian/libnss3-1d.symbols:
- + Add new symbols.
- + Remove debian revision for symbols added in 3.12.4.
- * debian/patches/38_hurd.patch: Fix FTBFS on Hurd due to PATH_MAX usage in
- unix_rand.c. Closes: #550995.
-
- -- Mike Hommey <glandium@debian.org> Fri, 18 Dec 2009 11:48:14 +0100
-
-nss (3.12.4-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/38_kbsd.dpatch:
- + Use CHECK_FORK_PTHREAD on kfreebsd and hurd. Closes: #547301.
- + Adapt to upstream changes.
- * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
- * debian/patches/81_sonames.dpatch: Adapt to upstream changes.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols.
- * debian/rules: Bumped shlibs.
-
- -- Mike Hommey <glandium@debian.org> Sun, 11 Oct 2009 01:26:14 +0200
-
-nss (3.12.3.1-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/95_add_spi+cacert_ca_certs.dpatch, Adapted to upstream
- changes.
-
- -- Mike Hommey <glandium@debian.org> Fri, 21 Aug 2009 23:47:24 +0200
-
-nss (3.12.3-1) unstable; urgency=low
-
- * New upstream release.
- * debian/watch: Updated to catch new upstream .bz2 tarballs.
- * debian/copyright: Add information about
- mozilla/security/corecond/mkdepend.
- * debian/patches/38_hurd.dpatch, debian/patches/38_kbsd.dpatch: Adapted
- to upstream changes.
- * debian/patches/85_security_load.dpatch: Load libsoftokn3.so from
- /usr/lib/nss when unable to load it from standard ld.so paths in
- shlibsign.
- * debian/rules:
- + Add debian/libnss3-1d/usr/lib/nss to LD_LIBRARY_PATH when running
- shlibsign during build.
- + Bumped shlibs.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols.
- * debian/control:
- + Bumped Standards-Version to 3.8.1.0. No changes needed.
- + Put the libnss3-1d-dbg package in the "debug" section.
- + Correct libnss3-1d-dbg short description.
- + Remove redundant section on libnss3-1d.
- + Build-depend on proper version of debhelper for dh_lintian.
- * debian/*.lintian-overrides, debian/rules: Install some Lintian
- overrides with dh_lintian.
- * debian/patches/38_intel_aes_executable_stack.dpatch: Indicate that
- we don't need executable stack in intel-aes.s.
- * debian/patches/00list: Updated accordingly.
-
- -- Mike Hommey <glandium@debian.org> Sat, 18 Apr 2009 09:37:31 +0200
-
-nss (3.12.2.with.ckbi.1.73-2) unstable; urgency=low
-
- * mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_object.h:
- Apply patch from upstream to fix alignment issues on sparc and ia64.
- Closes: #509930.
-
- -- Mike Hommey <glandium@debian.org> Mon, 06 Apr 2009 20:24:01 +0200
-
-nss (3.12.2.with.ckbi.1.73-1) unstable; urgency=low
-
- * debian/patches/38_kbsd.dpatch: Brown paper bag fix for regression
- in previous release that led to FTBFS on i386 only. Closes: #513101.
- Thanks Steffen Joeris, Sebastian Andrzej Siewior and Petr Salinger.
- * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
- debian/patches/80_security_tools.dpatch: Adapted to upstream changes.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols.
- * debian/rules: Bumped shlibs.
-
- -- Mike Hommey <glandium@debian.org> Sat, 31 Jan 2009 16:41:26 +0100
-
-nss (3.12.1-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/95_add_spi+cacert_ca_certs.dpatch,
- debian/patches/38_mips64_build.dpatch,
- debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols.
- * debian/rules: Bumped shlibs.
-
- -- Mike Hommey <glandium@debian.org> Sat, 20 Dec 2008 12:11:28 +0100
-
-nss (3.12.0-5) unstable; urgency=low
-
- * debian/control:
- + Conflict with libnss3-0d >= 3.11.5, that has conflicting files in
- /usr/lib/nss. Older versions (those from etch) don't conflict.
- This makes updates from old testing smoother. Closes: #492332.
- + Build-depend on libsqlite3-dev >= 3.3.9, since API introduced in this
- version is used. Closes: #493191.
-
- -- Mike Hommey <glandium@debian.org> Sun, 03 Aug 2008 09:42:03 +0200
-
-nss (3.12.0-4) unstable; urgency=low
-
- * debian/control: Remove conflict with libnss3-0d, it was only useful when
- libnss3-0d was a transitional package. Closes: #490995.
-
- -- Mike Hommey <glandium@debian.org> Wed, 16 Jul 2008 21:29:19 +0200
-
-nss (3.12.0-3) unstable; urgency=low
-
- * debian/rules:
- + Enable ECC cypher suite. Closes: #490826.
- + Build with the same optimization level as upstream.
-
- -- Mike Hommey <glandium@debian.org> Mon, 14 Jul 2008 17:35:25 +0200
-
-nss (3.12.0-2) unstable; urgency=low
-
- * debian/patches/95_add_spi+cacert_ca_certs.dpatch:
- + Add CAcert root and class 3 certificates to nssckbi module.
- + Add SPI Inc. certificate to nssckbi module.
- Thanks to Martin F Krafft for these. Closes: #309564.
- * debian/patches/00list: Updated accordingly.
-
- -- Mike Hommey <glandium@debian.org> Sat, 12 Jul 2008 18:26:09 +0200
-
-nss (3.12.0-1) unstable; urgency=low
-
- * New upstream release.
- * debian/patches/92_ocsp.dpatch: Removed, as applied upstream.
- * debian/patches/00list: Updated accordingly.
- * debian/control:
- + Bumped Standards-Version to 3.8.0.1. No changes needed.
- + Added Vcs-Browser and Vcs-Git fields.
- + libnss3-dev don't need explicit version dependency on libnss3-1d.
- + libnss3-dev depends on libnspr4-dev. Closes: #488402.
- + Make the -dbg package less a hassle for manual installations with dpkg.
- + libnss3-1d depends on version of dpkg that either don't support symbols
- files or has fix for #474079.
- * debian/patches/85_security_load.dpatch: Load files from /usr/lib/nss if
- given reference path is only a filename, which happens when freebl is
- statically linked in a binary executable, such as signtool, and the
- executable is run from $PATH. When the executable is run using a full
- path, we must replace /bin/ in the path with /lib/ to find the libraries.
- Closes: #483774.
- * debian/libnss3-1d.symbols: Re-enable symbols file.
-
- -- Mike Hommey <glandium@debian.org> Sat, 05 Jul 2008 10:19:53 +0200
-
-nss (3.12.0~rc3-3) unstable; urgency=low
-
- * debian/control: Make libnss3-0d conflict with old libnss3, which can
- still be installed on some systems, though it hasn't been in the archive
- since sarge. Closes: #485080.
-
- -- Mike Hommey <glandium@debian.org> Sun, 08 Jun 2008 14:11:13 +0200
-
-nss (3.12.0~rc3-2) unstable; urgency=low
-
- * debian/patches/92_ocsp.dpatch: Apply patches from bz433594 and bz#433386,
- which are applied in upstream RC4 (and are the only changes), to fix
- crashes under some conditions with OCSP checks.
- * debian/patches/00list: Updated accordingly.
- * debian/libnss3-dev.links, debian/libnss3-1d.links: Don't install so
- files in the -dev package but in the library package. It will allow
- external applications linked against upstream nss to work on Debian with
- system nss libraries, and will avoid all browsers to have to implement
- symlinks themselves to allow some external plugins to work properly.
- * debian/control: Make libnss3-1d conflict with older versions of
- libnss3-dev and libnss3-dev need newer libnss3-1d accordingly.
-
- -- Mike Hommey <glandium@debian.org> Sat, 07 Jun 2008 11:57:55 +0200
-
-nss (3.12.0~rc3-1) unstable; urgency=low
-
- * New upstream snapshot, picked from NSS_3_12_RC3 cvs tag.
-
- -- Mike Hommey <glandium@debian.org> Sun, 11 May 2008 16:58:17 +0200
-
-nss (3.12.0~beta3-1) unstable; urgency=low
-
- * New upstream snapshot, picked from NSS_3_12_BETA3 cvs tag.
- * debian/control: Turn Homepage indications in descriptions into a
- control field.
- * debian/patches/91_build_pwdecrypt.dpatch: Enable building and installing
- pwdecrypt. Thanks Paul Wise. Closes: #472303.
- * debian/patches/00list: Updated accordingly.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols and rename
- the file, so that it isn't used, as a workaround to #474079.
- Closes: #474007.
- * debian/rules: Bumped shlibs.
-
- -- Mike Hommey <glandium@debian.org> Tue, 08 Apr 2008 21:23:53 +0200
-
-nss (3.12.0~beta2-1) unstable; urgency=low
-
- * New upstream snapshot, picked from NSS_3_12_BETA2 cvs tag.
- * debian/patches/10_3.11.7_symbol_fix.dpatch: Removed, as applied upstream.
- * debian/patches/38_kbsd.dpatch: Adapted to upstream changes.
- * debian/patches/81_sonames.dpatch: Add SO_VERSION to libnssutil3.
- * debian/libnss3-dev.links: Add link for libnssutil3.
- * debian/libnss3-1d.symbols: Update symbols file with new symbols. Note that
- SEC_StringToOID disappeared (well, was moved to nssutil), compared to
- version 3.12.0~1.9b1, but it was a new symbol, and isn't used anywhere.
- * debian/nss.pc.in, debian/nss-config.in: Add libnssutil3 support.
- * debian/rules:
- + Bumped shlibs.
- + Don't generate libsoftokn3.so.0d.
- * debian/control:
- + Remove transitional libnss3-0d package.
- + Bumped Standards-Version to 3.7.3.0. No changes needed.
- + Build depend on libnspr4-dev >= 4.7.0 (we *do* need the RTM version, and
- not the preceding betas)
- * debian/libnss3-0d.*: Removed.
- * debian/patches/85_security_load.dpatch: Load files from $ORIGIN/nss before
- those of $ORIGIN. Closes: #469079.
- * debian/patches/38_hurd.dpatch: Fix FTBFS on Hurd because of MAXPATHLEN.
- Closes: #419529.
- * debian/patches/00list: Updated accordingly.
-
- -- Mike Hommey <glandium@debian.org> Fri, 07 Mar 2008 21:27:54 +0100
-
-nss (3.12.0~1.9b1-2) unstable; urgency=low
-
- * debian/control: libnss3-1-dbg needs to conflict with older libnss3-0d-dbg,
- as it overwrites so of its files. Closes: #455875.
- * debian/patches/90_realpath.dpatch: Use realpath() in
- loader_GetOriginalPathname, so that symlinks are properly followed when
- determining where the current library lives.
- * debian/patches/00list: Updated accordingly.
- * debian/patches/85_security_load.dpatch: When the module given by the
- caller contains a directory name, remove it so that the module can be
- properly loaded. Closes: #456296.
-
- -- Mike Hommey <glandium@debian.org> Sun, 16 Dec 2007 11:06:03 +0100
-
-nss (3.12.0~1.9b1-1) unstable; urgency=low
-
- * New upstream snapshot, picked from FIREFOX_3_0b1_RELEASE cvs tag.
- * debian/copyright: Add licensing information about the recently added
- sqlite copy in the source tree.
- * debian/control:
- + Build depend on libsqlite3-dev.
- + Rename all -0d packages to -1d, but keep a transitional -0d package,
- since all libraries are compatible (except for the removed one).
- + Make libnss3-1d conflict with older libnss3-0d.
- * debian/patches/38_kbsd.dpatch, debian/patches/81_sonames.dpatch:
- Adapted to upstream changes.
- * debian/patches/81_sonames.dpatch:
- + Remove SO version from libsoftokn3, now it is not linked against
- anymore, but dlloaded.
- + Remove the hacks to have shlibsign and the signature verification code
- handle the SO version in the file name.
- + Bump SO version to 1d.
- * debian/rules:
- + Add NSS_USE_SYSTEM_SQLITE=1 to the make options.
- + Install libsoftokn3 and the new libnssdbm3 in /usr/lib/nss.
- + Run shlibsign on libsoftokn3 in /usr/lib/nss, without a SO version.
- + For some reason, build-stamp was missing in install-stamp dependencies.
- + Bumped shlibs because of new symbols, and pass -c4 to dpkg-gensymbols,
- so that it fails in all cases where the symbols file is not up to date.
- + Adapt upstream version pattern matching so that the ~1.9b1 part is
- removed.
- + Install .1d libraries in -1d packages.
- + Create a dummy libsoftokn3.so.0d library, installed in the libnss3-0d
- package.
- * debian/libnss3-0d.links:
- + Remove links in /usr/lib/xulrunner. The workaround they were
- implementing is going to be done another way.
- + Add .0d links to .1d libraries.
- * debian/libnss3-dev.links:
- + Don't put a symlink for libsoftokn3.
- + .so files now link to .1d libraries.
- * debian/patches/80_security_build.dpatch: Remove the hack to load libfreebl
- from /usr/lib/nss.
- * debian/patches/85_security_load.dpatch: Load modules from $ORIGIN/nss.
- * debian/patches/10_3.11.7_symbol_fix.dpatch: Fix a symbol version. Stolen
- from bz#325672.
- * debian/patches/00list: Updated accordingly.
- * debian/libnss3-0d.dirs: Renamed to libnss3-1d.dirs.
-
- -- Mike Hommey <glandium@debian.org> Sat, 08 Dec 2007 10:53:02 +0100
-
-nss (3.11.7-1) unstable; urgency=low
-
- * New upstream release, picked from NSS_3_11_7_RTM cvs tag.
- * debian/patches/38_kbsd.dpatch: Also add support for the Hurd.
- Closes: #419529.
- * debian/rules:
- + Don't fail on clean with unpatched ruleset. Closes: #421542.
- + Bumped shlibs because of new symbols.
- * debian/patches/81_sonames.dpatch: Adapted to upstream changes.
-
- -- Mike Hommey <glandium@debian.org> Sun, 01 Jul 2007 11:29:06 +0200
-
-nss (3.11.5-3) unstable; urgency=low
-
- * Upload to unstable.
-
- -- Mike Hommey <glandium@debian.org> Mon, 09 Apr 2007 20:37:25 +0200
-
-nss (3.11.5-2) experimental; urgency=low
-
- * debian/rules:
- + Cleaner way to set the NSPR location.
- + Install libcrmf.a files in libnss3-dev.
- + binary-indep now does nothing.
- * debian/control: Make libnss3-dev an Arch: any package.
- * debian/nss.pc.in:
- + Remove libsoftokn3 from ld libraries.
- + Improvement in directories setting.
- * debian/libnss3-dev.dirs: Create /usr/bin.
- * debian/nss-config.in, debian/rules: Install a nss-config script into
- libnss3-dev.
-
- -- Mike Hommey <glandium@debian.org> Tue, 27 Mar 2007 20:41:11 +0200
-
-nss (3.11.5-1) experimental; urgency=low
-
- * Initial release. (Closes: #416151)
-
- -- Mike Hommey <glandium@debian.org> Sun, 25 Mar 2007 23:56:17 +0200
diff -Nru nss-3.26/debian/control nss-3.26.2/debian/control
--- nss-3.26/debian/control 2016-10-03 15:18:55.000000000 -0400
+++ nss-3.26.2/debian/control 2016-12-22 15:00:11.000000000 -0500
@@ -7,7 +7,9 @@
dpkg-dev (>= 1.16.1.1~),
libnspr4-dev (>= 2:4.12),
zlib1g-dev,
- libsqlite3-dev (>= 3.3.9)
+ libsqlite3-dev (>= 3.3.9),
+ gcc-4.7,
+ g++-4.7
Standards-Version: 3.9.3.0
Homepage: http://www.mozilla.org/projects/security/pki/nss/
Vcs-Git: https://anonscm.debian.org/git/pkg-mozilla/nss.git
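Review bot: gcc-4.7 and g++-4.7 become unconditional Build-Depends although the mail below scopes the problem to arm builds; either qualify them (`gcc-4.7 [armel armhf]`) or state that pinning 4.7 on every architecture is deliberate. On wheezy the default compiler is already gcc 4.7, so elsewhere this only adds explicit package names, but that reasoning belongs in the changelog rather than in the reader's head.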
diff -Nru nss-3.26/debian/patches/customize-gcc.patch nss-3.26.2/debian/patches/customize-gcc.patch
--- nss-3.26/debian/patches/customize-gcc.patch 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/patches/customize-gcc.patch 2016-12-22 15:00:41.000000000 -0500
@@ -0,0 +1,30 @@
+Description: allow environment to override linux compiler
+Author: Antoine Beaupré <anarcat@debian.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: debian
+Forwarded: no
+Last-Update: 2016-12-21
+
+--- nss-3.26.2.orig/nss/coreconf/Linux.mk
++++ nss-3.26.2/nss/coreconf/Linux.mk
+@@ -16,11 +16,11 @@ ifeq ($(USE_PTHREADS),1)
+ IMPL_STRATEGY = _PTH
+ endif
+
+-CC = gcc
+-CCC = g++
+-RANLIB = ranlib
++CC ?= gcc
++CCC ?= g++
++RANLIB ?= ranlib
+
+-DEFAULT_COMPILER = gcc
++DEFAULT_COMPILER = $(CC)
+
+ ifeq ($(OS_TARGET),Android)
+ ifndef ANDROID_NDK
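Review bot: `CC ?= gcc` does not give "environment overrides, gcc otherwise" for CC: GNU make predefines CC as `cc` (origin "default"), and `?=` only assigns when the variable is undefined, so with no CC in the environment this hunk silently switches the compiler from gcc to cc. It only works in this package because debian/rules now exports CC. If the override is meant to be generic, use `ifeq ($(origin CC),default)` / `CC = gcc`, or keep `CC = gcc` and override with `make CC=...`. CCC and RANLIB are not make defaults, so `?=` is fine for those. Also drop the DEP-3 template text ("The information above should follow the Patch Tagging Guidelines ...") from the header and keep only the real fields.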
diff -Nru nss-3.26/debian/patches/replace_expired_paypal_cert.patch nss-3.26.2/debian/patches/replace_expired_paypal_cert.patch
--- nss-3.26/debian/patches/replace_expired_paypal_cert.patch 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/patches/replace_expired_paypal_cert.patch 2016-12-22 15:00:42.000000000 -0500
@@ -0,0 +1,29 @@
+Description: Two tests are failing due to PayPalEE.cert having expired
+ $ nss-pp -t c -i tests/libpkix/certs/PayPalEE.cert|grep After
+ Not After : Fri Dec 16 12:00:00 2016
+ We update the associated meta-data and will replace the binary
+ certificates separately through debian/source/include-binaries.
+ .
+ This problem is the same than two years ago:
+ https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
+Author: Raphaël Hertzog <hertzog@debian.org>
+
+--- a/nss/tests/chains/scenarios/realcerts.cfg
++++ b/nss/tests/chains/scenarios/realcerts.cfg
+@@ -21,7 +21,7 @@ verify TestUser51:x
+ result pass
+
+ verify PayPalEE:x
+- policy OID.2.16.840.1.114412.1.1
++ policy OID.2.16.840.1.113733.1.7.23.6
+ result pass
+
+ verify BrAirWaysBadSig:x
+--- a/nss/tests/libpkix/vfychain_test.lst
++++ b/nss/tests/libpkix/vfychain_test.lst
+@@ -1,4 +1,4 @@
+ # Status | Leaf Cert | Policies | Others(undef)
+ 0 TestUser50 undef
+ 0 TestUser51 undef
+-0 PayPalEE OID.2.16.840.1.114412.1.1
++0 PayPalEE OID.2.16.840.1.113733.1.7.23.6
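Review bot: the header records the expiry of the old PayPalEE.cert but not of the replacement, so the next LTS maintainer will again learn the date from a failing test; add the new `Not After` next to the old one. It should also say that the policy OID changes from 2.16.840.1.114412.1.1 to 2.16.840.1.113733.1.7.23.6, i.e. the test chain now carries a different CA's policy than the one upstream checks. A `Forwarded:` field pointing at the linked Mozilla bug would help, and "the same than two years ago" should read "the same as two years ago".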
diff -Nru nss-3.26/debian/patches/series nss-3.26.2/debian/patches/series
--- nss-3.26/debian/patches/series 2016-10-03 15:27:18.000000000 -0400
+++ nss-3.26.2/debian/patches/series 2016-12-22 15:00:42.000000000 -0500
@@ -2,3 +2,5 @@
38_kbsd.patch
80_security_tools.patch
85_security_load.patch
+replace_expired_paypal_cert.patch
+customize-gcc.patch
diff -Nru nss-3.26/debian/rules nss-3.26.2/debian/rules
--- nss-3.26/debian/rules 2016-10-03 15:42:41.000000000 -0400
+++ nss-3.26.2/debian/rules 2016-12-22 15:00:29.000000000 -0500
@@ -6,6 +6,10 @@
$(call lazy,CPPFLAGS,$$(shell dpkg-buildflags --get CPPFLAGS))
$(call lazy,LDFLAGS,$$(shell dpkg-buildflags --get LDFLAGS))
+export CC=gcc-4.7
+export CXX=g++-4.7
+export CCC=g++-4.7
+
PREPROCESS_FILES := $(wildcard debian/*.in)
$(PREPROCESS_FILES:.in=): %: %.in
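Review bot: the gcc-4.7 pin is unconditional here too; if it is only needed on arm, as the mail says, guard the three exports with `ifneq (,$(filter arm%,$(DEB_HOST_ARCH)))` so other architectures keep following the default compiler. Also say why CXX is exported in addition to CCC: the Linux.mk patch only reads CC and CCC.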
@@ -50,7 +54,6 @@
SOURCE_MD_DIR=$(DISTDIR) \
DIST=$(DISTDIR) \
BUILD_OPT=1 \
- NS_USE_GCC=1 \
OPTIMIZER="$(CFLAGS) $(CPPFLAGS)" \
LDFLAGS='$(LDFLAGS) $$(ARCHFLAG) $$(ZDEFS_FLAG)' \
DSO_LDOPTS='-shared $$(LDFLAGS)' \
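Review bot: dropping `NS_USE_GCC=1` is not explained anywhere in the diff. It is a coreconf switch that selects compiler-specific flags, so either justify the removal in the changelog (for instance that Linux.mk ignores it) or keep it; it is unrelated to the compiler pinning this upload is about.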
@@ -155,6 +158,20 @@
dh_gencontrol -- -Vmisc:Multi-Arch=same
endif
+override_dh_auto_test:
+ # Create .chk files for FIPS mode tests
+ $(foreach lib,libsoftokn3.so libfreebl3.so libfreeblpriv3.so libnssdbm3.so, \
+ $(call cmd,cd $(DISTDIR)/lib; LD_LIBRARY_PATH=$(DISTDIR)/lib $(DISTDIR)/bin/shlibsign -v -i $(lib)))
+ # Run tests
+ export DIST=$(CURDIR) &&\
+ export OBJDIR=dist &&\
+ export IP_ADDRESS=127.0.0.1 &&\
+ export USE_IP=TRUE &&\
+ export NSS_CYCLES=standard &&\
+ cd $(CURDIR)/nss/tests && ./all.sh
+ # Cleanup
+ rm -f dist/lib/*.chk
+
override_dh_builddeb:
dh_builddeb -- -Zxz
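Review bot: the .chk files are created in $(DISTDIR)/lib but removed from the literal `dist/lib`, and the test suite is pointed at DIST=$(CURDIR)/OBJDIR=dist; use $(DISTDIR) in all three places so they cannot drift apart. Also confirm that all.sh exits non-zero when tests fail, otherwise this override cannot fail the build, and wrap the target in `ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))` since an override replaces dh_auto_test's own nocheck handling. Leaving the .chk files behind when all.sh fails is harmless but confusing on a rebuild.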
diff -Nru nss-3.26/debian/source/include-binaries nss-3.26.2/debian/source/include-binaries
--- nss-3.26/debian/source/include-binaries 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/source/include-binaries 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,3 @@
+nss/tests/libpkix/certs/PayPalEE.cert
+nss/tests/libpkix/certs/PayPalICA.cert
+nss/tests/libpkix/certs/PayPalRootCA.cert
diff -Nru nss-3.26/debian/tests/control nss-3.26.2/debian/tests/control
--- nss-3.26/debian/tests/control 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/tests/control 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,5 @@
+Tests: test-cert.sh test-fips.sh
+Depends: libnss3-tools
+
+Tests: test-link.make
+Depends: libnss3-dev, pkg-config, g++
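Review bot: all three tests write into the current directory (`mktemp -p .` in the shell scripts, `a.out` from the make test), which is the source tree; autopkgtest only guarantees a writable tree with `Restrictions: rw-build-tree`, so either declare that here or make the scripts use $AUTOPKGTEST_TMP.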
diff -Nru nss-3.26/debian/tests/test-cert.sh nss-3.26.2/debian/tests/test-cert.sh
--- nss-3.26/debian/tests/test-cert.sh 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/tests/test-cert.sh 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,42 @@
+#!/bin/bash
+#
+# Check some basic CA operations
+
+set -e
+
+cleanup() {
+ [ -z "$DIR" ] || rm -rf "$DIR"
+}
+
+
+run_certutil() {
+ CMD="certutil -z $DIR/random -f $DIR/passwd -d sql:$DIR $@"
+ echo "Running: $CMD"
+ $CMD
+}
+
+DIR=`mktemp -p . -d`
+trap cleanup EXIT ERR
+
+dd bs=20 count=1 if=/dev/urandom of=$DIR/random 2>/dev/null
+echo "password" > $DIR/passwd
+
+# Create the database
+run_certutil -N
+# Create a self signed certificate
+run_certutil -S -k rsa -n test-ca -s CN=testca -t c -x 2>/dev/null
+# Create a certificate request
+run_certutil -R -k rsa -g 2048 -n test-cert -s "CN=testcert" -o $DIR/cert.req -a 2>/dev/null
+# Sign with ca
+run_certutil -C -m 10000 -c test-ca -i $DIR/cert.req -o $DIR/cert.cer -a
+run_certutil -A -n test-cert -i $DIR/cert.cer -t c -a
+
+echo -n "Checking if ca is present..."
+run_certutil -L -n test-ca >/dev/null
+echo "OK."
+
+echo -n "Checking if cert present..."
+run_certutil -L -n test-cert >/dev/null
+echo "OK."
+
+exit 0
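Review bot: `run_certutil` flattens its arguments into a string and re-splits it through the unquoted `$CMD`, so quoting is lost; `-s "CN=testcert"` only survives because it contains no whitespace. Use `certutil -z "$DIR/random" -f "$DIR/passwd" -d "sql:$DIR" "$@"` and, if the echo is wanted, print with `printf '%q '`. The `2>/dev/null` on the `-S` and `-R` steps also discards certutil's error message exactly when the step fails, and the trailing `exit 0` is redundant under `set -e`.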
diff -Nru nss-3.26/debian/tests/test-fips.sh nss-3.26.2/debian/tests/test-fips.sh
--- nss-3.26/debian/tests/test-fips.sh 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/tests/test-fips.sh 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Enable fips mode
+
+set -e
+
+cleanup() {
+ [ -z "$DIR" ] || rm -rf "$DIR"
+}
+
+
+run_certutil() {
+ CMD="certutil -z $DIR/random -f $DIR/passwd -d sql:$DIR $@"
+ echo "Running: $CMD"
+ $CMD
+}
+
+DIR=`mktemp -p . -d`
+trap cleanup EXIT ERR
+
+modutil -create -dbdir $DIR < /dev/null
+modutil -fips true -dbdir $DIR < /dev/null
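Review bot: nothing here checks that FIPS mode was actually enabled; `modutil -fips true` returning zero is the only assertion. Add `modutil -chkfips true -dbdir $DIR`, which exits non-zero if the token is not in FIPS mode. The copied `run_certutil` function is unused and can go, and `-dbdir $DIR` without the `sql:` prefix creates the legacy dbm database while test-cert.sh uses the sql backend; pick one deliberately, or test both.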
diff -Nru nss-3.26/debian/tests/test-link.cpp nss-3.26.2/debian/tests/test-link.cpp
--- nss-3.26/debian/tests/test-link.cpp 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/tests/test-link.cpp 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+
+#include <nss.h>
+
+int main()
+{
+ int ret = 0;
+ SECStatus s;
+ char *t = strdup("/tmp/nss.XXXXXX");
+ char *tmpdir = mkdtemp(t);
+
+ if (tmpdir == NULL)
+ fprintf(stderr, "Failed to create temp directory: %s", strerror(errno));
+
+ s = NSS_InitReadWrite(tmpdir);
+ if (s != SECSuccess)
+ ret = 2;
+
+ NSS_Shutdown();
+ free(t);
+
+ return ret;
+}
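Review bot: when mkdtemp fails the code prints an error and then calls NSS_InitReadWrite(NULL) anyway; return a distinct non-zero code there instead. strdup and strerror need `<string.h>`, which is not included, so this only compiles if another header pulls it in, and the build uses -Wall -Werror. The temporary directory and the database files NSS creates in it are never removed, and the fprintf lacks a trailing newline.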
diff -Nru nss-3.26/debian/tests/test-link.make nss-3.26.2/debian/tests/test-link.make
--- nss-3.26/debian/tests/test-link.make 1969-12-31 19:00:00.000000000 -0500
+++ nss-3.26.2/debian/tests/test-link.make 2016-11-30 15:09:36.000000000 -0500
@@ -0,0 +1,10 @@
+#!/usr/bin/make -f
+
+all: a.out
+ ./a.out
+ rm -f a.out
+
+a.out: debian/tests/test-link.cpp
+ g++ -Wall -Werror $< $(shell pkg-config --cflags nss) $(shell pkg-config --libs nss)
+
+.PHONY: all
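Review bot: `a.out` is only removed when it ran successfully, so a failing run leaves a stale binary in the tree; give the binary an explicit `-o` path under $(AUTOPKGTEST_TMP) and remove it in a recipe that runs regardless of the outcome. Using $(CXX) instead of a hard-coded g++ would also let the test be run with the compiler the package was built with.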
diff -Nru nss-3.26/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc nss-3.26.2/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc
--- nss-3.26/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/external_tests/ssl_gtest/ssl_auth_unittest.cc 2016-10-10 10:54:09.000000000 -0400
@@ -22,6 +22,38 @@
namespace nss_test {
+class TlsInspectorCertificateRequestSigAlgSetter : public TlsHandshakeFilter {
+ public:
+ TlsInspectorCertificateRequestSigAlgSetter(SSLSignatureAndHashAlg sig_alg)
+ : sig_alg_(sig_alg) {}
+
+ virtual PacketFilter::Action FilterHandshake(
+ const HandshakeHeader& header,
+ const DataBuffer& input, DataBuffer* output) {
+ if (header.handshake_type() != kTlsHandshakeCertificateRequest) {
+ return KEEP;
+ }
+
+ TlsParser parser(input);
+ *output = input;
+
+ // Skip certificate types.
+ parser.SkipVariable(1);
+
+ // Skip sig algs length.
+ parser.Skip(2);
+
+ // Write signature algorithm.
+ output->Write(parser.consumed(), sig_alg_.hashAlg, 1);
+ output->Write(parser.consumed() + 1, sig_alg_.sigAlg, 1);
+
+ return CHANGE;
+ }
+
+ private:
+ SSLSignatureAndHashAlg sig_alg_;
+};
+
TEST_P(TlsConnectGeneric, ClientAuth) {
client_->SetupClientAuth();
server_->RequestClientAuth(true);
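Review bot: FilterHandshake skips the certificate types and the two-byte signature_algorithms length, then writes two bytes at parser.consumed() without ever checking that the length was at least 2; a CertificateRequest with an empty list would have the start of its DN list overwritten instead. Read the length with parser.Read and assert on it, and say in a comment that only the first entry is replaced and the length is left untouched.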
@@ -337,4 +369,41 @@
Receive(10);
}
+TEST_P(TlsConnectTls12, ClientAuthNoMatchingSigAlgs) {
+ Reset(TlsAgent::kServerEcdsa);
+ server_->RequestClientAuth(false);
+ client_->SetupClientAuth();
+
+ server_->EnableCiphersByAuthType(ssl_auth_ecdh_ecdsa);
+ server_->SetSignatureAlgorithms(SignatureEcdsaSha256,
+ PR_ARRAY_SIZE(SignatureEcdsaSha256));
+
+ Connect();
+ CheckKeys(ssl_kea_ecdh, ssl_auth_ecdsa);
+ EXPECT_TRUE(!SSL_PeerCertificate(server_->ssl_fd()));
+}
+
+TEST_P(TlsConnectTls12, CertificateRequestMd5) {
+ const SSLSignatureAndHashAlg md5_sig_alg = {ssl_hash_md5, ssl_sign_rsa};
+
+ const SSLSignatureAndHashAlg serverAlgorithms[] = {
+ {ssl_hash_sha1, ssl_sign_rsa},
+ {ssl_hash_sha256, ssl_sign_rsa}
+ };
+
+ client_->SetupClientAuth();
+ server_->RequestClientAuth(true);
+ server_->SetPacketFilter(new TlsInspectorCertificateRequestSigAlgSetter
+ (md5_sig_alg));
+ server_->SetSignatureAlgorithms(serverAlgorithms,
+ PR_ARRAY_SIZE(serverAlgorithms));
+
+ client_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+ server_->EnableSingleCipher(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384);
+
+ ConnectExpectFail();
+ ASSERT_EQ(SEC_ERROR_BAD_SIGNATURE, server_->error_code());
+ ASSERT_EQ(SSL_ERROR_DECRYPT_ERROR_ALERT, client_->error_code());
+}
+
}
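Review bot: CertificateRequestMd5 should say where SEC_ERROR_BAD_SIGNATURE and the decrypt_error alert come from. As far as I can tell the filter rewrites the server's CertificateRequest on the wire, so client and server hash different transcripts and the CertificateVerify cannot verify; the property under test is that the client skips the MD5 entry and continues (it used to abort), not that MD5 itself yields a bad-signature alert. A comment to that effect would save the next reader the same detour. In ClientAuthNoMatchingSigAlgs, `EXPECT_TRUE(!SSL_PeerCertificate(...))` reads better as `EXPECT_EQ(nullptr, ...)`, and a non-null result would leak the returned reference.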
diff -Nru nss-3.26/nss/external_tests/ssl_gtest/tls_parser.h nss-3.26.2/nss/external_tests/ssl_gtest/tls_parser.h
--- nss-3.26/nss/external_tests/ssl_gtest/tls_parser.h 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/external_tests/ssl_gtest/tls_parser.h 2016-10-10 10:54:09.000000000 -0400
@@ -29,6 +29,7 @@
const uint8_t kTlsHandshakeEncryptedExtensions = 8;
const uint8_t kTlsHandshakeCertificate = 11;
const uint8_t kTlsHandshakeServerKeyExchange = 12;
+const uint8_t kTlsHandshakeCertificateRequest = 13;
const uint8_t kTlsHandshakeCertificateVerify = 15;
const uint8_t kTlsHandshakeClientKeyExchange = 16;
const uint8_t kTlsHandshakeFinished = 20;
diff -Nru nss-3.26/nss/.hg_archival.txt nss-3.26.2/nss/.hg_archival.txt
--- nss-3.26/nss/.hg_archival.txt 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/.hg_archival.txt 2016-10-10 10:54:09.000000000 -0400
@@ -1,4 +1,4 @@
repo: 9949429068caa6bb8827a8ceeaa7c605d722f47f
-node: f118cfd3948a9198bff6db23a300073897fb59c0
+node: 5bb734f18d10e207cdfb222dbdb8be56dfdd0f64
branch: NSS_3_26_BRANCH
-tag: NSS_3_26_RTM
+tag: NSS_3_26_2_RTM
diff -Nru nss-3.26/nss/lib/nss/nss.h nss-3.26.2/nss/lib/nss/nss.h
--- nss-3.26/nss/lib/nss/nss.h 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/lib/nss/nss.h 2016-10-10 10:54:09.000000000 -0400
@@ -22,10 +22,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define NSS_VERSION "3.26" _NSS_CUSTOMIZED
+#define NSS_VERSION "3.26.2" _NSS_CUSTOMIZED
#define NSS_VMAJOR 3
#define NSS_VMINOR 26
-#define NSS_VPATCH 0
+#define NSS_VPATCH 2
#define NSS_VBUILD 0
#define NSS_BETA PR_FALSE
diff -Nru nss-3.26/nss/lib/softoken/softkver.h nss-3.26.2/nss/lib/softoken/softkver.h
--- nss-3.26/nss/lib/softoken/softkver.h 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/lib/softoken/softkver.h 2016-10-10 10:54:09.000000000 -0400
@@ -25,10 +25,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
*/
-#define SOFTOKEN_VERSION "3.26" SOFTOKEN_ECC_STRING
+#define SOFTOKEN_VERSION "3.26.2" SOFTOKEN_ECC_STRING
#define SOFTOKEN_VMAJOR 3
#define SOFTOKEN_VMINOR 26
-#define SOFTOKEN_VPATCH 0
+#define SOFTOKEN_VPATCH 2
#define SOFTOKEN_VBUILD 0
#define SOFTOKEN_BETA PR_FALSE
diff -Nru nss-3.26/nss/lib/ssl/ssl3con.c nss-3.26.2/nss/lib/ssl/ssl3con.c
--- nss-3.26/nss/lib/ssl/ssl3con.c 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/lib/ssl/ssl3con.c 2016-10-10 10:54:09.000000000 -0400
@@ -7881,7 +7881,7 @@
return rv;
}
-static void
+static SECStatus
ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms);
typedef struct dnameNode {
@@ -8112,7 +8112,10 @@
}
if (ss->ssl3.hs.hashType == handshake_hash_record ||
ss->ssl3.hs.hashType == handshake_hash_single) {
- ssl3_DecideTls12CertVerifyHash(ss, algorithms);
+ rv = ssl3_DecideTls12CertVerifyHash(ss, algorithms);
+ if (rv != SECSuccess) {
+ goto send_no_certificate;
+ }
}
break; /* not an error */
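Review bot: on failure this now jumps to send_no_certificate, so the client silently answers the CertificateRequest with an empty certificate list when none of the server's signature algorithms fits its key. That is what ClientAuthNoMatchingSigAlgs expects, but a comment here should say it is intentional, because a server that requires client authentication will now see an empty Certificate message and fail the handshake itself, where before the client failed locally.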
@@ -10187,7 +10190,7 @@
return SECFailure;
}
-static void
+static SECStatus
ssl3_DecideTls12CertVerifyHash(sslSocket *ss, const SECItem *algorithms)
{
SECStatus rv;
@@ -10201,7 +10204,7 @@
/* Determine the key's signature algorithm and whether it prefers SHA-1. */
rv = ssl3_ExtractClientKeyInfo(ss, &sigAlg, &preferSha1);
if (rv != SECSuccess) {
- return;
+ return SECFailure;
}
/* Determine the server's hash support for that signature algorithm. */
@@ -10210,6 +10213,9 @@
SSLHashType hashAlg = algorithms->data[i];
SECOidTag hashOID;
PRUint32 policy;
+ if (hashAlg == ssl_hash_md5) {
+ continue; /* No MD5 signature support. */
+ }
if (hashAlg == ssl_hash_sha1 &&
ss->ssl3.pwSpec->version >= SSL_LIBRARY_VERSION_TLS_1_3) {
/* TLS 1.3 explicitly forbids using SHA-1 with certificate_verify. */
@@ -10239,6 +10245,13 @@
} else {
ss->ssl3.hs.tls12CertVerifyHash = otherHashAlg;
}
+
+ /* We didn't find a sigAlg matching the client cert's key type. */
+ if (ss->ssl3.hs.tls12CertVerifyHash == ssl_hash_none) {
+ return SECFailure;
+ }
+
+ return SECSuccess;
}
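Review bot: the new `tls12CertVerifyHash == ssl_hash_none` test only works if both assignments above it leave ssl_hash_none when nothing matched; the initial value of otherHashAlg is outside this hunk, so either initialise it explicitly in the visible code or add a comment pointing at where it is set to ssl_hash_none.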
static SECStatus
@@ -12983,6 +12996,13 @@
return DUPLICATE_MSB_TO_ALL_8(c);
}
+/* ssl_constantTimeSelect return a if mask is 0xFF and b if mask is 0x00 */
+static unsigned char
+ssl_constantTimeSelect(unsigned char mask, unsigned char a, unsigned char b)
+{
+ return (mask & a) | (~mask & b);
+}
+
static SECStatus
ssl_RemoveSSLv3CBCPadding(sslBuffer *plaintext,
unsigned int blockSize,
@@ -13086,22 +13106,54 @@
/* scanStart contains the number of bytes that we can ignore because
* the MAC's position can only vary by 255 bytes. */
unsigned scanStart = 0;
- unsigned i, j, divSpoiler;
+ unsigned i, j;
unsigned char rotateOffset;
- if (originalLength > macSize + 255 + 1)
+ if (originalLength > macSize + 255 + 1) {
scanStart = originalLength - (macSize + 255 + 1);
+ }
- /* divSpoiler contains a multiple of macSize that is used to cause the
- * modulo operation to be constant time. Without this, the time varies
- * based on the amount of padding when running on Intel chips at least.
- *
- * The aim of right-shifting macSize is so that the compiler doesn't
- * figure out that it can remove divSpoiler as that would require it
- * to prove that macSize is always even, which I hope is beyond it. */
- divSpoiler = macSize >> 1;
- divSpoiler <<= (sizeof(divSpoiler) - 1) * 8;
- rotateOffset = (divSpoiler + macStart - scanStart) % macSize;
+ /* We want to compute
+ * rotateOffset = (macStart - scanStart) % macSize
+ * But the time to compute this varies based on the amount of padding. Thus
+ * we explicitely handle all mac sizes with (hopefully) constant time modulo
+ * using Barrett reduction:
+ * q := (rotateOffset * m) >> k
+ * rotateOffset -= q * n
+ * if (n <= rotateOffset) rotateOffset -= n
+ */
+ rotateOffset = macStart - scanStart;
+ /* rotateOffset < 255 + 1 + 48 = 304 */
+ if (macSize == 16) {
+ rotateOffset &= 15;
+ } else if (macSize == 20) {
+ /*
+ * Correctness: rotateOffset * ( 1/20 - 25/2^9 ) < 1
+ * with rotateOffset <= 853
+ */
+ unsigned q = (rotateOffset * 25) >> 9; /* m = 25, k = 9 */
+ rotateOffset -= q * 20;
+ rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 20),
+ 20, 0);
+ } else if (macSize == 32) {
+ rotateOffset &= 31;
+ } else if (macSize == 48) {
+ /*
+ * Correctness: rotateOffset * ( 1/48 - 10/2^9 ) < 1
+ * with rotateOffset < 768
+ */
+ unsigned q = (rotateOffset * 10) >> 9; /* m = 25, k = 9 */
+ rotateOffset -= q * 48;
+ rotateOffset -= ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, 48),
+ 48, 0);
+ } else {
+ /*
+ * SHA384 (macSize == 48) is the largest we support. We should never
+ * get here.
+ */
+ PORT_Assert(0);
+ rotateOffset = rotateOffset % macSize;
+ }
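Review bot: the comment in the macSize == 48 branch says `/* m = 25, k = 9 */` but the code (correctly) multiplies by 10; fix it to `m = 10`. The Barrett bounds themselves check out: with k = 9, 1/20 - 25/512 is about 0.00117, so q is exact or one too small for rotateOffset <= 853, and 1/48 - 10/512 is about 0.0013, exact or one too small below 768; the single conditional subtraction covers the one-too-small case. The "< 255 + 1 + 48 = 304" remark sits oddly next to rotateOffset being an unsigned char (declared just above): if macStart - scanStart can really reach 304 the assignment truncates; if it cannot, because scanStart is chosen so the difference stays within 255 + 1 of the padding, say so and tighten the bound to 255.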
memset(rotatedMac, 0, macSize);
for (i = scanStart; i < originalLength;) {
@@ -13117,12 +13169,16 @@
/* Now rotate the MAC. If we knew that the MAC fit into a CPU cache line
* we could line-align |rotatedMac| and rotate in place. */
memset(out, 0, macSize);
+ rotateOffset = macSize - rotateOffset;
+ rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize),
+ 0, rotateOffset);
for (i = 0; i < macSize; i++) {
- unsigned char offset =
- (divSpoiler + macSize - rotateOffset + i) % macSize;
for (j = 0; j < macSize; j++) {
- out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, offset);
+ out[j] |= rotatedMac[i] & ssl_ConstantTimeEQ8(j, rotateOffset);
}
+ rotateOffset++;
+ rotateOffset = ssl_constantTimeSelect(ssl_ConstantTimeGE(rotateOffset, macSize),
+ 0, rotateOffset);
}
}
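Review bot: the "wrap to zero when rotateOffset reaches macSize" step appears twice, before the loop and at the end of each iteration, as the same ssl_constantTimeSelect/ssl_ConstantTimeGE pair; a small static helper would make the intent obvious and keep the two in sync. The first occurrence also deserves a comment that it exists for rotateOffset == 0 (macSize - 0 == macSize), not for a general range reduction.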
diff -Nru nss-3.26/nss/lib/util/nssutil.h nss-3.26.2/nss/lib/util/nssutil.h
--- nss-3.26/nss/lib/util/nssutil.h 2016-08-05 11:43:39.000000000 -0400
+++ nss-3.26.2/nss/lib/util/nssutil.h 2016-10-10 10:54:09.000000000 -0400
@@ -19,10 +19,10 @@
* The format of the version string should be
* "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
*/
-#define NSSUTIL_VERSION "3.26"
+#define NSSUTIL_VERSION "3.26.2"
#define NSSUTIL_VMAJOR 3
#define NSSUTIL_VMINOR 26
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 2
#define NSSUTIL_VBUILD 0
#define NSSUTIL_BETA PR_FALSE
Binary files /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalEE.cert and /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalEE.cert differ
Binary files /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalICA.cert and /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalICA.cert differ
Binary files /tmp/KBRYTjaHxN/nss-3.26/nss/tests/libpkix/certs/PayPalRootCA.cert and /tmp/Ua8lsn8jAs/nss-3.26.2/nss/tests/libpkix/certs/PayPalRootCA.cert differ
I have uploaded a new package, built on AMD64, here:
https://people.debian.org/~anarcat/debian/wheezy-lts/
... which should have the proper patches. Make sure that
`customize-gcc.patch` is present in order for arm builds to work.
Cheers,
A.