nss-softokn package update

Signed-off-by: basebuilder_pel7ppc64bebuilder0 <basebuilder@powerel.org>

SOURCES/iquote.patch

@@ -0,0 +1,37 @@
+diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile
+--- nss/cmd/bltest/Makefile.iquote	2013-04-04 21:56:59.329249213 -0700
++++ nss/cmd/bltest/Makefile	2013-04-04 21:57:47.583579084 -0700
+@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ # (6) Execute "component" rules. (OPTIONAL)                           #
+ #######################################################################
+ 
++INCLUDES += -iquote $(DIST)/../private/nss
+ 
+ 
+ #######################################################################
+diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
+--- nss/coreconf/location.mk.iquote	2013-04-04 21:54:59.710477106 -0700
++++ nss/coreconf/location.mk	2013-04-04 21:56:21.091163121 -0700
+@@ -45,6 +45,10 @@ endif
+ 
+ ifdef NSS_INCLUDE_DIR
+     INCLUDES += -I$(NSS_INCLUDE_DIR)
++    ifdef IN_TREE_FREEBL_HEADERS_FIRST
++        INCLUDES += -iquote $(DIST)/../public/nss
++        INCLUDES += -iquote $(DIST)/../private/nss
++    endif
+ endif
+ 
+ ifndef NSS_LIB_DIR
+diff -up ./nss/lib/softoken/Makefile.iquote ./nss/lib/softoken/Makefile
+--- ./nss/lib/softoken/Makefile.iquote	2014-01-06 20:35:19.931937299 -0800
++++ ./nss/lib/softoken/Makefile	2014-01-06 20:36:15.336390664 -0800
+@@ -42,6 +42,8 @@ ifdef NSS_DISABLE_DBM
+ DIRS=
+ endif
+ 
++INCLUDES += -iquote $(DIST)/../private/nss
++
+ #######################################################################
+ # (7) Execute "local" rules. (OPTIONAL).                              #
+ #######################################################################

SOURCES/nss-softokn-3.16-add_encrypt_derive.patch

@@ -0,0 +1,59 @@
+diff -up nss/lib/softoken/pkcs11.c.add_encrypt_derive nss/lib/softoken/pkcs11.c
+--- nss/lib/softoken/pkcs11.c.add_encrypt_derive	2018-02-27 15:47:47.000000000 +0100
++++ nss/lib/softoken/pkcs11.c	2018-03-01 16:01:05.853165433 +0100
+@@ -426,6 +426,8 @@ static const struct mechanismList mechan
+     { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE },
+     { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+     { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE },
++    { CKM_DES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
++    { CKM_DES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+     { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+     { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+     { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE },
+diff -up nss/lib/softoken/pkcs11c.c.add_encrypt_derive nss/lib/softoken/pkcs11c.c
+--- nss/lib/softoken/pkcs11c.c.add_encrypt_derive	2018-02-27 15:47:47.000000000 +0100
++++ nss/lib/softoken/pkcs11c.c	2018-03-01 16:01:18.468880916 +0100
+@@ -6935,6 +6935,43 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
+             break;
+         }
+ 
++        case CKM_DES_ECB_ENCRYPT_DATA:
++        case CKM_DES_CBC_ENCRYPT_DATA: {
++            void *cipherInfo;
++            CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr;
++            int mode;
++            unsigned char *iv;
++            unsigned char *data;
++            CK_ULONG len;
++
++            if (mechanism == CKM_DES_ECB_ENCRYPT_DATA) {
++                stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)
++                                pMechanism->pParameter;
++                mode = NSS_DES;
++                iv = NULL;
++                data = stringPtr->pData;
++                len = stringPtr->ulLen;
++            } else {
++                mode = NSS_DES_CBC;
++                desEncryptPtr =
++                    (CK_DES_CBC_ENCRYPT_DATA_PARAMS *)
++                        pMechanism->pParameter;
++                iv = desEncryptPtr->iv;
++                data = desEncryptPtr->pData;
++                len = desEncryptPtr->length;
++            }
++            cipherInfo = DES_CreateContext((unsigned char *)att->attrib.pValue, iv, mode, PR_TRUE);
++            if (cipherInfo == NULL) {
++                crv = CKR_HOST_MEMORY;
++                break;
++            }
++            crv = sftk_DeriveEncrypt((SFTKCipher)DES_Encrypt,
++                                     cipherInfo, 8, key, keySize,
++                                     data, len);
++            DES_DestroyContext(cipherInfo, PR_TRUE);
++            break;
++        }
++
+         case CKM_DES3_ECB_ENCRYPT_DATA:
+         case CKM_DES3_CBC_ENCRYPT_DATA: {
+             void *cipherInfo;

SOURCES/nss-softokn-aes-zeroize.patch

@@ -0,0 +1,51 @@
+diff --git a/lib/freebl/intel-gcm-wrap.c b/lib/freebl/intel-gcm-wrap.c
+--- a/lib/freebl/intel-gcm-wrap.c
++++ b/lib/freebl/intel-gcm-wrap.c
+@@ -138,16 +138,17 @@ intel_AES_GCM_CreateContext(void *contex
+ loser:
+     PORT_Free(gcm);
+     return NULL;
+ }
+ 
+ void
+ intel_AES_GCM_DestroyContext(intel_AES_GCMContext *gcm, PRBool freeit)
+ {
++    PORT_Memset(gcm, 0, sizeof(intel_AES_GCMContext));
+     if (freeit) {
+         PORT_Free(gcm);
+     }
+ }
+ 
+ SECStatus
+ intel_AES_GCM_EncryptUpdate(intel_AES_GCMContext *gcm,
+                             unsigned char *outbuf,
+diff --git a/lib/freebl/rijndael.c b/lib/freebl/rijndael.c
+--- a/lib/freebl/rijndael.c
++++ b/lib/freebl/rijndael.c
+@@ -1027,23 +1027,25 @@ AES_CreateContext(const unsigned char *k
+  * AES_DestroyContext
+  *
+  * Zero an AES cipher context.  If freeit is true, also free the pointer
+  * to the context.
+  */
+ void
+ AES_DestroyContext(AESContext *cx, PRBool freeit)
+ {
++    void *mem = cx->mem;
+     if (cx->worker_cx && cx->destroy) {
+         (*cx->destroy)(cx->worker_cx, PR_TRUE);
+         cx->worker_cx = NULL;
+         cx->destroy = NULL;
+     }
++    PORT_Memset(cx, 0, sizeof(AESContext));
+     if (freeit) {
+-        PORT_Free(cx->mem);
++        PORT_Free(mem);
+     }
+ }
+ 
+ /*
+  * AES_Encrypt
+  *
+  * Encrypt an arbitrary-length buffer.  The output buffer must already be
+  * allocated to at least inputLen.

SOURCES/nss-softokn-config.in

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+prefix=@prefix@
+
+major_version=@MOD_MAJOR_VERSION@
+minor_version=@MOD_MINOR_VERSION@
+patch_version=@MOD_PATCH_VERSION@
+
+usage()
+{
+	cat <<EOF
+Usage: nss-softokn-config [OPTIONS] [LIBRARIES]
+Options:
+	[--prefix[=DIR]]
+	[--exec-prefix[=DIR]]
+	[--includedir[=DIR]]
+	[--libdir[=DIR]]
+	[--version]
+	[--libs]
+	[--cflags]
+Dynamic Libraries:
+	softokn3 - Requires full dynamic linking
+	freebl3  - for internal use only (and glibc for self-integrity check)
+	nssdbm3  - for internal use only
+Dymamically linked
+EOF
+	exit $1
+}
+
+if test $# -eq 0; then
+	usage 1 1>&2
+fi
+
+while test $# -gt 0; do
+  case "$1" in
+  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+  *) optarg= ;;
+  esac
+
+  case $1 in
+    --prefix=*)
+      prefix=$optarg
+      ;;
+    --prefix)
+      echo_prefix=yes
+      ;;
+    --exec-prefix=*)
+      exec_prefix=$optarg
+      ;;
+    --exec-prefix)
+      echo_exec_prefix=yes
+      ;;
+    --includedir=*)
+      includedir=$optarg
+      ;;
+    --includedir)
+      echo_includedir=yes
+      ;;
+    --libdir=*)
+      libdir=$optarg
+      ;;
+    --libdir)
+      echo_libdir=yes
+      ;;
+    --version)
+      echo ${major_version}.${minor_version}.${patch_version}
+      ;;
+    --cflags)
+      echo_cflags=yes
+      ;;
+    --libs)
+      echo_libs=yes
+      ;;
+    *)
+      usage 1 1>&2
+      ;;
+  esac
+  shift
+done
+
+# Set variables that may be dependent upon other variables
+if test -z "$exec_prefix"; then
+    exec_prefix=`pkg-config --variable=exec_prefix nss-softokn`
+fi
+if test -z "$includedir"; then
+    includedir=`pkg-config --variable=includedir nss-softokn`
+fi
+if test -z "$libdir"; then
+    libdir=`pkg-config --variable=libdir nss-softokn`
+fi
+
+if test "$echo_prefix" = "yes"; then
+    echo $prefix
+fi
+
+if test "$echo_exec_prefix" = "yes"; then
+    echo $exec_prefix
+fi
+
+if test "$echo_includedir" = "yes"; then
+    echo $includedir
+fi
+
+if test "$echo_libdir" = "yes"; then
+    echo $libdir
+fi
+
+if test "$echo_cflags" = "yes"; then
+    echo -I$includedir
+fi
+
+if test "$echo_libs" = "yes"; then
+      libdirs="-Wl,-rpath-link,$libdir -L$libdir"
+      echo $libdirs
+fi      
+

SOURCES/nss-softokn-dracut-module-setup.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    return 255
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    local _dir
+
+    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
+        libfreebl3.so 
+}
+

SOURCES/nss-softokn-dracut.conf

@@ -0,0 +1,3 @@
+# turn on nss-softokn module
+
+add_dracutmodules+=" nss-softokn "

SOURCES/nss-softokn-fs-probe.patch

@@ -0,0 +1,79 @@
+# HG changeset patch
+# User David Keeler <dkeeler@mozilla.com>
+# Date 1500978196 -7200
+#      Tue Jul 25 12:23:16 2017 +0200
+# Node ID 9c94423e0669decabbb22b0d52ce31115c750265
+# Parent  f212be04f3d0265340bf5ae20ffbbccdda68b0aa
+bug 1382736 - Don't perform costly filesystem probes at startup r=ttaubert
+
+Differential Revision: https://nss-review.dev.mozaws.net/D374
+
+diff --git a/lib/softoken/sdb.c b/lib/softoken/sdb.c
+--- a/lib/softoken/sdb.c
++++ b/lib/softoken/sdb.c
+@@ -1866,30 +1866,29 @@ sdb_init(char *dbname, char *table, sdbD
+      * so we use it for the cache (see sdb_buildCache for how it's done).*/
+ 
+     /*
+-      * we decide whether or not to use the cache based on the following input.
+-      *
+-      * NSS_SDB_USE_CACHE environment variable is non-existant or set to
+-      *   anything other than "no" or "yes" ("auto", for instance).
+-      *   This is the normal case. NSS will measure the performance of access
+-      *   to the temp database versus the access to the users passed in
+-      *   database location. If the temp database location is "significantly"
+-      *   faster we will use the cache.
+-      *
+-      * NSS_SDB_USE_CACHE environment variable is set to "no": cache will not
+-      *   be used.
+-      *
+-      * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
+-      *   always be used.
+-      *
+-      * It is expected that most applications would use the "auto" selection,
+-      * the environment variable is primarily to simplify testing, and to
+-      * correct potential corner cases where  */
++     * we decide whether or not to use the cache based on the following input.
++     *
++     * NSS_SDB_USE_CACHE environment variable is set to anything other than
++     *   "yes" or "no" (for instance, "auto"): NSS will measure the performance
++     *   of access to the temp database versus the access to the user's
++     *   passed-in database location. If the temp database location is
++     *   "significantly" faster we will use the cache.
++     *
++     * NSS_SDB_USE_CACHE environment variable is nonexistent or set to "no":
++     *   cache will not be used.
++     *
++     * NSS_SDB_USE_CACHE environment variable is set to "yes": cache will
++     *   always be used.
++     *
++     * It is expected that most applications will not need this feature, and
++     * thus it is disabled by default.
++     */
+ 
+     env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
+ 
+-    if (env && PORT_Strcasecmp(env, "no") == 0) {
++    if (!env || PORT_Strcasecmp(env, "no") == 0) {
+         enableCache = PR_FALSE;
+-    } else if (env && PORT_Strcasecmp(env, "yes") == 0) {
++    } else if (PORT_Strcasecmp(env, "yes") == 0) {
+         enableCache = PR_TRUE;
+     } else {
+         char *tempDir = NULL;
+@@ -2035,10 +2034,11 @@ s_open(const char *directory, const char
+     {
+         char *env;
+         env = PR_GetEnvSecure("NSS_SDB_USE_CACHE");
+-        /* If the environment variable is set to yes or no, sdb_init() will
+-         * ignore the value of accessOps, and we can skip the measuring.*/
+-        if (!env || ((PORT_Strcasecmp(env, "no") != 0) &&
+-                     (PORT_Strcasecmp(env, "yes") != 0))) {
++        /* If the environment variable is undefined or set to yes or no,
++         * sdb_init() will ignore the value of accessOps, and we can skip the
++         * measuring.*/
++        if (env && PORT_Strcasecmp(env, "no") != 0 &&
++            PORT_Strcasecmp(env, "yes") != 0) {
+             accessOps = sdb_measureAccess(directory);
+         }
+     }

SOURCES/nss-softokn-prelink.conf

@@ -0,0 +1,6 @@
+-b /lib{,64}/libfreeblpriv3.so
+-b /lib{,64}/libsoftokn3.so
+-b /lib{,64}/libnssdbm3.so
+-b /usr/lib{,64}/libfreeblpriv3.so
+-b /usr/lib{,64}/libsoftokn3.so
+-b /usr/lib{,64}/libnssdbm3.so

SOURCES/nss-softokn-tls-abi-fix.patch

@@ -0,0 +1,26 @@
+diff -up ./nss/lib/softoken/pkcs11c.c.tls_abi_fix ./nss/lib/softoken/pkcs11c.c
+--- ./nss/lib/softoken/pkcs11c.c.tls_abi_fix	2017-03-23 14:44:59.059880273 -0700
++++ ./nss/lib/softoken/pkcs11c.c	2017-03-23 14:45:24.738316707 -0700
+@@ -2672,6 +2672,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
+         case CKM_TLS_PRF_GENERAL:
+             crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0);
+             break;
++        case CKM_TLS_KDF:
+         case CKM_TLS_MAC: {
+             CK_TLS_MAC_PARAMS *tls12_mac_params;
+             HASH_HashType tlsPrfHash;
+diff -up ./nss/lib/softoken/pkcs11.c.tls_abi_fix ./nss/lib/softoken/pkcs11.c
+--- ./nss/lib/softoken/pkcs11.c.tls_abi_fix	2017-03-23 14:42:21.055194120 -0700
++++ ./nss/lib/softoken/pkcs11.c	2017-03-23 14:44:44.321629780 -0700
+@@ -373,6 +373,11 @@ static const struct mechanismList mechan
+     { CKM_SHA512_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
+     { CKM_TLS_PRF_GENERAL, { 0, 512, CKF_SN_VR }, PR_FALSE },
+     { CKM_TLS_MAC, { 0, 512, CKF_SN_VR }, PR_FALSE },
++    { CKM_TLS_KDF, { 0, 512, CKF_SN_VR }, PR_FALSE }, /* in RHEL 7.3 we had the wrong 
++						       * number for TLS_MAC. keep the old
++						       * number to allow old versions of 
++						       * nss on * RHEL 7 to work with 
++						       * this softoken */
+     { CKM_NSS_TLS_PRF_GENERAL_SHA256,
+       { 0, 512, CKF_SN_VR },
+       PR_FALSE },

SOURCES/nss-softokn.pc.in

@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}

SOURCES/nss-split-softokn.sh

@@ -0,0 +1,115 @@
+#!/bin/sh
+#
+# Splits NSS into nss-util and nss-softokn
+# Takes as command line input the version of nss
+# and assumes that a file nss-${nss_version}.tar.gz
+# exists in the current directory
+
+set -e
+
+if test -z $1
+then
+  echo "usage: $0 nss-version"
+  exit
+fi
+
+export name=nss
+export version=$1
+
+echo "Extracting ${name}-${version}.tar.gz"
+
+tar -xzf ${name}-${version}.tar.gz
+
+# the directory will be named ${name}-${version}
+
+nss_source_dir=${name}-${version}
+softokn_dir=${name}-softokn-${version}
+
+# make_nss_softokn
+#-------------------------------------------------
+# create the nss-softokn subset consisting of
+#   nss/dbm                 full directory
+#   nss/coreconf            full directory
+#   nss                     top files only
+#   nss/lib                 top files only
+#   nss/lib/freebl          full directory
+#   nss/lib/softoken        full directory
+#   nss/lib/softoken/dbm    full directory
+#-------------------------------------------------------
+
+WORK=${softokn_dir}-work
+rm -rf ${WORK}
+mkdir ${WORK}
+
+# copy everything
+cp -a ${nss_source_dir} ${WORK}/${softokn_dir}
+
+# remove subdirectories that we don't want
+rm -rf ${WORK}/${softokn_dir}/nss/cmd
+rm -rf ${WORK}/${softokn_dir}/nss/tests
+rm -rf ${WORK}/${softokn_dir}/nss/lib
+rm -rf ${WORK}/${softokn_dir}/nss/pkg
+rm -rf ${WORK}/${softokn_dir}/nss/automation
+rm -rf ${WORK}/${softokn_dir}/nss/external_tests
+rm -rf ${WORK}/${softokn_dir}/nss/doc
+# start with an empty lib directory and copy only what we need
+mkdir ${WORK}/${softokn_dir}/nss/lib
+# copy the top files from nss/lib/
+topFilesL=`find ${nss_source_dir}/nss/lib/ -maxdepth 1 -mindepth 1 -type f`
+for f in $topFilesL; do
+  cp -p $f ${WORK}/${softokn_dir}/nss/lib
+done
+mkdir ${WORK}/${softokn_dir}/nss/lib/util
+# copy entire dbm, freebl and softoken directories recursively
+cp -a ${nss_source_dir}/nss/lib/dbm ${WORK}/${softokn_dir}/nss/lib/dbm
+cp -a ${nss_source_dir}/nss/lib/freebl ${WORK}/${softokn_dir}/nss/lib/freebl
+cp -a ${nss_source_dir}/nss/lib/softoken ${WORK}/${softokn_dir}/nss/lib/softoken
+# and some Makefiles and related files from nss
+topFilesN=`find ${nss_source_dir}/nss/ -maxdepth 1 -mindepth 1 -type f`
+for f in $topFilesN; do
+  cp -p $f ${WORK}/${softokn_dir}/nss/
+done
+# copy private headers that nss-softoken needs
+for f in verref.h; do
+  cp -p ${nss_source_dir}/nss/lib/util/$f ${WORK}/${softokn_dir}/nss/lib/util
+done
+
+# we do need bltest, ecperf, fbectest, lib, lowhashtest, and shlibsign
+# from nss/cmd
+mkdir ${WORK}/${softokn_dir}/nss/cmd
+# copy some files at the top and the slhlib subdirectory
+topFilesC=`find ${nss_source_dir}/nss/cmd/ -maxdepth 1 -mindepth 1 -type f`
+for f in $topFilesC; do
+  cp -p $f ${WORK}/${softokn_dir}/nss/cmd/
+done
+
+cp -a ${nss_source_dir}/nss/cmd/bltest ${WORK}/${softokn_dir}/nss/cmd/bltest
+cp -a ${nss_source_dir}/nss/cmd/ecperf ${WORK}/${softokn_dir}/nss/cmd/ecperf
+cp -a ${nss_source_dir}/nss/cmd/fbectest ${WORK}/${softokn_dir}/nss/cmd/fbectest
+cp -a ${nss_source_dir}/nss/cmd/fipstest ${WORK}/${softokn_dir}/nss/cmd/fipstest
+cp -a ${nss_source_dir}/nss/cmd/lib ${WORK}/${softokn_dir}/nss/cmd/lib
+cp -a ${nss_source_dir}/nss/cmd/lowhashtest ${WORK}/${softokn_dir}/nss/cmd/lowhashtest
+cp -a ${nss_source_dir}/nss/cmd/shlibsign ${WORK}/${softokn_dir}/nss/cmd/shlibsign
+
+# plus common, crypto, and lowhash from nss/tests
+mkdir ${WORK}/${softokn_dir}/nss/tests
+topFilesT=`find ${nss_source_dir}/nss/tests/ -maxdepth 1 -mindepth 1 -type f`
+for f in $topFilesT; do
+  cp -p $f ${WORK}/${softokn_dir}/nss/tests/
+done
+keepers="cipher common ec lowhash"
+for t in $keepers; do
+  cp -a ${nss_source_dir}/nss/tests/$t ${WORK}/${softokn_dir}/nss/tests/$t
+done
+
+pushd ${WORK}
+# the compressed tar ball for nss-softokn
+tar -czf ../${name}-softokn-${version}.tar.gz ${softokn_dir}
+popd
+
+# cleanup after ourselves
+rm -fr ${nss_source_dir}
+rm -rf ${WORK}
+
+
+