From 595334510899780777f7ea1cfe8bb6f5e272a89f Mon Sep 17 00:00:00 2001 From: Elio Maldonado Date: Mon, 8 Feb 2016 07:57:39 -0800 Subject: [PATCH] Update to NSS 3.22 --- disableSSL2libssl.patch | 18 ++- disableSSL2tests.patch | 17 ++- fix_warnings_treated_as_errors.patch | 124 ++++++++++++++++++ iquote.patch | 34 +++++ nss.spec | 24 +++- ..._sslauth_sni_tests_client_side_fixes.patch | 38 ------ ...185708-enable-ecc-ciphers-by-default.patch | 39 ------ sources | 2 +- vfyserv-defined-but-not-used.patch | 18 +++ 9 files changed, 210 insertions(+), 104 deletions(-) create mode 100644 fix_warnings_treated_as_errors.patch delete mode 100644 ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch delete mode 100644 rhbz1185708-enable-ecc-ciphers-by-default.patch create mode 100644 vfyserv-defined-but-not-used.patch diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch index 10e583a..0186b22 100644 --- a/disableSSL2libssl.patch +++ b/disableSSL2libssl.patch @@ -1,6 +1,5 @@ -diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk ---- a/lib/ssl/config.mk -+++ b/lib/ssl/config.mk +--- ./lib/ssl/config.mk.disableSSL2libssl 2016-01-29 02:30:10.000000000 -0800 ++++ ./lib/ssl/config.mk 2016-02-06 11:20:50.322990421 -0800 @@ -2,16 +2,20 @@ # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this @@ -22,10 +21,9 @@ diff --git a/lib/ssl/config.mk b/lib/ssl/config.mk ifdef NSS_NO_PKCS11_BYPASS DEFINES += -DNO_PKCS11_BYPASS else -diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c ---- a/lib/ssl/sslsock.c -+++ b/lib/ssl/sslsock.c -@@ -674,16 +674,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh +--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-02-06 11:20:50.312990617 -0800 ++++ ./lib/ssl/sslsock.c 2016-02-06 11:26:04.123828138 -0800 +@@ -705,16 +705,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh if (ss->cipherSpecs) { PORT_Free(ss->cipherSpecs); ss->cipherSpecs = NULL; @@ -47,8 +45,8 @@ 
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c } break; } - ss->opt.enableSSL2 = on; -@@ -691,52 +697,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + if (on) { +@@ -729,52 +735,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh ss->opt.v2CompatibleHello = on; } ss->preferredCipher = NULL; @@ -116,7 +114,7 @@ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c rv = SECFailure; } else { if (PR_FALSE != on) { -@@ -1163,16 +1184,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo +@@ -1235,16 +1256,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo } return SECSuccess; } diff --git a/disableSSL2tests.patch b/disableSSL2tests.patch index 9011bfe..b3cdc14 100644 --- a/disableSSL2tests.patch +++ b/disableSSL2tests.patch @@ -1,12 +1,11 @@ -diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ---- a/tests/ssl/ssl.sh -+++ b/tests/ssl/ssl.sh +--- ./tests/ssl/ssl.sh.disableSSL2tests 2016-01-29 02:30:10.000000000 -0800 ++++ ./tests/ssl/ssl.sh 2016-02-06 11:50:26.496668124 -0800 @@ -57,19 +57,24 @@ ssl_init() fi PORT=${PORT-8443} NSS_SSL_TESTS=${NSS_SSL_TESTS:-normal_normal} - nss_ssl_run="stapling cov auth stress" + nss_ssl_run="stapling signed_cert_timestamps cov auth stress" NSS_SSL_RUN=${NSS_SSL_RUN:-$nss_ssl_run} # Test case files @@ -20,6 +19,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh + fi SSLAUTH=${QADIR}/ssl/sslauth.txt - SSLSTRESS=${QADIR}/ssl/sslstress.txt + SSLPOLICY=${QADIR}/ssl/sslpolicy.txt REQUEST_FILE=${QADIR}/ssl/sslreq.dat #temparary files @@ -27,8 +27,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh SERVERPID=${TMP}/tests_pid.$$ R_SERVERPID=../tests_pid.$$ - -@@ -115,17 +120,21 @@ is_selfserv_alive() +@@ -116,17 +121,21 @@ is_selfserv_alive() if [ "${OS_ARCH}" = "WINNT" ] && \ [ "$OS_NAME" = "CYGWIN_NT" -o "$OS_NAME" = "MINGW32_NT" ]; then PID=${SHELL_SERVERPID} @@ -50,7 +49,7 @@ 
diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # local shell function to wait until selfserver is running and initialized ######################################################################## wait_for_selfserv() -@@ -138,17 +147,21 @@ wait_for_selfserv() +@@ -139,17 +148,21 @@ wait_for_selfserv() if [ $? -ne 0 ]; then sleep 5 echo "retrying to connect to selfserv at `date`" @@ -72,7 +71,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh ########################### kill_selfserv ############################## # local shell function to kill the selfserver after the tests are done ######################################################################## -@@ -209,25 +222,26 @@ start_selfserv() +@@ -210,25 +223,26 @@ start_selfserv() ECC_OPTIONS="" fi if [ "$1" = "mixed" ]; then @@ -102,7 +101,7 @@ diff --git a/tests/ssl/ssl.sh b/tests/ssl/ssl.sh # process (sh.exe). MKS's kill command has a bug: invoking kill # on the helper process does not terminate the real background # process. Our workaround has been to have selfserv save its PID -@@ -274,16 +288,22 @@ ssl_cov() +@@ -275,16 +289,22 @@ ssl_cov() exec < ${SSLCOV} while read ectype testmax param testname do diff --git a/fix_warnings_treated_as_errors.patch b/fix_warnings_treated_as_errors.patch new file mode 100644 index 0000000..84e3ee6 --- /dev/null +++ b/fix_warnings_treated_as_errors.patch 
@@ -0,0 +1,124 @@ +diff -up ./cmd/p7sign/p7sign.c.fix_warnings ./cmd/p7sign/p7sign.c +--- ./cmd/p7sign/p7sign.c.fix_warnings 2016-02-07 15:29:48.459494920 -0800 ++++ ./cmd/p7sign/p7sign.c 2016-02-07 15:55:04.920963101 -0800 +@@ -92,21 +92,24 @@ SignFile(FILE *outFile, PRFileDesc *inFi + SEC_PKCS7ContentInfo *cinfo; + SECStatus rv; + +- if (outFile == NULL || inFile == NULL || cert == NULL) +- return -1; ++ if (outFile == NULL || inFile == NULL || cert == NULL) { ++ return -1; ++ } + + /* suck the file in */ +- if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, +- PR_FALSE) != SECSuccess) +- return -1; ++ if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, ++ PR_FALSE) != SECSuccess) { ++ return -1; ++ } + + if (!encapsulated) { + /* unfortunately, we must create the digest ourselves */ + /* SEC_PKCS7CreateSignedData should have a flag to not include */ + /* the content for non-encapsulated content at encode time, but */ + /* should always compute the hash itself */ +- if (CreateDigest(&data2sign, digestdata, &len, 32) < 0) +- return -1; ++ if (CreateDigest(&data2sign, digestdata, &len, 32) < 0) { ++ return -1; ++ } + digest.data = (unsigned char *)digestdata; + digest.len = len; + } +@@ -116,9 +119,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi + SEC_OID_SHA1, + encapsulated ? 
NULL : &digest, + NULL, NULL); +- if (cinfo == NULL) ++ if (cinfo == NULL) { + return -1; +- ++ } + if (encapsulated) { + SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len); + } +@@ -134,8 +137,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi + + SEC_PKCS7DestroyContentInfo (cinfo); + +- if (rv != SECSuccess) ++ if (rv != SECSuccess) { + return -1; ++ } + + return 0; + } +diff -up ./cmd/vfychain/vfychain.c.fix_warnings ./cmd/vfychain/vfychain.c +--- ./cmd/vfychain/vfychain.c.fix_warnings 2016-02-07 16:03:13.189775733 -0800 ++++ ./cmd/vfychain/vfychain.c 2016-02-07 16:22:33.709073372 -0800 +@@ -439,7 +439,7 @@ main(int argc, char *argv[], char *envp[ + case 0 : /* positional parameter */ goto breakout; + case 'a' : isAscii = PR_TRUE; break; + case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); +- if (secStatus != SECSuccess) Usage(progName); break; ++ if (secStatus != SECSuccess) { Usage(progName); } break; + case 'd' : certDir = PL_strdup(optstate->value); break; + case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; + case 'f' : certFetching = PR_TRUE; break; +@@ -484,9 +484,9 @@ main(int argc, char *argv[], char *envp[ + case 't' : trusted = PR_TRUE; break; + case 'T' : onlyTrustAnchors = PR_FALSE; break; + case 'u' : usage = PORT_Atoi(optstate->value); +- if (usage < 0 || usage > 62) Usage(progName); ++ if (usage < 0 || usage > 62) { Usage(progName); } + certUsage = ((SECCertificateUsage)1) << usage; +- if (certUsage > certificateUsageHighest) Usage(progName); ++ if (certUsage > certificateUsageHighest) { Usage(progName); } + break; + case 'w': + pwdata.source = PW_PLAINTEXT; +diff -up ./lib/dbm/src/hash.c.fix_warnings ./lib/dbm/src/hash.c +--- ./lib/dbm/src/hash.c.fix_warnings 2016-02-07 15:18:54.006925157 -0800 ++++ ./lib/dbm/src/hash.c 2016-02-07 15:21:02.151491099 -0800 +@@ -815,9 +815,9 @@ hash_access( + } + + ovfl_loop_count++; +- if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS) ++ if(ovfl_loop_count > 
MAX_OVERFLOW_HASH_ACCESS_LOOPS) { + return (DATABASE_CORRUPTED_ERROR); +- ++ } + /* FOR LOOP INIT */ + bp = (uint16 *)rbufp->page; + n = *bp++; +@@ -825,8 +825,9 @@ hash_access( + off = hashp->BSIZE; + } else if (bp[1] < REAL_KEY) { + if ((ndx = +- __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) ++ __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) { + goto found; ++ } + if (ndx == -2) { + bufp = rbufp; + if (!(pageno = +diff -up ./lib/dbm/src/h_page.c.fix_warnings ./lib/dbm/src/h_page.c +--- ./lib/dbm/src/h_page.c.fix_warnings 2016-01-29 02:30:10.000000000 -0800 ++++ ./lib/dbm/src/h_page.c 2016-02-07 15:10:42.439250993 -0800 +@@ -114,9 +114,9 @@ long new_lseek(int fd, long offset, int + + if(origin == SEEK_CUR) + { +- if(offset < 1) +- return(lseek(fd, offset, SEEK_CUR)); +- ++ if(offset < 1) { ++ return(lseek(fd, offset, SEEK_CUR)); ++ } + cur_pos = lseek(fd, 0, SEEK_CUR); + + if(cur_pos < 0) diff --git a/iquote.patch b/iquote.patch index 0c9e4cf..d86c518 100644 --- a/iquote.patch +++ b/iquote.patch @@ -171,6 +171,18 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile +INCLUDES += -iquote $(DIST)/../public/nss +INCLUDES += -iquote $(DIST)/../private/nss + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile +--- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-07 09:49:33.310455054 -0800 ++++ ./nss/lib/pk11wrap/Makefile 2016-02-07 09:51:38.830881330 -0800 +@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile 
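Review bot: In the p7sign.c part of fix_warnings_treated_as_errors.patch, SignFile still returns -1 when CreateDigest fails, and again when cinfo is NULL, without releasing data2sign, which SECU_ReadDERFromFile filled a few lines earlier. The patch only wraps those returns in braces, so the buffer appears to leak on both error paths. Either free it first, e.g. `SECITEM_FreeItem(&data2sign, PR_FALSE);` before each of those `return -1;` lines, or keep the patch purely mechanical and report the leak upstream. The rest of SignFile lies outside these hunks, so whether the success path releases data2sign needs checking against the full function.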
@@ -185,3 +197,25 @@ diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile +--- ./nss/external_tests/pk11_gtest/Makefile.iquote 2016-02-07 10:07:49.163055808 -0800 ++++ ./nss/external_tests/pk11_gtest/Makefile 2016-02-07 10:09:07.463478307 -0800 +@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile +--- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-07 10:19:57.132763142 -0800 ++++ ./nss/external_tests/ssl_gtest/Makefile 2016-02-07 10:20:42.346957530 -0800 +@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff --git a/nss.spec b/nss.spec index 3b55636..beb8deb 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,6 @@ -%global nspr_version 4.10.10 -%global nss_util_version 3.21.0 -%global nss_softokn_version 3.21.0 +%global nspr_version 4.11.0 +%global nss_util_version 3.22.0 +%global nss_softokn_version 3.22.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" 
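Review bot: The ssl_gtest section of iquote.patch adds its line as `+++INCLUDES += -iquote $(DIST)/../public/nss`, one `+` more than the pk11_gtest section just above it, which uses `++INCLUDES += ...`. Once the outer diff marker is stripped, the inner patch line is `++INCLUDES`, so the Makefile would receive the literal text `+INCLUDES += -iquote $(DIST)/../public/nss`. Make is likely to treat that as an assignment to a different variable, leaving INCLUDES without the extra search path for ssl_gtest. If this is not intended, the added line in the patch file should read `+INCLUDES += -iquote $(DIST)/../public/nss`, matching the pk11_gtest and pk11wrap sections.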
@@ -18,10 +18,10 @@ Summary: Network Security Services Name: nss -Version: 3.21.0 +Version: 3.22.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 7%{?dist} +Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -105,6 +105,10 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # The submission will be very different from this patch as # cleanup there is already in progress there. Patch59: pem-compile-with-Werror.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1246499 +Patch60: vfyserv-defined-but-not-used.patch +# Local: Upstream nss-3.23 has these fixed +Patch61: fix_warnings_treated_as_errors.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -195,6 +199,10 @@ popd %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5 %patch58 -p0 -b .1185708_3des %patch59 -p0 -b .compile_Werror +pushd nss +%patch60 -p1 -b .defined_not_used +%patch61 -p1 -b .fix_warnings +popd ######################################################### # Higher-level libraries and test tools need access to @@ -303,8 +311,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1 ##### phase 2: build the rest of nss # nss supports pluggable ecc with more than suite-b -NSS_ECC_MORE_THAN_SUITE_B=1 -export NSS_ECC_MORE_THAN_SUITE_B +export NSS_ECC_MORE_THAN_SUITE_B=1 export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/coreconf @@ -824,6 +831,9 @@ fi %changelog +* Mon Feb 08 2016 Elio Maldonado - 3.22.0-2 +- Update to NSS 3.22 + * Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-7 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch b/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch deleted file mode 100644 index 3ba7ae1..0000000 --- a/ocsp_stapling_sslauth_sni_tests_client_side_fixes.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -diff -up ./nss/tests/ssl/sslauth.txt.ocsp_sni ./nss/tests/ssl/sslauth.txt ---- ./nss/tests/ssl/sslauth.txt.ocsp_sni 2015-05-28 10:50:45.000000000 -0700 -+++ ./nss/tests/ssl/sslauth.txt 2015-08-30 08:49:22.025299419 -0700 -@@ -65,12 +65,12 @@ - # SNI Tests - # - SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI -- SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI -- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert -+ SNI 0 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI -+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert - SNI 0 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser SSL3 Server hello response without SNI -- SNI 1 -r_-a_Host-sni.Dom -V_ssl3:ssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions -+ SNI 1 -r_-a_Host-sni.Dom -V_ssl3:_-c_vssl3_-w_nss_-n_TestUser_-a_Host-sni.Dom SSL3 Server hello response with SNI: SSL don't have SH extensions - SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser TLS Server hello response without SNI -- SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI -+ SNI 0 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom TLS Server hello response with SNI - SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host.Dom TLS Server hello response with SNI: Change name on 2d HS -- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS -- SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert -+ SNI 1 -r_-r_-r_-a_Host-sni.Dom 
-V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni.Dom_-a_Host-sni1.Dom TLS Server hello response with SNI: Change name to invalid 2d HS -+ SNI 1 -r_-r_-r_-a_Host-sni.Dom -V_ssl3:_-c_v_-w_nss_-n_TestUser_-a_Host-sni1.Dom TLS Server response with alert -diff -up ./nss/tests/ssl/ssl.sh.ocsp_sni ./nss/tests/ssl/ssl.sh ---- ./nss/tests/ssl/ssl.sh.ocsp_sni 2015-08-30 08:49:21.905301105 -0700 -+++ ./nss/tests/ssl/ssl.sh 2015-08-30 08:49:22.017299531 -0700 -@@ -457,10 +457,10 @@ ssl_stapling_sub() - start_selfserv - - echo "tstclnt -p ${PORT} -h ${HOSTADDR} -f -d ${P_R_CLIENTDIR} -v ${CLIENT_OPTIONS} \\" -- echo " -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}" -+ echo " -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE}" - rm ${TMP}/$HOST.tmp.$$ 2>/dev/null - ${PROFTOOL} ${BINDIR}/tstclnt -p ${PORT} -h ${HOSTADDR} -f ${CLIENT_OPTIONS} \ -- -d ${P_R_CLIENTDIR} -v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \ -+ -d ${P_R_CLIENTDIR} -v -c v -T -O -F -M 1 -V ssl3: < ${REQUEST_FILE} \ - >${TMP}/$HOST.tmp.$$ 2>&1 - ret=$? - cat ${TMP}/$HOST.tmp.$$ diff --git a/rhbz1185708-enable-ecc-ciphers-by-default.patch b/rhbz1185708-enable-ecc-ciphers-by-default.patch deleted file mode 100644 index 80cf4a2..0000000 --- a/rhbz1185708-enable-ecc-ciphers-by-default.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -diff --git a/lib/ssl/ssl3con.c b/lib/ssl/ssl3con.c ---- a/lib/ssl/ssl3con.c -+++ b/lib/ssl/ssl3con.c -@@ -85,27 +85,27 @@ static SECStatus ssl3_AESGCMBypass(ssl3K - * - * Important: See bug 946147 before enabling, reordering, or adding any cipher - * suites to this list. - */ - static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = { - /* cipher_suite policy enabled isPresent */ - - #ifndef NSS_DISABLE_ECC -- { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around - * bug 946147. - */ -- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, -+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - { 
TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE}, - #endif /* NSS_DISABLE_ECC */ - - { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE}, - { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE}, diff --git a/sources b/sources index b8aa5ea..2a3bcb4 100644 --- a/sources +++ b/sources @@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2 -f53ffa490133d29ff930fa4b29bade90 nss-3.21.0.tar.gz +a0ae9d27c0261716648e49e3be33badd nss-3.22.0.tar.gz diff --git a/vfyserv-defined-but-not-used.patch b/vfyserv-defined-but-not-used.patch new file mode 100644 index 0000000..a844fc1 --- /dev/null +++ b/vfyserv-defined-but-not-used.patch @@ -0,0 +1,18 @@ +diff -up ./cmd/vfyserv/vfyserv.h.defined_not_used ./cmd/vfyserv/vfyserv.h +--- ./cmd/vfyserv/vfyserv.h.defined_not_used 2016-02-06 18:32:54.143216370 -0800 ++++ ./cmd/vfyserv/vfyserv.h 2016-02-06 18:33:24.943636231 -0800 +@@ -135,14 +135,4 @@ void lockedVars_WaitForDone(lockedVars * + + int lockedVars_AddToCount(lockedVars *lv, int addend); + +-/* Buffer stuff. */ +- +-static const char stopCmd[] = { "GET /stop " }; +-static const char defaultHeader[] = { +- "HTTP/1.0 200 OK\r\n" +- "Server: SSL sample server\r\n" +- "Content-type: text/plain\r\n" +- "\r\n" +-}; +- + #endif