From 86f33dd63a3402008a9ce22ae4eb9b0926d7a53b Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Tue, 11 Dec 2018 13:26:51 +0100 Subject: [PATCH] Update to NSS 3.41 --- .gitignore | 1 + nss-539183.patch | 8 ++--- nss.spec | 36 +++++-------------- renegotiate-transitional.patch | 12 ------- ...8-enable-ecc-3des-ciphers-by-default.patch | 23 ------------ sources | 2 +- utilwrap-include-templates.patch | 14 -------- 7 files changed, 15 insertions(+), 81 deletions(-) delete mode 100644 renegotiate-transitional.patch delete mode 100644 rhbz1185708-enable-ecc-3des-ciphers-by-default.patch delete mode 100644 utilwrap-include-templates.patch diff --git a/.gitignore b/.gitignore index b0fa934..357bdc5 100644 --- a/.gitignore +++ b/.gitignore @@ -31,3 +31,4 @@ TestUser51.cert /nss-3.38.0.tar.gz /nss-3.39.tar.gz /nss-3.40.1.tar.gz +/nss-3.41.tar.gz diff --git a/nss-539183.patch b/nss-539183.patch index eda3249..267e71e 100644 --- a/nss-539183.patch +++ b/nss-539183.patch @@ -1,5 +1,5 @@ ---- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 -+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 +--- nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700 ++++ nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700 @@ -953,23 +953,23 @@ getBoundListenSocket(unsigned short port) { @@ -29,8 +29,8 @@ if (prStatus < 0) { PR_Close(listen_sock); errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)"); ---- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 -+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 +--- nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700 ++++ nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700 @@ -1711,23 +1711,23 @@ getBoundListenSocket(unsigned short port) { diff --git a/nss.spec b/nss.spec index da782dd..1024783 100644 --- a/nss.spec +++ b/nss.spec 
@@ -1,7 +1,6 @@ %global nspr_version 4.20.0 -%global nss_version 3.40.1 +%global nss_version 3.41.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools -%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" %global saved_files_dir %{_libdir}/nss/saved %global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ %global dracutlibdir %{_prefix}/lib/dracut @@ -45,9 +44,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM", Summary: Network Security Services Name: nss Version: %{nss_version} -# for Rawhide, please always use release >= 2 -# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) -Release: 1.0%{?dist} +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Requires: nspr >= %{nspr_version} @@ -94,14 +91,9 @@ Source25: key3.db.xml Source26: key4.db.xml Source27: secmod.db.xml Source28: nss-p11-kit.config -Source29: PayPalICA.cert -Source30: PayPalEE.cert -Patch1: renegotiate-transitional.patch # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 Patch2: nss-539183.patch -# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator -Patch3: utilwrap-include-templates.patch # This patch uses the GCC -iquote option documented at # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options # to give the in-tree headers a higher priority over the system headers, @@ -114,10 +106,6 @@ Patch3: utilwrap-include-templates.patch # Once the buildroot aha been bootstrapped the patch may be removed # but it doesn't hurt to keep it. Patch4: iquote.patch -# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers -Patch5: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317 -Patch6: nss-tests-paypal-certs-v2.patch %description Network Security Services (NSS) is a set of libraries designed to 
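Review bot: The spec never records that removing `Patch1: renegotiate-transitional.patch` (hunk at -94,14) and `Patch5: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch` (hunk at -114,10) changes the TLS defaults this package ships; the %changelog entry added later in the file says only "Update to NSS 3.41". Going by the deleted patch files, the `enableRenegotiation` default presumably reverts from `SSL_RENEGOTIATE_TRANSITIONAL` to `SSL_RENEGOTIATE_REQUIRES_XTN`, and the two ECDHE 3DES suites are no longer enabled by default. Both changes tighten the defaults, but they can surface as interoperability failures with peers that lack RFC 5746 support or offer only 3DES. I would add a changelog line such as `- Drop downstream renegotiation and ECDHE-3DES default patches; upstream defaults now apply` so such failures can be traced to this build. Whether NSS 3.41 itself ships different defaults is not visible here and should be confirmed.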
@@ -247,15 +235,8 @@ Header and library files for doing development with Network Security Services. %prep %setup -q -n %{name}-%{nss_archive_version} - -%patch1 -p0 -b .transitional -%patch2 -p0 -b .539183 -%patch3 -p0 -b .templates -%patch4 -p0 -b .iquote -%patch5 -p0 -b .1185708_3des pushd nss -%patch6 -p1 -b .paypal-certs -cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs +%autopatch -p1 popd @@ -467,8 +448,7 @@ fi MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||: RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||: DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||: -pushd `pwd` -cd $DISTBINDIR +pushd "$DISTBINDIR" ln -s selfserv $RANDSERV popd # man perlrun, man perlrequick @@ -481,7 +461,7 @@ find ./nss/tests -type f |\ killall $RANDSERV || : rm -rf ./tests_results -pushd ./nss/tests/ +pushd nss/tests # all.sh is the test suite script # don't need to run all the tests when testing packaging @@ -498,7 +478,6 @@ pushd ./nss/tests/ # % define nss_ssl_run "cov" HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh - popd # Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, @@ -638,7 +617,7 @@ for f in nss-config setup-nsssysinit; do install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done # Copy the man pages for the nss tools -for f in "%{allTools}"; do +for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done %if %{defined rhel} @@ -922,6 +901,9 @@ update-crypto-policies %changelog +* Mon Dec 10 2018 Daiki Ueno - 3.41.0-1 +- Update to NSS 3.41 + * Thu Dec 6 2018 Daiki Ueno - 3.40.1-1.0 - Update to NSS 3.40.1 diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch deleted file mode 100644 index d3aa3bd..0000000 
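Review bot: In the %prep hunk, `%autopatch -p1` under `pushd nss` applies every remaining patch with one strip level from inside the nss directory, but only nss-539183.patch has its paths rewritten in this commit. `Patch4: iquote.patch` is kept and not touched here, and it was previously applied with `-p0` from the top directory, so its paths should be checked against the new layout; its contents are not visible in this diff. A comment above the macro, e.g. `# patches are applied with -p1 from inside nss/; paths must be of the form nss/lib/...`, would document the convention for future patches. The %prep section continues outside this hunk.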
--- a/renegotiate-transitional.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
-+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
-@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
- .noLocks = PR_FALSE,
- .enableSessionTickets = PR_FALSE,
- .enableDeflate = PR_FALSE,
-- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
-+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
- .requireSafeNegotiation = PR_FALSE,
- .enableFalseStart = PR_FALSE,
- .cbcRandomIV = PR_TRUE,
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
deleted file mode 100644
index 455c747..0000000
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
-+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/sources b/sources
index bd84a22..d5a8214 100644
--- a/sources
+++ b/sources
@@ -3,4 +3,4 @@ SHA512 (blank-cert9.db) = 2f8eab4c0612210ee47db8a3a80c1b58a0b43849551af78c7da403
 SHA512 (blank-key3.db) = 01f7314e9fc8a7c9aa997652624cfcde213d18a6b3bb31840c1a60bbd662e56b5bc3221d13874abb42ce78163b225a6dfce2e1326cf6dd29366ad9c28ba5a71c
 SHA512 (blank-key4.db) = 8fedae93af7163da23fe9492ea8e785a44c291604fa98e58438448efb69c85d3253fc22b926d5c3209c62e58a86038fd4d78a1c4c068bc00600a7f3e5382ebe7
 SHA512 (blank-secmod.db) = 06a2dbd861839ef6315093459328b500d3832333a34b30e6fac4a2503af337f014a4d319f0f93322409e719142904ce8bc08252ae9a4f37f30d4c3312e900310
-SHA512 (nss-3.40.1.tar.gz) = 464ae843161e8deb911975d2117e8bf1194a968689b4ce70f9a12d5a33dba7ddd69f1248ec45244139c30fcc87678b206a4e124f032b26ead8bf894e4e8d0564
+SHA512 (nss-3.41.tar.gz) = b5a43fe86ded664002fd714c493d9222a64539cd6139b64720625d1742fec5100712cbe401c90c79196e9cbad9ec07d9b4f0f517ce34e4b207beaa3e01c9e114
diff --git a/utilwrap-include-templates.patch b/utilwrap-include-templates.patch
deleted file mode 100644
index 649b548..0000000
--- a/utilwrap-include-templates.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
---- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
-+++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
-@@ -3,6 +3,10 @@
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-+#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
-+INCLUDES += -I/usr/include/nss3/templates
-+#endif
-+
- # can't do this in manifest.mn because OS_TARGET isn't defined there.
- ifeq (,$(filter-out WIN%,$(OS_TARGET)))
-