From e4343992f01a9a42200f6f92edfff27b9a8b96bb Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Sat, 5 Mar 2016 12:42:26 -0800
Subject: [PATCH] Rebase to NSS 3.23
---
 .gitignore | 2 +-
 disableSSL2libssl.patch | 190 +++++++++++++--------------
 fix_warnings_treated_as_errors.patch | 124 -----------------
 iquote.patch | 146 ++++++++++----------
 nss.spec | 51 ++++---
 renegotiate-transitional.patch | 24 ++--
 sources | 2 +-
 vfyserv-defined-but-not-used.patch | 18 ---
 8 files changed, 200 insertions(+), 357 deletions(-)
 delete mode 100644 fix_warnings_treated_as_errors.patch
 delete mode 100644 vfyserv-defined-but-not-used.patch
diff --git a/.gitignore b/.gitignore
index 0b22e15..b8b21b3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,4 +10,4 @@ TestUser51.cert
 /nss-pem-20140125.tar.bz2
 /PayPalRootCA.cert
 /PayPalICA.cert
-/nss-3.22.2.tar.gz
+/nss-3.23.0.tar.gz
diff --git a/disableSSL2libssl.patch b/disableSSL2libssl.patch
index 0186b22..6957b00 100644
--- a/disableSSL2libssl.patch
+++ b/disableSSL2libssl.patch
@@ -1,5 +1,5 @@
---- ./lib/ssl/config.mk.disableSSL2libssl 2016-01-29 02:30:10.000000000 -0800
-+++ ./lib/ssl/config.mk 2016-02-06 11:20:50.322990421 -0800
+--- ./lib/ssl/config.mk.disableSSL2libssl 2016-03-05 09:20:12.712130884 -0800
++++ ./lib/ssl/config.mk 2016-03-05 09:24:22.748518581 -0800
 @@ -2,16 +2,20 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -13,108 +13,108 @@ +DEFINES += -DNSS_NO_SSL2_NO_EXPORT +endif + - # Allow build-time configuration of TLS 1.3 (Experimental) - ifdef NSS_ENABLE_TLS_1_3 - DEFINES += -DNSS_ENABLE_TLS_1_3 - endif - ifdef NSS_NO_PKCS11_BYPASS DEFINES += -DNO_PKCS11_BYPASS else ---- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-02-06 11:20:50.312990617 -0800 -+++ ./lib/ssl/sslsock.c 2016-02-06 11:26:04.123828138 -0800 -@@ -705,16 +705,22 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } - break; + CRYPTOLIB=$(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) - case SSL_ENABLE_SSL2: -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ + EXTRA_LIBS += \ + $(CRYPTOLIB) \ + $(NULL) +--- ./lib/ssl/sslsock.c.disableSSL2libssl 2016-03-05 09:20:12.713130866 -0800 ++++ ./lib/ssl/sslsock.c 2016-03-05 09:32:55.060592007 -0800 +@@ -707,16 +707,22 @@ + if (ss->cipherSpecs) { + PORT_Free(ss->cipherSpecs); + ss->cipherSpecs = NULL; + ss->sizeCipherSpecs = 0; } break; - } - if (on) { -@@ -729,52 +735,67 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + + case SSL_ENABLE_SSL2: ++#ifdef NSS_NO_SSL2_NO_EXPORT ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; /* not allowed */ + } + break; + } + if (on) { +@@ -731,52 +737,67 @@ + ss->opt.v2CompatibleHello = on; + } + ss->preferredCipher = NULL; + if (ss->cipherSpecs) { + PORT_Free(ss->cipherSpecs); + ss->cipherSpecs = NULL; + ss->sizeCipherSpecs = 0; + } ++#endif /* NSS_NO_SSL2_NO_EXPORT */ + break; + + case SSL_NO_CACHE: + ss->opt.noCache = on; + break; + + case SSL_ENABLE_FDX: + if (on && ss->opt.noLocks) { + 
PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; + } + ss->opt.fdx = on; + break; + + case SSL_V2_COMPATIBLE_HELLO: ++#ifdef NSS_NO_SSL2_NO_EXPORT ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + rv = SECFailure; /* not allowed */ + } + break; + } ss->opt.v2CompatibleHello = on; - } - ss->preferredCipher = NULL; - if (ss->cipherSpecs) { - PORT_Free(ss->cipherSpecs); - ss->cipherSpecs = NULL; - ss->sizeCipherSpecs = 0; - } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; - - case SSL_NO_CACHE: - ss->opt.noCache = on; - break; - - case SSL_ENABLE_FDX: - if (on && ss->opt.noLocks) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; - } - ss->opt.fdx = on; - break; - - case SSL_V2_COMPATIBLE_HELLO: -+#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } -+#else - if (IS_DTLS(ss)) { - if (on) { - PORT_SetError(SEC_ERROR_INVALID_ARGS); - rv = SECFailure; /* not allowed */ + if (!on) { + ss->opt.enableSSL2 = on; } ++#endif /* NSS_NO_SSL2_NO_EXPORT */ break; - } - ss->opt.v2CompatibleHello = on; - if (!on) { - ss->opt.enableSSL2 = on; - } -+#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; - case SSL_ROLLBACK_DETECTION: - ss->opt.detectRollBack = on; - break; + case SSL_ROLLBACK_DETECTION: + ss->opt.detectRollBack = on; + break; - case SSL_NO_STEP_DOWN: + case SSL_NO_STEP_DOWN: +#ifdef NSS_NO_SSL2_NO_EXPORT -+ if (!on) { -+ PORT_SetError(SSL_ERROR_SSL2_DISABLED); -+ rv = SECFailure; /* not allowed */ -+ } ++ if (!on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } +#else - ss->opt.noStepDown = on; - if (on) - SSL_DisableExportCipherSuites(fd); + ss->opt.noStepDown = on; + if (on) + SSL_DisableExportCipherSuites(fd); +#endif /* NSS_NO_SSL2_NO_EXPORT */ - break; + break; - case SSL_BYPASS_PKCS11: - if (ss->handshakeBegun) 
{ - PORT_SetError(PR_INVALID_STATE_ERROR); - rv = SECFailure; - } else { - if (PR_FALSE != on) { -@@ -1235,16 +1256,32 @@ SSL_OptionSetDefault(PRInt32 which, PRBo + case SSL_BYPASS_PKCS11: + if (ss->handshakeBegun) { + PORT_SetError(PR_INVALID_STATE_ERROR); + rv = SECFailure; + } else { + if (PR_FALSE != on) { +@@ -1324,16 +1345,32 @@ } return SECSuccess; } @@ -140,10 +140,10 @@ + } +#endif /* NSS_NO_SSL2_NO_EXPORT */ switch (suite) { - case SSL_FORTEZZA_DMS_WITH_NULL_SHA: - case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: - case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: - return PR_TRUE; - default: - return PR_FALSE; + case SSL_FORTEZZA_DMS_WITH_NULL_SHA: + case SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA: + case SSL_FORTEZZA_DMS_WITH_RC4_128_SHA: + return PR_TRUE; + default: + return PR_FALSE; } diff --git a/fix_warnings_treated_as_errors.patch b/fix_warnings_treated_as_errors.patch deleted file mode 100644 index 84e3ee6..0000000 --- a/fix_warnings_treated_as_errors.patch +++ /dev/null 
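Review bot: In the `NSS_NO_SSL2_NO_EXPORT` branch of `case SSL_NO_STEP_DOWN:` only `!on` is rejected; a call with `on` set returns success without assigning `ss->opt.noStepDown` or calling `SSL_DisableExportCipherSuites(fd)`, so the no-step-down guarantee rests on defaults that are not visible in this hunk. The `SSL_ENABLE_SSL2` and `SSL_V2_COMPATIBLE_HELLO` branches have the same shape, and they also sit ahead of the `IS_DTLS(ss)` check, so a DTLS socket is told `SSL_ERROR_SSL2_DISABLED` where the other build reports `SEC_ERROR_INVALID_ARGS`. I would state the contract at each branch, e.g. `/* SSL2 and export suites are compiled out: requests to enable them fail, the safe setting is a no-op and relies on ssl_defaults */`, and confirm that the defaults really match it. The enclosing function starts and ends outside the hunk.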
@@ -1,124 +0,0 @@ -diff -up ./cmd/p7sign/p7sign.c.fix_warnings ./cmd/p7sign/p7sign.c ---- ./cmd/p7sign/p7sign.c.fix_warnings 2016-02-07 15:29:48.459494920 -0800 -+++ ./cmd/p7sign/p7sign.c 2016-02-07 15:55:04.920963101 -0800 -@@ -92,21 +92,24 @@ SignFile(FILE *outFile, PRFileDesc *inFi - SEC_PKCS7ContentInfo *cinfo; - SECStatus rv; - -- if (outFile == NULL || inFile == NULL || cert == NULL) -- return -1; -+ if (outFile == NULL || inFile == NULL || cert == NULL) { -+ return -1; -+ } - - /* suck the file in */ -- if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, -- PR_FALSE) != SECSuccess) -- return -1; -+ if (SECU_ReadDERFromFile(&data2sign, inFile, PR_FALSE, -+ PR_FALSE) != SECSuccess) { -+ return -1; -+ } - - if (!encapsulated) { - /* unfortunately, we must create the digest ourselves */ - /* SEC_PKCS7CreateSignedData should have a flag to not include */ - /* the content for non-encapsulated content at encode time, but */ - /* should always compute the hash itself */ -- if (CreateDigest(&data2sign, digestdata, &len, 32) < 0) -- return -1; -+ if (CreateDigest(&data2sign, digestdata, &len, 32) < 0) { -+ return -1; -+ } - digest.data = (unsigned char *)digestdata; - digest.len = len; - } -@@ -116,9 +119,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi - SEC_OID_SHA1, - encapsulated ? 
NULL : &digest, - NULL, NULL); -- if (cinfo == NULL) -+ if (cinfo == NULL) { - return -1; -- -+ } - if (encapsulated) { - SEC_PKCS7SetContent(cinfo, (char *)data2sign.data, data2sign.len); - } -@@ -134,8 +137,9 @@ SignFile(FILE *outFile, PRFileDesc *inFi - - SEC_PKCS7DestroyContentInfo (cinfo); - -- if (rv != SECSuccess) -+ if (rv != SECSuccess) { - return -1; -+ } - - return 0; - } -diff -up ./cmd/vfychain/vfychain.c.fix_warnings ./cmd/vfychain/vfychain.c ---- ./cmd/vfychain/vfychain.c.fix_warnings 2016-02-07 16:03:13.189775733 -0800 -+++ ./cmd/vfychain/vfychain.c 2016-02-07 16:22:33.709073372 -0800 -@@ -439,7 +439,7 @@ main(int argc, char *argv[], char *envp[ - case 0 : /* positional parameter */ goto breakout; - case 'a' : isAscii = PR_TRUE; break; - case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); -- if (secStatus != SECSuccess) Usage(progName); break; -+ if (secStatus != SECSuccess) { Usage(progName); } break; - case 'd' : certDir = PL_strdup(optstate->value); break; - case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; - case 'f' : certFetching = PR_TRUE; break; -@@ -484,9 +484,9 @@ main(int argc, char *argv[], char *envp[ - case 't' : trusted = PR_TRUE; break; - case 'T' : onlyTrustAnchors = PR_FALSE; break; - case 'u' : usage = PORT_Atoi(optstate->value); -- if (usage < 0 || usage > 62) Usage(progName); -+ if (usage < 0 || usage > 62) { Usage(progName); } - certUsage = ((SECCertificateUsage)1) << usage; -- if (certUsage > certificateUsageHighest) Usage(progName); -+ if (certUsage > certificateUsageHighest) { Usage(progName); } - break; - case 'w': - pwdata.source = PW_PLAINTEXT; -diff -up ./lib/dbm/src/hash.c.fix_warnings ./lib/dbm/src/hash.c ---- ./lib/dbm/src/hash.c.fix_warnings 2016-02-07 15:18:54.006925157 -0800 -+++ ./lib/dbm/src/hash.c 2016-02-07 15:21:02.151491099 -0800 -@@ -815,9 +815,9 @@ hash_access( - } - - ovfl_loop_count++; -- if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS) -+ if(ovfl_loop_count > 
MAX_OVERFLOW_HASH_ACCESS_LOOPS) { - return (DATABASE_CORRUPTED_ERROR); -- -+ } - /* FOR LOOP INIT */ - bp = (uint16 *)rbufp->page; - n = *bp++; -@@ -825,8 +825,9 @@ hash_access( - off = hashp->BSIZE; - } else if (bp[1] < REAL_KEY) { - if ((ndx = -- __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) -+ __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) { - goto found; -+ } - if (ndx == -2) { - bufp = rbufp; - if (!(pageno = -diff -up ./lib/dbm/src/h_page.c.fix_warnings ./lib/dbm/src/h_page.c ---- ./lib/dbm/src/h_page.c.fix_warnings 2016-01-29 02:30:10.000000000 -0800 -+++ ./lib/dbm/src/h_page.c 2016-02-07 15:10:42.439250993 -0800 -@@ -114,9 +114,9 @@ long new_lseek(int fd, long offset, int - - if(origin == SEEK_CUR) - { -- if(offset < 1) -- return(lseek(fd, offset, SEEK_CUR)); -- -+ if(offset < 1) { -+ return(lseek(fd, offset, SEEK_CUR)); -+ } - cur_pos = lseek(fd, 0, SEEK_CUR); - - if(cur_pos < 0) diff --git a/iquote.patch b/iquote.patch index d86c518..fae52b8 100644 --- a/iquote.patch +++ b/iquote.patch @@ -1,17 +1,6 @@ -diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ---- nss/cmd/bltest/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/bltest/Makefile 2014-05-06 07:15:41.173387799 -0700 -@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../private/nss - - - ####################################################################### -diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile ---- nss/cmd/certcgi/Makefile.iquote 2014-08-19 10:18:35.713017904 -0700 -+++ nss/cmd/certcgi/Makefile 2014-08-19 10:19:36.106528087 -0700 +diff -up ./nss/cmd/certcgi/Makefile.iquote ./nss/cmd/certcgi/Makefile +--- ./nss/cmd/certcgi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/certcgi/Makefile 2016-03-05 12:04:06.216474144 -0800 
@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -22,9 +11,9 @@ diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile ---- nss/cmd/certutil/Makefile.iquote 2014-08-19 10:23:39.697585905 -0700 -+++ nss/cmd/certutil/Makefile 2014-08-19 10:24:31.060019803 -0700 +diff -up ./nss/cmd/certutil/Makefile.iquote ./nss/cmd/certutil/Makefile +--- ./nss/cmd/certutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/certutil/Makefile 2016-03-05 12:04:06.216474144 -0800 @@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -35,9 +24,9 @@ diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ---- nss/cmd/lib/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/lib/Makefile 2014-05-06 07:15:41.174387806 -0700 +diff -up ./nss/cmd/lib/Makefile.iquote ./nss/cmd/lib/Makefile +--- ./nss/cmd/lib/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/lib/Makefile 2016-03-05 12:04:06.216474144 -0800 @@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
@@ -48,10 +37,10 @@ diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/modutil/Makefile.iquote nss/cmd/modutil/Makefile ---- nss/cmd/modutil/Makefile.iquote 2014-05-06 07:34:30.055124213 -0700 -+++ nss/cmd/modutil/Makefile 2014-05-06 07:35:36.016602770 -0700 -@@ -41,6 +41,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk +diff -up ./nss/cmd/modutil/Makefile.iquote ./nss/cmd/modutil/Makefile +--- ./nss/cmd/modutil/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/modutil/Makefile 2016-03-05 12:04:06.216474144 -0800 +@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -59,9 +48,9 @@ diff -up nss/cmd/modutil/Makefile.iquote nss/cmd/modutil/Makefile ####################################################################### -diff -up nss/cmd/selfserv/Makefile.iquote nss/cmd/selfserv/Makefile ---- nss/cmd/selfserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/selfserv/Makefile 2014-05-06 07:15:41.175387813 -0700 +diff -up ./nss/cmd/selfserv/Makefile.iquote ./nss/cmd/selfserv/Makefile +--- ./nss/cmd/selfserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/selfserv/Makefile 2016-03-05 12:04:06.216474144 -0800 @@ -35,7 +35,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
@@ -72,9 +61,9 @@ diff -up nss/cmd/selfserv/Makefile.iquote nss/cmd/selfserv/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/ssltap/Makefile.iquote nss/cmd/ssltap/Makefile ---- nss/cmd/ssltap/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/ssltap/Makefile 2014-05-06 07:15:41.176387820 -0700 +diff -up ./nss/cmd/ssltap/Makefile.iquote ./nss/cmd/ssltap/Makefile +--- ./nss/cmd/ssltap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/ssltap/Makefile 2016-03-05 12:04:06.216474144 -0800 @@ -39,7 +39,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -85,9 +74,9 @@ diff -up nss/cmd/ssltap/Makefile.iquote nss/cmd/ssltap/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/strsclnt/Makefile.iquote nss/cmd/strsclnt/Makefile ---- nss/cmd/strsclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/strsclnt/Makefile 2014-05-06 07:15:41.177387827 -0700 +diff -up ./nss/cmd/strsclnt/Makefile.iquote ./nss/cmd/strsclnt/Makefile +--- ./nss/cmd/strsclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/strsclnt/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
@@ -98,9 +87,9 @@ diff -up nss/cmd/strsclnt/Makefile.iquote nss/cmd/strsclnt/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/tstclnt/Makefile.iquote nss/cmd/tstclnt/Makefile ---- nss/cmd/tstclnt/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/tstclnt/Makefile 2014-05-06 07:15:41.178387834 -0700 +diff -up ./nss/cmd/tstclnt/Makefile.iquote ./nss/cmd/tstclnt/Makefile +--- ./nss/cmd/tstclnt/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/tstclnt/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### @@ -110,9 +99,9 @@ diff -up nss/cmd/tstclnt/Makefile.iquote nss/cmd/tstclnt/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/cmd/vfyserv/Makefile.iquote nss/cmd/vfyserv/Makefile ---- nss/cmd/vfyserv/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/cmd/vfyserv/Makefile 2014-05-06 07:15:41.179387841 -0700 +diff -up ./nss/cmd/vfyserv/Makefile.iquote ./nss/cmd/vfyserv/Makefile +--- ./nss/cmd/vfyserv/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/cmd/vfyserv/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -37,6 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### 
@@ -122,9 +111,9 @@ diff -up nss/cmd/vfyserv/Makefile.iquote nss/cmd/vfyserv/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk ---- nss/coreconf/location.mk.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/coreconf/location.mk 2014-05-06 07:15:41.180387848 -0700 +diff -up ./nss/coreconf/location.mk.iquote ./nss/coreconf/location.mk +--- ./nss/coreconf/location.mk.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/coreconf/location.mk 2016-03-05 12:04:06.217474124 -0800 @@ -45,6 +45,10 @@ endif ifdef NSS_INCLUDE_DIR 
@@ -136,9 +125,32 @@ diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk endif ifndef NSS_LIB_DIR -diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ---- nss/lib/certhigh/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/lib/certhigh/Makefile 2014-05-06 07:15:41.181387855 -0700 +diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile +--- ./nss/external_tests/pk11_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/external_tests/pk11_gtest/Makefile 2016-03-05 12:04:06.217474124 -0800 +@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile +--- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/external_tests/ssl_gtest/Makefile 2016-03-05 12:05:17.208082475 -0800 +@@ -43,6 +43,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up ./nss/lib/certhigh/Makefile.iquote ./nss/lib/certhigh/Makefile +--- ./nss/lib/certhigh/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/lib/certhigh/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
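Review bot: The regenerated ssl_gtest Makefile section (inner hunk `@@ -43,6 +43,8 @@`) adds `INCLUDES += -iquote $(DIST)/../public/nss` twice in a row. The duplicate does not change header lookup, but it looks like a regeneration slip, possibly left over from the earlier malformed `++INCLUDES` line that this commit removes. If the second line was meant to add the private header directory, as the removed bltest section did with `$(DIST)/../private/nss`, it should say so; otherwise drop one of the two lines so the patch states exactly which in-tree headers take precedence over the system ones.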
@@ -148,9 +160,9 @@ diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ---- nss/lib/cryptohi/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/lib/cryptohi/Makefile 2014-05-06 07:15:41.182387862 -0700 +diff -up ./nss/lib/cryptohi/Makefile.iquote ./nss/lib/cryptohi/Makefile +--- ./nss/lib/cryptohi/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/lib/cryptohi/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -160,9 +172,9 @@ diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile ---- nss/lib/nss/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 -+++ nss/lib/nss/Makefile 2014-05-06 07:15:41.183387869 -0700 +diff -up ./nss/lib/nss/Makefile.iquote ./nss/lib/nss/Makefile +--- ./nss/lib/nss/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/lib/nss/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
@@ -174,8 +186,8 @@ diff -up nss/lib/nss/Makefile.iquote nss/lib/nss/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile ---- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-07 09:49:33.310455054 -0800 -+++ ./nss/lib/pk11wrap/Makefile 2016-02-07 09:51:38.830881330 -0800 +--- ./nss/lib/pk11wrap/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/lib/pk11wrap/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### @@ -185,9 +197,9 @@ diff -up ./nss/lib/pk11wrap/Makefile.iquote ./nss/lib/pk11wrap/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile ---- nss/lib/ssl/Makefile.iquote 2015-11-13 09:23:41.653738563 -0800 -+++ nss/lib/ssl/Makefile 2015-11-13 09:25:25.121415348 -0800 +diff -up ./nss/lib/ssl/Makefile.iquote ./nss/lib/ssl/Makefile +--- ./nss/lib/ssl/Makefile.iquote 2016-02-26 12:51:11.000000000 -0800 ++++ ./nss/lib/ssl/Makefile 2016-03-05 12:04:06.217474124 -0800 @@ -49,7 +49,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk # (6) Execute "component" rules. (OPTIONAL) # ####################################################################### 
@@ -197,25 +209,3 @@ diff -up nss/lib/ssl/Makefile.iquote nss/lib/ssl/Makefile ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/external_tests/pk11_gtest/Makefile.iquote ./nss/external_tests/pk11_gtest/Makefile ---- ./nss/external_tests/pk11_gtest/Makefile.iquote 2016-02-07 10:07:49.163055808 -0800 -+++ ./nss/external_tests/pk11_gtest/Makefile 2016-02-07 10:09:07.463478307 -0800 -@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -+INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # -diff -up ./nss/external_tests/ssl_gtest/Makefile.iquote ./nss/external_tests/ssl_gtest/Makefile ---- ./nss/external_tests/ssl_gtest/Makefile.iquote 2016-02-07 10:19:57.132763142 -0800 -+++ ./nss/external_tests/ssl_gtest/Makefile 2016-02-07 10:20:42.346957530 -0800 -@@ -37,6 +37,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk - # (6) Execute "component" rules. (OPTIONAL) # - ####################################################################### - -++INCLUDES += -iquote $(DIST)/../public/nss - - ####################################################################### - # (7) Execute "local" rules. (OPTIONAL). # diff --git a/nss.spec b/nss.spec index 06cf905..b6d61e0 100644 --- a/nss.spec +++ b/nss.spec @@ -1,6 +1,6 @@ %global nspr_version 4.12.0 -%global nss_util_version 3.22.2 -%global nss_softokn_version 3.22.2 +%global nss_util_version 3.23.0 +%global nss_softokn_version 3.23.0 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" 
@@ -18,7 +18,7 @@ Summary: Network Security Services Name: nss -Version: 3.22.2 +Version: 3.23.0 # for Rawhide, please always use release >= 2 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...) Release: 2%{?dist} @@ -87,7 +87,7 @@ Patch49: nss-skip-bltest-and-fipstest.patch # This patch uses the gcc-iquote dir option documented at # http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options # to place the in-tree directories at the head of the list of list of directories -# to be searched for for header files. This ensures a build even when system +# to be searched for for header files. This ensures a build even when system # headers are older. Such is the case when starting an update with API changes or even private export changes. # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. Patch50: iquote.patch @@ -105,10 +105,6 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch # The submission will be very different from this patch as # cleanup there is already in progress there. Patch59: pem-compile-with-Werror.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1246499 -Patch60: vfyserv-defined-but-not-used.patch -# Local: Upstream nss-3.23 has these fixed -Patch61: fix_warnings_treated_as_errors.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -173,7 +169,7 @@ Requires: nss-devel = %{version}-%{release} Requires: nss-softokn-freebl-devel >= %{nss_softokn_version} %description pkcs11-devel -Library files for developing PKCS #11 modules using basic NSS +Library files for developing PKCS #11 modules using basic NSS low level services. 
@@ -199,10 +195,6 @@ popd %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5 %patch58 -p0 -b .1185708_3des %patch59 -p0 -b .compile_Werror -pushd nss -%patch60 -p1 -b .defined_not_used -%patch61 -p1 -b .fix_warnings -popd ######################################################### # Higher-level libraries and test tools need access to @@ -337,7 +329,7 @@ popd # Set up our package file # The nspr_version and nss_{util|softokn}_version globals used -# here match the ones nss has for its Requires. +# here match the ones nss has for its Requires. # Using the current %%{nss_softokn_version} for fedora again %{__mkdir_p} ./dist/pkgconfig %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ @@ -392,7 +384,7 @@ done for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do xmlto man ${m} done - + %check if [ ${DISABLETEST:-0} -eq 1 ]; then @@ -486,9 +478,9 @@ fi popd # Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, -# Grep exits with status greater than 1 if an error ocurred. -# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, -# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. killall $RANDSERV || : 
@@ -602,11 +594,11 @@ done ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit # Copy the man pages for scripts -for f in nss-config setup-nsssysinit; do +for f in nss-config setup-nsssysinit; do install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done # Copy the man pages for the nss tools -for f in "%{allTools}"; do +for f in "%{allTools}"; do install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done %if %{defined rhel} @@ -616,11 +608,11 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tool %endif # Copy the man pages for the configuration files -for f in pkcs11.txt; do +for f in pkcs11.txt; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done # Copy the man pages for the nss databases -for f in cert8.db cert9.db key3.db key4.db secmod.db; do +for f in cert8.db cert9.db key3.db key4.db secmod.db; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 done @@ -831,6 +823,9 @@ fi %changelog +* Sat Mar 05 2016 emaldona - 3.23.0-2 +- Rebase to NSS 3.23 + * Sat Feb 27 2016 Elio Maldonado - 3.22.2-2 - Rebase to NSS 3.22.2 @@ -932,7 +927,7 @@ fi - Backing out from disabling ssl2 until the patches are fixed * Mon Feb 09 2015 Elio Maldonado - 3.17.4-2 -- Disable SSL2 support at build time +- Disable SSL2 support at build time - Fix syntax errors in various shell scripts - Resolves: Bug 1189952 - Disable SSL2 and the export cipher suites @@ -1182,7 +1177,7 @@ fi - Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs - Bug 872124 - nss-3.14 breaks fedpkg new-sources - Fix should be considered preliminary since the patch may change upon upstream approval - + * Thu Nov 01 2012 Elio Maldonado - 3.14-7 - Add a dummy source file for testing /preventing fedpkg breakage - Helps test the fedpkg new-sources and upload commands for breakage by nss updates 
@@ -1225,7 +1220,7 @@ fi * Mon Aug 27 2012 Elio Maldonado - 3.13.5-8 - Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3 - Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load -- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer +- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer - Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix * Mon Aug 13 2012 Elio Maldonado - 3.13.5-7 @@ -1466,7 +1461,7 @@ fi * Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 - Update to 3.12.8 - Prevent disabling of nss-sysinit on package upgrade (#636787) -- Create pkcs11.txt with correct permissions regardless of umask (#636792) +- Create pkcs11.txt with correct permissions regardless of umask (#636792) - Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801) - Added provides pkcs11-devel-static to comply with packaging guidelines (#609612) @@ -1726,7 +1721,7 @@ fi - fix to not clone internal objects in collect_objects(). (501118) - fix to not bypass initialization if module arguments are omitted. (501058) - fix numerous gcc warnings. (500815) -- fix to support arbitrarily long password while loading a private key. (500180) +- fix to support arbitrarily long password while loading a private key. (500180) - fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) * Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 - add patch for bug 502133 upstream bug 496997 @@ -1854,7 +1849,7 @@ fi * Fri Mar 02 2007 Kai Engert - 3.11.5-2 - Fix rhbz#230545, failure to enable FIPS mode -- Fix rhbz#220542, make NSS more tolerant of resets when in the +- Fix rhbz#220542, make NSS more tolerant of resets when in the middle of prompting for a user password. * Sat Feb 24 2007 Kai Engert - 3.11.5-1 diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index c55a1a2..ce444e1 100644 
--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@@ -1,12 +1,12 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700
-+++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700
-@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* noLocks */
- PR_FALSE, /* enableSessionTickets */
- PR_FALSE, /* enableDeflate */
-- 2, /* enableRenegotiation (default: requires extension) */
-+ 3, /* enableRenegotiation (default: transitional) */
- PR_FALSE, /* requireSafeNegotiation */
- PR_FALSE, /* enableFalseStart */
- PR_TRUE, /* cbcRandomIV */
+diff -up ./nss/lib/ssl/sslsock.c.transitional ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.transitional 2016-03-05 08:54:13.871412639 -0800
++++ ./nss/lib/ssl/sslsock.c 2016-03-05 09:00:27.721889811 -0800
+@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+- 2, /* enableRenegotiation (default: requires extension) */
++ 3, /* enableRenegotiation (default: transitional) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
diff --git a/sources b/sources
index bd593df..be690da 100644
--- a/sources
+++ b/sources
@@ -4,4 +4,4 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db
 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db
 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db
 b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2
-c42c743b3e70b2912c77fb4129b0a12b nss-3.22.2.tar.gz
+574488f97390085832299cc3b90814a8 nss-3.23.0.tar.gz
diff --git a/vfyserv-defined-but-not-used.patch b/vfyserv-defined-but-not-used.patch
deleted file mode 100644
index a844fc1..0000000
--- a/vfyserv-defined-but-not-used.patch
+++ /dev/null
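Review bot: The carried default in `ssl_defaults`, `3, /* enableRenegotiation (default: transitional) */`, is a bare literal that replaces the upstream value shown on the removed inner line (`2`, requires extension), and nothing beside it says why the package keeps the looser setting across this rebase. In transitional mode a client socket may still renegotiate with a peer that does not offer the RFC 5746 extension, so the choice deserves a stated reason. I would write the value as `SSL_RENEGOTIATE_TRANSITIONAL, /* enableRenegotiation (distribution default; see spec) */` and record the reason and the condition for dropping the patch next to its `Patch` entry in nss.spec. The initializer starts and ends outside the hunk, so the other defaults cannot be checked from here.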
@@ -1,18 +0,0 @@
-diff -up ./cmd/vfyserv/vfyserv.h.defined_not_used ./cmd/vfyserv/vfyserv.h
---- ./cmd/vfyserv/vfyserv.h.defined_not_used 2016-02-06 18:32:54.143216370 -0800
-+++ ./cmd/vfyserv/vfyserv.h 2016-02-06 18:33:24.943636231 -0800
-@@ -135,14 +135,4 @@ void lockedVars_WaitForDone(lockedVars *
-
- int lockedVars_AddToCount(lockedVars *lv, int addend);
-
--/* Buffer stuff. */
---
--static const char stopCmd[] = { "GET /stop " };
--static const char defaultHeader[] = {
-- "HTTP/1.0 200 OK\r\n"
-- "Server: SSL sample server\r\n"
-- "Content-type: text/plain\r\n"
-- "\r\n"
--};
---
- #endif