pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/devel/nss



Module Name:    pkgsrc
Committed By:   wiz
Date:           Sat Oct 31 19:36:30 UTC 2020

Modified Files:
        pkgsrc/devel/nss: Makefile PLIST distinfo
Added Files:
        pkgsrc/devel/nss/patches: patch-nss_cmd_shlibsign_sign.sh
            patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
            patch-nss_lib_ssl_ssl3con.c patch-nss_lib_ssl_sslimpl.h
Removed Files:
        pkgsrc/devel/nss/patches: patch-security_nss_cmd_shlibsign_sign.sh

Log Message:
nss: update to 3.58nb1.

Add a post-release patch that broke some applications
https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

Changes nout found.


To generate a diff of this commit:
cvs rdiff -u -r1.192 -r1.193 pkgsrc/devel/nss/Makefile
cvs rdiff -u -r1.25 -r1.26 pkgsrc/devel/nss/PLIST
cvs rdiff -u -r1.118 -r1.119 pkgsrc/devel/nss/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh \
    pkgsrc/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc \
    pkgsrc/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c \
    pkgsrc/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h
cvs rdiff -u -r1.2 -r0 \
    pkgsrc/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/devel/nss/Makefile
diff -u pkgsrc/devel/nss/Makefile:1.192 pkgsrc/devel/nss/Makefile:1.193
--- pkgsrc/devel/nss/Makefile:1.192     Sat Sep 19 23:54:14 2020
+++ pkgsrc/devel/nss/Makefile   Sat Oct 31 19:36:30 2020
@@ -1,8 +1,9 @@
-# $NetBSD: Makefile,v 1.192 2020/09/19 23:54:14 ryoon Exp $
+# $NetBSD: Makefile,v 1.193 2020/10/31 19:36:30 wiz Exp $
 
 DISTNAME=              nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE=           3.57.0
-CATEGORIES=            security
+NSS_RELEASE=           3.58.0
+PKGREVISION=           1
+CATEGORIES=            devel security
 MASTER_SITES=          ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
 
 MAINTAINER=            pkgsrc-users%NetBSD.org@localhost

Index: pkgsrc/devel/nss/PLIST
diff -u pkgsrc/devel/nss/PLIST:1.25 pkgsrc/devel/nss/PLIST:1.26
--- pkgsrc/devel/nss/PLIST:1.25 Tue Dec  3 14:29:21 2019
+++ pkgsrc/devel/nss/PLIST      Sat Oct 31 19:36:30 2020
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.25 2019/12/03 14:29:21 ryoon Exp $
+@comment $NetBSD: PLIST,v 1.26 2020/10/31 19:36:30 wiz Exp $
 bin/certutil
 bin/cmsutil
 bin/crlutil
@@ -80,6 +80,7 @@ include/nss/nss/p12.h
 include/nss/nss/p12plcy.h
 include/nss/nss/p12t.h
 include/nss/nss/pk11func.h
+include/nss/nss/pk11hpke.h
 include/nss/nss/pk11pqg.h
 include/nss/nss/pk11priv.h
 include/nss/nss/pk11pub.h

Index: pkgsrc/devel/nss/distinfo
diff -u pkgsrc/devel/nss/distinfo:1.118 pkgsrc/devel/nss/distinfo:1.119
--- pkgsrc/devel/nss/distinfo:1.118     Sat Sep 19 23:54:14 2020
+++ pkgsrc/devel/nss/distinfo   Sat Oct 31 19:36:30 2020
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.118 2020/09/19 23:54:14 ryoon Exp $
+$NetBSD: distinfo,v 1.119 2020/10/31 19:36:30 wiz Exp $
 
-SHA1 (nss-3.57.tar.gz) = ee150322d22ca2b449b31a9a4188eab156e0a13d
-RMD160 (nss-3.57.tar.gz) = d00996339012f73e11eb61d9e162e334921e4082
-SHA512 (nss-3.57.tar.gz) = 7e312d7539a26f57b968548935a7715cfa895aa61da21d0542ae45b71cb16f63167728534cdfd15f8eca68c75753a0df3d05e87b4c5acaabbda63c736e552ea2
-Size (nss-3.57.tar.gz) = 81712830 bytes
+SHA1 (nss-3.58.tar.gz) = f0c572b72921690c77d59471fe21cfa811d8b876
+RMD160 (nss-3.58.tar.gz) = 7c6f03a8ca20ec6bcc43435538d84bb940e562f3
+SHA512 (nss-3.58.tar.gz) = 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
+Size (nss-3.58.tar.gz) = 81846254 bytes
 SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
 SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
 SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1
@@ -13,13 +13,16 @@ SHA1 (patch-mg) = 3c878548c98bdea559a3e6
 SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a
 SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4
 SHA1 (patch-nss_cmd_platlibs.mk) = 01f4350de601b29c94e8a791a28daca226866bb6
+SHA1 (patch-nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af
 SHA1 (patch-nss_coreconf_NetBSD.mk) = ed95aa1c245c9f2b8fda0a1769f9599223b61dbf
 SHA1 (patch-nss_coreconf_OpenBSD.mk) = 1a4c3711d5d1f7f9e8d58b36145b15d7e444d754
 SHA1 (patch-nss_coreconf_command.mk) = a7b682d367825b48f8802fa30cee83f10680bb74
+SHA1 (patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc) = 85c61f09a833ae0039294f0475931474d69a913e
 SHA1 (patch-nss_lib_freebl_aes-armv8.c) = aa698f61dd3d66ba707a9b5425bc15d057244ad7
 SHA1 (patch-nss_lib_freebl_gcm-aarch64.c) = 311cfe7ca58e91285052d0ca27bd2df3f325071b
 SHA1 (patch-nss_lib_freebl_md5.c) = 5cbec40695e296f0713895fb85cd37f6df76b85b
+SHA1 (patch-nss_lib_ssl_ssl3con.c) = 04dc8ca7714bb1295ff9b470aed325cac1846950
+SHA1 (patch-nss_lib_ssl_sslimpl.h) = 91f7da0f30469bb81b416431e8f1268edbb82e5f
 SHA1 (patch-nss_lib_util_utilpars.c) = 5d3000515b01037929730a752b7d7a0f46f06deb
 SHA1 (patch-nss_tests_all.sh) = b328778b538db66f5447f962f23afd6f650f7071
 SHA1 (patch-nss_tests_merge_merge.sh) = 42a4866d226b1076740ba9a5e42c7604f2cb15a7
-SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af

Added files:

Index: pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh
diff -u /dev/null pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh:1.1
--- /dev/null   Sat Oct 31 19:36:30 2020
+++ pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh    Sat Oct 31 19:36:30 2020
@@ -0,0 +1,17 @@
+$NetBSD: patch-nss_cmd_shlibsign_sign.sh,v 1.1 2020/10/31 19:36:30 wiz Exp $
+
+This tries to dlopen libsoftokn3.so which is linked against sqlite3,
+so we need a directory containing libsqlite3.so in the search path,
+beside the directory containing libsoftokn3.so itself.
+
+--- nss/cmd/shlibsign/sign.sh.orig     2011-06-15 21:57:52.000000000 +0000
++++ nss/cmd/shlibsign/sign.sh
+@@ -26,7 +26,7 @@ WIN*)
+     export LIBPATH
+     SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
+     export SHLIB_PATH
+-    LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
++    LD_LIBRARY_PATH=${1}/lib:${4}:${PREFIX}/lib:$LD_LIBRARY_PATH
+     export LD_LIBRARY_PATH
+     DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
+     export DYLD_LIBRARY_PATH
Index: pkgsrc/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
diff -u /dev/null pkgsrc/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc:1.1
--- /dev/null   Sat Oct 31 19:36:30 2020
+++ pkgsrc/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc  Sat Oct 31 19:36:30 2020
@@ -0,0 +1,52 @@
+$NetBSD: patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc,v 1.1 2020/10/31 19:36:30 wiz Exp $
+
+https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
+
+--- nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc.orig      2020-10-16 14:50:49.000000000 +0000
++++ nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
+@@ -348,8 +348,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
+   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
+ }
+ 
+-// The server rejects a ChangeCipherSpec if the client advertises an
+-// empty session ID.
++// The server accepts a ChangeCipherSpec even if the client advertises
++// an empty session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
+   EnsureTlsSetup();
+   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
+@@ -358,9 +358,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
+   client_->Handshake();  // Send ClientHello
+   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
+ 
+-  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  server_->Handshake();  // Consume ClientHello and CCS
+-  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++  Handshake();
++  CheckConnected();
+ }
+ 
+ // The server rejects multiple ChangeCipherSpec even if the client
+@@ -381,7 +380,7 @@ TEST_F(Tls13CompatTest, ChangeCipherSpec
+   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+ }
+ 
+-// The client rejects a ChangeCipherSpec if it advertises an empty
++// The client accepts a ChangeCipherSpec even if it advertises an empty
+ // session ID.
+ TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
+   EnsureTlsSetup();
+@@ -398,9 +397,10 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
+                          // send ServerHello..CertificateVerify
+   // Send CCS
+   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
+-  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
+-  client_->Handshake();  // Consume ClientHello and CCS
+-  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
++
++  // No alert is sent from the client. As Finished is dropped, we
++  // can't use Handshake() and CheckConnected().
++  client_->Handshake();
+ }
+ 
+ // The client rejects multiple ChangeCipherSpec in a row even if the
Index: pkgsrc/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c
diff -u /dev/null pkgsrc/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c:1.1
--- /dev/null   Sat Oct 31 19:36:30 2020
+++ pkgsrc/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c        Sat Oct 31 19:36:30 2020
@@ -0,0 +1,49 @@
+$NetBSD: patch-nss_lib_ssl_ssl3con.c,v 1.1 2020/10/31 19:36:30 wiz Exp $
+
+https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
+
+--- nss/lib/ssl/ssl3con.c.orig 2020-10-16 14:50:49.000000000 +0000
++++ nss/lib/ssl/ssl3con.c
+@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslS
+ 
+     /* TLS 1.3: We sent a session ID.  The server's should match. */
+     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
+-        if (sidMatch) {
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+-            return PR_TRUE;
+-        }
+-        return PR_FALSE;
++        return sidMatch;
+     }
+ 
+     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
+@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PR
+                 errCode = PORT_GetError();
+                 goto alert_loser;
+             }
+-            ss->ssl3.hs.allowCcs = PR_TRUE;
+         }
+ 
+         /* TLS 1.3 requires that compression include only null. */
+@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
+             ss->ssl3.hs.ws != idle_handshake &&
+             cText->buf->len == 1 &&
+             cText->buf->buf[0] == change_cipher_spec_choice) {
+-            if (ss->ssl3.hs.allowCcs) {
+-                /* Ignore the first CCS. */
+-                ss->ssl3.hs.allowCcs = PR_FALSE;
++            if (!ss->ssl3.hs.rejectCcs) {
++                /* Allow only the first CCS. */
++                ss->ssl3.hs.rejectCcs = PR_TRUE;
+                 return SECSuccess;
++            } else {
++                alert = unexpected_message;
++                PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+             }
+-
+-            /* Compatibility mode is not negotiated. */
+-            alert = unexpected_message;
+-            PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+         }
+ 
+         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
Index: pkgsrc/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h
diff -u /dev/null pkgsrc/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h:1.1
--- /dev/null   Sat Oct 31 19:36:30 2020
+++ pkgsrc/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h        Sat Oct 31 19:36:30 2020
@@ -0,0 +1,18 @@
+$NetBSD: patch-nss_lib_ssl_sslimpl.h,v 1.1 2020/10/31 19:36:30 wiz Exp $
+
+https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
+
+--- nss/lib/ssl/sslimpl.h.orig 2020-10-16 14:50:49.000000000 +0000
++++ nss/lib/ssl/sslimpl.h
+@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
+                                            * or received. */
+     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
+                                            * before the handshake started. */
+-    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
+-                                           * as the middlebox compatibility mode
+-                                           * is explicitly indicarted by
+-                                           * legacy_session_id in TLS 1.3 ClientHello. */
++    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
+     PRBool clientCertRequested;           /* True if CertificateRequest received. */
+     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
+     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def



Home | Main Index | Thread Index | Old Index