Hello community, here is the log from the commit of package mozilla-nss.5017 for openSUSE:13.2:Update checked in at 2016-05-04 11:38:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/mozilla-nss.5017 (Old) and /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "mozilla-nss.5017" Changes: -------- New Changes file: --- /dev/null 2016-04-07 01:36:33.300037506 +0200 +++ /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new/mozilla-nss.changes 2016-05-04 11:38:47.000000000 +0200 
@@ -0,0 +1,1540 @@ +------------------------------------------------------------------- +Mon Apr 18 15:53:40 UTC 2016 - normand@linux.vnet.ibm.com + +- add nss_gcc6_change.patch + +------------------------------------------------------------------- +Tue Mar 15 10:25:38 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.22.3 + * required for Firefox 46.0 + * Increase compatibility of TLS extended master secret, + don't send an empty TLS extension last in the handshake + (bmo#1243641) + +------------------------------------------------------------------- +Wed Mar 9 15:42:01 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.22.2 + New functionality: + * RSA-PSS signatures are now supported (bmo#1215295) + * Pseudorandom functions based on hashes other than SHA-1 are now supported + * Enforce an External Policy on NSS from a config file (bmo#1009429) + New functions: + * PK11_SignWithMechanism - an extended version PK11_Sign() + * PK11_VerifyWithMechanism - an extended version of PK11_Verify() + * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp + TLS extension data + * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp + TLS extension data + New types: + * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType + * Constants for several object IDs are added to SECOidTag + New macros: + * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS + * NSS_USE_ALG_IN_SSL + * NSS_USE_POLICY_IN_SSL + * NSS_RSA_MIN_KEY_SIZE + * NSS_DH_MIN_KEY_SIZE + * NSS_DSA_MIN_KEY_SIZE + * NSS_TLS_VERSION_MIN_POLICY + * NSS_TLS_VERSION_MAX_POLICY + * NSS_DTLS_VERSION_MIN_POLICY + * NSS_DTLS_VERSION_MAX_POLICY + * CKP_PKCS5_PBKD2_HMAC_SHA224 + * CKP_PKCS5_PBKD2_HMAC_SHA256 + * CKP_PKCS5_PBKD2_HMAC_SHA384 + * CKP_PKCS5_PBKD2_HMAC_SHA512 + * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported) + * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported) + * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported) + Notable changes: + * NSS C++ tests are built by default, requiring a C++11 compiler. 
+ Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests. + * NSS has been changed to use the PR_GetEnvSecure function that + was made available in NSPR 4.12 + +------------------------------------------------------------------- +Mon Mar 7 15:41:50 UTC 2016 - wr@rosenauer.org + +- update to NSS 3.21.1 (bmo#969894) + * required for Firefox 45.0 + * MFSA 2016-35/CVE-2016-1950 (bmo#1245528) + Buffer overflow during ASN.1 decoding in NSS + * MFSA 2016-36/CVE-2016-1979 (bmo#1185033) + Use-after-free during processing of DER encoded keys in NSS + +------------------------------------------------------------------- +Sun Dec 20 10:12:35 UTC 2015 - wr@rosenauer.org + +- update to NSS 3.21 + * required for Firefox 44.0 + New functionality: + * certutil now supports a --rename option to change a nickname (bmo#1142209) + * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022) + * New info functions added for use during mid-handshake callbacks (bmo#1084669) + New Functions: + * NSS_OptionSet - sets NSS global options + * NSS_OptionGet - gets the current value of NSS global options + * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module name + string, module parameters string, NSS specific parameters string, and NSS + configuration parameter string. The module represented by the module + structure is not loaded. The difference with SECMOD_CreateModule is the new + function handles NSS configuration parameter strings. 
+ * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel prior + to the handshake being completed, for use with the callbacks that are invoked + during the handshake + * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms + for TLS + * SSL_SignaturePrefGet - retrieves the currently configured signature and hash + algorithms + * SSL_SignatureMaxCount - obtains the maximum number signature algorithms that + can be configured with SSL_SignaturePrefSet + * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into shared + library string, module name string, module parameters string, NSS specific + parameters string, and NSS configuration parameter strings. The returned + strings must be freed by the caller. The difference with + NSS_ArgParseModuleSpec is the new function handles NSS configuration + parameter strings. + * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string, + module parameters string, NSS specific parameters string, and NSS + configuration parameter string and returns a module string which the caller + must free when it is done. The difference with NSS_MkModuleSpec is the new + function handles NSS configuration parameter strings. 
+ New Types: + * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for + CKM_TLS12_MASTER_KEY_DERIVE + * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for + CKM_TLS12_KEY_AND_MAC_DERIVE + * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF + * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC + * SSLHashType - identifies a hash function + * SSLSignatureAndHashAlg - identifies a signature and hash function + * SSLPreliminaryChannelInfo - provides information about the session state + prior to handshake completion + New Macros: + * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or + get the minimum RSA key size + * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or + get the minimum DH key size + * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or + get the minimum DSA key size + * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret + * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV + * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and + ECDH) cipher suites + * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional + PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS. 
+ * CKM_TLS_MAC - computes TLS Finished MAC + * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS key + exchange + * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete + DTLS record in a UDP packet + * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid + signature and hash algorithm is available + * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an + unsupported signature and hash algorithm is configured + * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended + master secret is missing after having been negotiated + * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an + extended master secret when previously not negotiated + * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS extended + master secret extension (RFC 7627) + * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that a + TLS version has been selected + * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate + that a TLS cipher suite has been selected + * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all + preliminary information has been set + Notable Changes: + * NSS now builds with elliptic curve ciphers enabled by default (bmo#1205688) + * NSS now builds with warnings as errors (bmo#1182667) + * The following CA certificates were Removed + - CN = VeriSign Class 4 Public Primary Certification Authority - G3 + - CN = UTN-USERFirst-Network Applications + - CN = TC TrustCenter Universal CA III + - CN = A-Trust-nQual-03 + - CN = USERTrust Legacy Secure Server CA + - Friendly Name: Digital Signature Trust Co. Global CA 1 + - Friendly Name: Digital Signature Trust Co. Global CA 3 + - CN = UTN - DATACorp SGC + - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. 
(c) Kasım 2005 + * The following CA certificate had the Websites trust bit turned off + - OU = Equifax Secure Certificate Authority + * The following CA certificates were Added + - CN = Certification Authority of WoSign G2 + - CN = CA WoSign ECC Root + - CN = OISTE WISeKey Global Root GB CA +- increased the minimum level of possible mixed installations + (softokn3, freebl3) to 3.21 +- added nss-bmo1236011.patch to fix compiler error (bmo#1236011) +- disabled testsuite as it currently breaks (bmo#1236340) + +------------------------------------------------------------------- +Sat Dec 19 17:13:21 UTC 2015 - wr@rosenauer.org + +- update to NSS 3.20.2 (bnc#959888) + * MFSA 2015-150/CVE-2015-7575 (bmo#1158489) + MD5 signatures accepted within TLS 1.2 ServerKeyExchange in + server signature + +------------------------------------------------------------------- +Sun Oct 25 14:44:21 UTC 2015 - wr@rosenauer.org + +- update to NSS 3.20.1 (bnc#952810) + * requires NSPR 4.10.10 + * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868) + memory corruption issues + +------------------------------------------------------------------- +Thu Sep 24 15:41:09 UTC 2015 - fstrba@suse.com + +- Install the static libfreebl.a that is needed in order to link + Sun elliptical curves provider in Java 7. 
+ +------------------------------------------------------------------- +Thu Sep 24 09:39:17 UTC 2015 - wr@rosenauer.org + ++++ 1343 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new/mozilla-nss.changes New: ---- baselibs.conf cert9.db key4.db malloc.patch mozilla-nss-rpmlintrc mozilla-nss.changes mozilla-nss.spec nss-3.22.3.tar.gz nss-bmo1236011.patch nss-config.in nss-disable-ocsp-test.patch nss-no-rpath.patch nss-opt.patch nss-sqlitename.patch nss.pc.in nss_gcc6_change.patch pkcs11.txt renegotiate-transitional.patch setup-nsssysinit.sh system-nspr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ # # spec file for package mozilla-nss # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2006-2015 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # %global nss_softokn_fips_version 3.21 Name: mozilla-nss BuildRequires: gcc-c++ BuildRequires: mozilla-nspr-devel >= 4.12 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel Version: 3.22.3 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit %endif # Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/nss-%{version}.tar.gz # hg clone https://hg.mozilla.org/projects/nss nss-3.22.3/nss ; cd nss-3.22.3/nss ; hg up NSS_3_22_3_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc Source5: baselibs.conf Source6: setup-nsssysinit.sh Source7: cert9.db Source8: key4.db Source9: pkcs11.txt #Source10: PayPalEE.cert Source99: %{name}.changes Patch1: nss-opt.patch Patch2: system-nspr.patch Patch4: nss-no-rpath.patch Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch Patch9: nss-bmo1236011.patch Patch10: nss_gcc6_change.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libsoftokn3 >= %{nss_softokn_fips_version} %if %{_lib} == lib64 Requires: libnssckbi.so()(64bit) %else Requires: libnssckbi.so %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %ifnarch %sparc %if ! 0%{?qemu_user_space_build} # disabled temporarily bmo#1236340 %define run_testsuite 0 %endif %endif %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. 
Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package devel Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: libfreebl3 Requires: libsoftokn3 Requires: mozilla-nspr-devel >= 4.9 Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit %endif %description devel Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package tools Summary: Tools for developing, debugging, and managing applications that use NSS Group: System/Management PreReq: mozilla-nss >= %{version} %description tools The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. %package sysinit Summary: System NSS Initialization Group: System/Management Requires: mozilla-nss >= %{version} Requires(post): coreutils %description sysinit Default Operation System module that manages applications loading NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules. %package -n libfreebl3 Summary: Freebl library for the Network Security Services Group: System/Libraries Provides: libfreebl3-hmac %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This package installs the freebl library from NSS. 
%package -n libsoftokn3 Summary: Network Security Services Softoken Module Group: System/Libraries Requires: libfreebl3 = %{version}-%{release} Provides: libsoftokn3-hmac %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. Network Security Services Softoken Cryptographic Module %package certs Summary: CA certificates for NSS Group: Productivity/Networking/Security %description certs This package contains the integrated CA root certificates from the Mozilla project. %prep %setup -n nss-%{version} -q cd nss %patch1 -p1 %patch2 -p1 %patch4 -p1 %patch5 -p1 %if %suse_version > 1110 %patch6 -p1 %endif %patch7 -p1 %patch8 -p1 %patch9 -p1 %patch10 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build cd nss modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{S:99}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" find . 
-name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + export FREEBL_NO_DEPEND=1 export FREEBL_LOWHASH=1 export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export LIBDIR=%{_libdir} %ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 export USE_64=1 %endif export NSS_USE_SYSTEM_SQLITE=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" make nss_build_all $MAKE_FLAGS # run testsuite %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" export DOMSUF=" " export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests ./all.sh if grep "FAILED" ../../../tests_results/security/localhost.1/output.log ; then echo "Testsuite FAILED" exit 1 fi %endif %install cd nss mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{nssdbdir} pushd ../dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 # copy some freebl include files we also want for file in blapi.h alghmac.h do cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 done # copy dynamic libs cp -L lib/libnss3.so \ lib/libnssdbm3.so \ lib/libnssdbm3.chk \ lib/libnssutil3.so \ lib/libnssckbi.so \ lib/libnsssysinit.so \ lib/libsmime3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ lib/libssl3.so \ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} # copy static libs cp -L lib/libcrmf.a \ lib/libfreebl.a \ lib/libnssb.a \ lib/libnssckfw.a \ $RPM_BUILD_ROOT%{_libdir} # copy tools cp -L bin/certutil \ bin/cmsutil \ bin/crlutil \ bin/modutil \ bin/pk12util \ bin/signtool \ bin/signver \ bin/ssltap \ $RPM_BUILD_ROOT%{_bindir} # copy unsupported tools cp 
-L bin/atob \ bin/btoa \ bin/derdump \ bin/ocspclnt \ bin/pp \ bin/selfserv \ bin/shlibsign \ bin/strsclnt \ bin/symkeyutil \ bin/tstclnt \ bin/vfyserv \ bin/vfychain \ $RPM_BUILD_ROOT%{_libexecdir}/nss # prepare pkgconfig file mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ sed "s:%%LIBDIR%%:%{_libdir}:g s:%%VERSION%%:%{version}:g s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'` NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | gawk '{print $3}'` NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | gawk '{print $3}'` cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config # setup-nsssysinfo.sh install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ # create empty NSS database #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null #chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* #sed "s:%{buildroot}::g #s/^library=$/library=libnsssysinit.so/ #/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ # $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed # mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # copy empty NSS database install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} # create 
shlib sigs after extracting debuginfo %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ %{nil} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %post -n libfreebl3 -p /sbin/ldconfig %postun -n libfreebl3 -p /sbin/ldconfig %post -n libsoftokn3 -p /sbin/ldconfig %postun -n libsoftokn3 -p /sbin/ldconfig %post sysinit /sbin/ldconfig # make sure the current config is enabled %{_sbindir}/setup-nsssysinit.sh on %preun sysinit if [ $1 = 0 ]; then %{_sbindir}/setup-nsssysinit.sh off fi %postun sysinit -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) %{_libdir}/libnss3.so %{_libdir}/libnssutil3.so %{_libdir}/libsmime3.so %{_libdir}/libssl3.so #%{_libdir}/libnsssqlite3.so %files devel %defattr(644, root, root, 755) %{_includedir}/nss3/ %{_libdir}/*.a %{_libdir}/pkgconfig/* %attr(755,root,root) %{_bindir}/nss-config %files tools %defattr(-, root, root) %{_bindir}/* %exclude %{_sbindir}/setup-nsssysinit.sh %{_libexecdir}/nss/ %exclude %{_bindir}/nss-config %files sysinit %defattr(-, root, root) %dir %{_sysconfdir}/pki %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %{_sysconfdir}/pki/nssdb/* %{_libdir}/libnsssysinit.so %{_sbindir}/setup-nsssysinit.sh %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk %files -n libsoftokn3 %defattr(-, root, root) %{_libdir}/libsoftokn3.so %{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %files certs %defattr(-, root, 
root) %{_libdir}/libnssckbi.so %changelog ++++++ baselibs.conf ++++++ mozilla-nss requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "mozilla-nss-certs-<targettype>" libsoftokn3 requires "libfreebl3-<targettype> = <version>" +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 +/lib/libfreebl3.chk mozilla-nss-sysinit mozilla-nss-certs ++++++ malloc.patch ++++++ Index: security/nss/tests/ssl/ssl.sh =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v retrieving revision 1.100 diff -u -r1.100 ssl.sh --- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100 +++ nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 @@ -974,6 +974,7 @@ ################################# main ################################# +unset MALLOC_CHECK_ ssl_init ssl_run_tests ssl_cleanup ++++++ mozilla-nss-rpmlintrc ++++++ addFilter("shlib-policy-name-error") addFilter("shlib-policy-missing-lib") addFilter("shlib-policy-missing-suffix") addFilter("shlib-unversioned-lib") addFilter("shlib-fixed-dependency") ++++++ nss-bmo1236011.patch ++++++ diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h --- a/cmd/modutil/install-ds.h +++ b/cmd/modutil/install-ds.h 
@@ -238,17 +238,17 @@ struct Pk11Install_Info_str { int numPlatforms; Pk11Install_PlatformName *forwardCompatible; int numForwardCompatible; }; Pk11Install_Info* Pk11Install_Info_new(); void -Pk11Install_Info_init(); +Pk11Install_Info_init(Pk11Install_Info* _this); void Pk11Install_Info_delete(Pk11Install_Info* _this); /*// Returns NULL for success, error message if parse error.*/ char* Pk11Install_Info_Generate(Pk11Install_Info* _this, const Pk11Install_ValueList *list); /*// Returns NULL if there is no matching platform*/ Pk11Install_Platform* ++++++ nss-config.in ++++++ #!/bin/sh prefix=@prefix@ major_version=@MOD_MAJOR_VERSION@ minor_version=@MOD_MINOR_VERSION@ patch_version=@MOD_PATCH_VERSION@ usage() { cat <<EOF Usage: nss-config [OPTIONS] [LIBRARIES] Options: [--prefix[=DIR]] [--exec-prefix[=DIR]] [--includedir[=DIR]] [--libdir[=DIR]] [--version] [--libs] [--cflags] Dynamic Libraries: nss ssl smime EOF exit $1 } if test $# -eq 0; then usage 1 1>&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) echo ${major_version}.${minor_version}.${patch_version} ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=@exec_prefix@ fi if test -z "$includedir"; then includedir=@includedir@ fi if test -z "$libdir"; then libdir=@libdir@ fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo 
$exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo -I$includedir fi if test "$echo_libs" = "yes"; then libdirs="-Wl,-rpath-link,$libdir -L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl${major_version}" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime${major_version}" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss${major_version}" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil${major_version}" fi echo $libdirs fi ++++++ nss-disable-ocsp-test.patch ++++++ diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios --- a/tests/chains/scenarios/scenarios +++ b/tests/chains/scenarios/scenarios @@ -45,12 +45,11 @@ mapping.cfg mapping2.cfg aia.cfg bridgewithaia.cfg bridgewithhalfaia.cfg bridgewithpolicyextensionandmapping.cfg realcerts.cfg dsa.cfg revoc.cfg -ocsp.cfg crldp.cfg trustanchors.cfg nameconstraints.cfg ++++++ nss-no-rpath.patch ++++++ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v retrieving revision 1.71 diff -u -p -6 -r1.71 platlibs.mk --- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 +++ nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 
@@ -15,15 +15,15 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif endif ifeq ($(OS_ARCH), Linux) ifeq ($(USE_64), 1) -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' else -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' endif endif endif # BUILD_SUN_PKG ifdef NSS_DISABLE_DBM ++++++ nss-opt.patch ++++++ Index: security/coreconf/Linux.mk =================================================================== RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v retrieving revision 1.45.2.1 diff -u -r1.45.2.1 Linux.mk --- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1 +++ nss/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 @@ -112,11 +112,7 @@ endif ifdef BUILD_OPT -ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) - OPTIMIZER = -Os -else - OPTIMIZER = -O2 -endif + OPTIMIZER = $(OPT_FLAGS) ifdef MOZ_DEBUG_SYMBOLS ifdef MOZ_DEBUG_FLAGS OPTIMIZER += $(MOZ_DEBUG_FLAGS) ++++++ nss-sqlitename.patch ++++++ Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v retrieving revision 1.5 diff -u -r1.5 manifest.mn --- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5 +++ nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 
@@ -6,9 +6,10 @@ MODULE = nss -LIBRARY_NAME = sqlite +LIBRARY_NAME = nsssqlite LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/sqlite.def +MAPFILE_SOURCE = sqlite.def DEFINES += -DSQLITE_THREADSAFE=1 EXPORTS = \ ++++++ nss.pc.in ++++++ prefix=/usr exec_prefix=${prefix} libdir=%LIBDIR% includedir=${prefix}/include/nss3 Name: NSS Description: Network Security Services Version: %VERSION% Requires: nspr >= %NSPR_VERSION% Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3 Cflags: -I${includedir} ++++++ nss_gcc6_change.patch ++++++ From: Michel Normand <normand@linux.vnet.ibm.com> Subject: nss gcc6 change Date: Mon, 18 Apr 2016 19:11:03 +0200 nss changes required to avoid build error with gcc6 like: === [ 58s] h_page.c: In function 'new_lseek': [ 58s] h_page.c:117:8: error: this 'if' clause does not guard... [-Werror=misleading-indentation] [ 58s] if(offset < 1) [ 58s] ^~ [ 58s] h_page.c:120:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if' [ 58s] cur_pos = lseek(fd, 0, SEEK_CUR); [ 58s] ^~~~~~~ === Signed-off-by: Michel Normand <normand@linux.vnet.ibm.com> --- cmd/bltest/blapitest.c | 4 +-- cmd/vfychain/vfychain.c | 3 +- lib/dbm/src/h_page.c | 55 +++++++++++++++++++++----------------------- lib/dbm/src/hash.c | 60 ++++++++++++++++++++++++------------------------ 4 files changed, 61 insertions(+), 61 deletions(-) Index: nss/lib/dbm/src/h_page.c =================================================================== --- nss.orig/lib/dbm/src/h_page.c +++ nss/lib/dbm/src/h_page.c 
@@ -112,26 +112,25 @@ long new_lseek(int fd, long offset, int long end_pos=0; long seek_pos=0; - if(origin == SEEK_CUR) - { - if(offset < 1) - return(lseek(fd, offset, SEEK_CUR)); + if (origin == SEEK_CUR) { + if (offset < 1) + return(lseek(fd, offset, SEEK_CUR)); - cur_pos = lseek(fd, 0, SEEK_CUR); + cur_pos = lseek(fd, 0, SEEK_CUR); + + if (cur_pos < 0) + return(cur_pos); + } - if(cur_pos < 0) - return(cur_pos); - } - end_pos = lseek(fd, 0, SEEK_END); - if(end_pos < 0) + if (end_pos < 0) return(end_pos); - if(origin == SEEK_SET) + if (origin == SEEK_SET) seek_pos = offset; - else if(origin == SEEK_CUR) + else if (origin == SEEK_CUR) seek_pos = cur_pos + offset; - else if(origin == SEEK_END) + else if (origin == SEEK_END) seek_pos = end_pos + offset; else { @@ -143,7 +142,7 @@ long new_lseek(int fd, long offset, int * end of the file. We don't need * to do anything special except the seek. */ - if(seek_pos <= end_pos) + if (seek_pos <= end_pos) return(lseek(fd, seek_pos, SEEK_SET)); /* the seek position is beyond the end of the @@ -161,7 +160,7 @@ long new_lseek(int fd, long offset, int memset(buffer, 0, 1024); while(len > 0) { - if(write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0) + if (write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0) return(-1); len -= 1024; } @@ -245,10 +244,10 @@ __delpair(HTAB *hashp, BUFHEAD *bufp, in * Once we know dst_offset is < BSIZE, we can subtract it from BSIZE * to get an upper bound on length. */ - if(dst_offset > (uint32)hashp->BSIZE) + if (dst_offset > (uint32)hashp->BSIZE) return(DATABASE_CORRUPTED_ERROR); - if(length > (uint32)(hashp->BSIZE - dst_offset)) + if (length > (uint32)(hashp->BSIZE - dst_offset)) return(DATABASE_CORRUPTED_ERROR); memmove(dst, src, length); @@ -324,7 +323,7 @@ __split_page(HTAB *hashp, uint32 obucket * off. If it is then the database has * been corrupted. */ - if(ino[n] > off) + if (ino[n] > off) return(DATABASE_CORRUPTED_ERROR); key.size = off - ino[n]; 
@@ -355,7 +354,7 @@ __split_page(HTAB *hashp, uint32 obucket * wrong. LJM */ tmp_uint16_array = (uint16*)np; - if(!PAIRFITS(tmp_uint16_array, &key, &val)) + if (!PAIRFITS(tmp_uint16_array, &key, &val)) return(DATABASE_CORRUPTED_ERROR); putpair(np, &key, &val); @@ -440,7 +439,7 @@ ugly_split(HTAB *hashp, uint32 obucket, */ loop_detection++; - if(loop_detection > MAX_UGLY_SPLIT_LOOPS) + if (loop_detection > MAX_UGLY_SPLIT_LOOPS) return DATABASE_CORRUPTED_ERROR; if (ino[2] < REAL_KEY && ino[2] != OVFLPAGE) { @@ -736,7 +735,7 @@ __get_page(HTAB *hashp, * the maximum number of entries * in the array */ - if((unsigned)max > (size / sizeof(uint16))) + if ((unsigned)max > (size / sizeof(uint16))) return(DATABASE_CORRUPTED_ERROR); /* do the byte order swap @@ -749,7 +748,7 @@ __get_page(HTAB *hashp, /* check the validity of the page here * (after doing byte order swaping if necessary) */ - if(!is_bitmap && bp[0] != 0) + if (!is_bitmap && bp[0] != 0) { uint16 num_keys = bp[0]; uint16 offset; @@ -760,11 +759,11 @@ __get_page(HTAB *hashp, * bp[0] is too large (larger than the whole * page) then the page is corrupted */ - if(bp[0] > (size / sizeof(uint16))) + if (bp[0] > (size / sizeof(uint16))) return(DATABASE_CORRUPTED_ERROR); /* bound free space */ - if(FREESPACE(bp) > size) + if (FREESPACE(bp) > size) return(DATABASE_CORRUPTED_ERROR); /* check each key and data offset to make @@ -776,10 +775,10 @@ __get_page(HTAB *hashp, for(i=1 ; i <= num_keys; i+=2) { /* ignore overflow pages etc. */ - if(bp[i+1] >= REAL_KEY) + if (bp[i+1] >= REAL_KEY) { - if(bp[i] > offset || bp[i+1] > bp[i]) + if (bp[i] > offset || bp[i+1] > bp[i]) return(DATABASE_CORRUPTED_ERROR); offset = bp[i+1]; @@ -832,7 +831,7 @@ __put_page(HTAB *hashp, char *p, uint32 * the maximum number of entries * in the array */ - if((unsigned)max > (size / sizeof(uint16))) + if ((unsigned)max > (size / sizeof(uint16))) return(DATABASE_CORRUPTED_ERROR); for (i = 0; i <= max; i++) 
@@ -1091,7 +1090,7 @@ __free_ovflpage(HTAB *hashp, BUFHEAD *ob uint32 bit_address, free_page, free_bit; uint16 ndx; - if(!obufp || !obufp->addr) + if (!obufp || !obufp->addr) return; addr = obufp->addr; Index: nss/lib/dbm/src/hash.c =================================================================== --- nss.orig/lib/dbm/src/hash.c +++ nss/lib/dbm/src/hash.c @@ -154,7 +154,7 @@ __hash_open(const char *file, int flags, return NULL; } hashp->fp = NO_FILE; - if(file) + if (file) hashp->filename = strdup(file); /* @@ -172,7 +172,7 @@ __hash_open(const char *file, int flags, errno = 0; /* Just in case someone looks at errno */ new_table = 1; } - else if(statbuf.st_mtime && statbuf.st_size == 0) + else if (statbuf.st_mtime && statbuf.st_size == 0) { /* check for a zero length file and delete it * if it exists @@ -288,7 +288,7 @@ hash_close(DB *dbp) return (DBM_ERROR); hashp = (HTAB *)dbp->internal; - if(!hashp) + if (!hashp) return (DBM_ERROR); retval = hdestroy(hashp); @@ -304,7 +304,7 @@ static int hash_fd(const DB *dbp) return (DBM_ERROR); hashp = (HTAB *)dbp->internal; - if(!hashp) + if (!hashp) return (DBM_ERROR); if (hashp->fp == -1) { @@ -480,7 +480,7 @@ hdestroy(HTAB *hashp) if (hashp->fp != -1) (void)close(hashp->fp); - if(hashp->filename) { + if (hashp->filename) { #if defined(_WIN32) || defined(_WINDOWS) || defined(XP_OS2) if (hashp->is_temp) (void)unlink(hashp->filename); @@ -578,7 +578,7 @@ hash_sync(const DB *dbp, uint flags) return (DBM_ERROR); hashp = (HTAB *)dbp->internal; - if(!hashp) + if (!hashp) return (DBM_ERROR); if (!hashp->save_file) @@ -670,7 +670,7 @@ hash_get( rv = hash_access(hashp, HASH_GET, (DBT *)key, data); - if(rv == DATABASE_CORRUPTED_ERROR) + if (rv == DATABASE_CORRUPTED_ERROR) { #if defined(unix) && defined(DEBUG) printf("\n\nDBM Database has been corrupted, tell Lou...\n\n"); 
@@ -707,7 +707,7 @@ hash_put( rv = hash_access(hashp, flag == R_NOOVERWRITE ? HASH_PUTNEW : HASH_PUT, (DBT *)key, (DBT *)data); - if(rv == DATABASE_CORRUPTED_ERROR) + if (rv == DATABASE_CORRUPTED_ERROR) { #if defined(unix) && defined(DEBUG) printf("\n\nDBM Database has been corrupted, tell Lou...\n\n"); @@ -741,7 +741,7 @@ hash_delete( } rv = hash_access(hashp, HASH_DELETE, (DBT *)key, NULL); - if(rv == DATABASE_CORRUPTED_ERROR) + if (rv == DATABASE_CORRUPTED_ERROR) { #if defined(unix) && defined(DEBUG) printf("\n\nDBM Database has been corrupted, tell Lou...\n\n"); @@ -802,27 +802,27 @@ hash_access( ndx += 2; } else if (bp[1] == OVFLPAGE) { - /* database corruption: overflow loop detection */ - if(last_overflow_page_no == (int32)*bp) - return (DATABASE_CORRUPTED_ERROR); - - last_overflow_page_no = *bp; - - rbufp = __get_buf(hashp, *bp, rbufp, 0); - if (!rbufp) { - save_bufp->flags &= ~BUF_PIN; - return (DBM_ERROR); - } - - ovfl_loop_count++; - if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS) - return (DATABASE_CORRUPTED_ERROR); - - /* FOR LOOP INIT */ - bp = (uint16 *)rbufp->page; - n = *bp++; - ndx = 1; - off = hashp->BSIZE; + /* database corruption: overflow loop detection */ + if (last_overflow_page_no == (int32)*bp) + return (DATABASE_CORRUPTED_ERROR); + + last_overflow_page_no = *bp; + + rbufp = __get_buf(hashp, *bp, rbufp, 0); + if (!rbufp) { + save_bufp->flags &= ~BUF_PIN; + return (DBM_ERROR); + } + + ovfl_loop_count++; + if (ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS) + return (DATABASE_CORRUPTED_ERROR); + + /* FOR LOOP INIT */ + bp = (uint16 *)rbufp->page; + n = *bp++; + ndx = 1; + off = hashp->BSIZE; } else if (bp[1] < REAL_KEY) { if ((ndx = __find_bigpair(hashp, rbufp, ndx, kp, (int)size)) > 0) Index: nss/cmd/bltest/blapitest.c =================================================================== --- nss.orig/cmd/bltest/blapitest.c +++ nss/cmd/bltest/blapitest.c 
@@ -1571,8 +1571,8 @@ bltest_seed_init(bltestCipherInfo *ciphe cipherInfo->cipher.symmkeyCipher = seed_Encrypt; else cipherInfo->cipher.symmkeyCipher = seed_Decrypt; - - return SECSuccess; + + return SECSuccess; } SECStatus Index: nss/cmd/vfychain/vfychain.c =================================================================== --- nss.orig/cmd/vfychain/vfychain.c +++ nss/cmd/vfychain/vfychain.c @@ -439,7 +439,8 @@ main(int argc, char *argv[], char *envp[ case 0 : /* positional parameter */ goto breakout; case 'a' : isAscii = PR_TRUE; break; case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value); - if (secStatus != SECSuccess) Usage(progName); break; + if (secStatus != SECSuccess) Usage(progName); + break; case 'd' : certDir = PL_strdup(optstate->value); break; case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break; case 'f' : certFetching = PR_TRUE; break; ++++++ pkcs11.txt ++++++ library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) ++++++ renegotiate-transitional.patch ++++++ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c index e6b2387..87fbe1d 100644 --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c 
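Review bot: in nss_gcc6_change.patch, most hunks in lib/dbm/src/h_page.c and lib/dbm/src/hash.c change nothing but `if(` to `if (`, which the -Wmisleading-indentation error quoted in the commit message does not call for. Those hunks run through the DATABASE_CORRUPTED_ERROR bounds checks in __delpair, __split_page, __get_page and __put_page, so a reader has to confirm by hand that no condition changed. Suggest keeping this patch to the lines gcc6 flags (the new_lseek block, the hash_access re-indent, blapitest.c and vfychain.c) and moving the spacing cleanup to a separate patch or dropping it. The cleanup is also uneven: `while(len > 0)` and `for(i=1 ; i <= num_keys; i+=2)` are left as they were, and `if (!is_bitmap && bp[0] != 0)` keeps its brace on the next line while new_lseek moves it up.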
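Review bot: in the hash_access hunk of lib/dbm/src/hash.c (-802,27), both `return (DATABASE_CORRUPTED_ERROR);` exits in the OVFLPAGE branch leave without the `save_bufp->flags &= ~BUF_PIN;` that the `!rbufp` exit performs in the same block. The hunk only re-indents, so behaviour is unchanged, but since every line of the block is being touched it is worth confirming whether the buffer is meant to stay pinned on the corruption paths, and either adding the unpin or a comment stating why it is not needed.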
@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = { PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ + 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE, /* cbcRandomIV */ ++++++ setup-nsssysinit.sh ++++++ #!/bin/sh # # Turns on or off the nss-sysinit module db by editing the # global PKCS #11 congiguration file. # # This script can be invoked by the user as super user. # It is invoked at nss-sysinit post install time with argument on # and at nss-sysinit pre uninstall with argument off. # usage() { cat <<EOF Usage: setup-nsssysinit [on|off] on - turns on nsssysinit off - turns off nsssysinit EOF exit $1 } # validate if test $# -eq 0; then usage 1 1>&2 fi # the system-wide configuration file p11conf="/etc/pki/nssdb/pkcs11.txt" # must exist, otherwise report it and exit with failure if [ ! -f $p11conf ]; then echo "Could not find ${p11conf}" exit 1 fi on="1" case "$1" in on | ON ) cat ${p11conf} | \ sed -e 's/^library=$/library=libnsssysinit.so/' \ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ ${p11conf}.on mv ${p11conf}.on ${p11conf} ;; off | OFF ) if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then exit 0 fi cat ${p11conf} | \ sed -e 's/^library=libnsssysinit.so/library=/' \ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ ${p11conf}.off mv ${p11conf}.off ${p11conf} ;; * ) usage 1 1>&2 ;; esac ++++++ system-nspr.patch ++++++ diff --git a/Makefile b/Makefile --- a/Makefile +++ b/Makefile 
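Review bot: in renegotiate-transitional.patch, the changed line in ssl_defaults (lib/ssl/sslsock.c) still carries the comment `(default: requires extension)` although the value moves from 2 to 3, which going by the patch name selects transitional renegotiation instead. Update the comment to match and use the named constant SSL_RENEGOTIATE_TRANSITIONAL in place of the literal, so nobody auditing the defaults reads this as the stricter setting. Because this relaxes a TLS default for every consumer of the package, the reason for carrying it belongs in the patch header as well.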
@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### -nss_build_all: build_nspr all +nss_build_all: all nss_clean_all: clobber_nspr clobber NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure # # Translate coreconf build options to NSPR configure options.
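Review bot: in system-nspr.patch, `nss_build_all` drops the `build_nspr` prerequisite but the context line `nss_clean_all: clobber_nspr clobber` still depends on the in-tree NSPR, and `NSPR_CONFIG_STATUS` and `NSPR_CONFIGURE` still point at `$(CORE_DEPTH)/../nspr`. If the package builds against the system NSPR, the clean target should drop `clobber_nspr` in the same hunk so the two targets stay consistent; otherwise add a note on why the clean side keeps it.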