Hello community,
here is the log from the commit of package mozilla-nss.5017 for
openSUSE:13.2:Update checked in at 2016-05-04 11:38:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/mozilla-nss.5017 (Old)
and /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss.5017"
Changes:
--------
New Changes file:
--- /dev/null 2016-04-07 01:36:33.300037506 +0200
+++ /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new/mozilla-nss.changes
2016-05-04 11:38:47.000000000 +0200
@@ -0,0 +1,1540 @@
+-------------------------------------------------------------------
+Mon Apr 18 15:53:40 UTC 2016 - norm...@linux.vnet.ibm.com
+
+- add nss_gcc6_change.patch
+
+-------------------------------------------------------------------
+Tue Mar 15 10:25:38 UTC 2016 - w...@rosenauer.org
+
+- update to NSS 3.22.3
+ * required for Firefox 46.0
+ * Increase compatibility of TLS extended master secret,
+ don't send an empty TLS extension last in the handshake
+ (bmo#1243641)
+
+-------------------------------------------------------------------
+Wed Mar 9 15:42:01 UTC 2016 - w...@rosenauer.org
+
+- update to NSS 3.22.2
+ New functionality:
+ * RSA-PSS signatures are now supported (bmo#1215295)
+ * Pseudorandom functions based on hashes other than SHA-1 are now supported
+ * Enforce an External Policy on NSS from a config file (bmo#1009429)
+ New functions:
+ * PK11_SignWithMechanism - an extended version PK11_Sign()
+ * PK11_VerifyWithMechanism - an extended version of PK11_Verify()
+ * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp
+ TLS extension data
+ * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp
+ TLS extension data
+ New types:
+ * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType
+ * Constants for several object IDs are added to SECOidTag
+ New macros:
+ * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS
+ * NSS_USE_ALG_IN_SSL
+ * NSS_USE_POLICY_IN_SSL
+ * NSS_RSA_MIN_KEY_SIZE
+ * NSS_DH_MIN_KEY_SIZE
+ * NSS_DSA_MIN_KEY_SIZE
+ * NSS_TLS_VERSION_MIN_POLICY
+ * NSS_TLS_VERSION_MAX_POLICY
+ * NSS_DTLS_VERSION_MIN_POLICY
+ * NSS_DTLS_VERSION_MAX_POLICY
+ * CKP_PKCS5_PBKD2_HMAC_SHA224
+ * CKP_PKCS5_PBKD2_HMAC_SHA256
+ * CKP_PKCS5_PBKD2_HMAC_SHA384
+ * CKP_PKCS5_PBKD2_HMAC_SHA512
+ * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported)
+ * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported)
+ * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported)
+ Notable changes:
+ * NSS C++ tests are built by default, requiring a C++11 compiler.
+ Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests.
+ * NSS has been changed to use the PR_GetEnvSecure function that
+ was made available in NSPR 4.12
+
+-------------------------------------------------------------------
+Mon Mar 7 15:41:50 UTC 2016 - w...@rosenauer.org
+
+- update to NSS 3.21.1 (bmo#969894)
+ * required for Firefox 45.0
+ * MFSA 2016-35/CVE-2016-1950 (bmo#1245528)
+ Buffer overflow during ASN.1 decoding in NSS
+ * MFSA 2016-36/CVE-2016-1979 (bmo#1185033)
+ Use-after-free during processing of DER encoded keys in NSS
+
+-------------------------------------------------------------------
+Sun Dec 20 10:12:35 UTC 2015 - w...@rosenauer.org
+
+- update to NSS 3.21
+ * required for Firefox 44.0
+ New functionality:
+ * certutil now supports a --rename option to change a nickname (bmo#1142209)
+ * TLS extended master secret extension (RFC 7627) is supported (bmo#1117022)
+ * New info functions added for use during mid-handshake callbacks
(bmo#1084669)
+ New Functions:
+ * NSS_OptionSet - sets NSS global options
+ * NSS_OptionGet - gets the current value of NSS global options
+ * SECMOD_CreateModuleEx - Create a new SECMODModule structure from module
name
+ string, module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string. The module represented by the module
+ structure is not loaded. The difference with SECMOD_CreateModule is the new
+ function handles NSS configuration parameter strings.
+ * SSL_GetPreliminaryChannelInfo - obtains information about a TLS channel
prior
+ to the handshake being completed, for use with the callbacks that are
invoked
+ during the handshake
+ * SSL_SignaturePrefSet - configures the enabled signature and hash algorithms
+ for TLS
+ * SSL_SignaturePrefGet - retrieves the currently configured signature and
hash
+ algorithms
+ * SSL_SignatureMaxCount - obtains the maximum number signature algorithms
that
+ can be configured with SSL_SignaturePrefSet
+ * NSSUTIL_ArgParseModuleSpecEx - takes a module spec and breaks it into
shared
+ library string, module name string, module parameters string, NSS specific
+ parameters string, and NSS configuration parameter strings. The returned
+ strings must be freed by the caller. The difference with
+ NSS_ArgParseModuleSpec is the new function handles NSS configuration
+ parameter strings.
+ * NSSUTIL_MkModuleSpecEx - take a shared library string, module name string,
+ module parameters string, NSS specific parameters string, and NSS
+ configuration parameter string and returns a module string which the caller
+ must free when it is done. The difference with NSS_MkModuleSpec is the new
+ function handles NSS configuration parameter strings.
+ New Types:
+ * CK_TLS12_MASTER_KEY_DERIVE_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_MASTER_KEY_DERIVE
+ * CK_TLS12_KEY_MAT_PARAMS{_PTR} - parameters {or pointer} for
+ CKM_TLS12_KEY_AND_MAC_DERIVE
+ * CK_TLS_KDF_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_KDF
+ * CK_TLS_MAC_PARAMS{_PTR} - parameters {or pointer} for CKM_TLS_MAC
+ * SSLHashType - identifies a hash function
+ * SSLSignatureAndHashAlg - identifies a signature and hash function
+ * SSLPreliminaryChannelInfo - provides information about the session state
+ prior to handshake completion
+ New Macros:
+ * NSS_RSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum RSA key size
+ * NSS_DH_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DH key size
+ * NSS_DSA_MIN_KEY_SIZE - used with NSS_OptionSet and NSS_OptionGet to set or
+ get the minimum DSA key size
+ * CKM_TLS12_MASTER_KEY_DERIVE - derives TLS 1.2 master secret
+ * CKM_TLS12_KEY_AND_MAC_DERIVE - derives TLS 1.2 traffic key and IV
+ * CKM_TLS12_MASTER_KEY_DERIVE_DH - derives TLS 1.2 master secret for DH (and
+ ECDH) cipher suites
+ * CKM_TLS12_KEY_SAFE_DERIVE and CKM_TLS_KDF are identifiers for additional
+ PKCS#12 mechanisms for TLS 1.2 that are currently unused in NSS.
+ * CKM_TLS_MAC - computes TLS Finished MAC
+ * NSS_USE_ALG_IN_SSL_KX - policy flag indicating that keys are used in TLS
key
+ exchange
+ * SSL_ERROR_RX_SHORT_DTLS_READ - error code for failure to include a complete
+ DTLS record in a UDP packet
+ * SSL_ERROR_NO_SUPPORTED_SIGNATURE_ALGORITHM - error code for when no valid
+ signature and hash algorithm is available
+ * SSL_ERROR_UNSUPPORTED_SIGNATURE_ALGORITHM - error code for when an
+ unsupported signature and hash algorithm is configured
+ * SSL_ERROR_MISSING_EXTENDED_MASTER_SECRET - error code for when the extended
+ master secret is missing after having been negotiated
+ * SSL_ERROR_UNEXPECTED_EXTENDED_MASTER_SECRET - error code for receiving an
+ extended master secret when previously not negotiated
+ * SSL_ENABLE_EXTENDED_MASTER_SECRET - configuration to enable the TLS
extended
+ master secret extension (RFC 7627)
+ * ssl_preinfo_version - used with SSLPreliminaryChannelInfo to indicate that
a
+ TLS version has been selected
+ * ssl_preinfo_cipher_suite - used with SSLPreliminaryChannelInfo to indicate
+ that a TLS cipher suite has been selected
+ * ssl_preinfo_all - used with SSLPreliminaryChannelInfo to indicate that all
+ preliminary information has been set
+ Notable Changes:
+ * NSS now builds with elliptic curve ciphers enabled by default (bmo#1205688)
+ * NSS now builds with warnings as errors (bmo#1182667)
+ * The following CA certificates were Removed
+ - CN = VeriSign Class 4 Public Primary Certification Authority - G3
+ - CN = UTN-USERFirst-Network Applications
+ - CN = TC TrustCenter Universal CA III
+ - CN = A-Trust-nQual-03
+ - CN = USERTrust Legacy Secure Server CA
+ - Friendly Name: Digital Signature Trust Co. Global CA 1
+ - Friendly Name: Digital Signature Trust Co. Global CA 3
+ - CN = UTN - DATACorp SGC
+ - O = TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c)
Kasım 2005
+ * The following CA certificate had the Websites trust bit turned off
+ - OU = Equifax Secure Certificate Authority
+ * The following CA certificates were Added
+ - CN = Certification Authority of WoSign G2
+ - CN = CA WoSign ECC Root
+ - CN = OISTE WISeKey Global Root GB CA
+- increased the minimum level of possible mixed installations
+ (softokn3, freebl3) to 3.21
+- added nss-bmo1236011.patch to fix compiler error (bmo#1236011)
+- disabled testsuite as it currently breaks (bmo#1236340)
+
+-------------------------------------------------------------------
+Sat Dec 19 17:13:21 UTC 2015 - w...@rosenauer.org
+
+- update to NSS 3.20.2 (bnc#959888)
+ * MFSA 2015-150/CVE-2015-7575 (bmo#1158489)
+ MD5 signatures accepted within TLS 1.2 ServerKeyExchange in
+ server signature
+
+-------------------------------------------------------------------
+Sun Oct 25 14:44:21 UTC 2015 - w...@rosenauer.org
+
+- update to NSS 3.20.1 (bnc#952810)
+ * requires NSPR 4.10.10
+ * MFSA 2015-133/CVE-2015-7181/CVE-2015-7182 (bmo#1192028, bmo#1202868)
+ memory corruption issues
+
+-------------------------------------------------------------------
+Thu Sep 24 15:41:09 UTC 2015 - fst...@suse.com
+
+- Install the static libfreebl.a that is needed in order to link
+ Sun elliptical curves provider in Java 7.
+
+-------------------------------------------------------------------
+Thu Sep 24 09:39:17 UTC 2015 - w...@rosenauer.org
+
++++ 1343 more lines (skipped)
++++ between /dev/null
++++ and
/work/SRC/openSUSE:13.2:Update/.mozilla-nss.5017.new/mozilla-nss.changes
New:
----
baselibs.conf
cert9.db
key4.db
malloc.patch
mozilla-nss-rpmlintrc
mozilla-nss.changes
mozilla-nss.spec
nss-3.22.3.tar.gz
nss-bmo1236011.patch
nss-config.in
nss-disable-ocsp-test.patch
nss-no-rpath.patch
nss-opt.patch
nss-sqlitename.patch
nss.pc.in
nss_gcc6_change.patch
pkcs11.txt
renegotiate-transitional.patch
setup-nsssysinit.sh
system-nspr.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mozilla-nss.spec ++++++
#
# spec file for package mozilla-nss
#
# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2006-2015 Wolfgang Rosenauer
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
%global nss_softokn_fips_version 3.21
Name: mozilla-nss
BuildRequires: gcc-c++
BuildRequires: mozilla-nspr-devel >= 4.12
BuildRequires: pkg-config
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
Version: 3.22.3
Release: 0
# bug437293
%ifarch ppc64
Obsoletes: mozilla-nss-64bit
%endif
#
Summary: Network Security Services
License: MPL-2.0
Group: System/Libraries
Url: http://www.mozilla.org/projects/security/pki/nss/
Source:
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_22_3_RTM/src/nss-%{version}.tar.gz
# hg clone https://hg.mozilla.org/projects/nss nss-3.22.3/nss ; cd
nss-3.22.3/nss ; hg up NSS_3_22_3_RTM
#Source: nss-%{version}.tar.gz
Source1: nss.pc.in
Source3: nss-config.in
Source4: %{name}-rpmlintrc
Source5: baselibs.conf
Source6: setup-nsssysinit.sh
Source7: cert9.db
Source8: key4.db
Source9: pkcs11.txt
#Source10: PayPalEE.cert
Source99: %{name}.changes
Patch1: nss-opt.patch
Patch2: system-nspr.patch
Patch4: nss-no-rpath.patch
Patch5: renegotiate-transitional.patch
Patch6: malloc.patch
Patch7: nss-disable-ocsp-test.patch
Patch8: nss-sqlitename.patch
Patch9: nss-bmo1236011.patch
Patch10: nss_gcc6_change.patch
%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
PreReq: mozilla-nspr >= %nspr_ver
PreReq: libfreebl3 >= %{nss_softokn_fips_version}
PreReq: libsoftokn3 >= %{nss_softokn_fips_version}
%if %{_lib} == lib64
Requires: libnssckbi.so()(64bit)
%else
Requires: libnssckbi.so
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%define nssdbdir %{_sysconfdir}/pki/nssdb
%ifnarch %sparc
%if ! 0%{?qemu_user_space_build}
# disabled temporarily bmo#1236340
%define run_testsuite 0
%endif
%endif
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled server
applications. Applications built with NSS can support SSL v3,
TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3
certificates, and other security standards.
%package devel
Summary: Network (Netscape) Security Services development files
Group: Development/Libraries/Other
Requires: libfreebl3
Requires: libsoftokn3
Requires: mozilla-nspr-devel >= 4.9
Requires: mozilla-nss = %{version}-%{release}
# bug437293
%ifarch ppc64
Obsoletes: mozilla-nss-devel-64bit
%endif
%description devel
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled server
applications. Applications built with NSS can support SSL v3,
TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3
certificates, and other security standards.
%package tools
Summary: Tools for developing, debugging, and managing applications that
use NSS
Group: System/Management
PreReq: mozilla-nss >= %{version}
%description tools
The NSS Security Tools allow developers to test, debug, and manage
applications that use NSS.
%package sysinit
Summary: System NSS Initialization
Group: System/Management
Requires: mozilla-nss >= %{version}
Requires(post): coreutils
%description sysinit
Default Operation System module that manages applications loading
NSS globally on the system. This module loads the system defined
PKCS #11 modules for NSS and chains with other NSS modules to load
any system or user configured modules.
%package -n libfreebl3
Summary: Freebl library for the Network Security Services
Group: System/Libraries
Provides: libfreebl3-hmac
%description -n libfreebl3
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled server
applications. Applications built with NSS can support SSL v3,
TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3
certificates, and other security standards.
This package installs the freebl library from NSS.
%package -n libsoftokn3
Summary: Network Security Services Softoken Module
Group: System/Libraries
Requires: libfreebl3 = %{version}-%{release}
Provides: libsoftokn3-hmac
%description -n libsoftokn3
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled server
applications. Applications built with NSS can support SSL v3,
TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3
certificates, and other security standards.
Network Security Services Softoken Cryptographic Module
%package certs
Summary: CA certificates for NSS
Group: Productivity/Networking/Security
%description certs
This package contains the integrated CA root certificates from the
Mozilla project.
%prep
%setup -n nss-%{version} -q
cd nss
%patch1 -p1
%patch2 -p1
%patch4 -p1
%patch5 -p1
%if %suse_version > 1110
%patch6 -p1
%endif
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
# additional CA certificates
#cd security/nss/lib/ckfw/builtins
#cat %{SOURCE2} >> certdata.txt
#make generate
%build
cd nss
modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{S:99}")"
DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\""
TIME="\"$(date -d "${modified}" "+%%R")\""
find . -name '*.[ch]' -print -exec sed -i
"s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} +
export FREEBL_NO_DEPEND=1
export FREEBL_LOWHASH=1
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
export NSPR_LIB_DIR=`nspr-config --libdir`
export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export LIBDIR=%{_libdir}
%ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64
export USE_64=1
%endif
export NSS_USE_SYSTEM_SQLITE=1
#export SQLITE_LIB_NAME=nsssqlite3
MAKE_FLAGS="BUILD_OPT=1"
make nss_build_all $MAKE_FLAGS
# run testsuite
%if 0%{?run_testsuite}
export BUILD_OPT=1
export HOST="localhost"
export DOMSUF=" "
export USE_IP=TRUE
export IP_ADDRESS="127.0.0.1"
cd tests
./all.sh
if grep "FAILED" ../../../tests_results/security/localhost.1/output.log ; then
echo "Testsuite FAILED"
exit 1
fi
%endif
%install
cd nss
mkdir -p $RPM_BUILD_ROOT%{_libdir}
mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss
mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3
mkdir -p $RPM_BUILD_ROOT%{_bindir}
mkdir -p $RPM_BUILD_ROOT%{_sbindir}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT%{nssdbdir}
pushd ../dist/Linux*
# copy headers
cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
# copy some freebl include files we also want
for file in blapi.h alghmac.h
do
cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
done
# copy dynamic libs
cp -L lib/libnss3.so \
lib/libnssdbm3.so \
lib/libnssdbm3.chk \
lib/libnssutil3.so \
lib/libnssckbi.so \
lib/libnsssysinit.so \
lib/libsmime3.so \
lib/libsoftokn3.so \
lib/libsoftokn3.chk \
lib/libssl3.so \
$RPM_BUILD_ROOT%{_libdir}
cp -L lib/libfreebl3.so \
lib/libfreebl3.chk \
$RPM_BUILD_ROOT/%{_lib}
#cp -L lib/libnsssqlite3.so \
# $RPM_BUILD_ROOT%{_libdir}
# copy static libs
cp -L lib/libcrmf.a \
lib/libfreebl.a \
lib/libnssb.a \
lib/libnssckfw.a \
$RPM_BUILD_ROOT%{_libdir}
# copy tools
cp -L bin/certutil \
bin/cmsutil \
bin/crlutil \
bin/modutil \
bin/pk12util \
bin/signtool \
bin/signver \
bin/ssltap \
$RPM_BUILD_ROOT%{_bindir}
# copy unsupported tools
cp -L bin/atob \
bin/btoa \
bin/derdump \
bin/ocspclnt \
bin/pp \
bin/selfserv \
bin/shlibsign \
bin/strsclnt \
bin/symkeyutil \
bin/tstclnt \
bin/vfyserv \
bin/vfychain \
$RPM_BUILD_ROOT%{_libexecdir}/nss
# prepare pkgconfig file
mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/
sed "s:%%LIBDIR%%:%{_libdir}:g
s:%%VERSION%%:%{version}:g
s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
%{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc
# prepare nss-config file
popd
NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'`
NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | gawk '{print $3}'`
NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | gawk '{print $3}'`
cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
-e "s,@prefix@,%{_prefix},g" \
-e "s,@exec_prefix@,%{_prefix},g" \
-e "s,@includedir@,%{_includedir}/nss3,g" \
-e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
-e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
-e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
> $RPM_BUILD_ROOT/%{_bindir}/nss-config
chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
# setup-nsssysinfo.sh
install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/
# create empty NSS database
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir
"sql:$RPM_BUILD_ROOT%{nssdbdir}" -create
#LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f
/dev/null 2>&1 > /dev/null
#chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/*
#sed "s:%{buildroot}::g
#s/^library=$/library=libnsssysinit.so/
#/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \
# $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt >
$RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed
# mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,}
# copy empty NSS database
install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir}
install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir}
install -m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir}
# create shlib sigs after extracting debuginfo
%define __spec_install_post \
%{?__debug_package:%{__debug_install_post}} \
%{__arch_install_post} \
%{__os_install_post} \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i
$RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i
$RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \
LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir}
$RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i
$RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \
%{nil}
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%post -n libfreebl3 -p /sbin/ldconfig
%postun -n libfreebl3 -p /sbin/ldconfig
%post -n libsoftokn3 -p /sbin/ldconfig
%postun -n libsoftokn3 -p /sbin/ldconfig
%post sysinit
/sbin/ldconfig
# make sure the current config is enabled
%{_sbindir}/setup-nsssysinit.sh on
%preun sysinit
if [ $1 = 0 ]; then
%{_sbindir}/setup-nsssysinit.sh off
fi
%postun sysinit -p /sbin/ldconfig
%clean
rm -rf $RPM_BUILD_ROOT
%files
%defattr(-, root, root)
%{_libdir}/libnss3.so
%{_libdir}/libnssutil3.so
%{_libdir}/libsmime3.so
%{_libdir}/libssl3.so
#%{_libdir}/libnsssqlite3.so
%files devel
%defattr(644, root, root, 755)
%{_includedir}/nss3/
%{_libdir}/*.a
%{_libdir}/pkgconfig/*
%attr(755,root,root) %{_bindir}/nss-config
%files tools
%defattr(-, root, root)
%{_bindir}/*
%exclude %{_sbindir}/setup-nsssysinit.sh
%{_libexecdir}/nss/
%exclude %{_bindir}/nss-config
%files sysinit
%defattr(-, root, root)
%dir %{_sysconfdir}/pki
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %{_sysconfdir}/pki/nssdb/*
%{_libdir}/libnsssysinit.so
%{_sbindir}/setup-nsssysinit.sh
%files -n libfreebl3
%defattr(-, root, root)
/%{_lib}/libfreebl3.so
/%{_lib}/libfreebl3.chk
%files -n libsoftokn3
%defattr(-, root, root)
%{_libdir}/libsoftokn3.so
%{_libdir}/libsoftokn3.chk
%{_libdir}/libnssdbm3.so
%{_libdir}/libnssdbm3.chk
%files certs
%defattr(-, root, root)
%{_libdir}/libnssckbi.so
%changelog
++++++ baselibs.conf ++++++
mozilla-nss
requires "libfreebl3-<targettype>"
requires "libsoftokn3-<targettype>"
requires "mozilla-nss-certs-<targettype>"
libsoftokn3
requires "libfreebl3-<targettype> = <version>"
+/usr/lib/libsoftokn3.chk
+/usr/lib/libnssdbm3.chk
libfreebl3
+/lib/libfreebl3.chk
mozilla-nss-sysinit
mozilla-nss-certs
++++++ malloc.patch ++++++
Index: security/nss/tests/ssl/ssl.sh
===================================================================
RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v
retrieving revision 1.100
diff -u -r1.100 ssl.sh
--- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100
+++ nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000
@@ -974,6 +974,7 @@
################################# main #################################
+unset MALLOC_CHECK_
ssl_init
ssl_run_tests
ssl_cleanup
++++++ mozilla-nss-rpmlintrc ++++++
addFilter("shlib-policy-name-error")
addFilter("shlib-policy-missing-lib")
addFilter("shlib-policy-missing-suffix")
addFilter("shlib-unversioned-lib")
addFilter("shlib-fixed-dependency")
++++++ nss-bmo1236011.patch ++++++
diff --git a/cmd/modutil/install-ds.h b/nss/cmd/modutil/install-ds.h
--- a/cmd/modutil/install-ds.h
+++ b/cmd/modutil/install-ds.h
@@ -238,17 +238,17 @@ struct Pk11Install_Info_str {
int numPlatforms;
Pk11Install_PlatformName *forwardCompatible;
int numForwardCompatible;
};
Pk11Install_Info*
Pk11Install_Info_new();
void
-Pk11Install_Info_init();
+Pk11Install_Info_init(Pk11Install_Info* _this);
void
Pk11Install_Info_delete(Pk11Install_Info* _this);
/*// Returns NULL for success, error message if parse error.*/
char*
Pk11Install_Info_Generate(Pk11Install_Info* _this,
const Pk11Install_ValueList *list);
/*// Returns NULL if there is no matching platform*/
Pk11Install_Platform*
++++++ nss-config.in ++++++
#!/bin/sh
prefix=@prefix@
major_version=@MOD_MAJOR_VERSION@
minor_version=@MOD_MINOR_VERSION@
patch_version=@MOD_PATCH_VERSION@
usage()
{
cat <<EOF
Usage: nss-config [OPTIONS] [LIBRARIES]
Options:
[--prefix[=DIR]]
[--exec-prefix[=DIR]]
[--includedir[=DIR]]
[--libdir[=DIR]]
[--version]
[--libs]
[--cflags]
Dynamic Libraries:
nss
ssl
smime
EOF
exit $1
}
if test $# -eq 0; then
usage 1 1>&2
fi
lib_ssl=yes
lib_smime=yes
lib_nss=yes
lib_nssutil=yes
while test $# -gt 0; do
case "$1" in
-*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
*) optarg= ;;
esac
case $1 in
--prefix=*)
prefix=$optarg
;;
--prefix)
echo_prefix=yes
;;
--exec-prefix=*)
exec_prefix=$optarg
;;
--exec-prefix)
echo_exec_prefix=yes
;;
--includedir=*)
includedir=$optarg
;;
--includedir)
echo_includedir=yes
;;
--libdir=*)
libdir=$optarg
;;
--libdir)
echo_libdir=yes
;;
--version)
echo ${major_version}.${minor_version}.${patch_version}
;;
--cflags)
echo_cflags=yes
;;
--libs)
echo_libs=yes
;;
ssl)
lib_ssl=yes
;;
smime)
lib_smime=yes
;;
nss)
lib_nss=yes
;;
nssutil)
lib_nssutil=yes
;;
*)
usage 1 1>&2
;;
esac
shift
done
# Set variables that may be dependent upon other variables
if test -z "$exec_prefix"; then
exec_prefix=@exec_prefix@
fi
if test -z "$includedir"; then
includedir=@includedir@
fi
if test -z "$libdir"; then
libdir=@libdir@
fi
if test "$echo_prefix" = "yes"; then
echo $prefix
fi
if test "$echo_exec_prefix" = "yes"; then
echo $exec_prefix
fi
if test "$echo_includedir" = "yes"; then
echo $includedir
fi
if test "$echo_libdir" = "yes"; then
echo $libdir
fi
if test "$echo_cflags" = "yes"; then
echo -I$includedir
fi
if test "$echo_libs" = "yes"; then
libdirs="-Wl,-rpath-link,$libdir -L$libdir"
if test -n "$lib_ssl"; then
libdirs="$libdirs -lssl${major_version}"
fi
if test -n "$lib_smime"; then
libdirs="$libdirs -lsmime${major_version}"
fi
if test -n "$lib_nss"; then
libdirs="$libdirs -lnss${major_version}"
fi
if test -n "$lib_nssutil"; then
libdirs="$libdirs -lnssutil${major_version}"
fi
echo $libdirs
fi
++++++ nss-disable-ocsp-test.patch ++++++
diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios
--- a/tests/chains/scenarios/scenarios
+++ b/tests/chains/scenarios/scenarios
@@ -45,12 +45,11 @@ mapping.cfg
mapping2.cfg
aia.cfg
bridgewithaia.cfg
bridgewithhalfaia.cfg
bridgewithpolicyextensionandmapping.cfg
realcerts.cfg
dsa.cfg
revoc.cfg
-ocsp.cfg
crldp.cfg
trustanchors.cfg
nameconstraints.cfg
++++++ nss-no-rpath.patch ++++++
Index: security/nss/cmd/platlibs.mk
===================================================================
RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
retrieving revision 1.71
diff -u -p -6 -r1.71 platlibs.mk
--- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71
+++ nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000
@@ -15,15 +15,15 @@ else
EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
endif
endif
ifeq ($(OS_ARCH), Linux)
ifeq ($(USE_64), 1)
-EXTRA_SHARED_LIBS +=
-Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
+#EXTRA_SHARED_LIBS +=
-Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
else
-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
endif
endif
endif # BUILD_SUN_PKG
ifdef NSS_DISABLE_DBM
++++++ nss-opt.patch ++++++
Index: security/coreconf/Linux.mk
===================================================================
RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
retrieving revision 1.45.2.1
diff -u -r1.45.2.1 Linux.mk
--- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1
+++ nss/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000
@@ -112,11 +112,7 @@
endif
ifdef BUILD_OPT
-ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE))
- OPTIMIZER = -Os
-else
- OPTIMIZER = -O2
-endif
+ OPTIMIZER = $(OPT_FLAGS)
ifdef MOZ_DEBUG_SYMBOLS
ifdef MOZ_DEBUG_FLAGS
OPTIMIZER += $(MOZ_DEBUG_FLAGS)
++++++ nss-sqlitename.patch ++++++
Index: security/nss/lib/sqlite/manifest.mn
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v
retrieving revision 1.5
diff -u -r1.5 manifest.mn
--- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5
+++ nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000
@@ -6,9 +6,10 @@
MODULE = nss
-LIBRARY_NAME = sqlite
+LIBRARY_NAME = nsssqlite
LIBRARY_VERSION = 3
MAPFILE = $(OBJDIR)/sqlite.def
+MAPFILE_SOURCE = sqlite.def
DEFINES += -DSQLITE_THREADSAFE=1
EXPORTS = \
++++++ nss.pc.in ++++++
prefix=/usr
exec_prefix=${prefix}
libdir=%LIBDIR%
includedir=${prefix}/include/nss3
Name: NSS
Description: Network Security Services
Version: %VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
Cflags: -I${includedir}
++++++ nss_gcc6_change.patch ++++++
From: Michel Normand <norm...@linux.vnet.ibm.com>
Subject: nss gcc6 change
Date: Mon, 18 Apr 2016 19:11:03 +0200
nss changes required to avoid build error with gcc6 like:
===
[ 58s] h_page.c: In function 'new_lseek':
[ 58s] h_page.c:117:8: error: this 'if' clause does not guard...
[-Werror=misleading-indentation]
[ 58s] if(offset < 1)
[ 58s] ^~
[ 58s] h_page.c:120:3: note: ...this statement, but the latter is
misleadingly indented as if it is guarded by the 'if'
[ 58s] cur_pos = lseek(fd, 0, SEEK_CUR);
[ 58s] ^~~~~~~
===
Signed-off-by: Michel Normand <norm...@linux.vnet.ibm.com>
---
cmd/bltest/blapitest.c | 4 +--
cmd/vfychain/vfychain.c | 3 +-
lib/dbm/src/h_page.c | 55 +++++++++++++++++++++-----------------------
lib/dbm/src/hash.c | 60 ++++++++++++++++++++++++------------------------
4 files changed, 61 insertions(+), 61 deletions(-)
Index: nss/lib/dbm/src/h_page.c
===================================================================
--- nss.orig/lib/dbm/src/h_page.c
+++ nss/lib/dbm/src/h_page.c
@@ -112,26 +112,25 @@ long new_lseek(int fd, long offset, int
long end_pos=0;
long seek_pos=0;
- if(origin == SEEK_CUR)
- {
- if(offset < 1)
- return(lseek(fd, offset, SEEK_CUR));
+ if (origin == SEEK_CUR) {
+ if (offset < 1)
+ return(lseek(fd, offset, SEEK_CUR));
- cur_pos = lseek(fd, 0, SEEK_CUR);
+ cur_pos = lseek(fd, 0, SEEK_CUR);
+
+ if (cur_pos < 0)
+ return(cur_pos);
+ }
- if(cur_pos < 0)
- return(cur_pos);
- }
-
end_pos = lseek(fd, 0, SEEK_END);
- if(end_pos < 0)
+ if (end_pos < 0)
return(end_pos);
- if(origin == SEEK_SET)
+ if (origin == SEEK_SET)
seek_pos = offset;
- else if(origin == SEEK_CUR)
+ else if (origin == SEEK_CUR)
seek_pos = cur_pos + offset;
- else if(origin == SEEK_END)
+ else if (origin == SEEK_END)
seek_pos = end_pos + offset;
else
{
@@ -143,7 +142,7 @@ long new_lseek(int fd, long offset, int
* end of the file. We don't need
* to do anything special except the seek.
*/
- if(seek_pos <= end_pos)
+ if (seek_pos <= end_pos)
return(lseek(fd, seek_pos, SEEK_SET));
/* the seek position is beyond the end of the
@@ -161,7 +160,7 @@ long new_lseek(int fd, long offset, int
memset(buffer, 0, 1024);
while(len > 0)
{
- if(write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0)
+ if (write(fd, buffer, (size_t)(1024 > len ? len : 1024)) < 0)
return(-1);
len -= 1024;
}
@@ -245,10 +244,10 @@ __delpair(HTAB *hashp, BUFHEAD *bufp, in
* Once we know dst_offset is < BSIZE, we can subtract it from
BSIZE
* to get an upper bound on length.
*/
- if(dst_offset > (uint32)hashp->BSIZE)
+ if (dst_offset > (uint32)hashp->BSIZE)
return(DATABASE_CORRUPTED_ERROR);
- if(length > (uint32)(hashp->BSIZE - dst_offset))
+ if (length > (uint32)(hashp->BSIZE - dst_offset))
return(DATABASE_CORRUPTED_ERROR);
memmove(dst, src, length);
@@ -324,7 +323,7 @@ __split_page(HTAB *hashp, uint32 obucket
* off. If it is then the database has
* been corrupted.
*/
- if(ino[n] > off)
+ if (ino[n] > off)
return(DATABASE_CORRUPTED_ERROR);
key.size = off - ino[n];
@@ -355,7 +354,7 @@ __split_page(HTAB *hashp, uint32 obucket
* wrong. LJM
*/
tmp_uint16_array = (uint16*)np;
- if(!PAIRFITS(tmp_uint16_array, &key, &val))
+ if (!PAIRFITS(tmp_uint16_array, &key, &val))
return(DATABASE_CORRUPTED_ERROR);
putpair(np, &key, &val);
@@ -440,7 +439,7 @@ ugly_split(HTAB *hashp, uint32 obucket,
*/
loop_detection++;
- if(loop_detection > MAX_UGLY_SPLIT_LOOPS)
+ if (loop_detection > MAX_UGLY_SPLIT_LOOPS)
return DATABASE_CORRUPTED_ERROR;
if (ino[2] < REAL_KEY && ino[2] != OVFLPAGE) {
@@ -736,7 +735,7 @@ __get_page(HTAB *hashp,
* the maximum number of entries
* in the array
*/
- if((unsigned)max > (size / sizeof(uint16)))
+ if ((unsigned)max > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
/* do the byte order swap
@@ -749,7 +748,7 @@ __get_page(HTAB *hashp,
/* check the validity of the page here
* (after doing byte order swaping if necessary)
*/
- if(!is_bitmap && bp[0] != 0)
+ if (!is_bitmap && bp[0] != 0)
{
uint16 num_keys = bp[0];
uint16 offset;
@@ -760,11 +759,11 @@ __get_page(HTAB *hashp,
* bp[0] is too large (larger than the whole
* page) then the page is corrupted
*/
- if(bp[0] > (size / sizeof(uint16)))
+ if (bp[0] > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
/* bound free space */
- if(FREESPACE(bp) > size)
+ if (FREESPACE(bp) > size)
return(DATABASE_CORRUPTED_ERROR);
/* check each key and data offset to make
@@ -776,10 +775,10 @@ __get_page(HTAB *hashp,
for(i=1 ; i <= num_keys; i+=2)
{
/* ignore overflow pages etc. */
- if(bp[i+1] >= REAL_KEY)
+ if (bp[i+1] >= REAL_KEY)
{
- if(bp[i] > offset || bp[i+1] > bp[i])
+ if (bp[i] > offset || bp[i+1] > bp[i])
return(DATABASE_CORRUPTED_ERROR);
offset = bp[i+1];
@@ -832,7 +831,7 @@ __put_page(HTAB *hashp, char *p, uint32
* the maximum number of entries
* in the array
*/
- if((unsigned)max > (size / sizeof(uint16)))
+ if ((unsigned)max > (size / sizeof(uint16)))
return(DATABASE_CORRUPTED_ERROR);
for (i = 0; i <= max; i++)
@@ -1091,7 +1090,7 @@ __free_ovflpage(HTAB *hashp, BUFHEAD *ob
uint32 bit_address, free_page, free_bit;
uint16 ndx;
- if(!obufp || !obufp->addr)
+ if (!obufp || !obufp->addr)
return;
addr = obufp->addr;
Index: nss/lib/dbm/src/hash.c
===================================================================
--- nss.orig/lib/dbm/src/hash.c
+++ nss/lib/dbm/src/hash.c
@@ -154,7 +154,7 @@ __hash_open(const char *file, int flags,
return NULL;
}
hashp->fp = NO_FILE;
- if(file)
+ if (file)
hashp->filename = strdup(file);
/*
@@ -172,7 +172,7 @@ __hash_open(const char *file, int flags,
errno = 0; /* Just in case someone looks at errno */
new_table = 1;
}
- else if(statbuf.st_mtime && statbuf.st_size == 0)
+ else if (statbuf.st_mtime && statbuf.st_size == 0)
{
/* check for a zero length file and delete it
* if it exists
@@ -288,7 +288,7 @@ hash_close(DB *dbp)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
retval = hdestroy(hashp);
@@ -304,7 +304,7 @@ static int hash_fd(const DB *dbp)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
if (hashp->fp == -1) {
@@ -480,7 +480,7 @@ hdestroy(HTAB *hashp)
if (hashp->fp != -1)
(void)close(hashp->fp);
- if(hashp->filename) {
+ if (hashp->filename) {
#if defined(_WIN32) || defined(_WINDOWS) || defined(XP_OS2)
if (hashp->is_temp)
(void)unlink(hashp->filename);
@@ -578,7 +578,7 @@ hash_sync(const DB *dbp, uint flags)
return (DBM_ERROR);
hashp = (HTAB *)dbp->internal;
- if(!hashp)
+ if (!hashp)
return (DBM_ERROR);
if (!hashp->save_file)
@@ -670,7 +670,7 @@ hash_get(
rv = hash_access(hashp, HASH_GET, (DBT *)key, data);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -707,7 +707,7 @@ hash_put(
rv = hash_access(hashp, flag == R_NOOVERWRITE ?
HASH_PUTNEW : HASH_PUT, (DBT *)key, (DBT *)data);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -741,7 +741,7 @@ hash_delete(
}
rv = hash_access(hashp, HASH_DELETE, (DBT *)key, NULL);
- if(rv == DATABASE_CORRUPTED_ERROR)
+ if (rv == DATABASE_CORRUPTED_ERROR)
{
#if defined(unix) && defined(DEBUG)
printf("\n\nDBM Database has been corrupted, tell Lou...\n\n");
@@ -802,27 +802,27 @@ hash_access(
ndx += 2;
} else if (bp[1] == OVFLPAGE) {
- /* database corruption: overflow loop detection */
- if(last_overflow_page_no == (int32)*bp)
- return (DATABASE_CORRUPTED_ERROR);
-
- last_overflow_page_no = *bp;
-
- rbufp = __get_buf(hashp, *bp, rbufp, 0);
- if (!rbufp) {
- save_bufp->flags &= ~BUF_PIN;
- return (DBM_ERROR);
- }
-
- ovfl_loop_count++;
- if(ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
- return (DATABASE_CORRUPTED_ERROR);
-
- /* FOR LOOP INIT */
- bp = (uint16 *)rbufp->page;
- n = *bp++;
- ndx = 1;
- off = hashp->BSIZE;
+ /* database corruption: overflow loop detection */
+ if (last_overflow_page_no == (int32)*bp)
+ return (DATABASE_CORRUPTED_ERROR);
+
+ last_overflow_page_no = *bp;
+
+ rbufp = __get_buf(hashp, *bp, rbufp, 0);
+ if (!rbufp) {
+ save_bufp->flags &= ~BUF_PIN;
+ return (DBM_ERROR);
+ }
+
+ ovfl_loop_count++;
+ if (ovfl_loop_count > MAX_OVERFLOW_HASH_ACCESS_LOOPS)
+ return (DATABASE_CORRUPTED_ERROR);
+
+ /* FOR LOOP INIT */
+ bp = (uint16 *)rbufp->page;
+ n = *bp++;
+ ndx = 1;
+ off = hashp->BSIZE;
} else if (bp[1] < REAL_KEY) {
if ((ndx =
__find_bigpair(hashp, rbufp, ndx, kp, (int)size)) >
0)
Index: nss/cmd/bltest/blapitest.c
===================================================================
--- nss.orig/cmd/bltest/blapitest.c
+++ nss/cmd/bltest/blapitest.c
@@ -1571,8 +1571,8 @@ bltest_seed_init(bltestCipherInfo *ciphe
cipherInfo->cipher.symmkeyCipher = seed_Encrypt;
else
cipherInfo->cipher.symmkeyCipher = seed_Decrypt;
-
- return SECSuccess;
+
+ return SECSuccess;
}
SECStatus
Index: nss/cmd/vfychain/vfychain.c
===================================================================
--- nss.orig/cmd/vfychain/vfychain.c
+++ nss/cmd/vfychain/vfychain.c
@@ -439,7 +439,8 @@ main(int argc, char *argv[], char *envp[
case 0 : /* positional parameter */ goto breakout;
case 'a' : isAscii = PR_TRUE; break;
case 'b' : secStatus = DER_AsciiToTime(&time, optstate->value);
- if (secStatus != SECSuccess) Usage(progName); break;
+ if (secStatus != SECSuccess) Usage(progName);
+ break;
case 'd' : certDir = PL_strdup(optstate->value); break;
case 'e' : ocsp_fetchingFailureIsAFailure = PR_FALSE; break;
case 'f' : certFetching = PR_TRUE; break;
++++++ pkcs11.txt ++++++
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix=''
updateid='' updateTokenDescription=''
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
askpw=any timeout=30})
++++++ renegotiate-transitional.patch ++++++
diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c
index e6b2387..87fbe1d 100644
--- a/lib/ssl/sslsock.c
+++ b/lib/ssl/sslsock.c
@@ -74,7 +74,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: requires extension) */
PR_FALSE, /* requireSafeNegotiation */
PR_FALSE, /* enableFalseStart */
PR_TRUE, /* cbcRandomIV */
++++++ setup-nsssysinit.sh ++++++
#!/bin/sh
#
# Turns on or off the nss-sysinit module db by editing the
# global PKCS #11 congiguration file.
#
# This script can be invoked by the user as super user.
# It is invoked at nss-sysinit post install time with argument on
# and at nss-sysinit pre uninstall with argument off.
#
usage()
{
cat <<EOF
Usage: setup-nsssysinit [on|off]
on - turns on nsssysinit
off - turns off nsssysinit
EOF
exit $1
}
# validate
if test $# -eq 0; then
usage 1 1>&2
fi
# the system-wide configuration file
p11conf="/etc/pki/nssdb/pkcs11.txt"
# must exist, otherwise report it and exit with failure
if [ ! -f $p11conf ]; then
echo "Could not find ${p11conf}"
exit 1
fi
on="1"
case "$1" in
on | ON )
cat ${p11conf} | \
sed -e 's/^library=$/library=libnsssysinit.so/' \
-e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
${p11conf}.on
mv ${p11conf}.on ${p11conf}
;;
off | OFF )
if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then
exit 0
fi
cat ${p11conf} | \
sed -e 's/^library=libnsssysinit.so/library=/' \
-e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
${p11conf}.off
mv ${p11conf}.off ${p11conf}
;;
* )
usage 1 1>&2
;;
esac
++++++ system-nspr.patch ++++++
diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk
#######################################################################
#######################################################################
# (7) Execute "local" rules. (OPTIONAL). #
#######################################################################
-nss_build_all: build_nspr all
+nss_build_all: all
nss_clean_all: clobber_nspr clobber
NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure
#
# Translate coreconf build options to NSPR configure options.
