diff --git a/PayPalEE.cert b/PayPalEE.cert
deleted file mode 100644
index aef4086762a88dd5d7df06a7f4e23ea2f502c83c..0000000000000000000000000000000000000000
Binary files a/PayPalEE.cert and /dev/null differ
diff --git a/PayPalICA.cert b/PayPalICA.cert
deleted file mode 100644
index dd14c1b21886d9e63559403e819aa2ac2b516b9b..0000000000000000000000000000000000000000
Binary files a/PayPalICA.cert and /dev/null differ
diff --git a/iquote.patch b/iquote.patch
deleted file mode 100644
index 6e4adcd71f4f5acfeea5aef25878136b3fe3facb..0000000000000000000000000000000000000000
--- a/iquote.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
---- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
- SQLITE_LIB_NAME = sqlite3
- endif
-
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included
diff --git a/nss-539183.patch b/nss-539183.patch
deleted file mode 100644
index eda32492eff006038ccdadd229ff07c57fdd6ebb..0000000000000000000000000000000000000000
--- a/nss-539183.patch
+++ /dev/null
@@ -1,62 +0,0 @@
---- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
-+++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
- PRFileDesc *listen_sock;
- int listenQueueDepth = 5 + (2 * maxThreads);
- PRStatus prStatus;
- PRNetAddr addr;
- PRSocketOptionData opt;
-
-- addr.inet.family = PR_AF_INET;
-- addr.inet.ip = PR_INADDR_ANY;
-- addr.inet.port = PR_htons(port);
-+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+ errExit("PR_SetNetAddr");
-+ }
-
-- listen_sock = PR_NewTCPSocket();
-+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
- if (listen_sock == NULL) {
-- errExit("PR_NewTCPSocket");
-+ errExit("PR_OpenTCPSockett");
- }
-
- opt.option = PR_SockOpt_Nonblocking;
- opt.value.non_blocking = PR_FALSE;
- prStatus = PR_SetSocketOption(listen_sock, &opt);
- if (prStatus < 0) {
- PR_Close(listen_sock);
- errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
---- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
-+++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
- PRFileDesc *listen_sock;
- int listenQueueDepth = 5 + (2 * maxThreads);
- PRStatus prStatus;
- PRNetAddr addr;
- PRSocketOptionData opt;
-
-- addr.inet.family = PR_AF_INET;
-- addr.inet.ip = PR_INADDR_ANY;
-- addr.inet.port = PR_htons(port);
-+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+ errExit("PR_SetNetAddr");
-+ }
-
-- listen_sock = PR_NewTCPSocket();
-+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
- if (listen_sock == NULL) {
-- errExit("PR_NewTCPSocket");
-+ errExit("PR_OpenTCPSocket error");
- }
-
- opt.option = PR_SockOpt_Nonblocking;
- opt.value.non_blocking = PR_FALSE;
- prStatus = PR_SetSocketOption(listen_sock, &opt);
- if (prStatus < 0) {
- PR_Close(listen_sock);
- errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
diff --git a/nss-p11-kit.config b/nss-p11-kit.config
deleted file mode 100644
index 0ebf0735d89b1e535244e51f84974605db1f6936..0000000000000000000000000000000000000000
--- a/nss-p11-kit.config
+++ /dev/null
@@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-
diff --git a/nss-softokn-dracut-module-setup.sh b/nss-softokn-dracut-module-setup.sh
deleted file mode 100644
index 010ec18ab271219237fe936b543b255a2c9c66f8..0000000000000000000000000000000000000000
--- a/nss-softokn-dracut-module-setup.sh
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
- return 255
-}
-
-depends() {
- return 0
-}
-
-install() {
- local _dir
-
- inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
- libfreebl3.so
-}
diff --git a/nss-softokn-dracut.conf b/nss-softokn-dracut.conf
deleted file mode 100644
index 2d9232e0241382bfe16def3cefd5d68631c4229b..0000000000000000000000000000000000000000
--- a/nss-softokn-dracut.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "
diff --git a/nss-softokn-prelink.conf b/nss-softokn-prelink.conf
deleted file mode 100644
index 1f7b4058199283d727d64c06f25295ec96489d9e..0000000000000000000000000000000000000000
--- a/nss-softokn-prelink.conf
+++ /dev/null
@@ -1,8 +0,0 @@
--b /lib{,64}/libfreeblpriv3.so
--b /lib{,64}/libfreebl3.so
--b /lib{,64}/libsoftokn3.so
--b /lib{,64}/libnssdbm3.so
--b /usr/lib{,64}/libfreeblpriv3.so
--b /usr/lib{,64}/libfreebl3.so
--b /usr/lib{,64}/libsoftokn3.so
--b /usr/lib{,64}/libnssdbm3.so
diff --git a/nss-tests-paypal-certs-v2.patch b/nss-tests-paypal-certs-v2.patch
deleted file mode 100644
index 8f37f8c3719d23f0789dff2f289d8245a33dc578..0000000000000000000000000000000000000000
--- a/nss-tests-paypal-certs-v2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno
-# Date 1541595734 -3600
-# Wed Nov 07 14:02:14 2018 +0100
-# Node ID 19fd907784e38a5febb54588353368af91b12551
-# Parent 3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
-Bug 1505317, update PayPal test certs
-
-diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
---- a/tests/chains/scenarios/realcerts.cfg
-+++ b/tests/chains/scenarios/realcerts.cfg
-@@ -21,7 +21,7 @@ verify TestUser51:x
- result pass
-
- verify PayPalEE:x
-- policy OID.2.16.840.1.114412.1.1
-+ policy OID.2.16.840.1.114412.2.1
- result pass
-
- verify BrAirWaysBadSig:x
-diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
---- a/tests/libpkix/vfychain_test.lst
-+++ b/tests/libpkix/vfychain_test.lst
-@@ -1,4 +1,4 @@
- # Status | Leaf Cert | Policies | Others(undef)
- 0 TestUser50 undef
- 0 TestUser51 undef
--0 PayPalEE OID.2.16.840.1.114412.1.1
-+0 PayPalEE OID.2.16.840.1.114412.2.1
diff --git a/nss.spec b/nss.spec
index 4b538d426bd50eb500da37d6adc2839d2465b721..e339e4f5ff527219c793f00972f7becf4b2767aa 100644
--- a/nss.spec
+++ b/nss.spec
@@ -10,7 +10,7 @@
 Summary: Network Security Services
 Name: nss
 Version: %{nss_version}
-Release: 6
+Release: 7
 License: MPLv2.0
 URL: http://www.mozilla.org/projects/security/pki/nss/
 Provides: nss-system-init
@@ -26,9 +26,6 @@ Source1: nss-util.pc
 Source2: nss-util-config
 Source3: nss-softokn.pc
 Source4: nss-softokn-config
-Source5: nss-softokn-prelink.conf
-Source6: nss-softokn-dracut-module-setup.sh
-Source7: nss-softokn-dracut.conf
 Source8: nss.pc
 Source9: nss-config
 Source10: blank-cert8.db
@@ -36,24 +33,6 @@ Source11: blank-key3.db Source12: blank-secmod.db Source13: blank-cert9.db Source14: blank-key4.db -Source15: system-pkcs11.txt -Source16: setup-nsssysinit.sh -Source28: nss-p11-kit.config -Source29: PayPalICA.cert -Source30: PayPalEE.cert - -Patch1: renegotiate-transitional.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 -Patch2: nss-539183.patch -# This patch uses the GCC -iquote option documented at -# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options -# to give the in-tree headers a higher priority over the system headers, -# when they are included through the quote form (#include "file.h"). -Patch3: iquote.patch -# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1185708 -Patch4: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch -# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317 -Patch5: nss-tests-paypal-certs-v2.patch Patch9000: Bug-1412829-reject-empty-supported_signature_algorit.patch Patch9001: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch @@ -140,16 +119,10 @@ Help document for NSS %prep %setup -q -n %{name}-%{nss_version} -%patch1 -p0 -b .transitional -%patch2 -p0 -b .539183 -%patch3 -p0 -b .iquote -%patch4 -p0 -b .1185708_3des pushd nss -%patch5 -p1 -b .paypal-certs %patch9000 -p1 %patch9001 -p1 %patch9002 -p1 -cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs popd %build @@ -215,7 +188,7 @@ cp ./nss/doc/nroff/* ./dist/docs/nroff # Set up our package files mkdir -p ./dist/pkgconfig -for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE16}; do +for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9}; do cp ${m} ./dist/pkgconfig chmod 755 ./dist/pkgconfig/* done 
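Review bot: Dropping `%patch1` and `%patch4` from %prep changes the TLS defaults of the shipped library, and the new changelog entry ("simplify functions") does not say so. Per the patch files deleted in this same commit, renegotiate-transitional.patch switched `.enableRenegotiation` from `SSL_RENEGOTIATE_REQUIRES_XTN` to `SSL_RENEGOTIATE_TRANSITIONAL`, and the rhbz1185708 patch flipped a flag from `PR_FALSE` to `PR_TRUE` on the two ECDHE 3DES suites (presumably the enabled-by-default flag, going by the patch name), so without them the build keeps the stricter values. That is a reasonable direction, but peers that depended on the old defaults may behave differently, so the changelog should record it, e.g. `- drop renegotiate-transitional and rhbz1185708 patches; renegotiation and ECDHE-3DES defaults now follow upstream`.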
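Review bot: The `for m in` loop no longer copies `%{SOURCE16}` (setup-nsssysinit.sh), and later hunks drop the script from %install and %files, yet the line `/usr/bin/setup-nsssysinit.sh on` survives as unchanged context in the hunk at -402,7. If that line is part of a scriptlet, which the hunk does not show, it would call a script this package no longer ships and either fail or run a stale copy left by an older release. Remove that invocation in the same commit. Since `pkcs11.txt` is no longer installed while `libnsssysinit.so` is still packaged, also confirm how the system module database is meant to be configured after this change.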
@@ -328,9 +301,6 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb -install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/ -install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh -install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf # Install the empty NSS db files # Legacy db install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db @@ -339,7 +309,6 @@ install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db # Shared db install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db -install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt # Copy the binary libraries we want for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so @@ -390,10 +359,6 @@ install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkg install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config -# Copy the pkcs #11 configuration script -install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh -# install a symbolic link to it, without the ".sh" suffix, -ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit # Copy the man pages for the nss tools for f in "%{allTools}"; do 
@@ -402,7 +367,6 @@ done install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 # Copy the crypto-policies configuration file -install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d /usr/bin/setup-nsssysinit.sh on $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so @@ -424,11 +388,7 @@ update-crypto-policies %{_libdir}/libsmime3.so %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/* -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config %{_libdir}/libnsssysinit.so -%{_bindir}/setup-nsssysinit.sh -# symbolic link to setup-nsssysinit.sh -%{_bindir}/setup-nsssysinit %files devel %{_libdir}/libcrmf.a @@ -539,11 +499,6 @@ update-crypto-policies %{_libdir}/libfreebl3.chk %{_libdir}/libfreeblpriv3.so %{_libdir}/libfreeblpriv3.chk -%dir %{_sysconfdir}/prelink.conf.d/ -%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf -%dir %{dracut_modules_dir} -%{dracut_modules_dir}/module-setup.sh -%{dracut_conf_dir}/50-nss-softokn.conf %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %{_libdir}/libsoftokn3.so @@ -576,6 +531,9 @@ update-crypto-policies %doc %{_mandir}/man* %changelog +* Sat Jan 11 2020 openEuler Buildteam - 3.40.1-7 +- simplify functions + * Tue Dec 31 2019 openEuler Buildteam - 3.40.1-6 - delete unused man diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch deleted file mode 100644 index d3aa3bd9173210b5c18eab42fc950f1b329a6cc3..0000000000000000000000000000000000000000 --- a/renegotiate-transitional.patch +++ /dev/null 
@@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
-+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
-@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
- .noLocks = PR_FALSE,
- .enableSessionTickets = PR_FALSE,
- .enableDeflate = PR_FALSE,
-- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
-+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
- .requireSafeNegotiation = PR_FALSE,
- .enableFalseStart = PR_FALSE,
- .cbcRandomIV = PR_TRUE,
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
deleted file mode 100644
index 455c747c0000bb2fbd5b21a31173eadf4b244e72..0000000000000000000000000000000000000000
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
-+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh
deleted file mode 100644
index 8e1f5f7dc474cf877986364d368c7ba9b80391e5..0000000000000000000000000000000000000000
--- a/setup-nsssysinit.sh
+++ /dev/null
@@ -1,68 +0,0 @@ -#!/bin/sh -# -# Turns on or off the nss-sysinit module db by editing the -# global PKCS #11 congiguration file. Displays the status. -# -# This script can be invoked by the user as super user. -# It is invoked at nss-sysinit post install time with argument on. -# -usage() -{ - cat <&2 -fi - -# the system-wide configuration file -p11conf="/etc/pki/nssdb/pkcs11.txt" -# must exist, otherwise report it and exit with failure -if [ ! -f $p11conf ]; then - echo "Could not find ${p11conf}" - exit 1 -fi - -# check if nsssysinit is currently enabled or disabled -sysinit_enabled() -{ - grep -q '^library=libnsssysinit' ${p11conf} -} - -umask 022 -case "$1" in - on | ON ) - if sysinit_enabled; then - exit 0 - fi - cat ${p11conf} | \ - sed -e 's/^library=$/library=libnsssysinit.so/' \ - -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ - ${p11conf}.on - mv ${p11conf}.on ${p11conf} - ;; - off | OFF ) - if ! sysinit_enabled; then - exit 0 - fi - cat ${p11conf} | \ - sed -e 's/^library=libnsssysinit.so/library=/' \ - -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ - ${p11conf}.off - mv ${p11conf}.off ${p11conf} - ;; - status ) - echo -n 'NSS sysinit is ' - sysinit_enabled && echo 'enabled' || echo 'disabled' - ;; - * ) - usage 1 1>&2 - ;; -esac diff --git a/system-pkcs11.txt b/system-pkcs11.txt deleted file mode 100644 index c2f5704fae6494999f67e8db7578282ec2d43f18..0000000000000000000000000000000000000000 --- a/system-pkcs11.txt +++ /dev/null @@ -1,5 +0,0 @@ -library=libnsssysinit.so -name=NSS Internal PKCS #11 Module -parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) -