From 8e90a34467324d5d30254b961b54855eb681fa0e Mon Sep 17 00:00:00 2001
From: guoxiaoqi
Date: Sat, 11 Jan 2020 17:06:30 +0800
Subject: [PATCH] simplify functions
---
 PayPalEE.cert | Bin 2012 -> 0 bytes
 PayPalICA.cert | Bin 1210 -> 0 bytes
 iquote.patch | 13 ----
 nss-539183.patch | 62 ----------------
 nss-p11-kit.config | 4 --
 nss-softokn-dracut-module-setup.sh | 18 -----
 nss-softokn-dracut.conf | 3 -
 nss-softokn-prelink.conf | 8 ---
 nss-tests-paypal-certs-v2.patch | 29 --------
 nss.spec | 52 ++------------
 renegotiate-transitional.patch | 12 ----
 ...8-enable-ecc-3des-ciphers-by-default.patch | 23 ------
 setup-nsssysinit.sh | 68 ------------------
 system-pkcs11.txt | 5 --
 14 files changed, 5 insertions(+), 292 deletions(-)
 delete mode 100644 PayPalEE.cert
 delete mode 100644 PayPalICA.cert
 delete mode 100644 iquote.patch
 delete mode 100644 nss-539183.patch
 delete mode 100644 nss-p11-kit.config
 delete mode 100644 nss-softokn-dracut-module-setup.sh
 delete mode 100644 nss-softokn-dracut.conf
 delete mode 100644 nss-softokn-prelink.conf
 delete mode 100644 nss-tests-paypal-certs-v2.patch
 delete mode 100644 renegotiate-transitional.patch
 delete mode 100644 rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 delete mode 100644 setup-nsssysinit.sh
 delete mode 100644 system-pkcs11.txt
diff --git a/PayPalEE.cert b/PayPalEE.cert deleted file mode 100644 index aef4086762a88dd5d7df06a7f4e23ea2f502c83c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2012 zcma)7c~BE)6yMz}3j_$n4H6M#6-4Fy5+UM+a*9wWg5WuYkgOq@n1mz{5wsEnuX>b2 z@j|GmpaWh=Wx#r&SQW$ziwDYhR4WzH3W%cJMbTjY>CR*}@4erJTqX5F=9{*M`EIR)&Qpk zCT<=ml}H0fwU(Hv5b=fq8(M9KTj_K<4>4sDQ6>+Oaxu>f@M#kRcm3iK9pc9)f|h7W zg_sl*u|m02EYwPs3L=_Rr;utQzz>YDvEcatAIiJ`nQvpk2bAc;qh0{a2N`#H_Fy<2 z*wUO6sg|Y)wIuPqS|U_Pm-ffv;ed^qxneL1>nBV>U`BuWbe#rD1UCsJhesJM0ycsede{=8 z^h`t#!%$;!?}K6MZmpkHe=}iaCSHB3t0DKC>Z)`e!?ki9#EGoZZ96jM9e!vVGoV=IUx_Qs0imL^>gso@y9}9UH;B<1{=}!K4Tkc~g(xMWr91_!it|)0a z(;b$b$=x%zrm^bBt`64Heev8)`-j*XwR^Ky{^@kMu;JIkxusQTVYtn)rxmvzZ9h8o zbh%i>K0nV|hRG{-xeDrgWaYqRx+v$3CiGQwB0q{%?4A|3wMd+mu*24ld2{Uvw=v~) zefz7zPo^OZ7=m}}8NEQy=mHMZ5bYgNE*QFkGxd7pp5~(R7q3I(ndJ46H+p)SErC4^ zV4*`%PR*nzrQ@K2mHgC3-Aj0J95Yo^4Knu7b~c)^6J%`Df3pkykVL6Qt5l~N>_=~| z9VCeiB@2W-$ao6-;Kz9k>gTnmR%j^Gmh0$pVG!XcM37Bbob_kr^Cr4o50>%y$hrmPa=vp*X zG2aq~XFy~$Fvg4|8RjqyGFA`xz%ZH)mI9{%8Nk`x&;2Mx8r7i6K-3o$k{vwIwUFi{ z%^;xX04LFuG{8t-3F#9b1^7|Z&;oP1FPxq}0_dB#9Aoy=OLHoMBB&l#P(K-*2Ka%VEbdxC5KK<02uOz@lmUf+U}Pk8sU^=P zewy;&EBO5#_bdLH7BNAQUflB!1nL(hLD+gz3X;on5X=y~cc|^0t@EE;zOy*lzu+JL zz*24Jic0%;e+NOyP%H=A=6UN(`}H?%CjyW7)(59l*KTDmJk^m`5YxP->E7qWE&Yju zK_Eh?JR54bSx5O#yloqOx3tDz-Z16Bg;u}u*jZx1+sN9sdG@gocsKQH{T-o|6BXSkV9e$9f5 zg&d!s+V?s-J4}`tw?>5du|K@%>(1NIwnK=_&cV@?+cFshn#EIbwre{9@l37`ka%d%s6Q~y3x*E;M!a-eSGtB zW=&J_shmp7To1zffjnw&Sx9VN(ABjvVeP{RCrMg!Nncy#$G692cP?W2ZEx})b(Fo+ qE}vG|SJCQVuejF*)!p3fg*ZFf21kzuGv^DsEzby736eZcT>2NRSRYHCB{F>mTflRW#iOp^Jx3d%gD&h%3zRV z$Zf#M#vIDRCd?EXY$$3V4B~JJ^SETDXF8`Al_+@TB^yc_h=YW=g$2sX%k@%#QprFm zz2y8{Lu~_1kQB495?qHzW_pH#V{vh5QDRvgSOR~{Tqfq>ovyxWvgZZMw>%p*FtmS6 z*Jx|)=}W$~XQP9~qsw34EM=A0VQY7Ernu1?iJo5{d6uOpww`7eFxe2)p)H>=`_jgK zp$(faJ@1g0e{WG95**)9X|E@>YK5G)Ht*`~$vaKA*NW_k^u8bHb!p)vo<|d!+OyWZ zx}I`vM(B&b>!kv6LiPxL`s?*+?(TZNFIV^ViFFEv-Z)Tb^6uLm-8VMk->luB*qUCV*#eSHUn7@UzJ77K!lA$n~jl`m7SRp&SEk!fw37G 
zSu_mP3{+rz1I9LqjFOT9D}DX^H(`(&VBX6BMQT zu-FGBMR-bd4Fjb^XGcAtdIMXKVG1l}2B0Lv0%S56Xc=h0+`+^sCId3O80Zl6B(Lur z5Df7kABz}^i0$QorPmg$efQZbfh+a0;*}piuJIelgG^UukuVTz5ZP#VIFtFues{(z zGt{IwnBFI+XdgySZoq5^Om2(}bGKcX(Dty6>Fv=4A53IQ4)&IvY2#Y)!K=&Zn*E8D zzH4hZ);`-7uw#*wZwLEEO~pIUZymEyeDGM%vtUh?EaQ?>f>zxMSK$dyb>- -# Date 1541595734 -3600 -# Wed Nov 07 14:02:14 2018 +0100 -# Node ID 19fd907784e38a5febb54588353368af91b12551 -# Parent 3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8 -Bug 1505317, update PayPal test certs - -diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg ---- a/tests/chains/scenarios/realcerts.cfg -+++ b/tests/chains/scenarios/realcerts.cfg -@@ -21,7 +21,7 @@ verify TestUser51:x - result pass - - verify PayPalEE:x -- policy OID.2.16.840.1.114412.1.1 -+ policy OID.2.16.840.1.114412.2.1 - result pass - - verify BrAirWaysBadSig:x -diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst ---- a/tests/libpkix/vfychain_test.lst -+++ b/tests/libpkix/vfychain_test.lst -@@ -1,4 +1,4 @@ - # Status | Leaf Cert | Policies | Others(undef) - 0 TestUser50 undef - 0 TestUser51 undef --0 PayPalEE OID.2.16.840.1.114412.1.1 -+0 PayPalEE OID.2.16.840.1.114412.2.1 diff --git a/nss.spec b/nss.spec index 4b538d4..e339e4f 100644 --- a/nss.spec +++ b/nss.spec @@ -10,7 +10,7 @@ Summary: Network Security Services Name: nss Version: %{nss_version} -Release: 6 +Release: 7 License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Provides: nss-system-init @@ -26,9 +26,6 @@ Source1: nss-util.pc Source2: nss-util-config Source3: nss-softokn.pc Source4: nss-softokn-config -Source5: nss-softokn-prelink.conf -Source6: nss-softokn-dracut-module-setup.sh -Source7: nss-softokn-dracut.conf Source8: nss.pc Source9: nss-config Source10: blank-cert8.db 
@@ -36,24 +33,6 @@ Source11: blank-key3.db
 Source12: blank-secmod.db
 Source13: blank-cert9.db
 Source14: blank-key4.db
-Source15: system-pkcs11.txt
-Source16: setup-nsssysinit.sh
-Source28: nss-p11-kit.config
-Source29: PayPalICA.cert
-Source30: PayPalEE.cert
-
-Patch1: renegotiate-transitional.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2: nss-539183.patch
-# This patch uses the GCC -iquote option documented at
-# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
-# to give the in-tree headers a higher priority over the system headers,
-# when they are included through the quote form (#include "file.h").
-Patch3: iquote.patch
-# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1185708
-Patch4: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
-Patch5: nss-tests-paypal-certs-v2.patch
 Patch9000: Bug-1412829-reject-empty-supported_signature_algorit.patch
 Patch9001: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
@@ -140,16 +119,10 @@ Help document for NSS
 %prep
 %setup -q -n %{name}-%{nss_version}
-%patch1 -p0 -b .transitional
-%patch2 -p0 -b .539183
-%patch3 -p0 -b .iquote
-%patch4 -p0 -b .1185708_3des
 pushd nss
-%patch5 -p1 -b .paypal-certs
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
-cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
 popd
 %build
@@ -215,7 +188,7 @@ cp ./nss/doc/nroff/* ./dist/docs/nroff
 # Set up our package files
 mkdir -p ./dist/pkgconfig
-for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE16}; do
+for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9}; do
 cp ${m} ./dist/pkgconfig
 chmod 755 ./dist/pkgconfig/*
 done
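Review bot: Nothing in the spec records that removing `Patch1` and `Patch4` here, together with their `%patch1` and `%patch4` lines in the `@@ -140,16 +119,10 @@` hunk, changes the TLS defaults of the built library. Judging by the two patch files deleted later in this commit, `enableRenegotiation` goes from `SSL_RENEGOTIATE_TRANSITIONAL` back to `SSL_RENEGOTIATE_REQUIRES_XTN`, and the two ECDHE 3DES suites return to disabled by default. Both are stricter settings, but applications that relied on the old defaults may start failing against legacy peers, so the change needs to be visible to whoever triages that. The changelog entry should say so, for example `- drop renegotiate-transitional and enable-ecc-3des patches; upstream TLS defaults now apply`, rather than only `- simplify functions`.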
@@ -328,9 +301,6 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
 # Install the empty NSS db files
 # Legacy db
 install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
@@ -339,7 +309,6 @@ install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
 # Shared db
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
@@ -390,10 +359,6 @@ install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkg
 install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
 install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
-# Copy the pkcs #11 configuration script
-install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
-# install a symbolic link to it, without the ".sh" suffix,
-ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
 # Copy the man pages for the nss tools
 for f in "%{allTools}"; do
@@ -402,7 +367,6 @@ done install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 # Copy the crypto-policies configuration file -install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d /usr/bin/setup-nsssysinit.sh on $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so @@ -424,11 +388,7 @@ update-crypto-policies %{_libdir}/libsmime3.so %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/* -%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config %{_libdir}/libnsssysinit.so -%{_bindir}/setup-nsssysinit.sh -# symbolic link to setup-nsssysinit.sh -%{_bindir}/setup-nsssysinit %files devel %{_libdir}/libcrmf.a @@ -539,11 +499,6 @@ update-crypto-policies %{_libdir}/libfreebl3.chk %{_libdir}/libfreeblpriv3.so %{_libdir}/libfreeblpriv3.chk -%dir %{_sysconfdir}/prelink.conf.d/ -%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf -%dir %{dracut_modules_dir} -%{dracut_modules_dir}/module-setup.sh -%{dracut_conf_dir}/50-nss-softokn.conf %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %{_libdir}/libsoftokn3.so @@ -576,6 +531,9 @@ update-crypto-policies %doc %{_mandir}/man* %changelog +* Sat Jan 11 2020 openEuler Buildteam - 3.40.1-7 +- simplify functions + * Tue Dec 31 2019 openEuler Buildteam - 3.40.1-6 - delete unused man diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch deleted file mode 100644 index d3aa3bd..0000000 --- a/renegotiate-transitional.patch +++ /dev/null 
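Review bot: The unchanged context at the end of the `@@ -402,7 +367,6 @@` hunk still appears to invoke `/usr/bin/setup-nsssysinit.sh on`, yet this commit removes that script from the sources, from %install and from %files. It also stops installing `/etc/pki/nssdb/pkcs11.txt`, which the deleted script treats as mandatory and exits with failure if it is missing. If that line is still executed (the section it belongs to starts outside the hunk), it now depends on a file the package no longer ships, so it should be dropped in the same change. `libnsssysinit.so` remains in the file list, so it is also worth confirming that nothing still expects the system database to load it through pkcs11.txt.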
@@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
---- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
-+++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
-@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
- .noLocks = PR_FALSE,
- .enableSessionTickets = PR_FALSE,
- .enableDeflate = PR_FALSE,
-- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
-+ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
- .requireSafeNegotiation = PR_FALSE,
- .enableFalseStart = PR_FALSE,
- .cbcRandomIV = PR_TRUE,
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
deleted file mode 100644
index 455c747..0000000
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ /dev/null
@@ -1,23 +0,0 @@
---- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
-+++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-
- { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
- { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh
deleted file mode 100644
index 8e1f5f7..0000000
--- a/setup-nsssysinit.sh
+++ /dev/null
@@ -1,68 +0,0 @@ -#!/bin/sh -# -# Turns on or off the nss-sysinit module db by editing the -# global PKCS #11 congiguration file. Displays the status. -# -# This script can be invoked by the user as super user. -# It is invoked at nss-sysinit post install time with argument on. -# -usage() -{ - cat <&2 -fi - -# the system-wide configuration file -p11conf="/etc/pki/nssdb/pkcs11.txt" -# must exist, otherwise report it and exit with failure -if [ ! -f $p11conf ]; then - echo "Could not find ${p11conf}" - exit 1 -fi - -# check if nsssysinit is currently enabled or disabled -sysinit_enabled() -{ - grep -q '^library=libnsssysinit' ${p11conf} -} - -umask 022 -case "$1" in - on | ON ) - if sysinit_enabled; then - exit 0 - fi - cat ${p11conf} | \ - sed -e 's/^library=$/library=libnsssysinit.so/' \ - -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ - ${p11conf}.on - mv ${p11conf}.on ${p11conf} - ;; - off | OFF ) - if ! sysinit_enabled; then - exit 0 - fi - cat ${p11conf} | \ - sed -e 's/^library=libnsssysinit.so/library=/' \ - -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ - ${p11conf}.off - mv ${p11conf}.off ${p11conf} - ;; - status ) - echo -n 'NSS sysinit is ' - sysinit_enabled && echo 'enabled' || echo 'disabled' - ;; - * ) - usage 1 1>&2 - ;; -esac diff --git a/system-pkcs11.txt b/system-pkcs11.txt deleted file mode 100644 index c2f5704..0000000 --- a/system-pkcs11.txt +++ /dev/null @@ -1,5 +0,0 @@ -library=libnsssysinit.so -name=NSS Internal PKCS #11 Module -parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' -NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) - -- Gitee