From b927a8f31804f4bc280dbd254392ba2c5a5b6327 Mon Sep 17 00:00:00 2001
From: Britney Fransen <brfransen@gmail.com>
Date: Mon, 21 Sep 2015 16:41:37 +0000
Subject: nss: update to 3.20

---
 abs/extra/nss/PKGBUILD                           | 30 ++++++++++++------------
 abs/extra/nss/certdata2pem.py                    |  1 +
 abs/extra/nss/legacy-certs.patch                 | 26 ++++++++++++++++++++
 abs/extra/nss/nss.install                        | 13 ++++++++++
 abs/extra/nss/ssl-renegotiate-transitional.patch | 21 -----------------
 5 files changed, 55 insertions(+), 36 deletions(-)
 create mode 100644 abs/extra/nss/legacy-certs.patch
 create mode 100644 abs/extra/nss/nss.install
 delete mode 100644 abs/extra/nss/ssl-renegotiate-transitional.patch

diff --git a/abs/extra/nss/PKGBUILD b/abs/extra/nss/PKGBUILD
index 7a06cec..4bf9a60 100644
--- a/abs/extra/nss/PKGBUILD
+++ b/abs/extra/nss/PKGBUILD
@@ -3,36 +3,34 @@
 
 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
-pkgver=3.17
-pkgrel=4
+pkgver=3.20
+pkgrel=1
 pkgdesc="Mozilla Network Security Services"
 arch=(i686 x86_64)
 url="http://www.mozilla.org/projects/security/pki/nss/"
 license=('MPL' 'GPL')
-_nsprver=4.10.7
+_nsprver=4.10.8
 depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh' 'p11-kit')
 makedepends=('perl' 'python2')
 options=('!strip' '!makeflags' 'staticlibs')
-source=("ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
-        certdata2pem.py
-        bundle.sh
-        nss.pc.in
-        nss-config.in
-        ssl-renegotiate-transitional.patch)
-sha256sums=('3b1abcd8f89211dda2cc739bfa76552d080f7ea80482ef2727b006548a7f0c81'
-            'af13c30801a8a27623948206458432a4cf98061b75ff6e5b5e03912f93c034ee'
+source=("https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
+        certdata2pem.py bundle.sh nss.pc.in nss-config.in legacy-certs.patch)
+sha256sums=('5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c'
+            '2a2ff9131c21fa3b23ad7c7a2f069eabc783e56c6eb05419ac5f365f48dea0fc'
             '045f520403f715a4cc7f3607b4e2c9bcc88fee5bce58d462fddaa2fdb0e4c180'
             'b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd'
             'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9'
-            '12df04bccbf674db1eef7a519a28987927b5e9c107b1dc386686f05e64f49a97')
+            '22330fcde2dac5fa4733f7d77bffbbd31d91cbaa338738afdc2a8ebfccb61184')
 
 prepare() {
   mkdir certs
 
   cd nss-$pkgver
 
-  # Adds transitional SSL renegotiate support - patch from Debian
-  patch -Np3 -i ../ssl-renegotiate-transitional.patch
+  # FS#45479: Reenable two weak Verisign certificates used by login.live.com
+  # Otherwise, accessing this site via Epiphany (GnuTLS) or Skype (OpenSSL) fails
+  # Also see https://gist.github.com/grawity/15eabf67191e17080241
+  patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch
 
   # Respect LDFLAGS
   sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \
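Review bot: The new `patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch` call widens the trust store, re-enabling server-auth and code-signing trust for two roots upstream had demoted to CKT_NSS_MUST_VERIFY_TRUST, and it runs with GNU patch's default fuzz, so on a future certdata.txt bump the hunks (whose only cert-specific context is the serial-number bytes) could apply with fuzz to a different certificate at a nearby offset; use `patch --fuzz=0 nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch` so a mismatch fails the build instead. The comment cites only a login.live.com TLS failure, yet the patch also flips CKA_TRUST_CODE_SIGNING; if only server auth is needed, drop the code-signing lines from legacy-certs.patch. The comment should also name the two roots (the patch identifies them only by serial bytes) and state when the exception can be retired, e.g. `# Re-trusts the two roots below by label; remove once login.live.com no longer chains to them`. Since package_nss() replaces libnssckbi.so with the p11-kit trust module, this patch presumably only reaches consumers through the ca-certificates-mozilla output — worth saying so here. prepare() continues past the end of this hunk.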
@@ -66,6 +64,8 @@ build() {
 }
 
 package_nss() {
+  install=nss.install
+
   cd nss-$pkgver
   install -d "$pkgdir"/usr/{bin,include/nss,lib/pkgconfig}
 
@@ -105,7 +105,7 @@ package_nss() {
   install -t "$pkgdir/usr/include/nss" -m644 *.h
 
   rm "$pkgdir/usr/lib/libnssckbi.so"
-  ln -s pkcs11/p11-kit-trust.so "$pkgdir/usr/lib/libnssckbi.so"
+  ln -s libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
 }
 
 package_ca-certificates-mozilla() {
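Review bot: The symlink now targets `libnssckbi-p11-kit.so`, a file this package does not install, so it resolves only if the installed p11-kit ships /usr/lib/libnssckbi-p11-kit.so; the `'p11-kit'` entry in `depends` carries no version bound, so an older p11-kit would leave NSS applications with a dangling builtin-roots module and no trust anchors at all. Pin it, e.g. `'p11-kit>=<first release shipping libnssckbi-p11-kit.so>'` — the exact version is not visible in the diff. A comment on the `ln -s` line naming the provider, `# provided by p11-kit; replaces NSS's own builtin root store`, would make the dependency explicit for the next bump.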
diff --git a/abs/extra/nss/certdata2pem.py b/abs/extra/nss/certdata2pem.py
index 175de1a..021772a 100644
--- a/abs/extra/nss/certdata2pem.py
+++ b/abs/extra/nss/certdata2pem.py
@@ -196,4 +196,5 @@ for tobj in objects:
             if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
               f.write("x-distrusted: true\n")
             f.write("\n\n")
+        f.close()
         print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
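Review bot: The added `f.close()` at loop-body level closes the handle only on the normal path; if one of the `f.write` calls above raises, the file stays open and a partially written trust file can be left behind. Since the `open()` that creates `f` is outside this hunk, the better fix is to wrap the writes there in `with open(fname, 'w') as f:` and drop the explicit close. The `print` on the last line can stay after the block.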
diff --git a/abs/extra/nss/legacy-certs.patch b/abs/extra/nss/legacy-certs.patch
new file mode 100644
index 0000000..863cef9
--- /dev/null
+++ b/abs/extra/nss/legacy-certs.patch
@@ -0,0 +1,26 @@
+--- certdata.txt	2015-06-27 23:31:01.419795911 +0200
++++ certdata-legacy-less.txt	2015-06-27 23:57:47.106199639 +0200
+@@ -577,9 +577,9 @@
+ \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
+ \272\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
+@@ -17186,9 +17186,9 @@
+ \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
+ \022\276
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+ 
+ #
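Review bot: The patch carries no header saying which two roots it re-trusts; the context lines show only serial-number bytes and offsets 577 and 17186 into one specific certdata.txt, so a reader cannot tell what trust is being widened without decoding the serials. Add a free-text line before the first `---` (patch ignores text ahead of the file header) naming the two CKA_LABELs and the bug, e.g. `Re-enable server-auth/code-signing trust for <label 1> and <label 2> (FS#45479); drop once login.live.com no longer chains to them.` Flipping CKA_TRUST_CODE_SIGNING in both hunks is broader than the stated TLS use case; if only server auth is needed, leave those lines at CKT_NSS_MUST_VERIFY_TRUST.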
diff --git a/abs/extra/nss/nss.install b/abs/extra/nss/nss.install
new file mode 100644
index 0000000..24f9ec6
--- /dev/null
+++ b/abs/extra/nss/nss.install
@@ -0,0 +1,13 @@
+post_upgrade() {
+  if (($(vercmp $2 3.18-3) < 0)); then
+    # This symlink was created by ldconfig because we linked to
+    # pkcs11/p11-kit-trust.so from libnssckbi.so; the chain was:
+    #   p11-kit-trust.so -> libnssckbi.so -> pkcs11/p11-kit-trust.so
+    # Now we have:
+    #   libnssckbi.so -> libnssckbi-p11-kit.so
+    # which no longer creates an incorrect p11-kit-trust.so symlink
+    if [[ $(readlink usr/lib/p11-kit-trust.so) == libnssckbi.so ]]; then
+      rm usr/lib/p11-kit-trust.so
+    fi
+  fi
+}
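Review bot: The cleanup relies on relative paths (`usr/lib/p11-kit-trust.so`) that only resolve if the scriptlet runs from the install root, which pacman presumably guarantees but the script does not say; add `# paths are relative to the install root (/)` above the `readlink`. `$2` is also unquoted inside `$(vercmp $2 3.18-3)`; post_upgrade always receives an old version so it is harmless here, but `"$2"` is the safer form.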
diff --git a/abs/extra/nss/ssl-renegotiate-transitional.patch b/abs/extra/nss/ssl-renegotiate-transitional.patch
deleted file mode 100644
index f457c55..0000000
--- a/abs/extra/nss/ssl-renegotiate-transitional.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Enable transitional scheme for ssl renegotiation:
-
-(from mozilla/security/nss/lib/ssl/ssl.h)
-Disallow unsafe renegotiation in server sockets only, but allow clients
-to continue to renegotiate with vulnerable servers.
-This value should only be used during the transition period when few
-servers have been upgraded.
-
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index f1d1921..c074360 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
-     PR_FALSE,   /* noLocks            */
-     PR_FALSE,   /* enableSessionTickets */
-     PR_FALSE,   /* enableDeflate      */
--    2,          /* enableRenegotiation (default: requires extension) */
-+    3,          /* enableRenegotiation (default: transitional) */
-     PR_FALSE,   /* requireSafeNegotiation */
- };
- 
-- 