From b927a8f31804f4bc280dbd254392ba2c5a5b6327 Mon Sep 17 00:00:00 2001
From: Britney Fransen
Date: Mon, 21 Sep 2015 16:41:37 +0000
Subject: nss: update to 3.20
---
abs/extra/nss/PKGBUILD | 30 ++++++++++++------------
abs/extra/nss/certdata2pem.py | 1 +
abs/extra/nss/legacy-certs.patch | 26 ++++++++++++++++++++
abs/extra/nss/nss.install | 13 ++++++++++
abs/extra/nss/ssl-renegotiate-transitional.patch | 21 -----------------
5 files changed, 55 insertions(+), 36 deletions(-)
create mode 100644 abs/extra/nss/legacy-certs.patch
create mode 100644 abs/extra/nss/nss.install
delete mode 100644 abs/extra/nss/ssl-renegotiate-transitional.patch
diff --git a/abs/extra/nss/PKGBUILD b/abs/extra/nss/PKGBUILD
index 7a06cec..4bf9a60 100644
--- a/abs/extra/nss/PKGBUILD
+++ b/abs/extra/nss/PKGBUILD
@@ -3,36 +3,34 @@
pkgbase=nss
pkgname=(nss ca-certificates-mozilla)
-pkgver=3.17
-pkgrel=4
+pkgver=3.20
+pkgrel=1
pkgdesc="Mozilla Network Security Services"
arch=(i686 x86_64)
url="http://www.mozilla.org/projects/security/pki/nss/"
license=('MPL' 'GPL')
-_nsprver=4.10.7
+_nsprver=4.10.8
depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh' 'p11-kit')
makedepends=('perl' 'python2')
options=('!strip' '!makeflags' 'staticlibs')
-source=("ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
- certdata2pem.py
- bundle.sh
- nss.pc.in
- nss-config.in
- ssl-renegotiate-transitional.patch)
-sha256sums=('3b1abcd8f89211dda2cc739bfa76552d080f7ea80482ef2727b006548a7f0c81'
- 'af13c30801a8a27623948206458432a4cf98061b75ff6e5b5e03912f93c034ee'
+source=("https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${pkgver//./_}_RTM/src/${pkgbase}-${pkgver}.tar.gz"
+ certdata2pem.py bundle.sh nss.pc.in nss-config.in legacy-certs.patch)
+sha256sums=('5e38d4b9837ca338af966b97fc91c07f67ad647fb38dc4af3cfd0d84e477d15c'
+ '2a2ff9131c21fa3b23ad7c7a2f069eabc783e56c6eb05419ac5f365f48dea0fc'
'045f520403f715a4cc7f3607b4e2c9bcc88fee5bce58d462fddaa2fdb0e4c180'
'b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd'
'e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9'
- '12df04bccbf674db1eef7a519a28987927b5e9c107b1dc386686f05e64f49a97')
+ '22330fcde2dac5fa4733f7d77bffbbd31d91cbaa338738afdc2a8ebfccb61184')
prepare() {
mkdir certs
cd nss-$pkgver
- # Adds transitional SSL renegotiate support - patch from Debian
- patch -Np3 -i ../ssl-renegotiate-transitional.patch
+ # FS#45479: Reenable two weak Verisign certificates used by login.live.com
+ # Otherwise, accessing this site via Epiphany (GnuTLS) or Skype (OpenSSL) fails
+ # Also see https://gist.github.com/grawity/15eabf67191e17080241
+ patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch
# Respect LDFLAGS
sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \
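Review bot: The `patch nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch` line applies a trust-store change with GNU patch's default fuzz factor of 2, and legacy-certs.patch identifies its two certificate entries only through hunk context (the serial-number bytes, `END`, and the `CKA_TRUST_STEP_UP_APPROVED` line). Once fuzz discards the outer context lines, what remains matches the trust block of any entry with the same MUST_VERIFY_TRUST/TRUSTED_DELEGATOR pattern, so a layout shift in a future certdata.txt could re-trust a different distrusted root instead of failing the build; `patch --fuzz=0 nss/lib/ckfw/builtins/certdata.txt ../legacy-certs.patch` makes the hunks require their full context and fail loudly. The same patched certdata.txt presumably also feeds certdata2pem.py for the ca-certificates-mozilla split package, so the comment should say that the widened trust reaches that package too and when the patch is to be dropped, e.g. `# Remove once login.live.com serves a chain that validates without these roots`. The body of `prepare()` continues past the end of this hunk.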
@@ -66,6 +64,8 @@ build() {
}
package_nss() {
+ install=nss.install
+
cd nss-$pkgver
install -d "$pkgdir"/usr/{bin,include/nss,lib/pkgconfig}
@@ -105,7 +105,7 @@ package_nss() {
install -t "$pkgdir/usr/include/nss" -m644 *.h
rm "$pkgdir/usr/lib/libnssckbi.so"
- ln -s pkcs11/p11-kit-trust.so "$pkgdir/usr/lib/libnssckbi.so"
+ ln -s libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
}
package_ca-certificates-mozilla() {
diff --git a/abs/extra/nss/certdata2pem.py b/abs/extra/nss/certdata2pem.py
index 175de1a..021772a 100644
--- a/abs/extra/nss/certdata2pem.py
+++ b/abs/extra/nss/certdata2pem.py
@@ -196,4 +196,5 @@ for tobj in objects:
if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
f.write("x-distrusted: true\n")
f.write("\n\n")
+ f.close()
print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
diff --git a/abs/extra/nss/legacy-certs.patch b/abs/extra/nss/legacy-certs.patch
new file mode 100644
index 0000000..863cef9
--- /dev/null
+++ b/abs/extra/nss/legacy-certs.patch
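Review bot: `ln -s libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"` points at a file this package does not build, so the link dangles unless the installed p11-kit provides `libnssckbi-p11-kit.so`, while `depends` (first hunk, unchanged) still lists `'p11-kit'` with no version bound. Recording the contract as `depends=("nspr>=${_nsprver}" 'sqlite' 'zlib' 'sh' 'p11-kit>=<first release shipping libnssckbi-p11-kit.so>')` makes the requirement explicit; the diff does not show which p11-kit release introduced the file. With a dangling `libnssckbi.so`, NSS presumably cannot load its builtin root module, so certificate verification in NSS consumers would fail until p11-kit is upgraded, which is exactly the breakage a versioned dependency prevents.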
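Review bot: `f.close()` runs only on the normal path; if one of the preceding `f.write` calls raises, the handle stays open and a partially written certificate file is left behind with no indication in the output. The idiomatic fix is to open the file in a `with open(...) as f:` block that encloses all the writes, which closes it on both normal and exception exit; the `open` call and the start of the `for tobj in objects:` loop are outside this hunk, so that change touches lines not shown here.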
@@ -0,0 +1,26 @@
+--- certdata.txt 2015-06-27 23:31:01.419795911 +0200
++++ certdata-legacy-less.txt 2015-06-27 23:57:47.106199639 +0200
+@@ -577,9 +577,9 @@
+ \002\020\160\272\344\035\020\331\051\064\266\070\312\173\003\314
+ \272\277
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
+@@ -17186,9 +17186,9 @@
+ \002\020\074\221\061\313\037\366\320\033\016\232\270\320\104\277
+ \022\276
+ END
+-CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+-CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
++CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
+ CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
+
+ #
diff --git a/abs/extra/nss/nss.install b/abs/extra/nss/nss.install
new file mode 100644
index 0000000..24f9ec6
--- /dev/null
+++ b/abs/extra/nss/nss.install
@@ -0,0 +1,13 @@
+post_upgrade() {
+ if (($(vercmp $2 3.18-3) < 0)); then
+ # This symlink was created by ldconfig because we linked to
+ # pkcs11/p11-kit-trust.so from libnssckbi.so; the chain was:
+ # p11-kit-trust.so -> libnssckbi.so -> pkcs11/p11-kit-trust.so
+ # Now we have:
+ # libnssckbi.so -> libnssckbi-p11-kit.so
+ # which no longer creates an incorrect p11-kit-trust.so symlink
+ if [[ $(readlink usr/lib/p11-kit-trust.so) == libnssckbi.so ]]; then
+ rm usr/lib/p11-kit-trust.so
+ fi
+ fi
+}
diff --git a/abs/extra/nss/ssl-renegotiate-transitional.patch b/abs/extra/nss/ssl-renegotiate-transitional.patch
deleted file mode 100644
index f457c55..0000000
--- a/abs/extra/nss/ssl-renegotiate-transitional.patch
+++ /dev/null
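Review bot: Both hunks re-enable more trust than the stated need: the PKGBUILD justifies the patch by TLS access to login.live.com, which only involves `CKA_TRUST_SERVER_AUTH`, yet the patch also flips `CKA_TRUST_CODE_SIGNING` to `CKT_NSS_TRUSTED_DELEGATOR` for both roots. Turning those two pairs back into unchanged context lines (`CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST`, in both hunks) limits the change to server authentication and keeps each hunk's line counts at 9/9, so the `@@` headers stay valid. The two entries are identified only by the serial-number bytes in the hunk context, and nothing in the file says which certificates they are; since `patch` skips text before the first `---` header, a leading line such as `Re-trusts two weak VeriSign roots (<certificate names here>) for server auth only; see FS#45479, drop when no longer needed` would document what is being re-trusted and why.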
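Review bot: `$2` is expanded unquoted in `if (($(vercmp $2 3.18-3) < 0)); then`; pacman supplies the previous version there, so it works today, but `if (($(vercmp "$2" 3.18-3) < 0)); then` always hands `vercmp` an explicit argument, whereas the unquoted form would drop it entirely if it were ever empty and leave the `(( ))` test without an operand. The `readlink` guard is the right shape: it removes `usr/lib/p11-kit-trust.so` only when it is the stale link pointing at `libnssckbi.so` and leaves a genuine p11-kit file alone.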
@@ -1,21 +0,0 @@
-Enable transitional scheme for ssl renegotiation:
-
-(from mozilla/security/nss/lib/ssl/ssl.h)
-Disallow unsafe renegotiation in server sockets only, but allow clients
-to continue to renegotiate with vulnerable servers.
-This value should only be used during the transition period when few
-servers have been upgraded.
-
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index f1d1921..c074360 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
- PR_FALSE, /* noLocks */
- PR_FALSE, /* enableSessionTickets */
- PR_FALSE, /* enableDeflate */
-- 2, /* enableRenegotiation (default: requires extension) */
-+ 3, /* enableRenegotiation (default: transitional) */
- PR_FALSE, /* requireSafeNegotiation */
- };
-
-- cgit v0.12