authorLeonardo Arena <rnalrd@alpinelinux.org>2013-12-03 11:03:06 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2013-12-03 11:03:06 +0000
commite96a0cf3d069a5942459132dc582f4d19bf4fa58 (patch)
treed85598cb697f935e48ab044c1fe8b5888a4aafa4 /main/nss
parent234a2993d2793d2e8466e5b940ef666e5c3217f1 (diff)
main/nss: security upgrade to 3.4.15. Fixes #2395
Diffstat (limited to 'main/nss')
-rw-r--r--main/nss/80_security_tools.patch26
-rw-r--r--main/nss/85_security_load.patch80
-rw-r--r--main/nss/95_add_spi+cacert_ca_certs.patch (renamed from main/nss/add_spi+cacert_ca_certs.patch)19
-rw-r--r--main/nss/97_ssl_renegotiate_transitional.patch (renamed from main/nss/ssl-renegotiate-transitional.patch)14
-rw-r--r--main/nss/APKBUILD42
-rw-r--r--main/nss/lower-dhe-priority.patch45
6 files changed, 198 insertions, 28 deletions
diff --git a/main/nss/80_security_tools.patch b/main/nss/80_security_tools.patch
new file mode 100644
index 0000000000..9357e90916
--- /dev/null
+++ b/main/nss/80_security_tools.patch
@@ -0,0 +1,26 @@
+## 80_security_tools.patch by Mike Hommey <glandium@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Enable building of some NSS tools.
+## DP: Disable rpath.
+
+Index: nss/mozilla/security/nss/cmd/platlibs.mk
+===================================================================
+--- nss.orig/mozilla/security/nss/cmd/platlibs.mk 2012-10-05 14:46:28.387226831 +0200
++++ nss/mozilla/security/nss/cmd/platlibs.mk 2012-10-05 14:46:39.931118977 +0200
+@@ -8,6 +8,7 @@
+ # set RPATH-type linker instructions here so they can be used in the shared
+ # version and in the mixed (static nss libs/shared NSPR libs) version.
+
++ifdef ENABLE_RPATH
+ ifeq ($(OS_ARCH), SunOS)
+ ifeq ($(USE_64), 1)
+ EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
+@@ -31,6 +32,7 @@
+ else
+ DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX)
+ endif
++endif
+
+ ifdef USE_STATIC_LIBS
+
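Review bot: The `DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX)` assignment shown as context sits between the added `ifdef ENABLE_RPATH` and the added closing `endif`, so it appears to be set only when `ENABLE_RPATH` is defined. The lines between the two inner hunks are not shown, so check against platlibs.mk whether anything after the guard (the `USE_STATIC_LIBS` section follows directly) still needs `DBMLIB`; if it does, the `endif` should move up to just after the last rpath block. The `## DP:` header also says the patch enables building some NSS tools, but the only visible change is the rpath guard, so I would reword it to `## DP: Disable rpath unless ENABLE_RPATH is defined.`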
diff --git a/main/nss/85_security_load.patch b/main/nss/85_security_load.patch
new file mode 100644
index 0000000000..11cc8dd219
--- /dev/null
+++ b/main/nss/85_security_load.patch
@@ -0,0 +1,80 @@
+## 85_security_load.patch by Mike Hommey <glandium@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Load modules from $ORIGIN/nss.
+
+Index: nss/mozilla/security/nss/cmd/shlibsign/shlibsign.c
+===================================================================
+--- nss.orig/mozilla/security/nss/cmd/shlibsign/shlibsign.c 2012-10-05 14:46:30.599206535 +0200
++++ nss/mozilla/security/nss/cmd/shlibsign/shlibsign.c 2012-10-05 14:46:41.883100266 +0200
+@@ -852,6 +852,8 @@
+ libname = PR_GetLibraryName(NULL, "softokn3");
+ assert(libname != NULL);
+ lib = PR_LoadLibrary(libname);
++ if (!lib)
++ lib = PR_LoadLibrary("/usr/lib/nss/libsoftokn3.so");
+ assert(lib != NULL);
+ PR_FreeLibraryName(libname);
+
+Index: nss/mozilla/security/nss/lib/pk11wrap/pk11load.c
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/pk11wrap/pk11load.c 2012-10-05 14:46:28.331227343 +0200
++++ nss/mozilla/security/nss/lib/pk11wrap/pk11load.c 2012-10-05 14:46:41.883100266 +0200
+@@ -406,6 +406,13 @@
+ * unload the library if anything goes wrong from here on out...
+ */
+ library = PR_LoadLibrary(mod->dllName);
++ if ((library == NULL) &&
++ !rindex(mod->dllName, PR_GetDirectorySeparator())) {
++ library = PORT_LoadLibraryFromOrigin(my_shlib_name,
++ (PRFuncPtr) &softoken_LoadDSO,
++ mod->dllName);
++ }
++
+ mod->library = (void *)library;
+
+ if (library == NULL) {
+Index: nss/mozilla/security/nss/lib/util/secload.c
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/util/secload.c 2012-10-05 14:46:28.331227343 +0200
++++ nss/mozilla/security/nss/lib/util/secload.c 2012-10-05 14:46:41.883100266 +0200
+@@ -69,9 +69,14 @@
+
+ /* Remove the trailing filename from referencePath and add the new one */
+ c = strrchr(referencePath, PR_GetDirectorySeparator());
++ if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
++ * and program was called from $PATH. Hack to get libs from /usr/lib */
++ referencePath = "/usr/lib/";
++ c = &referencePath[8]; /* last / */
++ }
+ if (c) {
+ size_t referencePathSize = 1 + c - referencePath;
+- fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 1);
++ fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
+ if (fullName) {
+ memcpy(fullName, referencePath, referencePathSize);
+ strcpy(fullName + referencePathSize, name);
+@@ -81,6 +86,12 @@
+ #endif
+ libSpec.type = PR_LibSpec_Pathname;
+ libSpec.value.pathname = fullName;
++ if ((referencePathSize >= 4) &&
++ (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
++ memcpy(fullName + referencePathSize -4, "lib", 3);
++ }
++ strcpy(fullName + referencePathSize, "nss/");
++ strcpy(fullName + referencePathSize + 4, name);
+ dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
+ #ifdef PR_LD_ALT_SEARCH_PATH
+ /* allow library's dependencies to be found in the same directory
+@@ -88,6 +99,10 @@
+ | PR_LD_ALT_SEARCH_PATH
+ #endif
+ );
++ if (! dlh) {
++ strcpy(fullName + referencePathSize, name);
++ dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
++ }
+ PORT_Free(fullName);
+ }
+ }
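Review bot: In the secload.c part, the `bin` to `lib` rewrite compares only the three characters before the final separator, so a reference directory such as `/usr/sbin/` also matches and is turned into `/usr/slib/`. The condition should also require a separator (or the start of the string) in front of `bin`, for example by adding `(referencePathSize == 4 || fullName[referencePathSize - 5] == PR_GetDirectorySeparator())` to the test. Because the rewrite is done in place, the later fallback `strcpy(fullName + referencePathSize, name)` retries in the rewritten directory and never in the original one, which deserves a comment if it is intended. The new `if (!c)` branch also makes the following `if (c)` always true, and the pk11load.c hunk uses `rindex` where secload.c uses `strrchr`; using `strrchr` in both would be consistent. The enclosing functions start and end outside the quoted hunks.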
diff --git a/main/nss/add_spi+cacert_ca_certs.patch b/main/nss/95_add_spi+cacert_ca_certs.patch
index 1cc7c18f54..5420bbffa9 100644
--- a/main/nss/add_spi+cacert_ca_certs.patch
+++ b/main/nss/95_add_spi+cacert_ca_certs.patch
@@ -1,10 +1,17 @@
---- a/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
-+++ b/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
-@@ -20926,3 +20926,558 @@ CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
- CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
- CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
+## 95_add_spi+cacert_ca_certs.patch by martin f. krafft <madduck@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Adds the SPI Inc. and CAcert.org CA certificates
+
+Index: nss/mozilla/security/nss/lib/ckfw/builtins/certdata.txt
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/ckfw/builtins/certdata.txt 2013-01-04 11:14:44.704055110 +0100
++++ nss/mozilla/security/nss/lib/ckfw/builtins/certdata.txt 2013-01-04 11:14:44.700055209 +0100
+@@ -24783,3 +24783,558 @@
+ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
+ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
-+
++
+#
+# Certificate "CAcert.org Class 1 Root CA"
+#
diff --git a/main/nss/ssl-renegotiate-transitional.patch b/main/nss/97_ssl_renegotiate_transitional.patch
index f457c55518..c09b813387 100644
--- a/main/nss/ssl-renegotiate-transitional.patch
+++ b/main/nss/97_ssl_renegotiate_transitional.patch
@@ -6,16 +6,16 @@ to continue to renegotiate with vulnerable servers.
This value should only be used during the transition period when few
servers have been upgraded.
-diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
-index f1d1921..c074360 100644
---- a/mozilla/security/nss/lib/ssl/sslsock.c
-+++ b/mozilla/security/nss/lib/ssl/sslsock.c
-@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
+Index: nss/mozilla/security/nss/lib/ssl/sslsock.c
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/ssl/sslsock.c 2012-10-05 14:46:07.223624005 +0200
++++ nss/mozilla/security/nss/lib/ssl/sslsock.c 2012-10-05 14:48:26.905899063 +0200
+@@ -150,7 +150,7 @@
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */
- };
-
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE /* cbcRandomIV */
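Review bot: The refreshed patch keeps the `enableRenegotiation` default at `3` (transitional), and `requireSafeNegotiation` stays `PR_FALSE` in the same initializer, so clients continue to renegotiate with what the patch description itself calls vulnerable servers. That description says the value is meant only for a transition period, yet this commit is labelled a security upgrade and carries it forward without comment. I would add a header line recording why the relaxed default is still shipped and what would allow dropping it, e.g. `## DP: Keep transitional renegotiation default; revisit once unpatched servers are no longer a concern.` The `ssl_defaults` initializer starts and ends outside the hunk.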
diff --git a/main/nss/APKBUILD b/main/nss/APKBUILD
index 99f7086aeb..4d6b3d047e 100644
--- a/main/nss/APKBUILD
+++ b/main/nss/APKBUILD
@@ -1,6 +1,6 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=nss
-pkgver=3.14.3
+pkgver=3.14.5
_pkgver=3.14.1
_ver=${pkgver//./_}
pkgrel=0
@@ -11,16 +11,19 @@ license="MPL GPL"
depends=
makedepends="nspr-dev sqlite-dev zlib-dev perl"
subpackages="$pkgname-dev $pkgname-tools"
-#source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src/$pkgname-$pkgver.tar.gz
-source="ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_14_1_WITH_CKBI_1_93_RTM/src/${pkgname}-3.14.1.with.ckbi.1.93.tar.gz
+#source="ftp://ftp.mozilla.org/pub/security/nss/releases/NSS_3_14_1_WITH_CKBI_1_93_RTM/src/${pkgname}-3.14.1.with.ckbi.1.93.tar.gz
+source="ftp://ftp.mozilla.org/pub/security/$pkgname/releases/NSS_${_ver}_RTM/src/$pkgname-$pkgver.tar.gz
nss.pc.in
nss-config.in
- add_spi+cacert_ca_certs.patch
- ssl-renegotiate-transitional.patch
+ 80_security_tools.patch
+ 85_security_load.patch
+ 95_add_spi+cacert_ca_certs.patch
+ 97_ssl_renegotiate_transitional.patch
+ lower-dhe-priority.patch
"
depends_dev="nspr-dev"
-_builddir="$srcdir"/$pkgname-$_pkgver
+_builddir="$srcdir"/$pkgname-$pkgver
prepare() {
cd "$_builddir"
for i in $source; do
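Review bot: `_pkgver=3.14.1` is left in place by the first APKBUILD hunk while `_builddir` here switches to `"$srcdir"/$pkgname-$pkgver`, so unless something outside these hunks still reads it the variable is now stale and misleading; drop it or keep it in step with `pkgver`. The tarball is still fetched over plain `ftp://`, which leaves the checksum lists further down as the only integrity control on the source; a short comment above `source=` saying so would help whoever regenerates them next. `prepare()` continues outside this hunk.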
@@ -141,18 +144,27 @@ tools() {
mv "$pkgdir"/usr/bin "$subpkgdir"/usr/
}
-md5sums="49e6661758deb0c469f0b4edd4e727d5 nss-3.14.1.with.ckbi.1.93.tar.gz
+md5sums="73cf5c23206f7d333853aea697a0e7c9 nss-3.14.5.tar.gz
c547b030c57fe1ed8b77c73bf52b3ded nss.pc.in
46bee81908f1e5b26d6a7a2e14c64d9f nss-config.in
-7f39c19b1dfd62d7db7d8bf19f156fed add_spi+cacert_ca_certs.patch
-d83c7b61abb7e9f8f7bcd157183d1ade ssl-renegotiate-transitional.patch"
-sha256sums="e22ffcca62d604029145e4f904c59e4a967a20d1276f123a91e76ecaae48ba98 nss-3.14.1.with.ckbi.1.93.tar.gz
+262714f8f8e206dc9ea5270683a4f34f 80_security_tools.patch
+e737ca88170023c9243dc4bda4730d42 85_security_load.patch
+4ce81c80d381337b8e048ef3cb0b6005 95_add_spi+cacert_ca_certs.patch
+83bd48daebc54d588f718c4054a62318 97_ssl_renegotiate_transitional.patch
+629faf8cc95ba10cfef9066a5c07eaf8 lower-dhe-priority.patch"
+sha256sums="61f3493117483c85ef343fc7f22e1b3b7bff14580c632523d939eea8c5849216 nss-3.14.5.tar.gz
b9f1428ca2305bf30b109507ff335fa00bce5a7ce0434b50acd26ad7c47dd5bd nss.pc.in
e44ac5095b4d88f24ec7b2e6a9f1581560bd3ad41a3d198596d67ef22f67adb9 nss-config.in
-a9fa92d29d3079d73894288afed7ac736b3527f7c1de990eb3b314978eb3107b add_spi+cacert_ca_certs.patch
-12df04bccbf674db1eef7a519a28987927b5e9c107b1dc386686f05e64f49a97 ssl-renegotiate-transitional.patch"
-sha512sums="e2d49abc87e76ea3fb5edb09b1c9be1c14b25212fceb69f19b00662e59add972c2d9799626a32e7735095126157bad0aed6c732f472764017304da2ef2696a0e nss-3.14.1.with.ckbi.1.93.tar.gz
+d9580965d7a01ee2e8a4b675aa1cbb37ed6b9d95ab3a6157639bfb7f51aa246a 80_security_tools.patch
+ec90e68260fa4c8343a894d0d03ca1f93e4730c612d2ef5ed66d2f03f1c242d2 85_security_load.patch
+5550bd42d06fdc59530a8e228c40e6d66c8a3a55bc92dae1df51954a0f9f3579 95_add_spi+cacert_ca_certs.patch
+21de95d23b3788bfd01249d61ea52010e44214e2c0126974b585c107c85b104a 97_ssl_renegotiate_transitional.patch
+fa8f10ff7d40b43161dd1b53acf875323aef7a5317bcc72bd6a69a7bd076624a lower-dhe-priority.patch"
+sha512sums="ef35939d6b4627df0e562da7b0f1bb599c8f7cf09f7baa9fc059ddd725a91a4d34204a22e05e3aa9b2a609c085834f611f9e6ff2dde69e16e9cd7e7c74a86ddf nss-3.14.5.tar.gz
75dbd648a461940647ff373389cc73bc8ec609139cd46c91bcce866af02be6bcbb0524eb3dfb721fbd5b0bc68c20081ed6f7debf6b24317f2a7ba823e8d3c531 nss.pc.in
2971669e128f06a9af40a5ba88218fa7c9eecfeeae8b0cf42e14f31ed12bf6fa4c5ce60289e078f50e2669a9376b56b45d7c29d726a7eac69ebe1d1e22dc710b nss-config.in
-301ca0936ce5d51280e441b6b395841e9231d8739227bcecf73e809d909c9ac6d165758234d5728fc77649ec3697c9b15168fa215e353b4b0401e22ca90c5382 add_spi+cacert_ca_certs.patch
-0c2d54a15636851947e9dfdf0b652f94d89b7f187d7e0f0d47751bc4383c742d9fe5cc932c30b41bced0cf547c59dfab51f65f307bf63300965df83811067e75 ssl-renegotiate-transitional.patch"
+5b618edccc63b1bf9c6e51a1863f6a92b42de1dfb59d1726f3d04c194fc3ff9fe21e1894f3dfd092c6427fa79a5e767344daedfc1b7db225016adde5d73ceb47 80_security_tools.patch
+237283427f091141da22418556ecd432948ff67dfec90f23181da35e4c2218d0a6ba307cecea8079feaf6a92fab677050f252564e7c01642869aa16c0ef58909 85_security_load.patch
+6a20b99c9c60e199072c9bbccb97c3855fce4dd4625a22c6f3a24787ea70890a94eda01b037e9764b223b52d83b47c5c5254a62347ec8b751cab65917c8475a6 95_add_spi+cacert_ca_certs.patch
+63bd776f22b085e6cf11bebfa25cf5aebeb3e08713957f0d9ee0f465f8fa563313cfd0ce6696bcb1a5eeaa5688d2dcb862b8d0eacfe4dcbafd816540d72bebb1 97_ssl_renegotiate_transitional.patch
+3d0845acaf83f35f4733a4461d6eb63558c7b9823365c39f3184a014bb6bf1cbf41f7a633be1c2f37f3335eae272f54b4356dbbed8c0b6e2f95c1abeec5e8859 lower-dhe-priority.patch"
diff --git a/main/nss/lower-dhe-priority.patch b/main/nss/lower-dhe-priority.patch
new file mode 100644
index 0000000000..970e2fcafe
--- /dev/null
+++ b/main/nss/lower-dhe-priority.patch
@@ -0,0 +1,45 @@
+https://bugzilla.mozilla.org/show_bug.cgi?id=583337
+List TLS_DHE_RSA_WITH_AES_256_CBC_SHA after TLS_RSA_WITH_AES_256_CBC_SHA
+in SSL ClientHello to communicate securely with some servers that use
+256-bit DH keys.
+
+Index: nss/mozilla/security/nss/lib/ssl/ssl3con.c
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/ssl/ssl3con.c 2012-10-05 14:46:07.000000000 +0200
++++ nss/mozilla/security/nss/lib/ssl/ssl3con.c 2012-10-05 14:50:36.387931139 +0200
+@@ -82,7 +82,6 @@
+ #endif /* NSS_ENABLE_ECC */
+ { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+- { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+ #ifdef NSS_ENABLE_ECC
+ { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+@@ -90,6 +89,7 @@
+ #endif /* NSS_ENABLE_ECC */
+ { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+ { TLS_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
++ { TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_NOT_ALLOWED, PR_TRUE,PR_FALSE},
+
+ #ifdef NSS_ENABLE_ECC
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_NOT_ALLOWED, PR_FALSE,PR_FALSE},
+Index: nss/mozilla/security/nss/lib/ssl/sslenum.c
+===================================================================
+--- nss.orig/mozilla/security/nss/lib/ssl/sslenum.c 2012-10-05 14:46:07.000000000 +0200
++++ nss/mozilla/security/nss/lib/ssl/sslenum.c 2012-10-05 14:48:39.701727613 +0200
+@@ -35,7 +35,6 @@
+ #endif /* NSS_ENABLE_ECC */
+ TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
+- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
+ #ifdef NSS_ENABLE_ECC
+ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+@@ -43,6 +42,7 @@
+ #endif /* NSS_ENABLE_ECC */
+ TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ TLS_RSA_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+
+ /* 128-bit */
+ #ifdef NSS_ENABLE_ECC
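Review bot: Listing `TLS_DHE_RSA_WITH_AES_256_CBC_SHA` after `TLS_RSA_WITH_AES_256_CBC_SHA` means a server that follows client preference will pick static-RSA key exchange for AES-256, which gives up forward secrecy on those connections in order to work around the servers named in the header. The header should state that trade-off and say when the patch can be dropped. `TLS_DHE_DSS_WITH_AES_256_CBC_SHA`, also `PR_TRUE`, keeps its earlier position, so it would help to note whether leaving it there is deliberate. The patch moves the entry in ssl3con.c and sslenum.c in step; a one-line comment next to the moved entry in both files, such as `/* moved below RSA: see bug 583337 */`, would keep a later rebase from changing one list and not the other. Both arrays start and end outside the hunks.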