Sat Oct 31 19:36:30 2020 UTC ()
nss: update to 3.58nb1.

Add a post-release patch that broke some applications
https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

Changes nout found.


(wiz)
diff -r1.192 -r1.193 pkgsrc/devel/nss/Makefile
diff -r1.25 -r1.26 pkgsrc/devel/nss/PLIST
diff -r1.118 -r1.119 pkgsrc/devel/nss/distinfo
diff -r0 -r1.1 pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh
diff -r0 -r1.1 pkgsrc/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
diff -r0 -r1.1 pkgsrc/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c
diff -r0 -r1.1 pkgsrc/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h
diff -r1.2 -r0 pkgsrc/devel/nss/patches/patch-security_nss_cmd_shlibsign_sign.sh
cvs diff -r1.192 -r1.193 pkgsrc/devel/nss/Makefile (expand / switch to unified diff)

--- pkgsrc/devel/nss/Makefile 2020/09/19 23:54:14 1.192
+++ pkgsrc/devel/nss/Makefile 2020/10/31 19:36:30 1.193
@@ -1,18 +1,19 @@ @@ -1,18 +1,19 @@
1# $NetBSD: Makefile,v 1.192 2020/09/19 23:54:14 ryoon Exp $ 1# $NetBSD: Makefile,v 1.193 2020/10/31 19:36:30 wiz Exp $
2 2
3DISTNAME= nss-${NSS_RELEASE:S/.0$//} 3DISTNAME= nss-${NSS_RELEASE:S/.0$//}
4NSS_RELEASE= 3.57.0 4NSS_RELEASE= 3.58.0
5CATEGORIES= security 5PKGREVISION= 1
 6CATEGORIES= devel security
6MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/} 7MASTER_SITES= ${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
7 8
8MAINTAINER= pkgsrc-users@NetBSD.org 9MAINTAINER= pkgsrc-users@NetBSD.org
9HOMEPAGE= https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS 10HOMEPAGE= https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
10COMMENT= Libraries to support development of security-enabled applications 11COMMENT= Libraries to support development of security-enabled applications
11LICENSE= mpl-2.0 12LICENSE= mpl-2.0
12 13
13CHECK_PORTABILITY_SKIP+= nss/tests/libpkix/libpkix.sh 14CHECK_PORTABILITY_SKIP+= nss/tests/libpkix/libpkix.sh
14CHECK_PORTABILITY_SKIP+= nss/tests/multinit/multinit.sh 15CHECK_PORTABILITY_SKIP+= nss/tests/multinit/multinit.sh
15CHECK_PORTABILITY_SKIP+= js/src/configure 16CHECK_PORTABILITY_SKIP+= js/src/configure
16CHECK_PORTABILITY_SKIP+= configure 17CHECK_PORTABILITY_SKIP+= configure
17 18
18CTF_SUPPORTED= no # https://smartos.org/bugview/OS-6510 19CTF_SUPPORTED= no # https://smartos.org/bugview/OS-6510
cvs diff -r1.25 -r1.26 pkgsrc/devel/nss/PLIST (expand / switch to unified diff)

--- pkgsrc/devel/nss/PLIST 2019/12/03 14:29:21 1.25
+++ pkgsrc/devel/nss/PLIST 2020/10/31 19:36:30 1.26
@@ -1,14 +1,14 @@ @@ -1,14 +1,14 @@
1@comment $NetBSD: PLIST,v 1.25 2019/12/03 14:29:21 ryoon Exp $ 1@comment $NetBSD: PLIST,v 1.26 2020/10/31 19:36:30 wiz Exp $
2bin/certutil 2bin/certutil
3bin/cmsutil 3bin/cmsutil
4bin/crlutil 4bin/crlutil
5bin/derdump 5bin/derdump
6bin/makepqg 6bin/makepqg
7bin/mangle 7bin/mangle
8bin/modutil 8bin/modutil
9bin/nss-config 9bin/nss-config
10bin/ocspclnt 10bin/ocspclnt
11bin/oidcalc 11bin/oidcalc
12bin/p7content 12bin/p7content
13bin/p7env 13bin/p7env
14bin/p7sign 14bin/p7sign
@@ -70,26 +70,27 @@ include/nss/nss/nssckmdt.h @@ -70,26 +70,27 @@ include/nss/nss/nssckmdt.h
70include/nss/nss/nssckt.h 70include/nss/nss/nssckt.h
71include/nss/nss/nssilckt.h 71include/nss/nss/nssilckt.h
72include/nss/nss/nssilock.h 72include/nss/nss/nssilock.h
73include/nss/nss/nsslocks.h 73include/nss/nss/nsslocks.h
74include/nss/nss/nssrwlk.h 74include/nss/nss/nssrwlk.h
75include/nss/nss/nssrwlkt.h 75include/nss/nss/nssrwlkt.h
76include/nss/nss/nssutil.h 76include/nss/nss/nssutil.h
77include/nss/nss/ocsp.h 77include/nss/nss/ocsp.h
78include/nss/nss/ocspt.h 78include/nss/nss/ocspt.h
79include/nss/nss/p12.h 79include/nss/nss/p12.h
80include/nss/nss/p12plcy.h 80include/nss/nss/p12plcy.h
81include/nss/nss/p12t.h 81include/nss/nss/p12t.h
82include/nss/nss/pk11func.h 82include/nss/nss/pk11func.h
 83include/nss/nss/pk11hpke.h
83include/nss/nss/pk11pqg.h 84include/nss/nss/pk11pqg.h
84include/nss/nss/pk11priv.h 85include/nss/nss/pk11priv.h
85include/nss/nss/pk11pub.h 86include/nss/nss/pk11pub.h
86include/nss/nss/pk11sdr.h 87include/nss/nss/pk11sdr.h
87include/nss/nss/pkcs11.h 88include/nss/nss/pkcs11.h
88include/nss/nss/pkcs11f.h 89include/nss/nss/pkcs11f.h
89include/nss/nss/pkcs11n.h 90include/nss/nss/pkcs11n.h
90include/nss/nss/pkcs11p.h 91include/nss/nss/pkcs11p.h
91include/nss/nss/pkcs11t.h 92include/nss/nss/pkcs11t.h
92include/nss/nss/pkcs11u.h 93include/nss/nss/pkcs11u.h
93include/nss/nss/pkcs11uri.h 94include/nss/nss/pkcs11uri.h
94include/nss/nss/pkcs12.h 95include/nss/nss/pkcs12.h
95include/nss/nss/pkcs12t.h 96include/nss/nss/pkcs12t.h
cvs diff -r1.118 -r1.119 pkgsrc/devel/nss/distinfo (expand / switch to unified diff)

--- pkgsrc/devel/nss/distinfo 2020/09/19 23:54:14 1.118
+++ pkgsrc/devel/nss/distinfo 2020/10/31 19:36:30 1.119
@@ -1,25 +1,28 @@ @@ -1,25 +1,28 @@
1$NetBSD: distinfo,v 1.118 2020/09/19 23:54:14 ryoon Exp $ 1$NetBSD: distinfo,v 1.119 2020/10/31 19:36:30 wiz Exp $
2 2
3SHA1 (nss-3.57.tar.gz) = ee150322d22ca2b449b31a9a4188eab156e0a13d 3SHA1 (nss-3.58.tar.gz) = f0c572b72921690c77d59471fe21cfa811d8b876
4RMD160 (nss-3.57.tar.gz) = d00996339012f73e11eb61d9e162e334921e4082 4RMD160 (nss-3.58.tar.gz) = 7c6f03a8ca20ec6bcc43435538d84bb940e562f3
5SHA512 (nss-3.57.tar.gz) = 7e312d7539a26f57b968548935a7715cfa895aa61da21d0542ae45b71cb16f63167728534cdfd15f8eca68c75753a0df3d05e87b4c5acaabbda63c736e552ea2 5SHA512 (nss-3.58.tar.gz) = 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
6Size (nss-3.57.tar.gz) = 81712830 bytes 6Size (nss-3.58.tar.gz) = 81846254 bytes
7SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca 7SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
8SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69 8SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
9SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1 9SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1
10SHA1 (patch-me) = 3b23fb15a1a22204604ebe64345bb30734a131ba 10SHA1 (patch-me) = 3b23fb15a1a22204604ebe64345bb30734a131ba
11SHA1 (patch-mf) = 534fe5f711f60dadc3432bc805a6153535f11709 11SHA1 (patch-mf) = 534fe5f711f60dadc3432bc805a6153535f11709
12SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834 12SHA1 (patch-mg) = 3c878548c98bdea559a3e653e63e0ed22a2a8834
13SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a 13SHA1 (patch-mj) = 08ca1a37afce99e0292a20348fc6855547f44e8a
14SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4 14SHA1 (patch-mn) = 5b79783e48249044be1a904a6cfd20ba175b5fd4
15SHA1 (patch-nss_cmd_platlibs.mk) = 01f4350de601b29c94e8a791a28daca226866bb6 15SHA1 (patch-nss_cmd_platlibs.mk) = 01f4350de601b29c94e8a791a28daca226866bb6
 16SHA1 (patch-nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af
16SHA1 (patch-nss_coreconf_NetBSD.mk) = ed95aa1c245c9f2b8fda0a1769f9599223b61dbf 17SHA1 (patch-nss_coreconf_NetBSD.mk) = ed95aa1c245c9f2b8fda0a1769f9599223b61dbf
17SHA1 (patch-nss_coreconf_OpenBSD.mk) = 1a4c3711d5d1f7f9e8d58b36145b15d7e444d754 18SHA1 (patch-nss_coreconf_OpenBSD.mk) = 1a4c3711d5d1f7f9e8d58b36145b15d7e444d754
18SHA1 (patch-nss_coreconf_command.mk) = a7b682d367825b48f8802fa30cee83f10680bb74 19SHA1 (patch-nss_coreconf_command.mk) = a7b682d367825b48f8802fa30cee83f10680bb74
 20SHA1 (patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc) = 85c61f09a833ae0039294f0475931474d69a913e
19SHA1 (patch-nss_lib_freebl_aes-armv8.c) = aa698f61dd3d66ba707a9b5425bc15d057244ad7 21SHA1 (patch-nss_lib_freebl_aes-armv8.c) = aa698f61dd3d66ba707a9b5425bc15d057244ad7
20SHA1 (patch-nss_lib_freebl_gcm-aarch64.c) = 311cfe7ca58e91285052d0ca27bd2df3f325071b 22SHA1 (patch-nss_lib_freebl_gcm-aarch64.c) = 311cfe7ca58e91285052d0ca27bd2df3f325071b
21SHA1 (patch-nss_lib_freebl_md5.c) = 5cbec40695e296f0713895fb85cd37f6df76b85b 23SHA1 (patch-nss_lib_freebl_md5.c) = 5cbec40695e296f0713895fb85cd37f6df76b85b
 24SHA1 (patch-nss_lib_ssl_ssl3con.c) = 04dc8ca7714bb1295ff9b470aed325cac1846950
 25SHA1 (patch-nss_lib_ssl_sslimpl.h) = 91f7da0f30469bb81b416431e8f1268edbb82e5f
22SHA1 (patch-nss_lib_util_utilpars.c) = 5d3000515b01037929730a752b7d7a0f46f06deb 26SHA1 (patch-nss_lib_util_utilpars.c) = 5d3000515b01037929730a752b7d7a0f46f06deb
23SHA1 (patch-nss_tests_all.sh) = b328778b538db66f5447f962f23afd6f650f7071 27SHA1 (patch-nss_tests_all.sh) = b328778b538db66f5447f962f23afd6f650f7071
24SHA1 (patch-nss_tests_merge_merge.sh) = 42a4866d226b1076740ba9a5e42c7604f2cb15a7 28SHA1 (patch-nss_tests_merge_merge.sh) = 42a4866d226b1076740ba9a5e42c7604f2cb15a7
25SHA1 (patch-security_nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388af 
File Added: pkgsrc/devel/nss/patches/patch-nss_cmd_shlibsign_sign.sh
$NetBSD: patch-nss_cmd_shlibsign_sign.sh,v 1.1 2020/10/31 19:36:30 wiz Exp $

This tries to dlopen libsoftokn3.so which is linked against sqlite3,
so we need a directory containing libsqlite3.so in the search path,
beside the directory containing libsoftokn3.so itself.

--- nss/cmd/shlibsign/sign.sh.orig	2011-06-15 21:57:52.000000000 +0000
+++ nss/cmd/shlibsign/sign.sh
@@ -26,7 +26,7 @@ WIN*)
     export LIBPATH
     SHLIB_PATH=${1}/lib:${4}:$SHLIB_PATH
     export SHLIB_PATH
-    LD_LIBRARY_PATH=${1}/lib:${4}:$LD_LIBRARY_PATH
+    LD_LIBRARY_PATH=${1}/lib:${4}:${PREFIX}/lib:$LD_LIBRARY_PATH
     export LD_LIBRARY_PATH
     DYLD_LIBRARY_PATH=${1}/lib:${4}:$DYLD_LIBRARY_PATH
     export DYLD_LIBRARY_PATH
File Added: pkgsrc/devel/nss/patches/Attic/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
$NetBSD: patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc,v 1.1 2020/10/31 19:36:30 wiz Exp $

https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

--- nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc.orig	2020-10-16 14:50:49.000000000 +0000
+++ nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
@@ -348,8 +348,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
 }
 
-// The server rejects a ChangeCipherSpec if the client advertises an
-// empty session ID.
+// The server accepts a ChangeCipherSpec even if the client advertises
+// an empty session ID.
 TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
   EnsureTlsSetup();
   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
@@ -358,9 +358,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
   client_->Handshake();  // Send ClientHello
   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
 
-  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-  server_->Handshake();  // Consume ClientHello and CCS
-  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+  Handshake();
+  CheckConnected();
 }
 
 // The server rejects multiple ChangeCipherSpec even if the client
@@ -381,7 +380,7 @@ TEST_F(Tls13CompatTest, ChangeCipherSpec
   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
 }
 
-// The client rejects a ChangeCipherSpec if it advertises an empty
+// The client accepts a ChangeCipherSpec even if it advertises an empty
 // session ID.
 TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
   EnsureTlsSetup();
@@ -398,9 +397,10 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
                          // send ServerHello..CertificateVerify
   // Send CCS
   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
-  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
-  client_->Handshake();  // Consume ClientHello and CCS
-  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
+
+  // No alert is sent from the client. As Finished is dropped, we
+  // can't use Handshake() and CheckConnected().
+  client_->Handshake();
 }
 
 // The client rejects multiple ChangeCipherSpec in a row even if the
File Added: pkgsrc/devel/nss/patches/Attic/patch-nss_lib_ssl_ssl3con.c
$NetBSD: patch-nss_lib_ssl_ssl3con.c,v 1.1 2020/10/31 19:36:30 wiz Exp $

https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

--- nss/lib/ssl/ssl3con.c.orig	2020-10-16 14:50:49.000000000 +0000
+++ nss/lib/ssl/ssl3con.c
@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslS
 
     /* TLS 1.3: We sent a session ID.  The server's should match. */
     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
-        if (sidMatch) {
-            ss->ssl3.hs.allowCcs = PR_TRUE;
-            return PR_TRUE;
-        }
-        return PR_FALSE;
+        return sidMatch;
     }
 
     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PR
                 errCode = PORT_GetError();
                 goto alert_loser;
             }
-            ss->ssl3.hs.allowCcs = PR_TRUE;
         }
 
         /* TLS 1.3 requires that compression include only null. */
@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
             ss->ssl3.hs.ws != idle_handshake &&
             cText->buf->len == 1 &&
             cText->buf->buf[0] == change_cipher_spec_choice) {
-            if (ss->ssl3.hs.allowCcs) {
-                /* Ignore the first CCS. */
-                ss->ssl3.hs.allowCcs = PR_FALSE;
+            if (!ss->ssl3.hs.rejectCcs) {
+                /* Allow only the first CCS. */
+                ss->ssl3.hs.rejectCcs = PR_TRUE;
                 return SECSuccess;
+            } else {
+                alert = unexpected_message;
+                PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
             }
-
-            /* Compatibility mode is not negotiated. */
-            alert = unexpected_message;
-            PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
         }
 
         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
File Added: pkgsrc/devel/nss/patches/Attic/patch-nss_lib_ssl_sslimpl.h
$NetBSD: patch-nss_lib_ssl_sslimpl.h,v 1.1 2020/10/31 19:36:30 wiz Exp $

https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f

--- nss/lib/ssl/sslimpl.h.orig	2020-10-16 14:50:49.000000000 +0000
+++ nss/lib/ssl/sslimpl.h
@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
                                            * or received. */
     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
                                            * before the handshake started. */
-    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
-                                           * as the middlebox compatibility mode
-                                           * is explicitly indicarted by
-                                           * legacy_session_id in TLS 1.3 ClientHello. */
+    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
     PRBool clientCertRequested;           /* True if CertificateRequest received. */
     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def
File Deleted: pkgsrc/devel/nss/patches/Attic/patch-security_nss_cmd_shlibsign_sign.sh