head 1.7; access; symbols pkgsrc-2021Q1:1.6.0.62 pkgsrc-2021Q1-base:1.6 pkgsrc-2020Q4:1.6.0.60 pkgsrc-2020Q4-base:1.6 pkgsrc-2020Q3:1.6.0.58 pkgsrc-2020Q3-base:1.6 pkgsrc-2020Q2:1.6.0.54 pkgsrc-2020Q2-base:1.6 pkgsrc-2020Q1:1.6.0.34 pkgsrc-2020Q1-base:1.6 pkgsrc-2019Q4:1.6.0.56 pkgsrc-2019Q4-base:1.6 pkgsrc-2019Q3:1.6.0.52 pkgsrc-2019Q3-base:1.6 pkgsrc-2019Q2:1.6.0.50 pkgsrc-2019Q2-base:1.6 pkgsrc-2019Q1:1.6.0.48 pkgsrc-2019Q1-base:1.6 pkgsrc-2018Q4:1.6.0.46 pkgsrc-2018Q4-base:1.6 pkgsrc-2018Q3:1.6.0.44 pkgsrc-2018Q3-base:1.6 pkgsrc-2018Q2:1.6.0.42 pkgsrc-2018Q2-base:1.6 pkgsrc-2018Q1:1.6.0.40 pkgsrc-2018Q1-base:1.6 pkgsrc-2017Q4:1.6.0.38 pkgsrc-2017Q4-base:1.6 pkgsrc-2017Q3:1.6.0.36 pkgsrc-2017Q3-base:1.6 pkgsrc-2017Q2:1.6.0.32 pkgsrc-2017Q2-base:1.6 pkgsrc-2017Q1:1.6.0.30 pkgsrc-2017Q1-base:1.6 pkgsrc-2016Q4:1.6.0.28 pkgsrc-2016Q4-base:1.6 pkgsrc-2016Q3:1.6.0.26 pkgsrc-2016Q3-base:1.6 pkgsrc-2016Q2:1.6.0.24 pkgsrc-2016Q2-base:1.6 pkgsrc-2016Q1:1.6.0.22 pkgsrc-2016Q1-base:1.6 pkgsrc-2015Q4:1.6.0.20 pkgsrc-2015Q4-base:1.6 pkgsrc-2015Q3:1.6.0.18 pkgsrc-2015Q3-base:1.6 pkgsrc-2015Q2:1.6.0.16 pkgsrc-2015Q2-base:1.6 pkgsrc-2015Q1:1.6.0.14 pkgsrc-2015Q1-base:1.6 pkgsrc-2014Q4:1.6.0.12 pkgsrc-2014Q4-base:1.6 pkgsrc-2014Q3:1.6.0.10 pkgsrc-2014Q3-base:1.6 pkgsrc-2014Q2:1.6.0.8 pkgsrc-2014Q2-base:1.6 pkgsrc-2014Q1:1.6.0.6 pkgsrc-2014Q1-base:1.6 pkgsrc-2013Q4:1.6.0.4 pkgsrc-2013Q4-base:1.6 pkgsrc-2013Q3:1.6.0.2 pkgsrc-2013Q3-base:1.6 pkgsrc-2013Q2:1.5.0.10 pkgsrc-2013Q2-base:1.5 pkgsrc-2013Q1:1.5.0.8 pkgsrc-2013Q1-base:1.5 pkgsrc-2012Q4:1.5.0.6 pkgsrc-2012Q4-base:1.5 pkgsrc-2012Q3:1.5.0.4 pkgsrc-2012Q3-base:1.5 pkgsrc-2012Q2:1.5.0.2 pkgsrc-2012Q2-base:1.5 pkgsrc-2011Q4:1.4.0.4 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.2 pkgsrc-2011Q2-base:1.4 pkgsrc-2009Q4:1.3.0.28 pkgsrc-2009Q4-base:1.3 pkgsrc-2009Q3:1.3.0.26 pkgsrc-2009Q3-base:1.3 pkgsrc-2009Q2:1.3.0.24 pkgsrc-2009Q2-base:1.3 pkgsrc-2009Q1:1.3.0.22 pkgsrc-2009Q1-base:1.3 pkgsrc-2008Q4:1.3.0.20 pkgsrc-2008Q4-base:1.3 
pkgsrc-2008Q3:1.3.0.18 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.16 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.14 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.12 pkgsrc-2008Q1:1.3.0.10 pkgsrc-2008Q1-base:1.3 pkgsrc-2007Q4:1.3.0.8 pkgsrc-2007Q4-base:1.3 pkgsrc-2007Q3:1.3.0.6 pkgsrc-2007Q3-base:1.3 pkgsrc-2007Q2:1.3.0.4 pkgsrc-2007Q2-base:1.3 pkgsrc-2007Q1:1.3.0.2 pkgsrc-2007Q1-base:1.3 pkgsrc-2006Q4:1.2.0.2 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.1.0.2 pkgsrc-2006Q3-base:1.1; locks; strict; comment @# @; 1.7 date 2021.04.09.06.40.59; author wiz; state dead; branches; next 1.6; commitid LyiaXY3PbpR7hAOC; 1.6 date 2013.07.20.09.28.12; author ryoon; state Exp; branches; next 1.5; commitid vGlStYxlQ9FPRbYw; 1.5 date 2012.04.18.21.01.42; author ryoon; state Exp; branches; next 1.4; 1.4 date 2010.01.16.14.41.25; author tnn; state dead; branches; next 1.3; 1.3 date 2007.01.20.18.55.09; author wiz; state Exp; branches; next 1.2; 1.2 date 2006.10.22.15.32.47; author dmcmahill; state Exp; branches; next 1.1; 1.1 date 2006.07.12.16.30.04; author rillig; state Exp; branches; next ; desc @@ 1.7 log @nss: fix interoperability with openssl For a long time now (at least 15 years), the installed pkg-config file also linked against libsoftokn3, which is wrong according to upstream. This library is only intended to be loaded as a module. Having this library linked added symbols to the namespace that conflict with openssl symbols. This had caused problems before, and patches had been added to rename symbols to avoid this conflict. Instead, fix this correctly by not linking against libsoftokn3. Switch to using the pkg-config and nss-config files provided in the distfiles instead of pkgsrc-specific ones. Remove now unneeded symbol-renaming patches. Remove DragonFly patches while here. Bump PKGREVISION. 
@ text @$NetBSD: patch-an,v 1.6 2013/07/20 09:28:12 ryoon Exp $ SHA1_Update conflicts with openssl which may be dynamically loaded at runtime via libcups or libgssapi so causing a crash due to using the wrong binding. So rename here to avoid conflict. --- nss/lib/freebl/sha-fast-amd64-sun.s.orig 2009-06-29 18:15:14.000000000 +0200 +++ nss/lib/freebl/sha-fast-amd64-sun.s @@@@ -1712,9 +1712,9 @@@@ shaCompress: .LFE7: .size shaCompress, .-shaCompress .align 16 -.globl SHA1_Update - .type SHA1_Update, @@function -SHA1_Update: +.globl NSS_SHA1_Update + .type NSS_SHA1_Update, @@function +NSS_SHA1_Update: .LFB5: pushq %rbp .LCFI5: @@@@ -1800,7 +1800,7 @@@@ SHA1_Update: call shaCompress jmp .L245 .LFE5: - .size SHA1_Update, .-SHA1_Update + .size NSS_SHA1_Update, .-NSS_SHA1_Update .section .rodata .align 32 .type bulk_pad.0, @@object @@@@ -1902,7 +1902,7 @@@@ SHA1_End: subl %r8d, %edx andl $63, %edx incl %edx - call SHA1_Update@@PLT + call NSS_SHA1_Update@@PLT movq %rbx, %rdi movq %r12, %rsi shrq $32, %rdi @@@@ -2018,7 +2018,7 @@@@ SHA1_HashBuf: movl %r12d, %edx movq %r13, %rsi movq %rbx, %rdi - call SHA1_Update@@PLT + call NSS_SHA1_Update@@PLT leaq -292(%rbp), %rdx movq %r14, %rsi movq %rbx, %rdi @ 1.6 log @Update to 3.15.1 Changelog: NSS 3.15.1 release notes Introduction Network Security Services (NSS) 3.15.1 is a patch release for NSS 3.15. The bug fixes in NSS 3.15.1 are described in the "Bugs Fixed" section below. Distribution Information NSS 3.15.1 source distributions are also available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_1_RTM/src/ New in NSS 3.15.1 New Functionality TLS 1.2: TLS 1.2 (RFC 5246) is supported. HMAC-SHA256 cipher suites (RFC 5246 and RFC 5289) are supported, allowing TLS to be used without MD5 and SHA-1. Note the following limitations. 
The hash function used in the signature for TLS 1.2 client authentication must be the hash function of the TLS 1.2 PRF, which is always SHA-256 in NSS 3.15.1. AES GCM cipher suites are not yet supported. New Functions None. New Types in sslprot.h SSL_LIBRARY_VERSION_TLS_1_2 - The protocol version of TLS 1.2 on the wire, value 0x0303. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_NULL_SHA256 - New TLS 1.2 only HMAC-SHA256 cipher suites. in sslerr.h SSL_ERROR_UNSUPPORTED_HASH_ALGORITHM, SSL_ERROR_DIGEST_FAILURE, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM - New error codes for TLS 1.2. in sslt.h ssl_hmac_sha256 - A new value in the SSLMACAlgorithm enum type. ssl_signature_algorithms_xtn - A new value in the SSLExtensionType enum type. New PKCS #11 Mechanisms None. Notable Changes in NSS 3.15.1 Bug 856060 - Enforce name constraints on the common name in libpkix when no subjectAltName is present. Bug 875156 - Add const to the function arguments of SEC_CertNicknameConflict. Bug 877798 - Fix ssltap to print the certificate_status handshake message correctly. Bug 882829 - On Windows, NSS initialization fails if NSS cannot call the RtlGenRandom function. Bug 875601 - SECMOD_CloseUserDB/SECMOD_OpenUserDB fails to reset the token delay, leading to spurious failures. Bug 884072 - Fix a typo in the header include guard macro of secmod.h. Bug 876352 - certutil now warns if importing a PEM file that contains a private key. Bug 565296 - Fix the bug that shlibsign exited with status 0 even though it failed. The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option is removed. 
Bugs fixed in NSS 3.15.1 https://bugzilla.mozilla.org/buglist.cgi?list_id=5689256;resolution=FIXED;classification=Components;query_format=advanced;target_milestone=3.15.1;product=NSS Compatibility NSS 3.15.1 shared libraries are backward compatible with all older NSS 3.x shared libraries. A program linked with older NSS 3.x shared libraries will work with NSS 3.15.1 shared libraries without recompiling or relinking. Furthermore, applications that restrict their use of NSS APIs to the functions listed in NSS Public Functions will remain compatible with future versions of the NSS shared libraries. NSS 3.15 release notes Introduction The NSS team has released Network Security Services (NSS) 3.15, which is a minor release. Distribution Information The HG tag is NSS_3_15_RTM. NSS 3.15 requires NSPR 4.10 or newer. NSS 3.15 source distributions are available on ftp.mozilla.org for secure HTTPS download: Source tarballs: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_15_RTM/src/ New in NSS 3.15 New Functionality Support for OCSP Stapling (RFC 6066, Certificate Status Request) has been added for both client and server sockets. TLS client applications may enable this via a call to SSL_OptionSetDefault(SSL_ENABLE_OCSP_STAPLING, PR_TRUE); Added function SECITEM_ReallocItemV2. It replaces function SECITEM_ReallocItem, which is now declared as obsolete. Support for single-operation (eg: not multi-part) symmetric key encryption and decryption, via PK11_Encrypt and PK11_Decrypt. certutil has been updated to support creating name constraints extensions. New Functions in ssl.h SSL_PeerStapledOCSPResponse - Returns the server's stapled OCSP response, when used with a TLS client socket that negotiated the status_request extension. SSL_SetStapledOCSPResponses - Sets a stapled OCSP response for a TLS server socket to return when clients send the status_request extension.
in ocsp.h CERT_PostOCSPRequest - Primarily intended for testing, permits the sending and receiving of raw OCSP request/responses. in secpkcs7.h SEC_PKCS7VerifyDetachedSignatureAtTime - Verifies a PKCS#7 signature at a specific time other than the present time. in xconst.h CERT_EncodeNameConstraintsExtension - Matching function for CERT_DecodeNameConstraintsExtension, added in NSS 3.10. in secitem.h SECITEM_AllocArray SECITEM_DupArray SECITEM_FreeArray SECITEM_ZfreeArray - Utility functions to handle the allocation and deallocation of SECItemArrays SECITEM_ReallocItemV2 - Replaces SECITEM_ReallocItem, which is now obsolete. SECITEM_ReallocItemV2 better matches caller expectations, in that it updates item->len on allocation. For more details of the issues with SECITEM_ReallocItem, see Bug 298649 and Bug 298938. in pk11pub.h PK11_Decrypt - Performs decryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. PK11_Encrypt - Performs encryption as a single PKCS#11 operation (eg: not multi-part). This is necessary for AES-GCM. New Types in secitem.h SECItemArray - Represents a variable-length array of SECItems. New Macros in ssl.h SSL_ENABLE_OCSP_STAPLING - Used with SSL_OptionSet to configure TLS client sockets to request the certificate_status extension (eg: OCSP stapling) when set to PR_TRUE Notable Changes in NSS 3.15 SECITEM_ReallocItem is now deprecated. Please consider using SECITEM_ReallocItemV2 in all future code. NSS has migrated from CVS to the Mercurial source control management system. Updated build instructions are available at Migration to HG As part of this migration, the source code directory layout has been re-organized. The list of root CA certificates in the nssckbi module has been updated. The default implementation of SSL_AuthCertificate has been updated to add certificate status responses stapled by the TLS server to the OCSP cache. 
Applications that use SSL_AuthCertificateHook to override the default handler should add appropriate calls to SSL_PeerStapledOCSPResponse and CERT_CacheOCSPResponseFromSideChannel. Bug 554369: Fixed correctness of CERT_CacheOCSPResponseFromSideChannel and other OCSP caching behaviour. Bug 853285: Fixed bugs in AES GCM. Bug 341127: Fix the invalid read in rc4_wordconv. Faster NIST curve P-256 implementation. Dropped (32-bit) SPARC V8 processor support on Solaris. The shared library libfreebl_32int_3.so is no longer produced. Bugs fixed in NSS 3.15 This Bugzilla query returns all the bugs fixed in NSS 3.15: https://bugzilla.mozilla.org/buglist.cgi?list_id=6278317&resolution=FIXED&classification=Components&query_format=advanced&product=NSS&target_milestone=3.15 @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.5 2012/04/18 21:01:42 ryoon Exp $ @ 1.5 log @Update 3.13.4 * Change distfile to separated source. Changelog is not shown. Probably some bugs are fixed. Tested on NetBSD/i386 6.99.4 and DragonFly/i386 3.0.1. @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.1.1.1 2009/08/05 02:59:48 tnn Exp $ d7 2 a8 2 --- security/nss/lib/freebl/sha-fast-amd64-sun.s.orig 2009-06-29 18:15:14.000000000 +0200 +++ security/nss/lib/freebl/sha-fast-amd64-sun.s @ 1.4 log @- update to 3.12.4.5 - reach over to xulrunner, track the stable gecko release - use external sqlite3 - cleanup - take maintainership This is the second part of PR pkg/42277. @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.3 2007/01/20 18:55:09 wiz Exp $ d3 3 a5 2 https://bugzilla.mozilla.org/show_bug.cgi?id=323977 https://bugzilla.mozilla.org/attachment.cgi?id=209007&action=view d7 42 a48 27 Added DragonFly. Also, when building on solaris with gcc, be sure to correctly set the flags used by the solaris assembler which is explicitly called out in the makefile in a couple of places. This prevents errors when trying to assemble files which contain cpu specific instructions. 
--- mozilla/security/nss/lib/freebl/Makefile.orig 2006-08-23 22:57:26.000000000 +0000 +++ mozilla/security/nss/lib/freebl/Makefile @@@@ -196,6 +196,17 @@@@ ifeq (,$(filter-out BSD_OS FreeBSD Linux MKSHLIB += -Wl,-Bsymbolic endif +# The blapi functions are defined not only in the freebl shared +# libraries but also in the shared libraries linked with loader.c +# (libsoftokn3.so and libssl3.so). We need to use GNU ld's +# -Bsymbolic option or the equivalent option for other linkers +# to bind the blapi function references in FREEBLVector vector +# (ldvector.c) to the blapi functions defined in the freebl +# shared libraries. +ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD DragonFly, $(OS_TARGET))) + MKSHLIB += -Wl,-Bsymbolic +endif + ifeq ($(OS_TARGET),SunOS) # The -R '$ORIGIN' linker option instructs this library to search for its @ 1.3 log @Update to 3.11.4: The following bugs have been fixed in NSS 3.11.4. * Bug 115951: freebl dynamic library is never unloaded by libsoftoken or libssl. Also tiny one-time leak in freebl's loader.c. * Bug 127960: SSL force handshake function should take a timeout. * Bug 335454: Unable to find library 'libsoftokn3.sl' on HP-UX 64 bit. * Bug 350200: Implement DHMAC based POP (ProofOfPossession). * Bug 351482: audit_log_user_message doesn't exist in all versions of libaudit.so.0. (the "paranoia patch") * Bug 352041: oom [@@ CERT_DecodeDERCrlWithFlags] "extended" tracked as NULL was dereferenced. * Bug 353422: Klocwork bugs in nss/lib/crmf. * Bug 353475: Cannot run cmd tools compiled with VC++ 2005. * Bug 353572: leak in sftk_OpenCertDB. * Bug 353608: NSS_RegisterShutdown may fail, and appData argument to callbacks is always NULL. * Bug 353749: PowerUpSelf tests update for DSA and ECDSA KAT. * Bug 353896: Building tip with NSS_ECC_MORE_THAN_SUITE_B causes crashes in all.sh. * Bug 353910: memory leak in RNG_RNGInit. * Bug 354313: STAN_GetCERTCertificateName leaks "instance" struct. 
* Bug 354384: vfyserv shutdown failure when client auth requested. * Bug 354900: Audit modifications, accesses, deletions, and additions of cryptographic keys. * Bug 355297: Improve the very first RNG_RandomUpdate call. * Bug 356073: C_GetTokenInfo should return CKR_CRYPTOKI_NOT_INITIALIZED if not initialized. * Bug 356309: CertVerifyLog in CERT_VerifyCertificate terminates early on expired certs. * Bug 357197: OCSP response code fails to match CERTIds. (hot fix only) * Bug 359484: FireFox 2 tries to negotiate ECC cipher suites using ssl2 client hello. (hot fix only) * Bug 360818: No RPATH set for signtool and signver. @ text @d1 1 a1 1 $NetBSD: patch-an,v 1.2 2006/10/22 15:32:47 dmcmahill Exp $ @ 1.2 log @Various solaris fixes. In particular: - when building with gcc, the solaris /usr/ccs/bin/as assembler is still used in a couple of places but the correct flags aren't set. - The object directory has a different name when building with gcc instead of the sun studio compilers. - There are a couple of libs which are installed that aren't part of the install for other systems (freebl). @ text @d1 1 a1 1 $NetBSD$ d13 1 a13 1 --- mozilla/security/nss/lib/freebl/Makefile.orig 2005-11-22 02:13:32.000000000 -0500 d15 2 a16 2 @@@@ -188,6 +188,17 @@@@ endif endif a32 21 @@@@ -227,16 +238,20 @@@@ ifeq ($(CPU_ARCH),sparc) endif ifdef USE_ABI32_INT64 ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus + SOLARIS_AS_FLAGS = -xarch=v8plus -K PIC endif ifdef USE_ABI32_FPU ARCHFLAG=-mcpu=v9 -Wa,-xarch=v8plus + SOLARIS_AS_FLAGS = -xarch=v8plusa -K PIC endif # USE_ABI32_FPU ifdef USE_ABI64_INT # this builds for Sparc v9a pure 64-bit architecture + SOLARIS_AS_FLAGS = -xarch=v9 -K PIC endif ifdef USE_ABI64_FPU # this builds for Sparc v9a pure 64-bit architecture # It uses floating point, and 32-bit word size + SOLARIS_AS_FLAGS = -xarch=v9a -K PIC endif else # NS_USE_GCC ifdef USE_ABI32_INT32 @ 1.1 log @Updated nss to 3.11. 
No ChangeLog available, but some libraries have changed: - removed libfort - added libfreebl3 - removed libswft @ text @d8 8 a15 8 Index: mozilla/security/nss/lib/freebl/Makefile =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/freebl/Makefile,v retrieving revision 1.70 diff -u -r1.70 Makefile --- mozilla/security/nss/lib/freebl/Makefile 22 Nov 2005 07:13:32 -0000 1.70 +++ mozilla/security/nss/lib/freebl/Makefile 19 Jan 2006 21:47:47 -0000 @@@@ -188,6 +188,17 @@@@ d33 21 @
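Review bot: in the sha-fast-amd64-sun.s patch (revision 1.6 text), the rename to NSS_SHA1_Update touches only the .globl/.type/label definition, its .size directive, and the two PLT calls inside SHA1_End and SHA1_HashBuf, all in this one assembly file. Nothing in these hunks renames a C prototype or a caller outside the file, so the patch comment should state where the matching rename lives (or that no other reference exists); without it the amd64 Sun-assembler build can end with an unresolved SHA1_Update. The symbol is also still exported with .globl under the new name, so the clash with openssl is avoided by naming only, not by hiding the symbol; that is worth one sentence in the comment as well.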
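Review bot: in the freebl/Makefile hunk at -196,6 +196,17 (revision 1.3 text), the added ifeq lists BSD_OS, FreeBSD and Linux again, and the unchanged block directly above it, as far as the truncated hunk header shows, already matches those three targets and already appends -Wl,-Bsymbolic to MKSHLIB. On those targets the flag is therefore added twice. Extending the existing filter-out list with NetBSD and DragonFly would give the same result for the two new targets without a second block.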