Update to 3.13.1 with ckbi 1.88 changes include

SSL 2.0 is disabled by default. A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default. SHA-224 is supported. additional blacklist CA's. Malaysia-based DigiCert Sdn. Bhd Ok sthen@
2011-11-18 12:32:37 +00:00 · 2011-11-18 12:32:37 +00:00 · c9c77840a6
commit c9c77840a6
parent d6e7c2c8e4
5 changed files with 335 additions and 281 deletions
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@ -1,19 +1,18 @@
-# $OpenBSD: Makefile,v 1.24 2011/09/16 11:41:39 espie Exp $
+# $OpenBSD: Makefile,v 1.25 2011/11/18 12:32:37 nigel Exp $

 SHARED_ONLY=		Yes

 COMMENT=		libraries to support development of security-enabled apps

-VERSION=		3.12.11
-DISTNAME=		nss-${VERSION}.with.ckbi.1.87
+VERSION=		3.13.1
+DISTNAME=		nss-${VERSION}.with.ckbi.1.88
 WRKDIST=		${WRKDIR}/nss-${VERSION}
 PKGNAME =		nss-${VERSION}
-SO_VERSION=		28.0
+SO_VERSION=		29.0
 .for _lib in freebl3 nss3 nssckbi nssdbm3 nssutil3 smime3 softokn3 ssl3
 SHARED_LIBS+=		${_lib} ${SO_VERSION}
 .endfor
 CATEGORIES=		security
-REVISION=		1

 HOMEPAGE=		http://www.mozilla.org/projects/security/pki/nss/

@ -26,10 +25,9 @@ PERMIT_DISTFILES_CDROM=	Yes
 PERMIT_DISTFILES_FTP=	Yes
 WANTLIB += c pthread z nspr4 plc4 plds4 sqlite3

-MASTER_SITES =		ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_11_WITH_CKBI_1_87_RTM/src/
 #for regular releases
-#MASTER_SITES=		http://ftp.eu.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${VERSION:S/./_/g}_RTM/src/ \
-#			http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_${VERSION:S/./_/g}_RTM/src/
+MASTER_SITES=		http://ftp.eu.mozilla.org/pub/mozilla.org/security/nss/releases/${DISTNAME:U:C/[-.]/_/g}_RTM/src/ \
+			http://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${DISTNAME:U:C/[-.]/_/g}_RTM/src/

 LIB_DEPENDS=		devel/nspr>=4.8 \
 			databases/sqlite3>=3.6.13
--- a/security/nss/distinfo
+++ b/security/nss/distinfo
@ -1,5 +1,5 @@
-MD5 (nss-3.12.11.with.ckbi.1.87.tar.gz) = qatOBYZYJjpvEo+zhtawZg==
-RMD160 (nss-3.12.11.with.ckbi.1.87.tar.gz) = hQ8zVNa4AP+QjSsbT7FKOV9l3ns=
-SHA1 (nss-3.12.11.with.ckbi.1.87.tar.gz) = 92l2EDiiZn51HoTWg/IyImEzg1Q=
-SHA256 (nss-3.12.11.with.ckbi.1.87.tar.gz) = S4SnzTYb8tFJNdDydoHdFIzzEk7fVYonHP3oiC9/cCA=
-SIZE (nss-3.12.11.with.ckbi.1.87.tar.gz) = 6035595
+MD5 (nss-3.13.1.with.ckbi.1.88.tar.gz) = upclePQ51u/hLvaGB5qY3Q==
+RMD160 (nss-3.13.1.with.ckbi.1.88.tar.gz) = IL93JZ2SywVKTkxA+9kx2jNfxYw=
+SHA1 (nss-3.13.1.with.ckbi.1.88.tar.gz) = 68AljI0aPC/oCUG9mRt2ZVJGT8Y=
+SHA256 (nss-3.13.1.with.ckbi.1.88.tar.gz) = RW/SrQNpdmYK5+TiTt3cSfL0fnykkMHFNydxu7UgeHk=
+SIZE (nss-3.13.1.with.ckbi.1.88.tar.gz) = 6065634
--- a/security/nss/patches/patch-mozilla_security_nss_lib_ckfw_builtins_certdata_c
+++ b/security/nss/patches/patch-mozilla_security_nss_lib_ckfw_builtins_certdata_c
--- a/security/nss/patches/patch-mozilla_security_nss_lib_ckfw_builtins_certdata_txt
+++ b/security/nss/patches/patch-mozilla_security_nss_lib_ckfw_builtins_certdata_txt
@ -1,9 +1,9 @@
-$OpenBSD: patch-mozilla_security_nss_lib_ckfw_builtins_certdata_txt,v 1.6 2011/09/06 19:39:34 landry Exp $
+$OpenBSD: patch-mozilla_security_nss_lib_ckfw_builtins_certdata_txt,v 1.7 2011/11/18 12:32:37 nigel Exp $
 add CACert CA
 https://bugzilla.mozilla.org/show_bug.cgi?id=215243
--- mozilla/security/nss/lib/ckfw/builtins/certdata.txt.orig	Fri Sep  2 21:39:06 2011
-+++ mozilla/security/nss/lib/ckfw/builtins/certdata.txt	Fri Sep  2 22:24:18 2011
-@@ -14885,6 +14885,352 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUST_UNK
+--- mozilla/security/nss/lib/ckfw/builtins/certdata.txt.orig	Thu Nov  3 15:11:58 2011
+++ mozilla/security/nss/lib/ckfw/builtins/certdata.txt	Wed Nov  9 15:20:15 2011
+@@ -14885,6 +14885,352 @@ CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUST_UNKNOWN
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
 #
--- a/security/nss/patches/patch-mozilla_security_nss_lib_freebl_unix_rand_c
+++ b/security/nss/patches/patch-mozilla_security_nss_lib_freebl_unix_rand_c
@ -1,7 +1,7 @@
-$OpenBSD: patch-mozilla_security_nss_lib_freebl_unix_rand_c,v 1.8 2010/10/22 19:14:56 landry Exp $
--- mozilla/security/nss/lib/freebl/unix_rand.c.orig	Fri Apr 30 02:20:02 2010
-+++ mozilla/security/nss/lib/freebl/unix_rand.c	Wed Oct 20 13:07:03 2010
-@@ -849,7 +849,6 @@ safe_pclose(FILE *fp)
+$OpenBSD: patch-mozilla_security_nss_lib_freebl_unix_rand_c,v 1.9 2011/11/18 12:32:37 nigel Exp $
+--- mozilla/security/nss/lib/freebl/unix_rand.c.orig	Thu Aug 25 00:57:44 2011
+++ mozilla/security/nss/lib/freebl/unix_rand.c	Wed Nov  9 15:20:15 2011
+@@ -852,7 +852,6 @@ safe_pclose(FILE *fp)
 /* Fork netstat to collect its output by default. Do not unset this unless
  * another source of entropy is available
  */
@ -9,7 +9,7 @@ $OpenBSD: patch-mozilla_security_nss_lib_freebl_unix_rand_c,v 1.8 2010/10/22 19:
 
 void RNG_SystemInfoForRNG(void)
 {
-@@ -916,7 +915,7 @@ void RNG_SystemInfoForRNG(void)
+@@ -924,7 +923,7 @@ void RNG_SystemInfoForRNG(void)
     GiveSystemInfo();
 
     /* grab some data from system's PRNG before any other files. */
@ -18,7 +18,7 @@ $OpenBSD: patch-mozilla_security_nss_lib_freebl_unix_rand_c,v 1.8 2010/10/22 19:
 
     /* If the user points us to a random file, pass it through the rng */
     randfile = getenv("NSRANDFILE");
-@@ -1161,7 +1160,7 @@ size_t RNG_SystemRNG(void *dest, size_t maxLen)
+@@ -1169,7 +1168,7 @@ size_t RNG_SystemRNG(void *dest, size_t maxLen)
     size_t fileBytes = 0;
     unsigned char *buffer = dest;