Remove the symbol renaming workaround. Use version scripts as done on
Linux and FreeBSD to hide internal symbols (e.g. HMAC_Update) that
conflict with libcrypto.
Tested in a bulk by ajacoutot@, ok sthen@ naddy@, no objection landry@
(maintainer)
NSS has a number of internal functions (used inter-library between NSS's
various libraries, not exported in the public API) that conflict with
libcrypto:
HMAC_Init, HMAC_Update, MD5_Update, SHA1_Update, SHA224_Update,
SHA256_Update, SHA384_Update, SHA512_Update.
We were already renaming (via #define macro) SHA1_Update and HMAC_Update
but some programs use others - notably libreoffice, which uses HMAC_Init and
HMAC_Update when saving encrypted .od* files - as robert@ tracked down, the
NSS version was being called instead of the expected libcrypto one.
Fix by renaming the remaining conflicting functions the same way.
See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.37_release_notes
Interestingly, in nss 3.31 the way entropy is gathered from the system
was revamped, and in #1057343 it started using the getentropy() syscall
by default if available, with a fallback to /dev/urandom...but only on
linux/glibc 2.25.
Add a patch to also use getentropy() on OpenBSD.. reported upstream in
#1461075
ago from Debian, just patch & use the ones added upstream in bug
#1277852. This way, we properly list the right libs when linking,
including nssutil3 (which should fix linking chrome with lld) - and
while here fix includedir to be consistent with cflags.
Prompted by an original diff from espie@
Tested in bulks by ajacoutot@ and myself
WANTLIB fixes removing softokn3 to come
See
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.27_release_notes
Note that a bunch of CAs were removed, but not WoSign, because it owns
StartSSL/StartCOM.. see
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview
and https://wiki.mozilla.org/CA:WoSign_Issues for details. Anyway, we
know the CA model is broken, right?
Bump major, functions added/removed...
- Remove patch-nss_lib_util_verref_h, merged upstream (#1226179)
- Remove useless patch-nss_coreconf_UNIX_mk, our -O2 takes precedence
- Remove chunk of patch-nss_coreconf_OpenBSD_mk, was merged upstream in
#1250891. While here remove the addition of -Wl,Bsymbolic to MKSHLIB
which was here since forever for no justified reason.
https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15_release_notes
After years of sticking to CVS, upstream finally switched to hg,
changing its directory layout while here. All our patches are actually
unchanged, but got renamed/moved. CVS doesn't handle moves :)
Tested in an amd64 bulk build.
Remove a useless patch, unix_rand.c uses /dev/urandom on OpenBSD since
bug #174993 was fixed more than 5 years ago in nss 3.5.
Enforce dependency on sqlite 3.7.15.2.
Went in a handful of bulk builds.
Tested on sparc64 & hppa, and went into an amd64 bulk build.
Note that builtins/certdata.c patch goes to the attic since it's
autogenerated at build time from builtins/certdata.txt (which we patch
too for CACert roots) since bug #683266.
There might be a chemspill for a TURKTRUST CA distrust soon (bug
#825022, sg-only) but let's get this in now.
- use ${SUBST_CMD} instead of old-style perl -pi -e commands
- update nss-config from debian's nss-config.in, since apparently it
comes from there.. needed to fix detection by mozillas, otherwise the
current script returns 3.14 for --version while configure scripts
expect 3.14.0... grab version via awk on nss.h at runtime.
Tested on amd64/i386/powerpc and in an amd64 bulk build. Needed by
firefox 18.
ok sthen@ ajacoutot@ jasper@
SSL 2.0 is disabled by default.
A defense against the SSL 3.0 and TLS 1.0 CBC chosen plaintext attack
demonstrated by Rizzo and Duong (CVE-2011-3389) is enabled by default.
SHA-224 is supported.
additional blacklist CA's. Malaysia-based DigiCert Sdn. Bhd
Ok sthen@
at runtime via other libs (cups, kerberos...) so causing a crash due to
using the wrong binding.
Rename here to avoid conflict.
from pkgsrc
ok sthen@ jasper@ robert@