!5 nss: simplify functions

Merge pull request !5 from guoxiaoqi/next
2020-01-11 17:30:35 +08:00 · 2020-01-11 17:30:35 +08:00 · d003a0df9e
commit d003a0df9e
parent 29d6066484 8e90a34467
14 changed files with 5 additions and 292 deletions
--- a/PayPalEE.cert
+++ b/PayPalEE.cert
--- a/PayPalICA.cert
+++ b/PayPalICA.cert
--- a/iquote.patch
+++ b/iquote.patch
@ -1,13 +0,0 @@
-diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk
--- nss/coreconf/location.mk.iquote	2017-07-27 16:09:32.000000000 +0200
-+++ nss/coreconf/location.mk	2017-09-06 13:23:14.633611555 +0200
-@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME
-     SQLITE_LIB_NAME = sqlite3
- endif
- 
-+# Prefer in-tree headers over system headers
-+ifdef IN_TREE_FREEBL_HEADERS_FIRST
-+    INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss
-+endif
-+
- MK_LOCATION = included
--- a/nss-539183.patch
+++ b/nss-539183.patch
@ -1,62 +0,0 @@
--- ./nss/cmd/httpserv/httpserv.c.539183	2016-05-21 18:31:39.879585420 -0700
-+++ ./nss/cmd/httpserv/httpserv.c	2016-05-21 18:37:22.374464057 -0700
-@@ -953,23 +953,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
-    addr.inet.family = PR_AF_INET;
-    addr.inet.ip = PR_INADDR_ANY;
-    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
-    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
-        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSockett");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- ./nss/cmd/selfserv/selfserv.c.539183	2016-05-21 18:31:39.882585367 -0700
-+++ ./nss/cmd/selfserv/selfserv.c	2016-05-21 18:41:43.092801174 -0700
-@@ -1711,23 +1711,23 @@
- getBoundListenSocket(unsigned short port)
- {
-     PRFileDesc *listen_sock;
-     int listenQueueDepth = 5 + (2 * maxThreads);
-     PRStatus prStatus;
-     PRNetAddr addr;
-     PRSocketOptionData opt;
- 
-    addr.inet.family = PR_AF_INET;
-    addr.inet.ip = PR_INADDR_ANY;
-    addr.inet.port = PR_htons(port);
-+    if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
-+        errExit("PR_SetNetAddr");
-+    }
- 
-    listen_sock = PR_NewTCPSocket();
-+    listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
-     if (listen_sock == NULL) {
-        errExit("PR_NewTCPSocket");
-+        errExit("PR_OpenTCPSocket error");
-     }
- 
-     opt.option = PR_SockOpt_Nonblocking;
-     opt.value.non_blocking = PR_FALSE;
-     prStatus = PR_SetSocketOption(listen_sock, &opt);
-     if (prStatus < 0) {
-         PR_Close(listen_sock);
-         errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
--- a/nss-p11-kit.config
+++ b/nss-p11-kit.config
@ -1,4 +0,0 @@
-name=p11-kit-proxy
-library=p11-kit-proxy.so
-
-
--- a/nss-softokn-dracut-module-setup.sh
+++ b/nss-softokn-dracut-module-setup.sh
@ -1,18 +0,0 @@
-#!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
-
-check() {
-    return 255
-}
-
-depends() {
-    return 0
-}
-
-install() {
-    local _dir
-
-    inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \
-        libfreebl3.so
-}
--- a/nss-softokn-dracut.conf
+++ b/nss-softokn-dracut.conf
@ -1,3 +0,0 @@
-# turn on nss-softokn module
-
-add_dracutmodules+=" nss-softokn "
--- a/nss-softokn-prelink.conf
+++ b/nss-softokn-prelink.conf
@ -1,8 +0,0 @@
-b /lib{,64}/libfreeblpriv3.so
-b /lib{,64}/libfreebl3.so
-b /lib{,64}/libsoftokn3.so
-b /lib{,64}/libnssdbm3.so
-b /usr/lib{,64}/libfreeblpriv3.so
-b /usr/lib{,64}/libfreebl3.so
-b /usr/lib{,64}/libsoftokn3.so
-b /usr/lib{,64}/libnssdbm3.so
--- a/nss-tests-paypal-certs-v2.patch
+++ b/nss-tests-paypal-certs-v2.patch
@ -1,29 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno@redhat.com>
-# Date 1541595734 -3600
-#      Wed Nov 07 14:02:14 2018 +0100
-# Node ID 19fd907784e38a5febb54588353368af91b12551
-# Parent  3b79af0fa294b4b1c009c1c0b659bb72b4d2c1c8
-Bug 1505317, update PayPal test certs
-
-diff --git a/tests/chains/scenarios/realcerts.cfg b/tests/chains/scenarios/realcerts.cfg
--- a/tests/chains/scenarios/realcerts.cfg
-+++ b/tests/chains/scenarios/realcerts.cfg
-@@ -21,7 +21,7 @@ verify TestUser51:x
-   result pass
- 
- verify PayPalEE:x
-  policy OID.2.16.840.1.114412.1.1 
-+  policy OID.2.16.840.1.114412.2.1 
-   result pass
- 
- verify BrAirWaysBadSig:x
-diff --git a/tests/libpkix/vfychain_test.lst b/tests/libpkix/vfychain_test.lst
--- a/tests/libpkix/vfychain_test.lst
-+++ b/tests/libpkix/vfychain_test.lst
-@@ -1,4 +1,4 @@
- # Status | Leaf Cert | Policies | Others(undef)
- 0 TestUser50 undef
- 0 TestUser51 undef
-0 PayPalEE OID.2.16.840.1.114412.1.1
-+0 PayPalEE OID.2.16.840.1.114412.2.1
--- a/nss.spec
+++ b/nss.spec
@ -10,7 +10,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          6
+Release:          7
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Provides:         nss-system-init
@ -26,9 +26,6 @@ Source1:          nss-util.pc
 Source2:          nss-util-config
 Source3:          nss-softokn.pc
 Source4:          nss-softokn-config
-Source5:          nss-softokn-prelink.conf
-Source6:          nss-softokn-dracut-module-setup.sh
-Source7:          nss-softokn-dracut.conf
 Source8:          nss.pc
 Source9:          nss-config
 Source10:         blank-cert8.db
@ -36,24 +33,6 @@ Source11:         blank-key3.db
 Source12:         blank-secmod.db
 Source13:         blank-cert9.db
 Source14:         blank-key4.db
-Source15:         system-pkcs11.txt
-Source16:         setup-nsssysinit.sh
-Source28:         nss-p11-kit.config
-Source29:         PayPalICA.cert
-Source30:         PayPalEE.cert
-
-Patch1:           renegotiate-transitional.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
-Patch2:           nss-539183.patch
-# This patch uses the GCC -iquote option documented at
-# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
-# to give the in-tree headers a higher priority over the system headers,
-# when they are included through the quote form (#include "file.h").
-Patch3:           iquote.patch
-# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1185708
-Patch4:           rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1505317
-Patch5:           nss-tests-paypal-certs-v2.patch

 Patch9000: Bug-1412829-reject-empty-supported_signature_algorit.patch
 Patch9001: Bug-1507135-Add-additional-null-checks-to-CMS-messag.patch
@ -140,16 +119,10 @@ Help document for NSS
 %prep
 %setup -q -n %{name}-%{nss_version}

-%patch1 -p0 -b .transitional
-%patch2 -p0 -b .539183
-%patch3 -p0 -b .iquote
-%patch4 -p0 -b .1185708_3des
 pushd nss
-%patch5 -p1 -b .paypal-certs
 %patch9000 -p1
 %patch9001 -p1
 %patch9002 -p1
-cp %{SOURCE29} %{SOURCE30} tests/libpkix/certs
 popd

 %build
@ -215,7 +188,7 @@ cp ./nss/doc/nroff/* ./dist/docs/nroff

 # Set up our package files
 mkdir -p ./dist/pkgconfig
-for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9} %{SOURCE16}; do
+for m in %{SOURCE1} %{SOURCE2} %{SOURCE3} %{SOURCE4} %{SOURCE8} %{SOURCE9}; do
  cp ${m} ./dist/pkgconfig
  chmod 755 ./dist/pkgconfig/*
 done
@ -328,9 +301,6 @@ mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
 mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb

-install -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/
-install -m 755 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh
-install -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf
 # Install the empty NSS db files
 # Legacy db
 install -p -m 644 %{SOURCE10} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
@ -339,7 +309,6 @@ install -p -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
 # Shared db
 install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
-install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt

 # Copy the binary libraries we want
 for file in libnssutil3.so libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so libnss3.so libnsssysinit.so libsmime3.so libssl3.so
@ -390,10 +359,6 @@ install -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkg
 install -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 install -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
 install -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
-# Copy the pkcs #11 configuration script
-install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
-# install a symbolic link to it, without the ".sh" suffix,
-ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit

 # Copy the man pages for the nss tools
 for f in "%{allTools}"; do
@ -402,7 +367,6 @@ done
 install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1

 # Copy the crypto-policies configuration file
-install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d

 /usr/bin/setup-nsssysinit.sh on
 $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so
@ -424,11 +388,7 @@ update-crypto-policies
 %{_libdir}/libsmime3.so
 %dir %{_sysconfdir}/pki/nssdb
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/*
-%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
 %{_libdir}/libnsssysinit.so
-%{_bindir}/setup-nsssysinit.sh
-# symbolic link to setup-nsssysinit.sh
-%{_bindir}/setup-nsssysinit

 %files devel
 %{_libdir}/libcrmf.a
@ -539,11 +499,6 @@ update-crypto-policies
 %{_libdir}/libfreebl3.chk
 %{_libdir}/libfreeblpriv3.so
 %{_libdir}/libfreeblpriv3.chk
-%dir %{_sysconfdir}/prelink.conf.d/
-%{_sysconfdir}/prelink.conf.d/nss-softokn-prelink.conf
-%dir %{dracut_modules_dir}
-%{dracut_modules_dir}/module-setup.sh
-%{dracut_conf_dir}/50-nss-softokn.conf
 %{_libdir}/libnssdbm3.so
 %{_libdir}/libnssdbm3.chk
 %{_libdir}/libsoftokn3.so
@ -576,6 +531,9 @@ update-crypto-policies
 %doc %{_mandir}/man*

 %changelog
+* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-7
+- simplify functions
+
 * Tue Dec 31 2019 openEuler Buildteam <buildteam@openeuler.org> - 3.40.1-6
 - delete unused man

--- a/renegotiate-transitional.patch
+++ b/renegotiate-transitional.patch
@ -1,12 +0,0 @@
-diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
--- nss/lib/ssl/sslsock.c.transitional	2018-03-09 13:57:50.615706802 +0100
-+++ nss/lib/ssl/sslsock.c	2018-03-09 13:58:23.708974970 +0100
-@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
-     .noLocks = PR_FALSE,
-     .enableSessionTickets = PR_FALSE,
-     .enableDeflate = PR_FALSE,
-    .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
-+    .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
-     .requireSafeNegotiation = PR_FALSE,
-     .enableFalseStart = PR_FALSE,
-     .cbcRandomIV = PR_TRUE,
--- a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
@ -1,23 +0,0 @@
--- ./nss/lib/ssl/ssl3con.c.1185708_3des	2016-06-23 21:10:09.765992512 -0400
-+++ ./nss/lib/ssl/ssl3con.c	2016-06-23 22:58:39.121398601 -0400
-@@ -118,18 +118,18 @@
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_TRUE, PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-+ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-+ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- 
-  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
-  { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE,  PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
-  { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
--- a/setup-nsssysinit.sh
+++ b/setup-nsssysinit.sh
@ -1,68 +0,0 @@
-#!/bin/sh
-#
-# Turns on or off the nss-sysinit module db by editing the
-# global PKCS #11 congiguration file. Displays the status.
-#
-# This script can be invoked by the user as super user.
-# It is invoked at nss-sysinit post install time with argument on.
-#
-usage()
-{
-  cat <<EOF
-Usage: setup-nsssysinit [on|off]
-  on     - turns on nsssysinit
-  off    - turns off nsssysinit
-  status - reports whether nsssysinit is turned on or off
-EOF
-  exit $1
-}
-
-# validate
-if [ $# -eq 0 ]; then
-  usage 1 1>&2
-fi
-
-# the system-wide configuration file
-p11conf="/etc/pki/nssdb/pkcs11.txt"
-# must exist, otherwise report it and exit with failure
-if [ ! -f $p11conf ]; then
-  echo "Could not find ${p11conf}"
-  exit 1
-fi
-
-# check if nsssysinit is currently enabled or disabled
-sysinit_enabled()
-{
-  grep -q '^library=libnsssysinit' ${p11conf}
-}
-
-umask 022
-case "$1" in
-  on | ON )
-    if sysinit_enabled; then 
-      exit 0 
-    fi
-    cat ${p11conf} | \
-    sed -e 's/^library=$/library=libnsssysinit.so/' \
-        -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \
-        ${p11conf}.on
-    mv ${p11conf}.on ${p11conf}
-    ;;
-  off | OFF )
-    if ! sysinit_enabled; then
-      exit 0
-    fi
-    cat ${p11conf} | \
-    sed -e 's/^library=libnsssysinit.so/library=/' \
-        -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \
-        ${p11conf}.off
-    mv ${p11conf}.off ${p11conf}
-    ;;
-  status )
-    echo -n 'NSS sysinit is '
-    sysinit_enabled && echo 'enabled' || echo 'disabled'
-    ;;
-  * )
-    usage 1 1>&2
-    ;;
-esac
--- a/system-pkcs11.txt
+++ b/system-pkcs11.txt
@ -1,5 +0,0 @@
-library=libnsssysinit.so
-name=NSS Internal PKCS #11 Module
-parameters=configdir='sql:/etc/pki/nssdb'  certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' 
-NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
-