From f47ee216cd2680d584bd138665d86d6f34c1d05e Mon Sep 17 00:00:00 2001
From: ryoon <ryoon@pkgsrc.org>
Date: Wed, 18 Nov 2020 14:24:00 +0000
Subject: nss: Update to 3.59

Changelog:
Notable Changes in NSS 3.59

Exported two existing functions from libnss, CERT_AddCertToListHeadWithData
and CERT_AddCertToListTailWithData

NOTE: NSS will soon require GCC 4.8 or newer. Gyp-based builds will stop
supporting older GCC versions first, followed a few releases later by the
make-based builds. Users of older GCC versions can continue to use the
make-based build system while they upgrade to newer versions of GCC.

Bugs fixed in NSS 3.59

* Bug 1607449 - Lock cert->nssCertificate to prevent a potential data race
* Bug 1672823 - Add Wycheproof test cases for HMAC, HKDF, and DSA
* Bug 1663661 - Guard against NULL token in nssSlot_IsTokenPresent
* Bug 1670835 - Support enabling and disabling signatures via Crypto Policy
* Bug 1672291 - Resolve libpkix OCSP failures on SHA1 self-signed root certs
when SHA1 signatures are disabled.
* Bug 1644209 - Fix broken SelectedCipherSuiteReplacer filter to solve some
test intermittents
* Bug 1672703 - Tolerate the first CCS in TLS 1.3  to fix a regression in our
CVE-2020-25648 fix that broke purple-discord
* Bug 1666891 - Support key wrap/unwrap with RSA-OAEP
* Bug 1667989 - Fix gyp linking on Solaris
* Bug 1668123 - Export CERT_AddCertToListHeadWithData and
CERT_AddCertToListTailWithData from libnss
* Bug 1634584 - Set CKA_NSS_SERVER_DISTRUST_AFTER for Trustis FPS Root CA
* Bug 1663091 - Remove unnecessary assertions in the streaming ASN.1 decoder
that affected decoding certain PKCS8 private keys when using NSS debug builds
* Bug 1670839 - Use ARM crypto extension for AES, SHA1 and SHA2 on MacOS.
---
 devel/nss/Makefile                                 |  5 +--
 devel/nss/distinfo                                 | 13 +++---
 ...gtests_ssl__gtest_ssl__tls13compat__unittest.cc | 52 ----------------------
 devel/nss/patches/patch-nss_lib_ssl_ssl3con.c      | 49 --------------------
 devel/nss/patches/patch-nss_lib_ssl_sslimpl.h      | 18 --------
 5 files changed, 7 insertions(+), 130 deletions(-)
 delete mode 100644 devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
 delete mode 100644 devel/nss/patches/patch-nss_lib_ssl_ssl3con.c
 delete mode 100644 devel/nss/patches/patch-nss_lib_ssl_sslimpl.h

(limited to 'devel')

diff --git a/devel/nss/Makefile b/devel/nss/Makefile
index b05b1fa079a..b96e15e72e1 100644
--- a/devel/nss/Makefile
+++ b/devel/nss/Makefile
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.194 2020/11/05 09:07:57 ryoon Exp $
+# $NetBSD: Makefile,v 1.195 2020/11/18 14:24:00 ryoon Exp $
 
 DISTNAME=		nss-${NSS_RELEASE:S/.0$//}
-NSS_RELEASE=		3.58.0
-PKGREVISION=		2
+NSS_RELEASE=		3.59.0
 CATEGORIES=		devel security
 MASTER_SITES=		${MASTER_SITE_MOZILLA_ALL:=security/nss/releases/NSS_${NSS_DIST_DIR_VERSION:S/_0$//}_RTM/src/}
 
diff --git a/devel/nss/distinfo b/devel/nss/distinfo
index ec5f37e9d93..9850b06286f 100644
--- a/devel/nss/distinfo
+++ b/devel/nss/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.119 2020/10/31 19:36:30 wiz Exp $
+$NetBSD: distinfo,v 1.120 2020/11/18 14:24:00 ryoon Exp $
 
-SHA1 (nss-3.58.tar.gz) = f0c572b72921690c77d59471fe21cfa811d8b876
-RMD160 (nss-3.58.tar.gz) = 7c6f03a8ca20ec6bcc43435538d84bb940e562f3
-SHA512 (nss-3.58.tar.gz) = 03d2ab1517ac07620ea3f02dcf680cf019e0129006ff2559b2d0a047036340c20b98c9679b17a594e5502aa30e158caf309f046901b9ec7c7adeeaa13ec50b80
-Size (nss-3.58.tar.gz) = 81846254 bytes
+SHA1 (nss-3.59.tar.gz) = 1459fb7f197c0b80e85333fbd33e723adcd28a7f
+RMD160 (nss-3.59.tar.gz) = 5e72ed96f177c7c85092027be69c697214b3ed42
+SHA512 (nss-3.59.tar.gz) = 8963e846f2ff7222457ae59f042672cf4e44f7752807226f46c215a772fd1cbd65d0ce634da4afb698eabd4eb1c1e78146cc2a089339ada11da03d259c609a38
+Size (nss-3.59.tar.gz) = 82141516 bytes
 SHA1 (patch-am) = fea682bf03bc8b645049f93ed58554ca45f47aca
 SHA1 (patch-an) = 4ab22f2a575676b5b640bc9a760b83eb05c75e69
 SHA1 (patch-md) = 8547c9414332c02221b96719dea1e09cb741f4d1
@@ -17,12 +17,9 @@ SHA1 (patch-nss_cmd_shlibsign_sign.sh) = 7948b7b502a4c148ee185836dde8a84d3aa388a
 SHA1 (patch-nss_coreconf_NetBSD.mk) = ed95aa1c245c9f2b8fda0a1769f9599223b61dbf
 SHA1 (patch-nss_coreconf_OpenBSD.mk) = 1a4c3711d5d1f7f9e8d58b36145b15d7e444d754
 SHA1 (patch-nss_coreconf_command.mk) = a7b682d367825b48f8802fa30cee83f10680bb74
-SHA1 (patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc) = 85c61f09a833ae0039294f0475931474d69a913e
 SHA1 (patch-nss_lib_freebl_aes-armv8.c) = aa698f61dd3d66ba707a9b5425bc15d057244ad7
 SHA1 (patch-nss_lib_freebl_gcm-aarch64.c) = 311cfe7ca58e91285052d0ca27bd2df3f325071b
 SHA1 (patch-nss_lib_freebl_md5.c) = 5cbec40695e296f0713895fb85cd37f6df76b85b
-SHA1 (patch-nss_lib_ssl_ssl3con.c) = 04dc8ca7714bb1295ff9b470aed325cac1846950
-SHA1 (patch-nss_lib_ssl_sslimpl.h) = 91f7da0f30469bb81b416431e8f1268edbb82e5f
 SHA1 (patch-nss_lib_util_utilpars.c) = 5d3000515b01037929730a752b7d7a0f46f06deb
 SHA1 (patch-nss_tests_all.sh) = b328778b538db66f5447f962f23afd6f650f7071
 SHA1 (patch-nss_tests_merge_merge.sh) = 42a4866d226b1076740ba9a5e42c7604f2cb15a7
diff --git a/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc b/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
deleted file mode 100644
index 6e183d9a113..00000000000
--- a/devel/nss/patches/patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc
+++ /dev/null
@@ -1,52 +0,0 @@
-$NetBSD: patch-nss_gtests_ssl__gtest_ssl__tls13compat__unittest.cc,v 1.1 2020/10/31 19:36:30 wiz Exp $
-
-https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
-
---- nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc.orig	2020-10-16 14:50:49.000000000 +0000
-+++ nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc
-@@ -348,8 +348,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
-   client_->CheckErrorCode(SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT);
- }
- 
--// The server rejects a ChangeCipherSpec if the client advertises an
--// empty session ID.
-+// The server accepts a ChangeCipherSpec even if the client advertises
-+// an empty session ID.
- TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterClientHelloEmptySid) {
-   EnsureTlsSetup();
-   ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_3);
-@@ -358,9 +358,8 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
-   client_->Handshake();  // Send ClientHello
-   client_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));  // Send CCS
- 
--  server_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
--  server_->Handshake();  // Consume ClientHello and CCS
--  server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+  Handshake();
-+  CheckConnected();
- }
- 
- // The server rejects multiple ChangeCipherSpec even if the client
-@@ -381,7 +380,7 @@ TEST_F(Tls13CompatTest, ChangeCipherSpec
-   server_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
- }
- 
--// The client rejects a ChangeCipherSpec if it advertises an empty
-+// The client accepts a ChangeCipherSpec even if it advertises an empty
- // session ID.
- TEST_F(TlsConnectStreamTls13, ChangeCipherSpecAfterServerHelloEmptySid) {
-   EnsureTlsSetup();
-@@ -398,9 +397,10 @@ TEST_F(TlsConnectStreamTls13, ChangeCiph
-                          // send ServerHello..CertificateVerify
-   // Send CCS
-   server_->SendDirect(DataBuffer(kCannedCcs, sizeof(kCannedCcs)));
--  client_->ExpectSendAlert(kTlsAlertUnexpectedMessage);
--  client_->Handshake();  // Consume ClientHello and CCS
--  client_->CheckErrorCode(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-+
-+  // No alert is sent from the client. As Finished is dropped, we
-+  // can't use Handshake() and CheckConnected().
-+  client_->Handshake();
- }
- 
- // The client rejects multiple ChangeCipherSpec in a row even if the
diff --git a/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c b/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c
deleted file mode 100644
index 0e0e6547e05..00000000000
--- a/devel/nss/patches/patch-nss_lib_ssl_ssl3con.c
+++ /dev/null
@@ -1,49 +0,0 @@
-$NetBSD: patch-nss_lib_ssl_ssl3con.c,v 1.1 2020/10/31 19:36:30 wiz Exp $
-
-https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
-
---- nss/lib/ssl/ssl3con.c.orig	2020-10-16 14:50:49.000000000 +0000
-+++ nss/lib/ssl/ssl3con.c
-@@ -6645,11 +6645,7 @@ ssl_CheckServerSessionIdCorrectness(sslS
- 
-     /* TLS 1.3: We sent a session ID.  The server's should match. */
-     if (!IS_DTLS(ss) && (sentRealSid || sentFakeSid)) {
--        if (sidMatch) {
--            ss->ssl3.hs.allowCcs = PR_TRUE;
--            return PR_TRUE;
--        }
--        return PR_FALSE;
-+        return sidMatch;
-     }
- 
-     /* TLS 1.3 (no SID)/DTLS 1.3: The server shouldn't send a session ID. */
-@@ -8696,7 +8692,6 @@ ssl3_HandleClientHello(sslSocket *ss, PR
-                 errCode = PORT_GetError();
-                 goto alert_loser;
-             }
--            ss->ssl3.hs.allowCcs = PR_TRUE;
-         }
- 
-         /* TLS 1.3 requires that compression include only null. */
-@@ -13066,15 +13061,14 @@ ssl3_HandleRecord(sslSocket *ss, SSL3Cip
-             ss->ssl3.hs.ws != idle_handshake &&
-             cText->buf->len == 1 &&
-             cText->buf->buf[0] == change_cipher_spec_choice) {
--            if (ss->ssl3.hs.allowCcs) {
--                /* Ignore the first CCS. */
--                ss->ssl3.hs.allowCcs = PR_FALSE;
-+            if (!ss->ssl3.hs.rejectCcs) {
-+                /* Allow only the first CCS. */
-+                ss->ssl3.hs.rejectCcs = PR_TRUE;
-                 return SECSuccess;
-+            } else {
-+                alert = unexpected_message;
-+                PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-             }
--
--            /* Compatibility mode is not negotiated. */
--            alert = unexpected_message;
--            PORT_SetError(SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER);
-         }
- 
-         if ((IS_DTLS(ss) && !dtls13_AeadLimitReached(spec)) ||
diff --git a/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h b/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h
deleted file mode 100644
index 982d3e966f2..00000000000
--- a/devel/nss/patches/patch-nss_lib_ssl_sslimpl.h
+++ /dev/null
@@ -1,18 +0,0 @@
-$NetBSD: patch-nss_lib_ssl_sslimpl.h,v 1.1 2020/10/31 19:36:30 wiz Exp $
-
-https://hg.mozilla.org/projects/nss/rev/b03a4fc5b902498414b02640dcb2717dfef9682f
-
---- nss/lib/ssl/sslimpl.h.orig	2020-10-16 14:50:49.000000000 +0000
-+++ nss/lib/ssl/sslimpl.h
-@@ -710,10 +710,7 @@ typedef struct SSL3HandshakeStateStr {
-                                            * or received. */
-     PRBool receivedCcs;                   /* A server received ChangeCipherSpec
-                                            * before the handshake started. */
--    PRBool allowCcs;                      /* A server allows ChangeCipherSpec
--                                           * as the middlebox compatibility mode
--                                           * is explicitly indicarted by
--                                           * legacy_session_id in TLS 1.3 ClientHello. */
-+    PRBool rejectCcs;                     /* Excessive ChangeCipherSpecs are rejected. */
-     PRBool clientCertRequested;           /* True if CertificateRequest received. */
-     PRBool endOfFlight;                   /* Processed a full flight (DTLS 1.3). */
-     ssl3KEADef kea_def_mutable;           /* Used to hold the writable kea_def
-- 
cgit v1.2.3