nss/nss-3.71-ipv6-fix.patch
Bob Relyea c9c633332d Resolves: rhbz#2008320
Rebase to NSS 3.71: (changes since NSS 3.67)

    Network Security Services (NSS) 3.71 was released on 30 September 2021.

    The HG tag is NSS_3_71_RTM. This version of NSS requires NSPR 4.32 or newer.

    NSS 3.71 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_71_RTM/src/>

    Changes:
    - Bug 1717716 - Set nssckbi version number to 2.52.
    - Bug 1667000 - Respect server requirements of tlsfuzzer/test-tls13-signature-algorithms.py
    - Bug 1373716 - Import of PKCS#12 files with Camellia encryption is not supported
    - Bug 1717707 - Add HARICA Client ECC Root CA 2021.
    - Bug 1717707 - Add HARICA Client RSA Root CA 2021.
    - Bug 1717707 - Add HARICA TLS ECC Root CA 2021.
    - Bug 1717707 - Add HARICA TLS RSA Root CA 2021.
    - Bug 1728394 - Add TunTrust Root CA certificate to NSS.
    -------------------------------------

    Network Security Services (NSS) 3.70 was released on 4 September 2021.

    The HG tag is NSS_3_70_RTM. This version of NSS requires NSPR 4.32 or newer.

    NSS 3.70 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_70_RTM/src/>

    Changes:
       - Documentation: release notes for NSS 3.70.
       - Documentation: release notes for NSS 3.69.1.
       - Bug 1726022 - Update test case to verify fix.
       - Bug 1714579 - Explicitly disable downgrade check in TlsConnectStreamTls13.EchOuterWith12Max
       - Bug 1714579 - Explicitly disable downgrade check in TlsConnectTest.DisableFalseStartOnFallback
       - Formatting for lib/util
       - Bug 1681975 - Avoid using a lookup table in nssb64d.
       - Bug 1724629 - Use HW accelerated SHA2 on AArch64 Big Endian.
       - Bug 1714579 - Change default value of enableHelloDowngradeCheck to true.
       - Formatting for gtests/pk11_gtest/pk11_hpke_unittest.cc
       - Bug 1726022 - Cache additional PBE entries.
       - Bug 1709750 - Read HPKE vectors from official JSON.
       - Documentation: update for NSS 3.69 release.

    Network Security Services (NSS) 3.69 was released on 5 August 2021.

    The HG tag is NSS_3_69_RTM. NSS 3.69 requires NSPR 4.32 or newer.

    NSS 3.69 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_69_RTM/src/>

    Bugs fixed:
       - Bug 1722613 - Disable DTLS 1.0 and 1.1 by default
       - Bug 1720226 - integrity checks in key4.db not happening on private components with AES_CBC
       - Bug 1720235 - SSL handling of signature algorithms ignores environmental invalid algorithms.
       - Bug 1721476 - sqlite 3.34 changed it's open semantics, causing nss failures.
       - Bug 1720230 - Gtest update changed the gtest reports, losing gtest details in all.sh reports.
       - Bug 1720228 - NSS incorrectly accepting 1536 bit DH primes in FIPS mode
       - Bug 1720232 - SQLite calls could timeout in starvation situations.
       - Bug 1720225 - Coverity/cpp scanner errors found in nss 3.67
       - Bug 1709817 - Import the NSS documentation from MDN in nss/doc.
       - Bug 1720227 - NSS using a tempdir to measure sql performance not active

    Network Security Services (NSS) 3.68 ESR was released on 8 July 2021.

    The HG tag is NSS_3_68_RTM. NSS 3.68 requires NSPR 4.32 or newer.

    NSS 3.68 source distributions are available on ftp.mozilla.org for secure HTTPS download: <https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_68_RTM/src/>

    Bugs fixed:
       -  Bug 1713562 - Fix test leak.
       -  Bug 1717452 - NSS 3.68 should depend on NSPR 4.32.
       -  Bug 1693206 - Implement PKCS8 export of ECDSA keys.
       -  Bug 1712883 - DTLS 1.3 draft-43.
       -  Bug 1655493 - Support SHA2 HW acceleration using Intel SHA Extension.
       -  Bug 1713562 - Validate ECH public names.
       -  Bug 1717610 - Add function to get seconds from epoch from pkix::Time.
2021-10-06 12:09:11 -07:00

37 lines
1.3 KiB
Diff

diff -up ./cmd/selfserv/selfserv.c.ipv6_fix ./cmd/selfserv/selfserv.c
--- ./cmd/selfserv/selfserv.c.ipv6_fix 2021-09-14 11:40:06.176408531 -0700
+++ ./cmd/selfserv/selfserv.c 2021-09-14 11:49:46.361907308 -0700
@@ -1717,14 +1717,28 @@ getBoundListenSocket(unsigned short port
PRNetAddr addr;
PRSocketOptionData opt;
- addr.inet.family = PR_AF_INET;
- addr.inet.ip = PR_INADDR_ANY;
- addr.inet.port = PR_htons(port);
+ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
+ errExit("PR_SetNetAddr");
+ }
- listen_sock = PR_NewTCPSocket();
+ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
if (listen_sock == NULL) {
errExit("PR_NewTCPSocket");
}
+ /* NSPR has a bug where set inheritable doesn't work unless it's a pure
+ * NSPR socket. If we have an IPV6 emulator on an IPV4 socket, it will fail.
+ * In that case just open an IPV4 socket instead */
+ if (PR_NSPR_IO_LAYER != PR_GetLayersIdentity(listen_sock)) {
+ PR_Close(listen_sock);
+ addr.inet.family = PR_AF_INET;
+ addr.inet.ip = PR_INADDR_ANY;
+ addr.inet.port = PR_htons(port);
+
+ listen_sock = PR_NewTCPSocket();
+ if (listen_sock == NULL) {
+ errExit("PR_NewTCPSocket");
+ }
+ }
opt.option = PR_SockOpt_Nonblocking;
opt.value.non_blocking = PR_FALSE;