pidgin/pidgin

Fairly easy manual merge of release-2.x.y into master.

2014-09-28, Mark Doliner
c3e87cb60c02
Parents 63d2b56900d690c81031ac46
Children 304d073d134e
Fairly easy manual merge of release-2.x.y into master.

Conflicts were in libpurple/plugins/ssl/ssl-nss.c and
libpurple/win32/global.mak
4 files changed, 75 insertions(+), 80 deletions(-)
  • +1 -1
    ChangeLog
  • +9 -0
    Makefile.mingw
  • +62 -48
    libpurple/plugins/ssl/ssl-nss.c
  • +3 -31
    libpurple/win32/global.mak
    • --- a/ChangeLog Fri Sep 12 12:14:38 2014 -0700
    +++ b/ChangeLog Sun Sep 28 19:12:41 2014 -0700
    @@ -86,7 +86,7 @@
    Windows-Specific Changes:
    * Updates to dependencies:
    - * NSS 3.16 and NSPR 4.10.4
    + * NSS 3.17.1 and NSPR 4.10.7
    Finch:
    * Fix build against Python 3. (Ed Catmur) (#15969)
    --- a/Makefile.mingw Fri Sep 12 12:14:38 2014 -0700
    +++ b/Makefile.mingw Sun Sep 28 19:12:41 2014 -0700
    @@ -33,12 +33,21 @@
    GTK_INSTALL_VERSION = 2.24.18.0
    +ifdef SIGNTOOL
    +authenticode_sign = $(SIGNTOOL) sign \
    + /fd SHA256 \
    + /f "$(SIGNTOOL_PFX)" /p "$(SIGNTOOL_PASSWORD)" \
    + /d $(2) /du "https://pidgin.im" \
    + /tr "http://timestamp.comodoca.com/rfc3161" /td SHA256 \
    + $(1)
    +else
    authenticode_sign = $(MONO_SIGNCODE) \
    -spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
    -a sha1 -$$ commercial \
    -n "$(2)" -i "https://pidgin.im" \
    -t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
    $(1) && rm -f $(1).bak
    +endif
    gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
    --- a/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 12:14:38 2014 -0700
    +++ b/libpurple/plugins/ssl/ssl-nss.c Sun Sep 28 19:12:41 2014 -0700
    @@ -133,8 +133,6 @@
    static void
    ssl_nss_init_nss(void)
    {
    - SSLVersionRange supported, enabled;
    -
    PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
    NSS_NoDB_Init(".");
    NSS_SetDomesticPolicy();
    @@ -152,27 +150,31 @@
    SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
    SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
    - /* Get the ranges of supported and enabled SSL versions */
    - if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
    - (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
    - purple_debug_info("nss", "TLS supported versions: "
    - "0x%04hx through 0x%04hx\n", supported.min, supported.max);
    - purple_debug_info("nss", "TLS versions allowed by default: "
    - "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    + if (NSS_VersionCheck("3.14")) {
    + SSLVersionRange supported, enabled;
    +
    + /* Get the ranges of supported and enabled SSL versions */
    + if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
    + (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
    + purple_debug_info("nss", "TLS supported versions: "
    + "0x%04hx through 0x%04hx\n", supported.min, supported.max);
    + purple_debug_info("nss", "TLS versions allowed by default: "
    + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    - /* Make sure SSL 3.0 is disabled (it's old and everyone should be
    - using at least TLS 1.0 by now), and make sure all versions of TLS
    - supported by the local library are enabled (for some reason NSS
    - doesn't enable newer versions of TLS by default -- more context in
    - ticket #15909). */
    - if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
    - enabled.max = supported.max;
    - if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
    - purple_debug_info("nss", "Changed allowed TLS versions to "
    - "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    - } else {
    - purple_debug_error("nss", "Error setting allowed TLS versions to "
    - "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    + /* Make sure SSL 3.0 is disabled (it's old and everyone should be
    + using at least TLS 1.0 by now), and make sure all versions of TLS
    + supported by the local library are enabled (for some reason NSS
    + doesn't enable newer versions of TLS by default -- more context in
    + ticket #15909). */
    + if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
    + enabled.max = supported.max;
    + if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
    + purple_debug_info("nss", "Changed allowed TLS versions to "
    + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    + } else {
    + purple_debug_error("nss", "Error setting allowed TLS versions to "
    + "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
    + }
    }
    }
    }
    @@ -916,7 +918,7 @@
    }
    static gboolean
    -x509_times (PurpleCertificate *crt, gint64 *activation, gint64 *expiration)
    +x509_times (PurpleCertificate *crt, time_t *activation, time_t *expiration)
    {
    CERTCertificate *crt_dat;
    PRTime nss_activ, nss_expir;
    @@ -942,37 +944,49 @@
    if (activation) {
    *activation = nss_activ;
    +#if SIZEOF_TIME_T == 4
    + /** Hack to deal with dates past the 32-bit barrier.
    + Handling is different for signed vs unsigned 32-bit types.
    + */
    + if (*activation != nss_activ) {
    + if (nss_activ < 0) {
    + purple_debug_warning("nss",
    + "Setting Activation Date to epoch to handle pre-epoch value\n");
    + *activation = 0;
    + } else {
    + purple_debug_error("nss",
    + "Activation date past 32-bit barrier, forcing invalidity\n");
    + return FALSE;
    + }
    + }
    +#endif
    }
    if (expiration) {
    *expiration = nss_expir;
    +#if SIZEOF_TIME_T == 4
    + if (*expiration != nss_expir) {
    + if (*expiration < nss_expir) {
    + if (*expiration < 0) {
    + purple_debug_warning("nss",
    + "Setting Expiration Date to 32-bit signed max\n");
    + *expiration = PR_INT32_MAX;
    + } else {
    + purple_debug_warning("nss",
    + "Setting Expiration Date to 32-bit unsigned max\n");
    + *expiration = PR_UINT32_MAX;
    + }
    + } else {
    + purple_debug_error("nss",
    + "Expiration date prior to unix epoch, forcing invalidity\n");
    + return FALSE;
    + }
    + }
    +#endif
    }
    return TRUE;
    }
    -static GByteArray *
    -x509_get_der_data(PurpleCertificate *crt)
    -{
    - CERTCertificate *crt_dat;
    - SECItem *dercrt;
    - GByteArray *data;
    -
    - crt_dat = X509_NSS_DATA(crt);
    - g_return_val_if_fail(crt_dat, NULL);
    -
    - dercrt = SEC_ASN1EncodeItem(NULL, NULL, crt_dat,
    - SEC_ASN1_GET(SEC_SignedCertificateTemplate));
    - g_return_val_if_fail(dercrt != NULL, FALSE);
    -
    - data = g_byte_array_sized_new(dercrt->len);
    - memcpy(data->data, dercrt->data, dercrt->len);
    - data->len = dercrt->len;
    -
    - SECITEM_FreeItem(dercrt, PR_TRUE);
    -
    - return data;
    -}
    -
    static PurpleCertificateScheme x509_nss = {
    "x509", /* Scheme name */
    N_("X.509 Certificates"), /* User-visible scheme name */
    @@ -988,8 +1002,9 @@
    x509_check_name, /* Check subject name */
    x509_times, /* Activation/Expiration time */
    x509_importcerts_from_file, /* Multiple certificate import function */
    - x509_get_der_data, /* Binary DER data */
    + NULL,
    + NULL,
    NULL
    };
    @@ -1006,7 +1021,6 @@
    /* padding */
    NULL,
    NULL,
    - NULL,
    NULL
    };
    --- a/libpurple/win32/global.mak Fri Sep 12 12:14:38 2014 -0700
    +++ b/libpurple/win32/global.mak Sun Sep 28 19:12:41 2014 -0700
    @@ -25,7 +25,7 @@
    JSON_GLIB_TOP ?= $(WIN32_DEV_TOP)/json-glib-0.14
    LIBXML2_TOP ?= $(WIN32_DEV_TOP)/libxml2-2.9
    MEANWHILE_TOP ?= $(WIN32_DEV_TOP)/meanwhile-1.0
    -NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.14
    +NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.17.1-nspr-4.10.7
    PERL_LIB_TOP ?= $(WIN32_DEV_TOP)/perl-5.10
    SILC_TOOLKIT ?= $(WIN32_DEV_TOP)/silc-toolkit-1.1
    TCL_LIB_TOP ?= $(WIN32_DEV_TOP)/tcl-8.5
    @@ -75,7 +75,6 @@
    CC_HARDENING_OPTIONS ?= -Wstack-protector -fwrapv -fno-strict-overflow -Wno-missing-field-initializers -Wformat-security -fstack-protector-all --param ssp-buffer-size=1
    LD_HARDENING_OPTIONS ?= -Wl,--dynamicbase -Wl,--nxcompat
    -TAG := @$(PURPLE_TOP)/tag.sh
    # parse the version number from the configure.ac file if it is newer
    #m4_define([purple_major_version], [2])
    @@ -117,45 +116,18 @@
    ifeq "$(origin CC)" "default"
    CC := gcc.exe
    endif
    -# comment out the next line to make output more verbose
    -CC := $(TAG) "auto" $(CC)
    -
    -GMSGFMT ?= $(GETTEXT_TOP)/bin/msgfmt
    +GMSGFMT ?= $(WIN32_DEV_TOP)/gettext-0.17/bin/msgfmt
    MAKENSIS ?= makensis.exe
    PERL ?= perl
    WINDRES ?= windres
    STRIP ?= strip
    -INTLTOOL_MERGE ?= $(INTLTOOL_TOP)/bin/intltool-merge
    +INTLTOOL_MERGE ?= $(WIN32_DEV_TOP)/intltool_0.40.4-1_win32/bin/intltool-merge
    MONO_SIGNCODE ?= signcode
    GPG_SIGN ?= gpg
    -GLIB_GENMARSHAL ?= $(GTK_BIN)/glib-genmarshal
    -GLIB_MKENUMS ?= $(GTK_BIN)/glib-mkenums
    PIDGIN_COMMON_RULES := $(PURPLE_TOP)/win32/rules.mak
    PIDGIN_COMMON_TARGETS := $(PURPLE_TOP)/win32/targets.mak
    MINGW_MAKEFILE := Makefile.mingw
    -MAKE_at := @
    -
    -USE_VV ?= 1
    -
    -ifeq "$(USE_VV)" "1"
    -VV_LIBS := \
    - -lgstreamer-0.10 \
    - -lgstvideo-0.10 \
    - -lgstinterfaces-0.10 \
    - -lfarstream-0.1
    -VV_INCLUDE_PATHS := \
    - -I$(GSTREAMER_TOP)/include/gstreamer-0.10 \
    - -I$(GSTREAMER_TOP)/include/farstream-0.1 \
    - -I$(LIBXML2_TOP)/include/libxml2
    -VV_LIB_PATHS := \
    - -L$(GSTREAMER_TOP)/lib
    -DEFINES += -DUSE_GSTREAMER -DUSE_VV
    -else
    -VV_LIBS :=
    -VV_INCLUDE_PATHS :=
    -VV_LIB_PATHS :=
    -endif
    INSTALL_PIXMAPS ?= 1
    INSTALL_SSL_CERTIFICATES ?= 1