--- a/ChangeLog Fri Sep 12 12:14:38 2014 -0700
+++ b/ChangeLog Sun Sep 28 19:12:41 2014 -0700
@@ -86,7 +86,7 @@
Windows-Specific Changes:
* Updates to dependencies:
- * NSS 3.16 and NSPR 4.10.4
+ * NSS 3.17.1 and NSPR 4.10.7
* Fix build against Python 3. (Ed Catmur) (#15969)
--- a/Makefile.mingw Fri Sep 12 12:14:38 2014 -0700
+++ b/Makefile.mingw Sun Sep 28 19:12:41 2014 -0700
@@ -33,12 +33,21 @@
GTK_INSTALL_VERSION = 2.24.18.0
+authenticode_sign = $(SIGNTOOL) sign \
+ /f "$(SIGNTOOL_PFX)" /p "$(SIGNTOOL_PASSWORD)" \
+ /d $(2) /du "https://pidgin.im" \
+ /tr "http://timestamp.comodoca.com/rfc3161" /td SHA256 \
authenticode_sign = $(MONO_SIGNCODE) \
-spc "$(SIGNCODE_SPC)" -v "$(SIGNCODE_PVK)" \
-n "$(2)" -i "https://pidgin.im" \
-t "http://timestamp.verisign.com/scripts/timstamp.dll" -tr 10 \
gpg_sign = $(GPG_SIGN) -ab $(1) && $(GPG_SIGN) --verify $(1).asc
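Review bot: The new signtool recipe passes the PFX password as a command-line argument (`/p "$(SIGNTOOL_PASSWORD)"`), so it can land in make's echoed output and in build logs, and it is visible in the process list while signing runs. Make sure the recipe is never echoed on a shared builder, and keep the password out of any logged environment. `/d $(2)` also dropped the quoting that the old `-n "$(2)"` had; unless every caller already quotes the description, `/d "$(2)"` avoids it being split into separate arguments. Only the timestamp digest is set (`/td SHA256`); if the file digest is meant to be SHA-256 as well, that needs `/fd SHA256`. Some lines of this hunk are not visible here, so confirm against the full Makefile.mingw.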
--- a/libpurple/plugins/ssl/ssl-nss.c Fri Sep 12 12:14:38 2014 -0700
+++ b/libpurple/plugins/ssl/ssl-nss.c Sun Sep 28 19:12:41 2014 -0700
@@ -133,8 +133,6 @@
- SSLVersionRange supported, enabled;
PR_Init(PR_SYSTEM_THREAD, PR_PRIORITY_NORMAL, 1);
@@ -152,27 +150,31 @@
SSL_CipherPrefSetDefault(SSL_DHE_RSA_WITH_DES_CBC_SHA, 1);
SSL_CipherPrefSetDefault(SSL_DHE_DSS_WITH_DES_CBC_SHA, 1);
- /* Get the ranges of supported and enabled SSL versions */
- if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
- (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
- purple_debug_info("nss", "TLS supported versions: "
- "0x%04hx through 0x%04hx\n", supported.min, supported.max);
- purple_debug_info("nss", "TLS versions allowed by default: "
- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ if (NSS_VersionCheck("3.14")) {
+ SSLVersionRange supported, enabled;
+ /* Get the ranges of supported and enabled SSL versions */
+ if ((SSL_VersionRangeGetSupported(ssl_variant_stream, &supported) == SECSuccess) &&
+ (SSL_VersionRangeGetDefault(ssl_variant_stream, &enabled) == SECSuccess)) {
+ purple_debug_info("nss", "TLS supported versions: "
+ "0x%04hx through 0x%04hx\n", supported.min, supported.max);
+ purple_debug_info("nss", "TLS versions allowed by default: "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- /* Make sure SSL 3.0 is disabled (it's old and everyone should be
- using at least TLS 1.0 by now), and make sure all versions of TLS
- supported by the local library are enabled (for some reason NSS
- doesn't enable newer versions of TLS by default -- more context in
- if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
- enabled.max = supported.max;
- if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
- purple_debug_info("nss", "Changed allowed TLS versions to "
- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
- purple_debug_error("nss", "Error setting allowed TLS versions to "
- "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ /* Make sure SSL 3.0 is disabled (it's old and everyone should be
+ using at least TLS 1.0 by now), and make sure all versions of TLS
+ supported by the local library are enabled (for some reason NSS
+ doesn't enable newer versions of TLS by default -- more context in
+ if (enabled.min != SSL_LIBRARY_VERSION_TLS_1_0 || supported.max > enabled.max) {
+ enabled.max = supported.max;
+ if (SSL_VersionRangeSetDefault(ssl_variant_stream, &enabled) == SECSuccess) {
+ purple_debug_info("nss", "Changed allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
+ purple_debug_error("nss", "Error setting allowed TLS versions to "
+ "0x%04hx through 0x%04hx\n", enabled.min, enabled.max);
@@ -916,7 +918,7 @@
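Review bot: When `NSS_VersionCheck("3.14")` returns false the whole version-range block is skipped, and no `else` branch is visible in this hunk as shown, so a runtime NSS older than 3.14 would keep the library's default SSL/TLS range (SSL 3.0 possibly still allowed) without a single log line. Add an `else` that records it, for example `purple_debug_warning("nss", "NSS older than 3.14, cannot restrict SSL/TLS versions\n");`. The context lines just above this block still enable the single-DES suites `SSL_DHE_RSA_WITH_DES_CBC_SHA` and `SSL_DHE_DSS_WITH_DES_CBC_SHA`, which deserves a separate look. The enclosing init function starts and ends outside the hunk.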
-x509_times (PurpleCertificate *crt, gint64 *activation, gint64 *expiration)
+x509_times (PurpleCertificate *crt, time_t *activation, time_t *expiration)
CERTCertificate *crt_dat;
PRTime nss_activ, nss_expir;
@@ -942,37 +944,49 @@
+ /** Hack to deal with dates past the 32-bit barrier.
+ Handling is different for signed vs unsigned 32-bit types.
+ if (*activation != nss_activ) {
+ purple_debug_warning("nss",
+ "Setting Activation Date to epoch to handle pre-epoch value\n");
+ purple_debug_error("nss",
+ "Activation date past 32-bit barrier, forcing invalidity\n");
+ if (*expiration != nss_expir) {
+ if (*expiration < nss_expir) {
+ purple_debug_warning("nss",
+ "Setting Expiration Date to 32-bit signed max\n");
+ *expiration = PR_INT32_MAX;
+ purple_debug_warning("nss",
+ "Setting Expiration Date to 32-bit unsigned max\n");
+ *expiration = PR_UINT32_MAX;
+ purple_debug_error("nss",
+ "Expiration date prior to unix epoch, forcing invalidity\n");
-x509_get_der_data(PurpleCertificate *crt)
- CERTCertificate *crt_dat;
- crt_dat = X509_NSS_DATA(crt);
- g_return_val_if_fail(crt_dat, NULL);
- dercrt = SEC_ASN1EncodeItem(NULL, NULL, crt_dat,
- SEC_ASN1_GET(SEC_SignedCertificateTemplate));
- g_return_val_if_fail(dercrt != NULL, FALSE);
- data = g_byte_array_sized_new(dercrt->len);
- memcpy(data->data, dercrt->data, dercrt->len);
- data->len = dercrt->len;
- SECITEM_FreeItem(dercrt, PR_TRUE);
static PurpleCertificateScheme x509_nss = {
"x509", /* Scheme name */
N_("X.509 Certificates"), /* User-visible scheme name */
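Review bot: The truncation tests `if (*activation != nss_activ)` and `if (*expiration != nss_expir)` can only fire after an out-of-range PRTime value has already been stored into the narrower `time_t`, and for a signed `time_t` the result of that narrowing is implementation-defined. Since these values decide whether a certificate is treated as inside its validity window, comparing `nss_activ` / `nss_expir` against explicit limits before the assignment would make the clamp independent of compiler behaviour. At minimum, document the dependency with a comment such as `/* relies on PRTime -> time_t narrowing; implementation-defined when time_t is signed */`. Callers should also be told that a clamped expiration (`PR_INT32_MAX` / `PR_UINT32_MAX`) is not the certificate's real notAfter. The body of x509_times starts outside this hunk and several of its lines are not visible here, so check the branch structure against the full file.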
@@ -988,8 +1002,9 @@
x509_check_name, /* Check subject name */
x509_times, /* Activation/Expiration time */
x509_importcerts_from_file, /* Multiple certificate import function */
- x509_get_der_data, /* Binary DER data */
@@ -1006,7 +1021,6 @@
--- a/libpurple/win32/global.mak Fri Sep 12 12:14:38 2014 -0700
+++ b/libpurple/win32/global.mak Sun Sep 28 19:12:41 2014 -0700
@@ -25,7 +25,7 @@
JSON_GLIB_TOP ?= $(WIN32_DEV_TOP)/json-glib-0.14
LIBXML2_TOP ?= $(WIN32_DEV_TOP)/libxml2-2.9
MEANWHILE_TOP ?= $(WIN32_DEV_TOP)/meanwhile-1.0
-NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.14
+NSS_TOP ?= $(WIN32_DEV_TOP)/nss-3.17.1-nspr-4.10.7
PERL_LIB_TOP ?= $(WIN32_DEV_TOP)/perl-5.10
SILC_TOOLKIT ?= $(WIN32_DEV_TOP)/silc-toolkit-1.1
TCL_LIB_TOP ?= $(WIN32_DEV_TOP)/tcl-8.5
@@ -75,7 +75,6 @@
CC_HARDENING_OPTIONS ?= -Wstack-protector -fwrapv -fno-strict-overflow -Wno-missing-field-initializers -Wformat-security -fstack-protector-all --param ssp-buffer-size=1
LD_HARDENING_OPTIONS ?= -Wl,--dynamicbase -Wl,--nxcompat
-TAG := @$(PURPLE_TOP)/tag.sh
# parse the version number from the configure.ac file if it is newer
#m4_define([purple_major_version], [2])
@@ -117,45 +116,18 @@
ifeq "$(origin CC)" "default"
-# comment out the next line to make output more verbose
-CC := $(TAG) "auto" $(CC)
-GMSGFMT ?= $(GETTEXT_TOP)/bin/msgfmt
+GMSGFMT ?= $(WIN32_DEV_TOP)/gettext-0.17/bin/msgfmt
-INTLTOOL_MERGE ?= $(INTLTOOL_TOP)/bin/intltool-merge
+INTLTOOL_MERGE ?= $(WIN32_DEV_TOP)/intltool_0.40.4-1_win32/bin/intltool-merge
MONO_SIGNCODE ?= signcode
-GLIB_GENMARSHAL ?= $(GTK_BIN)/glib-genmarshal
-GLIB_MKENUMS ?= $(GTK_BIN)/glib-mkenums
PIDGIN_COMMON_RULES := $(PURPLE_TOP)/win32/rules.mak
PIDGIN_COMMON_TARGETS := $(PURPLE_TOP)/win32/targets.mak
MINGW_MAKEFILE := Makefile.mingw
- -I$(GSTREAMER_TOP)/include/gstreamer-0.10 \
- -I$(GSTREAMER_TOP)/include/farstream-0.1 \
- -I$(LIBXML2_TOP)/include/libxml2
-DEFINES += -DUSE_GSTREAMER -DUSE_VV
INSTALL_SSL_CERTIFICATES ?= 1