[arch-commits] Commit in lib32-nss/repos/multilib-testing-x86_64 (6 files)

Jan Steffens heftig at archlinux.org
Tue Dec 3 14:14:19 UTC 2019


    Date: Tuesday, December 3, 2019 @ 14:14:19
  Author: heftig
Revision: 534945

archrelease: copy trunk to multilib-testing-x86_64

Added:
  lib32-nss/repos/multilib-testing-x86_64/PKGBUILD
    (from rev 534944, lib32-nss/trunk/PKGBUILD)
  lib32-nss/repos/multilib-testing-x86_64/no-plt.diff
    (from rev 534944, lib32-nss/trunk/no-plt.diff)
  lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch
    (from rev 534944, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
Deleted:
  lib32-nss/repos/multilib-testing-x86_64/PKGBUILD
  lib32-nss/repos/multilib-testing-x86_64/no-plt.diff
  lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch

---------------------------------+
 PKGBUILD                        |  128 +++++++++----------
 no-plt.diff                     |   96 +++++++-------
 nss-3.47-certdb-temp-cert.patch |  251 +++-----------------------------------
 3 files changed, 133 insertions(+), 342 deletions(-)

Deleted: PKGBUILD
===================================================================
--- PKGBUILD	2019-12-03 14:14:07 UTC (rev 534944)
+++ PKGBUILD	2019-12-03 14:14:19 UTC (rev 534945)
@@ -1,64 +0,0 @@
-# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com>
-# Contributor: kfgz <kfgz at interia pl>
-# Contributor: Ionut Biru <ibiru at archlinux dot org>
-
-pkgname=lib32-nss
-pkgver=3.47.1
-pkgrel=2
-pkgdesc="Network Security Services (32-bit)"
-url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
-arch=(x86_64)
-license=(MPL GPL)
-_nsprver=4.20
-depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss)
-makedepends=(perl python2 gyp)
-source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
-        nss-3.47-certdb-temp-cert.patch
-        no-plt.diff)
-sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
-            'dd9d9ba4091a5f24e5bb9d6e97658d9cb62b7926ff888373435e08e3bec9147b'
-            'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
-
-prepare() {
-  mkdir path
-
-  ln -s /usr/bin/python2 path/python
-
-  cd nss-$pkgver
-
-  # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
-  patch -Np2 -i ../no-plt.diff
-
-  # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
-  patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
-}
-
-build() {
-  export PKG_CONFIG_PATH=/usr/lib32/pkgconfig
-
-  cd nss-$pkgver/nss
-  PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \
-    --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests
-}
-
-package() {
-  cd nss-$pkgver
-
-  sed nss/pkg/pkg-config/nss.pc.in \
-    -e "s,%libdir%,/usr/lib32,g" \
-    -e "s,%prefix%,/usr,g" \
-    -e "s,%exec_prefix%,/usr/bin,g" \
-    -e "s,%includedir%,/usr/include/nss,g" \
-    -e "s,%NSPR_VERSION%,$_nsprver,g" \
-    -e "s,%NSS_VERSION%,$pkgver,g" |
-    install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc"
-
-  ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc"
-
-  cd dist/Release/lib
-  install -Dt "$pkgdir/usr/lib32" *.so
-  install -Dt "$pkgdir/usr/lib32" -m644 *.chk
-
-  # Replace built-in trust with p11-kit connection
-  ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib32/libnssckbi.so"
-}

Copied: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD (from rev 534944, lib32-nss/trunk/PKGBUILD)
===================================================================
--- PKGBUILD	                        (rev 0)
+++ PKGBUILD	2019-12-03 14:14:19 UTC (rev 534945)
@@ -0,0 +1,64 @@
+# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com>
+# Contributor: kfgz <kfgz at interia pl>
+# Contributor: Ionut Biru <ibiru at archlinux dot org>
+
+pkgname=lib32-nss
+pkgver=3.47.1
+pkgrel=3
+pkgdesc="Network Security Services (32-bit)"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+arch=(x86_64)
+license=(MPL GPL)
+_nsprver=4.20
+depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss)
+makedepends=(perl python2 gyp)
+source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+        nss-3.47-certdb-temp-cert.patch
+        no-plt.diff)
+sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
+            '82d7924d7c3491de04f42c240fef6dd6e80fc5004ab44f55e6f03571d2d02e58'
+            'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
+
+prepare() {
+  mkdir path
+
+  ln -s /usr/bin/python2 path/python
+
+  cd nss-$pkgver
+
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
+  patch -Np2 -i ../no-plt.diff
+
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
+  patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
+}
+
+build() {
+  export PKG_CONFIG_PATH=/usr/lib32/pkgconfig
+
+  cd nss-$pkgver/nss
+  PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \
+    --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests
+}
+
+package() {
+  cd nss-$pkgver
+
+  sed nss/pkg/pkg-config/nss.pc.in \
+    -e "s,%libdir%,/usr/lib32,g" \
+    -e "s,%prefix%,/usr,g" \
+    -e "s,%exec_prefix%,/usr/bin,g" \
+    -e "s,%includedir%,/usr/include/nss,g" \
+    -e "s,%NSPR_VERSION%,$_nsprver,g" \
+    -e "s,%NSS_VERSION%,$pkgver,g" |
+    install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc"
+
+  ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc"
+
+  cd dist/Release/lib
+  install -Dt "$pkgdir/usr/lib32" *.so
+  install -Dt "$pkgdir/usr/lib32" -m644 *.chk
+
+  # Replace built-in trust with p11-kit connection
+  ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib32/libnssckbi.so"
+}
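Review bot: `build()` passes `--disable-tests` and the file defines no `check()`, so the certificate-trust patch applied in `prepare()` is never exercised by anything in this package's build. That may be deliberate for the 32-bit rebuild, but the file does not say so. A comment above the `build.sh` call would record the assumption, for example `# tests are not built here; the patched trust lookup is assumed to be covered by the native nss package`, to be confirmed by the maintainer. The comment on the second `patch` line could also say that the patch now touches only `lib/pki/pki3hack.c`, since the bug link alone does not distinguish it from the earlier, larger patch with the same file name.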

Deleted: no-plt.diff
===================================================================
--- no-plt.diff	2019-12-03 14:14:07 UTC (rev 534944)
+++ no-plt.diff	2019-12-03 14:14:19 UTC (rev 534945)
@@ -1,48 +0,0 @@
-diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
-index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
---- i/security/nss/lib/freebl/mpi/mpi_x86.s
-+++ w/security/nss/lib/freebl/mpi/mpi_x86.s
-@@ -22,22 +22,41 @@ is_sse: .long	-1
- #
- .ifndef NO_PIC
- .macro GET   var,reg
--    movl   \var at GOTOFF(%ebx),\reg
-+    call   thunk.ax
-+    addl   $_GLOBAL_OFFSET_TABLE_, %eax
-+    movl   \var at GOTOFF(%eax),\reg
- .endm
- .macro PUT   reg,var
--    movl   \reg,\var at GOTOFF(%ebx)
-+    call   thunk.dx
-+    addl   $_GLOBAL_OFFSET_TABLE_, %edx
-+    movl   \reg,\var at GOTOFF(%edx)
- .endm
- .else
- .macro GET   var,reg
-     movl   \var,\reg
- .endm
- .macro PUT   reg,var
-     movl   \reg,\var
- .endm
- .endif
- 
- .text
- 
-+.ifndef NO_PIC
-+.globl	thunk.ax
-+.hidden	thunk.ax
-+.type	thunk.ax, @function
-+thunk.ax:
-+       movl   (%esp),%eax
-+       ret
-+
-+.globl	thunk.dx
-+.hidden	thunk.dx
-+.type	thunk.dx, @function
-+thunk.dx:
-+       movl   (%esp),%edx
-+       ret
-+.endif
- 
-  #  ebp - 36:	caller's esi
-  #  ebp - 32:	caller's edi

Copied: lib32-nss/repos/multilib-testing-x86_64/no-plt.diff (from rev 534944, lib32-nss/trunk/no-plt.diff)
===================================================================
--- no-plt.diff	                        (rev 0)
+++ no-plt.diff	2019-12-03 14:14:19 UTC (rev 534945)
@@ -0,0 +1,48 @@
+diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
+index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
+--- i/security/nss/lib/freebl/mpi/mpi_x86.s
++++ w/security/nss/lib/freebl/mpi/mpi_x86.s
+@@ -22,22 +22,41 @@ is_sse: .long	-1
+ #
+ .ifndef NO_PIC
+ .macro GET   var,reg
+-    movl   \var at GOTOFF(%ebx),\reg
++    call   thunk.ax
++    addl   $_GLOBAL_OFFSET_TABLE_, %eax
++    movl   \var at GOTOFF(%eax),\reg
+ .endm
+ .macro PUT   reg,var
+-    movl   \reg,\var at GOTOFF(%ebx)
++    call   thunk.dx
++    addl   $_GLOBAL_OFFSET_TABLE_, %edx
++    movl   \reg,\var at GOTOFF(%edx)
+ .endm
+ .else
+ .macro GET   var,reg
+     movl   \var,\reg
+ .endm
+ .macro PUT   reg,var
+     movl   \reg,\var
+ .endm
+ .endif
+ 
+ .text
+ 
++.ifndef NO_PIC
++.globl	thunk.ax
++.hidden	thunk.ax
++.type	thunk.ax, @function
++thunk.ax:
++       movl   (%esp),%eax
++       ret
++
++.globl	thunk.dx
++.hidden	thunk.dx
++.type	thunk.dx, @function
++thunk.dx:
++       movl   (%esp),%edx
++       ret
++.endif
+ 
+  #  ebp - 36:	caller's esi
+  #  ebp - 32:	caller's edi
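Review bot: The rewritten `GET` and `PUT` macros overwrite `%eax` and `%edx` respectively as a side effect, and nothing in the macro bodies documents that. A `PUT` whose `reg` argument is `%edx` would store the GOT base computed by `thunk.dx` rather than the caller's value, and a `GET` discards whatever was live in `%eax`. The call sites are outside this hunk, so whether any of them is affected cannot be checked from here. A comment above the macros would record the constraint, for example `# GET clobbers %eax, PUT clobbers %edx; never pass %edx as PUT's reg`. The archive also appears to have rewritten `@GOTOFF` as ` at GOTOFF`, so the text shown here is not the byte-exact file that the PKGBUILD checksum covers.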

Deleted: nss-3.47-certdb-temp-cert.patch
===================================================================
--- nss-3.47-certdb-temp-cert.patch	2019-12-03 14:14:07 UTC (rev 534944)
+++ nss-3.47-certdb-temp-cert.patch	2019-12-03 14:14:19 UTC (rev 534945)
@@ -1,230 +0,0 @@
-# HG changeset patch
-# User Daiki Ueno <dueno at redhat.com>
-# Date 1574953499 -3600
-#      Thu Nov 28 16:04:59 2019 +0100
-# Node ID f1f705bd0528713216e16867233825c299d3e3b2
-# Parent  10722c590949819ed4d971ad5ae213bc8b11a1bf
-Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
-
-Summary:
-When a builtin root module is loaded after some temp certs being
-loaded, our certificate lookup logic preferred those temp certs over
-perm certs stored on the root module.  This was a problem because such
-temp certs are usually not accompanied with trust information.
-
-This makes the certificate lookup logic capable of handling such
-situations by checking if the trust information is attached to temp
-certs and otherwise falling back to perm certs.
-
-Reviewers: rrelyea, keeler
-
-Reviewed By: rrelyea
-
-Subscribers: heftig
-
-Bug #: 1593167
-
-Differential Revision: https://phabricator.services.mozilla.com/D54726
-
-diff --git a/lib/certdb/stanpcertdb.c b/lib/certdb/stanpcertdb.c
---- a/lib/certdb/stanpcertdb.c
-+++ b/lib/certdb/stanpcertdb.c
-@@ -340,6 +340,91 @@ CERT_AddTempCertToPerm(CERTCertificate *
-     return __CERT_AddTempCertToPerm(cert, nickname, trust);
- }
- 
-+static CERTCertificate *
-+find_cert_by_der_cert(CERTCertDBHandle *handle, SECItem *derCert)
-+{
-+    CERTCertificate *cc;
-+    NSSCryptoContext *context;
-+    NSSCertificate *cert = NULL;
-+    NSSCertificate *tempCert = NULL;
-+    NSSCertificate *permCert = NULL;
-+    NSSDER encoding;
-+    nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
-+    nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
-+
-+    /* We retrieve a certificate instance for derCert in this order:
-+     * 1. Look up a temp cert in the crypto context.  If it is found
-+     *    and has a trust object associated, use it.
-+     * 2. Look up a perm cert in the trust domain.  If it is found,
-+     *    use it.  Otherwise, use the temp cert.
-+     */
-+    NSSITEM_FROM_SECITEM(&encoding, derCert);
-+    context = STAN_GetDefaultCryptoContext();
-+
-+    /* First, see if it is already a temp cert */
-+    tempCert = NSSCryptoContext_FindCertificateByEncodedCertificate(context,
-+                                                                    &encoding);
-+    if (tempCert) {
-+        NSSTrust *trust;
-+
-+        trust = nssCryptoContext_FindTrustForCertificate(context, tempCert);
-+        if (trust) {
-+            nssTrust_Destroy(trust);
-+            cert = tempCert;
-+            tempCert = NULL;
-+        }
-+    }
-+
-+    /* Then, see if it is already a perm cert */
-+    if (!cert && handle) {
-+        permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
-+                                                                      &encoding);
-+        if (permCert) {
-+            /* Delete the temp instance */
-+            if (tempCert) {
-+                nssCertificateStore_Lock(context->certStore, &lockTrace);
-+                nssCertificateStore_RemoveCertLOCKED(context->certStore,
-+                                                     tempCert);
-+                nssCertificateStore_Unlock(context->certStore, &lockTrace,
-+                                           &unlockTrace);
-+            }
-+            cert = permCert;
-+            permCert = NULL;
-+        } else if (tempCert) {
-+            cert = tempCert;
-+            tempCert = NULL;
-+        }
-+    }
-+
-+    if (tempCert) {
-+        nssCertificate_Destroy(tempCert);
-+    }
-+    if (permCert) {
-+        nssCertificate_Destroy(permCert);
-+    }
-+
-+    if (!cert) {
-+        return NULL;
-+    }
-+
-+    /* Actually, that search ends up going by issuer/serial,
-+     * so it is still possible to return a cert with the same
-+     * issuer/serial but a different encoding, and we're
-+     * going to reject that
-+     */
-+    if (!nssItem_Equal(&cert->encoding, &encoding, NULL)) {
-+        nssCertificate_Destroy(cert);
-+        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-+        return NULL;
-+    }
-+
-+    cc = STAN_GetCERTCertificateOrRelease(cert);
-+    if (!cc) {
-+        CERT_MapStanError();
-+    }
-+    return cc;
-+}
-+
- CERTCertificate *
- CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
-                         char *nickname, PRBool isperm, PRBool copyDER)
-@@ -351,32 +436,8 @@ CERT_NewTempCertificate(CERTCertDBHandle
-     NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
-     NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
-     if (!isperm) {
--        NSSDER encoding;
--        NSSITEM_FROM_SECITEM(&encoding, derCert);
--        /* First, see if it is already a temp cert */
--        c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
--                                                                 &encoding);
--        if (!c && handle) {
--            /* Then, see if it is already a perm cert */
--            c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
--                                                                   &encoding);
--        }
--        if (c) {
--            /* actually, that search ends up going by issuer/serial,
--             * so it is still possible to return a cert with the same
--             * issuer/serial but a different encoding, and we're
--             * going to reject that
--             */
--            if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
--                nssCertificate_Destroy(c);
--                PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
--                cc = NULL;
--            } else {
--                cc = STAN_GetCERTCertificateOrRelease(c);
--                if (cc == NULL) {
--                    CERT_MapStanError();
--                }
--            }
-+        cc = find_cert_by_der_cert(handle, derCert);
-+        if (cc) {
-             return cc;
-         }
-     }
-@@ -598,19 +659,7 @@ CERT_FindCertByNickname(CERTCertDBHandle
- CERTCertificate *
- CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
- {
--    NSSCryptoContext *cc;
--    NSSCertificate *c;
--    NSSDER encoding;
--    NSSITEM_FROM_SECITEM(&encoding, derCert);
--    cc = STAN_GetDefaultCryptoContext();
--    c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
--    if (!c) {
--        c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
--                                                               &encoding);
--        if (!c)
--            return NULL;
--    }
--    return STAN_GetCERTCertificateOrRelease(c);
-+    return find_cert_by_der_cert(handle, derCert);
- }
- 
- static CERTCertificate *
-diff --git a/lib/pki/pkistore.c b/lib/pki/pkistore.c
---- a/lib/pki/pkistore.c
-+++ b/lib/pki/pkistore.c
-@@ -27,6 +27,8 @@
- 
- #include "prbit.h"
- 
-+#include "secerr.h"
-+
- /*
-  * Certificate Store
-  *
-@@ -544,6 +546,13 @@ nssCertificateStore_FindCertificateByEnc
-                                                                         &serial);
-     PORT_Free(issuer.data);
-     PORT_Free(serial.data);
-+
-+    if (rvCert && !nssItem_Equal(&rvCert->encoding, encoding, NULL)) {
-+        nssCertificate_Destroy(rvCert);
-+        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-+        return NULL;
-+    }
-+
-     return rvCert;
- }
- 
-diff --git a/lib/pki/trustdomain.c b/lib/pki/trustdomain.c
---- a/lib/pki/trustdomain.c
-+++ b/lib/pki/trustdomain.c
-@@ -15,6 +15,7 @@
- #include "pk11pub.h"
- #include "nssrwlk.h"
- #include "pk11priv.h"
-+#include "secerr.h"
- 
- #define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
- 
-@@ -841,6 +842,13 @@ nssTrustDomain_FindCertificateByEncodedC
-                                                                    &serial);
-     PORT_Free(issuer.data);
-     PORT_Free(serial.data);
-+
-+    if (rvCert && !nssItem_Equal(&rvCert->encoding, ber, NULL)) {
-+        nssCertificate_Destroy(rvCert);
-+        PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-+        return NULL;
-+    }
-+
-     return rvCert;
- }
- 

Copied: lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (from rev 534944, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
===================================================================
--- nss-3.47-certdb-temp-cert.patch	                        (rev 0)
+++ nss-3.47-certdb-temp-cert.patch	2019-12-03 14:14:19 UTC (rev 534945)
@@ -0,0 +1,21 @@
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -921,11 +921,11 @@
+     }
+     if (!cc->nssCertificate || forceUpdate) {
+         fill_CERTCertificateFields(c, cc, forceUpdate);
+-    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
+-               !c->object.cryptoContext) {
+-        /* if it's a perm cert, it might have been stored before the
+-         * trust, so look for the trust again.  But a temp cert can be
+-         * ignored.
++    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
++        /* If it's a perm cert, it might have been stored before the
++         * trust, so look for the trust again. If it's a temp cert, it
++         * might have been stored before the builtin module is loaded,
++         * so still need to look for the trust again.
+          */
+         CERTCertTrust *trust = NULL;
+         trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+
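Review bot: With `!c->object.cryptoContext` removed from the `else if`, every temp cert for which `CERT_GetCertTrust` fails now goes through `nssTrust_GetCERTCertTrustForCert` each time this path runs, where previously temp certs were skipped. What is done with `trust` afterwards, and under which lock, lies outside the hunk, so it should be confirmed that the rest of the branch is safe for certs held in a crypto context and that the repeated lookup for untrusted temp certs is acceptable. The patch file has also lost the header the previous revision carried (changeset node, author, bug summary), and its hunk header names no function. A leading line such as `# Upstream: <upstream changeset URL>, Bug 1593167` (placeholder to be filled in) would tie this change to a reviewable upstream commit.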


