[arch-commits] Commit in lib32-nss/repos (4 files)

Jan Steffens heftig at archlinux.org
Wed Dec 4 14:53:09 UTC 2019 

    Date: Wednesday, December 4, 2019 @ 14:53:09
  Author: heftig
Revision: 535209

archrelease: copy trunk to multilib-testing-x86_64

Added:
  lib32-nss/repos/multilib-testing-x86_64/
  lib32-nss/repos/multilib-testing-x86_64/PKGBUILD
    (from rev 535208, lib32-nss/trunk/PKGBUILD)
  lib32-nss/repos/multilib-testing-x86_64/no-plt.diff
    (from rev 535208, lib32-nss/trunk/no-plt.diff)
  lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch
    (from rev 535208, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)

---------------------------------+
 PKGBUILD                        |   64 ++++++++++++++++++++++++++++++++++++++
 no-plt.diff                     |   48 ++++++++++++++++++++++++++++
 nss-3.47-certdb-temp-cert.patch |   63 +++++++++++++++++++++++++++++++++++++
 3 files changed, 175 insertions(+)

Copied: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD (from rev 535208, lib32-nss/trunk/PKGBUILD)
===================================================================
--- multilib-testing-x86_64/PKGBUILD	                        (rev 0)
+++ multilib-testing-x86_64/PKGBUILD	2019-12-04 14:53:09 UTC (rev 535209)
@@ -0,0 +1,64 @@
+# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com>
+# Contributor: kfgz <kfgz at interia pl>
+# Contributor: Ionut Biru <ibiru at archlinux dot org>
+
+pkgname=lib32-nss
+pkgver=3.47.1
+pkgrel=5
+pkgdesc="Network Security Services (32-bit)"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+arch=(x86_64)
+license=(MPL GPL)
+_nsprver=4.20
+depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss)
+makedepends=(perl python2 gyp)
+source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+        nss-3.47-certdb-temp-cert.patch
+        no-plt.diff)
+sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
+            'e4d7c7d6ac8c8cccd5bb23c217402922aafc1c104e46ae17a39f3c13b0e96002'
+            'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
+
+prepare() {
+  mkdir path
+
+  ln -s /usr/bin/python2 path/python
+
+  cd nss-$pkgver
+
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
+  patch -Np2 -i ../no-plt.diff
+
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
+  patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
+}
+
+build() {
+  export PKG_CONFIG_PATH=/usr/lib32/pkgconfig
+
+  cd nss-$pkgver/nss
+  PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \
+    --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests
+}
+
+package() {
+  cd nss-$pkgver
+
+  sed nss/pkg/pkg-config/nss.pc.in \
+    -e "s,%libdir%,/usr/lib32,g" \
+    -e "s,%prefix%,/usr,g" \
+    -e "s,%exec_prefix%,/usr/bin,g" \
+    -e "s,%includedir%,/usr/include/nss,g" \
+    -e "s,%NSPR_VERSION%,$_nsprver,g" \
+    -e "s,%NSS_VERSION%,$pkgver,g" |
+    install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc"
+
+  ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc"
+
+  cd dist/Release/lib
+  install -Dt "$pkgdir/usr/lib32" *.so
+  install -Dt "$pkgdir/usr/lib32" -m644 *.chk
+
+  # Replace built-in trust with p11-kit connection
+  ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib32/libnssckbi.so"
+}

Copied: lib32-nss/repos/multilib-testing-x86_64/no-plt.diff (from rev 535208, lib32-nss/trunk/no-plt.diff)
===================================================================
--- multilib-testing-x86_64/no-plt.diff	                        (rev 0)
+++ multilib-testing-x86_64/no-plt.diff	2019-12-04 14:53:09 UTC (rev 535209)
@@ -0,0 +1,48 @@
+diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
+index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
+--- i/security/nss/lib/freebl/mpi/mpi_x86.s
++++ w/security/nss/lib/freebl/mpi/mpi_x86.s
+@@ -22,22 +22,41 @@ is_sse: .long	-1
+ #
+ .ifndef NO_PIC
+ .macro GET   var,reg
+-    movl   \var at GOTOFF(%ebx),\reg
++    call   thunk.ax
++    addl   $_GLOBAL_OFFSET_TABLE_, %eax
++    movl   \var at GOTOFF(%eax),\reg
+ .endm
+ .macro PUT   reg,var
+-    movl   \reg,\var at GOTOFF(%ebx)
++    call   thunk.dx
++    addl   $_GLOBAL_OFFSET_TABLE_, %edx
++    movl   \reg,\var at GOTOFF(%edx)
+ .endm
+ .else
+ .macro GET   var,reg
+     movl   \var,\reg
+ .endm
+ .macro PUT   reg,var
+     movl   \reg,\var
+ .endm
+ .endif
+ 
+ .text
+ 
++.ifndef NO_PIC
++.globl	thunk.ax
++.hidden	thunk.ax
++.type	thunk.ax, @function
++thunk.ax:
++       movl   (%esp),%eax
++       ret
++
++.globl	thunk.dx
++.hidden	thunk.dx
++.type	thunk.dx, @function
++thunk.dx:
++       movl   (%esp),%edx
++       ret
++.endif
+ 
+  #  ebp - 36:	caller's esi
+  #  ebp - 32:	caller's edi

Copied: lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (from rev 535208, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
===================================================================
--- multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch	                        (rev 0)
+++ multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch	2019-12-04 14:53:09 UTC (rev 535209)
@@ -0,0 +1,63 @@
+# HG changeset patch
+# User Daiki Ueno <dueno at redhat.com>
+# Date 1575450841 -3600
+#      Wed Dec 04 10:14:01 2019 +0100
+# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
+# Parent  d64102b76a437f24d98a20480dcc9f1655143e7c
+Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards
+
+Summary:
+When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
+
+This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
+
+Reviewers: rrelyea, keeler
+
+Reviewed By: rrelyea
+
+Subscribers: reviewbot, heftig
+
+Bug #: 1593167
+
+Differential Revision: https://phabricator.services.mozilla.com/D54726
+
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
+     }
+     if (!cc->nssCertificate || forceUpdate) {
+         fill_CERTCertificateFields(c, cc, forceUpdate);
+-    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
+-               !c->object.cryptoContext) {
+-        /* if it's a perm cert, it might have been stored before the
+-         * trust, so look for the trust again.  But a temp cert can be
+-         * ignored.
+-         */
+-        CERTCertTrust *trust = NULL;
+-        trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++    } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
++        CERTCertTrust *trust;
++        if (!c->object.cryptoContext) {
++            /* If it's a perm cert, it might have been stored before the
++             * trust, so look for the trust again.
++             */
++            trust = nssTrust_GetCERTCertTrustForCert(c, cc);
++        } else {
++            /* If it's a temp cert, it might have been stored before the
++             * builtin trust module is loaded, so look for the trust
++             * again, but don't set the empty trust if it is not found.
++             */
++            NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
++            if (!t) {
++                goto loser;
++            }
++            trust = cert_trust_from_stan_trust(t, cc->arena);
++            nssTrust_Destroy(t);
++            if (!trust) {
++                goto loser;
++            }
++        }
+ 
+         CERT_LockCertTrust(cc);
+         cc->trust = trust;

More information about the arch-commits mailing list