[arch-commits] Commit in lib32-nss/repos (4 files)
Jan Steffens
heftig at archlinux.org
Fri Nov 29 09:11:48 UTC 2019
Date: Friday, November 29, 2019 @ 09:11:48
Author: heftig
Revision: 534324
archrelease: copy trunk to multilib-testing-x86_64
Added:
lib32-nss/repos/multilib-testing-x86_64/
lib32-nss/repos/multilib-testing-x86_64/PKGBUILD
(from rev 534323, lib32-nss/trunk/PKGBUILD)
lib32-nss/repos/multilib-testing-x86_64/no-plt.diff
(from rev 534323, lib32-nss/trunk/no-plt.diff)
lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch
(from rev 534323, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
---------------------------------+
PKGBUILD | 64 ++++++++++
no-plt.diff | 48 +++++++
nss-3.47-certdb-temp-cert.patch | 230 ++++++++++++++++++++++++++++++++++++++
3 files changed, 342 insertions(+)
Copied: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD (from rev 534323, lib32-nss/trunk/PKGBUILD)
===================================================================
--- multilib-testing-x86_64/PKGBUILD (rev 0)
+++ multilib-testing-x86_64/PKGBUILD 2019-11-29 09:11:48 UTC (rev 534324)
@@ -0,0 +1,64 @@
+# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com>
+# Contributor: kfgz <kfgz at interia pl>
+# Contributor: Ionut Biru <ibiru at archlinux dot org>
+
+pkgname=lib32-nss
+pkgver=3.47.1
+pkgrel=2
+pkgdesc="Network Security Services (32-bit)"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+arch=(x86_64)
+license=(MPL GPL)
+_nsprver=4.20
+depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss)
+makedepends=(perl python2 gyp)
+source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+ nss-3.47-certdb-temp-cert.patch
+ no-plt.diff)
+sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
+ 'dd9d9ba4091a5f24e5bb9d6e97658d9cb62b7926ff888373435e08e3bec9147b'
+ 'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
+
+prepare() {
+ mkdir path
+
+ ln -s /usr/bin/python2 path/python
+
+ cd nss-$pkgver
+
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
+ patch -Np2 -i ../no-plt.diff
+
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
+ patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
+}
+
+build() {
+ export PKG_CONFIG_PATH=/usr/lib32/pkgconfig
+
+ cd nss-$pkgver/nss
+ PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \
+ --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests
+}
+
+package() {
+ cd nss-$pkgver
+
+ sed nss/pkg/pkg-config/nss.pc.in \
+ -e "s,%libdir%,/usr/lib32,g" \
+ -e "s,%prefix%,/usr,g" \
+ -e "s,%exec_prefix%,/usr/bin,g" \
+ -e "s,%includedir%,/usr/include/nss,g" \
+ -e "s,%NSPR_VERSION%,$_nsprver,g" \
+ -e "s,%NSS_VERSION%,$pkgver,g" |
+ install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc"
+
+ ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc"
+
+ cd dist/Release/lib
+ install -Dt "$pkgdir/usr/lib32" *.so
+ install -Dt "$pkgdir/usr/lib32" -m644 *.chk
+
+ # Replace built-in trust with p11-kit connection
+ ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib32/libnssckbi.so"
+}
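Review bot: The `.chk` files installed by `install -Dt "$pkgdir/usr/lib32" -m644 *.chk` are signatures over the exact bytes of the freebl/softoken libraries, and this PKGBUILD declares no `options=(!strip)`, so if makepkg's default strip pass rewrites those `.so` files in `$pkgdir` after this step the signatures presumably no longer verify and FIPS-mode loading of softoken would fail — worth confirming, and then either adding `options=(!strip)` or not shipping the `.chk` files at all if FIPS mode is not a supported configuration. Separately, `mkdir path` and `ln -s /usr/bin/python2 path/python` in prepare() abort if the step is ever re-run over an existing srcdir; `mkdir -p path` and `ln -sf` are the safe forms. The two patch invocations also use different styles (`-i ../no-plt.diff` vs `< ../nss-3.47-certdb-temp-cert.patch`); picking one reads better.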
Copied: lib32-nss/repos/multilib-testing-x86_64/no-plt.diff (from rev 534323, lib32-nss/trunk/no-plt.diff)
===================================================================
--- multilib-testing-x86_64/no-plt.diff (rev 0)
+++ multilib-testing-x86_64/no-plt.diff 2019-11-29 09:11:48 UTC (rev 534324)
@@ -0,0 +1,48 @@
+diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
+index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
+--- i/security/nss/lib/freebl/mpi/mpi_x86.s
++++ w/security/nss/lib/freebl/mpi/mpi_x86.s
+@@ -22,22 +22,41 @@ is_sse: .long -1
+ #
+ .ifndef NO_PIC
+ .macro GET var,reg
+- movl \var at GOTOFF(%ebx),\reg
++ call thunk.ax
++ addl $_GLOBAL_OFFSET_TABLE_, %eax
++ movl \var at GOTOFF(%eax),\reg
+ .endm
+ .macro PUT reg,var
+- movl \reg,\var at GOTOFF(%ebx)
++ call thunk.dx
++ addl $_GLOBAL_OFFSET_TABLE_, %edx
++ movl \reg,\var at GOTOFF(%edx)
+ .endm
+ .else
+ .macro GET var,reg
+ movl \var,\reg
+ .endm
+ .macro PUT reg,var
+ movl \reg,\var
+ .endm
+ .endif
+
+ .text
+
++.ifndef NO_PIC
++.globl thunk.ax
++.hidden thunk.ax
++.type thunk.ax, @function
++thunk.ax:
++ movl (%esp),%eax
++ ret
++
++.globl thunk.dx
++.hidden thunk.dx
++.type thunk.dx, @function
++thunk.dx:
++ movl (%esp),%edx
++ ret
++.endif
+
+ # ebp - 36: caller's esi
+ # ebp - 32: caller's edi
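Review bot: The rewritten GET macro now clobbers %eax (`call thunk.ax` / `addl $_GLOBAL_OFFSET_TABLE_, %eax`) and PUT clobbers %edx in addition to the operand register, where the removed forms only read %ebx; whether every GET/PUT use site in mpi_x86.s has %eax or %edx dead at that point cannot be checked from this hunk, so a comment above the macros stating the clobber, e.g. `# GET clobbers %eax and PUT clobbers %edx; callers must not hold live values there`, would protect the next reader. The thunks are a balanced call/ret that only reads the return address, so the stack is left as found. `\var at GOTOFF` is presumably `\var@GOTOFF` mangled by the list archive and should be checked against the repository copy. The two thunks carry `.type … @function` but no `.size` directive, unlike the usual pattern for such symbols.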
Copied: lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (from rev 534323, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
===================================================================
--- multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (rev 0)
+++ multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch 2019-11-29 09:11:48 UTC (rev 534324)
@@ -0,0 +1,230 @@
+# HG changeset patch
+# User Daiki Ueno <dueno at redhat.com>
+# Date 1574953499 -3600
+# Thu Nov 28 16:04:59 2019 +0100
+# Node ID f1f705bd0528713216e16867233825c299d3e3b2
+# Parent 10722c590949819ed4d971ad5ae213bc8b11a1bf
+Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available
+
+Summary:
+When a builtin root module is loaded after some temp certs being
+loaded, our certificate lookup logic preferred those temp certs over
+perm certs stored on the root module. This was a problem because such
+temp certs are usually not accompanied with trust information.
+
+This makes the certificate lookup logic capable of handling such
+situations by checking if the trust information is attached to temp
+certs and otherwise falling back to perm certs.
+
+Reviewers: rrelyea, keeler
+
+Reviewed By: rrelyea
+
+Subscribers: heftig
+
+Bug #: 1593167
+
+Differential Revision: https://phabricator.services.mozilla.com/D54726
+
+diff --git a/lib/certdb/stanpcertdb.c b/lib/certdb/stanpcertdb.c
+--- a/lib/certdb/stanpcertdb.c
++++ b/lib/certdb/stanpcertdb.c
+@@ -340,6 +340,91 @@ CERT_AddTempCertToPerm(CERTCertificate *
+ return __CERT_AddTempCertToPerm(cert, nickname, trust);
+ }
+
++static CERTCertificate *
++find_cert_by_der_cert(CERTCertDBHandle *handle, SECItem *derCert)
++{
++ CERTCertificate *cc;
++ NSSCryptoContext *context;
++ NSSCertificate *cert = NULL;
++ NSSCertificate *tempCert = NULL;
++ NSSCertificate *permCert = NULL;
++ NSSDER encoding;
++ nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
++ nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE };
++
++ /* We retrieve a certificate instance for derCert in this order:
++ * 1. Look up a temp cert in the crypto context. If it is found
++ * and has a trust object associated, use it.
++ * 2. Look up a perm cert in the trust domain. If it is found,
++ * use it. Otherwise, use the temp cert.
++ */
++ NSSITEM_FROM_SECITEM(&encoding, derCert);
++ context = STAN_GetDefaultCryptoContext();
++
++ /* First, see if it is already a temp cert */
++ tempCert = NSSCryptoContext_FindCertificateByEncodedCertificate(context,
++ &encoding);
++ if (tempCert) {
++ NSSTrust *trust;
++
++ trust = nssCryptoContext_FindTrustForCertificate(context, tempCert);
++ if (trust) {
++ nssTrust_Destroy(trust);
++ cert = tempCert;
++ tempCert = NULL;
++ }
++ }
++
++ /* Then, see if it is already a perm cert */
++ if (!cert && handle) {
++ permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
++ &encoding);
++ if (permCert) {
++ /* Delete the temp instance */
++ if (tempCert) {
++ nssCertificateStore_Lock(context->certStore, &lockTrace);
++ nssCertificateStore_RemoveCertLOCKED(context->certStore,
++ tempCert);
++ nssCertificateStore_Unlock(context->certStore, &lockTrace,
++ &unlockTrace);
++ }
++ cert = permCert;
++ permCert = NULL;
++ } else if (tempCert) {
++ cert = tempCert;
++ tempCert = NULL;
++ }
++ }
++
++ if (tempCert) {
++ nssCertificate_Destroy(tempCert);
++ }
++ if (permCert) {
++ nssCertificate_Destroy(permCert);
++ }
++
++ if (!cert) {
++ return NULL;
++ }
++
++ /* Actually, that search ends up going by issuer/serial,
++ * so it is still possible to return a cert with the same
++ * issuer/serial but a different encoding, and we're
++ * going to reject that
++ */
++ if (!nssItem_Equal(&cert->encoding, &encoding, NULL)) {
++ nssCertificate_Destroy(cert);
++ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
++ return NULL;
++ }
++
++ cc = STAN_GetCERTCertificateOrRelease(cert);
++ if (!cc) {
++ CERT_MapStanError();
++ }
++ return cc;
++}
++
+ CERTCertificate *
+ CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert,
+ char *nickname, PRBool isperm, PRBool copyDER)
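Review bot: A trust-less temp cert is discarded whenever `handle` is NULL, because the fallback `else if (tempCert)` sits inside the `if (!cert && handle)` guard; the removed code in CERT_NewTempCertificate and CERT_FindCertByDERCert returned the temp cert in that case, so with a NULL handle this now reports "not found" and CERT_NewTempCertificate will go on to mint a second temp instance. Hoisting the fallback out of the guard restores the old behaviour while keeping the perm-over-trust-less-temp preference the patch is after. The comment above the `nssItem_Equal` check ("that search ends up going by issuer/serial") is also presumably stale now that the two underlying lookups in this same patch do that comparison themselves; if so, say the check here is defensive.
```c
    /* Then, see if it is already a perm cert */
    if (!cert && handle) {
        permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
                                                                    &encoding);
    }
    if (permCert) {
        /* … unchanged: remove the temp instance from the context store … */
        cert = permCert;
        permCert = NULL;
    } else if (!cert && tempCert) {
        /* No perm cert (or no handle to look in): keep the temp cert even
         * though it carries no trust, as the previous code did. */
        cert = tempCert;
        tempCert = NULL;
    }
    /* … unchanged: release leftovers, encoding check, STAN conversion … */
```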
+@@ -351,32 +436,8 @@ CERT_NewTempCertificate(CERTCertDBHandle
+ NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext();
+ NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain();
+ if (!isperm) {
+- NSSDER encoding;
+- NSSITEM_FROM_SECITEM(&encoding, derCert);
+- /* First, see if it is already a temp cert */
+- c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC,
+- &encoding);
+- if (!c && handle) {
+- /* Then, see if it is already a perm cert */
+- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
+- &encoding);
+- }
+- if (c) {
+- /* actually, that search ends up going by issuer/serial,
+- * so it is still possible to return a cert with the same
+- * issuer/serial but a different encoding, and we're
+- * going to reject that
+- */
+- if (!nssItem_Equal(&c->encoding, &encoding, NULL)) {
+- nssCertificate_Destroy(c);
+- PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
+- cc = NULL;
+- } else {
+- cc = STAN_GetCERTCertificateOrRelease(c);
+- if (cc == NULL) {
+- CERT_MapStanError();
+- }
+- }
++ cc = find_cert_by_der_cert(handle, derCert);
++ if (cc) {
+ return cc;
+ }
+ }
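Review bot: The issuer/serial-reuse rejection is lost here: the removed lines returned NULL with SEC_ERROR_REUSED_ISSUER_AND_SERIAL when the stored cert had the same issuer/serial but a different encoding, whereas `if (cc) { return cc; }` treats that outcome like "not found" and falls through to the temp-cert creation path below the hunk (CERT_NewTempCertificate continues outside it). If that rejection is still intended, distinguish the two NULL results: `PORT_SetError(0); cc = find_cert_by_der_cert(handle, derCert); if (cc || PORT_GetError() == SEC_ERROR_REUSED_ISSUER_AND_SERIAL) return cc;` — clearing the error first is needed because the error slot is thread-persistent and may hold a stale value from an earlier call. If falling through is the intended new behaviour, a one-line comment saying so would stop the next reader from re-adding the check.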
+@@ -598,19 +659,7 @@ CERT_FindCertByNickname(CERTCertDBHandle
+ CERTCertificate *
+ CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert)
+ {
+- NSSCryptoContext *cc;
+- NSSCertificate *c;
+- NSSDER encoding;
+- NSSITEM_FROM_SECITEM(&encoding, derCert);
+- cc = STAN_GetDefaultCryptoContext();
+- c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding);
+- if (!c) {
+- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle,
+- &encoding);
+- if (!c)
+- return NULL;
+- }
+- return STAN_GetCERTCertificateOrRelease(c);
++ return find_cert_by_der_cert(handle, derCert);
+ }
+
+ static CERTCertificate *
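Review bot: CERT_FindCertByDERCert reads as a pure lookup, but through find_cert_by_der_cert it now mutates state: when a perm cert exists and the default crypto context holds a trust-less temp copy, that temp instance is removed from the context store as a side effect of the find. That deserves a comment on the function, e.g. `/* May evict a trust-less temp instance from the default crypto context when a perm cert with the same encoding exists. */`. The removed body also never set an error on a NULL result, while the new one can leave SEC_ERROR_REUSED_ISSUER_AND_SERIAL behind; callers that inspect PORT_GetError() after a NULL return presumably see that change.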
+diff --git a/lib/pki/pkistore.c b/lib/pki/pkistore.c
+--- a/lib/pki/pkistore.c
++++ b/lib/pki/pkistore.c
+@@ -27,6 +27,8 @@
+
+ #include "prbit.h"
+
++#include "secerr.h"
++
+ /*
+ * Certificate Store
+ *
+@@ -544,6 +546,13 @@ nssCertificateStore_FindCertificateByEnc
+ &serial);
+ PORT_Free(issuer.data);
+ PORT_Free(serial.data);
++
++ if (rvCert && !nssItem_Equal(&rvCert->encoding, encoding, NULL)) {
++ nssCertificate_Destroy(rvCert);
++ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
++ return NULL;
++ }
++
+ return rvCert;
+ }
+
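Review bot: The added check changes what nssCertificateStore_FindCertificateByEncodedCertificate promises — an issuer/serial hit is now rejected, with SEC_ERROR_REUSED_ISSUER_AND_SERIAL, unless the stored encoding is byte-identical — but nothing in the hunk documents the new contract; the enclosing function starts outside the hunk, and its header comment should state: `Returns the cert only if its stored encoding equals *encoding; an issuer/serial match with a different encoding is rejected with SEC_ERROR_REUSED_ISSUER_AND_SERIAL.` This is the right direction: a lookup keyed on issuer/serial alone would let a differently-encoded cert stand in for the one the caller actually asked about. The same five lines appear verbatim in trustdomain.c in this patch; a shared static helper in the pki layer would keep the two from drifting.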
+diff --git a/lib/pki/trustdomain.c b/lib/pki/trustdomain.c
+--- a/lib/pki/trustdomain.c
++++ b/lib/pki/trustdomain.c
+@@ -15,6 +15,7 @@
+ #include "pk11pub.h"
+ #include "nssrwlk.h"
+ #include "pk11priv.h"
++#include "secerr.h"
+
+ #define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
+
+@@ -841,6 +842,13 @@ nssTrustDomain_FindCertificateByEncodedC
+ &serial);
+ PORT_Free(issuer.data);
+ PORT_Free(serial.data);
++
++ if (rvCert && !nssItem_Equal(&rvCert->encoding, ber, NULL)) {
++ nssCertificate_Destroy(rvCert);
++ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
++ return NULL;
++ }
++
+ return rvCert;
+ }
+
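Review bot: This check duplicates the one added to pkistore.c in the same patch line for line, differing only in the parameter name (`ber` here, `encoding` there); a small shared helper, presumably declared in the pki-internal header, such as `static PRBool encoding_matches(NSSCertificate *c, const NSSItem *enc)` that also sets the error and destroys the cert on mismatch, would keep the two sites from drifting. The enclosing nssTrustDomain_FindCertificateByEncodedCertificate starts outside the hunk; since `ber` is decoded earlier in that function, no extra NULL check is needed here.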