Date: Tuesday, December 3, 2019 @ 14:14:19 Author: heftig Revision: 534945
archrelease: copy trunk to multilib-testing-x86_64 Added: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD (from rev 534944, lib32-nss/trunk/PKGBUILD) lib32-nss/repos/multilib-testing-x86_64/no-plt.diff (from rev 534944, lib32-nss/trunk/no-plt.diff) lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (from rev 534944, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch) Deleted: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD lib32-nss/repos/multilib-testing-x86_64/no-plt.diff lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch ---------------------------------+ PKGBUILD | 128 +++++++++---------- no-plt.diff | 96 +++++++------- nss-3.47-certdb-temp-cert.patch | 251 +++----------------------------------- 3 files changed, 133 insertions(+), 342 deletions(-) Deleted: PKGBUILD =================================================================== --- PKGBUILD 2019-12-03 14:14:07 UTC (rev 534944) +++ PKGBUILD 2019-12-03 14:14:19 UTC (rev 534945) 
@@ -1,64 +0,0 @@ -# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com> -# Contributor: kfgz <kfgz at interia pl> -# Contributor: Ionut Biru <ibiru at archlinux dot org> - -pkgname=lib32-nss -pkgver=3.47.1 -pkgrel=2 -pkgdesc="Network Security Services (32-bit)" -url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS" -arch=(x86_64) -license=(MPL GPL) -_nsprver=4.20 -depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss) -makedepends=(perl python2 gyp) -source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz" - nss-3.47-certdb-temp-cert.patch - no-plt.diff) -sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb' - 'dd9d9ba4091a5f24e5bb9d6e97658d9cb62b7926ff888373435e08e3bec9147b' - 'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa') - -prepare() { - mkdir path - - ln -s /usr/bin/python2 path/python - - cd nss-$pkgver - - # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942 - patch -Np2 -i ../no-plt.diff - - # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167 - patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch -} - -build() { - export PKG_CONFIG_PATH=/usr/lib32/pkgconfig - - cd nss-$pkgver/nss - PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \ - --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests -} - -package() { - cd nss-$pkgver - - sed nss/pkg/pkg-config/nss.pc.in \ - -e "s,%libdir%,/usr/lib32,g" \ - -e "s,%prefix%,/usr,g" \ - -e "s,%exec_prefix%,/usr/bin,g" \ - -e "s,%includedir%,/usr/include/nss,g" \ - -e "s,%NSPR_VERSION%,$_nsprver,g" \ - -e "s,%NSS_VERSION%,$pkgver,g" | - install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc" - - ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc" - - cd dist/Release/lib - install -Dt "$pkgdir/usr/lib32" *.so - install -Dt "$pkgdir/usr/lib32" -m644 *.chk - - # Replace built-in trust with p11-kit connection - ln -sf libnssckbi-p11-kit.so 
"$pkgdir/usr/lib32/libnssckbi.so" -} Copied: lib32-nss/repos/multilib-testing-x86_64/PKGBUILD (from rev 534944, lib32-nss/trunk/PKGBUILD) =================================================================== --- PKGBUILD (rev 0) +++ PKGBUILD 2019-12-03 14:14:19 UTC (rev 534945) 
@@ -0,0 +1,64 @@
+# Maintainer: Daniel Wallace <danielwallace at gtmanfred dot com>
+# Contributor: kfgz <kfgz at interia pl>
+# Contributor: Ionut Biru <ibiru at archlinux dot org>
+
+pkgname=lib32-nss
+pkgver=3.47.1
+pkgrel=3
+pkgdesc="Network Security Services (32-bit)"
+url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
+arch=(x86_64)
+license=(MPL GPL)
+_nsprver=4.20
+depends=("lib32-nspr>=${_nsprver}" lib32-sqlite lib32-zlib lib32-p11-kit nss)
+makedepends=(perl python2 gyp)
+source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
+ nss-3.47-certdb-temp-cert.patch
+ no-plt.diff)
+sha256sums=('1ae3d1cb1de345b258788f2ef6b10a460068034c3fd64f42427a183d8342a6fb'
+ '82d7924d7c3491de04f42c240fef6dd6e80fc5004ab44f55e6f03571d2d02e58'
+ 'ea8e1b871c0f1dd29cdea1b1a2e7f47bf4713e2ae7b947ec832dba7dfcc67daa')
+
+prepare() {
+ mkdir path
+
+ ln -s /usr/bin/python2 path/python
+
+ cd nss-$pkgver
+
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1382942
+ patch -Np2 -i ../no-plt.diff
+
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
+ patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
+}
+
+build() {
+ export PKG_CONFIG_PATH=/usr/lib32/pkgconfig
+
+ cd nss-$pkgver/nss
+ PATH="$srcdir/path:$PATH" bash -x ./build.sh -v \
+ --m32 --opt --system-sqlite --system-nspr --enable-libpkix --disable-tests
+}
+
+package() {
+ cd nss-$pkgver
+
+ sed nss/pkg/pkg-config/nss.pc.in \
+ -e "s,%libdir%,/usr/lib32,g" \
+ -e "s,%prefix%,/usr,g" \
+ -e "s,%exec_prefix%,/usr/bin,g" \
+ -e "s,%includedir%,/usr/include/nss,g" \
+ -e "s,%NSPR_VERSION%,$_nsprver,g" \
+ -e "s,%NSS_VERSION%,$pkgver,g" |
+ install -Dm644 /dev/stdin "$pkgdir/usr/lib32/pkgconfig/nss.pc"
+
+ ln -s nss.pc "$pkgdir/usr/lib32/pkgconfig/mozilla-nss.pc"
+
+ cd dist/Release/lib
+ install -Dt "$pkgdir/usr/lib32" *.so
+ install -Dt "$pkgdir/usr/lib32" -m644 *.chk
+
+ # Replace built-in trust with p11-kit connection
+ ln -sf libnssckbi-p11-kit.so 
"$pkgdir/usr/lib32/libnssckbi.so"
+}
Deleted: no-plt.diff
===================================================================
--- no-plt.diff 2019-12-03 14:14:07 UTC (rev 534944)
+++ no-plt.diff 2019-12-03 14:14:19 UTC (rev 534945)
@@ -1,48 +0,0 @@
-diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
-index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
---- i/security/nss/lib/freebl/mpi/mpi_x86.s
-+++ w/security/nss/lib/freebl/mpi/mpi_x86.s
-@@ -22,22 +22,41 @@ is_sse: .long -1
- #
- .ifndef NO_PIC
- .macro GET var,reg
-- movl \var@GOTOFF(%ebx),\reg
-+ call thunk.ax
-+ addl $_GLOBAL_OFFSET_TABLE_, %eax
-+ movl \var@GOTOFF(%eax),\reg
- .endm
- .macro PUT reg,var
-- movl \reg,\var@GOTOFF(%ebx)
-+ call thunk.dx
-+ addl $_GLOBAL_OFFSET_TABLE_, %edx
-+ movl \reg,\var@GOTOFF(%edx)
- .endm
- .else
- .macro GET var,reg
- movl \var,\reg
- .endm
- .macro PUT reg,var
- movl \reg,\var
- .endm
- .endif
- 
- .text
- 
-+.ifndef NO_PIC
-+.globl thunk.ax
-+.hidden thunk.ax
-+.type thunk.ax, @function
-+thunk.ax:
-+ movl (%esp),%eax
-+ ret
-+
-+.globl thunk.dx
-+.hidden thunk.dx
-+.type thunk.dx, @function
-+thunk.dx:
-+ movl (%esp),%edx
-+ ret
-+.endif
- 
- # ebp - 36: caller's esi
- # ebp - 32: caller's edi
Copied: lib32-nss/repos/multilib-testing-x86_64/no-plt.diff (from rev 534944, lib32-nss/trunk/no-plt.diff)
===================================================================
--- no-plt.diff (rev 0)
+++ no-plt.diff 2019-12-03 14:14:19 UTC (rev 534945)
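Review bot: Nothing in the new PKGBUILD records that nss-3.47-certdb-temp-cert.patch now holds a different fix: the only visible changes against the deleted copy are `pkgrel=3` and the second `sha256sums` entry moving from dd9d9ba4… to 82d7924d…, while the file name and the `# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167` line in prepare() stay as they were. Someone auditing the checksum change has to diff the two patch files to learn that the stanpcertdb.c lookup rework was swapped for a one-hunk pki3hack.c change. A short note next to the patch call, e.g. `# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167 (pki3hack.c trust re-lookup; replaces the earlier certdb lookup patch)`, would make the rebuild self-explanatory. The hunk runs from `@@ -0,0 +1,64 @@` on the previous line to `+}` here, so prepare() is fully visible.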
@@ -0,0 +1,48 @@
+diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
+index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
+--- i/security/nss/lib/freebl/mpi/mpi_x86.s
++++ w/security/nss/lib/freebl/mpi/mpi_x86.s
+@@ -22,22 +22,41 @@ is_sse: .long -1
+ #
+ .ifndef NO_PIC
+ .macro GET var,reg
+- movl \var@GOTOFF(%ebx),\reg
++ call thunk.ax
++ addl $_GLOBAL_OFFSET_TABLE_, %eax
++ movl \var@GOTOFF(%eax),\reg
+ .endm
+ .macro PUT reg,var
+- movl \reg,\var@GOTOFF(%ebx)
++ call thunk.dx
++ addl $_GLOBAL_OFFSET_TABLE_, %edx
++ movl \reg,\var@GOTOFF(%edx)
+ .endm
+ .else
+ .macro GET var,reg
+ movl \var,\reg
+ .endm
+ .macro PUT reg,var
+ movl \reg,\var
+ .endm
+ .endif
+ 
+ .text
+ 
++.ifndef NO_PIC
++.globl thunk.ax
++.hidden thunk.ax
++.type thunk.ax, @function
++thunk.ax:
++ movl (%esp),%eax
++ ret
++
++.globl thunk.dx
++.hidden thunk.dx
++.type thunk.dx, @function
++thunk.dx:
++ movl (%esp),%edx
++ ret
++.endif
+ 
+ # ebp - 36: caller's esi
+ # ebp - 32: caller's edi
Deleted: nss-3.47-certdb-temp-cert.patch
===================================================================
--- nss-3.47-certdb-temp-cert.patch 2019-12-03 14:14:07 UTC (rev 534944)
+++ nss-3.47-certdb-temp-cert.patch 2019-12-03 14:14:19 UTC (rev 534945)
@@ -1,230 +0,0 @@ -# HG changeset patch -# User Daiki Ueno <du...@redhat.com> -# Date 1574953499 -3600 -# Thu Nov 28 16:04:59 2019 +0100 -# Node ID f1f705bd0528713216e16867233825c299d3e3b2 -# Parent 10722c590949819ed4d971ad5ae213bc8b11a1bf -Bug 1593167, certdb: prefer perm certs over temp certs when trust is not available - -Summary: -When a builtin root module is loaded after some temp certs being -loaded, our certificate lookup logic preferred those temp certs over -perm certs stored on the root module. This was a problem because such -temp certs are usually not accompanied with trust information. - -This makes the certificate lookup logic capable of handling such -situations by checking if the trust information is attached to temp -certs and otherwise falling back to perm certs. - -Reviewers: rrelyea, keeler - -Reviewed By: rrelyea - -Subscribers: heftig - -Bug #: 1593167 - -Differential Revision: https://phabricator.services.mozilla.com/D54726 - -diff --git a/lib/certdb/stanpcertdb.c b/lib/certdb/stanpcertdb.c ---- a/lib/certdb/stanpcertdb.c -+++ b/lib/certdb/stanpcertdb.c -@@ -340,6 +340,91 @@ CERT_AddTempCertToPerm(CERTCertificate * - return __CERT_AddTempCertToPerm(cert, nickname, trust); - } - -+static CERTCertificate * -+find_cert_by_der_cert(CERTCertDBHandle *handle, SECItem *derCert) -+{ -+ CERTCertificate *cc; -+ NSSCryptoContext *context; -+ NSSCertificate *cert = NULL; -+ NSSCertificate *tempCert = NULL; -+ NSSCertificate *permCert = NULL; -+ NSSDER encoding; -+ nssCertificateStoreTrace lockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; -+ nssCertificateStoreTrace unlockTrace = { NULL, NULL, PR_FALSE, PR_FALSE }; -+ -+ /* We retrieve a certificate instance for derCert in this order: -+ * 1. Look up a temp cert in the crypto context. If it is found -+ * and has a trust object associated, use it. -+ * 2. Look up a perm cert in the trust domain. If it is found, -+ * use it. Otherwise, use the temp cert. 
-+ */ -+ NSSITEM_FROM_SECITEM(&encoding, derCert); -+ context = STAN_GetDefaultCryptoContext(); -+ -+ /* First, see if it is already a temp cert */ -+ tempCert = NSSCryptoContext_FindCertificateByEncodedCertificate(context, -+ &encoding); -+ if (tempCert) { -+ NSSTrust *trust; -+ -+ trust = nssCryptoContext_FindTrustForCertificate(context, tempCert); -+ if (trust) { -+ nssTrust_Destroy(trust); -+ cert = tempCert; -+ tempCert = NULL; -+ } -+ } -+ -+ /* Then, see if it is already a perm cert */ -+ if (!cert && handle) { -+ permCert = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, -+ &encoding); -+ if (permCert) { -+ /* Delete the temp instance */ -+ if (tempCert) { -+ nssCertificateStore_Lock(context->certStore, &lockTrace); -+ nssCertificateStore_RemoveCertLOCKED(context->certStore, -+ tempCert); -+ nssCertificateStore_Unlock(context->certStore, &lockTrace, -+ &unlockTrace); -+ } -+ cert = permCert; -+ permCert = NULL; -+ } else if (tempCert) { -+ cert = tempCert; -+ tempCert = NULL; -+ } -+ } -+ -+ if (tempCert) { -+ nssCertificate_Destroy(tempCert); -+ } -+ if (permCert) { -+ nssCertificate_Destroy(permCert); -+ } -+ -+ if (!cert) { -+ return NULL; -+ } -+ -+ /* Actually, that search ends up going by issuer/serial, -+ * so it is still possible to return a cert with the same -+ * issuer/serial but a different encoding, and we're -+ * going to reject that -+ */ -+ if (!nssItem_Equal(&cert->encoding, &encoding, NULL)) { -+ nssCertificate_Destroy(cert); -+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); -+ return NULL; -+ } -+ -+ cc = STAN_GetCERTCertificateOrRelease(cert); -+ if (!cc) { -+ CERT_MapStanError(); -+ } -+ return cc; -+} -+ - CERTCertificate * - CERT_NewTempCertificate(CERTCertDBHandle *handle, SECItem *derCert, - char *nickname, PRBool isperm, PRBool copyDER) -@@ -351,32 +436,8 @@ CERT_NewTempCertificate(CERTCertDBHandle - NSSCryptoContext *gCC = STAN_GetDefaultCryptoContext(); - NSSTrustDomain *gTD = STAN_GetDefaultTrustDomain(); - if 
(!isperm) { -- NSSDER encoding; -- NSSITEM_FROM_SECITEM(&encoding, derCert); -- /* First, see if it is already a temp cert */ -- c = NSSCryptoContext_FindCertificateByEncodedCertificate(gCC, -- &encoding); -- if (!c && handle) { -- /* Then, see if it is already a perm cert */ -- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, -- &encoding); -- } -- if (c) { -- /* actually, that search ends up going by issuer/serial, -- * so it is still possible to return a cert with the same -- * issuer/serial but a different encoding, and we're -- * going to reject that -- */ -- if (!nssItem_Equal(&c->encoding, &encoding, NULL)) { -- nssCertificate_Destroy(c); -- PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL); -- cc = NULL; -- } else { -- cc = STAN_GetCERTCertificateOrRelease(c); -- if (cc == NULL) { -- CERT_MapStanError(); -- } -- } -+ cc = find_cert_by_der_cert(handle, derCert); -+ if (cc) { - return cc; - } - } -@@ -598,19 +659,7 @@ CERT_FindCertByNickname(CERTCertDBHandle - CERTCertificate * - CERT_FindCertByDERCert(CERTCertDBHandle *handle, SECItem *derCert) - { -- NSSCryptoContext *cc; -- NSSCertificate *c; -- NSSDER encoding; -- NSSITEM_FROM_SECITEM(&encoding, derCert); -- cc = STAN_GetDefaultCryptoContext(); -- c = NSSCryptoContext_FindCertificateByEncodedCertificate(cc, &encoding); -- if (!c) { -- c = NSSTrustDomain_FindCertificateByEncodedCertificate(handle, -- &encoding); -- if (!c) -- return NULL; -- } -- return STAN_GetCERTCertificateOrRelease(c); -+ return find_cert_by_der_cert(handle, derCert); - } - - static CERTCertificate * -diff --git a/lib/pki/pkistore.c b/lib/pki/pkistore.c ---- a/lib/pki/pkistore.c -+++ b/lib/pki/pkistore.c -@@ -27,6 +27,8 @@ - - #include "prbit.h" - -+#include "secerr.h" -+ - /* - * Certificate Store - * -@@ -544,6 +546,13 @@ nssCertificateStore_FindCertificateByEnc - &serial); - PORT_Free(issuer.data); - PORT_Free(serial.data); -+ -+ if (rvCert && !nssItem_Equal(&rvCert->encoding, encoding, NULL)) { -+ 
nssCertificate_Destroy(rvCert);
-+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-+ return NULL;
-+ }
-+
- return rvCert;
- }
- 
-diff --git a/lib/pki/trustdomain.c b/lib/pki/trustdomain.c
---- a/lib/pki/trustdomain.c
-+++ b/lib/pki/trustdomain.c
-@@ -15,6 +15,7 @@
- #include "pk11pub.h"
- #include "nssrwlk.h"
- #include "pk11priv.h"
-+#include "secerr.h"
- 
- #define NSSTRUSTDOMAIN_DEFAULT_CACHE_SIZE 32
- 
-@@ -841,6 +842,13 @@ nssTrustDomain_FindCertificateByEncodedC
- &serial);
- PORT_Free(issuer.data);
- PORT_Free(serial.data);
-+
-+ if (rvCert && !nssItem_Equal(&rvCert->encoding, ber, NULL)) {
-+ nssCertificate_Destroy(rvCert);
-+ PORT_SetError(SEC_ERROR_REUSED_ISSUER_AND_SERIAL);
-+ return NULL;
-+ }
-+
- return rvCert;
- }
- 
Copied: lib32-nss/repos/multilib-testing-x86_64/nss-3.47-certdb-temp-cert.patch (from rev 534944, lib32-nss/trunk/nss-3.47-certdb-temp-cert.patch)
===================================================================
--- nss-3.47-certdb-temp-cert.patch (rev 0)
+++ nss-3.47-certdb-temp-cert.patch 2019-12-03 14:14:19 UTC (rev 534945)
@@ -0,0 +1,21 @@
+diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
+--- a/lib/pki/pki3hack.c
++++ b/lib/pki/pki3hack.c
+@@ -921,11 +921,11 @@
+ }
+ if (!cc->nssCertificate || forceUpdate) {
+ fill_CERTCertificateFields(c, cc, forceUpdate);
+- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
+- !c->object.cryptoContext) {
+- /* if it's a perm cert, it might have been stored before the
+- * trust, so look for the trust again. But a temp cert can be
+- * ignored.
++ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
++ /* If it's a perm cert, it might have been stored before the
++ * trust, so look for the trust again. If it's a temp cert, it
++ * might have been stored before the builtin module is loaded,
++ * so still need to look for the trust again.
+ */
+ CERTCertTrust *trust = NULL;
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+
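Review bot: The replacement patch carries no provenance header — the file it replaces opened with `# HG changeset patch`, a bug number and a Differential Revision link — so the single hunk against lib/pki/pki3hack.c can no longer be traced to an upstream change from the patch file alone. Dropping `!c->object.cryptoContext` from the `else if` means a temp cert whose CERT_GetCertTrust() fails now reaches `trust = nssTrust_GetCERTCertTrustForCert(c, cc);` on every call instead of being skipped; that is evidently the intent for certs imported before the builtin module is loaded, but it also makes every trust-less temp cert repeat that lookup, and whether that is cheap depends on nssTrust_GetCERTCertTrustForCert, which is outside this hunk. A few header lines at the top of the patch file naming the upstream bug it was extracted from and stating that the repeated lookup for temp certs is accepted would cover both points. The enclosing function in pki3hack.c starts and ends outside the hunk (the inner `@@ -921,11 +921,11 @@` header names no function).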