summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorIan Stakenvicius <axs@gentoo.org>2019-01-22 11:46:07 -0500
committerIan Stakenvicius <axs@gentoo.org>2019-01-22 15:03:31 -0500
commit78717184c7294a8a8a444c6a957f7a15358c39b9 (patch)
tree9556bb7dfe7df47fc279dc0fa1919658a4c2b4d9
parentlicenses: Remove unused. (diff)
downloadgentoo-78717184c7294a8a8a444c6a957f7a15358c39b9.tar.gz
gentoo-78717184c7294a8a8a444c6a957f7a15358c39b9.tar.bz2
gentoo-78717184c7294a8a8a444c6a957f7a15358c39b9.zip
dev-libs/nss: patch to fix a rare CMS related crash
Patch forward-ported from 3.36.7 (will also be included in 3.42) Signed-off-by: Ian Stakenvicius <axs@gentoo.org> Package-Manager: Portage-2.3.49, Repoman-2.3.11
-rw-r--r--dev-libs/nss/files/nss-3.36.7-fix-cms.patch531
-rw-r--r--dev-libs/nss/nss-3.40.1-r1.ebuild (renamed from dev-libs/nss/nss-3.41.ebuild)4
-rw-r--r--dev-libs/nss/nss-3.41-r1.ebuild373
3 files changed, 907 insertions, 1 deletions
diff --git a/dev-libs/nss/files/nss-3.36.7-fix-cms.patch b/dev-libs/nss/files/nss-3.36.7-fix-cms.patch
new file mode 100644
index 000000000000..57b4cdaf5a5d
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.36.7-fix-cms.patch
@@ -0,0 +1,531 @@
+From d54a1f812ae23ec11d2af6ed93ba1a11609421a8 Mon Sep 17 00:00:00 2001
+From: "J.C. Jones" <jjones@mozilla.com>
+Date: Mon, 14 Jan 2019 10:35:25 -0700
+Subject: [PATCH] Bug 1507135 - Add additional null checks to CMS message
+ functions r=mt
+
+Differential review: https://phabricator.services.mozilla.com//D16488
+
+--HG--
+branch : NSS_3_36_BRANCH
+extra : transplant_source : 1%02%80%21%BE%C8B%D5%21%D7%0CR%00%ED%B6%EA%84a%FA%23
+---
+ lib/smime/cmsmessage.c | 69 ++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 59 insertions(+), 10 deletions(-)
+
+diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
+index 27d1256ec..f41a432b1 100644
+--- a/lib/smime/cmsmessage.c
++++ b/lib/smime/cmsmessage.c
+@@ -29,8 +29,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+
+ if (poolp == NULL) {
+ poolp = PORT_NewArena(1024); /* XXX what is right value? */
+- if (poolp == NULL)
++ if (poolp == NULL) {
+ return NULL;
++ }
+ poolp_is_ours = PR_TRUE;
+ }
+
+@@ -44,8 +45,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+ if (mark) {
+ PORT_ArenaRelease(poolp, mark);
+ }
+- } else
++ } else {
+ PORT_FreeArena(poolp, PR_FALSE);
++ }
+ return NULL;
+ }
+
+@@ -53,8 +55,9 @@ NSS_CMSMessage_Create(PLArenaPool *poolp)
+ cmsg->poolp_is_ours = poolp_is_ours;
+ cmsg->refCount = 1;
+
+- if (mark)
++ if (mark) {
+ PORT_ArenaUnmark(poolp, mark);
++ }
+
+ return cmsg;
+ }
+@@ -73,8 +76,13 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+ NSSCMSGetDecryptKeyCallback decrypt_key_cb, void *decrypt_key_cb_arg,
+ SECAlgorithmID **detached_digestalgs, SECItem **detached_digests)
+ {
+- if (pwfn)
++ if (cmsg == NULL) {
++ return;
++ }
++ if (pwfn) {
+ PK11_SetPasswordFunc(pwfn);
++ }
++
+ cmsg->pwfn_arg = pwfn_arg;
+ cmsg->decrypt_key_cb = decrypt_key_cb;
+ cmsg->decrypt_key_cb_arg = decrypt_key_cb_arg;
+@@ -89,18 +97,21 @@ void
+ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ {
+ PORT_Assert(cmsg->refCount > 0);
+- if (cmsg->refCount <= 0) /* oops */
++ if (cmsg->refCount <= 0) { /* oops */
+ return;
++ }
+
+ cmsg->refCount--; /* thread safety? */
+- if (cmsg->refCount > 0)
++ if (cmsg->refCount > 0) {
+ return;
++ }
+
+ NSS_CMSContentInfo_Destroy(&(cmsg->contentInfo));
+
+ /* if poolp is not NULL, cmsg is the owner of its arena */
+- if (cmsg->poolp_is_ours)
++ if (cmsg->poolp_is_ours) {
+ PORT_FreeArena(cmsg->poolp, PR_FALSE); /* XXX clear it? */
++ }
+ }
+
+ /*
+@@ -112,8 +123,9 @@ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ NSSCMSMessage *
+ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+ {
+- if (cmsg == NULL)
++ if (cmsg == NULL) {
+ return NULL;
++ }
+
+ PORT_Assert(cmsg->refCount > 0);
+
+@@ -127,6 +139,10 @@ NSS_CMSMessage_Copy(NSSCMSMessage *cmsg)
+ PLArenaPool *
+ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+ {
++ if (cmsg == NULL) {
++ return NULL;
++ }
++
+ return cmsg->poolp;
+ }
+
+@@ -136,6 +152,10 @@ NSS_CMSMessage_GetArena(NSSCMSMessage *cmsg)
+ NSSCMSContentInfo *
+ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+ {
++ if (cmsg == NULL) {
++ return NULL;
++ }
++
+ return &(cmsg->contentInfo);
+ }
+
+@@ -147,6 +167,10 @@ NSS_CMSMessage_GetContentInfo(NSSCMSMessage *cmsg)
+ SECItem *
+ NSS_CMSMessage_GetContent(NSSCMSMessage *cmsg)
+ {
++ if (cmsg == NULL) {
++ return NULL;
++ }
++
+ /* this is a shortcut */
+ NSSCMSContentInfo *cinfo = NSS_CMSMessage_GetContentInfo(cmsg);
+ SECItem *pItem = NSS_CMSContentInfo_GetInnerContent(cinfo);
+@@ -164,6 +188,10 @@ NSS_CMSMessage_ContentLevelCount(NSSCMSMessage *cmsg)
+ int count = 0;
+ NSSCMSContentInfo *cinfo;
+
++ if (cmsg == NULL) {
++ return 0;
++ }
++
+ /* walk down the chain of contentinfos */
+ for (cinfo = &(cmsg->contentInfo); cinfo != NULL;) {
+ count++;
+@@ -183,6 +211,10 @@ NSS_CMSMessage_ContentLevel(NSSCMSMessage *cmsg, int n)
+ int count = 0;
+ NSSCMSContentInfo *cinfo;
+
++ if (cmsg == NULL) {
++ return NULL;
++ }
++
+ /* walk down the chain of contentinfos */
+ for (cinfo = &(cmsg->contentInfo); cinfo != NULL && count < n;
+ cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -200,6 +232,10 @@ NSS_CMSMessage_ContainsCertsOrCrls(NSSCMSMessage *cmsg)
+ {
+ NSSCMSContentInfo *cinfo;
+
++ if (cmsg == NULL) {
++ return PR_FALSE;
++ }
++
+ /* descend into CMS message */
+ for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+ cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -221,6 +257,10 @@ NSS_CMSMessage_IsEncrypted(NSSCMSMessage *cmsg)
+ {
+ NSSCMSContentInfo *cinfo;
+
++ if (cmsg == NULL) {
++ return PR_FALSE;
++ }
++
+ /* walk down the chain of contentinfos */
+ for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+ cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+@@ -251,13 +291,21 @@ NSS_CMSMessage_IsSigned(NSSCMSMessage *cmsg)
+ {
+ NSSCMSContentInfo *cinfo;
+
++ if (cmsg == NULL) {
++ return PR_FALSE;
++ }
++
+ /* walk down the chain of contentinfos */
+ for (cinfo = &(cmsg->contentInfo); cinfo != NULL;
+ cinfo = NSS_CMSContentInfo_GetChildContentInfo(cinfo)) {
+ switch (NSS_CMSContentInfo_GetContentTypeTag(cinfo)) {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+- if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos))
++ if (cinfo->content.signedData == NULL) {
++ return PR_FALSE;
++ }
++ if (!NSS_CMSArray_IsEmpty((void **)cinfo->content.signedData->signerInfos)) {
+ return PR_TRUE;
++ }
+ break;
+ default:
+ /* callback here for generic wrappers? */
+@@ -278,8 +326,9 @@ NSS_CMSMessage_IsContentEmpty(NSSCMSMessage *cmsg, unsigned int minLen)
+ {
+ SECItem *item = NULL;
+
+- if (cmsg == NULL)
++ if (cmsg == NULL) {
+ return PR_TRUE;
++ }
+
+ item = NSS_CMSContentInfo_GetContent(NSS_CMSMessage_GetContentInfo(cmsg));
+
+From fa26771e9515cc82c941fcef689dd797a3e308c3 Mon Sep 17 00:00:00 2001
+From: "J.C. Jones" <jjones@mozilla.com>
+Date: Fri, 11 Jan 2019 22:33:16 -0700
+Subject: [PATCH] Bug 1507174 - Add additional null checks to other CMS
+ functions r=mt
+
+Differential review: https://phabricator.services.mozilla.com//D16383
+
+--HG--
+branch : NSS_3_36_BRANCH
+extra : transplant_source : %B5%A8su%96%5B%BE%F9%CD%93%E0%EE%93a4c%1BYp%09
+---
+ lib/smime/cmscinfo.c | 92 ++++++++++++++++++++++++++++++++++++------
+ lib/smime/cmsdigdata.c | 4 +-
+ lib/smime/cmsencdata.c | 4 +-
+ lib/smime/cmsenvdata.c | 5 +++
+ lib/smime/cmsmessage.c | 3 ++
+ lib/smime/cmsudf.c | 2 +-
+ 6 files changed, 95 insertions(+), 15 deletions(-)
+
+diff --git a/lib/smime/cmscinfo.c b/lib/smime/cmscinfo.c
+index 08db662f8..453ccaada 100644
+--- a/lib/smime/cmscinfo.c
++++ b/lib/smime/cmscinfo.c
+@@ -51,6 +51,10 @@ NSS_CMSContentInfo_Destroy(NSSCMSContentInfo *cinfo)
+ {
+ SECOidTag kind;
+
++ if (cinfo == NULL) {
++ return;
++ }
++
+ kind = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+ switch (kind) {
+ case SEC_OID_PKCS7_ENVELOPED_DATA:
+@@ -86,6 +90,11 @@ NSSCMSContentInfo *
+ NSS_CMSContentInfo_GetChildContentInfo(NSSCMSContentInfo *cinfo)
+ {
+ NSSCMSContentInfo *ccinfo = NULL;
++
++ if (cinfo == NULL) {
++ return NULL;
++ }
++
+ SECOidTag tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+ switch (tag) {
+ case SEC_OID_PKCS7_SIGNED_DATA:
+@@ -127,6 +136,9 @@ SECStatus
+ NSS_CMSContentInfo_SetDontStream(NSSCMSContentInfo *cinfo, PRBool dontStream)
+ {
+ SECStatus rv;
++ if (cinfo == NULL) {
++ return SECFailure;
++ }
+
+ rv = NSS_CMSContentInfo_Private_Init(cinfo);
+ if (rv != SECSuccess) {
+@@ -145,15 +157,20 @@ NSS_CMSContentInfo_SetContent(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
+ SECOidTag type, void *ptr)
+ {
+ SECStatus rv;
++ if (cinfo == NULL || cmsg == NULL) {
++ return SECFailure;
++ }
+
+ cinfo->contentTypeTag = SECOID_FindOIDByTag(type);
+- if (cinfo->contentTypeTag == NULL)
++ if (cinfo->contentTypeTag == NULL) {
+ return SECFailure;
++ }
+
+ /* do not copy the oid, just create a reference */
+ rv = SECITEM_CopyItem(cmsg->poolp, &(cinfo->contentType), &(cinfo->contentTypeTag->oid));
+- if (rv != SECSuccess)
++ if (rv != SECSuccess) {
+ return SECFailure;
++ }
+
+ cinfo->content.pointer = ptr;
+
+@@ -185,8 +202,9 @@ SECStatus
+ NSS_CMSContentInfo_SetContent_Data(NSSCMSMessage *cmsg, NSSCMSContentInfo *cinfo,
+ SECItem *data, PRBool detached)
+ {
+- if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess)
++ if (NSS_CMSContentInfo_SetContent(cmsg, cinfo, SEC_OID_PKCS7_DATA, (void *)data) != SECSuccess) {
+ return SECFailure;
++ }
+ if (detached) {
+ cinfo->rawContent = NULL;
+ }
+@@ -230,6 +248,10 @@ NSS_CMSContentInfo_SetContent_EncryptedData(NSSCMSMessage *cmsg, NSSCMSContentIn
+ void *
+ NSS_CMSContentInfo_GetContent(NSSCMSContentInfo *cinfo)
+ {
++ if (cinfo == NULL) {
++ return NULL;
++ }
++
+ SECOidTag tag = cinfo->contentTypeTag
+ ? cinfo->contentTypeTag->offset
+ : SEC_OID_UNKNOWN;
+@@ -260,6 +282,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+ SECOidTag tag;
+ SECItem *pItem = NULL;
+
++ if (cinfo == NULL) {
++ return NULL;
++ }
++
+ tag = NSS_CMSContentInfo_GetContentTypeTag(cinfo);
+ if (NSS_CMSType_IsData(tag)) {
+ pItem = cinfo->content.data;
+@@ -282,6 +308,10 @@ NSS_CMSContentInfo_GetInnerContent(NSSCMSContentInfo *cinfo)
+ SECOidTag
+ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+ {
++ if (cinfo == NULL) {
++ return SEC_OID_UNKNOWN;
++ }
++
+ if (cinfo->contentTypeTag == NULL)
+ cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
+
+@@ -294,11 +324,17 @@ NSS_CMSContentInfo_GetContentTypeTag(NSSCMSContentInfo *cinfo)
+ SECItem *
+ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+ {
+- if (cinfo->contentTypeTag == NULL)
++ if (cinfo == NULL) {
++ return NULL;
++ }
++
++ if (cinfo->contentTypeTag == NULL) {
+ cinfo->contentTypeTag = SECOID_FindOID(&(cinfo->contentType));
++ }
+
+- if (cinfo->contentTypeTag == NULL)
++ if (cinfo->contentTypeTag == NULL) {
+ return NULL;
++ }
+
+ return &(cinfo->contentTypeTag->oid);
+ }
+@@ -310,8 +346,13 @@ NSS_CMSContentInfo_GetContentTypeOID(NSSCMSContentInfo *cinfo)
+ SECOidTag
+ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+ {
+- if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN)
++ if (cinfo == NULL) {
++ return SEC_OID_UNKNOWN;
++ }
++
++ if (cinfo->contentEncAlgTag == SEC_OID_UNKNOWN) {
+ cinfo->contentEncAlgTag = SECOID_GetAlgorithmTag(&(cinfo->contentEncAlg));
++ }
+
+ return cinfo->contentEncAlgTag;
+ }
+@@ -322,6 +363,10 @@ NSS_CMSContentInfo_GetContentEncAlgTag(NSSCMSContentInfo *cinfo)
+ SECAlgorithmID *
+ NSS_CMSContentInfo_GetContentEncAlg(NSSCMSContentInfo *cinfo)
+ {
++ if (cinfo == NULL) {
++ return NULL;
++ }
++
+ return &(cinfo->contentEncAlg);
+ }
+
+@@ -330,10 +375,14 @@ NSS_CMSContentInfo_SetContentEncAlg(PLArenaPool *poolp, NSSCMSContentInfo *cinfo
+ SECOidTag bulkalgtag, SECItem *parameters, int keysize)
+ {
+ SECStatus rv;
++ if (cinfo == NULL) {
++ return SECFailure;
++ }
+
+ rv = SECOID_SetAlgorithmID(poolp, &(cinfo->contentEncAlg), bulkalgtag, parameters);
+- if (rv != SECSuccess)
++ if (rv != SECSuccess) {
+ return SECFailure;
++ }
+ cinfo->keysize = keysize;
+ return SECSuccess;
+ }
+@@ -343,27 +392,42 @@ NSS_CMSContentInfo_SetContentEncAlgID(PLArenaPool *poolp, NSSCMSContentInfo *cin
+ SECAlgorithmID *algid, int keysize)
+ {
+ SECStatus rv;
++ if (cinfo == NULL) {
++ return SECFailure;
++ }
+
+ rv = SECOID_CopyAlgorithmID(poolp, &(cinfo->contentEncAlg), algid);
+- if (rv != SECSuccess)
++ if (rv != SECSuccess) {
+ return SECFailure;
+- if (keysize >= 0)
++ }
++ if (keysize >= 0) {
+ cinfo->keysize = keysize;
++ }
+ return SECSuccess;
+ }
+
+ void
+ NSS_CMSContentInfo_SetBulkKey(NSSCMSContentInfo *cinfo, PK11SymKey *bulkkey)
+ {
+- cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
+- cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
++ if (cinfo == NULL) {
++ return;
++ }
++
++ if (bulkkey == NULL) {
++ cinfo->bulkkey = NULL;
++ cinfo->keysize = 0;
++ } else {
++ cinfo->bulkkey = PK11_ReferenceSymKey(bulkkey);
++ cinfo->keysize = PK11_GetKeyStrength(cinfo->bulkkey, &(cinfo->contentEncAlg));
++ }
+ }
+
+ PK11SymKey *
+ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+ {
+- if (cinfo->bulkkey == NULL)
++ if (cinfo == NULL || cinfo->bulkkey == NULL) {
+ return NULL;
++ }
+
+ return PK11_ReferenceSymKey(cinfo->bulkkey);
+ }
+@@ -371,5 +435,9 @@ NSS_CMSContentInfo_GetBulkKey(NSSCMSContentInfo *cinfo)
+ int
+ NSS_CMSContentInfo_GetBulkKeySize(NSSCMSContentInfo *cinfo)
+ {
++ if (cinfo == NULL) {
++ return 0;
++ }
++
+ return cinfo->keysize;
+ }
+diff --git a/lib/smime/cmsdigdata.c b/lib/smime/cmsdigdata.c
+index 9ea22702e..a249686bb 100644
+--- a/lib/smime/cmsdigdata.c
++++ b/lib/smime/cmsdigdata.c
+@@ -56,7 +56,9 @@ void
+ NSS_CMSDigestedData_Destroy(NSSCMSDigestedData *digd)
+ {
+ /* everything's in a pool, so don't worry about the storage */
+- NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
++ if (digd != NULL) {
++ NSS_CMSContentInfo_Destroy(&(digd->contentInfo));
++ }
+ return;
+ }
+
+diff --git a/lib/smime/cmsencdata.c b/lib/smime/cmsencdata.c
+index c3a4549ad..8b520b439 100644
+--- a/lib/smime/cmsencdata.c
++++ b/lib/smime/cmsencdata.c
+@@ -87,7 +87,9 @@ void
+ NSS_CMSEncryptedData_Destroy(NSSCMSEncryptedData *encd)
+ {
+ /* everything's in a pool, so don't worry about the storage */
+- NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
++ if (encd != NULL) {
++ NSS_CMSContentInfo_Destroy(&(encd->contentInfo));
++ }
+ return;
+ }
+
+diff --git a/lib/smime/cmsenvdata.c b/lib/smime/cmsenvdata.c
+index f2c8e171d..9bc77be8b 100644
+--- a/lib/smime/cmsenvdata.c
++++ b/lib/smime/cmsenvdata.c
+@@ -144,6 +144,11 @@ NSS_CMSEnvelopedData_Encode_BeforeStart(NSSCMSEnvelopedData *envd)
+ poolp = envd->cmsg->poolp;
+ cinfo = &(envd->contentInfo);
+
++ if (cinfo == NULL) {
++ PORT_SetError(SEC_ERROR_BAD_DATA);
++ goto loser;
++ }
++
+ recipientinfos = envd->recipientInfos;
+ if (recipientinfos == NULL) {
+ PORT_SetError(SEC_ERROR_BAD_DATA);
+diff --git a/lib/smime/cmsmessage.c b/lib/smime/cmsmessage.c
+index f41a432b1..366b71aba 100644
+--- a/lib/smime/cmsmessage.c
++++ b/lib/smime/cmsmessage.c
+@@ -96,6 +96,9 @@ NSS_CMSMessage_SetEncodingParams(NSSCMSMessage *cmsg,
+ void
+ NSS_CMSMessage_Destroy(NSSCMSMessage *cmsg)
+ {
++ if (cmsg == NULL)
++ return;
++
+ PORT_Assert(cmsg->refCount > 0);
+ if (cmsg->refCount <= 0) { /* oops */
+ return;
+diff --git a/lib/smime/cmsudf.c b/lib/smime/cmsudf.c
+index 3ef4268d4..5c8a81e6d 100644
+--- a/lib/smime/cmsudf.c
++++ b/lib/smime/cmsudf.c
+@@ -239,7 +239,7 @@ NSS_CMSGenericWrapperData_Destroy(SECOidTag type, NSSCMSGenericWrapperData *gd)
+ {
+ const nsscmstypeInfo *typeInfo = nss_cmstype_lookup(type);
+
+- if (typeInfo && typeInfo->destroy) {
++ if (typeInfo && (typeInfo->destroy) && (gd != NULL)) {
+ (*typeInfo->destroy)(gd);
+ }
+ }
diff --git a/dev-libs/nss/nss-3.41.ebuild b/dev-libs/nss/nss-3.40.1-r1.ebuild
index 9ce8edd66595..907e54788a66 100644
--- a/dev-libs/nss/nss-3.41.ebuild
+++ b/dev-libs/nss/nss-3.40.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Authors
+# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=7
@@ -43,6 +43,8 @@ PATCHES=(
"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+ # fix for bugs ported forward from 3.36.7
+ "${FILESDIR}/${PN}-3.36.7-fix-cms.patch"
)
src_unpack() {
diff --git a/dev-libs/nss/nss-3.41-r1.ebuild b/dev-libs/nss/nss-3.41-r1.ebuild
new file mode 100644
index 000000000000..907e54788a66
--- /dev/null
+++ b/dev-libs/nss/nss-3.41-r1.ebuild
@@ -0,0 +1,373 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+
+NSPR_VER="4.16"
+RTM_NAME="NSS_${PV//./_}_RTM"
+# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
+PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
+PEM_P="${PN}-pem-20160329"
+
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
+ cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
+ nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+
+LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="cacert +nss-pem utils"
+CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+ >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]"
+DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+ >=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+ ${CDEPEND}"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
+ ${CDEPEND}
+"
+
+RESTRICT="test"
+
+S="${WORKDIR}/${P}/${PN}"
+
+MULTILIB_CHOST_TOOLS=(
+ /usr/bin/nss-config
+)
+
+PATCHES=(
+ # Custom changes for gentoo
+ "${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
+ "${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
+ "${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
+ # fix for bugs ported forward from 3.36.7
+ "${FILESDIR}/${PN}-3.36.7-fix-cms.patch"
+)
+
+src_unpack() {
+ unpack ${A}
+ if use nss-pem ; then
+ mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
+ fi
+}
+
+src_prepare() {
+ if use nss-pem ; then
+ PATCHES+=(
+ "${FILESDIR}/${PN}-3.21-enable-pem.patch"
+ )
+ fi
+ if use cacert ; then #521462
+ PATCHES+=(
+ "${DISTDIR}/${PN}-cacert-class1-class3.patch"
+ )
+ fi
+
+ default
+
+ pushd coreconf >/dev/null || die
+ # hack nspr paths
+ echo 'INCLUDES += -I$(DIST)/include/dbm' \
+ >> headers.mk || die "failed to append include"
+
+ # modify install path
+ sed -e '/CORE_DEPTH/s:SOURCE_PREFIX.*$:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+ -i source.mk || die
+
+ # Respect LDFLAGS
+ sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk
+ popd >/dev/null || die
+
+ # Fix pkgconfig file for Prefix
+ sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+ config/Makefile || die
+
+ # use host shlibsign if need be #436216
+ if tc-is-cross-compiler ; then
+ sed -i \
+ -e 's:"${2}"/shlibsign:shlibsign:' \
+ cmd/shlibsign/sign.sh || die
+ fi
+
+ # dirty hack
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+ lib/ssl/config.mk || die
+ sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+ cmd/platlibs.mk || die
+
+ multilib_copy_sources
+
+ strip-flags
+}
+
+multilib_src_configure() {
+ # Ensure we stay multilib aware
+ sed -i -e "/@libdir@/ s:lib64:$(get_libdir):" config/Makefile || die
+}
+
+nssarch() {
+ # Most of the arches are the same as $ARCH
+ local t=${1:-${CHOST}}
+ case ${t} in
+ aarch64*)echo "aarch64";;
+ hppa*) echo "parisc";;
+ i?86*) echo "i686";;
+ x86_64*) echo "x86_64";;
+ *) tc-arch ${t};;
+ esac
+}
+
+nssbits() {
+ local cc cppflags="${1}CPPFLAGS" cflags="${1}CFLAGS"
+ if [[ ${1} == BUILD_ ]]; then
+ cc=$(tc-getBUILD_CC)
+ else
+ cc=$(tc-getCC)
+ fi
+ echo > "${T}"/test.c || die
+ ${cc} ${!cppflags} ${!cflags} -c "${T}"/test.c -o "${T}/${1}test.o" || die
+ case $(file "${T}/${1}test.o") in
+ *32-bit*x86-64*) echo USE_X32=1;;
+ *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
+ *32-bit*|*ppc*|*i386*) ;;
+ *) die "Failed to detect whether ${cc} builds 64bits or 32bits, disable distcc if you're using it, please";;
+ esac
+}
+
+multilib_src_compile() {
+ # use ABI to determine bit'ness, or fallback if unset
+ local buildbits mybits
+ case "${ABI}" in
+ n32) mybits="USE_N32=1";;
+ x32) mybits="USE_X32=1";;
+ s390x|*64) mybits="USE_64=1";;
+ ${DEFAULT_ABI})
+ einfo "Running compilation test to determine bit'ness"
+ mybits=$(nssbits)
+ ;;
+ esac
+ # bitness of host may differ from target
+ if tc-is-cross-compiler; then
+ buildbits=$(nssbits BUILD_)
+ fi
+
+ local makeargs=(
+ CC="$(tc-getCC)"
+ CCC="$(tc-getCXX)"
+ AR="$(tc-getAR) rc \$@"
+ RANLIB="$(tc-getRANLIB)"
+ OPTIMIZER=
+ ${mybits}
+ )
+
+ # Take care of nspr settings #436216
+ local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
+ unset NSPR_INCLUDE_DIR
+
+ # Do not let `uname` be used.
+ if use kernel_linux ; then
+ makeargs+=(
+ OS_TARGET=Linux
+ OS_RELEASE=2.6
+ OS_TEST="$(nssarch)"
+ )
+ fi
+
+ export NSS_ENABLE_WERROR=0 #567158
+ export BUILD_OPT=1
+ export NSS_USE_SYSTEM_SQLITE=1
+ export NSDISTMODE=copy
+ export NSS_ENABLE_ECC=1
+ export FREEBL_NO_DEPEND=1
+ export ASFLAGS=""
+
+ local d
+
+ # Build the host tools first.
+ LDFLAGS="${BUILD_LDFLAGS}" \
+ XCFLAGS="${BUILD_CFLAGS}" \
+ NSPR_LIB_DIR="${T}/fakedir" \
+ emake -j1 -C coreconf \
+ CC="$(tc-getBUILD_CC)" \
+ ${buildbits:-${mybits}}
+ makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
+
+ # Then build the target tools.
+ for d in . lib/dbm ; do
+ CPPFLAGS="${myCPPFLAGS}" \
+ XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
+ NSPR_LIB_DIR="${T}/fakedir" \
+ emake -j1 "${makeargs[@]}" -C ${d}
+ done
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+# */${local_libdir}/libfreebl3.so*
+# */${local_libdir}/libnssdbm3.so*
+# */${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+ local shlibsign="$1"
+ local libdir="$2"
+ einfo "Resigning core NSS libraries for FIPS validation"
+ shift 2
+ local i
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libname=lib${i}.so
+ local chkname=lib${i}.chk
+ "${shlibsign}" \
+ -i "${libdir}"/${libname} \
+ -o "${libdir}"/${chkname}.tmp \
+ && mv -f \
+ "${libdir}"/${chkname}.tmp \
+ "${libdir}"/${chkname} \
+ || die "Failed to sign ${libname}"
+ done
+}
+
+cleanup_chk() {
+ local libdir="$1"
+ shift 1
+ local i
+ for i in ${NSS_CHK_SIGN_LIBS} ; do
+ local libfname="${libdir}/lib${i}.so"
+ # If the major version has changed, then we have old chk files.
+ [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+ && rm -f "${libfname}.chk"
+ done
+}
+
+multilib_src_install() {
+ pushd dist >/dev/null || die
+
+ dodir /usr/$(get_libdir)
+ cp -L */lib/*$(get_libname) "${ED%/}"/usr/$(get_libdir) || die "copying shared libs failed"
+ local i
+ for i in crmf freebl nssb nssckfw ; do
+ cp -L */lib/lib${i}.a "${ED%/}"/usr/$(get_libdir) || die "copying libs failed"
+ done
+
+ # Install nss-config and pkgconfig file
+ dodir /usr/bin
+ cp -L */bin/nss-config "${ED%/}"/usr/bin || die
+ dodir /usr/$(get_libdir)/pkgconfig
+ cp -L */lib/pkgconfig/nss.pc "${ED%/}"/usr/$(get_libdir)/pkgconfig || die
+
+ # create an nss-softokn.pc from nss.pc for libfreebl and some private headers
+ # bug 517266
+ sed -e 's#Libs:#Libs: -lfreebl#' \
+ -e 's#Cflags:#Cflags: -I${includedir}/private#' \
+ */lib/pkgconfig/nss.pc >"${ED%/}"/usr/$(get_libdir)/pkgconfig/nss-softokn.pc \
+ || die "could not create nss-softokn.pc"
+
+ # all the include files
+ insinto /usr/include/nss
+ doins public/nss/*.{h,api}
+ insinto /usr/include/nss/private
+ doins private/nss/{blapi,alghmac}.h
+
+ popd >/dev/null || die
+
+ local f nssutils
+ # Always enabled because we need it for chk generation.
+ nssutils=( shlibsign )
+
+ if multilib_is_native_abi ; then
+ if use utils; then
+ # The tests we do not need to install.
+ #nssutils_test="bltest crmftest dbtest dertimetest
+ #fipstest remtest sdrtest"
+ # checkcert utils has been removed in nss-3.22:
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1187545
+ # https://hg.mozilla.org/projects/nss/rev/df1729d37870
+ # certcgi has been removed in nss-3.36:
+ # https://bugzilla.mozilla.org/show_bug.cgi?id=1426602
+ nssutils+=(
+ addbuiltin
+ atob
+ baddbdir
+ btoa
+ certutil
+ cmsutil
+ conflict
+ crlutil
+ derdump
+ digest
+ makepqg
+ mangle
+ modutil
+ multinit
+ nonspr10
+ ocspclnt
+ oidcalc
+ p7content
+ p7env
+ p7sign
+ p7verify
+ pk11mode
+ pk12util
+ pp
+ rsaperf
+ selfserv
+ signtool
+ signver
+ ssltap
+ strsclnt
+ symkeyutil
+ tstclnt
+ vfychain
+ vfyserv
+ )
+ # install man-pages for utils (bug #516810)
+ doman doc/nroff/*.1
+ fi
+ pushd dist/*/bin >/dev/null || die
+ for f in ${nssutils[@]}; do
+ dobin ${f}
+ done
+ popd >/dev/null || die
+ fi
+
+ # Prelink breaks the CHK files. We don't have any reliable way to run
+ # shlibsign after prelink.
+ dodir /etc/prelink.conf.d
+ printf -- "-b ${EPREFIX}/usr/$(get_libdir)/lib%s.so\n" ${NSS_CHK_SIGN_LIBS} \
+ > "${ED%/}"/etc/prelink.conf.d/nss.conf
+}
+
+pkg_postinst() {
+ multilib_pkg_postinst() {
+ # We must re-sign the libraries AFTER they are stripped.
+ local shlibsign="${EROOT}/usr/bin/shlibsign"
+ # See if we can execute it (cross-compiling & such). #436216
+ "${shlibsign}" -h >&/dev/null
+ if [[ $? -gt 1 ]] ; then
+ shlibsign="shlibsign"
+ fi
+ generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
+ }
+
+ multilib_foreach_abi multilib_pkg_postinst
+}
+
+pkg_postrm() {
+ multilib_pkg_postrm() {
+ cleanup_chk "${EROOT}"/usr/$(get_libdir)
+ }
+
+ multilib_foreach_abi multilib_pkg_postrm
+}