From: "Jory Pratt" <anarchy@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/mozilla:master commit in: dev-libs/nss/files/, dev-libs/nss/
Date: Sat, 16 Feb 2013 04:15:46 +0000 (UTC)
Message-ID: <1360988119.c1e8497e8681827c4bfdec551e3a1a8611dfa4bd.anarchy@gentoo>
commit: c1e8497e8681827c4bfdec551e3a1a8611dfa4bd
Author: Jory A. Pratt <anarchy <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 16 04:15:19 2013 +0000
Commit: Jory Pratt <anarchy <AT> gentoo <DOT> org>
CommitDate: Sat Feb 16 04:15:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/mozilla.git;a=commit;h=c1e8497e
Fix bug #455558
---
dev-libs/nss/Manifest | 9 +-
dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch | 24 ++
dev-libs/nss/files/nss-3.14.2-x32.patch | 66 ++++
...3.14.3_sync_with_upstream_softokn_changes.patch | 407 ++++++++++++++++++++
dev-libs/nss/nss-3.14.1-r1.ebuild | 271 -------------
.../nss/{nss-3.14.2.ebuild => nss-3.14.3.ebuild} | 11 +-
6 files changed, 508 insertions(+), 280 deletions(-)
diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index cb9d283..6196f57 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -2,10 +2,11 @@ AUX nss-3.12.6-gentoo-fixup-warnings.patch 301 SHA256 e14b227f762bd21875208e2410
AUX nss-3.13.1-solaris-gcc.patch 994 SHA256 2633e73f8bba27fb34b5872464946b1abe03a7e73e544be4f751655c6276487b SHA512 6e06499d39c89fa60b9efac8dc5b38296d9e26003fc7fc9165434e5a545a50845ca920611cd722c9599b3c2652169ea9f0820a327dab74761e3db2dfab22cf0c WHIRLPOOL d1e3822e279361fd2b96c3e1fbac445aeddde0eca53371c0335c054d644f74de07c883466c20c0ab8d1d34f1bc3f8f4f10ff2111d2b4a1fef769bb74081063c7
AUX nss-3.13.5-x32.patch 2304 SHA256 ae402bef2c97cdeac3a00430729d3668167af5f957b1c217e3a79a3d54a3d206 SHA512 c9c4aeca3b7cc62037534b8b6dea04088e07f6d817a4f8a9f3af0de1e494119f140b67b1ed79c8c8af670cd6f86faa5366ae34afe4dda353d5e310c68a8122ee WHIRLPOOL a1507439d64dae60c237c105c3e47d5e20ff80451f97bedfa71b693aa99e9590dfb63f7fdb1bad057a6256159e3efa0a58a5941a9fb4f2d9de7aba3ca7b08102
AUX nss-3.14.1-gentoo-fixups-r1.patch 6370 SHA256 68a7e9f3f05d247825abe364e12289b7924e5e6f079d309b18aa7ef0be90d002 SHA512 8ac25987f330a34dd364ba4ea1eb9378813268d0a47dc6f287ece66184d88d2eb32fb80f8c6ea46815161ef54f6dac2960c8024ef443545d8ffdba43c10405e1 WHIRLPOOL fa45342b098c62daa6b8b798f8bcfec894743b264d50bd0c025f0395b91bd3c354547f4282fa8d9afcb5dd844f9f2590014657d881ab606cc71c2d84ba9ed7ce
+AUX nss-3.14.2-solaris-gcc.patch 659 SHA256 d6ac2638602fcf5d73020efb616c2c16d5775d3a75122cc1681c944ddcd0a07f SHA512 5703fa0d6cd793f9622c331983499ce35f696b71589cac347e2a72d4d377ab53d97f79d9b1396bf1f255a933067ebe2f0e4fb6fca9cc5f3c179275d42a6be9f8 WHIRLPOOL b5f49f0a860598cf508ce7ea97165840ab5c068a00f213591d41101c12ec1e5afbffdbad7c3a1d69ef52c34f4d00da0d1aef4a80829f21209c60908e21a2663a
AUX nss-3.14.2-sqlite.patch 585 SHA256 9672be84ac06e7c041a6704aa03522d75318d801adfedb23f827f62282a712d3 SHA512 e40d674795309e709ee97af8f56af2fc4e4e738d4d5428b4f3d7b2c46b36c07043c1db9f1bf77021c3401736df8ead2b607414eb5dc11120820aa38cda2c81d3 WHIRLPOOL 40fcc0df77d0ba68b2abd4d01356e662e3b277da7e738e4f283b30765044942f0f3ed0cccca69fc916cf1e35394726e66a08792936496732a5945233a82904d1
+AUX nss-3.14.2-x32.patch 1941 SHA256 396e2609aafc24d2a51382f74e2124f3eac615d9ae33a848b1a1cffa2789e1e9 SHA512 2b056701ee0d3af16d93ed965d60a55e46cce2a60c946b922f75461c91284242d32746358637292b0e7cf0013ce906b69c04545e23ca26500ef4028f00b49fe8 WHIRLPOOL 03f49c9547e47068e1ff894fec74163b7fadf6ff7e8c2a3ca0ed5b2a18c40cdb9e7f9dfb9666fd748d595925568606e138a27f2674f9f197d59b932a8777d86c
+AUX nss-3.14.3_sync_with_upstream_softokn_changes.patch 12364 SHA256 34519ce93a62de743caca2904c47df16d94993a0c5f84626a88ababc3ae65156 SHA512 f41e167bcdab7850280b93b433b2cfd10d38657b52de26b6bfd63019b2b542c8a8a9fa0e99b12917239cea2eb686649da595520cf54bd34b64b53add8d7fa03d WHIRLPOOL e8fa84826d5374cae03a59d0ebc02aa405fa4034cf3c7b5f339d6bf2b4716639e212d010dd73629c9dbb9add6da38b27aa2f12b55994f9ed88dcbbd8f65dadc3
DIST nss-3.13.3_pem.support 191571 SHA256 cb6cf7955203514b3c1210c9b32504b0d2f1c158fa9b5d2509ef0bb34b68374c SHA512 223026adbacf2f325f808210cc050f95cb65cb0fe8c6022109a42bd991fd576e2e96beb5ec8e185dbbd649f4bd4516bc0f7fc10401f47eda806ab2d63f0c23a3 WHIRLPOOL 78345665e54fe67f57bc09311567ad525f9a8dae7d17e600a9639fac820fcf9c64e9f4bacc5df3f90b90a224e374ac44e938962c5248189fe76dad7143bf3476
DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43
-DIST nss-3.14.1.tar.gz 5814063 SHA256 80a5d4872da13d0272636ad04e1beddcf8d4572bcc0d47dbea1d12fb592fb7e5 SHA512 f62a7ebcdade8815379f80929c63de1284c3ca3f5c87214cb5b327f6689635118d301969d4ef0e1940c7a426253b13ce54acd68a91abc23ab32626341217580e WHIRLPOOL 8b292433ec764cfe857bd7cb25c216905b785c536176ece14571c9e7017a93c7a8562502645d71eed7da9f5cc52c65564c294a8a2b75ea43bda19049d6c393bb
-DIST nss-3.14.2.tar.gz 6178419 SHA256 a22691209f4c4989812939c7e38c48a1df09f4b80e7ce4c66b66c9a59235ae95 SHA512 65303f09ef09900512da8d19f7f35f50ef07926256bc5b548a665b5f2ea82bf02548bc8464e0f3723014f3f0f3d2e908faf9ef82b564be21adb7da7f5295e137 WHIRLPOOL 71063478b5083e7cad64e06e84fc8a713c45b85ce9d6f0ad1af16c38b5cbb89779fd35c93813644a8d0c0c1e729805b957c44b6b0f7acf60c8032ed0eb98b4a9
-EBUILD nss-3.14.1-r1.ebuild 8036 SHA256 3623df7d0a49c990a5180e6c964e2bc0c325dcab0ed157a5dfc662cdb2d641c1 SHA512 66472b0d4106b80af2455d97edf403be7722324b63cdf90e699b0a2067e8a9127548f5503d0ae413d69bae763c3f2a39210fbf1a46a7e14f8e60864846e87869 WHIRLPOOL 32f07ec3cc57c79508d74a9391fc9ac920255f6c51b1cd71f0d4e2984b954f98e348eaf68464c892c082e7238fc4928c5fd90f422d9b62ac6637c1c125752bdb
-EBUILD nss-3.14.2.ebuild 8081 SHA256 1eb0b25ffb7f3284b7dff580f37f5d97398148dec7c6e6f0fdf51b6bce875531 SHA512 b84cc1b8b5b3cfd84bed418eb89bf10ffa8ce72dca64a2d75c780d8dc6c760308dc9676315e9c59ec4cfbb89efef169bd8447bf24b088e5d7ab1ba014ea6eb1b WHIRLPOOL b3719a5e1763a486b839dd7bb1e70454543d1a0d54f39eda186c593f34a3cc8045148aa7f5e3e1d89dcf00ecd79837df41a6c690174a78a216c09058fc41990d
+DIST nss-3.14.3.tar.gz 6189790 SHA256 d9d366be94d33395597ebf82363fcdedfa693a6d627cf7f6bec025f609d54cc0 SHA512 4e8d8517ffb6d03da274afe9a7c50e2f0a15ffdd83e63f29a445e7aee829a8b7e2fbc772695322bd6acee81c052811735b542978044996156cb52dd7e4c001ec WHIRLPOOL 1c1c341303c8c1a13a10b732ac27d5ac8f3245b220436848bdf3877fb1487dba71654908f58810d49869e5af2a86842c4638415b283114bae0f4fbfaee3c4b29
+EBUILD nss-3.14.3.ebuild 8182 SHA256 87231b9e0044bedc088a759f5b30c0b37513ea4f8f338d59678fa93c49c96ee8 SHA512 55bcce06cfb0ce15609e7ffc1fab4857f12535dbcffbbdb3a05c1c20ddecb1b69d63cbf87e509a324a45785c6a380551bd68c9a0b041136be25455f67abc8283 WHIRLPOOL 9e129dc34a3d88e3424f91bd976acb04cbee4bb846315d1e10f5fe2ba89c9d7e65fbb78e292a03ddf80b7723ddbe4579b3ac4e2fbd6d33ca117f75a606c62a2d
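Review bot: The AUX entries for nss-3.13.1-solaris-gcc.patch and nss-3.13.5-x32.patch stay in the Manifest as context lines, but the only ebuild in this commit that applied them, nss-3.14.1-r1.ebuild, is deleted, and nss-3.14.3.ebuild applies the 3.14.2 variants instead. If no other ebuild references them, drop both files from files/ and regenerate the Manifest so stale patches do not accumulate.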
diff --git a/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch b/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch
new file mode 100644
index 0000000..a23725d
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch
@@ -0,0 +1,24 @@
+--- nss-3.14.2/mozilla/security/coreconf/SunOS5.mk
++++ nss-3.14.2/mozilla/security/coreconf/SunOS5.mk
+@@ -5,6 +5,9 @@
+
+ include $(CORE_DEPTH)/coreconf/UNIX.mk
+
++NS_USE_GCC = 1
++GCC_USE_GNU_LD = 1
++
+ # Sun's WorkShop defines v8, v8plus and v9 architectures.
+ # gcc on Solaris defines v8 and v9 "cpus".
+ # gcc's v9 is equivalent to Workshop's v8plus.
+@@ -71,11 +74,6 @@
+ NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS)
+
+ MKSHLIB = $(CC) $(DSO_LDOPTS) $(RPATH)
+-ifdef NS_USE_GCC
+-ifeq (GNU,$(findstring GNU,$(shell `$(CC) -print-prog-name=ld` -v 2>&1)))
+- GCC_USE_GNU_LD = 1
+-endif
+-endif
+ ifdef MAPFILE
+ ifdef NS_USE_GCC
+ ifdef GCC_USE_GNU_LD
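Review bot: Missing rationale in the SunOS5.mk patch: NS_USE_GCC = 1 and GCC_USE_GNU_LD = 1 are now set unconditionally right after the UNIX.mk include, and the probe of $(CC) -print-prog-name=ld is removed. A gcc that drives a non-GNU linker would now take the GCC_USE_GNU_LD branch under ifdef MAPFILE. Add a header comment to the patch stating that the toolchain on Solaris is assumed to always be gcc with GNU ld, or keep the probe and force only NS_USE_GCC.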
diff --git a/dev-libs/nss/files/nss-3.14.2-x32.patch b/dev-libs/nss/files/nss-3.14.2-x32.patch
new file mode 100644
index 0000000..08c1d19
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.14.2-x32.patch
@@ -0,0 +1,66 @@
+--- nss-3.14.2/mozilla/security/coreconf/Linux.mk
++++ nss-3.14.2/mozilla/security/coreconf/Linux.mk
+@@ -50,21 +50,28 @@
+ else
+ ifeq ($(OS_TEST),alpha)
+ OS_REL_CFLAGS = -D_ALPHA_
+ CPU_ARCH = alpha
+ else
+ ifeq ($(OS_TEST),x86_64)
+ ifeq ($(USE_64),1)
+ CPU_ARCH = x86_64
++ ARCHFLAG = -m64
++else
++ifeq ($(USE_x32),1)
++ OS_REL_CFLAGS = -Di386
++ CPU_ARCH = x86
++ ARCHFLAG = -mx32
+ else
+ OS_REL_CFLAGS = -Di386
+ CPU_ARCH = x86
+ ARCHFLAG = -m32
+ endif
++endif
+ else
+ ifeq ($(OS_TEST),sparc64)
+ CPU_ARCH = sparc
+ else
+ ifeq (,$(filter-out arm% sa110,$(OS_TEST)))
+ CPU_ARCH = arm
+ else
+ ifeq (,$(filter-out parisc%,$(OS_TEST)))
+--- nss-3.14.2/mozilla/security/nss/lib/freebl/Makefile
++++ nss-3.14.2/mozilla/security/nss/lib/freebl/Makefile
+@@ -188,22 +188,26 @@
+ # comment the next two lines to turn off intel HW accelleration
+ DEFINES += -DUSE_HW_AES
+ ASFILES += intel-aes.s intel-gcm.s
+ EXTRA_SRCS += intel-gcm-wrap.c
+ INTEL_GCM = 1
+ MPI_SRCS += mpi_amd64.c mp_comba.c
+ endif
+ ifeq ($(CPU_ARCH),x86)
+- ASFILES = mpi_x86.s
+- DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+- DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
+- DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
+- # The floating point ECC code doesn't work on Linux x86 (bug 311432).
+- #ECL_USE_FP = 1
++ ifeq ($(USE_x32),1)
++ DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
++ else
++ ASFILES = mpi_x86.s
++ DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
++ DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
++ DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
++ # The floating point ECC code doesn't work on Linux x86 (bug 311432).
++ #ECL_USE_FP = 1
++ endif
+ endif
+ ifeq ($(CPU_ARCH),arm)
+ DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
+ DEFINES += -DMP_USE_UINT_DIGIT
+ DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512
+ MPI_SRCS += mpi_arm.c
+ endif
+ endif # Linux
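Review bot: The USE_x32 branch in freebl/Makefile drops ASFILES = mpi_x86.s and the three MP_ASSEMBLY_* defines without a comment saying why, which the next person syncing this patch will need. Add a one-line comment in that branch, and hoist the DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN line above the inner ifeq, since both arms set it. The Linux.mk part also adds ARCHFLAG = -m64 to the USE_64 case, which touches the regular 64-bit build and not only x32; mention that in the patch header.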
diff --git a/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch b/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch
new file mode 100644
index 0000000..9611c13
--- /dev/null
+++ b/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch
@@ -0,0 +1,407 @@
+From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001
+From: Elio Maldonado <emaldona@redhat.com>
+Date: Sat, 9 Feb 2013 17:11:00 -0500
+Subject: [PATCH] Sync up with upstream softokn changes
+
+- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux
+- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
+- It now compiles with the NSS_3_14_3_BETA1 source
+---
+ mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++-------------------
+ 1 files changed, 82 insertions(+), 256 deletions(-)
+
+diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+index 5ac4f39..3780d30 100644
+--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
++++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c
+@@ -46,6 +46,7 @@
+ #include "sechash.h"
+ #include "base.h"
+
++#include "lowkeyi.h"
+ #include "secerr.h"
+
+ #define RSA_BLOCK_MIN_PAD_LEN 8
+@@ -54,9 +55,8 @@
+ #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff
+ #define RSA_BLOCK_AFTER_PAD_OCTET 0x00
+
+-#define OAEP_SALT_LEN 8
+-#define OAEP_PAD_LEN 8
+-#define OAEP_PAD_OCTET 0x00
++/* Needed for RSA-PSS functions */
++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
+
+ #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */
+
+@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk)
+ return 0;
+ }
+
+-static SHA1Context *SHA1_CloneContext(SHA1Context * original)
+-{
+- SHA1Context *clone = NULL;
+- unsigned char *pBuf;
+- int sha1ContextSize = SHA1_FlattenSize(original);
+- SECStatus frv;
+- unsigned char buf[FLAT_BUFSIZE];
+-
+- PORT_Assert(sizeof buf >= sha1ContextSize);
+- if (sizeof buf >= sha1ContextSize) {
+- pBuf = buf;
+- } else {
+- pBuf = nss_ZAlloc(NULL, sha1ContextSize);
+- if (!pBuf)
+- goto done;
+- }
+-
+- frv = SHA1_Flatten(original, pBuf);
+- if (frv == SECSuccess) {
+- clone = SHA1_Resurrect(pBuf, NULL);
+- memset(pBuf, 0, sha1ContextSize);
+- }
+- done:
+- if (pBuf != buf)
+- nss_ZFreeIf(pBuf);
+- return clone;
++/* Constant time comparison of a single byte.
++ * Returns 1 iff a == b, otherwise returns 0.
++ * Note: For ranges of bytes, use constantTimeCompare.
++ */
++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) {
++ unsigned char c = ~(a - b | b - a);
++ c >>= 7;
++ return c;
+ }
+
+-/*
+- * Modify data by XORing it with a special hash of salt.
++/* Constant time comparison of a range of bytes.
++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise
++ * returns 0.
+ */
+-static SECStatus
+-oaep_xor_with_h1(unsigned char *data, unsigned int datalen,
+- unsigned char *salt, unsigned int saltlen)
+-{
+- SHA1Context *sha1cx;
+- unsigned char *dp, *dataend;
+- unsigned char end_octet;
+-
+- sha1cx = SHA1_NewContext();
+- if (sha1cx == NULL) {
+- return SECFailure;
+- }
+-
+- /*
+- * Get a hash of salt started; we will use it several times,
+- * adding in a different end octet (x00, x01, x02, ...).
+- */
+- SHA1_Begin(sha1cx);
+- SHA1_Update(sha1cx, salt, saltlen);
+- end_octet = 0;
+-
+- dp = data;
+- dataend = data + datalen;
+-
+- while (dp < dataend) {
+- SHA1Context *sha1cx_h1;
+- unsigned int sha1len, sha1off;
+- unsigned char sha1[SHA1_LENGTH];
+-
+- /*
+- * Create hash of (salt || end_octet)
+- */
+- sha1cx_h1 = SHA1_CloneContext(sha1cx);
+- SHA1_Update(sha1cx_h1, &end_octet, 1);
+- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1));
+- SHA1_DestroyContext(sha1cx_h1, PR_TRUE);
+- PORT_Assert(sha1len == SHA1_LENGTH);
+-
+- /*
+- * XOR that hash with the data.
+- * When we have fewer than SHA1_LENGTH octets of data
+- * left to xor, use just the low-order ones of the hash.
+- */
+- sha1off = 0;
+- if ((dataend - dp) < SHA1_LENGTH)
+- sha1off = SHA1_LENGTH - (dataend - dp);
+- while (sha1off < SHA1_LENGTH)
+- *dp++ ^= sha1[sha1off++];
+-
+- /*
+- * Bump for next hash chunk.
+- */
+- end_octet++;
+- }
+-
+- SHA1_DestroyContext(sha1cx, PR_TRUE);
+- return SECSuccess;
++static unsigned char constantTimeCompare(const unsigned char *a,
++ const unsigned char *b,
++ unsigned int len) {
++ unsigned char tmp = 0;
++ unsigned int i;
++ for (i = 0; i < len; ++i, ++a, ++b)
++ tmp |= *a ^ *b;
++ return constantTimeEQ8(0x00, tmp);
+ }
+
+-/*
+- * Modify salt by XORing it with a special hash of data.
++/* Constant time conditional.
++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is
++ * not 0 or 1.
+ */
+-static SECStatus
+-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen,
+- unsigned char *data, unsigned int datalen)
++static unsigned int constantTimeCondition(unsigned int c,
++ unsigned int a,
++ unsigned int b)
+ {
+- unsigned char sha1[SHA1_LENGTH];
+- unsigned char *psalt, *psha1, *saltend;
+- SECStatus rv;
+-
+- /*
+- * Create a hash of data.
+- */
+- rv = SHA1_HashBuf(sha1, data, datalen);
+- if (rv != SECSuccess) {
+- return rv;
+- }
+-
+- /*
+- * XOR the low-order octets of that hash with salt.
+- */
+- PORT_Assert(saltlen <= SHA1_LENGTH);
+- saltend = salt + saltlen;
+- psalt = salt;
+- psha1 = sha1 + SHA1_LENGTH - saltlen;
+- while (psalt < saltend) {
+- *psalt++ ^= *psha1++;
+- }
+-
+- return SECSuccess;
++ return (~(c - 1) & a) | ((c - 1) & b);
+ }
+
+ /*
+@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+ unsigned char *block;
+ unsigned char *bp;
+ int padLen;
+- int i;
++ int i, j;
+ SECStatus rv;
+
+ block = (unsigned char *) nss_ZAlloc(NULL, modulusLen);
+@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen,
+ */
+ case RSA_BlockPublic:
+
+- /*
+- * 0x00 || BT || Pad || 0x00 || ActualData
+- * 1 1 padLen 1 data->len
+- * Pad is all non-zero random bytes.
+- */
+- padLen = modulusLen - data->len - 3;
+- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN);
+- if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- for (i = 0; i < padLen; i++) {
+- /* Pad with non-zero random data. */
+- do {
+- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1);
+- } while (rv == SECSuccess
+- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- }
+- bp += padLen;
+- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
+- nsslibc_memcpy(bp, data->data, data->len);
+-
+- break;
+-
+- /*
+- * Blocks intended for public-key operation, using
+- * Optimal Asymmetric Encryption Padding (OAEP).
+- */
+- case RSA_BlockOAEP:
+- /*
+- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData)
+- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N]
+- *
+- * where:
+- * PaddedData is "Pad1 || ActualData [|| Pad2]"
+- * Salt is random data.
+- * Pad1 is all zeros.
+- * Pad2, if present, is random data.
+- * (The "modified" fields are all the same length as the original
+- * unmodified values; they are just xor'd with other values.)
+- *
+- * Modified1 is an XOR of PaddedData with a special octet
+- * string constructed of iterated hashing of Salt (see below).
+- * Modified2 is an XOR of Salt with the low-order octets of
+- * the hash of Modified1 (see farther below ;-).
+- *
+- * Whew!
+- */
+-
+-
+- /*
+- * Salt
+- */
+- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- bp += OAEP_SALT_LEN;
+-
+- /*
+- * Pad1
+- */
+- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN);
+- bp += OAEP_PAD_LEN;
+-
+- /*
+- * Data
+- */
+- nsslibc_memcpy(bp, data->data, data->len);
+- bp += data->len;
+-
+- /*
+- * Pad2
+- */
+- if (bp < (block + modulusLen)) {
+- rv = RNG_GenerateGlobalRandomBytes(bp,
+- block - bp + modulusLen);
+- if (rv != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+- }
+-
+- /*
+- * Now we have the following:
+- * 0x00 || BT || Salt || PaddedData
+- * (From this point on, "Pad1 || Data [|| Pad2]" is treated
+- * as the one entity PaddedData.)
+- *
+- * We need to turn PaddedData into Modified1.
+- */
+- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN,
+- modulusLen - 2 - OAEP_SALT_LEN,
+- block + 2, OAEP_SALT_LEN) != SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+-
+- /*
+- * Now we have:
+- * 0x00 || BT || Salt || Modified1(PaddedData)
+- *
+- * The remaining task is to turn Salt into Modified2.
+- */
+- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN,
+- block + 2 + OAEP_SALT_LEN,
+- modulusLen - 2 - OAEP_SALT_LEN) !=
+- SECSuccess) {
+- nss_ZFreeIf(block);
+- return NULL;
+- }
+-
+- break;
++ /*
++ * 0x00 || BT || Pad || 0x00 || ActualData
++ * 1 1 padLen 1 data->len
++ * Pad is all non-zero random bytes.
++ *
++ * Build the block left to right.
++ * Fill the entire block from Pad to the end with random bytes.
++ * Use the bytes after Pad as a supply of extra random bytes from
++ * which to find replacements for the zero bytes in Pad.
++ * If we need more than that, refill the bytes after Pad with
++ * new random bytes as necessary.
++ */
++ padLen = modulusLen - (data->len + 3);
++ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN);
++ if (padLen < RSA_BLOCK_MIN_PAD_LEN) {
++ nss_ZFreeIf (block);
++ return NULL;
++ }
++ j = modulusLen - 2;
++ rv = RNG_GenerateGlobalRandomBytes(bp, j);
++ if (rv == SECSuccess) {
++ for (i = 0; i < padLen; ) {
++ unsigned char repl;
++ /* Pad with non-zero random data. */
++ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) {
++ ++i;
++ continue;
++ }
++ if (j <= padLen) {
++ rv = RNG_GenerateGlobalRandomBytes(bp + padLen,
++ modulusLen - (2 + padLen));
++ if (rv != SECSuccess)
++ break;
++ j = modulusLen - 2;
++ }
++ do {
++ repl = bp[--j];
++ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen);
++ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) {
++ bp[i++] = repl;
++ }
++ }
++ }
++ if (rv != SECSuccess) {
++ /*sftk_fatalError = PR_TRUE;*/
++ nss_ZFreeIf (block);
++ return NULL;
++ }
++ bp += padLen;
++ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET;
++ nsslibc_memcpy(bp, data->data, data->len);
++ break;
+
+ default:
+ PORT_Assert(0);
+@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen,
+
+ break;
+
+- case RSA_BlockOAEP:
+- /*
+- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2])
+- *
+- * The "2" below is the first octet + the second octet.
+- * (The other fields do not contain the clear values, but are
+- * the same length as the clear values.)
+- */
+- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN
+- + OAEP_PAD_LEN)));
+-
+- result->data = rsa_FormatOneBlock(modulusLen, blockType, data);
+- if (result->data == NULL) {
+- result->len = 0;
+- return SECFailure;
+- }
+- result->len = modulusLen;
+-
+- break;
+-
+ case RSA_BlockRaw:
+ /*
+ * Pad || ActualData
+--
+1.7.1
+
+
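Review bot: In the rsawrapr.c sync, constantTimeEQ8, constantTimeCompare, constantTimeCondition and the eightZeros array are added as file-static, but no added line in the visible hunks calls or reads them, so the file gains unused static definitions and none of the constant-time handling is exercised by rsa_FormatOneBlock or rsa_FormatBlock as patched. Either drop them from this sync or include the caller that needs them. Smaller points: parenthesize the subtractions in ~(a - b | b - a) so the precedence is explicit; remove the commented-out /*sftk_fatalError = PR_TRUE;*/ or replace it with a comment on why this module does not set it; and with case RSA_BlockOAEP removed from rsa_FormatOneBlock, that block type now reaches the default arm, which begins with PORT_Assert(0), so confirm the path still frees block and returns NULL in non-debug builds.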
diff --git a/dev-libs/nss/nss-3.14.1-r1.ebuild b/dev-libs/nss/nss-3.14.1-r1.ebuild
deleted file mode 100644
index 25a32d3..0000000
--- a/dev-libs/nss/nss-3.14.1-r1.ebuild
+++ /dev/null
@@ -1,271 +0,0 @@
-# Copyright 1999-2013 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.9 2013/01/21 18:39:38 vapier Exp $
-
-EAPI=3
-inherit eutils flag-o-matic multilib toolchain-funcs
-
-NSPR_VER="4.9.2"
-RTM_NAME="NSS_${PV//./_}_RTM"
-
-DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
-SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
- http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch
- http://dev.gentoo.org/~anarchy/patches/${PN}-3.13.3_pem.support"
-
-LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
-IUSE="utils"
-
-DEPEND="virtual/pkgconfig
- >=dev-libs/nspr-${NSPR_VER}"
-
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}
- >=dev-db/sqlite-3.5
- sys-libs/zlib"
-
-src_setup() {
- export LC_ALL="C"
-}
-
-src_prepare() {
- # Custom changes for gentoo
- epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups-r1.patch"
- epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch"
- epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
- epatch "${DISTDIR}/${PN}-3.13.3_pem.support"
- epatch "${FILESDIR}/${PN}-3.13.5-x32.patch"
-
- cd "${S}"/mozilla/security/coreconf || die
- # hack nspr paths
- echo 'INCLUDES += -I$(DIST)/include/dbm' \
- >> headers.mk || die "failed to append include"
-
- # modify install path
- sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
- -i source.mk || die
-
- # Respect LDFLAGS
- sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die
-
- # Ensure we stay multilib aware
- sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib"
-
- # Fix pkgconfig file for Prefix
- sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
- "${S}"/mozilla/security/nss/config/Makefile || die
-
- epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch"
-
- # use host shlibsign if need be #436216
- if tc-is-cross-compiler ; then
- sed -i \
- -e 's:"${2}"/shlibsign:shlibsign:' \
- "${S}"/mozilla/security/nss/cmd/shlibsign/sign.sh || die
- fi
-
- # dirty hack
- cd "${S}"/mozilla/security/nss || die
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
- lib/ssl/config.mk || die
- sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
- cmd/platlibs.mk || die
-}
-
-nssarch() {
- # Most of the arches are the same as $ARCH
- local t=${1:-${CHOST}}
- case ${t} in
- hppa*) echo "parisc";;
- i?86*) echo "i686";;
- x86_64*) echo "x86_64";;
- *) tc-arch ${t};;
- esac
-}
-
-nssbits() {
- echo > "${T}"/test.c || die
- ${!1} ${CPPFLAGS} ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o || die
- case $(file "${T}"/test.o) in
- *32-bit*x86-64*) echo USE_x32=1;;
- *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;;
- *32-bit*|*ppc*|*i386*) ;;
- *) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";;
- esac
-}
-
-src_compile() {
- strip-flags
-
- tc-export AR RANLIB {BUILD_,}{CC,PKG_CONFIG}
- local makeargs=(
- CC="${CC}"
- AR="${AR} rc \$@"
- RANLIB="${RANLIB}"
- OPTIMIZER=
- $(nssbits CC)
- )
-
- # Take care of nspr settings #436216
- append-cppflags $(${PKG_CONFIG} nspr --cflags)
- append-ldflags $(${PKG_CONFIG} nspr --libs-only-L)
- unset NSPR_INCLUDE_DIR
- export NSPR_LIB_DIR=${T}/fake-dir
-
- # Do not let `uname` be used.
- if use kernel_linux ; then
- makeargs+=(
- OS_TARGET=Linux
- OS_RELEASE=2.6
- OS_TEST="$(nssarch)"
- )
- fi
-
- export BUILD_OPT=1
- export NSS_USE_SYSTEM_SQLITE=1
- export NSDISTMODE=copy
- export NSS_ENABLE_ECC=1
- export XCFLAGS="${CFLAGS} ${CPPFLAGS}"
- export FREEBL_NO_DEPEND=1
- export ASFLAGS=""
-
- local d
-
- # Build the host tools first.
- LDFLAGS="${BUILD_LDFLAGS}" \
- XCFLAGS="${BUILD_CFLAGS}" \
- emake -j1 -C mozilla/security/coreconf \
- CC="${BUILD_CC}" \
- $(nssbits BUILD_CC) \
- || die
- makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
-
- # Then build the target tools.
- for d in dbm nss ; do
- emake -j1 "${makeargs[@]}" -C mozilla/security/${d} || die "${d} make failed"
- done
-}
-
-# Altering these 3 libraries breaks the CHK verification.
-# All of the following cause it to break:
-# - stripping
-# - prelink
-# - ELF signing
-# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
-# Either we have to NOT strip them, or we have to forcibly resign after
-# stripping.
-#local_libdir="$(get_libdir)"
-#export STRIP_MASK="
-# */${local_libdir}/libfreebl3.so*
-# */${local_libdir}/libnssdbm3.so*
-# */${local_libdir}/libsoftokn3.so*"
-
-export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
-
-generate_chk() {
- local shlibsign="$1"
- local libdir="$2"
- einfo "Resigning core NSS libraries for FIPS validation"
- shift 2
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libname=lib${i}.so
- local chkname=lib${i}.chk
- "${shlibsign}" \
- -i "${libdir}"/${libname} \
- -o "${libdir}"/${chkname}.tmp \
- && mv -f \
- "${libdir}"/${chkname}.tmp \
- "${libdir}"/${chkname} \
- || die "Failed to sign ${libname}"
- done
-}
-
-cleanup_chk() {
- local libdir="$1"
- shift 1
- local i
- for i in ${NSS_CHK_SIGN_LIBS} ; do
- local libfname="${libdir}/lib${i}.so"
- # If the major version has changed, then we have old chk files.
- [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
- && rm -f "${libfname}.chk"
- done
-}
-
-src_install () {
- MINOR_VERSION=12
- cd "${S}"/mozilla/security/dist || die
-
- dodir /usr/$(get_libdir) || die
- cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
- # We generate these after stripping the libraries, else they don't match.
- #cp -L */lib/*.chk "${ED}"/usr/$(get_libdir) || die "copying chk files failed"
- cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
-
- # Install nss-config and pkgconfig file
- dodir /usr/bin || die
- cp -L */bin/nss-config "${ED}"/usr/bin || die
- dodir /usr/$(get_libdir)/pkgconfig || die
- cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
-
- # all the include files
- insinto /usr/include/nss
- doins public/nss/*.h || die
- cd "${ED}"/usr/$(get_libdir) || die
- local n file
- for file in *$(get_libname); do
- n=${file%$(get_libname)}$(get_libname ${MINOR_VERSION})
- mv ${file} ${n} || die
- ln -s ${n} ${file} || die
- if [[ ${CHOST} == *-darwin* ]]; then
- install_name_tool -id "${EPREFIX}/usr/$(get_libdir)/${n}" ${n} || die
- fi
- done
-
- local f nssutils
- # Always enabled because we need it for chk generation.
- nssutils="shlibsign"
- if use utils; then
- # The tests we do not need to install.
- #nssutils_test="bltest crmftest dbtest dertimetest
- #fipstest remtest sdrtest"
- nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
- cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
- nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
- pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
- symkeyutil tstclnt vfychain vfyserv"
- fi
- cd "${S}"/mozilla/security/dist/*/bin/ || die
- for f in $nssutils; do
- dobin ${f} || die
- done
-
- # Prelink breaks the CHK files. We don't have any reliable way to run
- # shlibsign after prelink.
- local l libs=()
- for l in ${NSS_CHK_SIGN_LIBS} ; do
- libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
- done
- OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}"
- echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" || die
- unset libs liblist
- doenvd "${T}/90nss" || die
-}
-
-pkg_postinst() {
- # We must re-sign the libraries AFTER they are stripped.
- local shlibsign="${EROOT}/usr/bin/shlibsign"
- # See if we can execute it (cross-compiling & such). #436216
- "${shlibsign}" -h >&/dev/null
- if [[ $? -gt 1 ]] ; then
- shlibsign="shlibsign"
- fi
- generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir)
-}
-
-pkg_postrm() {
- cleanup_chk "${EROOT}"/usr/$(get_libdir)
-}
diff --git a/dev-libs/nss/nss-3.14.2.ebuild b/dev-libs/nss/nss-3.14.3.ebuild
similarity index 94%
rename from dev-libs/nss/nss-3.14.2.ebuild
rename to dev-libs/nss/nss-3.14.3.ebuild
index d889d43..05025dd 100644
--- a/dev-libs/nss/nss-3.14.2.ebuild
+++ b/dev-libs/nss/nss-3.14.3.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.9 2013/01/21 18:39:38 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.2.ebuild,v 1.1 2013/02/15 13:30:12 polynomial-c Exp $
EAPI=3
inherit eutils flag-o-matic multilib toolchain-funcs
@@ -16,7 +16,7 @@ SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}
LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
SLOT="0"
-KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
IUSE="utils"
DEPEND="virtual/pkgconfig
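Review bot: KEYWORDS loses every stable keyword (amd64 hppa ppc ppc64 sparc x86 all become ~arch) and gains ~s390 ~sh, while the same commit deletes nss-3.14.1-r1.ebuild, which carried the same stable keywords. As far as this diff shows, that leaves no stable-keyworded nss ebuild here, and the commit message, which is only a bug reference, does not mention it. If that is intended, say so in the commit message; otherwise keep a stable ebuild until 3.14.3 is stabilized.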
@@ -33,10 +33,12 @@ src_setup() {
src_prepare() {
# Custom changes for gentoo
epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups-r1.patch"
- epatch "${FILESDIR}/${PN}-3.14.2-sqlite.patch"
epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch"
epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch"
epatch "${DISTDIR}/${PN}-3.13.3_pem.support"
+ epatch "${FILESDIR}/${PN}-3.14.2-x32.patch"
+ epatch "${FILESDIR}/${PN}-3.14.2-sqlite.patch"
+ epatch "${FILESDIR}/${PN}-3.14.3_sync_with_upstream_softokn_changes.patch"
cd "${S}"/mozilla/security/coreconf || die
# hack nspr paths
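Review bot: The ordering dependency of the new epatch lines is undocumented: ${PN}-3.14.3_sync_with_upstream_softokn_changes.patch edits mozilla/security/nss/lib/ckfw/pem/rsawrapr.c (per that patch's own diffstat), so it has to run after the epatch that provides the pem module, presumably ${PN}-3.13.3_pem.support. Add a comment above it saying so. The move of ${PN}-3.14.2-sqlite.patch below the DISTDIR patches also needs a word on whether the order matters.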
@@ -57,8 +59,7 @@ src_prepare() {
sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
"${S}"/mozilla/security/nss/config/Makefile || die
- # Check to see if porting is required.
- # epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch"
+ epatch "${FILESDIR}/nss-3.14.2-solaris-gcc.patch"
# use host shlibsign if need be #436216
if tc-is-cross-compiler ; then