From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 4689B138A73 for ; Sat, 16 Feb 2013 04:15:53 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E3DFAE0478; Sat, 16 Feb 2013 04:15:51 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4F5D9E0478 for ; Sat, 16 Feb 2013 04:15:51 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id E438B33D99E for ; Sat, 16 Feb 2013 04:15:49 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id CC2BBE4073 for ; Sat, 16 Feb 2013 04:15:46 +0000 (UTC) From: "Jory Pratt" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jory Pratt" Message-ID: <1360988119.c1e8497e8681827c4bfdec551e3a1a8611dfa4bd.anarchy@gentoo> Subject: [gentoo-commits] proj/mozilla:master commit in: dev-libs/nss/files/, dev-libs/nss/ X-VCS-Repository: proj/mozilla X-VCS-Files: dev-libs/nss/Manifest dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch dev-libs/nss/files/nss-3.14.2-x32.patch dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch dev-libs/nss/nss-3.14.1-r1.ebuild dev-libs/nss/nss-3.14.2.ebuild dev-libs/nss/nss-3.14.3.ebuild X-VCS-Directories: dev-libs/nss/files/ dev-libs/nss/ X-VCS-Committer: anarchy X-VCS-Committer-Name: Jory Pratt X-VCS-Revision: c1e8497e8681827c4bfdec551e3a1a8611dfa4bd X-VCS-Branch: master Date: Sat, 16 Feb 2013 04:15:46 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 0e23b916-cd45-4306-bd27-5cf77e8ce752 X-Archives-Hash: 6e91029d47ef9abd22d994149bca9e41 commit: c1e8497e8681827c4bfdec551e3a1a8611dfa4bd Author: Jory A. Pratt gentoo org> AuthorDate: Sat Feb 16 04:15:19 2013 +0000 Commit: Jory Pratt gentoo org> CommitDate: Sat Feb 16 04:15:19 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/mozilla.git;a=commit;h=c1e8497e Fix bug #455558 --- dev-libs/nss/Manifest | 9 +- dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch | 24 ++ dev-libs/nss/files/nss-3.14.2-x32.patch | 66 ++++ ...3.14.3_sync_with_upstream_softokn_changes.patch | 407 ++++++++++++++++++++ dev-libs/nss/nss-3.14.1-r1.ebuild | 271 ------------- .../nss/{nss-3.14.2.ebuild => nss-3.14.3.ebuild} | 11 +- 6 files changed, 508 insertions(+), 280 deletions(-) diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest index cb9d283..6196f57 100644 --- a/dev-libs/nss/Manifest +++ b/dev-libs/nss/Manifest @@ -2,10 +2,11 @@ AUX nss-3.12.6-gentoo-fixup-warnings.patch 301 SHA256 e14b227f762bd21875208e2410 AUX nss-3.13.1-solaris-gcc.patch 994 SHA256 2633e73f8bba27fb34b5872464946b1abe03a7e73e544be4f751655c6276487b SHA512 6e06499d39c89fa60b9efac8dc5b38296d9e26003fc7fc9165434e5a545a50845ca920611cd722c9599b3c2652169ea9f0820a327dab74761e3db2dfab22cf0c WHIRLPOOL d1e3822e279361fd2b96c3e1fbac445aeddde0eca53371c0335c054d644f74de07c883466c20c0ab8d1d34f1bc3f8f4f10ff2111d2b4a1fef769bb74081063c7 AUX nss-3.13.5-x32.patch 2304 SHA256 ae402bef2c97cdeac3a00430729d3668167af5f957b1c217e3a79a3d54a3d206 SHA512 c9c4aeca3b7cc62037534b8b6dea04088e07f6d817a4f8a9f3af0de1e494119f140b67b1ed79c8c8af670cd6f86faa5366ae34afe4dda353d5e310c68a8122ee WHIRLPOOL a1507439d64dae60c237c105c3e47d5e20ff80451f97bedfa71b693aa99e9590dfb63f7fdb1bad057a6256159e3efa0a58a5941a9fb4f2d9de7aba3ca7b08102 AUX nss-3.14.1-gentoo-fixups-r1.patch 6370 SHA256 68a7e9f3f05d247825abe364e12289b7924e5e6f079d309b18aa7ef0be90d002 SHA512 8ac25987f330a34dd364ba4ea1eb9378813268d0a47dc6f287ece66184d88d2eb32fb80f8c6ea46815161ef54f6dac2960c8024ef443545d8ffdba43c10405e1 WHIRLPOOL fa45342b098c62daa6b8b798f8bcfec894743b264d50bd0c025f0395b91bd3c354547f4282fa8d9afcb5dd844f9f2590014657d881ab606cc71c2d84ba9ed7ce +AUX nss-3.14.2-solaris-gcc.patch 659 SHA256 d6ac2638602fcf5d73020efb616c2c16d5775d3a75122cc1681c944ddcd0a07f SHA512 5703fa0d6cd793f9622c331983499ce35f696b71589cac347e2a72d4d377ab53d97f79d9b1396bf1f255a933067ebe2f0e4fb6fca9cc5f3c179275d42a6be9f8 WHIRLPOOL b5f49f0a860598cf508ce7ea97165840ab5c068a00f213591d41101c12ec1e5afbffdbad7c3a1d69ef52c34f4d00da0d1aef4a80829f21209c60908e21a2663a AUX nss-3.14.2-sqlite.patch 585 SHA256 9672be84ac06e7c041a6704aa03522d75318d801adfedb23f827f62282a712d3 SHA512 e40d674795309e709ee97af8f56af2fc4e4e738d4d5428b4f3d7b2c46b36c07043c1db9f1bf77021c3401736df8ead2b607414eb5dc11120820aa38cda2c81d3 WHIRLPOOL 40fcc0df77d0ba68b2abd4d01356e662e3b277da7e738e4f283b30765044942f0f3ed0cccca69fc916cf1e35394726e66a08792936496732a5945233a82904d1 +AUX nss-3.14.2-x32.patch 1941 SHA256 396e2609aafc24d2a51382f74e2124f3eac615d9ae33a848b1a1cffa2789e1e9 SHA512 2b056701ee0d3af16d93ed965d60a55e46cce2a60c946b922f75461c91284242d32746358637292b0e7cf0013ce906b69c04545e23ca26500ef4028f00b49fe8 WHIRLPOOL 03f49c9547e47068e1ff894fec74163b7fadf6ff7e8c2a3ca0ed5b2a18c40cdb9e7f9dfb9666fd748d595925568606e138a27f2674f9f197d59b932a8777d86c +AUX nss-3.14.3_sync_with_upstream_softokn_changes.patch 12364 SHA256 34519ce93a62de743caca2904c47df16d94993a0c5f84626a88ababc3ae65156 SHA512 f41e167bcdab7850280b93b433b2cfd10d38657b52de26b6bfd63019b2b542c8a8a9fa0e99b12917239cea2eb686649da595520cf54bd34b64b53add8d7fa03d WHIRLPOOL e8fa84826d5374cae03a59d0ebc02aa405fa4034cf3c7b5f339d6bf2b4716639e212d010dd73629c9dbb9add6da38b27aa2f12b55994f9ed88dcbbd8f65dadc3 DIST nss-3.13.3_pem.support 191571 SHA256 cb6cf7955203514b3c1210c9b32504b0d2f1c158fa9b5d2509ef0bb34b68374c SHA512 223026adbacf2f325f808210cc050f95cb65cb0fe8c6022109a42bd991fd576e2e96beb5ec8e185dbbd649f4bd4516bc0f7fc10401f47eda806ab2d63f0c23a3 WHIRLPOOL 78345665e54fe67f57bc09311567ad525f9a8dae7d17e600a9639fac820fcf9c64e9f4bacc5df3f90b90a224e374ac44e938962c5248189fe76dad7143bf3476 DIST nss-3.14.1-add_spi+cacerts_ca_certs.patch 25018 SHA256 82ca25982828fd7153ad15fc6e81408c115476eeeb4045d3a71469380b56824b SHA512 2aafbd972b073061bfd66a66a4b50060691957f2910f716f7a69d22d655c499f186f05db2101bea5248a00949f339327ba8bfffec024c61c8ee908766201ae00 WHIRLPOOL c9fe397e316dac7983b187acf7227078ebd8f8da5df53f77f2564489e85f123c4d2afb88d56e8dc14b9ebfffe8a71ade4724b3c1ea683c5c4c487cb3a64eda43 -DIST nss-3.14.1.tar.gz 5814063 SHA256 80a5d4872da13d0272636ad04e1beddcf8d4572bcc0d47dbea1d12fb592fb7e5 SHA512 f62a7ebcdade8815379f80929c63de1284c3ca3f5c87214cb5b327f6689635118d301969d4ef0e1940c7a426253b13ce54acd68a91abc23ab32626341217580e WHIRLPOOL 8b292433ec764cfe857bd7cb25c216905b785c536176ece14571c9e7017a93c7a8562502645d71eed7da9f5cc52c65564c294a8a2b75ea43bda19049d6c393bb -DIST nss-3.14.2.tar.gz 6178419 SHA256 a22691209f4c4989812939c7e38c48a1df09f4b80e7ce4c66b66c9a59235ae95 SHA512 65303f09ef09900512da8d19f7f35f50ef07926256bc5b548a665b5f2ea82bf02548bc8464e0f3723014f3f0f3d2e908faf9ef82b564be21adb7da7f5295e137 WHIRLPOOL 71063478b5083e7cad64e06e84fc8a713c45b85ce9d6f0ad1af16c38b5cbb89779fd35c93813644a8d0c0c1e729805b957c44b6b0f7acf60c8032ed0eb98b4a9 -EBUILD nss-3.14.1-r1.ebuild 8036 SHA256 3623df7d0a49c990a5180e6c964e2bc0c325dcab0ed157a5dfc662cdb2d641c1 SHA512 66472b0d4106b80af2455d97edf403be7722324b63cdf90e699b0a2067e8a9127548f5503d0ae413d69bae763c3f2a39210fbf1a46a7e14f8e60864846e87869 WHIRLPOOL 32f07ec3cc57c79508d74a9391fc9ac920255f6c51b1cd71f0d4e2984b954f98e348eaf68464c892c082e7238fc4928c5fd90f422d9b62ac6637c1c125752bdb -EBUILD nss-3.14.2.ebuild 8081 SHA256 1eb0b25ffb7f3284b7dff580f37f5d97398148dec7c6e6f0fdf51b6bce875531 SHA512 b84cc1b8b5b3cfd84bed418eb89bf10ffa8ce72dca64a2d75c780d8dc6c760308dc9676315e9c59ec4cfbb89efef169bd8447bf24b088e5d7ab1ba014ea6eb1b WHIRLPOOL b3719a5e1763a486b839dd7bb1e70454543d1a0d54f39eda186c593f34a3cc8045148aa7f5e3e1d89dcf00ecd79837df41a6c690174a78a216c09058fc41990d +DIST nss-3.14.3.tar.gz 6189790 SHA256 d9d366be94d33395597ebf82363fcdedfa693a6d627cf7f6bec025f609d54cc0 SHA512 4e8d8517ffb6d03da274afe9a7c50e2f0a15ffdd83e63f29a445e7aee829a8b7e2fbc772695322bd6acee81c052811735b542978044996156cb52dd7e4c001ec WHIRLPOOL 1c1c341303c8c1a13a10b732ac27d5ac8f3245b220436848bdf3877fb1487dba71654908f58810d49869e5af2a86842c4638415b283114bae0f4fbfaee3c4b29 +EBUILD nss-3.14.3.ebuild 8182 SHA256 87231b9e0044bedc088a759f5b30c0b37513ea4f8f338d59678fa93c49c96ee8 SHA512 55bcce06cfb0ce15609e7ffc1fab4857f12535dbcffbbdb3a05c1c20ddecb1b69d63cbf87e509a324a45785c6a380551bd68c9a0b041136be25455f67abc8283 WHIRLPOOL 9e129dc34a3d88e3424f91bd976acb04cbee4bb846315d1e10f5fe2ba89c9d7e65fbb78e292a03ddf80b7723ddbe4579b3ac4e2fbd6d33ca117f75a606c62a2d diff --git a/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch b/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch new file mode 100644 index 0000000..a23725d --- /dev/null +++ b/dev-libs/nss/files/nss-3.14.2-solaris-gcc.patch @@ -0,0 +1,24 @@ +--- nss-3.14.2/mozilla/security/coreconf/SunOS5.mk ++++ nss-3.14.2/mozilla/security/coreconf/SunOS5.mk +@@ -5,6 +5,9 @@ + + include $(CORE_DEPTH)/coreconf/UNIX.mk + ++NS_USE_GCC = 1 ++GCC_USE_GNU_LD = 1 ++ + # Sun's WorkShop defines v8, v8plus and v9 architectures. + # gcc on Solaris defines v8 and v9 "cpus". + # gcc's v9 is equivalent to Workshop's v8plus. +@@ -71,11 +74,6 @@ + NOMD_OS_CFLAGS += $(DSO_CFLAGS) $(OS_DEFINES) $(SOL_CFLAGS) + + MKSHLIB = $(CC) $(DSO_LDOPTS) $(RPATH) +-ifdef NS_USE_GCC +-ifeq (GNU,$(findstring GNU,$(shell `$(CC) -print-prog-name=ld` -v 2>&1))) +- GCC_USE_GNU_LD = 1 +-endif +-endif + ifdef MAPFILE + ifdef NS_USE_GCC + ifdef GCC_USE_GNU_LD diff --git a/dev-libs/nss/files/nss-3.14.2-x32.patch b/dev-libs/nss/files/nss-3.14.2-x32.patch new file mode 100644 index 0000000..08c1d19 --- /dev/null +++ b/dev-libs/nss/files/nss-3.14.2-x32.patch @@ -0,0 +1,66 @@ +--- nss-3.14.2/mozilla/security/coreconf/Linux.mk ++++ nss-3.14.2/mozilla/security/coreconf/Linux.mk +@@ -50,21 +50,28 @@ + else + ifeq ($(OS_TEST),alpha) + OS_REL_CFLAGS = -D_ALPHA_ + CPU_ARCH = alpha + else + ifeq ($(OS_TEST),x86_64) + ifeq ($(USE_64),1) + CPU_ARCH = x86_64 ++ ARCHFLAG = -m64 ++else ++ifeq ($(USE_x32),1) ++ OS_REL_CFLAGS = -Di386 ++ CPU_ARCH = x86 ++ ARCHFLAG = -mx32 + else + OS_REL_CFLAGS = -Di386 + CPU_ARCH = x86 + ARCHFLAG = -m32 + endif ++endif + else + ifeq ($(OS_TEST),sparc64) + CPU_ARCH = sparc + else + ifeq (,$(filter-out arm% sa110,$(OS_TEST))) + CPU_ARCH = arm + else + ifeq (,$(filter-out parisc%,$(OS_TEST))) +--- nss-3.14.2/mozilla/security/nss/lib/freebl/Makefile ++++ nss-3.14.2/mozilla/security/nss/lib/freebl/Makefile +@@ -188,22 +188,26 @@ + # comment the next two lines to turn off intel HW accelleration + DEFINES += -DUSE_HW_AES + ASFILES += intel-aes.s intel-gcm.s + EXTRA_SRCS += intel-gcm-wrap.c + INTEL_GCM = 1 + MPI_SRCS += mpi_amd64.c mp_comba.c + endif + ifeq ($(CPU_ARCH),x86) +- ASFILES = mpi_x86.s +- DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE +- DEFINES += -DMP_ASSEMBLY_DIV_2DX1D +- DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN +- # The floating point ECC code doesn't work on Linux x86 (bug 311432). +- #ECL_USE_FP = 1 ++ ifeq ($(USE_x32),1) ++ DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN ++ else ++ ASFILES = mpi_x86.s ++ DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE ++ DEFINES += -DMP_ASSEMBLY_DIV_2DX1D ++ DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN ++ # The floating point ECC code doesn't work on Linux x86 (bug 311432). ++ #ECL_USE_FP = 1 ++ endif + endif + ifeq ($(CPU_ARCH),arm) + DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE + DEFINES += -DMP_USE_UINT_DIGIT + DEFINES += -DSHA_NO_LONG_LONG # avoid 64-bit arithmetic in SHA512 + MPI_SRCS += mpi_arm.c + endif + endif # Linux diff --git a/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch b/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch new file mode 100644 index 0000000..9611c13 --- /dev/null +++ b/dev-libs/nss/files/nss-3.14.3_sync_with_upstream_softokn_changes.patch @@ -0,0 +1,407 @@ +From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001 +From: Elio Maldonado +Date: Sat, 9 Feb 2013 17:11:00 -0500 +Subject: [PATCH] Sync up with upstream softokn changes + +- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux +- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 +- It now compiles with the NSS_3_14_3_BETA1 source +--- + mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++------------------- + 1 files changed, 82 insertions(+), 256 deletions(-) + +diff --git a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c +index 5ac4f39..3780d30 100644 +--- a/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c ++++ b/mozilla/security/nss/lib/ckfw/pem/rsawrapr.c +@@ -46,6 +46,7 @@ + #include "sechash.h" + #include "base.h" + ++#include "lowkeyi.h" + #include "secerr.h" + + #define RSA_BLOCK_MIN_PAD_LEN 8 +@@ -54,9 +55,8 @@ + #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff + #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 + +-#define OAEP_SALT_LEN 8 +-#define OAEP_PAD_LEN 8 +-#define OAEP_PAD_OCTET 0x00 ++/* Needed for RSA-PSS functions */ ++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + + #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. */ + +@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) + return 0; + } + +-static SHA1Context *SHA1_CloneContext(SHA1Context * original) +-{ +- SHA1Context *clone = NULL; +- unsigned char *pBuf; +- int sha1ContextSize = SHA1_FlattenSize(original); +- SECStatus frv; +- unsigned char buf[FLAT_BUFSIZE]; +- +- PORT_Assert(sizeof buf >= sha1ContextSize); +- if (sizeof buf >= sha1ContextSize) { +- pBuf = buf; +- } else { +- pBuf = nss_ZAlloc(NULL, sha1ContextSize); +- if (!pBuf) +- goto done; +- } +- +- frv = SHA1_Flatten(original, pBuf); +- if (frv == SECSuccess) { +- clone = SHA1_Resurrect(pBuf, NULL); +- memset(pBuf, 0, sha1ContextSize); +- } +- done: +- if (pBuf != buf) +- nss_ZFreeIf(pBuf); +- return clone; ++/* Constant time comparison of a single byte. ++ * Returns 1 iff a == b, otherwise returns 0. ++ * Note: For ranges of bytes, use constantTimeCompare. ++ */ ++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { ++ unsigned char c = ~(a - b | b - a); ++ c >>= 7; ++ return c; + } + +-/* +- * Modify data by XORing it with a special hash of salt. ++/* Constant time comparison of a range of bytes. ++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise ++ * returns 0. + */ +-static SECStatus +-oaep_xor_with_h1(unsigned char *data, unsigned int datalen, +- unsigned char *salt, unsigned int saltlen) +-{ +- SHA1Context *sha1cx; +- unsigned char *dp, *dataend; +- unsigned char end_octet; +- +- sha1cx = SHA1_NewContext(); +- if (sha1cx == NULL) { +- return SECFailure; +- } +- +- /* +- * Get a hash of salt started; we will use it several times, +- * adding in a different end octet (x00, x01, x02, ...). +- */ +- SHA1_Begin(sha1cx); +- SHA1_Update(sha1cx, salt, saltlen); +- end_octet = 0; +- +- dp = data; +- dataend = data + datalen; +- +- while (dp < dataend) { +- SHA1Context *sha1cx_h1; +- unsigned int sha1len, sha1off; +- unsigned char sha1[SHA1_LENGTH]; +- +- /* +- * Create hash of (salt || end_octet) +- */ +- sha1cx_h1 = SHA1_CloneContext(sha1cx); +- SHA1_Update(sha1cx_h1, &end_octet, 1); +- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1)); +- SHA1_DestroyContext(sha1cx_h1, PR_TRUE); +- PORT_Assert(sha1len == SHA1_LENGTH); +- +- /* +- * XOR that hash with the data. +- * When we have fewer than SHA1_LENGTH octets of data +- * left to xor, use just the low-order ones of the hash. +- */ +- sha1off = 0; +- if ((dataend - dp) < SHA1_LENGTH) +- sha1off = SHA1_LENGTH - (dataend - dp); +- while (sha1off < SHA1_LENGTH) +- *dp++ ^= sha1[sha1off++]; +- +- /* +- * Bump for next hash chunk. +- */ +- end_octet++; +- } +- +- SHA1_DestroyContext(sha1cx, PR_TRUE); +- return SECSuccess; ++static unsigned char constantTimeCompare(const unsigned char *a, ++ const unsigned char *b, ++ unsigned int len) { ++ unsigned char tmp = 0; ++ unsigned int i; ++ for (i = 0; i < len; ++i, ++a, ++b) ++ tmp |= *a ^ *b; ++ return constantTimeEQ8(0x00, tmp); + } + +-/* +- * Modify salt by XORing it with a special hash of data. ++/* Constant time conditional. ++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is ++ * not 0 or 1. + */ +-static SECStatus +-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen, +- unsigned char *data, unsigned int datalen) ++static unsigned int constantTimeCondition(unsigned int c, ++ unsigned int a, ++ unsigned int b) + { +- unsigned char sha1[SHA1_LENGTH]; +- unsigned char *psalt, *psha1, *saltend; +- SECStatus rv; +- +- /* +- * Create a hash of data. +- */ +- rv = SHA1_HashBuf(sha1, data, datalen); +- if (rv != SECSuccess) { +- return rv; +- } +- +- /* +- * XOR the low-order octets of that hash with salt. +- */ +- PORT_Assert(saltlen <= SHA1_LENGTH); +- saltend = salt + saltlen; +- psalt = salt; +- psha1 = sha1 + SHA1_LENGTH - saltlen; +- while (psalt < saltend) { +- *psalt++ ^= *psha1++; +- } +- +- return SECSuccess; ++ return (~(c - 1) & a) | ((c - 1) & b); + } + + /* +@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, + unsigned char *block; + unsigned char *bp; + int padLen; +- int i; ++ int i, j; + SECStatus rv; + + block = (unsigned char *) nss_ZAlloc(NULL, modulusLen); +@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, + */ + case RSA_BlockPublic: + +- /* +- * 0x00 || BT || Pad || 0x00 || ActualData +- * 1 1 padLen 1 data->len +- * Pad is all non-zero random bytes. +- */ +- padLen = modulusLen - data->len - 3; +- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); +- if (padLen < RSA_BLOCK_MIN_PAD_LEN) { +- nss_ZFreeIf(block); +- return NULL; +- } +- for (i = 0; i < padLen; i++) { +- /* Pad with non-zero random data. */ +- do { +- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1); +- } while (rv == SECSuccess +- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- } +- bp += padLen; +- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; +- nsslibc_memcpy(bp, data->data, data->len); +- +- break; +- +- /* +- * Blocks intended for public-key operation, using +- * Optimal Asymmetric Encryption Padding (OAEP). +- */ +- case RSA_BlockOAEP: +- /* +- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) +- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] +- * +- * where: +- * PaddedData is "Pad1 || ActualData [|| Pad2]" +- * Salt is random data. +- * Pad1 is all zeros. +- * Pad2, if present, is random data. +- * (The "modified" fields are all the same length as the original +- * unmodified values; they are just xor'd with other values.) +- * +- * Modified1 is an XOR of PaddedData with a special octet +- * string constructed of iterated hashing of Salt (see below). +- * Modified2 is an XOR of Salt with the low-order octets of +- * the hash of Modified1 (see farther below ;-). +- * +- * Whew! +- */ +- +- +- /* +- * Salt +- */ +- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- bp += OAEP_SALT_LEN; +- +- /* +- * Pad1 +- */ +- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); +- bp += OAEP_PAD_LEN; +- +- /* +- * Data +- */ +- nsslibc_memcpy(bp, data->data, data->len); +- bp += data->len; +- +- /* +- * Pad2 +- */ +- if (bp < (block + modulusLen)) { +- rv = RNG_GenerateGlobalRandomBytes(bp, +- block - bp + modulusLen); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- } +- +- /* +- * Now we have the following: +- * 0x00 || BT || Salt || PaddedData +- * (From this point on, "Pad1 || Data [|| Pad2]" is treated +- * as the one entity PaddedData.) +- * +- * We need to turn PaddedData into Modified1. +- */ +- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, +- modulusLen - 2 - OAEP_SALT_LEN, +- block + 2, OAEP_SALT_LEN) != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- +- /* +- * Now we have: +- * 0x00 || BT || Salt || Modified1(PaddedData) +- * +- * The remaining task is to turn Salt into Modified2. +- */ +- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, +- block + 2 + OAEP_SALT_LEN, +- modulusLen - 2 - OAEP_SALT_LEN) != +- SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- +- break; ++ /* ++ * 0x00 || BT || Pad || 0x00 || ActualData ++ * 1 1 padLen 1 data->len ++ * Pad is all non-zero random bytes. ++ * ++ * Build the block left to right. ++ * Fill the entire block from Pad to the end with random bytes. ++ * Use the bytes after Pad as a supply of extra random bytes from ++ * which to find replacements for the zero bytes in Pad. ++ * If we need more than that, refill the bytes after Pad with ++ * new random bytes as necessary. ++ */ ++ padLen = modulusLen - (data->len + 3); ++ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); ++ if (padLen < RSA_BLOCK_MIN_PAD_LEN) { ++ nss_ZFreeIf (block); ++ return NULL; ++ } ++ j = modulusLen - 2; ++ rv = RNG_GenerateGlobalRandomBytes(bp, j); ++ if (rv == SECSuccess) { ++ for (i = 0; i < padLen; ) { ++ unsigned char repl; ++ /* Pad with non-zero random data. */ ++ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) { ++ ++i; ++ continue; ++ } ++ if (j <= padLen) { ++ rv = RNG_GenerateGlobalRandomBytes(bp + padLen, ++ modulusLen - (2 + padLen)); ++ if (rv != SECSuccess) ++ break; ++ j = modulusLen - 2; ++ } ++ do { ++ repl = bp[--j]; ++ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen); ++ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) { ++ bp[i++] = repl; ++ } ++ } ++ } ++ if (rv != SECSuccess) { ++ /*sftk_fatalError = PR_TRUE;*/ ++ nss_ZFreeIf (block); ++ return NULL; ++ } ++ bp += padLen; ++ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; ++ nsslibc_memcpy(bp, data->data, data->len); ++ break; + + default: + PORT_Assert(0); +@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, + + break; + +- case RSA_BlockOAEP: +- /* +- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) +- * +- * The "2" below is the first octet + the second octet. +- * (The other fields do not contain the clear values, but are +- * the same length as the clear values.) +- */ +- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN +- + OAEP_PAD_LEN))); +- +- result->data = rsa_FormatOneBlock(modulusLen, blockType, data); +- if (result->data == NULL) { +- result->len = 0; +- return SECFailure; +- } +- result->len = modulusLen; +- +- break; +- + case RSA_BlockRaw: + /* + * Pad || ActualData +-- +1.7.1 + + diff --git a/dev-libs/nss/nss-3.14.1-r1.ebuild b/dev-libs/nss/nss-3.14.1-r1.ebuild deleted file mode 100644 index 25a32d3..0000000 --- a/dev-libs/nss/nss-3.14.1-r1.ebuild +++ /dev/null @@ -1,271 +0,0 @@ -# Copyright 1999-2013 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.9 2013/01/21 18:39:38 vapier Exp $ - -EAPI=3 -inherit eutils flag-o-matic multilib toolchain-funcs - -NSPR_VER="4.9.2" -RTM_NAME="NSS_${PV//./_}_RTM" - -DESCRIPTION="Mozilla's Network Security Services library that implements PKI support" -HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/" -SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz - http://dev.gentoo.org/~anarchy/patches/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch - http://dev.gentoo.org/~anarchy/patches/${PN}-3.13.3_pem.support" - -LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )" -SLOT="0" -KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" -IUSE="utils" - -DEPEND="virtual/pkgconfig - >=dev-libs/nspr-${NSPR_VER}" - -RDEPEND=">=dev-libs/nspr-${NSPR_VER} - >=dev-db/sqlite-3.5 - sys-libs/zlib" - -src_setup() { - export LC_ALL="C" -} - -src_prepare() { - # Custom changes for gentoo - epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups-r1.patch" - epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch" - epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch" - epatch "${DISTDIR}/${PN}-3.13.3_pem.support" - epatch "${FILESDIR}/${PN}-3.13.5-x32.patch" - - cd "${S}"/mozilla/security/coreconf || die - # hack nspr paths - echo 'INCLUDES += -I$(DIST)/include/dbm' \ - >> headers.mk || die "failed to append include" - - # modify install path - sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \ - -i source.mk || die - - # Respect LDFLAGS - sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die - - # Ensure we stay multilib aware - sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib" - - # Fix pkgconfig file for Prefix - sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \ - "${S}"/mozilla/security/nss/config/Makefile || die - - epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch" - - # use host shlibsign if need be #436216 - if tc-is-cross-compiler ; then - sed -i \ - -e 's:"${2}"/shlibsign:shlibsign:' \ - "${S}"/mozilla/security/nss/cmd/shlibsign/sign.sh || die - fi - - # dirty hack - cd "${S}"/mozilla/security/nss || die - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \ - lib/ssl/config.mk || die - sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \ - cmd/platlibs.mk || die -} - -nssarch() { - # Most of the arches are the same as $ARCH - local t=${1:-${CHOST}} - case ${t} in - hppa*) echo "parisc";; - i?86*) echo "i686";; - x86_64*) echo "x86_64";; - *) tc-arch ${t};; - esac -} - -nssbits() { - echo > "${T}"/test.c || die - ${!1} ${CPPFLAGS} ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o || die - case $(file "${T}"/test.o) in - *32-bit*x86-64*) echo USE_x32=1;; - *64-bit*|*ppc64*|*x86_64*) echo USE_64=1;; - *32-bit*|*ppc*|*i386*) ;; - *) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";; - esac -} - -src_compile() { - strip-flags - - tc-export AR RANLIB {BUILD_,}{CC,PKG_CONFIG} - local makeargs=( - CC="${CC}" - AR="${AR} rc \$@" - RANLIB="${RANLIB}" - OPTIMIZER= - $(nssbits CC) - ) - - # Take care of nspr settings #436216 - append-cppflags $(${PKG_CONFIG} nspr --cflags) - append-ldflags $(${PKG_CONFIG} nspr --libs-only-L) - unset NSPR_INCLUDE_DIR - export NSPR_LIB_DIR=${T}/fake-dir - - # Do not let `uname` be used. - if use kernel_linux ; then - makeargs+=( - OS_TARGET=Linux - OS_RELEASE=2.6 - OS_TEST="$(nssarch)" - ) - fi - - export BUILD_OPT=1 - export NSS_USE_SYSTEM_SQLITE=1 - export NSDISTMODE=copy - export NSS_ENABLE_ECC=1 - export XCFLAGS="${CFLAGS} ${CPPFLAGS}" - export FREEBL_NO_DEPEND=1 - export ASFLAGS="" - - local d - - # Build the host tools first. - LDFLAGS="${BUILD_LDFLAGS}" \ - XCFLAGS="${BUILD_CFLAGS}" \ - emake -j1 -C mozilla/security/coreconf \ - CC="${BUILD_CC}" \ - $(nssbits BUILD_CC) \ - || die - makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" ) - - # Then build the target tools. - for d in dbm nss ; do - emake -j1 "${makeargs[@]}" -C mozilla/security/${d} || die "${d} make failed" - done -} - -# Altering these 3 libraries breaks the CHK verification. -# All of the following cause it to break: -# - stripping -# - prelink -# - ELF signing -# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html -# Either we have to NOT strip them, or we have to forcibly resign after -# stripping. -#local_libdir="$(get_libdir)" -#export STRIP_MASK=" -# */${local_libdir}/libfreebl3.so* -# */${local_libdir}/libnssdbm3.so* -# */${local_libdir}/libsoftokn3.so*" - -export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3" - -generate_chk() { - local shlibsign="$1" - local libdir="$2" - einfo "Resigning core NSS libraries for FIPS validation" - shift 2 - local i - for i in ${NSS_CHK_SIGN_LIBS} ; do - local libname=lib${i}.so - local chkname=lib${i}.chk - "${shlibsign}" \ - -i "${libdir}"/${libname} \ - -o "${libdir}"/${chkname}.tmp \ - && mv -f \ - "${libdir}"/${chkname}.tmp \ - "${libdir}"/${chkname} \ - || die "Failed to sign ${libname}" - done -} - -cleanup_chk() { - local libdir="$1" - shift 1 - local i - for i in ${NSS_CHK_SIGN_LIBS} ; do - local libfname="${libdir}/lib${i}.so" - # If the major version has changed, then we have old chk files. - [ ! -f "${libfname}" -a -f "${libfname}.chk" ] \ - && rm -f "${libfname}.chk" - done -} - -src_install () { - MINOR_VERSION=12 - cd "${S}"/mozilla/security/dist || die - - dodir /usr/$(get_libdir) || die - cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed" - # We generate these after stripping the libraries, else they don't match. - #cp -L */lib/*.chk "${ED}"/usr/$(get_libdir) || die "copying chk files failed" - cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed" - - # Install nss-config and pkgconfig file - dodir /usr/bin || die - cp -L */bin/nss-config "${ED}"/usr/bin || die - dodir /usr/$(get_libdir)/pkgconfig || die - cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die - - # all the include files - insinto /usr/include/nss - doins public/nss/*.h || die - cd "${ED}"/usr/$(get_libdir) || die - local n file - for file in *$(get_libname); do - n=${file%$(get_libname)}$(get_libname ${MINOR_VERSION}) - mv ${file} ${n} || die - ln -s ${n} ${file} || die - if [[ ${CHOST} == *-darwin* ]]; then - install_name_tool -id "${EPREFIX}/usr/$(get_libdir)/${n}" ${n} || die - fi - done - - local f nssutils - # Always enabled because we need it for chk generation. - nssutils="shlibsign" - if use utils; then - # The tests we do not need to install. - #nssutils_test="bltest crmftest dbtest dertimetest - #fipstest remtest sdrtest" - nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert - cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit - nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode - pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt - symkeyutil tstclnt vfychain vfyserv" - fi - cd "${S}"/mozilla/security/dist/*/bin/ || die - for f in $nssutils; do - dobin ${f} || die - done - - # Prelink breaks the CHK files. We don't have any reliable way to run - # shlibsign after prelink. - local l libs=() - for l in ${NSS_CHK_SIGN_LIBS} ; do - libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so") - done - OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}" - echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" || die - unset libs liblist - doenvd "${T}/90nss" || die -} - -pkg_postinst() { - # We must re-sign the libraries AFTER they are stripped. - local shlibsign="${EROOT}/usr/bin/shlibsign" - # See if we can execute it (cross-compiling & such). #436216 - "${shlibsign}" -h >&/dev/null - if [[ $? -gt 1 ]] ; then - shlibsign="shlibsign" - fi - generate_chk "${shlibsign}" "${EROOT}"/usr/$(get_libdir) -} - -pkg_postrm() { - cleanup_chk "${EROOT}"/usr/$(get_libdir) -} diff --git a/dev-libs/nss/nss-3.14.2.ebuild b/dev-libs/nss/nss-3.14.3.ebuild similarity index 94% rename from dev-libs/nss/nss-3.14.2.ebuild rename to dev-libs/nss/nss-3.14.3.ebuild index d889d43..05025dd 100644 --- a/dev-libs/nss/nss-3.14.2.ebuild +++ b/dev-libs/nss/nss-3.14.3.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.1.ebuild,v 1.9 2013/01/21 18:39:38 vapier Exp $ +# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.14.2.ebuild,v 1.1 2013/02/15 13:30:12 polynomial-c Exp $ EAPI=3 inherit eutils flag-o-matic multilib toolchain-funcs @@ -16,7 +16,7 @@ SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAME} LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )" SLOT="0" -KEYWORDS="~alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris" IUSE="utils" DEPEND="virtual/pkgconfig @@ -33,10 +33,12 @@ src_setup() { src_prepare() { # Custom changes for gentoo epatch "${FILESDIR}/${PN}-3.14.1-gentoo-fixups-r1.patch" - epatch "${FILESDIR}/${PN}-3.14.2-sqlite.patch" epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch" epatch "${DISTDIR}/${PN}-3.14.1-add_spi+cacerts_ca_certs.patch" epatch "${DISTDIR}/${PN}-3.13.3_pem.support" + epatch "${FILESDIR}/${PN}-3.14.2-x32.patch" + epatch "${FILESDIR}/${PN}-3.14.2-sqlite.patch" + epatch "${FILESDIR}/${PN}-3.14.3_sync_with_upstream_softokn_changes.patch" cd "${S}"/mozilla/security/coreconf || die # hack nspr paths @@ -57,8 +59,7 @@ src_prepare() { sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \ "${S}"/mozilla/security/nss/config/Makefile || die - # Check to see if porting is required. - # epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch" + epatch "${FILESDIR}/nss-3.14.2-solaris-gcc.patch" # use host shlibsign if need be #436216 if tc-is-cross-compiler ; then