* update nss to 3.49.2

2020-01-27 11:53:50 +01:00 · 2020-01-27 11:53:50 +01:00 · 0abcb8144f
commit 0abcb8144f
parent 4a139cbd8b
3 changed files with 38 additions and 9 deletions
--- a/nss/PKGBUILD
+++ b/nss/PKGBUILD
@ -3,19 +3,19 @@

 pkgbase=nss
 pkgname=(nss ca-certificates-mozilla)
-pkgver=3.49.1
+pkgver=3.49.2
 pkgrel=2
 pkgdesc="Network Security Services"
 url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
 arch=(x86_64 powerpc64le)
 license=(MPL GPL)
-_nsprver=4.20
-depends=("nspr>=${_nsprver}" sqlite zlib sh p11-kit)
+_nsprver=4.24
+depends=("nspr>=${_nsprver}" sqlite zlib sh 'p11-kit>=0.23.19')
 makedepends=(perl python gyp)
 source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
        certdata2pem.py bundle.sh ppc64-no-vsx.patch)
-sha256sums=('d9aa42e49e02bb0dc0a2f164604cfc718e11a2a06ddb266cd676376ac21b026e'
-            '0be02cecc27a6e55e1cad1783033b147f502b26f9fb1bb5a53e7a43bbcb68fa0'
+sha256sums=('faa7502c3ce9240d4be2aa88f63d88cf7d1cc512060e63ef21a7813c236160b2'
+            'd2a1579dae05fd16175fac27ef08b54731ecefdf414085c610179afcf62b096c'
            '3bfadf722da6773bdabdd25bdf78158648043d1b7e57615574f189a88ca865dd'
            '959cd602257013d16a3bd56909cc712dc19f89d411ef7887c5f83628b3a6a9ef')

@ -23,10 +23,10 @@ prepare() {
  mkdir certs

  cd nss-$pkgver
-  patch -Np0 -i ${srcdir}/ppc64-no-vsx.patch
-
  ln -sr nss/lib/ckfw/builtins/certdata.txt ../certs/
  ln -sr nss/lib/ckfw/builtins/nssckbi.h ../certs/
+
+  patch -Np0 -i ${srcdir}/ppc64-no-vsx.patch
 }

 build() {
@ -82,12 +82,12 @@ package_nss() {
  install -Dt "$pkgdir/usr/lib" -m644 *.chk

  # Replace built-in trust with p11-kit connection
-  ln -sf libnssckbi-p11-kit.so "$pkgdir/usr/lib/libnssckbi.so"
+  ln -sf pkcs11/p11-kit-trust.so "$pkgdir/usr/lib/libnssckbi.so"
 }

 package_ca-certificates-mozilla() {
  pkgdesc="Mozilla's set of trusted CA certificates"
-  depends=(ca-certificates-utils)
+  depends=('ca-certificates-utils>=20181109-3')

  install -Dm644 ca-bundle.trust.p11-kit \
    "$pkgdir/usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit"
--- a/nss/certdata2pem.py
+++ b/nss/certdata2pem.py
@ -177,6 +177,11 @@ openssl_trust = {
  "CKA_TRUST_EMAIL_PROTECTION": "emailProtection",
 }

+cert_distrust_types = {
+  "CKA_NSS_SERVER_DISTRUST_AFTER": "nss-server-distrust-after",
+  "CKA_NSS_EMAIL_DISTRUST_AFTER": "nss-email-distrust-after",
+}
+
 for tobj in objects:
    if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
        key = tobj['CKA_LABEL'] + printable_serial(tobj)
@ -369,6 +374,16 @@ for tobj in objects:
            f.write("nss-mozilla-ca-policy: true\n")
            f.write("modifiable: false\n");

+            # requires p11-kit >= 0.23.19
+            for t in list(cert_distrust_types.keys()):
+                if t in obj:
+                    value = obj[t]
+                    if value == 'CK_FALSE':
+                        value = bytearray(1)
+                    f.write(cert_distrust_types[t] + ": \"")
+                    f.write(urllib.parse.quote(value));
+                    f.write("\"\n")
+
            f.write("-----BEGIN CERTIFICATE-----\n")
            temp_encoded_b64 = base64.b64encode(obj['CKA_VALUE'])
            temp_wrapped = textwrap.wrap(temp_encoded_b64.decode(), 64)
--- a/nss/ppc64-no-vsx.patch
+++ b/nss/ppc64-no-vsx.patch
@ -0,0 +1,14 @@
+The header contains vectors of long long, which are only available with the
+VSX instruction set. We don't compile with VSX on big endian systems.
+
+--- nss/lib/freebl/gcm.h
+++ nss/lib/freebl/gcm.h
+@@ -30,7 +30,7 @@
+ #include <arm_neon.h>
+ #endif
+ 
+-#ifdef __powerpc64__
+#if defined(__powerpc64__) && defined(__VSX__)
+ #include "altivec-types.h"
+ 
+ /* The ghash freebl test tries to use this in C++, and gcc defines conflict. */