Commit 6295f48f authored by Chaoting Liu's avatar Chaoting Liu

nss: rebuild to follow Arch

parent f220e46c
......@@ -3,40 +3,44 @@
pkgname=(nss ca-certificates-mozilla)
pkgdesc="Mozilla Network Security Services"
license=('MPL' 'GPL')
pkgdesc="Network Security Services"
arch=(i686 x86_64)
license=(MPL GPL)
depends=("nspr>=${_nsprver}" 'sqlite3' 'zlib' 'sh' 'p11-kit')
makedepends=('perl' 'python2')
options=('!strip' '!makeflags' 'staticlibs')
depends=("nspr>=${_nsprver}" sqlite3 zlib sh p11-kit)
makedepends=(perl python2 xmlto docbook-xsl gyp)
options=(!strip !makeflags staticlibs)
source=("${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz" nss-config.xml enable-libpkix.patch no-plt.diff)
prepare() {
mkdir certs
mkdir certs path
ln -s /usr/bin/python2 path/python
echo -n "$(date +"%e %B %Y")" >date.xml
echo -n "$pkgver" >version.xml
xmlto man nss-config.xml
cd nss-$pkgver
# Respect LDFLAGS
sed -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/' \
-i nss/coreconf/
patch -Np1 -i ../enable-libpkix.patch
patch -Np2 -i ../no-plt.diff
ln -sr nss/lib/ckfw/builtins/certdata.txt ../certs/
ln -sr nss/lib/ckfw/builtins/nssckbi.h ../certs/
build() {
cd certs
python2 ../
......@@ -45,26 +49,14 @@ build() {
cd nss-$pkgver/nss
export BUILD_OPT=1
export NSPR_INCLUDE_DIR="`nspr-config --includedir`"
export NSPR_LIB_DIR="`nspr-config --libdir`"
export XCFLAGS="${CFLAGS}"
export USE_64=1
make -C coreconf
make -C lib/dbm
PATH="$srcdir/path:$PATH" ./ --opt --system-sqlite --system-nspr --disable-tests
package_nss() {
cd nss-$pkgver
install -d "$pkgdir"/usr/{bin,include/nss,lib/pkgconfig}
NSS_VMAJOR=$(grep '#define.*NSS_VMAJOR' nss/lib/nss/nss.h | awk '{print $3}')
NSS_VMINOR=$(grep '#define.*NSS_VMINOR' nss/lib/nss/nss.h | awk '{print $3}')
NSS_VPATCH=$(grep '#define.*NSS_VPATCH' nss/lib/nss/nss.h | awk '{print $3}')
{ read _vmajor; read _vminor; read _vpatch; } \
< <(awk '/#define.*NSS_V(MAJOR|MINOR|PATCH)/ {print $3}' nss/lib/nss/nss.h)
sed ../ \
-e "s,%libdir%,/usr/lib,g" \
......@@ -72,8 +64,8 @@ package_nss() {
-e "s,%exec_prefix%,/usr/bin,g" \
-e "s,%includedir%,/usr/include/nss,g" \
-e "s,%NSPR_VERSION%,${_nsprver},g" \
-e "s,%NSS_VERSION%,${pkgver},g" \
> "$pkgdir/usr/lib/pkgconfig/nss.pc"
-e "s,%NSS_VERSION%,${pkgver},g" |
install -Dm644 /dev/stdin "$pkgdir/usr/lib/pkgconfig/nss.pc"
ln -s nss.pc "$pkgdir/usr/lib/pkgconfig/mozilla-nss.pc"
sed ../ \
......@@ -81,33 +73,33 @@ package_nss() {
-e "s,@prefix@,/usr/bin,g" \
-e "s,@exec_prefix@,/usr/bin,g" \
-e "s,@includedir@,/usr/include/nss,g" \
> "$pkgdir/usr/bin/nss-config"
chmod 755 "$pkgdir/usr/bin/nss-config"
-e "s,@MOD_MAJOR_VERSION@,${_vmajor},g" \
-e "s,@MOD_MINOR_VERSION@,${_vminor},g" \
-e "s,@MOD_PATCH_VERSION@,${_vpatch},g" |
install -D /dev/stdin "$pkgdir/usr/bin/nss-config"
install -Dt "$pkgdir/usr/share/man/man1" -m644 ../nss-config.1
cd dist/*.OBJ/bin
install -t "$pkgdir/usr/bin" *util shlibsign signtool signver ssltap
cd nss/doc/nroff
install -Dt "$pkgdir/usr/share/man/man1" -m644 *util.1 signtool.1 signver.1 ssltap.1
cd ../lib
install -t "$pkgdir/usr/lib" *.so
install -t "$pkgdir/usr/lib" -m644 libcrmf.a *.chk
cd ../../../dist
install -Dt "$pkgdir/usr/include/nss" -m644 public/nss/*.h
cd Release/bin
install -Dt "$pkgdir/usr/bin" *util shlibsign signtool signver ssltap
cd ../../public/nss
install -t "$pkgdir/usr/include/nss" -m644 *.h
cd ../lib
install -Dt "$pkgdir/usr/lib" *.so
install -Dt "$pkgdir/usr/lib" -m644 *.chk
rm "$pkgdir/usr/lib/"
ln -s pkcs11/ "$pkgdir/usr/lib/"
ln -sf "$pkgdir/usr/lib/"
package_ca-certificates-mozilla() {
pkgdesc="Mozilla's set of trusted CA certificates"
local _certdir="$pkgdir/usr/share/ca-certificates/trust-source"
install -Dm644 "$_certdir/"
install -Dm644 ca-bundle.neutral-trust.crt "$_certdir/mozilla.neutral-trust.crt"
install -Dm644 ca-bundle.supplement.p11-kit "$_certdir/mozilla.supplement.p11-kit"
install -Dm644 \
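Review bot: In package_nss() the new `{ read _vmajor; read _vminor; read _vpatch; } < <(awk '/#define.*NSS_V(MAJOR|MINOR|PATCH)/ {print $3}' nss/lib/nss/nss.h)` assigns by line position, so it relies on nss.h yielding exactly three matches in MAJOR, MINOR, PATCH order. An extra or missing match shifts or empties the values without any error, and they are then substituted into the installed nss-config. A guard directly after the read, `[[ $_vmajor && $_vminor && $_vpatch ]] || return 1`, together with `read -r`, would make that failure visible. The same function now uses `sed … | install -Dm644 /dev/stdin …`, where the pipeline status is install's, so a failing sed would still install a truncated nss.pc or nss-config unless pipefail is in effect. Several lines of this section are cut short in the rendering, so the full function body should be checked against the file.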
......@@ -5,11 +5,8 @@
cat <<EOF
# This is a bundle of X.509 certificates of public Certificate
# Authorities. It was generated from the Mozilla root CA list.
# These certificates are in the OpenSSL "TRUSTED CERTIFICATE"
# format and have trust bits set accordingly.
# An exception are auxiliary certificates, without positive or negative
# trust, but are used to assist in finding a preferred trust path.
# Those neutral certificates use the plain BEGIN CERTIFICATE format.
# These certificates and trust/distrust attributes use the file format accepted
# by the p11-kit-trust module.
# Source: nss/lib/ckfw/builtins/certdata.txt
# Source: nss/lib/ckfw/builtins/nssckbi.h
......@@ -18,37 +15,8 @@
cat certs/nssckbi.h | grep -w NSS_BUILTINS_LIBRARY_VERSION | awk '{print "# " $2 " " $3}'
echo '#'
) >
for f in certs/*.crt; do
echo "processing $f"
tbits=`sed -n '/^# openssl-trust/{s/^.*=//;p;}' $f`
distbits=`sed -n '/^# openssl-distrust/{s/^.*=//;p;}' $f`
alias=`sed -n '/^# alias=/{s/^.*=//;p;q;}' $f | sed "s/'//g" | sed 's/"//g'`
if [ -n "$tbits" ]; then
for t in $tbits; do
targs="${targs} -addtrust $t"
if [ -n "$distbits" ]; then
for t in $distbits; do
targs="${targs} -addreject $t"
if [ -n "$targs" ]; then
echo "trust flags $targs for $f" >>
openssl x509 -text -in "$f" -trustout $targs -setalias "$alias" >>
echo "no trust flags for $f" >> info.notrust
# p11-kit-trust defines empty trust lists as "rejected for all purposes".
# That's why we use the simple file format
# (BEGIN CERTIFICATE, no trust information)
# because p11-kit-trust will treat it as a certificate with neutral trust.
# This means we cannot use the -setalias feature for neutral trust certs.
openssl x509 -text -in "$f" >> ca-bundle.neutral-trust.crt
) >
for p in certs/*.p11-kit; do
cat "$p" >> ca-bundle.supplement.p11-kit
for p in certs/*.tmp-p11-kit; do
cat "$p" >>
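Review bot: The loop `for p in certs/*.tmp-p11-kit; do cat "$p" >> …` has no guard for a glob that matches nothing, so, as far as the truncated lines show, a failed extraction step would leave a trust bundle containing only the comment header. For a CA trust store that should stop the build rather than ship an empty list: add `[ -e "$p" ] || { echo "no certificates extracted" >&2; exit 1; }` as the first line of the loop body, or check afterwards that the bundle holds at least one object. The loop's `done`, the redirect target and any `set -e` are not visible in this section, so this is worth confirming against the full script.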
diff -u -r nss-3.31/nss/ nss-3.31-libpkix/nss/
--- nss-3.31/nss/ 2017-06-08 12:53:01.000000000 +0200
+++ nss-3.31-libpkix/nss/ 2017-06-09 19:11:21.746133040 +0200
@@ -52,7 +52,7 @@
-gyp_params=(--depth="$cwd" --generator-output=".")
+gyp_params=(--depth="$cwd" --generator-output="." -Ddisable_libpkix=0)
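Review bot: Nothing in this patch or in the visible part of the PKGBUILD records why libpkix is switched on with `-Ddisable_libpkix=0`. The change apparently overrides the gyp build's default and compiles an additional certificate path-validation implementation into the library. I would add a comment above `patch -Np1 -i ../enable-libpkix.patch` in prepare(), for example `# Re-enable libpkix (disabled by default in the gyp build): <reason or consumer that needs it>`. A later rebuild can then judge whether the extra code in the certificate verification path is still wanted.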
diff --git i/security/nss/lib/freebl/mpi/mpi_x86.s w/security/nss/lib/freebl/mpi/mpi_x86.s
index 8f7e2130c3264754..b3ca1ce5b41b3771 100644
--- i/security/nss/lib/freebl/mpi/mpi_x86.s
+++ w/security/nss/lib/freebl/mpi/mpi_x86.s
@@ -22,22 +22,41 @@ is_sse: .long -1
.ifndef NO_PIC
.macro GET var,reg
- movl \var@GOTOFF(%ebx),\reg
+ call
+ addl $_GLOBAL_OFFSET_TABLE_, %eax
+ movl \var@GOTOFF(%eax),\reg
.macro PUT reg,var
- movl \reg,\var@GOTOFF(%ebx)
+ call thunk.dx
+ addl $_GLOBAL_OFFSET_TABLE_, %edx
+ movl \reg,\var@GOTOFF(%edx)
.macro GET var,reg
movl \var,\reg
.macro PUT reg,var
movl \reg,\var
+.ifndef NO_PIC
+.type, @function
+ movl (%esp),%eax
+ ret
+.globl thunk.dx
+.hidden thunk.dx
+.type thunk.dx, @function
+ movl (%esp),%edx
+ ret
# ebp - 36: caller's esi
# ebp - 32: caller's edi
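Review bot: The rewritten PIC `PUT` macro loads the GOT base into %edx through `call thunk.dx` before `movl \reg,\var@GOTOFF(%edx)`, so any use with `\reg` set to %edx would store the GOT address instead of the caller's value. The new `GET` likewise overwrites %eax even when `\reg` is a different register. The macro call sites are outside this section, so each use in mpi_x86.s needs checking for a live %eax or %edx. A comment on each macro, such as `# clobbers %eax` and `# clobbers %edx; \reg must not be %edx`, would document the contract. Because this is freebl's multi-precision arithmetic, a clobbered register would produce wrong results silently rather than a crash, so the i686 build deserves a run of the mpi tests, which the PKGBUILD's `--disable-tests` appears to leave out.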
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"" [
<!ENTITY date SYSTEM "date.xml">
<!ENTITY version SYSTEM "version.xml">
<refentry id="nss-config">
<title>Network Security Services</title>
<refpurpose>Return meta information about nss libraries</refpurpose>
<refsection id="description">
<para><command>nss-config</command> is a shell scrip
tool which can be used to obtain gcc options for building client pacakges of nspt. </para>
<listitem><simpara>Returns the top level system directory under which the nss libraries are installed.</simpara></listitem>
<listitem><simpara>returns the top level system directory under which any nss binaries would be installed.</simpara></listitem>
<term><option>--includedir</option> <replaceable>count</replaceable></term>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
<listitem><simpara>returns the upstream version of nss in the form major_version-minor_version-patch_version.</simpara></listitem>
<listitem><simpara>returns the compiler linking flags.</simpara></listitem>
<listitem><simpara>returns the compiler include flags.</simpara></listitem>
<listitem><simpara>returns the path to the directory were the nss libraries are installed.</simpara></listitem>
<para>The following example will query for both include path and linkage flags:
/usr/bin/nss-config --cflags --libs
<title>See also</title>
<refsection id="authors">
<para>The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google.</para>
Authors: Elio Maldonado &lt;>.
<!-- don't change -->
<refsection id="license">
<para>Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at
......@@ -7,5 +7,5 @@ Name: NSS
Description: Network Security Services
Version: %NSS_VERSION%
Requires: nspr >= %NSPR_VERSION%
Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 -lnssutil3
Cflags: -I${includedir}
Enable transitional scheme for ssl renegotiation:
(from mozilla/security/nss/lib/ssl/ssl.h)
Disallow unsafe renegotiation in server sockets only, but allow clients
to continue to renegotiate with vulnerable servers.
This value should only be used during the transition period when few
servers have been upgraded.
diff --git a/mozilla/security/nss/lib/ssl/sslsock.c b/mozilla/security/nss/lib/ssl/sslsock.c
index f1d1921..c074360 100644
--- a/mozilla/security/nss/lib/ssl/sslsock.c
+++ b/mozilla/security/nss/lib/ssl/sslsock.c
@@ -181,7 +181,7 @@ static sslOptions ssl_defaults = {
PR_FALSE, /* noLocks */
PR_FALSE, /* enableSessionTickets */
PR_FALSE, /* enableDeflate */
- 2, /* enableRenegotiation (default: requires extension) */
+ 3, /* enableRenegotiation (default: transitional) */
PR_FALSE, /* requireSafeNegotiation */