Commit d3ce1d89 authored by Chaoting Liu's avatar Chaoting Liu Committed by Luca Giambonini

[testing] nss: update to 3.48

parent 91a235dc
......@@ -2,21 +2,23 @@
pkgbase=nss
pkgname=(nss ca-certificates-mozilla)
pkgver=3.47
pkgver=3.48
pkgrel=1
pkgdesc="Network Security Services"
url="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
arch=(x86_64)
license=(MPL GPL)
_nsprver=4.23
_nsprver=4.24
depends=("nspr>=${_nsprver}" sqlite3 zlib sh p11-kit)
makedepends=(perl python2 gyp)
options=(!strip !makeflags staticlibs)
source=("https://ftp.mozilla.org/pub/security/nss/releases/NSS_${pkgver//./_}_RTM/src/nss-${pkgver}.tar.gz"
certdata2pem.py bundle.sh)
sha256sums=('6cd0c4438b616bdacc0b5f25ff1506b0d07ee97ea6c95d514c5487200a155fa7'
certdata2pem.py bundle.sh
nss-3.47-certdb-temp-cert.patch)
sha256sums=('3f9c822a86a4e3e1bfe63e2ed0f922d8b7c2e0b7cafe36774b1c627970d0f8ac'
'512b12a2f13129be62c008b4df0153f527dd7d71c2c5183de99dfa2a1c49dd8a'
'e412463cfa32bd38a97c1c3664e70c8eb211b676d9192e45f44fbccb0422e87d')
'e412463cfa32bd38a97c1c3664e70c8eb211b676d9192e45f44fbccb0422e87d'
'e4d7c7d6ac8c8cccd5bb23c217402922aafc1c104e46ae17a39f3c13b0e96002')
prepare() {
mkdir certs path
......@@ -27,6 +29,9 @@ prepare() {
ln -sr nss/lib/ckfw/builtins/certdata.txt ../certs/
ln -sr nss/lib/ckfw/builtins/nssckbi.h ../certs/
# https://bugzilla.mozilla.org/show_bug.cgi?id=1593167
patch -d nss -Np1 < ../nss-3.47-certdb-temp-cert.patch
}
build() {
......
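Review bot: The `patch` line added to prepare() applies a backport whose file name still says 3.47 although pkgver is now 3.48, and the Bugzilla link is the only provenance given, so nothing tells the next maintainer when the patch can be dropped. Because it changes how certificate trust is attached inside a crypto library, I would have the comment name the upstream revision and the removal condition, e.g. `# Backport of upstream changeset 017097f0a0ea (bug 1593167); drop once an NSS release includes it`. The new sha256sums entry pins the local copy but does not show that the copy matches the upstream changeset, so the comment is what lets a reviewer compare the two. Part of prepare() is collapsed between the two hunks, so the directory that `../` resolves against is not visible here.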
# HG changeset patch
# User Daiki Ueno <dueno@redhat.com>
# Date 1575450841 -3600
# Wed Dec 04 10:14:01 2019 +0100
# Node ID 017097f0a0eaea1a3d849f3de79475c9bc28fcc2
# Parent d64102b76a437f24d98a20480dcc9f1655143e7c
Bug 1593167, certdb: propagate trust information if trust module is loaded afterwards
Summary:
When the builtin trust module is loaded after some temp certs being created, these temp certs are usually not accompanied by trust information. This causes a problem in Firefox as it loads the module from a separate thread while accessing the network cache which populates temp certs.
This change makes it properly roll up the trust information, if a temp cert doesn't have trust information.
Reviewers: rrelyea, keeler
Reviewed By: rrelyea
Subscribers: reviewbot, heftig
Bug #: 1593167
Differential Revision: https://phabricator.services.mozilla.com/D54726
diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -921,14 +921,28 @@ stan_GetCERTCertificate(NSSCertificate *
}
if (!cc->nssCertificate || forceUpdate) {
fill_CERTCertificateFields(c, cc, forceUpdate);
- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
- !c->object.cryptoContext) {
- /* if it's a perm cert, it might have been stored before the
- * trust, so look for the trust again. But a temp cert can be
- * ignored.
- */
- CERTCertTrust *trust = NULL;
- trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
+ CERTCertTrust *trust;
+ if (!c->object.cryptoContext) {
+ /* If it's a perm cert, it might have been stored before the
+ * trust, so look for the trust again.
+ */
+ trust = nssTrust_GetCERTCertTrustForCert(c, cc);
+ } else {
+ /* If it's a temp cert, it might have been stored before the
+ * builtin trust module is loaded, so look for the trust
+ * again, but don't set the empty trust if it is not found.
+ */
+ NSSTrust *t = nssTrustDomain_FindTrustForCertificate(c->object.cryptoContext->td, c);
+ if (!t) {
+ goto loser;
+ }
+ trust = cert_trust_from_stan_trust(t, cc->arena);
+ nssTrust_Destroy(t);
+ if (!trust) {
+ goto loser;
+ }
+ }
CERT_LockCertTrust(cc);
cc->trust = trust;