add ca cert support

Package-Manager: portage-2.1.10.44/cvs/Linux x86_64
author: Jory Pratt <anarchy@gentoo.org> 2012-01-27 03:45:50 +0000
committer: Jory Pratt <anarchy@gentoo.org> 2012-01-27 03:45:50 +0000
commit: 65e4f466c34d5b2de8f229252b7459fed061c74b (patch)
tree: 807c8c3f2ef23b1c68767c3b47fd2bf0b438994f /dev-libs
parent: version bump (diff)
download: historical-65e4f466c34d5b2de8f229252b7459fed061c74b.tar.gz
historical-65e4f466c34d5b2de8f229252b7459fed061c74b.tar.bz2
historical-65e4f466c34d5b2de8f229252b7459fed061c74b.zip
3 files changed, 228 insertions, 7 deletions
diff --git a/dev-libs/nss/ChangeLog b/dev-libs/nss/ChangeLog
index 24bd199bee69..895ff35d00a2 100644
--- a/dev-libs/nss/ChangeLog
+++ b/dev-libs/nss/ChangeLog
@@ -1,6 +1,11 @@
 # ChangeLog for dev-libs/nss
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.233 2012/01/12 15:33:01 phajdan.jr Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/ChangeLog,v 1.234 2012/01/27 03:45:50 anarchy Exp $
+
+*nss-3.13.1-r2 (27 Jan 2012)
+
+  27 Jan 2012; <anarchy@gentoo.org> +nss-3.13.1-r2.ebuild:
+  add ca cert support to database
 
   12 Jan 2012; Pawel Hajdan jr <phajdan.jr@gentoo.org> nss-3.13.1-r1.ebuild:
   x86 stable wrt bug #395431
diff --git a/dev-libs/nss/Manifest b/dev-libs/nss/Manifest
index 72f870ebda93..9a2b5eb8f4dd 100644
--- a/dev-libs/nss/Manifest
+++ b/dev-libs/nss/Manifest
@@ -1,5 +1,5 @@
 -----BEGIN PGP SIGNED MESSAGE-----
-Hash: SHA512
+Hash: SHA1
 
 AUX nss-3.12.11-CVE-2011-3640.patch 4608 RMD160 02f2c0c428dd40904f8eee5bf6a2d2fc3ecba1ac SHA1 c3f93b6b9996e4abe7a2fa2963cadf24f3c56367 SHA256 d48b2117c52a30c8ef659fc7222f501cce175ead29891ed8dceadd6f7d8bada4
 AUX nss-3.12.4-solaris-gcc.patch 842 RMD160 83324ac0ecde97e1976bf5162e7ce01ab2ca07e6 SHA1 769562dc8fd7ecc85e4f06a88d568433f2f3f5e2 SHA256 cf2695f4d73ad9de267ffd2e47b2f8940bf56d94b51e66d1e36907b5d6368865
@@ -10,17 +10,24 @@ AUX nss-3.13.1-solaris-gcc.patch 854 RMD160 1b4190cae56a7e4399ac8f4f455346e2ab59
 DIST nss-3.12.10.tar.gz 6008914 RMD160 08c82ce0f4dc4c1806944cbc74adcad137878bf3 SHA1 229f65c8d4e2c1b34e145253bceddada5a82a142 SHA256 634f294507de6da93a5c3e08006156a469ff8d8af9ac9153f608800f4d20206e
 DIST nss-3.12.11.tar.gz 5944840 RMD160 4528d4be996bce801ff5f4c978457bd17c8e8625 SHA1 187ae83a8368512bb8729c206da2ed34db1725ad SHA256 d043f8d44212bc9418b6a954ca88e05b8ab2a71f8c59e6829a9a36d8a28e9f16
 DIST nss-3.12.9.with.ckbi.1.82.tar.gz 6012144 RMD160 a5392169f240fe804aa4d55229a246c7f4997c65 SHA1 32d8c607c2301bdf053ab5d4fea7ec5af9d5d35a SHA256 b55ea655f3029737b4236f27301c1eb48b417714ff45ac8b8b67963ea80787a3
+DIST nss-3.13.1-add_cacert_ca_certs.patch 71117 RMD160 1d5a90f1afe3b645ac75c38540454d011f06985e SHA1 d9fc8c3ba90f4470cfdaeac457d2bc8d073ef5b4 SHA256 c9a38ebbafc49ec5eda87af4528e7c91bf13c49c9894b9a37464978c9b8eaf64
 DIST nss-3.13.1.tar.gz 5985329 RMD160 c1743308c380169d666e5c08b23a455f86b360bd SHA1 d8e7ee9f9f1e0bfa2ea8b72d25727634fea130a6 SHA256 95d933b59be466f19f90f595a35b4b92213fef084caecafeb89f4e2ce7160660
+DIST nss-3.13.1.with.ckbi.1.88.tar.gz 6065634 RMD160 20bf77259d92cb054a4e4c40fbd931da335fc58c SHA1 ebc0258c8d1a3c2fe80941bd991b766552464fc6 SHA256 456fd2ad036976660ae7e4e24edddc49f2f47e7ca490c1c5372771bbb5207879
 EBUILD nss-3.12.10.ebuild 6764 RMD160 bd101be19e59dadd3fcacaa09bdc225af789cf00 SHA1 d609a403c153faaf0e42ffadc4a2e39dde0eda9e SHA256 247fb02791f7a4879327a2d6a2119d12a6aa5d736809f3c58352d9e619136d5b
 EBUILD nss-3.12.11-r1.ebuild 7127 RMD160 4c9528b288fab68583d31b63c058c377660f3f63 SHA1 6de4415f2d2df2601c6815d2a4d0c156780c51e3 SHA256 e007958db501dc133b1e11d8d4220ca24f4978bf62347b0b92d0eec48c038a75
 EBUILD nss-3.12.9-r1.ebuild 6793 RMD160 14bbb410ee3e7794ae463eb834434de50b44bc37 SHA1 7107004afd31fda20cb72124d7c81809ce97e777 SHA256 692c1e4c8756663d73b6be3ed73a62b0939f4d67b7dd54d5b95b445060f80368
 EBUILD nss-3.13.1-r1.ebuild 6863 RMD160 7ec27021d2548d11ffd3aacd66c9b528ffab98ac SHA1 6fac0189ef3b63715d11267be88ff77279d1e4c4 SHA256 4c0189f88e1f9faae220443ee9895c94c94112efd97504820362f01ca60abc7f
-MISC ChangeLog 29781 RMD160 6e9151e9e082db4e3675a9e1c8a0ff0bb37c0aca SHA1 f7b035a6aae06479b9d420696715dfdfd406dd3f SHA256 b0c8f1ecf7526eee41239ee6d9ce06961f49bcfa071d969e8097dd56191aad7d
+EBUILD nss-3.13.1-r2.ebuild 7065 RMD160 10f0c1e33696e1fcae9924831930335d1ac06dff SHA1 154fdd66ce0fc147bd602350649c536036a20226 SHA256 2b27390b3d6268a124edc0e2792063e0d5e9c4848388f80cd7010c07342080b4
+MISC ChangeLog 29902 RMD160 39197e57f6f60a0a769e0abeb75b7e9920a5f633 SHA1 880322335c3819c3a5c33652c62065349c9659ea SHA256 808384f04054e5e60b6f97ee3f630043671b8a8d78546aa8443ab42267fe2069
 MISC metadata.xml 245 RMD160 f0c9fbd458bca39f235195807582f530797bcd27 SHA1 a2c000437e0149764d8aa0a4e58b8cf106685d83 SHA256 58443b11f9dff75b5d4391f03dbafd90305a0ec8f046f8f0068fb95777c01bd4
 -----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.17 (GNU/Linux)
+Version: GnuPG v2.0.18 (GNU/Linux)
 
-iEYEAREKAAYFAk8O/TMACgkQuUQtlDBCeQItGQCfWTiESz+pF6MOwOwEBIbKPCDn
-/5gAn3YxleZXNT9UDwqK2jUHNPY5Pvo8
-=DB9I
+iQEcBAEBAgAGBQJPIh3FAAoJEIXV9xahDnCojyUH/jAh5DFuCzIlVcX2sBZbHqK9
+qZhM+qbmDGgIqgTHYlp0xAkNAtjFp2UEXaylbJgJxRkML4mvkg8ksgZrGfjo+HCa
+GfTToFBgJYHQ3niNKDaYKPiRGAdAiNXQioDvM0Y7Ogey2OgiPuriM4PUiS0zlnp/
+9iRiyVx5hUHuxI58WtwVyl/7uw246m4zxMbDWMAdPSciCD+/N3SZEWMm68rgQCP8
+FWF7AwY+DzdOPapwRuzlGciX1PyIpCUoRsDGH1H1KhK1c7j7wKLYeSpITMNy1gGC
+Bm6+NgOfyI+VgJmpGkOwDQPRv0nfM+7xJsmbk6By5GF9MZ2z31DImFC9RFs+jIk=
+=rhxO
 -----END PGP SIGNATURE-----
diff --git a/dev-libs/nss/nss-3.13.1-r2.ebuild b/dev-libs/nss/nss-3.13.1-r2.ebuild
new file mode 100644
index 000000000000..5a0ad46694d9
--- /dev/null
+++ b/dev-libs/nss/nss-3.13.1-r2.ebuild
@@ -0,0 +1,209 @@
+# Copyright 1999-2012 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-libs/nss/nss-3.13.1-r2.ebuild,v 1.1 2012/01/27 03:45:50 anarchy Exp $
+
+EAPI=3
+inherit eutils flag-o-matic multilib toolchain-funcs
+
+NSPR_VER="4.8.9"
+RTM_NAME="NSS_${PV//./_}_RTM"
+RTM_NAMECKBI="NSS_${PV//./_}_WITH_CKBI_1_88_RTM"
+DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
+HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+SRC_URI="ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/${RTM_NAMECKBI}/src/${P}.with.ckbi.1.88.tar.gz
+	http://dev.gentoo.org/~anarchy/patches/nss-3.13.1-add_cacert_ca_certs.patch"
+
+LICENSE="|| ( MPL-1.1 GPL-2 LGPL-2.1 )"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~x86-macos ~sparc-solaris ~x64-solaris ~x86-solaris"
+IUSE="utils"
+
+DEPEND="dev-util/pkgconfig"
+RDEPEND=">=dev-libs/nspr-${NSPR_VER}
+	>=dev-db/sqlite-3.5
+	sys-libs/zlib"
+
+src_prepare() {
+	# Custom changes for gentoo
+	epatch "${FILESDIR}/${PN}-3.12.5-gentoo-fixups.diff"
+	epatch "${FILESDIR}/${PN}-3.12.6-gentoo-fixup-warnings.patch"
+	epatch "${FILESDIR}/nss-3.13.1-pkcs11n-header-fix.patch"
+	epatch "${DISTDIR}/nss-3.13.1-add_cacert_ca_certs.patch"
+
+	cd "${S}"/mozilla/security/coreconf || die
+	# hack nspr paths
+	echo 'INCLUDES += -I'"${EPREFIX}"'/usr/include/nspr -I$(DIST)/include/dbm' \
+		>> headers.mk || die "failed to append include"
+
+	# modify install path
+	sed -e 's:SOURCE_PREFIX = $(CORE_DEPTH)/\.\./dist:SOURCE_PREFIX = $(CORE_DEPTH)/dist:' \
+		-i source.mk || die
+
+	# Respect LDFLAGS
+	sed -i -e 's/\$(MKSHLIB) -o/\$(MKSHLIB) \$(LDFLAGS) -o/g' rules.mk || die
+
+	# Ensure we stay multilib aware
+	sed -i -e "s:gentoo\/nss:$(get_libdir):" "${S}"/mozilla/security/nss/config/Makefile || die "Failed to fix for multilib"
+
+	# Fix pkgconfig file for Prefix
+	sed -i -e "/^PREFIX =/s:= /usr:= ${EPREFIX}/usr:" \
+		"${S}"/mozilla/security/nss/config/Makefile || die
+
+	epatch "${FILESDIR}/nss-3.13.1-solaris-gcc.patch"
+
+	# dirty hack
+	cd "${S}"/mozilla/security/nss || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../freebl/\$(OBJDIR):" \
+		lib/ssl/config.mk || die
+	sed -i -e "/CRYPTOLIB/s:\$(SOFTOKEN_LIB_DIR):../../lib/freebl/\$(OBJDIR):" \
+		cmd/platlibs.mk || die
+}
+
+src_compile() {
+	strip-flags
+
+	echo > "${T}"/test.c || die
+	$(tc-getCC) ${CFLAGS} -c "${T}"/test.c -o "${T}"/test.o || die
+	case $(file "${T}"/test.o) in
+	*64-bit*|*ppc64*|*x86_64*) export USE_64=1;;
+	*32-bit*|*ppc*|*i386*) ;;
+	*) die "Failed to detect whether your arch is 64bits or 32bits, disable distcc if you're using it, please";;
+	esac
+
+	export NSPR_INCLUDE_DIR=`nspr-config --includedir`
+	export NSPR_LIB_DIR=`nspr-config --libdir`
+	export BUILD_OPT=1
+	export NSS_USE_SYSTEM_SQLITE=1
+	export NSDISTMODE=copy
+	export NSS_ENABLE_ECC=1
+	export XCFLAGS="${CFLAGS}"
+	export FREEBL_NO_DEPEND=1
+	export ASFLAGS=""
+
+	cd "${S}"/mozilla/security/coreconf || die
+	emake -j1 CC="$(tc-getCC)" || die "coreconf make failed"
+	cd "${S}"/mozilla/security/dbm || die
+	emake -j1 CC="$(tc-getCC)" || die "dbm make failed"
+	cd "${S}"/mozilla/security/nss || die
+	emake -j1 CC="$(tc-getCC)" || die "nss make failed"
+}
+
+# Altering these 3 libraries breaks the CHK verification.
+# All of the following cause it to break:
+# - stripping
+# - prelink
+# - ELF signing
+# http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn6.html
+# Either we have to NOT strip them, or we have to forcibly resign after
+# stripping.
+#local_libdir="$(get_libdir)"
+#export STRIP_MASK="
+#	*/${local_libdir}/libfreebl3.so*
+#	*/${local_libdir}/libnssdbm3.so*
+#	*/${local_libdir}/libsoftokn3.so*"
+
+export NSS_CHK_SIGN_LIBS="freebl3 nssdbm3 softokn3"
+
+generate_chk() {
+	local shlibsign="$1"
+	local libdir="$2"
+	einfo "Resigning core NSS libraries for FIPS validation"
+	shift 2
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libname=lib${i}.so
+		local chkname=lib${i}.chk
+		"${shlibsign}" \
+			-i "${libdir}"/${libname} \
+			-o "${libdir}"/${chkname}.tmp \
+		&& mv -f \
+			"${libdir}"/${chkname}.tmp \
+			"${libdir}"/${chkname} \
+		|| die "Failed to sign ${libname}"
+	done
+}
+
+cleanup_chk() {
+	local libdir="$1"
+	shift 1
+	for i in ${NSS_CHK_SIGN_LIBS} ; do
+		local libfname="${libdir}/lib${i}.so"
+		# If the major version has changed, then we have old chk files.
+		[ ! -f "${libfname}" -a -f "${libfname}.chk" ] \
+			&& rm -f "${libfname}.chk"
+	done
+}
+
+src_install () {
+	MINOR_VERSION=12
+	cd "${S}"/mozilla/security/dist || die
+
+	dodir /usr/$(get_libdir) || die
+	cp -L */lib/*$(get_libname) "${ED}"/usr/$(get_libdir) || die "copying shared libs failed"
+	# We generate these after stripping the libraries, else they don't match.
+	#cp -L */lib/*.chk "${ED}"/usr/$(get_libdir) || die "copying chk files failed"
+	cp -L */lib/libcrmf.a "${ED}"/usr/$(get_libdir) || die "copying libs failed"
+
+	# Install nss-config and pkgconfig file
+	dodir /usr/bin || die
+	cp -L */bin/nss-config "${ED}"/usr/bin || die
+	dodir /usr/$(get_libdir)/pkgconfig || die
+	cp -L */lib/pkgconfig/nss.pc "${ED}"/usr/$(get_libdir)/pkgconfig || die
+
+	# all the include files
+	insinto /usr/include/nss
+	doins public/nss/*.h || die
+	cd "${ED}"/usr/$(get_libdir) || die
+	local n=
+	for file in *$(get_libname); do
+		n=${file%$(get_libname)}$(get_libname ${MINOR_VERSION})
+		mv ${file} ${n} || die
+		ln -s ${n} ${file} || die
+		if [[ ${CHOST} == *-darwin* ]]; then
+			install_name_tool -id "${EPREFIX}/usr/$(get_libdir)/${n}" ${n} || die
+		fi
+	done
+
+	local nssutils
+	# Always enabled because we need it for chk generation.
+	nssutils="shlibsign"
+	if use utils; then
+		# The tests we do not need to install.
+		#nssutils_test="bltest crmftest dbtest dertimetest
+		#fipstest remtest sdrtest"
+		nssutils="addbuiltin atob baddbdir btoa certcgi certutil checkcert
+		cmsutil conflict crlutil derdump digest makepqg mangle modutil multinit
+		nonspr10 ocspclnt oidcalc p7content p7env p7sign p7verify pk11mode
+		pk12util pp rsaperf selfserv shlibsign signtool signver ssltap strsclnt
+		symkeyutil tstclnt vfychain vfyserv"
+	fi
+	cd "${S}"/mozilla/security/dist/*/bin/ || die
+	for f in $nssutils; do
+		dobin ${f} || die
+	done
+
+	# Prelink breaks the CHK files. We don't have any reliable way to run
+	# shlibsign after prelink.
+	declare -a libs
+	for l in ${NSS_CHK_SIGN_LIBS} ; do
+		libs+=("${EPREFIX}/usr/$(get_libdir)/lib${l}.so")
+	done
+	OLD_IFS="${IFS}" IFS=":" ; liblist="${libs[*]}" ; IFS="${OLD_IFS}"
+	echo -e "PRELINK_PATH_MASK=${liblist}" >"${T}/90nss" || die
+	unset libs liblist
+	doenvd "${T}/90nss" || die
+}
+
+pkg_postinst() {
+	elog "We have reverted back to using upstreams soname."
+	elog "Please run revdep-rebuild --library libnss3.so.12 , this"
+	elog "will correct most issues. If you find a binary that does"
+	elog "not run please re-emerge package to ensure it properly"
+	elog " links after upgrade."
+	elog
+	# We must re-sign the libraries AFTER they are stripped.
+	generate_chk "${EROOT}"/usr/bin/shlibsign "${EROOT}"/usr/$(get_libdir)
+}
+
+pkg_postrm() {
+	cleanup_chk "${EROOT}"/usr/$(get_libdir)
+}
author	Jory Pratt <anarchy@gentoo.org>	2012-01-27 03:45:50 +0000
committer	Jory Pratt <anarchy@gentoo.org>	2012-01-27 03:45:50 +0000
commit	65e4f466c34d5b2de8f229252b7459fed061c74b (patch)
tree	807c8c3f2ef23b1c68767c3b47fd2bf0b438994f /dev-libs
parent	version bump (diff)
download	historical-65e4f466c34d5b2de8f229252b7459fed061c74b.tar.gz historical-65e4f466c34d5b2de8f229252b7459fed061c74b.tar.bz2 historical-65e4f466c34d5b2de8f229252b7459fed061c74b.zip