1 # Buildsheet autogenerated by ravenadm tool -- Do not edit.
7 SDESC[standard]= Application security development libraries
8 HOMEPAGE= http://www.mozilla.org/projects/security/pki/nss/
12 SITES[main]= MOZILLA/security/nss/releases/NSS_3_53_1_RTM/src
13 DISTFILE[1]= nss-3.53.1.tar.gz:main
15 SPKGS[standard]= complete
19 OPTIONS_AVAILABLE= none
20 OPTIONS_STANDARD= none
22 BUILD_DEPENDS= libressl:single:static
23 BUILDRUN_DEPENDS= nspr:single:standard
25 USES= cpe gmake perl:build sqlite zlib
27 DISTNAME= nss-3.53.1/nss
30 LICENSE_FILE= MPL:{{WRKSRC}}/COPYING
33 CPE_PRODUCT= network_security_services
35 FPC_EQUIVALENT= security/nss
37 MAKE_ENV= LIBRARY_PATH="{{LOCALBASE}}/lib"
38 SQLITE_INCLUDE_DIR="{{LOCALBASE}}/include"
41 NSS_USE_SYSTEM_SQLITE=1
45 PLIST_SUB= CERTDIR=share/certs
50 SUB_LIST= VERSION_NSS=3.53.1
52 CFLAGS= -I{{LOCALBASE}}/include/nspr
53 LDFLAGS= -Wl,-rpath,{{PREFIX}}/lib/nss
54 VAR_OPSYS[sunos]= MAKE_ENV=NS_USE_GCC=1
55 MAKE_ENV=NO_MDUPDATE=1
56 VAR_OPSYS[linux]= MAKE_ENV=RPATH=-Wl,-rpath,{{PREFIX}}/lib/nss
57 VAR_ARCH[x86_64]= MAKE_ENV=USE_64=1
60 ${REINPLACE_CMD} '/NSS_DEFAULT_SYSTEM/s,/etc,${PREFIX}&,' \
61 ${WRKSRC}/lib/sysinit/nsssysinit.c
63 ${FIND} . -name "*.c" -o -name "*.h" | \
64 ${XARGS} ${GREP} -l -F '"nspr.h"' | \
65 ${XARGS} ${REINPLACE_CMD} -e 's|"nspr.h"|<nspr.h>|')
66 ${FIND} ${WRKSRC}/tests -name '*.sh' | \
67 ${XARGS} ${GREP} -l -F '/bin/bash' | \
68 ${XARGS} ${REINPLACE_CMD} -e 's|#! */bin/bash|#!${SH}|'
69 ${REINPLACE_CMD} -e 's/@OS_RELEASE@/${OSREL}/' ${WRKSRC}/coreconf/arch.mk
72 ${SETENV} ${MAKE_ENV} ${PERL} ${WRKDIR}/MAca-bundle.pl \
73 < ${WRKSRC}/lib/ckfw/builtins/certdata.txt > ${WRKDIR}/ca-root-nss.crt
76 @${MKDIR} ${STAGEDIR}${PREFIX}/include/nss/nss \
77 ${STAGEDIR}${PREFIX}/lib/nss \
78 ${STAGEDIR}${PREFIX}/share/certs
79 ${FIND} ${WRKDIR}/nss-3.53.1/dist/public/nss -type l \
80 -exec ${INSTALL_DATA} {} ${STAGEDIR}${PREFIX}/include/nss/nss \;
81 ${INSTALL_LIB} ${WRKDIR}/nss-3.53.1/dist/${OPSYS}*_OPT.OBJ/lib/*.${LIBEXT} \
82 ${STAGEDIR}${PREFIX}/lib/nss
83 ${INSTALL_DATA} ${WRKDIR}/nss-3.53.1/dist/${OPSYS}*_OPT.OBJ/lib/libcrmf.a \
84 ${STAGEDIR}${PREFIX}/lib/nss
85 .for bin in certutil cmsutil crlutil derdump makepqg mangle modutil ocspclnt oidcalc p7content p7env p7sign p7verify pk12util rsaperf shlibsign signtool signver ssltap strsclnt symkeyutil vfychain vfyserv
86 ${INSTALL_PROGRAM} ${WRKDIR}/nss-3.53.1/dist/${OPSYS}*_OPT.OBJ/bin/${bin} \
87 ${STAGEDIR}${PREFIX}/bin
89 ${INSTALL_SCRIPT} ${WRKDIR}/nss-config ${STAGEDIR}${PREFIX}/bin
90 ${INSTALL_DATA} ${WRKDIR}/nss.pc ${STAGEDIR}${PREFIX}/lib/pkgconfig
92 .for D in openssl openssl-devel libressl libressl-devel
93 ${MKDIR} ${STAGEDIR}${PREFIX}/etc/${D}
94 ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt \
95 ${STAGEDIR}${PREFIX}/etc/${D}/cert.pem.sample
97 ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt \
98 ${STAGEDIR}${PREFIX}/share/certs
100 [FILE:301:descriptions/desc.primary]
101 Network Security Services (NSS) is a set of libraries designed to support
102 cross-platform development of security-enabled server applications.
103 Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5,
104 PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other
108 [FILE:120:descriptions/desc.caroot]
109 Root certificates from certificate authorities included in the Mozilla
110 NSS library and thus in Firefox and Thunderbird.
114 2dccde67079b25c4e95ac3121f11b2819c37cf8c48ca263a45d8f83f7a315316 81297900 nss-3.53.1.tar.gz
117 [FILE:1552:manifests/plist.primary]
118 %%ONLY-LINUX%%lib/nss/libnsssysinit.so
251 libnssckbi-testlib.so
261 [FILE:186:manifests/plist.caroot]
262 @sample etc/libressl-devel/cert.pem.sample
263 @sample etc/libressl/cert.pem.sample
264 @sample etc/openssl-devel/cert.pem.sample
265 @sample etc/openssl/cert.pem.sample
266 %%CERTDIR%%/ca-root-nss.crt
269 [FILE:449:patches/patch-bug301986]
270 --- lib/util/nssilckt.h.orig 2020-06-16 22:50:59 UTC
271 +++ lib/util/nssilckt.h
272 @@ -163,7 +163,7 @@ typedef enum {
273 ** Declare the trace record
276 - PRUint32 threadID; /* PR_GetThreadID() */
277 + pthread_t threadID; /* PR_GetThreadID() */
278 nssILockOp op; /* operation being performed */
279 nssILockType ltype; /* lock type identifier */
280 PRIntervalTime callTime; /* time spent in function */
283 [FILE:2109:patches/patch-const]
284 --- cmd/modutil/modutil.h.orig 2020-06-16 22:50:59 UTC
285 +++ cmd/modutil/modutil.h
289 Error LoadMechanismList(void);
290 -Error FipsMode(char *arg);
291 -Error ChkFipsMode(char *arg);
292 +Error FipsMode(const char *arg);
293 +Error ChkFipsMode(const char *arg);
294 Error AddModule(char *moduleName, char *libFile, char *ciphers,
295 char *mechanisms, char *modparms);
296 Error DeleteModule(char *moduleName);
297 --- cmd/modutil/pk11.c.orig 2020-06-16 22:50:59 UTC
298 +++ cmd/modutil/pk11.c
300 * disable FIPS mode on the internal module.
304 +FipsMode(const char *arg)
308 @@ -25,16 +25,18 @@ FipsMode(char *arg)
309 internal_name = PR_smprintf("%s",
310 SECMOD_GetInternalModule()->commonName);
311 if (SECMOD_DeleteInternalModule(internal_name) != SECSuccess) {
312 - PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError()));
313 + PR_fprintf(PR_STDERR, "FipsMode(true): %s (%s)\n", SECU_Strerror(PORT_GetError()), internal_name);
314 PR_smprintf_free(internal_name);
315 PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
316 return FIPS_SWITCH_FAILED_ERR;
318 - PR_smprintf_free(internal_name);
319 if (!PK11_IsFIPS()) {
320 + PR_fprintf(PR_STDERR, "FipsMode(true): in module %s", internal_name);
321 + PR_smprintf_free(internal_name);
322 PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]);
323 return FIPS_SWITCH_FAILED_ERR;
325 + PR_smprintf_free(internal_name);
326 PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]);
328 PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]);
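Review bot: The added `PR_fprintf(PR_STDERR, "FipsMode(true): in module %s", internal_name);` has no trailing newline, so the `errStrings[FIPS_SWITCH_FAILED_ERR]` text printed on the next line is appended to the same output line; the other message added in this hunk does end in `\n`. Change it to `PR_fprintf(PR_STDERR, "FipsMode(true): in module %s\n", internal_name);`. Moving `PR_smprintf_free(internal_name)` after the last use is correct, but several lines of the hunk are elided in this view, so check that no early exit between the allocation and the new free calls skips it.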
329 @@ -75,7 +77,7 @@ FipsMode(char *arg)
330 * If arg=="false", verify FIPS mode is disabled on the internal module.
333 -ChkFipsMode(char *arg)
334 +ChkFipsMode(const char *arg)
336 if (!PORT_Strcasecmp(arg, "true")) {
340 [FILE:1383:patches/patch-coreconf_Darwin.mk]
341 --- coreconf/Darwin.mk.orig 2020-06-16 22:50:59 UTC
342 +++ coreconf/Darwin.mk
343 @@ -7,8 +7,8 @@ CC ?= gcc
347 +NSS_ENABLE_WERROR = 0
348 include $(CORE_DEPTH)/coreconf/UNIX.mk
349 -include $(CORE_DEPTH)/coreconf/Werror.mk
351 DEFAULT_COMPILER = gcc
353 @@ -127,21 +127,4 @@ PROCESS_MAP_FILE = grep -v ';+' $< | gre
357 -# The system sqlite library in the latest version of Mac OS X often becomes
358 -# newer than the sqlite library in NSS. This may result in certain Mac OS X
359 -# system libraries having unresolved sqlite symbols during the shlibsign step
360 -# of the NSS build when we set DYLD_LIBRARY_PATH to the NSS lib directory and
361 -# the NSS libsqlite3.dylib is used instead of the system one. So just use the
362 -# system sqlite library on Mac, if it's sufficiently new.
364 -SYS_SQLITE3_VERSION_FULL := $(shell /usr/bin/sqlite3 -version | awk '{print $$1}')
365 -SYS_SQLITE3_VERSION_MAJOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$1 }')
366 -SYS_SQLITE3_VERSION_MINOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$2 }')
368 -ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR))
369 - ifeq (,$(filter-out 0 1 2 3 4,$(SYS_SQLITE3_VERSION_MINOR)))
370 - # sqlite <= 3.4.x is too old, it doesn't provide sqlite3_file_control
372 - NSS_USE_SYSTEM_SQLITE = 1
375 +NSS_USE_SYSTEM_SQLITE = 1
378 [FILE:1313:patches/patch-coreconf_DragonFly.mk]
379 --- /dev/null 2020-06-17 17:51:18 UTC
380 +++ coreconf/DragonFly.mk
383 +# This Source Code Form is subject to the terms of the Mozilla Public
384 +# License, v. 2.0. If a copy of the MPL was not distributed with this
385 +# file, You can obtain one at http://mozilla.org/MPL/2.0/.
387 +include $(CORE_DEPTH)/coreconf/UNIX.mk
389 +DEFAULT_COMPILER = gcc
394 +CPU_ARCH = $(OS_TEST)
395 +ifeq ($(CPU_ARCH),i386)
398 +ifeq ($(CPU_ARCH),amd64)
402 +ifneq (,$(filter %64, $(OS_TEST)))
406 +OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK
409 +DSO_LDOPTS = -shared -Wl,-soname -Wl,$(notdir $@)
412 +# The default implementation strategy for FreeBSD is pthreads.
416 +DEFINES += -D_THREAD_SAFE -D_REENTRANT
418 +DSO_LDOPTS += -pthread
425 +MKSHLIB = $(CC) $(DSO_LDOPTS)
427 + MKSHLIB += -Wl,--version-script,$(MAPFILE)
429 +PROCESS_MAP_FILE = grep -v ';-' $< | \
430 + sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@
432 +G++INCLUDES = -I/usr/include/c++
438 [FILE:1125:patches/patch-coreconf_FreeBSD.mk]
439 --- coreconf/FreeBSD.mk.orig 2020-06-16 22:50:59 UTC
440 +++ coreconf/FreeBSD.mk
443 include $(CORE_DEPTH)/coreconf/UNIX.mk
445 -DEFAULT_COMPILER = gcc
448 +DEFAULT_COMPILER = $(CC)
453 CPU_ARCH = $(OS_TEST)
454 @@ -20,6 +20,16 @@ endif
455 ifeq ($(CPU_ARCH),amd64)
458 +ifneq (,$(filter arm%, $(CPU_ARCH)))
461 +ifneq (,$(filter powerpc%, $(CPU_ARCH)))
465 +ifneq (,$(filter %64, $(OS_TEST)))
469 OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK
471 @@ -46,7 +56,11 @@ else
475 -MKSHLIB = $(CC) $(DSO_LDOPTS)
476 +ifneq (,$(filter alpha ia64,$(OS_TEST)))
477 +MKSHLIB = $(CC) -Wl,-Bsymbolic -lc $(DSO_LDOPTS)
479 +MKSHLIB = $(CC) -Wl,-Bsymbolic $(DSO_LDOPTS)
482 MKSHLIB += -Wl,--version-script,$(MAPFILE)
484 @@ -55,4 +69,5 @@ PROCESS_MAP_FILE = grep -v ';-' $< | \
486 G++INCLUDES = -I/usr/include/g++
488 -INCLUDES += -I/usr/X11R6/include
493 [FILE:2044:patches/patch-coreconf_SunOS5.mk]
494 --- coreconf/SunOS5.mk.orig 2020-06-16 22:50:59 UTC
495 +++ coreconf/SunOS5.mk
496 @@ -14,14 +14,14 @@ ifeq ($(USE_64), 1)
500 - ifeq ($(OS_TEST),i86pc)
501 + ifeq ($(OS_TEST),x86_64)
502 ARCHFLAG=-xarch=amd64
508 - ifneq ($(OS_TEST),i86pc)
509 + ifneq ($(OS_TEST),x86_64)
513 @@ -33,10 +33,10 @@ endif
514 DEFAULT_COMPILER = cc
519 OS_CFLAGS += -Wall -Wno-format -Werror-implicit-function-declaration -Wno-switch
520 OS_CFLAGS += -D__EXTENSIONS__
523 CCC += -Wall -Wno-format
524 ASFLAGS += -x assembler-with-cpp
525 OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG)
526 @@ -65,7 +65,7 @@ RANLIB = echo
528 OS_DEFINES += -DSVR4 -DSYSV -D__svr4 -D__svr4__ -DSOLARIS -D_REENTRANT
530 -ifeq ($(OS_TEST),i86pc)
531 +ifeq ($(OS_TEST),x86_64)
535 @@ -107,15 +107,11 @@ endif
536 DSO_LDOPTS += -shared -h $(notdir $@)
539 - ifeq ($(OS_TEST),i86pc)
540 - DSO_LDOPTS +=-xarch=amd64
542 - DSO_LDOPTS +=-xarch=v9
546 DSO_LDOPTS += -G -h $(notdir $@)
548 -DSO_LDOPTS += -z combreloc -z defs -z ignore
549 +# DSO_LDOPTS += -Wl,-z,origin
551 # -KPIC generates position independent code for use in shared libraries.
552 # (Similarly for -fPIC in case of gcc.)
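Review bot: The line replacing the removed `DSO_LDOPTS += -z combreloc -z defs -z ignore` is a commented-out `# DSO_LDOPTS += -Wl,-z,origin`, which adds dead text and gives no reason for dropping the flags. Without `-z defs` the Solaris link step no longer fails on unresolved symbols in the shared objects, so a missing dependency surfaces only at load time. Either drop the commented line or replace it with a rationale, e.g. `# -z defs/ignore dropped: <reason>; unresolved symbols are no longer a link error`. The enclosing conditional begins outside the visible lines.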
553 @@ -127,16 +123,5 @@ endif
555 NOSUCHFILE = /solaris-rm-f-sucks
557 -ifeq ($(BUILD_SUN_PKG), 1)
558 -# The -R '$ORIGIN' linker option instructs this library to search for its
559 -# dependencies in the same directory where it resides.
561 -RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
563 -RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps'
566 -RPATH = -R '$$ORIGIN'
569 -OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc
571 +RPATH = $(LDFLAGS) #-Wl,-rpath,$(PREFIX)/lib/nss
574 [FILE:286:patches/patch-coreconf_UNIX.mk]
575 --- coreconf/UNIX.mk.orig 2020-06-16 22:50:59 UTC
577 @@ -10,10 +10,8 @@ AR = ar cr $@
578 LDOPTS += -L$(SOURCE_LIB_DIR)
582 DEFINES += -UDEBUG -DNDEBUG
585 DEFINES += -DDEBUG -UNDEBUG
590 [FILE:611:patches/patch-coreconf_arch.mk]
591 --- coreconf/arch.mk.orig 2020-06-16 22:50:59 UTC
593 @@ -26,7 +26,7 @@ OS_ARCH := $(subst /,_,$(shell uname -s)
594 # Attempt to differentiate between sparc and x86 Solaris
597 -OS_TEST := $(shell uname -m)
598 +OS_TEST := $(shell uname -p)
599 ifeq ($(OS_TEST),i86pc)
600 OS_RELEASE := $(shell uname -r)_$(OS_TEST)
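Review bot: The context line right after the changed assignment still tests `ifeq ($(OS_TEST),i86pc)`, which is a `uname -m` value; with `OS_TEST := $(shell uname -p)` that branch presumably never matches, so `OS_RELEASE := $(shell uname -r)_$(OS_TEST)` is silently skipped. If that is intended (the SunOS5.mk patch in this buildsheet compares OS_TEST against `x86_64`), say so in a comment such as `# OS_TEST now comes from uname -p; the i86pc branch below no longer applies`, or update the comparison to match. The enclosing conditional starts on a line that is not visible here.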
602 @@ -118,6 +118,10 @@ ifeq ($(OS_ARCH),Linux)
606 +ifeq ($(OS_ARCH),DragonFly)
607 +OS_RELEASE := @OS_RELEASE@
610 # Since all uses of OS_ARCH that follow affect only userland, we can
611 # merge other Glibc systems with Linux here.
612 ifeq ($(OS_ARCH),GNU)
615 [FILE:496:patches/patch-coreconf_command.mk]
616 --- coreconf/command.mk.orig 2020-06-16 22:50:59 UTC
617 +++ coreconf/command.mk
618 @@ -12,7 +12,7 @@ AS = $(CC)
620 CCF = $(CC) $(CFLAGS)
621 LINK_DLL = $(LD) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS)
622 -CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
623 +CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \
624 $(DEFINES) $(INCLUDES) $(XCFLAGS)
629 [FILE:465:patches/patch-coreconf_config.mk]
630 --- coreconf/config.mk.orig 2020-06-16 22:50:59 UTC
631 +++ coreconf/config.mk
632 @@ -31,7 +31,7 @@ endif
633 #######################################################################
635 TARGET_OSES = FreeBSD BSD_OS NetBSD OpenUNIX OS2 QNX Darwin BeOS OpenBSD \
636 - AIX RISCOS WINNT WIN95 Linux Android
637 + AIX RISCOS WINNT WIN95 Linux Android DragonFly
639 ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET)))
640 include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk
643 [FILE:248:patches/patch-coreconf_location.mk]
644 --- coreconf/location.mk.orig 2020-06-16 22:50:59 UTC
645 +++ coreconf/location.mk
646 @@ -37,7 +37,7 @@ ifdef NSPR_INCLUDE_DIR
650 - NSPR_LIB_DIR = $(DIST)/lib
651 + NSPR_LIB_DIR = $(PREFIX)/lib
654 ifdef NSS_INCLUDE_DIR
657 [FILE:308:patches/patch-coreconf_ruleset.mk]
658 --- coreconf/ruleset.mk.orig 2020-06-16 22:50:59 UTC
659 +++ coreconf/ruleset.mk
664 - ifneq ($(DEFAULT_COMPILER), $(notdir $(firstword $(CC))))
665 + ifneq ($(DEFAULT_COMPILER), $(CC))
667 # Temporary define for the Client; to be removed when binary release is used
671 [FILE:720:patches/patch-lib_freebl_Makefile]
672 --- lib/freebl/Makefile.orig 2020-06-16 22:50:59 UTC
673 +++ lib/freebl/Makefile
674 @@ -238,7 +238,7 @@ ifeq ($(CPU_ARCH),x86)
678 -ifeq ($(OS_TARGET),Linux)
679 +ifeq (,$(filter-out Linux DragonFly FreeBSD, $(OS_TARGET)))
680 ifeq ($(CPU_ARCH),x86_64)
681 ASFILES = arcfour-amd64-gas.s mpi_amd64_gas.s
682 ASFLAGS += -fPIC -Wa,--noexecstack
683 @@ -323,7 +323,7 @@ endif
684 # to bind the blapi function references in FREEBLVector vector
685 # (ldvector.c) to the blapi functions defined in the freebl
687 -ifeq (,$(filter-out BSD_OS FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
688 +ifeq (,$(filter-out BSD_OS DragonFly FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET)))
689 MKSHLIB += -Wl,-Bsymbolic
694 [FILE:1041:patches/patch-lib_freebl_mpi_mpcpucache.c]
695 --- lib/freebl/mpi/mpcpucache.c.orig 2020-06-16 22:50:59 UTC
696 +++ lib/freebl/mpi/mpcpucache.c
697 @@ -706,6 +706,32 @@ s_mpi_getProcessorLineSize()
700 #if defined(__ppc64__)
702 +#if defined(__FreeBSD__)
703 +#include <sys/stddef.h>
704 +#include <sys/sysctl.h>
706 +#include <machine/cpu.h>
707 +#include <machine/md_var.h>
710 +s_mpi_getProcessorLineSize()
712 + static int cacheline_size = 0;
713 + static int cachemib[] = { CTL_MACHDEP, CPU_CACHELINE };
716 + if (cacheline_size > 0)
717 + return cacheline_size;
719 + clen = sizeof(cacheline_size);
720 + if (sysctl(cachemib, sizeof(cachemib) / sizeof(cachemib[0]),
721 + &cacheline_size, &clen, NULL, 0) < 0 || !cacheline_size)
722 + return 128; /* guess */
724 + return cacheline_size;
728 * Sigh, The PPC has some really nice features to help us determine cache
729 * size, since it had lots of direct control functions to do so. The POWER
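Review bot: After the `sysctl()` call the only sanity check on the result is `!cacheline_size`, so a negative value would be stored in the static and returned as the cache line size, although the early-return test above it uses `> 0`. Make the failure test consistent with that guard: `&cacheline_size, &clen, NULL, 0) < 0 || cacheline_size <= 0)`. The declaration of `clen` and the function's return type are elided from this view.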
730 @@ -759,6 +785,7 @@ s_mpi_getProcessorLineSize()
736 #define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1
740 [FILE:600:patches/patch-lib_softoken_pkcs11.c]
741 --- lib/softoken/pkcs11.c.orig 2020-06-16 22:50:59 UTC
742 +++ lib/softoken/pkcs11.c
743 @@ -3345,8 +3345,8 @@ nsc_CommonInitialize(CK_VOID_PTR pReserv
745 int major = 0, minor = 0;
747 - long rv = sysinfo(SI_RELEASE, buf, sizeof(buf));
748 - if (rv > 0 && rv < sizeof(buf)) {
749 + long sunrv = sysinfo(SI_RELEASE, buf, sizeof(buf));
750 + if (sunrv > 0 && sunrv < sizeof(buf)) {
751 if (2 == sscanf(buf, "%d.%d", &major, &minor)) {
752 /* Are we on Solaris 10 or greater ? */
753 if (major > 5 || (5 == major && minor >= 10)) {
756 [FILE:1013:patches/patch-lib_softoken_pkcs11c.c]
757 --- lib/softoken/pkcs11c.c.orig 2020-06-16 22:50:59 UTC
758 +++ lib/softoken/pkcs11c.c
759 @@ -6113,9 +6113,6 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
761 case NSSLOWKEYDSAKey:
763 - crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
766 crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
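Review bot: Both hunks of this patch delete `crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;` from sftk_unwrapPrivateKey, here under `case NSSLOWKEYDSAKey:` and again in the hunk at -6155, and nothing in the patch says why. This relaxes a validation step in softoken's private-key unwrap path compared with the upstream source: a key object without the CKA_NSS_DB attribute is no longer rejected at this point. The patch should carry a header comment with the reason and a reference, e.g. `# Drops the CKA_NSS_DB requirement on unwrap; see <upstream bug reference>`. Confirm on each NSS version bump that later code does not rely on that attribute being present. Several lines of both hunks are elided in this view, so the full case bodies are not visible.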
769 @@ -6155,9 +6152,6 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
770 /* what about fortezza??? */
773 - crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
776 crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
781 [FILE:6041:files/MAca-bundle.pl.in]
783 ## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt
785 ## Rewritten in September 2011 by Matthias Andree to heed untrust
788 ## Copyright (c) 2011, 2013 Matthias Andree <mandree@FreeBSD.org>
789 ## All rights reserved.
791 ## Redistribution and use in source and binary forms, with or without
792 ## modification, are permitted provided that the following conditions are
795 ## * Redistributions of source code must retain the above copyright
796 ## notice, this list of conditions and the following disclaimer.
798 ## * Redistributions in binary form must reproduce the above copyright
799 ## notice, this list of conditions and the following disclaimer in the
800 ## documentation and/or other materials provided with the distribution.
802 ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
803 ## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
804 ## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
805 ## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
806 ## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
807 ## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
808 ## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
809 ## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
810 ## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
811 ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
812 ## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
813 ## POSSIBILITY OF SUCH DAMAGE.
819 my $VERSION = '$FreeBSD: head/security/ca_root_nss/files/MAca-bundle.pl.in 325572 2013-08-29 08:10:09Z mandree $';
824 ## ca-root-nss.crt -- Bundle of CA Root Certificates
826 ## This is a bundle of X.509 certificates of public Certificate
827 ## Authorities (CA). These were automatically extracted from Mozilla's
828 ## root CA list (the file `certdata.txt').
830 ## Extracted from nss-%%VERSION_NSS%%
836 if defined $ENV{'WITH_DEBUG'}
837 and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/;
842 sub printcert_plain($$)
844 my ($label, $certdata) = @_;
845 print "=== $label ===\n" if $label;
847 "-----BEGIN CERTIFICATE-----\n",
848 MIME::Base64::encode_base64($certdata),
849 "-----END CERTIFICATE-----\n\n";
852 sub printcert_info($$)
854 my (undef, $certdata) = @_;
855 return unless $certdata;
856 open(OUT, "|openssl x509 -text -inform DER -fingerprint")
857 || die "could not pipe to openssl x509";
859 close(OUT) or die "openssl x509 failed with exit code $?";
864 printcert_info($a, $b);
873 my (undef,@oct) = split /\\/;
874 my @bin = map(chr(oct), @oct);
875 $data .= join('', @bin);
892 if (/^CKA_LABEL UTF8 "([^"]+)"/) {
896 if (/^CKA_VALUE MULTILINE_OCTAL/) {
897 $certdata = graboct();
900 if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
904 return ($serial, $cka_label, $certdata);
917 if (/^CKA_LABEL UTF8 "([^"]+)"/) {
921 if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) {
925 if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/)
927 if ($2 eq 'CKT_NSS_NOT_TRUSTED') {
929 } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') {
931 } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') {
932 confess "Unknown trust setting on line $.:\n"
934 . "Script must be updated:";
939 if (!$maytrust && !$distrust && $debug) {
940 print STDERR "line $.: no explicit trust/distrust found for $cka_label\n";
943 my $trust = ($maytrust and not $distrust);
944 return ($serial, $cka_label, $trust);
948 if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) {
949 my ($serial, $label, $certdata) = grabcert();
950 if (defined $certs{$label."\0".$serial}) {
951 warn "Certificate $label duplicated!\n";
953 $certs{$label."\0".$serial} = $certdata;
954 } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) {
955 my ($serial, $label, $trust) = grabtrust();
956 if (defined $trusts{$label."\0".$serial}) {
957 warn "Trust for $label duplicated!\n";
959 $trusts{$label."\0".$serial} = $trust;
960 } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) {
961 print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n";
967 map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res;
968 return wantarray ? @res : $res[0];
971 # weed out untrusted certificates
973 foreach my $it (keys %trusts) {
975 if (!exists($certs{$it})) {
976 warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug;
979 warn "Skipping untrusted ".printlabel($it)."\n" if $debug;
985 print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
986 print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n";
989 foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
990 if (!exists($trusts{$it})) {
991 die "Found certificate without trust block,\naborting";
993 printcert("", $certs{$it});
996 print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
999 if ($certcount < 25) {
1000 die "Certificate count of $certcount is implausibly low.\nAbort";
1003 print "## Number of certificates: $certcount\n";
1004 print STDERR "## Number of certificates: $certcount\n";
1005 print "## End of file.\n";
1008 [FILE:2352:files/nss-config.in]
1012 version=%%VERSION_NSS%%
1017 Usage: nss-config [OPTIONS] [LIBRARIES]
1020 [--exec-prefix[=DIR]]
1021 [--includedir[=DIR]]
1035 if test $# -eq 0; then
1044 while test $# -gt 0; do
1046 -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
1061 echo_exec_prefix=yes
1077 *.*.*) echo $version ;;
1078 *.*) echo $version.0 ;;
1079 *) echo $version.0.0 ;;
1107 # Set variables that may be dependent upon other variables
1108 if test -z "$exec_prefix"; then
1111 if test -z "$includedir"; then
1112 includedir=$prefix/include/nss
1114 if test -z "$libdir"; then
1115 libdir=$prefix/lib/nss
1118 if test "$echo_prefix" = "yes"; then
1122 if test "$echo_exec_prefix" = "yes"; then
1126 if test "$echo_includedir" = "yes"; then
1130 if test "$echo_libdir" = "yes"; then
1134 if test "$echo_cflags" = "yes"; then
1135 echo -I$includedir -I$includedir/nss
1138 if test "$echo_libs" = "yes"; then
1139 libdirs="-Wl,-R${libdir} -L$libdir"
1140 if test -n "$lib_ssl"; then
1141 libdirs="$libdirs -lssl3"
1143 if test -n "$lib_smime"; then
1144 libdirs="$libdirs -lsmime3"
1146 if test -n "$lib_nss"; then
1147 libdirs="$libdirs -lnss3"
1149 if test -n "$lib_nssutil"; then
1150 libdirs="$libdirs -lnssutil3"
1156 [FILE:315:files/nss.pc.in]
1158 exec_prefix=%%PREFIX%%
1159 libdir=%%PREFIX%%/lib/nss
1160 includedir=%%PREFIX%%/include
1163 Description: Mozilla Network Security Services
1164 Version: %%VERSION_NSS%%
1166 Libs: -Wl,-R${libdir} -L${libdir} -lnss3 -lsmime3 -lssl3 -lnssutil3
1167 Cflags: -I${includedir}/nss -I${includedir}/nss/nss
1170 [FILE:948:files/pkg-message-caroot.in]
1171 ********************************* WARNING *********************************
1173 Ravenports does not, and cannot, warrant that the certification authorities
1174 whose certificates are included in this package have in any way been
1175 audited for trustworthiness or RFC 3647 compliance.
1177 Assessment and verification of trust is the complete responsibility of the
1178 system administrator.
1180 *********************************** NOTE **********************************
1182 This package installs symlinks to support root certificate discovery by
1183 default for software that uses OpenSSL.
1185 This enables SSL Certificate Verification by client software without manual
1188 If you prefer to do this manually, replace the following symlinks with
1189 either an empty file or your site-local certificate bundle.
1192 * %%PREFIX%%/etc/ssl/cert.pem
1193 * %%PREFIX%%/openssl/cert.pem
1195 ***************************************************************************