Index: branches/2020Q1/security/ca_root_nss/Makefile
===================================================================
--- branches/2020Q1/security/ca_root_nss/Makefile (revision 522462)
+++ branches/2020Q1/security/ca_root_nss/Makefile (revision 522463)
@@ -1,68 +1,68 @@ # $FreeBSD$ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Root certificate bundle from the Mozilla Project LICENSE= MPL20 OPTIONS_DEFINE= ETCSYMLINK OPTIONS_DEFAULT= ETCSYMLINK OPTIONS_SUB= yes ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* USES= perl5 ssl:build USE_PERL5= build NO_ARCH= yes NO_WRKSUBDIR= yes CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # !!! These versions are intended to track security/nss. !!! # !!! Please DO NOT submit patches for new version until it has !!! # !!! been committed there first. !!! # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -VERSION_NSS= 3.48 +VERSION_NSS= 3.49 #NSS_SUFFIX= -with-ckbi-1.98 CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl SUB_FILES= MAca-bundle.pl pkg-message SUB_LIST= VERSION_NSS=${VERSION_NSS} do-extract: @${MKDIR} ${WRKDIR} @${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \ ${CERTDATA_TXT_PATH} @${CP} ${WRKDIR}/${CERTDATA_TXT_PATH} ${WRKDIR} @${RM} -r ${WRKDIR}/nss-${VERSION_NSS} do-build: apply-slist @${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \ ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \ < ${WRKDIR}/certdata.txt > \ ${WRKDIR}/ca-root-nss.crt do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR} ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample do-install-ETCSYMLINK-on: ${MKDIR} 
${STAGEDIR}/etc/ssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem .include
Index: branches/2020Q1/security/ca_root_nss/distinfo
===================================================================
--- branches/2020Q1/security/ca_root_nss/distinfo (revision 522462)
+++ branches/2020Q1/security/ca_root_nss/distinfo (revision 522463)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1575417811
-SHA256 (nss-3.48.tar.gz) = 3f9c822a86a4e3e1bfe63e2ed0f922d8b7c2e0b7cafe36774b1c627970d0f8ac
-SIZE (nss-3.48.tar.gz) = 76481237
+TIMESTAMP = 1578083263
+SHA256 (nss-3.49.tar.gz) = 6738094dc4fd63061118a122bf3999a64fe8c7117fc52f6e81c2279181bde71d
+SIZE (nss-3.49.tar.gz) = 76488781
Index: branches/2020Q1/security/nss/Makefile
===================================================================
--- branches/2020Q1/security/nss/Makefile (revision 522462)
+++ branches/2020Q1/security/nss/Makefile (revision 522463)
@@ -1,103 +1,103 @@ # Created by: Maxim Sobolev # $FreeBSD$ PORTNAME= nss -PORTVERSION= 3.48 +PORTVERSION= 3.49 CATEGORIES= security MASTER_SITES= MOZILLA/security/${PORTNAME}/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src MAINTAINER= gecko@FreeBSD.org COMMENT= Libraries to support development of security-enabled applications LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= zip:archivers/zip LIB_DEPENDS= libnspr4.so:devel/nspr \ libsqlite3.so:databases/sqlite3 TEST_DEPENDS= bash:shells/bash WRKSRC_SUBDIR= nss MAKE_JOBS_UNSAFE= yes USE_LDCONFIG= ${PREFIX}/lib/nss USES= cpe gmake perl5 CPE_VENDOR= mozilla CPE_PRODUCT= network_security_services USE_PERL5= build MAKE_ENV= LIBRARY_PATH="${LOCALBASE}/lib" \ SQLITE_INCLUDE_DIR="${LOCALBASE}/include" \ FREEBL_LOWHASH=1 \ NSS_DISABLE_GTESTS=1 \ NSS_USE_SYSTEM_SQLITE=1 CFLAGS+= -I${LOCALBASE}/include/nspr SUB_FILES= nss-config nss.pc SUB_LIST= PORTVERSION=${PORTVERSION} DIST= ${WRKSRC:H}/dist EXTRACT_AFTER_ARGS=--exclude */lib/zlib --exclude */lib/dbm --exclude */lib/sqlite INSTALL_BINS= certutil cmsutil crlutil derdump makepqg \ mangle modutil ocspclnt oidcalc p7content p7env p7sign \ p7verify pk12util rsaperf shlibsign signtool signver \ ssltap strsclnt symkeyutil vfychain vfyserv OPTIONS_DEFINE= DEBUG .include .if ! ${PORT_OPTIONS:MDEBUG} MAKE_ENV+= BUILD_OPT=1 BINS= ${DIST}/${OPSYS}${OSREL}_OPT.OBJ .else BINS= ${DIST}/${OPSYS}${OSREL}_DBG.OBJ .endif .if ${ARCH} == powerpc64 USES+= compiler:c++11-lang # -mcrypto -mvsx .endif .if ${OPSYS} == FreeBSD && ${ARCH} == amd64 USE_BINUTILS= # intel-gcm.s CC+= -B${LOCALBASE}/bin .endif do-test: cd ${WRKSRC}/tests; \ ${SETENV} PATH="${BINS}/bin:${PATH}" \ LD_LIBRARY_PATH="${BINS}/lib" \ ${MAKE_ENV} \ bash ./all.sh @if ${GREP} -Fh '>Failed<' \ ${WRKSRC:H}/tests_results/security/*/results.html; then \ echo "Some tests have failed. Let ${MAINTAINER} know."; \ exit 1; \ else \ echo "All tests succeeded. 
Good news."; \ fi post-patch: @${REINPLACE_CMD} '/NSS_DEFAULT_SYSTEM/s,/etc,${PREFIX}&,' \ ${WRKSRC}/lib/sysinit/nsssysinit.c @cd ${WRKSRC} && \ ${FIND} . -name "*.c" -o -name "*.h" | \ ${XARGS} ${REINPLACE_CMD} -e 's|"nspr.h"||' do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/include/nss/nss ${STAGEDIR}${PREFIX}/lib/nss ${FIND} ${DIST}/public/nss -type l \ -exec ${INSTALL_DATA} {} ${STAGEDIR}${PREFIX}/include/nss/nss \; ${INSTALL_LIB} ${BINS}/lib/*.so \ ${STAGEDIR}${PREFIX}/lib/nss ${INSTALL_DATA} ${BINS}/lib/libcrmf.a \ ${STAGEDIR}${PREFIX}/lib/nss .for bin in ${INSTALL_BINS} ${INSTALL_PROGRAM} ${BINS}/bin/${bin} \ ${STAGEDIR}${PREFIX}/bin .endfor ${INSTALL_SCRIPT} ${WRKDIR}/nss-config ${STAGEDIR}${PREFIX}/bin ${INSTALL_DATA} ${WRKDIR}/nss.pc ${STAGEDIR}${PREFIX}/libdata/pkgconfig .include
Index: branches/2020Q1/security/nss/distinfo
===================================================================
--- branches/2020Q1/security/nss/distinfo (revision 522462)
+++ branches/2020Q1/security/nss/distinfo (revision 522463)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1575417811
-SHA256 (nss-3.48.tar.gz) = 3f9c822a86a4e3e1bfe63e2ed0f922d8b7c2e0b7cafe36774b1c627970d0f8ac
-SIZE (nss-3.48.tar.gz) = 76481237
+TIMESTAMP = 1578083263
+SHA256 (nss-3.49.tar.gz) = 6738094dc4fd63061118a122bf3999a64fe8c7117fc52f6e81c2279181bde71d
+SIZE (nss-3.49.tar.gz) = 76488781
Index: branches/2020Q1/security/nss/files/patch-bug1575843
===================================================================
--- branches/2020Q1/security/nss/files/patch-bug1575843 (revision 522462)
+++ branches/2020Q1/security/nss/files/patch-bug1575843 (revision 522463)
@@ -1,120 +1,121 @@ Detect ARM CPU features on FreeBSD. elf_aux_info is similar to getauxval but is nop on aarch64. ---- lib/freebl/blinit.c.orig 2019-08-30 15:46:32 UTC +--- lib/freebl/blinit.c.orig 2020-01-03 20:27:43 UTC +++ lib/freebl/blinit.c -@@ -96,8 +96,8 @@ CheckX86CPUSupport() +@@ -101,8 +101,8 @@ CheckX86CPUSupport() #ifndef __has_include #define __has_include(x) 0 #endif -#if (__has_include() || defined(__linux__)) && \ - defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) +#if defined(__linux__) +#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) /* This might be conflict with host compiler */ #if !defined(__ANDROID__) #include -@@ -106,6 +106,10 @@ extern unsigned long getauxval(unsigned long type) __a +@@ -111,6 +111,10 @@ extern unsigned long getauxval(unsigned long type) __a #else static unsigned long (*getauxval)(unsigned long) = NULL; #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/ +#elif defined(__FreeBSD__) && __has_include() +#include +#define HAVE_ELF_AUX_INFO +#endif /* defined(__linux__) */ #ifndef AT_HWCAP2 #define AT_HWCAP2 26 -@@ -118,6 +122,9 @@ static unsigned long (*getauxval)(unsigned long) = NUL +@@ -123,6 +127,9 @@ static unsigned long (*getauxval)(unsigned long) = NUL /* clang-format on */ #if defined(__aarch64__) +#if defined(__FreeBSD__) +#include +#endif // Defines from hwcap.h in Linux kernel - ARM64 #ifndef HWCAP_AES #define HWCAP_AES (1 << 3) -@@ -138,6 +145,7 @@ CheckARMSupport() - char *disable_arm_neon = PR_GetEnvSecure("NSS_DISABLE_ARM_NEON"); - char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); - char *disable_pmull = PR_GetEnvSecure("NSS_DISABLE_PMULL"); -+#if defined(__linux__) +@@ -149,7 +156,7 @@ CheckARMSupport() + arm_pmull_support_ = arm_crypto_support && disable_pmull == NULL; + arm_sha1_support_ = arm_crypto_support; + arm_sha2_support_ = arm_crypto_support; +-#else ++#elif defined(__linux__) if (getauxval) { long hwcaps = getauxval(AT_HWCAP); arm_aes_support_ = hwcaps & 
HWCAP_AES && disable_hw_aes == NULL; -@@ -145,6 +153,23 @@ CheckARMSupport() +@@ -157,7 +164,23 @@ CheckARMSupport() arm_sha1_support_ = hwcaps & HWCAP_SHA1; arm_sha2_support_ = hwcaps & HWCAP_SHA2; } +#elif defined(__FreeBSD__) +#ifndef ID_AA64ISAR0_AES_VAL +#define ID_AA64ISAR0_AES_VAL ID_AA64ISAR0_AES +#endif +#ifndef ID_AA64ISAR0_SHA1_VAL +#define ID_AA64ISAR0_SHA1_VAL ID_AA64ISAR0_SHA1 +#endif +#ifndef ID_AA64ISAR0_SHA2_VAL +#define ID_AA64ISAR0_SHA2_VAL ID_AA64ISAR0_SHA2 +#endif + uint64_t id_aa64isar0; + id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); + arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; + arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; + arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; + arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; -+#endif /* defined(__linux__) */ + #endif /* aarch64 must support NEON. */ arm_neon_support_ = disable_arm_neon == NULL; } -@@ -187,7 +203,7 @@ GetNeonSupport() +@@ -200,7 +223,7 @@ GetNeonSupport() // If no getauxval, compiler generate NEON instruction by default, // we should allow NOEN support. 
return PR_TRUE; -#elif !defined(__ANDROID__) +#elif defined(__linux__) && !defined(__ANDROID__) // Android's cpu-features.c detects features by the following logic // // - Call getauxval(AT_HWCAP) -@@ -201,6 +217,10 @@ GetNeonSupport() +@@ -214,6 +237,10 @@ GetNeonSupport() if (getauxval) { return (getauxval(AT_HWCAP) & HWCAP_NEON); } +#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO) + unsigned long hwcap = 0; + elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); + return (hwcap & HWCAP_NEON); #endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */ return PR_FALSE; } -@@ -249,6 +269,7 @@ void +@@ -262,6 +289,7 @@ void CheckARMSupport() { char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); +#if defined(__linux__) if (getauxval) { // Android's cpu-features.c uses AT_HWCAP2 for newer features. // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust -@@ -257,13 +278,19 @@ CheckARMSupport() +@@ -270,13 +298,19 @@ CheckARMSupport() // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will // returns 0. long hwcaps = getauxval(AT_HWCAP2); -#ifdef __linux__ if (!hwcaps) { // Some ARMv8 devices may not implement AT_HWCAP2. So we also // read /proc/cpuinfo if AT_HWCAP2 is 0. hwcaps = ReadCPUInfoForHWCAP2(); } -#endif +#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO) + unsigned long hwcaps = 0; + elf_aux_info(AT_HWCAP2, &hwcaps, sizeof(hwcaps)); + { +#else + if (0) { + unsigned long hwcaps = 0; +#endif /* defined(__linux__) */ arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL; arm_pmull_support_ = hwcaps & HWCAP2_PMULL; arm_sha1_support_ = hwcaps & HWCAP2_SHA1; Index: branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c =================================================================== --- branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c (revision 522462) +++ branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c (revision 522463) 
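Review bot: In the refreshed files/patch-bug1575843, the FreeBSD arm branches of GetNeonSupport and the 32-bit CheckARMSupport ignore the return value of `elf_aux_info()`, so a failed lookup looks the same as a CPU without the feature and only the `= 0` initialiser keeps the result fail-safe. I would make that explicit, e.g. `if (elf_aux_info(AT_HWCAP2, &hwcaps, sizeof(hwcaps)) != 0) hwcaps = 0;`, or at least add a comment such as `/* on error hwcaps stays 0: fall back to the software implementations */`. Separately, the FreeBSD aarch64 branch tests the SHA1 and PMULL fields with `==` but AES and SHA2 with `>=`; `>=` is the forward-compatible form for ID-register fields, although the `==` form can only lose acceleration, not enable an unsupported instruction. Both functions start and end outside the patch's hunks, so the initial values of the `arm_*_support_` flags are not visible here.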
@@ -1,27 +1,27 @@ qemu:handle_cpu_signal received signal outside vCPU context https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240037 ---- lib/freebl/blinit.c.orig 2019-08-30 15:46:32 UTC +--- lib/freebl/blinit.c.orig 2020-01-03 20:27:43 UTC +++ lib/freebl/blinit.c -@@ -163,12 +163,14 @@ CheckARMSupport() +@@ -174,12 +174,14 @@ CheckARMSupport() #ifndef ID_AA64ISAR0_SHA2_VAL #define ID_AA64ISAR0_SHA2_VAL ID_AA64ISAR0_SHA2 #endif - uint64_t id_aa64isar0; - id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); - arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; - arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; - arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; - arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; + if (!PR_GetEnvSecure("QEMU_EMULATING")) { + uint64_t id_aa64isar0; + id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); + arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; + arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; + arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; + arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; + } - #endif /* defined(__linux__) */ + #endif /* aarch64 must support NEON. */ arm_neon_support_ = disable_arm_neon == NULL;
Index: branches/2020Q1
===================================================================
--- branches/2020Q1 (revision 522462)
+++ branches/2020Q1 (revision 522463)
Property changes on: branches/2020Q1 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r522462