Index: branches/2020Q1/security/ca_root_nss/Makefile
===================================================================
--- branches/2020Q1/security/ca_root_nss/Makefile (revision 525759)
+++ branches/2020Q1/security/ca_root_nss/Makefile (revision 525760)
@@ -1,68 +1,68 @@ # $FreeBSD$ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} MAINTAINER= ports-secteam@FreeBSD.org COMMENT= Root certificate bundle from the Mozilla Project LICENSE= MPL20 OPTIONS_DEFINE= ETCSYMLINK OPTIONS_DEFAULT= ETCSYMLINK OPTIONS_SUB= yes ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* USES= perl5 ssl:build USE_PERL5= build NO_ARCH= yes NO_WRKSUBDIR= yes CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # !!! These versions are intended to track security/nss. !!! # !!! Please DO NOT submit patches for new version until it has !!! # !!! been committed there first. !!! # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -VERSION_NSS= 3.49.2 +VERSION_NSS= 3.50 #NSS_SUFFIX= -with-ckbi-1.98 CERTDATA_TXT_PATH= nss-${VERSION_NSS}/nss/lib/ckfw/builtins/certdata.txt BUNDLE_PROCESSOR= MAca-bundle.pl SUB_FILES= MAca-bundle.pl pkg-message SUB_LIST= VERSION_NSS=${VERSION_NSS} do-extract: @${MKDIR} ${WRKDIR} @${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \ ${CERTDATA_TXT_PATH} @${CP} ${WRKDIR}/${CERTDATA_TXT_PATH} ${WRKDIR} @${RM} -r ${WRKDIR}/nss-${VERSION_NSS} do-build: apply-slist @${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \ ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \ < ${WRKDIR}/certdata.txt > \ ${WRKDIR}/ca-root-nss.crt do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/${CERTDIR} ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/${CERTDIR} ${MKDIR} ${STAGEDIR}${PREFIX}/etc/ssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/etc/ssl/cert.pem.sample ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample do-install-ETCSYMLINK-on: ${MKDIR} 
${STAGEDIR}/etc/ssl ${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem .include
Index: branches/2020Q1/security/ca_root_nss/distinfo
===================================================================
--- branches/2020Q1/security/ca_root_nss/distinfo (revision 525759)
+++ branches/2020Q1/security/ca_root_nss/distinfo (revision 525760)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1579818145
-SHA256 (nss-3.49.2.tar.gz) = faa7502c3ce9240d4be2aa88f63d88cf7d1cc512060e63ef21a7813c236160b2
-SIZE (nss-3.49.2.tar.gz) = 76489641
+TIMESTAMP = 1581109126
+SHA256 (nss-3.50.tar.gz) = 185df319775243f5f5daa9d49b7f9cc5f2b389435be3247c3376579bee063ba7
+SIZE (nss-3.50.tar.gz) = 78041630
Index: branches/2020Q1/security/nss/Makefile
===================================================================
--- branches/2020Q1/security/nss/Makefile (revision 525759)
+++ branches/2020Q1/security/nss/Makefile (revision 525760)
@@ -1,103 +1,103 @@ # Created by: Maxim Sobolev # $FreeBSD$ PORTNAME= nss -PORTVERSION= 3.49.2 +PORTVERSION= 3.50 CATEGORIES= security MASTER_SITES= MOZILLA/security/${PORTNAME}/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src MAINTAINER= gecko@FreeBSD.org COMMENT= Libraries to support development of security-enabled applications LICENSE= MPL20 LICENSE_FILE= ${WRKSRC}/COPYING BUILD_DEPENDS= zip:archivers/zip LIB_DEPENDS= libnspr4.so:devel/nspr \ libsqlite3.so:databases/sqlite3 TEST_DEPENDS= bash:shells/bash WRKSRC_SUBDIR= nss MAKE_JOBS_UNSAFE= yes USE_LDCONFIG= ${PREFIX}/lib/nss USES= cpe gmake perl5 CPE_VENDOR= mozilla CPE_PRODUCT= network_security_services USE_PERL5= build MAKE_ENV= LIBRARY_PATH="${LOCALBASE}/lib" \ SQLITE_INCLUDE_DIR="${LOCALBASE}/include" \ FREEBL_LOWHASH=1 \ NSS_DISABLE_GTESTS=1 \ NSS_USE_SYSTEM_SQLITE=1 CFLAGS+= -I${LOCALBASE}/include/nspr SUB_FILES= nss-config nss.pc SUB_LIST= PORTVERSION=${PORTVERSION} DIST= ${WRKSRC:H}/dist EXTRACT_AFTER_ARGS=--exclude */lib/zlib --exclude */lib/dbm --exclude */lib/sqlite INSTALL_BINS= certutil cmsutil crlutil derdump makepqg \ mangle modutil ocspclnt oidcalc p7content p7env p7sign \ p7verify pk12util rsaperf shlibsign signtool signver \ ssltap strsclnt symkeyutil vfychain vfyserv OPTIONS_DEFINE= DEBUG .include .if ! ${PORT_OPTIONS:MDEBUG} MAKE_ENV+= BUILD_OPT=1 BINS= ${DIST}/${OPSYS}${OSREL}_OPT.OBJ .else BINS= ${DIST}/${OPSYS}${OSREL}_DBG.OBJ .endif .if ${ARCH} == powerpc64 USES+= compiler:c++11-lang # -mcrypto -mvsx .endif .if ${OPSYS} == FreeBSD && ${ARCH} == amd64 USE_BINUTILS= # intel-gcm.s CC+= -B${LOCALBASE}/bin .endif do-test: cd ${WRKSRC}/tests; \ ${SETENV} PATH="${BINS}/bin:${PATH}" \ LD_LIBRARY_PATH="${BINS}/lib" \ ${MAKE_ENV} \ bash ./all.sh @if ${GREP} -Fh '>Failed<' \ ${WRKSRC:H}/tests_results/security/*/results.html; then \ echo "Some tests have failed. Let ${MAINTAINER} know."; \ exit 1; \ else \ echo "All tests succeeded. 
Good news."; \ fi post-patch: @${REINPLACE_CMD} '/NSS_DEFAULT_SYSTEM/s,/etc,${PREFIX}&,' \ ${WRKSRC}/lib/sysinit/nsssysinit.c @cd ${WRKSRC} && \ ${FIND} . -name "*.c" -o -name "*.h" | \ ${XARGS} ${REINPLACE_CMD} -e 's|"nspr.h"||' do-install: ${MKDIR} ${STAGEDIR}${PREFIX}/include/nss/nss ${STAGEDIR}${PREFIX}/lib/nss ${FIND} ${DIST}/public/nss -type l \ -exec ${INSTALL_DATA} {} ${STAGEDIR}${PREFIX}/include/nss/nss \; ${INSTALL_LIB} ${BINS}/lib/*.so \ ${STAGEDIR}${PREFIX}/lib/nss ${INSTALL_DATA} ${BINS}/lib/libcrmf.a \ ${STAGEDIR}${PREFIX}/lib/nss .for bin in ${INSTALL_BINS} ${INSTALL_PROGRAM} ${BINS}/bin/${bin} \ ${STAGEDIR}${PREFIX}/bin .endfor ${INSTALL_SCRIPT} ${WRKDIR}/nss-config ${STAGEDIR}${PREFIX}/bin ${INSTALL_DATA} ${WRKDIR}/nss.pc ${STAGEDIR}${PREFIX}/libdata/pkgconfig .include
Index: branches/2020Q1/security/nss/distinfo
===================================================================
--- branches/2020Q1/security/nss/distinfo (revision 525759)
+++ branches/2020Q1/security/nss/distinfo (revision 525760)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1579818145
-SHA256 (nss-3.49.2.tar.gz) = faa7502c3ce9240d4be2aa88f63d88cf7d1cc512060e63ef21a7813c236160b2
-SIZE (nss-3.49.2.tar.gz) = 76489641
+TIMESTAMP = 1581109126
+SHA256 (nss-3.50.tar.gz) = 185df319775243f5f5daa9d49b7f9cc5f2b389435be3247c3376579bee063ba7
+SIZE (nss-3.50.tar.gz) = 78041630
Index: branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c
===================================================================
--- branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c (revision 525759)
+++ branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c (nonexistent)
@@ -1,27 +0,0 @@ -qemu:handle_cpu_signal received signal outside vCPU context - -https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=240037 - ---- lib/freebl/blinit.c.orig 2020-01-03 20:27:43 UTC -+++ lib/freebl/blinit.c -@@ -174,12 +174,14 @@ CheckARMSupport() - #ifndef ID_AA64ISAR0_SHA2_VAL - #define ID_AA64ISAR0_SHA2_VAL ID_AA64ISAR0_SHA2 - #endif -- uint64_t id_aa64isar0; -- id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); -- arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; -- arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; -- arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; -- arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; -+ if (!PR_GetEnvSecure("QEMU_EMULATING")) { -+ uint64_t id_aa64isar0; -+ id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); -+ arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; -+ arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; -+ arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; -+ arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; -+ } - #endif - /* aarch64 must support NEON. 
*/ - arm_neon_support_ = disable_arm_neon == NULL;
Property changes on: branches/2020Q1/security/nss/files/patch-lib_freebl_blinit.c
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: branches/2020Q1/security/nss/files/patch-bug1602386
===================================================================
--- branches/2020Q1/security/nss/files/patch-bug1602386 (revision 525759)
+++ branches/2020Q1/security/nss/files/patch-bug1602386 (nonexistent)
@@ -1,49 +0,0 @@ -Fix build on FreeBSD/powerpc platforms. - -https://bugzilla.mozilla.org/show_bug.cgi?id=1602386 - ---- lib/freebl/Makefile.orig 2019-12-04 01:03:31.000000000 +0100 -+++ lib/freebl/Makefile 2019-12-11 16:48:47.959791000 +0100 -@@ -788,5 +788,7 @@ - endif - - ifeq ($(CPU_ARCH),ppc) --$(OBJDIR)/$(PROG_PREFIX)gcm-ppc$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -+$(OBJDIR)/$(PROG_PREFIX)gcm-ppc$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx -+$(OBJDIR)/$(PROG_PREFIX)gcm$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx -+$(OBJDIR)/$(PROG_PREFIX)rijndael$(OBJ_SUFFIX): CFLAGS += -mcrypto -maltivec -mvsx - endif ---- lib/freebl/blinit.c.orig 2019-12-11 17:45:06.930646000 +0100 -+++ lib/freebl/blinit.c 2019-12-11 17:50:04.797680000 +0100 -@@ -393,7 +393,12 @@ - - #if defined(__powerpc__) - -+#if defined(__FreeBSD__) && __FreeBSD__ < 12 -+#include -+#include -+#else - #include -+#endif - - // Defines from cputable.h in Linux kernel - PPC, letting us build on older kernels - #ifndef PPC_FEATURE2_VEC_CRYPTO -@@ -405,7 +410,17 @@ - { - char *disable_hw_crypto = PR_GetEnvSecure("NSS_DISABLE_PPC_GHASH"); - -- long hwcaps = getauxval(AT_HWCAP2); -+ unsigned long hwcaps = 0; -+#if defined(__linux__) -+ hwcaps = getauxval(AT_HWCAP2); -+#elif defined(__FreeBSD__) -+# if __FreeBSD__ >= 12 -+ elf_aux_info(AT_HWCAP2, &hwcaps, sizeof(hwcaps)); -+# else -+ size_t len = sizeof(hwcaps); -+ sysctlbyname("hw.cpu_features2", &hwcaps, &len, NULL, 0); -+# endif -+#endif - - ppc_crypto_support_ = hwcaps & PPC_FEATURE2_VEC_CRYPTO && disable_hw_crypto == NULL; - }
Property changes on: branches/2020Q1/security/nss/files/patch-bug1602386
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index:
branches/2020Q1/security/nss/files/patch-bug1575843
===================================================================
--- branches/2020Q1/security/nss/files/patch-bug1575843 (revision 525759)
+++ branches/2020Q1/security/nss/files/patch-bug1575843 (nonexistent)
@@ -1,121 +0,0 @@ -Detect ARM CPU features on FreeBSD. - -elf_aux_info is similar to getauxval but is nop on aarch64. - ---- lib/freebl/blinit.c.orig 2020-01-03 20:27:43 UTC -+++ lib/freebl/blinit.c -@@ -101,8 +101,8 @@ CheckX86CPUSupport() - #ifndef __has_include - #define __has_include(x) 0 - #endif --#if (__has_include() || defined(__linux__)) && \ -- defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) -+#if defined(__linux__) -+#if defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__) - /* This might be conflict with host compiler */ - #if !defined(__ANDROID__) - #include -@@ -111,6 +111,10 @@ extern unsigned long getauxval(unsigned long type) __a - #else - static unsigned long (*getauxval)(unsigned long) = NULL; - #endif /* defined(__GNUC__) && __GNUC__ >= 2 && defined(__ELF__)*/ -+#elif defined(__FreeBSD__) && __has_include() -+#include -+#define HAVE_ELF_AUX_INFO -+#endif /* defined(__linux__) */ - - #ifndef AT_HWCAP2 - #define AT_HWCAP2 26 -@@ -123,6 +127,9 @@ static unsigned long (*getauxval)(unsigned long) = NUL - /* clang-format on */ - - #if defined(__aarch64__) -+#if defined(__FreeBSD__) -+#include -+#endif - // Defines from hwcap.h in Linux kernel - ARM64 - #ifndef HWCAP_AES - #define HWCAP_AES (1 << 3) -@@ -149,7 +156,7 @@ CheckARMSupport() - arm_pmull_support_ = arm_crypto_support && disable_pmull == NULL; - arm_sha1_support_ = arm_crypto_support; - arm_sha2_support_ = arm_crypto_support; --#else -+#elif defined(__linux__) - if (getauxval) { - long hwcaps = getauxval(AT_HWCAP); - arm_aes_support_ = hwcaps & HWCAP_AES && disable_hw_aes == NULL; -@@ -157,7 +164,23 @@ CheckARMSupport() - arm_sha1_support_ = hwcaps & HWCAP_SHA1; - arm_sha2_support_ = hwcaps & HWCAP_SHA2; - } -+#elif defined(__FreeBSD__) -+#ifndef ID_AA64ISAR0_AES_VAL -+#define ID_AA64ISAR0_AES_VAL ID_AA64ISAR0_AES -+#endif -+#ifndef ID_AA64ISAR0_SHA1_VAL -+#define ID_AA64ISAR0_SHA1_VAL ID_AA64ISAR0_SHA1 -+#endif -+#ifndef ID_AA64ISAR0_SHA2_VAL -+#define ID_AA64ISAR0_SHA2_VAL 
ID_AA64ISAR0_SHA2 -+#endif -+ uint64_t id_aa64isar0; -+ id_aa64isar0 = READ_SPECIALREG(id_aa64isar0_el1); -+ arm_aes_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) >= ID_AA64ISAR0_AES_BASE && disable_hw_aes == NULL; -+ arm_pmull_support_ = ID_AA64ISAR0_AES_VAL(id_aa64isar0) == ID_AA64ISAR0_AES_PMULL && disable_pmull == NULL; -+ arm_sha1_support_ = ID_AA64ISAR0_SHA1_VAL(id_aa64isar0) == ID_AA64ISAR0_SHA1_BASE; -+ arm_sha2_support_ = ID_AA64ISAR0_SHA2_VAL(id_aa64isar0) >= ID_AA64ISAR0_SHA2_BASE; - #endif - /* aarch64 must support NEON. */ - arm_neon_support_ = disable_arm_neon == NULL; - } -@@ -200,7 +223,7 @@ GetNeonSupport() - // If no getauxval, compiler generate NEON instruction by default, - // we should allow NOEN support. - return PR_TRUE; --#elif !defined(__ANDROID__) -+#elif defined(__linux__) && !defined(__ANDROID__) - // Android's cpu-features.c detects features by the following logic - // - // - Call getauxval(AT_HWCAP) -@@ -214,6 +237,10 @@ GetNeonSupport() - if (getauxval) { - return (getauxval(AT_HWCAP) & HWCAP_NEON); - } -+#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO) -+ unsigned long hwcap = 0; -+ elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); -+ return (hwcap & HWCAP_NEON); - #endif /* defined(__ARM_NEON) || defined(__ARM_NEON__) */ - return PR_FALSE; - } -@@ -262,6 +289,7 @@ void - CheckARMSupport() - { - char *disable_hw_aes = PR_GetEnvSecure("NSS_DISABLE_HW_AES"); -+#if defined(__linux__) - if (getauxval) { - // Android's cpu-features.c uses AT_HWCAP2 for newer features. - // AT_HWCAP2 is implemented on newer devices / kernel, so we can trust -@@ -270,13 +298,19 @@ CheckARMSupport() - // AT_HWCAP2 isn't supported by glibc or Linux kernel, getauxval will - // returns 0. - long hwcaps = getauxval(AT_HWCAP2); --#ifdef __linux__ - if (!hwcaps) { - // Some ARMv8 devices may not implement AT_HWCAP2. So we also - // read /proc/cpuinfo if AT_HWCAP2 is 0. 
- hwcaps = ReadCPUInfoForHWCAP2(); - } --#endif -+#elif defined(__FreeBSD__) && defined(HAVE_ELF_AUX_INFO) -+ unsigned long hwcaps = 0; -+ elf_aux_info(AT_HWCAP2, &hwcaps, sizeof(hwcaps)); -+ { -+#else -+ if (0) { -+ unsigned long hwcaps = 0; -+#endif /* defined(__linux__) */ - arm_aes_support_ = hwcaps & HWCAP2_AES && disable_hw_aes == NULL; - arm_pmull_support_ = hwcaps & HWCAP2_PMULL; - arm_sha1_support_ = hwcaps & HWCAP2_SHA1;
Property changes on: branches/2020Q1/security/nss/files/patch-bug1575843
___________________________________________________________________
Deleted: fbsd:nokeywords
## -1 +0,0 ##
-yes
\ No newline at end of property
Deleted: svn:eol-style
## -1 +0,0 ##
-native
\ No newline at end of property
Deleted: svn:mime-type
## -1 +0,0 ##
-text/plain
\ No newline at end of property
Index: branches/2020Q1
===================================================================
--- branches/2020Q1 (revision 525759)
+++ branches/2020Q1 (revision 525760)
Property changes on: branches/2020Q1
___________________________________________________________________
Modified: svn:mergeinfo
## -0,0 +0,1 ##
Merged /head:r523059,525757