# Buildsheet autogenerated by ravenadm tool -- Do not edit. NAMEBASE= nss VERSION= 3.120.1 KEYWORDS= security VARIANTS= std SDESC[std]= Application security development libraries HOMEPAGE= https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS CONTACT= nobody DOWNLOAD_GROUPS= main SITES[main]= MOZILLA/security/nss/releases/NSS_3_120_1_RTM/src DISTFILE[1]= nss-3.120.1.tar.gz:main DF_INDEX= 1 SPKGS[std]= set primary caroot dev OPTIONS_AVAILABLE= none OPTIONS_STANDARD= none BUILD_DEPENDS= libressl:primary:std nspr:dev:std BUILDRUN_DEPENDS= nspr:primary:std EXRUN[dev]= nspr:dev:std USES= cpe gmake perl:build sqlite zlib ssl:build DISTNAME= nss-3.120.1/nss LICENSE= MPL:primary LICENSE_FILE= MPL:{{WRKSRC}}/COPYING LICENSE_SCHEME= solo CPE_PRODUCT= network_security_services CPE_VENDOR= mozilla FPC_EQUIVALENT= security/nss MAKE_ENV= LIBRARY_PATH="{{LOCALBASE}}/lib" SQLITE_INCLUDE_DIR="{{LOCALBASE}}/include" FREEBL_LOWHASH=1 NSS_DISABLE_GTESTS=1 NSS_USE_SYSTEM_SQLITE=1 NSS_ENABLE_WERROR=0 BUILD_OPT=1 SINGLE_JOB= yes PLIST_SUB= CERTDIR=share/certs SUB_FILES= nss-config nss.pc messages-caroot.ucl MAca-bundle.pl SUB_LIST= VERSION_NSS=3.120.1 CFLAGS= -I{{LOCALBASE}}/include/nspr LDFLAGS= -Wl,-rpath,{{PREFIX}}/lib/nss VAR_OPSYS[sunos]= MAKE_ENV=NS_USE_GCC=1 MAKE_ENV=NO_MDUPDATE=1 VAR_OPSYS[linux]= MAKE_ENV=RPATH=-Wl,-rpath,{{PREFIX}}/lib/nss VAR_ARCH[x86_64]= MAKE_ENV=USE_64=1 post-build: ${SETENV} ${MAKE_ENV} ${PERL} ${WRKDIR}/MAca-bundle.pl \ < ${WRKSRC}/lib/ckfw/builtins/certdata.txt > ${WRKDIR}/ca-root-nss.crt pre-configure: ${REINPLACE_CMD} '/NSS_DEFAULT_SYSTEM/s,/etc,${PREFIX}&,' \ ${WRKSRC}/lib/sysinit/nsssysinit.c (cd ${WRKSRC} && \ ${FIND} . -name "*.c" -o -name "*.h" | \ ${XARGS} ${GREP} -l -F '"nspr.h"' | \ ${XARGS} ${REINPLACE_CMD} -e 's|"nspr.h"||') ${FIND} ${WRKSRC}/tests -name '*.sh' | \ ${XARGS} ${GREP} -l -F '/bin/bash' | \ ${XARGS} ${REINPLACE_CMD} -e 's|#! */bin/bash|#!${SH}|' ${REINPLACE_CMD} -e 's/@OS_RELEASE@/${OSREL}/' ${WRKSRC}/coreconf/arch.mk # prevent attempt to link to shared ssl libraries ${RM} ${LOCALBASE}/libressl/lib*.so do-install: @${MKDIR} ${STAGEDIR}${PREFIX}/include/nss/nss \ ${STAGEDIR}${PREFIX}/lib/nss \ ${STAGEDIR}${PREFIX}/share/certs ${FIND} ${WRKDIR}/nss-3.120.1/dist/public/nss -type l \ -exec ${INSTALL_DATA} {} ${STAGEDIR}${PREFIX}/include/nss/nss \; ${INSTALL_LIB} ${WRKDIR}/nss-3.120.1/dist/${OPSYS}*_OPT.OBJ/lib/*.${LIBEXT} \ ${STAGEDIR}${PREFIX}/lib/nss ${INSTALL_DATA} ${WRKDIR}/nss-3.120.1/dist/${OPSYS}*_OPT.OBJ/lib/libcrmf.a \ ${STAGEDIR}${PREFIX}/lib/nss .for bin in certutil cmsutil crlutil derdump makepqg mangle modutil ocspclnt oidcalc p7content p7env p7sign p7verify pk12util rsaperf shlibsign signtool signver ssltap strsclnt symkeyutil vfychain vfyserv ${INSTALL_PROGRAM} ${WRKDIR}/nss-3.120.1/dist/${OPSYS}*_OPT.OBJ/bin/${bin} \ ${STAGEDIR}${PREFIX}/bin .endfor ${INSTALL_SCRIPT} ${WRKDIR}/nss-config ${STAGEDIR}${PREFIX}/bin ${INSTALL_DATA} ${WRKDIR}/nss.pc ${STAGEDIR}${PREFIX}/lib/pkgconfig # CA ROOT CERT .for D in openssl30 libressl libressl-devel ${MKDIR} ${STAGEDIR}${PREFIX}/etc/${D} ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt \ ${STAGEDIR}${PREFIX}/etc/${D}/cert.pem.sample .endfor ${INSTALL_DATA} ${WRKDIR}/ca-root-nss.crt \ ${STAGEDIR}${PREFIX}/share/certs [FILE:301:descriptions/desc.primary] Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. [FILE:120:descriptions/desc.caroot] Root certificates from certificate authorities included in the Mozilla NSS library and thus in Firefox and Thunderbird. [FILE:97:distinfo] a98f002d20bfe719f50f81824a64c9e6f067f4da3c6a1f0455e97e6d79240512 77635792 nss-3.120.1.tar.gz [FILE:438:manifests/plist.primary] %%ONLY-LINUX%%lib/nss/libnsssysinit.so bin/ certutil cmsutil crlutil derdump makepqg mangle modutil nss-config ocspclnt oidcalc p7content p7env p7sign p7verify pk12util rsaperf shlibsign signtool signver ssltap strsclnt symkeyutil vfychain vfyserv lib/nss/ libfreebl3.so libfreeblpriv3.so libnss3.so libnssckbi-testlib.so libnssckbi.so libnssdbm3.so libnssutil3.so libsmime3.so libsoftokn3.so libssl3.so [FILE:146:manifests/plist.caroot] @sample etc/libressl-devel/cert.pem.sample @sample etc/libressl/cert.pem.sample @sample etc/openssl30/cert.pem.sample %%CERTDIR%%/ca-root-nss.crt [FILE:1164:manifests/plist.dev] include/nss/nss/ base64.h blapit.h cert.h certdb.h certt.h ciferfam.h cmmf.h cmmft.h cms.h cmsreclist.h cmst.h crmf.h crmft.h cryptohi.h cryptoht.h eccutil.h ecl-exp.h hasht.h jar-ds.h jar.h jarfile.h key.h keyhi.h keyt.h keythi.h kyber.h lowkeyi.h lowkeyti.h ml_dsat.h nss.h nssb64.h nssb64t.h nssbase.h nssbaset.h nssck.api nssckbi.h nssckepv.h nssckft.h nssckfw.h nssckfwc.h nssckfwt.h nssckg.h nssckmdt.h nssckt.h nsshash.h nssilckt.h nssilock.h nsslocks.h nsslowhash.h nssrwlk.h nssrwlkt.h nssutil.h ocsp.h ocspt.h p12.h p12plcy.h p12t.h pk11func.h pk11hpke.h pk11pqg.h pk11priv.h pk11pub.h pk11sdr.h pkcs11.h pkcs11f.h pkcs11n.h pkcs11p.h pkcs11t.h pkcs11u.h pkcs11uri.h pkcs12.h pkcs12t.h pkcs1sig.h pkcs7t.h portreg.h preenc.h secasn1.h secasn1t.h seccomon.h secder.h secdert.h secdig.h secdigt.h secerr.h sechash.h secitem.h secmime.h secmod.h secmodt.h secoid.h secoidt.h secpkcs5.h secpkcs7.h secport.h shsign.h smime.h ssl.h sslerr.h sslexp.h sslproto.h sslt.h utilmodt.h utilpars.h utilparst.h utilrename.h lib/nss/libcrmf.a lib/pkgconfig/nss.pc [FILE:449:patches/patch-bug301986] --- lib/util/nssilckt.h.orig 2026-01-08 11:14:43 UTC +++ lib/util/nssilckt.h @@ -163,7 +163,7 @@ typedef enum { ** Declare the trace record */ struct pzTrace_s { - PRUint32 threadID; /* PR_GetThreadID() */ + pthread_t threadID; /* PR_GetThreadID() */ nssILockOp op; /* operation being performed */ nssILockType ltype; /* lock type identifier */ PRIntervalTime callTime; /* time spent in function */ [FILE:2109:patches/patch-const] --- cmd/modutil/modutil.h.orig 2026-01-08 11:14:43 UTC +++ cmd/modutil/modutil.h @@ -22,8 +22,8 @@ #include "error.h" Error LoadMechanismList(void); -Error FipsMode(char *arg); -Error ChkFipsMode(char *arg); +Error FipsMode(const char *arg); +Error ChkFipsMode(const char *arg); Error AddModule(char *moduleName, char *libFile, char *ciphers, char *mechanisms, char *modparms); Error DeleteModule(char *moduleName); --- cmd/modutil/pk11.c.orig 2026-01-08 11:14:43 UTC +++ cmd/modutil/pk11.c @@ -16,7 +16,7 @@ * disable FIPS mode on the internal module. */ Error -FipsMode(char *arg) +FipsMode(const char *arg) { char *internal_name; @@ -25,16 +25,18 @@ FipsMode(char *arg) internal_name = PR_smprintf("%s", SECMOD_GetInternalModule()->commonName); if (SECMOD_DeleteInternalModule(internal_name) != SECSuccess) { - PR_fprintf(PR_STDERR, "%s\n", SECU_Strerror(PORT_GetError())); + PR_fprintf(PR_STDERR, "FipsMode(true): %s (%s)\n", SECU_Strerror(PORT_GetError()), internal_name); PR_smprintf_free(internal_name); PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]); return FIPS_SWITCH_FAILED_ERR; } - PR_smprintf_free(internal_name); if (!PK11_IsFIPS()) { + PR_fprintf(PR_STDERR, "FipsMode(true): in module %s", internal_name); + PR_smprintf_free(internal_name); PR_fprintf(PR_STDERR, errStrings[FIPS_SWITCH_FAILED_ERR]); return FIPS_SWITCH_FAILED_ERR; } + PR_smprintf_free(internal_name); PR_fprintf(PR_STDOUT, msgStrings[FIPS_ENABLED_MSG]); } else { PR_fprintf(PR_STDERR, errStrings[FIPS_ALREADY_ON_ERR]); @@ -75,7 +77,7 @@ FipsMode(char *arg) * If arg=="false", verify FIPS mode is disabled on the internal module. */ Error -ChkFipsMode(char *arg) +ChkFipsMode(const char *arg) { if (!PORT_Strcasecmp(arg, "true")) { if (PK11_IsFIPS()) { [FILE:1383:patches/patch-coreconf_Darwin.mk] --- coreconf/Darwin.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/Darwin.mk @@ -7,8 +7,8 @@ CC ?= gcc CCC ?= g++ RANLIB ?= ranlib +NSS_ENABLE_WERROR = 0 include $(CORE_DEPTH)/coreconf/UNIX.mk -include $(CORE_DEPTH)/coreconf/Werror.mk DEFAULT_COMPILER = gcc @@ -130,21 +130,4 @@ PROCESS_MAP_FILE = grep -v ';+' $< | gre USE_SYSTEM_ZLIB = 1 ZLIB_LIBS = -lz -# The system sqlite library in the latest version of Mac OS X often becomes -# newer than the sqlite library in NSS. This may result in certain Mac OS X -# system libraries having unresolved sqlite symbols during the shlibsign step -# of the NSS build when we set DYLD_LIBRARY_PATH to the NSS lib directory and -# the NSS libsqlite3.dylib is used instead of the system one. So just use the -# system sqlite library on Mac, if it's sufficiently new. - -SYS_SQLITE3_VERSION_FULL := $(shell /usr/bin/sqlite3 -version | awk '{print $$1}') -SYS_SQLITE3_VERSION_MAJOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$1 }') -SYS_SQLITE3_VERSION_MINOR := $(shell echo $(SYS_SQLITE3_VERSION_FULL) | awk -F. '{ print $$2 }') - -ifeq (3,$(SYS_SQLITE3_VERSION_MAJOR)) - ifeq (,$(filter-out 0 1 2 3 4,$(SYS_SQLITE3_VERSION_MINOR))) - # sqlite <= 3.4.x is too old, it doesn't provide sqlite3_file_control - else - NSS_USE_SYSTEM_SQLITE = 1 - endif -endif +NSS_USE_SYSTEM_SQLITE = 1 [FILE:1313:patches/patch-coreconf_DragonFly.mk] --- /dev/null 2026-02-18 13:21:42 UTC +++ coreconf/DragonFly.mk @@ -0,0 +1,54 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +include $(CORE_DEPTH)/coreconf/UNIX.mk + +DEFAULT_COMPILER = gcc +CC = gcc +CCC = g++ +RANLIB = ranlib + +CPU_ARCH = $(OS_TEST) +ifeq ($(CPU_ARCH),i386) +CPU_ARCH = x86 +endif +ifeq ($(CPU_ARCH),amd64) +CPU_ARCH = x86_64 +endif + +ifneq (,$(filter %64, $(OS_TEST))) +USE_64 = 1 +endif + +OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK + +DSO_CFLAGS = -fPIC +DSO_LDOPTS = -shared -Wl,-soname -Wl,$(notdir $@) + +# +# The default implementation strategy for FreeBSD is pthreads. +# +ifndef CLASSIC_NSPR +USE_PTHREADS = 1 +DEFINES += -D_THREAD_SAFE -D_REENTRANT +OS_LIBS += -pthread +DSO_LDOPTS += -pthread +endif + +ARCH = freebsd +MOZ_OBJFORMAT = elf +DLL_SUFFIX = so + +MKSHLIB = $(CC) $(DSO_LDOPTS) +ifdef MAPFILE + MKSHLIB += -Wl,--version-script,$(MAPFILE) +endif +PROCESS_MAP_FILE = grep -v ';-' $< | \ + sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ + +G++INCLUDES = -I/usr/include/c++ + +USE_SYSTEM_ZLIB = 1 +ZLIB_LIBS = -lz [FILE:1125:patches/patch-coreconf_FreeBSD.mk] --- coreconf/FreeBSD.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/FreeBSD.mk @@ -5,9 +5,9 @@ include $(CORE_DEPTH)/coreconf/UNIX.mk -DEFAULT_COMPILER = gcc -CC = gcc -CCC = g++ +DEFAULT_COMPILER = $(CC) +CC ?= gcc +CCC = $(CXX) RANLIB = ranlib CPU_ARCH = $(OS_TEST) @@ -20,6 +20,16 @@ endif ifeq ($(CPU_ARCH),amd64) CPU_ARCH = x86_64 endif +ifneq (,$(filter arm%, $(CPU_ARCH))) +CPU_ARCH = arm +endif +ifneq (,$(filter powerpc%, $(CPU_ARCH))) +CPU_ARCH = ppc +endif + +ifneq (,$(filter %64, $(OS_TEST))) +USE_64 = 1 +endif OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK @@ -46,7 +56,11 @@ else DLL_SUFFIX = so.1.0 endif -MKSHLIB = $(CC) $(DSO_LDOPTS) +ifneq (,$(filter alpha ia64,$(OS_TEST))) +MKSHLIB = $(CC) -Wl,-Bsymbolic -lc $(DSO_LDOPTS) +else +MKSHLIB = $(CC) -Wl,-Bsymbolic $(DSO_LDOPTS) +endif ifdef MAPFILE MKSHLIB += -Wl,--version-script,$(MAPFILE) endif @@ -55,4 +69,5 @@ PROCESS_MAP_FILE = grep -v ';-' $< | \ G++INCLUDES = -I/usr/include/g++ -INCLUDES += -I/usr/X11R6/include +USE_SYSTEM_ZLIB = 1 +ZLIB_LIBS = -lz [FILE:1315:patches/patch-coreconf_MidnightBSD] --- /dev/null 2026-02-18 13:21:42 UTC +++ coreconf/MidnightBSD.mk @@ -0,0 +1,54 @@ +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +include $(CORE_DEPTH)/coreconf/UNIX.mk + +DEFAULT_COMPILER = gcc +CC = gcc +CCC = g++ +RANLIB = ranlib + +CPU_ARCH = $(OS_TEST) +ifeq ($(CPU_ARCH),i386) +CPU_ARCH = x86 +endif +ifeq ($(CPU_ARCH),amd64) +CPU_ARCH = x86_64 +endif + +ifneq (,$(filter %64, $(OS_TEST))) +USE_64 = 1 +endif + +OS_CFLAGS = $(DSO_CFLAGS) -Wall -Wno-switch -DFREEBSD -DHAVE_STRERROR -DHAVE_BSD_FLOCK + +DSO_CFLAGS = -fPIC +DSO_LDOPTS = -shared -Wl,-soname -Wl,$(notdir $@) + +# +# The default implementation strategy for FreeBSD is pthreads. +# +ifndef CLASSIC_NSPR +USE_PTHREADS = 1 +DEFINES += -D_THREAD_SAFE -D_REENTRANT +OS_LIBS += -pthread +DSO_LDOPTS += -pthread +endif + +ARCH = freebsd +MOZ_OBJFORMAT = elf +DLL_SUFFIX = so + +MKSHLIB = $(CC) $(DSO_LDOPTS) +ifdef MAPFILE + MKSHLIB += -Wl,--version-script,$(MAPFILE) +endif +PROCESS_MAP_FILE = grep -v ';-' $< | \ + sed -e 's,;+,,' -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,;,' > $@ + +G++INCLUDES = -I/usr/include/c++ + +USE_SYSTEM_ZLIB = 1 +ZLIB_LIBS = -lz [FILE:1446:patches/patch-coreconf_SunOS5.mk] --- coreconf/SunOS5.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/SunOS5.mk @@ -33,10 +33,10 @@ endif DEFAULT_COMPILER = cc ifdef NS_USE_GCC - CC = gcc + CC ?= gcc OS_CFLAGS += -Wall -Wno-format -Werror-implicit-function-declaration -Wno-switch OS_CFLAGS += -D__EXTENSIONS__ - CCC = g++ + CCC ?= g++ CCC += -Wall -Wno-format ASFLAGS += -x assembler-with-cpp OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG) @@ -107,15 +107,11 @@ endif DSO_LDOPTS += -shared -h $(notdir $@) else ifeq ($(USE_64), 1) - ifeq ($(OS_TEST),i86pc) - DSO_LDOPTS +=-xarch=amd64 - else - DSO_LDOPTS +=-xarch=v9 - endif + DSO_LDOPTS += -m64 endif DSO_LDOPTS += -G -h $(notdir $@) endif -DSO_LDOPTS += -z combreloc -z defs -z ignore +# DSO_LDOPTS += -Wl,-z,origin # -KPIC generates position independent code for use in shared libraries. # (Similarly for -fPIC in case of gcc.) @@ -127,16 +123,5 @@ endif NOSUCHFILE = /solaris-rm-f-sucks -ifeq ($(BUILD_SUN_PKG), 1) -# The -R '$ORIGIN' linker option instructs this library to search for its -# dependencies in the same directory where it resides. -ifeq ($(USE_64), 1) -RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1/64:/usr/lib/mps/64' -else -RPATH = -R '$$ORIGIN:/usr/lib/mps/secv1:/usr/lib/mps' -endif -else -RPATH = -R '$$ORIGIN' -endif - -OS_LIBS += -lthread -lnsl -lsocket -lposix4 -ldl -lc +OS_LIBS += -lrt +RPATH = $(LDFLAGS) #-Wl,-rpath,$(PREFIX)/lib/nss [FILE:286:patches/patch-coreconf_UNIX.mk] --- coreconf/UNIX.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/UNIX.mk @@ -10,10 +10,8 @@ AR = ar cr $@ LDOPTS += -L$(SOURCE_LIB_DIR) ifdef BUILD_OPT - OPTIMIZER += -O DEFINES += -UDEBUG -DNDEBUG else - OPTIMIZER += -g DEFINES += -DDEBUG -UNDEBUG endif [FILE:441:patches/patch-coreconf_arch.mk] --- coreconf/arch.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/arch.mk @@ -63,6 +63,14 @@ ifeq ($(OS_ARCH),Linux) include $(CORE_DEPTH)/coreconf/Linux.mk endif +ifeq ($(OS_ARCH),DragonFly) +OS_RELEASE := @OS_RELEASE@ +endif + +ifeq ($(OS_ARCH),MidnightBSD) +OS_RELEASE := @OS_RELEASE@ +endif + # Since all uses of OS_ARCH that follow affect only userland, we can # merge other Glibc systems with Linux here. ifeq ($(OS_ARCH),GNU) [FILE:496:patches/patch-coreconf_command.mk] --- coreconf/command.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/command.mk @@ -12,7 +12,7 @@ AS = $(CC) ASFLAGS += $(CFLAGS) CCF = $(CC) $(CFLAGS) LINK_DLL = $(LD) $(OS_DLLFLAGS) $(DLLFLAGS) $(XLDFLAGS) -CFLAGS = $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \ +CFLAGS += $(OPTIMIZER) $(OS_CFLAGS) $(WARNING_CFLAGS) $(XP_DEFINE) \ $(DEFINES) $(INCLUDES) $(XCFLAGS) CSTD = -std=c99 CXXSTD = -std=c++11 [FILE:435:patches/patch-coreconf_config.mk] --- coreconf/config.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/config.mk @@ -31,7 +31,7 @@ endif ####################################################################### TARGET_OSES = FreeBSD NetBSD OpenUNIX QNX Darwin OpenBSD \ - AIX WINNT Linux Android + AIX WINNT Linux Android DragonFly MidnightBSD ifeq (,$(filter-out $(TARGET_OSES),$(OS_TARGET))) include $(CORE_DEPTH)/coreconf/$(OS_TARGET).mk [FILE:248:patches/patch-coreconf_location.mk] --- coreconf/location.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/location.mk @@ -37,7 +37,7 @@ ifdef NSPR_INCLUDE_DIR endif ifndef NSPR_LIB_DIR - NSPR_LIB_DIR = $(DIST)/lib + NSPR_LIB_DIR = $(PREFIX)/lib endif ifdef NSS_INCLUDE_DIR [FILE:308:patches/patch-coreconf_ruleset.mk] --- coreconf/ruleset.mk.orig 2026-01-08 11:14:43 UTC +++ coreconf/ruleset.mk @@ -30,7 +30,7 @@ # ifndef COMPILER_TAG - ifneq ($(DEFAULT_COMPILER), $(notdir $(firstword $(CC)))) + ifneq ($(DEFAULT_COMPILER), $(CC)) # # Temporary define for the Client; to be removed when binary release is used # [FILE:766:patches/patch-lib_freebl_Makefile] --- lib/freebl/Makefile.orig 2026-01-08 11:14:43 UTC +++ lib/freebl/Makefile @@ -262,7 +262,7 @@ else ifeq ($(CPU_ARCH),x86) endif endif # Darwin -ifeq ($(OS_TARGET),Linux) +ifeq (,$(filter-out Linux DragonFly FreeBSD MidnightBSD, $(OS_TARGET))) ifeq ($(CPU_ARCH),x86_64) # Lower case s on mpi_amd64_common due to make implicit rules. ASFILES = arcfour-amd64-gas.s mpi_amd64_common.s @@ -354,7 +354,7 @@ endif # to bind the blapi function references in FREEBLVector vector # (ldvector.c) to the blapi functions defined in the freebl # shared libraries. -ifeq (,$(filter-out FreeBSD Linux NetBSD OpenBSD, $(OS_TARGET))) +ifeq (,$(filter-out FreeBSD Linux NetBSD OpenBSD DragonFly MidnightBSD, $(OS_TARGET))) MKSHLIB += -Wl,-Bsymbolic endif [FILE:1041:patches/patch-lib_freebl_mpi_mpcpucache.c] --- lib/freebl/mpi/mpcpucache.c.orig 2026-01-08 11:14:43 UTC +++ lib/freebl/mpi/mpcpucache.c @@ -706,6 +706,32 @@ s_mpi_getProcessorLineSize() #endif #if defined(__ppc64__) + +#if defined(__FreeBSD__) +#include +#include + +#include +#include + +unsigned long +s_mpi_getProcessorLineSize() +{ + static int cacheline_size = 0; + static int cachemib[] = { CTL_MACHDEP, CPU_CACHELINE }; + int clen; + + if (cacheline_size > 0) + return cacheline_size; + + clen = sizeof(cacheline_size); + if (sysctl(cachemib, sizeof(cachemib) / sizeof(cachemib[0]), + &cacheline_size, &clen, NULL, 0) < 0 || !cacheline_size) + return 128; /* guess */ + + return cacheline_size; +} +#else /* * Sigh, The PPC has some really nice features to help us determine cache * size, since it had lots of direct control functions to do so. The POWER @@ -759,6 +785,7 @@ s_mpi_getProcessorLineSize() } return 0; } +#endif #define MPI_GET_PROCESSOR_LINE_SIZE_DEFINED 1 #endif [FILE:2330:patches/patch-lib_freebl_verified_internal_Hacl__Bignum__Base.h] --- lib/freebl/verified/internal/Hacl_Bignum_Base.h.orig 2026-01-08 11:14:43 UTC +++ lib/freebl/verified/internal/Hacl_Bignum_Base.h @@ -67,7 +67,7 @@ Hacl_Bignum_Convert_bn_from_bytes_be_uin uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; uint32_t tmpLen = (uint32_t)8U * bnLen; KRML_CHECK_SIZE(sizeof(uint8_t), tmpLen); - uint8_t *tmp = (uint8_t *)alloca(tmpLen * sizeof(uint8_t)); + uint8_t *tmp = (uint8_t *)__builtin_alloca(tmpLen * sizeof(uint8_t)); memset(tmp, 0U, tmpLen * sizeof(uint8_t)); memcpy(tmp + tmpLen - len, b, len * sizeof(uint8_t)); for (uint32_t i = (uint32_t)0U; i < bnLen; i++) { @@ -84,7 +84,7 @@ Hacl_Bignum_Convert_bn_to_bytes_be_uint6 uint32_t bnLen = (len - (uint32_t)1U) / (uint32_t)8U + (uint32_t)1U; uint32_t tmpLen = (uint32_t)8U * bnLen; KRML_CHECK_SIZE(sizeof(uint8_t), tmpLen); - uint8_t *tmp = (uint8_t *)alloca(tmpLen * sizeof(uint8_t)); + uint8_t *tmp = (uint8_t *)__builtin_alloca(tmpLen * sizeof(uint8_t)); memset(tmp, 0U, tmpLen * sizeof(uint8_t)); for (uint32_t i = (uint32_t)0U; i < bnLen; i++) { store64_be(tmp + i * (uint32_t)8U, b[bnLen - i - (uint32_t)1U]); @@ -376,7 +376,7 @@ Hacl_Bignum_Multiplication_bn_sqr_u32(ui uint32_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u32(aLen + aLen, res, res, res); KRML_HOST_IGNORE(c0); KRML_CHECK_SIZE(sizeof(uint32_t), aLen + aLen); - uint32_t *tmp = (uint32_t *)alloca((aLen + aLen) * sizeof(uint32_t)); + uint32_t *tmp = (uint32_t *)__builtin_alloca((aLen + aLen) * sizeof(uint32_t)); memset(tmp, 0U, (aLen + aLen) * sizeof(uint32_t)); for (uint32_t i = (uint32_t)0U; i < aLen; i++) { uint64_t res1 = (uint64_t)a[i] * (uint64_t)a[i]; @@ -423,7 +423,7 @@ Hacl_Bignum_Multiplication_bn_sqr_u64(ui uint64_t c0 = Hacl_Bignum_Addition_bn_add_eq_len_u64(aLen + aLen, res, res, res); KRML_HOST_IGNORE(c0); KRML_CHECK_SIZE(sizeof(uint64_t), aLen + aLen); - uint64_t *tmp = (uint64_t *)alloca((aLen + aLen) * sizeof(uint64_t)); + uint64_t *tmp = (uint64_t *)__builtin_alloca((aLen + aLen) * sizeof(uint64_t)); memset(tmp, 0U, (aLen + aLen) * sizeof(uint64_t)); for (uint32_t i = (uint32_t)0U; i < aLen; i++) { FStar_UInt128_uint128 res1 = FStar_UInt128_mul_wide(a[i], a[i]); [FILE:566:patches/patch-lib_softoken_pkcs11.c] --- lib/softoken/pkcs11.c.orig 2026-01-08 11:14:43 UTC +++ lib/softoken/pkcs11.c @@ -3878,8 +3878,8 @@ loser: char buf[200]; int major = 0, minor = 0; - long rv = sysinfo(SI_RELEASE, buf, sizeof(buf)); - if (rv > 0 && rv < sizeof(buf)) { + long sunrv = sysinfo(SI_RELEASE, buf, sizeof(buf)); + if (sunrv > 0 && sunrv < sizeof(buf)) { if (2 == sscanf(buf, "%d.%d", &major, &minor)) { /* Are we on Solaris 10 or greater ? */ if (major > 5 || (5 == major && minor >= 10)) { [FILE:1013:patches/patch-lib_softoken_pkcs11c.c] --- lib/softoken/pkcs11c.c.orig 2026-01-08 11:14:43 UTC +++ lib/softoken/pkcs11c.c @@ -7329,9 +7329,6 @@ sftk_unwrapPrivateKey(SFTKObject *key, S break; case NSSLOWKEYDSAKey: keyType = CKK_DSA; - crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT; - if (crv != CKR_OK) - break; crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, sizeof(keyType)); if (crv != CKR_OK) @@ -7411,9 +7408,6 @@ sftk_unwrapPrivateKey(SFTKObject *key, S /* what about fortezza??? */ case NSSLOWKEYECKey: keyType = CKK_EC; - crv = (sftk_hasAttribute(key, CKA_NSS_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT; - if (crv != CKR_OK) - break; crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, sizeof(keyType)); if (crv != CKR_OK) [FILE:6041:files/MAca-bundle.pl.in] ## ## MAca-bundle.pl -- Regenerate ca-root-nss.crt from the Mozilla certdata.txt ## ## Rewritten in September 2011 by Matthias Andree to heed untrust ## ## Copyright (c) 2011, 2013 Matthias Andree ## All rights reserved. ## ## Redistribution and use in source and binary forms, with or without ## modification, are permitted provided that the following conditions are ## met: ## ## * Redistributions of source code must retain the above copyright ## notice, this list of conditions and the following disclaimer. ## ## * Redistributions in binary form must reproduce the above copyright ## notice, this list of conditions and the following disclaimer in the ## documentation and/or other materials provided with the distribution. ## ## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ## "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT ## LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS ## FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE ## COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, ## INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, ## BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ## LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER ## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ## LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ## ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE ## POSSIBILITY OF SUCH DAMAGE. use strict; use Carp; use MIME::Base64; my $VERSION = '$FreeBSD: head/security/ca_root_nss/files/MAca-bundle.pl.in 325572 2013-08-29 08:10:09Z mandree $'; # configuration print <) { last if /^END/; my (undef,@oct) = split /\\/; my @bin = map(chr(oct), @oct); $data .= join('', @bin); } return $data; } sub grabcert() { my $certdata; my $cka_label; my $serial; while (<>) { chomp; last if ($_ eq ''); if (/^CKA_LABEL UTF8 "([^"]+)"/) { $cka_label = $1; } if (/^CKA_VALUE MULTILINE_OCTAL/) { $certdata = graboct(); } if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct(); } } return ($serial, $cka_label, $certdata); } sub grabtrust() { my $cka_label; my $serial; my $maytrust = 0; my $distrust = 0; while (<>) { chomp; last if ($_ eq ''); if (/^CKA_LABEL UTF8 "([^"]+)"/) { $cka_label = $1; } if (/^CKA_SERIAL_NUMBER MULTILINE_OCTAL/) { $serial = graboct(); } if (/^CKA_TRUST_(SERVER_AUTH|EMAIL_PROTECTION|CODE_SIGNING) CK_TRUST (\S+)$/) { if ($2 eq 'CKT_NSS_NOT_TRUSTED') { $distrust = 1; } elsif ($2 eq 'CKT_NSS_TRUSTED_DELEGATOR') { $maytrust = 1; } elsif ($2 ne 'CKT_NSS_MUST_VERIFY_TRUST') { confess "Unknown trust setting on line $.:\n" . "$_\n" . "Script must be updated:"; } } } if (!$maytrust && !$distrust && $debug) { print STDERR "line $.: no explicit trust/distrust found for $cka_label\n"; } my $trust = ($maytrust and not $distrust); return ($serial, $cka_label, $trust); } while (<>) { if (/^CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE/) { my ($serial, $label, $certdata) = grabcert(); if (defined $certs{$label."\0".$serial}) { warn "Certificate $label duplicated!\n"; } $certs{$label."\0".$serial} = $certdata; } elsif (/^CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST/) { my ($serial, $label, $trust) = grabtrust(); if (defined $trusts{$label."\0".$serial}) { warn "Trust for $label duplicated!\n"; } $trusts{$label."\0".$serial} = $trust; } elsif (/^CVS_ID.*Revision: ([^ ]*).*/) { print "## Source: \"certdata.txt\" CVS revision $1\n##\n\n"; } } sub printlabel(@) { my @res = @_; map { s/\0.*//; s/[^[:print:]]/_/g; $_ = "\"$_\""; } @res; return wantarray ? @res : $res[0]; } # weed out untrusted certificates my $untrusted = 0; foreach my $it (keys %trusts) { if (!$trusts{$it}) { if (!exists($certs{$it})) { warn "Found trust for nonexistent certificate ".printlabel($it)."\n" if $debug; } else { delete $certs{$it}; warn "Skipping untrusted ".printlabel($it)."\n" if $debug; $untrusted++; } } } print "## Untrusted certificates omitted from this bundle: $untrusted\n\n"; print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n"; my $certcount = 0; foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) { if (!exists($trusts{$it})) { die "Found certificate without trust block,\naborting"; } printcert("", $certs{$it}); print "\n\n\n"; $certcount++; print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug; } if ($certcount < 25) { die "Certificate count of $certcount is implausibly low.\nAbort"; } print "## Number of certificates: $certcount\n"; print STDERR "## Number of certificates: $certcount\n"; print "## End of file.\n"; [FILE:1049:files/messages-caroot.ucl.in] caroot: { type: "install" message: <&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) case $version in *.*.*) echo $version ;; *.*) echo $version.0 ;; *) echo $version.0.0 ;; esac ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=$prefix fi if test -z "$includedir"; then includedir=$prefix/include/nss fi if test -z "$libdir"; then libdir=$prefix/lib/nss fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo $exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo -I$includedir -I$includedir/nss fi if test "$echo_libs" = "yes"; then libdirs="-Wl,-R${libdir} -L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl3" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime3" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss3" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil3" fi echo $libdirs fi [FILE:315:files/nss.pc.in] prefix=%%PREFIX%% exec_prefix=%%PREFIX%% libdir=%%PREFIX%%/lib/nss includedir=%%PREFIX%%/include Name: NSS Description: Mozilla Network Security Services Version: %%VERSION_NSS%% Requires: nspr Libs: -Wl,-R${libdir} -L${libdir} -lnss3 -lsmime3 -lssl3 -lnssutil3 Cflags: -I${includedir}/nss -I${includedir}/nss/nss