508108 - NSS 3.12.3.2 release

Status: RESOLVED FIXED

(NSS :: Libraries, enhancement, P1)

Description

[Christophe Ravel]

I need to build NSS 3.12.3 on some old platforms (namely AIX 5.1 and RHEL 2.1).

There are a few patches needed to build on these platforms.
Bug 507482: NSS 3.12.3 (and later) doesn't build on AIX 5.1
Bug 323196: NSS 3.11 does not build on RHEL21

These patches have already been applied to the trunk.

I need to apply these patches to the NSS_3_12_3_MINIBRANCH and create a NSS 3.12.3.2 from there.

Comment 1

[Christophe Ravel]

Attachment: Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)

Note 1: These patches are already applied to the trunk.

Note 2: The file mozilla/security/nss/lib/certdb/certi.h is different in NSS 3.12.3. There is no patch need for this file.

Comment 2

[Christophe Ravel]

Attachment: Change version to NSS 3.12.3.2 (checked in)

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 392329 [details] [diff] [review]
Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)

r=nelson

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 392330 [details] [diff] [review]
Change version to NSS 3.12.3.2 (checked in)

r=nelson

Comment 5

[Alexei Volkov]

Comment on attachment 392330 [details] [diff] [review]
Change version to NSS 3.12.3.2 (checked in)

r=alexei

Comment 6

[Alexei Volkov]

Comment on attachment 392329 [details] [diff] [review]
Fixes to build on AIX 5.1 and RHEL 2.1 (checked in)

r=alexei

Comment 7

[Christophe Ravel]

Checked in on NSS_3_12_3_MINIBRANCH:

Checking in security/coreconf/Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.1; previous revision: 1.35
done
Checking in security/nss/cmd/lib/pk11table.h;
/cvsroot/mozilla/security/nss/cmd/lib/pk11table.h,v  <--  pk11table.h
new revision: 1.7.4.1; previous revision: 1.7
done
Checking in security/nss/cmd/pk11mode/pk11mode.c;
/cvsroot/mozilla/security/nss/cmd/pk11mode/pk11mode.c,v  <--  pk11mode.c
new revision: 1.25.4.1; previous revision: 1.25
done
Checking in security/nss/lib/libpkix/include/pkixt.h;
/cvsroot/mozilla/security/nss/lib/libpkix/include/pkixt.h,v  <--  pkixt.h
new revision: 1.16.2.1; previous revision: 1.16
done
Checking in security/nss/lib/nss/nss.h;
/cvsroot/mozilla/security/nss/lib/nss/nss.h,v  <--  nss.h
new revision: 1.64.2.2; previous revision: 1.64.2.1
done
Checking in security/nss/lib/softoken/softkver.h;
/cvsroot/mozilla/security/nss/lib/softoken/softkver.h,v  <--  softkver.h
new revision: 1.8.2.2; previous revision: 1.8.2.1
done
Checking in security/nss/lib/softoken/softoknt.h;
/cvsroot/mozilla/security/nss/lib/softoken/softoknt.h,v  <--  softoknt.h
new revision: 1.5.4.1; previous revision: 1.5
done
Checking in security/nss/lib/util/nssutil.h;
/cvsroot/mozilla/security/nss/lib/util/nssutil.h,v  <--  nssutil.h
new revision: 1.2.2.2; previous revision: 1.2.2.1
done

Comment 8

[Christophe Ravel]

I shouldn't have closed the bug since I haven't tagged the tree yet.

Comment 9

[Christophe Ravel]

Attachment: Update PayPal certs in nss/tests/libpkix/certs (checked in)

The PayPal certificate as of NSS 3.12.3 RTM is expired:

chains.sh: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6 
vfychain -d AllDB -pp -vv    -o OID.2.16.840.1.113733.1.7.23.6  /net/guybrush.red.iplanet.com/export/mccrel3/security/securitytip/builds/20090804.1/wozzeck_Solaris8/mozilla/security/nss/tests/libpkix/certs/PayPalEE.cert 
Chain is bad, -8164 = This certificate is not valid.
PROBLEM WITH THE CERT CHAIN:
CERT 0. PayPalEE :
  ERROR -8181: Peer's Certificate has expired.

Returned value is 1, expected result is pass
chains.sh: #2997: RealCerts: Verifying certificate(s)  PayPalEE.cert with flags  -d AllDB   -o OID.2.16.840.1.113733.1.7.23.6  - FAILED

This patch contains the PayPal certs from the current trunk. I need to update the NSS_3_12_3_MINIBRANCH with these new certs.

Comment 10

[Alexei Volkov]

Comment on attachment 392787 [details]
Update PayPal certs in nss/tests/libpkix/certs (checked in)

r=alexei

Comment 11

[Christophe Ravel]

Comment on attachment 392787 [details]
Update PayPal certs in nss/tests/libpkix/certs (checked in)

Checking in PayPalEE.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/PayPalEE.cert,v  <--  PayPalEE.cert
new revision: 1.2.2.1; previous revision: 1.2
done
Checking in PayPalICA.cert;
/cvsroot/mozilla/security/nss/tests/libpkix/certs/PayPalICA.cert,v  <--  PayPalICA.cert
new revision: 1.1.22.1; previous revision: 1.1
done

Comment 12

[Christophe Ravel]

Attachment: Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Comment 13

[Christophe Ravel]

Comment on attachment 392798 [details] [diff] [review]
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

This patch was committed on the trunk. I need it on the NSS_3_12_3_MINIBRANCH.

See Bug 508259 - Pk11mode crashed on Linux2.4

Comment 14

[Alexei Volkov]

Comment on attachment 392798 [details] [diff] [review]
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Please collapse two 'DEFINES +=' lines in to one. r=alexei

Comment 15

[Christophe Ravel]

Comment on attachment 392798 [details] [diff] [review]
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Checking in config.mk;
/cvsroot/mozilla/security/coreconf/config.mk,v  <--  config.mk
new revision: 1.27.2.1; previous revision: 1.27
done


Alexei: your comment is valid. But I have already committed this patch on the trunk and I don't want to have a different patch on the mini branch.

If you think we should change the trunk, please reopen bug 508259.

Comment 16

[Christophe Ravel]

Source tree tagged as NSS_3_12_3_2_RC0 on NSS_3_12_3_MINIBRANCH.

Comment 17

[Julien Pierre]

Christophe,
Isn't the mini-branch short-lived by definition ?
Development continues on the trunk, which is not frozen, except for FIPS. So I think it's OK to make the change suggested by Alexei only on the trunk and not on the mini-branch which is now tagged.
I have reopened bug 508259 to suggest another fix enhancement for the trunk.
I'm closing this one since 3.12.3.2 is done.

Comment 18

[Wan-Teh Chang]

Comment on attachment 392798 [details] [diff] [review]
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

We are using both NO_FORK_CHECK and NO_CHECK_FORK.
We need better quality control of our code.  (I reviewed
the patch attachment 348293 [details] [diff] [review] in bug 462293, so I'm also
responsible.)

Comment 19

[Christophe Ravel]

I am not sure that NO_FORK_CHECK and NO_CHECK_FORK are identical.
From what I understand:

- NO_FORK_CHECK means the code in softoken will not check for a fork
- NO_CHECK_FORK means that the test program pk11mode will not check if the softoken checks the fork correctly.

Is it correct ?

Comment 20

[Julien Pierre]

Wan-Teh,
I am aware of that issue. As soon as the tree is reopen for FIPS, I plan on making these defines consistent between pk11mode and softoken.

Comment 21

[Julien Pierre]

Attachment: Merge of all 5 patches for bug 494107

Comment 22

[Christophe Ravel]

Comment on attachment 393887 [details] [diff] [review]
Merge of all 5 patches for bug 494107

r=christophe

Comment 23

[Julien Pierre]

Checking in coreconf/HP-UX.mk;
/cvsroot/mozilla/security/coreconf/HP-UX.mk,v  <--  HP-UX.mk
new revision: 1.11.124.1; previous revision: 1.11
done
Checking in coreconf/Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.2; previous revision: 1.35.14.1
done
Checking in coreconf/Linux2.1.mk;
/cvsroot/mozilla/security/coreconf/Linux2.1.mk,v  <--  Linux2.1.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.2.mk;
/cvsroot/mozilla/security/coreconf/Linux2.2.mk,v  <--  Linux2.2.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.4.mk;
/cvsroot/mozilla/security/coreconf/Linux2.4.mk,v  <--  Linux2.4.mk
new revision: 1.6.124.1; previous revision: 1.6
done
Checking in coreconf/Linux2.5.mk;
/cvsroot/mozilla/security/coreconf/Linux2.5.mk,v  <--  Linux2.5.mk
new revision: 1.5.124.1; previous revision: 1.5
done
Checking in coreconf/Linux2.6.mk;
/cvsroot/mozilla/security/coreconf/Linux2.6.mk,v  <--  Linux2.6.mk
new revision: 1.5.54.1; previous revision: 1.5
done
Checking in coreconf/SunOS5.mk;
/cvsroot/mozilla/security/coreconf/SunOS5.mk,v  <--  SunOS5.mk
new revision: 1.25.42.1; previous revision: 1.25
done
Checking in nss/lib/ckfw/builtins/config.mk;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/config.mk,v  <--  config.mk
new revision: 1.13.4.1; previous revision: 1.13
done
Checking in nss/lib/ckfw/capi/config.mk;
/cvsroot/mozilla/security/nss/lib/ckfw/capi/config.mk,v  <--  config.mk
new revision: 1.2.2.1; previous revision: 1.2
done
Checking in nss/lib/freebl/Makefile;
/cvsroot/mozilla/security/nss/lib/freebl/Makefile,v  <--  Makefile
new revision: 1.103.2.1; previous revision: 1.103
done
Checking in nss/lib/nss/config.mk;
/cvsroot/mozilla/security/nss/lib/nss/config.mk,v  <--  config.mk
new revision: 1.32.16.1; previous revision: 1.32
done
Checking in nss/lib/smime/config.mk;
/cvsroot/mozilla/security/nss/lib/smime/config.mk,v  <--  config.mk
new revision: 1.26.2.1; previous revision: 1.26
done
Checking in nss/lib/softoken/legacydb/config.mk;
/cvsroot/mozilla/security/nss/lib/softoken/legacydb/config.mk,v  <--  config.mk
new revision: 1.8.2.1; previous revision: 1.8
done
Checking in nss/lib/sqlite/config.mk;
/cvsroot/mozilla/security/nss/lib/sqlite/config.mk,v  <--  config.mk
new revision: 1.5.2.1; previous revision: 1.5
done
Checking in nss/lib/ssl/config.mk;
/cvsroot/mozilla/security/nss/lib/ssl/config.mk,v  <--  config.mk
new revision: 1.26.2.1; previous revision: 1.26
done
Checking in nss/lib/util/config.mk;
/cvsroot/mozilla/security/nss/lib/util/config.mk,v  <--  config.mk
new revision: 1.4.42.1; previous revision: 1.4
done

Comment 24

[Wan-Teh Chang]

Comment on attachment 393887 [details] [diff] [review]
Merge of all 5 patches for bug 494107

In coreconf/HP-UX.mk:

>-ifeq ($(OS_TEST),ia64)
>-	DSO_LDOPTS	+= +b '$$ORIGIN'
>+ifeq ($(USE_64), 1)
>+RPATH   = +b '$$ORIGIN'
> endif

This is not equivalent to the original code for ia64.
On HP-UX, you can do both 32-bit and 64-bit builds for
ia64.  The original code uses +b '$$ORIGIN' for both
32-bit and 64-bit builds for ia64.  The new code uses
+b '$$ORIGIN' only for 64-bit builds for ia64.

I think this is what you want:

RPATH   = +b '$$ORIGIN'
ifneq ($(OS_TEST),ia64)
# pa-risc
ifndef USE_64
RPATH   =
endif
endif

In coreconf/Linux.mk:

>+# The -rpath '$$ORIGIN' linker option instructs this library to search for its
>+# dependencies in the same directory where it resides.
>+ifeq ($(BUILD_SUN_PKG), 1)
>+ifeq ($(USE_64), 1)
>+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib64:/opt/sun/private/lib'
>+else
>+RPATH = -Wl,-rpath,'$$ORIGIN:/opt/sun/private/lib'
>+endif
>+else
>+ifdef MOZILLA_CLIENT
>+RPATH = -Wl,-rpath,'$$ORIGIN'
>+endif
>+endif

Please remove the MOZILLA_CLIENT part.  You missed my patch (attachment 383290 [details] [diff] [review])
in bug 494107.

Comment 25

[Julien Pierre]

Wan-Teh,

re: comment 24, 

1) I wasn't aware that you could build 32-bit on ia64. Since this issue exists in the trunk too and is not a result of the backport, I think it is preferrable to reopen bug 494107 and deal with that problem only on the trunk.
This 3.12.3.2 release will never be built on ia64 (or even PA-RISC, we had that supported in 3.12.3 RTM).

2) I could have sworn that I had merged all 5 patches, I don't know how that happened. It wouldn't affect the Sun build of 3.12.3.2, since we don't set MOZILLA_CLIENT. But I have checked this change in anyway.

Checking in Linux.mk;
/cvsroot/mozilla/security/coreconf/Linux.mk,v  <--  Linux.mk
new revision: 1.35.14.3; previous revision: 1.35.14.2
done

Comment 26

[Julien Pierre]

There is one more issue in this release, which is about root certificates.

NSS 3.12.3.1 included some new root certificates for Firefox. But these are causing problems, and are unwanted by Sun for the 3.12.3.2 build. There are 2 ways to solve this :

1) I can back out certdata.c, certdata.txt, and nssckbi.h in mozilla/security/nss/lib/ckfw/builtins to the same level as NSS_3_12_3_RTM on the NSS_3_12_3_MINIBRANCH

2) Christophe can do the Sun build by checking out the NSS_3_12_3_MINIBRANCH first, then checking out those 3 files from NSS_3_12_3_RTM, then tagging the result as NSS_3_12_3_2_RC1 .

I prefer the 1) approach . 3.12.3.2 should be the last release we do from this branch. Everything else should be from the trunk after that .

Comment 27

[Wan-Teh Chang]

It would be strange if NSS_3_12_3_2_RTM were not better than
NSS_3_12_3_1_RTM in all aspects.

You can create NSS_3_12_3_2_RTM from the NSS_3_12_3_MINIBRANCH,
and then create a NSS_3_12_3_2_WITH_CKBI_1_73_RTM tag using
mozilla/security/nss/lib/ckfw/builtins from NSS_3_12_3_RTM.
Then you can give NSS_3_12_3_2_WITH_CKBI_1_73_RTM binary
releases to Sun products.

Comment 28

[Wan-Teh Chang]

Comment on attachment 393887 [details] [diff] [review]
Merge of all 5 patches for bug 494107

Julien, why does NSS 3.12.3.2 need this RPATH patch, if
you're planning to build NSS 3.12.3.2 only on AIX 5.1 and
RHEL 2.1?  In bug 494107, I only see RHEL 4 and Solaris
mentioned.  So AIX 5.1 and RHEL 2.1 should not need this
patch.

Comment 29

[Julien Pierre]

Wan-Teh,

Re: comment 28,
One product that is supported only on RHEL 2.1 and RHEL 3 requires this rpath fix to run. Since the NSS patch could be installed asynchronously from the app patches, installing a new Sun NSS patch on RHEL 2.1 without this fix would have broken the app. So, we needed to respin our RHEL 2.1 build with this fix for that issue. I am not aware that the rpath fix was required on any other platform.

Comment 30

[Wan-Teh Chang]

Comment on attachment 392798 [details] [diff] [review]
Add NSS_NO_FORK_CHECK option in config.mk (checked in)

Christophe,

On the trunk, Linux2.4.mk has

NSS_NO_FORK_CHECK=1

But you didn't backport that change to NSS_3_12_3_MINIBRANCH.
Is that an oversight?

Comment 31

[Julien Pierre]

It wasn't an oversight. The change on the trunk was made to avoid defining the variable manually in the Linux 2.4 build, which was done for 3.12.3.2 .

Comment 32

[Julien Pierre]

Re: comment 28,
The reason RHEL 2.1 and RHEL 3 were not mentioned in bug 494107 is because we had dropped support for those platforms in 3.12 . We have now been asked to support them again . The same fix that was made for RHEl4 in 3.12.4 also applies to RHEL2.1 and RHEL3.

Comment 33

[Julien Pierre]

Wan-Teh,

re: comment 27, we can't exactly do what you propose. There are other changes in the builtins directory that we want which are on the NSS_3_12_3_MINIBRANCH , specifically the config.mk change which is part of attachment 393887 [details] [diff] [review] . We have to tag only the 3 files I mentioned in comment 26 .

Comment 34

[Christophe Ravel]

Source tree tagged as NSS_3_12_3_2_RC1 on NSS_3_12_3_MINIBRANCH.

Source tree tagged as NSS_3_12_3_2_WITH_CKBI_1_73_RC1 on NSS_3_12_3_MINIBRANCH with mozilla/security/nss/lib/ckfw/builtins/certdata.c,mozilla/security/nss/lib/ckfw/builtins/certdata.txt,mozilla/security/nss/lib/ckfw/builtins/nssckbi.h from NSS_3_12_3_RTM

Comment 35

[Wan-Teh Chang]

Christophe,

If you haven't released 3.12.3.2 yet, could you include
the patch (attachment 370674 [details] [diff] [review]) in bug 486537?  Without it,
every Linux distribution has to patch their NSS 3.12.3.1
package.  Thanks.

Comment 36

[Christophe Ravel]

Although we haven't tagged it as RTM, we are extensively testing the current build we have and can't restart with a new build. So I can't include this patch for 3.12.3.2 at this time.

Comment 37

[Julien Pierre]

Wan-Teh,

Re: comment 35,
Also, we are only rebuilding 3.12.3.2 for Linux 2.4 kernel on RHEL 2.1 32-bit . We decided not to rebuild our 2.6 kernel build, either 32-bit or 64-bit, which was 3.12.3 RTM released back in April . The fix for bug 486537 is only relevant to 64 bit and thus even if we include it in this branch, our Sun customers would not get it immediately. That fix is already in 3.12.4, however.

Comment 38

[Christophe Ravel]

Tagged as NSS_3_12_3_2_RTM and NSS_3_12_3_2_WITH_CKBI_1_73_RTM.