nss-3.21.0-6.el5_11.src.rpm

%global nspr_version 4.11.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global fips_source_version 3.14.3
%global fips_validated_nss %{name}-%{fips_source_version}
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir $RPM_BUILD_ROOT/saved
# adjust to the very latest build needed
%global nspr_build_version -1

Summary:          Network Security Services
Name:             nss
Version:          3.21.0
Release:          6%{?dist}
License:          MPLv2.0
URL:              http://www.mozilla.org/projects/security/pki/nss/
Group:            System Environment/Libraries
Requires:         nspr >= %{nspr_version}%{nspr_build_version}
BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires:    nspr-devel >= %{nspr_version}%{nspr_build_version}
BuildRequires:    sqlite-devel
BuildRequires:    zlib-devel
BuildRequires:    pkgconfig
BuildRequires:    gawk
BuildRequires:    zlib-devel
# Need the assembler from binutils220 which supports intel-gcm instructions
BuildRequires:    binutils220
Provides:         mozilla-nss
Obsoletes:        mozilla-nss

# Only compatible with prelink when using a prelink.conf that has NSS signed
# libraries blacklisted, see rhbz#237350 and rhbz#230546.
Conflicts: prelink <= 0.3.9-2

Source0:          %{name}-%{version}.tar.bz2
#Source0:         %{name}-%{version}-ckbi-%{ckbi_version}-stripped.tar.bz2
# ckbi is the builtin roots module which may get released separately.

Source1:          nss.pc.in
Source2:          nss-config.in
Source3:          blank-cert8.db
Source4:          blank-key3.db
Source5:          blank-secmod.db
Source9:          PayPalEE.cert
# The fips validated softoken source tar ball
# Currently under for fips validation - plus util
Source10:         %{name}-softokn-util-%{fips_source_version}.tar.bz2

Source17:         TestCA.ca.cert
Source18:         TestUser50.cert
Source19:         TestUser51.cert
Source20:         PayPalICA.cert
Source21:         PayPalRootCA.cert
# we might need it
Source99:         nss-split-softokn-util.sh

################## freebl and softoken patches
Patch1:           add-relro-linker-option.patch
Patch2:           build-nss-softoken-only.patch
Patch3:           handle-old-or-new-system-sqlite.patch
Patch8:           softoken-minimal-test-dependencies.patch
# This patch uses the gcc -iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list of directories
# to be searched for header files. This ensures a build even when system freebl
# headers are older. Such is the case when we are starting a major update.
# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
# Once it has been bootstrapped the patch may be removed, but it doesn't hurt to keep it.
# This one for the freebl/softoken code
Patch9:           iquote.patch
Patch18:          nss-646045.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=857882
# This patch for freebl and softoken
Patch49:          mozbz857882-fbst.patch
# For the old pkcs11n.h from util
Patch50:          new-mechanisms.patch
# For CVE-2015-2730 and CVE-2015-2721
# from https://hg.mozilla.org/projects/nss/rev/2c05e861ce07
Patch102:         CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch

################### nss patches
Patch22:           dont-include-sysinit.patch
Patch23:           renegotiate-transitional.patch
Patch25:           utilpars-ignore-sqldb.patch
# This patch uses the gcc -iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list of directories
# to be searched for header files. This ensures a build even when system freebl
# headers are older. Such is the case when we are starting a major update.
# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
# Once it has been bootstrapped the patch may be removed, but it doesn't hurt to keep it.
# This one for the rest of nss
Patch10:          iquote4nss.patch
Patch26:          nss-ssl-cbc-random-iv-off-by-default.patch
# Disabling them for now
Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
# Reverse the upstream patch to continue accepting signatures with md5 by default
Patch41:          p-disable-md5-590364-reversed.patch
# Workaround for ipv6 problems on fedora and rhel
Patch44:          nss-589636.patch
# Patch for RHEL-5 only, no need to submit them upstream
# Must be applied on both the nss and the freebl/softoken sections
Patch45:          no-fork-check.patch

# AES GCM fixes from upstream
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=853285
# nss and tests
# Fix AES GCM tests
Patch51:          gcm-tests.patch
# Add the test files for AES GCM Test Cases 1, 7, 13
# Keeping record of this upstream patch from
# https://bugzilla.mozilla.org/show_bug.cgi?id=853285
# that can't be applied as it contains binary data. It was disabled for rhel-6 softokn as well.
# Patch52:        gcm-tests-0-6-12.txt
# Nitpicks
Patch53:          gcm-nits.patch
# freebl and softoken
Patch55:          freebl-gcm.patch
# extra gcm synchronization with upstream
Patch66:          gcm-extras4freebl.patch
Patch67:          gcm-extras4softoken.patch
Patch68:          disable_hw_gcm.patch
Patch64:          Bug-975755-nssutil_ReadSecmodDB-leaks-memory.patch
# all.sh will display cpuinfo
Patch70:          cpuinfo.patch
Patch79:          define-uint32.patch
Patch80:          nss-build-without-softoken-but-with-util.patch
Patch81:          nocertcgi.patch
Patch170:         cpuinfo4fbst.patch
Patch85: cve-2014-1568-softokn.patch
Patch86: newheader.patch
Patch87: pkcs1sig-include-prtypes.patch
# Revert upstream change of library's signature algorithm default to SHA256
Patch89: p-1058933-b-reversed.patch
# Revert upstream increase of default key size to 2048 bits for certutil
Patch90: 1129573-certutil-key-size-reversed.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
# Patch to keep 1024 bit legacy CA certificates enabled in the NSS root CA module
Patch97: nss-ca-2.6-enable-legacy.patch
# Patch to keep the TLS protocol versions that are enabled by default
Patch98: nss-revert-tls-version-defaults.patch
# Revert upstream changes that bumped the minimum key sizes
Patch100: ssl-server-min-key-sizes.patch
Patch110: cve-2016-1950.patch
Patch111: nss-prevent-abi-issue.patch
# supplemental for test applications
Patch112: selfserv-tstclnt-prevent-abi-issue.patch
# Required perhaps because RHEL-5.11 is at gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
# Local: For RHEL-5 only
Patch113: no_compiler_tag.patch
Patch114: fix-nss-test-filtering.patch

Patch203: revert-upstream-ssl-ckm-tls12-from-nss321.patch
Patch204: disable-extended-master-secret-with-old-softoken.patch
Patch205: keep_some_cipher_suites_disabled_by_default.patch

%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.


%package tools
Summary:          Tools for the Network Security Services
Group:            System Environment/Base
Requires:         %{name}%{?_isa} = %{version}-%{release}

%description tools
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

Install the nss-tools package if you need command-line tools to
manipulate the NSS certificate and key database.


%package devel
Summary:          Development libraries for Network Security Services
Group:            Development/Libraries
Requires:         nss = %{version}-%{release}
Requires:         nspr-devel >= %{nspr_version}
Requires:         pkgconfig
Provides:         mozilla-nss-devel
Obsoletes:        mozilla-nss-devel

%description devel
Header and Library files for doing development with Network Security Services.


%package pkcs11-devel
Summary:          Development libraries for PKCS #11 (Cryptoki) using NSS
Group:            Development/Libraries
Requires:         nss-devel = %{version}-%{release}

%description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS 
low level services.


%prep
%setup -q
%setup -q -T -D -n %{name}-%{version} -a 10

%{__cp} %{SOURCE9} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE20} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE21} -f ./nss/tests/libpkix/certs

%global old_nss_lib %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib
%global new_nss_lib nss/lib

# Ensure we will not use anything else from the new freebl/softoken code
rm -rf %{new_nss_lib}/freebl
rm -rf %{new_nss_lib}/softoken

# However, in order to build newer NSS we need some exports
cp -a %{old_nss_lib}/freebl %{new_nss_lib}
cp -a %{old_nss_lib}/softoken %{new_nss_lib}

# Copying these headers until the upstream bug is accepted
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
%{__cp} %{old_nss_lib}/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} %{old_nss_lib}/softoken/lowkeyti.h ./nss/cmd/rsaperf

# Ensure the newer NSS tree will not build crypto code. Done via Patch43 which
# prevents building crypto on the nss tree and the libraries and tools
# are copied from the fips dist to the nss dist along with the needed
# headers. See the copying done just before we build the rest of nss

# Remove the nss sysinit directory
rm -rf nss/lib/sysinit

# Apply the patches to the NSS tree
pushd nss
%patch18 -p1 -b .646045
popd
%patch22 -p0 -b .nosysinit
%patch23 -p0 -b .transitional
%patch25 -p0 -b .nosqldb
# activate when doing a major update with new apis
%patch10 -p0 -b .iquote4nss
%patch79 -p0 -b .uint32
%patch26 -p0 -b .cve-2011-3389
%patch40 -p0 -b .noocsptest
%patch41 -p0 -b .md5okay
%patch44 -p0 -b .589636
# applying it here for compiling p11mode
%patch45 -p0 -b .noforkcheck
%patch70 -p0 -b .cpuinfo
%patch81 -p0 -b .nocertcgi
%patch80 -p0 -b .util
pushd nss
%patch87 -p1 -b .include_prtypes
popd
%patch89 -p0 -b .keep_sha1_default
%patch90 -p0 -b .keep_1024_default
pushd nss
pushd lib/ckfw/builtins
%patch97 -p0 -b .keep_legacy
popd
# attention, reverting
popd
%patch98 -p0 -b .keep_tls_default
# attention, reverting
%patch100 -p0 -b .min_key_sizes
pushd nss
%patch110 -p1 -b .cve-2016-1950
%patch111 -p1 -b .abi
%patch112 -p0 -b .abi
popd
%patch113 -p0 -b .no_compiler_tag
pushd nss
%patch114 -p1 -b .test-filtering
%patch203 -p1 -b .revert-ckm-tls12
%patch204 -p1 -b .disable-ems
popd
%patch205 -p0 -b .keep_disabled

# Apply the patches to the tree where we build freebl/softoken
cd nss-softokn-util-%{fips_source_version}
%patch1 -p0 -b .relro
%patch2 -p0 -b .softokenonly
%patch3 -p0 -b .oldsqlite
%patch8 -p0 -b .crypto
# activate if needed when doing a major update with new apis
%patch9 -p0 -b .iquote
%patch49 -p0 -b .suiteb4fbst
# for the old util
%patch50 -p0 -b .mechanisms
pushd mozilla/security/nss
%patch51 -p1 -b .aesgcm1
popd
pushd mozilla/security/nss
%patch53 -p1 -b .aesgcm3
%patch55 -p1 -b .aesgcm5
popd
%patch66 -p0 -b .sync
%patch67 -p0 -b .sync
%patch68 -p0 -b .hw_comp
pushd mozilla/security
%patch64 -p0 -b .memleak
popd
pushd mozilla/security
%patch170 -p0 -b .cpuinfo4fbst
pushd nss
%patch102 -p1 -b .extra_check
popd
popd
%patch85 -p1 -b .cve-2014-1568-soft
%patch86 -p0 -b .newheader

%build

# Not supported by current version of dev tools used on RHEL-5
export NSS_DISABLE_GTESTS=1

# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1

# Pick up the assembler from binutils220 which supports intel-gcm instructions
export PATH=/usr/libexec/binutils220:$PATH

# Enable compiler optimizations and disable debugging code
BUILD_OPT=1
export BUILD_OPT

# You may uncomment to disable optimizations as when debugging
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
#export RPM_OPT_FLAGS

# Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS
export XCFLAGS

PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1

export PKG_CONFIG_ALLOW_SYSTEM_LIBS
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS

NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
NSPR_LIB_DIR=%{_libdir}

export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR

export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'`
export FREEBL_LIB_DIR=%{_libdir}
export USE_SYSTEM_FREEBL=1
# prevents running the sha224 portion of the powerup selftest when testing
#export NO_SHA224_AVAILABLE=1

NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
# old system sqlite
export OLD_SQLITE=1

%ifarch x86_64 ppc64 ia64 s390x
USE_64=1
export USE_64
%endif

# For freebl and higher layers of nss
NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC

# Preserve ABI compatibility for RHEL-5
export NO_FORK_CHECK=1

# On RHEL-5.x the kernel lacks support for hardware GCM
export NSS_DISABLE_HW_GCM=1

##### first, build util and supporting libraries
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/util

# In order to build, nss-softokn needs header files
# that are exported by the util build. This also copies
# libraries

mkdir -p %{name}-softokn-util-%{fips_source_version}/mozilla/dist
#mkdir -p %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf

# 
ln -s %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf \
      %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/coreconf

# This copying is problematic because in dbm the manifest.mn and Makefile
# cause nssutil not to be found even if I patch them
# cp -rv --dereference dist/* %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf/

##### second, build freebl and softokn shared libraries plus tools

# needed by the patched softoken/pkcs11c.c
cp ./nss/lib/util/pkcs1sig.h \
%{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/util/
cp ./nss/lib/util/pkcs1sig.h \
%{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/softoken/
cp ./nss/lib/util/pkcs1sig.c \
%{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/util/
cp ./nss/lib/util/pkcs1sig.c \
%{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/softoken/

pushd %{name}-softokn-util-%{fips_source_version}
export NSS_BUILD_SOFTOKEN_ONLY=1
%{__make} -C ./mozilla/security/coreconf
%{__make} -C ./mozilla/security/dbm
%{__make} -C ./mozilla/security/nss/lib/util
%{__make} -C ./mozilla/security/nss export
%{__make} -C ./mozilla/security/nss/lib/freebl
%{__make} -C ./mozilla/security/nss/lib/softoken export
%{__make} -C ./mozilla/security/nss/lib/freebl
%{__make} -C ./mozilla/security/nss/lib/freebl install
%{__make} -C ./mozilla/security/nss/lib/softoken
%{__make} -C ./mozilla/security/nss/lib/softoken install
%{__make} -C ./mozilla/security/nss/cmd
%{__make} -C ./mozilla/security/nss/cmd install
unset NSS_BUILD_SOFTOKEN_ONLY
popd

echo we are inside:
pwd


# In order to build, the rest of NSS needs header files
# that are exported by the freebl build. This also copies
# libraries and tools

#mkdir -p mozilla/dist
mkdir -p mozilla/security/dist
# doing here would copy too much
# cp -rv --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/* dist/
# we don't want the old nss-3.14.3 lib/util, for example
mkdir -p dist/public/nss
mkdir -p dist/private/nss

# copy binaries
linux_dir=`ls nss-softokn-util-%{fips_source_version}/mozilla/dist | grep Linux`
mkdir -p mozilla/dist/${linux_dir}

mkdir -p mozilla/dist/${linux_dir}
mkdir -p mozilla/dist/${linux_dir}/bin
mkdir -p mozilla/dist/${linux_dir}/lib

# copy freebl and softoken tools
fbst_tools="bltest fipstest lowhashtest mangle shlibsign"
for f in ${fbst_tools}; do
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/bin/$f mozilla/dist/${linux_dir}/bin/
done
# copy freebl and softoken static and signed shared libraries with their .chk files
mkdir -p dist/${linux_dir}/lib
mkdir -p mozilla/dist/${linux_dir}/lib
fbst_libs="libfreebl3.chk libfreebl3.so libnssdbm3.so libnssdbm3.chk libfreebl.a libsoftokn3.chk libsoftokn3.so libsoftokn.a"
for f in ${fbst_libs}; do
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/lib/$f mozilla/dist/${linux_dir}/lib/
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/lib/$f dist/${linux_dir}/lib/
done

mkdir -p dist/public/nss
mkdir -p dist/private/nss
nssNeedsFromFreebl="blapi blapit"
for f in ${nssNeedsFromFreebl}; do
  %{__cp} %{old_nss_lib}/freebl/${f}.h ./dist/public/nss/
done
privateFromFreeblECL="ecl-exp"
for f in $privateFromFreeblECL; do
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./dist/public/nss/
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./dist/private/nss/
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./nss/lib/libpkix/pkix/top/
done

%{__cp} %{old_nss_lib}/freebl/blapi.h ./dist/private/nss/
%{__cp} %{old_nss_lib}/freebl/alghmac.h ./dist/private/nss/
%{__cp} %{old_nss_lib}/freebl/shsign.h ./dist/public/nss/
%{__cp} %{old_nss_lib}/freebl/ecl/ecl-exp.h ./dist/private/nss/

# old pkg config must go
rm -rf mozilla/dist/pkconfig

#cp -rv --dereference nss-%{fips_source_version}/mozilla/dist/* dist/
# Allow pluggable ECC
NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC
NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_ECC_MORE_THAN_SUITE_B

# Ensure we will not use anything else from the new freebl/softoken code
#rm -rf %{new_nss_lib}/freebl
#rm -rf %{new_nss_lib}/softoken
# Ensure we will not use anything from the freebl/softoken tools
#rm -rf %{new_nss_lib}/../cmd/bltest
#rm -rf %{new_nss_lib}/../cmd/fipstest

##### third, build all the rest of NSS

NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS
NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_ECC_MORE_THAN_SUITE_B

FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND

unset NSS_DISABLE_DBM

#export USE_SYSTEM_NSSUTIL=1
export USE_SYSTEM_FREEBL=1
export USE_SYSTEM_SOFTOKEN=1
export SOFTOKEN_LIB_DIR=%{_libdir}

export NSS_BUILD_WITHOUT_SOFTOKEN=1
export NSS_BLTEST_NOT_AVAILABLE=1
#%{__make} -C ./nss/coreconf
#%{__make} -C ./nss/lib/util
#%{__make} -C ./nss/lib/util export
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
%{__cp} %{old_nss_lib}/freebl/blapit.h dist/public/nss/
%{__make} -C ./nss
unset NSS_BLTEST_NOT_AVAILABLE
unset NSS_BUILD_WITHOUT_SOFTOKEN

# Set up our package file
%{__mkdir_p} ./dist/pkgconfig
%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                          -e "s,%%NSS_VERSION%%,%{version},g" > \
                          ./dist/pkgconfig/nss.pc

NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`

export NSS_VMAJOR
export NSS_VMINOR
export NSS_VPATCH

%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
                          -e "s,@prefix@,%{_prefix},g" \
                          -e "s,@exec_prefix@,%{_prefix},g" \
                          -e "s,@includedir@,%{_includedir}/nss3,g" \
                          -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
                          -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
                          -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
                          > ./dist/pkgconfig/nss-config

chmod 755 ./dist/pkgconfig/nss-config

# freebl and softoken tools
fbst_tools="bltest fipstest lowhashtest mangle shlibsign"
for f in ${fbst_tools}; do
  cp -p mozilla/dist/${linux_dir}/bin/$f dist/${linux_dir}/bin
done


%check
if [ ${DISABLETEST:-0} -eq 1 ]; then
  echo "testing disabled"
  exit 0
fi

# Begin -- copied from the build section
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND

BUILD_OPT=1
export BUILD_OPT

%ifarch x86_64 ppc64 ia64 s390x sparc64
USE_64=1
export USE_64
%endif

export NSS_BLTEST_NOT_AVAILABLE=1

NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC

# On RHEL-5.x the kernel lacks support for hardware GCM
export NSS_DISABLE_HW_GCM=1

# Preserve ABI compatibility for RHEL-5
export NO_FORK_CHECK=1

# use this for the mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}

# End -- copied from the build section

################################################
# The cipher tests
################################################
# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f

# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.

SPACEISBAD=`find ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests/ | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./nss-softokn-util-%{fips_source_version}/mozilla/dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
cd $DISTBINDIR
ln -s selfserv $RANDSERV
popd
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests -type f |\
  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS  |xargs grep -lw selfserv |\
  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

killall $RANDSERV || :

rm -rf ./nss-softokn-util-%{fips_source_version}/mozilla/tests_results
pushd ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests/
# all.sh is the test suite script

# the full suites defined upstream
# nss_cycles "standard pkix upgradedb sharedb"
# nss_tests "cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
# nss_ssl_tests "crl bypass_normal normal_bypass normal_fips fips_normal iopr"
# nss_ssl_run "cov auth stress"

# run test suites for the supported features
%global nss_cycles "standard"
%global nss_tests "cipher lowhash"
%global nss_ssl_tests " "
%global nss_ssl_run " "

HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh

popd

# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise.
# Grep exits with status greater than 1 if an error occurred.
# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0.
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :

# Start from a known status so that a value inherited from the environment
# cannot mask test failures (a grep that exits 0 does not assign the variable).
GREP_EXIT_STATUS=0
TEST_FAILURES=$(grep -c FAILED ./nss-softokn-util-%{fips_source_version}/mozilla/tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
  echo "okay: test suite detected no failures"
else 
  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
  else
    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
      echo "error: grep has not found log file"
      exit 1
    else
      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
      exit 1
    fi
  fi
fi
echo "cipher test suite completed"

################################################
# The rest of the tests
################################################

# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f

# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.

SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
cd $DISTBINDIR
ln -s selfserv $RANDSERV
popd
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./nss/tests -type f |\
  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS  |xargs grep -lw selfserv |\
  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

killall $RANDSERV || :

rm -rf ./tests_results
pushd ./nss/tests/
# all.sh is the test suite script

# the full suites defined upstream
# nss_cycles "standard pkix upgradedb sharedb"
# nss_tests "cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
# nss_ssl_tests "crl bypass_normal normal_bypass normal_fips fips_normal iopr"
# nss_ssl_run "cov auth stress"
#
# The upgradedb and sharedb cycles in nss_cycles are not run because
# the sqlite-based shareddb isn't supported on RHEL-5.

# run test suites for the supported features
# no upgradedb or sharedb cycles as sqlite db not supported
%global nss_cycles "standard pkix"
%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
# Uncomment these lines if you need to temporarily
# disable some test suites for faster test builds
# global nss_ssl_tests "normal_fips"
# global nss_ssl_run "cov auth"

# only add these if the variables are defined, otherwise all ssl tests get disabled
# NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run}

HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} ./all.sh

popd

# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise.
# Grep exits with status greater than 1 if an error occurred.
# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0.
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :

# Reset the status: the cipher test check above leaves GREP_EXIT_STATUS=1 when
# it passes, and a grep that finds failures here (exit 0) would not overwrite
# it, so the stale value would report this suite as passing.
GREP_EXIT_STATUS=0
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
  echo "okay: test suite detected no failures"
else
  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
  else
    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
      echo "error: grep has not found log file"
      exit 1
    else
      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
      exit 1
    fi
  fi
fi
echo "test suite completed"


%install

%{__rm} -rf $RPM_BUILD_ROOT

# There is no make install target so we'll do it ourselves.

%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_lib}
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

# Copy the binary libraries we want
for file in libsoftokn3.so libfreebl3.so libnssdbm3.so
do
  %{__install} -p -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# Copy the binary libraries we want
for file in libnss3.so libnssutil3.so libssl3.so libsmime3.so libnssckbi.so
do
  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# These ghost files will be generated in the post step
touch $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.chk
touch $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.chk
touch $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.chk

# Install the empty NSS db files
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db

# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# Copy the binaries we want
for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done

# Copy the binaries we ship as unsupported
%{__install} -p -m 755 mozilla/dist/*.OBJ/bin/shlibsign $RPM_BUILD_ROOT/%{unsupported_tools_directory}
for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done

# Remove include files we don't want to install
unwanted_headers="blapi.h nsslowhash.h utilpars.h utilparst.h"
for file in ${unwanted_headers}; do
  %{__rm} -f dist/public/nss/$file
done

# Copy the include files we want
for file in dist/public/nss/*.h
do
  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
done

# Install the saved package configuration files
%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config

%clean
%{__rm} -rf $RPM_BUILD_ROOT


%post
/sbin/ldconfig
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libsoftokn3.so >/dev/null 2>/dev/null || :
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libfreebl3.so >/dev/null 2>/dev/null || :
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libnssdbm3.so >/dev/null 2>/dev/null || :


%postun -p /sbin/ldconfig


%files
%defattr(-,root,root)
%{_libdir}/libnssdbm3.so
%{_libdir}/libnss3.so
%{_libdir}/libnssutil3.so
%{_libdir}/libssl3.so
%{_libdir}/libsmime3.so
%{_libdir}/libsoftokn3.so
%{_libdir}/libnssckbi.so
%{_libdir}/libfreebl3.so
%{unsupported_tools_directory}/shlibsign
%ghost %{_libdir}/libnssdbm3.chk
%ghost %{_libdir}/libsoftokn3.chk
%ghost %{_libdir}/libfreebl3.chk
%dir %{unsupported_tools_directory}
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db

%files tools
%defattr(-,root,root)
%{_bindir}/certutil
%{_bindir}/cmsutil
%{_bindir}/crlutil
%{_bindir}/modutil
%{_bindir}/pk12util
%{_bindir}/signtool
%{_bindir}/signver
%{_bindir}/ssltap
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
%{unsupported_tools_directory}/strsclnt
%{unsupported_tools_directory}/symkeyutil
%{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain


%files devel
%defattr(-,root,root)
%{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config

%dir %{_includedir}/nss3
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/cert.h
%{_includedir}/nss3/certdb.h
%{_includedir}/nss3/certt.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/cmmf.h
%{_includedir}/nss3/cmmft.h
%{_includedir}/nss3/cms.h
%{_includedir}/nss3/cmsreclist.h
%{_includedir}/nss3/cmst.h
%{_includedir}/nss3/crmf.h
%{_includedir}/nss3/crmft.h
%{_includedir}/nss3/cryptohi.h
%{_includedir}/nss3/cryptoht.h
%{_includedir}/nss3/ecl-exp.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/jar-ds.h
%{_includedir}/nss3/jar.h
%{_includedir}/nss3/jarfile.h
%{_includedir}/nss3/key.h
%{_includedir}/nss3/keyhi.h
%{_includedir}/nss3/keyt.h
%{_includedir}/nss3/keythi.h
%{_includedir}/nss3/nss.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nssckbi.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
%{_includedir}/nss3/ocsp.h
%{_includedir}/nss3/ocspt.h
%{_includedir}/nss3/p12.h
%{_includedir}/nss3/p12plcy.h
%{_includedir}/nss3/p12t.h
%{_includedir}/nss3/pk11func.h
%{_includedir}/nss3/pk11pqg.h
%{_includedir}/nss3/pk11priv.h
%{_includedir}/nss3/pk11pub.h
%{_includedir}/nss3/pk11sdr.h
%{_includedir}/nss3/pkcs11.h
%{_includedir}/nss3/pkcs11f.h
%{_includedir}/nss3/pkcs11n.h
%{_includedir}/nss3/pkcs11p.h
%{_includedir}/nss3/pkcs11t.h
%{_includedir}/nss3/pkcs11u.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/pkcs12.h
%{_includedir}/nss3/pkcs12t.h
%{_includedir}/nss3/pkcs7t.h
%{_includedir}/nss3/portreg.h
%{_includedir}/nss3/preenc.h
%{_includedir}/nss3/secasn1.h
%{_includedir}/nss3/secasn1t.h
%{_includedir}/nss3/seccomon.h
%{_includedir}/nss3/secder.h
%{_includedir}/nss3/secdert.h
%{_includedir}/nss3/secdig.h
%{_includedir}/nss3/secdigt.h
%{_includedir}/nss3/secerr.h
%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/secitem.h
%{_includedir}/nss3/secmime.h
%{_includedir}/nss3/secmod.h
%{_includedir}/nss3/secmodt.h
%{_includedir}/nss3/secoid.h
%{_includedir}/nss3/secoidt.h
%{_includedir}/nss3/secpkcs5.h
%{_includedir}/nss3/secpkcs7.h
%{_includedir}/nss3/secport.h
%{_includedir}/nss3/shsign.h
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl.h
%{_includedir}/nss3/sslerr.h
%{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h
%{_includedir}/nss3/utilmodt.h
%{_includedir}/nss3/utilrename.h


%files pkcs11-devel
%defattr(-, root, root)
%{_includedir}/nss3/nssbase.h
%{_includedir}/nss3/nssbaset.h
%{_includedir}/nss3/nssckepv.h
%{_includedir}/nss3/nssckft.h
%{_includedir}/nss3/nssckfw.h
%{_includedir}/nss3/nssckfwc.h
%{_includedir}/nss3/nssckfwt.h
%{_includedir}/nss3/nssckg.h
%{_includedir}/nss3/nssckmdt.h
%{_includedir}/nss3/nssckt.h
%{_libdir}/libnssb.a
%{_libdir}/libnssckfw.a


%changelog
* Fri Apr 08 2016 Kai Engert <kaie@redhat.com> - 3.21.0-6
- Fix SSL_DH_MIN_P_BITS in more places.

* Fri Apr 08 2016 Kai Engert <kaie@redhat.com> - 3.21.0-5
- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.

* Wed Mar 30 2016 Kai Engert <kaie@redhat.com> - 3.21.0-4
- Run SSL tests

* Mon Mar 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
- Add compatibility patches to prevent regressions

* Wed Mar 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-2
- Ensure all ssl.sh tests are executed

* Tue Mar 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1
- Rebase to nss 3.21
- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45

* Thu Mar 03 2016 Kai Engert <kaie@redhat.com> - 3.19.1-4
- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...

* Wed Feb 24 2016 Kai Engert <kaie@redhat.com> - 3.19.1-3
- Include the fix for CVE-2016-1950 from NSS 3.19.2.3

* Mon Oct 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
- Resolves: Bug 1269354 - CVE-2015-7182 CVE-2015-7181

* Wed Jul 29 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
- Rebase nss to 3.19.1
- Pick up upstream fix for client auth. regression caused by 3.19.1
- Revert upstream change to minimum key sizes
- Remove patches that were rendered obsolete by the rebase
- Update existing patches on account of the rebase

* Tue Jul 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-7
- Pick up upstream patch from nss-3.19.1
- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64)
- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permitted skipping of ServerKeyExchange (MFSA 2015-71)

* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-6
- On RHEL 6.x keep the TLS version defaults unchanged.
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)

* Sat Apr 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-5
- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Sat Apr 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-4
- Update and re-enable nss-646045.patch on account of the rebase
- Enable additional ssl test cycles and document why some aren't enabled
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Mon Apr 13 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-3
- Fix shell syntax error on nss/tests/all.sh
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Fri Apr 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Fri Mar 27 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Thu Nov 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-5
- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3

* Thu Sep 25 2014 Kai Engert <kaie@redhat.com> - 3.16.1-4
- Adjust softokn patch to be compatible with legacy softokn API.
- Resolves: Bug 1145430 - CVE-2014-1568

* Wed Sep 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-3
- Add patches published with NSS 3.16.2.1
- Resolves: Bug 1145430 - CVE-2014-1568

* Mon Jun 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-2
- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR
- Resolves: Bug 1110860

* Tue Jun 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-1
- Rebase to nss-3.16.1 for FF31
- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31

* Tue Apr 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-6
- Remove unused and obsolete patches
- Related: Bug 1032468

* Thu Mar 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-5
- Improve shell code for error detection on %%check section
- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec

* Fri Dec 13 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-4
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)

* Mon Dec 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-3
- Pick up corrections made in the rhel-10.Z branch, remove an unused patch
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
- Remove unused patch and retag for update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
- Update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
- Remove unused patches
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)

* Tue Nov 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-1
- Rebase to nss-3.15.1
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 certificates
- Split %%check section tests in two: freebl/softoken and rest of nss tests
- Adjust various patches and spec file steps on account of the rebase
- Add various patches and remove obsoleted ones on account of the rebase
- Renumber patches so freebl/softoken ones match the corresponding ones in rhel-6 nss-softokn

* Thu Aug 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-18
- Make the freebl sources identical to the corresponding ones for rhel-6.5
- Related: rhbz#987131

* Sun Jul 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-16
- Adjust the patches to complete the syncup with upstream nss
- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file
- Ensure softoken/freebl code is the same on nss side as on the softoken side
- Related: rhbz#987131

* Sun Jul 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-16
- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1
- Disable HW GCM on RHEL-5 as the older kernel lacks support for it
- Related: rhbz#987131

* Thu Jul 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-15
- Related: rhbz#987131 - Display cpuinfo as part of the tests

* Wed Jul 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-14
- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released

* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13
- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3
- Previously added patch hasn't solved the sporadic core dumps
- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory

* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-12
- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Add patch to get rid of sporadic blapitest core dumps

* Thu Jun 20 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-11
- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on RHEL-5
- Remove an unused patch
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3

* Tue Jun 18 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-10
- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options

* Thu May 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-9
- Apply upstream fixes for ecc enabling and aes gcm
- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Apply several upstream AES GCM fixes
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Resolves: rhbz#918948 - [RFE][RHEL5] 

* Tue May 21 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-8
- Enable ECC support limited to suite b
- Export NSS_ENABLE_ECC=1 in the %%check section to properly test ecc
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

* Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-7
- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Thu May 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-6
- Remove obsolete nss-nochktest.patch
- Related: rhbz#960241 - Enable ECC in nss and freebl

* Mon May 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-5
- Enable ECC by using the unstripped sources
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

* Tue Apr 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-4
- Fix rpmdiff test reported failures and remove other unwanted changes
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Mon Apr 22 2013 Elio Maldonado - 3.14.3-3
- Update to NSS_3_14_3_RTM
- Rework the rebase to preserve needed idiosyncrasies
- Ensure we install freebl/softoken from the extra build tree
- Don't include freebl static library or its private headers
- Add patch to deal with system sqlite not being recent enough
- Don't install nss-sysinit nor sharedb
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Mon Apr 01 2013 Elio Maldonado - 3.14.3-2
- Restore the freebl-softoken source tar ball updated to 3.14.3
- Renumbering of some sources for clarity
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Sat Mar 30 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
- Update to NSS_3_14_3_RTM
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Thu Jan 10 2013 Elio Maldonado <emaldona@redhat.com> - 3.13.6-2
- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued *.google.com certificate

* Tue Jan 08 2013 Elio Maldonado <emaldona@redhat.com> - 3.13.6-1
- Update to NSS_3_13_6_RTM
- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6

* Fri Aug 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
- Resolves: rhbz#820684
- Fix last entry in attrFlagsArray to be {NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE} 

* Tue Jul 24 2012 Robert Relyea <rrelyea@redhat.com> - 3.13.5-7
- Resolves: rhbz#820684
- Enable certutil to handle user-supplied flags for PKCS #11 attributes.
- This will enable certutil to generate keys in fussy hardware tokens.

* Tue Jul 24 2012 Kai Engert <kaie@redhat.com> - 3.13.5-6
- fix an error in the patch meta-information area (no code change)

* Sat Jul 14 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure
- Remove no longer needed %%pre and %%preun scriptlets meant for nss updates from RHEL-5.0

* Wed Jul 11 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
- Related: rhbz#830304 - Fix the changes to the %%post line
- Having multiple commands requires that /sbin/ldconfig be the beginning of the scriptlet

* Wed Jul 11 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
- Resolves: rhbz#830304 - Fix multilib and scriptlet problems
- Fix %%post and %%postun lines per packaging guidelines
- Add %%{?_isa} to tools Requires: per packaging guidelines
- Fix explicit-lib-dependency zlib error reported by rpmlint

* Thu Jun 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in

* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
- Update to NSS_3_13_5_RTM
- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6

* Tue Feb 28 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-4
- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to initialize nss

* Thu Feb 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-3
- Resolves: Bug 788039 - retagging to prevent update problems

* Wed Feb 08 2012 Elio Maldonado <emaldona@redhat.com> 3.13.1-1
- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible
- Update to 4.8.9

* Tue Jan 17 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-9
- Resolves: Bug 713373 - File descriptor leak after service httpd reload
- Don't initialize nss if already initialized or if there are no dbs

* Fri Jan 13 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-8
- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch

* Wed Jan 11 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-7
- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch

* Tue Nov 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-6
- Update builtins certs to those from NSSCKBI_1_88_RTM

* Sat Oct 01 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-5
- Plug file descriptor leaks on httpd reloads

* Fri Sep 02 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-4
- Update builtins certs to those from NSSCKBI_1_87_RTM

* Wed Aug 31 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-3
- Update builtins certs to those from NSSCKBI_1_86_RTM

* Tue Aug 30 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
- Update builtins certs to NSSCKBI_1_85_RTM

* Thu Jul 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
- Update to 3.12.10

* Fri Jun 03 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-4
- Fix libcrmf hard-coded maximum size for wrapped private keys

* Thu Mar 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch

* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM

* Fri Oct 01 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
- Update to 3.12.8

* Fri Aug 27 2010 Kai Engert <kengert@redhat.com> - 3.12.7-2
- fix dependencies, undo previous change

* Thu Aug 26 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
- Update to 3.12.7

* Thu Apr 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
- Enable client applications to build with -Wstrict-prototypes

* Thu Mar 04 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
- Update to 3.12.6

* Tue Feb 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5.99-1
- Update to NSS_3_12_6_RC1

* Mon Dec 07 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-1.el5_3.3
- CVE-2009-3555 MITM attacks via session renegotiation (bug 54357)

* Fri Jun 12 2009 Kai Engert <kengert@redhat.com> - 3.12.3.99.3-1.el5_3.2
- adjust ssl cipher count constant (bug 505650)
- create z-stream version

* Thu Jun 04 2009 Kai Engert <kengert@redhat.com> - 3.12.3.99.3-1
- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75

* Wed May 20 2009 Kai Engert <kengert@redhat.com> - 3.12.3-5
- updated patch to seckey

* Thu May 14 2009 Kai Engert <kengert@redhat.com> - 3.12.3-4
- add a patch to seckey

* Wed May 13 2009 Kai Engert <kengert@redhat.com> - 3.12.3-3
- remove references to SEED

* Wed Apr 15 2009 Kai Engert <kengert@redhat.com> - 3.12.3-2
- update to NSS 3.12.3

* Fri Jan 23 2009 Kai Engert <kengert@redhat.com> - 3.12.2.0-4
- exclude binary db files from change detection

* Fri Jan 23 2009 Kai Engert <kengert@redhat.com> - 3.12.2.0-3
- Update to NSS_3_12_2_WITH_CKBI_1_73_RTM
- Add dependency to pkgconfig to devel package (bug456849)

* Wed Dec 10 2008 Kai Engert <kengert@redhat.com> - 3.12.2.0-2
- Update to NSS_3_12_2_RC1
- Use system zlib

* Thu Nov 06 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-3
- Update to NSS_3_12_1_WITH_CKBI_1_72_RTM

* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-1
- Update to NSS_3_12_1_RC2

* Thu Sep 04 2008 Kai Engert <kengert@redhat.com> - 3.12.1.0-1
- Update to NSS_3_12_1_RC1

* Fri Jun 13 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-1
- Update to NSS_3_12_RC4
- Enable loading of external ECC modules
- Include upstream fix for a deadlock in the certutil tool, bug 447431

* Tue Apr 01 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-2
- Include additional tools, rhbz#435928

* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-1
- Update to NSS_3_12_BETA3

* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> - 3.11.99.4-1
- NSS 3.12 Beta 2

* Fri Jan 25 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-1
- NSS 3.12 Beta 1

* Thu Jan 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.2b-1
- Upgrade to NSS 3.12 Alpha 2b

* Fri Aug 03 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.3
- No longer use immutable file system attributes, rhbz#237350

* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.2
- Ensure the fix for rhbz#212077 really gets built.

* Wed Jun 27 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.1
- Fix rhbz#212077, use a workaround to avoid Mozilla.org bug 51429
- Remove link time dependency on libsoftokn3
- Update to 3.11.7, but freebl/softokn remain at 3.11.5

* Wed Apr 18 2007 Kai Engert <kengert@redhat.com> - 3.11.5-4
- Apply upstream patch for mozilla.org bug 51429 in order to
  fix an issue with smartcard login (rhbz#212077).

* Mon Mar 05 2007 Kai Engert <kengert@redhat.com> - 3.11.5-3
- Prevent .chk files from being modified by prelink and rpm building
  by generating chk files at install time and setting immutable
  filesystem attribute (230546, 231367).

* Wed Jan 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
- Update to 3.11.5

* Thu Jan 11 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-5
- handle the case where a smartcard is reset between the time the nss
  prompts for the password and the user enters it.

* Tue Jan  9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
- clean out dead code

* Wed Dec 20 2006 Bob Relyea <rrelyea@redhat.com> - 3.11.4-3
- disable ECC

* Thu Nov 30 2006 Kai Engert <kengert@redhat.com> - 3.11.4-2
- rebuild

* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
- Update to 3.11.4

* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
- Revert the attempt to require latest NSPR, as it is not yet available
  in the build infrastructure.

* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
- Update to 3.11.3

* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
- Add /etc/pki/nssdb

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
- rebuild

* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
- Update to 3.11.2
- Enable executable bit on shared libs, also fixes debug info.

* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
- Enable Elliptic Curve Cryptography (ECC)

* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
- Update to 3.11.1
- Include upstream patch to limit curves

* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
- add --noexecstack when compiling assembler on x86_64

* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
- rebuilt for new gcc4.1 snapshot and glibc changes

* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
- rebuild

* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
- Update file list for the devel packages

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
- Update to 3.11

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
- Add patch to allow building on ppc*
- Update the pkgconfig file to Require nspr

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
- Initial import into Fedora Core, based on a CVS snapshot of
  the NSS_3_11_RTM tag
- Fix up the pkcs11-devel subpackage to contain the proper headers
- Build with RPM_OPT_FLAGS
- No need to have rpath of /usr/lib in the pc file

* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
- Addressed review comments by Wan-Teh Chang, Bob Relyea,
  Christopher Aillon.

* Sat Jul 09 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
- Initial build