%global nspr_version 4.11.0
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global fips_source_version 3.14.3
%global fips_validated_nss %{name}-%{fips_source_version}
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir $RPM_BUILD_ROOT/saved

# adjust to the very latest build needed
%global nspr_build_version -1

Summary: Network Security Services
Name: nss
Version: 3.21.0
Release: 6%{?dist}
License: MPLv2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Group: System Environment/Libraries
Requires: nspr >= %{nspr_version}%{nspr_build_version}
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: nspr-devel >= %{nspr_version}%{nspr_build_version}
BuildRequires: sqlite-devel
BuildRequires: zlib-devel
BuildRequires: pkgconfig
BuildRequires: gawk
BuildRequires: zlib-devel
# Need the assembler from binutils220 which supports intel-gcm instructions
BuildRequires: binutils220
Provides: mozilla-nss
Obsoletes: mozilla-nss
# Only compatible with prelink when using a prelink.conf that has NSS signed
# libraries blacklisted, see rhbz#237350 and rhbz#230546.
Conflicts: prelink <= 0.3.9-2

Source0: %{name}-%{version}.tar.bz2
#Source0: %{name}-%{version}-ckbi-%{ckbi_version}-stripped.tar.bz2
# ckbi is the builtin roots module which may get released separately.
Source1: nss.pc.in
Source2: nss-config.in
Source3: blank-cert8.db
Source4: blank-key3.db
Source5: blank-secmod.db
Source9: PayPalEE.cert
# The fips validated softoken source tar ball
# Currently under for fips validation - plus util
Source10: %{name}-softokn-util-%{fips_source_version}.tar.bz2
Source17: TestCA.ca.cert
Source18: TestUser50.cert
Source19: TestUser51.cert
Source20: PayPalICA.cert
Source21: PayPalRootCA.cert
# we might need it
Source99: nss-split-softokn-util.sh

################## freebl and softoken patches
Patch1: add-relro-linker-option.patch
Patch2: build-nss-softoken-only.patch
Patch3: handle-old-or-new-system-sqlite.patch
Patch8: softoken-minimal-test-dependencies.patch
# This patch uses the gcc-iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list of directories
# to be searched for header files. This ensures a build even when system freebl
# headers are older. Such is the case when we are starting a major update.
# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
# Once it has been bootstrapped the patch may be removed, but it doesn't hurt to keep it.
# This one for the freebl/softoken code
Patch9: iquote.patch
Patch18: nss-646045.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=857882
# This patch for freebl and softoken
Patch49: mozbz857882-fbst.patch
# For the old pkcs11n.h from util
Patch50: new-mechanisms.patch
# For CVE-2015-2730 and CVE-2015-2721
# from https://hg.mozilla.org/projects/nss/rev/2c05e861ce07
Patch102: CheckForPeqQ-or-PnoteqQ-before-adding-P-and-Q.patch

################### nss patches
Patch22: dont-include-sysinit.patch
Patch23: renegotiate-transitional.patch
Patch25: utilpars-ignore-sqldb.patch
# This patch uses the gcc-iquote dir option documented at
# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
# to place the in-tree directories at the head of the list of directories
# to be searched for header files. This ensures a build even when system freebl
# headers are older. Such is the case when we are starting a major update.
# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers.
# Once it has been bootstrapped the patch may be removed, but it doesn't hurt to keep it.
# This one for the rest of nss
Patch10: iquote4nss.patch
Patch26: nss-ssl-cbc-random-iv-off-by-default.patch
# Disabling them for now
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
# Reverse the upstream patch to continue accepting signatures with md5 by default
Patch41: p-disable-md5-590364-reversed.patch
# Workaround for ipv6 problems on fedora and rhel
Patch44: nss-589636.patch
# Patch for RHEL-5 only, no need to submit them upstream
# Must be applied on both the nss and the freebl/softoken sections
Patch45: no-fork-check.patch

# AES GCM fixes from upstream
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=853285
# nss and tests
# Fix AES GCM tests
Patch51: gcm-tests.patch
# Add the test files for AES GCM Test Cases 1, 7, 13
# Keeping record of this upstream patch from
# https://bugzilla.mozilla.org/show_bug.cgi?id=853285
# that can't be applied as it contains binary data. It was disabled for rhel-6 softokn as well.
# Patch52: gcm-tests-0-6-12.txt
# Nitpicks
Patch53: gcm-nits.patch
# freebl and softoken
Patch55: freebl-gcm.patch
# extra gcm synchronization with upstream
Patch66: gcm-extras4freebl.patch
Patch67: gcm-extras4softoken.patch
Patch68: disable_hw_gcm.patch

Patch64: Bug-975755-nssutil_ReadSecmodDB-leaks-memory.patch
# all.sh will display cpuinfo
Patch70: cpuinfo.patch
Patch79: define-uint32.patch
Patch80: nss-build-without-softoken-but-with-util.patch
Patch81: nocertcgi.patch
Patch170: cpuinfo4fbst.patch
Patch85: cve-2014-1568-softokn.patch
Patch86: newheader.patch
Patch87: pkcs1sig-include-prtypes.patch
# Revert upstream change of library's signature algorithm default to SHA256
Patch89: p-1058933-b-reversed.patch
# Revert upstream increase of default key size to 2048 bits for certutil
Patch90: 1129573-certutil-key-size-reversed.patch
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1151037
# Patch to keep 1024 bit legacy CA certificates enabled in the NSS root CA module
Patch97: nss-ca-2.6-enable-legacy.patch
# Patch to keep the TLS protocol versions that are enabled by default
Patch98: nss-revert-tls-version-defaults.patch
# Revert upstream changes that bumped the minimum key sizes
Patch100: ssl-server-min-key-sizes.patch
Patch110: cve-2016-1950.patch
Patch111: nss-prevent-abi-issue.patch
# supplemental for test applications
Patch112: selfserv-tstclnt-prevent-abi-issue.patch
# Required perhaps because RHEL-5.11 is at gcc (GCC) 4.4.7 20120313 (Red Hat 4.4.7-16)
# Local: For RHEL-5 only
Patch113: no_compiler_tag.patch
Patch114: fix-nss-test-filtering.patch
Patch203: revert-upstream-ssl-ckm-tls12-from-nss321.patch
Patch204: disable-extended-master-secret-with-old-softoken.patch
Patch205: keep_some_cipher_suites_disabled_by_default.patch

%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

%package tools
Summary: Tools for the Network Security Services
Group: System Environment/Base
Requires: %{name}%{?_isa} = %{version}-%{release}

%description tools
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
server applications. Applications built with NSS can support SSL v2
and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509
v3 certificates, and other security standards.

Install the nss-tools package if you need command-line tools to
manipulate the NSS certificate and key database.

%package devel
Summary: Development libraries for Network Security Services
Group: Development/Libraries
Requires: nss = %{version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig
Provides: mozilla-nss-devel
Obsoletes: mozilla-nss-devel

%description devel
Header and Library files for doing development with Network Security Services.

%package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Group: Development/Libraries
Requires: nss-devel = %{version}-%{release}

%description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS
low level services.

%prep
%setup -q
%setup -q -T -D -n %{name}-%{version} -a 10

%{__cp} %{SOURCE9} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE20} -f ./nss/tests/libpkix/certs
%{__cp} %{SOURCE21} -f ./nss/tests/libpkix/certs

%global old_nss_lib %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib
%global new_nss_lib nss/lib

# Ensure we will not use anything else from the new freebl/softoken code
rm -rf %{new_nss_lib}/freebl
rm -rf %{new_nss_lib}/softoken
# However, in order to build newer NSS we need some exports
cp -a %{old_nss_lib}/freebl %{new_nss_lib}
cp -a %{old_nss_lib}/softoken %{new_nss_lib}

# Copying these headers until the upstream bug is accepted
# Upstream https://bugzilla.mozilla.org/show_bug.cgi?id=820207
%{__cp} %{old_nss_lib}/softoken/lowkeyi.h ./nss/cmd/rsaperf
%{__cp} %{old_nss_lib}/softoken/lowkeyti.h ./nss/cmd/rsaperf

# Ensure the newer NSS tree will not build crypto code. Done via Patch43 which
# prevents building crypto on the nss tree and the libraries and tools
# are copied from the fips dist to the nss dist along with the needed
# headers. See the copying done just before we build the rest of nss

# Remove the nss sysinit directory
rm -rf nss/lib/sysinit

# Apply the patches to the NSS tree
pushd nss
%patch18 -p1 -b .646045
popd
%patch22 -p0 -b .nosysinit
%patch23 -p0 -b .transitional
%patch25 -p0 -b .nosqldb
# activate when doing a major update with new apis
%patch10 -p0 -b .iquote4nss
%patch79 -p0 -b .uint32
%patch26 -p0 -b .cve-2011-3389
%patch40 -p0 -b .noocsptest
%patch41 -p0 -b .md5okay
%patch44 -p0 -b .589636
# applying it here for compiling p11mode
%patch45 -p0 -b .noforkcheck
%patch70 -p0 -b .cpuinfo
%patch81 -p0 -b .nocertcgi
%patch80 -p0 -b .util
pushd nss
%patch87 -p1 -b .include_prtypes
popd
%patch89 -p0 -b .keep_sha1_default
%patch90 -p0 -b .keep_1024_default
pushd nss
pushd lib/ckfw/builtins
%patch97 -p0 -b .keep_legacy
popd
# attention, reverting
popd
%patch98 -p0 -b .keep_tls_default
# attention, reverting
%patch100 -p0 -b .min_key_sizes
pushd nss
%patch110 -p1 -b .cve-2016-1950
%patch111 -p1 -b .abi
%patch112 -p0 -b .abi
popd
%patch113 -p0 -b .no_compiler_tag
pushd nss
%patch114 -p1 -b .test-filtering
%patch203 -p1 -b .revert-ckm-tls12
%patch204 -p1 -b .disable-ems
popd
%patch205 -p0 -b .keep_disabled

# Apply the patches to the tree where we build freebl/softoken
cd nss-softokn-util-%{fips_source_version}
%patch1 -p0 -b .relro
%patch2 -p0 -b .softokenonly
%patch3 -p0 -b .oldsqlite
%patch8 -p0 -b .crypto
# activate if needed when doing a major update with new apis
%patch9 -p0 -b .iquote
%patch49 -p0 -b .suiteb4fbst
# for the old util
%patch50 -p0 -b .mechanisms
pushd mozilla/security/nss
%patch51 -p1 -b .aesgcm1
popd
pushd mozilla/security/nss
%patch53 -p1 -b .aesgcm3
%patch55 -p1 -b .aesgcm5
popd
%patch66 -p0 -b .sync
%patch67 -p0 -b .sync
%patch68 -p0 -b .hw_comp
pushd mozilla/security
%patch64 -p0 -b .memleak
popd
pushd mozilla/security
%patch170 -p0 -b .cpuinfo4fbst
pushd nss
%patch102 -p1 -b .extra_check
popd
popd
%patch85 -p1 -b .cve-2014-1568-soft
%patch86 -p0 -b .newheader

%build

# Not supported by current version of dev tools used on RHEL-5
export NSS_DISABLE_GTESTS=1

# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1

# Pick up the assembler from binutils220 which supports intel-gcm instructions
export PATH=/usr/libexec/binutils220:$PATH

# Enable compiler optimizations and disable debugging code
BUILD_OPT=1
export BUILD_OPT

# You may uncomment to disable optimizations as when debugging
#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
#export RPM_OPT_FLAGS

# Generate symbolic info for debuggers
XCFLAGS=$RPM_OPT_FLAGS
export XCFLAGS

PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1

export PKG_CONFIG_ALLOW_SYSTEM_LIBS
export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS

NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'`
NSPR_LIB_DIR=%{_libdir}

export NSPR_INCLUDE_DIR
export NSPR_LIB_DIR

export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss | sed 's/-I//'`
export FREEBL_LIB_DIR=%{_libdir}
export USE_SYSTEM_FREEBL=1
# prevents running the sha224 portion of the powerup selftest when testing
#export NO_SHA224_AVAILABLE=1

NSS_USE_SYSTEM_SQLITE=1
export NSS_USE_SYSTEM_SQLITE
# old system sqlite
export OLD_SQLITE=1

%ifarch x86_64 ppc64 ia64 s390x
USE_64=1
export USE_64
%endif

# For freebl and higher layers of nss
NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC

# Preserve ABI compatibility for RHEL-5
export NO_FORK_CHECK=1

# On RHEL-5.x the kernel lacks support for hardware GCM
export NSS_DISABLE_HW_GCM=1

##### first, build util and supporting libraries
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/util

# In order to build, nss-softokn needs header files
# that are exported by the util build. This also copies
# libraries
mkdir -p %{name}-softokn-util-%{fips_source_version}/mozilla/dist
#mkdir -p %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf
# ln -s %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf \
#       %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/coreconf
# This copying is problematic because in dbm the manifest.mn and Makefile
# cause nssutil not to be found even if I patch them
# cp -rv --dereference dist/* %{name}-softokn-util-%{fips_source_version}/mozilla/security/coreconf/

##### second, build freebl and softokn shared libraries plus tools

# needed by the patched softoken/pkcs11c.c
cp ./nss/lib/util/pkcs1sig.h \
   %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/util/
cp ./nss/lib/util/pkcs1sig.h \
   %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/softoken/
cp ./nss/lib/util/pkcs1sig.c \
   %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/util/
cp ./nss/lib/util/pkcs1sig.c \
   %{name}-softokn-util-%{fips_source_version}/mozilla/security/nss/lib/softoken/

pushd %{name}-softokn-util-%{fips_source_version}
export NSS_BUILD_SOFTOKEN_ONLY=1
%{__make} -C ./mozilla/security/coreconf
%{__make} -C ./mozilla/security/dbm
%{__make} -C ./mozilla/security/nss/lib/util
%{__make} -C ./mozilla/security/nss export
%{__make} -C ./mozilla/security/nss/lib/freebl
%{__make} -C ./mozilla/security/nss/lib/softoken export
%{__make} -C ./mozilla/security/nss/lib/freebl
%{__make} -C ./mozilla/security/nss/lib/freebl install
%{__make} -C ./mozilla/security/nss/lib/softoken
%{__make} -C ./mozilla/security/nss/lib/softoken install
%{__make} -C ./mozilla/security/nss/cmd
%{__make} -C ./mozilla/security/nss/cmd install
unset NSS_BUILD_SOFTOKEN_ONLY
popd

echo we are inside:
pwd

# In order to build, the rest of NSS needs header files
# that are exported by the freebl build. This also copies
# libraries and tools
#mkdir -p mozilla/dist
mkdir -p mozilla/security/dist
# doing here would copy too much
# cp -rv --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/* dist/
# we don't want the old nss-3.14.3 lib/util, for example
mkdir -p dist/public/nss
mkdir -p dist/private/nss

# copy binaries
linux_dir=`ls nss-softokn-util-%{fips_source_version}/mozilla/dist | grep Linux`
mkdir -p mozilla/dist/${linux_dir}
mkdir -p mozilla/dist/${linux_dir}
mkdir -p mozilla/dist/${linux_dir}/bin
mkdir -p mozilla/dist/${linux_dir}/lib

# copy freebl and softoken tools
fbst_tools="bltest fipstest lowhashtest mangle shlibsign"
for f in ${fbst_tools}; do
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/bin/$f mozilla/dist/${linux_dir}/bin/
done

# copy freebl and softoken static and signed shared libraries with their .chk files
mkdir -p dist/${linux_dir}/lib
mkdir -p mozilla/dist/${linux_dir}/lib
fbst_libs="libfreebl3.chk libfreebl3.so libnssdbm3.so libnssdbm3.chk libnssdbm3.chk libfreebl.a libsoftokn3.chk libsoftokn3.so libsoftokn.a"
for f in ${fbst_libs}; do
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/lib/$f mozilla/dist/${linux_dir}/lib/
  cp --dereference nss-softokn-util-%{fips_source_version}/mozilla/dist/${linux_dir}/lib/$f dist/${linux_dir}/lib/
done

mkdir -p dist/public/nss
mkdir -p dist/private/nss
nssNeedsFromFreebl="blapi blapit"
for f in ${nssNeedsFromFreebl}; do
  %{__cp} %{old_nss_lib}/freebl/${f}.h ./dist/public/nss/
done
privateFromFreeblECL="ecl-exp"
for f in $privateFromFreeblECL; do
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./dist/public/nss/
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./dist/private/nss/
  %{__cp} %{old_nss_lib}/freebl/ecl/${f}.h ./nss/lib/libpkix/pkix/top/
done
%{__cp} %{old_nss_lib}/freebl/blapi.h ./dist/private/nss/
%{__cp} %{old_nss_lib}/freebl/alghmac.h ./dist/private/nss/
%{__cp} %{old_nss_lib}/freebl/shsign.h ./dist/public/nss/
%{__cp} %{old_nss_lib}/freebl/ecl/ecl-exp.h ./dist/private/nss/

# old pkg config must go
rm -rf mozilla/dist/pkconfig

#cp -rv --dereference nss-%{fips_source_version}/mozilla/dist/* dist/

# Allow pluggable ECC
NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC
NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_ECC_MORE_THAN_SUITE_B

# Ensure we will not use anything else from the new freebl/softoken code
#rm -rf %{new_nss_lib}/freebl
#rm -rf %{new_nss_lib}/softoken
# Ensure we will not use anything from the freebl/softoken tools
#rm -rf %{new_nss_lib}/../cmd/bltest
#rm -rf %{new_nss_lib}/../cmd/fipstest

##### third, build all the rest of NSS
NSS_NO_PKCS11_BYPASS=1
export NSS_NO_PKCS11_BYPASS

NSS_ECC_MORE_THAN_SUITE_B=1
export NSS_ECC_MORE_THAN_SUITE_B

FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND

unset NSS_DISABLE_DBM
#export USE_SYSTEM_NSSUTIL=1
export USE_SYSTEM_FREBL=1
export USE_SYSTEM_SOFTOKEN=1
export SOFTOKEN_LIB_DIR=%{_libdir}
export NSS_BUILD_WITHOUT_SOFTOKEN=1
export NSS_BLTEST_NOT_AVAILABLE=1

#%{__make} -C ./nss/coreconf
#%{__make} -C ./nss/lib/util
#%{__make} -C ./nss/lib/util export
%{__make} -C ./nss/coreconf
%{__make} -C ./nss/lib/dbm
%{__cp} %{old_nss_lib}/freebl/blapit.h dist/public/nss/
%{__make} -C ./nss

unset NSS_BLTEST_NOT_AVAILABLE
unset NSS_BUILD_WITHOUT_SOFTOKEN

# Set up our package file
%{__mkdir_p} ./dist/pkgconfig
%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \
                          -e "s,%%prefix%%,%{_prefix},g" \
                          -e "s,%%exec_prefix%%,%{_prefix},g" \
                          -e "s,%%includedir%%,%{_includedir}/nss3,g" \
                          -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \
                          -e "s,%%NSS_VERSION%%,%{version},g" > \
                          ./dist/pkgconfig/nss.pc

NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'`
NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'`
NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'`

export NSS_VMAJOR
export NSS_VMINOR
export NSS_VPATCH

%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \
                          -e "s,@prefix@,%{_prefix},g" \
                          -e "s,@exec_prefix@,%{_prefix},g" \
                          -e "s,@includedir@,%{_includedir}/nss3,g" \
                          -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \
                          -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \
                          -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \
                          > ./dist/pkgconfig/nss-config

chmod 755 ./dist/pkgconfig/nss-config

# freebl and softoken tools
fbst_tools="bltest fipstest lowhashtest mangle shlibsign"
for f in ${fbst_tools}; do
  cp -p mozilla/dist/${linux_dir}/bin/$f dist/${linux_dir}/bin
done

%check
if [ ${DISABLETEST:-0} -eq 1 ]; then
  echo "testing disabled"
  exit 0
fi

# Begin -- copied from the build section
FREEBL_NO_DEPEND=1
export FREEBL_NO_DEPEND

BUILD_OPT=1
export BUILD_OPT

%ifarch x86_64 ppc64 ia64 s390x sparc64
USE_64=1
export USE_64
%endif

export NSS_BLTEST_NOT_AVAILABLE=1

NSS_ENABLE_ECC=1
export NSS_ENABLE_ECC

# On RHEL-5.x the kernel lacks support for hardware GCM
export NSS_DISABLE_HW_GCM=1

# Preserve ABI compatibility for RHEL-5
export NO_FORK_CHECK=1

# use this for the mangling test
export SOFTOKEN_LIB_DIR=%{_libdir}

# End -- copied from the build section

################################################
# The cipher tests
################################################

# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f

# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.

SPACEISBAD=`find ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests/ | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./nss-softokn-util-%{fips_source_version}/mozilla/dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
cd $DISTBINDIR
ln -s selfserv $RANDSERV
popd
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests -type f |\
  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS |xargs grep -lw selfserv |\
  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

killall $RANDSERV || :

rm -rf ./nss-softokn-util-%{fips_source_version}/mozilla/tests_results
pushd ./nss-softokn-util-%{fips_source_version}/mozilla/security/nss/tests/
# all.sh is the test suite script

# the full suites defined upstream
# nss_cycles "standard pkix upgradedb sharedb"
# nss_tests "cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
# nss_ssl_tests "crl bypass_normal normal_bypass normal_fips fips_normal iopr"
# nss_ssl_run "cov auth stress"

# run test suites for the supported features
%global nss_cycles "standard"
%global nss_tests "cipher lowhash"
%global nss_ssl_tests " "
%global nss_ssl_run " "

HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh

popd

# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise.
# Grep exits with status greater than 1 if an error occurred.
# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :

TEST_FAILURES=$(grep -c FAILED ./nss-softokn-util-%{fips_source_version}/mozilla/tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?

if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
  echo "okay: test suite detected no failures"
else
  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
  else
    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
      echo "error: grep has not found log file"
      exit 1
    else
      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
      exit 1
    fi
  fi
fi
echo "cipher test suite completed"

################################################
# The rest of the tests
################################################

# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f

# Run test suite.
# In order to support multiple concurrent executions of the test suite
# (caused by concurrent RPM builds) on a single host,
# we'll use a random port. Also, we want to clean up any stuck
# selfserv processes. If process name "selfserv" is used everywhere,
# we can't simply do a "killall selfserv", because it could disturb
# concurrent builds. Therefore we'll do a search and replace and use
# a different process name.
# Using xargs doesn't mix well with spaces in filenames, in order to
# avoid weird quoting we'll require that no spaces are being used.

SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
if [ $SPACEISBAD -ne 0 ]; then
  echo "error: filenames containing space are not supported (xargs)"
  exit 1
fi
MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
pushd `pwd`
cd $DISTBINDIR
ln -s selfserv $RANDSERV
popd
# man perlrun, man perlrequick
# replace word-occurrences of selfserv with selfserv_$MYRAND
find ./nss/tests -type f |\
  grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
  grep -vw CVS |xargs grep -lw selfserv |\
  xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:

killall $RANDSERV || :

rm -rf ./tests_results
pushd ./nss/tests/
# all.sh is the test suite script

# the full suites defined upstream
# nss_cycles "standard pkix upgradedb sharedb"
# nss_tests "cipher libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"
# nss_ssl_tests "crl bypass_normal normal_bypass normal_fips fips_normal iopr"
# nss_ssl_run "cov auth stress"
#
# The upgradedb and sharedb in nss_cycles not run because
# the sqlite-based shareddb isn't supported on RHEL-5.

# run test suites for the supported features
# no upgradedb or sharedb cycles as sqlite db not supported
%global nss_cycles "standard pkix"
%global nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl merge pkits chains"

# Uncomment these lines if you need to temporarily
# disable some test suites for faster test builds
# global nss_ssl_tests "normal_fips"
# global nss_ssl_run "cov auth"

# only add these if the variables are defined, otherwise all ssl tests get disabled
# NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run}

HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} ./all.sh

popd

# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise.
# Grep exits with status greater than 1 if an error occurred.
# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
killall $RANDSERV || :

# Reset the status left over from the cipher test run above: it is 1 whenever
# this point is reached, and a successful grep (failures found) does not
# overwrite it, so the stale value would report failures here as "okay".
unset GREP_EXIT_STATUS
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?

if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
  echo "okay: test suite detected no failures"
else
  if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
    # while a situation in which grep return status is 0 and it doesn't output
    # anything shouldn't happen, set the default to something that is
    # obviously wrong (-1)
    echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
    exit 1
  else
    if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
      echo "error: grep has not found log file"
      exit 1
    else
      echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
      exit 1
    fi
  fi
fi
echo "test suite completed"

%install

%{__rm} -rf $RPM_BUILD_ROOT

# There is no make install target so we'll do it ourselves.

%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_lib}
%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig

# Copy the binary libraries we want
for file in libsoftokn3.so libfreebl3.so libnssdbm3.so
do
  %{__install} -p -m 755 mozilla/dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# Copy the binary libraries we want
for file in libnss3.so libnssutil3.so libssl3.so libsmime3.so libnssckbi.so
do
  %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# These ghost files will be generated in the post step
touch $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.chk
touch $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.chk
touch $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.chk

# Install the empty NSS db files
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db

# Copy the development libraries we want
for file in libcrmf.a libnssb.a libnssckfw.a
do
  %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
done

# Copy the binaries we want
for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
done

# Copy the binaries we ship as unsupported
%{__install} -p -m 755 mozilla/dist/*.OBJ/bin/shlibsign $RPM_BUILD_ROOT/%{unsupported_tools_directory}
for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
do
  %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
done

# Remove include files we don't want to install
unwanted_headers="blapi.h nsslowhash.h utilpars.h utilparst.h"
for file in ${unwanted_headers}; do
  %{__rm} -f dist/public/nss/$file
done

# Copy the include files we want
for file in dist/public/nss/*.h
do
  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
done

# Install the saved package configuration files
%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config

%clean
%{__rm} -rf $RPM_BUILD_ROOT

%post
/sbin/ldconfig
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libsoftokn3.so >/dev/null 2>/dev/null || :
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libfreebl3.so >/dev/null 2>/dev/null || :
%{unsupported_tools_directory}/shlibsign -i %{_libdir}/libnssdbm3.so >/dev/null 2>/dev/null || :

%postun -p /sbin/ldconfig

%files
%defattr(-,root,root)
%{_libdir}/libnssdbm3.so
%{_libdir}/libnss3.so
%{_libdir}/libnssutil3.so
%{_libdir}/libssl3.so
%{_libdir}/libsmime3.so
%{_libdir}/libsoftokn3.so
%{_libdir}/libnssckbi.so
%{_libdir}/libfreebl3.so
%{unsupported_tools_directory}/shlibsign
%ghost %{_libdir}/libnssdbm3.chk
%ghost %{_libdir}/libsoftokn3.chk
%ghost %{_libdir}/libfreebl3.chk
%dir %{unsupported_tools_directory}
%dir %{_sysconfdir}/pki/nssdb
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db

%files tools
%defattr(-,root,root)
%{_bindir}/certutil
%{_bindir}/cmsutil
%{_bindir}/crlutil
%{_bindir}/modutil
%{_bindir}/pk12util
%{_bindir}/signtool
%{_bindir}/signver
%{_bindir}/ssltap
%{unsupported_tools_directory}/atob
%{unsupported_tools_directory}/btoa
%{unsupported_tools_directory}/derdump
%{unsupported_tools_directory}/ocspclnt
%{unsupported_tools_directory}/pp
%{unsupported_tools_directory}/selfserv
%{unsupported_tools_directory}/strsclnt
%{unsupported_tools_directory}/symkeyutil
%{unsupported_tools_directory}/tstclnt
%{unsupported_tools_directory}/vfyserv
%{unsupported_tools_directory}/vfychain

%files devel
%defattr(-,root,root)
%{_libdir}/libcrmf.a
%{_libdir}/pkgconfig/nss.pc
%{_bindir}/nss-config

%dir %{_includedir}/nss3
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/blapit.h
%{_includedir}/nss3/cert.h
%{_includedir}/nss3/certdb.h
%{_includedir}/nss3/certt.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/cmmf.h
%{_includedir}/nss3/cmmft.h
%{_includedir}/nss3/cms.h
%{_includedir}/nss3/cmsreclist.h
%{_includedir}/nss3/cmst.h
%{_includedir}/nss3/crmf.h
%{_includedir}/nss3/crmft.h
%{_includedir}/nss3/cryptohi.h
%{_includedir}/nss3/cryptoht.h
%{_includedir}/nss3/ecl-exp.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/jar-ds.h
%{_includedir}/nss3/jar.h
%{_includedir}/nss3/jarfile.h
%{_includedir}/nss3/key.h
%{_includedir}/nss3/keyhi.h
%{_includedir}/nss3/keyt.h
%{_includedir}/nss3/keythi.h
%{_includedir}/nss3/nss.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nssckbi.h
%{_includedir}/nss3/nssilckt.h
%{_includedir}/nss3/nssilock.h
%{_includedir}/nss3/nsslocks.h
%{_includedir}/nss3/nssrwlk.h
%{_includedir}/nss3/nssrwlkt.h
%{_includedir}/nss3/nssutil.h
%{_includedir}/nss3/ocsp.h
%{_includedir}/nss3/ocspt.h
%{_includedir}/nss3/p12.h
%{_includedir}/nss3/p12plcy.h
%{_includedir}/nss3/p12t.h
%{_includedir}/nss3/pk11func.h
%{_includedir}/nss3/pk11pqg.h
%{_includedir}/nss3/pk11priv.h
%{_includedir}/nss3/pk11pub.h
%{_includedir}/nss3/pk11sdr.h
%{_includedir}/nss3/pkcs11.h
%{_includedir}/nss3/pkcs11f.h
%{_includedir}/nss3/pkcs11n.h
%{_includedir}/nss3/pkcs11p.h
%{_includedir}/nss3/pkcs11t.h
%{_includedir}/nss3/pkcs11u.h
%{_includedir}/nss3/pkcs1sig.h
%{_includedir}/nss3/pkcs12.h
%{_includedir}/nss3/pkcs12t.h
%{_includedir}/nss3/pkcs7t.h
%{_includedir}/nss3/portreg.h
%{_includedir}/nss3/preenc.h
%{_includedir}/nss3/secasn1.h
%{_includedir}/nss3/secasn1t.h
%{_includedir}/nss3/seccomon.h
%{_includedir}/nss3/secder.h
%{_includedir}/nss3/secdert.h
%{_includedir}/nss3/secdig.h
%{_includedir}/nss3/secdigt.h
%{_includedir}/nss3/secerr.h
%{_includedir}/nss3/sechash.h
%{_includedir}/nss3/secitem.h
%{_includedir}/nss3/secmime.h
%{_includedir}/nss3/secmod.h
%{_includedir}/nss3/secmodt.h
%{_includedir}/nss3/secoid.h
%{_includedir}/nss3/secoidt.h
%{_includedir}/nss3/secpkcs5.h
%{_includedir}/nss3/secpkcs7.h
%{_includedir}/nss3/secport.h
%{_includedir}/nss3/shsign.h
%{_includedir}/nss3/smime.h
%{_includedir}/nss3/ssl.h
%{_includedir}/nss3/sslerr.h
%{_includedir}/nss3/sslproto.h
%{_includedir}/nss3/sslt.h
%{_includedir}/nss3/utilmodt.h
%{_includedir}/nss3/utilrename.h

%files pkcs11-devel
%defattr(-, root, root)
%{_includedir}/nss3/nssbase.h
%{_includedir}/nss3/nssbaset.h
%{_includedir}/nss3/nssckepv.h
%{_includedir}/nss3/nssckft.h
%{_includedir}/nss3/nssckfw.h
%{_includedir}/nss3/nssckfwc.h
%{_includedir}/nss3/nssckfwt.h
%{_includedir}/nss3/nssckg.h
%{_includedir}/nss3/nssckmdt.h
%{_includedir}/nss3/nssckt.h
%{_libdir}/libnssb.a
%{_libdir}/libnssckfw.a

%changelog
* Fri Apr 08 2016 Kai Engert <kaie@redhat.com> - 3.21.0-6
- Fix SSL_DH_MIN_P_BITS in more places.

* Fri Apr 08 2016 Kai Engert <kaie@redhat.com> - 3.21.0-5
- Keep SSL_DH_MIN_P_BITS at 768 as in the previously released build.

* Wed Mar 30 2016 Kai Engert <kaie@redhat.com> - 3.21.0-4
- Run SSL tests

* Mon Mar 28 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-3
- Add compatibility patches to prevent regressions

* Wed Mar 23 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-2
- Ensure all ssl.sh tests are executed

* Tue Mar 15 2016 Elio Maldonado <emaldona@redhat.com> - 3.21.0-1
- Rebase to nss 3.21
- Resolves: Bug 1297944 - Rebase RHEL 5.11.z to NSS 3.21 in preparation for Firefox 45

* Thu Mar 03 2016 Kai Engert <kaie@redhat.com> - 3.19.1-4
- Actually apply the fix for CVE-2016-1950 from NSS 3.19.2.3 ...

* Wed Feb 24 2016 Kai Engert <kaie@redhat.com> - 3.19.1-3
- Include the fix for CVE-2016-1950 from NSS 3.19.2.3

* Mon Oct 19 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-2
- Resolves: Bug 1269354 - CVE-2015-7182 CVE-2015-7181

* Wed Jul 29 2015 Elio Maldonado <emaldona@redhat.com> - 3.19.1-1
- Rebase nss to 3.19.1
- Pick up upstream fix for client auth. regression caused by 3.19.1
- Revert upstream change to minimum key sizes
- Remove patches that rendered obsolete by the rebase
- Update existing patches on account of the rebase

* Tue Jul 28 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-7
- Pick up upstream patch from nss-3.19.1
- Resolves: Bug 1236954 - CVE-2015-2730 NSS: ECDSA signature validation fails to handle some signatures correctly (MFSA 2015-64)
- Resolves: Bug 1236967 - CVE-2015-2721 NSS: incorrectly permitted skipping of ServerKeyExchange (MFSA 2015-71)

* Tue Apr 28 2015 Kai Engert <kaie@redhat.com> - 3.18.0-6
- On RHEL 6.x keep the TLS version defaults unchanged.
- Update to CKBI 2.4 from NSS 3.18.1 (the only change in NSS 3.18.1)

* Sat Apr 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-5
- Copy PayPalICA.cert and PayPalRootCA.cert to nss/tests/libpkix/certs
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Sat Apr 18 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-4
- Update and re-enable nss-646045.patch on account of the rebase
- Enable additional ssl test cycles and document why some aren't enabled
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Mon Apr 13 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-3
- Fix shell syntax error on nss/tests/all.sh
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Fri Apr 10 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-2
- Replace expired PayPal test certificate that breaks the build
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Fri Mar 27 2015 Elio Maldonado <emaldona@redhat.com> - 3.18.0-1
- Resolves: Bug 1200905 - Rebase nss to 3.18 for Firefox 38 ESR [RHEL-5.11]

* Thu Nov 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-5
- Resolves: Bug 1158159 - Upgrade to NSS 3.16.2.3 for Firefox 31.3

* Thu Sep 25 2014 Kai Engert <kaie@redhat.com> - 3.16.1-4
- Adjust softokn patch to be compatible with legacy softokn API.
- Resolves: Bug 1145430 - CVE-2014-1568

* Wed Sep 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-3
- Add patches published with NSS 3.16.2.1
- Resolves: Bug 1145430 - CVE-2014-1568

* Mon Jun 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-2
- Backport nss-3.12.6 upstream fix required by Firefox 31 ESR
- Resolves: Bug 1110860

* Tue Jun 24 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-1
- Rebase to nss-3.16.1 for FF31
- Resolves: Bug 1110860 - Rebase nss in RHEL 5.11 to NSS 3.16.1, required for FF 31

* Tue Apr 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-6
- Remove unused and obsolete patches
- Related: Bug 1032468

* Thu Mar 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.3-5
- Improve shell code for error detection on %%check section
- Resolves: Bug 1035281 - Suboptimal shell code in nss.spec

* Fri Dec 13 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-4
- Revoke trust in one mis-issued anssi certificate
- Resolves: Bug 1042684 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)

* Mon Dec 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-3
- Pick up corrections made in the rhel-10.Z branch, remove an unused patch
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
- Remove unused patch and retag for update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
- Update to nss-3.15.3
- Resolves: rhbz#1032468 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws [rhel-5.11]

* Fri Nov 22 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
- Remove unused patches
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)

* Tue Nov 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-1
- Rebase to nss-3.15.1
- Resolves: rhbz#1002642 - Rebase RHEL 5 to NSS 3.15.1 (for FF 24.x)
- Resolves: rhbz#1015864 - [Regression] NSS no longer trusts MD5 certificates
- Split %%check section tests in two: freebl/softoken and rest of nss tests
- Adjust various patches and spec file steps on account of the rebase
- Add various patches and remove obsoleted ones on account of the rebase
- Renumber patches so freebl/softoken ones match the corresponding ones in rhel-6 nss-softokn

* Thu Aug 01 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-18
- Make the freebl sources identical to the corresponding ones for rhel-6.5
- Related: rhbz#987131

* Sun Jul 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-16
- Adjust the patches to complete the syncup with upstream nss
- Use NSS_DISABLE_HW_GCM on the patch as we do on the spec file
- Ensure softoken/freebl code is the same on nss side as on the softoken side
- Related: rhbz#987131

* Sun Jul 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-16
- Add disable_hw_gcm.patch and in the spec file export NSS_DISABLE_HW_GCM=1
- Disable HW GCM on RHEL-5 as the older kernel lacks support for it
- Related: rhbz#987131

* Thu Jul 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-15
- Related: rhbz#987131 - Display cpuinfo as part of the tests

* Wed Jul 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-14
- Resolves: rhbz#987131 - Pick up various upstream GCM code fixes applied since nss-3.14.3 was released

* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13
- Roll back to 79c87e69caa7454cbcf5f8161a628c538ff3cab3
- Previously added patch hasn't solved the sporadic core dumps
- Related: rhbz#983766 - nssutil_ReadSecmodDB leaks memory

* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-12
- Resolves: rhbz#983766 - nssutil_ReadSecmodDB leaks memory
- Add patch to get rid of sporadic blapitest core dumps

* Thu Jun 20 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-11
- Restore 'export NO_FORK_CHECK=1' required for binary compatibility on RHEL-5
- Remove an unused patch
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3

* Tue Jun 18 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-10
- Resolves: rhbz#807419 - nss-tools certutil -H does not list all options

* Thu May 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-9
- Apply upstream fixes for ecc enabling and aes gcm
- Rename two macros EC_MIN_KEY_BITS and EC_MAX_KEY_BITS per upstream
- Apply several upstream AES GCM fixes
- Resolves: rhbz#960241 - Enable ECC in nss and freebl
- Resolves: rhbz#918948 - [RFE][RHEL5]

* Tue May 21 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-8
- Enable ECC support limited to suite b
- Export NSS_ENABLE_ECC=1 in the %%check section to properly test ecc
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

* Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-7
- Define -DNO_FORK_CHECK when compiling softoken for ABI compatibility
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Thu May 09 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-6
- Remove obsolete nss-nochktest.patch
- Related: rhbz#960241 - Enable ECC in nss and freebl

* Mon May 06 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-5
- Enable ECC by using the unstripped sources
- Resolves: rhbz#960241 - Enable ECC in nss and freebl

* Tue Apr 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-4
- Fix rpmdiff test reported failures and remove other unwanted changes
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Mon Apr 22 2013 Elio Maldonado - 3.14.3-3
- Update to NSS_3_14_3_RTM
- Rework the rebase to preserve needed idiosyncrasies
- Ensure we install freebl/softoken from the extra build tree
- Don't include freebl static library or its private headers
- Add patch to deal with system sqlite not being recent enough
- Don't install nss-sysinit nor sharedb
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Mon Apr 01 2013 Elio Maldonado - 3.14.3-2
- Restore the freebl-softoken source tar ball updated to 3.14.3
- Renumbering of some sources for clarity
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Sat Mar 30 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-1
- Update to NSS_3_14_3_RTM
- Resolves: rhbz#918948 - [RFE][RHEL5] Rebase to nss-3.14.3 to fix the lucky-13 issue

* Thu Jan 10 2013 Elio Maldonado <emaldona@redhat.com> - 3.13.6-2
- Resolves: rhbz#891150 - Dis-trust TURKTRUST mis-issued *.google.com certificate

* Tue Jan 08 2013 Elio Maldonado <emaldona@redhat.com> - 3.13.6-1
- Update to NSS_3_13_6_RTM
- Resolves: rhbz#883788 - [RFE] [RHEL5] Rebase to NSS >= 3.13.6

* Fri Aug 17 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-8
- Resolves: rhbz#820684 - Fix last entry in attrFlagsArray to be {NAME_SIZE(unextractable), PK11_ATTR_UNEXTRACTABLE}

* Tue Jul 24 2012 Robert Relyea <rrelyea@redhat.com> - 3.13.5-7
- Resolves: rhbz#820684 - Enable certutil handle user supplied flags for PKCS #11 attributes.
- This will enable certutil to generate keys in fussy hardware tokens.

* Tue Jul 24 2012 Kai Engert <kaie@redhat.com> - 3.13.5-6
- fix an error in the patch meta-information area (no code change)

* Sat Jul 14 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-5
- Related: rhbz#830304 - Fix ia64 / i386 multilib nss install failure
- Remove no longer needed %%pre and %%preun scriptlets meant for nss updates from RHEL-5.0

* Wed Jul 11 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-4
- Related: rhbz#830304 - Fix the changes to the %%post line
- Having multiple commands requires that /sbin/lconfig be the beginning of the scriptlet

* Wed Jul 11 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-3
- Resolves: rhbz#830304 - Fix multilib and scriptlet problems
- Fix %%post and %%postun lines per packaging guidelines
- Add %%{?_isa} to tools Requires: per packaging guidelines
- Fix explicit-lib-dependency zlib error reported by rpmlint

* Thu Jun 21 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-2
- Resolves: rhbz#830304 - Remove unwanted change to nss.pc.in

* Tue Jun 19 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.5-1
- Update to NSS_3_13_5_RTM
- Resolves: rhbz#830304 - Update RHEL 5.x to NSS 3.13.5 and NSPR 4.9.1 for Mozilla 10.0.6

* Tue Feb 28 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-4
- Resolves: rhbz#797939 - Protect NSS_Shutdown from clients that fail to initialize nss

* Thu Feb 09 2012 Elio Maldonado <emaldona@redhat.com> - 3.13.1-3
- Resolves: Bug 788039 - retagging to prevent update problems

* Wed Feb 08 2012 Elio Maldonado <emaldona@redhat.com> 3.13.1-1
- Resolves: Bug 788039 - rebase nss to make firefox 10 LTS rebase possible
- Update to 4.8.9

* Tue Jan 17 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-9
- Resolves: Bug 713373 - File descriptor leak after service httpd reload
- Don't initialize nss if already initialized or if there are no dbs

* Fri Jan 13 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-8
- Retagging for a Y-stream version higher than the RHEL-5-7-Z branch

* Wed Jan 11 2012 Elio Maldonado Batiz <emaldona@redhat.com> - 3.12.10-7
- Retagging to keep the n-v-r as high as that for the RHEL-5-7-Z branch

* Tue Nov 08 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-6
- Update builtins certs to those from NSSCKBI_1_88_RTM

* Sat Oct 01 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-5
- Plug file descriptor leaks on httpd reloads

* Fri Sep 02 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-4
- Update builtins certs to those from NSSCKBI_1_87_RTM

* Wed Aug 31 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-3
- Update builtins certs to those from NSSCKBI_1_86_RTM

* Tue Aug 30 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-2
- Update builtins certs to NSSCKBI_1_85_RTM

* Thu Jul 14 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.10-1
- Update to 3.12.10

* Fri Jun 03 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-4
- Fix libcrmf hard-coded maximum size for wrapped private keys

* Thu Mar 24 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-3
- Update builtin certs to NSS_3.12.9_WITH_CKBI_1_82_RTM via a patch

* Wed Mar 23 2011 Elio Maldonado <emaldona@redhat.com> - 3.12.8-2
- Update builtin certs to those from NSS_3.12.9_WITH_CKBI_1_82_RTM

* Fri Oct 01 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.8-1
- Update to 3.12.8

* Fri Aug 27 2010 Kai Engert <kengert@redhat.com> - 3.12.7-2
- fix dependencies, undo previous change

* Thu Aug 26 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.7-1
- Update to 3.12.7

* Thu Apr 29 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-2
- Enable client applications to build with -Wstrict-prototypes

* Thu Mar 04 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.6-1
- Update to 3.12.6

* Tue Feb 23 2010 Elio Maldonado <emaldona@redhat.com> - 3.12.5.99-1
- Update to NSS_3_12_6_RC1

* Mon Dec 07 2009 Elio Maldonado <emaldona@redhat.com> - 3.12.3.99.3-1.el5_3.3
- CVE-2009-3555 MITM attacks via session renegotiation (bug 54357)

* Fri Jun 12 2009 Kai Engert <kengert@redhat.com> - 3.12.3.99.3-1.el5_3.2
- adjust ssl cipher count constant (bug 505650)
- create z-stream version

* Thu Jun 04 2009 Kai Engert <kengert@redhat.com> - 3.12.3.99.3-1
- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75

* Wed May 20 2009 Kai Engert <kengert@redhat.com> - 3.12.3-5
- updated patch to seckey

* Thu May 14 2009 Kai Engert <kengert@redhat.com> - 3.12.3-4
- add a patch to seckey

* Wed May 13 2009 Kai Engert <kengert@redhat.com> - 3.12.3-3
- remove references to SEED

* Wed Apr 15 2009 Kai Engert <kengert@redhat.com> - 3.12.3-2
- update to NSS 3.12.3

* Fri Jan 23 2009 Kai Engert <kengert@redhat.com> - 3.12.2.0-4
- exclude binary db files from change detection

* Fri Jan 23 2009 Kai Engert <kengert@redhat.com> - 3.12.2.0-3
- Update to NSS_3_12_2_WITH_CKBI_1_73_RTM
- Add dependency to pkgconfig to devel package (bug456849)

* Wed Dec 10 2008 Kai Engert <kengert@redhat.com> - 3.12.2.0-2
- Update to NSS_3_12_2_RC1
- Use system zlib

* Thu Nov 06 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-3
- Update to NSS_3_12_1_WITH_CKBI_1_72_RTM

* Fri Sep 05 2008 Kai Engert <kengert@redhat.com> - 3.12.1.1-1
- Update to NSS_3_12_1_RC2

* Thu Sep 04 2008 Kai Engert <kengert@redhat.com> - 3.12.1.0-1
- Update to NSS_3_12_1_RC1

* Fri Jun 13 2008 Kai Engert <kengert@redhat.com> - 3.12.0.3-1
- Update to NSS_3_12_RC4
- Enable loading of external ECC modules
- Include upstream fix for a deadlock in the certutil tool, bug 447431

* Tue Apr 01 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-2
- Include additional tools, rhbz#435928

* Mon Mar 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.5-1
- Update to NSS_3_12_BETA3

* Fri Feb 22 2008 Kai Engert <kengert@redhat.com> - 3.11.99.4-1
- NSS 3.12 Beta 2

* Fri Jan 25 2008 Kai Engert <kengert@redhat.com> - 3.11.99.3-1
- NSS 3.12 Beta 1

* Thu Jan 17 2008 Kai Engert <kengert@redhat.com> - 3.11.99.2b-1
- Upgrade to NSS 3.12 Alpha 2b

* Fri Aug 03 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.3
- No longer use immutable file system attributes, rhbz#237350

* Wed Jul 11 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.2
- Ensure the fix for rhbz#212077 really gets built.

* Wed Jun 27 2007 Kai Engert <kengert@redhat.com> - 3.11.7-1.1
- Fix rhbz#212077, use a workaround to avoid Mozilla.org bug 51429
- Remove link time dependency on libsoftokn3
- Update to 3.11.7, but freebl/softokn remain at 3.11.5

* Wed Apr 18 2007 Kai Engert <kengert@redhat.com> - 3.11.5-4
- Apply upstream patch for mozilla.org bug 51429 in order to fix an issue with smartcard login (rhbz#212077).

* Mon Mar 05 2007 Kai Engert <kengert@redhat.com> - 3.11.5-3
- Prevent .chk files from being modified by prelink and rpm building by generating chk files at install time and setting immutable filesystem attribute (230546, 231367).

* Wed Jan 24 2007 Kai Engert <kengert@redhat.com> - 3.11.5-1
- Update to 3.11.5

* Thu Jan 11 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-5
- handle the case where a smartcard is reset between the time the nss prompts for the password and the user enters it.

* Tue Jan 9 2007 Bob Relyea <rrelyea@redhat.com> - 3.11.4-4
- cleanout dead code

* Wed Dec 20 2006 Bob Relyea <rrelyea@redhat.com> - 3.11.4-3
- disable ECC

* Thu Nov 30 2006 Kai Engert <kengert@redhat.com> - 3.11.4-2
- rebuild

* Tue Nov 28 2006 Kai Engert <kengert@redhat.com> - 3.11.4-1
- Update to 3.11.4

* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-2
- Revert the attempt to require latest NSPR, as it is not yet available in the build infrastructure.

* Thu Sep 14 2006 Kai Engert <kengert@redhat.com> - 3.11.3-1
- Update to 3.11.3

* Thu Aug 03 2006 Kai Engert <kengert@redhat.com> - 3.11.2-2
- Add /etc/pki/nssdb

* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 3.11.2-1.1
- rebuild

* Fri Jun 30 2006 Kai Engert <kengert@redhat.com> - 3.11.2-1
- Update to 3.11.2
- Enable executable bit on shared libs, also fixes debug info.

* Wed Jun 14 2006 Kai Engert <kengert@redhat.com> - 3.11.1-2
- Enable Elliptic Curve Cryptography (ECC)

* Fri May 26 2006 Kai Engert <kengert@redhat.com> - 3.11.1-1
- Update to 3.11.1
- Include upstream patch to limit curves

* Wed Feb 15 2006 Kai Engert <kengert@redhat.com> - 3.11-4
- add --noexecstack when compiling assembler on x86_64

* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.2
- bump again for double-long bug on ppc(64)

* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 3.11-3.1
- rebuilt for new gcc4.1 snapshot and glibc changes

* Thu Jan 19 2006 Ray Strode <rstrode@redhat.com> 3.11-3
- rebuild

* Fri Dec 16 2005 Christopher Aillon <caillon@redhat.com> 3.11-2
- Update file list for the devel packages

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-1
- Update to 3.11

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs.2
- Add patch to allow building on ppc*
- Update the pkgconfig file to Require nspr

* Thu Dec 15 2005 Christopher Aillon <caillon@redhat.com> 3.11-0.cvs
- Initial import into Fedora Core, based on a CVS snapshot of the NSS_3_11_RTM tag
- Fix up the pkcs11-devel subpackage to contain the proper headers
- Build with RPM_OPT_FLAGS
- No need to have rpath of /usr/lib in the pc file

* Thu Dec 15 2005 Kai Engert <kengert@redhat.com>
- Addressed review comments by Wan-Teh Chang, Bob Relyea, Christopher Aillon.

* Sat Jul 09 2005 Rob Crittenden <rcritten@redhat.com> 3.10-1
- Initial build