diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1760934 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/nss-softokn-3.34.0.tar.gz diff --git a/.nss-softokn.metadata b/.nss-softokn.metadata new file mode 100644 index 0000000..5f27f1b --- /dev/null +++ b/.nss-softokn.metadata @@ -0,0 +1 @@ +185931ac63238c24c36369863495110450f2ee0e SOURCES/nss-softokn-3.34.0.tar.gz diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch new file mode 100644 index 0000000..3d1aa60 --- /dev/null +++ b/SOURCES/iquote.patch @@ -0,0 +1,37 @@ +diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile +--- nss/cmd/bltest/Makefile.iquote 2013-04-04 21:56:59.329249213 -0700 ++++ nss/cmd/bltest/Makefile 2013-04-04 21:57:47.583579084 -0700 +@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../private/nss + + + ####################################################################### +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2013-04-04 21:54:59.710477106 -0700 ++++ nss/coreconf/location.mk 2013-04-04 21:56:21.091163121 -0700 +@@ -45,6 +45,10 @@ endif + + ifdef NSS_INCLUDE_DIR + INCLUDES += -I$(NSS_INCLUDE_DIR) ++ ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss ++ INCLUDES += -iquote $(DIST)/../private/nss ++ endif + endif + + ifndef NSS_LIB_DIR +diff -up ./nss/lib/softoken/Makefile.iquote ./nss/lib/softoken/Makefile +--- ./nss/lib/softoken/Makefile.iquote 2014-01-06 20:35:19.931937299 -0800 ++++ ./nss/lib/softoken/Makefile 2014-01-06 20:36:15.336390664 -0800 +@@ -42,6 +42,8 @@ ifdef NSS_DISABLE_DBM + DIRS= + endif + ++INCLUDES += -iquote $(DIST)/../private/nss ++ + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # + ####################################################################### diff --git a/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch b/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch new file mode 100644 index 0000000..be37be3 --- /dev/null +++ b/SOURCES/nss-softokn-3.16-add_encrypt_derive.patch @@ -0,0 +1,265 @@ +diff -up nss/lib/softoken/pkcs11.c.add_encrypt_derive nss/lib/softoken/pkcs11.c +--- nss/lib/softoken/pkcs11.c.add_encrypt_derive 2017-10-30 10:38:09.000000000 +0100 ++++ nss/lib/softoken/pkcs11.c 2017-11-03 14:15:03.648179954 +0100 +@@ -421,11 +421,22 @@ static const struct mechanismList mechan + #endif + /* --------------------- Secret Key Operations ------------------------ */ + { CKM_GENERIC_SECRET_KEY_GEN, { 1, 32, CKF_GENERATE }, PR_TRUE }, +- { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_GENERATE }, PR_FALSE }, +- { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE }, +- { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_GENERATE }, PR_FALSE }, +- { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_GENERATE }, PR_FALSE }, ++ { CKM_CONCATENATE_BASE_AND_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_CONCATENATE_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_CONCATENATE_DATA_AND_BASE, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_XOR_BASE_AND_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_EXTRACT_KEY_FROM_KEY, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES3_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_DES3_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_AES_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_AES_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_CAMELLIA_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_CAMELLIA_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_SEED_ECB_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, ++ { CKM_SEED_CBC_ENCRYPT_DATA, { 1, 32, CKF_DERIVE }, PR_FALSE }, + /* ---------------------- SSL Key Derivations ------------------------- */ + { CKM_SSL3_PRE_MASTER_KEY_GEN, { 48, 48, CKF_GENERATE }, PR_FALSE }, + { CKM_SSL3_MASTER_KEY_DERIVE, { 48, 48, CKF_DERIVE }, PR_FALSE }, +diff -up nss/lib/softoken/pkcs11c.c.add_encrypt_derive nss/lib/softoken/pkcs11c.c +--- nss/lib/softoken/pkcs11c.c.add_encrypt_derive 2017-10-30 10:38:09.000000000 +0100 ++++ nss/lib/softoken/pkcs11c.c 2017-11-03 14:19:35.665109757 +0100 +@@ -6242,6 +6242,44 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_UL + } + + /* ++ * Handle The derive from a block encryption cipher ++ */ ++CK_RV ++sftk_DeriveEncrypt(SFTKObject *key, CK_ULONG keySize, void *cipherInfo, ++ int blockSize, unsigned char *data, CK_ULONG len, SFTKCipher encrypt) ++{ ++ unsigned char *tmpdata = NULL; ++ SECStatus rv; ++ unsigned int outLen; ++ CK_RV crv; ++ ++ if ((len % blockSize) != 0) { ++ return CKR_MECHANISM_PARAM_INVALID; ++ } ++ if (keySize && (len < keySize)) { ++ return CKR_MECHANISM_PARAM_INVALID; ++ } ++ if (keySize == 0) { ++ keySize = len; ++ } ++ ++ tmpdata = PORT_Alloc(len); ++ if (tmpdata == NULL) { ++ return CKR_HOST_MEMORY; ++ } ++ rv = (*encrypt)(cipherInfo, tmpdata, &outLen, len, data, len); ++ if (rv != SECSuccess) { ++ crv = sftk_MapCryptError(PORT_GetError()); ++ PORT_ZFree(tmpdata, len); ++ return crv; ++ } ++ ++ crv = sftk_forceAttribute(key, CKA_VALUE, tmpdata, keySize); ++ PORT_ZFree(tmpdata, len); ++ return crv; ++} ++ ++/* + * SSL Key generation given pre master secret + */ + #define NUM_MIXERS 9 +@@ -6286,6 +6324,9 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + CK_KEY_TYPE keyType = CKK_GENERIC_SECRET; + CK_OBJECT_CLASS classType = CKO_SECRET_KEY; + CK_KEY_DERIVATION_STRING_DATA *stringPtr; ++ CK_AES_CBC_ENCRYPT_DATA_PARAMS *aesEncryptPtr; ++ CK_DES_CBC_ENCRYPT_DATA_PARAMS *desEncryptPtr; ++ void *cipherInfo; + CK_MECHANISM_TYPE mechanism = pMechanism->mechanism; + PRBool isTLS = PR_FALSE; + PRBool isDH = PR_FALSE; +@@ -6295,6 +6336,7 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + unsigned int outLen; + unsigned char sha_out[SHA1_LENGTH]; + unsigned char key_block[NUM_MIXERS * SFTK_MAX_MAC_LENGTH]; ++ unsigned char des3key[24]; + PRBool isFIPS; + HASH_HashType hashType; + PRBool extractValue = PR_TRUE; +@@ -6899,6 +6941,168 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession + break; + } + ++ case CKM_DES_ECB_ENCRYPT_DATA: ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; ++ cipherInfo = DES_CreateContext((unsigned char *)att->attrib.pValue, ++ NULL, NSS_DES, PR_TRUE); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, ++ stringPtr->pData, stringPtr->ulLen, (SFTKCipher)DES_Encrypt); ++ DES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_DES_CBC_ENCRYPT_DATA: ++ desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ cipherInfo = DES_CreateContext((unsigned char *)att->attrib.pValue, ++ desEncryptPtr->iv, NSS_DES_CBC, PR_TRUE); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, ++ desEncryptPtr->pData, desEncryptPtr->length, ++ (SFTKCipher)DES_Encrypt); ++ DES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_DES3_ECB_ENCRYPT_DATA: ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; ++ if (att->attrib.ulValueLen == 16) { ++ PORT_Memcpy(des3key, att->attrib.pValue, 16); ++ PORT_Memcpy(des3key + 16, des3key, 8); ++ } else if (att->attrib.ulValueLen == 24) { ++ PORT_Memcpy(des3key, att->attrib.pValue, 24); ++ } else { ++ crv = CKR_KEY_SIZE_RANGE; ++ break; ++ } ++ cipherInfo = DES_CreateContext(des3key, NULL, NSS_DES_EDE3, PR_TRUE); ++ PORT_Memset(des3key, 0, 24); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, ++ stringPtr->pData, stringPtr->ulLen, (SFTKCipher)DES_Encrypt); ++ DES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_DES3_CBC_ENCRYPT_DATA: ++ desEncryptPtr = (CK_DES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ if (att->attrib.ulValueLen == 16) { ++ PORT_Memcpy(des3key, att->attrib.pValue, 16); ++ PORT_Memcpy(des3key + 16, des3key, 8); ++ } else if (att->attrib.ulValueLen == 24) { ++ PORT_Memcpy(des3key, att->attrib.pValue, 24); ++ } else { ++ crv = CKR_KEY_SIZE_RANGE; ++ break; ++ } ++ cipherInfo = DES_CreateContext(des3key, desEncryptPtr->iv, ++ NSS_DES_EDE3_CBC, PR_TRUE); ++ PORT_Memset(des3key, 0, 24); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 8, ++ desEncryptPtr->pData, desEncryptPtr->length, ++ (SFTKCipher)DES_Encrypt); ++ DES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_AES_ECB_ENCRYPT_DATA: ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; ++ cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue, ++ NULL, NSS_AES, PR_TRUE, att->attrib.ulValueLen, 16); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ stringPtr->pData, stringPtr->ulLen, (SFTKCipher)AES_Encrypt); ++ AES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_AES_CBC_ENCRYPT_DATA: ++ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ cipherInfo = AES_CreateContext((unsigned char *)att->attrib.pValue, ++ aesEncryptPtr->iv, NSS_AES_CBC, ++ PR_TRUE, att->attrib.ulValueLen, 16); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ aesEncryptPtr->pData, aesEncryptPtr->length, ++ (SFTKCipher)AES_Encrypt); ++ AES_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_CAMELLIA_ECB_ENCRYPT_DATA: ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; ++ cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue, ++ NULL, NSS_CAMELLIA, PR_TRUE, att->attrib.ulValueLen); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ stringPtr->pData, stringPtr->ulLen, ++ (SFTKCipher)Camellia_Encrypt); ++ Camellia_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_CAMELLIA_CBC_ENCRYPT_DATA: ++ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ cipherInfo = Camellia_CreateContext((unsigned char *)att->attrib.pValue, ++ aesEncryptPtr->iv, NSS_CAMELLIA_CBC, ++ PR_TRUE, att->attrib.ulValueLen); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ aesEncryptPtr->pData, aesEncryptPtr->length, ++ (SFTKCipher)Camellia_Encrypt); ++ Camellia_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_SEED_ECB_ENCRYPT_DATA: ++ stringPtr = (CK_KEY_DERIVATION_STRING_DATA *)pMechanism->pParameter; ++ cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue, ++ NULL, NSS_SEED, PR_TRUE); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ stringPtr->pData, stringPtr->ulLen, (SFTKCipher)SEED_Encrypt); ++ SEED_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ ++ case CKM_SEED_CBC_ENCRYPT_DATA: ++ aesEncryptPtr = (CK_AES_CBC_ENCRYPT_DATA_PARAMS *) ++ pMechanism->pParameter; ++ cipherInfo = SEED_CreateContext((unsigned char *)att->attrib.pValue, ++ aesEncryptPtr->iv, NSS_SEED_CBC, PR_TRUE); ++ if (cipherInfo == NULL) { ++ crv = CKR_HOST_MEMORY; ++ break; ++ } ++ crv = sftk_DeriveEncrypt(key, keySize, cipherInfo, 16, ++ aesEncryptPtr->pData, aesEncryptPtr->length, ++ (SFTKCipher)SEED_Encrypt); ++ SEED_DestroyContext(cipherInfo, PR_TRUE); ++ break; ++ + case CKM_CONCATENATE_BASE_AND_KEY: { + SFTKObject *newKey; + diff --git a/SOURCES/nss-softokn-3.28-fix-fips-login.patch b/SOURCES/nss-softokn-3.28-fix-fips-login.patch new file mode 100644 index 0000000..d8464e9 --- /dev/null +++ b/SOURCES/nss-softokn-3.28-fix-fips-login.patch @@ -0,0 +1,107 @@ +diff -up ./nss/lib/softoken/fipstokn.c.fix-fips-login ./nss/lib/softoken/fipstokn.c +--- ./nss/lib/softoken/fipstokn.c.fix-fips-login 2017-02-17 05:20:06.000000000 -0800 ++++ ./nss/lib/softoken/fipstokn.c 2017-05-05 15:29:23.934308889 -0700 +@@ -540,7 +540,10 @@ FC_GetTokenInfo(CK_SLOT_ID slotID, CK_TO + + crv = NSC_GetTokenInfo(slotID, pInfo); + if (crv == CKR_OK) { +- if ((pInfo->flags & CKF_LOGIN_REQUIRED) == 0) { ++ /* use the global database to figure out if we are running in ++ * FIPS 140 Level 1 or Level 2 */ ++ if (slotID == FIPS_SLOT_ID && ++ (pInfo->flags & CKF_LOGIN_REQUIRED) == 0) { + isLevel2 = PR_FALSE; + } + } +@@ -616,7 +619,8 @@ FC_InitPIN(CK_SESSION_HANDLE hSession, + * we need to make sure the pin meets FIPS requirements */ + if ((ulPinLen == 0) || ((rv = sftk_newPinCheck(pPin, ulPinLen)) == CKR_OK)) { + rv = NSC_InitPIN(hSession, pPin, ulPinLen); +- if (rv == CKR_OK) { ++ if ((rv == CKR_OK) && ++ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) { + isLevel2 = (ulPinLen > 0) ? PR_TRUE : PR_FALSE; + } + } +@@ -644,7 +648,8 @@ FC_SetPIN(CK_SESSION_HANDLE hSession, CK + if ((rv = sftk_fipsCheck()) == CKR_OK && + (rv = sftk_newPinCheck(pNewPin, usNewLen)) == CKR_OK) { + rv = NSC_SetPIN(hSession, pOldPin, usOldLen, pNewPin, usNewLen); +- if (rv == CKR_OK) { ++ if ((rv == CKR_OK) && ++ (sftk_SlotIDFromSessionHandle(hSession) == FIPS_SLOT_ID)) { + /* if we set the password in level1 we now go + * to level2. NOTE: we don't allow the user to + * go from level2 to level1 */ +@@ -705,12 +710,24 @@ FC_GetSessionInfo(CK_SESSION_HANDLE hSes + + rv = NSC_GetSessionInfo(hSession, pInfo); + if (rv == CKR_OK) { +- if ((isLoggedIn) && (pInfo->state == CKS_RO_PUBLIC_SESSION)) { +- pInfo->state = CKS_RO_USER_FUNCTIONS; +- } +- if ((isLoggedIn) && (pInfo->state == CKS_RW_PUBLIC_SESSION)) { +- pInfo->state = CKS_RW_USER_FUNCTIONS; +- } ++ /* handle the case where the auxilary slot doesn't require login. ++ * piggy back on the main token's login state */ ++ if (isLoggedIn && ++ ((pInfo->state == CKS_RO_PUBLIC_SESSION) || ++ (pInfo->state == CKS_RW_PUBLIC_SESSION))) { ++ CK_RV crv; ++ CK_TOKEN_INFO tInfo; ++ crv = NSC_GetTokenInfo(sftk_SlotIDFromSessionHandle(hSession), ++ &tInfo); ++ /* if the token doesn't login, use our global login state */ ++ if ((crv == CKR_OK) && ((tInfo.flags & CKF_LOGIN_REQUIRED) == 0)) { ++ if (pInfo->state == CKS_RO_PUBLIC_SESSION) { ++ pInfo->state = CKS_RO_USER_FUNCTIONS; ++ } else { ++ pInfo->state = CKS_RW_USER_FUNCTIONS; ++ } ++ } ++ } + } + return rv; + } +diff -up ./nss/lib/softoken/pkcs11.c.fix-fips-login ./nss/lib/softoken/pkcs11.c +--- ./nss/lib/softoken/pkcs11.c.fix-fips-login 2017-05-05 15:33:02.247012129 -0700 ++++ ./nss/lib/softoken/pkcs11.c 2017-05-05 15:34:43.399727983 -0700 +@@ -2370,17 +2370,22 @@ sftk_SlotFromID(CK_SLOT_ID slotID, PRBoo + return slot; + } + +-SFTKSlot * +-sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle) ++CK_SLOT_ID ++sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle) + { + CK_ULONG slotIDIndex = (handle >> 24) & 0x7f; + CK_ULONG moduleIndex = (handle >> 31) & 1; + + if (slotIDIndex >= nscSlotCount[moduleIndex]) { +- return NULL; ++ return (CK_SLOT_ID)-1; + } ++ return nscSlotList[moduleIndex][slotIDIndex]; ++} + +- return sftk_SlotFromID(nscSlotList[moduleIndex][slotIDIndex], PR_FALSE); ++SFTKSlot * ++sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle) ++{ ++ return sftk_SlotFromID(sftk_SlotIDFromSessionHandle(handle), PR_FALSE); + } + + static CK_RV +diff -up ./nss/lib/softoken/pkcs11i.h.fix-fips-login ./nss/lib/softoken/pkcs11i.h +--- ./nss/lib/softoken/pkcs11i.h.fix-fips-login 2017-02-17 05:20:06.000000000 -0800 ++++ ./nss/lib/softoken/pkcs11i.h 2017-05-05 15:29:23.934308889 -0700 +@@ -667,6 +667,7 @@ extern CK_RV sftk_handleObject(SFTKObjec + + extern SFTKSlot *sftk_SlotFromID(CK_SLOT_ID slotID, PRBool all); + extern SFTKSlot *sftk_SlotFromSessionHandle(CK_SESSION_HANDLE handle); ++extern CK_SLOT_ID sftk_SlotIDFromSessionHandle(CK_SESSION_HANDLE handle); + extern SFTKSession *sftk_SessionFromHandle(CK_SESSION_HANDLE handle); + extern void sftk_FreeSession(SFTKSession *session); + extern SFTKSession *sftk_NewSession(CK_SLOT_ID slotID, CK_NOTIFY notify, diff --git a/SOURCES/nss-softokn-config.in b/SOURCES/nss-softokn-config.in new file mode 100644 index 0000000..f46ba24 --- /dev/null +++ b/SOURCES/nss-softokn-config.in @@ -0,0 +1,116 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-softokn` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-softokn` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-softokn` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + echo $libdirs +fi + diff --git a/SOURCES/nss-softokn-dracut-module-setup.sh b/SOURCES/nss-softokn-dracut-module-setup.sh new file mode 100644 index 0000000..951f427 --- /dev/null +++ b/SOURCES/nss-softokn-dracut-module-setup.sh @@ -0,0 +1,19 @@ +#!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- +# ex: ts=8 sw=4 sts=4 et filetype=sh + +check() { + return 255 +} + +depends() { + return 0 +} + +install() { + local _dir + + inst_libdir_file libfreeblpriv3.so libfreeblpriv3.chk \ + libfreebl3.so +} + diff --git a/SOURCES/nss-softokn-dracut.conf b/SOURCES/nss-softokn-dracut.conf new file mode 100644 index 0000000..2d9232e --- /dev/null +++ b/SOURCES/nss-softokn-dracut.conf @@ -0,0 +1,3 @@ +# turn on nss-softokn module + +add_dracutmodules+=" nss-softokn " diff --git a/SOURCES/nss-softokn-fix-ecc-post.patch b/SOURCES/nss-softokn-fix-ecc-post.patch new file mode 100644 index 0000000..3fe1836 --- /dev/null +++ b/SOURCES/nss-softokn-fix-ecc-post.patch @@ -0,0 +1,44 @@ +diff -up ./nss/lib/freebl/fipsfreebl.c.ecc_post ./nss/lib/freebl/fipsfreebl.c +--- ./nss/lib/freebl/fipsfreebl.c.ecc_post 2017-07-21 18:33:27.946809392 -0700 ++++ ./nss/lib/freebl/fipsfreebl.c 2017-07-21 18:34:09.065510689 -0700 +@@ -15,9 +15,7 @@ + #include "secerr.h" + #include "prtypes.h" + +-#ifdef NSS_ENABLE_ECC + #include "ec.h" /* Required for ECDSA */ +-#endif + + /* + * different platforms have different ways of calling and initial entry point +@@ -1077,7 +1075,6 @@ rsa_loser: + return (SECFailure); + } + +-#ifdef NSS_ENABLE_ECC + + static SECStatus + freebl_fips_ECDSA_Test(ECParams *ecparams, +@@ -1275,8 +1272,6 @@ freebl_fips_ECDSA_PowerUpSelfTest() + return (SECSuccess); + } + +-#endif /* NSS_ENABLE_ECC */ +- + static SECStatus + freebl_fips_DSA_PowerUpSelfTest(void) + { +@@ -1559,13 +1554,11 @@ freebl_fipsPowerUpSelfTest(unsigned int + if (rv != SECSuccess) + return rv; + +-#ifdef NSS_ENABLE_ECC + /* ECDSA Power-Up SelfTest(s). */ + rv = freebl_fips_ECDSA_PowerUpSelfTest(); + + if (rv != SECSuccess) + return rv; +-#endif + } + /* Passed Power-Up SelfTest(s). */ + return (SECSuccess); diff --git a/SOURCES/nss-softokn-prelink.conf b/SOURCES/nss-softokn-prelink.conf new file mode 100644 index 0000000..11d7fb0 --- /dev/null +++ b/SOURCES/nss-softokn-prelink.conf @@ -0,0 +1,6 @@ +-b /lib{,64}/libfreeblpriv3.so +-b /lib{,64}/libsoftokn3.so +-b /lib{,64}/libnssdbm3.so +-b /usr/lib{,64}/libfreeblpriv3.so +-b /usr/lib{,64}/libsoftokn3.so +-b /usr/lib{,64}/libnssdbm3.so diff --git a/SOURCES/nss-softokn-tls-abi-fix.patch b/SOURCES/nss-softokn-tls-abi-fix.patch new file mode 100644 index 0000000..18ac79b --- /dev/null +++ b/SOURCES/nss-softokn-tls-abi-fix.patch @@ -0,0 +1,26 @@ +diff -up ./nss/lib/softoken/pkcs11c.c.tls_abi_fix ./nss/lib/softoken/pkcs11c.c +--- ./nss/lib/softoken/pkcs11c.c.tls_abi_fix 2017-03-23 14:44:59.059880273 -0700 ++++ ./nss/lib/softoken/pkcs11c.c 2017-03-23 14:45:24.738316707 -0700 +@@ -2672,6 +2672,7 @@ NSC_SignInit(CK_SESSION_HANDLE hSession, + case CKM_TLS_PRF_GENERAL: + crv = sftk_TLSPRFInit(context, key, key_type, HASH_AlgNULL, 0); + break; ++ case CKM_TLS_KDF: + case CKM_TLS_MAC: { + CK_TLS_MAC_PARAMS *tls12_mac_params; + HASH_HashType tlsPrfHash; +diff -up ./nss/lib/softoken/pkcs11.c.tls_abi_fix ./nss/lib/softoken/pkcs11.c +--- ./nss/lib/softoken/pkcs11.c.tls_abi_fix 2017-03-23 14:42:21.055194120 -0700 ++++ ./nss/lib/softoken/pkcs11.c 2017-03-23 14:44:44.321629780 -0700 +@@ -373,6 +373,11 @@ static const struct mechanismList mechan + { CKM_SHA512_HMAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE }, + { CKM_TLS_PRF_GENERAL, { 0, 512, CKF_SN_VR }, PR_FALSE }, + { CKM_TLS_MAC, { 0, 512, CKF_SN_VR }, PR_FALSE }, ++ { CKM_TLS_KDF, { 0, 512, CKF_SN_VR }, PR_FALSE }, /* in RHEL 7.3 we had the wrong ++ * number for TLS_MAC. keep the old ++ * number to allow old versions of ++ * nss on * RHEL 7 to work with ++ * this softoken */ + { CKM_NSS_TLS_PRF_GENERAL_SHA256, + { 0, 512, CKF_SN_VR }, + PR_FALSE }, diff --git a/SOURCES/nss-softokn.pc.in b/SOURCES/nss-softokn.pc.in new file mode 100644 index 0000000..022ebbf --- /dev/null +++ b/SOURCES/nss-softokn.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-SOFTOKN +Description: Network Security Services Softoken PKCS #11 Module +Version: %SOFTOKEN_VERSION% +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3 +Cflags: -I${includedir} diff --git a/SOURCES/nss-split-softokn.sh b/SOURCES/nss-split-softokn.sh new file mode 100755 index 0000000..e8c5ab9 --- /dev/null +++ b/SOURCES/nss-split-softokn.sh @@ -0,0 +1,115 @@ +#!/bin/sh +# +# Splits NSS into nss-util and nss-softokn +# Takes as command line input the version of nss +# and assumes that a file nss-${nss_version}.tar.gz +# exists in the current directory + +set -e + +if test -z $1 +then + echo "usage: $0 nss-version" + exit +fi + +export name=nss +export version=$1 + +echo "Extracting ${name}-${version}.tar.gz" + +tar -xzf ${name}-${version}.tar.gz + +# the directory will be named ${name}-${version} + +nss_source_dir=${name}-${version} +softokn_dir=${name}-softokn-${version} + +# make_nss_softokn +#------------------------------------------------- +# create the nss-softokn subset consisting of +# nss/dbm full directory +# nss/coreconf full directory +# nss top files only +# nss/lib top files only +# nss/lib/freebl full directory +# nss/lib/softoken full directory +# nss/lib/softoken/dbm full directory +#------------------------------------------------------- + +WORK=${softokn_dir}-work +rm -rf ${WORK} +mkdir ${WORK} + +# copy everything +cp -a ${nss_source_dir} ${WORK}/${softokn_dir} + +# remove subdirectories that we don't want +rm -rf ${WORK}/${softokn_dir}/nss/cmd +rm -rf ${WORK}/${softokn_dir}/nss/tests +rm -rf ${WORK}/${softokn_dir}/nss/lib +rm -rf ${WORK}/${softokn_dir}/nss/pkg +rm -rf ${WORK}/${softokn_dir}/nss/automation +rm -rf ${WORK}/${softokn_dir}/nss/external_tests +rm -rf ${WORK}/${softokn_dir}/nss/doc +# start with an empty lib directory and copy only what we need +mkdir ${WORK}/${softokn_dir}/nss/lib +# copy the top files from nss/lib/ +topFilesL=`find ${nss_source_dir}/nss/lib/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesL; do + cp -p $f ${WORK}/${softokn_dir}/nss/lib +done +mkdir ${WORK}/${softokn_dir}/nss/lib/util +# copy entire dbm, freebl and softoken directories recursively +cp -a ${nss_source_dir}/nss/lib/dbm ${WORK}/${softokn_dir}/nss/lib/dbm +cp -a ${nss_source_dir}/nss/lib/freebl ${WORK}/${softokn_dir}/nss/lib/freebl +cp -a ${nss_source_dir}/nss/lib/softoken ${WORK}/${softokn_dir}/nss/lib/softoken +# and some Makefiles and related files from nss +topFilesN=`find ${nss_source_dir}/nss/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesN; do + cp -p $f ${WORK}/${softokn_dir}/nss/ +done +# copy private headers that nss-softoken needs +for f in verref.h; do + cp -p ${nss_source_dir}/nss/lib/util/$f ${WORK}/${softokn_dir}/nss/lib/util +done + +# we do need bltest, ecperf, fbectest, lib, lowhashtest, and shlibsign +# from nss/cmd +mkdir ${WORK}/${softokn_dir}/nss/cmd +# copy some files at the top and the slhlib subdirectory +topFilesC=`find ${nss_source_dir}/nss/cmd/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesC; do + cp -p $f ${WORK}/${softokn_dir}/nss/cmd/ +done + +cp -a ${nss_source_dir}/nss/cmd/bltest ${WORK}/${softokn_dir}/nss/cmd/bltest +cp -a ${nss_source_dir}/nss/cmd/ecperf ${WORK}/${softokn_dir}/nss/cmd/ecperf +cp -a ${nss_source_dir}/nss/cmd/fbectest ${WORK}/${softokn_dir}/nss/cmd/fbectest +cp -a ${nss_source_dir}/nss/cmd/fipstest ${WORK}/${softokn_dir}/nss/cmd/fipstest +cp -a ${nss_source_dir}/nss/cmd/lib ${WORK}/${softokn_dir}/nss/cmd/lib +cp -a ${nss_source_dir}/nss/cmd/lowhashtest ${WORK}/${softokn_dir}/nss/cmd/lowhashtest +cp -a ${nss_source_dir}/nss/cmd/shlibsign ${WORK}/${softokn_dir}/nss/cmd/shlibsign + +# plus common, crypto, and lowhash from nss/tests +mkdir ${WORK}/${softokn_dir}/nss/tests +topFilesT=`find ${nss_source_dir}/nss/tests/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesT; do + cp -p $f ${WORK}/${softokn_dir}/nss/tests/ +done +keepers="cipher common ec lowhash" +for t in $keepers; do + cp -a ${nss_source_dir}/nss/tests/$t ${WORK}/${softokn_dir}/nss/tests/$t +done + +pushd ${WORK} +# the compressed tar ball for nss-softokn +tar -czf ../${name}-softokn-${version}.tar.gz ${softokn_dir} +popd + +# cleanup after ourselves +rm -fr ${nss_source_dir} +rm -rf ${WORK} + + + diff --git a/SPECS/nss-softokn.spec b/SPECS/nss-softokn.spec new file mode 100644 index 0000000..c6d5557 --- /dev/null +++ b/SPECS/nss-softokn.spec @@ -0,0 +1,1052 @@ +%global nspr_version 4.17.0 +%global nss_name nss +%global nss_util_version 3.34.0 +%global nss_util_build -2 +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global saved_files_dir %{_libdir}/nss/saved +%global prelink_conf_dir %{_sysconfdir}/prelink.conf.d/ +%define dracutlibdir %{_prefix}/lib/dracut +%global dracut_modules_dir %{dracutlibdir}/modules.d/05nss-softokn/ +%global dracut_conf_dir %{dracutlibdir}/dracut.conf.d + + +# Produce .chk files for the final stripped binaries +# +# NOTE: The LD_LIBRARY_PATH line guarantees shlibsign links +# against the freebl that we just built. This is necessary +# because the signing algorithm changed on 3.14 to DSA2 with SHA256 +# whereas we previously signed with DSA and SHA1. We must Keep this line +# until all mock platforms have been updated. +# After %%{__os_install_post} we would add +#export LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ + $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \ +%{nil} + +Summary: Network Security Services Softoken Module +Name: nss-softokn +Version: 3.34.0 +Release: 2%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} +Requires: nss-softokn-freebl%{_isa} >= %{version}-%{release} +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= %{nspr_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +BuildRequires: sqlite-devel +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl + +Source0: %{name}-%{version}.tar.gz +# The nss-softokn tar ball is a subset of nss-{version}.tar.gz. +# We use the nss-split-softokn.sh script to keep only what we need +# via via nss-split-softokn.sh ${version} +# Detailed Steps: +# rhpkg clone nss-softokn +# cd nss-softokn +# Split off nss-softokn out of the full nss source tar ball: +# sh ./nss-split-softokn.sh ${version} +# A file named {name}-{version}.tar.gz should appear +# which is ready for uploading to the lookaside cache. +Source1: nss-split-softokn.sh +Source2: nss-softokn.pc.in +Source3: nss-softokn-config.in +Source4: nss-softokn-prelink.conf +Source5: nss-softokn-dracut-module-setup.sh +Source6: nss-softokn-dracut.conf + +# Select the tests to run based on the type of build +# This patch uses the gcc-iquote dir option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to place the in-tree directories at the head of the list on list of directories +# to be searched for for header files. This ensures a build even when system freebl +# headers are older. Such is the case when we are starting a major update. +# NSSUTIL_INCLUDE_DIR, after all, contains both util and freebl headers. +# Once has been bootstapped the patch may be removed, but it doesn't hurt to keep it. +Patch10: iquote.patch + +Patch97: nss-softokn-3.16-add_encrypt_derive.patch + +Patch102: nss-softokn-tls-abi-fix.patch +# Not upstreamed: https://bugzilla.redhat.com/show_bug.cgi?id=1390154 +Patch105: nss-softokn-3.28-fix-fips-login.patch +Patch107: nss-softokn-fix-ecc-post.patch + +%description +Network Security Services Softoken Cryptographic Module + +%package freebl +Summary: Freebl library for the Network Security Services +Group: System Environment/Base +# Needed because nss-softokn-freebl dlopen()'s nspr and nss-util +# https://bugzilla.redhat.com/show_bug.cgi?id=1477308 +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version}%{nss_util_build} +Conflicts: nss < 3.12.2.99.3-5 +Conflicts: prelink < 0.4.3 +Conflicts: filesystem < 3 + +%description freebl +NSS Softoken Cryptographic Module Freebl Library + +Install the nss-softokn-freebl package if you need the freebl +library. + +%package freebl-devel +Summary: Header and Library files for doing development with the Freebl library for NSS +Group: System Environment/Base +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package devel +Summary: Development libraries for Network Security Services +Group: Development/Libraries +Requires: nss-softokn%{?_isa} = %{version}-%{release} +Requires: nss-softokn-freebl-devel%{?_isa} = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +Requires: pkgconfig +BuildRequires: nspr-devel >= %{nspr_version} +BuildRequires: nss-util-devel >= %{nss_util_version}%{nss_util_build} +# require nss at least the version when we split via subpackages + +%description devel +Header and library files for doing development with Network Security Services. + + +%prep +%setup -q + +# activate if needed when doing a major update with new apis +#%patch10 -p0 -b .iquote + +%patch97 -p0 -b .add_encrypt_derive + +%patch102 -p1 -b .tls-abi-fix +%patch105 -p1 -b .fix-fips-login +%patch107 -p1 -b .ecc_post + +%build + +# partial RELRO support as a security enhancement +LDFLAGS+=-Wl,-z,relro +export LDFLAGS + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +FREEBL_LOWHASH=1 +export FREEBL_LOWHASH + +NSS_FORCE_FIPS=1 +export NSS_FORCE_FIPS + +#FREEBL_USE_PRELINK=1 +#export FREEBL_USE_PRELINK + +# Enable compiler optimizations and disable debugging code +BUILD_OPT=1 +export BUILD_OPT + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR + +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} + +NSS_USE_SYSTEM_SQLITE=1 +export NSS_USE_SYSTEM_SQLITE + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +# Use only the basicutil subset for sectools.a +export NSS_BUILD_SOFTOKEN_ONLY=1 + +export NSS_DISABLE_GTESTS=1 + +# display processor information +CPU_INFO=`cat /proc/cpuinfo` +echo "############## CPU INFO ##################" +echo "${CPU_INFO}" +echo "##########################################" + +# Compile softokn plus needed support +%{__make} -C ./nss/coreconf +%{__make} -C ./nss/lib/dbm + +# ldvector.c, pkcs11.c, and lginit.c include nss/lib/util/verref.h, +# which is private export, move it to where it can be found. +%{__mkdir_p} ./dist/private/nss +%{__mv} ./nss/lib/util/verref.h ./dist/private/nss/verref.h + +%{__make} -C ./nss + +# Set up our package file +# The nspr_version and nss_util_version globals used here +# must match the ones nss-softokn has for its Requires. +%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE2} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +export SOFTOKEN_VMAJOR +export SOFTOKEN_VMINOR +export SOFTOKEN_VPATCH + +%{__cat} %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$SOFTOKEN_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$SOFTOKEN_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$SOFTOKEN_VPATCH,g" \ + > ./dist/pkgconfig/nss-softokn-config + +chmod 755 ./dist/pkgconfig/nss-softokn-config + + +%check +if [ ${DISABLETEST:-0} -eq 1 ]; then + echo "testing disabled" + exit 0 +fi + +# Begin -- copied from the build section +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +BUILD_OPT=1 +export BUILD_OPT + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# to test for the last tool built correctly +export NSS_BUILD_SOFTOKEN_ONLY=1 + +# End -- copied from the build section + +# enable the following line to force a test failure +# find . -name \*.chk | xargs rm -f + +# Run test suite. + +SPACEISBAD=`find ./nss/tests | grep -c ' '` ||: +if [ $SPACEISBAD -ne 0 ]; then + echo "error: filenames containing space are not supported (xargs)" + exit 1 +fi + +rm -rf ./tests_results +pushd ./nss/tests/ +# all.sh is the test suite script + +# only run cipher tests for nss-softokn +%global nss_cycles "standard" +%global nss_tests "cipher lowhash" +%global nss_ssl_tests " " +%global nss_ssl_run " " + +HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh + +popd + +# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise, +# Grep exits with status greater than 1 if an error ocurred. +# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0, +# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas +# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. +killall $RANDSERV || : + +TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then + echo "okay: test suite detected no failures" +else + %ifarch %{arm} + : + # do nothing on arm where the test suite is failing and has been + # for while, do run the test suite but make it non fatal on arm + %else + if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then + # while a situation in which grep return status is 0 and it doesn't output + # anything shouldn't happen, set the default to something that is + # obviously wrong (-1) + echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)" + exit 1 + else + if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then + echo "error: grep has not found log file" + exit 1 + else + echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}" + exit 1 + fi + fi +%endif +fi +echo "test suite completed" + +%install + +%{__rm} -rf $RPM_BUILD_ROOT + +# There is no make install target so we'll do it ourselves. + +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 +%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_modules_dir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{dracut_conf_dir} + +%{__install} -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{prelink_conf_dir} +%{__install} -m 755 %{SOURCE5} $RPM_BUILD_ROOT/%{dracut_modules_dir}/module-setup.sh +%{__install} -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{dracut_conf_dir}/50-nss-softokn.conf + + +# Copy the binary libraries we want +for file in libsoftokn3.so libnssdbm3.so libfreebl3.so libfreeblpriv3.so +do + %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the binaries we ship as unsupported +for file in bltest fipstest shlibsign +do + %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory} +done + +# Copy the include files we want +for file in dist/public/nss/*.h +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy some freebl include files we also want +for file in blapi.h alghmac.h +do + %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the static freebl library +for file in libfreebl.a +do +%{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the package configuration files +%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-softokn-config $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config + + +%clean +%{__rm} -rf $RPM_BUILD_ROOT + + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%defattr(-,root,root) +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssdbm3.chk +%{_libdir}/libsoftokn3.so +%{_libdir}/libsoftokn3.chk +# shared with nss-tools +%dir %{_libdir}/nss +%dir %{saved_files_dir} +%dir %{unsupported_tools_directory} +%{unsupported_tools_directory}/bltest +%{unsupported_tools_directory}/fipstest +%{unsupported_tools_directory}/shlibsign +#shared + +%files freebl +%defattr(-,root,root) +%{_libdir}/libfreebl3.so +%{_libdir}/libfreebl3.chk +%{_libdir}/libfreeblpriv3.so +%{_libdir}/libfreeblpriv3.chk +#shared +%dir %{prelink_conf_dir} +%{prelink_conf_dir}/nss-softokn-prelink.conf +%dir %{dracut_modules_dir} +%{dracut_modules_dir}/module-setup.sh +%{dracut_conf_dir}/50-nss-softokn.conf + +%files freebl-devel +%defattr(-,root,root) +%{_libdir}/libfreebl.a +%{_includedir}/nss3/blapi.h +%{_includedir}/nss3/blapit.h +%{_includedir}/nss3/alghmac.h +%{_includedir}/nss3/lowkeyi.h +%{_includedir}/nss3/lowkeyti.h + +%files devel +%defattr(-,root,root) +%{_libdir}/pkgconfig/nss-softokn.pc +%{_bindir}/nss-softokn-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# +# The following headers are those exported public in +# nss/lib/freebl/manifest.mn and +# nss/lib/softoken/manifest.mn +# +# The following list is short because many headers, such as +# the pkcs #11 ones, have been provided by nss-util-devel +# which installed them before us. +# +%{_includedir}/nss3/ecl-exp.h +%{_includedir}/nss3/nsslowhash.h +%{_includedir}/nss3/shsign.h + +%changelog +* Tue Jan 16 2018 Daiki Ueno - 3.34.0-2 +- Rebuild to utilize ECC slotFlag added in nss-util + +* Thu Nov 23 2017 Daiki Ueno - 3.34.0-1 +- Update to NSS 3.34.0 + +* Tue Nov 14 2017 Daiki Ueno - 3.34.0-0.3.beta1 +- let nss-softokn-freebl depend on recent version of nss-util, + reported by Bob Peterson + +* Fri Nov 3 2017 Daiki Ueno - 3.34.0-0.2.beta1 +- Fix indentation of nss-softokn-3.16-add_encrypt_derive.patch + +* Mon Oct 30 2017 Daiki Ueno - 3.34.0-0.1.beta1 +- Update to NSS 3.34.BETA1 + +* Mon Oct 9 2017 Daiki Ueno - 3.33.0-1 +- Update to NSS 3.33.0 +- Remove upstreamed patches: nss-softokn-basicutil-dependency.patch, + nss-softokn-pss-modulus-bits.patch, nss-softokn-pkcs12-sha2.patch, + nss-softokn-pkcs12-rsa-pss.patch, + nss-softokn-ec-derive-pubkey-check.patch, and nss-softokn-fix-drbg.patch + +* Wed Aug 2 2017 Daiki Ueno - 3.28.3-8 +- let nss-softokn-freebl depend on recent version of nspr (rhbz#1477308), + patch by Kyle Walker + +* Fri Jul 21 2017 Bob Relyea - 3.28.3-7 +- fix fips post so that they actually run at startup + +* Fri May 26 2017 Daiki Ueno - 3.28.3-6 +- restore nss-softokn-3.16-add_encrypt_derive.patch + +* Wed May 17 2017 Daiki Ueno - 3.28.3-5 +- fix login handling for FIPS slots, patch from rhbz#1390154 +- backport upstream fix for CVE-2017-5462 (DRBG leak) + +* Thu Mar 23 2017 Bob Relyea - 3.28.3-4 +- include new PKCS12 NSS specific mechanisms. +- alias CKM_TLS_KDF to CKM_TLS_MAC to preserve ABI +- add RSA PSS oid to decrypting PKCS #5 key blobs. +- move ec public key check from softokn to freebl so apps like Java can benefit. + +* Tue Mar 7 2017 Daiki Ueno - 3.28.3-3 +- Fix RSA-PSS corner case when the modulus is not of size multiple of 8 + +* Mon Mar 6 2017 Daiki Ueno - 3.28.3-2 +- Update to NSS 3.28.3 +- Remove upstreamed patches for the previous FIPS validation +- Package lowkeyi.h and lowkeyti.h in freebl-devel +- Pick up a patch in the Fedora package to fix build issue + +* Tue Jun 28 2016 Kai Engert - 3.16.2.3-14.4 +- escape all percent characters in all changelog comments + +* Wed Apr 20 2016 Elio Maldonado - 3.16.2.3-14.3 +- Fix a flaw in %%check for nss not building on arm +- Resolves: Bug 1200856 + +* Fri Apr 15 2016 Kai Engert - 3.16.2.3-14.2 +- Adjust for a renamed variable in newer nss-util, require a compatible nss-util version. + +* Mon Apr 11 2016 Kai Engert - 3.16.2.3-14.1 +- Pick up a bugfix related to fork(), to avoid a regression with NSS 3.21 + +* Fri Aug 07 2015 Elio Maldonado - 3.16.2.3-14 +- Pick up upstream freebl patch for CVE-2015-2730 +- Check for P == Q or P ==-Q before adding P and Q + +* Thu Jul 16 2015 Elio Maldonado - 3.16.2.3-13 +- Add links to filed upstream bugs to better track patches in spec file + +* Wed Jun 24 2015 Elio Maldonado - 3.16.2.3-12 +- Bump nss_util_version to 3.19.1 + +* Fri May 29 2015 Robert Relyea - 3.16.2.3-11 +- Make sure we have enough space for generating keyblocks for ciphers with HMAC_SHA384 (TLS). + +* Wed Apr 29 2015 Elio Maldonado - 3.16.2.3-10 +- Use the TLS 1.2 mechanisms for PKCS #11 added for V2.40 + +* Mon Feb 02 2015 Tomáš Mráz - 3.16.2.3-9 +- add configuration file for dracut to add the nss-softokn module by default + +* Thu Jan 29 2015 Elio Maldonado - 3.16.2.3-8 +- fix permissions on dracut install file. +- Resolves: Bug 1169957 - curl unable to download url when url is https and environment is dracut + +* Tue Jan 20 2015 Robert Relyea - 3.16.2.3-7 +- Use RHEL-7 dracut semantics rather than RHEL-6 +- fix dependencies so nss-softokn pulls in nss-softokn-freebl +- keep dummy libfreebl3.chk for dracut kernel. + +* Tue Jan 13 2015 Elio Maldonado - 3.16.2.3-6 +- Update fix for flaws reported by coverity scan +- Resolves: Bug 1154764 - Defects found in nss-softokn + +* Fri Jan 09 2015 Elio Maldonado - 3.16.2.3-5 +- Skip the fips checks if the action is newslot or delslot. +- Resolves: Bug 1156406 - NSS fails to access sql:/etc/pki/nssdb in system FIPS mode + +* Wed Dec 10 2014 Robert Relyea - 3.16.2.3-4 +- add libfreeblpriv3.so to dracut. + +* Tue Nov 18 2014 Robert Relyea - 3.16.2.3-3 +- Resolves: Bug 1153602 - libfreebl3.so runs prelink during the initialization phase +- Decouple libfreebl3.so from the actual library. +- Blacklist the freebl libraries +- Turn off calling prelink to unprelink the binary + +* Tue Nov 18 2014 Elio Maldonado - 3.16.2.3-2 +- Remove temporary workaround for brew build problems now resolved +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + +* Thu Nov 13 2014 Elio Maldonado - 3.16.2-13 +- Resolves: Bug 1158161 - Upgrade to NSS 3.16.2.3 for Firefox 31.3 + +* Wed Nov 05 2014 Robert Relyea 3.16.2-12 +- Add support for encrypt_derive. +- Allow us to init database at level1 while already in FIPS mode. +- Allow UserDBOpen'ed FIPS tokens to do all the mechanisms as well as + the main fips token. +- Silence SIGCHLD when prelink is used. + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-11 +- Fix the location of an upstream URL reference + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-10 +- Resolves: Bug 1154232 - nss tools core dump on ppc64 + +* Tue Oct 21 2014 Elio Maldonado - 3.16.2-9 +- Resolves: Bug 1154764 - Defects found in nss-softokn-3.16.2-7.el7 + +* Thu Oct 16 2014 Robert Relyea 3.16.2-8 +- Conform RSA keygen to FIPS 186-4 tests + +* Fri Oct 10 2014 Elio Maldonado - 3.16.2-7 +- Change RSA_PrivateKeyCheck to not require p > q +- Resolves: Bug 1150645 - Importing an RSA private key fails if p < q + +* Sat Sep 27 2014 Elio Maldonado - 3.16.2-6 +- Add lowhash to the softoken tests to run as done on rhel-6.6 +- Adapt suboptimal shell code in nss.spec fix from bug 108750 +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Sat Sep 27 2014 Elio Maldonado - 3.16.2-5- +- Fix incorrect path in the %%check section +- Add way to skip test suite execution during development work +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Thu Sep 25 2014 Elio Maldonado - 3.16.2-4 +- Resolves: Bug 1145434 - CVE-2014-1568 + +* Mon Sep 22 2014 Robert Relyea 3.16.2-3 +- Update for FIPS validation + +* Tue Aug 05 2014 Elio Maldonado 3.16.2-2 +- Generic 32/64 bit platform detection (fix ppc64le build) +- Resolves: Bug 1125620 - nss-softokn fails to build on arch: ppc64le (build failure) +- Fix contributed by Peter Robinson + +* Tue Jul 08 2014 Elio Maldonado - 3.16.2-1 +- Update to nss-3.16.2 +- Resolves: Bug 1103925 - Rebase RHEL 7.1 to at least NSS-SOFTOKN 3.16.1 (FF 31) + +* Fri Jan 24 2014 Daniel Mach - 3.15.4-2 +- Mass rebuild 2014-01-24 + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-4 +- Rebase to nss-3.15.4 +- Resolves: Bug 1054457 - CVE-2013-1740 +- Update softokn splitting script to oparate on the upstream pristine source +- Using the .gz archives directly, not repackaging as .bz2 ones +- Avoid unneeded manual steps that could introduce errors +- Update the iquote and build softoken only patches on account of the rebase + +* Sun Jan 19 2014 Elio Maldonado - 3.15.3-3 +- Fix to allow level 1 fips mode if the db has no password +- Resolves: Bug 852023 - FIPS mode detection does not work + +* Fri Dec 27 2013 Daniel Mach - 3.15.3-2 +- Mass rebuild 2013-12-27 + +* Mon Nov 25 2013 Elio Maldonado - 3.15.3-1 +- Rebase to NSS_3_15_3_RTM +- Related: Bug 1031463 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 + +* Tue Oct 29 2013 Elio Maldonado - 3.15.2-2 +- Resolves: rhbz#1020395 - Allow Level 1 FIPS mode if the nss db has no password + +* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1 +- Rebase to nss-softoken from nss-3.15.2 +- Resolves: rhbz#1012679 - pick up NSS-SOFTOKN 3.15.2 (required for bug 1012656) + +* Thu Oct 10 2013 Elio Maldonado - 3.15.1-3 +- Add export NSS_ENABLE_ECC=1 rto the %%build and %%check sections +- Resolves: rhbz#752980 - [7.0 FEAT] Support ECDSA algorithm in the nss packag + +* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2 +- Remove an obsolete script and adjust the sources numbering accordingly + +* Fri Jul 26 2013 Elio Maldonado - 3.15.1-1 +- Update to NSS_3_15_1_RTM + +* Tue Jul 02 2013 Elio Maldonado - 3.15-4 +- Split off nss-softokn from the unstripped nss source tar ball + +* Mon Jun 17 2013 Elio Maldonado - 3.15-3 +- Update to NSS_3_15_RTM +- Require nspr-4.10 or greater +- Fix patch that selects tests to run + +* Tue Apr 23 2013 Elio Maldonado - 3.15-0.1.beta.3 +- Reverse the last changes since pk11gcmtest properly belongs to nss + +* Tue Apr 23 2013 Elio Maldonado - 3.15-0.1.beta.2 +- Add lowhashtest and pk11gcmtest as unsupported tools +- Modify nss-softoken-split script to include them in the split + +* Fri Apr 05 2013 Elio Maldonado - 3.15-0.1.beta.1 +- Update to NSS_3_15_BETA1 +- Update spec file, patches, and helper scrips on account of a shallwer source tree + +* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 +- Update to NSS_3_14_3_RTM +- Resolves: rhbz#909781 - specfile support for AArch64 + +* Mon Feb 04 2013 Elio Maldonado - 3.14.2-3 +- Allow building nss-softokn against older system sqlite + +* Sat Feb 02 2013 Elio Maldonado - 3.14.2-2 +- Update to NSS_3_14_2_RTM +- Restore comments on how to transition when signing algorithm changes +- Remove unused patches + +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + +* Thu Dec 27 2012 Elio Maldonado - 3.14.1-5 +- Add RSA performance test for freebl +- Fix bogus date in changelog warnings + +* Mon Dec 24 2012 Elio Maldonado - 3.14.1-4 +- Fix bogus date warnings in %%changelog + +* Sat Dec 22 2012 Elio Maldonado - 3.14.1-3 +- Cleanup patches for building softoken only libraries and tests + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-2 +- Require nspr version >= 4.9.4 + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + +* Mon Dec 03 2012 Elio Maldonado - 3.14-6 +- Bug 883114 - Install bltest and fipstest as unsupported tools + +* Mon Nov 19 2012 Elio Maldonado - 3.14-5 +- Truly apply the bug 829088 patch this time +- Resolves: rhbz#829088 - Fix failure in sha244 self-test + +* Mon Nov 19 2012 Elio Maldonado - 3.14-4 +- Apply the bug 829088 patch in question +- Adjust the patch to account for code changes in nss-3.14 +- Resolves: rhbz#829088 - Fix failure in sha244 self-test + +* Sun Nov 18 2012 Elio Maldonado - 3.14-3 +- Resolves: rhbz#829088 - Fix failure in sha244 self-test +- Fixes login failures on fips mode + +* Sat Oct 27 2012 Elio Maldonado - 3.14-2 + - Update the license to MPLv2.0 + +* Mon Oct 22 2012 Elio Maldonado - 3.14-1 +- Update to NSS_3_14_RTM + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc1.2 +- Update to NSS_3_14_RC +- Remove the temporary bootstrapping modifications + +* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1 +- Update to NSS_3_14_RC1 +- Remove patches rendered obsolete by this update and update others +- Temporarily modifiy the spec file while bootstrapping the buildroot a follows: +- Remove unwanted headers that we lo loger ship +- Modified the post install scriplet to ensure the in-tree freebl library is loaded + +* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 20 2012 Elio Maldonado - 3.13.5-2 +- Resolves: rhbz#833529 - revert unwanted change to nss-softokn.pc.in + +* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1 +- Update to NSS_3_13_5_RTM +- Remove unneeded fix for gcc 4.7 c++ issue in secmodt.h which undoes the upstream fix +- Fix Libs: line on nss-softokn.pc.in + +* Wed Jun 13 2012 Elio Maldonado - 3.13.4-3 +- Resolves: rhbz#745224 - nss-softokn sha224 self-test fails in fips mode + +* Tue Apr 10 2012 Elio Maldonado - 3.13.4-2 +- Resolves: Bug 801975 Restore use of NSS_NoDB_Init or alternate to fipstest + +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4 + +* Sun Apr 01 2012 Elio Maldonado - 3.13.4-0.1.beta.1 +- Update to NSS_3_13_4_BETA1 +- Improve steps for splitting off softokn from the full nss + +* Wed Mar 21 2012 Elio Maldonado - 3.13.3-2 +- Resolves: Bug 805719 - Library needs partial RELRO support added + +* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1 +- Update to NSS_3_13_3_RTM + +* Wed Feb 1 2012 Tom Callaway 3.13.1-20 +- re-enable /usrmove changes + +* Wed Feb 1 2012 Tom Callaway 3.13.1-19.1 +- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals +- temporarily revert /usrmove changes. they will be restored in -20 for the f17-usrmove tag. + +* Wed Jan 25 2012 Harald Hoyer 3.13.1-19 +- add filesystem guard + +* Wed Jan 25 2012 Harald Hoyer 3.13.1-18 +- install everything in /usr + https://fedoraproject.org/wiki/Features/UsrMove + +* Fri Jan 13 2012 Elio Maldonado Batiz - 3.13.1-17 +- Remove unneeded prelink patch afterthe nss update to 3.13.1 + +* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Fri Dec 30 2011 Elio Maldonado - 3.13.1-15 +- Bug 770999 - Fix segmentation violation when turning on fips mode +- Reintroduce the iquote patch but don't apply it unless needed + +* Tue Dec 13 2011 Elio Maldonado - 3.12.9-14 +- Restore the update to 3.13.1 +- Update the patch for freebl to deal with prelinked shared libraries +- Add additional dbrg power-up self-tests as required by fips +- Reactivate the tests + +* Tue Dec 06 2011 Elio Maldonado - 3.12.9-13 +- Bug 757005 Build nss-softokn for rhel 7 +- Make it almost like nss-softokn-3.12.9 in rhel 6.2 +- Added a patch to build with Linux 3 and higher +- Meant to work with nss and nss-utul 3.1.3.1 +- Download only the 3.12.9 sources from the lookaside cache + +* Fri Dec 02 2011 Elio Maldonado - 3.12.9-12 +- Retagging + +* Wed Nov 23 2011 Elio Maldonado - 3.12.9-11 +- Downgrading to 3.12.9 for a merge into new RHEL git repo +- This build is for the buildroot for a limited time only +- Do not not push it to update-testing + +* Tue Nov 08 2011 Elio Maldonado - 3.13.1-1 +- Update to NSS_3_13_1_RTM + +* Wed Oct 12 2011 Elio Maldonado - 3.12.10-6 +- Fix failure to switch nss-softokn to FIPS mode (#745571) + +* Tue Oct 11 2011 Elio Maldonado - 3.13-0.1.rc0.3 +- Update to NSS_3_13_RC0 post bootstrapping +- Don't incude util in sources for the lookaside cache +- Reenable building the fipstest tool +- Restore full cli argument parsing in the sectool library + +* Sun Oct 09 2011 Elio Maldonado - 3.13-0.1.rc0.2 +- Update to NSS_3_13_RC0 bootstrapping the system phase 2 +- Reenable the cipher test suite + +* Sat Oct 08 2011 Elio Maldonado - 3.13-0.rc0.1 +- Update to NSS_3_13_RC0 + +* Thu Sep 8 2011 Ville Skyttä - 3.12.11-3 +- Avoid %%post/un shell invocations and dependencies. + +* Wed Aug 17 2011 Elio Maldonado - 3.12.10-5 +- rebuilt as recommended to deal with an rpm 4.9.1 issue + +* Wed Jul 20 2011 Elio Maldonado - 3.12.10-4 +- Adjustements from code review (#715402) + +* Sun Jun 26 2011 Elio Maldonado - 3.12.10-3 +- Add %%{check} section to run crypto tests as part of the build (#715402) + +* Tue Jun 14 2011 Elio Maldonado - 3.12.10-2 +- Fix intel optimized aes code to deal with case where input and ouput are in the same buffer (#709517) + +* Fri May 06 2011 Elio Maldonado - 3.12.10-1 +- Update to NSS_3_12_10_RTM + +* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1 +- Update to NSS_3_12_10_BETA1 + +* Fri Feb 25 2011 Elio Maldonado - 3.12.9-7 +- Add requires nss-softokn-freebl-devel to nss-softokn-devel (#675196) + +* Mon Feb 14 2011 Elio Maldonado - 3.12.9-5 +- Expand the nss-softokn-freebl-devel package description (#675196) + +* Mon Feb 14 2011 Elio Maldonado - 3.12.9-5 +- Remove duplicates from the file lists + +* Sun Feb 13 2011 Elio Maldonado - 3.12.9-4 +- Add blapit.h to headers provided by nss-softokn-freebl-devel (#675196) +- Expand the freebl-devel package description + +* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Fri Feb 04 2011 Elio Maldonado - 3.12.9-2 +- Add header for nss-softokn-freebl-devel (#675196) + +* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 +- Update to 3.12.9 + +* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2 +- Rebuilt according to fedora pre-release package naming guidelines + +* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1 +- Update to NSS_3_12_9_BETA2 + +* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1 +- Update to NSS_3_12_9_BETA1 + +* Wed Sep 29 2010 jkeating - 3.12.8-2 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 +- Update to 3.12.8 +- Adhere to static library packaging guidelines (#609613) +- Fix nss-util-devel version dependency line +- Shorten freebl and freebl subpackages descriptions + +* Sat Sep 18 2010 Elio Maldonado - 3.12.99.4-1 +- NSS 3.12.8 RC0 + +* Sun Sep 12 2010 Elio Maldonado - 3.12.7.99.3-2 +- Update the required version of nss-util to 3.12.7.99.3 + +* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1 +- NSS 3.12.8 Beta 3 + +* Mon Aug 30 2010 Elio Maldonado - 3.12.7-3 +- Update BuildRequires on nspr-devel and nss-util-devel + +* Sun Aug 29 2010 Elio Maldonado - 3.12.7-2 +- Define NSS_USE_SYSTEM_SQLITE and remove nss-nolocalsql patch +- Fix rpmlint warnings about macros in comments and changelog + +* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1 +- Update to 3.12.7 +- Fix build files to ensure nsslowhash.h is included in public headers + +* Tue Jun 08 2010 Elio Maldonado - 3.12.6-3 +- Retagging + +* Mon Jun 07 2010 Elio Maldonado - 3.12.6-2 +- Bump NVR to be greater than those for nss-softokn subpackages in F11 (rhbz#601407) + +* Sun Jun 06 2010 Elio Maldonado - 3.12.4-23 +- Bump release number + +* Fri Jun 04 2010 Elio Maldonado - 3.12.4-22 +- Cleanup changelog comments to avoid unwanted macro expansions + +* Wed Jun 02 2010 Elio Maldonado - 3.12.4-21 +- Retagging + +* Wed Jun 02 2010 Elio Maldonado - 3.12.4-20 +- Add %%{?_isa} to the requires in the devel packages (#596840) +- Fix typo in the package description (#598295) +- Update nspr version to 4.8.4 + +* Sat May 08 2010 Elio Maldonado - 3.12.4-19 +- Consider the system as not fips enabled when /proc/sys/crypto/fips_enabled isn't present (rhbz#590199) + +* Sat May 08 2010 Elio Maldonado - 3.12.4-18 +- Fix Conflicts line to prevent update when prelink is not yet the right version (rhbz#590199) + +* Mon Apr 19 2010 Elio Maldonado - 3.12.4-17 +- Updated prelink patch rhbz#504949 + +* Thu Apr 15 2010 Elio Maldonado - 3.12.4-16 +- allow prelink of softoken and freebl. Change the verify code to use + prelink -u if prelink is installed. Fix by Robert Relyea rhbz#504949 + +* Mon Jan 18 2010 Elio Maldonado - 3.12.4-15 +- Move libfreebl3.so and its .chk file to /lib{64} (rhbz#561544) + +* Mon Jan 18 2010 Elio Maldonado - 3.12.4-13 +- Fix in nss-softokn-spec.in +- Require nss-util >= 3.12.4 + +* Thu Dec 03 2009 Elio Maldonado - 3.12.4-12 +- Require nss-util 3.12.5 + +* Fri Nov 20 2009 Elio Maldonado - 3.12.4-11 +- export freebl devel tools (#538226) + +* Wed Sep 23 2009 Elio Maldonado - 3.12.4-10 +- Fix paths in nss-softokn-prelink so signed libraries don't get touched, rhbz#524794 + +* Thu Sep 17 2009 Elio Maldonado - 3.12.4-9 +- Add nssdbm3.so to nss-softokn-prelink.conf, rhbz#524077 + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-8 +- Retagging for a chained build + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-6 +- Don't list libraries in nss-softokn-config, dynamic linking required + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-5 +- Installing shared libraries to %%{_libdir} + +* Sun Sep 06 2009 Elio Maldonado - 3.12.4-4 +- Postuninstall scriptlet finishes quietly + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-3 +- Remove symblic links to shared libraries from devel, rhbz#521155 +- Apply the nss-nolocalsql patch +- No rpath-link in nss-softokn-config + +* Fri Sep 04 2009 serstring=Elio Maldonado - 3.12.4-2 +- Retagging to pick up the correct .cvsignore + +* Tue Sep 01 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 +- Fix logic on postun +- Don't require sqlite + +* Mon Aug 31 2009 Elio Maldonado - 3.12.3.99.3-24 +- Fixed test on %%postun to avoid returning 1 when nss-softokn instances still remain + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-23 +- Explicitly state via nss_util_version the nss-util version we require + +* Fri Aug 28 2009 Warren Togami - 3.12.3.99.3-22 +- caolan's nss-softokn.pc patch + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +- List freebl, nssdbm and softokn libraries in nss-softokn-config and nss-softokn.pc + +* Thu Aug 27 2009 Elio Maldonado@ - 3.12.3.99.3-19 +- Determine NSSUTIL_INCLUDE_DIR and NSSUTIL_LIB_DIR with a pkg-config query on nss-util +- Remove the release 17 hack + +* Thu Aug 27 2009 Elio maldonado - 3.12.3.99.3-18 +- fix spurious executable permissions on nss-softokn.pc + +* Thu Aug 27 2009 Adel Gadllah - 3.12.3.99.3-17 +- Add hack to fix build + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-16 +- only have a single Requires: line in the .pc file + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-12 +- bump to unique rpm nvr + +* Tue Aug 25 2009 Elio Maldonado - 3.12.3.99.3-10 +- Build after nss with subpackages and new nss-util + +* Thu Aug 20 2009 Dennis Gilmore 3.12.3.99.3-9 +- revert to shipping bits + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8.1 +- Disable installing until conflicts are relsoved + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8 +- Initial build