diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b07de21 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/nss-util-3.39.tar.gz diff --git a/.nss-util.metadata b/.nss-util.metadata new file mode 100644 index 0000000..0ddb19d --- /dev/null +++ b/.nss-util.metadata @@ -0,0 +1 @@ +9c1cfdc6dd91ba54fe54f3bc193bca5333fc3370 SOURCES/nss-util-3.39.tar.gz diff --git a/SOURCES/nss-split-util.sh b/SOURCES/nss-split-util.sh new file mode 100644 index 0000000..4377658 --- /dev/null +++ b/SOURCES/nss-split-util.sh @@ -0,0 +1,88 @@ +#!/bin/sh +# +# Splits NSS into nss-util +# Takes as command line input the version of nss +# and assumes that a file nss-${nss_version}-stripped.tar.bz2 +# exits in the current directory + +set -e + +if test -z $1 +then + echo "usage: $0 nss-version" + exit +fi + +export name=nss +export version=$1 + +echo "Extracting ${name}-${version}.tar.gz" + +tar -xzf ${name}-${version}.tar.gz + +# the directory will be named ${name}-${version} + +nss_source_dir=${name}-${version} +util_dir=${name}-util-${version} +softokn_dir=${name}-softokn-${version} + +# make_nss_util +#------------------------------------------------- +# create the nss-util subset consisting of +# nss/dbm --- full directory +# nss/coreconf --- full directory +# nss --- top files only +# nss/lib --- top files only +# nss/lib/util --- full directory +#-------------------------------------------------- + +UTIL_WORK=${util_dir}-work +rm -rf ${UTIL_WORK} +mkdir ${UTIL_WORK} + +# copy everything +cp -a ${nss_source_dir} ${UTIL_WORK}/${util_dir} + +# remove subdirectories that we don't want +rm -rf ${UTIL_WORK}/${util_dir}/nss/cmd +rm -rf ${UTIL_WORK}/${util_dir}/nss/tests +rm -rf ${UTIL_WORK}/${util_dir}/nss/lib +rm -rf ${UTIL_WORK}/${util_dir}/nss/automation +rm -rf ${UTIL_WORK}/${util_dir}/nss/external_tests +rm -rf ${UTIL_WORK}/${util_dir}/nss/doc + +# start with an empty cmd lib directories to be filled selectively +mkdir ${UTIL_WORK}/${util_dir}/nss/cmd +cp ${nss_source_dir}/nss/cmd/Makefile ${UTIL_WORK}/${util_dir}/nss/cmd +cp ${nss_source_dir}/nss/cmd/manifest.mn ${UTIL_WORK}/${util_dir}/nss/cmd +cp ${nss_source_dir}/nss/cmd/platlibs.mk ${UTIL_WORK}/${util_dir}/nss/cmd +cp ${nss_source_dir}/nss/cmd/platrules.mk ${UTIL_WORK}/${util_dir}/nss/cmd + +mkdir ${UTIL_WORK}/${util_dir}/nss/lib +# copy some files at the top and the util subdirectory recursively +cp ${nss_source_dir}/nss/lib/Makefile ${UTIL_WORK}/${util_dir}/nss/lib +cp ${nss_source_dir}/nss/lib/manifest.mn ${UTIL_WORK}/${util_dir}/nss/lib +cp -a ${nss_source_dir}/nss/lib/util ${UTIL_WORK}/${util_dir}/nss/lib/util + +# plus common and gtests from nss/tests +mkdir ${UTIL_WORK}/${util_dir}/nss/tests +topFilesT=`find ${nss_source_dir}/nss/tests/ -maxdepth 1 -mindepth 1 -type f` +for f in $topFilesT; do + cp -p $f ${UTIL_WORK}/${util_dir}/nss/tests/ +done +keepers="common gtests" +for t in $keepers; do + cp -a ${nss_source_dir}/nss/tests/$t ${UTIL_WORK}/${util_dir}/nss/tests/$t +done + +pushd ${UTIL_WORK} +# the compressed tar ball for nss-util +tar -czf ../${name}-util-${version}.tar.gz ${util_dir} +popd + +# cleanup after ourselves +rm -fr ${nss_source_dir} +rm -fr ${UTIL_WORK} + + + diff --git a/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch new file mode 100644 index 0000000..d7aeaac --- /dev/null +++ b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch @@ -0,0 +1,124 @@ +diff --git a/lib/util/secoid.c b/lib/util/secoid.c +--- a/lib/util/secoid.c ++++ b/lib/util/secoid.c +@@ -117,17 +117,19 @@ const char __nss_util_version[] = "Versi + /* for DH algorithm */ + /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */ + /* need real OID person to look at this, copied the above line + * and added 6 to second to last value (and changed '4' to '2' */ + #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2 + + #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45 + +-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07 ++#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05 ++ ++#define PKIX INTERNET_SECURITY_MECH, 0x07 + #define PKIX_CERT_EXTENSIONS PKIX, 1 + #define PKIX_POLICY_QUALIFIERS PKIX, 2 + #define PKIX_KEY_USAGE PKIX, 3 + #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30 + #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1 + #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2 + + #define PKIX_ID_PKIP PKIX, 5 +@@ -355,16 +357,17 @@ CONST_OID x509CertificatePolicies[] = { + CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 }; + CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 }; + CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 }; + CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 }; + CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 }; + CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 }; + + CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 }; ++CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 }; + + CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 }; + CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 }; + + CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 }; + CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 }; + + /* pkcs 12 additions */ +@@ -449,18 +452,23 @@ CONST_OID pkixRegInfoUTF8Pairs[] = { PKI + CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 }; + + CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 }; + CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 }; + CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 }; + CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 }; + CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 }; + CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 }; ++/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */ ++CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 }; + CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 }; + ++CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 }; ++CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 }; ++ + /* OIDs for Netscape defined algorithms */ + CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 }; + + /* Fortezza algorithm OIDs */ + CONST_OID skipjackCBC[] = { MISSI, 0x04 }; + CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 }; + + CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 }; +@@ -1749,16 +1757,32 @@ const static SECOidData oids[SEC_OID_TOT + ODE(SEC_OID_TLS_FFDHE_8192, + "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + ODE(SEC_OID_TLS_DHE_CUSTOM, + "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + OD(curve25519, SEC_OID_CURVE25519, + "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + ODE(SEC_OID_TLS13_KEA_ANY, + "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ ++ OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE, ++ "Any Extended Key Usage", ++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ OD(pkixExtendedKeyUsageIPsecIKE, ++ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE, ++ "IPsec IKE Certificate", ++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ OD(ipsecIKEEnd, ++ SEC_OID_IPSEC_IKE_END, ++ "IPsec IKE End", ++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), ++ OD(ipsecIKEIntermediate, ++ SEC_OID_IPSEC_IKE_INTERMEDIATE, ++ "IPsec IKE Intermediate", ++ CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION), + }; + + /* PRIVATE EXTENDED SECOID Table + * This table is private. Its structure is opaque to the outside. + * It is indexed by the same SECOidTag as the oids table above. + * Every member of this struct must have accessor functions (set, get) + * and those functions must operate by value, not by reference. + * The addresses of the contents of this table must not be exposed +diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h +--- a/lib/util/secoidt.h ++++ b/lib/util/secoidt.h +@@ -489,16 +489,21 @@ typedef enum { + SEC_OID_TLS_FFDHE_6144 = 352, + SEC_OID_TLS_FFDHE_8192 = 353, + SEC_OID_TLS_DHE_CUSTOM = 354, + + SEC_OID_CURVE25519 = 355, + + SEC_OID_TLS13_KEA_ANY = 356, + ++ SEC_OID_X509_ANY_EXT_KEY_USAGE = 357, ++ SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358, ++ SEC_OID_IPSEC_IKE_END = 359, ++ SEC_OID_IPSEC_IKE_INTERMEDIATE = 360, ++ + SEC_OID_TOTAL + } SECOidTag; + + #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1 + #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1 + #define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE + + /* fake OID for DSS sign/verify */ diff --git a/SOURCES/nss-util-config.in b/SOURCES/nss-util-config.in new file mode 100644 index 0000000..ef8751d --- /dev/null +++ b/SOURCES/nss-util-config.in @@ -0,0 +1,118 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss-util` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss-util` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss-util` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_nssutil"; then + libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/SOURCES/nss-util-dso-ldflags.patch b/SOURCES/nss-util-dso-ldflags.patch new file mode 100644 index 0000000..fe39ae3 --- /dev/null +++ b/SOURCES/nss-util-dso-ldflags.patch @@ -0,0 +1,22 @@ +diff --git a/coreconf/Linux.mk b/coreconf/Linux.mk +--- a/coreconf/Linux.mk ++++ b/coreconf/Linux.mk +@@ -135,17 +135,17 @@ ifeq ($(KERNEL),Linux) + endif + OS_LIBS = $(OS_PTHREAD) -ldl -lc + + ifdef USE_PTHREADS + DEFINES += -D_REENTRANT + endif + + DSO_CFLAGS = -fPIC +-DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections ++DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,--gc-sections $(DSO_LDFLAGS) + # The linker on Red Hat Linux 7.2 and RHEL 2.1 (GNU ld version 2.11.90.0.8) + # incorrectly reports undefined references in the libraries we link with, so + # we don't use -z defs there. + # Also, -z defs conflicts with Address Sanitizer, which emits relocations + # against the libsanitizer runtime built into the main executable. + ZDEFS_FLAG = -Wl,-z,defs + DSO_LDOPTS += $(if $(findstring 2.11.90.0.8,$(shell ld -v)),,$(ZDEFS_FLAG)) + LDFLAGS += $(ARCHFLAG) -z noexecstack diff --git a/SOURCES/nss-util.pc.in b/SOURCES/nss-util.pc.in new file mode 100644 index 0000000..1310248 --- /dev/null +++ b/SOURCES/nss-util.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-UTIL +Description: Network Security Services Utility Library +Version: %NSSUTIL_VERSION% +Requires: nspr >= %NSPR_VERSION% +Libs: -L${libdir} -lnssutil3 +Cflags: -I${includedir} diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec new file mode 100644 index 0000000..9ea30d8 --- /dev/null +++ b/SPECS/nss-util.spec @@ -0,0 +1,703 @@ +%global nspr_version 4.20.0 +%global nss_util_version 3.39.0 + +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_util_archive_version %s", + string.gsub(rpm.expand("%nss_util_version"), "(.*)%.0$", "%1"))) +} + +Summary: Network Security Services Utilities Library +Name: nss-util +Version: %{nss_util_version} +# for Rawhide, please always use release >= 2 +# for Fedora release branches, please use release < 2 (1.0, 1.1, ...) +Release: 1.1%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +BuildRequires: nspr-devel >= %{nspr_version} +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl-interpreter +BuildRequires: gcc-c++ + +Source0: %{name}-%{nss_util_archive_version}.tar.gz +# The nss-util tar ball is a subset of nss-{version}.tar.gz. +# We use the nss-split-util.sh script for keeping only what we need +# nss-util is produced via via nss-split-util.sh {version} +# Detailed Steps: +# fedpkg clone nss-util +# cd nss-util +# Make the source tarball for nss-util out of the nss one: +# sh ./nss-split-util.sh ${version} +# A file named ${name}-${version}.tar.gz should appear +# ready to upload to the lookaside cache. +Source1: nss-split-util.sh +Source2: nss-util.pc.in +Source3: nss-util-config.in + +# Local patches +# TODO: investigate whether this patch should also be applied to +# nss-softokn and nss and whether it should be submitted upstream. +# First ensure that it won't cause any FIPS tests breakage. +Patch4: nss-util-dso-ldflags.patch +Patch5: nss-util-3.36-ipsec_cert_vfy.patch + +%description +Utilities for Network Security Services and the Softoken module + +# We shouln't need to have a devel subpackage as util will be used in the +# context of nss or nss-softoken. keeping to please rpmlint. +# +%package devel +Summary: Development libraries for Network Security Services Utilities +Group: Development/Libraries +Requires: nss-util = %{version}-%{release} +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig + +%description devel +Header and library files for doing development with Network Security Services. + + +%prep +%setup -q -n %{name}-%{nss_util_archive_version} +pushd nss +%patch4 -p1 -b .ldflags +%patch5 -p1 -b .ipsec_vfy +popd + + +%build + +LDFLAGS=$RPM_LD_FLAGS +export LDFLAGS + +DSO_LDFLAGS=$RPM_LD_FLAGS +export DSO_LDFLAGS + +# Enable compiler optimizations and disable debugging code +export BUILD_OPT=1 + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=`/usr/bin/pkg-config --libs-only-L nspr | sed 's/-L//'` + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR + +export NSS_USE_SYSTEM_SQLITE=1 + +export NSS_BUILD_UTIL_ONLY=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +# make util +%{__make} -C ./nss/coreconf +%{__make} -C ./nss + +# Set up our package file +%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE2} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-util.pc + +NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` + +export NSSUTIL_VMAJOR +export NSSUTIL_VMINOR +export NSSUTIL_VPATCH + +%{__cat} %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSSUTIL_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSSUTIL_VMINOR,g" \ + -e "s,@MOD_PATCH_VERSION@,$NSSUTIL_VPATCH,g" \ + > ./dist/pkgconfig/nss-util-config + +chmod 755 ./dist/pkgconfig/nss-util-config + + +%check + +# Enable compiler optimizations and disable debugging code +export BUILD_OPT=1 + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +export NSS_BUILD_UTIL_ONLY=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +rm -rf ./tests_results +pushd ./nss/tests/ +# all.sh is the test suite script + +# only run gtests for nss-util +%global nss_cycles "standard" +%global nss_tests "gtests" +%global nss_ssl_tests " " +%global nss_ssl_run " " + +SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` + +if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then + HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh +fi + +popd + +if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then + TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || : +else + TEST_FAILURES=0 +fi + +if [ $TEST_FAILURES -ne 0 ]; then + echo "error: test suite returned failure(s)" + exit 1 +fi +echo "test suite completed" + +%install + +%{__rm} -rf $RPM_BUILD_ROOT + +# There is no make install target so we'll do it ourselves. + +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3 +%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/nss3 +%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} + +for file in libnssutil3.so +do + %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir} +done + +# Copy the include files we want +# The util headers, the rest come from softokn and nss +for file in dist/public/nss/*.h +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3 +done + +# Copy the template files we want +for file in dist/private/nss/templates.c +do + %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates +done + +# Copy the package configuration files +%{__install} -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc +%{__install} -p -m 755 ./dist/pkgconfig/nss-util-config $RPM_BUILD_ROOT/%{_bindir}/nss-util-config + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%files +%{!?_licensedir:%global license %%doc} +%license nss/COPYING +%{_libdir}/libnssutil3.so + +%files devel +# package configuration files +%{_libdir}/pkgconfig/nss-util.pc +%{_bindir}/nss-util-config + +# co-owned with nss +%dir %{_includedir}/nss3 +# these are marked as public export in nss/lib/util/manifest.mk +%{_includedir}/nss3/base64.h +%{_includedir}/nss3/ciferfam.h +%{_includedir}/nss3/eccutil.h +%{_includedir}/nss3/hasht.h +%{_includedir}/nss3/nssb64.h +%{_includedir}/nss3/nssb64t.h +%{_includedir}/nss3/nsslocks.h +%{_includedir}/nss3/nssilock.h +%{_includedir}/nss3/nssilckt.h +%{_includedir}/nss3/nssrwlk.h +%{_includedir}/nss3/nssrwlkt.h +%{_includedir}/nss3/nssutil.h +%{_includedir}/nss3/pkcs1sig.h +%{_includedir}/nss3/pkcs11.h +%{_includedir}/nss3/pkcs11f.h +%{_includedir}/nss3/pkcs11n.h +%{_includedir}/nss3/pkcs11p.h +%{_includedir}/nss3/pkcs11t.h +%{_includedir}/nss3/pkcs11u.h +%{_includedir}/nss3/pkcs11uri.h +%{_includedir}/nss3/portreg.h +%{_includedir}/nss3/secasn1.h +%{_includedir}/nss3/secasn1t.h +%{_includedir}/nss3/seccomon.h +%{_includedir}/nss3/secder.h +%{_includedir}/nss3/secdert.h +%{_includedir}/nss3/secdig.h +%{_includedir}/nss3/secdigt.h +%{_includedir}/nss3/secerr.h +%{_includedir}/nss3/secitem.h +%{_includedir}/nss3/secoid.h +%{_includedir}/nss3/secoidt.h +%{_includedir}/nss3/secport.h +%{_includedir}/nss3/utilmodt.h +%{_includedir}/nss3/utilpars.h +%{_includedir}/nss3/utilparst.h +%{_includedir}/nss3/utilrename.h +%{_includedir}/nss3/templates/templates.c + +%changelog +* Tue Dec 3 2018 Bob Relyea - 3.39.0-1.1 + - Support for IKE/IPsec typical PKIX usage so libreswan can use nss without + rejecting certs based on EKU +* Tue Sep 25 2018 Daiki Ueno - 3.39.0-1.0 +- Update to NSS 3.39 +- Use the upstream tarball versioning as it is (rhbz#1578106) + +* Thu Sep 20 2018 Daiki Ueno - 3.38.0-1.1 +- Fix LDFLAGS injection + +* Wed Jul 18 2018 Daiki Ueno - 3.38.0-1.0 +- Update to NSS 3.38 + +* Tue Jul 17 2018 Kai Engert - 3.36.1-1.2 +- Backport upstream addition of nss-policy-check utility, rhbz#1428746 + +* Thu May 24 2018 Daiki Ueno - 3.36.1-1.1 +- Switch the default DB type to SQL + +* Tue Apr 24 2018 Daiki Ueno - 3.36.1-1.0 +- Update to NSS 3.36.1 +- Revert the change that makes NSS default DB to SQL + +* Fri Mar 9 2018 Daiki Ueno - 3.36.0-1.0 +- Update to NSS 3.36.0 +- Add gcc-c++ to BuildRequires (C++ is needed for gtests) + +* Thu Feb 08 2018 Fedora Release Engineering - 3.35.0-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Tue Jan 30 2018 Kai Engert - 3.35.0-4 +- Rebuild + +* Tue Jan 23 2018 Daiki Ueno - 3.35.0-3 +- Bump nspr version requirement + +* Tue Jan 23 2018 Daiki Ueno - 3.35.0-2 +- Update to NSS 3.35.0 + +* Tue Nov 14 2017 Daiki Ueno - 3.34.0-2 +- Update to NSS 3.34.0 + +* Tue Nov 7 2017 Kai Engert - 3.33.0-3 +- Change default database file format to "sql", rhbz#1496560 + +* Tue Oct 3 2017 Daiki Ueno - 3.33.0-2 +- Update to NSS 3.33.0 + +* Wed Sep 6 2017 Daiki Ueno - 3.32.0-3 +- Drop the patches which removed #include in hasht.h + +* Mon Aug 7 2017 Daiki Ueno - 3.32.0-2 +- Update to NSS 3.32.0 + +* Thu Aug 03 2017 Fedora Release Engineering - 3.31.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 3.31.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Wed Jun 21 2017 Daiki Ueno - 3.31.0-2 +- Update to NSS 3.31.0 + +* Fri Jun 2 2017 Daiki Ueno - 3.30.2-3 +- Enable gtests + +* Fri Apr 21 2017 Daiki Ueno - 3.30.2-2 +- Update to NSS 3.30.2 + +* Fri Apr 7 2017 Daiki Ueno - 3.30.1-2 +- Update to NSS 3.30.1 + +* Tue Mar 21 2017 Daiki Ueno - 3.30.0-2 +- Update to NSS 3.30.0 + +* Thu Mar 02 2017 Kai Engert - 3.29.1-3 +- Backport mozbz#1334976 and mozbz#1336487. + +* Fri Feb 17 2017 Daiki Ueno - 3.29.1-2 +- Update to NSS 3.29.1 + +* Wed Feb 8 2017 Daiki Ueno - 3.29.0-2 +- Update to NSS 3.29.0 + +* Fri Jan 6 2017 Daiki Ueno - 3.28.1-2 +- Update to NSS 3.28.1 + +* Thu Dec 22 2016 Kai Engert - 3.28.0-2 +- Update to NSS 3.28.0 + +* Thu Sep 29 2016 Daiki Ueno - 3.27.0-2 +- Update to NSS 3.27.0 + +* Mon Aug 8 2016 Daiki Ueno - 3.26.0-2 +- Update to NSS 3.26.0 +- Remove check policy file patch as it has been upstreamed +- Remove unused directories from split tarball + +* Fri Jun 24 2016 Elio Maldonado - 3.25.0-2 +- Update to NSS 3.25.0 + +* Tue May 24 2016 Elio Maldonado - 3.24.0-1.0 +- Update to NSS 3.24.0 + +* Wed Apr 20 2016 Elio Maldonado - 3.23.0-4 +- Update check policy file patch to better match what will be submitted upstream + +* Thu Mar 24 2016 Elio Maldonado - 3.23.0-3 +- Enable checking the crypto policy file +- Related: Bug 1157720 - NSS should enforce the system-wide crypto policy + +* Sat Mar 05 2016 Elio Maldonado - 3.22.3-2 +- Update to NSS 3.23.0 + +* Sun Feb 28 2016 Elio Maldonado - 3.22.2-2.1 +- Fix version number for update to NSS 3.22.2 + +* Sun Feb 21 2016 Elio Maldonado - 3.22.1-2 +- Update to NSS 3.22.1 + +* Sat Feb 06 2016 Elio Maldonado - 3.22.0-2 +- Update to NSS 3.22 + +* Thu Feb 04 2016 Fedora Release Engineering - 3.21.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Nov 12 2015 Elio Maldonado Batiz - 3.21.1-2 +- Update to NSS 3.21 +- Resolves: Bug 1279912 - nss-3.21 is available +- Resolves: Bug 1258425 - Use __isa_bits macro instead of list of 64-bit architectures + +* Fri Oct 30 2015 Elio Maldonado - 3.20.1-1 +- Update to NSS 3.20.1 + +* Thu Aug 20 2015 Elio Maldonado - 3.20.0-2 +- Update to NSS 3.20 + +* Mon Aug 17 2015 Adam Jackson 3.19.3-3 +- Link with -z now + +* Sat Aug 08 2015 Elio Maldonado - 3.19.3-2 +- Update to NSS 3.19.3 + +* Wed Jun 17 2015 Kai Engert - 3.19.2-2 +- Update to NSS 3.19.2 + +* Thu May 28 2015 Kai Engert - 3.19.1-2 +- Update to NSS 3.19.1 + +* Tue May 19 2015 Kai Engert - 3.19.0-2 +- Update to NSS 3.19 + +* Thu Mar 19 2015 Elio Maldonado - 3.18.0-1 +- Update to nss-3.18.0 + +* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1 +- Update to nss-3.17.4 + +* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1 +- Update to nss-3.17.3 + +* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1 +- Update to nss-3.17.2 + +* Wed Sep 24 2014 Kai Engert - 3.17.1-1 +- Update to nss-3.17.1 + +* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1 +- Update to nss-3.17.0 + +* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 18 2014 Tom Callaway - 3.16.2-2 +- fix license handling + +* Sun Jun 29 2014 Elio Maldonado - 3.16.2-1 +- Update to nss-3.16.2 + +* Sat Jun 07 2014 Fedora Release Engineering - 3.16.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Tue May 06 2014 Elio Maldonado - 3.16.1-1 +- Update to nss-3.16.1 +- Resolves: Bug 1094702 - nss-3.16.1 is available + +* Tue Mar 18 2014 Elio Maldonado - 3.16.0-0 +- Update to nss-3.16.0 + +* Wed Feb 19 2014 Elio Maldonado - 3.15.5-1 +- Update to nss-3.15.5 - Resolves: Bug 1066877 + +* Sat Jan 25 2014 Elio Maldonado - 3.15.4-2 +- Add support for ppc64le, Resolves: Bug 1052552 + +* Tue Jan 07 2014 Elio Maldonado - 3.15.4-1 +- Update to NSS_3_15_4_RTM +- Resolves: Bug 1049229 - nss-3.15.4 is available + +* Sun Nov 24 2013 Elio Maldonado - 3.15.3-1 +- Update to NSS_3_15_3_RTM +- Related: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 + +* Wed Oct 23 2013 Elio Maldonado - 3.15.2-2 +- Split off nss-util from full nss sources as released upstream + +* Thu Sep 26 2013 Elio Maldonado - 3.15.2-1 +- Update to NSS_3_15_2_RTM + +* Sat Aug 03 2013 Fedora Release Engineering - 3.15.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Tue Jul 02 2013 Elio Maldonado - 3.15.1-1 +- Update to NSS_3_15_1_RTM + +* Wed May 29 2013 Elio Maldonado - 3.15-1 +- Update to NSS_3_15_RTM + +* Fri Apr 19 2013 Elio Maldonado - 3.15-0.1.beta1.2 +- Don't include prtypes.h from hasht.t +- Resolves: rhbz#953277 - rawhide build of glibc fails due to fatal error from nss3/hasht.h + +* Fri Apr 05 2013 Elio Maldonado - 3.15.beta1-0.1.beta.1 +- Update to NSS_3_15_BETA1 +- Update spec file, patches, and helper scripts on account of a shallower source tree + +* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1 +- Update to NSS_3_14_3_RTM +- Resolves: rhbz#909782 - specfile support for AArch64 + +* Sat Feb 02 2013 Elio Maldonado - 3.14.2-2 +- Retagging to prevent nvr update problems with f18 + +* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1 +- Update to NSS_3_14_2_RTM + +* Thu Dec 27 2012 Elio Maldonado - 3.14.1-2 +- Install templates.c in /usr/includes/nss3/templates +- Fix bogus date warnings + +* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1 +- Update to NSS_3_14_1_RTM + +* Sat Oct 27 2012 Elio Maldonado - 3.14-2 +- Update the license to MPLv2.0 + +* Mon Oct 22 2012 Elio Maldonado - 3.14-1 +- Update to NSS_3_14_RTM + +* Fri Oct 19 2012 Elio Maldonado - 3.14-0.1.rc1.1 +- Update to NSS_3_14_RC1 +- The hasht.h from now on is provided by nss-util-devel + +* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3 +- Resolves: rhbz#833529 - revert unwanted change to nss-util.pc.in + +* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2 +- Resolves: rhbz#833529 - Remove space from Libs: line in nss-util.pc.in + +* Sat Jun 16 2012 Elio Maldonado - 3.13.5-1 +- Update to NSS_3_13_5_RTM + +* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2 +- Resolves: Bug 805716 - Library needs partial RELRO support added +- Patch coreconf/Linux.mk as done on RHEL 6.2 + +* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1 +- Update to NSS_3_13_4 + +* Sun Apr 01 2012 Elio Maldonado - 3.13.4-0.1.beta.1 +- Update to NSS_3_13_4_BETA1 +- Improve steps to splitting off util from the nss +- Add executable attribute to the splitting script + +* Tue Mar 27 2012 Elio Maldonado - 3.13.3-4 +- Resolves: Bug 805716 - Library needs partial RELRO support added + +* Fri Mar 16 2012 Elio Maldonado Batiz - 3.13.3-3 +- Update the release tag to be higher than in f16 + +* Fri Mar 09 2012 Elio Maldonado Batiz - 3.13.3-2 +- Require nspr 4.9 + +* Thu Mar 01 2012 Elio Maldonado Batiz - 3.13.1-4 +- Update to NSS_3_13_3_RTM + +* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon Nov 28 2011 Elio Maldonado - 3.13.1-2 +- Fix a gnuc def typo + +* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1 +- Update to NSS_3_13_1_RTM + +* Sat Oct 15 2011 Elio Maldonado - 3.13-1 +- Update to NSS_3_13_RTM + +* Fri Oct 07 2011 Elio Maldonado - 3.13-0.1.rc0.1 +- Update to NSS_3_13_RC0 + +* Thu Sep 8 2011 Ville Skyttä - 3.12.11-2 +- Avoid %%post/un shell invocations and dependencies. + +* Tue Aug 09 2011 Elio Maldonado - 3.12.11-1 +- Update to NSS_3_12_11_RTM + +* Fri May 06 2011 Elio Maldonado - 3.12.10-1 +- Update to NSS_3_12_10_RTM + +* Mon Apr 25 2011 Elio Maldonado Batiz - 3.12.10-0.1.beta1 +- Update to NSS_3_12_10_BETA1 + +* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1 +- Update to 3.12.9 + +* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1beta2 +- Rebuilt according to fedora pre-release package naming guidelines + +* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1 +- Update to NSS_3_12_9_BETA2 + +* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1 +- Update to NSS_3_12_9_BETA1 + +* Wed Sep 29 2010 jkeating - 3.12.8-2 +- Rebuilt for gcc bug 634757 + +* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1 +- Update to 3.12.8 + +* Sat Sep 18 2010 Elio Maldonado - 3.12.7.99.4-1 +- NSS 3.12.8 RC0 + +* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1 +- NSS 3.12.8 Beta 3 + +* Sun Aug 29 2010 Elio Maldonado - 3.12.7-2 +- Define NSS_USE_SYSTEM_SQLITE and remove nolocalsql patch + +* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1 +- Update to 3.12.7 + +* Fri Mar 05 2010 Elio Maldonado - 3.12.6-1 +- Update to 3.12.6 + +* Mon Jan 18 2010 Elio Maldonado - 3.12.5-2 +- Fix in nss-util-config.in + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1 +- Update to 3.12.5 + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-8 +- Retagging for a chained build with nss-softokn and nss + +* Thu Sep 10 2009 Elio Maldonado - 3.12.4-5 +- Restoring -rpath-link to nss-util-config + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-4 +- Installing shared libraries to %%{_libdir} + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-3 +- Remove symbolic links to shared libraries from devel - 521155 +- Apply nss-nolocalsql patch subset for nss-util +- No rpath-link in nss-util-config + +* Fri Sep 04 2009 Elio Maldonado - 3.12.4-2 +- Retagging for a chained build + +* Thu Sep 03 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 +- Don't require sqlite + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-15 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-14 +- Cleanup nss-util-config.in + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-13 +- nss-util-devel doesn't require nss-devel + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-12 +- bump to unique nvr + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-11 +- Remove spurious executable permissions from nss-util-config +- Shorten some descriptions to keep rpmlint happy + +* Mon Aug 24 2009 Dennis Gilmore 3.12.3.99.3-10 +- dont include the headers in nss-util only in the -devel package +- nss-util-devel Requires nss-devel since its only providing a subset of the headers. + +* Thu Aug 20 2009 Dennis Gilmore 3.12.3.99.3-9 +- Provide nss-devel since we obsolete it + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8.1 +- nss-util-devel obsoletes nss-devel < 3.12.3.99.3-8 + +* Wed Aug 19 2009 Elio Maldonado 3.12.3.99.3-8 +- Initial build