diff --git a/.nss.metadata b/.nss.metadata new file mode 100644 index 0000000..d4c0feb --- /dev/null +++ b/.nss.metadata @@ -0,0 +1,11 @@ +7f78b5bcecdb5005e7b803604b2ec9d1a9df2fb5 SOURCES/blank-key3.db +1a4738a7fcc0bca303b47e9a24739637a9ab6640 SOURCES/TestCA.ca.cert +d63e287dc5d012993221373fe14a8e1dac5eaff7 SOURCES/TestUser51.cert +d272a7b58364862613d44261c5744f7a336bf177 SOURCES/blank-cert8.db +69c70f63ccf23ca0761e77085fd1970211cdab1e SOURCES/nss-3.15.2.tar.bz2 +f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db +59f95324bb4fad179498bf1ddce2ceb0ee245356 SOURCES/nss-pem-20130405.tar.bz2 +b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db +bd748cf6e1465a1bbe6e751b72ffc0076aff0b50 SOURCES/blank-secmod.db +4019f0c1959c2b7102d470821e917e9c02551010 SOURCES/TestUser50.cert +21774825dc4a9c54ce02b070928a2e72ce5878e7 SOURCES/PayPalEE.cert diff --git a/README.md b/README.md deleted file mode 100644 index 0e7897f..0000000 --- a/README.md +++ /dev/null @@ -1,5 +0,0 @@ -The master branch has no content - -Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6 - -If you find this file in a distro specific branch, it means that no content has been checked in yet diff --git a/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch new file mode 100644 index 0000000..36fbd9d --- /dev/null +++ b/SOURCES/0001-sync-up-with-upstream-softokn-changes.patch 
@@ -0,0 +1,406 @@ +From d6dbecfea317a468be12423595e584f43d84d8ec Mon Sep 17 00:00:00 2001 +From: Elio Maldonado +Date: Sat, 9 Feb 2013 17:11:00 -0500 +Subject: [PATCH] Sync up with upstream softokn changes + +- Disable RSA OEP case in FormatBlock, RSA_OAEP support is experimental and in a state of flux +- Numerous change upstream due to the work for TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169 +- It now compiles with the NSS_3_14_3_BETA1 source +--- + mozilla/security/nss/lib/ckfw/pem/rsawrapr.c | 338 +++++++------------------- + 1 files changed, 82 insertions(+), 256 deletions(-) + +diff --git a/nss/lib/ckfw/pem/rsawrapr.c b/nss/lib/ckfw/pem/rsawrapr.c +index 5ac4f39..3780d30 100644 +--- a/nss/lib/ckfw/pem/rsawrapr.c ++++ b/nss/lib/ckfw/pem/rsawrapr.c +@@ -46,6 +46,7 @@ + #include "sechash.h" + #include "base.h" + ++#include "lowkeyi.h" + #include "secerr.h" + + #define RSA_BLOCK_MIN_PAD_LEN 8 +@@ -54,9 +55,8 @@ + #define RSA_BLOCK_PRIVATE_PAD_OCTET 0xff + #define RSA_BLOCK_AFTER_PAD_OCTET 0x00 + +-#define OAEP_SALT_LEN 8 +-#define OAEP_PAD_LEN 8 +-#define OAEP_PAD_OCTET 0x00 ++/* Needed for RSA-PSS functions */ ++static const unsigned char eightZeros[] = { 0, 0, 0, 0, 0, 0, 0, 0 }; + + #define FLAT_BUFSIZE 512 /* bytes to hold flattened SHA1Context. 
*/ + +@@ -78,127 +78,39 @@ pem_PublicModulusLen(NSSLOWKEYPublicKey *pubk) + return 0; + } + +-static SHA1Context *SHA1_CloneContext(SHA1Context * original) +-{ +- SHA1Context *clone = NULL; +- unsigned char *pBuf; +- int sha1ContextSize = SHA1_FlattenSize(original); +- SECStatus frv; +- unsigned char buf[FLAT_BUFSIZE]; +- +- PORT_Assert(sizeof buf >= sha1ContextSize); +- if (sizeof buf >= sha1ContextSize) { +- pBuf = buf; +- } else { +- pBuf = nss_ZAlloc(NULL, sha1ContextSize); +- if (!pBuf) +- goto done; +- } +- +- frv = SHA1_Flatten(original, pBuf); +- if (frv == SECSuccess) { +- clone = SHA1_Resurrect(pBuf, NULL); +- memset(pBuf, 0, sha1ContextSize); +- } +- done: +- if (pBuf != buf) +- nss_ZFreeIf(pBuf); +- return clone; ++/* Constant time comparison of a single byte. ++ * Returns 1 iff a == b, otherwise returns 0. ++ * Note: For ranges of bytes, use constantTimeCompare. ++ */ ++static unsigned char constantTimeEQ8(unsigned char a, unsigned char b) { ++ unsigned char c = ~(a - b | b - a); ++ c >>= 7; ++ return c; + } + +-/* +- * Modify data by XORing it with a special hash of salt. ++/* Constant time comparison of a range of bytes. ++ * Returns 1 iff len bytes of a are identical to len bytes of b, otherwise ++ * returns 0. + */ +-static SECStatus +-oaep_xor_with_h1(unsigned char *data, unsigned int datalen, +- unsigned char *salt, unsigned int saltlen) +-{ +- SHA1Context *sha1cx; +- unsigned char *dp, *dataend; +- unsigned char end_octet; +- +- sha1cx = SHA1_NewContext(); +- if (sha1cx == NULL) { +- return SECFailure; +- } +- +- /* +- * Get a hash of salt started; we will use it several times, +- * adding in a different end octet (x00, x01, x02, ...). 
+- */ +- SHA1_Begin(sha1cx); +- SHA1_Update(sha1cx, salt, saltlen); +- end_octet = 0; +- +- dp = data; +- dataend = data + datalen; +- +- while (dp < dataend) { +- SHA1Context *sha1cx_h1; +- unsigned int sha1len, sha1off; +- unsigned char sha1[SHA1_LENGTH]; +- +- /* +- * Create hash of (salt || end_octet) +- */ +- sha1cx_h1 = SHA1_CloneContext(sha1cx); +- SHA1_Update(sha1cx_h1, &end_octet, 1); +- SHA1_End(sha1cx_h1, sha1, &sha1len, sizeof(sha1)); +- SHA1_DestroyContext(sha1cx_h1, PR_TRUE); +- PORT_Assert(sha1len == SHA1_LENGTH); +- +- /* +- * XOR that hash with the data. +- * When we have fewer than SHA1_LENGTH octets of data +- * left to xor, use just the low-order ones of the hash. +- */ +- sha1off = 0; +- if ((dataend - dp) < SHA1_LENGTH) +- sha1off = SHA1_LENGTH - (dataend - dp); +- while (sha1off < SHA1_LENGTH) +- *dp++ ^= sha1[sha1off++]; +- +- /* +- * Bump for next hash chunk. +- */ +- end_octet++; +- } +- +- SHA1_DestroyContext(sha1cx, PR_TRUE); +- return SECSuccess; ++static unsigned char constantTimeCompare(const unsigned char *a, ++ const unsigned char *b, ++ unsigned int len) { ++ unsigned char tmp = 0; ++ unsigned int i; ++ for (i = 0; i < len; ++i, ++a, ++b) ++ tmp |= *a ^ *b; ++ return constantTimeEQ8(0x00, tmp); + } + +-/* +- * Modify salt by XORing it with a special hash of data. ++/* Constant time conditional. ++ * Returns a if c is 1, or b if c is 0. The result is undefined if c is ++ * not 0 or 1. + */ +-static SECStatus +-oaep_xor_with_h2(unsigned char *salt, unsigned int saltlen, +- unsigned char *data, unsigned int datalen) ++static unsigned int constantTimeCondition(unsigned int c, ++ unsigned int a, ++ unsigned int b) + { +- unsigned char sha1[SHA1_LENGTH]; +- unsigned char *psalt, *psha1, *saltend; +- SECStatus rv; +- +- /* +- * Create a hash of data. +- */ +- rv = SHA1_HashBuf(sha1, data, datalen); +- if (rv != SECSuccess) { +- return rv; +- } +- +- /* +- * XOR the low-order octets of that hash with salt. 
+- */ +- PORT_Assert(saltlen <= SHA1_LENGTH); +- saltend = salt + saltlen; +- psalt = salt; +- psha1 = sha1 + SHA1_LENGTH - saltlen; +- while (psalt < saltend) { +- *psalt++ ^= *psha1++; +- } +- +- return SECSuccess; ++ return (~(c - 1) & a) | ((c - 1) & b); + } + + /* +@@ -212,7 +124,7 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, + unsigned char *block; + unsigned char *bp; + int padLen; +- int i; ++ int i, j; + SECStatus rv; + + block = (unsigned char *) nss_ZAlloc(NULL, modulusLen); +@@ -260,124 +172,58 @@ static unsigned char *rsa_FormatOneBlock(unsigned modulusLen, + */ + case RSA_BlockPublic: + +- /* +- * 0x00 || BT || Pad || 0x00 || ActualData +- * 1 1 padLen 1 data->len +- * Pad is all non-zero random bytes. +- */ +- padLen = modulusLen - data->len - 3; +- PORT_Assert(padLen >= RSA_BLOCK_MIN_PAD_LEN); +- if (padLen < RSA_BLOCK_MIN_PAD_LEN) { +- nss_ZFreeIf(block); +- return NULL; +- } +- for (i = 0; i < padLen; i++) { +- /* Pad with non-zero random data. */ +- do { +- rv = RNG_GenerateGlobalRandomBytes(bp + i, 1); +- } while (rv == SECSuccess +- && bp[i] == RSA_BLOCK_AFTER_PAD_OCTET); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- } +- bp += padLen; +- *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; +- nsslibc_memcpy(bp, data->data, data->len); +- +- break; +- +- /* +- * Blocks intended for public-key operation, using +- * Optimal Asymmetric Encryption Padding (OAEP). +- */ +- case RSA_BlockOAEP: +- /* +- * 0x00 || BT || Modified2(Salt) || Modified1(PaddedData) +- * 1 1 OAEP_SALT_LEN OAEP_PAD_LEN + data->len [+ N] +- * +- * where: +- * PaddedData is "Pad1 || ActualData [|| Pad2]" +- * Salt is random data. +- * Pad1 is all zeros. +- * Pad2, if present, is random data. +- * (The "modified" fields are all the same length as the original +- * unmodified values; they are just xor'd with other values.) +- * +- * Modified1 is an XOR of PaddedData with a special octet +- * string constructed of iterated hashing of Salt (see below). 
+- * Modified2 is an XOR of Salt with the low-order octets of +- * the hash of Modified1 (see farther below ;-). +- * +- * Whew! +- */ +- +- +- /* +- * Salt +- */ +- rv = RNG_GenerateGlobalRandomBytes(bp, OAEP_SALT_LEN); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- bp += OAEP_SALT_LEN; +- +- /* +- * Pad1 +- */ +- nsslibc_memset(bp, OAEP_PAD_OCTET, OAEP_PAD_LEN); +- bp += OAEP_PAD_LEN; +- +- /* +- * Data +- */ +- nsslibc_memcpy(bp, data->data, data->len); +- bp += data->len; +- +- /* +- * Pad2 +- */ +- if (bp < (block + modulusLen)) { +- rv = RNG_GenerateGlobalRandomBytes(bp, +- block - bp + modulusLen); +- if (rv != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- } +- +- /* +- * Now we have the following: +- * 0x00 || BT || Salt || PaddedData +- * (From this point on, "Pad1 || Data [|| Pad2]" is treated +- * as the one entity PaddedData.) +- * +- * We need to turn PaddedData into Modified1. +- */ +- if (oaep_xor_with_h1(block + 2 + OAEP_SALT_LEN, +- modulusLen - 2 - OAEP_SALT_LEN, +- block + 2, OAEP_SALT_LEN) != SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- +- /* +- * Now we have: +- * 0x00 || BT || Salt || Modified1(PaddedData) +- * +- * The remaining task is to turn Salt into Modified2. +- */ +- if (oaep_xor_with_h2(block + 2, OAEP_SALT_LEN, +- block + 2 + OAEP_SALT_LEN, +- modulusLen - 2 - OAEP_SALT_LEN) != +- SECSuccess) { +- nss_ZFreeIf(block); +- return NULL; +- } +- +- break; ++ /* ++ * 0x00 || BT || Pad || 0x00 || ActualData ++ * 1 1 padLen 1 data->len ++ * Pad is all non-zero random bytes. ++ * ++ * Build the block left to right. ++ * Fill the entire block from Pad to the end with random bytes. ++ * Use the bytes after Pad as a supply of extra random bytes from ++ * which to find replacements for the zero bytes in Pad. ++ * If we need more than that, refill the bytes after Pad with ++ * new random bytes as necessary. 
++ */ ++ padLen = modulusLen - (data->len + 3); ++ PORT_Assert (padLen >= RSA_BLOCK_MIN_PAD_LEN); ++ if (padLen < RSA_BLOCK_MIN_PAD_LEN) { ++ nss_ZFreeIf (block); ++ return NULL; ++ } ++ j = modulusLen - 2; ++ rv = RNG_GenerateGlobalRandomBytes(bp, j); ++ if (rv == SECSuccess) { ++ for (i = 0; i < padLen; ) { ++ unsigned char repl; ++ /* Pad with non-zero random data. */ ++ if (bp[i] != RSA_BLOCK_AFTER_PAD_OCTET) { ++ ++i; ++ continue; ++ } ++ if (j <= padLen) { ++ rv = RNG_GenerateGlobalRandomBytes(bp + padLen, ++ modulusLen - (2 + padLen)); ++ if (rv != SECSuccess) ++ break; ++ j = modulusLen - 2; ++ } ++ do { ++ repl = bp[--j]; ++ } while (repl == RSA_BLOCK_AFTER_PAD_OCTET && j > padLen); ++ if (repl != RSA_BLOCK_AFTER_PAD_OCTET) { ++ bp[i++] = repl; ++ } ++ } ++ } ++ if (rv != SECSuccess) { ++ /*sftk_fatalError = PR_TRUE;*/ ++ nss_ZFreeIf (block); ++ return NULL; ++ } ++ bp += padLen; ++ *bp++ = RSA_BLOCK_AFTER_PAD_OCTET; ++ nsslibc_memcpy(bp, data->data, data->len); ++ break; + + default: + PORT_Assert(0); +@@ -427,26 +273,6 @@ rsa_FormatBlock(SECItem * result, unsigned modulusLen, + + break; + +- case RSA_BlockOAEP: +- /* +- * 0x00 || BT || M1(Salt) || M2(Pad1||ActualData[||Pad2]) +- * +- * The "2" below is the first octet + the second octet. +- * (The other fields do not contain the clear values, but are +- * the same length as the clear values.) +- */ +- PORT_Assert(data->len <= (modulusLen - (2 + OAEP_SALT_LEN +- + OAEP_PAD_LEN))); +- +- result->data = rsa_FormatOneBlock(modulusLen, blockType, data); +- if (result->data == NULL) { +- result->len = 0; +- return SECFailure; +- } +- result->len = modulusLen; +- +- break; +- + case RSA_BlockRaw: + /* + * Pad || ActualData +-- +1.7.1 + diff --git a/SOURCES/Bug-1001841-disable-sslv2-libssl.patch b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch new file mode 100644 index 0000000..a9bc128 --- /dev/null +++ b/SOURCES/Bug-1001841-disable-sslv2-libssl.patch 
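Review bot: The helpers `constantTimeEQ8`, `constantTimeCompare` and `constantTimeCondition`, the `eightZeros` table introduced as "Needed for RSA-PSS functions", and the surviving `FLAT_BUFSIZE` define have no caller or use anywhere in this patch once `SHA1_CloneContext` and the OAEP code are deleted, so with the usual warning flags they become unused-static noise in rsawrapr.c; either drop them from this sync or bring over the softoken code that uses them. In the new `RSA_BlockPublic` branch, `/*sftk_fatalError = PR_TRUE;*/` is commented-out softoken state that the pem module does not have — replace it with a comment that says what actually happens, e.g. `/* no token-level fatal flag in the pem module; the RNG failure is reported only through the NULL return */`. If the constant-time helpers are kept, they deserve a comment that they must not be rewritten with a branch, since their whole value is the branch-free mask idiom. rsa_FormatOneBlock and rsa_FormatBlock both begin and end outside the inner hunks.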
@@ -0,0 +1,75 @@ +diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk +--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700 ++++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800 +@@ -7,6 +7,10 @@ ifdef NISCC_TEST + DEFINES += -DNISCC_TEST + endif + ++ifdef NSS_NO_SSL2 ++DEFINES += -DNSS_NO_SSL2 ++endif ++ + ifdef NSS_NO_PKCS11_BYPASS + DEFINES += -DNO_PKCS11_BYPASS + else +diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c +--- ./nss/lib/ssl/sslsock.c.disableSSL2 2013-11-05 16:09:47.419727310 -0800 ++++ ./nss/lib/ssl/sslsock.c 2013-11-05 16:09:47.461727980 -0800 +@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + break; + + case SSL_ENABLE_SSL2: ++#ifdef NSS_NO_SSL2 ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ } ++ break; ++ ss->opt.enableSSL2 = on; ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + if (on) { + ss->opt.v2CompatibleHello = on; + } ++#endif + ss->preferredCipher = NULL; + if (ss->cipherSpecs) { + PORT_Free(ss->cipherSpecs); +@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + break; + + case SSL_V2_COMPATIBLE_HELLO: ++#ifdef NSS_NO_SSL2 ++ if (on) { ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++ break; ++ } ++#else + if (IS_DTLS(ss)) { + if (on) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); +@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh + } + break; + } ++#endif + ss->opt.v2CompatibleHello = on; + if (!on) { + ss->opt.enableSSL2 = on; +@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt + if (ssl_IsRemovedCipherSuite(which)) { + rv = SECSuccess; + } else if (SSL_IS_SSL2_CIPHER(which)) { ++#ifdef NSS_NO_SSL2 ++ PORT_SetError(SSL_ERROR_SSL2_DISABLED); ++ rv = SECFailure; /* not allowed */ ++#else + rv = ssl2_SetPolicy(which, policy); ++#endif + } else { + 
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy); + } diff --git a/SOURCES/Bug-1001841-disable-sslv2-tests.patch b/SOURCES/Bug-1001841-disable-sslv2-tests.patch new file mode 100644 index 0000000..bf0adcb --- /dev/null +++ b/SOURCES/Bug-1001841-disable-sslv2-tests.patch @@ -0,0 +1,13 @@ +diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh +--- ./nss/tests/ssl/ssl.sh.disableSSL2 2013-09-25 06:57:55.000000000 -0700 ++++ ./nss/tests/ssl/ssl.sh 2013-11-03 16:43:48.905914207 -0800 +@@ -278,6 +278,9 @@ ssl_cov() + echo "${testname}" | grep "SSL2" > /dev/null + SSL2=$? + ++ # skip export and ssl2 tests when build has disabled SSL2 ++ if [ "${NSS_NO_SSL2}" = 1 ] && [ -n ${EXP} -o -n ${SSL2} ] && continue ++ + if [ "${SSL2}" -eq 0 ] ; then + # We cannot use asynchronous cert verification with SSL2 + SSL2_FLAGS=-O diff --git a/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch new file mode 100644 index 0000000..6f0e88c --- /dev/null +++ b/SOURCES/Bug-896651-pem-dont-trash-keys-on-failed-login.patch 
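Review bot: In the `NSS_NO_SSL2` branch of `case SSL_ENABLE_SSL2:` the unconditional `break;` sits before `ss->opt.enableSSL2 = on;`, so that assignment is unreachable and, unlike the `SSL_V2_COMPATIBLE_HELLO` case further down, turning the option off never reaches the `ss->preferredCipher = NULL` / `cipherSpecs` reset that follows the `#endif`. Move the break inside the guard: `if (on) { PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure; break; }` followed by `ss->opt.enableSSL2 = on;`, so the disabled build takes the same tail as the normal one. SSL_OptionSet and SSL_CipherPolicySet both start and end outside the hunk.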
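Review bot: The added skip line in `ssl_cov` is not valid shell as written: `if ... && continue` has no `then`/`fi`, so the shell keeps reading the following commands as part of the condition, and `[ -n ${SSL2} ]` is always true because `SSL2` holds grep's exit status (0 or 1) and is never empty — the same presumably holds for `EXP`, whose assignment is above the hunk. Test the exit codes explicitly: `if [ "${NSS_NO_SSL2}" = 1 ] && { [ "${EXP}" -eq 0 ] || [ "${SSL2}" -eq 0 ]; }; then continue; fi`. The enclosing loop in ssl_cov begins and ends outside the hunk.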
@@ -0,0 +1,44 @@ +--- nss/lib/ckfw/pem/psession.c ++++ nss/lib/ckfw/pem/psession.c +@@ -230,6 +230,7 @@ pem_mdSession_Login + unsigned int len = 0; + NSSLOWKEYPrivateKey *lpk = NULL; + PLArenaPool *arena; ++ SECItem plain; + int i; + + fwSlot = NSSCKFWToken_GetFWSlot(fwToken); +@@ -306,23 +321,27 @@ pem_mdSession_Login + lpk->keyType = NSSLOWKEYRSAKey; + prepare_low_rsa_priv_key_for_asn1(lpk); + +- nss_ZFreeIf(io->u.key.key.privateKey->data); +- io->u.key.key.privateKey->len = len - output[len - 1]; +- io->u.key.key.privateKey->data = +- (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); +- memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); + + /* Decode the resulting blob and see if it is a decodable DER that fits + * our private key template. If so we declare success and move on. If not + * then we return an error. + */ ++ memset(&plain, 0, sizeof(plain)); ++ plain.data = output; ++ plain.len = len - output[len - 1]; + rv = SEC_QuickDERDecodeItem(arena, lpk, pem_RSAPrivateKeyTemplate, +- io->u.key.key.privateKey); ++ &plain); + pem_DestroyPrivateKey(lpk); + arena = NULL; + if (rv != SECSuccess) + goto loser; + ++ nss_ZFreeIf(io->u.key.key.privateKey->data); ++ io->u.key.key.privateKey->len = len - output[len - 1]; ++ io->u.key.key.privateKey->data = ++ (void *) nss_ZAlloc(NULL, io->u.key.key.privateKey->len); ++ memcpy(io->u.key.key.privateKey->data, output, len - output[len - 1]); ++ + rv = CKR_OK; + + loser: diff --git a/SOURCES/add-relro-linker-option.patch b/SOURCES/add-relro-linker-option.patch new file mode 100644 index 0000000..7ab9db1 --- /dev/null +++ b/SOURCES/add-relro-linker-option.patch 
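Review bot: `plain.len = len - output[len - 1]` still trusts the last decrypted byte as the PKCS#5 pad length without checking it; with a wrong password — the very case this patch is about — that byte is effectively random, and a value of 0 or greater than `len` makes the unsigned `plain.len` wrap or exceed the buffer before `SEC_QuickDERDecodeItem` reads it. Add a guard before building `plain`, e.g. `if (len == 0 || output[len - 1] == 0 || output[len - 1] > len) goto loser;` (and an upper bound of the cipher block size, if it is known at that point). The `nss_ZAlloc` result for `privateKey->data` is also passed to `memcpy` without a NULL check, and `len - output[len - 1]` is now computed three times — compute it once and reuse `plain.len`. pem_mdSession_Login begins and ends outside the hunk, so whether `rv` is already set to an error at `loser` cannot be seen here.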
@@ -0,0 +1,16 @@ +diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk +--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700 ++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700 +@@ -174,6 +174,12 @@ endif + endif + endif + ++# harden DSOs/executables a bit against exploits ++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE)))) ++DSO_LDOPTS+=-Wl,-z,relro ++LDFLAGS += -Wl,-z,relro ++endif ++ + USE_SYSTEM_ZLIB = 1 + ZLIB_LIBS = -lz + diff --git a/SOURCES/cert8.db.xml b/SOURCES/cert8.db.xml new file mode 100644 index 0000000..e82948d --- /dev/null +++ b/SOURCES/cert8.db.xml @@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + cert8.db + 5 + + + + cert8.db + Legacy NSS certificate database + + + + Description + cert8.db is an NSS certificate database. + This certificate database is in the legacy database format. Consider migrating to cert9.db and key4.db which are the new sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/cert8.db + + + + See also + cert9.db(5), key4.db(5), pkcs11.txt(5), + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/SOURCES/cert9.db.xml b/SOURCES/cert9.db.xml new file mode 100644 index 0000000..6cff889 --- /dev/null +++ b/SOURCES/cert9.db.xml 
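Review bot: `-Wl,-z,relro` on its own gives only partial RELRO — with lazy binding the GOT stays writable, which is a common target for a write primitive in a library that handles keys; pair it with `-Wl,-z,now` so the whole GOT is made read-only after relocation: `DSO_LDOPTS+=-Wl,-z,relro -Wl,-z,now` and `LDFLAGS += -Wl,-z,relro -Wl,-z,now`. The gate `$(firstword $(sort 2.6 $(OS_RELEASE)))` is a lexical sort, so a release such as `10.0` would sort before `2.6` and silently drop the hardening; a comment noting the limitation, or removing the gate now that pre-2.6 kernels are not a target, would avoid that surprise. `-z now` adds startup cost for the dlopen-heavy NSS modules, so it is worth measuring before committing to it.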
@@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + cert9.db + 5 + + + + cert9.db + Legacy NSS certificate database + + + + Description + cert9.db is an NSS certificate database. + This certificate database is the sqlite-based shared databse with support for concurrent access. + + + + + Files + /etc/pki/nssdb/cert9.db + + + + See also + pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/SOURCES/disable-ocsp-stapling-tests.patch b/SOURCES/disable-ocsp-stapling-tests.patch new file mode 100644 index 0000000..df27c0e --- /dev/null +++ b/SOURCES/disable-ocsp-stapling-tests.patch @@ -0,0 +1,9 @@ +diff -up nss/tests/ocsp/ocsp.sh.skipoutbound nss/tests/ocsp/ocsp.sh +--- nss/tests/ocsp/ocsp.sh.skipoutbound 2013-04-24 18:04:30.203307355 -0700 ++++ nss/tests/ocsp/ocsp.sh 2013-04-24 18:06:27.967176794 -0700 +@@ -115,4 +115,4 @@ ocsp_stapling() + ################## main ################################################# + ocsp_init + ocsp_iopr_run +-ocsp_stapling ++#ocsp_stapling diff --git a/SOURCES/document-certutil-email-option.patch b/SOURCES/document-certutil-email-option.patch new file mode 100644 index 0000000..b9ca7e1 --- /dev/null +++ b/SOURCES/document-certutil-email-option.patch 
@@ -0,0 +1,25 @@ +diff --git a/doc/certutil.xml b/doc/certutil.xml +--- a/doc/certutil.xml ++++ b/doc/certutil.xml +@@ -204,16 +204,21 @@ If this option is not used, the validity + + + + -e + Check a certificate's signature during the process of validating a certificate. + + + ++ --email email-address ++ Specify the email address, used with the -L command option to print a single named certificate. ++ ++ ++ + -f password-file + Specify a file that will automatically supply the password to include in a certificate + or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent + unauthorized access to this file. + + + + -g keysize diff --git a/SOURCES/enable-fips-when-system-is-in-fips-mode.patch b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch new file mode 100644 index 0000000..3870cfc --- /dev/null +++ b/SOURCES/enable-fips-when-system-is-in-fips-mode.patch 
@@ -0,0 +1,78 @@ +diff -up nss/lib/pk11wrap/pk11pars.c.fips nss/lib/pk11wrap/pk11pars.c +--- nss/lib/pk11wrap/pk11pars.c.fips 2013-05-28 14:43:24.000000000 -0700 ++++ nss/lib/pk11wrap/pk11pars.c 2013-07-10 18:54:16.733465910 -0700 +@@ -150,6 +150,10 @@ SECMOD_CreateModule(const char *library, + } + mod->internal = NSSUTIL_ArgHasFlag("flags","internal",nssc); + mod->isFIPS = NSSUTIL_ArgHasFlag("flags","FIPS",nssc); ++ /* if the system FIPS mode is enabled, force FIPS to be on */ ++ if (SECMOD_GetSystemFIPSEnabled()) { ++ mod->isFIPS = PR_TRUE; ++ } + mod->isCritical = NSSUTIL_ArgHasFlag("flags","critical",nssc); + slotParams = NSSUTIL_ArgGetParamValue("slotParams",nssc); + mod->slotInfo = NSSUTIL_ArgParseSlotInfo(mod->arena,slotParams, +diff -up nss/lib/pk11wrap/pk11util.c.fips nss/lib/pk11wrap/pk11util.c +--- nss/lib/pk11wrap/pk11util.c.fips 2013-05-28 14:43:24.000000000 -0700 ++++ nss/lib/pk11wrap/pk11util.c 2013-07-10 18:54:16.734465927 -0700 +@@ -95,6 +95,25 @@ SECMOD_Shutdown() + return SECSuccess; + } + ++int SECMOD_GetSystemFIPSEnabled(void) { ++#ifdef LINUX ++ FILE *f; ++ char d; ++ size_t size; ++ ++ f = fopen("/proc/sys/crypto/fips_enabled", "r"); ++ if (!f) ++ return 0; ++ ++ size = fread(&d, 1, 1, f); ++ fclose(f); ++ if (size != 1) ++ return 0; ++ if (d == '1') ++ return 1; ++#endif ++ return 0; ++} + + /* + * retrieve the internal module +@@ -417,7 +436,7 @@ SECMOD_DeleteInternalModule(const char * + SECMODModuleList **mlpp; + SECStatus rv = SECFailure; + +- if (pendingModule) { ++ if (SECMOD_GetSystemFIPSEnabled() || pendingModule) { + PORT_SetError(SEC_ERROR_MODULE_STUCK); + return rv; + } +@@ -888,7 +907,7 @@ SECMOD_DestroyModuleList(SECMODModuleLis + PRBool + SECMOD_CanDeleteInternalModule(void) + { +- return (PRBool) (pendingModule == NULL); ++ return (PRBool) ((pendingModule == NULL) && !SECMOD_GetSystemFIPSEnabled()); + } + + /* +diff -up nss/lib/pk11wrap/secmodi.h.fips nss/lib/pk11wrap/secmodi.h +--- nss/lib/pk11wrap/secmodi.h.fips 2013-07-10 
18:55:06.358298154 -0700 ++++ nss/lib/pk11wrap/secmodi.h 2013-07-10 18:56:52.050069372 -0700 +@@ -116,7 +116,12 @@ PK11SymKey *pk11_TokenKeyGenWithFlagsAnd + CK_MECHANISM_TYPE pk11_GetPBECryptoMechanism(SECAlgorithmID *algid, + SECItem **param, SECItem *pwd, PRBool faulty3DES); + +- ++/* Get the state of the system FIPS mode */ ++/* NSS uses this to force FIPS mode if the system bit is on. Applications which ++ * use the SECMOD_CanDeleteInteral() to check to see if they can switch to or ++ * from FIPS mode will automatically be told that they can't swith out of FIPS ++ * mode */ ++int SECMOD_GetSystemFIPSEnabled(); + + extern void pk11sdr_Init(void); + extern void pk11sdr_Shutdown(void); diff --git a/SOURCES/iquote.patch b/SOURCES/iquote.patch new file mode 100644 index 0000000..3df4927 --- /dev/null +++ b/SOURCES/iquote.patch 
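Review bot: The header declares `int SECMOD_GetSystemFIPSEnabled();` with an empty parameter list while the definition in pk11util.c uses `(void)`; make the prototype `int SECMOD_GetSystemFIPSEnabled(void);` so it is a real prototype, and fix the typos in the comment above it (`SECMOD_CanDeleteInteral`, `swith`). In pk11pars.c the forced `mod->isFIPS = PR_TRUE` applies to every module `SECMOD_CreateModule` parses, not only the internal softoken; if `isFIPS` has meaning for third-party PKCS#11 modules this should presumably be limited with `mod->internal &&`, but that depends on code outside the hunk. The function also re-reads `/proc/sys/crypto/fips_enabled` on every call, and it is now on the `SECMOD_CanDeleteInternalModule` path; if the system flag cannot change during the process lifetime, a cached one-time read would be cheaper and guarantees a single consistent answer. SECMOD_CreateModule, SECMOD_DeleteInternalModule and SECMOD_CanDeleteInternalModule all start or end outside the hunk.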
@@ -0,0 +1,62 @@ +diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile +--- nss/cmd/bltest/Makefile.iquote 2013-06-27 10:58:08.000000000 -0700 ++++ nss/cmd/bltest/Makefile 2013-07-02 15:02:26.656643246 -0700 +@@ -45,6 +45,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + ++INCLUDES += -iquote $(DIST)/../private/nss + + + ####################################################################### +diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile +--- nss/cmd/lib/Makefile.iquote 2013-07-02 15:07:47.260622471 -0700 ++++ nss/cmd/lib/Makefile 2013-07-02 15:08:47.219179157 -0700 +@@ -38,7 +38,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../private/nss ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2013-06-27 10:58:08.000000000 -0700 ++++ nss/coreconf/location.mk 2013-07-02 15:02:26.656643246 -0700 +@@ -45,6 +45,10 @@ endif + + ifdef NSS_INCLUDE_DIR + INCLUDES += -I$(NSS_INCLUDE_DIR) ++ ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss ++ INCLUDES += -iquote $(DIST)/../private/nss ++ endif + endif + + ifndef NSS_LIB_DIR +diff -up nss/lib/certhigh/Makefile.iquote nss/lib/certhigh/Makefile +--- nss/lib/certhigh/Makefile.iquote 2013-09-27 11:13:55.158689314 -0700 ++++ nss/lib/certhigh/Makefile 2013-09-27 11:14:38.181042336 -0700 +@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. 
(OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/lib/cryptohi/Makefile.iquote nss/lib/cryptohi/Makefile +--- nss/lib/cryptohi/Makefile.iquote 2013-09-27 11:11:30.117494489 -0700 ++++ nss/lib/cryptohi/Makefile 2013-09-27 11:12:54.704194915 -0700 +@@ -38,7 +38,7 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff --git a/SOURCES/key3.db.xml b/SOURCES/key3.db.xml new file mode 100644 index 0000000..444d7aa --- /dev/null +++ b/SOURCES/key3.db.xml @@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + key3.db + 5 + + + + key3.db + Legacy NSS certificate database + + + + Description + key3.db is an NSS certificate database. + This is a key database in the legacy database format. Consider migrating to cert9.db and key4.db which which are the new sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/key3.db + + + + See also + cert9.db(5), key4.db(5), pkcs11.txt(5), + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/SOURCES/key4.db.xml b/SOURCES/key4.db.xml new file mode 100644 index 0000000..9b65f41 --- /dev/null +++ b/SOURCES/key4.db.xml 
@@ -0,0 +1,59 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + key4.db + 5 + + + + key4.db + NSS certificate database + + + + Description + key4.db is an NSS key database. + This key database is the sqlite-based shared database format with support for concurrent access. + + + + + Files + /etc/pki/nssdb/key4.db + + + + See also + pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch new file mode 100644 index 0000000..3347ee9 --- /dev/null +++ b/SOURCES/nss-3.14.0.0-disble-ocsp-test.patch @@ -0,0 +1,11 @@ +diff -up nss/tests/chains/scenarios/scenarios.noocsptest nss/tests/chains/scenarios/scenarios +--- nss/tests/chains/scenarios/scenarios.noocsptest 2013-06-27 10:58:08.000000000 -0700 ++++ nss/tests/chains/scenarios/scenarios 2013-07-02 16:13:27.075038930 -0700 +@@ -50,7 +50,6 @@ bridgewithpolicyextensionandmapping.cfg + realcerts.cfg + dsa.cfg + revoc.cfg +-ocsp.cfg + crldp.cfg + trustanchors.cfg + nameconstraints.cfg diff --git a/SOURCES/nss-539183.patch b/SOURCES/nss-539183.patch new file mode 100644 index 0000000..3798c35 --- /dev/null +++ b/SOURCES/nss-539183.patch 
@@ -0,0 +1,54 @@ +diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c +--- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700 ++++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700 +@@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; ++ PRUint16 socketDomain = PR_AF_INET; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ if (PR_GetEnv("NSS_USE_SDP")) { ++ socketDomain = PR_AF_INET_SDP; ++ } ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; +diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c +--- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700 ++++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700 +@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port + PRStatus prStatus; + PRNetAddr addr; + PRSocketOptionData opt; ++ PRUint16 socketDomain = PR_AF_INET; + +- addr.inet.family = PR_AF_INET; +- addr.inet.ip = PR_INADDR_ANY; +- addr.inet.port = PR_htons(port); ++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) { ++ errExit("PR_SetNetAddr"); ++ } + +- listen_sock = PR_NewTCPSocket(); ++ if (PR_GetEnv("NSS_USE_SDP")) { ++ socketDomain = PR_AF_INET_SDP; ++ } ++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6); + if (listen_sock == NULL) { +- errExit("PR_NewTCPSocket"); ++ errExit("PR_OpenTCPSocket error"); + } + + opt.option = PR_SockOpt_Nonblocking; diff --git a/SOURCES/nss-646045.patch b/SOURCES/nss-646045.patch new file mode 100644 index 0000000..33b80fe --- /dev/null +++ b/SOURCES/nss-646045.patch 
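Review bot: In both `getBoundListenSocket` hunks `socketDomain` is assigned (to `PR_AF_INET_SDP` when `NSS_USE_SDP` is set) but never read — `PR_OpenTCPSocket(PR_AF_INET6)` is hard-coded — so the SDP switch is dead and the compiler will flag a set-but-unused variable. Initialise it to match the address now built with `PR_AF_INET6` and pass it through: `PRUint16 socketDomain = PR_AF_INET6;` … `listen_sock = PR_OpenTCPSocket(socketDomain);`. Whether the AF_INET6 wildcard listener also accepts IPv4 clients depends on the host's `IPV6_V6ONLY` default, which the hunk does not set; a comment stating the expectation would help the next reader. Both functions continue past the hunk.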
@@ -0,0 +1,34 @@ +diff -up nss/tests/dbtests/dbtests.sh.646045 nss/tests/dbtests/dbtests.sh +--- nss/tests/dbtests/dbtests.sh.646045 2013-04-04 13:31:55.000000000 -0700 ++++ nss/tests/dbtests/dbtests.sh 2013-04-04 15:57:46.298127149 -0700 +@@ -168,6 +168,9 @@ dbtest_main() + cat $RONLY_DIR/* > /dev/null + fi + ++ # skipping the next two tests when user is root, ++ # otherwise they would fail due to rooty powers ++ if [[ $EUID -ne 0 ]] then + ${BINDIR}/dbtest -d $RONLY_DIR + ret=$? + if [ $ret -ne 46 ]; then +@@ -175,6 +178,10 @@ dbtest_main() + else + html_passed "Dbtest r/w didn't work in an readonly dir $ret" + fi ++ else ++ html_passed "Skipping Dbtest r/w in a readonly dir because user is root" ++ fi ++ if [[ $EUID -ne 0 ]] then + ${BINDIR}/certutil -D -n "TestUser" -d . + ret=$? + if [ $ret -ne 255 ]; then +@@ -182,6 +189,9 @@ dbtest_main() + else + html_passed "Certutil didn't work in an readonly dir $ret" + fi ++ else ++ html_passed "Skipping Certutil delete cert in an readonly directory test because user is root" ++ fi + + Echo "test opening the database ronly in a readonly directory" + diff --git a/SOURCES/nss-config.in b/SOURCES/nss-config.in new file mode 100644 index 0000000..f8f893e --- /dev/null +++ b/SOURCES/nss-config.in 
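Review bot: `if [[ $EUID -ne 0 ]] then` is missing the separator before `then` (twice in `dbtest_main`), so bash rejects the function with a syntax error before any of the dbtests run; write `if [[ $EUID -ne 0 ]]; then`. `[[ ]]` and `$EUID` are bash-only, so if this script may be run by a plain `sh` the portable form is `if [ "$(id -u)" -ne 0 ]; then`. dbtest_main begins and ends outside the hunk.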
@@ -0,0 +1,145 @@ +#!/bin/sh + +prefix=@prefix@ + +major_version=@MOD_MAJOR_VERSION@ +minor_version=@MOD_MINOR_VERSION@ +patch_version=@MOD_PATCH_VERSION@ + +usage() +{ + cat <&2 +fi + +lib_ssl=yes +lib_smime=yes +lib_nss=yes +lib_nssutil=yes + +while test $# -gt 0; do + case "$1" in + -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) optarg= ;; + esac + + case $1 in + --prefix=*) + prefix=$optarg + ;; + --prefix) + echo_prefix=yes + ;; + --exec-prefix=*) + exec_prefix=$optarg + ;; + --exec-prefix) + echo_exec_prefix=yes + ;; + --includedir=*) + includedir=$optarg + ;; + --includedir) + echo_includedir=yes + ;; + --libdir=*) + libdir=$optarg + ;; + --libdir) + echo_libdir=yes + ;; + --version) + echo ${major_version}.${minor_version}.${patch_version} + ;; + --cflags) + echo_cflags=yes + ;; + --libs) + echo_libs=yes + ;; + ssl) + lib_ssl=yes + ;; + smime) + lib_smime=yes + ;; + nss) + lib_nss=yes + ;; + nssutil) + lib_nssutil=yes + ;; + *) + usage 1 1>&2 + ;; + esac + shift +done + +# Set variables that may be dependent upon other variables +if test -z "$exec_prefix"; then + exec_prefix=`pkg-config --variable=exec_prefix nss` +fi +if test -z "$includedir"; then + includedir=`pkg-config --variable=includedir nss` +fi +if test -z "$libdir"; then + libdir=`pkg-config --variable=libdir nss` +fi + +if test "$echo_prefix" = "yes"; then + echo $prefix +fi + +if test "$echo_exec_prefix" = "yes"; then + echo $exec_prefix +fi + +if test "$echo_includedir" = "yes"; then + echo $includedir +fi + +if test "$echo_libdir" = "yes"; then + echo $libdir +fi + +if test "$echo_cflags" = "yes"; then + echo -I$includedir +fi + +if test "$echo_libs" = "yes"; then + libdirs="-Wl,-rpath-link,$libdir -L$libdir" + if test -n "$lib_ssl"; then + libdirs="$libdirs -lssl${major_version}" + fi + if test -n "$lib_smime"; then + libdirs="$libdirs -lsmime${major_version}" + fi + if test -n "$lib_nss"; then + libdirs="$libdirs -lnss${major_version}" + fi + if test -n "$lib_nssutil"; then + 
libdirs="$libdirs -lnssutil${major_version}" + fi + echo $libdirs +fi + diff --git a/SOURCES/nss-config.xml b/SOURCES/nss-config.xml new file mode 100644 index 0000000..f9518c9 --- /dev/null +++ b/SOURCES/nss-config.xml @@ -0,0 +1,132 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + nss-config + 1 + + + + nss-config + Return meta information about nss libraries + + + + + nss-config + + + + + + + + + + + + Description + + nss-config is a shell scrip + tool which can be used to obtain gcc options for building client pacakges of nspt. + + + + + Options + + + + + Returns the top level system directory under which the nss libraries are installed. + + + + + returns the top level system directory under which any nss binaries would be installed. + + + + count + returns the path to the directory were the nss libraries are installed. + + + + + returns the upstream version of nss in the form major_version-minor_version-patch_version. + + + + + returns the compiler linking flags. + + + + + returns the compiler include flags. + + + + + returns the path to the directory were the nss libraries are installed. + + + + + + + Examples + + The following example will query for both include path and linkage flags: + + + /usr/bin/nss-config --cflags --libs + + + + + + + + + Files + + /usr/bin/nss-config + + + + + See also + pkg-config(1) + + + + Authors + The nss liraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/SOURCES/nss-enable-pem.patch b/SOURCES/nss-enable-pem.patch new file mode 100644 index 0000000..723039a --- /dev/null +++ b/SOURCES/nss-enable-pem.patch 
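Review bot: The `ssl`, `smime`, `nss` and `nssutil` positional arguments have no effect, because `lib_ssl`, `lib_smime`, `lib_nss` and `lib_nssutil` are all preset to `yes` before the option loop and the `--libs` branch only tests them with `-n`; every caller gets all four libraries regardless of what it selects. If per-library selection is intended, initialise the four variables empty and let the arguments set them; if it is not, drop the four cases and the `-n` tests so the script does not advertise an option it ignores. The `--version` case also prints inside the loop instead of setting an `echo_version` flag like the other options, so its output position depends on argument order.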
@@ -0,0 +1,12 @@
+diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn
+--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700
++++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../..
+ 
+-DIRS = builtins
++DIRS = builtins pem
+ 
+ PRIVATE_EXPORTS = \
+ ck.h \
diff --git a/SOURCES/nss-skip-bltest-and-fipstest.patch b/SOURCES/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 0000000..7d2427b
--- /dev/null
+++ b/SOURCES/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,17 @@
+diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile
+--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700
++++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700
+@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS
+ DIRS += libpkix
+ endif
+ 
+-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
+ BLTEST_SRCDIR =
+-FIPSTEST_SRCDIR =
+-SHLIBSIGN_SRCDIR =
++FIPSTEST_SRCDIR =
++SHLIBSIGN_SRCDIR = shlibsign
+ else
+ BLTEST_SRCDIR = bltest
+ FIPSTEST_SRCDIR = fipstest
diff --git a/SOURCES/nss-versus-softoken-tests.patch b/SOURCES/nss-versus-softoken-tests.patch
new file mode 100644
index 0000000..e77487d
--- /dev/null
+++ b/SOURCES/nss-versus-softoken-tests.patch
@@ -0,0 +1,38 @@
+diff -up nss/tests/all.sh.crypto nss/tests/all.sh
+--- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
+@@ -299,9 +299,10 @@ fi
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the
+ # following test for modutil should check for that instead.
++# Except when building softoken only where shlibsign is the last one built.
++export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
+ 
+-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
+- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
++if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
+ echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+ html_head "Testing Initialization"
+ Exit "Checking for build"
+diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
+--- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
+@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
+ return 0
+ fi
+ cipher_init
+-cipher_main
+-cipher_gcm
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
++ echo "Skipping cipher_gcm because this is a softoken only build"
++ cipher_main
++elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
++ echo "Skipping cipher_main because this an nss without softoken build"
++ cipher_gcm
++else
++ # default is to run both
++ cipher_init
++ cipher_main
++ cipher_gcm
++fi
+ cipher_cleanup
diff --git a/SOURCES/nss.pc.in b/SOURCES/nss.pc.in
new file mode 100644
index 0000000..69823cb
--- /dev/null
+++ b/SOURCES/nss.pc.in
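Review bot: `export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil` does not evaluate a test: `[`, `-eq`, `"1"` and `]` become further arguments to `export` (which rejects `-eq` as an option), and `&& shlibsign || modutil` then runs one of those programs as a command instead of choosing a name, so `LAST_BUILT` never holds `shlibsign` or `modutil` and the "Build Incomplete" guard below it is effectively disabled. The rewritten `if` also keeps a dangling `-a ]` from the removed second `! -f` test, which `[` is likely to reject as malformed. Replace the two lines with `if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then LAST_BUILT=shlibsign; else LAST_BUILT=modutil; fi` and `if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} ]; then`. In the cipher.sh hunk the default branch calls `cipher_init` a second time after the unconditional call just above the `if`.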
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS
+Description: Network Security Services
+Version: %NSS_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lssl3 -lsmime3 -lnss3
+Cflags: -I${includedir}
diff --git a/SOURCES/nsspem-use-system-freebl.patch b/SOURCES/nsspem-use-system-freebl.patch
new file mode 100644
index 0000000..115b49c
--- /dev/null
+++ b/SOURCES/nsspem-use-system-freebl.patch
@@ -0,0 +1,80 @@
+diff -up nss/lib/ckfw/pem/config.mk.systemfreebl nss/lib/ckfw/pem/config.mk
+--- nss/lib/ckfw/pem/config.mk.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/config.mk 2013-04-04 16:02:33.805744145 -0700
+@@ -41,6 +41,11 @@ CONFIG_CVS_ID = "@(#) $RCSfile: config.m
+ # are specifed as dependencies within rules.mk.
+ #
+ 
++
++EXTRA_LIBS += \
++ $(SOFTOKEN_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
++ $(NULL)
++
+ TARGETS = $(SHARED_LIBRARY)
+ LIBRARY =
+ IMPORT_LIBRARY =
+@@ -69,3 +74,22 @@ ifeq ($(OS_TARGET),SunOS)
+ MKSHLIB += -R '$$ORIGIN'
+ endif
+ 
++# If a platform has a system nssutil, set USE_SYSTEM_NSSUTIL to 1 and
++# NSSUTIL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lnssutil3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_NSSUTIL
++OS_LIBS += $(NSSUTIL_LIBS)
++else
++NSSUTIL_LIBS = $(DIST)/lib/$(LIB_PREFIX)nssutil3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(NSSUTIL_LIBS)
++endif
++# If a platform has a system freebl, set USE_SYSTEM_FREEBL to 1 and
++# FREEBL_LIBS to the linker command-line arguments for the system nssutil
++# (for example, -lfreebl3 on fedora) in the platform's config file in coreconf.
++ifdef USE_SYSTEM_FREEBL
++OS_LIBS += $(FREEBL_LIBS)
++else
++FREEBL_LIBS = $(DIST)/lib/$(LIB_PREFIX)freebl3.$(LIB_SUFFIX)
++EXTRA_LIBS += $(FREEBL_LIBS)
++endif
++
+diff -up nss/lib/ckfw/pem/Makefile.systemfreebl nss/lib/ckfw/pem/Makefile
+--- nss/lib/ckfw/pem/Makefile.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/Makefile 2013-04-04 16:02:33.806744154 -0700
+@@ -43,8 +43,7 @@ include config.mk
+ EXTRA_LIBS = \
+ $(DIST)/lib/$(LIB_PREFIX)nssckfw.$(LIB_SUFFIX) \
+ $(DIST)/lib/$(LIB_PREFIX)nssb.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+- $(DIST)/lib/$(LIB_PREFIX)nssutil.$(LIB_SUFFIX) \
++ $(FREEBL_LIB_DIR)/$(LIB_PREFIX)freebl.$(LIB_SUFFIX) \
+ $(NULL)
+ 
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+@@ -56,6 +55,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3
+ $(NULL)
+ else
+ EXTRA_SHARED_LIBS += \
+@@ -74,6 +76,9 @@ EXTRA_LIBS += \
+ -lplc4 \
+ -lplds4 \
+ -lnspr4 \
++ -L$(NSSUTIL_LIB_DIR) \
++ -lnssutil3 \
++ -lfreebl3 \
+ $(NULL)
+ endif
+ 
+diff -up nss/lib/ckfw/pem/manifest.mn.systemfreebl nss/lib/ckfw/pem/manifest.mn
+--- nss/lib/ckfw/pem/manifest.mn.systemfreebl 2012-08-11 09:06:59.000000000 -0700
++++ nss/lib/ckfw/pem/manifest.mn 2013-04-04 16:02:33.807744163 -0700
+@@ -65,4 +65,4 @@ REQUIRES = nspr
+ 
+ LIBRARY_NAME = nsspem
+ 
+-#EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4
++EXTRA_SHARED_LIBS = -L$(DIST)/lib -lnssckfw -lnssb -lplc4 -lplds4 -L$(NSS_LIB_DIR) -lnssutil3 -lfreebl3 -lsoftokn3
diff --git a/SOURCES/p-ignore-setpolicy.patch b/SOURCES/p-ignore-setpolicy.patch
new file mode 100644
index 0000000..c6632b3
--- /dev/null
+++ b/SOURCES/p-ignore-setpolicy.patch
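Review bot: The comment introducing `USE_SYSTEM_FREEBL` in config.mk says `FREEBL_LIBS` holds the arguments "for the system nssutil"; it was copied from the nssutil block above and should read `# FREEBL_LIBS to the linker command-line arguments for the system freebl`. In the first Makefile hunk the added `-lfreebl3` line has no trailing `\`, unlike the same addition in the second hunk, so `$(NULL)` is no longer part of that `EXTRA_LIBS` assignment. The patch also names the static freebl archive through two different variables (`$(SOFTOKEN_LIB_DIR)` in config.mk, `$(FREEBL_LIB_DIR)` in the Makefile) while manifest.mn additionally links `-lfreebl3` and `-lsoftokn3` dynamically; if the archive is what ends up inside libnsspem, as the spec comment about linking pem statically against the buildroot's freebl suggests, that library carries its own copy of the crypto primitives that a later nss-softokn update will not replace. A comment in config.mk stating that trade-off and which of the two variables is authoritative would help whoever rebases this.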
@@ -0,0 +1,31 @@ +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -1252,25 +1252,22 @@ SSL_CipherPrefGet(PRFileDesc *fd, PRInt3 + rv = ssl3_CipherPrefGet(ss, (ssl3CipherSuite)which, enabled); + } + return rv; + } + + SECStatus + NSS_SetDomesticPolicy(void) + { +- SECStatus status = SECSuccess; + const PRUint16 *cipher; + + for (cipher = SSL_ImplementedCiphers; *cipher != 0; ++cipher) { +- status = SSL_SetPolicy(*cipher, SSL_ALLOWED); +- if (status != SECSuccess) +- break; ++ SSL_SetPolicy(*cipher, SSL_ALLOWED); + } +- return status; ++ return SECSuccess; + } + + SECStatus + NSS_SetExportPolicy(void) + { + return NSS_SetDomesticPolicy(); + } + diff --git a/SOURCES/pkcs11.txt.xml b/SOURCES/pkcs11.txt.xml new file mode 100644 index 0000000..d30e469 --- /dev/null +++ b/SOURCES/pkcs11.txt.xml @@ -0,0 +1,56 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + pkcs11.txt + 5 + + + + pkcs11.txt + NSS PKCS #11 module configuration file + + + + Description + +The pkcs11.txt file is used to configure initialization parameters for the nss security module and optionally other pkcs #11 modules. + + +For full documentation visit PKCS #11 Module Specs. + + + + + Files + /etc/pki/nssdb/pkcs11.txt + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/SOURCES/renegotiate-transitional.patch b/SOURCES/renegotiate-transitional.patch new file mode 100644 index 0000000..c55a1a2 --- /dev/null +++ b/SOURCES/renegotiate-transitional.patch 
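Review bot: `NSS_SetDomesticPolicy` now discards the result of every `SSL_SetPolicy` call and returns `SECSuccess` unconditionally, so a caller can no longer tell that some cipher suites were left under their previous policy, and nothing in the hunk records why that is acceptable. Add a comment above the loop with the rationale, e.g. `/* Ignore per-suite failures: a suite that cannot be (re)enabled is left as is instead of aborting the whole policy switch (rhbz 1026677). */`, so the deviation from upstream's error-propagating version is visible on the next rebase. If some failures still matter, keeping `status` and returning it after the loop without the `break` would apply the policy to every suite while still reporting an error. `NSS_SetExportPolicy` delegates to this function, so it inherits the change.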
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700
++++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700
+@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = {
+ PR_FALSE, /* noLocks */
+ PR_FALSE, /* enableSessionTickets */
+ PR_FALSE, /* enableDeflate */
+- 2, /* enableRenegotiation (default: requires extension) */
++ 3, /* enableRenegotiation (default: transitional) */
+ PR_FALSE, /* requireSafeNegotiation */
+ PR_FALSE, /* enableFalseStart */
+ PR_TRUE, /* cbcRandomIV */
diff --git a/SOURCES/secmod.db.xml b/SOURCES/secmod.db.xml
new file mode 100644
index 0000000..afc9dce
--- /dev/null
+++ b/SOURCES/secmod.db.xml
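Review bot: Changing the `enableRenegotiation` default from 2 to 3 relaxes every NSS-linked program that never sets the option itself, and the only record of that is the edited initializer comment. The patch (or the spec's changelog) should state what the transitional mode permits that "requires extension" did not — as I read the NSS option values, it lets clients renegotiate with peers that lack the RFC 5746 secure-renegotiation extension while servers still refuse, but that should be confirmed against the header — and that applications can restore the stricter behaviour with `SSL_OptionSetDefault(SSL_ENABLE_RENEGOTIATION, ...)`. Without that, a distribution-level weakening of the renegotiation policy is invisible to anyone auditing the shipped library.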
@@ -0,0 +1,63 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + secmod.db + 5 + + + + secmod.db + Legacy NSS security modules database + + + + Description + secmod.db is an NSS security modules database. + The security modules database is used to keep track of the NSS security modules. The NSS security modules export their services via the PKCS #11 API which NSS uses as its Services Provider Interface. + + The command line utility modutil is used for managing PKCS #11 module information both within secmod.db files and within hardware tokens. + + For new applications the recommended way of tracking security modules is via the pkcs11.txt configuration file used in conjunction the new sqlite-based shared database format for certificate and key databases. + + + + + Files + /etc/pki/nssdb/secmod.db + + + + See also + modutil(1), cert8.db(5), cert9.db(5), key3.db(5), key4.db(5), pkcs11.txt(5) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + + diff --git a/SOURCES/setup-nsssysinit.sh b/SOURCES/setup-nsssysinit.sh new file mode 100755 index 0000000..8e1f5f7 --- /dev/null +++ b/SOURCES/setup-nsssysinit.sh 
@@ -0,0 +1,68 @@ +#!/bin/sh +# +# Turns on or off the nss-sysinit module db by editing the +# global PKCS #11 congiguration file. Displays the status. +# +# This script can be invoked by the user as super user. +# It is invoked at nss-sysinit post install time with argument on. +# +usage() +{ + cat <&2 +fi + +# the system-wide configuration file +p11conf="/etc/pki/nssdb/pkcs11.txt" +# must exist, otherwise report it and exit with failure +if [ ! -f $p11conf ]; then + echo "Could not find ${p11conf}" + exit 1 +fi + +# check if nsssysinit is currently enabled or disabled +sysinit_enabled() +{ + grep -q '^library=libnsssysinit' ${p11conf} +} + +umask 022 +case "$1" in + on | ON ) + if sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on + mv ${p11conf}.on ${p11conf} + ;; + off | OFF ) + if ! sysinit_enabled; then + exit 0 + fi + cat ${p11conf} | \ + sed -e 's/^library=libnsssysinit.so/library=/' \ + -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ + ${p11conf}.off + mv ${p11conf}.off ${p11conf} + ;; + status ) + echo -n 'NSS sysinit is ' + sysinit_enabled && echo 'enabled' || echo 'disabled' + ;; + * ) + usage 1 1>&2 + ;; +esac diff --git a/SOURCES/setup-nsssysinit.xml b/SOURCES/setup-nsssysinit.xml new file mode 100644 index 0000000..bca4bfa --- /dev/null +++ b/SOURCES/setup-nsssysinit.xml 
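Review bot: `mv ${p11conf}.on ${p11conf}` (and the `.off` counterpart) runs regardless of whether the preceding `sed` pipeline succeeded, so a failed or truncated write replaces the system-wide `pkcs11.txt` with an incomplete file and leaves every NSS application on the host with a broken module configuration. Chain the two steps and read the file directly instead of through `cat`: `sed -e ... ${p11conf} > ${p11conf}.on && mv ${p11conf}.on ${p11conf}`, so a failure leaves the original in place and the script exits non-zero. The `status` branch uses `echo -n`, whose behaviour is implementation-defined under `#!/bin/sh`; `printf 'NSS sysinit is '` is portable.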
@@ -0,0 +1,106 @@ + + + +]> + + + + + &date; + Network Security Services + nss + &version; + + + + setup-nsssysinit + 1 + + + + setup-nsssysinit + Query or enable the nss-sysinit module + + + + + setup-nsssysinit + + + + + + + + Description + setup-nsssysinit is a shell script to query the status of the nss-sysinit module and when run with root priviledge it can enable or disable it. + Turns on or off the nss-sysinit module db by editing the global PKCS #11 configuration file. Displays the status. This script can be invoked by the user as super user. It is invoked at nss-sysinit post install time with argument on. + + + + + Options + + + + + Turn on nss-sysinit. + + + + + Turn on nss-sysinit. + + + + count + returns whether nss-syinit is enabled or not. + + + + + + + Examples + + The following example will query for the status of nss-sysinit: + + /usr/bin/setup-nsssysinit --status + + + + The following example, when run as superuser, will turn on nss-sysinit: + + /usr/bin/setup-nsssysinit --on + + + + + + + Files + /usr/sbin/setup-nsssysinit + + + + See also + pkg-config(1) + + + + Authors + The nss libraries were written and maintained by developers with Netscape, Red Hat, Sun, Oracle, Mozilla, and Google. + Authors: Elio Maldonado <emaldona@redhat.com>. + + + + + LICENSE + Licensed under the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. + + + + + diff --git a/SOURCES/system-pkcs11.txt b/SOURCES/system-pkcs11.txt new file mode 100644 index 0000000..c2f5704 --- /dev/null +++ b/SOURCES/system-pkcs11.txt 
@@ -0,0 +1,5 @@
+library=libnsssysinit.so
+name=NSS Internal PKCS #11 Module
+parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+
diff --git a/SOURCES/utilwrap-include-templates.patch b/SOURCES/utilwrap-include-templates.patch
new file mode 100644
index 0000000..649b548
--- /dev/null
+++ b/SOURCES/utilwrap-include-templates.patch
@@ -0,0 +1,14 @@
+diff -up nss/lib/nss/config.mk.templates nss/lib/nss/config.mk
+--- nss/lib/nss/config.mk.templates 2013-06-18 11:32:07.590089155 -0700
++++ nss/lib/nss/config.mk 2013-06-18 11:33:28.732763345 -0700
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++#ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++#endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ 
diff --git a/SPECS/nss.spec b/SPECS/nss.spec
new file mode 100644
index 0000000..fffec65
--- /dev/null
+++ b/SPECS/nss.spec
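Review bot: In the utilwrap-include-templates hunk the `ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)` guard around `INCLUDES += -I/usr/include/nss3/templates` is commented out, so the system templates directory is added for every build of this directory, including in-tree builds that carry their own copies of those headers; whether the system copy wins depends on include order, which this hunk does not show. If the unconditional form is intended, delete the two commented `#ifeq`/`#endif` lines and add a one-line comment saying why the directory is always needed (the spec describes it as a Fedora/RHEL-only addition for mod_revocator); otherwise restore the guard.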
@@ -0,0 +1,1645 @@ +%global nspr_version 4.10 +%global nss_util_version 3.15.2 +%global nss_softokn_fips_version 3.12.9 +%global nss_softokn_version 3.15.2 +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" + +# solution taken from icedtea-web.spec +%define multilib_arches ppc64 s390x sparc64 x86_64 +%ifarch %{multilib_arches} +%define alt_ckbi libnssckbi.so.%{_arch} +%else +%define alt_ckbi libnssckbi.so +%endif + +# Define if using a source archive like "nss-version.with.ckbi.version". +# To "disable", add "#" to start of line, AND a space after "%". +#% define nss_ckbi_suffix .with.ckbi.1.93 + +Summary: Network Security Services +Name: nss +Version: 3.15.2 +Release: 8%{?dist} +License: MPLv2.0 +URL: http://www.mozilla.org/projects/security/pki/nss/ +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} +Requires: nss-util >= %{nss_util_version} +# TODO: revert to same version as nss once we are done with the merge +Requires: nss-softokn%{_isa} >= %{nss_softokn_version} +Requires: nss-system-init +Requires(post): %{_sbindir}/update-alternatives +Requires(postun): %{_sbindir}/update-alternatives +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRequires: nspr-devel >= %{nspr_version} +# TODO: revert to same version as nss once we are done with the merge +# Using '>=' but on RHEL the requires should be '=' +BuildRequires: nss-softokn-devel >= %{nss_softokn_version} +BuildRequires: nss-util-devel >= %{nss_util_version} +BuildRequires: sqlite-devel +BuildRequires: zlib-devel +BuildRequires: pkgconfig +BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl + +%{!?nss_ckbi_suffix:%define full_nss_version %{version}} +%{?nss_ckbi_suffix:%define full_nss_version %{version}%{nss_ckbi_suffix}} + +Source0: %{name}-%{full_nss_version}.tar.bz2 +Source1: nss.pc.in +Source2: nss-config.in 
+Source3: blank-cert8.db +Source4: blank-key3.db +Source5: blank-secmod.db +Source6: blank-cert9.db +Source7: blank-key4.db +Source8: system-pkcs11.txt +Source9: setup-nsssysinit.sh +Source10: PayPalEE.cert +Source12: %{name}-pem-20130405.tar.bz2 +Source17: TestCA.ca.cert +Source18: TestUser50.cert +Source19: TestUser51.cert +Source20: nss-config.xml +Source21: setup-nsssysinit.xml +Source22: pkcs11.txt.xml +Source23: cert8.db.xml +Source24: cert9.db.xml +Source25: key3.db.xml +Source26: key4.db.xml +Source27: secmod.db.xml + +Patch2: add-relro-linker-option.patch +Patch3: renegotiate-transitional.patch +Patch6: nss-enable-pem.patch +Patch16: nss-539183.patch +Patch18: nss-646045.patch +# must statically link pem against the freebl in the buildroot +# Needed only when freebl on tree has new APIS +Patch25: nsspem-use-system-freebl.patch +# TODO: Remove this patch when the ocsp test are fixed +Patch40: nss-3.14.0.0-disble-ocsp-test.patch +Patch44: 0001-sync-up-with-upstream-softokn-changes.patch +Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch +# The ocsp stapling tests currently require access to the +# kuix.de test server but koji forbids outbount connections +Patch46: disable-ocsp-stapling-tests.patch +# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator +Patch47: utilwrap-include-templates.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171 +Patch48: nss-versus-softoken-tests.patch +# TODO remove when we switch to building nss without softoken +Patch49: nss-skip-bltest-and-fipstest.patch +Patch50: iquote.patch +Patch52: Bug-1001841-disable-sslv2-libssl.patch +Patch53: Bug-1001841-disable-sslv2-tests.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=932001 +Patch54: document-certutil-email-option.patch +Patch55: enable-fips-when-system-is-in-fips-mode.patch +# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677 +Patch56: p-ignore-setpolicy.patch + +%description 
+Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +%package tools +Summary: Tools for the Network Security Services +Group: System Environment/Base +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description tools +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled client and +server applications. Applications built with NSS can support SSL v2 +and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 +v3 certificates, and other security standards. + +Install the nss-tools package if you need command-line tools to +manipulate the NSS certificate and key database. + +%package sysinit +Summary: System NSS Initialization +Group: System Environment/Base +# providing nss-system-init without version so that it can +# be replaced by a better one, e.g. supplied by the os vendor +Provides: nss-system-init +Requires: nss = %{version}-%{release} +Requires(post): coreutils, sed + +%description sysinit +Default Operating System module that manages applications loading +NSS globally on the system. This module loads the system defined +PKCS #11 modules for NSS and chains with other NSS modules to load +any system or user configured modules. + +%package devel +Summary: Development libraries for Network Security Services +Group: Development/Libraries +Provides: nss-static = %{version}-%{release} +Requires: nss = %{version}-%{release} +Requires: nss-util-devel +Requires: nss-softokn-devel +Requires: nspr-devel >= %{nspr_version} +Requires: pkgconfig +BuildRequires: xmlto + +%description devel +Header and Library files for doing development with Network Security Services. 
+ + +%package pkcs11-devel +Summary: Development libraries for PKCS #11 (Cryptoki) using NSS +Group: Development/Libraries +Provides: nss-pkcs11-devel-static = %{version}-%{release} +Requires: nss-devel = %{version}-%{release} +# TODO: revert to using nss_softokn_version once we are done with +# the merge into to new rhel git repo +# For RHEL we should have '=' instead of '>=' +Requires: nss-softokn-freebl-devel >= %{nss_softokn_version} + +%description pkcs11-devel +Library files for developing PKCS #11 modules using basic NSS +low level services. + + +%prep +%setup -q +%{__cp} %{SOURCE10} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE17} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE18} -f ./nss/tests/libpkix/certs +%{__cp} %{SOURCE19} -f ./nss/tests/libpkix/certs +%setup -q -T -D -n %{name}-%{version} -a 12 + +%patch2 -p0 -b .relro +%patch3 -p0 -b .transitional +%patch6 -p0 -b .libpem +%patch16 -p0 -b .539183 +%patch18 -p0 -b .646045 +# link pem against buildroot's freebl, essential when mixing and matching +%patch25 -p0 -b .systemfreebl +%patch40 -p0 -b .noocsptest +%patch44 -p1 -b .syncupwithupstream +%patch45 -p0 -b .notrash +%patch46 -p0 -b .skipoutbound +%patch47 -p0 -b .templates +%patch48 -p0 -b .crypto +%patch49 -p0 -b .skipthem +%patch50 -p0 -b .iquote +%patch52 -p0 -b .disableSSL2 +%patch53 -p0 -b .disableSSL2 +pushd nss +%patch54 -p1 -b .948495 +popd +%patch55 -p0 -b .852023 +pushd nss +%patch56 -p1 -b .1026677 +popd + +######################################################### +# Higher-level libraries and test tools need access to +# module-private headers from util, freebl, and softoken +# until fixed upstream we must copy some headers locally +######################################################### + +pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt" +for file in ${pemNeedsFromSoftoken}; do + %{__cp} ./nss/lib/softoken/${file}.h ./nss/lib/ckfw/pem/ +done + +# Copying these header util the upstream bug is accepted +# Upstream 
https://bugzilla.mozilla.org/show_bug.cgi?id=820207 +%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf +%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf + + +%build + +export NSS_NO_SSL2=1 + +NSS_NO_PKCS11_BYPASS=1 +export NSS_NO_PKCS11_BYPASS + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +# Enable compiler optimizations and disable debugging code +BUILD_OPT=1 +export BUILD_OPT + +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + +# Generate symbolic info for debuggers +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=%{_libdir} + +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR + +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} + +export FREEBL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-softokn | sed 's/-I//'` +export FREEBL_LIB_DIR=%{_libdir} +export USE_SYSTEM_FREEBL=1 +# FIXME choose one or the other style and submit a patch upstream +# wtc has suggested using NSS_USE_SYSTEM_FREEBL +export NSS_USE_SYSTEM_FREEBL=1 + +export FREEBL_LIBS=`/usr/bin/pkg-config --libs nss-softokn` + +export SOFTOKEN_LIB_DIR=%{_libdir} +# use the system ones +export USE_SYSTEM_NSSUTIL=1 +export USE_SYSTEM_SOFTOKEN=1 + +# tell the upstream build system what we are doing +export NSS_BUILD_WITHOUT_SOFTOKEN=1 + +NSS_USE_SYSTEM_SQLITE=1 +export NSS_USE_SYSTEM_SQLITE + +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +USE_64=1 +export USE_64 +%endif + +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 + +##### phase 1: remove util/freebl/softoken and low level tools +# +######## Remove freebl, softoken and util +%{__rm} -rf ./mozilla/security/nss/lib/freebl +%{__rm} 
-rf ./mozilla/security/nss/lib/softoken +%{__rm} -rf ./mozilla/security/nss/lib/util +######## Remove nss-softokn test tools +%{__rm} -rf ./mozilla/security/nss/cmd/bltest +%{__rm} -rf ./mozilla/security/nss/cmd/fipstest +%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low + +##### phase 2: build the rest of nss +# nss supports pluggable ecc +NSS_ENABLE_ECC=1 +export NSS_ENABLE_ECC +NSS_ECC_MORE_THAN_SUITE_B=1 +export NSS_ECC_MORE_THAN_SUITE_B + +export NSS_BLTEST_NOT_AVAILABLE=1 +%{__make} -C ./nss/coreconf +%{__make} -C ./nss/lib/dbm +%{__make} -C ./nss +unset NSS_BLTEST_NOT_AVAILABLE + +# build the man pages clean +pushd ./nss +%{__make} clean_docs build_docs +popd + +# and copy them here +for m in "%{allTools}"; do + cp ./nss/doc/nroff/${m}.1 . +done + +# Set up our package file +# The nspr_version and nss_{util|softokn}_version globals used +# here match the ones nss has for its Requires. +# Using the current %%{nss_softokn_version} for fedora again +%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSS_VERSION%%,%{version},g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + ./dist/pkgconfig/nss.pc + +NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` +NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` +NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` + +export NSS_VMAJOR +export NSS_VMINOR +export NSS_VPATCH + +%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ + -e "s,@prefix@,%{_prefix},g" \ + -e "s,@exec_prefix@,%{_prefix},g" \ + -e "s,@includedir@,%{_includedir}/nss3,g" \ + -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ + -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ + -e 
"s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ + > ./dist/pkgconfig/nss-config + +chmod 755 ./dist/pkgconfig/nss-config + +%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh +chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh + +%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ + +date +"%e %B %Y" | tr -d '\n' > date.xml +echo -n %{version} > version.xml + +# configuration files and setup script +for m in %{SOURCE20} %{SOURCE21} %{SOURCE22}; do + cp ${m} . +done +for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml; do + xmlto man ${m} +done + +# nss databases considered to be configuration files +for m in %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}; do + cp ${m} . +done +for m in cert8.db.xml cert9.db.xml key3.db.xml key4.db.xml secmod.db.xml; do + xmlto man ${m} +done + + +%check +if [ $DISABLETEST -eq 1 ]; then + echo "testing disabled" + exit 0 +fi + +# Begin -- copied from the build section + +# inform the ssl test scripts that SSL2 is disabled +export NSS_NO_SSL2=1 + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +BUILD_OPT=1 +export BUILD_OPT + +%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 +USE_64=1 +export USE_64 +%endif + +export NSS_BLTEST_NOT_AVAILABLE=1 + +# needed for the fips manging test +export SOFTOKEN_LIB_DIR=%{_libdir} + +# End -- copied from the build section + +# enable the following line to force a test failure +# find ./nss -name \*.chk | xargs rm -f + +# Run test suite. +# In order to support multiple concurrent executions of the test suite +# (caused by concurrent RPM builds) on a single host, +# we'll use a random port. Also, we want to clean up any stuck +# selfserv processes. If process name "selfserv" is used everywhere, +# we can't simply do a "killall selfserv", because it could disturb +# concurrent builds. Therefore we'll do a search and replace and use +# a different process name. 
+# Using xargs doesn't mix well with spaces in filenames, in order to
+# avoid weird quoting we'll require that no spaces are being used.
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -l perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+cd ./nss/tests/
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
+# nss_ssl_run: cov auth stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# global nss_ssl_tests "normal_fips"
+# global nss_ssl_run "cov auth"
+
+HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+
+cd ../../
+
+killall $RANDSERV || :
+
+TEST_FAILURES=`grep -c FAILED ./tests_results/security/localhost.1/output.log` || :
+# test suite is failing on arm and has for awhile let's run the test suite but make it non fatal on arm
+%ifnarch %{arm}
+if [ $TEST_FAILURES -ne 0 ]; then
+ echo "error: test suite returned failure(s)"
+ exit 1
+fi
+echo "test suite completed"
+%endif
+
+%install
+
+%{__rm} -rf 
$RPM_BUILD_ROOT
+
+# There is no make install target so we'll do it ourselves.
+
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
+mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
+
+touch $RPM_BUILD_ROOT%{_libdir}/libnssckbi.so
+%{__install} -p -m 755 dist/*.OBJ/lib/libnssckbi.so $RPM_BUILD_ROOT/%{_libdir}/nss/libnssckbi.so
+
+# Copy the binary libraries we want
+for file in libnss3.so libnsspem.so libnsssysinit.so libsmime3.so libssl3.so
+do
+ %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Install the empty NSS db files
+# Legacy db
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
+%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+# Shared db
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+
+# Copy the development libraries we want
+for file in libcrmf.a libnssb.a libnssckfw.a
+do
+ %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+
+# Copy the binaries we want
+for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
+do
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+done
+
+# Copy the binaries we ship as unsupported
+for file in atob btoa derdump ocspclnt pp selfserv strsclnt symkeyutil tstclnt vfyserv vfychain
+do
+ %{__install} -p -m 755 
dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+done
+
+# Copy the include files we want
+for file in dist/public/nss/*.h
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
+
+# Copy the template files we want
+for file in dist/private/nss/nssck.api
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
+# Copy the package configuration files
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 755 ./dist/pkgconfig/nss-config $RPM_BUILD_ROOT/%{_bindir}/nss-config
+# Copy the pkcs #11 configuration script
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link top it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
+
+# Copy the man pages for scripts
+for f in nss-config setup-nsssysinit; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the nss tools
+for f in "%{allTools}"; do
+ install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+done
+# Copy the man pages for the configuration files
+for f in pkcs11.txt; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+# Copy the man pages for the nss databases
+for f in cert8.db cert9.db key3.db key4.db secmod.db; do
+ install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
+done
+
+%clean
+%{__rm} -rf $RPM_BUILD_ROOT
+
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+
+%post
+# If we upgrade, and the shared filename is a regular file, then we must
+# remove it, before we can install the alternatives symbolic link. 
+if [ $1 -gt 1 ] ; then
+ # when upgrading or downgrading
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ rm -f %{_libdir}/libnssckbi.so
+ fi
+fi
+# Install the symbolic link
+# FYI: Certain other packages use alternatives --set to enforce that the first
+# installed package is preferred. We don't do that. Highest priority wins.
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+/sbin/ldconfig
+
+%postun
+if [ $1 -eq 0 ] ; then
+ # package removal
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+else
+ # upgrade or downgrade
+ # If the new installed package uses a regular file (not a symblic link),
+ # then cleanup the alternatives link.
+ if ! test -L %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/nss/libnssckbi.so
+ fi
+fi
+/sbin/ldconfig
+
+%posttrans
+# An earlier version of this package had an incorrect %postun script (3.14.3-9).
+# (The incorrect %postun always called "update-alternatives --remove",
+# because it incorrectly assumed that test -f returns false for symbolic links.)
+# The only possible remedy to fix the mistake that "always removes on upgrade"
+# made by the older %postun script, is to repair it in %posttrans of the new package.
+# Strategy:
+# %posttrans is never called when uninstalling.
+# %posttrans is only called when installing or upgrading a package.
+# Because %posttrans is the very last action of a package install,
+# %{_libdir}/libnssckbi.so must exist.
+# If it does not, it's the result of the incorrect removal from a broken %postun.
+# In this case, we repeat installation of the alternatives link.
+if ! 
test -e %{_libdir}/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/nss/libnssckbi.so 10
+fi
+
+
+%files
+%defattr(-,root,root)
+%{_libdir}/libnss3.so
+%{_libdir}/libssl3.so
+%{_libdir}/libsmime3.so
+%ghost %{_libdir}/libnssckbi.so
+%{_libdir}/nss/libnssckbi.so
+%{_libdir}/libnsspem.so
+%dir %{_sysconfdir}/pki/nssdb
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%attr(0644,root,root) %doc /usr/share/man/man5/*
+%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
+
+%files sysinit
+%defattr(-,root,root)
+%{_libdir}/libnsssysinit.so
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
+%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
+%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%{_bindir}/setup-nsssysinit.sh
+# symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
+%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+
+%files tools
+%defattr(-,root,root)
+%{_bindir}/certutil
+%{_bindir}/cmsutil
+%{_bindir}/crlutil
+%{_bindir}/modutil
+%{_bindir}/pk12util
+%{_bindir}/signtool
+%{_bindir}/signver
+%{_bindir}/ssltap
+%{unsupported_tools_directory}/atob
+%{unsupported_tools_directory}/btoa
+%{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/ocspclnt
+%{unsupported_tools_directory}/pp
+%{unsupported_tools_directory}/selfserv 
+%{unsupported_tools_directory}/strsclnt
+%{unsupported_tools_directory}/symkeyutil
+%{unsupported_tools_directory}/tstclnt
+%{unsupported_tools_directory}/vfyserv
+%{unsupported_tools_directory}/vfychain
+# instead of %{_mandir}/man*/* let's list them explicitely
+# supported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+# unsupported tools
+%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
+%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+
+%files devel
+%defattr(-,root,root)
+%{_libdir}/libcrmf.a
+%{_libdir}/pkgconfig/nss.pc
+%{_bindir}/nss-config
+%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+
+%dir %{_includedir}/nss3
+%{_includedir}/nss3/cert.h
+%{_includedir}/nss3/certdb.h
+%{_includedir}/nss3/certt.h
+%{_includedir}/nss3/cmmf.h
+%{_includedir}/nss3/cmmft.h
+%{_includedir}/nss3/cms.h
+%{_includedir}/nss3/cmsreclist.h
+%{_includedir}/nss3/cmst.h
+%{_includedir}/nss3/crmf.h
+%{_includedir}/nss3/crmft.h
+%{_includedir}/nss3/cryptohi.h
+%{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/sechash.h
+%{_includedir}/nss3/jar-ds.h
+%{_includedir}/nss3/jar.h
+%{_includedir}/nss3/jarfile.h
+%{_includedir}/nss3/key.h
+%{_includedir}/nss3/keyhi.h
+%{_includedir}/nss3/keyt.h
+%{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/nss.h
+%{_includedir}/nss3/nssckbi.h
+%{_includedir}/nss3/nsspem.h
+%{_includedir}/nss3/ocsp.h
+%{_includedir}/nss3/ocspt.h
+%{_includedir}/nss3/p12.h 
+%{_includedir}/nss3/p12plcy.h
+%{_includedir}/nss3/p12t.h
+%{_includedir}/nss3/pk11func.h
+%{_includedir}/nss3/pk11pqg.h
+%{_includedir}/nss3/pk11priv.h
+%{_includedir}/nss3/pk11pub.h
+%{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+
+
+%files pkcs11-devel
+%defattr(-, root, root)
+%{_includedir}/nss3/nssbase.h
+%{_includedir}/nss3/nssbaset.h
+%{_includedir}/nss3/nssckepv.h
+%{_includedir}/nss3/nssckft.h
+%{_includedir}/nss3/nssckfw.h
+%{_includedir}/nss3/nssckfwc.h
+%{_includedir}/nss3/nssckfwt.h
+%{_includedir}/nss3/nssckg.h
+%{_includedir}/nss3/nssckmdt.h
+%{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
+%{_libdir}/libnssb.a
+%{_libdir}/libnssckfw.a
+
+
+%changelog
+* Wed Nov 06 2013 Elio Maldonado - 3.15.2-8
+- Fix patch for disabling ssl2 in ssl to correctly set error code
+- Fix syntax error reported in the build.log even tough it succeeds
+- Add patch top ignore setpolicy result
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+- Resolves: rhbz#1026677 - Attempt to run ipa-client-install fails
+
+* Sun Nov 03 2013 Elio Maldonado - 3.15.2-7
+- Fix bash syntax error in patch for disabling ssl2 tests
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Sat Nov 02 2013 Elio Maldonado - 3.15.2-6
+- Fix errors in ssl disabling patches for both library and tests
+- Add s390x to the multilib_arches definition used for alt_ckbi
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Thu Oct 31 2013 Elio Maldonado - 3.15.2-5
+- Fix errors in nss-sysinit manpage options descriptions
+- 
Resolves: rhbz#982723
+
+* Tue Oct 29 2013 Elio Maldonado - 3.15.2-4
+- Enable fips when system is in fips mode
+- Resolves: rhbz#852023 - FIPS mode detection does not work
+
+* Tue Oct 29 2013 Elio Maldonado - 3.15.2-3
+- Remove unused and obsoleted patches
+- Related: rhbz#1012656
+
+* Mon Oct 28 2013 Elio Maldonado - 3.15.2-2
+- Add description of the certutil's --email option to it's manpage
+- Resolves: rhbz#Bug 948495 - Man page scan results for nss
+
+* Mon Oct 21 2013 Elio Maldonado - 3.15.2-1
+- Rebase to nss-3.15.2
+- Resolves: rhbz#1012656 - pick up NSS 3.15.2 to fix CVE-2013-1739 and disable MD5 in OCSP/CRL
+
+* Fri Oct 11 2013 Elio Maldonado - 3.15.1-4
+- Install symlink to nss-sysinit.sh without the .sh suffix
+- Resolves: rhbz#982723 - nss-sysinit man page has wrong path for the script
+
+* Tue Oct 08 2013 Elio Maldonado - 3.15.1-3
+- Resolves: rhbz#1001841 - Disable SSL2 and the export cipher suites
+
+* Tue Aug 06 2013 Elio Maldonado - 3.15.1-2
+- Add upstream bug URL for a patch subitted upstream and remove obsolete script
+
+* Wed Jul 24 2013 Elio Maldonado - 3.15.1-2
+- Update to NSS_3_15_1_RTM
+- Apply various fixes to the man pages and add new ones
+- Enable the iquote.patch to access newly introduced types
+- Add man page for pkcs11.txt configuration file and cert and key databases
+- Add missing option descriptions for {cert|cms|crl}util
+- Resolves: rhbz#948495 - Man page scan results for nss
+- Resolves: rhbz#982723 - Fix path to script in man page for nss-sysinit
+
+* Tue Jul 02 2013 Elio Maldonado - 3.15-6
+- Use the unstripped source tar ball
+
+* Wed Jun 19 2013 Elio Maldonado - 3.15-5
+- Install man pages for nss-tools and the nss-config and setup-nsssysinit scripts
+- Resolves: rhbz#606020 - nss security tools lack man pages
+
+* Tue Jun 18 2013 emaldona - 3.15-4
+- Build nss without softoken or util sources in the tree
+- Resolves: rhbz#689918
+
+* Mon Jun 17 2013 emaldona - 3.15-3
+- Update ssl-cbc-random-iv-by-default.patch
+
+* 
Sun Jun 16 2013 Elio Maldonado - 3.15-2
+- Fix generation of NSS_VMAJOR, NSS_VMINOR, and NSS_VPATCH for nss-config
+
+* Sat Jun 15 2013 Elio Maldonado - 3.15-1
+- Update to NSS_3_15_RTM
+
+* Tue May 14 2013 Elio Maldonado - 3.14.3-13.0
+- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch
+
+* Fri Apr 19 2013 Kai Engert - 3.14.3-12.0
+- Add upstream patch to fix rhbz#872761
+
+* Sun Mar 24 2013 Kai Engert - 3.14.3-11
+- Update expired test certificates (fixed in upstream bug 852781)
+
+* Fri Mar 08 2013 Kai Engert - 3.14.3-10
+- Fix incorrect post/postun scripts. Fix broken links in posttrans.
+
+* Wed Mar 06 2013 Kai Engert - 3.14.3-9
+- Configure libnssckbi.so to use the alternatives system
+ in order to prepare for a drop in replacement.
+
+* Fri Feb 15 2013 Elio Maldonado - 3.14.3-1
+- Update to NSS_3_14_3_RTM
+- sync up pem rsawrapr.c with softoken upstream changes for nss-3.14.3
+- Resolves: rhbz#908257 - CVE-2013-1620 nss: TLS CBC padding timing attack
+- Resolves: rhbz#896651 - PEM module trashes private keys if login fails
+- Resolves: rhbz#909775 - specfile support for AArch64
+- Resolves: rhbz#910584 - certutil -a does not produce ASCII output
+
+* Mon Feb 04 2013 Elio Maldonado - 3.14.2-2
+- Allow building nss against older system sqlite
+
+* Fri Feb 01 2013 Elio Maldonado - 3.14.2-1
+- Update to NSS_3_14_2_RTM
+
+* Wed Jan 02 2013 Kai Engert - 3.14.1-3
+- Update to NSS_3_14_1_WITH_CKBI_1_93_RTM
+
+* Sat Dec 22 2012 Elio Maldonado - 3.14.1-2
+- Require nspr >= 4.9.4
+- Fix changelog invalid dates
+
+* Mon Dec 17 2012 Elio Maldonado - 3.14.1-1
+- Update to NSS_3_14_1_RTM
+
+* Wed Dec 12 2012 Elio Maldonado - 3.14-12
+- Bug 879978 - Install the nssck.api header template where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3/templates
+
+* Tue Nov 27 2012 Elio Maldonado - 3.14-11
+- Bug 879978 - Install the nssck.api header template in a place where mod_revocator can access it
+- Install nssck.api in /usr/includes/nss3
+
+* Mon Nov 
19 2012 Elio Maldonado - 3.14-10
+- Bug 870864 - Add support in NSS for Secure Boot
+
+* Sat Nov 10 2012 Elio Maldonado - 3.14-9
+- Disable bypass code at build time and return failure on attempts to enable at runtime
+- Bug 806588 - Disable SSL PKCS #11 bypass at build time
+
+* Sun Nov 04 2012 Elio Maldonado - 3.14-8
+- Fix pk11wrap locking which fixes 'fedpkg new-sources' and 'fedpkg update' hangs
+- Bug 872124 - nss-3.14 breaks fedpkg new-sources
+- Fix should be considered preliminary since the patch may change upon upstream approval
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-7
+- Add a dummy source file for testing /preventing fedpkg breakage
+- Helps test the fedpkg new-sources and upload commands for breakage by nss updates
+- Related to Bug 872124 - nss 3.14 breaks fedpkg new-sources
+
+* Thu Nov 01 2012 Elio Maldonado - 3.14-6
+- Fix a previous unwanted merge from f18
+- Update the SS_SSL_CBC_RANDOM_IV patch to match new sources while
+- Keeping the patch disabled while we are still in rawhide and
+- State in comment that patch is needed for both stable and beta branches
+- Update .gitignore to download only the new sources
+
+* Wed Oct 31 2012 Elio Maldonado - 3.14-5
+- Fix the spec file so sechash.h gets installed
+- Resolves: rhbz#871882 - missing header: sechash.h in nss 3.14
+
+* Sat Oct 27 2012 Elio Maldonado - 3.14-4
+- Update the license to MPLv2.0
+
+* Wed Oct 24 2012 Elio Maldonado - 3.14-3
+- Use only -f when removing unwanted headers
+
+* Tue Oct 23 2012 Elio Maldonado - 3.14-2
+- Add secmodt.h to the headers installed by nss-devel
+- nss-devel must install secmodt.h which moved from softoken to pk11wrap with nss-3.14
+
+* Mon Oct 22 2012 Elio Maldonado - 3.14-1
+- Update to NSS_3_14_RTM
+
+* Sun Oct 21 2012 Elio Maldonado - 3.14-0.1.rc.1
+- Update to NSS_3_14_RC1
+- update nss-589636.patch to apply to httpdserv
+- turn off ocsp tests for now
+- remove no longer needed patches
+- remove headers shipped by nss-util
+
+* Fri Oct 05 2012 Kai 
Engert - 3.13.6-1
+- Update to NSS_3_13_6_RTM
+
+* Mon Aug 27 2012 Elio Maldonado - 3.13.5-8
+- Rebase pem sources to fedora-hosted upstream to pick up two fixes from rhel-6.3
+- Resolves: rhbz#847460 - Fix invalid read and free on invalid cert load
+- Resolves: rhbz#847462 - PEM module may attempt to free uninitialized pointer
+- Remove unneeded fix gcc 4.7 c++ issue in secmodt.h that actually undoes the upstream fix
+
+* Mon Aug 13 2012 Elio Maldonado - 3.13.5-7
+- Fix pluggable ecc support
+
+* Fri Jul 20 2012 Fedora Release Engineering - 3.13.5-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-5
+- Fix checkin comment to prevent unwanted expansions of percents
+
+* Sun Jul 01 2012 Elio Maldonado - 3.13.5-4
+- Resolves: Bug 830410 - Missing Requires %%{?_isa}
+- Use Requires: %%{name}%%{?_isa} = %%{version}-%%{release} on tools
+- Drop zlib requires which rpmlint reports as error E: explicit-lib-dependency zlib
+- Enable sha224 portion of powerup selftest when running test suites
+- Require nspr 4.9.1
+
+* Wed Jun 20 2012 Elio Maldonado - 3.13.5-3
+- Resolves: rhbz#833529 - revert unwanted change to nss.pc.in
+
+* Tue Jun 19 2012 Elio Maldonado - 3.13.5-2
+- Resolves: rhbz#833529 - Remove unwanted space from the Libs: line on nss.pc.in
+
+* Mon Jun 18 2012 Elio Maldonado - 3.13.5-1
+- Update to NSS_3_13_5_RTM
+
+* Fri Apr 13 2012 Elio Maldonado - 3.13.4-3
+- Resolves: Bug 812423 - nss_Init leaks memory, fix from RHEL 6.3
+
+* Sun Apr 08 2012 Elio Maldonado - 3.13.4-2
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+- Patch coreconf/Linux.mk as done on RHEL 6.2
+
+* Fri Apr 06 2012 Elio Maldonado - 3.13.4-1
+- Update to NSS_3_13_4_RTM
+- Update the nss-pem source archive to the latest version
+- Remove no longer needed patches
+- Resolves: Bug 806043 - use pem files interchangeably in a single process
+- Resolves: Bug 806051 - PEM various flaws detected by Coverity
+- Resolves: 
Bug 806058 - PEM pem_CreateObject leaks memory given a non-existing file name
+
+* Wed Mar 21 2012 Elio Maldonado - 3.13.3-4
+- Resolves: Bug 805723 - Library needs partial RELRO support added
+
+* Fri Mar 09 2012 Elio Maldonado - 3.13.3-3
+- Cleanup of the spec file
+- Add references to the upstream bugs
+- Fix typo in Summary for sysinit
+
+* Thu Mar 08 2012 Elio Maldonado - 3.13.3-2
+- Pick up fixes from RHEL
+- Resolves: rhbz#800674 - Unable to contact LDAP Server during winsync
+- Resolves: rhbz#800682 - Qpid AMQP daemon fails to load after nss update
+- Resolves: rhbz#800676 - NSS workaround for freebl bug that causes openswan to drop connections
+
+* Thu Mar 01 2012 Elio Maldonado - 3.13.3-1
+- Update to NSS_3_13_3_RTM
+
+* Mon Jan 30 2012 Tom Callaway - 3.13.1-13
+- fix issue with gcc 4.7 in secmodt.h and C++11 user-defined literals
+
+* Thu Jan 26 2012 Elio Maldonado - 3.13.1-12
+- Resolves: Bug 784672 - nss should protect against being called before nss_Init
+
+* Fri Jan 13 2012 Fedora Release Engineering - 3.13.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-11
+- Deactivate a patch currently meant for stable branches only
+
+* Fri Jan 06 2012 Elio Maldonado - 3.13.1-10
+- Resolves: Bug 770682 - nss update breaks pidgin-sipe connectivity
+- NSS_SSL_CBC_RANDOM_IV set to 0 by default and changed to 1 on user request
+
+* Tue Dec 13 2011 elio maldonado - 3.13.1-9
+- Revert to using current nss_softokn_version
+- Patch to deal with lack of sha224 is no longer needed
+
+* Tue Dec 13 2011 Elio Maldonado - 3.13.1-8
+- Resolves: Bug 754771 - [PEM] an unregistered callback causes a SIGSEGV
+
+* Mon Dec 12 2011 Elio Maldonado - 3.13.1-7
+- Resolves: Bug 750376 - nss 3.13 breaks sssd TLS
+- Fix how pem is built so that nss-3.13.x works with nss-softokn-3.12.y
+- Only patch blapitest for the lack of sha224 on system freebl
+- Completed the patch to make pem link against system freebl
+
+* Mon Dec 
05 2011 Elio Maldonado - 3.13.1-6
+- Removed unwanted /usr/include/nss3 in front of the normal cflags include path
+- Removed unnecessary patch dealing with CERTDB_TERMINAL_RECORD, it's visible
+
+* Sun Dec 04 2011 Elio Maldonado - 3.13.1-5
+- Statically link the pem module against system freebl found in buildroot
+- Disabling sha224-related powerup selftest until we update softokn
+- Disable sha224 and pss tests which nss-softokn 3.12.x doesn't support
+
+* Fri Dec 02 2011 Elio Maldonado Batiz - 3.13.1-4
+- Rebuild with nss-softokn from 3.12 in the buildroot
+- Allows the pem module to statically link against 3.12.x freebl
+- Required for using nss-3.13.x with nss-softokn-3.12.y for a merge inrto rhel git repo
+- Build will be temprarily placed on buildroot override but not pushed in bodhi
+
+* Fri Nov 04 2011 Elio Maldonado - 3.13.1-2
+- Fix broken dependencies by updating the nss-util and nss-softokn versions
+
+* Thu Nov 03 2011 Elio Maldonado - 3.13.1-1
+- Update to NSS_3_13_1_RTM
+- Update builtin certs to those from NSSCKBI_1_88_RTM
+
+* Sat Oct 15 2011 Elio Maldonado - 3.13-1
+- Update to NSS_3_13_RTM
+
+* Sat Oct 08 2011 Elio Maldonado - 3.13-0.1.rc0.1
+- Update to NSS_3_13_RC0
+
+* Wed Sep 14 2011 Elio Maldonado - 3.12.11-3
+- Fix attempt to free initilized pointer (#717338)
+- Fix leak on pem_CreateObject when given non-existing file name (#734760)
+- Fix pem_Initialize to return CKR_CANT_LOCK on multi-treaded calls (#736410)
+
+* Tue Sep 06 2011 Kai Engert - 3.12.11-2
+- Update builtins certs to those from NSSCKBI_1_87_RTM
+
+* Tue Aug 09 2011 Elio Maldonado - 3.12.11-1
+- Update to NSS_3_12_11_RTM
+
+* Sat Jul 23 2011 Elio Maldonado - 3.12.10-6
+- Indicate the provenance of stripped source tarball (#688015)
+
+* Mon Jun 27 2011 Michael Schwendt - 3.12.10-5
+- Provide virtual -static package to meet guidelines (#609612). 
+
+* Fri Jun 10 2011 Elio Maldonado - 3.12.10-4
+- Enable pluggable ecc support (#712556)
+- Disable the nssdb write-access-on-read-only-dir tests when user is root (#646045)
+
+* Fri May 20 2011 Dennis Gilmore - 3.12.10-3
+- make the testsuite non fatal on arm arches
+
+* Tue May 17 2011 Elio Maldonado - 3.12.10-2
+- Fix crmf hard-coded maximum size for wrapped private keys (#703656)
+
+* Fri May 06 2011 Elio Maldonado - 3.12.10-1
+- Update to NSS_3_12_10_RTM
+
+* Wed Apr 27 2011 Elio Maldonado - 3.12.10-0.1.beta1
+- Update to NSS_3_12_10_BETA1
+
+* Mon Apr 11 2011 Elio Maldonado - 3.12.9-15
+- Implement PEM logging using NSPR's own (#695011)
+
+* Wed Mar 23 2011 Elio Maldonado - 3.12.9-14
+- Update to NSS_3.12.9_WITH_CKBI_1_82_RTM
+
+* Thu Feb 24 2011 Elio Maldonado - 3.12.9-13
+- Short-term fix for ssl test suites hangs on ipv6 type connections (#539183)
+
+* Fri Feb 18 2011 Elio Maldonado - 3.12.9-12
+- Add a missing requires for pkcs11-devel (#675196)
+
+* Tue Feb 15 2011 Elio Maldonado - 3.12.9-11
+- Run the test suites in the check section (#677809)
+
+* Thu Feb 10 2011 Elio Maldonado - 3.12.9-10
+- Fix cms headers to not use c++ reserved words (#676036)
+- Reenabling Bug 499444 patches
+- Fix to swap internal key slot on fips mode switches
+
+* Tue Feb 08 2011 Elio Maldonado - 3.12.9-9
+- Revert patches for 499444 until all c++ reserved words are found and extirpated
+
+* Tue Feb 08 2011 Fedora Release Engineering - 3.12.9-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Tue Feb 08 2011 Elio Maldonado - 3.12.9-7
+- Fix cms header to not use c++ reserved word (#676036)
+- Reenable patches for bug 499444
+
+* Tue Feb 08 2011 Christopher Aillon - 3.12.9-6
+- Revert patches for 499444 as they use a C++ reserved word and
+ cause compilation of Firefox to fail
+
+* Fri Feb 04 2011 Elio Maldonado - 3.12.9-5
+- Fix the earlier infinite recursion patch (#499444)
+- Remove a header that now nss-softokn-freebl-devel ships
+
+* Tue Feb 01 
2011 Elio Maldonado - 3.12.9-4
+- Fix infinite recursion when encoding NSS enveloped/digested data (#499444)
+
+* Mon Jan 31 2011 Elio Maldonado - 3.12.9-3
+- Update the cacert trust patch per upstream review requests (#633043)
+
+* Wed Jan 19 2011 Elio Maldonado - 3.12.9-2
+- Fix to honor the user's cert trust preferences (#633043)
+- Remove obsoleted patch
+
+* Wed Jan 12 2011 Elio Maldonado - 3.12.9-1
+- Update to 3.12.9
+
+* Mon Dec 27 2010 Elio Maldonado - 3.12.9-0.1.beta2
+- Rebuilt according to fedora pre-release package naming guidelines
+
+* Fri Dec 10 2010 Elio Maldonado - 3.12.8.99.2-1
+- Update to NSS_3_12_9_BETA2
+- Fix libpnsspem crash when cacert dir contains other directories (#642433)
+
+* Wed Dec 08 2010 Elio Maldonado - 3.12.8.99.1-1
+- Update to NSS_3_12_9_BETA1
+
+* Thu Nov 25 2010 Elio Maldonado - 3.12.8-9
+- Update pem source tar with fixes for 614532 and 596674
+- Remove no longer needed patches
+
+* Fri Nov 05 2010 Elio Maldonado - 3.12.8-8
+- Update PayPalEE.cert test certificate which had expired
+
+* Sun Oct 31 2010 Elio Maldonado - 3.12.8-7
+- Tell rpm not to verify md5, size, and modtime of configurations file
+
+* Mon Oct 18 2010 Elio Maldonado - 3.12.8-6
+- Fix certificates trust order (#643134)
+- Apply nss-sysinit-userdb-first.patch last
+
+* Wed Oct 06 2010 Elio Maldonado - 3.12.8-5
+- Move triggerpostun -n nss-sysinit script ahead of the other ones (#639248)
+
+* Tue Oct 05 2010 Elio Maldonado - 3.12.8-4
+- Fix invalid %postun scriptlet (#639248)
+
+* Wed Sep 29 2010 Elio Maldonado - 3.12.8-3
+- Replace posttrans sysinit scriptlet with a triggerpostun one (#636787)
+- Fix and cleanup the setup-nsssysinit.sh script (#636792, #636801)
+
+* Mon Sep 27 2010 Elio Maldonado - 3.12.8-2
+- Add posttrans scriptlet (#636787)
+
+* Thu Sep 23 2010 Elio Maldonado - 3.12.8-1
+- Update to 3.12.8
+- Prevent disabling of nss-sysinit on package upgrade (#636787)
+- Create pkcs11.txt with correct permissions regardless of umask (#636792)
+- 
Setup-nsssysinit.sh reports whether nss-sysinit is turned on or off (#636801)
+- Added provides pkcs11-devel-static to comply with packaging guidelines (#609612)
+
+* Sat Sep 18 2010 Elio Maldonado - 3.12.7.99.4-1
+- NSS 3.12.8 RC0
+
+* Sun Sep 05 2010 Elio Maldonado - 3.12.7.99.3-2
+- Fix nss-util_version and nss_softokn_version required to be 3.12.7.99.3
+
+* Sat Sep 04 2010 Elio Maldonado - 3.12.7.99.3-1
+- NSS 3.12.8 Beta3
+- Fix unclosed comment in renegotiate-transitional.patch
+
+* Sat Aug 28 2010 Elio Maldonado - 3.12.7-3
+- Change BuildRequries to available version of nss-util-devel
+
+* Sat Aug 28 2010 Elio Maldonado - 3.12.7-2
+- Define NSS_USE_SYSTEM_SQLITE and remove unneeded patch
+- Add comments regarding an unversioned provides which triggers rpmlint warning
+- Build requires nss-softokn-devel >= 3.12.7
+
+* Mon Aug 16 2010 Elio Maldonado - 3.12.7-1
+- Update to 3.12.7
+
+* Sat Aug 14 2010 Elio Maldonado - 3.12.6-12
+- Apply the patches to fix rhbz#614532
+
+* Mon Aug 09 2010 Elio Maldonado - 3.12.6-11
+- Removed pem sourecs as they are in the cache
+
+* Mon Aug 09 2010 Elio Maldonado - 3.12.6-10
+- Add support for PKCS#8 encoded PEM RSA private key files (#614532)
+
+* Sat Jul 31 2010 Elio Maldonado - 3.12.6-9
+- Fix nsssysinit to return userdb ahead of systemdb (#603313)
+
+* Tue Jun 08 2010 Dennis Gilmore - 3.12.6-8
+- Require and BuildRequire >= the listed version not =
+
+* Tue Jun 08 2010 Elio Maldonado - 3.12.6-7
+- Require nss-softoken 3.12.6
+
+* Sun Jun 06 2010 Elio Maldonado - 3.12.6-6
+- Fix SIGSEGV within CreateObject (#596674)
+
+* Mon Apr 12 2010 Elio Maldonado - 3.12.6-5
+- Update pem source tar to pick up the following bug fixes:
+- PEM - Allow collect objects to search through all objects
+- PEM - Make CopyObject return a new shallow copy
+- PEM - Fix memory leak in pem_mdCryptoOperationRSAPriv
+
+* Wed Apr 07 2010 Elio Maldonado - 3.12.6-4
+- Update the test cert in the setup phase
+
+* Wed Apr 07 2010 Elio Maldonado - 3.12.6-3
+- 
Add sed to sysinit requires as setup-nsssysinit.sh requires it (#576071)
+- Update PayPalEE test cert with unexpired one (#580207)
+
+* Thu Mar 18 2010 Elio Maldonado - 3.12.6-2
+- Fix ns.spec to not require nss-softokn (#575001)
+
+* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.2
+- rebuilt with all tests enabled
+
+* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1.1
+- Using SSL_RENEGOTIATE_TRANSITIONAL as default while on transition period
+- Disabling ssl tests suites until bug 539183 is resolved
+
+* Sat Mar 06 2010 Elio Maldonado - 3.12.6-1
+- Update to 3.12.6
+- Reactivate all tests
+- Patch tools to validate command line options arguments
+
+* Mon Jan 25 2010 Elio Maldonado - 3.12.5-8
+- Fix curl related regression and general patch code clean up
+
+* Wed Jan 13 2010 Elio Maldonado - 3.12.5-5
+- retagging
+
+* Tue Jan 12 2010 Elio Maldonado - 3.12.5-1.1
+- Fix SIGSEGV on call of NSS_Initialize (#553638)
+
+* Wed Jan 06 2010 Elio Maldonado - 3.12.5-1.13.2
+- New version of patch to allow root to modify ystem database (#547860)
+
+* Thu Dec 31 2009 Elio Maldonado - 3.12.5-1.13.1
+- Temporarily disabling the ssl tests
+
+* Sat Dec 26 2009 Elio Maldonado - 3.12.5-1.13
+- Fix nsssysinit to allow root to modify the nss system database (#547860)
+
+* Fri Dec 25 2009 Elio Maldonado - 3.12.5-1.11
+- Fix an error introduced when adapting the patch for rhbz #546211
+
+* Sat Dec 19 2009 Elio maldonado - 3.12.5-1.9
+- Remove left over trace statements from nsssysinit patching
+
+* Fri Dec 18 2009 Elio Maldonado - 3.12.5-2.7
+- Fix a misconstructed patch
+
+* Thu Dec 17 2009 Elio Maldonado - 3.12.5-1.6
+- Fix nsssysinit to enable apps to use system cert store, patch contributed by David Woodhouse (#546221)
+- Fix spec so sysinit requires coreutils for post install scriplet (#547067)
+- Fix segmentation fault when listing keys or certs in the database, patch contributed by Kamil Dudka (#540387)
+
+* Thu Dec 10 2009 Elio Maldonado - 3.12.5-1.5
+- Fix nsssysinit to set the default 
flags on the crypto module (#545779) +- Remove redundant header from the pem module + +* Wed Dec 09 2009 Elio Maldonado - 3.12.5-1.1 +- Remove unneeded patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1.1 +- Retagging to include missing patch + +* Thu Dec 03 2009 Elio Maldonado - 3.12.5-1 +- Update to 3.12.5 +- Patch to allow ssl/tls clients to interoperate with servers that require renogiation + +* Fri Nov 20 2009 Elio Maldonado - 3.12.4-14.1 +- Retagging + +* Tue Oct 20 2009 Elio Maldonado - 3.12.4-13.1 +- Require nss-softoken of same architecture as nss (#527867) +- Merge setup-nsssysinit.sh improvements from F-12 (#527051) + +* Sat Oct 03 2009 Elio Maldonado - 3.12.4-13 +- User no longer prompted for a password when listing keys an empty system db (#527048) +- Fix setup-nsssysinit to handle more general formats (#527051) + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-12 +- Fix syntax error in setup-nsssysinit.sh + +* Sun Sep 27 2009 Elio Maldonado - 3.12.4-11 +- Fix sysinit to be under mozilla/security/nss/lib + +* Sat Sep 26 2009 Elio Maldonado - 3.12.4-10 +- Add nss-sysinit activation/deactivation script + +* Fri Sep 18 2009 Elio Maldonado - 3.12.4-8 +- Restoring nssutil and -rpath-link to nss-config for now - 522477 + +* Tue Sep 08 2009 Elio Maldonado - 3.12.4-6 +- Installing shared libraries to %%{_libdir} + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-5 +- Retagging to pick up new sources + +* Mon Sep 07 2009 Elio Maldonado - 3.12.4-4 +- Update pem enabling source tar with latest fixes (509705, 51209) + +* Sun Sep 06 2009 Elio Maldonado - 3.12.4-3 +- PEM module implements memory management for internal objects - 509705 +- PEM module doesn't crash when processing malformed key files - 512019 + +* Sat Sep 05 2009 Elio Maldonado - 3.12.4-2 +- Remove symbolic links to shared libraries from devel - 521155 +- No rpath-link in nss-softokn-config + +* Tue Sep 01 2009 Elio Maldonado - 3.12.4-1 +- Update to 3.12.4 + +* Mon Aug 31 2009 Elio Maldonado - 3.12.3.99.3-30 
+- Fix FORTIFY_SOURCE buffer overflows in test suite on ppc and ppc64 - bug 519766 +- Fixed requires and buildrequires as per recommendations in spec file review + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-29 +- Restoring patches 2 and 7 as we still compile all sources +- Applying the nss-nolocalsql.patch solves nss-tools sqlite dependency problems + +* Sun Aug 30 2009 Elio Maldonado - 3.12.3.99.3-28 +- restore require sqlite + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-27 +- Don't require sqlite for nss + +* Sat Aug 29 2009 Elio Maldonado - 3.12.3.99.3-26 +- Ensure versions in the requires match those used when creating nss.pc + +* Fri Aug 28 2009 Elio Maldonado - 3.12.3.99.3-25 +- Remove nss-prelink.conf as signed all shared libraries moved to nss-softokn +- Add a temprary hack to nss.pc.in to unblock builds + +* Fri Aug 28 2009 Warren Togami - 3.12.3.99.3-24 +- caolan's nss.pc patch + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-23 +- Bump the release number for a chained build of nss-util, nss-softokn and nss + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-22 +- Fix nss-config not to include nssutil +- Add BuildRequires on nss-softokn and nss-util since build also runs the test suite + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-21 +- disabling all tests while we investigate a buffer overflow bug + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-20 +- disabling some tests while we investigate a buffer overflow bug - 519766 + +* Thu Aug 27 2009 Elio Maldonado - 3.12.3.99.3-19 +- remove patches that are now in nss-softokn and +- remove spurious exec-permissions for nss.pc per rpmlint +- single requires line in nss.pc.in + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-18 +- Fix BuildRequires: nss-softokn-devel release number + +* Wed Aug 26 2009 Elio Maldonado - 3.12.3.99.3-16 +- cleanups for softokn + +* Tue Aug 25 2009 Dennis Gilmore - 3.12.3.99.3-15 +- remove the softokn subpackages + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-14 +- 
don install the nss-util pkgconfig bits + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-13 +- remove from -devel the 3 headers that ship in nss-util-devel + +* Mon Aug 24 2009 Dennis Gilmore - 3.12.3.99.3-12 +- kill off the nss-util nss-util-devel subpackages + +* Sun Aug 23 2009 Elio Maldonado+emaldona@redhat.com - 3.12.3.99.3-11 +- split off nss-softokn and nss-util as subpackages with their own rpms +- first phase of splitting nss-softokn and nss-util as their own packages + +* Thu Aug 20 2009 Elio Maldonado - 3.12.3.99.3-10 +- must install libnssutil3.since nss-util is untagged at the moment +- preserve time stamps when installing various files + +* Thu Aug 20 2009 Dennis Gilmore - 3.12.3.99.3-9 +- dont install libnssutil3.so since its now in nss-util + +* Thu Aug 06 2009 Elio Maldonado - 3.12.3.99.3-7.1 +- Fix spec file problems uncovered by Fedora_12_Mass_Rebuild + +* Sat Jul 25 2009 Fedora Release Engineering - 3.12.3.99.3-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-6 +- removed two patch files which are no longer needed and fixed previous change log number +* Mon Jun 22 2009 Elio Maldonado - 3.12.3.99.3-5 +- updated pem module incorporates various patches +- fix off-by-one error when computing size to reduce memory leak. (483855) +- fix data type to work on x86_64 systems. (429175) +- fix various memory leaks and free internal objects on module unload. (501080) +- fix to not clone internal objects in collect_objects(). (501118) +- fix to not bypass initialization if module arguments are omitted. (501058) +- fix numerous gcc warnings. (500815) +- fix to support arbitrarily long password while loading a private key. 
(500180) +- fix memory leak in make_key and memory leaks and return values in pem_mdSession_Login (501191) +* Mon Jun 08 2009 Elio Maldonado - 3.12.3.99.3-4 +- add patch for bug 502133 upstream bug 496997 +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-3 +- rebuild with higher release number for upgrade sanity +* Fri Jun 05 2009 Kai Engert - 3.12.3.99.3-2 +- updated to NSS_3_12_4_FIPS1_WITH_CKBI_1_75 +* Thu May 07 2009 Kai Engert - 3.12.3-7 +- re-enable test suite +- add patch for upstream bug 488646 and add newer paypal + certs in order to make the test suite pass +* Wed May 06 2009 Kai Engert - 3.12.3-4 +- add conflicts info in order to fix bug 499436 +* Tue Apr 14 2009 Kai Engert - 3.12.3-3 +- ship .chk files instead of running shlibsign at install time +- include .chk file in softokn-freebl subpackage +- add patch for upstream nss bug 488350 +* Tue Apr 14 2009 Kai Engert - 3.12.3-2 +- Update to NSS 3.12.3 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-7 +- temporarily disable the test suite because of bug 494266 +* Mon Apr 06 2009 Kai Engert - 3.12.2.99.3-6 +- fix softokn-freebl dependency for multilib (bug 494122) +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-5 +- introduce separate nss-softokn-freebl package +* Thu Apr 02 2009 Kai Engert - 3.12.2.99.3-4 +- disable execstack when building freebl +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-3 +- add upstream patch to fix bug 483855 +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-2 +- build nspr-less freebl library +* Tue Mar 31 2009 Kai Engert - 3.12.2.99.3-1 +- Update to NSS_3_12_3_BETA4 + +* Wed Feb 25 2009 Fedora Release Engineering - 3.12.2.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Wed Oct 22 2008 Kai Engert - 3.12.2.0-3 +- update to NSS_3_12_2_RC1 +- use system zlib +* Tue Sep 30 2008 Dennis Gilmore - 3.12.1.1-4 +- add sparc64 to the list of 64 bit arches + +* Wed Sep 24 2008 Kai Engert - 3.12.1.1-3 +- bug 456847, move pkgconfig requirement to devel package +* Fri Sep 05 2008 Kai 
Engert - 3.12.1.1-2 +- Update to NSS_3_12_1_RC2 +* Fri Aug 22 2008 Kai Engert - 3.12.1.0-2 +- NSS 3.12.1 RC1 +* Fri Aug 15 2008 Kai Engert - 3.12.0.3-7 +- fix bug bug 429175 in libpem module +* Tue Aug 05 2008 Kai Engert - 3.12.0.3-6 +- bug 456847, add Requires: pkgconfig +* Tue Jun 24 2008 Kai Engert - 3.12.0.3-3 +- nss package should own /etc/prelink.conf.d folder, rhbz#452062 +- use upstream patch to fix test suite abort +* Mon Jun 02 2008 Kai Engert - 3.12.0.3-2 +- Update to NSS_3_12_RC4 +* Mon Apr 14 2008 Kai Engert - 3.12.0.1-1 +- Update to NSS_3_12_RC2 +* Thu Mar 20 2008 Jesse Keating - 3.11.99.5-2 +- Zapping old Obsoletes/Provides. No longer needed, causes multilib headache. +* Mon Mar 17 2008 Kai Engert - 3.11.99.5-1 +- Update to NSS_3_12_BETA3 +* Fri Feb 22 2008 Kai Engert - 3.11.99.4-1 +- NSS 3.12 Beta 2 +- Use /usr/lib{64} as devel libdir, create symbolic links. +* Sat Feb 16 2008 Kai Engert - 3.11.99.3-6 +- Apply upstream patch for bug 417664, enable test suite on pcc. +* Fri Feb 15 2008 Kai Engert - 3.11.99.3-5 +- Support concurrent runs of the test suite on a single build host. +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-4 +- disable test suite on ppc +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-3 +- disable test suite on ppc64 + +* Thu Feb 14 2008 Kai Engert - 3.11.99.3-2 +- Build against gcc 4.3.0, use workaround for bug 432146 +- Run the test suite after the build and abort on failures. + +* Thu Jan 24 2008 Kai Engert - 3.11.99.3-1 +* NSS 3.12 Beta 1 + +* Mon Jan 07 2008 Kai Engert - 3.11.99.2b-3 +- move .so files to /lib + +* Wed Dec 12 2007 Kai Engert - 3.11.99.2b-2 +- NSS 3.12 alpha 2b + +* Mon Dec 03 2007 Kai Engert - 3.11.99.2-2 +- upstream patches to avoid calling netstat for random data + +* Wed Nov 07 2007 Kai Engert - 3.11.99.2-1 +- NSS 3.12 alpha 2 + +* Wed Oct 10 2007 Kai Engert - 3.11.7-10 +- Add /etc/prelink.conf.d/nss-prelink.conf in order to blacklist + our signed libraries and protect them from modification. 
+ +* Thu Sep 06 2007 Rob Crittenden - 3.11.7-9 +- Fix off-by-one error in the PEM module + +* Thu Sep 06 2007 Kai Engert - 3.11.7-8 +- fix a C++ mode compilation error + +* Wed Sep 05 2007 Bob Relyea - 3.11.7-7 +- Add 3.12 ckfw and libnsspem + +* Tue Aug 28 2007 Kai Engert - 3.11.7-6 +- Updated license tag + +* Wed Jul 11 2007 Kai Engert - 3.11.7-5 +- Ensure the workaround for mozilla bug 51429 really get's built. + +* Mon Jun 18 2007 Kai Engert - 3.11.7-4 +- Better approach to ship freebl/softokn based on 3.11.5 +- Remove link time dependency on softokn + +* Sun Jun 10 2007 Kai Engert - 3.11.7-3 +- Fix unowned directories, rhbz#233890 + +* Fri Jun 01 2007 Kai Engert - 3.11.7-2 +- Update to 3.11.7, but freebl/softokn remain at 3.11.5. +- Use a workaround to avoid mozilla bug 51429. + +* Fri Mar 02 2007 Kai Engert - 3.11.5-2 +- Fix rhbz#230545, failure to enable FIPS mode +- Fix rhbz#220542, make NSS more tolerant of resets when in the + middle of prompting for a user password. + +* Sat Feb 24 2007 Kai Engert - 3.11.5-1 +- Update to 3.11.5 +- This update fixes two security vulnerabilities with SSL 2 +- Do not use -rpath link option +- Added several unsupported tools to tools package + +* Tue Jan 9 2007 Bob Relyea - 3.11.4-4 +- disable ECC, cleanout dead code + +* Tue Nov 28 2006 Kai Engert - 3.11.4-1 +- Update to 3.11.4 + +* Thu Sep 14 2006 Kai Engert - 3.11.3-2 +- Revert the attempt to require latest NSPR, as it is not yet available + in the build infrastructure. + +* Thu Sep 14 2006 Kai Engert - 3.11.3-1 +- Update to 3.11.3 + +* Thu Aug 03 2006 Kai Engert - 3.11.2-2 +- Add /etc/pki/nssdb + +* Wed Jul 12 2006 Jesse Keating - 3.11.2-1.1 +- rebuild + +* Fri Jun 30 2006 Kai Engert - 3.11.2-1 +- Update to 3.11.2 +- Enable executable bit on shared libs, also fixes debug info. 
+ +* Wed Jun 14 2006 Kai Engert - 3.11.1-2 +- Enable Elliptic Curve Cryptography (ECC) + +* Fri May 26 2006 Kai Engert - 3.11.1-1 +- Update to 3.11.1 +- Include upstream patch to limit curves + +* Wed Feb 15 2006 Kai Engert - 3.11-4 +- add --noexecstack when compiling assembler on x86_64 + +* Fri Feb 10 2006 Jesse Keating - 3.11-3.2 +- bump again for double-long bug on ppc(64) + +* Tue Feb 07 2006 Jesse Keating - 3.11-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Thu Jan 19 2006 Ray Strode 3.11-3 +- rebuild + +* Fri Dec 16 2005 Christopher Aillon 3.11-2 +- Update file list for the devel packages + +* Thu Dec 15 2005 Christopher Aillon 3.11-1 +- Update to 3.11 + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs.2 +- Add patch to allow building on ppc* +- Update the pkgconfig file to Require nspr + +* Thu Dec 15 2005 Christopher Aillon 3.11-0.cvs +- Initial import into Fedora Core, based on a CVS snapshot of + the NSS_3_11_RTM tag +- Fix up the pkcs11-devel subpackage to contain the proper headers +- Build with RPM_OPT_FLAGS +- No need to have rpath of /usr/lib in the pc file + +* Thu Dec 15 2005 Kai Engert +- Adressed review comments by Wan-Teh Chang, Bob Relyea, + Christopher Aillon. + +* Sat Jul 9 2005 Rob Crittenden 3.10-1 +- Initial build