diff --git a/add-relro-linker-option.patch b/add-relro-linker-option.patch new file mode 100644 index 0000000..7ab9db1 --- /dev/null +++ b/add-relro-linker-option.patch @@ -0,0 +1,16 @@ +diff -up nss/coreconf/Linux.mk.relro nss/coreconf/Linux.mk +--- nss/coreconf/Linux.mk.relro 2013-04-09 14:29:45.943228682 -0700 ++++ nss/coreconf/Linux.mk 2013-04-09 14:31:26.194953927 -0700 +@@ -174,6 +174,12 @@ endif + endif + endif + ++# harden DSOs/executables a bit against exploits ++ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE)))) ++DSO_LDOPTS+=-Wl,-z,relro ++LDFLAGS += -Wl,-z,relro ++endif ++ + USE_SYSTEM_ZLIB = 1 + ZLIB_LIBS = -lz + diff --git a/iquote.patch b/iquote.patch new file mode 100644 index 0000000..6e4adcd --- /dev/null +++ b/iquote.patch @@ -0,0 +1,13 @@ +diff -up nss/coreconf/location.mk.iquote nss/coreconf/location.mk +--- nss/coreconf/location.mk.iquote 2017-07-27 16:09:32.000000000 +0200 ++++ nss/coreconf/location.mk 2017-09-06 13:23:14.633611555 +0200 +@@ -75,4 +75,9 @@ ifndef SQLITE_LIB_NAME + SQLITE_LIB_NAME = sqlite3 + endif + ++# Prefer in-tree headers over system headers ++ifdef IN_TREE_FREEBL_HEADERS_FIRST ++ INCLUDES += -iquote $(DIST)/../public/nss -iquote $(DIST)/../private/nss ++endif ++ + MK_LOCATION = included diff --git a/nss-3.13.3-notimestamps.patch b/nss-3.13.3-notimestamps.patch deleted file mode 100644 index 3de9f1a..0000000 --- a/nss-3.13.3-notimestamps.patch +++ /dev/null 
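Review bot: `DSO_LDOPTS+=-Wl,-z,relro` and `LDFLAGS += -Wl,-z,relro` in the added block give only partial RELRO: the GOT stays writable until lazy binding has resolved each symbol, so the `# harden DSOs/executables a bit against exploits` comment promises more than the flag delivers. Full RELRO needs BIND_NOW as well, i.e. `DSO_LDOPTS+=-Wl,-z,relro -Wl,-z,now` and `LDFLAGS += -Wl,-z,relro -Wl,-z,now`; the cost is eager symbol resolution at load time, which the spec's test run would expose if it mattered. Separately, the guard `ifeq (2.6,$(firstword $(sort 2.6 $(OS_RELEASE))))` relies on `$(sort)`, which orders strings lexically, so an OS_RELEASE with a two-digit major version (10.x) sorts before 2.6 and would silently drop the hardening; if every kernel this package targets is newer than 2.6 the guard can simply be removed.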
@@ -1,14 +0,0 @@ -Index: nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c -=================================================================== ---- nss-3.20.1.orig/nss/lib/ckfw/pem/ckpemver.c -+++ nss-3.20.1/nss/lib/ckfw/pem/ckpemver.c -@@ -53,7 +53,7 @@ - */ - const char __nss_ckpem_rcsid[] = "$Header: NSS Access to Flat Files in PEM format" - NSS_CKPEM_LIBRARY_VERSION _DEBUG_STRING -- " " __DATE__ " " __TIME__ " $"; -+ " " "Built in OBS" " " "see rpm -q --info nss for more information" " $"; - const char __nss_ckcapi_sccsid[] = "@(#)NSS Access to Flag Files in PEM format " - NSS_CKPEM_LIBRARY_VERSION _DEBUG_STRING -- " " __DATE__ " " __TIME__; -+ " " "Built in OBS" " " "see rpm -q --info nss for more information"; diff --git a/nss-3.20.1.tar.gz b/nss-3.20.1.tar.gz deleted file mode 100644 index eb79c5a..0000000 Binary files a/nss-3.20.1.tar.gz and /dev/null differ diff --git a/nss-3.39.tar.gz b/nss-3.39.tar.gz new file mode 100644 index 0000000..e7ce4a8 Binary files /dev/null and b/nss-3.39.tar.gz differ diff --git a/nss-539183.patch b/nss-539183.patch new file mode 100644 index 0000000..eda3249 --- /dev/null +++ b/nss-539183.patch 
@@ -0,0 +1,62 @@
+--- ./nss/cmd/httpserv/httpserv.c.539183 2016-05-21 18:31:39.879585420 -0700
++++ ./nss/cmd/httpserv/httpserv.c 2016-05-21 18:37:22.374464057 -0700
+@@ -953,23 +953,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+ 
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+ 
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSockett");
+ }
+ 
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
+--- ./nss/cmd/selfserv/selfserv.c.539183 2016-05-21 18:31:39.882585367 -0700
++++ ./nss/cmd/selfserv/selfserv.c 2016-05-21 18:41:43.092801174 -0700
+@@ -1711,23 +1711,23 @@
+ getBoundListenSocket(unsigned short port)
+ {
+ PRFileDesc *listen_sock;
+ int listenQueueDepth = 5 + (2 * maxThreads);
+ PRStatus prStatus;
+ PRNetAddr addr;
+ PRSocketOptionData opt;
+ 
+- addr.inet.family = PR_AF_INET;
+- addr.inet.ip = PR_INADDR_ANY;
+- addr.inet.port = PR_htons(port);
++ if (PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr) != PR_SUCCESS) {
++ errExit("PR_SetNetAddr");
++ }
+ 
+- listen_sock = PR_NewTCPSocket();
++ listen_sock = PR_OpenTCPSocket(PR_AF_INET6);
+ if (listen_sock == NULL) {
+- errExit("PR_NewTCPSocket");
++ errExit("PR_OpenTCPSocket error");
+ }
+ 
+ opt.option = PR_SockOpt_Nonblocking;
+ opt.value.non_blocking = PR_FALSE;
+ prStatus = PR_SetSocketOption(listen_sock, &opt);
+ if (prStatus < 0) {
+ PR_Close(listen_sock);
+ 
errExit("PR_SetSocketOption(PR_SockOpt_Nonblocking)");
diff --git a/nss-config.in b/nss-config.in
deleted file mode 100644
index f8f893e..0000000
--- a/nss-config.in
+++ /dev/null
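Review bot: The new error string in the httpserv hunk has a typo, `errExit("PR_OpenTCPSockett");`, which should read `errExit("PR_OpenTCPSocket");` (the selfserv copy says `"PR_OpenTCPSocket error"`, so the two copies of the same change also disagree). More substantively, `PR_SetNetAddr(PR_IpAddrAny, PR_AF_INET6, port, &addr)` plus `PR_OpenTCPSocket(PR_AF_INET6)` binds these test servers to the IPv6 wildcard; on Linux such a socket also accepts IPv4 via mapped addresses unless IPV6_V6ONLY is set, so selfserv/httpserv now listen on every interface of the build host in both families for the duration of the test run, and on a host with IPv6 disabled the bind presumably fails where the old AF_INET code worked. A comment at the PR_SetNetAddr call, e.g. `/* AF_INET6 wildcard: dual-stack on Linux, reachable on all interfaces; test-only tool */`, would make that trade-off explicit, and a loopback-only option would be preferable since the spec runs the suite with HOST=localhost. Both getBoundListenSocket bodies continue past the hunk, so the bind/listen calls that use addr are not visible here.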
@@ -1,145 +0,0 @@ -#!/bin/sh - -prefix=@prefix@ - -major_version=@MOD_MAJOR_VERSION@ -minor_version=@MOD_MINOR_VERSION@ -patch_version=@MOD_PATCH_VERSION@ - -usage() -{ - cat <&2 -fi - -lib_ssl=yes -lib_smime=yes -lib_nss=yes -lib_nssutil=yes - -while test $# -gt 0; do - case "$1" in - -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; - *) optarg= ;; - esac - - case $1 in - --prefix=*) - prefix=$optarg - ;; - --prefix) - echo_prefix=yes - ;; - --exec-prefix=*) - exec_prefix=$optarg - ;; - --exec-prefix) - echo_exec_prefix=yes - ;; - --includedir=*) - includedir=$optarg - ;; - --includedir) - echo_includedir=yes - ;; - --libdir=*) - libdir=$optarg - ;; - --libdir) - echo_libdir=yes - ;; - --version) - echo ${major_version}.${minor_version}.${patch_version} - ;; - --cflags) - echo_cflags=yes - ;; - --libs) - echo_libs=yes - ;; - ssl) - lib_ssl=yes - ;; - smime) - lib_smime=yes - ;; - nss) - lib_nss=yes - ;; - nssutil) - lib_nssutil=yes - ;; - *) - usage 1 1>&2 - ;; - esac - shift -done - -# Set variables that may be dependent upon other variables -if test -z "$exec_prefix"; then - exec_prefix=`pkg-config --variable=exec_prefix nss` -fi -if test -z "$includedir"; then - includedir=`pkg-config --variable=includedir nss` -fi -if test -z "$libdir"; then - libdir=`pkg-config --variable=libdir nss` -fi - -if test "$echo_prefix" = "yes"; then - echo $prefix -fi - -if test "$echo_exec_prefix" = "yes"; then - echo $exec_prefix -fi - -if test "$echo_includedir" = "yes"; then - echo $includedir -fi - -if test "$echo_libdir" = "yes"; then - echo $libdir -fi - -if test "$echo_cflags" = "yes"; then - echo -I$includedir -fi - -if test "$echo_libs" = "yes"; then - libdirs="-Wl,-rpath-link,$libdir -L$libdir" - if test -n "$lib_ssl"; then - libdirs="$libdirs -lssl${major_version}" - fi - if test -n "$lib_smime"; then - libdirs="$libdirs -lsmime${major_version}" - fi - if test -n "$lib_nss"; then - libdirs="$libdirs -lnss${major_version}" - fi - if test -n "$lib_nssutil"; then - 
libdirs="$libdirs -lnssutil${major_version}" - fi - echo $libdirs -fi - diff --git a/nss-enable-pem.patch b/nss-enable-pem.patch deleted file mode 100644 index 3892b29..0000000 --- a/nss-enable-pem.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up ./nss/lib/ckfw/manifest.mn.prepem ./nss/lib/ckfw/manifest.mn ---- ./nss/lib/ckfw/manifest.mn.prepem 2008-08-05 16:34:23.000000000 -0700 -+++ ./nss/lib/ckfw/manifest.mn 2008-08-05 16:34:30.000000000 -0700 -@@ -38,7 +38,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile: manife - - CORE_DEPTH = ../.. - --DIRS = builtins -+DIRS = builtins pem - - PRIVATE_EXPORTS = \ - ck.h \ diff --git a/nss-no-rpath.patch b/nss-no-rpath.patch deleted file mode 100644 index d873e1c..0000000 --- a/nss-no-rpath.patch +++ /dev/null @@ -1,14 +0,0 @@ ---- ./nss/cmd/platlibs.mk.withrpath 2013-03-09 02:09:57.584660753 +0200 -+++ ./nss/cmd/platlibs.mk 2013-03-09 02:10:59.144484108 +0200 -@@ -18,9 +18,9 @@ - - ifeq ($(OS_ARCH), Linux) - ifeq ($(USE_64), 1) --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' - else --EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' -+#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' - endif - endif - diff --git a/nss-pem-1.0.4.tar.xz b/nss-pem-1.0.4.tar.xz new file mode 100644 index 0000000..644055a Binary files /dev/null and b/nss-pem-1.0.4.tar.xz differ diff --git a/nss-pem-20140125.tar.bz2 b/nss-pem-20140125.tar.bz2 deleted file mode 100644 index 9b2a101..0000000 Binary files a/nss-pem-20140125.tar.bz2 and /dev/null differ diff --git a/nss-pem.cmake b/nss-pem.cmake new file mode 100644 index 0000000..e119c8f --- /dev/null +++ b/nss-pem.cmake 
@@ -0,0 +1,6 @@
+# Add external nss header locations
+include_directories(../../dist/public/nss;../../dist/private/nss)
+# Find the external library path for linking
+execute_process(COMMAND find ${PROJECT_SOURCE_DIR}/../../dist -name libnssckfw.a OUTPUT_VARIABLE NSS_EXT_LIB_PATH)
+get_filename_component(NSS_LIB_PATH ${NSS_EXT_LIB_PATH} DIRECTORY)
+link_directories(${NSS_LIB_PATH})
diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch
new file mode 100644
index 0000000..aee646c
--- /dev/null
+++ b/nss-skip-bltest-and-fipstest.patch
@@ -0,0 +1,15 @@
+diff -up ./nss/cmd/Makefile.skipthem ./nss/cmd/Makefile
+--- ./nss/cmd/Makefile.skipthem 2017-01-06 13:17:27.477848351 +0100
++++ ./nss/cmd/Makefile 2017-01-06 13:19:30.244586100 +0100
+@@ -19,7 +19,11 @@ BLTEST_SRCDIR =
+ ECPERF_SRCDIR =
+ FREEBL_ECTEST_SRCDIR =
+ FIPSTEST_SRCDIR =
++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1)
++SHLIBSIGN_SRCDIR = shlibsign
++else
+ SHLIBSIGN_SRCDIR =
++endif
+ else
+ BLTEST_SRCDIR = bltest
+ ECPERF_SRCDIR = ecperf
diff --git a/nss-skip-util-gtest.patch b/nss-skip-util-gtest.patch
new file mode 100644
index 0000000..94391c8
--- /dev/null
+++ b/nss-skip-util-gtest.patch
@@ -0,0 +1,10 @@
+diff -up nss/gtests/manifest.mn.skip_util_gtest nss/gtests/manifest.mn
+--- nss/gtests/manifest.mn.skip_util_gtest 2017-08-08 12:45:57.598801125 +0200
++++ nss/gtests/manifest.mn 2017-08-08 12:46:59.682419852 +0200
+@@ -31,6 +31,5 @@ endif
+ 
+ DIRS = \
+ $(LIB_SRCDIRS) \
+- $(UTIL_SRCDIRS) \
+ $(NSS_SRCDIRS) \
+ $(NULL)
diff --git a/nss-softokn.pc.in b/nss-softokn.pc.in
new file mode 100644
index 0000000..022ebbf
--- /dev/null
+++ b/nss-softokn.pc.in
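Review bot: `execute_process(COMMAND find ${PROJECT_SOURCE_DIR}/../../dist -name libnssckfw.a OUTPUT_VARIABLE NSS_EXT_LIB_PATH)` in nss-pem.cmake stores find's raw stdout, which ends in a newline and holds one path per match, so NSS_EXT_LIB_PATH is never a clean single path; when nothing matches it is empty and `get_filename_component(NSS_LIB_PATH ${NSS_EXT_LIB_PATH} DIRECTORY)` produces an empty `link_directories()`, and the link then silently picks up whatever libnssckfw the toolchain finds elsewhere instead of the freshly built one. Add `OUTPUT_STRIP_TRAILING_WHITESPACE` to the execute_process call, quote the variable as `"${NSS_EXT_LIB_PATH}"` so an empty value is not a CMake argument error, and fail early with `if(NOT NSS_EXT_LIB_PATH) message(FATAL_ERROR "libnssckfw.a not found under dist") endif()`. A one-line comment explaining why the in-tree static library must win over any installed copy would also help the next maintainer.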
@@ -0,0 +1,11 @@
+prefix=%prefix%
+exec_prefix=%exec_prefix%
+libdir=%libdir%
+includedir=%includedir%
+
+Name: NSS-SOFTOKN
+Description: Network Security Services Softoken PKCS #11 Module
+Version: %SOFTOKEN_VERSION%
+Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION%
+Libs: -L${libdir} -lfreebl3 -lnssdbm3 -lsoftokn3
+Cflags: -I${includedir}
diff --git a/nss-sysinit-userdb-first.patch b/nss-sysinit-userdb-first.patch
index eea78e6..526419a 100644
--- a/nss-sysinit-userdb-first.patch
+++ b/nss-sysinit-userdb-first.patch
@@ -1,54 +1,38 @@ -diff -up ./nss/lib/sysinit/nsssysinit.c.603313 ./nss/lib/sysinit/nsssysinit.c ---- ./nss/lib/sysinit/nsssysinit.c.603313 2010-10-15 13:57:42.719738316 -0700 -+++ ./nss/lib/sysinit/nsssysinit.c 2010-10-15 14:07:51.704637349 -0700 -@@ -263,16 +263,26 @@ get_list(char *filename, char *stripped_ +--- ./nss/lib/sysinit/nsssysinit.c.603313 2017-11-14 10:01:25.000000000 +0200 ++++ ./nss/lib/sysinit/nsssysinit.c 2017-11-22 16:28:56.324234787 +0200 +@@ -231,6 +231,17 @@ get_list(char *filename, char *stripped_ sysdb = getSystemDB(); userdb = getUserDB(); -- /* Don't open root's user DB */ + /* return a list of databases to open. First the system database */ + if (sysdb) { + const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; -+ module_list[next++] = PR_smprintf( -+ "library= " -+ "module=\"NSS system database\" " -+ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -+ "NSS=\"trustOrder=80 %sflags=internal,critical\"", ++ module_list[next++] = PR_smprintf( ++ "library= " ++ "module=\"NSS system database\" " ++ "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " ++ "NSS=\"trustOrder=80 %sflags=internal,critical\"", + sysdb, readonly, nssflags); + } + -+ /* Next the user database, but not for root. */ + /* Don't open root's user DB */ if (userdb != NULL && !userIsRoot()) { -- /* return a list of databases to open. First the user Database */ - module_list[next++] = PR_smprintf( - "library= " - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s tokenDescription='NSS user database'\" " -- "NSS=\"trustOrder=75 %sflags=internal%s\"", -- userdb, stripped_parameters, nssflags, -- isFIPS ? ",FIPS" : ""); -+ "NSS=\"trustOrder=75 %sflags=internal%s\"", -+ userdb, stripped_parameters, nssflags, -+ isFIPS ? ",FIPS" : ""); + /* return a list of databases to open. 
First the user Database */ +@@ -252,17 +263,6 @@ get_list(char *filename, char *stripped_ + userdb, stripped_parameters); + } - /* now open the user's defined PKCS #11 modules */ - /* skip the local user DB entry */ -@@ -283,17 +293,7 @@ get_list(char *filename, char *stripped_ - "module=\"NSS User database\" " - "parameters=\"configdir='sql:%s' %s\" " - "NSS=\"flags=internal,moduleDBOnly,defaultModDB,skipFirst\"", -- userdb, stripped_parameters); -- } -- - /* now the system database (always read only unless it's root) */ - if (sysdb) { -- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; -- module_list[next++] = PR_smprintf( -- "library= " -- "module=\"NSS system database\" " -- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " -- "NSS=\"trustOrder=80 %sflags=internal,critical\"",sysdb, readonly, nssflags); -+ userdb, stripped_parameters); - } - +- const char *readonly = userCanModifySystemDB() ? "" : "flags=readonly"; +- module_list[next++] = PR_smprintf( +- "library= " +- "module=\"NSS system database\" " +- "parameters=\"configdir='sql:%s' tokenDescription='NSS system database' %s\" " +- "NSS=\"trustOrder=80 %sflags=internal,critical\"", +- sysdb, readonly, nssflags); +- } +- /* that was the last module */ + module_list[next] = 0; + diff --git a/nss-util.pc.in b/nss-util.pc.in new file mode 100644 index 0000000..1310248 --- /dev/null +++ b/nss-util.pc.in @@ -0,0 +1,11 @@ +prefix=%prefix% +exec_prefix=%exec_prefix% +libdir=%libdir% +includedir=%includedir% + +Name: NSS-UTIL +Description: Network Security Services Utility Library +Version: %NSSUTIL_VERSION% +Requires: nspr >= %NSPR_VERSION% +Libs: -L${libdir} -lnssutil3 +Cflags: -I${includedir} diff --git a/nss.changes b/nss.changes index 1aa20d2..5483275 100644 --- a/nss.changes +++ b/nss.changes 
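Review bot: The rewritten patch now places the "NSS system database" entry ahead of the user database, yet it leaves upstream's context comment `/* return a list of databases to open. First the user Database */` standing right after the new `/* return a list of databases to open. First the system database */`, so the two comments contradict each other; the previous version of this patch replaced the stale one with `/* Next the user database, but not for root. */`, and the new version should keep doing that. The file is also still named nss-sysinit-userdb-first.patch and applied with `-b .userdbfirst` in the spec, which now describes the opposite of what it does, so either rename it or add a header line to the patch stating that the system DB is loaded first and that trust precedence is governed by the visible `trustOrder=80` / `trustOrder=75` values rather than list order (the latter is my reading of the strings, not something the hunk proves). Because the system entry is emitted first with `flags=internal,critical`, it is worth confirming that a missing or unreadable system DB does not now abort initialisation before the user DB is ever tried on devices that only have a user DB. get_list begins before and ends after this hunk.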
@@ -1,3 +1,7 @@ +* Wed Jan 09 2019 Marko Kenttälä - 3.39-1 +- Update to nss-3.39 and nss-pem-1.0.4, fixes jb#36180 +- Fedora spec file used as a base + * Wed Nov 04 2015 Pasi Sjöholm - 3.20.1 - Update to 3.20.1 - Fixes CVE-2015-7181 and CVE-2015-7182. Contributes to MER#1407 @@ -12,7 +16,7 @@ * Wed Nov 26 2014 John Brooks - 3.16.6 - Update to 3.16.6 and split libnssckbi into a separate package -* Tue Sep 25 2014 Pasi Sjöholm - 3.16.5 +* Thu Sep 25 2014 Pasi Sjöholm - 3.16.5 - Update to 3.16.5 - Fixes CVE-2014-1568. @@ -69,13 +73,13 @@ * Fri May 13 2011 Anas Nashif - 3.12.9 - Do not run test code, it does not work -* Wed 02 Mar 2011 Passion Zhao +* Wed Mar 02 2011 Passion Zhao - 3.12.9 - Update to 3.12.9 from fennec requirement #BMC13425 -* Tue 16 Nov 2010 Stephan Binner +* Tue Nov 16 2010 Stephan Binner - 3.12.8 - Update to 3.12.8, disable non-applying likely obsolete patches, BMC#10122 -* Fri Apr 30 2010 David Woodhouse +* Fri Apr 30 2010 David Woodhouse - 3.12.6 - Fix Mozilla bug #524013 (hopefully MeeGo bug #1558) * Tue Feb 16 2010 Anas Nashif - 3.12.5 diff --git a/nss.pc.in b/nss.pc.in index d47b9e1..69823cb 100644 --- a/nss.pc.in +++ b/nss.pc.in @@ -6,6 +6,6 @@ includedir=%includedir% Name: NSS Description: Network Security Services Version: %NSS_VERSION% -Requires: nspr >= %NSPR_VERSION% -Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3 +Requires: nspr >= %NSPR_VERSION%, nss-util >= %NSSUTIL_VERSION% +Libs: -L${libdir} -lssl3 -lsmime3 -lnss3 Cflags: -I${includedir} diff --git a/nss.spec b/nss.spec index 6749054..f6da988 100644 --- a/nss.spec +++ b/nss.spec 
@@ -1,27 +1,41 @@ -%define nspr_version 4.10.8 -%define unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global nspr_version 4.20 +%global nss_util_version 3.39 +%global nss_softokn_version 3.39 +%global nss_version 3.39 +%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools +%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" +%global saved_files_dir %{_libdir}/nss/saved + +# The upstream omits the trailing ".0", while we need it for +# consistency with the pkg-config version: +# https://bugzilla.redhat.com/show_bug.cgi?id=1578106 +%{lua: +rpm.define(string.format("nss_archive_version %s", + string.gsub(rpm.expand("%nss_version"), "(.*)%.0$", "%1"))) +} Summary: Network Security Services Name: nss -Version: 3.20.1 -Release: 1 -License: MPLv2 +Version: %{nss_version} +Release: 1%{?dist} +License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ -Group: System/Libraries +Group: System Environment/Libraries Requires: nspr >= %{nspr_version} -Requires: nss-softokn-freebl%{_isa} >= %{version} Requires: nss-system-init -Requires: nss-ckbi +Requires: p11-kit-trust BuildRequires: nspr-devel >= %{nspr_version} BuildRequires: sqlite-devel BuildRequires: zlib-devel BuildRequires: pkgconfig BuildRequires: gawk +BuildRequires: psmisc +BuildRequires: perl +BuildRequires: gcc-c++ +BuildRequires: cmake -Source0: %{name}-%{version}.tar.gz - +Source0: %{name}-%{nss_archive_version}.tar.gz Source1: nss.pc.in -Source2: nss-config.in Source3: blank-cert8.db Source4: blank-key3.db Source5: blank-secmod.db 
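Review bot: The main package drops `Requires: nss-softokn-freebl%{_isa} >= %{version}` while this same spec still defines a `softokn-freebl` subpackage further down; if libsoftokn3 and libfreebl3 are shipped by that subpackage (its %files section is outside this diff), installing `nss` alone leaves the internal PKCS#11 token missing at runtime and nothing in the new Requires list prevents it. Either restore `Requires: %{name}-softokn-freebl%{?_isa} = %{version}-%{release}` or make sure those libraries stay in the main package. Two smaller points: `Requires: p11-kit-trust` replacing `nss-ckbi` silently changes where the CA trust store comes from and deserves a line in nss.changes, and `URL: http://www.mozilla.org/...` could be `https://`.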
@@ -29,14 +43,35 @@ Source6: blank-cert9.db Source7: blank-key4.db Source8: system-pkcs11.txt Source9: setup-nsssysinit.sh -Source11: nss-prelink.conf -Source12: %{name}-pem-20140125.tar.bz2 - -Patch1: nss-no-rpath.patch -Patch2: nss-nolocalsql.patch -Patch6: nss-enable-pem.patch +Source10: nss-softokn.pc.in +Source12: nss-util.pc.in +Source14: nss-pem-1.0.4.tar.xz +Source15: nss-pem.cmake +Source16: nss-prelink.conf + +Patch1: nss-nolocalsql.patch +Patch2: add-relro-linker-option.patch +Patch3: renegotiate-transitional.patch Patch8: nss-sysinit-userdb-first.patch -Patch9: nss-3.13.3-notimestamps.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723 +Patch16: nss-539183.patch +# TODO remove when we switch to building nss without softoken +Patch49: nss-skip-bltest-and-fipstest.patch +# This patch uses the GCC -iquote option documented at +# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options +# to give the in-tree headers a higher priority over the system headers, +# when they are included through the quote form (#include "file.h"). +# +# This ensures a build even when system headers are older. Such is the +# case when starting an update with API changes or even private export +# changes. +# +# Once the buildroot aha been bootstrapped the patch may be removed +# but it doesn't hurt to keep it. +Patch50: iquote.patch +# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers +Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch +Patch62: nss-skip-util-gtest.patch %description Network Security Services (NSS) is a set of libraries designed to 
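Review bot: `Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch` turns TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA back on by default; 3DES is a 64-bit block cipher (Sweet32, CVE-2016-2183) and upstream ships these suites disabled, so the one-line `# Local patch for ...` comment should name the compatibility target that justifies re-enabling them here or the patch should be dropped, e.g. `# Local patch: enables ECDHE-3DES suites by default for <compat target>; 64-bit block cipher, see CVE-2016-2183 - revisit`. `Patch3: renegotiate-transitional.patch` carries no comment at all and, going by its name, relaxes renegotiation checks; neither patch file is added in this diff, so presumably both already exist in the repo, and their contents should be re-checked against the 3.39 code they now apply to. Minor: `# Once the buildroot aha been bootstrapped` should read `has been`.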
@@ -45,35 +80,10 @@ server applications. Applications built with NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. -%package ckbi -Summary: CA trust library for Network Security Services -Group: System/Base -Requires: nss = %{version}-%{release} - -%description ckbi -The nss-ckbi package provides CA trust store functionality to NSS. -This package is separated to allow replacing this library with -another compatible implementation. - -%package softokn-freebl -Summary: Freebl library for the Network Security Services -Group: System/Base - -%description softokn-freebl -Network Security Services (NSS) is a set of libraries designed to -support cross-platform development of security-enabled client and -server applications. Applications built with NSS can support SSL v2 -and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 -v3 certificates, and other security standards. - -Install the nss-softokn-freebl package if you need the freebl -library. - - %package tools Summary: Tools for the Network Security Services -Group: System/Base -Requires: nss = %{version}-%{release} +Group: System Environment/Base +Requires: %{name}%{?_isa} = %{version}-%{release} %description tools Network Security Services (NSS) is a set of libraries designed to 
@@ -85,14 +95,14 @@ v3 certificates, and other security standards. Install the nss-tools package if you need command-line tools to manipulate the NSS certificate and key database. - %package sysinit -Summary: System NSS Initilization -Group: System/Base +Summary: System NSS Initialization +Group: System Environment/Base +# providing nss-system-init without version so that it can +# be replaced by a better one, e.g. supplied by the os vendor Provides: nss-system-init Requires: nss = %{version}-%{release} -Requires(post): coreutils -Requires(post): sed +Requires(post): coreutils, sed %description sysinit Default Operating System module that manages applications loading @@ -100,10 +110,10 @@ NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules. - %package devel Summary: Development libraries for Network Security Services Group: Development/Libraries +Provides: nss-static = %{version}-%{release} Requires: nss = %{version}-%{release} Requires: nspr-devel >= %{nspr_version} Requires: pkgconfig 
@@ -115,242 +125,540 @@ Header and Library files for doing development with Network Security Services. %package pkcs11-devel Summary: Development libraries for PKCS #11 (Cryptoki) using NSS Group: Development/Libraries +Provides: nss-pkcs11-devel-static = %{version}-%{release} Requires: nss-devel = %{version}-%{release} +Requires: nss-softokn-freebl-devel >= %{nss_softokn_version} %description pkcs11-devel -Library files for developing PKCS #11 modules using basic NSS +Library files for developing PKCS #11 modules using basic NSS low level services. +%package softokn-freebl +Summary: Network Security Services Softoken and Freebl Cryptographic Modules +Group: System Environment/Base +Requires: nss-devel = %{version}-%{release} +Requires: nspr >= 4.12 +Requires: nss >= 3.33 -%prep -%setup -q -%setup -q -T -D -n %{name}-%{version} -a 12 +%description softokn-freebl +Network Security Services Softoken and Freebl Cryptographic Modules + +%package softokn-freebl-devel +Summary: Header and Library files for doing development with the Softoken Freebl libraries for NSS +Group: System Environment/Base +Provides: nss-softokn-freebl-static = %{version}-%{release} +Requires: nss-softokn-freebl%{?_isa} = %{version}-%{release} + +%description softokn-freebl-devel +NSS Softoken Cryptographic Module Freebl Library Development Tools +This package supports special needs of some PKCS #11 module developers and +is otherwise considered private to NSS. As such, the programming interfaces +may change and the usual NSS binary compatibility commitments do not apply. +Developers should rely only on the officially supported NSS public API. + +%package pem +Summary: PEM file reader for Network Security Services +Group: System Environment/Libraries +Requires: nspr >= %{nspr_version} + +%description pem +PEM file reader for Network Security Services (NSS), implemented as a PKCS#11 module. 
-%patch1 -p0 -%patch2 -p0 -%patch6 -p0 -b .libpem -%patch8 -p0 -b .rh603313 -%patch9 -p1 -b .timestamping +%prep +%setup -q -n %{name}-%{nss_archive_version} +%setup -q -T -D -n %{name}-%{nss_archive_version} -a 14 + +%patch1 -p0 -b .nolocalsql +%patch2 -p0 -b .relro +%patch3 -p0 -b .transitional +%patch8 -p0 -b .userdbfirst +%patch16 -p0 -b .539183 +%patch49 -p0 -b .skipthem +%patch50 -p0 -b .iquote +%patch58 -p0 -b .1185708_3des +pushd nss +%patch62 -p1 -b .skip_util_gtest +popd %build -export FREEBL_NO_DEPEND=1 -export FREEBL_LOWHASH=1 +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +# Must export FREEBL_LOWHASH=1 for nsslowhash.h so that it gets +# copied to dist and the rpm install phase can find it +# This due of the upstream changes to fix +# https://bugzilla.mozilla.org/show_bug.cgi?id=717906 +FREEBL_LOWHASH=1 +export FREEBL_LOWHASH + +# Enable FIPS startup test +NSS_FORCE_FIPS=1 +export NSS_FORCE_FIPS # Enable compiler optimizations and disable debugging code export BUILD_OPT=1 +# Uncomment to disable optimizations +#RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'` +#export RPM_OPT_FLAGS + # Generate symbolic info for debuggers -export XCFLAGS=$RPM_OPT_FLAGS +XCFLAGS=$RPM_OPT_FLAGS +export XCFLAGS + +LDFLAGS=$RPM_LD_FLAGS +export LDFLAGS + +PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 +PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 + +export PKG_CONFIG_ALLOW_SYSTEM_LIBS +export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS + +NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` +NSPR_LIB_DIR=%{_libdir} -export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1 -export PKG_CONFIG_ALLOW_SYSTEM_CFLAGS=1 +export NSPR_INCLUDE_DIR +export NSPR_LIB_DIR -export NSPR_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nspr | sed 's/-I//'` -export NSPR_LIB_DIR=%{_libdir} +export NSSUTIL_INCLUDE_DIR=`/usr/bin/pkg-config --cflags-only-I nss-util | sed 's/-I//'` +export NSSUTIL_LIB_DIR=%{_libdir} -export USE_SYSTEM_ZLIB=1 +NSS_USE_SYSTEM_SQLITE=1 +export NSS_USE_SYSTEM_SQLITE -export 
NSS_USE_SYSTEM_SQLITE=1 +export NSS_ALLOW_SSLKEYLOGFILE=1 -%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64 -export USE_64=1 +export NSS_DISABLE_GTESTS=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif %endif -# NSS_ENABLE_ECC=1 -# export NSS_ENABLE_ECC +# uncomment if the iquote patch is activated +export IN_TREE_FREEBL_HEADERS_FIRST=1 -%{__make} -C ./nss +##### phase 2: build the rest of nss +export NSS_BLTEST_NOT_AVAILABLE=1 +%{__make} -C ./nss/coreconf +%{__make} -C ./nss/lib/dbm -# Produce .chk files for the final stripped binaries -%define __spec_install_post \ - %{?__debug_package:%{__debug_install_post}} \ - %{__arch_install_post} \ - %{__os_install_post} \ - LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \ - LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_libdir} $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \ -%{nil} +# Set the policy file location +# if set NSS will always check for the policy file and load if it exists +export POLICY_FILE="nss.config" +# location of the policy file +export POLICY_PATH="/etc/crypto-policies/back-ends" -%install +%{__make} -C ./nss +# This will copy to dist dir and sign libraries +%{__make} -C ./nss install +unset NSS_BLTEST_NOT_AVAILABLE + +# build the man pages clean +pushd ./nss +%{__make} clean_docs build_docs +popd + +# and copy them to the dist directory for %%install to find them +%{__mkdir_p} ./dist/docs/nroff +%{__cp} ./nss/doc/nroff/* ./dist/docs/nroff # Set up our package file -%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +# The nspr_version and nss_{util|softokn}_version globals used +# here match the ones nss has for its Requires. 
+# Using the current %%{nss_softokn_version} for fedora again +%{__mkdir_p} ./dist/pkgconfig %{__cat} %{SOURCE1} | sed -e "s,%%libdir%%,%{_libdir},g" \ -e "s,%%prefix%%,%{_prefix},g" \ -e "s,%%exec_prefix%%,%{_prefix},g" \ -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSS_VERSION%%,%{version},g" \ -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ - -e "s,%%NSS_VERSION%%,%{version},g" > \ - $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{nss_softokn_version},g" > \ + ./dist/pkgconfig/nss.pc NSS_VMAJOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | awk '{print $3}'` NSS_VMINOR=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VMINOR" | awk '{print $3}'` NSS_VPATCH=`cat nss/lib/nss/nss.h | grep "#define.*NSS_VPATCH" | awk '{print $3}'` -export NSS_VMAJOR -export NSS_VMINOR +export NSS_VMAJOR +export NSS_VMINOR export NSS_VPATCH -%{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir} -%{__cat} %{SOURCE2} | sed -e "s,@libdir@,%{_libdir},g" \ - -e "s,@prefix@,%{_prefix},g" \ - -e "s,@exec_prefix@,%{_prefix},g" \ - -e "s,@includedir@,%{_includedir}/nss3,g" \ - -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ - -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ - -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ - > $RPM_BUILD_ROOT/%{_bindir}/nss-config +# Set up our package file +# The nspr_version and nss_util_version globals used here +# must match the ones nss-softokn has for its Requires. 
+%{__mkdir_p} ./dist/pkgconfig +%{__cat} %{SOURCE10} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{nss_util_version},g" \ + -e "s,%%SOFTOKEN_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-softokn.pc + +SOFTOKEN_VMAJOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMAJOR" | awk '{print $3}'` +SOFTOKEN_VMINOR=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VMINOR" | awk '{print $3}'` +SOFTOKEN_VPATCH=`cat nss/lib/softoken/softkver.h | grep "#define.*SOFTOKEN_VPATCH" | awk '{print $3}'` + +export SOFTOKEN_VMAJOR +export SOFTOKEN_VMINOR +export SOFTOKEN_VPATCH + +%{__cat} %{SOURCE12} | sed -e "s,%%libdir%%,%{_libdir},g" \ + -e "s,%%prefix%%,%{_prefix},g" \ + -e "s,%%exec_prefix%%,%{_prefix},g" \ + -e "s,%%includedir%%,%{_includedir}/nss3,g" \ + -e "s,%%NSPR_VERSION%%,%{nspr_version},g" \ + -e "s,%%NSSUTIL_VERSION%%,%{version},g" > \ + ./dist/pkgconfig/nss-util.pc -chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config +NSSUTIL_VMAJOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMAJOR" | awk '{print $3}'` +NSSUTIL_VMINOR=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VMINOR" | awk '{print $3}'` +NSSUTIL_VPATCH=`cat nss/lib/util/nssutil.h | grep "#define.*NSSUTIL_VPATCH" | awk '{print $3}'` +export NSSUTIL_VMAJOR +export NSSUTIL_VMINOR +export NSSUTIL_VPATCH -install -m 755 %{SOURCE9} $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh +%{__cat} %{SOURCE9} > ./dist/pkgconfig/setup-nsssysinit.sh +chmod 755 ./dist/pkgconfig/setup-nsssysinit.sh + +%{__cp} ./nss/lib/ckfw/nssck.api ./dist/private/nss/ + +date +"%e %B %Y" | tr -d '\n' > date.xml +echo -n %{version} > version.xml + +# PEM plugin +%{__mkdir_p} nss-pem-1.0.4/build +cp %{SOURCE15} nss-pem-1.0.4/build/ +cd nss-pem-1.0.4/build +PKG_CONFIG_PATH=$PWD/../../dist/pkgconfig cmake 
-DCMAKE_PROJECT_libnsspem_INCLUDE=%{SOURCE15} ../src +make + +%check +if [ ${DISABLETEST:-0} -eq 1 ]; then + echo "testing disabled" + exit 0 +fi + +# Begin -- copied from the build section + +FREEBL_NO_DEPEND=1 +export FREEBL_NO_DEPEND + +export BUILD_OPT=1 + +%ifnarch noarch +%if 0%{__isa_bits} == 64 +USE_64=1 +export USE_64 +%endif +%endif + +export NSS_BLTEST_NOT_AVAILABLE=1 + +# needed for the fips mangling test +export SOFTOKEN_LIB_DIR=%{_libdir} + +# End -- copied from the build section + +# This is necessary because the test suite tests algorithms that are +# disabled by the system policy. +export NSS_IGNORE_SYSTEM_POLICY=1 + +# enable the following line to force a test failure +# find ./nss -name \*.chk | xargs rm -f + +# Run test suite. +# In order to support multiple concurrent executions of the test suite +# (caused by concurrent RPM builds) on a single host, +# we'll use a random port. Also, we want to clean up any stuck +# selfserv processes. If process name "selfserv" is used everywhere, +# we can't simply do a "killall selfserv", because it could disturb +# concurrent builds. Therefore we'll do a search and replace and use +# a different process name. +# Using xargs doesn't mix well with spaces in filenames, in order to +# avoid weird quoting we'll require that no spaces are being used. 
+
+SPACEISBAD=`find ./nss/tests | grep -c ' '` ||:
+if [ $SPACEISBAD -ne 0 ]; then
+ echo "error: filenames containing space are not supported (xargs)"
+ exit 1
+fi
+MYRAND=`perl -e 'print 9000 + int rand 1000'`; echo $MYRAND ||:
+RANDSERV=selfserv_${MYRAND}; echo $RANDSERV ||:
+DISTBINDIR=`ls -d ./dist/*.OBJ/bin`; echo $DISTBINDIR ||:
+pushd `pwd`
+cd $DISTBINDIR
+ln -s selfserv $RANDSERV
+popd
+# man perlrun, man perlrequick
+# replace word-occurrences of selfserv with selfserv_$MYRAND
+find ./nss/tests -type f |\
+ grep -v "\.db$" |grep -v "\.crl$" | grep -v "\.crt$" |\
+ grep -vw CVS |xargs grep -lw selfserv |\
+ xargs -L 1 perl -pi -e "s/\bselfserv\b/$RANDSERV/g" ||:
+
+killall $RANDSERV || :
+
+rm -rf ./tests_results
+pushd ./nss/tests/
+# all.sh is the test suite script
+
+# don't need to run all the tests when testing packaging
+# nss_cycles: standard pkix upgradedb sharedb
+# the full list from all.sh is:
+# "cipher lowhash libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+%define nss_tests "libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains ec gtests ssl_gtests"
+# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr policy
+# nss_ssl_run: cov auth stapling stress
+#
+# Uncomment these lines if you need to temporarily
+# disable some test suites for faster test builds
+# % define nss_ssl_tests "normal_fips"
+# % define nss_ssl_run "cov"
+
+SKIP_NSS_TEST_SUITE=1
+
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+ HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh
+else
+ echo "skipped test suite"
+fi
+
+popd
+
+# Normally, the grep exit status is 0 if selected lines are found and 1 otherwise,
+# Grep exits with status greater than 1 if an error ocurred.
+# If there are test failures we expect TEST_FAILURES > 0 and GREP_EXIT_STATUS = 0,
+# With no test failures we expect TEST_FAILURES = 0 and GREP_EXIT_STATUS = 1, whereas
+# GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file.
+killall $RANDSERV || :
+
+if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then
+ TEST_FAILURES=$(grep -c -- '- FAILED$' ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
+else
+ TEST_FAILURES=0
+ GREP_EXIT_STATUS=1
+fi
+
+if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
+ echo "okay: test suite detected no failures"
+else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
+ # while a situation in which grep return status is 0 and it doesn't output
+ # anything shouldn't happen, set the default to something that is
+ # obviously wrong (-1)
+ echo "error: test suite had ${TEST_FAILURES:--1} test failure(s)"
+ exit 1
+ else
+ if [ ${GREP_EXIT_STATUS:-0} -eq 2 ]; then
+ echo "error: grep has not found log file"
+ exit 1
+ else
+ echo "error: grep failed with exit code: ${GREP_EXIT_STATUS}"
+ exit 1
+ fi
+ fi
+fi
+echo "test suite completed"
+
+%install
+
+%{__rm} -rf $RPM_BUILD_ROOT
 # There is no make install target so we'll do it ourselves.
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_bindir}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%{__mkdir_p} $RPM_BUILD_ROOT/%{saved_files_dir}
+# because of the pp.1 conflict with perl-PAR-Packer
+%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
 # Copy the binary libraries we want
-for file in libsoftokn3.so libfreebl3.so libnss3.so libnssutil3.so \
- libssl3.so libsmime3.so libnssckbi.so libnsspem.so libnssdbm3.so \
- libnsssysinit.so
+for file in libnss3.so libnsssysinit.so libsmime3.so libssl3.so libsoftokn3.so libsoftokn3.chk libnssdbm3.so libnssdbm3.chk libfreebl3.so libfreebl3.chk libfreeblpriv3.so libfreeblpriv3.chk libnssutil3.so
 do
- %{__install} -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+ %{__install} -p -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Install the empty NSS db files
 # Legacy db
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
-%{__install} -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
-%{__install} -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
-%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
+%{__install} -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
+%{__install} -p -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
+%{__install} -p -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
 # Shared db
-%{__install} -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
-%{__install} -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
-%{__install} -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
+%{__install} -p -m 644 %{SOURCE7}
$RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
+# prelink
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d
-%{__install} -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/nss-prelink.conf
+%{__install} -m 644 %{SOURCE16} $RPM_BUILD_ROOT/%{_sysconfdir}/prelink.conf.d/nss-prelink.conf
 # Copy the development libraries we want
 for file in libcrmf.a libnssb.a libnssckfw.a
 do
- %{__install} -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+ %{__install} -p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
 # Copy the binaries we want
-for file in certutil cmsutil crlutil modutil pk12util signtool signver ssltap
+for file in certutil cmsutil crlutil modutil nss-policy-check pk12util signver ssltap
 do
- %{__install} -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{_bindir}
 done
 # Copy the binaries we ship as unsupported
-for file in atob btoa derdump ocspclnt pp selfserv shlibsign strsclnt symkeyutil tstclnt vfyserv vfychain
+for file in atob btoa derdump listsuites ocspclnt pp selfserv signtool strsclnt symkeyutil tstclnt vfyserv vfychain bltest ecperf fbectest fipstest shlibsign
 do
- %{__install} -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
+ %{__install} -p -m 755 dist/*.OBJ/bin/$file $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 done
 # Copy the include files we want
 for file in dist/public/nss/*.h
 do
- %{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
+# Copy some freebl include files we also want
+for file in blapi.h alghmac.h
+do
+ %{__install} -p -m 644 dist/private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3
+done
-%clean
-%{__rm} -rf $RPM_BUILD_ROOT
-
-
-%post -p /sbin/ldconfig
+# Copy the static freebl library
+for file in libfreebl.a
+do
+%{__install}
-p -m 644 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
+done
+# Copy the template files we want
+for file in dist/private/nss/nssck.api
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+for file in dist/private/nss/templates.c
+do
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
-%postun -p /sbin/ldconfig
+# Copy the package configuration files
+%{__install} -p -m 644 ./dist/pkgconfig/nss.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss.pc
+%{__install} -p -m 644 ./dist/pkgconfig/nss-softokn.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-softokn.pc
+%{__install} -p -m 644 ./dist/pkgconfig/nss-util.pc $RPM_BUILD_ROOT/%{_libdir}/pkgconfig/nss-util.pc
+# pem
+%{__install} -m 755 ./nss-pem-1.0.4/build/libnsspem.so $RPM_BUILD_ROOT/%{_libdir}
+%{__install} -m 644 ./nss-pem-1.0.4/src/nsspem.h $RPM_BUILD_ROOT/%{_includedir}/nss3
-%post sysinit
-%{_bindir}/setup-nsssysinit.sh on
+# Copy the pkcs #11 configuration script
+%{__install} -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh
+# install a symbolic link to it, without the ".sh" suffix,
+# that matches the man page documentation
+ln -s -f setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
-%preun sysinit
-%{_bindir}/setup-nsssysinit.sh off
+%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
+# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
+# from previous versions of nss.spec
+/usr/bin/setup-nsssysinit.sh on
+%ldconfig_scriptlets
 %files
-%defattr(-,root,root,-)
+%license nss/COPYING
 %{_libdir}/libnss3.so
-%{_libdir}/libnssutil3.so
-%{_libdir}/libnssdbm3.so
 %{_libdir}/libssl3.so
 %{_libdir}/libsmime3.so
+%{_libdir}/libnssutil3.so
 %{_libdir}/libsoftokn3.so
 %{_libdir}/libsoftokn3.chk
-%{_libdir}/libnsspem.so
-%{unsupported_tools_directory}/shlibsign
-%dir %{_libdir}/nss
-%dir %{unsupported_tools_directory}
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssdbm3.chk
+%{_libdir}/libfreebl3.so
+%{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.so
+%{_libdir}/libfreeblpriv3.chk
 %dir %{_sysconfdir}/pki/nssdb
-%config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
-%config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
-%config(noreplace) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert8.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key3.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/secmod.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %dir %{_sysconfdir}/prelink.conf.d
 %config %{_sysconfdir}/prelink.conf.d/nss-prelink.conf
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/shlibsign
+
+%files softokn-freebl
+%license nss/COPYING
+%dir %{_libdir}/nss
+%dir %{saved_files_dir}
+%dir %{unsupported_tools_directory}
+%{unsupported_tools_directory}/bltest
+%{unsupported_tools_directory}/ecperf
+%{unsupported_tools_directory}/fbectest
+%{unsupported_tools_directory}/fipstest
-%files ckbi
-%defattr(-,root,root,-)
-%{_libdir}/libnssckbi.so
+%files softokn-freebl-devel
+%dir %{_includedir}/nss3
+%{_libdir}/libfreebl.a
+%{_libdir}/pkgconfig/nss-softokn.pc
+%{_includedir}/nss3/blapi.h
+%{_includedir}/nss3/alghmac.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
+%{_includedir}/nss3/nsslowhash.h
+%{_includedir}/nss3/shsign.h
 %files sysinit
-%defattr(-,root,root,-)
 %{_libdir}/libnsssysinit.so
-%config(noreplace) %{_sysconfdir}/pki/nssdb/cert9.db
-%config(noreplace) %{_sysconfdir}/pki/nssdb/key4.db
-%config(noreplace) %{_sysconfdir}/pki/nssdb/pkcs11.txt
 %{_bindir}/setup-nsssysinit.sh
-
-
-%files softokn-freebl
-%defattr(-,root,root,-)
-%{_libdir}/libfreebl3.so
-%{_libdir}/libfreebl3.chk
+#
symbolic link to setup-nsssysinit.sh
+%{_bindir}/setup-nsssysinit
 %files tools
-%defattr(-,root,root,-)
 %{_bindir}/certutil
 %{_bindir}/cmsutil
 %{_bindir}/crlutil
 %{_bindir}/modutil
+%{_bindir}/nss-policy-check
 %{_bindir}/pk12util
-%{_bindir}/signtool
 %{_bindir}/signver
 %{_bindir}/ssltap
 %{unsupported_tools_directory}/atob
 %{unsupported_tools_directory}/btoa
 %{unsupported_tools_directory}/derdump
+%{unsupported_tools_directory}/listsuites
 %{unsupported_tools_directory}/ocspclnt
 %{unsupported_tools_directory}/pp
 %{unsupported_tools_directory}/selfserv
+%{unsupported_tools_directory}/signtool
 %{unsupported_tools_directory}/strsclnt
 %{unsupported_tools_directory}/symkeyutil
 %{unsupported_tools_directory}/tstclnt
 %{unsupported_tools_directory}/vfyserv
 %{unsupported_tools_directory}/vfychain
-
 %files devel
-%defattr(-,root,root,-)
 %{_libdir}/libcrmf.a
 %{_libdir}/pkgconfig/nss.pc
-%{_bindir}/nss-config
-
 %dir %{_includedir}/nss3
-%{_includedir}/nss3/base64.h
-%{_includedir}/nss3/blapit.h
 %{_includedir}/nss3/cert.h
 %{_includedir}/nss3/certdb.h
 %{_includedir}/nss3/certt.h
-%{_includedir}/nss3/ciferfam.h
 %{_includedir}/nss3/cmmf.h
 %{_includedir}/nss3/cmmft.h
 %{_includedir}/nss3/cms.h
@@ -360,8 +668,7 @@ done
 %{_includedir}/nss3/crmft.h
 %{_includedir}/nss3/cryptohi.h
 %{_includedir}/nss3/cryptoht.h
-%{_includedir}/nss3/ecl-exp.h
-%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/sechash.h
 %{_includedir}/nss3/jar-ds.h
 %{_includedir}/nss3/jar.h
 %{_includedir}/nss3/jarfile.h
@@ -370,17 +677,7 @@ done
 %{_includedir}/nss3/keyt.h
 %{_includedir}/nss3/keythi.h
 %{_includedir}/nss3/nss.h
-%{_includedir}/nss3/nssb64.h
-%{_includedir}/nss3/nssb64t.h
 %{_includedir}/nss3/nssckbi.h
-%{_includedir}/nss3/nssilckt.h
-%{_includedir}/nss3/nssilock.h
-%{_includedir}/nss3/nsslocks.h
-%{_includedir}/nss3/nsslowhash.h
-%{_includedir}/nss3/nsspem.h
-%{_includedir}/nss3/nssrwlk.h
-%{_includedir}/nss3/nssrwlkt.h
-%{_includedir}/nss3/nssutil.h
 %{_includedir}/nss3/ocsp.h
 %{_includedir}/nss3/ocspt.h
 %{_includedir}/nss3/p12.h
@@ -391,6 +688,36 @@ done
 %{_includedir}/nss3/pk11priv.h
 %{_includedir}/nss3/pk11pub.h
 %{_includedir}/nss3/pk11sdr.h
+%{_includedir}/nss3/pkcs12.h
+%{_includedir}/nss3/pkcs12t.h
+%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/preenc.h
+%{_includedir}/nss3/secmime.h
+%{_includedir}/nss3/secmod.h
+%{_includedir}/nss3/secmodt.h
+%{_includedir}/nss3/secpkcs5.h
+%{_includedir}/nss3/secpkcs7.h
+%{_includedir}/nss3/smime.h
+%{_includedir}/nss3/ssl.h
+%{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
+%{_includedir}/nss3/sslproto.h
+%{_includedir}/nss3/sslt.h
+%{_includedir}/nss3/blapit.h
+%{_includedir}/nss3/ecl-exp.h
+%{_libdir}/pkgconfig/nss-util.pc
+%{_includedir}/nss3/base64.h
+%{_includedir}/nss3/ciferfam.h
+%{_includedir}/nss3/eccutil.h
+%{_includedir}/nss3/hasht.h
+%{_includedir}/nss3/nssb64.h
+%{_includedir}/nss3/nssb64t.h
+%{_includedir}/nss3/nsslocks.h
+%{_includedir}/nss3/nssilock.h
+%{_includedir}/nss3/nssilckt.h
+%{_includedir}/nss3/nssrwlk.h
+%{_includedir}/nss3/nssrwlkt.h
+%{_includedir}/nss3/nssutil.h
 %{_includedir}/nss3/pkcs1sig.h
 %{_includedir}/nss3/pkcs11.h
 %{_includedir}/nss3/pkcs11f.h
@@ -398,11 +725,8 @@ done
 %{_includedir}/nss3/pkcs11p.h
 %{_includedir}/nss3/pkcs11t.h
 %{_includedir}/nss3/pkcs11u.h
-%{_includedir}/nss3/pkcs12.h
-%{_includedir}/nss3/pkcs12t.h
-%{_includedir}/nss3/pkcs7t.h
+%{_includedir}/nss3/pkcs11uri.h
 %{_includedir}/nss3/portreg.h
-%{_includedir}/nss3/preenc.h
 %{_includedir}/nss3/secasn1.h
 %{_includedir}/nss3/secasn1t.h
 %{_includedir}/nss3/seccomon.h
@@ -411,29 +735,17 @@ done
 %{_includedir}/nss3/secdig.h
 %{_includedir}/nss3/secdigt.h
 %{_includedir}/nss3/secerr.h
-%{_includedir}/nss3/sechash.h
 %{_includedir}/nss3/secitem.h
-%{_includedir}/nss3/secmime.h
-%{_includedir}/nss3/secmod.h
-%{_includedir}/nss3/secmodt.h
 %{_includedir}/nss3/secoid.h
 %{_includedir}/nss3/secoidt.h
-%{_includedir}/nss3/secpkcs5.h
-%{_includedir}/nss3/secpkcs7.h
 %{_includedir}/nss3/secport.h
-%{_includedir}/nss3/shsign.h
-%{_includedir}/nss3/smime.h
-%{_includedir}/nss3/ssl.h
-%{_includedir}/nss3/sslerr.h
-%{_includedir}/nss3/sslproto.h
-%{_includedir}/nss3/sslt.h
-%{_includedir}/nss3/utilrename.h
 %{_includedir}/nss3/utilmodt.h
 %{_includedir}/nss3/utilpars.h
 %{_includedir}/nss3/utilparst.h
+%{_includedir}/nss3/utilrename.h
+%{_includedir}/nss3/templates/templates.c
 %files pkcs11-devel
-%defattr(-, root, root,-)
 %{_includedir}/nss3/nssbase.h
 %{_includedir}/nss3/nssbaset.h
 %{_includedir}/nss3/nssckepv.h
@@ -444,7 +756,10 @@ done
 %{_includedir}/nss3/nssckg.h
 %{_includedir}/nss3/nssckmdt.h
 %{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
 %{_libdir}/libnssb.a
 %{_libdir}/libnssckfw.a
-
+%files pem
+%{_libdir}/libnsspem.so
+%{_includedir}/nss3/nsspem.h
diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch
new file mode 100644
index 0000000..d3aa3bd
--- /dev/null
+++ b/renegotiate-transitional.patch
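Review bot: `%files pem` in the last hunk ships `%{_libdir}/libnsspem.so` and `nsspem.h` without a `%license` entry, whereas the main `%files` and `%files softokn-freebl` lists in this commit each carry `%license nss/COPYING`. libnsspem.so is built from the separate `nss-pem-1.0.4` tree, so its own license file (not visible in this diff) is presumably the right one to ship; add `%license <nss-pem license file>` under `%files pem`. The old `%post -p /sbin/ldconfig` covered libnsspem.so while it lived in the main package, but `%ldconfig_scriptlets` with no subpackage argument now covers only the main package, so the new subpackage likely needs its own `%ldconfig_scriptlets pem` unless the module is only ever loaded by full path.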
@@ -0,0 +1,12 @@
+diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.transitional 2018-03-09 13:57:50.615706802 +0100
++++ nss/lib/ssl/sslsock.c 2018-03-09 13:58:23.708974970 +0100
+@@ -67,7 +67,7 @@ static sslOptions ssl_defaults = {
+ .noLocks = PR_FALSE,
+ .enableSessionTickets = PR_FALSE,
+ .enableDeflate = PR_FALSE,
+- .enableRenegotiation = SSL_RENEGOTIATE_REQUIRES_XTN,
++ .enableRenegotiation = SSL_RENEGOTIATE_TRANSITIONAL,
+ .requireSafeNegotiation = PR_FALSE,
+ .enableFalseStart = PR_FALSE,
+ .cbcRandomIV = PR_TRUE,
diff --git a/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
new file mode 100644
index 0000000..455c747
--- /dev/null
+++ b/rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
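Review bot: The patch changes the library-wide default from `SSL_RENEGOTIATE_REQUIRES_XTN` to `SSL_RENEGOTIATE_TRANSITIONAL` with no comment in the patch file explaining why or for which peers. As NSS's `ssl.h` describes it, the transitional value keeps unsafe renegotiation disallowed on server sockets but lets client sockets renegotiate with servers that do not present the RFC 5746 renegotiation_info extension, and the header says it is meant for a transition period only; shipping it as the distribution default deserves a written justification and a revert condition. Add a header comment above the `diff -up` line, e.g. `# Allow client-side renegotiation with servers lacking the RFC 5746 extension; revert when <tracking-reference> is closed`, and mention that applications needing the stricter behaviour can restore it per socket with `SSL_OptionSet(fd, SSL_ENABLE_RENEGOTIATION, SSL_RENEGOTIATE_REQUIRES_XTN)`.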
@@ -0,0 +1,23 @@
+--- ./nss/lib/ssl/ssl3con.c.1185708_3des 2016-06-23 21:10:09.765992512 -0400
++++ ./nss/lib/ssl/ssl3con.c 2016-06-23 22:58:39.121398601 -0400
+@@ -118,18 +118,18 @@
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+- { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
++ { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
++ { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+
+ { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_TRUE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256,SSL_ALLOWED,PR_TRUE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_ALLOWED, PR_FALSE, PR_FALSE},
diff --git a/setup-nsssysinit.sh b/setup-nsssysinit.sh
index 9c1727b..8e1f5f7 100644
--- a/setup-nsssysinit.sh
+++ b/setup-nsssysinit.sh
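Review bot: Re-enabling `TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA` and `TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA` by default adds a 64-bit-block cipher to what a default-configured NSS peer will negotiate, and CBC over a 64-bit block has a practical birthday bound on how much data a single connection should carry; the patch file names only a bug number and gives no rationale or exit criterion. The spec's %check section in this commit exports `NSS_IGNORE_SYSTEM_POLICY=1` for the test suite because "the test suite tests algorithms that are disabled by the system policy", so a system crypto policy is in force on installed systems; state in a comment above the `---` line whether that policy is expected to keep these suites off by default and which peers rhbz1185708 needed them for. The patch's context lines are dated 2016 while this commit moves to the nss-3.39 tarball, so it is also worth confirming the hunk still applies to the current cipher table without fuzz.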
@@ -1,24 +1,24 @@ #!/bin/sh # # Turns on or off the nss-sysinit module db by editing the -# global PKCS #11 congiguration file. +# global PKCS #11 congiguration file. Displays the status. # # This script can be invoked by the user as super user. -# It is invoked at nss-sysinit post install time with argument on -# and at nss-sysinit pre uninstall with argument off. +# It is invoked at nss-sysinit post install time with argument on. # usage() { cat <&2 fi @@ -30,17 +30,26 @@ if [ ! -f $p11conf ]; then exit 1 fi -on="1" +# check if nsssysinit is currently enabled or disabled +sysinit_enabled() +{ + grep -q '^library=libnsssysinit' ${p11conf} +} + +umask 022 case "$1" in on | ON ) + if sysinit_enabled; then + exit 0 + fi cat ${p11conf} | \ - sed -e 's/^library=$/library=libnsssysinit.so/' \ - -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ - ${p11conf}.on + sed -e 's/^library=$/library=libnsssysinit.so/' \ + -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ + ${p11conf}.on mv ${p11conf}.on ${p11conf} ;; off | OFF ) - if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then + if ! sysinit_enabled; then exit 0 fi cat ${p11conf} | \ @@ -49,6 +58,10 @@ case "$1" in ${p11conf}.off mv ${p11conf}.off ${p11conf} ;; + status ) + echo -n 'NSS sysinit is ' + sysinit_enabled && echo 'enabled' || echo 'disabled' + ;; * ) usage 1 1>&2 ;; diff --git a/system-pkcs11.txt b/system-pkcs11.txt index 0aa7a5c..c2f5704 100644 --- a/system-pkcs11.txt +++ b/system-pkcs11.txt 
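Review bot: The new `status` branch relies on `echo -n`, which is not a portable option under the script's `#!/bin/sh` shebang; `printf 'NSS sysinit is '` produces the same output on every POSIX shell. In `sysinit_enabled()` the path is passed to grep as `${p11conf}` unquoted, so write it as `grep -q '^library=libnsssysinit' "${p11conf}"` to keep the helper correct for any value the variable may hold. The `on` and `off` branches still replace the configuration file via `> ${p11conf}.on` followed by `mv`, so with the added `umask 022` the result is a fresh 0644 file owned by whoever ran the script rather than the original's mode and owner; if that is intended, a one-line comment next to `umask 022` saying so would save the next reader the check.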
@@ -1,5 +1,5 @@
-library=
+library=libnsssysinit.so
 name=NSS Internal PKCS #11 Module
 parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
-NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
+NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
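Review bot: Baking `library=libnsssysinit.so` into the shipped default makes the main package's `pkcs11.txt` depend on a module that this same commit lists under `%files sysinit` (`%{_libdir}/libnsssysinit.so`), not under the main `%files`; unless the main package carries a hard `Requires:` on the sysinit subpackage (not visible in this diff), a system with nss but without nss-sysinit will have its default module database point at a library that is not installed. Either make that dependency explicit in the spec, or keep `library=` empty in the shipped file and rely on `setup-nsssysinit.sh on`, whose `^library=$` substitution this commit keeps. A short comment in the spec where `pkcs11.txt` is installed, stating which package is now responsible for enabling sysinit, would also help, since the `%post sysinit` scriptlet that used to do it is removed in this commit.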