Browse Source

nss-3.33-1

git-svn-id: http://trac.vinelinux.org/repos/projects/specs@11204 ec354946-7b23-47d6-9f5a-488ba84defc7
tomop 5 years ago
parent
commit
ea6608cb2a
1 changed files with 76 additions and 111 deletions
  1. 76 111
      n/nss/nss-vl.spec

+ 76 - 111
n/nss/nss-vl.spec

@@ -2,8 +2,10 @@
 
 %define _unpackaged_files_terminate_build 1
 
-%define nspr_version 4.11
+%define nspr_version 4.13.1
+%define pem_version 1.0.3
 %define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
 
 # Produce .chk files for the final stripped binaries
 #
@@ -19,6 +21,7 @@
     %{__arch_install_post} \
     %{__os_install_post} \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
+    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
 %{nil}
@@ -26,8 +29,8 @@
 
 Summary:          Network Security Services
 Name:             nss
-Version:          3.21.1
-Release:          3%{?_dist_release}
+Version:          3.33
+Release:          1%{?_dist_release}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -43,83 +46,52 @@ Source5:          blank-secmod.db
 Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
-Source12:         %{name}-pem-20140125.tar.bz2
-Source101:	  nss-util.pc.in
-Source102:	  nss-util-config.in
+Source9:          setup-nsssysinit.sh
+Source20:         nss-config.xml
+Source21:         setup-nsssysinit.xml
+Source22:         pkcs11.txt.xml
+Source23:         cert8.db.xml
+Source24:         cert9.db.xml
+Source25:         key3.db.xml
+Source26:         key4.db.xml
+Source27:         secmod.db.xml
+Source101:	      nss-util.pc.in
+Source102:	      nss-util-config.in
 Source103:        nss-softokn.pc.in
 Source104:        nss-softokn-config.in
 
+Source1000:       https://github.com/kdudka/nss-pem/releases/download/nss-pem-1.0.3/nss-pem-%{pem_version}.tar.xz
+Source1001:       pem-makefile.tar.gz
+
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
-Patch6:           nss-enable-pem.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
 Patch16:          nss-539183.patch
-Patch18:          nss-646045.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47:          utilwrap-include-templates.patch
+# TODO remove when we switch to building nss without softoken
+Patch49:          nss-skip-bltest-and-fipstest.patch
+# This patch uses the GCC -iquote option documented at
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+#
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+#
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-# As of nss-3.21 we compile NSS with -Werror.
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
-# This requires a cleanup of the PEM module as we have it here.
-# TODO: submit a patch to the interim nss-pem upstream project
-# The submission will be very different from this patch as
-# cleanup there is already in progress there.
-Patch51:          pem-compile-with-Werror.patch
-Patch52:          Bug-1001841-disable-sslv2-libssl.patch
-Patch53:          Bug-1001841-disable-sslv2-tests.patch
-Patch54:          sslauth-no-v2.patch
-Patch55:          enable-fips-when-system-is-in-fips-mode.patch
-# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
-Patch56:          p-ignore-setpolicy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
-Patch62: nss-fix-deadlock-squash.patch
-# Two patches from from rhel6.8 that are also needed for rhel-7
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
-Patch74: race.patch
-Patch94: nss-3.16-token-init-race.patch
-Patch99: ssl-server-min-key-sizes.patch
-Patch100: fix-min-library-version-in-SSLVersionRange.patch
-# Add support for sha384 tls cipher suites, dss cipher suites, and
-# server-side dhe key exchange
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-Patch101: dhe-sha384-dss-support.patch
-# TODO: From upstream review: For the client authentication case, should
-# probably drop our hack of swapping between sha256 and sha384 and plan
-# on implementing the fix we already have a patch for. What is that fix?
-Patch102: client_auth_for_sha384_prf_support.patch
-Patch103: nss-fix-client-auth-init-hashes.patch
-Patch104: nss-map-oid-to-hashalg.patch
-Patch105: nss-remove-bogus-assert.patch
-Patch106: nss-old-pkcs11-num.patch
-Patch107: nss-enable-384-cipher-tests.patch
-Patch108: nss-sni-c-v-fix.patch
-Patch109: nss-fix-signature-and-hash.patch
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
-
-# Enable by default two additional ciphers and fix order of two tables 
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
-Patch112: rh1238290.patch
-# Local: keep as long nss-softokn lacks support
-Patch113: disable-extended-master-secret-with-old-softoken.patch
-# extra tests needed
-Patch114: tests-extra.patch
-Patch115: nss-prevent-abi-issue.patch
-Patch116: nss-tests-prevent-abi-issue.patch
-Patch117: fix-nss-test-filtering.patch
-Patch118: fix-allowed-sig-alg.patch
-Patch119: nss-ssl-ssl3con-delete-duplicates.patch
-
-# Local patches
-Patch1002: hasht-dont-include-prtypes.patch
-Patch1007: pkcs1sig-include-prtypes.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
-Patch1008: nss-util-3.19.1-tls12-mechanisms.patch
-
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
+Patch59: nss-check-policy-file.patch
+Patch62: nss-skip-util-gtest.patch
 
+Patch1000: nss-enable-pem.patch
 
 BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:    nspr-devel >= %{nspr_version}
@@ -194,54 +166,23 @@ v3 certificates, and other security standards.
 
 %prep
 %setup -q
-%setup -q -T -D -n %{name}-%{version} -a 12
+%setup -q -T -D -n %{name}-%{version} -a 1000
+%{__mv} nss-pem-%{pem_version}/src nss/lib/ckfw/pem
+pushd nss/lib/ckfw/pem/
+tar xvf %{SOURCE1001}
+perl -pi -e 's/^#define USE_UTIL_DIRECTLY.*$//' ckpem.h
+popd
 
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
-%patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-pushd nss
-%patch18 -p1 -b .646045
-popd
 %patch40 -p0 -b .noocsptest
 %patch50 -p0 -b .iquote
-%patch51 -p1 -b -Werror
 pushd nss
-%patch52 -p1 -b .disableSSL2libssl
-%patch53 -p1 -b .disableSSL2tests
-%patch54 -p1 -b .sslauth-no-v2
-%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
-%patch56 -p1 -b .1026677_ignore_set_policy
-%patch62 -p1 -b .fix_deadlock
-%patch99 -p1 -b .min_key_sizes
-%patch100 -p0 -b .1171318
-%patch101 -p1 -b .dhe_and_sha384
-%patch102 -p1 -b .client_auth_prf
-%patch112 -p1 -b .1238290
-%patch113 -p1 -b .disable-ems
-%patch114 -p1 -b .extra
-%patch115 -p1 -b .abi_lib
-%patch116 -p1 -b .abi_tests
-%patch117 -p1 -b .test-filtering
-%patch74 -p1 -b .race
+%patch62 -p1 -b .skip_util_gtest
 popd
-%patch94 -p0 -b .init-token-race
-%patch103 -p0 -b .fix_client_auth_crash
-%patch104 -p0 -b .use_oids
-%patch105 -p0 -b .remove_bogus_assert
-%patch106 -p0 -b .old_pkcs11_num
-%patch107 -p0 -b .enable_384_cipher_tests
-%patch108 -p0 -b .sni_c_v_fix
-%patch109 -p0 -b .fix_signature_and_hash
-%patch110 -p0 -b .no_ssl2
-pushd nss
-%patch118 -p1 -b .allowed-sig-alg
-popd
-%patch119 -p0 -b .delete_duplicates
 
-%patch1002 -p0 -b .prtypes
-%patch1007 -p0 -b .include_prtypes
-%patch1008 -p1 -b .tls12_mechs
+%patch1000 -p0 -b .libpem
 
 
 pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
@@ -306,6 +247,8 @@ export USE_SYSTEM_FREEBL=0
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
+export NSS_ALLOW_SSLKEYLOGFILE=1
+
 export USE_SYSTEM_ZLIB=1
 export ZLIB_LIBS=%{_libdir}
 
@@ -321,6 +264,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 # 
 #%{__make} -C ./nss/coreconf
 #%{__make} -C ./nss/lib/dbm
+
 %{__make} -C ./nss
 
 
@@ -336,8 +280,10 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 
 # Copy the binary libraries we want
-for file in libsoftokn3.so libfreebl3.so libnss3.so libnssutil3.so \
-            libssl3.so libsmime3.so libnssckbi.so libnsspem.so libnssdbm3.so
+for file in libsoftokn3.so libfreebl3.so libfreeblpriv3.so \
+            libnss3.so libnssutil3.so \
+            libssl3.so libsmime3.so libnssckbi.so \
+            libnsspem.so libnssdbm3.so
 do
   %{__install} -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
 done
@@ -378,6 +324,12 @@ do
   %{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
 done
 
+# Copy the template files we want
+for file in nss/lib/ckfw/nssck.api
+do
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
+done
+
 # Copy some freebl include files we also want
 for file in blapi.h alghmac.h
 do
@@ -499,8 +451,10 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_libdir}/libnssckbi.so
 %{_libdir}/libnsspem.so
 %{_libdir}/libfreebl3.so
+%{_libdir}/libfreeblpriv3.so
 %{unsupported_tools_directory}/shlibsign
 %{_libdir}/libfreebl3.chk
+%{_libdir}/libfreeblpriv3.chk
 %{_libdir}/libnssdbm3.chk
 %{_libdir}/libsoftokn3.chk
 %dir %{_sysconfdir}/pki/nssdb
@@ -563,6 +517,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_includedir}/nss3/crmft.h
 %{_includedir}/nss3/cryptohi.h
 %{_includedir}/nss3/cryptoht.h
+%{_includedir}/nss3/eccutil.h
 %{_includedir}/nss3/ecl-exp.h
 %{_includedir}/nss3/hasht.h
 %{_includedir}/nss3/jar-ds.h
@@ -572,6 +527,8 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_includedir}/nss3/keyhi.h
 %{_includedir}/nss3/keyt.h
 %{_includedir}/nss3/keythi.h
+%{_includedir}/nss3/lowkeyi.h
+%{_includedir}/nss3/lowkeyti.h
 %{_includedir}/nss3/nss.h
 %{_includedir}/nss3/nssb64.h
 %{_includedir}/nss3/nssb64t.h
@@ -600,6 +557,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_includedir}/nss3/pkcs11p.h
 %{_includedir}/nss3/pkcs11t.h
 %{_includedir}/nss3/pkcs11u.h
+%{_includedir}/nss3/pkcs11uri.h
 %{_includedir}/nss3/pkcs12.h
 %{_includedir}/nss3/pkcs12t.h
 %{_includedir}/nss3/pkcs7t.h
@@ -628,6 +586,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_includedir}/nss3/smime.h
 %{_includedir}/nss3/ssl.h
 %{_includedir}/nss3/sslerr.h
+%{_includedir}/nss3/sslexp.h
 %{_includedir}/nss3/sslproto.h
 %{_includedir}/nss3/sslt.h
 %{_includedir}/nss3/utilrename.h
@@ -648,6 +607,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_includedir}/nss3/nssckg.h
 %{_includedir}/nss3/nssckmdt.h
 %{_includedir}/nss3/nssckt.h
+%{_includedir}/nss3/templates/nssck.api
 %{_libdir}/libnssb.a
 %{_libdir}/libnssckfw.a
 
@@ -659,11 +619,16 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %{_libdir}/*.so
 %ghost %{_libdir}/libsoftokn3.chk
 %ghost %{_libdir}/libfreebl3.chk
+%ghost %{_libdir}/libfreeblpriv3.chk
+%ghost %{_libdir}/libnssdbm3.chk
 %{unsupported_tools_directory}/shlibsign
 %endif
 
 
 %changelog
+* Mon Oct 09 2017 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.33-1
+- update to 3.33.
+
 * Mon Jun 20 2016 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.21.1-3
 - added libfreebl.a.