

git-svn-id: ec354946-7b23-47d6-9f5a-488ba84defc7
tomop 5 years ago
1 changed files with 76 additions and 111 deletions
  1. 76 111

+ 76 - 111

@@ -2,8 +2,10 @@
 %define _unpackaged_files_terminate_build 1
-%define nspr_version 4.11
+%define nspr_version 4.13.1
+%define pem_version 1.0.3
 %define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
 # Produce .chk files for the final stripped binaries
@@ -19,6 +21,7 @@
     %{__arch_install_post} \
     %{__os_install_post} \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/ \
+    $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/ \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/ \
     $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/ \
@@ -26,8 +29,8 @@
 Summary:          Network Security Services
 Name:             nss
-Version:          3.21.1
-Release:          3%{?_dist_release}
+Version:          3.33
+Release:          1%{?_dist_release}
 License:          MPLv1.1 or GPLv2+ or LGPLv2+
 Group:            System Environment/Libraries
@@ -43,83 +46,52 @@ Source5:          blank-secmod.db
 Source6:          blank-cert9.db
 Source7:          blank-key4.db
 Source8:          system-pkcs11.txt
-Source12:         %{name}-pem-20140125.tar.bz2
+Source20:         nss-config.xml
+Source21:         setup-nsssysinit.xml
+Source22:         pkcs11.txt.xml
+Source23:         cert8.db.xml
+Source24:         cert9.db.xml
+Source25:         key3.db.xml
+Source26:         key4.db.xml
+Source27:         secmod.db.xml
+Source1001:       pem-makefile.tar.gz
 Patch2:           add-relro-linker-option.patch
 Patch3:           renegotiate-transitional.patch
-Patch6:           nss-enable-pem.patch
+# Upstream:
 Patch16:          nss-539183.patch
-Patch18:          nss-646045.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
+Patch47:          utilwrap-include-templates.patch
+# TODO remove when we switch to building nss without softoken
+Patch49:          nss-skip-bltest-and-fipstest.patch
+# This patch uses the GCC -iquote option documented at
+# to give the in-tree headers a higher priority over the system headers,
+# when they are included through the quote form (#include "file.h").
+# This ensures a build even when system headers are older. Such is the
+# case when starting an update with API changes or even private export
+# changes.
+# Once the buildroot aha been bootstrapped the patch may be removed
+# but it doesn't hurt to keep it.
 Patch50:          iquote.patch
-# As of nss-3.21 we compile NSS with -Werror.
-# see
-# This requires a cleanup of the PEM module as we have it here.
-# TODO: submit a patch to the interim nss-pem upstream project
-# The submission will be very different from this patch as
-# cleanup there is already in progress there.
-Patch51:          pem-compile-with-Werror.patch
-Patch52:          Bug-1001841-disable-sslv2-libssl.patch
-Patch53:          Bug-1001841-disable-sslv2-tests.patch
-Patch54:          sslauth-no-v2.patch
-Patch55:          enable-fips-when-system-is-in-fips-mode.patch
-# rhbz:
-Patch56:          p-ignore-setpolicy.patch
-# Upstream:
-Patch62: nss-fix-deadlock-squash.patch
-# Two patches from from rhel6.8 that are also needed for rhel-7
-# Upstream:
-Patch74: race.patch
-Patch94: nss-3.16-token-init-race.patch
-Patch99: ssl-server-min-key-sizes.patch
-Patch100: fix-min-library-version-in-SSLVersionRange.patch
-# Add support for sha384 tls cipher suites, dss cipher suites, and
-# server-side dhe key exchange
-# Upstream:
-# Upstream:
-# Upstream:
-Patch101: dhe-sha384-dss-support.patch
-# TODO: From upstream review: For the client authentication case, should
-# probably drop our hack of swapping between sha256 and sha384 and plan
-# on implementing the fix we already have a patch for. What is that fix?
-Patch102: client_auth_for_sha384_prf_support.patch
-Patch103: nss-fix-client-auth-init-hashes.patch
-Patch104: nss-map-oid-to-hashalg.patch
-Patch105: nss-remove-bogus-assert.patch
-Patch106: nss-old-pkcs11-num.patch
-Patch107: nss-enable-384-cipher-tests.patch
-Patch108: nss-sni-c-v-fix.patch
-Patch109: nss-fix-signature-and-hash.patch
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
-# Enable by default two additional ciphers and fix order of two tables 
-# Upstream:
-# Upstream:
-# Upstream:
-Patch112: rh1238290.patch
-# Local: keep as long nss-softokn lacks support
-Patch113: disable-extended-master-secret-with-old-softoken.patch
-# extra tests needed
-Patch114: tests-extra.patch
-Patch115: nss-prevent-abi-issue.patch
-Patch116: nss-tests-prevent-abi-issue.patch
-Patch117: fix-nss-test-filtering.patch
-Patch118: fix-allowed-sig-alg.patch
-Patch119: nss-ssl-ssl3con-delete-duplicates.patch
-# Local patches
-Patch1002: hasht-dont-include-prtypes.patch
-Patch1007: pkcs1sig-include-prtypes.patch
-# Upstream:
-# Upstream:
-Patch1008: nss-util-3.19.1-tls12-mechanisms.patch
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
+# Upstream:
+Patch59: nss-check-policy-file.patch
+Patch62: nss-skip-util-gtest.patch
+Patch1000: nss-enable-pem.patch
 BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:    nspr-devel >= %{nspr_version}
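Review bot: `Patch58` is introduced with a comment saying it turns the TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA suites on by default, and nothing in the spec records why this package still needs that. 3DES is a 64-bit block cipher, so default-on suites leave long-lived sessions exposed to birthday-bound collisions (the Sweet32 class of issue); the comment should state the compatibility reason and a removal condition, for example `# Local: 3DES ECC suites kept on by default for <reason>; drop once <condition>`. The same hunk also removes several local hardening patches (`ssl-server-min-key-sizes.patch`, `Bug-1001841-disable-sslv2-libssl.patch`, `enable-fips-when-system-is-in-fips-mode.patch`). Presumably 3.33 carries equivalents upstream, but the changelog entry only says "update to 3.33", so a line recording that each one was checked would help. The `# Upstream:` comments above `Patch16` and `Patch59` carry no reference as shown on this page.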
@@ -194,54 +166,23 @@ v3 certificates, and other security standards.
 %setup -q
-%setup -q -T -D -n %{name}-%{version} -a 12
+%setup -q -T -D -n %{name}-%{version} -a 1000
+%{__mv} nss-pem-%{pem_version}/src nss/lib/ckfw/pem
+pushd nss/lib/ckfw/pem/
+tar xvf %{SOURCE1001}
+perl -pi -e 's/^#define USE_UTIL_DIRECTLY.*$//' ckpem.h
 %patch2 -p0 -b .relro
 %patch3 -p0 -b .transitional
-%patch6 -p0 -b .libpem
 %patch16 -p0 -b .539183
-pushd nss
-%patch18 -p1 -b .646045
 %patch40 -p0 -b .noocsptest
 %patch50 -p0 -b .iquote
-%patch51 -p1 -b -Werror
 pushd nss
-%patch52 -p1 -b .disableSSL2libssl
-%patch53 -p1 -b .disableSSL2tests
-%patch54 -p1 -b .sslauth-no-v2
-%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
-%patch56 -p1 -b .1026677_ignore_set_policy
-%patch62 -p1 -b .fix_deadlock
-%patch99 -p1 -b .min_key_sizes
-%patch100 -p0 -b .1171318
-%patch101 -p1 -b .dhe_and_sha384
-%patch102 -p1 -b .client_auth_prf
-%patch112 -p1 -b .1238290
-%patch113 -p1 -b .disable-ems
-%patch114 -p1 -b .extra
-%patch115 -p1 -b .abi_lib
-%patch116 -p1 -b .abi_tests
-%patch117 -p1 -b .test-filtering
-%patch74 -p1 -b .race
+%patch62 -p1 -b .skip_util_gtest
-%patch94 -p0 -b .init-token-race
-%patch103 -p0 -b .fix_client_auth_crash
-%patch104 -p0 -b .use_oids
-%patch105 -p0 -b .remove_bogus_assert
-%patch106 -p0 -b .old_pkcs11_num
-%patch107 -p0 -b .enable_384_cipher_tests
-%patch108 -p0 -b .sni_c_v_fix
-%patch109 -p0 -b .fix_signature_and_hash
-%patch110 -p0 -b .no_ssl2
-pushd nss
-%patch118 -p1 -b .allowed-sig-alg
-%patch119 -p0 -b .delete_duplicates
-%patch1002 -p0 -b .prtypes
-%patch1007 -p0 -b .include_prtypes
-%patch1008 -p1 -b .tls12_mechs
+%patch1000 -p0 -b .libpem
 pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
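Review bot: No `%patch47`, `%patch49`, `%patch58` or `%patch59` line appears among the lines shown here, although the header hunk declares all four, so as far as this page shows those patches ship in the SRPM but are never applied. That matters most for `nss-check-policy-file.patch` and `nss-skip-bltest-and-fipstest.patch`, whose names suggest behaviour the build is expected to have; either add the matching lines (for example `%patch59 -p1 -b .check_policy_file` inside the `pushd nss` block) or drop the declarations. Separately, `-a 1000` unpacks Source1000, which is not among the `Source` lines visible in the header hunk. The `perl -pi -e 's/^#define USE_UTIL_DIRECTLY.*$//' ckpem.h` line also succeeds silently if the define is no longer present, so a `grep -q` guard before it would make a changed upstream file fail the build instead. The page appears to omit some lines of this hunk (no `popd` is shown), so confirm against the full spec.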
@@ -306,6 +247,8 @@ export USE_SYSTEM_FREEBL=0
 export ZLIB_LIBS=%{_libdir}
@@ -321,6 +264,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 #%{__make} -C ./nss/coreconf
 #%{__make} -C ./nss/lib/dbm
 %{__make} -C ./nss
@@ -336,8 +280,10 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 # Copy the binary libraries we want
-for file in \
+for file in \
+   \
+   \
   %{__install} -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
@@ -378,6 +324,12 @@ do
   %{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
+# Copy the template files we want
+for file in nss/lib/ckfw/nssck.api
+  %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
 # Copy some freebl include files we also want
 for file in blapi.h alghmac.h
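Review bot: The new loop installs into `$RPM_BUILD_ROOT/%{_includedir}/nss3/templates`, but no hunk on this page creates that directory. With a single source file, `install` would then write a regular file named `templates` rather than `templates/nssck.api`. If the directory is not already created in unchanged lines, add `%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates` next to the other `%{__mkdir_p}` calls. The loop's `do`/`done` lines are not shown on this page, and the install section continues outside the hunk.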
@@ -499,8 +451,10 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %dir %{_sysconfdir}/pki/nssdb
@@ -563,6 +517,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
@@ -572,6 +527,8 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
@@ -600,6 +557,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
@@ -628,6 +586,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
@@ -648,6 +607,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
@@ -659,11 +619,16 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
 %ghost %{_libdir}/libsoftokn3.chk
 %ghost %{_libdir}/libfreebl3.chk
+%ghost %{_libdir}/libfreeblpriv3.chk
+%ghost %{_libdir}/libnssdbm3.chk
+* Mon Oct 09 2017 Tomohiro "Tomo-p" KATO <> 3.33-1
+- update to 3.33.
 * Mon Jun 20 2016 Tomohiro "Tomo-p" KATO <> 3.21.1-3
 - added libfreebl.a.