|
@@ -2,8 +2,10 @@
|
|
|
|
|
|
%define _unpackaged_files_terminate_build 1
|
|
|
|
|
|
-%define nspr_version 4.11
|
|
|
+%define nspr_version 4.13.1
|
|
|
+%define pem_version 1.0.3
|
|
|
%define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
|
|
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
|
|
|
|
|
# Produce .chk files for the final stripped binaries
|
|
|
#
|
|
@@ -19,6 +21,7 @@
|
|
|
%{__arch_install_post} \
|
|
|
%{__os_install_post} \
|
|
|
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.so \
|
|
|
+ $RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreeblpriv3.so \
|
|
|
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.so \
|
|
|
$RPM_BUILD_ROOT/%{unsupported_tools_directory}/shlibsign -i $RPM_BUILD_ROOT/%{_libdir}/libnssdbm3.so \
|
|
|
%{nil}
|
|
@@ -26,8 +29,8 @@
|
|
|
|
|
|
Summary: Network Security Services
|
|
|
Name: nss
|
|
|
-Version: 3.21.1
|
|
|
-Release: 3%{?_dist_release}
|
|
|
+Version: 3.33
|
|
|
+Release: 1%{?_dist_release}
|
|
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
|
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
|
|
Group: System Environment/Libraries
|
|
@@ -43,83 +46,52 @@ Source5: blank-secmod.db
|
|
|
Source6: blank-cert9.db
|
|
|
Source7: blank-key4.db
|
|
|
Source8: system-pkcs11.txt
|
|
|
-Source12: %{name}-pem-20140125.tar.bz2
|
|
|
-Source101: nss-util.pc.in
|
|
|
-Source102: nss-util-config.in
|
|
|
+Source9: setup-nsssysinit.sh
|
|
|
+Source20: nss-config.xml
|
|
|
+Source21: setup-nsssysinit.xml
|
|
|
+Source22: pkcs11.txt.xml
|
|
|
+Source23: cert8.db.xml
|
|
|
+Source24: cert9.db.xml
|
|
|
+Source25: key3.db.xml
|
|
|
+Source26: key4.db.xml
|
|
|
+Source27: secmod.db.xml
|
|
|
+Source101: nss-util.pc.in
|
|
|
+Source102: nss-util-config.in
|
|
|
Source103: nss-softokn.pc.in
|
|
|
Source104: nss-softokn-config.in
|
|
|
|
|
|
+Source1000: https://github.com/kdudka/nss-pem/releases/download/nss-pem-1.0.3/nss-pem-%{pem_version}.tar.xz
|
|
|
+Source1001: pem-makefile.tar.gz
|
|
|
+
|
|
|
Patch2: add-relro-linker-option.patch
|
|
|
Patch3: renegotiate-transitional.patch
|
|
|
-Patch6: nss-enable-pem.patch
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=617723
|
|
|
Patch16: nss-539183.patch
|
|
|
-Patch18: nss-646045.patch
|
|
|
# TODO: Remove this patch when the ocsp test are fixed
|
|
|
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
|
|
+# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
|
|
+Patch47: utilwrap-include-templates.patch
|
|
|
+# TODO remove when we switch to building nss without softoken
|
|
|
+Patch49: nss-skip-bltest-and-fipstest.patch
|
|
|
+# This patch uses the GCC -iquote option documented at
|
|
|
+# http://gcc.gnu.org/onlinedocs/gcc/Directory-Options.html#Directory-Options
|
|
|
+# to give the in-tree headers a higher priority over the system headers,
|
|
|
+# when they are included through the quote form (#include "file.h").
|
|
|
+#
|
|
|
+# This ensures a build even when system headers are older. Such is the
|
|
|
+# case when starting an update with API changes or even private export
|
|
|
+# changes.
|
|
|
+#
|
|
|
+# Once the buildroot aha been bootstrapped the patch may be removed
|
|
|
+# but it doesn't hurt to keep it.
|
|
|
Patch50: iquote.patch
|
|
|
-# As of nss-3.21 we compile NSS with -Werror.
|
|
|
-# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
|
|
|
-# This requires a cleanup of the PEM module as we have it here.
|
|
|
-# TODO: submit a patch to the interim nss-pem upstream project
|
|
|
-# The submission will be very different from this patch as
|
|
|
-# cleanup there is already in progress there.
|
|
|
-Patch51: pem-compile-with-Werror.patch
|
|
|
-Patch52: Bug-1001841-disable-sslv2-libssl.patch
|
|
|
-Patch53: Bug-1001841-disable-sslv2-tests.patch
|
|
|
-Patch54: sslauth-no-v2.patch
|
|
|
-Patch55: enable-fips-when-system-is-in-fips-mode.patch
|
|
|
-# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
|
|
|
-Patch56: p-ignore-setpolicy.patch
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
|
|
|
-Patch62: nss-fix-deadlock-squash.patch
|
|
|
-# Two patches from from rhel6.8 that are also needed for rhel-7
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
|
|
|
-Patch74: race.patch
|
|
|
-Patch94: nss-3.16-token-init-race.patch
|
|
|
-Patch99: ssl-server-min-key-sizes.patch
|
|
|
-Patch100: fix-min-library-version-in-SSLVersionRange.patch
|
|
|
-# Add support for sha384 tls cipher suites, dss cipher suites, and
|
|
|
-# server-side dhe key exchange
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
-Patch101: dhe-sha384-dss-support.patch
|
|
|
-# TODO: From upstream review: For the client authentication case, should
|
|
|
-# probably drop our hack of swapping between sha256 and sha384 and plan
|
|
|
-# on implementing the fix we already have a patch for. What is that fix?
|
|
|
-Patch102: client_auth_for_sha384_prf_support.patch
|
|
|
-Patch103: nss-fix-client-auth-init-hashes.patch
|
|
|
-Patch104: nss-map-oid-to-hashalg.patch
|
|
|
-Patch105: nss-remove-bogus-assert.patch
|
|
|
-Patch106: nss-old-pkcs11-num.patch
|
|
|
-Patch107: nss-enable-384-cipher-tests.patch
|
|
|
-Patch108: nss-sni-c-v-fix.patch
|
|
|
-Patch109: nss-fix-signature-and-hash.patch
|
|
|
-Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
|
|
|
-
|
|
|
-# Enable by default two additional ciphers and fix order of two tables
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
|
|
|
-Patch112: rh1238290.patch
|
|
|
-# Local: keep as long nss-softokn lacks support
|
|
|
-Patch113: disable-extended-master-secret-with-old-softoken.patch
|
|
|
-# extra tests needed
|
|
|
-Patch114: tests-extra.patch
|
|
|
-Patch115: nss-prevent-abi-issue.patch
|
|
|
-Patch116: nss-tests-prevent-abi-issue.patch
|
|
|
-Patch117: fix-nss-test-filtering.patch
|
|
|
-Patch118: fix-allowed-sig-alg.patch
|
|
|
-Patch119: nss-ssl-ssl3con-delete-duplicates.patch
|
|
|
-
|
|
|
-# Local patches
|
|
|
-Patch1002: hasht-dont-include-prtypes.patch
|
|
|
-Patch1007: pkcs1sig-include-prtypes.patch
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
-Patch1008: nss-util-3.19.1-tls12-mechanisms.patch
|
|
|
-
|
|
|
+# Local patch for TLS_ECDHE_{ECDSA|RSA}_WITH_3DES_EDE_CBC_SHA ciphers
|
|
|
+Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
|
|
|
+Patch59: nss-check-policy-file.patch
|
|
|
+Patch62: nss-skip-util-gtest.patch
|
|
|
|
|
|
+Patch1000: nss-enable-pem.patch
|
|
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
BuildRequires: nspr-devel >= %{nspr_version}
|
|
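Review bot: `Source1000` hard-codes `nss-pem-1.0.3` in the release path while the file name uses `%{pem_version}`, so a later bump of `pem_version` would point at a URL that does not exist; writing it as `https://github.com/kdudka/nss-pem/releases/download/nss-pem-%{pem_version}/nss-pem-%{pem_version}.tar.xz` keeps the two in step. Nothing visible in this hunk records a digest or signature for that tarball, or says where `pem-makefile.tar.gz` (`Source1001`) comes from, and the `%prep` hunk unpacks both into `nss/lib/ckfw/pem`. A comment above each source naming its origin and expected checksum would let a rebuild be checked against what was reviewed. The new `# Upstream: ...id=617723` comment also sits directly above `Patch16: nss-539183.patch`, whose name carries a different bug number, so it is unclear which patch it documents.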
@@ -194,54 +166,23 @@ v3 certificates, and other security standards.
|
|
|
|
|
|
%prep
|
|
|
%setup -q
|
|
|
-%setup -q -T -D -n %{name}-%{version} -a 12
|
|
|
+%setup -q -T -D -n %{name}-%{version} -a 1000
|
|
|
+%{__mv} nss-pem-%{pem_version}/src nss/lib/ckfw/pem
|
|
|
+pushd nss/lib/ckfw/pem/
|
|
|
+tar xvf %{SOURCE1001}
|
|
|
+perl -pi -e 's/^#define USE_UTIL_DIRECTLY.*$//' ckpem.h
|
|
|
+popd
|
|
|
|
|
|
%patch2 -p0 -b .relro
|
|
|
%patch3 -p0 -b .transitional
|
|
|
-%patch6 -p0 -b .libpem
|
|
|
%patch16 -p0 -b .539183
|
|
|
-pushd nss
|
|
|
-%patch18 -p1 -b .646045
|
|
|
-popd
|
|
|
%patch40 -p0 -b .noocsptest
|
|
|
%patch50 -p0 -b .iquote
|
|
|
-%patch51 -p1 -b -Werror
|
|
|
pushd nss
|
|
|
-%patch52 -p1 -b .disableSSL2libssl
|
|
|
-%patch53 -p1 -b .disableSSL2tests
|
|
|
-%patch54 -p1 -b .sslauth-no-v2
|
|
|
-%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
|
|
|
-%patch56 -p1 -b .1026677_ignore_set_policy
|
|
|
-%patch62 -p1 -b .fix_deadlock
|
|
|
-%patch99 -p1 -b .min_key_sizes
|
|
|
-%patch100 -p0 -b .1171318
|
|
|
-%patch101 -p1 -b .dhe_and_sha384
|
|
|
-%patch102 -p1 -b .client_auth_prf
|
|
|
-%patch112 -p1 -b .1238290
|
|
|
-%patch113 -p1 -b .disable-ems
|
|
|
-%patch114 -p1 -b .extra
|
|
|
-%patch115 -p1 -b .abi_lib
|
|
|
-%patch116 -p1 -b .abi_tests
|
|
|
-%patch117 -p1 -b .test-filtering
|
|
|
-%patch74 -p1 -b .race
|
|
|
+%patch62 -p1 -b .skip_util_gtest
|
|
|
popd
|
|
|
-%patch94 -p0 -b .init-token-race
|
|
|
-%patch103 -p0 -b .fix_client_auth_crash
|
|
|
-%patch104 -p0 -b .use_oids
|
|
|
-%patch105 -p0 -b .remove_bogus_assert
|
|
|
-%patch106 -p0 -b .old_pkcs11_num
|
|
|
-%patch107 -p0 -b .enable_384_cipher_tests
|
|
|
-%patch108 -p0 -b .sni_c_v_fix
|
|
|
-%patch109 -p0 -b .fix_signature_and_hash
|
|
|
-%patch110 -p0 -b .no_ssl2
|
|
|
-pushd nss
|
|
|
-%patch118 -p1 -b .allowed-sig-alg
|
|
|
-popd
|
|
|
-%patch119 -p0 -b .delete_duplicates
|
|
|
|
|
|
-%patch1002 -p0 -b .prtypes
|
|
|
-%patch1007 -p0 -b .include_prtypes
|
|
|
-%patch1008 -p1 -b .tls12_mechs
|
|
|
+%patch1000 -p0 -b .libpem
|
|
|
|
|
|
|
|
|
pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
|
|
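Review bot: `Patch47`, `Patch49`, `Patch58` and `Patch59` are declared in the preamble, but the new patch list between `%setup` and `pemNeedsFromSoftoken` applies only 2, 3, 16, 40, 50, 62 and 1000. Unless they are applied further down in `%prep`, which continues outside this hunk, those four are carried but never used. That matters most for `nss-check-policy-file.patch` and the 3DES cipher-default patch, because a reader of the preamble would assume the built library includes them; either add the matching `%patch` lines or drop the declarations. Separately, the `perl -pi -e 's/^#define USE_UTIL_DIRECTLY.*$//' ckpem.h` edit succeeds even when the line is absent, so a future nss-pem release that renames the macro would build unmodified without any error. A preceding `grep -q '^#define USE_UTIL_DIRECTLY' ckpem.h` would make `%prep` fail instead.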
@@ -306,6 +247,8 @@ export USE_SYSTEM_FREEBL=0
|
|
|
NSS_USE_SYSTEM_SQLITE=1
|
|
|
export NSS_USE_SYSTEM_SQLITE
|
|
|
|
|
|
+export NSS_ALLOW_SSLKEYLOGFILE=1
|
|
|
+
|
|
|
export USE_SYSTEM_ZLIB=1
|
|
|
export ZLIB_LIBS=%{_libdir}
|
|
|
|
|
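Review bot: `export NSS_ALLOW_SSLKEYLOGFILE=1` is added without a comment, and it is the one line in this hunk that changes what the shipped library can do. It compiles in support for writing TLS session secrets to the file named by the `SSLKEYLOGFILE` environment variable, and anyone who can read that file can decrypt captured traffic for those sessions. For a distribution package that should be a recorded decision; a comment such as `# Build with SSLKEYLOGFILE support (TLS key logging for debugging); only active when the variable is set in the process environment` would document it. If key logging is not wanted in production builds, leaving the variable unset keeps the feature out of the library.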
@@ -321,6 +264,7 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
|
|
|
#
|
|
|
#%{__make} -C ./nss/coreconf
|
|
|
#%{__make} -C ./nss/lib/dbm
|
|
|
+
|
|
|
%{__make} -C ./nss
|
|
|
|
|
|
|
|
@@ -336,8 +280,10 @@ export IN_TREE_FREEBL_HEADERS_FIRST=1
|
|
|
%{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
|
|
|
|
|
|
# Copy the binary libraries we want
|
|
|
-for file in libsoftokn3.so libfreebl3.so libnss3.so libnssutil3.so \
|
|
|
- libssl3.so libsmime3.so libnssckbi.so libnsspem.so libnssdbm3.so
|
|
|
+for file in libsoftokn3.so libfreebl3.so libfreeblpriv3.so \
|
|
|
+ libnss3.so libnssutil3.so \
|
|
|
+ libssl3.so libsmime3.so libnssckbi.so \
|
|
|
+ libnsspem.so libnssdbm3.so
|
|
|
do
|
|
|
%{__install} -m 755 dist/*.OBJ/lib/$file $RPM_BUILD_ROOT/%{_libdir}
|
|
|
done
|
|
@@ -378,6 +324,12 @@ do
|
|
|
%{__install} -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3
|
|
|
done
|
|
|
|
|
|
+# Copy the template files we want
|
|
|
+for file in nss/lib/ckfw/nssck.api
|
|
|
+do
|
|
|
+ %{__install} -p -m 644 $file $RPM_BUILD_ROOT/%{_includedir}/nss3/templates
|
|
|
+done
|
|
|
+
|
|
|
# Copy some freebl include files we also want
|
|
|
for file in blapi.h alghmac.h
|
|
|
do
|
|
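Review bot: The new loop installs `nssck.api` into `$RPM_BUILD_ROOT/%{_includedir}/nss3/templates`, but no hunk on this page creates that directory. If it does not exist, `install` writes a regular file named `templates`, and the `%{_includedir}/nss3/templates/nssck.api` entry added to `%files` then fails the build. Unless the directory is created in the part of `%install` outside this hunk, add `%{__mkdir_p} $RPM_BUILD_ROOT/%{_includedir}/nss3/templates` before the loop. The following `for file in blapi.h alghmac.h` loop continues past the end of the hunk.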
@@ -499,8 +451,10 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_libdir}/libnssckbi.so
|
|
|
%{_libdir}/libnsspem.so
|
|
|
%{_libdir}/libfreebl3.so
|
|
|
+%{_libdir}/libfreeblpriv3.so
|
|
|
%{unsupported_tools_directory}/shlibsign
|
|
|
%{_libdir}/libfreebl3.chk
|
|
|
+%{_libdir}/libfreeblpriv3.chk
|
|
|
%{_libdir}/libnssdbm3.chk
|
|
|
%{_libdir}/libsoftokn3.chk
|
|
|
%dir %{_sysconfdir}/pki/nssdb
|
|
@@ -563,6 +517,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_includedir}/nss3/crmft.h
|
|
|
%{_includedir}/nss3/cryptohi.h
|
|
|
%{_includedir}/nss3/cryptoht.h
|
|
|
+%{_includedir}/nss3/eccutil.h
|
|
|
%{_includedir}/nss3/ecl-exp.h
|
|
|
%{_includedir}/nss3/hasht.h
|
|
|
%{_includedir}/nss3/jar-ds.h
|
|
@@ -572,6 +527,8 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_includedir}/nss3/keyhi.h
|
|
|
%{_includedir}/nss3/keyt.h
|
|
|
%{_includedir}/nss3/keythi.h
|
|
|
+%{_includedir}/nss3/lowkeyi.h
|
|
|
+%{_includedir}/nss3/lowkeyti.h
|
|
|
%{_includedir}/nss3/nss.h
|
|
|
%{_includedir}/nss3/nssb64.h
|
|
|
%{_includedir}/nss3/nssb64t.h
|
|
@@ -600,6 +557,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_includedir}/nss3/pkcs11p.h
|
|
|
%{_includedir}/nss3/pkcs11t.h
|
|
|
%{_includedir}/nss3/pkcs11u.h
|
|
|
+%{_includedir}/nss3/pkcs11uri.h
|
|
|
%{_includedir}/nss3/pkcs12.h
|
|
|
%{_includedir}/nss3/pkcs12t.h
|
|
|
%{_includedir}/nss3/pkcs7t.h
|
|
@@ -628,6 +586,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_includedir}/nss3/smime.h
|
|
|
%{_includedir}/nss3/ssl.h
|
|
|
%{_includedir}/nss3/sslerr.h
|
|
|
+%{_includedir}/nss3/sslexp.h
|
|
|
%{_includedir}/nss3/sslproto.h
|
|
|
%{_includedir}/nss3/sslt.h
|
|
|
%{_includedir}/nss3/utilrename.h
|
|
@@ -648,6 +607,7 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_includedir}/nss3/nssckg.h
|
|
|
%{_includedir}/nss3/nssckmdt.h
|
|
|
%{_includedir}/nss3/nssckt.h
|
|
|
+%{_includedir}/nss3/templates/nssck.api
|
|
|
%{_libdir}/libnssb.a
|
|
|
%{_libdir}/libnssckfw.a
|
|
|
|
|
@@ -659,11 +619,16 @@ chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-softokn-config
|
|
|
%{_libdir}/*.so
|
|
|
%ghost %{_libdir}/libsoftokn3.chk
|
|
|
%ghost %{_libdir}/libfreebl3.chk
|
|
|
+%ghost %{_libdir}/libfreeblpriv3.chk
|
|
|
+%ghost %{_libdir}/libnssdbm3.chk
|
|
|
%{unsupported_tools_directory}/shlibsign
|
|
|
%endif
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
+* Mon Oct 09 2017 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.33-1
|
|
|
+- update to 3.33.
|
|
|
+
|
|
|
* Mon Jun 20 2016 Tomohiro "Tomo-p" KATO <tomop@teamgedoh.net> 3.21.1-3
|
|
|
- added libfreebl.a.
|
|
|
|