|
@@ -1,11 +1,11 @@
|
|
|
%define build_compat32 %{?_with_compat32:1}%{!?_with_compat32:0}
|
|
|
|
|
|
-%define nspr_version 4.10.6
|
|
|
+%define nspr_version 4.11
|
|
|
%define unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
|
|
|
|
|
Summary: Network Security Services
|
|
|
Name: nss
|
|
|
-Version: 3.16.1
|
|
|
+Version: 3.21.1
|
|
|
Release: 1%{?_dist_release}
|
|
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
|
|
URL: http://www.mozilla.org/projects/security/pki/nss/
|
|
@@ -17,7 +17,10 @@ Source2: nss-config.in
|
|
|
Source3: blank-cert8.db
|
|
|
Source4: blank-key3.db
|
|
|
Source5: blank-secmod.db
|
|
|
-Source12: %{name}-pem-20130828.tar.bz2
|
|
|
+Source6: blank-cert9.db
|
|
|
+Source7: blank-key4.db
|
|
|
+Source8: system-pkcs11.txt
|
|
|
+Source12: %{name}-pem-20140125.tar.bz2
|
|
|
Source101: nss-util.pc.in
|
|
|
Source102: nss-util-config.in
|
|
|
|
|
@@ -31,13 +34,72 @@ Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
|
|
# Fedora / RHEL-only patch, the templates directory was originally
|
|
|
# introduced to support mod _revocator
|
|
|
Patch47: utilwrap-include-templates.patch
|
|
|
-# TODO submit this patch upstream
|
|
|
-Patch48: nss-versus-softoken-tests.patch
|
|
|
# TODO remove when we switch to building nss without softoken
|
|
|
Patch49: nss-skip-bltest-and-fipstest.patch
|
|
|
Patch50: iquote.patch
|
|
|
+# As of nss-3.21 we compile NSS with -Werror.
|
|
|
+# see https://bugzilla.mozilla.org/show_bug.cgi?id=1182667
|
|
|
+# This requires a cleanup of the PEM module as we have it here.
|
|
|
+# TODO: submit a patch to the interim nss-pem upstream project
|
|
|
+# The submission will be very different from this patch as
|
|
|
+# cleanup there is already in progress there.
|
|
|
+Patch51: pem-compile-with-Werror.patch
|
|
|
+Patch52: Bug-1001841-disable-sslv2-libssl.patch
|
|
|
+Patch53: Bug-1001841-disable-sslv2-tests.patch
|
|
|
+Patch54: sslauth-no-v2.patch
|
|
|
+Patch55: enable-fips-when-system-is-in-fips-mode.patch
|
|
|
+# rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=1026677
|
|
|
+Patch56: p-ignore-setpolicy.patch
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=943144
|
|
|
+Patch62: nss-fix-deadlock-squash.patch
|
|
|
+# Two patches from from rhel6.8 that are also needed for rhel-7
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1054373
|
|
|
+Patch74: race.patch
|
|
|
+Patch94: nss-3.16-token-init-race.patch
|
|
|
+Patch99: ssl-server-min-key-sizes.patch
|
|
|
+Patch100: fix-min-library-version-in-SSLVersionRange.patch
|
|
|
+# Add support for sha384 tls cipher suites, dss cipher suites, and
|
|
|
+# server-side dhe key exchange
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=102794
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
+Patch101: dhe-sha384-dss-support.patch
|
|
|
+# TODO: From upstream review: For the client authentication case, should
|
|
|
+# probably drop our hack of swapping between sha256 and sha384 and plan
|
|
|
+# on implementing the fix we already have a patch for. What is that fix?
|
|
|
+Patch102: client_auth_for_sha384_prf_support.patch
|
|
|
+Patch103: nss-fix-client-auth-init-hashes.patch
|
|
|
+Patch104: nss-map-oid-to-hashalg.patch
|
|
|
+Patch105: nss-remove-bogus-assert.patch
|
|
|
+Patch106: nss-old-pkcs11-num.patch
|
|
|
+Patch107: nss-enable-384-cipher-tests.patch
|
|
|
+Patch108: nss-sni-c-v-fix.patch
|
|
|
+Patch109: nss-fix-signature-and-hash.patch
|
|
|
+Patch110: nss-sslstress-txt-ssl3-lower-value-in-range.patch
|
|
|
+
|
|
|
+# Enable by default two additional ciphers and fix order of two tables
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1211403
|
|
|
+Patch112: rh1238290.patch
|
|
|
+# Local: keep as long nss-softokn lacks support
|
|
|
+Patch113: disable-extended-master-secret-with-old-softoken.patch
|
|
|
+# extra tests needed
|
|
|
+Patch114: tests-extra.patch
|
|
|
+Patch115: nss-prevent-abi-issue.patch
|
|
|
+Patch116: nss-tests-prevent-abi-issue.patch
|
|
|
+Patch117: fix-nss-test-filtering.patch
|
|
|
+Patch118: fix-allowed-sig-alg.patch
|
|
|
+Patch119: nss-ssl-ssl3con-delete-duplicates.patch
|
|
|
+
|
|
|
+# Local patches
|
|
|
+Patch1002: hasht-dont-include-prtypes.patch
|
|
|
+Patch1007: pkcs1sig-include-prtypes.patch
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=951455
|
|
|
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=923089
|
|
|
+Patch1008: nss-util-3.19.1-tls12-mechanisms.patch
|
|
|
+
|
|
|
|
|
|
-Patch100: nss-3.16.1-rsawrapr.patch
|
|
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
BuildRequires: nspr-devel >= %{nspr_version}
|
|
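Review bot: Most of the patches added from Patch99 onward (`ssl-server-min-key-sizes.patch`, `fix-min-library-version-in-SSLVersionRange.patch`, Patch103–110, Patch115–119) carry no bug reference or one-line rationale, unlike Patch56, Patch62 and Patch101 beside them. Without that, a later rebase cannot tell which of them are security-relevant fixes that must be carried forward and which are only test adjustments. A short comment above each, in the `# rhbz: <bug URL>` or `# Local: <reason>` form already used in this block, would close the gap. The comment above Patch102 ends in an open question (`What is that fix?`) and the one above Patch74 reads `from from`; both are worth resolving in the same pass.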
@@ -116,13 +178,51 @@ v3 certificates, and other security standards.
|
|
|
%patch3 -p0 -b .transitional
|
|
|
%patch6 -p0 -b .libpem
|
|
|
%patch16 -p0 -b .539183
|
|
|
-%patch18 -p0 -b .646045
|
|
|
+pushd nss
|
|
|
+%patch18 -p1 -b .646045
|
|
|
+popd
|
|
|
%patch40 -p0 -b .noocsptest
|
|
|
%patch47 -p0 -b .templates
|
|
|
-%patch48 -p0 -b .crypto
|
|
|
%patch49 -p0 -b .skipthem
|
|
|
%patch50 -p0 -b .iquote
|
|
|
-%patch100 -p0 -b .buildfix
|
|
|
+%patch51 -p1 -b -Werror
|
|
|
+pushd nss
|
|
|
+%patch52 -p1 -b .disableSSL2libssl
|
|
|
+%patch53 -p1 -b .disableSSL2tests
|
|
|
+%patch54 -p1 -b .sslauth-no-v2
|
|
|
+%patch55 -p1 -b .852023_enable_fips_when_in_fips_mode
|
|
|
+%patch56 -p1 -b .1026677_ignore_set_policy
|
|
|
+%patch62 -p1 -b .fix_deadlock
|
|
|
+%patch99 -p1 -b .min_key_sizes
|
|
|
+%patch100 -p0 -b .1171318
|
|
|
+%patch101 -p1 -b .dhe_and_sha384
|
|
|
+%patch102 -p1 -b .client_auth_prf
|
|
|
+%patch112 -p1 -b .1238290
|
|
|
+%patch113 -p1 -b .disable-ems
|
|
|
+%patch114 -p1 -b .extra
|
|
|
+%patch115 -p1 -b .abi_lib
|
|
|
+%patch116 -p1 -b .abi_tests
|
|
|
+%patch117 -p1 -b .test-filtering
|
|
|
+%patch74 -p1 -b .race
|
|
|
+popd
|
|
|
+%patch94 -p0 -b .init-token-race
|
|
|
+%patch103 -p0 -b .fix_client_auth_crash
|
|
|
+%patch104 -p0 -b .use_oids
|
|
|
+%patch105 -p0 -b .remove_bogus_assert
|
|
|
+%patch106 -p0 -b .old_pkcs11_num
|
|
|
+%patch107 -p0 -b .enable_384_cipher_tests
|
|
|
+%patch108 -p0 -b .sni_c_v_fix
|
|
|
+%patch109 -p0 -b .fix_signature_and_hash
|
|
|
+%patch110 -p0 -b .no_ssl2
|
|
|
+pushd nss
|
|
|
+%patch118 -p1 -b .allowed-sig-alg
|
|
|
+popd
|
|
|
+%patch119 -p0 -b .delete_duplicates
|
|
|
+
|
|
|
+%patch1002 -p0 -b .prtypes
|
|
|
+%patch1007 -p0 -b .include_prtypes
|
|
|
+%patch1008 -p1 -b .tls12_mechs
|
|
|
+
|
|
|
|
|
|
pemNeedsFromSoftoken="lowkeyi lowkeyti softoken softoknt"
|
|
|
for file in ${pemNeedsFromSoftoken}; do
|
|
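Review bot: `%patch51 -p1 -b -Werror` passes a backup suffix that starts with a dash instead of the `.suffix` form every other `%patch` line here uses. Depending on how the rpm in use parses it, the backups end up named `<file>-Werror` or the token is read as an option; `%patch51 -p1 -b .Werror` avoids both. The same line uses `-p1` outside the `pushd nss` block, and `%patch100 -p0` sits inside that block among `-p1` entries. If those strip levels are intentional, a one-line comment on each would stop a later packager from "correcting" them. The `for file in ${pemNeedsFromSoftoken}` loop at the end continues outside the hunk.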
@@ -131,9 +231,17 @@ done
|
|
|
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
|
|
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
|
|
|
|
|
+pushd nss/tests/ssl
|
|
|
+# Create versions of sslcov.txt and sslstress.txt that disable tests
|
|
|
+# for SSL2 and EXPORT ciphers.
|
|
|
+cat sslcov.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslcov.noSSL2orExport.txt
|
|
|
+cat sslstress.txt| sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" > sslstress.noSSL2orExport.txt
|
|
|
+popd
|
|
|
|
|
|
%build
|
|
|
|
|
|
+export NSS_NO_SSL2=1
|
|
|
+
|
|
|
#NSS_NO_PKCS11_BYPASS=1
|
|
|
#export NSS_NO_PKCS11_BYPASS
|
|
|
|
|
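Review bot: `export NSS_NO_SSL2=1` is set only in `%build`, and rpm runs each spec section as its own shell script, so the variable is not inherited by `%check`. If the test suite is what selects `sslcov.noSSL2orExport.txt` based on this variable (the consumer is outside this hunk), it has to be exported there as well; otherwise the filtered lists are generated but the SSL2 and EXPORT cases may still be exercised. The two filter lines can also drop the `cat` pipe, e.g. `sed -r "s/^([^#].*EXPORT|^[^#].*SSL2)/#disabled \1/" sslcov.txt > sslcov.noSSL2orExport.txt`. With the pipe, the step's status is `sed`'s, so a missing input file silently yields an empty list instead of failing `%prep`.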
@@ -262,10 +370,16 @@ touch $RPM_BUILD_ROOT/%{_libdir}/libsoftokn3.chk
|
|
|
touch $RPM_BUILD_ROOT/%{_libdir}/libfreebl3.chk
|
|
|
|
|
|
# Install the empty NSS db files
|
|
|
+# Legacy db
|
|
|
%{__mkdir_p} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb
|
|
|
%{__install} -m 644 %{SOURCE3} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert8.db
|
|
|
%{__install} -m 644 %{SOURCE4} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key3.db
|
|
|
%{__install} -m 644 %{SOURCE5} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/secmod.db
|
|
|
+# Shared db
|
|
|
+%{__install} -p -m 644 %{SOURCE6} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/cert9.db
|
|
|
+%{__install} -p -m 644 %{SOURCE7} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/key4.db
|
|
|
+%{__install} -p -m 644 %{SOURCE8} $RPM_BUILD_ROOT/%{_sysconfdir}/pki/nssdb/pkcs11.txt
|
|
|
+
|
|
|
|
|
|
# Copy the development libraries we want
|
|
|
for file in libcrmf.a libnssb.a libnssckfw.a
|
|
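Review bot: The new `# Shared db` block installs `key4.db` with `-m 644` and says nothing about the file being world-readable. Judging by the `blank-key4.db` source name it is an empty placeholder, but once installed under `%{_sysconfdir}/pki/nssdb` it is the system-wide key database and any local user can read it. A comment such as `# Shared db: blank placeholders, world-readable by design; not intended to hold private keys` would make that expectation explicit for administrators and for the next packager. The new lines also pass `-p` to `%{__install}` while the legacy lines above do not; pick one form for both sets.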
@@ -324,6 +438,9 @@ done
|
|
|
%config(noreplace) %{_sysconfdir}/pki/nssdb/cert8.db
|
|
|
%config(noreplace) %{_sysconfdir}/pki/nssdb/key3.db
|
|
|
%config(noreplace) %{_sysconfdir}/pki/nssdb/secmod.db
|
|
|
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
|
|
|
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
|
|
|
+%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
|
|
|
|
|
|
%files tools
|
|
|
%defattr(-,root,root)
|
|
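Review bot: `%verify(not md5 size mtime)` on the three new entries switches off content verification, so `rpm -V` will no longer report a modified `pkcs11.txt`. Going by its name and the `system-pkcs11.txt` source, that file lists the PKCS#11 modules loaded from the system database, which makes an unexpected change to it worth noticing. The legacy `cert8.db`/`key3.db`/`secmod.db` entries directly above keep default verification, so the two sets now behave differently. If the exemption is meant only for the databases NSS rewrites in place, leave the module list as `%config(noreplace) %{_sysconfdir}/pki/nssdb/pkcs11.txt`. Otherwise add a comment above the three lines stating why they are exempt.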
@@ -412,6 +529,7 @@ done
|
|
|
%{_includedir}/nss3/pkcs12.h
|
|
|
%{_includedir}/nss3/pkcs12t.h
|
|
|
%{_includedir}/nss3/pkcs7t.h
|
|
|
+%{_includedir}/nss3/pkcs1sig.h
|
|
|
%{_includedir}/nss3/portreg.h
|
|
|
%{_includedir}/nss3/preenc.h
|
|
|
%{_includedir}/nss3/secasn1.h
|
|
@@ -472,6 +590,10 @@ done
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
+* Tue May 10 2016 Yoji TOYODA <bsyamato@sea.plala.or.jp> 3.21.1-1
|
|
|
+- update to 3.21.1
|
|
|
+- import patches from centos package
|
|
|
+
|
|
|
* Thu Jun 12 2014 Daisuke SUZUKI <daisuke@vinelinux.org> 3.16.1-1
|
|
|
- update to 3.16.1
|
|
|
|