Hello community, here is the log from the commit of package mozilla-nss.5440 for openSUSE:13.2:Update checked in at 2016-08-04 21:50:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.2:Update/mozilla-nss.5440 (Old) and /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5440.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozilla-nss.5440" Changes: -------- New Changes file: --- /dev/null 2016-07-07 10:01:34.856033756 +0200 +++ /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5440.new/mozilla-nss.changes 2016-08-04 21:50:11.000000000 +0200 
@@ -0,0 +1,1679 @@ +------------------------------------------------------------------- +Sat Jul 30 08:53:02 UTC 2016 - w...@rosenauer.org + +- update to NSS 3.24 + New functionality: + * NSS softoken has been updated with the latest National Institute + of Standards and Technology (NIST) guidance (as of 2015): + - Software integrity checks and POST functions are executed on + shared library load. These checks have been disabled by default, + as they can cause a performance regression. To enable these + checks, you must define symbol NSS_FORCE_FIPS when building NSS. + - Counter mode and Galois/Counter Mode (GCM) have checks to + prevent counter overflow. + - Additional CSPs are zeroed in the code. + - NSS softoken uses new guidance for how many Rabin-Miller tests + are needed to verify a prime based on prime size. + * NSS softoken has also been updated to allow NSS to run in FIPS + Level 1 (no password). This mode is triggered by setting the + database password to the empty string. In FIPS mode, you may move + from Level 1 to Level 2 (by setting an appropriate password), + but not the reverse. + * A SSL_ConfigServerCert function has been added for configuring + SSL/TLS server sockets with a certificate and private key. Use + this new function in place of SSL_ConfigSecureServer, + SSL_ConfigSecureServerWithCertChain, SSL_SetStapledOCSPResponses, + and SSL_SetSignedCertTimestamps. SSL_ConfigServerCert automatically + determines the certificate type from the certificate and private key. + The caller is no longer required to use SSLKEAType explicitly to + select a "slot" into which the certificate is configured (which + incorrectly identifies a key agreement type rather than a certificate). + Separate functions for configuring Online Certificate Status Protocol + (OCSP) responses or Signed Certificate Timestamps are not needed, + since these can be added to the optional SSLExtraServerCertData struct + provided to SSL_ConfigServerCert. 
Also, partial support for RSA + Probabilistic Signature Scheme (RSA-PSS) certificates has been added. + Although these certificates can be configured, they will not be + used by NSS in this version. + New functions + * SSL_ConfigServerCert - Configures an SSL/TLS socket with a + certificate, private key, and other information. + * PORT_InitCheapArena - Initializes an arena that was created on + the stack. (See PORTCheapArenaPool.= + * PORT_DestroyCheapArena - Destroys an arena that was created on + the stack. (See PORTCheapArenaPool.) + New types + * SSLExtraServerCertData - Optionally passed as an argument to + SSL_ConfigServerCert. This struct contains supplementary information + about a certificate, such as the intended type of the certificate, + stapled OCSP responses, or Signed Certificate Timestamps (used for + certificate transparency). + * PORTCheapArenaPool - A stack-allocated arena pool, to be used for + temporary arena allocations. + New macros + * CKM_TLS12_MAC + * SEC_OID_TLS_ECDHE_PSK - This OID governs the use of the + TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 cipher suite, which is used + only for session resumption in TLS 1.3. + Notable changes: + * Deprecate the following functions. (Applications should instead use the new + SSL_ConfigServerCert function.): + - SSL_SetStapledOCSPResponses + - SSL_SetSignedCertTimestamps + - SSL_ConfigSecureServer + - SSL_ConfigSecureServerWithCertChain + * Deprecate the NSS_FindCertKEAType function, as it reports a misleading + value for certificates that might be used for signing rather than + key exchange. + * Update SSLAuthType to define a larger number of authentication key types. + * Deprecate the member attribute authAlgorithm of type SSLCipherSuiteInfo. + Instead, applications should use the newly added attribute authType. + * Rename ssl_auth_rsa to ssl_auth_rsa_decrypt. + * Add a shared library (libfreeblpriv3) on Linux platforms that + define FREEBL_LOWHASH. 
+ * Remove most code related to SSL v2, including the ability to actively + send a SSLv2-compatible client hello. However, the server-side + implementation of the SSL/TLS protocol still supports processing + of received v2-compatible client hello messages. + * Disable (by default) NSS support in optimized builds for logging SSL/TLS + key material to a logfile if the SSLKEYLOGFILE environment variable + is set. To enable the functionality in optimized builds, you must define + the symbol NSS_ALLOW_SSLKEYLOGFILE when building NSS. + * Update NSS to protect it against the Cachebleed attack. + * Disable support for DTLS compression. + * Improve support for TLS 1.3. This includes support for DTLS 1.3. + Note that TLS 1.3 support is experimental and not suitable for + production use. +- removed obsolete nss-bmo1236011.patch + +------------------------------------------------------------------- +Thu May 26 05:59:03 UTC 2016 - w...@rosenauer.org + +- update to NSS 3.23 + New functionality: + * ChaCha20/Poly1305 cipher and TLS cipher suites now supported + * Experimental-only support TLS 1.3 1-RTT mode (draft-11). + This code is not ready for production use. + New functions: + * SSL_SetDowngradeCheckVersion - Set maximum version for new + ServerRandom anti-downgrade mechanism. Clients that perform a + version downgrade (which is generally a very bad idea) call this + with the highest version number that they possibly support. + This gives them access to the version downgrade protection from + TLS 1.3. 
+ Notable changes: + * The copy of SQLite shipped with NSS has been updated to version + 3.10.2 + * The list of TLS extensions sent in the TLS handshake has been + reordered to increase compatibility of the Extended Master Secret + with with servers + * The build time environment variable NSS_ENABLE_ZLIB has been + renamed to NSS_SSL_ENABLE_ZLIB + * The build time environment variable NSS_DISABLE_CHACHAPOLY was + added, which can be used to prevent compilation of the + ChaCha20/Poly1305 code. + * The following CA certificates were Removed + - Staat der Nederlanden Root CA + - NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado + - NetLock Kozjegyzoi (Class A) Tanusitvanykiado + - NetLock Uzleti (Class B) Tanusitvanykiado + - NetLock Expressz (Class C) Tanusitvanykiado + - VeriSign Class 1 Public PCA – G2 + - VeriSign Class 3 Public PCA + - VeriSign Class 3 Public PCA – G2 + - CA Disig + * The following CA certificates were Added + + SZAFIR ROOT CA2 + + Certum Trusted Network CA 2 + * The following CA certificate had the Email trust bit turned on + + Actalis Authentication Root CA + Security fixes: + * CVE-2016-2834: Memory safety bugs (boo#983639) + MFSA-2016-61 bmo#1206283 bmo#1221620 bmo#1241034 bmo#1241037 +- removed obsolete nss_gcc6_change.patch + +------------------------------------------------------------------- +Mon Apr 18 15:53:40 UTC 2016 - norm...@linux.vnet.ibm.com + +- add nss_gcc6_change.patch + +------------------------------------------------------------------- +Tue Mar 15 10:25:38 UTC 2016 - w...@rosenauer.org + +- update to NSS 3.22.3 + * required for Firefox 46.0 + * Increase compatibility of TLS extended master secret, + don't send an empty TLS extension last in the handshake + (bmo#1243641) + * Fixed a heap-based buffer overflow related to the parsing of + certain ASN.1 structures. 
An attacker could create a specially-crafted + certificate which, when parsed by NSS, would cause a crash or + execution of arbitrary code with the permissions of the user. + (CVE-2016-1950, bmo#1245528) + +------------------------------------------------------------------- +Wed Mar 9 15:42:01 UTC 2016 - w...@rosenauer.org + +- update to NSS 3.22.2 + New functionality: + * RSA-PSS signatures are now supported (bmo#1215295) + * Pseudorandom functions based on hashes other than SHA-1 are now supported + * Enforce an External Policy on NSS from a config file (bmo#1009429) + New functions: + * PK11_SignWithMechanism - an extended version PK11_Sign() + * PK11_VerifyWithMechanism - an extended version of PK11_Verify() + * SSL_PeerSignedCertTimestamps - Get signed_certificate_timestamp + TLS extension data + * SSL_SetSignedCertTimestamps - Set signed_certificate_timestamp + TLS extension data + New types: + * ssl_signed_cert_timestamp_xtn is added to SSLExtensionType + * Constants for several object IDs are added to SECOidTag + New macros: + * SSL_ENABLE_SIGNED_CERT_TIMESTAMPS + * NSS_USE_ALG_IN_SSL + * NSS_USE_POLICY_IN_SSL + * NSS_RSA_MIN_KEY_SIZE + * NSS_DH_MIN_KEY_SIZE + * NSS_DSA_MIN_KEY_SIZE + * NSS_TLS_VERSION_MIN_POLICY + * NSS_TLS_VERSION_MAX_POLICY + * NSS_DTLS_VERSION_MIN_POLICY + * NSS_DTLS_VERSION_MAX_POLICY + * CKP_PKCS5_PBKD2_HMAC_SHA224 + * CKP_PKCS5_PBKD2_HMAC_SHA256 + * CKP_PKCS5_PBKD2_HMAC_SHA384 + * CKP_PKCS5_PBKD2_HMAC_SHA512 + * CKP_PKCS5_PBKD2_HMAC_GOSTR3411 - (not supported) + * CKP_PKCS5_PBKD2_HMAC_SHA512_224 - (not supported) + * CKP_PKCS5_PBKD2_HMAC_SHA512_256 - (not supported) + Notable changes: + * NSS C++ tests are built by default, requiring a C++11 compiler. + Set the NSS_DISABLE_GTESTS variable to 1 to disable building these tests. 
+ * NSS has been changed to use the PR_GetEnvSecure function that + was made available in NSPR 4.12 + +------------------------------------------------------------------- +Mon Mar 7 15:41:50 UTC 2016 - w...@rosenauer.org ++++ 1482 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.mozilla-nss.5440.new/mozilla-nss.changes New: ---- baselibs.conf cert9.db key4.db malloc.patch mozilla-nss-rpmlintrc mozilla-nss.changes mozilla-nss.spec nss-3.24.tar.gz nss-config.in nss-disable-ocsp-test.patch nss-no-rpath.patch nss-opt.patch nss-sqlitename.patch nss.pc.in pkcs11.txt renegotiate-transitional.patch setup-nsssysinit.sh system-nspr.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-nss.spec ++++++ # # spec file for package mozilla-nss # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2006-2016 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # %global nss_softokn_fips_version 3.21 Name: mozilla-nss BuildRequires: gcc-c++ BuildRequires: mozilla-nspr-devel >= 4.12 BuildRequires: pkg-config BuildRequires: sqlite-devel BuildRequires: zlib-devel Version: 3.24 Release: 0 # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-64bit %endif # Summary: Network Security Services License: MPL-2.0 Group: System/Libraries Url: http://www.mozilla.org/projects/security/pki/nss/ Source: https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_24_RTM/src/nss-%{version}.tar.gz # hg clone https://hg.mozilla.org/projects/nss nss-3.24/nss ; cd nss-3.24/nss ; hg up NSS_3_24_RTM #Source: nss-%{version}.tar.gz Source1: nss.pc.in Source3: nss-config.in Source4: %{name}-rpmlintrc Source5: baselibs.conf Source6: setup-nsssysinit.sh Source7: cert9.db Source8: key4.db Source9: pkcs11.txt #Source10: PayPalEE.cert Source99: %{name}.changes Patch1: nss-opt.patch Patch2: system-nspr.patch Patch4: nss-no-rpath.patch Patch5: renegotiate-transitional.patch Patch6: malloc.patch Patch7: nss-disable-ocsp-test.patch Patch8: nss-sqlitename.patch %define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) PreReq: mozilla-nspr >= %nspr_ver PreReq: libfreebl3 >= %{nss_softokn_fips_version} PreReq: libsoftokn3 >= %{nss_softokn_fips_version} %if %{_lib} == lib64 Requires: libnssckbi.so()(64bit) %else Requires: libnssckbi.so %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb %ifnarch %sparc %if ! 0%{?qemu_user_space_build} # disabled temporarily bmo#1236340 %define run_testsuite 0 %endif %endif %description Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. 
%package devel Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: libfreebl3 Requires: libsoftokn3 Requires: mozilla-nspr-devel >= 4.9 Requires: mozilla-nss = %{version}-%{release} # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit %endif %description devel Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. %package tools Summary: Tools for developing, debugging, and managing applications that use NSS Group: System/Management PreReq: mozilla-nss >= %{version} %description tools The NSS Security Tools allow developers to test, debug, and manage applications that use NSS. %package sysinit Summary: System NSS Initialization Group: System/Management Requires: mozilla-nss >= %{version} Requires(post): coreutils %description sysinit Default Operation System module that manages applications loading NSS globally on the system. This module loads the system defined PKCS #11 modules for NSS and chains with other NSS modules to load any system or user configured modules. %package -n libfreebl3 Summary: Freebl library for the Network Security Services Group: System/Libraries Provides: libfreebl3-hmac %description -n libfreebl3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. This package installs the freebl library from NSS. 
%package -n libsoftokn3 Summary: Network Security Services Softoken Module Group: System/Libraries Requires: libfreebl3 = %{version}-%{release} Provides: libsoftokn3-hmac %description -n libsoftokn3 Network Security Services (NSS) is a set of libraries designed to support cross-platform development of security-enabled server applications. Applications built with NSS can support SSL v3, TLS v1.0, v1.1, v1.2, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 certificates, and other security standards. Network Security Services Softoken Cryptographic Module %package certs Summary: CA certificates for NSS Group: Productivity/Networking/Security %description certs This package contains the integrated CA root certificates from the Mozilla project. %prep %setup -n nss-%{version} -q cd nss %patch1 -p1 %patch2 -p1 %patch4 -p1 %patch5 -p1 %if %suse_version > 1110 %patch6 -p1 %endif %patch7 -p1 %patch8 -p1 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build cd nss modified="$(sed -n '/^----/n;s/ - .*$//;p;q' "%{S:99}")" DATE="\"$(date -d "${modified}" "+%%b %%e %%Y")\"" TIME="\"$(date -d "${modified}" "+%%R")\"" find . 
-name '*.[ch]' -print -exec sed -i "s/__DATE__/${DATE}/g;s/__TIME__/${TIME}/g" {} + export FREEBL_NO_DEPEND=1 export FREEBL_LOWHASH=1 export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` export OPT_FLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing" export LIBDIR=%{_libdir} %ifarch x86_64 s390x ppc64 ppc64le ia64 aarch64 export USE_64=1 %endif export NSS_USE_SYSTEM_SQLITE=1 #export SQLITE_LIB_NAME=nsssqlite3 MAKE_FLAGS="BUILD_OPT=1" make nss_build_all $MAKE_FLAGS # run testsuite %if 0%{?run_testsuite} export BUILD_OPT=1 export HOST="localhost" export DOMSUF=" " export USE_IP=TRUE export IP_ADDRESS="127.0.0.1" cd tests ./all.sh if grep "FAILED" ../../../tests_results/security/localhost.1/output.log ; then echo "Testsuite FAILED" exit 1 fi %endif %install cd nss mkdir -p $RPM_BUILD_ROOT%{_libdir} mkdir -p $RPM_BUILD_ROOT%{_libexecdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} mkdir -p $RPM_BUILD_ROOT%{_sbindir} mkdir -p $RPM_BUILD_ROOT/%{_lib} mkdir -p $RPM_BUILD_ROOT%{nssdbdir} pushd ../dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 # copy some freebl include files we also want for file in blapi.h alghmac.h do cp -L ../private/nss/$file $RPM_BUILD_ROOT/%{_includedir}/nss3 done # copy dynamic libs cp -L lib/libnss3.so \ lib/libnssdbm3.so \ lib/libnssdbm3.chk \ lib/libnssutil3.so \ lib/libnssckbi.so \ lib/libnsssysinit.so \ lib/libsmime3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ lib/libssl3.so \ $RPM_BUILD_ROOT%{_libdir} cp -L lib/libfreebl3.so \ lib/libfreebl3.chk \ lib/libfreeblpriv3.so \ lib/libfreeblpriv3.chk \ $RPM_BUILD_ROOT/%{_lib} #cp -L lib/libnsssqlite3.so \ # $RPM_BUILD_ROOT%{_libdir} # copy static libs cp -L lib/libcrmf.a \ lib/libfreebl.a \ lib/libnssb.a \ lib/libnssckfw.a \ $RPM_BUILD_ROOT%{_libdir} # copy tools cp -L bin/certutil \ bin/cmsutil \ bin/crlutil \ bin/modutil \ bin/pk12util \ bin/signtool \ bin/signver \ bin/ssltap \ 
$RPM_BUILD_ROOT%{_bindir} # copy unsupported tools cp -L bin/atob \ bin/btoa \ bin/derdump \ bin/ocspclnt \ bin/pp \ bin/selfserv \ bin/shlibsign \ bin/strsclnt \ bin/symkeyutil \ bin/tstclnt \ bin/vfyserv \ bin/vfychain \ $RPM_BUILD_ROOT%{_libexecdir}/nss # prepare pkgconfig file mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ sed "s:%%LIBDIR%%:%{_libdir}:g s:%%VERSION%%:%{version}:g s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd NSS_VMAJOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMAJOR" | gawk '{print $3}'` NSS_VMINOR=`cat lib/nss/nss.h | grep "#define.*NSS_VMINOR" | gawk '{print $3}'` NSS_VPATCH=`cat lib/nss/nss.h | grep "#define.*NSS_VPATCH" | gawk '{print $3}'` cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ -e "s,@prefix@,%{_prefix},g" \ -e "s,@exec_prefix@,%{_prefix},g" \ -e "s,@includedir@,%{_includedir}/nss3,g" \ -e "s,@MOD_MAJOR_VERSION@,$NSS_VMAJOR,g" \ -e "s,@MOD_MINOR_VERSION@,$NSS_VMINOR,g" \ -e "s,@MOD_PATCH_VERSION@,$NSS_VPATCH,g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config # setup-nsssysinfo.sh install -m 744 %{SOURCE6} $RPM_BUILD_ROOT%{_sbindir}/ # create empty NSS database #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/modutil -force -dbdir "sql:$RPM_BUILD_ROOT%{nssdbdir}" -create #LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_bindir}/certutil -N -d "sql:$RPM_BUILD_ROOT%{nssdbdir}" -f /dev/null 2>&1 > /dev/null #chmod 644 "$RPM_BUILD_ROOT%{nssdbdir}"/* #sed "s:%{buildroot}::g #s/^library=$/library=libnsssysinit.so/ #/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/" \ # $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt > $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt.sed # mv $RPM_BUILD_ROOT%{nssdbdir}/pkcs11.txt{.sed,} # copy empty NSS database install -m 644 %{SOURCE7} $RPM_BUILD_ROOT%{nssdbdir} install -m 644 %{SOURCE8} $RPM_BUILD_ROOT%{nssdbdir} install 
-m 644 %{SOURCE9} $RPM_BUILD_ROOT%{nssdbdir} # create shlib sigs after extracting debuginfo %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ %{__os_install_post} \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libsoftokn3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT%{_libdir}/libnssdbm3.so \ LD_LIBRARY_PATH=$RPM_BUILD_ROOT/%{_lib}:$RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_libexecdir}/nss/shlibsign -i $RPM_BUILD_ROOT/%{_lib}/libfreebl3.so \ %{nil} %post -p /sbin/ldconfig %postun -p /sbin/ldconfig %post -n libfreebl3 -p /sbin/ldconfig %postun -n libfreebl3 -p /sbin/ldconfig %post -n libsoftokn3 -p /sbin/ldconfig %postun -n libsoftokn3 -p /sbin/ldconfig %post sysinit /sbin/ldconfig # make sure the current config is enabled %{_sbindir}/setup-nsssysinit.sh on %preun sysinit if [ $1 = 0 ]; then %{_sbindir}/setup-nsssysinit.sh off fi %postun sysinit -p /sbin/ldconfig %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) %{_libdir}/libnss3.so %{_libdir}/libnssutil3.so %{_libdir}/libsmime3.so %{_libdir}/libssl3.so #%{_libdir}/libnsssqlite3.so %files devel %defattr(644, root, root, 755) %{_includedir}/nss3/ %{_libdir}/*.a %{_libdir}/pkgconfig/* %attr(755,root,root) %{_bindir}/nss-config %files tools %defattr(-, root, root) %{_bindir}/* %exclude %{_sbindir}/setup-nsssysinit.sh %{_libexecdir}/nss/ %exclude %{_bindir}/nss-config %files sysinit %defattr(-, root, root) %dir %{_sysconfdir}/pki %dir %{_sysconfdir}/pki/nssdb %config(noreplace) %{_sysconfdir}/pki/nssdb/* %{_libdir}/libnsssysinit.so %{_sbindir}/setup-nsssysinit.sh %files -n libfreebl3 %defattr(-, root, root) /%{_lib}/libfreebl3.so /%{_lib}/libfreebl3.chk /%{_lib}/libfreeblpriv3.so /%{_lib}/libfreeblpriv3.chk %files -n libsoftokn3 %defattr(-, root, root) %{_libdir}/libsoftokn3.so 
%{_libdir}/libsoftokn3.chk %{_libdir}/libnssdbm3.so %{_libdir}/libnssdbm3.chk %files certs %defattr(-, root, root) %{_libdir}/libnssckbi.so %changelog ++++++ baselibs.conf ++++++ mozilla-nss requires "libfreebl3-<targettype>" requires "libsoftokn3-<targettype>" requires "mozilla-nss-certs-<targettype>" libsoftokn3 requires "libfreebl3-<targettype> = <version>" +/usr/lib/libsoftokn3.chk +/usr/lib/libnssdbm3.chk libfreebl3 +/lib/libfreebl3.chk mozilla-nss-sysinit mozilla-nss-certs ++++++ malloc.patch ++++++ Index: security/nss/tests/ssl/ssl.sh =================================================================== RCS file: /cvsroot/mozilla/security/nss/tests/ssl/ssl.sh,v retrieving revision 1.100 diff -u -r1.100 ssl.sh --- security/nss/tests/ssl/ssl.sh 26 Mar 2009 23:14:34 -0000 1.100 +++ nss/tests/ssl/ssl.sh 6 Jun 2009 06:21:07 -0000 
@@ -974,6 +974,7 @@ ################################# main ################################# +unset MALLOC_CHECK_ ssl_init ssl_run_tests ssl_cleanup ++++++ mozilla-nss-rpmlintrc ++++++ addFilter("shlib-policy-name-error") addFilter("shlib-policy-missing-lib") addFilter("shlib-policy-missing-suffix") addFilter("shlib-unversioned-lib") addFilter("shlib-fixed-dependency") ++++++ nss-config.in ++++++ #!/bin/sh prefix=@prefix@ major_version=@MOD_MAJOR_VERSION@ minor_version=@MOD_MINOR_VERSION@ patch_version=@MOD_PATCH_VERSION@ usage() { cat <<EOF Usage: nss-config [OPTIONS] [LIBRARIES] Options: [--prefix[=DIR]] [--exec-prefix[=DIR]] [--includedir[=DIR]] [--libdir[=DIR]] [--version] [--libs] [--cflags] Dynamic Libraries: nss ssl smime EOF exit $1 } if test $# -eq 0; then usage 1 1>&2 fi lib_ssl=yes lib_smime=yes lib_nss=yes lib_nssutil=yes while test $# -gt 0; do case "$1" in -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;; *) optarg= ;; esac case $1 in --prefix=*) prefix=$optarg ;; --prefix) echo_prefix=yes ;; --exec-prefix=*) exec_prefix=$optarg ;; --exec-prefix) echo_exec_prefix=yes ;; --includedir=*) includedir=$optarg ;; --includedir) echo_includedir=yes ;; --libdir=*) libdir=$optarg ;; --libdir) echo_libdir=yes ;; --version) echo ${major_version}.${minor_version}.${patch_version} ;; --cflags) echo_cflags=yes ;; --libs) echo_libs=yes ;; ssl) lib_ssl=yes ;; smime) lib_smime=yes ;; nss) lib_nss=yes ;; nssutil) lib_nssutil=yes ;; *) usage 1 1>&2 ;; esac shift done # Set variables that may be dependent upon other variables if test -z "$exec_prefix"; then exec_prefix=@exec_prefix@ fi if test -z "$includedir"; then includedir=@includedir@ fi if test -z "$libdir"; then libdir=@libdir@ fi if test "$echo_prefix" = "yes"; then echo $prefix fi if test "$echo_exec_prefix" = "yes"; then echo $exec_prefix fi if test "$echo_includedir" = "yes"; then echo $includedir fi if test "$echo_libdir" = "yes"; then echo $libdir fi if test "$echo_cflags" = "yes"; then echo 
-I$includedir fi if test "$echo_libs" = "yes"; then libdirs="-Wl,-rpath-link,$libdir -L$libdir" if test -n "$lib_ssl"; then libdirs="$libdirs -lssl${major_version}" fi if test -n "$lib_smime"; then libdirs="$libdirs -lsmime${major_version}" fi if test -n "$lib_nss"; then libdirs="$libdirs -lnss${major_version}" fi if test -n "$lib_nssutil"; then libdirs="$libdirs -lnssutil${major_version}" fi echo $libdirs fi ++++++ nss-disable-ocsp-test.patch ++++++ diff --git a/tests/chains/scenarios/scenarios b/tests/chains/scenarios/scenarios --- a/tests/chains/scenarios/scenarios +++ b/tests/chains/scenarios/scenarios @@ -45,12 +45,11 @@ mapping.cfg mapping2.cfg aia.cfg bridgewithaia.cfg bridgewithhalfaia.cfg bridgewithpolicyextensionandmapping.cfg realcerts.cfg dsa.cfg revoc.cfg -ocsp.cfg crldp.cfg trustanchors.cfg nameconstraints.cfg ++++++ nss-no-rpath.patch ++++++ Index: security/nss/cmd/platlibs.mk =================================================================== RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v retrieving revision 1.71 diff -u -p -6 -r1.71 platlibs.mk --- security/nss/cmd/platlibs.mk 17 Jul 2012 15:22:42 -0000 1.71 +++ nss/cmd/platlibs.mk 25 Oct 2012 12:07:35 -0000 
@@ -15,15 +15,15 @@ else EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps' endif endif ifeq ($(OS_ARCH), Linux) ifeq ($(USE_64), 1) -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib' else -EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' +#EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib' endif endif endif # BUILD_SUN_PKG ifdef NSS_DISABLE_DBM ++++++ nss-opt.patch ++++++ Index: security/coreconf/Linux.mk =================================================================== RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v retrieving revision 1.45.2.1 diff -u -r1.45.2.1 Linux.mk --- security/coreconf/Linux.mk 31 Jul 2010 04:23:37 -0000 1.45.2.1 +++ nss/coreconf/Linux.mk 5 Aug 2010 07:35:06 -0000 @@ -112,11 +112,7 @@ endif ifdef BUILD_OPT -ifeq (11,$(ALLOW_OPT_CODE_SIZE)$(OPT_CODE_SIZE)) - OPTIMIZER = -Os -else - OPTIMIZER = -O2 -endif + OPTIMIZER = $(OPT_FLAGS) ifdef MOZ_DEBUG_SYMBOLS ifdef MOZ_DEBUG_FLAGS OPTIMIZER += $(MOZ_DEBUG_FLAGS) ++++++ nss-sqlitename.patch ++++++ Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v retrieving revision 1.5 diff -u -r1.5 manifest.mn --- security/nss/lib/sqlite/manifest.mn 25 Apr 2012 14:50:11 -0000 1.5 +++ nss/lib/sqlite/manifest.mn 28 Jan 2013 20:48:22 -0000 
@@ -6,9 +6,10 @@ MODULE = nss -LIBRARY_NAME = sqlite +LIBRARY_NAME = nsssqlite LIBRARY_VERSION = 3 MAPFILE = $(OBJDIR)/sqlite.def +MAPFILE_SOURCE = sqlite.def DEFINES += -DSQLITE_THREADSAFE=1 EXPORTS = \ ++++++ nss.pc.in ++++++ prefix=/usr exec_prefix=${prefix} libdir=%LIBDIR% includedir=${prefix}/include/nss3 Name: NSS Description: Network Security Services Version: %VERSION% Requires: nspr >= %NSPR_VERSION% Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3 Cflags: -I${includedir} ++++++ pkcs11.txt ++++++ library=libnsssysinit.so name=NSS Internal PKCS #11 Module parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) ++++++ renegotiate-transitional.patch ++++++ diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c --- a/lib/ssl/sslsock.c +++ b/lib/ssl/sslsock.c 
@@ -72,17 +72,17 @@ static sslOptions ssl_defaults = { PR_FALSE, /* v2CompatibleHello */ /* now defaults to off in NSS 3.13 */ PR_TRUE, /* detectRollBack */ PR_FALSE, /* noStepDown */ PR_FALSE, /* bypassPKCS11 */ PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ - 2, /* enableRenegotiation (default: requires extension) */ + 3, /* enableRenegotiation (default: requires extension) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ PR_TRUE, /* cbcRandomIV */ PR_FALSE, /* enableOCSPStapling */ PR_TRUE, /* enableNPN */ PR_FALSE, /* enableALPN */ PR_TRUE, /* reuseServerECDHEKey */ PR_FALSE, /* enableFallbackSCSV */ ++++++ setup-nsssysinit.sh ++++++ #!/bin/sh # # Turns on or off the nss-sysinit module db by editing the # global PKCS #11 congiguration file. # # This script can be invoked by the user as super user. # It is invoked at nss-sysinit post install time with argument on # and at nss-sysinit pre uninstall with argument off. # usage() { cat <<EOF Usage: setup-nsssysinit [on|off] on - turns on nsssysinit off - turns off nsssysinit EOF exit $1 } # validate if test $# -eq 0; then usage 1 1>&2 fi # the system-wide configuration file p11conf="/etc/pki/nssdb/pkcs11.txt" # must exist, otherwise report it and exit with failure if [ ! -f $p11conf ]; then echo "Could not find ${p11conf}" exit 1 fi on="1" case "$1" in on | ON ) cat ${p11conf} | \ sed -e 's/^library=$/library=libnsssysinit.so/' \ -e '/^NSS/s/\(Flags=internal\)\(,[^m]\)/\1,moduleDBOnly\2/' > \ ${p11conf}.on mv ${p11conf}.on ${p11conf} ;; off | OFF ) if [ ! `grep "^library=libnsssysinit" ${p11conf}` ]; then exit 0 fi cat ${p11conf} | \ sed -e 's/^library=libnsssysinit.so/library=/' \ -e '/^NSS/s/Flags=internal,moduleDBOnly/Flags=internal/' > \ ${p11conf}.off mv ${p11conf}.off ${p11conf} ;; * ) usage 1 1>&2 ;; esac ++++++ system-nspr.patch ++++++ diff --git a/Makefile b/Makefile --- a/Makefile +++ b/Makefile 
@@ -39,17 +39,17 @@ include $(CORE_DEPTH)/coreconf/rules.mk ####################################################################### ####################################################################### # (7) Execute "local" rules. (OPTIONAL). # ####################################################################### -nss_build_all: build_nspr all +nss_build_all: all nss_clean_all: clobber_nspr clobber NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/configure # # Translate coreconf build options to NSPR configure options.
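Review bot: In the new mozilla-nss.changes hunk, the PORT_InitCheapArena entry under NSS 3.24 ends with `(See PORTCheapArenaPool.=` where the matching PORT_DestroyCheapArena entry has `(See PORTCheapArenaPool.)`, and the NSS 3.23 "Notable changes" entry about TLS extension ordering says `with with servers`. Both are small typos in the changelog text; correct them in the next changes entry so the package history reads cleanly.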
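Review bot: In malloc.patch, the `unset MALLOC_CHECK_` added ahead of `ssl_init` in the main section of tests/ssl/ssl.sh carries no comment saying why glibc's heap consistency checking is switched off for the SSL tests. Add a one-line comment with the reason (or a bug reference in the patch header), so that a later reader can tell whether the unset is still needed or is hiding a real heap error in the test binaries.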
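Review bot: In nss-disable-ocsp-test.patch, dropping `ocsp.cfg` from tests/chains/scenarios/scenarios removes the OCSP chain scenario from the suite with no record of why in the patch. State the reason in the patch header (for example that the build environment has no network access, if that is the cause) so the scenario can be re-enabled once it can pass, rather than staying off indefinitely.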
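Review bot: In nss-no-rpath.patch, both `-Wl,-rpath,...` assignments in the Linux branch of cmd/platlibs.mk are commented out rather than removed, which leaves an `ifeq ($(USE_64), 1)` / `else` / `endif` block whose two arms now do nothing. Delete the two lines together with the empty conditional, or guard them behind a single make variable, so the intent (no rpath in packaged binaries) is explicit and the dead `/opt/sun/private/lib` paths do not linger in the file.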
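Review bot: In nss-opt.patch, `OPTIMIZER = $(OPT_FLAGS)` under `ifdef BUILD_OPT` in coreconf/Linux.mk gives an optimized build no optimization flag at all when OPT_FLAGS is not set, and it drops the `-Os` path that ALLOW_OPT_CODE_SIZE and OPT_CODE_SIZE used to select. The spec file exports OPT_FLAGS before calling make, so the package build is covered, but a default such as `OPT_FLAGS ?= -O2` ahead of the assignment would keep the previous behaviour for anyone building the patched tree without it.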
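Review bot: In renegotiate-transitional.patch, the `enableRenegotiation` entry of `ssl_defaults` in lib/ssl/sslsock.c changes from 2 to 3 but keeps the trailing comment `(default: requires extension)`, so the comment now describes the old default. Update the comment to say transitional and prefer the named constant SSL_RENEGOTIATE_TRANSITIONAL from ssl.h over the bare 3, since this line sets the renegotiation policy for every application that does not configure the option itself and should be unambiguous to anyone auditing the package.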
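Review bot: In system-nspr.patch, `nss_build_all` no longer depends on `build_nspr`, but the following context line still reads `nss_clean_all: clobber_nspr clobber`, so the clean target keeps reaching into the bundled NSPR tree that the build target now skips. Drop `clobber_nspr` from `nss_clean_all` as well, or make both targets conditional on one variable, so building and cleaning against the system NSPR stay symmetric.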