diff --git a/.gitignore b/.gitignore index d357569..b6751ad 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,4 @@ TestCA.ca.cert TestUser50.cert TestUser51.cert /nss-pem-20140125.tar.bz2 -/nss-3.16.2.tar.gz +/nss-3.17.4.tar.gz diff --git a/iquote.patch b/iquote.patch index 2d853c7..becdd7e 100644 --- a/iquote.patch +++ b/iquote.patch @@ -9,6 +9,32 @@ diff -up nss/cmd/bltest/Makefile.iquote nss/cmd/bltest/Makefile ####################################################################### +diff -up nss/cmd/certcgi/Makefile.iquote nss/cmd/certcgi/Makefile +--- nss/cmd/certcgi/Makefile.iquote 2014-08-19 10:18:35.713017904 -0700 ++++ nss/cmd/certcgi/Makefile 2014-08-19 10:19:36.106528087 -0700 +@@ -36,7 +36,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # +diff -up nss/cmd/certutil/Makefile.iquote nss/cmd/certutil/Makefile +--- nss/cmd/certutil/Makefile.iquote 2014-08-19 10:23:39.697585905 -0700 ++++ nss/cmd/certutil/Makefile 2014-08-19 10:24:31.060019803 -0700 +@@ -37,7 +37,8 @@ include $(CORE_DEPTH)/coreconf/rules.mk + # (6) Execute "component" rules. (OPTIONAL) # + ####################################################################### + +- ++INCLUDES += -iquote $(DIST)/../public/nss ++INCLUDES += -iquote $(DIST)/../private/nss + + ####################################################################### + # (7) Execute "local" rules. (OPTIONAL). # diff -up nss/cmd/lib/Makefile.iquote nss/cmd/lib/Makefile --- nss/cmd/lib/Makefile.iquote 2014-05-01 20:27:18.000000000 -0700 +++ nss/cmd/lib/Makefile 2014-05-06 07:15:41.174387806 -0700 diff --git a/nss.spec b/nss.spec index 5e95883..23d38c6 100644 --- a/nss.spec +++ b/nss.spec 
@@ -1,8 +1,8 @@ -%global nspr_version 4.10.6 -%global nss_util_version 3.16.2 -%global nss_softokn_version 3.16.2 +%global nspr_version 4.10.7 +%global nss_util_version 3.17.4 +%global nss_softokn_version 3.17.4 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools -%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv" +%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv" # solution taken from icedtea-web.spec %define multilib_arches %{power64} sparc64 x86_64 @@ -18,7 +18,7 @@ Summary: Network Security Services Name: nss -Version: 3.16.2 +Version: 3.17.4 Release: 2%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ @@ -74,7 +74,6 @@ Patch2: add-relro-linker-option.patch Patch3: renegotiate-transitional.patch Patch6: nss-enable-pem.patch Patch16: nss-539183.patch -Patch18: nss-646045.patch # must statically link pem against the freebl in the buildroot # Needed only when freebl on tree has new APIS Patch25: nsspem-use-system-freebl.patch 
@@ -91,8 +90,15 @@ Patch49: nss-skip-bltest-and-fipstest.patch # headers are older. Such is the case when starting an update with API changes or even private export changes. # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it. Patch50: iquote.patch -Patch52: disable-sslv2-libssl.patch -Patch53: disable-sslv2-tests.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1083900 +Patch51: tls12.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1057463 +# Implementing TLS 1.3 is a tracking bug and it's possible that +# it may necessitate disabling SSL2 support. SSL2 support has been +# disabled downstream in Red Hat Enterprise Linux since RHEL-7.0 +Patch52: disableSSL2.patch +# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1128367 +Patch92: scripts-syntax-errors.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -173,15 +179,17 @@ low level services. %patch3 -p0 -b .transitional %patch6 -p0 -b .libpem %patch16 -p0 -b .539183 -%patch18 -p0 -b .646045 # link pem against buildroot's freebl, essential when mixing and matching %patch25 -p0 -b .systemfreebl %patch40 -p0 -b .noocsptest %patch47 -p0 -b .templates %patch49 -p0 -b .skipthem %patch50 -p0 -b .iquote -%patch52 -p0 -b .disableSSL2 -%patch53 -p0 -b .disableSSL2 +pushd nss +%patch51 -p1 -b .994599 +%patch52 -p1 -b .disableSSL2 +%patch92 -p1 -b .syntax +popd ######################################################### # Higher-level libraries and test tools need access to 
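Review bot: Patch52 now names disableSSL2.patch, but this diff neither adds that file nor deletes the disable-sslv2-libssl.patch and disable-sslv2-tests.patch it replaces; unless disableSSL2.patch is already tracked in the repository, rpmbuild aborts with a missing-file error before the %prep section runs. The matching %patch52 line in the @@ -173 hunk is applied with -p1 inside `pushd nss`, which is consistent with the two new patch files in this diff being generated against the nss/ tree, so the strip level looks right. The backup suffix on `%patch51 -p1 -b .994599` refers to a downstream bug number while the Patch51 comment cites upstream bug 1083900; `%patch51 -p1 -b .tls12` would name the backup after the patch file, as the other %patch lines here do.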
@@ -433,7 +441,13 @@ nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits c # global nss_ssl_tests "normal_fips" # global nss_ssl_run "cov auth" -HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh +SKIP_NSS_TEST_SUITE=`echo $SKIP_NSS_TEST_SUITE` + +if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then + HOST=localhost DOMSUF=localdomain PORT=$MYRAND NSS_CYCLES=%{?nss_cycles} NSS_TESTS=%{?nss_tests} NSS_SSL_TESTS=%{?nss_ssl_tests} NSS_SSL_RUN=%{?nss_ssl_run} ./all.sh +else + echo "skipped test suite" +fi popd @@ -444,7 +458,13 @@ popd # GREP_EXIT_STATUS > 1 would indicate an error in grep such as failure to find the log file. killall $RANDSERV || : -TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +if [ "x$SKIP_NSS_TEST_SUITE" == "x" ]; then + TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$? +else + TEST_FAILURES=0 + GREP_EXIT_STATUS=1 +fi + if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then echo "okay: test suite detected no failures" else @@ -478,6 +498,12 @@ echo "test suite completed" %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir} %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory} %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig +%if %{defined rhel} +# not needed for rhel and its derivatives only fedora +%else +# because of the pp.1 conflict with perl-PAR-Packer +%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools +%endif mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5 
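Review bot: The first added line of the @@ -433 hunk reassigns SKIP_NSS_TEST_SUITE from `echo $SKIP_NSS_TEST_SUITE`, which is a no-op apart from collapsing whitespace; the variable is already inherited from the build environment, so the line can be dropped. Both this hunk and the @@ -444 hunk compare with `==` inside single brackets, a bash extension, so `if [ "x$SKIP_NSS_TEST_SUITE" = "x" ]; then` is the portable form. In the @@ -444 hunk the skip branch sets `GREP_EXIT_STATUS=1` purely so the following check prints `okay: test suite detected no failures`, which means a build whose suite never ran logs the same success line as one that passed and a log reader cannot tell them apart. Testing `$SKIP_NSS_TEST_SUITE` again in that if/else with a branch that echoes `test suite skipped` would keep the success message truthful; the rest of that if/else continues past the end of the hunk.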
@@ -549,6 +575,12 @@ done for f in "%{allTools}"; do install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1 done +%if %{defined rhel} +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1 +%else +install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1 +%endif + # Copy the man pages for the configuration files for f in pkcs11.txt; do install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5 @@ -617,6 +649,8 @@ fi %files %defattr(-,root,root) +%{!?_licensedir:%global license %%doc} +%license nss/COPYING %{_libdir}/libnss3.so %{_libdir}/libssl3.so %{_libdir}/libsmime3.so @@ -630,12 +664,12 @@ fi %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt -%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz -%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz +%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz %files sysinit %defattr(-,root,root) @@ -643,7 +677,7 @@ fi %{_bindir}/setup-nsssysinit.sh # symbolic link to setup-nsssysinit.sh %{_bindir}/setup-nsssysinit -%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz %files tools %defattr(-,root,root) 
@@ -668,26 +702,31 @@ fi %{unsupported_tools_directory}/vfychain # instead of %%{_mandir}/man*/* let's list them explicitely # supported tools -%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz # unsupported tools -%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz -%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz +%if %{defined rhel} +%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz +%else +%dir %{_datadir}/doc/nss-tools +%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1 +%endif +%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz %files devel %defattr(-,root,root) %{_libdir}/libcrmf.a %{_libdir}/pkgconfig/nss.pc %{_bindir}/nss-config -%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz +%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz %dir %{_includedir}/nss3 %{_includedir}/nss3/cert.h 
@@ -757,8 +796,52 @@ fi %changelog -* Fri Jul 18 2014 Elio Maldonado - 3.16.2-2 -- Disable support for ssl2 +* Wed Feb 04 2015 Elio Maldonado - 3.17.4-2 +- Disable SSL2 support and fix syntax errors in various shell scripts + +* Wed Jan 28 2015 Elio Maldonado - 3.17.4-1 +- Update to nss-3.17.4 + +* Sat Jan 24 2015 Ville Skyttä - 3.17.3-4 +- Own the %%{_datadir}/doc/nss-tools dir + +* Tue Dec 16 2014 Elio Maldonado - 3.17.3-3 +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer +- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1 +- Use %%{_mandir} instead of /usr/share/man as more generic + +* Mon Dec 15 2014 Elio Maldonado - 3.17.3-2 +- Install pp man page in alternative location +- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer + +* Fri Dec 05 2014 Elio Maldonado - 3.17.3-1 +- Update to nss-3.17.3 +- Resolves: Bug 1171012 - nss-3.17.3 is available + +* Thu Oct 16 2014 Elio Maldonado - 3.17.2-2 +- Resolves: Bug 994599 - Enable TLS 1.2 by default + +* Sun Oct 12 2014 Elio Maldonado - 3.17.2-1 +- Update to nss-3.17.2 + +* Wed Sep 24 2014 Kai Engert - 3.17.1-1 +- Update to nss-3.17.1 +- Add a mechanism to skip test suite execution during development work + +* Thu Aug 21 2014 Kevin Fenzi - 3.17.0-2 +- Rebuild for rpm bug 1131960 + +* Tue Aug 19 2014 Elio Maldonado - 3.17.0-1 +- Update to nss-3.17.0 + +* Sun Aug 17 2014 Fedora Release Engineering - 3.16.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Wed Jul 30 2014 Elio Maldonado - 3.16.2-3 +- Replace expired PayPal test cert with current one to prevent build failure + +* Fri Jul 18 2014 Tom Callaway - 3.16.2-2 +- fix license handling * Sun Jun 29 2014 Elio Maldonado - 3.16.2-1 - Update to nss-3.16.2 diff --git a/scripts-syntax-errors.patch b/scripts-syntax-errors.patch new file mode 100644 index 0000000..984141b --- /dev/null +++ b/scripts-syntax-errors.patch 
@@ -0,0 +1,87 @@ +diff --git a/tests/all.sh b/tests/all.sh +--- a/tests/all.sh ++++ b/tests/all.sh +@@ -296,17 +296,17 @@ fi + + # NOTE: + # Since in make at the top level, modutil is the last file + # created, we check for modutil to know whether the build + # is complete. If a new file is created after that, the + # following test for modutil should check for that instead. + # Exception: when building softoken only, shlibsign is the + # last file created. +-if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then ++if [ ${NSS_BUILD_SOFTOKEN_ONLY} = "1" ]; then + LAST_FILE_BUILT=shlibsign + else + LAST_FILE_BUILT=modutil + fi + + if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_FILE_BUILT}${PROG_SUFFIX} ]; then + echo "Build Incomplete. Aborting test." >> ${LOGFILE} + html_head "Testing Initialization" +diff --git a/tests/cipher/cipher.sh b/tests/cipher/cipher.sh +--- a/tests/cipher/cipher.sh ++++ b/tests/cipher/cipher.sh +@@ -119,17 +119,17 @@ cipher_cleanup() + } + + ################## main ################################################# + + # When building without softoken, bltest isn't built. It was already + # built and the cipher suite run as part of an nss-softoken build. + if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${PROG_SUFFIX} ]; then + echo "bltest not built, skipping this test." >> ${LOGFILE} +- res = 0 ++ #res = 0 + html_msg $res $EXP_RET "$TESTNAME" + return 0 + fi + cipher_init + # Skip cipher_main if this an NSS without softoken build. 
+ if [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" != "1" ]; then + cipher_main + fi +diff --git a/tests/common/init.sh b/tests/common/init.sh +--- a/tests/common/init.sh ++++ b/tests/common/init.sh +@@ -220,17 +220,17 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU + { + + html "" + html "" + echo "$SCRIPTNAME: $* ===============================" + } + html_msg() + { +- if [ "$1" -ne "$2" ] ; then ++ if [ "$1" != "$2" ] ; then + html_failed "$3" "$4" + else + html_passed "$3" "$4" + fi + } + HTML_FAILED='' + HTML_FAILED_CORE='' + HTML_PASSED='' +diff --git a/tests/dbtests/dbtests.sh b/tests/dbtests/dbtests.sh +--- a/tests/dbtests/dbtests.sh ++++ b/tests/dbtests/dbtests.sh +@@ -170,7 +170,7 @@ dbtest_main() + + # skipping the next two tests when user is root, + # otherwise they would fail due to rooty powers +- if [ $UID -ne 0 ] then ++ if [[ $UID -ne 0 ]]; then + ${BINDIR}/dbtest -d $RONLY_DIR + ret=$? + if [ $ret -ne 46 ]; then +@@ -181,7 +181,7 @@ dbtest_main() + else + html_passed "Skipping Dbtest r/w in a readonly dir because user is root" + fi +- if [ $UID -ne 0 ] then ++ if [[ $UID -ne 0 ]]; then + ${BINDIR}/certutil -D -n "TestUser" -d . + ret=$? + if [ $ret -ne 255 ]; then diff --git a/sources b/sources index 4dfe671..0c96330 100644 --- a/sources +++ b/sources @@ -3,9 +3,9 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db 73bc040a0542bba387e6dd7fb9fd7d23 blank-secmod.db 691e663ccc07b7a1eaa6f088e03bf8e2 blank-cert9.db 2ec9e0606ba40fe65196545564b7cc2a blank-key4.db -838b7b6e0c3563059f6e77d149666448 PayPalEE.cert +c9fefa97dc184a5857f12d938517ed81 PayPalEE.cert f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert b8a94e863c852e1f8b75e930e76f8640 nss-pem-20140125.tar.bz2 -afc6789c9d805db5be1e5f3c533394f1 nss-3.16.2.tar.gz +a77df26072cabf8afb26911b6fa9b755 nss-3.17.4.tar.gz diff --git a/tls12.patch b/tls12.patch new file mode 100644 index 0000000..0293383 --- /dev/null 
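Review bot: In the cipher.sh part of this patch, replacing `res = 0` with `#res = 0` leaves `res` unset, and the following `html_msg $res $EXP_RET "$TESTNAME"` then expands an unquoted empty `$res`, so html_msg's positional parameters shift by one and the patched comparison `"$1" != "$2"` in init.sh ends up testing $EXP_RET against the test name. The original line was an assignment with a stray space, so the fix is `res=0`, not commenting it out. The two dbtests.sh hunks switch to `[[ $UID -ne 0 ]]`, which is bash-only; since `$UID` is itself a bash variable that is acceptable, but `if [ "$UID" -ne 0 ]; then` repairs the missing `;` without adding the bashism.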
+++ b/tls12.patch @@ -0,0 +1,36 @@ +# HG changeset patch +# User Martin Thomson +# Date 1413479112 25200 +# Thu Oct 16 10:05:12 2014 -0700 +# Node ID f7e1c2c652f4c2522a0a5ec232ecebae1983053d +# Parent 24852c6f89ea7ed2b8f231320d9a0a03bdd706d4 +Bug 1083900 - Updating default maximum version to 1.2 + +diff --git a/lib/ssl/sslsock.c b/lib/ssl/sslsock.c +--- a/lib/ssl/sslsock.c ++++ b/lib/ssl/sslsock.c +@@ -85,22 +85,22 @@ static sslOptions ssl_defaults = { + PR_FALSE /* enableFallbackSCSV */ + }; + + /* + * default range of enabled SSL/TLS protocols + */ + static SSLVersionRange versions_defaults_stream = { + SSL_LIBRARY_VERSION_3_0, +- SSL_LIBRARY_VERSION_TLS_1_0 ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + static SSLVersionRange versions_defaults_datagram = { + SSL_LIBRARY_VERSION_TLS_1_1, +- SSL_LIBRARY_VERSION_TLS_1_1 ++ SSL_LIBRARY_VERSION_TLS_1_2 + }; + + #define VERSIONS_DEFAULTS(variant) \ + (variant == ssl_variant_stream ? &versions_defaults_stream : \ + &versions_defaults_datagram) + + sslSessionIDLookupFunc ssl_sid_lookup; + sslSessionIDCacheFunc ssl_sid_cache;
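Review bot: Only the upper bound of each default range moves here; versions_defaults_stream still begins at `SSL_LIBRARY_VERSION_3_0`, so after this patch the default stream range is SSL 3.0 through TLS 1.2 and SSL 3.0 stays negotiable unless the application narrows the range with SSL_VersionRangeSet. That matches the upstream change being backported, but the spec changelog describes it only as enabling TLS 1.2 by default, which says nothing about the floor. A fuller block comment in the hunk, e.g. `/* default range of enabled SSL/TLS protocols: only the maximum is raised here; the minimum stays SSL 3.0 (stream) and TLS 1.1 (datagram) */`, would make the resulting policy explicit to whoever next touches this downstream patch.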