Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer

- Install pp man page in %{_datadir}/doc/nss-tools/pp.1
- Use %{_mandir} instead of /usr/share/man as more generic

nss-ssl-cbc-random-iv-off-by-default.patch

@@ -0,0 +1,25 @@
+diff -up nss/lib/ssl/sslsock.c.cbcrandomivoff nss/lib/ssl/sslsock.c
+--- nss/lib/ssl/sslsock.c.cbcrandomivoff	2014-08-25 11:43:06.706511447 -0700
++++ nss/lib/ssl/sslsock.c	2014-08-25 11:45:49.931041264 -0700
+@@ -77,7 +77,7 @@ static sslOptions ssl_defaults = {
+     3,          /* enableRenegotiation (default: transitional) */
+     PR_FALSE,   /* requireSafeNegotiation */
+     PR_FALSE,   /* enableFalseStart   */
+-    PR_TRUE,    /* cbcRandomIV        */
++    PR_FALSE,   /* cbcRandomIV       */ /* defaults to off for compatibility */
+     PR_FALSE,   /* enableOCSPStapling */
+     PR_TRUE,    /* enableNPN          */
+     PR_FALSE,   /* enableALPN         */
+@@ -2899,9 +2899,9 @@ ssl_SetDefaultsFromEnvironment(void)
+                         PR_TRUE));
+         }
+         ev = getenv("NSS_SSL_CBC_RANDOM_IV");
+-        if (ev && ev[0] == '0') {
+-            ssl_defaults.cbcRandomIV = PR_FALSE;
+-            SSL_TRACE(("SSL: cbcRandomIV set to 0"));
++        if (ev && ev[0] == '1') {
++            ssl_defaults.cbcRandomIV = PR_TRUE;
++            SSL_TRACE(("SSL: cbcRandomIV set to 1"));
+         }
+     }
+ #endif /* NSS_HAVE_GETENV */

nss.spec

@@ -2,10 +2,10 @@
 %global nss_util_version 3.17.3
 %global nss_softokn_version 3.17.3
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
-%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
+%global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
 # solution taken from icedtea-web.spec
-%define multilib_arches %{power64} sparc64 x86_64
+%define multilib_arches ppc64 sparc64 x86_64
 %ifarch %{multilib_arches}
 %define alt_ckbi  libnssckbi.so.%{_arch}
 %else
@@ -19,7 +19,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.17.3
-Release:          1%{?dist}
+Release:          2%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -78,6 +78,8 @@ Patch18:          nss-646045.patch
 # must statically link pem against the freebl in the buildroot
 # Needed only when freebl on tree has new APIS
 Patch25:          nsspem-use-system-freebl.patch
+# This patch is currently meant for stable branches
+Patch29:          nss-ssl-cbc-random-iv-off-by-default.patch
 # TODO: Remove this patch when the ocsp test are fixed
 Patch40:          nss-3.14.0.0-disble-ocsp-test.patch
 # Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
@@ -176,6 +178,8 @@ low level services.
 %patch18 -p0 -b .646045
 # link pem against buildroot's freebl, essential when mixing and matching
 %patch25 -p0 -b .systemfreebl
+# activate for stable branches
+%patch29 -p0 -b .cbcrandomivoff
 %patch40 -p0 -b .noocsptest
 %patch47 -p0 -b .templates
 %patch49 -p0 -b .skipthem
@@ -266,7 +270,7 @@ export NSS_BUILD_WITHOUT_SOFTOKEN=1
 NSS_USE_SYSTEM_SQLITE=1
 export NSS_USE_SYSTEM_SQLITE
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
 USE_64=1
 export USE_64
 %endif
@@ -366,7 +370,7 @@ export FREEBL_NO_DEPEND
 BUILD_OPT=1
 export BUILD_OPT
 
-%ifarch x86_64 %{power64} ia64 s390x sparc64 aarch64
+%ifarch x86_64 ppc64 ia64 s390x sparc64 aarch64
 USE_64=1
 export USE_64
 %endif
@@ -485,6 +489,12 @@ echo "test suite completed"
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{unsupported_tools_directory}
 %{__mkdir_p} $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
+%if %{defined rhel}
+# not needed for rhel and its derivatives only fedora
+%else
+# because of the pp.1 conflict with perl-PAR-Packer
+%{__mkdir_p} $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools
+%endif
 
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man1
 mkdir -p $RPM_BUILD_ROOT%{_mandir}/man5
@@ -556,6 +566,12 @@ done
 for f in "%{allTools}"; do 
    install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
+%if %{defined rhel}
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
+%else
+install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
+%endif
+
 # Copy the man pages for the configuration files
 for f in pkcs11.txt; do 
    install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
@@ -639,12 +655,12 @@ fi
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
 %config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
-%attr(0644,root,root) %doc /usr/share/man/man5/cert8.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key3.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/secmod.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/cert9.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/key4.db.5.gz
-%attr(0644,root,root) %doc /usr/share/man/man5/pkcs11.txt.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/cert8.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key3.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/secmod.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/cert9.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/key4.db.5.gz
+%attr(0644,root,root) %doc %{_mandir}/man5/pkcs11.txt.5.gz
 
 %files sysinit
 %defattr(-,root,root)
@@ -652,7 +668,7 @@ fi
 %{_bindir}/setup-nsssysinit.sh
 # symbolic link to setup-nsssysinit.sh
 %{_bindir}/setup-nsssysinit
-%attr(0644,root,root) %doc /usr/share/man/man1/setup-nsssysinit.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/setup-nsssysinit.1.gz
 
 %files tools
 %defattr(-,root,root)
@@ -677,26 +693,30 @@ fi
 %{unsupported_tools_directory}/vfychain
 # instead of %%{_mandir}/man*/* let's list them explicitely
 # supported tools
-%attr(0644,root,root) %doc /usr/share/man/man1/certutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/cmsutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/crlutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/modutil.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/pk12util.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/signtool.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/signver.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/certutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/cmsutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/crlutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/modutil.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/pk12util.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signtool.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/signver.1.gz
 # unsupported tools
-%attr(0644,root,root) %doc /usr/share/man/man1/derdump.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/pp.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/ssltap.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/vfychain.1.gz
-%attr(0644,root,root) %doc /usr/share/man/man1/vfyserv.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/derdump.1.gz
+%if %{defined rhel}
+%attr(0644,root,root) %doc %{_mandir}/man1/pp.1.gz
+%else
+%attr(0644,root,root) %doc %{_datadir}/doc/nss-tools/pp.1
+%endif
+%attr(0644,root,root) %doc %{_mandir}/man1/ssltap.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfychain.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/vfyserv.1.gz
 
 %files devel
 %defattr(-,root,root)
 %{_libdir}/libcrmf.a
 %{_libdir}/pkgconfig/nss.pc
 %{_bindir}/nss-config
-%attr(0644,root,root) %doc /usr/share/man/man1/nss-config.1.gz
+%attr(0644,root,root) %doc %{_mandir}/man1/nss-config.1.gz
 
 %dir %{_includedir}/nss3
 %{_includedir}/nss3/cert.h
@@ -766,53 +786,39 @@ fi
 
 
 %changelog
-* Fri Dec 05 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
+* Mon Dec 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-2
+- Resolves: Bug 987189 - nss-tools RPM conflicts with perl-PAR-Packer
+- Install pp man page in %%{_datadir}/doc/nss-tools/pp.1
+- Use %%{_mandir} instead of /usr/share/man as more generic
+
+* Sat Dec 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.3-1
 - Update to nss-3.17.3
 - Resolves: Bug 1171012 - nss-3.17.3 is available
-
-* Thu Oct 16 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-2
 - Resolves: Bug 994599 - Enable TLS 1.2 by default
 
-* Sun Oct 12 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-1
+* Mon Oct 13 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.2-1
 - Update to nss-3.17.2
 
 * Wed Sep 24 2014 Kai Engert <kaie@redhat.com> - 3.17.1-1
 - Update to nss-3.17.1
 - Add a mechanism to skip test suite execution during development work
 
-* Thu Aug 21 2014 Kevin Fenzi <kevin@scrye.com> - 3.17.0-2
-- Rebuild for rpm bug 1131960
-
-* Tue Aug 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.0-1
+* Fri Aug 22 2014 Elio Maldonado <emaldona@redhat.com> - 3.17.0-1
 - Update to nss-3.17.0
 
-* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.2-4
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
-
-* Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-3
+* Wed Jul 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-2
 - Replace expired PayPal test cert with current one to prevent build failure
 
-* Fri Jul 18 2014 Tom Callaway <spot@fedoraproject.org> - 3.16.2-2
-- fix license handling
-
-* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
+* Mon Jun 30 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
 - Update to nss-3.16.2
-
-* Sun Jun 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-4
-- Remove unwanted source directories at end of %%prep so it truly does it
+- Remove unwanted source directories at end of %%prep so it truly removes them
 - Skip the cipher suite already run as part of the nss-softokn build
-
-* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
-
-* Mon May 12 2014 Jaromir Capik <jcapik@redhat.com> - 3.16.1-2
-- Replacing ppc64 and ppc64le with the power64 macro
-- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
+- Resolves: Bug 1114319 - nss-3.16.2 is available
 
 * Tue May 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-1
 - Update to nss-3.16.1
 - Update the iquote patch on account of the rebase
-- Improve error detection in the %%section
+- Improve test error detection in the %%section
 - Resolves: Bug 1094702 - nss-3.16.1 is available
 
 * Tue Mar 18 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.0-1
@@ -820,71 +826,57 @@ fi
 - Cleanup the copying of the tools man pages
 - Update the iquote.patch on account of the rebase
 
-* Tue Mar 04 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.5-2
-- Restore requiring nss_softokn_version >= 3.15.5
-
-* Wed Feb 19 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.5-1
-- Update to nss-3.15.5
-- Temporarily requiring only nss_softokn_version >= 3.15.4
-- Fix location of sharedb files and their manpages
-- Move cert9.db, key4.db, and pkcs11.txt to the main package
-- Move nss-sysinit manpages tar archives to the main package
-- Resolves: Bug 1066877 - nss-3.15.5 is available
+* Fri Feb 28 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.5-1
+- Update to nss-3.15.5 - Resolves: Bug 1066877
+- Pick fix for same files in two packages that can create rpm conflict
+- Move cert9.db, key4.db, and pkcs11.txt and their man pages to the main package where they rightfully belong
 - Resolves: Bug 1067091 - Move sharedb files to the %%files section
 
-* Thu Feb 06 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-5
+* Sat Feb 08 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
 - Revert previous change that moved some sysinit manpages
 - Restore nss-sysinit manpages tar archives to %%files sysinit
 - Removing spurious wildcard entry was the only change needed
 
-* Mon Jan 27 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-4
-- Add explanatory comments for iquote.patch as was done on f20
-
-* Sat Jan 25 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-3
+* Sun Feb 02 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-2
+- Selective merge fom f20 to pick up various fixes
 - Update pem sources to latest from nss-pem upstream
 - Pick up pem fixes verified on RHEL and applied upstream
 - Fix a problem where same files in two rpms created rpm conflict
-- Move some nss-sysinit manpages tar archives to the %%files the
 - All man pages are listed by name so there shouldn't be wildcard inclusion
-- Add support for ppc64le, Resolves: Bug 1052545
 
-* Mon Jan 20 2014 Peter Robinson <pbrobinson@fedoraproject.org> 3.15.4-2
-- ARM tests pass so remove ARM conditional
-
-* Tue Jan 07 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-1
+* Fri Jan 17 2014 Elio Maldonado <emaldona@redhat.com> - 3.15.4-1
 - Update to nss-3.15.4 (hg tag NSS_3_15_4_RTM)
 - Resolves: Bug 1049229 - nss-3.15.4 is available
+- Resolves: Bug 1054456 - CVE-2013-1740 nss: false start PR_Recv information disclosure security issue
 - Update pem sources to latest from the interim upstream for pem
 - Remove no longer needed patches
 - Update pem/rsawrapr.c patch on account of upstream changes to freebl/softoken
 - Update iquote.patch on account of upstream changes
+- Add comments documenting the iquote patch
+- Selective merge from master and f20
 
-* Wed Dec 11 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
+* Wed Dec 18 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3.1-1
 - Update to nss-3.15.3.1 (hg tag NSS_3_15_3_1_RTM)
 - Resolves: Bug 1040282 - nss: Mis-issued ANSSI/DCSSI certificate (MFSA 2013-117)
 - Resolves: Bug 1040192 - nss-3.15.3.1 is available
+- Install symlink to setup-nsssysinit.sh, without suffix, to match manpage
 
-* Tue Dec 03 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-2
-- Bump the release tag
-
-* Sun Nov 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
+* Wed Dec 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.3-1
 - Update to NSS_3_15_3_RTM
 - Resolves: Bug 1031897 - CVE-2013-5605 CVE-2013-5606 CVE-2013-1741 nss: various flaws
 - Fix option descriptions for setup-nsssysinit manpage
 - Fix man page of nss-sysinit wrong path and other flaws
-- Document email option for certutil manpage
+- Install symlink to setup-nsssysinit.sh, without suffix, to match manpage
 - Remove unused patches
 
-* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-3
-- Revert one change from last commit to preserve full nss pluggable ecc supprt [1019245]
-
-* Wed Oct 23 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
-- Use the full sources from upstream
+* Sun Oct 27 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-2
+- Use the full pristine sources from upstream
 - Bug 1019245 - ECDHE in openssl available -> NSS needs too for Firefox/Thunderbird
 
 * Thu Sep 26 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.2-1
 - Update to NSS_3_15_2_RTM
 - Update iquote.patch on account of modified prototype on cert.h installed by nss-devel
+- Keep the nss-ssl-cbc-random-iv-off-by-default.patch enabled
 
 * Wed Aug 28 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-7
 - Update pem sources to pick up a patch applied upstream which a faulty merge had missed
@@ -904,11 +896,11 @@ fi
 - Ignore invalid-url Source0 as it comes from the git lookaside cache
 - Ignore invalid-url Source12 as it comes from the git lookaside cache
 
-* Thu Jul 25 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
+* Fri Aug 02 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-3
 - Add man page for pkcs11.txt configuration file and cert and key databases
 - Resolves: rhbz#985114 - Provide man pages for the nss configuration files
 
-* Fri Jul 19 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
+* Wed Jul 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15.1-2
 - Fix errors in the man pages
 - Resolves: rhbz#984106 - Add missing option descriptions to man pages for {cert|cms|crl}util
 - Resolves: rhbz#982856 - Fix path to script in man page for nss-sysinit
@@ -934,17 +926,13 @@ fi
 * Sat Jun 15 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-1
 - Update to NSS_3_15_RTM
 
-* Wed Apr 24 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.2
-- Fix incorrect path that hid failed test from view
-- Add ocsp to the test suites to run but ...
-- Temporarily disable the ocsp stapling tests
-- Do not treat failed attempts at ssl pkcs11 bypass as fatal errors
+* Tue May 14 2013 Elio Maldonado <emaldona@redhat.com> - 3.14.3-13.0
+- Reactivate nss-ssl-cbc-random-iv-off-by-default.patch
 
-* Thu Apr 04 2013 Elio Maldonado <emaldona@redhat.com> - 3.15-0.1.beta1.1
-- Update to NSS_3_15_BETA1
-- Update spec file, patches, and helper scripts on account of a shallower source tree
+* Fri Apr 19 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12.0
+- Add upstream patch to fix rhbz#872761
 
-* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-12
+* Sun Mar 24 2013 Kai Engert <kaie@redhat.com> - 3.14.3-11
 - Update expired test certificates (fixed in upstream bug 852781)
 
 * Fri Mar 08 2013 Kai Engert <kaie@redhat.com> - 3.14.3-10