Compare commits
3 Commits
master
...
private-di
| Author | SHA1 | Date |
|---|---|---|
Elio Maldonado
|
5b04337f78 | |
|
Elio Maldonado
|
f2b8284caa | |
|
Elio Maldonado
|
d0f5af3a94 |
|
|
@ -0,0 +1,75 @@
|
|||
diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
|
||||
--- ./nss/lib/ssl/config.mk.disableSSL2 2013-09-25 06:57:55.000000000 -0700
|
||||
+++ ./nss/lib/ssl/config.mk 2013-11-05 16:09:47.459727948 -0800
|
||||
@@ -7,6 +7,10 @@ ifdef NISCC_TEST
|
||||
DEFINES += -DNISCC_TEST
|
||||
endif
|
||||
|
||||
+ifdef NSS_NO_SSL2
|
||||
+DEFINES += -DNSS_NO_SSL2
|
||||
+endif
|
||||
+
|
||||
ifdef NSS_NO_PKCS11_BYPASS
|
||||
DEFINES += -DNO_PKCS11_BYPASS
|
||||
else
|
||||
diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
|
||||
--- ./nss/lib/ssl/sslsock.c.disableSSL2 2014-07-10 18:45:18.756370281 -0700
|
||||
+++ ./nss/lib/ssl/sslsock.c 2014-07-10 18:47:55.956392803 -0700
|
||||
@@ -653,6 +653,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_ENABLE_SSL2:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ }
|
||||
+ break;
|
||||
+ ss->opt.enableSSL2 = on;
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -664,6 +672,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
if (on) {
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
}
|
||||
+#endif
|
||||
ss->preferredCipher = NULL;
|
||||
if (ss->cipherSpecs) {
|
||||
PORT_Free(ss->cipherSpecs);
|
||||
@@ -685,6 +694,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
break;
|
||||
|
||||
case SSL_V2_COMPATIBLE_HELLO:
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ if (on) {
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+ break;
|
||||
+ }
|
||||
+#else
|
||||
if (IS_DTLS(ss)) {
|
||||
if (on) {
|
||||
PORT_SetError(SEC_ERROR_INVALID_ARGS);
|
||||
@@ -692,6 +708,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
|
||||
}
|
||||
break;
|
||||
}
|
||||
+#endif
|
||||
ss->opt.v2CompatibleHello = on;
|
||||
if (!on) {
|
||||
ss->opt.enableSSL2 = on;
|
||||
@@ -1146,7 +1163,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
|
||||
if (ssl_IsRemovedCipherSuite(which)) {
|
||||
rv = SECSuccess;
|
||||
} else if (SSL_IS_SSL2_CIPHER(which)) {
|
||||
+#ifdef NSS_NO_SSL2
|
||||
+ PORT_SetError(SSL_ERROR_SSL2_DISABLED);
|
||||
+ rv = SECFailure; /* not allowed */
|
||||
+#else
|
||||
rv = ssl2_SetPolicy(which, policy);
|
||||
+#endif
|
||||
} else {
|
||||
rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
|
||||
}
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
|
||||
--- ./nss/tests/chains/chains.sh.disableSSL2 2014-05-31 08:05:08.487016999 -0700
|
||||
+++ ./nss/tests/chains/chains.sh 2014-05-31 08:07:53.817239640 -0700
|
||||
@@ -40,7 +40,11 @@ is_httpserv_alive()
|
||||
fi
|
||||
|
||||
echo "kill -0 ${PID} >/dev/null 2>/dev/null"
|
||||
+ if [ "${NSS_NO_SSL2}" = "1" ]; then
|
||||
+ echo "skipping kill because NSS_NO_SSL=${NSS_NO_SSL2}"
|
||||
+ else
|
||||
kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
|
||||
+ fi
|
||||
|
||||
echo "httpserv with PID ${PID} found at `date`"
|
||||
}
|
||||
@@ -59,7 +63,11 @@ wait_for_httpserv()
|
||||
echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
|
||||
${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
|
||||
if [ $? -ne 0 ]; then
|
||||
- html_failed "Waiting for Server"
|
||||
+ if [ "${NSS_NO_SSL2}" = "1" ]; then
|
||||
+ html_passed "Waiting for Server is supposed to fail"
|
||||
+ else
|
||||
+ html_failed "Waiting for Server"
|
||||
+ fi
|
||||
fi
|
||||
fi
|
||||
is_httpserv_alive
|
||||
@@ -1180,7 +1188,11 @@ parse_config()
|
||||
TESTNAME="Test that OCSP server is reachable"
|
||||
check_ocsp ${VALUE}
|
||||
if [ $? -ne 0 ]; then
|
||||
+ if [ "${NSS_NO_SSL2}" = "1" ]; then
|
||||
+ html_passed "$TESTNAME"
|
||||
+ else
|
||||
html_failed "$TESTNAME"
|
||||
+ fi
|
||||
break;
|
||||
else
|
||||
html_passed "$TESTNAME"
|
||||
diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
|
||||
--- ./nss/tests/ssl/ssl.sh.disableSSL2 2014-05-01 20:27:18.000000000 -0700
|
||||
+++ ./nss/tests/ssl/ssl.sh 2014-05-31 08:04:34.586582044 -0700
|
||||
@@ -278,6 +278,12 @@ ssl_cov()
|
||||
echo "${testname}" | grep "SSL2" > /dev/null
|
||||
SSL2=$?
|
||||
|
||||
+ # skip export and ssl2 tests when build has disabled SSL2
|
||||
+ if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
|
||||
+ echo "SKIPPED"
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
if [ "${SSL2}" -eq 0 ] ; then
|
||||
# We cannot use asynchronous cert verification with SSL2
|
||||
SSL2_FLAGS=-O
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
diff -up nss/tests/all.sh.crypto nss/tests/all.sh
|
||||
--- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
|
||||
@@ -299,9 +299,10 @@ fi
|
||||
# created, we check for modutil to know whether the build
|
||||
# is complete. If a new file is created after that, the
|
||||
# following test for modutil should check for that instead.
|
||||
+# Except when building softoken only where shlibsign is the last one built.
|
||||
+export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
|
||||
|
||||
-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
|
||||
- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
|
||||
+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
|
||||
echo "Build Incomplete. Aborting test." >> ${LOGFILE}
|
||||
html_head "Testing Initialization"
|
||||
Exit "Checking for build"
|
||||
diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
|
||||
--- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
|
||||
+++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
|
||||
@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
|
||||
return 0
|
||||
fi
|
||||
cipher_init
|
||||
-cipher_main
|
||||
-cipher_gcm
|
||||
+if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
|
||||
+ echo "Skipping cipher_gcm because this is a softoken only build"
|
||||
+ cipher_main
|
||||
+elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
|
||||
+ echo "Skipping cipher_main because this an nss without softoken build"
|
||||
+ cipher_gcm
|
||||
+else
|
||||
+ # default is to run both
|
||||
+ cipher_init
|
||||
+ cipher_main
|
||||
+ cipher_gcm
|
||||
+fi
|
||||
cipher_cleanup
|
||||
70
nss.spec
70
nss.spec
|
|
@ -1,6 +1,6 @@
|
|||
%global nspr_version 4.10.5
|
||||
%global nss_util_version 3.16.1
|
||||
%global nss_softokn_version 3.16.1
|
||||
%global nspr_version 4.10.6
|
||||
%global nss_util_version 3.16.2
|
||||
%global nss_softokn_version 3.16.2
|
||||
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
|
||||
%global allTools "certutil cmsutil crlutil derdump modutil pk12util pp signtool signver ssltap vfychain vfyserv"
|
||||
|
||||
|
|
@ -18,7 +18,7 @@
|
|||
|
||||
Summary: Network Security Services
|
||||
Name: nss
|
||||
Version: 3.16.1
|
||||
Version: 3.16.2
|
||||
Release: 2%{?dist}
|
||||
License: MPLv2.0
|
||||
URL: http://www.mozilla.org/projects/security/pki/nss/
|
||||
|
|
@ -82,8 +82,6 @@ Patch25: nsspem-use-system-freebl.patch
|
|||
Patch40: nss-3.14.0.0-disble-ocsp-test.patch
|
||||
# Fedora / RHEL-only patch, the templates directory was originally introduced to support mod_revocator
|
||||
Patch47: utilwrap-include-templates.patch
|
||||
# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=902171
|
||||
Patch48: nss-versus-softoken-tests.patch
|
||||
# TODO remove when we switch to building nss without softoken
|
||||
Patch49: nss-skip-bltest-and-fipstest.patch
|
||||
# This patch uses the gcc-iquote dir option documented at
|
||||
|
|
@ -94,6 +92,9 @@ Patch49: nss-skip-bltest-and-fipstest.patch
|
|||
# Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
|
||||
Patch50: iquote.patch
|
||||
|
||||
Patch51: disable-sslv2-libssl.patch
|
||||
Patch52: disable-sslv2-tests.patch
|
||||
|
||||
%description
|
||||
Network Security Services (NSS) is a set of libraries designed to
|
||||
support cross-platform development of security-enabled client and
|
||||
|
|
@ -178,9 +179,10 @@ low level services.
|
|||
%patch25 -p0 -b .systemfreebl
|
||||
%patch40 -p0 -b .noocsptest
|
||||
%patch47 -p0 -b .templates
|
||||
%patch48 -p0 -b .crypto
|
||||
%patch49 -p0 -b .skipthem
|
||||
%patch50 -p0 -b .iquote
|
||||
%patch51 -p0 -b .disableSSL2
|
||||
%patch52 -p0 -b .disableSSL2
|
||||
|
||||
#########################################################
|
||||
# Higher-level libraries and test tools need access to
|
||||
|
|
@ -198,9 +200,23 @@ done
|
|||
%{__cp} ./nss/lib/softoken/lowkeyi.h ./nss/cmd/rsaperf
|
||||
%{__cp} ./nss/lib/softoken/lowkeyti.h ./nss/cmd/rsaperf
|
||||
|
||||
##### Remove util/freebl/softoken and low level tools
|
||||
######## Remove freebl, softoken and util
|
||||
%{__rm} -rf ./nss/lib/freebl
|
||||
%{__rm} -rf ./nss/lib/softoken
|
||||
%{__rm} -rf ./nss/lib/util
|
||||
######## Remove nss-softokn test tools as we already ran
|
||||
# the cipher test suite as part of the nss-softokn build
|
||||
%{__rm} -rf ./nss/cmd/bltest
|
||||
%{__rm} -rf ./nss/cmd/fipstest
|
||||
%{__rm} -rf ./nss/cmd/rsaperf_low
|
||||
|
||||
%build
|
||||
|
||||
if [ ${DISABLE_SSL2:-0} -eq 1 ]; then
|
||||
export NSS_NO_SSL2=1
|
||||
fi
|
||||
|
||||
NSS_NO_PKCS11_BYPASS=1
|
||||
export NSS_NO_PKCS11_BYPASS
|
||||
|
||||
|
|
@ -262,17 +278,6 @@ export USE_64
|
|||
# uncomment if the iquote patch is activated
|
||||
export IN_TREE_FREEBL_HEADERS_FIRST=1
|
||||
|
||||
##### phase 1: remove util/freebl/softoken and low level tools
|
||||
#
|
||||
######## Remove freebl, softoken and util
|
||||
%{__rm} -rf ./mozilla/security/nss/lib/freebl
|
||||
%{__rm} -rf ./mozilla/security/nss/lib/softoken
|
||||
%{__rm} -rf ./mozilla/security/nss/lib/util
|
||||
######## Remove nss-softokn test tools
|
||||
%{__rm} -rf ./mozilla/security/nss/cmd/bltest
|
||||
%{__rm} -rf ./mozilla/security/nss/cmd/fipstest
|
||||
%{__rm} -rf ./mozilla/security/nss/cmd/rsaperf_low
|
||||
|
||||
##### phase 2: build the rest of nss
|
||||
# nss supports pluggable ecc with more than suite-b
|
||||
NSS_ECC_MORE_THAN_SUITE_B=1
|
||||
|
|
@ -289,7 +294,7 @@ pushd ./nss
|
|||
%{__make} clean_docs build_docs
|
||||
popd
|
||||
|
||||
# and copy them to the dist directory
|
||||
# and copy them to the dist directory for %%install to find them
|
||||
%{__mkdir_p} ./dist/docs/nroff
|
||||
%{__cp} ./nss/doc/nroff/* ./dist/docs/nroff
|
||||
|
||||
|
|
@ -353,12 +358,18 @@ done
|
|||
|
||||
|
||||
%check
|
||||
if [ $DISABLETEST -eq 1 ]; then
|
||||
if [ ${DISABLETEST:-0} -eq 1 ]; then
|
||||
echo "testing disabled"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Begin -- copied from the build section
|
||||
|
||||
# inform the ssl test scripts that SSL2 is disabled
|
||||
if [ ${DISABLE_SSL2:-0} -eq 1 ]; then
|
||||
export NSS_NO_SSL2=1
|
||||
fi
|
||||
|
||||
FREEBL_NO_DEPEND=1
|
||||
export FREEBL_NO_DEPEND
|
||||
|
||||
|
|
@ -418,7 +429,7 @@ pushd ./nss/tests/
|
|||
|
||||
# don't need to run all the tests when testing packaging
|
||||
# nss_cycles: standard pkix upgradedb sharedb
|
||||
nss_tests="cipher libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
nss_tests="libpkix cert dbtests tools fips sdr crmf smime ssl ocsp merge pkits chains"
|
||||
# nss_ssl_tests: crl bypass_normal normal_bypass normal_fips fips_normal iopr
|
||||
# nss_ssl_run: cov auth stress
|
||||
#
|
||||
|
|
@ -441,7 +452,7 @@ killall $RANDSERV || :
|
|||
TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
|
||||
if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
|
||||
echo "okay: test suite detected no failures"
|
||||
else
|
||||
else
|
||||
if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
|
||||
# while a situation in which grep return status is 0 and it doesn't output
|
||||
# anything shouldn't happen, set the default to something that is
|
||||
|
|
@ -541,7 +552,7 @@ for f in nss-config setup-nsssysinit; do
|
|||
done
|
||||
# Copy the man pages for the nss tools
|
||||
for f in "%{allTools}"; do
|
||||
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
|
||||
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
|
||||
done
|
||||
# Copy the man pages for the configuration files
|
||||
for f in pkcs11.txt; do
|
||||
|
|
@ -751,6 +762,19 @@ fi
|
|||
|
||||
|
||||
%changelog
|
||||
* Thu Jul 10 2014 Elio Maldonado <emaldona@redhat.com> -3.16.1-2
|
||||
- rebuilt with ssl2 disabled
|
||||
|
||||
* Sun Jun 29 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.2-1
|
||||
- Update to nss-3.16.2
|
||||
|
||||
* Sun Jun 15 2014 Elio Maldonado <emaldona@redhat.com> - 3.16.1-4
|
||||
- Remove unwanted source directories at end of %%prep so it truly does it
|
||||
- Skip the cipher suite already run as part of the nss-softokn build
|
||||
|
||||
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.16.1-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
|
||||
|
||||
* Mon May 12 2014 Jaromir Capik <jcapik@redhat.com> - 3.16.1-2
|
||||
- Replacing ppc64 and ppc64le with the power64 macro
|
||||
- Related: Bug 1052545 - Trivial change for ppc64le in nss spec
|
||||
|
|
|
|||
Loading…
Reference in New Issue