Compare commits


No commits in common. 'c9' and 'i10c-beta' have entirely different histories.

.gitignore vendored

@ -1,4 +1,3 @@
SOURCES/blank-cert9.db
SOURCES/blank-key4.db
SOURCES/nspr-4.35.tar.gz
SOURCES/nss-3.101.tar.gz
SOURCES/nss-3.101-with-nspr-4.35.tar.gz

@ -1,4 +1,3 @@
b5570125fbf6bfb410705706af48217a0817c03a SOURCES/blank-cert9.db
f9c9568442386da370193474de1b25c3f68cdaf6 SOURCES/blank-key4.db
71267859a581d61fea8d7d36c25f716750271cac SOURCES/nspr-4.35.tar.gz
90f6f1d5440e7cc72cd27f2ecf2e8f3f680a00aa SOURCES/nss-3.101.tar.gz
592ea337ee2504efb09a21a4593cc1f19e4477c2 SOURCES/nss-3.101-with-nspr-4.35.tar.gz


@ -1,14 +0,0 @@
diff -up ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default ./cmd/pk12util/pk12util.c
--- ./cmd/pk12util/pk12util.c.no_pkcs12_macpbe_default 2024-07-18 08:26:35.773248450 -0700
+++ ./cmd/pk12util/pk12util.c 2024-07-18 08:27:05.796595554 -0700
@@ -1165,10 +1165,6 @@ main(int argc, char **argv)
}
}
}
- /* in FIPS mode default to encoding with pkcs5v2 for the MAC */
- if (PK11_IsFIPS()) {
- hash = SEC_OID_HMAC_SHA256;
- }
if (pk12util.options[opt_Mac].activated) {
char *hashString = pk12util.options[opt_Mac].arg;

@ -0,0 +1,12 @@
diff -up ./tests/fips/cavs_scripts/validate1.sh.fix_cavs ./tests/fips/cavs_scripts/validate1.sh
--- ./tests/fips/cavs_scripts/validate1.sh.fix_cavs 2024-09-12 14:39:41.421586862 -0700
+++ ./tests/fips/cavs_scripts/validate1.sh 2024-09-12 14:39:55.036747283 -0700
@@ -21,7 +21,7 @@ name=`basename $request .req`
echo ">>>>> $name"
sed -e 's; ;;g' -e 's; ; ;g' -e '/^#/d' $extraneous_response ${TESTDIR}/resp/${name}.rsp > /tmp/y1
# if we didn't generate any output, flag that as an error
-size=`sum /tmp/y1 | awk '{ print $NF }'`
+size=`sum /tmp/y1 | awk '{ print $1 }'`
if [ $size -eq 0 ]; then
echo "${TESTDIR}/resp/${name}.rsp: empty"
exit 1;
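Review bot: Switching the awk field from `$NF` to `$1` still detects "empty output" indirectly through `sum`, and the two fields mean different things: with a single file argument GNU coreutils prints `checksum blocks`, so `$NF` was the 1K block count (zero exactly when the file is empty) while `$1` is a 16-bit checksum that is zero for an empty file but can also be zero for non-empty output, turning a valid response into a false "empty" failure; if the change was made because some platform's `sum` prints a trailing filename, that is worth saying in the patch header, since nothing visible records it. The variable is still named `size`, which now misdescribes what it holds. A direct emptiness test is exact, portable and matches the comment above it: replace the `size=` line and the test with `if [ ! -s /tmp/y1 ]; then`. The enclosing loop of validate1.sh continues outside the hunk.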

@ -1,83 +0,0 @@
diff -up ./lib/pkcs12/p12plcy.c.no_p12_smime_policy ./lib/pkcs12/p12plcy.c
--- ./lib/pkcs12/p12plcy.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/pkcs12/p12plcy.c 2024-07-17 11:26:00.334836451 -0700
@@ -37,6 +37,7 @@ static pkcs12SuiteMap pkcs12SuiteMaps[]
static PRBool
sec_PKCS12Allowed(SECOidTag alg, PRUint32 needed)
{
+#ifdef notdef
PRUint32 policy;
SECStatus rv;
@@ -48,6 +49,9 @@ sec_PKCS12Allowed(SECOidTag alg, PRUint3
return PR_TRUE;
}
return PR_FALSE;
+#else
+ return PR_TRUE;
+#endif
}
PRBool
diff -up ./lib/smime/smimeutil.c.no_p12_smime_policy ./lib/smime/smimeutil.c
--- ./lib/smime/smimeutil.c.no_p12_smime_policy 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/smime/smimeutil.c 2024-07-17 11:27:04.716617111 -0700
@@ -202,6 +202,7 @@ smime_get_policy_tag_from_key_length(SEC
PRBool
smime_allowed_by_policy(SECOidTag algtag, PRUint32 neededPolicy)
{
+#ifdef notdef
PRUint32 policyFlags;
/* some S/MIME algs map to the same underlying KEA mechanism,
@@ -221,6 +222,7 @@ smime_allowed_by_policy(SECOidTag algtag
PORT_SetError(SEC_ERROR_BAD_EXPORT_ALGORITHM);
return PR_FALSE;
}
+#endif
return PR_TRUE;
}
@@ -485,6 +487,7 @@ smime_init_once(void *arg)
return PR_FAILURE;
}
+#ifdef notdef
/* At initialization time, we need to set up the defaults. We first
* look to see if the system or application has set up certain algorithms
* by policy. If they have set up values by policy we'll only allow those
@@ -497,6 +500,11 @@ smime_init_once(void *arg)
PORT_Free(tags);
tags = NULL;
}
+#else
+ /* just initialize the old maps */
+ rv = SECSuccess;
+ tagCount = 0;
+#endif
if ((rv != SECSuccess) || (tagCount == 0)) {
/* No algorithms have been enabled by policy (either by the system
* or by the application, we then will use the traditional default
diff -up ./tests/smime/smime.sh.no_p12_smime_policy ./tests/smime/smime.sh
--- ./tests/smime/smime.sh.no_p12_smime_policy 2024-07-17 11:26:00.303836075 -0700
+++ ./tests/smime/smime.sh 2024-07-17 11:26:00.334836451 -0700
@@ -872,6 +872,6 @@ smime_init
smime_main
smime_data_tb
smime_p7
-smime_policy
+#smime_policy
smime_cleanup
diff -up ./tests/tools/tools.sh.no_p12_smime_policy ./tests/tools/tools.sh
--- ./tests/tools/tools.sh.no_p12_smime_policy 2024-07-17 11:26:00.304836087 -0700
+++ ./tests/tools/tools.sh 2024-07-17 11:26:00.334836451 -0700
@@ -585,7 +585,7 @@ tools_p12()
tools_p12_import_old_files
tools_p12_import_pbmac1_samples
tools_p12_import_rsa_pss_private_key
- tools_p12_policy
+ #tools_p12_policy
}
############################## tools_sign ##############################

@ -1,104 +0,0 @@
diff -up ./lib/certhigh/certvfypkix.c.revert_libpkix ./lib/certhigh/certvfypkix.c
--- ./lib/certhigh/certvfypkix.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/certhigh/certvfypkix.c 2024-07-05 13:18:34.285174699 -0700
@@ -39,7 +39,7 @@ pkix_pl_lifecycle_ObjectTableUpdate(int
PRInt32 parallelFnInvocationCount;
#endif /* PKIX_OBJECT_LEAK_TEST */
-static PRBool usePKIXValidationEngine = PR_TRUE;
+static PRBool usePKIXValidationEngine = PR_FALSE;
#endif /* NSS_DISABLE_LIBPKIX */
/*
diff -up ./lib/nss/nssinit.c.revert_libpkix ./lib/nss/nssinit.c
--- ./lib/nss/nssinit.c.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./lib/nss/nssinit.c 2024-07-05 13:18:34.285174699 -0700
@@ -764,9 +764,9 @@ nss_Init(const char *configdir, const ch
if (pkixError != NULL) {
goto loser;
} else {
- char *ev = PR_GetEnvSecure("NSS_DISABLE_PKIX_VERIFY");
+ char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
if (ev && ev[0]) {
- CERT_SetUsePKIXForValidation(PR_FALSE);
+ CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
#endif /* NSS_DISABLE_LIBPKIX */
diff -up ./tests/all.sh.revert_libpkix ./tests/all.sh
--- ./tests/all.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/all.sh 2024-07-05 13:18:34.285174699 -0700
@@ -143,9 +143,6 @@ run_cycle_standard()
{
TEST_MODE=STANDARD
- NSS_DISABLE_LIBPKIX_VERIFY="1"
- export NSS_DISABLE_LIBPKIX_VERIFY
-
TESTS="${ALL_TESTS}"
TESTS_SKIP="libpkix pkits"
@@ -153,8 +150,6 @@ run_cycle_standard()
export NSS_DEFAULT_DB_TYPE
run_tests
-
- unset NSS_DISABLE_LIBPKIX_VERIFY
}
############################ run_cycle_pkix ############################
@@ -172,6 +167,9 @@ run_cycle_pkix()
mkdir -p "${HOSTDIR}"
init_directories
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
+
TESTS="${ALL_TESTS}"
TESTS_SKIP="cipher dbtests sdr crmf smime merge multinit"
diff -up ./tests/common/init.sh.revert_libpkix ./tests/common/init.sh
--- ./tests/common/init.sh.revert_libpkix 2024-06-07 09:26:03.000000000 -0700
+++ ./tests/common/init.sh 2024-07-05 13:18:34.285174699 -0700
@@ -140,8 +140,8 @@ if [ -z "${INIT_SOURCED}" -o "${INIT_SOU
echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
echo "NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE}"
echo "export NSS_DEFAULT_DB_TYPE"
- echo "NSS_DISABLE_PKIX_VERIFY=${NSS_DISABLE_PKIX_VERIFY}"
- echo "export NSS_DISABLE_PKIX_VERIFY"
+ echo "NSS_ENABLE_PKIX_VERIFY=${NSS_ENABLE_PKIX_VERIFY}"
+ echo "export NSS_ENABLE_PKIX_VERIFY"
echo "init_directories"
}
diff -up ./tests/ssl/ssl.sh.revert_libpkix ./tests/ssl/ssl.sh
--- ./tests/ssl/ssl.sh.revert_libpkix 2024-07-05 13:18:34.267174492 -0700
+++ ./tests/ssl/ssl.sh 2024-07-05 13:23:15.295402481 -0700
@@ -971,8 +971,9 @@ ssl_policy_pkix_ocsp()
return 0
fi
- PKIX_SAVE=${NSS_DISABLE_LIBPKIX_VERIFY-"unset"}
- unset NSS_DISABLE_LIBPKIX_VERIFY
+ PKIX_SAVE=${NSS_ENABLE_PKIX_VERIFY-"unset"}
+ NSS_ENABLE_PKIX_VERIFY="1"
+ export NSS_ENABLE_PKIX_VERIFY
testname=""
@@ -997,10 +998,12 @@ ssl_policy_pkix_ocsp()
html_msg $RET $RET_EXP "${testname}" \
"produced a returncode of $RET, expected is $RET_EXP"
- if [ "{PKIX_SAVE}" != "unset" ]; then
- export NSS_DISABLE_LIBPKIX_VERIFY=${PKIX_SAVE}
+ if [ "${PKIX_SAVE}" = "unset" ]; then
+ unset NSS_ENABLE_PKIX_VERIFY
+ else
+ NSS_ENABLE_PKIX_VERIFY=${PKIX_SAVE}
+ export NSS_ENABLE_PKIX_VERIFY
fi
-
cp ${P_R_SERVERDIR}/pkcs11.txt.sav ${P_R_SERVERDIR}/pkcs11.txt
html "</TABLE><BR>"

@ -1,4 +0,0 @@
name=p11-kit-proxy
library=p11-kit-proxy.so

@ -1,16 +1,16 @@
%global nss_version 3.101.0
%global nspr_version 4.35.0
# NOTE: To avoid NVR clashes of nspr* packages:
# - reset %%{nspr_release} to 1, when updating %%{nspr_version}
# - increment %%{nspr_version}, when updating the NSS part only
%global baserelease 7
%global nss_release %baserelease
# NOTE: To avoid NVR clashes of nspr* packages:
# use "%%global nspr_release %%[%%baserelease+n]" to handle offsets when
# release number between nss and nspr are different.
# when a new nspr is released with nss, reset nspr_release to baserelease.
# for each new nss relase with the same nspr, change increment n by one.
%global nspr_release %[%baserelease+7]
%global nspr_release %[%baserelease+21]
# only need to update this as we added new
# algorithms under nss policy control
%global crypto_policies_version 20210118
%global crypto_policies_version 20240522
%global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
%global saved_files_dir %{_libdir}/nss/saved
%global dracutlibdir %{_prefix}/lib/dracut
@ -57,6 +57,8 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
string.gsub(rpm.expand("%nss_archive_version"), "%.", "_")))
}
%global nss_nspr_archive nss-%{nss_archive_version}-with-nspr-%{nspr_archive_version}
# This is taken from gnutls.spec
%define srpmhash() %{lua:
local files = rpm.expand("%_specdir/nss.spec")
@ -76,7 +78,7 @@ Summary: Network Security Services
Name: nss
Version: %{nss_version}
Release: %{nss_release}%{?dist}
License: MPLv2.0
License: MPL-2.0
URL: http://www.mozilla.org/projects/security/pki/nss/
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_version}
@ -84,7 +86,6 @@ Requires: nss-util >= %{nss_version}
Requires: nss-softokn%{_isa} >= %{nss_version}
Requires: nss-system-init
Requires: p11-kit-trust
Requires: /usr/bin/update-crypto-policies
Requires: crypto-policies >= %{crypto_policies_version}
# for shlibsign
BuildRequires: make
@ -97,7 +98,7 @@ BuildRequires: psmisc
BuildRequires: perl-interpreter
BuildRequires: gcc-c++
Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{name}-%{nss_archive_version}.tar.gz
Source0: https://ftp.mozilla.org/pub/security/nss/releases/%{nss_release_tag}/src/%{nss_nspr_archive}.tar.gz
Source1: nss-util.pc.in
Source2: nss-util-config.in
Source3: nss-softokn.pc.in
@ -117,22 +118,18 @@ Source15: system-pkcs11.txt
Source16: setup-nsssysinit.sh
Source20: nss-config.xml
Source21: setup-nsssysinit.xml
Source22: pkcs11.txt.xml
Source24: cert9.db.xml
Source26: key4.db.xml
%if %{with dbm}
Source23: cert8.db.xml
Source25: key3.db.xml
Source27: secmod.db.xml
%endif
Source22: pkcs11.txt.xml
Source24: cert9.db.xml
Source26: key4.db.xml
Source28: nss-p11-kit.config
# fips algorithms are tied to the red hat validation, others
# will have their own validation
Source30: fips_algorithms.h
#Source50: NameConstraints_Certs.tar
Source100: nspr-%{nspr_archive_version}.tar.gz
Source101: nspr-config.xml
# This patch uses the GCC -iquote option documented at
@ -145,22 +142,19 @@ Source101: nspr-config.xml
# changes.
#
# Once the buildroot has been bootstrapped the patch may be removed
# but it doesn't hurt to keep it
# but it doesn't hurt to keep it.
Patch4: iquote.patch
Patch12: nss-signtool-format.patch
Patch20: nss-3.101-extend-db-dump-time.patch
Patch21: nss-3.101-enable-sdb-tests.patch
# connect our shared library to the build root loader flags (needed for -relro)
Patch31: nss-dso-ldflags.patch
# keep RHEL 8 semantics of disabling md4 and md5 even if the env variable is set
Patch32: nss-3.101-disable-md5.patch
# dbm is disabled on RHEL9, make the man pages reflect that
%if %{with dbm}
%else
# rhel10 disabled dbm by default
Patch33: nss-no-dbm-man-page.patch
%endif
# not upstreamable patch...
# WARNING: Need to make this patch work before checking!!! $$$$@@@
Patch34: nss-3.71-fix-lto-gtests.patch
# camellia pkcs12 docs.
Patch35: nss-3.71-camellia-pkcs12-doc.patch
@ -175,8 +169,6 @@ Patch50: nss-3.79-fips.patch
Patch51: nss-3.101-fips-review.patches
Patch52: nss-3.90-pbkdf2-indicator.patch
Patch53: nss-3.101-skip-ocsp-if-not-connected.patch
# dont upstream, must be after patch53 (sigh)
Patch54: nss-3.101-revert-libpkix-default.patch
# ems policy. needs to upstream
Patch60: nss-3.101-add-ems-policy.patch
@ -189,8 +181,6 @@ Patch75: nss-3.90-ppc_no_init.patch
Patch76: nss-3.101-enable-kyber-policy.patch
Patch77: nss-3.101-fix-rsa-policy-test.patch
Patch78: nss-3.101-fix-pkcs12-md5-decode.patch
Patch79: nss-3.101-el9-restore-old-pkcs12-default.patch
Patch80: nss-3.101-no-p12-smime-policy.patch
Patch81: nss-3.101-fix-missing-size-checks.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=1905691
Patch82: nss-3.101-chacha-timing-fix.patch
@ -199,6 +189,13 @@ Patch84: nss-3.101-fix-pkcs12-pbkdf1-encoding.patch
# https://bugzilla.mozilla.org/show_bug.cgi?id=676100
Patch85: nss-3.101-fix-cms-abi-break.patch
Patch86: nss-3.101-long-pwd-fix.patch
Patch87: nss-3.101-fix-cavs-test.patch
# RHEL-10 specific
Patch90: nss-3.101-disable_dsa.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
Patch100: nspr-config-pc.patch
Patch101: nspr-gcc-atomics.patch
@ -206,11 +203,6 @@ Patch101: nspr-gcc-atomics.patch
Patch110: nspr-4.34-fix-coverity-loop-issue.patch
Patch120: nspr-4.34-server-passive.patch
# NSS reverse patches
Patch300: nss-3.79-distrusted-certs.patch
%description
Network Security Services (NSS) is a set of libraries designed to
support cross-platform development of security-enabled client and
@ -220,7 +212,7 @@ v3 certificates, and other security standards.
%package tools
Summary: Tools for the Network Security Services
Requires: %{name}%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: %{name}%{?_isa} = %{nss_version}-%{release}
%description tools
Network Security Services (NSS) is a set of libraries designed to
@ -237,7 +229,7 @@ Summary: System NSS Initialization
# providing nss-system-init without version so that it can
# be replaced by a better one, e.g. supplied by the os vendor
Provides: nss-system-init
Requires: nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss%{?_isa} = %{nss_version}-%{release}
Requires(post): coreutils, sed
%description sysinit
@ -248,8 +240,8 @@ any system or user configured modules.
%package devel
Summary: Development libraries for Network Security Services
Provides: nss-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Provides: nss-static = %{nss_version}-%{release}
Requires: nss%{?_isa} = %{nss_version}-%{release}
Requires: nss-util-devel
Requires: nss-softokn-devel
Requires: nspr-devel >= %{nspr_version}
@ -262,9 +254,9 @@ Header and Library files for doing development with Network Security Services.
%package pkcs11-devel
Summary: Development libraries for PKCS #11 (Cryptoki) using NSS
Provides: nss-pkcs11-devel-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss-devel = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl-devel = %{nss_version}-%{nss_release}%{dist}
Provides: nss-pkcs11-devel-static = %{nss_version}-%{release}
Requires: nss-devel = %{nss_version}-%{release}
Requires: nss-softokn-freebl-devel = %{nss_version}-%{release}
%description pkcs11-devel
Library files for developing PKCS #11 modules using basic NSS
@ -280,7 +272,7 @@ Utilities for Network Security Services and the Softoken module
%package util-devel
Summary: Development libraries for Network Security Services Utilities
Requires: nss-util%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss-util%{?_isa} = %{nss_version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: pkgconfig
@ -291,8 +283,8 @@ Header and library files for doing development with Network Security Services.
%package softokn
Summary: Network Security Services Softoken Module
Requires: nspr >= %{nspr_version}
Requires: nss-util >= %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{nss_release}%{dist}
Requires: nss-util >= %{nss_version}-%{release}
Requires: nss-softokn-freebl%{_isa} >= %{nss_version}-%{release}
%description softokn
Network Security Services Softoken Cryptographic Module
@ -313,8 +305,8 @@ Install the nss-softokn-freebl package if you need the freebl library.
%package softokn-freebl-devel
Summary: Header and Library files for doing development with the Freebl library for NSS
Provides: nss-softokn-freebl-static = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Provides: nss-softokn-freebl-static = %{nss_version}-%{release}
Requires: nss-softokn-freebl%{?_isa} = %{nss_version}-%{release}
%description softokn-freebl-devel
NSS Softoken Cryptographic Module Freebl Library Development Tools
@ -325,10 +317,10 @@ Developers should rely only on the officially supported NSS public API.
%package softokn-devel
Summary: Development libraries for Network Security Services
Requires: nss-softokn%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{nss_release}%{dist}
Requires: nss-softokn%{?_isa} = %{nss_version}-%{release}
Requires: nss-softokn-freebl-devel%{?_isa} = %{nss_version}-%{release}
Requires: nspr-devel >= %{nspr_version}
Requires: nss-util-devel >= %{nss_version}-%{nss_release}%{dist}
Requires: nss-util-devel >= %{nss_version}-%{release}
Requires: pkgconfig
%description softokn-devel
@ -338,7 +330,7 @@ Header and library files for doing development with Network Security Services.
Summary: Netscape Portable Runtime
Version: %{nspr_version}
Release: %{nspr_release}%{?dist}
License: MPLv2.0
License: MPL-2.0
URL: http://www.mozilla.org/projects/nspr/
Conflicts: filesystem < 3
BuildRequires: gcc
@ -361,12 +353,8 @@ Conflicts: filesystem < 3
%description -n nspr-devel
Header files for doing development with the Netscape Portable Runtime.
%prep
%setup -q -T -b 100 -n nspr-%{nspr_archive_version}
%setup -q -T -b 0 -n %{name}-%{nss_archive_version}
mv ../nspr-%{nspr_archive_version}/nspr .
cp ./nspr/config/nspr-config.in ./nspr/config/nspr-config-pc.in
%patch -P 100 -p0 -b .flags
@ -374,12 +362,10 @@ pushd nspr
%autopatch -p 1 -m 101 -M 299
popd
pushd nss
%autopatch -p1 -M 99
#%%patch -P 400 -p1 -b .backup
# sigh it would be nice if autopatch supported -R
%patch -P 300 -R -p1
%patch -P 300 -R -p 1
popd
# copy the fips_algorithms.h for this release
@ -387,11 +373,6 @@ popd
# each vendors claim in their own FIPS certification
cp %{SOURCE30} nss/lib/softoken/
#update expired test certs
#pushd nss
#tar xvf %{SOURCE50}
#popd
# https://bugzilla.redhat.com/show_bug.cgi?id=1247353
find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
@ -404,8 +385,6 @@ find nss/lib/libpkix -perm /u+x -type f -exec chmod -x {} \;
# adjustment in the NSS build process.
mkdir -p nspr_build
pushd nspr_build
export LDFLAGS="$RPM_LD_FLAGS"
export CFLAGS="$RPM_OPT_FLAGS"
../nspr/configure \
--prefix=%{_prefix} \
--libdir=%{_libdir} \
@ -455,6 +434,10 @@ popd
# uncomment if the iquote patch is activated
export IN_TREE_FREEBL_HEADERS_FIRST=1
# deprication
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
# FIPS related defines
export NSS_FORCE_FIPS=1
export NSS_FIPS_VERSION="%{name}\ %{nss_version}-%{srpmhash}"
@ -484,6 +467,8 @@ export XCFLAGS="$XCFLAGS -Wno-error=maybe-uninitialized"
# Similarly, but for gcc-11
export XCFLAGS="$XCFLAGS -Wno-array-parameter"
export LDFLAGS=$RPM_LD_FLAGS
export DSO_LDFLAGS=$RPM_LD_FLAGS
export PKG_CONFIG_ALLOW_SYSTEM_LIBS=1
@ -515,6 +500,7 @@ export POLICY_FILE="nss.config"
# location of the policy file
export POLICY_PATH="/etc/crypto-policies/back-ends"
%{__make} -C ./nss all
%{__make} -C ./nss latest
@ -611,22 +597,20 @@ date +"%e %B %Y" | tr -d '\n' > date.xml
echo -n %{nss_version} > version.xml
# configuration files and setup script
for m in %{SOURCE20} %{SOURCE21} %{SOURCE22} %{SOURCE24} %{SOURCE26}; do
cp ${m} .
done
for m in nss-config.xml setup-nsssysinit.xml pkcs11.txt.xml cert9.db.xml key4.db.xml; do
xmlto man ${m}
done
%if %{with dbm}
# nss dbm databases
for m in %{SOURCE23} %{SOURCE25} %{SOURCE27}; do
%global XMLSOURCES %{SOURCE23} %{SOURCE24} %{SOURCE25} %{SOURCE26} %{SOURCE27}
%global dbfiles cert8.db key3.db secmod.db cert9.db key4.db pkcs11.txt
%else
%global XMLSOURCES %{SOURCE22} %{SOURCE24} %{SOURCE26}
%global dbfiles cert9.db key4.db pkcs11.txt
%endif
for m in %{SOURCE20} %{SOURCE21} %{XMLSOURCES}; do
cp ${m} .
done
for m in cert8.db.xml key3.db.xml secmod.db.xml; do
xmlto man ${m}
%global configFiles nss-config setup-nsssysinit
for m in %{configFiles} %{dbfiles}; do
xmlto man ${m}.xml
done
%endif
%check
@ -650,6 +634,9 @@ popd
export FREEBL_NO_DEPEND=1
export BUILD_OPT=1
export NSS_DISABLE_PPC_GHASH=1
export NSS_DISABLE_DEPRECATED_SEED=1
export NSS_DISABLE_DSA=1
%ifnarch noarch
%if 0%{__isa_bits} == 64
@ -672,10 +659,6 @@ done
# disabled by the system policy.
export NSS_IGNORE_SYSTEM_POLICY=1
%ifarch i686 ppcle64
export NSS_DB_DUMP_TIME=10
%endif
# enable the following line to force a test failure
# find ./nss -name \*.chk | xargs rm -f
@ -786,7 +769,6 @@ mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
mkdir -p $RPM_BUILD_ROOT/%{saved_files_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_modules_dir}
mkdir -p $RPM_BUILD_ROOT/%{dracut_conf_dir}
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%if %{defined rhel}
# not needed for rhel and its derivatives only fedora
%else
@ -875,11 +857,11 @@ install -p -m 755 ./dist/pkgconfig/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir
ln -r -s -f $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit.sh $RPM_BUILD_ROOT/%{_bindir}/setup-nsssysinit
# Copy the man pages for scripts
for f in nss-config setup-nsssysinit; do
for f in %{configFiles}; do
install -c -m 644 ${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
# Copy the man pages for the nss tools
for f in certutil cmsutil crlutil derdump modutil nss-policy-check pk12util signtool signver ssltap vfychain vfyserv; do
for f in certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv; do
install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
done
%if %{defined rhel}
@ -888,19 +870,10 @@ install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_mandir}/man1/pp.1
install -c -m 644 ./dist/docs/nroff/pp.1 $RPM_BUILD_ROOT%{_datadir}/doc/nss-tools/pp.1
%endif
# Copy the man pages for the configuration files
for f in pkcs11.txt cert9.db key4.db; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
# Copy the man pages for the nss dbm databases
%if %{with dbm}
for f in cert8.db key3.db secmod.db; do
# Copy the man pages for the nss databases
for f in %{dbfiles}; do
install -c -m 644 ${f}.5 $RPM_BUILD_ROOT%{_mandir}/man5/${f}.5
done
%endif
# Copy the crypto-policies configuration file
install -p -m 644 %{SOURCE28} $RPM_BUILD_ROOT/%{_sysconfdir}/crypto-policies/local.d
%triggerpostun -n nss-sysinit -- nss-sysinit < 3.12.8-3
# Reverse unwanted disabling of sysinit by faulty preun sysinit scriplet
@ -921,9 +894,6 @@ if test $1 -eq 2; then
fi
%endif
%posttrans
update-crypto-policies &> /dev/null || :
%files
%{!?_licensedir:%global license %%doc}
@ -940,7 +910,6 @@ update-crypto-policies &> /dev/null || :
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/cert9.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/key4.db
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/pki/nssdb/pkcs11.txt
%config(noreplace) %verify(not md5 size mtime) %{_sysconfdir}/crypto-policies/local.d/nss-p11-kit.config
%if %{with dbm}
%doc %{_mandir}/man5/cert8.db.5*
%doc %{_mandir}/man5/key3.db.5*
@ -986,7 +955,6 @@ update-crypto-policies &> /dev/null || :
%doc %{_mandir}/man1/cmsutil.1*
%doc %{_mandir}/man1/crlutil.1*
%doc %{_mandir}/man1/modutil.1*
%doc %{_mandir}/man1/nss-policy-check.1*
%doc %{_mandir}/man1/pk12util.1*
%doc %{_mandir}/man1/signver.1*
# unsupported tools
@ -1089,8 +1057,8 @@ update-crypto-policies &> /dev/null || :
%{_includedir}/nss3/base64.h
%{_includedir}/nss3/ciferfam.h
%{_includedir}/nss3/eccutil.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/kyber.h
%{_includedir}/nss3/hasht.h
%{_includedir}/nss3/nssb64.h
%{_includedir}/nss3/nssb64t.h
%{_includedir}/nss3/nsshash.h
@ -1200,6 +1168,9 @@ update-crypto-policies &> /dev/null || :
%changelog
* Tue Nov 26 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 3.101.0-7
- Rebuilt for MSVSphere 10
* Wed Sep 4 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-7
- fix cms abi breakage
- fix long password issue on pbmac encodings
@ -1208,187 +1179,159 @@ update-crypto-policies &> /dev/null || :
- fix param encoding in pkcs12 pbamac encoding
- add support for certificate compression in selfserv and tstclient
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
* Wed Jul 24 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-5
- Fix missing and inaccurate key length checks
- Fix chacha timing issue
* Tue Jul 16 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
* Thu Jul 18 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-4
- Fix MD-5 decode issue in pkcs #12
- turn off policy processing for pkcs12 and smime
- restore the rhel9 pkcs12 defaults for pk12util
* Tue Jun 11 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Rebase to NSS 3.101
- restore ppc init support
* Mon Jul 15 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-3
- Add FIPS 140-3 defines to sec file
* Wed Apr 10 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-7
- Allow for shorter ecdsa signatures by padding them to full length
* Fri Jul 12 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-2
- Fix spec to deal with annocheck failures
* Tue Jan 23 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-6
- Fix ecc DER wrapping.
* Tue Jun 25 2024 Bob Relyea <rrelyea@redhat.com> - 3.101.0-1
- Update NSS to 3.101.0
- Pick up RHEL FIPS and other patches
- Turn off SEED and DSA
* Tue Jan 9 2024 Bob Relyea <rrelyea@redhat.com> - 3.90.0-5
- Pick up validated constant time implementations of p256, p384, and p521
from upsream
- More Fips indicator changes
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.97.0-2
- Bump release for June 2024 mass rebuild
* Wed Nov 22 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-4
- FIPS review changes
- add PORT_SafeZero to avoid compiler optimizing a way zeroing memory.
- update the indicators for this release
- allow hashing of longer than int32 values in a single PKCS #11 call.
* Sun Jan 28 2024 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.97.0-1
- Update NSS to 3.97.0
* Tue Nov 21 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3.3
- Fix expired certs in tests
- Fix CVE-2023-5388
* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Aug 4 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-3
- add indicator for pbkdf
- fix ems policy bug
* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 3.96.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jun 29 2023 frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-2
- fix release number
* Thu Dec 21 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.96.1-1
- Update NSS to 3.96.1
* Wed Jun 28 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- fix missing dist tag in packages version
- move from deprecate %%patch format
* Mon Nov 27 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.95.0-1
- Update NSS to 3.95.0
* Mon Jun 12 2023 Bob Relyea <rrelyea@redhat.com> - 3.90.0-1
- Rebase to NSS-3.90
- Rebase to NSPR-3.35
- fix incorrect version values in the NSS spec file for FIPS
* Wed Oct 25 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-2
- revert HACL 256 code to fix binary compatibility issue.
* Fri Mar 17 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-18
- fix memory leak, add generator test in FIPS mode.
* Wed Oct 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.94.0-1
- Update NSS to 3.94.0
* Thu Mar 16 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-17
- fix consistency return errors. We shouldn't lock the FIPS
token if the application asked for invalid DH parameters on
on keygen.
* Thu Sep 07 2023 Bob Relyea <rrelyea@redhat.com> - 3.93.0-2
- Update License field to SPDX.
* Mon Mar 13 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-16
- Add check for RSA PSS Salt required by FIPS
- Update fips_algorithms.sh according to the review.
* Thu Aug 31 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.93.0-1
- Update NSS to 3.93.0
* Thu Mar 2 2023 Bob Relyea <rrelyea@redhat.com> - 3.79.0-15
- Fix CVE-2023-0767
* Tue Aug 1 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.92.0-1
- Update NSS to 3.92.0
* Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-14
- Update fips_algorithms.h to match the final FIPS requirements
- Disable delegated credentials
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.91.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Aug 24 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-13
- remove OAEP from the FIPS indicators
* Tue Jul 4 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.91.0-1
- Update NSS to 3.91.0
* Thu Aug 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-12
- only turn off rand changes on all non-fips kernels
* Tue Jun 6 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Add patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1836781 &
https://bugzilla.mozilla.org/show_bug.cgi?id=1836925
* Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-11
- only turn off rand changes on ppc64le at build-test time.
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Update %%patch syntax
* Mon Aug 8 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-10
- turn off rand changes on ppc64le
* Mon Jun 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.90.0-1
- Update NSS to 3.90.0
* Sun Aug 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-9
- FIPS 140-3 changes
* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
- combine nss and nspr source togeather
* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-8
- fix encoding issue with NULL passwords
* Fri May 5 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
- replace %{version} with %{nss_version} as it version can be overiden.
* Thu Jul 7 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-7
- more complete fix for cert auth regression crash
* Fri Mar 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.89.0-1
- Update NSS to 3.89.0
* Wed Jun 22 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-6
- Remove debugging printf from a patch
- increase the pbe cache size to handle reusing the same token key.
* Fri Feb 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.88.1-1
- Update NSS to 3.88.1
* Mon Jun 20 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-5
- FIPS 140-3 changes
- Reject Small RSA keys, 1024 bit keys are marked as FIP OK when verifying, reject
signature keys by policy
- Allow applications to retrigger selftests on demand.
* Tue Jan 24 2023 Bob Relyea - 3.87.0-2
- Fix rebuild errors
* Tue Jun 14 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-4
- server passive fix
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 3.87.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Sat Jun 11 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-3
- fix regressions in test suite
* Tue Jan 10 2023 Frantisek Krenzelok <krenzelok.frantisek@gmail.com> - 3.87.0-1
- Update NSS to 3.87 & remove unused patches
* Mon Jun 6 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
- fix nspr coverify issues.
* Thu Nov 17 2022 Bob Relyea <rrelyea@redhat.com> - 3.85.0-1
- update to NSS 3.83
* Wed Jun 1 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
- update to NSS 3.79
- update to NSPR 4.34
- change FIPS Modulename to conform with our final module standard
* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.83.0-1
- update to NSS 3.83
- update to NSPR 4.35
* Wed Feb 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-7
- Fix handling of pkcs12 passwords for PKCS5v2 cases which causes failures
on long passwords.
* Fri Sep 9 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-2
- add dbtool
* Wed Jan 26 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-6
- update pkcs12 documentation to include camellia
- turn on lto
* Thu Jul 21 2022 Bob Relyea <rrelyea@redhat.com> - 3.81.0-1
- udpate to NSS 3.81
* Wed Jan 12 2022 Bob Relyea <rrelyea@redhat.com> - 3.71.0-5
- remove old dbm files from the build
* Thu Jun 16 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-2
- Fix crash when getting client cert and there is none in the database.
* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
- Fix CVE-2021-43527
* Tue May 31 2022 Bob Relyea <rrelyea@redhat.com> - 3.79.0-1
- Update to NSS 3.79
- Update to NSPR 4.34
* Tue Oct 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-2
- make sure validation is built
- fix syntax on FIPS module name
* Mon Apr 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.77.0-1
- Update to 3.77
* Tue Oct 5 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
- rebase to NSS-3.71
* Fri Feb 4 2022 Bob Relyea <rrelyea@redhat.com> - 3.75.0-1
- Update to 3.75
- fix PayPal expiration issue
* Wed Aug 25 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-13
- rebuild to clear gating.yaml test
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.73.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Aug 19 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-12
- pick up nspr 3.2 for Firefox 92
* Wed Dec 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.73.0-1
- Update to 3.73
- includes CVE 2021-43527
* Thu Aug 12 2021 Florian Weimer <fweimer@redhat.com> - 3.67.0-11
- Change release number to correct cross-package dependencies (#1991688)
* Mon Oct 4 2021 Bob Relyea <rrelyea@redhat.com> - 3.71.0-1
- Update to 3.71
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 8 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-8
- fix relro support in nspr part of build
* Tue Jul 6 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
- fix ssl alert regressions
* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-2
- turn on lto
* Fri Jul 2 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-6
- bump the nspr release number
* Tue Aug 10 2021 Bob Relyea <rrelyea@redhat.com> - 3.69.0-1
- Update to 3.69
- Update to NSPR 4.31
* Thu Jul 1 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-5
- fix error when trying to read keys from updated databases when updated
from unpatched versions of NSS (like on fedora or upstream).
- fix spelling of LD_OPTFLAGS which prevents relro from working.
* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
- switch to baserelease so rpmdev-bumpspec will work next time
* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-4
- update nspr man page files to only pick up nspr man pages
* Tue Jul 27 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
- rpmdev-bumpspec doesn't work correctly with nss/nspr. Fixup version numbers
* Fri Jun 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-3
- Update NSS to 3.67
- Update NSPR to 2.31
- pick up rhel coverity patches which have not yet been pushed upstream.
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 3.67.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Apr 16 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-3
- prevent MD5 from being enabled even with the environment variables
and policy. This mirrors the rhel8 semantics.
- add DSO_LDFLAGS support so we pick up system LDFLAGS in our shared libraries
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-1
- Update to 3.67
- Update to NSPR 2.31
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 3.63.0-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.65.0-1
- Update to 3.65
- update nss-tools manages to remove references to dbm
* Wed Mar 24 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
- Update NSS to 3.62
- Update NSPR to 2.30
* Tue Mar 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.63.0-1
- Update to 3.63
- Update to NSPR 2.30
- Remove old dbm files and man pages
* Tue Feb 23 2021 Bob Relyea <rrelyea@redhat.com> - 3.62.0-1
- Update to 3.62
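Review bot: The hunk at `mkdir -p nspr_build` / `pushd nspr_build` appears to drop the `export LDFLAGS="$RPM_LD_FLAGS"` and `export CFLAGS="$RPM_OPT_FLAGS"` lines that preceded `../nspr/configure` (the header goes from 8 to 6 lines and those are the only two whose removal would not break the build), while the NSS half of %build separately gains `export LDFLAGS=$RPM_LD_FLAGS` and `export DSO_LDFLAGS=$RPM_LD_FLAGS`. Because nspr's configure is invoked directly rather than through `%configure`, whether libnspr4 still receives the distro hardening flags (FORTIFY_SOURCE, stack protector, relro/now) now depends on `%build` having run `%set_build_flags`, which the spec nowhere states. If that is the intent, record it where the exports used to be: `# CFLAGS/LDFLAGS for nspr come from %%set_build_flags (implicit in %%build); configure is not wrapped by %%configure`. If it is not, keep the two exports for the nspr build, otherwise the class of annocheck failure the 3.101.0-2 changelog entry mentions is likely to return for the nspr subpackage. The %build section continues outside the hunk.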
