OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/mozilla-nss?expand=0&rev=17

baselibs.conf

@@ -1 +1,5 @@
 mozilla-nss
+  requires "libfreebl3-<targettype> >= <version>"
+  +/usr/lib/libsoftokn3.chk
+  +/lib/libfreebl3.chk
+libfreebl3

bmo485145-libjar.patch.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18bb217adb927e4ef618dacb3b3dea7fc123f28544bf3b2c49b7a886f65e061c
+size 36032

bmo488646-oscp-test.patch

@@ -0,0 +1,104 @@
+Index: chains.sh
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/tests/chains/chains.sh,v
+retrieving revision 1.15
+diff -u -9 -r1.15 chains.sh
+--- chains.sh	15 Apr 2009 18:04:35 -0000	1.15
++++ security/nss/tests/chains/chains.sh	17 Apr 2009 13:02:49 -0000
+@@ -689,18 +689,49 @@
+     if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
+         html_passed "${SCENARIO}${TESTNAME}"
+     elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
+         html_passed "${SCENARIO}${TESTNAME}"
+     else
+         html_failed "${SCENARIO}${TESTNAME}"
+     fi
+ }
+ 
++
++check_ocsp()
++{
++    OCSP_CERT=$1
++
++    CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
++    CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
++
++    if [ "${CERT_ISSUER}" = "x" ]; then
++        CERT_ISSUER=
++        CERT=${CERT_NICK}.cert
++        CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
++    else
++        CERT=${CERT_NICK}${CERT_ISSUER}.der
++        CERT_FILE=${CERT}
++    fi
++
++    OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
++
++    if [ "${OS_ARCH}" = "WINNT" ]; then
++        ping -n 1 ${OCSP_HOST}
++        return $?
++    elif [ "${OS_ARCH}" = "HP-UX" ]; then
++        ping ${OCSP_HOST} -c 1
++        return $?
++    else
++        ping -c 1 ${OCSP_HOST}
++        return $?
++    fi
++}
++
+ ############################ parse_result ##############################
+ # local shell function to process expected result value
+ # this function was created for case that expected result depends on
+ # some conditions - in our case type of cert DB
+ #
+ # default results are pass and fail
+ # this function added parsable values in format:
+ # type1:value1 type2:value2 .... typex:valuex
+ #
+@@ -859,18 +890,25 @@
+                 LOGFILE="${LOGDIR}/${LOGNAME}"
+             fi
+             ;;
+         "sleep")
+             sleep ${VALUE}
+             ;;
+         "break")
+             break
+             ;;
++        "check_ocsp")
++            check_ocsp ${VALUE}
++            if [ $? -ne 0 ]; then
++                echo "OCSP server not accessible, skipping OCSP tests"
++                break;
++            fi
++            ;;
+         "")
+             if [ -n "${ENTITY}" ]; then
+                 if [ -z "${DB}" ]; then
+                     create_entity "${ENTITY}" "${TYPE}"
+                 fi
+                 sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+                 if [ "${TYPE}" = "Bridge" ]; then
+                     create_pkcs7 "${ENTITY}"
+                 fi
+Index: scenarios/ocsp.cfg
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v
+retrieving revision 1.4
+diff -u -9 -r1.4 ocsp.cfg
+--- scenarios/ocsp.cfg	19 Mar 2009 09:55:31 -0000	1.4
++++ security/nss/tests/chains/scenarios/ocsp.cfg	17 Apr 2009 13:02:49 -0000
+@@ -1,11 +1,13 @@
+ scenario OCSP
+ 
++check_ocsp OCSPEE11:x
++
+ db OCSPRoot
+ import OCSPRoot:x:CT,C,C
+ 
+ db OCSPCA1
+ import_key OCSPCA1
+ 
+ crl OCSPCA1
+ 
+ revoke OCSPCA1

mozilla-nss.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Mon Apr 20 14:47:43 CEST 2009 - wr@rosenauer.org
+
+- update to version 3.12.3 RTM
+  * default behaviour changed slightly but can be set up
+    backward compatible using environment variables
+    https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
+  * New Korean SEED cipher
+  * Some new functions in the nss library:
+    CERT_RFC1485_EscapeAndQuote (see cert.h)
+    CERT_CompareCerts (see cert.h)
+    CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
+    PK11_GetSymKeyHandle (see pk11pqg.h)
+    UTIL_SetForkState (see secoid.h)
+    NSS_GetAlgorithmPolicy (see secoid.h)
+    NSS_SetAlgorithmPolicy (see secoid.h)
+- created libfreebl3 subpackage and build it w/o nspr and nss deps
+- added patch to make all ASM noexecstack
+- create the softokn3 and freebl3 checksums at installation time
+  (moved shlibsign to the main package to achieve that)
+- applied upstream patch to avoid OSCP test failures (bmo#488646)
+- applied upstream patch to fix libjar crashes (bmo#485145)
+
 -------------------------------------------------------------------
 Wed Feb  4 08:46:15 CET 2009 - wr@rosenauer.org
 

mozilla-nss.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package mozilla-nss (Version 3.12.2)
+# spec file for package mozilla-nss (Version 3.12.3)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -27,7 +27,7 @@ BuildRequires:  sqlite-devel
 BuildRequires:  sqlite3-devel
 %endif
 License:        GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL)
-Version:        3.12.2
+Version:        3.12.3
 Release:        1
 # bug437293
 %ifarch ppc64
@@ -37,6 +37,7 @@ Obsoletes:      mozilla-nss-64bit
 Summary:        Network (Netscape) Security Services
 Url:            http://www.mozilla.org/projects/security/pki/nss/
 Group:          System/Libraries
+# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r <RTM_TAG> NSS
 Source:         nss-%{version}.tar.bz2
 Source1:        nss.pc.in
 Source2:        addon-certs.txt
@@ -46,10 +47,15 @@ Patch2:         nss-sqlitename.patch
 Patch3:         system-nspr.patch
 Patch4:         char.patch
 Patch5:         nss-no-rpath.patch
+Patch6:         nss-noexec.patch
+Patch7:         bmo488646-oscp-test.patch
+Patch8:         bmo485145-libjar.patch.bz2
 # Remove remnant traces from the package split.
 Provides:       libnss3 = %{version}-%{release}
 Obsoletes:      libnss3 <= %{version}-%{release}
-PreReq:         mozilla-nspr >= %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
+%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr)
+PreReq:         mozilla-nspr >= %nspr_ver
+PreReq:         libfreebl3 >= %{version}
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %define nssdbdir %{_sysconfdir}/pki/nssdb
 
@@ -72,11 +78,11 @@ Summary:        Network (Netscape) Security Services development files
 Group:          Development/Libraries/Other
 Requires:       mozilla-nspr-devel 
 Requires:       mozilla-nss = %{version}-%{release}
+Requires:       libfreebl3 = %{version}-%{release}
 # bug437293
 %ifarch ppc64
 Obsoletes:      mozilla-nss-devel-64bit
 %endif
-#
 
 %description devel
 Network Security Services (NSS) is a set of libraries designed to
@@ -95,8 +101,8 @@ Authors:
 License:        GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL)
 Summary:        Tools for developing, debugging, and managing applications that use NSS.
 Group:          System/Management
-PreReq:         mozilla-nss >= %{version}-%{release}
-PreReq:         coreutils
+PreReq:         mozilla-nss >= %{version}
+Requires(post): coreutils
 
 %description tools
 The NSS Security Tools allow developers to test, debug, and manage
@@ -108,6 +114,26 @@ Authors:
 --------
     Mozilla Foundation <drivers@mozilla.org>
 
+%package -n libfreebl3
+License:        GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL)
+Summary:        Freebl library for the Network Security Services
+Group:          System/Libraries
+
+%description -n libfreebl3
+Network Security Services (NSS) is a set of libraries designed to
+support cross-platform development of security-enabled server
+applications. Applications built with NSS can support SSL v2 and v3,
+TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3
+certificates, and other security standards.
+
+This package installs the freebl library from NSS.
+
+
+
+Authors:
+--------
+    Mozilla Foundation
+
 %prep
 %setup -n nss-%{version} -q
 cd mozilla
@@ -116,12 +142,16 @@ cd mozilla
 %patch3
 %patch4
 %patch5
+%patch6
+%patch7
+%patch8
 # additional CA certificates
 #cd security/nss/lib/ckfw/builtins
 #cat %{SOURCE2} >> certdata.txt
 #make generate
 
 %build
+export FREEBL_NO_DEPEND=1
 cd mozilla/security/nss
 export NSPR_INCLUDE_DIR=`nspr-config --includedir`
 export NSPR_LIB_DIR=`nspr-config --libdir`
@@ -152,6 +182,7 @@ fi
 mkdir -p $RPM_BUILD_ROOT%{_libdir}/nss
 mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3
 mkdir -p $RPM_BUILD_ROOT%{_bindir}
+mkdir -p $RPM_BUILD_ROOT/%{_lib}
 pushd mozilla/dist/Linux*
 # copy headers
 cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3
@@ -164,9 +195,10 @@ cp -L  lib/libnss3.so \
        lib/libsoftokn3.so \
        lib/libsoftokn3.chk \
        lib/libssl3.so \
-       lib/libfreebl3.so \
-       lib/libfreebl3.chk \
        $RPM_BUILD_ROOT%{_libdir}
+cp -L  lib/libfreebl3.so \
+       lib/libfreebl3.chk \
+       $RPM_BUILD_ROOT/%{_lib}
 %if %suse_version < 1030
 cp -L  lib/libnsssqlite3.so \
        $RPM_BUILD_ROOT%{_libdir}
@@ -203,7 +235,8 @@ cp -L  bin/atob \
 # prepare pkgconfig file
 mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/
 sed "s:%%LIBDIR%%:%{_libdir}:g
-s:%%VERSION%%:%{version}:g" \
+s:%%VERSION%%:%{version}:g
+s:%%NSPR_VERSION%%:%{nspr_ver}:g" \
   %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc
 # prepare nss-config file
 popd
@@ -220,10 +253,35 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \
                      > $RPM_BUILD_ROOT/%{_bindir}/nss-config
 chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config
 
-%post -p /sbin/ldconfig
+%post 
+/sbin/ldconfig
+# sign
+# removal of libfreebl3.so is a special needed case:
+# with this package it moves to %_lib and therefore is still
+# installed when %post runs disturbing the shlibsign tool
+rm -f %{_libdir}/libfreebl3.so
+rm -f %{_libdir}/libsoftokn3.chk
+rm -f /%{_lib}/libfreebl3.chk
+%{_libdir}/nss/shlibsign -i %{_libdir}/libsoftokn3.so
+%{_libdir}/nss/shlibsign -i /%{_lib}/libfreebl3.so
+# sign existing baselibs as well (FIXME other multiarchs)
+%ifarch x86_64
+if [ -e /lib/libfreebl3.so ]; then
+  rm -f /lib/libfreebl3.chk
+  %{_libdir}/nss/shlibsign -i /lib/libfreebl3.so
+fi
+if [ -e /usr/lib/libsoftokn3.so ]; then
+  rm -f /usr/lib/libsoftokn3.chk
+  %{_libdir}/nss/shlibsign -i /usr/lib/libsoftokn3.so
+fi
+%endif
 
 %postun -p /sbin/ldconfig
 
+%post -n libfreebl3 -p /sbin/ldconfig
+
+%postun -n libfreebl3 -p /sbin/ldconfig
+
 %post tools
 if [ ! -d "%{nssdbdir}" ] ; then
     mkdir -p "%{nssdbdir}"
@@ -238,8 +296,19 @@ rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-, root, root)
-%{_libdir}/*.so
-%{_libdir}/*.chk
+%{_libdir}/libnss3.so
+%{_libdir}/libnssckbi.so
+%{_libdir}/libnssdbm3.so
+%{_libdir}/libnssutil3.so
+%{_libdir}/libsmime3.so
+%{_libdir}/libsoftokn3.so
+%{_libdir}/libssl3.so
+%if %suse_version < 1030
+%{_libdir}/libnsssqlite3.so
+%endif
+%{_libdir}/nss/shlibsign
+%ghost %verify(not md5 mtime size) %{_libdir}/libsoftokn3.chk
+%ghost %verify(not md5 mtime size) /%{_lib}/libfreebl3.chk
 
 %files devel
 %defattr(644, root, root, 755)
@@ -252,8 +321,33 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-, root, root)
 %{_bindir}/*
 %{_libdir}/nss/
+%exclude %{_libdir}/nss/shlibsign
 %exclude %{_bindir}/nss-config
+
+%files -n libfreebl3
+%defattr(-, root, root)
+/%{_lib}/libfreebl3.so
 %changelog
+* Mon Apr 20 2009 wr@rosenauer.org
+- update to version 3.12.3 RTM
+  * default behaviour changed slightly but can be set up
+  backward compatible using environment variables
+  https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables
+  * New Korean SEED cipher
+  * Some new functions in the nss library:
+  CERT_RFC1485_EscapeAndQuote (see cert.h)
+  CERT_CompareCerts (see cert.h)
+  CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h)
+  PK11_GetSymKeyHandle (see pk11pqg.h)
+  UTIL_SetForkState (see secoid.h)
+  NSS_GetAlgorithmPolicy (see secoid.h)
+  NSS_SetAlgorithmPolicy (see secoid.h)
+- created libfreebl3 subpackage and build it w/o nspr and nss deps
+- added patch to make all ASM noexecstack
+- create the softokn3 and freebl3 checksums at installation time
+  (moved shlibsign to the main package to achieve that)
+- applied upstream patch to avoid OSCP test failures (bmo#488646)
+- applied upstream patch to fix libjar crashes (bmo#485145)
 * Wed Feb 04 2009 wr@rosenauer.org
 - update to version 3.12.2 RTM (with CKBI 1.73) as in FF 3.0.6
 * Tue Jan 13 2009 wr@rosenauer.org
@@ -306,7 +400,7 @@ rm -rf $RPM_BUILD_ROOT
 - use string[0] instead of string in char.patch
 * Mon Jun 11 2007 ro@suse.de
 - update to NSS 3.11.6 (pull in from wr from opensuse BS)
-* Wed Feb 21 2007 maw@suse.de
+* Thu Feb 22 2007 maw@suse.de
 - Update to NSS 3.11.5 (thanks, Wolfgang)
 * Sun Oct 01 2006 wr@rosenauer.org
 - update to NSS 3.11.3

nss-3.12.2.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0d65867cde61e7ec6ed4dcde366acf96d39bdc408e7bd81dd5bba916297595ae
-size 3976689

nss-3.12.3.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12522e8826a93ab0a75ae8cd2371d14a442c29b508c0cbfd9bbbb9d12a5a0d8b
+size 4057203

nss-noexec.patch

@@ -0,0 +1,25 @@
+Index: mozilla/security/coreconf/Linux.mk
+===================================================================
+RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
+retrieving revision 1.35
+diff -u -8 -r1.35 Linux.mk
+--- security/coreconf/Linux.mk	5 Sep 2008 23:17:23 -0000	1.35
++++ security/coreconf/Linux.mk	3 Apr 2009 03:17:22 -0000
+@@ -172,16 +172,17 @@
+ endif
+ 
+ ARCH			= linux
+ 
+ DSO_CFLAGS		= -fPIC
+ DSO_LDOPTS		= -shared $(ARCHFLAG) -Wl,-z,defs
+ DSO_LDFLAGS		=
+ LDFLAGS			+= $(ARCHFLAG)
++ASFLAGS			+= -Wa,--noexecstack
+ 
+ # INCLUDES += -I/usr/include -Y/usr/include/linux
+ G++INCLUDES		= -I/usr/include/g++
+ 
+ #
+ # Always set CPU_TAG on Linux, OpenVMS, WINCE.
+ #
+ CPU_TAG = _$(CPU_ARCH)

nss-sqlitename.patch

@@ -1,28 +1,3 @@
-Index: security/nss/cmd/platlibs.mk
-===================================================================
-RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
-retrieving revision 1.55
-diff -u -p -6 -r1.55 platlibs.mk
---- security/nss/cmd/platlibs.mk	12 Oct 2007 01:44:40 -0000	1.55
-+++ security/nss/cmd/platlibs.mk	23 Jan 2008 08:25:42 -0000
-@@ -69,13 +69,17 @@ EXTRA_SHARED_LIBS += \
- else
- EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
- endif
- endif
- endif
- 
-+ifdef NSS_USE_SYSTEM_SQLITE
- SQLITE=-lsqlite3
-+else
-+SQLITE=-lnsssqlite3
-+endif
- 
- ifdef USE_STATIC_LIBS
- 
- # can't do this in manifest.mn because OS_ARCH isn't defined there.
- ifeq ($(OS_ARCH), WINNT)
- 
 Index: security/nss/lib/sqlite/manifest.mn
 ===================================================================
 RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v
@@ -73,3 +48,28 @@ diff -u -p -r1.23 config.mk
  endif
  
  ifeq ($(OS_TARGET),AIX)
+Index: security/nss/cmd/platlibs.mk
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v
+retrieving revision 1.59
+diff -u -p -6 -r1.59 platlibs.mk
+--- security/nss/cmd/platlibs.mk	2 Dec 2008 23:24:46 -0000	1.59
++++ security/nss/cmd/platlibs.mk	14 Apr 2009 11:07:52 -0000
+@@ -69,13 +69,17 @@ EXTRA_SHARED_LIBS += \
+ else
+ EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib'
+ endif
+ endif
+ endif
+ 
++ifdef NSS_USE_SYSTEM_SQLITE
+ SQLITE=-lsqlite3
++else
++SQLITE=-lnsssqlite3
++endif
+ 
+ ifdef NSS_DISABLE_DBM
+ DBMLIB = $(NULL)
+ else
+ DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) 
+ endif

nss.pc.in

@@ -6,6 +6,6 @@ includedir=${prefix}/include/nss3
 Name: NSS
 Description: Network Security Services
 Version: %VERSION%
-Requires: nspr >= 4.7.2
-Libs: -Wl,-rpath-link,${libdir} -L${libdir} -lssl3 -lsmime3 -lnss3 -lnssutil3
+Requires: nspr >= %NSPR_VERSION% 
+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
 Cflags: -I${includedir}