diff --git a/baselibs.conf b/baselibs.conf
index a36bd96..ede1c5b 100644
--- a/baselibs.conf
+++ b/baselibs.conf
@@ -1 +1,5 @@
 mozilla-nss
+ requires "libfreebl3- >= "
+ +/usr/lib/libsoftokn3.chk
+ +/lib/libfreebl3.chk
+libfreebl3
diff --git a/bmo485145-libjar.patch.bz2 b/bmo485145-libjar.patch.bz2
new file mode 100644
index 0000000..6cb839c
--- /dev/null
+++ b/bmo485145-libjar.patch.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18bb217adb927e4ef618dacb3b3dea7fc123f28544bf3b2c49b7a886f65e061c
+size 36032
diff --git a/bmo488646-oscp-test.patch b/bmo488646-oscp-test.patch
new file mode 100644
index 0000000..be621f6
--- /dev/null
+++ b/bmo488646-oscp-test.patch
@@ -0,0 +1,104 @@
+Index: chains.sh
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/tests/chains/chains.sh,v
+retrieving revision 1.15
+diff -u -9 -r1.15 chains.sh
+--- chains.sh 15 Apr 2009 18:04:35 -0000 1.15
++++ security/nss/tests/chains/chains.sh 17 Apr 2009 13:02:49 -0000
+@@ -689,18 +689,49 @@
+ if [ "${EXP_RESULT}" = "pass" -a ${RESULT} -eq 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ elif [ "${EXP_RESULT}" = "fail" -a ${RESULT} -ne 0 ]; then
+ html_passed "${SCENARIO}${TESTNAME}"
+ else
+ html_failed "${SCENARIO}${TESTNAME}"
+ fi
+ }
+
++
++check_ocsp()
++{
++ OCSP_CERT=$1
++
++ CERT_NICK=`echo ${OCSP_CERT} | cut -d: -f1`
++ CERT_ISSUER=`echo ${OCSP_CERT} | cut -d: -f2`
++
++ if [ "${CERT_ISSUER}" = "x" ]; then
++ CERT_ISSUER=
++ CERT=${CERT_NICK}.cert
++ CERT_FILE="${QADIR}/libpkix/certs/${CERT}"
++ else
++ CERT=${CERT_NICK}${CERT_ISSUER}.der
++ CERT_FILE=${CERT}
++ fi
++
++ OCSP_HOST=$(${BINDIR}/pp -t certificate -i ${CERT_FILE} | grep URI | sed "s/.*:\/\///" | sed "s/:.*//")
++
++ if [ "${OS_ARCH}" = "WINNT" ]; then
++ ping -n 1 ${OCSP_HOST}
++ return $?
++ elif [ "${OS_ARCH}" = "HP-UX" ]; then
++ ping ${OCSP_HOST} -c 1
++ return $?
++ else
++ ping -c 1 ${OCSP_HOST}
++ return $?
++ fi
++}
++
+ ############################ parse_result ##############################
+ # local shell function to process expected result value
+ # this function was created for case that expected result depends on
+ # some conditions - in our case type of cert DB
+ #
+ # default results are pass and fail
+ # this function added parsable values in format:
+ # type1:value1 type2:value2 .... typex:valuex
+ #
+@@ -859,18 +890,25 @@
+ LOGFILE="${LOGDIR}/${LOGNAME}"
+ fi
+ ;;
+ "sleep")
+ sleep ${VALUE}
+ ;;
+ "break")
+ break
+ ;;
++ "check_ocsp")
++ check_ocsp ${VALUE}
++ if [ $? -ne 0 ]; then
++ echo "OCSP server not accessible, skipping OCSP tests"
++ break;
++ fi
++ ;;
+ "")
+ if [ -n "${ENTITY}" ]; then
+ if [ -z "${DB}" ]; then
+ create_entity "${ENTITY}" "${TYPE}"
+ fi
+ sign_cert "${ENTITY}" "${ISSUER}" "${TYPE}"
+ if [ "${TYPE}" = "Bridge" ]; then
+ create_pkcs7 "${ENTITY}"
+ fi
+Index: scenarios/ocsp.cfg
+===================================================================
+RCS file: /cvsroot/mozilla/security/nss/tests/chains/scenarios/ocsp.cfg,v
+retrieving revision 1.4
+diff -u -9 -r1.4 ocsp.cfg
+--- scenarios/ocsp.cfg 19 Mar 2009 09:55:31 -0000 1.4
++++ security/nss/tests/chains/scenarios/ocsp.cfg 17 Apr 2009 13:02:49 -0000
+@@ -1,11 +1,13 @@
+ scenario OCSP
+
++check_ocsp OCSPEE11:x
++
+ db OCSPRoot
+ import OCSPRoot:x:CT,C,C
+
+ db OCSPCA1
+ import_key OCSPCA1
+
+ crl OCSPCA1
+
+ revoke OCSPCA1
diff --git a/mozilla-nss.changes b/mozilla-nss.changes
index 6e34cf8..793a182 100644
--- a/mozilla-nss.changes
+++ b/mozilla-nss.changes
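Review bot: The added check_ocsp() decides whether the whole OCSP scenario runs from a single ICMP echo to the host parsed out of the certificate, so a build host without network access, or one behind a filter that drops ICMP, skips every OCSP revocation test and leaves only an echo line in the log. `${OCSP_HOST}` is also passed to ping unquoted and is never checked for being empty, so a certificate whose `pp` output has no URI line (or more than one) produces a malformed ping command instead of a clear skip; adding `[ -n "${OCSP_HOST}" ] || return 1` before the OS_ARCH branches and quoting the variable in the three ping calls would cover that. The skip in the `"check_ocsp")` case should also be made visible in the test results rather than only on stdout, so that missing revocation coverage is noticed when a build is reviewed.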
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Mon Apr 20 14:47:43 CEST 2009 - wr@rosenauer.org + +- update to version 3.12.3 RTM + * default behaviour changed slightly but can be set up + backward compatible using environment variables + https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables + * New Korean SEED cipher + * Some new functions in the nss library: + CERT_RFC1485_EscapeAndQuote (see cert.h) + CERT_CompareCerts (see cert.h) + CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) + PK11_GetSymKeyHandle (see pk11pqg.h) + UTIL_SetForkState (see secoid.h) + NSS_GetAlgorithmPolicy (see secoid.h) + NSS_SetAlgorithmPolicy (see secoid.h) +- created libfreebl3 subpackage and build it w/o nspr and nss deps +- added patch to make all ASM noexecstack +- create the softokn3 and freebl3 checksums at installation time + (moved shlibsign to the main package to achieve that) +- applied upstream patch to avoid OSCP test failures (bmo#488646) +- applied upstream patch to fix libjar crashes (bmo#485145) + ------------------------------------------------------------------- Wed Feb 4 08:46:15 CET 2009 - wr@rosenauer.org diff --git a/mozilla-nss.spec b/mozilla-nss.spec index a0202ce..b277b98 100644 --- a/mozilla-nss.spec +++ b/mozilla-nss.spec @@ -1,5 +1,5 @@ # -# spec file for package mozilla-nss (Version 3.12.2) +# spec file for package mozilla-nss (Version 3.12.3) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -27,7 +27,7 @@ BuildRequires: sqlite-devel BuildRequires: sqlite3-devel %endif License: GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL) -Version: 3.12.2 +Version: 3.12.3 Release: 1 # bug437293 %ifarch ppc64 
@@ -37,6 +37,7 @@ Obsoletes: mozilla-nss-64bit Summary: Network (Netscape) Security Services Url: http://www.mozilla.org/projects/security/pki/nss/ Group: System/Libraries +# cvs -d :pserver:anonymous@cvs-mirror.mozilla.org:/cvsroot co -r NSS Source: nss-%{version}.tar.bz2 Source1: nss.pc.in Source2: addon-certs.txt @@ -46,10 +47,15 @@ Patch2: nss-sqlitename.patch Patch3: system-nspr.patch Patch4: char.patch Patch5: nss-no-rpath.patch +Patch6: nss-noexec.patch +Patch7: bmo488646-oscp-test.patch +Patch8: bmo485145-libjar.patch.bz2 # Remove remnant traces from the package split. Provides: libnss3 = %{version}-%{release} Obsoletes: libnss3 <= %{version}-%{release} -PreReq: mozilla-nspr >= %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) +%define nspr_ver %(rpm -q --queryformat '%{VERSION}' mozilla-nspr) +PreReq: mozilla-nspr >= %nspr_ver +PreReq: libfreebl3 >= %{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build %define nssdbdir %{_sysconfdir}/pki/nssdb @@ -72,11 +78,11 @@ Summary: Network (Netscape) Security Services development files Group: Development/Libraries/Other Requires: mozilla-nspr-devel Requires: mozilla-nss = %{version}-%{release} +Requires: libfreebl3 = %{version}-%{release} # bug437293 %ifarch ppc64 Obsoletes: mozilla-nss-devel-64bit %endif -# %description devel Network Security Services (NSS) is a set of libraries designed to @@ -95,8 +101,8 @@ Authors: License: GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL) Summary: Tools for developing, debugging, and managing applications that use NSS. Group: System/Management -PreReq: mozilla-nss >= %{version}-%{release} -PreReq: coreutils +PreReq: mozilla-nss >= %{version} +Requires(post): coreutils %description tools The NSS Security Tools allow developers to test, debug, and manage 
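Review bot: `PreReq: libfreebl3 >= %{version}` in the main package accepts any later libfreebl3, while the -devel subpackage in the following hunk pins `libfreebl3 = %{version}-%{release}`. The changelog in this commit says the freebl3 checksum is created at installation time by the main package, and the libfreebl3 scriptlets added further down only run ldconfig, so a libfreebl3 updated without mozilla-nss would keep a libfreebl3.chk computed for the previous library. Pinning the main package the same way, `PreReq: libfreebl3 = %{version}-%{release}`, keeps the library and its checksum in step.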
@@ -108,6 +114,26 @@ Authors: -------- Mozilla Foundation +%package -n libfreebl3 +License: GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL) +Summary: Freebl library for the Network Security Services +Group: System/Libraries + +%description -n libfreebl3 +Network Security Services (NSS) is a set of libraries designed to +support cross-platform development of security-enabled server +applications. Applications built with NSS can support SSL v2 and v3, +TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12, S/MIME, X.509 v3 +certificates, and other security standards. + +This package installs the freebl library from NSS. + + + +Authors: +-------- + Mozilla Foundation + %prep %setup -n nss-%{version} -q cd mozilla @@ -116,12 +142,16 @@ cd mozilla %patch3 %patch4 %patch5 +%patch6 +%patch7 +%patch8 # additional CA certificates #cd security/nss/lib/ckfw/builtins #cat %{SOURCE2} >> certdata.txt #make generate %build +export FREEBL_NO_DEPEND=1 cd mozilla/security/nss export NSPR_INCLUDE_DIR=`nspr-config --includedir` export NSPR_LIB_DIR=`nspr-config --libdir` @@ -152,6 +182,7 @@ fi mkdir -p $RPM_BUILD_ROOT%{_libdir}/nss mkdir -p $RPM_BUILD_ROOT%{_includedir}/nss3 mkdir -p $RPM_BUILD_ROOT%{_bindir} +mkdir -p $RPM_BUILD_ROOT/%{_lib} pushd mozilla/dist/Linux* # copy headers cp -rL ../public/nss/*.h $RPM_BUILD_ROOT%{_includedir}/nss3 @@ -164,9 +195,10 @@ cp -L lib/libnss3.so \ lib/libsoftokn3.so \ lib/libsoftokn3.chk \ lib/libssl3.so \ - lib/libfreebl3.so \ - lib/libfreebl3.chk \ $RPM_BUILD_ROOT%{_libdir} +cp -L lib/libfreebl3.so \ + lib/libfreebl3.chk \ + $RPM_BUILD_ROOT/%{_lib} %if %suse_version < 1030 cp -L lib/libnsssqlite3.so \ $RPM_BUILD_ROOT%{_libdir} 
@@ -203,7 +235,8 @@ cp -L bin/atob \ # prepare pkgconfig file mkdir -p $RPM_BUILD_ROOT%{_libdir}/pkgconfig/ sed "s:%%LIBDIR%%:%{_libdir}:g -s:%%VERSION%%:%{version}:g" \ +s:%%VERSION%%:%{version}:g +s:%%NSPR_VERSION%%:%{nspr_ver}:g" \ %{SOURCE1} > $RPM_BUILD_ROOT%{_libdir}/pkgconfig/nss.pc # prepare nss-config file popd @@ -220,10 +253,35 @@ cat %{SOURCE3} | sed -e "s,@libdir@,%{_libdir},g" \ > $RPM_BUILD_ROOT/%{_bindir}/nss-config chmod 755 $RPM_BUILD_ROOT/%{_bindir}/nss-config -%post -p /sbin/ldconfig +%post +/sbin/ldconfig +# sign +# removal of libfreebl3.so is a special needed case: +# with this package it moves to %_lib and therefore is still +# installed when %post runs disturbing the shlibsign tool +rm -f %{_libdir}/libfreebl3.so +rm -f %{_libdir}/libsoftokn3.chk +rm -f /%{_lib}/libfreebl3.chk +%{_libdir}/nss/shlibsign -i %{_libdir}/libsoftokn3.so +%{_libdir}/nss/shlibsign -i /%{_lib}/libfreebl3.so +# sign existing baselibs as well (FIXME other multiarchs) +%ifarch x86_64 +if [ -e /lib/libfreebl3.so ]; then + rm -f /lib/libfreebl3.chk + %{_libdir}/nss/shlibsign -i /lib/libfreebl3.so +fi +if [ -e /usr/lib/libsoftokn3.so ]; then + rm -f /usr/lib/libsoftokn3.chk + %{_libdir}/nss/shlibsign -i /usr/lib/libsoftokn3.so +fi +%endif %postun -p /sbin/ldconfig +%post -n libfreebl3 -p /sbin/ldconfig + +%postun -n libfreebl3 -p /sbin/ldconfig + %post tools if [ ! -d "%{nssdbdir}" ] ; then mkdir -p "%{nssdbdir}" @@ -238,8 +296,19 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-, root, root) -%{_libdir}/*.so -%{_libdir}/*.chk +%{_libdir}/libnss3.so +%{_libdir}/libnssckbi.so +%{_libdir}/libnssdbm3.so +%{_libdir}/libnssutil3.so +%{_libdir}/libsmime3.so +%{_libdir}/libsoftokn3.so +%{_libdir}/libssl3.so +%if %suse_version < 1030 +%{_libdir}/libnsssqlite3.so +%endif +%{_libdir}/nss/shlibsign +%ghost %verify(not md5 mtime size) %{_libdir}/libsoftokn3.chk +%ghost %verify(not md5 mtime size) /%{_lib}/libfreebl3.chk %files devel %defattr(644, root, root, 755) 
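Review bot: None of the shlibsign calls in the new %post has its result checked, and the old .chk files are deleted before signing, so a failed run leaves libsoftokn3.so or libfreebl3.so without a checksum file while the scriptlet can still exit 0, because only the status of its last command counts. Anything that verifies these files, such as the NSS FIPS-mode integrity check, would then fail later at runtime, far away from the install step that caused it. Each call should be tested, for example `%{_libdir}/nss/shlibsign -i %{_libdir}/libsoftokn3.so || echo "shlibsign failed for libsoftokn3.so" >&2`, and the same for the libfreebl3 and baselibs calls. A comment above the `rm -f` lines should also state that the checksums are regenerated on the target system and why the build-time ones are not shipped.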
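Review bot: The two .chk entries in %files are `%ghost %verify(not md5 mtime size)`, so `rpm -V mozilla-nss` will never report a changed or replaced checksum file; that follows from generating them in %post, but it removes the package database as an independent check on the files that vouch for libsoftokn3.so and libfreebl3.so. A comment above these two lines should say so, for example `# generated by shlibsign in %post, content cannot be verified by rpm -V`. In addition, /%{_lib}/libfreebl3.chk is owned here while libfreebl3.so is owned by the libfreebl3 subpackage (see the `%files -n libfreebl3` hunk), so erasing mozilla-nss alone removes the checksum and leaves the library installed without one.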
@@ -252,8 +321,33 @@ rm -rf $RPM_BUILD_ROOT %defattr(-, root, root) %{_bindir}/* %{_libdir}/nss/ +%exclude %{_libdir}/nss/shlibsign %exclude %{_bindir}/nss-config + +%files -n libfreebl3 +%defattr(-, root, root) +/%{_lib}/libfreebl3.so %changelog +* Mon Apr 20 2009 wr@rosenauer.org +- update to version 3.12.3 RTM + * default behaviour changed slightly but can be set up + backward compatible using environment variables + https://developer.mozilla.org/En/NSS_reference/NSS_environment_variables + * New Korean SEED cipher + * Some new functions in the nss library: + CERT_RFC1485_EscapeAndQuote (see cert.h) + CERT_CompareCerts (see cert.h) + CERT_RegisterAlternateOCSPAIAInfoCallBack (see ocsp.h) + PK11_GetSymKeyHandle (see pk11pqg.h) + UTIL_SetForkState (see secoid.h) + NSS_GetAlgorithmPolicy (see secoid.h) + NSS_SetAlgorithmPolicy (see secoid.h) +- created libfreebl3 subpackage and build it w/o nspr and nss deps +- added patch to make all ASM noexecstack +- create the softokn3 and freebl3 checksums at installation time + (moved shlibsign to the main package to achieve that) +- applied upstream patch to avoid OSCP test failures (bmo#488646) +- applied upstream patch to fix libjar crashes (bmo#485145) * Wed Feb 04 2009 wr@rosenauer.org - update to version 3.12.2 RTM (with CKBI 1.73) as in FF 3.0.6 * Tue Jan 13 2009 wr@rosenauer.org @@ -306,7 +400,7 @@ rm -rf $RPM_BUILD_ROOT - use string[0] instead of string in char.patch * Mon Jun 11 2007 ro@suse.de - update to NSS 3.11.6 (pull in from wr from opensuse BS) -* Wed Feb 21 2007 maw@suse.de +* Thu Feb 22 2007 maw@suse.de - Update to NSS 3.11.5 (thanks, Wolfgang) * Sun Oct 01 2006 wr@rosenauer.org - update to NSS 3.11.3 diff --git a/nss-3.12.2.tar.bz2 b/nss-3.12.2.tar.bz2 deleted file mode 100644 index 4c73c52..0000000 --- a/nss-3.12.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0d65867cde61e7ec6ed4dcde366acf96d39bdc408e7bd81dd5bba916297595ae -size 3976689 
diff --git a/nss-3.12.3.tar.bz2 b/nss-3.12.3.tar.bz2
new file mode 100644
index 0000000..e37d48b
--- /dev/null
+++ b/nss-3.12.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12522e8826a93ab0a75ae8cd2371d14a442c29b508c0cbfd9bbbb9d12a5a0d8b
+size 4057203
diff --git a/nss-noexec.patch b/nss-noexec.patch
new file mode 100644
index 0000000..9bbf50d
--- /dev/null
+++ b/nss-noexec.patch
@@ -0,0 +1,25 @@
+Index: mozilla/security/coreconf/Linux.mk
+===================================================================
+RCS file: /cvsroot/mozilla/security/coreconf/Linux.mk,v
+retrieving revision 1.35
+diff -u -8 -r1.35 Linux.mk
+--- security/coreconf/Linux.mk 5 Sep 2008 23:17:23 -0000 1.35
++++ security/coreconf/Linux.mk 3 Apr 2009 03:17:22 -0000
+@@ -172,16 +172,17 @@
+ endif
+
+ ARCH = linux
+
+ DSO_CFLAGS = -fPIC
+ DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs
+ DSO_LDFLAGS =
+ LDFLAGS += $(ARCHFLAG)
++ASFLAGS += -Wa,--noexecstack
+
+ # INCLUDES += -I/usr/include -Y/usr/include/linux
+ G++INCLUDES = -I/usr/include/g++
+
+ #
+ # Always set CPU_TAG on Linux, OpenVMS, WINCE.
+ #
+ CPU_TAG = _$(CPU_ARCH)
diff --git a/nss-sqlitename.patch b/nss-sqlitename.patch
index eac43a4..a39b344 100644
--- a/nss-sqlitename.patch
+++ b/nss-sqlitename.patch
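Review bot: `ASFLAGS += -Wa,--noexecstack` only takes effect for objects whose build rule passes ASFLAGS to the compiler driver, which cannot be confirmed from this hunk, and a single assembly object built another way is enough for the linker to mark a library's stack executable. Requesting it at link time as well, e.g. `DSO_LDOPTS = -shared $(ARCHFLAG) -Wl,-z,defs -Wl,-z,noexecstack`, makes the result independent of how each assembly file is built. A post-build check of the GNU_STACK program header (`readelf -lW` on the installed .so files) in the spec would catch a regression when the patch is next rebased.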
@@ -1,28 +1,3 @@ -Index: security/nss/cmd/platlibs.mk -=================================================================== -RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v -retrieving revision 1.55 -diff -u -p -6 -r1.55 platlibs.mk ---- security/nss/cmd/platlibs.mk 12 Oct 2007 01:44:40 -0000 1.55 -+++ security/nss/cmd/platlibs.mk 23 Jan 2008 08:25:42 -0000 -@@ -69,13 +69,17 @@ EXTRA_SHARED_LIBS += \ - else - EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib' - endif - endif - endif - -+ifdef NSS_USE_SYSTEM_SQLITE - SQLITE=-lsqlite3 -+else -+SQLITE=-lnsssqlite3 -+endif - - ifdef USE_STATIC_LIBS - - # can't do this in manifest.mn because OS_ARCH isn't defined there. - ifeq ($(OS_ARCH), WINNT) - Index: security/nss/lib/sqlite/manifest.mn =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/sqlite/manifest.mn,v @@ -73,3 +48,28 @@ diff -u -p -r1.23 config.mk endif ifeq ($(OS_TARGET),AIX) +Index: security/nss/cmd/platlibs.mk +=================================================================== +RCS file: /cvsroot/mozilla/security/nss/cmd/platlibs.mk,v +retrieving revision 1.59 +diff -u -p -6 -r1.59 platlibs.mk +--- security/nss/cmd/platlibs.mk 2 Dec 2008 23:24:46 -0000 1.59 ++++ security/nss/cmd/platlibs.mk 14 Apr 2009 11:07:52 -0000 +@@ -69,13 +69,17 @@ EXTRA_SHARED_LIBS += \ + else + EXTRA_SHARED_LIBS += -Wl,+b,'$$ORIGIN/../lib' + endif + endif + endif + ++ifdef NSS_USE_SYSTEM_SQLITE + SQLITE=-lsqlite3 ++else ++SQLITE=-lnsssqlite3 ++endif + + ifdef NSS_DISABLE_DBM + DBMLIB = $(NULL) + else + DBMLIB = $(DIST)/lib/$(LIB_PREFIX)dbm.$(LIB_SUFFIX) + endif diff --git a/nss.pc.in b/nss.pc.in index 26511df..84032a4 100644 --- a/nss.pc.in +++ b/nss.pc.in 
@@ -6,6 +6,6 @@ includedir=${prefix}/include/nss3
 Name: NSS
 Description: Network Security Services
 Version: %VERSION%
-Requires: nspr >= 4.7.2
-Libs: -Wl,-rpath-link,${libdir} -L${libdir} -lssl3 -lsmime3 -lnss3 -lnssutil3
+Requires: nspr >= %NSPR_VERSION%
+Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
 Cflags: -I${includedir}