From f6ec57311f2fde3fad7d56b371eb8606069d5601 Mon Sep 17 00:00:00 2001
From: Elio Maldonado
Date: Sat, 15 Jun 2013 12:48:12 -0700
Subject: [PATCH] Update to NSS_3_15_RTM
---
 no-softoken-freebl-tests.patch | 50 +++++++---------------
 nss-539183.patch | 10 ++---
 nss-enable-pem.patch | 6 +--
 nss-skip-bltest-and-fipstest.patch | 17 ++++++++
 nss-ssl-cbc-random-iv-off-by-default.patch | 8 ++--
 nss-ssl-enforce-no-pkcs11-bypass.path | 6 +--
 nss-versus-softoken-tests.patch | 38 ++++++++++++++++
 nss.spec | 21 +++++++--
 renegotiate-transitional.patch | 6 +--
 sources | 2 +-
 utilwrap-include-templates.patch | 18 ++++++++
 11 files changed, 125 insertions(+), 57 deletions(-)
 create mode 100644 nss-skip-bltest-and-fipstest.patch
 create mode 100644 nss-versus-softoken-tests.patch
 create mode 100644 utilwrap-include-templates.patch
diff --git a/no-softoken-freebl-tests.patch b/no-softoken-freebl-tests.patch
index ec27a97..3c2b9ae 100644
--- a/no-softoken-freebl-tests.patch
+++ b/no-softoken-freebl-tests.patch
@@ -1,39 +1,19 @@ diff -up nss/cmd/Makefile.nosoftokentests nss/cmd/Makefile ---- nss/cmd/Makefile.nosoftokentests 2012-12-22 14:06:13.193304912 -0800 -+++ nss/cmd/Makefile 2012-12-22 14:10:04.942248630 -0800 -@@ -14,6 +14,14 @@ ifdef BUILD_LIBPKIX_TESTS - DIRS += libpkix +--- nss/cmd/Makefile.nosoftokentests 2013-05-30 23:43:20.982027783 -0700 ++++ nss/cmd/Makefile 2013-05-30 23:47:11.865874884 -0700 +@@ -19,9 +19,15 @@ BLTEST_SRCDIR = + FIPSTEST_SRCDIR = + SHLIBSIGN_SRCDIR = + else ++ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) ++BLTEST_SRCDIR = ++FIPSTEST_SRCDIR = ++SHLIBSIGN_SRCDIR = ++else + BLTEST_SRCDIR = bltest + FIPSTEST_SRCDIR = fipstest + SHLIBSIGN_SRCDIR = shlibsign ++endif endif -+# nss-softoken only tests -+BLTEST_SRCDIR= -+FIPSTEST_SRCDIR= -+ifeq ($(NSS_BUILD_SOFTOKEN_ONLY),1) -+BLTEST_SRCDIR=bltest # Add the bltest directory to DIRS. -+FIPSTEST_SRCDIR=fipstest # Add the fipstest directory to DIRS. -+endif -+ LOWHASHTEST_SRCDIR= - ifeq ($(FREEBL_LOWHASH),1) - LOWHASHTEST_SRCDIR = lowhashtest # Add the lowhashtest directory to DIRS. -diff -up nss/cmd/manifest.mn.nosoftokentests nss/cmd/manifest.mn ---- nss/cmd/manifest.mn.nosoftokentests 2012-12-22 14:06:35.191293837 -0800 -+++ nss/cmd/manifest.mn 2012-12-22 14:11:22.342263467 -0800 -@@ -11,7 +11,7 @@ REQUIRES = nss nspr libdbm - DIRS = lib \ - addbuiltin \ - atob \ -- bltest \ -+ $(BLTEST_SRCDIR) \ - btoa \ - certcgi \ - certutil \ -@@ -23,7 +23,7 @@ DIRS = lib \ - derdump \ - digest \ - httpserv \ -- fipstest \ -+ $(FIPSTEST_SRCDIR) \ - $(LOWHASHTEST_SRCDIR) \ - listsuites \ - makepqg \ diff --git a/nss-539183.patch b/nss-539183.patch index 4247a55..3798c35 100644 --- a/nss-539183.patch +++ b/nss-539183.patch 
@@ -1,6 +1,6 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c ---- nss/cmd/httpserv/httpserv.c.539183 2013-04-04 13:31:50.000000000 -0700 -+++ nss/cmd/httpserv/httpserv.c 2013-04-04 15:44:24.965842070 -0700 +--- nss/cmd/httpserv/httpserv.c.539183 2013-05-28 14:43:24.000000000 -0700 ++++ nss/cmd/httpserv/httpserv.c 2013-05-30 22:16:46.685373471 -0700 @@ -661,14 +661,18 @@ getBoundListenSocket(unsigned short port PRStatus prStatus; PRNetAddr addr; @@ -26,9 +26,9 @@ diff -up nss/cmd/httpserv/httpserv.c.539183 nss/cmd/httpserv/httpserv.c opt.option = PR_SockOpt_Nonblocking; diff -up nss/cmd/selfserv/selfserv.c.539183 nss/cmd/selfserv/selfserv.c ---- nss/cmd/selfserv/selfserv.c.539183 2013-04-04 13:31:51.000000000 -0700 -+++ nss/cmd/selfserv/selfserv.c 2013-04-04 15:44:24.967842088 -0700 -@@ -1690,14 +1690,18 @@ getBoundListenSocket(unsigned short port +--- nss/cmd/selfserv/selfserv.c.539183 2013-05-28 14:43:24.000000000 -0700 ++++ nss/cmd/selfserv/selfserv.c 2013-05-30 22:16:46.688373495 -0700 +@@ -1687,14 +1687,18 @@ getBoundListenSocket(unsigned short port PRStatus prStatus; PRNetAddr addr; PRSocketOptionData opt; diff --git a/nss-enable-pem.patch b/nss-enable-pem.patch index 7234fcf..723039a 100644 --- a/nss-enable-pem.patch +++ b/nss-enable-pem.patch @@ -1,7 +1,7 @@ diff -up nss/lib/ckfw/manifest.mn.libpem nss/lib/ckfw/manifest.mn ---- nss/lib/ckfw/manifest.mn.libpem 2013-04-04 15:38:01.631363005 -0700 -+++ nss/lib/ckfw/manifest.mn 2013-04-04 15:38:32.668644523 -0700 -@@ -6,7 +6,7 @@ MANIFEST_CVS_ID = "@(#) $RCSfile$ $Revis +--- nss/lib/ckfw/manifest.mn.libpem 2013-05-28 14:43:24.000000000 -0700 ++++ nss/lib/ckfw/manifest.mn 2013-05-30 22:14:49.247459672 -0700 +@@ -5,7 +5,7 @@ CORE_DEPTH = ../.. diff --git a/nss-skip-bltest-and-fipstest.patch b/nss-skip-bltest-and-fipstest.patch new file mode 100644 index 0000000..7d2427b --- /dev/null +++ b/nss-skip-bltest-and-fipstest.patch 
@@ -0,0 +1,17 @@ +diff -up nss/cmd/Makefile.skipthem nss/cmd/Makefile +--- nss/cmd/Makefile.nobltest 2013-05-28 14:43:24.000000000 -0700 ++++ nss/cmd/Makefile 2013-06-15 11:51:11.669655168 -0700 +@@ -14,10 +14,10 @@ ifdef BUILD_LIBPKIX_TESTS + DIRS += libpkix + endif + +-ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1) ++ifeq ($(NSS_BLTEST_NOT_AVAILABLE),1) + BLTEST_SRCDIR = +-FIPSTEST_SRCDIR = +-SHLIBSIGN_SRCDIR = ++FIPSTEST_SRCDIR = ++SHLIBSIGN_SRCDIR = shlibsign + else + BLTEST_SRCDIR = bltest + FIPSTEST_SRCDIR = fipstest diff --git a/nss-ssl-cbc-random-iv-off-by-default.patch b/nss-ssl-cbc-random-iv-off-by-default.patch index bdc777e..85fa5b8 100644 --- a/nss-ssl-cbc-random-iv-off-by-default.patch +++ b/nss-ssl-cbc-random-iv-off-by-default.patch @@ -1,7 +1,7 @@ diff -up nss/lib/ssl/sslsock.c.cbcrandomivoff nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-04-04 16:07:40.273535199 -0700 -+++ nss/lib/ssl/sslsock.c 2013-04-04 16:10:02.861834236 -0700 -@@ -153,7 +153,7 @@ static sslOptions ssl_defaults = { +--- nss/lib/ssl/sslsock.c.cbcrandomivoff 2013-05-30 22:20:52.181292812 -0700 ++++ nss/lib/ssl/sslsock.c 2013-05-30 22:20:52.194292913 -0700 +@@ -152,7 +152,7 @@ static sslOptions ssl_defaults = { 3, /* enableRenegotiation (default: transitional) */ PR_FALSE, /* requireSafeNegotiation */ PR_FALSE, /* enableFalseStart */ @@ -10,7 +10,7 @@ diff -up nss/lib/ssl/sslsock.c.cbcrandomivoff nss/lib/ssl/sslsock.c PR_FALSE /* enableOCSPStapling */ }; -@@ -2910,9 +2910,9 @@ ssl_SetDefaultsFromEnvironment(void) +@@ -2906,9 +2906,9 @@ ssl_SetDefaultsFromEnvironment(void) PR_TRUE)); } ev = getenv("NSS_SSL_CBC_RANDOM_IV"); diff --git a/nss-ssl-enforce-no-pkcs11-bypass.path b/nss-ssl-enforce-no-pkcs11-bypass.path index b9e41e6..3c99446 100644 --- a/nss-ssl-enforce-no-pkcs11-bypass.path +++ b/nss-ssl-enforce-no-pkcs11-bypass.path 
@@ -1,7 +1,7 @@ diff -up nss/lib/ssl/sslsock.c.nobypass nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.nobypass 2013-04-04 16:52:20.614559042 -0700 -+++ nss/lib/ssl/sslsock.c 2013-04-04 16:55:55.353777732 -0700 -@@ -554,8 +554,10 @@ static PRStatus SSL_BypassRegisterShutdo +--- nss/lib/ssl/sslsock.c.nobypass 2013-05-30 22:23:37.305583715 -0700 ++++ nss/lib/ssl/sslsock.c 2013-05-30 22:23:37.311583762 -0700 +@@ -553,8 +553,10 @@ static PRStatus SSL_BypassRegisterShutdo static PRStatus SSL_BypassSetup(void) { #ifdef NO_PKCS11_BYPASS diff --git a/nss-versus-softoken-tests.patch b/nss-versus-softoken-tests.patch new file mode 100644 index 0000000..e77487d --- /dev/null +++ b/nss-versus-softoken-tests.patch 
@@ -0,0 +1,38 @@
+diff -up nss/tests/all.sh.crypto nss/tests/all.sh
+--- nss/tests/all.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/all.sh 2013-06-13 12:14:12.741082184 -0700
+@@ -299,9 +299,10 @@ fi
+ # created, we check for modutil to know whether the build
+ # is complete. If a new file is created after that, the
+ # following test for modutil should check for that instead.
++# Except when building softoken only where shlibsign is the last one built.
++export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
+ 
+-if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a \
+- ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
++if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
+ echo "Build Incomplete. Aborting test." >> ${LOGFILE}
+ html_head "Testing Initialization"
+ Exit "Checking for build"
+diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
+--- nss/tests/cipher/cipher.sh.crypto 2013-05-28 14:43:24.000000000 -0700
++++ nss/tests/cipher/cipher.sh 2013-06-13 11:58:00.956064976 -0700
+@@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
+ return 0
+ fi
+ cipher_init
+-cipher_main
+-cipher_gcm
++if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
++ echo "Skipping cipher_gcm because this is a softoken only build"
++ cipher_main
++elif [ "${NSS_BUILD_WITHOUT_SOFTOKEN}" = "1" ]; then
++ echo "Skipping cipher_main because this an nss without softoken build"
++ cipher_gcm
++else
++ # default is to run both
++ cipher_init
++ cipher_main
++ cipher_gcm
++fi
+ cipher_cleanup
diff --git a/nss.spec b/nss.spec
index 6775055..18db246 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,4 +1,4 @@
-%global nspr_version 4.9.5
+%global nspr_version 4.10
 %global nss_util_version 3.15
 %global nss_softokn_fips_version 3.12.9
 %global nss_softokn_version 3.15
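Review bot: The `export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil` line added to nss/tests/all.sh is not a conditional assignment: the shell reads it as `export LAST_BUILT=[` with stray arguments and then tries to run `shlibsign` or `modutil` as a command, so LAST_BUILT never holds a program name. The rewritten test `[ ! -f … -a ]` also ends in a dangling `-a`, so the build-complete guard in front of the test suite is malformed and its outcome cannot be relied on. A plain if/else assignment and a single quoted `-f` test, as below, would restore the guard; it relies on PROG_SUFFIX already being set at that point in all.sh, which this hunk does not show. In the cipher.sh part, the final `else` branch calls `cipher_init` a second time after the unconditional call just above the `if`; that line looks unintended and could be dropped.

```shell
# … unchanged: comment block explaining which binary is built last …
if [ "${NSS_BUILD_SOFTOKEN_ONLY}" = "1" ]; then
    LAST_BUILT=shlibsign
else
    LAST_BUILT=modutil
fi

if [ ! -f "${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX}" ]; then
# … unchanged: "Build Incomplete" logging, html_head and Exit …
```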
@@ -19,7 +19,7 @@ Summary: Network Security Services Name: nss Version: 3.15 -Release: 0.1%{?dist}.beta1.2 +Release: 1%{?dist} License: MPLv2.0 URL: http://www.mozilla.org/projects/security/pki/nss/ Group: System Environment/Libraries @@ -96,6 +96,10 @@ Patch45: Bug-896651-pem-dont-trash-keys-on-failed-login.patch # The ocsp stapling tests currently require access to the # kuix.de test server but koji forbids outbount connections Patch46: disable-ocsp-stapling-tests.patch +Patch47: utilwrap-include-templates.patch +Patch48: nss-versus-softoken-tests.patch +# TODO remove when we switch to building nss without softoken +Patch49: nss-skip-bltest-and-fipstest.patch %description Network Security Services (NSS) is a set of libraries designed to @@ -182,10 +186,13 @@ low level services. #%patch29 -p0 -b .cbcrandomivoff #%patch39 -p0 -b .nobypass %patch40 -p0 -b .noocsptest -%patch43 -p0 -b .nosoftokentests +#%patch43 -p0 -b .nosoftokentests %patch44 -p1 -b .syncupwithupstream %patch45 -p0 -b .notrash %patch46 -p0 -b .skipoutbound +#%patch47 -p0 -b .templates +%patch48 -p0 -b .crypto +%patch49 -p0 -b .skipthem %build @@ -262,9 +269,11 @@ export NSS_ECC_MORE_THAN_SUITE_B # private exports from util. The install section will ensure not # to override nss-util and nss-softoken headers already installed. # +export NSS_BLTEST_NOT_AVAILABLE=1 %{__make} -C ./nss/coreconf %{__make} -C ./nss/lib/dbm %{__make} -C ./nss +unset NSS_BLTEST_NOT_AVAILABLE ##### phase 3: build bltest and fipstest tar xf build_these_later.tar @@ -328,6 +337,9 @@ export BUILD_OPT USE_64=1 export USE_64 %endif + +export NSS_BLTEST_NOT_AVAILABLE=1 + # End -- copied from the build section # enable the following line to force a test failure @@ -682,6 +694,9 @@ fi %changelog +* Sat Jun 15 2013 Elio Maldonado - 3.15-1 +- Update to NSS_3_15_RTM + * Wed Apr 24 2013 Elio Maldonado - 3.15-0.1.beta1.2 - Fix incorrect path that hid failed test from view - Add ocsp to the test suites to run but ... 
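Review bot: The second `export NSS_BLTEST_NOT_AVAILABLE=1`, added in the `@@ -328,6 +337,9 @@` hunk (which appears to be the %check section), has no comment and no matching `unset`, unlike the build section where the variable is unset again before phase 3 builds bltest and fipstest. In the patches shown on this page the variable is read only by nss/cmd/Makefile, so it is unclear what consumes it during the test run. If the test scripts do depend on it, a one-line comment such as `# keep cmd/Makefile from descending into bltest/fipstest if the test run invokes make` would record why. If nothing consumes it, dropping the line avoids suggesting that the cipher and FIPS tests are being skipped.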
diff --git a/renegotiate-transitional.patch b/renegotiate-transitional.patch index 730bbc1..c55a1a2 100644 --- a/renegotiate-transitional.patch +++ b/renegotiate-transitional.patch @@ -1,7 +1,7 @@ diff -up nss/lib/ssl/sslsock.c.transitional nss/lib/ssl/sslsock.c ---- nss/lib/ssl/sslsock.c.transitional 2013-04-04 15:32:21.567170092 -0700 -+++ nss/lib/ssl/sslsock.c 2013-04-04 15:33:20.555729144 -0700 -@@ -150,7 +150,7 @@ static sslOptions ssl_defaults = { +--- nss/lib/ssl/sslsock.c.transitional 2013-05-30 22:10:54.882675807 -0700 ++++ nss/lib/ssl/sslsock.c 2013-05-30 22:12:11.909260024 -0700 +@@ -149,7 +149,7 @@ static sslOptions ssl_defaults = { PR_FALSE, /* noLocks */ PR_FALSE, /* enableSessionTickets */ PR_FALSE, /* enableDeflate */ diff --git a/sources b/sources index bedd7b5..ab31890 100644 --- a/sources +++ b/sources @@ -7,5 +7,5 @@ a5ae49867124ac75f029a9a33af31bad blank-cert8.db f998b70c1be25e8bb9f5fdb5d50eb6f2 TestCA.ca.cert 1b7b6808cd77d5df29bf5bb9e5fac967 TestUser50.cert ab0b56dd505a995425c03e5266f7c8d6 TestUser51.cert -efb41291d540c1278bbb953d201b41bf nss-3.15-stripped.tar.bz2 +496ef1cf07cf38bf0c1a8dae2d880a5e nss-3.15-stripped.tar.bz2 8b9cf94e7ed23586ab3f618366b6acb6 nss-pem-20130405.tar.bz2 diff --git a/utilwrap-include-templates.patch b/utilwrap-include-templates.patch new file mode 100644 index 0000000..4f468f4 --- /dev/null +++ b/utilwrap-include-templates.patch 
@@ -0,0 +1,18 @@
+Index: ./nss/lib/nss/config.mk
+===================================================================
+RCS file: /cvsroot/nss/lib/nss/config.mk,v
+retrieving revision 1.37
+diff -u -p -r1.37 config.mk
+--- ./nss/lib/nss/config.mk 25 Apr 2012 14:50:03 -0000 1.37
++++ ./nss/lib/nss/config.mk 7 Feb 2013 02:22:58 -0000
+@@ -3,6 +3,10 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
++INCLUDES += -I/usr/include/nss3/templates
++endif
++
+ # can't do this in manifest.mn because OS_TARGET isn't defined there.
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+ 
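Review bot: The added `INCLUDES += -I/usr/include/nss3/templates` hard-codes an absolute host path, so with NSS_BUILD_WITHOUT_SOFTOKEN=1 the build compiles against whatever template headers happen to be installed on the build machine rather than a location the spec controls. Taking the directory from a make variable with that path as its default would keep this overridable, for example `NSS_TEMPLATES_INCDIR ?= /usr/include/nss3/templates` and `INCLUDES += -I$(NSS_TEMPLATES_INCDIR)` (the variable name is made up for illustration). A comment saying which installed package is expected to provide the headers would also help; presumably that is nss-util, but the hunk does not say.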