From 1be8c9d88ace1b354d5056a4fe650dc0d29ea127 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 23 2019 00:43:52 +0000
Subject: import p11-kit-0.23.5-3.el7
---
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0c316ba
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/p11-kit-0.23.5.tar.gz
diff --git a/.p11-kit.metadata b/.p11-kit.metadata
new file mode 100644
index 0000000..d550650
--- /dev/null
+++ b/.p11-kit.metadata
@@ -0,0 +1 @@
+964ef53439fff90ce2bf60024ef9bc26cb8534f7 SOURCES/p11-kit-0.23.5.tar.gz
diff --git a/SOURCES/p11-kit-doc.patch b/SOURCES/p11-kit-doc.patch
new file mode 100644
index 0000000..0a056a0
--- /dev/null
+++ b/SOURCES/p11-kit-doc.patch
@@ -0,0 +1,25 @@
+From 14c50e25d8280ce81a323ef79a71a66892b65f1a Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 12 Jun 2017 15:38:21 +0200
+Subject: [PATCH] doc: Use correct PKCS#11 URI syntax
+
+---
+ doc/manual/trust.xml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/doc/manual/trust.xml b/doc/manual/trust.xml
+index f6f2b3e..14dcbba 100644
+--- a/doc/manual/trust.xml
++++ b/doc/manual/trust.xml
+@@ -157,7 +157,7 @@ $ trust list
+
+ $ trust anchor /path/to/certificate.crt
+ $ trust anchor --remove /path/to/certificate.crt
+-$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;object-type=cert"
++$ trust anchor --remove "pkcs11:id=%AA%BB%CC%DD%EE;type=cert"
+
+
+ Store or remove trust anchors in the trust policy store. These are
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-modifiable.patch b/SOURCES/p11-kit-modifiable.patch
new file mode 100644
index 0000000..3d4b4d3
--- /dev/null
+++ b/SOURCES/p11-kit-modifiable.patch
@@ -0,0 +1,256 @@
+From acf8c4a91a76bf8049f6bfbd95b04e2e36bae4ea Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 10:45:26 +0200
+Subject: [PATCH 1/2] Revert "trust: Honor "modifiable" setting in persist
+ file"
+
+This reverts commit 8eed1e60b0921d05872e2f43eee9088cef038d7e, which
+broke "trust anchor --remove".
+---
+ trust/input/verisign-v1.p11-kit | 1 -
+ trust/parser.c | 10 +---------
+ trust/test-parser.c | 1 -
+ 3 files changed, 1 insertion(+), 11 deletions(-)
+
+diff --git a/trust/input/verisign-v1.p11-kit b/trust/input/verisign-v1.p11-kit
+index aea49ea..eaa080d 100644
+--- a/trust/input/verisign-v1.p11-kit
++++ b/trust/input/verisign-v1.p11-kit
+@@ -1,6 +1,5 @@
+ [p11-kit-object-v1]
+ trusted: true
+-modifiable: false
+
+ -----BEGIN CERTIFICATE-----
+ MIICPDCCAaUCED9pHoGc8JpK83P/uUii5N0wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+diff --git a/trust/parser.c b/trust/parser.c
+index 52d1128..41513d4 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -610,7 +610,6 @@ p11_parser_format_persist (p11_parser *parser,
+ {
+ CK_BBOOL modifiablev = CK_TRUE;
+ CK_ATTRIBUTE *attrs;
+- CK_ATTRIBUTE *attr;
+ p11_array *objects;
+ bool ret;
+ int i;
+@@ -631,14 +630,7 @@ p11_parser_format_persist (p11_parser *parser,
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
+ for (i = 0; i < objects->num; i++) {
+- /* By default, we mark objects read from a persist
+- * file as modifiable, as the persist format is
+- * writable. However, if CKA_MODIFIABLE is explictly
+- * set in the file, respect the setting. */
+- attrs = objects->elem[i];
+- attr = p11_attrs_find_valid (objects->elem[i], CKA_MODIFIABLE);
+- if (!attr)
+- attrs = p11_attrs_build (attrs, &modifiable, NULL);
++ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/test-parser.c b/trust/test-parser.c
+index 088cff9..b5c2525 100644
+--- a/trust/test-parser.c
++++ b/trust/test-parser.c
+@@ -168,7 +168,6 @@ test_parse_p11_kit_persist (void)
+ { CKA_CLASS, &certificate, sizeof (certificate) },
+ { CKA_VALUE, (void *)verisign_v1_ca, sizeof (verisign_v1_ca) },
+ { CKA_TRUSTED, &truev, sizeof (truev) },
+- { CKA_MODIFIABLE, &falsev, sizeof (falsev) },
+ { CKA_X_DISTRUSTED, &falsev, sizeof (falsev) },
+ { CKA_INVALID },
+ };
+--
+2.9.4
+
+
+From 66c6a7e912d39d66cd4cc91375ac7be418bf7176 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 11:11:45 +0200
+Subject: [PATCH 2/2] trust: Check magic comment in persist file for
+ modifiablity
+
+A persistent file written by the trust module starts with the line "#
+This file has been auto-generated and written by p11-kit". This can
+be used as a magic word to determine whether the objects read from a
+.p11-kit file are read-only.
+---
+ trust/parser.c | 6 +++++-
+ trust/persist.c | 9 ++++++++-
+ trust/test-token.c | 1 +
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index 41513d4..abe86fc 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -49,6 +49,7 @@
+ #include "pem.h"
+ #include "pkcs11x.h"
+ #include "persist.h"
++#include "types.h"
+ #include "x509.h"
+
+ #include
+@@ -630,7 +631,10 @@ p11_parser_format_persist (p11_parser *parser,
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
+ for (i = 0; i < objects->num; i++) {
+- attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
++ CK_BBOOL generatedv;
++ attrs = objects->elem[i];
++ if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
++ attrs = p11_attrs_build (attrs, &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/persist.c b/trust/persist.c
+index 63a531e..928260e 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -631,6 +631,9 @@ p11_persist_read (p11_persist *persist,
+ CK_ATTRIBUTE *attrs;
+ bool failed;
+ bool skip;
++ CK_BBOOL generatedv = CK_FALSE;
++ CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
++ static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+
+ return_val_if_fail (persist != NULL, false);
+ return_val_if_fail (objects != NULL, false);
+@@ -639,6 +642,10 @@ p11_persist_read (p11_persist *persist,
+ attrs = NULL;
+ failed = false;
+
++ if (length >= sizeof (comment) - 1 &&
++ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
++ generatedv = CK_TRUE;
++
+ p11_lexer_init (&lexer, filename, (const char *)data, length);
+ while (p11_lexer_next (&lexer, &failed)) {
+ switch (lexer.tok_type) {
+@@ -650,7 +657,7 @@ p11_persist_read (p11_persist *persist,
+ p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ skip = true;
+ } else {
+- attrs = p11_attrs_build (NULL, NULL);
++ attrs = p11_attrs_build (NULL, &generated, NULL);
+ return_val_if_fail (attrs != NULL, false);
+ skip = false;
+ }
+diff --git a/trust/test-token.c b/trust/test-token.c
+index ad22fcb..3e7d735 100644
+--- a/trust/test-token.c
++++ b/trust/test-token.c
+@@ -610,6 +610,7 @@ static void
+ test_modify_multiple (void)
+ {
+ const char *test_data =
++ "# This file has been auto-generated and written by p11-kit.\n"
+ "[p11-kit-object-v1]\n"
+ "class: data\n"
+ "label: \"first\"\n"
+--
+2.9.4
+
+From d661194319f2375c1764125b449bf924c0cbc8a1 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Thu, 18 May 2017 14:27:36 +0200
+Subject: [PATCH] trust: Simplify the check for the magic
+
+Instead of reusing the CKA_X_GENERATED attribute, check the file
+contents directly in the caller side.
+---
+ trust/parser.c | 7 +++----
+ trust/persist.c | 19 +++++++++++--------
+ trust/persist.h | 3 +++
+ 3 files changed, 17 insertions(+), 12 deletions(-)
+
+diff --git a/trust/parser.c b/trust/parser.c
+index abe86fc..f92cdc9 100644
+--- a/trust/parser.c
++++ b/trust/parser.c
+@@ -630,11 +630,10 @@ p11_parser_format_persist (p11_parser *parser,
+
+ ret = p11_persist_read (parser->persist, parser->basename, data, length, objects);
+ if (ret) {
++ if (!p11_persist_is_generated (data, length))
++ modifiablev = CK_FALSE;
+ for (i = 0; i < objects->num; i++) {
+- CK_BBOOL generatedv;
+- attrs = objects->elem[i];
+- if (p11_attrs_find_bool (attrs, CKA_X_GENERATED, &generatedv) && generatedv)
+- attrs = p11_attrs_build (attrs, &modifiable, NULL);
++ attrs = p11_attrs_build (objects->elem[i], &modifiable, NULL);
+ sink_object (parser, attrs);
+ }
+ }
+diff --git a/trust/persist.c b/trust/persist.c
+index 928260e..887b316 100644
+--- a/trust/persist.c
++++ b/trust/persist.c
+@@ -70,6 +70,16 @@ p11_persist_magic (const unsigned char *data,
+ return (strnstr ((char *)data, "[" PERSIST_HEADER "]", length) != NULL);
+ }
+
++bool
++p11_persist_is_generated (const unsigned char *data,
++ size_t length)
++{
++ static const char comment[] =
++ "# This file has been auto-generated and written by p11-kit.";
++ return length >= sizeof (comment) - 1 &&
++ memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0;
++}
++
+ p11_persist *
+ p11_persist_new (void)
+ {
+@@ -631,9 +641,6 @@ p11_persist_read (p11_persist *persist,
+ CK_ATTRIBUTE *attrs;
+ bool failed;
+ bool skip;
+- CK_BBOOL generatedv = CK_FALSE;
+- CK_ATTRIBUTE generated = { CKA_X_GENERATED, &generatedv, sizeof (generatedv) };
+- static const char comment[] = "# This file has been auto-generated and written by p11-kit.";
+
+ return_val_if_fail (persist != NULL, false);
+ return_val_if_fail (objects != NULL, false);
+@@ -642,10 +649,6 @@ p11_persist_read (p11_persist *persist,
+ attrs = NULL;
+ failed = false;
+
+- if (length >= sizeof (comment) - 1 &&
+- memcmp ((const char *)data, comment, sizeof (comment) - 1) == 0)
+- generatedv = CK_TRUE;
+-
+ p11_lexer_init (&lexer, filename, (const char *)data, length);
+ while (p11_lexer_next (&lexer, &failed)) {
+ switch (lexer.tok_type) {
+@@ -657,7 +660,7 @@ p11_persist_read (p11_persist *persist,
+ p11_lexer_msg (&lexer, "unrecognized or invalid section header");
+ skip = true;
+ } else {
+- attrs = p11_attrs_build (NULL, &generated, NULL);
++ attrs = p11_attrs_build (NULL, NULL);
+ return_val_if_fail (attrs != NULL, false);
+ skip = false;
+ }
+diff --git a/trust/persist.h b/trust/persist.h
+index 0ef142c..6344e4e 100644
+--- a/trust/persist.h
++++ b/trust/persist.h
+@@ -60,4 +60,7 @@ bool p11_persist_write (p11_persist *persist,
+
+ void p11_persist_free (p11_persist *persist);
+
++bool p11_persist_is_generated (const unsigned char *data,
++ size_t length);
++
+ #endif /* P11_PERSIST_H_ */
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-oaep.patch b/SOURCES/p11-kit-oaep.patch
new file mode 100644
index 0000000..9b5766b
--- /dev/null
+++ b/SOURCES/p11-kit-oaep.patch
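Review bot: In the last patch of p11-kit-modifiable.patch, `p11_parser_format_persist` sets CKA_MODIFIABLE for every object purely from `p11_persist_is_generated (data, length)`, a `memcmp` of the leading bytes against a fixed comment, and nothing in the diff documents that this is a convention rather than a protection. Anyone able to edit a .p11-kit file can add or drop that first line, so the flag only separates hand-written from tool-written files and write protection of the trust store still has to come from file permissions; the prefix match also succeeds when other text follows the comment on the same line. I would add a comment above the function, e.g. `/* Heuristic: true when the buffer starts with the header p11-kit writes; not an integrity or authorization check */`, and a parser test for a persist file without the header that expects CKA_MODIFIABLE to be false, since the only test touched here (`test_modify_multiple`) covers the generated case. The bodies of `p11_parser_format_persist` and `p11_persist_read` continue outside the hunks shown.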
@@ -0,0 +1,38 @@
+From c11a951a24b91f80e109951b0fe2ce418ea70f17 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Tue, 23 May 2017 11:55:25 +0200
+Subject: [PATCH] pkcs11: Make CK_RSA_PKCS_OAEP_PARAMS useful
+
+---
+ common/pkcs11.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/common/pkcs11.h b/common/pkcs11.h
+index 357c9bb..ad1cdec 100644
+--- a/common/pkcs11.h
++++ b/common/pkcs11.h
+@@ -738,6 +738,12 @@ struct ck_mechanism_info
+ ck_flags_t flags;
+ };
+
++#define CKG_MGF1_SHA1 0x00000001UL
++#define CKG_MGF1_SHA224 0x00000005UL
++#define CKG_MGF1_SHA256 0x00000002UL
++#define CKG_MGF1_SHA384 0x00000003UL
++#define CKG_MGF1_SHA512 0x00000004UL
++
+ typedef unsigned long ck_rsa_pkcs_mgf_type_t;
+ typedef unsigned long ck_rsa_pkcs_oaep_source_type_t;
+
+@@ -1319,7 +1325,7 @@ typedef struct ck_function_list **CK_FUNCTION_LIST_PTR_PTR;
+ typedef struct ck_c_initialize_args CK_C_INITIALIZE_ARGS;
+ typedef struct ck_c_initialize_args *CK_C_INITIALIZE_ARGS_PTR;
+
+-typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAM;
++typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAMS;
+ typedef struct ck_rsa_pkcs_oaep_params *CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+ #define NULL_PTR NULL
+--
+2.9.4
+
diff --git a/SOURCES/p11-kit-strerror.patch b/SOURCES/p11-kit-strerror.patch
new file mode 100644
index 0000000..f72764c
--- /dev/null
+++ b/SOURCES/p11-kit-strerror.patch
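Review bot: The second hunk of the pkcs11.h change in p11-kit-oaep.patch replaces the typedef name `CK_RSA_PKCS_OAEP_PARAM` instead of adding the corrected spelling next to it, so any code that compiled against the old header using the misspelled name stops building. Keeping both is cheap: `typedef struct ck_rsa_pkcs_oaep_params CK_RSA_PKCS_OAEP_PARAM; /* old misspelling, kept for source compatibility */`. For the new `CKG_MGF1_*` block, a one-line comment such as `/* MGF identifiers for ck_rsa_pkcs_mgf_type_t; values are not in digest-size order */` would tell a reader that SHA224 being 0x5 while SHA256 is 0x2 is intended.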
@@ -0,0 +1,17 @@
+diff -up ./p11-kit/rpc-transport.c.strerror ./p11-kit/rpc-transport.c
+--- ./p11-kit/rpc-transport.c.strerror 2017-06-12 11:44:45.799209430 +0200
++++ ./p11-kit/rpc-transport.c 2017-06-12 11:46:41.979498070 +0200
+@@ -1065,7 +1065,12 @@ rpc_unix_connect (p11_rpc_client_vtable
+ }
+
+ if (connect (fd, (struct sockaddr *)&run->sa, sizeof (run->sa)) < 0) {
+- p11_debug ("failed to connect to socket: %s", strerror (errno));
++ int errn = errno;
++ char strerr[P11_MESSAGE_MAX];
++ snprintf (strerr, sizeof (strerr), "Unknown error %d", errn);
++ strerror_r (errn, strerr, sizeof (strerr));
++ strerr[P11_MESSAGE_MAX - 1] = 0;
++ p11_debug ("failed to connect to socket: %s", strerr);
+ close (fd);
+ return CKR_DEVICE_REMOVED;
+ }
diff --git a/SOURCES/trust-extract-compat b/SOURCES/trust-extract-compat
new file mode 100755
index 0000000..fe9c991
--- /dev/null
+++ b/SOURCES/trust-extract-compat
@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+set -e
+
+if test "$UID" != "0"; then
+ echo "p11-kit: the 'extract-trust' command must be run as root" >&2
+ exit 2
+fi
+
+if test $# -gt 1; then
+ echo "p11-kit: no additional arguments are supported for this command" >&2
+ exit 2
+fi
+
+exec /usr/bin/update-ca-trust
+
diff --git a/SPECS/p11-kit.spec b/SPECS/p11-kit.spec
new file mode 100644
index 0000000..6a057e2
--- /dev/null
+++ b/SPECS/p11-kit.spec
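Review bot: The return value of `strerror_r (errn, strerr, sizeof (strerr))` in p11-kit-strerror.patch is ignored, and with the GNU variant of that function (the one glibc selects when `_GNU_SOURCE` is defined; which variant this file gets is not visible here) the message can come back as a pointer without `strerr` being written. In that case the debug line always prints the pre-filled "Unknown error N" and the real reason for the failed connect() is lost. Using the returned pointer when the GNU variant is in effect, as sketched below, keeps the thread-safe call and the message; the condition may need adjusting to the build's feature-test macros. `rpc_unix_connect` continues outside the hunk, so whether `P11_MESSAGE_MAX` and the string header are already in scope cannot be checked from here.

```c
	int errn = errno;
	char strerr[P11_MESSAGE_MAX];
	const char *msg;
#if defined(__GLIBC__) && defined(_GNU_SOURCE)
	/* GNU variant: the message is the return value; strerr may stay untouched */
	msg = strerror_r (errn, strerr, sizeof (strerr));
#else
	/* XSI variant: strerr is filled and 0 is returned on success */
	if (strerror_r (errn, strerr, sizeof (strerr)) != 0)
		snprintf (strerr, sizeof (strerr), "Unknown error %d", errn);
	msg = strerr;
#endif
	p11_debug ("failed to connect to socket: %s", msg);
	/* … unchanged: close (fd) and return CKR_DEVICE_REMOVED … */
```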
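Review bot: The argument guard `test $# -gt 1` in trust-extract-compat still lets one argument through, while its message says no additional arguments are supported; that argument is then silently dropped because `exec /usr/bin/update-ca-trust` passes nothing on. Unless the caller always supplies one fixed argument (the invocation is not visible in this diff), `if test $# -gt 0; then` matches the message. A short header comment such as `# Compatibility wrapper: 'extract-trust' only runs update-ca-trust, as root` would also say why the script exists.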
@@ -0,0 +1,304 @@
+Name: p11-kit
+Version: 0.23.5
+Release: 3%{?dist}
+Summary: Library for loading and sharing PKCS#11 modules
+
+License: BSD
+URL: http://p11-glue.freedesktop.org/p11-kit.html
+Source0: http://p11-glue.freedesktop.org/releases/p11-kit-%{version}.tar.gz
+Source1: trust-extract-compat
+Patch0: p11-kit-modifiable.patch
+Patch1: p11-kit-strerror.patch
+Patch2: p11-kit-oaep.patch
+Patch3: p11-kit-doc.patch
+
+BuildRequires: libtasn1-devel >= 2.3
+BuildRequires: nss-softokn-freebl
+BuildRequires: libffi-devel
+BuildRequires: gtk-doc
+
+%description
+p11-kit provides a way to load and enumerate PKCS#11 modules, as well
+as a standard configuration setup for installing PKCS#11 modules in
+such a way that they're discoverable.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+
+%description devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+%package doc
+Summary: Documentation files for %{name}
+BuildArch: noarch
+
+%description doc
+The %{name}-doc package contains additional documentation for p11-kit
+and developing applications to take advantage of it.
+
+%package trust
+Summary: System trust module from %{name}
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Conflicts: nss < 3.14.3-9
+
+%description trust
+The %{name}-trust package contains a system trust PKCS#11 module which
+contains certificate anchors and black lists.
+
+
+# solution taken from icedtea-web.spec
+%define multilib_arches ppc64 sparc64 x86_64 s390x
+%ifarch %{multilib_arches}
+%define alt_ckbi libnssckbi.so.%{_arch}
+%else
+%define alt_ckbi libnssckbi.so
+%endif
+
+
+%prep
+%autosetup -p1
+
+%build
+# These paths are the source paths that come from the plan here:
+# https://fedoraproject.org/wiki/Features/SharedSystemCertificates:SubTasks
+%configure --disable-static --enable-doc --with-trust-paths=%{_sysconfdir}/pki/ca-trust/source:%{_datadir}/pki/ca-trust-source --with-hash-impl=freebl --disable-silent-rules
+make %{?_smp_mflags} V=1
+
+%install
+make install DESTDIR=$RPM_BUILD_ROOT
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/modules
+rm -f $RPM_BUILD_ROOT%{_libdir}/*.la
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/*.la
+install -p -m 755 %{SOURCE1} $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/
+# Install the example conf with %%doc instead
+rm $RPM_BUILD_ROOT%{_sysconfdir}/pkcs11/pkcs11.conf.example
+# We don't support PKCS#11 forwarding in RHEL-7 yet
+rm -f $RPM_BUILD_ROOT%{_libexecdir}/p11-kit/p11-kit-server
+rm -f $RPM_BUILD_ROOT%{_libdir}/pkcs11/p11-kit-client.so
+
+%check
+make check
+
+
+%post -p /sbin/ldconfig
+
+%post trust
+%{_sbindir}/update-alternatives --install %{_libdir}/libnssckbi.so \
+ %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so 30
+
+# Fix bad links from earlier p11-kit packages which didn't include s390x
+%posttrans trust
+%ifarch s390x
+if %{_sbindir}/update-alternatives --display libnssckbi.so | grep -q lib64; then
+ %{_sbindir}/update-alternatives --remove libnssckbi.so %{_libdir}/pkcs11/p11-kit-trust.so
+ if test -e /usr/lib/nss/libnssckbi.so; then
+ %{_sbindir}/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
+ fi
+fi
+%endif
+
+%postun -p /sbin/ldconfig
+
+%postun trust
+if [ $1 -eq 0 ] ; then
+ # package removal
+ %{_sbindir}/update-alternatives --remove %{alt_ckbi} %{_libdir}/pkcs11/p11-kit-trust.so
+fi
+
+
+%files
+%doc AUTHORS COPYING NEWS README
+%doc p11-kit/pkcs11.conf.example
+%dir %{_sysconfdir}/pkcs11
+%dir %{_sysconfdir}/pkcs11/modules
+%dir %{_datadir}/p11-kit
+%dir %{_datadir}/p11-kit/modules
+%dir %{_libexecdir}/p11-kit
+%{_bindir}/p11-kit
+%{_libdir}/libp11-kit.so.*
+%{_libdir}/p11-kit-proxy.so
+%{_libexecdir}/p11-kit/p11-kit-remote
+%{_mandir}/man8/p11-kit.8.gz
+%{_mandir}/man5/pkcs11.conf.5.gz
+
+%files devel
+%{_includedir}/p11-kit-1/
+%{_libdir}/libp11-kit.so
+%{_libdir}/pkgconfig/p11-kit-1.pc
+
+%files doc
+%doc %{_datadir}/gtk-doc/
+
+%files trust
+%{_bindir}/trust
+%{_mandir}/man1/trust.1.gz
+%{_libdir}/pkcs11/p11-kit-trust.so
+%{_datadir}/p11-kit/modules/p11-kit-trust.module
+%{_libexecdir}/p11-kit/trust-extract-compat
+
+
+%changelog
+* Mon Jun 12 2017 Daiki Ueno - 0.23.5-3
+- Avoid reference to thread-unsafe strerror rhbz#1378947
+- Fix PKCS#11 OAEP interface rhbz#1191209
+- Update documentation to follow RFC7512 rhbz#1165977
+
+* Thu May 18 2017 Daiki Ueno - 0.23.5-2
+- Make "trust anchor --remove" work again
+
+* Mon Mar 6 2017 Daiki Ueno - 0.23.5-1
+- Rebase to upstream version 0.23.5
+
+* Wed Feb 22 2017 Daiki Ueno - 0.23.4-1
+- Rebase to upstream version 0.23.4
+
+* Thu Jan 08 2015 Stef Walter - 0.20.7-3
+- Fix incorrect alternative links for s390 and s390x rhbz#1174178
+
+* Sun Oct 05 2014 Stef Walter - 0.20.7-2
+- Fix deadlock related to forking and pthread_atfork rhbz#1148774
+
+* Thu Sep 18 2014 Stef Walter - 0.20.7-1
+- Update to upstream stable 0.20.7 release
+- Expose pkcs11x.h header and defines for attached extensions rhbz#1142305
+
+* Tue Sep 09 2014 Stef Walter - 0.20.6-1
+- Update to upstream stable 0.20.6 release
+- Respect critical = no in p11-kit-proxy.so rhbz#1128615
+
+* Fri Sep 05 2014 Stef Walter - 0.20.5-1
+- Update to upstream version 0.20.5
+- Fixes several issues highlighted at rhbz#1128218
+
+* Thu Aug 07 2014 Stef Walter - 0.20.4-1
+- Rebase to upstream version 0.20.x (#1122528)
+
+* Fri Jan 24 2014 Daniel Mach - 0.18.7-4
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach - 0.18.7-3
+- Mass rebuild 2013-12-27
+
+* Mon Nov 04 2013 Stef Walter - 0.18.7-2
+- Move devel docs into subpackage due to gtk-doc multilib incompatibility (#983176)
+
+* Thu Oct 10 2013 Stef Walter - 0.18.7-1
+- Update to new upstream point release for RHEL bug fixes
+
+* Thu Jul 18 2013 Stef Walter - 0.18.5-1
+- Update to new upstream point release
+- Use freebl for hash algorithms
+- Don't load configs in home dir when setuid or setgid
+- Use $TMPDIR instead of $TEMP while testing
+- Open files and fds with O_CLOEXEC
+- Abort initialization if critical module fails to load
+- Don't use thread-unsafe: strerror, getpwuid
+- Fix p11_kit_space_strlen() result when empty string
+
+* Tue Jun 25 2013 Stef Walter - 0.18.4-1
+- Fix running the extract-trust external command
+
+* Wed Jun 05 2013 Stef Walter - 0.18.3-1
+- Update to new upstream stable release
+- Fix intermittent firefox cert validation issues (#960230)
+- Include the manual pages in the package
+
+* Tue May 14 2013 Stef Walter - 0.18.2-1
+- Update to new upstream stable release
+- Reduce the libtasn1 dependency minimum version
+
+* Thu May 02 2013 Stef Walter - 0.18.1-1
+- Update to new upstream stable release
+- 'p11-kit extract-trust' lives in libdir
+
+* Thu Apr 04 2013 Stef Walter - 0.18.0-1
+- Update to new upstream stable release
+- Various logging tweaks (#928914, #928750)
+- Make the 'p11-kit extract-trust' explicitly reject
+ additional arguments
+
+* Fri Mar 29 2013 Stef Walter - 0.17.5-2
+- Fix problem with empathy connecting to Google Talk (#928913)
+
+* Thu Mar 28 2013 Stef Walter - 0.17.5-1
+- Make 'p11-kit extract-trust' call update-ca-trust
+- Work around 32-bit oveflow of certificate dates
+- Build fixes
+
+* Tue Mar 26 2013 Stef Walter - 0.17.4-2
+- Pull in patch from upstream to fix build on ppc (#927394)
+
+* Wed Mar 20 2013 Stef Walter - 0.17.4-1
+- Update to upstream version 0.17.4
+
+* Mon Mar 18 2013 Stef Walter - 0.17.3-1
+- Update to upstream version 0.17.3
+- Put the trust input paths in the right order
+
+* Tue Mar 12 2013 Stef Walter - 0.16.4-1
+- Update to upstream version 0.16.4
+
+* Fri Mar 08 2013 Stef Walter - 0.16.3-1
+- Update to upstream version 0.16.3
+- Split out system trust module into its own package.
+- p11-kit-trust provides an alternative to an nss module
+
+* Tue Mar 05 2013 Stef Walter - 0.16.1-1
+- Update to upstream version 0.16.1
+- Setup source directories as appropriate for Shared System Certificates feature
+
+* Tue Mar 05 2013 Stef Walter - 0.16.0-1
+- Update to upstream version 0.16.0
+
+* Thu Feb 14 2013 Fedora Release Engineering - 0.14-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Mon Sep 17 2012 Kalev Lember - 0.14-1
+- Update to 0.14
+
+* Fri Jul 20 2012 Fedora Release Engineering - 0.13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Mon Jul 16 2012 Kalev Lember - 0.13-1
+- Update to 0.13
+
+* Tue Mar 27 2012 Kalev Lember - 0.12-1
+- Update to 0.12
+- Run self tests in %%check
+
+* Sat Feb 11 2012 Kalev Lember - 0.11-1
+- Update to 0.11
+
+* Fri Jan 13 2012 Fedora Release Engineering - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Tue Dec 20 2011 Matthias Clasen - 0.9-1
+- Update to 0.9
+
+* Wed Oct 26 2011 Kalev Lember - 0.8-1
+- Update to 0.8
+
+* Mon Sep 19 2011 Matthias Clasen - 0.6-1
+- Update to 0.6
+
+* Sun Sep 04 2011 Kalev Lember - 0.5-1
+- Update to 0.5
+
+* Sun Aug 21 2011 Kalev Lember - 0.4-1
+- Update to 0.4
+- Install the example config file to documentation directory
+
+* Wed Aug 17 2011 Kalev Lember - 0.3-2
+- Tighten -devel subpackage deps (#725905)
+
+* Fri Jul 29 2011 Kalev Lember - 0.3-1
+- Update to 0.3
+- Upstream rewrote the ASL 2.0 bits, which makes the whole package
+ BSD-licensed
+
+* Tue Jul 12 2011 Kalev Lember - 0.2-1
+- Initial RPM release
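Review bot: `Source0` in p11-kit.spec points at a plain `http://` URL and `%prep` runs `%autosetup -p1` with no signature check, so the only integrity pin for the tarball visible in this commit is the 40-hex digest in .p11-kit.metadata (its length is that of a SHA-1 hash). If the build takes the tarball from a lookaside cache keyed by that digest the URL is informational only, but it is still worth recording a stronger digest and, where upstream publishes one, adding the detached signature and keyring as further `Source` entries and verifying them before unpacking. Separately, a one-line comment above the `update-alternatives --install` call in `%post trust`, e.g. `# Make p11-kit-trust.so the provider of libnssckbi.so (priority 30)`, would explain that step to the next packager the way the `%install` comments already explain the removed files.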